Professional Documents
Culture Documents
Application Guide
NN47220-104 (320507-D)
.
Document status: Standard Document version: 01.01 Document date: 28 January 2008 Copyright 2008, Nortel Networks All Rights Reserved. Sourced in Canada, India and the United States of America Part Number: NN472000-104 (320507-D) This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided "as is" without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or tness for a particular purpose. U.S. Government End Users: This document is provided with a "commercial item" as dened by FAR 2.101 (Oct 1995) and contains "commercial technical data" and "commercial software documentation" as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995). Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc. Nortel Application Switch Operating System, Nortel Application Switch 2424, Nortel Application Switch 2424-SSL, Nortel Application Switch 2224, 2216, 2208, 3408, Nortel Application Switch 180, Nortel Application Switch 180e, Nortel Application Switch 184, Nortel Application Switch AD3, Nortel Application Switch AD4, and ACEswitch are trademarks of Nortel Networks, Inc. in the United States and certain other countries. Cisco and EtherChannel are registered trademarks of Cisco Systems, Inc. in the United States and certain other countries. Check Point and FireWall-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are owned by their respective companies.
Contents
Preface
Who should use this guide 17 What you will nd in this guide 17 Part 1: Basic Switching 17 Part 2: IP Routing 18 Part 3: Application Switching Fundamentals 18 Part 4: Advanced Switching 19 Typographic Conventions 19 Related Documentation 20 How to get help 20
17
23
25
46
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
4 Contents How Different Protocols Attack the Switch 46 Conguring Denial of Service Protection 47 Viewing Dropped Packets 47 Setting Source IP Address Ranges for Switch Management 48 RADIUS Authentication and Authorization 49 RADIUS Authentication Features 49 How Radius Authentication Works 50 Conguring RADIUS Authentication on the Switch 50 Switch User Accounts 52 RADIUS Attributes for User Privileges 53 TACACS+ Authentication 54 How TACACS+ Authentication Works 54 TACACS+ Authentication Features 55 Authorization 55 Accounting 56 Conguring TACACS+ Authentication on the Switch 56 Secure Shell and Secure Copy 58 Conguring SSH/SCP features on the switch 58 Conguring the SCP Administrator Password 59 SCP Services 60 Using SSH and SCP Client Commands 60 SSH and SCP Encryption of Management Messages 61 Generating RSA Host and Server Keys for SSH Access 62 SSH/SCP Integration with Radius Authentication 63 SSH/SCP Integration with SecurID 63 End User Access Control 64 Considerations for Conguring End User Accounts 64 User Access Control Menu 65 Setting up User IDs 65 Dening User Names and Passwords 65 Changing Passwords 65 Dening User Access Level 66 Assigning One or More Real Servers to the End User 66 Validating User Conguration 66 Listing Current Users 66 Enabling or Disabling a User 67 Logging into an End User Account 67 Deny Routes 67 Conguring a Deny Route 68 Viewing a Deny Route 68
VLANs
VLAN ID Numbers 71 VLAN Tagging 72
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
71
Contents 5 VLANs and the IP Interfaces 72 VLAN Topologies and Design Issues 72 Example 1: Multiple VLANS with Tagging Adapters 73 Example 2: Parallel Links with VLANs 74 VLANs and Default Gateways 75 Segregating VLAN Trafc 75 Conguring the Local Network 77 Conguring Gateways per VLAN 77 VLANs and Jumbo Frames 80 Limitations 80 Isolating Jumbo Frame Trafc using VLANs 80 Conguring VLANs for Jumbo and Non-Jumbo Frames 81 Port Trunking 83 Overview 83 Statistical Load Distribution 84 The Trunk Hash Algorithm 84 Built-In Fault Tolerance 85 Static Port Trunking Example 85 Link Aggregation Control Protocol Trunking 87 Conguring LACP 89 Port Teaming 91 Spanning Tree Protocol 93 Overview 93 Bridge Protocol Data Units (BPDUs) 94 Determining the Path for Forwarding BPDUs 94 Spanning Tree Compatibility between BPDU Formats 95 Spanning Tree Group Conguration Guidelines 96 Adding a VLAN to a Spanning Tree Group 96 Creating a VLAN 96 Multiple Spanning Trees 97 Why Do We Need Multiple Spanning Trees? 98 Four-Switch Topology with a Single Spanning Tree 99 Four-Switch Topology with Multiple Spanning Trees 100 Switch-Centric Spanning Tree Protocol 101 VLAN Participation in Spanning Tree Groups 101 Rapid Spanning Tree Protocol 102 Port State Changes 102 Port Type and Link Type 102 RSTP Conguration Guidelines 103 RSTP Conguration Example 103 Multiple Spanning Tree Protocol 104 MSTP Region 105 Common Internal Spanning Tree 105
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Part 2: IP Routing
Basic IP Routing 110 IP Routing Benets 110 Routing Between IP Subnets 110 Example of Subnet Routing 112 Dening IP Address Ranges for the Local Route Cache 117 Dynamic Host Conguration Protocol 118 DHCP Relay Agent 118 DHCP Relay Agent Conguration 119 Gratuitous ARP (GARP) Command 120 Static Routes 120 IPv4 Static Routes 121 IPv6 Static Routes 121 IPv6 123 IPv6 Address Format 123 IPv6 Address Types 123 Unicast Address 123 Multicast 124 Anycast 124 Pinging IPv6 Addresses 124 Verifying IPv6 Conguration 125 Verifying IPv6 Statistics 125 Routing Information Protocol 126 Border Gateway Protocol 131 Internal Routing Versus External Routing 131 Forming BGP Peer Routers 133 What is a Route Map? 133 Incoming and Outgoing Route Maps 134 Precedence 134 Conguration Overview 135 Aggregating Routes 137 Redistributing Routes 137 BGP Attributes 138 Local Preference Attribute 138 Metric (Multi-Exit Discriminator) Attribute 138 Selecting Route Paths in BGP 139 BGP Failover Conguration 139 Default Redistribution and Route Aggregation Example 143 Open Shortest Path First (OSPF) 146 OSPF Overview 146 Equal Cost Multipath Routing Support 147
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
109
Contents 7 Types of OSPF Areas 147 Types of OSPF Routing Devices 148 Neighbors and Adjacencies 149 The Link-State Database 150 The Shortest Path First Tree 150 Internal Versus External Routing 150 OSPF Implementation 151 Congurable Parameters 151 Dening Areas 152 Interface Cost 154 Electing the Designated Router and Backup 154 Summarizing Routes 155 Default Routes 155 Virtual Links 156 Router ID 157 Authentication 158 Host Routes for Load Balancing 160 Redistributing Routes into OSPF 161 OSPF Features Not Supported in This Release 164 OSPF Conguration Examples 164 Example 1: Simple OSPF Domain 165 Example 2: Virtual Links 167 Example 3: Summarizing Routes 173 Example 4: Host Routes 176 Verifying OSPF Conguration 185
187
8 Contents Unlimited Connections to Real Servers 208 Backup/Overow Servers 208 Backup Only Server 209 Connection Pooling 210 Content Intelligent Server Load Balancing 210 URL-Based Server Load Balancing 211 Virtual Hosting 216 Cookie-Based Preferential Load Balancing 219 Browser-Smart Load Balancing 222 URL Hashing for Server Load Balancing 223 Header Hash Load Balancing 225 Inserting the X-Forwarded-For Header in HTTP Requests 226 Extending SLB Topologies 227 Virtual Matrix Architecture 227 Proxy IP Address Conguration 229 Port-based Proxy IP Addresses 229 VLAN-based Proxy IP Addresses 230 Selecting a Proxy IP Based on the Egress Port or VLAN 230 Proxy IP Addresses in Filters 231 Using a Virtual Server IP Address as the Proxy IP Address 231 Conguring Proxy IP Addresses 232 Proxy IP Limitation 234 Mapping Ports 234 Direct Server Return 238 Direct Access Mode 239 Assigning Multiple IP Addresses 240 Delayed Binding 242 Session Timeout Per Service 245 IPv6 and Server Load Balancing 246 IPv6 to IPv4 Server Load Balancing 247 IPv6 to IPv6 Server Load Balancing 251 IPv6 Layer 4 SLB Information 253 IPv6 Real Server Health Checks 253 Load Balancing Special Services 254 IP Server Load Balancing 254 FTP Server Load Balancing 255 Active FTP Conguration 255 FTP Network Topology Restrictions 256 Conguring FTP Server Load Balancing 256 TFTP Server Load Balancing 256 Requirements 257 Conguring TFTP Server Load Balancing 257 Lightweight Directory Access Server SLB 257
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Contents 9 LDAP Operations and Server Types 258 How LDAP SLB Works 258 Selectively Resetting a Real Server 258 Conguring LDAP SLB 259 Domain Name Server (DNS) SLB 261 Preconguration Tasks 262 Conguring UDP-based DNS Load Balancing 263 Conguring TCP-based DNS Load Balancing 264 Layer 7 DNS Load Balancing 265 Real Time Streaming Protocol SLB 268 How RTSP Server Load Balancing Works 268 Supported RTSP Servers 269 RTSP Port Conguration 269 Conguring RTSP Load Balancing 270 Content-Intelligent RTSP Load Balancing 273 Wireless Application Protocol SLB 279 WAP SLB with RADIUS Static Session Entries 280 WAP SLB with RADIUS Snooping 283 WAP SLB with Radius/WAP Persistence 287 Intrusion Detection System SLB 290 How Intrusion Detection Server Load Balancing Works 291 Setting Up IDS Servers 292 IDS Load Balancing Congurations 293 Session Initiation Protocol Server Load Balancing 310 SIP Processing on the Switch 310 TCP based SIP Servers 310 Conguring SIP Server Load Balancing 310 UDP based SIP servers 314 Conguring SIP Server Load Balancing 314 Enhancements to SIP Server Load Balancing 317 SoftGrid Load Balancing 319 Workload Manager Support 322 WAN Link Load Balancing 327 Multi-homing 327 Benets of WAN Link Load Balancing 328 Identifying Your Network Needs 329 What is Load Balancing? 329 How WAN Link Load Balancing Works 330 Outbound Trafc 330 Inbound Trafc 332 Conguring WAN Link Load Balancing 336 Before You Begin 336 Conguration Summary 336
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
10 Contents Example 1: Simple WAN Link Load Balancing 338 Example 2: WAN Link Load Balancing with Server Load Balancing Health Checking and Multi-homing 362 Filtering 364 Overview 365 Filtering Benets 365 Filtering Criteria 365 Filtering Actions 366 Stacking Filters 367 Overlapping Filters 367 The Default Filter 368 Optimizing Filter Performance 369 IP Address Ranges 369 Filter Logs 369 Cached versus Non-cached Filters 371 MAC-Based Filters for Layer 2 Trafc 372 VLAN-based Filtering 373 Conguring VLAN-based Filtering 373 Filtering on 802.1p Priority Bit in a VLAN Header 376 802.1p Priorities 376 Classifying Packets Based on 802.1p Priority Bits 376 Tunable Hash for Filter Redirection 377 Filter-based Security 378 Network Address Translation 385 Static NAT 386 Dynamic NAT 388 FTP Client NAT 389 Overlapping NAT 391 SIP NAT and Gleaning Support 392 Matching TCP Flags 394 Matching ICMP Message Types 399 Deny Filter Based on Layer 7 Content Lookup 400 Denying HTTP URL Requests 401 Denying HTTP Headers 403 Multicast Filter Redirection 405 IPv6 Filtering 406 Application Redirection 409 Overview 409 Cache Redirection Environment 410 Additional Application Redirection Options 411 Cache Redirection Conguration Example 411 RTSP Cache Redirection 417 IP Proxy Addresses for NAT 421
350
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Contents 11 Excluding Noncacheable Sites 423 Content Intelligent Cache Redirection 423 URL-Based Cache Redirection 424 HTTP Header-Based Cache Redirection 433 Browser-Based Cache Redirection 434 URL Hashing for Cache Redirection 436 RTSP Streaming Cache Redirection 439 HTTP Redirection 444 Congure SLB Strings for HTTP Redirection 444 IP based HTTP redirection 447 TCP Service Port Based HTTP Redirection 450 MIME Type Header-Based Redirection 452 URL-Based Redirection 454 Source IP from HTTP header and Host Header-Based Redirection HTTP to HTTPS Redirection 458 IPv6 Redirection Filter 459 Peer-to-Peer Cache Load Balancing 461 Health Checking 463 Real Server Health Checks 465 Advanced Group Health Check 465 Disabling the Fast Link Health Check 467 DSR Health Checks 467 Link Health Checks 468 Conguring Link Health Checks 469 TCP Health Checks 469 ICMP Health Checks 470 Script-Based Health Checks 470 Conguring Script-Based Health Checks 470 Script Formats 471 Scripting Commands 473 Scripting Guidelines 474 Script Conguration Examples 474 Application-Specic Health Checks 478 HTTP Health Checks 479 UDP-Based DNS Health Checks 481 TFTP Health Check 482 SNMP Health Check 483 FTP Server Health Checks 485 POP3 Server Health Checks 486 SMTP Server Health Checks 487 IMAP Server Health Checks 488 NNTP Server Health Checks 488 RADIUS Server Health Checks 489
456
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
12 Contents HTTPS/SSL Server Health Checks 492 WAP Gateway Health Checks 492 LDAP Health Checks 499 Windows Terminal Server Health Checks 501 ARP Health Checks 501 Buddy Server Health Checks 503 DHCP Health Checks 505 Failure Types 506 Service Failure 506 Server Failure 507 High Availability 508 VRRP Overview 509 Standard VRRP Components 509 IPv6 VRRP Support 521 IPv6 VRRP packets 522 IPv6 VRRP conguration 523 IPv6 VRRP information 523 Failover Methods and Congurations 524 Active-Standby Redundancy 525 Active-Active Redundancy 529 Hot-Standby Redundancy 539 Tracking Virtual Routers 548 Service-Based Virtual Router Groups 550 IPv6 VRRP Conguration Examples 555 Hot Standby Conguration Example 555 Active-Standby Conguration Example 562 Active-Active Conguration Example 569 Virtual Router Deployment Considerations 576 Mixing Active-Standby and Active-Active Virtual Routers 577 Eliminating Loops with STP and VLANs 577 Assigning VRRP Virtual Router ID 578 Conguring VRRP Peers for Synchronization 578 Synchronizing Active/Active Failover 580 Stateful Failover of Persistent Sessions 580 What Happens When a Switch Fails 581 Viewing Statistics on Persistent Port Sessions 583 Service-based Session Failover 584 Peer Synchronization 586
587
Contents 13 Using SSL Session ID 590 HTTP and HTTPS Persistence Based on Client IP 590 Cookie-Based Persistence 591 Permanent and Temporary Cookies 592 Cookie Formats 593 Cookie Properties 593 Client Browsers that Do Not Accept Cookies 594 Cookie Modes of Operation 594 Conguring Cookie-Based Persistence 598 Server-Side Multi-Response Cookie Search 604 Proxy Support for Insert Cookie 604 SSL Session ID-Based Persistence 605 How SSL Session ID-Based Persistence Works 605 Conguring SSL Session ID-Based Persistence 607 Windows Terminal Server Load Balancing and Persistence 607 Advanced Denial of Service Protection 611 Background 611 Security Inspection Workow 612 Other Types of Security Inspection 612 IP Address Access Control Lists 612 Conguring Blocking with IP Access Control Lists 613 Viewing IP ACL statistics 614 Bogon List 614 Protection Against Common Denial of Service Attacks 615 Conguring Ports with DoS Protection 615 Viewing DOS statistics 616 Viewing DOS statistics per port 617 Understanding the types of DOS attacks 618 DoS Attack Prevention Conguration 627 Preventing other types of DOS attack 627 Protocol-BasedRate Limiting 628 Time Windows and Rate Limits 628 Hold Down Periods 629 UDP and ICMP Rate Limiting 629 TCP Rate Limiting 629 Conguring Protocol-Based Rate Limiting Filters 630 Protection Against UDP Blast Attacks 635 Conguring UDP Blast Protection 635 TCP or UDP Pattern Matching 636 Pattern Criteria 637 Matching Groups of Patterns 639 Nortel Threat Protection System 4.1 Enforcement Point 647 Remediation Subsystem 647
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
14 Contents Operations IP Access Control List 648 Session Deletion 649 Symantec Intelligent Network Protection 651 Overview 652 Intelligent Network Protection Components 653 Installing Software Keys 653 Conguration Tasks 654 CLI Command Analogs 655 Tunable Resources 656 Monitoring Symantec Functionality 657 General Symantec Information 657 Signature Names 658 Conguration Example 659 Troubleshooting 665 Conguration Synchronization - Different Memory Proles 665 Conguration Synchronization - Similar Memory Proles 665 Firewall Load Balancing 667 Firewall Overview 667 Basic FWLB 669 Basic FWLB Implementation 670 Conguring Basic FWLB 672 Four-Subnet FWLB 682 Four-Subnet FWLB Implementation 683 Conguring Four-Subnet FWLB 684 Advanced FWLB Concepts 701 Free-Metric FWLB 701 Adding a Demilitarized Zone (DMZ) 704 Firewall Health Checks 706 Virtual Private Network Load Balancing 708 Overview 708 How VPN Load Balancing Works 708 VPN Load Balancing Persistence 710 VPN Load-Balancing Conguration 711 Congure the First Clean-Side Application Switch-CA 712 Congure the Second Clean-Side Application Switch-CB 716 Congure the First Dirty-Side Application Switch-DA 718 Congure the Second Dirty-Side Application Switch-DB 721 Test Congurations and General Topology 723 Test the VPN 724 Global Server Load Balancing 727 Enabling GSLB on the Switch 727 DSSP version 1 vs. version 2 728 Migrating Previous GSLB Congurations 728
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Contents 15 GSLB License Key 728 GSLB Overview 728 Benets 728 How GSLB Works 729 GSLB Metrics 731 Metric preferences 733 Rules 734 GSLB Availability Persistence 734 Conguring Basic GSLB 735 Basic GSLB Requirements 736 Example GSLB Topology 736 Conguring a Standalone GSLB Domain 752 GSLB Topology with a Standalone GSLB Site 753 A Standalone DNS Server Conguration 757 Conguring GSLB with Rules 759 Conguring Time-Based Rules 760 Using the Availability Metric in a Rule 761 Conguring GSLB Network Preference 762 Conguring GSLB with Proxy IP for Non-HTTP Redirects How Proxy IP Works 765 Conguring Proxy IP Addresses 766 Using Border Gateway Protocol for GSLB 767 Verifying GSLB Operation 768 Bandwidth Management 769 Enabling Bandwidth Management 769 Contracts 770 Classication Rules 771 Grouped Bandwidth Contracts 773 IP User Level Contracts for Individual Sessions 774 Policies 776 Bandwidth Policy Index 776 Time Policy 776 Enforcing Policies 776 Rate Limiting 777 Application Session Capping 779 Rate Limiting Timeslots 779 Trafc Shaping 780 Bandwidth Management Information 781 Viewing BWM Statistics 781 Conguring BWM History 782 Sending BWM History 782 Statistics and Management Information Bases 783 Synchronizing BWM Congurations in VRRP 783
764
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
16 Contents Packet Coloring (TOS bits) for Burst Limit 783 Contract-Based Packet Mirroring 784 Conguring Bandwidth Management 784 Additional BWM Conguration Examples 788 Conguring User/Application Fairness 788 ConguringGrouped Contracts for Bandwidth Sharing 791 Conguring a IP User-Level Rate Limiting Contract 794 Conguring BWMPreferential Services 796 Conguring Content Intelligent Bandwidth Management 799 Conguring Cookie-Based Bandwidth Management 803 ConguringSecurity Management 807 Conguring Time and Day Policies 809 Egress Bandwidth Tuning for Lower Speed Networks 811 Overwriting the TCP Window Size 812 Conguring Intelligent Trafc Management 812 XML Switch Conguration API 814 Software Components 814 XML Conguration File 815 XML File Transmission 815 Feature Conguration 816 Additional Feature Commands 817 Port Mirroring 819 Mirroring Individual Ports 819 Mirroring VLANs on a Port 821 Filtering the Session Dump 822 Exclusionary String Matching for Real Servers 825 Conguring Exclusionary URL String Matching 826 Regular Expression Matching 827 Standard Regular Expression Characters 827 Conguring Regular Expressions 828 Content Precedence Lookup 829 Requirements 830 Assigning Multiple Strings 831 String Case Insensitivity 832 Congurable HTTP Methods 833
Index
839
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
17
Preface
This Application Guide describes how to congure and use the Nortel Application Switch Operating System software on the Nortel Application Switches. For documentation on installing the switches physically, see the Hardware Installation Guide for your particular switch model.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
18 Preface
"Port Trunking" (page 83), describes how to group multiple physical ports together to aggregate the bandwidth between large-scale network devices. "Port Teaming" (page 91), describes how to congure port teaming. "Spanning Tree Protocol" (page 93), discusses how Spanning Trees congure the network so that the switch uses the most efcient path when multiple paths exist.
Part 2: IP Routing
"Basic IP Routing" (page 110), describes how to congure the Nortel Application Switch for IP routing using IP subnets, and DHCP Relay. "IPv6" (page 123), describes how to congure the IP version 6 features of the Nortel Application Switch. "Routing Information Protocol" (page 126), describes how the Nortel Application Switch Operating System software implements standard RIP for exchanging TCP/IP route information with other routers "Border Gateway Protocol" (page 131), describes BGP concepts and BGP features supported in Nortel Application Switch Operating System. "Open Shortest Path First (OSPF)" (page 146), describes OSPF concepts, how OSPF is implemented in Nortel Application Switch Operating System, and four examples of how to congure your switch for OSPF support.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Typographic Conventions
19
"Health Checking" (page 463), describes how to congure the Nortel Application Switch to recognize the availability of the various network resources used with the various load-balancing and application redirection features. "High Availability" (page 508), describes how to use the Virtual Router Redundancy Protocol (VRRP) to ensure that network resources remain available if one Nortel Application Switch is removed for service.
Typographic Conventions
The following table describes the typographic styles used in this book.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
20 Preface Typographic Conventions Typeface or Symbol AaBbCc123 Meaning This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts. AaBbCc123 This bold type appears in command examples. It shows text that must be typed in exactly as shown. This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized. [* ] Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets. Example View the readme.txt file. Main# Main# sys
<AaBbCc123>
Related Documentation
Nortel Application Switch Operating System 24.0 Release Notes (NN47220-401). Provides up-to-date information about Nortel Application Switch Operating System 24.0 installation, upgrade, and known issues. Nortel Application Switch Operating System 24.0 Command Reference (NN47220-105) Provides a command and usage reference for all switch CLI commands. Nortel Application Switch Operating System Browser-Based Interface (BBI) Quick Guide (NN47220-103) Provides a description of the switch BBI and how to congure and access it.
21
If you purchased a Nortel Networks service program, contact one of the following Nortel Networks Technical Solutions Centers:
Technical Solutions Center Europe, Middle East, and Africa North America Asia Pacific China Telephone 00800 8008 9009 or +44 (0) 870 907 9009 (800) 4NORTEL or (800) 466-7835 (61) (2) 8870-8800 (800) 810-5000
Additional information about the Nortel Networks Technical Solutions Centers is available at the following URL: http://www.nortel.com/help/contact/global An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL: http://www.nortel.com/help/contact/erc/index.html
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
22 Preface
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
23
Features
See the following sections for information about feature changes: "New Conguration options" (page 601) "Cookie Insert Mode Enhancement " (page 595) "Proxy support for Passive Cookie" (page 597) "A Standalone DNS Server Conguration" (page 757) "Accounting" (page 56) "Session Initiation Protocol Server Load Balancing" (page 310)
Other changes
See the following sections for information about changes that are not feature-related: "Limiting Management Access" (page 40) "Hot-Standby Conguration" (page 541) "Virtual Matrix Architecture" (page 227)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
25
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
You can access the built-in, text-based CLI in the following ways: Using a serial connection via the console port You can access and congure the application switch by using a computer running terminal emulation software. Using the management port The management port is a Fast Ethernet port on the Nortel Application Switch that is used exclusively for managing the switch.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
27
For more information on the management port, see "Using the Management Port" (page 37). Using a Telnet connection over the network A Telnet connection offers the convenience of accessing the switch from any workstation connected to the network. Telnet access provides the same options for user and administrator access as those available through the console port. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the Telnet command, followed by the switch IP address:
telnet <switch IP address>
Using a SSH connection to securely log into another computer over a network. The SSH (Secure Shell) protocol enables you to securely log into another computer over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch conguration, SSH ensures that all data sent over the network is encrypted and secure. For more information, see "Secure Shell and Secure Copy" (page 58).
For more information on the CLI, see the Nortel Application Switch Operating System Command Reference.
Using SNMP
Nortel Application Switch Operating System provides SNMP v1.0 and SNMP v3.0 support for access through any network management software, such as Nortel ASEM or HP-OpenView.
SNMP v1.0
To access the SNMP agent on the Nortel Application Switch, the read and write community strings on the SNMP manager should be congured to match those on the switch. The default read community string on the switch is public and the default write community string is private. Note: Leaving the default community strings enabled on the switch presents a security risk. Use the commands noted below to change these community strings. The read and write community strings on the switch can be changed using the following commands on the CLI:
>> /cfg/sys/ssnmp/rcomm
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
and
>> /cfg/sys/ssnmp/wcomm
The SNMP manager should be able to reach the management interface (management port) or any one of the IP interfaces on the switch.
SNMP v3.0
SNMPv3 is an enhanced version of the Simple Network Management Protocol, approved by the Internet Engineering Steering Group in March, 2002. SNMP v3.0 contains additional security and authentication features that provide data origin authentication, data integrity checks, timeliness indicators and encryption to protect against threats such as masquerade, modication of information, message stream modication and disclosure. SNMP v3 ensures that the client can use SNMP v3 to query the MIBs, mainly for security purposes. To access the SNMP v3.0 menu, enter the following command in the CLI:
>> # /cfg/sys/ssnmp/snmpv3
For more information on SNMP MIBs and the commands used to congure SNMP on the switch, see the Nortel Application Switch Operating System Command Reference.
Default conguration
The Nortel Application Switch Operating System has two users by default. Both the users adminmd5 and adminsha have access to all the MIBs supported by the switch. Step 1 2 Action username 1: adminmd5/password adminmd5. Authentication used is MD5. username adminsha/password adminsha. Authentication used is SHA. To congure an SNMP user name, enter the following command from the CLI:
>> # /cfg/sys/ssnmp/snmpv3/usm <x>
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
29
User Conguration
Users can be congured to use the authentication and privacy options. Currently Nortel Application Switch Operating System supports two authentication algorithms: MD5 and SHA. Authentication and privacy options are specied using the following command:
>> # /cfg/sys/ssnmp/snmpv3/usm <x> /auth md5|sha
Step 1
Action To congure a user with name test, authentication type MD5, and authentication password of test, privacy option DES with privacy password of test, enter the following CLI commands.
>> >> >> >> >> >> # /cfg/sys/ssnmp/snmpv3/usm 5 SNMPv3 usmUser 5 # name "test" SNMPv3 usmUser 5 # auth md5 SNMPv3 usmUser 5 # authpw test SNMPv3 usmUser 5 # priv des SNMPv3 usmUser 5 # privpw test
Once a user is congured, specify the access level for this user along with the views to which the user is allowed access. This is specied in the access table.
>> >> >> >> >> >> # /cfg/sys/ssnmp/snmpv3/access 5 SNMPv3 vacmAccess 5 # name "testgrp" SNMPv3 vacmAccess 5 # level authPriv SNMPv3 vacmAccess 5 # rview "iso" SNMPv3 vacmAccess 5 # wview "iso" SNMPv3 vacmAccess 5 # nview "iso"
If you want to allow the user access only certain MIBs, see "View based Congurations" (page 30). End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
To congure an SNMP user equivalent to the CLI access level for oper, use the following conguration:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
31
/cfg/sys/ssnmp/snmpv3/usm 5 name "slboper" /cfg/sys/ssnmp/snmpv3/access 4 name "slbopergrp" rview "slboper" wview "slboper" nview "slboper" /cfg/sys/ssnmp/snmpv3/group 4 uname slboper gname slbopergrp /cfg/sys/ssnmp/snmpv3/view 20 name "slboper" tree "1.3.6.1.4.1.1872.2.5.1.2" /cfg/sys/ssnmp/snmpv3/view 21 name "slboper" tree "1.3.6.1.4.1.1872.2.5.1.3" /cfg/sys/ssnmp/snmpv3/view 22 name "slboper" tree "1.3.6.1.4.1.1872.2.5.2.2" /cfg/sys/ssnmp/snmpv3/view 23 name "slboper" tree "1.3.6.1.4.1.1872.2.5.2.3" /cfg/sys/ssnmp/snmpv3/view 24 name "slboper" tree "1.3.6.1.4.1.1872.2.5.3.2" /cfg/sys/ssnmp/snmpv3/view 25 name "slboper" tree "1.3.6.1.4.1.1872.2.5.3.3" /cfg/sys/ssnmp/snmpv3/view 26 name "slboper" tree "1.3.6.1.4.1.1872.2.5.4" /cfg/sys/ssnmp/snmpv3/view 27 name "slboper" tree "1.3.6.1.4.1.1872.2.5.4.1" type excluded /cfg/sys/ssnmp/snmpv3/view 28 name "slboper" tree "1.3.6.1.4.1.1872.2.5.5.2" /cfg/sys/ssnmp/snmpv3/view 29 name "slboper" tree "1.3.6.1.4.1.1872.2.5.5.3" /cfg/sys/ssnmp/snmpv3/view 30 name "slboper" tree "1.3.6.1.4.1.1872.2.5.6.2"
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Action To congure a SNMPv1 trap host, rst congure a user with no authentication and password.
>> # /cfg/sys/ssnmp/snmpv3/usm 10 name "v1trap"
Congure an access group and group table entries for the user. The nview command is used to specify which traps can be received by the user. In the example below, the user will receive the traps send by the switch.
>> >> >> >> >> >> >> >> # /cfg/sys/ssnmp/snmpv3/access 10 SNMPv3 vacmAccess 10 # name "v1trap" SNMPv3 vacmAccess 10 # model snmpv1 SNMPv3 vacmAccess 10 # nview "iso" # /cfg/sys/ssnmp/snmpv3/group SNMPv3 vacmSecurityToGroup 10 SNMPv3 vacmSecurityToGroup 10 SNMPv3 vacmSecurityToGroup 10 10 # model snmpv1 # uname v1trap # gname v1trap
Specify the IP address and other trap parameters in the targetAddr and targetParam tables. The uname command is used to specify the user name used with this targetParam table.
>> # /cfg/sys/ssnmp/snmpv3/taddr 10 >> >> >> >> SNMPv3 SNMPv3 SNMPv3 SNMPv3 snmpTargetAddrTable snmpTargetAddrTable snmpTargetAddrTable snmpTargetAddrTable 10 10 10 10 # # # # (Access the targetAddr Table Menu) name v1trap addr 50.80.23.245 taglist v1trap pname v1param
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
33
>> # /cfg/sys/ssnmp/snmpv3/tparam 10 >> >> >> >> SNMPv3 SNMPv3 SNMPv3 SNMPv3 snmpTargetParamsTable snmpTargetParamsTable snmpTargetParamsTable snmpTargetParamsTable 10 10 10 10
(Access the targetParams table menu) # # # # name v1param mpmodel snmpv1 uname v1trap model snmpv1
Specify the community string used in the traps using the community table.
>> # /cfg/sys/ssnmp/snmpv3/comm 10 (Select the Community Table)
>> SNMPv3 snmpCommunityTable 10 # index v1trap >> SNMPv3 snmpCommunityTable 10 # name public >> SNMPv3 snmpCommunityTable 10 # uname v1trap
End
SNMPv2 trap host conguration The v2 trap host conguration is similar to the SNMPv1 trap host conguration. Wherever you specify the model make sure to specify snmpv2 instead of snmpv1.
/cfg/sys/ssnmp/snmpv3/usm 10 name "v2trap" /cfg/sys/ssnmp/snmpv3/access 10 name "v2trap" model snmpv2 nview "iso" /cfg/sys/ssnmp/snmpv3/group 10 model snmpv2 uname v2trap gname v2trap /cfg/sys/ssnmp/snmpv3/taddr 10 name v2trap addr 50.81.25.66 taglist v2trap pname v2param /cfg/sys/ssnmp/snmpv3/tparam 10 name v2param mpmodel snmpv2c uname v2trap model snmpv2 /cfg/sys/ssnmp/snmpv3/notify 10 name v2trap tag v2trap
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
SNMPv3 trap host conguration To congure a user for SNMPv3 traps, you can choose to send the traps with both privacy and authentication, with authentication only, or with neither. An SNMPv3 trap host is congured in the access table using the following commands:
>> # /cfg/sys/ssnmp/snmpv3/access <x> /level Enter new access level [noAuthNoPriv|authNoPriv|authPriv]: <access-level> >> # /cfg/sys/ssnmp/snmpv3/tparam <snmpTargetParams number: (1-16)>
The user in the user table should also be congured accordingly from the SNMPv3 usmUser 1 Menu, which is accessed from the following command:
>> /cfg/sys/ssnmp/snmpv3/usm <usmUser number: (1-16)>
It is not necessary to congure the community table for SNMPv3 traps because the community string is not used by SNMPv3. The following example shows how to congure an SNMPv3 user v3trap with authentication only:
/cfg/sys/ssnmp/snmpv3/usm 11 name "v3trap" auth md5 authpw v3trap /cfg/sys/ssnmp/snmpv3/access 11 name "v3trap" level authNoPriv nview "iso" /cfg/sys/ssnmp/snmpv3/group 11 uname v3trap gname v3trap /cfg/sys/ssnmp/snmpv3/taddr 11 name v3trap addr 50.81.25.66 taglist v3trap pname v3param /cfg/sys/ssnmp/snmpv3/tparam 11
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
35
name v3param uname v3trap level authNoPriv /cfg/sys/ssnmp/snmpv3/notify 11 name v3trap tag v3trap
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel ASEM monitors data in tables and graphs. You must rst select a few items in the table before the graph icons are enabled. Nortel ASEM generates line, bar, or pie charts. Export data to a le such as an Excel spreadsheet
"Nortel ASEM Screen Example" (page 36)illustrates an example of a Nortel ASEM screen.
Nortel ASEM Screen Example
To change the HTTP web server port from the default port 80, use the following command:
/cfg/sys/access/wport <x>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
37
To access your switch via the Browser-Based Interface, open a Web browser window and type in the URL using the IP interface address of the switch, such as http://10.10.10.1.
To change the HTTPS Web server port number from the default port 443, use the following command:
/cfg/sys/access/https/port <x>
Accessing the BBI via HTTPS requires that you generate a certicate to be used during the key exchange. A default certicate is created the rst time HTTPS is enabled, but you can create a new certicate dening the information you want to be used in the various elds.
>> /cfg/sys/access/https/generate Country Name (2 letter code) [ ]: <country code> State or Province Name (full name) []: <state> Locality Name (eg, city) []: <city> Organization Name (eg, company) []: <company> Organizational Unit Name (eg, section) []: <org. unit> Common Name (eg, YOUR name) []: <name> Email (eg, email address) []: <email address> Confirm generating certificate? [y/n]: y Generating certificate. Please wait (approx 30 seconds) restarting SSL agent
The certicate can be saved to ash for use if the switch is rebooted by using the apply and save commands. When a client (e.g. web browser) connects to the switch, they will be asked if they accept the certicate and can verify that the elds are what expected. Once BBI access is granted to the client, the BBI can be used as described in the BBI Quick Guide.
data port that could otherwise be used for processing requests. You can use the management port to access the switch using Telnet (CLI), SSH, SNMP (ASEM), or HTTP (Nortel Application Switch Operating System BBI). The management port does not participate in the switching and routing protocols that run on the data ports, but it can be used to perform management functions such as, accessing the NTP server sending out SNMP traps sending out Syslog messages accessing the Radius server accessing the TACACS+ server accessing the DNS server performing TFTP or FTP functions (ptimg, gtimg, ptcfg, gtcfg, ptdmp) accessing the SMTP server running ping, Telnet and traceroute commands Note: BOOTP is not supported over the management port. For more information on using the commands to perform these functions, see the Nortel Application Switch Operating System Command Reference.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
39
When the management port is enabled, you can use it to access the switch via Telnet, SSH, BBI, and SNMP (ASEM), provided the commands are enabled on the switch. These commands can occur simultaneously on both the management port and the data ports.
>> Management Port# ena (Enable the management port)
Note: There is a maximum of four concurrent Telnet sessions on the Nortel Application Switch over the management and data ports combined. 4 Congure the default port type for each management function. Select the management port or the default data port for each management function. For example, select the management port for NTP, Radius, and Syslog functions only. SMTP, TFTP, and SNMP traps are congured to use the default data ports.
>> Management Port# ntp mgmt >> Management Port# radius mgmt >> Management Port# syslog mgmt (Select the management port for NTP) (Select the management port for radius) (Select the management port for syslog)
Note: The default for TFTP can be overridden by using the data or mgmt option after a gtimg, ptimg, gtcfg, ptcfg, or ptdmp command. 5 Apply, verify your conguration, and save the changes.
>> Management Port # apply >> Management Port # cur >> Management Port # save (Make your changes active) (View current settings) (Save for restore after reboot)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Enable port for management /cfg/sys/access/port/add <port number> access. Disable port from management access. Disable all ports from management access. Current listing of data ports with management access. /cfg/sys/access/port/rem <port number> /cfg/sys/access/port/arem /cfg/sys/access/port/cur
Feature Description
To support conguring 128 management IP addresses and mask pairs, support need to be added to provide more restriction if needed by enabling only a particular type of access for a given network like Telnet, SSH, SNMP, or BBI.
Action Now accepts 128 networks addr: IP Address mask: Network mask acctype: all | telnet | ssh | snmp | bbi Note: By default access type is all Removes a defined network, which consists of a management network address and management network mask address. /cfg/sys/access/mgmt/rem Command /cfg/sys/access/mgmt/add <1-128> /cfg/sys/access/mgmt/add <1-128> <addr> <mask> <acctype>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
41
Action When a user enters a specific access type, only that protocol access is removed. Network can access through other access protocols. When all (default feature) is entered, network is removed. addr: IP Address mask: Network mask acctype: all | telnet | ssh | snmp | bbi Note: By default access type is all
/cfg/sys/access/mgmt/arem When a user enters this command all the entries are removed giving all type of access to all the users as if no restrictions are configured. It displays Network address, mask and access protocol for all the networks configured upto 128. /cfg/sys/access/mgmt/cur
File Transfers
The Nortel Application Switch Operating System supports the usage of the File Transfer Protocol (FTP) as a le transfer alternative to the Trivial File Transfer Protocol (TFTP). FTP is supported over data and management ports for the upload and download of the following le types: Software Images Conguration Files TSDumps Panic Dumps
A FTP host name, le name, user name, and password is requested when using FTP. The initiation of boot image uploads and downloads is also supported through SNMP and the Browser-Based Interface.
Time Conguration
This section describes the time conguration options available in the Nortel Application Switch Operating System.
The following example sets the time zone to Atlantic Time for a switch that is physically located in Atlantic Canada. Step 1 Action Access time zone conguration.
>> Main# /cfg/sys/timezone
Note: The time zone setting can be disabled in this menu by selecting 11. 3 Select the country inside the geographic zone previously selected.
Please select a country. 1) Anguilla 18) Ecuador 35) Paraguay 2) Antigua & Barbuda 19) El Salvador 36) Peru 3) Argentina 20) French Guiana 37) Puerto Rico 4) Aruba 21) Greenland 38) St Kitts & Nevis 5) Bahamas 22) Grenada 39) St Lucia 6) Barbados 23) Guadeloupe 40) St Pierre & Miquelon 7) Belize 24) Guatemala 41) St Vincent 8) Bolivia 25) Guyana 42) Suriname
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
43
9) Brazil 26) Haiti 43) Trinidad & Tobago 10) Canada 27) Honduras 44) Turks & Caicos Is 11) Cayman Islands 28) Jamaica 45) United States 12) Chile 29) Martinique 46) Uruguay 13) Colombia 30) Mexico 47) Venezuela 14) Costa Rica 31) Montserrat 48) Virgin Islands (UK) 15) Cuba 32) Netherlands Antilles 49) Virgin Islands (US) 16) Dominica 33) Nicaragua 17) Dominican Republic 34) Panama Enter the number of your choice: 10
Select the time zone appropriate to the specic geographic location of the switch.
Please select one of the following time zone regions. 1) Newfoundland Island 2) Atlantic Time - Nova Scotia (most places), NB, W Labrador, E Quebec & PEI 3) Atlantic Time - E Labrador 4) Eastern Time - Ontario & Quebec - most locations 5) Eastern Time - Thunder Bay, Ontario 6) Eastern Standard Time - Pangnirtung, Nunavut 7) Eastern Standard Time - east Nunavut 8) Eastern Standard Time - central Nunavut 9) Central Time - Manitoba & west Ontario 10) Central Time - Rainy River & Fort Frances, Ontario 11) Central Time - west Nunavut 12) Central Standard Time - Saskatchewan most locations 13) Central Standard Time - Saskatchewan - midwest 14) Mountain Time - Alberta, east British Columbia & west Saskatchewan 15) Mountain Time - central Northwest Territories 16) Mountain Time - west Northwest Territories 17) Mountain Standard Time - Dawson Creek & Fort Saint John, British Columbia 18) Pacific Time - west British Columbia 19) Pacific Time - south Yukon 20) Pacific Time - north Yukon
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The following example congures NTP for a switch: Step 1 Action Access the NTP menu.
>> Main# /cfg/sys/ntp
Set the IP address of the primary NTP server. This would be the NTP server that the switch would regularly synchronize with to adjust its time.
>> NTP Server# prisrv Current NTP server address: 0.0.0.0 Enter new NTP server address: 192.168.249.13
Set the IP address of the secondary NTP server. This would be the NTP server that the switch would synchronize with in instances where the primary server is not available.
>> NTP Server# secsrv Current NTP server address: 0.0.0.0 Enter new NTP server address: 192.168.249.45
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
45
Set the resynchronisation interval. The resynchronisation interval is the amount of time the switch waits between queries to the NTP server.
>> NTP Server# intrval Current resync interval (minutes): 1440 Enter new resync interval (minutes) [1-44640]:
2000
(Optional) Set the NTP time zone offset. The NTP time zone offset from Greenwich Mean Time defaults to the setting congured with the switch time zone was set up. If this has not been done, or you wish to override the current value, do the following:
>> NTP Server# tzone Current GMT timezone offset: -8:00 Enter new GMT timezone offset in hours [-12:00, +12:00]: +4:00
Enable NTP functionality. After NTP functionality has been congured, it must be enabled.
>> NTP Server# on Current status: OFF New status: ON
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
47
arp
2 3
Repeat step 1 to congure rate limits on any other of the supported protocols. Apply and save the conguration. End
0 0 0
icmpDiscards: udpDiscards:
0 0
Dynamic Memory statistics -------------------------------------------------Total memory in bytes 36699136 Current memory in bytes 5580064 allocs 28 frees 2 alloc failures 0 bytes hiwait 5580064
The following source IP addresses are granted or not granted access to the switch: A host with a source IP address of 192.192.192.21 falls within the dened range and would be allowed to access the switch. A host with a source IP address of 192.192.192.192 falls outside the dened range and is not granted access. To make this source IP address valid, you would need to shift the host to an IP address within the valid range specied by the addr and mask or modify the addr to be 192.192.192.128 and the mask to be 255.255.255.128. This would put the 192.192.192.192 host within the valid range allowed by the addr and mask (192.192.192.128-255).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
49
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1 2 3 4
Action Remote administrator connects to the switch and provides user name and password. Using Authentication/Authorization protocol, the switch sends request to authentication server. Authentication server checks the request against the user ID database. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
51
>> Main# /cfg/sys/radius >> RADIUS Server# on Current status: OFF New status: ON >> RADIUS Server# prisrv 10.10.1.1
Current primary RADIUS server: 0.0.0.0 New pending primary RADIUS server: 10.10.1.1 >> RADIUS Server# secsrv 10.10.1.2 (Enter secondary server IP)
Current secondary RADIUS server: 0.0.0.0 New pending secondary RADIUS server: 10.10.1.2
CAUTION
If you congure the RADIUS secret using any method other than a direct console connection, the secret may be transmitted over the network as clear text.
If desired, you may change the default TCP port number used to listen to RADIUS. The well-known port for RADIUS is 1812.
>> RADIUS Server# port Current RADIUS port: 1812 Enter new RADIUS port [1500-3000]: <port number>
Congure the number retry attempts for contacting the RADIUS server, and the timeout period.
>> RADIUS Server# retries Current RADIUS server retries: Enter new RADIUS server retries [1-3]:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> RADIUS Server# time Current RADIUS server timeout: Enter new RADIUS server timeout [1-10]: 10
SLB Operator
slboper
Layer 4 Operator
l4oper
Operator
oper
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
53
Description and Tasks Performed The SLB Administrator configures and manages content servers and other Internet services and their loads. In addition to SLB Operator functions, the SLB Administrator can configure parameters on the SLB menus, with the exception of not being able to configure filters or bandwidth management. The Layer 4 Administrator configures and manages traffic on the lines leading to the shared Internet services. In addition to SLB Administrator functions, the Layer 4 Administrator can configure all parameters on the SLB menus, including filters and bandwidth management. The super-user Administrator has complete access to all menus, information, and configuration commands on the switch, including the ability to change both the user and administrator passwords.
Password slbadmin
l4admin
Administrator
admin
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
TACACS+ Authentication
Nortel Application Switch Operating System supports authentication and authorization with networks using the Cisco Systems TACACS+ protocol. The Nortel Application Switch functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is dened as someone requiring management access to the Nortel Application Switch either through a data or management port. TACACS+ offers the following advantages over RADIUS: TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP-based. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers. TACACS+ offers full packet encryption whereas RADIUS offers password-only encryption in authentication requests. TACACS+ separates authentication, authorization and accounting. TACACS+ offers privilege level mapping. By enabling cmap, the privilege level can be increased from default 0-6 to 0-15. Nortel Application Switch sends command log messages to TACACS+ server when clog is enabled.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
55
3 4
Authentication server checks the request against the user ID database. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access. End
TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After the Nortel Application Switch authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without requiring re-authentication. The Nortel Application Switch informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information. During a session, if additional authorization checking is needed, the Nortel Application Switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.
Authorization
Authorization is the action of determining a users privileges on the device, and usually takes place after authentication. The mapping between TACACS+ authorization levels and Nortel Application Switch Operating System management access levels is shown in "Nortel Application Switch Operating System-Proprietary Attributes for TACACS+" (page 55).
Nortel Application Switch Operating System-Proprietary Attributes for TACACS+ Nortel Application Switch Operating System User Access Level user TACACS+ level 0
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System User Access Level slboper l4oper oper slbadmin l4admin admin
TACACS+ level 1 2 3 4 5 6
Accounting
Accounting is the action of recording a users activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization is not performed through TACACS+, there will be no TACACS+ accounting messages sent out. The approach is simple. Whenever there is successful command execution on CLI an accounting message is created by NAS and sent to the TACACS+ server. The attributes provided for the TACACS+ accounting are: protocol (console/telnet/ssh/http) start_time (in seconds, since 12am 1-1-1970) stop_time (in seconds, since 12am 1-1-1970) elapsed_time (in seconds) disc-cause (a string) Note: Other than these, cmd and cmd-arg accounting attributes is also supported for command logging.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
57
Current primary TACACS+ server: 0.0.0.0 New pending primary TACACS+ server: 10.10.1.1 >> TACACS+ Server# secsrv 10.10.1.2 (Enter secondary server IP)
Current secondary TACACS+ server: 0.0.0.0 New pending secondary TACACS+ server: 10.10.1.2
CAUTION
If you congure the TACACS+ secret using any method other than a direct console connection, the secret may be transmitted over the network as clear text.
If desired, you may change the default TCP port number used to listen to TACACS+. The well-known port for TACACS+ is 49.
>> TACACS+ Server# port Current TACACS+ port: 49 Enter new TACACS+ port [1-65000]: <port number>
Congure the number retry attempts for contacting the TACACS+ server, and the timeout period.
>>TACACS+ Server# retries Current TACACS+ server retries: Enter new TACACS+ server retries [1-3]: >> TACACS+ Server# time Current TACACS+ server timeout: Enter new TACACS+ server timeout [1-15]: 10
3 <server retries>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
End
59
Before you can use SSH commands, use the following commands to turn on SSH/SCP.
RSA host key generation starts ............................................................ ...................................................... RSA host key generation completes (lasts 212549 ms) RSA host key is being saved to Flash ROM, please dont reboot the box immediately. RSA server key generation starts ............................................................ RSA server key generation completes (lasts 75503 ms) RSA server key is being saved to Flash ROM, please dont reboot the box immediately. ----------------------------------------------------------------Apply complete; dont forget to "save" updated configuration. >> Main# /cfg/sys/access/sshd/dis (Disable SSH/SCP apply and save)
To congure the password, enter the following command via the CLI. At factory default settings, the current SCP administrator password is admin.
>> /cfg/sys/access/sshd/scpadmin Changing SCP-only Administrator password; validation required... Enter current administrator password: <password> Enter new SCP-only administrator password: <new password> Re-enter new SCP-only administrator password: <new password> New SCP-only administrator password accepted.
SCP Services
To perform SCP commands, you need the SCP admin password with administrator privileges (this password must be different from the admin password). The following SCP commands are supported in this service. These commands are entered using the CLI on the client that is running the SCP application: getcfg is used to download the switchs conguration to the remote host via SCP. putcfg is used to upload the switchs conguration from a remote host to the switch; the diff command is automatically executed at the end of putcfg to notify the remote client of the difference between the new and the current congurations. putcfg_apply runs the apply command after the putcfg is done. putcfg_apply_save saves the new conguration to the ash after putcfg_apply is done.
The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands are usually required after a putcfg; however, an SCP session is not in an interactive mode at all.
Example:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
61
>> # ssh 192.168.249.13 >> # ssh -l <login-name> 192.168.249.13 (Login to the switch)
Example:
>> # scp 192.168.249.13:getcfg applSwitch.cfg
Example:
>> # scp applSwitch.cfg 192.168.249.13:putcfg
The diff command is automatically executed at the end of putcfg to notify the remote client of the difference between the new and the current congurations. putcfg_apply runs the apply command after the putcfg is done. putcfg_apply_save saves the new conguration to the ash after putcfg_apply is done. The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands are usually required after a putcfg; however, an SCP session is not in an interactive mode at all.
Client RSA authenticates the switch at the beginning of every connection RSA 3DES-CBC, DES Local password authentication, RADIUS, SecurID (via RADIUS, for SSH onlydoes not apply to SCP)
These two commands take effect immediately without the need of an apply command. When the switch reboots, it retrieves the host and server keys from the FLASH memory. If these two keys are not available in the ash and if the SSH server feature is enabled, the switch automatically generates them during the system reboot. This process may take several minutes to complete. The switch can also automatically regenerate the RSA server key. To set the interval of RSA server key autogeneration, use this command:
>> # /cfg/sys/access/sshd/interval <number of hours (0-24)>
Note: The /cfg/sys/access/sshd/interval is only available when connected through the console port.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
63
The number of hours must range between 024. A value of 0 denotes that RSA server key autogeneration is disabled. When greater than 0, the switch autogenerates the RSA server key every specied interval; however, RSA server key generation is skipped if the switch is busy doing other key or cipher generation when the timer expires. Note: The Nortel Application Switch performs only one session of key/cipher generation at a time. Thus, an SSH/SCP client is not be able to log in if the switch is performing key generation at that time, or if another client has logged in immediately prior. Also, key generation fails if an SSH/SCP client is logging in at that time.
Using an SCP-only administrator password. Use the command, /cfg/sys/access/sshd/scpadmin to bypass the checking of SecurID. Note: The /cfg/sys/access/sshd/scpadmin command is only available when connected through the console port.
An SCP-only administrators password is typically used when SecurID is used. For example, it can be used in an automation program (in which the tokens of SecurID are not available) to back up (download) the switch congurations each day. Note: The SCP-only administrators password must be different from the regular administrators password. If the two passwords are the same, the administrator using that password is not allowed to log in as a SSH user because the switch recognizes him as the SCP-only administrator and only allow the administrator access to SCP commands. Alternately, you can congure a regular administrator with a xed password in the RADIUS server if it can be supported. A regular administrator with a xed password in the RADIUS server can perform both SSH and SCP with no additional authentication required.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
65
criterion for displaying virtual service information for end users is based on the validation of ownership of the rst real server in the group for a given virtual server port. The Nortel Application Switch Operating System has end user support for Console and Telnet access to the switch. As a result, only very limited access is granted to the Primary Administrator under the BBI/SSH1 mode of access. If RADIUS authentication is used, the user password on the Radius server will override the user password on the Nortel Application Switch. Also note that the password change command on the switch ONLY modies the use switch password and has no effect on the user password on the Radius server. Radius authentication and user password cannot be used concurrently to access the switch. Passwords can be up to 128 characters in length for TACACS, RADIUS, Telnet, SSH, Console, and Web access.
Changing Passwords
>> User ID 1 # passwd Changing user password; validation required: Enter current admin password: <current administrator password> Enter new user password: <new user password> Re-enter new user password: <new user password> New user password accepted.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
(1-1023) 23
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
67
Current User ID table: 1: name jane , ena, cos user , password valid, online real servers: 1: 10.10.10.211, disabled, name , weight 1, timeout 10 mins, maxcon 200000 2: 10.10.10.212, enabled, name , weight 1, timeout 10 mins, maxcon 200000 2: name john , ena, cos user , password valid, online real servers: 3: 10.10.10.213, enabled, name , weight 1, timeout 10 mins, maxcon 200000
Deny Routes
A deny route, or black hole route, can be congured to deny Layer 3 routable packets to destinations covered by a static route. A deny route is created by setting the gateway address in a static route to 0. If the longest prex match route (which is obtained via route lookup) is deny route, the packet is dropped. A deny route may be congured when an administrator nds a specic user or network that is under attack. For example, IP addresses in the 62.62.x.x network are under attack from an unknown source. The Nortel Application Switch can be congured temporarily with a deny route so that any trafc destined to this network is dropped. In the meantime the attack pattern and source can be detected.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
This feature is similar to a deny lter, except that it works only on routable Layer 3 trafc; it does not deny Layer 2 trafc.
Enter destination subnet mask: 255.255.0.0(And this mask address) Enter gateway IP address (for martian/deny route use 0):0 (Enter 0 to create a deny route) Enter interface number: (1-256) (A deny route will ignore an Inter face number, so dont enter one here.)
CAUTION
Do not congure a deny route that covers the destination/mask pair of an existing IP interfaces IP address/mask pair. For example, if you have an IP interface of 50.0.0.1/255.0.0.0, and a deny route of 50.0.0.0/255.0.0, then trafc to the interface as well as the subnet is deniedwhich is not the desired result.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
69
255.255.0.0
0.0.0.0
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
71
VLANs
This chapter describes network design and topology considerations for using Virtual Local Area Networks (VLANs). VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. The following topics are addressed in this chapter: "VLAN ID Numbers" (page 71) "VLAN Tagging" (page 72) "VLANs and the IP Interfaces" (page 72) This section briey describes how management functions can only be accomplished from stations on VLANs that include an IP interface to the switch. "VLAN Topologies and Design Issues" (page 72) This section discusses how you can logically connect users and segments to a host that supports many logical segments or subnets by using the exibility of the multiple VLAN system. "VLANs and Default Gateways" (page 75) Note: Basic VLANs can be congured during initial switch conguration (see "Using the Setup Utility" in the Nortel Application Switch Operating System Command Reference). More comprehensive VLAN conguration can be done from the Command Line Interface (see "VLAN Conguration" as well as "Port Conguration" in the Nortel Application Switch Operating System Command Reference).
VLAN ID Numbers
Nortel Application Switch Operating System supports up to 2048 VLANs per switch. Even though the maximum number of VLANs supported at any given time is 2048, each can be identied with any number between 1 and 4090. VLANs are dened on a per-port basis. Each port on the switch can belong to one or more VLANs, and each VLAN can have any number of switch ports in its membership. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled (see "VLAN Tagging" (page 72)).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
72 VLANs
Each port in the switch has a congurable default VLAN number, known as its PVID. The factory default value for all PVIDs is 1. This places all ports on the same VLAN initially, although each ports PVID is congurable to any VLAN number between 1 and 4090. Any untagged frames (those with no VLAN specied) are classied with the sending ports PVID.
VLAN Tagging
Nortel Application Switch Operating System software supports 802.1Q VLAN tagging, providing standards-based VLAN support for Ethernet systems. Tagging places the VLAN identier in the frame header, allowing multiple VLANs per port. When you congure multiple VLANs on a port, you must also enable tagging on that port. Since tagging fundamentally changes the format of frames transmitted on a tagged port, you must carefully plan network designs to prevent tagged frames from being transmitted to devices that do not support 802.1Q VLAN tags.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
73
Since VLANs are most commonly used to create individual broadcast domains and/or separate IP subnets, host systems should be present on more than one VLAN simultaneously. Nortel Application Switches and VLAN-tagging server adapters support multiple VLANS on a per-port or per-interface basis, allowing very exible congurations. You can congure multiple VLANs on a single VLAN-tagging server adapter, with each VLAN being congured through a logical interface and logical IP address on the host system. Each VLAN congured on the server adapter must also be congured on the switch port to which it is connected. If multiple VLANs are congured on the port, tagging must be turned on. Using this exible multiple VLAN system, you can logically connect users and segments to a host with a single VLAN-tagging adapter that supports many logical segments or subnets. Note: If a 802.1Q tagged frame is sent to a port that has vlan-tagging disabled, then the frames are dropped at the ingress port.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
74 VLANs
Description This switch is configured for three VLANs that represent three different IP subnets. Two servers and five clients are attached to the switch. This server is part of VLAN 3 and only has presence in one IP subnet. The port that the VLAN is attached to is configured only for VLAN 3, so VLAN tagging is off. This high-use server needs to be accessed from all VLANs and IP subnets. The server has a VLAN-tagging adapter installed with VLAN tagging turned on. The adapter is attached to one of the application switchs Gigabit Ethernet ports, that is configured for VLANs 1, 2, and 3. Tagging is turned on. Because of the VLAN tagging capabilities of both the adapter and the switch, the server is able to communicate on all three IP subnets in this network. Broadcast separation between all three VLANs and subnets, however, is maintained. These PCs are attached to a shared media hub that is then connected to the switch. They belong to VLAN 2 and are logically in the same IP subnet as Server 2 and PC 5. Tagging is not enabled on their switch port. A member of VLAN 1, this PC can minimize its broadcast domain to Server 2 and PC 5. A member of VLAN 3, this PC can minimize its broadcast domain to Server 1 and Server 2. A member of both VLAN 1 and VLAN 2, this PC has VLAN-tagging Gigabit Ethernet adapter installed. It can minimize its broadcast domain to Server #2 via VLAN 1, and to PC #1 and PC #2 via VLAN 2. The switch port to which it is connected is configured for both VLAN 1 and VLAN 2 and has tagging enabled.
Server #1
Server #2
PCs #1 and #2
PC #3 PC #4 PC #5
Note: VLAN tagging is required only on ports that are connected to other Nortel Application Switches or on ports that connect to tag-capable end-stations, such as servers with VLAN- tagging adapters.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
broadcast loops, port 25 is on VLAN 10, port 26 is on VLAN 109. Both switch-to-switch links are on different VLANs and, thus, are separated into their own broadcast domains.
Example 2: Parallel Links with VLANs
In this example the Gig ports are on different VLANs and Spanning Tree Protocol is disabled. For information on Spanning Tree Protocol, see "Spanning Tree Protocol" (page 93)."
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
You can congure up to 255 gateways with one gateway per VLAN with values starting from 5 through 259. If the gateways per VLAN fail, then trafc is directed to default gateways 1 through 4. Default gateways 1 through 4 are used for load balancing session requests and as backup when a specic gateway that has been assigned to a VLAN is down. In the example shown in "Default Gateways per VLAN" (page 76), if gateways 5 or 6 fail, then trafc is directed to default gateway 1, which is congured with IP address 10.10.4.1. If default gateways 1 through 4 are not congured on the switch, then packets from VLAN 2 and VLAN 3 are discarded. The route cache table on the switch records each session request by mapping the destination IP address with the MAC address of the default gateway. The command /info/l3/arp/dump on the switch command line displays the entries in the route cache similar to those shown in "Route Cache Example" (page 76). The destination IP addresses (see the last two rows) are associated with the MAC addresses of the gateways.
Route Cache Example Destination IP address 10.10.1.1 10.10.1.20 Flags P MAC address 00:60:cf:46:48:60 00:60:cf:44:cd:a0 VLAN 4 4 25 (Gig) Port Referenced SPs 1-4 empty
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Destination IP address 10.10.1.30 10.10.4.1 10.10.4.40 172.21.2.27 172.21.2.200 172.21.3.14 172.21.2.200 192.168.20.200 200.1.2.200
Flags
VLAN 4 1 1 2 2 3 3 4 4
00:60:cf:46:48:60 00:50:da:17:c8:05
00:60:cf:46:48:60 00:c0:4f:09:3e:56
2 1-4
P R R
1 2
7 8
As shown in "Route Cache Example" (page 76), trafc from VLAN 2 uses Gateway 5 to access destination IP address 192.168.20.200. If trafc from VLAN 3 requests the same destination address, then trafc is routed via Gateway 5 instead of Gateway 6, because 192.168.20.200 in the route cache is mapped to Gateway 5. If the requested route is not in the route cache, then the switch reads the routing table. If the requested route is not in the routing table, then the switch looks at the congured default Gateway.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
78 VLANs
>> /cfg/l3/if 1 >> IP Interface 1# 10.10.1.1 >> IP Interface 1# 255.255.255.0 >> IP Interface 1# >> IP Interface 1# 2 >> IP Interface 2# 10.10.4.40 >> IP Interface 2# 255.255.255.0 >> IP Interface 2# >> IP Interface 2# 3 >> IP Interface 3# 172.21.2.200 >> IP Interface 3# 255.255.255.0 >> IP Interface 3# >> IP Interface 3# 4 >> IP Interface 4# 172.21.3.200 >> IP Interface 4# 255.255.255.0 >> IP Interface 4# addr mask vlan 4 /cfg/l3/if addr mask vlan 1 /cfg/l3/if addr mask vlan 2 /cfg/l3/if addr mask vlan 3
(Select IP interface 1 for gateway 5 & 6 subnet) (Assign IP address for interface 1) (Assign mask for IF 1) (Assign VLAN 4 to IF 1) (Select IP interface 2 for gateway 1) (Assign IP address for interface 2) (Assign mask for IF 2) (Assign VLAN 1 to IF 2) (Select IP interface 3 for VLAN 2 subnet) (Assign IP address for interface 3) (Assign mask for IF 3) (Assign VLAN 2 to IF 3) (Select IP interface 4 for VLAN 3) subnet) (Assign IP address for interface 4) (Assign mask for IF 4) (Assign VLAN 3 to IF 4)
Congure the default gateways . Conguring gateways 5 and 6 for VLANs 2 and 3 respectively. Congure default gateway 1 for load balancing session requests and as backup when gateways 5 and 6 fail.
>> /cfg/l3/gw 5 addr (Select gateway 5) ( Assign IP address for gateway 5) (Select default gateway 6) addr (Assign IP address for gateway 6)
>> Default gateway 5# 10.10.1.20 >> Default gateway 5# /cfg/l3/gw 6 >> Default gateway 6# 10.10.1.30
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: The IP address for default gateways 1 to 4 must be unique. IP addresses for default gateways 5 to 259 can be set to the same IP address as the other gateways (including default gateway 1 to 4). For example, you can congure two default gateways with the same IP address for two different VLANs. 4 Add the VLANs to the gateways and enable them.
>> /cfg/l3/gw 5 vlan 2 ena (Select gateway 5) (Add VLAN 2 for default gateway 5) (Enable gateway 5) (Select gateway 6) vlan 3 ena (Add VLAN 3 for default gateway 6) (Enable gateway 6) (Select default gateway 1) ena (Enable gateway 1 for all VLAN s)
>> Default gateway 5# >> Default gateway 5# >> Default gateway 5# /cfg/l3/gw 6 >> Default gateway 6# >> Default gateway 6# >> Default gateway 6# /cfg/l3/gw 1 >> Default gateway 1#
(Optional) Congure the local networks using address and mask pairs to ensure that the VLANs use the congured default gateways.
>> Default gateway 1# /cfg/l3/frwd/local >> IP Forwarding# add 10.10.0.0 255.255.0.0 (Select the local network Menu) (Specify the network for routers 1, 2, & 3)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
80 VLANs
>> IP Forwarding# add 172.21.2.0 255.255.255.0 >> IP Forwarding# add 172.21.3.0 255.255.255.0
(Specify the network for VLAN 2) (Specify the network for VLAN 3)
End
Limitations
Jumbo frames are supported on the switch uplink ports and not supported on switch downlink ports. For information on uplink vs. downlink ports on your particular switch model, refer Nortel Application Switch Hardware Installation Guide. Jumbo frames are not supported if Bandwidth Management is enabled on the switch. Jumbo Frames are supported only for ROHS/E model Application Switches in NAS 23.2.X and 24.X.
81
extended frame sizes. End-stations installed with jumbo frames-capable Gigabit adapters, and attached to application switches can communicate across both the jumbo frame VLANs and regular frame VLANs at the same time. In the example illustrated in "Jumbo Frame VLANs" (page 81), the two servers can handle jumbo frames but the two clients cannot; therefore jumbo frames should only be enabled and used on the VLAN represented by the solid lines but not for the VLAN with the dashed lines. Jumbo frames are not supported on ports that are congured for half-duplex mode.
Jumbo Frame VLANs
VLAN number 2 with name "VLAN 2" created. -----------------------------------------------------[VLAN 2 Menu] name - Set VLAN name stg - Assign VLAN to a Spanning Tree Group cont - Set BW contract add - Add port to VLAN rem - Remove port from VLAN
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
82 VLANs
def jumbo learn ena dis del cur >> VLAN Port 25 current Confirm Current Pending >> VLAN Port 26 current Confirm Current Pending
Define VLAN as list of ports Enable/disable Jumbo Frame support Enable/disable smac learning Enable VLAN Disable VLAN Delete VLAN Display current VLAN configuration
2# add 25 is an UNTAGGED port and its PVID is 1. changing PVID from 1 to 2 [y/n]: ports for VLAN 2: empty new ports for VLAN 2: 25 2# add 26 is an UNTAGGED port and its PVID is 1. changing PVID from 1 to 2 [y/n]: ports for VLAN 2: empty new ports for VLAN 2: 25 26
>> VLAN 2#
Enable jumbo frame processing on VLAN 2, then apply and save the changes.
>> VLAN 2# jumbo enable Current jumbo frame support: disabled New jumbo frame support: enabled >> apply >> save
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Port Trunking
83
Port Trunking
Trunk groups can provide super-bandwidth, multi-link connections between Nortel Application Switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. This chapter provides conguration background and examples for trunking multiple ports together either in a static (manually congured) trunk group, or dynamic trunk group using Link Aggregation Control Protocol. The following topics are addressed in this chapter: " "Overview" (page 83) " on this page "Static Port Trunking Example" (page 85) "Link Aggregation Control Protocol Trunking" (page 87)
Overview
When using port trunk groups between two Nortel Application Switches as shown in "Port Trunk Group" (page 83), you can create a virtual link between the switches operating up to 4 Gigabits per second, depending on how many physical ports are combined. The switch supports up to 12 static trunk groups per switch, each with two to eight ports per group.
Port Trunk Group
Trunk groups are also useful for connecting a Nortel Application Switch to third-party devices that support link aggregation, such as Cisco routers and switches with EtherChannel technology (not ISL trunking technology) and Suns Quad Fast Ethernet Adapter. Nortel Networks trunk group technology is compatible with these devices when they are congured manually.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
84 VLANs
where x is the number of active ports within the trunk group. The parameters A and B are given below for different types of forwarding and frames. These two parameters are XORed together to give the hash index. The modulus x of the lower 6 bits of the hash index is then taken to give the port of the trunk group. Note: The same algorithm is used across all Nortel Application Switches including Nortel Application Switch 180 and AD series, Nortel Switched Firewall Accelerator, and Nortel Application Switches. For Layer 2 forwarding of non-IP frames: A = lower 16 bits of destination MAC address B = lower 32 bits of source MAC address
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Port Trunking
85
For L2 forwarding of IP frames: A = lower 16 bits of source IP address B = lower 32 bits of source MAC address
For L3 forwarding (enabled in WSM platform and Cheetah 20.1): A = lower 32 bits of destination IP B = lower 16 bits of source MAC
For L4 trunking (trafc towards the real servers in SLB and WCR): A = lower 32 bits of source IP B = lower 16 bits of destination MAC Note: L4 trunk hashing is currently supported only in Nortel Application Switch Operating System 21.0 and higher.
Prior to conguring each switch in the above example, you must connect to the appropriate switchs Command Line Interface (CLI) as the administrator.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
86 VLANs
Note: For details about accessing and using any of the menu commands described in this example, see the Nortel Application Switch Operating System Command Reference. In this example, two Nortel Application Switches are used. If a third-party device supporting link aggregation is used (such as Cisco routers and switches with EtherChannel technology or Suns Quad Fast Ethernet Adapter), trunk groups on the third-party device should be congured manually. Connection problems could arise when using automatic trunk group negotiation on the third-party device.
CAUTION
To prevent spanning tree instability, do not change the spanning tree parameters on individual ports belonging to any trunk group.
Step 1 2
Action Connect the switch ports that is involved in the trunk group. On application switch 1, dene a trunk group.
>> # /cfg/l2/trunk 1 >> Trunk group 1# add 2 >> Trunk group 1# add 12 >> Trunk group 1# add 25 >> Trunk group 1# ena (Select trunk group 1) (Add port 2 to trunk group 1) (Add port 12 to trunk group 1) (Add port 25 to trunk group 1) (Enable trunk group 1)
Examine the resulting information. If any settings are incorrect, make appropriate changes. 4 Save your new conguration changes.
>> Trunk group 1# save (Save for restore after reboot)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Port Trunking
87
>> # /cfg/l2/trunk 3 >> Trunk group 3# add 6 >> Trunk group 3# add 11 >> Trunk group 3# add 26 >> Trunk group 3# ena >> Trunk group 3# apply >> Trunk group 3# cur >> Trunk group 3# save
(Select trunk group 3) (Add port 6 to trunk group 3) (Add port 11 to trunk group 3) (Add port 26 to trunk group 3) (Enable trunk group 3) (Make your changes active) (View current trunking configuration) (Save for restore after reboot)
Trunk group 1 (on application switch 1) is now connected to trunk group 3 (on application switch 2). 6 Examine the trunking information on each switch.
>> /info/l2/trunk (View trunking information)
Information about each port in each congured trunk group is displayed. Make sure that trunk groups consist of the expected ports and that each port is in the expected state. The following restrictions apply: Any physical switch port can belong to only one trunk group. Up to eight ports can belong to the same trunk group. Best performance is achieved when all ports in any given trunk group are congured for the same speed. Trunking from non-Nortel devices must comply with Cisco EtherChannel technology. End
88 VLANs
When using LACP, any trunk groups you may have already congured according to the manual procedure described in "Static Port Trunking Example" (page 85) "Static Port Trunking Example" (page 85) are "static trunks." Any trunk groups using LACP are "dynamic trunks." With LACP, the maximum number of trunk groups has increased to 40; static trunks continue to be limited to trunk IDs 112, and LACP trunks use IDs 13 through 40. The Nortel Application Switch Operating System implementation of LACP allows you to group a maximum of eight physical ports into one logical port (LACP trunk group). Standby ports in LACP are created only when there are more than eight LACP ports congured in a trunk. The switch automatically assigns any non-trunked LACP-congured ports as standby ports for the LACP trunk. If any of the eight primary LACP ports fails, the switch dynamically replaces it with the standby port. The Nortel Application Switch can form trunk groups with any device which supports the IEEE 802.3ad standard. Each LACP port in the switch has a parameter called admin key. An LACP trunk group is formed with the ports with the same admin key. The value of admin key can be any integer between 1 and 65535. For example, consider two switches as shown in "Actor vs. Partner LACP conguration" (page 88).
Actor vs. Partner LACP conguration Actor Switch Port 1 (admin key = 100) Port 2 (admin key = 100) Port 3 (admin key = 100) Port 4 (admin key = 100) Partner Switch 1 Port 1 (admin key = 50) Port 2 (admin key = 50) Port 3 (admin key = 50) Port 4 (admin key = 50)
In the conguration shown in "Actor vs. Partner LACP conguration" (page 88), Actor switch ports 1-4 can aggregate to form an LACP trunk group with the Partner switch ports 1-4. Note that the port admin key value has local signicance only the admin key value for the partner switch ports can be any integer value but it should be same for all ports 1-4. In this example it is 50. Each port in the Nortel Application Switch can have one of the following LACP modes. off (default) The user can congure this port into a regular static trunk group. active
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Port Trunking
89
The port is capable of forming an LACP trunk. This port sends LACPDU packets to partner system ports. passive The port is capable of forming an LACP trunk. This port only responds to the LACPDU packets sent from an LACP active port. Each active LACP port transmits LACP data units (LACPDUs), while each passive LACP port listens for LACPDUs. During LACP negotiation, the admin key value is exchanged. The LACP trunk group is enabled as long as the information matches at both ends of the link. If the admin key value changes for a port at either end of the link, that ports association with the LACP trunk group is lost. When the system is initialized, all ports by default are in LACP off mode and are assigned unique admin keys. To make a group of ports eligible for aggregation, you assign them all the same admin key. You must set the ports LACP mode to active to activate LACP negotiation. You can set other ports LACP mode to passive, to reduce the amount of LACPDU trafc, at the initial trunk-forming stage. Note: LACP implementation in Nortel Application Switch Operating System 22.0 does not support the Churn machine, an option used for detecting the port is operable within a bounded time period between the actor and the partner. Only the Marker responder is implemented, and there is no marker protocol generator. Refer to 802.3ad-2002 for details.
Conguring LACP
Use the following procedure to congure LACP for port 1 through port 4 for the actor switch to participate in link aggregation. Perform a similar conguration on the partner switch with adminkey 50. Step 1 Action Set the LACP mode on port 1.
>> # /cfg/l2/lacp/port 1/mode >> LACP port 1# active (Select port 1 for LACP mode of operation) (Set port 1 to LACP active)
Current Port 1 LACP mode setting: off New Port 1 LACP mode setting: active
Dene the admin key on port 1. Only ports with the same admin key can form a LACP trunk group.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
90 VLANs
Current LACP port adminkey: 1 New pending LACP port adminkey: 100
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Port Teaming 91
Port Teaming
Port teaming is a feature deployed in scenarios where VRRP is not used to detect link failures. If an uplink connection fails, then the switch noties uplink routers and switches of the failure instead of waiting for the routers and switches to time out. This feature is also used to team ports or trunks so that when one port or trunk in the team is down, all others in the team are operationally disabled. The following examples create two simple port teams. The rst example creates a simple, two port team and the second creates a simple two trunk team. The following example creates a simple two port team: Step 1 Action Create a new port team.
>> Main# /cfg/l2/team 1
End
The following example creates a simple two trunk team: Step 1 Action Create a new port team.
>> Main# /cfg/l2/team 2
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
92 VLANs
In both examples above, the teams are placed in passive mode with either the ports or trunks operational. The team is in passive mode is when all ports or trunks are operational and the team is waiting for any one of the ports or trunks to become disabled. When one of the ports or trunks is disabled, the team goes to active mode and the other ports or trunks in the team are operationally disabled. The port or trunk that triggered this becomes the master port. When the master port or trunk becomes operational once more, the other ports or trunks in the team are operationally enabled. When all the ports or trunks are operational, the team goes back to passive mode. There are scenarios when, after operationally enabled, some of the other ports or trunks in the team are not operational due to a link being down or operational or conguration disabling. When this happens the team goes into off mode. In this mode, the team waits until all ports or trunks are operational before going back to passive mode to repeat the cycle. The Nortel Application Switch Operating System supports a maximum of 8 port teams. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
93
Overview
Spanning Tree Protocol (STP) detects and eliminates logical loops in a bridged or switched network. STP forces redundant data paths into a standby (blocked) state. When multiple paths exist, Spanning Tree congures the network so that a switch uses only the most efcient path. If that path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations. The relationship between port, trunk groups, VLANs, and Spanning Trees is shown in "Ports, Trunk Groups, and VLANs" (page 93).
Ports, Trunk Groups, and VLANs Switch Element Port Belongs to Trunk group or One or more VLANs One or more VLANs One Spanning Tree group
Note: Due to Spanning Trees sequence of listening, learning, and forwarding or blocking, lengthy delays may occur. For more information on using STP in cross-redundant topologies, see "Eliminating Loops with STP and VLANs" (page 577).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
94 VLANs
Bridge Priority
The bridge priority parameter controls which bridge on the network is the STP root bridge. To make one switch the root bridge, congure the bridge priority lower than all other switches and bridges on your network. The lower the value, the higher the bridge priority. The bridge priority is congured using the /cfg/l2/stg/brg/prior command in the CLI.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
95
Port Priority
The port priority helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the designated port for the segment. The port priority is congured using the /cfg/l2/stg/port/prior command in the CLI.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
96 VLANs
Creating a VLAN
When you create a VLAN, that VLAN automatically belongs to STG 1, the default STG. If you want the VLAN in another STG, you must move the VLAN by assigning it to another STG. Move a newly created VLAN to an existing STG by following this order: Create the VLAN Add the VLAN to an existing STG If ports are tagged, all trunked ports can belong to multiple STGs. A port that is not a member of any VLAN cannot be added to any STG. The port must be added to a VLAN, and that VLAN added to the desired STG.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
97
If you add untagged port 5 (which is a member to STG2) to STG1, the switch prompts you to change the PVID from 2 to 1:
"Port 5 is an UNTAGGED port and its current PVID is 2. Confirm changing PVID from 2 to 1 [y/n]:" y
When you remove a port from VLAN that belongs to an STG, that port will also be removed from the STG. However, if that port belongs to another VLAN in the same STG, the port remains in the STG. As an example, assume that port 1 belongs to VLAN1, and VLAN1 belongs to STG1. When you remove port 1 from VLAN1, port 1 is also removed from STG1. However, if port 1 belongs to both VLAN1 and VLAN2 and both VLANs belong to STG1, removing port 1 from VLAN1 does not remove port 1 from STG1 because VLAN2 is still a member of STG1.
An STG cannot be deleted, only disabled. If you disable the STG while it still contains VLAN members, Spanning Tree will be off on all ports belonging to that VLAN.
CAUTION
All ports that are within a trunk group should be congured to have the same Spanning Tree and VLAN parameters. Spanning Tree parameters should not be changed on individual ports that belong to a trunk group. To change spanning tree on one or more ports belonging to a trunk group, rst remove individual members from the trunk group before changing their spanning tree parameters.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
98 VLANs
Before the 802.1S standard, MSTP was implemented through a variety of proprietary protocols such as Nortel MSTP and Cisco PVST+. Each one of these proprietary protocols had advantages and disadvantages but they were never interoperable. The 801.S standard solves this by creating standards-based MSTP. The 802.1W standard takes the same approach in creating standards-based RSTP. In this implementation of MSTP, up to 2048 VLANs can be mapped to any of the 16 spanning tree instances. Each spanning tree instance handles multiple VLANs that have the same Layer 2 topology but each spanning tree instance can have a topology independent of other instances. As well, MSTP provides multiple forwarding paths for data trafc, enables load balancing, and improves overall network fault tolerance. This implementation of RSTP improves upon previous implementations by addressing slow convergence times. Note: By default, all newly created VLANs are members of Spanning Tree Group 1. For specic information on Multiple and Rapid Spanning Tree Protocol, refer to the following topics: "Rapid Spanning Tree Protocol" (page 102) "Multiple Spanning Tree Protocol" (page 104)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
99
With a single Spanning Tree environment, as shown in "VLAN 3 Isolated in a Single Spanning Tree Group" (page 99), you will have two links blocked to prevent loops on the network. It is possible that the blocks may be between application switches C and D and between application switches B and C, depending on the bridge priority, port priority, and port cost. The two blocks would prevent looping on the network, but the blocked link between application switches B and C will inadvertently isolate VLAN 3 altogether. Note: For more information on bridge priority, port priority, and port cost see the Nortel Application Switch Operating System Command Reference.
VLAN 3 Isolated in a Single Spanning Tree Group
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
100 VLANs
Three instances of Spanning Tree are congured in the example shown in "Implementing Multiple Spanning Tree Groups" (page 100). Refer to "Multiple Spanning Tree Groups per VLAN" (page 100) to identify the Spanning Tree group a VLAN is participating in for each switch.
Multiple Spanning Tree Groups per VLAN VLAN 1 Nortel Application Switch A Spanning Tree Group 1 Ports 1 and 2 VLAN 2 Spanning Tree Group 2 Port 8 Spanning Tree Group 1 Port 1 Spanning Tree Group 2 Port 8 VLAN 3
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
101
VLAN 1 Nortel Application Switch C Spanning Tree Group 1 Ports 1 and 2 Spanning Tree Group 1 Ports 1 and 8
VLAN 2
102 VLANs
8. Nortel Application Switch C receives this BPDU on port 8 and is identied as participating in VLAN 3, Spanning Tree group 2. Since application switch C has no additional ports participating in Spanning Tree group 2, this BPDU is not forwarded to any additional ports and application switch B remains the designated root.
103
Edge Port
A port that does not connect to a bridge is called an edge port. Edge ports are generally connected to a server. Edge ports can start forwarding as soon as the link is up. Edge ports do not take part in Spanning Tree, and should not receive BPDUs. If a port with edge enabled does receive a BPDU, it begins STP processing only if it is connected to a spanning tree bridge. If it is connected to a host, the edge port ignores BPDUs.
Link Type
The link type determines how the port behaves in regard to Rapid Spanning Tree. The link type corresponds to the duplex mode of the port. A full-duplex link is point-to-point (p2p), while a half-duplex link should be congured as shared. If you select auto as the link type, the port dynamically congures the link type.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
104 VLANs
>> Main# /cfg/l2/stg 2 >> Spanning Tree Group 2# clear >> Spanning Tree Group 2# off
(Select Spanning Tree Group 2) (Clear STP Group 2 parameters) (Turn off STP Group 2)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
105
By default, the spanning tree on the management ports is turned off in both STP/PVST+ mode and in MSTP/RSTP mode.
MSTP Region
A group of interconnected bridges that share the same attributes is called an Multiple Spanning Tree (MST) region. Each bridge within the region must share the following attributes: Alphanumeric name Version number VLAN-to STG mapping scheme
MSTP provides rapid reconguration, scalability and control due to the support of regions, and multiple Spanning-Tree instances support within each region.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
106 VLANs
Create VLAN and add ports. Once ports have been readied for VLAN membership, VLAN 3 can be created and the ports added to the VLAN.
>> Main# /cfg/l2/vlan 2 <If the VLAN was not already created, it would be created with this command.> >> VLAN 2# add 2 >> VLAN 2# add 3 >> VLAN 2# add 4
Set the mode to Multiple Spanning Tree, and congure MSTP region parameters.
>> Main# /cfg/l2/mrst >> Multiple Spanning Tree# mode mstp >> Multiple Spanning Tree# on >> Multiple Spanning Tree# name xxxxxx (Select Multiple Spanning Tree menu) (Set mode to Multiple Spanning Trees) (Turn Multiple Spanning Trees on) (Define the Region name)
107
>> Main# /cfg/l3/frwd off >> IP Forwarding# apply >> IP Forwarding# save
(Turn Layer 3 forwarding off) (Apply the configuration) (Save the configuration)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
108 VLANs
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
109
Part 2: IP Routing
This section discusses Layer 3 switching functions. In addition to switching trafc at near line rates, the application switch can perform multi-protocol routing. This section discusses basic routing and advanced routing protocols: "Basic IP Routing" (page 110) " "IPv6" (page 123) " "Routing Information Protocol" (page 126) " "Border Gateway Protocol" (page 131) "Open Shortest Path First (OSPF)" (page 146)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Basic IP Routing
This chapter provides conguration background and examples for using the Nortel Application Switch to perform IP routing functions. The following topics are addressed in this chapter: "IP Routing Benets" (page 110) "Routing Between IP Subnets" (page 110) "Example of Subnet Routing" (page 112) "Dening IP Address Ranges for the Local Route Cache" (page 117) "Dynamic Host Conguration Protocol" (page 118) "Gratuitous ARP (GARP) Command" (page 120) "Static Routes" (page 120)
IP Routing Benets
The Nortel Application Switch uses a combination of congurable IP switch interfaces and IP routing options. The switch IP routing capabilities provide the following benets: Connects the server IP subnets to the rest of the backbone network. Performs server load balancing (using both Layer 3 and Layer 4 switching in combination) to server subnets that are separate from backbone subnets. Provides another means to invisibly introduce Jumbo frame technology into the server-switched network by automatically fragmenting UDP Jumbo frames when routing to non-Jumbo frame VLANs or subnets. Provides the ability to route IP trafc between multiple Virtual Local Area Networks (VLANs) congured on the switch.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
In this example, a corporate campus has migrated from a router-centric topology to a faster, more powerful, switch-based topology. As is often the case, the legacy of network growth and redesign has left the system with a mix of illogically distributed subnets. This is a situation that switching alone cannot cure. Instead, the router is ooded with cross-subnet communication. This compromises efciency in two ways: Routers can be slower than switches. The cross-subnet side trip from the switch to the router and back again adds two hops for the data, slowing throughput considerably. Trafc to the router increases, increasing congestion.
Even if every end-station could be moved to better logical subnets (a daunting task), competition for access to common server pools on different subnets still burdens the routers. This problem is solved by using Nortel Application Switches with built-in IP routing capabilities. Cross-subnet LAN trafc can now be routed within the application switches with wire speed Layer 2 switching performance. This not only eases the load on the router but saves the network administrators from reconguring each and every end-station with new IP addresses.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Take a closer look at the Nortel Application Switch in the following conguration example:
Switch-Based Routing Topology
The Nortel Application Switch connects the Gigabit Ethernet and Fast Ethernet trunks from various switched subnets throughout one building. Common servers are placed on another subnet attached to the switch. A primary and backup router are attached to the switch on yet another subnet. Without Layer 3 IP routing on the switch, cross-subnet communication is relayed to the default gateway (in this case, the router) for the next level of routing intelligence. The router lls in the necessary address information and sends the data back to the switch, which then relays the packet to the proper destination subnet using Layer 2 switching. With Layer 3 IP routing in place on the Nortel Application Switch, routing between different IP subnets can be accomplished entirely within the switch. This leaves the routers free to handle inbound and outbound trafc for this group of subnets. To make implementation even easier, UDP Jumbo frame trafc is automatically fragmented to regular Ethernet frame sizes when routing to non-Jumbo frame VLANS or subnets. This automatic frame conversion allows servers to communicate using Jumbo frames, all transparently to the user.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: For details about accessing and using any of the menu commands described in this example, see the Nortel Application Switch Operating System Command Reference. Step 1 Action Assign an IP address (or document the existing one) for each real server, router, and client workstation. In the example topology in "Switch-Based Routing Topology" (page 112), the following IP addresses are used:
Subnet Routing Example: IP Address Assignments Subnet 1 2 3 4 Devices Primary and Secondary Default Routers First Floor Client Workstations Second Floor Client Workstations Common Servers IP Addresses 205.21.17.1 and 205.21.17.2 100.20.10.2-254 131.15.15.2-254 206.30.15.2-254
Assign an IP interface for each subnet attached to the switch. Since there are four IP subnets connected to the switch, four IP interfaces are needed:
Subnet Routing Example: IP Interface Assignments Interface IF 1 IF 2 IF 3 IF 4 Devices Primary and Secondary Default Routers First Floor Client Workstations Second Floor Client Workstations Common Servers IP Interface Address 205.21.17.3 100.20.10.1 131.15.15.1 206.30.15.1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> IP Interface 1# 2 >> IP Interface 2# 100.20.10.1 >> IP Interface 2# >> IP Interface 2# 3 >> IP Interface 3# 131.15.15.1 >> IP Interface 3# >> IP Interface 3# 4 >> IP Interface 4# 206.30.15.1 >> IP Interface 4#
(Select IP interface 2) (Assign IP address for the interface) (Enable IP interface 2) (Select IP interface 3) (Assign IP address for the interface) (Enable IP interface 3) (Select IP interface 4) (Assign IP address for the interface) (Enable IP interface 5)
Set each server and workstations default gateway to the appropriate switch IP interface (the one in the same subnet as the server or workstation). Congure the default gateways to the routers addresses. Conguring the default gateways allows the switch to send outbound trafc to the routers:
>> IP Interface 5# 1 /cfg/l3/gw addr ena (Select primary default gateway) ( Assign IP address for primary router) (Enable primary default gateway) (Select secondary default gateway) addr ena (Assign address for secondary router) ( Enable secondary default gateway)
>> Default gateway 1# 205.21.17.1 >> Default gateway 1# >> Default gateway 1# /cfg/l3/gw 2 >> Default gateway 2# 205.21.17.2 >> Default gateway 2#
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
apply /cfg/l3/cur
Examine the resulting information. If any settings are incorrect, make the appropriate changes. 6 Save your new conguration changes.
>> IP# save (Save for restore after reboot)
End
The VLANs shown in "Subnet Routing Example: Optional VLAN Ports" (page 115) are congured as follows:
>> # /cfg/l2/vlan 1 add port 1 add port 2 ena /cfg/l2/vlan 2 add port 3 add port 4 ena /cfg/l2/vlan 3 add port 5 add port 6 ena (Select VLAN 1) (Add port for 1st floor to VLAN 1) (Add port for 2nd floor to VLAN 1) (Enable VLAN 1) (Select VLAN 2) (Add port for default router 1) (Add port for default router 2) (Enable VLAN 2) (Add port for default router 3) (Select VLAN 3) (Select port for common server 1) (Enable VLAN 3)
>> VLAN 1# >> VLAN 1# >> VLAN 1# >> VLAN 1# >> VLAN 2# >> VLAN 2# >> VLAN 2# >> VLAN 2# >> VLAN 3# >> VLAN 3# >> VLAN 3#
Each time you add a port to a VLAN, you may get the following prompt:
Port 4 is an untagged port and its current PVID is 1. Confirm changing PVID from 1 to 2 [y/n] ?
Enter y to set the default Port VLAN ID (PVID) for the port. 3 Add each IP interface to the appropriate VLAN. Now that the ports are separated into three VLANs, the IP interface for each subnet must be placed in the appropriate VLAN. From "Subnet Routing Example: Optional VLAN Ports" (page 115), the settings are made as follows:
>> VLAN 3# /cfg/l3/if 1 vlan 2 /cfg/l3/if vlan 1 (Select IP interface 1 for def. routers) (Set to VLAN 2) (Select IP interface 2 for first floor) (Set to VLAN 1)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
(Select IP interface 3 for second floor) (Set to VLAN 1) (Select IP interface 4 for servers) (Set to VLAN 3)
Examine the resulting information. If any settings are incorrect, make the appropriate changes. 5 Save your new conguration changes.
>> Information# save (Save for restore after reboot)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
118 Part 2: IP Routing Local Routing Cache Address Ranges Local Host Address Range 0.0.0.0 - 127.255.255.255 128.0.0.0 - 128.255.255.255 205.32.0.0 - 205.32.255.255 Local Network Address 0.0.0.0 128.0.0.0 205.32.0.0 Local Network Mask 128.0.0.0 128.0.0.0 or 255.0.0.0 255.255.0.0
Note: Static routes must be congured within the congured range. All other addresses that fall outside the dened range are forwarded to the default gateway.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
DHCP denes the methods through which clients can be assigned an IP address for a nite lease period and allowing reassignment of the IP address to another client later. Additionally, DHCP provides the mechanism for a client to gather other IP conguration parameters it needs to operate in the TCP/IP network. In the DHCP environment, the Nortel Application Switch acts as a relay agent. The DHCP relay feature (/cfg/l3/bootp) enables the switch to forward a client request for an IP address to two BOOTP servers with IP addresses that have been congured on the switch. When a switch receives a UDP broadcast on port 67 from a DHCP client requesting an IP address, the switch acts as a proxy for the client, replacing the client source IP (SIP) and destination IP (DIP) addresses. The request is then forwarded as a UDP Unicast MAC layer message to two BOOTP servers whose IP addresses are congured on the switch. The servers respond as a a UDP Unicast message back to the switch, with the default gateway and IP address for the client. The destination IP address in the server response represents the interface address on the switch that received the client request. This interface address tells the switch on which VLAN to send the server response to the client.
In this Nortel Application Switch implementation, there is no need for primary or secondary servers. The client request is forwarded to the BOOTP servers congured on the switch. The use of two servers provide failover redundancy. However, no health checking is supported. Use the following commands to congure the switch as a DHCP relay agent:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> #
/cfg/l3/bootp addr addr2 on off cur (Set IP address of BOOTP server) (Set IP address of 2nd BOOTP server) (Globally turn BOOTP relay on) (Globally turn BOOTP relay off) (Display current configuration)
>> Bootstrap Protocol Relay# >> Bootstrap Protocol Relay# >> Bootstrap Protocol Relay# >> Bootstrap Protocol Relay# >> Bootstrap Protocol Relay#
Additionally, DHCP Relay functionality can be assigned on a per interface basis. Use the following command to enable the Relay functionality:
>> #/cfg/l3/if <interface number> /relay ena
Static Routes
A switch has two basic mechanisms for learning networking routes. The primary mechanism is through the use of routing protocols like the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) protocol. Routes learned in this manner are often referred to dynamic routes because they are updated periodically by the routing protocols to reect the current conditions in the network. For more information on these protocols and their use, refer to "Routing Information Protocol" (page 126) and "Open Shortest Path First (OSPF)" (page 146). Switches also learn networking routes through static routes. Static routes are manually entered into the switch by an administrator. Although whole networks could be built upon static routes, they do not have the capacity to change without user intervention and therefore do not adequately represent the every changing reality of an enterprise network. It is because of this that static routes have an important but limited role in the enterprise network. Typically static routes are used in situations when a protocol like RIP or OSPF cannot provide the information necessary to create connectivity between two nodes.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For example, a node in a network that is running OSPF may need to know the route to a node in a network that is not running OSPF. OSPF would not be able to provide information about either network to its counterpart. In this situation, a static route should be used to provide connectivity. The Nortel Application Switch supports both IPv4 and IPv6 static routes through the Layer 3 conguration menu. Up to 128 IPv4 and 128 IPv6 static routes are supported.
IPv4 static routes are removed from the switch using the /cfg/l3/route/ip4/rem command. This command has the following syntax:
>> Main#/cfg/l3/route/ip4/rem <destination> <mask>
The IPv4 static routes that are currently part of the switch conguration can be displayed using the /cfg/l3/route/ip4/cur command. This command has no parameters.
IPv6 static routes are removed from the switch using the /cfg/l3/route/ip6/rem command. This command has the following syntax:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The IPv6 static routes that are currently part of the switch conguration can be displayed using the /cfg/l3/route/ip6/cur command. This command has no parameters.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
IPv6 123
IPv6
IPv6, or Internet Protocol version 6, is a network layer protocol intended to expand the network address spaces of IPv4. IPv6 will differ in a number of ways from IPv4 that makes it more robust and expandable protocol as the need for physical address space goes up. IPv6 was mainly conceived as a protocol to help alleviate the shortage of available network addresses. Currently, IPv4 supports the creation and use of approximately 4 billion IP addresses. IPv6 expands the number of available addresses to approximately 3.4 x 1038. IPv6 is dened in RFC 2373, RFC 2460, and RFC 2461. The Nortel Application Switch Operating System 24.0 supports IPv6 in a number of different areas. Refer to the individual feature sections for details on the level of support. This section describes the basic conguration and management of IPv6 on the switch.
Some address can contain long sequences of zeros. A contiguous sequence of zeros can be compressed to :: (double colon). For example, the address of FE80:0:0:0:2AA:FF:FA:4CA2 can be compressed to FE80::2AA:FF:FA:4CA2. Unlike IPv4, a subnet mask is not used for IPv6 addresses. IPv6 uses prex length for network identier. For example,
21DA:D300:0000:2F3C::/64
Unicast Address
There are two types of unicast addresses: Global Unicast address: An address that can be reached and identied globally.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Global Unicast addresses use the high-order bit range from 2000 to 3FFF. If the last 64 bits of the address are not congured, Nortel Application Switch Operating System will default automatically to utilize the EUI-64 (Extended Unique Identier 64-bit) address format. RFC 3513 denes the expanding of the Ethernet MAC address based on a 48-bit format into a 64-bit EUI-64 format. The interface ID must be unique within the same subnet. Link-local unicast address: An address used to communicate with a neighbor on the same link. Link-local addresses use the high-order bit range from FE80 to FEBF. Link-local unicast addresses are automatically congured on the interface by using the link-local prex FE80::/10 and the interface identier in EUI-64 format for its low-order 64-bit. Link-local packets are not routed between subnets.
Multicast
A multicast address (FF00 - FFFF) is an identier for a group interface. The multicast address most often encountered is a solicited-mode multicast address using prex FF02::1:FF00:0000/104 with the low-order 24 bits of the unicast or anycast address.
Anycast
Anycast addresses can be global unicast, site-local or link-local addresses used for a one-to-nearest node member of the anycast group communication. Nortel Application Switch Operating System does not support anycast addresses.
Specify the interface number when pinging to a IPv6 link-local unicast address.
>> IP6 Neighbor Discovery Protocol# ping6 fe80::20d:56 ff:fe22:df09 Enter interface number: (1-256) 200 fe80:0:0:0:20d:56ff:fe22:df09 is alive
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
IPv6 125
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Stability
RIP includes a number of other stability features that are common to many routing protocols. For example, RIP implements the split horizon and hold-down mechanisms to prevent incorrect routing information from being propagated. RIP prevents routing loops from continuing indenitely by implementing a limit on the number of hops allowed in a path from the source to a destination. The maximum number of hops in a path is 15. The network destination network is considered unreachable if increasing the metric value by 1 causes the metric to be 16 (that is innity). This limits the maximum diameter of a RIP network to less than 16 hops. RIP is often used in stub networks and in small autonomous systems that do not have many redundant paths.
Routing Updates
RIP sends routing-update messages at regular intervals and when the network topology changes. Each router " advertises" routing information by sending a routing information update every 30 seconds. If a router doesnt receive an update from another router for 180 seconds, those routes provided by that router are declared invalid. After another 120 seconds without receiving an update for those routes, the routes are removed from the routing table and respective regular updates.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
127
When a router receives a routing update that includes changes to an entry, it updates its routing table to reect the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop. RIP routers maintain only the best route (the route with the lowest metric value) to a destination. For more information see the Conguration Menu, Routing Information Protocol Conguration (/cfg/l3/rip) in the Nortel Application Switch Operating System 24.0 Command Reference (NN47220-105).
RIPv1
RIP version 1 uses broadcast User Datagram Protocol (UDP) data packets for the regular routing updates. The main disadvantage is that the routing updates do not carry subnet mask information. Hence, the router cannot determine whether the route is a subnet route or a host route. It is of limited usage after the introduction of RIPv2. For more information about RIPv1 and RIPv2, refer to RFC 1058 and RFC 2453.
RIPv2
RIPv2 is the most popular and preferred conguration for most networks. RIPv2 expands the amount of useful information carried in RIP messages and provides a measure of security. For a detailed explanation of RIPv2, refer to RFC 1723 and RFC 2453. RIPv2 improves efciency by using multicast UDP (address 224.0.0.9) data packets for regular routing updates. Subnet mask information is provided in the routing updates. A security option is added for authenticating routing updates, by using a shared password. Nortel Application Switch Operating System 24.0 supports using clear text passwords for RIPv2.
For a detailed description of RIP version 2, refer to RFC 1723 and 2453.
RIPv1 routers as recipients, the routing updates have to carry natural or host mask. Hence, it is not a recommended conguration for most network topologies. Note: When using both RIPv1 and RIPv2 within a network, use a single subnet mask throughout the network.
RIP Features
Nortel Application Switch Operating System 24.0 provides the following features to support RIPv1 and RIPv2:
Poison
Simple split horizon in the RIP scheme omits routes learned from one neighbor in updates sent to that neighbor. That is the most common conguration used in RIP network topology. Split horizon with poisoned reverse includes such routes in updates, but sets their metrics to 16. The disadvantage of using this feature is the increase of size in the routing updates. So, it is recommended to disable split horizon with poisoned reverse.
Triggered updates
Triggered updates are an attempt to speed up convergence. When Triggered Updates is enabled, whenever a router changes the metric for a route, it sends update messages almost immediately, without waiting for the regular update interval. It is recommended to enable Triggered Updates.
Multicast
RIPv2 messages use IP multicast address (224.0.0.9) for periodic broadcasts. Multicast RIPv2 announcements are not processed by RIPv1 routers. To congure RIPv2 in RIPv1 compatibility mode, set multicast to DISABLE.
Default
The RIP router can listen and supply a default route, usually represented as 0.0.0.0 in the routing table. When a router does not have an explicit route to a destination network in its routing table, it uses the default route to forward those packets.
Metric
The metric eld contains a congurable value between 1 and 15 which species the current metric for the interface. The metric value typically indicates the total number of hops to the destination. The metric value of 16 represents an unreachable destination.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
129
Authentication
RIPv2 authentication uses clear text passwords for authentication. If congured using Authentication password, then it is necessary to enter an authentication key value. The following method is used to authenticate a RIP message: If the router is not congured to authenticate RIPv2 messages, then RIPv1 and unauthenticated RIPv2 messages are accepted; authenticated RIPv2 messages are discarded. If the router is congured to authenticate RIPv2 messages, then RIPv1 messages and RIPv2 messages which pass authentication testing are accepted; unauthenticated and failed authentication RIPv2 messages are discarded.
For maximum security, RIPv1 messages are ignored when authentication is enabled. If not, the routing information from authenticated messages is propagated by RIPv1 routers in an unauthenticated manner.
Port 2 is an UNTAGGED port and its current PVID is 1. Confirm changing PVID from 1 to 2 [y/n]: y >> VLAN 2# /cfg/l2/vlan 3/ena >> VLAN 3# add 3 (Enable VLAN 3) (Add port EXT3 to VLAN 3)
Port 3 is an UNTAGGED port and its current PVID is 1. Confirm changing PVID from 1 to 3 [y/n]: y
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> IP Interface 2# /cfg/l3/if 3/ena >> IP Interface 3# addr 103.1.1.1 >> IP Interface 3# vlan 3
Use the /maint/route/dump command to check the current valid routes in the routing table of the switch. For those RIP learnt routes within the garbage collection period, routes phasing out of the routing table with metric 16, use the /info/l3/routes/dump command. Locally congured static routes do not appear in the RIP Routes table. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
131
BGP-based Global Server Load Balancing utilizes the Internets routing protocols to localize content delivery to the most efcient and consistent site. For more information on BGP-based GSLB, see "Using Border Gateway Protocol for GSLB" (page 767).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Static routes, should have a higher degree of precedence than dynamic routing protocols. If the destination route is not in the route cache, then the packets are forwarded to the default gateway which may be incorrect if a dynamic routing protocol is enabled. It is also useful to tell routers outside your network (upstream providers or peers) about the routes you can access in your network. External networks (those outside your own) that are under the same administrative control are referred to as autonomous systems (AS). Sharing of routing information between autonomous systems is known as external routing. External BGP (eBGP) is used to exchange routes between different autonomous systems whereas internal BGP (iBGP) is used to exchange routes within the same autonomous system. An iBGP is a type of internal routing protocol you can use to do active routing inside your network. It also carries AS path information, which is important when you are an ISP or doing BGP transit. Note: The iBGP peers must be part of a fully meshed network, as shown in "iBGP and eBGP" (page 132).
iBGP and eBGP
Typically, an AS has one or more border routerspeer routers that exchange routes with other ASsand an internal routing scheme that enables routers in that AS to reach every other router and destination within that AS. When you advertise routes to border routers on other autonomous systems, you are effectively committing to carry data to the IP space represented in the route being advertised. For example, if you advertise 192.204.4.0/24, you are declaring that if another router sends you data destined for any address in 192.204.4.0/24, you know how to carry that data to its destination.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
133
A route map allows you to match attributes, such as metric, network address, and AS number. It also allows users to overwrite the local preference metric and to append the AS number in the AS route. See "BGP Failover Conguration" (page 139). The Nortel Application Switch Operating System allows you to congure 32 route maps. Each route map can have up to eight access lists. Each access list consists of a network lter. A network lter denes an IP address and subnet mask of the network that you want to include in the lter. "Distributing Network Filters in Access Lists and Route Maps" (page 134) illustrates the relationship between route maps, access lists and network lters.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
134 Part 2: IP Routing Distributing Network Filters in Access Lists and Route Maps
Precedence
You can set a priority to a route map by specifying a precedence value with the following command:
>> /cfg/l3/rmap <x> /pre (Specify a precedence)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
135
The smaller the value the higher the precedence. If two route maps have the same precedence value, the smaller number has higher precedence.
Conguration Overview
To congure route maps, you need to do the following: Step 1 Action Dene network lter.
>> # /cfg/l3/nwf 1 >> IP Network Filter 1# addr <IP address> >> IP Network Filter 1# mask <IP mask> >> IP Network Filter 1# ena (Specify a network filter number) (Specify network address) (Specify network mask) (Enable network filter)
Enter a lter number from 1 to 256. Specify the IP address and subnet mask of the network that you want to match. Enable the network lter. You can distribute up to 256 network lters among 32 route maps each containing eight access lists. 2 (Optional) Dene the criteria for the access list and enable it. Specify the access list and associate the network lter number congured in Step 1.
>> # /cfg/l3/rmap 1 >> IP Route Map 1# alist 1 >> IP Access List 1# nwf 1 >> IP Access List 1# metric >> IP Access List 1# action deny >> IP Access List 1# ena (Specify a route map number) (Specify the access list number) (Specify the network filter number) (Define a metric) (Specify action for the access list) (Enable the access list)
Steps 2 and 3 are optional, depending on the criteria that you want to match. In Step 2, the network lter number is used to match the subnets dened in the network lter. In Step 3, the autonomous system number is used to match the subnets. Or, you can use both (Step 2 and Step 3) criteria: access list (network lter) and access path (AS lter) to congure the route maps.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Set up the BGP attributes. If you want to overwrite the attributes that the peer router is sending, then dene the following BGP attributes: Specify the AS numbers that you want to prepend to a matched route and the local preference for the matched route. Specify the metric [Multi Exit Discriminator (MED)] for the matched route.
>> # /cfg/l3/rmap 1 >> IP Route Map 1# ap >> IP Route Map 1# lp >> IP Route Map 1# med (Specify a route map number) (Specify the AS numbers to prepend) (Specify the local preference) (Specify the metric)
Assign the route map to a peer router. Select the peer router and then add the route map to the incoming route map list,
>> # /cfg/l3/bgp/peer 1/addi (Add to the incoming route map)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
137
End
Aggregating Routes
Aggregation is the process of combining several different routes in such a way that a single route can be advertised, which minimizes the size of the routing table. You can congure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table. When a subnet is redistributed from an Interior Gateway Protocol (IGP) into BGP, only the network route is injected into the BGP table. By default, this automatic summarization is disabled. To dene the route to aggregate, use the following commands:
>> # /cfg/l3/bgp >> Border Gateway Protocol# aggr 1 >> BGP aggr 1 # addr >> BGP aggr 1 # mask >> BGP aggr 1 # ena (Specify BGP) (Specify aggregate list number) (Enter aggregation network address) (Enter aggregation network mask) (Enable aggregation)
An example of creating a BGP aggregate route is shown in "Default Redistribution and Route Aggregation Example" (page 143).
Redistributing Routes
In addition to running multiple routing protocols simultaneously, the Nortel Application Switch Operating System software can redistribute information from one routing protocol to another. For example, you can instruct the switch to use BGP to readvertise static routes. This applies to all of the IP-based routing protocols. You can also conditionally control the redistribution of routes between routing domains by dening a method known as route maps between the two domains. For more information on route maps, see "What is a Route Map?" (page 133). Redistributing routes is another way of providing policy control over whether to export OSPF routes, xed routes, static routes, and virtual IP address routes. For an example conguration, see "Default Redistribution and Route Aggregation Example" (page 143). Default routes can be congured using the following methods: Import
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
OriginateThe router sends a default route to peers even though it does not have any default routes in its routing table. RedistributeDefault routes are either congured through the default gateway or learned via other protocols and redistributed to peer routers. If the default routes are from the default gateway, enable the static routes because default routes from the default gateway are static routes. Similarly, if the routes are learned from another routing protocol, make sure you enable that protocol for redistribution. None
BGP Attributes
The following two BGP attributes are discussed in this section: Local preference and metric (Multi-Exit Discriminator).
139
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
As shown in "BGP Failover Conguration Example" (page 140), the switch is connected to ISP 1 and ISP 2. The customer negotiates with both ISPs to allow the Application switch to use their peer routers as default gateways. The ISP peer routers will then need to announce themselves as default gateways to the Application switch.
BGP Failover Conguration Example
On the Application switch, one peer router (the secondary one) is congured with a longer AS path than the other, so that the peer with the shorter AS path will be seen by the switch as the primary default gateway. ISP 2, the secondary peer, is congured with a metric of "3," thereby appearing to the switch to be three router hops away. Step 1 Action Congure the switch as you normally would for Server Load Balancing (SLB). Assign an IP address to each of the real servers in the server pool. Dene each real server. Dene a real server group. Dene a virtual server. Dene the port conguration.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
141
For more information about SLB conguration, refer to "Server Load Balancing" (page 188)." 2 Dene the VLANs. For simplicity, both default gateways are congured in the same VLAN in this example. The gateways could be in the same VLAN or different VLANs.
>> # /cfg/l2/vlan 1 >> vlan 1# add <port number> (Select VLAN 1) (Add a port to the VLAN membership)
Dene the IP interfaces. The switch needs an IP interface for each default gateway to which it is connected. Each interface needs to be placed in the appropriate VLAN. These interfaces is used as the primary and secondary default gateways for the switch.
>> /cfg/l3/arp/rearp 10 >> IP# /cfg/l3/metric strict >> IP# if 1 >> IP Interface 1# ena >> IP Interface 1# addr 200.200.200.1 >> IP Interface 1# mask 255.255.255.0 >> IP Interface 1# /cfg/l3/if 2 >> IP Interface 2# ena >> IP Interface 2# addr 210.210.210.1 >> IP Interface 2# mask 255.255.255.0 (Set re-ARP period for interface to 10) (Set metric for default gateway) (Select default gateway interface 1) (Enable switch interface 1) (Configure IP address of interface 1) (Configure IP subnet address mask) (Select default gateway interface 2) (Enable switch interface 2) (Configure IP address of interface 2) (Configure IP subnet address mask)
Enable IP forwarding.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
IP forwarding is enabled by default and is used for VLAN-to-VLAN (non-BGP) routing. Make sure IP forwarding is enabled if the default gateways are on different subnets or if the switch is connected to different subnets and those subnets need to communicate through the switch (which they almost always do).
>> /cfg/l3/frwd/on (Enable IP forwarding)
Note: To help eliminate the possibility for a Denial of Service (DoS) attack, the forwarding of directed broadcasts is disabled by default. 5 Globally turn on BGP.
>> # /cfg/l3/bgp/on
Congure BGP peer router 1 and 2. Peer 1 is the primary gateway router. Peer 2 is congured with a metric of 3. The metric option is key to ensuring gateway trafc is directed to Peer 1, as it makes Peer 2 appear to be three router hops away from the switch. Thus, the switch should never use it unless Peer 1 goes down.
>> # /cfg/l3/bgp/peer 1 >> BGP Peer 1# ena >> BGP Peer 1# addr 200.200.20 0.2 >> BGP Peer 1# if 200.200.200.1 >> BGP Peer 1# ras 100 >> BGP Peer 1# /cfg/l3/bgp/peer 2 >> BGP Peer 2# ena >> BGP Peer 2# addr 210.210.21 0.2 >> BGP Peer 2# if 210.210.210.1 >> BGP Peer 2# ras 200 >> BGP Peer 2# metric 3 (Select BGP peer router 1) (Enable this peer configuration) (Set IP address for peer router 1) (Set IP interface for peer router 1) (Set remote AS number) (Select BGP peer router 2) (Enable this peer configuration) (Set IP address for peer router 2) (Set IP interface for peer router 2) (Set remote AS number) (Set AS path length to 3 router hops)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
143
The metric command in the peer menu tells the Nortel Application Switch to create an AS path of "3" when advertising via BGP. 7 On the switch, apply and save your conguration changes.
>> BGP Peer 2# apply >> save (Make your changes active) (Save for restore after reboot)
End
Step 1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Congure the AS number (AS 135) and router ID number (10.1.1.135). The router ID number must be a unique number and does not have to be an IP address. However, for convenience, this id is typically one of IP addresses assigned in IP interfaces.
>> # /cfg/l3/bgp >> Border Gateway Protocol# as 135 (Select the BGP menu) (Specify an AS number)
>> Border Gateway Protocol# /cfg/l3/rtrid 10.1.1.135 (Specify the router ID number)
Congure aggregation policy control. Congure the routes that you want aggregated.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
145
>> # /cfg/l3/bgp/aggr 1 >> BGP Aggr 1# addr 135.0.0.0 >> BGP Aggr 1# mask 255.0.0.0 >> BGP Aggr 1# ena
(Set aggregation number) (Add IP address to aggregate 1) (Add IP mask to aggregate 1) (Enable route aggregation)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
OSPF Overview
OSPF is designed for routing trafc within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. All routing devices maintain link information in their own Link State Database (LSDB). The LSDB for all routing devices within an area is identical but is not exchanged between different areas. Only routing updates are exchanged between areas, thereby signicantly reducing the overhead for maintaining routing information on a large, dynamic network. The following sections describe key OSPF concepts.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
147
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Open Shortest Path First (OSPF) OSPF Domain and an Autonomous System
149
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
151
Typically, an AS has one or more border routers (peer routers that exchange routes with other OSPF networks) as well as an internal routing system enabling every router in that AS to reach every other router and destination within that AS. When a routing device advertises routes to boundary routers on other autonomous systems, it is effectively committing to carry data to the IP space represented in the route being advertised. For example, if the routing device advertises 192.204.4.0/24, it is declaring that if another router sends data destined for any address in the 192.204.4.0/24 range, it will carry that data to its destination.
OSPF Implementation
Nortel Application Switch Operating System supports a single instance of OSPF and up to 4 K routes on the network. The following sections describe OSPF implementation in Nortel Application Switch Operating System: "Congurable Parameters" (page 151) "Dening Areas" (page 152) "Interface Cost" (page 154) "Electing the Designated Router and Backup" (page 154) "Summarizing Routes" (page 155) "Default Routes" (page 155) "Virtual Links" (page 156) "Router ID" (page 157) "Authentication" (page 158) "Host Routes for Load Balancing" (page 160)
Congurable Parameters
In Nortel Application Switch Operating System, OSPF parameters can be congured through the Command Line Interface (CLI)
The CLI supports the following parameters: interface output cost, interface priority, dead and hello intervals, retransmission interval, and interface transmit delay. In addition to the above parameters, you can also specify the following: Shortest Path First (SPF) intervalTime interval between successive calculations of the shortest path tree using the Dijkstras algorithm. Stub area metricA stub area can be congured to send a numeric metric value such that all routes received via that stub area carry the congured metric to potentially inuence routing decisions.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Default routesDefault routes with weight metrics can be manually injected into transit areas. This helps establish a preferred route when multiple routing devices exist between two areas. It also helps route trafc to external networks.
Dening Areas
If you are conguring multiple areas in your OSPF domain, one of the areas must be designated as area 0, known as the backbone. The backbone is the central OSPF area and is usually physically connected to all other areas. The areas inject routing information into the backbone which, in turn, disseminates the information into other areas. Since the backbone connects the areas in your network, it must be a contiguous area. If the backbone is partitioned (possibly as a result of joining separate OSPF networks), parts of the AS will be unreachable, and you will need to congure virtual links to reconnect the partitioned areas (see "Virtual Links" (page 156)). Up to three OSPF areas can be connected to the Nortel Application Switch with Nortel Application Switch Operating System software. To congure an area, the OSPF number must be dened and then attached to a network interface on the switch. The full process is explained in the following sections. An OSPF area is dened by assigning two pieces of informationan area index and an area ID. The command to dene an OSPF area is as follows:
>> # /cfg/l3/ospf/aindex <area index> /areaid <n.n.n.n>
Note: The aindex option above is an arbitrary index used only on the switch and does not represent the actual OSPF area number. The actual OSPF area number is dened in the areaid portion of the command as explained in the following sections.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
153
(Use index 0 to set area 0 in ID octet format) (Use index 1 to set area 1 in ID octet format)
For example, the following commands could be used to congure IP interface 14 for a presence on the 10.10.10.1/24 network, to dene OSPF area 1, and to attach the area to the network:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> # /cfg/l3/if 14 >> IP Interface 14# addr 10.10.10.1 >> IP Interface 14# mask 255.255.2 55.0 >> IP Interface 14# ena >> IP Interface 14# /cfg/l3/ospf/a index 1 >> OSPF Area (index) 1 # areaid 0.0.0.1 >> OSPF Area (index) 1 # ena >> OSPF Area (index) 1 # /cfg/l3/ ospf/if 14 >> OSPF Interface 14# aindex 1 >> OSPF Interface 14# enable
(Select menu for IP interface 14) (Define IP address on backbone network) (Define IP mask on backbone) (Enable IP interface 14) (Select menu for area index 1) (Define area ID as OSPF area 1) (Enable area index 1) (Select OSPF menu for interface 14) (Attach area to network on interface 14) (Enable interface 14 for area index 1)
Interface Cost
The OSPF link-state algorithm (Dijkstras algorithm) places each routing device at the root of a tree and determines the cumulative cost required to reach each destination. Usually, the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth. You can manually enter the cost for the output route with the following command:
>> # /cfg/l3/ospf/if <OSPF interface number> /cost <cost value (1-65535)>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
155
A priority value of 255 is the highest, and 1 is the lowest. A priority value of 0 species that the interface cannot be used as a DR or BDR. In case of a tie, the routing device with the highest router ID wins.
Summarizing Routes
Route summarization condenses routing information. Without summarization, each routing device in an OSPF network would retain a route to every subnet in the network. With summarization, routing devices can reduce some sets of routes to a single advertisement, reducing both the load on the routing device and the perceived complexity of the network. The importance of route summarization increases with network size. Summary routes can be dened for up to 16 IP address ranges using the following command:
>> # /cfg/l3/ospf/range <range number> /addr <IP address> /mask <mask>
where <range number> is a number 1 to 16, <IP address> is the base IP address for the range, and <mask> is the IP address mask for the range. For a detailed conguration example, see "Example 3: Summarizing Routes" (page 173).
Default Routes
When an OSPF routing device encounters trafc for a destination address it does not recognize, it forwards that trafc along the default route. Typically, the default route leads upstream toward the backbone until it reaches the intended area or an external router. Each Nortel Application Switch acting as an ABR automatically inserts a default route into each attached area. In simple OSPF stub areas or NSSAs with only one ABR leading upstream (see Area 1 in "Injecting Default Routes" (page 156)), any trafc for IP address destinations outside the area is forwarded to the switchs IP interface, and then into the connected transit area (usually the backbone). Since this is automatic, no further conguration is required for such areas.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
In more complex OSPF areas with multiple ABRs or ASBRs (such as area 0 and area 2 in "Injecting Default Routes" (page 156)), there are multiple routes leading from the area. In such areas, trafc for unrecognized destinations cannot tell which route leads upstream without further conguration. To resolve the situation and select one default route among multiple choices in an area, you can manually congure a metric value on each ABR. The metric assigns a priority to the ABR for its selection as the priority default route in an area. The following command is used for setting the metric value:
>> # /cfg/l3/ospf/default <metric value> <metric type (1 or 2)>
where <metric value> sets the priority for choosing this switch for default route. The value none sets no default and 1 sets the highest priority for default route. Metric type determines the method for inuencing routing decisions for external routes. To clear a default route metric from the switch, use the following command:
>> # /cfg/l3/ospf/default none
Virtual Links
Usually, all areas in an OSPF AS are physically connected to the backbone. In some cases where this is not possible, you can use avirtual link. Virtual links are created to connect one area to the backbone through another non-backbone area (see "OSPF Area Types" (page 148)).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
157
The area which contains a virtual link must be a transit area and have full routing information. Virtual links cannot be congured inside a stub area or NSSA. The area type must be dened as transit using the following command:
>> # /cfg/l3/ospf/aindex <area index> /type transit
The virtual link must be congured on the routing devices at each endpoint of the virtual link, though they may traverse multiple routing devices. To congure a Nortel Application Switch as one endpoint of a virtual link, use the following command:
>> # /cfg/l3/ospf/virt <link number> /aindex <area index> /nbr <router ID>
where<link number> is a value between 1 and 3, <area index> is the OSPF area index of the transit area, and <router ID> is the IP address of the virtual neighbor (nbr), the routing device at the target endpoint. Another router ID is needed when conguring a virtual link in the other direction. To provide the Nortel Application Switch with a router ID, see the following section "Router ID" (page 157). For a detailed conguration example on Virtual Links, see "Example 2: Virtual Links" (page 167).
Router ID
Routing devices in OSPF areas are identied by a router ID. The router ID is expressed in IP address format. The IP address of the router ID is not required to be included in any IP interface range or in any OSPF area. The router ID can be congured in one of the following two ways: DynamicallyOSPF protocol congures the lowest IP interface IP address as the router ID. This is the default. StaticallyUse the following command to manually congure the router ID:
>> # /cfg/l3/rtrid <IP address>
To modify the router ID from static to dynamic, set the router ID to 0.0.0.0, save the conguration, and reboot the Nortel Application Switch. To view the router ID, enter:
>> # /info/l3/ospf/gen
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Authentication
OSPF protocol exchanges can be authenticated so that only trusted routing devices can participate. This ensures less processing on routing devices that are not listening to OSPF packets. OSPF allows packet authentication and uses IP multicast when sending and receiving packets. Routers participate in routing domains based on predened passwords. Nortel Application Switch Operating System supports simple password (type 1 plain text passwords) and MD5 cryptographic authentication. This type of authentication allows a password to be congured per area. "OSPF Authentication" (page 158) shows authentication congured for area 0 with the password test. Simple authentication is also congured for the virtual link between area 2 and area 0. Area 1 is not congured for OSPF authentication.
OSPF Authentication
To congure simple plain text OSPF passwords on the Nortel Application Switches shown in "OSPF Authentication" (page 158) use the following commands: Step 1 Action Enable OSPF authentication for Area 0 on Nortel Application Switches 1, 2, and 3.
>> # /cfg/l3/ospf/aindex 0/auth password (Turn on OSPF password authentication)
Congure a simple text password up to eight characters for each OSPF IP interface in Area 0 on Nortel Application Switches 1, 2, and 3.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
159
# /cfg/l3/ospf/if 1 OSPF Interface 1 # key test OSPF Interface 1 # /cfg/l3/ospf/if 2 OSPF Interface 2 # key test OSPF Interface 1 # /cfg/l3/ospf/if 3 OSPF Interface 3 # key test
Congure a simple text password up to eight characters for the virtual link between Area 2 and Area 0 on Nortel Application Switches 2 and 4.
>> # /cfg/l3/ospf/virt 1/key alteon
Use the following commands to congure MD5 authentication on the Nortel Application Switches shown in "OSPF Authentication" (page 158): End
Step 1
Action Enable OSPF MD5 authentication for Area 0 on Nortel Application Switches 1, 2, and 3.
>> # /cfg/l3/ospf/aindex 0/auth md5 (Turn on MD5 authentication)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
# /cfg/l3/ospf/if 1 OSPF Interface 1 # mdkey 1 OSPF Interface 1 # /cfg/l3/ospf/if 2 OSPF Interface 2 # mdkey 1 OSPF Interface 1 # /cfg/l3/ospf/if 3 OSPF Interface 3 # mdkey 1
Congure MD5 key for the virtual link between Area 2 and Area 0 on Nortel Application Switches 2 and 4.
>> # /cfg/l3/ospf/md5key 2/key alteon
Assign MD5 key ID to OSPF virtual link on Nortel Application Switches 2 and 4.
>> # /cfg/l3/ospf/virt 1/mdkey 2
End
161
ABR Failover Complementing ABR load sharing, identical host routes can be congured on each ABR. These host routes can be given different costs so that a different ABR is selected as the preferred route for each virtual server and the others are available as backups for failover purposes.
If redundant routes via multiple routing processes (such as OSPF, RIP, BGP, or static routes) exist on your network, the application switch defaults to the OSPF-derived route. For a conguration example, see "Example 4: Host Routes" (page 176).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
where metric sets the OSPF cost for the route and metric type (either 1 or 2) determines whether the routes cost includes or excludes external costs of the route. If you want to remove a previous conguration to export all the routes of a protocol, then use the parameter "none" to the export command.
/cfg/l3/ospf/redist <protocol name> /export none
OSPF does not require you to set all the elds in the route map menu. However, set the following parameters in the route maps and network lter menu: Step 1 Action Enable the route map.
/cfg/l3/rmap <route map number> /ena
If a route map is added to a protocol for redistribution, and if the routes of that protocol match any of the routes in the access lists, and if action is set to permit, then those routes are redistributed into OSPF using the metric and metric type assigned for that route map. Metric sets the priority for choosing this switch for default route.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
163
To redistribute routes matched by the route map, the action in the alist must be set to permit. If the action is set to deny the routes matched by the route map is not be redistributed. 5 Link a network lter to the access list.
/cfg/l3/rmap <route map number> /alist <access list number> /nwf <network filter number>
End
Metric type determines the method for inuencing routing decisions for external routes. 2 Match the metric of the protocol route.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Metric value sets the priority for choosing this switch for the route. The value none sets no default and 1 sets the highest priority for the route. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
165
Step 1
Action Congure IP interfaces. One IP interface is required for each desired network (range of IP addresses) being assigned to an OSPF area on the Nortel Application Switch.
(Optional) Congure the router ID. The router ID is required only when conguring virtual links on the Nortel Application Switch.
3 4 5
Enable OSPF on the switch. Dene the OSPF areas. Congure OSPF interface parameters. IP interfaces are used for attaching networks to the various areas.
6 7 8
(Optional) Congure route summarization between OSPF areas. (Optional) Congure virtual links. (Optional) Congure host routes. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Follow this procedure to congure OSPF support as shown in "A Simple OSPF Domain" (page 165): Step 1 Action Congure IP interfaces on each network that is attached to OSPF areas. In this example, two IP interfaces are needed: one for the backbone network on 10.10.7.0/24 and one for the stub area network on 10.10.12.0/24.
>> # /cfg/l3/if 1 >> IP Interface 1 # addr 10.10.7.1 >> IP Interface 1 # mask 255.255.255.0 >> IP Interface 1 # enable >> IP Interface 1 # /cfg/l3/if 2 >> IP Interface 2 # addr 10.10.12.1 >> IP Interface 2 # mask 255.255.255.0 >> IP Interface 2 # enable (Select menu for IP interface 1) (Set IP address on backbone network) (Set IP mask on backbone network) (Enable IP interface 1) (Select menu for IP interface 2) (Set IP address on stub area network) (Set IP mask on stub area network) (Enable IP interface 2)
Enable OSPF.
>> IP Interface 2 # /cfg/l3/os pf/on (Enable OSPF on the Nortel Application Switch)
Dene the backbone. The backbone is always congured as a transit area using areaid 0.0.0.0.
>> Open Shortest Path First # aindex 0 >> OSPF Area (index) 0 # areaid 0.0.0.0 >> OSPF Area (index) 0 # type transit >> OSPF Area (index) 0 # enable (Select menu for area index 0) (Set the ID for backbone area 0) (Define backbone as transit type) (Enable the area)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
167
End
Congure the router ID. A router ID is required when conguring virtual links. Later, when conguring the other end of the virtual link on Nortel Application Switch 2, the router ID specied here is used as the target virtual neighbor (nbr) address.
>> IP Interface 2 # /cfg/l3/rt rid 10.10.10.1 (Set static router ID on Nortel Application Switch 1)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
169
Enable OSPF.
>> IP # /cfg/l3/ospf/on (Enable OSPF on Nortel Application Switch 1)
Dene the transit area. The area that contains the virtual link must be congured as a transit area.
>> OSPF Area (index) 0 # /cfg/l3/ospf/aindex 1(Select menu for area index 1) >> OSPF Area (index) 1 # areaid 0.0.0.1 >> OSPF Area (index) 1 # type transit >> OSPF Area (index) 1 # enable (Set the area ID for OSPF area 1) (Define area as transit type) (Enable the area)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> OSPF Interface 1 # /cfg/l3/ospf/if 2 >> OSPF Interface 2 # aindex 1 >> OSPF Interface 2 # enable
(Select OSPF menu for IP interface 2) (Attach network to transit area index) (Enable the transit area interface)
Congure the virtual link. The nbr router ID congured in this step must be the same as the router ID that is congured for Switch #2 in step 2.
>> OSPF Interface 2 # /cfg/l3/ospf/virt 1 >> OSPF Virtual Link 1 # aindex 1 >> OSPF Virtual Link 1 # nbr 10.10.14.1 >> OSPF Virtual Link 1 # enable (Specify a virtual link number) (Specify the transit area for the virtual link) (Specify the router ID of the recipient) (Enable the virtual link)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
171
>> # /cfg/l3/if 1 >> IP Interface 1 # addr 10.10.12.2 >> IP Interface 1 # mask 255.255.255.0 >> IP Interface 1 # enable >> IP Interface 1 # /cfg/l3/if 2 >> IP Interface 2 # addr 10.10.24.1 >> IP Interface 2 # mask 255.255.255.0 >> IP Interface 2 # enable
(Select menu for IP interface 1) (Set IP address on transit area net- work) (Set IP mask on transit area network) (Enable IP interface 1) (Select menu for IP interface 2) (Set IP address on stub area network) (Set IP mask on stub area network) (Enable IP interface 2)
Congure the router ID. A router ID is required when conguring virtual links. This router ID should be the same one specied as the target virtual neighbor (nbr) on Nortel Application Switch 1 in Step 8.
>> IP Interface 2 # /cfg/l3/rt rid 10.10.14.1 (Set static router ID on Nortel Application Switch 2)
Enable OSPF.
>> IP# /cfg/l3/ospf/on (Enable OSPF on Nortel Application Switch 2)
Dene the backbone. This version of Nortel Application Switch Operating System requires that a backbone index be congured on the non-backbone end of the virtual link as follows:
>> Open Shortest Path First # aindex 0 >> OSPF Area (index) 0 # areaid 0.0.0.0 >> OSPF Area (index) 0 # enable (Select the menu for area index 0) (Set the area ID for OSPF area 0) (Enable the area)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> OSPF Area (index) 0 # /cfg/l3/ospf/aindex 1(Select menu for area index 1) >> OSPF Area (index) 1 # areaid 0.0.0.1 >> OSPF Area (index) 1 # type transit >> OSPF Area (index) 1 # enable (Set the area ID for OSPF area 1) (Define area as transit type) (Enable the area)
Congure the virtual link. The nbr router ID congured in this step must be the same as the router ID that was congured for Nortel Application Switch #1 in Step 2.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
173
>> OSPF Interface 2 # /cfg/l3/ospf/virt 1 >> OSPF Virtual Link 1 # aindex 1 >> OSPF Virtual Link 1 # nbr 10.10.10.1 >> OSPF Virtual Link 1 # enable
(Specify a virtual link number) (Specify the transit area for the virtual link) (Specify the router ID of the recipient) (Enable the virtual link)
10
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: You can specify a range of addresses to prevent advertising by using the hide option. In this example, routes in the range 36.128.200.0 through 36.128.200.255 are kept private. Follow this procedure to congure OSPF support as shown in "Summarizing Routes" (page 174): Step 1 Action Congure IP interfaces for each network which is attached to OSPF areas.
>> # /cfg/l3/if 1 >> IP Interface 1 # addr 10.10.7.1 >> IP Interface 1 # mask 255.255.255.0 >> IP Interface 1 # ena >> IP Interface 1 # /cfg/l3/if 2 >> IP Interface 2 # addr 36.128.192.1 >> IP Interface 2 # mask 255.255.192.0 >> IP Interface 2 # ena (Select menu for IP interface 1) (Set IP address on backbone network) (Set IP mask on backbone network) (Enable IP interface 1) (Select menu for IP interface 2) (Set IP address on stub area network) (Set IP mask on stub area network) (Enable IP interface 2)
Enable OSPF.
>> IP Interface 2 # /cfg/l3/os pf/on (Enable OSPF on the Nortel Application Switch)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
175
Congure route summarization by specifying the starting address and mask of the range of addresses to be summarized
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> OSPF Interface 2 # /cfg/l3/ospf/range 1 >> OSPF Summary Range 1 # addr 36.128.192.0 >> OSPF Summary Range 1 # mask 255.255.192.0 >> OSPF Summary Range 1 # aindex 0 >> OSPF Summary Range 1 # enable
(Select menu for summary range) (Set base IP address of summary range) (Set mask address for summary range) (Inject summary route into backbone) (Enable summary range)
Use the hide command to prevent a range of addresses from advertising to the backbone.
>> OSPF Interface 2 # /cfg/l3/ospf/range 2 >> OSPF Summary Range 2 # addr 36.128.200.0 >> OSPF Summary Range 2 # mask 255.255.255.0 >> OSPF Summary Range 2 # hide enable (Select menu for summary range) (Set base IP address) (Set mask address) (Hide the range of addresses)
End
177
route with a low cost for virtual server 10.10.10.1 and another host route with a high cost for virtual server 10.10.10.2. Nortel Application Switch #2 is congured with the same hosts but with the costs reversed; one host route has a high cost for virtual server 10.10.10.1 and another has a low cost for virtual server 10.10.10.2. All four host routes are injected into the upstream router and advertised externally. Trafc comes in for both virtual server IP addresses (10.10.10.1 and 10.10.10.2). The upstream router sees that both addresses exist on both Nortel Application Switches and uses the host route with the lowest cost for each. Trafc for 10.10.10.1 goes to Nortel Application Switch #1 because its host route has the lowest cost for that address. Trafc for 10.10.10.2 goes to Nortel Application Switch #2 because its host route has the lowest cost. This effectively shares the load among ABRs. Both Nortel Application Switches then use standard server load balancing to distribute trafc among available real servers. In addition, if one of the Nortel Application Switches were to fail, the upstream routing device would forward the trafc to the ABR whose host route has the next lowest cost. In this example, the remaining Nortel Application Switch would assume the entire load for both virtual servers.
Conguring OSPF Host Routes
>> Virtual server 1 # /cfg/l3/if 1 >> IP Interface 1 # addr 10.10.10.5 >> IP Interface 1 # enable >> IP Interface 1 # /cfg/l3/if 2 >> IP Interface 2 # addr 100.100.100.40 >> IP Interface 2 # enable
(Select menu for IP interface 1) (Set IP address on backbone network) (Enable IP interface 1) (Select menu for IP interface 2) (Set IP address on stub area network) (Enable IP interface 2)
Congure basic SLB parameters. Nortel Application Switch 1 is connected to two real servers. Each real server is given an IP address and is placed in the same real server group.
>> # /cfg/slb/real 1 >> Real server 1 # rip 100.100.100.25 >> Real server 1 # ena >> Real server 1 # /cfg/slb/rea l 2 >> Real server 2 # rip 100.100.100.26 >> Real server 2 # ena >> Real server 2 # /cfg/slb/gr oup 1 >> Real server group 1 # add 1 >> Real server group 1 # add 2 >> Real server group 1 # enable >> Real server group 1 # /cfg/slb/on (Select menu for real server 1) (Set the IP address for real server 1) (Enable the real server) (Select menu for real server 2) (Set the IP address for real server 2) (Enable the real server) (Select menu for real server group 1) (Add real server 1 to group) (Add real server 2 to group) (Enable the group) (Turn SLB on)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
179
Congure the primary virtual server. Nortel Application Switch # 1 is preferred for virtual server 10.10.10.1.
>> Layer 4 # /cfg/slb/virt 1 >> Virtual server 1 # vip 10.10.10.1 >> Virtual server 1 # ena >> Virtual server 1 # service http >> Virtual server 1 http service # group 1 (Select menu for virtual server 1) (Set the IP address for virtual server 1) (Enable the virtual server) (Select menu for service on virtual server) (Use real server group 1 for http service)
Congure the backup virtual server. Nortel Application Switch # 1 acts as a backup for virtual server 10.10.10.2. Both virtual servers in this example are congured with the same real server group and provide identical services.
>> Virtual server 2 http service # /cfg/slb/virt 2(Select menu for virtual server 2) >> Virtual server 1 # vip 10.10.10.2 >> Virtual server 1 # ena >> Virtual server 1 # service http >> Virtual server 1 # group 1 (Set the IP address for virtual server 2) (Enable the virtual server) (Select menu for service on virtual server) (Use real server group 1 for http service)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
10
11
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
181
12
Congure host routes. One host route is needed for each virtual server on Nortel Application Switch 1. Since virtual server 10.10.10.1 is preferred for Nortel Application Switch 1, its host route has a low cost. Because virtual server 10.10.10.2 is used as a backup in case Nortel Application Switch 2 fails, its host route has a high cost. Note: You do not need to enable redistribution (/cfg/l3/ospf/redist) if you congure virtual server routes as host routes.
>> OSPF Interface 2 # /cfg/l3/ospf/host 1 >> OSPF Host Entry 1 # addr 10.10.10.1 >> OSPF Host Entry 1 # aindex 0 >> OSPF Host Entry 1 # cost 1 >> OSPF Host Entry 1 # enable >> OSPF Host Entry 1 # /cfg/l3/ospf/host 2 >> OSPF Host Entry 2 # addr 10.10.10.2 >> OSPF Host Entry 2 # aindex 0 >> OSPF Host Entry 2 # cost 100 >> OSPF Host Entry 2 # enable (Select menu for host route 1) (Set IP address same as virtual server 1) (Inject host route into backbone area) (Set low cost for preferred path) (Enable the host route) (Select menu for host route 2) (Set IP address same as virtual server 2) (Inject host route into backbone area) (Set high cost for use as backup path) (Enable the host route)
Note: When a service goes down, the corresponding host route is removed from advertising. 13 Apply and save the conguration changes.
>> OSPF Host Entry 2 # apply >> OSPF Host Entry 2 # save (Global command to apply all changes) (Global command to save all changes)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Congure the virtual server parameters. The same virtual servers are congured as on Nortel Application Switch 1.
>> Layer 4 # /cfg/slb/virt 1 >> Virtual server 1 # vip 10.10.10.1 >> Virtual server 1 # enable >> Virtual server 1 # service http (Select menu for virtual server 1) (Set the IP address for virtual server 1) (Enable the virtual server) (Select menu for service on virtual server)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
183
>> Virtual server 2 http service # /cfg/slb/virt 2 (Select menu for virtual server 2) >> Virtual server 1 # vip 10.10.10.2 >> Virtual server 1 # enable >> Virtual server 1 # service http >> Virtual server 1 # group 1 (Set the IP address for virtual server 2) (Enable the virtual server) (Select menu for service on virtual server) (Use real server group 1 for http service)
Congure IP interfaces for each network that will be attached to OSPF areas.
>> Virtual server 1 # /cfg/l3/if 1 >> IP Interface 1 # addr 10.10.10.6 >> IP Interface 1 # enable >> IP Interface 1 # /cfg/l3/if 2 >> IP Interface 2 # addr 100.100.100.41 >> IP Interface 2 # enable (Select menu for IP Interface 1) (Set IP address on backbone network) (Enable IP interface 1) (Select menu for IP Interface 2) (Set IP address on stub area network) (Enable IP interface 2)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Congure host routes. Host routes are congured just like those on Nortel Application Switch 1, except their costs are reversed. Since virtual server 10.10.10.2 is preferred for Nortel Application Switch 2, its host route has been given a low cost. Because virtual server 10.10.10.1 is used as a backup in case Nortel Application Switch 1 fails, its host route has been given a high cost.
>> OSPF Interface 2 # /cfg/l3/ospf/host 1 >> OSPF Host Entry 1 # addr 10.10.10.1 >> OSPF Host Entry 1 # aindex 0 (Select menu for host route 1) (Set IP address same as virtual server 1) (Inject host route into backbone area)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
185
>> OSPF Host Entry 1 # cost 100 >> OSPF Host Entry 1 # enable >> OSPF Host Entry 1 # /cfg/l3/ospf/host 2 >> OSPF Host Entry 2 # addr 10.10.10.2 >> OSPF Host Entry 2 # aindex 0 >> OSPF Host Entry 2 # cost 1 >> OSPF Host Entry 2 # enable
(Set high cost for use as backup path) (Enable the host route) (Select menu for host route 2) (Set IP address same as virtual server 2) (Inject host route into backbone area) (Set low cost for primary path) (Enable the host route)
10
End
Refer to the Nortel Application Switch Operating System Command Reference for information on the above commands.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
187
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For additional information on SLB commands, Nortel Application Switch Operating System Command Reference.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
189
As users are added and the server pools capabilities are saturated, new servers can be added to the pool transparently.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
190 Part 3: Application Switching Fundamentals Traditional Versus SLB Network Congurations
To provide load balancing for any particular type of service, each server in the pool must have access to identical content, either directly (duplicated on each server) or through a back-end network (mounting the same le system or database server). The Nortel Application Switch, with SLB software, acts as a front-end to the servers, interpreting user session requests and distributing them among the available servers. Load balancing in Nortel Application Switch Operating System can be done in the following ways: Virtual server-based load balancing This is the traditional load balancing method. The switch is congured to act as a virtual server and is given a virtual server IP address (or range of addresses) for each collection of services it distributes. Depending on your switch model, there can be as many as 1023 virtual servers on the switch, each distributing up to eight different services. Each virtual server is assigned a list of the IP addresses (or range of addresses) of the real servers in the pool where its services reside. When the user stations request connections to a service, they communicate with a virtual server on the switch. When the switch receives the request, it binds the session to the IP address of the best available real server and remaps the elds in each frame from virtual addresses to real addresses. HTTP, IP, FTP, RTSP, IDS, and static session WAP are examples of some of the services that use virtual servers for load balancing. Filtered-based load balancing A lter allows you to control the types of trafc permitted through the switch. Filters are congured to allow, deny, or redirect trafc according
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
191
to the IP address, protocol, or Layer 4 port criteria. In ltered-based load balancing, a lter is used to redirect trafc to a real server group. If the group is congured with more than one real server entry, redirected trafc is load balanced among the available real servers in the group. Firewalls, WAP with RADIUS snooping, IDS, and WAN links use redirection lters to load balance trafc. Content-based load balancing Content-based load balancing uses Layer 7 application data (such as URL, cookies, and Host Headers) to make intelligent load balancing decisions. URL-based load balancing, browser-smart load balancing, and cookie-based preferential load balancing are a few examples of content-based load balancing.
Such a company has three primary needs: Increased server availability Server performance scalable to match new customer demands Easy administration of network and servers
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
192 Part 3: Application Switching Fundamentals Web Hosting with SLB Solutions
All the issues can be addressed by adding an Nortel Application Switch with SLB software. Reliability is increased by providing multiple paths from the clients to the Nortel Application Switch and by accessing a pool of servers with identical content. If one server fails, the others can take up the additional load. Performance is improved by balancing the Web request load across multiple servers. More servers can be added at any time to increase processing power. For ease of maintenance, servers can be added or removed dynamically, without interrupting shared services.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
193
Identical content must be available to each server in the same pool. Either of these methods can be used: Static applications and data are duplicated on each real server in the pool. Each real server in the pool has access to the same data through use of a shared le system or back-end database server.
Some services require that a series of client requests go to the same real server so that session-specic state data can be retained between connections. Services of this nature include Web search results, multi-page forms that the user lls in, or custom Web-based applications typically created using cgi-bin scripts. Connections for these types of services must be congured as persistent (see "Persistence" (page 588) ") or must use the minmisses, hash, phash metrics (see "Metrics for Real Server Groups" (page 202)). Clients and servers can be connected through the same switch port. Each port in use on the switch can be congured to process client requests, server trafc, or both. You can enable or disable processing on a port independently for each type of Layer 4 trafc. Layer 4 client processing: Ports that are congured to process client request trafc provide address translation from the virtual server IP to the real server IP address. Layer 4 server processing: Ports that are congured to process server responses to client requests provide address translation from the real server IP address to the virtual server IP address. These
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
ports require real servers to be connected to the Nortel Application Switch directly or through a hub, router, or another switch. Note: Switch ports congured for Layer 4 client/server processing can simultaneously provide Layer 2 switching and IP routing functions. Consider the following network topology:
Example Network for Client/Server Port Conguration
In "Example Network for Client/Server Port Conguration" (page 194), the switch load balances trafc to a Web server pool and to a Domain Name System (DNS) server pool. The switch port connected to the Web server pool (port 11) is asked to perform both server and client processing.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
195
The real servers in any given real server group must have an IP route to the switch that performs the SLB functions. This IP routing is most easily accomplished by placing the switches and servers on the same IP subnet, although advanced routing techniques can be used as long as they do not violate the topology rules outlined in "Network Topology Requirements" (page 192). For this example, the three hosts (real servers) have been given the following IP addresses on the same IP subnet:
Web Host Example: Real Server IP Addresses Real Server Server A Server B Server C IP address 200.200.200.2 200.200.200.3 200.200.200.4
Note: An imask option can be used to dene a range of IP addresses for real and virtual servers (see "IP Address Ranges Using imask" (page 201)). 2 Dene an IP interface on the switch. The switch must have an IP route to all of the real servers that receive switching services. For SLB, the switch uses this path to determine the level of TCP/IP reach of the real servers. To congure an IP interface for this example, enter these commands from the CLI:
>> # /cfg/l3/if 1 >> IP Interface 1# addr 200.200.200.100 >> IP Interface 1# ena (Select IP interface 1) (Assign IP address for the interface) (Enable IP interface 1)
Note: The IP interface and the real servers must belong to the same VLAN, if they are in the same subnet. This example assumes that all ports and IP interfaces use default VLAN 1, requiring no special VLAN conguration for the ports or IP interface. 3 Dene each real server. For each real server, you must assign a real server number, specify its actual IP address, and enable the real server. For example:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> IP Interface 1# /cfg/slb/real 1 >> Real server 1# rip 200.200.200.2 >> Real server 1# ena >> Real server 1# /cfg/slb/real 2 >> Real server 2# rip 200.200.200.3 >> Real server 2# ena >> Real server 2# /cfg/slb/real 3 >> Real server 3# rip 200.200.200.4 >> Real server 3# ena
(Server A is real server 1) (Assign Server A IP address) (Enable real server 1) (Server B is real server 2) (Assign Server B IP address) (Enable real server 2) (Server C is real server 3) (Assign Server C IP address) (Enable real server 3)
Dene a real server group and add the three real servers to the service group.
>> Real server 3# /cfg/slb/group 1 >> Real server group 1# add 1 >> Real server group 1# add 2 >> Real server group 1# add 3 (Select real server group 1) (Add real server 1 to group 1) (Add real server 2 to group 1) (Add real server 3 to group 1)
Dene a virtual server. All client requests is addressed to a virtual server IP address on a virtual server dened on the switch. Clients acquire the virtual server IP address through normal DNS resolution. In this example, HTTP is congured as the only service running on this virtual server, and this service is associated with the real server group. For example:
>> Real server group 1# /cfg/slb/virt 1 >> Virtual server 1# vip 200.200.200.1 >> Virtual server 1# ena (Select virtual server 1) (Assign a virtual server IP address) (Enable the virtual server)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
197
>> Virtual server 1# service http >> Virtual server 1 http Service# group 1
(Select the HTTP service menu) (Associate virtual port to real group)
Note: This conguration is not limited to HTTP Web service. Other TCP/IP services can be congured in a similar fashion. For a list of other well-known services and ports, see "Well-Known Application Ports" (page 199). To congure multiple services, see "Conguring Multiple Services" (page 202). 6 Dene the port settings. In this example, the following ports are being used on the Nortel Application Switch:
Web Host Example: Port Usage Port 1 2 3 4 Host Server A serves SLB requests. Server B serves SLB requests. Server C serves SLB requests. Back-end NFS server provides centralized content for all three real servers. This port does not require switching features. Client router A connects the switch to the Internet where client requests originate. Client router B connects the switch to the Internet where client requests originate. L4 Processing Server Server Server None
5 6
Client Client
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> SLB port 3# /cfg/slb/port 5 >> SLB port 5# client ena >> SLB port 5# /cfg/slb/port 6 >> SLB port 6# client ena
(Select physical switch port 5) (Enable client processing on port 5) (Select physical switch port 6) (Enable client processing on port 6)
Examine the resulting information. If any settings are incorrect, make the appropriate changes. 8 Save your new conguration changes.
>> Layer 4# save (Save for restore after reboot)
Note: You must apply any changes in order for them to take effect, and you must save changes if you wish them to remain in effect after switch reboot. 9 Check the SLB information.
>> Layer 4# /info/slb/dump (View SLB information)
Check that all SLB parameters are working according to expectation. If necessary, make any appropriate conguration changes and then check the information again. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
199
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Number 53 69
Number 1985
Note: Load balancing some applications (such as FTP and RTSP) require special conguration. See "Load Balancing Special Services" (page 254) for more information.
When the current session count on your server falls to zero, you can shut down your server. If you have congured persistence on the real server, use the following command with the p (persistent) option to suspend connection assignments (except for persistent http 1.0 sessions) to the real server:
>> # /oper/slb/dis <real server number> p
When the current session count on your server falls to zero and when persistent sessions for the real server have aged out (refer to the persistence parameters you have set for this real server), you can shut down your server. For more information (see "Persistence" (page 588) "). When maintenance is complete, use the following command to enable the real server:
>> # /oper/slb/ena <real server number>
The switch resumes assignment of connections to this real server immediately. Following table is the behavior comparison of >> # /oper/slb/dis and >> # /cfg/slb/dis.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
201
Behavior Clearing all old sessions immediately after executing command Allowing persistent HTTP 1.0 sessions
>> # /oper/slb/dis No
Yes/No
NA
The grace option is enabled only if the real server is in "failed" state and not in "disabled" state (failed by health check). For example, consider HTTP service when grace option is enabled. After handling client requests for some time the real server is marked failed by health check, but the remaining sessions to the real server are still kept to maintain previous connections from client to the real server.
If the client request was sent to virtual server IP address 172.16.10.45, the unmasked portion of the address (0.0.0.45) gets mapped directly to whichever real server IP address is selected by the SLB algorithm. Thus, the request would be sent to either 172.16.20.45 or 172.16.30.45.
>> # /cfg/slb/real <real server number> >> Real server# inter 4 >> Real server# retry 6
(Select the real server) (Check real server every 4 seconds) (Declare down after 6 checks fail)
For more complex health-checking strategies, see "Health Checking" (page 463)."
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
203
Minimum Misses
The minmisses metric is optimized for application redirection. It uses IP address information in the client request to select a server. When selecting a server, the switch calculates a value for each available real server based on the relevant IP address information. The server with highest value is assigned the connection. This metric attempts to minimize the disruption of persistency when servers are removed from service. This metric should be used only when persistence is a must. By default the minmiss algorithm uses the upper 24-bits of the source IP address to calculate the real server that the trafc should be sent to when the minmiss metric is selected. The Nortel Application Switch Operating System allows the selection of all 32-bits of the source IP address to hash to the real server. The source or destination IP address information used depends on the application: For application redirection, the client destination IP address is used. All requests for a specic IP destination address is sent to the same server. This metric is particularly useful in caching applications, helping to maximize successful cache hits. Best statistical load balancing is achieved when the IP address destinations of load-balanced frames are spread across a broad range of IP subnets. For SLB, the client source IP address and real server IP address are used. All requests from a specic client are sent to the same server. This metric is useful for applications where client information must be retained on the server between sessions. With this metric, server load becomes most evenly balanced as the number of active clients with different source or destination addresses increases. To select all 32-bits of the source IP address, use the command, /cfg/slb/group x/mhash 32. This 32-bit hash is most useful in the wireless world. The minmisses metric cannot be used for rewall load balancing, since the real server IP addresses used in calculating the score for this metric are different on each side of the rewall.
Hash
The hash metric uses IP address information in the client request to select a server. The specic IP address information used depends on the application: For Application Redirection, the client destination IP address is used. All requests for a specic IP destination address is sent to the same server. This is particularly useful for maximizing successful cache hits.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For SLB, the client source IP address is used. All requests from a specic client is sent to the same server. This option is useful for applications where client information must be retained between sessions. For FWLB, both the source and destination IP addresses are used to ensure that the two unidirectional ows of a given session are redirected to the same rewall.
When selecting a server, a mathematical hash of the relevant IP address information is used as an index into the list of currently available servers. Any given IP address information will always have the same hash result, providing natural persistence, as long as the server list is stable. However, if a server is added to or leaves the set, then a different server might be assigned to a subsequent session with the same IP address information even though the original server is still available. Open connections are not cleared. The phash metric can be used to maintain stable server assignment. For more information, see "Persistent Hash" (page 204). Note: The hash metric provides more distributed load balancing than minmisses at any given instant. It should be used if the statistical load balancing achieved using minmisses is not as optimal as desired. If the load balancing statistics with minmisses indicate that one server is processing signicantly more requests over time than other servers, consider using the hash metric. Persistent Hash The phash metric provides the best features of hash and minmisses metrics together. This metric provides stable server assignments like the minmiss metric and even load distribution like the hash metric. When you select the phash metric for a group, a baseline hash is assumed based on the congured real servers that are enabled for the group. If the server selected from this baseline hash is unavailable, then the old hash metric is used to nd an available server. If all the servers are available, then phash operates exactly like hash. When a congured server becomes unavailable, then clients bound to operational servers will continue to be bound to the same servers for future sessions and clients bound to unavailable servers are rehashed to an operational server using the old hash metric. With phash however, when more servers go down, then you will not have an even load distribution as you would with the standard hash metric.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
205
Tunable Hash By default, the hash metric has used the clients source IP address as the parameter for directing a client request to a real server. In environments where multiple users are sharing the same proxy, and thus the same source IP address, a load balancing hash on the source IP address would direct all users to the same real server. Tunable hash allows the user to select the parameters (source IP, or source IP and source port) that are used when hashing is chosen as the load balancing metric.
Least Connections
With the leastconns metric, the number of connections currently open on each real server is measured in real time. The server with the fewest current connections is considered to be the best choice for the next client connection request. This option is the most self-regulating, with the fastest servers typically getting the most connections over time.
Round Robin
With the roundrobin metric, new connections are issued to each server in turn; that is, the rst real server in the group gets the rst connection, the second real server gets the next connection, followed by the third real server, and so on. When all the real servers in this group have received at least one connection, the issuing process starts over with the rst real server.
Response Time
The response metric uses real server response time to assign sessions to servers. The response time between the servers and the switch is used as the weighting factor. The switch monitors and records the amount of time it takes for each real server to reply to a health check to adjust the real server weights. The weights are adjusted so they are inversely proportional to a moving average of response time. In such a scenario, a server with half the response time as another server receives a weight twice as large. Note: The effects of the response weighting apply directly to the real servers and are not necessarily conned to the real server group. When response time-metered real servers are also used in other real server groups that use the leastconns or roundrobin metrics, the response weights are applied on top of the leastconns or roundrobin calculations for the affected real servers. Since the response weight changes dynamically, this can produce uctuations in trafc distribution for the real server groups that use the leastconns or roundrobin metrics.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth
The bandwidth metric uses real server octet counts to assign sessions to a server. The switch monitors the number of octets sent between the server and the switch. Then, the real server weights are adjusted so they are inversely proportional to the number of octets that the real server processes during the last interval. Servers that process more octets are considered to have less available bandwidth than servers that have processed fewer octets. For example, the server that processes half the amount of octets over the last interval receives twice the weight of the other servers. The higher the bandwidth used, the smaller the weight assigned to the server. Based on this weighting, the subsequent requests go to the server with the highest amount of free bandwidth. These weights are automatically assigned. The bandwidth metric requires identical servers with identical connections. Note: The effects of the bandwidth weighting apply directly to the real servers and are not necessarily conned to the real server group. When bandwidth-metered real servers are also used in other real server groups that use the leastconns or roundrobin metrics, the bandwidth weights are applied on top of the leastconns or roundrobin calculations for the affected real servers. Since the bandwidth weight changes dynamically, this can produce uctuations in trafc distribution for the real server groups that use the leastconns or roundrobin metrics.
Readjusting server weights based on SNMP health check response Nortel Application Switch Operating System can be congured to dynamically change weights of real servers based on a health check response using the Simple Network Management Protocol (SNMP). To enable dynamic assignment of weights based on the response to an SNMP health check, enter the following commands:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
207
>> # /cfg/slb/adv/snmphc < SNMP health script number> >> SNMP Health Check 1# weight e (Enable weighting via SNMP health check)
For more information on conguring SNMP health checks, see "SNMP Health Check" (page 483).
The example above would change the time-out period of all connections on the designated real server to four minutes.
Values average from approximately 500 HTTP connections for slower servers to 1500 for quicker, multiprocessor servers. The appropriate value also depends on the duration of each session and how much CPU capacity is occupied by processing each session. Connections that use a lot of Java or CGI scripts for forms or searches require more server resources and thus a lower maxcon limit. You may wish to use a performance benchmark tool to determine how many connections your real servers can handle. When a server reaches its maxcon limit, the switch no longer sends new connections to the server. When the server drops back below the maxcon limit, new sessions are again allowed.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
End
Backup/Overow Servers
A real server can backup other real servers and can handle overow trafc when the maximum connection limit is reached. Each backup real server must be assigned a real server number and real server IP address. It must then be enabled. Finally, the backup server must be assigned to each real server that it will back up. The following denes real server 4 as a backup/overow for real servers 1 and 2:
>> # /cfg/slb/real 4 >> Real server 4# rip 200.200.200.5 >> Real server 4# ena >> Real server 4# /cfg/slb/real 1 >> Real server 1# backup 4 >> Real server 1# /cfg/slb/real 2 >> Real server 2# backup 4 >> Real server 2# overflow enabled (Select real server 4 as backup) (Assign backup IP address) (Enable real server 4) (Select real server 1) (Real server 4 is backup for 1) (Select real server 2) (Real server 4 is backup for 2) (Overflow enabled)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
209
In a similar fashion, a backup/overow server can be assigned to a real server group. If all real servers in a real server group fail or overow, the backup comes online.
>> # /cfg/slb/group <real server group number> >> Real server group# backup r4 (Select real server group) (Assign real server 4 as backup)
Real server groups can also use another real server group for backup/overow:
>> # /cfg/slb/group <real server group number> >> Real server group# backup g2 (Select real server group) (Assign real server group 2 as backup)
In a similar fashion, a backup/overow server can be assigned to a real server group. If all real servers in a real server group fail the backup comes online.
>> # /cfg/slb/group <real server group number> >> Real server group# backup r4 (Select real server group) (Assign real server 4 as backup)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Real server groups can also use another real server group for backup:
>> # /cfg/slb/group <real server group number> >> Real server group# backup g2 (Select real server group) (Assign real server group 2 as backup)
Connection Pooling
The Nortel Application Switch Operating System supports connection pooling to the Nortel Application Switch. This feature multiplexes client and server connections and improves the throughput of server load balancing. It also helps the real server lower the needs of establishing and tearing down TCP connections. In a connection pooled environment, a pool of server connections in maintained for servicing client connections. When a client requests a connection, an unused connection is selected from the server pool and used to service the request. When the client request is complete, the server connection is returned to the pool and the client connection dropped. This feature only supports the HTTP and HTTPS protocols over TCP with delayed binding enabled. The following example enable s connection pooling for the HTTP protocol on virtual server 1:
>> Main# /cfg/slb/virt 1/service http/http/pooling enabled
The following example enables connection pooling for the HTTPS protocol on virtual server 1:
>> Main# /cfg/slb/virt 1/service https/http/pooling enabled
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
211
Note: When Layer 7 load balancing is congured, a Nortel Application Switch does not support IP fragments. If IP fragments were supported in this mode, the switch would have to buffer, re-assemble, and inspect packets before making a forwarding decision. "URL-Based Server Load Balancing" (page 211) "Virtual Hosting" (page 216) "Cookie-Based Preferential Load Balancing" (page 219) "URL Hashing for Server Load Balancing" (page 223) "Header Hash Load Balancing" (page 225)
Requests containing URLs with anything else are sent to real servers 1, 2, 3, and 4. These servers have been dened with the "any" string.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For information on how to congure your network for SLB, see "Server Load Balancing" (page 188).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
213
A default string any indicates that the particular server can handle all URL or cache requests. Refer to the following examples given below: Example 1: String with the Forward Slash (/) A string that starts with a forward slash ( / ), such as "/images," indicates that the server processes requests that start out with the "/images" string only. For example, with the "/images" string, the server handles these requests:
/images/product/b.gif /images/company/a.gif /images/testing/c.jpg
Example 2: String without the Forward Slash (/) A string that does not start out with a forward slash ( / ) indicates that the server will process any requests that contain the dened string. For example, with the "images" string, the server will process these requests:
/images/product/b.gif /images/company/a.gif /images/testing/c.jpg /company/images/b.gif /product/images/c.gif /testing/images/a.gif
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
If a server is congured with the load balance string ( / ) only, it will only handle requests to the root directory. For example, the server handles any les in the root directory:
/ /index.htm /default.asp /index.shtm
3 4
Apply and save your conguration changes. Identify the dened string IDs.
>> # /cfg/slb/layer7/slb/cur
For easy conguration and identication, each dened string is assigned an ID number, as shown in the following example:
ID 1 2 3 4 5 6 SLB String any .gif /sales /xitami /manual .jpg
5 6
Congure one or more real servers to support URL-based load balancing. Add the dened string(s) to the real server using the following command:
>> # /cfg/slb/real 2/layer7/addlb <ID>
where ID is the identication number of the dened string. Note: If you dont add a dened string (or add the dened string any) the server will handle any request. A server can have multiple dened strings. For example: "/images" "/sales"
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
215
".gif"
With these dened strings, this particular server can handle requests that start with "/images" or "/sales" and any requests that contain ".gif". 7 Enable SLB on the switch.
>> # /cfg/slb/on (Turn SLB on)
Enable DAM on the switch or congure proxy IP addresses and enable proxy on the client port. DAM and proxy IPs allow you to perform port mapping for URL load balancing. Enable DAM
>> # /cfg/slb/adv/direct ena
For more information on proxy IP addresses, see "Proxy IP Addresses" (page 228). 9 Enable URL-based SLB on the virtual server(s).
>> # /cfg/slb/virt <virtual server number> /service 80/httpslb urlslb
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Sample Statistics:
ID 1 2 3 4 5 6 SLB String any .gif /sales /xitami /manual .jpg Hits 73881 0 0 162102 0 0
Virtual Hosting
Nortel Application Switch Operating System allows individuals and companies to have a presence on the Internet in the form of a dedicated Web site address. For example, you can have a "www.site-a.com" and "www.site-b.com" instead of "www.hostsite.com/site-a" and "www.hostsite.com/site-b." Service providers, on the other hand, do not want to deplete the pool of unique IP addresses by dedicating an individual IP address for each home page they host. By supporting an extension in HTTP 1.1 to include the host header, Nortel Application Switch Operating System enables service providers to create a single virtual server IP address to host multiple Web sites per customer, each with their own host name. Note: For SLB, one HTTP header is supported per virtual server. The following list provides more detail on virtual hosting with conguration information. An HTTP/1.0 request sent to an origin server (not a proxy server) is a partial URL instead of a full URL. An example of the request that the origin server would see as follows: GET /products/2424/ HTTP/1.0 User-agent: Mozilla/3.0 Accept: text/html, image/gif, image/jpeg The GET request does not include the host name. From the TCP/IP headers, the origin server knows the requests host name, port number, and protocol. With the extension to HTTP/1.1 to include the HTTP HOST: header, the above request to retrieve the URL " www.nortelnetworks.com/products/2424" would look like this:
GET /products/2424/ HTTP/1.1 Host: www.nortelnetworks.com User-agent: Mozilla/3.0
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
217
Accept:
The Host: header carries the hostname used to generate the IP address of the site. Based on the Host: header, the switch forwards the request to servers representing different customers Web sites. The network administrator needs to dene a domain name as part of the 128 supported URL strings. The switch performs string matching; that is, the string "nortelnetworks.com" or "http://www.nortel.com/" will match "http://www.nortel.com/".
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For information on how to congure your network for server load balancing, see "Server Load Balancing" (page 188). 2 Turn on URL parsing for the virtual server for virtual hosting.
>> # /cfg/slb/virt 1 >> Virtual Server 1 # service 80 (Select the virtual IP for host header-based SLB) (Select the HTTP service)
Congure the real server(s) to handle the appropriate load balancing string(s). To add a dened string:
>> # /cfg/slb/real 2 >> Real Server 2 # Layer7 >> Real Server 2 Layer 7 Commands # addlb
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
219
where ID is the identication number of the dened string. Note: If you dont add a dened string (or add the dened string any), the server will handle any request. End
Clients that receive preferential service can be distinguished from other users by one of the following methods: Individual User Specic individual user could be distinguished by IP address, login authentication, or permanent HTTP cookie. User Communities Some set of users, such as "Premium Users" for service providers who pay higher membership fees than "Normal Users" could be identied by source address range, login authentication, or permanent HTTP cookie. Applications
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Users could be identied by the specic application they are using. For example, priority can be given to HTTPS trafc that is performing credit card transactions versus HTTP browsing trafc. Content Users could be identied by the specic content they are accessing. Based on one or more of the criteria above, you can load balance requests to different server groups.
For information on how to congure your network for SLB, see "Server Load Balancing" (page 188). 2 Turn on URL parsing for the virtual server.
>> # /cfg/slb/virt 1 >> Virtual Server 1 # service 80 >> Virtual Server 1 http Service # httpslb cookie Enter Cookie Name: sid Enter the starting point of the Cookie value [1-64]: 1 Enter the number of bytes to extract [1-64]: 6 Look for Cookie in URI [e|d]: d
where sid = cookie name 1 = offset (the starting position of the value to be used for hashing) 6 = length (the number of bytes in the cookie value)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
221
d = looks for the cookie in the cookie header instead of the URI (disables searching for cookie in the URI) 3 Dene the cookie values.
>> # /cfg/slb/layer7/slb/addstr "Gold" >> # addstr "Silver" >> # addstr "Bronze"
Since a session cookie does not exist in the rst request of an HTTP session, a default server or any server is needed to assign cookies to a None cookie HTTP request. Example: Real Server 1: Gold handles gold requests. Real Server 2: Silver handles silver request. Real Server 3: Bronze handles bronze request. Real Server 4: any handles any request that does not have a cookie or matching cookie.
With servers dened to handle the requests listed above, here is what happens: Request 1 comes in with no cookie; it is forwarded to Real Server 4 to get cookie assigned. Request 2 comes in with "Gold" cookie; it is forwarded to Real Server 1. Request 3 comes in with "Silver" cookie; it is forwarded to Real Server 2. Request 4 comes in with "Bronze" cookie; it is forwarded to Real Server 3. Request 5 comes in with "Titanium" cookie; it is forwarded to Real Server 4, since it does not have an exact cookie match (matches with "any" congured at Real Server 4).
Congure the real server(s) to handle the appropriate load balance string(s). To add a dened string:
>> # /cfg/slb/real 2/layer7/addlb <ID>
Note: If you dont add a dened string (or add the dened string any), the server will handle any request. 5 Enable DAM on the switch or congure proxy IP addresses and enable proxy on the client port. To use cookie-based preferential load balancing without DAM, you must congure proxy IP addresses. Enable proxy load balancing on the port used for cookie-based preferential load balancing. If Virtual Matrix Architecture (VMA) is enabled on the switch, you can choose to congure the remaining ports with proxy disabled. End
To allow the switch to perform browser-smart load balancing, perform the following procedure. Step 1 Action Before you can congure browser-based load balancing, ensure that the switch has already been congured for basic SLB with the following tasks: 2 Assign an IP address to each of the real servers in the server pool. Dene an IP interface on the switch. Dene each real server. Assign servers to real server groups. Dene virtual servers and services.
Turn on URL parsing for the virtual server for "User-Agent:" header.
>> # /cfg/slb/virt 1/service 80/httpslb browser
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
223
Congure the real server(s) to handle the appropriate load balancing string(s). Note: If you dont add a dened string (or add the dened string any), the server will handle any request. Use the following command to add a dened string:
>> # /cfg/slb/real 2/layer7/addlb <ID>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
224 Part 3: Application Switching Fundamentals Using URL hashing to Load Balance Nontransparent Caches
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
225
>> # /cfg/slb/virt 1 >> Virtual Server 1 # service 80 >> Virtual Server 1 http Service # httpslb urlhash Enter new hash length [1-255]: 25
Hashing is based on the URL, including the HTTP Host: header (if present), up to a maximum of 255 bytes. 3 Set the metric for the real server group to minmisses or hash.
>> # /cfg/slb/group 1/metric <hash|minmisses>
End
Set the metric for the real server group to minmisses or hash.
>> # /cfg/slb/group 1/metric <hash|minmisses>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
End
Enable client proxy operation mode on the real servers used in load balancing.
>> # /cfg/slb/real 1/proxy ena
On the virtual server attached to the real servers, enable the X-Forwarded-For header.
>> # /cfg/slb/virt 1/service 80/xforward ena
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
227
Source IP and destination IP are used to determine the processor. Both options can be enabled together wherein source IP, source port and destination IP are used to determine the processor.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: It is not advisable to change VMA option while switch is in operation since that may result in temporary disconnection of clients. Maintenance mode command /maint/debug/vmasp can be used to nd the processor for any combination of source IP, source port (if VMA with source port is enabled) and destination IP (if VMA with destination IP is enabled).
Miscellaneous Debug
When VMA with destination IP is enabled:
>> /cfg/slb/adv/vmadip ena Current VMA with destination IP: disabled New VMA with destination IP: enabled WARNING!! Changing VMA option may result in temporary disconnection of clients. Do you want to continue?[y/n] [n]
Proxy IP Addresses
In complex network topologies (see "SLB Client/Server Trafc Routing" (page 193)), SLB functions can be managed using a proxy IP address on the client switch ports. When the client requests services from the switchs virtual server, the client sends its own IP address for use as a return address. If a proxy IP address is congured for the client port on the switch, the switch replaces the clients source IP address with the switchs own proxy IP address before sending the request to the real server. This creates the illusion that the switch originated the request. The real server uses the switchs proxy IP address as the destination address for any response. SLB trafc is forced to return through the proper switch, regardless of alternate paths. Once the switch receives the proxied data, it puts the original client IP address into the destination address and sends the packet to the client. This process is transparent to the client. Note: Because requests appear to come from the switch proxy IP address rather than the client source IP address, the network administrator should be aware of this behavior during debugging and statistics collection. The proxy IP address can also be used for direct access to the real servers (see "Direct Access Mode" (page 239)).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
229
Proxy IP addresses can also be assigned based on egress port or VLAN (see "Selecting a Proxy IP Based on the Egress Port or VLAN" (page 230)). To use Proxy IP addresses on the physical port or VLAN:
>> # /cfg/slb/pip/type port|vlan (Set base pip type to port or VLAN)
The address is then specied using either the add or add6 command. The command is dependent on the IP protocol version in use. For an IPv4 address, the add command is used:
/cfg/slb/pip/add
The following example demonstrates the conguration of an IPv4 port-based proxy IP address. To congure an IPv6 address, substitute the add6 command for the add command and enter an IPv6 address.
>> # /cfg/slb/pip/type port >> # /cfg/slb/pip/add (Select port-based proxy IP address) (Add a proxy IP address) e.g. 1 2 3-10
Enter Proxy IP address: 10.10.10.1 Enter port <1 to 28> or block <first-last>: 1-3 New pending: 1:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Once enabled, the port-based proxy IP addressing is the active mode, and VLAN-based proxy IP addressing is inactive. Any VLAN-based proxy IP addresses that may have been congured are now inactive on the Nortel Application Switch. Note: WAN Link Load Balancing (see " WAN Link Load Balancing" (page 327)) requires use of port-based proxy IP addresses; VLAN-based proxy IP addresses cannot be used.
The address is then specied using either the add or add6 command. The command is dependent on the IP protocol version in use. For an IPv4 address, the add command is used:
/cfg/slb/pip/add
The following example demonstrates the conguration of an IPv4 VLAN-based proxy IP address. To congure an IPv6 address, substitute the add6 command for the add command and enter an IPv6 address
>> # /cfg/slb/pip/type vlan >> Proxy IP Address# add (Choose VLAN as the pip type) (Add a proxy IP address) e.g. 1 2
Enter Proxy IP address: 10.10.10.1 Enter VLAN <1 to 4090> or block <first-last>: 3-10 2 New Pending: 1: 10.10.10.1 vlan 2
231
>> # /cfg/slb/virt <x> /service <y> /epip ena >> # /cfg/slb/filt <x> /adv/proxyad v/epip ena
(Select proxy IP based on egress port or VLAN for this virtual service) (Select proxy IP based on egress port or VLAN for a WCR filter)
Use of a port-based proxy IP or a VLAN-based proxy IP depends on whether you have selected the proxy IP type as port or VLAN.
If no proxyip is congured in Filter Advanced menu then the Nortel Application Switch uses the proxy IP address congured in /cfg/slb/pip menu. If proxy IP addresses are congured in both the Filter Advanced menu and the /cfg/slb/pip menus, then the Proxy IP address in Filter Advanced menu takes precedence over the Proxy IP address in the /cfg/slb/pip menu.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Using a virtual server IP address as the proxy IP address allows conservation of public IP addresses. When proxy servers initiate requests to the web, they require a public IP address for their source IP address. In previous versions of Nortel Application Switch Operating System, this required Network Address Translation (NAT) to substitute the private source IP address of the proxy server, with one of only four available proxy IP addresses. The previous limitation of four proxy IP addresses meant that only four addresses were available as public IP addresses for outgoing proxy trafc. In the current release, Nortel Application Switch Operating System can mask real IP addresses of the servers in the server farm with the virtual server IP address congured on the Nortel Application Switch, when the real servers initiate trafc ows. The benet of using a virtual server IP address as the proxy IP address is that multiple proxy servers can share the same virtual server IP address and embed that address as their source IP address, thus conserving use of Public IP addresses. For example, if virtual server IP 50.50.50.1 is congured on the switch, and proxy servers are to share this address, congure both proxy and virtual server IPs with the same address:
>> # /cfg/slb/virt 1/vip 50.50.50.1 >> # /cfg/slb/pip/add 50.50.50.1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
233
Port 5 6
Host Client router A connects the switch to the Internet where all client requests originate. Client router B also connects the switch to the Internet where all client requests originate.
The following commands are used to disable server processing on ports 1-3:
>> # /cfg/slb/port 1 >> SLB port 1# server dis >> SLB port 1# /cfg/slb/port 2 >> SLB port 2# server dis >> SLB port 2# /cfg/slb/port 3 >> SLB port 3# server dis (Select switch port 1) (Disable server processing on port 1) (Select switch port 2) (Disable server processing on port 2) (Select switch port 3) (Disable server processing on port 3)
Congure a unique proxy address and enable proxy for the client ports. Congure a unique proxy IP address and enable proxy on the client ports:
>> Main # /cfg/slb/pip >> Proxy IP Address# type port (Select proxy IP menu) (Set proxy IP base type to port)
>> Proxy IP Address# add 200.200.200.68 5-6 (Set proxy IP address) >> Main # /cfg/slb/port 5/proxy ena >> SLB port 5# /cfg/slb/port 6 >> SLB port 6# proxy ena (Select network port 5 and enable proxy) (Select network port 6) (Enable proxy)
The proxies are transparent to the user. 3 Apply and save your changes. Note: Remember that you must apply any changes in order for them to take effect, and you must save them if you wish them to remain in effect after switch reboot. Also, the /info/slb
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
command is useful for checking the state of Server Load Balancing operations. End
Proxy IP Limitation
If a Proxy IP address is enabled, the Selected DAM feature should also be enabled. When Selective DAM is disabled for a service and trafc ingresses a port with a port or VLAN based Proxy IP, the client trafc still uses a proxy port. This causes client port network address translation (NAT). This in turn causes a failure when the trafc comes back to the switch from the server.
Mapping Ports
A Nortel Application Switch allows you to hide the identity of a port for security by mapping a virtual server port to a different real server port.
Note: If ltering is enabled, a proxy IP address is congured, or URL parsing is enabled on any switch port, then port mapping is supported with Direct Access Mode (DAM). For information about DAM, refer to "Direct Access Mode" (page 239).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
235
A Nortel Application Switch supports up to 16 real ports per server when multiple rports are enabled. This feature allows the network administrator to congure up to 16 real ports for a single service port. This feature is supported in Layer 4 and Layer 7 and in cookie-based and SSL persistence switching environments. When multiple real ports on each real server are mapped to a virtual port, the Nortel Application Switch treats the real server IP address/port mapping combination as a distinct real server. Note: For each real server, you can only congure one service with multiple real ports. Consider the following network:
Basic Virtual Port to Real Port Mapping Conguration
Port Mapping Real Server IP Address 8001 (rport 1) 8002 (rport 2) 192.168.2.1 (RIP 1) 192.168.2.2 (RIP 2) 192.168.2.3 (RIP 3) 192.168.2.4 (RIP 4)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
In this example, four real servers are used to support a single service (HTTP). Clients access this service through a virtual server with IP address 192.168.2.100 on virtual port 80. Since each real server uses two ports (8001 and 8002) for HTTP services, the logical real servers are: 192.168.2.1/8001 192.168.2.1/8002 192.168.2.2/8001 192.168.2.2/8002 192.168.2.3/8001 192.168.2.3/8002 192.168.2.4/8001 192.168.2.4/8002
237
# # # #
1 2 3 4
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1 2
Action A client request is forwarded to the Nortel Application Switch. Because only MAC addresses are substituted, the switch forwards the request to the best server, based on the congured load-balancing policy. The server responds directly to the client, bypassing the switch, and using the virtual server IP address as the source IP address. To set up DSR, use the following commands:
>> # /cfg/slb/real <real server number> /submac ena >> # /cfg/slb/virt <virtual server number> /service <service number> /nonat ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
239
End
When DAM (/cfg/slb/adv/direct) is enabled on a switch, any client can communicate with any real servers load-balanced service. Also, with DAM enabled, any number of virtual services can be congured to load balance a real service. With Direct Access Mode, trafc that is sent directly to real server IP addresses (instead of the virtual server IP address) is excluded from load balancing decisions. The same clients may also communicate to the virtual server IP address for load-balanced requests. Direct access mode is necessary for applications such as: Direct access to real servers for management or administration One real server serving multiple virtual server IP (VIP) addresses Content intelligent switching, which requires trafc to go to specic real servers based on inspection of HTTP headers, content identiers such as URLs and cookies, and the parsing of content requests. For more information see "Content Intelligent Server Load Balancing" (page 210). Note: When DAM is enabled on a switch, port mapping and default gateway load balancing is supported only when ltering is enabled, a proxy IP address is congured, or URL parsing is enabled on any switch port.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note 1: The /cfg/slb/virt <x> /service <y> /direct command requires that DAM be enabled globally on the switch. If DAM is not enabled globally on the switch, the direct disable command has no effect. When direct access mode is enabled on the switch and disabled on a virtual server/virtual port pair, direct access to other real servers (those servers that are not servicing a virtual server/virtual port pair with direct access mode disabled) is still allowed. Note 2: DAM cannot be disabled for FTP and RTSP services.
241
Mapping Ports
When SLB is used without proxy IP addresses and without DAM, the Nortel Application Switch must process the server-to-client responses. If a client were to access the real server IP address and port directly, bypassing client processing, the server-to-client response could be mishandled by SLB processing as it returns through the Nortel Application Switch, with the real server IP address getting remapped back to the virtual server IP address on the Nortel Application Switch. First, two port processes must be executed on the real server. One real server port handles the direct trafc, and the other handles SLB trafc. Then, the virtual server port on the Nortel Application Switch must be mapped to the proper real server port. In "Mapped and Nonmapped Server Access" (page 241), clients can access SLB services through well-known TCP port 80 at the virtual servers IP address. The Nortel Application Switch behaving like a virtual server is mapped to TCP port 8000 on the real server. For direct access that bypasses the virtual server and SLB, clients can specify well-known TCP port 80 as the real servers IP address.
Mapped and Nonmapped Server Access
Note: Port mapping is supported with DAM when ltering is enabled, a proxy IP address is congured, or URL parsing is enabled on any switch port. For more information on how to map a virtual server port to a real server port, see "Mapping Ports" (page 234).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Delayed Binding
The delayed binding feature on the switch prevents SYN Denial-of-Service (DoS) attacks on the server. DoS occurs when the server or switch is denied servicing the client because it is saturated with invalid trafc. Typically, a three-way handshake occurs before a client connects to a server. The client sends out a synchronization (SYN) request to the server. The server allocates an area to process the client requests, and acknowledges the client by sending a SYN ACK. The client then acknowledges the SYN ACK by sending an acknowledgement (ACK) back to the server, thus completing the three-way handshake. "DoS SYN Attacks without Delayed Binding" (page 243) illustrates a classic type of SYN DoS attack. If the client does not acknowledge the servers SYN ACK with a data request (REQ) and, instead, sends another SYN request, the server gets saturated with SYN requests. As a result, all of the servers resources are consumed and it can no longer service legitimate client requests.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
243
Using a Nortel Application Switch with delayed binding, as illustrated in "Repelling DoS SYN Attacks With Delayed Binding" (page 244), the Nortel Application Switch intercepts the client SYN request before it reaches the server. The Nortel Application Switch responds to the client with a SYN ACK that contains embedded client information. The Nortel Application Switch does not allocate a session until a valid SYN ACK is received from the client or the three-way handshake is complete.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
244 Part 3: Application Switching Fundamentals Repelling DoS SYN Attacks With Delayed Binding
Once the Nortel Application Switch receives a valid ACK or DATA REQ from the client, the Nortel Application Switch sends a SYN request to the server on behalf of the client, waits for the server to respond with a SYN ACK, and then forwards the clients DATA REQ to the server. Basically, the Nortel Application Switch delays binding the client session to the server until the proper handshakes are complete. Thus, with delayed binding, two independent TCP connections span a session: one from the client to the Nortel Application Switch and the second from the switch to the selected server. The switch temporarily terminates each TCP connection until content has been received, thus preventing the server from being inundated with SYN requests. Note: Delayed binding is automatically enabled when content intelligent switching features are used. However, if you are not parsing content, you must explicitly enable delayed binding if desired.
245
Note: Enable delayed binding without conguring any HTTP SLB processing or persistent binding types. To congure delayed binding for cache redirection, see "Delayed Binding for Cache Redirection" (page 417).
The probability of a SYN attack is higher if excessive half-open sessions are being generated on the Nortel Application Switch. Half-open sessions show an incomplete three-way handshake between the server and the client. You can view the total number of half-open sessions from the /stat/slb/layer7/maint menu. To detect SYN attacks, the Nortel Application Switch keeps track of the number of new half-open sessions for a set period of time. If the value exceeds the threshold, then a syslog message and an SNMP trap are generated. You can change the default parameters for detecting SYN attacks in the /cfg/slb/adv/synatk menu. You can specify how frequently you want to check for SYN attacks, from 2 seconds to a minute and modify the default threshold representing the number of new half-open sessions per second.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
is useful in instances where sessions need to be kept alive after their real server congured timeout expires. An FTP session could be kept alive after its server dened timeout period for example. The following is an example of how a timeout of 10 minutes would be congured for HTTP (service 80) on virtual server 1: Step 1 Action Select service 80.
>> Main# /cfg/slb/virt 1/service 80
Save conguration.
>> Virtual Server 1 http Service# apply >> Virtual Server 1 http Service# save
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
247
To implement IPv6 server load balancing, real servers are set to be either IPv4 or IPv6 servers. Similarly, real server groups are set to contain either IPv4 or IPv6 servers. Combinations of the two server types are not allowed. Proxy IP addresses can be in either IPv4 or IPv6 format as well. Switch ports and VLANs can be assigned either one type or the other or both. The appropriate PIP is used in load balancing operations based on the IP version of the incoming packet. Note: Only basic Layer 4 server load balancing is supported and includes support for Direct Access Mode (DAM). For conceptual information on basic Layer 4 load balancing, refer to "Understanding Server Load Balancing" (page 188) and "Implementing Basic Server Load Balancing" (page 191). IPv6 server load balancing supports the following metrics: Roundrobin Leastconn Minmisses Hash
IPv6 server load balancing does not support the following metrics: Not support Phash Bandwidth Delay Note: IPv6 fragments are only supported on a client-enabled port and when the fragments are in order.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
248 Part 3: Application Switching Fundamentals IPv6 to IPv4 Layer 4 SLB Example
The following procedure is used to congure IPv6 support for load balancing IPv4 real servers. The specic commands, as presented in the example, would replicate the topology in "IPv6 to IPv4 Layer 4 SLB Example" (page 248). Step 1 Action Congure IPv6 network interface.
>> >> >> >> >> >> Main# /cfg/l3/if 1 IP Interface 1# ena IP Interface 1# ipver v6 IP Interface 1# addr 2005:0:0:0:0:0:0:1 IP Interface 1# mask 64 IP Interface 1# apply
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
249
>> Main# /cfg/l2/vlan 3 >> VLAN 3# ena >> VLAN 3# add 13 Port 13 is an UNTAGGED port and 1. Confirm changing PVID from 1 to >> VLAN 3# add 14 Port 14 is an UNTAGGED port and 1. Confirm changing PVID from 1 to >> VLAN 3# add 15 Port 15 is an UNTAGGED port and 1. Confirm changing PVID from 1 to
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
10
Congure a proxy IP and enable it on the client port. The proxy IP address is used to converge the IPv4 and IPv6 trafc. Optionally, the proxy IP address can be assigned to a VLAN instead of the port. To enable it on the VLAN use the command /cfg/slb/pip/type vlan instead of /cfg/slb/pip/type port.
>> >> >> >> Main# /cfg/slb/pip/type port Proxy IP Address# add 70.1.1.1 1 Main# /cfg/slb/port 1 SLB Port 1# proxy ena
11
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
251
End
The following procedure is used to congure IPv6 support for load balancing IPv6 real servers. The specic commands, as presented in the example, would replicate the topology in "IPv6 to IPv6 Layer 4 SLB Example" (page 251).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
253
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For additional information on SLB commands, refer Nortel Application Switch Operating System Command Reference.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
255
Nortel Application Switch Operating System supports both active and passive modes of FTP operation. You can switch from active to passive or vice versa in the same FTP session.
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
To make your conguration changes active, enterapplyat any prompt in the CLI.
>> Virtual Server 1 ftp Service# apply
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
257
Requirements
Load balancing service port 69 must be selected. DAM must be enabled. UDP must be enabled (/cfg/slb/virt <x> /service tftp/udp ena) PIP is not supported because the server port is changed. PIP uses server port for allocating a pport. Multiple rports are not supported.
To make your conguration changes active, enter apply at any prompt in the CLI.
>> Virtual Server 1 ftp Service# apply
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
"Layer 4 DNS Load Balancing" (page 261) shows four LDAP servers load balancing LDAP queries.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
259
Congure the four real LDAP servers and their real IP addresses.
>> # /cfg/slb/real 20 >> Real server 20 # ena >> Real server 20 # rip 10.10.10.20 >> Real server 20 # layer7/ >> Real Server 20 Layer 7 Commands# ldapwr e (Enable real server 20) (Specify the IP address) (Select the Layer 7 menu) (Enable LDAP read-write)
/cfg/slb/real 21/ena/rip 10.10.10.21/layer7/ldapwr e (Configure and enable LDAP write server 21) /cfg/slb/real 22/ena/rip 10.10.10.22/layer7/ldapwr e (Configure and enable LDAP write server 21) /cfg/slb/real 26/ena/rip 10.10.10.26/layer7/ldapwr e (Configure and enable LDAP write server 21)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> # /cfg/slb/group 1 >> Real server group 1 # metric roundrobin >> Real server group 1 # add 20 >> Real server group 1 # add 21 >> Real server group 1 # add 22 >> Real server group 1 # add 26
(Select real server group 1) (Specify the load balancing metric for group 1) (Add real server 20) (Add real server 21) (Add real server 22) (Add real server 26)
End
Step 1
Set up the LDAP service for the virtual server, and add real server group 1.
>> Virtual Server 1# service ldap >> Virtual Server 1 LDAP Service# group 1 (Specify the LDAP service) (Select the real server group)
Enable delayed binding. Delayed binding is required in order to process session requests with a TCP three-way handshake.
>> Virtual Server 1 LDAP Service# dbind ena (Enable delayed binding)
261
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: You can congure both UDP and TCP DNS queries for the same virtual server IP address.
Preconguration Tasks
Step 1 Action Enable server load balancing.
>> # /cfg/slb/on
>> Real server 20 # /cfg/slb/real 21 >> Real server 21 # ena >> Real server 21 # rip 10.10.10.21 (Enable real server 21) (Specify the IP address)
>> Real server 20 # /cfg/slb/real 22 >> Real server 22 # ena >> Real server 22 # rip 10.10.10.22 (Enable real server 22) (Specify the IP address)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
263
>> Real server group 1 # /cfg/slb/group 2 >> Real server group 2 # metric roundrobin >> Real server group 2 # health dns >> Real server group 2 # add 22 >> Real server group 2 # add 26
For more information on conguring health check, see "UDP-Based DNS Health Checks" (page 481). 4 Dene and enable the server ports and the client ports. For more information, see step 6 step 6. Some DNS servers initiate upstream requests and must be congured both as server and client. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Set up the DNS service for the virtual server, and add real server group 1.
>> Virtual Server 1# service dns >> Virtual Server 1 DNS Service# group 1 (Specify the DNS service) (Select the real server group)
Disable delayed binding. Delayed binding is not required because UDP does not process session requests with a TCP three-way handshake.
>> Virtual Server 1 DNS Service# dbind dis (Disable delayed binding)
End
Set up the DNS service for virtual server, and select real server group 2.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
265
>> Virtual Server 2# service dns >> Virtual Server 2 DNS Service# group 2
As this is TCP-based load balancing, make sure to disable UDP DNS queries.
>> Virtual Server 2 DNS Service# udp dis (Disable UDP balancing)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
To congure the switch for DNS load balancing, perform the following procedure: Step 1 Action Before you can congure DNS load balancing, ensure that the switch has already been congured for basic SLB with the following tasks: Assign an IP address to each of the real servers in the server pool. Dene an IP interface on the switch. Dene each real server (DNS server address). Assign servers to real server groups. Dene virtual servers and services. Enable SLB. For information on how to congure your network for SLB, see "Server Load Balancing" (page 188)." 2 Dene server port and client port.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
267
If using a TCP-based DNS server, enable delayed binding (if using a UDP-based DNS server, do not enable delayed binding).
>> Virtual Server 1 DNS Service# dbind ena
5 6
Apply and save your conguration changes. Identify the dened string IDs.
>> # /cfg/slb/layer7/slb/cur
For easy conguration and identication, each dened string has an ID attached, as shown in the following example:
ID 1 2 3 4 5 SLB String any, cont 1024 www.[abcdefg]*.com, cont 1024 www.[hijklm]*.com, cont 1024 www.[nopqrst]*.com, cont 1024 www.[uvwxyz]*.com, cont 1024
Add the dened string IDs to the real server using the following command:
>> # /cfg/slb/real 1/layer7/addlb 2 >> # /cfg/slb/real 2/layer7/addlb 3 >> # /cfg/slb/real 3/layer7/addlb 4
Note: If you dont add a dened string (or add the dened string any) the server handles any request. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
269
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Main# /cfg/slb/virt 1/service 808/rtsp >> Main# /cfg/slb/virt 1/service 808/rtsp/rtspslb hash Note: The rtspslb options are: hash, pattern, l4hash, and none.
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
271
Follow this procedure to congure the topology illustrated in "Load Balancing RTSP Servers" (page 270): Step 1 Action At the Nortel Application Switch, before you start conguring RTSP load balancing: 2 Connect each QuickTime server to the layer 2 switch Connect each RealNetworks server to the layer 2 switch Congure the IP addresses on all devices connected to the Nortel Application Switch Congure the IP interfaces on the switch Enable Direct Access Mode (DAM) Disable Bandwidth Management Disable proxy IP addressing
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>>Real Server Group 100# add 2 >>Real Server Group 100# add 3
Create a virtual server for the RealNetworks servers. To congure a virtual server for layer 4 load balancing of RTSP, select rtsp or port 554 as a service for the virtual server.
>> # /cfg/slb/virt 1 >>Virtual Server 1# vip 30.30.30.100 >>Virtual Server 1# service 554 >>Virtual Server 1 rtsp Service# group 100 (Select the virtual server) (Set IP address for the virtual server (Add the RTSP service for the virtual server) (Set the real server group)
Create a virtual server for the QuickTime servers. To congure a virtual server for Layer 4 load balancing of RTSP, select rtsp or port 554 as a service for the virtual server.
>> # /cfg/slb/virt 2 >>Virtual Server 2# vip 40.40.40.100 >>Virtual Server 2# service 554 >>Virtual Server 2 rtsp Service# group 200 (Select the virtual server) (Set IP address for the virtual server (Add the RTSP service for the virtual server) (Set the Quicktime server group)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
273
>> # /cfg/slb/port 25 >>SLB port 25# client ena >>SLB port 1# /cfg/slb/port 2 >>SLB port 2# server ena >>SLB port 2# /cfg/slb/port 3 >>SLB port 3# server ena >>SLB port 3# /cfg/slb/port 4 >>SLB port 4# server ena >>SLB port 4# /cfg/slb/port 13 >>SLB port 13# server ena >>SLB port 13# /cfg/slb/port 14 >>SLB port 14# server ena >>SLB port 14# /cfg/slb/port 15 >>SLB port 15# server ena
(Select the client port) (Enable client processing) (Select the server port) (Enable server processing) (Select the server port) (Enable server processing) (Select the server port) (Enable server processing) (Select the server port) (Enable server processing) (Select the server port) (Enable server processing) (Select the server port) (Enable server processing)
Clients retrieving les of type RTSP://nortelnews.com/headlines.ram use virtual IP address 30.30.30.100 of the RealNetworks server group and clients retrieving les of type RTSP://nortelnews.com/headlines.mov use virtual IP address 40.40.40.100 of the QuickTime server group. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
"Layer 7 RTSP Load Balancing" (page 275) shows two groups of media servers: Group 1 is congured for URL hashing and group 2 is congured for string matching. The media servers are cache servers congured in reverse proxy mode.
URL Hash
Use the URL hash metric to maximize client requests to hash to the same media server. The original servers push the content to the cache servers ahead of time. For example in "Layer 7 RTSP Load Balancing" (page 275), an ISP is hosting audio-video les for NortelNews on media servers 1, 2, 3, and 4. The domain name nortelnews.com associated with the virtual IP address 120.10.10.10 is congured for URL hash. The rst request for http://nortelnews.com/saleswebcast.rm hashes to media server 1. Subsequent requests for http://nortelnews.com/saleswebcast.rm from other clients or from client 1 will hash to the same server 1. Similarly, another request for http://nortelnews.com/marketingwebcast.rm may hash to media server 2, provided saleswebcast and marketingwebcast media les are located in the origin servers. Typically, a set of related les (audio, video, and text) of a presentation are usually placed under the same directory (called container directory). Nortel Application Switch Operating System URL hashing ensures that the entire container is cached in a single cache by using the entire URL to compute the hash value and omitting the extension (for example, .ram, .rm, .smil) occurring at the end of the URL.
String Matching
Use the string matching option to populate the RTSP servers with content-specic information. For example, you have clients accessing audio-video les on Nortel1 and clients accessing audio-video les on Nortel2. You can host theNortel1 media les on media servers 5 and 6 and host Nortel2 media les on media servers 7 and 8.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
275
Follow this procedure to congure the topology illustrated in "Layer 7 RTSP Load Balancing" (page 275): Step 1 Action Before you start conguring RTSP load balancing, congure the application switch for standard server load balancing as described in "Conguring Server Load Balancing" (page 194): Connect each Media server to the application switch Congure the IP addresses on all devices connected to the switch Congure the IP interfaces on the switch Enable server load balancing (/cfg/slb/on) Enable client processing at the client port (/cfg/slb/port 1/client ena) Enable server processing at the server ports 2 and 7 (for example, /cfg/slb/port 2/server ena) Enable Direct Access Mode (DAM) Disable Bandwidth Management
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Create a virtual server for group 1 media servers. Congure a virtual server and select rtsp or port 554 as a service for the virtual server.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
277
>> # /cfg/slb/virt 1 >>Virtual Server 1# vip 120.10.10.10 >>Virtual Server 1# service 554 >>Virtual Server 1 rtsp Service# group 100
(Select the virtual server) (Set IP address for the virtual server (Add the RTSP service for the virtual server) (Set the real server group)
Congure URL hash-based RTSP load balancing for group 1 servers. URL hashing maintains persistency by enabling the client to hash to the same media server.
>> Virtual Server 1 rtsp Service# rtspslb hash
Create another virtual server for group 2 media servers. Congure a virtual server and select rtsp or port 554 as a service for the virtual server.
>> # /cfg/slb/virt 2 >>Virtual Server 2# vip 120.10.10.20 >>Virtual Server 2# service 554 >>Virtual Server 2 rtsp Service# group 200 (Select the virtual server) (Set IP address for the virtual server) (Add the RTSP service for the virtual server) (Set the real server group)
Congure string matching-based RTSP load balancing for group 2 servers. Enable layer 7 pattern matching
>> Virtual Server 2 rtsp Service# rtspslb pattern (Enable Layer 7 pattern matching)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For easy conguration and identication, each dened string has an ID attached, as shown in the following example: Number of entries: three
ID 1 2 3 SLB String any, cont 1024 nortel1.mov, cont 1024 nortel2.mov, cont 1024
Add the dened string IDs to the real servers as shown in "Layer 7 RTSP Load Balancing" (page 275).
>> >> >> >> >> >> >> >> # /cfg/slb/real 5/layer7 Real server 5 Layer 7 Commands# addlb Real server 5# /cfg/slb/real 6/layer7 Real server 6 Layer 7 Commands# addlb Real server 6# /cfg/slb/real 7/layer7 Real server 7 Layer 7 Commands# addlb Real server 7# /cfg/slb/real 8/layer7 Real server 8 Layer 7 Commands# addlb
2 2 3 3
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
279
A client request of the form RTSP://120.10.10.20/../nortel1.mov is load balanced between RTSP servers 5 and 6 using string matching. A client request of the form RTSP://120.10.10.20/../nortel2.mov is load balanced between RTSP servers 7 and 8. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System allows you to congure the Nortel Application Switch to select a WAP gateway for each client request based on one of the following three methods: static session entry via TPCP, RADIUS snooping, or RADIUS/WAP persistence. The following topics are discussed in this section: "WAP SLB with RADIUS Static Session Entries" (page 280) "WAP SLB with RADIUS Snooping" (page 283) "WAP SLB with Radius/WAP Persistence" (page 287)
281
Enable UDP under the WAP services (ports 9200 to 9203) menu.
>> # /cfg/slb/virt <number> /service <name|number> /udp ena
Note: The radius service number specied on the switch must match with the service specied on the server.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
At the Nortel Application Switch, congure the switch for basic SLB.
>> # /cfg/slb/on
Enable the external notication from WAP gateway to add and delete session request if you are using static session via TPCP.
>> # cfg/slb/adv/tpcp ena
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
283
3 4 5
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Consider the following items before conguring RADIUS snooping: The same virtual server IP address must be used when load balancing both the RADIUS accounting trafc and WAP trafc. All the RADIUS servers must use the same UDP port for RADIUS accounting services. Before a session entry is recorded on the switch, WAP packets for a user can go to any of the real WAP gateways. If a session entry for a client cannot be added because of resource constraints, the subsequent WAP packets for that client will not be load balanced correctly. The client will need to drop the connection and then reconnect to the wireless service. The persistence of a session cannot be maintained if the number of healthy real WAP gateways changes during the session. For example, if a new WAP server comes into service or some of the existing WAP servers are down, the number of healthy WAP gateway changes and, in this case, the persistence for a user cannot be maintained. Persistence cannot be maintained if the user moves from one ISP to another, or if the base of the users session changes (that is, from CALLING_STATION_ID to USER_NAME, or vice versa). For example, if a user moves out of a roaming area, it is possible that his/her CALLING_STATION_ID is not available in the RADIUS Accounting packets. In such a case, the switch uses USER_NAME to choose a WAP server instead of CALLING_STATION_ID. Thus, persistence cannot be maintained. End
Enable UDP under the WAP services (ports 9200 to 9203) menu.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
285
Note: The radius service number specied on the switch must match with the service specied on the server. 2 At the Nortel Application Switch, congure the switch for basic SLB.
>> # /cfg/slb/on
Enable the external notication from WAP gateway to add and delete session request if you are using static session via TPCP.
>> # cfg/slb/adv/tpcp ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Congure the following lter on the switch to examine a RADIUS accounting packet. Set the basic lter parameters
>> # /cfg/slb/filt 1 >> Filter 1 >> Filter 1 # ena # dip 10.10.10.100 (Select the filter) (Enable the filter) (Set the destination IP address) (Set the destination IP mask) (Set the protocol to UDP) (Set the destination port) (Set the action to redirect) (Set the group for redirection) (Set server port for redirection)
>> Filter 1 # dmask 255.255.255.255 >> Filter 1 >> Filter 1 >> Filter 1 >> Filter 1 >> Filter 1 # proto udp # dport 1813 # action redir # group 1 # rport 1813
>> Filter 1 Advanced# proxy ena >> Filter 1 Advanced# layer7 >> Layer 7 Advanced# rdsnp ena
Note: Nortel Application Switch Operating System supports Virtual Router Redundancy Protocol (VRRP) and stateful failover, using both static session entries and RADIUS snooping. However, active-active conguration with Stateful Failover is not supported. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
287
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The RADIUS session and the WAP session are now both bound to the same server because both sessions are using the same source IP address. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
289
>> # cfg/slb/virt 1/vip 10.10.10.10 >>Virtual Server 1# ena (Enable virtual server 1)
Congure the services for virtual server 1. Note: The radius service number specied on the switch must match with the service specied on the server.
>>Virtual >>Virtual >>Virtual 1/service >>Virtual >>Virtual 1/service >>Virtual >>Virtual 1/service >>Virtual >>Virtual 1/service >>Virtual >>Virtual 1/service >>Virtual Server Server Server 1813 Server Server 9200 Server Server 9201 Server Server 9202 Server Server 9203 Server 1# service 1812 1 radius-auth service# udp ena 1 radius-auth service# /cfg/slb/virt 1 radius-acc service# udp ena 1 radius-auth service# /cfg/slb/virt 1 9200 service# udp ena 1 radius-auth service# /cfg/slb/virt 1 9201 service# udp ena 1 radius-auth service# /cfg/slb/virt 1 9202 service# udp ena 1 radius-auth service# /cfg/slb/virt 1 9203 service# udp ena
Congure the following lter on the switch to examine a RADIUS accounting packet. Set the basic lter parameters.
>> # /cfg/slb/filt 1 >> Filter 1 >> Filter 1 # ena # dip 10.10.10.10 (Select the filter) (Enable the filter) (Set the destination IP address) (Set the destination IP mask) (Set the protocol to UDP) (Set the destination port) (Set the action to redirect) (Set the group for redirection) (Set server port for redirection)
>> Filter 1 # dmask 255.255.255.255 >> Filter 1 >> Filter 1 >> Filter 1 >> Filter 1 >> Filter 1 # proto udp # dport 1813 # action redir # group 100 # rport 1813
Enable client and server ports and enable ltering on client ports.
>> # /cfg/slb/port 1/client ena >> SLB port 1# filt ena >> >> >> >> >> >> SLB SLB SLB SLB SLB SLB port port port port port port 1# 2# 1# 3# 3# 4# (Enable filtering on port 1)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
291
Intrusion detection devices inspect every packet before it enters a network, looking for any signs of an attack. The attacks are recorded and logged in an attempt to guard against future attacks and to record the information about the intruders. IDS server load balancing helps scale intrusion detection systems since it is not possible for an individual server to scale information being processed at Gigabit speeds.
Congure lter processing on the incoming ports with the IDS hash metric. This allows a session entry to be created for frames ingressing the port. IDS load balancing requires a session entry to be created in order to store the information regarding which IDS server to send the request. If the allow lter is congured to hash on both the client and server IP address, then this ensures that both client and server trafc belonging to the same session is sent to the same IDS server. For more information, see "Example 2: Load Balancing to Multiple IDS Groups" (page 298). If the port is congured for client processing only, then the switch hashes on the source IP address only. End
IDS servers must directly connect to separate physical ports on the switch. Real server # of IDS server must match the physical port # (1 to 26) on the switch
To send packets to different IDS servers you must connect IDS servers to separate switch ports and associate them with different VLANs and tag the packets accordingly. Because unmodified frames are sent to the IDS servers, the switch does not use the L2 destination field of the packet to direct it to the correct IDS server. The switch port or the VLAN tag is used to identify the destination IDS server. However, if the ingress packet is already tagged, then you must use different switch ports for different IDS servers.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
293
Port Configuration
Explanation
IDS servers need not be directly connected to the application switch.The IDS servers may be connected to another switch via an interswitch link between it and the application switch. SNMP health checks are used to check the status of a port on the remote switch, that is connected to an IDS server.
To send packets to different IDS servers you must connect IDS servers to separate switch ports and associate them with different VLANs. Because unmodified frames are sent to the IDS servers, the switch does not use the L2 destination field of the packet to direct it to the correct IDS server. The VLAN tag is used to identify the destination IDS server. However, if the ingress packet is already tagged, then you must use different VLANs for different IDS servers. The data packet is modified, so that it is addressed to the IDS servers. Destination MAC address is changed to Real server MAC address.
With IP addresses
ICM P or ARP
IDS servers need not be directly connected to the application switch.The IDS servers may be connected via an Nortel Application Switch or a Layer 2 switch.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
A feature to disable source MAC address learning across the interswitch link, allows trafc to reach real servers even when one switch goes into the Standby state.
When the client request enters port 25 on Nortel Application Switch 1, the switch makes a copy of the packet. The switch load balances the copied packet between the two IDS servers based on the congured load balancing metric (hash). The original data packet however, enters Nortel Application Switch 2 through the rewall and Nortel Application Switch 2 performs standard server load balancing on the client data between the three real servers. The client request is processed and returned to Nortel Application
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
295
Switch 1 via the rewall. An allow lter at ports 26 and port 27 causes the Nortel Application Switch to make a copy of the request and directs the copy to the IDS server group. Follow this procedure to congure the topology illustrated in "Server Load Balancing and IDS Load Balancing to a Single Group" (page 294): Step 1 Action Set up the IDS servers. To congure the IDS servers as real servers you must consider the setup of the IDS servers and the selection of the health check. Typically, most IDS servers are setup in stealth mode (without IP addresses); but, they can also be set up with non-routable IP addresses. See "Setting Up IDS Servers" (page 292) for more information about setting up IDS servers. 2 At the Nortel Application Switch, congure the IDS servers as real servers. In "Server Load Balancing and IDS Load Balancing to a Single Group" (page 294) the IDS servers are congured in stealth mode. Match the real server number with the physical port number to which the IDS servers are connected, and congure dummy IP addresses. The real servers must be numbered between 1-63.
>> # /cfg/slb/real 6/rip 6.6.6.6/ena >> # /cfg/slb/real 7/rip 7.7.7.7/ena (Define a dummy IP address for IDS server 6) (Define a dummy IP address for IDS server 7)
Create a group and add the IDS servers. The group must be numbered between 163.
>> # /cfg/slb/group 50 >>Real Server Group 50# add 6 >>Real Server Group 50# add 7 (Define a group) (Add IDS server 6) (Add IDS server 7)
Dene the group metric for the IDS server group. IDS server load balancing supports the hash metric only.
>>Real Server Group 50# metric hash (Set the metric to hash)
Congure link health check which is specically developed for IDS servers set up in stealth mode (without IP addresses).
>>Real Server Group 50# health link (Set the health check to link)
Enable IDS on the client and server ports. This enables frames ingressing the port to be copied to the IDS servers.
>># /cfg/slb/port 25/ids ena >>SLB port 25# /cfg/slb/port 26/ids ena >>SLB port 26# /cfg/slb/port 27/ids ena (Enable IDS processing for port 25) (Enable IDS processing for port 26) (Enable IDS processing for port 27)
In addition to enabling IDS at the port level, a lter must be congured to create a session entry for non-SLB frames ingressing the port. IDS load balancing requires a session entry to be created to store the information regarding which IDS server to send to. 9 Create an allow lter and congure the lter with the idshash metric.
>> # /cfg/slb/filt 2048 >> Filter 2048# sip any >> Filter 2048# dip any >> Filter 2048# action allow (Select the menu for Filter 2048) (From any source IP address) (To any destination IP address) (Allow matching traffic to pass)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
297
The IDS hash metric is set to hash on both the source and destination IP addresses. Hashing on both source and destination IP address ensures that the returning trafc goes to the same IDS server. If the port is congured for client processing only, then the switch hashes on the source IP address. By default, the IDS hash metric hashes on the source IP address only. 10 Apply the allow lter to ports 25, 26, and 27. The allow lter must be applied on all ports that require layer 4 trafc to be routed to the IDS servers.
>> Filter 2048# /cfg/slb/port 25 >> SLB Port 25# add 2048 >> SLB Port 25# filt ena >> SLB Port 25# /cfg/slb/port 26 >> SLB Port 26# add 2048 >> SLB Port 26# filt ena >> SLB Port 26# /cfg/slb/port 27 >> SLB Port 27# add 2048 >> SLB Port 27# filt ena (Select the client port) (Apply the filter to the client port) (Enable the filter) (Select port 26) (Apply the filter to port 26) (Enable the filter) (Select port 27) (Apply the filter to port 27) (Enable the filter)
All ingressing trafc at these ports that match any of the lters congured for that port will be load balanced to the IDS groups. The allow lter is used at the end of the lter list to make sure that all trafc matches a lter. A deny all lter could also be used as the nal lter instead of an allow all lter. 11 Apply and save your changes.
>> SLB Port 25# apply >> SLB Port 25# save
12
Congure Nortel Application Switch 2 to load balance the real servers as described in "Conguring Server Load Balancing" (page 194) .
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Congure the IP interfaces on the switch Congure the SLB real servers and add the real servers to the group Congure the virtual IP address Congure the SLB metric Enable SLB
A copy of layer 4 trafc from clients A, B, and C and from the real servers are directed to the IDS servers and load balanced between IDS servers 6 and 7. End
When the same Nortel Application Switch is congured to load balance real servers and IDS servers as shown in "Server Load Balancing and IDS Load Balancing" (page 298), lter processing is not required on the client processing port (port 25). To maintain session persistency however, if you
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
299
add the lter to the client port, the switch can be congured to hash on both the client IP and virtual server IP. This ensures that both client and server trafc belonging to the same session is sent to the same IDS server. If you do not add the lter on port 25, then the switch hashes on the client IP address only. Note: While this example assumes use of an Nortel Application Switch 2424, you may adapt this example according the ports available on your particular Nortel Application Switch model. Follow this procedure to congure the topology illustrated in "Server Load Balancing and IDS Load Balancing" (page 298): Step 1 Action Set up the IDS servers. Refer to "Setting Up IDS Servers" (page 292) for information on setting up the IDS servers. To congure the IDS servers as real servers you must consider the following: Connecting the IDS servers Choosing the health check Conguring the IP addresses
For more information on each of the above items, see step 1 on step 1. 2 Congure the IDS servers as real servers. In "Server Load Balancing and IDS Load Balancing" (page 298) the IDS servers are setup with non-routable IP addresses. The real servers must be numbered 1-63.
>> # /cfg/slb/real 6/rip 10.20.20.1/ena >> # /cfg/slb/real 7/rip 10.20.20.2/ena >> # /cfg/slb/real 8/rip 10.20.20.3/ena (Specify IP address for IDS server 6) (Specify IP address for IDS server 7) (Specify IP address for IDS server 8)
Create two IDS groups and add the IDS servers. Dene the two IDS groups 51 and 52. The IDS group numbers must be between 1 to 63.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> # /cfg/slb/group 51 >>Real Server Group 51# add 6 >>Real Server Group 51# add 7 >>Real Server Group 51# /cfg/slb/group 52 >>Real Server Group 52# add 8
(Define a group) (Add IDS server 6) (Add IDS server 7) (Define another group) (Add IDS server 8)
Dene the group metric for the IDS server groups. IDS server load balancing supports the hash metric only.
>>Real Server Group 51# metric hash >>Real Server Group 51# /cfg/slb/group 52 >>Real Server Group 52# metric hash (Set the metric to hash) (Select the other IDS group) (Set the metric to hash)
The hash metric is implemented in two ways. For more information, see step 4 on step 4. 5 Dene the health check for the group. Congure ICMP health check for the group.
>>Real Server Group 51# health icmp >>Real Server Group 51# /cfg/slb/group 52 >>Real Server Group 52# health arp (Set the health check to ICMP) (Select the other IDS group) (Set the health check to ARP)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
301
>> # /cfg/slb/group 51 >>Real Server Group 51# idsrprt http >>Real Server Group 51# /cfg/slb/group 52
(Select the IDS group) (Select HTTP traffic for IDS group) (Select the IDS group)
>>Real Server Group 52# idsrprt any (Select non-HTTP traffic for IDS group)
Enable IDS on the client and server processing ports. This enables frames ingressing the port to be copied to the IDS servers.
>># /cfg/slb/port 25/idslb ena >>SLB port 25# /cfg/slb/port 2/idslb ena >>SLB port 2# /cfg/slb/port 3/idslb ena >>SLB port 3# /cfg/slb/port 4/idslb ena (Enable IDS SLB for port 25) (Enable IDS SLB for port 2) (Enable IDS SLB for port 3) (Enable IDS SLB for port 4)
In addition to enabling IDS at the port level, a lter must be congured to create a session entry for non-SLB frames ingressing the port. IDS load balancing requires a session entry to be created to store the information regarding which IDS server to send to. 9 Create an allow lter and congure the lter with the idshash metric.
>> # /cfg/slb/filt 2048 >> Filter 2048# sip any >> Filter 2048# dip any >> Filter 2048# action allow >> Filter 2048# ena >> Filter 2048# adv/idshash both (Select the menu for Filter 2048) (From any source IP address) (To any destination IP address) (Allow matching traffic to pass) (Enable the filter) (Set the hash metric parameter)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The IDS hash metric is set to hash on both the source and destination IP addresses. Hashing on both source and destination IP address ensures that the returning trafc goes to the same IDS server. By default, the IDS hash metric hashes on the source IP address only. 10 Apply the lter to ports 2, 3, 4 and 25 only. Enable lter processing on all ports that have IDS enabled. If you add the allow lter to the client port 25, the switch will hash on client IP and virtual server IP address for both client and server frames. This ensures that both client and server trafc belonging to the same session is sent to the same IDS server. If you do not add the allow lter on port 25, then the switch hashes on client IP only for client frames and hashes on client IP and virtual server IP address for server frames.
>> # /cfg/slb/port 2 >> SLB Port 2# add 2048 >> SLB Port 2# filt ena >> SLB Port 2# /cfg/slb/port 3 >> SLB Port 3# add 2048 >> SLB Port 3# filt ena >> SLB Port 3# /cfg/slb/port 4 >> SLB Port 4# add 2048 >> SLB Port 4# filt ena >> SLB Port 4# /cfg/slb/port 25 >> SLB Port 25# add 2048 >> SLB Port 25# filt ena (Select the port menu) (Apply the filter to port 2) (Enable the filter) (Select port 3) (Apply the filter to port 3) (Enable the filter) (Select port 4) (Apply the filter to port 4) (Enable the filter) (Select port 25) (Apply the filter to port 25) (Enable the filter)
11
A copy of layer 4 Web trafc from clients A, B, and C and from the real servers 1, 2, and 3 is load balanced between IDS servers 6 and 7. A copy of all non-HTTP trafc is directed to IDS server 8. 12 Congure the switch for server load balancing the real servers as described in "Conguring Server Load Balancing" (page 194). Congure the IP interfaces on the switch
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
303
Congure and create a group for the SLB real servers Congure the virtual IP address Congure the SLB metric Enable SLB End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Normally, the standby switch will learn the source MAC address of clients in the copied packet from the port that is connected to the inter-switch link. The standby switch also learns the source MAC address of the server when the server response packets enter the master switch and are ooded to the IDS VLAN over the interswitch link. In a high availability conguration, the standby switch becomes the master if the current master switch fails. The new master switch forwards trafc between clients and servers. Because the MAC addresses of the real servers are learned via the inter-switch link port, the request packets from clients are forwarded to the inter-switch link port on the new master switch, and are received by the new standby switch. Because the standby switch does not forward trafc, the request packets would not normally reach the real servers. Nortel Application Switch Operating System remedies this situation by allowing the administrator to disable learning of client and server source MAC addresses over the interswitch link, thus ensuring that when switch failover occurs, the client request packets reach the real servers. Note: While this example assumes use of an Nortel Application Switch 2424, you may adapt this example according the ports available on your particular Nortel Application Switch model. Follow this procedure to congure the topology illustrated in "Load Balancing IDS Servers Across Two Switches" (page 303): Step 1 Action Set up the IDS servers. Refer to "Setting Up IDS Servers" (page 292) for information on setting up the IDS servers. To congure the IDS servers as real servers you must consider the following: Connecting the IDS servers Choosing the health checkin this case, use SNMP health check Conguring the IP addresses
For more information on each of the above items, see step 1 on step 1. 2 On the Nortel Application Switch, congure the interswitch link ports for the IDS VLAN.
/cfg/port 25/tag ena/pvid 1000 /cfg/port 26/tag ena/pvid 1000
305
(Add ports 25, 26 to trunk group 1) (Add ports 27, 28 to trunk group 2)
Congure an IP interface for the SNMP health check to the other switch.
/cfg/l3/if 3/addr 11.11.11.1/mask 255.255.255.255/v lan 1000
Congure VLANs. Make sure to disable source MAC address learning only on the IDS VLANs. The following VLANS are congured on the switch: VLAN 1: for load balancing trafc to the real servers VLAN 1000: for performing SNMP health check on switch 2 VLAN 1001: for IDS server 1 VLAN 1002: for IDS server 2 VLAN 1003: for IDS server 3 VLAN 1004: for IDS server 4.
>> Main# /cfg/l2/vlan 1001/ena >> VLAN 1001# learn dis : >> VLAN 1001# add 25/add 26 Port 25 1. Confirm Port 26 1. Confirm (Set port members of the VLAN) (Disable source MAC learning on the IDS VLAN)
is an UNTAGGED port and its current PVID is changing PVID from 1 to 1001 [y/n]: y is an UNTAGGED port and its current PVID is changing PVID from 1 to 1001 [y/n]: y
>> Layer 2# 25/add 26 >> Layer 2# 25/add 26 >> Layer 2# 25/add 26 >> Layer 2# 25/add 26
/cfg/l2/vlan 1001/ena/learn dis/add /cfg/l2/vlan 1002/ena/learn dis/add /cfg/l2/vlan 1003/ena/learn dis/add /cfg/l2/vlan 1004/ena/learn dis/add
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Congure the IDS servers as real servers. In "Server Load Balancing and IDS Load Balancing" (page 298) the IDS servers are setup with non-routable IP addresses. The real servers must be numbered 1-63. SNMP health checks are congured to check the status of the ports on switch 2 that are connected to the IDS servers.
>> # /cfg/slb/real 1/rip 11.11.11.1/ena >> Real server 1 # ids/idsvlan 1001 >> Real Server 1 IDS# idsport 25 (Set IP address for IDS server 1) (Set IDS VLAN for IDS server 1) (Set IDS VLAN port)
>> Real Server 1 IDS# oid 1.3.6.1.2.1.2.2.1.8.257 (Set OID to health check port 1) >> # /cfg/slb/real 2/rip 11.11.11.1/ena >> Real server 2 # ids/idsvlan 1002 >> Real Server 2 IDS# idsport 25 >> Real Server 2 IDS# oid 1.3.6.1.2.1.2.2.1.8.258 (Set OID to health check port 2) >> # /cfg/slb/real 3/rip 11.11.11.100/ena (Set the IP interface for switch 2)
>> Real server 3 # ids/idsvlan 1003 >> Real Server 3 IDS# idsport 25 >> Real Server 3 IDS# oid 1.3.6.1.2.1.2.2.1.8.259 (Set OID to health check port 3 on switch 2) >> # /cfg/slb/real 4/rip 11.11.11.100/ena >> Real server 4 # ids/idsvlan 1004 >> Real Server 4 IDS# idsport 25 >> Real Server 4 IDS# oid 1.3.6.1.2.1.2.2.1.8.260 (Set OID to health check port 4 on switch 2)
Create an IDS group and add the IDS servers. Dene the IDS group. The IDS group numbers must be between 1 to 63.
>> # /cfg/slb/group 53 >>Real Server Group 53# add 1 (Define a group) (Add IDS server 1)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
307
>>Real Server Group 53# add 2 >>Real Server Group 53# add 3 >>Real Server Group 53# add 4
Dene the group metric for the IDS server group. IDS server load balancing supports the hash metric only.
>>Real Server Group 53# metric hash (Set the metric to hash)
10
11
12
Enable IDS on the client and server ports. This enables frames ingressing the trafc ports to be copied to the IDS servers.
/cfg/slb/port 4/ids ena >>SLB port 4# /cfg/slb/port 7 ids ena >>SLB port 7# /cfg/slb/port 8 ids ena >>SLB port 7# /cfg/slb/port 27/ids ena >>SLB port 27# /cfg/slb/port 28/ids ena (Enable IDS processing for port 4) (Enable IDS processing for port 7) (Enable IDS processing for port 8) (Enable IDS processing for port 27) (Enable IDS processing for port 28)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
In addition to enabling IDS at the port level, a lter must be congured to create a session entry for non-SLB frames ingressing the port. IDS load balancing requires a session entry to be created to store the information regarding which IDS server to send to. 13 Congure an integer value for the switch to accept the SNMP health check. If the value returned by the real server for the MIB variable does not match the expected value congured in the rcvcnt eld, then the server is marked down; the server is marked back up when it returns the expected value. In this step, the server is marked down if the switch receives a value 1; the real server is considered as health check failed.
>>SLB port 27# /cfg/slb/advhc/snmphc 1/rcvcnt "1"
14
Create an allow lter and congure the lter with the idshash metric. The IDS hash metric is set to hash on both the source and destination IP addresses. Hashing on both source and destination IP address ensures that the returning trafc goes to the same IDS server. If the port is congured for client processing only, then the switch hashes on the source IP address. By default, the IDS hash metric hashes on the source IP address only.
15
Apply the allow lter to ports 4, 7, 8, 27, and 28, to enable lter processing on all ports that have IDS enabled. If you add the allow lter to the client port 4, the switch will hash on client IP and virtual server IP address for both client and server frames. This ensures that both client and server trafc belonging to the same session is sent to the same IDS server. If you do not add the allow lter on port 5, then the switch hashes on client IP only for client frames and hashes on client IP and virtual server IP address for server frames. The allow lter must be applied on all ports that require layer 4 trafc to be routed to the IDS servers.
>> Filter 2048# /cfg/slb/port 4 >> SLB Port 4# add 2048 >> SLB Port 4# filt ena >> SLB Port 4# /cfg/slb/port 7 >> SLB Port 7# add 2048 (Select the client port) (Apply the filter to the IDS port) (Enable the filter) (Select the IDS server 7 port) (Apply the filter to the IDS port)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
309
>> SLB Port 7# filt ena >> SLB Port 7# /cfg/slb/port 8 >> SLB Port 2# add 2048 >> SLB Port 2# filt ena >> SLB Port 2# /cfg/slb/port 27 >> SLB Port 27# add 2048 >> SLB Port 27# filt ena >> SLB Port 27# /cfg/slb/port 28 >> SLB Port 28# add 2048 >> SLB Port 28# filt ena
(Enable the filter) (Select the IDS server 8 port) (Apply the filter to the client port) (Enable the filter) (Select the interswitch link for IDS) (Apply the filter to traffic port 27) (Enable the filter) (Select the interswitch link for IDS) (Apply the filter to traffic port 28) (Enable the filter)
All ingressing trafc at these ports that match any of the lters congured for that port will be load balanced to the IDS groups. The allow lter is used at the end of the lter list to make sure that all trafc matches a lter. A deny all lter could also be used as the nal lter instead of an allow all lter. 16 Apply and save your changes.
>> SLB Port 26# apply >> SLB Port 26# save
17
Congure Nortel Application Switch 2 to load balance the real servers as described in "Conguring Server Load Balancing" (page 194). Congure the IP interfaces on the switch Congure the SLB real servers and add the real servers to the group Congure the virtual IP address Congure the SLB metric Enable SLB End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
311
Follow this procedure to congure the topology illustrated in "SIP Load Balancing" (page 311): Step 1 Action At the Nortel Application Switch, before you start conguring SIP load balancing: 2 Connect each SIP proxy server to the application switch Congure the IP addresses on all devices connected to the application switch Congure the IP interfaces on the application switch Enable Direct Access Mode (DAM) Disable proxy IP addressing
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Real server 2# ena >> # /cfg/slb/real 3/rip 10.10.10.3 >> Real server 3# ena
(Enable real server 2) (Define address for MCS 3) (Enable real server 3)
Dene the group metric for the server group. TCP based SIP load balancing supports all metrics. For example, set the metric to minmisses.
>>Real Server Group 100# metric minmiss (Set the metric to minmisses)
Dene the health check for the group. The health check is TCP for TCP based SIP load balancing.
>>Real Server Group 100# health tcp (Set the health check to tcp)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
313
10
Enable DAM.
>> # /cfg/slb/adv/direct ena
11
Increase the timeout for idle sessions. SIP sessions are quite long and data may be owing while the signalling path is idle. Because the switch resides in the signalling path, it is recommended to increase the Real server session timeout value to 30 minutes (default value is 10 minutes).
>> # /cfg/slb/real 1/tmout 30 >> # /cfg/slb/real 2/tmout 30 >> # /cfg/slb/real 3/tmout 30 (Increase Real 1 session timeout) (Increase Real 2 session timeout) (Increase Real 3 session timeout)
12
13
14
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
End
Follow this procedure to congure the topology illustrated in "SIP Load Balancing" (page 311): Step 1 Action At the Nortel Application Switch, before you start conguring SIP load balancing: Connect each SIP proxy server to the application switch
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
315
Congure the IP addresses on all devices connected to the application switch Congure the IP interfaces on the application switch Enable Direct Access Mode (DAM) Disable proxy IP addressing
Dene the group metric for the server group. Because SIP load balancing is done based on Call-ID, minmisses metric only is supported to ensure persistency.
>>Real Server Group 100# metric minmiss (Set the metric to minmisses)
Dene the health check for the group. Congure SIP PING request health check which is specically developed for SIP-enabled servers.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
10
Enable DAM.
>>Virtual Server 1 sip Service # direct ena
11 12
Enable UDP load balancing Increase the timeout for idle sessions. SIP sessions are quite long and data may be owing while the signalling path is idle. Because the switch resides in the signalling path, it is recommended to increase the Real server session timeout value to 30 minutes (default value is 10 minutes). When the call terminates with a BYE command, the application switch releases the session entry immediately.
>> # /cfg/slb/real 1/tmout 30 >> # /cfg/slb/real 2/tmout 30 >> # /cfg/slb/real 3/tmout 30 (Increase Real 1 session timeout) (Increase Real 2 session timeout) (Increase Real 3 session timeout)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
317
When the call terminates with a BYE command, the application switch releases the session entry immediately. 13 Enable server and client processing at the port level.
>> # /cfg/slb/port 25 >>SLB port 25# client ena >>SLB port 25# /cfg/slb/port 5 >>SLB port 5# server ena >>SLB port 5# /cfg/slb/port 6 >>SLB port 6# server ena >>SLB port 6# /cfg/slb/port 7 >>SLB port 7# server ena (Select the client port) (Enable client processing) (Select the server port) (Enable server processing) (Select the server port) (Enable server processing) (Select the server port) (Enable server processing)
14
End
Session persistency using the refer method The refer method of load balancing SIP servers is required for call transfer services. The refer method indicates that the recipient should contact a third party using the contact information provided in the request. To maintain session persistency, the new request from the recipient to the third party should also hash the same real server. To maintain
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
persistency, whenever the switch receives a session congured for refer method, Nortel Application Switch Operating System 24.0 creates a persistent session. When creating a session for a new request Nortel Application Switch Operating System looks up the session table and selects the correct real server. If there is a persistent session, then the real server specied in the session entry is used if that real server is up, otherwise the normal minmiss method is used to select the real server. Supports standard health check options Nortel Application Switch Operating System 24.0 supports the standard method to health check SIP servers. The options method (like HTTP and RTSP) is supported by all RFC 3261 compliant proxies. The application switch sends an options request to the SIP server when congured to use the SIP options health check. If the response from the server is a "200 OK," then the server is operational, otherwise the server is marked down. To congure the SIP options health check, use the following command:
>> Main# /cfg/slb/virt<Virtual Server>/service 5060/rport<Port>>> Main# /cfg/slb/group <Real Server Group> /health sipoptions
Support for RTP (SDP) Media Portal NAT This feature is useful if you have several media portal servers with private IP addresses. When the proxy servers respond to an INVITE request, the private IP address of the Media Portal is embedded in the SDP. The switch translates this private IP address to a public IP address. The private media portal address is sent in the response to an INVITE request. The switch replaces the private IP with the public IP address in the SDP. To support media portal NAT, you must congure the following:
Step 1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
319
Main# /cfg/slb/virt 1 Virtual Server 1# service 14 Virtual Server 1 14 Service# sip SIP Load Balancing# sdpnat
Create static NAT lters. This allows RTP trafc destined for the public media portal address to be translated to the actual private media portal address. Create static NAT lters to operate in both directions; one to translate the public address to the private address and one to translate the private address to the public address. For more information on static NAT lters, refer to "Static NAT" (page 386). End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
320 Part 3: Application Switching Fundamentals SoftGrid Load Balancing Network Topology
The SoftGrid platform supports TCP unicast connections using the following protocols: Step 1 Action Real Time Streaming Protocol (RTSP) RTSP is an application level protocol that is responsible for controlling the transport of multimedia content, session announcements, and tear downs. 2 Real Time Transport Protocol (RTP) RTP is used to transport the application data between server and client. 3 Real Time Control Protocol (RTCP) RTCP is used to control the streaming of the application data that is transported by RTP. The SoftGrid platform uses three channels to complete the application delivery process. Initially, the SoftGrid Client uses the RTSP channel to create a connection with the SoftGrid Server.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
321
The SoftGrid Server then opens two ports for the RTP and RTCP channels and sends these port numbers to the Client. The Client then opens TCP connections to the ports created on the Server. The requested application is then streamed over the RTP channel while the RTCP channel provides control over the RTP channel. End
If softgrid is enabled for a RTSP service, the softgrid RTSP mode performs the RTSP server load balancing for that service. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
323
You can congure up to 16 Work Load Managers (WLM). Step 1 Action Congure the IP address and the TCP port number to connect to the WLM.
>> Main# /cfg/slb/wlm 11 >> Workload Manager 1# addr 10.10.10.10 >> Workload Manager 1# port 10 (IP address of the WLM) (TCP port to connect to the WLM)
If the WLM number is not specied, then this group is not registered with the WLM. As a result, dynamic weights are not used for this group. 3 Specify if WLM should use data or management port.
>> Main# /cfg/slb/mmgmt >> Management Port# wlm mgmt
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Main# /info/slb/wlm Workload Manager Information: ID IP address Port 1 47.81.25.66 3860 10 47.80.23.245 3860
1 1 0 1 1 0 1 1 0 0 0 0 47 0 0 0 0 0 0 0
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
325
>> Main# /stats/slb/group 2 Real server group 2 stats: Total weight updates from WorkLoad Manager : Current Total Highest Real IP address Sessions Sessions Octets ---- ----------------- ---------------- -------1 1.1.1.1 0 2 2.2.2.2 0 3 3.3.3.3 0 4 4.4.4.4 0 ---- ----------------- ---------------- -------group 2 0 Sessions -------0 0 0 0 -------0 0 0 0 0 0 0 0 0 10
(Application load balancing) Display the current weight for the real servers for a particular service. Note that the WLM-assigned weights are displayed as dynamic weight.
>> Main# /info/slb >> Server Load Balancing Information# virt 1 1: 10.10.7.1, 00:01:81:2e:a0:8e virtual ports: http: rport http, group 1, backup none, slowstart real servers: 1: 192.168.2.11, backup none, 0 ms, group ena, up dynamic weight 20 2: 192.168.2.12, backup none, 0 ms, group ena, up dynamic weight 40
(Application Redirection) Display the current weight for the real server.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Main# /info/slb >> Server Load Balancing Information# filt 224 224: action allow group 1, health 3, backup none, vlan any, content web.gif thash auto, idsgrp 1 proxy: enabled layer 7 parse all packets: enabled real servers: 1: 192.168.2.11, backup none, 0 ms, group ena, up dynamic weight 40
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
327
Multi-homing
WAN link load balancing enables the Nortel Application Switch to provide Fast Ethernet and Gigabit connectivity from corporate resources to multiple ISP links to the Internet. To handle the high volume of data on the Internet, corporations are using more than one Internet Service provider (ISP) as a way to increase reliability of Internet connections. Such enterprises with more than one ISP are referred to as being multi-homed. In addition to reliability, a multi-homed network architecture enables enterprises to distribute load among multiple connections and to provide more optimal routing.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Multi-homing is becoming essential for reliable networks, providing customers with protection against connectivity outages and unforeseen ISP failures. Multi-homing also presents other clear opportunities for enterprises to intelligently manage how WAN links are used. With link load balancing organizations have greater exibility to scale bandwidth and reduce spending for corporate connectivity. Nortel Application Switch software provides a solution for enterprises that wish to optimize utilization of Internet connectivity. This comprehensive solution helps enterprises to direct trafc over the best connection to maximize performance, maximize corporate bandwidth investments, and effectively remove existing deployment and management barriers for multi-homed networks.
WAN link load balancing benets your network in a number of ways: Performance is improved by balancing the request load across multiple WAN links. More WAN links can be added at any time to increase processing power. Increased efciency for WAN link utilization and network bandwidth Your Nortel Application Switch is aware of the shared services provided by your WAN link pool and can then balance user trafc among the available WAN links. Important WAN link trafc gets through more
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
329
easily, reducing user competition for connections on overutilized links. For even greater control, trafc is distributed according to a variety of user-selectable rules. Increased reliability Reliability is increased by providing multiple paths from the clients to the Nortel Application Switch and by accessing a pool of WAN links. If one WAN link fails, the others can take up the additional load. Increased scalability of services As trafc increases and the WAN link pools capabilities are saturated, new WAN links can be added to the pool transparently. For ease of maintenance, WAN links can be added or removed dynamically, without interrupting trafc.
server entry, redirected trafc is load balanced among the available real servers in the group. WAN links use redirection lters to load balance outbound trafc. For more information, see "Outbound Trafc" (page 330). Virtual server-based load balancing This is the traditional load balancing method. The Nortel Application Switch is congured to act as a virtual server and is given a virtual server IP address (or range of addresses) for each collection of services it will distribute. Depending on your application switch model, there can be as many as 1024 virtual servers, each distributing up to 8 different services (up to a total of 1023 services). Each virtual server is assigned a real server. When the user stations request connections to a service, they will communicate with a virtual server on the Nortel Application Switch. When the application switch receives the request, it binds the session to the IP address of the corresponding real server and remaps the elds in each frame from virtual addresses to real address. This method of load balancing is used to load balance inbound trafc. For more information, see "Inbound Trafc" (page 332).
Outbound Trafc
Outbound trafc is data from the intranet that accesses content across the Internet. Nortel Application Switch Operating System load balances outbound trafc using redirection lters to redirect trafc initiated from within the users network to a group of devices that exist at the other end of the WAN link. These lters determine which link is the best at the time the request is generated.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
331
The design of outbound WAN link load balancing is identical to standard redirection, except that Nortel Application Switch Operating System substitutes the source IP address of each frame with the proxy IP address of the port to which the WAN link is connected. This substitution ensures that the returning response traverse the same link. In "Outbound Trafc" (page 331), client 1 at IP address 1.1.1.2 sends a HTTP request to the Internet. Outbound trafc from client 1 reaches port 5 on the Nortel Application Switch which is congured with a redirection lter for link load balancing. The trafc is load balanced between ports 2 and 7 depending on the metric of the WAN group (congured as real server 1 and 2).
Outbound Trafc
The outbound trafc resolution in "Outbound Trafc" (page 331) is described in detail in the following section: Step 1 2 Action Client 1 makes a data request for content on the Internet. When the request reaches port 5, the redirection lter is triggered and the Nortel Application Switch selects the optimal WAN link. Before the packets leave the WAN link ports, the client IP address is substituted with the congured proxy IP address on port 2 or 7. Proxy IP address maintains persistency for the returning request. The Nortel Application Switch sends the request to the destination IP address. The returning request from the Internet uses the same WAN link because the destination IP address responds to the proxy IP address, thereby maintaining persistency. The selected ISP processes the packet.
4 5
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The Application Switch converts the proxy IP address to the client IP address and the request is returned to the client. End
Inbound Trafc
Inbound trafc is data from an external client on the Internet that enters the Nortel Application Switch to access an internal service, such as corporate Web servers or FTP servers. Nortel Application Switch Operating System allows you to load balance the inbound trafc by providing access to the external client with the best available WAN link. This is implemented by conguring the Nortel Application Switch as an authoritative name server. The application switch dynamically determines the best ISP link to use at the time the request is generated. The best link is determined by the congured metric, the load on the ISP, and periodic health checks on the upstream routers. For more information on load balancing metrics, see "Metrics for Real Server Groups" (page 202). Real server weighting can also be used to determine the best link when using the hash metric for load balancing inbound WAN links. For more information on real server weighting, see "Weights for Real Servers" (page 206). When the external client makes a DNS request, the application switch responds with the IP address of the best available WAN link (ISP).
Return-to-Sender
Enabling Return-to-Sender (RTS) allows the application switch to associate the session with the MAC address of the WAN router. This ensures that the returning trafc takes the same ISP path as the incoming trafc. RTS is enabled on the incoming WAN ports (port 2 and 7) to maintain persistence for the returning trafc. Data leaves the Nortel Application Switch from the same WAN link that it used to enter, thus maintaining persistency. If you want the incoming DNS request to go through the same ISP, then congure VLAN for gateways as described in "VLANs and Default Gateways" (page 75).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
333
As shown in "Inbound Trafc for non-SLB server" (page 333), two virtual server IP addressesvirtual server IP address 1 and virtual server IP address 2 are congured for nortelnetworks.com in each of the ISPs address range. Once the application switch responds with the best virtual server IP address, all subsequent trafc from the clients to this Domain is sent to the same virtual server IP address, thereby passing through the same ISP. External client request can be one of the following ways: External client accessing data from non-SLB group External client accessing data from an SLB group
External client accessing data from non-SLB group In "Inbound Trafc for non-SLB server" (page 333), a client request for http://www.nortelnetworks.com enters the Nortel Application Switch via an ISP. The non-SLB server (real server 3) can be directly or indirectly connected to the application switch. A real server 4 is congured on the Nortel Application Switch with the IP address of real server 3. Real server 4 is added to a server group and that group is advertised in VIP 1 and VIP 2.
Inbound Trafc for non-SLB server
The inbound trafc resolution in "Inbound Trafc for non-SLB server" (page 333) is described in detail in the following section:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1 2
Action Client makes a request to www.nortel.com. The client query does not exist in local DNS database. Local DNS queries the Domain Name Server on the Nortel Application Switch. The Nortel Application Switch monitors WAN links and responds with the virtual IP address of the optimal ISP. Default gateways for each ISP VLAN is recommended to avoid asymmetric routing.
4 5
Client again requests www.nortel.com with the provided virtual IP address. The server responds to the content request. An allow lter at port 5 processes the data for the services congured on the server. For example, if the client sends HTTP request to server 3, then the allow lter should be congured for source port 80. Similarly, if the client sends SMTP request to server 3, then the allow lter should be congured for source port 25.
The RTS feature on the WAN ports maintains persistency, so that the trafc returns via the same ISP. End
External client accessing data from an SLB group In www.nortel.com, the client request is for www.nortel.com. The client request should be load balanced between SLB servers 5 and 6.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
335
The inbound trafc resolution in "Inbound Trafc for SLB group" (page 335) is described in detail in the following section: Step 1 2 Action Client makes a request to www.nortel.com. The client query does not exist in local DNS database. Local DNS queries the Domain Name Server on the Nortel Application Switch. The Nortel Application Switch monitors WAN links and responds with the virtual IP address of the optimal ISP. Client makes the request again to www.nortel.com with the provided virtual IP address. The SLB servers responds to the content request, because real server 7 IP address on the Nortel Application Switch is the virtual server address of www.nortel.com. The session request egresses from port 1 and port 11 of the Nortel Application Switch where it is then load balanced between the SLB servers. The virtual server IP address for the SLB servers on the
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
3 4 5
application switch is congured as a real server IP address (Real 7 IP: 30.30.30.2) on the Nortel Application Switch. Real 7 is added to a group on the Nortel Application Switch. 6 The returning data from the SLB server reaches port 1, which is enabled for server processing. For information on server processing, see "Network Topology Requirements" (page 192). The RTS feature on the WAN ports maintains persistency, so that the trafc returns via the same ISP. End
Conguration Summary
"Conguration Summary" (page 337) summarizes the steps involved to congure the Nortel Application Switch for WAN link load balancing.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
WAN Link Load Balancing Conguration Summary Configuring Outbound Traffic 1. Configure the basic parameters. This includes configuring VLAN, IP interfaces, and defining gateways per VLAN. 2. Configure the load balancing parameters for the ISP WAN links. Configuring Inbound Traffic
337
1. Configure the basic parameters. This includes configuring VLAN, IP interfaces, and defining gateways per VLAN. 2. Configure the load balancing parameters for the ISP WAN links.
Configure the ISP routers as real servers Add it to a group Define the metric and health Enable SLB
Configure the ISP routers as real servers (Optional) assign weight to real servers Add it to a group Define the metric and health Enable SLB
Configure the redirection filter and enable it for link load balancing Apply the filter to the client ports
Create a group with the real server(s) Enable server processing Enable link load balancing Enable filter processing
A real server is configured for every SLB group on the Nortel Application Switch. 5. Configure virtual server IP addresses and services for each ISP. For each ISP link, configure a virtual server IP address per domain.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Configuring Inbound Traffic 6. Configure the Nortel Application Switch to behave like a Domain Name Server. This involves defining the domain record name and mapping the virtual server and real server addresses (ISP router) for each WAN link.
Note: For details about any of the menu commands described in the examples, refer Nortel Application Switch Operating System Command Reference. In the following procedure, many of the load balancing options are left to their default values. See "Additional Server Load Balancing Options" (page 199) for details on other options.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
339
"Conguring Simple WAN Link Load Balancing" (page 339) gives an overview of the steps described in the following procedure.
Conguring Simple WAN Link Load Balancing For outbound traffic For inbound traffic
"Step 1: Configure basic parameters on the Nortel Application Switch" (page 340) "Step 2: Configure the load balancing parameters for ISP routers" (page 342) "Step 3a (outbound traffic): Configure the WAN link ports" (page 343) "Step 4a (outbound traffic): Configure the client ports" (page 345) "Step 3b (inbound traffic): Configure the WAN link ports" (page 344) "Step 4b (inbound traffic): Configure server ports" (page 346) "Step 5: Configure the virtual server IP address and the services for each ISP" (page 346)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For inbound traffic "Step 6: Configure the Application Switch as a Domain Name Server" (page 348)
To congure the topology illustrated in "Simple WAN Link Load Balancing" (page 339), follow this procedure on the Nortel Application Switch: Step 1: Congure basic parameters on the Nortel Application Switch This includes conguring VLAN, IP interfaces, and dening gateways per VLAN. Gateways per VLAN is recommended if you have not congured other routing protocols. For each ISP, congure a default gateway for each VLAN. Step 1 Action Assign an IP address to each of the ISP links. The WAN links in any given real server group must have an IP route to the application switch that performs the load balancing functions. For this example, the two ISP links must be given the following IP addresses on different IP subnets:
ISP links: Real Server IP Addresses WAN links ISP 1 ISP 2 IP address 50.1.1.1 80.1.1.1
Congure the IP interfaces on the Nortel Application Switch. The Nortel Application Switch must have an IP route to all of the real servers that receive switching services. For load balancing the trafc, the Nortel Application Switch uses this path to determine the level of TCP/IP reach of the WAN links.
>> Main # /cfg/l3/if 2 >> IP Interface 2# ena >> IP Interface 2# addr 80.1.1.2 >> IP Interface 2# mask 255.255.255.0 (Define interface 2 for ISP 1) (Enable interface 2) (Define the IP address for interface 2) (Define the mask for interface 2)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
341
>> IP Interface 2# broad 50.1.1.255 >> IP Interface 2# vlan 2 >> Main # /cfg/l3/if 7 >> IP Interface 7# ena >> IP Interface 7# addr 50.1.1.2 >> IP Interface 7# mask 255.255.255.0 >> IP Interface 7# broad 80.1.1.255 >> IP Interface 7# vlan 7 >> Main # /cfg/l3/if 1 >> IP Interface 1# ena >> IP Interface 1# addr 1.1.1.1 >> IP Interface 1# mask 255.255.255.0 >> IP Interface 1# broad 1.1.1.255 >> IP Interface 1# vlan 1 >> Main # /cfg/l3/if 5 >> IP Interface 5# ena >> IP Interface 5# addr 2.2.2.1 >> IP Interface 5# mask 255.255.255.0 >> IP Interface 5# broad 2.2.2.255 >> IP Interface 5# vlan 5
(Define the broadcast for interface 2) (Specify the VLAN for interface 2) (Define interface 7 for ISP 2) (Enable interface 7) (Define the IP address for interface 7) (Define the mask for interface 7) (Define the broadcast for interface 7) (Specify the VLAN for interface 7) (Define interface 1 for Real server 3) (Enable interface 1) (Define the IP address for interface 1) (Define the mask for interface 1) (Define the broadcast for interface 1) (Specify the VLAN for interface 1) (Define interface 5 for internal client) (Enable interface 5) (Define the IP address for interface 5) (Define the mask for interface 5) (Define the broadcast for interface 5) (Specify the VLAN for interface 5)
Congure VLANs.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The real server IP addresses (WAN links and real server 3) and the respective IP interfaces must be on different VLANs. The pvid command sets the default VLAN number which is used to forward frames which are not VLAN tagged. The default number is 1.
>> # /cfg/port 25/pvid 2 >> # /cfg/port 26/pvid 7 >> # /cfg/port 1/pvid 1 >> # /cfg/port 5/pvid 5 >> # /cfg/vlan 2/ena >> # /cfg/vlan 2/def 25 >> # /cfg/vlan 7/ena >> # /cfg/vlan 7/def 26 >> # /cfg/vlan 1/ena >> # /cfg/vlan 1/def 1 >> # /cfg/vlan 5/ena >> # /cfg/vlan 5/def 5 >> # /cfg/l2/stg 1/off >> # /cfg/l2/stg 1/clear >> # /cfg/l2/stg 1/port 1 2 5 7 (Sets the default VLAN number) (Sets the default VLAN number) (Sets the default VLAN number) (Sets the default VLAN number) (Enable VLAN 2) (Add port 25 to VLAN 2) (Enable VLAN 7) (Add port 26 to VLAN 7) (Enable VLAN 2) (Add port 1 to VLAN 1) (Enable VLAN 5) (Add port 5 to VLAN 5) (Disable STG) (Clear STG) (Add ports 1, 2, 5, and 7 to STG 1)
End
Step 2: Congure the load balancing parameters for ISP routers On the Nortel Application Switch, congure the ISP routers with load balancing parameters: real servers, group, metric, and health. Step 1 Action At the Nortel Application Switch, congure IP addresses for WAN link routers. Proxy is disabled on the real servers, so that the original destination IP address is preserved.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
343
>> # /cfg/slb/real 1/rip 50.1.1.1 >> Real server 1# ena >> Real server 1# proxy dis >> # /cfg/slb/real 2/rip 80.1.1.1 >> Real server 2# ena >> Real server 2# proxy dis
(Define IP address for WAN link 1) (Enable real server 1) (Disable proxy) (Define IP address for WAN link 2) (Enable real server 2) (Disable proxy)
Any of the server load balancing metrics may be used, but response or bandwidth metric is recommended. 4 Congure health check for the WAN link group.
>>Real Server Group 100# health icmp (Set health check to ICMP)
Enable SLB.
>> # /cfg/slb/on (Enable load balancing)
End
Step 3a (outbound trafc): Congure the WAN link ports Step 1 Action Congure proxy IP addresses on ports 25 and 26 for WAN link load balancing.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> # /cfg/slb/pip/type port >> # /cfg/slb/pip >> Proxy IP Address# add 50.1.1.3 25 >> Proxy IP Address# add 80.1.1.7 26
(Set base type of proxy IP address) (Set proxy IP address for port 25) (Set proxy IP address for port 26)
Step 3b (inbound trafc): Congure the WAN link ports Step 1 Action Enable client processing for ports 25 and 26. This enables inbound trafc to access the virtual server IP address.
>> # /cfg/slb/port 25/client ena >> # /cfg/slb/port 26/client ena (Enable client processing for port 25) (Enable client processing for port 26)
Enable the Return to Sender (RTS) feature for ports 25 and 26. Enable RTS to ensure the returning trafc from all servers to go back to the same ISP router.
>> # /cfg/slb/port 25/rts ena >> # /cfg/slb/port 26/rts ena (Enable rts for port 25) (Enable rts for port 26)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
345
Typically, you have two or more virtual server IP addresses representing the same real service. On the return path, DAM ensures that the real server IP address is mapped to the correct virtual IP address.
>> # /cfg/slb/adv/direct ena
For information about DAM, refer to "Direct Access Mode" (page 239). End
Step 4a (outbound trafc): Congure the client ports Congure the redirection lter and enable the lter for link load balancing. This is required to translate (NAT) the client IP address to the proxy IP address. Step 1 Action Dene the WAN link load balancing redirection lter.
>> # /cfg/slb/filt 100 >> Filter 100# ena >> Filter 100# action redir >> Filter 100# group 100 (Select the ISP group of real servers)
Add the link load balancing lter 100 to the outbound client port
>> # /cfg/slb/port 5 >> SLB Port 5# add 100 >> SLB Port 5# filt ena (Select port 5) (Add filter 100 to port 5) (Enable the filter)
If you are conguring link load balancing for outbound trafc only, then go to "Step 7: Apply and save your changes" (page 349). The remaining steps in this procedure are used for load balancing of inbound trafc only. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 4b (inbound trafc): Congure server ports For each real server connected to the Nortel Application Switch, assign a real server number, specify its IP address and enable the real server. Dene a real server group and add the real server to the group. Step 1 Action Congure real server and create a group.
>> # /cfg/slb/real 3/rip 1.1.1.2 >> Real server 3# ena >> # /cfg/slb/group 3 >> Real server Group 3# add 3 (Define IP address for real server 3) (Enable real server 3) (Define a group) (Add Real server 3)
Enable lter on server port 1. Filter is enabled on port 1, because you want the Nortel Application Switch to look up the session table for the RTS entry.
>> # /cfg/slb/port 1 >> SLB Port 1# filt ena (Select port 1) (Enable the filter)
End
Step 5: Congure the virtual server IP address and the services for each ISP All client requests is addressed to a virtual server IP address dened on the Nortel Application Switch. Clients acquire the virtual server IP address through normal DNS resolution. In this example, HTTP and FTP are congured as the services running on this virtual server, and this service is associated with the real server group. Other TCP/IP services can be congured in a similar fashion. For a list of other well-known services and ports, see "Well-Known Application Ports" (page 199). To congure multiple services, see "Conguring Multiple Services" (page 202).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
347
Note: Dene a virtual server IP address for each ISP. Step 5a: Congure the virtual server IP address and the services for ISP 1 Dene a virtual server and add the services and real server group for ISP 1. Step 1 Action Congure a virtual server for ISP 1.
>> # /cfg/slb/virt 1 >>Virtual Server 1# vip 50.1.1.100 >>Virtual Server 1# ena (Select the virtual server) (Set IP address from the ISP 1 subnet) (Enable virtual server)
End
Step 5b: Congure the virtual server IP address and the services for ISP 2 Dene a virtual server and add the services and real server group for ISP 2. Step 1 Action Congure a virtual server for ISP 2.
>> # /cfg/slb/virt 2 >>Virtual Server 2# vip 80.1.1.100 >>Virtual Server 2# ena (Select the virtual server) (Set IP address from the ISP 1 subnet) (Enable virtual server)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
End
Step 6: Congure the Application Switch as a Domain Name Server Dene the domain record name and map the virtual server and real server (ISP router) for each WAN link. Step 1 Action Congure the Domain record for the application switch to behave as a Domain Name Server.
>> # /cfg/slb/linklb/drecord 1 (Select the Domain record menu)
>> Domain record 1# domain nortelnetworks.com (Define the Domain name) >> Domain Record 1# ena (Enable the Domain)
Congure an entry for each ISP and specify the virtual server and real server (ISP router). You must map the domain record, nortelnetworks.com to each ISP. Each ISP has two parametersvirtual IP address and real server IP address. The virtual IP address is used to respond to the DNS query for the nortelnetworks.com domain. The real server IP address is used to measure the ISP load and ISP health. These commands map the two parameters to the ISP link
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
349
>> Domain record 1# entry 1/ena >> Virt Real Mapping# virt 1 >> Virt Real Mapping# real 1 >> Domain record 1# entry 2/ena >> Virt Real Mapping# virt 2 >> Virt Real Mapping# real 2
(Define entry for ISP 1) (Select virtual server 1 for ISP 1) (Select real server for ISP 1) (Define entry for ISP 2) (Select virtual server 2 for ISP 2) (Select real server for ISP 2)
End
Step 7: Apply and save your changes You must apply in order for these changes to take effect, and you must save changes if you wish them to remain in effect after reboot. Step 1 Action Apply and verify the conguration.
>> Layer 4# apply >> Layer 4# cur (Make your changes active) (View current settings)
Examine the resulting information. If any settings are incorrect, make the appropriate changes. 2 Save your new conguration changes.
>> Layer 4# save (Save for restore after reboot)
Check that all load balancing parameters are working according to expectation. If necessary, make any appropriate conguration changes and then check the information again. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
"Conguring WAN Link Load Balancing with SLB" (page 351) gives an overview of the steps described in the following procedure.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
WAN Link Load Balancing Conguring WAN Link Load Balancing with SLB For outbound traffic For inbound traffic
351
"Step 1: Configure basic parameters on the Nortel Application Switch" (page 351) "Step 2: Configure the load balancing parameters for ISP routers" (page 353) "Step 3a (outbound traffic): Configure the WAN link ports" (page 354) "Step 4a (outbound traffic): Configure the internal network port" (page 356) "Step 3b (inbound traffic): Configure the WAN link ports" (page 355) "Step 4b (inbound traffic): Configure the internal network" (page 356) "Step 5: Configure the virtual server IP address and the services for each ISP" (page 358) "Step 6: Configure the Application Switch as a Domain Name Server" (page 360) "Step 7: Apply and save your changes" (page 361)
To congure the topology illustrated in "WAN Link Load Balancing with SLB" (page 350), follow this procedure on the Nortel Application Switch: Step 1: Congure basic parameters on the Nortel Application Switch This includes conguring VLAN, interfaces, and dening gateways per VLAN. Gateways per VLAN is recommended if you have not congured other routing protocols. Congure a default gateway per VLAN for each ISP. Step 1 Action Assign an IP address to each of the ISP links. The WAN links in any given real server group must have an IP route to the application switch that performs the load balancing functions. For this example, the two ISP links must be given the following IP addresses on different IP subnets:
ISP links: Real Server IP Addresses WAN links ISP 1 ISP 2 IP address 80.1.1.1 30.1.1.1
Congure the IP interfaces on the Nortel Application Switch. The Nortel Application Switch must have an IP route to all of the real servers that receive switching services. For load balancing the trafc, the Nortel Application Switch uses this path to determine the level of TCP/IP reach of the WAN links.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
353
>> # /cfg/port 5/pvid 5 >> # /cfg/vlan 2/ena >> # /cfg/vlan 2/def 25 >> # /cfg/vlan 7/ena >> # /cfg/vlan 7/def 26 >> # /cfg/vlan 1/ena >> # /cfg/vlan 1/def 1 >> # /cfg/vlan 5/ena >> # /cfg/vlan 5/def 5 >> # /cfg/stp 1/off >> # /cfg/stp 1/clear >> # /cfg/stp 1/add 1 25 26 5
(Sets the default VLAN number) (Enable VLAN 2) (Add port 25 to VLAN 2) (Enable VLAN 7) (Add port 26 to VLAN 7) (Enable VLAN 1) (Add port 1 to VLAN 1) (Enable VLAN 5) (Add port 5 to VLAN 5) (Disable STP) (Clear STP) (Add ports 1, 25, 26, 5 to STP 1)
End
Step 2: Congure the load balancing parameters for ISP routers On the Nortel Application Switch, congure the ISP routers as if they were real servers, with SLB parameters: real servers, group, metric, and health. Step 1 Action Congure IP addresses for WAN link routers.
>> # /cfg/slb/real 1/rip 50.1.1.1 >> Real server 1# ena >> Real server 1# proxy dis >> # /cfg/slb/real 2/rip 80.1.1.1 >> Real server 2# ena >> Real server 2# proxy dis (Define IP address for WAN link 1) (Enable real server 1) (Disable proxy) (Define IP address for WAN link 2) (Enable real server 2) (Disable proxy)
Proxy is disabled on the real servers, because link load balancing and full NAT cache redirection cannot coexist. 2 Create a group to load balance the WAN link routers.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> # /cfg/slb/group 100 >>Real Server Group 100# add 1 >>Real Server Group 100# add 2
Any of the server load balancing metrics may be used, but response or bandwidth metric is recommended. 4 Congure health check for the WAN link group.
>>Real Server Group 100# health icmp (Set health check to ICMP)
Enable SLB.
>> # /cfg/slb/on (Enable load balancing)
End
Step 3a (outbound trafc): Congure the WAN link ports Step 1 Action Congure proxy IP addresses on ports 25 and 26.
>> # /cfg/slb/pip/type port >> # /cfg/slb/pip >> Proxy IP Address# add 50.1.1.2 25 >> Proxy IP Address# add 80.1.1.7 26 (Set proxy IP address for port 25) (Set proxy IP address for port 26) (Set base type of proxy IP address)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
355
Step 3b (inbound trafc): Congure the WAN link ports Step 1 Action Enable client processing at ports 25 and 26.
>> # /cfg/slb/port 25/client ena >> # /cfg/slb/port 26/client ena (Enable client processing for port 25) (Enable client processing for port 26)
This enables inbound trafc to access the virtual server IP address. 2 Enable RTS for ports 25 and 26. Enable RTS to ensure the returning trafc from all servers to go back to the same ISP router.
>> # /cfg/slb/port 25/rts ena >> # /cfg/slb/port 26/rts ena (Enable rts for port 25) (Enable rts for port 26)
Enable Direct Access Mode (DAM). Typically, you have two or more virtual server IP addresses representing the same real service. On the return path, DAM ensures that the real server IP address is mapped to the correct virtual IP address.
>> # /cfg/slb/adv/direct ena
For information about DAM, refer to "Direct Access Mode" (page 239). End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 4a (outbound trafc): Congure the internal network port Congure the redirection lter and enable the lter for link load balancing. This is required to translate (NAT) the client IP address to the proxy IP address. Step 1 Action Dene the WAN link load balancing redirection lter.
>> # /cfg/slb/filt 100 >> Filter 100# ena >> Filter 100# action redir >> Filter 100# group 100 (Select the ISP group of real servers)
Add the link load balancing lter 100 to the outbound client port.
>> # /cfg/slb/port 1 >> SLB Port 1# add 100 >> SLB Port 1# filt ena (Select port 1) (Add filter 100 to port 1) (Enable the filter)
If you are conguring link load balancing for outbound trafc only, then go to "Step 7: Apply and save your changes" (page 349). The remaining steps in this procedure are for load balancing inbound trafc only. End
Step 4b (inbound trafc): Congure the internal network Congure the virtual server IP addresses on the Nortel Application Switch as real server IP addresses. In this example, you will congure two real server IP addresses for each of the two virtual server IP addresses. Then, dene a real server group and add the real servers to the group. Step 1 Action Congure real server and create a group. The real server IP address must be the virtual server IP address of the SLB servers that are hosting abc.com.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
357
>> # /cfg/slb/real 7/rip 1.1.1.100 >> Real server 7# ena >> # /cfg/slb/group 3 >> Real server Group 3# add 3
(Define IP address for www.abc.com) (Enable real server 3) (Define a group) (Add Real server 7)
Congure real server and create a group. The real server IP address must be the virtual server IP address of the SLB servers that are hosting xyz.com.
>> # /cfg/slb/real 8/rip 1.1.1.200 >> Real server 8# ena >> # /cfg/slb/group 4 >> Real server Group 4# add 4 (Define IP address for xyz.com) (Enable real server 8) (Define a group) (Add Real server 8)
Enable lter on server port 1. Filter is enabled on port 1, because you want the Nortel Application Switch to look up the session table for the RTS entry.
>> # /cfg/slb/port 1 >> SLB Port 1# filt ena (Select port 1) (Enable the filter)
Congure an allow lter for health checks to occur. If you have enabled link load balancing lter and server processing on the same port, then an allow lter must be congured for health checks. The allow lter is activated before the link load balancing lter, so that the health check trafc does not get redirected to the WAN links.
>> # /cfg/slb/filt 50 >> Filter 50# sip 1.1.1.0 >> Filter 50# smask 255.255.255.0 (From server subnet)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Filter 50# dip 1.1.1.1 >> Filter 50# action allow >> Filter 50# ena
For more information on health checking, see "Health Checks for Real Servers" (page 201). 6 Add the allow lter 50 to port 1.
>> # /cfg/slb/port 1 >> SLB Port 1# add 50 >> SLB Port 1# filt ena (Select port 1) (Add filter 50 to port 1) (Enable the filter)
Note: If you are using two Nortel Application Switches for redundancy, then must add allow lters for VRRP before the redirection lter. For more information on VRRP, see "High Availability" (page 508)" End
Step 5: Congure the virtual server IP address and the services for each ISP All client requests is addressed to a virtual server IP address on a virtual server dened on the Nortel Application Switch. Clients acquire the virtual server IP address through normal DNS resolution. In this example, HTTP and FTP are congured as the services running on this virtual server, and this service is associated with the real server group. Other TCP/IP services can be congured in a similar fashion. For a list of other well-known services and ports, see "Well-Known Application Ports" (page 199). To congure multiple services, see "Conguring Multiple Services" (page 202). Note: Dene a virtual server IP address for each ISP. Step 5a: Congure the virtual server IP address and the services for ISP 1 Dene a virtual server and add the services and real server group for ISP 1. Step 1 Action Congure a virtual server for ISP 1.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
359
(Select the virtual server) (Set IP address from the ISP 1 subnet) (Enable virtual server)
Step 5b: Congure the virtual server IP address and the services for ISP 2 Dene a virtual server and add the services and real server group for ISP 2. 3 Congure a virtual server for ISP 2.
>> # /cfg/slb/virt 2 >>Virtual Server 2# vip 80.1.1.100 >>Virtual Server 2# ena (Select the virtual server) (Set IP address from the ISP 1 subnet) (Enable virtual server)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: Repeat Steps 5a and 5b for virtual server 3 and 4 and add group 4 for each of the services. This allows inbound trafc to access SLB servers hosting the XYZ.com. End
Step 6: Congure the Application Switch as a Domain Name Server This involves conguring the domain record name and mapping the virtual server and real server (ISP router) for each WAN link.
You must map the domain record, nortelnetworks.com to each ISP. Each ISP has two parametersvirtual IP address and real server IP address. The virtual IP address is used to respond to the DNS query for the nortelnetworks.com domain. The real server IP address is used to measure the ISP load and ISP health. These commands map the two parameters to the ISP link Step 1 Action Congure the Domain record for abc.com .
>> # /cfg/slb/linklb/drecord 1 >> Domain Record 1# ena >> Domain record 1# domain abc.com (Select the Domain record menu) (Enable the Domain) (Define the Domain name)
Congure an entry for each ISP and specify the virtual and real server (ISP router).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
361
>> Domain record 1# entry 1/ena >> Virt Real Mapping# virt 1 >> Virt Real Mapping# real 1 >> Domain record 1# entry 2/ena >> Virt Real Mapping# virt 2 >> Virt Real Mapping# real 2
(Define entry for ISP 1) (Select virtual server 1 for ISP 1) (Select real server for ISP 1) (Define entry for ISP 2) (Select virtual server 2 for ISP 2) (Select real server for ISP 2)
Congure an entry for each ISP and specify the virtual and real server (ISP router).
>> Domain record 2# entry 1/ena >> Virt Real Mapping# virt 3 >> Virt Real Mapping# real 1 >> Domain record 1# entry 2/ena >> Virt Real Mapping# virt 4 >> Virt Real Mapping# real 2 (Define entry for ISP 1) (Select virtual server 3 for ISP 1) (Select real server for ISP 1) (Define entry for ISP 2) (Select virtual server 4 for ISP 2) (Select real server for ISP 2)
End
Step 7: Apply and save your changes You must apply in order for these changes to take effect, and you must save changes if you wish them to remain in effect after reboot.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Examine the resulting information. If any settings are incorrect, make the appropriate changes. 2 Save your new conguration changes.
>> Layer 4# save (Save for restore after reboot)
Check that all load balancing parameters are working according to expectation. If necessary, make any appropriate conguration changes and then check the information again. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
363
To overcome this problem, two lters can be used to on the two load balanced ports to suppress the ICMP echo-reply which makes the health check fail if the link fails. The following commands would apply Filter 10 to the link to the rst service provider:
/c/slb/filt 10 ena action deny sip 80.1.1.1 smask 255.255.255.255 dip 50.1.1.2 dmask 255.255.255.255 proto icmp vlan any /c/slb/filt 10/adv icmp echorep
After the lter is applied to the rst link, the lter on the second link would be applied. The following commands would apply Filter 20 to the link to the second service provider:
/c/slb/filt 20 ena action deny sip 50.1.1.1 smask 255.255.255.255 dip 80.1.1.2 dmask 255.255.255.255 proto icmp vlan any /c/slb/filt 20/adv icmp echorep
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
This chapter provides a conceptual overview of lters and includes conguration examples showing how lters can be used for network security and Network Address Translation (NAT). The following topics are addressed in this chapter: Note: IPv6 lters support the allow, deny, and redirection actions. "Overview" (page 365). This section describes the benets and ltering criteria to allow for extensive ltering at the IP and TCP/UDP levels. "Filtering Benets" (page 365) "Filtering Criteria" (page 365) "Stacking Filters" (page 367) "Overlapping Filters" (page 367) "The Default Filter" (page 368) "VLAN-based Filtering" (page 373) "Optimizing Filter Performance" (page 369) "Filter Logs" (page 369) " IP Address Ranges" (page 369) "Cached versus Non-cached Filters" (page 371) "Tunable Hash for Filter Redirection" (page 377) allows you to select any hash parameter for lter redirection. " Filter-based Security" (page 378). This section provides an example of conguring lters for providing the best security. "Network Address Translation" (page 385). This section provides two examples: Internal client access to the Internet and external client access to the server. "Matching TCP Flags" (page 394) and "Matching ICMP Message Types" (page 399). Describes the ACK lter criteria which provides greater ltering exibility and lists ICMP message types that can be ltered respectively. "Deny Filter Based on Layer 7 Content Lookup" (page 400) "Filtering on 802.1p Priority Bit in a VLAN Header" (page 376) "IPv6 Filtering" (page 406)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
365
Overview
Nortel Application Switch are used to deliver content efciently and secure your servers from unauthorized intrusion, probing, and Denial-of-Service (DoS) attacks. Nortel Application Switch Operating System includes extensive ltering capabilities at the Layer 2 (MAC), Layer 3 (IP) and Layer 4 (TCP/UDP) levels.
Filtering Benets
Filtering give the network administrator a powerful tool with the following benets: Filtering of Layer 2 non-IP frames. In the Nortel Application Switch Operating System, a lter can specify only source MAC and destination MAC addresses, and capture and apply an allow. Increased security for server networks Filtering gives the administrator control over the types of trafc permitted through the switch. Filters can be congured to allow or deny trafc from Layer 2 - Layer 7: MAC address, IP address, protocol, and Layer 4 port, and Layer 7 string or pattern content. Layer 2 only lters, as described in "MAC-Based Filters for Layer 2 Trafc" (page 372) can be congured to allow or deny non-IP trafc. You can also secure your switch from further virus attacks by allowing you to congure the switch with a list of potential offending string patterns. For more information, see "Deny Filter Based on Layer 7 Content Lookup" (page 400). Any lter can be optionally congured to generate system log messages for increased security visibility. Used to map the source or destination IP addresses and ports Generic Network Address Translation (NAT) can be used to map the source or destination IP addresses and the ports of private network trafc to or from advertised network IP addresses and ports.
Filtering Criteria
Up to 2048 lters can be congured on the Nortel Application Switch. Descriptive names can be used to dene lters. Each lter can be set to perform "Filtering Actions" (page 366), based on any combination of the following lter options: smac: source MAC address. dmac: destination MAC address. sip: source IP address or range (see " IP Address Ranges" (page 369)) dip: destination IP address or range (dip and dmask)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
proto: protocol number or name as shown in "Well-Known Protocol Types" (page 366).
Well-Known Protocol Types Number 1 2 6 17 89 112 Protocol Name icmp igmp tcp udp ospf vrrp
sport: TCP/UDP application or source port as shown in "Well-Known Application Ports" (page 199), or source port range (such as 31000-33000) Note: The service number specied on the switch must match the service specied on the server.
dport: TCP/UDP application or destination port as shown in "Well-Known Application Ports" (page 199), or destination port range (such as 31000-33000) invert: reverse the lter logic in order to activate the lter whenever the specied conditions are not met. Advanced ltering options such as TCP ags ("Matching TCP Flags" (page 394)) or ICMP message types ("Matching ICMP Message Types" (page 399)) are also available.
Using these lter criteria, you could create a single lter that blocks external Telnet trafc to your main server except from a trusted IP address. Another lter could warn you if FTP access is attempted from a specic IP address. Another lter could redirect all incoming e-mail trafc to a server where it can be analyzed for spam. The options are nearly endless.
Filtering Actions
A ltering action (/cfg/slb/filt/action) instructs the lter what to do once the ltering criteria are matched. allowAllow the frame to pass (by default). denyDiscard frames that t this lters prole. This can be used for building basic security proles.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
367
redirRedirect frames that t this lters prole, such as for web cache redirection. In addition, Layer 4 processing must be activated using the /cfg/slb/on command). natPerform generic Network Address Translation (NAT). This can be used to map the source or destination IP address and port information of a private network scheme to/from the advertised network IP address and ports. This is used in conjunction with the nat option (mentioned in this table) and can also be combined with proxies. gotoAllows the user to specify a target lter ID that the lter search should jump to when a match occurs. The "goto" action causes lter processing to jump to a designated lter, effectively skipping over a block of lter IDs. Filter searching then continues from the designated lter ID. To specify the new lter to goto, use the /cfg/slb/filt/adv/goto command.
Stacking Filters
Stacking lters are assigned and enabled on a per-port basis. Each lter can be used by itself or in combination with any other lter on any given switch port. The lters are numbered 1 through 2048 on Nortel Application Switches. When multiple lters are stacked together on a port, the lters number determines its order of precedence: the lter with the lowest number is checked rst. When trafc is encountered at the switch port, if the lter matches, its congured action takes place and the rest of the lters are ignored. If the lter criteria do not match, the next lter is tried. As long as the lters do not overlap, you can improve lter performance by making sure that the most heavily utilized lters are applied rst. For example, consider a lter system where the Internet is divided according to destination IP address:
Assigning Filters According to Range of Coverage
Assuming that trafc is distributed evenly across the Internet, the largest area would be the most utilized and is assigned to Filter 1. The smallest area is assigned to Filter 4.
Overlapping Filters
Filters are permitted to overlap, although special care should be taken to ensure the proper order of precedence. When overlapping lters are present, the more specic lters (those that target fewer addresses or ports) should be applied before the generalized lters.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Example:
Assigning Filters to Overlapping Ranges
In this example, Filter 2 must be processed prior to Filter 3. If Filter 3 was permitted to take precedence, Filter 2 could never be triggered.
In this example, the default lter is dened as Filter 2048 in order to give it the lowest order of precedence. All matching criteria in Filter 2048 are set to the any state. If no other lter acts on the trafc, Filter 2048 processes it, denying and logging unwanted trafc.
(Select the default filter) >> # /cfg/slb/filt 2048 >> Filter 2048# sip any >> Filter 2048# dip any >> Filter 2048# proto any >> Filter 2048# action deny >> Filter 2048# name deny unwanted traffic >> Filter 2048# ena >> Filter 2048# adv >> Filter 2048 Advanced# log enable (From any source IP addresses) (To any destination IP addresses) (For any protocols) (Deny matching traffic) (Provide a descriptive name for the filter) (Enable the default filter) (Select the advanced menu) (Log matching traffic to syslog)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
369
Default lters are recommended (but not required) when conguring lters for IP trafc control and redirection. Using default lters can increase session performance but takes some of the session binding resources. If you experience an unacceptable number of binding failures, as shown in the Server Load Balancing Maintenance Statistics (/stats/slb/maint), you may wish to remove some of the default lters.
IP Address Ranges
You can specify a range of IP addresses for ltering both the source and/or destination IP address for trafc. When a range of IP addresses is needed, the source IP (sip) address or destination IP (dip) address denes the base IP address in the desired range. The source mask (smask) or destination mask (dmask) is the mask that is applied to produce the range. For example, to determine if a client requests destination IP address should be redirected to the cache servers attached to a particular switch, the destination IP address is masked (bit-wise AND) with the dmask and then compared to the destination IP address. As another example, the switch could be congured with two lters so that each would handle trafc ltering for one half of the Internet. To do this, you could dene the following parameters:
Filtering IP Address Ranges Filter 1 2 Internet Address Range 0.0.0.0 - 127.255.255.255 128.0.0.0 - 255.255.255.255 dip 0.0.0.0 128.0.0.0 dmask 128.0.0.0 128.0.0.0
Filter Logs
To provide enhanced troubleshooting and session inspection capability, packet source and destination IP addresses are included in lter log messages. Filter log messages are generated when a Layer 3/Layer 4
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
lter is triggered and has logging enabled. The messages are output to the console port, system host log (syslog), and the Web-based interface message window. Example: A network administrator has noticed a signicant number of ICMP frames on one portion of the network and wants to determine the specic sources of the ICMP messages. The administrator uses the Command Line Interface (CLI) to create and apply the following lter:
(Select filter 15) >> # /cfg/slb/filt 15 >> Filter 15# sip any >> Filter 15# dip any >> Filter 15# action allow >> Filter 15# name allow matching traffic >> Filter 15# proto icmp >> Filter 15# ena >> Filter 15# adv/log enable >> Filter 15 Advanced# /cfg/slb/po rt 7 >> SLB port 7# add 15 >> SLB port 7# filt ena >> SLB port 7# apply >> SLB port 7# save (From any source IP address) (To any destination IP address) (Allows matching traffic to pass) (Provide a descriptive name for the filter) (For the ICMP protocol) (Enable the filter) (Log matching traffic to syslog) (Select a switch port to filter) (Add the filter to the switch port) (Enable filtering on the switch port) (Apply the configuration changes) (Save the configuration changes)
When applied to one or more switch ports, this simple lter rule produces log messages that show when the lter is triggered, and what the IP source and destination addresses were for the ICMP frames traversing those ports. Example: Filter log message output is shown below, displaying the lter number, port, source IP address, and destination IP address:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
371
>> # /cfg/slb/filt <filter number> /adv >> Filter 1 Advanced # cache ena|dis
Note: Cache-enabled lters should not be applied to the same ports as cache-disabled lters. Otherwise, the cache-disabled lters could potentially be bypassed for frames matching the cache-enabled criteria.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Filter <#> Advanced# apply >> Filter <#> Advanced# save
NON-cached filter 1
End
>> # /cfg/slb/filt 23 Filter 23# smac any >> Filter 23# dmac 00:60:cf:40:56: 00 >> Filter 23# action deny >> Filter 23# ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
373
VLAN-based Filtering
Filters are applied per switch, per port, or per VLAN. VLAN-based ltering allows a single application switch to provide differentiated services for multiple customers, groups, or departments. For example, you can dene separate lters for Customers A and B on the same application switch on two different VLANs. If VLANs are assigned based on data trafc, for example, ingress trafc on VLAN 1, egress trafc on VLAN 2, and management trafc on VLAN 3, lters can be applied accordingly to the different VLANs. In the following example shown in "VLAN-based Filtering" (page 373), Filter 2 is congured to allow local clients on VLAN 20 to browse the Web, and Filter 3 is congured to allow local clients on VLAN 30 to Telnet anywhere outside the local intranet. Filter 2048 is congured to deny ingress trafc from VLAN 70.
VLAN-based Filtering
Note: While the following example is based on IP trafc, VLAN-based ltering can also be used for non-IP trafc by specifying smac and dmac criteria instead of sip and dip.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The lter must recognize and allow TCP trafc from VLAN 20 to reach the local client destination IP addresses if originating from any HTTP source port:
(Select the menu for Filter 2) (From any source IP address) (To base local network dest. address) (For entire subnet range) (For TCP protocol traffic) (From any source HTTP port) (To any destination port) (Allow matching traffic to pass) (Assign VLAN 20 to Filter 2) (Enable the filter)
>> # /cfg/slb/filt 2 >> Filter 2# sip any >> Filter 2# dip 205.177.15.0 >> Filter 2# dmask 255.255.255 .0 >> Filter 2# proto tcp >> Filter 2# sport http >> Filter 2# dport any >> Filter 2# action allow >> Filter 2# vlan 20 >> Filter 2# ena
All clients from other VLANs are ignored. 2 Congure lter 3 to allow local clients to Telnet anywhere outside the local intranet and then assign VLAN 30 to the lter. The lter must recognize and allow TCP trafc to reach the local client destination IP addresses if originating from a Telnet source port:
(Select the menu for Filter 3) (From any source IP address) (To base local network dest. address) (For entire subnet range) (For TCP protocol traffic) (From a Telnet port) (To any destination port)
>> # /cfg/slb/filt 3 >> Filter 3# sip any >> Filter 3# dip 205.177.15.0 >> Filter 3# dmask 255.255.255 .0 >> Filter 3# proto tcp >> Filter 3# sport telnet >> Filter 3# dport any
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
375
>> Filter 3# action allow >> Filter 3# name allow clients to telnet >> Filter 3# vlan 30 >> Filter 3# ena
(Allow matching traffic to pass) (Provide a descriptive name for the filter) (Assign VLAN 30 to Filter 3) (Enable the filter)
Congure Filter 2048 to deny trafc and then assign VLAN 70 to the lter. As a result, ingress trafc from VLAN 70 is denied entry to the switch.
(Select the menu for Filter 2048) (From any source IP address) (To base local network dest. address) (For entire subnet range) (For TCP protocol traffic) (From a Telnet port) (To any destination port) (Allow matching traffic to pass) (Assign VLAN 70 to Filter 2048) (Enable the filter)
>> # /cfg/slb/filt 2048 >> Filter 2048# sip any >> Filter 2048# dip 205.177.15 .0 >> Filter 2048# dmask 255.255.255.0 >> Filter 2048# proto tcp >> Filter 2048# sport http >> Filter 2048# dport any >> Filter 2048# action deny >> Filter 2048# vlan 70 >> Filter 2048# ena
Assign VLAN-based lters to an SLB port. Before the lters can be used, they must be assigned to an SLB port.
>> # /cfg/slb/port 10 >> SLB Port 10# add 2 >> SLB Port 10# add 3 >> SLB Port 10# add 2048 (Select the menu for the port in use) (Add Filter 2 to SLB Port 10) (Add Filter 3 to SLB Port 10) (Add Filter 2048 to SLB Port 10)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
802.1p Priorities
The IEEE 802.1p standard uses eight levels of priority, 0-7, with priority 7 being assigned to highest priority network trafc such as OSPF or RIP routing table updates, priorities 5-6 being for delay-sensitive applications such as voice and video, and lower priorities for standard applications. A value of zero indicates a "best effort" trafc prioritization, and this is the default when trafc priority has not been congured on your network. The Nortel Application Switch can only lter packets based on the 802.1p values already present in the packets. It does not assign or overwrite the 802.1p values in the packet.
Go to the ltering advanced menu and select the 802.1p priority value.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
377
>> # /cfg/slb/filt <x> >> 802.1p Advanced# adv/8021p/ >> 802.1p Advanced# match ena >> # 802.1p Advanced# value 1 (Select the 802.1p Advanced Menu) (Enable matching of 802.1p value) (Set the 802.1p priority value to match)
Apply a BWM Contract to the Prioritized Filter. You can apply an 802.1p-prioritized lter to a Bandwidth Management contract to establish the rule for how the trafc that matches the dened 802.1p priority value.
(Apply BWM contract 1 to this filter)
For more information on conguring a Bandwidth Management contract, see "Contracts" (page 770). End
(Specify the redir action) (Specify the protocol) (Specify the group of real servers) (Specify the redirection port) (Specify the VLAN)
(Select the advanced filter menu) (Select source IP address for hashing)
Hashing on the 24-bit source IP address ensures that client requests access the same cache. 2 Set the metric for the real server group to minmisses or hash . The source IP address is passed to the real server group for either of the two metrics.
(Select the group of real servers) (Set the metric to minmiss or hash)
Note: If rewall load balancing is enabled on the switch, the rewall load balancing lter which hashes on source and destination IP addresses will override the tunable hash lter. End
Filter-based Security
This section provides an example of conguring lters for providing the best security. It is recommended that you congure lters to deny all trafc except for those services that you specically wish to allow. Consider the following sample network:
Security Topology Example
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
379
In this example, the network is made of local clients on a collector switch, a Web server, a mail server, a domain name server, and a connection to the Internet. All the local devices are on the same subnet. In this example, the administrator wishes to install basic security lters to allow only the following trafc: External HTTP access to the local Web server External SMTP (mail) access to the local mail server Local clients browsing the World Wide Web Local clients using Telnet to access sites outside the intranet DNS trafc
All other trafc is denied and logged by the default lter. Note: Since IP address and port information can be manipulated by external sources, ltering does not replace the necessity for a well-constructed network rewall.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
At the Application Switch, create a default lter to deny and log unwanted trafc. The default lter is dened as Filter 2048 in order to give it the lowest order of precedence:
(Select the default filter) >> # /cfg/slb/filt 2048 >> Filter 2048# sip any >> Filter 2048# dip any >> Filter 2048# proto any >> Filter 2048# action deny >> Filter 2048# name deny unwanted traffic >> Filter 2048# ena >> Filter 2048# adv/log enable (From any source IP addresses) (To any destination IP addresses) (For any protocols) (Deny matching traffic) (Provide a descriptive name for the filter) (Enable the default filter) (Log matching traffic to syslog)
Note: Because the proto parameter is not tcp or udp, the source port ( sport) and destination port ( dport) values are ignored and may be excluded from the lter conguration. 3 Create a lter that will allow external HTTP requests to reach the Web server. The lter must recognize and allow TCP trafc with the Web servers destination IP address and HTTP destination port:
(Select the menu for filter 1) >> Filter 2048# /cfg/slb/filt 1 >> Filter 1# sip any >> Filter 1# dip 205.177.15.2 >> Filter 1# dmask 255.255.255 .255 >> Filter 1# proto tcp >> Filter 1# sport any >> Filter 1# dport http (From any source IP address) (To Web server dest. IP address) (Set mask for exact dest. address) (For TCP protocol traffic) (From any source port) (To an HTTP destination port)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
381
>> Filter 1# action allow >> Filter 1# name allow matching traffic >> Filter 1# ena
(Allow matching traffic to pass) (Provide a descriptive name for the filter) (Enable the filter)
Create a pair of lters to allow incoming and outgoing mail to and from the mail server. Filter 2 allows incoming mail to reach the mail server, and Filter 3 allows outgoing mail to reach the Internet:
(Select the menu for filter 2) >> Filter 1# /cfg/slb/filt 2 >> Filter 2# sip any >> Filter 2# dip 205.177.15.3 >> Filter 2# dmask 255.255.255 .255 >> Filter 2# proto tcp >> Filter 2# sport any >> Filter 2# dport smtp >> Filter 2# action allow >> Filter 2# ena >> Filter 2# /cfg/slb/filt 3 >> Filter 3# sip 205.177.15.3 >> Filter 3# smask 255.255.255 .255 >> Filter 3# dip any >> Filter 3# proto tcp >> Filter 3# sport smtp >> Filter 3# dport any >> Filter 3# action allow >> Filter 3# ena (From any source IP address) (To mail server dest. IP address) (Set mask for exact dest. address) (For TCP protocol traffic) (From any source port) (To a SMTP destination port) (Allow matching traffic to pass) (Enable the filter) (Select the menu for filter 3) (From mail server source IP address) (Set mask for exact source address) (To any destination IP address) (For TCP protocol traffic) (From a SMTP port) (To any destination port) (Allow matching traffic to pass) (Enable the filter)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Create a lter that will allow local clients to browse the Web. The lter must recognize and allow TCP trafc to reach the local client destination IP addresses if trafc originates from any HTTP source port:
>> Filter 3# /cfg/slb/filt 4 >> Filter 4# sip any >> Filter 4# dip 205.177.15.0 >> Filter 4# dmask 255.255.255 .0 >> Filter 4# proto tcp >> Filter 4# sport http >> Filter 4# dport any >> Filter 4# action allow >> Filter 4# name allow clients Web browse >> Filter 4# ena (Select the menu for Filter 4) (From any source IP address) (To base local network dest. address) (For entire subnet range) (For TCP protocol traffic) (From any source HTTP port) (To any destination port) (Allow matching traffic to pass) (Provide a descriptive name for the filter) (Enable the filter)
Create a lter that will allow local clients to Telnet anywhere outside the local intranet. The lter must recognize and allow TCP trafc to reach the local client destination IP addresses if originating from a Telnet source port:
(Select the menu for Filter 5) (From any source IP address) (To base local network dest. address) (For entire subnet range) (For TCP protocol traffic) (From a Telnet port) (To any destination port)
>> Filter 4# /cfg/slb/filt 5 >> Filter 5# sip any >> Filter 5# dip 205.177.15.0 >> Filter 5# dmask 255.255.255 .0 >> Filter 5# proto tcp >> Filter 5# sport telnet >> Filter 5# dport any
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
383
Create a series of lters to allow Domain Name System (DNS) trafc. DNS trafc requires four lters; one pair is needed for UDP trafc (incoming and outgoing) and another pair for TCP trafc (incoming and outgoing). For UDP:
(Select the menu for Filter 6) (From any source IP address) (To local DNS Server) (Set mask for exact dest. address) (For UDP protocol traffic) (From any source port) (To any DNS destination port) (Allow matching traffic to pass) (Enable the filter) (Select the menu for Filter 7) (From local DNS Server) (Set mask for exact source address) (To any destination IP address) (For UDP protocol traffic) (From a DNS source port) (To any destination port) (Allow matching traffic to pass) (Enable the filter)
>> Filter 5# /cfg/slb/filt 6 >> Filter 6# sip any >> Filter 6# dip 205.177.15.4 >> Filter 6# dmask 255.255.255 .255 >> Filter 6# proto udp >> Filter 6# sport any >> Filter 6# dport domain >> Filter 6# action allow >> Filter 6# ena >> Filter 6# /cfg/slb/filt 7 >> Filter 7# sip 205.177.15.4 >> Filter 7# smask 255.255.255 .255 >> Filter 7# dip any >> Filter 7# proto udp >> Filter 7# sport domain >> Filter 7# dport any >> Filter 7# action allow >> Filter 7# ena
>> Filter 7# /cfg/slb/filt 8 >> Filter 8# sip any >> Filter 8# dip 205.177.15.4 >> Filter 8# dmask 255.255.255 .255 >> Filter 8# proto tcp >> Filter 8# sport any >> Filter 8# dport domain >> Filter 8# action allow >> Filter 8# ena >> Filter 8# /cfg/slb/filt 9 >> Filter 9# sip 205.177.15.4 >> Filter 9# smask 255.255.255 .255 >> Filter 9# dip any >> Filter 9# proto tcp >> Filter 9# sport domain >> Filter 9# dport any >> Filter 9# action allow >> Filter 9# ena
(Select the menu for Filter 8) (From any source IP address) (To local DNS Server) (Set mask for exact dest. address) (For TCP protocol traffic) (From any source port) (To any DNS destination port) (Allow matching traffic to pass) (Enable the filter) (Select the menu for Filter 9) (From local DNS Server) (Set mask for exact source address) (To any destination IP address) (For TCP protocol traffic) (From a DNS source port) (To any destination port) (Allow matching traffic to pass) (Enable the filter)
Assign the lters to the switch port that connects to the Internet.
(Select the SLB port 5 to the Internet) (Add filters 1-9 to port 5) (Add the default filter to port 5) (Enable filtering for port 5)
>> Filter 9# /cfg/slb/port 5 >> SLB Port 5# add 1-9 >> SLB Port 5# add 2048 >> SLB Port 5# filt enable
Nortel Application Switch Operating System allows you to add and remove a contiguous block of lters with a single command.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
385
Examine the resulting information. If any settings are incorrect, make appropriate changes. 10 Save your new conguration changes.
(Save for restore after reboot)
11
Check that all SLB parameters are working according to expectation. If necessary, make any appropriate conguration changes and then check the information again. Note: Changes to lters on a given port do not take effect until the ports session information is updated (every two minutes or so). To make lter changes take effect immediately, clear the session binding table for the port (see the /oper/slb/clear command in the Nortel Application Switch Operating System Command Reference). End
In the following NAT examples, a company has congured its internal network with private IP addresses. A private network is one that is isolated from the global Internet and is, therefore, free from the usual restrictions requiring the use of registered, globally unique IP addresses. With NAT, private networks are not required to remain isolated. NAT capabilities within the switch allow internal, private network IP addresses to be translated to valid, publicly advertised IP addresses and back again. NAT can be congured in one of the following two ways: Static NAT provides a method for direct mapping of one predened IP address (such as a publicly available IP address) to another (such as a private IP address) Dynamic NAT provides a method for mapping multiple IP addresses (such as a group of internal clients) to a single IP address (to conserve publicly advertised IP addresses)
Static NAT
The static NAT (non-proxy) example requires two lters: one for the external client-side switch port, and one for the internal, server-side switch port. The client-side lter translates incoming requests for the publicly advertised server IP address to the servers internal private network address. The lter for the server-side switch port reverses the process, translating the servers private address information to a valid public address. In this example, clients on the Internet require access to servers on the private network:
Static Network Address Translation
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
387
>> Filter 10# nat source >> Filter 10# sip 10.10.10.0 >> Filter 10# smask 255.255.255.0 >> Filter 10# dip 205.178.13.0 >> Filter 10# dmask 255.255.255.0 >> Filter 10# ena >> Filter 10# adv/proxy disable >> Filter 10 Advanced# /cfg/slb/f ilt 11 >> Filter 11# action nat >> Filter 11# nat dest >> Filter 11# sip 10.10.10.0 >> Filter 11# smask 255.255.255.0 >> Filter 11# dip 205.178.13.0 >> Filter 11# dmask 255.255.255.0 >> Filter 11# ena >> Filter 11# adv/proxy disable >> Filter 11 Advanced# /cfg/slb/po rt 1 >> SLB port 1# add 10 >> SLB port 1# filt enable >> SLB port 1# /cfg/slb/port 2 >> SLB port 2# add 11 >> SLB port 2# filt enable >> SLB port 2# apply >> SLB port 2# save
(Translate source information) (From the clients private IP address) (For the entire private subnet range) (To the public network address) (For the same subnet range) (Enable the filter) (Override any proxy IP settings) (Select the menu for inbound filter) (Use the same settings as outbound) (Reverse the translation direction) (Use the same settings as outbound) (Use the same settings as outbound) (Use the same settings as outbound) (Use the same settings as outbound) (Enable the filter) (Override any proxy IP settings) (Select server-side port) (Add the outbound filter) (Enable filtering on port 1) (Select the client-side port) (Add the inbound filter) (Enable filtering on port 2) (Apply configuration changes) (Save configuration changes)
Note the following important points about this conguration: Within each lter, the smask and dmask values are identical.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
All parameters for both lters are identical except for the NAT direction. For Filter 10, nat source is used. For Filter 11, nat dest is used. Filters for static (non-proxy) NAT should take precedence over dynamic NAT lters (following example). Static lters should be given lower lter numbers.
Dynamic NAT
Dynamic NAT is a many-to-one solution: multiple clients on the private subnet take advantage of a single external IP address, thus conserving valid IP addresses. In this example, clients on the internal private network require TCP/UDP access to the Internet:
Dynamic Network Address Translation
You may directly connect the clients to the application switch if the total number of clients is less than or equal to the switch ports. Note: Dynamic NAT can also be used to support ICMP trafc for PING. This example requires a NAT lter to be congured on the switch port that is connected to the internal clients. When the NAT lter is triggered by outbound client trafc, the internal private IP address information on the outbound packets is translated to a valid, publicly advertised IP address on the switch. In addition, the public IP address must be congured as a proxy IP address on the switch port that is connected to the internal clients. The proxy performs the reverse translation, restoring the private network addresses on inbound packets.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
389
>> Filter 14# dmask 255.255.255.0 >> Filter 14# sip any >> Filter 14# action nat >> Filter 14# nat source >> Filter 14# ena >> Filter 14# adv/proxy enable
(For the entire private subnet range) (From any source IP address) (Perform NAT on matching traffic) (Translate source information) (Enable the filter) (Enable client proxy on this filter)
>> Filter 14 Advanced# proxyip 205.178.17.12 (Set the filters proxy IP address) >> Filter 14 Advanced# /cfg/slb/po rt 1 >> SLB port 1# add 14 >> SLB port 1# filt enable >> SLB port 1# proxy ena >> SLB port 1# apply >> SLB port 1# save (Select SLB port 1) (Add the filter 14 to port 1) (Enable filtering on port 1) (Enable proxies on this port) (Apply configuration changes) (Save configuration changes)
For more information on proxy IP address, see "Proxy IP Addresses" (page 228). Note 1: The invert option in this example lter makes this specic conguration easier, but is not a requirement for dynamic NAT. Note 2: Filters for dynamic NAT should be given a higher numbers than any static NAT lters (see "Static NAT" (page 386)).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The switch can monitor the control channel and replace the client s private IP address with a proxy IP address dened on the switch. When a client in active FTP mode sends a port command to a remote FTP server, the switch will look into the data part of the frame and modify the port command as follows: The real server (client) IP address will be replaced by a public proxy IP address. The real server (client) port will be replaced with a proxy port.
You may directly connect the real servers to the application switch if the total number of servers is less than or equal to the switch ports.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
391
>> Filter 14# action nat >> Filter 14# nat source >> Filter 14# ena >> Filter 14# adv/proxy enable
(Perform NAT on matching traffic) (Translate source information) (Enable the filter) (Allow proxy IP translation)
>> Filter 14 Advanced# proxyip 205.178.17.12 (Set the filters proxy IP address) >> Proxy IP Address# /cfg/slb/p ort 1 >> SLB port 1# add 14 >> SLB port 1# filt enable >> SLB port 1# proxy ena >> SLB port 1# apply >> SLB port 1# save (Select SLB port 1) (Add the filter to port 1) (Enable filtering on port 1) (Enable proxies on this port) (Apply configuration changes) (Save configuration changes)
For more information on proxy IP address, see "Proxy IP Addresses" (page 228). 3 Enable active FTP NAT using the following command:
>> # /cfg/slb/filt <filter number> /adv/layer7/ftpa ena
Overlapping NAT
The Nortel Application Switch Operating System supports the presence of overlapping or duplicate source IP addresses on different VLANs in a source NAT lter. This is accomplished by extending the session table lookup algorithm to include the session VLAN. In instances where an overlapping source IP address is present for different VLANs, the switch will create different sessions. For the source NAT, the switch substitutes the source IP address with the congured proxy IP address. A proxy IP address for the VLAN must be congured for this to function properly.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
In instances where an overlapping NAT is present the switch will not use the routing table to route the packet back to the sender, due to the overlapping source address, in Layer 3 mode. Instead, the switch will use the VLAN gateway to forward the packet back to the sender. VLAN gateway conguration is necessary to make this feature function properly. Layer 2 mode is supported however.
Congure source NAT lter Select the appropriate lter for usage. In this example, lter 2 is used.
>> Main# /cfg/slb/filt 2/action na
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
393
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: When MCS proxy authentication is enabled, the MCS PC client will create message digests using the clients private address. These digests are sent back to the MCS server for authentication during the invite stage. Call setup will fail with MCS proxy authentication enabled as the switch does not regenerate these message digests with the public address. End
Any lter may be set to match against more than one TCP ag at the same time. If there is more than one ag enabled, the ags are applied with a logical AND operator. For example, by setting the switch to lter SYN and ACK, the switch lters all SYN-ACK frames. Note: TCP ag lters must be cache-disabled. Exercise caution when applying cache-enabled and cache-disabled lters to the same switch port. For more information, see "Cached versus Non-cached Filters" (page 371).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
395
In this network, the Web servers inside the LAN must be able to transfer mail to any SMTP-based mail server out on the Internet. At the same time, you want to prevent access to the LAN from the Internet, except for HTTP. SMTP trafc uses well-known TCP Port 25. The Web servers will originate TCP sessions to the SMTP server using TCP destination Port 25, and the SMTP server will acknowledge each TCP session and data transfer using TCP source Port 25. Creating a lter with the ACK ag closes one potential security hole. Without the lter, the switch would permit a TCP SYN connection request to reach any listening TCP destination port on the Web servers inside the LAN, as long as it originated from TCP source Port 25. The server would listen to the TCP SYN, allocate buffer space for the connection, and reply to the connect request. In some SYN attack scenarios, this could cause the servers buffer space to ll, crashing the server or at least making it unavailable. A lter with the ACK ag enabled prevents external devices from beginning a TCP connection (with a TCP SYN) from TCP source Port 25. The switch drops any frames that have the ACK ag turned off. The following lters are required: Step 1 Action An allow lter for TCP trafc from LAN that allows the Web servers to pass SMTP requests to the Internet.
>> # /cfg/slb/filt 10 >> Filter 10# sip 203.122.186.0 >> Filter 10# smask 255.255.25 5.0 >> Filter 10# sport any >> Filter 10# proto tcp >> Filter 10# dip any (Select a filter for trusted SMTP requests) (From the Web servers source IP address) (For the entire subnet range) (From any source port) (For TCP traffic) (To any destination IP address)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Filter 10# dport smtp >> Filter 10# action allow >> Filter 10# ena
(To well-known destination SMTP port) (Allow matching traffic to pass) (Enable the filter)
A lter that allows SMTP trafc from the Internet to pass through the switch only if the destination is one of the Web servers, and the frame is an acknowledgment (SYN-ACK) of a TCP session.
>> Filter 10# /cfg/slb/filt 15 >> Filter 15# sip any >> Filter 15# sport smtp >> Filter 15# proto tcp >> Filter 15# dip 203.122.186.0 >> Filter 15# dmask 255.255.25 5.0 >> Filter 15# dport any >> Filter 15# action allow >> Filter 15# ena >> Filter 15# adv/tcp >> Filter 15 Advanced# ack ena >> Filter 15 Advanced# syn ena (Select a filter for Internet SMTP ACKs) (From any source IP address) (From well-known source SMTP port) (For TCP traffic) (To the Web servers IP address) (To the entire subnet range) (To any destination port) (Allow matching traffic to pass) (Enable the filter) (Select the advanced TCP menu) (Match acknowledgments only) (Match acknowledgments only)
A lter that allows SMTP trafc from the Internet to pass through the switch only if the destination is one of the Web servers, and the frame is an acknowledgment (ACK-PSH) of a TCP session.
>> Filter 15# /cfg/slb/filt 16 >> Filter 16# sip any >> Filter 16# sport smtp (Select a filter for Internet SMTP ACKs) (From any source IP address) (From well-known source SMTP port)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
397
>> Filter 16# proto tcp >> Filter 16# dip 203.122.186.0 >> Filter 16# dmask 255.255.25 5.0 >> Filter 16# dport any >> Filter 16# action allow >> Filter 16# ena >> Filter 16# adv/tcp >> Filter 16 Advanced# ack ena >> Filter 16 Advanced# psh ena
(For TCP traffic) (To the Web servers IP address) (To the entire subnet range) (To any destination port) (Allow matching traffic to pass) (Enable the filter) (Select the advanced TCP menu) (Match acknowledgments only) (Match acknowledgments only)
A lter that allows trusted HTTP trafc from the Internet to pass through the switch to the Web servers.
>> Filter 16 Advanced# /cfg/slb/filt 17 >> Filter 17# sip any >> Filter 17# sport http >> Filter 17# proto tcp >> Filter 17# dip 203.122.186.0 >> Filter 17# dmask 255.255.25 5.0 >> Filter 17# dport http >> Filter 17# action allow >> Filter 17# ena (Select a filter for incoming HTTP traffic) (From any source IP address) (From well-known source HTTP port) (For TCP traffic) (To the Web servers IP address) (To the entire subnet range) (To well-known destination HTTP port) (Allow matching traffic to pass) (Enable the filter)
A lter that allows HTTP responses from the Web servers to pass through the switch to the Internet.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Filter 17# /cfg/slb/filt 18 >> Filter 18# sip 203.122.186.0 >> Filter 18# smask 255.255.25 5.0 >> Filter 18# sport http >> Filter 18# proto tcp >> Filter 18# dip any >> Filter 18# dport http >> Filter 18# action allow >> Filter 18# ena
(Select a filter for outgoing HTTP traffic) (From the Web servers source IP address) (From the entire subnet range) (From well-known source HTTP port) (For TCP traffic) (To any destination IP address) (To well-known destination HTTP port) (Allow matching traffic to pass) (Enable the filter)
>> Filter 2048# name deny matching traffic (Provide a descriptive name for the filter) >> Filter 2048# ena (Enable the filter)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
399
>> SLB port 1# add 2048 >> SLB port 1# filt ena >> SLB port 1# /cfg/slb/port 2 >> SLB port 2# add 10 >> SLB port 2# add 18 >> SLB port 2# add 2048 >> SLB port 2# filt ena >> SLB port 2# /cfg/slb/port 3 >> SLB port 3# add 10 >> SLB port 3# add 18 >> SLB port 3# add 2048 >> SLB port 3# filt ena >> SLB port 3# apply >> SLB port 3# save
(Add the default filter to the port) (Enable filtering on the port) (Select the first Web server port) (Add the outgoing SMTP filter to the port) (Add the outgoing HTTP filter to the port) (Add the default filter to the port) (Enable filtering on the port) (Select the other Web server port) (Add the outgoing SMTP filter to the port) (Add the outgoing HTTP filter to the port) (Add the default filter to the port) (Enable filtering on the port) (Apply the configuration changes) (Save the configuration changes)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
400 Part 3: Application Switching Fundamentals ICMP Message Types Type # 0 3 4 5 8 9 10 11 12 13 14 15 16 17 18 Message Type echorep destun quench redir echoreq rtradv rtrsol timex param timereq timerep inforeq inforep maskreq maskrep Description ICMP echo reply ICMP destination unreachable ICMP source quench ICMP redirect ICMP echo request ICMP router advertisement ICMP router solicitation ICMP time exceeded ICMP parameter problem ICMP timestamp request ICMP timestamp reply ICMP information request ICMP information reply ICMP address mask request ICMP address mask reply
The command to enable or disable ICMP message type ltering is entered from the Advanced Filtering menu as follows:
>> # /cfg/slb/filt <filter number> /adv >> Filter 1 Advanced# icmp <message type|number|any|list>
For any given lter, only one ICMP message type can be set at any one time. The any option disables ICMP message type ltering. The list option displays a list of the available ICMP message types that can be entered. Note: ICMP message type lters must be cache-disabled. Exercise caution when applying cache-enabled and cache-disabled lters to the same switch port. For more information, see "Cached versus Non-cached Filters" (page 371).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
401
the incoming client request for the matching string pattern. If the matching virus pattern is found, then the packet is dropped and a reset frame is sent to the offending client. SYSLOG messages and SNMP traps are generated warning operators of a possible attack. A layer string 7 deny lter works just like a basic deny lter, except that the deny action is delayed until the string content is examined to see if the packet should be denied. "Conguring a Deny Filter with Layer 7 Lookup for HTTP URL, HTTP Header, or UDP Strings" (page 401) shows an incoming client requests with offending content. The application switch is congured with a deny lter combined with the Layer 7 lookup feature. The lter blocks the incoming packet with the offending string or pattern, and prevents it from entering the network.
Conguring a Deny Filter with Layer 7 Lookup for HTTP URL, HTTP Header, or UDP Strings
For information on how to congure your network for the above tasks, see "Server Load Balancing" (page 188)."
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Dene the virus string patterns or offending HTTP URL request to be blocked.
>> # /cfg/slb/layer7/slb/addstr ida >> Server Loadbalance Resource# add %c1%9c >> Server Loadbalance Resource# add %c0%af (Define the code red virus string) (Define the code blue virus string) (Define the code blue virus string)
>> Server Loadbalance Resource# add playdog.com (Define offending URL request)
Number of entries: 4
ID 1 2 3 4 SLB String ida %c1%9c %c0%af playdog.com
Enable Layer 7 lookup. This feature, when combined with the lter deny action, will match and deny any trafc containing the strings you just added in step 4 .
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
403
End
Congure a lter as described in "Denying HTTP URL Requests" (page 401). Step 1 Action Dene the HTTP header strings to be blocked.
>> /cfg/slb/layer7/slb/ (Select the Serverloadbalance Resource menu)
>> Server Loadbalance Resource# add Enter type of string [l7lkup|pattern]: Configure HTTP header string? [y/n] y l7lkup
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
(Define HTTP header name Host) Enter HTTP header name: Host Enter SLB header value string: www.playdog.com (Define offending header content) Configure URL string? Enter URL string: [y/n] y www.playdog.com
>> Server Loadbalance Resource# add Enter type of string [l7lkup|pattern]: Configure HTTP header string? Enter HTTP header name: SoapAction=* Enter SLB header value string: Configure URL string? [y/n] n [y/n] y l7lkup
Assign the HTTP host header string IDs from step 1 to the lter.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
405
>> /cfg/slb/filt 1/adv/layer7 >> Layer 7 Advanced# addstr 6 >> Layer 7 Advanced# addstr 7
(Select the Filt. 1 L7 Advanced menu) (Add the HTTP header host string) (Add the HTTP header SoapAction string)
Enable Layer 7 lookup. This feature, when combined with the lter deny action, will match and deny any trafc containing the strings you just added in step 3.
/cfg/slb/filt 1/adv/layer7/l7l kup ena (Enable the Layer 7 lookup feature)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
to. If the received packet is a multicast packet, the destination MAC address is not substituted. Then the redirected multicast packet is sent to the port that the server connected to.
IPv6 Filtering
IPv6 support in Nortel Application Switch Operating System includes support for ALLOW and DENY lters only; IPv6 ltering does not support REDIR, NAT, or GOTO lters. IPv6 ltering operates in a similar fashion to IPv4 ltering with the exception that IPv6 ltering is only supported in bridging mode. Routed packets will be passed through without being ltered. Connectivity is maintained in IPv6 through the regular exchange of Neighbors Solicitation (NSol) packets. These packets are sent to nd the link layer address of a neighbor in the link and to nd the reachability of a neighboring node. It is usually necessary to congure an additional ALLOW lter for these multicast packets so that link neighbors can be learnt. If this is not done no packets will be allowed because link neighbors cannot be learnt. Filter inversion will also have to take these NSol packets into consideration. Not all commands available for the conguration of IPv4 lters are available for the conguration of IPv6 lters. The commands outlined in "IPv6 Filter Conguration Commands" (page 406) are used to congure IPv6 lters.
IPv6 Filter Conguration Commands Command Menu /cfg/slb/filt <filter number> Supported Commands sip <IPv6 Address> dip <IPv6 Address> smask <IPv6 Prefix Length> dmask <IPv6 Prefix Length> proto <Protocol Name | Number | any> sport <Port> dport <Port> length <IP packet length (in bytes), 64-65535 | any> urg ack psh syn rst fin ackrst cur <enable | disable> <enable | disable> <enable | disable> <enable | disable> <enable | disable> <enable | disable> <enable | disable>
The following example creates two IPv6 lters for Port 1. Filter 1 will allow the exchange Neighbors Solicitation packets and Filter 2 will allow the movement of bridged HTTP trafc.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Filtering
407
Step 1
Action Globally enable Layer 4 load balancing. Layer 4 load balancing must be enabled to allow lter processing to take place.
>> Main# /cfg/slb/on
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
409
Application Redirection
Application Redirection improves network bandwidth and provides unique network solutions. Filters can be created to redirect trafc to cache and application servers improving speed of access to repeated client access to common Web or application content and free valuable network bandwidth. The following topics are addressed in this chapter: "Overview" (page 409). Application redirection helps reduce the trafc congestion during peak loads by accessing locally cached information. This section also discusses how performance is improved by balancing cached requests across multiple servers. "Cache Redirection Conguration Example" (page 411). This section provides a step-by-step procedure on how to intercept all Internet bound HTTP requests (on default TCP port 80) and redirect them to the cache servers. "RTSP Cache Redirection" (page 417). This section explains how to congure the switch to redirect data (multimedia presentations) to the cache servers, and how to balance the load among the cache servers. "IP Proxy Addresses for NAT" (page 421). This section discusses the benets of transparent proxies when used with application redirection. "Excluding Noncacheable Sites" (page 423). This section describes how to lter out applications that prevent real-time session information from being redirected to cache servers. "Content Intelligent Cache Redirection" (page 423). This section describes how to redirect cache requests based on different Layer 7 content. "HTTP Redirection" (page 444). This section describes how use lters to redirect HTTP requests to different gateways or servers. "Peer-to-Peer Cache Load Balancing" (page 461) Note: To access Application Redirection functionality, the optional Layer 4 software must be enabled on the application switch (see "Filtering and Layer 4" in the Nortel Application Switch Operating System Command Reference).
Overview
Most of the information downloaded from the Internet is not unique, as clients will often access the Web page many times for additional information or to explore other links. Duplicate information also gets requested as the components that make up Internet data at a particular Web site (pictures, buttons, frames, text, and so on) are reloaded from page to page. When you
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
consider this scenario in the context of many clients, it becomes apparent that redundant requests can consume a considerable amount of your available bandwidth to the Internet. Application redirection can help reduce the trafc congestion during peak loads. When Application redirection lters are properly congured for the Nortel Application Switch Operating System-powered switch, outbound client requests for Internet data are intercepted and redirected to a group of application or cache servers on your network. The servers duplicate and store inbound Internet data that has been requested by your clients. If the servers recognize a clients outbound request as one that can be lled with cached information, the servers supply the information rather than send the request across the Internet. In addition to increasing the efciency of your network, accessing locally cached information can be much faster than requesting the same information across the Internet.
The network needs a solution that addresses the following key concerns: The solution must be readily scalable The administrator should not need to recongure all the clients browsers to use proxy servers.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
411
If you have more clients than application switch ports, then connect the clients to a layer 2 switch. Adding an Nortel Application Switch with optional Layer 4 software addresses these issues: Cache servers can be added or removed dynamically without interrupting services. Performance is improved by balancing the cached request load across multiple servers. More servers can be added at any time to increase processing power. The proxy is transparent to the client. Frames that are not associated with HTTP requests are normally passed to the router.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
In this example, an Nortel Application Switch is placed between the clients and the border gateway to the Internet. The application switch will be congured to intercept all Internet bound HTTP requests (on default TCP port 80), and redirect them to the cache servers. The application switch will distribute HTTP requests equally to the cache servers based on the destination IP address of the requests. If the cache servers do not have the requested information, then the cache servers behave like the client and forwards the request out to the internet. Also, lters are not limited to the few protocols and TCP or UDP applications shown in this example. See "Well-Known Application Ports" (page 199) for a list of well-known applications ports and "Well-Known Protocol Types" (page 366) for a list of supported protocols. Step 1 Action Assign an IP address to each of the cache servers. Similar to server load balancing, the cache real servers are assigned an IP address and placed into a real server group. The real servers must be in the same VLAN and must have an IP route to the application switch that will perform the cache redirection. In addition, the path from the application switch to the real servers must not contain a router. The router would stop HTTP requests from reaching the cache servers and, instead, direct them back out to the Internet. More complex network topologies can be used if conguring IP proxy addresses (see "IP Proxy Addresses for NAT" (page 421)). For this example, the three cache real servers have the following IP addresses on the same IP subnet:
Cache Redirection Example: Real Server IP Addresses Cache Server Server A Server B Server C IP address 200.200.200.2 200.200.200.3 200.200.200.4
2 3
Install transparent cache software on all three cache servers. Dene an IP interface on the application switch. The application switch must have an IP interface on the same subnet as the three cache servers because, by default, the application switch only remaps destination MAC addresses. To congure an IP interface for this example, enter this command from the CLI:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
413
Note: The IP interface and the real servers must be in the same subnet. This example assumes that all ports and IP interfaces use default VLAN 1, requiring no special VLAN conguration for the ports or IP interface. 4 Dene each real server on the switch. For each cache real server, you must assign a real server number, specify its actual IP address, and enable the real server. For example:
>> # /cfg/slb/real 1 >> Real server 1# rip 200.200.200.2 >> Real server 1# ena >> Real server 1# /cfg/slb/real 2 >> Real server 2# rip 200.200.200.3 >> Real server 2# ena >> Real server 2# /cfg/slb/real 3 >> Real server 3# rip 200.200.200.4 >> Real server 3# ena (Server A is real server 1) (Assign Server A IP address) (Enable real server 1) (Server B is real server 2) (Assign Server B IP address) (Enable real server 2) (Server C is real server 3) (Assign Server C IP address) (Enable real server 3)
Dene a real server group. This places the three cache real servers into one service group:
>> Real server 3# /cfg/slb/grou p 1 >> Real server group 1# add 1 >> Real server group 1# add 2 >> Real server group 1# add 3 (Select real server group 1) (Add real server 1 to group 1) (Add real server 2 to group 1) (Add real server 3 to group 1)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Set the real server group metric to minmisses. This setting helps minimize cache misses in the event real servers fail or are taken out of service:
>> Real server group 1# metric minmisses (Metric for minimum cache misses.)
Verify that server processing is disabled on the ports supporting application redirection. Note: Do not use the "server" setting on a port with Application Redirection enabled. Server processing is used only with server load balancing. To disable server processing on the port, use the commands on the /cfg/slb/port menu, as described in the Nortel Application Switch Operating System Command Reference.
Create a lter that will intercept and redirect all client HTTP requests. The lter must be able to intercept all TCP trafc for the HTTP destination port and must redirect it to the proper port on the real server group:
>> SLB port 6# /cfg/slb/filt 2 >> Filter 2# sip any >> Filter 2# dip any >> Filter 2# proto tcp >> Filter 2# sport any >> Filter 2# dport http >> Filter 2# action redir >> Filter 2# rport http >> Filter 2# group 1 >> Filter 2# ena (Select the menu for Filter 2) (From any source IP addresses) (To any destination IP addresses) (For TCP protocol traffic) (From any source port) (To an HTTP destination port) (Set the action for redirection) (Set the redirection port) (Select real server group 1) (Enable the filter)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
415
The rport (redirection) parameter must be congured whenever TCP/UDP protocol trafc is redirected. The rport parameter denes the real server TCP or UDP port to which redirected trafc will be sent. The port dened by the rport parameter is used when performing Layer 4 health checks of TCP services. Also, if NAT and proxy addresses are used on the application switch (see Step 3 on step 3), the rport parameter must be congured for all application redirection lters. Take care to use the proper port designation with rport: if the transparent proxy operation resides on the host, the well-known port 80 (or HTTP) is probably required. If the transparent proxy occurs on the application switch, make sure to use the service port required by the specic software package. See "IP Proxy Addresses for NAT" (page 421) for more information on IP proxy addresses. 9 Create a default lter. In this case, the default lter will allow all noncached trafc to proceed normally:
>> Filter 2# /cfg/slb/filt 2048 >> Filter 2048# sip any >> Filter 2048# dip any >> Filter 2048# proto any >> Filter 2048# action allow >> Filter 2048# ena (Select the default filter) (From any source IP addresses) (To any destination IP addresses) (For any protocols) (Set the action to allow traffic) (Enable the default filter)
Note: When the proto parameter is not TCP or UDP, then sport and dport are ignored. 10 Assign the lters to the client ports. Assuming that the redirected clients are connected to physical switch ports 5 and 6, both ports are congured to use the previously created lters as follows:
>> Filter 2048# /cfg/slb/port 5 >> SLB Port 5# add 2 >> SLB Port 5# add 2048 >> SLB Port 5# filt enable (Select the client port 5) (Add filter 2 to port 5) (Add the default filter to port 5) (Enable filtering for port 5)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> SLB Port 5# /cfg/slb/port 6 >> SLB Port 6# add 2 >> SLB Port 6# add 2048 >> SLB Port 6# filt enable
(Select the client port 6) (Add filter 2 to port 6) (Add the default filter to port 6) (Enable filtering for port 6)
11
Note: SLB must be turned on in order for application redirection to work properly. The on command is valid only if the optional Layer 4 software is enabled on your application switch (see "Activating Optional Software" in the Nortel Application Switch Operating System Command Reference). 12 13 Examine the resulting information from the cur command. If any settings are incorrect, make appropriate changes. Save your new conguration changes.
>> Layer 4# save (Save for restore after reboot)
14
Check that all SLB parameters are working according to expectation. If necessary, make any appropriate conguration changes and then check the information again. Note: Changes to lters on a given port only effect new sessions. To make lter changes take effect immediately, clear the session binding table for the port (see the /oper/slb/clear command in the Nortel Application Switch Operating System Command Reference). End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
417
For more conceptual information on delayed binding, see "Delayed Binding" (page 242).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Follow this procedure to congure to load balance RTSP cache servers for the topology illustrated in "RTSP Cache Redirection" (page 418): Step 1 Action Before conguring RTSP, do the following: 2 Connect each cache server to the application switch Congure the IP addresses on all devices connected to the switch Congure the IP interfaces on the switch
At the application switch, congure RTSP cache servers and the IP addresses
>> # /cfg/slb/real 1 >> Real server 1# rip 1.1.1.1 >> Real server 1# ena >> Real server 1# /cfg/slb/real 2 >> Real server 2# rip 1.1.1.2 (Configure RTSP cache server 2) (Configure RTSP cache server 1) (Enable RTSP cache server 1)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
419
>> Real server 2# ena >> Real server 2# /cfg/slb/real 3 >> Real server 3# rip 1.1.1.3 >> Real server 3# ena >> Real server 3# /cfg/slb/real 4 >> Real server 4# rip 1.1.1.4 >> Real server 4# ena
(Enable RTSP cache server 2) (Configure RTSP cache server 3) (Enable RTSP cache server 3) (Configure RTSP cache server 4) (Enable RTSP cache server 4)
Dene the group metric for the RTSP cache servers. RTSP supports all the standard load balancing metrics.
>>Real Server Group 1# metric leastconn (Set the metric to leastconn)
Congure an RTSP redirection lter to cache data and balance the load among the cache servers.
>> # /cfg/slb/filt 1 >> Filter 1# action redir >> Filter 1# proto tcp >> Filter 1# dport rtsp (Select the menu for filter 1) (Set the action for redirection) (Enter TCP protocol) (Enter service port for RTSP)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Filter 1# rport rtsp >> Filter 1# group 1 >> Filter 1# adv >> Filter 1# Advanced# proxy disable
(Enter redirection port for RTSP) (Select RTSP cache server group 1) (Select advanced menu for filter 1) (Disable proxy)
Add and enable the redirection lter on the port to support basic cache redirection.
>> # /cfg/slb/port 25 >> SLB Port 25# add 1 >> SLB Port 25# add 2048 >> SLB Port 25# filt ena (Select the menu for port 25) (Add RTSP filter 1 to port 25) (Add default filter 2048 to port 25) (Enable filtering on port 25)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
421
The following procedure can be used for conguring proxy IP addresses: Step 1 Action Congure proxy IP addresses and enable proxy for the redirection ports. Each of the ports using redirection lters require proxy IP addresses. For more information on proxy IP addresses, see "Proxy IP Addresses" (page 228). In this example, proxy IP addresses are congured:
>> SLB port 3# /cfg/slb/pip >> Proxy IP address# type port >> Proxy IP Address# add 200.200.200.68 >> Proxy IP Address# add 200.200.200.69 >> Proxy IP Address# add 200.200.200.70 >> Proxy IP Address# add 200.200.200.71 >> Proxy IP Address# /cfg/slb/p ort 1 >> SLB port 1# proxy ena >> SLB port 1# /cfg/slb/port 2 >> SLB port 2# proxy ena >> SLB port 2# /cfg/slb/port 3 >> SLB port 3# proxy ena (Select proxy IP address menu) (Use port-based proxy IP) (Set proxy IP address) (Set proxy IP address) (Set proxy IP address) (Set proxy IP address) (Select port 1) (Enable proxy port 1) (Select port 2) (Enable proxy port 2) (Select port 3) (Enable proxy port 3)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> SLB port 3# /cfg/slb/port 4 >> SLB port 4# proxy ena >> SLB port 4# /cfg/slb/port 5 >> SLB port 5# proxy ena >> SLB port 5# /cfg/slb/port 6 >> SLB port 6# proxy ena
(Select port 4) (Enable proxy port 4) (Select port 5) (Enable proxy port 5) (Select port 6) (Enable proxy port 6)
Congure the application redirection lters. Once proxy IP addresses are established, congure each application redirection lter (Filter 2 in our example) with the real server TCP or UDP port to which redirected trafc will be sent. In this case, the requests are mapped to a different destination port (8080). You must also enable proxies on the real servers:
>> # /cfg/slb/filt 2 >> Filter 2# rport 8080 >> Filter 2# /cfg/slb/real 1/proxy enable (Select the menu for Filter 2) (Set proxy redirection port) (Enable proxy on real servers)
>> Real server 1# /cfg/slb/real 2/proxy enable (Enable proxy on real servers) >> Real server 2# /cfg/slb/real 3/proxy enable (Enable proxy on real servers)
Note: This conguration is not limited to HTTP (Web) service. Other TCP/IP services can be congured in a similar fashion. For example, if this had been a DNS redirect, rport would be sent to well-known port 53 (or the service port you want to remap to). For a list of other well-known services and ports, see the "Well-Known Application Ports" (page 199). 3 4 Apply and save your changes. Check server statistics to verify that trafc has been redirected based on ltering criteria:
>> # /info/slb/group <group number> /filter <filter number>
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
423
to caching, such as to guarantee up-to-date data from the origin server. If this feature (Cache-Control: no cache directive) is enabled, HTTP 1.1 GET requests are forwarded directly to the origin servers. Note: The term origin server refers to the server originally specied in the request. The HTTP 1.0 Pragma: no-cache header is equivalent to the HTTP 1.1 Cache-Control header. By enabling the Pragma: no-cache header, requests are forwarded to the origin server. Note: For cache redirection, at any given time one HTTP header is supported globally for the entire switch. This section discusses the following types of cache redirection: "URL-Based Cache Redirection" (page 424) "HTTP Header-Based Cache Redirection" (page 433) "Browser-Based Cache Redirection" (page 434) "URL Hashing for Cache Redirection" (page 436) "RTSP Streaming Cache Redirection" (page 439)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
425
Examples of matching string expressions are: /product Any URL that starts with "/product," including any information in the "/product" directory product Any URL that has the string "product" Some of the common noncacheable items that you can congure the switch to add to, delete, or modify are: Dynamic content les: Common gateway interface les (.cgi) cold fusion les (.cfm), ASP les (.asp) BIN directory CGI-BIN directory SHTML (scripted html) Microsoft HTML extension les (.htx) executable les (.exe) Dynamic URL parameters: +, !, %, =, &
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Requests matching the URL are load balanced among the multiple servers, depending on the metric specied for the real server group (leastconns is the default).
Application Redirection
427
address is replaced by the MAC address of the cache. Both the IP address and the MAC address of the source remain unchanged. Full NAT In this NAT method, the source IP address and the source MAC address are replaced by the IP address and MAC address of the cache. This method works well for proxy cache servers.
For information on how to congure your network for SLB, see "Server Load Balancing" (page 188). 2 Congure the switch to support basic cache redirection. For information on cache redirection, refer to "Application Redirection" (page 409). 3 Congure the parameters and le extensions that bypass cache redirection. a. Add or remove string IDs that should not be cacheable.
>> # /cfg/slb/filt 1/adv/addstr|remstr <ID> >> # /cfg/slb/layer7/slb/addstr|remstr <strings>
b. Enable/disable ALLOW for non-GETS (such as HEAD, POST, and PUT) to the origin server, as described below.
>> # /cfg/slb/layer7/redir/urlal {ena|dis}
Ena: The switch allows all non-GET requests to the origin server.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Dis: The switch compares all requests against the expression table to determine whether the request should be redirected to a cache server or the origin server.
c. Enable/disable cache redirection of requests that contain " cookie: " in the HTTP header.
>> # /cfg/slb/layer7/redir/cookie {ena|dis}
Ena: The switch redirects all requests that contain "cookie:" in the HTTP header to the origin server. Dis: The switch compares the URL against the expression table to determine whether the request should be redirected to a cache server or the origin server.
d. Enable/disable cache redirection of requests that contain " Cache-control:no cache " in the HTTP 1.1 header or " Pragma:no cache " in the HTTP 1.0 header to the origin server.
>> # /cfg/slb/layer7/redir/nocache {ena|dis}
Ena: The switch redirects all requests that contain Cache-control: no cache in the HTTP 1.1 header or Pragma:no cache in the HTTP 1.0 header to the origin server. Dis: The switch compares the URL against the expression table to determine whether the request should be redirected to a cache server or the origin server.
Dene the string(s) to be used for cache SLB. Refer to the parameters listed below:
>> # /cfg/slb/layer7/slb/{addstr|remstr} <string>
A default string any indicates that the particular server can handle all URL or cache requests. Refer to the following examples: Example 1: String Starting with the Forward slash (/)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
429
A string that starts with a forward slash ( / ), such as "/images," indicates that the server will process requests that start out with the "/images" string only. For example, with the "/images" string, the server will handle these requests:
/images/product/b.gif /images/company/a.gif /images/testing/c.jpg
Example 2: String without the Forward slash (/) A string that does not start out with a forward slash ( / ) indicates that the server will process any requests that contain the dened string. For example, with the "images" string, the server will process these requests:
/images/product/b.gif /images/company/a.gif /images/testing/c.jpg /company/images/b.gif /product/images/c.gif /testing/images/a.gif
Example 3: String with the Forward slash (/) Only If a server is congured with the load balance string ( / ) only, it will only handle requests to the root directory. For example, the server will handle any les in the ROOT directory:
/ /index.htm /default.asp /index.shtm
5 6
Apply and save your conguration changes. Identify the dened string IDs.
>> # /cfg/slb/layer7/slb/cur
For easy conguration and identication, each dened string has an ID attached, as shown in "SLB Strings" (page 430).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
430 Part 3: Application Switching Fundamentals SLB Strings ID 1 2 3 4 5 6 SLB String any .gif /sales /xitami /manual .jpg
Congure the real server(s) to support cache redirection. Note: If you dont add a dened string (or add the dened string any), the server will handle any request. Add the dened string(s) to the real servers:
>> # /cfg/slb/real 2/layer7/addlb <ID>
where ID is the identication number of the dened string. The server can have multiple dened strings. For example: "/images", "/sales", ".gif" With these dened strings, the server can handle requests that begin with "/images" or "/sales" and any requests that contain ".gif". 8 Dene a real server group and add real servers to the group. The following conguration combines three real servers into a group:
>> # /cfg/slb/group 1 >> Real server group 1# add 1 >> Real server group 1# add 2 >> Real server group 1# add 3 (Select real server group 1) (Add real server 1 to group 1) (Add real server 2 to group 1) (Add real server 3 to group 1)
Congure a lter to support basic cache redirection. The lter must be able to intercept all TCP trafc for the HTTP destination port and must redirect it to the proper port in the real server group:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
431
>> # /cfg/slb/filt <filter number> >> Filter <filter number> # sip any >> Filter <filter number> # dip any >> Filter <filter number> # proto tcp >> Filter <filter number> # sport any >> Filter <filter number> # dport http >> Filter <filter number> # action redir >> Filter <filter number> # rport http >> Filter <filter number> # group 1 >> Filter <filter number> # ena
(Select the menu for Filter #x) (From any source IP addresses) (To any destination IP addresses) (For TCP protocol traffic) (From any source port) (To an HTTP destination port) (Set the action for redirection) (Set the redirection port) (Select real server group 1) (Enable the filter)
10
11
Select the appropriate NAT option. The three NAT options are listed below. For more information about each option, see "Network Address Translation Options" (page 426). No NAT option:
>> # /cfg/slb/filter <filter number> /adv/proxy dis
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> # /cfg/slb/filt <filter number> >> Filter <filter number> # rport 3128 (Specify redirection port)
>> Filter <filter number> # adv (Select the advance menu) >> Filter <filter number> Advanced# proxy ena (Enable proxy IP address)
For more information on proxy IP addresses, see "Proxy IP Addresses" (page 228). 12 Create a default lter for noncached trafc on the switch.
>> # /cfg/slb/filt <filter number> >> Filter <filter number> # sip any >> Filter <filter number> # dip any >> Filter <filter number> # proto any >> Filter <filter number> # action allow >> Filter <filter number> # ena >> Filter <filter number> # port <port number> (Select the default filter) (From any source IP addresses) (To any destination IP addresses) (For any protocol traffic) (Set the action to allow traffic) (Enable the default filter) (Assign the default filter to a port)
Note: When the proto parameter is not tcp or udp, then sport and dport are ignored. 13 Turn on ltering for the port.
>> SLB <port number> # filt ena
14
15
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
433
16
End
5 6
Apply and save your conguration changes. Identify the string ID numbers with this command.
>> # /cfg/slb/layer7/slb/cur
Congure the real server(s) to handle the appropriate load balance string(s). Add the dened string IDs to the real servers:
>> # /cfg/slb/real 2/layer7/addlb <ID>
where ID is the identication number of the dened string. Note: If you dont add a dened string (or add ID=1), the server will handle any request. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
435
Step 1
Action Before you can congure header-based cache redirection, ensure that the switch is already congured for basic SLB with the following tasks: Assign an IP address to each of the real servers in the server pool. Dene an IP interface on the switch. Dene each real server. Assign servers to real server groups. Dene virtual servers and services.
5 6
Apply and save your conguration changes. Identify the string ID numbers with this command.
>> # /cfg/slb/layer7/slb/cur
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
ID 3 4
Add the dened string IDs to congure the real server(s) to handle the appropriate load balance string(s).
>> # /cfg/slb/real 2/layer7/addlb <ID>
where ID is the identication number of the dened string. Note: If you dont add a dened string (or add the ID 1), the server will handle any request. End
To congure the switch for cache redirection based on a hash key, use the following procedure: Step 1 Action Congure basic SLB. Before you can congure header-based cache redirection, ensure that the switch has already been congured for basic SLB (see "Server Load Balancing" (page 188)) with the following tasks: Assign an IP address to each of the real servers in the server pool.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
437
Dene an IP interface on the switch. Dene each real server. Assign servers to real server groups. Dene virtual servers and services. Congure the load-balancing algorithm to hash or minmiss.
Enable hash to direct a cacheable URL request to a specic cache server. By default, the host header eld is used to calculate the hash key and URL hashing is disabled. hash ena: Enables hashing based on the URL and the host header if it is present. Specify the length of the URL to hash into the cache server.
>> # /cfg/slb/layer7/redir/hash ena Enter new hash length [1-255]: 24
hash disable: Disables hashing based on the URL. Instead, the host header eld to calculate the hash key. If the host header eld does not exist in the HTTP header, then the switch uses the source IP address as the hash key. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
439
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Follow this procedure to congure to load balance RTSP cache servers for the topology illustrated in "Load Balancing RTSP Cache Servers" (page 439): Step 1 Action Before you start conguring the application switch do the following: 2 Connect each cache server to the application switch Congure the IP addresses on all devices connected to the switch Congure the IP interfaces on the switch
At the application switch, congure RTSP cache servers and the IP addresses.
>> # /cfg/slb/real 1 >> Real server 1# rip 1.1.1.1 >> Real server 1# ena >> Real server 1# /cfg/slb/real 2 >> Real server 2# rip 1.1.1.2 >> Real server 2# ena >> Real server 2# /cfg/slb/real 3 >> Real server 3# rip 1.1.1.3 >> Real server 3# ena >> Real server 3# /cfg/slb/real 4 >> Real server 4# rip 1.1.1.4 >> Real server 4# ena (Configure RTSP cache server 4) (Enable RTSP cache server 4) (Configure RTSP cache server 3) (Enable RTSP cache server 3) (Configure RTSP cache server 2) (Enable RTSP cache server 2) (Configure RTSP cache server 1) (Enable RTSP cache server 1)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
441
>> # /cfg/slb/group 1 >> Real Server Group 1# add 1 >> Real Server Group 1# add 2 >> Real Server Group 1# add 3 >> Real Server Group 1# add 4 (Add RTSP cache server 1 to group 1) (Add RTSP cache server 2 to group 1) (Add RTSP cache server 3 to group 1) (Add RTSP cache server 4 to group 1)
>> # /cfg/slb/filter 100 >> Filter 100# action redir >> Filter 100# proto tcp >> Filter 100# dport rtsp >> Filter 100# rport rtsp >> Filter 100# group 1 >> Filter 100# adv >> Filter 100# Advanced# proxy disable
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Filter 2048# dip any >> Filter 2048# ena >> Filter 2048# action allow
(To any destination IP addresses) (Enable a default allow filter) (Set the action to allow normal traffic)
>> # /cfg/slb/port 25 >> SLB Port 25# add 100 >> SLB Port 25# add 2048 >> SLB Port 25# filt ena
Congure the parameters and le extensions that will bypass RTSP streaming cache redirection. This is for user-dened non-cacheable content. For example, QuickTime les are non-cacheableRTSP les with the extension *.mov must bypass the streaming cache redirection. Similarly, you can add other RTSP le extensions (such as *.smil, *.rm, *.ram, and so forth) to bypass the redirection.
(Select the SLB resource menu) (Add non-cacheable RTSP strings)
A client request of the form RTSP://*.mov bypasses the cache servers and instead is routed directly to the original servers. 9 Under the lter menu, add the string IDs that need to be excluded.
(Select the Filtering L7 Adv. menu) (Add the string ID for *.mov)
10
Dene the RTSP le extensions to load balance among the cache servers.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
443
>> # /cfg/slb/layer7/slb/addstr condor.rm >> Server Load Balance Resource# addstr tiger.rm
11 12
Apply and save your conguration changes. Identify the associated ID number for each of the dened RTSP le extension.
>> # /cfg/slb/layer7/slb/cur SLB Strings ID 1 2 3 4 SLB String any *.mov condor.rm tiger.rm
13
>> Real Server 1 Layer 7 Commands# cfg/slb/real 2 >> Real Server 2# Layer 7/addlb 3 (Add the URL string ID 3)
>> Real Server 2 Layer 7 Commands# cfg/slb/real 3 >> Real Server 3# Layer 7/addlb 4 (Add the URL string ID 4)
>> Real Server 3 Layer 7 Commands# cfg/slb/real 4 >> Real Server 4# Layer 7/addlb 4 (Add the URL string ID 4)
Note: If no string is assigned to the server, the server will handle all requests. 14 Apply and save the conguration.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Real Server 4 Layer 7 Commands# apply >> Real Server 4 Layer 7 Commands# save
Client requests condor.rm or tiger.rm are retrieved from the local cache servers 1 or 2 and 3 or 4 respectively; however, a client request cheetah.mov bypasses the local cache servers and is forwarded to the original server. End
HTTP Redirection
Filters can be used to redirect HTTP requests to different gateways or servers. The following HTTP redirection types are supported: IP redirectionThe application switch redirects client requests to different service gateways based on the address range of the client device and requested URL. For details, see "IP based HTTP redirection" (page 447). Port redirectionThe application switch examines trafc entering on a TCP service port (such as HTTP port 80) and sends that trafc to a user-specied IP address on a different service port (such as 9090). For details, see "TCP Service Port Based HTTP Redirection" (page 450). MIME type redirectionThe application switch examines the HTTP header or URL of an incoming request for a specic Multipurpose Internet Mail Extensions (MIME) type, and replaces the URL with another URL. For details, see "MIME Type Header-Based Redirection" (page 452). URL redirectionThe application switch examines a URL and redirects it to a precongured IP address or URL. For details, see "URL-Based Redirection" (page 454). Note: The HTTP header redirection feature is not limited to the types of HTTP headers listed below.
Application Redirection Example HTTP Redirection Strings ID 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 SLB String any, cont 256 HTTPHDR=Host:wap.example.com HTTPHDR=Host:wap.yahoo.com HTTPHDR=Host:wap.google.com HTTPHDR=Host:wap.p-example.com HTTPHDR=Host:10.168.224.227=/top jad, cont 256 jar, cont 256 HTTPHDR=Accept:text/vnd.foo.j2me.app-descriptor HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST_URL HTTPHDR=Host:any HTTPHDR=Host:any:90 HTTPHDR=Host:any:8080 HTTPHDR=X-Foo-ipaddress:10.168.100.* HTTPHDR=Host:www.abc.com, cont 256 HTTPHDR=Host:any:443, cont 256
445
HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST/nava/ toggle.jad, nre, cont 1024 HTTPHDR=Host:mobile.example.com=/4g/w?url=dev.example .com/$URL, nre, cont 1024
Step 1
Action Congure the switch with the basic Server Load Balancing requirements as described in "HTTP Header-Based Cache Redirection" (page 433). Congure the lter strings.
>> # /cfg/slb/layer7/slb/ >> Server Loadbalance Resource# addstr (Add the first SLB string) l7lkup
Enter type of string [l7lkup|pattern]: Configure HTTP header string? Enter HTTP header name: Host
(y/n) [n] y
wap.example.com
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
(y/n) [n] n (Select the Serverloadbala nce Resource menu) (Add the second SLB string) [y/n] y (Define HTTP header name Host) wap.yahoo.com
>> # /cfg/slb/layer7/slb/ >> Server Loadbalance Resource# add Configure HTTP header string? Enter HTTP header name: Host Enter SLB header value string:
Use the same commands as step 2 to congure the rest of the lter strings shown in "Example HTTP Redirection Strings" (page 445). Identify the ID numbers of the dened strings.
>> # /cfg/slb/layer7/slb/cur Number of entries: 14 1: any, cont 256 2: HTTPHDR=Host:wap.example.com, cont 256 3: HTTPHDR=Host:wap.yahoo.com, cont 256 4: HTTPHDR=Host:wap.google.com, cont 256 5: HTTPHDR=Host:wap.p-example.com, cont 256 6: HTTPHDR=Host:10.168.224.227=/top, cont 256 7: jad, cont 256 8: jar, cont 256 9: HTTPHDR=Accept:text/vnd.foo.j2me.app-descriptor, cont 256 10: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST _URL, cont 256 11: HTTPHDR=Host:any, cont 256 12: HTTPHDR=Host:any:90, cont 256 13: HTTPHDR=Host:any:8080, cont 256 14: HTTPHDR=X-Foo-ipaddress:10.168.100.* , cont 256 15: HTTPHDR=Host:www.abc.com, cont 256 16: HTTPHDR=Host:any:443, cont 256 17: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST/ nava/toggle.jad, nre, cont 1024 18: HTTPHDR=Host:mobile.example.com=/4g/w?url=dev.ex ample.com/$URL, nre, cont 1024
Congure a port for client trafc. This conguration assumes client trafc enters the application switch on port 1. Enabled ltering on the client port.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Application Redirection
447
>> /cfg/slb/port 1 >> SLB port 1# filt en Current port 1 filtering: New port 1 filtering:
(Select the SLB port 1 menu) (Enable filtering on the port) disabled enabled
The basic HTTP redirection conguration is now complete and can be used for each of the redirection options described in the following sections. End
Conguration rules
The following lter rules on the Application switch to lter client requests from different WAP gateways: Filter 1: If the client IP address is between 10.168.43.0-255 and the requested URL is http://wap.example.com, then redirect the client request to http://wap.yahoo.com. Filter 2: If the Client IP address is between 10.46.6.0.0-255 and the requested URL is http://wap.example.com then redirect the client request to http://wap.google.com. Filter 3: If the client IP address is between 10.23.43.0- 255 and the requested URL is http://wap.p-example.com, then redirect the client request to http://10.168.224.227/top.
Assuming that each client is in a different subnet, congure the switch with three lters to redirect client requests from each subnet, to the URLs specied above. Use the string index numbers in "Example HTTP Redirection Strings" (page 445) to congure a redirection map for each lter.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Action Identify the ID numbers of the dened strings. The strings in bold are used in this example.
>> # /cfg/slb/layer7/slb/cur Number of entries: 14 1: any, cont 256 2: HTTPHDR=Host:wap.example.com, cont 256 3: HTTPHDR=Host:wap.yahoo.com, cont 256 4: HTTPHDR=Host:wap.google.com, cont 256 5: HTTPHDR=Host:wap.p-example.com, cont 256 6: HTTPHDR=Host:10.168.224.227=/top, cont 256 7: jad, cont 256 8: jar, cont 256 9: HTTPHDR=Accept:text/vnd.foo.j2me.app-descriptor, cont 256 10: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST _URL, cont 256 11: HTTPHDR=Host:any, cont 256 12: HTTPHDR=Host:any:90, cont 256 13: HTTPHDR=Host:any:8080, cont 256 14: HTTPHDR=X-Foo-ipaddress:10.168.100.* , cont 256 15: HTTPHDR=Host:www.abc.com, cont 256 16: HTTPHDR=Host:any:443, cont 256 17: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST/ nava/toggle.jad, nre, cont 1024 18: HTTPHDR=Host:mobile.example.com=/4g/w?url=dev.ex ample.com/$URL, nre, cont 1024
Congure lter 1.
>> /cfg/slb/filt 1 >> Filter 1 # sip 10.168.43.0 Current source address: New pending source address: any 10.168.43.0 (From this source IP address range)
>> Filter 1 # smask 255.255.255.0 Current source mask: New pending source mask: >> Filter 1 # proto tcp 0.0.0.0 255.255.255.0 (For TCP protocol traffic)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
449
any
Current destination port or range: Pending new destination port or range: >> Filter 1 # action redir Current action: allow redir
>> Filter 1 # /cfg/slb/filt/adv /layer7 >> Layer 7 Advanced# addrd Enter filtering string ID (1-1024) to redirect from: Enter filtering string ID (2-1024) to redirect to:
Congure lter 2.
>> /cfg/slb/filt 2 >> Filter 2 # sip 10.46.6.0.0 Current source address: any New pending source address: 10.46.6.0.0 >> Filter 2 # smask 255.255.255.0 Current source mask: 0.0.0.0 New pending source mask: 255.255.255.0 >> Filter 2 # proto tcp Current protocol: any Pending new protocol: tcp >> Filter 2 # dport http Current destination port or range: any Pending new destination port or range: http >> Filter 2 # action redir Current action: allow Pending new action: redir >> Filter 2 # /cfg/slb/filt/adv/layer7 >> Layer 7 Advanced# addrd Enter filtering string ID (1-1024) to redirect from: 2 Enter filtering string ID (2-1024) to redirect to: 4
Congure Filter 3.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> /cfg/slb/filt 3 >> Filter 3 # sip 10.23.43.0 Current source address: any New pending source address: 10.23.43.0 >> Filter 3 # smask 255.255.255.0 Current source mask: 0.0.0.0 New pending source mask: 255.255.255.0 >> Filter 3 # proto tcp Current protocol: any Pending new protocol: tcp >> Filter 3 # dport http Current destination port or range: Pending new destination port or range: >> Filter 3 # action redir Current action: allow Pending new action: redir >> Filter 3 # /cfg/slb/filt/adv/layer7 >> Layer 7 Advanced# addrd Enter filtering string ID (1-1024) to redirect from: 5 Enter filtering string ID (2-1024) to redirect to: 6
any http
Step 1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
451
>> # /cfg/slb/layer7/slb/cur Number of entries: 14 1: any, cont 256 2: HTTPHDR=Host:wap.example.com, cont 256 3: HTTPHDR=Host:wap.yahoo.com, cont 256 4: HTTPHDR=Host:wap.google.com, cont 256 5: HTTPHDR=Host:wap.p-example.com, cont 256 6: HTTPHDR=Host:10.168.224.227=/top, cont 256 7: jad, cont 256 8: jar, cont 256 9: HTTPHDR=Accept:text/vnd.foo.j2me.app-descriptor , cont 256 10: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST _URL, cont 256 11: HTTPHDR=Host:any, cont 256 12: HTTPHDR=Host:any:90, cont 256 13: HTTPHDR=Host:any:8080, cont 256 14: HTTPHDR=X-Foo-ipaddress:10.168.100.* , cont 256 15: HTTPHDR=Host:www.abc.com, cont 256 16: HTTPHDR=Host:any:443, cont 256 17: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST/ nava/toggle.jad, nre, cont 1024 18: HTTPHDR=Host:mobile.example.com=/4g/w?url=dev.ex ample.com/$URL, nre, cont 1024
Congure lter 4.
>> /cfg/slb/filt 4 >> Filter 4 # sip 10.46.6.231 Current source address: any New pending source address: 10.46.6.231 >> Filter 4 # smask 255.255.255.255 Current source mask: 0.0.0.0 New pending source mask: 255.255.255.255 >> Filter 4 # proto tcp Current protocol: any Pending new protocol: tcp >> Filter 4 # dport http Current destination port or range: any Pending new destination port or range: http >> Filter 4 # action redir Current action: allow Pending new action: redir >> Filter 4 # /cfg/slb/filt/adv/layer7 >> Layer 7 Advanced# addrd Enter filtering string ID (1-1024) to redirect from: 11
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Congure lter 5.
>> /cfg/slb/filt 5 >> Filter 5 # sip 10.46.6.231 Current source address: any New pending source address: 10.46.6.231 >> Filter 5 # smask 255.255.255.255 Current source mask: 0.0.0.0 New pending source mask: 255.255.255.255 >> Filter 5 # proto tcp Current protocol: any Pending new protocol: tcp >> Filter 5 # dport http Current destination port or range: any Pending new destination port or range: http >> Filter 5 # action redir Current action: allow Pending new action: redir >> Filter 5 # /cfg/slb/filt/adv/layer7 >> Layer 7 Advanced# addrd Enter filtering string ID (1-1024) to redirect from: 11 Enter filtering string ID (2-1024) to redirect to: 13
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
453
Step 1
Action Identify the ID numbers of the dened strings. The strings in bold are used in this example.
>> # /cfg/slb/layer7/slb/cur Number of entries: 14 1: any, cont 256 2: HTTPHDR=Host:wap.example.com, cont 256 3: HTTPHDR=Host:wap.yahoo.com, cont 256 4: HTTPHDR=Host:wap.google.com, cont 256 5: HTTPHDR=Host:wap.p-example.com, cont 256 6: HTTPHDR=Host:10.168.224.227=/top, cont 256 7: jad, cont 256 8: jar, cont 256 9: HTTPHDR=Accept:text/vnd.foo.j2me.app-descriptor , cont 256 10: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST_URL, cont 256 11: HTTPHDR=Host:any, cont 256 12: HTTPHDR=Host:any:90, cont 256 13: HTTPHDR=Host:any:8080, cont 256 14: HTTPHDR=X-Foo-ipaddress:10.168.100.* , cont 256 15: HTTPHDR=Host:www.abc.com, cont 256 16: HTTPHDR=Host:any:443, cont 256 17: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST/nava/ toggle.jad,nre, cont 1024 18: HTTPHDR=Host:mobile.example.com=/4g/w?url=dev.example. com/$URL,nre, cont 1024
Congure lter 6. The lter intercepts string 7, 8, and 9 and then redirects them based on strings 10, 17, and 18 information. The $HOST_URL is replaced with the incoming request from HOST and URL string. The $HOST is replaced with the incoming request from HOST string. The $URL is replaced with the incoming request from the URL string.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> /cfg/slb/filt 6 >> Filter 6 # sip 10.46.6.231 Current source address: any New pending source address: 10.46.6.231 >> Filter 6 # smask 255.255.255.255 Current source mask: 0.0.0.0 New pending source mask: 255.255.255.255 >> Filter 6 # proto tcp Current protocol: any Pending new protocol: tcp >> Filter 6 # dport http Current destination port or range: any Pending new destination port or range: http >> Filter 6 # action redir Current action: allow Pending new action: redir >> Filter 6 # /cfg/slb/filt/adv/layer7 >> Layer 7 Advanced# addrd Enter filtering string ID (1-1024) to redirect from: 7 Enter filtering string ID (2-1024) to redirect to: 10 >> Layer 7 Advanced# addrd Enter filtering string ID (1-1024) to redirect from: 8 Enter filtering string ID (2-1024) to redirect to: 17 >> Layer 7 Advanced# addrd Enter filtering string ID (1-1024) to redirect from: 9 Enter filtering string ID (2-1024) to redirect to: 18 >> Layer 7 Advanced# apply >> Layer 7 Advanced# save
URL-Based Redirection
A request for a URL can be redirected to another URL as follows: Filter 7: URL http://wap.example.com is redirected to http://10.168.224.227/top.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
455
Step 1
Action Identify the ID numbers of the dened strings. The strings in bold are used in this example.
>> # /cfg/slb/layer7/slb/cur Number of entries: 14 1: any, cont 256 2: HTTPHDR=Host:wap.example.com, cont 256 3: HTTPHDR=Host:wap.yahoo.com, cont 256 4: HTTPHDR=Host:wap.google.com, cont 256 5: HTTPHDR=Host:wap.p-example.com, cont 256 6: HTTPHDR=Host:10.168.224.227=/top, cont 256 7: jad, cont 256 8: jar, cont 256 9: HTTPHDR=Accept:text/vnd.foo.j2me.app-descriptor, cont 256 10: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST _URL, cont 256 11: HTTPHDR=Host:any, cont 256 12: HTTPHDR=Host:any:90, cont 256 13: HTTPHDR=Host:any:8080, cont 256 14: HTTPHDR=X-Foo-ipaddress:10.168.100.* , cont 256 15: HTTPHDR=Host:www.abc.com, cont 256 16: HTTPHDR=Host:any:443, cont 256 17: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST/ nava/toggle.jad, nre, cont 1024 18: HTTPHDR=Host:mobile.example.com=/4g/w?url=dev.ex ample.com/$URL, nre, cont 1024
Pending new action: redir >> Filter 7 # /cfg/slb/filt/adv/layer7 >> Layer 7 Advanced# addrd Enter filtering string ID (1-1024) to redirect from: 2 Enter filtering string ID (2-1024) to redirect to: 6 >> Layer 7 Advanced# apply >> Layer 7 Advanced# save
Step 1
>> # /cfg/slb/layer7/slb/cur Number of entries: 14 1: any, cont 256 2: HTTPHDR=Host:wap.example.com, cont 256 3: HTTPHDR=Host:wap.yahoo.com, cont 256 4: HTTPHDR=Host:wap.google.com, cont 256 5: HTTPHDR=Host:wap.p-example.com, cont 256 6: HTTPHDR=Host:10.168.224.227=/top, cont 256 7: jad, cont 256 8: jar, cont 256 9: HTTPHDR=Accept:text/vnd.foo.j2me.app-descriptor , cont 256 10: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST _URL, cont 256 11: HTTPHDR=Host:any, cont 256 12: HTTPHDR=Host:any:90, cont 256 13: HTTPHDR=Host:any:8080, cont 256 14: HTTPHDR=X-Foo-ipaddress:10.168.100.* , cont 256 15: HTTPHDR=Host:www.abc.com, cont 256 16: HTTPHDR=Host:any:443, cont 256
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
457
17: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST/ nava/toggle.jad, nre, cont 1024 18: HTTPHDR=Host:mobile.example.com=/4g/w?url=dev.ex ample.com/$URL, nre, cont 1024
End
Step 1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Congure lter 9.
>> /cfg/slb/filt 9 >> Filter 9 # proto tcp Current protocol: any Pending new protocol: tcp >> Filter 9 # dport http Current destination port or range: any Pending new destination port or range: http >> Filter 9 # action redir Current action: allow Pending new action: redir >> Filter 9 # /cfg/slb/filt/adv/layer7
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Application Redirection
459
>> Layer 7 Advanced# addrd >> Layer 7 Advanced# l7lkup en Current layer 7 lookup: disabled New layer 7 lookup: enabled Enter filtering string ID (1-1024) to redirect from: 15 Enter filtering string ID (2-1024) to redirect to: 16
Take the following steps to replicate the conguration illustrated above: Step 1 Action Congure the client VLAN.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
10
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Redirection
461
11
Congure the IPv6 redirection lter to redirect all HTTP trafc to the cache servers.
12
13
Enable lter processing on client ports and add the 2 lters to the client ports.
14
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Action The packet matches a congured lter. The packet matches a previously congured lter with a REDIR action.
A packet earlier in the session was matched. A packet earlier in the session was matched against a lter congured with a REDIR action and the session has been converted to a redirect session. In this instance, subsequent packets after the initial match are not subjected to pattern matching. Packet redirection is accomplished by substituting the original destination MAC address with the real server MAC address. Some applications, however, require that all of the Layer 2 information remain unmodied in the redirected packet. To support instances where this is the case, an option has been added to disable destination MAC address substitution on a real server by real server basis. With this option enabled, all packets will be transparently redirected and no destination MAC address substitution will take place. Note: Disabling destination MAC address substitution is only available for lter redirection. To disable destination MAC address substitution, issue the following command:
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
463
Health Checking
Health checking allows you to verify content accessibility in large Web sites. As content grows and information is distributed across different server farms, exible, customizable content health checks are critical to ensure end-to-end availability. The following Nortel Application Switch Operating System health-checking topics are described in this chapter. "Real Server Health Checks" (page 465). This section explains the switchs default health check, which checks the status of each service on each real server every two seconds. "DSR Health Checks" (page 467). This section describes the servers ability to respond to the client queries made to the Virtual server IP address when the server is in Direct Server Return (DSR) mode. "Link Health Checks" (page 468). This section describes how to perform Layer 1 health checking on an Intrusion Detection Server (IDS). "TCP Health Checks" (page 469). TCP health checks help verify the TCP applications that cannot be scripted. "ICMP Health Checks" (page 470). This section explains how ICMP health checks are used for UDP services. "Script-Based Health Checks" (page 470). This section describes how to congure the switch to send a series of health-check requests to real servers or real server groups and monitor the responses. Health checks are supported for TCP and UDP protocols, using either Binary or ASCII content. Application-based health checks: "HTTP Health Checks" (page 479). This section provides examples of HTTP-based health checks using hostnames. "UDP-Based DNS Health Checks" (page 481). This section explains the functionality of the DNS Health Checks using UDP packets. "TFTP Health Check" (page 482). This section explains how to health check a real server using the TFTP protocol. "SNMP Health Check" (page 483). This section explains how to perform SNMP health checks to real servers running SNMP Agents. "FTP Server Health Checks" (page 485). This section describes how the File Transfer Protocol (FTP) server is used to perform health checks and explains how to congure the switch to perform FTP health checks.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
"POP3 Server Health Checks" (page 486). This section explains how to use Post Ofce Protocol Version 3 (POP3) mail server to perform health checks between a client system and a mail server and how to congure the switch for POP3 health checks. "SMTP Server Health Checks" (page 487). This section explains how to use Simple Mail Transfer Protocol (SMTP) mail server to perform health checks between a client system and a mail server and how to congure the switch for SMTP health checks. "IMAP Server Health Checks" (page 488). This section describes how the mail server Internet Message Access Protocol (IMAP) protocol is used to perform health checks between a client system and a mail server. "NNTP Server Health Checks" (page 488). This section explains how to use Network News Transfer Protocol (NNTP) server to perform health checks between a client system and a mail server and how to congure the switch for NNTP health checks "RADIUS Server Health Checks" (page 489). This section explains how the RADIUS protocol is used to authenticate dial-up users to Remote Access Servers (RASs). "HTTPS/SSL Server Health Checks" (page 492). This section explains how the switch queries the health of the SSL servers by sending an SSL client "Hello" packet and then veries the contents of the servers "Hello" response. "WAP Gateway Health Checks" (page 492). This section discusses how the application switch provides connectionless and connection-oriented WSP health check for WAP gateways. "LDAP Health Checks" (page 499). This section describes how to congure the switch to perform Lightweight Directory Access Protocol (LDAP) health checks for the switch to determine whether or not the LDAP server is running. "ARP Health Checks" (page 501). This section describes how to perform health checks on Intrusion Detection Servers (IDS) that do not have full TCP/IP stack support. "Buddy Server Health Checks" (page 503). This section describes how to congure buddy server health checking. "Failure Types" (page 506). This section explains the service failed and server failed states. Note: IPv6 health checking currently supports ICMP, TCP, HTTP, and script-based health checks.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
465
Note: Health checks are performed sequentially when used in conjunction with a virtual server congured with multiple services and groups. As a result, the actual health-check interval could vary signicantly from the value set for it using the inter parameter. Select a health check based on the application running on the real servers. For example, with IDS servers, you could use any of the three health checking methods: link, advanced SNMP, or ARP. You may use the LDAP health check method to health check LDAP servers.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The advanced group health check feature allows you to create a boolean expression to health check the real server group based on the state of the virtual services. This feature supports two boolean operators, AND and OR. The two boolean operators are used to manipulate TRUE/FALSE values as follows: OR operator (|): A boolean operator that returns a value of TRUE if either (or both) of its operands is TRUE. This is called an inclusive OR operator. AND operator (&): A boolean operator that returns a value of TRUE if both of its operands is TRUE. Using parenthesis with the boolean operators, you can create a boolean expression to state the health of the server group. The following two boolean expressions show two examples with real servers 1, 2, 3, and 4 in two different groups: (1|2)&(3|4) Real servers 1, 2, 3, and 4 are congured in group 1 and assigned to virtual service x in virtual server 1. The boolean expression is used to calculate the status of a virtual service using group 1 based on the status of the real servers. Virtual service x of virtual server 1 is marked UP if real servers 1 or 2 and real servers 3 or 4 are health checked successfully.
>> # /cfg/slb/group 1 >> Real server group 1# advhlth (1|2)&(3|4)(Configure a boolean expression for health check) >> # /cfg/slb/virt 1/service x/group 1 >> Virtual Server 1 Service# apply >> Virtual Server 1 Service# save (Assign the real server group 1) (Apply the changes) (Save the changes) (Select the real server group 1)
(1&2)|(2&3)|(1&3) Real servers 1, 2, and 3 are congured in group 2 and assigned to virtual service x in virtual server 1. The boolean expression is used to calculate the status of the virtual service using group 2 based on the status of the real servers. Virtual service x of virtual server 1 is marked UP only if at least two of the real servers are health checked successfully.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
467
>> # /cfg/slb/group 2
>> Real server group 2# advhlth (1&2)|(2&3)|(1&3) (Configure a boolean expression for health check) >> # /cfg/slb/virt 1/service x/group 2 >> Virtual Server 1 Service# apply >> Virtual Server 1 Service# save (Assign the real server group 2) (Apply the changes) (Save the changes)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
that are forwarded to the real servers for health checking. With this feature enabled, the health check will fail if the real server is not properly congured with the virtual server IP address. Note: viphlth is enabled by default. This has no effect on the health check unless the real server is congured with DSR.
Enable DSR VIP health checks for a real server group. For more information on DSR, see "Direct Server Return" (page 238).
>> Real server group 1# viphlth enable|disable
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
469
To perform this health check, a link option has been added to the real server group health command. The real server number is used to determine which port the server is connected to. For example, real server 1 is assumed to be connected to port 1. The valid IDS real server numbers are from 1 to 26 when health check is in use.
Set the health check type to link for real server group 1.
>> # Real server group 1# health Current health check type: tcp Enter health check type: link
End
End
Nortel Application Switch Operating System supports the following capacity for a single switch: 6K bytes per script 64 scripts per switch
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
471
A simple command line interface controls the addition and deletion of commands to each script. New commands are added and removed from the end of the script. Commands exist to open a connection to a specic TCP or UDP port, send a request to the server, expect an ASCII string or Binary pattern, and, for TCP-based health checks only, to close a connection. The string or pattern congured with an expect (or in the case of binary, bexpect) command is searched for in each response packet. If it is not seen anywhere in any response packet before the real server health check interval expires, the server does not pass the expect (or bexpect) step and fails the health check. A script can contain any number of these commands, up to the allowable number of characters that a script supports. Note: Health check scripts can only be set up via the command line interface, but once entered, can be assigned as the health-check method using SNMP or the Browser-Based Interface (BBI).
Script Formats
Health check script formats use different commands based on whether the content to be sent is ASCII-based or Binary-based. And, remember, the close command is used only to close a TCP connection, and is not required if health checking a UDP-based protocol. Each script should start with the command open <protocol port number>,<protocol-name>. The next line can be either a send or expect (for ASCII-based), or bsend or bexpect (Binary-based).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
open application_port, protocol-name (e.g. 80, TCP) bsend request 1 (binary pattern in hex format) nsend request 1-continued bexpect response 1 nexpect response 1-continued expect response 3 offset offset count depth number of packets from offset to count close (used in TCP-based health checks only)
open "80,tcp" bsend " <binary content for request 1> " nsend " <continuing binary content for request 1> " bexpect " <binary content for response 1> " nexpect " <binary content> " offset " <byte count from the start of the IP header> " depth "10" wait "100" close (used in TCP-based health checks only)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
473
Example:
GET /index.html HTTP/1.1 (press Enter key) Host: www.hostname.com (press Enter key twice)
This is known as a host header. It is important to include because most Web sites now require it for proper processing. Host headers were optional in HTTP/1.0 but are required when you use HTTP/1.1+. In order to tell the application server you have nished entering header information, a blank line of input is needed after all headers. At this point, the URL will be processed and the results returned to you. Note: If you make an error, enter rem to remove the last typed script line entered. If you need to remove more than one line, enter rem for each line that needs to be removed. The switch provides the "\" prompt, which is one enter key stroke. When using the send command, note what happens when you type the send command with the command string. When you type send, press enter and allow the switch to format the command string (that is, \ versus \\).
Scripting Commands
Listed below are the currently available commands for building a script-based health check: OPEN: specify which destination real server UDP port to be used; for example, OPEN 9201. After entering the destination port, you will be prompted to specify a protocol; choose udp. CLOSE (for TCP-based health checks only): This command is used to close a TCP connection. It is not necessary to use this command for UDP services. SEND: specify the send content in raw hexadecimal format. BSEND (for binary content only): This command is used to specify binary content (in hex format) for the request packet. NSEND (for binary content only): can be used to specify an additional binary send value (in hexadecimal format) at the end of a UDP based health check script. The NSEND command allows the user to append additional content to the packet generated by the BSEND command. Since the current CLI limit allows a maximum of 256 bytes to be entered, using one or more NSEND commands will allow binary content of more than 256 bytes in length to be generated. EXPECT: specify the expected content in raw hexadecimal format.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
BEXPECT (for binary content only): This command is used to specify the binary content (in hex format) to be expected from the server response packet. NEXPECT (for binary content only): Similar to NSEND, this command allows the user to specify additional binary content to be appended to the original content specied by the BEXPECT command. OFFSET (for binary content only): can be used to specify the offset from the beginning of the binary data area to start matching the content specied in the EXPECT command. The OFFSET command is supported for both UDP and TCP-based health checks. Specify the OFFSET command after an EXPECT command if an offset is desired. If this command is not present, an offset of zero is assumed. DEPTH (for binary content only): can be used to specify the number of bytes in the IP packet that should be examined. If no OFFSET value is specied, Depth is specied from the beginning of the packet. If an OFFSET value is specied, the Depth counts the number of bytes starting from the offset value. WAIT: can be used to specify a wait interval before the expected response is returned. The wait window begins when the SEND string is sent from the switch. If the expected response is received within the window, the WAIT step passes. Otherwise, the health check fails. The WAIT command should come after an EXPECT command in the script, or the OFFSET command if one exists after an EXPECT command. The wait window is in units of milliseconds. Wildcard character (*): can be used to trigger a match as long as a response is received from the server. The wildcard character is allowed with the BEXPECT command, as in BEXPECT *. Any NEXPECT, OFFSET, or DEPTH commands that follow a wildcard character will be ignored.
Scripting Guidelines
Use generic result codes that are standard and dened by the RFC, as applicable. This helps ensure that if the server software changes, the servers wont start failing unexpectedly. Avoid tasks that may take a long time to perform or the health check will fail. For example, avoid tasks that exceed the interval for load balancing.
Script Conguration Examples Script Example 1: A Basic ASCII TCP-Based Health Check
Congure the switch to check a series of Web pages (HTML or dynamic CGI scripts) before it declares a real server is available to receive requests.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
475
Note: If you are using the CLI to create a health check script, you must use quotes (") to indicate the beginning and end of each command string.
>> /cfg/slb/group x/health script1/content none >> /cfg/slb/advhc/script 1 open 80 send "GET /index.html HTTP/1.1\\r\\nHOST:www.hostname.com \\r\\n\\r\\n" expect "HTTP/1.1 200" close open 80 send "GET /script.cgi HTTP/1.1\\r\\nHOST:www.hostname.com \\r\\n\\r\\n" expect "HTTP/1.1 200" close open 443 ... close
Note: When you are using the command line interface to enter the send string as an argument to the send command, you must type two "\"s before an "n" or "r." If you are instead prompted for the line, that is, the text string is entered after hitting <return>, then only one "\" is needed before the "n" or "r."
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Site 2 with Virtual Server 2 and the following real servers: Real Server 1 and Real Server 2: "images" Real Server 3 and Real Server 4: "html" Real Server 5 and Real Server 6: "cgi" and "bin" Real Server 7 (which is Virtual Server 2): "any"
Script-based health checking is intelligent in that it will only send the appropriate requests to the relevant servers. In the example above, the rst GET statement will only be sent to Real Server 1 and Real Server 2. Going through the health-check statements serially will ensure that all content is available by at least one real server on the remote site. Congure the remote real server IP address (the virtual server IP address of the remote site) to accept "any" URL requests. The purpose of the rst GET is to check if Real Server 1 or Real Server 2 is upthat is, to check if the remote site has at least one server for "images" content. Either Real Server 1 or Real Server 2 will respond to the rst GET health check.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
477
If all the real server IP addresses are down, Real Server 7 (the virtual server IP address of the remote site) will respond with an HTTP Redirect (respond code 302) to the health check. Thus, the health check will fail as the expected response code is 200, ensuring that the HTTP Redirect messages will not cause a loop.
Note: A maximum of 255 bytes of input are allowed on the switch command line. If your send or expect content is lengthy, you may remove spaces in between the numbers to save space on the command line. For example, type 000101 instead of 00 01 01. Or, continue the content using the nsend and nexpect commands.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> /cfg/slb/group <x> /health script 4/content none >> /cfg/slb/advhc/script4 open "80,tcp" bsend "474554202F746573742E68746D20" nsend "485454502F312E300D0A0D0A" bexpect "203230" nexpect "3020" offset "7" depth "10" wait "100" close
The server is not responding to the get with the expect string. When the script succeeds in determining the health of a real server, the following information is displayed:
>> # /info/slb/real 1 1: 205.178.13.223, 00:00:5e:00:01:24, vlan 1, port 2, health 4, up real ports: script 2, up, current
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
479
"NNTP Server Health Checks" (page 488) "RADIUS Server Health Checks" (page 489) "HTTPS/SSL Server Health Checks" (page 492) "WAP Gateway Health Checks" (page 492) "Conguring WSP Health Checks" (page 494) "Conguring WTP Health Checks" (page 496) "Conguring WTLS Health Checks" (page 498)
If the HOST: header is required, an HTTP/1.1 GET will occur. Otherwise, an HTTP/1.0 GET will occur. HTTP health check is successful if you get a return code of 200.
Example 1: hname= everest dname= alteonwebsystems.com content= index.html
Health check is performed using: GET /index.html HTTP/1.1 Host: everest.alteonwebsystems.com Note: If the content is not specied, the health check will revert back to TCP on the port that is being load balanced.
Example 2: hname= (none) dname= raleighduram.cityguru.com content= /page/gen/?_template=alteon
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health check is performed using: GET /index.html HTTP/1.0 (since no HTTP HOST: header is required)
Example 5: hname= (none) dname= (none) content= //everest/index.html
Set the health check type to FTP for the real server group.
>> # /cfg/slb/group 1/health http
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
481
End
Set the health check type to UDP for the real server group.
>> # Real server group 1# health udpdns
Note: If no host name is congured, the health check is performed by sending a UDP-based query from a dummy host and watching for the servers reply. The reply, even though negative (for example, "Server not found" since the query is from a dummy host), serves the purpose of a health check, nonetheless. End
Set the health check type to TFTP for the real server group.
>> # Real server group 1# health tftp
Specify the le name that the switch requests from the real servers. Make sure the le is less than 512 bytes, so you dont incur additional trafc between the server and the switch. Depending on the implementation of the TFTP daemon on the real servers being health-checked, you may have to specify the full pathname of the le (/tftpboot/<filename>) on some systems and on others a lename is sufcient. By default, the switch checks the /tftpboot folder.
>> # Real server group 1# content test
If full pathname is specied, add quotation marks for example, "/tftpboot/test". 4 Apply and save the conguration.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
483
>> # Real server group 1# apply >> # Real server group 1# save
End
Specify the object identier (OID). The OID is obtained from the MIB le of the switch. For example, you may enter the OID for checking the status of a physical port on the switch port that is connected to the group of IDS servers.
>> SNMP Health Check 1# oid 1.3.6.1.2.1.2.2.1.8.257
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Set the community string on the switch which noties the SNMP agent on the real server to accept the SNMP packet from the switch. This community string must match the community string specied on the real server.
>> SNMP Health Check 1# comm real1
Congure an integer value for the switch to accept the health check. If the value returned by the real server for the MIB variable does not match the expected value congured in the rcvcnt eld, then the server is marked down; the server is marked back up when it returns the expected value. In this Step, the server is marked up if the switch receives a value 0; any other value that is returned from the real server is considered as health check failed
>> SNMP Health Check 1# rcvcnt 0
Enable the real server weights to dynamically change based on the SNMP health check response
>> SNMP Health Check 1# weight ena (Update weights for the real servers)
Enable the invert eld if you want the switch to invert the health check. By enabling the invert eld, it is possible to reverse your conguration in Step 4. Then, the server is marked down if the switch receives the expected value in Step 4. In this example, the real server is marked up if the switch receives any value other than 0.
>> SNMP Health Check 1# invert ena
Add the SNMP health check to a real server group. When you assign a group to use the SNMP health check, all the real servers in the group must use the same OID and community string.
>> # /cfg/slb/group 10 >> Real Server Group 10# health snmp1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Health Checking
485
End
Set the health check type to FTP for the real server group.
>> # /cfg/slb/group 1/health ftp
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> # Real server group 1# apply >> # Real server group 1# save
End
Set the health check type to POP3 for the real server group.
>> # /cfg/slb/group 1/health pop3
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
487
>> # Real server group 1# apply >> # Real server group 1# save
End
Set the health check type to SMTP for the real server group.
>> # /cfg/slb/group 1/health smtp
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Set the health check type to IMAP for the real server group.
>> # /cfg/slb/group 1/health imap
The content option species the username:passwordvalue that the server tries to match in its user database. In addition to verifying the user name and password, the database may specify the client(s) or port(s) the user is allowed to access. 4 Apply and save your conguration.
>> # Real server group 1# apply >> # Real server group 1# save
End
Health Checking
489
news among the ARPA-Internet community. NNTP is designed so that news articles are stored in a central database allowing a subscriber to select only those items he wishes to read. NNTP is documented in RFC977. Articles are transmitted in the form specied by RFC1036.
Set the health check type to NNTP for the real server group.
>> # /cfg/slb/group 1/health nntp
Create nntp directory from MS Windows Option Pack4. 4 Apply and save your conguration.
>> # Real server group 1# apply >> # Real server group 1# save
End
parameter while performing RADIUS content health checks. The switch uses the IP address of the IP interface that is on the same subnet as the RADIUS server or the default gateway as the NAS IP. Congure the real server port (rport) on the switch The RADIUS health check is performed using the real server port (rport). Make sure that the rport is the same port the server is listening on for RADIUS authentication (1812) or RADIUS accounting (1813). To congure the rport, use the /cfg/slb/virt <#> / service menu.
Set the health check type for the real server group.
>> Real server group 1# health radius-auth
Congure the health check content. The content option species the username:password value that the server tries to match in its user database. In addition to verifying the user name and password, the database may specify the client(s) or port(s) the user is allowed to access.
>> Real server group 1# content <username>:<password>
Congure the RADIUS code value. The secret value is a eld of up to 32 alphanumeric characters used by the switch to encrypt a password during the RSA Message Digest Algorithm (MD5) and by the RADIUS server to decrypt the password during verication. This value must be identical to the value specied on the RADIUS server.
>> # /cfg/slb/advhc/secret <RADIUS-coded value>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
491
End
Set the health check type for the real server group.
>> Real server group 1# health radius-acc
Note: Nortel Application Switch Operating System allows you to couple the Radius Accounting Health check with the WAP health checks. If you enable the couple command (/cfg/slb/advhc/waphc/couple) and one of the WAP health checks fail, then the Radius Accounting service is disabled. End
Step 1
Set the health check type for the real server group.
>> Real server group 1# health radius-aa (Set the health check type)
Congure the content of the group so that it contains the RADIUS user name and password separated by a colon.
>> Real server group 1# content radadmin:radpassword
End
During the handshake, the user and server exchange security certicates, negotiate an encryption and compression method, and establish a session ID for each session.
Health Checking
493
Wireless Session Protocol (WSP) is used within the WAP suite to manage sessions between wireless devices and WAP content servers or WAP gateways. Nortel Application Switch Operating System provides a content-based health check mechanism where customized WSP packets are sent to the WAP gateways, and the switch veries the expected response, in a manner similar to scriptable health checks. WSP content health checks can be congured in two modes: connectionless and connection-oriented. Connectionless WSP runs on UDP/IP protocol, ports 9200/9202. Connection-oriented trafc runs on ports 9201 and 9203. Nortel Application Switches can be used to load balance the gateways in both modes of operation. Nortel Application Switch Operating System allows you to congure three WAP gateway health check types for all four WAP services (default ports 9200, 9201, 9202, and 9203) deployed on WAP gateway/servers.
WAP Gateway Health Checks Health Check Type WSP Type of Traffic Health Check Mode connectionless WSP WAP Service 9200 To configure, see "Configuring WSP Health Checks" (page 494) "Configuring WTP Health Checks" (page 496) "Configuring WTLS Health Checks" (page 498) "Configuring WTLS Health Checks" (page 498)
WTPa
9201
WTLSb
9202
WTLS
Note: In the Nortel Application Switch Operating System, all four WAP services are grouped together. If a health check to one of the services fail, then all four WAP services (9200, 9201, 9202, or 9203) are disabled.
What is WTLS?
Wireless Transport Layer Security or WTLS is the security layer of the WAP, providing privacy, data integrity and authentication for WAP services. WTLS, designed specically for the wireless environment, is needed because the client and the server must be authenticated in order for wireless transactions
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
to remain secure and because the connection needs to be encrypted. For example, a user making a transaction with a bank over a wireless device needs to know that the connection is secure and private and not subject to a security breach during transfer. WTLS is needed because mobile networks do not provide complete end-to-end security.
Enter the WSP port. By default, the health check is sent to the UDP port 9200.
>> WAP Health Check# wspport 9200
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Health Checking
495
Use the sndcnt command to enter the content to be sent to the WSP gateway.
>> WSP Health Check Content# sndcnt Current Send content: Enter new Send content: 01 42 15 68 74 74 70 3a 2f 77 77 77 2e 6e 6f 6b 61 6d 00 .
Enter the content that the switch expects to receive from the WSP gateway.
>> WSP Health Check Content# rcvcnt Current Receive content: Enter new Receive content: 01 04 60 0e 03 94
Note: A maximum of 255 bytes of input are allowed on the switch command line. You may remove spaces in between the numbers to save space on the command line. For example, type 010203040506 instead of 01 02 03 04 05 06. 6 Set the offset value. The offset value is the number of bytes from the beginning of the UDP Data Area, at which the comparison begins to match with the expected receive content. For 9200 service, the UDP data area is the WSP response content.
>> WSP Health Check Content# offset 0
Because WAP gateways are UDP-based and operate on a UDP port, congure UDP service in the virtual server menu.
>> # /cfg/slb/virt 1 >> Virtual Server 1# service Enter virtual port: 9200 (Configure virtual service 1) (On the default WSP port) (Set the real server group number)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Virtual Server 1 9200 Service# udp ena >> Virtual Server 1 9200 Service# apply
End
Enter the WTP port. By default, the health check is sent to the UDP port 9201.
>> WAP Health Check# wtpport 9201
Create a WSP session by sending the connect message. Use the connect command to enter the content for the rst switch-generated WSP session packet. This command allows you to customize the headers in the connect message.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
497
>> WTP+WSP Health Check Content# connect Current Connect content: Enter new Connect content: 01 10 00 00
Use the sndcnt command to enter the content to be sent to the WSP gateway. This send content can be used to get a dummy Web page from the server.
>> WTP+WSP Health Check Content# sndcnt Current Send content: Enter new Send content: 01 42 15 68 74 74 70 3a 2f 77 77 77 2e 6e 6f 6b 61 6d 00 .
Enter the content that the switch expects to receive from the WSP gateway.
>> WTP+WSP Health Check Content# rcvcnt Current Receive content: Enter new Receive content: 01 04 60 0e 03 94
Set the offset value. The offset value is the number of bytes from the beginning of the UDP Data Area, at which the comparison begins to match with the expected receive content. For 9201 service, the UDP data area includes the WTP content as well as the WSP content.
>> WTP+WSP Health Check Content# offset 0
Because WAP gateways are UDP-based and operate on a UDP port, congure UDP service in the virtual server menu.
>> # /cfg/slb/virt 1 >> Virtual Server 1# service Enter virtual port: 9201 (Configure virtual service 1) (On the default WTP port) (Set the real server group number) (Enable UDP load balancing) (Apply the configuration)
>> Virtual Server 1 9200 Service# group 1 >> Virtual Server 1 9200 Service# udp ena >> Virtual Server 1 9200 Service# apply
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
10
End
Use the sndcnt command to enter the content to be sent to the WSP gateway.
>> Real server group 1# health wtls
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
499
By default, the health check is sent to the UDP port 9202 for connectionless trafc (/cfg/slb/adv/waphc/wtlswsp) and to port 9203 for connection-oriented trafc (/cfg/slb/adv/waphc/wtlsprt).
>> WAP Health Check# wtlsprt 9203
End
If the server is up, the switch closes the TCP connection after sending the unbind request. If the server is down, the connection is torn down after the bind response, if one arrives. The connection will also be torn down if it crosses the timeout limit, irrespective of the servers condition.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Action Select the health check menu for the real server group.
>> # /cfg/slb/group 1
Set the health check type to LDAP for the real server group.
>> # Real server group 1# health ldap
Congure the LDAP health check to verify the domain name in the content eld. For example, to verify the domain name ldap.example.com , enter the following with the customer name = Admin and password =test :
>> # content "cn=Admin,dc=ldap,dc=example,dc=com:te st"
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
501
End
Step 1 2
Action Accessing the ARP table. Looking for the session entry in the ARP table. If the entry exists in the table, that means the real server is up, otherwise the health check has failed. If the entry is present, then check the timestamp to nd out if the last used time is greater than the ARP health check interval. If it is, then delete the query, as this means that the health check has failed. Send another ARP request and repeat the above process until the timestamp shows the last used time smaller than the ARP health check interval. End
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
503
Note: This is not the same as Buddy Groups as this marks individual servers and not server groups. To add a real server as a buddy server for another real server, use the following command:
>> Main# /cfg/slb/real <real server number> /adv/buddyhc/add bd <real server number> <real server group> <service>
To view the current buddy server settings for a real server, use the following command:
>> Main# /cfg/slb/real <real server number> /adv/buddyhc/cur
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
505
Note: It is not mandatory for a Buddy Server Group to be part of any virtual service. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
End
Failure Types
Service Failure
If a certain number of connection requests for a particular service fail, the Nortel Application Switch places the service into the service failed state. While in this state, no new connection requests are sent to the server for this service; however, if graceful real server failure is enabled (/cfg/slb/adv/grace ena), state information about existing sessions is maintained and trafc associated with existing sessions continues to be sent to the server. Connection requests to, and trafc associated with, other load-balanced services continue to be processed by the server. Example: A real server is congured to support HTTP and FTP within two real server groups. If a session switch detects an HTTP service failure on the real server, it removes that real server group from the load-balancing algorithm for HTTP, but keeps the real server in the mix for FTP. Removing only the failed service from load balancing allows users access to all healthy servers supporting a given service.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Health Checking
507
When a service on a server is in the service failed state, the Nortel Application Switch sends Layer 4 connection requests for the failed service to the server. When the session switch has successfully established a connection to the failed service, the service is restored to the load-balancing algorithm.
Server Failure
If all load-balanced services supported on a server fail to respond to switch connection requests within the specied number of attempts, then the server is placed in the server failed state. While in this state, no new connection requests are sent to the server; however, if graceful real server failure is enabled (/cfg/slb/adv/grace ena), state information about existing sessions is maintained and trafc associated with existing sessions continues to be sent to the server. Note: All load-balanced services on a server must fail before the switch places the server in the server failed state. The server is brought back into service as soon as the rst service is proven to be healthy. Additional services are brought online as they are subsequently proven to be healthy.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
High Availability
Nortel Application Switches support high-availability network topologies through an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). The following topics are addressed in this chapter: "VRRP Overview" (page 509). This section discusses VRRP operation and Nortel Application Switch Operating System redundancy congurations. "Nortel Application Switch Operating System Extensions to VRRP" (page 512). This section describes VRRP enhancements implemented in Nortel Application Switch Operating System. "IPv6 VRRP Support" (page 521). This section describes VRRP support for IPv6 in the Nortel Application Switch Operating System. "Failover Methods and Congurations" (page 524). This section discusses a few of the more useful and easily deployed redundant congurations. "Active-Standby VSR Conguration in a Non-Shared Environment" (page 526) "Active-Active VIR and VSR Conguration" (page 529) "Active-Active Server Load Balancing Conguration" (page 531) "Hot-Standby Conguration" (page 541) "Service-Based Virtual Router Groups" (page 550) "IPv6 VRRP Conguration Examples" (page 555). This section illustrates examples for IPv6 VRRP conguration. "Hot Standby Conguration Example" (page 555) "Active-Standby Conguration Example" (page 562) "Active-Active Conguration Example" (page 569) "Virtual Router Deployment Considerations" (page 576). This section describes issues to consider when deploying virtual routers. "Stateful Failover of Persistent Sessions" (page 580). This section describes how to enable stateful failover by mirroring Layer 7 and Layer 4 persistent transactional states on the peer switch. "Service-based Session Failover" (page 584). This section describes the Nortel Application Switch Operating System 24.0 support for the failover of a session based on a service.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
VRRP Overview
In a high-availability network topology, no device can create a single point-of-failure for the network or force a single point-of-failure to any other part of the network. This means that your network will remain in service despite the failure of any single device. To achieve this usually requires redundancy for all vital network components. VRRP enables redundant router congurations within a LAN, providing alternate router paths for a host to eliminate single points-of-failure within a network. Each participating VRRP-capable routing device is congured with the same virtual router IP address and ID number. One of the virtual routers is elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will take control of the virtual router IP address and actively process trafc addressed to it. Because the router associated with a given alternate path supported by VRRP uses the same IP address and MAC address as the routers for other paths, the hosts gateway information does not change, no matter what path is used. A VRRP-based redundancy schema reduces administrative overhead because hosts need not be congured with multiple default gateways. Note: The IP address of a VRRP virtual interface router (VIR) and virtual server router (VSR) must be in the same IP subnet as the interface to which it is assigned.
Virtual Router
Two or more VRRP routers can be congured to form a virtual router (RFC 2338). Each VRRP router may participate in one or more virtual routers.Each virtual router consists of a user-congured virtual router identier (VRID) and an IP address.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
One difference between virtual server routers and virtual interface routers is that a virtual server router cannot be an IP address owner. All virtual server routers are renters. All virtual routers, whether virtual server routers or virtual interface routers, operate independently of one another; that is, their priority assignments, advertisements, and master negotiations are separate. For example, when you congure a VRRP routers priority in a virtual server router, you are not affecting that VRRP routers priority in any virtual interface router or any other virtual server router of which it is a part. However, because of the requirement that MAC addresses be unique on a LAN, VRIDs must be unique among all virtual routers, whether virtual interface routers or virtual server routers. The Nortel Application Switches in "Virtual Interface Router" (page 513) have been congured as VRRP routers. Together, they form a virtual interface router (VIR).
Virtual Interface Router
Application Switch 1 in "Virtual Interface Router" (page 513) has its real interface congured with the IP address of the virtual interface router, making it the IP address owner. As IP address owner, it receives a priority of 255, and is the virtual router master. Application Switch 2 is a virtual router backup. Its real interface is congured with an IP address that is on the same subnet as the virtual interface router, but is not the IP address of the virtual interface router. The virtual interface router has been assigned a VRID = 1. Both of the VRRP routers have a virtual router MAC address = 00-00-5E-00-01-01.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
With sharing enabled, an IP interface or a VIP address can be active simultaneously on multiple switches, enabling active-active operation as shown in "Active-Active Failover with Shared Interfaces" (page 514), and "Active-Active Failover with Shared Interfaces" (page 514) below.
Active-Active Failover with Shared Interfaces Virtual Router 1 Applicatio Master-Active n Switch 1 VRID 2 VIP: 205.178.13.226 Virtual Rtr. MAC address: 00-00-5E-00-01-02 Applicatio Backup-Active VR 1 n Switch 2 VRID 2 VIP: 205.178.13.226 Virtual Rtr. MAC address: 00-00-5E-00-01-02 Virtual Router 2 Backup-Active VRID 4 VIP: 205.178.13.240 Virtual Rtr. MAC address: 00-00-5E-00-01-04 Master-Active VR 2 VRID 4 VIP: 205.178.13.240 Virtual Rtr. MAC address: 00-00-5E-00-01-04 Virtual Router 3 Master-Active VRID 6 VIP: 205.178.13.110 Virtual Rtr. MAC address: 00-00-5E-00-01-06 Backup-Active VR 3 VRID 6 VIP: 205.178.13.110 Virtual Rtr. MAC address: 00-00-5E-00-01-06
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
When sharing is used, incoming packets are processed by the switch on which they enter the virtual router. The ingress switch is determined by external factors, such as routing and Spanning Tree conguration. Sharing cannot be used in congurations where incoming packets have more than one entry point into the virtual routerfor example, where a hub is used to connect the switches. When sharing is enabled, the master election process still occurs. Although the process does not affect which switch processes packets that must be routed or that are destined for the virtual server IP address, it does determine which switch sends advertisements and responds to ARP requests sent to the virtual routers IP address. Nortel strongly recommends that sharing, rather than active-standby congurations, be used whenever possible. Sharing offers both better performance and fewer service interruptions in the face of fault conditions than active-standby congurations. See "Active-Active Redundancy" (page 529) for a conguration example.
Each switch is congured with vrgroup 1 for customer A, and vrgroup 2 for Customer B. Because each vrgroup is tracked independently of the other, vrgroup 1 can failover to its equivalent vrgroup 1 on the other switch while not affecting the VRRP state of vrgroup 2.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Characteristics of Service-Based Virtual Router Groups (vrgroups) The following are characteristics of Virtual Router Groups: Switch-based VRRP groups must be disabled (/cfg/l3/vrrp/group dis) Up to 16 vrgroups can be congured on a single application switch. Each vrgroup can contain up to 64 virtual routers assigned with a virtual router number from 1-1024. Each virtual router can be congured as a virtual interface router or a virtual service router. Virtual routers that become members of a vrgroup, assume the priority tracking parameters congured for that vrgroup. When one member of a Master vrgroup fails, the priority of the vrgroup decreases, and all the members of that vrgroup change from Master to Backup. This is accomplished by conguring tracking on the service-based virtual router group.
To add virtual routers to a service-based virtual router group use the scenario as an example:
>> Main# /cfg/l3/vrrp/vrgroup 1 >> VRRP Virtual Router Vrgroup 1# add 1 >> VRRP Virtual Router Vrgroup 1# add 2 (Select vrgroup 1) (Add virtual router 1 to vrgroup 1) (Add virtual router 2 to vrgroup 1)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Main# /cfg/l3/vrrp/vrgroup 2 >> VRRP Virtual Router Vrgroup 2# add 3 >> VRRP Virtual Router Vrgroup 2# add 4
(Select vrgroup 2) (Add virtual router 3 to vrgroup 2) (Add virtual router 4 to vrgroup 2)
See "Tracking Service-Based Virtual Router Groups" (page 520) for a conguration example.
When enabled, all virtual routers behave as one entity, and all group settings override any individual virtual router settings or service-based vrgroup settings. All individual virtual routers, once the switch-based VRRP group is enabled, assume the groups tracking and priority. When one member of a switch-based VRRP group fails, the priority of the group decreases, and the state of the entire switch changes from Master to Backup. If a switch is in the backup state, Layer 4 processing is still enabled. If a virtual server is not a virtual router, the backup switch can still process trafc addressed to that virtual server IP address. Filtering is also still functional. Only trafc addressed to virtual server routers is not processed. Each VRRP advertisement can include up to 1024 addresses. All virtual routers are advertised within the same packet, conserving processing and buffering resources. Note: The switch-based virtual router group cannot be used for active-active congurations or any other conguration that requires shared interfaces.
Command The switch-based VRRP group is congured by using the following command:
>> Main# /cfg/l3/vrrp/group ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: For more information on using switch-based VRRP groups with hot-standby, see "Hot-Standby Conguration" (page 541).
To change the virtual router increm ent: /cfg/l3/vrrp/track/vrs Note: The vrs parameter is not available <[0-254]> for tracking for a service based virtual router group (vrgroup). Helps elect the virtual routers with the most available routes as the master. (An IP interface is considered active when there is at least one active port on the same VLAN.) This parameter influences the VRRP routers priority in both virtual interface routers and virtual server routers.
To enable tracking on IP interfaces: /cfg/l3/vrrp/vr /track/ifs <#> /ena To change the interfaces tracking increment: /cfg/l3/vrrp/trac k/ifs <[0-254]>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Description Helps elect the virtual routers with the most available ports as the master. This parameter influences the VRRP routers priority in both virtual interface routers and virtual server routers.
To enable tracking on ports on the same VLAN: /cfg/l3/vrrp/vr /track/port <#> /ena To change the ports tracking increment: /cfg/l3/vrrp/trac k/ports <[0-254]>
Number of physical switch ports that Helps elect the main Layer 4 switch as have active Layer 4 processing on the master. This parameter influences the switch. the VRRP routers priority in both virtual interface routers and virtual server routers. To enable tracking on Layer 4 ports: /cfg/l3/vrrp/vr/track /l4pts/ena To change the Layer 4 ports tracking increment: /cfg/l3/vrrp/track/l4pts <[0-254]> Helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This parameter influences the VRRP routers priority in virtual server routers only.
Number of healthy real servers behind the virtual server IP address that is the same as the IP address of the virtual server router on the switch. /cfg/l3/vrrp/track/reals In networks where the Hot Standby Router Protocol (HSRP) is used for establishing router failover, the number of Layer 4 client-only ports that receive HSRP advertisements. /cfg/l3/vrrp/track/hsrp Tracking HSRP on VLAN. /cfg/l3/vrrp/track/hsrv
Helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This parameter influences the VRRP routers priority in both virtual interface routers and virtual server routers.
Hot Standby Router on VLAN (HSRV) is used in VLAN-tagged environments. Enable this option to increment only that VRRP instance that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Each tracked parameter is associated with a user-congurable weight. As the count associated with each tracked item increases (or decreases), so does the VRRP routers priority, subject to the weighting associated with each tracked item. If the priority level of a backup is greater than that of the current master, then the backup can assume the role of the master. See "Tracking Virtual Routers" (page 548) for an example on how to congure the switch for tracking VRRP priority.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The Link-local Unicast address is an address used to communicate with neighbors on the same link. The source address of an IPv6 VRRP packet is set to the IPv6 Link-local address of the transmission interface.
Multicast address The IPv6 Multicast address is an identier for a group interface. IPv6 VRRP support has an IPv6 link-local scope multicast address assigned by IANA. This multicast address follows the format FF02:0:0:0:0:0:XXXX:XXXX. The destination address of the IPv6 packet is set to this link-local scope multicast address. Routers must not forward a datagram with this destination address regardless of its Hop Limit setting. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
enables a router to advertise its presence and address prex to inform hosts of a better next hop address to forward packets.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Main# /info/l3/vrrp VRRP information: 9: vrid 9, 2005:0:0:0:0:0:10:9 if 9, renter, prio 101, master 10: vrid 10, 10.10.10.50, if 1, renter, prio 101, master 20: vrid 20, 2005:0:0:0:0:0:20:20 if 20, renter, prio 105, master, server
The command /stat/l3/vrrp6 displays statistical information about the current IPv6 VRRP conguration. The output for this command is illustrated below.
>> Main# /stat/l3/vrrp6 -----------------------------------------------------------VRRP6 statistics: vrrp6InAdvers: 7 vrrp6BadAdvers: 0 vrrp6OutAdvers: 86801 vrrp6BadVersion: 0 vrrp6BadVrid: 0 vrrp6BadAddress: 0 vrrp6BadData: 0 vrrp6BadInterval: 0
Nortel Application Switch Operating System high availability congurations are based on VRRP. TheNortel Application Switch Operating System implementation of VRRP includes proprietary extensions to accommodate Layer 4 though Layer 7 application switching features. The Nortel Application Switch Operating System implementation of VRRP supports three modes of high availability: Active-Standby Active-Active Hot-Standby
The rst mode, active-standby, is based on standard VRRP, as dened in RFC 2338. The second and third modes, active-active and hot-standby, are based on proprietary Nortel Application Switch Operating System extensions to VRRP. Each mode is described in detail in the following sections.
Active-Standby Redundancy
In an active-standby conguration, shown in "Active-Standby VRRP Routers" (page 525), two application switches are used. Both switches support active trafc but are congured so that they do not simultaneously support the same service. Each switch is active for its own set of services, such as IP routing interfaces or load-balancing virtual server IP addresses, and acts as a standby for other services on the other switch. If either switch fails, the remaining switch takes over processing for all services. The backup switch may forward Layer 2 and Layer 3 trafc, as appropriate. Note: In an active-standby conguration, the same service cannot be active simultaneously on both switches.
Active-Standby VRRP Routers
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
In the example shown in "Active-Standby VRRP Routers" (page 525), Application Switch 1 is the master for the virtual interface router with VRID = 1, and its backup for the virtual interface router with VRID = 2. Application Switch 2 is master for the virtual interface router with VRID = 2 and backup for the virtual interface router with VRID = 1. In this manner, both routers can actively forward trafc at the same time but not for the same interface.
Active-Standby Conguration VRID = 1 Application Switch 1 Router #1 = Master Active VR IP address = 205.178.13.226 MAC address = 00.00.5E.00.01.01 Priority = 255 IP interface = 205.178.13.226 Router #2 = Backup Standby VR IP address = 205.178.13.226 MAC address = 00.00.5E.00.01.01 Priority = 100 IP interface = 205.178.13.225 VRID = 2 Router #1 = Backup Standby VR IP address = 205.178.13.240 MAC address = 00.00.5E.00.01.02 Priority = 100 IP interface = 205.178.13.239 Router #1 = Master Active VR IP address = 205.178.13.240 MAC address = 00.00.5E.00.01.02 Priority = 255 IP interface = 205.178.13.240
Application Switch 2
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Although this example shows only two switches, there is no limit on the number of switches that can be used in a redundant conguration. It is possible to implement an active-standby conguration across all the VRRP-capable switches in a LAN. Each VRRP-capable switch in an active-standby conguration is autonomous. Switches in a virtual router need not be identically congured. To implement the active-standby example, perform the following switch conguration: Step 1 Action Congure the appropriate Layer 2 and Layer 3 parameters on both switches. This includes any required VLANs, IP interfaces, default gateways, and so on. If IP interfaces are congured, none of them should use the virtual server IP address described in Step 3. 2 Dene all lters required for your network conguration. Filters may be congured on one switch and synchronized with settings on the other switch (see Step 5 below). 3 Congure all required SLB parameters on application switch 1. For the purposes of this example, assume that application switch 1 in "Non-Shared Active-Standby High Availability Conguration" (page 527) is congured in this step. Required Layer 4 parameters include a VIP = 205.178.13.226 and one real server group with four real servers, RIP = 10.10.10.101, RIP = 10.10.10.102, RIP = 10.10.10.103, and RIP = 10.10.10.104. 4 Congure the VRRP parameters on application switch 1.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
This conguration includes VRID = 2, VIP = 205.178.13.226 and the priority. Enable tracking on the virtual router, and set the parameters appropriately (refer to "Tracking Virtual Routers" (page 548)). Make sure to disable sharing. 5 Synchronize the SLB and VRRP congurations by synchronizing the conguration from application switch 1 to application switch 2. Use the /oper/slb/sync command (see "Conguring VRRP Peers for Synchronization" (page 578)). 6 Change the real servers in the application switch 2 conguration to RIP = 10.10.11.101, RIP = 10.10.11.102, RIP =10.10.11.103, and RIP = 10.10.11.104. Adjust application switch 2s priority (see "Tracking Virtual Routers" (page 548)). In this example, with application switch 1 as the master, if a link between application switch 1 and a server fails, the server will fail health checks and be taken out of the load-balancing algorithm. If tracking is enabled and is congured to take into account the number of healthy real servers for the Virtual Routers VIP address, application switch 1s priority will be reduced. If it is reduced to a value lower than application switch 2s priority, then application switch 2 will assume the role of master. In this case, all active connections serviced by application switch 1s virtual server IP address are severed. If the link between application switch 1 and its Internet router fails, the protocol used to distribute trafc between the routers, for example, Open Shortest Path First (OSPF), will reroute trafc to the other router. application switch 2 (backup) will act as a Layer 2/3 switch and forward all trafc destined to the virtual server IP address to application switch 1. If the entire application switch 1 (master) fails, the protocol used to distribute trafc between the routers, such as OSPF, will reroute trafc to application switch 2. Application switch 2 (backup) detects that the master has failed because it will stop receiving advertisements. The backup then assumes the masters responsibility of responding to ARP requests and issuing advertisements. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Active-Active Redundancy
Nortel Application Switch Operating System has extended VRRP to include virtual servers, allowing full active/active redundancy between its Layer 4 switches. In an active-active conguration, shown in "Active-Active High Availability Conguration" (page 529), both switches can process trafc for the same service at the same time. Both switches share interfaces at Layer 3 and Layer 4, meaning that both switches can be active simultaneously for a given IP routing interface or load-balancing virtual server (VIP).
Although this example shows only two switches, there is no limit on the number of switches used in a high availability conguration. It is possible to implement an active-active conguration and perform load sharing between all of the VRRP-capable switches in a LAN. In this conguration, when both switches are healthy, the load balanced packets are sent to the virtual server IP address, resulting in higher capacity and performance than when the switches are used in an active-standby conguration. The switch on which a frame enters the virtual server router is the one that processes that frame. The ingress switch is determined by external factors, such as routing and STP settings. Note: Each VRRP-capable switch is autonomous. There is no requirement that the switches in a virtual router be identically congured. Different switch models with different numbers of ports and different enabled services may be used in a virtual router.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
To implement this example, congure the switches as follows: Step 1 Action Congure the appropriate Layer 2 and Layer 3 parameters on both switches. This conguration includes any required VLANs, IP interfaces, default gateways, and so on. If IP interfaces are congured, none of them should use the VIP address described in Step 3. 2 Dene all lters required for your network conguration. Filters may be congured on one switch and synchronized with the settings on the other switch (see Step 6, below). 3 Congure all required SLB parameters on one of the switches. For the purposes of this example, assume that application switch 1 (see "Active-Active High Availability Conguration" (page 529)) is congured in this step. Congure a VIP = 205.178.13.226 and one real server group with two real servers: RIP = 10.10.10.103 should be congured as a backup server to RIP = 10.10.10.101. RIP = 10.10.10.104 should be congured as a backup server to RIP = 10.10.10.102. Note: In this conguration, each servers backup is attached to the other switch. This ensures that operation will continue if all of the servers attached to a switch fail. 4 Congure the VRRP parameters on the switch. Congure VRID = 2, VIP address = 205.178.13.226, and priority. Be sure to enable sharing. 5 Disable synchronization of VRRP priority to switch 2. Use the /cfg/slb/synch/prios dis command. This will leave switch 2 with its default priority of 100. 6 Synchronize the SLB and VRRP congurations by pushing the conguration from application switch 1 to application switch 2. Use the /oper/slb/sync command. 7 Reverse the roles of the real servers and their backups in application switch 2s conguration. RIP = 10.10.10.101 should be congured as a backup server to RIP = 10.10.10.103.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
RIP = 10.10.10.102 should be congured as a backup server to RIP = 10.10.10.104. In this conguration, if a link between a switch and a server fails, the server will fail health checks and its backup (attached to the other switch) will be brought online. If a link between a switch and its Internet router fails, the protocol used to distribute trafc between the routers (for example, OSPF) will reroute trafc to the other router. Since all trafc now enters the virtual server router on one switch, that switch will process all incoming connections. If an entire master switch fails, the backup will detect this failure because it will stop receiving advertisements. The backup will assume the masters responsibility of responding to ARP requests and issuing advertisements. Be cautious before setting the maximum connections (maxconn) metric in this conguration. The maxcon number is not shared between switches. Therefore, if a server is used for normal operation by one switch and is activated simultaneously as a backup by the other switch, the total number of possible connections to that server will be the sum of the maximum connection limits dened for it on both switches. End
The switch will need an IP interface for each subnet to which it will be connected so it can communicate with devices attached to it. Each interface will need to be placed in the appropriate VLAN. In our example, Interfaces 1, 2, 3, and 4 will be in VLAN 2 and Interface 5 will be in VLAN 3. Note: On Nortel Application Switches, you may congure more than one subnet per VLAN. To congure the IP interfaces for this example, enter the following commands from the CLI:
>> Main# /cfg/l3/if 1 >> IP Interface 1 # addr 10.10.10.10 >> IP Interface 1 # vlan 2 >> IP Interface 1 # ena (Select IP interface 1) (Assign IP address for the interface) (Assign VLAN for the interface) (Enable IP interface 1)
Repeat the commands for each interface listed below: 2 IF 220.10.10.10 IF 330.10.10.10 IF 440.10.10.10 IF 5200.1.1.10
Dene the VLANs. In this conguration, set up two VLANs: One for the outside world (the ports connected to the upstream switches, toward the routers) and one for the inside (the ports connected to the downstream switches, toward the servers).
>> Main# /cfg/l2/vlan <VLAN number> >> vlan 3 # add <port number> >> vlan 3 # ena (Select VLAN 3) (Add a port to the VLAN membership) (Enable VLAN 3)
Repeat this command for the second VLAN. VLAN 3 - IF 5physical ports connected to upstream switches. VLAN 2 - IFs 1,2,3,4physical ports connected to downstream switches.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Enable IP forwarding. IP forwarding is enabled by default. Make sure IP forwarding is enabled if the virtual server IP addresses and real server IP addresses are on different subnets, or if the switch is connected to different subnets and those subnets need to communicate through the switch. If you are in doubt as to whether or not to enable IP forwarding, enable it. In this example, the virtual server IP addresses and real server IP addresses are on different subnets, so enable this feature using the following command:
>> Main# /cfg/l3/frwd/on (Enable IP forwarding)
End
Task 2: SLB Conguration Step 1 Action Dene the Real Servers. The real server IP addresses are dened and put into four groups, depending on the service they are running. Notice that RIPs 7 and 8 are on routable subnets in order to support passive FTP. For each real server, you must assign a real server number, specify its actual IP address, and enable the real server. For example:
>> Main# /cfg/slb/real 1 >> Real server 1 # rip 10.10.10.5 >> Real server 1 # ena (Server A is real server 1) (Assign Server A IP address) (Enable real server 1)
Repeat this sequence of commands for the following real servers: RIP 210.10.10.6/24
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
RIP 320.10.10.5/24 RIP 420.10.10.6/24 RIP 530.10.10.5/24 RIP 630.10.10.6/24 RIP 7200.1.1.5/24 RIP 8200.1.1.6/24
Dene the real server groups, adding the appropriate real servers. This combines the three real servers into one service group:
>> Real server 8 # /cfg/slb/gr oup 1 >> Real server group 1# add 1 >> Real server group 1# add 2 (Select real server group 1) (Add real server 1 to group 1) (Add real server 2 to group 1)
Repeat this sequence of commands for the following real server groups: 3 Group 2Add RIP 3 and 4 Group 3Add RIP 5 and 6 Group 4Add RIP 7 and 8
Dene the virtual servers. After dening the virtual server IP addresses and associating them with a real server group number, you must tell the switch which IP ports/services/sockets you want to load balance on each VIP. You can specify the service by either the port number, service name, or socket number.
>> Real server group 4 # /cfg/slb/virt 1 >> Virtual server 1 # vip 200.200.200.100 >> Virtual Server 1 # service 80 >> Virtual server 1 http Service # group 1 >> Virtual server 1 # ena (Select virtual server 1) (Assign a virtual server IP address) (Assign HTTP service port 80) (Associate virtual port to real group) (Enable the virtual server)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Repeat this sequence of commands for the following virtual servers: VIP 2200.200.200.101 will load balance HTTPS (Port 443) to Group 2 VIP 3200.200.200.102 will load balance POP/SMTP (Ports 110/25) to Group 3 VIP 4200.200.200.104 will load balance FTP (Ports 20/21) to Group 4
Dene the client and server port states. Dening a client port state tells that port to watch for any frames destined for the VIP and to load balance them if they are destined for a load-balanced service. Dening a server port state tells the port to the do the remapping (NAT) of the real server IP address back to the virtual server IP address. Note the following: The ports connected to the upstream switches (the ones connected to the routers) will need to be in the client port state. The ports connected to the downstream switches (the ones providing fan out for the servers) will need to be in the server port state.
End
Task 3: Virtual Router Redundancy Conguration Step 1 Action Congure virtual routers 2, 4, 6, and 8.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
These virtual routers will have the same IP addresses as the virtual server IP address. This is what tells the switch that these are virtual service routers (VSRs). In this example, Layer 3 bindings are left in their default conguration, which is disabled. Congure a virtual router using the following sequence of commands:
>> Virtual server 4 # /cfg/l3/vrrp/vr 2 >> Virtual router 2 # vrid 2 >> Virtual router 2 # addr 200.200.200.100 >> Virtual router 2 # if 5 >> Virtual router 2 # ena (Select virtual router 2) (Set virtual router ID) (Assign virtual router IP address) (Assign virtual router interface) (Enable virtual router 2)
Repeat this sequence of commands for the following virtual routers: VR 4 - VRID 4 - IF 5 (associate with IP interface #5)Address 200.200.200.101 VR 6 - VRID 6 - IF 5 (associate with IP interface #5)Address 200.200.200.103 VR 8 - VRID 8 - IF 5 (associate with IP interface #5)Address 200.200.200.104
Congure virtual routers 1, 3, 5, and 7. These virtual routers will act as the default gateways for the servers on each respective subnet. Because these virtual routers are survivable next hop/default gateways, they are called virtual interface routers (VIRs). Congure each virtual router listed below, using the sequence of commands in Step 1. VR 1 - VRID 1 - IF 1 (associate with IP interface 1)Address 10.10.10.1 VR 3 - VRID 3 - IF 2 (associate with IP interface 2)Address 20.10.10.1 VR 5 - VRID 5 - IF 3 (associate with IP interface 3)Address 30.10.10.1 VR 7 - VRID 7 - IF 4 (associate with IP interface 4)Address 40.10.10.1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Since you want Switch 1 to be the master router, you need to bump the default virtual router priorities (which are 100 to 101 on virtual routers 1-4) to force switch 1 to be the master for these virtual routers. Use the following sequence of commands:
>> Virtual server 4 # /cfg/l3/vrrp/vr 1 >> Virtual router 1 # prio 101 (Select virtual router 1) (Set virtual router priority)
Apply this sequence of commands to the following virtual routers, assigning each a priority of 101: 4 VR 2Priority 101 VR 3Priority 101 VR 4Priority 101
Congure priority tracking parameters for each virtual router. For this example, the best parameter to track is Layer 4 ports (l4pts). Use the following command:
>> Virtual server 4# /cfg/l3/vrrp/vr 1/track l4pts
This command sets the priority tracking parameter for virtual router 1, electing the virtual router with the most available ports as the master router. Repeat this command for the following virtual routers: n VR 2 - Track l4ptsVR 6 - Track l4pts n VR 3 - Track l4ptsVR 7 - Track l4pts n VR 4 - Track l4ptsVR 8 - Track l4pts
Task 4: Conguring Switch 2 Use the following procedure to congure Switch 2: Step 1 Action Dump the conguration script (text dump) of Switch 1 using either of the following tools:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The Browser Based Interface (BBI) You need a serial cable that is a DB-9 Male to DB-9 Female, straight-through (not a null modem) cable. Connect the cable from a COM port on your computer to the console port on switch 1. Open HyperTerminal (or the terminal program of your choice) and connect to the switch using the following parameters: Baud: 9600, Data Bits: 8, Parity: None, Stop Bits:1, Flow Control: None.
HyperTerminal Only the Baud Rate and Flow Control options need to be changed from the default settings. Once you connect to the switch, start logging your session in HyperTerminal (transfer/capture text). Save the le as "Customer Name" Switch 1, then type the following command in the switch command line interface:
/cfg/dump
A script will be dumped out. Stop logging your session (transfer/capture text/stop). 2 Modify the script created in Step 1 as follows: Open the text le that was created and change the following: Delete anything above Script Start. Delete the two lines directly below Script Start. These two lines identify the switch from which the dump was taken and the date and time. If these two lines are left in, it will confuse Application Switch 2 when you dump in the le. Change the last octet in all the IP interfaces from .10 to .11. Find this line in the le:
/cfg/l3/if 1/addr 10.10.10.10
Simply delete the 0 and put in a 1. Be sure to do this for all the IP interfaces or duplicate IP addresses will be present in the network. Change the virtual router priorities. Virtual routers 14 need to have their priority set to 100 from 101, and virtual routers 5-7 need to have their priorities set to 101 from 100. You can nd this in the line /cfg/l3/vrrp/vr 1/vrid 1/if 1/prio 101.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Scroll to the bottom of the text le and delete anything past Script End. Save the changes to the text le as <Customer Name> Switch 2. 3 Move your serial cable to the console port on the second switch. Any conguration on it needs to be deleted by resetting it to factory settings, using the following command:
>> Main# /boot/conf factory/reset
You can tell if the switch is at factory default when you log on because the switch will prompt you if you want to use the step-by-step conguration process. When it does, respond: No. Note: After completing the setup you cannot proceed further without conguring the ports. To congure ports enter y or enter n to ignore. 4 In HyperTerminal, go to transfer/send text le and send the Switch 2 text le created in Step 2. The conguration will dump into the switch. Simply type apply , then save. When you can type characters in the terminal session again, reboot the switch ( /boot/reset ). End
Hot-Standby Redundancy
In a hot-standby conguration, Spanning Tree Protocol (STP) is not needed to eliminate bridge loops. This speeds up failover when a switch fails. The standby switch blocks all ports congured as standby ports, whereas the master switch enables these same ports. Consequently, on a given switch, all virtual routers are either master or backup; they cannot change state individually. In a hot-standby conguration, two or more switches provide redundancy for each other. One switch is elected master and actively processes Layer 4 trafc. The other switches (the backups) assume the master role should the master fail. The backups may forward Layer 2 and Layer 3 trafc as appropriate.
When enabled, the switch-centric virtual router group (/cfg/l3/vrrp/group) aggregates all virtual routers on the switch as a single entity. All virtual routers will failover as a group, and cannot failover individually. As members of a group, all virtual routers on the switch (and therefore the switch itself), will be in either a master or backup state. Enable the switch-based virtual router group using the following command:
>> Main# /cfg/l3/vrrp/group ena
Note: All ports with hot standby enabled must be connected to another device. Links that are used by VRRP to deliver updates are congured as intersw, or Inter-switch links (not to be confused with Ciscos ISL). The command to congure one or more ports as interswitch links is:
>> Main# /cfg/slb/port <port number> /intersw
Note: A port cannot be congured to support both hot-standby and interswitch link. The hot-standby switch listens to the masters VRRP updates. After an interval period has expired without receiving a update, the backup switch will take over. The forwarding states of hot-standby ports are controlled
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
much like the forwarding states of the old hot-standby approach. Enabling hot-standby on a switch port allows the hot-standby algorithm to control the forwarding state of the port. If a switch is master, the forwarding states of the hot-standby ports are enabled. If a switch is backup, the hot-standby ports are blocked from forwarding or receiving trafc. When the hotstan option (/cfg/slb/port x/hotstan) is enabled and all hot-standby ports have link, the virtual router groups priority is automatically incremented by the track other virtual routers value. This action allows the switches to failover when a hot-standby port loses link. Other enabled tracking features only have effect when all hot-standby ports on a switch have link. The default virtual routers tracking value is two seconds. Keep in mind that this is an automatic process that cannot be turned off. Note: The VRRP hot-standby approach does not support single-link failover. If one hot-standby port loses link, the entire switch must become master to eliminate loss of connectivity. The forwarding states of non-hot-standby ports are not controlled via the hot-standby algorithm, allowing the additional ports on the switches to provide added port density. The client ports on both switches should be able to process or forward trafc to the master switch. The inter-switch port state is only a place holder. Its presence forces the user to congure an inter-switch link when hot-standby is globally enabled and prohibits the inter-switch link from also being a hot-standby link for VRRP advertisements. These advertisements must be able to reach the backup switch.
Hot-Standby Conguration
A hot-standby conguration allows all processes to failover to a backup switch if any type of failure should occur. The primary application for hot-standby redundancy is to avoid bridging loops when using the Spanning Tree Protocol (STP), IEEE 802.1d. VRRP-based hot-standby supports the default Spanning Tree only. It does not support multiple Spanning Trees. "Hot-Standby Conguration" (page 542) shows a classic network topology, designed with redundancy in mind. This topology contains bridging loops that would require the use of STP. In the typical network, STP failover time is 45-50 seconds, much longer than the typical failover rate using VRRP only. Note: To use hot-standby redundancy, peer switches must have an equal number of ports.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The key to hot-standby is that the interswitch link (the link between switches), does not participate in STP, so there are no loops in the topology (see"Hot-Standby Conguration" (page 542)). User has to disable STP globally to use VRRR Hot-Standby Scenario. The switch will have failover times similar to what would be the case with VRRP. Note: While the port usage in this example assumes use of a Nortel Application Switch 2424, you may adapt this example according the ports available on your particular Nortel Application Switch model. Task 1: Congure Layer 2 and Layer 3 Parameters on Switch 1 example assumes you have already congured SLB parameters. This
Perform the following procedure to congure Layer 2 and 3 parameters on Switch 1: Step 1 Action On Switch 1, congure the external ports into their respective VLANs as shown in "Hot-Standby Conguration" (page 542) .
>> Main# /cfg/l2/vlan 1 >> VLAN 1# ena >> VLAN 1# name servers >> VLAN 1# /cfg/l2/vlan 192 >> VLAN 192# ena >> VLAN 192# name clients >> VLAN 192# def 25 26 (Name VLAN 1 for server traffic) (VLAN 192 is for client traffic) (Enable the VLAN) (Name VLAN 192 for client traffic) (Add the ports 25, 26 to client VLAN)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> VLAN 192# /cfg/l2/vlan 172 >> VLAN 172# ena >> VLAN 172# name ISL >> VLAN 172# def 3
(VLAN 172 is for the Interswitch Link) (Enable the VLAN) (Name VLAN 172 for ISL) (Add port 3 to ISL VLAN)
>> IP Interface 1# addr 10.0.1.251 >> IP Interface 1# mask 255.255.255.0 >> IP Interface 1# broad 10.0.1.255 >> IP Interface 1# /cfg/l3/if 2 (IP Interface 2: Client traffic)
>> IP Interface 2# ena >> IP Interface 2# addr 192.168.1.251 >> IP Interface 2# vlan 192 >> IP Interface 2# /cfg/l3/if 3 (IP Interface 3: Interswitch Link)
>> IP Interface 3# ena >> IP Interface 3# addr 172.16.2.251 >> IP Interface 3# vlan 172
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Task 2:Congure Virtual Router Redundancy Perform the following tasks to congure Virtual Router redundancy: Step 1 Action Congure virtual routers for the server, client, and Interswitch Link trafc.
>> Main# /cfg/l3/vrrp/vr 1 >> >> >> >> VRRP VRRP VRRP VRRP Virtual Virtual Virtual Virtual Router Router Router Router 1# 1# 1# 1# (Virtual router for server) ena vrid 1 if 1 addr 10.0.1.250 (Virtual router for client) ena vrid 2 if 2 addr 192.168.1.250 (Virtual router for Interswitch Link)
>> Main #/cfg/l3/vrrp/vr 2 >> >> >> >> VRRP VRRP VRRP VRRP Virtual Virtual Virtual Virtual Router Router Router Router 2# 2# 2# 2#
>> Main # /cfg/l3/vrrp/vr 3 >> >> >> >> VRRP VRRP VRRP VRRP Virtual Virtual Virtual Virtual Router Router Router Router 3# 3# 3# 3#
From the VRRP menu, enable VRRP group mode and hot-standby on all connected ports except the interswitch link.
>> Main # /cfg/l3/vrrp/on (Enable VRRP)
>> Virtual Router Redundancy Protocol# hotstan ena (Enable hot-standby) >> Virtual Router Redundancy Protocol# group ena (Enable VR group) >> VRRP Virtual Router Group# apply >> VRRP Virtual Router Group# save (Make your changes active) (Save for restore after reboot)
Set VRRP tracking for the ports. If a link on any of the connected ports goes down, the switch will decrease in VRRP priority and the backup switch will take over as the master.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Main # /cfg/l3/vrrp >> VRRP Virtual Router Group# vrid 254 >> VRRP Virtual Router Group# prio 101 (Set priority at 101 for Master switch)
Setup the peer switch to receive synchronization. Make sure to disable synchronization of VRRP priorities; the peer switch will assume its own priority based on the VRRP election process and should not acquire the VRRP priority from the Master switchs conguration. If you will be conguring real servers for VRRP hotstandby, make sure to enable synchronization of real server conguration as well.
>> Main # /cfg/slb/sync/prios d >> Config Synchronization# peer 1/ena >> Peer Switch 1# addr 172.16.2.252 (Do not synchronize VRRP priorities to the peer switch) (Enable the synch. peer switch) (Set IP address of switch 1)
From the SLB menu, enable a hot-standby link on the Layer 4 ports; then enable interswitch link on the crosslink.
>> >> >> >> Main # /cfg/slb/port 2 SLB port 2# hotstan ena SLB port 2# /cfg/slb/port 3 SLB port 3# intersw ena
End
Task 3: Prepare a Conguration Script for Switch 2 Use the following procedure to dump the conguration script (text dump) from Switch 1. This conguration will be modied and loaded onto Switch 2.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
A script will be dumped out. 2 Copy and paste the entire contents of the script to a text le. The rst and last lines of the le should show the following:
script start "Nortel Application Switch 2424" 4 /**** DO NOT EDIT THIS LINE! (File must begin with this line)
/* Configuration dump taken 1:52:02 Fri Feb 6, 2004 /* Version 0.0.0, Base MAC address 00:0e:40:32:7c:00 : : script end /**** DO NOT EDIT THIS LINE! >> Configuration#
Edit the text le that you just created as follows: Change all the IP interface addresses for switch 2; otherwise, you will have duplicate IP addresses in the network. In this example, change the last octet in all the IP interfaces from .251 to .252.
(Example from configuration script) /c/l3/if 1 addr 10.0.1.252
Change the synchronization peer switch to use the IP address of Switch 1. In this example, change the last octet from .252 (denoting switch 2), to .251 (switch 1).
(Example from configuration script) /c/slb/sync/peer 1 ena addr 172.16.2.251
Change the virtual router priority from 100 to 101this will indicate that switch 2 is the backup for now.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
4 5
Save the changes to the text le as <CustomerName>_backup_cong and load it onto a TFTP server. Begin a Telnet session for the second switch. Delete any existing conguration on it by resetting it to factory settings, using the following command:
>> Main # /boot/conf factory/reset
Conrmation message appears. Enter y to save changes and restart enter n to ignore changes and cancel restart. You can tell if the switch is at factory default when you log on, because the switch will prompt you if you want to use the step-by-step conguration process. When it does, respond: No. 6 From the CLI, download the conguration script into the switch from the TFTP server using the following command:
>> Main # /cfg/gtcfg <tftp-server-addr> <cfg-filename>
End
Task 4: Synchronize Layer 4 Parameters form Switch 1 to Switch 2 Synchronize Layer 4 parameters from Switch 1 to 2 using the following procedure: Step 1 Action On Switch 1, synchronize the VRRP, SLB, real server, and lter settings to the other switch (same ports). Switches peering with each other should have an equal number of ports.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Main# /oper/slb/sync NOTE: Use the "/c/slb/sync" menu to configure omitting sections of the configuration. Synchronizing VRRP, FILT, PORT, REAL and SLB configuration to 172.16.2.252 Confirm synchronizing the configuration to 172.16.2.252 [y/n]:y
The user can implement this behavior by conguring the switch for tracking as follows: Step 1 2 Action Set the priority for application switch 1 to the default value of 100. Set the priority for application switch 2 to 96.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
On both switches, enable tracking based on the number of virtual routers in master mode on the switch and set the value = 5. On both switches, enable tracking based on the number of healthy real servers behind the VIP address. The VIP address is the same as the IP address of the virtual server router on the switch. Set the value = 6. Initially, application switch 1 ("Non-Shared Active-Standby High Availability Conguration" (page 527)) will have a priority of 100 (base value) + 5 (initially it is the master) + 24 (4 active real servers * 6 per real server) = 129. Application Switch 2 will have a priority of 96 (base value) + 24 (4 active real servers * 6 per real server) = 120. If a server attached to application switch 1 fails, then application switch 1s priority will be reduced by 6 to 123. Since 123 is greater than 120 (application switch 2s priority), application switch 1 will remain the master. If a second server attached to application switch 1 fails, then application switch 1s priority will be reduced by 6 more to 117. Since 117 is less than 120 (application switch 2s priority), then application switch 2 will become the Master. At this point, application switch 1s priority will fall by 5 more and application switch 2s will rise by 5 because the switches are tracking how many masters they are running. So, application switch 1s priority will settle out at 112 and application switch 2s priority at 125. When both servers are restored to application switch 1, that switchs priority will rise by 12 (2 healthy real servers * 6 per healthy server) to 124. Since 124 is less than 125, application switch 2 will remain the master. If, at this point, a server fails on application switch 2, its priority will fall by 6 to 119. Since 119 is less than 124, application switch 1 will become the Master. Its priority will settle out at 129 (since its now the master) while application switch 2s priority will drop by 5 more to 114. You can see from this example that the users goals were met by the congured tracking parameters. Note: There is no shortcut to setting tracking parameters. The goals must rst be set and the outcomes of various congurations and scenarios analyzed to nd settings that meet the goals. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Virtual router 1 on the master forwards the packets sent to the IP addresses associated with the virtual router and answers ARP requests for these IP addresses. The virtual router backup assumes forwarding responsibility for a virtual router should the current master fail. Virtual routers 1 and 2 are members of vrgroup 1 and virtual routers 3 and 4 are members of vrgroup 2.
Service-based Virtual Router Groups - Active-Standby Conguration
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Conguration Example
In this example, if the interface or link to the real server fails for the vrgroup 1 on Application Switch 1, then all the VRs in vrgroup 1 change to the backup state. At the same time, all VRs in vrgroup 1 on Application Switch 2 change to the master state. Meanwhile, the VRs in vrgroup 2 continue to operate via Application switch 1. The separate real server groups provide segregation of services for each customer., so neither customers trafc interferes with the others. To implement the active-standby example with tracking of service-based virtual router groups, perform the following switch conguration. Step 1 Action Dene the IP interfaces. The switch will need an IP interface for each subnet to which it will be connected so it can communicate with devices attached to it. To congure the IP interfaces for this example, enter the following commands from the CLI:
>> Main# /cfg/l3/if 1 >> IP Interface 1 # addr 200.200.200.1 >> IP Interface 1 # ena (Select IP interface 1) (Assign IP address for the interface) (Enable IP interface 1)
Repeat the commands for the following interfaces: 2 IF 2: 205.178.13.2 IF 3: 200.200.200.3 IF 4: 205.178.13.4
Dene all lters required for your network conguration. Filters may be congured on one switch and synchronized with settings on the other switch.
Congure all required SLB parameters on application switch 1. Required Layer 4 parameters include 2 virtual server IP addresses, two groups and four real servers.
>> Main# /cfg/slb/real 1/ >> >> >> >> Real Real Real Real server server server server 1# 1# 2# 3# (Configure real servers)
rip 10.10.10.101 /cfg/slb/real 2/rip 10.10.10.102 /cfg/slb/real 3/rip 10.10.10.103 /cfg/slb/real 4/rip 10.10.10.104
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Real server 3# /cfg/slb/grou p 1 >> Real server group 1# add 1 >> Real server group 1# add 2
(Select real server group 1) (Add real server 1 to group 1) (Add real server 2 to group 1)
>> Main # /cfg/slb/virt 1/vip 205.178.13.226 (Configure virtual server IP 1) >> Virtual server 1# ena >> Virtual server 1# service http >> Virtual server 1 http Service# group 1 >> Main # /cfg/slb/group 2 >> Real server group 1# add 3 >> Real server group 1# add 4 (Add real server 1 to group 1) (Add real server 2 to group 1) (Enable the virtual server) (Select the HTTP service menu) (Associate virtual port to real group) (Enable the virtual server) (Select the HTTP service port menu) (Associate virtual port to real group)
>> Main # /cfg/slb/virt 1/vip 205.178.13.300 >> Virtual server 1# ena >> Virtual server 1# service http >> Virtual server 1 http Service# group 2
Congure virtual interface routers 1 and 3, make sure to disable sharing. These virtual routers are assigned the same IP address as the IP interfaces congured in Step 1, thus telling the switch that these are virtual interface routers (VIRs). In this example, Layer 3 bindings are left in their default conguration, which is disabled. For an active-standby conguration, sharing is disabled.
>> Main # /cfg/l3/vrrp/vr 1 >> VRRP Virtual Router 1# vrid 1 (Select virtual router 1) (Set virtual router ID)
>> VRRP Virtual Router 1# addr 200.200.200.100 (Assign VR IP address) >> VRRP Virtual Router 1# if 1 (Assign virtual router interface)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> VRRP Virtual Router 1# share dis >> VRRP Virtual Router 1# ena >> Main # /cfg/l3/vrrp/vr 3 >> VRRP Virtual Router 3# vrid 3
(Disable sharing of interfaces) (Enable virtual router 1) (Select virtual router 3) (Set virtual router ID)
>> VRRP Virtual Router 3# addr 200.200.200.103 (Assign VR IP address) >> VRRP Virtual Router 3# if 3 >> VRRP Virtual Router 3# share dis >> VRRP Virtual Router 3# ena (Assign virtual router interface) (Disable sharing of interfaces) (Enable virtual router 3)
Congure virtual server routers 2 and 4. These virtual routers will have the same IP addresses as the virtual server IP address. This is what tells the switch that these are virtual service routers (VSRs). For an active-standby conguration, sharing is disabled.
>> Main # /cfg/l3/vrrp/vr 2 >> VRRP Virtual Router 2# vrid 2 (Select virtual router 2) (Set virtual router ID)
>> VRRP Virtual Router 2# addr 205.178.13.226 (Assign VR IP address) >> VRRP Virtual Router 2# if 2 >> VRRP Virtual Router 2# share dis >> VRRP Virtual Router 2# ena >> Main # /cfg/l3/vrrp/vr 4 >> VRRP Virtual Router 4# vrid 4 (Assign virtual router interface) (Disable sharing of interfaces) (Enable virtual router 2) (Select virtual router 4) (Set virtual router ID)
>> VRRP Virtual Router 4# addr 205.178.13.300 (Assign VR IP address) >> VRRP Virtual Router 4# if 4 >> VRRP Virtual Router 4# share dis >> VRRP Virtual Router 4# ena (Assign virtual router interface) (Disable sharing of interfaces) (Enable virtual router 4)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> VRRP Virtual Router Vrgroup 1# ena >> VRRP Virtual Router Vrgroup 1# track
>> VRRP Vrgroup 1 Priority Tracking# ports ena (Track on physical ports)
>> VRRP Virtual Router Vrgroup 2# ena >> VRRP Virtual Router Vrgroup 2# track (Select the Priority Tracking Menu)
>> VRRP Vrgroup 2 Priority Tracking# l4ports ena (Track on layer 4 ports)
Disable synchronizing of priority on Application Switch 1. The priorities should not be synchronized between the two switches. Priority for each vrgroup will change based on the tracking parameters congured in Step 6 and Step 7.
>> Main # /cfg/slb/synch prios disable
Synchronize the SLB and VRRP congurations from application switch 1 to application switch 2. Use the /oper/slb/sync command (see "Conguring VRRP Peers for Synchronization" (page 578)). End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Spanning Tree Group conguration The Spanning Tree Protocol must be turned off.
Layer 3 interface and VRRP conguration In this example, tracking is performed by Layer 2 ports so that any failures on the Master switch results in a successful switch to the Backup switch.
Server Load Balancing Ports connected to the peer switch directly, or via a Layer 2 switch, must have Hot Standby (/cfg/slb/port hot) enabled. ISL and other ports should not have Hot Standby enabled. End
The following illustration demonstrates the Hot Standby conguration presented in this example
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
556 Part 3: Application Switching Fundamentals IPv6 Hot Standby conguration example
Take the following steps to replicate the conguration demonstrated above: Step 1 Action 2424-A Switch Conguration Layer 2 (Port and VLAN) and Layer 3 (Interface) conguration
/cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3 tagged ena pvid 911 /cfg/port 4 tagged ena pvid 911 /cfg/l2/vlan 2 ena name "server" learn ena def 2,3,4 /cfg/l2/vlan 3 ena name "client" learn ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
def 1,3,4 /cfg/l2/vlan 911 ena name "intersw" learn ena def 3,4 cfg/l2/trunk 1 ena add 3 add 4
Interface conguration
/cfg/l3/if 2 ena ipver v6 addr 2000:2:2:0:0:0:0:a mask 96 vlan 2 /cfg/l3/if 3 ena ipver v6 addr 3000:3:3:0:0:0:0:a mask 96 vlan 3 /cfg/l3/if 254 ena ipver v4 addr 192.168.0.1 mask 255.255.255.0 broad 192.168.0.255 vlan 911
VRRP conguration
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
/cfg/l3/vrrp/on /cfg/l3/vrrp/vr 2 ena ipver v6 vrid 2 if 2 addr 2000:2:2:0:0:0:0:fff0 share dis /cfg/l3/vrrp/vr 3 ena ipver v6 vrid 3 if 3 addr 3000:3:3:0:0:0:0:ffff share dis /cfg/l3/vrrp/group ena ipver v6 vrid 254 if 2 share dis track ports
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Synchronization conguration
/cfg/slb/sync prios d /cfg/slb/sync/peer 1 ena addr 192.168.0.2
2424-B Switch Conguration Layer 2 (Port and VLAN) and Layer 3 (Interface) conguration
/cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3 tagged ena pvid 911 /cfg/port 4 tagged ena pvid 911 /cfg/l2/vlan 2 ena name "server" learn ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
def 2,3,4 /cfg/l2/vlan 3 ena name "client" learn ena def 1,3,4 /cfg/l2/vlan 911 ena name "intersw" learn ena def 3,4 /cfg/l2/trunk 1 ena add 3 add 4
Interface conguration
/cfg/l3/if 2 ena ipver v6 addr 2000:2:2:0:0:0:0:b mask 96 vlan 2 /cfg/l3/if 3 ena ipver v6 addr 3000:3:3:0:0:0:0:b mask 96 vlan 3 /cfg/l3/if 255 ena ipver v4 addr 192.168.0.2 mask 255.255.255.0 broad 192.168.0.255 vlan 911
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
VRRP conguration
/cfg/l3/vrrp/on /cfg/l3/vrrp/vr 2 ena ipver v6 vrid 2 if 2 addr 2000:2:2:0:0:0:0:fff0 share dis /cfg/l3/vrrp/vr 3 ena ipver v6 vrid 3 if 3 addr 3000:3:3:0:0:0:0:ffff share dis /cfg/l3/vrrp/group ena ipver v6 vrid 254 if 2 share dis track ports
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Synchronization conguration
/cfg/slb/sync prios d /cfg/slb/sync/peer 1 ena addr 192.168.0.1
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Action Layer 2 (Port and VLAN) conguration Each VLAN must be congured per interface.
Layer 3 interface and VRRP conguration In this example, tracking is performed by Layer 4 ports so that the two virtual routers will switch over when one of the Master virtual routers declare as Backup.
The following illustration demonstrates the Active-Standby conguration presented in this example
IPv6 Active-Standby conguration example
Take the following steps to replicate the conguration demonstrated above: End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Action 2424-A Switch Conguration Layer 2 (Port and VLAN) and Layer 3 (Interface) conguration
/cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3 pvid 911 /cfg/l2/vlan 2 ena name "server" learn ena def 2 /cfg/l2/vlan 3 ena name "client" learn ena def 1 /cfg/l2/vlan 911 ena name "intersw" learn ena def 3
Interface conguration
/cfg/l3/if 2 ena ipver v6 addr 2000:2:2:0:0:0:0:a mask 96 vlan 2 /cfg/l3/if 3 ena ipver v6 addr 3000:3:3:0:0:0:0:a mask 96 vlan 3 /cfg/l3/if 254 ena ipver v4 addr 192.168.0.1 mask 255.255.255.0 broad 192.168.0.255 vlan 911
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
VRRP conguration
/cfg/l3/vrrp/on /cfg/l3/vrrp/vr 2 ena ipver v6 vrid 2 if 2 addr 2000:2:2:0:0:0:0:fff0 share dis track l4pts ena /cfg/l3/vrrp/vr 3 ena ipver v6 vrid 3 if 3 addr 3000:3:3:0:0:0:0:ffff share dis track l4pts ena
Synchronization conguration
/cfg/slb/sync prios d /cfg/slb/sync/peer 1 ena addr 192.168.0.2
2424-B Switch Conguration Layer 2 (Port and VLAN) and Layer 3 (Interface) conguration
/cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3 pvid 911 /cfg/l2/vlan 2 ena name "server" learn ena def 2 /cfg/l2/vlan 3 ena name "client"
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
learn ena def 1 /cfg/l2/vlan 911 ena name "intersw" learn ena def 3
Interface conguration
/cfg/l3/if 2 ena ipver v6 addr 2000:2:2:0:0:0:0:b mask 96 vlan 2 /cfg/l3/if 3 ena ipver v6 addr 3000:3:3:0:0:0:0:b mask 96 vlan 3 /cfg/l3/if 255 ena ipver v4 addr 192.168.0.2 mask 255.255.255.0 broad 192.168.0.255 vlan 911
VRRP conguration
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
/cfg/l3/vrrp/on /cfg/l3/vrrp/vr 2 ena ipver v6 vrid 2 if 2 addr 2000:2:2:0:0:0:0:fff0 share dis track l4pts ena /cfg/l3/vrrp/vr 3 ena ipver v6 vrid 3 if 3 addr 3000:3:3:0:0:0:0:ffff share dis track l4pts ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
/cfg/slb/virt 1 ena ipver v6 vip 3000:3:3:0:0:0:0:ffff vname "v6http" /cfg/slb/virt 1/service http group 1
Synchronization conguration
/cfg/slb/sync prios d /cfg/slb/sync/peer 1 ena addr 192.168.0.1
End
Layer 3 interface and VRRP conguration In this example, tracking is performed by Layer 4 ports so that the two virtual routers will switch over when one of the Master virtual routers declare as Backup. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The following illustration demonstrates the Active-Active conguration presented in this example
IPv6 Active-Active conguration example
Take the following steps to replicate the conguration demonstrated above: Step 1 Action 2424-A Switch Conguration Layer 2 (Port and VLAN) and Layer 3 (Interface) conguration
/cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3 pvid 911 /cfg/l2/vlan 2 ena name "server" learn ena def 2 /cfg/l2/vlan 3
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
ena name "client" learn ena def 1 /cfg/l2/vlan 911 ena name "intersw" learn ena def 3
Interface conguration
/cfg/l3/if 2 ena ipver v6 addr 2000:2:2:0:0:0:0:a mask 96 vlan 2 /cfg/l3/if 3 ena ipver v6 addr 3000:3:3:0:0:0:0:a mask 96 vlan 3 /cfg/l3/if 254 ena ipver v4 addr 192.168.0.1 mask 255.255.255.0 broad 192.168.0.255 vlan 911
VRRP conguration
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
/cfg/l3/vrrp/on /cfg/l3/vrrp/vr 2 ena ipver v6 vrid 2 if 2 addr 2000:2:2:0:0:0:0:fff0 share en track l4pts ena /cfg/l3/vrrp/vr 3 ena ipver v6 vrid 3 if 3 addr 3000:3:3:0:0:0:0:ffff share en track l4pts ena
/cfg/slb/real 1 ena ipver v6 rip 2000:2:2:0:0:0:0:1001 /cfg/slb/real 2 ena ipver v6 rip 2000:2:2:0:0:0:0:1002
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
/cfg/slb/virt 1 ena ipver v6 vip 3000:3:3:0:0:0:0:ffff vname "v6http" /cfg/slb/virt 1/service http group 1
/cfg/slb/port 1 client ena hotstan en /cfg/slb/port 2 server ena hotstan en /cfg/slb/port 3 intersw ena /cfg/slb/port 4 intersw ena
Synchronization conguration
2424-B Switch Conguration Layer 2 (Port and VLAN) and Layer 3 (Interface) conguration
/cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3 pvid 911 /cfg/l2/vlan 2 ena name "server" learn ena def 2 /cfg/l2/vlan 3
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
ena name "client" learn ena def 1 /cfg/l2/vlan 911 ena name "intersw" learn ena def 3
Interface conguration
/cfg/l3/if 2 ena ipver v6 addr 2000:2:2:0:0:0:0:b mask 96 vlan 2 /cfg/l3/if 3 ena ipver v6 addr 3000:3:3:0:0:0:0:b mask 96 vlan 3 /cfg/l3/if 255 ena ipver v4 addr 192.168.0.2 mask 255.255.255.0 broad 192.168.0.255 vlan 911
VRRP conguration
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
/cfg/l3/vrrp/on /cfg/l3/vrrp/vr 2 ena ipver v6 vrid 2 if 2 addr 2000:2:2:0:0:0:0:fff0 share en track l4pts en /cfg/l3/vrrp/vr 3 ena ipver v6 vrid 3 if 3 addr 3000:3:3:0:0:0:0:ffff share en track l4pts en
/cfg/slb on
/cfg/slb/real 1 ena ipver v6 rip 2000:2:2:0:0:0:0:1001 /cfg/slb/real 2 ena ipver v6 rip 2000:2:2:0:0:0:0:1002
/cfg/slb/virt 1 ena ipver v6 vip 3000:3:3:0:0:0:0:ffff vname "v6http" /cfg/slb/virt 1/service http group 1
/cfg/slb/port 1 client ena hotstan en /cfg/slb/port 2 server ena hotstan en /cfg/slb/port 3 intersw ena /cfg/slb/port 4 intersw ena
Synchronization conguration
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
One drawback to using STP with VRRP is the failover response time. STP could take as long as 45 seconds to re-establish alternate routes after a switch or link failure.
This topology allows STP to be disabled. On the Nortel Application Switches, IP routing allows trafc to cross VLAN boundaries. The servers use the Nortel Application Switches as default gateways. For port failure, trafc is rerouted to the alternate path within one health check interval (congurable between 1 and 60 seconds, with a default of 2 seconds).
Each VRRP-capable switch is autonomous. Switches in a virtual router need not be identically congured. As a result, congurations cannot be synchronized automatically. For user convenience, it is possible to synchronize a conguration from one VRRP-capable switch to another using the /oper/slb/sync command. However, care must be taken when using this command to avoid unexpected results. All server load balancing, port congurations, lter congurations, and VRRP parameters can be synchronized using the /oper/slb/synch command. Note: Before you synchronize the conguration between two switches, a peer must be congured on each switch. Switches being synchronized must use the same administrator password. Sessions created in 33-64 auxiliary table are not synced to backup. Congure the two switches as peers to each other. From Switch 1, congure Switch 2 as a peer and specify its IP address as follows:
>> Main # /cfg/slb/sync >> Config Synchronization # peer 1 >> Peer Switch 1 # addr <IP address> >> Peer Switch 1 # enable (Select the synchronization menu) (Select a peer) (Assign switch 2 IP address) (Enable peer switch)
Similarly, from Switch 2, congure Switch 1 as a peer and specify its IP address as follows:
>> Main # /cfg/slb/sync >> Config Synchronization # peer 2 >> Peer Switch 2 # addr <IP address> >> Peer Switch 2 # enable (Select the synchronization menu) (Select a peer) (Assign switch 1 IP address) (Enable peer switch)
Port specic parameters, such as what lters are applied and enabled on what ports, are part of what is pushed by the /oper/slb/synch command. Thus, if the /oper/slb/synch command is used, it is highly recommended that the hardware congurations and network connections of all switches in the virtual router be identical; that is, each switch should be the same model, have the same line cards in the same slots (if modular) and have the same ports connected to the same external
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
network devices. Otherwise, unexpected results may occur when the /oper/slb/synch command attempts to congure a non-existent port or applies an inappropriate conguration to a port.
The sync command copies the following settings to the switch at the specied IP interface address: VRRP settings (including priority) SLB settings (including port settings) Filter settings (including lter port settings) Proxy IP settings
If you perform the sync command, you should check the conguration on the target switch to ensure that the settings are correct. Note: When using both VRRP and GSLB, you must change the /cfg/sys/access/wport (Browser-Based Interface port) value of the target switch (the switch that is being synchronized to) to a port other than port 80 before VRRP synchronization begins.
Stateful failover enables network administrators to mirror their Layer 7 and Layer 4 persistent transactional state on the peer switch.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: Stateful failover is only supported in active-standby mode with VMA enabled. Also, Stateful failover does not synchronize all sessions, except persistent sessions (SSL session ID persistence and cookie-based persistence). If a service fails in the middle of a connection, the current session is discarded, but the new connection binds the session request correctly to the same real server. To provide stateful failover, the state of the connection and session table must be shared between the switches in high-availability congurations. If Virtual Matrix Architecture (VMA) is enabled, all URL and cookie-parsing information is stored in the session table on the last port number on the switch. Sharing this information between switches is necessary to ensure the persistent session goes back to the same server. Stateful failover only ensures that the clients request returns to the same server based on the persistent session entries being shared by the master and the slave switch. The TCP session information, however, is not shared.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
582 Part 3: Application Switching Fundamentals Stateful Failover Example when the Master Switch Fails
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
End
Note: The update does not have to be the same for both switches. Stateful failover supports up to two peer switches. Repeat the steps mentioned above to enable stateful failover on all the peer switches. 3 Congure the master switch as a peer and specify its IP address.
>> Main # /cfg/slb/sync >> Config Synchronization # peer 2 >> Peer Switch 2 # addr 10.1.1.1 >> Peer Switch 2 # enable (Select a peer) (Assign master switch IP address) (Enable peer switch)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Main # /info/l3/vrrp VRRP information: 1: vrid 1, 172.21.16.187,if 109, master, server 3: vrid 3, 192.168.1.30, if prio 109, master 5: vrid 5, 172.21.16.10, if prio 109, master
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
When a new session is created on the master, the session entry will be sent to the backup switch using NAAP. The backup switch will create the session and set the age to a maximum age. This prevents the session from aging out on the backup switch and prevents frequent updates between the master and backup. When the session is updated or deleted on the master, the session on the backup will also be updated or deleted. This feature can only be supported for group-based VRRP in hot and active standby congurations. To support this feature, the following new commands have been added: Step 1 Action Enable and disable mirroring for a service.
>> Main # /cfg/slb/virt <Virtual Server> /service <Service Number> / mirror {enable|disable}
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Mirroring statistics.
>> Main # /stats/slb/mirror
End
Peer Synchronization
In situations where a peer device has been created for a switch, the software will prompt for conguration synchronization with that peer before any reboot.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
587
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Persistence
The Nortel Application Switch Operating Systempersistence feature ensures that all connections from a specic client session reach the same real server, even when Server Load Balancing (SLB) is used. The following topics are addressed in this chapter: "Overview of Persistence" (page 588). This section gives an overview of persistence and the different types of persistence methods implemented in Nortel Application Switch Operating System. "Cookie-BasedPersistence" (page 591). The use of cookie persistence provides a mechanism for inserting a unique key for each client of a virtual server. This feature is only used in non-Secure Sockets Layer (SSL) connections. This section discusses in detail how persistence is maintained between a client and a real server using different types of cookies. "HTTP and HTTPS Persistence Based on Client IP" (page 590). This section explains how both HTTP and HTTPS trafc map to the same server based on client IP. "Server-Side Multi-Response Cookie Search" (page 604). This section explains how to congure the switch to look through multiple HTTP responses from the server to achieve cookie-based persistence. "SSL Session ID-Based Persistence" (page 605). This section explains how an application server and client communicate over an encrypted HTTP session. "Windows Terminal Server Load Balancing and Persistence" (page 607). This section explains how to congure load balancing and persistence for Windows Terminal Services.
Overview of Persistence
In a typical SLB environment, trafc comes from various client networks across the Internet to the virtual server IP address on the Nortel Application Switch. The switch then load balances this trafc among the available real servers. In any authenticated Web-based application, it is necessary to provide a persistent connection between a client and the content server to which it is connected. Because HTTP does not carry any state information for these applications, it is important for the browser to be mapped to the same real server for each HTTP request until the transaction is complete. This ensures that the client trafc is not load balanced mid-session to a different real server, forcing the user to restart the entire transaction.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Persistence
589
Persistence-based SLB enables the network administrator to congure the network to redirect requests from a client to the same real server that initially handled the request. Persistenceis an important consideration for administrators of e-commerce Web sites, wherea server may have data associated with a specic user that is not dynamically shared with other servers at the site. In Nortel Application Switch Operating System, persistence can be based on the following characteristics: source IP address, cookies, and Secure Sockets Layer (SSL) session ID.
Using Cookies
Cookies are strings passed via HTTP from servers to browsers. Based on the mode of operation, cookies are inserted by either the application switch or the server. After a client receives a cookie, a server can poll that cookie with a GET command, which allows the querying server to positively identify the client as the one that received the cookie earlier. The cookie-based persistence feature solves the proxy server problem and gives better load distribution at the server site. In the application switch, cookies are used to route client trafc back to the same physical server to maintain session persistence.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Persistence
591
For information on how to congure your network for SLB, see "Server Load Balancing" (page 188) 2 If a proxy IP address is not congured on the client port, enable DAM for real servers.
>> # /cfg/slb/adv/direct ena
Select Client IP-based persistence as the persistent binding option for the virtual port. If multiple real server ports are congured for this service, you may choose whether to maintain persistence to the rport on the real server.
>> # /cfg/slb/virt 1/service <virtual port> pbind clientIP Current persistent binding mode: disabled Enter clientip|cookie|sslid|disable persistence mode: clientIP Use Rport? (y/n) [y]y
End
Cookie-Based Persistence
Cookies are a mechanism for maintaining state between clients and servers. When the server receives a client request, the server issues a cookie, or token, to the client, which the client then sends to the server on all subsequent requests. Using cookies, the server does not require authentication, the client IP address, or any other time-consuming mechanism to determine that the user is the same user that sent the original request. In the simplest case, the cookie may be just a "customer ID" assigned to the user. It may be a token of trust, allowing the user to skip authentication while his or her cookie is valid. It may also be a key that associates the user with additional state data that is kept on the server, such as a shopping cart and its contents. In a more complex application, the cookie may be encoded so that it actually contains more data than just a single key or an identication number. The cookie may contain the users preferences for a site that allows their pages to be customized.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The following topics discussing cookie-based persistence are detailed in this section: "Permanent and Temporary Cookies" (page 592) "Cookie Formats" (page 593) "Cookie Properties" (page 593) "Client Browsers that Do Not Accept Cookies" (page 594) "Cookie Modes of Operation" (page 594) "Conguring Cookie-Based Persistence" (page 598)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Persistence
593
Cookie Formats
A cookie can be dened in the HTTP header (the recommended method) or placed in the URL for hashing. The cookie is dened as a "Name=Value" pair and can appear along with other parameters and cookies. For example, the cookie "SessionID=1234" can be represented in one of the following ways: In the HTTP Header
Cookie: Cookie: Cookie: SesssionID=1234 ASP_SESSIONID=POIUHKJHLKHD name=john_smith
The second cookie represents an Active Server Page (ASP) session ID. The third cookie represents an application-specic cookie that records the name of the client. Within the URL
http://www.mysite.com/reservations/SessionID=1234
Cookie Properties
Cookies are congured on the application switch by dening the following properties: Cookie names of up to 20 bytes The offset of the cookie value within the cookie string For security, the real cookie value can be embedded somewhere within a longer string. The offset directs the application switch to the starting point of the real cookie value within the longer cookie string. Length of the cookie value This denes the number of bytes to extract for the cookie value within a longer cookie string. Whether to nd the cookie value in the HTTP header (the default) or the URL Cookie values of up to 64 bytes for hashing Hashing on cookie values is used only with the passive cookie mode ("Passive Cookie Mode" (page 596)), using a temporary cookie. The switch mathematically calculates the cookie value using a hash algorithm to determine which real server should receive the request. An asterisk (*) in cookie names for wildcards For example, Cookie name = ASPsession*
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
595
Cookie name - This defaults to "AlteonP". Expiry date and time - If congured, client sends cookie only till the expiration time. Otherwise cookie expires after the current session. Domain name - If congured, cookies are sent only to the domain.
Note: Domain name is taken as "<hname>.<dname>". It defaults to NULL string. CLI Capture When this command is executed: /cfg/slb/virt <virtual#>/service <service#>/pbind , additional inputs taken from the user are listed in the table below.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Virtual Server 10 http Service# /c/sl/vi 10/ser http/pbind Current persistent binding mode: disabled New persistent binding mode: cookie
Enter clientip|cookie|sslid|disable persistence mode: cookie Enter passive|rewrite|insert cookie persistence mode [p/r/i]: i Enter Cookie Name [AlteonP]: Enter insert-cookie expiration as either: ...a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59) ...a duration <days[:hours[:minutes]]> (e.g 45:30:90) ...or none <return> Enter cookie expiration: 0:0:59 (y/n) [n]yes
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
597
Subsequent requests from Client 1 with the same cookie value will be sent to the same real server (RIP 1 in this example). Proxy support for Passive Cookie When passive cookie persistence mode is enabled, switch creates persistent entries for server returned responses with new cookie values, within the same TCP connection.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: When the application switch rewrites the value of the cookie, the rewritten value represents the responding server; that is, the value can be used for hashing into a real server ID or it can be the real server IP address. The rewritten cookie value is encoded.
For information see "Server Load Balancing" (page 188). 2 Either enable Direct Access Mode (DAM), or disable DAM and specify proxy IP address(es) on the client port(s). Enable DAM for the switch.
>> # /cfg/slb/adv/direct ena (Enable Direct Access Mode on switch)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Persistence
599
Note: If Virtual Matrix Architecture (VMA) is enabled on the switch, you must congure a unique proxy IP address for every port (except port 9). 3 If proxy IP addresses are used, make sure server processing is disabled on the server port.
>> # /cfg/slb/port 1 >> # server dis (Select switch port 1) (Disable server processing on port 1)
Select the appropriate load-balancing metric for the real server group.
>> # /cfg/slb/group 2/metric hash (Select hash as server group metric)
If embedding an IP address in the cookie, select roundrobin or leastconns as the metric. If you are not embedding the IP address in the cookie, select hash as the metric in conjunction with a cookie assignment server. While you may experience trafc concentration using the hash metric with a cookie assignment server, using a hash metric without a cookie assignment server will cause trafc concentration on your real servers.
Enable cookie-based persistence on the virtual server service. In this example, cookie-based persistence is enabled for service 80 (HTTP).
>> # /cfg/slb/virt 1/service 80/pbind Current persistent binding mode: disabled Enter clientip|cookie|sslid|disable persistence mode: cookie
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Once you specify cookie as the mode of persistence, you will be prompted for the following parameters:
Enter insert|passive|rewrite cookie persistence mode [i/p/r]: p Enter cookie name: CookieSession1 Enter starting point of cookie value [1-64]: 1 Enter number of bytes to extract [0-64]: 8 Look for cookie in URI [e|d]: d
Cookie-based persistence mode: insert, passive or rewrite Cookie name Starting point of the cookie value Number of bytes to be extracted Look for cookie in the URI [e | d] If you want to look for cookie name/value pair in the URI, enter e to enable this option. To look for the cookie in the HTTP header, enter d to disable this option. End
Relative timer
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Persistence
601
This timer denes the elapsed time from when the cookie was created. The syntax for the relative timer is days[:hours[:minutes]]. For example,
Enter cookie expiration: 32:25:61 Current persistent binding for http: disabled New persistent binding for http: cookie New cookie persistence mode: insert Inserted cookie expires after 33 days 2 hours 1 minutes
The switch adds or subtracts hours according to the time zone settings in /cfg/sys/ntp/tzone. When relative expiration timer is used, make sure the tzone setting is set correctly. If NTP is disabled (/cfg/sys/ntp/off), the tzone setting will still apply to the cookie mode. Note: If the cookie expiration timer is not specied, the cookie will expire when the users session ends. New Conguration options The new conguration options provided are: Cookie path - If congured, cookie is sent only for URL requests which are subset of the path, path defaults to "/". Secure ag - If secure ag is set, client is required to use secure connection to obtain content associated with the cookie.
The last parameter in this command answers the "Look for cookie in URI?" prompt. If you set this parameter to disable, the application switch will use UID=87654321 as the cookie. Look for the cookie in the URI
>> # /cfg/slb/virt 1/service 80/pbind cookie passive UID 1 8 ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The last "Look for cookie in URI?" parameter is set to enable. Therefore the application switch will use UID=12345678 as the cookie.
Select the entire value of the sid cookie as a hashing key for selecting the real server:
>> # /cfg/slb/virt 1/service 80/pbind cookie passive sid 1 16 dis
This command directs the switch to use the sid cookie, starting with the rst byte in the value and using the full 16 bytes. Select a specic portion of the sid cookie as a hashing key for selecting the real server:
>> # /cfg/slb/virt 1/service 80/pbind cookie passive sid 8 4 dis
This command directs the switch to use the sid cookie, starting with the eight byte in the value and using only four bytes. This uses 789a as a hashing key. Using wildcards for selecting cookie names:
>> #/cfg/slb/virt 1/service 80/pbind cookie passive ASPSESSIONID* 1 16 dis
With this conguration, the switch will look for a cookie name that starts with ASPSESSIONID. ASPSESSIONID123, ASPSESSIONID456, and ASPSESSIONID789 will all be seen by the switch as the same cookie name. If more than one cookie matches, only the rst one will be used.
Persistence
603
then the application switch will rewrite the rst eight bytes of the cookie to include the servers encrypted IP address:
Set-Cookie: sid=alteonpersistence;
All subsequent trafc from a specic client with this cookie will be directed to the same real server. Rewrite server cookie with the encrypted real server IP address and virtual server IP address: If the cookie length is congured to be 16 bytes, the switch will rewrite the cookie value with the encrypted real server IP address and virtual server IP address.
>> # /cfg/slb/virt 1/service 80/pbind cookie rewrite sid 1 16 dis
then the application switch will rewrite the rst 16 bytes of the cookie to include the encrypted real server IP address and virtual server IP address:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Set-Cookie:
sid=cdb20f04cdb20f0a;
All subsequent trafc from a specic client to the particular virtual server IP address with this cookie will be directed to the same real server.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Persistence
605
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
"SSL Session ID-Based Persistence" (page 606) illustrates persistence based on SSL session ID as follows: Step 1 2 3 4 Action An SSL Hello handshake occurs between Client 1 and Server 1 via the application switch. An SSL session ID is assigned to Client 1 by Server 1. The application switch records the SSL session ID. The application switch selects a real server based on the existing SLB settings. As a result, subsequent connections from Client 1 with the same SSL session ID are directed to Server 1.
SSL Session ID-Based Persistence
Client 2 appears to the switch to have the same source IP address as Client 1 because they share the same proxy rewall. However, the application switch does not automatically direct Client 2 trafc to Server 1 based on the source IP address. Instead an SSL session ID for the new trafc is assigned. Based on SLB settings, the connection from Client 2 is spliced to Server 3. As a result, subsequent connections from Client 2 with the same SSL session ID are directed to Server 3. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Persistence
607
For information on how to congure your network for SLB, see "Server Load Balancing" (page 188). 2 If a proxy IP address is not congured on the client port, enable DAM for real servers.
>> # /cfg/slb/adv/direct ena
Select session ID-based persistence as the persistent binding option for the virtual port.
>> # /cfg/slb/virt <virtual server number> /service <virtual port> pbind sslid
End
In a load-balanced environment, a group of terminal servers have incoming session connections distributed in a balanced manner across the servers in the group. The Windows session director is used to keeping a list of sessions indexed by user name. This allows a user to reconnect to a disconnected user session. The session director provides functionality that allows a group of terminal servers to coordinate the reconnection of disconnected sessions. The session director is updated and queried by the terminal servers whenever users log on, log off, or disconnect their sessions while leaving their applications active. Client can be reconnected to the terminal server where the users disconnected session resides using the routing token information. The session director passes the routing token information to the client with the correct server IP address embedded. The client presents this routing token to the load balancer when it reconnects to the virtual IP address. The load balancer will decipher the token and send the client to the correct terminal server. In some instances a dedicated session director may not exist. If this is the case, enable the userhash functionality to perform the terminal server binding operation based on user name hashing. By default, Windows Terminal Server trafc uses TCP port 3389 but it can congured to work on any non-standard port. For further information regarding Windows Terminal Services, refer to the Microsoft website. The following illustration demonstrates a sample Windows Terminal Server Load Balancing network topology.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
609
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
(Optional) Enable the WTS userhash. If the dedicated session director does not exist to relate users to disconnected sessions, it is advised that the userhash functionality be enabled to perform this task.
>> WTS Load Balancing# userhash enable
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
611
Background
The Advanced Denial of Service Protection feature set extends the functionality of the Nortel Application Switch to act as an application-intelligent rewall. An administrator can use the features described in this chapter to congure the Nortel Application Switch to perform deep inspection and blocking of malicious content. For example, many newer viruses, worms, malicious code, buggy applications, and cyber-attacks have targeted application and protocol weaknesses by tunneling through the rewall over HTTP port 80, or by encapsulating attacks into SSL tunnels. Such packets can pass undetected through standard network rewalls, which are congured only to open or close
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
access to HTTP port 80. Many of the attacks (such as nullscan, xmascan, scan SYNFIN) are created with purposely malformed packets that include illegal elds in the IP headers.
613
How it works
The IP ACL feature uses a hash table to effectively block a congured range of IP addresses. The access control list is a global list which is by default disabled on the switch; and then enabled on a per-port basis. When a packet ingresses a port that has been enabled with IP access control list processing, the switch compares the client source or destination IP address with internal hash tables containing the IP addresses. If a match is found, the packet is dropped. If no match on the address is found in any of the hash tables, the packet is allowed to pass.
Enter IP subnet mask [default is 255.255.255.255]: 255.255.255.0 (Enter the appropriate mask)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Enter IP subnet mask [default is 255.255.255.255]: 255.255.255.0 (Enter the appropriate mask)
2 3
Repeat step 1 to congure any other IP addresses that should be dropped. Enable IP ACL processing on the ingress port.
>> Main# /cfg/security/port <x> /ipacl ena (Enable IP ACL) Current IP ACL processing: disabled New IP ACL processing: enabled
Bogon List
The Nortel Application Switch Operating System supports the importation and use of a Bogon list. A bogon list species a listing of source IP addresses that are not currently in use or valid and therefore should be blocked. This is a useful tool in ltering out packets that would otherwise not be caught by other means. Bogon lists will be imported through the Nortel Application Switch Element Manager 4.0 although usage statistics can be viewed through either the Nortel ASEM application or the CLI. To view the number of bogon lists through the CLI, use the following command:
>> Main# /cfg/security/ipacl/bogon
615
Current Protocol anomaly and DoS attack prevention: disabled New Protocol anomaly and DoS attack prevention: enabled
Note: To determine which DoS attack types a port is guarding against, view the current settings by using the command /cfg/security/port <port number>/cur. 3 (Optional) To remove a DoS attack type from a port, use the following command.
>> Main# /cfg/security/port 1/dos/rem <DoS attack type>
4 5
Repeat steps 1 and 2 to apply DoS protection to any other ports. Apply and save the conguration. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
The following command shows DOS statistics on all ports where DOS protection is enabled:
>> /stats/security/dos/dump -----------------------------------------------------------Protocol anomaly and DoS attack prevention statistics for port 1: -----------------------------------------------------------Protocol anomaly and DoS attack prevention statistics for port 8: broadcast : 1 loopback : 8 land : 1 ipttl : 1 ipprot : 1 fragmoredont: 1 fragdata : 2 fragboundary: 2 fraglast : 1 fragdontoff : 1 fragoff : 1 fragoversize: 1 tcplen : 4 tcpportzero : 2 blat : 1 nullscan : 1 fullxmasscan: 1 finscan : 1 vecnascan : 5 xmasscan : 1 synfinscan : 1 synfrag : 1 ftpport : 1 dnsport : 1 seqzero : 1 ackzero : 1 udplen : 2 udpportzero : 2
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
617
: : : : : : : : :
1 1 2 1 1 2 1 21 77
Specic subtotals are given for only those ports that are seeing attack trafc.
udpportzero fraggle snmpnull icmplen smurf icmpdata igmplen igmpfrag arpnbcast -----Totals
: : : : : : : : : :
2 1 1 2 1 1 2 1 21 77
Once DOS protection is enabled on the appropriate ports on the Nortel Application Switch, the switch performs the following checks on incoming packets.
IPLen:
Description: An IPv4 packet is sent with an invalid payload or IP header length. Switch action: The switch checks for malformed packets that have either an IP header length less than 20 bytes, an IP total packet length less than the IP header length, or an actual packet length less than the IP total length and drops any matching packets.
IPVersion:
Description: An IPv4 packet is sent with an invalid IP version. Switch action: The switch checks for IPv4 packets marked with a version other than 4 and drops any matching packets.
Broadcast:
Description: An IPv4 packet with a broadcast source or destination IP address. Switch action: The switch checks for IPv4 packets with a broadcast source or destination IP address (0.0.0.0,255.255.255.255) and drops any matching packets.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
619
LoopBack:
Description: An IPv4 packet with a loopback source or destination IP address. Switch action: The switch checks for IPv4 packets with a loopback source or destination IP address (127.0.0.0/8) and drops any matching packets.
LandAttack:
Description: Packets with source IP (sip) equal to destination IP (dip) address. Switch action: The switch checks for sip=dip in the packet and drop any matching packets.
IPReserved:
Description: An IPv4 packet with the reserved IP bit set. Switch action: The switch checks for IPv4 packets with the reserved IP bit set and drops any matching packets.
IPTTL:
Description: An IPv4 packet with a small IP TTL. Switch action: The switch checks for IPv4 packets with a small IP TTL and drops any matching packets.
IPProt:
Description: An IPv4 packet with an unassigned or reserved IP protocol. Switch action: The switch checks for IPv4 packets with an unassigned or reserved IP protocol and drops any matching packets.
IPOptLen:
Description: An IPv4 packet with an invalid IP options length. Switch action: The switch checks for IPv4 packets with an invalid IP options length set and drops any matching packets.
FragMoreDont:
Description: An IPv4 packet with the more fragments and dont fragment bits set. Switch action: The switch checks for IPv4 packets with both the more fragments and dont fragments bits set and drops any matching packets.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
FragData:
Description: An IPv4 packet with the more fragments bit set but a small payload. Switch action: The switch checks for IPv4 packets with the more fragments bit set but exhibiting a small payload and drops any matching packets.
FragBoundary:
Description: An IPv4 packet with the more fragments bit set but a payload not at an 8-byte boundary. Switch action: The switch checks for IPv4 packets with the more fragments bit set but whose payload is not at an 8-byte boundary and drops any matching packets.
FragLast:
Description: An IPv4 packet that is the last fragment but no payload. Switch action: The switch checks for IPv4 packets with the last fragment bit set but no payload and drops any matching packets.
FragDontOff:
Description: An IPv4 packet with a non-zero fragment offset and the dont fragment bits set. Switch action: The switch checks for IPv4 packets with a non-zero fragment offset and the dont fragment bits set and drops any matching packets.
FragOpt:
Description: An IPv4 packet with a non-zero fragment offset and IP options bits set. Switch action: The switch checks for IPv4 packets with a non-zero fragment offset and the IP options bits set and drops any matching packets.
FragOff:
Description: An IPv4 packet with a small non-zero fragment offset. Switch action: The switch checks for IPv4 packets with a small non-zero fragment offset and drops any matching packets.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
621
FragOverSize:
Description: An IPv4 packet with a non-zero fragment offset and an oversized payload. Switch action: The switch checks for IPv4 packets with a non-zero fragment offset and an oversized payload and drops any matching packets.
TCPLen:
Description: A TCP packet with a TCP header length less than 20 bytes and an IP data length less than the TCP header length. Switch action: The switch checks for TCP packets with a TCP header length less than 20 bytes and an IP data length less than the TCP header length and drops any matching packets.
TCPPortZero:
Description: A TCP packet with a source or destination port of zero. Switch action: The switch checks for TCP packets with a source or destination port of zero and drops any matching packets.
TCPReserved:
Description: A TCP packet with the TCP reserved bit set. Switch action: The switch checks for TCP packets with the TCP reserved bit set and drops any matching packets.
NULLscan:
Description: A TCP packet with a sequence number of zero or all of the control bits are set to zero. Switch action: The switch checks for TCP packets with a sequence number or zero or with all control bits set to zero and drops any matching packets.
FullXmasScan:
Description: A TCP packet with all control bits set. Switch action: The switch checks for TCP packets with all of the control bits set and drops any matching packets.
FinScan:
Description: A TCP packet with only the FIN bit set. Switch action: The switch checks for TCP packets with only the FIN bit set and drops any matching packets.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
VecnaScan:
Description: A TCP packet with only the URG, PUSH, URG|FIN, PSH|FIN, or URG|PSH bits set. Switch action: The switch checks for TCP packets with only the URG, PUSH, URG|FIN, PSH|FIN, or URG|PSH bits set and drops any matching packets.
Xmascan:
Description: Sequence number is zero and the FIN, URG, and PSH bits are set. Switch action: The switch checks for any TCP packets where the sequence number is zero and the FIN, URG, and PSH bits are set and drops any matching packets.
SYNFIN Scan:
Description: SYN and FIN bits set in the packet. Switch action: The switch checks for TCP packets with the SYN and FIN bits set and drops any matching packets.
FlagAbnormal:
Description: A TCP packet with an abnormal control bit combination set. Switch action: The switch checks for an abnormal control bit combination and drops any matching packets.
SynData:
Description: A TCP packet with the SYN bit set and that also has a payload. Switch action: The switch checks for TCP packets with the SYN bit set and that also has a payload and drops any matching packets.
SynFrag:
Description: A TCP packet with the SYN and more fragments bits set. Switch action: The switch checks for TCP packets with the SYN and more fragments bits set and drops any matching packets.
FTPPort:
Description: A TCP packet with a source port of 20, a destination port of less than 1024 and the SYN bit set.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
623
Switch action: The switch checks for TCP packets with a source port of 20, a destination port of less than 1024 and the SYN bit set and drops any matching packets.
DNSPort:
Description: A TCP packet with a source port of 53, a destination port of less than 1024 and the SYN bit set. Switch action: The switch checks for TCP packets with a source port of 53, a destination port of less than 1024 and the SYN bit set and drops any matching packets.
SeqZero:
Description: A TCP packet with a sequence number of zero. Switch action: The switch checks for TCP packets with a sequence number of zero and drops any matching packets.
AckZero:
Description: A TCP packet with an acknowledgement number of zero and the ACK bit set. Switch action: The switch checks for TCP packets with an acknowledgement number of zero and the ACK bit set and drops any matching packets.
TCPOptLen:
Description: A TCP packet with a TCP options length of less than two or where the TCP options length is greater than the TCP header length. Switch action: The switch checks for TCP packets with a TCP options length of less than two or where the TCP options length is greater than the TCP header length and drops any matching packets.
UDPLen:
Description: An UDP packet with a UDP header length of less than 8 bytes or where the IP data length is less than the UDP header length. Switch action: The switch checks for UDP packets with a UDP header length of less than 8 bytes or where the IP data length is less than the UDP header length and drops any matching packets.
UDPPortZero:
Description: An UDP packet with a source or destination port of zero. Switch action: The switch checks for UDP packets with a source or destination port of zero and drops any matching packets.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Fraggle:
Description: Similar to a smurf attack, attacks are directed to a broadcast address, except that the packets sent are UDP, not ICMP. Switch action: Deny all the UDP packets with destination address set to a broadcast address. User action: Congure "UDP and ICMP Rate Limiting" (page 629).
Pepsi:
Description: An UDP packet with a source port of 19 and destination port of 7 or vice versa. Switch action: The switch checks for UDP packets with a source port of 19 and destination port of 7 or vice versa and drops any matching packets.
RC8:
Description: An UDP packet with a source and destination port of 7. Switch action: The switch checks for UDP packets with a source and destination port of 7 and drops any matching packets.
SNMPNull:
Description: An UDP packet with a destination port of 161 and no payload. Switch action: The switch checks for UDP packets with a destination port of 161 and no payload and drops any matching packets.
ICMPLen:
Description: An ICMP packet with an improper ICMP header length. Switch action: The switch checks for ICMP packets with an improper ICMP header length and drops any matching packets.
Smurf:
Description: The attacker sends ICMP ping requests to multiple broadcast destination IP (x.x.x.255). The packet contains spoofed source IP of the victim. Switch action: Check every packet for destination IP set to a broadcast address in a lter, and drop any matching packet.
ICMPData:
Description: An ICMP packet with a zero fragment offset and a large payload.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
625
Switch action: The switch checks for ICMP packets with a zero fragment offset and a large payload and drops any matching packets.
ICMPOff:
Description: An ICMP packet with a large fragment offset. Switch action: The switch checks for ICMP packets with a large fragment offset and drops any matching packets.
ICMPType:
Description: An ICMP packet where the type is unassigned or reserved. Switch action: The switch checks for ICMP packets where the type is unassigned or reserved and drops any matching packets.
IGMPLen:
Description: An IGMP packet with an improper IGMP header length. Switch action: The switch checks for IGMP packets with an improper IGMP header length and drops any matching packets.
IGMPFrag:
Description: An IGMP packet with the more fragments bit set and a non-zero fragment offset. Switch action: The switch checks for IGMP packets with the more fragments bit set and a non-zero fragment offset and drops any matching packets.
IGMPType:
Description: An IGMP packet with the type of unassigned or reserved. Switch action: The switch checks for IGMP packets with the type of unassigned or reserved and drops any matching packets.
ARPLen:
Description: An ARP request or reply packet with an improper length. Switch action: The switch checks for ARP request or reply packets with an improper length and drops any matching packets.
ARPNBCast:
Description: An ARP request packet with a non-broadcast destination MAC address.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Switch action: The switch checks for ARP request packets with a non-broadcast destination MAC address and drops any matching packets.
ARPNUCast:
Description: An ARP reply packet with a non-unicast destination MAC address. Switch action: The switch checks for ARP reply packets with a non-unicast destination MAC address and drops any matching packets.
ARPSpoof:
Description: An ARP request or reply packet with a mismatched source with sender MAC addresses or destination with target MAC addresses. Switch action: The switch checks for ARP request or reply packets with a mismatched source with sender MAC addresses or destination with target MAC addresses and drops any matching packets. It should be noted that VRRP enabled gateways can produce a false positive for arpspoof.
GARP:
Description: An ARP request or reply packet with the same source and destination IP. Switch action: The switch checks for ARP request or reply packets with the same source and destination IP and drops any matching packets.
IP6Len:
Description: An IPv6 packet with an improper header length. Switch action: The switch checks for IPv6 packets with an improper header length and drops any matching packets.
IP6Version:
Description: An IPv6 packet with the IP version set to a value other than 6. Switch action: The switch checks for IPv6 packets with the IP version set to a value other than 6 and drops any matching packets.
Blat
Description: TCP packets with a source IP (sip) not equal to a destination IP (dip), but a source port (sport) equal to the destination port (dport). Switch action: The switch checks for sourceIP destinationIP, sport = dport and drops any matching packets.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
627
To view the current values associated with these DoS attacks, use either of the following commands:
>> Main# /cfg/security/dos/cur >> Main# /info/security/dos
A brief explanation of any of the DoS attacks guarded against by the switch can be acquired by using the following command:
>> Main# /cfg/security/dos/help
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
User action: Congure "A Rate Limiting Filter to Thwart Ping Flooding" (page 634) to limit ICMP packets.
Ping of Death:
Description: A ping of death attack sends fragmented ICMP echo request packets. When these packets are reassembled, they are larger than the 65536 byte packets allowed by the IP protocol. Oversized packets cause overows in the servers input buffer, and can cause a system to crash, hang, or reboot. User action: Congure FragOversize or "Matching and Denying Large Packets - ICMP Ping of Death Example" (page 643).
Protocol-BasedRate Limiting
Nortel Application Switch Operating System allows you to detect and block certain kinds of protocol-based attacks. These attacks can ood servers with enough trafc to severely affect their performance or bring them down altogether. Protocol-based rate limiting is implemented via lters. Nortel Application Switch Operating System currently supports rate limiting on TCP, UDP and ICMP protocols. Each lter is congured with one of the above protocols, and then rate limiting is enabled or disabled in the Filtering Advanced menu. TCP Rate Limiting: limits new TCP connection requests, or SYN packets. The switch monitors the rate of incoming TCP connection requests to a virtual IP address and limits the client requests with a known set of IP addresses. See "TCP Rate Limiting" (page 629) for more information. UDP and ICMP Rate limiting: counts all received packets from a client and compares against the congured maximum threshold. When the maximum congured threshold has been reached before the time window expires, the switch will drop until the congured hold-down period expires. See "UDP and ICMP Rate Limiting" (page 629) for more information.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
629
When the fastage value is congured, the time window used by the switch is a multiple of the congured switch fastage and timewin values. Refer to Chapter 6 of the Command Reference for information on these value. The total time window then is the outcome of the timewin value multiplied by the fastage value.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
"Conguring Clients with Different Rates" (page 630) shows four clients congured for TCP rate limits based on source IP address. Clients 1 and 4 have the same TCP rate limit of 10 connections per second. Client 2 has a TCP rate limit of 20 connections per second. Client 3 has a TCP rate limit of 30 connections per second. When the rate of new TCP connections from clients 1, 2, 3, and 4 reach the congured threshold, any new connection request from the client is blocked for a pre-determined amount of time. If the clients IP address and the congured lter do not match, then the default lter is applied. In "Conguring Clients with Different Rates" (page 630), the default lter 2048 congured for Any is applied for all other connection requests.
Conguring Clients with Different Rates
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
631
The value of 1 indicates a total of 10 TCP connections (or sessions). 4 Set the time window in seconds.
>> Rate Limiting Advanced# timewin 3 (Denotes a 3-second time window)
Note: From step 3 and step 4 the rate limit dened as the maximum number of connections over a specied time window is 30 TCP connections for every 3 seconds (or 10 TCP connections per second). 5 Set the holddur parameter in minutes.
>> Rate Limiting Advanced# holddur 4 (Set the hold duration)
If a client exceeds the rate limit, then the client is not allowed to make any new TCP connections or UDP/ICMP packets for 4 minutes. The following two conguration examples illustrate how to use protocol-based rate limiting to limit user access based on source IP address and virtual IP address.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
6 7
Repeat steps 1-5 to congure the other lters shown in "Conguring Clients with Different Rates" (page 630). Apply and save the conguration. End
Time window = 1 second Hold duration = 10 minutes Max rate = maxconn/timewin = 150 connections/1 second = 150 connections/second
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
633
Any client with source IP address equal to 30.30.30.x is allowed to make 150 new TCP connections (or UDP/ICMP packets) per second to any single destination. When the rate limit of 150 is met, the hold duration takes effect. The client is not allowed to transmit sessions or connections to the same destination for 10 minutes. End
Step 1
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
(Specify the maximum connections in multiples of 10) (Set the time window for the session) (Set the hold duration for the session)
time window = 2 seconds hold down time = 40 minutes max rate = maxconn/time window = 100 connections/second 200 connections/2 seconds = 100 connections/second
This conguration limits all clients to 100 new TCP (or UDP/ICMP packets) per second to the server. If a client exceeds this rate, then the client is not allowed transmit sessions or connections to the virtual server for 40 minutes. 2 Add the lter to the ingress port on the switch.
>> Rate Limiting # /cfg/slb/port 2/filt ena/add 100
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
635
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> /cfg/security/udpblast
>> UDP Blast Protection# add Enter UDP port number (1 to 65535) or range (first-last): 1001-2000 Enter max packet rate per second (1 to 20000000): 1000 >> UDP Blast Protection# add Enter UDP port number (1 to 65535) or range (first-last): 2001-4000 Enter max packet rate per second (1 to 20000000): 2000 >> UDP Blast Protection# add Enter UDP port number (1 to 65535) or range (first-last): 4001-6000 Enter max packet rate per second (1 to 20000000): 5000
Nortel Application Switch Operating System supports up to 5000 UDP port numbers, using any integer from 1 to 65535. For the entire port range, the difference between the highest port number and the lowest port number must be less than or equal to 5000. 2 Enable UDP blast protection on the ports on the switch that are connected to unsafe networks
/cfg/security/port 1/udpblast ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
637
Note: The ability to match and perform lter action on a pattern or group of patterns is available only when the Security Pack software is enabled on your switch.
Pattern Criteria
Many TCP or UDP attacks contain common signatures or patterns in the IP packet data. The switch can be congured to examine an IP packet from either the beginning, from a specic offset value (starting point) within the IP packet, and/or from a specied depth (number of characters) into the IP packet. It then performs a matching operation. "IP Packet Format" (page 638) shows an IP packet format. The switch is able to track from the beginning of the IP packet (at IP version number), through IP packet payload of 1500 bytes. Each row in an IP packet is four bytes.
Pattern
A pattern can be a regular expression string pattern in ASCII characters, or a binary pattern in Hexadecimal notation. For more information on using regular expressions to match pattern data, see "Regular Expression Matching" (page 827). If the pattern is binary, specify the binary pattern in Hexadecimal notation. For example, to specify the binary pattern 1111 1100 0010 1101, enter FC2D.
Offset
An offset value is the byte count from the start of the IP header, from which a search or compare operation is performed. An offset value is always required when the creating pattern strings, even if the desired value is zero (0). For example, if an offset of 12 is specied, the switch will start examining the hexadecimal representation of a binary string, from the 13th byte. In the IP packet, the 13th byte starts at the Source IP Address portion of the IP payload.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Depth
Depth is the number of bytes in the IP packet that should be examined from either the beginning of the packet or from the offset value. For example, if an offset of 12 and a depth of 8 is specied, the search begin at the 13th byte in the IP packet, and will match 8 bytes. As we can see from "IP Packet Format" (page 638), an offset of 12 and depth of 8 encompasses the Source IP Address and Destination IP Address elds in the IP payload. If no depth is specied in ASCII matches, the exact pattern will be matched from the offset value to the end of the pattern. A depth must be specied for Binary matches that is larger than the pattern length in bytes.
Operation
An operation tells the switch how to interpret the pattern, offset and depth criteria. For a string pattern, use the operation eq (equals) in order to match the content of the string. Use the operations to nd values lt (less than), gt (greater than) or eq (equals) to the specied binary value. If no operation is specied, the pattern is invalid. The lt and gt operations can be used for certain attack signatures, in which one or more bytes are less than or greater than a certain value.
Syntax:
>> /cfg/slb/layer7/slb/addstr
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
639
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The following example illustrates adding one binary pattern and one ASCII string pattern. The binary pattern is written in hexadecimal notation.
>> /cfg/slb/layer7/slb/addstr Enter type of string [l7lkup|pattern]: pattern (Add the first pattern) Enter match pattern type [ascii|binary]: binary (Select binary matching) Enter HEX string: 014F (For this Binary pattern)
Enter offset in bytes from start of IP frame (0-1500): 2 (Starting from 3rd byte) Enter depth in bytes to search from offset (0-1500): 0 (Search length of the pattern) Enter operation (eq|gt|lt): eq (For values equal to this Binary pattern)
>> Server Loadbalance Resource# add (Add the second pattern) Enter type of string [l7lkup|pattern]: pattern
Enter match pattern type [ascii|binary]: ascii (Select ascii matching) Enter ASCII string: /default.htm (Match this ascii string) Enter offset in bytes from start of IP frame (0-1500): 44 (Search from 45th byte) Enter depth in bytes to search from offset (0-1500): 30 (through 30th byte)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
641
ID 8 9
SLB String BINMATCH=014F, offset=2, depth=0, op=eq, cont 256 STRMATCH=/default.htm offset=44, depth=30, op=eq, cont 256
In the security menu, congure a pattern group and name it something relevant and easy to remember.
>> /cfg/security/pgroup 1/name Current pattern group name: Enter new pattern group name: virus_x (Name the group) (Name pattern group 1)
Add the new pattern/offset pairs to the pattern group using their ID numbers. Refer back to step 2, where you typed the cur command, if you need to recall the ID number associated with the SLB string.
>> Pattern Match Group 1# add 8 >> Pattern Match Group 1# add 9 (Add the first binary pattern) (Add the ascii string pattern)
Congure a lter and its appropriate protocol in which the patterns are found.
>> /cfg/slb/filt 90 >> Filter 90 # proto tcp (Go to the Filter 90 menu)
Apply the pattern group you congured in step 3 and step 4 to the lter.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Enable pattern matching on the lter. This command will automatically enable Layer 7 lookup on the lter.
>> /cfg/slb/filt 90/adv/security/pmatch enable Current Pattern Match: disabled New Pattern Match: enabled
10
Apply the lter to the client port. If the incoming client requests enter the switch on port 3, then add this lter to port 3.
>> # /cfg/slb/port 3 >> SLB Port 3# filt ena >> SLB Port 3# add 90 (Select the client port) (Enable filtering on the client port) (Add Filter #90 to the client port)
11
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
643
Now, both patterns congured in the above example must be matched before a packet is denied and dropped:
8 9 BINMATCH=014F, offset=2, depth=0, op=eq, cont 256 STRMATCH=/default.htm offset=44, depth=30, op=eq, cont 256
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> /cfg/slb/layer7/slb/addstr Enter type of string [l7lkup|pattern]: pattern (Add the pattern) Enter match pattern type [ascii|binary]: binary (Select binary matching) Enter HEX string: 0000 (non-zero IP offset)
Enter offset in bytes from start of IP frame (0-1500): 6 (Search from 7th byte) Enter depth in bytes to search from offset (0-1500): 0 (Through end of pattern) Enter operation (eq|gt|lt): gt (For values greater than 0000)
Enter offset in bytes from start of IP frame (0-1500): 6 (Search from 7th byte) Enter depth in bytes to search from offset (0-1500): 0 (Through end of pattern) Enter operation (eq|gt|lt): lt (For values less than 4000)
645
ID 6 7 8 9 10 11
SLB String HTTPHDR:Host:www.playdog.com HTTPHDR:SoapAction=* BINMATCH=014F, offset=2, depth=0, op=eq, cont 256 STRMATCH=/default.htm offset=44, depth=30, op=eq, cont 256 BINMATCH=0000, offset=6, depth=0, op=gt, cont 256 BINMATCH=4000, offset=6, depth=0, op=lt, cont 256
In the security menu, congure a pattern group and name it something relevant and easy to remember.
>> /cfg/security/pgroup 2/name Current pattern group name: Enter new pattern group name: pingofdeath (Enter name for pattern group 2)
Congure a lter and its appropriate protocol in which the patterns are found; in this case, icmp protocol should be specied.
>> /cfg/slb/filt 190 >> Filter 190 # proto icmp (Go to the Filter 90 menu)
Set the ICMP message type. Ping of Death uses the ICMP message type echoreq.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Filter 190 # adv/icmp >> Filter 190 Advanced# icmp Current ICMP message type: Enter ICMP message type or any: echoreq
10
Apply the pattern group you congured in step 5 and step 6 to the lter.
>> Filter 190 # security/addgrp 2 Group ID 2 added. (Add pattern group 2 to the filter)
11
12
Enable matchall criteria so that the lter matches on all patterns in the pattern group.
>> Security# matchall ena Current Match-all Criteria: disabled New Match-all Criteria: enabled
13
Apply the lter to the client port. This example assumes a client connection on port 22.
>> # /cfg/slb/port 22 >> SLB Port 22# filt ena >> SLB Port 22# add 190 (Select the client port) (Enable filtering on the client port) (Add Filter #190 to the client port)
14
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
647
Remediation Subsystem
The Remediation Subsystem is a component of the Nortel Threat Protection System that issues remediations directly to the Nortel Application Switch in response to detected threats on the network. These remediations, with the exception of session deletion, take the form of Operations IP Access Control Lists. Refer to "Operations IP Access Control List" (page 648) for more information on this topic. The following remediations are issued directly to the Nortel Application Switch from the Remediation Subsystem of the Nortel TPS: Step 1 Action Block Source IP Blocks any trafc sent from the source IP in the event that triggered the remediation. 2 Block Destination IP Blocks any trafc sent to the destination IP in the event that triggered the remediation. 3 Block Source Network Block any trafc sent from source network in the event that triggered the remediation. 4 Block Destination Network Block any trafc sent to destination network in the event that triggered the remediation. 5 Delete Session Deletes existing session based on ve parameters of the event that triggered the remediation. Refer to "Session Deletion" (page 649) for further information on this topic. When an operations IP ACL is added remotely by the remediation subsystem a syslog entry is generated. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Remove a source IP access control list. A source IP access control list can be removed from the switch before its timeout threshold is reached. To remove a source IP access control list, use the following command:
>> Main# /oper/sec/ipacl/rem <IP Address> <Subnet Mask>
Remove all source IP access control lists. To remove all source IP access control lists from the switch, use the following command:
>> Main# /oper/sec/ipacl/arem
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
649
Conguring Destination IP Access Control Lists A switch administrator has the option of performing the following three actions with destination IP access control lists: Step 1 Action Add a new destination IP access control list. To add a new destination IP access control list, use the following command:
>> Main# /oper/sec/ipacl/dadd <IP Address> <Subnet Mask> <Duration in Minutes (110080)>
Remove a destination IP access control list. A destination IP access control list can be removed from the switch before the timeout threshold is reached. To remove a destination IP access control list, use the following command:
>> Main# /oper/sec/ipacl/drem <IP Address> <Subnet Mask>
Remove all destination IP access control lists. To remove all destination IP access control lists from the switch, use the following command:
>> Main# /oper/sec/ipacl/darem
Session Deletion
Sessions can be deleted from the switch through the Remediation Subsystem when the switch is acting as a Nortel TPS enforcement point or manually through the command line interface. Manual session deletion is based on the ve parameters entered by the user when the command is executed. Based on these parameters the operating system will nd the corresponding single session entry and delete it. The ve parameters are: Source IP Address Source Port
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
When the session deletion command is received by the switch, the MP will loop and send session deletion requests to all SPs but it will stop once the session entry is found and deleted on any SP. Session deletion is accomplished by the following command:
>> Main# /oper/slb/sessdel <Source IP Address> <Source Port> <Destination IP Address> <Destination Port> {TCP | UDP}
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
651
Symantec Intelligent Network Protection is only available to switches that have a valid Intelligent Trafc Management and Symantec license that are running the Nortel Application Switch Operating System 24.0 and higher. Symantec Intelligent Network Protection is not meant to supplant the existing security functionality of the Nortel Application Switch Operating System but to enhance it. For the most secure solution possible, use this functionality in conjunction with the existing security functionality. Information on this security functionality can be found in "Advanced Denial of Service Protection" (page 611) This chapter contains the following topics: "Overview" (page 652) "Installing Software Keys" (page 653) "Intelligent Network Protection Components" (page 653) "Conguration Tasks" (page 654) "Tunable Resources" (page 656) "Monitoring Symantec Functionality" (page 657) "General Symantec Information" (page 657) "Signature Names" (page 658) "Conguration Example" (page 659) "Troubleshooting" (page 665)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Overview
Intelligent Network Protection provides enhanced security functionality to the switch by providing a continually updated line of defense against moderate and severe network threats. Intelligent Network Protection is provided as a subscription based service that is purchased on a yearly basis for each switch it protects. This allows a user to provide up to date protection to the switch. Intelligent Network Protection is available to a Nortel Application Switch with a valid Intelligent Trafc Management license. Once this functionality is enabled on the switch, Symantec security signatures are downloaded to it through the Symantec LiveUpdate technology. Security signatures are continuously updated by Symantec and posted for immediate download by subscribers. Updated signatures can be downloaded through Nortel ASEM automatically and applied either automatically or manually. Trafc ows are then steered through the Symantec security engine for inspection and the results are communicated to the Application Switch to enable the pre-determined course of action. Trafc that cleanly passes security interrogation is then processed for application classication and policy assignment. "Security Layers in Nortel Application Switch Operating System" (page 652) illustrates the multiple layers of security enabled by a Nortel Application Switch running Intelligent Trafc Management and Intelligent Network Protection.
Security Layers in Nortel Application Switch Operating System
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
653
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Globally enable Intelligent Network Protection functionality. Globally enable the Intelligent Network Protection functionality using the following command:
>> Main# /boot/symantec ena
The switch will prompt for conrmation of the request. Answer y at the prompt. The switch will then reset and load the Intelligent Network Protection memory management scheme. Note: To disable the Intelligent Network Protection functionality globally, use the command /boot/symantec dis. The switch will prompt for conrmation of the request and reset after answering y at the prompt. End
Conguration Tasks
The tasks listed in this section must be completed to successfully enable Intelligent Network Protection on a switch. Before enabling Intelligent Network Protection, both an Intelligent Trafc Management and Symantec license must be purchased for each switch on which this feature will run. For information on purchasing these licenses, refer to http://www.nortel.com/contactus. The tasks outlined in this section refer to, and make use of, the Application Switch Element Manager. Use of the ASEM is the preferred mode of conguration for Intelligent Network Protection functionality. To enable Intelligent Network Protection, perform the following tasks: Note: Although many of these tasks are represented individually, most can be performed together when running the Trafc Management Wizard in the Application Switch Element Manager. Step 1 Action Log into the switch using SNMPv3.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
655
Symantec Intelligent Network Protection requires the use of SNMPv3 for switch authentication. Using any other form of SNMP authentication to log into the switch will cause the Intelligent Network Protection options to be unavailable. 2 Open the Trafc Management Wizard. Open the Trafc Management Wizard by selecting Wizards > Trafc Management Wizard from the ASEM menu. 3 Add inbound and outbound ports for protection. Select the inbound and outbound ports that will be protected. 4 Add Symantec critical and severe threats to monitor. Critical network threats are selected from a list presented on the Threats - Criticial and Threats-Severe tabs of the Application Selection screen of the Trafc Management Wizard. 5 Schedule signature updates. Symantec signatures can be congured to update automatically using Symantec LiveUpdate functionality. Use the Symantec Schedule button found at the bottom of the Application Selection screen of the Trafc Management Wizard to schedule updates. This screen is also used to determine if signatures will be automatically or manually applied to the switch. 6 Congure application actions. Once threats have been identied and congured for monitoring, the action to take on these threats are congured in the Application Actions screen of the Trafc Management Wizard. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
656 Part 4: Advanced Switching Intelligent Network Protection CLI Commands Command /cfg/bwm/cont <contract number> /maxsess <0 - 65534> Description This command limits the number of open sessions per user or application. If Intelligent Traffic Management is in use, this command should not be used. Configuration should take place in the Traffic Management Wizard. This command enables or disables Intelligent Network Protection on a port. Since Intelligent Traffic Management will automatically enable or disable Symantec processing, this command is provided for troubleshooting purposes only. This command manually adds a Symantec signature to bandwidth contract mappings. This command is provided for troubleshooting purposes only. Where possible, this procedure should be performed in the third screen of the Traffic Management Wizard. This command manually removes a Symantec signature to bandwidth contract mappings. This command is provided for troubleshooting purposes only. Where possible, this procedure should be performed in the third screen of the Traffic Management Wizard.
/cfg/security/symdel <signature_id>
Tunable Resources
As features are added to the Nortel Application Switch Operating System, more and more memory is necessary to sufciently support these new features. Since the Nortel Application Switch hardware has not been upgraded to provide this additional capacity, the Tunable Resource feature has been created to provide variable memory proles. The Tunable Resources feature allows switch memory to be allocated based on two types of conguration: Intelligent Trafc Management / Symantec Default
Switches running the Nortel Application Switch Operating System automatically have their memory allocations tuned to the Default conguration. This memory allocation conguration maximizes switch resources to handle day to day operations.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
657
The Intelligent Trafc Management / Symantec memory allocation conguration maximizes switch performance for the use of the Intelligent Network Protection feature. This memory allocation prole is automatically selected when the user enables the Symantec Intelligent Network Protection feature. Memory allocation proles are not congurable and are selected automatically by the switch. The switch will indicate the current memory allocation conguration when logging into the CLI or by using the /info/sys/general command.
Monitor > Security (Several tabs) Monitor > Layer 4 > SLB > SP Maintenance Monitor > Layer 4 > SLB > SP Maintenance
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
658 Part 4: Advanced Switching General Symantec Information Symantec Information License Expiration ASEM Location Configure > Security > General Description The number of days left on the current Symantec license. Licenses expire within 365 days after the first signature download. The default action the switch applies to newly downloaded signatures. The Traffic Management Wizard is used to set the long term signature policy. The version of the Symantec security engine currently running on the switch. Indicates whether a license renewal is pending.
Signature Names
All Symantec signatures used in Intelligent Network Protection functionality follow a specic naming scheme where le names are as follows: YYYYMMDDNN where: Step 1 2 3 4 Action YYYY = The year the signature was issued. MM = The month the signature was issued. DD = The day the signature was issued. NN = The iteration number of the signature issued on the date specied by the previous three name components. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
659
Conguration Example
This section contains a Nortel Symantec Intelligent Network Protection example conguration. This conguration example assumes that client port 5 and server port 6 are Symantec enabled. Trafc in this example is being sent at 10 Mbps but rate limited to 5 Mbps as dened in the policy in the example. Take the following steps to create the sample conguration: Step 1 Action Congure the switch management port options.
/cfg/sys/mmgmt addr 47.80.20.103 mask 255.255.255.0 broad 47.80.20.255 gw 47.80.20.1 tftp mgmt report mgmt ena
20595 20596 20267 20268 20269 20270 20271 20272 20273 20274 20294 20295 20296 20275 20293 20297
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig
20276 20148 20277 20298 20278 20299 20300 20301 20302 20575 20597 20303 20304 20305 20279 20179 20306 20307 20598 20309 20310 20311 20313 20314 20315 20316 20317 20280 20281 20282 20283 20284 20285 20319 20286 20318 20287 20320 20599 20288 20289 20321 20600 20290 20322 20601 20291 20292 20715 20021
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
661
symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig symsig
20076 1 2 20958 1 2 20359 1 2 21298 1 2 20716 1 2 21744 1 2 21732 1 2 21320 1 2 21750 1 2 20704 1 2 20726 1 2 21265 1 2 21297 1 2 21319 1 2 21256 1 2 20727 1 2 20094 1 2 21391 1 2 20706 1 2 20633 1 2 20634 1 2 20097 7 8 20098 7 8 20088 7 8 20077 7 8 20767 7 8 20086 7 8 20087 7 8 20074 7 8 20326 7 8 20765 7 8 21701 7 8 21702 7 8 20022 7 8 20023 7 8 20024 7 8 20637 7 8 20763 7 8 21266 7 8 100101 11 100102 12 100103 13 100104 14 100105 15
11 12 13 14 15
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
663
mononly ena /cfg/bwm/cont 7 ena name "Symantec-Critical_IN" pol 1 prec 255 /cfg/bwm/cont 8 ena name "Symantec-Critical_OUT" pol 2 prec 255 /cfg/bwm/cont 11 ena pol 11 /cfg/bwm/cont 12 ena pol 12 /cfg/bwm/cont 13 ena pol 13 /cfg/bwm/cont 14 ena pol 14 /cfg/bwm/cont 15 ena pol 15
10
11
12
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
665
/cfg/slb/port 5 filt ena add 2043 /cfg/slb/port 6 filt ena add 2044
End
Troubleshooting
This section details known situations that may arise out of the operation of the Symantec Intelligent Network Protection functionality. Where possible, workarounds for these situations are provided.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Switch A synchronizes its conguration with Switch B. Both Switch A and Switch B are currently running the Symantec memory prole (see "Tunable Resources" (page 656)). Additionally, Symantec processing is enabled on port 1 of Switch A and Switch B. If an administrator disables Symantec processing on Switch A it will revert to the default memory prole, disable Symantec processing previously congured on port 1 and reboot. The congurations of Switch A and B will remain inconsistent until such time as the congurations are synchronized.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
667
Firewall Overview
Firewall devices have become indispensable for protecting network resources from unauthorized access. Prior to FWLB, however, rewalls could become critical bottlenecks or single points-of-failure for your network. As an example, consider the following network:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
One network interface card on the rewall is connected to the public side of the network, often to an Internet router. This is known as the dirty or untrusted side of the rewall. Another network interface card on the rewall is connected to the side of the network with the resources that must be protected. This is known as the clean or trusted side of the rewall. In this simple example, all trafc passing between the dirty, clean, and DMZ networks must traverse the rewall, which examines each individual packet. The rewall is congured with a detailed set of rules that determine which types of trafc are allowed and which types are denied. Heavy trafc can turn the rewall into a serious bottleneck. The rewall is also a single point-of-failure device. If it goes out of service, external clients can no longer reach your services and internal clients can no longer reach the Internet. Sometimes, a Demilitarized Zone (DMZ) is attached to the rewall or between the Internet and the rewall. Typically, a DMZ contains its own servers that provide dirty-side clients with access to services, making it unnecessary for dirty-side trafc to use clean-side resources. FWLB with Nortel Application Switches provides a variety of options that enhance rewall performance and resolve typical rewall problems. Nortel Application Switches support the following methods of FWLB: Basic FWLB for simple networks This method uses a combination of static routes and redirection lters and is usually employed in smaller networks. A Nortel Application Switch lter on the dirty-side splits incoming trafc into streams headed for different rewalls. To ensure persistence of session trafc through the same rewall, distribution is based on a mathematical hash of the IP source and destination addresses. For more information about basic FWLB, see "Basic FWLB" (page 669). Four-Subnet FWLB for larger networks
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
669
Although similar to basic FWLB, the four-subnet method is more often deployed in larger networks that require high-availability solutions. This method adds Virtual Router Redundancy Protocol (VRRP) to the conguration. Just as with the basic method, four-subnet FWLB uses the hash metric to distribute rewall trafc and maintain persistence. For more information, see "Four-Subnet FWLB" (page 682). Each method is described in more detail in the following sections.
Basic FWLB
The basic FWLB method uses a combination of static routes and redirection lters to allow multiple active rewalls to operate in parallel. "Basic FWLB Topology" (page 669) shows a basic FWLB topology:
Basic FWLB Topology
The rewalls being load balanced are in the middle of the network, separating the dirty side from the clean side. This conguration requires a minimum of two application switches: one on the dirty side of the rewalls and one on the clean side. A redirection lter on the dirty-side application switch splits incoming client trafc into multiple streams. Each stream is routed through a different rewall. The same process is used for outbound server responses; a redirection lter on the clean-side application switch splits the trafc, and static routes forward each stream through a different rewall and then back to the client. Although other metrics can be used in some congurations (see "Free-Metric FWLB" (page 701)), the distribution of trafc within each stream is normally based on a mathematical hash of the source IP address and destination IP addresses. This ensures that each client request and its related responses
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
will use the same rewall (a feature known as persistence) and that the trafc will be equally distributed. The persistence is required for the rewall as it maintains state and processes trafc in both directions for a connection. Although basic rewall load-balancing techniques can support more rewalls as well as multiple switches on the clean and dirty sides for redundancy, the conguration complexity increases dramatically. The four-subnet FWLB solution is usually preferred in larger scale, high-availability topologies (see "Four-Subnet FWLB" (page 682)).
Step 1
Action The client requests data. The external clients intend to connect to services at the publicly advertised IP address assigned to a virtual server on the clean-side application switch.
A redirection lter balances incoming requests among different IP addresses. When the client request arrives at the dirty-side application switch, a lter redirects it to a real server group that consists of a number of different IP addresses. This redirection lter splits the trafc into balanced streams: one for each IP address in the real server group. For FWLB, each IP address in the real server group represents an IP Interface (IF) on a different subnet on the clean-side application switch.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
671
On the dirty-side switch, one static route is needed for each trafc stream. For instance, the rst static route will lead to an IP interface on the clean-side application switch using the rst rewall as the next hop. A second static route will lead to a second clean-side IP interface using the second rewall as the next hop, and so on. By combining the redirection lter and static routes, trafc is load balanced among all active rewalls. All trafc between specic IP source/destination address pairs ows through the same rewall, ensuring that sessions established by the rewalls persist for their duration. Note: More than one stream can be routed though a particular rewall. You can weight the load to favor one rewall by increasing the number of static routes that traverse it. 4 The rewalls decide if they should allow the packets and, if so, forwards them to a virtual server on the clean-side application switch. Client requests are forwarded or discarded according to rules congured for each rewall. Note: Rule sets must be consistent across all rewalls. 5 The clean-side application switch performs normal SLB functions. Packets forwarded from the rewalls are sent to the original destination address, that is, the virtual server on the clean-side application switch. There, they are load balanced to the real servers using standard SLB conguration. 6 7 The real server responds to the client request. Redirection lters on the clean-side application switch balance responses among different IP addresses. Redirection lters are needed on all ports on the clean-side application switch that attach to real servers or internal clients on the clean-side of the network. Filters on these ports redirect the Internet-bound trafc to a real server group that consists of a number of different IP addresses. Each IP address represents an IP interface on a different subnet on the dirty-side application switch. 8 Outbound trafc is routed to the rewalls. Static routes are congured on the clean-side switch. One static route is needed for each stream that was congured on the dirty-side application switch. For instance, the rst static route would be congured to lead to the rst dirty-side IP interface using the rst
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
rewall as the next hop. The second static route would lead to the second dirty-side IP interface using the second rewall as the next hop, and so on. Since application switches intelligently maintain state information, all trafc between specic IP source/destination addresses ows through the same rewall, maintaining session persistence. Note: If Network Address Translation (NAT) software is used on the rewalls, FWLB session persistence requires the RTS option to be enabled on the application switch (see "Free-Metric FWLB" (page 701)). 9 The rewall decides if it should allow the packet and, if so, forwards it to the dirty-side application switch. Each rewall forwards or discards the server responses according to the rules that are congured for it. Forwarded packets are sent to the dirty-side application switch and out to the Internet. 10 The client receives the server response. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
673
Congure the clean-side IP interface as if they were real servers on the dirty side. Later in this procedure, youll congure one clean-side IP interface on a different subnet for each rewall path being load balanced. On the dirty-side application switch, create two real servers using the IP address of each clean-side IP interface used for FWLB. Note: The real server index number must be the same on both sides of the rewall. For example, if real server 1 is the dirty-side
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
IP interface for Firewall 1, then congure real server 1 on the clean side with the dirty-side IP interface. Conguring the same real server number on both sides of the rewall ensures that the trafc travels through the same rewall.
>> IP Interface 3# /cfg/slb/rea l 1 >> Real server 1# rip 10.1.3.1 >> Real server 1# ena >> Real server 1# /cfg/slb/real 2 >> Real server 2# rip 10.1.4.1 >> Real server 2# ena (Select real server 1) (Assign clean-side IF 2 address) (Enable real server 1) (Select real server 2) (Assign clean-side IF 3 address) (Enable real server 1)
Real servers in the server groups must be ordered the same on both clean side and dirty side switch. For example, if real server 1 IP interface connects to Firewall 1 for clean side server group, then real server 1 IP interface on the dirty side should be connected to Firewall 1. Selecting the same real server ensures that the trafc travels through the same rewall. Note: Each of the four interfaces used for FWLB (two on each application switch) in this example must be congured for a different IP subnet. 4 Place the IP interface real servers into a real server group.
>> Real server 2# /cfg/slb/group 1 >> Real server group 1# add 1 >> Real server group 1# add 2 (Select real server group 1) (Add real server 1 to group 1) (Add real server 2 to group 1)
Set the health check type for the real server group to ICMP.
>> Real server group 1# health icmp (Select ICMP as health check type)
Set the load-balancing metric for the real server group to hash.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
675
Using the hash metric, all trafc between specic IP source/destination address pairs ows through the same rewall. This ensures that sessions established by the rewalls are maintained for their duration. Note: Other load balancing metrics such as leastconns, roundrobin, minmiss, response, and bandwidth can be used when enabling the Return to Sender (RTS) option. For more information, see "Free-Metric FWLB" (page 701). 7 Enable SLB on the switch.
>> Real server group 1# /cfg/slb/on
Create a lter to allow local subnet trafc on the dirty side of the rewalls to reach the rewall interfaces.
>> Layer 4# /cfg/slb/filt 10 >> Filter 10# sip any >> Filter 10# dip 192.16.12.0 >> Filter 10# dmask 255.255.25 5.0 >> Filter 10# action allow >> Filter 10# ena (Select filter 10) (From any source IP address) (Specify destination IP address) (Specify destination mask) (Allow frames with this DIP address) (Enable filter)
Create the FWLB redirection lter. This lter will redirect inbound trafc, load balancing it among the dened real servers in the group. In this network, the real servers represent IP interfaces on the clean-side application switch.
>> Filter 10# /cfg/slb/filt 15 >> Filter 15# sip any >> Filter 15# dip any >> Filter 15# proto any >> Filter 15# action redir (Select filter 15) (From any source IP address) (To any destination IP address) (For any protocol) (Perform redirection)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
10
11
12
Dene static routes to the clean-side IP interfaces, using the rewalls as gateways. One static route is required for each rewall path being load balanced. In this case, two paths are required: one that leads to clean-side IF 2 (10.1.3.1) through the rst rewall (10.1.1.10) as its gateway, and one that leads to clean-side IF 3 (10.1.4.1) through the second rewall (10.1.2.10) as its gateway.
>> SLB Port 5# /cfg/l3/route/ip4 >> IP Static Route# add 10.1.3.1 255.255.255.255 10.1.1.10 >> IP Static Route# add 10.1.4.1 255.255.255.255 10.1.2.10
13
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
677
Congure the dirty-side IP interfaces as if they were real servers on the clean side. You should already have congured a dirty-side IP interface on a different subnet for each rewall path being load balanced. Create two real servers on the clean-side switch, using the IP address of each dirty-side IP interface. Note: The real server index number must be the same on both sides of the rewall. For example, if real server 1 is the dirty-side IP interface for Firewall 1, then congure real server 1 on the clean side with the dirty-side IP interface. Conguring the same real server number on both sides of the rewall ensures that the trafc travels through the same rewall.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
>> IP Interface 5# /cfg/slb/rea l 1 >> Real server 1# rip 10.1.1.1 >> Real server 1# ena >> Real server 1# /cfg/slb/real 2 >> Real server 2# rip 10.1.2.1 >> Real server 2# ena
(Select real server 1) (Assign dirty-side IF 1 address) (Enable real server 1) (Select real server 2) (Assign dirty-side IF 2 address) (Enable real server 2)
Note: Each of the four IP interfaces (two on each application switch) in this example must be congured for a different IP subnet. 3 Place the real servers into a real server group.
>> Real server 2# /cfg/slb/grou p 1 >> Real server group 1# add 1 >> Real server group 1# add 2 (Select real server group 1) (Select real server 1 to group 1) (Select real server 2 to group 1)
Set the health check type for the real server group to ICMP.
>> Real server group 1# health icmp (Select ICMP as health check type)
Set the load-balancing metric for the real server group to hash.
>> Real server group 1# metric hash (Select SLB hash metric for group 1)
Note: The clean-side application switch must use the same metric as dened on the dirty side. 6 Enable server load balancing on the switch.
>> Real server group 1# /cfg/slb/on
Congure ports 2 and 3, which are connected to the clean-side of the rewalls, for client processing.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
679
>> Real server group 1# /cfg/slb/port 2/client ena (Enable client processing on port 2) >> SLB port 2# /cfg/slb/port 3/client ena >> SLB port 3# apply >> SLB port 3# save (Enable client processing on port 3) (Apply the configuration) (Save the configuration)
Congure the virtual server that will load balance the real servers.
>> SLB port 3# /cfg/slb/virt 100 >> Virtual Server 100# vip 20.1.1.10 >> Virtual Server 100# ena (Configure virtual server 100) (Assign virtual server 100 IP address) (Enable the virtual server)
Congure the real servers to which trafc will be load-balanced. These are the real servers on the network.
>> Real server group 1# /cfg/slb/real 3 >> Real server 2 # rip 20.1.1.2 >> Real server 2 # ena >> Real server 2 # /cfg/slb/rea l 4 >> Real server 3# ena 20.1.1.3 (Select real server 3) (Assign real server 2 IP address) (Enable real server 2) (Select real server 4) (Assign real server 3 IP address)
10
11
Congure ports 4 and 5, which are connected to the real servers, for server processing.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Real server group 200# /cfg/slb/port 4/server ena >> SLB port 4# /cfg/slb/port 5/server ena
12
13
14
Create the redirection lter. This lter will redirect outbound trafc, load balancing it among the dened real servers in the group. In this case, the real servers represent IP interfaces on the dirty-side switch.
>> Filter 10# /cfg/slb/filt 15 >> Filter 15# sip any >> Filter 15# dip any >> Filter 15# proto any >> Filter 15# action redir >> Filter 15# group 1 >> Filter 15# ena (Select filter 15) (From any source IP address) (To any destination IP address) (For any protocol) (Perform redirection) (To real server group 1) (Enable the filter)
15
Add the lters to the ingress ports for the outbound packets. Redirection lters are needed on all the ingress ports on the clean-side application switch. Ingress ports are any that attach to real servers or internal clients on the clean-side of the network. In this case, two real servers are attached to the clean-side application switch on port 4 and port 5.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
681
>> Filter 15# /cfg/slb/port 4 >> SLB Port 4# add 10 >> SLB Port 4# add 15 >> SLB Port 4# filt ena >> SLB Port 4# /cfg/slb/port 5 >> SLB Port 5# add 10 >> SLB Port 5# add 15 >> SLB Port 5# filt ena
(Select ingress port 4) (Add the filter to the ingress port) (Add the filter to the ingress port) (Enable filtering on the port) (Select ingress port 5) (Add the filter to the ingress port) (Add the filter to the ingress port) (Enable filtering on the port)
16
Dene static routes to the dirty-side IP interfaces, using the rewalls as gateways. One static route is required for each rewall path being load balanced. In this case, two paths are required: one that leads to dirty-side IF 2 (10.1.1.1) through the rst rewall (10.1.3.10) as its gateway, and one that leads to dirty-side IF 3 (10.1.2.1) through the second rewall (10.1.4.10) as its gateway.
>> SLB Port 5# /cfg/l3/route/ip4 >> IP Static Route# add 10.1.1.1 255.255.255.255 10.1.3.10 >> IP Static Route# add 10.1.2.1 255.255.255.255 10.1.4.10
Note: Conguring static routes for FWLB does not require IP forwarding to be turned on. 17 Apply and save the conguration changes
>> # apply >> # save
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Four-Subnet FWLB
The four-subnet FWLB method is often deployed in large networks that require high-availability solutions. This method uses ltering, static routing, and Virtual Router Redundancy Protocol (VRRP) to provide parallel rewall operation between redundant application switches. "Four-Subnet FWLB Topology" (page 682) shows one possible network topology using the four-subnet method:
Four-Subnet FWLB Topology
This network is classied as a high-availability network because no single component or link failure could cause network resources to become unavailable. Simple switches and vertical block interswitch connections are used to provide multiple paths for network failover. However, the interswitch links may trunked together with multiple ports for additional protection from failure. Note: Other topologies that use internal hubs, or diagonal cross-connections between the Nortel Application Switches and simple switches are also possible. While such topologies may resolve networking issues in special circumstances, they can make conguration more complex and can cause restrictions on the use of advanced features such as Active-Active VRRP, free-metric FWLB, or Content Intelligent Switching. Alternate topologies are explored in more detail in Nortel Application Switch Operating System FWLB white papers, but are not within the scope of this manual. As shown in "Four-Subnet FWLB Topology" (page 682), the network is divided into four sections: Subnet 1 includes all equipment between the exterior routers and dirty-side application switches. Subnet 2 includes the dirty-side application switches with their interswitch link, and dirty-side rewall interfaces.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
683
Subnet 3 includes the clean-side rewall interfaces, and clean-side application switches with their interswitch link. Subnet 4 includes all equipment between the clean-side application switches and their servers.
In this network, external trafc arrives through both routers. Since VRRP is enabled, one of the dirty-side application switches acts as primary and receives all trafc. The dirty-side primary application switch performs FWLB in a fashion similar to basic FWLB: a redirection lter splits trafc into multiple streams which are routed through the available rewalls to the primary clean-side application switch. Just as with the basic method, four-subnet FWLB uses the hash metric to distribute rewall trafc and maintain persistence, though other load-balancing metrics can be used by conguring an additional Return to Sender (RTS) option (see "Free-Metric FWLB" (page 701)).
Step 1
Action Incoming trafc converges on the primary dirty-side application switch. External trafc arrives through redundant routers. A set of interconnected switches ensures that both routers have a path to each dirty-side application switch.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
VRRP is congured on each dirty-side application switch so that one acts as the primary routing switch. If the primary fails, the secondary takes over. 2 FWLB is performed between primary application switches. Just as with basic FWLB, lters on the ingress ports of the dirty-side application switch redirect trafc to a real server group composed of multiple IP addresses. This conguration splits incoming trafc into multiple streams. Each stream is then routed toward the primary clean-side application switch through a different rewall. Although other load balancing metrics can be used in some congurations (see "Free-Metric FWLB" (page 701)), the distribution of trafc within each stream is normally based on a mathematical hash of the IP source and destination addresses. Hashing ensures that each request and its related responses will use the same rewall (a feature known as persistence), and that the streams will be statistically equal in trafc load. 3 The primary clean-side application switch forwards the trafc to its destination. Once trafc arrives at the primary clean-side application switch, it is forwarded to its destination. In this example, the application switch uses regular server load balancing settings to select a real server on the internal network for each incoming request. The same process is used for outbound server responses; a lter on the clean-side application switch splits the trafc, and static routes forward each response stream back through the same rewall that forwarded the original request. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
685
Note: The port designations of both dirty-side application switches are identical, as are the port designations of both clean-side application switches. This simplies conguration by allowing you to synchronize each primary application switchs conguration with the secondary. Four-subnet FWLB conguration is summarized as follows: Congure routers and rewalls and test them for proper operation. Congure VLANs, IP interfaces, and static routes on all application switches and test them. Congure secondary application switches with VRRP support settings. Congure FWLB groups and redirection lters on the primary dirty-side application switch. Congure and synchronize VRRP on the primary dirty-side application switch. Congure FWLB and SLB groups, and add FWLB redirection lters on the primary clean-side application switch. Congure VRRP on the primary clean-side application switch and synchronize the secondary.
In this example, the external clients intend to connect to services at a publicly advertised IP address on this network. Since the real servers are load balanced behind a virtual server on the clean-side application switch using normal SLB settings, the routers require a static route to the virtual server IP address. The next hop for this static route is the application switch Virtual Interface Router (VIR), which is in the same subnet as the routers:
Route Added: 10.10.4.100 (to clean-side virtual server) via 195.1.1.9 (Subnet 1 VIR)
The rewalls must also be congured with rules that determine which types of trafc will be forwarded through the rewall and which will be dropped. All rewalls participating in FWLB must be congured with the same set of rules.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
687
Note: It is important to test the behavior of the rewalls prior to adding FWLB.
Note: Port 25 is part of VLAN 1 by default and does not require manual conguration. 2 Congure IP interfaces on the primary dirty-side application switch. Three IP interfaces (IFs) are used. IF 1 is on placed on Subnet 1. IF 2 will be used for routing trafc through the top rewall. IF 3 will be used for routing trafc through the lower rewall. To avoid confusion, IF 2 and IF 3 will be used in the same way on all application switches.
>> >> >> >> >> >> >> >> >> >> >> >> >> >> # # # # # # # # # # # # # # /cfg/l3/if 1 mask 255.255.255.0 addr 195.1.1.10 ena /cfg/l3/if 2 mask 255.255.255.0 addr 10.10.2.1 vlan 2 ena /cfg/l3/if 3 mask 255.255.255.255 addr 10.10.2.2 vlan 2 ena
Note: By conguring the IP interface mask prior to the IP address, the broadcast address is automatically calculated. Also,
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
only the rst IP interface in a given subnet is given the full subnet range mask. Subsequent IP interfaces (such as IF 3) are given individual masks. 3 Turn Spanning Tree Protocol (STP) off for the primary dirty-side application switch.
>> # /cfg/l2/stg #/off
Congure static routes on the primary dirty-side application switch. Four static routes are required: To primary clean-side IF 2 via Firewall 1 using dirty-side IF 2 To primary clean-side IF 3 via Firewall 2 using dirty-side IF 3 To secondary clean-side IF 2 via Firewall 1 using dirty-side IF 2 To secondary clean-side IF 3 via Firewall 2 using dirty-side IF 3 Note: Remember, IF 2 is being used on all application switches whenever routing through the top rewall, and IF 3 is being used on all application switches whenever routing through the lower rewall. The static route add command uses the following format: add <destination address> <dest. address> <source interface> mask> <gateway
Note: When dening static routes for FWLB, it is important to specify the source IP interface numbers. 5 When dynamic routing protocols are not used, congure a gateway to the external routers.
>> # /cfg/l3/gw 1/addr 195.1.1.1 >> # /cfg/l3/gw 2/addr 195.1.1.2
689
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
# # # # #
/cfg/l3/frwd/route add 10.10.3.1 255.255.255.255 10.10.2.3 2 add 10.10.3.2 255.255.255.255 10.10.2.4 3 add 10.10.3.11 255.255.255.255 10.10.2.3 2 add 10.10.3.12 255.255.255.255 10.10.2.4 3
When dynamic routing protocols are not used, congure a gateway to the external routers on the secondary dirty-side switch.
>> # /cfg/l3/gw 1/addr 195.1.1.1 >> # /cfg/l3/gw 2/addr 195.1.1.2
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
691
>> >> >> >> >> >> >> >> >> >> >> >> >> >> >>
# # # # # # # # # # # # # # #
/cfg/l3/if 1 mask 255.255.255.0 addr 10.10.4.10 vlan 4 ena /cfg/l3/if 2 mask 255.255.255.0 addr 10.10.3.1 vlan 3 ena /cfg/l3/if 3 mask 255.255.255.255 addr 10.10.3.2 vlan 3 ena
Spanning Tree Protocol is disabled because VLANs prevent broadcast loops. 4 Congure static routes on the primary clean-side application switch. Four static routes are needed: To primary dirty-side IF 2 via Firewall 1 using clean-side IF 2 To primary dirty-side IF 3 via Firewall 2 using clean-side IF 3 To secondary dirty-side IF 2 via Firewall 1 using clean-side IF 2 To secondary dirty-side IF 3 via Firewall 2 using clean-side IF 3
The static route add command uses the following format: add <destination address> <dest. address> <source interface> mask> <gateway
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
693
Spanning Tree Protocol is disabled because VLANs prevent broadcast loops. 4 Congure static routes on the secondary clean-side application switch.
>> >> >> >> >> # # # # # /cfg/l3/frwd/route add 10.10.2.1 255.255.255.255 10.10.3.3 2 add 10.10.2.2 255.255.255.255 10.10.3.4 3 add 10.10.2.11 255.255.255.255 10.10.3.3 2 add 10.10.2.12 255.255.255.255 10.10.3.4 3
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
In this example, the secondary application switch is congured to use primary dirty-side interface 1 as its peer.
>> >> >> >> >> >> >> >> # # # # # # # # /cfg/l3/vrrp/on /cfg/slb on sync/peer 1 addr 195.1.1.10 ena apply save
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
695
>> >> >> >> >> >> >> >> >> >> >> >>
# # # # # # # # # # # #
/cfg/slb on real 1 rip 10.10.3.1 ena /cfg/slb/real 2 rip 10.10.3.2 ena /cfg/slb/group 1 add 1 add 2 metric hash
Using the hash metric, all trafc between specic IP source/destination address pairs ows through the same rewall, ensuring that sessions established by the rewalls are maintained for their duration (persistence). Note: Other load balancing metrics, such as leastconns, roundrobin, minmiss, response, and bandwidth, can be used when enabling the Return to Sender (RTS) option. For more information, see "Free-Metric FWLB" (page 701). 2 Create the FWLB lters. Three lters are required on the port attaching to the routers:
>> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >>
Filter 10 prevents local trafc from being redirected. Filter 20 prevents VRRP trafc (and other multicast trafc on the reserved 224.0.0.0/24 network) from being redirected. Filter 2048 redirects the remaining trafc to the rewall group.
# # # # # # # # # # # # # # # # # /cfg/slb/filt 10 dip 195.1.1.0 dmask 255.255.255.0 ena /cfg/slb/filt 20 dip 224.0.0.0 dmask 255.255.255.0 ena /cfg/slb/filt 2048 action redir group 1 ena /cfg/slb/port 1 filt ena add 10 add 20 add 2048
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Congure VRRP on the primary dirty-side application switch. VRRP in this example requires two virtual routersone for the subnet attached to the routers, and one for the subnet attached to the rewalls.
>> # /cfg/l3/vrrp >> # on >> # vr 1 >> # vrid 1 >> # addr 195.1.1.9 >> >> >> >> >> >> >> >> # # # # # # # # if 1 prio 101 share dis ena track ifs ena ports ena /cfg/l3/vrrp/vr 2 (Configure virtual router 2) (For the subnet attached to the firewall) (Configure virtual router 1) (For the subnet attached to the routers)
>> # vrid 2 >> # addr 10.10.2.9 >> >> >> >> >> >> >> # # # # # # # if 2 prio 101 share dis ena track ifs ena ports ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
697
Synchronize primary and secondary dirty-side application switches for the VRRP conguration.
>> # /oper/slb/sync
End
Note: The clean-side application switch must use the same metric as dened on the dirty side. For information on using metrics other than hash, see "Free-Metric FWLB" (page 701).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Create an SLB real server group on the primary clean-side application switch, to which trafc will be load-balanced. The external clients intend to connect to HTTP services at a publicly advertised IP address. The servers on this network are load balanced by a virtual server on the clean-side application switch. SLB options are congured as follows:
>> # /cfg/slb >> # real 20 >> # rip 10.10.4.20 >> # ena >> # /cfg/slb/real 21 >> # rip 10.10.4.21 >> # ena >> # /cfg/slb/real 22 >> # rip 10.10.4.22 >> # ena >> # /cfg/slb/group 2 >> # add 20 >> # add 21 >> # add 22 >> # metric leastconns >> # /cfg/slb/virt 1 >> # vip 10.10.4.100 >> # service http >> # group 2 >> # ena >> # /cfg/slb/port 26/server ena >> # /cfg/slb/port 25/client ena >> # /cfg/slb/port 28/client ena (Select least connections as the load balancing metric) (Select the virtual server 1 menu) (Set the virtual server IP address) (Select HTTP for load balancing) (Add real server group 2) (Enable the virtual server) (Enable server processing on the port connected to the real servers) (Enable client processing on the port connected to the firewall) (Enable client processing on the inter- switch connection) (Select the SLB menu) (Select real server 20) (Set IP address of real server 20) (Enable) (Select real server 21) (Set IP address of real server 21) (Enable) (Select real server 22) (Set IP address of real server 22) (Enable) (Select real server group 2) (Add the real servers to the group)
Note: The virtual server IP address congured in this step will also be congured as a Virtual Server Router (VSR) when VRRP is congured in a later step.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
699
Create the FWLB lters on the primary clean-side application switch. Three lters are required on the port attaching to the real servers:
>> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >>
Filter 10 prevents local trafc from being redirected. Filter 20 prevents VRRP trafc from being redirected. Filter 2048 redirects the remaining trafc to the rewall group.
# # # # # # # # # # # # # # # # # /cfg/slb/filt 10 dip 10.10.4.0 dmask 255.255.255.0 ena /cfg/slb/filt 20 dip 224.0.0.0 dmask 255.255.255.0 ena /cfg/slb/filt 2048 action redir group 1 ena /cfg/slb/port 4 filt ena add 10 add 20 add 2048
Congure VRRP on the primary clean-side application switch. VRRP in this example requires two virtual routers to be conguredone for the subnet attached to the real servers, and one for the subnet attached to the rewalls.
>> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> # # # # # # # # # # # # # # # # # /cfg/l3/vrrp on vr 1 vrid 3 addr 10.10.4.9 if 1 prio 100 share dis ena track ifs ena ports ena /cfg/l3/vrrp/vr 2 vrid 4 addr 10.10.3.9 if 2 prio 101
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
# # # # #
A third virtual router is required for the virtual server used for optional SLB.
>> >> >> >> >> >> >> >> >> # # # # # # # # # /cfg/l3/vrrp/vr 3 vrid 5 addr 10.10.4.100 prio 102 share dis ena track ifs ena ports ena
Synchronize primary and secondary dirty-side application switches for the VRRP conguration.
>> # /oper/slb/sync
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
701
To use free-metric FWLB in this network, the following conguration changes are necessary. Step 1 Action On the clean-side application switch, enable RTS on the ports attached to the rewalls (ports 2 and 3). Enable lter and server processing on ports 2 and 3, so that the responses from the real server are looked up in the session table.
>> # /cfg/slb/port 2/rts enable >> # /cfg/slb/port 3/rts enable
On the clean-side application switch, remove the redirection lter from the ports attached to the real servers (ports 4 and 5), but make sure lter processing is enabled. The redirection lter is removed so that the return packet traverses through the same rewall. If the rewalls synchronize their states, then it is not required to remove the redirection lter. Filter processing is enabled to make use of the RTS-created sessions.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
# # # #
/cfg/slb/port 4/rem 2048 filt ena /cfg/slb/port 5/rem 2048 filt ena
Make sure to use the hash metric if the session is from an FTP or RTSP servers. 3 On the dirty-side application switch, set the FWLB metric.
>> # /cfg/slb/group 1 >> # metric <metric type>
Any of the following load-balancing metrics can be used: hash, leastconns, roundrobin, minmiss, response, and bandwidth. See "Metrics for Real Server Groups" (page 202) for details on using each metric. Note: Some metrics allow other options (such as weights) to be congured. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
703
To use free-metric FWLB in this network, the following conguration changes are necessary. Step 1 Action On the clean-side application switches, enable RTS on the ports attached to the rewalls (port 3) and on the interswitch port (port 9). Enable lter and server processing on ports 3 and 9, so that the responses from the real server are looked up in the session table. On both clean-side switches:
>> # /cfg/slb/port 3/rts enable >> # /cfg/slb/port 9/rts enable
On the clean-side application switches, remove the redirection lter from the ports attached to the real servers (ports 4), but make sure lter processing is enabled. To view the original redirection lters that were congured for the four-subnet example, see Step step 3. On both clean-side switches:
>> # /cfg/slb/port 4/rem 2048 >> # filt ena
On the dirty-side application switches, set the FWLB metric. On both dirty-side application switches:
>> # /cfg/slb/group 1 >> # metric <metric type>
Any of the following load-balancing metrics can be used: hash, leastconns, roundrobin, minmiss, response, and bandwidth. See "Metrics for Real Server Groups" (page 202) for details on using each metric. Note: Some metrics allow other options (such as weights) to be congured. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The DMZ servers can be attached to the application switch directly or through an intermediate hub or switch. The application switch is then congured with lters to permit or deny access to the DMZ servers. In this manner, two levels of security are implemented: one that restricts access to the DMZ through the use of application switch lters, and another that restricts access to the clean network through the use of stateful inspection performed by the rewalls. You could add the lters required for the DMZ (to each application switch) as follows: Step 1 Action On the dirty-side application switch, create the lter to allow HTTP trafc to reach the DMZ Web servers. In this example, the DMZ Web servers use IP addresses 205.178.29.0/24.
>> # /cfg/slb/filt 80 >> Filter 80# sip any (Select filter 80) (From any source IP address)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
705
>> Filter 80# dip 205.178.29.0 >> Filter 80# dmask 255.255.255.0 >> Filter 80# proto tcp >> Filter 80# sport any >> Filter 80# dport http >> Filter 80# action allow >> Filter 80# ena
(To the DMZ base destination) (For the range of DMZ addresses) (For TCP protocol traffic) (From any source port) (To an HTTP destination port) (Allow the traffic) (Enable the filter)
Create another lter to deny all other trafc to the DMZ Web servers.
>> Filter 80# /cfg/slb/filt 89 >> Filter 89# sip any >> Filter 89# dip 205.178.29.0 >> Filter 89# dmask 255.255.25 5.0 >> Filter 89# proto any >> Filter 89# action deny >> Filter 89# ena (Select filter 89) (From any source IP address) (To the DMZ base destination) (For the range of DMZ addresses) (For TCP protocol traffic) (Allow the traffic) (Enable the filter)
Note: The deny lter has a higher lter number than the allow lter. This is necessary so that the allow lter has the higher order of precedence. 3 Add the lters to the trafc ingress ports.
>> Filter 89# /cfg/slb/port 1 >> SLB Port 1# add 80 >> SLB Port 1# add 89 (Select the ingress port) (Add the allow filter) (Add the deny filter)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
707
Step 1
Congure a "dummy" redirect lter as the last lter (after the redirect all lter) to force the HTTP health checks to activate, as shown below:
>> # /cfg/slb/filt 2048 >> Filter 2048# proto tcp >> Filter 2048# action redir >> Filter 2048# group 1 >> Filter 2048# rport http >> Filter 2048# ena (Select filter 2048) (For TCP protocol traffic) (Redirect the traffic) (Set real server group for redirection) (Set real server port for redirection) (Enable the filter)
Note: Make sure that the number of each real lter is lower than the number of the "dummy" redirect lter. 4 Apply lter to the port directed to the rewall.
>> # /cfg/slb/port #/add 2048 (Add the dummy filter)
In addition to HTTP, Nortel Application Switch Operating System allows you to congure up to 5 different TCP services to listen for health checks. For example, you can congure FTP and SMTP ports to perform health checks. Refer to "Well-Known Application Ports" (page 199) for a list of other well-known application ports. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Overview
A VPN is a connection that has the appearance and advantages of a dedicated link, but it occurs over a shared network. Using a technique called tunneling, data packets are transmitted across a routed network, such as the Internet, in a private tunnel that simulates a point-to-point connection. This approach enables network trafc from many sources to travel via separate tunnels across the infrastructure. It also enables trafc from many sources to be differentiated, so that it can be directed to specic destinations and receive specic levels of service. VPNs provide security features of a rewall, network address translation, data encryption, and authentication and authorization. Since most of the data sent between VPN initiators and terminators is encrypted, network devices cannot use information inside the packet to make intelligent routing decisions.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
709
In many VPN/rewall congurations it may not be possible to use the hash algorithm on the source and destination address, because the address may be encrypted inside the datagram. Also, the source/destination IP address of the packet may change as the packet traverses from the dirty-side switches to clean-side switches and back. To support VPN load balancing, the Nortel Application Switch records state on frames entering the switch to and from the VPNs. This session table ensures that the same VPN server handles all the trafc between an inside host and an outside client for a particular session. Note: VPN load balancing is supported for connecting from remote sites to the network behind the VPN cluster IP address. Connection initiated from clients internal to the VPN gateways is not supported. Basic frame ow, from the dirty side of the network to the clean side, is shown in "Basic Network Frame Flow and Operation" (page 709). An external client is accessing an internal server. The VPN devices do not perform Network Address Translation (NAT).
Basic Network Frame Flow and Operation
The basic steps that occur at the switches when a request arrives from the Internet are described below:
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1 2 3
Action The client prepares to send trafc to the destination real server (with IP address E10). The VPN client software encrypts the packet and sends it to the cluster IP address (D3) of the VPN devices. Nortel Application Switch 1 makes an entry in the session table and forwards the packet to VPN device 1. It is recommended to use the hash load-balancing metric to select the VPN device.
4 5
The VPN device 1 strips the IP header and decrypts the encrypted IP header. Nortel Application Switch 2 forwards the packet to the real server. End
If an entry is found, the frame is forwarded normally. If an entry is not found, the switch determines which VPN device processed the frame by performing a lookup with the source MAC address of the frame. If the MAC address matches a MAC address of a VPN device, the switch adds an entry to the session table so that reverse trafc is redirected to the same VPN device.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
711
The following example illustrates VPN load balancing with two VPN devices and four Nortel Application Switches in a four subnet scenario.
VPN Load-Balancing Conguration Example
Build the topology illustrated in "VPN Load-Balancing Conguration Example" (page 711), and congure the switches as shown in the following sections.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Dene the clean-side IP interfaces. Create one clean-side IP interface on a different subnet for each VPN device being load balanced.
>> # /cfg/l3/if 1/ena >> IP Interface 1# mask 255.255.255.0 >> IP Interface 1# addr 30.0.0.10 >> IP Interface 1# vlan 1 >> IP Interface 1# /cfg/l3/if 2/ena >> IP Interface 2# mask 255.255.255.0 >> IP Interface 2# addr 20.0.0.10 >> IP Interface 2# vlan 2 >> IP Interface 2# /cfg/l3/if 3/ena >> IP Interface 3# mask 255.255.255.255 >> IP Interface 3# addr 20.0.0.11 >> IP Interface 3# vlan 2 (Select IP interface 1 and enable) (Set subnet mask for interface 1) (Set IP address for interface 1) (For VLAN 1) (Select IP interface 2 and enable) (Set subnet mask for interface 2) (Set IP address for interface 2) (For VLAN 2) (Select IP interface 3 and enable) (Set subnet mask for interface 3) (Set IP address for interface 3) (For VLAN 2)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
713
Congure routes for each of the IP interfaces you congured in Step 4 using the VPN devices as gateways. One static route for redirection is required for each VPN device being load balanced.
>> # /cfg/l3/route >> IP Static Route# add 10.0.0.10 >> IP Static Route# 255.255.25 5.255 >> IP Static Route# 20.0.0.101 >> IP Static Route# 2 >> IP Static Route# add 10.0.0.11 >> IP Static Route# 255.255.25 5.255 >> IP Static Route# 20.0.0.102 >> IP Static Route# 3 >> IP Static Route# add 10.0.0.20 >> IP Static Route# 255.255.25 5.255 >> IP Static Route# 20.0.0.101 >> IP Static Route# 2 >> IP Static Route# add 10.0.0.21 >> IP Static Route# 255.255.25 5.255 >> IP Static Route# 20.0.0.102 >> IP Static Route# 3 (Static route destination IP address) (Destination subnet mask) (Enter gateway IP address) (For interface 2) (Enter destination IP address) (Destination subnet mask) (Enter gateway IP address) (For interface 3) (Enter destination IP address) (Destination subnet mask) (Enter gateway IP address) (For interface 2) (Static route destination IP address) (Destination subnet mask) (Enter gateway IP address) (For interface 3)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> VRRP Virtual Router 1# prio 101 >> VRRP Virtual Router 1# addr 30.0.0.50 >> VRRP Virtual Router 1# share dis >> VRRP Virtual Router 1# track >> VRRP VR 1 Priority Tracking# vrs ena >> VRRP VR 1 Priority Tracking# apply >> VRRP VR 1 Priority Tracking# save
(Set the renter priority) (Set IP address of virtual router) (Disable sharing) (Select virtual router tracking menu) (Enable tracking of virtual routers) (Apply the configuration) (Save the configuration)
>> VRRP VR 1 Priority Tracking# /cfg/l3/vrrp/vr 2 (Select virtual router 2 menu) >> VRRP Virtual Router 2# ena >> VRRP Virtual Router 2# vrid 2 >> VRRP Virtual Router 2# if 2 >> VRRP Virtual Router 2# prio 101 >> VRRP Virtual Router 2# addr 20.0.0.1 >> VRRP Virtual Router 2# share dis >> VRRP Virtual Router 2# track >> VRRP VR 2 Priority Tracking# ports ena >> VRRP VR 2 Priority Tracking# apply >> VRRP VR 2 Priority Tracking# save (Enable the virtual router) (Assign virtual router ID 2) (To interface number 2) (Set the renter priority) (Set IP address of virtual router) (Disable sharing) (Select Virtual Router Tracking Menu) (Track VLAN switch ports) (Apply the configuration) (Save the configuration)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
715
>> # /cfg/slb/real 1/ena >> Real server 1 # rip 10.0.0.10 >> Real server 1 # /cfg/slb/rea l 2/ena >> Real server 2 # rip 10.0.0.11 >> Real server 2 # /cfg/slb/rea l 3/ena >> Real server 3 # rip 10.0.0.20 >> Real server 3 # /cfg/slb/rea l 4/ena >> Real server 4 # rip 10.0.0.21
(Enable slb for real server 1) (Assign IP address for real server 1) (Enable SLB for real server 2) (Assign IP address for real server 2) (Enable SLB for real server 3) (Assign IP address for real server 3) (Enable SLB for real server 4) (Assign IP address for real server 4)
Congure real server group 1, and add real servers 1, 2, 3, and 4 to the group.
>> # /cfg/slb/group 1 >> Real server group 1# metric hash >> Real server group 1# add 1 (Configure real server group 1) (Select SLB hash metric for group 1) (Add real servers 1-4 to group 1)
10
11
Enable lter processing on the server ports so that the responses from the real server is looked up in the VPN session table.
>> # /cfg/slb/port 1/filt ena
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
12
When dynamic routing protocols are not used, congure a gateway to the external router.
>> # /cfg/l3/gw 1/addr 192.168.10.50
13
End
Dene the clean-side IP interfaces. Create one clean-side IP interface on a different subnet for each VPN device being load balanced.
>> # /cfg/l3/if 1/ena/mask 255.255.255.0/addr 30.0.0.11 >> # /cfg/l3/if 2/ena/mask 255.255.255.0/addr 20.0.0.20/vl 2 >> # /cfg/l3/if 3/ena/mask 255.255.255.255/addr 20.0.0.21/vl 2
Congure routes for each of the IP interfaces you congured in Step 4, using the VPN devices as gateways.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
717
One static route is required for each VPN device being load balanced.
>> >> >> >> >> # # # # # /cfg/l3/route add 10.0.0.10 add 10.0.0.11 add 10.0.0.20 add 10.0.0.21
2 3 2 3
Congure Virtual Router Redundancy Protocol (VRRP) for virtual routers 1 and 2.
>> # /cfg/l3/vrrp/on >> Virtual Router Redundancy Protocol# vr 1 >> VRRP Virtual Router 1# ena >> VRRP Virtual Router 1# vrid 1 >> VRRP Virtual Router 1# if 1 >> VRRP Virtual Router 1# addr 30.0.0.50 >> VRRP Virtual Router 1# share dis >> VRRP Virtual Router 1# track/vrs ena >> VRRP Virtual Router 1 Priority Tracking# /cfg/l3/vrrp/vr 2 >> VRRP Virtual Router 2# ena >> VRRP Virtual Router 2# vrid 2 >> VRRP Virtual Router 2# if 2 >> VRRP Virtual Router 2# addr 20.0.0.1 >> VRRP Virtual Router 2# share dis >> VRRP Virtual Router 2# track/ports ena
Enable SLB.
>> VRRP Virtual Router 2 Priority Tracking# /cfg/slb/on
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
10
11
Enable lter processing on the server ports so that the response from the real server will be looked up in VPN session table.
>> SLB port 25# /cfg/slb/port 1/filt ena
12
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
719
Dene static routes for each of the IP interfaces you congured in Step 4, using the VPN devices as gateways. One static route is required for each VPN device being load balanced.
>> >> >> >> >> # # # # # /cfg/l3/route add 20.0.0.10 add 20.0.0.11 add 20.0.0.20 add 20.0.0.21
2 3 2 3
Enable SLB.
>> VRRP Virtual Router 1 Priority Tracking# /cfg/slb/on
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Layer 4# real 1/ena/rip 20.0.0.10 Real server 1# /cfg/slb/real 2/ena/rip 20.0.0.11 Real server 2# /cfg/slb/real 3/ena/rip 20.0.0.20 Real server 3# /cfg/slb/real 4/ena/rip 20.0.0.21
10
Congure the lters to allow local subnet trafc on the dirty side of the VPN device to reach the VPN device interfaces.
>> >> >> >> >> >> >> >> >> >> # # # # # # # # # # /cfg/slb/filt 100 ena sip any dip 192.168.10.0/dmask 255.255.255.0 action allow /cfg/slb/filt 110 ena sip any dip 224.0.0.0/dmask 255.0.0.0 action allow
11
Create the redirection lter and enable rewall load balancing. This lter will redirect inbound trafc, redirecting it among the dened real servers in the group.
>> >> >> >> >> >> >> # # # # # # # /cfg/slb/filt 2048 ena sip any dip any action redir /cfg/slb/filt 2048/adv fwlb ena
12
Create a lter to allow the management rewall (Policy Server) to reach the VPN rewall.
>> >> >> >> >> # # # # # /cfg/slb/filt 120 ena sip 192.168.10.120 smask 255.255.255.255 dip 10.0.0.0 dmask 255.255.255.0
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
721
13
14
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
# # # # #
2 3 2 3
Enable SLB.
>> # /cfg/slb/on
Enable the real server group, and place real servers 1-4 into the real server group.
>> # /cfg/slb/group 1 >> # metric hash >> # add 1/add 2/add 3/add 4
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
723
10
Congure the lters to allow local subnet trafc on the dirty side of the VPN device to reach the VPN device interfaces.
>> >> >> >> >> >> >> >> # # # # # # # # /cfg/slb/filt 100 ena sip any dip 192.168.10.0/dmask 255.255.255.0 /cfg/slb/filt 110 ena sip any dip 224.0.0.0/dmask 255.0.0.0
11
Create the redirection lter and enable rewall load balancing. This lter will redirect inbound trafc, among the dened real servers in the group.
>> >> >> >> >> >> >> >> # # # # # # # # /cfg/slb/filt 2048 ena sip any dip any proto any action redir /cfg/slb/filt 2048/adv fwlb ena
12
13
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
724 Part 4: Advanced Switching Checkpoint Rules for Both VPN Devices as Seen in the Policy Editor
Step 1
Action Disconnect the cables (cause failures) to change the available servers that are up
>> # /info/slb/dump (Verify which servers are up)
This should change the VRRP preferences. You can view VRRP preferences using the CLI command /info/l3/vrrp. 2 Watch for accepted and dropped trafc. In the tool bar above, click on Window, then Log Viewer. Note: To help simplify the logs, the health checks are not logged. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
725
3 4 5
Enter the policy server IP address: 192.168.10.120. You have the option of adding a nickname. Launch a browser (such as Netscape or Internet Explorer) and go to http://30.0.0.100 You will be prompted for authentication. Enter vpnuser for user name and alteon for the password.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
If there are other services running on other servers in the internal network, you should be able to reach those services. All trafc traveling over the VPN is decrypted at the VPN device. You can verify which VPN device is being used by looking at the Log Viewer. You should also be able to see the client authentication as well as the decrypted trafc. To verify that the FWLB and hash metric is working correctly on the dirty-side switches (that is, hashed on client IP address/destination IP address), congure your current client with an IP address one higher (or lower) in the last octet, and try to reestablish the VPN connection. Or, add another PC on the dirty side and connect to it. Note: When many clients are coming from behind a VPN gateway (for example, not using the SecuRemote clients but using a VPN 1 Gateway or other compatible VPN Gateway), you will not see load balancing across those clients. Each SecuRemote client will be treated differently, but each VPN 1 Gateway will be treated as one client each (that is, one Client IP address). VPN Device 1 and VPN Device 2 belong to one cluster IP. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
727
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
GSLB Overview
GSLB allows balancing server trafc load across multiple physical sites. The Nortel Application Switch Operating System GSLB implementation takes into account an individual sites health, response time, and geographic location to smoothly integrate the resources of the dispersed server sites for complete global performance.
Benets
GSLB meets the following demands for distributed network services: High content availability is achieved through distributed content and distributed decision making. If one site becomes disabled, the others become aware of it and take up the load. There is no latency during client connection set up. Instant site hand-off decisions can be made by any distributed switch.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
729
The best performing sites receive a majority of trafc over a given period of time but are not overwhelmed. Switches at different sites regularly exchange information through the Distributed Site State Protocol ( DSSP), and can trigger exchanges when any sites health status changes. This ensures that each active site has valid state knowledge and statistics. DSSP v1.0 and DSSP v2.0 are supported. GSLB implementation takes geography as well as network topology into account. Creative control is given to the network administrator or Webmaster to build and control content by user, location, target application, and more. GSLB is easy to deploy, manage, and scale. Switch conguration is straightforward. There are no complex system topologies involving routers, protocols, and so forth. Flexible design options are provided. All IP protocols are supported.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
730 Part 4: Advanced Switching DNS Resolution with Global Server Load Balancing
The DNS resolution for GSLB is described in detail in the following procedure: Step 1 2 Action The client Web browser requests the "www.example.com" IP address from the local DNS. The clients DNS asks its upstream DNS, which in turn asks the next, and so on, until the address is resolved. Eventually, the request reaches an upstream DNS server that has the IP address information available or the request reaches one of the Example, Inc. DNS servers. 3 The Example Inc.s San Jose DNS tells the local DNS to query the Nortel Application Switch with GSLB software as the authoritative name server for "www.example.com." The San Jose switch responds to the DNS request, listing the IP address with the current best service. Each switch with GSLB software is capable of responding to the clients name resolution request. Since each switch regularly checks and communicates health and performance information with its peers, either switch can determine which site(s) are best able to serve the clients Web access needs. It can respond with a list of IP addresses for the Example Inc.s distributed sites, which are prioritized by performance, geography, and other criteria.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
731
In this case, the San Jose switch knows that Example Inc. Denver currently provides better service, and lists Example Inc. Denvers virtual server IP address rst when responding to the DNS request. 5 The client connects to Example Inc. Denver for the best service. The clients Web browser will use the IP address information obtained from the DNS request to open a connection to the best available site. The IP addresses represent virtual servers at any site, which are locally load balanced according to regular SLB conguration. If the site serving the client HTTP content suddenly experiences a failure (no healthy real servers) or becomes overloaded with trafc (all real servers reach their maximum connection limit), the switch issues an HTTP Redirect and transparently causes the client to connect to another peer site. The end result is that the client gets quick, reliable service with no latency and no special client-side conguration. End
GSLB Metrics
This section describes all GSLB metrics. All metrics can be prioritized for selection order, and can be weighted on a per site basis. For details on the conguration parameters of GSLB metrics, see the /cfg/slb/gslb/rule menu and the command descriptions in the Nortel Application Switch Operating System 24.0 Command Reference. The following is a list of all GSLB metrics: Session utilization capacity threshold This metric causes the GSLB-enabled application switch to not select the server when the session utilization of the server goes above the threshold. The session utilization is the percentage of sessions used over total sessions that results in normalized sessions between servers. When the server is not available, the session utilization is 100%. This is a threshold metric and it overwrites all other metrics. This metric requires remote site updates. CPU utilization capacity threshold This metric causes the GSLB-enabled application switch to not select the server when the CPU utilization of the site with the server goes above the threshold. CPU utilization is the highest CPU utilization for periods of up to 64 seconds among SPs. This is a threshold metric and overwrites all other metrics.This metric requires remote site updates. Session available capacity threshold This metric does not select the server when the number of available sessions on the server falls below
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
the threshold. When the server is not available, the session available is 0. This is a threshold metric and it overwrites all other metrics. This metric requires remote site updates. Geographical preference This metric causes the GSLB-enabled application switch to select the server based on the same IANA region of the source IP address and the server IP address. This metric does not require remote site updates. The command, /info/slb/gslb/geo can be used to obtain a list of the IP address ranges that are mapped to each region. The regions are as follows: North America South America Europe Caribbean Pacic Rim Sub-Sahara Japan Network preferenceThis metric selects the server based on the preferred network of the source IP address. This metric does not require remote site updates. Weighted least connections This metric selects the server based on which server has the lowest session utilization. Session utilization is the percentage of sessions used over total sessions, which results in normalized sessions between servers. A server whose session utilization is 100% is considered unavailable. This metric requires remote site updates. Weighted response time This metric selects the server based on the lowest response time in milliseconds from an SLB health check of the servers. This metric requires SLB health checks and remote site updates. Weighted round robin This metric selects the server based on round robin of the servers. Weighted random This metric selects the server based on uniform random distribution of the servers. Availability This metric selects the same server while the server is still available. If the same server is not available, this metric selects the next server based on a ranking of the local virtual server and remote real server in a list from the highest (48) to the lowest (1) ranking. Multiple servers can have the same priority. This metric allows servers to be grouped based on priorities, or into primary and secondary groups. This metric requires SLB health checks and remote site updates.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
733
Quality of service This metric selects the server based on combination of the lowest session utilization and the lowest response time of the SLB health check of the servers. This metric requires SLB health checks and remote site updates. Minmisses This metric selects the same server based on the hash of source IP address and domain name. The hash calculation uses all the servers that are congured for the domain irrespective of the state of the server. When the server selected is not available, minmisses selects the next available server. Hashing This metric selects the same server based on the hash of source IP address and domain name. The hash calculation uses only the servers that are available for the domain. The server selected may be affected when a server become available or not available since the hash calculation uses only the servers that are available. DNS local This metric selects the local virtual server only when the local virtual server is available. This metric applies to DNS-based GSLB only. DNS always This metric selects the local virtual server even though the local virtual server is not available. This metric applies to DNS-based GSLB only. Remote This metric selects the remote real servers only.
Metric preferences
This metric allows the GSLB selection to use multiple metrics from a metric preference list. The GSLB selection starts with the rst metric in the list. The GSLB selection goes to the next metric when no server is selected, or more than the required servers is selected. The GSLB selection stops when the metric results at least one and no more than the required servers, or after the last metric in the list is reached. For DNS direct-based GSLB, the DNS response can be congured to return up to 10 required servers. For HTTP redirects based GSLB, the required server is one. The following metrics can be selected from the metric preference list. Geographical preference Network preference Least connections Response time Round robin Random Availability Quality of service
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Rules
A rule allows the GSLB selection to use a different GSLB site selection metric preference list, and rules can be set based on the time of day. Each domain has one or more rules. Each rule has a metric preference list. The GSLB selection selects the rst rule that matches for the domain and starts with the rst metric in the metric preference list of the rule. For more information, see "Conguring GSLB with Rules" (page 759).
735
/cfg/slb/gslb/version 3
Availability must be the primary rule metric. The Availability metric must be the rst metric congured in the rst GSLB rule. For information on rule creation, refer to "Rules" (page 734).
Enable Availability Persistence. Enable Availability Persistence on the backup switch (the switch that will take over from the primary switch) using the following command: /oper/slb/gslb/avpersis <virtual server number> enable Note: This is an operational command that will not survive a switch reboot. After the primary server recovers, reversion to the congured availabilities can be accomplished at a convenient time. To do so, use the following command on the switch whose virtual server currently has precedence. This would be the switch with the virtual server that is advertising an availability of 48. /oper/slb/gslb/avpersis <virtual server number> disable. After both sites are reporting their congured availability, turn the feature back on. This is accomplished by enabling Availability Persistence on the switch with the backup server using the following command: /oper/slb/gslb/avpersis <virtual server number> enable. Nortel Application Switch Operating System 24.0 supports the following command to enable or disable Availability Persistence on the backup switch: /cfg/slb/virt <virtual server number>/avpersis enable/disable. End
Activate the GSLB software key. See the Nortel Application Switch Operating System Command Reference for details. Congure the switch at each site with basic attributes. Congure the switch IP interface. Congure the default gateways.
Congure the switch at each site to act as the DNS server for each service that is hosted on its virtual servers. Also, congure the master DNS server to recognize the switch as the authoritative DNS server for the hosted services. Congure the switch at each site for local SLB. Dene each local real server. Group local real servers into real server groups. Dene the local virtual server with its IP address, services, and real server groups. Dene the switch port states. Enable SLB.
Finally, congure each switch so that it recognizes its remote peers. Congure a remote real server entry on each switch for each remote service. This is the virtual server IP address that is congured on the remote peer. Add the remote real server entry to an appropriate real server group. Enable GSLB.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
737
In the following examples, many of the options are left to their default values. See "Additional Server Load Balancing Options" (page 199) for more options. Note: For details about any of the processes or menu commands described in this example, see the Nortel Application Switch Operating System Command Reference.
If using the Browser-Based Interface (BBI) for managing the San Jose switch, change its service port. By default, GSLB listens on service port 80 for HTTP redirection. By default, the Nortel Application Switch Operating System Browser-Based Interface (BBI) also uses port 80. Both services cannot use the same port. If the BBI is enabled (see the
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
/cfg/sys/access/http command in the Nortel Application Switch Operating System Command Reference), congure it to use a different port. For example, enter the following command to change the BBI port to 8080:
>> # /cfg/sys/wport 8080 (Set service port 8080 for BBI)
Port 2 is an UNTAGGED port and its current PVID is 1. Confirm changing PVID from 1 to 101 [y/n]: y Current ports for VLAN 101: empty Pending new ports for VLAN 101: 2 Current status: disabled New status: enabled
Congure another VLAN for local server trafc, and add server ports to this VLAN.
>> # /cfg/l2/vlan 201/name servers >> VLAN 201# add 4/ena (VLAN 201 for local servers) (Add port 4 to VLAN 201)
Port 4 is an UNTAGGED port and its current PVID is 1. Confirm changing PVID from 1 to 201 [y/n]: y Current ports for VLAN 201: empty Pending new ports for VLAN 201: 10 Current status: disabled New status: enabled >> VLAN 201# add 3/ena (Add port 3 to VLAN 201)
Port 3 is an UNTAGGED port and its current PVID is 1. Confirm changing PVID from 1 to 201 [y/n]: y Current ports for VLAN 201: empty Pending new ports for VLAN 201: 3 4
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
739
>> IP Interface 201# mask 255.255.255.0 >> IP Interface 201# vlan 201 >> IP Interface 201# ena
(Assign network mask) (Assign interface to VLAN 201) (Enable IP interface 201)
Dene an IP interface to the Internet. The switch IP interface responds when asked to resolve client DNS requests.
>> # /cfg/l3/if 101 >> IP Interface 101# addr 200.200.200.1 >> IP Interface 101# mask 255.255.255.0 >> IP Interface 101# vlan 101 >> IP Interface 101# ena (Select IP interface 101) (Assign IP address for the interface) (Assign network mask) (Assign interface to VLAN 101) (Enable IP interface 101)
Dene the default ga teway. The router at the edge of the site acts as the default gateway to the Internet. The default gateway address should be on the same subnet as the IP interface 101, which points to the Internet. To congure the default gateway for this example, enter these commands from the CLI:
>> IP Interface 101# /cfg/l3/gw 1 >> Default gateway 1# addr 200.200.200.101 >> Default gateway 1# ena (Select default gateway 1) (Assign IP address for the gateway) (Enable default gateway 1)
Congure the master DNS server to recognize the local GSLB switch as the authoritative name server for the hosted services.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Determine the domain name that will be distributed to both sites and the host name for each distributed service. In this example, the San Jose DNS server is congured to recognize 200.200.200.1 (the IP interface of the San Jose GSLB switch) as the authoritative name server for "www.gslb.example.com." End
Dene each local real server. For each local real server, you must assign a real server number, specify its actual IP address, and enable the real server. For example:
>> Default gateway 1# /cfg/slb/real 10 >> Real server 10# rip 200.2.2.10 >> Real server 10# ena >> Real server 10# /cfg/slb/real 20 (Configure Real Server 10) (Assign IP address to server 10) (Enable real server 10) (Configure Real Server 20)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
741
>> Real server 20# rip 200.2.2.20 >> Real server 20# ena
On the San Jose switch, dene a real server group. Combine the real servers into one service group and set the necessary health checking parameters. In this example, HTTP health checking is used to ensure that Web content is being served. If the index.html le is not accessible on a real server during health checks, the real server will be marked as down.
>> Real server 2# /cfg/slb/group 1 >> Real server group 1# add 10 >> Real server group 1# add 20 >> Real server group 1# health http >> Real server group 1# content index.html (Select real server group 1) (Add real server 10 to group 1) (Add real server 20 to group 1) (Use HTTP for health checks) (Set URL content for health checks)
On the San Jose switch, dene a virtual server. All client requests will be addressed to a virtual server IP address dened on the switch. Clients acquire the virtual server IP address through normal DNS resolution. HTTP uses well-known TCP port 80. In this example, HTTP is congured as the only service running on this virtual server IP address and, is associated with the real server group. For example:
>> Real server group 1# /cfg/slb/virt 1 >> Virtual server 1# vip 200.200.200.100 >> Virtual Server 1# service 80 >> Virtual server 1 http Service# group 1 (Associate virtual port to real group) (Select virtual server 1) (Assign a virtual server IP address)
>> Virtual server 1 http Service# /cfg/slb/virt 1 ena (Enable virtual server)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: This conguration is not limited to HTTP services. For a list of other well-known TCP/IP services and ports, see "Well-Known Application Ports" (page 199). 5 On the San Jose switch, dene the type of Layer 4 trafc processing each port must support. In this example, the following ports are being used on the Nortel Application Switch:
GSLB Example: San Jose Nortel Application Switch Port Usage Port 4 3 2 Host Server 10 Server 20 Layer 4 Processing Server Server
Default Gateway Router. This connects Client the switch to the Internet where all client requests originate.
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
743
Enable DSSP version 2 to send out remote site updates. Unless you are in the middle of network migration from an Nortel Application Switch Operating System version prior to 22.0 you should always enable DSSP version 2.
>> # /cfg/slb/gslb/version 2 (Enable DSSP version 2 updates)
On the San Jose switch, dene each remote site. When you start conguring at the San Jose site, San Jose is local and Denver is remote. Add and enable the remote switchs Internet-facing IP interface address. In this example, there is only one remote site: Denver, with an IP interface address of 74.14.70.2. The following commands are used:
>> # /cfg/slb/gslb/site 2 >> Remote site 2# name site_2 >> Remote site 2# prima 174.14.70.2 >> Remote site 2# ena (Select remote site 2) (Name remote site 2) (Define remote interface) (Enable remote site 1)
Each additional remote site would be congured in the same manner. You can enable up to 64 remote sites. 4 On the San Jose switch, assign each remote distributed service to a local virtual server. Congure the local San Jose site to recognize the services offered at the remote Denver site. To do this, congure one real server entry on the San Jose switch for each virtual server located at each remote site. Since there is only one remote site (Denver) with only one virtual server, only one more local real server entry is needed at the San Jose site.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The new real server entry is congured with the remote virtual server IP address, i.e. Switch 2s VIP address, rather than the usual IP address of a local physical server. Do not confuse this value with the IP interface address on the remote switch. Also, the remote parameter is enabled, and the real server entry is added to the real server group under the local virtual server for the intended service. Finally, since the real server health checks are performed across the Internet, the health-checking interval should be increased to 30 or 60 seconds to avoid generating excess trafc. The health check interval should also depend on the number of remote sites. The more remote sites you have, the larger the time interval should be. For example:
>> # /cfg/slb/real 2 >> Real server 2# rip 174.14.70.200 >> Real server 3# remote enable >> Real server 3# inter 30 >> Real server 3# ena >> Real server 3# /cfg/slb/group 1 >> Real server group 1# add 2 (Create an entry for real server 2) (Set remote virtual server IP address) (Define the real server as remote) (Set a higher health check interval) (Enable the real server entry) (Select appropriate real server group) (Add real server 2 to the group 1)
Note: Take care to note where each congured value originates, or this step can result in improper conguration. 5 On the San Jose switch, dene the domain name and host name for each service hosted on each virtual server. In this example, the domain name for the Example Inc. is "gslb.example.com," and the host name for the only service (HTTP) is "www." These values are congured as follows:
>> Real server group 1# /cfg/slb/virt 1 (Select virtual server 1)
>> Virtual server 1# dname gslb.example.com (Define domain name) >> Virtual server 1# service 80/hname www (Define HTTP host name)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
745
To dene other services (such as FTP), make additional hostname entries. 6 Apply and verify the conguration.
>> Global SLB# apply >> Global SLB# cur >> Global SLB# /cfg/slb/cur (Make your changes active) (View current GSLB settings) (View current SLB settings)
Examine the resulting information. If any settings are incorrect, make and apply any appropriate changes, and then check again. 7 Save your new conguration changes.
>> Layer 4# save (Save for restore after reboot)
End
If using the Browser-Based Interface (BBI) for managing the San Jose switch, change its service port. By default, GSLB listens on service port 80 for HTTP redirection. By default, the Nortel Application Switch Operating System Browser-Based Interface (BBI) also uses port 80. Both services cannot use the same port. If the BBI is enabled (see the
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
/cfg/sys/access/http command in the Nortel Application Switch Operating System Command Reference), congure it to use a different port. For example, enter the following command to change the BBI port to 8080:
>> # /cfg/sys/wport 8080 (Set service port 8080 for BBI)
Port 2 is an UNTAGGED port and its current PVID is 1. Confirm changing PVID from 1 to 102 [y/n]: y Current ports for VLAN 102: empty Pending new ports for VLAN 102: 2 Current status: disabled New status: enabled
Congure a VLAN for local server trafc, and add server ports to this VLAN.
>> # /cfg/l2/vlan 202/name servers >> VLAN 202# add 11/ena (VLAN 202 for local servers) (Add port 11 to vlan 202)
Port 10 is an UNTAGGED port and its current PVID is 1. Confirm changing PVID from 1 to 202 [y/n]: y Current ports for VLAN 202: empty Pending new ports for VLAN 202: 11 Current status: disabled New status: enabled >> VLAN 202# add 12/ena Port 11 current Confirm Current Pending (Add port 12 to VLAN 201)
is an UNTAGGED port and its PVID is 1. changing PVID from 1 to 202 [y/n]: y ports for VLAN 202: empty new ports for VLAN 202: 11 12
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
747
>> # /cfg/l3/if 202 >> IP Interface 202# addr 174.40.7.202 >> IP Interface 202# mask 255.255.255.0 >> IP Interface 202# vlan 202 >> IP Interface 202# ena
(Select IP interface 202) (Assign IP address for the interface) (Assign network mask) (Assign interface to VLAN 202) (Enable IP interface 202)
Congure the local DNS server to recognize the local GSLB switch as the authoritative name server for the hosted services. Determine the domain name that will be distributed to both sites and the host name for each distributed service. In this example, the Denver DNS server is congured to recognize 174.14.70.2 (the IP interface of the Denver GSLB switch, congured with the domain name "www.gslb.example.com") as the authoritative name server for "www.example.com."
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
749
>> Virtual server 1 http service# /cfg/slb/virt 1/ena (Enable the virtual server)
On the Denver switch, dene the type of Layer 4 processing each port must support. In this example, the following ports are being used on the Nortel Application Switch:
Web Host Example: Port Usage Port 11 12 2 Host Server 11 Server 12 Layer 4 Processing Server Server
Default Gateway Router. This connects Client the switch to the Internet where all client requests originate.
>> # /cfg/slb/on
End
Enable DSSP version 2 to send out remote site updates. Unless you are in the middle of network migration to 22.0, you should always enable DSSP version 2.
>> # /cfg/slb/gslb/version 2 (Enable DSSP version 2 updates)
On the Denver switch, dene each remote site. When you start conguring at the Denver site, Denver is local and San Jose is remote. Add and enable the remote switchs IP address interface. In this example, there is only one remote site: San Jose, with an IP interface address of 200.200.200.1. The following commands are used:
>> # /cfg/slb/gslb/site 1 >> Remote site 1# prima 200.200.200.1 >> Remote site 1# ena (Select remote site 1) (Define remote IP interface address) (Enable remote site 1)
Each additional remote site would be congured in the same manner. You can enable up to 64 remote sites. 4 On the Denver switch, assign each remote distributed service to a local virtual server. In this step, the local Denver site is congured to recognize the services offered at the remote San Jose site. As before, congure one real server entry on the Denver switch for each virtual server
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
751
located at each remote site. Since there is only one remote site (San Jose) with only one virtual server, only one more local real server entry is needed at the Denver site. The new real server entry is congured with the IP address of the remote virtual server, rather than the usual IP address of a local physical server. Do not confuse this value with the IP interface address on the remote switch. Also, the remote parameter is enabled, and the real server entry is added to the real server group under the local virtual server for the intended service. Finally, since the real server health checks are headed across the Internet, the health-checking interval should be increased to 30 or 60 seconds to avoid generating excess trafc. The more remote sites you have, the larger the time interval should be. For example:
>> Remote site 1# /cfg/slb/real 1 >> Real server 1# rip 200.200.200.100 >> Real server 1# remote enable >> Real server 1# inter 30 >> Real server 1# ena >> Real server 1# /cfg/slb/grou p 1 >> Real server group 1# add 1 (Create an entry for real server 1) (Set remote virtual server IP address) (Define the real server as remote) (Set a high health check interval) (Enable the real server entry) (Select appropriate. real server group) (Add real server 1 to group 1)
Note: Take care to note where each congured value originates or this step can result in improper conguration. 5 On the Denver switch, dene the domain name and host name for each service hosted on each virtual server. These will be the same as for the San Jose switch: the domain name is "gslb.example.com," and the host name for the HTTP service is "www." These values are congured as follows:
>> Real server group 1# /cfg/slb/virt 1 >> Virtual server 1# dname gslb.example.com
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Virtual server 1# service 80 >> Virtual server 1 http# hname www
Examine the resulting information. If any settings are incorrect, make and apply any appropriate changes, and then check again. 7 Save your new conguration changes.
Web Host Example: Port Usage Port 11 12 2 Host Server 11 Server 12 Layer 4 Processing Server Server
Default Gateway Router. This connects Client the switch to the Internet where all client requests originate.
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
753
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Port 3 is an UNTAGGED port and its current PVID is 1. Confirm changing PVID from 1 to 103 [y/n]: y Current ports for VLAN 103: empty Pending new ports for VLAN 103: 3 Current status: disabled New status: enabled
Congure the local DNS server to recognize the local GSLB switch as the authoritative name server for the hosted services. Determine the domain name that will be distributed to both sites and the host name for each distributed service. In this example, the Tokyo DNS server is congured to recognize 43.10.10.3 (the IP interface of the Tokyo GSLB switch) as the authoritative name server for "www.gslb.example.com." End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
755
On the Tokyo switch, assign each remote distributed service to a local virtual server. In this step, the local site, Tokyo, is congured to recognize the services offered at the remote San Jose and Denver sites. As before, congure one real server entry on the Tokyo switch for each virtual server located at each remote site. The new real server entry is congured with the IP address of the remote virtual server, rather than the usual IP address of a local physical server. Do not confuse this value with the IP interface address on the remote switch.
>> # /cfg/slb/real 1 >> Real server 1# ena >> Real server 1# name San_Jose >> Real server 1# rip 200.200.200.100 >> Real server 1# remote enable >> # /cfg/slb/real 2 >> Real server 2# ena >> Real server 2# name Denver (Create an entry for San Jose) (Enable the real server entry) (Set a name for the real server entry) (Set remote vip address of San Jose) (Define the real server as remote) (Create an entry for Denver) (Enable the real server entry) (Set a name for the real server entry)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Real server 2# rip 74.14.70.200 >> Real server 2# remote enable
(Set remote vip address for Denver) (Define the real server as remote)
Note: Take care to note where each congured value originates, or this step can result in improper conguration. 3 Dene a network that will match and accept all incoming trafc for the other sites.
>> # /cfg/gslb/net 1 >> Network 1# ena >> Network 1# sip 0.0.0.0 >> Network 1# mask 0.0.0.0 >> Network 1# addreal 1 >> Network 1# addreal 2 (Create an entry for the new network) (Enable the new network) (Define a source IP address match) (Define a network mask match) (Add the San Jose site to the network) (Add the Denver site to the network)
Dene a new rule that will make the new network active.
>> # /cfg/slb/gslb/rule 1/ena >> Rule 1# dname gslb.example.c om >> Rule 1# metric 1/gmetric network >> Rule 1# metric 1/addnet 1 (Enable the new rule) (Define a domain name) (Define the metric this rule will use) (Add network to the rule metric)
Examine the resulting information. If any settings are incorrect, make and apply any appropriate changes, and then check again.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
757
The conguration example for Microsoft Windows 2003 DNS Server is explained below. The DNS server is congured to resolve domain name (e.g. geored.com) into active Alteon virtual IP address which represents active MCS system (Alteon1 vip1, Alteon1 vip2, or Alteon2 vip1, Alteon2 vip2). Perform the following conguration steps on the DNS server machine: Step 1 2 3 4 Action Run the DNS console. Create a primary forward lookup zone com. Create a delegation in zone com: Delegated domain geored; FQDN - geored.com. Add rst resource record: FQDN Alteon1 interface IP address (which is set up by /c/l3/if 1); IP address Alteon1 interface IP address.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Add second resource record: FQDN Alteon2 interface IP address; IP address Alteon2 interface IP address. The example of the conguration is as shown in "DNS Console" (page 758).
DNS Console
6 7
Set TTL = 10 seconds for records of zone com. 7. Disable Round Robin algorithm for the server as shown in the "ZDEDIC-5 Properties window" (page 758).
ZDEDIC-5 Properties window
Note: If the DNS server is down the clients (PCC, Sigma phone that supports DNS and AudioCodes GW) do not work. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
759
Up to 128 rules can be congured, with up to eight metrics per rule. The site selection metric sequence in the default Rule 1 is as follows: Step 1 Action Network Preference The rst metric in rule 1 is set to "Network Preference," which selects the server based on the preferred network of the source IP address for a given domain. If preferred networks are not congured, this metric is not used in the default rule. For more information on conguring preferred networks, see "Conguring GSLB Network Preference" (page 762). 2 None The second metric in rule 1 is set to "None" in order to allow you to congure the local or availability metric here. The local server or the server with the highest availability is selected before any subsequent metric is used to select other servers. 3 Geographical preference The third metric in rule 1 is set to "Geographical Preference" so that the IANA-dened geographical region based on the client source IP is used to redirect the request to the clients region. 4 5 Least connections Round robin "Round robin" or random should be the last metric dened in a rule, because they always return a value if there is at least one functional site. 6 7 None None
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
None The last metric in rule 1 should be congured as dnsalways so that the GSLB selection selects at least the local virtual server when all servers are not available. In this case, metric 6 can be congured with DNS always. End
Specify the GSLB metrics to be used to select a site if a server is not selected at rst. Since network metric is the rst metric, make sure to add the congured networks to metric 1.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
761
>> # /cfg/slb/gslb/rule 2/metric 1/gmetric network >> # /cfg/slb/gslb/rule 2/metric 1/addnet 43/addnet 55/addnet 56
Task 2: Congure the second time-based rule Using the steps in "Conguring Time-Based Rules" (page 760), congure another rule with the following parameters.
>> # /cfg/slb/gslb/net 48/sip 48.0.0.0/mask 240.0.0.0/addreal 2/en >> # /cfg/slb/gslb/rule 4/start 18 00/end 7 00/ena >> # /cfg/slb/gslb/rule 4/metric 1/gmetric network/addnet 48 >> # /cfg/slb/gslb/rule 4/metric 2/gmetric geographical >> # /cfg/slb/gslb/rule 4/metric 3/gmetric random
Add the rule to the congured virtual server. Using the basic GSLB example, add the following command to the virtual server conguration steps on step 5 on step 5.
>> # /cfg/slb/virt 1/addrule 2/addrule 4 (Add rules 2 and 4 to the virtual server/domain)
End
Set the Availability values for the real/virt servers. For example:
>> Rule 1# /cfg/slb/virt 1/avail 11 >> Rule 1# /cfg/slb/real 10/avail 22 >> Rule 1# /cfg/slb/real 11/avail 33 (Set avail. weight for virt. server) (Set avail. weight for real server) (Set avail. weight for real server)
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
763
Note: Nortel Application Switch Operating System allows you to congure up to 128 preferred client networks. Each network can contain up to 1023 real servers. Use the following commands to congure network preferences on the application switch at Site 4:
>> # /cfg/slb/gslb/net 1/ >> Network 1# sip 205.178.13.0 >> Network 1# mask 255.255.255.0 >> Network 1# addreal 1/addreal 3 >> # /cfg/slb/gslb/net 2/ >> Network 2# sip 204.165.0.0 >> Network 2# mask 255.255.0.0 >> Network 2# addreal 2 >> Network 2# addvir 4 (Select Network 1) (Assign source address for Client A) (Assign the mask for Client A) (Add real servers 1 and 3) (Select Network 2) (Assign source address for Client B) (Assign the mask for Client B) (Add real server 2) (Select preferred Site 4)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Using this conguration, the DNS request for "nortelnetworks.com" from client IP 205.178.13.0 will receive a DNS response with only the virtual server IP address of Site 1, if Site 1 has less load than Site 3.
2a. Client resends request to Site 1. 1a Client HTTP request reaches Site 2. Resources are unavailable at Site 2. Resources are available at Site 1. Site 2 sends an HTTP redirect to Client with Site 1s virtual server IP address. 1b. Client non-HTTP request reaches Site 2. Resources are unavailable at Site 2. Site 2 sends a request to Site 1 with Site 2s proxy IP address as the source IP address and the virtual server IP address of Site 1 as the destination IP address. 2b. Site 1 processes the client proxy IP request. Resources are available at Site 1. Site 1 returns request to proxy IP port on Site 2.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
765
The following procedure explains the three-way handshake between the two sites and the client for a non-HTTP application (POP3).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Step 1
Action A user POP3 TCP SYN request is received by the virtual server at Site 2. The switch at that site determines that there are no local resources to handle the request. The Site 2 switch rewrites the request such that it now contains a client proxy IP address as the source IP address, and the virtual server IP address at Site 1 as the destination IP address. The switch at Site 1 receives the POP3 TCP SYN request to its virtual server. The request looks like a normal SYN frame, so it performs normal local load-balancing. Internally at Site 1, the switch and the real servers exchange information. The TCP SYN ACK from Site 1s local real server is sent back to the IP address specied by the proxy IP address. The Site 1 switch sends the TCP SYN ACK frame to Site 2, with Site 1s virtual server IP address as the source IP address, and Site 2s proxy IP address as the destination IP address. The switch at Site 1 receives the frame and translates it, using Site 1s virtual server IP address as the source IP address and the clients IP address as the destination IP address. This cycle continues for the remaining frames to transmit all the clients mail, until a FIN frame is received. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
767
>> Proxy IP address /cfg/slb/real 1/proxy dis (Disable local real server proxy) >> Real server 1# /cfg/slb/real 2/proxy dis (Disable proxy for local server) >> Real server 2# /cfg/slb/real 3/proxy ena (Enable proxy for remote server) >> Real server 3# apply >> Real server 3# save (Apply configuration changes) (Save configuration changes)
For more information on proxy IP address, see "Proxy IP Addresses" (page 228). If you want to congure proxy IP addresses on Site 2, the following commands are issued on the Denver switch:
>> # /cfg/slb/pip >> Proxy IP address# type port >> Proxy IP address# add 174.14.70 .4 >> # /cfg/slb/port 4/proxy enable (Select proxy IP address menu) (Use port-based proxy IP) (Set unique proxy IP address) (Enable proxy on the port)
>> Proxy IP address# /cfg/slb/real 1/proxy dis (Disable local real server proxy) >> Real server 1# /cfg/slb/real 2/proxy dis (Disable local real server proxy) >> Real server 2# /cfg/slb/real 3/proxy ena (Enable proxy for remote server) >> Real server 3# apply >> Real server 3# save (Apply configuration changes) (Save configuration changes)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Some corporations use more than one ISP as a way to increase the reliability and bandwidth of their Internet connection. Enterprises with more than one ISP are referred to as being multi-homed. Instead of multi-homing a network to several other networks, BGP-based GSLB enables you to multi-home a particular piece of content (DNS information) to the Internet by distributing the IP blocks that contain that content to several sites. When using DNS to select the site, a single packet is used to make the decision so that the request will not be split to different locations. Through the response to the DNS packet, a client is locked in to a particular site, resulting in efcient, consistent service that cannot be achieved when the content itself is shared. For example, in multi-homing, you can connect a data center to three different Internet providers and have one DNS server that has the IP address 1.1.1.1. In this case, all requests can be received via any given feed but are funneled to the same server on the local network. In BGP-based GSLB, the DNS server (with the IP address 1.1.1.1) is duplicated and placed local to the peering point instead of having a local network direct trafc to one server. When a particular DNS server receives a request for a record (in this case, the application switch), it returns with the IP address of a virtual server at the same site. This can be achieved using the local option (/cfg/slb/gslb/rule 1/metric 2/gmetric local) in the GSLB conguration. If one site is saturated, then the switch will failover and deliver the IP address of a more available site. For more information on conguring your switch to support BGP routing, see "Border Gateway Protocol" (page 131).
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
769
Bandwidth Management
Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specic users or applications. It allows companies to guarantee that critical business trafc, such as e-commerce transactions, receive higher priority versus non-critical trafc. Trafc classication can be based on user or application information. BWM policies can be congured to set lower and upper bounds on the bandwidth allocation. The following topics are addressed in this chapter: "Enabling Bandwidth Management" (page 769) "Contracts" (page 770) "Policies" (page 776) "Rate Limiting" (page 777) "Trafc Shaping" (page 780) "Bandwidth Management Information" (page 781) "Packet Coloring (TOS bits) for Burst Limit" (page 783) "Conguring Bandwidth Management" (page 784) "Additional BWM Conguration Examples" (page 788)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
You will be prompted to enter the password key. If the key is correct for this switchs MAC address, the switch will accept the password, permanently record it in the switchs non-volatile RAM (NVRAM), and will then enable the feature. End
Contracts
A contract is created to assign a certain amount of bandwidth. Up to 1024 contracts can be congured on a single Nortel Application Switch. The switch uses these contracts to limit individual trafc ows. Contracts can be assigned to different types of trafc. Trafc can be classied based on layer 2, layer 4, or layer 7 trafc. Trafc classication can be based on the following: port, VLAN, trunk, lters, virtual IP address, service on the virtual server, URL, and so on. Any item that is congured with a lter can be used for BWM. Bandwidth classication is performed using the following menus: /cfg/slb/filt is used to congure classications based on the IP destination address, IP source address, TCP port number, UDP, UDP port number, 802.1p priority value, or any lter rule. /cfg/slb/virt is used to congure classications based on virtual servers. /cfg/port is used to congure classications based on physical ports (in case of trunking, use /cfg/l2/trunk). /cfg/l2/vlan is used to congure classications based on VLANs. /cfg/slb/layer7/lb is used to congure classication based on URL paths.
To associate a particular classication with a contract, enter the contract index into the cont menu option under the applicable conguration menus. When Virtual Matrix Architecture (VMA) is enabled, trafc classication is done on the ingress portthat is, the port on which the frame is received (not the client port or the server port). If the trafc classication is done on layer 4 through layer 7 trafc (lter-based or SLB trafc), then the classication occurs on the designated port.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
771
Classication Rules
In a classication rule certain frames are grouped together. For frames qualifying for multiple classications, precedence of contracts is also specied per contract. If no precedence is specied, the default order is used (see "Classication Precedence" (page 772)). The following classications are aimed at limiting the trafc outbound from the server farm for bandwidth measurement and control. Physical Port - All frames are from a specied physical port. VLAN - All frames are from a specied VLAN. If a VLAN translation occurs, the bandwidth policy is based on the ingress VLAN. IP Source Address - All frames have a specied IP source address or range of addresses dened with a subnet mask. IP Destination Address - All frames have a specied IP destination address or range of addresses dened with a subnet mask. Switch services on the virtual servers
The following are various Layer 4 groupings: A single virtual server A group of virtual servers A service for a particular virtual server Select a particular port number (service on the virtual server) within a particular virtual server IP address.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The following are various Layer 7 groupings: A single URL path A group of URL paths A single cookie
Classication Precedence
If a frame qualies for different classications, it is important to be able to specify the classication with which it should be associated. There are two mechanisms to address classicationa per-contract precedence value and a default precedence ordering from 1-255. The higher numbers having the higher precedence. If a contract does not have an assigned precedence value, then the default ordering is applied as follows: Step 1 2 3 4 5 Action Incoming source port/default assignment VLAN Filter Layer 4 services on the virtual server Layer 7 applications (for example, URL, HTTP, headers, cookies, and so forth End
If a frame falls into all of classications #15, and if the precedence is same for all the applicable contracts, then the Layer 7 applications contract classication (#5) will be assigned since it comes last and has the highest presentness.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
773
Combinations
Combinations of classications are limited to grouping items together into a contract. For example, if you wanted to have three different virtual servers associated with a contract, you would specify the same contract index on each of the three virtual server IP addresses. You can also combine lters in this manner. "Grouped Bandwidth Contracts" (page 773) describes how the contracts can be grouped together to aggregate BWM resources. "IP User Level Contracts for Individual Sessions" (page 774) describes a user level contract.
available Extra Share, or 2 Mbps. The remaining 3 Mbps that Contract 1 requested is dropped. Contract 4 requests 60 Mbps, which is 20 Mbps over its hard limit. Because Contract 4 requested 20 of the 25 Mbps over the total BW Hard Limit for the contract group, it will thus receive four-fths of the Extra Share, or 12 Mbps. The remaining 12 Mbps requested by Contract 4 is dropped.
Bandwidth Reallocation in Grouped Contracts Contract 1 Hard Limit (Mbps) Actual traffic Unused BW BW over Hard Extra Share Adjusted Hard Limit (All units in Mbps) a. Denotes the BW over hard limit in Contract 1, divided by the Total BW over hard limit for the contract group, multiplied by the total Extra Share bandwidth. b. Denotes the BW over hard limit in Contract 4, divided by the Total BW over hard limit for the contract group, multiple by the total Extra Share bandwidth. 12 10 15 NA 5 Contract 2 20 20 NA 0 0 20 Contract 3 30 20 10 NA NA 20 48 Contract 4 40 60 NA 20 Total 100 115 10 25 10 100
The soft and reserved (CIR) limits of each contract are not part of the grouped contracts calculation, and remain set at their individual contracts levels. For a group contract conguration example, see "ConguringGrouped Contracts for Bandwidth Sharing" (page 791).
Bandwidth Management
775
to monitor a users bandwidth, the switch creates a user entry that records the source or destination IP address, and the amount of bandwidth used. This user entry is called an IP user entry, because the user is identied by his/her IP address. The user limit feature is extremely useful for limiting bandwidth hogging by a few overactive internet users with unimportant trafc (for example peer-to-peer movie sharing), which may end up denying the other users with legitimate trafc from their fair share. Since the user limiting is done on per-contract basis, different types of trafc can be classied into different contracts and can have different user limits applied according to the class of trafc. Also, since user limiting for a contract is optional, it can be congured for some contracts with class of trafc where fair sharing of bandwidth is important, and not congured for the contracts where fair sharing of bandwidth is not important or undesirable. The following sections describe how user limits work.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For an example, see "Conguring a IP User-Level Rate Limiting Contract" (page 794).
Policies
Bandwidth policies are bandwidth limitations dened for any set of frames, that specify the maximum, best effort, and minimum guaranteed bandwidth rates. A bandwidth policy is assigned to one or more contracts. A bandwidth policy is often based on a rate structure whereby a Web host or co-location provider could charge a customer for bandwidth utilization. There are three rates that are congured: a Committed Information Rate (CIR)/Reserved Limit, a Soft Limit, and a Hard Limit, as described below.
Time Policy
A BWM contract can be congured to apply different time policies dened by ranges of hours or days of the week. The time policy is based on the time set in the switchs system clock (/info/sys/general). "Conguring Time and Day Policies" (page 809) describes how to congure and apply policies to different times and days.
Enforcing Policies
In order for BWM contracts and policies to take effect, the policies must be enforced using the /cfg/bwm/force ena command.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
777
Even when BWM is not enforced, the Nortel Application Switch can still collect classication information and report it, allowing an administrator to observe a network for a while before deciding how to congure it. This feature can be disabled using /cfg/bwm/force dis. When this command is used, no limits will be applied on any contract.
Rate Limiting
A rate limiting contract is controlled by metering the trafc that egresses from the switch. If the egress rate is below the congured rate limit (hard limit) for the port, the trafc is transmitted immediately without any buffering. If the egress rate is above the congured rate limit the trafc above the rate limit is dropped.
Bandwidth Rate Limits
For rate limiting contracts, the queue depth is ignored because trafc is not buffered. Typically, bandwidth management occurs on the egress port of the switchthat is, the port from which the frame is leaving. However, in the case of multiple routes or trunk groups, the egress port can actually be one of several ports (from the point-of-view of where the queues are located). A bandwidth policy species four limits, listed and described in "Bandwidth Rate Limits" (page 778):
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
778 Part 4: Advanced Switching Bandwidth Rate Limits Rate Limit Committed Information Rate (CIR) or Reserved Limit Description This is a rate that a bandwidth classification is always guaranteed. In configuring BWM contracts, ensure that the sum of all committed information rates never exceeds the link speeds associated with ports on which the traffic is transmitted. In a case where the total CIRs exceed the outbound port bandwidth, the switch will perform a graceful degradation of all traffic on the associated ports. For traffic shaping contracts, this is the desired bandwidth rate, that is, the rate the customer has agreed to pay on a regular basis. When output bandwidth is available, a bandwidth class will be allowed to send data at this rate. No exceptional condition will be reported when the data rate does not exceed this limit. For rate limiting contracts, the soft limit is ignored. This is a "never exceed" rate. A bandwidth class is never allowed to transmit above this rate. Typically, traffic bursts between the soft limit and the hard limit are charged a premium. The maximum hard limit for a bandwidth policy is 1 Gbps, even when multiple Gigabit ports are trunked. To ensure a specific amount of throughput on a port, configure hard and soft limits close together. For example: to ensure 20Mbps of throughput on a 100Mbps port, create a policy on a contract that sets the hard limit to 20M, and the soft limit to 19M. If you apply this contract to a filter on the egress port, 20Mbps of throughput can be ensured. A user limit is a Hard Limit rate for individual users. It is defined as a policy and is applied and enabled for an individual contract. It is based on either a source IP or destination IP address. Setting user limits requires that a contract be configured that enables IP limiting (/cfg/bwm/cont <x> /iplimit ena), and sets the type of limiting to source IP or destination IP address (/cfg/bwm/cont <x> /iptype {sip|dip}). When configured, an individual IP address can be limited to traffic between 0kbps and 1000Mbps. A user limit based on source IP address should be set if the goal is to limit the amount of data being transmitted from a source IP address in your network. A user limit based on destination IP address should be set if the goal is to limit the amount of data being downloaded from a destination IP address in your network.
Soft Limit
Hard Limit
User Limit
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
779
Application Session Capping is a feature that is especially relevant in todays world of peer to peer applications that require a large amount of network bandwidth. This feature will allow the switch administrator to cap the number of sessions of an application assigned to each user. In this way, peer to peer (and other such non-business applications) can be limited or completely eliminated on the network. Note: For the purposes of this feature, a user is dened as a unique source IP address and the application is identied based upon a bandwidth contract This feature functions by creating an entry in the session table that designates the contract/user combination. Whenever a new session is created, this entry is checked against existing sessions in the session table and if a match is made, the maximum sessions value is queried. If the maximum sessions value has been reached, the new session will be dropped. If the value has not been reached, the session count is incremented and the session allowed to continue. Note 1: Application Session Capping is not supported when a contract is assigned to a port, VLAN, trunk, or virtual service. Note 2: Application Session Capping does not support an iplimit contract based on DIP. It will however support on based on SIP.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
For any contract there is one timeslot trafc limit for each egress port. The timeslot trafc limit is calculated from the hard limit. The timeslot trafc limit is the amount of trafc that corresponds to the hard limit per second divided by the number of timeslots per second. Trafc is transmitted for every timeslot as long as the trafc is below the timeslot trafc limit for the contract. Any trafc that exceeds the timeslot trafc is discarded.
Trafc Shaping
A trafc shaping contract establishes queues and schedules when frames are sent from each queue. Trafc is shaped by pacing the packets according to the hard, soft and reserve limits. Each frame is put into a managed buffer and placed on a contract queue. The time that the next frame is supposed to be transmitted for the contract queue is calculated according to the congured rate of the contract, the current egress rate of the ports, and the buffer size set for the contract queue. The scheduler then organizes all the frames to be sent according to their time-based ordering and meters them out to the port. When packets in a contract queue have not yet been sent and the buffer size set for the queue is full, any new frames attempting to be placed in the queue is discarded. For trafc shaping contracts, a queue depth is also associated with a policy. A queue depth is the size of the queue that holds the data. It can be adjusted to accommodate delay-sensitive trafc (such as audio) versus drop-sensitive trafc (such as FTP).
Bandwidth Management
781
1500 bytes and inserts some delay as it processes the rst three 500 byte frames and then the next three frames. Queue 3 processes at 3000 bytes per second and has ample capacity to process egress frames at the same rate as the ingress frames.
Real-time Clocks and Theoretical Departure Times
If the data is arriving more quickly than it can be transmitted at the soft limit and sufcient bandwidth is still available, the rate is adjusted upwards based on the depth of the queue, until the rate is fast enough to reduce the queue depth or the hard limit is reached. If the data cannot be transmitted at the soft limit, then the rate is adjusted downward until the data can be transmitted or the CIR is hit. If the CIR is overcommitted among all the contracts congured for the switch, graceful degradation will reduce each CIR until the total bandwidth allocated ts within the total bandwidth available.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
To send BWM statistics by socket to a reporting server, issue the following commands:
>> Main# /cfg/bwm/email disable (E-Mail statistics delivery must be disabled)
BWM statistics will be sent to TCP port 49152 of the specied reporting server. 2 Congure the selected delivery method. To congure e-mail usage, issue these commands:
>> Main# /cfg/bwm/user <SMTP User Name> >> Main# /cfg/sys/smtp <SMTP host name or IP address>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
783
(Select to use the management or data port to communicate with the reporting server).
To obtain graphs, the data must be collected and processed by an external entity through SNMP. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
values allowed are 0-255. Typically, the values specied should match the appropriate diff-serv specication but could be different, depending on the customer environment.
Note: Mirroring occurs before the application of the limiting contract. Packets that would have been otherwise discarded by the contract are also copied to the mirroring port.
Bandwidth Management
785
Dene a real server group. Dene a virtual server. Dene the port conguration.
For more information about SLB conguration, see "Server Load Balancing" (page 188)." 2 Enable BWM on the switch. Note: If you purchased the Bandwidth Management option, make sure you enable it by typing/oper/swkey and entering its software key. For more information, see "Enabling Bandwidth Management" (page 769).
>> # /cfg/bwm/on (Turn BWM on)
Select a bandwidth policy. Each policy must have a unique number from 1 to 64.
>> Bandwidth Management# pol 1 (Select bandwidth policy 1)
Set the hard, soft, and reserved rate limits for the policy, in Mbps. Typically, charges are applied for burst rates between the soft and hard limit. Each limit must be set between 64K-1000M. Note: For rates less than 1 Mbps, append a "K" sufx to the number.
>> Policy 1# hard 6 >> Policy 1# soft 5 >> Policy 1# resv 4 (Set "never exceed" rate) (Set desired bandwidth rate) (Set committed information rate)
(Optional) Set the Type-Of-Service (TOS) byte value, between 0-255, for the policy underlimit and overlimit. There are two parameters for specifying the TOS bits: underlimit (utos) and overlimit (otos). These TOS values are used to overwrite the TOS values of IP packets if the trafc for a contract is under or over the soft limit, respectively. These values only have signicance to a contract if TOS overwrite is enabled in the Bandwidth Management Contract Menu (/cfg/bwm/cont <x> /wtos ena). The administrator has to be very careful in selecting the TOS values because of their greater impact on the downstream routers.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Set the buffer limit for the policy. Set a value between 8192-128000 bytes. The buffer depth for a BWM contract should be set to a multiple of the packet size. Note: Keep in mind that the total buffer limit for the Bandwidth Management policy is 128K.
>> Policy 1# buffer 16320 (Set BWM policy buffer limit)
On the switch, select a BWM contract and (optional) a name for the contract. Each contract must have a unique number from 1 to 256.
>> Policy 1# /cfg/bwm/cont 1 >> BWM Contract 1# name BigCorp (Select BWM contract 1) (Assign contract name "BigCorp")
(Optional) Set a precedence value for the BWM contract. Each contract can be given a precedence value from 1-255. The higher the number, the higher the precedence. If a frame is applicable to different classications, then the contract with higher precedence will be assigned to the frame. If the precedence is the same for the applicable contracts, then the following order will be used to assign the contract to the frame: (1) Incoming port, (2) VLAN, (3) Filter, (4) Service on the Virtual server, (5) URL/Cookie
>> BWM Contract 1# prec 1 (Sets contract precedence value to 1)
10
Set the bandwidth policy for this contract. Each bandwidth management contract must be assigned a bandwidth policy.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
787
11
(optional) Enable trafc shaping. Rate limiting is enabled by default. Enabling trafc shaping automatically disables rate limiting. See "Trafc Shaping" (page 780) for more information.
>> BWM Contract 1# shaping e (Enables traffic shaping)
12
13
Classify the frames for this contract and assign the BWM contract to the lter or virtual IP address. Each BWM contract must be assigned a classication rule. The classication can be based on a lter or service(s) on the Virtual server. Filters are used to create classication policies based on the IP source address, IP destination address, TCP port number, UDP, and UDP port number.
>> BWM Contract 1# /cfg/slb/vi rt 1/cont 1 >> Virtual Server 1# /cfg/slb/f ilt 1/adv/cont 1 (Assign contract to virtual server) (Assign contract 1 to filter 1)
In this case, all frames that match lter 1 or virtual server 1 will be assigned contract 1. 14 On the switch, apply and verify the conguration.
>> Filter 1 Advanced# apply >> Filter 1 Advanced# /cfg/bwm/cur (Make your changes active) (View current settings)
Examine the resulting information. If any settings are incorrect, make any appropriate changes. 15 On the switch, save your new conguration changes.
>> Bandwidth Management# save (Save for restore after reboot)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
16
Check that all BWM contract parameters are set correctly. If necessary, make any appropriate conguration changes and then check the information again. End
Bandwidth Management
789
In the following example, BWM is congured to prevent broadband customers from affecting dial-up customer access. This is accomplished by setting higher bandwidth policy rate limits for the port that processes broadband trafc. Policy 1 is for dialup customers with lower bandwidth allocation needs Policy 2 is for broadband customers with higher bandwidth allocation needs. Action Select the rst bandwidth policy for dialup customers. Each policy must have a number from 1 to 512. Note: Ensure BWM is enabled on the switch (/cfg/bwm/on).
>> # /cfg/bwm/pol 1 (Select BWM policy 1)
Step 1
Set the hard, soft, and reserved rate limits for the bandwidth policy, in Mbps.
>> Policy 1# hard 5 >> Policy 1# soft 4 >> Policy 1# resv 3 (Set "never exceed" rate) (Set desired bandwidth rate) (Set committed information rate)
On the switch, select a BWM contract and name the contract. Each contract must have a unique number from 1 to 1024.
>> Policy 1# /cfg/bwm/cont 1 >> BWM Contract 1# name dial-up (Select BWM contract 1) (Assign contract name "dial-up")
Set the bandwidth policy for this contract. Each BWM contract must be assigned a bandwidth policy.
>> BWM Contract 1# pol 1 (Assign policy 1 to BWM Contract 1)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Set the hard, soft, and reserved rate limits for this policy, in Mbps.
>> Policy 2# hard 30 >> Policy 2# soft 25 >> Policy 2# resv 20 (Set "never exceed" rate) (Set desired bandwidth rate) (Set committed information rate)
On the switch, select the second BWM contract and name the contract.
>> Policy 2# /cfg/bwm/cont 2 >> BWM Contract 2# name broadband (Select BWM contract 2) (Assign contract name "broadband")
Set the bandwidth policy for this contract. Each BWM contract must be assigned a bandwidth policy.
>> BWM Contract 2# pol 2 (Assign policy 2 to BWM contract 2)
10
11
Assign the BWM contracts to different switch ports. Physical switch ports are used to classify which frames are managed by each contractthat is, one BWM contract will be applied to all frames from a specic port. The second contract will be applied to all frames from another specied port.
>> BWM Contract 2# /cfg/port 1/cont 1 >> Port 1# /cfg/slb/port 2/cont 2 (Assign contract 1 to port 1) (Assign contract 2 to port 2)
12
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
791
Examine the resulting information. If any settings are incorrect, make any appropriate changes. 13 On the switch, save your new conguration changes.
>> Bandwidth Management# save (Save for restore after reboot)
14
Check that all BWM contract parameters are set correctly. If necessary, make any appropriate conguration changes and then check the information again. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> /cfg/bwm/on
Congure the switch as you normally would for SLB. Conguration includes the following tasks: Assign an IP address to each of the real servers in the server pool. Dene an IP interface on the switch. Dene each real server. Dene a real server group. Dene a virtual server. Dene the port conguration.
Select the rst bandwidth policy and set the hard, soft, and reserved rate limits for the bandwidth policy, in Mbps.
>> # /cfg/bwm/pol 1 >> Policy 1# hard 10M >> Policy 1# soft 5M >> Policy 1# resv 1M (Select BWM policy 1) (Set "never exceed" rate) (Set desired bandwidth rate) (Set committed information rate)
Congure BWM contract 1. Each contract must have a unique number from 1 to 1024.
>> Policy 1# /cfg/bwm/cont 1 (Select BWM contract 1)
Enable contract 1.
>> BWM Contract 1# ena (Enables this BWM contract)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
793
Set the hard, soft, and reserved rate limits for this policy, in Mbps.
>> Policy 2# hard 20 >> Policy 2# soft 15 >> Policy 2# resv 10 (Set "never exceed" rate) (Set desired bandwidth rate) (Set committed information rate)
10
Assign bandwidth policy 2 to contract 2. Each BWM contract must be assigned a bandwidth policy.
>> BWM Contract 2# pol 2 (Assign policy 2 to BWM contract 2)
11
Enable contract 2.
>> BWM Contract 2# ena (Enables this BWM contract)
12
Using the same CLI commands as described above, congure policy 3 with hard, soft, and reserved limits of 30, 25, and 20 Mbps respectively. Then create contract 3 and apply policy 3 to this contract. Congure policy 4 with hard, soft, and reserved limits of 40, 35, and 30 Mbps respectively. Then create contract 4 and apply policy 4 to this contract. Assign the BWM contracts to different switch ports. Physical switch ports are used to classify which frames are managed by each contractthat is, one BWM contract will be applied to all frames from a specic port. The second contract will be applied to all frames from another specied port.
>> BWM Contract 4# /cfg/port 1/cont 1 >> Port 1# /cfg/port 2/cont 2 >> Port 2# /cfg/port 3/cont 3 >> Port 3# /cfg/port 4/cont 4 (Assign contract 1 to port 1) (Assign contract 2 to port 2) (Assign contract 3 to port 3) (Assign contract 4 to port 4)
13
14
15
Congure BWM contract group 1 and add all four contracts to this group.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
>> /cfg/bwm/group 1 >> BW Group 1# add 1 Contract 1 added to group 1. >> BW Group 1# add 2 Contract 2 added to group 1. >> BW Group 1# add 3 Contract 3 added to group 1. >> BW Group 1# add 4 Contract 4 added to group 1.
(Select contract group 1) (Add contract 1 to group 1) (Add contract 2 to group 1) (Add contract 3 to group 1) (Add contract 4 to group 1)
16
Examine the resulting information. If any settings are incorrect, make any appropriate changes. 17 Save your new conguration changes.
>> Bandwidth Management# save (Save for restore after reboot)
18
Check that all BWM contract parameters are set correctly. If necessary, make any appropriate conguration changes and then check the information again. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
795
All members of the student body is limited to maximum (hard limit) of 10 Mbps. If the number of octets sent out exceeds the value of the entire contract (10 Mbps), excess octets will be dropped. If the number of octets is below the value of the contract (10 Mbps), a session is created on the switch that records the students IP address, the egress port number, and the contract number, as well as the number of octets transferred for that second. The session updates the number of octets being transferred every second, thus maintaining trafc within the congured user limit of 64 kbps.
The administrator would setup a conguration as follows: Step 1 Action Select the rst bandwidth policy. Each policy must have a number from 1 to 512.
>> # /cfg/bwm/pol 1 (Select BWM policy 1)
Congure the BWM policy with a Hard Limit of 10 Mbps and a "user limit" of 64 kbps. Then apply that policy to Contract 1.
>> Policy 1# hard 10m >> Policy 1# userlim 64k >> Policy 1# /cfg/bwm/cont 1 >> BW Contract 1# policy 1 (Select contract 1) (Apply policy 1 to this contract)
Congure a lter to match the source IP address range of the student body, and assign BWM Contract 1 to that lter.
/cfg/slb/filt 20/sip 150.150.0.0/smask 255.255.0.0/ac tion allow (Allow student traffic) >> Filter 20 # adv (Select the filter 20 advanced menu) (Apply BWM contract 1 to this filter)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Determine whether the user should be identied by their source or destination IP address. If the contract is used for trafc going out to the Internet, dene it by the source IP address: iptype sip. If the contract is used to limit the amount of trafc downloaded from the user by a client on the Internet, dene it by the destination IP address: iptype dip.
>> BW Contract 1# iptype sip
Disable trafc shaping on this contract. Trafc shaping cannot be used in user-level rate limiting contracts.
>> /cfg/bwm/cont 1/shaping dis
8 9
Apply and save the conguration. View the current per-user BWM sessions for the active contract.
/stats/bwm/port 1/cont 1
End
Bandwidth Management
797
Dene each real server. Dene a real server group. Dene a virtual server. Dene the port conguration.
For more information about SLB conguration, refer to "Server Load Balancing" (page 188)." Note: Ensure BWM is enabled on the switch (/cfg/bwm/on). 2 Select bandwidth policy 1. Each policy must have a number from 1 to 512.
>> # /cfg/bwm/pol 1 (Select BWM policy 1)
Set the hard, soft, and reserved rate limits for the bandwidth policy in Mbps.
>> Policy 1# hard 10 >> Policy 1# soft 8 >> Policy 1# resv 5 (Set "never exceed" rate) (Set desired bandwidth rate) (Set committed information rate)
Select a BWM contract and name the contract. Each contract must have a unique number from 1 to 1024.
>> Policy 1# /cfg/bwm/cont 1 >> BWM Contract 1# name a.com (Select BWM Contract 1) (Assign contract name "a.com")
Assign the bandwidth policy to this contract. Each BWM contract must be assigned a bandwidth policy.
>> BWM Contract 1# pol 1 (Assign policy 1 to BWM contract 1)
Set the hard, soft, and reserved rate limits for this policy, in Mbps.
>> Policy 2# hard 18 >> Policy 2# soft 15 >> Policy 2# resv 10 (Set "never exceed" rate) (Set desired bandwidth rate) (Set committed information rate)
10
Assign the bandwidth policy to this contract. Each BWM contract must be assigned a bandwidth policy.
>> BWM Contract 2# pol 2 (Assign policy 2 to BWM contract 2)
11
12
Create a virtual server that will be used to classify the frames for contract 1 and assign the Virtual server IP address for this server. Then, assign the BWM contract to the virtual server. Repeat this procedure for a second virtual server. Note: This classication applies to the services within the virtual server and not to the virtual server itself. The classication rule for these BWM contracts is based on a virtual service. One of the BWM contracts will be applied to any frames that are sent to the virtual server associated with that contract.
>> BWM Contract 2# /cfg/slb/virt 1/service 80/cont 1 (Assign contract to virtual server 1) >> Virtual Server 1# vip 100.2.16.2 >> Virtual Server 1# ena >> Virtual Server 1# /cfg/slb/virt 2/cont 2 (Set virtual server VIP address) (Enable this virtual server) (Assign contract to virtual server)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
799
13
Examine the resulting information. If any settings are incorrect, make the appropriate changes. 14 Save your new conguration changes.
>> Bandwidth Management# save (Save for restore after reboot)
15
Check that all BWM contract parameters are set correctly. If necessary, make any appropriate conguration changes and then check the information again. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
The switch allocates bandwidth based on certain strings in the incoming URL request. For example, as shown in "URL-Based SLB with Bandwidth Management" (page 800), if a Web site has 10Mbps of bandwidth, the site manager can allocate 1 Mbps of bandwidth for static HTML content, 3Mbps of bandwidth for graphic content and 4Mbps of bandwidth for dynamic transactions, such as URLs with cgi-bin requests and .asp requests. Ability to prioritize transactions or applications By allocating bandwidth, the application switch can guarantee that certain applications and transactions get better response time. Ability to allocate a certain amount of bandwidth for requests that can be cached As shown in "URL-Based SLB with Bandwidth Management" (page 800), users will be able to allocate a certain percentage of bandwidth for Web cache requests by using the URL parsing and bandwidth management feature.
URL-Based SLB with Bandwidth Management
The following example assumes you have congured URL-based SLB and the layer 7 strings as described in "Content Intelligent Server Load Balancing" (page 210). For URL-based server load balancing, a user has
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
801
to rst dene strings to monitor. Each of these strings is attached to real servers, and any URL with the string is load balanced across the assigned servers. The best way to achieve URL-based bandwidth management is to assign a contract to each dened string. This allocates a percentage of bandwidth to the string or URL containing the string. Step 1 2 Action Congure "Content Intelligent Server Load Balancing" (page 210). Congure BWM policies with the desired bandwidth limits. In this example, four policies are congured, as illustrated in "URL-Based SLB with Bandwidth Management" (page 800).
>> Main# /cfg/bwm/pol 1/hard 3M/soft 2M/res 1M >> Policy 1# /cfg/bwm/pol 2/hard 4M/soft 3M/res 2M >> Policy 2# /cfg/bwm/pol 3/hard 1M/soft 500k/res 250k >> Policy 3# /cfg/bwm/pol 4/hard 2M/soft 1M/res 500k
Congure BWM contracts and apply the appropriate policies to the contracts. In this example, the policy numbers correspond to the contract numbers.
>> Main# /cfg/bwm/cont 1/policy 1 (Apply policy 1 to contract 1)
>> BW Contract 1# /cfg/bwm/cont 2/policy 2 >> BW Contract 2# /cfg/bwm/cont 3/policy 3 >> BW Contract 3# /cfg/bwm/cont 4/policy 4
For easy conguration and identication, each dened string is assigned an ID number, as shown in the following example. The third column shows the BWM contracts to assign to the strings in this example
ID 1 2 3 4 5 SLB String any .gif .jpg .cgi .bin BWM Contract 4 1 1 2 2
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
ID 6 7
BWM Contract 2 3
Congure a real server to handle the URL request. To add a dened string:
>> # /cfg/slb/real 2/layer7/addlb <SLB string ID>
where SLB string ID is the identication number of the dened string as displayed when you enter the cur command. Example: /cfg/slb/real 2/layer7/addlb 3 8 Either enable Direct Access Mode (DAM) on the switch or congure a proxy IP address on the client port. To turn on DAM:
>> # /cfg/slb/adv/direct ena
To turn off DAM and congure a proxy IP address on the client port:
>> # /cfg/slb/adv/direct dis >> # /cfg/slb/port 2/proxy ena (Enable use of proxy IP on this port)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
803
>> # /cfg/slb/pip/type port >> # /cfg/slb/pip/add 12.12.12.12 (Add this proxy IP address to port 2)
For more information on proxy IP addresses, see "Proxy IP Addresses" (page 228). Note: Port mapping for content intelligent server load balancing can be performed by enabling DAM on the switch, or disabling DAM and conguring a proxy IP address on the client port. 9 Turn on HTTP SLB processing on the virtual server. Congure everything under the virtual server as in Conguration Example 1.
>> # /cfg/slb/virt 1/service 80/httpslb urlslb
If the same string is used by more than one service, and you want to allocate a certain percentage of bandwidth to this URL string for this service on the virtual server, then dene a rule using the urlcont command.
>> # /cfg/slb/virt 1/service 80/urlcont <SLB string ID> <BW Contract number>
This contract is tied to service 1. The urlcont command will override the contract assigned to the URL string ID. 10 Enable Server Load Balancing.
>> # /cfg/slb/on
11
Note: Cookie-based BWM does not apply to cookie-based persistency or cookie passive/active mode applications. In this example, you will assign bandwidth based on cookies. First, congure cookie-based server load balancing, which is very similar to URL-based load balancing. Any cookie containing the specied string is redirected to the assigned server. Scenario 1: In this scenario, the Web site has a single virtual server IP address and supports multiple classes of users. Turn on cookie parsing for the service on the virtual server.
>> # /cfg/slb/virt 1/service 80 >> Virtual Server 1 http Service# httpslb cookie ena Enter the starting point of the cookie value [1-64]: Enter the number of bytes to be extract [1-64]: 8 Look for cookie in URI [e|d]: d
Step 1
Example:
>> # /cfg/slb/layer7/slb/addstr l7lkup "Business" >> # add l7lkup "First" >> # add l7lkup "Coach"
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
805
Allocate bandwidth for each string. To do this, assign a BWM contract to each dened string.
>> # /cfg/slb/layer7/slb/cont <SLB string ID> <BWM Contract number>
where SLB string ID is the identication number of the dened string. Example:
>> # /cfg/slb/real 2/layer7/addlb 3
Either enable DAM on the switch or congure a proxy IP address on the client port. To turn on DAM:
>> # /cfg/slb/adv/direct ena
To turn off DAM and congure a Proxy IP address on the client port:
>> # /cfg/slb/adv/direct dis >> # /cfg/slb/pip >> Proxy IP address# type port >> Proxy IP Address# add 12.12.12.12 >> # /cfg/slb/port 2 >> SLB Port 2# proxy ena (Use port-based proxy IP)
For more information on proxy IP addresses, see "Proxy IP Addresses" (page 228). Note: By enabling DAM on the switch or, alternatively, disabling DAM and conguring a proxy on the client port, port mapping for URL-based load balancing can be performed. 5 Enable SLB.
>> # /cfg/slb/on
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Scenario 2: In this scenario, the Web site has multiple virtual server IP addresses, and the same user classication or multiple sites use the same string name. In this scenario, there are two Virtual IP (VIP) addresses: 172.17.1.1 and 172.17.1.2. Both the virtual servers and sites have rst class and business class customers, with different bandwidth allocations, as shown in "Cookie-Based Preferential Services" (page 806).
Cookie-Based Preferential Services
The conguration to support this scenario is similar to scenario 1. Note the following: End
Step 1 2
Action Congure the string and assign contracts for the strings and services. If the same string is used by more than one service, and you want to allocate a certain percentage of bandwidth to a user class for this service on the virtual server, then dene a rule using the urlcont command:
>> # /cfg/slb/virt 1/service 80/ urlcont <URL path ID> <BW Contract number>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
807
Note: When assigning /cfg/slb/virt 1/service 80/urlcont (contract 1) and /cfg/slb/layer7/lb/cont (contract 2) to the same URL, urlcont will override contract 2, even if contract 2 has higher precedence. End
ConguringSecurity Management
BWM can be used to prevent Denial of Service (DoS) attacks that generate a ooding of "necessary evil" packets. BWM can be used to limit the rate of TCP SYN, ping, and other disruptive packets. BWM can also be used to alert the network manager when soft limits are exceeded. In the following example, a lter is congured to match ping packets, and BWM is congured to prevent DoS attacks by limiting the bandwidth policy rate of those packets: Step 1 Action Congure the switch as usual for SLB (see "Server Load Balancing" (page 188)): Assign an IP address to each of the real servers in the server pool. Dene an IP interface on the switch. Dene each real server. Dene a real server group. Dene a virtual server. Dene the port conguration. Note: Ensure BWM is enabled on the switch (/cfg/bwm/on). 2 Select a bandwidth policy. Each policy must have a number from 1 to 512.
>> # /cfg/bwm/pol 1 (Select BWM policy 1)
Set the hard, soft, and reserved rate limits for this policy in Kilobytes.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
>> Policy 1# hard 250k >> Policy 1# soft 250k >> Policy 1# resv 250k
(Set "never exceed" rate) (Set desired bandwidth rate) (Set committed information rate)
Set the buffer limit for the policy. Set a parameter between 8192 and 128000 bytes. The buffer depth for a BWM contract should be set to a multiple of the packet size.
>> Policy 1# buffer 8192 (Set policy buffer limit of 8192 bytes)
On the switch, select a BWM contract and name the contract. Each contract must have a unique number from 1 to 1024.
>> Bandwidth Management# /cfg/bwm/cont 1 >> BWM Contract 1# name icmp (Select BWM contract 1) (Select contract name "icmp")
Set the bandwidth policy for the contract. Each BWM contract must be assigned a bandwidth policy.
>> BWM Contract 1# pol 1 (Assign policy 1 to BWM contract 1)
Create a lter that will be used to classify the frames for this contract and assign the BWM contract to the lter. The classication rule for this BWM contract is based on a lter congured to match ICMP trafc. The contract will be applied to any frames that match this lter
>> BW Contract 1# /cfg/slb/filt 1/proto icmp >> Filter 1# adv/icmp any >> Filter 1 Advanced# cont 1 (Define protocol affected by filter) (Set the ICMP message type) (Assign BWM contract 1 to this filter)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
809
Examine the resulting information. If any settings are incorrect, make the appropriate changes. 10 On the switch, save your new conguration changes.
>> Bandwidth Management# save (Save for restore after reboot)
11
Check that all BWM contract parameters are set correctly. If necessary, make any appropriate conguration changes and then check the information again. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
CAUTION
When conguring time policies, the "to" hour cannot be earlier than the "from" hour, as in a time policy set from 7pm to 7 am. Nortel Application Switch Operating System does not calculate time policies that cross the 24-hour day boundary.
Step 1
Action Congure three BWM policies for high, low and default bandwidth. These policies will be applied to different time policies later in this procedure.
>> /cfg/bwm/policy 1/hard 10M/soft 5M >> /cfg/bwm/policy 2/hard 5M/soft 1M >> /cfg/bwm/policy 3/hard 4M/soft 2M (For peak working hours) (For weekday evening hours) (For all other times)
Create the rst time policy under contract 1, for peak working hours.
>> # /cfg/bwm/cont 1/timepol 1 >> BW Contract 1 Time Policy 1# day weekday Current Time Policy Day: everyday Pending new Time Policy Day: weekday >> BW Contract 1 Time Policy 1# from 7am Current Time Policy from hour: 12am Pending new Time Policy from hour: 7am >> BW Contract 1 Time Policy 1# to 7pm Current Time Policy to hour: 12am Pending new Time Policy to hour: 7pm >> BW Contract 1 Time Policy 1# policy 1 (Assign highest BW policy to this time policy)
>> BW Contract 1 Time Policy 1# ena Current status: disabled New status: enabled
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
811
Create the second time policy under contract 1, for weekday evening hours.
>> # /cfg/bwm/cont 1/timepol 2/day weekday/from 7pm/to 11pm/policy 2/ena
Apply the default BWM policy 3 to this contract. This BW policy will be in effect at all other times beyond the specications of the two time policies.
>> # /cfg/bwm/cont 1/policy 3/ena
Current port egress bandwidth: 0K New pending port egress bandwidth: 44M
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Bandwidth Management
813
Reverse session update avoids the need to inspect trafc in both directions. This feature can also supply a "reverse contract" association so that returning trafc can be classied, through Bandwidth Management, into a different contract than was congured on the ingress lter. For more information on how to run the wizard and classify trafc see Chapter 2, "Getting Started" in the Nortel Intelligent Trafc Management Users Guide. Run the Reporting tool frequently to verify if the policies are being enforced.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Software Components
This feature uses two distinct software components that will work together to interpret XML les sent to the switch. These two software components are: Step 1 Action Schema Document The Schema, document is the roadmap that allows the switch software to interpret the XML documents that are sent to it. This Schema document denes the markup tags that appear in the XML document and what each means. "Schema Document" (page 814) illustrates the Schema document used by the XML Conguration API.
Schema Document <?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs= "http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="AlteonConfig"> <xs:annotation> <xs:documentation> Comment describing your root element</xs:documentation> </xs:annotation> <xs:complexType> <xs:sequence> <xs:element name="Cli" maxOccurs="unbounded"> <xs:complexType> <xs:attribute name="Command" type="xs:string" use="required"/> </xs:complexType> </xs:element> </xs:sequence>
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
815
XML Parser An XML parser is embedded in the software. This parser is used to interpret an XML le received by the switch into usable CLI commands. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Feature Conguration
To make use of this feature, several steps must be taken: Note: All Command Line Interface commands ending with enable to enable a feature can be used to disable a feature as well. Simply repeat the command and substitute enable with disable. Step 1 Action Globally enable XML conguration. The XML Switch Conguration API is disabled by default. To enable this feature, enter the following command:
>> Main# /cfg/sys/access/xml/xml enable
(Optional) Set the XML transport port number. Since SSL is the transport mechanism for the XML conguration le, the port used by the switch to receive these les is the SSL port by default. This can be changed by using the following command:
>> Main# /cfg/sys/access/xml/port <port number>
Note: Since both HTTPS and XML use SSL as a transport layer, the two are closely tied together. Both HTTPS and XML must use the same port if both are enabled. 3 Import client certicate. Certicate authentication is required to send an XML conguration le to the switch. To import a client certicate, complete the process outlined below:
>> Main# /cfg/sys/access/xml/gtcert <TFTP/FTP IP Address> <Certificate File Name> <FTP User Name> <FTP Password>
After entering the required information, the client certicate will be downloaded to the switch. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
817
Display client certicate. To display the current client certicate, issue this command:
>> Main# /cfg/sys/access/xml/dispcert
Debug XML operations. Enabling XML debug operations causes all commands in the XML le to be echoed to the Console and prefaces each one with running XML cmd: or Invalid XML cmd:. All responses to the commands will also be output to the Console. To debug XML switch operations, issue this command:
>> Main# /cfg/sys/access/xml/debug enabled
Display the current XML API conguration. To display the current XML API conguration, issue this command:
>> Main# /cfg/sys/access/xml/cur
End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
819
Appendix Troubleshooting
This section discusses some tools to help you troubleshoot common problems on the Nortel Application Switch: "Port Mirroring" (page 819) "Filtering the Session Dump" (page 822)
Port Mirroring
Mirroring Individual Ports
The port mirroring feature in the Nortel Application Switch Operating System allows you to attach a sniffer to a monitoring port that is congured to receive a copy of all packets that are forwarded from the mirrored port. Nortel Application Switch Operating System enables you to mirror port trafc for all layers (Layer 2 - 7). Port mirroring can be used as a troubleshooting tool or to enhance the security of your network. For example, an IDS server can be connected to the monitor port to detect intruders attacking the network. As shown in "Monitoring Ports" (page 819), port 19 is monitoring ingress trafc (trafc entering the switch) on port 3 and egress trafc (trafc leaving the switch) on port 11. You can attach a device to port 19 to monitor the trafc on ports 3 and 11.
Monitoring Ports
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
"Monitoring Ports" (page 819) shows two mirrored ports monitored by a single port. Similarly, you can have a single or groups of a mirrored port to a monitored port many mirrored ports to one monitored port a mirrored port on one or more vlans to a monitored port (see "Mirroring VLANs on a Port" (page 821)) many mirrored ports on one or more vlans to one monitored port (see "Mirroring VLANs on a Port" (page 821))
Nortel Application Switch Operating System does not support a single port being monitored by multiple ports. Ingress trafc is duplicated and sent to the mirrored ports before processing and egress trafc is duplicated and sent to the mirrored ports after processing. To congure port mirroring for the example shown in "Monitoring Ports" (page 819): Step 1 Action Specify the monitoring port.
>> # /cfg/pmirr/monport 19 (Select port 19 for monitoring)
>> Enter port mirror direction [in, out, or both]: in (Monitor ingress traffic on port 3) >> Port 19 # add 11 (Select port 11 to mirror)
>> Enter port mirror direction [in, out, or both]: out (Monitor egress traffic on port 11)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Port Mirroring
821
End
To enable mirroring of ingress trafc for VLAN 3 on port 3, and egress trafc for VLAN 4 on port 11 of step 1 and step 2 step 2, change the commands to the following:.
>> # /cfg/pmirr/monport 19 >> Port 19 # add 3 in 3 >> Port 19 # add 11 out 4 (Select port 19 for monitoring) (Mirror only vlan 3 ingress traffic on port 3) (Mirror only vlan 4 egress traffic on)
Only one attribute can be used at a time to lter the session dump. For example, to lter a session dump based on client IP address 10.10.10.1, use the following command:
>> # /info/slb/sess/cip 10.10.10.1 Printing Sessions for SP 1 1,01: 10.10.10.1 137, 205.178.13.100 ALLOW age 2 f:100 E 1,01: 10.10.10.1 2592, 172.21.31.100 10.20.1.2 http age 0 1,01: 10.10.10.1 2593, 172.21.31.100 10.20.1.3 http age 0 1,01: 10.10.10.1 2594, 172.21.31.100 10.20.1.2 http age 0 1,01: 10.10.10.1 2595, 172.21.31.100 10.20.1.3 http age 0 1,01: 10.10.10.1 2596, 172.21.31.100 10.20.1.4 http age 0 1,01: 10.10.10.1 2597, 172.21.31.100 10.20.1.3 http age 0 1,01: 10.10.10.1 2598, 172.21.31.100 10.20.1.4 http age 0 1,01: 10.10.10.1 2599, 172.21.31.100 10.20.1.3 http age 0 1,01: 10.10.10.1 2600, 172.21.31.100 10.20.1.4 http age 0
137 http -> 14291 http -> 14292 http -> 14307 http -> 14308 http -> 14309 http -> 14310 http -> 14311 http -> 14339 http -> 14340
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
823
1,01: 10.10.10.1 2601, 10.20.1.3 http age 0 1,01: 10.10.10.1 2602, 10.20.1.2 http age 10 1,01: 10.10.10.1 2603, 10.20.1.3 http age 10 1,01: 10.10.10.1 2604, 10.20.1.2 http age 10
172.21.31.100 http -> 14367 172.21.31.100 http -> 14384 172.21.31.100 http -> 14385 172.21.31.100 http -> 14414
Because VMA is enabled, the command displayed all sessions for client IP address 10.10.10.1 on SP 1. The sessions hash on source IP address and destination IP address.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
825
You can assign one or more strings to each real server. When more than one URL string is assigned to a real server, requests matching any string are redirected to that real server. There is also a special string known as "any" that matches all content. Nortel Application Switch Operating System also supports exclusionary string matching. Using this option, you can dene a server to accept any requests regardless of the URL, except requests with a specic string.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: Once exclusionary string matching is enabled, clients cannot access the URL strings that are added to that real server. This means you cannot congure a dedicated server to receive a certain string and, at the same time, have it exclude other URL strings. The exclusionary feature is enabled per server, not per string. For example, the following strings are assigned to a real server: string 1 = cgi string 2 = NOT cgi/form_A string 3 = NOT cgi/form_B As a result, all cgi scripts are matched except form_A and form_B.
For information on how to congure your network for server load balancing, see "Server Load Balancing" (page 188)." 2 Add the load balancing strings (for example test, /images, and /product ) to the real server.
>> # /cfg/slb/layer7/slb/addstr "test" >> Server Loadbalance Resource# addstr "/images" >> Server Loadbalance Resource# addstr "/product"
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
827
If you congured a string "any" and enabled the exclusion option, the server will not handle any requests. This has the same effect as disabling the server. End
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
828 Appendix Layer 7 String Handling Standard Regular Expression Special Characters Construction * . + ? $ \ [abc] [^abc] ^ Description Matches any string of zero or more characters Matches any single character Matches one or more occurrences of the pattern it follows Matches zero or one occurrences of its followed pattern Matches the end of a line Escape the following special character Matches any of the single character inside the bracket Matches any single character except those inside the bracket Matches the pattern exactly only if it appears at the beginning of a line
Use the following rules to describe patterns for string matching: Supports one layer of parenthesis. Supports only single "$" (match at end of line) which must appear at the end of the string. For example, "abc$*def" is not supported. Size of the user input string must be 40 characters or less. Size of the regular expression structure after compilation cannot exceed 43 bytes for load balancing strings and 23 bytes for cache redirection. The size of regular expression after compilation varies, based on regular expression characters used in the user input string. Use "/" at the beginning of the regular expression. Otherwise a regular expression will have "*" prexed to it automatically. For example, "html/*\.htm" appears as "*html/*\.htm". Incorrectly or ambiguously formatted regular expressions are rejected instantly. For example: where a "+" or "?" follows a special character like the "*" A single "+" or "?" sign Unbalanced brackets and parenthesis
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
829
>> # /cfg/slb/layer7/slb/addstr
As a result, both HTTP SLB and application redirection can use regular expression as the resource. Note: The more complex the structure of the string, the longer it will take for the server to load balance the incoming packets.
Using the above content types with the and and or operators, the application switch is congured to rene HTTP-based server load balancing multiple times on a single client HTTP request in order to bind it to an appropriate server. Typically, when you combine two content types with an operator (and/or), URL hash and Header hash are used in combination with Host, Cookie, or Browser content types. For example, the following types of load balancing can be congured using the Content Precedence Lookup feature: Virtual host and/or URL-based load balancing Cookie persistence and URL-based load balancing Cookie load balancing and/or URL-based load balancing Cookie persistence and HTTP SLB together in the same service Multiple HTTP SLB process type on the same service
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Note: Cookie persistence can also be combined with the Layer 7 content types. For more information on cookie persistence, see "Persistence" (page 588)." For example, the Content Precedence Lookup feature can be used in the following scenarios: If the client request is sent without a cookie and if no HTTP SLB is congured, then the switch binds the request to the real server using normal SLB. If the client request is sent without a cookie, but HTTP SLB is congured on the switch, then the request is bound to real server based on HTTP SLB. If the client request is sent with a cookie, and a real server associated to the cookie is found in the local session table, then the request will stay bound to that real server.
Requirements
Enable Direct Access Mode (DAM), or congure proxy IP address if DAM is disabled. Enable delayed binding.
If the Content Precedence Lookup feature is congured with the or and and operators, the request from the client is as follows: HTTP Host or URL SLB
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
831
The HTTP Host header takes precedence because it is specied rst. If there is no Host Header information and because or is the operator, the URL string is examined next. If a request from a client contains no Host Header but has a URL string (such as "/gold"), the request is load balanced among Server 1 or Server 3. If a request from a client contains a Host Header, then the request is load balanced among Server 2 and Server 3. The URL string is ignored because the HTTP Host was specied and matched rst. HTTP Host and URL SLB The HTTP Host header takes precedence because it is specied rst. Because and is the operator, both a Host Header and URL string are required. If either is not available, the request is dropped. If a request from a client contains a URL string (such as "/gold") but not a Host Header, it is not served by any real server. If a request from a client contains a URL string (such as "/gold") and Host Header, it is served only by real server 3.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
832 Appendix Layer 7 String Handling Content Precedence Lookup Multiple Strings Example
To congure content precedence lookup for the example in "Content Precedence Lookup Multiple Strings Example" (page 832), the hosting company groups all the real servers into one real server group even though different servers provide services for different customers and different types of content. In this case, the servers are set up for the following purpose:
Real Server Content Server Server 1 Server 2 Server 3 Server 4 Server 5 Customer Customer A Customer A Customer A Customer B Customer B Content Static .jpg files Static .jpg files Dynamic .cgi files Static .jpg files Dynamic .cgi files
When a client request is received with www.a.com in the Host Header and .jpg in the URL, the request will be load balanced between Server 1 and Server 2. To accomplish this conguration, you must assign multiple strings (a Host Header string and a URL string) for each real server.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
833
Any incoming request containing "GET /Default.asp" would not bind to string 1 because of the capitalized D in Default.asp. String case sensitivity may be disabled, so that any incoming request containing "GET /Default.asp, GET /DEFAULT.ASP, and other case combinations, all map to string 1.
>> # /cfg/slb/layer7/slb/case disable (Disable case-sensitive matching)
3 7 11 15 19
4 8 12 16 20
To add an HTTP method type, select the method by its index number from the above list, and enter the following:
>> # /cfg/slb/layer7/slb/addmeth 2 (Add HTTP POST method)
The list of supported HTTP methods will be updated regularly in Nortel Application Switch Operating System as the HTTP protocol evolves.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
835
Glossary
DIP (Destination IP Address)
The destination IP address of a frame.
Preemption
In VRRP, preemption will cause a Virtual Router that has a lower priority to go into backup should a peer Virtual Router start advertising with a higher priority.
Priority
In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s). Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win out for master designation.
Proto (Protocol)
The protocol of a frame. Can be any value represented by a 8-bit value in the IP header adherent to the IP specication (for example, TCP, UDP, OSPF, ICMP, and so on.)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
836 Glossary
Tracking
In VRRP, a method to increase the priority of a virtual router and thus master designation (with preemption enabled). Tracking can be very valuable in an active/active conguration. You can track the following: Vrs: Virtual Routers in Master Mode (increments priority by 2 for each) Ifs: Active IP interfaces on the application switch (increments priority by 2 for each) Ports: Active ports on the same VLAN (increments priority by 2 for each) l4pts: Active Layer 4 Ports, client or server designation (increments priority by 2 for each reals: healthy real servers (increments by 2 for each healthy real server)
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Glossary
837
hsrp: HSRP announcements heard on a client designated port (increments by 10 for each)
Virtual Router
A shared address between two devices utilizing VRRP, as dened in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch is assigned. All IP interfaces on the Nortel Application Switches must be in a VLAN. If there is more than one VLAN dened on the application switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member.
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
838 Glossary
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
839
Index
Symbols/Numerics
80 (port) 737, 745 802.1Q VLAN tagging 72, 72 authoritative name servers 729 autonomous systems (AS) 151
B
backup servers 208, 209, 209 bandwidth management burst limit 783 conguration, general 770, 788 conguration, preferential service 796 conguration, security 807 conguration, user fairness 788 content intelligent 799, 803 contracts 773 cookie-based 803 data pacing 780 egress bandwidth tuning 811 grouped contracts 773, 774, 791 operational keys 769 overwriting TCP window 811 rate limiting 787 statistics and history 781 time policy 776 conguration example 809, 811 trafc shaping 780, 780, 787 user limits 776 conguration example 794, 796 VMA 770 bandwidth managment policies 776 bandwidth metric 206 bandwidth policies rates blat 626 Border Gateway Protocol (BGP) 131
A
accessing the switch dening source IP addresses 48 RADIUS authentication 49 security 46 using ASEM 35 using the Browser-based Interface 36 using the CLI 26 active cookie mode 597 administrator account 53 aggregating routes 137 example 143 allow (ltering) 190, 329, 365 application health checking 479 application ports application redirection 367, 409 client IP address authentication 423 example with NAT 415 games and real-time applications 423 non cacheable sites 423 non-HTTP redirects for GSLB 764 proxies 411, 415, 421 rport 415, 422 See cache redirection 411 topologies 412 Web-cache redirection example 409, 423 Application Switch Element Manager (ASEM) 35 authenticating, in OSPF 158
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
840 Index
attributes 138 failover conguration 139 route aggregation 137 route maps 133 selecting route paths 139 use with GSLB 767 Bridge Protocol Data Unit (BPDU) 94 broadcast domains 71, 72, 74, 115 Browser-Based Interface 471, 737, 745
C
cache redirection browser-based 434 delayed binding 417 example 411 HTTP header-based 433 layer 7 trafc 423 RTSP 417, 417, 439 See application redirection 410 servers 410, 412, 412 URL hashing 436 URL-based 424 CGI-bin scripts 193, 207 Cisco EtherChannel 87 CIST 105 client trafc processing 193, 197 command conventions 19 Command Line Interface 26, 151 conguring BGP failover 139 cache redirection cookie-based persistence 598 default lter 368 delayed binding 245 DNS load balancing 263 dynamic NAT 388 lter-based security 379 FTP Server Load Balancing 256, 257, 261 IDS load balancing 295 IP load balancing 254 IP routing 113 LDAP load balancing 260 multi-response cookie search 604 multiple services 202 OSPF 164
port trunking 86 proxy IP addresses 232 RTSP cache redirection 418 server load balancing 194 static NAT 386 tunable hash for lter redirection 377 VLAN-based lters 373 WAP load balancing 281, 284, 288 conguring WAN links basic example 338 summary 336 with SLB 350 connection time-out 207 console port 26 content intelligent cache redirection 423 server load balancing 210 contracts, bandwidth management 773 cookie active 597 different types 594 expiration timer 600 header 593 names 593 passive mode 596 permanent 592 rewrite 597 temporary 592 values 593 cookie-based persistence 591
D
data pacing 780 datagram 708 default gateway 112, 112 conguration example 78, 79, 114, 739, 747, 754 VLAN-based 75 default password 53 default route OSPF 155 delayed binding 242, 244 cache redirection 417 denial of service protection 646 deny (ltering) 190, 329, 365 detecting SYN attacks 245
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Index 841
dip (destination IP address for ltering) 369 rate limiting 631 Direct Access Mode (DAM) 345, 355 security example 378 direct real server access 238 session dumps 822 disabling real servers 200 ltering-based VLANs 373 Distributed Site State Protocol (DSSP) 729 rewalls 379 dmask fraggle 624 destination mask for ltering 369 fragmenting jumbo frames 110, 112 DNS load balancing 263 frame processing 80 Domain Name Server 348, 360 frame tagging. See VLANs tagging. 72 Domain Name System (DNS) FTP ltering 379, 383 applications 200 Global SLB (diagram) 730 proxy IP 764 load balancing, layer 7 265 Server Load Balancing 255 round robin 189, 329 conguring 256, 257, 261 dport (ltering option) 380, 415 DSSP. See Distributed Site State Protocol. 729 gateway. See default gateway. 112 duplex mode for jumbo frames 81 Gigabit adapters dynamic NAT 388, 388 jumbo frames 80 Global SLB conguration tutorial 736, 752, 757 egress trafc 708 Distributed Site State Protocol 729 encrypt 708 DNS resolution (diagram) 730 End user access control domain name conguration 744 conguring 64 health check interval 744 EtherChannel 83 hostname conguration 744 as used with port trunking 87 HTTP redirect 731 expiration timer, insert cookie 600 port states 742 external routing 131, 150 real server groups 741 real servers 740 remote site conguration 743 tests 768 failed server protection, SLB 188, 329 using proxy IP 764 fault tolerance group SLB, metrics 202 port trunking 85 grouped contracts, bandwidth 773, 774, Server Load Balancing 192, 329 791 lter redirection example 791, 794 tunable hash 378
ltering conguration example 379 default lter 368, 380 IP address ranges 369 layer 7 deny 401 NAT conguration example 385, 388 numbering 369 order of precedence 367, 367 proto (option) 380, 415
H
half-duplex for jumbo frames 81 hash metric 203 hashing redirection lters 378 hashing on any HTTP header 225 health checks 415, 488 conguration using scripts 474
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
842 Index
format 471 internal routing 131, 150 Global SLB interval 744 Internet Service Provider (ISP), SLB hostname for HTTP content 479, 480 example 191 HTTPS/SSL 492 Intrusion Detection System (IDS) 290 IMAP server 488 IP address RADIUS server 489, 490 conservation 385 real server parameters 479 lter ranges 369 real servers 201 local route cache ranges 117 script-based 470, 478 private 386 SNMP 483 proxies 192, 228, 411, 415, 421 verifying scripts 478 real server groups 196, 430, 741 wireless session protocol 492, 498 real servers 190, 194, 330, 340, 351, 740 WTLS 498 routing example 77, 113 Host routes SLB real servers 195 OSPF 160 virtual servers 190, 192, 196, 196, 330, hostname, for HTTP health checks 479, 744 346, 358, 741 HP-OpenView 27 IP interfaces HTTP conguration example 195, 739, 739, application health checks 479 747, 747, 754, 754 redirects (Global SLB option) 731 example conguration 77, 113, 116 HTTP header VLAN 1 (default) 72 hashing 225 VLANs 72 HTTP redirection IP packet format 638 IP-based 447, 450 IP proxies MIME header-based 452, 454 for application redirection 421 TCP service port-based 450, 452 for Global Server Load Balancing 764 URL-based 454 for Server Load Balancing 228 HTTP URL request 400 See also proxies, proxy IP address HTTPS/SSL health checks 492 (PIP). 228 IP routing 194 cross-subnet example 110 default gateway conguration 78, 79, 114 ICMP 366 IP interface conguration 77, 113, 116 IDS load balancing 295 IP subnets 111 IEEE 802.1Q VLAN tagging 72 network diagram 111 IEEE standards subnet conguration example 112 802.1s 104 switch-based topology 112 IF. See IP interfaces. 72 IP subnets 112 IGMP 366 routing 111, 112 IMAP server health checks 488, 488 VLANs 71, 73 imask 201 ISL Trunking 83 inbound trafc 332 ITM. See Intelligent Trafc Management 812 incoming route maps 134 ingress trafc 708 insert cookie mode expiration timer 600 jumbo frames Intelligent Trafc Management 812 fragmenting to normal size 110, 112
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Index 843
frame size 80 Gigabit adapter 80 isolating with VLANs 80 routing 110, 112 supported duplex modes 81 VLANs 80
L
landattack 619 Layer 4 administrator account 52, 53 cache redirection 412 server load balancing 194, 336 Layer 7 cache redirection 423 deny lter 401 precedence lookup 829 regular expression matching 827 server load balancing 210 string matching 825 Layer 7 lookup with deny lter 401 LDAP load balancing 260 least connections (SLB Real Server metric) 205 leastconn metric 205 link load balancing basic example 338 benets 328 conguration summary 336 example with SLB 350 inbound trafc 332 outbound trafc 330 using virtual servers 330 WAN links 327 Link load balancing using lters 329 lmask (local route cache parameter) 117 lnet (local route cache parameter) 117 load balancing DNS 261, 265 FTP trafc 255 IDS trafc 290 layer 7 trafc 210 SIP trafc 310 TFTP trafc 256
types of 254, 327 WAN trafc 327, 327 WAP trafc 279 local route cache address range 117 local route cache parameters lmask 117 lnet 117 log ltering option 365 log (ltering option) 379 logical segment. See IP subnets. 71 LSAs 150
M
MAC address 710 Main Menu Command-Line Interface (CLI) 26 management port setting up 38 management port, using 37 Management Processor (MP) use in switch security 48 manual style conventions 19 mapping ports 422 mapping virtual ports to real ports 234 matchall 642 matching TCP ags 394 maxcons limit 207, 208 maximum connections 207, 208 metrics real server groups 202 MIME header, in HTTP redirection 452, 454 minimum misses (SLB real server metric) 203 minmiss metric 203 mirroring ports 819 monitoring ports 819 monitoring real servers 242 MSTPMultiple Spanning Tree Protocol (MSTP) 104 multi-homing 768 WAN links 327 multi-links between switches using port trunking 83 using VLANs 74 multimedia servers 268
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
844 Index
multiple services, conguring 202 multiple spanning tree groups 98 Multiple Spanning Tree Protocol 104
parallel links 74 password administrator account 53 default 53 name servers, Global SLB conguration L4 administrator account 52, 53 example 729 user account 52 Network Address Translation (NAT) 415 pattern group 639 conguration example 385, 388 pattern matching lter action 367 criteria 637 lter example 388 depth 638 proxy 388 groups 639 static example 386 matchall 642 network management 27 offset 637 network performance operation 638 statistics, with use of proxy addresses 228 TCP or UDP 636 NFS server 191 persistence non cacheable sites in application Client IP-based 590, 591 redirection 423 cookie-based 591 non-HTTP redirects for GSLB 764 multi-response cookie search 604 none (port processing mode) example 197 SSL session ID-based 605, 607 Nortel ASEM 27 persistent nullscan 621 bindings 193 ping ood 627, 634 ping of death 628, 643, 646 PIP. See proxies, proxy IP address. 421 offset 637 POP3 764 optional software 409 port 80 737, 745 OSPF port mapping 422 area types 147 port mirroring 819, 821 authentication 158 port processing mode conguration examples 165, 185 client 197 default route 155 none 197 external routes 164 server 193, 197 ltering criteria 366 port states 742 host routes 160 port trunking 84 link state database 150 conguration example 85 neighbors 149 description 87 overview 146 EtherChannel 83 redistributing routes 133, 137 fault tolerance 85 route maps 133, 135 ports route summarization 155 for services router ID 157 monitoring 819 virtual link 156 physical. See switch ports. 71 outbound trafc 330 SLB conguration example 197 outgoing route maps 134 overow servers 208, 209, 209
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Index 845
precedence, in bandwidth classicamaximum connections 207 tions 772 SLB conguration example 195 private IP address 386 weights 206 private network 386 redirect (HTTP) 731 protocol types redirecting lters proxies 192, 228, 411, 421 tunable hash 378 conguration example 388 redirecting non-HTTP applications 764 NAT 388 redirection. See application redirection 409 proxy IP address (PIP) 192, 228, 240, 421, redistributing routes 133, 137, 143 421 remote (Global SLB real server proxy servers 410 property) 744 PVID (port VLAN ID) 72 response metric 205 Return-to-Sender (RTS) for link load balancing 332, 344, 355, 357 RIP (Routing Information Protocol) QuickTime Streaming Server 269 advertisements 126 distance vector protocol 126 hop count 126 RADIUS metric 126 authentication 49 TCP/IP route information 18, 126 health checks 489 version 1 126 port 1812 and 1645 199, 280, 281, 285 roundrobin port 1813 199, 286, 289 SLB Real Server metric 205 SSH/SCP 63 route aggregation 137, 143 RADIUS snooping 283, 283, 287 route cache, sample 76 RADIUS static session entries 280 route maps 133 RADIUS/WAP persistence 287 conguring 135 Rapid Spanning Tree Protocol 102 incoming and outgoing 134 Rapid Spanning Tree Protocol route paths in BGP 139 (RSTP)RSTP 102 Router ID rate limiting 777, 787 OSPF 157 lter 631 routers 78, 111, 114 hold down periods 629 border 151 protocol-based 628, 635 peer 151 TCP 629 port trunking 83 time window 628 switch-based routing topology 112 timeslots 779 using redirection to reduce Internet UDP and ICMP 629 congestion 409 Rate limiting 778 web-cache redirection example 410 real server groups routes, advertising 151 conguration example 430, 741 routing 131 real servers 192 internal and external 150 backup/overow servers 208 Routing Information Protocol. See RIP 126 conguration example 740 rport (ltering) 415, 422 connection timeouts 207 RSA keys 62 disable/enable 200 RSTP 102 health checks 479 RTSP
Q R
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
846 Index
overview 189 persistent bindings 193 port processing modes 193, 197 proxies 192, 228 proxy IP addresses 240 scalability, service 188, 329 real server group 196, 430 SCP real server IP address (RIP) 190, 330 client commands 60, 61 real servers 192 conguring administrator password 59 remote sites 728 enabling 59 topology considerations 192 services 60, 60 virtual IP address (VIP) 190, 192, 330 script-based health checks 470, 478 virtual servers 190, 196, 330 searching for cookie 604 WAN links 327, 327 SecurID 63 WAP 279 security weights 206 allowable SIP addresses 48 server pool 188 denial of service protection 615, 646 server port processing 193 lter-based 378 service failure 506 ltering 365, 378 service ports rewalls 379 session dumps 822 from viruses 365 Session Initiation Protocol (SIP) 310 IP access control lists 612, 614 shared services 188, 328 layer 7 deny lter 400 SIP (source IP address for ltering) 369 port mirroring 819 smask private networks 385 source mask for ltering 369 RADIUS authentication 49 SMTP 764 switch management 48 smurf 624 VLANs 71 SNMP 27 segmentation. See IP subnets. 71 assign health check 471 segments. See IP subnets. 71 HP-OpenView 27 server (port processing mode) example 197 Nortel ASEM 27 server failure 507 SNMP content health check 483 Server Load Balancing SNMP health check 483 across subnets 110 Spanning-Tree Protocol backup servers 208, 209, 209 multiple instances 98 complex network topologies 227, 228 VLANs 74 conguration example 191, 228 spoong, prevention of 48 distributed sites 728 sport (ltering option) 380, 415 DNS 261, 265 SSH failed server protection 188, 329 client commands 60, 61 fault tolerance 192, 329 RSA host and server keys 62 FTP 255 SSH/SCP health checks 479 client commands 60, 61 IDS 290, 310 conguring 58 maximum connections 207 encryption and authentication metrics 202 methods 61 overow servers 209, 209 with Radius authentication 63
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Index 847
with SecurID 63 static NAT 386 static session entries 280 statistical load distribution 84, 84 streaming media 268 summarizing routes 155 switch management security 48 via IP interface 72 switch ports VLANs membership 71 synn scan 622 syslog messages 365
V
virtual clocks 780 virtual IP address (VIP) 190, 192, 330 virtual link, OSPF 156 Virtual Local Area Networks. See VLANs. 71 Virtual Matrix Architecture (VMA) 227 virtual port mapping to multiple real ports 234, 237 virtual servers 190, 330 conguration example 196 IP address 196, 346, 358, 741 virus attacks, preventing 400 VLAN-based 821 VLAN-based ltering 373 VLANs broadcast domains 71, 72, 74, 115 default PVID 72 example showing multiple VLANs 73 ltering 373 gateway, default 75 ID numbers 71 IP interface conguration 116 IP interfaces 72 jumbo frames 80 multiple links 74 multiple spanning trees 93 multiple VLANs 72, 73 parallel links example 74 port members 71 port mirroring 821 PVID 72 routing 115 security 71 Spanning-Tree Protocol 74, 93, 93 tagging 71, 74 topologies 72 VLAN 1 (default) 72, 72, 195, 413 VLAN-tagging adapter support for 73 VPN 708 VPN cluster 709 VPN Load Balancing overview 708
T
tagging. See VLANs tagging. 72 TCP 366, 383, 383 health checking using 201 port 80 241 TCP ags 394 TCP window size overwriting 811 TCP/UDP port numbers 234 TDT (Theoretical Departure Times) 780 Telnet 379 text conventions 19 Theoretical Departure Times (TDT) 780 timeouts for real server connections 207 Trafc shaping 778, 780 trafc shaping 787 bandwidth management 780 transparent proxies 228, 411, 415, 421 troubleshooting 822 tunable hashing 378 tunneling 708 typographic conventions 19
U
UDP 366, 383, 383 jumbo frame trafc fragmentation 112 server status using 201 UDP blast protection 635, 636 URL, in HTTP redirection 454 user account 52 user limits, bandwidth 774, 776
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
848 Index
W
WAN links conguration summary 336 conguring basic example 338 conguring with SLB 350 inbound trafc 332 load balancing 329 multi-homing 327 outbound trafc 330 WAP WTLS health check 498 WAP Gateway 279 WAP load balancing RADIUS snooping 283, 283, 287 RADIUS/WAP persistence 287
static session entries 280 Web cache redirection See application redirection 409 Web hosting 191 weights 206 Wide Area Networking (WAN) load balancing 327, 327 Wireless Application Protocol 279 World Wide Web, client security for browsing 379 WSP health checks 492, 498 WTLS health check 498
X
xmascan 622
Nortel Application Switch Operating System Application Guide NN47220-104 (320507-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.
Application Guide
Copyright 2008, Nortel Networks All Rights Reserved. Publication: NN47220-104 (320507-D) Document status: Standard Document version: 01.01 Document date: 28 January 2008 To provide feedback or report a problem in this document, go to www.nortel.com/documentfeedback Sourced in Canada, India and the United States of America The information in this document is subject to change without notice. Nortel Networks reserves the right to make change in design or components as progress in engineering and manufacturing warrant. *Nortel, Nortel Networks, the Nortel logo and the Globemark are trademarks of Nortel Networks. Trademarks are acknowledged with an asterisk (*) at their rst appearance in the document. All other trademarks are the property of their respective owners.