Overview of Alteon
Diagram (overview figure): a client (labelled C-Port B620, IP 10.1.1.1, MAC 00-00-E2-6D-7A-F8) resolves http://www.ringnet.co.kr through DNS and reaches the site through the Layer 2, Layer 3 and Layer 4 stages of the switch; the ARP question "10.1.1.1 MAC ?" and the addresses 10.1.1.1, 10.1.1.2, 10.1.1.3 are shown.
Model labels and specifications as extracted from the product positioning chart (Price vs Feature/Function); the pairing of labels with specifications was lost in extraction:
WSM
4 x 10/100 TX or Gig SX ports, 80 MB of memory, 512K concurrent sessions
WSM / 184 / 180e
Eight 10/100/1000 Mbps ports, one 1000BASE-SX port, 2 MB of memory per port, 336K concurrent sessions, 8 Gbps backplane capacity
AD4 / AD3
Eight 10/100BASE-T ports, one 1000BASE-SX uplink, 4 MB of memory per port (ports 1-8), 8 MB of memory on port 9, 512K concurrent sessions, 8 Gbps backplane capacity
180e / AD4 / AD3
Eight 10/100BASE-T ports, one 1000BASE-SX uplink, 2 MB of memory per port, 336K concurrent sessions, 8 Gbps backplane capacity
Photo: Alteon 184 (console port labelled)
"We went with Alteon's AD4 because of its industry-leading performance and Layer 7 logic."
Alteon 184 outclassed all of its competitors under the heaviest load conditions and demonstrated superior performance!
Nortel Networks
Front panel diagrams: 1-RU form factor, ports numbered 1 to 28, SFP LEDs
Feature/Function/Performance comparison (table flattened in extraction; each row lists its values in page order, left to right)
Models: AD3, AD4, 180E, 184, WSM, AAS 2208, AAS 2216, AAS 2224, AAS 2424, AAS 3408; also shown: Passport 8600 Layer 2-7 Routing Switch, Gig Ethernet Modular
Ports: 8 x 10/100M + 2 x 1000M; 24 x 10/100M + 4 x 1000M; 4 x 1G (RJ-45) + 4 x 1G (SFP) + 4 x 1G (RJ-45/SFP); 4 x 1000M
Memory: 40M, 18M, 40M, 80M, 256M, 384M, 640M, 640M, 640M
Concurrent sessions: 512K, 336K, 512K, 512K, 600K, 1M, 2M, 2M, 2M
Backplane: 8 Gbps, 8 Gbps, 8 Gbps, 16 Gbps, 16 Gbps, 16 Gbps, 16 Gbps, 16 Gbps
CPU load
MP (Management Processor)
- Configuration manager
- All switch management, including SNMP, WebUI, Telnet, SSH, RADIUS, syslog, traps, etc.
- STP (Spanning Tree Protocol)
- Routing protocols such as RIP1, OSPF, BGP
- VRRP
- Real server health checking
- Statistics collection from the SPs
SP (Switch Processor)
- Processes packets received from the port
- Transmits packets out of the port
- L2 bridging
- VLAN and trunk management
- VLAN tag insertion by hardware
- L3 forwarding
- L4-7 packet processing
- Session table management
- BWM classification
- BWM (shaping and policing)
- Statistics reporting to the MP
Switch Basics
- The switch is a Layer 2 device with Layer 3 functionality
- All Layer 4 to 7 features are off by default
- Allows for 16 instances of Spanning Tree Groups
- Supports 10/100/1000 Mbps Ethernet
- Supports Telnet, CLI, WebUI
- Boots in 10 seconds
Console Connection
Requires a standard DB9 cable with a male connector
Standard connection settings: 9600 baud, 8 data bits, no parity bit, 1 stop bit, no flow control
Setting Telnet
Enable/disable Telnet: /cfg/sys/tnet <ena|dis> (from the console port only)
Telnet timeout defaults to 5 minutes
Switch Timeout
Switch CLI session timeout: 1 to 60 minutes, default 5 minutes
Port Configurations
Configure individual physical switch ports from the /cfg/port <port number> fast menu:
- Link speed: speed <any/10/100>
- Duplex mode: mode <any/full/half>
- Flow control: fctl <auto/rx/tx/both/none>
- Auto-negotiation enable/disable: auto <e|d>
Enable/disable a switch port from the /cfg/port <port number> menu: ena/dis (or the shorter e/d)
IP Interfaces
- Switch supports 256 IP interfaces
- Switch supports 246 VLANs (VLAN IDs in the range 1-4094)
- The interfaces are logical and are associated with VLANs; VLANs are in turn associated with physical ports
- Each port can support 246 VLANs by using VLAN tagging
- All IP interfaces can be on different subnets, all in the same VLAN
- Interfaces need to be enabled in order to become active
IP Interfaces
Switch operation limits (AD3/4 and 180e/184):
VLANs: 246
IP interfaces: 256
Routing protocols: RIP I, OSPF, BGP Lite (up to 4 peers)
Routes: 1K
Static routes: 128
ARP cache: 4096
STP domains: 16 (WebOS 10.0), 1 (WebOS 9.0)
MAC addresses: 2K
Changing Password
The default password is admin. To change a user-level password you need administrator access to the switch (admin password); go to the /cfg/sys/user menu and select the user to change:
- usrpw: set user password (user)
- sopw: set SLB operator password (slboper)
- l4opw: set L4 operator password (l4oper)
- opw: set operator password (oper)
- sapw: set SLB administrator password (slbadmin)
- l4apw: set L4 administrator password (l4admin)
- admpw: set administrator password (admin)
Setting Up a Syslog
Configure up to two hosts to capture syslog messages: /cfg/sys/syslog/host <ip address>
Eight different severities of syslog messages:
- EMERG: system is unusable
- ALERT: immediate action required
- CRIT: critical condition
- ERR: error condition/operation
- WARNING: warning condition
- NOTICE: normal but significant condition
- INFO: informational message
- DEBUG: debug-level message
Setting Up SNMP
Allows for the switch to support SNMP network management
/cfg/snmp menu:
- System name, system location, contact information (64 characters each)
- Read/write community strings (32 characters)
- IP addresses of up to 2 hosts to receive system traps (allows for community string access)
Software key: /oper/swkey, then enter the swkey
Service: part of a Virtual Server which associates a TCP or UDP port and a Group to be load balanced
Virtual Server: comprises a VIP and up to 8 services; up to 256 Virtual Servers per switch
VIP (Virtual IP Address)
Architecture issue
Switch Overview
Each switch supports the following:
- 10/100/1000 Ethernet
- VLAN tagging (802.1Q)
- Trunking of up to 4 GE or 6 FE ports
- SNMP
- Routing (RIP, OSPF, BGP Lite)
- Syslog
- SSH
- Telnet
MAC Addresses
Each Tigon switch is assigned 16 MAC addresses by manufacturing. The first three octets (OUI) are currently 00:60:cf. These 16 MAC addresses are assigned as follows:
- One to the MP, used for routing and management
- One to each SP, used as the MAC address of the PIP
- Two used as virtual MAC addresses
- The remaining 4 are undefined
WebOS Software
- Runs proprietary software coded in C++ and assembler
- The majority of functions are programmed into the ASICs
- Image sizes are between 500 KB and 1 MB
- Requires a boot image to boot the switch; the boot image can be a different version from the OS
- Solid-state switch, so the boot process takes 10 seconds
WebOS Software
Configs and image are stored in non-volatile internal flash memory
Three config banks (TFTP or text upload/download): Factory Default, Active, Backup
WebOS Software
WebOS file name format
Version_FileType.Product (e.g. 100309_mp.184), where:
FileType:
- mp: core WebOS code (TFTP upload); AlteonOS equivalent on AAS: AlteonOS
- boot: boot code (TFTP upload); on AAS: Boot
- bin: both of the above (serial upload); on AAS: Serial
Product:
- 180E for the 180E and AD3
- 184 for the 184 and AD4
- img for AAS
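The naming rule above is simple enough to check by machine before an image is pushed to a switch. The following parser is an added example, not code from the training material or from Nortel: the file-type and product tables are the ones listed above, while the compatibility check that refuses an image built for another product (e.g. a .180E image on an AD4) is this example's own addition.

```python
"""Parser and compatibility check for WebOS / AlteonOS image file names.

Added example; not from the original training material. The file-type and
product tables come from the naming rules above; the check that refuses an
image built for another product before a TFTP or serial upload is this
example's own addition.
"""
import re

# FileType -> (what the file contains, how it is uploaded), as listed above
FILE_TYPES = {
    "mp":   ("core WebOS code", "TFTP"),
    "boot": ("boot code", "TFTP"),
    "bin":  ("core WebOS code and boot code", "serial"),
}

# Product suffix -> hardware models that take the image, as listed above
PRODUCTS = {
    "180E": ("180E", "AD3"),
    "184":  ("184", "AD4"),
    "img":  ("AAS",),
}

# Version_FileType.Product; the version is kept verbatim (e.g. 100309)
_NAME_RE = re.compile(r"^(?P<version>[^_.]+)_(?P<ftype>[a-z]+)\.(?P<product>\w+)$")


def parse_image_name(name):
    """Describe an image file name; raise ValueError if it does not follow the format."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Version_FileType.Product name: {name!r}")
    ftype, product = m.group("ftype"), m.group("product")
    if ftype not in FILE_TYPES:
        raise ValueError(f"unknown file type {ftype!r} in {name!r}")
    if product not in PRODUCTS:
        raise ValueError(f"unknown product suffix {product!r} in {name!r}")
    contents, method = FILE_TYPES[ftype]
    return {
        "version": m.group("version"),
        "file_type": ftype,
        "contents": contents,
        "upload": method,
        "product": product,
        "models": PRODUCTS[product],
    }


def image_fits_model(name, model):
    """True when the image is built for hardware model `model` (e.g. "AD4")."""
    return model.upper() in parse_image_name(name)["models"]


if __name__ == "__main__":
    print(parse_image_name("100309_mp.184"))
    print(image_fits_model("100309_mp.184", "AD4"))   # True
    print(image_fits_model("100309_mp.184", "AD3"))   # False: 184 images are for the 184 and AD4
```

The check only looks at the name; it does not replace verifying the image source. It catches the common operational slip of uploading a file meant for a different chassis, which on these switches ends in a serial recovery.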
Switch Architecture
Diagram (switch architecture): a management module (RISC processors, memory, flash) connected to the switch ports, each port served by a WebIC (forwarding engine plus dual RISC processors) with its own memory.
Distributed architecture:
- WebIC: network processing ASIC with a hardware-assisted forwarding engine and dual RISC processors
- Up to 20 RISC processors per switch
- Separate, centralized switch management processor
Matrix (/c/slb/adv/matrix ena/dis):
- Can be turned off if not required
- Only used for Layer 4-7 sessions
- Requires WebOS version 8.0 or above
Diagram: per-port CPUs, attached servers and an unattached port sharing the L4-7 load.
Performance of the distributed architecture compared with centralized architectures: resource utilization
- CPUs at all ports actively share the L4-7 processing load
- Each ingress packet is hashed to one of 8 ports for L4-7 processing
- The hashing algorithm ensures an even distribution of Internet traffic
- Packets in the same session are always hashed to the same CPU
- Memory at all ports is pooled and utilized at all times
- Session entries are kept in memory local to the designated CPU
- A global session table is kept for cookie-persistent sessions
- All ports store all filtering/redirection policies
Table (SP/MP assignment per model; column alignment lost in extraction): columns SP1, SP2, SP3, SP4, MP; rows Alteon 2216, Alteon 2224, Alteon 2424. Each model has one MP (128M). Port groupings as extracted: Ports 13-24, Port 26, Port 25, 1-12 and Port 28; SP columns are marked N/A where the model has no such SP.
Alteon Terminology
- VIP, VMAC, Vport: virtual server IP address, MAC address, TCP/UDP port
- RIP, RMAC, Rport: real server IP address, MAC address, TCP/UDP port
- CIP, CMAC, Cport: client IP address, MAC address, TCP/UDP port
- PIP, PMAC, Pport: proxy IP address, MAC address, TCP/UDP port
- Session: TCP connection, UDP session, IP flow
Filter: fires filters and performs the associated action
Client: translates VIP to RIP, Vport to Rport and VMAC to RMAC
Processing order: PIP -> RTP -> Server -> Filter -> Client -> L3/L2
Others
Routing Protocols
- RIPv1, 1K route table entries
- BGP4 subset supported (on AD4 and Alteon 184)
- Static routes (up to 128)
- Multiple default gateways: up to 4 per switch; each default gateway is health checked using ICMP Echo
VLAN Terminology
- VLANs: separation of broadcast domains, on a single networking device or across multiple networking devices
- VLAN ID: identifier of a specific broadcast domain; can be any number 1-4095 (per the IEEE 802.1Q standard)
- PVID: Port VLAN Identifier, used to associate a physical switch port with a specific VLAN
- Tagged ports: a field in the Ethernet frame is used to identify the VLAN; required if multiple VLANs are running over a single port
- Trunk ports: ports that carry more than one VLAN
VLAN Configurations
When running VLANs, there are two places where you need to configure VLAN identifiers: on the IP interface configuration and on the switch port.
- To configure VLANs on the IP interface: /cfg/ip/if <if number>, then vlan <vlan number> (1-4094)
- To configure VLANs on the port: /cfg/port <port number> menu, then pvid <vlan number> (1-4094)
- To configure a port for multiple VLANs: /cfg/port <port number>/tag e, then pvid <vlan number> (1-4094)
Port Trunking
Port trunking combines multiple physical ports together to act as one single "super bandwidth" port:
- Aggregate bandwidth
- Built-in fault tolerance
- Server Load Balancing generally uses a VIP
- WCR and FWLB (and other application load balancing) generally use redirection filters
- L4 to L7 load balancing is supported; Alteon can load balance on any TCP/UDP port
- However, some applications write the real server IP address in the data portion of the packet, and such traffic may not be load balanceable
Diagrams: servers and groups (e.g. Server 192.168.1.1); two packet-flow diagrams Client -> Alteon Switch -> Real Server showing the MAC, IP and TCP layers.
Persistence-based metric:
Hash
- The source IP address is used to generate an index into a table containing all servers in the group
- All requests from the same user are sent to the same server, as long as no servers enter or leave the group
- Useful in e-commerce applications and FWLB, where state must be maintained across multiple TCP sessions
- The table is recomputed when a server leaves or enters the group
- Weighting has no effect
- The maximum connections option is supported
- If Application Redirection is configured, the DIP is used instead
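The following model of the hash metric is an added example and not the switch's own code: the page does not give Alteon's hashing function or table size, so a CRC32 of the address and a 256-slot table filled round-robin are assumed. What it shows is the behaviour the bullets describe, including the caveat: a client keeps landing on the same server while the group is stable, but a server leaving or joining recomputes the table and moves some clients.

```python
"""Model of the 'hash' persistence metric described above.

Added example, not Alteon code. Assumptions: CRC32 as the hash, a 256-slot
table filled round-robin from the group. Weights are ignored on purpose
(the page: weighting has no effect).
"""
import ipaddress
import zlib

TABLE_SIZE = 256  # assumed; the real table size is not stated on the page


def build_table(servers):
    """Fill the table round-robin with the servers currently in the group."""
    if not servers:
        raise ValueError("group has no servers")
    return [servers[i % len(servers)] for i in range(TABLE_SIZE)]


def hash_index(address):
    """Index into the table derived from an IP address (CRC32 assumed as the hash)."""
    packed = ipaddress.ip_address(address).packed
    return zlib.crc32(packed) % TABLE_SIZE


def select_server(table, address):
    """Pick the server for a flow. `address` is the SIP, or the DIP when
    application redirection is configured (the page's last bullet)."""
    return table[hash_index(address)]


def clients_moved(old_servers, new_servers, client_ips):
    """Clients whose server changes when the group changes from old to new:
    this is the persistence break the text warns about."""
    old, new = build_table(old_servers), build_table(new_servers)
    return [ip for ip in client_ips
            if select_server(old, ip) != select_server(new, ip)]


if __name__ == "__main__":
    group = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]
    table = build_table(group)
    clients = [f"10.1.1.{i}" for i in range(1, 21)]   # constructed client addresses
    for ip in clients[:3]:
        print(ip, "->", select_server(table, ip))
    # a server leaving the group recomputes the table: persistence breaks for some clients
    moved = clients_moved(group, group[:2], clients)
    print(f"{len(moved)} of {len(clients)} clients change server when 192.168.1.3 leaves")
```

Every client that was mapped to the departing server must move, but because the whole table is refilled, clients that were on the surviving servers can move as well; that is why the metric is only persistent "as long as no servers enter or leave the group".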
Health Checks
Health checks are used to determine the availability of the servers/services. Servers are marked down when a health check fails and up when a health check succeeds. All health check parameters are configurable:
- Interval between checks
- Number of failed retry counts to declare a server down
- Number of restore counts to declare a server up
Health Checks
Health check types are:
- ICMP
- TCP: 3-way handshake on the configured service port
- Content: HTTP
- Application specific: RADIUS, SSL, POP, DNS, etc.
- Scripted: send sequence, expected response
Note:
If you put all services on a real server into one group and one service fails, all services in that group will be marked down. It is therefore recommended that services are put into different groups when adding more than one service per real server.
Health Checks
- Group configuration item
- Health checks occur every 2 seconds by default
- For ICMP and TCP, 4 retries will be attempted by default before declaring a service down
- For ICMP only, there must be 8 successful pings by default before declaring a service up
- All other types will be declared up after 1 successful health check
- If more than 1 service is configured on a real server for a virtual server, the health checks occur sequentially for each service
Health Checks - TCP
- Layer 4 connection requests (TCP SYN) are sent to each configured service on each server
- The interval between attempts is user configurable
- When the connection request succeeds (the switch receives a TCP SYN-ACK response), the connection is quickly closed (the switch sends a TCP FIN to the server)
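The retry and restore counters above are easy to get wrong when sizing failover time, so here is an added example (not Alteon code) that replays a sequence of check results through a small state machine using the page's defaults: checks every 2 s, 4 consecutive failures mark a server down, and a server comes back after 8 consecutive successes for ICMP or 1 success for any other type. Whether Alteon counts the first failure as one of the 4 retries is not stated on the page; here "retries" means the number of consecutive failed checks.

```python
"""State machine for the health-check counters described above.

Added example, not Alteon code. Defaults (2 s interval, 4 retries, ICMP
restore 8, other types restore 1) are the page's; treating "retries" as
consecutive failed checks and starting every server in the up state are
assumptions of this model.
"""
from dataclasses import dataclass, field

DEFAULT_INTERVAL_S = 2
DEFAULT_RETRIES = 4
DEFAULT_RESTORE = {"icmp": 8}   # every other type restores after 1 success


@dataclass
class HealthCheck:
    check_type: str              # "icmp", "tcp", "http", "script", ...
    interval_s: int = DEFAULT_INTERVAL_S
    retries: int = DEFAULT_RETRIES
    restore: int = None          # None -> default for the check type
    up: bool = True              # assumption: servers start up
    failures: int = 0            # consecutive failed checks while up
    successes: int = 0           # consecutive successful checks while down
    elapsed_s: int = 0
    transitions: list = field(default_factory=list)   # (time_s, "down" | "up")

    def __post_init__(self):
        if self.restore is None:
            self.restore = DEFAULT_RESTORE.get(self.check_type, 1)

    def report(self, ok):
        """Feed one check result; return True if the server is up afterwards."""
        self.elapsed_s += self.interval_s
        if self.up:
            self.failures = 0 if ok else self.failures + 1
            if self.failures >= self.retries:
                self.up, self.failures = False, 0
                self.transitions.append((self.elapsed_s, "down"))
        else:
            self.successes = self.successes + 1 if ok else 0
            if self.successes >= self.restore:
                self.up, self.successes = True, 0
                self.transitions.append((self.elapsed_s, "up"))
        return self.up


def run_checks(check_type, results, **kw):
    """Replay a sequence of check results; return the (time, transition) events."""
    hc = HealthCheck(check_type, **kw)
    for ok in results:
        hc.report(ok)
    return hc.transitions


if __name__ == "__main__":
    # constructed result sequence: 3 failures (not enough), a success that resets
    # the counter, 4 failures (server goes down), then 8 successes
    results = [False, False, False, True, False, False, False, False] + [True] * 8
    print("tcp :", run_checks("tcp", results))    # down at 16 s, up again at 18 s
    print("icmp:", run_checks("icmp", results))   # down at 16 s, up only at 32 s
```

Note how the single success at 8 s resets the failure counter: a server that flaps just under the retry threshold is never marked down, which is the situation behind the "periodic health check failures" items in the troubleshooting section.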
VRRP
- Defined by RFC 2338 for Layer 3 resilience
- Virtual default gateway
- Upon switch failure the backup switches will select a new master
- Failover takes 3 seconds
- VRRP uses IP multicast on 224.0.0.18 to communicate
- Uses a multicast MAC address
VRRP Terminology
VRRP Router: a router running VRRP, e.g. an Alteon switch
Virtual Router Master: the VRRP router that answers ARP requests and forwards packets sent to the virtual router
VRRP
How does VRRP work?
- Uses IP multicast 224.0.0.18 for advertisements
- Advertisements are sent every second by the Master
- If a Backup does not hear an advertisement for 3 seconds, it declares itself Master
- The Master replies with MAC address 00-00-5E-00-01-VRID in response to ARP for the redundant IP address
- This MAC address is used by all virtual routers in a VIR
- The VRID must be unique on a LAN
VRRP
- When configuring VRRP it is important that both switches are configured identically; only the IP addresses and priorities should differ
- The priority of the switch determines who is master for that VIR and VSR
- Priorities are between 1 and 254 (default 100)
- The highest priority wins; if set the same, the highest MAC address becomes Master
- Preemption forces the switch back to the original Master on recovery; it can be turned off
VRRP Tracking
Track on L3 parameters or L4 parameters. Parameters you can track on:
L3 parameters
- Virtual routers in master mode on the switch (vrs)
- Active IP interfaces on the switch (ifs)
- Active ports on the same VLAN (ports)
L4 parameters
- Physical ports that have active Layer 4 processing (l4pts)
- Healthy real servers behind the VIP (reals)
- In HSRP networks, the number of Layer 4 client-only ports that receive HSRP advertisements (hsrp)
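The election, 3-second failover, preemption and tracking rules of the last three slides can be checked against each other in a small simulation. The following is an added example and not Alteon code: the 1 s advertisement interval, 3 s dead time, priority range 1-254 with default 100, highest-priority/highest-MAC election and the 00-00-5E-00-01-VRID virtual MAC come from the page; how much tracking adds to the priority per healthy tracked item is not stated on the page, so the increment used here is an assumption.

```python
"""Simulation of the VRRP behaviour described above.

Added example, not Alteon code. Page values: advertisements every 1 s, a
backup takes over after 3 s of silence, priority 1-254 (default 100), highest
priority wins with highest MAC as tie-breaker, virtual MAC 00-00-5E-00-01-VRID.
Assumed: the priority bump per healthy tracked item (TRACK_INCREMENT).
"""
from dataclasses import dataclass

ADVERT_INTERVAL_S = 1
DEAD_INTERVAL_S = 3           # backup declares itself master after 3 s of silence
TRACK_INCREMENT = 2           # assumed priority bump per healthy tracked item


def virtual_mac(vrid):
    """Virtual router MAC for a VRID: 00-00-5E-00-01-<VRID in hex>."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00-00-5E-00-01-{vrid:02X}"


@dataclass
class VrrpRouter:
    name: str
    mac: str                       # the switch's own MAC, used as the tie-breaker
    priority: int = 100
    tracked_healthy: int = 0       # e.g. healthy real servers behind the VIP (reals)
    alive: bool = True
    preempt: bool = True

    def effective_priority(self):
        """Configured priority plus tracking, clamped to the 1-254 range."""
        return max(1, min(254, self.priority + self.tracked_healthy * TRACK_INCREMENT))

    def election_key(self):
        # highest priority wins; on a tie the highest MAC address wins
        return (self.effective_priority(), self.mac.upper())


def elect_master(routers):
    """The router that should be master among the routers that are alive."""
    live = [r for r in routers if r.alive]
    return max(live, key=VrrpRouter.election_key) if live else None


def run_timeline(routers, events, duration_s):
    """Advance one second at a time. `events` maps a time to (router name, alive flag).
    Returns the list of (time, master name) changes."""
    by_name = {r.name: r for r in routers}
    master = elect_master(routers)
    last_heard = 0
    changes = [(0, master.name)]
    for t in range(1, duration_s + 1):
        if t in events:
            name, alive = events[t]
            by_name[name].alive = alive
        if master.alive:
            last_heard = t                       # the master advertises every second
        best = elect_master(routers)
        if not master.alive and t - last_heard >= DEAD_INTERVAL_S:
            master, last_heard = best, t         # backup takes over after 3 s of silence
            changes.append((t, master.name))
        elif best is not master and best.preempt and best.election_key() > master.election_key():
            master, last_heard = best, t         # recovered higher-priority router preempts
            changes.append((t, master.name))
    return changes


if __name__ == "__main__":
    a = VrrpRouter("A", "00-60-CF-00-00-01", priority=120)
    b = VrrpRouter("B", "00-60-CF-00-00-02")
    # constructed timeline: A fails at 2 s and returns at 8 s
    print(run_timeline([a, b], {2: ("A", False), 8: ("A", True)}, 10))   # [(0,'A'),(4,'B'),(8,'A')]
    print(virtual_mac(1))                                                # 00-00-5E-00-01-01
```

With preempt turned off on A, the timeline ends at (4, "B"): B stays master after A recovers, which is the "can be turned off" option above. The takeover at 4 s is three seconds after A's last advertisement at 1 s, matching the stated 3-second failover.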
Active-Active
All switches can actively forward traffic for the same virtual services and/or interface
Hot Standby
One master with one or more backups. Only master processes layer 4 traffic
Diagrams: Hot-Standby, Active-Standby and Active-Active redundancy topologies, each facing the Internet.
VRRP Summary
- Alteon switches provide L3 and L4 redundancy, as well as support for sharing interfaces (Active-Active feature)
- Reviewed VRRP operations and services
- Reviewed VRRP configuration
Filters
Filters enable the administrator to allow and deny traffic, provide application redirection and increase network security. The rich feature set allows packets to be:
- Allowed
- Denied
- Redirected
- NATed
- TOS bit colored
Filters
- Filter processing is done in the ASIC, providing wire-speed access lists
- Offloads network devices so they can be used for their strengths
- 2048 filters per switch on the AD4/184; 224 filters on other models
- The filter number determines the order of precedence
- Once a filter fires, the packet is passed out of the switch
- When an allow filter is created there is no implicit deny
Filters
- Normal filters perform a logical AND on all filter parameters: a filter fires only if all of its conditions are met
- Each filter can have logging enabled or disabled
- Caching of filter entries is recommended when using TCP, for quick filter access
Application Redirection
- Allows traffic to be steered transparently to the device proxying or handling the session
- Requires redirection filters
- SSL, WCR and FWLB are typical applications
Apply Filter 10:
  /cfg/slb/filt 10
    sip any
    dip any
    proto tcp
    sport any
    dport http
    action redir
    rport http
    group 10
    ena
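Three of the rules above decide what a filter set actually does to a packet: filters are tried in filter-number order, a filter fires only when every configured parameter matches (logical AND), and an allow filter creates no implicit deny. The following evaluator is an added example, not switch code, that applies those rules to filter 10 from the configuration above; the catch-all filter 2048 (deny everything, numbered last on the 2048-filter AD4/184), the small port-name table and the packets are constructed for the example.

```python
"""Model of Alteon filter evaluation: first match in filter-number order, all
parameters AND-ed, and no implicit deny when nothing fires.

Added example, not switch code. Filter 10 is the redirection filter from the
configuration above; filter 2048 (deny any) and the port-name table are
assumed for the example.
"""
import ipaddress

ANY = "any"
PORT_NAMES = {"http": 80, "https": 443, "dns": 53}   # small subset, assumed


def _port(spec):
    """Resolve a service name such as 'http' to its port number."""
    return PORT_NAMES.get(spec, spec) if isinstance(spec, str) else spec


def _match_ip(spec, addr):
    return spec == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _match(spec, value):
    return spec == ANY or _port(spec) == value


class Filter:
    def __init__(self, number, action, sip=ANY, dip=ANY, proto=ANY, sport=ANY,
                 dport=ANY, rport=None, group=None, ena=True):
        self.number, self.action, self.ena = number, action, ena
        self.sip, self.dip, self.proto = sip, dip, proto
        self.sport, self.dport = sport, dport
        self.rport, self.group = rport, group       # redirection target (action redir)

    def matches(self, pkt):
        """Logical AND of every configured parameter; a disabled filter never fires."""
        return (self.ena
                and _match_ip(self.sip, pkt["sip"])
                and _match_ip(self.dip, pkt["dip"])
                and _match(self.proto, pkt["proto"])
                and _match(self.sport, pkt["sport"])
                and _match(self.dport, pkt["dport"]))


def apply_filters(filters, pkt):
    """(filter number, action) of the first filter that fires, in number order.
    If no filter fires the packet is allowed: there is no implicit deny."""
    for f in sorted(filters, key=lambda f: f.number):
        if f.matches(pkt):
            return f.number, f.action
    return None, "allow"


if __name__ == "__main__":
    f10 = Filter(10, "redir", proto="tcp", dport="http", rport="http", group=10)   # from the page
    f2048 = Filter(2048, "deny")                                                   # assumed catch-all
    # constructed packets
    http = {"sip": "203.0.113.5", "dip": "198.51.100.10", "proto": "tcp", "sport": 40000, "dport": 80}
    dns = {"sip": "203.0.113.5", "dip": "198.51.100.10", "proto": "udp", "sport": 40001, "dport": 53}
    print(apply_filters([f10], http))          # (10, 'redir')
    print(apply_filters([f10], dns))           # (None, 'allow'): nothing fired, so it passes
    print(apply_filters([f10, f2048], dns))    # (2048, 'deny'): the explicit deny is needed
```

The second result is the point of "no implicit deny": a filter set consisting only of allow and redirect filters still lets every other packet through, so a set that is meant to restrict traffic ends with an explicit deny-all at the highest filter number. Precedence works the same way for allow filters placed before filter 10: a lower-numbered allow for a local subnet wins, and those packets are not redirected.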
With STP off, VRRP allows for a much quicker failover and is the recommended configuration. See the Complete Firewall Load Balancing Guide for most configurations.
Dirty Side
- Allow filters for local addresses/subnets/VRRP broadcasts
- Redirection filter for all others
- Enable FWLB on the filter
- Static routes to the internal networks and to the real servers
- Default route to the external networks
Clean Side
- Allow filters for local addresses/subnets/VRRP broadcast (dip 224.0.0.0/24)
Ingress to Site
1. Traffic hits the ingress port (processing order: server, filter, client).
2. The redirection filter fires and hashes on SIP and DIP.
3. The designated real server is selected; this is merely the corresponding IP interface of the clean switch.
4. The packet is routed via the configured static route, changing only the DMAC to that of the firewall.
5. The firewall receives the packet with the original DIP (the VIP) and routes it to the switch for SLB.
6. The packet arrives on the clean switch; client processing replaces the VIP with the RIP and sends the packet to the selected real server.
7. The server processes the request.
FWLB topology diagram: Internet (Net A); dirty-side switches with VIRs, one master (M) and one backup (B); FW 1 and FW 2 on Nets B and C; clean-side switches with VIRs on Nets D and E; SLB servers on Net F; interfaces labelled R.1 to R.4 and .1.
Common mistakes:
- Real servers incorrectly numbered
- No routes to the networks on the switch or firewall
- Firewall policy does not allow health checks through
- Filters not set for local nets
- No dummy filter for HTTP health checks
- Static routes not consistent with the clean- and dirty-side reals
- Incorrect VLANs configured on the switch
Alteons maintain session state through firewalls by using the hash metric on SIP/DIP, and use ICMP health checks.
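The reason the SIP/DIP hash keeps state intact through a stateful firewall is that both switches must pick the same firewall for both directions of a session. The following is an added example and not Alteon's hashing code (the page does not give it): it models the ingress walk above with the dirty-side switch hashing the client-to-VIP packet and the clean-side switch hashing the reply, whose SIP and DIP are swapped. An order-independent hash of the address pair keeps both directions on one firewall; for contrast, a hash on the source address alone (a deliberately simple stand-in) splits sessions across the two firewalls. The firewall paths and addresses are constructed.

```python
"""Why the FWLB hash must give the same answer on the dirty and clean side.

Added example, not Alteon code. The symmetric CRC32 pair hash and the two
firewall paths are assumptions; the source-only hash is a deliberately
simple contrast, not a real load-balancing metric.
"""
import ipaddress
import zlib

# constructed: each firewall is reached by routing to the clean switch's
# corresponding IP interface (the "designated real server" in the walk above)
FIREWALL_PATHS = [
    {"firewall": "FW1", "clean_if": "172.16.10.1"},
    {"firewall": "FW2", "clean_if": "172.16.20.1"},
]


def _packed(ip):
    return ipaddress.ip_address(ip).packed


def symmetric_hash(sip, dip):
    """Hash of the address pair that does not depend on which one is the source."""
    a, b = sorted((_packed(sip), _packed(dip)))
    return zlib.crc32(a + b)


def source_only_hash(sip, dip):
    """Contrast case: a hash that looks at the source address only (sum of its octets)."""
    return sum(_packed(sip))


def pick_firewall(sip, dip, hash_fn=symmetric_hash):
    """Firewall path chosen by the redirection filter for a packet with this SIP/DIP."""
    return FIREWALL_PATHS[hash_fn(sip, dip) % len(FIREWALL_PATHS)]


def session_consistent(client_ip, vip, hash_fn=symmetric_hash):
    """True if the request (client -> VIP, hashed on the dirty side) and the reply
    (VIP -> client, hashed on the clean side) go through the same firewall."""
    return pick_firewall(client_ip, vip, hash_fn) == pick_firewall(vip, client_ip, hash_fn)


def count_split_sessions(clients, vip, hash_fn):
    """Number of clients whose reply would come back through the other firewall."""
    return sum(not session_consistent(c, vip, hash_fn) for c in clients)


if __name__ == "__main__":
    vip = "192.168.100.10"                                  # constructed
    clients = [f"10.1.1.{k}" for k in range(1, 201)]        # constructed
    print("symmetric  :", count_split_sessions(clients, vip, symmetric_hash), "split sessions")
    print("source-only:", count_split_sessions(clients, vip, source_only_hash), "split sessions")
    print("client 10.1.1.1 ->", pick_firewall("10.1.1.1", vip)["firewall"],
          "via", pick_firewall("10.1.1.1", vip)["clean_if"])
```

A split session is exactly what the firewall sees as an unsolicited reply and drops, which is why a real-server numbering or static-route mismatch between the clean and dirty sides (two of the common mistakes listed above) shows up as connections that open but never complete.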
Alteon Troubleshooting
Bootup Issues
Switch will not boot:
- Check the LED patterns
- May need to do a serial download
Switch boots but generates errors:
- Kernel Magic Wrong
- Bad CRC
- Could not read Active/Backup config blocks
Link Issues
- Check the cable (could be the wrong type or a bad cable)
- Check link negotiation (especially for Gigabit connections)
- Check for port configuration mismatches on either end of the connection (speed/mode/fctl)
- Check /info/link
- Check the LED status
Panic/Crash/Hang Issues
- Forcing a panic: /maint/panic, or hit the <ctrl-shift-6> keys together
- Collecting core dumps: /maint/uudmp (make sure terminal logging is turned ON before initiating this)
- Hard reset: /boot/reset hard
Connectivity Problems
Flaky port connections:
- Check port statistics and look for error counters, for example /stats/port <port-number>/ether and /stats/port <port-number>/if/ifInErrors
- Check the link on either end (refer to Link Issues)
- Check STP states
- Check LED patterns
- Note changes after disconnecting/connecting the cable and/or resetting the switch
L4 Issues
- Clients cannot access the real server's service port directly: security feature
- Periodic health check failures (L3): check the IP interfaces on both ends
- Periodic health check failures (L4): check that the service is up and running; network traces between the Alteon and the real servers may be needed
- Periodic health check failures (Content): verify that the requested HTTP object is present on the real server(s)
L4 Issues (contd.)
- Clients cannot contact the VIP: check the port state(s) for client connections; make sure the VIP is enabled; the VIP needs to be well known
- Cannot telnet to the switch: make sure the interface concerned is enabled
- Clients cannot access the services through the VIP even though the real server(s) are marked operational: possible with L3 health checks, where the service could be down but the server is still up