
Alteon Application Switch Basics

Overview of Alteon

What is an L4 Switch? L2 Switch

An L2 switch forwards frames by destination MAC address, looked up in the switch forwarding database (FDB).

[Figure: a client pings 10.1.1.1. The switch resolves the destination with ARP ("10.1.1.1 MAC?" answered with "IP: 10.1.1.1, MAC: 00-00-E2-6D-7A-F8") and forwards on the Layer 2 header (D-MAC, S-MAC); the Layer 3 (D-IP, S-IP) and Layer 4 (D-Port, C-Port) fields are not consulted.]

What is an L4 Switch? L4 Switch

An L4 switch forwards by service type (TCP/UDP port) as well as by address.

[Figure: DNS resolves http://www.ringnet.co.kr to the VIP 10.1.1.100. The switch inspects the Layer 2 (D-MAC, S-MAC), Layer 3 (D-IP, S-IP) and Layer 4 (D-Port, C-Port) headers and switches requests for the VIP's HTTP service to one of three real servers: 10.1.1.1, 10.1.1.2 and 10.1.1.3.]

Alteon Web Switch Platforms

Industry Leading Web Switching (L4-7)

[Figure: platforms positioned by price against feature/function, from the AD3 at the bottom to the 184 at the top.]

- Alteon 184 (WSM 184): nine 10/100/1000 Mbps ports; 4 MB of memory per port (ports 1-8), 8 MB on port 9; 512K concurrent sessions; 8 Gbps backplane capacity
- WSM: four 10/100 TX or Gig SX ports; 80 MB of memory; 512K concurrent sessions
- Alteon 180e: eight 10/100/1000 Mbps ports plus one 1000BASE-SX port; 2 MB of memory per port; 336K concurrent sessions; 8 Gbps backplane capacity
- AD4: eight 10/100BASE-T ports plus one 1000BASE-SX uplink; 4 MB of memory per port (ports 1-8), 8 MB on port 9; 512K concurrent sessions; 8 Gbps backplane capacity
- AD3: eight 10/100BASE-T ports plus one 1000BASE-SX uplink; 2 MB of memory per port; 336K concurrent sessions; 8 Gbps backplane capacity

Alteon Web Switches

[Figure: Alteon 184 front panel.]

- Selectable 8 x 10/100 or 1000SX Ethernet ports
- One 100 or Gigabit Ethernet uplink on port 9
- AC and DC power available
- 6 LEDs per port: Data, Link, Active
- Console port

"We went with Alteon's AD4 because of its industry leading performance and Layer 7 logic."

"Alteon 184 outclassed all of its competitors under the heaviest load conditions and demonstrated superior performance!"

Alteon AAS Series Platforms

[Figure: AAS series positioned by price against feature/function: AAS 2208, AAS 2216, AAS 2224, AAS 2424, AAS 3408.]

AAS Series Model Number

Alteon Application Switch xyzz
- First digit (x) identifies the series: 2000 = Fast Ethernet; 3000 = Gigabit Ethernet
- Second digit (y) indicates the number of optical Gigabit ports (uplinks, but they can be used for anything)
- Last two digits (zz) indicate the number of ports for servers/devices

Example: Alteon Application Switch 2224 = Fast Ethernet; 2 optical GE ports; 24 FE ports

Alteon Application Switch 2224

[Figure: 2224 front panel (Nortel Networks): DB9 console, RJ45 management port, ports 1-24 (Fast Ethernet) and ports 25-26 (GE).]

Note: GBIC is required for GE.

Alteon Application Switch 2424

[Figure: 2424 front panel, 1-RU form factor: RJ45 auto 10/100 Fast Ethernet ports 1-24 with per-port LEDs; SFP GBICs (1000Base-SX or 1000Base-LX with LC connectors) on ports 25-28 with SFP LEDs; DB9 console; RJ45 management port; fan and power LEDs.]

Alteon Application Switch 3408

[Figure: 3408 front panel, 1-RU form factor: RJ45 auto 10/100/1000 Ethernet ports, SFP GBICs (1000Base-SX or 1000Base-LX with LC connectors) with SFP LEDs, optional copper or optical on the combo ports (ports 1-12 in total); DB9 console; RJ45 management port; fan and power LEDs.]

Summary: Alteon Switch Positioning

[Figure: switches positioned by price against feature/function/performance. Fast Ethernet: AD3, AD4, AAS2208, AAS2216, AAS2224, AAS2424. Gigabit Ethernet: 180e, 184, AAS3408. Modular: Passport 8600 Layer 2-7 Routing Switch (WSM).]

Model     Port                                         Total Memory  Concurrent Sessions  Switch Capacity
AD3       8-10/100M, 1-1000M                           18M           336K                 8Gbps
AD4       8-10/100M, 1-1000M                           40M           512K                 8Gbps
180E      8-10/100M/1000M, 1-1000M                     18M           336K                 8Gbps
184       9-10/100M/1000M                              40M           512K                 8Gbps
WSM       4-1000M                                      80M           512K                 (not listed)
AAS 2208  8-10/100M, 2-1000M                           256M          600K                 16Gbps
AAS 2216  16-10/100M, 2-1000M                          384M          1M                   16Gbps
AAS 2224  24-10/100M, 2-1000M                          640M          2M                   16Gbps
AAS 2424  24-10/100M, 4-1000M                          640M          2M                   16Gbps
AAS 3408  4-1G (RJ-45), 4-1G (SFP), 4-1G (RJ-45/SFP)   640M          2M                   16Gbps
CPU load

MP (Management Processor):
- Configuration Manager
- All switch management including SNMP, WebUI, Telnet, SSH, RADIUS, syslog, traps, etc.
- STP (Spanning Tree Protocol)
- Routing protocols such as RIP1, OSPF, BGP
- VRRP
- Real server health checking
- Statistics collection from the SPs

SP (Switch Processor):
- Processes packets received from the port
- Transmits packets out of the port
- L2 bridging
- VLAN and trunk management (VLAN tag insertion by hardware)
- L3 forwarding
- L4-7 packet processing
- Session table management
- BWM classification and BWM (shaping & policing)
- Statistics reporting to the MP

Alteon L4 Switch Basic

Switch Basics
- The switch is a Layer 2 device with Layer 3 functionality
- All Layer 4 to 7 features are off by default
- Allows for 16 instances of Spanning Tree Groups
- Supports 10/100/1000 Mbps Ethernet
- Supports Telnet, CLI, WebUI
- Boots in 10 seconds

Console Connection
Requires a standard DB9 cable with male connection. Standard connection settings:
- 9600 baud
- 8 data bits
- No parity bit
- 1 stop bit
- No flow control

Use HyperTerminal or any other terminal emulator.

Upgrading Switch Code


Two software images plus a boot image.

Upgrading procedure:
- Option 1: download the image from a TFTP server to the switch
- Option 2: load the image via serial download

/boot menu:
- gtimg downloads a new image via TFTP; you are asked where to put the image <image 1/image 2/boot>, the TFTP server IP address and the image file name (_mp vs. _boot vs. _bin; .180e vs. .184)
- ptimg transfers an image to a TFTP server
- Reset the switch with the /boot/reset command

Setting the Switch Configuration Block


Two user configuration blocks or a factory configuration, selected with the /boot/conf command: active, backup or factory.

Setting Telnet
Telnet capabilities: enable/disable telnet with /cfg/sys/tnet <ena|dis> (from the console port only). The telnet timeout default is set to 5 minutes.

Switch Timeout
Switch CLI session timeout: 1 to 60 minutes, default set to 5 minutes.

/cfg/sys/idle <idle time>   Set time from 1 to 60 minutes

Setting Switch Date and Time


/cfg/sys/date <date>

    System# date
    Enter year [2004]: 2004
    Enter month [4]: 4
    Enter day [18]: 18
    System clock set to 14:11:46 Sun Apr 18, 2004.

/cfg/sys/time <24 hour time>

    System# time
    Enter hour in 24-hour format [14]: 14
    Enter minutes [11]: 12
    Enter seconds [50]: 00
    System clock set to 14:12:00 Sun Apr 18, 2004.

Setting the Switch Banner


- Login banner of up to 80 characters
- Banner is shown for console/telnet user/admin logins
- /cfg/sys/bannr <banner>

Setting the Switch Management Network


Allows the administrator to set a workstation or range of workstations that are allowed management access to the switch:
- /cfg/sys/mnet <IP Address>
- /cfg/sys/mmask <Subnet Mask>
Limits internal stack access.
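The telnet, idle-timeout and management-network settings above are the ones an auditor checks first, because a management network of 0.0.0.0/0.0.0.0 and telnet left enabled mean any reachable host can attempt cleartext logins. The script below is an added example, not WebOS code or anything from Nortel: it evaluates a constructed settings dictionary (the keys mirror the /cfg/sys commands; the values are hypothetical) and assumes ordinary netmask semantics for mnet/mmask.

```python
import ipaddress

# Constructed example of the /cfg/sys management settings discussed above; values are hypothetical.
SETTINGS = {
    "tnet": "ena",       # /cfg/sys/tnet <ena|dis>
    "idle": 5,           # /cfg/sys/idle <idle time>, 1-60 minutes
    "mnet": "0.0.0.0",   # /cfg/sys/mnet <IP Address>
    "mmask": "0.0.0.0",  # /cfg/sys/mmask <Subnet Mask>
}

# The same settings after restricting management to one subnet and turning telnet off.
HARDENED = {"tnet": "dis", "idle": 5, "mnet": "10.1.1.0", "mmask": "255.255.255.0"}


def management_allowed(src_ip, mnet, mmask):
    """True if src_ip lies inside the mnet/mmask management network.

    Assumes ordinary netmask semantics (source and mnet compared under the mask),
    so a mask of 0.0.0.0 matches every address, i.e. no restriction at all.
    """
    net = int(ipaddress.IPv4Address(mnet))
    mask = int(ipaddress.IPv4Address(mmask))
    return (int(ipaddress.IPv4Address(src_ip)) & mask) == (net & mask)


def audit_management_plane(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if settings["tnet"] == "ena":
        findings.append("telnet enabled: credentials cross the network in cleartext; "
                        "prefer SSH and set /cfg/sys/tnet dis from the console")
    if not 1 <= settings["idle"] <= 60:
        findings.append("idle timeout %r is outside the 1-60 minute range" % settings["idle"])
    if int(ipaddress.IPv4Address(settings["mmask"])) == 0:
        findings.append("management network unrestricted (mmask 0.0.0.0): any host that can "
                        "reach an IP interface may attempt management access")
    return findings


if __name__ == "__main__":
    for label, cfg in (("example as shipped", SETTINGS), ("hardened example", HARDENED)):
        print(label, audit_management_plane(cfg) or ["no findings"])
```

The mnet/mmask pair only limits which sources may open a management session; it does not replace changing the default passwords described later in this deck.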

Port Configurations
Configure individual physical switch ports under the /cfg/port <port number> fast menu:
- Link speed: speed <any/10/100>
- Duplex mode: mode <any/full/half>
- Flow control: fctl <auto/rx/tx/both/none>
- Auto-negotiation enable/disable: auto <e|d>
Enable/disable a switch port under the /cfg/port <port number> menu with ena/dis (or the shorter e/d).

IP Interfaces
- The switch supports 256 IP interfaces
- The switch supports 246 VLANs (range 1~4094)
- The interfaces are logical and are associated with VLANs; VLANs are in turn associated with physical ports
- Each port can support 246 VLANs by using VLAN tagging
- All IP interfaces can be on different subnets, all in the same VLAN
- Interfaces need to be enabled in order to become active

IP Interfaces
Switch Operation     AD3/4 and 180e/184
VLANs                246
IP I/Fs              256
Routing Protocols    RIP I, OSPF, BGP Lite (up to 4 peers)
Routes               1K
Static Routes        128
ARP Cache            4096
STP Domains          16 (WebOS 10.0), 1 (WebOS 9.0)
MAC Addresses        2K

Changing Password
- The default password is admin
- To change a user level password: gain administrator access to the switch with the admin password, enter the /cfg/sys/user menu, then select the user to change:
  usrpw - Set user password (user)
  sopw  - Set SLB operator password (slboper)
  l4opw - Set L4 operator password (l4oper)
  opw   - Set operator password (oper)
  sapw  - Set SLB administrator password (slbadmin)
  l4apw - Set L4 administrator password (l4admin)
  admpw - Set administrator password (admin)

Switch Administration Security Protection


- user: generic switch access to view switch statistics and status information. Default: user
- slboper: operator that manages web servers and other Internet services and their loads
- l4oper: operator that manages traffic on the lines leading to the Internet services
- oper: operator that manages all functions of the switch and is permitted to reset ports or the entire switch

Switch Administration Security Protection


- slbadmin: administrator that configures and manages web servers and other Internet services and their loads
- l4admin: administrator that configures and manages the traffic on the lines leading to the shared Internet services. Default: l4admin
- admin: the superuser administrator that has access to all of the switch's management and configuration features. Default: admin
The password entered determines the user level.

Setting Up a Syslog
- Configure up to two hosts to capture syslog messages: /cfg/sys/syslog/host <ip address>
- Eight different types of syslog messages:
  EMERG: system is unusable
  ALERT: immediate action required
  CRIT: critical condition
  ERR: error condition/operation
  WARNING: warning condition
  NOTICE: normal but significant condition
  INFO: information message
  DEBUG: debug level message

Setting Up SNMP
Allows the switch to support SNMP network management via the /cfg/snmp menu:
- System name, system location, contact information (64 characters each)
- Read/write community strings (32 characters)
- IP addresses of up to 2 hosts to receive system traps (allows for community string access)

Upgrading Switch Software Key


- SLB and WCR software come with the switch
- GSLB and BWM are optional. If you want to run GSLB or BWM, call Alteon to obtain a license certificate (key); the license is MAC address specific
- /oper/swkey, then enter the swkey

Command Line Basics


/               Move back to the Main menu
..              Move back one menu level
.               Show the menu for the current context
apply           Makes changes active in volatile RAM
save            Save changes to the non-volatile Active Flash bank
diff [flash]    View un-applied [applied but un-saved] changes
revert [apply]  Revert un-applied [applied but not saved] changes

Useful Reference Material


/info/link                          View physical port link state
/info/vrrp                          Show VRRP information
/info/ip                            Show IP interface information
/info/route/dump                    Dump the routing table
/info/slb/dump                      Show SLB state and information
/info/slb/sess/dump                 Dump the session table or find an entry by the client's IP address
/stat/slb/<virt x|real x|group x>   View SLB statistics for a virtual server, real server or group

Glossary

- Service: part of a virtual server which associates a TCP or UDP port and a group to be load balanced
- Virtual Server: consists of a VIP and up to 8 services; up to 256 virtual servers per switch
- VIP (Virtual IP Address): destination IP to load balance service requests from clients
- Real [server]: a physical server; may have more than 1 RIP bound to it
- RIP (Real IP Address)
Architecture issue

Switch Overview
Each switch supports the following:
- 10/100/1000 Ethernet
- VLAN tagging (802.1Q)
- Trunking up to 4 GE or 6 FE ports
- SNMP
- Routing (RIP, OSPF, BGP Lite)
- Syslog
- SSH
- Telnet

MAC Addresses
Each Tigon switch is assigned 16 MAC addresses by manufacturing. The first three octets (OUI) are currently 00:60:cf. These 16 MAC addresses are assigned as follows:
- One to the MP, used for routing and management
- One to each SP, used as the MAC address of the PIP
- Two used as virtual MAC addresses
- The remaining 4 are undefined

WebOS Software
- Runs proprietary software coded in C++ and Assembler
- The majority of functions are programmed into the ASICs
- Image sizes are between 500KB and 1MB
- Requires a boot image to boot the switch; the boot image can be a different version from the OS
- Solid state switch, so the boot process takes 10 seconds

WebOS Software
- Configs and image are stored in non-volatile internal flash memory
- Three config banks (TFTP or text upload/download): Factory Default, Active, Backup
- Two image banks (TFTP or serial upload): Image 1, Image 2

WebOS Software
WebOS file name format: Version_FileType.Product (e.g. 100309_mp.184) where:

FileType   mp     core WebOS code (TFTP upload); AlteonOS (AAS)
           boot   boot code (TFTP upload); Boot (AAS)
           bin    both of the above (serial upload); Serial (AAS)
Product    180E   for 180E and AD3
           184    for 184 and AD4
           img    for AAS

Switch Architecture

[Figure: management module (RISC processors, memory, flash) attached to an 8 Gbps switch backplane; each group of switch ports is served by a WebIC with a forwarding engine, dual RISC processors and local memory.]

Distributed architecture:
- WebIC: network processing ASIC with a hardware-assisted forwarding engine and dual RISC processors
- Up to 20 RISC processors per switch
- Separate centralized switch management processors

Virtual Matrix Architecture (VMA)

[Figure: client traffic (DA_X SA_1, DA_Y SA_2, DA_X SA_1, DA_X SA_3) enters on one port and is spread across the CPUs at all ports, including an unattached port; the CPUs hold the session entries (DA_X, SA_3, RIP_A), (DA_X, SA_1, RIP_A), (DA_Y, SA_2, RIP_B), (DA_X, SA_1, RIP_A) before the packets are forwarded to the servers.]

- Can be turned off if not required: /c/slb/adv/matrix ena/dis
- Only used for Layer 4-7 sessions
- Requires WebOS version 8.0 or above

Combines the performance of a distributed architecture with the resource utilization of a centralized architecture:
- CPUs at all ports actively share the L4-7 processing load
- Each ingress packet is hashed to one of 8 ports for L4-7 processing
- The hashing algorithm ensures even distribution of Internet traffic
- Packets in the same session are always hashed to the same CPU
- Memory at all ports is pooled and utilized at all times
- Session entries are kept in memory local to the designated CPUs
- A global session table is kept for cookie-persistent sessions
- All ports store all filtering/redirection policies
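Two properties make the VMA hashing work: every packet of a session must land on the same CPU (so the session entry is found in that CPU's local memory, in both directions), and unrelated sessions must spread evenly over the 8 processors. The code below is an added illustration, not the WebOS algorithm, which the deck does not disclose: it builds an order-independent 5-tuple key, hashes it with SHA-256 (chosen only so the distribution is easy to check) and reduces it modulo the number of SPs, then measures the spread over a constructed population of client flows.

```python
import hashlib
from collections import Counter

NUM_SPS = 8  # each ingress packet is hashed to one of 8 ports/CPUs


def session_key(sip, sport, dip, dport, proto):
    """Order-independent 5-tuple key so both directions of a session hash alike."""
    ends = sorted([(sip, sport), (dip, dport)])
    return "%s|%s:%d|%s:%d" % ((proto,) + ends[0] + ends[1])


def designated_cpu(sip, sport, dip, dport, proto="tcp", n=NUM_SPS):
    """Illustrative hash (not the WebOS one): SHA-256 of the session key reduced modulo n."""
    digest = hashlib.sha256(session_key(sip, sport, dip, dport, proto).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


def distribution(flows, n=NUM_SPS):
    """Count how many flows each CPU is designated for."""
    return Counter(designated_cpu(*flow, n=n) for flow in flows)


# Constructed client flows to one VIP; the addresses are examples only.
FLOWS = [("200.20.20.%d" % (i % 250 + 1), 1024 + i, "100.10.10.1", 80, "tcp")
         for i in range(2000)]


if __name__ == "__main__":
    request = designated_cpu("200.20.20.1", 2155, "100.10.10.1", 80)
    reply = designated_cpu("100.10.10.1", 80, "200.20.20.1", 2155)
    print("request CPU", request, "reply CPU", reply)
    print(sorted(distribution(FLOWS).items()))
```

Symmetry of the key is the point to check when reasoning about any such design: if the reply direction hashed differently, the server-side packet would reach a CPU with no session entry for it.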

SP (Switch Processor) / MP (Management Processor)

Switch Model  SP1                 SP2                  SP3      SP4      MP
Alteon 2208   Ports 1-8, and 9    Port 10              N/A      N/A      1 (128M)
Alteon 2216   Ports 1-12, and 17  Ports 13-16, and 18  N/A      N/A      1 (128M)
Alteon 2224   Ports 1-12, and 25  Ports 13-24          Port 26  N/A      1 (128M)
Alteon 2424   Ports 1-12, and 25  Ports 13-24, and 26  Port 27  Port 28  1 (128M)

All four SPs are used in Virtual Matrix Architecture (VMA).

Alteon Terminology
- VIP, VMAC, VPort: virtual server IP address, MAC address, TCP/UDP port
- RIP, RMAC, RPort: real server IP address, MAC address, TCP/UDP port
- CIP, CMAC, CPort: client IP address, MAC address, TCP/UDP port
- PIP, PMAC, PPort: proxy IP address, MAC address, TCP/UDP port
- Session: TCP connection, UDP session, IP flow

WebOS Traffic Flow


At each ingress port, if Layer 4 parameters are configured, the traffic flow follows these 3 processes:
- Server: translates RIP to VIP, RPort to VPort and RMAC to VMAC
- Filter: fires filters and performs the associated action
- Client: translates VIP to RIP, VPort to RPort and VMAC to RMAC

Order of processing: PIP -> RTP -> Server -> Filter -> Client -> L3/L2

Others

Routing Protocols
- RIPv1, 1K route table entries
- BGP4 subset supported (on AD4 and Alteon 184)
- Static routes (up to 128)
- Multiple default gateways: up to 4 per switch; each default gateway is health checked using ICMP Echo

VLAN Terminology
- VLANs: separation of broadcast domains, on a single networking device or across multiple networking devices
- VLAN ID: identifier of a specific broadcast domain; can be any number 1-4095 (per the IEEE 802.1Q standard)
- PVID: Port VLAN Identifier, used to associate a physical switch port with a specific VLAN
- Tagged ports: the tag is a field in the Ethernet frame used to identify a VLAN; required if multiple VLANs run over a single port
- Trunk ports: ports that carry more than one VLAN

VLAN Configurations
When running VLANs, there are two places you need to configure VLAN identifiers: on the IP interface configuration and on the switch port.
- To configure VLANs on the IP interface: /cfg/ip/if <if number> vlan <vlan number> (1-4094)
- To configure VLANs on the port: /cfg/port <port number> menu, pvid <vlan number (1-4094)>
- To configure a port for multiple VLANs: /cfg/port <port number>/tag e, then pvid <vlan number (1-4094)>

Port Trunking
Port trunking is combining multiple physical ports together to act as one single "super bandwidth" port:
- Aggregate bandwidth
- Built-in fault tolerance

Alteon's Port Trunking Capabilities

- Up to four trunk groups consisting of 2 to 6 ports each
- Up to six 10/100 Mbps ports per group
- Up to four 1000 Mbps ports per group
- Nortel Multilink Trunking (MLT) compatible
- Cisco EtherChannel compatible
- SUN Quad Fast Ethernet Adapter compatible

Server Load Balancing

Server Load Balancing-advantage


- Improves server utilization by transparently distributing traffic across server groups
- Provides increased reliability of user services and applications in the event of server or network failure
- Increases web server performance by offloading server CPUs while increasing throughput

Server Load Balancing-advantage


- Provides scalability for deploying new services without interrupting existing services
- Improves security by allowing private addresses to be used
- Allows intelligent management of content by inspecting Layer 7 information
- Provides switch and/or site resilience
- MaxCon: intelligently limits the maximum connections to protect real server capacity

Server Load Balancing


Two ways to implement SLB:
- VIP based load balancing
- Redirection filter based balancing

Server load balancing generally uses a VIP; WCR and FWLB (and other application LB) generally use redirection filters. L4 to L7 load balancing is supported, and Alteon can load balance on any TCP/UDP port. However, some applications write the real server IP address in the data portion, and those we may not be able to load balance.

Server Load Balancing


- Internet traffic comes into a virtual IP address which is resolved via DNS
- The VIP (Virtual IP Address) is associated with a group of real servers
- The Alteon load balances the requests to the real servers
- Request forwarding is determined using an algorithm to establish the load on each real server
- Health checks are used to determine real server responsiveness and availability

[Figure: a VIP presenting a virtual web site in front of a group of servers.]

Server Load Balancing


Real Servers
- Can have public or private IP addresses
- Must run a TCP/UDP service
- Up to 1024 real servers can be configured (version 10)
- Must belong to a group, but can be a member of multiple groups
- Can have maximum connections and timeout values assigned

Groups
- Support for up to 256 groups
- A group can support 1024 real servers
- Requires a health check metric
- Requires a load balancing metric

Server Load Balancing


Virtual IP Address (VIP)
- Also called a virtual server
- Up to 256 VIPs can be configured
- Each VIP must have at least one service (a TCP/UDP port such as HTTP, HTTPS, FTP etc.) associated with it
- Must have a group associated with each service
- Each VIP can support 8 services

Server Load Balancing


Client / Server processing
Changes the DIP from the VIP to the real server IP and vice versa. Client processing also creates a session binding entry based on the client SIP and SPort.

[Figure: Client 200.20.20.1 -> VIP 100.10.10.1 -> Server 192.168.1.1.
Request, client processing: SIP 200.20.20.1, DIP 100.10.10.1, DMAC = V-MAC is rewritten to SIP 200.20.20.1, DIP 192.168.1.1, DMAC = R-MAC.
Reply, server processing: SIP 192.168.1.1, DIP 200.20.20.1, DMAC = DGW-MAC is rewritten to SIP 100.10.10.1, DIP 200.20.20.1, DMAC = C-MAC.]

Server Load Balancing


Client processing

                             MAC               IP                                   TCP
                             Dst MAC  Src MAC  Src IP  Dst IP  IP Checksum  Src Port  Dst Port  TCP Checksum
Client (sends)               Vmac     Cmac     CIP     VIP     B62A         2155      80        037A
Alteon Switch (receives)     Vmac     Cmac     CIP     VIP     B62A         2155      80        037A
Alteon Switch (sends)        Rmac     Cmac     CIP     RIP     48A0         2155      80        C107
Real Server (receives)       Rmac     Cmac     CIP     RIP     48A0         2155      80        C107

Server Load Balancing


Server processing

                             MAC               IP                                   TCP
                             Dst MAC  Src MAC  Src IP  Dst IP  IP Checksum  Src Port  Dst Port  TCP Checksum
Real Server (sends)          Cmac     Rmac     RIP     CIP     823F         80        2155      0A15
Alteon Switch (receives)     Cmac     Rmac     RIP     CIP     823F         80        2155      0A15
Alteon Switch (sends)        Cmac     Vmac     VIP     CIP     644B         80        2155      761A
Client (receives)            Cmac     Vmac     VIP     CIP     644B         80        2155      761A
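The two tables above show what client processing and server processing rewrite: the destination IP and MAC on the way in, the source IP and MAC on the way out, and the IP checksum each time an address changes. The model below is an added example, not WebOS code or anything from Nortel; it builds a constructed IPv4 header, applies the two rewrites with a real checksum recomputation, and keeps the session binding keyed on the client SIP and SPort so that the reply is matched to the bound real server. The MAC strings and addresses are the constructed ones from the diagram; the checksum values will not equal the hex values in the tables, which depend on header fields the deck does not show.

```python
import struct


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_checksum(header):
    """IPv4 header checksum: one's-complement sum of 16-bit words (0 for a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto=6, ttl=64, payload_len=20):
    """Constructed 20-byte IPv4 header with a correct checksum (example input only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def rewrite_ip(header, src=None, dst=None):
    """Replace SIP and/or DIP and recompute the IP checksum, as the switch must after the rewrite."""
    hdr = bytearray(header)
    if src:
        hdr[12:16] = ip_bytes(src)
    if dst:
        hdr[16:20] = ip_bytes(dst)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


class SlbSwitch:
    """Client and server processing for one virtual server (example model, not WebOS)."""

    def __init__(self, vip, vmac, reals):
        self.vip, self.vmac = vip, vmac
        self.reals = reals            # [(RIP, Rmac), ...]; round robin stands in for the metric
        self.sessions = {}            # (CIP, CPort) -> (RIP, Rmac): the session binding entry
        self.next_real = 0

    def client_processing(self, pkt):
        """Client -> VIP: bind the session to a real, rewrite DIP VIP->RIP and DMAC Vmac->Rmac."""
        sip, dip = ip_str(pkt["ip"][12:16]), ip_str(pkt["ip"][16:20])
        if dip != self.vip or pkt["dmac"] != self.vmac:
            return pkt                # not addressed to the virtual server: left untouched
        key = (sip, pkt["sport"])
        if key not in self.sessions:
            self.sessions[key] = self.reals[self.next_real % len(self.reals)]
            self.next_real += 1
        rip, rmac = self.sessions[key]
        return dict(pkt, dmac=rmac, ip=rewrite_ip(pkt["ip"], dst=rip))

    def server_processing(self, pkt):
        """Real -> client: rewrite SIP RIP->VIP and SMAC Rmac->Vmac for a bound session."""
        sip, dip = ip_str(pkt["ip"][12:16]), ip_str(pkt["ip"][16:20])
        bound = self.sessions.get((dip, pkt["dport"]))
        if bound is None or bound[0] != sip:
            return pkt                # no session binding: left untouched
        return dict(pkt, smac=self.vmac, ip=rewrite_ip(pkt["ip"], src=self.vip))


# Constructed addresses following the diagram above.
SWITCH = SlbSwitch("100.10.10.1", "V-MAC", [("192.168.1.1", "R-MAC-1"), ("192.168.1.2", "R-MAC-2")])
REQUEST = {"dmac": "V-MAC", "smac": "C-MAC", "sport": 2155, "dport": 80,
           "ip": build_ipv4("200.20.20.1", "100.10.10.1")}


def round_trip():
    """One request through client processing and its reply through server processing."""
    to_real = SWITCH.client_processing(REQUEST)
    reply = {"dmac": "C-MAC", "smac": to_real["dmac"], "sport": 80, "dport": 2155,
             "ip": build_ipv4(ip_str(to_real["ip"][16:20]), "200.20.20.1")}
    to_client = SWITCH.server_processing(reply)
    return to_real, to_client


if __name__ == "__main__":
    to_real, to_client = round_trip()
    print("to real  :", to_real["dmac"], ip_str(to_real["ip"][12:16]), "->", ip_str(to_real["ip"][16:20]))
    print("to client:", to_client["smac"], ip_str(to_client["ip"][12:16]), "->", ip_str(to_client["ip"][16:20]))
```

Note that a reply with no matching session binding passes through untouched: that is exactly the situation the Direct Access Mode section later in this deck addresses.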

Load Balancing Metrics


Load based or persistent based.

Load based:
- Round Robin / Weighted Round Robin
- Least Connections / Weighted Least Connections
- Response Time
- Bandwidth
- Hash
- Minimum Misses

Persistent based:
- Cookie
- Phash
- SSL ID

Hash
- The source IP address is used to generate an index into a table containing all servers in the group
- All requests from the same user are sent to the same server, as long as no servers enter or leave the group
- Useful in e-commerce applications and FWLB, where state must be maintained across multiple TCP sessions
- The table is recomputed when a server leaves or enters the group
- Weighting has no effect
- The maximum connections option is supported
- If Application Redirection is configured, the DIP is used instead
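The practical consequence of the hash metric is what happens when group membership changes: the table is recomputed, so some clients are silently moved to a different server and lose any state held there. The code below is an added example, not the WebOS hash (which the deck does not specify); SHA-256 modulo the group size stands in for it, and the group and client addresses are constructed. It shows the persistence while membership is stable, the optional use of the DIP under application redirection, and which clients get remapped when one server leaves.

```python
import hashlib


def hash_index(key, group):
    """Illustrative index function: SHA-256 of the key reduced modulo the group size.

    Stands in for the WebOS hash, which is not described here; the behaviour shown
    (stable mapping until the table is recomputed) does not depend on the exact function.
    """
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % len(group)


def select_server(sip, group, dip=None, app_redirect=False):
    """Hash metric: the source IP chooses the server; with application redirection the DIP is used."""
    key = dip if app_redirect else sip
    return group[hash_index(key, group)]


def remapped_clients(clients, before, after):
    """Clients that land on a different server once the table is recomputed for a new membership."""
    return [c for c in clients if select_server(c, before) != select_server(c, after)]


# Constructed group of real servers and a population of client addresses.
GROUP = ["192.168.1.1", "192.168.1.2", "192.168.1.3"]
CLIENTS = ["200.20.%d.%d" % (i // 250, i % 250 + 1) for i in range(500)]


if __name__ == "__main__":
    moved = remapped_clients(CLIENTS, GROUP, GROUP[:2])
    print("%d of %d clients change server when %s leaves" % (len(moved), len(CLIENTS), GROUP[2]))
```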

Health Checks
- Health checks are used to determine the availability of the servers/service
- Servers are marked down when a health check fails and up when a health check succeeds
- All health check parameters are configurable: the interval between checks, the number of failed retry counts to declare a server down, and the number of restore counts to declare a server up
- Health checks can be turned off

Health Checks
Health check types are:
- ICMP
- TCP: 3-way handshake on the configured service port
- Content: HTTP
- Application specific: RADIUS, SSL, POP, DNS etc.
- Scripted: send sequence, expected response

Note: if you put all services on a real server into one group and one service fails, all services in that group will be marked down. It is therefore recommended that services are put into different groups when adding more than 1 service per real server.

Health Checks
- Group configuration item
- Health checks occur every 2 seconds by default
- For ICMP and TCP, 4 retries will be attempted by default before declaring a service down
- For ICMP only, there must be 8 successful pings by default before declaring the service up; all other types are declared up after 1 successful health check
- If more than 1 service is configured on a real server for a virtual server, the health checks occur sequentially for each service

Health Checks
- TCP
Layer 4 connection requests (TCP SYN) are sent to each configured service on each server. The interval between attempts is user configurable. When the connection request succeeds (the switch receives a TCP SYN ACK response), the connection is quickly closed (the switch sends a TCP FIN to the server).
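The interval, retry and restore counts above determine how long a failed server keeps receiving connections (interval x retries) and how long a recovered one waits before it is used again. The state machine below is an added example, not WebOS code: it applies the defaults from the text (2-second interval, 4 retries for ICMP and TCP, 8 restores for ICMP and 1 for everything else), treats the retry count as consecutive failed checks, assumes 4 retries for the content type since the deck does not state it, and also models the one-group-many-services pitfall from the note above.

```python
# Defaults from the text: (interval seconds, failed checks before down, successes before up).
# The retry count for types other than ICMP/TCP is not stated above; 4 is assumed here.
DEFAULTS = {"icmp": (2, 4, 8), "tcp": (2, 4, 1), "content": (2, 4, 1)}


class ServiceHealth:
    """Up/down state of one service on one real server, driven by check results."""

    def __init__(self, check_type, interval=None, retries=None, restores=None):
        d_interval, d_retries, d_restores = DEFAULTS[check_type]
        self.interval = interval or d_interval
        self.retries = retries or d_retries      # consecutive failures before marking down
        self.restores = restores or d_restores   # consecutive successes before marking up
        self.up = True
        self.fails = self.oks = 0

    def observe(self, succeeded):
        """Feed one check result and return the state after it."""
        if succeeded:
            self.oks, self.fails = self.oks + 1, 0
            if not self.up and self.oks >= self.restores:
                self.up = True
        else:
            self.fails, self.oks = self.fails + 1, 0
            if self.up and self.fails >= self.retries:
                self.up = False
        return self.up

    def seconds_to_detect_failure(self):
        """Worst-case time from the first failed check until the service is marked down."""
        return self.interval * self.retries


def real_usable_in_group(services):
    """With several services of one real in a single group, the real is usable only while all are up."""
    return all(s.up for s in services)


def simulate(check_type, results):
    """Apply a sequence of check results and return the state after each one."""
    svc = ServiceHealth(check_type)
    return [svc.observe(r) for r in results]


if __name__ == "__main__":
    print("icmp:", simulate("icmp", [False] * 4 + [True] * 8))
    print("tcp :", simulate("tcp", [False] * 4 + [True]))
    print("time to detect a failed TCP service:", ServiceHealth("tcp").seconds_to_detect_failure(), "s")
```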

Direct Access Mode


Direct Access Mode (DAM) is needed when:
- Flows from a RIP that use a load balanced service should not be load balanced
- Providing direct access to real servers
- A single RIP supports multiple VIPs
- Delayed bindings are used

Server Load Balancing Configuration

Server Load Balancing


All configuration happens under the /cfg/slb/ menu. Steps:
- Turn on SLB
- Set up real servers
- Set up real server groups
- Configure the VIP with the required services
- Ensure the correct processing (client/server) is on for the ports

Troubleshooting:
- Is SLB enabled?
- Are the reals enabled?
- Is the virt enabled?
- Are the groups associated with the correct service?

Use the /info and /stat menus to get SLB information.

Virtual Router Redundancy Protocol

VRRP
- Defined by RFC 2338 for Layer 3 resilience
- Virtual default gateway
- Upon switch failure the backup switches will select a new master
- Failover takes 3 seconds
- VRRP uses IP multicast to communicate on 224.0.0.18
- Uses a multicast MAC address

VRRP and Alteon WebOS


VRRP allows multiple routers/switches to be active at the same time.

Alteon extensions to VRRP:
- Supports Layer 4 redundancy with Virtual Server Routers (VSR)
- Share mode

VRRP Terminology
- VRRP Router: a router running VRRP, e.g. an Alteon switch
- Virtual Router (per RFC 2338): virtual interface that represents a set of IP addresses
- Virtual Interface Router (Alteon terminology): a virtual router supporting Layer 3 interfaces
- Virtual Server Router (Alteon terminology): a virtual router supporting Layer 4 (VIP) interfaces
- Virtual Router ID (VRID): unique within a LAN; used for building the virtual router MAC address

VRRP Terminology
- Virtual Router Master: the VRRP router that answers ARP requests and forwards packets sent to the virtual router
- Virtual Router Backups: VRRP routers available to assume forwarding responsibility for a virtual router if the master fails

VRRP
How does VRRP work ?
- Uses IP multicast 224.0.0.18 for advertisements
- Advertisements are sent every second by the master
- If a backup does not hear an advertisement for 3 seconds, it declares itself master
- The master answers ARP for the redundant IP address with the MAC address 00-00-5E-00-01-VRID
- This MAC address is used by all virtual routers in a VIR
- The VRID must be unique on a LAN

Virtual Router MAC Address


- The first five octets are the standard MAC prefix for VRRP packets as defined in RFC 2338
- The VRID becomes the final octet: 00-00-5E-00-01-02 for VRID = 2

VRRP
- When configuring VRRP it is important that both switches are configured identically; only the IP addresses and priorities should differ
- The priority of the switch determines which one is master for that VIR and VSR
- Priorities are between 1 and 254 (default 100)
- The highest priority wins; if set the same, the highest MAC address becomes master
- Preemption forces the switch back to the original master on recovery; it can be turned off

VRRP Tracking
Track on L3 parameters or L4 parameters. Parameters you can track on:

L3 parameters:
- Virtual routers in master mode on the switch (vrs)
- Active IP interfaces on the switch (ifs)
- Active ports on the same VLAN (ports)

L4 parameters:
- Physical ports that have active Layer 4 processing (l4pts)
- Healthy real servers behind the VIP (reals)
- In HSRP networks, the number of Layer 4 client-only ports that receive HSRP advertisements (hsrp)

Each tracked parameter has a user configurable weight associated with it.
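The VRRP rules from the last few slides (virtual MAC from the VRID, 1-254 priority with highest-MAC tie-break, 3-second dead interval, optional preemption, tracked parameters with weights) fit in a few small functions. The block below is an added example, not WebOS code: the MAC format, election rule and timers follow the text; the arithmetic for tracking (weight x count added to the base priority, capped at 254) is an assumption, since the deck only says that each parameter has a configurable weight.

```python
def vrrp_mac(vrid):
    """Virtual router MAC: RFC 2338 prefix 00-00-5E-00-01 with the VRID as the final octet."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return "00-00-5E-00-01-%02X" % vrid


def mac_to_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)


def effective_priority(base, tracked=None, weights=None):
    """Configured priority (1-254) raised by weight x count for each tracked parameter.

    Assumption: tracking adds to the configured priority and the result is capped at 254;
    the deck states that the weights are configurable but not the arithmetic.
    """
    if not 1 <= base <= 254:
        raise ValueError("priority must be 1-254")
    extra = sum((weights or {}).get(name, 0) * count for name, count in (tracked or {}).items())
    return max(1, min(254, base + extra))


def elect_master(routers):
    """routers: dicts with name, priority, mac. Highest priority wins; ties go to the highest MAC."""
    return max(routers, key=lambda r: (r["priority"], mac_to_int(r["mac"])))["name"]


def backup_takes_over(last_advert_at, now, dead_after=3.0):
    """A backup declares itself master when no advertisement has been heard for 3 seconds."""
    return now - last_advert_at >= dead_after


def master_after_recovery(current_master, recovered, preempt=True):
    """With preemption on, a recovered higher-priority router reclaims master; otherwise the current one stays."""
    if preempt and recovered["priority"] > current_master["priority"]:
        return recovered["name"]
    return current_master["name"]


if __name__ == "__main__":
    # Constructed pair of switches; the MACs use the 00:60:cf OUI mentioned earlier in this deck.
    a = {"name": "switch-A", "priority": effective_priority(100, {"reals": 4}, {"reals": 2}), "mac": "00-60-CF-00-00-01"}
    b = {"name": "switch-B", "priority": 100, "mac": "00-60-CF-00-00-02"}
    print(vrrp_mac(2), "master:", elect_master([a, b]))
```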

Redundant Operation Modes


- Active-Standby: all switches actively perform load balancing and/or routing functions, but for different virtual services and/or interfaces
- Active-Active: all switches can actively forward traffic for the same virtual services and/or interfaces
- Hot Standby: one master with one or more backups; only the master processes Layer 4 traffic

Hot-Standby Redundancy

[Figure: Internet above two switches, Master (Active) and Backup (Standby). The Master is active for Service #1, #2 and #3; the Backup is standby for Service #1, #2 and #3.]

Active-Standby Redundancy

[Figure: both switches active. Master: active for Service #1, standby for Service #2, active for Service #3. Backup: standby for Service #1, active for Service #2, standby for Service #3.]

Active-Active Redundancy

[Figure: both switches active for Service #1, #2 and #3.]

Configuration and Operations

VRRP Summary
- Alteon switches provide L3 and L4 redundancy, as well as support for sharing interfaces (Active-Active feature)
- Reviewed VRRP operations and services
- Reviewed VRRP configuration

Filters

Filters
The use of filters enables the administrator to allow and deny traffic, provides application redirection and increases network security. A rich feature set allows packets to be:
- Allowed
- Denied
- Redirected
- NATed
- TOS bit coloured

Filtering is the second stage of the WebOS traffic flow: PIP > RTP > Server > Filter > Client > L2/L3

Filters

- Filter processing is done in the ASIC, providing wire speed access lists
- Offloads network devices so they can be used for their strengths
- 2048 filters per switch on AD4/184; 224 filters on other models
- The filter number determines the order of precedence
- Once a filter fires, the packet is passed out of the switch
- When an allow filter is created there is no explicit deny

Filters
- Normal filters perform a logical AND on all filter parameters: the filter fires if all filter conditions are met
- Each filter can have logging enabled or disabled
- Caching of filter entries is recommended when using TCP, for quick filter access

Application Redirection

Application Redirection
Allows traffic to be steered transparently to the device proxying or handling the session. Requires redirection filters. SSL, WCR and FWLB are typical applications.

Apply filter 10:

    /cfg/slb/filt 10
    sip any
    dip any
    proto tcp
    sport any
    dport http
    action redir
    rport http
    group 10
    ena
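The three rules that matter when reading a filter set are spelled out in the last few slides: all fields of a filter are ANDed, the lowest filter number that matches fires and ends processing, and creating an allow filter adds no implicit deny. The evaluator below is an added example, not WebOS code; it encodes filter 10 from the slide above next to two constructed neighbours (an allow for a local subnet and a disabled catch-all deny) and runs constructed packets through them, showing that traffic nobody wrote a filter for is simply forwarded until the explicit deny is enabled.

```python
import ipaddress

# Filter 10 from the slide plus two constructed neighbours; keys follow the /cfg/slb/filt vocabulary.
FILTERS = [
    {"id": 5, "sip": "10.1.1.0/24", "dip": "any", "proto": "any", "sport": "any", "dport": "any",
     "action": "allow", "ena": True},
    {"id": 10, "sip": "any", "dip": "any", "proto": "tcp", "sport": "any", "dport": 80,
     "action": "redir", "rport": 80, "group": 10, "ena": True},
    {"id": 200, "sip": "any", "dip": "any", "proto": "any", "sport": "any", "dport": "any",
     "action": "deny", "ena": False},
]


def field_matches(rule_value, packet_value):
    """'any' is a wildcard; IP fields accept a CIDR prefix; other fields must compare equal."""
    if rule_value == "any":
        return True
    if isinstance(rule_value, str) and "/" in rule_value:
        return ipaddress.ip_address(packet_value) in ipaddress.ip_network(rule_value, strict=False)
    return rule_value == packet_value


def first_firing_filter(packet, filters):
    """Logical AND over all fields; the lowest enabled filter number that matches fires."""
    for rule in sorted(filters, key=lambda r: r["id"]):
        if not rule["ena"]:
            continue
        if all(field_matches(rule[f], packet[f]) for f in ("sip", "dip", "proto", "sport", "dport")):
            return rule
    return None


def disposition(packet, filters):
    """What happens to the packet; with no matching filter it is forwarded (no implicit deny)."""
    rule = first_firing_filter(packet, filters)
    if rule is None:
        return "forwarded (no filter fired)"
    if rule["action"] == "redir":
        return "redirected to group %d port %d by filter %d" % (rule["group"], rule["rport"], rule["id"])
    return "%s by filter %d" % (rule["action"], rule["id"])


def with_explicit_deny(filters):
    """Enable the catch-all deny so anything not allowed or redirected earlier is dropped."""
    return [dict(r, ena=True) if r["action"] == "deny" else r for r in filters]


# Constructed packets.
HTTP = {"sip": "200.20.20.1", "dip": "100.10.10.1", "proto": "tcp", "sport": 2155, "dport": 80}
SSH = {"sip": "200.20.20.1", "dip": "100.10.10.1", "proto": "tcp", "sport": 40000, "dport": 22}
LOCAL = {"sip": "10.1.1.7", "dip": "100.10.10.1", "proto": "tcp", "sport": 40000, "dport": 22}


if __name__ == "__main__":
    for name, pkt in (("HTTP", HTTP), ("SSH", SSH), ("LOCAL", LOCAL)):
        print(name, "|", disposition(pkt, FILTERS), "|", disposition(pkt, with_explicit_deny(FILTERS)))
```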

Firewall Load Balance & VPN LB

Firewall Load Balancing

Firewall Load Balancing


- Eliminates single points of failure in a network
- Allows multiple active firewalls to operate in parallel
- Increases Internet access for internal users

Firewall Load Balancing


- Firewall load balancing and server load balancing can be performed on the same switch
- Highly scalable solution: up to 256 firewalls can be load balanced in an Alteon firewall load balancing sandwich
- Firewall vendor independent

Firewall Load Balancing

Most common designs:
- Directly connected firewalls
- Bucher Box
- Two switch: two VLANs or STP
- Four switch: four VLANs or STP
- Bridging firewalls
- FWLB with multiple DMZs
- FWLB with NAT
- FWLB with SLB/URL SLB

With STP off, VRRP allows for a much quicker failover and is the recommended configuration. See the Complete Firewall Load Balancing Guide for most configurations.

FwLB Traffic Flow

Firewall Load Balancing - Traffic Flow

Dirty side:
- Allow filters for local addresses/subnets/VRRP broadcasts
- Redirection filter for all others
- Enable FWLB on the filter
- Static routes to internal networks and to real servers
- Default route to external networks

Clean side:
- Allow filters for local addresses/subnets/VRRP broadcast (dip 224.0.0.0/24) and the management area
- Redirection filter for all others
- Enable FWLB on the filter
- Static routes to external networks and to real servers
- SLB configuration

Firewall Load Balancing - Traffic Flow

Ingress to site:
- Traffic hits the ingress port (server, filter, client processing)
- The redirection filter fires and hashes on SIP and DIP
- The designated real server is selected; this is merely the corresponding IP interface of the clean switch
- Routed via the configured static route, changing only the DMAC to that of the firewall
- The firewall receives the packet with the original DIP (the VIP) and routes it to the switch for SLB
- Arriving on the clean switch, client processing replaces the VIP with the RIP and sends to the selected real server
- The server processes the request

Firewall Load Balancing - Traffic Flow

Egress from site:
- The server sends the packet back to the client
- Server processing changes the RIP back to the VIP
- The redirection filter fires and hashes on SIP and DIP, still the same pair, just reversed
- The designated real server is selected; this is merely the corresponding IP interface of the dirty switch
- Routed via the configured static route, changing only the DMAC to that of the original firewall
- The firewall receives the packet with the DIP of the client and routes it to the dirty switch, which sends it to the upstream router via the default gateway or a static route
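The ingress and egress walks above depend on one invariant: the hash on SIP and DIP must choose the same firewall in both directions, otherwise the return packet arrives at a firewall with no state for the connection. The model below is an added example, not WebOS code and not Nortel's FWLB implementation: it traces a constructed two-firewall sandwich hop by hop (addresses and MAC labels invented), with the dirty-side "real servers" being the clean switch's interfaces and vice versa, and uses a symmetric SIP/DIP hash in place of the undisclosed WebOS one.

```python
import hashlib

# Constructed sandwich: two firewalls between a dirty-side and a clean-side switch. The real
# servers configured on each side are the opposite switch's IP interfaces, reached via a firewall.
FIREWALLS = [
    {"name": "FW 1", "mac": "FW1-MAC", "dirty_real": "10.4.0.1", "clean_real": "10.2.0.1"},
    {"name": "FW 2", "mac": "FW2-MAC", "dirty_real": "10.5.0.1", "clean_real": "10.3.0.1"},
]
VIP, RIP, RMAC = "100.10.10.1", "192.168.1.1", "R-MAC"


def firewall_for(sip, dip):
    """Hash on SIP and DIP; the key is order-independent so the reverse direction picks the same
    firewall. SHA-256 stands in for the WebOS hash, which the deck does not describe."""
    key = "|".join(sorted([sip, dip]))
    index = int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % len(FIREWALLS)
    return FIREWALLS[index]


def ingress(client_ip):
    """Client -> VIP through the sandwich. Returns (firewall name, list of (hop, header) steps)."""
    fw = firewall_for(client_ip, VIP)
    trace = [("client", {"sip": client_ip, "dip": VIP})]
    # dirty switch: redirection filter fires, real = clean-side interface, static route via the
    # firewall changes only the DMAC; the DIP is still the VIP
    trace.append(("dirty switch -> " + fw["name"],
                  {"sip": client_ip, "dip": VIP, "dmac": fw["mac"], "real": fw["dirty_real"]}))
    # the firewall routes the original DIP (the VIP) to the clean switch
    trace.append((fw["name"] + " -> clean switch", {"sip": client_ip, "dip": VIP}))
    # clean switch: client processing replaces the VIP with the RIP
    trace.append(("clean switch -> server", {"sip": client_ip, "dip": RIP, "dmac": RMAC}))
    return fw["name"], trace


def egress(client_ip):
    """Server -> client. Server processing restores the VIP, then the same hash selects the same firewall."""
    trace = [("server", {"sip": RIP, "dip": client_ip})]
    sip, dip = VIP, client_ip                      # after server processing on the clean switch
    fw = firewall_for(sip, dip)
    trace.append(("clean switch -> " + fw["name"],
                  {"sip": sip, "dip": dip, "dmac": fw["mac"], "real": fw["clean_real"]}))
    trace.append((fw["name"] + " -> dirty switch", {"sip": sip, "dip": dip}))
    trace.append(("dirty switch -> upstream router", {"sip": sip, "dip": dip}))
    return fw["name"], trace


def same_firewall_both_ways(client_ip):
    return ingress(client_ip)[0] == egress(client_ip)[0]


if __name__ == "__main__":
    for hop, header in ingress("200.20.20.1")[1] + egress("200.20.20.1")[1]:
        print("%-32s %s" % (hop, header))
```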

Firewall Load Balancing - Four Switch, Four VLANs, no STP

[Figure: Internet (Net A) -> dirty-side switches (VIRs; M = master, B = backup; Net B and Net C, .1 on each) -> FW 1 and FW 2 -> clean-side switches (VIRs; Net D and Net E, .1 on each) -> SLB servers (Net F).
Dirty side: Group 1, Metric: Hash, Health: ICMP; Real 1 with Backup Real 2; Real 3 with Backup Real 4; Static 1: Net D via Net B.1; Static 2: Net E via Net C.1.
Clean side: Group 1, Metric: Hash, Health: ICMP; Real 1 with Backup Real 2; Real 3 with Backup Real 4; Static 1: Net B via Net D.1; Static 2: Net C via Net E.1.]

Firewall Load Balancing

Common mistakes:
- Real servers incorrectly numbered
- No routes to networks on the switch or firewall
- Firewall policy does not allow health checks through
- Filters not set for local nets
- No dummy filter for HTTP health checks
- Static routes are not consistent with the clean and dirty side reals
- Incorrect VLANs configured on the switch

Virtual Private Network Load Balancing

VPN Load Balancing


- Eliminates single points of failure in a network
- Allows multiple active VPN gateways to operate in parallel
- VPN LB, firewall LB and SLB can be performed on the same switch
- Scalable solution

VPN Load Balancing


- Load balance up to 256 VPN gateways in an Alteon sandwich
- Multiple VPN gateway products supported: Contivity, Checkpoint VPN-1, Netscreen, Intel
- Alteons maintain session state through the VPN gateways by using the hash metric on SIP/DIP
- Uses ICMP health checks

Alteon Troubleshooting

Bootup Issues
- Switch will not boot: check LED patterns; may need to do a serial download
- Switch will boot but generates errors: Kernel Magic Wrong, Bad CRC, Could not read Active/Backup config blocks

Switch Management Issues


- Cannot ping the switch IP interface(s)
- Cannot telnet to the switch IP interface(s)
- Cannot bring up the WebUI
- Switch does not log messages to the syslog host
- Switch does not send SNMP traps

Link Issues
- Check the cable (could be the wrong type or a bad cable)
- Check link negotiation (especially for Gigabit connections)
- Check for port configuration mismatches on either end of the connection (speed/mode/fctl)
- Check /info/link
- Check LED status

Panic/Crash/Hang Issues
- Forcing a panic: /maint/panic, or hitting the <ctrl-shift-6> keys together
- Collecting core dumps: /maint/uudmp (make sure terminal logging is turned ON prior to initiating this)
- Hard reset: /boot/reset hard

Connectivity Problems
Flaky port connections:
- Check port statistics and look for error counters, for example /stats/port <port-number>/ether and /stats/port <port-number>/if/ifInErrors
- Check link on either end (refer to Link Issues)
- Check STP states
- Check LED patterns
- Note changes after disconnecting/connecting the cable and/or resetting the switch

L4 Issues
- Clients cannot access the real server's service port directly: security feature
- Periodic health check failures (L3): check the IP interfaces on both ends
- Periodic health check failures (L4): check that the service is up and running; might need network traces between the Alteon and the real servers
- Periodic health check failures (Content): verify that the requested HTTP object is present on the real server(s)

L4 Issues (contd.)
- Clients cannot contact the VIP: check the port state(s) for client connections; make sure the VIP is enabled; the VIP needs to be well known
- Cannot telnet to the switch: make sure the concerned interface is enabled
- Clients cannot access the services through the VIP when the real server(s) are marked operational: possible condition with L3 health checks, where the service could be down but the server might be up

Layer 2 - Useful CLI Commands


- /info/sys
- /info/link
- /info/dump
- /cfg/dump
- /stats/port <num> <ether/if/link>
- /stats/if <>

Layer 4 - Useful CLI Commands


- /info/slb
- /cfg/slb/cur
- /cfg/dump
- /stats/slb/group <real-server-group-number>
- /stats/slb/real <real-server-number>
- /stats/slb/virt <virtual-server-number>
- /stats/slb/maint
