ServerIronXL L4-7 Software Configuration Guide

2100 Gold Street
P.O. Box 649100
San Jose, CA 95164-9100
Tel 408.586.1700
Fax 408.586.1900

Publication date: 4/8/05

Copyright © 2004 Foundry Networks, Inc. All rights reserved.

No part of this work may be reproduced in any form or by any means – graphic, electronic or mechanical, including photocopying, recording, taping or storage in an information retrieval system – without prior written permission of the copyright owner.

The trademarks, logos and service marks ("Marks") displayed herein are the property of Foundry or other third parties. You are not permitted to use these Marks without the prior written consent of Foundry or such appropriate third party.

Foundry Networks, BigIron, FastIron, IronView, JetCore, NetIron, ServerIron, TurboIron, IronWare, EdgeIron, the Iron family of marks and the Foundry Logo are trademarks or registered trademarks of Foundry Networks, Inc. in the United States and other countries.

F-Secure is a trademark of F-Secure Corporation. All other trademarks mentioned in this document are the property of their respective owners.

February 2005 © 2005 Foundry Networks, Inc.

Contents

CHAPTER 1 PREFACE .... 1-1
PURPOSE .... 1-1
SCOPE .... 1-1
AUDIENCE .... 1-1
CONVENTIONS USED IN THIS GUIDE .... 1-1
RELATED PUBLICATIONS .... 1-2
GETTING HELP .... 1-2
WEB ACCESS .... 1-2
EMAIL ACCESS .... 1-2
TELEPHONE ACCESS .... 1-2
WARRANTY COVERAGE .... 1-2

CHAPTER 2 NEW FEATURES AND ENHANCEMENTS .... 2-1
RELEASE 07.3.05 .... 2-1
RELEASE 07.3.06 .... 2-2
RELEASE 07.3.07 .... 2-2
RELEASE 07.4.00 .... 2-3
RELEASE 07.4.01 .... 2-5

CHAPTER 3 SERVER LOAD BALANCING .... 3-1
SLB OVERVIEW .... 3-1
VALUE OF SLB .... 3-2
HOW SLB WORKS .... 3-2
LOAD-BALANCING PREDICTOR .... 3-2
CONFIGURABLE APPLICATION GROUPING .... 3-4
UNLIMITED VIPS .... 3-6
GEOGRAPHICALLY-DISTRIBUTED SERVERS .... 3-6
GLOBAL SERVER LOAD BALANCING .... 3-6
SYMMETRIC SERVER LOAD BALANCING .... 3-6
DSR .... 3-8
MANY-TO-ONE TCP/UDP PORT BINDING .... 3-9
HTTP REDIRECT .... 3-9
TRANSPARENT VIP AND STATELESS APPLICATION PORTS .... 3-9
MULTINETTING USING NAT .... 3-9
CONFIGURATION GUIDELINES .... 3-11
BASIC CONFIGURATION EXAMPLE .... 3-12
DEFINING THE REAL SERVERS AND ADDING THE APPLICATION PORTS .... 3-13
VIRTUAL-NAME-OR-IP .... 3-14
BINDING VIRTUAL AND REAL SERVERS .... 3-14
GLOBAL SLB SETTINGS .... 3-14
SLB-OPTIMIZE .... 3-15
PREDICTOR .... 3-15
ROUTER-PORTS .... 3-15
TCP SYN LIMIT .... 3-16
ICMP-MESSAGE .... 3-16
SENDING A TCP RST OR ICMP UNREACHABLE MESSAGE TO A CLIENT .... 3-16
TCP-AGE RESET .... 3-17
SERVER SOURCE-IP .... 3-17
L7-DONT-USE-GATEWAY-MAC .... 3-19
SOURCE-NAT .... 3-19
REVERSE-NAT .... 3-19
FORCE-DELETE .... 3-20
STICKY-AGE .... 3-22
ALLOW-STICKY .... 3-22
TRANSPARENT-VIP .... 3-23
REAL SERVER SETTINGS .... 3-24
IP-ADDRESS .... 3-24
DESCRIPTION .... 3-24
LOCATION .... 3-24
PRIMARY AND BACKUP SERVERS .... 3-25
APPLICATION PORTS .... 3-28
HOST-RANGE .... 3-28
MAX-CONN .... 3-32
LAYER 3 HEALTH CHECK .... 3-33
SOURCE-NAT .... 3-33
WEIGHT .... 3-34
REAL SERVER PORTS .... 3-35
PORT STATE .... 3-35
PORT UNBIND-ALL .... 3-36
PORT KEEPALIVE .... 3-36
MAX-CON-RATE .... 3-37
LAYER 7 HEALTH CHECK PARAMETERS .... 3-38
VIP SETTINGS .... 3-38
APPLICATION PORTS AND BINDINGS .... 3-38
PRIMARY AND BACKUP SERVERS .... 3-38
HOST-RANGE .... 3-39
HTTP REDIRECT .... 3-39
PREDICTOR: VIRTUAL SERVER SPECIFIC CONFIGURATION .... 3-40
SYMMETRIC SLB PRIORITY .... 3-40
TRACK .... 3-40
TRACK-GROUP .... 3-41
TRACK-GROUP-UNBIND-WAIT-ALL .... 3-42
NORMAL UDP AGING FOR DNS AND RADIUS .... 3-42
TRANSPARENT VIP .... 3-42
TCP AND UDP AGES FOR VIPS .... 3-42
VIRTUAL SERVER PORTS .... 3-44
PORT DISABLE .... 3-44
GLOBALLY DISABLE REAL AND VIRTUAL .... 3-44
PORT STICKY .... 3-44
CONCURRENT .... 3-45
SMOOTH FACTOR .... 3-45
STATELESS .... 3-46
VIRTUAL SOURCE .... 3-47
TRANSLATION .... 3-47
HEALTH CHECK OF MULTIPLE WEB SITES ON THE SAME REAL SERVER .... 3-48
SSL ACCELERATORS .... 3-48
OVERVIEW .... 3-48
SLB CONFIGURATION .... 3-49
TCS CONFIGURATION .... 3-49
REAL SERVER SHUTDOWN .... 3-50
POLICY-BASED ROUTING FOR REVERSE SLB TRAFFIC .... 3-50
DSR .... 3-51
OVERVIEW .... 3-51
REMOTE FAILOVER SERVERS FOR DSR .... 3-53
HEALTH CHECKS WITH DSR .... 3-53
DSR CONFIGURATION EXAMPLE .... 3-53
COMMAND SUPPORT .... 3-54
SHOW COMMANDS .... 3-60
SHOW SERVER GLOBAL .... 3-60
SHOW SERVER REAL .... 3-64
SHOW SERVER VIRTUAL .... 3-68
SHOW SERVER BIND .... 3-75
SHOW SERVER SESSION .... 3-76
SHOW SERVER TRAFFIC .... 3-77
CLEAR SERVER SESSION .... 3-80
CLEAR SERVER TOT-CONN .... 3-81
SLB CONFIGURATION EXAMPLES .... 3-82
WEB HOSTING WITH ONE VIRTUAL SERVER MAPPED TO MULTIPLE REAL SERVERS .... 3-82
WEB HOSTING WITH MULTIPLE VIRTUAL SERVERS MAPPED TO ONE REAL SERVER .... 3-82
MANY-TO-ONE TCP/UDP PORT BINDING .... 3-83
WEB HOSTING WITH UNLIMITED VIRTUAL IP ADDRESSES .... 3-86
SLB INTRANET CONFIGURATION WITH HTTP, TELNET HOSTING ACROSS MULTIPLE VIRTUAL SERVERS AND MULTIPLE REAL SERVERS .... 3-89
TCP/UDP APPLICATION GROUPS .... 3-89
WEB HOSTING WITH SI AND REAL SERVERS IN DIFFERENT SUB-NETS .... 3-91
WEB HOSTING WITH GEOGRAPHICALLY-DISTRIBUTED SERVERS .... 3-93
USING HTTP REDIRECT WITH GEOGRAPHICALLY-DISTRIBUTED SERVERS .... 3-96
LOAD BALANCING STREAMING MEDIA FILES .... 3-101

CHAPTER 4 STATELESS SLB .... 4-1
INTRODUCTION .... 4-1
STATELESS TCP/UDP PORTS .... 4-1
HOW THE SI SELECTS A REAL SERVER FOR A STATELESS PORT .... 4-2
CONFIGURING A STATELESS APPLICATION PORT .... 4-2
STATELESS HEALTH CHECKING .... 4-3
CONFIGURING STATELESS HEALTH CHECKS .... 4-4

CHAPTER 5 HEALTH CHECKS .... 5-1
HEALTH CHECKS OVERVIEW .... 5-1
APPLICATION PORTS .... 5-1
LAYER 3 HEALTH CHECKS .... 5-2
LAYER 4 HEALTH CHECKS .... 5-2
LAYER 7 HEALTH CHECKS .... 5-4
HEALTH CHECKING FOR REAL SERVERS IN OTHER SUB-NETS .... 5-11
FASTCACHE .... 5-12
SERVER AND APPLICATION PORT STATES .... 5-12
SERVER STATES .... 5-12
APPLICATION PORT STATES .... 5-13
BEST PATH TO A REMOTE SERVER .... 5-15
REASSIGN THRESHOLD .... 5-16
PING-INTERVAL, PING-RETRIES .... 5-17
L3-HEALTH-CHECK .... 5-17
LAYER 3 HEALTH CHECK FOR REAL SERVERS .... 5-17
NO-REAL-L3-CHECK .... 5-18
NO-REMOTE-L3-CHECK .... 5-18
NO-L3-CHECK .... 5-18
L4-CHECK .... 5-18
PORT PROFILES .... 5-18
REASSIGN THRESHOLD .... 5-26
SSL HEALTH CHECKS .... 5-27
ERROR MESSAGES .... 5-28
LAYER 4 UDP KEEPALIVE HEALTH CHECKS FOR THE DNS PORT .... 5-28
LAYER 7 HEALTH CHECKS .... 5-29
HEALTH CHECK OF MULTIPLE WEB SITES ON THE SAME REAL SERVER .... 5-36
LAYER 7 HEALTH CHECK FOR AN UNKNOWN PORT .... 5-37
BOOLEAN HEALTH-CHECK POLICIES .... 5-38
BOOLEAN HEALTH-CHECK POLICIES .... 5-47
SHOW HEALTHCK .... 5-51
SHOW HEALTHCK STATISTICS .... 5-53
CLEAR HEALTHCK STATISTICS .... 5-53
PORT STATUS THE SYSLOG .... 5-53
SESSION TABLES .... 5-53
SESSION-LIMIT .... 5-54
SESSION-MAX-IDLE .... 5-54
TCP-AGE .... 5-56
UDP-AGE .... 5-57
CLOCK-SCALE .... 5-57
SYSLOG FOR SESSION TABLE ENTRIES .... 5-57
SLOW-START MECHANISM .... 5-59
OVERVIEW .... 5-59
PORT SLOW-START MECHANISM .... 5-61
NO-SLOW-START .... 5-65
LDAP OVER SSL .... 5-66
OVERVIEW .... 5-66
EXAMPLE .... 5-66

CHAPTER 6 LAYER 7 SWITCHING .... 6-1
LAYER 7 SWITCHING OVERVIEW .... 6-1
URL SWITCHING .... 6-2
OVERVIEW .... 6-2
BASIC URL SWITCHING EXAMPLE .... 6-2
URL SWITCHING EXAMPLE FOR TWO WEB SITES USING ONE VIP .... 6-7
DIRECTING HTTP REQUESTS TO SPECIFIC TCP PORTS .... 6-10
COOKIE SWITCHING .... 6-12
REAL SERVER SETUP .... 6-14
COOKIE CONFIGURATION .... 6-14
VIRTUAL SERVER SETUP .... 6-15
COOKIE INSERTION .... 6-15
CONCURRENT URL SWITCHING AND COOKIE SWITCHING .... 6-21
URL SWITCHING POLICIES .... 6-23
SERVER GROUPS AND SERVER IDS .... 6-23
CONFIGURING THE SERVER TO SET A COOKIE .... 6-24
VIRTUAL SERVER SETUP .... 6-24
HTTP HEADER HASHING .... 6-25
COOKIE HASHING .... 6-25
SELECTIVE COOKIE HASHING .... 6-27
URL STRING HASHING .... 6-28
HOST ID WITH URL STRING HASHING .... 6-29
URL SEGMENT HASHING .... 6-29
SHOW SERVER HASH .... 6-31
SSL SESSION ID SWITCHING .... 6-32
INTRODUCTION .... 6-32
SSL SESSION ID SWITCHING .... 6-32
REAL SERVERS FOR SSL .... 6-34
VIRTUAL SERVERS FOR SSL SESSION ID SWITCHING .... 6-34
SESSION-ID-AGE .... 6-35
MAX-SSL-SESSION-ID .... 6-35
SHOW COMMANDS .... 6-35
SHOW POLICY-MAP .... 6-35
SHOW SERVER PROXY .... 6-36
MAX-URL-SWITCH .... 6-37
HTTP 1.1 FOR CONNECTIONS TO REAL SERVERS .... 6-38
HTTP REQUEST DROPS .... 6-38
L7 CONTENT BUFFERING OPTIONS .... 6-39
TCP WINDOW SIZE .... 6-39
PREVENTING THE SI FROM SENDING AN ACK TO THE CLIENT .... 6-39
HTTP-REDIRECT-1.0 .... 6-39
L7-HASHING BUCKET-REASSIGN .... 6-40
HTTP STATUS CODES .... 6-40

CHAPTER 7 LINK LOAD BALANCING .... 7-1
OVERVIEW OF LLB .... 7-1
OUTBOUND LLB .... 7-2
INBOUND LLB .... 7-3
HOW THE SI SELECTS THE BEST ISP LINK FOR LLB .... 7-4
USING LLB IN HIGH-AVAILABILITY CONFIGURATIONS .... 7-5
CONFIGURING BACKUP LINKS .... 7-6
GRACEFUL LINK SHUTDOWN .... 7-6
IP FORWARDING .... 7-6
DEFAULT GATEWAY .... 7-6
LINK HEALTH CHECKS .... 7-6
LINK PROPERTIES
.......................................................................................................................................7-7 DEFINING A LINK ..................................................................................................................................7-7 HEALTH CHECK WITH A LINK .................................................................................................................7-7 NEXT-HOP MAC ADDRESS AND VLAN ID FOR THE LINK .......................................................................7-7 LINK WEIGHT .......................................................................................................................................7-8 BANDWIDTH THRESHOLD FOR A LINK ....................................................................................................7-8 BACKUP LINK SETUP ............................................................................................................................7-8 LINK PRICING PARAMETERS ..................................................................................................................7-8 February 2005 © 2005 Foundry Networks, Inc. 
ix PREDICTOR ................................................................................................................................................7-9 PROXIMITY SETTINGS .................................................................................................................................7-9 BINDING A LINK TO A VIRTUAL ROUTING INTERFACE ...................................................................................7-10 OUTBOUND LLB .......................................................................................................................................7-10 INBOUND LLB ...........................................................................................................................................7-11 DNS ZONE AND HOST APPLICATIONS .................................................................................................7-11 REAL SERVER AND VIRTUAL SERVER FOR THE DNS SERVER ..............................................................7-11 VIRTUAL SERVERS FOR THE LINKS ......................................................................................................7-12 DISPLAYING LLB INFORMATION .................................................................................................................7-12 LINK INFORMATION .............................................................................................................................7-12 PROXIMITY INFORMATION ...................................................................................................................7-13 SYSLOG MESSAGE .............................................................................................................................7-14 LINK GROUPS FOR OUTBOUND LLB ..........................................................................................................7-15 LINK GROUP NAME 
............................................................................................................................7-15 PRIMARY MEMBER LINKS FOR THE LINK GROUP ..................................................................................7-15 BACKUP MEMBER LINKS FOR THE LINK GROUP ...................................................................................7-15 ASSOCIATING AN ACL WITH THE LINK GROUP .....................................................................................7-16 METRIC FOR THE LINK GROUP ............................................................................................................7-16 DISABLING A LINK GROUP ..................................................................................................................7-16 DEFAULT LINK GROUP ........................................................................................................................7-16 DISPLAYING LINK GROUP INFORMATION ..............................................................................................7-17 CLIENT SOURCE IP PERSISTENCE .............................................................................................................7-18 ENABLING SOURCE IP PERSISTENCE ..................................................................................................7-18 PERSISTENCE LENGTH .......................................................................................................................7-19 PERSISTENCE REFRESHING, DISABLING ..............................................................................................7-19 DISPLAYING INFORMATION ABOUT SOURCE IP PERSISTENCE ...............................................................7-19 INTERNAL AND EXTERNAL PORTS FOR ACTIVE-STANDBY OUTBOUND LLB ..................................................7-21 NEW METHODS FOR INBOUND LLB ...........................................................................................................7-22 
DNS OVERRIDE .................................................................................................................................7-22 DNS CACHE PROXY ..........................................................................................................................7-23 DNS OVERRIDE WITH DNS CACHE PROXY .........................................................................................7-23 TTL FOR RECORDS IN THE DNS REPLY ..............................................................................................7-24 DISPLAYING POLICY SETTINGS ...........................................................................................................7-24 DISPLAYING INBOUND LLB ZONE AND HOST NAME INFORMATION ........................................................7-24 DISPLAYING STATISTICS FOR THE DNS CACHE PROXY FEATURE .........................................................7-25 CLEARING DNS SELECTION COUNTERS ..............................................................................................7-25 CLEARING STATISTICS FOR THE DNS CACHE PROXY FEATURE ...........................................................7-26 SAMPLE LLB CONFIGURATIONS ................................................................................................................7-26 ServerIron L4-7 Software Configuration Guide x © 2005 Foundry Networks, Inc. February 2005 CHAPTER 8 HIGH AVAILABILITY..................................................................................... 8-1 INTRODUCTION ...........................................................................................................................................8-1 HOT STANDBY uploads/Litterature/ xlconfig-guide.pdf
