50 Great Oaks Boulevard
San Jose, California 95119
408-360-5500 Main
408-360-5501 Fax
www.nortelnetworks.com
Web OS Switch Software
10.0 Application Guide
Part Number: 212777, Revision A, February 2002
Web OS 10.0 Application Guide
2
212777-A, February 2002
Copyright 2002 Nortel Networks, Inc., 50 Great Oaks Boulevard, San Jose, California 95119, USA. All
rights reserved. Part Number: 212777, Revision A.
This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and decompilation. No part of this document may be reproduced in any form by any means
without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without
warranty of any kind, either express or implied, including any kind of implied or express warranty of non-
infringement or the implied warranties of merchantability or fitness for a particular purpose.
U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR
2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as
those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this
documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR
12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).
Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without
notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products
described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of
this product does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of Nortel Networks, Inc.
Web OS, Alteon 180, Alteon 180e, Alteon 184, Alteon AD3, Alteon AD4, and ACEswitch are trademarks
of Nortel Networks, Inc. in the United States and certain other countries. Cisco® and EtherChannel® are
registered trademarks of Cisco Systems, Inc. in the United States and certain other countries. Check Point®
and FireWall-1® are trademarks or registered trademarks of Check Point Software Technologies Ltd. Any
other trademarks appearing in this manual are owned by their respective companies.
Contents
Preface 21
Who Should Use This Guide 21
What You'll Find in This Guide 21
Typographic Conventions 23
Contacting Us 24
Part 1: Basic Switching & Routing
Chapter 1: Basic IP Routing 27
IP Routing Benefits 28
Routing Between IP Subnets 28
Example of Subnet Routing 31
Defining IP Address Ranges for the Local Route Cache 35
Border Gateway Protocol (BGP) 36
Internal Routing Versus External Routing 36
Forming BGP Peer Routers 37
BGP Failover Configuration 37
DHCP Relay 41
DHCP Overview 41
DHCP Relay Agent Configuration 42
Chapter 2: VLANs 43
VLAN ID Numbers 44
VLAN Tagging 44
VLANs and the IP Interfaces 45
VLAN Topologies and Design Issues 45
Example 1: Multiple VLANS with Tagging Adapters 46
Example 2: Parallel Links with VLANs 48
VLANs and Spanning Tree Protocol 49
Bridge Protocol Data Units (BPDUs) 50
Multiple Spanning Trees 51
VLANs and Default Gateways 58
Segregating VLAN Traffic 58
Configuring the Local Network 60
Configuring Default Gateways per VLAN 60
VLANs and Jumbo Frames 63
Isolating Jumbo Frame Traffic using VLANs 63
Routing Jumbo Frames to Non-Jumbo Frame VLANs 64
Chapter 3: Port Trunking 65
Overview 65
Statistical Load Distribution 66
Built-In Fault Tolerance 66
Port Trunking Example 67
Chapter 4: OSPF 69
OSPF Overview 69
Types of OSPF Areas 70
Types of OSPF Routing Devices 71
Neighbors and Adjacencies 72
The Link-State Database 72
The Shortest Path First Tree 73
Internal Versus External Routing 73
OSPF Implementation in Web OS 74
Configurable Parameters 74
Defining Areas 75
Interface Cost 77
Electing the Designated Router and Backup 77
Summarizing Routes 77
Default Routes 78
Virtual Links 79
Router ID 80
Authentication 80
Host Routes for Load Balancing 82
OSPF Features Not Supported in This Release 82
OSPF Configuration Examples 83
Example 1: Simple OSPF Domain 84
Example 2: Virtual Links 86
Example 3: Summarizing Routes 90
Example 4: Host Routes 92
Verifying OSPF Configuration 98
Chapter 5: Secure Switch Management 99
Setting Allowable Source IP Address Ranges 100
Secure Switch Management 101
Authentication and Authorization 101
Requirements 102
RADIUS Authentication and Authorization 103
RADIUS Authentication Features in Web OS 104
Web Switch User Accounts 105
Secure Shell and Secure Copy 107
Encryption of Management Messages 108
SCP Services 108
RSA Host and Server Keys 109
Radius Authentication 110
SecurID Support 110
Port Mirroring 113
Part 2: Web Switching Fundamentals
Chapter 6: Server Load Balancing 117
Understanding Server Load Balancing 118
Identifying Your Network Needs 118
How Server Load Balancing Works 119
Implementing Basic Server Load Balancing 121
Network Topology Requirements 122
Configuring Server Load Balancing 124
Additional Server Load Balancing Options 128
Extending SLB Topologies 136
Proxy IP Addresses 136
Mapping Ports 139
Direct Server Interaction 142
Delayed Binding 146
Load Balancing Special Services 149
IP Server Load Balancing 149
FTP Server Load Balancing 150
Domain Name Server (DNS) Load Balancing 151
Real Time Streaming Protocol SLB 155
Wireless Application Protocol SLB 158
Intrusion Detection System Server Load Balancing 163
WAN Link Load Balancing 166
Chapter 7: Filtering 169
Overview 170
Filtering Benefits 170
Filtering Criteria 170
Stacking Filters 172
Overlapping Filters 172
The Default Filter 173
VLAN-based Filtering 174
Optimizing Filter Performance 176
Filter Logs 176
IP Address Ranges 178
Cache-Enabled versus Cache-Disabled Filters 178
TCP Rate Limiting 179
Configuring TCP Rate Limiting Filters 180
Tunable Hash for Filter Redirection 184
Filter-based Security 185
Network Address Translation 191
Static NAT 191
Dynamic NAT 193
FTP Client NAT 195
Matching TCP Flags 197
Matching ICMP Message Types 201
Chapter 8: Application Redirection 203
Overview 204
Web Cache Redirection Environment 204
Additional Application Redirection Options 205
RTSP Web Cache Redirection 211
IP Proxy Addresses for NAT 213
Excluding Noncacheable Sites 215
Chapter 9: Virtual Matrix Architecture 217
Chapter 10: Health Checking 219
Real Server Health Checks 221
DSR Health Checks 222
Link Health Checks 223
Configuring the Switch for Link Health Checks 223
TCP Health Checks 224
ICMP Health Checks 224
Script-Based Health Checks 225
Configuring the Switch for Script-Based Health Checks 225
Script Format 226
Scripting Guidelines 227
Script Configuration Examples 227
Application-Specific Health Checks 230
HTTP Health Checks 231
UDP-Based DNS Health Checks 233
FTP Server Health Checks 234
POP3 Server Health Checks 235
SMTP Server Health Checks 236
IMAP Server Health Checks 237
NNTP Server Health Checks 238
RADIUS Server Health Checks 239
HTTPS/SSL Server Health Checks 240
WAP Gateway Health Checks 240
LDAP Health Checks 243
ARP Health Checks 245
Failure Types 246
Service Failure 246
Server Failure 246
Chapter 11: High Availability 247
VRRP Overview 248
VRRP Components 248
VRRP Operation 251
Selecting the Master VRRP Router 251
Active-Standby Failover 252
Failover Methods 253
Active-Standby Redundancy 254
Active-Active Redundancy 255
Hot-Standby Redundancy 256
Synchronizing Configurations 258
Web OS Extensions to VRRP 259
Virtual Server Routers 259
Sharing/Active-Active Failover 260
Tracking VRRP Router Priority 261
High Availability Configurations 263
Active-Standby Virtual Server Router Configuration 263
Active-Active VIR and VSR Configuration 265
Active/Active Server Load Balancing Configuration 267
VRRP-Based Hot-Standby Configuration 275
Virtual Router Deployment Considerations 277
Mixing Active-Standby and Active-Active Virtual Routers 277
Synchronizing Active/Active Failover 277
Eliminating Loops with STP and VLANs 278
Assigning VRRP Virtual Router ID 280
Configuring the Switch for Tracking 280
Synchronizing Configurations 282
Stateful Failover of Layer 4 and Layer 7 Persistent Sessions 283
What Happens When a Switch Fails 284
Viewing Statistics on Persistent Port Sessions 286
Part 3: Advanced Web Switching
Chapter 12: Global Server Load Balancing 289
GSLB Overview 290
Benefits 290
Compatibility with Other Web OS Features 290
How GSLB Works 291
Configuring GSLB 293
IP Proxy for Non-HTTP Redirects 304
How IP Proxy Works 305
Configuring Proxy IP Addresses 307
Verifying GSLB Operation 308
Configuring Client Site Preferences 308
Using Border Gateway Protocol for GSLB 312
Chapter 13: Firewall Load Balancing 313
Firewall Overview 314
Basic FWLB 316
Basic FWLB Implementation 317
Configuring Basic FWLB 319
Four-Subnet FWLB 326
Four-Subnet FWLB Implementation 327
Configuring Four-Subnet FWLB 329
Advanced FWLB Concepts 346
Free-Metric FWLB 346
Adding a Demilitarized Zone (DMZ) 349
Firewall Health Checks 351
Chapter 14: Virtual Private Network Load Balancing 353
Overview 354
Virtual Private Networks 354
How VPN Load Balancing Works 354
VPN Load-Balancing Configuration 356
Requirements 356
VPN Load-Balancing Configuration Example 356
Chapter 15: Content Intelligent Switching 371
Overview 372
Parsing Content 373
HTTP Header Inspection 374
Buffering Content with Multiple Frames 374
Content Intelligent Server Load Balancing 375
URL-Based Server Load Balancing 375
Virtual Hosting 380
Cookie-Based Preferential Load Balancing 383
Browser-Smart Load Balancing 386
URL Hashing for Server Load Balancing 387
Header Hash Load Balancing 389
DNS Load Balancing 390
Layer 7 RTSP Load Balancing 392
Content Intelligent Web Cache Redirection 394
URL-Based Web Cache Redirection 395
HTTP Header-Based Web Cache Redirection 403
Browser-Based Web Cache Redirection 405
URL Hashing for Web Cache Redirection 406
Layer 7 RTSP Streaming Cache Redirection 409
Exclusionary String Matching for Real Servers 410
Configuring for Exclusionary URL String Matching 410
Regular Expression Matching 412
Standard Regular Expression Characters 412
Configuring Regular Expressions 413
Content Precedence Lookup 414
Requirements 415
Using the or and and Operators 415
Assigning Multiple Strings 416
Layer 7 Deny Filter 417
Chapter 16: Persistence 421
Overview of Persistence 422
Using Source IP Address 422
Using Cookies 423
Using SSL Session ID 423
Cookie-Based Persistence 424
Permanent and Temporary Cookies 425
Cookie Formats 425
Cookie Properties 426
Client Browsers that Do Not Accept Cookies 426
Cookie Modes of Operation 427
Configuring Cookie-Based Persistence 430
Server-Side Multi-Response Cookie Search 436
SSL Session ID-Based Persistence 437
How SSL Session ID-Based Persistence Works 437
Chapter 17: Bandwidth Management 441
Overview 442
Bandwidth Policies 444
Rate Limits 445
Bandwidth Policy Configuration 445
Data Pacing 446
Classification Criteria 447
Server Output Bandwidth Control 447
Application Bandwidth Control 447
Combinations 448
Precedence 448
Bandwidth Classification Configuration 448
Frame Discard 449
URL-Based Bandwidth Management 449
HTTP Header-Based Bandwidth Management 451
Cookie-Based Bandwidth Management 451
Bandwidth Statistics and History 452
Statistics Maintained 452
Statistics and Management Information Bases 452
Packet Coloring (TOS bits) for Burst Limit 453
Operational Keys 453
Configuring Bandwidth Management 454
Additional Configuration Examples 457
Preferential Services Examples 460
Glossary 471
Index 475
Figures
Figure 1-1: The Router Legacy Network 29
Figure 1-2: Switch-Based Routing Topology 30
Figure 1-3: iBGP and eBGP 37
Figure 1-4: BGP Failover Configuration Example 38
Figure 1-5: DHCP Relay Agent Configuration 42
Figure 2-1: Example 1: Multiple VLANs with Tagging Gigabit Adapters 46
Figure 2-2: Example 2: Parallel Links with VLANs 48
Figure 2-3: Using Multiple Instances of Spanning Tree Protocol 51
Figure 2-4: VLAN 3 Isolated in a Single Spanning Tree Group 52
Figure 2-5: Implementing Multiple Spanning Tree Groups 53
Figure 2-6: Default Gateways per VLAN 58
Figure 2-7: Jumbo Frame VLANs 64
Figure 3-1: Port Trunk Group 65
Figure 3-2: Port Trunk Group Configuration Example 67
Figure 4-1: OSPF Area Types 70
Figure 4-2: OSPF Domain and an Autonomous System 71
Figure 4-3: Injecting Default Routes 78
Figure 4-4: OSPF Authentication 80
Figure 4-5: A Simple OSPF Domain 84
Figure 4-6: Configuring a Virtual Link 86
Figure 4-7: Summarizing Routes 90
Figure 4-8: Configuring OSPF Host Routes 92
Figure 5-1: Authentication and Authorization: How It Works 103
Figure 5-2: Monitoring Ports 113
Figure 6-1: Traditional Versus SLB Network Configurations 119
Figure 6-2: Web Hosting Configuration Without SLB 121
Figure 6-3: Web Hosting with SLB Solutions 121
Figure 6-4: SLB Client/Server Traffic Routing 122
Figure 6-5: Example Network for Client/Server Port Configuration 123
Figure 6-6: Basic Virtual Port to Real Port Mapping Configuration 140
Figure 6-7: Direct Server Return 143
Figure 6-8: Mapped and Nonmapped Server Access 144
Figure 6-9: DoS SYN Attacks without Delayed Binding 146
Figure 6-10: Repelling DoS SYN Attacks With Delayed Binding 147
Figure 6-11: Layer 4 DNS Load Balancing 151
Figure 7-1: Assigning Filters According to Range of Coverage 172
Figure 7-2: Assigning Filters to Overlapping Ranges 172
Figure 7-3: Assigning a Default Filter 173
Figure 7-4: VLAN-based Filtering 174
Figure 7-5: Configuring Clients with Different Rates 180
Figure 7-6: Limiting User Access to Server 183
Figure 7-7: Security Topology Example 185
Figure 7-8: Static Network Address Translation 192
Figure 7-9: Dynamic Network Address Translation 193
Figure 7-10: Active FTP for Dynamic NAT 195
Figure 7-11: TCP ACK Matching Network 197
Figure 8-1: Traditional Network Without Web Cache Redirection 204
Figure 8-2: Network with Web Cache Redirection 205
Figure 11-1: Example 1: VRRP Router 250
Figure 11-2: Example 2: VRRP Router 252
Figure 11-3: A Non-VRRP, Hot-Standby Configuration 253
Figure 11-4: Active-Standby Redundancy 254
Figure 11-5: Active-Active Redundancy 255
Figure 11-6: Hot-Standby Redundancy 256
Figure 11-7: Active-Active High Availability 260
Figure 11-8: Active-Standby High-Availability Configuration 263
Figure 11-9: Active-Active High-Availability Configuration 265
Figure 11-10: Hot-Standby Configuration 275
Figure 11-11: Loops in Active-Active Configuration 278
Figure 11-12: Cross-Redundancy Creates Loops, But STP Resolves Them 279
Figure 11-13: Using VLANs to Create Non-Looping Topologies 279
Figure 11-14: Stateful Failover Example when the Master Switch Fails 284
Figure 12-1: DNS Resolution with Global Server Load Balancing 291
Figure 12-2: GSLB Topology Example 294
Figure 12-3: HTTP and Non-HTTP Redirects 304
Figure 12-4: POP3 Request Fulfilled via IP Proxy 305
Figure 12-5: GSLB Proximity Tables: How They Work 309
Figure 12-6: Configuring Client Proximity Table 310
Figure 13-1: Typical Firewall Configuration Before FWLB 314
Figure 13-2: Basic FWLB Topology 316
Figure 13-3: Basic FWLB Process 317
Figure 13-4: Basic FWLB Example Network 319
Figure 13-5: Four-Subnet FWLB Topology 326
Figure 13-6: Four-Subnet FWLB Process 327
Figure 13-7: Four-Subnet FWLB Example Network 329
Figure 13-8: Basic FWLB Example Network 346
Figure 13-9: Four-Subnet FWLB Example Network 347
Figure 13-10: Typical Firewall Load-Balancing Topology with DMZ 349
Figure 14-1: Basic Network Frame Flow and Operation 355
Figure 14-2: VPN Load-Balancing Configuration Example 356
Figure 14-3: Checkpoint Rules for Both VPN Devices as Seen in the Policy Editor 368
Figure 15-1: Content Intelligent Load Balancing Example 372
Figure 15-2: URL-Based Server Load Balancing 376
Figure 15-3: Balancing Nontransparent Caches 387
Figure 15-4: Load Balancing DNS Queries 390
Figure 15-5: URL-Based Web Cache Redirection 396
Figure 15-6: URL Hashing for WCR 408
Figure 15-7: Content Precedence Lookup Protectors Example 415
Figure 15-8: Content Precedence Lookup Multiple Strings Example 416
Figure 15-9: Configuring Layer 7 Deny Filter 417
Figure 16-1: Cookie-Based Persistence: How It Works 424
Figure 16-2: Insert Cookie Mode 427
Figure 16-3: Passive Cookie Mode 428
Figure 16-4: Rewrite Cookie Mode 429
Figure 16-5: SSL Session ID-Based Persistence 438
Figure 17-1: Bandwidth Management: How It Works 442
Figure 17-2: Bandwidth Rate Limits 444
Figure 17-3: Virtual Clocks and TDT 446
Figure 17-4: URL-Based Bandwidth Management 450
Figure 17-5: URL-Based Bandwidth Management with Web Cache Redirection 450
Figure 17-6: Cookie-Based Bandwidth Management 451
Figure 17-7: Cookie-Based Preferential Services 467
Tables
Table 1-1: Subnet Routing Example: IP Address Assignments 31
Table 1-2: Subnet Routing Example: IP Interface Assignments 31
Table 1-3: Subnet Routing Example: Optional VLAN Ports 33
Table 1-4: Local Routing Cache Address Ranges 35
Table 2-1: Ports, Trunk Groups, and VLANs 49
Table 2-2: Multiple Spanning Tree Groups per VLAN 54
Table 2-3: Route Cache Example 59
Table 5-1: User Access Levels 105
Table 5-2: Web OS Alteon Levels 106
Table 6-1: Web Host Example: Real Server IP Addresses 124
Table 6-2: Web Host Example: Port Usage 126
Table 6-3: Well-Known Application Ports 128
Table 6-4: Proxy Example: Port Usage 137
Table 7-1: Well-Known Protocol Types 171
Table 7-2: Well-Known Application Ports 171
Table 7-3: Filtering IP Address Ranges 178
Table 7-4: Web Cache Example: Real Server IP Addresses 186
Table 7-5: TCP Flags 197
Table 7-6: ICMP Message Types 201
Table 8-1: Web Cache Example: Real Server IP Addresses 206
Table 11-1: Active Standby Configuration 252
Table 11-2: Sharing Active-Active Failover 260
Table 11-3: VRRP Tracking Parameters 261
Table 12-1: GSLB Example: California Real Server IP Addresses 296
Table 12-2: GSLB Example: California Alteon 180 Port Usage 297
Table 12-3: Denver Real Server IP Addresses 300
Table 12-4: Web Host Example: Alteon 180 Port Usage 301
Table 12-5: HTTP Versus Non-HTTP Redirects 305
Table 15-1: Standard Regular Expression Special Characters 412
Table 15-2: Real Server Content 416
Table 16-1: Comparison Among the Three Cookie Modes 427
Table 17-1: Bandwidth Rate Limits 445
Table 17-2: Bandwidth Policy Limits 445
New Features
The following table lists the new features in Web OS 10.0 and the supported platforms:
Feature                                                                       Alteon Web Switches
                                                                              AD3/180e   AD4/184
------------------------------------------------------------------------------------------------
Vlan-based default gateway                                                    No         Yes
Vlan Filtering                                                                No         Yes
Multiple Instances of Spanning Tree                                           Yes        Yes
Layer 7 deny filter                                                           Yes        Yes
Increase real server support to 1024                                          No         Yes
SYN Attack Detection/Protection                                               Yes        Yes
Enhanced Port Mirroring                                                       Yes        Yes
Reporting Classification Manager: SYSLOG and SNMP                             No         Yes
Reporting Classification Manager: Ability to filter SYSLOG based on severity  No         Yes
Reporting Classification Manager: SNMP traps defined for VRRP state changes   No         Yes
Reporting Classification Manager: SNMP traps defined for failed login         No         Yes
Selectable Hash Parameters                                                    Yes        Yes
Layer 4 DNS Load Balancing (UDP and TCP ports)                                Yes        Yes
L7 DNS Load Balancing                                                         Yes        Yes
Enhanced DNS Health Check                                                     Yes        Yes
TCP Rate Limiting                                                             Yes        Yes
Hash on any HTTP header                                                       Yes        Yes
Increase support of 16 rport to vport                                         No         Yes
Increased number of scripted health check to 16                               No         Yes
Descriptive names for filters                                                 Yes        Yes
OSPF                                                                          No         Yes
LDAP health check                                                             Yes        Yes
Streaming Cache Redirection                                                   Yes        Yes
L7 Parsing of RTSP SLB                                                        Yes        Yes
ARP health check                                                              Yes        Yes
Telnet client                                                                 Yes        Yes
Increase logging buffer                                                       Yes        Yes
Support of OPER command on Web OS BBI and SNMP                                No         Yes
Enhanced Web OS Browser-based Interface support                               No         Yes
Configurable prompt name                                                      Yes        Yes
Bandwidth management                                                          No         Yes