Terminology
Deciphering Codenames
Project has had several codenames, which you may see in slides and software output. The names:
- Itasca: Cat6k hardware platform.
- Trinity: Software running on Itasca hardware.
- Nagog: Original name for the appliance box (note: there are 3 new codenames to cover this!).
- ACE: The actual product name.
CA Training
This module covers the hardware components of the Application Control Engine (ACE). To understand how the ACE device processes traffic, it is essential to understand the hardware architecture chosen to implement ACE. By understanding the hardware, the user can better follow packet flows through ACE.
Agenda
- Hardware Architecture
- IXP Architecture
- Data Plane Architecture
  - Micro Engine (ME) usage
  - Xscale usage
Hardware Architecture
- The same hardware supports 4G, 8G, and 16G.
- Functionally, ACE is a superset of: CSM + SSLM + Basic FW.
2006 Cisco Systems, Inc. All rights reserved.
Hardware block diagram (field upgradeable): Supervisor connection (1 Gbps); Hyperion; two XScale/IXP complexes, each with 1.5 GB DRAM; Nitrox II; CEF720 linecard; DBUS (16 Gbps bus), RBUS and EOBC; internal links labelled 8 Gbps, 10 Gbps and 16 Gbps.
- XScale Processor (700 MHz)
- 1.5 GB RDRAM (433 MHz DDR)
- 32 MB SRAM (200 MHz DDR)
- Both IXPs run in parallel and process data independently.
- Inter Process Communication Protocol (IPCP): required for the IXPs to share information (e.g., sticky lookups).
IXP2800 XScale
700 MHz ARM 5 core running QNX. QNX is chosen because it:
- Supports FCSE (Fast Context Switch Extensions) mode
- Provides real-time scheduling
- Is a small, efficient microkernel with fast context switches
- Supports virtual memory
CDE: Functions
Inbound:
- Classifies the packet as L2, L3, or L4.
- Verifies the IP and TCP checksums.
- Creates the IMPH header and prepends it to the packet. The IMPH header carries information such as which IXP should handle the packet.
Outbound:
- Generates the IP and TCP checksums.
- Generates the header for Hyperion (Cat6k).
- Checks the status of the output queue; if it is full, asserts backpressure on the IXP that is feeding it.
Traffic Distribution
IXPs work in parallel, independent of each other:
- Scales nicely for both PPS and CPS.
- System pools are split between the two (e.g., NAT/PAT pools, sticky table).
- System tables are duplicated on both (e.g., ACL and FIB tables).
Because the system is distributed, it needs a protocol to communicate internally: IPCP is a proprietary protocol developed for ACE.
- Each ME has a specialized functionality that is defined by its subsystem.
- Fastpath connections for client and server are independently allocated and linked together.
- The system uses fixed-size packet buffers (particles) that can be chained together.
Xscale
Receive (RX) ME
Takes inbound packets from CDE FIFO via SPI and reassembles packets into internal representation, Particle Buffers. Once packets are transferred from FIFO, RxME signals FastPath. Can also support Jumbo frames.
Interface Lookup
- PVLAN to VLAN mapping
- Resolves shared interface (VLAN + MAC)
- Resolves connection lookup key
Backpressure: Definition
Backpressure is the mechanism used to slow the system down if queues start to fill up internally. Queues that can be affected and create backpressure:
- FIFOs for CDE, IXPs, and Nitrox.
- Internal queues for each ME.
It is possible that some packets received by the system are dropped internally if backpressure is applied.
- Per-connection IP/TCP normalization
- Unicast RPF + L2 firewall checks
- IP forwarding lookup
- Client-side FastPath connection setup
- Proxy connection ID allocation
- Control Point traffic management
- ICMP inspect
Data structures referenced: icmiflookup table, MTRIE, reverse encap table, encap table, policy MTRIE, connection table.
Work done:
- Egress ACL lookup.
- NAT/PAT allocation.
- Route/bridge table lookup.
- Setup of the egress connection record.
- Buddy connection management.
A connection-create syslog message is generated. Data structures referenced: MTRIE, reverse encap table, encap table, connection table, xlate.
TCP ME
- Full TCP state machine, based on the CSS-SSL Module.
- Out-of-order segment support.
TCP ME
Support for TCP options, continued:
- Timestamp: Improves RTT measurements, which allows better use of the congestion window and slow-start algorithms during the connection. Combined with window scaling, it is useful when there is a great deal of latency between the endpoints, since RTT is less accurate with the normal Van Jacobson algorithm.
- SACK (Selective ACKs): allows the other side to ACK around any holes in the data so that the missing segment can be re-sent by ACE more quickly than the normal TCP timers allow.
HTTP ME
- Support for persistent and pipelined requests.
- Match URLs and cookies against user-defined regular expressions.
- Insert user-defined cookies and other headers in the request/response.
- Facilitate server-side connection reuse.
- Perform HTTP RFC compliance checks, MIME type checks, URL/content/URL header checks, etc.
Syslog
Modes of operation
Two modes of operation:
1. All syslog processing in the CP (default mode).
   Benefit: Syslogs are delivered in sequence, in the order the events occurred. One TCP connection per syslog server.
   Caveat: Cannot achieve the marketing requirement of the syslog rate matching the connection throughput rate. DP messages are rate-limited based on a pre-defined CP processing limit.
EMBLEM message structure:
<fac|pri>: [mmm dd hh:mm:ss TimeZone:] <ip or dns>:%ACE-[SUBFACILITY-]SEVERITY-<msg id>: <Message-text>
CP Syslog
- Handles CLI commands.
- Receives syslogs from CP modules via a Unix socket and places them in an internal queue.
- Receives syslogs from IXP and Xscale modules via IPCP and places them in an internal queue; generates the timestamp.
- Supports sending syslogs via UDP and TCP to external servers.
- Periodically retrieves syslog statistics from the DP.
DP Syslog
Disabled by default. Enable via the command: logging fastpath
Syslogs that are sent out directly from the DP to external syslog servers:
- 302028: Built TCP connection
- 302029: Teardown TCP connection
- 302030: Built UDP connection
- 302031: Teardown UDP connection
These syslogs are not forwarded to the CP when this option is enabled, which means they will not be seen on the console, in the buffer, on the supervisor, in telnet sessions, or via SNMP.
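An added example, not from the training deck, of how a collector could parse the EMBLEM structure above and flag the four DP fastpath connection messages, which under logging fastpath never reach the CP buffer or console. The sample lines, host names and the "SLB" subfacility are constructed placeholders.

```python
import re
from typing import NamedTuple, Optional

# Slide grammar:
# <fac|pri>: [mmm dd hh:mm:ss TimeZone:] <ip or dns>:%ACE-[SUBFACILITY-]SEVERITY-<msg id>: <Message-text>
EMBLEM_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>:\s*"                                                  # syslog PRI
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?: +[A-Za-z]+)?):\s*)?"  # optional timestamp
    r"(?P<host>[^\s:]+):\s*"                                                    # ip or dns name
    r"%ACE-(?:(?P<sub>[A-Z0-9]+)-)?(?P<sev>[0-7])-(?P<msgid>\d+):\s*(?P<text>.*)$"
)
# Ids the slide says go straight from the DP to external servers when "logging fastpath" is on.
DP_FASTPATH_IDS = {302028, 302029, 302030, 302031}

class AceSyslog(NamedTuple):
    facility: int          # PRI >> 3
    pri_severity: int      # PRI & 7
    timestamp: Optional[str]
    host: str
    subfacility: Optional[str]
    severity: int          # SEVERITY digit in the %ACE tag
    msg_id: int
    text: str

    def severity_mismatch(self) -> bool:
        """PRI encodes facility*8 + severity; flag lines where the tag disagrees."""
        return self.pri_severity != self.severity

    def from_dp_fastpath(self) -> bool:
        return self.msg_id in DP_FASTPATH_IDS

def parse_ace_syslog(line: str) -> Optional[AceSyslog]:
    """Parse one EMBLEM-format ACE line; None if it does not match the grammar."""
    m = EMBLEM_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return AceSyslog(pri >> 3, pri & 7, m["ts"], m["host"], m["sub"],
                     int(m["sev"]), int(m["msgid"]), m["text"])

def summarize(lines):
    """Count parsed lines, DP fastpath connection events and PRI/tag mismatches."""
    parsed = [p for p in map(parse_ace_syslog, lines) if p is not None]
    return {"parsed": len(parsed),
            "fastpath_events": sum(p.from_dp_fastpath() for p in parsed),
            "severity_mismatch": sum(p.severity_mismatch() for p in parsed)}

# Constructed sample lines, not captured from a real ACE: host names, the "SLB"
# subfacility and the connection details after the message id are placeholders.
SAMPLE_LINES = [
    "<166>: Mar 14 10:22:31 UTC: 10.0.0.5:%ACE-6-302028: Built TCP connection 0x1a2b for vlan100:10.0.0.20/51234 to vlan200:192.168.1.10/443",
    "<166>: ace-blade1:%ACE-6-302029: Teardown TCP connection 0x1a2b",
    "<163>: ace-blade1:%ACE-SLB-6-302030: Built UDP connection 0x1a2c",
    "not an EMBLEM line",
]
```

A collector that sees fastpath connection events only from the DP can use the summary to confirm that the external server, not the CP buffer, is the place to look for them.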
Communicates with Nitrox using the APIs provided to implement the handshake protocol. Communicates via the SSL ME to talk to the rest of the system.
Configuration Manager
Two parts to the configuration manager:
- Top half: pertains to getting the actual CLI commands entered via console, remotely, or from AAA. Also does some data sanity checking of the configuration before it gets downloaded (e.g., duplicate IPs, etc.).
- Bottom half: pertains to getting data to the DP, where lookup tables and data structures are available. Additionally, this can also be triggered by probes running on the CP.
Other work:
- Gathering of statistics.
- show running
Configuration manager (top half) diagram: HTTP/XML and CLI (Telnet/SSH/Console) inputs pass through Login (backed by a Remote Authentication Server) to the VSH/Parser and then to the Config manager (Top Half).
Configuration manager (bottom half) diagram: components shown are IF, Regex, HealthMon, RIB and TNRPC.
DHCP Relay
ACE can be configured to relay a client's DHCP request to a defined list of DHCP servers. Used if the DHCP client and server are on different networks. Command to enable:
ip dhcp relay enable
CP Packet Forwarding
CP packet forwarding has no knowledge of connections; it operates on a packet-by-packet basis.
- No SLB policies get applied.
- No support for bridging (i.e., outgoing packets are always routed).
- If ECMP is enabled, only the 1st entry in the route table is used.
There are two code paths out of the CP, depending on the traffic:
- encap_decap based.
- Socket interface (Linux stack) based.
Agenda
- Interface Management
- ARP and adjacency
- Routing
Interface Management
Interface Modes
- Routed Interface
- Bridged Interface
Routed Interface
L3 interface: all traffic hitting this interface is routed.
- IP address (mandatory).
- Alias IP address (optional).
- Peer IP address (optional).
- IP subnets cannot overlap within a context. They can overlap between interfaces in different contexts.
- Across contexts on a shared VLAN, the IP address cannot be identical. On a non-shared VLAN it can be identical.
Bridged Interface
L2 interface: non-load-balanced traffic hitting this interface is bridged. Load-balanced traffic is always routed.
- IOS-style configuration: put interfaces in a bridge group.
- 2 interfaces per bridge group.
- No MAC learning.
- Bridge lookup based on <bridge-group-id, dest-MAC>.
- Bridged traffic is never unknown-unicast-flooded.
- Multicast and broadcast bridged traffic is automatically sent to the other interface of the bridge group.
Interface Types
- VLAN Interface
- BVI Interface
- Fault Tolerant (FT) Interface
VLAN interface
- Associated with VLANs on the SUP.
- Must be routed or bridged: a bridge-group or an IP address is required for it to be usable.
BVI interface
- Is a routed interface, associated with a bridge-group.
- Interface number must be the same as the bridge-group-id (BGID). BGID is a number between 1 and 4K. Internal BGIDs start at 8K+1 and go up to 12K.
- Allowed configs: IP addresses, shut/no shut.
- To use a BVI to terminate management traffic, the management policy must be put on the specific L2 interface from which management traffic is expected.
Interface goes up if
- It is not administratively down ("no shut").
- It has an IP address or bridge-group configured.
- If it is a VLAN interface:
  - The VLAN must be assigned to this module on the SUP.
  - auto-state is UP (auto-state is off by default).
  - It must be a primary or normal VLAN (not a private VLAN).
- If it is an L2 interface, its BVI must be UP.
An interface subnet change also causes the interface to flap.
Shared VLANs
- Multiple interfaces in different contexts on the same VLAN.
- Only L3 interfaces can share a VLAN (shared VLAN configuration for L2 interfaces is not permitted).
- All these interfaces must be on the same subnet.
- Different MAC addresses for the interfaces sharing the VLAN.
- No routing across contexts, even when shared VLANs are configured.
System limits
- 8K interface entries total.
- 4K BVI entries.
- 1K instances of shared interface entries (4 interfaces on a shared VLAN => 3 instances of shared interfaces).
- Shared MAC => shared VLAN interface. The converse is not true.
- VMACs come from a pool of 1K MACs shared across all ACEs.
- The VMAC is a function of the ft-group-id; therefore different cards must have different ft-group-ids.
- Floating IPs (e.g., alias, VIP, etc.) have VMACs.
Entry types shown on the slide: External, RServer, Gateway, HA Peer, Learned.
The default refresh period for configured entries is 5 mins and for learned entries is 4 hours. This, the retry timeout and the number of retries are configurable per context.
Routing
ICMP thread
- Virtualized, context aware.
- Integrated with the HA state machine: no ping if standby unit; uses the virtual MAC when active.
- Integrated with VIP state change.
Virtualization
Agenda
- Virtualization Overview
- Resource Management
- Roles
- Domains
- Role-Domain based Access Control
Virtualization Overview
- Provides a means to partition one physical unit into independently managed logical engines.
- Provisions resources per logical device.
- Almost every feature subsystem is virtualized, including the Linux kernel.
Context diagram: the Admin Context (blade-level control and view, provisioning; system-level files, HA grouping, etc.) alongside user contexts (e.g., Context foo, Context Blah), each with its own config DB, LIFs, FIB, resources, file directory and users.
Admin Context
- Created at the time of system initialization. Cannot be removed/changed by the user.
- Global configurations handled in the Admin context:
  - Creation of contexts
  - Creation of resource-classes
  - ft-groups
- Admin users defined in the Admin context have system-wide privileges.
- Users logging in over the console are logged into the Admin context.
- Only users authenticated in the Admin context can use changeto.
Admin context diagram: components shown are AAA Server, TNRPC / MTS, Config Manager and VACd.
Resource Management
By default, every context is a member of the default resource-class, with unlimited access to system resources. Resources can be guaranteed in three ways:
1. No guaranteed resources, but access to any available resource.
2. X% of resources guaranteed, with no access to other additional resources.
3. X% of resources guaranteed, and access to any available resource.
- The minimum limit is specified as a percentage (e.g., 5.00%).
- The maximum limit can equal the min value or be unlimited.
- Only one resource-class can be applied per context.
- A maximum of 100 resource-classes can be configured.
Resource types shown on the slide: Config Mgr, Sticky, Regexp, ACL, Syslog (syslog buffer, syslog rate), ACL memory.
NOTE 1: Only min limits are allowed for sticky resources in Phase 1.
NOTE 2: No sticky resources are applied by default! They must be added manually for sticky to work!
Filesystem Virtualization
root (/mnt/cf)
- TN-CONFIG (70 Mb)
- TN-CERTKEYSTORAGE (30 Mb)
- TN-COREFILE (100 Mb)
- TN-LOGFILE (10 Mb)
dir disk0: -> TN-HOME, dir core: -> TN-COREFILE, dir image: -> /mnt/cf
Access to the image directory is allowed from the Admin context only.
RBAC Overview
- Roles and Domains for access control.
- Roles: feature privilege. A user has a set of roles.
- The Role x Domain combination provides the final authentication for any object.
- Users are defined in a context; the user name space is unique within the context only.
Roles
- Define the actions a user can perform.
- Maximum of 16 roles per context (9 are user configurable; 7 are predefined and cannot be removed).
- Each role is comprised of up to 16 rules.
- Default role for a new user is Network-Monitor.
Rules
- Each rule is associated with a feature. A feature is a grouping of one or more CLIs.
- The rule number determines the order in which rules are applied.
- Default for new roles is to deny all features until a rule has been applied.
Role Configuration
switch/Admin(config)# role Network-Operator
switch/Admin(config-role)# rule 1 permit ?
  create    Commands for creation of new objects
  debug     Commands for debugging
  modify    Commands for modifying existing configurations
  monitor   Commands for monitoring
switch/Admin(config-role)# rule 1 permit create
switch/Admin(config-role)# rule 2 deny create feature interface
Default Roles
- Admin: Access to all functions in the context/device.
- SLB-Admin: Permit create on Serverfarm, Real, VIP, Probe, Loadbalance, NAT, Interface.
- Security-Admin: Permit create on ACL, Inspect, AAA, NAT, TCP, Interface.
- Server-Maintenance: Permit modify on feature Real-Inservice. Permit debug on Probe, Real, VIP, Serverfarm, Loadbalance.
- Server-Application-Maintenance: Permit create on Probe, Real, VIP, Serverfarm, Loadbalance.
- Network-Admin: Permit create on Interface, Routing, NAT, VIP, TCP.
- Network-Monitor: Access to all show commands only.
Domains
- Domains are used to group objects within a single context to control access.
- Each ACE context has a default-domain, which is used if no other domain is specified. For example, the admin user is a member of the default-domain for the Admin context.
- A maximum of 10 domains can be created per context.
- Objects can belong to multiple domains within the context.
- Objects with a hierarchical relationship are implicitly added to a domain.
- New objects created by a user are automatically added to the user's domain.
- The default domain for a new user created in the Admin context is the entire device; for a new user in any other context it is the entire context.
Domain Configuration
Types of objects that can be added to a domain include: interfaces, access-lists, policy-maps, class-maps, parameter-maps, serverfarms, rservers, probes, scripts, sticky-groups.
To create a domain and add an object to it:
switch/Admin(config)# domain SF-domain
switch/Admin(config-domain)# add-object serverfarm sf1
Software Versioning
Software Versioning
Based on SanOS, which has a common version numbering scheme. Version number:
Major.Minor(Maint.Interim)BUidBUminor(BUmaint.BUinterim.BUrebuild)
- Major = SanOS major build number.
- Minor = SanOS minor build number.
- Maint = SanOS maintenance build number.
- Interim = SanOS interim build number.
- BUid = Business unit identifier (unique per BU).
- BUminor = Business unit minor build number.
- BUmaint = Business unit maintenance build number.
- BUrebuild = Business unit rebuild number.
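An added example, not from the deck, that parses the version grammar above into its components and compares two versions, which is what an inventory or patch-tracking script needs to do. It assumes BUid is one or more capital letters and that every numeric component is a plain decimal integer; the sample strings are constructed, not real releases.

```python
import re
from typing import NamedTuple

# Version grammar from the slide:
#   Major.Minor(Maint.Interim)BUidBUminor(BUmaint.BUinterim.BUrebuild)
# Assumption (not stated on the slide): BUid is one or more capital letters and
# every numeric component is a plain decimal integer.
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\.(?P<interim>\d+)\)"
    r"(?P<buid>[A-Z]+)(?P<buminor>\d+)"
    r"\((?P<bumaint>\d+)\.(?P<buinterim>\d+)\.(?P<burebuild>\d+)\)$"
)

class AceVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    interim: int
    buid: str
    buminor: int
    bumaint: int
    buinterim: int
    burebuild: int

    def sanos_base(self):
        """The SanOS part of the version, which orders first."""
        return (self.major, self.minor, self.maint, self.interim)

    def bu_build(self):
        """The business-unit part, ordered within the same SanOS base."""
        return (self.buminor, self.bumaint, self.buinterim, self.burebuild)

def parse_version(text: str) -> AceVersion:
    """Split a version string into its named components; reject anything off-grammar."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SanOS/ACE version string: {text!r}")
    fields = {k: (v if k == "buid" else int(v)) for k, v in m.groupdict().items()}
    return AceVersion(**fields)

def is_at_least(running: str, minimum: str) -> bool:
    """True if `running` carries the same BU id as `minimum` and is not older.

    Comparing across BU ids is refused rather than guessed, since the slide
    gives no ordering between business units.
    """
    r, m = parse_version(running), parse_version(minimum)
    if r.buid != m.buid:
        raise ValueError(f"different business units: {r.buid} vs {m.buid}")
    return (r.sanos_base(), r.bu_build()) >= (m.sanos_base(), m.bu_build())

if __name__ == "__main__":
    # Constructed example strings following the slide's grammar (not real releases).
    print(is_at_least("3.0(0.1)A1(2.3.4)", "3.0(0.1)A1(2.3.3)"))
```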