Transparent Cache Switching

Overview

ACOS supports Transparent Cache Switching (TCS). TCS enables you to improve server response times by redirecting client requests for content to cache servers containing the content. Figure 122 shows an example topology.

FIGURE 122      Transparent Cache Switching


In this example, a client sends a request for content that is hosted by the content server. ACOS redirects the client’s request to the cache server. If the cache server has the requested content, the cache server sends the content to the ACOS device, which sends the content to the client.

If the content is cacheable, but the cache server does not have the requested content or the content is stale, the cache server requests the content from the content server, caches the content, then sends the content to the ACOS device, which sends the content to the client.

Granularity of TCS

You can configure Layer 4 TCS or Layer 7 TCS.

     Layer 4 TCS – Sends all TCP or UDP traffic addressed to the content server to the cache server instead

     Layer 7 TCS – You can configure Layer 7 TCS with either of the following levels of granularity:

     Sends all HTTP requests to the cache server and sends all other requests to the content server

     Sends HTTP requests for specific URLs to the cache server, and sends other requests to the content server

Optimizing When Using Multiple Cache Servers

If your network uses multiple cache servers, you can configure destination-IP persistence, to always select the same cache server for content from a given destination IP address. This technique reduces cache misses, by ensuring that requests for a given site IP address always go to the same cache server.

For even greater control, you can configure the ACOS device to select from among multiple cache service groups based on the requested URL. When combined with destination-IP persistence, this method allows you to control initial selection of the cache service group, after which the ACOS device always sends requests for the same content to the same cache server within the cache service group.

Application Templates

TCS does not require configuration of any application templates. However, you can use the following types of application templates for advanced features, such as URL-based Layer 7 TCS:

     HTTP template – If you want to selectively redirect client requests based on URL strings, you can use an HTTP template containing URL switching rules. When a client request matches the URL string in a URL switching rule, the ACOS device selects the service group specified in the URL switching rule, instead of the service group bound to the virtual port.

For example, you can configure a URL switching rule that matches on any URL that contains “.mycorp/”. In this case, requests for any URL that contains “.mycorp/” are sent to the service group that contains the cache server. Requests for other URLs are sent to the gateway router instead.

In a Layer 7 TCS configuration that uses URL switching, a separate real server is required for the gateway router, and the real server is required to be placed in its own service group. The gateway router’s service group is used as the default service group for the virtual port. Client requests to a URL that does not match a URL switching rule are sent to the gateway router’s service group instead of the cache server’s service group.

     Destination-IP persistence template – In deployments that use multiple cache servers, you can use a destination-IP persistence template to ensure that the same cache server is used for every request for content on a given content server. ACOS uses standard SLB to select a cache server for the first request to a real server IP address, and assigns a hash value to the server. All subsequent requests for the same real server are sent to the same cache server.

By always using the same cache server for content from a given server, a destination-IP persistence template can reduce duplication of content on multiple cache servers, and can also reduce cache misses.

     RAM caching template – To also cache some content on the ACOS device itself, you can use a RAM caching template. In this case, the ACOS device directly serves content that is cached on the ACOS device, and only sends requests to the cache server for content that is not cached on the ACOS device.

     Connection reuse template – You can use a connection reuse template to reuse TCP connections. When a client’s session ends, the TCP connection is not terminated. Instead, the connection is reused for a new client session.

Support for Spoofing Caches

Some cache servers can use the client’s IP address instead of the cache server’s IP address as the source address when obtaining content requested by the client. A cache server operating in this mode is a spoofing cache server. Configuration for a spoofing cache server includes a couple of additional steps. (See Enabling Support for Cache Spoofing.)

High Availability Support

You can deploy TCS in VRRP-A high availability configurations. For an example of TCS deployed in Layer 3 inline mode of HA, see Configuring IPv4 TCS in VRRP-A High Availability Layer 3 Inline Mode.

Configuring Layer 4 TCS

To configure Layer 4 TCS:

1.     Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the ACOS interface(s) connected to the clients.

2.     Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address.

3.     Configure a real server for the cache server. Add the TCP or UDP port; for example, TCP port 80.

If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support.

4.     Configure a service group for the cache server and add the cache server to it.

5.     Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL.

Add virtual port 80 and bind it to the service group containing the cache server. Disable destination NAT on the virtual port.

6.     If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support on the ACOS interface connected to the cache server, and on the real server (cache server).

CLI Example

The commands in this section implement the TCS configuration shown in Figure 123.

FIGURE 123      Layer 4 TCS


The following commands configure the ACOS interface to the client. Promiscuous VIP is enabled on the interface.

ACOS(config)#vlan 4

ACOS(config-vlan:4)#tagged ethernet 4

ACOS(config-vlan:4)#router-interface ve 4

ACOS(config-vlan:4)#exit

ACOS(config)#interface ve 4

ACOS(config-if:ve:4)#ip address 192.168.19.1 255.255.255.0

ACOS(config-if:ve:4)#ip allow-promiscuous-vip

ACOS(config-if:ve:4)#exit

 

The following commands configure the ACOS interface to the content server.

ACOS(config)#vlan 2

ACOS(config-vlan:2)#tagged ethernet 2

ACOS(config-vlan:2)#router-interface ve 2

ACOS(config-vlan:2)#exit

ACOS(config)#interface ve 2

ACOS(config-if:ve:2)#ip address 10.10.10.1 255.255.0.0

ACOS(config-if:ve:2)#exit

 

The following commands configure the interface to the cache server:

ACOS(config)#interface ethernet 5

ACOS(config-if:ethernet:5)#ip address 110.110.110.254 255.255.255.0

ACOS(config-if:ethernet:5)#exit

 

The following command configures an extended ACL to match on clients and on the content server. The ACL in this example matches on any source address (client IP address) and on the destination IP address of the content server.

ACOS(config)#access-list 198 permit ip any host 20.20.20.10 log

 

The following commands configure a real server for the cache server. TCP port 80 is added to the real server.

ACOS(config)#slb server cache-rs 110.110.110.10

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#exit

 

The following command configures a service group for the cache server:

ACOS(config)#slb service-group sg-tcs tcp

ACOS(config-slb svc group)#member cache-rs 80

ACOS(config-slb svc group)#exit

 

The following commands configure a wildcard VIP and bind it to the ACL:

ACOS(config)#slb virtual-server wildcard 0.0.0.0 acl 198

ACOS(config-slb vserver)#port 80 tcp

ACOS(config-slb vserver-vport)#service-group sg-tcs

ACOS(config-slb vserver-vport)#no-dest-nat

 

Configuring Layer 7 TCS

Layer 7 TCS can be configured in either of the following ways. Select one of these methods based on the level of granularity you want to use for traffic redirection.

     Service type HTTP without URL switching rules – This method redirects all HTTP traffic to the cache server. The configuration steps are very similar to those for Layer 4 TCS. The only difference is use of HTTP instead of TCP or UDP as the service type of the virtual port.

     Service type HTTP with URL switching rules – This method uses an HTTP template containing URL switching rules. Traffic that matches a URL switching rule is redirected to the cache server. Other traffic is sent to the gateway router.

This method requires configuration of a separate real server and service group for the gateway router.

Figure 124 shows an example of the first method, which does not use URL switching rules. Figure 125 shows an example of the second method, which does use URL switching rules.

FIGURE 124      Layer 7 TCS Without URL Switching Rules


FIGURE 125      Layer 7 TCS Using URL Switching Rules


Service Type HTTP Without URL Switching Rules

To configure this type of Layer 7 TCS:

1.     Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the ACOS interface(s) connected to the clients.

2.     Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address.

3.     Configure a real server for the cache server. Add the TCP port; for example, TCP port 80.

4.     Configure a service group for the cache server and add the cache server to it.

5.     Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL.

Add virtual port 80 with service type HTTP and bind it to the service group containing the cache server. Disable destination NAT on the virtual port.

CLI Example

The commands in this section implement the TCS configuration shown in Figure 124. The commands for configuring the interfaces and ACL, and the real server and service group for the cache server, are the same as those used in the Layer 4 TCS example, and are therefore not shown.

The following commands configure a wildcard VIP and bind it to the ACL:  

ACOS(config)#slb virtual-server wildcard 0.0.0.0 acl 198

ACOS(config-slb vserver)#port 80 http

ACOS(config-slb vserver-vport)#service-group sg-tcs

ACOS(config-slb vserver-vport)#no-dest-nat

Service Type HTTP with URL Switching Rules

To configure this type of Layer 7 TCS:

1.     Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the ACOS interface(s) connected to the clients.

2.     Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address.

3.     Configure a real server for the cache server. Add the TCP or UDP port; for example, TCP port 80.

4.     Configure a real server for the next-hop router through which the ACOS device will reach the content servers. Add the same TCP port number as the one on the cache server (for example, TCP port 80). Disable health checking on the port.

NOTE: The configuration requires health checking to be disabled on the router port. The router will not respond to the health check. If you leave health checking enabled, the ACOS device will mark the port down and TCS will not work.

5.     Configure a service group for the cache server and add the cache server to it.

6.     Configure a separate service group for the router, and add the router to it.

7.     Configure an HTTP template with URL switching rules. Add a separate URL switching rule for each URI string based on which to select a service group.

8.     Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL.

Add virtual port 80 with service type HTTP and bind it to the service group containing the cache server. Bind the virtual port to the HTTP template. Disable destination NAT.

Add virtual port 0 with service type HTTP and bind it to the service group containing the router. Disable destination NAT.

CLI Example

The commands in this section implement the TCS configuration shown in Figure 125. The commands for configuring the interfaces and ACL, and the real server and service group for the cache server, are the same as those used in the Layer 4 TCS example, and are therefore not shown.

The following commands configure a real server for the gateway router:

ACOS(config)#slb server router 10.10.10.20

ACOS(config-real server)#port 80 tcp

ACOS(config-real server-node port)#no health-check

ACOS(config-real server-node port)#exit

 

The following commands configure a service group for the router:

ACOS(config)#slb service-group sg-router tcp

ACOS(config-slb svc group)#member router 80

ACOS(config-slb svc group)#exit

 

The following commands configure an HTTP template containing URL switching rules. Client requests for any URL that contains “.examplecorp/” or “.mycorp/” will be redirected to the service group for the cache server. Requests for any other URL will instead be sent to the service group for the router.

ACOS(config)#slb template http http1

ACOS(config-HTTP template)#url-switching contains .examplecorp/ service-group sg-tcs

ACOS(config-HTTP template)#url-switching contains .mycorp/ service-group sg-tcs

ACOS(config-HTTP template)#exit

 

The following commands configure a wildcard VIP and bind it to the ACL:  

ACOS(config)#slb virtual-server wildcard 0.0.0.0 acl 198

ACOS(config-slb vserver)#port 80 http

ACOS(config-slb vserver-vport)#service-group sg-router

ACOS(config-slb vserver-vport)#template http http1

ACOS(config-slb vserver-vport)#no-dest-nat

Optimizing TCS with Multiple Cache Servers

To optimize TCS in deployments that use more than one cache server, use a destination-IP persistence template.

The commands in this section implement the TCS configuration shown in Figure 126. Only the commands specific to destination-IP persistence are shown. The other commands are the same as those shown in the previous sections.

FIGURE 126      TCS with Multiple Cache Servers


The following commands configure the destination-IP persistence template:

ACOS(config)#slb template persist destination-ip d-sticky

ACOS(config-dest ip persistence template)#match-type service-group

 

NOTE: The match-type service-group command is required, to enable use of URL switching and persistence in the same configuration.

The following commands configure the VIP. The commands are the same as those used for Layer 7 TCS, with the addition of a command to bind the destination-IP persistence template to the virtual port.

ACOS(config)#slb virtual-server wildcard 0.0.0.0 acl 198

ACOS(config-slb vserver)#port 80 http

ACOS(config-slb vserver-vport)#template http http1

ACOS(config-slb vserver-vport)#service-group sg-router

ACOS(config-slb vserver-vport)#no-dest-nat

ACOS(config-slb vserver-vport)#template persist destination-ip d-sticky

ACOS(config-slb vserver-vport)#exit

ACOS(config-slb vserver)#exit
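As an added illustration (not A10 code), the following Python model replays requests through the selection path configured above: URL switching picks the service group, then destination-IP persistence pins each destination IP to one cache server. Round robin stands in for standard SLB, a lookup table stands in for the hash value, scoping persistence per service group is an assumption, and the cache names, extra addresses and URLs are constructed.

```python
from itertools import cycle


class ServiceGroup:
    """A named group of servers; round robin stands in for 'standard SLB'."""

    def __init__(self, name, members):
        self.name, self.members = name, list(members)
        self._next = cycle(self.members)

    def pick(self):
        return next(self._next)


class VirtualPort:
    """Simplified model of the selection path of a Layer 7 TCS virtual port."""

    def __init__(self, default_group, url_rules=(), persist=False):
        self.default_group = default_group
        self.url_rules = list(url_rules)   # (substring, ServiceGroup), like "url-switching contains"
        self.persist = persist
        self.sticky = {}                   # (group name, destination IP) -> member

    def select(self, dst_ip, url):
        group = next((g for needle, g in self.url_rules if needle in url), self.default_group)
        if not self.persist:
            return group.name, group.pick()
        key = (group.name, dst_ip)         # assumption: persistence is scoped per service group
        if key not in self.sticky:
            self.sticky[key] = group.pick()    # first request: normal selection
        return group.name, self.sticky[key]


def replay(requests, persist):
    """Replay (dst_ip, url) requests; return (origin fetches, objects stored per cache)."""
    caches = ServiceGroup("sg-tcs", ["cache1", "cache2"])
    router = ServiceGroup("sg-router", ["router"])
    vport = VirtualPort(router, [(".examplecorp/", caches), (".mycorp/", caches)], persist)
    stored = {member: set() for member in caches.members}
    fetches = 0
    for dst_ip, url in requests:
        group, member = vport.select(dst_ip, url)
        if group != caches.name:
            continue                       # no rule matched: forwarded to the gateway router
        if (dst_ip, url) not in stored[member]:
            stored[member].add((dst_ip, url))  # cache miss: fetched from the content server
            fetches += 1
    return fetches, {member: len(objs) for member, objs in stored.items()}


# Constructed traffic: three cacheable sites and one unmatched URL, each requested four times.
REQUESTS = [
    ("20.20.20.10", "www.examplecorp/index.html"),
    ("20.20.20.11", "www.mycorp/logo.png"),
    ("20.20.20.12", "www.mycorp/app.js"),
    ("20.20.20.13", "www.other/page.html"),
] * 4

if __name__ == "__main__":
    print("without persistence:", replay(REQUESTS, persist=False))
    print("with persistence:   ", replay(REQUESTS, persist=True))
```

Without persistence every object ends up on both caches and is fetched from the content server twice; with persistence each object is fetched once and stored on one cache.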

Enabling Support for Cache Spoofing

If the cache server spoofs client IP addresses when requesting content from servers, the following additional configuration is required:

1.     Enable cache spoofing support on the ACOS interface connected to the spoofing cache server. Use the ip cache-spoofing-port command at the interface configuration level.

2.     In the real server configuration for the cache server, enable spoof caching support. Use the spoofing-cache command at the real server configuration level.

The commands in this section enable cache spoofing support for the TCS configuration shown in Figure 126.

ACOS(config)#interface ethernet 5

ACOS(config-if:ethernet:5)#ip address 110.110.110.254 255.255.255.0

ACOS(config-if:ethernet:5)#ip cache-spoofing-port

ACOS(config-if:ethernet:5)#exit

ACOS(config)#slb server cache-rs 110.110.110.10

ACOS(config-real server)#spoofing-cache

ACOS(config-real server)#port 80 tcp
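The requirements stated in the preceding sections (promiscuous VIP, a wildcard VIP bound to a permit ACL, destination NAT disabled, health checking disabled on the gateway router, match-type service-group, and cache spoofing enabled in both places) can be checked against a saved CLI transcript. The following Python script is an added example, not an A10 tool; it recognizes only the IPv4 commands shown on this page, and the sample transcript is constructed with several of those requirements left out.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")    # strips e.g. "ACOS(config-slb vserver)#"
TOP = {"interface": "iface", "slb server": "server", "slb service-group": "group",
       "slb template http": "http", "slb template persist destination-ip": "persist",
       "slb virtual-server": "vip"}

def parse(transcript):
    """cfg[kind][name] = {"cmds": set of commands, "ports": {port: set of commands}}"""
    cfg = {kind: {} for kind in TOP.values()}
    cfg["acl"] = set()                     # numbered IPv4 ACLs that contain a permit rule
    obj = port = None
    for raw in transcript.splitlines():
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        if not line:
            continue
        top = next((t for t in TOP if line.startswith(t + " ")), None)
        if line.startswith("access-list ") and " permit " in line:
            cfg["acl"].add(line.split()[1])
        elif top:                          # a top-level command opens a new object
            rem = line[len(top):].strip()
            name, _, rest = (rem, "", "") if top == "interface" else rem.partition(" ")
            obj, port = cfg[TOP[top]].setdefault(name, {"cmds": set(), "ports": {}}), None
            obj["cmds"].add(rest)          # e.g. "0.0.0.0 acl 198" for a virtual server
        elif line == "exit":               # leave the port level first, then the object
            obj, port = (obj, None) if port is not None else (None, None)
        elif obj is not None and line.startswith("port "):
            port = obj["ports"].setdefault(line[5:], set())
        elif port is not None:
            port.add(line)
        elif obj is not None:
            obj["cmds"].add(line)
    return cfg

def arg(cmds, prefix):                     # argument of the first command starting with prefix
    return next((c[len(prefix) + 1:] for c in sorted(cmds) if c.startswith(prefix + " ")), None)

def audit(cfg):
    """Return the requirements stated on the page that this configuration misses."""
    out, none = [], {"cmds": set(), "ports": {}}
    iface_cmds = set().union(*(i["cmds"] for i in cfg["iface"].values()))
    if "ip allow-promiscuous-vip" not in iface_cmds:
        out.append("no interface enables promiscuous VIP")
    spoofing = any("spoofing-cache" in s["cmds"] for s in cfg["server"].values())
    if spoofing != ("ip cache-spoofing-port" in iface_cmds):
        out.append("cache spoofing is enabled on only one of real server and interface")
    for name, vip in sorted(cfg["vip"].items()):
        addr = next((c.split() for c in vip["cmds"] if c.startswith("0.0.0.0")), None)
        if addr is None:
            continue                       # not a wildcard VIP
        if addr[1:2] != ["acl"] or addr[-1] not in cfg["acl"]:
            out.append(f"{name}: wildcard VIP is not bound to a configured permit ACL")
        for pname, cmds in sorted(vip["ports"].items()):
            if "no-dest-nat" not in cmds:
                out.append(f"{name} port {pname}: destination NAT is not disabled")
            http = cfg["http"].get(arg(cmds, "template http"), none)
            if arg(http["cmds"], "url-switching") is None:
                continue                   # the remaining checks apply to URL switching only
            # The default group then holds the gateway router, which ignores health checks.
            group = cfg["group"].get(arg(cmds, "service-group"), none)
            for member in sorted(c.split()[1] for c in group["cmds"] if c.startswith("member ")):
                for rport, rcmds in sorted(cfg["server"].get(member, none)["ports"].items()):
                    if "no health-check" not in rcmds:
                        out.append(f"{member} port {rport}: health check enabled on gateway router")
            persist = arg(cmds, "template persist destination-ip")
            if persist and "match-type service-group" not in cfg["persist"].get(persist, none)["cmds"]:
                out.append(f"{persist}: match-type service-group is required with URL switching")
    return out

# Constructed excerpt in the page's transcript style, with five requirements left out.
SAMPLE = """\
ACOS(config)#interface ethernet 5
ACOS(config-if:ethernet:5)#ip address 110.110.110.254 255.255.255.0
ACOS(config-if:ethernet:5)#exit
ACOS(config)#access-list 198 permit ip any host 20.20.20.10 log
ACOS(config)#slb server cache-rs 110.110.110.10
ACOS(config-real server)#spoofing-cache
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb server router 10.10.10.20
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group sg-router tcp
ACOS(config-slb svc group)#member router 80
ACOS(config-slb svc group)#exit
ACOS(config)#slb template http http1
ACOS(config-HTTP template)#url-switching contains .mycorp/ service-group sg-tcs
ACOS(config-HTTP template)#exit
ACOS(config)#slb template persist destination-ip d-sticky
ACOS(config-dest ip persistence template)#exit
ACOS(config)#slb virtual-server wildcard 0.0.0.0 acl 198
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#service-group sg-router
ACOS(config-slb vserver-vport)#template http http1
ACOS(config-slb vserver-vport)#template persist destination-ip d-sticky
"""
```

Calling `audit(parse(SAMPLE))` returns one finding per omitted requirement; a transcript that meets all of them returns an empty list.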

Configuring IPv4 TCS in VRRP-A High Availability Layer 3 Inline Mode

You can use VRRP-A high availability to provide redundancy and failover for TCS. This section shows an example for IPv4 Layer 3 inline mode VRRP-A high availability. Layer 3 high availability for inline mode is beneficial in network topologies where the ACOS interfaces with the clients and cache servers are in the same subnet. Figure 127 shows an example.

FIGURE 127      TCS in VRRP-A high availability Layer 3 Inline Mode


Interface Parameters

In this configuration, each ACOS device connects to the client, cache servers, and content server on a single IP interface:

     ACOS-1 – Connected on IP interface 10.10.10.1, which is assigned to VE 1 on VLAN 1 containing Ethernet data ports 3-11

     ACOS-2 – Connected on IP interface 10.10.10.2, which is assigned to VE 1 on VLAN 1 containing Ethernet data ports 3-11

The following interface parameters are required:

     Promiscuous VIP – Must be enabled on the interface connected to clients, and on the IP interface assigned to the VE on the VLAN containing the interfaces to the clients, content servers, and cache servers.

     Cache spoofing – If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support on the ACOS interface connected to the cache server.

VRRP-A High Availability Parameters

This configuration uses the following VRRP-A high availability parameters. The last two in this list apply specifically to inline mode. The other parameters apply to all types of VRRP-A configurations.

     Device ID – ACOS-1 uses Device ID 1. ACOS-2 uses Device ID 2.

     VRID and priority – A single VRID is configured, with a higher priority on ACOS-1.

     Pre-emption – Pre-emption is enabled, to force initial failover to the ACOS device with the higher priority.

     VRRP-A interfaces – Ethernet interfaces 1, 3, and 6 are configured as VRRP-A interfaces. Interfaces 1 and 3 are the lead interfaces in trunks, so all the interfaces in these trunks are VRRP-A interfaces.

     Session synchronization (connection mirroring) – Each ACOS device is enabled, when in Active role, to synchronize its sessions onto the other ACOS device.

     Floating IP address – Both ACOS devices share floating IP address 10.10.10.250 for the VRID.

     L3-inline mode – This must be enabled on each ACOS device.

     Restart port list – Interfaces 1 to 5 and interface 9 are designated as inline-mode restart ports. This includes the ACOS interfaces with the client, cache servers, and content server. Interface 6 is the dedicated HA link between the ACOS devices and is not included in the restart list.

SLB Parameters

Real server parameters:

     Port type – A Layer 4 port type, such as TCP, should be used. HA session synchronization is supported only for Layer 4 sessions.

     Cache spoofing – If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support on the real server configuration for the cache server.

Service group parameters:

     Type – Typically, the type should be TCP.

     Members – Add the real servers configured for the cache servers.

In a Layer 7 TCS configuration that uses URL switching, a separate real server is required for the gateway router, and the real server is required to be placed in its own service group. (See Configuring Layer 7 TCS.) The example in Figure 127 does not use Layer 7 switching.

Virtual server parameters:

     VIP – The VIP address must be 0.0.0.0 (a wildcard VIP). The ACL associated with the VIP must be an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address.

     Service type – The service type of the TCS virtual port must be a Layer 4 service type (TCP).

     VRID – Add the virtual server to the VRID.

     Destination NAT – Destination NAT must be disabled.

     Session synchronization – Enable this feature so that customer sessions are synchronized from the Active ACOS device to the standby ACOS device.

NOTE: If spoof-caching is enabled, the ACOS device creates a transparent session from the cache to the server. This session is not synchronized. However, the main session from the client to the cache server is always synchronized.

NOTE: Client sessions will be reset if a failover occurs. In most cases, the reset will not be noticeable. However, if a client is downloading a large file, the reset may be noticeable, because the download progress is not retained after the session is reset.

Templates

For simplicity, the sample configuration in this section does not use any custom templates. For information about the templates that can be used with TCS, see Application Templates.

The following CLI examples show how to implement the configuration shown in Figure 127.

ACOS-1 Configuration

The following commands configure the links:

ACOS-1(config)#interface ethernet 1

ACOS-1(config-if:ethernet:1)#enable

ACOS-1(config-if:ethernet:1)#trunk group 1

ACOS-1(config-if:ethernet:1)#exit

ACOS-1(config)#interface ethernet 2

ACOS-1(config-if:ethernet:2)#enable

ACOS-1(config-if:ethernet:2)#trunk group 1

ACOS-1(config-if:ethernet:2)#exit

ACOS-1(config)#interface ethernet 9

ACOS-1(config-if:ethernet:9)#enable

ACOS-1(config-if:ethernet:9)#trunk group 1

ACOS-1(config-if:ethernet:9)#exit

ACOS-1(config)#interface ethernet 3

ACOS-1(config-if:ethernet:3)#enable

ACOS-1(config-if:ethernet:3)#ip allow-promiscuous-vip

ACOS-1(config-if:ethernet:3)#trunk group 3

ACOS-1(config-if:ethernet:3)#exit

ACOS-1(config)#interface ethernet 4

ACOS-1(config-if:ethernet:4)#enable

ACOS-1(config-if:ethernet:4)#trunk group 3

ACOS-1(config-if:ethernet:4)#exit

ACOS-1(config)#vlan 11

ACOS-1(config-vlan:11)#untagged ethernet 3 to 6

ACOS-1(config-vlan:11)#tagged ethernet 1 to 2 ethernet 9

ACOS-1(config-vlan:11)#router-interface ve 1

ACOS-1(config-vlan:11)#exit

ACOS-1(config)#interface ethernet 5

ACOS-1(config-if:ethernet:5)#enable

ACOS-1(config-if:ethernet:5)#ip cache-spoofing-port

ACOS-1(config-if:ethernet:5)#exit

ACOS-1(config)#interface ve 1

ACOS-1(config-if:ve1)#ip address 10.10.10.1 255.255.255.0

ACOS-1(config-if:ve1)#ip allow-promiscuous-vip

ACOS-1(config-if:ve1)#exit

 

The following commands configure static routes. One of the routes goes to the subnet on the other side of the router that connects the ACOS device to the content servers. The other static route goes to the subnet on the other side of the router that connects the ACOS device to the client.

ACOS-1(config)#ip route 20.20.20.0 /24 10.10.10.20

ACOS-1(config)#ip route 192.168.19.0 /24 10.10.10.254

 

The following command configures an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address:

ACOS-1(config)#access-list 198 permit ip any host 20.20.20.11 log

 

The following commands configure the global VRRP-A parameters:

ACOS-1(config)#vrrp-a common

ACOS-1(config-common)#device-id 1

ACOS-1(config-common)#set-id 1

ACOS-1(config-common)#enable

ACOS-1(config-common)#disable-default-vrid

ACOS-1(config-common)#exit

ACOS-1(config)#vrrp-a l3-inline-mode

ACOS-1(config)#vrrp-a vrid 1

ACOS-1(config-vrid:1)#floating-ip 10.10.10.250

ACOS-1(config-vrid:1)#blade-parameters

ACOS-1(config-vrid:1-blade-parameters)#priority 200

ACOS-1(config-vrid:1-blade-parameters)#exit

ACOS-1(config-vrid:1)#exit

ACOS-1(config)#vrrp-a interface ethernet 6

ACOS-1(config-ethernet:6)#vlan 11

ACOS-1(config-ethernet:6)#exit

ACOS-1(config)#vrrp-a restart-port-list

ACOS-1(config-restart-port-list)#ethernet 1 to 5

ACOS-1(config-restart-port-list)#ethernet 9

ACOS-1(config-restart-port-list)#exit

ACOS-1(config)#

 

The following commands configure real servers for the cache servers:

ACOS-1(config)#slb server cache1 10.10.10.10

ACOS-1(config-real server)#spoofing-cache

ACOS-1(config-real server)#port 80 tcp

ACOS-1(config-real server-node port)#exit

ACOS-1(config-real server)#exit

ACOS-1(config)#slb server cache2 10.10.10.11

ACOS-1(config-real server)#spoofing-cache

ACOS-1(config-real server)#port 80 tcp

ACOS-1(config-real server-node port)#exit

ACOS-1(config-real server)#exit

 

The following commands configure a service group for the real servers:

ACOS-1(config)#slb service-group sg-cache-80 tcp

ACOS-1(config-slb svc group)#member cache1 80

ACOS-1(config-slb svc group)#member cache2 80

ACOS-1(config-slb svc group)#exit

 

The following commands configure the virtual server:

ACOS-1(config)#slb virtual-server wildcard 0.0.0.0 acl 198

ACOS-1(config-slb vserver)#vrid 1

ACOS-1(config-slb vserver)#port 80 tcp

ACOS-1(config-slb vserver-vport)#service-group sg-cache-80

ACOS-1(config-slb vserver-vport)#no-dest-nat

ACOS-1(config-slb vserver-vport)#ha-conn-mirror

 

ACOS-2 Configuration

The commands on ACOS-2 are the same as the ones on ACOS-1, with the following exceptions:

     The ip address command on the VE adds a unique IP address (not the address of the other ACOS device).

     The vrid command assigns VRID 2 instead of VRID 1.

     The priority command assigns a lower priority to the group.

 

ACOS-2(config)#interface ethernet 1

ACOS-2(config-if:ethernet:1)#enable

ACOS-2(config-if:ethernet:1)#trunk group 1

ACOS-2(config-if:ethernet:1)#exit

ACOS-2(config)#interface ethernet 2

ACOS-2(config-if:ethernet:2)#enable

ACOS-2(config-if:ethernet:2)#trunk group 1

ACOS-2(config-if:ethernet:2)#exit

ACOS-2(config)#interface ethernet 9

ACOS-2(config-if:ethernet:9)#enable

ACOS-2(config-if:ethernet:9)#trunk group 1

ACOS-2(config-if:ethernet:9)#exit

ACOS-2(config)#interface ethernet 3

ACOS-2(config-if:ethernet:3)#enable

ACOS-2(config-if:ethernet:3)#ip allow-promiscuous-vip

ACOS-2(config-if:ethernet:3)#trunk group 3

ACOS-2(config-if:ethernet:3)#exit

ACOS-2(config)#interface ethernet 4

ACOS-2(config-if:ethernet:4)#enable

ACOS-2(config-if:ethernet:4)#trunk group 3

ACOS-2(config-if:ethernet:4)#exit

ACOS-2(config)#vlan 11

ACOS-2(config-vlan:11)#untagged ethernet 3 to 6

ACOS-2(config-vlan:11)#tagged ethernet 1 to 2 ethernet 9

ACOS-2(config-vlan:11)#router-interface ve 1

ACOS-2(config-vlan:11)#exit

ACOS-2(config)#interface ethernet 5

ACOS-2(config-if:ethernet:5)#enable

ACOS-2(config-if:ethernet:5)#ip cache-spoofing-port

ACOS-2(config-if:ethernet:5)#exit

ACOS-2(config)#interface ve 1

ACOS-2(config-if:ve1)#ip address 10.10.10.2 255.255.255.0

ACOS-2(config-if:ve1)#ip allow-promiscuous-vip

ACOS-2(config-if:ve1)#exit

ACOS-2(config)#ip route 20.20.20.0 /24 10.10.10.20

ACOS-2(config)#ip route 192.168.19.0 /24 10.10.10.254

ACOS-2(config)#access-list 198 permit ip any host 20.20.20.11 log

ACOS-2(config)#vrrp-a common

ACOS-2(config-common)#device-id 2

ACOS-2(config-common)#set-id 1

ACOS-2(config-common)#enable

ACOS-2(config-common)#disable-default-vrid

ACOS-2(config-common)#exit

ACOS-2(config)#vrrp-a l3-inline-mode

ACOS-2(config)#vrrp-a vrid 2

ACOS-2(config-vrid:2)#floating-ip 10.10.10.250

ACOS-2(config-vrid:2)#blade-parameters

ACOS-2(config-vrid:2-blade-parameters)#priority 180

ACOS-2(config-vrid:2-blade-parameters)#exit

ACOS-2(config-vrid:2)#exit

ACOS-2(config)#vrrp-a interface ethernet 6

ACOS-2(config-ethernet:6)#vlan 11

ACOS-2(config-ethernet:6)#exit

ACOS-2(config)#vrrp-a restart-port-list

ACOS-2(config-restart-port-list)#ethernet 1 to 5

ACOS-2(config-restart-port-list)#ethernet 9

ACOS-2(config-restart-port-list)#exit

ACOS-2(config)#slb server cache1 10.10.10.10

ACOS-2(config-real server)#spoofing-cache

ACOS-2(config-real server)#port 80 tcp

ACOS-2(config-real server-node port)#exit

ACOS-2(config-real server)#exit

ACOS-2(config)#slb server cache2 10.10.10.11

ACOS-2(config-real server)#spoofing-cache

ACOS-2(config-real server)#port 80 tcp

ACOS-2(config-real server-node port)#exit

ACOS-2(config-real server)#exit

ACOS-2(config)#slb service-group sg-cache-80 tcp

ACOS-2(config-slb svc group)#member cache1 80

ACOS-2(config-slb svc group)#member cache2 80

ACOS-2(config-slb svc group)#exit

ACOS-2(config)#slb virtual-server wildcard 0.0.0.0 acl 198

ACOS-2(config-slb vserver)#vrid 2

ACOS-2(config-slb vserver)#port 80 tcp

ACOS-2(config-slb vserver-vport)#service-group sg-cache-80

ACOS-2(config-slb vserver-vport)#no-dest-nat

ACOS-2(config-slb vserver-vport)#ha-conn-mirror

 

Configuring IPv6 TCS in VRRP-A Layer 3 Inline Mode

Figure 128 shows an example of a TCS deployment in VRRP-A Layer 3 Inline mode.

FIGURE 128      TCS – VRRP-A Layer 3 Inline Mode


The configuration requirements and syntax are the same as for IPv4. The only difference is use of IPv6 addresses instead of IPv4 addresses.

ACOS-1 Configuration

The following commands configure the links.

ACOS-1(config)#interface ethernet 5

ACOS-1(config-if:ethernet:5)#enable

ACOS-1(config-if:ethernet:5)#trunk-group 1

ACOS-1(config-if:ethernet:5)#exit

ACOS-1(config)#interface ethernet 6

ACOS-1(config-if:ethernet:6)#enable

ACOS-1(config-if:ethernet:6)#trunk-group 1

ACOS-1(config-if:ethernet:6)#exit

ACOS-1(config)#vlan 21

ACOS-1(config-vlan:21)#untagged ethernet 1 to 3

ACOS-1(config-vlan:21)#router-interface ve 1

ACOS-1(config-vlan:21)#exit

ACOS-1(config)#vlan 22

ACOS-1(config-vlan:22)#untagged ethernet 2

ACOS-1(config-vlan:22)#router-interface ve 22

ACOS-1(config-vlan:22)#exit

ACOS-1(config)#vlan 56

ACOS-1(config-vlan:56)#untagged ethernet 5 to 6

ACOS-1(config-vlan:56)#router-interface ve 56

ACOS-1(config-vlan:56)#exit

ACOS-1(config)#interface ethernet 2

ACOS-1(config-if:ethernet:2)#ip cache-spoofing-port

ACOS-1(config-if:ethernet:2)#exit

ACOS-1(config)#interface ve 1

ACOS-1(config-if:ve1)#ipv6 address 2309:e90::2/64

ACOS-1(config-if:ve1)#ip allow-promiscuous-vip

ACOS-1(config-if:ve1)#exit

ACOS-1(config)#interface ve 22

ACOS-1(config-if:ve22)#ipv6 address 2409:c90::1/64

ACOS-1(config-if:ve22)#exit

ACOS-1(config)#interface ve 56

ACOS-1(config-if:ve56)#ipv6 address 2509:c90::1/64

ACOS-1(config-if:ve56)#ip address 3.3.3.2 255.255.255.0

ACOS-1(config-if:ve56)#exit

 

The following commands configure static routes. One of the routes goes to the subnet on the other side of the router that connects the ACOS device to the content servers. The other static route goes to the subnet on the other side of the router that connects the ACOS device to the client. CPU processing is also enabled on the routes.

ACOS-1(config)#ipv6 route 2309:d90::/32 2309:e90::1

ACOS-1(config)#ipv6 route 2309:f90::/32 2309:e90::3

 

The following commands configure an IPv6 ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address:

ACOS-1(config)#ipv6 access-list ipv6-101

ACOS-1(config-access-list:ipv6-101)#permit ipv6 any host 2309:f90::10 log

ACOS-1(config-access-list:ipv6-101)#exit

 

The following commands configure the VRRP-A parameters:

ACOS-1(config)#vrrp-a common

ACOS-1(config-common)#set-id 1

ACOS-1(config-common)#device-id 1

ACOS-1(config-common)#enable

ACOS-1(config-common)#disable-default-vrid

ACOS-1(config-common)#exit

ACOS-1(config)#vrrp-a l3-inline-mode

ACOS-1(config)#vrrp-a vrid 1

ACOS-1(config-vrid:1)#floating-ip 2409:c90::100

ACOS-1(config-vrid:1)#floating-ip 2309:e90::100

ACOS-1(config-vrid:1)#blade-parameters

ACOS-1(config-vrid:1-blade-parameters)#priority 200

ACOS-1(config-vrid:1-blade-parameters)#exit

ACOS-1(config-vrid:1)#exit

ACOS-1(config)#vrrp-a interface ethernet 1

ACOS-1(config-ethernet:1)#server-interface

ACOS-1(config-ethernet:1)#no-heartbeat

ACOS-1(config-ethernet:1)#exit

ACOS-1(config)#vrrp-a interface ethernet 3

ACOS-1(config-ethernet:3)#router-interface

ACOS-1(config-ethernet:3)#no-heartbeat

ACOS-1(config-ethernet:3)#exit

ACOS-1(config)#vrrp-a restart-port-list

ACOS-1(config-restart-port-list)#ethernet 1

ACOS-1(config-restart-port-list)#ethernet 3

ACOS-1(config-restart-port-list)#exit

 

The following commands configure a custom ICMP health monitor with very short interval and timeout values. In Layer 3 inline VRRP-A configurations, the short interval and timeout values help eliminate traffic disruption following a failover.

ACOS-1(config)#health monitor icmp interval 1 timeout 1

 

The following commands configure ICMP health checking for the upstream and downstream routers. The health checks help ensure rapid VRRP-A failover. (See the Configuring VRRP-A High Availability guide.) The custom ICMP health monitor configured above is also used.

ACOS-1(config)#slb server up-router 2309:e90::1

ACOS-1(config-real server)#health-check icmp

ACOS-1(config-real server)#exit

ACOS-1(config)#slb server down-router 2309:e90::3

ACOS-1(config-real server)#health-check icmp

ACOS-1(config-real server)#exit

 

The following commands configure real servers for the cache servers:

ACOS-1(config)#slb server cache1-ipv6 2409:c90::5

ACOS-1(config-real server)#spoofing-cache

ACOS-1(config-real server)#health-check icmp

ACOS-1(config-real server)#port 80 tcp

ACOS-1(config-real server-node port)#exit

ACOS-1(config-real server)#exit

ACOS-1(config)#slb server cache2-ipv6 2409:c90::6

ACOS-1(config-real server)#spoofing-cache

ACOS-1(config-real server)#health-check icmp

ACOS-1(config-real server)#port 80 tcp

ACOS-1(config-real server-node port)#exit

ACOS-1(config-real server)#exit

 

The following commands configure a service group for the real servers (cache servers):

ACOS-1(config)#slb service-group cache-ipv6 tcp

ACOS-1(config-slb svc group)#member cache1-ipv6 80

ACOS-1(config-slb svc group-member:80)#member cache2-ipv6 80

ACOS-1(config-slb svc group-member:80)#exit

 

The following commands configure the virtual server:

ACOS-1(config)#slb virtual-server wildcard-ipv6 :: ipv6-acl ipv6-101

ACOS-1(config-slb vserver)#vrid 1

ACOS-1(config-slb vserver)#port 80 tcp

ACOS-1(config-slb vserver-vport)#service-group cache-ipv6

ACOS-1(config-slb vserver-vport)#no-dest-nat

ACOS-1(config-slb vserver-vport)#ha-conn-mirror

 

ACOS-2 Configuration

Here are the configuration commands for ACOS-2. Most of the commands are exactly the same as on ACOS-1. Only the following values differ:

     IP addresses of the VEs

     VRID priority

     IP address for session synchronization (ha conn-mirror)

 

ACOS-2(config)#interface ethernet 5

ACOS-2(config-if:ethernet:5)#enable

ACOS-2(config-if:ethernet:5)#trunk-group 1

ACOS-2(config-if:ethernet:5)#exit

ACOS-2(config)#interface ethernet 6

ACOS-2(config-if:ethernet:6)#enable

ACOS-2(config-if:ethernet:6)#trunk-group 1

ACOS-2(config-if:ethernet:6)#exit

ACOS-2(config)#vlan 21

ACOS-2(config-vlan:21)#untagged ethernet 1 to 3

ACOS-2(config-vlan:21)#router-interface ve 1

ACOS-2(config-vlan:21)#exit

ACOS-2(config)#vlan 22

ACOS-2(config-vlan:22)#untagged ethernet 2

ACOS-2(config-vlan:22)#router-interface ve 22

ACOS-2(config-vlan:22)#exit

ACOS-2(config)#vlan 56

ACOS-2(config-vlan:56)#untagged ethernet 5 to 6

ACOS-2(config-vlan:56)#router-interface ve 56

ACOS-2(config-vlan:56)#exit

ACOS-2(config)#interface ethernet 2

ACOS-2(config-if:ethernet:2)#ip cache-spoofing-port

ACOS-2(config-if:ethernet:2)#exit

ACOS-2(config)#interface ve 1

ACOS-2(config-if:ve1)#ipv6 address 2309:e90::3/64

ACOS-2(config-if:ve1)#ip allow-promiscuous-vip

ACOS-2(config-if:ve1)#exit

ACOS-2(config)#interface ve 22

ACOS-2(config-if:ve22)#ipv6 address 2409:c90::1/64

ACOS-2(config-if:ve22)#exit

ACOS-2(config)#interface ve 56

ACOS-2(config-if:ve56)#ipv6 address 2509:c90::1/64

ACOS-2(config-if:ve56)#ip address 3.3.3.2 255.255.255.0

ACOS-2(config-if:ve56)#exit

ACOS-2(config)#ipv6 route 2309:d90::/32 2309:e90::1

ACOS-2(config)#ipv6 route 2309:f90::/32 2309:e90::3

ACOS-2(config)#ipv6 access-list ipv6-101

ACOS-2(config-access-list:ipv6-101)#permit ipv6 any host 2309:f90::10 log

ACOS-2(config-access-list:ipv6-101)#exit

ACOS-2(config)#vrrp-a common

ACOS-2(config-common)#set-id 1

ACOS-2(config-common)#device-id 1

ACOS-2(config-common)#enable

ACOS-2(config-common)#disable-default-vrid

ACOS-2(config-common)#exit

ACOS-2(config)#vrrp-a l3-inline-mode

ACOS-2(config)#vrrp-a vrid 1

ACOS-2(config-vrid:1)#floating-ip 2409:c90::100

ACOS-2(config-vrid:1)#floating-ip 2309:e90::100

ACOS-2(config-vrid:1)#blade-parameters

ACOS-2(config-vrid:1-blade-parameters)#priority 180

ACOS-2(config-vrid:1-blade-parameters)#exit

ACOS-2(config-vrid:1)#exit

ACOS-2(config)#vrrp-a interface ethernet 1

ACOS-2(config-ethernet:1)#server-interface

ACOS-2(config-ethernet:1)#no-heartbeat

ACOS-2(config-ethernet:1)#exit

ACOS-2(config)#vrrp-a interface ethernet 3

ACOS-2(config-ethernet:3)#router-interface

ACOS-2(config-ethernet:3)#no-heartbeat

ACOS-2(config-ethernet:3)#exit

ACOS-2(config)#vrrp-a restart-port-list

ACOS-2(config-restart-port-list)#ethernet 1

ACOS-2(config-restart-port-list)#ethernet 3

ACOS-2(config-restart-port-list)#exit

ACOS-2(config)#health monitor icmp interval 1 timeout 1

ACOS-2(config)#slb server up-router 2309:e90::1

ACOS-2(config-real server)#health-check icmp

ACOS-2(config-real server)#exit

ACOS-2(config)#slb server down-router 2309:e90::3

ACOS-2(config-real server)#health-check icmp

ACOS-2(config-real server)#exit

ACOS-2(config)#slb server cache1-ipv6 2409:c90::5

ACOS-2(config-real server)#spoofing-cache

ACOS-2(config-real server)#health-check icmp

ACOS-2(config-real server)#port 80 tcp

ACOS-2(config-real server-node port)#exit

ACOS-2(config-real server)#exit

ACOS-2(config)#slb server cache2-ipv6 2409:c90::6

ACOS-2(config-real server)#spoofing-cache

ACOS-2(config-real server)#health-check icmp

ACOS-2(config-real server)#port 80 tcp

ACOS-2(config-real server-node port)#exit

ACOS-2(config-real server)#exit

ACOS-2(config)#slb service-group cache-ipv6 tcp

ACOS-2(config-slb svc group)#member cache1-ipv6 80

ACOS-2(config-slb svc group-member:80)#member cache2-ipv6 80

ACOS-2(config-slb svc group-member:80)#exit

ACOS-2(config)#slb virtual-server wildcard-ipv6 :: ipv6-acl ipv6-101

ACOS-2(config-slb vserver)#vrid 1

ACOS-2(config-slb vserver)#port 80 tcp

ACOS-2(config-slb vserver-vport)#service-group cache-ipv6

ACOS-2(config-slb vserver-vport)#no-dest-nat

ACOS-2(config-slb vserver-vport)#ha-conn-mirror

 

 

Configuring TCS for FTP

You can configure the ACOS device to use cache servers for FTP traffic. Figure 129 shows an example.

FIGURE 129      Transparent Cache Switching for FTP


 

When a client sends a request to the FTP server, the ACOS device intercepts the request and forwards it to the FTP cache server. The cache server then forwards the requested content to the ACOS device, if the content is cached. ACOS forwards the content to the client.

If the requested content is not already cached, the cache server obtains the content from the FTP server and caches it. ACOS forwards the content to the client.

Each cache server in this example has two physical interfaces. One of the interfaces receives client requests forwarded by the ACOS device. The other interface communicates with the FTP server, and forwards cached content to the ACOS device. Only the interfaces that receive client requests from the ACOS device need to be configured as real servers.

NOTE: In this example, the content transferred by FTP is cached on the cache servers. However, this feature also can be used if the device is a firewall instead of an FTP cache server. In that case, the firewall is used to examine the traffic that is transferred to or from the FTP server by the client.

Configuration

To configure TCS for FTP:

1.     Configure the interfaces connected to the clients, the content servers, and the cache server.

     Enable promiscuous VIP on the ACOS interface(s) connected to the clients.

     Enable cache spoofing on the interface(s) connected to the cache server.

2.     Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address.

3.     Configure a real server for the cache server. Add an FTP port to the server.

If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support.

If the cache server has multiple interfaces, configure a separate real server for each one.

4.     Configure a real server for the next-hop router through which the ACOS device will reach the content servers. Add the same FTP port number as the one on the cache server (for example, port 21). Disable health checking on the port.

NOTE: The configuration requires health checking to be disabled on the router port. The router will not respond to the health check. If you leave health checking enabled, the ACOS device will mark the port down and TCS will not work.

5.     Configure a service group for the cache servers and add them to it.

6.     Configure a separate service group for the router, and add the router to it.

7.     Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL.

Add an FTP virtual port and bind it to the service group containing the cache server, and to the service group containing the router. Disable destination NAT on the virtual port.

CLI Example

The following commands configure the ACOS interfaces to the FTP server, the FTP client, and the cache servers.

ACOS(config)#interface ethernet 1

ACOS(config-if:ethernet:1)#enable

ACOS(config-if:ethernet:1)#ip address 10.10.10.254 255.255.255.0

ACOS(config-if:ethernet:1)#exit

ACOS(config)#interface ethernet 2

ACOS(config-if:ethernet:2)#enable

ACOS(config-if:ethernet:2)#ip address 192.168.19.254 255.255.255.0

ACOS(config-if:ethernet:2)#ip allow-promiscuous-vip

ACOS(config-if:ethernet:2)#exit

ACOS(config)#interface ethernet 5

ACOS(config-if:ethernet:5)#enable

ACOS(config-if:ethernet:5)#ip address 12.12.12.254 255.255.255.0

ACOS(config-if:ethernet:5)#ip cache-spoofing-port

ACOS(config-if:ethernet:5)#exit

ACOS(config)#interface ethernet 6

ACOS(config-if:ethernet:6)#enable

ACOS(config-if:ethernet:6)#ip address 11.11.11.254 255.255.255.0

ACOS(config-if:ethernet:6)#ip cache-spoofing-port

ACOS(config-if:ethernet:6)#exit

 

The following command configures an extended ACL to match on clients and on the content server. The ACL in this example matches on any source address (client IP address) and on the destination IP address of the content server.

ACOS(config)#access-list 198 permit ip any host 20.20.20.11 log

 

The following commands configure real servers for FTP on each of the cache servers. Cache spoofing is enabled and TCP port 21 is added to each real server.

ACOS(config)#slb server ftps1 11.11.11.10

ACOS(config-real server)#spoofing-cache

ACOS(config-real server)#port 21 tcp

ACOS(config-real server-node port)#no health-check

ACOS(config-real server-node port)#exit

ACOS(config-real server)#exit

ACOS(config)#slb server ftps2 11.11.11.11

ACOS(config-real server)#spoofing-cache

ACOS(config-real server)#port 21 tcp

ACOS(config-real server-node port)#no health-check

ACOS(config-real server-node port)#exit

ACOS(config-real server)#exit

 

The following commands configure an FTP service group for the cache servers:

ACOS(config)#slb service-group sg-ftps tcp

ACOS(config-slb svc group)#member ftps1 21

ACOS(config-slb svc group-member:21)#member ftps2 21

ACOS(config-slb svc group-member:21)#exit

 

The following commands configure a wildcard VIP and bind it to the ACL. The FTP virtual port is bound to the FTP and router service groups. Also, destination NAT is disabled.

ACOS(config)#slb virtual-server wildcard 0.0.0.0 acl 198

ACOS(config-slb vserver)#port 21 ftp

ACOS(config-slb vserver-vport)#service-group sg-ftps

ACOS(config-slb vserver-vport)#no-dest-nat
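As an added check (not A10 code and not part of the original guide), the following Python function audits a list of ACOS commands against the TCS-for-FTP configuration steps above. The sample input is this page's FTP CLI example with prompts stripped and abridged; the function name, the check wording and the simplified ACL pattern (source given as `any` or `host <addr>`) are assumptions of this example.

```python
import re

# Commands from the CLI example above with prompts stripped, abridged to one
# client-facing interface, one cache-facing interface and one cache server.
SAMPLE = """\
interface ethernet 2
ip allow-promiscuous-vip
interface ethernet 6
ip cache-spoofing-port
access-list 198 permit ip any host 20.20.20.11 log
slb server ftps1 11.11.11.10
spoofing-cache
port 21 tcp
slb service-group sg-ftps tcp
member ftps1 21
slb virtual-server wildcard 0.0.0.0 acl 198
port 21 ftp
service-group sg-ftps
no-dest-nat
"""

def audit_tcs_ftp(config):
    """Return the steps of the TCS-for-FTP procedure that the config misses."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # ACL id -> destination; assumes the source is 'any' or 'host <addr>'.
    acls = {m[1]: m[2] for l in lines if (m := re.match(
        r"access-list (\d+) permit ip (?:host \S+|\S+) (?:host )?(\S+)", l))}
    groups = {l.split()[2] for l in lines if l.startswith("slb service-group ")}
    vip = next((m for l in lines if (m := re.match(
        r"slb virtual-server \S+ 0\.0\.0\.0(?: acl (\d+))?$", l))), None)
    vport = []  # commands under the wildcard VIP, up to the next top-level one
    for l in (lines[lines.index(vip[0]) + 1:] if vip else []):
        if l.startswith(("slb ", "interface ", "access-list ")):
            break
        vport.append(l)
    bound = [l.split()[1] for l in vport if l.startswith("service-group ")]
    checks = [
        ("step 1: promiscuous VIP and cache spoofing enabled on interfaces",
         {"ip allow-promiscuous-vip", "ip cache-spoofing-port"} <= set(lines)),
        ("step 2: permit ACL naming the content server as destination",
         any(dst != "any" for dst in acls.values())),
        ("step 7: wildcard VIP bound to a defined ACL",
         bool(vip) and vip[1] in acls),
        ("step 7: FTP virtual port with destination NAT disabled",
         "no-dest-nat" in vport
         and any(re.fullmatch(r"port \d+ ftp", l) for l in vport)),
        ("steps 5-7: cache and router service groups defined and bound",
         len(set(bound)) >= 2 and set(bound) <= groups),
    ]
    return [name for name, ok in checks if not ok]
```

Run on the commands listed in the CLI example, the function returns only the service-group check, because the listing defines and binds `sg-ftps` but shows no router real server or router service group (steps 4 and 6).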

 

 
