Available
|
Description
|
Benefit
|
Generic Protocol Parsing (GPP)
|
ACE has native understanding of the following protocols: HTTP, FTP, DNS, ICMP, SIP, RTSP, Extended RTSP, Radius and RDP. However, data center owners may have to deal with many other applications – custom applications, legacy applications, packaged applications, etc.
Cisco ACE’s GPP feature enables you to configure application switching and persistence policies based on any information in traffic payload for custom and packaged applications without requiring any programming.
The Cisco ACE performs payload parsing via hardware using a powerful regular expression engine to obtain maximum performance unlike other software-based solutions.
|
ACE can switch custom and packaged applications without any programming.
|
HTTP Header Manipulation
|
Cisco ACE supports the ability to insert, delete or rewrite HTTP headers in both client requests and server responses.
HTTP Header Insertion
ACE provides the ability to insert an HTTP header in the request, the response or both.
Consider an example where ACE uses source NAT to translate the client's IP address; the servers often need a way to identify that client.
To identify a client whose source IP address has been NAT’ed, you can instruct the ACE to insert a generic header and string value of source IP address before the request is sent to the server.
|
Increased client visibility for applications to perform logging and auditing.
|
HTTP Header Rewrite
ACE provides the ability to rewrite an HTTP header in the request, the response or both.
Consider an example where a client wants to connect to a secured Web application. In this scenario, the client sends an HTTPS request to the application. An external application switch terminates the SSL connection and sends clear text to the application. Since the application is unaware that the incoming client HTTPS request was terminated on the application switch, the application may redirect the client to a nonsecured HTTP URL rather than to the secured HTTPS URL.
To solve this problem, the Cisco ACE application switch modifies the redirected URL from HTTP to HTTPS in the “Location” header before sending the response to the client.
|
Secure delivery of SSL content back to the client
|
|
Delete HTTP Header
HTTP header deletion can be used to strip sensitive HTTP headers from server responses.
For example, by default many web servers include the information about the web server such as version, O/S in HTTP response header. This information could potentially be used to generate malicious attacks.
In this example, Cisco ACE can automatically delete such headers, thus hiding the server type and version from clients.
|
Secured Web applications
|
|
Partial Server-Farm Failover
|
Currently, if a backup server-farm is configured, the primary server-farm would fail over to the backup only when all the real servers in that server-farm go down.
Partial Server-farm Failover feature allows the user to specify a minimum percentage (eg. X%) of real servers to be active in the farm before the primary server-farm fails over to the backup server-farm.
When the primary server-farm fails over to the backup, all currently established connections will continue to exist on the primary server-farm. All new requests are routed to the backup server-farm.
For the primary server-farm to return to service, a minimum percentage (eg. Y% > X%) of real servers should be active.
|
Cisco ACE provides capability to manage which server farm (primary or backup) receives new traffic based on the number of available Real Servers (RServers).
|
TCP Dump
|
ACE can capture real-time packet information for the network traffic that passes through the ACE.
The ACE buffers the captured packets, and you can copy the buffered contents to a file in flash memory on the ACE or export to Ethereal.
|
Enhanced Troubleshooting
|
Source NAT for VIP
|
Source NAT for VIP allows you to include a Virtual IP (VIP) address in the network address translation (NAT) pool for dynamic NAT and PAT.
This feature can be used to Source-NAT Real Server-originated connections (bound to the client) using the VIP address.
|
Save real world IP addresses on the client-side network
|
Source NAT for Server Farm
|
Enables source NAT to a backup Server Farm multiple hops away during the failure of a primary Server Farm.
ACE can apply dynamic NAT for both primary and backup Server Farms, for multiple outgoing Server VLANs.
|
Provides continuous application availability even during the Primary Server Farm failure.
|
Adaptive Response Predictor
|
Cisco ACE adds several new intelligent load-balancing predictors.
Cisco ACE predictor selects a server based on its response time. Response times are calculated over a user-configured number of samples and support the following three measurement options:
● SYN-to-SYN-ACK: Server response time between SYN sent from ACE to SYN-ACK received from server.
● SYN-to-Close: Server response time between SYN sent from ACE to FIN/RST received from server.
● Application Request to Response: Server response time between HTTP request sent from ACE to HTTP response received from server.
|
ACE switches applications based on real-time server/application performance data measured across a variety of user-configured criteria.
|
Least-Loaded Predictor
|
This ACE predictor selects the least-loaded server based on the value of up to 8 SNMP MIB objects defined by the user. These objects can be server resources like CPU utilization, memory resources, disk drive availability, etc. Users can associate weights with each of the measured objects for ultimate granular control in application switching.
|
|
Least-Bandwidth Predictor
|
This ACE predictor selects the server that processed the least amount of application traffic between ACE and the real servers, in both directions, over a user-configured sampling period and number of samples.
|
|
Keepalive Appliance Protocol (KAL-AP)
|
Keepalive-Appliance Protocol (KAL-AP) on the ACE application switches allows communication with ACE Global Site Selector (GSS), to report VIP and real server availability.
The above information is used by the Cisco ACE GSS for intelligent global server load balancing (GSLB) across data centers.
KAL-AP communication with the ACE GSS can be secured using MD5 encryption.
|
Global server load-balancing (GSLB) to provide business continuity
|
Simple Network Management Protocol (SNMP) Probes
|
The main purpose of an SNMP message is to control (set) or monitor (get) parameters on an SNMP agent, e.g. a web server. SNMP uses an Object Identifier (OID) to specify the exact parameter to set or get in an SNMP agent.
This SNMP-based server load probe allows the user to configure a query consisting of up to eight SNMP object identifiers (OIDs) to probe the server. In addition, the user can associate weights with each of these OIDs.
The information retrieved by this probe from the servers is used as input to the Least-loaded predictor described above.
|
Intelligent server health monitoring using customized probes in an SNMP environment
|
Scripted Probes
|
In addition to existing flexibility to author specific Toolkit Command Language (TCL) scripts unique to customer environments for server health monitoring, ACE support is extended to execute ACE CLI commands via TCL scripts.
|
Intelligent server health monitoring using customized TCL scripts
|
HTTP Return Code Parsing
|
This feature enables configuration of a threshold value based on the number of specific HTTP return codes seen in a specified time frame. When this threshold is reached, the Cisco ACE can automatically remove a server from service.
HTTP return code parsing is invaluable in a scenario where it is desirable to remove a server from service if, for example, a page cannot be found (e.g. many HTTP 404 Not Found responses are seen). In this case, traditional TCP-based HTTP server availability probes would indicate the server is available and responding, but would not provide information about whether or not the server is able to fulfill requests for content. HTTP return code parsing is needed in this scenario to provide additional server-level information with which to determine server availability.
|
Enhanced in-band server health monitoring for improved application availability
|
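The three HTTP header operations described in the table above (insertion, rewrite and deletion), modelled in Python as an added example; this is not Cisco ACE code or configuration. The header name `X-Client-IP`, the list of stripped headers and the host names are assumptions made for the illustration.

```python
import re

# Assumed name: the datasheet only says "a generic header".
CLIENT_IP_HEADER = "X-Client-IP"
# Assumed list of response headers that reveal server type and version.
SENSITIVE_RESPONSE_HEADERS = {"server", "x-powered-by"}


def rewrite_request(headers, client_ip):
    """Header insertion: add the pre-NAT client address for logging and auditing.

    Any copy of the header sent by the client is dropped first, so the
    server only ever sees the value written by the switch.
    """
    kept = [(k, v) for k, v in headers if k.lower() != CLIENT_IP_HEADER.lower()]
    kept.append((CLIENT_IP_HEADER, client_ip))
    return kept


def rewrite_response(headers, ssl_offloaded_hosts):
    """Header deletion and rewrite on the way back to the client."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in SENSITIVE_RESPONSE_HEADERS:
            continue  # deletion: hide server type and version
        if lname == "location":
            # rewrite: the server does not know SSL was terminated in front
            # of it, so its redirect points at http:// on the same host
            m = re.match(r"http://([^/:]+)(?::80)?(/.*)?$", value, re.I)
            if m and m.group(1).lower() in ssl_offloaded_hosts:
                value = "https://" + m.group(1) + (m.group(2) or "/")
        out.append((name, value))
    return out
```

Redirects to hosts outside `ssl_offloaded_hosts`, or to a non-default port, are left unchanged so that only the offloaded site's own redirects are upgraded.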
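How HTTP return code parsing and Partial Server-Farm Failover interact, as an added Python model; it is not Cisco ACE code or configuration. The class and function names are hypothetical, and the thresholds are passed in as the X% and Y% values and the return-code count and time frame from the table.

```python
from collections import deque


class RetcodeMonitor:
    """Flag a real server after `threshold` watched codes within `window` seconds."""

    def __init__(self, codes, threshold, window):
        self.codes, self.threshold, self.window = set(codes), threshold, window
        self.hits = {}  # server name -> timestamps of watched return codes

    def observe(self, server, status, now):
        """Record one response; return True if the server should leave service."""
        if status not in self.codes:
            return False
        q = self.hits.setdefault(server, deque())
        q.append(now)
        while now - q[0] > self.window:  # drop samples older than the time frame
            q.popleft()
        return len(q) >= self.threshold


class FarmSelector:
    """Send new requests to backup below x_pct active; return at y_pct or more."""

    def __init__(self, servers, x_pct, y_pct):
        if not y_pct > x_pct:
            raise ValueError("y_pct must exceed x_pct, otherwise the farm flaps")
        self.active = {s: True for s in servers}
        self.x_pct, self.y_pct, self.on_backup = x_pct, y_pct, False

    def set_state(self, server, up):
        """Update one real server and return the farm that takes new requests."""
        self.active[server] = up
        pct = 100 * sum(self.active.values()) / len(self.active)
        if not self.on_backup and pct < self.x_pct:
            self.on_backup = True
        elif self.on_backup and pct >= self.y_pct:
            self.on_backup = False
        return "backup" if self.on_backup else "primary"


def replay(samples, monitor, farm):
    """Feed (time, server, status) samples through both checks; list each removal."""
    return [(srv, farm.set_state(srv, False))
            for t, srv, status in samples if monitor.observe(srv, status, t)]
```

The gap between X% and Y% is what keeps the farm from switching back and forth when the number of active servers hovers around a single threshold.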