AX release 2.4
Course AX-DSC-001.12
Table of Contents
Module 1: Course Introduction (p. 3)
Module 2: AX Product Line (p. 8)
Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management (p. 19)
Module 4: FTP, HTTP and HTTPS Protocols (p. 68)
Module 5: AX Acceleration (p. 118)
Module 6: AX Security (p. 141)
Module 7: AX Power and Flexibility (p. 178)
Module 8: AX Management and Troubleshooting (p. 210)
Course Introduction
Module 1
Module objectives
Understand the course goals
Understand the facilities and materials available
Understand the objectives for the students
Course goals:
To present the A10 Networks AX product line
To teach the basic load balancing concepts
To present the FTP, HTTP and HTTPS protocols
To teach advanced AX load balancing concepts
To prepare students to install, configure and manage the AX device
Basics:
Material:
Additional Resources:
Course map
Module 2: AX Product Line
Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
Module 4: FTP, HTTP and HTTPS Protocols
Module 5: AX Acceleration Components
Module 6: AX Security Components
Module 7: AX Power and Flexibility
Module 8: AX Management and Troubleshooting
AX Product Line
Module 2
Module objectives
Understand the AX solution and market
Understand the AX product portfolio
Understand the feature set
Understand the licensing
ACOS
ACOS:
Designed for multi-core CPUs
Hardware accelerated Symmetrical Multiprocessing (SMP)
Flexible Traffic ASIC, SSL ASIC, Switching and Routing ASIC
Highest throughput and performance
Compared with other architectures:
CPU or multi-CPU with instruction blocking
Retrofitted platform
Limited scalability
Lower throughput
Half the performance
SSL ASIC only
Basic LB benefits
[Chart: price vs. overall performance. Models plotted: AX 1000-11, AX 2200-11, AX 3200-11. Throughput values shown: 4 Gbps, 7.4 Gbps, 8.7 Gbps. L4 CPS values shown: 153,000, 302,000, 541,000]
[Chart: price vs. overall performance for the larger platforms. Values shown: 30 Gbps / 850,000 L4 CPS and 40 Gbps / 2 million L4 CPS]
AX product line
32-bit:
Model    Gigabit Copper  Gigabit Fiber SFP (Mini GBIC)  10 Gigabit Fiber SFP+  Management Interface  Console Port  Power Supplies
AX 2100  8               4                              0                      Yes                   Yes           Dual
AX 2200  16              4                              0                      Yes                   Yes           Dual
AX 3100  16              4                              2                      Yes                   Yes           Dual
AX 3200  16              4                              2                      Yes                   Yes           Dual
Cooling: hot-swap smart fan
Power supplies: dual 460 W or dual 600 W RPS (model dependent), 100 to 240 VAC, 50-60 Hz
Hardware acceleration (Linear Decoupled Architecture): Flexible Traffic ASIC, SSL Acceleration ASIC, Switching and Routing ASIC, Hardware Compression ASIC (standard, optional or not available depending on the model)
AX product line
64-bit:
Model    Option Code  Gigabit Copper  Gigabit Fiber SFP (Mini GBIC)  10 Gigabit Fiber SFP+  Management Interface  Console Port
AX 3000  GC           16              0                              4                      Yes                   Yes
AX 3000  GCF          8               8                              4                      Yes                   Yes
AX 5100  -            0               4                              8                      Yes                   Yes
AX 5200  -            0               4                              16                     Yes                   Yes
Cooling: hot-swap smart fan
Dual power supplies: 400 W RPS or 900 W RPS (model dependent), 100 to 240 VAC, 50-60 Hz
Hardware acceleration (Linear Decoupled Architecture): Flexible Traffic ASIC, SSL Acceleration ASIC, Multi-ASIC High Performance SSL, Switching and Routing ASIC, Hardware Compression ASIC (standard, optional or not available depending on the model)
AX feature set
aXAPI
aFleX: L7 Tcl scripting for deep packet inspection
Advanced NAT options
AX High Availability
Firewall load balancing
GSLB (Global Server Load Balancing)
DNS Application Layer Firewall
Operates in Layer 2 and Layer 3 simultaneously
IPv4 and IPv6 load balancing and management
Full web interface or industry-standard command line interface
AX licensing
No extra licenses required for performance or features Each AX is offered with full scalability and benefits
Summary
Module objectives
Understand the main load balancing goals and concepts
Configure an AX basic L4 SLB VIP (configuration steps)
Understand and configure two common L4 SLB VIP options (source IP persistence and NAT)
Module 3 Lesson1
Routed Mode
Routed Mode
Benefits:
No change required on clients and servers
Servers keep visibility of the client IP address
Points to keep in mind:
The AX has to be the servers' default gateway
Clients can't be in the servers' subnet
One-Arm Mode
One-Arm Mode
Benefits:
No change required on clients and servers
Easy to test
Clients can be in the servers' subnet
Points to keep in mind:
Transparent Mode
Transparent Mode
Benefits:
No change required on clients and servers
Servers keep visibility of the client IP address
Points to keep in mind:
Harder to implement: the servers' responses must go through the AX
DSR Mode
DSR Mode
Benefits:
Highly
Points to keep in mind:
Can't use any AX layer 7 features
Extra configuration required on every server (IP stack update)
Minimum configuration
Servers
Server configuration
Service groups
Health monitors
Service availability is checked using health monitors
Health monitors apply to:
Health monitors
Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)
Health monitor configuration
Server HM configuration
Server HM status
a. Create a TCP health monitor for port 80: "hm-tcp-80"
b. Associate the health monitor "hm-tcp-80" with the service group "sg-80"
c. Check the status of virtual server "vip1"
Module 3 Lesson2
Source IP persistence
Source IP persistence
Name
Type: Port (persistence per VIP:port), Server (persistence per VIP) or Service-Group (persistence per URL or host switching; see Module 4 Lesson 2)
Timeout: how long inactive entries are kept (default = 5 minutes)
Don't Honor Conn Rules: ignore the connection limits defined on servers and server ports and send new client connections to the persisted server anyway (default = disabled)
Netmask: granularity of client IP address hashing (default = 255.255.255.255, the most granular)
Source IP persistence
WebUI: Config > Service > Template > Persistent > Source IP Persistence
CLI:
  AX(config)# slb template persist source-ip <name>
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N tcp
  AX(config-slb vserver-vport)# template persist source-ip <name>
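As an added example (Python, not A10 code), the following models the template fields above: a persistence table keyed by the client address masked with the Netmask, idle entries expiring after Timeout seconds, and a fallback to the load balancing method (round robin here) when no live entry exists. Server names and client addresses are constructed; the AX's internal hashing is not shown.

```python
import ipaddress
import time


class SourceIpPersistence:
    """Persistence table as configured by 'slb template persist source-ip'."""

    def __init__(self, netmask="255.255.255.255", timeout=300):
        self.netmask = netmask      # hashing granularity; /32 = one entry per client
        self.timeout = timeout      # seconds an idle entry is kept (AX default 5 min)
        self.table = {}             # masked client prefix -> (server, last activity)

    def key(self, client_ip):
        # Mask the client address so all clients in the prefix share one entry
        net = ipaddress.ip_network("%s/%s" % (client_ip, self.netmask), strict=False)
        return str(net)

    def lookup(self, client_ip, now=None):
        now = time.time() if now is None else now
        k = self.key(client_ip)
        entry = self.table.get(k)
        if entry is None:
            return None
        server, last_seen = entry
        if now - last_seen > self.timeout:
            del self.table[k]       # idle too long: expired
            return None
        self.table[k] = (server, now)   # activity refreshes the idle timer
        return server

    def record(self, client_ip, server, now=None):
        now = time.time() if now is None else now
        self.table[self.key(client_ip)] = (server, now)


class VirtualPort:
    """A VIP port with round-robin selection and source-IP persistence."""

    def __init__(self, servers, persist):
        self.servers = list(servers)
        self.persist = persist
        self._rr = 0

    def select(self, client_ip, now):
        # Persistence first; otherwise load balance and remember the choice
        server = self.persist.lookup(client_ip, now)
        if server is None:
            server = self.servers[self._rr % len(self.servers)]
            self._rr += 1
            self.persist.record(client_ip, server, now)
        return server
```

With a 255.255.255.0 netmask every client in one /24 lands on the same server, which is what you want behind a large NAT but also means one noisy /24 stays pinned to one server until the idle timer expires.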
WebUI: Config > Service > IP Source NAT > IPv4 Pool
CLI:
  AX(config)# ip nat pool <pool-name>
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N <type>
  AX(config-slb vserver-vport)# source-nat pool <pool-name>
WebUI: Config > Service > IP Source NAT > IPv4 Pool
CLI:
  AX(config)# ip nat pool <pool-name>
WebUI: Config > Service > IP Source NAT > Group
CLI:
  AX(config)# ip nat pool-group <pool-group-name>
WebUI: Config > Network > ACL
CLI:
  AX(config)# access-list []
WebUI: Config > Service > IP Source NAT > Binding
CLI:
  AX(config)# ip nat inside source list [acl#] pool [pool-group-name | pool-name]
On the inside interfaces:
WebUI: Config > Service > IP Source NAT > Interface
CLI:
  AX(config)# interface ethernet #
  AX(config-if:ethernetx)# ip nat inside
On the outside interfaces:
WebUI: Config > Service > IP Source NAT > Interface
CLI:
  AX(config)# interface ethernet #
  AX(config-if:ethernetx)# ip nat outside
WebUI: Config > Service > IP Source NAT > Static NAT
CLI:
  AX(config)# ip nat inside source static [original-IP] [NAT-IP]
WebUI: Config > Service > IP Source NAT > NAT Range
CLI:
  AX(config)# ip nat range-list []
On the inside interfaces:
WebUI: Config > Service > IP Source NAT > Interface
CLI:
  AX(config)# interface ethernet #
  AX(config-if:ethernetx)# ip nat inside
On the outside interfaces:
WebUI: Config > Service > IP Source NAT > Interface
CLI:
  AX(config)# interface ethernet #
  AX(config-if:ethernetx)# ip nat outside
WebUI: Config > Service > IP Source NAT > Global
CLI:
  AX(config)# ip nat allow-static-host
Summary
And also:
Module objectives
Understand the FTP, HTTP and HTTPS protocols
Understand the load balancing specifics of each
Configure FTP, HTTP and HTTPS VIPs
Module 4 Lesson1
FTP protocol
FTP protocol
File Transfer Protocol (FTP) is defined in RFC 959 (http://www.w3.org/Protocols/rfc959/)
FTP is an unencrypted TCP protocol used to transfer files between clients and servers
FTP uses 2 connections: a control connection and a data connection
FTP protocol
Important Notes:
FTP protocol
Active mode: in the control session, the client tells the server what IP address and TCP port to use to establish the data connection. The server establishes the data connection to the client, and the data requested in the control session is exchanged.
FTP protocol
Passive mode: in the control session, the server tells the client what IP address and TCP port to use to establish the data connection. The client establishes the data connection to the server, and the data requested in the control session is exchanged.
Active Mode - Data session established from the server IP@ (not the VIP IP@)
Passive Mode - Data session established to the server IP@ (not the VIP IP@)
Active Mode - Data session established from the server IP@ (not VIP IP@)
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N ftp
Passive Mode - Data session established to the server IP@ (not the VIP IP@)
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N ftp
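The reason the virtual port must be of service type ftp is that the addresses exchanged on the control channel name the real server, not the VIP: in passive mode the 227 reply carries the server's own IP and port, and in active mode the PORT command tells the server where to open a connection from its own address. The Python below is an added example, not A10 code: it decodes both formats, rewrites a 227 reply so the client connects to the VIP, and states the source translation an active-mode data flow needs. The sample messages, the server IP 10.0.2.11 and the VIP 10.0.2.100 are constructed.

```python
import re

# Constructed sample messages (not captured traffic)
PASV_REPLY = "227 Entering Passive Mode (10,0,2,11,195,80).\r\n"
PORT_CMD = "PORT 192,168,1,50,4,1\r\n"

# h1,h2,h3,h4,p1,p2 as used by PORT (RFC 959 section 4.1.2) and by the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from a PORT command or a 227 reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(v > 255 for v in octets):
        raise ValueError("octet out of range in: %r" % text)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: 'a.b.c.d', port -> 'a,b,c,d,p1,p2'."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def rewrite_pasv_reply(reply, server_ip, vip):
    """Passive mode: the server announces its own address, so the load balancer
    replaces it with the VIP before the reply reaches the client. The port is
    kept; the client's data connection to the VIP is then NATted to server_ip."""
    ip, port = decode_hostport(reply)
    if ip != server_ip:
        return reply  # not an address we front; leave the reply untouched
    return reply.replace(encode_hostport(ip, port), encode_hostport(vip, port))


def active_data_flow(port_cmd, server_ip, vip):
    """Active mode: the server opens the data connection from server_ip to the
    address in PORT; the load balancer must source-NAT that flow so the client
    sees it coming from the VIP. Returns the expected translation."""
    client_ip, client_port = decode_hostport(port_cmd)
    return {
        "server_opens_to": (client_ip, client_port),
        "translate_source": (server_ip, vip),
    }
```

Without this rewriting a passive-mode client would try to connect to 10.0.2.11 directly, which in one-arm or routed deployments is either unreachable or bypasses the VIP entirely.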
Lab3b (optional) Create FTP health monitor and use least connection algorithm
In this lab, you will configure an FTP VIP health monitor and the least connection algorithm
Module 4 Lesson2
HTTP protocol
HTTP protocol
HTTP is defined in RFC 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80)
HTTP requests
HTTP responses
Load balancers don't need a specific configuration for basic HTTP load balancing: any L4 SLB VIP works for HTTP services
However, advanced load balancers provide techniques for improving HTTP services
Port: TCP port
Method: GET, HEAD or POST
URL
User + Password: for web sites that require authentication
Expect: server response code or server text
Maintenance Code: to automatically mark the server in maintenance rather than down (so users with persistence to that server remain on that server)
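An added example (Python, not A10 code) of how these fields drive the check: it builds the probe request, with Basic authentication when a user is set, and classifies a server response as UP, DOWN or MAINTENANCE. The responses are constructed strings and the class is a model, not the AX's own probe implementation.

```python
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass
class HttpMonitor:
    port: int = 80
    method: str = "GET"                     # GET, HEAD or POST
    url: str = "/"
    user: Optional[str] = None
    password: Optional[str] = None
    expect_code: Optional[str] = "200"      # expected status code, or None
    expect_text: Optional[str] = None       # text that must appear in the body
    maintenance_code: Optional[str] = None  # e.g. "503": maintenance, not down

    def build_request(self, host):
        """The probe the monitor sends on each interval."""
        if self.method not in ("GET", "HEAD", "POST"):
            raise ValueError("unsupported method %s" % self.method)
        lines = ["%s %s HTTP/1.1" % (self.method, self.url), "Host: %s" % host]
        if self.user is not None:
            cred = "%s:%s" % (self.user, self.password or "")
            lines.append("Authorization: Basic " + base64.b64encode(cred.encode()).decode())
        if self.method == "POST":
            lines.append("Content-Length: 0")
        lines.append("Connection: close")
        return "\r\n".join(lines) + "\r\n\r\n"

    def evaluate(self, raw_response):
        """Classify a raw HTTP response as UP, DOWN or MAINTENANCE."""
        head, _, body = raw_response.partition("\r\n\r\n")
        status_line = head.split("\r\n", 1)[0]
        parts = status_line.split(" ", 2)
        if len(parts) < 2 or not parts[0].startswith("HTTP/"):
            return "DOWN"                   # not an HTTP response at all
        code = parts[1]
        # The maintenance code wins: the server stays usable for persisted clients
        if self.maintenance_code is not None and code == self.maintenance_code:
            return "MAINTENANCE"
        if self.expect_code is not None and code != self.expect_code:
            return "DOWN"
        if self.expect_text is not None and self.expect_text not in body:
            return "DOWN"
        return "UP"


# Constructed responses, not captured from a real server
OK_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>healthy</html>"
MAINT_RESPONSE = "HTTP/1.1 503 Service Unavailable\r\n\r\nmaintenance"
WRONG_BODY = "HTTP/1.1 200 OK\r\n\r\n<html>error page with status 200</html>"
```

The expect_text check is what catches servers that answer 200 with an error page; a status-code-only monitor would keep sending traffic to them. Note that Basic credentials in a probe travel in the clear over an HTTP monitor, so use a dedicated low-privilege account.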
AX offers advanced flexibility options for web applications
These options are available via HTTP templates
HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
URL hashing: load balancing among servers is done based on a hash of the URL (beginning or end of the URL). This option is usually used for web cache load balancing.
URL/Host switching: selection of servers is done based on the Host header or the URL (beginning or end). This option is also usually used for web cache load balancing.
Header insertion/removal: allows the AX to insert or remove a client request header (such as "Accept-Encoding") or a server response header (such as "Cache-Control"). This option is usually used to centrally change web server behavior without changing the web servers' configuration.
Per-request load balancing: allows HTTP/HTTPS load balancing per request (instead of per session). This option is usually used when the load among the servers is unequal.
AX offers advanced security options for web applications
These options are available via HTTP templates
HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
Note: some of the following options can be considered availability and flexibility options too.
URL failover
"On HTTP 5xx code for each request": the client request is resent to a new server
"On HTTP 5xx code": the client request is resent to a new server, and the server that replied with the 5xx is not used for new requests for 30 seconds
"#": number of servers that can be tried
Logging: generates logs when this event happens (not available in the WebUI in AX 2.4.2)
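An added example (Python, not A10 code) of the two URL failover behaviours above: on a 5xx the request is retried on another server up to the "#" limit, and in the second mode the failing server is also kept out of new requests for 30 seconds. The send callback stands in for the real server; server names and answers are constructed.

```python
class UrlFailover:
    """Model of the URL failover option on an HTTP virtual port.

    mode "per-request": retry on 5xx; nothing is remembered about the server.
    mode "global": retry on 5xx and keep the failing server out of new requests
    for `quarantine` seconds (30 s on the AX).
    max_tries is the "#" option: how many servers may be tried for one request.
    """

    def __init__(self, servers, max_tries=2, mode="per-request", quarantine=30):
        if mode not in ("per-request", "global"):
            raise ValueError("unknown mode %s" % mode)
        self.servers = list(servers)
        self.max_tries = max_tries
        self.mode = mode
        self.quarantine = quarantine
        self.quarantined_until = {}   # server -> time it becomes usable again
        self.log = []                 # what the "Logging" option would emit

    def candidates(self, now):
        # Servers not currently quarantined, in configured order, capped at "#"
        usable = [s for s in self.servers if self.quarantined_until.get(s, 0) <= now]
        return usable[: self.max_tries]

    def handle(self, request, send, now):
        """send(server, request) -> status code. Returns (status, servers tried)."""
        tried = []
        status = 503  # returned when no server could be tried or all failed
        for server in self.candidates(now):
            status = send(server, request)
            tried.append((server, status))
            if status < 500:
                return status, tried
            self.log.append((now, server, request, status))
            if self.mode == "global":
                self.quarantined_until[server] = now + self.quarantine
        return status, tried
```

The per-request mode only makes sense for idempotent requests: a POST that reached the first server and failed with a 5xx may have been partially processed before it is replayed elsewhere.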
In this lab, you will configure an HTTP VIP with an HTTP health monitor
In this lab, you will configure an HTTP VIP with URL switching
In this lab, you will configure an HTTP VIP with response header insertion
Lab4d - (optional) Redirect clients to backup site when all servers are down
In this lab, you will configure an HTTP VIP with URL failover
Module 4 Lesson3
HTTPS protocol
HTTPS protocol
HTTPS (HTTP over TLS) is defined in RFC 2818 (http://www.ietf.org/rfc/rfc2818.txt)
HTTPS is the "secured" version of HTTP (usually on port 443)
HTTPS offers:
TLS/SSL is based on public certificates and private keys
Certificates are issued and signed by a Certificate Authority (CA)
HTTPS clients first request the server's public certificate and validate it against their list of trusted CAs
When the server certificate is validated (name, date, etc.), the client sends its HTTP requests
Once the server is trusted, the client and server negotiate a "session key" to encrypt the traffic
The session key is negotiated via an asymmetric encryption protocol using long keys (usually 2048 bits)
Once the session key is negotiated, the HTTPS client requests and server responses are sent encrypted
Note: if the client establishes a new TCP session before the session key expires, it proposes to the server to reuse it (SSL session ID reuse). The server can accept or refuse; if refused, a new session key is negotiated.
Load balancers don't need a specific configuration for HTTPS load balancing: any L4 SLB VIP works for HTTPS services
However, advanced load balancers provide techniques to improve HTTPS services
AX offers advanced flexibility, performance and security options for HTTPS applications
These options are available via HTTP templates
HTTP templates are associated with virtual server ports of type "HTTP" or "HTTPS"
Public certificate that will be presented to clients
Private key (and its passphrase)
SSL ciphers supported ("encryption algorithms")
(optional) Client certificate request
WebUI: Config > Service > SSL Management > Certificate
CLI:
  AX(config)# import ssl-cert <name>
  AX(config)# import ssl-key <name>
WebUI: Config > Service > Template > SSL > Client SSL
CLI:
  AX(config)# slb template client-ssl <name> []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N https
  AX(config-slb vserver-vport)# template client-ssl <name>
SSL ciphers supported ("encryption algorithms")
(optional) CA that will be used to validate the servers' certificate
WebUI: Config > Service > SSL Management > Certificate
CLI:
  AX(config)# import ssl-cert <name>
WebUI: Config > Service > Template > SSL > Server SSL
CLI:
  AX(config)# slb template server-ssl <name> []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N https
  AX(config-slb vserver-vport)# template server-ssl <name>
SSL statistics
In this lab, you will configure an HTTPS VIP using HTTPS servers
In this lab, you will configure an HTTPS VIP using HTTP servers
In this lab, you will configure an HTTPS VIP and an HTTP VIP that will redirect traffic to HTTPS
Summary
And also:
AX Acceleration
Module 5
Module objectives
Connection reuse
Note: web browsers keep their TCP connections open even after all objects have been loaded
Connection reuse
Connection reuse offloads the server TCP stack
This option provides faster server response time and higher server scalability
Connection reuse
WebUI: Config > Service > Template > Connection Reuse
CLI:
  AX(config)# slb template connection-reuse <name> []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N http
  AX(config-slb vserver-vport)# template connection-reuse <name>
Note: IP source NAT must also be configured on the virtual server port
SSL offload
SSL offload relieves the servers of SSL tasks
This option provides faster server response time and higher server scalability
The AX receives HTTPS client traffic and sends HTTP traffic to the servers
SSL offload
HTTP compression
Compresses HTTP/HTTPS objects
Uses less bandwidth and provides faster client download time
HTTP compression
WebUI: Config > Service > Template > Application > HTTP
CLI:
  AX(config)# slb template http <name> []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N http
  AX(config-slb vserver-vport)# template http <name>
WebUI: Config > Service > SLB > Global
CLI:
  AX(config)# slb hw-compression
HTTP compression
RAM Caching
Caches HTTP/HTTPS static and dynamic content in AX RAM
Delivers cached objects to clients directly from the AX cache, offloading the servers from these requests
Provides faster client download time and higher server scalability
RAM Caching
AX RAM Caching caches responses with the following status codes:
200 OK
203 Non-Authoritative Information
300 Multiple Choices
301 Moved Permanently
302 Found (only if an Expires header is also present)
410 Gone
RAM Caching
RAM Caching
WebUI: Config > Service > Template > Application > RAM Caching
CLI:
  AX(config)# slb template cache <name>
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N http
  AX(config-slb vserver-vport)# template cache <name>
RAM Caching
Cacheability rules determine what is cacheable and what is not:
What is to be cached?
How long is the cached content valid?
Invalidation rules determine the trigger that would cause the response to change:
The URL matches a specific pattern
Specific query parameters are present
Specific cookies are present in the request
Specific HTTP headers are present in the request
RAM Caching
Example: the response to a login page
Example: a confirmation number for a transaction that was just executed
Example: the portfolio page of a brokerage account user changes when the user executes transactions
Example: the response contains personalized settings, such as the user name, but no query parameter or cookie directly identifies the user
RAM Caching
policy <condition> <action>
Where:
  <condition> is of the form: uri <pattern>
  <action> is: cache <seconds>, no-cache, or invalidate <entry>
Note: more sophisticated conditions will be supported in the future using aFleX policies
RAM Caching
Example application with four request types:
lists all items from the database
adds an item to the database
deletes an item from the database
private info for the user
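An added example (Python, not A10 code) that puts the cacheable status codes, the cacheability/invalidation rules and the policy syntax of the previous slides together for the four request types above. It assumes the URIs /items, /items/add, /items/delete and /account, which the slide does not give, assumes "uri <pattern>" is a prefix match with the first matching rule winning, and treats 302 as cacheable only when an Expires header is present.

```python
CACHEABLE_STATUS = {200, 203, 300, 301, 410}   # 302 only with an Expires header


def parse_policy(lines):
    """Parse 'policy uri <pattern> cache <seconds> | no-cache | invalidate <entry>'."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "policy" or parts[1] != "uri":
            raise ValueError("bad policy line: %r" % line)
        pattern, action = parts[2], parts[3]
        if action == "cache" and len(parts) == 5:
            rules.append((pattern, "cache", int(parts[4])))
        elif action == "no-cache" and len(parts) == 4:
            rules.append((pattern, "no-cache", None))
        elif action == "invalidate" and len(parts) == 5:
            rules.append((pattern, "invalidate", parts[4]))
        else:
            raise ValueError("bad action in: %r" % line)
    return rules


class RamCache:
    def __init__(self, rules):
        self.rules = rules
        self.store = {}          # uri -> (body, expiry time)

    def match(self, uri):
        # ASSUMPTION: prefix match, first matching rule wins (put specific rules first)
        for pattern, action, arg in self.rules:
            if uri.startswith(pattern):
                return action, arg
        return None, None

    def on_request(self, uri, now):
        """Called before forwarding; returns a cached body or None (go to the server)."""
        action, arg = self.match(uri)
        if action == "invalidate":
            # A write request: drop every cached entry under the named prefix
            for key in [k for k in self.store if k.startswith(arg)]:
                del self.store[key]
            return None
        if action != "cache":
            return None            # no-cache or no rule: always ask the server
        entry = self.store.get(uri)
        if entry is None:
            return None
        body, expires = entry
        if expires <= now:
            del self.store[uri]    # stale entry
            return None
        return body

    def on_response(self, uri, status, headers, body, now):
        """Called with the server response; returns True if it was stored."""
        action, ttl = self.match(uri)
        if action != "cache":
            return False
        if status not in CACHEABLE_STATUS and not (status == 302 and "Expires" in headers):
            return False
        self.store[uri] = (body, now + ttl)
        return True


# Constructed policy for the four request types above (URIs are assumed)
POLICY = parse_policy([
    "policy uri /items/add invalidate /items",
    "policy uri /items/delete invalidate /items",
    "policy uri /items cache 60",
    "policy uri /account no-cache",
])
```

The no-cache rule on /account is the security-relevant one: without it a per-user page would be served to the next client requesting the same URI, which is the leak described in the last example above.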
RAM Caching
In this lab, you will update HTTP "vip2" to use connection reuse
In this lab, you will update HTTP "vip2" to use HTTP compression
In this lab, you will update HTTP "vip2" to use RAM Caching
Summary
AX Security
Module 6
Module objectives
Configure HA on AX devices
Some advanced HTTP/HTTPS security options are detailed in Module 4 (HTTP templates)
This module (Module 6) presents other advanced AX security options
Note: aFleX (covered in Module 7) can also be considered a security option
DDoS protection
DDoS configuration
DDoS protection
Policy-based SLB
Policy-based SLB (PBSLB) allows "black lists" and "white lists" of individual clients or subnets
PBSLB denies client traffic based on:
Policy-based SLB
PBSLB specifics
Up to 8 M IP addresses
Up to 64 K IP subnets
Up to 32 group IDs
Black/white lists are stored in hash tables
Can process Gbps of traffic
The AX can update its black/white lists automatically at specific intervals via TFTP
PBSLB components
Policy-based SLB
PBSLB configuration
WebUI (creation or import): Config > Service > PBSLB
CLI (import):
  AX(config)# import bw-list []
WebUI: Config > Service > Template > PBSLB Policy
CLI:
  AX(config)# slb template policy <name> []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N <type>
  AX(config-slb vserver-vport)# template policy <name>
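An added example (Python, not A10 code) of the two PBSLB components: a black/white list that maps addresses and subnets to group IDs, kept in one hash table per prefix length so a lookup is a handful of dictionary probes rather than a scan of the list, and a policy template that maps group IDs to an action. The list file format (one "<ip-or-cidr> <group-id>" per line, # comments) and the action names are assumptions for the example; the AX import format is not shown on the slide.

```python
import ipaddress


class BwList:
    """Black/white list: longest-prefix lookup over hash tables keyed by prefix length."""

    def __init__(self):
        self.by_prefix = {}   # prefix length -> {network: group id}

    def add(self, cidr, group_id):
        net = ipaddress.ip_network(cidr, strict=False)
        self.by_prefix.setdefault(net.prefixlen, {})[net] = group_id

    def group_of(self, ip):
        """Group ID of the most specific matching entry, or None."""
        addr = ipaddress.ip_address(ip)
        for plen in sorted(self.by_prefix, reverse=True):   # longest match first
            if plen > addr.max_prefixlen:
                continue                                    # v6-only prefix length
            net = ipaddress.ip_network("%s/%d" % (addr, plen), strict=False)
            gid = self.by_prefix[plen].get(net)
            if gid is not None:
                return gid
        return None


def parse_bw_list(text):
    """ASSUMED format: '<ip-or-cidr> <group-id>' per line, '#' starts a comment."""
    bw = BwList()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cidr, gid = line.split()
        bw.add(cidr, int(gid))
    return bw


class PolicyTemplate:
    """'slb template policy': what to do with each group ID (names assumed)."""

    def __init__(self, actions, default="permit"):
        self.actions = actions      # group id -> "permit" | "drop" | "reset"
        self.default = default      # unlisted clients and unknown groups

    def decide(self, bw, client_ip):
        gid = bw.group_of(client_ip)
        return self.actions.get(gid, self.default), gid


# Constructed list, not a real AX bw-list file
SAMPLE_LIST = """
203.0.113.0/24 1     # scanner range -> group 1
203.0.113.7 2        # one host inside that range is allowed -> group 2
198.51.100.0/22 3    # partner range -> group 3
2001:db8::/32 1
"""
```

Because the lookup is longest-prefix, a /32 white-list entry can carve one host out of a black-listed /24 without splitting the block into smaller entries, which keeps the list within the subnet limit quoted above.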
PBSLB statistics
Policy-based SLB
AX supports standard and extended Access Control Lists (ACLs)
ACLs can be applied to data interfaces, the management interface, and virtual server ports
Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
IPv4 and IPv6 ACLs are supported
ACL components
ACL configuration
ACL configuration
Data interface:
WebUI: Config > Network > Interfaces > LAN
CLI:
  AX(config)# interface ethernet 1
  AX(config-if:ethernet1)# access-list <num> in
Management interface (CLI only):
  AX(config)# interface management
  AX(config-if:ethernet1)# access-list <num> in
Virtual server port:
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N <type>
  AX(config-slb vserver-vport)# access-list <name>
ACL statistics
Management security
Active-Standby Mode
Active-Standby Failover
Active-Active Mode
Active-Active Failover
High Availability
Active-Standby, Active-Active and L3 Hot Standby modes Active-Standby and Active-Active modes and L3 Hot Standby modes L2 Hot Standby mode Active-Standby, Active-Active and L3 Hot Standby modes
High Availability
Identifier (AX1 = 1, AX2 = 2)
HA status: enabled
(optional) HA mirroring IP address: remote AX sync interface
(optional) Preempt: fail over to the higher-priority AX when it becomes available
Group1 with priority 200 on AX1 (priority 100 on AX2)
Floating VIP for Group1: IP addresses defined as the servers' gateway (VRRP-like)
(optional) IP address and VLAN check
Note: the checked IP addresses also have to be defined as SLB servers
High Availability
In IP Source NAT, associate the HA Group with IPv4 Pools, IPv6 Pools, NAT Ranges, or Static NAT.
High Availability
Step 2:
Group1 with priority 200 on AX1 (priority 100 on AX2)
Group2 with priority 100 on AX1 (priority 200 on AX2)
Associate Group1 with half of the VIPs and Group2 with the second half
Associate Group1 with the NAT pools used by the VIPs in Group1, and Group2 with the NAT pools used by the VIPs in Group2
Step 3:
Step 4:
High Availability
High Availability
WebUI: Config > HA > Setting > HA Global
CLI:
  AX(config)# ha interface []
Active-Standby or Active-Active modes:
WebUI: Config > HA > Setting > HA Global
CLI:
  AX(config)# ha []
Note: if the IP address check is configured, define these IP addresses as SLB servers too.
L2/L3 modes:
WebUI: Config > HA > Setting > HA Inline Mode
CLI:
  AX(config)# ha [inline-mode | l3inline-mode]
High Availability
WebUI: Config > Service > SLB > Virtual Server
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# ha-group <num>
WebUI: Config > Service > SLB > IP Source NAT
CLI:
  AX(config)# ip nat []
High Availability
Configuration synchronization
High Availability
HA status
High Availability
HA statistics
In this lab, you will configure HA Active/Standby mode with your neighbor
An interlink has been added on the AXs (on ether3). AX1 is connected to AX2, AX3 to AX4, etc.
Note: the trainer will show you how to configure the ether3 interface.
HA config sync will erase the configuration of the standby AX. Back up your configuration to be able to do the following labs after this one.
Note: the trainer will show you how to back up your AXs.
The servers' default gateway is changed to the AX floating VIP.
In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
a. Configure the inter-AX connection
   i. Create VLAN 100 called "AX-HA" with interface "e3" untagged and Virtual Ethernet (VE) interface "100"
   ii. Configure VE "100" with IP address "10.0.3.1/255.255.255.252"
   iii. Enable interface "e3"
b. Enable HA for interfaces "e1" + "e2" + "e3"
c. Enable HA global settings
   i. Identifier "1", Set-ID "group-pair" (AX1=1, AX3=2, AX5=3, etc.)
   ii. HA mirroring IP = "10.0.3.2" (secondary AX, e3)
   iii. Group1 with priority 200
   iv. Floating IP = "10.0.2.x" (AX1=10.0.2.10, AX3=10.0.2.30, etc.)
d. Configure VIP HA for "vip1" + "vip2" + "snat-pool1"
   i. Associate HA group "1" with both VIPs and the SNAT pool
   ii. Enable HA connection mirroring on "vip1" ports "21" + "80"
e. Save your config
In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
a. Configure the inter-AX connection
   i. Create VLAN 100 called "AX-HA" with interface "e3" untagged and VE "100"
   ii. Configure VE "100" with IP address "10.0.3.2/255.255.255.252"
   iii. Enable interface "e3"
b. Enable HA for interfaces "e1" + "e2" + "e3"
c. Enable HA global settings
   i. Identifier "2", Set-ID "group-pair" (AX2=1, AX4=2, AX6=3, etc.)
   ii. HA mirroring IP = "10.0.3.1" (primary AX, e3)
   iii. Group1 with priority 100
   iv. Floating IP = "10.0.2.x" (AX2=10.0.2.10, AX4=10.0.2.30, etc.; the servers' default gateway)
d. Save your config
In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
a. Be sure you saved your config on both AXs before you start the config sync
b. Sync the configuration from the primary AX ("all") to the secondary AX ("startup-config + reload")
In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
Summary
Module objectives
Module 7 Lesson1
AX Flexibility
Some advanced HTTP/HTTPS flexibility options already have been detailed in Module 4 (HTTP Templates) This module (Module 7) presents other advanced AX flexibility options
Cookie persistence
Cookie persistence
Name
(optional) Expiration
(optional) Cookie name
(optional) Domain
(optional) Path
(optional) Match type
(optional) Insert Always
(optional) Don't Honor Conn Rules
Cookie persistence
WebUI: Config > Service > Template > Persistent > Cookie Persistence
CLI:
  AX(config)# slb template persist cookie <name> []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI:
  AX(config)# slb virtual-server <name>
  AX(config-slb vserver)# port N tcp
  AX(config-slb vserver-vport)# template persist cookie <name>
aFleX
What is aFleX?
Standard Tcl commands
Special set of extensions provided by the AX:
Content inspection (headers / data)
Actions on traffic: block traffic, redirect traffic to a specific service group (pool) or server (node), modify traffic content
aFleX
aFleX scripts are event-driven: the AX system runs the aFleX script whenever the corresponding event occurs. Examples:
HTTP_REQUEST is triggered when an HTTP request is received
CLIENT_ACCEPTED is triggered when a client has established a connection
Standard Tcl operators
Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators: not, and, or
aFleX
aFleX commands are used to query for data, manipulate data, or specify a traffic destination. They fall into three main categories:
Statement commands. Example: "pool <name>" directs traffic to the named load balancing pool
Commands that query or manipulate data. Examples: "IP::remote_addr" returns the remote IP address of a connection; "HTTP::header remove <name>" removes the last occurrence of the named header from a request or response
Utility commands, useful for parsing and manipulating content. Example: "decode_uri <string>" decodes the named string using HTTP URI encoding and returns the result
aFleX
aFleX configuration
Using the CLI: write the aFleX script with any text editor and save it as a file. Use the "import aflex" command to import the aFleX file from the computer to the AX. Syntax check from the CLI: "aflex check <name>".
Using the WebUI: with the AX web interface, users can type in aFleX scripts directly and save them on the AX under "Config > Service > aFleX".
Using the aFleX Editor: the aFleX editor can download/upload aFleX scripts from/to the AX and can do syntax checking. As an editor, it also has syntax highlighting, keyword autocompletion, etc.
aFleX
aFleX statistics
aFleX
aFleX examples
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/finance" } {
        pool finance_pool
    } elseif { [HTTP::uri] starts_with "/dev" } {
        pool dev_pool
    }
}
Lab9a - Block HTTP access to directory /private from your IP address on "vip2" port "80"
Event is "HTTP_REQUEST"
Tests are:
    [IP::addr [IP::client_addr] equals x.x.x.x]
    [HTTP::uri] starts_with "/private"
Action is: drop
Lab9a - Block HTTP access to directory /private from your IP address on "vip2" port "80"
Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Create the HTTP + HTTPS VIP
Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Redirect HTTP clients
In this lab, you will create the HTTP + HTTPS VIP (cont.)
7. Create aFleX script "aFleX-9b-80" to transparently redirect the HTTP clients to HTTPS (for instance clients that use old bookmarks)
Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Redirect HTTP clients
In this lab, you will create the HTTP + HTTPS VIP (cont.)
9. Request the page "http://intranet.abc.com/" and validate that you are redirected to "https://intranet.abc.com/"
10. Request the page "http://intranet.abc.com/index.html" and validate that you are redirected to "https://intranet.abc.com/index.html"
Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Rewrite server redirect
(optional) In this lab, you will configure an aFleX rule to transparently rewrite the redirects from the server
1. If pages contain redirections, create aFleX script "aFleX-9b443" to rewrite the server redirects from "http://intranet.abc.com/*" to "https://intranet.abc.com/*"
Event is "HTTP_RESPONSE"
Test is: [HTTP::header Location] contains "http://intranet.abc.com"
Action is:
    regsub "http://intranet.abc.com" [HTTP::header Location] "https://intranet.abc.com" new_location
    HTTP::header replace Location $new_location
2. Associate updated aFleX "aFleX-9b-443" with Virtual Server "vip3" port "443" 3. Request the page https://intranet.abc.com/redirect.html and verify the redirection
Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Rewrite absolute links
(optional) In this lab, you will configure an aFleX rule to transparently rewrite absolute links
1. If pages contain absolute links, expand aFleX script "aFleX-9b-443" to rewrite absolute links from "http://intranet.abc.com" to "https://intranet.abc.com"
aFleX rule is:
when HTTP_REQUEST {
    # Ask the server for an uncompressed body so the payload can be rewritten
    HTTP::header remove Accept-Encoding
}
when HTTP_RESPONSE {
    if { [HTTP::header exists "Location"] } {
        if { [HTTP::header "Location"] starts_with "http://intranet.abc.com" } {
            regsub "http://intranet.abc.com" [HTTP::header Location] "https://intranet.abc.com" new_location
            HTTP::header replace Location $new_location
        }
    }
    # Buffer text responses so HTTP_RESPONSE_DATA can rewrite the body
    if { [HTTP::header "Content-Type"] starts_with "text" } {
        HTTP::collect
    }
}
Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Rewrite absolute links
(optional) In this lab, you will configure an aFleX rule to transparently rewrite absolute links (cont)
when HTTP_RESPONSE_DATA {
    if { [HTTP::header "Content-Type"] contains "text" } {
        set payload_length [HTTP::payload length]
        regsub -all "http://intranet.abc.com" [HTTP::payload] "https://intranet.abc.com" new_payload
        HTTP::payload replace 0 $payload_length $new_payload
        HTTP::release
    }
}
2. Associate aFleX "aFleX-9b-443" with Virtual Server "vip3" port "443" 3. Access page https://intranet.abc.com/absolute.html and check the link
Module 7 Lesson2
Flexible Traffic ASIC (FTA): distributes traffic across the L4-7 CPUs, efficient network I/O, DDoS protection
Linux on the control plane
All application delivery traffic handled by ACOS
Efficient use of memory: no duplicate data
Processing Efficiency
Zero locking, zero buffer copy, zero IPC, zero scheduling, zero interrupt
Data is not replicated, multiple copies of data are not needed, more total memory available
Low latency packet processing, optimized drivers, Flexible Traffic ASIC, low overhead
Legacy approach
The AX Series eliminates IPC and maximizes performance
Data required by all CPUs is processed in the same location without notification of, or reliance on, other CPUs
Accurate real-time decision criteria, e.g. rate limiting, connection limit, max TCP connections, server selection, tracked global variables used for decisions, or any shared data set
Maximizes memory: no redundant copies of information per core, so more total system memory
Shared Memory
PBSLB list uses 64 MB of RAM, total AX memory usage = 64 MB RAM
Cached objects, 10 x 0.5 MB, total AX memory usage = 5 MB
Total 69 MB of RAM used
Multiple copies of each item kept in each core's memory, for example 32 cores:
PBSLB list uses 64 MB of RAM per core, total memory usage = 2048 MB RAM
Cached objects, 10 x 0.5 MB per core, total memory usage = 160 MB
Total 2208 MB of RAM used
207
208
Summary
And also configured them on the AX. We also presented the ACOS architecture.
209
210
Module objectives
Understand the different types of AX management access
Understand the AX configuration components and how to backup/restore AX configuration
Understand the AX software components and how to upgrade/downgrade AX
Understand VLAN on AX
Learn initial AX configuration
Learn troubleshooting techniques and tools
Understand AX Release Process and how to contact AX support
211
AX management access
CLI
Web
212
AX configuration components
AX configuration components
213
AX configuration components
Backup:
WebUI: Configuration > System > Maintenance > Backup > System
CLI: AX(config)# backup config []
Restore:
WebUI: Configuration > System > Maintenance > Restore > System
CLI: AX(config)# restore []
Note: Supported upload protocols: FTP, SCP, RCP, TFTP, and HTTPS (via WebUI)
214
AX software management
AX software is stored on
Second partition is designed for easy software rollback
CF is designed for emergency recovery
215
AX software management
(covered on previous slide)
Show the current boot image:
WebUI: Monitor > Overview > Summary > System Information
CLI: AX# show bootimage
Upgrade:
WebUI: Configuration > System > Maintenance > Upgrade
CLI: AX(config)# upgrade []
Write configuration to a partition (CLI only): AX# write memory [primary|secondary]
Select the boot image:
WebUI: Configuration > System > Settings > Boot
CLI: AX(config)# bootimage hd [primary|secondary]
Reboot:
WebUI: Configuration > System > Settings > Action > Reboot
CLI: AX# reboot
216
VLAN
VLAN allows AX to
217
VLAN
218
VLAN
VLAN ID
Physical interfaces, tagged and untagged
(optional) VLAN Name
(optional) Virtual Interface IP address / Netmask
(optional) all ethernet options such as ACL, secondary IP address
219
VLAN
VLAN configuration
VLAN:
WebUI: Config > Network > VLAN
CLI: AX(config)# vlan []
Virtual interface:
WebUI: Config > Network > Interface > Virtual
CLI: AX(config)# interface ve []
220
VLAN
Important Point
221
Default user/password: admin/a10
Configure the management interface and its default gateway
Finish the AX configuration via CLI (ssh) or WebUI (https)
Configure production interfaces (vlan, ethernet/ve interfaces)
Enable production interfaces
(optional) Configure routing (static/dynamic)
(optional) Configure specific management rights
Configure Servers / Service Groups / Virtual Servers etc
222
AX login: admin
Password:
[type ? for help]
AX>en
Password:
AX#conf
AX(config)#in
AX(config)#interface m
AX(config)#interface management
AX(config-if:management)#ip address 172.31.31.11 /24
AX(config-if:management)#ip default-gateway 172.31.31.1
AX(config-if:management)#exit
AX(config)#exit
223
Troubleshooting methodology
AX# show arp + AX# show mac-address-table
AX# show ip fib + AX# show ip route
Check for connection errors
Check for application specific errors
224
Troubleshooting tools
Port/Interface up/down messages
L2 loop detection warnings
Unicast/Multicast/Broadcast packet limit warnings
MAC address movement warnings
Duplicate IP warnings
Server & service port up/down messages
Application specific error messages: SLB, PBSLB, HTTP, HA, etc.
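The message types listed above are the ones worth triaging first when the AX log is large: an interface that flaps repeatedly, a MAC address that keeps moving between ports (a classic symptom of an L2 loop or a duplicated host), a duplicate IP, and servers going down. The script below is an added example, not course or A10 material: the log lines in it are constructed for illustration and do not reproduce the AX's real message format, so the regular expressions would have to be adapted to the actual log before use.

```python
"""Added example: triage of the log message kinds a troubleshooting session
starts from. SAMPLE_LOG and the PATTERNS are constructed for illustration,
not A10's actual log format."""
import re
from collections import Counter

# Constructed sample lines (not A10 format).
SAMPLE_LOG = """\
Jan 10 10:00:01 AX notice: Interface ethernet 3 is down
Jan 10 10:00:03 AX notice: Interface ethernet 3 is up
Jan 10 10:00:09 AX notice: Interface ethernet 3 is down
Jan 10 10:00:12 AX notice: Interface ethernet 3 is up
Jan 10 10:01:00 AX warning: MAC 00:11:22:33:44:55 moved from ethernet 1 to ethernet 2
Jan 10 10:01:05 AX warning: MAC 00:11:22:33:44:55 moved from ethernet 2 to ethernet 1
Jan 10 10:02:00 AX warning: Duplicate IP 10.1.1.10 detected on ethernet 2
Jan 10 10:03:00 AX notice: Server web1 port 80 is down
"""

PATTERNS = {
    "interface": re.compile(r"Interface (\S+ \d+) is (up|down)"),
    "mac_move": re.compile(r"MAC ([0-9a-f:]{17}) moved from (\S+ \d+) to (\S+ \d+)"),
    "duplicate_ip": re.compile(r"Duplicate IP (\S+) detected on (\S+ \d+)"),
    "service_port": re.compile(r"Server (\S+) port (\d+) is (up|down)"),
}


def triage(log_text: str, flap_threshold: int = 3) -> dict:
    """Group the log by event type and flag what needs attention.

    flap_threshold: number of up/down transitions of one interface
    from which it is reported as flapping.
    """
    transitions = Counter()   # interface -> number of up/down transitions
    mac_moves = Counter()     # MAC -> number of port moves
    duplicate_ips = []        # (ip, interface)
    servers_down = []         # (server, port)

    for line in log_text.splitlines():
        if m := PATTERNS["interface"].search(line):
            transitions[m.group(1)] += 1
        elif m := PATTERNS["mac_move"].search(line):
            mac_moves[m.group(1)] += 1
        elif m := PATTERNS["duplicate_ip"].search(line):
            duplicate_ips.append((m.group(1), m.group(2)))
        elif m := PATTERNS["service_port"].search(line):
            if m.group(3) == "down":
                servers_down.append((m.group(1), m.group(2)))

    return {
        "interface_transitions": dict(transitions),
        "flapping_interfaces": sorted(i for i, n in transitions.items()
                                      if n >= flap_threshold),
        "mac_moves": dict(mac_moves),
        # A MAC seen moving more than once points at a loop or a
        # duplicated/spoofed station rather than a one-off host move.
        "repeated_mac_moves": sorted(m for m, n in mac_moves.items() if n >= 2),
        "duplicate_ips": duplicate_ips,
        "servers_down": servers_down,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately low so the sample triggers them; on a real log they would be tuned to the expected churn of the environment, and the duplicate-IP and MAC-move findings cross-checked against show arp and show mac-address-table from the previous slide.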
225
Troubleshooting tools
Debug
AX's WebUI provides a number of report graphs that can help you identify any potential issues
Example: CPU and server/virtual-server load information can help identify time periods when the system was under stress
SNMP clients can query AX for status information
AX can be configured to send SNMP traps to servers/receivers
226
Troubleshooting tools
Debug (cont.)
Define a set of filters for packet capture
Example: interface, IP address, protocol, port number, etc.
Captures application specific debug information
Use this command after defining a filter to display captured packets on screen
Make sure your filter is specific enough to capture only the packets needed for debugging
The CLI may become temporarily unresponsive if a large number of packets are captured to the screen
227
Troubleshooting tools
AXdebug
Show techsupport
Backup log
228
AX Release Process
Major features/enhancements (between 12 - 14 months)
Enhancements (between 6 - 8 months)
Periodic bug fixes and minor enhancements (between 3 - 4 months)
Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)
Emergency patch for a specific customer (2-3 days)
229
AX Release Process
AX releases tests
Release     | Unit         | Functional   | Negative | Stress   | Regression                       | Sys Integration   | Performance | Scalability | Stability | Alpha    | Beta
MAJOR       | New features | New features | Full     | Full     | Manual=full, Automated=full      | Full              | Full        | Full        | 2 weeks   | Full     | Full
Enhancement | New features | New features | Full     | Affected | Manual=affected, Automated=full  | Full              | Affected    | Affected    | 1 week    | Affected | Affected
Minor       | Fixes        | Fixes        | Affected | None     | Manual=affected, Automated=full  | Partial           | Affected    | Affected    | 3 days    | Affected | None
PATCH       | Fixes        | Fixes        | None     | None     | Manual=affected, Automated=full  | Partial as needed | None        | None        | 1 day     | None     | None
230
AX Release Process
Approve
Release
Functional Test
Alpha Test
Test
232
AX Release Process
233
Passionate
234
From North America: 1 888 822 7210 (1-888-TACSA10)
From International: +1 408 325 8676
24 x 7 x 365 Support
Mon-Fri 6AM-11PM PST + Sat, Sun 9AM-6PM PST: A10 support engineers
All other hours: Call center
When needed: escalation to standby engineers, and standby engineers contact customer immediately
Be ready to provide:
Problem description
Showtech (almost always required)
Topology (highly preferred)
Trace
Backup log
235
236
http://a10networks.com/support
A support ticket is auto generated
Auto reply email with a ticket number is sent
What information to provide? Same as by email (see previous slide).
237
* 30 minutes or less
238
Escalation metrics
Level 1
TAC Engineer/ Manager
Level 2 (after 1 hour): Director, Technical Support; TAC Manager; TAC Engineer
Further escalation: Director, Technical Support; VP, Engineering/Sales; TAC Engineer; TAC Manager; Engineer
239
Lab10a Troubleshooting
240
Lab10b Troubleshooting
Group troubleshooting
241
Summary
242