AX Training

Posted: 08-Sep-2014
Category: Documents


Transcript of AX Training

Page 1: AX Training

1

A10 Networks: AX Planning, Deployment and Management Class

Course AX-DSC-001.12

2

Table of Contents

• Module 1: Course Introduction
• Module 2: AX Product Line
• Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
• Module 4: FTP, HTTP and HTTPS Protocols
• Module 5: AX Acceleration
• Module 6: AX Security
• Module 7: AX Power and Flexibility
• Module 8: AX Management and Troubleshooting

3

Course Introduction

Module 1

4

Module objectives

• Understand the course goals
• Understand the objective for the students

5

Goal of this course

• To present the A10 Networks AX product line
• To teach the basic load balancing concepts
• To present FTP, HTTP and HTTPS protocols
• To teach advanced AX load balancing concepts
• To prepare students to install, configure and manage the AX device

6

Course map

• Module 2: AX Product Line
• Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
• Module 4: FTP, HTTP and HTTPS Protocols
• Module 5: AX Acceleration Components
• Module 6: AX Security Components
• Module 7: AX Power and Flexibility
• Module 8: AX Management and Troubleshooting

7

AX Product Line

Module 2

8

Module objectives

• Understand the AX solution / market
• Understand the AX product portfolio
• Understand the feature set
• Understand the licensing

9

AX solution / market: AX – new generation load balancers

• New Generation in Design and Performance

• Single CPU or Multi-CPU with instruction blocking
• Retrofitted Platform
• Limited scalability
• Lower throughput
• Half the performance
• SSL ASIC only

• ACOS designed for multi-core CPUs
• Hardware Accelerated Symmetrical Multiprocessing (SMP)
• Flexible Traffic ASIC, SSL ASIC, Switching and Routing ASIC
• Highest throughput and performance

10

AX solution / market: AX – new generation customer benefits

• Basic LB benefits
  • Share load among multiple servers (load balancing)
  • Provide high availability of services
• New Generation LB benefits
  • Advanced load balancing (ex: based on HTTP request or SIP parameters)
  • Advanced high availability of services (ex: application simulation and testing)
  • Acceleration of services (ex: SSL server offload and HTTP caching)
  • "Securitization" of services (DDoS protection and DNS Security)
  • Advanced Flexibility to allow the administrator to create their own LB rules (using aFleX and aXAPI)

11

AX 32-bit Series Models

The slide positions the models on a price versus overall-performance chart (ascending):

  Model        Throughput   L4 CPS
  AX 1000-11   4 Gbps       153,000
  AX 2200-11   7.4 Gbps     302,000
  AX 3200-11   8.7 Gbps     541,000

12

AX 64-bit Series Models

The slide positions the models on a price versus overall-performance chart (ascending), with the AX 5100 and AX 5200 placed in the "Large Enterprise or Service Provider" range:

  Model        Throughput   L4 CPS
  AX 2500      11 Gbps      300,000
  AX 2600*     19 Gbps      355,000
  AX 3000-11*  30 Gbps      850,000
  AX 5100      40 Gbps      2 Million
  AX 5200      40 Gbps      3 Million

13

AX product line

• 32-bit: AX Series Family – interface and hardware options

                                  AX 1000     AX 2000         AX 2100         AX 2200         AX 3100         AX 3200
  Ethernet Interfaces
    Gigabit Copper                6           8               8               16              16              16
    Gigabit Fiber – SFP Mini GBIC 2           2               4               4               4               4
    10 Gigabit Fiber – SFP+       0           0               0               0               2               2
  Management Interface            Yes         Yes             Yes             Yes             Yes             Yes
  Console Port                    Yes         Yes             Yes             Yes             Yes             Yes
  Storage                         Single      Single          Dual            Dual            Dual            Dual
  Cooling Fan                     Fixed / Hot Swap Smart Fan (not broken out per model on the slide)
  Power Supplies                  250 W RPS   Dual 460 W RPS  Dual 460 W RPS  Dual 600 W RPS  Dual 600 W RPS  Dual 600 W RPS
                                  100 to 240 VAC, Frequency 50-60 Hz
  Hardware Acceleration
    Linear Decoupled Architecture Yes         Yes             Yes             Yes             Yes             Yes
    Flexible Traffic ASIC         No          No              No              Yes             Yes             Yes
    SSL Acceleration ASIC         Yes         Yes             Yes             Yes             Yes             Yes
    Switching and Routing ASIC    No          No              No              Yes             Yes             Yes
    Hardware Compression ASIC     No          No              Option          Option          Option          Option

14

AX product line

• 64-bit: AX Series Family – interface and hardware options

                                  AX 2500    AX 2600               AX 3000          AX 5100    AX 5200
  Model Option Code               -          GC / GF / GCF         GC / GCF         -          -
  Ethernet Interfaces (one value per option code where several apply)
    Gigabit Copper                8          24 / 0 / 16           16 / 8           0          0
    Gigabit Fiber – SFP Mini GBIC 4          0 / 24 / 8            0 / 8            4          4
    10 Gigabit Fiber – SFP+       0          0 / 0 / 0             4 / 4            8          16
  Management Interface            Yes        Yes                   Yes              Yes        Yes
  Console Port                    Yes        Yes                   Yes              Yes        Yes
  Storage                         SSD (all models)
  Cooling Fan                     Hot Swap Smart Fan (all models)
  Dual Power Supplies             400 W RPS  400 W RPS             400 W RPS        900 W RPS  900 W RPS
                                  100 to 240 VAC, Frequency 50-60 Hz
  Hardware Acceleration
    Linear Decoupled Architecture Yes        Yes                   Yes              Yes        Yes
    Flexible Traffic ASIC         No         No                    No               Yes x4     Yes x4
    SSL Acceleration ASIC         Yes        Yes                   Yes              No         No
    Multi-ASIC High Performance SSL  Option  Option                Option           Option     Option
    Switching and Routing ASIC    No         No                    No               Yes        Yes
    Hardware Compression ASIC     Option     Option                Option           Option     Option

15

AX feature set

• Layer 4 and Layer 7 Application Acceleration
  • SSL ASIC
  • RAM caching – static or dynamic
  • HTTP compression
• aFleX L7 TCL scripting for deep packet inspection
• Advanced NAT options
• AX High-Availability
• Firewall LB
• GSLB – Global Server Load Balancing
• DNS Application Layer Firewall
• Operates in Layer 2/Layer 3 simultaneously
• aXAPI REST-based XML API for custom management
• Virtualized management
  • Role-Based and Partition-Based Management
• Seamless Management for Multiple Devices
• IPv4 and IPv6 load balancing and management
• Full web interface or industry standard command line interface

(The slide marks a subset of these features as "Covered in this Training".)

16

AX licensing

• No extra licenses required for performance or features
• Each AX is offered with full scalability and benefits

17

Summary

• In this module we discussed:
  • AX is the New Generation of Load Balancers
  • AX offers a portfolio to meet low-end Enterprise to high-end ISP/SP needs
  • AX offers a comprehensive set of load balancing features and other features such as GSLB, IPv6, Virtualization, NAT and DNS firewall
  • AX comes feature-complete with no extra licensing required

18

Basic Load Balancing Concepts and Related AX Configuration & Management

Module 3

19

Module objectives

• Understand Main Load Balancing Goals and Concepts
• Configure AX Basic L4 SLB VIP configuration steps
• Understand and Configure two common L4 SLB VIP Options (Source IP Persistence + NAT)

20

Main LB Goals and Concepts

Module 3 – Lesson 1

21

Main load balancing goals and concepts

• Share load among multiple servers (load balancing)
• Provide high availability of services

22

Methods of load balancer integration into network

• Routed Mode

23

Methods of load balancer integration into network

• Routed Mode
  • Benefits:
    • No change required on clients and servers
    • Servers keep the Client IP@ visibility
  • Points to keep in mind:
    • SLB has to be the servers' default gateway (dgw)
    • Clients can't be in the servers' subnet

24

Methods of load balancer integration into network

• One-Arm Mode

25

Methods of load balancer integration into network

• One-Arm Mode
  • Benefits:
    • No change required on clients and servers
    • Easy to test
    • Clients can be in the servers' subnet
  • Points to keep in mind:
    • Servers lose the Client IP@ visibility
    • Requires Source NAT on SLB

26

Methods of load balancer integration into network

• Transparent Mode

27

Methods of load balancer integration into network

• Transparent Mode
  • Benefits:
    • No change required on clients and servers
    • Servers keep the Client IP@ visibility
  • Points to keep in mind:
    • Harder to implement – servers' responses must go through AX

28

Methods of load balancer integration into network

• DSR Mode

29

Methods of load balancer integration into network

• DSR Mode
  • Benefits:
    • Highly scalable (SLB processes only incoming traffic)
  • Points to keep in mind:
    • Can't use any AX layer 7 features
    • Extra configuration required on every server (IP stack update)

30

Server Load Balancing

• AX SLB configuration has three core elements:
  • Servers, Service Groups, Virtual Servers (VIPs)

31

Servers

• Minimum configuration
  • Name
  • IP address (can use DNS name)
  • Ports
• Server configuration
  • WebUI: Config > Service > SLB > Server
  • CLI: AX(config)# slb server <name> […]
• Server status and statistics
  • WebUI: Monitor > Service > SLB > Server
  • CLI: AX# show slb server […]

32

Service groups

• Minimum configuration
  • Name
  • Type (TCP/UDP)
  • LB Algorithm
  • At least one Server/Port
• Service group configuration
  • WebUI: Config > Service > SLB > Service Group
  • CLI: AX(config)# slb service-group <name> […]
• Service group status and statistics
  • WebUI: Monitor > Service > SLB > Service Group
  • CLI: AX# show slb service-group […]

33

Service groups

• Service group – load-balancing algorithms
  • Round-Robin
  • Least Connection
  • Service Least Connection
  • Weighted Round Robin
  • Weighted Least Connection
  • Service Weighted Least Connection
  • Fastest Response time
  • Least Request
  • Round Robin Strict
  • Stateless (new in release 2.4.2; see notes)
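To make the difference between the first few algorithms concrete, here is an added Python model of a service group (written for this transcript; it is not A10 code and does not reproduce ACOS internals). It implements round-robin, least connection, weighted round robin and weighted least connection over a list of constructed members, and it skips any member whose health monitor has failed, which is the behaviour the later health-monitor slides describe. Member names, weights and connection counts are sample values.

```python
from collections import Counter


class Member:
    """One server:port in a service group (constructed sample data)."""

    def __init__(self, name, weight=1):
        self.name = name
        self.weight = weight
        self.active_conns = 0   # connections currently open to this member
        self.healthy = True     # latest result of the member's health monitor


class ServiceGroup:
    """Toy model of four of the service-group algorithms listed on the slide."""

    def __init__(self, members, algorithm="round-robin"):
        self.members = list(members)
        self.algorithm = algorithm
        self._rr_next = 0
        # per-member credit used by the smooth weighted round-robin variant
        self._credit = {m.name: 0 for m in self.members}

    def select(self):
        """Pick the member for a new connection; members whose HM failed are skipped."""
        up = [m for m in self.members if m.healthy]
        if not up:
            return None   # nothing usable: a real VIP would reset or fail over
        if self.algorithm == "round-robin":
            m = up[self._rr_next % len(up)]
            self._rr_next += 1
        elif self.algorithm == "least-connection":
            m = min(up, key=lambda x: x.active_conns)
        elif self.algorithm == "weighted-round-robin":
            # smooth WRR: every member earns its weight per pick, the richest
            # member is chosen and pays back the total, so a weight-3 member
            # gets three of every four picks without bursts
            total = sum(x.weight for x in up)
            for x in up:
                self._credit[x.name] += x.weight
            m = max(up, key=lambda x: self._credit[x.name])
            self._credit[m.name] -= total
        elif self.algorithm == "weighted-least-connection":
            # connections are normalised by weight, so a weight-3 member may
            # carry three times the load of a weight-1 member
            m = min(up, key=lambda x: x.active_conns / x.weight)
        else:
            raise ValueError("unknown algorithm: " + self.algorithm)
        m.active_conns += 1
        return m


def distribute(group, n_connections):
    """Open n connections through the group and count the picks per member."""
    picks = Counter()
    for _ in range(n_connections):
        m = group.select()
        if m is not None:
            picks[m.name] += 1
    return dict(picks)
```

`distribute` is the quickest way to see an algorithm's behaviour: eight connections through a weighted round-robin group with weights 3 and 1 land as 6 and 2, and marking a member unhealthy makes plain round-robin alternate between the remaining members only.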

34

Virtual Server (VIP)

• Minimum configuration
  • Name
  • IP address (accessed by end-users)
  • Virtual Server Ports (usually)
• Virtual server configuration
  • WebUI: Config > Service > SLB > Virtual Server
  • CLI: AX(config)# slb virtual-server <name> […]
• Virtual server status and statistics
  • WebUI: Monitor > Service > SLB > Virtual Server
  • CLI: AX# show slb virtual-server […]

35

Virtual server (VIP) – Virtual server port (VIP port)

• Minimum configuration
  • Type (TCP/UDP/HTTP/HTTPS/Fast-HTTP/RTSP/FTP/MMS/SSL-Proxy/SMTP/SIP/SIP-TCP/SIP-TLS/Others)
  • Port
  • Service Group (usually)
• Virtual server port configuration
  • WebUI: Config > Service > SLB > Virtual Server > Port
  • CLI:
      AX(config)# slb virtual-server <name>
      AX(config-slb vserver)# port N <type>
• Virtual server port status and statistics
  • WebUI: Monitor > Service > SLB > Virtual Server
  • CLI: AX# show slb virtual-server […]

36

Health monitors

• Service availability is checked using health monitors
• Health monitors apply to:
  • Server
  • AND/OR Server:Port
  • AND/OR Service Group

Note: For simplicity, health monitors generally are applied to service groups.

37

Health monitors

• Health monitors can test server availability
  • On layer 3: ping (icmp)
  • On layer 4: tcp, udp
  • On layer 7 (application): http, https, ftp, smtp, pop3, snmp, dns, radius, ldap, rtsp, sip, ntp
  • Via manually created scripts
• Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)
• Health monitor configuration
  • WebUI: Config > Service > Health Monitor
  • CLI: AX(config)# health monitor […]
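The Boolean combination of probes, and the way a server-level monitor and a server:port monitor interact, are easy to get wrong in a configuration, so here is an added Python evaluator for compound monitors (an illustration written for this transcript, not A10's health-monitor engine). The probe results are a constructed dictionary standing in for the outcome of the ping, TCP handshake and HTTP GET checks; a script-based monitor would simply contribute another named entry.

```python
# Probe results for one server, constructed for the example (no network I/O).
PROBES = {
    "icmp":      True,    # layer 3: the host answers ping
    "tcp-80":    True,    # layer 4: port 80 completes a TCP handshake
    "http-home": False,   # layer 7: GET / did not return the expected answer
    "tcp-443":   True,
}


def evaluate(expr, results):
    """Evaluate a compound health monitor.

    expr is either a monitor name (str) or a tuple:
        ("and", e1, e2, ...), ("or", e1, e2, ...), ("not", e)
    results maps monitor names to True (pass) or False (fail).
    A reference to a monitor that does not exist is a configuration error,
    so it raises instead of silently counting as up or down.
    """
    if isinstance(expr, str):
        if expr not in results:
            raise KeyError("no such health monitor: " + expr)
        return results[expr]
    op, *args = expr
    if op == "not":
        if len(args) != 1:
            raise ValueError("'not' takes exactly one operand")
        return not evaluate(args[0], results)
    if op == "and":
        return all(evaluate(a, results) for a in args)
    if op == "or":
        return any(evaluate(a, results) for a in args)
    raise ValueError("unknown operator: " + str(op))


def member_usable(server_expr, port_expr, results):
    """A server:port stays in rotation only if the server-level monitor AND
    the port-level monitor both pass: a server that fails its own monitor
    takes every one of its ports out of load balancing with it."""
    return evaluate(server_expr, results) and evaluate(port_expr, results)
```

With the constructed results above, `("and", "tcp-80", "http-home")` is down because the application check failed even though the port accepts connections, while `("or", "http-home", "tcp-443")` is up; that difference is exactly why an L7 monitor is preferred over a bare TCP check for web services.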

38

Service group health monitor

• Health Monitoring is done on all Service Group members
  • If HM fails for a specific member, the service group stops using this member for load balancing

Note: By default there is no health monitor configured on the Service Group.

• Service Group HM configuration
  • WebUI: Config > Service > SLB > Service Group – "Health Monitor"
  • CLI:
      AX(config)# slb service-group <sg-name> <tcp|udp>
      AX(config-slb svc group)# health-check <hm-name>
• Service Group HM status
  • WebUI: Monitor > Service > SLB > Service Group (expand Service Group)
  • CLI: AX# show slb service-group <sg-name>

39

Server port health monitor

• Health Monitoring is done on the Server Port
  • If HM fails, that server port will be considered down and service groups configured with that specific server:port will stop using it for load balancing

Note: The default Server Port health monitor is a TCP handshake for TCP ports and UDP packets for UDP ports.

• Server Port HM configuration
  • WebUI: Config > Service > SLB > Server > Port – "Health Monitor"
  • CLI:
      AX(config)# slb server <server-name>
      AX(config-slb vserver)# port N <tcp|udp>
      AX(config-slb vserver-vport)# health-check <hm-name>
• Server Port HM status
  • WebUI: Monitor > Service > SLB > Server (expand Server)
  • CLI: AX# show slb server <server-name>

40

Server health monitor

• Health Monitoring is done on the Server
  • If HM fails, that server will be considered down and service groups configured with that specific server will stop using it for load balancing

Note: The default Server health monitor is icmp.

• Server HM configuration
  • WebUI: Config > Service > SLB > Server – "Health Monitor"
  • CLI:
      AX(config)# slb server <server-name>
      AX(config-real server)# health-check <hm-name>
• Server HM status
  • WebUI: Monitor > Service > SLB > Server (expand Server)
  • CLI: AX# show slb server <server-name>

41

Common SLB VIP Options

Module 3 – Lesson 2

42

Source IP persistence

• When to use Source IP persistence
  • Source IP persistence must be used when clients must have their future connections/traffic terminated on the same server

43

Source IP persistence

• Source IP persistence configuration steps
  1. Create one Source IP Persistence Template
    • Name
    • Type: Port (persistence per VIP:Port), or Server (persistence per VIP), or Service-Group (persistence per URL or Host switching – see Module 4 – Lesson 2)
    • Timeout: How long inactive entries are saved (default = 5 minutes)
    • Don't Honor Conn Rules: Ignore connection limits defined on Servers and Server Ports and connect new clients' connections to the Server (default = disabled)
    • Netmask: Granularity of Client IP address hashing (default = 255.255.255.255 for the most granularity)
  2. Assign the Source IP Persistence Template to the Virtual Server Port

44

Source IP persistence

• Source IP persistence configuration
  • Create one Source IP Persistence Template
    • WebUI: Config > Service > Template > Persistent > Source IP Persistence
    • CLI: AX(config)# slb template persist source-ip <name>
  • Assign the Source IP Persistence Template to the Virtual Server Port
    • WebUI: Config > Service > SLB > Virtual Server > Port
    • CLI:
        AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N tcp
        AX(config-slb vserver-vport)# template persist source-ip <name>
• Source IP persistence entries
  • CLI: AX# show session persist src-ip […]
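The two template parameters that most often surprise administrators are the Netmask (a coarser mask groups a whole subnet behind one entry) and the Timeout (an idle entry expires and the client may land on a different server). The following added Python model, written for this transcript and not taken from A10, shows both effects on constructed client addresses; the server names and the pick order are sample values standing in for the service group's own algorithm.

```python
import ipaddress


class SourceIpPersistence:
    """Toy model of a source-IP persistence template: clients are keyed by
    their address masked with the template netmask, and an entry is dropped
    once it has been idle for longer than `timeout` seconds."""

    def __init__(self, netmask="255.255.255.255", timeout=300):
        self.netmask = netmask
        self.timeout = timeout
        self._table = {}   # masked client address -> (server, last_seen)

    def _key(self, client_ip):
        # /32 keeps one entry per client; a coarser mask (e.g. /24) sends a
        # whole subnet to the same server and keeps the table smaller
        net = ipaddress.ip_network(f"{client_ip}/{self.netmask}", strict=False)
        return str(net.network_address)

    def lookup(self, client_ip, now):
        """Return the persisted server, or None if absent or expired."""
        key = self._key(client_ip)
        entry = self._table.get(key)
        if entry is None:
            return None
        server, last_seen = entry
        if now - last_seen > self.timeout:
            del self._table[key]           # expired: the client may land anywhere
            return None
        self._table[key] = (server, now)   # activity refreshes the idle timer
        return server

    def record(self, client_ip, server, now):
        self._table[self._key(client_ip)] = (server, now)

    def size(self):
        return len(self._table)


def choose_server(persist, client_ip, pick_new, now):
    """Reuse the persisted server when one exists; otherwise let the service
    group's algorithm (pick_new) choose and remember the result."""
    server = persist.lookup(client_ip, now)
    if server is None:
        server = pick_new()
        persist.record(client_ip, server, now)
    return server
```

Run with a 255.255.255.0 mask, two clients in 192.0.2.0/24 share one entry and one server; run with the default /32 mask they are persisted independently. An entry that has been idle longer than the timeout is discarded on the next lookup, which is why a timeout shorter than the application's think time breaks session stickiness.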

45

Network Address Translation

• AX provides multiple NAT services
  • SLB source NAT
  • Layer3 NAT

46

Network Address Translation – SLB source NAT

• When to use SLB source NAT
  • SLB Source NAT must be used when server responses don't automatically pass through the AX, such as in One-Arm mode or when servers and the AX are in different subnets

47

Network Address Translation – SLB source NAT

• SLB source NAT configuration steps
  1. Create one IP Source NAT Pool:
    • Name: Name of the template
    • Start IP address: First IP address for the SLB source NAT (can be the AX interface IP address)
    • End IP address: Last IP address for the SLB source NAT (can be the same as "Start IP address")
      Note: If the "Start" and "End IP address" are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows.
    • Netmask: Specify the netmask of the SLB source IP addresses.
      Note: This is used by the "IP Source NAT – Group" when servers are in different subnets (see AX Config Guide for more information).
    • (optional) Gateway: Specify a specific gateway to use to reply to the clients' requests when SLB Source NAT has been used.
    • (optional) "HA Group": Specify the HA group to tie to the SLB source NAT pool.
  2. Assign the SLB Source NAT Pool to the Virtual Server Port

48

Network Address Translation – SLB source NAT

• SLB source NAT configuration
  1. Create one IP Source NAT Pool:
    • WebUI: Config > Service > IP Source NAT > IPv4 Pool
    • CLI: AX(config)# ip nat pool <pool-name>
  2. Assign the SLB Source NAT Pool to the Virtual Server Port
    • WebUI: Config > Service > SLB > Virtual Server > Port
    • CLI:
        AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N <type>
        AX(config-slb vserver-vport)# source-nat pool <pool-name>
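The 64k-flows-per-address figure in step 1 follows from each NATed flow needing its own source port on the pool address, so the size of the pool sets the ceiling on concurrent flows through the VIP. The added Python model below (written for this transcript, not A10 code) allocates address:port pairs from a start..end range and raises once the range is exhausted; the pool name and the 203.0.113.x addresses are constructed, and the ephemeral port range 1024-65535 is an assumption that yields 64,512 ports per address, consistent with the slide's "up to 64k flows".

```python
import ipaddress
from collections import deque


class PoolExhausted(Exception):
    """Raised when no address in the pool has a free port for a new flow."""


class SourceNatPool:
    """Toy model of an IP source NAT pool: every address between start and
    end offers one ephemeral port per concurrent flow."""

    def __init__(self, name, start_ip, end_ip, first_port=1024, last_port=65535):
        self.name = name
        first = int(ipaddress.IPv4Address(start_ip))
        last = int(ipaddress.IPv4Address(end_ip))
        if last < first:
            raise ValueError("end IP address precedes start IP address")
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self._ports_per_ip = last_port - first_port + 1
        # free ports per address; a deque gives O(1) take and give back
        self._free = {ip: deque(range(first_port, last_port + 1)) for ip in self.addresses}
        self._flows = {}   # flow id -> (nat ip, nat port)
        self._next_ip = 0

    def capacity(self):
        """Maximum number of concurrent flows the pool can translate."""
        return len(self.addresses) * self._ports_per_ip

    def in_use(self):
        return len(self._flows)

    def allocate(self, flow_id):
        """Translate a new client flow, spreading flows over the addresses
        round-robin. An existing flow keeps its mapping."""
        if flow_id in self._flows:
            return self._flows[flow_id]
        for _ in range(len(self.addresses)):
            ip = self.addresses[self._next_ip % len(self.addresses)]
            self._next_ip += 1
            if self._free[ip]:
                mapping = (ip, self._free[ip].popleft())
                self._flows[flow_id] = mapping
                return mapping
        raise PoolExhausted(f"pool {self.name}: no free address:port for flow {flow_id!r}")

    def release(self, flow_id):
        """Return the flow's port to the pool when the session ages out."""
        ip, port = self._flows.pop(flow_id)
        self._free[ip].append(port)
```

A single-address pool therefore stops translating at its 64,512th concurrent flow, and only session ageing (`release`) frees ports again; widening the Start/End range is the fix when the `show ip nat pool statistics` counters approach that ceiling.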

49

Network Address Translation – SLB source NAT

• SLB source NAT statistics
  • WebUI: Monitor > Service > IP Source NAT > Pool
  • CLI: AX# show ip nat pool statistics

50

Network Address Translation – Layer3 NAT

• When to use Layer3 NAT
  • Layer3 NAT is used to NAT specific traffic, such as clients or servers on private networks that have to access the Internet

51

Network Address Translation – Layer3 NAT

• Dynamic Layer3 NAT
  • Used to dynamically source NAT internal clients with one IP@ or a group of IP@ (also called NAT n to 1)

52

Network Address Translation – Layer3 NAT

• Dynamic Layer3 NAT configuration steps
  1. Create one or more IP Source NAT Pools with the "NATed" IP@
  2. (optional) Group IP Source NAT pools in one IP Source NAT Group
  3. Create an ACL with the source IP@ to NAT
  4. Bind the ACL with the IP Source NAT Pool (or Pool Group)
  5. Enable inside NAT on AX inside and outside interfaces

53

Network Address Translation – Layer3 NAT

• Dynamic Layer3 NAT configuration
  • Create one or more IP Source NAT Pools with the "NATed" IP@
    • WebUI: Config > Service > IP Source NAT > IPv4 Pool
    • CLI: AX(config)# ip nat pool <pool-name>
  • (optional) Group IP Source NAT pools in one IP Source NAT Group
    • WebUI: Config > Service > IP Source NAT > Group
    • CLI: AX(config)# ip nat pool-group <pool-group-name>
  • Create an ACL with the source IP@ to NAT
    • WebUI: Config > Network > ACL
    • CLI: AX(config)# access-list […]
  • Bind the ACL with the IP Source NAT Pool (or Pool Group)
    • WebUI: Config > Service > IP Source NAT > Binding
    • CLI: AX(config)# ip nat inside source list [acl#] pool [pool-group-name | pool-name]

54

Network Address Translation – Layer3 NAT

• Dynamic Layer3 NAT configuration (cont.)
  • Enable inside NAT on AX inside and outside interfaces
    • On the inside interfaces
      • WebUI: Config > Service > IP Source NAT > Interface
      • CLI:
          AX(config)# interface ethernet #
          AX(config-if:ethernetx)# ip nat inside
    • On the outside interfaces
      • WebUI: Config > Service > IP Source NAT > Interface
      • CLI:
          AX(config)# interface ethernet #
          AX(config-if:ethernetx)# ip nat outside

55

Network Address Translation – Layer3 NAT

• Dynamic Layer3 NAT statistics
  • WebUI: Monitor > Service > IP Source NAT > Pool
  • CLI: AX# show ip nat pool statistics

56

Network Address Translation – Layer3 NAT

• Static Layer3 NAT
  • Used to statically source NAT servers with dedicated IP@ (also called NAT 1 to 1)

Note: Static NAT allows communication started from outside.

57

Network Address Translation – Layer3 NAT

• Static Layer3 NAT configuration steps
  1. Create IP Static NAT or NAT range
  2. Enable inside NAT on AX inside and outside interfaces
  3. Enable Static Host Source NAT (if IP Static NAT used)

58

Network Address Translation – Layer3 NAT

• Static Layer3 NAT configuration
  • Create IP Static NAT
    • WebUI: Config > Service > IP Source NAT > Static NAT
    • CLI: AX(config)# ip nat inside source static [original-IP@] [NAT-IP@]
  • Or create a NAT Range
    • WebUI: Config > Service > IP Source NAT > NAT Range
    • CLI: AX(config)# ip nat range-list […]

59

Network Address Translation – Layer3 NAT

• Static Layer3 NAT configuration (cont.)
  • Enable inside NAT on AX inside and outside interfaces
    • On the inside interfaces
      • WebUI: Config > Service > IP Source NAT > Interface
      • CLI:
          AX(config)# interface ethernet #
          AX(config-if:ethernetx)# ip nat inside
    • On the outside interfaces
      • WebUI: Config > Service > IP Source NAT > Interface
      • CLI:
          AX(config)# interface ethernet #
          AX(config-if:ethernetx)# ip nat outside
  • Enable Static Host Source NAT (if IP Static NAT used)
    • WebUI: Config > Service > IP Source NAT > Global
    • CLI: AX(config)# ip nat allow-static-host

60

Network Address Translation – Layer3 NAT

• Static Layer3 NAT statistics
  • WebUI: Monitor > Service > IP Source NAT > Static NAT
  • CLI: AX# show ip nat static-binding statistics

61

Network Address Translation

• Virtual Server Port option "Source NAT traffic against VIP"
  • This option allows the AX administrator to apply the Layer3 NAT settings on the VIP for the internal clients
  • If SLB source NAT is also configured, all clients not using Layer3 NAT will use the SLB source NAT Pool

62

Summary

• In this module, we discussed:
  • Load Balancing's main goals: server load sharing and high availability of services
  • Load Balancers can be integrated in different ways into existing architectures, all supported by AX
• And also:
  • Configured one AX L4 SLB VIP
  • Explained two common L4 SLB options and their AX configuration: Source IP Persistence and NAT
  • Configured Source IP Persistence, SLB Source NAT and static Layer3 NAT on AX

63

FTP, HTTP and HTTPS protocols

Module 4

64

Module objectives

• Understand protocols
  • FTP
  • HTTP
  • HTTPS
• Understand Load Balancing specifics for each
• Configure FTP, HTTP and HTTPS VIPs

65

FTP protocol

Module 4 – Lesson 1

66

FTP protocol

• The File Transfer Protocol (FTP) RFC is 959 (http://www.w3.org/Protocols/rfc959/)
• FTP is an unencrypted TCP protocol used to transfer files between clients and servers
• FTP has 2 connections
  • Control session
  • Data session

67

FTP protocol

• FTP Control Session
  • Used for client/server communication. No data is sent on this connection.
  • This session is established from the client to the server (usually on port 21).
• FTP Data session
  • This session is opened "on demand" when there is a need to send data between the client and the server.
  • Used for client/server data exchange only.

Important Notes:
• The Control Session remains open for the duration of the FTP connection
• The data session will be closed at the end of each object transfer. If you transfer 3 files, you'll have 3 data sessions (one at a time).

68

FTP protocol

• FTP Data session – 2 modes
  There are two data session modes. The mode is negotiated between the client and server on the control session.
  • Active Mode (default)
    • In the control session, the client tells the server what IP and TCP port to use to establish the data connection.
    • The server establishes the data connection to the client, and data requested in the control session can be exchanged.

69

FTP protocol

• FTP Data session – 2 modes (cont.)
  • Passive Mode
    • In the control session, the server tells the client what IP and TCP port to use to establish the data session.
    • The client establishes the data connection to the server, and data requested in the control session can be exchanged.

70

Load balancer configuration for FTP applications

• Control session resets
  • During data exchange (in the data session) there is no activity in the control session.
  • Load Balancers track activity on load balanced sessions and flush stale connections. If the data transfer takes too long, the control connection will be dropped.

71

Load balancer configuration for FTP applications

• Active Mode – Data session established from the server IP@ (not the VIP IP@)
  • Client establishes control connection to the VIP.
  • With Active Mode, the client expects the data session from the VIP IP@ and not the Server IP@.

72

Load balancer configuration for FTP applications

• Passive Mode – Data session established to the server IP@ (not the VIP IP@)
  • Client establishes control connection to the VIP.
  • With Passive Mode, the client expects to open the data session to the VIP@ and not the Server IP@.

73

Load balancer configuration for FTP applications

• Control session resets
  • Solution is to increase SLB aging time on the Load Balancer
  • However, on AX, control and data session times are linked, so there is no need to update the timer.

Note: AX default aging time is 120 seconds

74

Load balancer configuration for FTP applications

• AX configuration to update the default aging timer
  For example, to allow users to spend more than 120 seconds between FTP commands.
  1. Create a TCP template with 15,000 seconds Idle Timeout
    • WebUI: Config > Service > Template > L4 > TCP
    • CLI:
        AX(config)# slb template tcp <name>
        AX(config-l4 tcp)# idle-timeout 15000
  2. Assign the TCP template to the Virtual Server Port
    • WebUI: Config > Service > SLB > Virtual Server > Port
    • CLI:
        AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N tcp
        AX(config-slb vserver-vport)# template tcp <name>
  • Show aging time of SLB entries
    • CLI: AX# show session […]

75

Load balancer configuration for FTP applications

• Active Mode – Data session established from the server IP@ (not VIP IP@)
  • Load Balancers need to automatically Source NAT the data connection from the servers with the VIP IP@.
  • This is done automatically on AX when the SLB VIP is defined as FTP type
  • AX configuration:
    • WebUI: Config > Service > SLB > Virtual Server > Port
    • CLI:
        AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N ftp

76

Load balancer configuration for FTP applications

• Passive Mode – Data session established to the server IP@ (not the VIP IP@)
  • Load Balancers need to automatically Source NAT the data connection from the servers with the VIP IP@.
  • This is done automatically on AX when the SLB VIP is defined as service type FTP
  • AX configuration:
    • WebUI: Config > Service > SLB > Virtual Server > Port
    • CLI:
        AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N ftp
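Slides 71, 72, 75 and 76 describe why a plain TCP VIP is not enough for FTP: the data endpoint is announced inside the control session, in the PORT command (active mode) or the 227 reply (passive mode), using the real addresses, while the client only knows the VIP. The following added Python model, written for this transcript and not A10's FTP handling, parses both announcements from constructed control-session lines and records what the load balancer has to do for the data session: source NAT the server's outbound connection to the VIP in active mode, and present the VIP in the 227 reply and map VIP:port back to the server in passive mode. The client, VIP and server addresses are constructed sample values.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." from the server (passive mode)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2) as used by PORT and 227."""
    host = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    if not 0 < port < 65536:
        raise ValueError("data port out of range: %d" % port)
    return host, port


def encode_hostport(host, port):
    """Inverse of decode_hostport, for rewriting an announcement."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


class FtpControlSession:
    """One load-balanced FTP control session (client -> VIP -> server) and the
    data-session handling it implies for the load balancer."""

    def __init__(self, client_ip, vip, server_ip):
        self.client_ip, self.vip, self.server_ip = client_ip, vip, server_ip
        self.expected_data = []   # one record per announced data session

    def on_client_line(self, line):
        """Active mode: the client names its own address and port. The server
        will connect out from its real IP, so the load balancer must source
        NAT that connection to the VIP, the address the client expects."""
        m = PORT_RE.match(line)
        if not m:
            return line
        client_host, client_port = decode_hostport(m.groups())
        self.expected_data.append({
            "mode": "active",
            "server_connects_to": (client_host, client_port),
            "source_nat": (self.server_ip, self.vip),
        })
        return line   # the command itself needs no rewrite

    def on_server_line(self, line):
        """Passive mode: the server announces its real IP in the 227 reply.
        The load balancer rewrites it to the VIP and maps VIP:port back to
        the server when the client's data connection arrives."""
        m = PASV_RE.match(line)
        if not m:
            return line
        host, port = decode_hostport(m.groups())
        self.expected_data.append({
            "mode": "passive",
            "client_connects_to": (self.vip, port),
            "destination_nat": ((self.vip, port), (host, port)),
        })
        return line.replace(encode_hostport(host, port),
                            encode_hostport(self.vip, port), 1)
```

Lines that carry no endpoint announcement pass through untouched, which is why this inspection is cheap enough to run on every control-session line; it is also why an encrypted control channel (FTPS) defeats it, since the announcements are no longer visible to the load balancer.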

77

HTTP protocol

Module 4 – Lesson 2

78

HTTP protocol

• The HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
• HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80)

Note: HTTPS uses the same protocol with explicit SSL encryption for higher security (usually on port 443)

• HTTP is a sequence of network request/response transactions

Important Note: Browsers open multiple TCP sessions to download multiple objects from 1 web site in parallel (2 sessions with IE5.5/6.0, 6 sessions with IE8, 15 sessions with Firefox 3.x)

• Request and response options are sent via headers

79

HTTP requests

• Main request methods
  • "GET url": Request object from server
  • "POST url": Send data/object to server
  • Others: HEAD, CONNECT

Important Note: The Host (such as www.a10networks.com) is not part of the url, but is listed in the "Host" header in the request

• Main request headers
  • "Host": Site name
  • "Connection: Keep-Alive": Client support for using the same session for multiple request/response transactions
  • "Accept-Encoding: gzip, deflate": Support for HTTP compression
  • "Cookie": Text used to keep track of user information

80

HTTP responses

• Main server response codes
  • 200: OK (object in the response)
  • 301: Redirect permanently
  • 302: Temporary redirect
  • 304: Not Modified
  • 404: Page not found
  • 5xx: Server error
• Main response headers
  • "Last-Modified": When object was last modified
  • "Etag": Entity tag (used to detect object changes)
  • "Connection: Keep-Alive": Server support for using the same session for multiple request/response transactions
  • "Set-Cookie": Asks user to save cookie to keep track of user information
  • "Cache-Control" / "Pragma": Cacheability of the object

81

HTTP example (using HttpFox)

82

Load balancer configuration for HTTP applications

• Load Balancers don't need a specific configuration for basic HTTP load balancing – any L4 SLB VIP works for HTTP services
• However, advanced load balancers provide techniques for improving HTTP services
  • Better Availability (see below)
  • Better Flexibility (see below and Module 7 – aFleX)
  • Better Performance/Acceleration (see Module 5)
  • Better Security (see below and Module 6)

83

Load balancer configuration for HTTP applications – greater availability

• HTTP Health Monitor
  • AX provides the ability to test HTTP/HTTPS services using Health Monitors
  • HTTP/HTTPS Health Monitors have the following required parameters:
    • Port: TCP port
    • Method (GET or HEAD or POST)
    • URL
  • And the following optional parameters:
    • User + Password: For web sites that require authentication
    • Expect: Server Response code or Server text
    • Maintenance Code: To automatically mark the server in maintenance, rather than down (so users with persistence to that server remain on that server)
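To show how the required and optional parameters of an HTTP health monitor fit together, here is an added Python example written for this transcript (it is an illustration, not A10's monitor implementation). It builds the probe request from method, URL, host and optional credentials, then classifies a constructed raw response as up, down or maintenance following the slide's rules: the maintenance code takes precedence, an Expect code or text must match when given, and with no expectation any 2xx/3xx counts as up. The header set of the probe and the use of HTTP Basic authentication are assumptions.

```python
import base64


def build_probe_request(method, url, host, user=None, password=None):
    """Return the HTTP/1.1 request text a monitor would send (assumed header set)."""
    if method not in ("GET", "HEAD", "POST"):
        raise ValueError("method must be GET, HEAD or POST")
    lines = [f"{method} {url} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if user is not None:
        # User + Password option: Basic auth is assumed here for the example
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_status_and_body(raw):
    """Split a raw response into (status code, body); raise on a malformed status line."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: " + status_line)
    return int(parts[1]), body


def classify(raw_response, expect_code=None, expect_text=None, maintenance_code=None):
    """Return 'up', 'down' or 'maintenance' for one probe result.

    - a maintenance code wins: the member takes no new clients but keeps the
      clients already persisted to it (the slide's point)
    - expect_code and expect_text must both be satisfied when configured
    - with no expectation configured, any 2xx or 3xx answer is 'up'
    - an unparseable answer is always 'down'
    """
    try:
        code, body = parse_status_and_body(raw_response)
    except ValueError:
        return "down"
    if maintenance_code is not None and code == maintenance_code:
        return "maintenance"
    if expect_code is not None and code != expect_code:
        return "down"
    if expect_text is not None and expect_text not in body:
        return "down"
    if expect_code is None and expect_text is None and not 200 <= code < 400:
        return "down"
    return "up"
```

The expect-text check is the one that catches a server whose front door answers 200 while the application behind it is broken, and the maintenance code lets an operator drain a server gracefully by having its health URL return, say, 503 while persistence still honours existing users.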

84

Load balancer configuration for HTTP applications – greater flexibility

� AX offers advanced flexibility options for web appl ications

� These options are available via HTTP templates� WebUI: Config > Service > Template > Application > HTTP� CLI: AX(config)# slb template http <name> […]

� HTTP templates are associated with virtual server p orts of service type “HTTP" or "HTTPS”

Page 43: AX Training

85

Load balancer configuration for HTTP applications – greater flexibility

� HTTP template options� URL Hash switching

� Load Balancing of Servers is done based on hash on the URL (beginning or end of the URL).

� This option is usually used for Web Cache load balancing.

� Host/URL switching� Selection of Servers is done based on Host or URL (beginning or end).

� This option also is usually used for Web Cache load balancing.

� Request/Response Header Erasure/Insertion� Allows the AX to insert or remove

� client request header (such as "Accept-Encoding")� server response header (such as "Cache-Control")

� This option usually is used to centrally change web server behavior without changing the web servers’ configuration.

86

Load balancer configuration for HTTP applications – greater flexibility

� HTTP template options (cont.)� Strict Transaction Switching

� Allows HTTP/HTTPS load balancing per request (instead of per session).

� This option usually is used when the load among the Servers is unequal.

Page 44: AX Training

87

Load balancer configuration for HTTP applications – greater security

� AX offers advanced security options for web applica tions

� These options are available via HTTP templates� WebUI: Config > Service > Template > Application > HTTP� CLI: AX(config)# slb template http <name> […]

� HTTP templates are associated with virtual server p orts of service type "HTTP" or "HTTPS”

Note: Some of the following options can be considered as availability and flexibility options too.

88

Load balancer configuration for HTTP applications – greater security

� URL failover� When all servers are disabled or have failed, the AX can send an HTTP

redirect to a "backup site" or "sorry page".

� This option usually is used with "backup sites" or "sorry pages".

Page 45: AX Training

89

Load balancer configuration for HTTP applications – greater security

� URL redirect / rewrite� When the Server replies with an HTTP redirect, the AX can rewrite it with

a new value.

� This option usually is used for transparent "SSL-ization" of HTTP web applications.

90

Load balancer configuration for HTTP applications – greater security

• Retry HTTP request on HTTP 5xx
  • When the server replies with a 5xx error, by default the AX forwards it to the client. The retry option allows the AX to resend the request to another server in the Service Group.
  • The following options are available:
    • "On HTTP 5xx code for each request": the client request is resent to a new server
    • "On HTTP 5xx code": the client request is resent to a new server, and the server that replied with the 5xx is not used for new requests for 30 seconds
    • "#": number of servers that can be tried
    • Logging: generates logs when this event happens (not available in the WebUI in AX 2.4.2)
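The retry behaviour above, modelled as a small Python simulation. This is an added example, not A10 code or AX configuration: the Service Group class, the send() callback and the round-robin choice are constructed assumptions; the 30-second quarantine, the two option variants and the "#" limit follow the slide.

```python
"""Model of the "Retry HTTP request on HTTP 5xx" option.

Added example (not A10 code). The Service Group, the send() callback and
the round-robin choice are constructed assumptions; the 30-second
quarantine and the "number of servers that can be tried" limit follow
the slide text.
"""
from typing import Callable, Dict, List, Optional, Tuple

QUARANTINE_SECONDS = 30.0  # "not used for new requests for 30 seconds"


class ServiceGroup:
    """Round-robin server pool with a per-server quarantine clock."""

    def __init__(self, servers: List[str]) -> None:
        self.servers = list(servers)
        self.quarantined_until: Dict[str, float] = {}
        self._rr = 0

    def usable(self, now: float) -> List[str]:
        return [s for s in self.servers if self.quarantined_until.get(s, 0.0) <= now]

    def pick(self, now: float, exclude: List[str]) -> Optional[str]:
        candidates = [s for s in self.usable(now) if s not in exclude]
        if not candidates:
            return None
        server = candidates[self._rr % len(candidates)]
        self._rr += 1
        return server


def forward_with_retry(
    group: ServiceGroup,
    request: str,
    send: Callable[[str, str], int],
    mode: str,
    max_servers: int,
    now: float,
    log: Optional[List[str]] = None,
) -> Tuple[Optional[int], Optional[str], List[str]]:
    """Send `request` and retry on 5xx.

    mode == "per-request": retry only ("On HTTP 5xx code for each request").
    mode == "quarantine":  retry and skip the failing server for 30 s
                           ("On HTTP 5xx code").
    max_servers is the "#" option. Returns (status, server, servers_tried).
    """
    tried: List[str] = []
    status: Optional[int] = None
    while len(tried) < max_servers:
        server = group.pick(now, tried)
        if server is None:           # nothing left to try
            break
        tried.append(server)
        status = send(server, request)
        if status < 500:             # success or client error: hand back to the client
            return status, server, tried
        if log is not None:          # the "Logging" option
            log.append(f"retry: {server} answered {status} for {request}")
        if mode == "quarantine":
            group.quarantined_until[server] = now + QUARANTINE_SECONDS
    # All allowed attempts failed: the last 5xx goes to the client.
    return status, (tried[-1] if tried else None), tried


# Constructed back end: s1 is broken, s2 and s3 are healthy.
def demo_send(server: str, request: str) -> int:
    return 503 if server == "s1" else 200


if __name__ == "__main__":
    sg = ServiceGroup(["s1", "s2", "s3"])
    events: List[str] = []
    print(forward_with_retry(sg, "GET /a", demo_send, "quarantine", 3, now=0.0, log=events))
    print(forward_with_retry(sg, "GET /b", demo_send, "quarantine", 3, now=10.0, log=events))
    print(events)
```

Running it shows the difference between the two variants: in "quarantine" mode the broken server is skipped entirely for the next 30 seconds, while in "per-request" mode every new request tries it again and only moves on after the 5xx.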

Page 46: AX Training

91

Load balancer configuration for HTTP applications – greater security

• Client IP header insertion
  • Web server logs record the client IP address. Web servers take the client IP from the source IP address of the connection.
  • Some AX advanced HTTP options (Connection Reuse or Source NAT) force the AX to establish the connection to the server with an AX IP address. In these cases, the web server loses the client IP address information.
  • To allow web servers to log the client IP address, the AX can inject the client IP information in a request header.
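Both halves of client IP header insertion, as an added Python example (not A10 code). The slide does not name the header, so X-Forwarded-For and the LB_ADDRESSES set are assumptions. The server side shows the check a defender wants: the header is only believed when the TCP peer is a known AX address, otherwise a client could forge it.

```python
"""Client IP header insertion, seen from both sides of the AX.

Added example (not A10 code). The header name X-Forwarded-For and the
address set LB_ADDRESSES are assumptions: the slide only says the AX
injects the client IP in a request header and does not name it.
"""
import ipaddress
from typing import Dict

CLIENT_IP_HEADER = "X-Forwarded-For"
# Constructed: source NAT addresses the AX uses toward the servers.
LB_ADDRESSES = {"10.0.0.10", "10.0.0.11"}


def lb_insert_client_ip(headers: Dict[str, str], client_ip: str) -> Dict[str, str]:
    """Load-balancer side: append the real client address to the request header.

    Appending (rather than overwriting) keeps any value an upstream proxy
    already set, which is the usual convention for this header.
    """
    out = dict(headers)
    existing = out.get(CLIENT_IP_HEADER)
    out[CLIENT_IP_HEADER] = f"{existing}, {client_ip}" if existing else client_ip
    return out


def server_client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Web-server side: decide which address to log.

    Because the connection now comes from an AX address (Connection Reuse /
    Source NAT), the server must read the header, but only when the TCP peer
    is a known load balancer; otherwise anyone can forge the header.
    The last element is the one the trusted AX appended.
    """
    if peer_ip not in LB_ADDRESSES:
        return peer_ip                      # direct connection: header is untrusted
    value = headers.get(CLIENT_IP_HEADER, "")
    candidate = value.split(",")[-1].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip                      # empty or malformed: fall back to the peer
    return candidate


def access_log_line(peer_ip: str, headers: Dict[str, str], request_line: str, status: int) -> str:
    """Common-log-style line using the trusted client address."""
    return f'{server_client_ip(peer_ip, headers)} - - "{request_line}" {status}'


if __name__ == "__main__":
    # Constructed request: client 198.51.100.7 behind the AX, AX connects from 10.0.0.10.
    hdrs = lb_insert_client_ip({"Host": "www.example.com"}, "198.51.100.7")
    print(access_log_line("10.0.0.10", hdrs, "GET / HTTP/1.1", 200))
    # The same header arriving directly (not through the AX) is ignored.
    print(access_log_line("192.0.2.9", hdrs, "GET / HTTP/1.1", 200))
```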

92

HTTPS protocol

Module 4 – Lesson 3

HTTPS protocol

• HTTPS (HTTP over TLS) is specified in RFC 2818 (http://www.ietf.org/rfc/rfc2818.txt)
• HTTPS is the "secured" version of HTTP (usually port 443)
• HTTPS offers
  • Server Authentication (with server certificates)
  • (optional) Client Authentication (with client certificates)
  • Encryption (with TLS/SSL)

94

How does server authentication work?

• TLS/SSL is based on public certificates / private keys
• Certificates are issued and signed by a Certificate Authority (CA)
• HTTPS clients first request the server's public certificate and validate it using their list of trusted CAs
• When the server certificate is validated (name, date, etc.), the client sends its HTTP requests

How does the encryption work?

• Once the server is trusted, the client and server negotiate a "session key" to encrypt the traffic
• The session key is negotiated via an asymmetric encryption protocol using long keys (usually 2048 bits)

Note: This step is very CPU intensive (asymmetric encryption)

• Once the session key is negotiated, the HTTPS client requests / server responses are sent encrypted

Note: Less CPU intensive (symmetric encryption)

Note: If the client establishes a new TCP session before the session key expires, it proposes to the server to reuse it (SSL session ID reuse option). The server can accept or refuse. If refused, a new session key is negotiated.

96

Load balancer configuration for HTTPS applications

• Load balancers don't need a specific configuration for HTTPS load balancing - any L4 SLB VIP works for HTTPS services
• However, advanced load balancers provide techniques to improve HTTPS services
  • Better Availability (see Module 4 - lesson 2)
  • Better Flexibility (see Module 4 - lesson 2 and Module 7 - aFleX)
  • Better Performance/Acceleration (see Module 5)
  • Better Security (see Module 4 - lesson 2 and Module 6)

Load balancer configuration for HTTPS applications

• AX offers advanced flexibility/performance/security options for HTTPS applications
• These options are available via HTTP templates
  • WebUI: Config > Service > Template > Application > HTTP
  • CLI: AX(config)# slb template http <name> […]
• HTTP templates are associated with virtual server ports of type "HTTP" or "HTTPS".

98

HTTPS communication with clients

• Client SSL templates
  • To enable HTTPS communication with the clients
  • Client SSL template
    • Public certificate that will be presented to clients
    • Private key (and its passphrase)
    • SSL ciphers supported ("encryption algorithm")
    • (optional) Client certificate request

HTTPS communication with clients

• HTTPS communication with clients – configuration
  1. Import SSL public certificates and private key on the AX
     Note: Self-signed certificates can be created on the AX too
     • WebUI: Config > Service > SSL Management > Certificate
     • CLI: AX(config)# import ssl-cert <name>
            AX(config)# import ssl-key <name>
  2. Create a Client SSL template
     • WebUI: Config > Service > Template > SSL > Client SSL
     • CLI: AX(config)# slb template client-ssl <name> […]
  3. Assign the Client SSL template to the Virtual Server Port
     • WebUI: Config > Service > SLB > Virtual Server > Port
     • CLI: AX(config)# slb virtual-server <name>
            AX(config-slb vserver)# port N https
            AX(config-slb vserver-vport)# template client-ssl <name>

100

HTTPS communication with servers

• Server SSL templates
  • To enable HTTPS communication with the servers
  • Server SSL template
    • SSL ciphers supported ("encryption algorithm")
    • (optional) CA that will be used to validate the server's certificate

HTTPS communication with servers

• HTTPS communication with servers – configuration
  1. (Optional) Import the CA public certificate that will be used to validate the servers' certificate
     • WebUI: Config > Service > SSL Management > Certificate
     • CLI: AX(config)# import ssl-cert <name>
  2. Create a Server SSL template
     • WebUI: Config > Service > Template > SSL > Server SSL
     • CLI: AX(config)# slb template server-ssl <name> […]
  3. Assign the Server SSL template to the Virtual Server Port
     • WebUI: Config > Service > SLB > Virtual Server > Port
     • CLI: AX(config)# slb virtual-server <name>
            AX(config-slb vserver)# port N https
            AX(config-slb vserver-vport)# template server-ssl <name>

102

HTTPS virtual port options

• SSL statistics
  • WebUI: Monitor > Service > Application > SSL
  • CLI: AX# show slb ssl stats

Summary

• In this module, we presented:
  • FTP protocol
  • HTTP protocol
  • HTTPS protocol
• And also:
  • Explained the specific load balancer configuration required for each protocol
  • Explained the specific load balancer options available for each protocol for better availability, flexibility, performance and security
  • Configured FTP, HTTP, and HTTPS VIPs on the AX

104

AX Acceleration

Module 5

Module objectives

• Understand the advanced AX options for acceleration
  • Connection Reuse
  • SSL offload
  • HTTP compression
  • RAM Caching
• Configure advanced AX options for acceleration

106

Connection reuse

• Web servers need to manage:
  • New clients (open new sessions)
  • Clients leaving (close sessions)
  • Maintaining all connected clients' sessions

Note: Web browsers keep their TCP connections open, even when all objects have been loaded

Connection reuse

• Connection Reuse offloads the server TCP stack
• This option provides faster server response time and higher server scalability
• Connection reuse
  • Terminates all clients' connections on the AX
  • Maintains persistent connections to the servers
  • Sends all clients' requests on the same persistent connections

Note: Connection Reuse requires SLB Source NAT

Note 2: HTTP Keep-alive should be enabled on the web servers

108

Connection reuse

• Connection reuse – configuration
  1. Create a Connection Reuse template
     • WebUI: Config > Service > Template > Connection Reuse
     • CLI: AX(config)# slb template connection-reuse <name> […]
  2. Assign the Connection Reuse template to the Virtual Server Port
     • WebUI: Config > Service > SLB > Virtual Server > Port
     • CLI: AX(config)# slb virtual-server <name>
            AX(config-slb vserver)# port N http
            AX(config-slb vserver-vport)# template connection-reuse <name>

Note: IP Source NAT also must be configured on the Virtual Server Port

• Connection Reuse statistics
  • WebUI: Monitor > Service > Application > Connection Reuse
  • CLI: AX# show slb connection-reuse

SSL offload

• SSL Offload relieves the server of SSL tasks
• This option provides faster server response time and higher server scalability
• AX receives HTTPS client traffic and sends HTTP traffic to the servers

110

SSL offload

• SSL offload – configuration
  • HTTPS VIP pointing to HTTP servers (see Module 4 - lesson 3)
  • (optional) Rewrite the server's HTTP redirect response
    Note: This is done via an HTTP template containing the Redirect / Rewrite option
  • (optional) Rewrite absolute links
    Note: This is done via aFleX (see Module 7)

HTTP compression

• Compresses HTTP/HTTPS objects
• Uses less bandwidth and provides faster client download time
• AX HTTP compression
  • Compresses objects sent to the clients
    Note: By default, "text" content types (such as html/css/js) and "application" content types (such as doc/xls/ppt/pdf)
  • If HTTP compression is enabled on the servers, the AX transparently offloads this task from the servers

112

HTTP compression

• HTTP compression – configuration
  1. Create an HTTP template
     • WebUI: Config > Service > Template > Application > HTTP
     • CLI: AX(config)# slb template http <name> […]
  2. Assign the HTTP template to the Virtual Server Port
     • WebUI: Config > Service > SLB > Virtual Server > Port
     • CLI: AX(config)# slb virtual-server <name>
            AX(config-slb vserver)# port N http
            AX(config-slb vserver-vport)# template http <name>

Note: On AX models with a hardware-based compression module, you need to enable hardware-based compression first
  • WebUI: Config > Service > SLB > Global
  • CLI: AX(config)# slb hw-compression

HTTP compression

• HTTP compression – statistics
  • WebUI: Monitor > Service > Application > Proxy > HTTP
  • CLI: AX# show slb http-proxy

114

RAM Caching

• Caches HTTP/HTTPS static and dynamic content in AX RAM
• Delivers cached objects to clients directly from the AX cache, offloading servers from these requests
• Provides faster client download time and higher server scalability

RAM Caching

• AX RAM Caching
  • Caches objects unless explicitly denied by the server's response
  • Caches responses with the following codes:
    • 200 OK
    • 203 Non-Authoritative Information
    • 300 Multiple Choices
    • 301 Moved Permanently
    • 302 Found (only if an Expires header is also present)
    • 410 Gone

116

RAM Caching

• AX RAM Caching – limitations
  • Does not support client HTTP range requests (they are sent to the servers)
  • Does not cache server responses with a "Vary" header (except "Vary: Accept-Encoding")
  • Does not cache server responses with a "Warning" header
  • Does not cache server responses if the request had an "Authorization" header (even if the server specifies "Cache-Control: public")
  • Does not cache incomplete (partial) responses
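The status-code list and the limitations of the two slides above, combined into one cacheability check. This is an added Python example, not A10 code: the Cache-Control handling stands in for "unless explicitly denied by the server's response" and the Content-Length comparison for "incomplete responses", both of which are assumptions about how those rules are evaluated.

```python
"""Cacheability check modelled on the RAM Caching rules above.

Added example (not A10 code). The Cache-Control handling stands in for
"unless explicitly denied by the server's response" and the Content-Length
comparison for "incomplete responses"; both are assumptions. The
status-code list and the limitations follow the slide text.
"""
from typing import Dict, Tuple

# "Caches responses with the following codes"
CACHEABLE_STATUS = {200, 203, 300, 301, 302, 410}
DENY_DIRECTIVES = {"no-store", "no-cache", "private"}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def is_cacheable(
    request_headers: Dict[str, str],
    status: int,
    response_headers: Dict[str, str],
    body: bytes,
) -> Tuple[bool, str]:
    """Return (cacheable, reason) for one request/response pair."""
    req = _lower(request_headers)
    resp = _lower(response_headers)

    # Limitations on the request side
    if "range" in req:
        return False, "range request (forwarded to the server)"
    if "authorization" in req:          # even with Cache-Control: public
        return False, "request carried Authorization"

    # Response status rules
    if status not in CACHEABLE_STATUS:
        return False, f"status {status} not cacheable"
    if status == 302 and "expires" not in resp:
        return False, "302 without Expires"

    # Response header rules
    vary = resp.get("vary")
    if vary is not None and vary.strip().lower() != "accept-encoding":
        return False, f"Vary: {vary.strip()}"
    if "warning" in resp:
        return False, "Warning header present"
    directives = {d.strip().lower() for d in resp.get("cache-control", "").split(",")}
    if directives & DENY_DIRECTIVES:
        return False, "explicitly denied by Cache-Control"

    # Incomplete (partial) responses: declared length does not match the body
    length = resp.get("content-length")
    if length is not None and len(body) != int(length):
        return False, "incomplete response"
    return True, "cacheable"


if __name__ == "__main__":
    # Constructed pairs: a plain page, and a page requested with Authorization.
    print(is_cacheable({}, 200, {"Content-Length": "5"}, b"hello"))
    print(is_cacheable({"Authorization": "Basic dXNlcjpwdw=="}, 200,
                       {"Cache-Control": "public"}, b"hello"))
```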

RAM Caching

• RAM Caching – configuration
  1. Create a RAM Caching template
     • WebUI: Config > Service > Template > Application > RAM Caching
     • CLI: AX(config)# slb template cache <name>
  2. Assign the RAM Caching template to the Virtual Server Port
     • WebUI: Config > Service > SLB > Virtual Server > Port
     • CLI: AX(config)# slb virtual-server <name>
            AX(config-slb vserver)# port N http
            AX(config-slb vserver-vport)# template cache <name>
• RAM Caching – statistics
  • WebUI: Monitor > Service > Application > RAM Caching
  • CLI: AX# show slb cache […]

118

RAM Caching

• AX RAM Caching for dynamic objects
  • Allows the AX to cache non-static objects
• You need to understand the application's behavior to determine cacheability
  • What is to be cached?
  • How long is the cached content valid?
  • What is the trigger that would cause the response to change?
• Parameterized requests
  • The URL matches a specific pattern.
  • Specific query parameters are present.
  • Specific cookies are present in the request.
  • Specific HTTP headers are present in the request.
• Policies
  • Cacheability rules determine what is cacheable and what is not
  • Invalidation rules

RAM Caching

• When not to use dynamic caching
  • The response sets cookies specific to that session.
    • Example: the response to a login page
  • The response contains data specific to a previous action in the session.
    • Example: a confirmation number for a transaction that was just executed
  • The life of a response is indeterminate; that is, the response contains data that becomes stale based on a future action.
    • Example: the portfolio page of a brokerage account user changes when the user executes transactions.
  • Different versions of the response cannot be distinguished by using the URL, query parameters, or cookies in the request.
    • Example: the response contains personalized settings, such as the user name, but no query parameter or cookie directly identifies the user.

120

RAM Caching

• Dynamic caching – caching policies
  • Caching policies can be used to override/augment standard HTTP behavior
  • Policies are specified as follows:
      policy <condition> <action>
    Where:
      <condition> is of the form uri <pattern>
      <action> is cache <seconds>, no-cache, or invalidate <entry>
    Note: More sophisticated conditions will be supported in the future using aFleX policies
  • Policies are evaluated in the order they are specified. The action in the first policy that matches is applied.

RAM Caching

• Dynamic caching example
  • Let's say there is a web application with the following URLs:
    • http://x.y.com/list            lists all items from the database
    • http://x.y.com/add?a=p1&b=p2   adds an item to the database
    • http://x.y.com/del?c=p3        deletes an item from the database
    • http://x.y.com/private?user=u1 private info for a user
  • This is a simple example, but it is also a very common scenario and is representative of many sites on the web today.
  • In this case, the list URI will be hit by a lot of users, so it makes sense to cache it as long as it remains up to date.
  • However, when a user performs an add/delete operation (one of the other URIs arrives), the database changes and the cached list has to be refreshed.
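The policy grammar of the previous slide applied to this example, as an added Python simulation (not A10 code and not the AX policy engine). The slide does not say how `uri <pattern>` matches or what `invalidate <entry>` names, so shell-style glob matching and "entry = pattern of the cached URI" are assumptions; the four policies and the tiny item database are constructed for the demo.

```python
"""Ordered cache-policy evaluation for the dynamic caching example.

Added example (not A10 code). Pattern matching uses shell-style globs and
an invalidate action removes every cached entry matching its pattern; both
are assumptions, since the slide only gives the policy grammar
(policy uri <pattern> cache <seconds> | no-cache | invalidate <entry>).
The item database is constructed for the demo.
"""
import fnmatch
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

Policy = Tuple[str, str, str]  # (uri pattern, action, argument)


def parse_policy(line: str) -> Policy:
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "policy" or tokens[1] != "uri":
        raise ValueError(f"bad policy: {line!r}")
    pattern, action = tokens[2], tokens[3]
    if action == "no-cache" and len(tokens) == 4:
        return pattern, action, ""
    if action in ("cache", "invalidate") and len(tokens) == 5:
        return pattern, action, tokens[4]
    raise ValueError(f"bad policy: {line!r}")


class DynamicCache:
    def __init__(self, policy_lines: List[str], origin: Callable[[str], str]) -> None:
        self.policies = [parse_policy(p) for p in policy_lines]
        self.origin = origin
        self.store: Dict[str, Tuple[str, float]] = {}   # uri -> (body, expires_at)

    def first_match(self, uri: str) -> Optional[Policy]:
        # "Policies are evaluated in the order they are specified."
        for pol in self.policies:
            if fnmatch.fnmatchcase(uri, pol[0]):
                return pol
        return None

    def get(self, uri: str, now: float) -> Tuple[str, str]:
        """Serve one request; returns (body, 'hit' | 'miss' | 'bypass' | 'invalidated')."""
        pol = self.first_match(uri)
        if pol is None or pol[1] == "no-cache":
            return self.origin(uri), "bypass"
        if pol[1] == "invalidate":
            for key in [k for k in self.store if fnmatch.fnmatchcase(k, pol[2])]:
                del self.store[key]
            return self.origin(uri), "invalidated"
        cached = self.store.get(uri)
        if cached is not None and now < cached[1]:
            return cached[0], "hit"
        body = self.origin(uri)
        self.store[uri] = (body, now + float(pol[2]))
        return body, "miss"


class ItemDatabase:
    """Constructed origin server for http://x.y.com/{list,add,del,private}."""

    def __init__(self, items: List[str]) -> None:
        self.items = list(items)
        self.requests = 0           # how many requests reached the server

    def fetch(self, uri: str) -> str:
        self.requests += 1
        parts = urlsplit(uri)
        query = parse_qs(parts.query)
        if parts.path == "/list":
            return ",".join(self.items)
        if parts.path == "/add":
            self.items.append(query["a"][0])
            return "added"
        if parts.path == "/del":
            self.items.remove(query["c"][0])
            return "deleted"
        if parts.path == "/private":
            return f"private data for {query['user'][0]}"
        return "not found"


# Constructed policy set for the example: cache /list for 60 s, flush it on
# add/del, never cache the per-user page.
POLICIES = [
    "policy uri /list cache 60",
    "policy uri /add* invalidate /list",
    "policy uri /del* invalidate /list",
    "policy uri /private* no-cache",
]

if __name__ == "__main__":
    db = ItemDatabase(["apple"])
    cache = DynamicCache(POLICIES, db.fetch)
    for t, uri in [(0, "/list"), (10, "/list"), (20, "/add?a=pear"), (21, "/list")]:
        print(t, uri, cache.get(uri, float(t)))
    print("origin requests:", db.requests)
```

The order of the policies matters: because `/private*` comes after `/list`, a URI matching both would take the first action, which is the behaviour the slide describes for the AX.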

122

RAM Caching

• WebUI configuration for the example

Summary

• In this module, we presented the AX acceleration options:
  • Connection Reuse
  • SSL offload
  • HTTP compression
  • RAM Caching
• And also configured them on the AX.

124

AX Security

Module 6

Module objectives

• Understand the advanced AX options for security
  • DDoS protection
  • PBSLB
  • ACL
  • Management security
  • High Availability (HA)
• Configure HA on AX devices

126

Points to keep in mind

• Some advanced HTTP/HTTPS security options are detailed in Module 4 (HTTP Templates)
• This module (Module 6) presents other AX advanced security options

Note: aFleX (covered in Module 7) can also be considered a security option

DDoS protection

• AX provides enhanced protection against DDoS (Distributed Denial of Service) attacks

Note: AX 2200 / AX 3100 / AX 3200 / AX 5100 / AX 5200 provide DDoS protection in hardware. Other models provide DDoS protection in software.

• DDoS basic filters
• DDoS configuration
  • WebUI: Config > SLB > Global
  • CLI: AX(config)# ip anomaly-drop <DDoS-type>

128

DDoS protection

• Advanced DDoS filters are also available with system-wide PBSLB
  Note: PBSLB is detailed on the next slide.
  • Invalid HTTP, SSL or DNS payload
  • Zero-length TCP window
  • Out-of-sequence packet
• Advanced DDoS configuration
  • CLI only: AX(config)# ip anomaly-drop <DDoS-type> [threshold]
• Basic and advanced DDoS statistics
  • WebUI (basic only): Monitor > Service > Application > Switch
  • CLI (basic only): AX# show slb switch […]
  • CLI (basic only): AX# show slb l4 and show pbslb client [ip@]

Policy-based SLB

• Policy-based SLB (PBSLB) allows "black lists" and "white lists" with individual clients or subnets

Note: IPv6 addresses are not supported in PBSLB.

• PBSLB denies client traffic based on:
  • IP address / subnet
  • (optional) Number of connections from that IP address / subnet
  • (optional) The client can be permitted, but directed to another Service Group

130

Policy-based SLB

• PBSLB specifics
  • Large list support
    • Up to 8 M IP addresses
    • Up to 64 K IP subnets
    • Up to 32 group IDs
  • Highly efficient
    • B/W lists are stored in hash tables
    • Can process Gbps of traffic
  • Automatic B/W list support
    • AX can update its B/W list automatically at specific intervals via TFTP
• PBSLB components
  • A PBSLB list is a list of text entries, as follows:
    ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]

Policy-based SLB

• PBSLB configuration
  1. Create or import a PBSLB list
     • WebUI (creation or import): Config > Service > PBSLB
     • CLI (import): AX(config)# import bw-list […]
  2. Create a PBSLB Policy template
     • WebUI: Config > Service > Template > PBSLB Policy
     • CLI: AX(config)# slb template policy <name> […]
  3. Assign the PBSLB Policy template to the Virtual Server Port
     • WebUI: Config > Service > SLB > Virtual Server > Port
     • CLI: AX(config)# slb virtual-server <name>
            AX(config-slb vserver)# port N <type>
            AX(config-slb vserver-vport)# template policy <name>
• PBSLB statistics
  • WebUI: Monitor > Service > PBSLB
  • CLI (basic only): AX# show pbslb […]

132

Policy-based SLB

• PBSLB file example
    10.10.1.3 4; blocking host (group 4 is defined in the template with action "drop")
    10.10.2.0/24 4; blocking subnet (group 4 is defined in the template with action "drop")
    192.168.1.1/32 2 #20; 20 concurrent connections max for that host (group 2 is defined in the template with action "permit with Service Group X")
• PBSLB template example
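A parser and matcher for the list format above, as an added Python example (not A10 code and not the AX implementation). The three list lines are the slide's; the group-to-action mapping that the PBSLB Policy template would supply, and the longest-prefix rule used when a host and its subnet both appear, are assumptions. IPv6 entries are rejected, mirroring the slide's note.

```python
"""Parser and matcher for the PBSLB black/white list format.

Added example (not A10 code). The entry grammar and the three sample lines
come from the slides; the group-to-action table and the longest-prefix rule
used when several entries cover one address are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Entry:
    network: IPv4Net
    group_id: Optional[int]
    conn_limit: Optional[int]
    comment: str


def parse_pbslb_line(line: str) -> Optional[Entry]:
    """ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]"""
    text, _, comment = line.partition(";")
    tokens = text.split()
    if not tokens:
        return None                                      # blank line
    net = ipaddress.ip_network(tokens[0], strict=False)  # bare address => /32
    if not isinstance(net, IPv4Net):
        raise ValueError("IPv6 addresses are not supported in PBSLB")
    group_id = conn_limit = None
    for tok in tokens[1:]:
        if tok.startswith("#"):
            conn_limit = int(tok[1:])
        else:
            group_id = int(tok)
    return Entry(net, group_id, conn_limit, comment.strip())


def parse_pbslb_list(text: str) -> List[Entry]:
    entries = [parse_pbslb_line(line) for line in text.splitlines()]
    return [e for e in entries if e is not None]


class Pbslb:
    def __init__(self, entries: List[Entry], group_actions: Dict[int, str]) -> None:
        self.entries = entries
        self.group_actions = group_actions   # what the PBSLB policy template maps each group to

    def lookup(self, ip: str) -> Optional[Entry]:
        """Most specific entry covering the address (assumption: longest prefix wins)."""
        addr = ipaddress.ip_address(ip)
        matches = [e for e in self.entries if addr in e.network]
        return max(matches, key=lambda e: e.network.prefixlen) if matches else None

    def decide(self, ip: str, current_connections: int) -> str:
        entry = self.lookup(ip)
        if entry is None:
            return "permit"                              # not listed: normal SLB
        if entry.conn_limit is not None and current_connections >= entry.conn_limit:
            return "drop (connection limit)"
        return self.group_actions.get(entry.group_id, "permit")


# The three lines from the slide (comments shortened).
SAMPLE_LIST = """\
10.10.1.3 4; blocking host
10.10.2.0/24 4; blocking subnet
192.168.1.1/32 2 #20; 20 concurrent connections max for that host
"""
# Constructed template: group 4 drops, group 2 permits to another Service Group.
GROUP_ACTIONS = {4: "drop", 2: "permit with Service Group X"}

if __name__ == "__main__":
    pb = Pbslb(parse_pbslb_list(SAMPLE_LIST), GROUP_ACTIONS)
    for ip, conns in [("10.10.2.77", 0), ("192.168.1.1", 5), ("192.168.1.1", 20), ("172.16.0.1", 0)]:
        print(ip, conns, "->", pb.decide(ip, conns))
```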

Access Control Lists

• AX supports standard and extended Access Control Lists (ACLs)
• ACLs can be applied to data interfaces, the management interface, and virtual server ports
• Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
• IPv4 and IPv6 ACLs are supported

134

Access Control Lists

• ACL components
    [no] access-list acl-num [seq-num]
      {permit | deny | remark string} ip
      {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}}
      {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}}
      [log [transparent-session-only]]
• ACL configuration
  1. Create an ACL
     • WebUI: Config > Network > ACL
     • CLI: AX(config)# access-list […]
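The ACL syntax above as a parser and first-match evaluator, added here as a Python example (not A10 code and not the AX implementation). Beyond what the slide states, it assumes that a dotted filter-mask is a Cisco-style wildcard mask, that an entry without seq-num gets the next multiple of 10, and that an unmatched packet is denied (the implicit deny at the end of a Cisco-format ACL); the sample ACL is constructed from documentation address ranges.

```python
"""Parser and first-match evaluator for the ACL syntax on this slide.

Added example (not A10 code). Assumptions beyond the slide: a dotted
filter-mask is treated as a Cisco-style wildcard mask, an entry without
seq-num gets the next multiple of 10, and an unmatched packet is denied
(the usual implicit deny at the end of an ACL).
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Matcher = Callable[[int], bool]   # takes an IPv4 address as an int


@dataclass
class Rule:
    seq: int
    action: str          # permit | deny
    src: Matcher
    dst: Matcher
    log: bool
    text: str


def _addr_matcher(tokens: List[str], i: int) -> Tuple[Matcher, int]:
    """{any | host A | NET {filter-mask | /mask-length}} starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        host = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip: ip == host), i + 2
    net, mask = tokens[i], tokens[i + 1]
    if mask.startswith("/"):
        network = ipaddress.ip_network(net + mask, strict=False)
        return (lambda ip: ipaddress.IPv4Address(ip) in network), i + 2
    wild = int(ipaddress.IPv4Address(mask))          # wildcard: 1 bits are "don't care"
    base = int(ipaddress.IPv4Address(net)) & ~wild & 0xFFFFFFFF
    return (lambda ip: (ip & ~wild & 0xFFFFFFFF) == base), i + 2


def parse_acl_line(line: str, next_seq: int) -> Optional[Rule]:
    tokens = line.split()
    if tokens and tokens[0] == "no":
        raise ValueError("removal lines are not evaluated here")
    if len(tokens) < 3 or tokens[0] != "access-list":
        raise ValueError(f"bad ACL line: {line!r}")
    i = 2
    seq = next_seq
    if tokens[i].isdigit():                           # optional seq-num
        seq, i = int(tokens[i]), i + 1
    if tokens[i] == "remark":
        return None                                   # remarks carry no rule
    action = tokens[i]
    if action not in ("permit", "deny") or tokens[i + 1] != "ip":
        raise ValueError(f"bad ACL line: {line!r}")
    src, i = _addr_matcher(tokens, i + 2)
    dst, i = _addr_matcher(tokens, i)
    log = i < len(tokens) and tokens[i] == "log"      # [log [transparent-session-only]]
    return Rule(seq, action, src, dst, log, line)


def parse_acl(text: str) -> List[Rule]:
    rules: List[Rule] = []
    next_seq = 10
    for line in text.splitlines():
        if not line.strip():
            continue
        rule = parse_acl_line(line, next_seq)
        if rule is not None:
            rules.append(rule)
            next_seq = (rule.seq // 10 + 1) * 10
    return sorted(rules, key=lambda r: r.seq)         # evaluated in sequence order


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int], bool]:
    """Return (action, matching seq or None, log?) for the first matching rule."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for r in rules:
        if r.src(s) and r.dst(d):
            return r.action, r.seq, r.log
    return "deny", None, False                        # implicit deny


# Constructed ACL 100 (sample addresses from RFC 5737 documentation ranges).
SAMPLE_ACL = """\
access-list 100 10 deny ip host 192.0.2.10 any log
access-list 100 20 permit ip 192.0.2.0 /24 any
access-list 100 remark guest network is blocked
access-list 100 30 deny ip 198.51.100.0 0.0.0.255 any
access-list 100 permit ip any host 203.0.113.80
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for src, dst in [("192.0.2.10", "203.0.113.80"), ("192.0.2.11", "203.0.113.80"),
                     ("198.51.100.7", "203.0.113.80"), ("10.9.9.9", "203.0.113.81")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

The first rule's `log` flag is what makes a denied host visible in the ACL statistics and logs; a rule without it still drops the packet but leaves no trace beyond the counters.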

Access Control Lists

• ACL configuration
  2. Assign the ACL to data interfaces, the management interface, or virtual server ports
     • Data interface:
       • WebUI: Config > Network > Interfaces > LAN
       • CLI: AX(config)# interface ethernet 1
              AX(config-if:ethernet1)# access-list <num> in
     • Management:
       • CLI only: AX(config)# interface management
              AX(config-if:ethernet1)# access-list <num> in
     • Virtual Server Port:
       • WebUI: Config > Service > SLB > Virtual Server > Port
       • CLI: AX(config)# slb virtual-server <name>
              AX(config-slb vserver)# port N <type>
              AX(config-slb vserver-vport)# access-list <name>

136

Access Control Lists

• ACL statistics
  • CLI only: AX# show access-list

Management security

• AX provides advanced management security options
  • Multiple management accounts with distinct levels of access
  • Interface-level access control for individual access types (ICMP / Telnet / SSH / HTTP / HTTPS / SNMP)
  • Management account lockout in response to excessive invalid passwords
  • External authentication support with RADIUS and TACACS+
  • Private partitions

Note: See the AX Series Configuration Guide for more information

138

High Availability (HA)

• High Availability design options
  • Active-Standby mode
  • Active-Active mode
  • Layer 2/3 Hot Standby mode

High Availability (HA)

• Active-Standby mode
  • The active AX processes all the production traffic
  • The standby AX does not process any production traffic
  • The standby AX mirrors all session information from the active AX
  • Reliability is scaled but not performance

140

High Availability (HA)

• Active-Standby failover
  • The peer AX is elected active
  • Gratuitous ARPs for virtual, floating and NAT IPs are sent
  • Existing mirrored sessions are picked up by the newly elected active AX
  • New sessions are served by the newly elected active AX

High Availability (HA)

• Active-Active mode
  • Both AX units process the production traffic
  • Session and state information is mirrored between both AX units
  • Performance is scaled in addition to reliability

Note: Don't exceed 50% utilization on each unit for full HA

142

High Availability (HA)

• Active-Active failover
  • The peer AX is elected active for HA group 2 and sends gratuitous ARPs for virtual IPs, floating IPs, and NAT IPs
  • Existing mirrored sessions are picked up by the peer AX
  • The peer AX serves requests for both HA groups

High Availability (HA)

• L2/3 Hot Standby mode
  • The active AX processes all the production traffic
  • The standby AX does not process any production traffic
  • The standby AX mirrors all session information from the active AX
  • The standby becomes non-forwarding but is reachable for management traffic, sends and receives HA heartbeats, receives synced sessions from the peer, and performs health checks

Note: Loop elimination protocols such as STP are not required

144

High Availability (HA)

• L2/3 Hot Standby failover
  • The peer AX is elected new active
  •Gratuitous ARPs for virtual, floating and NAT IPs are sent
  • The new active becomes fully forwarding and existing mirrored sessions continue

High Availability

• All AX integration modes support HA
  • Routed mode: Active-Standby, Active-Active and L3 Hot Standby modes
  • One-Arm mode: Active-Standby, Active-Active and L3 Hot Standby modes
  • Transparent mode: L2 Hot Standby mode
  • DSR mode: Active-Standby, Active-Active and L3 Hot Standby modes

146

High Availability

• HA Active-Standby mode – configuration steps
  1. Configure HA interfaces
     • All interfaces used for production traffic (+ the AX interlink, if one exists)
     Note: We recommend a dedicated direct interlink between the AX units so that sync traffic is off the production network.
  2. Configure HA global settings
     • Identifier (AX1 = 1, AX2 = 2)
     • HA Status: Enabled
     • (optional) HA Mirroring IP address: the remote AX sync interface
     • (optional) Preempt: fail over to the higher-priority AX when it becomes available
     • Group1 with priority 200 on AX1 (priority 100 on AX2)
     • Floating VIP for Group1: IP addresses defined as the servers' gateway (VRRP-like)
     • (optional) IP@ and VLAN check
       Note: The IP@ have to be defined as SLB servers too

High Availability

• HA Active-Standby mode – configuration steps (cont.)
  3. Configure VIP HA settings
     • In the VIP settings, associate the HA Group with the VIP
     • (optional) Enable Dynamic Server Weight: reduces the AX HA Group priority when a server is down
     • (optional) Enable HA Connection Mirroring on the VIP ports: synchronizes the SLB session table (available for TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
     Note: For HTTP/HTTPS VIP types, the client session is terminated on the AX device. HA Connection Mirroring is not available for these VIP types.
  4. Configure NAT pool HA settings
     • In IP Source NAT, associate the HA Group with IPv4 pools, IPv6 pools, NAT ranges, or static NAT.

148

High Availability

• HA Active-Active mode – configuration steps
  • Same as Active-Standby, with two groups defined
  • Step 2:
    • Group1 with priority 200 on AX1 (priority 100 on AX2)
    • Group2 with priority 100 on AX1 (priority 200 on AX2)
  • Step 3:
    • Associate Group1 with half of the VIPs and Group2 with the second half
  • Step 4:
    • Associate Group1 with the NAT pools used by VIPs in Group1 and Group2 with the NAT pools used by VIPs in Group2

High Availability

• HA Layer 2/3 mode – configuration steps
  • Same as Active-Standby except for step 2
  2. Configure HA Inline Mode
     • Enable
     • Preferred port: port used to sync configuration and sessions
     • (optional) Restart port list: add the AX interfaces in production
     • (optional) L3 mode enabled: if the AX is in Layer 3 inline mode

150

High Availability

• HA Active-Standby mode – configuration
  1. Configure HA interfaces
     • WebUI: Config > HA > Setting > HA Global
     • CLI: AX(config)# ha interface […]
  2. Configure HA global settings
     • Active-Standby or Active-Active modes:
       • WebUI: Config > HA > Setting > HA Global
       • CLI: AX(config)# ha […]
       Note: If IP@ check is configured, define these IP@ in SLB servers too.
     • L2/3 modes:
       • WebUI: Config > HA > Setting > HA Inline Mode
       • CLI: AX(config)# ha [inline-mode | l3-inline-mode]

High Availability

• HA Active-Standby mode – configuration (cont.)
  3. Configure VIP HA settings
     • WebUI: Config > Service > SLB > Virtual Server
     • CLI: AX(config)# slb virtual-server <name>
            AX(config-slb vserver)# ha-group <num>
  4. Configure NAT settings
     • WebUI: Config > Service > SLB > IP Source NAT
     • CLI: AX(config)# ip nat […]

152

High Availability

• Configuration synchronization
  • WebUI: Config > HA > Config Sync
  • CLI: AX(config)# ha sync [all | data-files | running-config | startup-config] to-[running-config | startup-config] [with-reload] [all-partitions | partition]
  Note: We recommend syncing "All" to the "startup-config + reload"
• HA manual failover can also be initiated with the following:
  • CLI (from the active AX): AX(config)# ha force-self-standby
  Note: Manual failover can also be done with "preempt enabled" + changing the HA group priority.

High Availability

• HA status
  • WebUI: Monitor > HA > Group
  • CLI: AX# show ha

154

High Availability

• HA statistics
  • WebUI: Monitor > HA > Status
  • CLI: AX# show ha detail

Summary

• In this module, we presented AX advanced security options:
  • DDoS protection
  • PBSLB
  • ACL
  • Management security
  • High Availability (HA)
• And also configured HA.

156

AX Power and Flexibility

Module 7

Module objectives

• Understand the advanced AX options for flexibility
  • Cookie persistence
  • aFleX
• Understand the AX Advanced Core Operating System (ACOS)

158

AX Flexibility

Module 7 – Lesson 1

Points to keep in mind

• Some advanced HTTP/HTTPS flexibility options have already been detailed in Module 4 (HTTP Templates)
• This module (Module 7) presents other advanced AX flexibility options

160

Cookie persistence

• When to use cookie persistence
  • Like Source IP Persistence, Cookie Persistence is used when HTTP/HTTPS clients must have their future connections/traffic terminated on the same server.
  • But Cookie Persistence provides more granularity: even different users coming from the same proxy (same IP address) get different persistence with Cookie Persistence.

Cookie persistence

• AX Cookie Persistence – configuration
  • Create a Cookie Persistence template
    • Name
    • (optional) Expiration
    • (optional) Cookie Name
    • (optional) Domain
    • (optional) Path
    • (optional) Match type
    • (optional) Insert Always
    • (optional) Don't Honor Conn Rules
  • Assign the Cookie Persistence template to the Virtual Server Port

162

Cookie persistence

• AX Cookie Persistence – configuration (cont.)
  • Create a Cookie Persistence template
    • WebUI: Config > Service > Template > Persistent > Cookie Persistence
    • CLI: AX(config)# slb template persist cookie <name> […]
  • Assign the Cookie Persistence template to the Virtual Server Port
    • WebUI: Config > Service > SLB > Virtual Server > Port
    • CLI: AX(config)# slb virtual-server <name>
           AX(config-slb vserver)# port N tcp
           AX(config-slb vserver-vport)# template persist cookie <name>

aFleX

• What is aFleX?
  • aFleX is a powerful and flexible AX feature that you can use to manage your traffic and provide enhanced benefits/services
  • aFleX uses industry-standard Tcl (Tool Command Language) based syntax
    • Standard Tcl commands
    • A special set of extensions provided by the AX
• aFleX allows:
  • Content inspection (headers / data)
  • Actions on traffic
    • Block traffic
    • Redirect traffic to a specific Service Group (pool) or Server (node)
    • Modify traffic content

164

aFleX

• Elements of an aFleX script
  • aFleX scripts are made up of three basic elements:
    • Events
    • Operators
    • aFleX commands
• Events
  • aFleX scripts are event-driven, which means that the AX system triggers the aFleX script whenever that event occurs.
  • Examples: HTTP_REQUEST is triggered when an HTTP request is received. CLIENT_ACCEPTED is triggered when a client has established a connection.
• Operators
  • Standard Tcl operators
  • Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
  • Logical operators: not, and, or

aFleX

• Elements of an aFleX script (cont.)
  • aFleX commands
    • Used to query for data, manipulate data, or specify a traffic destination. These may be grouped into three main categories:
      • Statement commands
        Example: "pool <name>" directs traffic to the named load balancing pool
      • Commands that query or manipulate data
        Examples: "IP::remote_addr" returns the remote IP address of a connection; "HTTP::header remove <name>" removes the last occurrence of the named header from a request or response
      • Utility commands, useful for parsing and manipulating content
        Example: "decode_uri <string>" decodes the named string using HTTP URI encoding and returns the result

Note: aFleX is extensible. In future releases, additional aFleX events and aFleX commands will be added.

166

aFleX

• aFleX configuration
  1. Place the aFleX script on the AX
     • Using the CLI
       • Use a computer with any text editor to write an aFleX script and save it as a file.
       • Use the "import aflex" command to import the aFleX file from the computer to the AX.
       • aFleX CLI syntax check: "aflex check <name>".
     • Using the WebUI
       • With the AX web interface, users can directly type in aFleX scripts and save them on the AX under "Config > Service > aFleX".
     • Using the aFleX Editor
       • The aFleX editor can download/upload aFleX scripts from/to the AX. Moreover, it can do syntax checking. As an editor, it also has syntax highlighting, keyword auto-completion, etc.

aFleX

• aFleX configuration (cont.)
  2. Assign the aFleX script to the VIP port
     • WebUI: Config > Service > SLB > Virtual Server > Port
     • CLI: AX(config)# slb virtual-server <name>
            AX(config-slb vserver)# port N tcp
            AX(config-slb vserver-vport)# aflex <name>
• aFleX statistics
  • WebUI: Monitor > Service > aFleX
  • CLI: AX# show aflex […]

168

aFleX

• aFleX examples
  • Redirect a specific client to a specific service group

    # Tcl is case sensitive: the event keyword is lowercase "when"
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            pool sg2
        }
    }

    Note: This could be achieved by PBSLB too.

  • Redirect clients to https for the host secure.abc.com

    when HTTP_REQUEST {
        if { [HTTP::host] equals "secure.abc.com" } {
            HTTP::redirect https://[HTTP::host][HTTP::uri]
        }
    }

    Note: This could NOT be achieved by PBSLB.

aFleX

• aFleX examples
  • Redirect clients to specific pools depending on the URL

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/finance" } {
            pool finance_pool
        } elseif { [HTTP::uri] starts_with "/dev" } {
            pool dev_pool
        }
    }

170

Advanced Core Operating System

Module 7 – Lesson 2

ACOS – Architecture Overview

• SSL Acceleration Module – SSL processing
• Application Memory – session tables, buffer memory, application data
• L4-7 CPUs – L4-7 processing, security
• Control Kernel – CLI, GUI, management tasks and health checking
• Flexible Traffic ASIC (FTA) – distributes traffic across L4-7 CPUs, efficient network I/O, DDoS
• Switching & Routing ASIC – L2 & L3 processing and security

172

ACOS Design Highlights

• ACOS on the data plane
  • Zero locking
  • Zero IPC
  • Zero interrupt
  • Zero scheduling
  • Zero buffer copy for low-latency packet processing
• Linux on the control plane
  • Used by the management CPU only
  • All application delivery traffic is handled by ACOS
• Efficient use of memory – no duplicate data

ACOS = Resource Efficiency

• Processing efficiency
  • Eliminates unneeded cycles for faster processing
  • Zero locking, zero buffer copy, zero IPC, zero scheduling, zero interrupt
• Physical memory efficiency
  • Data is not replicated, multiple copies of data are not needed, more total memory available
  • Space saving, non-replication, zero copy, accuracy, real-time data
• Input/Output (I/O) efficiency
  • Faster overall system processing
  • Low-latency packet processing, optimized drivers, Flexible Traffic ASIC, low overhead

174

AX Series Shared Memory

Shared Memory versus Legacy Approach (diagram)

• AX Series: one shared memory accessed by all cores
• Legacy approach: data is replicated to each core's dedicated memory

175

AX Shared Memory Advantage

- AX Series eliminates IPC and maximizes performance
  - Data required by all CPUs is processed in the same location without other CPU notification/reliance
  - Accurate real-time decision criteria, e.g. rate-limiting, connection-limit, max TCP connections, server selection, tracked global variables used for decisions or any shared data set
  - Maximizes memory – no redundant copies of information per core. More total system memory

[Figure: AX Series Shared Memory]

176

Shared Memory Efficiency

- Shared Memory
  - One copy of each item kept in memory, for example:
    - PBSLB list uses 64 MB of RAM; total AX memory usage = 64 MB RAM
    - Cached objects, 10 x 0.5 MB; total AX memory usage = 5 MB
    - Total 69 MB of RAM used
- Without Shared Memory
  - Multiple copies of each item kept in each core's memory, for example with 32 cores:
    - PBSLB list uses 64 MB of RAM per core; total memory usage = 2048 MB RAM
    - Cached objects, 10 x 0.5 MB per core; total memory usage = 160 MB
    - Total 2208 MB of RAM used
- Available system memory is reduced dramatically by a non-shared memory architecture

177

ACOS Versus Legacy OS

ACOS                                       | Legacy OS
-------------------------------------------|----------------------------------
Designed for multi-core                    | Not designed for multi-core
32-bit or 64-bit OS (with feature parity)  | 32-bit OS only
Decoupled CPU architecture                 | Coupled CPU architecture
Shared memory                              | Non-shared memory
No IPC (Inter Process Communication)       | IPC (Inter Process Communication)
Optimized flow distribution                | Software based flow distribution

178

Summary

- In this module, we presented the following advanced AX flexibility options:
  - Cookie persistence
  - aFleX
- We also configured them on the AX.
- We also presented the ACOS architecture.

179

AX Management and Troubleshooting

Module 8

180

Module objectives

- Understand the different types of AX management access
- Understand the AX configuration components and how to backup/restore the AX configuration
- Understand the AX software components and how to upgrade/downgrade AX
- Understand VLAN on AX
- Learn initial AX configuration
- Learn troubleshooting techniques and tools
- Understand the AX release process and how to contact AX support

181

AX management access

- CLI
  - Console (RS-232 connection / 9600, 8, N, 1)
  - Telnet (disabled by default)
  - SSHv2
- Web
  - HTTP (configurable ports - disabled by default)
  - HTTPS (configurable ports)
- Levels of authentication (CLI and Web)
  - CLI:
    - Login ID/Password
    - Enable ID/Password
  - Web:
    - User roles (read-write / read-only)

182

AX configuration components

- AX configuration components
  - Configuration file
  - (optional) aFleX files
  - (optional) PBSLB files
  - (optional) SSL certificates and keys
  - (optional) Geo-location files (option in GSLB and geo-location-based VIP access)

183

AX configuration components

- AX full configuration backup
  - The full AX configuration can be backed up
    - WebUI: Configuration > System > Maintenance > Backup > System
    - CLI: AX(config)# backup config […]
- AX full configuration restore
  - The full AX configuration can be restored
    - WebUI: Configuration > System > Maintenance > Restore > System
    - CLI: AX(config)# restore […]

Note: Supported upload protocols: FTP, SCP, RCP, TFTP, and HTTPS (via WebUI)

184

AX software management

- AX software is stored on
  - Two disk partitions: primary and secondary
    - The second partition is designed for easy software rollback
  - Two Compact Flash partitions: primary and secondary
    - CF is designed for emergency recovery

Note: Each storage location has its own software and AX configuration

185

AX software management

- AX software upgrade recommended steps
  1. Back up your system (covered on the previous slide)
  2. Check the AX running partition
     - WebUI: Monitor > Overview > Summary > System Information
     - CLI: AX# show bootimage
  3. Upgrade the AX device's other partition
     - WebUI: Configuration > System > Maintenance > Upgrade
     - CLI: AX(config)# upgrade […]
  4. Copy the running configuration to the other partition
     - CLI only: AX# write memory [primary|secondary]
  5. Set the boot source to the other partition
     - WebUI: Configuration > System > Settings > Boot
     - CLI: AX(config)# bootimage hd [primary|secondary]
  6. Restart from the other partition
     - WebUI: Configuration > System > Settings > Action > Reboot
     - CLI: AX# reboot

186

VLAN

- VLAN allows AX to
  - Bind multiple physical interfaces to the same broadcast domain

187

VLAN

- VLAN allows AX to (cont.)
  - Bind one physical interface to multiple layer 2 broadcast domains

188

VLAN

- VLAN configuration steps
  1. VLAN creation
     - VLAN ID
     - Physical interfaces, tagged and untagged
     - (optional) VLAN name
     - (optional) Virtual interface
  2. Virtual interface (when selected in the VLAN configuration)
     - IP address
     - Netmask
     - (optional) all Ethernet options such as ACL, secondary IP address

189

VLAN

- VLAN configuration
  - VLAN creation
    - WebUI: Config > Network > VLAN
    - CLI: AX(config)# vlan […]
  - Virtual interface (when selected in the VLAN configuration)
    - WebUI: Config > Network > Interface > Virtual
    - CLI: AX(config)# interface ve […]

190

VLAN

- Important point
  - Always configure virtual interfaces in an AX routed mode integration to avoid loops!!!

191

First Steps configuration

- Rollback to factory configuration
  - CLI:

    AX(config)# system-reset
    AX(config)# end
    AX# reboot

- First step configuration
  - Connect on the AX console (9600 baud - 8 bits - no parity - 1 stop bit)
  - Default user/password: admin/a10
  - Configure the management interface and its default gateway
  - Finish the AX configuration via CLI (ssh) or WebUI (https)
    - Configure production interfaces (vlan, ethernet/ve interfaces)
    - Enable production interfaces
    - (optional) Configure routing (static/dynamic)
    - (optional) Configure specific management rights
    - Configure servers / service groups / virtual servers
    - etc.

192

First Steps configuration

- First step configuration example

AX login: admin
Password:
[type ? for help]
AX>en
Password:
AX#conf
AX(config)#in
AX(config)#interface m
AX(config)#interface management
AX(config-if:management)#ip address 172.31.31.11 /24
AX(config-if:management)#ip default-gateway 172.31.31.1
AX(config-if:management)#exit
AX(config)#exit

193

Troubleshooting methodology

- Layer 2 and 3: Data Link & Network Layers
  - Check network connectivity: AX# ping
  - Check port/interface status: AX# show interface brief + AX# show interface
  - Check ARP and MAC tables: AX# show arp + AX# show mac-address-table
  - Check routes: AX# show ip fib + AX# show ip route
- Layer 4: Transport Layer
  - Check for connection errors
- Layer 7
  - Check for application specific errors

194

Troubleshooting tools

- AX log (AX# show log)
  - AX logs many informational, warning, and error messages; it is the first place to check when experiencing any issues
    - Port/interface up/down messages
    - L2 loop detection warnings
    - Unicast/multicast/broadcast packet limit warnings
    - MAC address movement warnings
    - Duplicate IP warnings
    - Server & service port up/down messages
    - Application specific error messages: SLB, PBSLB, HTTP, HA, etc.
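A small triage script for the message categories the slide lists, as an added example that is not A10 tooling. The slides do not document the exact AX log format, so the sample lines below are constructed in a generic syslog-like shape and only illustrate the categories (interface up/down, L2 loop, packet limit, MAC move, duplicate IP, server/service port, application errors); the patterns would need adjusting to the real `show log` output. The second function picks out MAC addresses that move repeatedly, which is the kind of signal a defender looks for when checking for an L2 loop or a spoofed host.

```python
"""Classify AX 'show log' lines by category (added example; sample lines are constructed)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines, not real AX output; the format is assumed.
SAMPLE_LOG = """\
Jan 10 09:12:01 AX Info: Interface ethernet 3 is up
Jan 10 09:12:05 AX Warning: MAC address 00:11:22:33:44:55 moved from ethernet 3 to ethernet 4
Jan 10 09:12:06 AX Warning: MAC address 00:11:22:33:44:55 moved from ethernet 4 to ethernet 3
Jan 10 09:12:07 AX Warning: Possible L2 loop detected on vlan 10
Jan 10 09:13:00 AX Warning: Duplicate IP address 10.1.1.5 detected from 00:aa:bb:cc:dd:ee
Jan 10 09:13:30 AX Notice: Server web1 port 80 is down
Jan 10 09:13:31 AX Error: SLB: service group sg_web has no healthy member
Jan 10 09:14:00 AX Warning: Broadcast packet limit exceeded on ethernet 2
"""

# Category name -> pattern, evaluated in order; the first match wins.
CATEGORIES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("l2_loop", re.compile(r"\bL2 loop\b", re.I)),
    ("mac_move", re.compile(r"\bMAC address\b.*\bmoved\b", re.I)),
    ("duplicate_ip", re.compile(r"\bDuplicate IP\b", re.I)),
    ("packet_limit", re.compile(r"\b(Unicast|Multicast|Broadcast) packet limit\b", re.I)),
    ("server_port", re.compile(r"\bServer \S+ port \d+ is (up|down)\b", re.I)),
    ("interface", re.compile(r"\bInterface \S+ \d+ is (up|down)\b", re.I)),
    ("app_error", re.compile(r"\b(SLB|PBSLB|HTTP|HA):", re.I)),
]


def classify(line: str) -> str:
    """Return the category of one log line, or 'other' if nothing matches."""
    for name, pattern in CATEGORIES:
        if pattern.search(line):
            return name
    return "other"


def triage(log_text: str) -> Dict[str, int]:
    """Count lines per category so the noisy categories stand out first."""
    counts = Counter(classify(line) for line in log_text.splitlines() if line.strip())
    return dict(counts)


def flapping_macs(log_text: str, threshold: int = 2) -> List[str]:
    """MAC addresses reported as moved at least `threshold` times.

    Repeated moves of one address between ports are a loop or spoofing
    indicator worth correlating with the L2 loop warnings.
    """
    mac_re = re.compile(r"MAC address ([0-9a-f:]{17}) moved", re.I)
    matches = (mac_re.search(line) for line in log_text.splitlines())
    seen = Counter(m.group(1).lower() for m in matches if m)
    return sorted(mac for mac, n in seen.items() if n >= threshold)
```

Running `triage(SAMPLE_LOG)` on the constructed lines yields two mac_move entries and one of each other category, and `flapping_macs(SAMPLE_LOG)` returns the single address that moved twice.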

195

Troubleshooting tools

- Debug
  - WebUI
    - AX's WebUI provides a number of report graphs that can help you identify any potential issues
    - Example: CPU and server/virtual-server load information can help identify time periods when the system was under stress
  - SNMP
    - SNMP clients can query AX for status information
    - AX can be configured to send SNMP traps to servers/receivers

196

Troubleshooting tools

- Debug (cont.)
  - debug packet <filters>
    - Define a set of filters for packet capture
    - Example: interface, IP address, protocol, port number, etc.
  - debug http/ssl/ (etc.)
    - Captures application specific debug information
  - debug monitor
    - Use this command after defining a filter to display captured packets on screen
    - Make sure your filter is specific enough to capture only the packets needed for debugging
    - The CLI may become temporarily unresponsive if a large number of packets are captured to the screen

197

Troubleshooting tools

- AXdebug
  - More filter options than debug packet
  - Allows saving captured packets to a local file (in tcpdump/Wireshark format) and then exporting them off the AX
- Show techsupport
  - Provides important debug information for the A10 Support team
  - When possible, issue the command once before, during, and after the issue being experienced

Note: Make sure your terminal session has enough scroll back lines to capture the full output (or log it to a text file)

- Backup log
  - Provides detailed system information for debugging
  - Compresses the data and exports the file off the AX

198

AX Release Process

- AX provides 5 different releases
  - Major
    - Major features/enhancements (between 12 - 14 months)
  - Enhancement
    - Enhancements (between 6 - 8 months)
  - Minor
    - Periodic bug fixes and minor enhancements (between 3 - 4 months)
  - Patch
    - Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)
  - Special Patch
    - Emergency patch for a specific customer (2-3 days)

Note: New hardware platforms support only the newest release available on their release date

199

AX Release Process

- AX release tests

Test            | Major                            | Enhancement                          | Minor                                | Patch
----------------|----------------------------------|--------------------------------------|--------------------------------------|-------------------------------------
Unit            | New features                     | New features                         | Fixes                                | Fixes
Functional      | New features                     | New features                         | Fixes                                | Fixes
Negative        | Full                             | Full                                 | Affected                             | None
Stress          | Full                             | Affected                             | None                                 | None
Regression      | Manual = full, Automated = full  | Manual = affected, Automated = full  | Manual = affected, Automated = full  | Manual = affected, Automated = full
Sys Integration | Full                             | Full                                 | Partial                              | Partial as needed
Performance     | Full                             | Affected                             | Affected                             | None
Scalability     | Full                             | Affected                             | Affected                             | None
Stability       | 2 weeks                          | 1 week                               | 3 days                               | 1 day
Alpha           | Full                             | Affected                             | Affected                             | None
Beta            | Full                             | Affected                             | None                                 | None

200

AX Release Process

- QA patch release process

[Flowchart: QA patch release process – Defect report (Support) → Functional Test → Regression Test (Manual, Automated) → Sys Integration Test → Alpha Test → Performance Test / Scalability Test (as needed) → Release Approve (QA, Release Mgr)]

201

AX Release Process

- AX provides 5 different release types
  - Major (X.Y.M-Pn build N)
    - Major features/enhancements (between 12 - 14 months)
  - Enhancement (X.Y.M-Pn build N)
    - Enhancements (between 6 - 8 months)
  - Minor (X.Y.M-Pn build N)
    - Periodic bug fixes and minor enhancements (between 3 - 4 months)
  - Patch (X.Y.M-Pn build N)
    - Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)
  - Special Patch (X.Y.M-Pn build N)
    - Emergency patch for a specific customer (2-3 days)

Note: New hardware platforms support only the newest release available on their release date

Note: build N information may be removed in the future
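A parser and comparator for identifiers in the X.Y.M-Pn build N form named on this slide, as an added example that is not A10 tooling. Only the identifier shape comes from the slides (with `build N` optional, since the note says it may be removed); the mapping of X, Y, M and Pn to Major, Enhancement, Minor and Patch in `release_type` is an assumption made here for illustration. It is the kind of check a practitioner runs when reconciling the image reported by `show bootimage`, or the "release 2.4.2" quoted in a ticket subject, against the release they intend to be on.

```python
"""Parse and order AX release identifiers 'X.Y.M-Pn build N' (added example, not A10 code)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

_RELEASE_RE = re.compile(
    r"^(?P<x>\d+)\.(?P<y>\d+)\.(?P<m>\d+)"   # X.Y.M
    r"(?:-P(?P<p>\d+))?"                     # optional -Pn
    r"(?:\s+build\s+(?P<b>\d+))?$"           # optional 'build N'
)


@dataclass(frozen=True)
class Release:
    x: int
    y: int
    m: int
    p: int = 0                   # no -Pn suffix is treated as patch level 0 (assumption)
    build: Optional[int] = None  # informational only; excluded from ordering

    def key(self) -> Tuple[int, int, int, int]:
        return (self.x, self.y, self.m, self.p)


def parse_release(text: str) -> Release:
    """Parse '2.4.2-P3 build 17', '2.4.2-P3' or '2.4.2'; raise ValueError otherwise."""
    mo = _RELEASE_RE.match(text.strip())
    if not mo:
        raise ValueError(f"not an X.Y.M-Pn build N identifier: {text!r}")
    return Release(
        int(mo["x"]), int(mo["y"]), int(mo["m"]),
        int(mo["p"]) if mo["p"] else 0,
        int(mo["b"]) if mo["b"] else None,
    )


def release_type(old: Release, new: Release) -> str:
    """Classify the step from old to new.

    Assumed mapping (not stated on the slides): a change in X is a major
    release, in Y an enhancement release, in M a minor release, and in Pn
    a patch release. A lower key is reported as a downgrade.
    """
    if new.key() == old.key():
        return "same"
    if new.key() < old.key():
        return "downgrade"
    if new.x != old.x:
        return "major"
    if new.y != old.y:
        return "enhancement"
    if new.m != old.m:
        return "minor"
    return "patch"


def is_at_least(installed: str, required: str) -> bool:
    """True when the installed identifier is at or above the required one."""
    return parse_release(installed).key() >= parse_release(required).key()
```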

203

Why AX support is better

- Qualified support staff
  - Average 10+ years experience
- Training
  - Support
  - SEs
  - Core Engineers on Tier 2 support rotation
- Passionate
  - Really care about customers
  - Company directive: customer issue is #1 priority

204

How to contact AX support

- AX support can be contacted by 3 methods
  - Phone
    - From North America: 1 888 822 7210 (1-888-TACSA10)
    - From International: +1 408 325 8676
    - 24 x 7 x 365 support
      - Mon-Fri 6AM-11PM PST + Sat, Sun 9AM – 6PM PST: A10 support engineers
      - All other hours: call center; when needed, escalation to standby engineers, and standby engineers contact the customer immediately
    - Be ready to provide
      - Problem description
      - Showtech (almost always required)
      - Topology; highly preferred
      - Trace
      - Backup log

205

How to contact AX support

- AX support can be contacted by 3 methods (cont.)
  - Email
    - [email protected]
    - A support ticket is auto generated
    - An auto reply email with a ticket number is sent
    - What information to provide?
      - Subject with "Priority (if urgent)" + "Customer name" + "Brief description of ticket" + "Release number"
        Example: "P1: abc.com - Certain VIPs fail to pass traffic – release 2.4.2"
      - Additional information:
        - Detailed problem description
        - Production, eval, POC, etc.
        - Expected time of resolution by customer
        - Showtech attachment (almost always required)
        - Topology; highly preferred
        - Trace
        - Backup log

206

How to contact AX support

- AX support can be contacted by 3 methods (cont.)
  - Support web site
    - http://a10networks.com/support
    - A support ticket is auto generated
    - An auto reply email with a ticket number is sent
    - What information to provide?
      - Same as by email (see previous slide).

207

How to contact AX support

- Severity levels
  - Priority 1: Network down
  - Priority 2: Serious performance degradation
  - Priority 3: Performance impact, installation issue
  - Priority 4: Information request

Note: Priority 1 and 2 issues should be reported via phone (1-888-TACS-A10)

Priority Level | Acknowledgement | Response  | Ownership
---------------|-----------------|-----------|-----------------
Priority 1     | < 1 Hour*       | < 1 Hour  | Support Manager
Priority 2     | < 1 Hour        | < 4 Hours | Support Engineer
Priority 3     | < 8 Hours       | < 2 Days  | Support Engineer
Priority 4     | < 8 Hours       | < 4 Days  | Support Engineer

* 30 minutes or less

208

How to contact AX support

- Escalation metrics

Escalation           | Level 1               | Level 2 (after 1 hour)      | Level 3 (after 4 hours)     | Level 4 (after 24 hours) | Level 5 (after 7 days)
---------------------|-----------------------|-----------------------------|-----------------------------|--------------------------|-------------------------
Priority 1, Critical | TAC Engineer/Manager  | Director, Technical Support | VP, Engineering/Sales       | CEO                      |
Priority 2, High     | TAC Engineer          | TAC Manager                 | Director, Technical Support | VP, Engineering/Sales    | CEO
Priority 3, Medium   | TAC Engineer          | TAC Engineer                | TAC Engineer                | TAC Manager              | Flagged
Priority 4, Low      | TAC Engineer          | TAC Engineer                | TAC Engineer                | TAC Engineer             | Flagged (after 14 days)

209

Summary

- In this module, we presented:
  - AX management
  - AX troubleshooting techniques and tools
  - AX release process and how to contact AX support