Performance by Design

AX Series™ Advanced Traffic Manager

Configuration Guide
Document No.: D-030-01-00-0006 Ver. 2.0.2 11/11/2009

Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support)
Fax: +1-408-325-8666
www.a10networks.com

Notice: A10 Networks, the A10 logo, ACOS, aFleX, aXAPI, IDaccess, IDsentrie, IP-to-ID, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners. Information in this document is subject to change without notice.
Published by: A10 Networks, Inc. 2309 Bering Dr. San Jose, CA 95131-1125 USA
© A10 Networks, Inc. 11/11/2009 - All Rights Reserved

Disclaimer
The information presented in this document describes the specific products noted and does not imply nor grant a guarantee of any technical performance nor does it provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the right to make technical and other changes to their products and documents at any time and without prior notification. No warranty is expressed or implied; including and not limited to warranties of noninfringement, regarding programs, circuitry, descriptions and illustrations herein.

Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks, Inc. location which can be found by visiting www.a10networks.com.

AX Series - Configuration Guide

About This Document
This document describes the features of the A10 Networks AX Series™ Advanced Traffic Manager. Configuration examples of the major features are provided. Additional information is available for AX Series systems in the following documents. These documents are included on the documentation CD shipped with your AX Series system, and also are available on the A10 Networks support site:
• AX Series Installation Guide
• AX Series GUI Reference
• AX Series CLI Reference
• AX Series aFleX Reference
• AX Series MIB Reference
• AX Series aXAPI Reference

This document assumes that you have already performed the basic deployment tasks described in the AX Series Installation Guide.

System Description – The AX Series
FIGURE 1 The AX Series™ Advanced Traffic Manager

The AX Series is the industry’s best performing application acceleration switch that helps organizations scale and maximize application availability through the world’s most advanced application delivery platform. The AX Series Advanced Core Operating System (ACOS) accelerates and secures critical business applications, provides the highest performance and reliability, and establishes a new industry-leading price/performance. For more detailed information, see “System Overview” on page 17.

3 of 702

Audience
This document is intended for use by network architects for determining applicability and planning implementation, and for system administrators for provisioning and maintenance of the A10 Networks AX Series.

Representations of Layer 2 and Layer 3 Devices
This document uses the following commonly used icons in network topology examples for vendor-agnostic representations of Layer 2 switches and Layer 3 routers.

Icon                    Description
[Layer 2 switch icon]   Layer 2 switch
[Layer 3 router icon]   Layer 3 router


Contents

About This Document .... 3
    System Description – The AX Series .... 3
    Audience .... 4
    Representations of Layer 2 and Layer 3 Devices .... 4

System Overview .... 17
    AX Series Features .... 17
    ACOS Architecture .... 18
        AX Software Processes .... 19
    Hardware Interfaces .... 20
    Software Interfaces .... 21
    Server Load Balancing .... 21
        Intelligent Server Selection .... 22
        Configuration Templates .... 23
    Global Server Load Balancing .... 25
    Outbound Link Load Balancing .... 25
    Transparent Cache Switching .... 25
    Firewall Load Balancing .... 25
    Where Do I Start? .... 25

Basic Setup .... 27
    Logging On .... 27
        Logging Onto the CLI .... 28
        Logging Onto the GUI .... 29
    Configuring Basic System Parameters .... 32
        Setting the Hostname and Other DNS Parameters .... 32
        Setting the CLI Banners .... 33
        Setting Time/Date Parameters .... 34
        Configuring Syslog Settings .... 37
        Enabling SNMP .... 41
            SNMP Traps .... 42
            SNMP Communities and Views .... 43
            SNMP Configuration Steps .... 44
    Configuration Examples .... 47


Network Setup .... 53
    Overview .... 53
        IP Subnet Support .... 53
    Transparent Mode .... 54
        Configuration Example .... 56
    Transparent Mode in Multinetted Environment .... 62
        Configuration Example .... 64
    Route Mode .... 68
        Configuration Example .... 69
    Direct Server Return in Transparent Mode .... 74
        Configuration Example .... 76
    Direct Server Return in Route Mode .... 79
        Configuration Example .... 80
    Direct Server Return in Mixed Layer 2/Layer 3 Environment .... 82

HTTP Load Balancing .... 89
    Overview .... 89
    Configuring HTTP Load Balancing .... 93

HTTP Options for SLB .... 105
    Overview .... 105
        Summary of HTTP Options .... 105
        HTTP Template Configuration .... 106
    URL Hash Switching .... 108
        Configuring URL Hashing .... 110
    URL / Host Switching .... 111
        Configuring URL / Host Switching .... 114
        Using URL / Host Switching along with Cookie Persistence .... 115
        Using URL / Host Switching along with Source IP Persistence .... 119
    URL Failover .... 119
        Configuring URL Failover .... 120
    5xx Retry and Reassignment .... 121
    Content Compression .... 122
        Hardware-Based Compression .... 123
        How the AX Device Determines Whether to Compress a File .... 125
        Configuring Content Compression .... 126
    Client IP Insertion / Replacement .... 129
        Configuring Client IP Insertion / Replacement .... 132
    Header Insertion / Erasure .... 133
        Configuring Header Insertion / Replacement .... 134
        Configuring Header Erasure .... 137
    URL Redirect Rewrite .... 138
        Configuring URL Redirect Rewrite .... 138
    Strict Transaction Switching .... 140
        Enabling Strict Transaction Switching .... 140

FTP Load Balancing .... 141
    Overview .... 141
    Configuring FTP Load Balancing .... 143

SIP Load Balancing .... 163
    Overview .... 163
    Configuring SIP Load Balancing .... 164
        Disabling Reverse NAT Based on Destination IP Address .... 174

SSL Offload and SSL Proxy .... 177
    Overview .... 177
        Choosing an SSL Optimization Implementation .... 177
    Configuring Client SSL .... 178
    Configuring HTTPS Offload .... 182
    Configuring the SSL Proxy Feature .... 188

STARTTLS for Secure SMTP .... 195
    Overview .... 195
    Configuring STARTTLS .... 197


Streaming-Media Load Balancing .... 207
    Overview .... 207
    Configuring Streaming-Media SLB .... 209

Layer 4 TCP/UDP Load Balancing .... 213
    Overview .... 213
    Configuring Layer 4 Load Balancing .... 216

IP Protocol Load Balancing .... 221
    Overview .... 221
    Configuring IP Protocol Load Balancing .... 224

Wildcard VIPs .... 229
    Configuring a Wildcard VIP .... 229
        Configuration Examples .... 233

Outbound Link Load Balancing .... 235
    Configuring Link Load Balancing .... 237

Transparent Cache Switching .... 241
    Configuring Layer 4 TCS .... 244
    Configuring Layer 7 TCS .... 247
        Service Type HTTP Without URL Switching Rules .... 249
        Service Type HTTP with URL Switching Rules .... 250
        Optimizing TCS with Multiple Cache Servers .... 252
        Enabling Support for Cache Spoofing .... 254

Firewall Load Balancing .... 255
    Overview .... 255
        FWLB HA with Direct Connection of AX Devices to Firewalls .... 257
    FWLB Parameters .... 260
        TCP and UDP Session Aging .... 263
    Configuring FWLB .... 264

Server and Port Templates .... 281
    Overview .... 281
        Parameters That Can Be Configured Using Server and Port Templates .... 282
        Default Server and Service Port Templates .... 284
    Configuring Server and Service Port Templates .... 285
    Applying a Server or Service Port Template .... 286
        Binding a Server Template to a Real Server .... 287
        Binding a Server Port Template to a Real Server Port .... 288
        Binding a Virtual Server Template to a Virtual Server .... 288
        Binding a Virtual Server Port Template to a Virtual Service Port .... 289
        Binding a Server Port Template to a Service Group .... 289
    Connection Limiting .... 290
        Setting a Connection Limit .... 290
    Connection Rate Limiting .... 292
    Slow-Start .... 294

Health Monitoring .... 297
    Default Health Checks .... 297
    Health Method Timers .... 298
    Health Method Types .... 298
        Protocol Port Numbers Tested by Health Checks .... 303
    Configuring and Applying a Health Method .... 303
        Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments .... 308
        Configuring POST Requests in HTTP/HTTPS Health Monitors .... 310
        Customizing DNS Health Monitors .... 312
        Overriding the Target IP Address or Protocol Port Number .... 315
    Service Group Health Checks .... 318
    In-Band Health Monitoring .... 322
        Configuring In-Band Health Monitoring .... 324
    Consecutive Health Checks Within a Health Check Period .... 325
    On-Demand Health Checks .... 326
    Displaying Health Status .... 327
    External Health Method Examples .... 331
        TCL Script Example .... 331
        Perl Script Example .... 333
        Shell Script Example .... 334


Global Server Load Balancing .... 335
    Overview .... 335
        Advantages of GSLB .... 337
        Zones, Services, and Sites .... 338
        GSLB Policy .... 338
            Health Checks .... 340
            Geo-Location .... 341
            DNS Options .... 342
            Metrics That Require the GSLB Protocol on Site AX Devices .... 344
    Configuration Overview .... 345
        Configure Health Monitors .... 346
        Configure the DNS Proxy .... 347
        Configure a GSLB Policy .... 349
            Enabling / Disabling Metrics .... 349
            Changing the Metric Order .... 351
            Configuring RTT Settings .... 352
            Passive RTT .... 356
            Configuring BW-Cost Settings .... 357
            Loading or Configuring Geo-Location Mappings .... 363
        Configure Services .... 372
        Configure Sites .... 374
        Configure a Zone .... 375
        Enable the GSLB Protocol .... 376
    GSLB Parameters .... 378
        Policy Parameters .... 387
    Configuration Examples .... 397
        CLI Example .... 397
            Configuration on the GSLB AX Device (GSLB Controller) .... 397
            Configuration on Site AX Device AX-A .... 399
            Configuration on Site AX Device AX-B .... 399
        GUI Example .... 400
            Configuration on the GSLB AX Device (GSLB Controller) .... 400
            Configuration on Site AX Devices .... 409

RAM Caching .... 411
    Overview .... 411
        RFC 2616 Support .... 411
        Dynamic Caching .... 412
        Host Verification .... 412
        Support for no-cache and max-age=0 Cache-Control Headers .... 413
        RAM Caching Notes .... 413
    Configuring RAM Caching .... 414

High Availability .... 423
    Overview .... 423
        Layer 3 Active-Standby HA .... 424
        Layer 3 Active-Active HA .... 426
        Layer 2 Active-Standby HA (Inline Deployment) .... 428
            Preferred HA Port .... 431
            Port Restart .... 432
        Layer 3 Active-Standby HA (Inline Deployment) .... 433
        HA Messages .... 434
            HA Heartbeat Messages .... 435
            Gratuitous ARPs .... 435
        HA Interfaces .... 436
        Session Synchronization .... 437
        Optional Failover Triggers .... 438
            VLAN-based Failover .... 438
            Gateway-based Failover .... 438
            VIP-based Failover .... 439
        How the Active AX Device Is Selected .... 440
        HA Pre-Emption .... 443
        HA Sets .... 444
        HA Configuration Parameters .... 445
    Configuring Layer 3 HA .... 450
    Configuring Layer 2 HA (Inline Mode) .... 459
        Layer 2 Inline HA Configuration Example .... 459
    Configuring Layer 3 HA (Inline Mode) .... 466
        Layer 3 Inline HA Configuration Example .... 466
    Configuring Optional Failover Triggers .... 471
        VLAN-Based Failover Example .... 471
        Gateway-Based Failover Example .... 472
        VIP-Based Failover Example .... 474
    Enabling Session Synchronization .... 476
    Synchronizing Configuration Information .... 477
        Configuration Items That Are Backed Up .... 478
            Configuration Items That Are Not Backed Up .... 479
        Performing HA Synchronization .... 480

Network Address Translation 483

SLB NAT .... 483
IP NAT Configuration Limits .... 484
SLB Source NAT .... 484
Connection Reuse .... 484
Source NAT for Servers in Other Subnets .... 489
Direct Server Return .... 491
Using IP Pool Default Gateways To Forward Traffic from Real Servers .... 493
IP Source NAT .... 493
Configuring Dynamic IP Source NAT .... 495
Configuring Static IP Source NAT .... 501
IP NAT Use in Transparent Mode in Multi-Netted Environment .... 503
IP NAT in HA Configurations .... 504

Management Security Features 507

Configuring Additional Admin Accounts .... 507
Configuring an Admin Account .... 508
Deleting an Admin Account .... 512
Configuring Admin Lockout .... 513
Securing Admin Access by Ethernet .... 515
Displaying the Current Management Access Settings .... 518
Regaining Access if you Accidentally Block All Access .... 519
Changing Web Access Settings .... 519
Configuring AAA for Admin Access .... 521
Authentication .... 522
Authorization .... 522
CLI Access Levels .... 523
TACACS+ Authorization Debug Options .... 523
Accounting .... 524
Command Accounting .... 524
TACACS+ Accounting Debug Options .... 524
Configuring AAA for Admin Access .... 525
Configuring RADIUS for Authentication .... 525
Configuring TACACS+ for Authentication .... 526
Configuring TACACS+ for Authorization and Accounting .... 527


Traffic Security Features 533

DDoS Protection .... 533
Enabling DDoS Protection .... 534
SYN Cookies .... 535
The Service Provided By SYN Cookies .... 535
Enabling Hardware-Based SYN Cookies .... 537
Configuration when Target VIP and Client-side Router Are in Different Subnets .... 537
Enabling Software-Based SYN Cookies .... 538
Configuring Layer 2/3 SYN Cookie Support .... 539
ICMP Rate Limiting .... 540
Source-IP Based Connection Rate Limiting .... 543
Parameters .... 543
Log Messages .... 544
Deployment Considerations .... 544
Configuration .... 545
Configuration Examples .... 546
Access Control Lists (ACLs) .... 547
How ACLs Are Used .... 548
Configuring Standard IPv4 ACLs .... 549
Configuring Extended IPv4 ACLs .... 551
Configuring Extended IPv6 ACLs .... 555
Adding a Remark to an ACL .... 558
Applying an ACL to an Interface .... 558
Applying an ACL to a Virtual Server Port .... 559
Using an ACL to Control Management Access .... 560
Using an ACL for NAT .... 560
Resequencing ACL Rules .... 561
Policy-Based SLB (PBSLB) .... 563
Configuring a Black/White List .... 564
Configuring Policy-Based SLB on the AX Device .... 565
Displaying PBSLB Information .... 573

Role-Based Administration 577

Overview .... 578
Resource Partitions .... 579
Administrator Roles .... 581


Configuring Role-Based Administration .... 583
Configuring Private Partitions .... 583
Changing the Maximum Number of aFleX Policies Allowed in a Partition .... 584
Migrating Resources Between Partitions .... 585
Deleting a Partition .... 585
Configuring Partition Admin Accounts .... 586
CLI Example .... 588
Viewing and Saving the Configuration .... 589
Viewing the Configuration .... 589
Saving the Configuration .... 590
Switching To Another Partition .... 591
Synchronizing the Configuration .... 592
Operator Management of Real Servers .... 594

SLB Parameters 599

Service Template Parameters .... 599
Cache Template Parameters .... 601
Client SSL Template Parameters .... 603
Connection Reuse Template Parameters .... 605
Cookie Persistence Template Parameters .... 606
Destination-IP Persistence Template Parameters .... 608
HTTP Template Parameters .... 610
Policy Template Parameters .... 615
Source-IP Persistence Template Parameters .... 617
Server SSL Template Parameters .... 619
SIP Template Parameters .... 620
SMTP Template Parameters .... 621
SSL Session-ID Persistence Template Parameters .... 623
Streaming-Media Template Parameters .... 623
TCP Template Parameters .... 624
TCP-Proxy Template Parameters .... 625
UDP Template Parameters .... 626
Global SLB Parameters .... 628
Real Server Parameters .... 632
Real Service Port Parameters .... 634
Service Group Parameters .... 636
Virtual Server Parameters .... 638
Virtual Service Port Parameters .... 640


SSL Certificate Management 647

Overview .... 647
CA-Signed and Self-Signed Certificates .... 647
SSL Process .... 650
SSL Templates .... 650
Certificate Installation Process .... 653
Requesting and Installing a CA-Signed Certificate .... 653
Installing a Self-Signed Certificate .... 655
Generating a Key and CSR for a CA-Signed Certificate .... 655
Importing a Certificate and Key .... 658
Generating a Self-Signed Certificate .... 659
Importing a CRL .... 661
Exporting Certificates, Keys, and CRLs .... 662
Exporting a Certificate and Key .... 662
Exporting a CRL .... 663
Creating a Client-SSL or Server-SSL Template and Binding it to a VIP .... 664
Creating an SSL Template .... 664
Binding an SSL Template to a VIP .... 665
Converting Certificates and CRLs to PEM Format .... 665
Converting SSL Certificates to PEM Format .... 666
Converting CRLs from DER to PEM Format .... 667

Using the Management Interface as the Source for Management Traffic 669

Route Tables .... 669
Management Routing Options .... 670
Enabling Use of the Management Interface as the Source for Automated Management Traffic .... 671
Using the Management Interface as the Source Interface for Manually Generated Management Traffic .... 672
Commands at the User EXEC Level .... 672
Commands at the Privileged EXEC Level .... 672
Commands at the Global Configuration Level .... 672
Show Commands .... 673

Auto-Port Translation 675

Overview .... 675
Configuring an Auto-Port Translation Range .... 676

Routing Parameters 679

OSPF Parameters .... 679
OSPF Global Parameters .... 680
OSPF Interface Parameters .... 682
RIP Parameters .... 685
RIP Global Parameters .... 685
RIP Interface Parameters .... 686

Configuration Management 687

Backing Up System Information .... 687
Saving Multiple Configuration Files Locally .... 689
Configuration Profiles .... 690
Commands for Local Configuration Management .... 690

Scan-All-Members Option in Persistence Templates 697

System Overview

This chapter provides a brief overview of the AX Series system and features. For more information, see the other chapters in this guide.

AX Series Features

Key features of the AX Series include:
• Rack-mountable 2U chassis
• High Availability (Layer 4 Active-Active and Active-Standby) to provide session-level synchronization
• RAID 1 dual hard disk drives and compact flash to provide extremely reliable redundancy for software images and configuration files
• Redundant power supply
• Removable fan tray
• Dual Core/Dual Processors
• Optimized embedded Linux for Control Thread
• Optimized embedded A10 Packet Processing Data Thread
• Multi-core, multi-CPU system with offload features that give the CPU more cycles for L4-L7 processing
• Wire-speed L2/L3 switching
• Operates in either Transparent mode or Gateway mode
• L4 packet classification assist technology
• Static routes, Dynamic Routing protocols RIP and OSPF
• A10 Networks proprietary offloading technology provides buffer management, receive/transmit assist, DoS protection, multi-Gigabit TCP SYN flood protection/acceleration and Client-Server packet dispatcher
• Scalable configuration with the use of templates
• Server Load Balancing (SLB)
• Global Server Load Balancing (GSLB)
• Link Load Balancing (LLB)
• Transparent Cache Switching (TCS)
• Firewall Load Balancing (FWLB)
• RAM caching, in which the AX device functions as a web cache server
• Configuration templates for easy configuration of large deployments
• Sophisticated health checking
• High performance IP Network Address Translation (IP NAT)
• Streaming-media server load balancing
• Session IP load balancing
• Policy-based SLB (PBSLB), to permit or deny clients and direct them to service groups based on client black/white lists
• SSL offload, to free servers from SSL authentication and SSL encryption
• Layer 4 and Layer 7 fast forwarding support
• Layer 4 and Layer 7 proxy support
• Security and DoS attack prevention
• Comprehensive aFleX scripting based on the Tool Command Language (Tcl) programming standard
• SNMP, SSL, SSH
• Industry standard CLI support
• Web GUI localization
• Comprehensive built-in debugging

ACOS Architecture

The AX Series uses the embedded Advanced Core Operating System (ACOS) architecture. ACOS is designed to handle high-volume application data, with integrated Layer 2 / Layer 3 processing and integrated SSL acceleration built into the system. ACOS is built on top of a set of Symmetric Multi-Processing CPUs and uses a shared memory architecture to maximize application data delivery. In addition, ACOS incorporates the customizable A10 Networks aFleX scripting language, which provides administrators with configuration flexibility for application data redirection. This allows you to customize L4 application load balancing.

The AX Series inspects packets at Layers 2, 3, 4, and 7 and uses hardware-assisted forwarding. Packets are processed and forwarded based on the AX Series configuration.

You can deploy the AX Series into your network in transparent mode or gateway (route) mode:
• Transparent mode – The AX device has a single IP interface. For multi-netted environments, you can configure multiple Virtual LANs (VLANs).
• Route mode – Each AX interface is in a separate IP subnet. Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) are supported.

In either type of deployment, the AX Series performs Layer 4-7 switching based on the SLB configuration settings.

AX Software Processes

The AX software performs its many tasks using the following processes:
• a10mon – Parent process of the AX device. This process is executed when the system comes up. The a10mon process is responsible for the following:
  • Bringing AX user-space processes up and down
  • Monitoring all its child processes, and restarting a process and all dependent processes if any of them die
• a10stat – Monitors the status of all the main processes of the AX device, such as a10switch (on models AX2200 and higher) and a10lb. The a10stat process probes every thread within these processes to ensure that they are responsive. If a thread is deemed unhealthy, a10stat kills the process, after which a10mon restarts the process and the other processes associated with it.
• a10switch – Contains libraries and APIs to program the Switching ASIC to perform Layer 2 and Layer 3 switching at wire speed.
• a10timer – Schedules and executes scheduled tasks.
• syslogd – System logger daemon that logs kernel and system events.
• a10logd – Fetches all the logs from the AX Log database.
• a10hm – Performs health-checking for real servers and services. This process sends pre-configured requests to external servers at pre-defined intervals. If a server or individual service does not respond, it is marked down. Once the server or service starts responding again, it is marked up.
• a10lb – The heart of the AX device. This process contains all the intelligence to perform Server Load Balancing.
• a10wa – Embedded Web Server residing on the AX device. This process serves the Web-based management Graphical User Interface (GUI).
• rimacli – This process is automatically invoked when an admin logs into the AX device through an interface address. The admin is presented with a Command Line Interface (CLI) from which commands can be issued and saved to configure the system.
• a10snmpd – SNMPv2c and v3 agent, which services MIB requests.
• a10snpm_trapd – Handles SNMP traps initiated by a10lb.
• a10gmpd – Global SLB (GSLB) daemon.
• a10rt – Routing daemon, which maintains the routing table with routes injected from the OSPF and RIP routing protocols, as well as static routes.
• a10ospf – Implements the OSPFv2 routing protocol.
• a10rip – Implements the RIPv1 and v2 routing protocols.

Hardware Interfaces

• 1000BaseT (GOC) + SFP Mini GBIC Fiber Ports
• On models AX 3100 and AX 3200, 10G XFP-SR (short range) single-mode fiber port or XFP-LR (long range) multi-mode fiber port, depending on order
• Management Ethernet Port
• RJ-45 Console Port

Generally, the fiber ports do not require any configuration other than IP interface(s). When you plug in a port, the port speed and mode (full-duplex or half-duplex) are automatically negotiated with the other end of the link.

The management Ethernet port allows an out-of-band IP connection to the switch for management. The management interface traffic is isolated from the traffic on the other Ethernet ports.

The serial console port is for direct connection of a laptop PC to the AX device.

Software Interfaces

• Graphical User Interface (GUI)
• Command Line Interface (CLI) accessible using console, Telnet, or Secure Shell (v1 and v2)
• Simple Network Management Protocol (SNMP) v1, v2c, and v3
• XML Application Programming Interface (aXAPI)

The configuration examples in this manual show how to configure the AX Series using the CLI and GUI. For more information about the AX management interfaces, see the following documents:
• AX Series GUI Reference
• AX Series CLI Reference
• AX Series MIB Reference
• AX Series aXAPI Reference

Server Load Balancing

Server Load Balancing (SLB) is a suite of resource management features that make server farms more reliable and efficient, while protecting the servers behind a common virtual IP address. From the perspective of a client who accesses services, requests go to and arrive from a single IP address. The client is unaware that the server is in fact multiple servers managed by an AX device. The client simply receives faster, more reliable service.

You can easily grow server farms in response to changing traffic flow. To add a new server, you simply add it to the AX configuration for the virtual server, and the new real server becomes accessible immediately. Moreover, you do not need to wait for DNS entries to propagate for new servers.

FIGURE 2 SLB Example

Intelligent Server Selection

The services managed by the AX device are controlled by service groups. A service group is a set of real servers. The AX device selects a real server for a client's request based on a set of tunable criteria, including server health, server response time, and server load. These criteria can be tuned for individual servers and even individual service ports.

The AX device provides a robust set of configurable health monitors for checking the health (availability) of servers and individual services. For more information, see "Health Monitoring" on page 297.
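The following added example (not code from the AX software or from this guide) shows, in miniature, the two mechanisms the overview describes: a health monitor that marks a real server down after it stops answering probes and up again once it responds, in the manner attributed to a10hm above, and a service group that selects a real server only from members currently marked up, ranking them by load with response time as a tie-breaker. The class names, the `retries` / `up_retries` thresholds and the scripted probe results are constructed for illustration and are not AX configuration parameters.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class HealthMonitor:
    """Up/down state machine for one real server (illustrative, not a10hm).

    The server is probed at a fixed interval.  It is marked down after
    `retries` consecutive failed probes and marked up again after
    `up_retries` consecutive successful probes.  Both threshold names are
    assumptions made for this example.
    """
    retries: int = 3
    up_retries: int = 1
    is_up: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0

    def record(self, probe_succeeded: bool) -> bool:
        """Feed one probe result; return the server state after this probe."""
        if probe_succeeded:
            self.consecutive_successes += 1
            self.consecutive_failures = 0
            if not self.is_up and self.consecutive_successes >= self.up_retries:
                self.is_up = True
        else:
            self.consecutive_failures += 1
            self.consecutive_successes = 0
            if self.is_up and self.consecutive_failures >= self.retries:
                self.is_up = False
        return self.is_up


@dataclass
class RealServer:
    name: str
    address: str
    port: int
    response_time_ms: float = 0.0      # last measured response time
    active_connections: int = 0        # current load
    monitor: HealthMonitor = field(default_factory=HealthMonitor)


class ServiceGroup:
    """A set of real servers behind one virtual port.

    Selection first excludes members the monitor has marked down, then
    ranks the remaining members by load (active connections) and breaks
    ties on measured response time.
    """

    def __init__(self, name: str, members: List[RealServer]):
        self.name = name
        self.members = members

    def run_health_checks(self, probe: Callable[[RealServer], bool]) -> Dict[str, bool]:
        """One probe round.  `probe` plays the role of the pre-configured
        request sent to each server; returns the resulting up/down map."""
        return {m.name: m.monitor.record(probe(m)) for m in self.members}

    def select(self) -> Optional[RealServer]:
        """Pick the least-loaded healthy member, or None if all are down."""
        candidates = [m for m in self.members if m.monitor.is_up]
        if not candidates:
            return None
        return min(candidates, key=lambda m: (m.active_connections, m.response_time_ms))


def demo() -> List[Optional[str]]:
    """Constructed scenario: web1 is the least loaded server but stops
    answering probes after round 0.  With retries=3 it is excluded from
    selection from round 3 on and is selected again as soon as it answers."""
    group = ServiceGroup("http-sg", [
        RealServer("web1", "10.0.0.11", 80, response_time_ms=5, active_connections=2),
        RealServer("web2", "10.0.0.12", 80, response_time_ms=8, active_connections=4),
        RealServer("web3", "10.0.0.13", 80, response_time_ms=6, active_connections=4),
    ])
    # Scripted probe outcomes per round, keyed by server name (constructed data).
    script = {
        "web1": [True, False, False, False, True],
        "web2": [True, True, True, True, True],
        "web3": [True, True, True, True, True],
    }
    chosen: List[Optional[str]] = []
    for rnd in range(5):
        group.run_health_checks(lambda m: script[m.name][rnd])
        picked = group.select()
        chosen.append(picked.name if picked else None)
    return chosen


if __name__ == "__main__":
    print(demo())  # one selected server name per probe round
```

The point worth noticing is the asymmetry of the thresholds: a single missed probe does not pull a server out of rotation, which protects against transient loss, but a server is readmitted only after it has actually answered again, so clients are never steered to a member that has not yet proved it is back.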

Templates simplify configuration by enabling you to configure common settings once and use them in multiple service configurations. and application parameters. The AX device provides templates to control server and port configuration parameters.: D-030-01-00-0006 . connectivity parameters. or direct them to service groups.Ver. 2.2 11/11/2009 b y 23 of 702 .Configuration Guide Server Load Balancing Configuration Templates SLB configuration is simplified by the use of templates. The AX device provides the following types of server and port configuration templates: • Server – Controls parameters for real servers • Port – Controls parameters for service ports on real servers • Virtual server – Controls parameters for virtual servers • Virtual port – Controls parameters for service ports on virtual servers The AX device provides the following types of connectivity templates: • TCP-Proxy – Controls TCP/IP stack parameters • TCP – Controls the idle timeout for unused sessions and specifies whether the AX device sends TCP Resets to clients or servers after a session times out • UDP – Controls the idle timeout for unused sessions and specifies how quickly sessions are terminated after a server response is received The following types of application templates are provided: • HTTP – Provides a robust set of options for HTTP header manipulation and for load balancing based on HTTP header content or the URL requested by the client. and other options • Policy – Uses Policy-based SLB (PBSLB) to permit or deny clients.0.AX Series . based on client black/white lists • Cache – Caches web content on the AX device to enhance website per- formance for clients • Client SSL – Offloads SSL validation tasks from real servers • Server SSL – Validates real servers on behalf of clients • Connection reuse – Reduces overhead from TCP connection setup by establishing and reusing TCP connections with real servers for multiple client requests P e r f o r m a n c e D e s i g n Document No.

• Cookie persistence – Inserts a cookie into server replies to clients, to direct clients to the same service group, real server, or real service port for subsequent requests for the service
• Source-IP persistence – Directs a given client, identified by its IP address, to the same service port, server, or service group
• Destination-IP persistence – Configures persistence to real servers based on destination IP address
• SSL session-ID persistence – Directs all client requests for a given virtual port, and that have a given SSL session ID, to the same real server and real port
• SIP – Customizes settings for load balancing of Session Initiation Protocol (SIP) traffic
• SMTP – Configures STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients
• Streaming-media – Directs client requests based on the requested content

Where applicable, the AX device automatically applies a default template with commonly used settings. For example, when you configure SLB for FTP, the AX device automatically applies the default TCP template. If required by your application, you can configure a different template and apply that one instead. The configuration examples in this guide show how to do this.

See the following chapters for examples of SLB configurations:
• “HTTP Load Balancing” on page 89
• “FTP Load Balancing” on page 141
• “SIP Load Balancing” on page 163
• “SSL Offload and SSL Proxy” on page 177
• “STARTTLS for Secure SMTP” on page 195
• “Streaming-Media Load Balancing” on page 207
• “Layer 4 TCP/UDP Load Balancing” on page 213

For descriptions of all the parameters you can control using templates, see “Server and Port Templates” on page 281 and “Service Template Parameters” on page 599.

Global Server Load Balancing

Global Server Load Balancing (GSLB) allows you to manage multiple SLB sites and direct clients to the best site. Site selection is based on metrics including the site’s health and the site’s geographic proximity to the client. For more information, see “Global Server Load Balancing” on page 335.

Transparent Cache Switching

Transparent Cache Switching (TCS) enables you to improve server response times by redirecting client requests for content to cache servers containing the content. For more information, see “Transparent Cache Switching” on page 241.

Firewall Load Balancing

Firewall Load Balancing (FWLB) maximizes throughput through firewall bottlenecks by load balancing server-client sessions across the firewalls. For more information, see “Firewall Load Balancing” on page 255.

Outbound Link Load Balancing

Outbound Link Load Balancing (LLB) balances client-server traffic across a set of WAN links. In outbound LLB, the clients are located on the internal side of the network. The servers are located on the external side of the network. For more information, see “Outbound Link Load Balancing” on page 235.

Where Do I Start?

• To configure basic system settings, see “Basic Setup” on page 27.
• To configure network settings, see “Network Setup” on page 53 and “Routing Parameters” on page 679.
• To configure traffic management features (SLB, GSLB, TCS, LLB, and FWLB), see the remaining chapters in this guide.


Basic Setup

This chapter describes how to log onto the AX device and how to configure the following basic system parameters:
• Hostname and other Domain Name Server (DNS) settings
• CLI banner messages
• Date/time settings
• System log (Syslog) settings
• Simple Network Management Protocol (SNMP) settings

After you are through with this chapter, go to “Network Setup” on page 53.

Note: The only basic parameters that you are required to configure are date/time settings. Configuring the other parameters is optional.

Note: This chapter does not describe how to access the out-of-band management interface. For that information, see the AX Series Advanced Traffic Manager Installation Guide.

Caution: Unsaved configuration changes will be lost following a reboot. When you make configuration changes, be sure to remember to save the changes. To save changes, click Save on the top row of the GUI window or enter the write memory command in the CLI.

Logging On

AX Series devices provide the following management interfaces:
• Command-Line Interface (CLI) – Text-based interface in which you type commands on a command line. You can access the CLI directly through the serial console or over the network using either of the following protocols:
  • Secure protocol – Secure Shell (SSH) version 1 or version 2
  • Unsecure protocol – Telnet (if enabled)
• Graphical User Interface (GUI) – Web-based interface in which you click to access configuration or management pages and type or select values to configure or manage the device. You can access the GUI using either of the following protocols:

  • Secure protocol – Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)
  • Unsecure protocol – Hypertext Transfer Protocol (HTTP)

Note: By default, SSH, HTTP, HTTPS, and SNMP access are enabled on the management interface only, and disabled on all data interfaces. Telnet access is disabled on all interfaces, including the management interface.

Logging Onto the CLI

Note: The AX Series provides advanced features for securing management access to the device. This section assumes that only the basic security settings are in place. (For more information about securing management access, see “Management Security Features” on page 507.)

To log onto the CLI using SSH:
1. On a PC connected to a network that can access the AX device’s management interface, open an SSH connection to the IP address of the management interface.
2. Generally, if this is the first time the SSH client has accessed the AX device, the SSH client displays a security warning. Read the warning carefully, then acknowledge the warning to complete the connection. (Press Enter.)
3. At the login as: prompt, enter the admin username.
4. At the Password: prompt, enter the admin password. If the admin username and password are valid, the command prompt for the User EXEC level of the CLI appears:
AX>
The User EXEC level allows you to enter a few basic commands, including some show commands as well as ping and traceroute.

Note: The “AX” in the CLI prompt is the hostname configured on the device, which is “AX” by default. If the hostname has already been changed, the new hostname appears in the prompt instead of “AX”.

5. To access the Privileged EXEC level of the CLI and allow access to all configuration levels, enter the enable command. At the Password: prompt, enter the enable password. (This is not the same as the admin password, although it is possible to configure the same value for both passwords.)

If the enable password is correct, the command prompt for the Privileged EXEC level of the CLI appears:
AX#
6. To access the global configuration level, enter the config command. The following command prompt appears:
AX(config)#

Logging Onto the GUI

Web access to the AX device is supported on the Web browsers listed in Table 1.

TABLE 1 GUI Browser Support

Browser          Windows            Linux       MAC
IE 7.0           Supported          N/A         N/A
IE 6.0           Not Supported (1)  N/A         N/A
Firefox 3.x (2)  Supported          Supported   N/A
Firefox 2.x      Supported          Supported   N/A
Firefox 1.x      Supported          Supported   N/A
Safari 3.0       Not Supported      N/A         Supported
Safari 2.0       Not Supported      N/A         Not Supported
Chrome           Not Supported      N/A         N/A

1. Support for IE 6.x is discontinued in AX Release 2.0. A10 Networks recommends that you upgrade to IE 7.x.
2. Support for Firefox 3.x is new in AX Release 2.0.

A screen resolution of at least 1024x768 is required.

1. Open one of the Web browsers listed in Table 1.
2. In the URL field, enter the IP address of the AX device’s management interface.
3. If the browser displays a certificate warning, select the option to continue to the server (the AX device). A login dialog is displayed. The name and appearance of the dialog depends on the browser you are using.

FIGURE 3 GUI Login Dialog (Internet Explorer)

4. Enter your admin username and password and click OK.

Note: The default admin username and password are “admin” and “a10”.

5. The Summary page appears, showing at-a-glance information for your AX device. You can access this page again at any time while using the GUI, by selecting Monitor > Overview > Summary.

FIGURE 4 Monitor > Overview > Summary

Note: For more information about the GUI, see the AX Series GUI Reference or the GUI online help.

Configuring Basic System Parameters

This section describes the basic system parameters and provides CLI and GUI steps for configuring them.

Setting the Hostname and Other DNS Parameters

The default hostname is “AX”. To change the hostname, use either of the following methods.

USING THE GUI
1. Select Config > Network > DNS. The DNS tab appears.
2. In the Hostname field, edit the name to one that will uniquely identify this particular AX device (for example, “AX-SLB1”).
3. In the DNS Suffix field, enter the domain name to which the host (AX Series) belongs.
4. In the Primary DNS field, enter the IP address of the external DNS server the AX Series should use for resolving DNS queries.
5. In the Secondary DNS field, enter the IP address of an external backup DNS server the AX Series should use if the primary DNS server is unavailable.
6. Click OK.

USING THE CLI
1. Access the global configuration level of the CLI:
AX>enable
Password:enable-password
AX#config
AX(config)#
2. Use the following command to change the hostname:
hostname string
After you enter this command, the command prompt should change to the same value as the new hostname.

Note: The “ > ” or “ # ” character and characters in parentheses before “ # ” indicate the CLI level you are on and are not part of the hostname.

3. To set the default domain name (DNS suffix) for hostnames on the AX device, use the following command:
ip dns suffix string
4. To specify the DNS servers the AX should use for resolving DNS requests, use the following command:
ip dns {primary | secondary} ipaddr
The primary option specifies the DNS server the AX device should always try to use first. The secondary option specifies the DNS server that the AX device should use if the primary DNS server is unavailable.

Setting the CLI Banners

The CLI displays banner messages when you log onto the CLI. By default, the messages shown in bold type in the following example are displayed:

login as: admin
Welcome to AX
Using keyboard-interactive authentication.
Password:
Last login: Thu Feb 7 13:44:32 2008 from 192.168.1.144
[type ? for help]

You can format banner text as a single line or multiple lines. If you configure a banner message that occupies multiple lines, you must specify the end marker that indicates the end of the last line. The end marker is a simple string up to 2 characters long, each of which must be an ASCII character from the following range: 0x21-0x7e. The multi-line banner text starts from the first line and ends at the marker. If the end marker is on a new line by itself, the last line of the banner text will be empty. If you do not want the last line to be empty, put the end marker at the end of the last non-empty line.
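The end-marker rules above are easy to get wrong when a banner is pasted in from a script. The following Python is an added example (not A10 code, and not the AX device's own parser) that models those rules: it rejects a marker outside the 1-2 character, 0x21-0x7e range, cuts the banner at the first occurrence of the marker, and shows that a marker alone on its final line leaves an empty last line. The two sample banners are constructed for this example.

```python
# Added example (not A10 code): model of the AX multi-line banner end-marker rules.
END_MARKER_MAX_LEN = 2             # "a simple string up to 2 characters long"
ASCII_MIN, ASCII_MAX = 0x21, 0x7E  # allowed end-marker characters per the guide


def end_marker_problem(marker):
    """Return None if the end marker is acceptable, otherwise a reason string."""
    if not 1 <= len(marker) <= END_MARKER_MAX_LEN:
        return "end marker must be 1 or 2 characters long"
    for ch in marker:
        if not ASCII_MIN <= ord(ch) <= ASCII_MAX:
            return "character %r is outside the range 0x21-0x7e" % ch
    return None


def parse_multiline_banner(text, marker):
    """Split banner text into the lines the CLI will display.

    The banner runs from the first character up to the first occurrence of the
    end marker. If the marker sits alone on its own line, the split leaves a
    trailing empty string, i.e. the empty last line the guide describes.
    """
    problem = end_marker_problem(marker)
    if problem:
        raise ValueError(problem)
    end = text.find(marker)
    if end < 0:
        raise ValueError("end marker %r not found in banner text" % marker)
    return text[:end].split("\n")


def has_empty_last_line(text, marker):
    """True when the configured banner would print an empty final line."""
    return parse_multiline_banner(text, marker)[-1] == ""


# Constructed sample banners (not from the guide)
BANNER_MARKER_ALONE = "Authorized use only.\nActivity is logged.\n#"
BANNER_MARKER_INLINE = "Authorized use only.\nActivity is logged.#"
```

Because the banner ends at the first occurrence of the marker, pick a marker string that does not occur anywhere in the message text itself; otherwise the banner is silently truncated at that point.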

USING THE GUI
1. Select Config > System > Settings.
2. On the menu bar, select Terminal > Banner.
3. To configure a banner:
a. Select the banner type, single-line or multi-line.
b. If the message is a multi-line message, enter the delimiter value in the End Marker field.
c. Enter the message in the Login Banner or Exec Banner field. If you selected multi-line, press Enter / Return at the end of every line. Do not type the end marker at the end of the message. The GUI automatically places the end marker at the end of the message text in the configuration.
4. If you are configuring both messages, repeat step 3 for the other message.
5. Click OK.

USING THE CLI
To change one or both banners, use the following command:
[no] banner {exec | login} [multi-line end-marker] line
The login option changes the first banner, which is displayed after you enter the admin username. The exec option changes the second banner, which is displayed after you enter the admin password. To use blank spaces within the banner, enclose the entire banner string with double quotation marks.

Setting Time/Date Parameters

To configure time/date parameters:
• Set the timezone.
• Set the system time and date manually or configure the AX device to use a Network Time Protocol (NTP) server.

The default timezone is Europe/Dublin, which is equivalent to Greenwich Mean Time (GMT). The time and date are not set at the factory, so you must manually set them or configure NTP.

Note: You do not need to configure Daylight Savings Time. The AX device automatically adjusts the time for Daylight Savings Time based on the timezone you select.

USING THE GUI
1. Select Config > System > Time. The Date/Time tab appears.
2. To select the timezone:
a. Click Time Zone to display the tab.
b. From the Time Zone Name pull-down list, select the time zone.
c. Click OK.
3. Click Date/Time to re-display the tab, if not already displayed.
• To configure the time and date manually:
a. Enter the date in the Date field or select the date using the calendar.
b. Enter the time in the Time field.
c. Click OK.
• To set the time and date by synchronizing them with the time and date on the PC from which you are running the GUI, click Sync Local Time.
• To set the time and date using NTP:
a. Select the Automatically Synchronize with Internet Time Server checkbox.
b. In the NTP Server field, enter the NTP server’s IP address.
c. In the Update System Clock Every field, enter the number of minutes you want the AX device to wait between synchronizations with the NTP server.
d. Click OK.

USING THE CLI
To set the timezone
Enter the following command at the global configuration level of the CLI:
clock timezone timezone

To view the available timezones, enter the following command:
clock timezone ?

To configure the AX device to use NTP
1. To specify the NTP server to use, enter the following command at the global configuration level of the CLI:
ntp server {hostname | ipaddr} [minutes]
The minutes option sets the synchronization interval, which specifies how often the AX polls the NTP server for updated time information. You can specify 1-518400 minutes. The default is 1440 minutes. You can configure a maximum of 4 NTP servers.
2. To enable NTP and synchronize the AX clock with the NTP server, enter the following command:
ntp enable

To set the time and date manually
1. Return to the Privileged EXEC level of the CLI by entering the exit command.
2. Enter the following command at the Privileged EXEC level of the CLI:
clock set time day month year
Enter the time and date in the following format:
time – hh:mm:ss
day – 1-31
month – January, February, March, ...
year – 2008, 2009, ...

Note: The clock is based on 24 hours. For example, for 1 p.m., enter the hour as “13”.

3. To display clock settings, use the following command:
show clock [detail]

Configuring Syslog Settings

The AX device logs system events with Syslog messages. The AX device can send Syslog messages to the following places:
• Local buffer
• Console CLI session
• Console SSH and Telnet sessions
• External Syslog server
• Email address(es)
• SNMP servers (for events that are logged by SNMP traps)

Logging to the local buffer and to CLI sessions is enabled by default. Logging to other places requires additional configuration.

The standard Syslog message severity levels are supported:
• Emergency – 0
• Alert – 1
• Critical – 2
• Error – 3
• Warning – 4
• Notification – 5
• Information – 6
• Debugging – 7

Table 2 lists the configurable Syslog parameters.

TABLE 2 Configurable System Log Settings

Parameter: Disposition (message target)
Description: Output options for each message level. For each message level, you can select which of the following output options to enable:
• Console – Messages are displayed in Console sessions.
• Monitor – Messages are displayed in Telnet and SSH sessions.
• Buffered – Messages are stored in the system log buffer.
• Email – Messages are sent to the email addresses in the Email To list. (See below.)
• Syslog – Messages are sent to the external log servers specified in the Log Server fields. (See below.)
• SNMP – SNMP traps are generated and sent to the SNMP receivers.
Supported Values: The following message levels can be individually selected for each output option:
• Emergency (0)
• Alert (1)
• Critical (2)
• Error (3)
• Warning (4)
• Notification (5)
• Information (6)
• Debug (7)
Only Emergency, Alert, Critical, and Notification can be selected for Email. Only Emergency, Alert, and Critical can be selected for SNMP.

Parameter: Facility
Description: Standard Syslog facility to use.
Supported Values: Standard Syslog facilities listed in RFC 3164.

Parameter: Log Buffer Entries
Description: Maximum number of log entries the log buffer can store.
Supported Values: 10000 to 50000 entries. Default: 30000

Parameter: Log Server
Description: IP addresses or fully-qualified domain names of external log servers. Only the message levels for which Syslog is selected in the Disposition list are sent to log servers.
Note: By default, the AX device can reach remote log servers only if they are reachable through the AX device’s data ports, not the management port. To enable the AX device to reach remote log servers through the management port, see “Using the Management Interface as the Source for Management Traffic” on page 669.
Supported Values: Any valid IP address or fully-qualified domain name. Default: None configured

Parameter: Log Server Port
Description: Protocol port to which log messages sent to external log servers are addressed.
Supported Values: Any valid protocol port number. Default: 514

Parameter: Email To
Description: Email addresses to which to send log messages. Only the message levels for which Email is selected in the Disposition list are sent to these addresses. Click the down arrow next to the input field to add another address (up to 10).
Supported Values: Valid email address. Each email address can be a maximum of 31 characters long. Default: None configured

TABLE 2 Configurable System Log Settings (Continued)

Parameter: SMTP Server
Description: IP address or fully-qualified domain name of an email server using Simple Message Transfer Protocol.
Note: By default, the AX device can reach SMTP servers only if they are reachable through the AX device’s data ports, not the management port. To enable the AX device to reach SMTP servers through the management port, see “Using the Management Interface as the Source for Management Traffic” on page 669.
Supported Values: Any valid IP address or fully-qualified domain name. Default: None configured

Parameter: SMTP Server Port
Description: Protocol port to which email messages sent to the SMTP server are addressed.
Supported Values: Any valid protocol port number. Default: 25

Log Rate Limiting

The AX device uses a log rate limiting mechanism to ensure against overflow of external log servers and the internal logging buffer. The rate limit for external logging is 15,000 messages per second from the AX device. The rate limit for internal logging is 32 messages per second from the AX device.
• If the number of new messages within a one-second interval exceeds 32, then during the next one-second interval, the AX sends log messages only to the external log servers. In any case, all messages (up to 15,000 per second) get sent to the external log servers.
• If the number of new messages generated within the new one-second interval is 32 or less, then during the following one-second interval, the AX will again send messages to the local logging buffer as well as the external log server.

Logging by Email (SMTP)

If you enable the AX device to send log messages by email, messages are emailed as follows:
• Logs with severity level Emergency, Alert, or Critical are sent immediately.
• Other messages (messages with severity level Normal) are queued, and sent only after either of the following occurs:

  • 50 messages are queued.
  • 10 minutes passes since the previous email.
Each email contains a maximum of 50 log messages.

USING THE GUI
1. Select Config > System > Settings.
2. Select Log on the menu bar.
3. Change settings as needed. (For descriptions of the settings, see Table 2.)
4. Click OK.

USING THE CLI
1. To change the severity level of messages that are logged in the local buffer, use the following command:
logging buffered severity-level
2. To change the severity level of messages that are logged in other places, use the following command:
logging target severity-level
The target can be one of the following:
• console – Serial console
• email – Email
• monitor – Telnet and SSH sessions
• syslog – external Syslog host
• trap – external SNMP trap host

Note: Only severity levels emergency, alert, critical, and notification can be sent by email.

3. To configure the AX device to send log messages to an external Syslog server, use the following command to specify the server:
logging host ipaddr [ipaddr...] [port protocol-port]
You can enter up to 4 server IP addresses on the same command line. You can specify only one protocol port with the command. All servers must use the same protocol port to listen for syslog messages. The default protocol port is 514.
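The practical consequence of the rate-limiting and email-batching rules above is that the local buffer can miss an entire second of messages after a burst, while the external Syslog servers see everything up to 15,000 per second, and a non-critical message can sit in the email queue for up to 10 minutes. The following Python is an added example (not A10 code) that models those two rules so you can see which destination receives what; the per-second counts and the event list are constructed inputs, and the way the 10-minute timer is counted before any email has been sent is this example's own assumption.

```python
# Added example (not A10 code): model of the AX log rate-limiting and
# email-batching rules. Limits come from the guide; the event-driven timer
# handling is this example's own simplification.
EXTERNAL_LIMIT_PER_SECOND = 15000   # external Syslog servers
INTERNAL_LIMIT_PER_SECOND = 32      # local logging buffer
EMAIL_IMMEDIATE_SEVERITIES = {"emergency", "alert", "critical"}
EMAIL_BATCH_SIZE = 50               # queued messages per email
EMAIL_MAX_WAIT_SECONDS = 10 * 60    # flush 10 minutes after the previous email


def plan_log_delivery(per_second_counts):
    """For each one-second interval return (buffered, external): how many of
    that interval's new messages reach the local buffer and the external
    servers. A count above 32 in one interval suppresses the local buffer for
    the following interval; external servers always get up to 15,000/s.

    Assumption: within the burst interval itself the buffer still takes up to
    32 messages, its stated per-second limit."""
    plan = []
    suppress_buffer = False
    for count in per_second_counts:
        external = min(count, EXTERNAL_LIMIT_PER_SECOND)
        buffered = 0 if suppress_buffer else min(count, INTERNAL_LIMIT_PER_SECOND)
        plan.append((buffered, external))
        suppress_buffer = count > INTERNAL_LIMIT_PER_SECOND
    return plan


def plan_email_delivery(events, end_time):
    """events: (time_seconds, severity, text) tuples. Returns (emails, pending):
    emails is a list of (send_time, [events]); pending holds messages still
    queued at end_time.

    Emergency/Alert/Critical go out at once; everything else is queued and
    flushed when 50 messages are queued or 10 minutes have passed since the
    previous email. Assumption: before any email has been sent, the 10-minute
    timer is counted from the first queued message."""
    emails, queue = [], []
    last_email_time = None

    def flush_if_due(now):
        nonlocal queue, last_email_time
        if not queue:
            return
        reference = last_email_time if last_email_time is not None else queue[0][0]
        due = reference + EMAIL_MAX_WAIT_SECONDS
        if now >= due:
            emails.append((due, queue))
            queue = []
            last_email_time = due

    for event in sorted(events):
        time_s, severity, _ = event
        flush_if_due(time_s)
        if severity in EMAIL_IMMEDIATE_SEVERITIES:
            emails.append((time_s, [event]))
            last_email_time = time_s
            continue
        queue.append(event)
        if len(queue) >= EMAIL_BATCH_SIZE:
            emails.append((time_s, queue))
            queue = []
            last_email_time = time_s
    flush_if_due(end_time)
    return emails, queue


# Constructed sample input (not from the guide): quiet, a burst, then quiet again.
SAMPLE_PER_SECOND_COUNTS = [10, 40, 10, 5000, 20000, 10]
SAMPLE_EVENTS = [
    (0, "error", "constructed: config parse failure"),
    (5, "critical", "constructed: fan 2 failure"),
    (100, "warning", "constructed: high disk usage"),
    (700, "notification", "constructed: admin login"),
] + [(1000 + i, "error", "constructed error %d" % i) for i in range(60)]
```

Running plan_log_delivery(SAMPLE_PER_SECOND_COUNTS) shows the second after each burst delivering nothing to the local buffer, which is why an external Syslog server, not show log output, is the record to rely on when investigating a flood of events.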

If you use the command to add some log servers, then need to add a new log server later, you must enter all server IP addresses in the new command. Each time you enter the logging host command, it replaces any set of servers and syslog port configured by the previous logging host command.
4. To configure the AX device to send log messages by email, use the following commands to specify the email server and the email addresses:
smtp {hostname | ipaddr} [port protocol-port]
The port option specifies the protocol port to which to send email. The default is 25.
logging email-address address [...]
To enter more than one address, use a space between each address.
5. To send event messages to an external SNMP server, see “Enabling SNMP” on page 41.

Enabling SNMP

AX devices support the following SNMP versions: v1, v2c, v3. SNMP is disabled by default. You can configure the AX device to send SNMP traps to the Syslog and to external trap receivers. You also can configure read (GET) access to SNMP Management Information Base (MIB) objects on the AX device by external SNMP managers.

Note: SNMP access to the AX device is read-only. SET operations (write access) are not supported.

The AX device supports the following SNMP-related RFCs:
• SNMPv1/v2c (RFC 1157, RFC 1901)
• SNMP MIB-II (RFC 1213, RFC 1573)
• Ethernet Interface MIB (RFC 1643)
• SNMP View-based Access Control Model SNMP (RFC 2575)
• SNMPv3 Introduction to Framework (RFC 2570)
• SNMPv3 User-based Security Model (RFC 2574)

SNMP Traps

Table 3 lists the SNMP traps supported by the AX device. All traps are disabled by default.

TABLE 3 AX SNMP Traps

Trap Category: SNMP
• Link Up – Indicates that an Ethernet interface has come up.
• Link Down – Indicates that an Ethernet interface has gone down.

Trap Category: System
• Start – Indicates that the AX device has started.
• Shutdown – Indicates that the AX device has shut down.
• Restart – Indicates that the AX device is going to reboot or reload.
• High Temperature – Indicates that the temperature inside the AX chassis is too high (68 C or higher). If you see this trap, check for fan failure traps. Also check the installation location to ensure that the chassis room temperature is not too high (40 C or higher) and that the chassis is receiving adequate air flow.
• Fan 1 – Indicates that system fan 1 has failed. Contact A10 Networks.
• Fan 2 – Indicates that system fan 2 has failed. Contact A10 Networks.
• Fan 3 – Indicates that system fan 3 has failed. Contact A10 Networks.
• Lower Power Supply – Indicates that the lower power supply has failed. The power supply needs to be replaced. Contact A10 Networks.
• Upper Power Supply – Indicates that the upper power supply has failed. The power supply needs to be replaced. Contact A10 Networks.
• Primary Hard Disk – Indicates that the primary Hard Disk has failed or the RAID system has failed. The primary Hard Disk is the one on the left, as you are facing the front of the AX chassis. Contact A10 Networks.
• Secondary Hard Disk – Indicates that the secondary Hard Disk has failed or the RAID system has failed. The secondary Hard Disk is the one on the right, as you are facing the front of the AX chassis. Contact A10 Networks.
• High Disk Usage – Indicates that hard disk usage on the AX device is high (85% or higher).
• High Memory Usage – Indicates that the memory usage on the AX device is high (95% or higher).

Trap Category: High Availability (HA)
• Active – Indicates that the AX device is going from HA Standby mode to Active mode.
• Standby – Indicates that the AX device is going from HA Active mode to Standby mode.

TABLE 3 AX SNMP Traps (Continued)

Trap Category: Server Load Balancing (SLB)
• Server Up – Indicates that an SLB server has come up.
• Server Down – Indicates that an SLB server has gone down.
• Service Up – Indicates that an SLB service has come up.
• Service Down – Indicates that an SLB service has gone down.
• Server Connection Limit – Indicates that an SLB server has reached its configured connection limit.
• Server Connection Resume – Indicates that an SLB server has reached its configured connection-resume value.
• Service Connection Limit – Indicates that an SLB service has reached its configured connection limit.
• Service Connection Resume – Indicates that an SLB service has reached its configured connection-resume value.
• Virtual Port Up – Indicates that an SLB virtual service port has come up. An SLB virtual server’s service port is up when at least one member (real server and real port) in the service group bound to the virtual port is up.
• Virtual Port Down – Indicates that an SLB virtual service port has gone down.

SNMP Communities and Views

You can allow external SNMP managers to access the values of MIB objects from the AX device. To allow remote read-only access to AX MIB objects, configure one or both of the following types of access. You also can restrict access to specific Object IDs (OIDs) within the MIB, on an individual community basis. OIDs indicate the position of a set of MIB objects in the global MIB tree. The OID for A10 Networks AX Series objects is 1.3.6.1.4.1.22610.

SNMP Community Strings

An SNMP community string is a string that an SNMP manager can present to the AX device when requesting MIB values. Community strings are similar to passwords. You can minimize security risk by applying the same principles to selecting a community name as you would to selecting a password. Use a hard-to-guess string and avoid use of commonly used community names such as “public” or “private”.

SNMP Views

An SNMP view is like a filter that permits or denies access to a specific OID or portions of an OID. You can configure SNMP user groups and individual SNMP users, and allow or disallow them to read specific portions of the AX MIBs using different views.

When you configure an SNMP user group or user, you specify the SNMP version. SNMP v1 and v2c do not support authentication or encryption of SNMP packets. SNMPv3 does. You can enable authentication, encryption, or both, on an individual SNMP user-group basis when you configure the groups. You can specify the authentication method and the password for individual SNMP users when you configure the users.

SNMP Configuration Steps

To configure SNMP:
1. Enable the SNMP agent and SNMP traps.
2. Optionally, configure location and contact information.
3. Optionally, configure one or more read-only communities.
4. Optionally, configure external SNMP trap receivers.
5. Optionally, configure views, groups, and users.
6. Save the configuration changes.

You are not required to perform these configuration tasks in precisely this order. The workflow in the GUI is slightly different from the workflow shown here.

Note: By default, the AX device can reach remote logging and trap servers only if they are reachable through the AX device’s data ports, not the management port. To enable the AX device to reach remote logging and trap servers through the management port, see “Using the Management Interface as the Source for Management Traffic” on page 669.
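The community-string advice on the previous page and the view description above both come down to one question: given a source address, a community string and a requested OID, is the read allowed? The following Python is an added example (not A10 code, and not the AX device's own access-control implementation) that models those rules: a community with optional remote-network and OID restrictions, a view made of included/excluded subtrees where the most specific matching entry wins (the RFC 3415 rule that the VACM RFC listed above builds on), and a checker that applies the guide's password-like advice to a community name. The dotted mask format for view entries, the 12-character minimum, and the sample view and community are this example's own assumptions and constructed data; only the A10 enterprise OID and the "public"/"private" names come from the guide.

```python
# Added example (not A10 code): model of read-only SNMP access rules.
import ipaddress
from dataclasses import dataclass

A10_ENTERPRISE_OID = "1.3.6.1.4.1.22610"            # from the guide
WELL_KNOWN_COMMUNITY_NAMES = {"public", "private"}  # names the guide says to avoid
MIN_COMMUNITY_LENGTH = 12                           # assumption: a local policy minimum


def oid_parts(oid):
    """'1.3.6.1' -> (1, 3, 6, 1)."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def oid_under(oid, prefix):
    """True when oid lies within the subtree rooted at prefix."""
    o, p = oid_parts(oid), oid_parts(prefix)
    return o[:len(p)] == p


@dataclass(frozen=True)
class ViewEntry:
    subtree: str
    included: bool
    mask: str = ""   # assumed dotted form: 1 = sub-identifier must match, 0 = wildcard

    def matches(self, oid):
        o, s = oid_parts(oid), oid_parts(self.subtree)
        if len(s) > len(o):
            return False
        m = oid_parts(self.mask) if self.mask else ()
        for i, sub in enumerate(s):
            must_match = m[i] if i < len(m) else 1  # bits past the mask mean "must match"
            if must_match and o[i] != sub:
                return False
        return True


def view_permits(view, oid):
    """The most specific matching entry decides; an OID matched by no entry is hidden."""
    hits = [e for e in view if e.matches(oid)]
    if not hits:
        return False
    best = max(hits, key=lambda e: (len(oid_parts(e.subtree)), oid_parts(e.subtree)))
    return best.included


@dataclass(frozen=True)
class Community:
    name: str
    oid: str = ""      # optional OID the community is limited to
    remote: str = ""   # optional source network, e.g. "10.0.0.0/24"


def community_authorizes(communities, name, source_ip, oid):
    """True when some configured community accepts this name, source and OID."""
    src = ipaddress.ip_address(source_ip)
    for c in communities:
        if c.name != name:
            continue
        if c.remote and src not in ipaddress.ip_network(c.remote, strict=False):
            continue
        if c.oid and not oid_under(oid, c.oid):
            continue
        return True
    return False


def community_strength_issues(name):
    """Apply the guide's password-like advice to a community string."""
    issues = []
    if name.lower() in WELL_KNOWN_COMMUNITY_NAMES:
        issues.append("well-known default name")
    if len(name) < MIN_COMMUNITY_LENGTH:
        issues.append("shorter than %d characters" % MIN_COMMUNITY_LENGTH)
    if name.isalpha() or name.isdigit():
        issues.append("only one character class")
    return issues


# Constructed configuration (not from the guide)
SAMPLE_VIEW = [
    ViewEntry("1.3.6.1.2.1", True),           # MIB-II visible ...
    ViewEntry("1.3.6.1.2.1.4.22", False),     # ... except the ARP (ipNetToMedia) table
    ViewEntry(A10_ENTERPRISE_OID, True),      # A10 objects visible
    ViewEntry("1.3.6.1.2.1.2.2.1.1.7", True, mask="1.1.1.1.1.1.1.1.1.0.1"),  # any ifTable column for ifIndex 7
]
SAMPLE_COMMUNITIES = [
    Community("s3cr3t-r0-Xq9", oid="1.3.6.1.2.1", remote="10.0.0.0/24"),
]
```

The deny-by-default in view_permits matters: an OID that no entry covers is hidden, so a view that only includes MIB-II hides the A10 enterprise subtree unless it is listed explicitly. Pairing a community with a remote network, as in SAMPLE_COMMUNITIES, mirrors the remote option of the snmp-server community command and limits where a leaked string can be used from.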

USING THE GUI

Note: To configure support for SNMPv3 or to configure views, groups, and users, use the CLI. The current release does not support configuration of SNMPv3 using the GUI.

1. Select Config > System > SNMP.
2. On the General tab, configure general settings:
a. To enable SNMP, select Enabled next to System SNMP Service.
b. In the System Contact field, enter the name or email address of the AX administrator to contact for system issues.
c. In the System Location field, enter a description of the AX device’s location.
3. On the Community tab, configure community strings:
a. Click Community to display the tab.
b. In the SNMP Community field, enter a community name.
c. To restrict SNMP access to a specific host or subnet, enter a hostname or an IP address and network mask in the Hostname (IP/ Mask) field. By default, any host can access the SNMP agent on the AX device.
d. In the Object Identifier field, enter the OID at which SNMP management applications can reach the AX device.
e. Click Add.
f. Repeat step b through step e for each combination of community string, management host, and OID.
4. On the Trap tab, specify external trap receivers:
a. Click Trap to display the tab.
b. In the IP Address (host) field, enter the IP address or fully-qualified hostname of the SNMP trap receiver.
c. If the trap receiver does not use the standard protocol port to listen for traps, change the port number in the Port field.
d. In the Community field, enter the name of the community sending the traps.
e. Select the SNMP version from the Version drop-down list:
• V1
• V2c

1. Repeat step b through step f for each trap receiver.Ver. 5. Click Add to add the receiver. select the individual traps you want to enable.0. 2. To configure external SNMP trap receivers.AX Series . click the Save button. Click Trap List to display the tab. b. the Save button flashes. Note: When there are unsaved configuration changes on the AX device.Configuration Guide Configuring Basic System Parameters f. To save the configuration changes. Otherwise. To configure location and contact information.2 11/11/2009 . 6. select All Traps. Click OK. To enable all traps. use the following command: snmp-server community read ro-community-string [oid oid-value] [remote {hostname | ipaddr mask-length | ipv6-addr/prefix-length}] 46 of 702 P e r f o r m a n c e b y D e s i g n Document No. USING THE CLI All SNMP configuration commands are available at the global configuration level of the CLI. On the Trap List tab.: D-030-01-00-0006 . 7. To configure one or more read-only communities. enable traps: a. use the following commands: snmp-server location location snmp-server contact contact-name 2. g. use the following command: snmp-server host trap-receiver [version {v1 | v2c}] community-string [udp-port port-num] 3.

4. To configure views, groups, and users, use the following commands:
snmp-server view view-name oid [oid-mask] {included | excluded}
snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} read view-name
snmp-server user username group groupname {v1 | v2 | v3 [auth {md5 | sha} password [encrypted]]}
Note: The GUI does not support configuration of SNMPv3 settings.
5. To enable the SNMP agent and SNMP traps, use the following command:
snmp-server enable [traps [snmp [trap-name] system [trap-name] ha [trap-name] slb [trap-name]]]
6. To save the configuration changes, use the following command at the Privileged EXEC level or any configuration level of the CLI:
write memory

Configuration Examples
The following examples show how to configure the system settings described in this chapter.

GUI EXAMPLE
The following examples show the GUI screens used for configuration of the basic system settings described in this chapter.

FIGURE 5 Config > Network > DNS > DNS tab

FIGURE 6 Config > System > Time > Date/Time tab
FIGURE 7 Config > System > Settings > Log tab

FIGURE 8 Config > System > SNMP
FIGURE 9 Config > System > SNMP > Trap List tab

FIGURE 10 Save Button

CLI EXAMPLE
The following commands log onto the CLI, access the global configuration level, set the hostname, and configure the other DNS settings:
login as: admin
Using keyboard-interactive authentication.
Password:********
Welcome to AX
Last login: Tue Jan 13 19:51:56 2009 from 192.168.1.144
[type ? for help]
AX>enable
Password:********
AX#config
AX(config)#hostname AX-SLB2
AX(config)#ip dns suffix ourcorp
AX(config)#ip dns primary 10.10.20.25
AX(config)#ip dns secondary 192.168.1.25

The following examples set the login banner to "welcome to login mode" and set the EXEC banner to "welcome to exec mode":
AX(config)#banner login "welcome to login mode"
AX(config)#banner exec "welcome to exec mode"

The following commands set the timezone and NTP parameters:
AX(config)#clock timezone ?
  Pacific/Midway        (GMT-11:00)Midway Island, Samoa
  Pacific/Honolulu      (GMT-10:00)Hawaii
  America/Anchorage     (GMT-09:00)Alaska
  America/Los_Angeles   (GMT-08:00)Pacific Time(US & Canada), Tijuana
  America/Tijuana       (GMT-08:00)Pacific Time
  ...
AX(config)#clock timezone America/Los_Angeles
AX(config)#ntp server 10.10.10.20
AX(config)#ntp server enable

The following commands configure the AX device to send system log messages to an external syslog server and to email Emergency messages to the system admins. In this example, the message levels sent to the external server are left at the default, Error (3) and above. By default, the same message levels are sent to the management terminal in CLI sessions. The message level emailed to admins is set to Emergency (0) messages only.
AX(config)#logging host 192.168.10.10
AX(config)#smtp ourmailsrvr
AX(config)#logging email-address admin1@example.com admin2@example.com
AX(config)#logging email 0

The following commands enable SNMP and all traps, configure the AX device to send traps to an external trap receiver, and configure a community string for use by external SNMP managers to read MIB data from the AX device.
AX(config)#snmp-server location ourcorp-HQ
AX(config)#snmp-server contact Me_admin1
AX(config)#snmp-server enable trap
AX(config)#snmp-server community read ourcorpsnmp
AX(config)#snmp-server host 192.168.1.11 ourcorpsnmp

The following command saves the configuration changes to the startup-config. This is the file from which the AX device loads the configuration following a reboot.
AX(config)#write memory

Network Setup
This chapter describes how to insert the AX device into your network. After you complete the setup tasks in this chapter that are applicable to your network, the AX device will be ready to configure for its primary function: load balancing.

Overview
AX Series devices can be inserted into your network with minimal or no changes to your existing network. You can insert the AX device into your network as a Layer 2 switch or a Layer 3 router. The same Layer 4-7 features are available with either deployment option. You can deploy the AX device as a single unit or as a High Availability (HA) pair. Deploying a pair of AX devices in an HA configuration provides an extra level of redundancy to help ensure your site remains available to clients. For simplicity, the examples in this chapter show deployment of a single AX device. For information about HA, see “High Availability” on page 423. Examples are provided in this chapter for the following types of network deployment:
• Transparent mode
• Transparent mode in multinetted environment
• Route mode (also called gateway mode)
• Direct Server Return (DSR) in transparent mode
• DSR in route mode

IP Subnet Support
Each AX device has a management interface and data interfaces. The management interface is a physical Ethernet port. A data interface is a physical Ethernet port, a trunk group, or a virtual Ethernet (VE) interface. The management interface can have a single IP address.

An AX device deployed in transparent mode (Layer 2) can have a single IP address for all data interfaces. The IP address of the data interfaces must be in a different subnet than the management interface's address.

An AX device deployed in route mode (Layer 3) can have separate IP addresses on each data interface. No two interfaces can have IP addresses that are in the same subnet. This applies to the management interface and all data interfaces.

Transparent Mode
Figure 11 shows an example of an AX Series device deployed in transparent mode.
FIGURE 11 AX Deployment Example – Transparent Mode

The blue arrows show the traffic flow for client-server traffic; in this example, between clients and server 10.10.10.3. In this example, the AX device is inserted directly between the gateway router and the real servers. The AX device and real servers are all in the same subnet and all use the router as their default gateway.

Note: For simplicity, this example and the other examples in this chapter show the physical links on single Ethernet ports. Everywhere a single Ethernet connection is shown, you can use a trunk, which is a set of multiple ports configured as a single logical link. Similarly, where a single gateway router is shown, a pair of routers in a Virtual Router Redundancy Protocol (VRRP) configuration could be used. In this case, the gateway address used by hosts and Layer 2 switches is the virtual IP address of the pair of routers.

This example does not use Layer 3 Network Address Translation (NAT) but does use the default SLB NAT settings. (For a description, see "SLB Source NAT" on page 484.)

HTTP requests from clients for virtual server 10.10.10.99 are routed by the Layer 3 router to the AX device. SLB on the AX device selects a real server and sends the request to the server. The server reply passes back through the AX device to clients.


Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown in Figure 11.

USING THE GUI
The following figures show the GUI screens used to implement the configuration shown in Figure 11. Here and elsewhere in this guide, the command paths used to access a GUI screen are listed in the figure caption.

Interface Configuration
FIGURE 12 Config > Network > Interface > Transparent
Note: For reference, Figure 12 shows the entire interface. Subsequent figures show only the relevant configuration page.
FIGURE 13 Config > Network > Interface > LAN


Real server configuration
The following screen examples show the GUI pages for basic SLB configuration. To implement changes entered on a GUI configuration page, click OK at the bottom of the page.
FIGURE 14 Config > Service > SLB > Server

Service group configuration
FIGURE 15 Config > Service > SLB > Service Group

Virtual server configuration
FIGURE 16 Config > Service > SLB > Virtual Server

FIGURE 17 Config > Service > SLB > Virtual Server - Virtual Server Port tab


USING THE CLI
The following commands configure the global IP address and default gateway:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1

The following commands enable the Ethernet interfaces used in the example:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#exit

The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.) Commands to configure the real servers
AX(config)#slb server rs1 10.10.10.3
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.20.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

Commands to configure the service group
AX(config)#slb service-group sg-web tcp
AX(config-slb service group)#member rs1:80
AX(config-slb service group)#member rs2:80
AX(config-slb service group)#exit

Commands to configure the virtual server
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb virtual server)#port 80 fast-http
AX(config-slb virtual server-slb virtua...)#service-group sg-web


Transparent Mode in Multinetted Environment
Figure 18 shows an example of an AX device deployed in transparent mode, in a multinetted environment. FIGURE 18 AX Deployment Example – Transparent Mode in Multinetted Environment

This example is similar to the example in Figure 11, except the real servers are in separate subnets. Each server uses the router as its default gateway, but at a different subnet address.

The blue arrows show the traffic flow for client-server traffic; in this example, between clients and server 10.10.10.4.

To enable the AX device to pass traffic for multiple subnets, the device is configured with multiple VLANs. The interfaces in subnet 10.10.10.x are in VLAN 1. The interfaces in the 10.10.20.x subnet are in VLAN 2.

Note: In this example, each AX interface is in only one VLAN and can therefore be untagged. The AX device could be connected to the router by a single link, in which case the AX link with the router would be in two VLANs and would need to be tagged in at least one of the VLANs. (If an interface is in multiple VLANs, the interface can be untagged in only one of the VLANs.)

Layer 3 IP Source NAT
The default SLB NAT settings allow client traffic to reach the server in the 10.10.20.x subnet, even though this is not the subnet that contains the AX device's IP address. However, in a multinetted environment where the AX device is deployed in transparent mode, source NAT is required to allow health checking of server 10.10.20.4 and its application port.

In this example, an address pool containing a range of addresses in the 10.10.20.x subnet is configured. The pool configuration includes the default gateway for the 10.10.20.x subnet (10.10.20.1). Without a gateway specified for the NAT pool, the AX device would attempt to send reply traffic using its own gateway (10.10.10.x), which is in a different subnet. The NAT configuration also includes enabling source NAT on the service port (in this example, 80) on the virtual server.

Note: The AX device initiates health checks using the last (highest numbered) IP address in the pool as the source IP address. In addition, the AX device will only respond to control traffic (for example, management and ICMP traffic) from the NATted subnet if the control traffic is sent to the last IP address in the pool.


Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown in Figure 18.
Note: GUI examples are shown here only for the configuration elements that are new in this section (VLAN and Source NAT pool). For examples of the GUI screens for the rest of the configuration, see "Transparent Mode" on page 54.

USING THE GUI
FIGURE 19 Config > Network > VLAN
FIGURE 20 Config > Service > IP Source NAT > IPv4 Pool

FIGURE 21 Config > Service > SLB > Virtual Server - Virtual Server Port tab


USING THE CLI
The following commands configure the global IP address and default gateway:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1

The following commands enable the Ethernet interfaces used in the example:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#enable
AX(config-if:ethernet4)#exit

The following commands configure the VLANs. By default, all AX Ethernet data ports are in VLAN 1, so the only configuration required in this example is to create a second VLAN and add ports to it. The ports you add to other VLANs are automatically removed from VLAN 1.
AX(config)#vlan 2
AX(config-vlan:2)#untagged ethernet 2 ethernet 4
AX(config-vlan:2)#exit

The following command configures a pool of IP addresses for use by source NAT. The pool is in the same subnet as real server 10.10.20.4.
AX(config)#ip nat pool pool1 10.10.20.100 10.10.20.101 netmask /24 gateway 10.10.20.1

The following commands add the SLB configuration. The source-nat command enables the IP address pool configured above to be used for NATting health check traffic between the AX device and the real server. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.)


Commands to configure the real servers
AX(config)#slb server rs1 10.10.10.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.20.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

Commands to configure the service group
AX(config)#slb service-group sg-web tcp
AX(config-slb service group)#member rs1:80
AX(config-slb service group)#member rs2:80
AX(config-slb service group)#exit

Commands to configure the virtual server
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb virtual server)#port 80 fast-http
AX(config-slb virtual server-slb virtua...)#service-group sg-web
AX(config-slb virtual server-slb virtua...)#source-nat pool pool1
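
The rules stated under "Layer 3 IP Source NAT" above, and applied by the ip nat pool and source-nat commands just shown, can be checked mechanically before the configuration is typed in. The following Python script is an added example written for this page, not A10 code: given the AX device's global address, the real servers and a proposed pool, it reports which servers need source NAT and what would break health checks through a pool (wrong subnet, missing gateway, address collision). The NatPool class, the function names and the to_cli() rendering are my own; the addresses are those of Figure 18.

```python
"""Apply the transparent-mode source NAT rules to a proposed SLB layout.

Added example for this page, not A10 code. It encodes the three rules the text gives:
a real server outside the AX device's own subnet needs a source NAT pool, the pool must
sit in the server's subnet with that subnet's gateway, and health checks leave from the
highest address in the pool. Class and function names are my own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class NatPool:
    name: str
    start: IPv4Address
    end: IPv4Address
    prefix: int                              # the "netmask /24" part of the CLI command
    gateway: Optional[IPv4Address] = None    # None reproduces the "no gateway" mistake

    @property
    def network(self) -> IPv4Network:
        return IPv4Interface(f"{self.start}/{self.prefix}").network

    @property
    def health_check_source(self) -> IPv4Address:
        """The AX device sources health checks from the last (highest) pool address."""
        return self.end

    def to_cli(self) -> str:
        """Render in the syntax of the ip nat pool command shown on this page."""
        gw = f" gateway {self.gateway}" if self.gateway else ""
        return f"ip nat pool {self.name} {self.start} {self.end} netmask /{self.prefix}{gw}"


def servers_needing_source_nat(ax_ip: IPv4Interface,
                               servers: List[IPv4Address]) -> List[IPv4Address]:
    """Real servers the AX device cannot health-check from its own global IP address."""
    return [s for s in servers if s not in ax_ip.network]


def validate_pool(pool: NatPool, server: IPv4Address, ax_ip: IPv4Interface) -> List[str]:
    """Problems that would break health checks to `server` through `pool` (empty list = OK)."""
    problems = []
    if pool.end < pool.start:
        problems.append(f"{pool.name}: end {pool.end} is below start {pool.start}")
    if server not in pool.network:
        problems.append(f"{pool.name}: {pool.network} is not the subnet of server {server}")
    if pool.gateway is None:
        problems.append(f"{pool.name}: no gateway, replies would leave via the AX device's "
                        f"own gateway in {ax_ip.network}")
    elif pool.gateway not in pool.network:
        problems.append(f"{pool.name}: gateway {pool.gateway} is outside {pool.network}")
    for addr, what in ((server, "server"), (pool.gateway, "gateway")):
        if addr is not None and pool.start <= addr <= pool.end:
            problems.append(f"{pool.name}: {what} {addr} collides with the pool range")
    return problems


if __name__ == "__main__":
    ax = IPv4Interface("10.10.10.2/24")                      # global IP from the example
    rs = [IPv4Address("10.10.10.4"), IPv4Address("10.10.20.4")]
    pool1 = NatPool("pool1", IPv4Address("10.10.20.100"), IPv4Address("10.10.20.101"), 24,
                    IPv4Address("10.10.20.1"))
    for server in servers_needing_source_nat(ax, rs):
        print(server, "needs source NAT;", validate_pool(pool1, server, ax) or "pool1 OK")
    print(pool1.to_cli(), "| health checks from", pool1.health_check_source)
```

The collision check matters operationally: because the AX device answers management and ICMP traffic on the last pool address, a pool that overlaps a real server or the gateway would silently steal that traffic.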

Route Mode
Figure 22 shows an example of an AX device deployed in route mode.
FIGURE 22 AX Deployment Example – Route Mode
The blue arrows show the traffic flow for client-server traffic; in this example, between clients and server 192.168.1.101.

This example shows a database server that is not part of the SLB configuration but that is used by the real servers when fulfilling client requests. Real servers can reach the database server through the AX device just as they would through any other router.

In this example, the AX device has separate IP interfaces in different subnets on each of the interfaces connected to the network. Although this example shows single physical links, you could use trunks as physical links. You also could use multiple VLANs, in which case the IP addresses would be configured on Virtual Ethernet (VE) interfaces, one per VLAN, instead of being configured on individual Ethernet ports.

Since the AX device is a router in this deployment, downstream devices can use the AX device as their default gateway. In this example, the router connected to port 3 would use 192.168.2.111 as its default gateway, and the Layer 2 switch connected to 192.168.1.100 would use that address as its default gateway. The database server would use 192.168.3.100 as its default gateway. If a pair of AX devices in a High Availability (HA) configuration is used, the downstream devices would use a floating IP address shared by the two AX devices as their default gateway. (For more on HA, see "High Availability" on page 423.)

The AX device can be configured with static IP routes and can be enabled to run RIP and OSPF. In this example, a static route through 10.10.10.1 is configured as the default route, and the device is enabled to run RIP.

Source NAT is not required for this configuration. The AX can send health checks to the real servers and receive the replies without NAT. Replies to clients still travel from the real servers through the AX device back to the client.

Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown in Figure 22.
Note: GUI examples are shown here only for the configuration elements that are new in this section (configuration of routing parameters). For examples of the GUI screens for the SLB configuration, see "Transparent Mode" on page 54.

USING THE GUI
FIGURE 23 Config > Network > Interface > LAN > IPv4
FIGURE 24 Config > Network > Route > IPv4 Static

FIGURE 25 Config > Network > Route > RIP > Route > General
FIGURE 26 Config > Network > Route > RIP > Interface
FIGURE 27 Config > Network > Route > RIP > Route > Network

USING THE CLI
The following commands enable the Ethernet interfaces used in the example and configure IP addresses on them:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#ip address 10.10.10.2 /24
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#ip address 192.168.1.100 /24
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#ip address 192.168.2.111 /24
AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#enable
AX(config-if:ethernet4)#ip address 192.168.3.100 /24
AX(config-if:ethernet4)#exit

The following command configures the default route through 10.10.10.1:
AX(config)#ip route 0.0.0.0 /0 10.10.10.1

The following commands configure the AX device as a RIP router. In this example, a simple text string ("myrip") is used to authenticate route updates exchanged between the AX device and its neighboring RIP routers. Simple-text RIP authentication is carried in cleartext in every update: it prevents accidental peering with misconfigured routers, but it does not protect against an attacker who can see or inject traffic on the segment.
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip rip authentication string myrip
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#ip rip authentication string myrip
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#ip rip authentication string myrip
AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#ip rip authentication string myrip
AX(config-if:ethernet4)#exit
AX(config)#router rip
AX(config-router-rip)#network 10.10.10.0 /24
AX(config-router-rip)#network 192.168.1.0 /24
AX(config-router-rip)#network 192.168.2.0 /24

AX(config-router-rip)#network 192.168.3.0 /24
AX(config-router-rip)#exit

The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.)

Commands to configure the real servers
AX(config)#slb server rs1 192.168.1.101
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server rs2 192.168.2.101
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

Commands to configure the service group
AX(config)#slb service-group sg-web tcp
AX(config-slb service group)#member rs1:80
AX(config-slb service group)#member rs2:80
AX(config-slb service group)#exit

Commands to configure the virtual server
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group sg-web

Direct Server Return in Transparent Mode
Figure 28 shows an example of an AX device deployed in transparent mode, in a Direct Server Return (DSR) configuration.
FIGURE 28 AX Deployment Example – DSR in Transparent Mode
In this example, the AX device is attached to the network in a "one-armed" configuration. A single link connects the AX device to the network. The link can be on a single Ethernet port or a trunk. This example uses a single Ethernet port.

The blue arrows show the traffic flow for client-server traffic; in this example, between clients and servers 10.10.10.3-4. Client request traffic for the virtual server IP address, 10.10.10.99, is routed to the AX device. However, server reply traffic does not pass back through the AX device. In a DSR configuration, replies from real servers do not necessarily pass through the AX device.

DSR Health Checking
Layer 3 and Layer 4-7 health checks are supported in DSR configurations. The target of the Layer 3 health checks can be the real IP addresses of the servers, or the virtual IP address, depending on your preference. Layer 4-7 health checks are sent to the same IP address as the Layer 3 health checks, and then addressed to the specific protocol port.
• To send the Layer 3 health checks to the real server IP addresses, you can use the default Layer 3 health method (ICMP).
• To send the Layer 3 health checks to the virtual IP address instead:
  • A loopback interface must be configured with the virtual server IP address. (This is performed on the real server itself, not as part of the real server's configuration on the AX device.)
  • Configure an ICMP health method with the transparent option enabled, and with the alias address set to the virtual IP address.
  • Globally enable DSR health checking.
You can use the default TCP and UDP health monitors or configure new health monitors. This example uses the default TCP health monitor.

Requirements
This configuration has certain requirements:
• Requirements on the AX device:
  • The AX device, virtual server, and the real servers all must be in the same subnet.
  • DSR must be enabled on the virtual service ports. (Enabling DSR is equivalent to disabling destination NAT.)
• Requirements on the real server:
  • The virtual server IP address must be configured as a loopback interface on each real server.
  • ARP replies from the loopback interfaces must be disabled. (This applies to the loopback interfaces that have the virtual server IP address.)
Note: In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP, UDP, and RTSP.

Configuration Example
This section shows how to implement the configuration shown in Figure 28.

USING THE GUI
Note: This example does not include configuration of the real servers, or configuration of the virtual server other than the steps for enabling DSR.

Enable Ethernet interface(s)
1. Select Config > Network > Interface.
2. On the menu bar, select LAN.
3. Click on the checkbox next to the interface number to enable (for example, "e3").
4. Click Enable. The icon in the Status column changes to a green checkmark to indicate that the interface is enabled.

Specify the AX device's IP address and default gateway
1. Select Config > Network > Interface.
2. On the menu bar, select Transparent.
3. Enter the IP address, network mask or prefix length, and default gateway address. (In this example, use the IPv4 tab and enter 10.10.10.2, 255.255.255.0, and 10.10.10.1.)
4. Click OK.

Enable DSR on virtual ports
1. Select Config > Service > Server > Virtual Server.
2. Select the virtual server or click Add to create a new one.
3. On the Virtual Server Port tab, select the virtual port and click Edit, or click Add to create a new one.
4. Select Enabled next to Direct Server Return.
5. Configure other settings if needed. (The other settings are not specific to DSR and depend on the application.)
6. Click OK. The virtual port list for the virtual server reappears.
7. Click OK again. The virtual server list reappears.

USING THE CLI
The following commands configure the global IP address and default gateway:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1

The following commands enable the Ethernet interface connected to the clients and server:
AX(config)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#exit

The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.)

Commands to configure the real servers
AX(config)#slb server rs1 10.10.10.3
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.10.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

Commands to configure the service group
AX(config)#slb service-group sg-web tcp
AX(config-slb service group)#member rs1:80
AX(config-slb service group)#member rs2:80
AX(config-slb service group)#exit

Commands to configure the virtual server
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#service-group sg-web
AX(config-slb virtual server-slb virtua...)#no-dest-nat

CONFIGURATION ON THE REAL SERVERS
For DSR to work, a loopback interface with the IP address of the virtual server must be configured on each real server, and ARP replies from the loopback address must be disabled. Here is an example for a Unix/Linux server:
ifconfig lo:0 10.10.10.99 netmask 255.255.255.255 -arp up
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce
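
The following Python script is an added example written for this page; it is not part of the A10 guide. It generalizes the five lines above for any VIP and interface: it produces the same commands for review instead of running them, parses the output of ip -o -4 addr show dev lo to confirm the VIP really is on the loopback, and reads the arp_ignore/arp_announce knobs back to verify the server will not answer ARP for the VIP (a server that does answer will hijack the VIP from the AX device). The function names, the configurable proc root and the sample ip output are my own.

```python
"""Plan and verify the Linux real-server side of DSR.

Added example for this page, not A10 code. It generalizes the ifconfig/echo lines above:
the VIP and interface are parameters, the commands are returned for review instead of
being run, the sysctl check reads from a configurable root so it can be tested without
root or a kernel, and a parser confirms the VIP is really on the loopback. Names are mine.
"""
from ipaddress import IPv4Address
from pathlib import Path
from typing import List

# arp_ignore=1: answer ARP only for addresses configured on the receiving interface,
# so the VIP on lo stays silent. arp_announce=2: never use the VIP as the ARP source.
ARP_SETTINGS = {"arp_ignore": "1", "arp_announce": "2"}


def is_valid_vip(vip: str) -> bool:
    try:
        IPv4Address(vip)
        return True
    except ValueError:
        return False


def dsr_commands(vip: str, iface: str = "eth0", alias: str = "lo:0") -> List[str]:
    """Commands that put the VIP on the loopback as a /32 and silence ARP for it."""
    addr = IPv4Address(vip)                  # ValueError on anything that is not an IPv4 address
    cmds = [f"ifconfig {alias} {addr} netmask 255.255.255.255 -arp up"]
    for scope in ("all", iface):
        for knob, val in ARP_SETTINGS.items():
            cmds.append(f"echo {val} > /proc/sys/net/ipv4/conf/{scope}/{knob}")
    return cmds


def check_arp_sysctls(iface: str = "eth0",
                      root: str = "/proc/sys/net/ipv4/conf") -> List[str]:
    """Knobs that are missing or wrong under `root` (empty list means DSR-ready)."""
    bad = []
    for scope in ("all", iface):
        for knob, want in ARP_SETTINGS.items():
            path = Path(root) / scope / knob
            try:
                have = path.read_text().strip()
            except OSError:
                bad.append(f"{path}: missing")
                continue
            if have != want:
                bad.append(f"{path}: is {have}, want {want}")
    return bad


# Constructed sample of `ip -o -4 addr show dev lo` on a server prepared for VIP 10.10.10.99.
SAMPLE_IP_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "1: lo    inet 10.10.10.99/32 scope global lo:0\\       valid_lft forever preferred_lft forever\n"
)


def vip_on_loopback(vip: str, ip_addr_output: str) -> bool:
    """True if `ip -o -4 addr show dev lo` output lists the VIP as a host route (/32)."""
    want = f"{IPv4Address(vip)}/32"
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if "inet" in fields:
            i = fields.index("inet")
            if i + 1 < len(fields) and fields[i + 1] == want:
                return True
    return False


if __name__ == "__main__":
    print("\n".join(dsr_commands("10.10.10.99", "eth0")))
    print("VIP on lo:", vip_on_loopback("10.10.10.99", SAMPLE_IP_ADDR))
    print("sysctl problems:", check_arp_sysctls("eth0") or "none")   # real /proc on this host
```

The commands still have to be run as root on the real server, and the sysctl settings are not persistent across reboots unless they are also placed in sysctl.conf; check_arp_sysctls() is meant to run after boot as the test that the VIP will stay silent on the segment.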

Direct Server Return in Route Mode

Figure 29 shows an example of an AX device deployed in a DSR configuration in route mode.

FIGURE 29 AX Deployment Example – DSR in Route Mode

The configuration is very similar to the one for DSR in transparent mode, except the AX device uses an IP interface configured on an individual Ethernet port instead of a global IP address. The requirements for the AX device and real servers are the same as those for DSR in transparent mode. (See “Direct Server Return in Transparent Mode” on page 74.)

Configuration Example

This section shows how to implement the configuration shown in Figure 29. The only difference is configuration of the IP interface on the Ethernet interface connected to the router, and configuration of a default route.

Note: The following examples only show the part of the configuration that differs from deployment of DSR in transparent mode.

USING THE GUI

Configure an IP address on the Ethernet port
1. Select Config > Network > Interface.
2. On the menu bar, select LAN.
3. In the Interface column, click on the interface name (for example, “e3”).
4. In the General section, click Enabled next to Status.
5. In the IPv4 section, enter the IP address and network mask.
6. Click OK.

Configure a default route
1. Select Config > Network > Route.
2. On the menu bar, select IPv4 Static.
3. Click Add.
4. Enter 0.0.0.0 in the IP Address and Netmask fields.
5. Enter the IP address of the gateway router in the Gateway field.
6. Click OK.

USING THE CLI

The following commands enable the Ethernet interface used in the example and configure an IP address on it:

AX(config)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#ip address 10.10.10.2 /24
AX(config-if:ethernet3)#exit

The following command configures the default route through 10.10.10.1:

AX(config)#ip route 0.0.0.0 /0 10.10.10.1

The rest of the configuration commands are the same as those shown in “Direct Server Return in Transparent Mode” on page 74, beginning with configuration of the real servers.

Direct Server Return in Mixed Layer 2/Layer 3 Environment

You can configure the AX device to use some servers as backups in a DSR deployment. The backup servers are not required to be connected to the AX device at Layer 2 or in the same IP subnet.

Note: The deployment described in this section is useful for deploying backup servers to use only if primary servers are unavailable. Since the backup server is a valuable network resource, serving as a server farm backup is only one of its functions. It is also used by other applications elsewhere in the network. The AX device can be configured to use the server as a backup to a DSR server farm, without changing the network topology.

Figure 30 shows an example that uses a backup server in a different subnet.

FIGURE 30 Backup Server in DSR Configuration

In this example, two real servers are used as the primary servers for VIP 10.10.10.99:80. They are in the same IP subnet as the AX device. Each of them is configured for DSR: destination NAT is disabled on the virtual port. Another server, 192.168.1.10, is configured as a backup, to be used only if both primary servers are unavailable.

To deploy the backup server:
• In the service group, assign a higher priority to the members for the primary servers, so that the member for the backup server has the lower priority. Use the same priority for all the primary servers. By default, the AX device will not use the lower-priority server (the backup server) unless all the primary servers are down.
• Enable destination NAT on the backup server. Normally, destination NAT is disabled on virtual ports used for DSR. However, destination NAT needs to be enabled on the real port on the backup server. Enabling destination NAT for the backup server allows the server to remain on a different subnet from the AX device, and still be used for the VIP that normally is served by DSR. The backup server does not need to be moved to a Layer 2 connection to the AX device and the server’s IP address does not need to be changed. It can remain on a different subnet from the AX device and the primary servers.
By default, destination NAT is unset on real ports, and is set by the virtual port. Destination NAT can not be set directly on an individual real port. To enable destination NAT on a real port, create a real port template, enable destination NAT in the template, and bind the template to the real port.

USING THE GUI

Set member priorities in the service group
1. Select Config > Service > SLB.
2. On the menu bar, select Service Group.
3. Click on the service group name or click Add to create a new one.
4. If this is a new service group, enter the name.
5. In the Server section, when adding a member, select the priority. Select 16 from the Priority field for each of the primary server ports. Select 1 for the backup server port.
Note: If you are modifying a member that is already in the list, click the checkbox in the row containing the member information, then click Update.
6. Click OK.

Enable destination NAT on the backup server’s port
1. Configure a server port template:
   a. Select Config > Service > SLB.
   b. On the menu bar, select Template > Server Port.
   c. Click Add.
   d. Enter a name for the template in the Name field.
   e. In the Server Port Template section, select Disabled next to Direct Server Return.
   f. Click OK.
2. Apply the server port template to the real server port:
   a. Select Config > Service > SLB.
   b. On the menu bar, select Server.
   c. In the Port section, click on the checkbox in the row for the port, to select the port. If you are adding a port, enter the port number in the Port field.
   d. Select the server port template from the Server Port Template drop-down list.
   e. Click Update (if you are updating a port) or Add (if you are adding a new one).

FIGURE 31 Config > Service > SLB > Service Group

FIGURE 32 Config > Service > SLB > Template > Server Port

FIGURE 33 Config > Service > SLB > Server - General and Port sections

USING THE CLI

To set the priority values of the primary servers to a higher value than the backup server, re-add the members for the primary servers’ ports, and use the priority option. Set the priority to a value higher than 1 (the default). Use the same priority value on each of the primary server’s member ports.

To enable destination NAT on a service port within a service group, use the dest-nat option in a server port template, then bind that template to the server port in the service group.

CLI Example

The following commands add the members to the service group:

AX(config)#slb service-group sg-dsr tcp
AX(config-slb service group)#member primarys1:80 priority 16
AX(config-slb service group)#member primarys2:80 priority 16
AX(config-slb service group)#member secondarys1:80
AX(config-slb service group)#exit

The following commands configure a server port template for the backup server and bind it to the HTTP port on the backup server:

AX(config)#slb template port dsrbackup
AX(config-rport)#dest-nat
AX(config-rport)#exit
AX(config)#slb server secondarys1 192.168.1.10
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#template port dsrbackup


HTTP Load Balancing

This chapter describes HTTP load balancing and how to configure it.

Overview

HTTP load balancing manages HTTP traffic across a Web server farm. Figure 34 shows an example of an HTTP load balancing deployment.

Note: The network topologies in application examples such as this one are simplified to focus on the application. For example, a single AX is shown. Your configuration might use an AX pair for High Availability (HA). Likewise, the Internet router connecting the clients to the AX device is not shown here.

FIGURE 34 HTTP Load Balancing

In this example, a server farm consisting of three servers provides content for Web site www.example.com. Clients access the site through its virtual IP address, 192.168.10.11. When the AX device receives a client request for the HTTP port (80) on 192.168.10.11, the AX device selects a real server and sends the client request to the server. The AX device selects a server based on the load balancing method used by the service group, and on additional criteria relevant to the load balancing method. In this example, the default load balancing method, round robin, is used. The round robin method selects servers in rotation. For example, the first client request is sent to server web-2, the next client request is sent to server web-3, and so on.

After selecting a real server, the AX device automatically performs the necessary Network Address Translation (NAT) to send the client request to the server, receive the reply from the server, and send the reply to the client. The client is unaware of the real IP address of the real server, nor is the client aware that the site actually consists of multiple servers. From the client’s perspective, the Web session is between the client and port 80 on 192.168.10.11.

SERVICE GROUPS

A service group contains a set of real servers from which the AX device can select to service a client request. This example uses a single service group that contains all the real servers and the applicable service port (80). For simplicity in this example, the real servers use the default protocol port number for HTTP (80). The port numbers on the real and virtual servers are not required to match. During configuration, you bind the service group to the virtual port(s) on the virtual server.

VIRTUAL SERVER

The virtual server in this example has IP address 192.168.10.11 and virtual service port 80. When you configure a virtual service port, you specify the protocol port number for the port. You also specify the service type. The AX device supports the following service types for HTTP ports:
• HTTP – Complete TCP stack. Use this service type if you plan to customize any templates. For example, if you plan to use SSL (HTTPS load balancing or SSL offload), or customize the HTTP template to change information in the HTTP headers of server replies, use the HTTP service type. Also use this service type for stream-based applications such as RAM Caching and compression.
• Fast-HTTP – Streamlined hybrid stack for high performance. If you do not plan to offload SSL or customize any templates, use Fast-HTTP.
(For a complete list of the service types, see “Virtual Service Port Parameters” on page 640.)

TEMPLATES

Templates are sets of configuration parameters that apply to specific service types or to servers and service ports. For some types of templates, the AX configuration has a “default” template that is automatically applied to a service port unless you apply another template of the same type instead.

This example uses the default settings for each of the templates that are automatically applied to the HTTP service type and to the real and virtual servers and ports. The rest of the information in this section is for reference but is not required reading to continue with this example.

Service Templates

For HTTP, the AX configuration applies “default” templates of each of the following template types to HTTP service ports:
• TCP-Proxy – TCP-proxy templates control TCP stack settings, including the idle timeout for TCP connections. Unless you need to change the setting for a TCP/IP stack parameter, you can safely allow the AX device to apply the default TCP-proxy template to the service types that use it.
• HTTP – HTTP templates provide many options, including options to change information in the HTTP header, enable compression, and select a service group based on the URL requested by the client. By default, all the options in this template are disabled or not set, so you can safely allow the AX device to apply the default for this template type too. (See “Service Template Parameters” on page 599.)
• Connection Reuse – Allows TCP connections between the AX device and real servers to be reused for multiple clients instead of terminating a connection and starting a new one for each new client. Although the default connection reuse template is automatically applied, the default settings in the template disable connection reuse. Unless you want to use connection reuse, you can ignore this template. (Connection reuse requires additional configuration. See “Connection Reuse” on page 484.)

The following types of templates also can be used with HTTP service ports. However, these types of templates do not have “default” templates that are applied automatically.
• Cookie Persistence – Inserts a cookie in the HTTP header of a server reply before sending the reply to the client. The cookie ensures that subsequent requests from the client for the same virtual server and virtual port are directed to the same service group, real server, or real service port. The granularity of the persistence can be set to always use the same real server port, the same real server, or the same service group.
• Source-IP Persistence – Similar to cookie persistence, except the AX device does not insert cookies. Instead, clients are directed to the same resource in the server farm for every request, for the duration of a configurable timer on the AX device. (For an example that uses a source-IP persistence template, see “Layer 4 TCP/UDP Load Balancing” on page 213.)

Server and Port Templates

The AX device uses templates for configuration of some commonly used server and port parameters. By default, the following templates are applied:
• Default server template – Contains configuration parameters for real servers
• Default port template – Contains configuration parameters for real service ports
• Default virtual-server template – Contains configuration parameters for virtual servers
• Default virtual-port template – Contains configuration parameters for virtual service ports
Each of the default templates is named “default”. For more information about server and port templates, see the following:
• “Server and Port Templates” on page 281 in this guide
• “Config Commands: SLB Templates” chapter in the AX Series CLI Reference
• “Config > Service > SLB > Template” section in the “Config Mode” chapter of the AX Series GUI Reference

HEALTH MONITORS

This example uses the following types of health monitors to check the real servers:
• Ping – A Layer 3 health method that sends an ICMP echo request to the real server’s IP address. The server passes the health check if the AX device receives a ping reply.
• TCP – By default, every 30 seconds the AX device sends a connection request (TCP SYN) to each load balanced TCP port on each server, in this case ports 80 and 443. A TCP port passes the health check if the server replies to the AX device by sending a TCP SYN ACK. By default, the AX device completes the TCP handshake.

In addition to these default health checks, you can configure health monitors for specific service types. This example uses an HTTP health monitor, with the following default settings:
• Every 30 seconds, the AX device sends an HTTP GET request for the default index page.
• The HTTP service port passes the health check if the requested page is present on the server and the server replies with an OK message (200).
(For more information about health monitors and their configurable options, see “Health Monitoring” on page 297.)

Configuring HTTP Load Balancing

To configure the HTTP load balancing solution described in “Overview” on page 89, perform the following tasks on the AX device:
1. Configure an HTTP health monitor.
2. Configure the real servers. On each real server:
   • Add the HTTP service port.
   • Enable the HTTP health monitor.
3. Configure the service group. Add the real servers and service ports to the group.
4. Configure the virtual server:
   • Add the HTTP service port, with service type Fast-HTTP.
   • Bind the service group to the virtual port.

USING THE GUI

To configure an HTTP health method
1. Select Config > Service > Health Monitor.
2. Select Health Monitor on the menu bar.
3. Click Add.
4. On the Health Monitor tab, enter a name for the monitor.
5. On the Method tab, select HTTP from the Type drop-down list. The other configuration fields on the tab change to those that apply to HTTP health monitors.
6. Optionally, select or enter additional options for the health monitor. (See “Health Monitoring” on page 297.) In this example, you can use all the default settings.
7. Click OK. The new monitor appears in the health monitor table.

FIGURE 35 Config > Service > Health Monitor > Health Monitor

To configure the real servers
Perform the following procedure separately for each real server.
1. Select Config > Service > SLB.
2. Select Server on the menu bar.
3. Click Add.
4. On the General tab, enter a name for the server in the Name field.
5. In the IP Address field, enter the IP address of the server.
   Note: Enter the server’s real address, not the virtual server IP address.
6. In the Health Monitor drop-down list, select ping or leave the monitor unset.
   Note: If you leave the monitor unset, the Layer 3 health monitor that comes in the AX configuration by default is used. (See “Default Health Checks” on page 297.)
7. On the Port tab, enter the number of the service port on the real server in the Port field. In this example, enter “80”.
8. In the Health Monitor drop-down list, select the HTTP health monitor configured in “To configure an HTTP health method” on page 94.
9. Click Add. The port appears in the port list.
10. Click OK. The real server appears in the server table.

FIGURE 36 Config > Service > SLB > Server

FIGURE 37 Config > Service > SLB > Server (real servers added)

Note: The AX device begins sending health checks to a real server’s IP address and service ports as soon as you finish configuring the server. The default Layer 3 health method is automatically used for the Layer 3 health check, unless you selected another health method instead. The overall health status for the server is shown in the Health column. If the status is Down instead of Up, verify that health monitors are configured for all the service ports.

To configure the service group
1. Select Config > Service > SLB, if not still selected.
2. Select Service Group on the menu bar.
3. Click Add.
4. On the Service Group tab, select the load-balancing method from the Algorithm drop-down list. For this example, you can leave the default selected: Round Robin.
5. On the Server tab, select a real server from the Server drop-down list.
6. In the port field, enter the service port number.
7. Click Add.
8. Repeat step 5 through step 7 for each real server.
9. Click OK. The new group appears in the service group table.

FIGURE 38 Config > Service > SLB > Service Group

To configure the virtual server
1. Select Config > Service > SLB, if not still selected.
2. Select Virtual Server on the menu bar.
3. Click Add. The General tab appears.
4. On the General tab, enter a name for the virtual server in the Name field.
5. In the IP Address field, enter the IP address that clients will request.
6. On the Port tab, click Add. The Virtual Server Port tab appears.
7. In the Type drop-down list, select the service type. In this example, select Fast-HTTP.
8. In the Port field, enter the service port number. In this example, enter “80”.
9. In the Service Group drop-down list, select the service group.
10. Click OK. The port appears in the Port list of the Port tab.
11. Click OK. The virtual server appears in the virtual server table.

FIGURE 39 Config > Service > SLB > Virtual Server

FIGURE 40 Config > Service > SLB > Virtual Server - Port tab

USING THE CLI

Note: The command syntax shown in this section is simplified for the configuration example in this chapter. For complete syntax information about any command, see the AX Series CLI Reference.

1. To configure HTTP and HTTPS health methods, use the following commands:

health monitor monitor-name

Enter this command at the global configuration level of the CLI, for each monitor to be configured. The command changes the CLI to the configuration level for the monitor. At the monitor configuration level, enter the following command:

method http

Entering this command, without entering additional commands at this level, configures the monitor to use all the default settings for the HTTP method. To customize settings for a health monitor, use additional commands at the configuration level for the monitor.

2. To configure the real servers, use the following commands:

slb server server-name ipaddr

This command changes the CLI to the configuration level for the real server, where you can use the following command to add the HTTP port to the server:

port port-num tcp

The port-num specifies the protocol port number. In this example, specify “80”. This command adds the port and changes the CLI to the configuration level for the port, where you can use the following command to enable the HTTP health check:

health-check monitor-name

For monitor-name, specify the name of the HTTP health monitor configured in step 1. Repeat the command for each real server.

3. To configure the service group, use the following commands:

slb service-group group-name tcp

This command changes the CLI to the configuration level for the service group, where you can use the following command to add the real servers and service ports to the group:

member server-name:portnum

The portnum is the protocol port number of the service to be load balanced. In this example, specify “80”.

4. To configure the virtual server and virtual port, use the following commands:

slb virtual-server name ipaddr

This command changes the CLI to the configuration level for the virtual server, where you can use the following command to add the virtual port to the server:

port port-number fast-http

or

port port-num http

For this example, use the first command (the one with fast-http as the service type) and specify “80” as the port-num. The port command changes the CLI to the configuration level for the virtual port, where you can use the following command to bind the virtual port to the service group:

service-group group-name

The group-name is the name of the service group configured in step 3.

CLI EXAMPLE

The following commands configure the HTTP health monitor:

AX(config)#health monitor http-hmon
AX(config-health:monitor)#method http
AX(config-health:monitor)#exit

The following commands configure the real servers:

AX(config)#slb server web-2 10.10.10.2
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#health-check http-hmon
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server web-3 10.10.10.3
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#health-check http-hmon
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server web-4 10.10.10.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#health-check http-hmon
AX(config-real server-node port)#exit
AX(config-real server)#exit

The following commands configure the service group:

AX(config)#slb service-group sg-web tcp
AX(config-slb service group)#member web-2:80
AX(config-slb service group)#member web-3:80
AX(config-slb service group)#member web-4:80
AX(config-slb service group)#exit

The following commands configure the virtual server:

AX(config)#slb virtual-server web-vip 192.168.10.11
AX(config-slb virtual server)#port 80 fast-http
AX(config-slb virtual server-slb virtua...)#service-group sg-web
AX(config-slb virtual server-slb virtua...)#exit
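The following added example is not AX code; it models how a service group chooses a member and ties together two passages of this guide: member priority and the dest-nat port template from “Direct Server Return in Mixed Layer 2/Layer 3 Environment” (sg-dsr, with primarys1 and primarys2 at priority 16 and secondarys1 at the default priority 1), and the HTTP health monitor plus round robin of this chapter (sg-web, with web-2, web-3 and web-4). The health-check replies and the addresses of the two primary servers are constructed.

```python
# Added illustration, not AX code: a model of how a service group picks a
# member. It joins two passages of this guide: member priority and the dest-nat
# port template from the mixed Layer 2/Layer 3 DSR section (sg-dsr: primarys1
# and primarys2 at priority 16, secondarys1 at the default 1), and the HTTP
# health monitor plus round robin of this chapter (sg-web: web-2/3/4). The
# health-check replies and the primary servers' addresses are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    server: str
    ip: str
    port: int
    priority: int = 1       # AX default; a higher value is preferred
    dest_nat: bool = False  # port bound to an 'slb template port' with dest-nat
    up: bool = True         # outcome of the latest health check


def http_health_check(reply: bytes) -> bool:
    """The guide's HTTP monitor rule: the port passes only if the GET for the
    index page is answered with status 200. Any other status, a garbled reply
    or no reply at all (empty bytes) fails."""
    try:
        parts = reply.split(b"\r\n", 1)[0].decode("ascii").split(" ", 2)
    except UnicodeDecodeError:
        return False
    return len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1] == "200"


class ServiceGroup:
    def __init__(self, name: str, members: List[Member]):
        self.name = name
        self.members = members
        self._last: Optional[str] = None   # round-robin position

    def apply_health(self, replies: Dict[str, bytes]) -> None:
        """One round of health checks; a member absent from replies sent nothing."""
        for m in self.members:
            m.up = http_health_check(replies.get(m.server, b""))

    def eligible(self) -> List[Member]:
        """Only the highest priority tier that still has an up member is used,
        so the backup (lower priority) is reached only when every primary is down."""
        up = [m for m in self.members if m.up]
        if not up:
            return []
        best = max(m.priority for m in up)
        return [m for m in up if m.priority == best]

    def select(self) -> Optional[Member]:
        """Round robin within the eligible tier."""
        pool = self.eligible()
        if not pool:
            return None
        names = [m.server for m in pool]
        idx = (names.index(self._last) + 1) % len(pool) if self._last in names else 0
        self._last = names[idx]
        return pool[idx]


def forward_target(vip: str, vport: int, m: Member) -> Tuple[str, int, bool]:
    """Destination the AX device puts on the client's packet. Without dest-nat
    (DSR) the VIP stays as destination and the packet can only be handed to a
    server on the same Layer 2 segment; with dest-nat the destination becomes
    the member's own address, so it can be routed to another subnet.
    Returns (dst_ip, dst_port, routable_to_other_subnet)."""
    return (m.ip, m.port, True) if m.dest_nat else (vip, vport, False)


def sg_dsr() -> ServiceGroup:
    return ServiceGroup("sg-dsr", [
        Member("primarys1", "10.10.10.3", 80, priority=16),        # address constructed
        Member("primarys2", "10.10.10.4", 80, priority=16),        # address constructed
        Member("secondarys1", "192.168.1.10", 80, dest_nat=True),  # template dsrbackup
    ])


def sg_web() -> ServiceGroup:
    return ServiceGroup("sg-web", [Member("web-2", "10.10.10.2", 80),
                                   Member("web-3", "10.10.10.3", 80),
                                   Member("web-4", "10.10.10.4", 80)])


if __name__ == "__main__":
    g = sg_dsr()
    print([g.select().server for _ in range(3)])                  # primaries only
    g.apply_health({"secondarys1": b"HTTP/1.1 200 OK\r\n\r\n"})  # primaries silent
    m = g.select()
    print(m.server, forward_target("10.10.10.99", 80, m))        # backup, dest-nat
```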


HTTP Options for SLB

This chapter describes the HTTP options you can configure in HTTP templates, and provides examples of their use.

Overview

HTTP templates provide many SLB options. Some options control selection of real servers or service groups, while other options modify HTTP header information or enhance website performance.

Summary of HTTP Options

This section briefly describes each of the options you can configure in HTTP templates.

Options for Server and Service Group Selection

You can use the following HTTP options to select real servers or service groups. By default, the AX device uses the load-balancing method set for the service group to select a real server. The server selection options override selection by the load-balancing method.
• URL hash switching – Selects a real server based on a hash value calculated from part of the URL string. (See “URL Hash Switching” on page 108.)
• URL / host switching – Selects a service group based on the URL path or domain in the client’s GET request. (See “URL / Host Switching” on page 111.)
• Failover URL – If the URL in the GET request cannot be reached due to server unavailability, the AX device sends a 302 Redirect to the client. (See “URL Failover” on page 119.)
• 5xx retry and reassignment – Retries a server that replies to a request with a 5xx status code instead of sending the status code to the client, and reassigns the request to another server if the first server continues to reply with a 5xx status code. (See “5xx Retry and Reassignment” on page 121.)
• Strict transaction switching – Performs server selection for each request within a client-server session, rather than performing server selection once per session. This option provides a simple method to force rebalancing of server selection. (See “Strict Transaction Switching” on page 140.)

Options that Modify Server Replies
• Redirect rewrite – Modifies 302 Redirect messages from real servers before sending the redirect messages to clients. This option can convert HTTP URLs into HTTPS URLs, and can modify the domain or URL path in the redirect message. (See “URL Redirect Rewrite” on page 138.)

Options that Modify HTTP Requests
• Client IP insertion – Inserts the client’s IP address into GET requests before sending the requests to a real server. The address is added as a value to the X-ClientIP field by default. Optionally, you can add the client address to a different field instead, for example: X-Forwarded-For. (See “Client IP Insertion / Replacement” on page 129.)
• Header insertion / erasure – Inserts a field:value pair into requests or responses, or deletes a header. (See “Header Insertion / Erasure” on page 133.)

Performance Enhancing Option
• Content Compression – You can configure the AX device to offload content compression from real servers. Enabling content compression on the AX device can help increase overall website performance by freeing real server resources from CPU-intensive compression tasks. (See “Content Compression” on page 122.)

HTTP Template Configuration

To use the options in an HTTP template, you must configure the template, then bind the template to virtual service ports. You can bind an HTTP template to the following types of virtual service ports:
• HTTP
• Fast-HTTP
• HTTPS

To configure an HTTP template and bind it to a virtual service port, use either of the following methods:

USING THE GUI

To configure an HTTP template:
1. Select Config > Service > Template.
2. Select Application > HTTP on the menu bar.
3. Click Add. The HTTP tab appears.
4. Enter a name for the template.
5. Select or enter values for the template options you want to use. The remaining sections in this chapter describe the fields for configuring each option.
   Note: Some settings are on the other HTTP template tabs (App switching, Redirect Rewrite, and Compression).
6. Click OK. The template appears in the HTTP template list.

To bind a template to a virtual service port:
1. Select Config > Service > SLB.
2. Select Virtual Server on the menu bar.
3. To edit an existing virtual server, select it. To configure a new one, click Add. The General tab appears.
4. Click Port. The Port tab appears.
5. Select the port or click Add. The Virtual Server Port tab appears.
6. Make sure the port type is HTTP, Fast-HTTP, or HTTPS.
7. In the HTTP Template drop-down list, select the HTTP template.
8. Configure other options if needed. (For example, if you are configuring a new port, make sure to select the service group.)
9. Click OK. The port appears in the Port list of the Port tab.
10. When finished, click OK. The virtual server list reappears.

USING THE CLI
To configure an HTTP template, enter the following command at the global configuration level of the CLI:
slb template http template-name
This command changes the CLI to the configuration level for the template. The remaining sections in this chapter describe the commands for configuring each option.

To bind a template to a virtual service port, enter the following command at the configuration level for the port:
template http template-name

URL Hash Switching
URL hash switching provides a simple method for optimizing a server farm in which the same content is served by multiple servers. This feature enhances website performance by taking advantage of content caching on the real servers. When enabled, URL hashing selects a real server for the first request for given content, and assigns a hash value to the server for the content. The AX device then sends all subsequent requests for the content to the same real server. Figure 41 shows an example of URL hashing.

FIGURE 41 URL Hashing

In this example, a service group contains three real servers. Each of the real servers contains the same set of .htm(l), .pdf, and .jpg files. The AX device is configured to calculate a hash value based on the last 3 bytes of the URL string in the client request, and assign the hash value to a server. In this example, all requests that end with “pdf” are sent to the same server.

After assigning a hash value to a server, the AX device sends all requests that match the hash value to the same real server. If the real server becomes unavailable, the AX device selects another server, assigns a hash value to it, and uses that server for all subsequent requests for URL strings that have the same hash value.
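The following Python model is an added example, not A10 code, of the behaviour described for Figure 41: a hash over the first or last N bytes of the URL string, a remembered hash-value-to-server assignment, and re-assignment when the assigned server is down. The digest function and the round-robin choice for a first-seen hash value are assumptions; the page does not say how the device computes the hash, only which bytes it hashes.

```python
"""Model of url-hash-persist {first | last} bytes (added example, not A10 code)."""
import hashlib
from typing import Dict, Iterable, List


class UrlHashSwitcher:
    """Sticks every URL with the same hashed bytes to one real server."""

    def __init__(self, servers: List[str], position: str = "last", nbytes: int = 3):
        if position not in ("first", "last"):
            raise ValueError("position must be 'first' or 'last'")
        if nbytes < 1:
            raise ValueError("nbytes must be positive")
        self.servers = list(servers)
        self.position = position
        self.nbytes = nbytes
        self.assignment: Dict[str, str] = {}  # hash value -> real server
        self._next = 0  # round-robin pointer for first-seen hash values (assumption)

    def hashed_bytes(self, url: str) -> bytes:
        """The part of the URL string that feeds the hash: first or last N bytes."""
        raw = url.encode("utf-8")
        return raw[: self.nbytes] if self.position == "first" else raw[-self.nbytes :]

    def hash_value(self, url: str) -> str:
        # Any stable digest of the selected bytes reproduces the described behaviour.
        return hashlib.sha256(self.hashed_bytes(url)).hexdigest()[:8]

    def _pick_available(self, down: Iterable[str]) -> str:
        unavailable = set(down)
        for _ in range(len(self.servers)):
            server = self.servers[self._next % len(self.servers)]
            self._next += 1
            if server not in unavailable:
                return server
        raise RuntimeError("no real server available in the service group")

    def select(self, url: str, down: Iterable[str] = ()) -> str:
        """Return the real server for this request.

        The first request for a hash value picks a server and records the
        assignment; later requests with the same hash value reuse it. If the
        assigned server is down, another server is chosen and the hash value
        is re-assigned to it, as the page describes for Figure 41.
        """
        hv = self.hash_value(url)
        server = self.assignment.get(hv)
        if server is None or server in set(down):
            server = self._pick_available(down)
            self.assignment[hv] = server
        return server


if __name__ == "__main__":
    sw = UrlHashSwitcher(["s1", "s2", "s3"], position="last", nbytes=3)
    for path in ("/guide.pdf", "/a/b/c/manual.pdf", "/logo.jpg", "/index.htm"):
        print(path, "->", sw.select(path))
```

Because the hashed bytes come from the client-supplied URL, every request sharing the same suffix (or prefix) lands on one server; a URL mix dominated by one extension concentrates load on a single member, which is worth keeping in mind when choosing the byte count.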

Hash Options
You can specify the following hash options:
• Bytes – Specifies how many bytes of the URL string to use to calculate the hash value.
• First or last – Specifies which end of the URL string to use to calculate the hash value.
The example in Figure 41 calculates hash values based on the last 3 bytes of the URL strings.

Configuring URL Hashing
The following sections show how to configure URL hashing.

USING THE GUI
1. Access the configuration tabs for the template. (See “HTTP Template Configuration” on page 106.)
2. Click the App Switching tab.
3. Select the URL Hash checkbox. This activates the configuration fields.
4. To set the hashing granularity:
   a. Select the position in the URL upon which to calculate the hash value.
   b. Enter the number of bytes to use for calculating the hash value.
5. Click OK.

USING THE CLI
Enter the following command at the configuration level for the HTTP template:
url-hash-persist {first | last} bytes

CLI Example
The following commands implement the URL hashing configuration shown in Figure 41 on page 109.

The following commands configure the HTTP template:
AX(config)#slb template http hash
AX(config-HTTP template)#url-hash-persist last 3
AX(config-HTTP template)#url-switching ends-with .htm
AX(config-HTTP template)#exit

The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group sg1
AX(config-slb virtual server-slb virtua...)#template http hash

URL / Host Switching
The AX device supports multiple service groups. URL / host switching enables an AX device to select a service group based on the URL or domain name in a client’s GET request. The selection overrides the service group configured on the virtual port. You can configure an HTTP template with one of the following service-group switching options:
• URL switching – Selects a service group based on the URL path in the GET line of the HTTP request’s header
• Host switching – Selects a service group based on the domain name in the Host field of the HTTP request’s header

Note: If you plan to use URL / host switching along with cookie persistence, you must enable the match-type service-group option in the cookie persistence template. (See “Using URL / Host Switching along with Cookie Persistence” on page 115.)

Figure 42 shows an example of URL switching.

FIGURE 42 URL Switching

In this example, the AX device is configured to use separate service groups for URLs in the www.example.com domain. The real servers in service group sg-abc provide content for www.example.com/abc. Likewise, the real servers in service group sg-123 provide content for www.example.com/123.

URL switching rules configured on the AX device select a service group based on the beginning of the URL on the GET line of client requests. Requests for URLs that begin with “/abc” are sent to service group sg-abc. Likewise, requests for URLs that begin with “/123” are sent to service group sg-123.

Note: An HTTP template can be configured with only one type of service-group switching, URL switching or host switching.

Match Options
URL / host switching selects a service group based on rules that map part of the URL string or host (domain name) to the service group. You can use the following match options in URL / host switching rules:
• Starts-with string – matches only if the URL or host name starts with the specified string.
• Contains string – matches if the specified string appears anywhere within the URL or host name.
• Ends-with string – matches only if the URL or host name ends with the specified string.

These match options are always applied in the following order, regardless of the order in which the rules appear in the configuration.
• Starts-with
• Contains
• Ends-with
The service group for the first match is used.

If a template has more than one rule with the same option (starts-with, contains, or ends-with) and a URL or host name matches on more than one of them, the most-specific match is always used. For example, if a template has the following rules, requests for host “www.ddeeff.org” will always be directed to service group http-sgf:
host-switching contains d service-group http-sgd
host-switching contains dd service-group http-sge
host-switching contains dde service-group http-sgf

If you use the starts-with option with URL switching, use a slash in front of the URL string. For example:
url-switching starts-with /urlexample service-group http-sg1
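The rule evaluation just described, as an added example in Python (not A10 code): the three options are applied in their fixed order regardless of configuration order, and among rules of one option the most specific match wins. "Most specific" is taken here to mean the longest matching string, which is an assumption; the request-parsing helper and the sample request are also constructed for the example.

```python
"""Rule evaluation for URL / host switching (added example, not A10 code)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SwitchRule:
    option: str          # "starts-with" | "contains" | "ends-with"
    string: str          # url-string or host-string from the rule
    service_group: str   # service group selected when the rule matches


# Fixed evaluation order from the page, independent of configuration order.
OPTION_ORDER = ("starts-with", "contains", "ends-with")


def rule_matches(rule: SwitchRule, subject: str) -> bool:
    if rule.option == "starts-with":
        return subject.startswith(rule.string)
    if rule.option == "contains":
        return rule.string in subject
    if rule.option == "ends-with":
        return subject.endswith(rule.string)
    raise ValueError(f"unknown match option {rule.option!r}")


def select_service_group(rules: List[SwitchRule], subject: str, default: str) -> str:
    """Apply the options in fixed order and return the service group of the
    most specific match (assumed: the longest matching string). When no rule
    matches, the virtual port's own service group (default) is used."""
    for option in OPTION_ORDER:
        hits = [r for r in rules if r.option == option and rule_matches(r, subject)]
        if hits:
            return max(hits, key=lambda r: len(r.string)).service_group
    return default


def request_subject(raw_request: str, mode: str) -> str:
    """Pull the switching subject out of an HTTP request: the URL on the GET
    line for URL switching, or the Host field value (lower-cased, any :port
    stripped) for host switching."""
    lines = raw_request.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    if mode == "url":
        return target
    if mode != "host":
        raise ValueError("mode must be 'url' or 'host'")
    for line in lines[1:]:
        if not line:             # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().rsplit(":", 1)[0]
    return ""


if __name__ == "__main__":
    host_rules = [SwitchRule("contains", "d", "http-sgd"),
                  SwitchRule("contains", "dd", "http-sge"),
                  SwitchRule("contains", "dde", "http-sgf")]
    print(select_service_group(host_rules, "www.ddeeff.org", "sg-default"))  # http-sgf
```

Note that the ends-with rule in the test below is listed first in the configuration yet loses to a starts-with rule, which is exactly the ordering the page describes.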

Configuring URL / Host Switching
The following sections show how to configure URL / host switching.

USING THE GUI
1. Access the configuration tabs for the template. (See “HTTP Template Configuration” on page 106.)
2. Click the App Switching tab.
3. Select the type of switching, URL or Host. This activates configuration fields for the type of switching you select.
4. For URL switching:
   a. In the Match Type drop-down list, select the match option to use.
   Note: The “Match” match option is a deprecated version of the “Contains” option. Use “Contains” instead of “Match”.
   b. In the URL field, enter the URL.
   c. In the Service Group drop-down list, select the service group to which to send client requests.
5. For host switching:
   a. In the Match Type drop-down list, select the match option to use.
   Note: The “Match” match option is a deprecated version of the “Contains” option. Use “Contains” instead of “Match”.
   b. In the Host field, enter the domain name.
   c. In the Service Group drop-down list, select the service group to which to send client requests.
6. Click Add.
7. Click OK. The HTTP template list reappears.

USING THE CLI
Enter one of the following commands at the configuration level for the HTTP template:
url-switching {starts-with | contains | ends-with} url-string service-group service-group-name

host-switching {starts-with | contains | ends-with} host-string service-group service-group-name

CLI Example
The following commands implement the URL switching configuration shown in Figure 42 on page 112.

The following commands configure the HTTP template:
AX(config)#slb template http urlswitch
AX(config-HTTP template)#url-switching starts-with abc service-group sg-abc
AX(config-HTTP template)#url-switching starts-with 123 service-group sg-123
AX(config-HTTP template)#exit

The following commands bind the HTTP template and service group sg-abc to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlswitch
AX(config-slb virtual server-slb virtua...)#service-group sg-abc

The following commands bind the HTTP template and service group sg-123 to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlswitch
AX(config-slb virtual server-slb virtua...)#service-group sg-123

Using URL / Host Switching along with Cookie Persistence
The AX device supports use of URL / host switching and cookie persistence in the same SLB configuration. However, to enable this support, you must enable the match-type service-group option in the cookie persistence template.

By default, the service-group option is disabled in cookie persistence templates. In this case, URL switching or host switching is used only for the initial request from a client. After the initial request, the same service group is always used for subsequent requests from the same client.

To continue using URL switching or host switching to select a service group for each request, enable the service-group option in the cookie persistence template. In this case, for each request from the client, the AX device first selects a service group. Then, after a service group is selected, a real server and port are selected within the service group. Figure 43 shows an example.

FIGURE 43 URL Switching with Cookie Persistence

In this example, URL switching and cookie persistence are both configured, and the service-group option is enabled in the cookie persistence template. For each client request, URL switching selects a service group first, then uses information in the cookie to select the real server and port within the service group.

• If the client’s request does not have a persistence cookie that includes the selected service group, the AX device uses SLB to select a server, then inserts a persistence cookie into the reply from the server. The cookie includes the service group name.
• If the client’s request already has a persistence cookie containing the name of the selected service group, the AX device uses the information in the cookie to select the same server within the service group.

Even though URL switching does not always select the same service group, the same server within the selected service group is always selected. For example, the first time service group sgabc is selected by URL switching, the AX device inserts a cookie into the server's reply, to ensure that the same server is used the next time URL switching selects sgabc. The first time service group sg123 is selected by URL switching, the AX device inserts a second cookie into the server’s reply, to ensure that the same server is used the next time URL switching selects sg123.

Cookie Persistence Match-Type Options
When cookie persistence is configured, the AX device adds a persistence cookie to the server reply before sending the reply to the client. The client’s browser re-inserts the cookie into each request. The format of the cookie depends on the match-type setting:

• match-type (port) – This is the default setting. Subsequent requests from the client will be sent to the same real port on the same real server. URL switching or host switching is used only for the first request. The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport=rserverIP_rport
The vport is the virtual port number. The rserverIP is the real server IP address and the rport is the real server port number.
Note: The port option is shown in parentheses because the CLI does not have a “port” keyword. If you do not set the match type to server (see below), the match type is automatically “port”.

• match-type server – Subsequent requests from the client for the same VIP will be sent to the same real server, provided that all virtual ports of the VIP use the same cookie persistence template with match-type set to server. URL switching or host switching is used only for the first request. The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename=rserverIP

• match-type (port) service-group – Subsequent requests from the client will be sent to the same real port on the same real server, within the service group selected by URL switching or host switching. URL switching or host switching is still used for every request. The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport

• match-type server service-group – Subsequent requests from the client for the same VIP will be sent to the same real server, within the service group selected by URL switching or host switching. URL switching or host switching is still used for every request. The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-servicegroupname=rserverIP

Note: For security, address information in the persistence cookies is encrypted.

USING THE CLI
To enable the service-group option, use the following command at the configuration level for the cookie persistence template:
[no] match-type {server [service-group] | service-group}
The default granularity is port-level granularity as described above. (There is no port keyword.)

To use the service-group option with port-level granularity, enter the following command:
match-type service-group

To use the service-group option with server-level granularity, enter the following command:
match-type server service-group

CLI Example
The following commands configure a cookie persistence template named “persist-cookie-sg” and enable port-level persistence with support for URL switching or host switching:
AX(config)#slb template persist cookie persist-cookie-sg
AX(config-cookie persistence template)#name SGCookie
AX(config-cookie persistence template)#match-type service-group
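The four cookie formats above and the per-service-group selection logic of Figure 43, as an added Python example that is not A10 code. The service group members, the round-robin server pick and the clear-text cookie values are constructed for the example: the page says the device encrypts the address information, which this model leaves out. The check that a presented cookie value is a current member of the selected group is an added safeguard, not something the page states.

```python
"""Cookie persistence with the service-group match-type options (added example, not A10 code)."""
from typing import Dict, List, Optional, Tuple

MATCH_TYPES = ("port", "server", "port-service-group", "server-service-group")


def cookie_name(base: str, match_type: str, vport: int, service_group: str) -> str:
    """Name of the persistence cookie for each match-type setting (formats from the page)."""
    if match_type == "port":
        return f"{base}-{vport}"
    if match_type == "server":
        return base
    if match_type == "port-service-group":
        return f"{base}-{vport}-{service_group}"
    if match_type == "server-service-group":
        return f"{base}-{service_group}"
    raise ValueError(f"unknown match-type {match_type!r}")


def cookie_value(match_type: str, rserver_ip: str, rport: int) -> str:
    """rserverIP_rport for port-level granularity, rserverIP for server-level."""
    if match_type in ("port", "port-service-group"):
        return f"{rserver_ip}_{rport}"
    return rserver_ip


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Split a Cookie request header into name -> value."""
    cookies: Dict[str, str] = {}
    if not header:
        return cookies
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


class CookiePersistence:
    """One virtual port with URL / host switching plus cookie persistence."""

    def __init__(self, base: str, match_type: str, vport: int,
                 members: Dict[str, List[Tuple[str, int]]]):
        if match_type not in MATCH_TYPES:
            raise ValueError(f"unknown match-type {match_type!r}")
        self.base, self.match_type, self.vport = base, match_type, vport
        self.members = members            # service group -> [(rserverIP, rport), ...]
        self._rr: Dict[str, int] = {}     # round-robin pointer per group (constructed SLB)

    def _slb_pick(self, service_group: str) -> Tuple[str, int]:
        pool = self.members[service_group]
        i = self._rr.get(service_group, 0)
        self._rr[service_group] = i + 1
        return pool[i % len(pool)]

    def _known_values(self, service_group: str) -> set:
        return {cookie_value(self.match_type, ip, port) for ip, port in self.members[service_group]}

    def select(self, cookie_header: Optional[str], service_group: str) -> Tuple[str, Optional[str]]:
        """Return (server chosen, Set-Cookie header to add to the reply or None).

        A cookie is honoured only if it names the service group that URL / host
        switching just selected and its value is a current member of that group
        (membership check added here as a safeguard). Otherwise SLB picks a
        server and a new persistence cookie is inserted into the reply.
        """
        name = cookie_name(self.base, self.match_type, self.vport, service_group)
        value = parse_cookie_header(cookie_header).get(name)
        if value is not None and value in self._known_values(service_group):
            return value, None
        ip, port = self._slb_pick(service_group)
        value = cookie_value(self.match_type, ip, port)
        return value, f"Set-Cookie: {name}={value}"


if __name__ == "__main__":
    members = {"sgabc": [("10.1.1.1", 8080), ("10.1.1.2", 8080)], "sg123": [("10.2.2.1", 80)]}
    p = CookiePersistence("SGCookie", "port-service-group", 80, members)
    print(p.select(None, "sgabc"))   # first request for sgabc: server picked, cookie inserted
    print(p.select("SGCookie-80-sgabc=10.1.1.1_8080", "sg123"))  # second cookie for sg123
```

The walk-through in the test mirrors the page: the first request for sgabc gets a cookie, a later request switched to sg123 gets a second cookie, and once both cookies are present each service group keeps its own server.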

Using URL / Host Switching along with Source IP Persistence
By default, if URL / host switching is configured along with source IP persistence, the URL / host switching settings are not used. Instead, the default service group is always selected. To enable URL / host switching to be used along with source IP persistence, you must use the match-type service-group option in the source IP persistence template. For more information, see the description of the slb template persist source-ip command in the “Config Commands: SLB Templates” chapter of the AX Series CLI Reference.

URL Failover
The AX device can send an HTTP 302 Redirect message to a client when the real servers for the URL requested by the client are unavailable. Figure 44 shows an example.

FIGURE 44 URL Failover

In this example, a client sends a request for www.example.com (virtual IP address 192.168.10.10). However, this VIP is unavailable because all the real servers are failing their health checks. The AX device is configured to send an HTTP 302 Redirect message if the VIP is down, redirecting clients to www.example2.com.

By default, URL failover is not configured. To configure it, you specify the URL to which to redirect clients. Like the other HTTP options, you can apply this option to a virtual port by configuring the option in an HTTP template, and binding the template to the virtual port.

Note: The URL failover option does not affect redirect messages sent by real servers. To alter redirect messages from real servers, use the URL redirect-rewrite option instead. (See “URL Redirect Rewrite” on page 138.)

Configuring URL Failover
The following sections show how to configure URL failover.

USING THE GUI
1. Access the configuration tabs for the template. (See “HTTP Template Configuration” on page 106.)
2. In the URL Failover field of the HTTP tab, enter the URL to which to redirect clients.
3. Click OK. The HTTP template list reappears.

USING THE CLI
Enter the following command at the configuration level for the HTTP template:
failover-url url-string

CLI Example
The following commands implement the URL failover configuration shown in Figure 44 on page 119.

The following commands configure the HTTP template:
AX(config)#slb template http urlfailover
AX(config-HTTP template)#failover-url www.example2.com
AX(config-HTTP template)#exit

The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlfailover

5xx Retry and Reassignment
By default, if a real server replies to a request with a 5xx status code (for example, HTTP 503 – Service Unavailable), the AX device forwards the error to the client. HTTP templates have an option to override this behavior. You can configure the AX device to retry sending a client’s request to a service port that replies with an HTTP 5xx status code, and reassign the request to another server if the first server replies with a 5xx status code.

The AX device is allowed to reassign the request up to the configured number of retries. For example, assume that a service group has three members (s1, s2, and s3), and the retry is set to 1. In this case, if s1 replies with a 5xx status code, the AX device reassigns the request to s2. If s2 also responds with a 5xx status code, the AX device will not reassign the request to s3, because the maximum number of retries has already been used.

Depending on the 5xx retry option you configure, either the service port and server remain eligible for more client requests, or the AX device briefly stops sending client requests to the service port and server.

Note: Use of this HTTP template option also requires the strict-transaction-switch option to be used in the same HTTP template. (See “Strict Transaction Switching” on page 140.)

Note: Server re-selection is not performed if Layer 3 features such as PBSLB or source-IP persistence are configured on the virtual port. These features override the server re-selection.

USING THE CLI
To configure server re-selection if a real server repeatedly replies with 5xx status codes, use one of the following commands at the configuration level for the HTTP template.
[no] retry-on-5xx-per-req num
[no] retry-on-5xx num

The first command continues to use the service port and server for client requests, even after a reassignment has occurred. The second command briefly stops using the service port and server after a reassignment occurs. An HTTP template can contain only one of the commands shown above.

The num option specifies the number of times the AX device will resend the request to the server before assigning the request to another server. You can specify 1-3 retries. The default is 3.

CLI Example
The following commands configure an HTTP template to reselect a server if the initially selected server responds 4 times to a client’s request with a 5xx status code. The AX device briefly stops using the service port and server following reassignment.
AX(config)#slb template http 5xxretry
AX(config-HTTP)#strict-transaction-switch
AX(config-HTTP)#retry-on-5xx

Content Compression
Most types of real servers are able to compress media (content) before sending it to clients. Compression reduces the amount of bandwidth required to send content to clients. Although compression optimizes bandwidth, compression also can sometimes actually hinder overall website performance, if the real servers spend a lot of their CPU resources performing the compression.

To maximize the benefits of content compression, you can enable the AX device to perform compression for the real servers. Compression is disabled by default. When you enable it, the AX device compresses media of types “text” and “application” by default. You can configure the AX device to compress additional media types. You also can configure the AX device to exclude specific media types and even specific URIs from compression.

Accept-Encoding Field
An HTTP request from clients usually contains an Accept-Encoding field in the header. This field indicates to the real server whether the client is willing to accept compressed content.

If compression is enabled on the real server, the real server will compress content before sending it to a client. For example, if the client’s request contains the Accept-Encoding field with the “compress” value for the requested content type, the server compresses the content before sending it in the reply.

By default, when you enable compression on the AX device, the device removes the entire Accept-Encoding field from the request before sending the request to the server. As a result, the server does not compress the content. The AX device compresses the content, then sends the reply with the compressed content to the client.

If you still want the server to compress some content, you can configure the AX device to leave the Accept-Encoding field unchanged. In this case, if the server is configured to perform the compression, compression is performed by the real server instead of the AX device. The AX device can still compress content that the real server does not compress.

Compression Level
The AX device supports compression levels 1-9, beginning with level 1, which provides the fastest compression speed but with the lowest compression ratio. Each level provides a higher compression ratio. A higher compression ratio results in a smaller file size after compression. However, higher compression levels also require more CPU processing than lower compression levels, so performance can be affected. The default compression level is 1, which provides the lowest compression ratio.

Note: The actual performance impact of a given compression level depends on the content being compressed. For example, if the content has a lot of repeated string patterns (for example, XML files), compression is faster than it is for content with few repeated string patterns (for example, graphics).

Hardware-Based Compression
Hardware-based compression is available using an optional hardware module in new AX devices, on the following models: AX 2100, AX 2200, AX 3100, and AX 3200.

Note: Installation of the compression module into AX devices in the field is not supported. Contact A10 Networks for information on obtaining an AX device that includes the module.

Hardware-based compression is disabled by default. When you enable it, all compression settings configured in HTTP templates, except the compression level, are used. The module always uses the same compression level, regardless of the compression level configured in an HTTP template.

Note: Hardware-based compression is automatically set on the module and can not be set using a template.

How the AX Device Determines Whether to Compress a File
The AX device uses the following process to determine whether to compress a file before sending it to a client.

FIGURE 45 Content Compression

Note: If the AX device is configured to leave the Accept-Encoding field unchanged, and the real server has already compressed the file, the AX device forwards the compressed file without recompressing it.
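The decision that Figure 45 depicts, written out as an added Python example (not A10 code) using the template options this chapter lists: compression enable, keep-accept-encoding, level, minimum-content-length, content-type / exclude-content-type and exclude-uri. Three assumptions are made because the page does not state them: gzip is the content coding applied, a media type matches an include or exclude string by prefix, and an exclude string overrides a broader include (the chapter's own example excludes "application/zip" while "application" stays included). The response headers and body are constructed.

```python
"""Compression decision and Accept-Encoding handling (added example, not A10 code)."""
import gzip
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CompressionTemplate:
    enable: bool = False
    keep_accept_encoding: bool = False
    level: int = 1                       # 1-9, default 1 (software compression only)
    minimum_content_length: int = 120    # bytes, default 120
    content_types: List[str] = field(default_factory=lambda: ["text", "application"])
    exclude_content_types: List[str] = field(default_factory=list)
    exclude_uris: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.level <= 9:
            raise ValueError("compression level must be 1-9")
        if len(self.exclude_uris) > 10 or any(not 1 <= len(u) <= 31 for u in self.exclude_uris):
            raise ValueError("up to 10 exclude-uri strings of 1-31 characters")


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def prepare_request_headers(tmpl: CompressionTemplate, headers: Dict[str, str]) -> Dict[str, str]:
    """Request as forwarded to the real server: Accept-Encoding is removed
    unless keep-accept-encoding is set, so the server leaves content uncompressed."""
    out = dict(headers)
    if tmpl.enable and not tmpl.keep_accept_encoding:
        for name in list(out):
            if name.lower() == "accept-encoding":
                del out[name]
    return out


def _type_matches(media_type: str, patterns: List[str]) -> bool:
    # Assumption: "text" matches "text/html", "application/zip" matches itself.
    mt = media_type.split(";")[0].strip().lower()
    return any(mt.startswith(p.lower()) for p in patterns)


def should_compress(tmpl: CompressionTemplate, uri: str, client_accept_encoding: Optional[str],
                    response_headers: Dict[str, str], body_len: int) -> bool:
    """Walk the checks behind Figure 45 and return True if the AX device compresses."""
    if not tmpl.enable:
        return False
    if "gzip" not in (client_accept_encoding or "").lower():
        return False                      # client did not offer the coding (assumption: gzip)
    if _get_header(response_headers, "Content-Encoding") is not None:
        return False                      # server already compressed it: forward as is
    if uri in tmpl.exclude_uris:
        return False
    media_type = _get_header(response_headers, "Content-Type") or ""
    if _type_matches(media_type, tmpl.exclude_content_types):
        return False                      # exclude wins over a broader include (assumption)
    if not _type_matches(media_type, tmpl.content_types):
        return False
    return body_len >= tmpl.minimum_content_length


def compress_response(tmpl: CompressionTemplate, uri: str, client_accept_encoding: Optional[str],
                      response_headers: Dict[str, str], body: bytes) -> Tuple[Dict[str, str], bytes]:
    """Return the (headers, body) sent to the client, gzip-compressed at the template level when eligible."""
    if not should_compress(tmpl, uri, client_accept_encoding, response_headers, len(body)):
        return dict(response_headers), body
    compressed = gzip.compress(body, compresslevel=tmpl.level)
    out = dict(response_headers)
    out["Content-Encoding"] = "gzip"
    out["Content-Length"] = str(len(compressed))
    return out, compressed


if __name__ == "__main__":
    tmpl = CompressionTemplate(enable=True, level=5, content_types=["text", "application", "image"],
                               exclude_content_types=["application/zip"], exclude_uris=["/health"])
    page = b"<p>hello world</p>" * 40                      # constructed 720-byte body
    hdrs, body = compress_response(tmpl, "/index.html", "gzip, deflate",
                                   {"Content-Type": "text/html; charset=utf-8"}, page)
    print(hdrs, len(page), "->", len(body))
```

The Accept-Encoding check is the piece most often missed: with the default behaviour the field never reaches the real server, so the server cannot compress, and the device compresses only what the client actually offered to accept.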

Configuring Content Compression
The following sections show how to configure content compression.

USING THE GUI
1. Access the configuration tabs for the HTTP template. (See “HTTP Template Configuration” on page 106.)
2. Click the Compression Type tab.
3. Click Enabled next to Compression Flag.
4. To keep the Accept-Encoding field in client requests, select Enabled next to Compression Keep Accept Encoding. Otherwise, to remove the field, leave this option disabled.
5. To specify the minimum content length that is eligible for compression, enter the minimum number of bytes the content must be in the Compression Content Length field.
6. To add more content types to be compressed:
   a. Click Add.
   b. In the Type field, enter the string for a content type to compress.
   c. Click OK.
   d. Repeat step b and step c for each type of content to compress.
7. Click OK.

If your AX device supports hardware-based compression, enable the feature:
   a. Select Config > Service > SLB.
   b. On the menu bar, select Global.
   c. Select Enabled next to Hardware Compression.
   d. Click OK.

Note: If the Hardware Compression option is not present, your AX device does not contain a compression module.

USING THE CLI
To configure HTTP compression, use the following commands:

[no] slb template http template-name
Enter this command at the global configuration level of the CLI. The command changes the CLI to the configuration level for the template.

[no] compression enable
This command enables HTTP compression.

[no] compression level number
This command changes the compression level (for software-based compression only). The number option specifies the compression level and can be 1-9. The default is 1.

[no] compression minimum-content-length number
This command changes the minimum payload size that is eligible for compression. You can specify 0-2147483647 bytes. The default is 120 bytes.

[no] compression content-type content-string
[no] compression exclude-content-type content-string
These commands explicitly include or exclude specific media types for compression. By default, media types “text” and “application” are included and all other media types are excluded. The order in which content-type and exclude-content-type filters appear in the configuration does not matter.

[no] compression exclude-uri uri-string
This command excludes an individual URI from being compressed. The URI string can be 1-31 characters. An HTTP template can exclude up to 10 URI strings.

[no] compression keep-accept-encoding
This command configures the AX device to leave the Accept-Encoding field in HTTP requests from clients instead of removing the field. When keep-accept-encoding is enabled, if the server is configured to perform the compression, compression is performed by the real server instead of the AX device. The AX device compresses the content that the real server does not compress.

To display compression statistics, use the following command:
show slb http-proxy [detail]

To enable hardware-based compression (if supported on your AX device), use the following command at the global configuration level of the CLI:
[no] slb hw-compression
This option is disabled by default.

To display statistics for the feature, use the following command:
show slb hw-compression

Note: If the slb hw-compression and show slb hw-compression commands are not in the CLI, your AX device does not contain a compression module.

CLI Example
The following commands configure an HTTP template called "http-compress" that uses compression level 5 to compress files with media type "application" or "image". Files with media type "application/zip" are explicitly excluded from compression.
AX(config)#slb template http http-compress
AX(config-HTTP template)#compression enable
AX(config-HTTP template)#compression level 5
AX(config-HTTP template)#compression content-type image
AX(config-HTTP template)#compression exclude-content-type application/zip

The following command displays HTTP compression statistics. The compression counters are the last two lines of the output (Tot data before compress and Tot data after compress). The counters are in bytes and apply to all HTTP compression configured in all HTTP templates on the AX device.
AX(config-HTTP template)#show slb http-proxy
Total
------------------------------------------------------------------
Curr Proxy Conns                     58
Total Proxy Conns                    49
HTTP requests                        306
HTTP requests(succ)                  269
No proxy error                       0
Client RST                           17
Server RST                           0

No tuple error                       0
Parse req fail                       0
Server selection fail                0
Fwd req fail                         0
Fwd req data fail                    0
Req retransmit                       0
Req pkt out-of-order                 0
Server reselection                   0
Server premature close               0
Server conn made                     50
Source NAT failure                   0
Tot data before compress             1373117
Tot data after compress              404410

The following commands enable hardware-based compression and display statistics for the feature:
AX(config)#slb hw-compression
AX(config)#show slb hw-compression
Hardware compression device is installed.
Hardware compression module is enabled.
Total
------------------------------------------------------------------
total request count                  177157
total submit count                   177157
total response count                 177157
total failure count                  0
last failure code                    0
compression queue full               0
max queued submit count              68
max queued request count             84

Client IP Insertion / Replacement
Many websites find it useful to know the IP addresses of clients. When the default Network Address Translation (NAT) settings for SLB are used, the source IP address of a request received by the AX device continues to be the source IP address when the AX device sends the request to a real server. The real server therefore knows the IP addresses of its clients. (An example is shown in Figure 141 on page 483.)

However, in configurations where IP source NAT is enabled for SLB, the client’s IP address is not the source IP address in the request received by the

real server. Instead, the source IP address of the request is the address into which the AX device translated the client’s IP address.

To add the client’s IP address back to the request, you do not need to change the network configuration or NAT settings. Instead, you can simply enable the AX device to insert the client’s IP address into the header of the client’s GET request before sending the request to a real server. Figure 46 shows an example of client IP insertion.

FIGURE 46 Client IP Insertion

In this example, SLB source NAT changes the source address of the client’s GET request from 192.20.20.3 to 10.20.100.168. However, the client’s source IP address is preserved within the HTTP header of the request, by inserting the address into the X-ClientIP field.

This option inserts the client’s IP address into the X-ClientIP field by default. Optionally, you can specify another field name instead. For example, you can configure the option to insert the client IP address into the X-Forwarded-For field.

Note: To insert HTTP header fields with other types of values, or to erase fields, see “Header Insertion / Erasure” on page 133.

Replace Option

By default, the client IP address is appended to addresses already in the target header field. For example, if the header already contains “X-Forwarded-For:1.1.1.1”, the field:value pair becomes “X-Forwarded-For:1.1.1.1,2.2.2.2”. However, you can configure the AX device to replace any addresses that are already in the field. If you enable replacement of the client IP addresses, the field:value pair becomes “X-Forwarded-For:2.2.2.2”.

Configuring Client IP Insertion / Replacement

The following sections show how to enable client IP insertion / replacement.

USING THE GUI

1. Access the configuration tabs for the template. (See “HTTP Template Configuration” on page 106.)
2. On the HTTP template, select the “Header Name for Inserting Client IP” checkbox. This enables the option and displays the name of the header field to which the client IP address will be added.
3. To change the name of the field, edit the name. Otherwise, leave the field name set to the default (X-ClientIP).
4. Optionally, to replace any client addresses that are already in the header, select Replace. Without this option, the client IP address is appended to the list of client IP addresses already in the header.
5. Click OK. The HTTP template list reappears.

USING THE CLI

Enter the following command at the configuration level for the HTTP template:

insert-client-ip [http-fieldname] [replace]

The http-fieldname option specifies the HTTP field, for example: X-Forwarded-For. Without this option, the client IP address is inserted into the X-ClientIP field.

The replace option replaces any client addresses that are already in the header.

CLI Example

The following commands implement the client IP insertion configuration shown in Figure 46 on page 131.

The following commands configure the HTTP template:

AX(config)#slb template http insertclientip
AX(config-HTTP template)#insert-client-ip
AX(config-HTTP template)#exit

The following commands bind the HTTP template to virtual port 80:

AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http insertclientip

Header Insertion / Erasure

You can configure the AX device to insert, replace, or erase headers in client requests or server responses. Like other HTTP options, header insertion and erasure are configured using HTTP template options. An HTTP template can contain options to insert, replace, or erase a maximum of 8 headers. Insert and delete options can be used in the same HTTP template.

Note: The header insert, replace, and erase options described in this section are not supported with the fast-http service type. The AX device does not allow an HTTP template with any of these header options to be bound to a fast-http virtual port. Likewise, the AX device does not allow any of the

header options to be added to an HTTP template that is already bound to a fast-http virtual port.

Note: Header insertion is not supported on fast-HTTP virtual ports.

Note: To configure the AX device to insert the client’s IP address, see “Client IP Insertion / Replacement” on page 129.

Configuring Header Insertion / Replacement

To configure header insertion or replacement, specify the header (the field:value pair), and the insert or replace option. The insert / replace option can be one of the following:

• Insert-always – always inserts the field:value pair. If the packet already contains one or more headers with the specified field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• Insert-if-not-exist – inserts the header only if the packet does not already contain a header with the same field name.
• Default behavior (neither of the options above) – inserts the header. If the request already contains a header with the same field name, this option replaces the first header.

Effects of the Insert / Replace Options

Here are some examples of the effects of the insert / replace options: insert-always, insert-if-not-exist, and the default (no options). For these examples, assume that a client’s request packet already contains the following Cookie headers: “Cookie: a=1” and “Cookie: b=2”.

GET / HTTP/1.1
Host: www.example.com
Cookie: a=1
Cookie: b=2
...

Effect When insert-always Is Used

If you configure an HTTP template to insert “Cookie: c=3”, and you use the insert-always option, the client’s header is changed as follows:

GET / HTTP/1.1
Host: www.example.com
Cookie: a=1
Cookie: b=2
Cookie: c=3
...

Effect When insert-if-not-exist Is Used

If you configure an HTTP template to insert “Cookie: c=3”, and you use the insert-if-not-exist option, the client’s header is changed only if it does not contain any “Cookie” headers. Therefore, the client request in this example is unchanged:

GET / HTTP/1.1
Host: www.example.com
Cookie: a=1
Cookie: b=2
...

Effect When Default Behavior (Neither Option Above) Is Used

If you configure an HTTP template to insert “Cookie: c=3”, but you do not use either the insert-always or insert-if-not-exist option, the header is always inserted into the request. If the packet already contains a “Cookie” header, the header is replaced. If the packet contains multiple “Cookie” headers, the first one is replaced. Here is the result:

GET / HTTP/1.1
Host: www.example.com
Cookie: c=3
Cookie: b=2
...

USING THE GUI

1. Access the configuration tabs for the template. (See “HTTP Template Configuration” on page 106.)
2. Click on the Header Insert tab to display its fields.
3. To insert a request header:
a. In the Request section of the tab, enter the name:value pair in the Name field.
b. By default, if a packet already contains one or more headers with the specified field name, the command replaces the first header. Optionally, to change this behavior, select one of the following options from the drop-down list next to the Name field:
• Insert Always – The AX device always inserts the field:value pair. If the packet already contains one or more headers with the specified field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• Insert if not already present – The AX device inserts the header only if the packet does not already contain a header with the same field name.

c. Click Add.
4. To insert a response header, follow the same steps as those for inserting a request header, but use the Response section of the tab.
5. Click OK. The HTTP template list reappears.

USING THE CLI

To insert a header, use the following command:

[no] request-header-insert field:value [insert-always | insert-if-not-exist]

The field:value pair indicates the header field name and the value to insert.

• By default, if a packet already contains one or more headers with the specified field name, the command replaces the first header.
• If you use the insert-always option, the command always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• If you use the insert-if-not-exist option, the command inserts the header only if the packet does not already contain a header with the same field name.

To insert a field:value pair into response headers, use the following command:

[no] response-header-insert field:value [insert-always | insert-if-not-exist]

CLI Examples

The following command configures an HTTP template that inserts “Cookie: c=3” into every HTTP request. If the request already contains “Cookie” headers, the first header is replaced.

AX(config)#slb template http replace-cookie
AX(config-HTTP template)#request-header-insert "Cookie: c=3"

The following command configures an HTTP template that always inserts “Cookie: c=3” into HTTP requests. The “Cookie: c=3” header is added after any “Cookie” headers that are already present in the request, but does not replace other “Cookie” headers.

AX(config)#slb template http add-cookie
AX(config-HTTP template)#request-header-insert "Cookie: c=3" insert-always

The following command configures an HTTP template that inserts “Cookie: c=3” into HTTP requests, but only if the requests do not already have a “Cookie” header.

AX(config)#slb template http add-cookie-unless-present
AX(config-HTTP template)#request-header-insert "Cookie: c=3" insert-if-not-exist

Configuring Header Erasure

The following sections show how to erase headers from HTTP requests or responses.

USING THE GUI

1. Access the configuration tabs for the template. (See “HTTP Template Configuration” on page 106.)
2. Click on the Header Erase tab to display its fields.
3. To erase a request header:
a. In the Request section of the tab, enter the field name (the name portion of the name:value pair) in the Name field.
b. Click Add.
4. To erase a response header, follow the same steps as those for erasing a request header, but use the Response section of the tab.
5. Click OK. The HTTP template list reappears.

USING THE CLI

To erase a header from requests, use the following command:

[no] request-header-erase field

The field value specifies the header name.

To erase a header from responses, use the following command:

[no] response-header-erase field
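The header options described in this section and in “Client IP Insertion / Replacement” above can be modelled in a few lines. The following Python is an added illustration written for this guide, not A10 code; it assumes case-insensitive header-name matching and uses the constructed sample request shown in the block.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # (field name, value), kept in wire order


def parse_request(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw request head into the request line and its header list."""
    lines = raw.strip("\r\n").split("\n")
    request_line = lines[0].rstrip("\r")
    headers: List[Header] = []
    for line in lines[1:]:
        line = line.rstrip("\r")
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def render(request_line: str, headers: List[Header]) -> str:
    """Serialize the head back to wire format."""
    return "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n"


def _positions(headers: List[Header], field: str) -> List[int]:
    # Assumption: field names compare case-insensitively, as in HTTP.
    return [i for i, (n, _) in enumerate(headers) if n.lower() == field.lower()]


def header_insert(headers: List[Header], field: str, value: str,
                  mode: Optional[str] = None) -> List[Header]:
    """request-header-insert "field: value" [insert-always | insert-if-not-exist].

    mode None reproduces the default behaviour: replace the first existing header.
    """
    out = list(headers)
    existing = _positions(out, field)
    if mode == "insert-if-not-exist":
        if not existing:
            out.append((field, value))
        return out
    if mode == "insert-always" or not existing:
        # The new pair goes right after the last existing pair with that name,
        # or at the end of the header block when there is none.
        at = existing[-1] + 1 if existing else len(out)
        out.insert(at, (field, value))
        return out
    out[existing[0]] = (field, value)     # default: replace the first header
    return out


def header_erase(headers: List[Header], field: str) -> List[Header]:
    """request-header-erase / response-header-erase field: drop every header of that name."""
    return [(n, v) for n, v in headers if n.lower() != field.lower()]


def insert_client_ip(headers: List[Header], client_ip: str,
                     field: str = "X-ClientIP", replace: bool = False) -> List[Header]:
    """insert-client-ip [http-fieldname] [replace].

    Without replace the client address is appended to the list already in the
    field ("1.1.1.1" becomes "1.1.1.1,2.2.2.2"); with replace it overwrites it.
    """
    out = list(headers)
    existing = _positions(out, field)
    if not existing:
        out.append((field, client_ip))
        return out
    name, current = out[existing[0]]
    out[existing[0]] = (name, client_ip if replace else f"{current},{client_ip}")
    return out


# Constructed request matching the Cookie example in the guide.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: a=1\r\n"
    "Cookie: b=2\r\n"
    "\r\n"
)


def demo() -> dict:
    """Apply each insert mode to the sample request; returns the resulting header lists."""
    _, headers = parse_request(SAMPLE_REQUEST)
    return {
        "insert-always": header_insert(headers, "Cookie", "c=3", "insert-always"),
        "insert-if-not-exist": header_insert(headers, "Cookie", "c=3", "insert-if-not-exist"),
        "default": header_insert(headers, "Cookie", "c=3"),
    }


if __name__ == "__main__":
    line, _ = parse_request(SAMPLE_REQUEST)
    for mode, hdrs in demo().items():
        print(f"--- {mode} ---")
        print(render(line, hdrs))
```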

CLI Example

The following command removes the Set-Cookie header from HTTP responses:

AX(config-HTTP template)#response-header-erase Set-Cookie

URL Redirect Rewrite

The AX device can be configured to alter redirect messages sent by real servers. You can use redirect-rewrite options to make the following types of changes:

• URL change – You can change the URL before sending the redirect to the client. For example, if the real server redirects the client to http://www.example1.com, you change the URL to http://www.example2.com.
• Secure redirection – You can change an unsecure redirect (HTTP) to a secure one (HTTPS). For example, if the real server redirects the client to http://www.example1.com, you change the URL to https://www.example1.com.

You can use one or both options.

Redirect-Rewrite Rule Matching

If a URL matches on more than one redirect-rewrite rule within the same HTTP template, the AX device selects the rule that has the most specific match to the URL. For example, if a server sends redirect URL 66.1.1.222/000.html, and the HTTP template has the redirect-rewrite rules shown below, the AX device will use the last rule because it is the most specific match to the URL:

slb template http 1
  redirect-rewrite match /00 rewrite-to http://66.1.1.202/a
  redirect-rewrite match /000.html rewrite-to /001.html
  redirect-rewrite match 66.1.1.222/000.html rewrite-to 66.1.1.202/003.gif

Configuring URL Redirect Rewrite

USING THE GUI

1. Access the configuration tabs for the template. (See “HTTP Template Configuration” on page 106.)
2. Click the Redirect Rewrite tab.

3. To change the URL:
a. In the Pattern field, enter the URL string to be changed.
b. In the Redirect To field, enter the new URL.
4. To change “http://” to “https://”:
a. Select Enable next to HTTPS Rewrite.
b. To change the SSL port number, edit the number in the field. (The default is 443.)
5. Click OK.

USING THE CLI

To change the URL in redirect messages from servers, enter the following command at the configuration level for the HTTP template:

redirect-rewrite match url-string rewrite-to url-string

To change “http://” to “https://”, enter the following command at the configuration level for the HTTP template:

redirect-rewrite secure {port tcp-portnum}

The default SSL port number (tcp-portnum) is 443. If you do not specify a port number, the AX device does not include a port number in the URL. In this case, the client browser adds the SSL port number when sending a request to the redirect URL. If you do specify the port number, the AX device includes the port number in the redirect URL.

CLI Example

The following commands configure the AX device to change unsecure URLs to secure URLs in redirect messages. Redirect URLs that begin with “http://” are changed to “https://”. The URLs in the redirect messages are otherwise unchanged.

The following commands configure the HTTP template:

AX(config)#slb template http secureredirect
AX(config-HTTP template)#redirect-rewrite secure
AX(config-HTTP template)#exit

The following commands bind the HTTP template to virtual port 80:

AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http secureredirect

Strict Transaction Switching

By default, the AX device performs server selection once for a client session. After the initial selection, all requests within that session are automatically sent to the same real server. A new server is selected during the session only if the server that was originally selected is no longer available.

The strict transaction switching option forces the AX device to perform server selection for each request within every session. If the load among real servers appears to be unbalanced, you can enable strict transaction switching to rebalance the load, and disable the option once the server load is rebalanced.

Note: Use this option only if needed. This option makes server selection much more granular but also uses more AX system resources.

Enabling Strict Transaction Switching

The following sections show how to enable strict transaction switching.

USING THE GUI

1. Access the configuration tabs for the template. (See “HTTP Template Configuration” on page 106.)
2. On the HTTP tab, select Enabled next to Strict Transaction Switch.
3. Click OK. The HTTP template list reappears.

USING THE CLI

To enable strict transaction switching, enter the following command at the configuration level for the HTTP template:

strict-transaction-switch
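As an added illustration of the URL Redirect Rewrite section above (not A10 code), the following Python applies redirect-rewrite rule selection and the secure option to the Location value of a server redirect. It assumes that “most specific match” means the longest match string found in the URL, that the rewrite-to string replaces the whole redirect URL, and that the URL change is applied before the secure change.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

Rule = Tuple[str, str]   # (match url-string, rewrite-to url-string)

# The redirect-rewrite rules of the "slb template http 1" rule-matching example.
RULES: List[Rule] = [
    ("/00", "http://66.1.1.202/a"),
    ("/000.html", "/001.html"),
    ("66.1.1.222/000.html", "66.1.1.202/003.gif"),
]


def select_rule(url: str, rules: List[Rule]) -> Optional[Rule]:
    """Pick the rule whose match string is the most specific match for the URL.

    Assumption: "most specific" is the longest match string contained in the
    URL; on a tie the rule configured first wins.
    """
    best: Optional[Rule] = None
    for rule in rules:
        if rule[0] in url and (best is None or len(rule[0]) > len(best[0])):
            best = rule
    return best


def rewrite_url(url: str, rules: List[Rule]) -> str:
    """redirect-rewrite match ... rewrite-to ...: the selected rule's rewrite-to
    string replaces the redirect URL (assumption); no match leaves it unchanged."""
    rule = select_rule(url, rules)
    return rule[1] if rule else url


def secure_rewrite(url: str, port: Optional[int] = None) -> str:
    """redirect-rewrite secure [port tcp-portnum].

    Only URLs beginning with "http://" are changed. With no port configured the
    URL carries no port number (the browser adds the SSL port itself); with a
    port configured it is written into the URL.
    """
    if not url.startswith("http://"):
        return url
    parts = urlsplit(url)
    netloc = parts.netloc if port is None else f"{parts.hostname}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_redirect(headers: List[Tuple[str, str]], rules: List[Rule],
                     secure: bool = False, port: Optional[int] = None) -> List[Tuple[str, str]]:
    """Apply one or both options to the Location header of a server redirect."""
    out = []
    for name, value in headers:
        if name.lower() == "location":
            value = rewrite_url(value, rules)
            if secure:
                value = secure_rewrite(value, port)
        out.append((name, value))
    return out


if __name__ == "__main__":
    print(rewrite_url("66.1.1.222/000.html", RULES))       # last rule wins
    print(secure_rewrite("http://www.example1.com"))        # https://www.example1.com
    print(secure_rewrite("http://www.example1.com", 8443))  # https://www.example1.com:8443
```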

FTP Load Balancing

This chapter describes how to configure SLB for FTP services.

Overview

FTP load balancing optimizes the download experience for clients by balancing FTP traffic across servers in a server farm. You can provide clients with a single, published virtual IP address for large files, and serve the files from a set of real servers. Figure 47 shows an example of an FTP load balancing solution.

FIGURE 47 FTP Load Balancing

In this example, FTP files are served by three real servers, ftp-2, ftp-3, and ftp-4. Each server has the same set of files available for download. One of the servers also provides the HTML pages for the download site. The AX Series device sends all HTTP requests to server ftp-2, and balances FTP requests among servers ftp-2, ftp-3, and ftp-4. The AX device supports both the passive and port FTP modes.

This example assumes that the servers have equivalent capacity and performance. However, the differing weights compensate for the greater load to be placed on the server that is handling the HTTP requests. By assigning a weight to a real server and using a weighted load-balancing metric, you can bias load-balancing decisions to favor that server. To provide weighted load balancing as described above, the load-balancing method is changed from the default, round robin, to weighted round robin.

Service Groups

This example uses a single service group containing all three servers. In this example, the load balancing method is changed from the default (round robin) to weighted round robin.

Templates

In this example, two TCP templates are required. This example does not include configuration of server or port templates, so the default templates and their settings are applied.

• For HTTP, the default TCP template is used. The AX device automatically binds this template to a virtual TCP port on a virtual server when you create the port, unless you explicitly bind another TCP template to the virtual port instead. The default HTTP template is assigned to the virtual HTTP port by default. You do not need to explicitly bind this template to the HTTP port on the virtual server. In this example, you do not need to configure a different HTTP template or change settings in the default one. The parameters in the default HTTP template are unset by default.
• For FTP, a custom TCP template is required, with the idle time set to a high value, to prevent FTP download sessions from timing out if they pause for a while. This custom TCP template must be explicitly bound to the virtual FTP port on the virtual server. In this case, the custom template is used instead of the default TCP template.

For more information about templates, see the following:

• “Service Template Parameters” on page 599
• “Server and Port Templates” on page 281

Health Monitors

This example uses the following health monitors to check the real servers:

• Ping – Tests Layer 3 connectivity to the servers. The Ping health monitor is already configured by default, and is enabled by default when you add the real server.
• HTTP – Tests the HTTP port by requesting a Web page from the port. In this example, the default settings are used: Every 30 seconds, the AX device sends an HTTP Get request for the index.html page.
• FTP – Tests the FTP port by sending a login request to the port. In this example, the default settings are used: Every 30 seconds, the AX device sends an anonymous FTP login request to port 21.

The HTTP and FTP monitors must be configured and applied to the real server ports.

The AX device has default Layer 4 health checks it uses to test the TCP and UDP transport layers. This configuration also uses those health checks. (For information, see “Default Health Checks” on page 297.)

Configuring FTP Load Balancing

To configure FTP load balancing:

1. Configure HTTP and FTP health methods, to use for checking the health of the HTTP and FTP ports on the servers.
2. Configure the real servers:
a. For the server that will serve the Web pages, add the server’s HTTP port and enable health checking of the port, using the HTTP health method configured in step 1.
b. For each server, add its FTP port and enable health checking of the port, using the FTP health method configured in step 1.

c. Assign weight 80 to the HTTP/FTP server. Assign weight 100 to each of the FTP servers that will not also be handling HTTP. These weights will cause the AX device to select the HTTP/FTP server for FTP only 80% as often as each of the other servers.
3. Configure a TCP template and set the idle time in the template to a high value.
4. Configure a service group for HTTP and add the HTTP server to it.
5. Configure another service group for FTP and add the FTP servers to it.
6. Configure the virtual server:
a. Add TCP ports for HTTP and FTP.
b. Bind the HTTP port to the HTTP service group.
c. Bind the FTP port to the FTP service group and to the TCP template.

USING THE GUI

To configure the health monitors

1. Select Config > Service > Health Monitor.
2. Click Add.
3. On the Health Monitor tab, enter a name for the monitor in the Name field.
4. Click the Method tab to display the Method tab.
5. On the Method tab, select HTTP from the Type drop-down list.
6. Click OK. The new health monitor appears in the health monitor table.
7. Repeat step 2 through step 6 to configure the FTP health monitor. In step 5, select FTP instead of HTTP.

FIGURE 48 Config > Service > Health Monitor (for HTTP monitor)

FIGURE 49 Config > Service > Health Monitor - Method tab (for FTP monitor)

FIGURE 50 Config > Service > Health Monitor (showing configured health monitors)

To configure the real servers

1. Select Config > Service > SLB.
2. Select Server on the menu bar.
3. Click Add.
4. On the General tab, enter a name for the server in the Name field.
5. Enter the IP address of the server in the IP Address field.
6. Change the weight by editing the number in the Weight field. In this example, change the weight for the HTTP/FTP server to 80 and change the weights of the two other FTP servers to 100.
7. On the Port tab, enter the HTTP (or FTP) port number in the Port field.
8. Leave the transport protocol set to TCP.
9. In the Health Monitor drop-down list, select the HTTP or FTP health monitor you configured in “To configure the health monitors” on page 144. (Select the monitor that matches the port type, HTTP or FTP.)
10. Click Add. The new port appears in the port list.
11. Click OK. The new server appears in the server table.
12. Repeat step 3 through step 11 for each of the other real servers.

FIGURE 51 Config > Service > SLB > Server (ftp-2)

FIGURE 52 Config > Service > SLB > Server (ftp-3)

FIGURE 53 Config > Service > SLB > Server (ftp-4)

FIGURE 54 Config > Service > SLB > Server (showing configured real servers)

To configure the TCP template for FTP

1. Select Config > Service > Template.
2. Select L4 > TCP on the menu bar.
3. Click Add.
4. Enter a name for the template in the Name field.
5. In the Idle Timeout field, enter 15000.
6. Click OK. The new template appears in the TCP template table.

FIGURE 55 Config > Service > Template > L4 > TCP

To configure a service group for HTTP

1. Select Config > Service > SLB.
2. Select Service Group on the menu bar.
3. Click Add.
4. On the Service Group tab, enter a name in the Name field.
5. In the Algorithm field, select the load balancing method. For this example, select Weighted Round Robin.
6. Enter the real server’s IP address in the Server field.
7. Enter the protocol port in the Port field.
8. Leave the transport protocol set to TCP, if not already selected.

9. Click Add. The server and port appear in the member list. Repeat for each combination of server and port. In this example, add member 10.10.10.2 for port 80 and again for port 21 to service group http-grp.
10. Click OK. The new service group appears in the service group table.

FIGURE 56 Config > Service > Service Group (for HTTP)

To configure a service group for FTP

Repeat the procedure in “To configure a service group for HTTP” on page 150, with the following differences:

• In the Algorithm drop-down list, select Weighted Round Robin. (If your configuration does not use weights to bias server selection, you can leave this field set to Round Robin.)
• Add members 10.10.10.2-4 for port 21.

FIGURE 57 Config > Service > Service Group (for FTP)

FIGURE 58 Config > Service > Service Group (service groups added)

To configure the virtual server

1. Select Config > Service > SLB.
2. Select Virtual Server on the menu bar.
3. Click Add.
4. On the General tab, enter a name in the Name field.
5. Enter the virtual IP address in the IP Address field. This is the IP address to which clients will send HTTP and FTP requests.
6. On the Port tab, click Add. The Virtual Server Port tab appears.
7. In the Type drop-down list, select the service type. In this example, there are two services, HTTP and FTP. Select HTTP first and go to the next step.
8. Edit the number in the Port field to match the protocol port that clients will request at the virtual IP address.
9. Select the service group from the Service Group drop-down list. In this example, select http-grp for HTTP and ftp-grp for FTP.
10. Select the TCP template you configured in “To configure the TCP template for FTP” on page 150, if not already selected.
11. Click OK. The port and service group appear in the virtual port list.
12. Repeat from step 6 for the FTP service.
13. Click OK. The new virtual server appears in the virtual server table.

FIGURE 59 Config > Service > Virtual Server

FIGURE 60 Config > Service > Virtual Server - Virtual Server Port tab (for HTTP)

FIGURE 61 Config > Service > Virtual Server - Virtual Server Port tab (for FTP)

FIGURE 62 Config > Service > Virtual Server - Port tab (ports added)

FIGURE 63 Config > Service > Virtual Server (virtual server added)

USING THE CLI

1. To configure the health monitors, use the following commands:

health monitor monitor-name

Enter this command at the global Config level of the CLI to create a monitor and access the configuration level for it.

To configure an HTTP health method, use the following command at the configuration level for the monitor:

method http

To configure an FTP health method, use the following command at the configuration level for the monitor:

method ftp

In this example, none of the optional parameters are used. The default settings are used for both types of health monitors. (For information about the optional parameters, see the AX Series CLI Reference.)

2. To configure the real servers, use the following commands:

slb server server-name ipaddr

Enter this command at the global Config level of the CLI. The slb server command creates the real server and changes the CLI to the configuration level for it.

weight number

The weight command assigns a weight to the server, for use with weighted load-balancing methods.

port port-num tcp

The port command adds a TCP port for HTTP or FTP, and changes the CLI to the configuration level for the port. Enter a separate port command for each port number to be load balanced.

To assign the HTTP or FTP health monitor to a port, use the following command at the configuration level for the port:

health-check monitor-name

3. To configure the TCP template for FTP, use the following commands:

slb template tcp template-name

This command creates the TCP template and changes the CLI to the configuration level for the template.

idle-timeout seconds

The idle-timeout command specifies the number of seconds a TCP session can remain idle. The default is 60 seconds. For this example, set the idle timeout to 1500 seconds (the maximum).

4. To configure a service group for HTTP, use the following commands:

slb service-group group-name tcp

This command creates the service group and changes the CLI to the configuration level for it.

member server-name:portnum

The member command adds the HTTP server to the service group. The server-name is the name you used when you configured the real server. The portnum is the protocol port number configured on the real server.

5. To configure a service group for FTP, use the following commands:

slb service-group group-name tcp

This command creates the service group and changes the CLI to the configuration level for it.

member server-name:portnum
method weighted-rr

The member command adds the servers and their ports to the service group. Enter a separate command for each port. The method command changes the load-balancing method from the default (simple round robin) to weighted round robin. Use the following command to change the load balancing method:

method {fastest-response | least-connection | service-least-connection | weighted-least-connection | service-weighted-least-connection | weighted-rr}

In this example, use the weighted-rr option. (For descriptions of the other options, see the AX Series CLI Reference.)

6. To configure the virtual server, use the following commands:

slb virtual-server name ipaddr

This command creates the virtual server and changes the CLI to the configuration level for it.

   port port-number http
   port port-number ftp

   The port commands add virtual ports for HTTP and FTP. For each port, the command changes the CLI to the configuration level for the port, where the following commands are used:

   service-group group-name
   template tcp template-name

   The service-group command binds the virtual port to a service group. The template tcp command binds the virtual port to a TCP template.

CLI CONFIGURATION EXAMPLE

The following commands configure the HTTP and FTP health monitors:

   AX(config)#health monitor http-monitor
   AX(config-health:monitor)#method http
   AX(config-health:monitor)#exit
   AX(config)#health monitor ftp-monitor
   AX(config-health:monitor)#method ftp
   AX(config-health:monitor)#exit

The following commands configure the real servers:

   AX(config)#slb server ftp-2 10.10.10.2
   AX(config-real server)#weight 80
   AX(config-real server)#port 8801 tcp
   AX(config-real server-node port)#health-check http-monitor
   AX(config-real server-node port)#exit
   AX(config-real server)#port 21 tcp
   AX(config-real server-node port)#health-check ftp-monitor
   AX(config-real server-node port)#exit
   AX(config-real server)#exit
   AX(config)#slb server ftp-3 10.10.10.3
   AX(config-real server)#weight 100
   AX(config-real server)#port 21 tcp
   AX(config-real server-node port)#health-check ftp-monitor
   AX(config-real server-node port)#exit
   AX(config-real server)#exit
   AX(config)#slb server ftp-4 10.10.10.4
   AX(config-real server)#weight 100
   AX(config-real server)#port 21 tcp
   AX(config-real server-node port)#health-check ftp-monitor

2..168...)#service-group ftp-grp AX(config-slb virtual server-slb virtua.: D-030-01-00-0006 .AX Series .2 11/11/2009 b y 161 of 702 .10....)#template tcp ftp-longidletime P e r f o r m a n c e D e s i g n Document No.)#exit AX(config-slb virtual server)#port 21 ftp AX(config-slb virtual server-slb virtua.Configuration Guide Configuring FTP Load Balancing AX(config-real server-node port)#exit AX(config-real server)#exit The following commands configure the TCP template for use with FTP: AX(config)#slb template tcp ftp-longidletime AX(config-L4 TCP LB template)#idle-timeout 15000 AX(config-L4 TCP LB template)#exit The following commands configure the service group for HTTP: AX(config)#slb service-group http-grp tcp AX(config-slb service group)#member ftp-2:8801 AX(config-slb service group)#exit The following commands configure the service group for FTP: AX(config)#slb service-group ftp-grp tcp AX(config-slb service group)#member ftp-2:21 AX(config-slb service group)#member ftp-3:21 AX(config-slb service group)#member ftp-4:21 AX(config-slb service group)#method weighted-rr AX(config-slb service group)#exit The following commands configure the virtual server: AX(config)#slb virtual-server ftp-vip 192..21 AX(config-slb virtual server)#port 80 http AX(config-slb virtual server-slb virtua.)#service-group http-grp AX(config-slb virtual server-slb virtua..0.Ver.


SIP Load Balancing

This chapter describes Session Initiation Protocol (SIP) load balancing and how to configure it.

Overview

AX Series devices support SIP load balancing. SIP load balancing balances SIP registration messages from clients across a service group of SIP Registrar servers. SIP load balancing enables you to offload registration processing from other SIP servers so those servers can more efficiently process other SIP traffic.

Figure 64 shows an example of a SIP load balancing configuration. The commands to implement this configuration are shown in “Configuring SIP Load Balancing” on page 164.

FIGURE 64 SIP Load Balancing

Configuring SIP Load Balancing

To configure SIP load balancing:

1. Configure SIP health monitors using the SIP health method.
2. Configure a real server for each SIP Registrar server. Add the SIP port to each server, and assign the SIP health monitor to the port.
3. Configure a service group for the Registrar servers and add them to the group.
4. Configure a real server as a proxy for each SIP server that will handle SIP messages other than registration messages. The SIP port can be the same on the Registrar servers and these proxy servers. The AX selects a service group based on the message type.
5. Configure a service group for the other SIP servers and add them to the group. This is the SIP proxy group.
6. Configure a SIP template to redirect all SIP registration messages to the SIP Registrar service group.
7. Configure a virtual server containing the SIP port and bind the port to the SIP proxy group. Add the SIP proxy service group and the SIP template to the port.

The following sections provide detailed steps and examples.

USING THE GUI

1. Configure a SIP health monitor for the Registrar servers:
   a. Select Config > Service > Health Monitor.
   b. Select Health Monitor on the menu bar.
   c. Click Add.
   d. On the Health Monitor tab, enter a name for the health monitor.
   e. On the Method tab, select SIP in the Type drop-down list.
   f. Select Register to send a REGISTER request. (By default, an OPTION request is sent instead.)
   g. To send health checks to the default SIP port (5060), leave the port unchanged. Otherwise, to send the request to a different port, edit the port number in the Port field.

   h. Click OK. The new SIP health monitor appears in the Health Monitor table.

2. Configure a SIP health monitor for the other SIP servers:
   a. Click Add.
   b. On the Health Monitor tab, enter a name for the health monitor.
   c. On the Method tab, select SIP in the Type drop-down list.
   d. To use the default monitoring settings for SIP (OPTION request sent to port 5060), leave the other settings unchanged.
   e. Click OK. The new SIP health monitor appears in the Health Monitor table.

3. Configure a real server for the SIP Registrar server:
   a. Select Config > Service > SLB.
   b. Select Server on the menu bar.
   c. Click Add.
   d. On the General tab, enter a name for the Registrar server.
   e. Enter the IP address of the server.
   f. On the Port tab, enter the SIP port number in the Port field.
   g. In the Type drop-down list, select UDP.
   h. In the Health Monitor drop-down list, select the health monitor.
   i. Click Add. The port appears in the Port list.
   j. Click OK. The server appears in the real server table.

4. Use the same steps to configure a real server as a proxy for each SIP server that will handle SIP messages other than registration messages. The steps are the same as the steps for adding the Registrar servers. (See Figure 68.)

5. To configure a service group for the Registrar servers and add them to the group:
   a. Select Service Group on the menu bar.
   b. Click Add.
   c. On the Service Group tab, enter a name for the group.
   d. In the Protocol drop-down list, select UDP.
   e. On the Port tab, select the real server for the SIP Registrar server from the Server drop-down list.
   f. In the Port field, enter the SIP port number.

   g. Click Add. The port appears in the Port list.
   h. Repeat for each Registrar server.
   i. Click OK. The new service group appears in the service group table.

6. Use the same steps to configure a service group for the other SIP servers and add them to the group. This is the SIP proxy group.

7. To configure a SIP template to redirect all SIP registration messages to the SIP Registrar service group:
   a. Select Config > Service > Template.
   b. Select Application > SIP from the menu bar.
   c. Click Add.
   d. Enter a name for the template.
   e. In the Registrar Service Group drop-down list, select the service group.
   f. Optionally, insert, erase, or replace text in the SIP header.
   g. Click OK. The new SIP template appears in the SIP template table.

8. To configure a virtual server for the SIP proxy:
   a. Select Config > Service > SLB.
   b. Select Virtual Server on the menu bar.
   c. Click Add.
   d. On the General tab, enter a name for the virtual server.
   e. In the IP Address field, enter the IP address to which clients will send SIP Registration messages.
   f. On the Port tab, select SIP from the Type drop-down list.
   g. In the Port field, enter the SIP port number.
   h. In the Service Group drop-down list, select the SIP service group you created above for non-registration traffic.
   i. In the SIP Template drop-down list, select the SIP template.
   j. Click Add. The port appears in the Port list for the virtual server.
   k. Click OK. The virtual server appears in the virtual server table.

AX Series .2 11/11/2009 b y 167 of 702 .Ver.: D-030-01-00-0006 .Configuration Guide Configuring SIP Load Balancing GUI CONFIGURATION EXAMPLE The following GUI examples show the configuration steps. FIGURE 65 Config > Service > Health Monitor > Health Monitor (example for Registrar servers) FIGURE 66 Config > Service > Health Monitor > Health Monitor (example for other SIP servers) P e r f o r m a n c e D e s i g n Document No. 2.0.

FIGURE 67 Config > Service > SLB > Server

FIGURE 68 Config > Service > SLB > Server - Registrar and Proxy servers added

FIGURE 69 Config > Service > Service Group (registrar group)

FIGURE 70 Config > Service > Service Group - groups added

FIGURE 71 Config > Service > Template > Application > SIP

FIGURE 72 Config > Service > Template > Application > SIP - template added

FIGURE 73 Config > Service > Virtual Server - Port tab

FIGURE 74 Config > Service > Virtual Server - server added

USING THE CLI

1. To configure a SIP health monitor using the SIP health method, use the following commands:

   health monitor monitor-name

   Enter this command at the global Config level.

   method sip [register [port port-num]]

   Enter this command at the configuration level for the health method. The SIP health monitor sends an OPTION request to port 5060 by default. To send a REGISTER request instead, use the register option. To send the request to a port other than 5060, use the port option to specify the port number.

2. To configure a real server for a SIP Registrar server, add the SIP port to it, and apply the SIP health monitor to the port, use the following commands:

   slb server server-name ipaddr

   Enter this command at the global Config level.

   port port-num udp

   Enter this command at the configuration level for the real server.

   health-check monitor-name

   Enter this command at the configuration level for the SIP port.

3. To configure a service group for the Registrar servers and add them to the group, use the following commands:

   slb service-group group-name udp

   Enter this command at the global Config level.

   member server-name [priority number]

   Enter this command at the configuration level for the service group.

4. To configure a real server as a proxy for each SIP server that will handle SIP messages other than registration messages, use the same commands as in step 2.

5. To configure a service group for the other SIP servers and add them to the group, use the same commands as in step 4.

6. To configure a SIP template to redirect all SIP registration messages to the SIP Registrar service group, use the following commands:

   slb template sip template-name

   Enter this command at the global Config level.

   registrar service-group group-name
   header-erase string
   header-insert string
   header-replace string new-string
   timeout minutes
   pass-real-server-ip-for-acl acl-id

   Enter these commands at the configuration level for the SIP template. The header-erase, header-insert, and header-replace commands edit information in the SIP header of each SIP packet before sending it to the service group. Each command erases, inserts, or replaces a single header field.

   The timeout command specifies how many minutes the AX device leaves a SIP call session up. You can specify 1-250 minutes. The default is 30.

   Caution: A10 Networks recommends that you do not set the timeout to a value lower than 30 minutes. The SIP termination message (Bye) does not necessarily go through the AX device, thus the AX device does not know for certain that a conversation has ended.

   The pass-real-server-ip-for-acl command disables reverse NAT for traffic from the server, based on IP address. This command is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the AX device. (See “Disabling Reverse NAT Based on Destination IP Address” on page 174.)

7. To configure a virtual server for the SIP proxy servers (the servers that will handle all other SIP traffic except registration messages), use the following commands:

   slb virtual-server name ipaddr

   Enter this command at the global Config level.

   port port-number sip

   Enter this command at the configuration level for the virtual server.

   service-group group-name
   template sip template-name

   Enter these commands at the configuration level for the virtual port.

CLI CONFIGURATION EXAMPLE

The commands in the following example implement the SIP load balancing configuration shown in Figure 64 on page 163.

The following commands configure the SIP health monitors:

   AX(config)#health monitor sip_monitor
   AX(config-health:monitor)#method sip
   AX(config-health:monitor)#exit
   AX(config)#health monitor sipreg_monitor
   AX(config-health:monitor)#method sip register
   AX(config-health:monitor)#exit

The following commands configure the Registrar servers:

   AX(config)#slb server Registrar1 10.10.10.56
   AX(config-real server)#port 5060 udp
   AX(config-real server-node port)#health-check sipreg_monitor
   AX(config-real server-node port)#exit
   AX(config-real server)#exit
   AX(config)#slb server Registrar2 10.10.10.57
   AX(config-real server)#port 5060 udp
   AX(config-real server-node port)#health-check sipreg_monitor
   AX(config-real server-node port)#exit
   AX(config-real server)#exit

The following commands configure the SIP proxy servers:

   AX(config)#slb server Proxy3 10.10.10.11
   AX(config-real server)#port 5060 udp
   AX(config-real server-node port)#health-check sip_monitor
   AX(config-real server-node port)#exit
   AX(config-real server)#exit
   AX(config)#slb server Proxy4 10.10.10.12
   AX(config-real server)#port 5060 udp
   AX(config-real server-node port)#health-check sip_monitor
   AX(config-real server-node port)#exit
   AX(config-real server)#exit

The following commands configure the service groups:

   AX(config)#slb service-group Registrar_gp udp
   AX(config-slb service group)#member Registrar1:5060
   AX(config-slb service group)#member Registrar2:5060
   AX(config-slb service group)#exit
   AX(config)#slb service-group sip5060 udp
   AX(config-slb service group)#member Proxy3:5060
   AX(config-slb service group)#member Proxy4:5060
   AX(config-slb service group)#exit

The following commands configure the SIP template:

   AX(config)#slb template sip Registrar_template
   AX(config-SIP LB template)#registrar service-group Registrar_gp
   AX(config-SIP LB template)#header-insert Max-Forwards:22
   AX(config-SIP LB template)#header-replace Max-Forwards 15
   AX(config-SIP LB template)#header-erase Contact
   AX(config-SIP LB template)#exit

The following commands configure the VIP for the SIP registrar:

   AX(config)#slb virtual-server sip1 192.168.20.1
   AX(config-slb virtual server)#port 5060 sip
   AX(config-slb virtual server-slb virtua...)#service-group sip5060
   AX(config-slb virtual server-slb virtua...)#template sip Registrar_template

Disabling Reverse NAT Based on Destination IP Address

You can use a SIP template to disable reverse NAT for traffic from servers, based on IP address. This option is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the AX device. Figure 75 shows an example.

FIGURE 75 Reverse NAT Disabled for Traffic from a SIP Server

By default, the AX device performs reverse NAT on all traffic from a SIP server before forwarding the traffic. Reverse NAT translates the source IP address of return traffic from servers to clients back into the VIP address before forwarding the traffic to clients. However, if the SIP server needs to reach another server, and the traffic must pass through the AX device, the destination server will receive the traffic from the VIP address instead of the SIP server address.

To disable reverse NAT in this type of situation:

1. Configure an extended ACL that matches on the SIP server IP address or subnet as the source address, and matches on the destination server’s IP address or subnet as the destination address.
2. Configure a SIP template that disables reverse NAT based on the ACL.
3. Bind the SIP template to the SIP virtual port.

USING THE GUI

1. Select Config > Service > Template.
2. On the menu bar, select Application > SIP.

3. Click on the template name or click Add to create a new one.
4. Select the ACL from the Pass Real Server IP for ACL drop-down list.

USING THE CLI

To disable reverse NAT based on the IP addresses in an extended ACL, use the following command at the configuration level for the SIP template:

   [no] pass-real-server-ip-for-acl acl-id

The acl-id specifies an extended ACL ID (100-199).

CLI Example

The commands in this section are applicable to Figure 75.

The following command configures an extended ACL that matches on the SIP server’s subnet and on the database server’s subnet:

   AX(config)#access-list 101 permit ip 10.10.10.0 /24 10.20.20.0 /24

The following commands configure a SIP template that disables reverse NAT for traffic that matches the ACL:

   AX(config)#slb template sip sip1
   AX(config-sip)#pass-real-server-ip-for-acl 101
   AX(config-sip)#exit

The following commands bind the SIP template to the SIP virtual port:

   AX(config)#slb virtual-server sip-vip 192.168.20.1
   AX(config-slb vserver)#port 5060 sip
   AX(config-slb vserver-vport)#template sip sip1
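The CLI transcripts in this chapter (the FTP and SIP examples, the SIP template limits, and the extended ACL that bypasses reverse NAT) can be checked for dangling references and out-of-range values before they are pasted into a device. The following Python script is an added example, not A10 code: it parses prompt-style lines in the form shown above and also flags an https or ssl-proxy virtual port that has no client-ssl template; the sample transcript, its names and its addresses are constructed.

```python
"""Sanity checker for AX Series SLB CLI transcripts (added example, not A10 code)."""
import re

PROMPT = re.compile(r"^\s*AX\s*\([^)]*\)#\s*")   # strips "AX(config-real server)#" from a line


def parse_transcript(text):
    """Build {"servers", "vips", "groups", "templates", "acls"} from CLI transcript lines."""
    cfg = {"servers": {}, "vips": {}, "groups": {}, "templates": {}, "acls": set()}
    ctx = []   # stack of CLI levels, e.g. [("servers", "ftp-2"), ("port", (21, "tcp"))]
    for t in filter(None, (PROMPT.sub("", ln).split() for ln in text.splitlines())):
        top = ctx[-1] if ctx else (None, None)
        if t[:2] in (["slb", "server"], ["slb", "virtual-server"]):
            kind = "servers" if t[1] == "server" else "vips"
            cfg[kind][t[2]] = {"ip": t[3], "ports": {}}
            ctx = [(kind, t[2])]
        elif t[:2] == ["slb", "service-group"]:
            cfg["groups"][t[2]] = {"proto": t[3], "members": []}
            ctx = [("groups", t[2])]
        elif t[:2] == ["slb", "template"]:
            cfg["templates"][(t[2], t[3])] = {}           # keyed by (kind, name)
            ctx = [("templates", (t[2], t[3]))]
        elif t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[0] == "exit":
            ctx = ctx[:-1]
        elif top[0] in ("servers", "vips") and t[0] == "port":
            key = (int(t[1]), t[2])                       # (number, protocol or service type)
            cfg[top[0]][top[1]]["ports"][key] = {"templates": {}}
            ctx.append(("port", key))
        elif top[0] == "port":                            # real-server port or virtual port level
            entry = cfg[ctx[-2][0]][ctx[-2][1]]["ports"][top[1]]
            if t[0] == "template":
                entry["templates"][t[1]] = t[2]           # template KIND NAME
            else:
                entry[t[0]] = t[1]                        # health-check NAME or service-group NAME
        elif top[0] == "groups" and t[0] == "member":
            name, port = t[1].split(":")
            cfg["groups"][top[1]]["members"].append((name, int(port)))
        elif top[0] == "templates":
            cfg["templates"][top[1]][t[0]] = t[1:]        # "timeout 10" -> {"timeout": ["10"]}
    return cfg


def check(cfg):
    """Return a list of findings; an empty list means every reference resolves."""
    out = []
    for gname, grp in cfg["groups"].items():
        for sname, port in grp["members"]:
            srv = cfg["servers"].get(sname)
            if srv is None:
                out.append(f"group {gname}: member {sname}:{port} names an undefined real server")
            elif (port, grp["proto"]) not in srv["ports"]:
                out.append(f"group {gname}: {sname} has no {grp['proto']} port {port}")
    for vname, vip in cfg["vips"].items():
        for (num, vtype), vp in vip["ports"].items():
            where = f"virtual server {vname} port {num} {vtype}"
            if vp.get("service-group") not in cfg["groups"]:
                out.append(f"{where}: service group {vp.get('service-group')} is not defined")
            for kind, tname in vp["templates"].items():
                if (kind, tname) not in cfg["templates"]:
                    out.append(f"{where}: template {kind} {tname} is not defined")
            if vtype in ("https", "ssl-proxy") and "client-ssl" not in vp["templates"]:
                out.append(f"{where}: no client-ssl template, so no certificate and key")
    for (kind, tname), tpl in cfg["templates"].items():
        if kind != "sip":
            continue
        where = f"sip template {tname}"
        reg = tpl.get("registrar", [None])[-1]            # "registrar service-group NAME"
        if reg and reg not in cfg["groups"]:
            out.append(f"{where}: registrar service group {reg} is not defined")
        minutes = int(tpl.get("timeout", ["30"])[0])      # the default is 30 minutes
        if not 1 <= minutes <= 250:
            out.append(f"{where}: timeout {minutes} is outside the 1-250 minute range")
        elif minutes < 30:
            out.append(f"{where}: timeout {minutes} is below the recommended 30 minutes")
        acl = tpl.get("pass-real-server-ip-for-acl", [None])[0]
        if acl and not (acl in cfg["acls"] and 100 <= int(acl) <= 199):
            out.append(f"{where}: pass-real-server-ip-for-acl {acl} is not a configured extended ACL")
    return out


# Constructed transcript in the style of the SIP example, seeded with two faults:
# Proxy4 is never defined and the SIP session timeout is set to 10 minutes.
SAMPLE = """\
AX(config)#access-list 101 permit ip 10.10.10.0 /24 10.20.20.0 /24
AX(config)#slb server Registrar1 10.10.10.56
AX(config-real server)#port 5060 udp
AX(config-real server-node port)#health-check sipreg_monitor
AX(config)#slb service-group Registrar_gp udp
AX(config-slb service group)#member Registrar1:5060
AX(config)#slb service-group sip5060 udp
AX(config-slb service group)#member Proxy4:5060
AX(config)#slb template sip Registrar_template
AX(config-SIP LB template)#registrar service-group Registrar_gp
AX(config-SIP LB template)#timeout 10
AX(config-SIP LB template)#pass-real-server-ip-for-acl 101
AX(config)#slb virtual-server sip1 192.168.20.1
AX(config-slb virtual server)#port 5060 sip
AX(config-slb virtual server-slb virtual port)#service-group sip5060
AX(config-slb virtual server-slb virtual port)#template sip Registrar_template
"""
```

Running check(parse_transcript(SAMPLE)) reports the undefined Proxy4 member and the 10-minute timeout; a transcript with those two lines corrected reports nothing.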

SSL Offload and SSL Proxy

This chapter describes how to configure optimization of Secure Sockets Layer (SSL).

Note: The AX device also supports STARTTLS acceleration and encryption. See “STARTTLS for Secure SMTP” on page 195.

Overview

The AX device provides the following types of SSL optimization:

• SSL Offload – The AX device applies Layer 7 features to HTTPS traffic per your configured HTTP template options, such as those described in “HTTP Options for SLB” on page 105. SSL offload uses service type (virtual port type) HTTPS, and supports deep packet inspection and header manipulation.

• SSL proxy – The AX device acts as a Layer 4 SSL proxy for TCP services such as POPS, IMAPS, SMTPS, and LDAPS. SSL proxy uses service type SSL-proxy and provides Layer 4 SLB but does not provide deep packet inspection or header manipulation.

Both types of SSL optimization perform SSL handshakes, as well as encryption / decryption. SSL certificates and keys are required. You can import the certificates and keys or create them on the AX device.

Choosing an SSL Optimization Implementation

To choose which of the SSL optimization features to implement in your server farm, consider the following.

Implement SSL offload if the following are true:

• The traffic will be HTTPS traffic.
• Layer 7 processing (deep packet inspection or manipulation) is required.

Implement SSL proxy if the following are true:

• The traffic will be SSL-secured traffic over TCP, but not necessarily HTTPS traffic.
• Layer 7 features are not required.

Configuring Client SSL

1. Import or create a certificate and its key to use for TLS sessions with clients. You can create a self-signed certificate on the AX device or import a certificate. The configuration example in this chapter uses an imported certificate. For more information about certificate options, see “SSL Certificate Management” on page 647.
2. Configure a client SSL template and add the certificate and key to it.

USING THE GUI

1. To import a certificate and its key to use for TLS sessions with clients:
   a. Select Config > SLB > SSL Management.
   b. On the menu bar, select Certificate, if not already selected.
   c. Click Import.
   d. In the Name field, enter a name for the certificate. This is the name you will refer to when adding the certificate to a client-SSL or server-SSL template.
   e. Select Certificate from the Type drop-down list.
   f. Click Browse and navigate to the location of the certificate.
   g. Click Open. The path and filename appear in the Source field.
   h. Click OK. The certificate appears in the certificate and key list.
   i. Click Import.
   j. In the Name field, enter a name for the key. This is the name you will refer to when adding the key to a client-SSL or server-SSL template.
   k. Select Key from the Type drop-down list.
   l. Click Browse and navigate to the location of the key.

   m. Click Open. The path and filename appear in the Source field.
   n. Click OK. The key appears in the certificate and key list.

2. To configure a client SSL template and add the certificate and key to it:
   a. Select Configure > Service > Template.
   b. Select SSL > Client SSL from the menu bar.
   c. Click Add.
   d. On the Client SSL tab, enter a name for the template in the Name field.
   e. In the Certificate Name drop-down list, select the certificate you imported in the previous step.
   f. In the Key Name field, select the private key you imported in the previous step.
   g. If the files are secured with a passphrase, enter the passphrase.
   h. Click OK. The new template appears in the Client SSL template table.

GUI CONFIGURATION EXAMPLE

The following GUI examples show the configuration steps.

FIGURE 76 Configure > Service > SSL Management - Import (for the certificate)

FIGURE 77 Configure > Service > SSL Management - Import (for the private key)

FIGURE 78 Configure > Service > Template > SSL > Client SSL

USING THE CLI

1. To import a certificate and key, use the following commands at the global Config level of the CLI:

   slb ssl-load certificate file-name url
   slb ssl-load key file-name url

   The url specifies the file transfer protocol, username (if required), directory path, and filename. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:

   • tftp://host/file
   • ftp://[user@]host[:port]/file
   • scp://[user@]host/file
   • rcp://[user@]host/file

2. To configure a client SSL template, use the following commands:

   slb template client-ssl template-name

   Enter this command at the global Config level.

   cert cert-name

   Enter this command at the configuration level for the client SSL template.

   key key-name [passphrase passphrase-string]

CLI CONFIGURATION EXAMPLE

The following commands import certificates and keys, and configure a client-SSL template to use them.

The following commands import an SSL certificate and key:

   AX(config)#slb ssl-load certificate sslcert1.crt ftp:
   Address or name of remote host []?1.1.1.2
   User name []?axadmin
   Password []?*********
   File name [/]?sslcert1.crt
   AX(config)#slb ssl-load key sslcertkey.pem ftp:
   Address or name of remote host []?1.1.1.2
   User name []?axadmin
   Password []?*********
   File name [/]?sslcertkey.pem

The following commands configure a client SSL template to use the certificate and key:

   AX(config)#slb template client-ssl sslcert-tmplt
   AX(config-client SSL template)#cert sslcert.crt
   AX(config-client SSL template)#key sslcertkey.pem
   AX(config-client SSL template)#exit

Configuring HTTPS Offload

To configure the AX device to perform Layer 7 SLB for HTTPS clients:

1. Configure client SSL. (See “Configuring Client SSL” on page 178.)
2. Configure the real servers for the TCP service.
3. Configure a service group for the servers and add them to the group.
4. If needed for your specific application, configure HTTP template options. (For information and examples, see “HTTP Options for SLB” on page 105.)
5. Configure a virtual server and add a virtual port that has the service type https. Bind the service-group to the virtual port and to the HTTP template (if configured) and client-SSL template.

USING THE GUI

1. To configure real servers:
   a. Select Config > Service > SLB.
   b. Select Server on the menu bar.
   c. Click Add. The General tab appears.
   d. On the General tab, enter a name for the server and enter its IP address, in the Name and IP Address fields.
   e. On the Port tab, enter the port number in the Port field.
   f. In the Protocol drop-down list, select TCP, if not already selected.
   g. Select the health monitor, if your configuration will use one.
   h. Click Add. The port appears in the Port list.
   i. Click OK. The server appears in the server table.
   j. Repeat for each real server.

2. To configure a service group for the servers and add them to the group:
   a. Select Service Group on the menu bar.
   b. Click Add.
   c. On the Service Group tab, enter a name for the service group.
   d. In the Type drop-down list, select TCP, if not already selected.
   e. On the Port tab, select a server from the Server drop-down list.
   f. Select the health monitor, if your configuration will use one.

   g. Enter the service port in the Port field.
   h. Click Add. The port appears in the list.
   i. Repeat step f through step h for each server.
   j. Click OK. The new service group appears in the service group table.

3. To configure HTTP template options, see “HTTP Options for SLB” on page 105.

4. To configure a virtual server for SSL offload:
   a. Select Virtual Server on the menu bar.
   b. Click Add.
   c. On the General tab, enter a name for the virtual server.
   d. In the IP Address field, enter the VIP address.
   e. On the Port tab, click Add.
   f. In the Type drop-down list, select HTTPS.
   g. In the Port field, enter the service port number.
   h. In the Service Group drop-down list, select the service group.
   i. If a custom HTTP template has been configured for this application, select the template from the HTTP Template drop-down list.
   j. In the Client-SSL Template drop-down list, select the template.
   k. Click OK. The HTTPS port appears in the port list for the virtual server.
   l. Click OK again. The new virtual server appears in the virtual server table.

GUI CONFIGURATION EXAMPLE

The following GUI examples show the configuration steps.

FIGURE 79 Configure > Service > SLB > Server

FIGURE 80 Configure > Service > SLB > Service Group

FIGURE 81 Configure > Service > SLB > Virtual Server

FIGURE 82 Configure > Service > SLB > Virtual Server - Port tab

USING THE CLI

1. To configure a real server, use the following commands:

   slb server server-name ipaddr

   Enter this command at the global Config level.

   port port-num tcp

   Enter this command at the configuration level for the real server.

2. To configure a service group for the servers and add them to the group, use the following commands:

   slb service-group group-name tcp

   Enter this command at the global Config level.

   member server-name [priority number]

   Enter this command at the configuration level for the service group.

3. To configure HTTP template options, see “HTTP Options for SLB” on page 105.

4. To configure a virtual server and HTTPS virtual port, use the following commands:

   slb virtual-server name ipaddr

   Enter this command at the global Config level.

   port port-number https

   Enter this command at the configuration level for the virtual server. The feature is enabled by the https option of the port command at the virtual server configuration level of the CLI.

   service-group group-name
   template http template-name
   template client-ssl template-name

   Enter these commands at the configuration level for the virtual port to bind the port to the service group and the application templates.

CLI CONFIGURATION EXAMPLE

The following commands configure SSL offload.

The following commands configure the real servers:

   AX(config)#slb server HTTPS1 10.5.5.2
   AX(config-real server)#port 443 tcp
   AX(config-real server-node port)#exit
   AX(config-real server)#exit
   AX(config)#slb server HTTPS2 10.5.5.3
   AX(config-real server)#port 443 tcp
   AX(config-real server-node port)#exit
   AX(config-real server)#exit

The following commands configure a service group for the HTTPS servers:

   AX(config)#slb service-group HTTPS_servers tcp
   AX(config-slb service group)#member HTTPS1:443
   AX(config-slb service group)#member HTTPS2:443
   AX(config-slb service group)#exit

The following commands configure the VIP to which clients will send HTTPS traffic:

   AX(config)#slb virtual-server v1 10.6.6.6
   AX(config-slb virtual server)#port 443 https
   AX(config-slb virtual server-slb virtua...)#service-group HTTPS_servers
   AX(config-slb virtual server-slb virtua...)#template http HTTPS_1
   AX(config-slb virtual server-slb virtua...)#template client-ssl sslcert-tmplt

Configuring the SSL Proxy Feature

To configure the AX device as an SSL proxy for a TCP service:

1. Configure client SSL. (See “Configuring Client SSL” on page 178.)
2. Configure the real servers for the TCP service.
3. Configure a service group for the servers and add them to the group.
4. Configure a virtual server and add a virtual port that has the service type ssl-proxy. Bind the service-group to the virtual port and to the client-SSL template.

USING THE GUI

1. To configure real servers:
   a. Select Config > Service > SLB.
   b. Select Server on the menu bar.
   c. Click Add. The General tab appears.
   d. On the General tab, enter a name for the server and enter its IP address, in the Name and IP Address fields.
   e. On the Port tab, enter the port number in the Port field.
   f. In the Protocol drop-down list, select TCP, if not already selected.
   g. Select the health monitor, if your configuration will use one.
   h. Click Add. The port appears in the Port list.
   i. Click OK. The server appears in the server table.
   j. Repeat for each real server.

2. To configure a service group for the servers and add them to the group:
   a. Select Service Group on the menu bar.
   b. Click Add.

c. Click Add.
d. On the Service Group tab, enter a name for the service group.
e. In the Type drop-down list, select TCP.
f. On the Port tab, select a server from the Server drop-down list.
g. In the Port field, enter the service port number.
h. Click Add. The port appears in the list.
i. Repeat step f through step h for each server.
j. Click OK. The new service group appears in the service group table.
3. To configure a virtual server for SSL proxy:
a. Select Virtual Server on the menu bar.
b. Click Add.
c. On the General tab, enter a name for the virtual server.
d. In the IP Address field, enter the VIP address.
e. On the Port tab, click Add.
f. In the Type drop-down list, select SSL-Proxy.
g. Enter the service port in the Port field.
h. In the Service Group drop-down list, select the service group.
i. In the Client-SSL Template drop-down list, select the template.
j. Select the health monitor, if your configuration will use one.
k. Click OK. The SSL proxy port appears in the port list for the virtual server. Click OK again. The new virtual server appears in the virtual server table.

GUI CONFIGURATION EXAMPLE
The following GUI examples show the configuration steps.
FIGURE 83 Configure > Service > SLB > Server

FIGURE 84 Configure > Service > SLB > Service Group
FIGURE 85 Configure > Service > SLB > Virtual Server

FIGURE 86 Configure > Service > SLB > Virtual Server - Port tab

USING THE CLI
1. To configure a real server, use the following commands:
slb server server-name ipaddr
Enter this command at the global Config level.
port port-num tcp
Enter this command at the configuration level for the real server.
2. To configure a service group for the servers and add them to the group, use the following commands:
slb service-group group-name tcp
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.

3. To configure a virtual server and port for the TCP service, use the following commands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-number ssl-proxy
Enter this command at the configuration level for the virtual server.
service-group group-name
template client-ssl template-name
Enter these commands at the configuration level for the virtual port.

CLI CONFIGURATION EXAMPLE
The following commands configure proxy SSL for POPS. The same commands can be used to configure SSL proxy for other TCP services. In each case, the feature is enabled by the ssl-proxy option of the port command at the virtual server configuration level of the CLI.

The following commands configure the real servers (the middle octets of the addresses are not legible in the source and are shown as x):
AX(config)#slb server POP1 10.x.x.2
AX(config-real server)#port 110 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server POP2 10.x.x.3
AX(config-real server)#port 110 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

The following commands configure a service group for the POP servers:
AX(config)#slb service-group POP_servers tcp
AX(config-slb service group)#member POP1:110
AX(config-slb service group)#member POP2:110
AX(config-slb service group)#exit

The following commands configure the VIP to which clients will send POPS traffic. The virtual port is bound to the POP_servers service group configured above:
AX(config)#slb virtual-server v1 10.x.x.6
AX(config-slb virtual server)#port 110 ssl-proxy
AX(config-slb virtual server-slb virtua...)#service-group POP_servers
AX(config-slb virtual server-slb virtua...)#template client-ssl sslcert-tmplt


STARTTLS for Secure SMTP
This chapter describes how to configure the AX device to secure Simple Mail Transfer Protocol (SMTP) mail using STARTTLS.

Overview
AX Series devices support the STARTTLS feature. SMTP itself does not provide any security. STARTTLS is an extension to SMTP that enables you to secure mail traffic to and from your legacy SMTP servers. When the AX device is configured to perform STARTTLS, the AX acts as a proxy between SMTP clients and servers. Mail traffic to and from clients is encrypted by the AX, whereas traffic between the AX and the SMTP servers is clear (not encrypted). Figure 87 shows an example of the STARTTLS feature.
FIGURE 87 STARTTLS

Additional SMTP Security Options
In addition to providing encryption of mail traffic for clients, the AX STARTTLS feature has additional security options:
• Require STARTTLS – By default, client use of STARTTLS is optional. You can configure the AX to require STARTTLS. In this case, the client must issue the STARTTLS command to establish a secured session, before any mail transactions are allowed. If the client does not issue the STARTTLS command, the AX sends the following message to the client: "530 Must issue a STARTTLS command first"
• Disable SMTP commands – By default, the VRFY, EXPN, and TURN commands are allowed. You can disable support of any of these commands. In this case, if the client tries to issue a disabled SMTP command, the AX sends the following message to the client: "502 Command not implemented"

Domain Switching
By default, SMTP traffic from all client domains is sent to the same service group. You can configure multiple service groups and send traffic to the groups based on the client domain. For example, you can send SMTP traffic from clients in domain "CorpA" to a different service group than SMTP traffic from clients in domain "CorpB".
FIGURE 88 STARTTLS Domain Switching

Configuring STARTTLS
To configure STARTTLS:
1. Import a certificate and its key to use for TLS sessions with clients.
2. Configure a client SSL template and add the certificate and its key to it.
3. Configure a real server for each SMTP server and add the SMTP port to the server.
4. Configure a service group for the SMTP servers and add them to the group.
5. Configure an SMTP template. Within the template:
a. Specify the email server domain. The default is “mail-server-domain”.
b. Optionally, modify the service ready message. The default message text is "ESMTP mail service ready". The complete message sent to the client is constructed as follows: 200 smtp-domain service-ready-string
c. Optionally, disable one or more of the following SMTP commands: VRFY, EXPN, or TURN. If a client sends an SMTP command that is disabled on the AX, the AX sends the following message to the client: “502 Command not implemented”
d. Optionally, change STARTTLS from being optional to being required. If you leave the setting "optional", mail clients will be able to send and receive unencrypted mail.
e. Optionally, load balance SMTP traffic among multiple service groups based on client domains.
6. Configure a virtual server and port for the SMTP address to which clients will send SMTP traffic, and add the SMTP service group and SMTP template to the port.

USING THE GUI
In the GUI, most of the configuration steps (step 1 through step 4 above) for STARTTLS are the same as those for SSL proxy support. (See “Configuring the SSL Proxy Feature” on page 188.)
To configure an SMTP template for STARTTLS (step 5 above):
1. Select Configure > Service > Template.
2. Select Application > SMTP from the menu bar.
3. Click Add. The SMTP tab appears.
4. On the SMTP tab, enter general settings for the template:
a. In the Name field, enter a name for the template.
b. In the Server Domain field, enter the domain for which the AX will provide STARTTLS service.
c. In the Service Ready Message field, enter the message that the AX will send to clients to inform them that the STARTTLS service is ready.
d. To force clients to use STARTTLS, select Enforced next to STARTTLS.
e. To disable STARTTLS commands sent by the client, select the commands to disable.
5. To configure domain switching settings:
a. On the Client Domain Switching tab, enter the client SMTP domain in the Client Domain field.
b. In the Service Group drop-down list, select the service group to use for the client domain.
c. Click Add.
d. Repeat for each client domain.
6. Click OK. The new template appears in the SMTP template table.

To configure a virtual server for STARTTLS (step 6 above):
1. Select Configure > Service > Server.
2. Select Virtual Server on the menu bar.
3. Click Add.
4. On the General tab, enter general settings for the virtual server:
a. Enter a name for the virtual server.
b. In the IP address field, enter the VIP address.
5. Configure port settings for the virtual server:
a. On the Port tab, click Add. The Virtual Server Port tab appears.
b. In the Type drop-down list, select SMTP.
c. In the Port field, enter the service port number.
d. In the Service Group drop-down list, select the service group.
e. In the SMTP Template drop-down list, select the SMTP template.
f. In the Client-SSL Template drop-down list, select the client SSL template.
g. Click OK. The port appears in the port list for the virtual server.
h. Click OK again. The new virtual server appears in the virtual server table.

GUI CONFIGURATION EXAMPLE
The following GUI examples show the configuration steps.
FIGURE 89 Config > Service > Template > Application > SMTP

FIGURE 90 Config > Service > SLB > Virtual Server - Port tab

USING THE CLI
1. To import a certificate and its key, use the following commands at the global Config level of the CLI:
slb ssl-load certificate file-name url
slb ssl-load key file-name url
The url specifies the file transfer protocol, username (if required), directory path, and filename. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:

• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file

2. To configure a client SSL template, use the following commands:
slb template client-ssl template-name
Enter this command at the global Config level.
cert cert-name
key key-name [passphrase passphrase-string]
Enter these commands at the configuration level for the client SSL template.
3. To configure a real server for an SMTP server, use the following commands:
slb server server-name ipaddr
Enter this command at the global Config level.
port port-num tcp
Enter this command at the configuration level for the real server.
4. To configure a service group for the SMTP servers and add them to the group, use the following commands:
slb service-group group-name tcp
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.
5. To configure an SMTP template, use the following commands:
slb template smtp template-name
Enter this command at the global Config level.
Use the following commands at the configuration level for the SMTP template to set SMTP options:
server-domain name
service-ready-message string
starttls {disable | optional | enforced}
domain-switching match string service-group group-name

The disable option of the starttls command disables STARTTLS support on the VIP that uses the SMTP template.
The domain-switching command is required only if you have multiple service groups and you want to direct SMTP clients to specific service groups based on the client's domain.
6. To configure a virtual server and port for the SMTP address to which clients will send SMTP traffic, add the SMTP service group, and add the SMTP and client SSL templates to the port, use the following commands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-num smtp
Enter this command at the configuration level for the virtual server.
service-group group-name
template smtp template-name
template client-ssl template-name
Enter these commands at the configuration level for the virtual port.

Displaying STARTTLS Statistics
To display STARTTLS statistics, use the following command at the Privileged EXEC level or any configuration level of the CLI:
show slb smtp [detail]


CLI CONFIGURATION EXAMPLE
The following commands implement the STARTTLS configuration shown in Figure 87 on page 195. To begin, the following commands import an SSL certificate and key:
AX(config)#slb ssl-load certificate starttls.crt ftp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?starttls.crt
AX(config)#slb ssl-load key tlscertkey.pem ftp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?tlscertkey.pem

The following commands configure a client SSL template to use the certificate and key:
AX(config)#slb template client-ssl mailcert-tmplt
AX(config-client SSL template)#cert starttls.crt
AX(config-client SSL template)#key tlscertkey.pem
AX(config-client SSL template)#exit

The following commands configure the SMTP real servers:
AX(config)#slb server SMTP1 10.1.1.2
AX(config-real server)#port 25 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server SMTP2 10.1.1.3
AX(config-real server)#port 25 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

The following commands configure a service group for the SMTP servers:
AX(config)#slb service-group SMTP_servers tcp
AX(config-slb service group)#member SMTP1:25
AX(config-slb service group)#member SMTP2:25
AX(config-slb service group)#exit

The following commands configure the SMTP template. In this example, additional security is added by enforcing STARTTLS and by disabling the SMTP commands VRFY, EXPN, and TURN.
AX(config)#slb template smtp starttls-tmplt
AX(config-slb template)#server-domain "mycorp.com"
AX(config-slb template)#service-ready-message "MyCorp ESMTP mail service is ready"
AX(config-slb template)#starttls enforced
AX(config-slb template)#command-disable vrfy expn turn

The following commands configure the VIP to which mail clients will send SMTP traffic:
AX(config)#slb virtual-server v1 10.1.1.1
AX(config-slb virtual server)#port 25 smtp
AX(config-slb virtual server-slb virtua...)#service-group SMTP_servers
AX(config-slb virtual server-slb virtua...)#template client-ssl mailcert-tmplt
AX(config-slb virtual server-slb virtua...)#template smtp starttls-tmplt
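To make the behaviour of the options described in this chapter concrete, the following Python model applies an SMTP template (starttls enforced or optional, command-disable, domain switching) to a client transcript and shows which replies a client sees. This is an added illustration, not A10 code and not the AX implementation; the EHLO and STARTTLS replies, the set of commands allowed before STARTTLS, and the use of the MAIL FROM domain as the client domain are assumptions, while the 530 and 502 texts are the ones the guide quotes.

```python
"""Policy model of the SMTP template options this chapter describes: starttls
{disable | optional | enforced}, command-disable, and client-domain switching.
Added example for illustration; not A10 code and not how the AX implements it."""
from dataclasses import dataclass, field


@dataclass
class SmtpTemplate:
    starttls: str = "optional"                 # "disable" | "optional" | "enforced"
    disabled: frozenset = frozenset()          # e.g. {"VRFY", "EXPN", "TURN"}
    domain_groups: dict = field(default_factory=dict)  # client domain -> service group


# Commands still answered before STARTTLS when it is enforced. The guide only says
# "before any mail transactions are allowed"; this set (RFC 3207's) is an assumption.
PRE_TLS_OK = {"EHLO", "HELO", "NOOP", "RSET", "STARTTLS", "QUIT"}


class ProxySession:
    """One client connection on the SMTP VIP: tracks TLS state and the chosen service group."""

    def __init__(self, tmpl, default_group):
        self.tmpl = tmpl
        self.secured = False          # becomes True once the client issues STARTTLS
        self.group = default_group    # service group bound to the virtual port

    def handle(self, line):
        """Return the reply the proxy sends for one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in self.tmpl.disabled:            # command-disable: never served
            return "502 Command not implemented"
        if verb in ("EHLO", "HELO"):
            offer = self.tmpl.starttls != "disable" and not self.secured
            return "250-STARTTLS\r\n250 OK" if offer else "250 OK"
        if verb == "STARTTLS":
            if self.tmpl.starttls == "disable" or self.secured:
                return "502 Command not implemented"   # assumption: treated like a disabled command
            self.secured = True
            return "220 Ready to start TLS"            # assumption: RFC 3207 wording
        if self.tmpl.starttls == "enforced" and not self.secured and verb not in PRE_TLS_OK:
            return "530 Must issue a STARTTLS command first"
        if verb == "QUIT":
            return "221 Bye"
        if verb == "MAIL" and "@" in arg:
            # Domain switching. Assumption: the client domain is the MAIL FROM domain.
            domain = arg.split("@", 1)[1].strip("<>").lower()
            self.group = self.tmpl.domain_groups.get(domain, self.group)
        return "250 OK"               # MAIL, RCPT, DATA ... are simply forwarded here


def run_session(tmpl, client_lines, default_group="SMTP_servers"):
    """Feed a client transcript through one session; return (replies, selected group)."""
    session = ProxySession(tmpl, default_group)
    return [session.handle(line) for line in client_lines], session.group


# Constructed client transcript: a mail transaction and a VRFY attempted both
# before and after STARTTLS, from a client in domain corpa.com.
CONSTRUCTED_SESSION = [
    "EHLO client.corpa.com",
    "MAIL FROM:<alice@corpa.com>",
    "VRFY bob",
    "STARTTLS",
    "EHLO client.corpa.com",
    "MAIL FROM:<alice@corpa.com>",
    "VRFY bob",
]

if __name__ == "__main__":
    # Same options as the starttls-tmplt template in the CLI example above,
    # plus two constructed domain-switching entries.
    tmpl = SmtpTemplate(starttls="enforced",
                        disabled=frozenset({"VRFY", "EXPN", "TURN"}),
                        domain_groups={"corpa.com": "CorpA_servers",
                                       "corpb.com": "CorpB_servers"})
    replies, group = run_session(tmpl, CONSTRUCTED_SESSION)
    for cmd, reply in zip(CONSTRUCTED_SESSION, replies):
        print(f"C: {cmd}\nS: {reply}")
    print("service group:", group)
```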


Streaming-Media Load Balancing
This chapter describes streaming-media load balancing and how to configure it.

Overview
AX Series devices support content-aware load balancing of the following widely used streaming-media types:
• Real Time Streaming Protocol (RTSP)
• Microsoft Media Server (MMS)

Note: The AX Series also supports load balancing of Session Initiation Protocol (SIP) sessions. For information, see “SIP Load Balancing” on page 163.

Figure 91 shows an example of a streaming-media load balancing solution.

FIGURE 91 Streaming-Media Load Balancing

In this example, a server farm provides streaming content in both RTSP and MMS format. All the servers are allowed to serve HTTP and HTTPS requests. Two of the servers (stream-rs2 and stream-rs3) are configured to serve RTSP and MMS requests.

Service Groups
This example uses the following service groups:
• all80-grp – The servers in this service group provide HTTP and HTTPS service. In this example, all the servers are members of this service group.
• rtsp554-grp – The servers in this service group provide RTSP content.
• mms1755-grp – The servers in this service group provide MMS content.

Note: Using separate service groups makes it easier to adapt the configuration when the server farm grows. For example, if RTSP and MMS content is separated onto different servers, the membership of the RTSP group can easily be edited to include only the RTSP servers, and so on.

Templates
By default, the default TCP template is applied to RTSP and MMS traffic. (For information, see “TCP Template Parameters” on page 624.)

Health Monitors
This example uses the default Layer 3 health check (ping) and the default Layer 4 TCP health check.

Configuring Streaming-Media SLB
To configure streaming-media load balancing:
1. Configure the real servers. Make sure to add the RTSP or MMS ports.
2. Configure service groups. If both supported streaming-media types are used (RTSP and MMS), make sure to configure a separate service group for each type.
3. Configure the virtual server by adding virtual service ports for the streaming-media services.
Most of the configuration procedures are the same as the configuration procedures for other types of SLB.

USING THE GUI
To configure a streaming-media template:
1. Select Config > Service > Template.
2. Select Application > RTSP on the menu bar.
3. Click Add.
4. Enter a name for the template.
5. Configure other options, if applicable to your configuration.
6. Click OK.
When configuring the virtual server, select RTSP or MMS as the service port type.

USING THE CLI
1. To configure the real servers, use the following commands:
slb server server-name ipaddr
Enter this command at the global Config level of the CLI. The command creates the server and changes the CLI to the configuration level for it.
port port-num tcp
Available at the configuration level for the server, the port command adds a TCP port and changes the CLI to the configuration level for the port. Enter a separate port command for each port number to be load balanced.
2. To configure the service groups, use the following commands:
slb service-group group-name tcp
This command creates the service group and changes the CLI to the configuration level for it.
member server-name:portnum
The member command adds a server to the service group. The server-name is the name you used when you configured the real server. The portnum is the protocol port number configured on the real server.
3. To configure the virtual server, use the following commands:
slb virtual-server name ipaddr
This command creates the virtual server and changes the CLI to the configuration level for it.
port port-number http
port port-number https
port port-number rtsp
port port-number mms
The port commands add virtual ports for each service to be load balanced. For each port, the command changes the CLI to the configuration level for the port, where the following command is used:
service-group group-name
The service-group command binds the virtual port to a service group.


CLI CONFIGURATION EXAMPLE
The following commands configure the real servers:
AX(config)#slb server stream-rs1 192.168.66.21
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server stream-rs2 192.168.66.22
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 1755 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 554 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server stream-rs3 192.168.66.23
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 1755 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 554 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

The following commands configure the service groups:
AX(config)#slb service-group all80-grp tcp
AX(config-slb service group)#member stream-rs1:80
AX(config-slb service group)#member stream-rs1:443
AX(config-slb service group)#member stream-rs2:80
AX(config-slb service group)#member stream-rs2:443
AX(config-slb service group)#member stream-rs3:80
AX(config-slb service group)#member stream-rs3:443
AX(config-slb service group)#exit
AX(config)#slb service-group rtsp554-grp tcp
AX(config-slb service group)#member stream-rs2:554
AX(config-slb service group)#member stream-rs3:554
AX(config-slb service group)#exit
AX(config)#slb service-group mms1755-grp tcp
AX(config-slb service group)#member stream-rs2:1755
AX(config-slb service group)#member stream-rs3:1755
AX(config-slb service group)#exit

The following commands configure the virtual server:
AX(config)#slb virtual-server streaming-vip 192.168.69.4
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group all80-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 443 https
AX(config-slb virtual server-slb virtua...)#service-group all80-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 554 rtsp
AX(config-slb virtual server-slb virtua...)#service-group rtsp554-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 1755 mms
AX(config-slb virtual server-slb virtua...)#service-group mms1755-grp
AX(config-slb virtual server-slb virtua...)#exit


Layer 4 TCP/UDP Load Balancing
This chapter describes Layer 4 load balancing of TCP and UDP traffic and how to configure it.

Note: The Layer 4 load balancing described in this chapter requires you to specify the protocol port numbers to be load balanced. To load balance traffic based solely on transport protocol (TCP, UDP, or other), see “IP Protocol Load Balancing” on page 221.

Overview
In addition to load balancing for well-known and widely used types of services such as HTTP, HTTPS, and FTP, AX devices also support Layer 4 load balancing for custom applications. If a service you need to load balance is not one of the well-known service types recognized by the AX device, you still can configure Layer 4 TCP or UDP load balancing for the service. Figure 92 shows an example of a Layer 4 load balancing implementation.

FIGURE 92 Layer 4 SLB

Layer 4 load balancing balances traffic based on the transport protocol (TCP or UDP) and the protocol port number. The payload of the UDP or TCP packets is not examined. In this example, a custom application is running on a server farm consisting of three real servers. Clients navigate to the VIP to use the custom application.

Note: To configure deeper packet inspection for custom applications, you can use aFleX policies. For example, you can configure an aFleX policy to examine the byte value at a certain position within each client request packet and select a server based on the value of the byte. For information about aFleX policies, see the AX Series aFleX Reference.

SERVICE GROUPS
This example uses a single service group that contains all the real servers. The service group uses the default load balancing method (round robin).


VIRTUAL SERVER
The custom application on the real servers is accessed at TCP port 1020 by clients through virtual IP address 192.168.55.55.

TEMPLATES
The AX device has default TCP and UDP templates. You can use the default template or configure another TCP or UDP template and use that one instead. If your Layer 4 load balancing configuration is for a TCP application and you do not bind a TCP template to the virtual port, the default TCP template is used. For a UDP application, the default UDP template is used unless you bind another UDP template to the virtual port. One of the parameters you can configure in TCP and UDP templates is the idle time. Depending on the requirements of your application, you can reduce or increase the amount of time the AX device allows a session to remain idle. For UDP transaction-based applications, another parameter you can adjust is how quickly connections are terminated after a server reply is received. For example, if there are licensing costs associated with active sessions, you can minimize unnecessary costs by quickly terminating idle sessions, and immediately terminating connections that are no longer needed. For more information about the parameters controlled by TCP and UDP templates, see the following sections:
• “TCP Template Parameters” on page 624
• “UDP Template Parameters” on page 626

Optionally, you also can configure a source-IP persistence template and bind it to the virtual port. The example in this chapter uses a source-IP persistence template that is configured to send all traffic from a given client IP address to the same real server. Without this custom template, different requests from a given client can be sent to different servers, based simply on the load balancing method. See “Source-IP Persistence Template Parameters” on page 617.
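The following Python model shows the difference the two choices above make: a virtual port on TCP 1020 with the three members from this chapter's CLI example, selecting by round robin (the default method) either with or without a source-IP persistence table. It is an added illustration, not A10 code; the persistence idle timeout of 300 seconds and the way the entry timer is refreshed are assumptions.

```python
"""Model of the Layer 4 virtual port described in this chapter: one service
group of three real servers on TCP 1020, round-robin selection (the default
method), and an optional source-IP persistence template. Added example, not
A10 code; the persistence idle timeout value and the timer behaviour are assumptions."""
from dataclasses import dataclass, field


@dataclass
class L4VirtualPort:
    members: list                     # service-group members, e.g. "tcp-2:1020"
    persist: bool = False             # True when a source-IP persistence template is bound
    persist_timeout: int = 300        # seconds an idle persistence entry survives (assumption)
    _next: int = 0                    # round-robin cursor
    _table: dict = field(default_factory=dict)   # client IP -> (member, last-seen time)

    def select(self, client_ip, now):
        """Pick the real server for a new connection from client_ip at time `now`."""
        if self.persist:
            entry = self._table.get(client_ip)
            if entry is not None and now - entry[1] <= self.persist_timeout:
                self._table[client_ip] = (entry[0], now)   # known client: refresh and reuse
                return entry[0]
        member = self.members[self._next % len(self.members)]   # round robin
        self._next += 1
        if self.persist:
            self._table[client_ip] = (member, now)           # remember the choice
        return member


def distribute(port, connections):
    """connections: list of (time, client_ip); returns the member chosen for each."""
    return [port.select(ip, t) for t, ip in connections]


# Constructed connection log: two clients, one of them reconnecting repeatedly.
CONSTRUCTED_CONNECTIONS = [(0, "10.0.0.5"), (1, "10.0.0.5"), (2, "10.0.0.9"), (3, "10.0.0.5")]
MEMBERS = ["tcp-2:1020", "tcp-3:1020", "tcp-4:1020"]

if __name__ == "__main__":
    plain = L4VirtualPort(MEMBERS)
    sticky = L4VirtualPort(MEMBERS, persist=True)
    print("round robin only:   ", distribute(plain, CONSTRUCTED_CONNECTIONS))
    print("with persistence:   ", distribute(sticky, CONSTRUCTED_CONNECTIONS))
    # Once the entry has sat idle longer than the timeout, the client is load balanced afresh.
    print("after idle timeout: ", sticky.select("10.0.0.5", 1000))
```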


HEALTH MONITORS
This example uses the default Layer 3 and Layer 4 health monitors. The Layer 3 monitor (Ping) and the applicable Layer 4 monitor (TCP or UDP) are enabled by default when you configure the real server and real service ports.

Note: You can create an external health monitor using a script and import the monitor onto the AX device. For information, see “Health Monitoring” on page 297.

Configuring Layer 4 Load Balancing
To configure Layer 4 load balancing:
1. Configure the real servers. Add the custom application’s TCP or UDP port number, with the applicable service type (TCP or UDP).
2. Configure a service group. Add the real servers, service port, and any custom templates to the group.
3. If applicable, configure a custom TCP or UDP template.
4. If applicable, configure a source-IP persistence template.
5. Configure the virtual server. Bind the virtual service port on the virtual server to the service group and custom templates, if configured.

USING THE GUI
1. To configure the real servers:
a. Select Config > Service > SLB.
b. Select Server on the menu bar.
c. Click Add.
d. On the General tab, configure general settings for the server.
e. On the Port tab, enter the protocol port number of the application in the port field.
f. In the Type drop-down list, select the transport protocol for the application, TCP or UDP.
g. Configure other port settings if needed, then click Add. The application port appears in the Port list.
h. Click OK. The real server appears in the real server table.

2. To configure the service group:
a. Select Config > Service > SLB, if not already selected.
b. Select Service Group on the menu bar.
c. Click Add.
d. On the Service Group tab, enter a name for the service group.
e. In the Type drop-down list, select the transport protocol for the application, TCP or UDP.
f. On the Server tab, select a server from the Server drop-down list.
g. Enter the protocol port number in the Port field.
h. Click Add.
i. Repeat step f through step h for each server and port.
j. Click OK. The service group appears in the Service Group table.
3. To configure a custom TCP or UDP template:
a. Select Config > Service > Template.
b. Select L4 > TCP or L4 > UDP on the menu bar.
c. Click Add.
d. Enter a name for the template.
e. Edit template settings as needed for your application. (See “TCP Template Parameters” on page 624 or “UDP Template Parameters” on page 626.)
f. Click OK.
4. To configure a source-IP persistence template:
a. Select Config > Service > Template.
b. Select Persistent > Source IP Persistent on the menu bar.
c. Click Add.
d. Enter a name for the template.
e. Edit template settings as needed for your application. (See “Source-IP Persistence Template Parameters” on page 617.)
f. Click OK.
5. To configure the virtual server:
a. Select Config > Service > SLB, if not already selected.
b. Select Virtual Server on the menu bar.
c. Click Add.
d. Enter a name for the virtual server.
e. In the IP Address field, enter the virtual IP address to which clients will send requests.
f. Select or enter other general settings as needed.
g. On the Port tab, click Add. The Virtual Server Port tab appears.
h. In the Type drop-down list, select the transport protocol for the application, TCP or UDP.
i. Enter the application port number in the Port field.
j. If you configured any custom templates, select them from the drop-down lists for each template type.
k. Enter or select other values as needed.
l. Click OK. The port appears in the port section.
m. Click OK again. The virtual server appears in the virtual server list.

USING THE CLI
1. To configure the real servers, use the following commands:
slb server server-name ipaddr
This command changes the CLI to the configuration level for the real server, where you can use the following command to add the TCP or UDP port to the server:
port port-num {tcp | udp}
The port-num specifies the protocol port number. In this example, specify “1020”. This command adds the port and changes the CLI to the configuration level for the port, where additional commands are available. (For information, see the AX Series CLI Reference.)
2. To configure the service group, use the following commands:
slb service-group group-name {tcp | udp}
This command changes the CLI to the configuration level for the service group, where you can use the following command to add the real servers and service ports to the group:
member server-name:portnum
The portnum is the protocol port number of the service to be load balanced. In this example, specify “tcp-2:1020”. Repeat the command for “tcp-3:1020” and “tcp-4:1020”.
3. To configure a custom TCP or UDP template, use the following commands at the global configuration level of the CLI:
slb template tcp template-name
slb template udp template-name
These commands create the template and change the CLI to the configuration level for the template, where additional commands are available. (See “TCP Template Parameters” on page 624 or “UDP Template Parameters” on page 626. Also see the “Config Commands: SLB Templates” chapter in the AX Series CLI Reference.)
4. To configure a source-IP persistence template, use the following command at the global configuration level of the CLI:
slb template persist source-ip template-name
5. To configure the virtual server, use the following commands:
slb virtual-server name ipaddr
This command changes the CLI to the configuration level for the virtual server, where you can use the following command to add the virtual port to the server:
port port-num {tcp | udp}
For this example, specify tcp and “1020” as the port-num. The port command changes the CLI to the configuration level for the virtual port, where you can use the following command to bind the virtual port to the service group:
service-group group-name
The group-name is the name of the service group configured in step 2. If you configured a custom template, use the following command to bind the template to the service group:
template template-type template-name

P e r f o r m a n c e

D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009

b y

219 of 702

AX Series - Configuration Guide
Configuring Layer 4 Load Balancing

CLI EXAMPLE
The following commands configure the real servers:
AX(config)#slb server tcp-2 10.10.10.2
AX(config-real server)#port 1020 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server tcp-3 10.10.10.3
AX(config-real server)#port 1020 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server tcp-4 10.10.10.4
AX(config-real server)#port 1020 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

The following commands configure the service group:
AX(config)#slb service-group tcp-sg tcp
AX(config-slb service group)#member tcp-2:1020
AX(config-slb service group)#member tcp-3:1020
AX(config-slb service group)#member tcp-4:1020
AX(config-slb service group)#exit

The following commands configure a source-IP persistence template:
AX(config)#slb template persist source-ip app1020persist
AX(config-source ip persistence template)#match-type server
AX(config-source ip persistence template)#exit

The following commands configure the virtual server:
AX(config)#slb virtual-server web-vip 192.168.55.55
AX(config-slb virtual server)#port 1020 tcp
AX(config-slb virtual server-slb virtua...)#service-group tcp-sg
AX(config-slb virtual server-slb virtua...)#template persist source-ip app1020persist

IP Protocol Load Balancing
This chapter describes load balancing of traffic based solely on transport protocol (TCP, UDP, or other), without the need to specify the protocol port numbers to be load balanced.

Overview
IP protocol load balancing enables you to easily load balance traffic based solely on whether the traffic is TCP, UDP, or other (not UDP or TCP), without the need to specify the protocol port numbers to be load balanced. You can combine IP protocol load balancing with other load balancing configurations. For example, you can use IP protocol load balancing along with HTTP load balancing. In this case, HTTP traffic to the VIP HTTP port number is load balanced separately from traffic to other port numbers. Figure 93 shows an example of an IP protocol load balancing deployment.

FIGURE 93 IP Protocol Load Balancing

This example uses separate service groups for each of the following types of traffic:
• HTTP traffic addressed to TCP port 80 is sent to service group http-grp.
• All TCP traffic addressed to any TCP port except port 80 is sent to service group tcp-grp.
• All UDP traffic, addressed to any UDP port, is sent to service group udp-grp.
• All other traffic (all non-TCP/UDP traffic) is sent to service group others-grp.
Although this example shows separate service groups for each type of traffic, you can use the same service group for multiple traffic types.
In IP protocol load-balancing configurations, port 0 (zero) is used as a wildcard port and matches on any port number. In configurations where some protocol port numbers are explicitly specified, SLB for those ports takes precedence over SLB for the wildcard port (0). In the example above, the service group configured for TCP port 80 is always used for client requests addressed to that port, instead of a service group configured for the wildcard port.
Health checking does not apply to the wildcard port. When you configure IP protocol load balancing, make sure to disable health checking of port 0. If you leave health checking enabled, the port will be marked down and the client’s request therefore will not be serviced.

SLB NAT
For client request traffic to which IP protocol load balancing applies, the AX device translates only the destination IP address, not the protocol port number. The AX device translates the destination IP address in the request from the VIP address to a real server’s IP address. The AX device then sends the request to the same protocol port number as the one requested by the client. (Likewise, the AX device does not translate the port number to “0”.)
In configurations where some protocol port numbers are explicitly specified, auto port translation is still supported for the explicitly specified port numbers. In the example above, SLB NAT can translate TCP port 80 into another TCP port number if required by the configuration.

Template Support
For TCP or UDP, a TCP or UDP template is applied, as in other types of SLB. Optionally, you also can use a source-IP persistence template. For non-TCP/UDP traffic, the TCP template is used.

Direct Server Return
For either of the following types of applications, IP protocol load balancing is supported only when Direct Server Return (DSR) is enabled on the virtual port.
• Application Layer Gateway (ALG) applications, such as FTP. For an ALG application, either enable DSR or configure SLB explicitly for the ALG service port.
• Any application that requires inspection of any part of the client request packet other than the destination IP address
Note: In the CLI, DSR is enabled by the no-dest-nat command.

Comparison of IP Protocol Load Balancing to Layer 4 TCP/UDP Load Balancing
IP protocol load balancing is similar to Layer 4 load balancing, except IP protocol load balancing enables you to load balance non-TCP/UDP traffic. Layer 4 load balancing applies only to TCP or UDP traffic. In addition, IP protocol load balancing uses a wildcard port number that matches on any TCP port, UDP port, or any non-TCP/UDP port, depending on the configuration. Layer 4 load balancing requires you to explicitly specify the protocol port numbers to load balance.

Configuring IP Protocol Load Balancing
To configure IP protocol load balancing:
1. Configure the real servers. For each real server that will service requests to IP protocol load-balanced traffic, add service port 0 (the wildcard port).
Disable health checking of port 0. Health checking does not apply to the wildcard port.
2. Configure the service group(s). To add members (real servers) for traffic to which IP protocol load balancing will apply, specify 0 as the protocol port for the member.
3. Configure the virtual server. Bind virtual port 0 to the service group(s) that have members for port 0. Specify one of the following as the service type:
• TCP
• UDP
• Others

Note: For load balancing of non-TCP/UDP traffic, you can specify TCP or UDP as the transport protocol, in the configurations of the real server ports and service groups. If the port number is 0 and the service type on the virtual port is “others”, the AX device will load balance the traffic as non-TCP/UDP traffic.

USING THE GUI
Configuration of IP protocol SLB is similar to configuration of TCP/UDP SLB, with the following differences.
1. On the real server Port tab (Config > Service > SLB > Server), enter 0 in the Port field.
2. On the Service Group tab, enter 0 as the port number.
3. On the Virtual Server Port tab (Config > Service > SLB > Virtual Server), select TCP, UDP, or Others in the Type drop-down list.

USING THE CLI
The following commands configure the real servers shown in Figure 93 on page 222. For simplicity, the example assumes that only the default TCP health check is used for port 80. Health checking does not apply to the wildcard port number and is therefore disabled. Health checking of other, explicitly specified port numbers is still supported as in previous releases.
AX(config)#slb server rs1 10.10.10.21
AX(config-real server)#port 80 tcp
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.10.22
AX(config-real server)#port 80 tcp
AX(config-real server)#exit
AX(config)#slb server rs3 10.10.20.21
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs4 10.10.20.22
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs5 10.10.30.21
AX(config-real server)#port 0 udp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs6 10.10.30.22
AX(config-real server)#port 0 udp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs7 10.10.40.21
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs8 10.10.40.22
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit

The following commands configure the service groups.
AX(config)#slb service-group http-grp tcp
AX(config-slb service group)#member rs1:80
AX(config-slb service group)#member rs2:80
AX(config-slb service group)#exit
AX(config)#slb service-group tcp-grp tcp
AX(config-slb service group)#member rs3:0
AX(config-slb service group)#member rs4:0
AX(config-slb service group)#exit
AX(config)#slb service-group udp-grp udp
AX(config-slb service group)#member rs5:0
AX(config-slb service group)#member rs6:0
AX(config-slb service group)#exit
AX(config)#slb service-group others-grp tcp
AX(config-slb service group)#member rs7:0
AX(config-slb service group)#member rs8:0
AX(config-slb service group)#exit

226 of 702

P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009

The following commands configure the virtual server. (The third octet of the VIP address is not legible in the source and is shown as x.)
AX(config)#slb virtual-server vip1 192.168.x.1
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#service-group http-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 0 tcp
AX(config-slb virtual server-slb virtua...)#service-group tcp-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 0 udp
AX(config-slb virtual server-slb virtua...)#service-group udp-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 0 others
AX(config-slb virtual server-slb virtua...)#service-group others-grp
To display configuration information and statistics, you can use the same show commands used for other types of SLB:
show slb virtual
show slb server
show slb service-group
show session
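The lookup this chapter describes (an explicitly configured port wins over the wildcard port 0, each service type has its own wildcard port, non-TCP/UDP traffic matches only an “others” port) and the health-check pitfall for port 0, as an added Python model. This is not A10 code and not part of the guide: the service-group and server names are those of the CLI example above, the protocol numbers are the IANA values, and rs4’s still-enabled health check is a constructed misconfiguration used to show what the check catches.

```python
"""Added example (not A10 code): a model of the IP protocol load-balancing
lookup described in this chapter, plus a check for wildcard real-server
ports whose health check was left enabled."""
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers; anything else is treated as "others" (non-TCP/UDP).
TCP, UDP = 6, 17
WILDCARD = 0  # port 0 is the wildcard port in the AX configuration


@dataclass(frozen=True)
class VirtualPort:
    service_type: str   # "tcp", "udp" or "others"
    port: int           # 0 = wildcard
    service_group: str


@dataclass(frozen=True)
class RealServerPort:
    server: str
    port: int
    proto: str
    health_check: bool = True  # health checking is enabled unless "no health-check" is configured


def service_type_for(ip_proto: int) -> str:
    """Map an IP protocol number onto the AX virtual-port service type."""
    return {TCP: "tcp", UDP: "udp"}.get(ip_proto, "others")


def select_service_group(vports: List[VirtualPort], ip_proto: int,
                         dst_port: Optional[int]) -> Optional[str]:
    """Return the service group that receives a packet sent to the VIP.

    Rules modelled from the chapter: SLB for an explicitly configured port
    takes precedence over the wildcard port; the wildcard port matches any
    port number; non-TCP/UDP traffic matches only an "others" port 0."""
    stype = service_type_for(ip_proto)
    same_type = [v for v in vports if v.service_type == stype]
    if stype != "others":
        for v in same_type:
            if v.port != WILDCARD and v.port == dst_port:
                return v.service_group
    for v in same_type:
        if v.port == WILDCARD:
            return v.service_group
    return None  # the virtual server has no binding for this traffic


def wildcard_ports_with_health_check(rs_ports: List[RealServerPort]) -> List[str]:
    """List real-server wildcard ports whose health check was left enabled.

    Health checking does not apply to port 0; if it is left enabled the port
    is marked down and requests to it are not serviced."""
    return [f"{p.server}:{p.port}/{p.proto}" for p in rs_ports
            if p.port == WILDCARD and p.health_check]


# The virtual server of the CLI example above (vip1).
VIP1_PORTS = [
    VirtualPort("tcp", 80, "http-grp"),
    VirtualPort("tcp", WILDCARD, "tcp-grp"),
    VirtualPort("udp", WILDCARD, "udp-grp"),
    VirtualPort("others", WILDCARD, "others-grp"),
]

# Real-server ports of the CLI example, with one constructed mistake:
# rs4's wildcard port is missing "no health-check".
RS_PORTS = [
    RealServerPort("rs1", 80, "tcp"),
    RealServerPort("rs2", 80, "tcp"),
    RealServerPort("rs3", WILDCARD, "tcp", health_check=False),
    RealServerPort("rs4", WILDCARD, "tcp"),                      # constructed misconfiguration
    RealServerPort("rs5", WILDCARD, "udp", health_check=False),
    RealServerPort("rs6", WILDCARD, "udp", health_check=False),
    RealServerPort("rs7", WILDCARD, "tcp", health_check=False),
    RealServerPort("rs8", WILDCARD, "tcp", health_check=False),
]

if __name__ == "__main__":
    ICMP, GRE = 1, 47
    for proto, port in [(TCP, 80), (TCP, 443), (UDP, 53), (ICMP, None), (GRE, None)]:
        print(f"proto {proto} port {port} -> {select_service_group(VIP1_PORTS, proto, port)}")
    print("wildcard ports still health-checked:", wildcard_ports_with_health_check(RS_PORTS))
```

The model makes the precedence rule concrete: TCP/80 lands on http-grp while TCP/443 falls through to tcp-grp, and ICMP or GRE reaches others-grp only because an “others” port 0 exists. The check function is the kind of thing to run over a staged configuration before cutover, since a wildcard port left health-checked fails quietly as “down”.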


Wildcard VIPs
You can create SLB configurations that use wildcard VIPs and wildcard virtual ports. Wildcard VIPs have IP address 0.0.0.0. Likewise, wildcard protocol ports have port number 0. A wildcard VIP matches on any destination IP address. Likewise, a wildcard virtual port matches on any port number.
Wildcard VIPs enable you to configure a feature that applies to multiple VIPs, without the need to re-configure the feature separately for each VIP. You can use wildcard VIPs for all types of load balancing:
• SLB
• IP load balancing
• Transparent Cache Switching (TCS)
• Link Load Balancing (LLB)
• Firewall Load Balancing (FWLB)
Note: Use of wildcard VIPs and interface-based SYN cookies is not supported. In the current release, wildcard ports must have service type TCP or HTTP. Other service types are not supported on wildcard ports in the current release.
You can configure multiple wildcard VIPs and wildcard ports. The AX device allows multiple VIPs to have IP address 0.0.0.0. Likewise, multiple ports that have port number 0 are allowed.

Configuring a Wildcard VIP
The procedure for configuring a wildcard VIP is the same as the procedure for configuring a standard VIP, except you have the option to bind an ACL to the wildcard VIP. To specify the subset of VIP addresses and ports for which the feature applies, you can use an ACL. If applicable, the ACL also can specify the subset of clients allowed to access the VIPs.

Promiscuous VIP support must be enabled on the interface connected to clients who will access wildcard VIPs. By default, promiscuous VIP support is disabled.

Default Wildcard VIP
The AX device can have multiple wildcard VIPs, bound to different ACLs. However, the AX device can have only one wildcard VIP that is not bound to any ACL. This is the default wildcard VIP. The default wildcard VIP is used for traffic that does not match any of the ACLs bound to other wildcard VIPs. If you do not configure a default wildcard VIP, traffic that does not match any of the ACLs bound to the other wildcard VIPs is forwarded at Layer 2/3.
Note: The ACL acts as a “catch-all”, and treats any IP address permitted by the ACL, and received on the promiscuous VIP interface, as a wildcard VIP. A10 Networks recommends that you use the most restrictive ACL possible, to permit only the IP addresses that should be treated as VIPs and deny all other IP addresses.

Pass-Through Layer 2/3 Forwarding Support for Layer 4 Wildcard VIP Traffic
AX Release 2.0.2 and later supports forwarding of wildcard VIP traffic that is not bound to a service group. The AX device creates a session for the traffic and forwards it at Layer 2/3. This feature is useful in mixed wildcard virtual server environments where Layer 4-7 features apply to certain VIPs and Layer 2/3 forwarding applies to other traffic. In AX releases prior to 2.0.2, Layer 4 traffic for a wildcard VIP that is not bound to a service group is dropped.

USING THE GUI
To configure a wildcard VIP:
1. Select Config > Service > SLB.
2. Select Virtual Server on the menu bar.
3. Click Add. The General tab appears.
4. On the General tab, enter a name for the virtual server in the Name field.

5. Select the Wildcard checkbox next to the Name field. Selecting this checkbox causes the Access List drop-down list to appear in place of the IP Address field.
6. Select the ACL from the Access List drop-down list.
7. Configure other VIP settings, then click OK.
FIGURE 94 Config > Service > SLB > Virtual Server - wildcard VIP configuration
To enable promiscuous VIP support:
1. Select Network > Interface.
2. Click on the interface name to display the configuration tabs for the interface.
3. Click on the VIP tab to display the configuration fields.
4. Select Enabled next to Allow Promiscuous VIP.
5. Click OK.

FIGURE 95 Config > Service > SLB > Virtual Server - promiscuous VIP support

USING THE CLI
To configure a wildcard VIP, use the following command at the global configuration level of the CLI:
[no] slb virtual-server 0.0.0.0 ipaddr [acl acl-id]
The ipaddr is used as the name of the virtual server and can be an IPv4 address or an IPv6 address. If you specify an ACL, the ACL is used to control the clients allowed to access the VIPs and the VIP addresses managed by the wildcard VIP. The source address in the ACL filters the clients. The destination address in the ACL filters the VIPs.
To enable promiscuous VIP support, use the following command at the configuration level for each interface connected to clients:
[no] ip allow-promiscuous-vip
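How an ACL bound to a wildcard VIP scopes the traffic that VIP handles, how the single ACL-less default wildcard VIP picks up the rest, and what the “catch-all” note above means in practice, as an added Python model. It is not A10 code and not part of the guide: the ACL is modelled as first-match with an implicit deny, the AX ACL syntax is not reproduced, and all addresses, VIP names and the permit-any misconfiguration are constructed.

```python
"""Added example (not A10 code): a model of wildcard-VIP selection by ACL,
the default (ACL-less) wildcard VIP, and a check for the over-broad
"catch-all" ACL the guide warns about."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    action: str  # "permit" or "deny"
    src: str     # client prefix; "0.0.0.0/0" means any
    dst: str     # VIP prefix; "0.0.0.0/0" means any


@dataclass(frozen=True)
class WildcardVip:
    name: str
    acl: Optional[List[AclRule]]  # None = the one default wildcard VIP


def acl_permits(rules: List[AclRule], src_ip: str, dst_ip: str) -> bool:
    """Source filters the clients, destination filters the VIPs.
    The first matching rule decides; no match is an implicit deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if src in ip_network(rule.src) and dst in ip_network(rule.dst):
            return rule.action == "permit"
    return False


def select_wildcard_vip(vips: List[WildcardVip], src_ip: str, dst_ip: str) -> str:
    """An ACL-bound wildcard VIP claims traffic its ACL permits.  Anything
    left over goes to the default wildcard VIP; with no default configured
    it is forwarded at Layer 2/3 instead."""
    for vip in vips:
        if vip.acl is not None and acl_permits(vip.acl, src_ip, dst_ip):
            return vip.name
    for vip in vips:
        if vip.acl is None:
            return vip.name
    return "forward-l2l3"


def check_wildcard_vips(vips: List[WildcardVip]) -> List[str]:
    """Flag two mistakes described in the text: more than one wildcard VIP
    without an ACL, and a permit rule whose destination is any address, which
    turns every address seen on the promiscuous-VIP interface into a VIP."""
    findings = []
    unbound = [vip.name for vip in vips if vip.acl is None]
    if len(unbound) > 1:
        findings.append(f"more than one wildcard VIP without an ACL: {unbound}")
    for vip in vips:
        for rule in vip.acl or []:
            if rule.action == "permit" and ip_network(rule.dst).prefixlen == 0:
                findings.append(f"{vip.name}: permit rule matches any destination; "
                                "every address reaching the interface becomes a VIP")
    return findings


# Constructed deployment: clients in 10.10.0.0/16 reaching servers in
# 203.0.113.0/24 are handled by tcs-vip; everything else by the default VIP.
TCS_ACL = [AclRule("permit", "10.10.0.0/16", "203.0.113.0/24")]
VIPS = [WildcardVip("tcs-vip", TCS_ACL), WildcardVip("default-vip", None)]

# Constructed misconfiguration: a permit-any ACL and a second ACL-less VIP.
BAD_VIPS = VIPS + [WildcardVip("any-vip", [AclRule("permit", "0.0.0.0/0", "0.0.0.0/0")]),
                   WildcardVip("second-default", None)]
```

The two loops in select_wildcard_vip are the order that matters operationally: ACL-bound VIPs are consulted first, so the default VIP never shadows them, and a client outside the ACL’s source range falls through to the default VIP even when its destination is in the VIP range. The checker is meant for reviewing a staged configuration; the most restrictive ACL the guide recommends is one for which check_wildcard_vips returns nothing.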

Configuration Examples
See the following:
• “Outbound Link Load Balancing” on page 235
• “Transparent Cache Switching” on page 241


Outbound Link Load Balancing
The AX Series supports outbound Link Load Balancing (LLB). Outbound LLB enables you to balance client-server traffic across a set of WAN links. In outbound LLB, the clients are located on the internal side of the network. The servers are located on the external side of the network. Figure 96 shows an example of outbound LLB.
FIGURE 96 Link Load Balancing

In this example, the AX device is configured to balance client traffic across a set of two WAN links, through next-hop routers 192.168.10.1 and 192.168.20.1. When the AX device receives a request from a client, the AX device uses SLB load balancing to select one of the WAN links. The AX device then uses source IP NAT to translate the client’s private IP address into a public IP address, then sends the client’s request to the next-hop router for the selected WAN link. When the AX device receives the server’s reply to the client’s request, the AX device translates the destination IP address from the NAT address back into the client’s private IP address, then forwards the reply to the client.

Load Balancing Methods
You can use either of the following load balancing methods to load balance traffic across the WAN links:
• Round-robin – Selects the links in simple rotation. This results in each link being selected an equal number of times.
• Least-connections – Selects the link that has the least current client connections on it. The connection count is based on client connections initiated on the link by the AX device.
The default is round-robin.

Network Address Translation Requirements
In an outbound LLB topology, the next-hop routers for the WAN links must be able to send the server reply traffic back to the AX device. To ensure that the server reply traffic passes back through the AX device, use an IP source NAT pool for each WAN link. The pools do not need to contain more than a few addresses. The AX device internally uses a separate protocol port number for each client session on a pool address.
In a standard SLB configuration, destination NAT is used to translate the server address (destination IP address) requested by clients from the VIP address into the server’s real address. However, this NAT operation is not applicable to outbound LLB. SLB destination NAT, which is enabled by default, must be disabled.

Configuring Link Load Balancing
To configure LLB:
1. Configure the AX interfaces connected to the clients. Enable promiscuous VIP support on the interfaces.
2. Configure the AX interfaces connected to the next-hop routers for the links to be load balanced. (Do not enable promiscuous VIP on these interfaces.)
3. Configure an IP source NAT pool for each link to be load balanced. The address range in a pool must be in the same subnet as the next-hop router’s interface with the AX device. Configure a pool group and add the pools to it.
4. Configure a real server for each link to be load balanced. Add wildcard ports (TCP 0, UDP 0, or both) to the server.
Note: You can use Layer 3 health checking (ICMP ping) to check the health of the router’s IP interface. However, the configuration requires health checking to be disabled on the wildcard ports added for a router. The router will not respond to these health checks. If you leave health checking enabled on the wildcard ports, the AX device will mark the ports down and LLB will not work.
5. Configure a service group for the links (real servers). If the real server configurations for the links have both TCP and UDP ports, configure a service group for TCP and another service group for UDP.
6. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address). Using the wildcard VIP address enables the configuration to work for any destination IP address requested by clients. Bind the ports to service group(s). Add the wildcard TCP port (TCP 0) and bind it to the TCP service group. Likewise, add the wildcard UDP port and bind it to the UDP service group. On each port, bind the port to the IP Source NAT pool group and disable destination NAT.

CLI Example
The commands in this example implement the LLB configuration shown in Figure 96 on page 235.
Note: For simplicity, this example uses a single Ethernet port for each interface to the clients and the next-hop routers. You also can use trunk interfaces, virtual Ethernet (VE) interfaces, or both.
The following commands configure the IP source NAT pools and pool group:
AX(config)#ip nat pool nat10 192.168.10.3 192.168.10.4 netmask /24
AX(config)#ip nat pool nat20 192.168.20.3 192.168.20.4 netmask /24
AX(config)#ip nat pool-group outbound-nat-group nat10 nat20
The following commands enable promiscuous VIP support on the AX interfaces connected to clients.
AX(config)#interface ethernet 3
AX(config-if: ethernet3)#ip address 10.10.10.1 255.255.255.0
AX(config-if: ethernet3)#ip allow-promiscuous-vip
AX(config-if: ethernet3)#exit
AX(config)#interface ethernet 4
AX(config-if: ethernet4)#ip address 10.10.20.1 255.255.255.0
AX(config-if: ethernet4)#ip allow-promiscuous-vip
AX(config-if: ethernet4)#exit
The following commands configure the AX interfaces to the next-hop routers for the load-balanced links:
AX(config)#interface ethernet 1
AX(config-if: ethernet1)#ip address 192.168.10.2 255.255.255.0
AX(config-if: ethernet1)#exit
AX(config)#interface ethernet 2
AX(config-if: ethernet2)#ip address 192.168.20.2 255.255.255.0
AX(config-if: ethernet2)#exit

The following commands configure a real server for each link to be load balanced:
AX(config)#slb server link-101 192.168.10.1
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server link-201 192.168.20.1
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
The following commands configure service groups for the links:
AX(config)#slb service-group outbound-tcp-links tcp
AX(config-slb svc group)#member link-101:0
AX(config-slb svc group)#member link-201:0
AX(config-slb svc group)#exit
AX(config)#slb service-group outbound-udp-links udp
AX(config-slb svc group)#member link-101:0
AX(config-slb svc group)#member link-201:0
AX(config-slb svc group)#exit
The following commands configure the virtual server:
AX(config)#slb virtual-server wildcard-vip 0.0.0.0
AX(config-slb vserver)#port 0 tcp
AX(config-slb vserver-vport)#service-group outbound-tcp-links
AX(config-slb vserver-vport)#source-nat pool outbound-nat-group
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#port 0 udp
AX(config-slb vserver-vport)#service-group outbound-udp-links
AX(config-slb vserver-vport)#source-nat pool outbound-nat-group
AX(config-slb vserver-vport)#no-dest-nat
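The outbound LLB behaviour this chapter describes, as an added Python model that is not A10 code and not part of the guide: link selection by round-robin or least-connections, source NAT from the pool that belongs to the selected link with a separate port per session on a pool address, the reverse translation for the server’s reply, and the subnet requirement on each pool. The router and pool addresses are those of the CLI example above; the way a pool address is chosen for a client and the sequential port allocator are constructed stand-ins for the device’s internal logic, and the client addresses are constructed.

```python
"""Added example (not A10 code): a model of outbound link load balancing as
described in this chapter, with a check that each NAT pool lies in the
subnet of its next-hop router."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class NatPool:
    name: str
    first: str
    last: str
    prefixlen: int                                    # "netmask /24" in the CLI
    next_port: Dict[str, int] = field(default_factory=dict)

    def addresses(self) -> List[str]:
        lo, hi = int(ip_address(self.first)), int(ip_address(self.last))
        return [str(ip_address(i)) for i in range(lo, hi + 1)]

    def allocate(self, client_ip: str) -> Tuple[str, int]:
        """Pick a pool address for the client and the next unused port on it
        (constructed policy; the device's own choice is not documented here)."""
        addrs = self.addresses()
        nat_ip = addrs[int(ip_address(client_ip)) % len(addrs)]
        port = self.next_port.get(nat_ip, 1024)
        self.next_port[nat_ip] = port + 1
        return nat_ip, port


@dataclass
class Link:
    name: str
    router: str      # next-hop router address (the "real server" for the link)
    pool: NatPool
    active: int = 0  # client connections the AX device opened on this link


def pool_in_router_subnet(link: Link) -> bool:
    """The pool range must be in the same subnet as the router's interface
    with the AX device, or the router cannot return replies to the pool."""
    subnet = ip_network(f"{link.router}/{link.pool.prefixlen}", strict=False)
    return all(ip_address(a) in subnet for a in link.pool.addresses())


class OutboundLlb:
    def __init__(self, links: List[Link], method: str = "round-robin") -> None:
        self.links, self.method, self._rr = links, method, 0
        # (nat_ip, nat_port) -> (client_ip, client_port, link name)
        self.sessions: Dict[Tuple[str, int], Tuple[str, int, str]] = {}

    def select_link(self) -> Link:
        if self.method == "least-connections":
            return min(self.links, key=lambda lk: lk.active)
        link = self.links[self._rr % len(self.links)]   # round-robin (the default)
        self._rr += 1
        return link

    def new_session(self, client_ip: str, client_port: int) -> Tuple[str, str, int]:
        """Outbound request: choose a link, source-NAT, remember the session."""
        link = self.select_link()
        link.active += 1
        nat_ip, nat_port = link.pool.allocate(client_ip)
        self.sessions[(nat_ip, nat_port)] = (client_ip, client_port, link.name)
        return link.name, nat_ip, nat_port

    def reply_to_client(self, nat_ip: str, nat_port: int) -> Tuple[str, int]:
        """Server reply: translate the NAT address back to the private client."""
        client_ip, client_port, _ = self.sessions[(nat_ip, nat_port)]
        return client_ip, client_port


def build_links() -> List[Link]:
    """The two links of the CLI example: routers at .1, pools .3-.4 in each /24."""
    return [Link("link-101", "192.168.10.1", NatPool("nat10", "192.168.10.3", "192.168.10.4", 24)),
            Link("link-201", "192.168.20.1", NatPool("nat20", "192.168.20.3", "192.168.20.4", 24))]


if __name__ == "__main__":
    llb = OutboundLlb(build_links())
    for client in ("10.10.10.50", "10.10.20.60", "10.10.10.51"):   # constructed clients
        print(client, "->", llb.new_session(client, 40000))
    for link in build_links():
        print(link.name, "pool in router subnet:", pool_in_router_subnet(link))
```

Because the session table is keyed by the translated address and port, the reply path does not need to know which link the request left on; that is what lets a pool of two addresses carry many client sessions. pool_in_router_subnet encodes the requirement from step 3 of the procedure: a pool outside the router’s subnet passes the CLI but the replies never come back.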


AX Series - Configuration Guide

Transparent Cache Switching
The AX Series supports Transparent Cache Switching (TCS). TCS enables you to improve server response times by redirecting client requests for content to cache servers containing the content. Figure 97 shows an example.
FIGURE 97 Transparent Cache Switching

In this example, a client sends a request for content that is hosted by the content server. The AX device redirects the client’s request to the cache server. If the cache server has the requested content, the cache server sends the content to the AX device, which sends the content to the client. If the content is cacheable, but the cache server does not have the requested content or the content is stale, the cache server requests the content from the content server, caches the content, then sends the content to the AX device, which sends the content to the client.

Granularity of TCS
You can configure Layer 4 TCS or Layer 7 TCS.
• Layer 4 TCS – Sends all TCP or UDP traffic addressed to the content server to the cache server instead
• Layer 7 TCS – You can configure Layer 7 TCS with either of the following levels of granularity:
  • Sends all HTTP requests to the cache server and sends all other requests to the content server
  • Sends HTTP requests for specific URLs to the cache server, and sends other requests to the content server

Optimizing When Using Multiple Cache Servers
If your network uses multiple cache servers, you can configure destination-IP persistence, to always select the same cache server for content from a given destination IP address. This technique reduces cache misses, by ensuring that requests for a given site IP address always go to the same cache server.
For even greater control, you can configure the AX device to select from among multiple cache service groups based on the requested URL. When combined with destination-IP persistence, this method allows you to control initial selection of the cache service group, after which the AX device always sends requests for the same content to the same cache server within the cache service group.

Application Templates
TCS does not require configuration of any application templates. However, you can use the following types of application templates for advanced features, such as URL-based Layer 7 TCS:
• HTTP template – If you want to selectively redirect client requests based on URL strings, you can use an HTTP template containing URL switching rules. When a client request matches the URL string in a URL switching rule, the AX device selects the service group specified in the URL switching rule, instead of the service group bound to the virtual port. For example, you can configure a URL switching rule that matches on any URL that contains “.mycorp/”. In this case, requests for any URL that contains “.mycorp/” are sent to the service group that contains the cache server. Requests for other URLs are sent to the gateway router instead.
In a Layer 7 TCS configuration that uses URL switching, a separate real server is required for the gateway router, and the real server is required to be placed in its own service group. The gateway router’s service group is used as the default service group for the virtual port. Client requests to a URL that does not match a URL switching rule are sent to the gateway router’s service group instead of the cache server’s service group.
• Destination-IP persistence template – In deployments that use multiple cache servers, you can use a destination-IP persistence template to ensure that the same cache server is used for every request for content on a given content server. The AX device uses standard SLB to select a cache server for the first request to a real server IP address, and assigns a hash value to the server. All subsequent requests for the same real server are sent to the same cache server. By always using the same cache server for content from a given server, a destination-IP persistence template can reduce duplication of content on multiple cache servers, and can also reduce cache misses.
• RAM caching template – To also cache some content on the AX device itself, you can use a RAM caching template. In this case, the AX device directly serves content that is cached on the AX device, and only sends requests to the cache server for content that is not cached on the AX device.
• Connection reuse template – You can use a connection reuse template to reuse TCP connections. When a client’s session ends, the TCP connection is not terminated. Instead, the connection is reused for a new client session.

Support for Spoofing Caches
Some cache servers can use the client’s IP address instead of the cache server’s IP address as the source address when obtaining content requested by the client. A cache server operating in this mode is a spoofing cache server. Configuration for a spoofing cache server includes a couple of additional steps. (See “Enabling Support for Cache Spoofing” on page 254.)

Configuring Layer 4 TCS
To configure Layer 4 TCS:
1. Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the AX interface(s) connected to the clients.
2. Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address.
3. Configure a real server for the cache server. Add the TCP or UDP port; for example, TCP port 80. If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support.
4. Configure a service group for the cache server and add the cache server to it.
5. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL. Add virtual port 80 and bind it to the service group containing the cache server. Disable destination NAT on the virtual port.
6. If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support on the AX interface connected to the cache server, and on the real server (cache server).

CLI Example
The commands in this section implement the TCS configuration shown in Figure 98.

FIGURE 98 Layer 4 TCS

The following commands configure the AX interface to the client. Promiscuous VIP is enabled on the interface.
AX(config)#trunk 4
AX(config-trunk:4)#ethernet 3 to 4
AX(config-trunk:4)#exit
AX(config)#vlan 4
AX(config-vlan:4)#tagged ethernet 3 to 4
AX(config-vlan:4)#router-interface ve 4
AX(config-vlan:4)#exit
AX(config)#interface ve 4
AX(config-if:ve4)#ip address 192.168.19.1 255.255.255.0
AX(config-if:ve4)#ip allow-promiscuous-vip
AX(config-if:ve4)#exit

The following commands configure the AX interface to the content server.
AX(config)#trunk 2
AX(config-trunk:2)#ethernet 1 to 2
AX(config-trunk:2)#exit
AX(config)#vlan 2
AX(config-vlan:2)#tagged ethernet 1 to 2
AX(config-vlan:2)#router-interface ve 2
AX(config-vlan:2)#exit
AX(config)#interface ve 2
AX(config-if:ve2)#ip address 10.10.10.1 255.255.0.0
AX(config-if:ve2)#exit

The following commands configure the interface to the cache server:
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#ip address 110.110.110.254 255.255.255.0
AX(config-if:ethernet5)#exit

The following command configures an extended ACL to match on clients and on the content server. The ACL in this example matches on any source address (client IP address) and on the destination IP address of the content server.
AX(config)#access-list 198 permit ip any host 20.20.20.10 log

The following commands configure a real server for the cache server. TCP port 80 is added to the real server.
AX(config)#slb server cache-rs 110.110.110.10
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit

The following command configures a service group for the cache server:
AX(config)#slb service-group sg-tcs tcp
AX(config-slb svc group)#member cache-rs:80
AX(config-slb svc group)#exit

The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 tcp
AX(config-slb vserver-vport)#service-group sg-tcs
AX(config-slb vserver-vport)#no-dest-nat

Configuring Layer 7 TCS
Layer 7 TCS can be configured in either of the following ways. Select one of these methods based on the level of granularity you want to use for traffic redirection.
• Service type HTTP without URL switching rules – This method redirects all HTTP traffic to the cache server. The configuration steps are very similar to those for Layer 4 TCS. The only difference is use of HTTP instead of TCP or UDP as the service type of the virtual port.
• Service type HTTP with URL switching rules – This method uses an HTTP template containing URL switching rules. Traffic that matches a URL switching rule is redirected to the cache server. Other traffic is sent to the gateway router. This method requires configuration of a separate real server and service group for the gateway router.
Figure 99 on page 248 shows an example of the first method, which does not use URL switching rules. Figure 100 on page 249 shows an example of the second method, which does use URL switching rules.

FIGURE 99 Layer 7 TCS Without URL Switching Rules

FIGURE 100 Layer 7 TCS Using URL Switching Rules

Service Type HTTP Without URL Switching Rules
To configure this type of Layer 7 TCS:
1. Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the AX interface(s) connected to the clients.
2. Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address.
3. Configure a real server for the cache server. Add the TCP port; for example, TCP port 80.
4. Configure a service group for the cache server and add the cache server to it.
5. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL. Add virtual port 80 with service type HTTP and bind it to the service group containing the cache server. Disable destination NAT on the virtual port.

CLI Example
The commands in this section implement the TCS configuration shown in Figure 99 on page 248. The commands for configuring the interfaces and ACL, and the real server and service group for the cache server, are the same as those used in the Layer 4 TCS example, and are therefore not shown.
The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#service-group sg-tcs
AX(config-slb vserver-vport)#no-dest-nat

Service Type HTTP with URL Switching Rules
To configure this type of Layer 7 TCS:
1. Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the AX interface(s) connected to the clients.
2. Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address.
3. Configure a real server for the cache server. Add the TCP or UDP port; for example, TCP port 80.
4. Configure a real server for the next-hop router through which the AX device will reach the content servers. Add the same TCP port number as the one on the cache server (for example, TCP port 80). Disable health checking on the port.
Note: The configuration requires health checking to be disabled on the router port. The router will not respond to the health check. If you leave health checking enabled, the AX device will mark the port down and TCS will not work.
5. Configure a service group for the cache server and add the cache server to it.
6. Configure a separate service group for the router, and add the router to it.
7. Configure an HTTP template with URL switching rules. Add a separate URL switching rule for each URI string based on which to select a service group.
8. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL. Add virtual port 80 with service type HTTP and bind it to the service group containing the cache server. Bind the virtual port to the HTTP template. Disable destination NAT. Add virtual port 0 with service type HTTP and bind it to the service group containing the router. Disable destination NAT.

CLI Example
The commands in this section implement the TCS configuration shown in Figure 100 on page 249. The commands for configuring the interfaces and ACL, and the real server and service group for the cache server, are the same as those used in the Layer 4 TCS example, and are therefore not shown.
The following commands configure a real server for the gateway router:
AX(config)#slb server router 10.10.10.20
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit

The following commands configure a service group for the router:
AX(config)#slb service-group sg-router tcp
AX(config-slb svc group)#member router:80
AX(config-slb svc group)#exit

The following commands configure an HTTP template containing URL switching rules. Client requests for any URL that contains “.examplecorp/” or “.mycorp/” will be redirected to the service group for the cache server. Requests for any other URL will instead be sent to the service group for the router.
AX(config)#slb template http http1
AX(config-HTTP template)#url-switching contains .examplecorp/ service-group sg-tcs
AX(config-HTTP template)#url-switching contains .mycorp/ service-group sg-tcs
AX(config-HTTP template)#exit

The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#service-group sg-router
AX(config-slb vserver-vport)#template http http1
AX(config-slb vserver-vport)#no-dest-nat

Optimizing TCS with Multiple Cache Servers
To optimize TCS in deployments that use more than one cache server, use a destination-IP persistence template.

CLI Example
The commands in this section implement the TCS configuration shown in Figure 101. Only the commands specific to destination-IP persistence are shown. The other commands are the same as those shown in the previous sections.

FIGURE 101 TCS with Multiple Cache Servers

The following commands configure the destination-IP persistence template:
AX(config)#slb template persist destination-ip d-sticky
AX(config-dest ip persistence template)#match-type service-group

Note: The match-type service-group command is required to enable use of URL switching and persistence in the same configuration.

The following commands configure the VIP. The commands are the same as those used for Layer 7 TCS, with the addition of a command to bind the destination-IP persistence template to the virtual port.
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template http http1
AX(config-slb vserver-vport)#service-group sg-router
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#template persist destination-ip d-sticky
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
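The forwarding decision that the Application Templates overview, the URL-switching Layer 7 example and the multiple-cache-server example above describe can be traced on sample requests with the following Python model. It is an added example, not part of this guide and not A10 code: it simulates the ACL-bound wildcard VIP with no-dest-nat, the HTTP template's "contains" URL switching rules, and a destination-IP persistence table kept per service group (the behaviour selected by match-type service-group). Round robin stands in for "standard SLB" on the first request to a destination. The second content server 20.20.20.11, its ACL entry, and the second cache server 110.110.110.11 are constructed for the example; the guide's ACL 198 permits only host 20.20.20.10.

```python
"""Model of the TCS forwarding decision described in this chapter.

Added example, not part of this guide and not A10 code. It simulates an
ACL-bound wildcard VIP with no-dest-nat, an HTTP template with URL switching
rules, and a destination-IP persistence template, so the selection logic can
be traced for sample requests. The second content server (20.20.20.11) and the
second cache server (110.110.110.11) are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    """One 'permit ip <src> <dst>' entry of an extended ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


@dataclass
class ServiceGroup:
    name: str
    members: list                                # real server IP addresses
    sticky: dict = field(default_factory=dict)   # dest IP -> member, kept per group
    rr_index: int = 0

    def select(self, dest_ip, persist):
        """Pick a member. With destination-IP persistence the member chosen for
        the first request to a destination IP is reused for later requests to it.
        Round robin stands in for 'standard SLB' here (a simplification)."""
        if persist and dest_ip in self.sticky:
            return self.sticky[dest_ip]
        member = self.members[self.rr_index % len(self.members)]
        self.rr_index += 1
        if persist:
            self.sticky[dest_ip] = member
        return member


@dataclass
class WildcardVip:
    acl: list                    # AclEntry permit entries (acl 198 in the text)
    default_group: ServiceGroup  # group bound to the virtual port (sg-router)
    url_rules: list              # (substring, ServiceGroup) from the HTTP template
    persist: bool                # destination-IP persistence template bound?
    vport: int = 80

    def dispatch(self, client_ip, dest_ip, dport, url=None):
        """Return where a request goes. Because the virtual port uses
        no-dest-nat, the packet keeps its original destination IP; TCS only
        changes the next hop (cache server or gateway router)."""
        if not any(e.matches(client_ip, dest_ip) for e in self.acl):
            return {"path": "forward", "next_hop": dest_ip, "group": None}
        if dport != self.vport:
            return {"path": "forward", "next_hop": dest_ip, "group": None}
        group = self.default_group
        for needle, rule_group in self.url_rules:   # 'contains' rule, first match wins
            if url and needle in url:
                group = rule_group
                break
        member = group.select(dest_ip, self.persist)
        return {"path": "tcs", "next_hop": member, "group": group.name,
                "dest_ip": dest_ip}


def build_example_vip():
    """Layout of Figure 101 with the CLI values from this chapter: sg-tcs with
    two cache servers, sg-router as the default group, URL rules for
    '.examplecorp/' and '.mycorp/', persistence enabled."""
    sg_tcs = ServiceGroup("sg-tcs", ["110.110.110.10", "110.110.110.11"])
    sg_router = ServiceGroup("sg-router", ["10.10.10.20"])
    acl = [AclEntry(ipaddress.ip_network("0.0.0.0/0"),
                    ipaddress.ip_network("20.20.20.10/32")),
           AclEntry(ipaddress.ip_network("0.0.0.0/0"),     # constructed second entry
                    ipaddress.ip_network("20.20.20.11/32"))]
    rules = [(".examplecorp/", sg_tcs), (".mycorp/", sg_tcs)]
    return WildcardVip(acl, sg_router, rules, persist=True)


if __name__ == "__main__":
    vip = build_example_vip()
    for client, dest, port, url in [
        ("192.168.19.5", "20.20.20.10", 80, "http://www.mycorp/index.html"),
        ("192.168.19.6", "20.20.20.11", 80, "http://www.examplecorp/a.html"),
        ("192.168.19.7", "20.20.20.10", 80, "http://www.mycorp/b.html"),
        ("192.168.19.5", "20.20.20.10", 80, "http://www.other.example/"),
        ("192.168.19.5", "30.30.30.30", 80, "http://www.mycorp/"),
    ]:
        print(client, "->", dest, url, vip.dispatch(client, dest, port, url))
```

Traffic that the ACL does not permit, and traffic on a port with no virtual port, is forwarded without TCS, which is the check to run first when requests unexpectedly bypass the cache: confirm the ACL matches and the virtual port exists before looking at the URL rules.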

Enabling Support for Cache Spoofing
If the cache server spoofs client IP addresses when requesting content from servers, the following additional configuration is required:
1. Enable cache spoofing support on the AX interface connected to the spoofing cache server. In the CLI, enter the following command at the configuration level for the AX interface: cache-spoofing-port
2. In the real server configuration for the cache server, enable spoof caching support. In the CLI, enter the following command at the configuration level for the real server: spoofing-cache

CLI Example
The commands in this section enable cache spoofing support for the TCS configuration shown in Figure 101.
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#ip address 110.110.110.254 255.255.255.0
AX(config-if:ethernet5)#ip cache-spoofing-port
AX(config-if:ethernet5)#exit
AX(config)#slb server cache-rs 110.110.110.10
AX(config-real server)#spoofing-cache
AX(config-real server)#port 80 tcp

Firewall Load Balancing
This chapter describes how to configure Firewall Load Balancing (FWLB).

Overview
AX Series devices support Firewall Load Balancing (FWLB). FWLB load balances server-client sessions across firewalls. Figure 102 shows an example FWLB topology.

FIGURE 102 Example FWLB Topology

This example shows two pairs of AX devices. One pair is located on the public (unprotected) side of the network. The other pair is located on the secured side of the network. Each pair is configured for High Availability (HA). One member of the pair is the Active AX device and the other is a hot Standby.
SLB for the real servers is configured on one of the AX pairs. You can configure SLB for the servers on either AX pair. However, do not add the SLB configuration to both AX pairs.
The upstream/downstream routers and the firewalls need to be configured to use the AX device as the next hop. If HA pairs are being used, the next hop IP configured on the upstream/downstream routers and firewalls must be an HA-capable IP address. The following types of IP addresses are HA-capable:
• Floating IP addresses (shown in Figure 102)
• Virtual IP addresses
• IP addresses allocated from IP source NAT pools
In HA deployments, each AX device needs an HA-capable IP interface in the subnets connected to the firewalls and those connected to real servers and upstream/downstream routers.

Firewall Groups
This example uses a single firewall group for both firewall nodes. When you configure FWLB, make sure to configure a firewall group for the firewalls rather than an SLB service group.

Templates
Although this example does not use one, you can use a source-IP persistence template in an FWLB configuration. You can bind a source-IP persistence template to the virtual firewall or to individual service ports on the virtual firewall.
• If you apply a source-IP persistence template to the virtual firewall, the AX device sends all traffic from a given source address through the same firewall.
• If you apply a source-IP persistence template to an individual service port on the virtual firewall, the AX device sends all traffic from a given client for that service port through the same firewall.

Health Monitors
To monitor the health of a firewall, use a Layer 3 monitor with the ICMP method, and with transparent mode enabled. This type of health monitor verifies a firewall’s health by verifying the path through the firewall to the AX device or HA pair on the other side of the firewall.

FWLB HA with Direct Connection of AX Devices to Firewalls
Layer 2 switches are not required between the AX device and the firewalls. You can connect the AX device directly to the firewalls, as shown in Figure 103.

FIGURE 103 FWLB HA with Direct Connection of AX Devices to Firewalls

In this topology, each AX device is directly connected to only two of the four firewalls, but can reach the other two firewalls at Layer 2 through the other AX device. One AX device is active for SLB and FWLB and the other AX device is a hot standby for these services. The active AX device load balances client-server traffic across all four firewalls. The standby AX device allows Layer 2 client-server traffic to pass through but blocks other traffic.
For example, assume that External AX1 is the active member of the HA pair (is the one actively performing SLB and FWLB). External AX1 is directly connected to two of the firewalls, but can also reach the other two firewalls by sending the traffic at Layer 2 through External AX2. External AX2, the standby for SLB and FWLB, allows client-server traffic to pass through at Layer 2.

Interfaces to Clients and Servers
This topology is supported on AX devices that are deployed in route mode (also called gateway mode). Virtual Ethernet (VE) interfaces are used to connect the AX device to clients, servers, and the other AX device. Each VE is configured with an IP address. External AX1 is configured with the following VE interfaces:
• VE1 – Connects the AX device to clients (through the gateway routers).
• VE2 – Directly connects the AX device to some of the firewalls, and indirectly connects to the other firewalls through the other AX device.
• VE50 – Provides the HA management and session synchronization connection to the other AX device.

Static IP Routes
Each of the AX devices requires static IP routes to the following:
• Firewall VE subnet of the other AX pair
• Client or server VE subnet of the other AX pair:
• On the external AX devices, the destination address of this route is the VE subnet connected to the real servers.
• On the internal AX devices, the destination address of this route is the virtual IP address of a pair of external access routers running a router redundancy protocol such as VRRP.

In the example above, External AX1 has the following static routes:
• Destination: 30.1.1.0 Next hop: 20.1.1.1 – This route reaches the firewall VE subnet of the internal AX devices, through one of the firewalls.
• Destination: 40.1.1.0 Next hop: 20.1.1.1 – This route reaches the VE subnet of the real servers, through one of the firewalls.
Internal AX1 has the following static routes:
• Destination: 10.1.1.0 Next hop: 30.1.1.1 – This route reaches the client VE subnet of the external AX devices, through one of the firewalls.
• Destination: 20.1.1.0 Next hop: 30.1.1.1 – This route reaches the firewall VE subnet of the external AX devices, through one of the firewalls.
Notice that on each AX device, both static routes use the same next hop. Using the same hop does not present a single point of failure. If the route to the specified next hop goes down, the AX device automatically looks for another path to the route's destination through another firewall.
Note: If the management interface is on a separate subnet, a static IP route for this interface might also be required. This is network-dependent and is not covered in this example.

SLB, FWLB, and HA Configuration
The FWLB and HA configuration is the same as in previous releases. There are no new commands or options required to configure this HA solution. SLB does not need to be configured on both pairs. To simplify configuration, A10 Networks recommends that you configure SLB on only one of the AX pairs, either the external pair or the internal pair. This is not required but it is recommended.

FWLB Parameters
Table 4 lists the FWLB parameters.

TABLE 4 FWLB Parameters
Each entry gives the parameter, its description and CLI syntax, the GUI path, and the supported values.

Firewall Node Parameters

Firewall (Required)
Configures the firewall.
[no] fwlb node fwall-name ipaddr
Config > Service > Firewall > Firewall Node
Supported values: Default: None configured

Health check (Optional)
Applies a configured health check to the firewall.
health-check monitor-name
Config > Service > Firewall > Firewall Node
Supported values: Name of a configured health monitor. Default: The AX device attempts to use the default Layer 3 method (ping). However, this default method does not use the transparent option. The only type of health monitor supported for FWLB is Layer 3 ICMP with the transparent option enabled. The transparent option sends health check packets to the AX device or HA pair on the other side of the firewall.

Firewall Group Parameters

Firewall service group (Required)
Configures the firewall group.
fwlb service-group group-name
Config > Service > Firewall > Firewall Group
Supported values: Default: None configured

Member (Required)
Adds a firewall to the firewall group.
member fwall-name [priority num]
Config > Service > Firewall > Firewall Group
The priority option enables you to designate some firewalls as backups (the lower priority firewalls) to be used only if the higher priority firewalls all are unavailable.
Supported values: Default: None. When you configure one, the default priority is 1.

Load balancing method (Optional)
Changes the algorithm used to select a firewall for a client request, from round-robin to least-connection. Least connection selects the firewall that has the fewest connections.
[no] least-connection
Config > Service > Firewall > Firewall Group
Supported values: Default: round robin

Firewall Virtual Server Parameters

Virtual firewall state (Optional)
State of the firewall virtual server.
[no] disable
Config > Service > Firewall > Firewall Virtual server
Supported values: Enabled or disabled. Default: Enabled

Service ports (Optional)
Specifies the service ports to load balance.
port port-number {tcp | udp}
Config > Service > Firewall > Firewall Virtual server - Port tab (See “Firewall Virtual Service Port Parameters” below for additional port settings.)
Supported values: Protocol port number, 1-65535. Default: No service ports are specified, which means all traffic is load balanced.

Firewall group (Required)
Specifies the firewall group to use.
[no] service-group group-name
Config > Service > Firewall > Firewall Virtual server
You also can specify a firewall group on individual service ports. If you specify a firewall group at each level, the firewall group specified for the individual service port takes precedence.
Supported values: Name of a configured firewall group. Default: not set

High Availability (HA) group (Optional)
Specifies the HA group to use for the virtual firewall’s traffic.
[no] ha-group group-id
Config > Service > Firewall > Firewall Virtual server
Supported values: 1-31. Default: not set

Session synchronization (Optional)
Synchronizes active sessions onto the standby AX in the HA pair, to prevent the sessions from being interrupted if an HA failover occurs.
[no] ha-conn-mirror
Config > Service > Firewall > Firewall Virtual server
Supported values: Enabled or disabled. Default: Disabled

Source-IP persistence template (Optional)
Sends all traffic from a given source address to the same firewall.
[no] template persist source-ip template-name
This parameter cannot be configured using the GUI.
You also can specify a source-IP persistence template on individual service ports. If you specify a template at each level, the template specified for the individual service port takes precedence.
Note: The match-type option is not applicable to FWLB. The match type for FWLB is always server, which sets the granularity of source-IP persistence to individual firewalls, not firewall groups or individual service ports.
Supported values: Name of a configured source-IP persistence template. Default: not set

TCP idle timeout (Optional)
Specifies the number of seconds a TCP session through a firewall can remain idle before the AX device terminates the session.
[no] tcp-idle-timeout seconds
Config > Service > Firewall > Firewall Virtual server
Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall port, or the idle time configured in SLB. See “TCP and UDP Session Aging” on page 263.
Supported values: 60-15000 seconds. Default: 300 seconds

UDP idle timeout (Optional)
Specifies the number of seconds a UDP session through a firewall can remain idle before the AX device terminates the session.
[no] udp-idle-timeout seconds
Config > Service > Firewall > Firewall Virtual server
Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall port, or the idle time configured in SLB. See “TCP and UDP Session Aging” on page 263.
Supported values: 60-15000 seconds. Default: 300 seconds

Firewall Virtual Service Port Parameters

Firewall group (Optional)
Specifies the firewall group to use.
[no] service-group group-name
Config > Service > Firewall > Firewall Virtual server - Port tab
If you specify a firewall group at this level, the firewall group specified here takes precedence over the firewall group specified at the firewall level.
Supported values: Name of a configured firewall group. Default: not set

Source-IP persistence template (Optional)
Sends all traffic from a given source address to the same firewall.
[no] template persist source-ip template-name
This parameter cannot be configured using the GUI.
If you specify a source-IP persistence template at this level, the template specified here takes precedence over the template specified at the firewall level.
Supported values: Name of a configured source-IP persistence template. Default: not set

TCP/UDP idle timeout (Optional)
Specifies the number of seconds a session through a firewall on this service port can remain idle before the AX device terminates the session.
[no] idle-timeout seconds
Config > Service > Firewall > Firewall Virtual server - Port tab
Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall, or the idle time configured in SLB. See “TCP and UDP Session Aging” on page 263.
Supported values: 60-15000 seconds. Default: 300 seconds

TCP and UDP Session Aging
By default, the AX device allows TCP or UDP connections through a firewall to be idle for 300 seconds (5 minutes).
Note: In the current release, the TCP idle-timeout settings in FWLB are never used. The AX device allows you to configure them but they are not used.
The idle timeout for a TCP or UDP session through a firewall is determined as follows:
• For service-type UDP (Layer 4), if the idle-timeout is set on the virtual firewall or the UDP virtual firewall port, that idle-timeout is used. Otherwise, if the UDP idle-timeout is not set in FWLB, the idle-timeout in the default SLB UDP template is used. Unless the default template has been changed, the idle-timeout is 120 seconds.
• For service-type TCP (Layer 4), the idle-timeout in the default SLB TCP template is used. Unless the default template has been changed, the idle-timeout is 120 seconds.
• For service-type HTTP (Layer 7), the idle-timeout in the default SLB TCP-proxy template is used. Unless the default template has been changed, the idle-timeout is 600 seconds.
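The selection and aging rules in Table 4 and under "TCP and UDP Session Aging" interact (member priorities, round robin or least-connection, a source-IP persistence template at the virtual-firewall or service-port level, and three sources of idle timeout), so the following Python model is added here to make them checkable on sample sessions. It is an added example, not part of this guide and not A10 code. Firewall names, connection counts and addresses are constructed. Two points are assumptions rather than statements of the text: a session whose persisted firewall has failed its health check is re-selected from the group, and when a UDP idle-timeout is set both on the virtual firewall and on the port, the port value is taken first.

```python
"""Model of FWLB session setup as described in Table 4 and under 'TCP and UDP
Session Aging': firewall selection with member priorities, round robin or
least-connection, source-IP persistence bound at the virtual firewall or at a
service port, and the idle timeout applied to the session.

Added example, not part of this guide and not A10 code. Firewall names,
connection counts, the re-selection when a persisted firewall is down, and the
port-before-virtual-firewall order for UDP idle timeouts are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    up: bool = True     # outcome of the transparent ICMP health check
    conns: int = 0      # sessions currently assigned to this firewall


@dataclass
class FirewallGroup:
    name: str
    members: list                   # (Firewall, priority); default priority is 1
    least_connection: bool = False  # 'least-connection' instead of round robin
    rr_index: int = 0

    def candidates(self):
        """Only the highest-priority tier that still has a healthy member is
        eligible; lower-priority firewalls are backups used when every
        higher-priority firewall is unavailable."""
        healthy = [(fw, pri) for fw, pri in self.members if fw.up]
        if not healthy:
            return []
        top = max(pri for _, pri in healthy)
        return [fw for fw, pri in healthy if pri == top]

    def pick(self):
        cands = self.candidates()
        if not cands:
            return None
        if self.least_connection:
            return min(cands, key=lambda fw: fw.conns)
        fw = cands[self.rr_index % len(cands)]
        self.rr_index += 1
        return fw


@dataclass
class VirtualFirewall:
    group: FirewallGroup                        # 'service-group' on the virtual firewall
    persist: bool = False                       # source-IP template on the virtual firewall
    ports: dict = field(default_factory=dict)   # (proto, port) -> {"group": ..., "persist": ...}
    sticky: dict = field(default_factory=dict)  # persistence key -> Firewall

    def select(self, src_ip, proto, port):
        """Choose the firewall for a new session, or None if service ports are
        configured and this is not one of them (assumption: such traffic is
        not load balanced by this virtual firewall)."""
        if self.ports and (proto, port) not in self.ports:
            return None
        cfg = self.ports.get((proto, port), {})
        group = cfg.get("group") or self.group          # port-level group takes precedence
        port_persist = cfg.get("persist", False)        # port-level template takes precedence
        persist = port_persist or self.persist
        # Port-level template: same firewall for this client on this port only.
        # Virtual-firewall template: same firewall for this client on all ports.
        key = (src_ip, (proto, port)) if port_persist else (src_ip, None)
        if persist and key in self.sticky and self.sticky[key].up:
            return self.sticky[key]
        fw = group.pick()
        if fw is not None:
            fw.conns += 1
            if persist:
                self.sticky[key] = fw
        return fw


# Idle timeouts of the default SLB templates quoted in the text.
DEFAULT_SLB_IDLE = {"udp": 120, "tcp": 120, "http": 600}


def idle_timeout(service_type, vfw_udp_timeout=None, port_timeout=None):
    """Idle timeout applied to a session through a firewall. FWLB TCP
    idle-timeout settings are never used, so only UDP consults the FWLB
    values; the port-level value is tried first (assumption: the text does
    not say which wins when both are set)."""
    if service_type == "udp":
        if port_timeout is not None:
            return port_timeout
        if vfw_udp_timeout is not None:
            return vfw_udp_timeout
    return DEFAULT_SLB_IDLE[service_type]
```

The candidates() tier logic is the part worth checking against a real deployment: a backup firewall with a lower priority receives nothing while any higher-priority firewall passes its transparent ICMP check, so a backup that is never exercised can fail silently until the primaries go down.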

Configuring FWLB
To configure FWLB:
1. Configure a health check for each firewall.
2. Configure the firewalls.
3. Configure a firewall group and add the firewalls to the group.
4. Configure a virtual firewall. If FWLB will apply to all traffic types, do not configure any virtual ports on the virtual firewall. To apply FWLB only to traffic for specific services, create a virtual port for each service, and bind the firewall group to each virtual port. If the AX device is configured for HA, specify the HA group ID to use for the virtual port.
5. Configure High Availability (HA) parameters: HA ID, HA group, session synchronization, and floating IP address.
Note: The essential steps are described in this section. For the complete list of FWLB settings you can configure, see Table 4 on page 260.

USING THE GUI
To configure a health check for a firewall path
1. Select Config > Service > Health Monitor.
2. Select Health Monitor on the menu bar.
3. Click Add.
4. On the Health Monitor tab, enter a name for the health monitor.
5. On the Method tab, select ICMP from the Type drop-down list.
6. Select Transparent. The Alias Address field appears.
7. Enter the AX IP address at the other end of the path to check:
• If there is a single AX device on the other side of the firewall, enter the IP address of the AX.
• If there is an HA pair of AX devices on the other side of the firewall, enter the floating IP address of the HA pair.

8. Click OK. The new health monitor appears in the Health Monitor table.

FIGURE 104 Config > Service > Health Monitor

To configure a firewall node
1. Select Config > Service > Firewall.
2. Select Firewall Node on the menu bar. The Firewall Node tab appears.
3. Click Add.
4. Enter the firewall name and IP address.
5. Select the health method to use for checking the path through the firewall to the other AX device. If an HA pair is configured on the other side of the firewall, enter the floating IP address of the HA pair.
6. Click OK. The firewall appears in the Firewall Node table.

FIGURE 105 Config > Service > Firewall > Firewall Node

To configure a firewall group
1. Select Firewall Group on the menu bar. The Firewall Group tab appears.
2. Click Add.
3. On the Firewall Group tab, enter a name for the service group.
4. On the Member tab, enter the IP address of a firewall in the Firewall field.
5. Click Add.
6. Repeat step 4 and step 5 for each firewall.
7. Click OK. The firewall group appears in the Firewall Group table.

FIGURE 106 Config > Service > Firewall > Firewall Group

go to step 6. e. P e r f o r m a n c e D e s i g n Document No. Select the transport protocol (TCP or UDP) from the Type dropdown list. Enter the protocol port number in the Port field. To specify services to load balance: a. Select the firewall group. d.Ver. select Enabled next to HA Connection Mirror. b. 4. Select Virtual Firewall Server on the menu bar. to load balance only specific services. Otherwise. 5.AX Series . select the HA group. If you want to load balance all types of traffic through the firewalls. f. h. Repeat for each protocol port. click Add.Configuration Guide Configuring FWLB To configure the virtual firewall 1. 6. 2.2 11/11/2009 b y 267 of 702 . 2. Click OK. On the Default tab. Select the firewall group from the Firewall Group drop-down list.: D-030-01-00-0006 . On the Port tab. if HA is configured. Click OK to complete the firewall virtual server configuration. c. 3.0. Click Add. If HA is configured and you plan to use connection mirroring (session synchronization). g. click OK to complete the configuration.

2 11/11/2009 .Configuration Guide Configuring FWLB FIGURE 107 Config > Service > Firewall > Firewall Virtual Server FIGURE 108 Config > Service > Firewall > Firewall Virtual Server .0.AX Series .: D-030-01-00-0006 . 2.Port tab 268 of 702 P e r f o r m a n c e b y D e s i g n Document No.Ver.

USING THE CLI

1. To configure HA parameters, use the following commands at the global configuration level of the CLI:

ha id {1 | 2}
ha group group-id priority number
ha conn-mirror ip ipaddr
ha interface ethernet port-num [router-interface | server-interface | both] [no-heartbeat | vlan vlan-id]
floating-ip ipaddr ha-group group-id

The ipaddr in the ha conn-mirror ip command is the address of the other AX device in the HA pair, to which session information is sent (see the examples later in this chapter, where each AX names its peer's address).

2. To configure a health check for a firewall path, use the following commands:

health monitor monitor-name [interval seconds | retry number | timeout seconds]

Enter this command at the global Config level.

method icmp transparent ipaddr

Enter this command at the configuration level for the health monitor. The transparent option is required and configures the health method to check the full path through the firewall to the other AX. The ipaddr specifies the IP address of the AX on the other side of the firewall. In an HA configuration, the ipaddr is the floating IP address of the HA group on the other side of the firewall. Because the check is an ICMP echo sent through the firewall, the firewall policy must permit that echo request and its reply between the AX and the target address; otherwise every path through that firewall is reported down.

3. To configure a firewall and assign a health monitor to it, use the following commands:

fwlb node fwall-name ipaddr

Enter this command at the global Config level.

health-check monitor-name

Enter this command at the configuration level for the firewall.

4. To configure a firewall group and add the firewalls to it, use the following commands:

fwlb service-group group-name

Enter this command at the global Config level.

member fwall-name [priority num]
method least-connection

Enter these commands at the configuration level for the firewall group. The priority option enables you to designate some firewalls as backups (the lower priority firewalls) to be used only if the higher priority firewalls all are unavailable. The method command is optional and changes the load-balancing method from round-robin (the default) to least-connections.

5. To configure the virtual firewall, use the following commands:

fwlb virtual-firewall default

Enter this command at the global Config level. It changes the CLI to the configuration level for the virtual firewall named "default". The "default" virtual firewall is the only one supported in the current release.

port port-number {tcp | udp}
ha-group {1 | 2}

Enter these commands at the configuration level for the virtual firewall. The port command specifies the service port that is being protected by the firewall. This is the virtual port configured on the VIP in the SLB configuration. The ha-group command specifies the HA group the virtual port is in.

service-group group-name
ha-conn-mirror

Enter these commands at the configuration level for the virtual port. The service-group command binds the firewall group (configured with fwlb service-group) to the virtual port. The ha-conn-mirror command enables session synchronization (connection mirroring) between the Active and Standby AX devices in the HA configuration.

Displaying FWLB Information

To display FWLB configuration information and statistics, use the following commands:

show fwlb node [fwall-name] [config]
show fwlb service-group [group-name] [config]
show fwlb virtual-firewall [config]

In each command, the config option displays configuration information. If you omit the config option, statistics are displayed instead.

CLI CONFIGURATION EXAMPLE—TOPOLOGY USING LAYER 2 SWITCHES

The commands in the following example implement the FWLB configuration for the External AX (Active) shown in Figure 102 on page 255. The same commands can be used on the other AX devices, with the following exceptions:

• The ha id command on each AX in an HA pair must use a different HA ID. For example, since External AX A uses HA ID 1, External AX B must use HA ID 2.
• The ha group command on each AX in an HA pair should use a different HA priority. For example, since External AX A uses priority 100 for the HA group, External AX B uses priority 1.
• The floating-ip commands on each AX device must use addresses within the subnets connected to the firewalls and upstream/downstream routers or servers. In Figure 102 on page 255, the external AX devices need floating IP addresses 192.168.20.100 and 10.1.1.100. The internal AX devices need floating IP addresses 10.5.1.100 and 10.20.1.100.
• The method icmp transparent commands on the External AX devices must use the floating IP address of the subnet on which the Internal AX pair is connected to the firewalls. Likewise, the method icmp transparent commands on the Internal AX devices must use the floating IP address of the subnet on which the External AX pair is connected to the firewalls.

CLI Commands on External AX (Active)

The following commands configure global HA parameters:

AX-Ext-A(config)#ha id 1
AX-Ext-A(config)#ha group 1 priority 100
AX-Ext-A(config)#ha interface ethernet 1
AX-Ext-A(config)#ha interface ethernet 2
AX-Ext-A(config)#ha conn-mirror ip 10.1.1.6
AX-Ext-A(config)#floating-ip 192.168.20.100 ha-group 1
AX-Ext-A(config)#floating-ip 10.1.1.100 ha-group 1

The following commands configure the health monitors:

AX-Ext-A(config)#health monitor fwpathcheck
AX-Ext-A(config-health:monitor)#method icmp transparent 10.5.1.100
AX-Ext-A(config-health:monitor)#exit

The following commands configure the firewalls:

AX-Ext-A(config)#fwlb node fw1 10.1.1.1
AX-Ext-A(config-firewall node)#health-check fwpathcheck
AX-Ext-A(config-firewall node)#exit
AX-Ext-A(config)#fwlb node fw2 10.1.1.2
AX-Ext-A(config-firewall node)#health-check fwpathcheck
AX-Ext-A(config-firewall node)#exit

The following commands configure the firewall groups:

AX-Ext-A(config)#fwlb service-group fwsg
AX-Ext-A(config-fwlb service group)#member fw1
AX-Ext-A(config-fwlb service group)#member fw2
AX-Ext-A(config-fwlb service group)#exit

The following commands configure the virtual firewall:

AX-Ext-A(config)#fwlb virtual-firewall default
AX-Ext-A(config-fwlb virtual firewall default)#ha-group 1
AX-Ext-A(config-fwlb virtual firewall default)#port 80 tcp
AX-Ext-A(config-fwlb virtual firewall default...)#service-group fwsg
AX-Ext-A(config-fwlb virtual firewall default...)#ha-conn-mirror

CLI Commands on External AX (Standby)

AX-Ext-S(config)#ha id 2
AX-Ext-S(config)#ha group 1 priority 1
AX-Ext-S(config)#ha interface ethernet 1
AX-Ext-S(config)#ha interface ethernet 2
AX-Ext-S(config)#ha conn-mirror ip 10.1.1.5
AX-Ext-S(config)#floating-ip 192.168.20.100 ha-group 1
AX-Ext-S(config)#floating-ip 10.1.1.100 ha-group 1
AX-Ext-S(config)#health monitor fwpathcheck
AX-Ext-S(config-health:monitor)#method icmp transparent 10.5.1.100
AX-Ext-S(config-health:monitor)#exit
AX-Ext-S(config)#fwlb node fw1 10.1.1.1
AX-Ext-S(config-firewall node)#health-check fwpathcheck
AX-Ext-S(config-firewall node)#exit
AX-Ext-S(config)#fwlb node fw2 10.1.1.2
AX-Ext-S(config-firewall node)#health-check fwpathcheck
AX-Ext-S(config-firewall node)#exit
AX-Ext-S(config)#fwlb service-group fwsg
AX-Ext-S(config-fwlb service group)#member fw1
AX-Ext-S(config-fwlb service group)#member fw2
AX-Ext-S(config-fwlb service group)#exit
AX-Ext-S(config)#fwlb virtual-firewall default
AX-Ext-S(config-fwlb virtual firewall default)#ha-group 1
AX-Ext-S(config-fwlb virtual firewall default)#port 80 tcp
AX-Ext-S(config-fwlb virtual firewall default...)#service-group fwsg
AX-Ext-S(config-fwlb virtual firewall default...)#ha-conn-mirror

CLI Commands on Internal AX (Active)

AX-Int-A(config)#ha id 1
AX-Int-A(config)#ha group 1 priority 100
AX-Int-A(config)#ha interface ethernet 1
AX-Int-A(config)#ha interface ethernet 2
AX-Int-A(config)#ha conn-mirror ip 10.5.1.6
AX-Int-A(config)#floating-ip 10.20.1.100 ha-group 1
AX-Int-A(config)#floating-ip 10.5.1.100 ha-group 1
AX-Int-A(config)#health monitor fwpathcheck
AX-Int-A(config-health:monitor)#method icmp transparent 10.1.1.100
AX-Int-A(config-health:monitor)#exit
AX-Int-A(config)#fwlb node fw1 10.5.1.1
AX-Int-A(config-firewall node)#health-check fwpathcheck
AX-Int-A(config-firewall node)#exit
AX-Int-A(config)#fwlb node fw2 10.5.1.2
AX-Int-A(config-firewall node)#health-check fwpathcheck
AX-Int-A(config-firewall node)#exit
AX-Int-A(config)#fwlb service-group fwsg
AX-Int-A(config-fwlb service group)#member fw1
AX-Int-A(config-fwlb service group)#member fw2
AX-Int-A(config-fwlb service group)#exit
AX-Int-A(config)#fwlb virtual-firewall default
AX-Int-A(config-fwlb virtual firewall default)#ha-group 1
AX-Int-A(config-fwlb virtual firewall default)#port 80 tcp
AX-Int-A(config-fwlb virtual firewall default...)#service-group fwsg
AX-Int-A(config-fwlb virtual firewall default...)#ha-conn-mirror

CLI Commands on Internal AX (Standby)

AX-Int-S(config)#ha id 2
AX-Int-S(config)#ha group 1 priority 1
AX-Int-S(config)#ha interface ethernet 1
AX-Int-S(config)#ha interface ethernet 2
AX-Int-S(config)#ha conn-mirror ip 10.5.1.5
AX-Int-S(config)#floating-ip 10.20.1.100 ha-group 1
AX-Int-S(config)#floating-ip 10.5.1.100 ha-group 1
AX-Int-S(config)#health monitor fwpathcheck
AX-Int-S(config-health:monitor)#method icmp transparent 10.1.1.100
AX-Int-S(config-health:monitor)#exit
AX-Int-S(config)#fwlb node fw1 10.5.1.1
AX-Int-S(config-firewall node)#health-check fwpathcheck
AX-Int-S(config-firewall node)#exit
AX-Int-S(config)#fwlb node fw2 10.5.1.2
AX-Int-S(config-firewall node)#health-check fwpathcheck
AX-Int-S(config-firewall node)#exit
AX-Int-S(config)#fwlb service-group fwsg
AX-Int-S(config-fwlb service group)#member fw1
AX-Int-S(config-fwlb service group)#member fw2
AX-Int-S(config-fwlb service group)#exit
AX-Int-S(config)#fwlb virtual-firewall default
AX-Int-S(config-fwlb virtual firewall default)#ha-group 1
AX-Int-S(config-fwlb virtual firewall default)#port 80 tcp
AX-Int-S(config-fwlb virtual firewall default...)#service-group fwsg
AX-Int-S(config-fwlb virtual firewall default...)#ha-conn-mirror
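The rules in the bullet list at the start of this example are the ones most often broken when the four devices are configured by hand: a copied HA ID or priority, floating IPs that differ between the two members of a pair, or a transparent health check aimed at a floating IP on the wrong subnet. The following script is an added example, not part of this guide or of A10 software. It parses the HA, health monitor, firewall node and firewall group commands in the format shown above (with the prompts removed) and reports violations before the configuration is pushed. Its sample configurations are constructed from the addresses in this example; the /24 subnet mask is an assumption, since the example states no masks, and ha conn-mirror ip is treated as the address of the peer AX, as in the examples in this chapter. The same checks apply to the routed topology in the next section.

```python
"""Added example (not A10 code): audit an FWLB HA deployment for the rules listed above."""
import ipaddress

PREFIX = 24  # assumption: every example subnet is a /24 (the example states no masks)

class AxConfig:
    def __init__(self, name):
        self.name, self.ha_id, self.ha_priority, self.conn_mirror_ip, self.mirror = name, None, None, None, False
        self.floating_ips, self.monitors, self.nodes, self.groups = set(), {}, {}, {}
        # monitors: name -> transparent target; nodes: name -> [ip, monitor]; groups: name -> members

def parse(name, text):
    """Parse the FWLB/HA command subset used in the example above (prompts removed)."""
    cfg, ctx = AxConfig(name), None  # ctx = (level, object name); None at the global config level
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "exit":
            ctx = None
        elif t[:2] == ["ha", "id"]:
            cfg.ha_id = int(t[2])
        elif t[:2] == ["ha", "group"]:        # ha group <id> priority <n>
            cfg.ha_priority = int(t[4])
        elif t[:2] == ["ha", "conn-mirror"]:  # ha conn-mirror ip <peer address>
            cfg.conn_mirror_ip = t[3]
        elif t[0] == "floating-ip":
            cfg.floating_ips.add(t[1])
        elif t[0] == "ha-conn-mirror":        # session synchronization on a virtual port
            cfg.mirror = True
        elif t[:2] == ["health", "monitor"]:
            ctx, cfg.monitors[t[2]] = ("monitor", t[2]), None
        elif t[:3] == ["method", "icmp", "transparent"] and ctx and ctx[0] == "monitor":
            cfg.monitors[ctx[1]] = t[3]
        elif t[:2] == ["fwlb", "node"]:
            ctx, cfg.nodes[t[2]] = ("node", t[2]), [t[3], None]
        elif t[0] == "health-check" and ctx and ctx[0] == "node":
            cfg.nodes[ctx[1]][1] = t[1]
        elif t[:2] == ["fwlb", "service-group"]:
            ctx, cfg.groups[t[2]] = ("group", t[2]), []
        elif t[0] == "member" and ctx and ctx[0] == "group":
            cfg.groups[ctx[1]].append(t[1])
    return cfg

def check_device(c):
    """Referential checks inside one device."""
    errs = [f"{c.name}: monitor {m} has no 'method icmp transparent' target" for m, t in c.monitors.items() if t is None]
    errs += [f"{c.name}: node {n} has no valid health-check" for n, (_, m) in c.nodes.items() if m not in c.monitors]
    errs += [f"{c.name}: group {g} member {m} is not a node" for g, ms in c.groups.items() for m in ms if m not in c.nodes]
    if c.mirror and not c.conn_mirror_ip:
        errs.append(f"{c.name}: ha-conn-mirror is set but 'ha conn-mirror ip' is missing")
    return errs

def check_pair(a, b):
    """Rules for the two members of one HA pair."""
    rules = [(a.ha_id == b.ha_id, f"both use ha id {a.ha_id}"),
             (a.ha_priority == b.ha_priority, f"both use HA priority {a.ha_priority}"),
             (a.floating_ips != b.floating_ips, "floating IPs differ"),
             ((a.nodes, a.groups) != (b.nodes, b.groups), "firewall nodes or groups differ")]
    return [f"{a.name}/{b.name}: {msg}" for bad, msg in rules if bad]

def check_paths(near, far):
    """near's transparent target must be a floating IP that far holds on its firewall-facing subnet."""
    far_nets = [ipaddress.ip_network(f"{ip}/{PREFIX}", strict=False) for ip, _ in far.nodes.values()]
    errs = []
    for m, tgt in near.monitors.items():
        if tgt is not None and tgt not in far.floating_ips:
            errs.append(f"{near.name}: monitor {m} target {tgt} is not a floating IP of {far.name}")
        elif tgt is not None and not any(ipaddress.ip_address(tgt) in n for n in far_nets):
            errs.append(f"{near.name}: monitor {m} target {tgt} is not on {far.name}'s firewall-facing subnet")
    return errs

def audit(ext_a, ext_s, int_a, int_s):
    errs = [e for c in (ext_a, ext_s, int_a, int_s) for e in check_device(c)]
    errs += check_pair(ext_a, ext_s) + check_pair(int_a, int_s)
    return errs + check_paths(ext_a, int_a) + check_paths(int_a, ext_a)

def device_text(ha_id, prio, peer, floats, target, fw1, fw2):
    """Constructed sample for one AX device, in the command format of the example above."""
    lines = [f"ha id {ha_id}", f"ha group 1 priority {prio}", f"ha conn-mirror ip {peer}"]
    lines += [f"floating-ip {f} ha-group 1" for f in floats]
    lines += ["health monitor fwpathcheck", f"method icmp transparent {target}", "exit",
              f"fwlb node fw1 {fw1}", "health-check fwpathcheck", "exit",
              f"fwlb node fw2 {fw2}", "health-check fwpathcheck", "exit",
              "fwlb service-group fwsg", "member fw1", "member fw2", "exit",
              "fwlb virtual-firewall default", "ha-group 1", "port 80 tcp", "service-group fwsg", "ha-conn-mirror"]
    return "\n".join(lines)

EXT_FLOAT, INT_FLOAT = ["192.168.20.100", "10.1.1.100"], ["10.20.1.100", "10.5.1.100"]
SAMPLE = {  # addresses as in the Layer 2 example above
    "AX-Ext-A": device_text(1, 100, "10.1.1.6", EXT_FLOAT, "10.5.1.100", "10.1.1.1", "10.1.1.2"),
    "AX-Ext-S": device_text(2, 1, "10.1.1.5", EXT_FLOAT, "10.5.1.100", "10.1.1.1", "10.1.1.2"),
    "AX-Int-A": device_text(1, 100, "10.5.1.6", INT_FLOAT, "10.1.1.100", "10.5.1.1", "10.5.1.2"),
    "AX-Int-S": device_text(2, 1, "10.5.1.5", INT_FLOAT, "10.1.1.100", "10.5.1.1", "10.5.1.2"),
}

def audit_sample(faults=None):
    """Audit SAMPLE after applying {device: (old, new)} substitutions that inject faults."""
    faults = faults or {}
    texts = {n: (t.replace(*faults[n]) if n in faults else t) for n, t in SAMPLE.items()}
    return audit(*(parse(n, texts[n]) for n in ("AX-Ext-A", "AX-Ext-S", "AX-Int-A", "AX-Int-S")))
```

audit_sample() returns an empty list for the configuration above. Passing a substitution such as {"AX-Ext-S": ("ha id 2", "ha id 1")} injects a fault and returns the matching message. The subnet test in check_paths catches the case the last bullet above warns about: pointing the External monitors at 10.20.1.100 is accepted by the floating-IP test, because the Internal pair does hold that address, but rejected because it is not the floating IP on the subnet where the Internal pair meets the firewalls.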

CLI CONFIGURATION EXAMPLE—TOPOLOGY WITHOUT LAYER 2 SWITCHES

The following sections show the CLI commands for configuring interfaces, FWLB, and HA on each of the AX devices shown in Figure 103 on page 257. For simplicity, the SLB configuration is not shown.

Configuration of External AX1

The following commands configure the HA management and session synchronization interface to the other AX device:

Ext-AX1(config)#trunk 1
Ext-AX1(config-trunk:1)#ethernet 9 to 10
Ext-AX1(config-trunk:1)#exit
Ext-AX1(config)#vlan 50
Ext-AX1(config-vlan:50)#untagged ethernet 9 to 10
Ext-AX1(config-vlan:50)#router-interface ve 5
Ext-AX1(config-vlan:50)#exit
Ext-AX1(config)#interface ve 5
Ext-AX1(config-if:ve5)#ip address 50.1.1.1 255.255.255.0
Ext-AX1(config-if:ve5)#exit

The following commands configure the VE interface to clients:

Ext-AX1(config)#vlan 10
Ext-AX1(config-vlan:10)#untagged ethernet 1
Ext-AX1(config-vlan:10)#router-interface ve 1
Ext-AX1(config-vlan:10)#exit
Ext-AX1(config)#interface ve 1
Ext-AX1(config-if:ve1)#ip address 10.1.1.10 255.255.255.0
Ext-AX1(config-if:ve1)#exit

The following commands configure the VE interface to the firewalls:

Ext-AX1(config)#vlan 20
Ext-AX1(config-vlan:20)#untagged ethernet 2 ethernet 4 ethernet 13
Ext-AX1(config-vlan:20)#router-interface ve 2
Ext-AX1(config-vlan:20)#exit
Ext-AX1(config)#interface ve 2
Ext-AX1(config-if:ve2)#ip address 20.1.1.10 255.255.255.0
Ext-AX1(config-if:ve2)#exit

The following commands configure the static routes:

Ext-AX1(config)#ip route 40.1.1.0 /24 20.1.1.1
Ext-AX1(config)#ip route 30.1.1.0 /24 20.1.1.1

The following commands configure global HA parameters:

Ext-AX1(config)#ha id 1
Ext-AX1(config)#ha group 1 priority 200
Ext-AX1(config)#ha interface ethernet 1
Ext-AX1(config)#ha interface ethernet 2
Ext-AX1(config)#ha interface ethernet 4
Ext-AX1(config)#ha conn-mirror ip 50.1.1.2
Ext-AX1(config)#ha preemption-enable
Ext-AX1(config)#floating-ip 20.1.1.254 ha-group 1

The following commands configure a transparent ICMP (Layer 3) health monitor to check the health of the paths through the firewalls to the floating IP address configured on the other AX pair:

Ext-AX1(config)#health monitor tsping interval 15
Ext-AX1(config-health:monitor)#method icmp transparent 40.1.1.254
Ext-AX1(config-health:monitor)#exit

The following commands configure the FWLB parameters:

Ext-AX1(config)#fwlb node fw1 20.1.1.1
Ext-AX1(config-firewall node)#health-check tsping
Ext-AX1(config-firewall node)#exit
Ext-AX1(config)#fwlb node fw2 20.1.1.2
Ext-AX1(config-firewall node)#health-check tsping
Ext-AX1(config-firewall node)#exit
Ext-AX1(config)#fwlb node fw3 20.1.1.3
Ext-AX1(config-firewall node)#health-check tsping
Ext-AX1(config-firewall node)#exit
Ext-AX1(config)#fwlb node fw4 20.1.1.4
Ext-AX1(config-firewall node)#health-check tsping
Ext-AX1(config-firewall node)#exit
Ext-AX1(config)#fwlb service-group fwsg
Ext-AX1(config-fwlb service group)#member fw1
Ext-AX1(config-fwlb service group)#member fw2
Ext-AX1(config-fwlb service group)#member fw3
Ext-AX1(config-fwlb service group)#member fw4
Ext-AX1(config-fwlb service group)#exit
Ext-AX1(config)#fwlb virtual-firewall default
Ext-AX1(config-fwlb virtual firewall default)#ha-group 1
Ext-AX1(config-fwlb virtual firewall default)#service-group fwsg
Ext-AX1(config-fwlb virtual firewall default)#ha-conn-mirror
Ext-AX1(config-fwlb virtual firewall default)#port 80 tcp
Ext-AX1(config-slb virtual firewall default...)#service-group fwsg
Ext-AX1(config-slb virtual firewall default...)#ha-conn-mirror

Configuration of External AX2

This configuration is like the configuration for External AX1, with the following exceptions:

• The VE IP addresses are different (although they are in the same subnets as those on the other AX device).
• The HA ID, priority, and connection mirroring IP address are different from the other AX device.

The FWLB configuration is the same. For brevity, it is not shown.

Ext-AX2(config)#trunk 1
Ext-AX2(config-trunk:1)#ethernet 9 to 10
Ext-AX2(config-trunk:1)#exit
Ext-AX2(config)#vlan 50
Ext-AX2(config-vlan:50)#untagged ethernet 9 to 10
Ext-AX2(config-vlan:50)#router-interface ve 5
Ext-AX2(config-vlan:50)#exit
Ext-AX2(config)#interface ve 5
Ext-AX2(config-if:ve5)#ip address 50.1.1.2 255.255.255.0
Ext-AX2(config-if:ve5)#exit
Ext-AX2(config)#vlan 10
Ext-AX2(config-vlan:10)#untagged ethernet 1
Ext-AX2(config-vlan:10)#router-interface ve 1
Ext-AX2(config-vlan:10)#exit
Ext-AX2(config)#interface ve 1
Ext-AX2(config-if:ve1)#ip address 10.1.1.20 255.255.255.0
Ext-AX2(config-if:ve1)#exit
Ext-AX2(config)#vlan 20
Ext-AX2(config-vlan:20)#untagged ethernet 2 ethernet 4 ethernet 13
Ext-AX2(config-vlan:20)#router-interface ve 2
Ext-AX2(config-vlan:20)#exit
Ext-AX2(config)#interface ve 2
Ext-AX2(config-if:ve2)#ip address 20.1.1.20 255.255.255.0
Ext-AX2(config-if:ve2)#exit
Ext-AX2(config)#ip route 40.1.1.0 /24 20.1.1.1
Ext-AX2(config)#ip route 30.1.1.0 /24 20.1.1.1
Ext-AX2(config)#ha id 2
Ext-AX2(config)#ha group 1 priority 100
Ext-AX2(config)#ha interface ethernet 1
Ext-AX2(config)#ha interface ethernet 2
Ext-AX2(config)#ha interface ethernet 4
Ext-AX2(config)#ha conn-mirror ip 50.1.1.1
Ext-AX2(config)#ha preemption-enable
Ext-AX2(config)#floating-ip 20.1.1.254 ha-group 1

Configuration of Internal AX1

This configuration is like the configuration for External AX1, with the following exceptions:

• The VE IP addresses and subnets are different. (The VLAN numbers and some of the VE numbers also are different. For simplicity, the VLAN numbers were selected to match the subnet numbers, but this is not required.)
• The static routes are different.
• The floating IP address and connection mirroring IP address are different.
• The IP addresses of the firewall nodes are different.
• The target IP address of the transparent Layer 3 health check is the floating IP address of the external AX pair.

The following commands configure the HA management and session synchronization interface to the other AX device:

Int-AX1(config)#trunk 1
Int-AX1(config-trunk:1)#ethernet 9 to 10
Int-AX1(config-trunk:1)#exit
Int-AX1(config)#vlan 60
Int-AX1(config-vlan:60)#untagged ethernet 9 to 10
Int-AX1(config-vlan:60)#router-interface ve 60
Int-AX1(config-vlan:60)#exit
Int-AX1(config)#interface ve 60
Int-AX1(config-if:ve60)#ip address 60.1.1.1 255.255.255.0
Int-AX1(config-if:ve60)#exit

The following commands configure the VE interface to the servers:

Int-AX1(config)#vlan 40
Int-AX1(config-vlan:40)#untagged ethernet 2
Int-AX1(config-vlan:40)#router-interface ve 2
Int-AX1(config-vlan:40)#exit
Int-AX1(config)#interface ve 2
Int-AX1(config-if:ve2)#ip address 40.1.1.10 255.255.255.0
Int-AX1(config-if:ve2)#exit

The following commands configure the VE interface to the firewalls:

Int-AX1(config)#vlan 30
Int-AX1(config-vlan:30)#untagged ethernet 1 ethernet 3 ethernet 13
Int-AX1(config-vlan:30)#router-interface ve 1
Int-AX1(config-vlan:30)#exit
Int-AX1(config)#interface ve 1
Int-AX1(config-if:ve1)#ip address 30.1.1.10 255.255.255.0
Int-AX1(config-if:ve1)#exit

The following commands configure the static routes:

Int-AX1(config)#ip route 10.1.1.0 /24 30.1.1.1
Int-AX1(config)#ip route 20.1.1.0 /24 30.1.1.1

The following commands configure global HA parameters:

Int-AX1(config)#ha id 1
Int-AX1(config)#ha group 1 priority 200
Int-AX1(config)#ha interface ethernet 1
Int-AX1(config)#ha interface ethernet 2
Int-AX1(config)#ha interface ethernet 3
Int-AX1(config)#ha conn-mirror ip 60.1.1.2
Int-AX1(config)#ha preemption-enable
Int-AX1(config)#floating-ip 40.1.1.254 ha-group 1

Configuration of Internal AX2

This configuration is like the configuration for Internal AX1, with the following exceptions:

• The VE IP addresses are different (although they are in the same subnets as those on the other AX device).
• The HA ID, priority, and connection mirroring IP address are different from the other AX device.

The health monitor and FWLB configuration is the same. For brevity, it is not shown.

Int-AX2(config)#trunk 1
Int-AX2(config-trunk:1)#ethernet 9 to 10
Int-AX2(config-trunk:1)#exit
Int-AX2(config)#vlan 60
Int-AX2(config-vlan:60)#untagged ethernet 9 to 10
Int-AX2(config-vlan:60)#router-interface ve 60
Int-AX2(config-vlan:60)#exit
Int-AX2(config)#interface ve 60
Int-AX2(config-if:ve60)#ip address 60.1.1.2 255.255.255.0
Int-AX2(config-if:ve60)#exit
Int-AX2(config)#vlan 40
Int-AX2(config-vlan:40)#untagged ethernet 2
Int-AX2(config-vlan:40)#router-interface ve 2
Int-AX2(config-vlan:40)#exit
Int-AX2(config)#interface ve 2
Int-AX2(config-if:ve2)#ip address 40.1.1.20 255.255.255.0
Int-AX2(config-if:ve2)#exit
Int-AX2(config)#vlan 30
Int-AX2(config-vlan:30)#untagged ethernet 1 ethernet 3 ethernet 13
Int-AX2(config-vlan:30)#router-interface ve 1
Int-AX2(config-vlan:30)#exit
Int-AX2(config)#interface ve 1
Int-AX2(config-if:ve1)#ip address 30.1.1.20 255.255.255.0
Int-AX2(config-if:ve1)#exit
Int-AX2(config)#ip route 10.1.1.0 /24 30.1.1.1
Int-AX2(config)#ip route 20.1.1.0 /24 30.1.1.1
Int-AX2(config)#ha id 2
Int-AX2(config)#ha group 1 priority 100
Int-AX2(config)#ha interface ethernet 1
Int-AX2(config)#ha interface ethernet 2
Int-AX2(config)#ha interface ethernet 3
Int-AX2(config)#ha conn-mirror ip 60.1.1.1
Int-AX2(config)#ha preemption-enable
Int-AX2(config)#floating-ip 40.1.1.254 ha-group 1

Server and Port Templates

This chapter describes how to configure parameters for multiple servers and service ports using server and port templates.

Overview

The AX device supports the following types of templates for configuration of SLB servers and ports:

• Server – Contains configuration parameters for real servers
• Port – Contains configuration parameters for real service ports
• Virtual-server – Contains configuration parameters for virtual servers
• Virtual-port – Contains configuration parameters for virtual service ports

These template types provide the same benefit as other template types. They allow you to configure a set of parameter values and apply the set of values to multiple configuration items. In this case, you can configure sets of parameters (templates) for SLB assets (servers and service ports) and apply the parameters to multiple servers or ports.

Some of the parameters that can be set using a template can also be set or changed on the individual server or port.

• If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual server or port, the setting in the template takes precedence.
• If a parameter is set (or changed from its default) in both a template and on the individual server or port, the setting on the individual server or port takes precedence.

Parameters That Can Be Configured Using Server and Port Templates

Table 5 describes the server and port parameters you can configure using templates.

TABLE 5 SLB Port and Server Template Parameters

Template type: Real Server

Health monitor
  Assigns a configured Layer 3 health monitor to all servers that use the template. (See "Configuring and Applying a Health Method" on page 303.)
Connection limit
  Specifies the maximum number of connections allowed on any server that uses the template. (See "Connection Limiting" on page 290.)
Connection rate limiting
  Limits the rate of new connections the AX is allowed to send to any server that uses the template. (See "Connection Rate Limiting" on page 292.)
Slow start
  Provides time for servers that use the template to ramp up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the server. (See "SlowStart" on page 294.)

Template type: Real Server Port

Health monitor
  Assigns a configured Layer 4-7 health monitor to all service ports that use the template. (See "Configuring and Applying a Health Method" on page 303.)
In-band health monitor
  Provides rapid server status change and reassignment based on client-server traffic. This is an enhanced health check mechanism that works independently of the standard out-of-band health mechanism. See "In-Band Health Monitoring" on page 322.
Connection limit
  Specifies the maximum number of connections allowed on any real port that uses the template. (See "Connection Limiting" on page 290.)
Connection rate limiting
  Limits the rate of new connections the AX is allowed to send to any real port that uses the template. (See "Connection Rate Limiting" on page 292.)
Destination NAT
  Enables destination Network Address Translation (NAT). Destination NAT is enabled by default, but is disabled in Direct Server Return (DSR) configurations. You can re-enable destination NAT on individual ports for deployment of mixed DSR configurations. See "Direct Server Return in Mixed Layer 2/Layer 3 Environment" on page 82.
DSCP
  Sets the differentiated services code point (DSCP) value in the IP header of a client request before sending the request to a server.
Slow start
  Provides time for real ports that use the template to ramp up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports. (See "SlowStart" on page 294.)
Source NAT
  Specifies the IP NAT pool to use for assigning a source IP address to client traffic addressed to the port. For information about NAT, see "Network Address Translation" on page 483.
Weight
  Biases load-balancing selection of this port. A higher weight gives more favor to the server and port relative to the other servers and ports. For an example of weighted SLB, see "FTP Load Balancing" on page 141. (The example configures weights directly on the real service ports rather than using templates, but still illustrates how the weight option works.)
  Note: The weight option applies only to the weighted-least-connection, service-weighted-least-connection, and weighted-round-robin load-balancing methods.

Template type: Virtual Server

Connection limit
  Specifies the maximum number of connections allowed on any VIP that uses the template. (See "Connection Limiting" on page 290.)
Connection rate limiting
  Limits the rate of new connections accepted on any VIP that uses the template. (See "Connection Rate Limiting" on page 292.)
ICMP rate limiting
  Limits the rate at which ICMP packets can be sent to the VIP. (See "ICMP Rate Limiting" on page 540.)

Template type: Virtual Server Port

Connection limit
  Specifies the maximum number of connections allowed on any virtual service port that uses the template. (See "Connection Limiting" on page 290.)
Connection rate limiting
  Limits the rate of new connections accepted on any virtual service port that uses the template. (See "Connection Rate Limiting" on page 292.)

Default Server and Service Port Templates

The AX device has a default template for each of these template types. The default server and port templates are each named "default". The default settings in the templates are the same as the default settings for the parameters that can be set in the templates.

If you do not explicitly bind a server or service port template to a server or service port, the default template is automatically applied. For example, when you create a real server, the parameter settings in the default real server template are automatically applied to the new server, unless you bind a different real server template to the server.

If you are upgrading an AX device that has a configuration saved under a previous release, the default server and port templates are automatically bound to (applied to) the servers and ports in the configuration. This does not change the configuration or operation of the servers and ports themselves, since the default server and port templates use the default settings for all parameters, unless overridden by parameter settings on the individual servers and ports.

Configuring Server and Service Port Templates

To configure a server or port template, use either of the following methods.

USING THE GUI

1. Select Config > Service > SLB.
2. On the menu bar, select one of the following:
   • Template > Server
   • Template > Server Port
   • Template > Virtual Server
   • Template > Virtual Server Port
   The list of configured templates of the selected type appears.
3. Click Add to create a new one or click on the name of a configured template to edit it. The configuration tab for the template appears.
4. Enter a name for the template (if the template is new). To modify the default template, specify the name "default" (without the quotation marks).
5. Enter or edit other settings. (See the descriptions in the sections below for information.)
6. Click OK.

USING THE CLI

To configure server and service-port templates, use the following commands at the global configuration level of the CLI:

[no] slb template server template-name
[no] slb template port template-name
[no] slb template virtual-server template-name
[no] slb template virtual-port template-name

The template name can be 1-31 characters. These commands change the CLI to the configuration level for the template.

To display the settings in a template, use one of the following commands:

show slb template server template-name
show slb template port template-name
show slb template virtual-server template-name
show slb template virtual-port template-name

CLI Example

The following commands configure a new real server template and bind the template to two real servers:

AX(config)#slb template server rs-tmplt1
AX(config-rserver)#health-check ping2
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1

This example includes the commands to bind the template to real servers. For information about binding the templates, see "Applying a Server or Service Port Template" on page 286.

Applying a Server or Service Port Template

If you modify a "default" server or port template, the changes are automatically applied to any servers or ports that are not bound to another server or port template. If you create a new server or port template, the template takes effect only after you bind it to servers or ports. Table 6 lists the types of bindings that are supported for server and port templates.

TABLE 6 Server and Port Template Bindings

Template Type        Can Be Bound To...
Server               Real servers
Port                 Real server ports. You can apply them to real server ports directly or in a service group.
Virtual Server       Virtual servers
Virtual Server Port  Virtual server ports

Note: Binding a server port template to a service port within a service group provides a finer level of control than binding the template directly to a port. When the template is bound to the port only within a service group, and not bound to the port directly, the template settings apply to the port only when the port is used by the service group. The settings do not apply to the same port if used in other service groups.

The following subsections describe how to bind server and port templates to servers, ports, and service group members. For configuration examples, see the feature sections referred to in Table 5 on page 282.

Binding a Server Template to a Real Server

USING THE GUI

1. Select Config > Service > SLB.
2. Click Server on the menu bar.
3. Click on the server name. To create one, click create.
4. Select the template from the Server Template drop-down list.
5. When finished, click OK.

USING THE CLI

Enter the following command at the configuration level for the real server:

[no] template server template-name

Binding a Server Port Template to a Real Server Port

USING THE GUI

1. Select Config > Service > SLB.
2. Click Server on the menu bar.
3. Click on the server name. To create one, click create.
4. On the Port tab, select the template from the Server Port Template drop-down list.
5. Click Update.
6. When finished, click OK.

USING THE CLI

Enter the following command at the configuration level for the real port:

[no] template port template-name

Binding a Virtual Server Template to a Virtual Server

USING THE GUI

1. Select Config > Service > SLB.
2. Click Virtual Server on the menu bar.
3. Click on the virtual server name. To create one, click create.
4. Select the template from the Virtual Server Template drop-down list.
5. When finished, click OK.

USING THE CLI

Enter the following command at the configuration level for the virtual server:

[no] template virtual-server template-name

Binding a Virtual Server Port Template to a Virtual Service Port

USING THE GUI

1. Select Config > Service > SLB.
2. Click Virtual Server on the menu bar.
3. Click on the virtual server name.
4. On the Port tab, select the port and click Edit.
5. Select the template from the Virtual Server Port Template drop-down list.
6. Click OK.
7. When finished, click OK.

USING THE CLI

Enter the following command at the configuration level for the virtual service port:

[no] template virtual-port template-name

Binding a Server Port Template to a Service Group

USING THE GUI

1. Select Config > Service > SLB.
2. Click Service Group on the menu bar.
3. On the Server tab, select the server port template from the Server Port Template drop-down list.
4. Click OK.

USING THE CLI

At the configuration level for the service group, use the template template-name option with the member command:

[no] member server-name:portnum [disable | enable] [priority num] [template port template-name]

Connection Limiting

By default, the AX device does not limit the number of concurrent connections on a server or service port. If certain servers or services are becoming oversaturated, you can set a connection limit. The AX device stops sending new connection requests to a server or port when that server or port reaches its maximum allowed number of concurrent connections. Excess connections are dropped by default.

Connection limiting can be set in real server templates, real port templates, virtual server templates, and virtual port templates.

Connection Limit Parameters

To configure connection limits, you can set the following parameters:

• Connection limit – Specifies the maximum number of concurrent connections allowed on a server or port. You can specify 1-1048575 (1 million) connections. By default, the connection limit is not set.
• Connection resume threshold (real servers or ports only) – Specifies the maximum number of connections the server or port can have before the AX device resumes use of the server or port. You can specify 0-1048575.
• Reset or Drop (virtual servers or virtual server ports only) – Specifies the action to take for connections after the connection limit is reached on the virtual server or virtual server port. By default, excess connections are dropped. If you change the action to reset, the connections are reset instead.

Setting a Connection Limit

To set a connection limit in a server or port template, use either of the following methods.

USING THE GUI

On the configuration tab for the template:

1. Select the Connection Limit Status checkbox to display the configuration fields.
2. In the Connection Limit field, enter the maximum number of concurrent connections to allow on the server or port.
3. (Server or Server Port Templates only) In the Connection Resume field, enter the maximum number of connections the server or port can have before the AX device resumes use of the server or port.
4. (Virtual Server or Virtual Server Port Templates only) Select the action to take for connections that occur after the limit is reached: Drop or Reset.
5. Click OK.

USING THE CLI

To set a connection limit using a server or server port template, use the following command at the configuration level for the template:

[no] conn-limit max-connections [resume connections]

To set a connection limit using a virtual server or virtual server port template, use the following command at the configuration level for the template:

[no] conn-limit max-connections [reset]

CLI Example

The following commands set the connection limit to 500,000 concurrent connections in a real server template, then bind the template to real servers:

AX(config)#slb template server rs-tmplt1
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
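The connection limit and resume threshold just described, modelled as an added Python example (this is not code from the guide or from A10; the class and method names, and the small limits used in the demo, are constructed for the example). It shows why the resume threshold matters: without one, a saturated real server is put back into rotation the moment one connection closes and is immediately saturated again, whereas with a threshold the AX device leaves it alone until its count has fallen to that value.

```python
"""Concurrent connection limit with a resume threshold.

Added example, not code from the AX Series Configuration Guide or from A10.
It models the behaviour described above for `conn-limit max-connections
[resume connections]` on real servers/ports and `conn-limit max-connections
[reset]` on virtual servers/ports: the AX stops sending new connections to a
target that has reached its limit, excess connections are dropped (or reset,
virtual targets only), and a real target with a resume threshold is used
again only once its connection count has fallen to that threshold.  The
class and method names are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

MAX_CONN_LIMIT = 1048575   # documented upper bound for conn-limit


@dataclass
class ConnLimitedTarget:
    """A real or virtual server/port carrying a concurrent connection limit."""
    name: str
    limit: int                       # conn-limit max-connections (1-1048575)
    resume: Optional[int] = None     # real targets: resume threshold (0-1048575)
    reset_excess: bool = False       # virtual targets: [reset] instead of drop
    active: int = 0                  # current concurrent connections
    saturated: bool = False          # limit has been hit and not yet resumed
    dropped: int = 0
    reset: int = 0

    def __post_init__(self) -> None:
        if not 1 <= self.limit <= MAX_CONN_LIMIT:
            raise ValueError("conn-limit must be 1-1048575")
        if self.resume is not None and not 0 <= self.resume <= MAX_CONN_LIMIT:
            raise ValueError("resume threshold must be 0-1048575")

    def eligible(self) -> bool:
        """Would the AX send a new connection to this target right now?"""
        if self.active >= self.limit:
            self.saturated = True
            return False
        if self.saturated and self.resume is not None and self.active > self.resume:
            # Hysteresis: stay out of rotation until the count has fallen
            # to the resume threshold, so the target is not re-saturated
            # the moment a single connection closes.
            return False
        self.saturated = False
        return True

    def open(self) -> str:
        """Try to place one new connection; returns the outcome."""
        if self.eligible():
            self.active += 1
            return "accepted"
        if self.reset_excess:
            self.reset += 1
            return "reset"
        self.dropped += 1
        return "dropped"

    def close(self) -> None:
        """One connection on the target has finished."""
        if self.active > 0:
            self.active -= 1


def replay(target: ConnLimitedTarget, events: str) -> str:
    """Drive a target with a constructed event string ('o' = new connection
    attempt, 'c' = existing connection closed) and return one letter per
    attempt: A accepted, D dropped, R reset."""
    out = []
    for ev in events:
        if ev == "o":
            out.append(target.open()[0].upper())
        elif ev == "c":
            target.close()
    return "".join(out)


if __name__ == "__main__":
    rs = ConnLimitedTarget("rs1", limit=5, resume=2)
    print("real server, limit 5 / resume 2:", replay(rs, "oooooococcooo"))
    vs = ConnLimitedTarget("vip", limit=3, reset_excess=True)
    print("virtual server, limit 3 / reset:", replay(vs, "ooooco"))
```

In the first demo run the sixth attempt is dropped, one close is not enough to re-admit traffic (the count is still above the threshold of 2), and only after the count reaches 2 does the target accept again; the virtual-server run shows the reset action instead of a silent drop.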

Connection Rate Limiting

You can limit the rate at which the AX device is allowed to send new connections to servers or service ports. When a server or service port reaches its connection limit, the AX device stops using the server or service port.

Note: Connection rate limiting is different from slow-start, which temporarily limits the number of new connections per second when TCP/UDP service comes up on a service port. See “Slow-Start” on page 294.

Connection Rate Limiting Parameters

When you configure connection rate limiting, you can set the following parameters:

• Connection rate limit – The connection rate limit specifies the maximum number of new connections allowed on a server or service port. You can specify 1-1048575 connections. By default, the connection rate limit is not set.
• Interval – The interval specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals.
• Action for excess connections (virtual servers or virtual server ports only) – The action specifies how the AX device responds to connection requests after the connection rate has been exceeded. The action can be to silently drop excess connections or to send a reset (RST) to the client requesting the connection. The default action is to silently drop the excess connection requests.

USING THE GUI

On the configuration tab for the template:

1. Select the Connection Rate Limit checkbox to activate the configuration fields.
2. Enter the connection rate limit in the field next to the checkbox.
3. Select the sampling interval: 100ms or 1 second.
4. Select the action to take for connections that exceed the limit: Drop or Reset.

5. (Virtual Server or Virtual Server Port Templates only) Select the action to take for connections that occur after the limit is reached: Drop or Reset.
6. Click OK.

USING THE CLI

To configure connection rate limiting for a real server or service port, use the following command at the configuration level for a server or server port template, and apply the template to the server or port:

[no] conn-rate-limit connections [per {100ms | 1sec}]

The connections option specifies the maximum number of new connections allowed per interval. The per {100ms | 1sec} option specifies the interval.

To configure connection rate limiting for a virtual server or service port, use the following command at the configuration level for a virtual server or virtual server port template, and apply the template to the virtual server or virtual server port:

[no] conn-rate-limit connections [per {100ms | 1sec}] [reset]

The reset option resets connections that occur after the limit is reached. By default, excess connections are dropped.

If you configure a limit for a server and also for an individual port, the AX device uses the lower limit. For example, if you limit new TCP connections to a real server to 5000 per second and also limit new HTTP connections to 1200 per second, the AX device limits connections to TCP port HTTP to 1200 per second.

To display connection rate limiting information, use the following commands:

show slb server [server-name] detail
show slb virtual-server [server-name] detail

CLI Example

The following commands configure connection rate limiting in a real server template, then bind the template to real servers.

AX(config)#slb template server rs-tmplt1
AX(config-rserver)#conn-rate-limit 50000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1

Slow-Start

The slow-start feature allows time for a server or real service port to ramp up after TCP/UDP service on a server is enabled, by temporarily limiting the number of new connections on the server or port.

You can configure the slow-start parameters described in this section in real server templates and real port templates.

Note: Alternatively, you can enable slow-start on individual real servers. However, the ramp-up settings on individual servers are not configurable. The settings are the same as the default ramp-up settings in server and port templates.

Ramp-Up Parameters

The default ramp-up is as follows: when enabled, the feature first limits the server to 128 new connections per second for the first 10 seconds, then doubles the number of new connections allowed in every subsequent 10-second interval until 4096 new connections per second are allowed. The ramp-up continues for a total of 60 seconds.

You can configure the following ramp-up parameters:

• Starting connections per second – The starting connections per second is the maximum number of new connections per second to allow on the server or service port when it first comes up. You can specify from 1-4095 new connections per second. The default is 128.
• Connection increment – The connection increment specifies the amount by which to increase the number of new connections per second, using one of the following parameters:
  • Scale factor (This is the default.) – The scale factor is the number by which to multiply the starting connections per second. The scale factor can be 2-10. The default is 2. For example, if the scale factor is 2 and the starting connections per second is 128, the AX device increases the number of new connections per second to 256 after the first ramp-up interval.
  • Connection addition – As an alternative to specifying a scale factor, you can instead specify how many new connections per second to allow. The connection addition can be 1-4095 new connections per second.
  Note: For the connection increment, you can specify a scale factor or a connection addition.
• Ramp-up interval – The ramp-up interval specifies the number of seconds between each increase of the number of new connections allowed. For example, if the ramp-up interval is 10 seconds, the number of new connections per second to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds. The default is 10 seconds.
• Ending connections per second – The ending connections per second is the number of new connections per second at which the ramp-up is completed. The ending connections per second must be higher than the starting connections per second. You can specify from 1-65535 new connections per second. The default is 4096.

USING THE GUI

On the configuration tab for the real server template or real port template:

1. Select the Slow Start checkbox to activate the configuration fields.
2. Enter the starting number of connections per second in the field to the right of "From".
3. Enter the connection increment method: Multiplying or Adding.
4. Enter the connection increment in the field next to the increment method you selected.
5. Enter the ramp-up interval in the Every field.
6. Enter the ending connections per second in the Till field.
7. Click OK.

USING THE CLI

To configure slow-start, use the following command at the configuration level for a real server or real service port:

[no] slow-start [from starting-conn-per-second] [times scale-factor | add conn-incr] [every interval] [till ending-conn-per-second]

CLI Example

The following commands enable slow-start in a real server template, using the default settings, and bind the template to real servers.

AX(config)#slb template server rs-tmplt1
AX(config-rserver)#slow-start
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
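The two per-interval caps from the Connection Rate Limiting and Slow-Start sections above, worked through in an added Python example (not code from the guide or from A10; the function and class names, and the burst of 1300 attempts used in the demo, are constructed for the example). It computes the slow-start ramp for the documented defaults (128 new connections per second doubling every 10 seconds until 4096) as well as for the connection-addition form, and applies a fixed `conn-rate-limit` over 1-second or 100-ms windows, combining a server limit and a port limit by taking the lower one, as the CLI section states.

```python
"""New-connection rate caps: connection rate limiting and slow-start.

Added example in Python, not code from the AX Series Configuration Guide or
from A10.  It models the two caps described in the sections above:

  * `conn-rate-limit connections [per {100ms | 1sec}] [reset]`: a fixed cap
    on new connections per sampling interval, with drop (default) or reset
    for the excess; where both a server limit and a port limit apply, the
    lower one governs.
  * `slow-start [from ...] [times ... | add ...] [every ...] [till ...]`: a
    cap that starts low when the service comes up and rises every interval
    until the ending value is reached.

Function and class names are this example's own.  Time is passed in as
integer milliseconds so the 100 ms window boundaries are exact.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RATE_LIMIT = 1048575


def slow_start_schedule(start: int = 128, times: int = 2, add: Optional[int] = None,
                        every: int = 10, till: int = 4096) -> List[Tuple[int, int]]:
    """Return [(seconds_since_up, cap), ...] for a slow-start ramp.

    `add` selects the connection-addition increment; otherwise the scale
    factor `times` is used (the documented default).  Ranges follow the
    guide: from 1-4095, times 2-10, add 1-4095, every 1-60 s, till 1-65535
    and higher than the starting value.  The last entry is the ending value,
    at which the ramp is complete.
    """
    if not 1 <= start <= 4095:
        raise ValueError("from must be 1-4095")
    if add is None and not 2 <= times <= 10:
        raise ValueError("times must be 2-10")
    if add is not None and not 1 <= add <= 4095:
        raise ValueError("add must be 1-4095")
    if not 1 <= every <= 60:
        raise ValueError("every must be 1-60 seconds")
    if not start < till <= 65535:
        raise ValueError("till must be 1-65535 and higher than from")
    schedule, cap, t = [], start, 0
    while cap < till:
        schedule.append((t, cap))
        cap = cap * times if add is None else cap + add
        t += every
    schedule.append((t, till))      # ending value reached; ramp-up done
    return schedule


def slow_start_cap(schedule: List[Tuple[int, int]], seconds_since_up: int) -> int:
    """Cap in force at a given time since the service came up."""
    cap = schedule[0][1]
    for t, c in schedule:
        if seconds_since_up >= t:
            cap = c
    return cap


def effective_rate_limit(server_limit: Optional[int], port_limit: Optional[int]) -> Optional[int]:
    """Server and port limits combine by taking the lower configured one."""
    limits = [lim for lim in (server_limit, port_limit) if lim is not None]
    return min(limits) if limits else None


@dataclass
class RateLimiter:
    """Fixed-window counter for `conn-rate-limit` on one server or port."""
    limit: int                    # connections per interval (1-1048575)
    interval_ms: int = 1000       # per 1sec (default) or 100 for per 100ms
    reset_excess: bool = False    # virtual targets: [reset]; default is drop
    _window: int = -1
    _count: int = 0

    def __post_init__(self) -> None:
        if not 1 <= self.limit <= MAX_RATE_LIMIT:
            raise ValueError("conn-rate-limit must be 1-1048575")
        if self.interval_ms not in (100, 1000):
            raise ValueError("interval must be 100 ms or 1 second")

    def admit(self, now_ms: int) -> str:
        """Decide one new connection at time now_ms: accepted/dropped/reset."""
        window = now_ms // self.interval_ms
        if window != self._window:        # new sampling interval
            self._window, self._count = window, 0
        if self._count < self.limit:
            self._count += 1
            return "accepted"
        return "reset" if self.reset_excess else "dropped"


if __name__ == "__main__":
    for t, cap in slow_start_schedule():
        print(f"t={t:>2}s  cap={cap} new conn/s")
    # Constructed burst: 1300 connection attempts inside one second against
    # a port limited to 1200/s on a server limited to 5000/s.
    rl = RateLimiter(limit=effective_rate_limit(5000, 1200))
    outcomes = [rl.admit(500) for _ in range(1300)]
    print(outcomes.count("accepted"), "accepted,", outcomes.count("dropped"), "dropped")
```

The schedule makes the difference between the two features concrete: the rate limit is a constant cap that never goes away, while slow-start is a cap that exists only for the ramp-up window after a service comes up and then disappears once the ending value is reached.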

Health Monitoring

AX Series devices can regularly check the health of real servers and service ports. Health checks ensure that client requests go only to available servers. Servers or ports that respond appropriately to health checks remain eligible to serve client requests. A server or port that does not respond appropriately to a health check is temporarily removed from service, until the server or port is healthy again.

You can configure health methods on the AX device by configuring settings for the type of service you are monitoring. You also can configure health monitors externally using scripts and import the monitors for use by the AX device.

Default Health Checks

The AX device performs the following types of health checks by default:

• Layer 3 ping – The AX device sends an ICMP echo request (ping) addressed to the real server’s IP address. The server passes the health check if it sends an echo reply to the AX device.
• Layer 4 TCP – Every 30 seconds, the AX device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the AX device by sending a TCP SYN ACK.
• Layer 4 UDP – Every 30 seconds, the AX device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if the server either does not reply, or replies with any type of packet except an ICMP Error message.

The AX device always performs Layer 3 and Layer 4 health checks using these methods, unless you disable them on the real server or service port or configure other monitors for the same methods (ICMP, TCP, or UDP). The ICMP, TCP, and UDP monitors are used even if you also apply additional configured monitors to a service port.

Health Method Timers

Health methods operate based on the following timers:

• Interval – Number of seconds between each check using the monitor. By default, the AX device uses monitors every 30 seconds. If you need to fine-tune this interval, you can change it to a value from 1-180 seconds.
• Timeout – Number of seconds the AX device waits for a reply to a health check. If the AX device does not receive the expected reply by the end of the timeout, the AX device either sends the health check again (if there are retries left) or marks the server or service down. You can specify 1-12 seconds. The default is 5 seconds. (See “Health Method Types” on page 298.)
  Note: The timeout does not apply to externally configured health monitors.
• Retries – Maximum number of times the AX device will send the same health check to an unresponsive server or service before marking that server or service as down. You can specify 1-10. The default is 3.
• Up-Retry – Number of consecutive times the device must pass the same periodic health check, in order to be marked Up. You can specify 1-4. The default is 1. (See “Consecutive Health Checks Within a Health Check Period” on page 325.)

Note: To configure a health monitor for Direct Server Return (DSR), see “Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments” on page 308.

Health Method Types

Table 7 lists the internal health method types supported by the AX device. Multiple health method instances can be defined using the same method type and different parameters. Likewise, multiple health monitors can use the same health method to check different servers. When a health monitor is in use by a server, the monitor cannot be removed.

The health methods use the well-known port numbers for each application by default. You can change the port numbers and other options when you define the health methods. The type of reply expected by the AX device depends on the monitor type.
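The timers above (interval, timeout, retries, up-retry) and the Layer 4 TCP default check from the previous section, worked through in an added Python example (not code from the guide or from A10). The monitor class drives any probe callable; the TCP probe does the full handshake and orderly close that the default TCP method performs. The names are this example's own, the local listener is a constructed fixture, and the reading that the initial send plus all `retries` re-sends must fail before a target is marked down is an assumption about how the retry counter is applied.

```python
"""Health-check timers with a Layer 4 TCP probe.

Added example in Python, not code from the AX Series Configuration Guide or
from A10.  `HealthMonitor` models the interval, timeout, retries and up-retry
timers described above; `tcp_probe` performs the Layer 4 TCP default check
(SYN, SYN-ACK, ACK, then an orderly close) using a normal connect.  The
half-open variant that answers the SYN-ACK with a RST needs raw packets and
is not shown.  Names are this example's own, and the reading that the first
send plus `retries` re-sends must all fail before a target is marked down is
an assumption about how the retry counter is applied.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Tuple


def tcp_probe(host: str, port: int, timeout: float) -> bool:
    """Layer 4 TCP check: passes if the server completes the handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True        # handshake done; leaving the block closes (FIN)
    except OSError:            # refused, unreachable or no SYN-ACK in time
        return False


def open_test_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Constructed fixture: a local listening socket on an ephemeral port.
    The kernel completes handshakes on a listening socket, so no accept()
    loop is needed for the probe to pass."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


@dataclass
class HealthMonitor:
    interval: int = 30     # seconds between periodic checks (1-180)
    timeout: int = 5       # seconds to wait for the reply (1-12)
    retries: int = 3       # re-sends after a failure before marking down (1-10)
    up_retry: int = 1      # consecutive passes needed to mark up (1-4)
    up: bool = True
    consecutive_passes: int = 0
    probes_sent: int = 0

    def __post_init__(self) -> None:
        for name, lo, hi in (("interval", 1, 180), ("timeout", 1, 12),
                             ("retries", 1, 10), ("up_retry", 1, 4)):
            if not lo <= getattr(self, name) <= hi:
                raise ValueError(f"{name} must be {lo}-{hi}")

    def run_check(self, probe: Callable[[], bool]) -> bool:
        """One periodic check.  While the probe fails it is re-sent up to
        `retries` times; the target is marked down only if every attempt
        fails.  Returns the target's state after the check."""
        for _ in range(1 + self.retries):
            self.probes_sent += 1
            if probe():
                self.consecutive_passes += 1
                if not self.up and self.consecutive_passes >= self.up_retry:
                    self.up = True
                return self.up
        self.consecutive_passes = 0
        self.up = False
        return self.up

    def run_tcp_check(self, host: str, port: int) -> bool:
        """Periodic TCP check of host:port using the monitor's timeout."""
        return self.run_check(lambda: tcp_probe(host, port, self.timeout))


if __name__ == "__main__":
    listener, port = open_test_listener()
    mon = HealthMonitor(timeout=2, retries=2, up_retry=2)
    print("listener up   ->", mon.run_tcp_check("127.0.0.1", port))
    listener.close()
    print("listener gone ->", mon.run_tcp_check("127.0.0.1", port),
          "after", mon.probes_sent, "probes")
```

With the default retries of 3, a single unanswered probe never takes a server out of rotation: four consecutive failures within one check are needed, which is the trade-off between tolerating a lost packet and detecting a dead server quickly that the interval and timeout values tune.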

TABLE 7 Internal Health Method Types

Type: DNS
Description: AX Series sends a lookup request for the specified domain name or server IP address. You can configure the response code(s) and record type required for a successful health check. You can require the server to reply with specific status codes within the range 0-15. Optionally, you can require the server to reply with one of the following record types:
• A – IPv4 address record (the default)
• CNAME – Canonical name record for a DNS alias
• SOA – Start of authority record
• PTR – Pointer record for a domain name
• MX – Mail Exchanger record
• TXT – Text string
• AAAA – IPv6 address record
For health checks sent to a domain name, recursion is allowed by default. The tested DNS server is allowed to send the health check’s request to another DNS server if the tested server cannot fulfill the request using its own database. Optionally, you can disable recursion. (For more information, see “Customizing DNS Health Monitors” on page 312.)
Successful If...: Server sends a reply with the expected status code (0 by default) and record type (A by default).
Configuration Required on Target Server: Domain name in the lookup request must be in the server’s database.

Type: FTP
Description: AX Series sends an FTP login request to the specified port. If anonymous login is not used, the username also must be specified in the health check configuration.
Successful If...: Server replies with FTP OK message or Password message. If the server sends the Password message, the AX Series sends the password specified in the health check configuration. In this case, the AX Series expects the server to reply with another OK message.
Configuration Required on Target Server: Requested user name and password must be valid on the server.

TABLE 7 Internal Health Method Types (Continued)

Type: HTTP / HTTPS
Description: AX Series sends an HTTP GET, HEAD, or POST request to the specified TCP port and URL.
• GET requests the entire page.
• HEAD requests only the meta-information in the header.
• POST attempts to write information to the server. For POST operations, you must specify the target field names and the values to post. (For more information, see “Configuring POST Requests in HTTP/HTTPS Health Monitors” on page 310.)
By default, the real server’s IP address is placed in the request header’s Host: field. You can configure a different value if needed. You can configure the response code(s) and record type required for a successful health check.
If a user name and password are required to access the page, they also must be specified in the health check configuration. The following types of authentication are supported: basic, digest and NT LAN Manager (NTLM) authentication. If you specify a username and password, the health monitor will try to use basic authentication first. If this try succeeds, the authentication process is complete. Otherwise, the health monitor will negotiate with the server to select another authentication method, and retry the health check using that authentication method.
For HTTPS health checks, the AX device always accepts the server certificate presented by the server. A certificate does not need to be installed on the AX device.
Successful If...: Server replies with OK message (200). By default, the server also must reply with the requested content or meta-information in the page header. For GET requests, the response must include the string specified in the Expect field on the AX Series. For HEAD requests, the AX Series ignores the Expect field and only checks for the server reply message. For POST requests, the data must be posted without error.
Configuration Required on Target Server: Requested page (URL) must be present on the server. For GET requests, the string specified as the expected reply must be present. For POST operations, the field names specified in the health check must be present on the requested page. For HTTPS health checks, SSL support must be enabled on the server.

Type: ICMP
Description: AX Series sends an ICMP echo request (ping) to the server.
Note: This is a Layer 3 health check only. Use the other method types to check the health of a specific application.
Successful If...: Server replies with an ICMP echo reply message.
Configuration Required on Target Server: Server must be configured to reply to ICMP echo requests.

TABLE 7 Internal Health Method Types (Continued)

Type: LDAP
Description: AX Series sends an LDAP request to the LDAP port. Optionally, the request can be directed to a specific Distinguished Name. Optionally, SSL can be enabled for the health check. The AX Series always accepts the server certificate presented by the server. A certificate does not need to be installed on the AX Series.
Successful If...: Server sends a reply containing result code 0.
Configuration Required on Target Server: If a Distinguished Name and password are sent in the health check, they must match these values on the LDAP server. The AX Series also must send a valid password, if one is required by the server.

Type: NTP
Description: AX Series sends an NTP client message to UDP port 123.
Successful If...: Server sends a standard NTP 48-byte reply packet.
Configuration Required on Target Server: NTP service must be running.

Type: POP3
Description: AX Series sends a POP3 user login request with the specified user parameter. The AX Series then sends the password specified in the health check configuration.
Successful If...: Server replies with an OK message. After the password is sent, the AX Series expects the server to reply with another OK message.
Configuration Required on Target Server: Requested user name and password must be configured in the server’s user database.

Type: RADIUS
Description: AX Series sends a Password Authentication Protocol (PAP) request to authenticate the user name and password specified in the health check configuration.
Successful If...: Server sends Access Accepted message (reply code 2).
Configuration Required on Target Server: Requested user name and password must be valid on the server. Likewise, the shared secret sent in the health check must be valid on the server.

Type: RTSP
Description: AX Series sends a request for information about the file specified in the health check configuration.
Successful If...: Server replies with information about the specified file.
Configuration Required on Target Server: The file must be present on the RTSP server.

Type: SIP
Description: AX Series sends a SIP OPTION request or REGISTER request.
Successful If...: Server replies with 200 - OK.
Configuration Required on Target Server: None.

Type: SMTP
Description: AX Series sends an SMTP Hello message.
Successful If...: Server sends an OK message (reply code 250).
Configuration Required on Target Server: If SMTP service is running and can reply to Hello messages, the server can pass the health check. Server recognizes and accepts the domain of sender.

Type: SNMP
Description: AX Series sends an SNMP Get or Get Next request to the specified OID, from the specified community.
Successful If...: Server replies with the value of the OID.
Configuration Required on Target Server: Requested OID and the SNMP community must both be valid on the server.

TABLE 7 Internal Health Method Types (Continued)

Type: TCP
Description: AX Series sends a connection request (TCP SYN) to the specified TCP port on the server. By default, the AX device completes the TCP handshake with the server:

AX -> Server
SYN ->
<- SYN-ACK
ACK ->
FIN-ACK ->
<- FIN-ACK
ACK ->

To configure the AX device to send a RST (Reset) instead of sending the first ACK, enable the Halfopen option. In this case, the health check is performed as follows:

SYN ->
<- SYN-ACK
RST ->

Successful If...: Server replies with a TCP SYN ACK.
Configuration Required on Target Server: Destination TCP port of the health check must be valid on the server.

Type: UDP
Description: AX Series sends a packet with a valid UDP header and a garbage payload to the specified UDP port on the server.
Successful If...: Server does either of the following:
• Replies from the specified UDP port with any type of packet.
• Does not reply at all.
The server fails the health check only if the server replies with an ICMP Error message.
Configuration Required on Target Server: Destination UDP port of the health check must be valid on the server.
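The DNS row of Table 7 requires a reply with a configured status code (0-15) and record type (A, CNAME, SOA, PTR, MX, TXT or AAAA). Added Python example, not code from the guide or from A10, that builds the lookup request, constructs a sample reply for testing, and applies that pass/fail rule to the raw reply bytes. Helper names, the example.com names and the 192.0.2.x addresses are constructed for the example; checking the transaction ID and the QR bit before looking at the status code is added as a basic sanity check that the guide does not mention.

```python
"""Evaluating a DNS reply the way the DNS health method describes.

Added example in Python, not code from the AX Series Configuration Guide or
from A10.  It builds a lookup request (with recursion desired or not),
constructs a sample reply for testing, and checks the reply the way Table 7
describes: the status code (RCODE, 0-15; 0 by default) must match, and the
answer section must contain a record of the required type (A by default).
Helper names and the sample names/addresses (example.com, 192.0.2.x) are
constructed for this example.  Checking the transaction ID against the
query and the QR bit is added as a basic sanity check on the reply.
"""
import struct
from typing import List, Optional, Tuple

# Record types the guide lists as selectable for the DNS health check.
RECORD_TYPES = {"A": 1, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: str = "A", recursion: bool = True) -> bytes:
    """Health-check lookup request; RD set unless recursion is disabled."""
    flags = 0x0100 if recursion else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", RECORD_TYPES[qtype], 1)


def build_response(query: bytes, rcode: int, answers: List[Tuple[str, bytes]]) -> bytes:
    """Constructed reply for testing: echoes the question, sets QR/RD/RA and
    the RCODE, and appends answer RRs that point back at the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(answers), 0, 0)
    body = b""
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", RECORD_TYPES[rtype], 1, 300, len(rdata)) + rdata
    return header + query[12:] + body


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name, whether spelled out or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length


def evaluate_dns_reply(reply: bytes, txid: Optional[int] = None,
                       expected_rcode: int = 0, expected_type: str = "A") -> bool:
    """Pass/fail decision for one reply under the configured requirements."""
    if not 0 <= expected_rcode <= 15:
        raise ValueError("status code must be 0-15")
    if len(reply) < 12:
        return False
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if txid is not None and rid != txid:
        return False                      # not a reply to our request
    if not flags & 0x8000:
        return False                      # QR bit clear: not a response
    if (flags & 0xF) != expected_rcode:
        return False
    if expected_rcode != 0:
        return True     # assumption: a non-zero status carries no answer to type-check
    off = 12
    for _ in range(qdcount):
        off = skip_name(reply, off) + 4   # name, then QTYPE and QCLASS
    wanted = RECORD_TYPES[expected_type]
    for _ in range(ancount):
        off = skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        if rtype == wanted:
            return True
        off += 10 + rdlen
    return False


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    ok = build_response(q, 0, [("A", bytes([192, 0, 2, 10]))])
    print("A answer, rcode 0:", evaluate_dns_reply(ok, txid=0x1234))
    print("NXDOMAIN reply:  ", evaluate_dns_reply(build_response(q, 3, []), txid=0x1234))
```

Note the CNAME case: a reply whose answer section holds only a CNAME fails the default check (record type A required) even though the status code is 0, which is exactly the situation in which you would configure the monitor to require CNAME instead.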

Protocol Port Numbers Tested by Health Checks

If you specify the protocol port number to test in a health monitor, the protocol port number configured in the health monitor is used if you send an on-demand health check to a server without specifying the protocol port. (See “On-Demand Health Checks” on page 326.)

After you bind the health monitor to a real server port, health checks using the monitor are addressed to the real server port number instead of the port number specified in the health monitor’s configuration. In this case, you can override the IP address or port using the override options described in “Overriding the Target IP Address or Protocol Port Number” on page 315.

Configuring and Applying a Health Method

1. Create a new health monitor and configure its settings for the type of service you are monitoring. If you created the monitor externally with a script, import the script.
2. Apply the monitor to the real server (for Layer 3 checks) or service port. You can apply a health monitor to a server or port in either of the following ways:
   • Apply the health monitor to a server or port template, then bind the template to the server or port.
   • Apply the health monitor directly to the individual server or port.

USING THE GUI

To configure an internal monitor

1. Select Config > Service > Health Monitor.
2. Select Health Monitor on the menu bar.
3. Click Add.
4. On the Health Monitor tab, enter a name for the monitor.
5. On the Method tab, select the monitor type from the Type drop-down list. The rest of the configuration fields change depending on the monitor type. (See “Health Method Types” on page 298.)
6. Enter or select settings for the monitor.
7. Click OK. The new monitor appears in the Health Monitor table.

To import an externally configured monitor

1. Create a script for the monitor. (For an example, see “External Health Method Examples” on page 331.)
2. In the AX management GUI, select Config > Service > Health Monitor.
3. Select External Program on the menu bar.
4. Click Add.
5. Enter a name and description for the external health method.
6. Copy and paste the script into the Definition field.
7. Click OK. The method appears in the External Program table.

To apply a Layer 3 health monitor to a real server template

1. Select Config > Service > SLB.
2. On the menu bar, select Template > Server.
3. To create a new template, click Add. To edit an existing template, click on the template name. The Server Template tab appears.
4. Select the health monitor from the Health Monitor drop-down list.

5. Configure other settings if needed. (See “Server and Port Templates” on page 281.)
6. Click OK.

To apply a health monitor to a real service port template

1. Select Config > Service > SLB.
2. On the menu bar, select Template > Server Port.
3. To create a new template, click Add. To edit an existing template, click on the template name. The Server Port Template tab appears.
4. Select the health monitor from the Health Monitor drop-down list.
5. Configure other settings if needed. (See “Server and Port Templates” on page 281.)
6. Click OK.

To apply the monitor to an individual real server or service port

1. Select Config > Service > SLB.
2. On the menu bar, select Server.
3. Select the server or click Add to create a new one.
4. To apply a Layer 3 health monitor to the server, select the health monitor from the Health Monitor drop-down list on the General tab.
5. To apply a health monitor to a service port:
   a. On the Port tab, click the checkbox next to the service port to select it.
   b. Select the health monitor from the Health Monitor drop-down list on the Port tab.
   c. Click Update.
6. Enter or change other settings if needed.
7. Click OK.

To apply a Layer 3 health monitor to a service group

1. Select Config > Service > SLB.
2. On the menu bar, select Service Group.
3. Select the service group or click Add to create a new one.
4. Select the health monitor from the Health Monitor drop-down list on the Service Group tab.
5. Enter or change other settings if needed.
6. Click OK.

(For more information about how health monitors are used when applied to service groups, see “Service Group Health Checks” on page 318.)

USING THE CLI

To configure an internal monitor

1. Use the following command at the global configuration level of the CLI:

   health monitor monitor-name [interval seconds | retry number | timeout seconds]

   If you enter the monitor-name without any of the timer options, the CLI changes to the configuration level for the monitor. If you enter any of the timer options, the timer value is changed instead.
2. At the configuration level for the monitor, use the following command to specify the method to use:

   [no] method method-name

   The method-name can be one of the types listed in “Health Method Types” on page 298. For syntax information, see the “Config Commands: SLB Health Monitors” chapter in the AX Series CLI Reference. Also see that section for additional options you can specify.

To import an externally configured monitor
1. Create a Tcl script for the monitor. (For an example, see “External Health Method Examples” on page 331.)
2. At the global configuration level of the AX CLI, use the following command to import the monitor script:
   health external import [description] url
   The url specifies the file transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
   tftp://host/program-name
   ftp://[user@]host[:port]/program-name
   scp://[user@]host/program-name
   rcp://[user@]host/program-name
3. Create a new health monitor to use the script by entering the following command at the global config level:
   health monitor monitor-name
   This command changes the CLI to the configuration level for the new health monitor.
4. At the configuration level for the monitor, use the following command to associate the script with the new monitor:
   method external [port port-num] program program-name [arguments argument-string]
   For port-num, specify the service port number on the real server.

To apply the health monitor to a real server template or real service port template
Use the following command at the configuration level for the server template (if applying a monitor that uses the ping method) or at the configuration level for the service port template (for all other method types).
   health-check [monitor-name]

To apply the monitor to an individual real server or service port
Use the following command at the configuration level for the server (if applying a monitor that uses the ping method) or at the configuration level for the service port (for all other method types).
   health-check [monitor-name]

Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments

Layer 3 and Layer 4-7 health checks are supported on DSR configurations.
• The target of the Layer 3 health checks can be the real IP addresses of the servers, or the virtual IP address, depending on your preference.
  • To send the Layer 3 health checks to the real server IP addresses, you can use the default Layer 3 health method (ICMP).
  • To send the Layer 3 health checks to the virtual IP address instead:
    • Configure an ICMP health method with the transparent option enabled, and with the alias address set to the virtual IP address.
    • Globally enable DSR health checking.
• Layer 4-7 health checks are sent to the same IP address as the Layer 3 health checks, and then addressed to the specific protocol port. You can use the default TCP and UDP health monitors or configure new health monitors. This example uses the default TCP health monitor.

Note: The following sections show how to configure Layer 3 health checking of virtual IP addresses and how to globally enable DSR health checking of virtual IP addresses. A complete DSR deployment requires additional configuration. See the examples in “Network Setup” on page 49.

USING THE GUI

To configure a Layer 3 health method targeted to a virtual IP address:
1. Select Config > Service > Health Monitor.
2. Select Health Monitor on the menu bar.
3. Click New. The Health Monitor tab appears.
4. Enter a name for the monitor.

5. Click Method to display the tab.
6. In the Type drop-down list, select ICMP.
7. In the Mode drop-down list, select Transparent.
8. In the Alias Address field, enter the virtual IP address.
9. Click Apply or OK.

To globally enable DSR health checking of virtual IP addresses:
1. Select Config > Service > Server > Global > Settings.
2. Select Enabled next to DSR Health Check.
3. Click Apply.

USING THE CLI

To configure a Layer 3 health method targeted to a virtual IP address:
Use the following commands:
   health monitor monitor-name [interval seconds | retry number | timeout seconds]
Enter this command at the global Config level of the CLI. The CLI changes to the configuration level for the health method.
   method icmp transparent ipaddr
For ipaddr, enter the loopback address.

To globally enable DSR health checking of virtual IP addresses:
Use the following command at the global Config level of the CLI:
   slb dsr-health-check-enable

Configuring POST Requests in HTTP/HTTPS Health Monitors

You can specify a POST operation in an HTTP or HTTPS health monitor. A POST operation attempts to post data into fields on the requested page.

USING THE GUI
1. Select Config > Service > Health Monitor.
2. Click Add.
3. On the Health Monitor tab, enter a name for the monitor in the Name field.
4. On the Method tab, select HTTP or HTTPS from the Type drop-down list. Configuration fields for HTTP or HTTPS health monitoring options appear.
5. To configure an HTTP POST operation:
   a. Next to URL, select POST from the drop-down list.
   b. In the field next to the drop-down list, enter the URL path.
   c. In the Post Data field, enter the field names and values to be posted. In the postdata string, use “=” between a field name and the value you are posting to it. If you post to multiple fields, use “&” between the fields. For example: fieldname1=value&fieldname1=value
6. Configure other settings as needed.
7. Click OK.

FIGURE 109 HTTP Health Monitor with POST Operation

USING THE CLI
To configure an HTTP or HTTPS health monitor, use the following commands:
   [no] health monitor monitor-name [interval seconds] [retry number] [timeout seconds] [up-retry num]
This command creates the health monitor, but does not configure the health method used by the monitor. If you enter the monitor-name without entering any other options, the CLI changes to the configuration level for the monitor. If you enter any of the timer options, the timer value is changed instead.
At the configuration level for the health monitor, enter one of the following commands:

   [no] method http [port port-num] [url {GET | HEAD} url-path | POST url-path postdata string] [host {ipv4-addr | ipv6-addr | domain-name} [:port-num]] [expect {string | response-code code-list}] [username name]
or
   [no] method https [port port-num] [url {GET | HEAD} url-path | POST url-path postdata string] [host {ipv4-addr | ipv6-addr | domain-name} [:port-num]] [expect {string | response-code code-list}] [username name]
In the postdata string, use “=” between a field name and the value you are posting to it. If you post to multiple fields, use “&” between the fields. For example: postdata fieldname1=value&fieldname1=value

CLI Example
The following commands configure an HTTP health method that uses a POST operation to post firstname=abc and lastname=xyz to /postdata.asp on the tested server:
   AX(config)#health monitor http1
   AX(config-health:monitor)#method http url POST /postdata.asp postdata firstname=abc&lastname=xyz

Customizing DNS Health Monitors

The AX Series provides the following configurable options for DNS health monitors:
• Expected response codes – You can specify a list of response codes, in the range 0-15, that are valid responses to a health check. If the tested DNS server responds with any of the expected response codes, the server passes the health check. By default, the expect list is empty, in which case the AX device expects status code 0 (No error condition).
• Recursion setting (enabled or disabled) – Recursion specifies whether the tested DNS server is allowed to send the health check’s request to

another DNS server if the tested server can not fulfill the request using its own database. Recursion is enabled by default.
• Record type expected from the server – You can specify one of the following record types:
  • A – IPv4 address record
  • CNAME – Canonical name record for a DNS alias
  • SOA – Start of authority record
  • PTR – Pointer record for a domain name
  • MX – Mail Exchanger record
  • TXT – Text string
  • AAAA – IPv6 address record
  By default, the AX device expects the DNS server to respond to the health check with an A record.

USING THE GUI
1. Select Config > Service > Health Monitor.
2. Click Add.
3. On the Health Monitor tab, enter a name for the monitor in the Name field.
4. On the Method tab, select DNS from the Type drop-down list. Configuration fields for DNS health monitoring options appear.
5. To test a specific server, click IP Address and enter the address in the IP Address field. Otherwise, to test based on a domain name sent in the health check, leave Domain selected and enter the domain name in the Domain field.
6. If the DNS server to be tested does not listen for DNS traffic on the default DNS port (53), edit the port number in the Port field.
7. To specify the response codes that are valid for passing a health check, enter the codes in the Expect field. To specify a range, use a dash. Separate the codes (and code ranges) with commas.
8. If you do not want to allow recursion, select Disabled next to Recursion.
9. If you left Domain selected, select the record type the server is expected to send in reply to health checks from the Type drop-down list.
10. Click OK.
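The Expect option above (and the expect string / response-code option of the HTTP and HTTPS methods) decides whether a reply counts as a pass. The following Python is an added example, not code from the AX Series or from A10 Networks: it parses a code list in the guide's syntax ("0-3,5"), composes the request an HTTP POST health method would send, and evaluates constructed HTTP and DNS replies against the expect rules the guide states (empty DNS expect list means only RCODE 0 passes). The default HTTP rule with no expect option (2xx passes) and the function names are this example's own assumptions; the DNS part checks only the response code, not the record type.

```python
"""Added example (not from the AX guide): evaluate HTTP and DNS health-check
replies the way the guide describes the "expect" options."""
import re
import struct
from typing import Optional


def parse_code_list(code_list: str, lo: int, hi: int) -> set:
    """Parse an expect code-list such as "0-3,5" into a set of ints.
    Ranges use a dash, entries are separated by commas (guide, DNS step 7)."""
    codes = set()
    for item in code_list.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            first, last = item.split("-", 1)
            start, end = int(first), int(last)
        else:
            start = end = int(item)
        if start > end or start < lo or end > hi:
            raise ValueError(f"code list entry out of range {lo}-{hi}: {item!r}")
        codes.update(range(start, end + 1))
    return codes


def build_http_post(url_path: str, postdata: str, host: str = "localhost") -> bytes:
    """Compose the HTTP POST request an HTTP POST health method sends:
    postdata is the guide's "field=value&field=value" string."""
    body = postdata.encode()
    head = (f"POST {url_path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body


def http_passes(response: bytes, expect_string: Optional[str] = None,
                expect_codes: Optional[str] = None) -> bool:
    """Pass if the status code is in expect_codes (when given) and, if
    expect_string is given, the string appears in the reply.
    Assumption (not stated in the guide): with no expect option, any 2xx passes."""
    m = re.match(rb"HTTP/1\.[01] (\d{3}) ", response)
    if not m:
        return False
    status = int(m.group(1))
    if expect_codes is not None:
        if status not in parse_code_list(expect_codes, 100, 599):
            return False
    elif not 200 <= status < 300:
        return False
    if expect_string is not None and expect_string.encode() not in response:
        return False
    return True


def dns_rcode(packet: bytes) -> int:
    """RCODE is the low 4 bits of the flags word (bytes 2-3 of the DNS header)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", packet[2:4])
    return flags & 0x000F


def dns_passes(packet: bytes, expect_codes: str = "") -> bool:
    """An empty expect list means only RCODE 0 (No error) passes, per the guide."""
    allowed = parse_code_list(expect_codes, 0, 15) if expect_codes else {0}
    return dns_rcode(packet) in allowed


if __name__ == "__main__":
    # Constructed samples: the guide's POST example, a 404 reply, and a
    # DNS header with RCODE 3 (NXDOMAIN); no live server involved.
    print(build_http_post("/postdata.asp", "firstname=abc&lastname=xyz").decode())
    print(http_passes(b"HTTP/1.1 404 Not Found\r\n\r\n", expect_codes="200,404"))
    nxdomain = bytes([0x12, 0x34, 0x81, 0x83]) + bytes(8)
    print(dns_passes(nxdomain), dns_passes(nxdomain, "0-3,5"))
```

The code-list parser rejects entries outside the range the guide allows (0-15 for DNS), so a typo such as "0-16" fails at configuration time rather than silently passing every reply.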

FIGURE 110 DNS Health Monitor

USING THE CLI
To configure a DNS health monitor, use the following commands:
   [no] health monitor monitor-name [interval seconds] [retry number] [timeout seconds] [up-retry num]
This command creates the health monitor, but does not configure the health method used by the monitor. If you enter the monitor-name without entering any other options, the CLI changes to the configuration level for the monitor. If you enter any of the timer options, the timer value is changed instead.
At the configuration level for the health monitor, enter the following command:

   [no] method dns {ipaddr | domain domain-name} [expect response-code code-list | port port-num | recurse {enabled | disabled} | type {A | CNAME | SOA | PTR | MX | TXT | AAAA}]

CLI Example
The following commands configure a DNS health monitor that sends a query for www.example.com, and expects an Address record and any of the following response codes in reply: 0, 1, 2, 3, or 5:
   AX(config)#health monitor dnshm1
   AX(config-health:monitor)#method dns domain www.example.com expect response-code 0-3,5

Overriding the Target IP Address or Protocol Port Number

By default, the AX device sends a Layer 3 health check to the IP address used in the real server configuration. Likewise, the AX device sends Layer 4-7 health checks to the real port number in the real server’s configuration. For GSLB service IPs, the AX device sends the health check to the service IP address.

The AX device provides options to override the real server IP address or protocol port number to which health checks are addressed. You can specify an override IP address or protocol port number in the health monitor. In this case, the AX device always addresses the health check to the override address or port.

This option is particularly useful for testing the health of a remote link, as in the following example. For example, if the configuration has a Layer 3 health monitor used by service IPs 192.168.100.100-102, the AX device addresses the health checks to those IP addresses.

FIGURE 111 Example of Health-check Address Override

In this example, the real servers managed by the site AX are configured as service IPs 192.168.100.100-102 on the GSLB AX. The health-check metric is enabled in the GSLB policy, so health checks are needed to verify that the service IPs are healthy. One way to do so is to check the health of the ISP link connected to the site AX device. Because the GSLB AX device is deployed in route mode instead of transparent mode, the transparent option for ICMP health monitors can not be used to check the remote end of the path. In this case, the health monitor can be configured with an override IP address, to check the health of the ISP link to the site where the servers are located. When the AX device in this example uses the health monitor to check the health of a service IP,

instead of addressing the health check to the service IP addresses, the device addresses the health check to 192.168.1.1, the override address.

Override Parameters
You can independently configure any of the following override parameters for a health monitor:
• Target IPv4 address
• Target IPv6 address
• Target Layer 4 protocol port number
The override is used only if applicable to the method (health check type) and the target. An IP address override is applicable only if the target has the same address type (IPv4 or IPv6) as the override address. A protocol port override is applicable to all health methods except ICMP. If the protocol port number is explicitly configured for the method, the override port number is still used instead.

USING THE GUI
1. Select Config > Service > Health Monitor.
2. Click on the health monitor name or click Add to create a new one.
3. For an ICMP health monitor:
   a. Leave ICMP selected in the Type drop-down list.
   b. Enter the target IP address of the health monitor, in the Override IPv4 or Override IPv6 field.
4. For other health methods, select the type, then enter the target protocol port number in the Override Port field.
5. Click OK. The health monitor list re-appears.

USING THE CLI
Use one of the following commands at the configuration level for the health monitor:
   [no] override-ipv4 ipaddr
   [no] override-ipv6 ipv6addr
   [no] override-port portnum
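The override rules above are easy to get wrong when a monitor is reused across IPv4 and IPv6 targets or across methods. The following Python is an added example, not code from the AX Series or from A10 Networks: it computes where a health check is actually addressed given the real server address and port, the method, and the three override parameters, following the rules the guide states (address family must match; port override applies to every method except ICMP and wins over a port configured in the method). The HealthMonitor type and the assumption that a port configured in the method is used ahead of the real server port when no override is set are this example's own.

```python
"""Added example (not from the AX guide): effective target of a health check
after applying the override-ipv4 / override-ipv6 / override-port rules."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple


@dataclass
class HealthMonitor:
    """Hypothetical model of a health monitor's target-related settings."""
    name: str
    method: str                          # "icmp", "tcp", "http", "dns", ...
    method_port: Optional[int] = None    # port configured on the method itself
    override_ipv4: Optional[str] = None  # override-ipv4 ipaddr
    override_ipv6: Optional[str] = None  # override-ipv6 ipv6addr
    override_port: Optional[int] = None  # override-port portnum


def effective_target(hm: HealthMonitor, real_ip: str,
                     real_port: int) -> Tuple[str, Optional[int]]:
    """Return (address, port) the probe is sent to.

    - An address override is used only when its family matches the target.
    - ICMP has no protocol port, so port overrides are ignored for it.
    - For other methods the override port wins even over a port set on the
      method; otherwise the method port (assumption) or the real port is used."""
    target = ip_address(real_ip)
    addr = str(target)
    if target.version == 4 and hm.override_ipv4:
        addr = hm.override_ipv4
    elif target.version == 6 and hm.override_ipv6:
        addr = hm.override_ipv6

    if hm.method == "icmp":
        port: Optional[int] = None
    elif hm.override_port is not None:
        port = hm.override_port
    elif hm.method_port is not None:
        port = hm.method_port
    else:
        port = real_port
    return addr, port


if __name__ == "__main__":
    # The guide's site1-hm: ICMP with override-ipv4 192.168.1.1, applied to
    # service IPs 192.168.100.100-102 (values taken from the guide's example).
    site1 = HealthMonitor("site1-hm", "icmp", override_ipv4="192.168.1.1")
    for svc in ("192.168.100.100", "192.168.100.101", "192.168.100.102"):
        print(svc, "->", effective_target(site1, svc, 0))
    # Constructed: same monitor against an IPv6 target; the IPv4 override
    # does not apply, so the probe goes to the target itself.
    print(effective_target(site1, "2001:db8::1", 0))
```

A practical check this enables: run it over every monitor and every member it is bound to, and flag any member whose effective address differs from the member address. Those are exactly the cases where a "healthy" status says nothing about the member itself, as in the ISP-link example above.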

CLI Example
The following commands configure a health monitor for the service IPs shown in Figure 111 on page 316, and apply the monitor to the service IPs.
   AX(config)#health monitor site1-hm
   AX(config-health:monitor)#method icmp
   AX(config-health:monitor)#override-ipv4 192.168.1.1
   AX(config-health:monitor)#exit
   AX(config)#gslb service-ip gslb-srvc1 192.168.100.100
   AX(config-gslb service-ip)#health-check site1-hm
   AX(config-gslb service-ip)#exit
   AX(config)#gslb service-ip gslb-srvc2 192.168.100.101
   AX(config-gslb service-ip)#health-check site1-hm
   AX(config-gslb service-ip)#exit
   AX(config)#gslb service-ip gslb-srvc3 192.168.100.102
   AX(config-gslb service-ip)#health-check site1-hm

Service Group Health Checks

You can assign a health monitor to a service group. This feature is useful in cases where the same server provides content for multiple, independent sites. When you use this feature, if a site is unavailable (for example, is taken down for maintenance), the server will fail the health check for that site, and clients will not be sent to the site. However, other sites on the same server will pass their health checks, and clients of those sites will be sent to the server. Figure 112 shows an example.

FIGURE 112 Service Group Health Checks

In this example, a single server provides content for the following sites:
• www.media-rts.com
• www.media-tuv.com
• www.media-wxyz.com
All sites can be reached on HTTP port 80 on the server. The health check configured on the port in the real server configuration results in the same health status for all three sites. All of them either are up or are down. In this case, if one of the sites is taken down for maintenance, the health status of that site will still be up, since the real port still responds to the health check configured on the port.

You can configure the AX device to separately test the health of each site, by assigning each site to a separate service group, and assigning a separate Layer 7 health monitor to each of the service groups. In this example, a separate HTTP health method is configured for each of the services, on the same real port. The health monitors test the health of a site by sending an HTTP request to a URL specific to the site. In this way, if a site is taken down for maintenance, that site fails its health check while the other sites still pass their health checks, even though the

server’s HTTP port is up.

Service group health status applies only within the context of the service group. For example, a site will fail its health check if the URL requested by its health check is unavailable. A health check of the same port from another service group can result in a different health status, depending on the resource requested by the health check.

Priority of Health Checks
Health checks can be applied to the same resource (real server or port) at the following levels:
1. In a service group that contains the server and port as a member
2. In a server or server port configuration template that is bound to the server or port
3. Directly on the individual server or port
In cases where health checks are applied at multiple levels, they have the priority listed above. For example, if a service group health check is configured, the health of a service is based on that health check, not on a health check at the server port template or individual port configuration level.

To assign a health monitor to a service group, use either of the following methods.

USING THE GUI
On the Service Group configuration tab, select the monitor from the Health Monitor list or click “create” to create a new one and select it.

USING THE CLI
Use the following command at the configuration level for the service group:
   [no] health-check monitor-name

CLI Example
The commands in this section implement the configuration shown in Figure 112.

The following commands configure the health monitors for each site on the server:
   AX(config)#health monitor qrs
   AX(config-health:monitor)#method http url GET /media-qrs/index.html
   AX(config-health:monitor)#exit
   AX(config)#health monitor tuv
   AX(config-health:monitor)#method http url GET /media-tuv/index.html
   AX(config-health:monitor)#exit
   AX(config)#health monitor wxyz
   AX(config-health:monitor)#method http url GET /media-wxyz/index.html
   AX(config-health:monitor)#exit
The following commands configure the real server:
   AX(config)#slb server media-rs 10.10.10.88
   AX(config-real server)#port 80 tcp
   AX(config-real server-node port)#exit
   AX(config-real server)#exit
The following commands configure the service groups:
   AX(config)#slb service-group qrs tcp
   AX(config-slb svc group)#member media-rs:80
   AX(config-slb svc group)#health-check qrs
   AX(config-slb svc group)#exit
   AX(config)#slb service-group tuv tcp
   AX(config-slb svc group)#member media-rs:80
   AX(config-slb svc group)#health-check tuv
   AX(config-slb svc group)#exit
   AX(config)#slb service-group wxyz tcp
   AX(config-slb svc group)#member media-rs:80
   AX(config-slb svc group)#health-check wxyz
   AX(config-slb svc group)#exit
The following commands configure the virtual servers:
   AX(config)#slb virtual-server media-qrs 192.168.1.10
   AX(config-slb vserver)#port 80 http
   AX(config-slb vserver-vport)#service-group qrs
   AX(config-slb vserver-vport)#exit
   AX(config-slb vserver)#exit
   AX(config)#slb virtual-server media-tuv 192.168.1.11
   AX(config-slb vserver)#port 80 http
   AX(config-slb vserver-vport)#service-group tuv

   AX(config-slb vserver-vport)#exit
   AX(config-slb vserver)#exit
   AX(config)#slb virtual-server media-wxyz 192.168.1.12
   AX(config-slb vserver)#port 80 http
   AX(config-slb vserver-vport)#service-group wxyz
   AX(config-slb vserver-vport)#exit
   AX(config-slb vserver)#exit

In-Band Health Monitoring

In-band health checks are an optional supplement to the standard Layer 4 health checks. In-band health checks assess service port health based on client-server traffic, and can very quickly send a client’s traffic to another server and port if necessary. An in-band health check can also mark a port down.

In the current release, in-band health monitoring is supported for the following service types:
• TCP
• HTTP
• HTTPS

Relationship To Standard Layer 4 Health Monitoring
The in-band health check works independently of and supplements the standard Layer 4 health check. This is the same Layer 4 health check available in previous releases and has the same defaults. For example, for TCP, the standard health check works as follows by default: Every 30 seconds, the AX device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the AX device by sending a TCP SYN ACK.

In-band health monitoring works as described below.

Note: A10 Networks recommends that you continue to use standard Layer 4 health monitoring even if you enable in-band health monitoring. Without standard health monitoring, a server port marked down by an in-band health check remains down.

How In-Band Layer 4 Health Monitoring Works
In-band health monitoring for services on TCP watches client-server SYN handshake traffic, and increments the following counters if the server does not send a SYN ACK in reply to a SYN:
• Retry counter – Each client-server session has its own retry counter. The AX device increments a session’s retry counter each time a SYN ACK is late. If the retry counter exceeds the configured maximum number of retries allowed, the AX device sends the next SYN for the session to a different server. The AX device also resets the retry counter to 0. You can set the retry counter to 0-7 retries. The default is 2 retries.
• Reassign counter – Each real port has its own reassign counter. Each time the retry counter for any session is exceeded, the AX device increments the reassign counter for the server port. If the reassign counter exceeds the configured maximum number of reassignments allowed, the AX device marks the port DOWN. You can set the reassign counter to 0-255 reassignments. The default is 25 reassignments.
In this case, the port remains DOWN until the next time the port successfully passes a standard health check. Once the port passes a standard health check, the AX device starts using the port again and resets the reassign counter to 0.

In-band health monitoring is disabled by default.

Logging and Traps
When the AX device marks a server port down, the device generates a log message and an SNMP trap, if logging or SNMP traps are enabled. The message and trap are the same as those generated when a server port fails a standard health check. However, based on the module name listed in the message, you can discern whether the port was marked down due to a failed in-band health check or standard health check.
• A10LB – The port was marked down by an in-band health check.
• A10HM – The port was marked down by a standard health check.
Here is an example of a log message generated from each module:
   Sep 08 2008 17:15:04 Info A10LB SLB server s-3-2-1 (10.3.2.1) port 80 is down.
   Sep 08 2008 17:15:04 Info A10HM SLB server s-3-2-1 (10.3.2.1) port 80 is down.
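The retry and reassign counters above interact in a way that is worth seeing step by step, and the A10LB / A10HM module name is the only thing that separates an in-band down event from a standard one in the log. The following Python is an added example, not code from the AX Series or from A10 Networks: it models the two counters with the guide's defaults and ranges (retry 0-7, default 2; reassign 0-255, default 25), including the rule that only a standard health check marks the port up again and resets the reassign counter, and it parses the two log lines shown above into fields a SIEM rule could match on. The class and function names, the session and port objects, and the exact moment at which "exceeds" is evaluated are this example's own assumptions.

```python
"""Added example (not A10 code): model of the in-band Layer 4 counters the
guide describes, plus a parser that separates A10LB (in-band) from A10HM
(standard) "port is down" log messages."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class RealPort:
    name: str
    max_reassigns: int = 25      # guide default; valid range 0-255
    reassign_count: int = 0
    down: bool = False


@dataclass
class Session:
    client: str
    port: RealPort
    retry_count: int = 0         # per client-server session


class InbandMonitor:
    def __init__(self, max_retries: int = 2):   # guide default; valid 0-7
        if not 0 <= max_retries <= 7:
            raise ValueError("retry must be 0-7")
        self.max_retries = max_retries

    def syn_ack_late(self, session: Session) -> bool:
        """Called when the SYN ACK for a session's SYN did not arrive in time.
        Returns True when the next SYN should be sent to a different server."""
        port = session.port
        session.retry_count += 1
        if session.retry_count <= self.max_retries:
            return False
        # Retry limit exceeded: reassign the session, reset its retry counter,
        # and count the reassignment against the real port.
        session.retry_count = 0
        port.reassign_count += 1
        if port.reassign_count > port.max_reassigns:
            port.down = True     # stays down until a standard check passes
        return True


def standard_check_passed(port: RealPort) -> None:
    """Only the standard (A10HM) health check marks a port up; per the guide
    it also resets the reassign counter to 0."""
    port.down = False
    port.reassign_count = 0


LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<sev>\w+) "
    r"(?P<module>A10LB|A10HM) SLB server (?P<server>\S+) "
    r"\((?P<ip>[^)]+)\) port (?P<port>\d+) is (?P<state>up|down)\.?$")


def parse_slb_log(line: str) -> Optional[dict]:
    """Parse one SLB server-port log line; None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["source"] = "in-band" if rec["module"] == "A10LB" else "standard"
    return rec


# Constructed sample lines, written to match the two examples in the guide.
SAMPLE_LOGS = [
    "Sep 08 2008 17:15:04 Info A10LB SLB server s-3-2-1 (10.3.2.1) port 80 is down.",
    "Sep 08 2008 17:15:04 Info A10HM SLB server s-3-2-1 (10.3.2.1) port 80 is down.",
]

if __name__ == "__main__":
    port = RealPort("rs1:80", max_reassigns=1)
    mon = InbandMonitor()
    for client in ("c1", "c2"):
        s = Session(client, port)
        while not mon.syn_ack_late(s):
            pass
        print(client, "reassigned; port reassign_count =", port.reassign_count,
              "down =", port.down)
    for line in SAMPLE_LOGS:
        print(parse_slb_log(line)["source"])
```

A detection note that follows from the model: a burst of A10LB down messages with no matching A10HM message means the standard check still sees the port as healthy, which is the situation the guide's recommendation to keep standard monitoring enabled is meant to resolve.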

In-band health monitoring does not mark ports up. Only standard health monitoring marks ports up. So messages and traps for server ports coming up are generated only by the A10HM module.

Configuring In-Band Health Monitoring
To configure in-band health monitoring:
1. Enable the feature in a server port template.
2. Bind the port template to real server ports, either directly or in a service group.

USING THE GUI
To configure in-band health monitoring in a server port template:
1. Select Config > Service > SLB.
2. On the menu bar, select Template > Server Port.
3. Click on the template name or click Add to create a new one.
4. Select Inband Health Check on the Server Port tab.
5. In the Retry field, enter the number of retries allowed.
6. In the Reassign field, enter the number of reassignments allowed.
7. Enter other parameters as needed (for example, the template name, if you are creating a new template).
8. Click OK.
To bind the template to a server port, see “Binding a Server Port Template to a Real Server Port” on page 288.

USING THE CLI
To configure in-band health monitoring, use the following command at the configuration level for the server port template:
   [no] inband-health-check [retry maximum-retries] [reassign maximum-reassigns]

CLI Example
The following commands enable in-band health monitoring in a server port template and bind the template to real ports on two real servers:
   AX(config)#slb template port rp-tmplt2
   AX(config-rport)#inband-health-check
   AX(config-rport)#exit
   AX(config)#slb server rs1 10.1.1.99
   AX(config-real server)#port 80 tcp
   AX(config-real server-node port)#template port rp-tmplt2
   AX(config-real server-node port)#exit
   AX(config-real server)#exit
   AX(config)#slb server rs2 10.1.1.100
   AX(config-real server)#port 80 tcp
   AX(config-real server-node port)#template port rp-tmplt2
   AX(config-real server-node port)#exit
   AX(config-real server)#exit

Consecutive Health Checks Within a Health Check Period

You can configure the number of times the target device must consecutively reply to the same periodic health check in order to pass the health check. By default, a server or port needs to successfully reply to a given health check only one time in order to pass the health check. The server or port is then considered to be up until the next periodic health check.

You can set the required number of consecutive passes to 1-10. You can configure this parameter on an individual health monitor basis. The setting applies to all health checks that are performed using the health monitor.

USING THE GUI
1. Select Config > Service > Health Monitor.
2. Select Health Monitor on the menu bar.
3. Click on the monitor name or click Add to add a new one.
4. On the Health Monitor tab, enter a name for the monitor (if new).

5. In the Consec Pass Req’d field, enter the number of consecutive times the target must pass the same periodic health check.
6. If new, on the Method tab, select the monitor type from the Type drop-down list, and enter or select settings for the monitor.
7. Click OK.

USING THE CLI
Use the up-retry number option with the health-monitor command.

On-Demand Health Checks

You can easily test the health of a server or individual service at any time, using the default Layer 3 health monitor (ICMP ping) or a configured health monitor.

Note: If an override IP address and protocol port are set in the health monitor configuration, the AX device will use the override address and port, even if you specify an address and port when you send the on-demand health check.

USING THE GUI
1. Select Monitor > Service > Health Monitor.
2. Enter the IP address of the server to be tested in the IP Address field.
3. To test a specific service, enter the protocol port number for the service in the Port field.
4. Select the health monitor to use from the Health Monitor drop-down list.
5. Click Start. The status of the server or service appears in the Status message area.

USING THE CLI
To test the health of a server, use the following command at the EXEC, Privileged EXEC, or global configuration level of the CLI:
   health-test {ipaddr | ipv6 ipv6addr} [count num] [monitorname monitor-name] [port portnum]

The ipaddr | ipv6 ipv6addr option specifies the IPv4 or IPv6 address of the device to test.
The count num option specifies the number of health checks to send to the device. You can specify 1-65535. The default is 1.
The monitorname monitor-name option specifies the health monitor to use. The health monitor must already be configured. By default, the default Layer 3 health check (ICMP ping) is used.
The port portnum option specifies the protocol port to test. You can specify 1-65535. By default, the protocol port number specified in the health monitor configuration is used.

CLI Example
The following command tests port 80 on server 192.168.1.66, using configured health monitor hm80:
   AX#health-test 192.168.1.66 monitorname hm80
   node status UP.

Displaying Health Status

The AX device begins sending health checks to a real server’s IP address and service ports as soon as you finish configuring the server. You can display health status for virtual servers and service ports, and for the real servers and service ports used by the virtual server. To display health status, use either of the following methods.

USING THE GUI
To display the health of virtual servers and service ports:
1. Select Monitor > Overview > Status. The virtual servers are listed at the top of the page. The state of health of each virtual server is shown by an icon next to the virtual server name.
2. To display more specific health information for a virtual server’s service ports, click on the virtual server name.
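The consecutive-pass setting (up-retry) and the on-demand health-test with a count both change what a single "pass" means, which matters when a flapping service port is being diagnosed. The following Python is an added example, not code from the AX Series or from A10 Networks: it simulates a periodic health check that requires up-retry consecutive correct replies within one period (range 1-10 as the guide states) and an on-demand test that sends count probes (range 1-65535). The probe is a constructed target that answers according to a fixed pattern. The treatment of the retry option (consecutive failed periods before the target is marked DOWN), the rule that an on-demand test reports UP only if every probe succeeds, and all names are this example's own assumptions; the guide defines neither.

```python
"""Added example (not A10 code): periodic health-check logic with the
consecutive-pass (up-retry) option and an on-demand health-test with count."""
from typing import Callable, List

Probe = Callable[[], bool]   # returns True when the target answered correctly


class MonitorState:
    def __init__(self, retry: int = 3, up_retry: int = 1):
        if not 1 <= up_retry <= 10:
            raise ValueError("up-retry must be 1-10 (guide)")
        self.retry = retry            # assumption: failed periods tolerated
        self.up_retry = up_retry      # consecutive passes required per period
        self.up = True                # assumption: targets start UP
        self.failed_periods = 0

    def run_period(self, probe: Probe) -> bool:
        """One periodic health check: the target must reply correctly up_retry
        times in a row; the period fails at the first miss. A passing period
        keeps the target UP until the next period, as the guide states."""
        passed = all(probe() for _ in range(self.up_retry))
        if passed:
            self.up = True
            self.failed_periods = 0
        else:
            self.failed_periods += 1
            if self.failed_periods > self.retry:   # assumption
                self.up = False
        return passed


def health_test(probe: Probe, count: int = 1) -> str:
    """On-demand check like `health-test ... count num`: reports UP only if
    every one of the count probes succeeds (assumption)."""
    if not 1 <= count <= 65535:
        raise ValueError("count must be 1-65535 (guide)")
    return "UP" if all(probe() for _ in range(count)) else "DOWN"


def flaky_probe(pattern: List[bool]) -> Probe:
    """Constructed sample target: replies follow `pattern`, then repeat."""
    state = {"i": 0}

    def probe() -> bool:
        reply = pattern[state["i"] % len(pattern)]
        state["i"] += 1
        return reply
    return probe


if __name__ == "__main__":
    # A target that answers every other probe: with the default up-retry of 1
    # it passes each period; with up-retry 2 it never does.
    print(MonitorState(up_retry=1).run_period(flaky_probe([True, False])))
    print(MonitorState(up_retry=2).run_period(flaky_probe([True, False])))
    print(health_test(flaky_probe([True, True, False]), count=3))
```

The first two printed results show why the guide offers the option: a target that answers one probe and drops the next is "up" under the default setting and "down" once two consecutive replies are required.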

For information about the virtual server health state icons, see the “Monitor > Overview > Status” section in the “Monitor Mode” chapter of the AX Series GUI Reference.
Virtual server health status is also displayed in the virtual server list displayed by Config > Service > SLB > Virtual Server.

To display the health of real servers and service ports:
1. Select Monitor > Service > Server.
2. On the menu bar, select Server. The state of health of each real server is shown by an icon next to the server name.
3. To display more specific health information for a real server’s service ports, click on the server name.
For information about the real server health state icons, see the “Monitor > Service > Server” section in the “Monitor Mode” chapter of the AX Series GUI Reference.
Real server health status is also displayed in the real server list displayed by Config > Service > SLB > Server.

USING THE CLI
To display the health of virtual servers and service ports:
Use the following command. The health is shown in the State field. For descriptions of each health state, see the AX Series CLI Reference.
   show slb virtual-server virtual-server-name [virtual-port-num service-type [group-name]]

Here is an example:

AX#show slb virtual-server "vs 1"
Virtual server: vs 1                              State: Down
IP: 1.1.1.201
Pri  Port/State                      Curr-conn  Total-conn  Rx-Pkt  Tx-Pkt
-----------------------------------------------------------------------
Virtual Port:80 / service:svcgrp 1 / state:Down
     port 80 tcp
     server 1:80/Down                0          0           0       0
Virtual Port:1 / service: / state:Unkn
     port 1 tcp
     Persist Source IP:tmpl persist srcip 1
Virtual Port:2 / service: / state:Unkn
     port 2 tcp
     Persist SSL session ID:tmpl persist sslid 1
Virtual Port:3 / service: / state:Unkn
     port 3 tcp
     Template tcp tmpl tcp 1
Virtual Port:4 / service: / state:Unkn
...

To display the health of real servers and service ports, use the following command:

show slb server [server-name [port-num]]

For descriptions of each health state, see the AX Series CLI Reference.

Here is an example:

AX#show slb server
Total Number of Services configured: 5
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service        Current  Total  Req-pkt  Resp-pkt  State
------------------------------------------------------------------------------
s1:80/tcp      0        0      0        0         Down
s1:53/udp      0        0      0        0         Down
s1:85/udp      0        0      0        0         Down
s1: Total      0        0      0        0         Down
------------------------------------------------------------------------------

To display health monitoring statistics, use the following command:

show health stat

Here is an example:

AX#show health stat
Health monitor statistics
Total run time:             : 2 hours 1345 seconds
Number of burst:            : 0
Number of timer adjustment: : 0
Timer offset:               : 0
Opened socket:              : 1140
Open socket failed:         : 0
Close socket:               : 1136
Send packet:                : 0
Send packet failed:         : 259379
Receive packet:             : 0
Receive packet failed       : 0
Retry times:                : 4270
Timeout:                    : 0
Unexpected error:           : 0

IP address     Port  Health monitor  Status  Cause(Up/Down/Retry)  PIN
--------------------------------------------------------------------------------
10.10.10.88          default         Down    0 /48 /854            2 /0
10.10.10.88    80    qrs             Down    0 /34 /0              2 /0
...

For more information, see the AX Series CLI Reference.

External Health Method Examples
Besides internal health checks, which use a predefined health check method, you can use external health checks with scripts. The following types of scripts are supported:
• Perl
• Shell
• Tcl

Utility commands such as ping, ping6, dig, wget, and so on are supported.

To use the external method, you must import the program onto the AX Series device. TCL script filenames must use the ".tcl" extension.

The following commands import external program "ext.tcl" from FTP server 192.168.0.1, and configure external health method "hm3" to use the imported program to check the health of port 80 on the real server:

AX(config)#health external import "checking HTTP server" ftp://192.168.0.1/ext.tcl
AX(config)#health monitor hm3
AX(config-health:monitor)#method external port 80 program ext.tcl

TCL Script Example
For Tcl scripts, the health check parameters are transmitted to the script through the predefined TCL array ax_env. The array variable ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the server port number. The script execution result indicates the server status, which must be stored in ax_env(Result). Set ax_env(Result) 0 as pass and set the others as fail.

Here is the ext.tcl file:

# Init server status to "DOWN"; it stays DOWN unless the server answers 200
set ax_env(Result) 1

# Open a socket to the server address and port passed in by the AX device
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
    puts stderr "$ax_env(ServerHost): $sock"
} else {
    fconfigure $sock -buffering none -eofchar {}
    # Send the request; the extra "\n" produces the blank line that ends the headers
    puts $sock "GET /1.html HTTP/1.0\n"
    # Wait for the response from the HTTP server
    set line [read $sock]
    # Match the status line of an HTTP/1.0 or HTTP/1.1 response and capture the status code
    if { [ regexp "HTTP/1.. (\[0-9\]+) " $line match status] } {
        puts "server $ax_env(ServerHost) response : $status"
        # Check the status code
        if { $status == 200 } {
            # Set server to be "UP"
            set ax_env(Result) 0
        }
    }
    close $sock
}

Perl Script Example
For other external scripts (non-Tcl), environment variables are used to pass the server IP address (HM_SRV_IPADDR) and the port number (HM_SRV_PORT). The script returns 0 as pass and returns others as fail.

For Perl scripts, use #!/usr/bin/perl at the beginning of the script. Here is an example using the Perl scripting language:

#!/usr/bin/perl -w
# Sample script for checking Web server
my $host = $ENV{'HM_SRV_IPADDR'};
defined($host) or die "HM_SRV_IPADDR is not set\n";
my $port = 80;
if (defined($ENV{'HM_SRV_PORT'})) {
    $port = $ENV{'HM_SRV_PORT'};
}
# Use wget; its exit code is zero if the fetch was successful.
# exec with a list passes the URL as a single argument, so it is never re-parsed by a shell.
my @args = qw(-O /dev/null -o /dev/null --timeout=2 --tries=1);
exec "wget", @args, "http://$host:$port" or exit 1;
# vim: tw=78:sw=3:tabstop=3:autoindent:expandtab

Shell Script Example
For Shell scripts, use #!/bin/bash at the beginning of the script. Here is an example using the Shell scripting language:

#!/bin/bash
if test "$HM_SRV_IPADDR" == "" ; then
    echo "Please check ENV Var 'HM_SRV_IPADDR'"
    exit 1
fi
echo -n "Test $HM_SRV_IPADDR ..."
# Quote the variables so the values are passed to wget as single arguments; fall back to
# port 80 when HM_SRV_PORT is not set. Short timeout and a single try keep the check bounded.
wget "http://$HM_SRV_IPADDR:${HM_SRV_PORT:-80}/" --delete-after --timeout=2 --tries=1 > /dev/null 2>&1
ret=$?
if test "$ret" -eq 0 ; then
    echo "OK"
    exit 0
else
    echo "Fail"
    exit 1
fi

Global Server Load Balancing
This chapter describes Global Server Load Balancing (GSLB).

Overview
Global Server Load Balancing (GSLB) extends load balancing to global geographic scale. GSLB provides SLB service across multiple sites. AX Series GSLB uses the DNS proxy method to add intelligence to DNS. GSLB evaluates the server IP addresses in DNS replies and changes the order of the addresses in the replies so that the best available host IP address is the preferred choice.

AX Series GSLB provides the following key advantages:
• Protects businesses from down time due to site failures
• Ensures business continuity and applications availability
• Provides faster performance and improved user experience by directing users to the nearest site
• Increases data center efficiency and better return on investment by distributing load to multiple sites
• Provides flexible policies for selecting fairness and distribution to multiple sites

Figure 113 shows an example of a GSLB configuration.

FIGURE 113 GSLB Example

In this example, the GSLB AX device (the GSLB controller) globally load balances client requests for "www.a10.com". The a10.com services reside on real servers at two sites. At each site, an AX device provides SLB for the real servers. On the GSLB AX device, the sites are grouped into a zone for the service.

When a client sends a DNS lookup request for the IP address of "www.a10.com", the GSLB AX device intercepts the request and sends the same request to the DNS server on behalf of the client. When the GSLB AX device receives the DNS reply, the device re-orders the IP addresses in the reply based on the results of site evaluation using the configured GSLB metrics. The GSLB AX device also makes other changes

to the DNS reply, if specified by the GSLB configuration, such as shortening the TTL of the IP Address records. The GSLB AX device then sends the modified DNS reply to the client.

When the client receives the DNS reply, the client then sends the HTTP request to the IP address that the GSLB AX device placed at the top of the IP address list in the DNS reply.

Note: Here and elsewhere in A10 Networks user documentation, the IP addresses shown in figures and configuration examples are for illustration purposes only. When you configure a feature for your network, you will need to use the IP addresses that apply to your network.

An AX device becomes a GSLB AX device when you configure GSLB on the device and enable the GSLB protocol for the controller function. The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.

Advantages of GSLB
In standard DNS, when a client wants to connect to a host and has the hostname but not the IP address, the client sends a lookup request to its local DNS server. The local DNS server checks its local database.
• If the database contains an Address record for the requested host name, the DNS server sends the IP address for the host name back to the client. The client now can access the requested host.
• If the local DNS server does not have an Address record for the requested server, the local DNS server makes recursive queries to the root and intermediate DNS servers, which results in authoritative DNS server addresses, and so on. When a request reaches an authoritative DNS server, that DNS server sends a reply to the DNS query. The client's local DNS server then sends the reply to the client. The client can then access the host.

In today's redundant data centers and multiple service provider sites, a host name can reside at multiple data centers or sites, with different IP addresses. When this is the case, the authoritative DNS server for the host sends multiple IP addresses in its replies to DNS queries. Standard DNS servers can provide only rudimentary load sharing for the addresses, using a simple round-robin algorithm to rotate the list of addresses for each query. Thus, the address that is listed first in the last reply sent by the DNS server is rotated to be the last address listed in the next reply.

Zones, Services, and Sites
GSLB operates on zones, services, and sites.
• Zones – A zone is a GSLB domain. An AX device can be configured with one or more GSLB zones. Each zone can be configured with one or more services.
• Services – A service is an application, for example, HTTP or FTP. Each zone can contain one or more GSLB sites.
• Sites – A site is a server farm that is locally managed by an AX device that performs Server Load Balancing (SLB) for the site.

GSLB Policy
GSLB evaluates the service IP addresses listed in replies from DNS servers to clients, re-orders the addresses based on that evaluation, and sends the DNS replies to clients with the re-ordered IP address lists. GSLB selects the best site IP address using a GSLB policy. As a result of this process, each client receives a DNS reply that has the best service IP address listed first.

A GSLB policy consists of one or more of the following metrics:
1. health-check – Services that pass health checks are preferred.
2. weighted-ip – Service IP addresses with higher administratively assigned weights are used more often than service IP addresses with lower weights. (See "Weighted-IP and Weighted-Site" on page 339.)
3. weighted-site – Sites with higher administratively assigned weights are preferred. Sites with higher administratively assigned weights are used more often than sites with lower weights. (See "Weighted-IP and Weighted-Site" on page 339.)
4. session-capacity – Sites with more available sessions based on respective maximum session capacity are preferred.
5. active-servers – Sites with the most currently active servers are preferred.
6. active-rtt – Sites with faster round-trip-times for DNS queries and replies between a site AX device and the GSLB local DNS are preferred.
7. passive-rtt – Services with faster response times to clients are preferred.
8. geographic – Services located within the client's geographic region are preferred.
9. connection-load – Sites that are not exceeding their thresholds for new connections are preferred.

10. num-session – Sites that are not exceeding the available session capacity threshold compared to other sites are treated as having the same preference.
11. admin-preference – The site with the highest administratively set preference is selected.
12. least-response – Service IP addresses with the fewest hits are preferred.
13. ordered-ip – Service IP addresses are administratively prioritized. (See "Ordered-IP" on page 340.)
14. bw-cost – Selects sites based on bandwidth utilization on the site AX links.
15. round-robin – Sites are selected in sequential order. (See "Tie-Breaker" on page 340.)

The GSLB AX device uses each enabled GSLB metric to select or eliminate service IP addresses, or to sort (re-order) the list of addresses, then passes the subset of addresses that pass the metric's criteria to the next metric, and so on. The prioritized list is sent to the next metric for further evaluation. If ordered-ip is the last metric, the prioritized list is sent to the client. The GSLB AX device then replaces the IP address list in the DNS reply with the re-ordered list before sending the reply to the client.

The health-check, geographic, and round-robin metrics are enabled by default. All other metrics are disabled by default. The metric order and the configuration of each metric are specified in a GSLB policy. The GSLB AX device has a default GSLB policy, named "default", that is automatically applied to a zone or service, unless you configure and assign a different policy to the zone or service. Policies can be applied to GSLB zones and to individual services.

Weighted-IP and Weighted-Site
The weighted-ip and weighted-site metrics allow you to bias selection toward specific sites or IP addresses. Specifically, GSLB selects higher-weighted sites or IP addresses more often than lower-weighted sites or IP addresses. For example, if there are two sites (A and B), and A has weight 2 whereas B has weight 4, GSLB will select site B twice as often as site A. GSLB will select site B the first 4 times, and will then select site A the next 2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the next 2 times, and so on.

Note: If DNS caching is used, the cycle starts over if the cache aging timer expires.

Ordered-IP
Most metrics select a site or IP address as the best address. However, the ordered-ip metric does not select or eliminate sites or IP addresses. Instead, the ordered-ip metric re-orders the IP addresses based on the metric's configuration in the GSLB policy. If there are any more metrics after ordered-ip, the re-ordered list is sent to the next metric. Otherwise, the prioritized list of IP addresses is sent to the client.

Note: If the last metric is ordered-ip, and round-robin is disabled, the prioritized list is sent to the client. Round-robin is not used. If you plan to use the ordered-ip metric, you need to disable the round-robin metric. Otherwise, round-robin will be used as the tie-breaker and the ordered IP list will be ignored.

Tie-Breaker
If all the enabled metrics in the policy result in a tie (do not definitively select a single site as the best site), the AX device uses round-robin to select a site. This is true even if the round-robin metric is disabled in the GSLB policy.

Health Checks
The health-check metric checks the availability (health) of the real servers and service ports. Sites whose real servers and service ports respond to the health checks are preferred over sites in which servers or service ports are unresponsive to the health checks.

GSLB supports health check methods for the following services: ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP, POP3, SNMP, DNS, LDAP, RADIUS, RTSP, SIP

You can use the default health methods or configure new methods for any of these services.

Note: The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol.

If you leave the health monitor for a service at its default setting (the default ICMP ping health check), or you explicitly apply the default Layer 3 health monitor to the service, the health checks are performed within the GSLB protocol. This requires the GSLB protocol to be enabled on the site AX devices as well as the GSLB controller.
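The metric pipeline described in the "GSLB Policy", "Weighted-IP and Weighted-Site", "Ordered-IP" and "Tie-Breaker" sections, modelled in code so the selection sequence can be checked. This is an added illustration, not A10 code and not how the AX implements it: the Candidate and GslbPolicy names are this example's own, only four metrics are modelled (health-check, admin-preference, weighted-site, ordered-ip), and the model assumes that a metric which would eliminate every candidate is skipped so that a reply is never empty. The candidate addresses are constructed sample data.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Candidate:
    """One service IP in a GSLB zone. Constructed sample data, not device state."""
    ip: str
    site: str
    healthy: bool = True
    site_weight: int = 1    # weighted-site weight of the hosting site
    admin_pref: int = 0     # admin-preference value; higher is preferred
    ordered_rank: int = 0   # ordered-ip rank; lower is listed first


class GslbPolicy:
    """Runs the enabled metrics in order (this example's own model).

    A metric either eliminates candidates (health-check, admin-preference,
    weighted-site) or only re-orders them (ordered-ip). What survives the
    last metric is the reply list, best address first.
    """

    def __init__(self, metric_order, round_robin=True):
        self.metric_order = list(metric_order)
        self.round_robin = round_robin   # enable state of the round-robin metric
        self._rr_pos = 0                 # tie-breaker rotation position
        self._site_seq = None            # weighted-site schedule, e.g. B B B B A A
        self._site_cycle = None
        self._metrics = {
            "health-check": self._health_check,
            "admin-preference": self._admin_preference,
            "weighted-site": self._weighted_site,
            "ordered-ip": self._ordered_ip,
        }

    def _health_check(self, cands):
        # Services that failed their health check are eliminated.
        return [c for c in cands if c.healthy]

    def _admin_preference(self, cands):
        # Only the highest administratively set preference survives.
        best = max(c.admin_pref for c in cands)
        return [c for c in cands if c.admin_pref == best]

    def _weighted_site(self, cands):
        # Weight 4 vs 2 yields the schedule B,B,B,B,A,A, repeated per query.
        if self._site_seq is None:
            weights = {}
            for c in cands:
                weights[c.site] = max(weights.get(c.site, 0), c.site_weight)
            self._site_seq = []
            for site, w in sorted(weights.items(), key=lambda kv: -kv[1]):
                self._site_seq.extend([site] * w)
            self._site_cycle = cycle(self._site_seq)
        present = {c.site for c in cands}
        for _ in range(len(self._site_seq)):
            site = next(self._site_cycle)
            if site in present:          # skip sites an earlier metric removed
                return [c for c in cands if c.site == site]
        return cands

    def _ordered_ip(self, cands):
        # Re-orders only; never eliminates.
        return sorted(cands, key=lambda c: c.ordered_rank)

    def evaluate(self, candidates):
        """Return the addresses GSLB would list in the DNS reply, best first."""
        remaining = list(candidates)
        for name in self.metric_order:
            result = self._metrics[name](remaining)
            if result:                    # model assumption: never empty the list
                remaining = result
        last = self.metric_order[-1] if self.metric_order else None
        # Tie-breaker: round-robin is used even when the metric is disabled,
        # except when ordered-ip is last and round-robin is off.
        if len(remaining) > 1 and not (last == "ordered-ip" and not self.round_robin):
            i = self._rr_pos % len(remaining)
            self._rr_pos += 1
            remaining = remaining[i:] + remaining[:i]
        return [c.ip for c in remaining]


def best_ips(policy, candidates, queries):
    """The address listed first for each of `queries` successive lookups."""
    return [policy.evaluate(candidates)[0] for _ in range(queries)]


if __name__ == "__main__":
    a = Candidate("10.1.1.1", "A", site_weight=2)
    b = Candidate("10.2.2.2", "B", site_weight=4)
    print(best_ips(GslbPolicy(["weighted-site"]), [a, b], 7))
```

Running the module prints the weighted-site schedule for seven lookups: the weight-4 site four times, the weight-2 site twice, then the cycle restarts. The same class shows why the "Ordered-IP" note matters: with round_robin=True the ordered list is rotated on every query, with round_robin=False it is returned unchanged.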

If you use a custom health monitor, the GSLB protocol is not used for any of the health checks. In this case, the GSLB protocol is not required to be enabled on the site AX devices, although use of the protocol is still recommended.

If you use a custom health monitor for a service port, the port number specified in the service configuration is used instead of the port number specified in the health monitor configuration.

(For more information about health monitoring, see "Health Monitoring" on page 297.)

Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geographically closer to the clients. For example, if a domain is served by sites in both the USA and Asia, you can configure GSLB to favor the USA site for USA clients while preferring the Asian site for Asian clients.

To configure geo-location:
• Leave the geographic GSLB metric enabled.
• Load geo-location data. You can load geo-location data from a file or manually configure individual geo-location mappings. Loading geo-location data from a file is simpler than manually configuring geo-location mappings, especially if you have more than a few GSLB sites. For more information, see "Loading or Configuring Geo-Location Mappings" on page 363.

CNAME Support
As an extension to geo-location support, you can configure GSLB to send a Canonical Name (CNAME) record instead of an Address record in DNS replies to clients. A CNAME record maps a domain name to an alias for that domain. For example, you can configure aliases such as the following for domain "a10.com", and associate the aliases with different geo-locations:
• www.a10.com
• www.a10.cn
• ftp.a10.com

If a client's IP address is within a geo-location associated with one of these aliases, GSLB places a CNAME record for that alias in the DNS reply to the client.

To configure CNAME support:
• Configure geo-location as described above.
• In the GSLB policy, enable the following DNS options:
  • dns cname-detect (enabled by default)
  • dns geoloc-alias
• For individual services in the zone, configure the aliases and associate them with geo-locations.

DNS Options
DNS options provide additional control over the IP addresses listed in DNS replies to clients. After the GSLB AX device uses the metrics to select and prioritize the IP addresses for the DNS reply, the AX device applies the enabled DNS options to the list.

The following DNS options can be set in GSLB policies:
• dns action – Enables GSLB to perform the DNS actions specified in the service configurations.
• dns active-only – Removes IP addresses for services that did not pass their health checks.
• dns addition-mx – Appends MX records in the Additional section in replies for A records.
• dns best-only – Removes all IP addresses from DNS replies except for the address selected as the best address by the GSLB policy metrics.
• dns cache – Caches DNS replies and uses them when replying to clients, instead of sending a new DNS request for every client query, when the device is configured for DNS proxy or cache mode.
• dns cname-detect – For IP addresses that have Canonical Name (CNAME) records, applies the GSLB policy to the CNAME record instead of the Address record. (This applies only if the CNAME records are for the zone and application requested by the DNS proxy on the GSLB AX device.)
• dns external-ip – Returns the external IP address configured for a service IP. If this option is disabled, the internal address is returned instead.
• dns geoloc-action – Performs the DNS traffic handling action specified for the client's geo-location. The action is specified as part of service configuration in a zone.
• dns geoloc-alias – Replaces the IP address with its alias configured on the GSLB AX Series.

• dns geoloc-policy – Returns the alias name configured for the client's geo-location.
• dns ip-replace – Replaces the IP addresses with the set of addresses administratively assigned to the service in the zone configuration.
• dns server – Enables the GSLB AX device to act as a DNS server.
• dns sticky – Sends the same service IP address to a client for all requests from that client for the service address.
• dns ttl – Overrides the TTL set in the DNS reply, for specific service IPs in the GSLB zone. (For more information about this option, see "TTL Override" on page 343.)

The cname-detect and external-ip options are enabled by default. All the other DNS options are disabled by default.

Order in Which Sticky, Cache, Server, and Proxy Options Are Used
If more than one of the following options are enabled, GSLB uses them in the order listed, beginning with sticky:
1. sticky
2. cache
3. server
4. proxy

The site address selected by the first option that is applicable to the client and requested service is used.

Note: GSLB does not have a separately configurable "proxy" option. The proxy option is automatically enabled when you configure the DNS proxy as part of GSLB configuration.

TTL Override
GSLB ensures that DNS replies to clients contain the optimal set of IP addresses based on current network conditions. However, if the DNS TTL value assigned to the Address records is long, the local DNS servers used by clients might cache the replies for a long time, and send those stale replies to clients. Thus, clients might receive outdated information, even though the GSLB AX device has current information.

To ensure that the clients' local DNS servers do not cache the DNS replies for too long, you can configure the GSLB AX device to override the TTL values of the Address records in the DNS replies before sending the replies to clients.

The TTL of the DNS reply can be overridden in two different places in the GSLB configuration:
1. If a GSLB policy is assigned to the individual service, the TTL set in that policy is used.
2. If no policy is assigned to the individual service, but the TTL is set in the zone, then the zone's TTL setting is used.

By default, the TTL override is not set in either of these places.

Metrics That Require the GSLB Protocol on Site AX Devices
AX devices use the GSLB protocol for GSLB management traffic. The protocol is required to be enabled on the GSLB controller. The protocol is recommended on site AX devices but is not required. However, some GSLB policy metrics require the protocol to be enabled on the site AX devices as well as the GSLB controller:
• session-capacity
• active-rtt
• passive-rtt
• connection-load
• num-session
• least-response

The GSLB protocol is required in order to collect the site information provided for these metrics.

Note: The GSLB protocol is also required for the health-check metric, if the default health checks are used. If you modify the health checks, the GSLB protocol is not required. (See "Health Checks" on page 340.)
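The post-processing that the "DNS Options", "Order in Which Sticky, Cache, Server, and Proxy Options Are Used" and "TTL Override" sections describe, as an added example that is not A10 code and does not reproduce the AX implementation: it applies active-only, sticky, best-only, external-ip and the two-level TTL override to the address list the metrics produced. The ServiceIP, Answer and DnsOptions names, the sample addresses and the decision to apply sticky after active-only (so a failed address is never pinned to a client) are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServiceIP:
    """A service IP as GSLB knows it. Constructed sample data, not device state."""
    ip: str
    healthy: bool = True
    external_ip: Optional[str] = None   # address returned when dns external-ip is on


@dataclass
class Answer:
    """One Address record in the reply sent to the client."""
    name: str
    address: str
    ttl: int


class DnsOptions:
    """Applies DNS options to the list the policy metrics produced (best first)."""

    def __init__(self, active_only=False, best_only=False, external_ip=True,
                 sticky_prefix=None, policy_ttl=None, zone_ttl=None):
        self.active_only = active_only
        self.best_only = best_only
        self.external_ip = external_ip      # enabled by default, as on the AX
        self.sticky_prefix = sticky_prefix  # dns sticky /prefix-length
        self.policy_ttl = policy_ttl        # dns ttl in the service's policy
        self.zone_ttl = zone_ttl            # TTL set at the zone level
        self._sticky = {}                   # client network -> pinned address

    def effective_ttl(self, reply_ttl):
        """Policy TTL wins over zone TTL; with neither set the server's TTL stays."""
        if self.policy_ttl is not None:
            return self.policy_ttl
        if self.zone_ttl is not None:
            return self.zone_ttl
        return reply_ttl

    def apply(self, client_ip, name, ordered, reply_ttl):
        """Return the Address records for `client_ip`, options applied in order."""
        addrs = list(ordered)
        if self.active_only:
            # Drop services that failed their health checks (may empty the list).
            addrs = [s for s in addrs if s.healthy]
        if self.sticky_prefix is not None and addrs:
            # Sticky is consulted first: every client in the same prefix keeps
            # getting the address first handed out, as long as it is still eligible.
            net = ipaddress.ip_network(f"{client_ip}/{self.sticky_prefix}", strict=False)
            chosen = self._sticky.get(net)
            if chosen is None or all(s.ip != chosen for s in addrs):
                chosen = addrs[0].ip
                self._sticky[net] = chosen
            addrs.sort(key=lambda s: s.ip != chosen)   # pinned address first
        if self.best_only:
            addrs = addrs[:1]
        ttl = self.effective_ttl(reply_ttl)
        records = []
        for s in addrs:
            address = s.external_ip if (self.external_ip and s.external_ip) else s.ip
            records.append(Answer(name, address, ttl))
        return records


if __name__ == "__main__":
    s1 = ServiceIP("10.0.0.1", external_ip="203.0.113.1")
    s2 = ServiceIP("10.0.0.2", healthy=False, external_ip="203.0.113.2")
    opts = DnsOptions(active_only=True, policy_ttl=30, zone_ttl=300)
    for rec in opts.apply("198.51.100.5", "www.a10.com", [s2, s1], reply_ttl=3600):
        print(rec)
```

Running the module shows the failed 10.0.0.2 removed by active-only, the surviving address replaced by its external 203.0.113.1 and the upstream TTL of 3600 cut to the policy's 30, which is the effect the "TTL Override" section wants: a resolver will re-query within 30 seconds instead of serving a stale address for an hour.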

Configuration Overview
Configuration is required on the GSLB AX device (GSLB controller) and the site AX devices.

Configuration on GSLB Controller
To configure GSLB on the GSLB AX device:
1. Configure health monitors for the DNS server to be proxied and for the GSLB services to be load balanced.
2. Configure a DNS proxy.
3. Configure a GSLB policy (unless you plan to use the default policy settings, described in "GSLB Policy" on page 338).
4. Configure sites.
5. Configure a zone.
6. Configure services.
7. Enable the GSLB protocol for the GSLB controller function.

Note: If you plan to run GSLB in server mode, the proxy DNS server does not require configuration of a real server or service group. Only the VIP is required. However, if you plan to run GSLB in proxy mode, the real server and service group are required along with the VIP. (Server and proxy mode are configured as DNS options. See "DNS Options" on page 342.)

Configuration on Site AX Device
To configure GSLB on the site AX devices:
1. Configure SLB, if not already configured.
2. Enable the GSLB protocol for the GSLB site device function.

Configuration takes place at the following levels:
• Global (system-wide on the GSLB AX device)
• Zone
• Service IP
• Site
• SLB device

The parameters you can configure at each level are described in "GSLB Parameters" on page 378.

The following sections describe the GSLB configuration steps in the GUI and in the CLI.

Note: Each of the following configuration sections shows the CLI and GUI methods for configuration. Required commands and commonly used options are listed. For advanced commands and options, see "GSLB Parameters" on page 378. For complete configuration examples, see "Configuration Examples" on page 397.

Configure Health Monitors
A10 Networks recommends that you configure health monitors for the local DNS server to be proxied, and also for the GSLB services to be load balanced. Use a DNS health monitor for the local DNS server. For the GSLB service, use health monitors for the application types of the services. For example, for an HTTP service, use an HTTP health monitor. You also can use a Layer 3 health monitor to check the IP reachability of the server. If the health-check metric is enabled in the GSLB policy, the metric will use the results of service health checks to select sites.

Configure the health monitors for the proxied DNS server and the GSLB services on the GSLB AX device. To monitor the health of the real servers providing the services, configure health monitors on the site SLB devices. Configure the health monitors for real servers and their services on the site AX devices.

Configuration of health monitors is the same as for standard SLB. There are no special health monitoring options or requirements for GSLB. For configuration information, see "Health Monitoring" on page 257.

Configure the DNS Proxy
The DNS proxy is a DNS virtual service, and its configuration is therefore similar to the configuration of an SLB service. To configure the GSLB DNS proxy, use either of the following methods.

USING THE GUI
1. Select Config > Service > GSLB.
2. Click DNS Proxy.
3. Enter a name for the DNS proxy.
4. Enter the IP address that will be advertised as the authoritative DNS server for the GSLB zone.
Note: The GUI will not accept the configuration if the IP address you enter here is the same as the real DNS server IP address you enter when configuring the service group for this proxy (below).
5. (Optional) To add this proxy configuration of the DNS server to a High Availability (HA) group, select the group.
6. On the GSLB Port tab, enter the DNS port number in the Port field and click Add. The Service Group and Server tabs appear.
7. In the Service Group field, select "create".
8. In the Name field, enter a name for the service group.
9. In the Type drop-down list, select UDP.
10. On the Server tab, in the Server drop-down list, enter the IP address of the DNS server. Enter the real IP address of the DNS server, not the IP address you are assigning to the DNS proxy.
11. In the Port field, enter the DNS port number, if not already filled in, then click Add. The server information appears on the tab.
12. Click OK.

13. Click OK. The GSLB Port tab re-appears.
14. Click OK. The Proxy tab re-appears.
15. Click OK. The DNS proxy appears in the DNS proxy table.

USING THE CLI
1. To configure a real server for the DNS server to be proxied, use the following commands:

slb server server-name ipaddr

Use this command at the global configuration level of the CLI. The command creates the server and changes the CLI to the configuration level for it.

To configure the DNS port on the server, use the following command to change the CLI to the configuration level for the port:

port port-num udp

To enable health monitoring of the DNS service, use the following command:

health-check monitor-name

(Layer 3 health monitoring using the default Layer 3 health monitor is already enabled by default.)

2. To configure a service group and add the DNS proxy (real server) to it, use the following commands:

slb service-group group-name udp

Use this command at the global configuration level of the CLI. The command creates the service group and changes the CLI to the configuration level for it.

To add the DNS server to the service group, use the following command:

member server-name:port-num

3. To configure a virtual server for the DNS proxy and bind it to the real server and service group, use the following commands:

slb virtual-server name ipaddr

Use this command at the global configuration level of the CLI. The command creates the virtual server and changes the CLI to the configuration level for it.

To add the DNS port, use the following command:

port port-number udp

This command changes the CLI to the configuration level for the DNS port.

To bind the DNS port to the DNS proxy service group and enable GSLB on the port, use the following commands:

service-group group-name

gslb-enable

Configure a GSLB Policy
The GSLB policy contains the metrics used to evaluate each site and select the best site for a client request. Configuring a GSLB policy is optional. By default, the "default" policy is used unless you configure and apply a different policy.

In the "default" GSLB policy, the following metrics are enabled by default:
• health-check
• geographic
• round-robin

The other metrics are disabled. (For detailed information about policy parameters and their defaults, see "GSLB Parameters" on page 378.)

Note: Although the geographic metric is enabled by default, there are no default geo-location mappings. To use the geographic metric, you must load or manually configure geo-location mappings. (See "Loading or Configuring Geo-Location Mappings" on page 363 later in this section.)

Enabling / Disabling Metrics
To enable or disable a metric, use either of the following methods.

Using the GUI
1. Select Config > Service > GSLB.
2. On the menu bar, select Policy.
3. Click on the policy name or click Add to create a new policy.
4. If you are configuring a new policy, enter a name in the Name field on the General tab.
5. On the Metrics tab, drag-and-drop the metric from one column to the other. For example, to disable the health-check metric, drag-and-drop it from the In Use column to the Not In Use column. If you are enabling a metric, drag it to the position you want it to be used in the processing order. For example, if you are enabling the Admin

Using the CLI To enable a metric. enter the metric name at the configuration level for the policy. For example. On the DNS Options tab. Click OK. at the configuration level for the policy. drag-anddrop the metric to the top of the In Use column. see “DNS Options” on page 342 and Table 9. to disable the health-check metric. enter the following command: AX(config gslb-policy)#admin-preference To disable a GSLB metric. to enable the admin-preference metric. enter the following command at the configuration level for the policy: AX(config gslb-policy)#no health-check To set DNS options.” on page 387. 6. 2.Configuration Guide Configuration Overview Preference metric and you want this metric to be used first. use the “no” form of the command for the metric.2 11/11/2009 . “GSLB Policy Parameters. (For descriptions. (For descriptions. For example.Ver. see “DNS Options” on page 342 and Table 9. if applicable to your deployment.” on page 387. configure the DNS options.) [no] dns { action | active-only | addition-mx | best-only | cache [aging-time {seconds | ttl}] | cname-detect | external-ip | geoloc-action | geoloc-alias | geoloc-policy | ip-replace | server [authoritative] | sticky [/prefix-length] [aging-time minutes] | ttl num } 350 of 702 P e r f o r m a n c e b y D e s i g n Document No. use the following command at the configuration level for the policy.AX Series . “GSLB Policy Parameters.) 7.: D-030-01-00-0006 .0.

Changing the Metric Order

To change the metric order, use either of the following methods.

Using the GUI

1. Select Config > Service > GSLB.
2. On the menu bar, select Policy.
3. Click on the policy name or click Add to create a new policy.
4. If you are configuring a new policy, enter a name in the Name field on the General tab.
5. On the Parameters tab, drag-and-drop the metric to the position in which you want it to be used in the processing order. For example, if you want the admin-preference metric to be used first, drag-and-drop the metric to the top of the In Use column.
6. Click OK.

Using the CLI

To change the positions of metrics in a GSLB policy, use the following command at the configuration level for the policy:

[no] metric-order metric [metric ...]

The metric option specifies a metric and can be one of the following:
• active-rtt
• active-servers
• admin-preference
• bw-cost
• capacity
• connection-load
• geographic
• health-check
• least-response
• num-session
• ordered-ip
• passive-rtt
• weighted-ip
• weighted-site

Configuring RTT Settings

If you are planning to use the active-RTT or passive-RTT metric, read this section. Otherwise, you can skip the section. Both these metrics are disabled by default.

Active RTT

Active RTT measures the round-trip-time for a DNS query and reply between a site AX device and the GSLB local DNS. The active RTT metric is disabled by default. You can enable it to take either a single sample (single shot) or multiple samples at regular intervals.

Default Settings

When you enable Active RTT, a site AX device sends 5 DNS requests to the GSLB domain’s local DNS. The GSLB AX device averages the RTT times of the 5 samples. You can configure active RTT to take a single sample or periodic samples.

Single Sample (Single Shot)

To take a single sample and use that sample indefinitely, use the single-shot option. This option instructs each site AX device to send a single DNS query to the GSLB local DNS. The single-shot option is useful if you do not want to frequently update the active RTT measurements. For example, if the GSLB domain's clients tend to remain logged on for long periods of time, using the single-shot option ensures that clients are not frequently sent to differing sites based on active RTT measurements.

The single-shot option has the following additional options:
• timeout – Specifies the number of seconds each site AX device should wait for the DNS reply. If the reply does not arrive within the specified timeout, the site becomes ineligible for selection, in cases where selection is based on the active RTT metric. You can specify 1-255 seconds. The default is 3 seconds.
• skip – Specifies the number of site AX devices that can exceed their single-shot timeouts, without the active RTT metric itself being skipped by the GSLB AX device during site selection. You can skip from 1-31 sites. The default is 3.

Multiple Samples

To periodically retake active RTT samples, do not use the single-shot option. In this case, the AX device uses the averaged RTT based on the number of samples measured for the intervals. For example, if you set active RTT to use 3 samples with an interval of 5 seconds, the RTT is the average RTT for the last 3 samples, collected in 5-second intervals. The number of samples can be 1-8. The default is 5 samples. If you configure single-shot instead, a single sample is taken.

Store-By

By default, the GSLB AX device stores one active RTT measurement per site SLB device. Optionally, you can configure the GSLB AX device to store one measurement per geo-location instead. This option is configurable on individual GSLB sites. (See “Changing Active RTT Settings for a Site” on page 355.)

Tolerance

The default measurement tolerance is 10 percent. If the RTT measurements for more than one site are within 10 percent, the GSLB AX device considers the sites to be equal in terms of active RTT. You can adjust the tolerance to any value from 0-100 percent.

Enabling Active RTT

To enable active RTT, use either of the following methods.

USING THE GUI

1. Select Config > Service > GSLB.
2. On the menu bar, select Policy.
3. Click on the policy name or click Add to create a new one.
4. Click the plus sign to display the Active RTT configuration fields.
5. Drag-and-drop Active RTT from the Not In Use column to the In Use column.
6. To use single-shot RTT, select the Single-shot checkbox. To collect multiple samples, do not select the Single-shot checkbox.
7. To change settings for single-shot, edit the values in the Timeout and Skip fields. (See the descriptions above, in “Single Sample (Single Shot)” on page 352.)
8. To change settings for multiple samples, edit the values in the Samples and Tolerance fields. For descriptions of the store-by and tolerance options, see “Store-By” on page 353 and “Tolerance” on page 353.
9. Click OK.

USING THE CLI

Enter the following command at the configuration level for the GSLB policy:

[no] active-rtt [samples num-samples] [single-shot] [skip count] [timeout seconds] [tolerance num-percentage]

If you omit all the options, the site AX device sends 5 DNS requests to the GSLB domain’s local DNS. The GSLB AX device averages the RTT times of the 5 samples. The active RTT measurements are regularly updated. You can use the samples option to change the number of samples to 1-8.

To enable single-shot RTT instead, use the single-shot option. For single-shot, you also can use the skip and timeout options.

CLI Examples

The following commands access the configuration level for GSLB policy “gslbp2” and enable the active RTT metric, using all the default settings:

AX(config)#gslb policy gslbp2
AX(config gslb-policy)#active-rtt

The following commands access the configuration level for GSLB policy “gslbp3” and enable the active RTT metric, using single-shot settings:

AX(config)#gslb policy gslbp3
AX(config gslb-policy)#active-rtt single-shot
AX(config gslb-policy)#active-rtt skip 3

In this example, each site AX device will send a single DNS query to the GSLB domain’s local DNS, and wait 3 seconds (the default) for a reply. The site AX devices will then send their RTT measurements to the GSLB AX device. However, if more than 3 site AX devices fail to send their RTT measurements to the GSLB AX device, the AX device will not use the active RTT metric.

Changing Active RTT Settings for a Site

You can adjust the following Active RTT settings on individual sites:
• aging-time – Specifies the maximum amount of time a stored active-RTT result can be used. You can specify 1-60 minutes. The default is 10 minutes.
• bind-geoloc – Stores the active-RTT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site-SLB device basis.
• range-factor – Specifies the maximum percentage a new active-RTT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again. For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used. You can specify 1-1000. The default is 25.
• smooth-factor – Blends the new measurement with the previous one, to smooth the measurements. For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement. You can specify 1-100. The default is 10.
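The following Python model of the per-site range-factor, smooth-factor and aging-time rules, together with the tolerance comparison from “Tolerance” above, is an added example and not A10 code. The treatment of an aged-out result (next sample stored as-is) and the reading of tolerance as “within the given percentage of the lowest RTT” are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SiteRttSettings:
    """Per-site active-RTT settings, with the defaults given above."""
    range_factor: int = 25    # percent the new sample may differ from the stored value
    smooth_factor: int = 10   # percent of the new sample blended into the stored value
    aging_time: int = 10      # minutes a stored result may be used


@dataclass
class SiteRttState:
    stored: Optional[float] = None   # stored (smoothed) RTT in milliseconds
    updated_at: float = 0.0          # minutes, on a simulated clock


def apply_sample(state: SiteRttState, cfg: SiteRttSettings, sample: float, now: float) -> float:
    """Feed one RTT sample for a site and return the value kept for that site.

    Assumption: once the stored result is older than aging-time it is no longer
    usable, so the next sample is stored as-is instead of being blended.
    """
    if state.stored is None or now - state.updated_at > cfg.aging_time:
        state.stored, state.updated_at = float(sample), now
        return state.stored
    low = state.stored * (100 - cfg.range_factor) / 100
    high = state.stored * (100 + cfg.range_factor) / 100
    if not low <= sample <= high:
        # range-factor: discard the outlier and keep using the previous value
        return state.stored
    # smooth-factor: e.g. 10 -> 10% of the new sample, 90% of the previous value
    weight = cfg.smooth_factor / 100
    state.stored = weight * sample + (1 - weight) * state.stored
    state.updated_at = now
    return state.stored


def equivalent_sites(rtts: Dict[str, float], tolerance: int = 10) -> List[str]:
    """Sites whose RTT lies within `tolerance` percent of the lowest RTT.

    Assumed reading of the tolerance rule above: these sites count as equal on
    the active-RTT metric, so a later metric in the order decides between them.
    """
    best = min(rtts.values())
    return sorted(site for site, rtt in rtts.items() if rtt <= best * (100 + tolerance) / 100)


if __name__ == "__main__":
    cfg, state = SiteRttSettings(), SiteRttState()
    for minute, sample in enumerate([100, 110, 200, 105]):
        print(minute, sample, apply_sample(state, cfg, sample, minute))
    print(equivalent_sites({"usa": 40.0, "emea": 43.0, "apac": 90.0}))
```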

USING THE GUI

Note: Active RTT settings for a site cannot be changed using the GUI.

USING THE CLI

Use the following command at the configuration level for the site:

[no] active-rtt aging-time minutes | bind-geoloc | range-factor num | smooth-factor num

Passive RTT

Passive RTT measures the round-trip-time between when the site AX device receives a client’s TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection.

Enabling Passive RTT

To enable passive RTT, use either of the following methods.

USING THE GUI

1. Select Config > Service > GSLB.
2. On the menu bar, select Policy.
3. Click on the policy name or click Add to create a new one.
4. Click the plus sign to display the Passive RTT configuration fields.
5. Drag-and-drop Passive RTT from the Not In Use column to the In Use column.
6. To change sample settings, edit the values in the Samples and Tolerance fields. (These parameters work the same as they do for active RTT. See “Multiple Samples” on page 353 and “Tolerance” on page 353.)
7. Click OK.

USING THE CLI

Enter the following command at the configuration level for the GSLB policy:

[no] passive-rtt [samples num-samples] [tolerance num-percentage]

Changing Passive RTT Settings for a Site

You can adjust Passive RTT settings on individual sites. The settings available for Passive RTT are the same as those used for Active RTT. See “Changing Active RTT Settings for a Site” on page 355.

USING THE GUI

Note: Passive RTT settings for a site cannot be changed using the GUI.

USING THE CLI

Use the following command at the configuration level for the site:

[no] passive-rtt aging-time minutes | bind-geoloc | range-factor num | smooth-factor num

Configuring BW-Cost Settings

If you are planning to use the bw-cost metric, read this section. Otherwise, you can skip the section. The bw-cost metric selects sites based on bandwidth utilization on the site AX links. The bw-cost metric is disabled by default.

How Bandwidth Cost Is Measured

To compare sites based on bandwidth utilization, the GSLB AX device sends SNMP GET requests for a specified MIB interface object, such as ifInOctets, to each site. The GSLB AX device sends the SNMP requests at regular intervals.
• If the SNMP object value has incremented less than or equal to the bandwidth limit configured for the site, the site is eligible to be selected as the best site.
• If the SNMP object value has incremented more than the bandwidth limit configured for the site, the site is ineligible.

Once a site is ineligible, the site can become eligible again at the next interval if the increment is below the configured threshold percentage of the limit. (See below.)

Configuration Requirements

To use the bw-cost metric, the following bw-cost parameters must be configured on each site:
• Bandwidth limit – The bandwidth limit specifies the maximum value by which the requested MIB object can increment, for the site to be eligible for selection as the best site.
• Bandwidth threshold – For a site to regain eligibility when bw-cost is being compared, the SNMP object’s incremental value must be below the threshold-percentage of the limit value. For example, if the limit value is 80000 and the threshold is 90, the SNMP object value must increment by 72000 or less, in order for the site to become eligible again based on bandwidth cost. Once a site again becomes eligible, the SNMP object’s value is again allowed to increment by as much as the bandwidth limit value (80000, in this example).

In addition, an SNMP template must be configured and bound to each site. The GSLB SNMP template specifies the SNMP version and other information necessary to access the SNMP agent on the site AX device, and the Object Identifier (OID) of the MIB object to request.
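The eligibility rules above (limit while eligible, limit times threshold percentage to recover) as a small Python state machine fed with per-interval counter readings; this is an added example, not A10 code. The counter readings are constructed, and the handling of a 32-bit counter wrap goes beyond what the page describes.

```python
from dataclasses import dataclass
from typing import List, Optional

COUNTER32_MODULO = 2 ** 32   # a 4-byte Counter (Type CNTR, Len 4) wraps here


@dataclass
class BwCostSite:
    name: str
    limit: Optional[int] = None    # bw-cost limit; None = not set (unlimited), the default
    threshold: int = 100           # bw-cost threshold, percent of limit
    last_value: Optional[int] = None
    eligible: bool = True
    highest: int = 0               # largest increment seen so far


def counter_increment(previous: int, current: int, modulo: int = COUNTER32_MODULO) -> int:
    """Increment between two polls, tolerating one wrap of the counter.

    Wrap handling is an addition here; the page does not describe it.
    """
    return (current - previous) % modulo


def poll(site: BwCostSite, value: int) -> bool:
    """Apply one SNMP GET result for the site and return its eligibility."""
    if site.last_value is None:          # first poll: nothing to compare against yet
        site.last_value = value
        return site.eligible
    increment = counter_increment(site.last_value, value)
    site.last_value = value
    site.highest = max(site.highest, increment)
    if site.limit is None:               # no limit configured: never ineligible
        return True
    if site.eligible:
        # An eligible site may grow by up to the full limit per interval.
        site.eligible = increment <= site.limit
    else:
        # An ineligible site must stay within limit * threshold% to recover.
        site.eligible = increment <= site.limit * site.threshold // 100
    return site.eligible


def eligible_sites(sites: List[BwCostSite]) -> List[str]:
    """Names of the sites the bw-cost metric would still consider."""
    return [site.name for site in sites if site.eligible]


def run_page_example() -> List[bool]:
    """Limit 80000, threshold 90 (recover at 72000 or less), constructed readings."""
    site = BwCostSite("usa", limit=80000, threshold=90)
    readings = [1_000_000, 1_050_000, 1_135_000, 1_210_000, 1_280_000, 1_358_000]
    # increments:          50000      85000      75000      70000      78000
    poll(site, readings[0])                      # baseline sample
    return [poll(site, value) for value in readings[1:]]


if __name__ == "__main__":
    print(run_page_example())                    # [True, False, False, True, True]
    print(counter_increment(4294960000, 10000))  # 17296 after a 32-bit wrap
```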

Configuring Bandwidth Cost

To use the bw-cost metric:
1. On the site AX devices, configure and enable SNMP.
2. On the GSLB AX device:
a. Configure a GSLB SNMP template.
b. Add the template to the GSLB site configuration.
c. Optionally, set the bandwidth limit and threshold on the site. By default, the bandwidth limit is not set (unlimited).
d. Enable the bw-cost metric in the GSLB policy. By default, the bw-cost metric is disabled.

USING THE GUI

Note: SNMP template configuration is not supported in the GUI. Use the CLI to configure the template, then use the following GUI procedures.

USING THE CLI

To Configure a GSLB SNMP Template

Use the following commands:

[no] gslb template snmp template-name

This command adds the template and changes the CLI to the configuration level for the template, where the following template-related commands are available:

[no] version {v1 | v2c | v3}

The version command specifies the SNMP version running on the site AX device.

[no] host ipaddr
[no] oid oid-value

The host command specifies the IP address of the site AX device. The oid command specifies the interface MIB object to query on the site AX device.

Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error.

SNMPv1 / v2c Commands:

[no] community community-string

The community command specifies the community string required for authentication.

SNMPv3 Commands:

[no] username name

This command specifies the SNMPv3 username required for access to the SNMP agent on the site AX device.

[no] security-level {no-auth | auth-no-priv | auth-priv}

This command specifies the SNMPv3 security level:
• no-auth – Authentication is not used and encryption (privacy) is not used. This is the default.
• auth-no-priv – Authentication is used but encryption is not used.
• auth-priv – Both authentication and encryption are used.

[no] auth-proto {sha | md5}
[no] auth-key string

These commands are applicable if the security level is auth-no-priv or auth-priv. The auth-proto command specifies the authentication protocol. The auth-key command specifies the authentication key. The key string can be 1-127 characters long.

[no] priv-proto {aes | des}
[no] priv-key string

These commands are applicable only if the security level is auth-priv. The priv-proto command specifies the privacy protocol used for encryption. The priv-key command specifies the encryption key. The key string can be 1-127 characters long.

[no] context-engine-id id
[no] context-name id
[no] security-engine-id id

The context-engine-id command specifies the ID of the SNMPv3 protocol engine running on the site AX device. The context-name command specifies an SNMPv3 collection of management information objects accessible by an SNMP entity. The security-engine-id command specifies the ID of the SNMPv3 security engine running on the site AX device. For each command, the ID is a string 1-127 characters long.

Additional Commands:

[no] interval seconds
[no] port port-num

The interval command specifies the amount of time between each SNMP GET to the site AX devices. You can specify 1-999 seconds. The default is 3. The port command specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device. You can specify 1-65535. The default is 161.

[no] interface id

The interface command specifies the SNMP interface ID. You can specify 0-2147483647. There is no default.

To Apply a GSLB SNMP Template to a GSLB Site

Use the following command at the configuration level for the site:

[no] template template-name

To Configure the Bandwidth Limit and Threshold on a Site

Use the following command at the configuration level for the site:

[no] bw-cost limit limit threshold percentage

The limit specifies the maximum amount the SNMP object queried by the GSLB AX device can increment since the previous query, in order for the site to remain eligible for selection as the best site. There is no default.

If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the site’s SNMP object value must not increment more than limit * threshold-percentage. You can specify 0-100.

To Enable the Bandwidth Cost Metric in a GSLB Policy

Use the following command at the configuration level for the policy:

[no] bw-cost

To display bw-cost data for a site

Use the following command:

show gslb site [site-name] bw-cost

CLI Example – SNMPv2c

The following commands configure a GSLB SNMP template for SNMPv2c:

AX(config)#gslb template snmp snmp-1
AX(config-gslb template snmp)#version v2c
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#community public
AX(config-gslb template snmp)#exit

The following commands apply the SNMP template to a site and set the bandwidth increment limit and threshold:

AX(config)#gslb site usa
AX(config gslb-site)#template snmp-1
AX(config gslb-site)#bw-cost limit 100000 threshold 90
AX(config gslb-site)#exit

The following commands enable the bw-cost metric in the GSLB policy:

AX(config)#gslb policy pol1
AX(config-gslb policy)#bw-cost
AX(config-gslb policy)#exit

The following command displays bw-cost data for the site:

AX-1(config)#show gslb site usa bw-cost
U = Usable, TI = Time Interval
USGN = Unsigned, SN64 = Unsigned 64
CNTR = Counter, CT64 = Counter 64
Site  Template  Current  Highest  Limit   U  Type  Len  Value       TI
--------------------------------------------------------------------------------
usa   snmp-1    31091    142596   100000  Y  CNTR  4    3355957308  3

CLI Example – SNMPv3

The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and encryption are both used.

AX(config)#gslb template snmp snmp-2
AX(config-gslb template snmp)#security-level auth-priv
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#priv-proto des
AX(config-gslb template snmp)#auth-key 12345678
AX(config-gslb template snmp)#priv-key 12345678

The other commands are the same as those shown in “CLI Example – SNMPv2c” on page 362.

Loading or Configuring Geo-Location Mappings

You can configure geo-location mappings manually or by loading the mappings from a file. A10 Networks recommends that you load the mappings from a file. Unless you have only a few sites, configuring the geo-location mappings manually might not be practical.

The geo-location configuration options are described in detail below. To skip the descriptions and go directly to configuration instructions, see one of the following sections. Each section provides the procedure for one of the methods to configure geo-location mappings.
• “Loading the IANA Database” on page 366
• “Creating and Loading a Custom Geo-Location Database” on page 366
• “Manually Configuring Geo-Location Mappings” on page 369

Geo-Location Database Files

You can load the geo-location database from one of the following types of files:
• Internet Assigned Numbers Authority (IANA) database – The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is included in the AX system software. However, it is unloaded (not used) by default.
• Custom database in CSV format – You can load a custom geo-location database from a file in comma-separated-values (CSV) format. This option requires configuration of a CSV template on the AX device.

When you load the CSV file, the data is formatted based on the template.

Only one database can be active. If you load more than one database, the most-recently loaded one becomes the active one. The older database is no longer used. Data from the older database is not merged into the new database.

Geo-Location Mappings

A geo-location mapping consists of a geo-location name and an IP address or IP range.
• If you manually map a geo-location to a GSLB site, GSLB uses the mapping.
• If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-location in the loaded geo-location database.
• If a service-ip cannot be mapped to a geo-location, GSLB maps the site AX device to a geo-location.

If more than one geo-location matches a client’s IP address, the most specific match is used. For example, if a client is in the same city as a site AX, that site will be preferred. If the client and site are in the same state but in different cities, the site in that state will be preferred.

Example Database File

An example of a database file is shown below.

"1159363840","1159364095","NA","NORTH AMERICA","US","UNITED STATES","MA","MASSACHUSETTS","MIDDLESEX","MARLBOROUGH","42.3495","-71.5482","EST","COMMRAIL INC"
"1159364096","1159364351","NA","NORTH AMERICA","US","UNITED STATES","MA","MASSACHUSETTS","WORCESTER","SHREWSBURY","42.2959","-71.7134","EST","MLS PROPERTY INFORMATION NETWORK"
"1159364352","1159364607","NA","NORTH AMERICA","US","UNITED STATES","","","","SILVER","32.0708","-100.682","EST","ENVIRONMENTAL COMPLIANCE SERVICE"

The example above shows the file displayed in a text editor; each record is a single line in the file. When the file is saved to CSV format, the file is essentially as shown above. The same file looks like the example in Figure 114 if displayed in a spreadsheet application.

FIGURE 114 CSV File in Spreadsheet Application

The database file can contain more types of information (fields) than are required for the GSLB database. When you load the file into the geo-location database, the CSV template on the AX device is used to filter the file to extract the required data. In this example, only four of the fields in the following record are extracted and placed into the geo-location database:

"1159363840","1159364095","NA","NORTH AMERICA","US","UNITED STATES","MA","MASSACHUSETTS","MIDDLESEX","MARLBOROUGH","42.3495","-71.5482","EST","COMMRAIL INC"

These fields contain the following information:
• From IP address (starting IP address in range)
• To IP address (ending IP address in range, or subnet mask)
• Continent
• Country

The IP addresses in this example are in bin4 format. Dotted decimal format (for example: 69.26.125.0) is also supported. If you use bin4 format, the AX device automatically converts the addresses into dotted decimal format when you load the database into GSLB.

Converting IP Addresses into bin4 Format

If you want to use bin4 format in the CSV file, here is how to convert an IP address from dotted-decimal format to bin4 format:
1. Convert each node into Hex.
2. Convert the resulting Hex number into decimal.
3. Enter the decimal number into the database file.

Here is an example for IP address 69.26.125.0, the first IP address in the example CSV file:

Dotted Decimal       69.26.125.0
Hex of Each Node     45.1a.7d.00
Combined Hex Number  451a7d00
Decimal              1159363840
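An added Python example, not A10 code, that models what the sections above describe: a template that keeps only the needed field positions of the example database file, the bin4 conversion in both directions, and the most-specific-match lookup from “Geo-Location Mappings”. The field positions (1, 2, 4, 6, 8, 10), the extra record with a dotted-decimal start and subnet mask, and the contiguous-ones heuristic used to tell a mask from an ending address are assumptions; the first three records are re-typed from the example database file.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three records of the example database file, re-typed here as test input.
SAMPLE_CSV = (
    '"1159363840","1159364095","NA","NORTH AMERICA","US","UNITED STATES","MA",'
    '"MASSACHUSETTS","MIDDLESEX","MARLBOROUGH","42.3495","-71.5482","EST","COMMRAIL INC"\n'
    '"1159364096","1159364351","NA","NORTH AMERICA","US","UNITED STATES","MA",'
    '"MASSACHUSETTS","WORCESTER","SHREWSBURY","42.2959","-71.7134","EST",'
    '"MLS PROPERTY INFORMATION NETWORK"\n'
    '"1159364352","1159364607","NA","NORTH AMERICA","US","UNITED STATES","","","",'
    '"SILVER","32.0708","-100.682","EST","ENVIRONMENTAL COMPLIANCE SERVICE"\n'
)
# Constructed fourth record (not from the page): dotted-decimal start address plus
# a subnet mask, covering the whole 69.26.0.0/16 block, to exercise mask handling
# and the most-specific-match rule.
BROAD_ROW = (
    '"69.26.0.0","255.255.0.0","NA","NORTH AMERICA","US","UNITED STATES","MA",'
    '"MASSACHUSETTS","","","","","",""\n'
)

# Model of the CSV template: 1-based field position -> field type. These positions
# are an assumption chosen to fit the sample file above.
TEMPLATE: Dict[int, str] = {1: "ip-from", 2: "ip-to-mask", 4: "continent",
                            6: "country", 8: "state", 10: "city"}
LEVELS = ("continent", "country", "state", "city")


def dotted_to_bin4(dotted: str) -> int:
    """The conversion procedure above: hex of each node, combined, read as decimal."""
    return int("".join(f"{int(node):02x}" for node in dotted.split(".")), 16)


def bin4_to_dotted(bin4: int) -> str:
    """What the AX device does on load: bin4 back to dotted decimal."""
    return str(ipaddress.IPv4Address(bin4))


def parse_address(value: str) -> int:
    """A field may hold bin4 (all digits) or dotted-decimal text."""
    return int(value) if value.isdigit() else int(ipaddress.IPv4Address(value))


def is_netmask(value: int) -> bool:
    """Heuristic (assumption): a contiguous-ones value such as 255.255.0.0 is a mask."""
    host_bits = ~value & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


@dataclass
class GeoEntry:
    start: int
    end: int
    location: Dict[str, Optional[str]]  # continent/country/state/city, None if empty

    def contains(self, ip: int) -> bool:
        return self.start <= ip <= self.end


def load_database(text: str, template: Dict[int, str], delimiter: str = ",") -> List[GeoEntry]:
    """Apply the template to each row: keep only the mapped field positions."""
    entries: List[GeoEntry] = []
    for row in csv.reader(io.StringIO(text), delimiter=delimiter):
        if not row:
            continue
        fields = {template[pos]: value for pos, value in enumerate(row, start=1) if pos in template}
        start = parse_address(fields["ip-from"])
        second = parse_address(fields["ip-to-mask"])
        # ip-to-mask is either the last address of the range or a subnet mask.
        end = start | (~second & 0xFFFFFFFF) if is_netmask(second) else second
        location = {level: (fields.get(level) or None) for level in LEVELS}
        entries.append(GeoEntry(start, end, location))
    return entries


def lookup(entries: List[GeoEntry], client_ip: str) -> Optional[GeoEntry]:
    """Most specific match: of all ranges containing the client, the narrowest one."""
    ip = int(ipaddress.IPv4Address(client_ip))
    matches = [entry for entry in entries if entry.contains(ip)]
    return min(matches, key=lambda entry: entry.end - entry.start) if matches else None


if __name__ == "__main__":
    db = load_database(SAMPLE_CSV + BROAD_ROW, TEMPLATE)
    for entry in db:
        print(bin4_to_dotted(entry.start), bin4_to_dotted(entry.end), entry.location)
    print(lookup(db, "69.26.126.10").location)   # the SHREWSBURY record, not the /16
```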

CSV File Field Delimiters

The fields in the CSV file must be separated by a delimiter. By default, the AX device interprets commas as delimiters. However, when you configure the CSV template on the AX device, you can set the delimiter to any valid ASCII character.

Loading the IANA Database

The AX system software already contains the IANA database. However, the database does not become active until you load it.

USING THE GUI

1. Select Config > Service > GSLB.
2. On the menu bar, select Geo-location > Import.
3. On the Load/Unload tab, enter “iana” in the File field.
4. Leave the Template field blank.
5. Click Add.

USING THE CLI

Use the following command at the global configuration level of the CLI:

[no] gslb geo-location load iana

Creating and Loading a Custom Geo-Location Database

To create and load a custom geo-location database:
1. Prepare the database file. (This step requires an application that can save text in CSV format, and cannot be performed on the AX device.)
2. Configure a CSV template for the file. The CSV template specifies the field positions for IP address and location information.
3. Import the CSV file onto the AX device.
4. Load the CSV file.
5. Display the geo-location database.

USING THE GUI

Configuring the CSV Template

1. Select Config > Service > GSLB.
2. On the menu bar, select Geo-location > Import.
3. On the Template tab, enter a name for the template.
4. If the CSV file uses a character other than a comma to delimit fields, enter the delimiter character in the Delimiter field.
5. In each data field, indicate the field’s position in the CSV file. For example, if the destination IP address or subnet is listed in the CSV file in data field 4, enter “4” in the IP-To field.
6. Click Add.

Importing the CSV File

1. Select Config > Service > GSLB, if not already selected.
2. On the menu bar, select Geo-location > Import, if not already selected.
3. On the File tab, select the file transfer protocol.
4. Enter the filename and the access parameters required to copy the file from the remote server.
5. Click Add.

Loading the CSV File Data into the Geo-Location Database

1. Select Config > Service > GSLB, if not already selected.
2. On the menu bar, select Geo-location > Import, if not already selected.
3. On the Load/Unload tab, enter the name of the geo-location database in the File field.
4. In the Template field, enter the name of the template to use for formatting the data.
5. Click Add.

USING THE CLI

Configuring the CSV Template

On the AX device, you must configure a CSV template for the database file. When you load the file into GSLB, the AX device uses the template to extract the data and load it into the GSLB database.

1. Use the following command at the global configuration level of the CLI:

[no] gslb template csv template-name

This command creates the template and changes the CLI to the configuration level for it.

2. If the CSV file uses a character other than a comma to delimit fields, use the following command to specify the character used in the file:

[no] delimiter {character | ASCII-code}

You can type the character or enter its decimal ASCII code (0-255).

3. Use the following command to identify the field positions for the geo-location data:

[no] field num {ip-from | ip-to-mask | continent | country | state | city}

The num option specifies the field position within the CSV file. You can specify 1-64. The following options specify the type of geo-location data that is located in the field position:
• ip-from – Specifies the beginning IP address in the range or subnet.
• ip-to-mask – Specifies the ending IP address in the range, or the subnet mask.
• continent – Specifies the continent where the IP address range or subnet is located.
• country – Specifies the country where the IP address range or subnet is located.
• state – Specifies the state where the IP address range or subnet is located.
• city – Specifies the city where the IP address range or subnet is located.

Importing the CSV File

To import the CSV file onto the AX device, use the following command at the Privileged EXEC or global configuration level of the CLI:

import geo-location file-name [use-mgmt-port] url

You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file

(For information about the use-mgmt-port option, see “Using the Management Interface as the Source for Management Traffic” on page 669.)

Loading the CSV File Data into the Geo-Location Database

To load the CSV file, use the following command at the global configuration level of the CLI:

[no] gslb geo-location load file-name csv-template-name

Use the file name you specified when you imported the CSV file, and the name of the CSV template to be used for extracting data from the file.

To display information about CSV files that have been loaded or are currently being loaded, use the following command:

show gslb geo-location file [file-name]

Note: The file-name option is available only if you have already imported a geo-location database file.

Manually Configuring Geo-Location Mappings

USING THE GUI

In the GUI, this is part of site configuration. See “Configure Sites” on page 374.

USING THE CLI
To manually configure a geo-location mapping:
1. Configure each geographic location (geo-location) as a named range of client IP addresses. You can configure geo-locations globally and within individual GSLB policies. To configure a geo-location, use the following command at the global configuration level or at the configuration level for the GSLB policy:
   [no] gslb geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr]
2. Associate a site with a geo-location name, using the following command at the configuration level for the site:
   [no] geo-location location-name
Note: If you configure geo-locations globally and at the configuration level for individual sites, and a client IP address matches both a globally configured geo-location and a geo-location configured on a site, the globally configured geo-location is used by default. To configure the GSLB AX device to use geo-locations configured on individual sites instead, use the geo-location match-first policy command at the configuration level for the policy.

Displaying the Geo-Location Database

USING THE GUI
1. Select Config > Service > GSLB.
2. On the menu bar, select Geo-location > Find. The geo-location database appears. You can use the find options to display database entries or statistics for specific geo-locations or IP addresses.

USING THE CLI
To display the geo-location database, use the following command:
   show gslb geo-location db [geo-location-name] [[statistics] ip-range range-start range-end] [[statistics] depth num] [statistics]
The geo-location-name option displays the database entry for the specified location.

The ip-range option displays entries for the specified IP address range. The depth num option filters the display to show only the location entries at the specified depth or higher. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2.
To search for an entry in the geo-location database based on client IP address, use the following command:
   show gslb geo-location ip ipaddr

CLI Example
The commands in this example load a custom geo-location database from a CSV file called “test.csv”, and display the database. The test.csv file is shown in “Example Database File” on page 364.
First, the following commands configure the CSV template:
   AX(config)#gslb template csv test1-tmplte
   AX(config-gslb template csv)#field 1 ip-from
   AX(config-gslb template csv)#field 2 ip-to-mask
   AX(config-gslb template csv)#field 5 continent
   AX(config-gslb template csv)#field 3 country
   AX(config-gslb template csv)#exit
The following command imports the file onto the AX device:
   AX(config)#import geo-location test1.csv ftp:
   Address or name of remote host []?192.168.1.100
   User name []?admin2
   Password []?*********
   File name [/]?test1.csv
The following commands initiate loading the data from the CSV file into the geo-location database, and display the status of the load operation:
   AX(config)#gslb geo-location load test1.csv test1-tmplte
   AX(config)#show gslb geo-location file
   T = T(Template)/B(Built-in), Per = Percentage of loading
   Filename   T   Template   Per   Lines   Success   Error
   ------------------------------------------------------------------------------
   test1      T   t1         98%   11      10        0

The following command displays the geo-location database. The data that was extracted from the CSV file is shown here in bold type.
   AX(config)#show gslb geo-location db
   Last = Last Matched Client, Hits = Count of Client matched
   T = Type, G(global)/P(policy), S(sub)/R(sub range), M(manually config)
   Sub = Count of Sub Geo-location
   Global Name   From      To        Last      Hits   Sub   T
   ------------------------------------------------------------------------------
   NA            (empty)   (empty)   (empty)   0      1     G
   Geo-location: NA.
   Global Name   From      To        Last      Hits   Sub   T
   ------------------------------------------------------------------------------
   US            (empty)   (empty)   (empty)   0      10    GS
   Geo-location: NA.US.
   Global Name   From      To        Last      Hits   Sub   T
   ------------------------------------------------------------------------------
   [ten 69.26.x.x address-range entries, each with Hits 0, Sub 0 and type GR; the individual From/To values are not legible in this copy of the guide]

Configure Services
To configure GSLB services, use either of the following methods.

USING THE GUI
1. Select Config > Service > GSLB.
2. On the menu bar, select Service IP.
3. Click Add.
4. Enter the service name and IP address.
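As an added illustration (not code from the A10 guide), the following Python models the CSV template and geo-location database described above: 1-based field positions, the delimiter setting, ip-to-mask read as either an ending address or a subnet mask, the Success/Error counts of the load, and lookups and depth filtering over the continent/country/state/city hierarchy. The field positions match the CLI example; the CSV rows and all class and function names are constructed for this illustration.

```python
# Added illustration (not A10 code) of the CSV template and geo-location
# database described above: 1-based "field" positions map columns onto roles,
# ip-to-mask is read as an ending address or a subnet mask, and lookups and
# "depth" filtering walk the continent/country/state/city hierarchy.
import csv
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROLES = ("continent", "country", "state", "city")   # hierarchy, depth 1..4


@dataclass
class CsvTemplate:
    """Equivalent of: gslb template csv NAME / field POS ROLE / delimiter CHAR."""
    fields: Dict[str, int]      # role -> 1-based field position (1-64)
    delimiter: str = ","        # the default delimiter is a comma

    def column(self, role: str, row: List[str]) -> str:
        pos = self.fields.get(role)
        if pos is None or pos > len(row):
            return ""           # role not mapped in the template, or row too short
        return row[pos - 1].strip()


def is_netmask(value: int) -> bool:
    """True for a contiguous mask such as 255.255.255.0."""
    inverted = ~value & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def parse_range(ip_from: str, ip_to_mask: str) -> Tuple[int, int]:
    """(first, last) as integers; ip-to-mask is an ending address or a mask."""
    first = int(ipaddress.IPv4Address(ip_from))
    second = int(ipaddress.IPv4Address(ip_to_mask))
    if is_netmask(second):
        network = first & second
        return network, network | (~second & 0xFFFFFFFF)
    if second < first:
        raise ValueError("range end precedes range start")
    return first, second


class GeoLocationDB:
    def __init__(self) -> None:
        self.ranges: List[Tuple[int, int, Tuple[str, ...]]] = []  # (first, last, location)
        self.locations: List[Tuple[str, ...]] = []                # distinct locations, load order

    def load(self, text: str, tmpl: CsvTemplate) -> Tuple[int, int]:
        """Returns (success, error) row counts, like 'show gslb geo-location file'."""
        success = errors = 0
        for row in csv.reader(text.splitlines(), delimiter=tmpl.delimiter):
            if not row:
                continue
            try:
                rng = parse_range(tmpl.column("ip-from", row),
                                  tmpl.column("ip-to-mask", row))
            except ValueError:
                errors += 1         # unparsable address: row counted as an error
                continue
            path: List[str] = []
            for role in ROLES:      # descend continent -> country -> state -> city
                name = tmpl.column(role, row)
                if not name:
                    break
                path.append(name)
                if tuple(path) not in self.locations:
                    self.locations.append(tuple(path))
            self.ranges.append((rng[0], rng[1], tuple(path)))
            success += 1
        return success, errors

    def lookup(self, client_ip: str) -> Optional[str]:
        """Deepest location (e.g. 'NA.US') whose range holds the address, or None;
        the counterpart of 'show gslb geo-location ip'."""
        addr = int(ipaddress.IPv4Address(client_ip))
        hits = [path for lo, hi, path in self.ranges if lo <= addr <= hi]
        return ".".join(max(hits, key=len)) if hits else None

    def entries(self, depth: int) -> List[str]:
        """Location names at the given depth or higher, as 'depth num' filters them."""
        return [".".join(p) for p in self.locations if len(p) <= depth]


# Constructed sample file for the template of the CLI example above:
# column 1 = ip-from, 2 = ip-to-mask, 3 = country, 4 = unused, 5 = continent.
SAMPLE_CSV = """69.26.125.0,69.26.125.255,US,ignored,NA
69.26.136.0,255.255.255.0,US,ignored,NA
10.1.0.0,255.255.0.0,CA,ignored,NA
not-an-address,1,US,ignored,NA
"""


def build_example_db() -> Tuple[GeoLocationDB, Tuple[int, int]]:
    tmpl = CsvTemplate({"ip-from": 1, "ip-to-mask": 2, "country": 3, "continent": 5})
    db = GeoLocationDB()
    return db, db.load(SAMPLE_CSV, tmpl)
```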

5. If needed, assign an external IP address to the service IP. An external IP address is needed if the service IP address is an internal IP address that can not be reached from outside the internal network.
6. Add the service port(s):
   a. Click Add.
   b. Enter the port number and select the protocol (TCP or UDP).
   c. Optionally, select a health monitor.
7. Click OK. The service port appears in the service port list.
8. Repeat for each service IP.

USING THE CLI
To configure service VIPs, use the following command at the global configuration level of the CLI:
   gslb vip-name ipaddr
This command changes the CLI to the configuration level for the service.
To assign an external IP address to the service, use the following command:
   external-ip ipaddr
The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.
To configure a service port on the service, use the following command to change the CLI to the configuration level for the port:
   port port-num {tcp | udp}
To enable health monitoring of the service, use the following command:
   health-check monitor-name

Configure Sites
To configure GSLB sites, use either of the following methods.

USING THE GUI
1. Select Config > Service > GSLB.
2. On the menu bar, select Site.
3. Click Add.
4. Enter the site name.
5. On the IP-Server tab, add services to the site. Select a service from the drop-down list and click Add. Repeat for each service.
6. To manually map a geo-location name to the site, enter the geo-location name on the Geo-location tab and click Add.
7. On the SLB-Device tab, enter information about the AX devices that provide SLB for the site:
   a. Click Add.
   b. Enter a name for the device.
   c. Enter the IP address at which the GSLB AX device will be able to reach the site AX device.
   d. To add a service to this SLB device, select it from the drop-down list in the VIP server section and click Add. Repeat for each service.
8. Click OK. The site appears in the Site table.

USING THE CLI
To configure the GSLB sites, use the following commands:
   gslb site site-name
This command changes the CLI to the configuration level for the site.
To associate an IP service with this site, use the following command:
   ip-server service-ip
The service-ip is the IP address of a real server load balanced by the site.

To specify the AX device that provides SLB at the site, use the following command:
   slb-dev device-name ip-addr
To add the GSLB VIP server to the SLB device, use the following command:
   vip-server gslb service-name
The service-name is the GSLB service specified by the gslb vip-name ipaddr command in “Configure Services” on page 372.
Configure additional options, if applicable to your deployment. (See Table 8, “GSLB Parameters,” on page 378.)

Configure a Zone
To configure a GSLB zone, use either of the following methods.

USING THE GUI
1. Select Config > Service > GSLB.
2. On the menu bar, select Zone.
3. Click Add.
4. Enter the zone name in the Name field.
5. Add the services:
   a. On the Service tab, click Add. The service configuration tabs appear.
   b. In the Service field, enter the name for the service (for example, “www”).
   c. Select the service type from the Port drop-down list.
   d. Click OK.
   e. Repeat for each service.
6. Click OK. The zone appears in the GSLB zone list. (See Figure 123 on page 408.)

USING THE CLI
To configure the GSLB zone, use the following commands:
   gslb zone zone-url
The zone-url is the URL that clients will send in DNS queries. This command changes the CLI to the configuration level for the zone.
To add a service to the zone, use the following command:
   service port service-name
The port is the application port for the server and must be the same port name or number specified on the service VIP.

Enable the GSLB Protocol
To enable the GSLB protocol, use either of the following methods.

USING THE GUI
1. Select Config > Service > GSLB.
2. On the menu bar, select Global. The Global tab appears.
3. Select Enabled next to one of the following options, depending on the AX device’s function in the GSLB configuration:
   • Run GSLB as Controller
   • Run GSLB as Site SLB Device
4. If you are planning to use the Passive RTT metric, select the Passive RTT checkbox to enable collection of passive RTT data on this site AX device.
5. Click OK.

USING THE CLI
To enable the GSLB protocol on the GSLB AX device, use the following command at the global configuration level of the CLI:
   gslb protocol enable controller

To enable the GSLB protocol on a site AX device, use the following command at the global configuration level of the CLI:
   gslb protocol enable device [no-passive-rtt]
The no-passive-rtt option disables collection of passive RTT data on this site AX device. If you are planning to use the Passive RTT metric, do not use this option.

GSLB Parameters
Table 8 lists the GSLB parameters.

TABLE 8 GSLB Parameters
(Columns: Parameter; Description and Syntax; Supported Values)

Global GSLB Parameters

protocol enable (Required)
Enables the GSLB protocol. The protocol must be enabled on the GSLB AX device and on the site AX devices.
   [no] gslb protocol {enable {controller | device [no-passive-rtt]} | status-interval seconds}
On the GSLB AX device, use the controller option. On the site AX devices, use the device option. The status-interval option sets the number of seconds between GSLB status messages.
   Config > Service > GSLB > Global
Supported values: Controller or device. Default: Disabled. When you enable the GSLB protocol, the default status interval is 30 seconds.

geo-location (Optional)
Maps geographic locations to IP address ranges. GSLB forwards client requests from addresses within the range to the GSLB site that serves the location.
To load the IANA database:
   [no] gslb geo-location load iana
   Config > Service > GSLB > Geo-location > Import
To load a custom database:
   [no] gslb template csv template-name
   [no] gslb geo-location load file-name csv-template-name
   Config > Service > GSLB > Geo-location > Import
To configure individual mappings:
   [no] gslb geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr]
   Config > Service > GSLB > Site - Geo-location tab
Supported values: For geo-location mappings loaded from a database, the mappings must be in the AX device’s IANA database or in a comma-separated values (CSV) file. For individual mappings, the location-name can be up to 127 alphanumeric characters. Specify either the beginning and ending addresses of the range, or the beginning address and the network mask. Default: No geo-location database is loaded and no individual mappings are configured.

policy (Optional)
Configures a GSLB policy. GSLB policies configure the GSLB metrics used to select the best sites and site IP addresses to return in DNS replies to clients.
   [no] gslb policy {default | policy-name}
   Config > Service > GSLB > Policy
Supported values: Default: The “default” GSLB policy is used, unless you configure another policy and apply it to the zone.

service-ip (Required)
Configures a virtual IP address (VIP) for a service. In GSLB, service IP addresses are VIPs that represent services that are provided by servers connected to the site AX devices.
   [no] gslb service-ip vip-name [ipaddr]
   Config > Service > GSLB > Service IP
Supported values: The vip-name can be up to 31 alphanumeric characters. Default: None

site (Required)
Configures a site. A GSLB zone can contain one or more sites. Each site has at least one AX device providing load balancing for the site’s services.
   [no] gslb site site-name
   Config > Service > GSLB > Site
See “Site Parameters” below.
Supported values: The site-name can be up to 31 alphanumeric characters. Default: None

zone (Required)
Configures a zone. The zone identifies the top-level URL for the services load balanced by GSLB.
   [no] gslb zone zone-url
   Config > Service > GSLB > Zone
See “Zone Parameters” below.
Supported values: The zone-url is the URL of the zone and can be up to 127 alphanumeric characters. Default: None
Note: You can use lower case characters and upper case characters. However, since Internet domain names are case-insensitive, the AX device internally converts all upper case characters in GSLB zone names to lower case.

Service-IP Parameters

service-ip status (Required)
Enables or disables the service-ip.
   disable | enable
   Config > Service > GSLB > Service-IP
Supported values: Default: Enabled

external IP address
Assigns an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.
   [no] external-ip ipaddr
   Config > Service > GSLB > Service-IP
Supported values: Default: None

health check
Enables or disables monitoring for the service IP address.
   [no] health-check [monitor-name]
   Config > Service > GSLB > Service-IP
Supported values: You can specify any health monitor (Layer 3, 4 or 7). Default: The default Layer 3 health monitor (ICMP ping) is used.

service port
Adds a service port to the service IP address. The command also changes the CLI to the configuration level for the specified service port, where the service port-related commands are available.
   port num {tcp | udp}
   Config > Service > GSLB > Service-IP
Supported values: Valid protocol port number and service type. Default: None

Site Parameters

active-rtt (Optional)
Configures options for the Active RTT metric.
   [no] active-rtt aging-time minutes | bind-geoloc | range-factor num | smooth-factor num
Note: Configuration of these parameters is not supported in the GUI.
Supported values:
   aging-time – Specifies the maximum amount of time a stored active-RTT result can be used. You can specify 1-1000 minutes. The default is 10 minutes.
   bind-geoloc – Stores the active-RTT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site-SLB device basis.
   range-factor – Specifies the maximum percentage a new active-RTT measurement can differ from the previous measurement. You can specify 1-100. The default is 25. For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement can not be used. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.
   smooth-factor – Blends the new measurement with the previous one, to smoothen the measurements. You can specify 1-100. The default is 10.

bw-cost (Optional)
Configures options for the bw-cost metric:
   [no] bw-cost limit limit threshold percentage
Note: Configuration of these parameters is not supported in the GUI.
Supported values:
   limit – Specifies the maximum amount the SNMP object queried by the GSLB AX device can increment since the previous query, in order for the site to remain eligible for selection as the best site. You can specify 0-2147483647. There is no default.
   threshold percentage – For a site to regain eligibility when bw-cost is being compared, the percentage parameter is used. If a site becomes ineligible due to being over the limit, in order for the site to become eligible again based on bandwidth cost, the SNMP object’s incremental value must be below the threshold-percentage of the limit value. In order to become eligible for selection again, the site’s limit value must not increment more than limit*threshold-percentage. For example, if the limit value is 80000 and the threshold is 90, the limit value must increment by 72000 or less. Once a site again becomes eligible, the SNMP object’s value is again allowed to increment by as much as the bandwidth limit value (80000, in this example). You can specify 0-100. There is no default.
Default: None

geo-location (Optional)
Associates the site with a specific geographic location.
   [no] geo-location location-name
   Config > Service > GSLB > Site - Geo-location tab
Note: This option is applicable only for manually configuring geo-location mappings. If you plan to load geo-location mappings from a file instead, you do not need to use this option.
Supported values: The location-name can be up to 127 alphanumeric characters. Default: None

ip-server (Optional)
Associates a real server with this site.
   [no] ip-server service-name
   Config > Service > GSLB > Site - IP Server tab
Note: Generally, virtual servers rather than real servers are associated with a site. To associate a virtual server with a site, use the vip-server option at the SLB device configuration level. (See “SLB Device Parameters”, below.)
Supported values: Default: None

passive-rtt (Optional)
Configures options for the passive RTT metric. The options are the same as those for active-rtt. (See above.)
   [no] passive-rtt aging-time minutes | bind-geoloc | range-factor num | smooth-factor num
Note: Configuration of these parameters is not supported in the GUI.
Supported values: See the description for active-rtt, above. Default: None

slb-device (Required)
Specifies the AX device that provides SLB for the site. The IP address must be an address that can be reached by the GSLB AX device.
   [no] slb-dev device-name ipaddr
   Config > Service > GSLB > Site - SLB Device tab
Supported values: The device-name can be up to 31 alphanumeric characters. Default: None

template (Optional)
Binds a template to the site. To use the bw-cost metric, use this option to bind a GSLB SNMP template to the site.
   [no] template template-name
Note: Configuration of this parameter is not supported in the GUI.
Supported values: Name of a configured SNMP template. Default: None

weight (Optional)
Assigns a weight to the site. If the weighted-site metric is enabled in the policy and all metrics before weighted-site result in a tie, the site with the highest weight is preferred.
   [no] weight num
   Config > Service > GSLB > Site - General tab
Supported values: The weight can be from 1 – 100. Default: 1

SLB Device Parameters

admin-preference (Optional)
Assigns a preference value to the SLB device. If the admin-preference metric is enabled in the policy and all metrics before this one result in a tie, the SLB device with the highest admin-preference value is preferred.
   [no] admin-preference num
   Config > Service > GSLB > Site - SLB-Device tab
Supported values: You can specify from 0 – 255. Default: 100

passive-rtt-timer (Optional)
For passive RTT, specifies the number of seconds during which samples are collected during each sampling period.
   [no] passive-rtt-timer num
To prevent samples from being taken for this device, use the no passive-rtt-timer command.
Note: Configuration of this parameter is not supported in the GUI.
Supported values: You can specify 1-255. Default: 3

vip-server (Required)
Maps this SLB site to a globally configured GSLB service IP address (configured by the service-ip option).
   [no] vip-server name
   Config > Service > GSLB > Site - SLB-Device tab
Supported values: The name must be the name of a configured service IP. (To configure the service IP, use the gslb service-ip command.) Default: None

Zone Parameters

dns-mx-record (Optional)
Configures a DNS Mail Exchange (MX) record for the zone. MX records configured on a zone are used only for services on which MX records are not configured.
   [no] dns-mx-record name priority
   Config > Service > GSLB > Zone - Click Add on the Service tab to display the DNS MX Record tab.
Supported values: The name is the fully-qualified domain name of the mail server for the zone. The priority can be 0-65535. If more than one MX record is configured for the same zone, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX with the lowest preference value has the highest priority and is tried first. There is no default preference. Default: None

policy (Optional)
Applies a GSLB policy to the zone.
   [no] policy policy-name
   Config > Service > GSLB > Zone
See “Policy Parameters” on page 387.
Supported values: The policy-name can be up to 31 alphanumeric characters. Default: The “default” GSLB policy is used, unless you configure another policy and apply it to the zone.

service (Required)
Adds a service to the zone. The GSLB AX Series verifies the availability of the service by sending a health check to the specified service port. The health check must be assigned to the individual service.
   [no] service port service-name
   Config > Service > GSLB > Zone - Service tab
See “Service Parameters” below.
Supported values: The port can be a well-known name recognized by the CLI or a port number from 1 to 65535. The service-name can be up to 31 alphanumeric characters. (For the same reason described for zone names, the AX device converts all upper case characters in GSLB service names to lower case.) Default: None

ttl (Optional)
Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy, for this zone. TTL can be set at different levels of the GSLB configuration; however, only one of the TTL settings is used. (See “DNS Options” on page 342.)
   [no] ttl seconds
   Config > Service > GSLB > Zone
Supported values: You can specify from 0 to 1000000 (1,000,000) seconds. Default: 10 seconds

Service Parameters

action (Optional)
Specifies the action to perform for DNS traffic.
   [no] action {drop | reject | forward {both | query | response}}
   Config > Service > GSLB > Zone - Click Add on the Service tab to display the Service tab.
Note: Use of the actions configured for services also must be enabled in the GSLB policy, using the DNS action option. See Table 9, “GSLB Policy Parameters,” on page 387.
Supported values: You can specify one of the following:
   • Drop – Drops DNS queries from the local DNS server.
   • Reject – Rejects DNS queries from the local DNS server and returns the “Refused” message in replies.
   • Forward – Forwards requests or queries, as follows:
      • Forward both – Forwards queries to the Authoritative DNS server, and forwards responses to the local DNS server.
      • Forward query – Forwards queries to the Authoritative DNS server, but does not forward responses to the local DNS server.
      • Forward response – Forwards responses to the local DNS server, but does not forward queries to the Authoritative DNS server.

dns-a-record (Optional)
Configures a DNS Address (A) record for the service.
   dns-a-record {service-name | service-ipaddr} {weight num | static | as-replace | no-resp}
   Config > Service > GSLB > Zone - Click Add on the Service tab to display the DNS Address Record tab.
Note: The no-resp option is not valid with the static or as-replace option. If you use no-resp, you cannot use static or as-replace.
Supported values:
   weight – Assigns a weight to the service. If the weighted-ip metric is enabled in the policy and all metrics before weighted-ip result in a tie, the service on the site with the highest weight is selected. The weight can be 1-100. By default, the weight is not set.
   static – This option is used with the dns server option in the policy. When both options are set (static here and dns server in the policy), the GSLB AX device acts as the DNS server for the IP address set here by service-ip. This option is disabled by default.
   as-replace – This option is used with the ip-replace option in the policy. When both options are set (as-replace here and ip-replace in the policy), the client receives only the IP address set here by service-ip. This option is disabled by default.
   no-resp – Prevents the IP address for this site from being included in DNS replies to clients, for use with the DNS replace-ip option in the GSLB policy. This option is disabled by default.
Default: None

dns-cname-record (Optional)
Configures DNS Canonical Name (CNAME) records for the service.
   dns-cname-record alias [alias ...]
   Config > Service > GSLB > Zone - Click Add on the Service tab to display the DNS CName Record tab.

This CNAME overrides any CNAME globally configured for the zone. There is no default.

dns-mx-record (Optional)
Configures a DNS Mail Exchange (MX) record for the service.
   dns-mx-record name priority
   Config > Service > GSLB > Zone - Click Add on the Service tab to display the DNS MX Record tab.
Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure A records for the mail service.
Supported values: The name is the fully-qualified domain name of the mail server for the service. The priority can be 0-65535. If more than one MX record is configured for the same service, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX record with the lowest priority number has the highest priority and is tried first. Default: None

geo-location (Optional)
Maps an alias to the specified geographic location for this service.
   [no] geo-location location-name alias url
   Config > Service > GSLB > Zone - Click Add on the Service tab to display the Geo-location tab.
Supported values: The location-name is a global GSLB parameter and must already be configured. (See “Global GSLB Parameters” and “Site Parameters” above.) The alias is a service parameter and must already be configured. (See above.) Default: None

ip-order (Optional)
Specifies the order in which to list the service IP addresses (VIPs) for this service in the DNS replies to clients. The ip-order is one of the metrics used to select the best IP address for a service.
   [no] ip-order {service-name | service-ipaddr} [service-ipaddr ...]
   Config > Service > GSLB > Zone - Click Add on the Service tab to display the DNS Address Record tab.
Supported values: Each service-ipaddr is a virtual IP address assigned to the service at this site. Generally, each service will have a different virtual IP address for each real server that provides the service at the site. There is no default.

policy (Optional)
Applies the specified GSLB policy to the service. You must configure the policy before you apply it.
   [no] policy policy-name
   Config > Service > GSLB > Zone - Click Add on the Service tab to display the Service tab.
Supported values: The policy-name can be up to 31 alphanumeric characters. Default: The GSLB policy applied to the zone is also applied to the services in that zone. If no policy is applied to the zone, the “default” GSLB policy is applied.

Policy Parameters
Table 9 lists the GSLB policy parameters.

TABLE 9 GSLB Policy Parameters
(Columns: Parameter; Description and Syntax; Supported Values)

Load Balancing Metrics

active-rtt
Load balancing metric that selects the site with the fastest round-trip-time for a DNS query and reply between a site AX device and the GSLB local DNS. You can enable it to take either a single sample (single shot) or multiple samples at regular intervals.
   [no] active-rtt [samples num-samples] [single-shot] [skip count] [timeout seconds] [store-by {geo-location | slb-device}] [tolerance num-percentage]
   Config > Service > GSLB > Policy - Metrics tab
Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See “Metrics That Require the GSLB Protocol on Site AX Devices” on page 344.)
Supported values: The state is one of the following:
   • Enabled
   • Disabled – This is the default.
The active RTT metric is disabled by default. When you enable the active-rtt metric, the default number of samples is 5. The default store-by is slb-device. The default tolerance is 10 percent.

active-servers
Load balancing metric that selects the site that has the most active servers for the requested service.
   [no] active-servers
   Config > Service > GSLB > Policy - Metrics tab
Note: This metric requires the GSLB protocol to be enabled on the site AX devices.
Supported values: The state is one of the following:
   • Enabled
   • Disabled – This is the default.

admin-preference
Load balancing metric that selects the service with the highest administratively set preference.
   [no] admin-preference
   Config > Service > GSLB > Policy - Metrics tab
Supported values: The state is one of the following:
   • Enabled
   • Disabled – This is the default.
The preference can be from 0 to 255. The default is 100 for each site.

bw-cost
Load balancing metric that selects sites based on bandwidth utilization on the site AX links.
   [no] bw-cost
   Config > Service > GSLB > Policy - Metrics tab
Supported values: The state is one of the following:
   • Enabled
   • Disabled – This is the default.

TABLE 9 GSLB Policy Parameters (Continued)

Parameter: connection-load
Description and Syntax: Sites that are at or below their thresholds of average new connections per second are preferred over sites that are above their thresholds.
[no] connection-load [limit average-load] | [samples num interval seconds]
Config > Service > GSLB > Policy - Metrics tab
Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See “Metrics That Require the GSLB Protocol on Site AX Devices” on page 344.)
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
The limit can be from 1 to 999999999 (999,999,999). The default is not set (unlimited).
The samples can be from 1 to 8. The default is 5.
The interval can be from 1 to 60 seconds. The default is 5 seconds.

Parameter: geographic
Description and Syntax: Service IP addresses for the geographic region where the client is located are preferred over addresses from other regions. The GSLB AX Series selects the geographic region by matching the client’s IP address with the GSLB address ranges configured using geo-location options.
[no] geographic
Config > Service > GSLB > Policy - Metrics tab
Supported Values: The state is one of the following:
• Enabled – This is the default.
• Disabled

Parameter: health-check
Description and Syntax: Service IP addresses that pass their health checks are preferred over addresses that do not pass their health checks, if the default health checks are used on the service IPs. An IP address that fails its health check is not automatically ineligible to be included in the DNS reply to a client. (See “Health Checks” on page 340.)
[no] health-check
Config > Service > GSLB > Policy - Metrics tab
Supported Values: The state is one of the following:
• Enabled – This is the default.
• Disabled

Parameter: least-response
Description and Syntax: Service IP addresses with the fewest hits are preferred over addresses with more hits.
[no] least-response
Config > Service > GSLB > Policy - Metrics tab
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

TABLE 9 GSLB Policy Parameters (Continued)

Parameter: num-session
Description and Syntax: Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds. The tolerance specifies the percentage by which the number of available sessions on site SLB devices can differ without causing the num-session metric to select one SLB device over another. Thus, minor differences among SLB devices do not cause frequent, unnecessary changes in site preference.
Example: Site A has 800,000 sessions available and Site B has 600,000 sessions available. The difference between the two sites is 200,000. If num-session is set to 10, then Site A is preferred because 200,000 is larger than 10% of 800,000, which is 80,000.
[no] num-session [tolerance num]
Config > Service > GSLB > Policy - Metrics tab
Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See “Metrics That Require the GSLB Protocol on Site AX Devices” on page 344.)
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
When you enable the num-session metric, the default tolerance is 10 percent.

Parameter: ordered-ip
Description and Syntax: Service IP addresses are re-ordered in DNS replies to match the order administratively configured for the service. The ordered list of IP addresses must be configured for the service. If ordered-ip is the last metric, the prioritized list is sent to the client. Otherwise, the prioritized list is sent to the next metric for further evaluation.
[no] ordered-ip
Config > Service > GSLB > Policy - Metrics tab
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

TABLE 9 GSLB Policy Parameters (Continued)

Parameter: passive-rtt
Description and Syntax: Sites with faster round-trip times (RTTs) between a client and the site are preferred over sites with slower times. The passive RTT is the time between when the site AX device receives a client’s TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection. Passive RTT measurements are taken for client addresses in each /24 subnet range.
Passive RTT tolerance is a percentage from 0 to 100. It specifies how much the RTT values of sites must differ in order for GSLB to prefer one site over the other based on RTT.
Example: Site A’s RTT value is 0.3 seconds and Site B’s RTT value is 0.32 seconds. If the passive RTT tolerance is 10%, then the two sites are treated as having the same passive RTT preference.
[no] passive-rtt [samples num-samples] [store-by {geo-location | slb-device}] [tolerance num-percentage]
Config > Service > GSLB > Policy - Metrics tab
Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See “Metrics That Require the GSLB Protocol on Site AX Devices” on page 344.)
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
When you enable the passive-rtt metric, the default number of samples is 5. The default store-by is slb-device. The default tolerance is 10 percent.

Parameter: round-robin
Description and Syntax: Each service IP address is used sequentially, in rotation. The first service IP address is selected for the first new connection, the second address is selected for the second new connection, and so on until all service IP addresses have been selected. Then selection starts over again with the first service IP address.
[no] round-robin
Config > Service > GSLB > Policy - Metrics tab
Supported Values: The state is one of the following:
• Enabled – This is the default.
• Disabled

TABLE 9 GSLB Policy Parameters (Continued)

Parameter: session-capacity
Description and Syntax: Sites that have not exceeded their thresholds for their respective maximum TCP/UDP sessions are preferred over sites that have exceeded their thresholds.
Example: Site A’s maximum session capacity is 800,000 and Site B’s maximum session capacity is 500,000. If the session-capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000.
[no] capacity [threshold num]
Config > Service > GSLB > Policy - Metrics tab
Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See “Metrics That Require the GSLB Protocol on Site AX Devices” on page 344.)
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
The threshold can be from 0 to 100 percent. The default is 90.

Parameter: weighted-ip
Description and Syntax: Service IP addresses with higher weight values are used more often than addresses with lower weight values.
[no] weighted-ip
Config > Service > GSLB > Policy - Metrics tab
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

Parameter: weighted-site
Description and Syntax: Sites with higher weight values are used more often than sites with lower weight values.
[no] weighted-site
Config > Service > GSLB > Policy - Metrics tab
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
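The tolerance and threshold comparisons in the num-session, passive-rtt and session-capacity rows above decide whether two sites are treated as equal or one is preferred, and each metric hands its prioritized list to the next metric in the metric order. The following Python is an added example, not A10 code and not an AX feature: it replays the three worked examples from Table 9 (800,000 vs 600,000 available sessions, 0.3 s vs 0.32 s RTT, 90% capacity thresholds of 720,000 and 450,000) and chains the metrics in a constructed order. The Site fields, current session loads and the metric order are assumptions made for the illustration.

```python
# Added example (not A10's code): how the num-session tolerance, the
# session-capacity threshold and the passive-rtt tolerance from Table 9
# narrow a list of candidate sites, and how metrics chain in metric order.
# Site values and the metric order used below are constructed for this
# illustration; they are not read from an AX device.
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    sessions_available: int = 0   # free sessions reported by the site AX
    max_sessions: int = 0         # site's maximum TCP/UDP session capacity
    sessions_in_use: int = 0      # current sessions, checked against capacity
    passive_rtt: float = 0.0      # seconds, SYN-to-ACK time measured at the site


def names(sites):
    return [s.name for s in sites]


def num_session(sites, tolerance_pct=10):
    """Prefer the sites with the most available sessions, but treat any site
    within tolerance_pct of the best count as equal, so minor differences
    do not flip the preference."""
    best = max(s.sessions_available for s in sites)
    allowed_gap = best * tolerance_pct / 100.0
    return [s for s in sites if best - s.sessions_available <= allowed_gap]


def capacity_threshold(max_sessions, threshold_pct=90):
    """Session count above which a site counts as over its threshold."""
    return int(max_sessions * threshold_pct / 100)


def session_capacity(sites, threshold_pct=90):
    """Prefer sites at or under their capacity threshold. If every site is
    over its threshold, keep them all so the next metric still has input."""
    under = [s for s in sites
             if s.sessions_in_use <= capacity_threshold(s.max_sessions, threshold_pct)]
    return under or list(sites)


def passive_rtt(sites, tolerance_pct=10):
    """Prefer the fastest passive RTT; sites within tolerance_pct of the
    fastest value are treated as having the same RTT preference."""
    fastest = min(s.passive_rtt for s in sites)
    return [s for s in sites
            if s.passive_rtt - fastest <= fastest * tolerance_pct / 100.0]


METRICS = {"num-session": num_session, "capacity": session_capacity,
           "passive-rtt": passive_rtt}


def select_sites(sites, metric_order):
    """Apply the metrics in the given order; each metric receives the
    prioritized list produced by the previous one. Stops early once a
    single site remains."""
    candidates = list(sites)
    for metric in metric_order:
        candidates = METRICS[metric](candidates)
        if len(candidates) == 1:
            break
    return names(candidates)


def demo():
    """Replay the three Table 9 examples, then a combined metric-order pass."""
    results = {}
    # num-session example: 800,000 vs 600,000 available, 10% tolerance.
    a, b = Site("A", sessions_available=800_000), Site("B", sessions_available=600_000)
    results["num-session"] = names(num_session([a, b]))        # ["A"]
    # passive-rtt example: 0.3 s vs 0.32 s, 10% tolerance -> treated as equal.
    a, b = Site("A", passive_rtt=0.30), Site("B", passive_rtt=0.32)
    results["passive-rtt"] = names(passive_rtt([a, b]))        # ["A", "B"]
    # session-capacity example: thresholds 720,000 and 450,000; the current
    # loads (constructed) put A over its threshold and B under it.
    a = Site("A", max_sessions=800_000, sessions_in_use=730_000)
    b = Site("B", max_sessions=500_000, sessions_in_use=400_000)
    results["capacity"] = names(session_capacity([a, b]))      # ["B"]
    # Chained: capacity and passive-rtt keep both sites, num-session decides.
    a = Site("A", 800_000, 800_000, 0, 0.30)
    b = Site("B", 600_000, 600_000, 0, 0.32)
    results["metric-order"] = select_sites([a, b], ["capacity", "passive-rtt", "num-session"])
    return results


if __name__ == "__main__":
    print(demo())
```

The tolerance is applied relative to the best value in each comparison, which is what makes the 0.02 s RTT gap fall inside 10% of 0.3 s while the 200,000-session gap exceeds 10% of 800,000. When a metric would eliminate every site, the example keeps the whole list so that a later metric (or the default metric order) still has candidates to rank.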

TABLE 9 GSLB Policy Parameters (Continued)

Parameter: metric-order
Description and Syntax: The first metric you specify becomes the primary metric. If you specify additional parameters, they are used in the priority you specify. All remaining metrics are prioritized to follow the metrics you specify. For example, if you specify only the ordered-ip metric with the command, and the metric order in the policy has not been changed previously, the ordered-ip metric becomes the first metric. The health-check metric becomes the second metric, the weighted-ip metric becomes the third metric, and so on.
[no] metric-order metric [metric ...]
Config > Service > GSLB > Policy - Metrics tab
Supported Values: You can specify one or more of the following metrics (listed alphabetically):
• active-rtt
• active-servers
• admin-preference
• bw-cost
• capacity
• connection-load
• geographic
• health-check
• least-response
• num-session
• ordered-ip
• passive-rtt
• weighted-ip
• weighted-site
Default metric order: See “GSLB Policy” on page 338.

DNS Parameters

Parameter: action
Description and Syntax: Enable GSLB to perform the DNS actions specified in the service configurations.
[no] dns action
Config > Service > GSLB > Policy - DNS Options tab
Note: To configure the DNS action for a service, use the action option at the configuration level for the service. See Table 8, “GSLB Parameters,” on page 378.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

Parameter: active-only
Description and Syntax: Removes IP addresses from DNS replies when those addresses fail a health check.
Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB AX Series does not use this metric, since it would result in an empty IP address list.
[no] dns active-only
Config > Service > GSLB > Policy - DNS Options tab
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

000. If this option is disabled.DNS Options tab Returns the external IP address configured for a service IP.000. see “Order in Which Sticky.2 11/11/2009 b y 393 of 702 . Supported Values The state is one of the following: • Enabled • Disabled – This is the default. See Table 8. [no] dns external-ip Config > Service > GSLB > Policy .DNS Options tab Note: The external IP address must be configured on the service IP.0. Use the external-ip option at the configuration level for the service IP.AX Series . • Disabled cname-detect Applies GSLB to CNAME records.Configuration Guide GSLB Parameters TABLE 9 Parameter addition-mx GSLB Policy Parameters (Continued) Description and Syntax Appends MX records in the Additional section in replies for A records.” on page 378. the internal address is returned instead. “GSLB Parameters. [no] dns best-only Config > Service > GSLB > Policy .DNS Options tab Removes all IP addresses from DNS replies except for the address selected as the best address by the GSLB policy metrics.DNS Options tab Caches DNS replies and uses them when replying to clients. [no] dns addition-mx Config > Service > GSLB > Policy . Default: TTL set by the DNS server in the reply Note: If you change the value and later want to restore it to the default. Server.Ver. instead of sending a new DNS request for every client query.DNS Options tab For more information on this option. [no] dns cache [aging-time seconds | ttl] Config > Service > GSLB > Policy . and Proxy Options Are Used” on page 343. cache The state is one of the following: • Enabled • Disabled – This is the default.: D-030-01-00-0006 . Cache.000 seconds (nearly 32 years). The state is one of the following: • Enabled – This is the default. external-ip P e r f o r m a n c e D e s i g n Document No. use the ttl option. The aging time can be 1-1. when the device is configured for DNS proxy or cache mode. 2. [no] dns cname-detect Config > Service > GSLB > Policy . 
best-only The state is one of the following: • Enabled • Disabled – This is the default. • Disabled The state is one of the following: • Enabled – This is the default.

TABLE 9 GSLB Policy Parameters (Continued)

Parameter: geoloc-action
Description and Syntax: Performs the DNS traffic handling action specified for the client’s geo-location. The action is specified as part of service configuration in a zone.
[no] dns geoloc-action
Config > Service > GSLB > Policy - DNS Options tab
Note: To configure the DNS action for a service, use the geo-location action option at the configuration level for the service. See Table 8, “GSLB Parameters,” on page 378.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

Parameter: geoloc-alias
Description and Syntax: Returns the alias name configured for the client’s geo-location.
[no] dns geoloc-alias
Config > Service > GSLB > Policy - DNS Options tab
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

Parameter: geoloc-policy
Description and Syntax: Uses the GSLB policy assigned to the client’s geo-location.
[no] dns geoloc-policy
Config > Service > GSLB > Policy - DNS Options tab
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

Parameter: ip-replace
Description and Syntax: Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service.
[no] dns ip-replace
Config > Service > GSLB > Policy - DNS Options tab
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

TABLE 9 GSLB Policy Parameters (Continued)

Parameter: server
Description and Syntax: Directly responds to Address queries for specific service IP addresses in the GSLB zone, for the service IPs in which you enable the static option, when the device is configured for DNS server mode. (The AX device still forwards other types of queries to the DNS server.) To place the server option into effect, you also must enable the static option on the individual service IP.
When a client requests a configured alias name, GSLB applies the policy to the CNAME records. If you use this option, you do not need to use the cname-detect option.
• addition-mx – Enables the GSLB AX device to provide the A record containing the mail server’s IP address in the Additional section.
• authoritative – Makes the AX device the authoritative DNS server for the GSLB zone. If you omit the authoritative option, the AX device is a non-authoritative DNS server for the zone domain. The full-list option appends all A records in the Authoritative section of DNS replies.
• mx – Provides the MX record in the Answer section, and the A record for the mail server in the Additional section.
[no] dns server addition-mx
[no] dns server authoritative [full-list]
[no] dns server mx
Config > Service > GSLB > Policy - DNS Options tab
For more information on this option, see “Order in Which Sticky, Cache, Server, and Proxy Options Are Used” on page 343.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
Other defaults:
• addition-mx – Disabled
• authoritative – The AX device is a non-authoritative DNS server for the zone domain.
• mx – Disabled

TABLE 9 GSLB Policy Parameters (Continued)

Parameter: sticky
Description and Syntax: Sends the same service IP address to a client for all requests from that client for the service address.
The /prefix-length option adjusts the granularity of the feature, by maintaining separate stickiness information for each of the local DNS servers. The default prefix is /32, which causes the AX device to maintain separate stickiness information for each local DNS server. For example, if two clients use DNS 10.10.10.25 as their local DNS server, and two other clients use DNS 10.20.20.99 as their local DNS server, the AX maintains separate stickiness information for each set of clients.
The aging-time option specifies how many minutes a DNS reply remains sticky.
Note: If you enable the sticky option, the sticky time must be as long or longer than the zone TTL. (Use the ttl command at the configuration level for the zone.)
[no] dns sticky [/prefix-length] [aging-time minutes]
Config > Service > GSLB > Policy - DNS Options tab
For more information on this option, see “Order in Which Sticky, Cache, Server, and Proxy Options Are Used” on page 343.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
The aging time can be 1-65535 minutes. Default: 5 minutes

Parameter: ttl
Description and Syntax: Specifies the value to which the AX Series changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy.
[no] dns ttl num
Config > Service > GSLB > Policy - DNS Options tab
Supported Values: You can specify from 0 to 1000000 (1,000,000) seconds. Default: 10 seconds

Geo-location Parameters

Parameter: geo-location
Description and Syntax: Assigns a geographic location to an IP address range. GSLB forwards client requests from addresses within the range to the GSLB site that serves the location. This is an alternative to loading a geo-location database.
[no] geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr]
This parameter cannot be configured using the GUI.
[no] geo-location match-first {global | policy}
The match-first parameter specifies whether to match the requested IP address with the global geo-location table or with the geo-location table configured in the policy. The geo-location mapping cannot be configured using the GUI. To configure the match-first parameter, select Config > Service > GSLB > Policy - Geolocation tab.
Supported Values: The location-name can be up to 127 alphanumeric characters.
Default location: None
Default match-first: global
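The sticky row above keys stickiness on the local DNS server address masked to /prefix-length and expires entries after aging-time minutes, with the note that the sticky time must cover the zone TTL. The following Python is an added example, not A10 code and not an AX feature: it models that bookkeeping with the table's own sample resolvers (10.10.10.25 and 10.20.20.99), shows how a /32 prefix keeps them separate while a coarser prefix merges them, and includes the TTL sanity check. The StickyTable class, the service IP addresses and the clock values are assumptions for the illustration.

```python
# Added example (not A10's code): the dns sticky bookkeeping from Table 9.
# Stickiness is kept per local DNS server address masked to /prefix-length
# (default /32); an entry expires after aging-time minutes. Resolver
# addresses, service IPs and timestamps below are constructed.
import ipaddress


class StickyTable:
    def __init__(self, prefix_length=32, aging_time_minutes=5):
        if not 1 <= aging_time_minutes <= 65535:
            raise ValueError("aging-time must be 1-65535 minutes")
        self.prefix_length = prefix_length
        self.aging = aging_time_minutes * 60          # seconds
        self._entries = {}  # (resolver network, service) -> (service_ip, expires_at)

    def key(self, local_dns, service):
        # /32 keeps one entry per resolver; shorter prefixes group resolvers.
        net = ipaddress.ip_network(f"{local_dns}/{self.prefix_length}", strict=False)
        return (str(net), service)

    def lookup(self, local_dns, service, now):
        k = self.key(local_dns, service)
        entry = self._entries.get(k)
        if entry is None:
            return None
        service_ip, expires_at = entry
        if now >= expires_at:                         # aged out
            del self._entries[k]
            return None
        return service_ip

    def record(self, local_dns, service, service_ip, now):
        self._entries[self.key(local_dns, service)] = (service_ip, now + self.aging)
        return service_ip


def answer(table, local_dns, service, best_ip, now):
    """Return the sticky address if one exists; otherwise record and return
    the address the policy metrics selected (best_ip)."""
    sticky = table.lookup(local_dns, service, now)
    if sticky is not None:
        return sticky
    return table.record(local_dns, service, best_ip, now)


def sticky_time_ok(aging_time_minutes, zone_ttl_seconds):
    """Table 9 note: the sticky time must be as long or longer than the zone TTL."""
    return aging_time_minutes * 60 >= zone_ttl_seconds


def demo():
    """Replay the Table 9 example with two local DNS servers."""
    per_resolver = StickyTable(prefix_length=32, aging_time_minutes=5)
    t = 0
    first = answer(per_resolver, "10.10.10.25", "www", "2.1.1.10", t)
    same = answer(per_resolver, "10.10.10.25", "www", "3.1.1.10", t + 60)    # still sticky
    other = answer(per_resolver, "10.20.20.99", "www", "3.1.1.10", t + 60)   # own entry
    expired = answer(per_resolver, "10.10.10.25", "www", "3.1.1.10", t + 300)  # aged out
    # A /8 prefix puts both resolvers in 10.0.0.0/8, so they share one entry.
    coarse = StickyTable(prefix_length=8)
    answer(coarse, "10.10.10.25", "www", "2.1.1.10", t)
    shared = answer(coarse, "10.20.20.99", "www", "3.1.1.10", t + 1)
    return {"first": first, "same": same, "other": other,
            "expired": expired, "shared": shared}


if __name__ == "__main__":
    print(demo())
```

The prefix length trades consistency for memory: a shorter prefix means fewer sticky entries but every client behind any resolver in that block receives the same answer, so clients served by different local DNS servers can no longer be steered independently.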

Configuration Examples

These examples implement the GSLB configuration shown in Figure 113 on page 336. The examples assume that the default GSLB policy is used, without any changes to the policy settings.

CLI Example

Configuration on the GSLB AX Device (GSLB Controller)

The following commands configure a health monitor for the local DNS server to be proxied:

AX-Controller(config)#health monitor dns-53
AX-Controller(config-health:monitor)#method dns domain example.com
AX-Controller(config-real server)#exit

The following commands configure the DNS proxy:

AX-Controller(config)#slb server dns-1 10.10.10.53
AX-Controller(config-real server)#port 53 udp
AX-Controller(config-real server-node port)#health-check dns-53
AX-Controller(config-real server-node port)#exit
AX-Controller(config-real server)#exit
AX-Controller(config)#slb service-group sg-1 udp
AX-Controller(config-slb service group)#member dns-1:53
AX-Controller(config-slb service group)#exit
AX-Controller(config)#slb virtual-server DNS_SrvA 10.10.10.100
AX-Controller(config-slb virtual-server)#port 53 udp
AX-Controller(config-slb virtual server-slb virtua...)#service-group sg-1
AX-Controller(config-slb virtual server-slb virtua...)#gslb-enable
AX-Controller(config-slb virtual server-slb virtua...)#exit
AX-Controller(config-slb virtual server)#exit

The following commands configure the service IP addresses. The VIP address and virtual port number of the virtual server in the site AX Series device’s SLB configuration are used as the service IP address and port number on the GSLB AX Series device.

AX-Controller(config)#gslb service-ip servicevip1 2.1.1.10
AX-Controller(config-gslb service ip)#port 80 tcp
AX-Controller(config-gslb service ip)#exit
AX-Controller(config)#gslb service-ip servicevip2 3.1.1.10
AX-Controller(config-gslb service ip)#port 80 tcp
AX-Controller(config-gslb service ip)#exit

The following command loads the IANA file into the geo-location database:

AX-Controller(config)#gslb geo-location load iana

The following commands configure the sites. For each site SLB device, enter the IP address of the AX Series device that provides SLB at the site. For the VIP server names, enter the service IP name specified above.

AX-Controller(config)#gslb site usa
AX-Controller(config-gslb site)#slb-dev ax-a 2.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip1
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit
AX-Controller(config)#gslb site asia
AX-Controller(config-gslb site)#slb-dev ax-b 3.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip2
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit

The following commands configure the GSLB zone:

AX-Controller(config)#gslb zone a10.com
AX-Controller(config-gslb zone)#service http www
AX-Controller(config-gslb zone-gslb service)#cname www.a10.co.cn
AX-Controller(config-gslb zone-gslb service)#geo-location China www.a10.co.cn
AX-Controller(config-gslb zone-gslb service)#exit
AX-Controller(config-gslb zone)#exit

At the configuration level for the service (www), the CNAME www.a10.co.cn is configured, and the CNAME is associated with geo-location China. If a client’s IP address is in the range for the China geo-location, GSLB sends the CNAME www.a10.co.cn in the DNS reply.

The following command enables the GSLB protocol:

AX-Controller(config)#gslb protocol enable controller

Configuration on Site AX Device AX-A

The following commands configure SLB on site AX device AX-A in Figure 113 on page 336:

Site-AX-A(config)#slb server www 2.1.1.2
Site-AX-A(config-real server)#port 80 tcp
Site-AX-A(config-real server-node port)#exit
Site-AX-A(config-real server)#exit
Site-AX-A(config)#slb server www2 2.1.1.3
Site-AX-A(config-real server)#port 80 tcp
Site-AX-A(config-real server-node port)#exit
Site-AX-A(config-real server)#exit
Site-AX-A(config)#slb service-group www tcp
Site-AX-A(config-slb service group)#member www:80
Site-AX-A(config-slb service group)#member www2:80
Site-AX-A(config-slb service group)#exit
Site-AX-A(config)#slb virtual-server www 2.1.1.10
Site-AX-A(config-slb virtual server)#port 80 http
Site-AX-A(config-slb virtual server-slb virtua...)#service-group www
Site-AX-A(config-slb virtual server-slb virtua...)#exit
Site-AX-A(config-slb virtual server)#exit

Note: The virtual server IP address must be the same as the GSLB service IP address configured on the GSLB AX device.

The following command enables the GSLB protocol:

Site-AX-A(config)#gslb protocol enable device

Configuration on Site AX Device AX-B

The following commands configure SLB and enable the GSLB protocol on site AX device AX-B:

Site-AX-B(config)#slb server www 3.1.1.2
Site-AX-B(config-real server)#port 80 tcp
Site-AX-B(config-real server-node port)#exit
Site-AX-B(config-real server)#exit
Site-AX-B(config)#slb server www2 3.1.1.3
Site-AX-B(config-real server)#port 80 tcp
Site-AX-B(config-real server-node port)#exit
Site-AX-B(config-real server)#exit
Site-AX-B(config)#slb service-group www tcp
Site-AX-B(config-slb service group)#member www:80
Site-AX-B(config-slb service group)#member www2:80
Site-AX-B(config-slb service group)#exit
Site-AX-B(config)#slb virtual-server www 3.1.1.10
Site-AX-B(config-slb virtual server)#port 80 http
Site-AX-B(config-slb virtual server-slb virtua...)#service-group www
Site-AX-B(config-slb virtual server-slb virtua...)#exit

Site-AX-B(config-slb virtual server)#exit
Site-AX-B(config)#gslb protocol enable device

GUI Example

Configuration on the GSLB AX Device (GSLB Controller)

Configure a Health Monitor for the DNS Proxy

1. Select Config > Service > Health Monitor.
2. On the menu bar, select Health Monitor.
3. Click Add.
4. Enter a name for the monitor in the Name field.
5. On the Method tab, select DNS from the Type drop-down list.
6. In the Domain field, enter the domain name. (Generally, this is the same as the GSLB zone name you will configure.)

Configure the DNS Proxy

1. Select Config > Service > GSLB.
2. On the menu bar, select DNS Proxy.
3. Click Add.
4. Begin configuring the proxy:
   a. Enter a name for the proxy in the Name field.
   b. In the IP Address field, enter the IP address that will be advertised as the authoritative DNS server for the GSLB zone.
      Note: The GUI will not accept the configuration if the IP address you enter here is the same as the real DNS server IP address you enter when configuring the service group for this proxy.
   c. In the Service Group drop-down list, select “create” to create a service group. The Service Group tab appears. (See Figure 115 on page 401.)
   d. Configure the service group (below).
   e. On the GSLB Port tab, click Add. The GSLB Port tab appears.

5. Configure the service group:
   a. Enter the service group information. For this example, enter the following:
      • Name – gslb-proxy-sg-1
      • Port type – UDP
      • Load-balancing metric (algorithm) – Round-Robin
      • Health Monitor – “default”
   b. On the Server tab, enter the DNS server’s real IP address in the Server field, and enter the DNS port number in the port field.
   c. Click Add. (See Figure 116 on page 402.)
   d. Click OK. The Proxy tab reappears. In the service drop-down list, the service group you just configured is selected. (See Figure 117 on page 402.)
6. Finish configuration of the proxy:
   a. On the GSLB Port tab, click Add. The GSLB Port tab appears.
   b. Click OK. The GSLB Port tab reappears. The DNS port appears in the list. (See Figure 118 on page 403.)
   c. Click OK. The DNS proxy appears in the DNS Proxy table. (See Figure 119 on page 403.)

FIGURE 115 Configure > Service > GSLB > DNS Proxy

FIGURE 116 Configure > Service > GSLB > DNS Proxy - service group configuration

FIGURE 117 Configure > Service > GSLB > DNS Proxy - service group selected

FIGURE 118 Configure > Service > GSLB > DNS Proxy - GSLB port configured

FIGURE 119 Configure > Service > GSLB > DNS Proxy - DNS proxy configured

Load the IANA Geo-location Database

1. Select Config > Service > GSLB.
2. On the menu bar, select Geo-location > Import.
3. On the Load/Unload tab, enter “iana” in the File field. Leave the Template field blank.
4. Click Add.

Configure Services

1. Select Config > Service > GSLB.
2. On the menu bar, select Service IP.
3. Click Add.

4. Enter the service name and IP address. For this example, enter the following:
   • Name – servicevip1
   • IP Address – 2.1.1.10 (This is the VIP address of a site. Configure a separate GSLB service IP for each SLB VIP.)
5. Optionally, assign an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.
6. Add the service port(s):
   a. Click Add.
   b. Enter the port number and select the protocol (TCP or UDP). If needed, select a health monitor. For this example, add TCP port 80 and leave the health monitor unselected.
   c. Click OK. The service port appears in the service port list. (See Figure 120 on page 404.)
7. Click OK.
8. Repeat for each service IP.

FIGURE 120 Config > Service > GSLB > Service IP

Configure Sites

1. Select Config > Service > GSLB.
2. On the menu bar, select Site.
3. Click Add.
4. Enter the site name.
5. On the SLB-Device tab, enter information about the AX devices that provide SLB for the site:
   a. Enter a name for the device.
   b. Enter the IP address at which the GSLB AX device will be able to reach the site AX device.
   c. To add a service to this SLB device, select it from the drop-down list in the VIP server section and click Add. Repeat for each service.
      For this example, enter the following:
      • Name – AX-A
      • IP Address – 2.1.1.1 (This is the IP address of the site AX device that provides SLB for the site.)
      • GSLB Service – Add a service IP by selecting it from the drop-down list and clicking Add.
   d. Click Add.
6. On the IP-Server tab, add services to the site. Select a service from the drop-down list and click Add. Repeat for each service. For this example, add “servicevip1” to site “usa”.
7. To manually map a geo-location name to the site, enter the geo-location name on the Geo-location tab and click Add.
8. Click OK. The site appears in the Site table.

FIGURE 121 Configure > Service > GSLB > Site - SLB Device

FIGURE 122 Configure > Service > GSLB > Site - site parameters selected

Configure a Zone

1. Select Config > Service > GSLB.
2. On the menu bar, select Zone.
3. Click Add.
4. Enter the zone name in the Name field.
5. Add the services:
   a. On the Service tab, click Add. (See Figure 123 on page 408.) The service configuration tabs appear.
   b. In the Service field, enter a name for the service (for example, “www”).
   c. Select the service type from the Port drop-down list.
   d. Configure additional options, if applicable to your deployment. (See Table 8, “GSLB Parameters,” on page 378.)
   e. Click OK.
   f. Repeat for each service.
6. Click OK. The zone appears in the GSLB zone list.

FIGURE 123 Configure > Service > GSLB > Zone

FIGURE 124 Configure > Service > GSLB > Zone

Enable the GSLB Protocol

1. Select Config > Service > GSLB.
2. On the menu bar, select Global.
3. Select Enabled next to Run GSLB as Controller.
4. Click OK.

Configuration on Site AX Devices

SLB configuration is the same with or without GSLB, and is not described here. To enable the AX device to run GSLB as a site AX device, perform the following steps on each site AX device:

1. Select Config > Service > GSLB.
2. On the menu bar, select Global.
3. Select Enabled next to Run GSLB as Site SLB Device.
4. Click OK.


RAM Caching

Overview

You can use the AX device as a transparent cache server, along with the device’s many other uses. The RAM Cache is a high-performance, in-memory Web cache that by default caches HTTP responses (RFC 2616 compliant). The RAM Cache can store a variety of static and dynamic content and serve this content instantly and efficiently to a large number of users, eliminating unnecessary overhead.

Caching of HTTP content reduces the number of Web server transactions and hence the load on the servers. Caching of dynamic content reduces the latency and the computation cost of generating dynamic pages by application servers and database servers. Caching can also result in significant reduction in page download time and in bandwidth utilization. RAM caching is especially useful for high-demand objects on a website, for static content such as images, and when used in conjunction with compression to store compressed responses.

RFC 2616 Support

In general, AX RAM caching conforms with the cache requirements described in RFC 2616, “Hypertext Transfer Protocol -- HTTP/1.1”, in sections 13 and 14. AX RAM caching considers HTTP responses with the following status codes to be cacheable:
• 200 – OK
• 203 – Non-Authoritative Response
• 300 – Multiple Choices
• 301 – Moved Permanently
• 302 – Found (Only if Expires header is also present)
• 410 – Gone
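The status-code list above, together with the Content-Length rule and the host-verification behaviour described in the rest of this section, defines which responses the RAM Cache may store and how it indexes them. The following Python is an added example, not A10 code and not a description of the AX implementation: it shows the admission decision (cacheable status, 302 only with an Expires header, no Content-Length means no caching) and the cache key with and without host verification, using the section's www.abc.com / www.xyz.com example. The RamCache class, its method names and the sample responses are constructed for the illustration; the "www." stripping follows the section's "/index.html" and "abc.com" example.

```python
# Added example (not A10's code): RAM Cache admission rule and cache key
# from the RFC 2616 Support and host verification text. Sample responses
# are constructed; nothing here is read from an AX device.
CACHEABLE_STATUS = {200, 203, 300, 301, 410}


def is_cacheable(status, headers):
    """True if a response with this status and header set may be stored:
    the listed status codes, 302 only when Expires is present, and never
    without a Content-Length header."""
    h = {k.lower(): v for k, v in headers.items()}
    if "content-length" not in h:
        return False
    if status == 302:
        return "expires" in h
    return status in CACHEABLE_STATUS


def cache_key(host, uri, host_verification=False):
    """Without host verification only the URI indexes the cache, so
    name-based virtual hosts on one IP share entries. With it, the host
    (minus a leading "www.", as in the abc.com example) is part of the key."""
    if not host_verification:
        return (uri,)
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return (host, uri)


class RamCache:
    def __init__(self, host_verification=False):
        self.host_verification = host_verification
        self._store = {}

    def put(self, host, uri, status, headers, body):
        """Store the response if the admission rule allows it."""
        if not is_cacheable(status, headers):
            return False
        self._store[cache_key(host, uri, self.host_verification)] = body
        return True

    def get(self, host, uri):
        return self._store.get(cache_key(host, uri, self.host_verification))


def demo():
    """Replay the www.abc.com / www.xyz.com example with and without
    host verification (constructed 200 OK response)."""
    headers = {"Content-Length": "5"}
    shared = RamCache(host_verification=False)
    shared.put("www.abc.com", "/index.html", 200, headers, b"abc!!")
    verified = RamCache(host_verification=True)
    verified.put("www.abc.com", "/index.html", 200, headers, b"abc!!")
    return {
        # same content served for the other virtual host
        "xyz_without_verification": shared.get("www.xyz.com", "/index.html"),
        # miss: indexed by both "/index.html" and "xyz.com"
        "xyz_with_verification": verified.get("www.xyz.com", "/index.html"),
        "abc_with_verification": verified.get("www.abc.com", "/index.html"),
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the case to watch on a VIP that fronts several name-based virtual hosts: with host verification off, a response cached for one host name is returned for any other host name that shares the IP address and URI, so content from one site can surface on another. Enabling host verification makes the host name part of the index and turns that cross-host hit into a miss.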

However, if there is no Content-Length header, the response will not be cached. Warning headers are not supported.

Dynamic Caching

You can enhance RAM caching performance with dynamic RAM caching. Dynamic RAM caching is useful in situations where the response to a client request can be used multiple times before the response expires. Here are some examples where dynamic RAM caching is beneficial:
• The same response is usable by multiple users within a certain period of time. In this case, dynamic RAM caching is useful even if the cache expiration period is very small, if enough users access the response within that period. For example, dynamic RAM caching is beneficial for a hierarchical directory that is generated dynamically but presents the same view to all users that request it.
• The response is usable by only a single user, but the user accesses it multiple times. For example, the response generated in one session can be used unchanged in a second session.

Host Verification

RAM caching has an optional host verification feature. By default, host verification is disabled. When the AX device receives the server response for cacheable content, the AX device caches the content along with the URI, but not the host name. For example, for http://www.abc.com/index.html, the AX device caches the content and "/index.html" but does not cache "abc.com". If another request is received, for http://www.xyz.com/index.html, the AX device serves the same content.

If you enable host verification, the AX device caches the host name along with the URI. For example, for http://www.abc.com/index.html, the AX device caches the content, "/index.html", and "abc.com". If a new request is received, for http://www.xyz.com/index.html, the AX device checks the cache for content indexed by both "/index.html" and "xyz.com". The AX device serves the content to the client only if the content was cached for "xyz.com".

Host verification supports multiple name-based virtual hosts. Name-based virtual hosts are host names that share the same IP address. For example, the real server IP address 192.168.209.34 could be shared by the following virtual hosts:
• www.abc.com
• www.xyz.com

RAM Caching Notes

• In the current release, compressed responses from real servers are not supported.
• RAM caching can be used with compression on the same virtual port. In this case, compressed objects are cached and served to clients. The AX device will serve compressed objects from the cache even if a client request does not contain the "Accept-Encoding" HTTP header to indicate willingness to accept compressed content. This should not affect current Web browsers, since they accept compressed content by default. However, if a client is running an old browser that does not accept compressed content, the AX device will send compressed content anyway.
• The AX device caches responses that contain the "Vary: Accept-Encoding" header. However, the AX device will cache a response that has a Vary header only if the header's value is Accept-Encoding ("Vary: Accept-Encoding"). Responses that have a Vary header with any other value are considered to be non-cacheable and therefore are not cached.
• The AX device does not support the HTTP header "Cache-Control: only-if-cached" directive.
• In the current release, sessions served from the RAM cache increment the TCP Half Open counter in show session command output. This can cause the dynamic Syn-Cookie feature (on models AX 2200, AX 3100, and AX 3200) to be activated prematurely.

Support for no-cache and max-age=0 Cache-Control Headers

According to RFC 2616, either of the following Cache-Control headers in a request should make the cache (the AX device) reload the cached object from the origin server:
• Cache-Control: no-cache
• Cache-Control: max-age=0

However, for security, support for these headers is disabled by default. These headers can make the AX device vulnerable to Denial of Service (DoS) attacks, because any client can force the cache to fetch from the origin server on every request. To enforce strict RFC compliance, you can enable support for the headers.
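The admission rules above (cacheable status codes, the Expires requirement for 302, the Content-Length requirement, Vary only with Accept-Encoding, the content size limits, host verification, and the default-off handling of no-cache / max-age=0) can be checked against sample traffic with the following model. This is an added example written for this guide, not A10 code: it is a small in-memory cache that applies the documented rules, with the min/max content sizes taken from the template defaults described in the CLI section (500 and 50000 bytes). The sample requests and responses are constructed; the key used for host verification is the full Host value presented by the client, which is an assumption of the model.

```python
"""Model of the RAM-cache admission rules from this section (added example, not A10 code)."""
from dataclasses import dataclass, field

# Status codes the section lists as cacheable.
CACHEABLE_STATUS = {200, 203, 300, 301, 302, 410}


@dataclass
class Request:
    host: str
    uri: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cacheability(resp, max_content_size=50000, min_content_size=500):
    """Return 'ok' or the first documented reason the response is not cached."""
    if resp.status not in CACHEABLE_STATUS:
        return "status %d not cacheable" % resp.status
    if resp.status == 302 and header(resp.headers, "Expires") is None:
        return "302 without Expires"
    length = header(resp.headers, "Content-Length")
    if length is None:
        return "no Content-Length"
    vary = header(resp.headers, "Vary")
    if vary is not None and vary.strip().lower() != "accept-encoding":
        return "Vary: %s" % vary
    size = int(length)
    if size > max_content_size:
        return "content too big"
    if size < min_content_size:
        return "content too small"
    return "ok"


def wants_reload(req, accept_reload_req):
    """no-cache / max-age=0 force an origin fetch only when accept-reload-req is on.

    Off by default in the section because honouring it lets any client make the
    cache hit the origin on every request (a DoS vector against the servers).
    """
    if not accept_reload_req:
        return False
    cc = header(req.headers, "Cache-Control") or ""
    directives = {d.strip().lower() for d in cc.split(",")}
    return "no-cache" in directives or "max-age=0" in directives


class RamCache:
    def __init__(self, verify_host=False, accept_reload_req=False):
        self.verify_host = verify_host
        self.accept_reload_req = accept_reload_req
        self.entries = {}

    def key(self, req):
        # Without verify-host only the URI is indexed, so "/index.html" cached for
        # one host is served for any other host. With it, the Host value is part of
        # the key (assumption: the full Host header value is used).
        return (req.host, req.uri) if self.verify_host else (None, req.uri)

    def lookup(self, req):
        if wants_reload(req, self.accept_reload_req):
            return None  # treat as a miss so the origin is consulted
        return self.entries.get(self.key(req))

    def store(self, req, resp):
        reason = cacheability(resp)
        if reason == "ok":
            self.entries[self.key(req)] = resp
        return reason


def demo():
    """Constructed sample traffic exercising each rule; returns a result map."""
    ok = Response(200, {"Content-Length": "1024"}, b"x" * 1024)
    r = {}
    r["ok"] = cacheability(ok)
    r["no_length"] = cacheability(Response(200, {}, b""))
    r["vary_ua"] = cacheability(Response(200, {"Content-Length": "1024", "Vary": "User-Agent"}, b""))
    r["vary_ae"] = cacheability(Response(200, {"Content-Length": "1024", "Vary": "Accept-Encoding"}, b""))
    r["302_no_expires"] = cacheability(Response(302, {"Content-Length": "600", "Location": "/x"}, b""))
    r["too_small"] = cacheability(Response(200, {"Content-Length": "100"}, b""))

    shared = RamCache(verify_host=False)
    shared.store(Request("www.abc.com", "/index.html"), ok)
    r["shared_hit"] = shared.lookup(Request("www.xyz.com", "/index.html")) is not None

    strict = RamCache(verify_host=True)
    strict.store(Request("www.abc.com", "/index.html"), ok)
    r["verified_hit"] = strict.lookup(Request("www.xyz.com", "/index.html")) is not None

    reload_req = Request("www.abc.com", "/index.html", {"Cache-Control": "max-age=0"})
    r["reload_default"] = shared.lookup(reload_req) is not None
    reloading = RamCache(accept_reload_req=True)
    reloading.store(Request("www.abc.com", "/index.html"), ok)
    r["reload_enabled"] = reloading.lookup(reload_req) is not None
    return r
```

Running demo() shows the two host-verification outcomes side by side (the shared cache serves www.abc.com's page to www.xyz.com; the verifying cache does not) and shows that a max-age=0 request is served from cache unless accept-reload-req is enabled.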

Configuring RAM Caching

To configure RAM caching:
1. Add the real servers that serve the content to be cached, if not already configured.
2. Configure a service group and add the real servers to it.
3. Configure a cache template with settings for the type and size of content to be cached.
4. Optionally, configure dynamic caching policies.
5. Configure the virtual server, if not already configured, and bind the service group and cache template to the service ports for which caching will be provided.

USING THE GUI

To Configure RAM Caching
1. Select Config > Service > Template.
2. On the menu bar, select Application > RAM Caching.
3. Click on the template name or click Add to create a new one.
4. Enter a name for the template, if you are creating a new one.
5. Enter or change any settings for which you do not want to use the default settings.
6. To configure dynamic caching policies, use the applicable set of steps below.

To configure a cache policy:
a. In the URI field, enter the portion of the URI string to match on.
b. Select Cache from the Action drop-down list. The Duration field appears.
c. To override the aging period, specify the number of seconds in the Duration field. By default, the content is cached for the number of seconds specified in the Age field of the RAM Caching tab.
d. Click Add.

To configure a no-cache policy:
a. In the URI field, enter the portion of the URI string to match on.
b. Select No Cache from the Action drop-down list.
c. Click Add.

To configure an invalidate policy:
a. In the URI field, enter the portion of the URI string to match on. For example, to invalidate "/list" objects when the URL contains "/add", enter "/add" (without the quotation marks).
b. Select Invalidate from the Action drop-down list. The Pattern field appears.
c. Enter the portion of the URL string on which to match.
d. Click Add.
7. Click OK.

To Monitor RAM Caching

Use the following options:
• Monitor > Service > Application > RAM Caching > Details
• Monitor > Service > Application > RAM Caching > Objects
• Monitor > Service > Application > RAM Caching > Replacement

The Details menu option displays RAM caching statistics. The Objects option displays cached entries. The Replacement option shows entry replacement information.

To Export Web Log Archives
1. Select Monitor > Service > Application.
2. On the menu bar, select RAM Caching > Logs. The list of log archive files appears.
3. Click on the checkbox next to the filename of each log file you want to export.
4. Click Export.

To delete log archive files, click the checkbox next to each file you want to delete, and click Delete.

USING THE CLI

The commands for configuring the real servers, service group, and virtual server are the same as those used for configuring other types of SLB. These configuration items have no commands or options specific to RAM caching.

To configure a RAM caching template, use the following commands:

[no] slb template cache template-name

Enter this command at the global configuration level of the CLI. The command changes the CLI to the configuration level for the template, where the following commands specific to RAM caching are available:

[no] accept-reload-req

This command enables support for the following Cache-Control headers:
• Cache-Control: no-cache
• Cache-Control: max-age=0
When support for these headers is enabled, either header causes the AX device to reload the cached object from the origin server.

[no] age seconds

This command specifies how long a cached object can remain in the AX RAM cache without being requested. You can specify 1-999999 seconds (about 11-1/2 days). The default is 3600 seconds (1 hour).

[no] default-policy-nocache

This command changes the default cache policy in the template from cache to nocache. When you use the default no-cache policy, the only content that is cached is cacheable content whose URI matches an explicit cache policy. This option gives you tighter control over content caching.

[no] max-cache-size MB

This command specifies the size of the AX RAM cache. You can specify 1-512 MB. The default is 10 MB. The total size of all RAM caches combined can be 512 MB on systems with 2 GB of memory and 1024 MB on systems with 4 GB of memory. (To display the amount of memory your system has, enter the show version command.)

[no] max-content-size bytes

This command specifies the maximum object size that can be cached. The AX device will not cache objects larger than this size. You can specify 1-8000000 bytes (8 MB). The default is 50000 bytes (50 Kbytes).

[no] min-content-size bytes

This command specifies the minimum object size that can be cached. The AX device will not cache objects smaller than this size. You can specify 1-8000000 bytes (8 MB). The default is 500 bytes (1/2 Kbyte).

[no] replacement-policy LFU

This command specifies the policy used to make room for new objects when the RAM cache is full. The policy supported in the current release is Least Frequently Used (LFU). When the RAM cache becomes more than 90% full, the AX device discards the least-frequently used objects to ensure there is sufficient room for new objects. This is the default behavior and is the only supported option in the current release.

Dynamic Caching Command

Dynamic caching is performed using caching policies. To configure a caching policy, use the following command at the configuration level for a RAM caching template:

[no] policy uri pattern {cache [seconds] | nocache | invalidate inv-pattern}

The pattern option specifies the portion of the URI string to match on. The other options specify the action to take for URIs that match the pattern:
• cache [seconds] – Caches the content. By default, the content is cached for the number of seconds configured in the template (set by the age command). To override the aging period set in the template, specify the number of seconds with the cache command.
• nocache – Does not cache the content.
• invalidate inv-pattern – Invalidates the content that has been cached for inv-pattern.

If a URI matches the pattern in more than one policy command, the policy command with the most specific match is used.

Host Verification Command

[no] verify-host

This command enables the AX device to cache the host name in addition to the URI for cached content. Use this command if a real server that contains cacheable content will host more than one host name (for example, www.abc.com and www.xyz.com).

Show Commands

To display client sessions that are using cached content, use the following command:
show session

To display RAM caching statistics, use the following command:
show slb cache

To display cached objects, use the following command:
show slb cache entries vip-name port-num

To clear RAM caching statistics counters, use the following command:
clear slb cache stats [vip-name port-num]

To clear cached objects, use the following command:
clear slb cache entries vip-name port-num

To display RAM caching memory usage, use the following command:
show slb cache memory-usage

CLI CONFIGURATION EXAMPLES

Basic Configuration

The commands in this example enable RAM caching for virtual service port TCP 80 on VIP "cached-vip". In this example, the default template settings are used.

The following commands add a RAM caching template.

AX(config)#slb template cache ramcache
AX(config-RAM caching template)#exit

The following commands configure the real servers.

AX(config)#slb server 192.168.90.34
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server 192.168.90.35
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

The following commands configure the service group.

AX(config)#slb service-group cached-group
AX(config-slb service group)#member 192.168.90.34:80
AX(config-slb service group)#member 192.168.90.34:443
AX(config-slb service group)#member 192.168.90.35:80
AX(config-slb service group)#member 192.168.90.35:443

The following commands configure the virtual server and bind the RAM caching template and the service group to virtual HTTP service port 80.

AX(config)#slb virtual-server cached-vip 10.10.10.101
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group cached-group
AX(config-slb virtual server-slb virtua...)#template cache ramcache

The following command shows client sessions. Asterisks ( * ) in the Reverse Source and Reverse Dest fields indicate that the AX device directly served the requested content to the client from the AX RAM cache. In this case, the session is actually between the client and the AX device rather than the real server.

AX(config-slb virtual server-slb virtua...)#show session
Traffic Type                  Total
--------------------------------------------
TCP Established               4328
TCP Half Open                 39026
UDP                           0
Non TCP/UDP IP sessions       0
Other                         0
Reverse NAT TCP               0
Reverse NAT UDP               0
Free Buff Count               0

Curr Free Conn   Conn Count   Conn Freed   tcp syn half open
1923655          5287134      5113720      0

Prot  Forward Source      Forward Dest     Reverse Source  Reverse Dest  Age
--------------------------------------------------------------------------------------
Tcp   10.10.10.60:9239    10.10.10.11:80   *               *             600
Tcp   10.10.10.57:9233    10.10.10.10:80   *               *             600
Tcp   10.10.10.61:1838    10.10.10.10:80   *               *             600
Tcp   10.10.10.62:55613   10.10.10.11:80   *               *             600
Tcp   10.10.10.65:47834   10.10.10.11:80   *               *             600
Tcp   10.10.10.61:25058   10.10.10.11:80   *               *             600

The following command shows RAM caching statistics.

AX(config-slb virtual server-slb virtua...)#show slb cache
                              Total
--------------------------------------------------------------
Cache Hits                    0
Cache Misses                  6
Memory Used                   27648
Entries Cached                6
Entries Replaced              0
Entries Aged Out              0
Entries Cleaned               0
Total Requests                6
Cacheable Requests            6
No-cache Requests             0
No-cache Responses            0
Revalidation Successes        0
Revalidation Failures         0
Content Too Big               0
Content Too Small             0
Cache add skips               0
Entry create failures         0
Double enqueues               0
Double deletes (hlist)        0
Double deletes (list)         0

The following command shows cached objects.

AX#show slb cache entries cached-vip 80
cahed-vip:80
Host          Object URL             Bytes   Status   Expires in
--------------------------------------------------------------------------------------
10.20.0.120   /static4K/4K8661.txt   4310    FR       2968 s
10.20.0.120   /static4K/4K8662.txt   4325    FR       2968 s
10.20.0.120   /static4K/4K8663.txt   4325    FR       2968 s

The Status column indicates the status. In this example, all entries are fresh (FR). For more information, see the AX Series CLI Reference.

Dynamic Caching Configuration

Here is an example application of dynamic RAM caching. Web site x.y.com displays a frequently requested list page, and also serves private pages to individual clients based on additional requests from clients. Clients also can add or delete content on the list page.

http://x.y.com/list
http://x.y.com/private?user=u1
http://x.y.com/add?a=p1&b=p2
http://x.y.com/del?c=p3

Dynamic RAM caching policies can be used to effectively manage caching for this site. The /list URI is visited by many users and therefore should be cached, so long as the content is current. However, the /private URI contains private data for a specific user, and should not be cached. The /add and /del URLs modify the content of the list page. When either type of URI is observed by the AX device, the currently cached content for the /list URI should be invalidated, so that new requests for the URI are not served with a stale page.

The following commands implement the dynamic RAM caching configuration described above.

AX(config)#slb template cache ram-cache
AX(config-RAM caching template)#policy uri /list cache 3000
AX(config-RAM caching template)#policy uri /private nocache
AX(config-RAM caching template)#policy uri /add invalidate /list
AX(config-RAM caching template)#policy uri /del invalidate /list

The policy that matches on "/list" caches content for 50 minutes. The policy that matches on "/private" does not cache content. The policies that match on "/add" and "/del" invalidate the cached "/list" content.

Configuration To Flush Specific Cache Entries

If you need to flush specific entries from the RAM cache, you can do so using an invalidate policy. Here is an example:

AX(config)#slb template cache ram-cache
AX(config-RAM caching template)#policy uri /story cache 3600
AX(config-RAM caching template)#policy uri /flush invalidate /story

This policy is configured to flush (invalidate) all cached entries that have "/story" in the URI. The policy is activated when a request is received with the URI "/flush".
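The policy command described under "Dynamic Caching Command", the x.y.com list-page example, and the /flush example above can all be traced through with the following simulation. It is an added example for this guide, not A10 code; the CacheTemplate class models a template's age, default-policy-nocache setting and policy list and replays a constructed request sequence against it. Two details the section does not spell out are assumptions here: a policy pattern matches when it appears anywhere in the request URI, and "most specific match" is taken to mean the longest matching pattern. A request whose URI matches an invalidate policy is passed through uncached, which is also an assumption.

```python
"""Simulation of RAM-caching policy evaluation (added example, not A10 code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    pattern: str                      # "policy uri <pattern> ..."
    action: str                       # "cache", "nocache" or "invalidate"
    seconds: Optional[int] = None     # "cache [seconds]" override of the template age
    inv_pattern: Optional[str] = None # "invalidate <inv-pattern>"


class CacheTemplate:
    def __init__(self, age=3600, default_policy_nocache=False):
        self.age = age                                   # "age seconds", default 3600
        self.default_policy_nocache = default_policy_nocache
        self.policies = []
        self.entries = {}                                # uri -> expiry time (seconds)

    def policy_uri(self, pattern, action, arg=None):
        if action == "cache":
            self.policies.append(Policy(pattern, "cache", seconds=arg))
        elif action == "nocache":
            self.policies.append(Policy(pattern, "nocache"))
        elif action == "invalidate":
            self.policies.append(Policy(pattern, "invalidate", inv_pattern=arg))
        else:
            raise ValueError("unknown action %r" % action)

    def match(self, uri):
        # Assumption: substring match, longest pattern wins ("most specific match").
        hits = [p for p in self.policies if p.pattern in uri]
        return max(hits, key=lambda p: len(p.pattern)) if hits else None

    def request(self, uri, now, cacheable=True):
        """Replay one request at time `now`; return what the cache did with it."""
        expiry = self.entries.get(uri)
        if expiry is not None and expiry <= now:   # aged out
            del self.entries[uri]
            expiry = None
        if expiry is not None:
            return "hit"
        pol = self.match(uri)
        if pol is None:
            action = "nocache" if self.default_policy_nocache else "cache"
            ttl = self.age
        elif pol.action == "invalidate":
            # Drop every cached entry whose URI contains inv-pattern.
            doomed = [u for u in self.entries if pol.inv_pattern in u]
            for u in doomed:
                del self.entries[u]
            return "invalidated:%d" % len(doomed)
        else:
            action = pol.action
            ttl = pol.seconds if pol.seconds is not None else self.age
        if action == "cache" and cacheable:
            self.entries[uri] = now + ttl
            return "miss-cached"
        return "miss-nocache"


def demo_list_site():
    """The x.y.com example: /list cached 3000 s, /private never, /add and /del flush /list."""
    t = CacheTemplate(age=3600)
    t.policy_uri("/list", "cache", 3000)
    t.policy_uri("/private", "nocache")
    t.policy_uri("/add", "invalidate", "/list")
    t.policy_uri("/del", "invalidate", "/list")
    return [
        t.request("/list", 0),               # first visit fills the cache
        t.request("/list", 10),              # served from cache
        t.request("/private?user=u1", 20),   # nocache policy
        t.request("/private?user=u1", 21),   # still not cached
        t.request("/add?a=p1&b=p2", 30),     # invalidates /list
        t.request("/list", 31),              # refilled from origin
        t.request("/list", 31 + 3000),       # 50-minute override has elapsed
    ]


def demo_flush():
    """The /flush example on a template with default-policy-nocache set."""
    t = CacheTemplate(default_policy_nocache=True)
    t.policy_uri("/story", "cache", 3600)
    t.policy_uri("/flush", "invalidate", "/story")
    return [
        t.request("/story/1", 0),   # explicit cache policy
        t.request("/other", 1),     # no policy, template default is nocache
        t.request("/story/1", 2),   # hit
        t.request("/flush", 3),     # flushes every /story entry
        t.request("/story/1", 4),   # refilled
    ]
```

The second sequence shows why default-policy-nocache is the tighter setting: /other is never cached because no policy names it, whereas on a default-cache template it would be cached for the template age.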

High Availability

This chapter describes High Availability (HA) and how to configure it.

Overview

High Availability (HA) is an AX feature that provides AX-level redundancy to ensure continuity of service to clients. In HA configurations, AX devices are deployed in pairs. If one AX device in the HA pair becomes unavailable, the other AX device takes over.

Note: Both AX devices in an HA pair should be the same model and should be running the same software version. Using different AX models or different software versions in an HA pair is not supported.

You can configure either of the following types of HA:
• Active-Standby – One AX device is the primary SLB device for all virtual services on which HA is enabled. The other AX device is a hot Standby for the virtual services. Active-Standby is supported on AX devices deployed in transparent mode or route mode.
• Active-Active – Each AX device is the primary SLB device for some of the configured virtual services, and is a hot Standby for the other configured virtual services. Active-Active is supported only on AX devices that are deployed in route mode.

Layer 3 Active-Standby HA

Figure 125 shows an example of an Active-Standby configuration.

FIGURE 125 Active-Standby HA

In this example, each AX device provides SLB for two virtual servers, VIP1 and VIP2. Each AX device has the following HA configuration elements:
• HA ID – The HA ID of AX1 is 1 and the HA ID of AX2 is 2. An AX device must have an HA ID, which can be 1 or 2. The ID must be different on each AX device. The ID can be used as a tie breaker to select the Active AX device. (See "How the Active AX Device Is Selected" on page 440.)
• HA group – HA group 1 is configured on each AX device. Both VIPs on each AX device are members of the HA group. An AX device can have up to 31 HA groups. Each HA group must be configured with a priority. The priority can be used as a tie breaker to select the Active AX device for a VIP.
• Session synchronization – Also called connection mirroring, session synchronization sends information about active client sessions to the Standby AX device. If a failover occurs, the client sessions are maintained without interruption.

(For a complete list of configurable HA parameters, see "HA Configuration Parameters" on page 445.)

Layer 3 Active-Active HA

Figure 126 shows an example of an Active-Active configuration.

FIGURE 126 Active-Active HA

In the Active-Active configuration, only one AX is active for a given VIP, as in the Active-Standby configuration. But unlike the Active-Standby configuration, the same AX device does not need to be the Active AX device for all the VIPs. Instead, each of the AX devices can be the Active AX device for some VIPs. In this example, AX1 is Active for VIP2 and AX2 is Active for VIP1.

This configuration is similar to the configuration for Active-Standby shown in Figure 125, with the following exceptions:
• Both HA groups are configured on each of the AX devices. In Active-Standby, only a single HA group is configured.
• On each AX device, one of the VIPs is assigned to HA group 1 and the other VIP is assigned to HA group 2.
• The priority values have been set so that each HA group has a higher priority on one AX device than it does on the other AX device. In this example, HA group 1 has a higher priority on AX2, whereas HA group 2 has a higher priority on AX1.
• On both AX devices, HA pre-emption is enabled. HA pre-emption enables the devices to use the HA group priority values to select the Active and Standby AX device for each VIP. Without HA pre-emption, the AX selection is based on which of the AX devices comes up first.

Layer 2 Active-Standby HA (Inline Deployment)

AX devices support Layer 2 hot standby inline deployment. Inline deployment allows you to insert a pair of AX devices into an existing network without the need to reconfigure other devices in the network. Inline support applies specifically to network topologies where inserting a pair of AX switches would cause a Layer 2 loop, as shown in this example.

FIGURE 127 Topology Supported for Layer 2 Inline HA Deployment

In this example, a pair of routers configured as a redundant pair route traffic between clients and servers. The redundant router pair can be implemented using Virtual Router Redundancy Protocol (VRRP), Extreme Standby Router Protocol (ESRP), or another equivalent router redundancy protocol.

Each real server is connected to the router pair through a Layer 2 switch. The network does not have any Layer 2 loops because the Layer 2 switches are not connected directly together, and the routers do not forward Layer 2 traffic. Neither the Layer 2 switches nor the routers are running Spanning Tree Protocol (STP).

If a pair of AX switches in transparent mode are added, the AX switches can add redundant Layer 2 paths, which cause Layer 2 loops. To prevent loops in this deployment, you can enable HA inline mode on the AX devices. Inline mode automatically blocks redundant paths through the Standby AX device, without the need to enable STP on any devices and without making any configuration changes on the other devices in the network.

Ver. Not supported for Active-Active HA.: D-030-01-00-0006 . Do not configure more than one HA group on an AX running in inline mode. • Inline mode is designed for one HA group in Hot-Standby mode. 430 of 702 P e r f o r m a n c e b y D e s i g n Document No. 2.AX Series .2 11/11/2009 .0.Configuration Guide Overview FIGURE 128 Layer 2 Inline HA Deployment Restrictions • Supported for Active-Standby HA deployments only.

• In order to prevent Layer 2 loops in a Layer 2 hot-standby environment, the Standby AX does not forward traffic. In addition, the Active AX in the HA pair is designed to not forward packets destined for the Standby AX. Depending on the network topology, certain traffic to the Standby AX might be dropped if it must first pass through the Active AX.
• IPv6 traffic is not supported.

Preferred HA Port

When you enable inline mode on an AX, the AX uses a preferred HA port for session synchronization and for management traffic between the AX devices in the HA pair. Management traffic between AX devices includes any of the following types of traffic:
• Telnet
• SSH
• Ping

Optionally, you can designate the preferred HA port when you enable inline mode. If no preferred HA port is specified in the configuration, or that port is down, the first HA interface that comes up on the AX is used as the preferred HA port. In Figure 128 on page 430, Ethernet interface 5 on each AX has been configured as the preferred HA port.

The AX selects the Active AX device's preferred HA port as follows:
1. Is a preferred port specified with the inline configuration, and is the port up? If so, use the port.
2. If no preferred HA port is specified, or that port is down, the HA interface with the lowest port number is used.
3. If the preferred HA port selected by 1. or 2. above goes down, the HA interface with the next-lowest port number is used. If that port also goes down, the next-lowest is used, and so on.

HA heartbeat messages are not restricted to the preferred HA port. Heartbeat messages are sent out all HA interfaces unless you disable the messages on specific interfaces.

For example, if you use the CLI on one AX to ping the other AX, the ping packets are sent only on the preferred HA port. Likewise, the other AX sends the ping reply only on its preferred HA port.

Ver. it drops the traffic. the active router (the one on the left) uses the MAC entries it has learned on its link with AX1 to reach downstream devices. if the transition from Active to Standby does not involve failure of the router's link with AX1. you can enable HA port restart. On model AX 2000 or AX 2100. Port Restart When a transition from Standby to Active occurs because the formerly Active AX device becomes unavailable. the router does not flush its learned MAC entries on the link. if you administratively force a failover by changing the HA configurations of the AX devices and enabling HA pre-emption.2 11/11/2009 . To ensure that devices connected to the formerly Active AX flush their learned MAC entries on their links with AX1. the other devices that are directly connected to the unavailable AX detect that their links to the AX have gone down. For example. the router continues to have MAC addresses through this link. then re-enabling the ports. thereby causing reachability issues. otherwise. Note: 432 of 702 P e r f o r m a n c e b y D e s i g n Document No. waiting for a specified number of milliseconds. In this case. in Figure 128 on page 430. 2. This is so that heartbeat messages between the AX devices are maintained. However.Configuration Guide Overview Note: The preferred port must be added as an HA interface and heartbeat messages must be enabled on the interface. Since AX1 is now the Standby. the router might continue to send traffic for downstream devices through the router's link with AX1. flapping might occur. Toggling the ports causes the links to go down. which in turn causes the devices on the other ends of the links to flush their learned MAC entries on the links. If the link with AX1 goes down. while AX1 is still Active.: D-030-01-00-0006 . the link between the router and AX1 remains up. As a result. The devices then flush their cached MAC entries on the down links.AX Series . 
The devices then can relearn MACs through links with the newly Active AX. the router flushes the MAC entries. Note: You must omit at least one port connecting the AX devices from the restart port-list.0. HA port restart toggles a specified set of ports on the formerly Active AX by disabling the ports. This mechanism is applicable when the link with AX1 goes down. The router then relearns the MAC addresses on the link with AX2 when it becomes the Active AX. A10 recommends that you do not include Fiber ports in the restart port list. For example.

Layer 3 Active-Standby HA (Inline Deployment)

Inline mode HA is also supported for AX devices deployed in route mode (Layer 3). Layer 3 HA for inline mode is beneficial in network topologies where the AX interfaces with the clients and real servers are in the same subnet. Figure 129 shows an example.

FIGURE 129 Inline Mode for Layer 3 HA

In this example, each AX device has multiple Ethernet ports connected to the clients, and multiple Ethernet ports connected to the servers. On each AX device, all these Ethernet interfaces are configured as a single Virtual Ethernet (VE) interface with a single IP address. The routers, both AX devices, and the servers are all in the same subnet.

Normally, this topology would introduce a traffic loop. However, the HA inline mode prevents loops by logically blocking through traffic on the standby AX device. Spanning Tree Protocol (STP) is not required in order to prevent loops.

A dedicated link between the AX devices is used for HA management traffic. In this example, the dedicated link is in another subnet.

Comparison to Layer 2 Inline Mode

Layer 3 inline configuration is similar to Layer 2 inline mode configuration, with the following exceptions:
• Layer 3 inline mode does not require designation of a preferred port or configuration of port restart.
• CPU processing must be enabled on the Ethernet interfaces that will receive server replies to client requests. CPU processing is required on these interfaces in order to change the source IP address from the server's real IP address back into the VIP address.

Restrictions

• Supported for Active-Standby HA deployments only. Not supported for Active-Active HA.
• Inline mode is designed for one HA group in Hot-Standby mode. Do not configure more than one HA group on an AX running in inline mode.
• In order to prevent Layer 2 loops in a Layer 2 hot-standby environment, the Standby AX does not forward traffic. In addition, the Active AX in the HA pair is designed to not forward packets destined for the Standby AX. Depending on the network topology, certain traffic to the Standby AX might be dropped if it must first pass through the Active AX.
• IPv6 traffic is not supported.

HA Messages

The AX devices in an HA pair communicate their HA status with the following types of messages:
• HA heartbeat messages
• Gratuitous ARP requests and replies

HA Heartbeat Messages

Each of the AX devices regularly sends HA heartbeat messages out its HA interfaces. The Standby AX device listens for the heartbeat messages. If the Standby AX device stops receiving heartbeat messages from the Active AX device, the Standby AX device transitions to Active and takes over networking and SLB operations from the other AX device.

By default, heartbeat messages are sent every 200 milliseconds. If the Standby AX device does not receive a heartbeat message for 1 second (5 times the heartbeat interval), the Standby AX device transitions to Active. The heartbeat interval and retry count are configurable. (See "HA Configuration Parameters" on page 445.)

Gratuitous ARPs

When an AX transitions from Standby to Active, the newly Active AX device sends gratuitous ARP requests and replies (ARPs) for the IP address under HA control. Devices that receive the ARPs learn that the MAC address for the AX HA pair has moved, and update their forwarding tables accordingly.

Gratuitous ARPs are sent for the following types of addresses:
• Virtual server IP addresses, for the VIPs that are assigned to an HA group
• Floating IP address, if configured
• NAT pool IP addresses, for NAT pools assigned to an HA group

The Active AX device sends the gratuitous ARPs immediately upon becoming the Active AX device. To make sure ARPs are being received by the target addresses, the AX device re-sends the ARPs 4 additional times, at 500-millisecond intervals. After this, the AX device sends gratuitous ARPs every 30 seconds to keep its IP information current. The ARP retry count is configurable. (See "HA Configuration Parameters" on page 445.)
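The timing rules above (heartbeat interval in 100 ms units, retry count, failover after retry count times the interval, one gratuitous ARP followed by 4 more at 500 ms and then one every 30 seconds) are worked through in the following Python model. This is an added example, not A10 code or output from an AX device; the function names are my own, the heartbeat arrival times are constructed, and the assumption that the 30-second cycle starts 30 seconds after the last ARP of the initial burst is mine.

```python
"""Model of the AX HA heartbeat timeout and gratuitous-ARP schedule.

Added example (not A10 code). Reproduces the arithmetic stated in the text:
failover is declared after retry_count * heartbeat_interval with no heartbeat,
and a newly Active device sends one gratuitous ARP at once, arp_retry more at
500 ms intervals, then one every 30 s.
"""
from typing import List, Optional

HEARTBEAT_UNIT_MS = 100          # "ha time-interval" is given in 100 ms units (Table 10)
ARP_RETRY_INTERVAL_MS = 500      # re-send interval stated in the text
ARP_STEADY_INTERVAL_MS = 30_000  # steady-state gratuitous ARP interval stated in the text


def failover_timeout_ms(interval_units: int = 2, retry_count: int = 5) -> int:
    """Milliseconds without a heartbeat before the Standby transitions to Active.

    Defaults are the documented ones: 200 ms interval (2 units) x 5 retries = 1000 ms.
    """
    if not 1 <= interval_units <= 255:
        raise ValueError("ha time-interval must be 1-255 (units of 100 ms)")
    if not 2 <= retry_count <= 255:
        raise ValueError("ha timeout-retry-count must be 2-255")
    return interval_units * HEARTBEAT_UNIT_MS * retry_count


def standby_transition_time(heartbeat_rx_ms: List[int],
                            interval_units: int = 2,
                            retry_count: int = 5,
                            observe_until_ms: int = 10_000) -> Optional[int]:
    """Time (ms) at which a Standby that saw heartbeats at the given times fails over.

    Returns None when every gap between heartbeats, and the tail up to
    observe_until_ms, stays within the timeout (the Active is considered alive).
    The Standby's timer is assumed to start at t=0 when HA comes up (my assumption).
    """
    timeout = failover_timeout_ms(interval_units, retry_count)
    prev = 0
    for t in sorted(heartbeat_rx_ms):
        if t - prev > timeout:          # gap exceeded before this heartbeat arrived
            return prev + timeout
        prev = t
    if observe_until_ms - prev > timeout:
        return prev + timeout
    return None


def gratuitous_arp_schedule(arp_retry: int = 4, horizon_ms: int = 65_000) -> List[int]:
    """Send times (ms after becoming Active) of gratuitous ARPs within the horizon.

    The first ARP is sent immediately, then arp_retry more at 500 ms spacing; the
    30 s cycle is assumed to start 30 s after the last ARP of that burst.
    """
    if not 1 <= arp_retry <= 255:
        raise ValueError("ha arp-retry must be 1-255")
    burst = [i * ARP_RETRY_INTERVAL_MS for i in range(arp_retry + 1)]
    steady = []
    t = burst[-1] + ARP_STEADY_INTERVAL_MS
    while t <= horizon_ms:
        steady.append(t)
        t += ARP_STEADY_INTERVAL_MS
    return burst + steady


if __name__ == "__main__":
    # Constructed sample: heartbeats every 200 ms, then the Active goes silent after 2000 ms.
    rx = [200 * i for i in range(1, 11)]
    print("timeout ms:", failover_timeout_ms())
    print("standby becomes active at ms:", standby_transition_time(rx))
    print("gratuitous ARPs at ms:", gratuitous_arp_schedule())
```

With the defaults the constructed trace gives a failover at 3000 ms, one heartbeat-timeout after the last heartbeat at 2000 ms; raising `ha timeout-retry-count` lengthens that window, which is the trade-off between tolerating a lossy heartbeat path and detecting a dead peer quickly.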

HA Interfaces

When configuring HA, you specify each of the interfaces that are HA interfaces. An HA interface is an interface that is connected to an upstream router, a real server, or the other AX device in the HA pair. Changes to the state of an HA interface can trigger a failover.

Note: A maximum of 16 HA interfaces are supported on an AX device.

HA heartbeat messages can be sent only on HA interfaces. Optionally, you can disable the messages on individual interfaces. When you configure an HA interface that is a tagged member of one or more VLANs, you must specify the VLAN on which to send the heartbeat messages. If the heartbeat messages from one AX device to the other will pass through a Layer 2 switch, the switch must be able to pass UDP IP multicast packets.

By default, the HA state of an interface can be Up or Down. Optionally, you can specify the HA interface type as one of the following:
• Server interface – A real server can be reached through the interface.
• Router interface – An upstream router (and ultimately, clients) can be reached through the interface.
• Both – Both a server and upstream router can be reached through the interface.

If you specify the HA interface type, the HA status of the AX device is based on the status of the AX link with the real server and/or upstream router. The HA status can be one of the following:
• Up – All configured HA router and server interfaces are up.
• Partially Up – Some HA router or server interfaces are down but at least one server link and one router link are up.
• Down – All router interfaces, or all server interfaces, or both are down. The status also is Down if both router interfaces and server interfaces are not configured and an HA interface goes down.

If both types of interfaces (router interfaces and server interfaces) are configured, the HA interfaces for which a type has not been configured are not included in the HA interface status determination.

During selection of the active AX, the AX with the highest state becomes the active AX and all HA interfaces on that AX become active. For example, if one AX is UP and the other AX is only Partially Up, the AX that is UP becomes the active AX.

If each AX has the same state, the active AX is selected as follows:
• If HA pre-emption is disabled (the default), the first AX to come up is the active AX.
• If HA pre-emption is enabled, the AX with the higher HA group priority becomes active for that group. If the group priorities on the two AX devices are also the same, the AX that has the lowest HA ID (1 or 2) becomes active.

For Active-Standby configurations, use only one group ID. For Active-Active configurations, use multiple group IDs and assign VIPs to different groups, and assign a separate HA priority to each.

Note: You can configure up to 31 HA groups on an AX.

Session Synchronization

HA session synchronization sends information about active client sessions to the Standby AX device. If a failover occurs, the client sessions are maintained without interruption. Session synchronization is optional. Without it, a failover causes client sessions to be terminated.

Session synchronization applies primarily to Layer 4 sessions. Session synchronization does not apply to DNS sessions. Since these sessions are typically very short lived, there is no benefit to synchronizing them. Likewise, session synchronization does not apply to static NAT sessions. Synchronization of these sessions is not needed since the newly Active AX device will create a new flow for the session following failover.

Session synchronization can be enabled on individual virtual ports. To enable session synchronization, see "Enabling Session Synchronization" on page 476.

Session synchronization is required for config sync. Config sync uses the session synchronization link. (For more information, see "Synchronizing Configuration Information" on page 477.)

Note: Session synchronization is also called "connection mirroring".
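The status rules in "HA Interfaces" and the selection rules just given (highest HA state wins; on a tie, boot order without pre-emption, group priority with pre-emption, then lowest HA ID) are modelled in the following Python example. It is an added example, not A10 code; the class and function names are my own, the two devices and their link states are constructed, and only the two cases the text defines are modelled (both interface types configured, or no types at all); a configuration with only one type raises an error rather than guessing.

```python
"""Model of AX HA status from typed HA interfaces, and of Active selection.

Added example, not A10 code. Follows the rules in "HA Interfaces" and the
selection rules that follow it; names are my own.
"""
from dataclasses import dataclass
from typing import List, Optional

# Ordered so that a higher index is a "higher" HA state.
HA_STATES = ["Down", "Partially Up", "Up"]


@dataclass
class HaInterface:
    port: int
    up: bool
    kind: Optional[str] = None  # "router", "server", "both", or None (no type configured)

    def is_router(self) -> bool:
        return self.kind in ("router", "both")

    def is_server(self) -> bool:
        return self.kind in ("server", "both")


def ha_status(interfaces: List[HaInterface]) -> str:
    """Up / Partially Up / Down for one AX device, per the HA Interfaces rules."""
    if len(interfaces) > 16:
        raise ValueError("at most 16 HA interfaces are supported")
    routers = [i for i in interfaces if i.is_router()]
    servers = [i for i in interfaces if i.is_server()]
    if not routers and not servers:
        # No types configured: any HA interface going down makes the status Down.
        return "Down" if any(not i.up for i in interfaces) else "Up"
    if not (routers and servers):
        # Only one type configured: the text does not define this case, so refuse.
        raise ValueError("model requires both router and server interfaces, or neither")
    # Both types configured: untyped interfaces are excluded from the determination.
    router_up = [i for i in routers if i.up]
    server_up = [i for i in servers if i.up]
    if len(router_up) == len(routers) and len(server_up) == len(servers):
        return "Up"
    if not router_up or not server_up:
        return "Down"          # all router links, or all server links, are down
    return "Partially Up"      # some down, but at least one of each is up


@dataclass
class AxDevice:
    ha_id: int                    # 1 or 2
    interfaces: List[HaInterface]
    group_priority: int           # priority of the HA group being selected (1-255)
    boot_order: int               # lower value came up first (constructed attribute)

    def status(self) -> str:
        return ha_status(self.interfaces)


def select_active(a: AxDevice, b: AxDevice, preemption: bool = False) -> int:
    """Return the HA ID of the device that becomes Active for the group."""
    sa, sb = HA_STATES.index(a.status()), HA_STATES.index(b.status())
    if sa != sb:
        return a.ha_id if sa > sb else b.ha_id                  # highest state wins
    if not preemption:
        return a.ha_id if a.boot_order < b.boot_order else b.ha_id  # first to come up
    if a.group_priority != b.group_priority:
        return a.ha_id if a.group_priority > b.group_priority else b.ha_id
    return min(a.ha_id, b.ha_id)                                 # tie: lowest HA ID


# Constructed sample: AX1 has one server link down, AX2 is fully up; port 5 is
# the untyped HA link between the devices and does not count towards status.
AX1 = AxDevice(1, [HaInterface(1, True, "router"), HaInterface(2, True, "router"),
                   HaInterface(3, False, "server"), HaInterface(4, True, "server"),
                   HaInterface(5, True)], group_priority=255, boot_order=0)
AX2 = AxDevice(2, [HaInterface(1, True, "router"), HaInterface(2, True, "router"),
                   HaInterface(3, True, "server"), HaInterface(4, True, "server"),
                   HaInterface(5, True)], group_priority=1, boot_order=1)

if __name__ == "__main__":
    print(AX1.status(), "/", AX2.status(), "-> active HA ID",
          select_active(AX1, AX2, preemption=True))
```

In the constructed sample AX1 holds the higher priority and came up first, yet AX2 becomes Active: a Partially Up state loses to Up before priority or boot order is ever consulted, which is the reason the text recommends typing the interfaces so the state reflects real reachability.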

Optional Failover Triggers

In addition to HA interface-based failover, you can configure failover based on any of the following:
• Inactive VLAN (VLAN-based failover)
• Unresponsive gateway router (gateway-based failover)
• Unresponsive real servers (VIP-based failover)

VLAN-based Failover

You can enable HA checking for individual VLANs. When HA checking is enabled for a VLAN, the active AX device in the HA pair monitors traffic activity on the VLAN. If there is no traffic on the VLAN for half the duration of a configurable timeout, the AX device attempts to generate traffic by issuing ping requests to servers if configured, or broadcast ARP requests through the VLAN. If the AX device does not receive any traffic on the VLAN before the timeout expires, a failover occurs.

The timeout can be 2-600 seconds. You must specify the timeout. Although there is no default, A10 recommends trying 30 seconds.

This HA checking method provides a passive means to detect network health, whereas heartbeat messages are an active mechanism. You can use either or both methods to check VLAN health. If you use both methods on a VLAN, A10 recommends that you specify an HA checking interval (timeout) that is much longer than the heartbeat interval.

For a configuration example, see "VLAN-Based Failover Example" on page 471.

Gateway-based Failover

Gateway-based failover uses ICMP health monitors to check the availability of the gateways. If any of the active AX device's gateways fails a health check, the AX device changes its HA status to Down. If the HA status of the other AX device is higher than Down, a failover occurs. Likewise, if the gateway becomes available again and all gateways pass their health checks, the AX device recalculates its HA status according to the HA interface counts. If the new HA status of the AX device is higher than the other AX device's HA status, a failover occurs.

Configuration of gateway-based failover requires the following steps:
1. Configure a health monitor that uses the ICMP method.
2. Configure the gateway as an SLB real server and apply the ICMP health monitor to the server.
3. Enable HA checking for the gateway.

For a configuration example, see "Gateway-Based Failover Example" on page 472.

VIP-based Failover

VIP-based failover allows service for a VIP to be transferred from one AX device in an HA pair to the other AX device based on HA status changes of the real servers.

When you configure an HA group ID, you also specify its priority. If HA pre-emption is enabled, the HA group's priority can be used to determine which AX device in the HA pair becomes the Active AX for the HA group. In this case, the AX device that has a higher value for the group's priority becomes the Active AX device for the group.

If you enable the dynamic HA option on a virtual server and a real server becomes unavailable, the AX device reduces the HA priority of the group assigned to the virtual server. (A real server is unavailable if it is marked Down by the AX device because the server failed its health check.) If the priority value is reduced to a value that is lower than the group's priority value on the other AX device in the HA pair, and HA pre-emption is enabled, service of the virtual server is failed over to the other AX device.

When a real server becomes available again, the weight value that was subtracted from the HA group's priority is re-added. If this results in the priority value being higher than on the other AX device, the virtual server is failed over again to the AX device with the higher priority value for the group.

Note: Configure the same HA group ID on any floating IP addresses or Source IP NAT pools used by the virtual server. For example, if you assign a virtual server to HA group 31, also assign any floating IP addresses and IP Source NAT pools used by the virtual server to HA group 31.

For a configuration example, see "VIP-Based Failover Example" on page 474.
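The following Python model replays the VIP-based failover behaviour described above: each real server a device marks Down subtracts the configured server weight from that device's priority for the VIP's HA group, the weight is re-added when the server returns, and the VIP moves only when pre-emption is enabled. It is an added example, not A10 code; the function names, the base priorities, the weight and the event sequence are constructed, and the choices to clamp the priority at 0 and to track health-check results per device (each AX runs its own health checks) are my assumptions.

```python
"""Model of VIP-based (dynamic) HA priority adjustment.

Added example, not A10 code; names and the scenario are mine. Servers are
tracked per device because each AX runs its own health checks (assumption).
"""
from typing import Dict, List, Tuple


def effective_priority(base_priority: int, server_weight: int, servers_down: int) -> int:
    """Group priority after subtracting the weight once per unavailable real server.

    The page gives no lower bound, so the value is clamped at 0 here (assumption).
    """
    if not 1 <= base_priority <= 255:
        raise ValueError("HA group priority must be 1-255")
    if not 1 <= server_weight <= 255:
        raise ValueError("ha-dynamic server-weight must be 1-255")
    if servers_down < 0:
        raise ValueError("servers_down cannot be negative")
    return max(0, base_priority - server_weight * servers_down)


def active_for_vip(priorities: Dict[int, int], current_active: int, preemption: bool) -> int:
    """HA ID serving the VIP, given adjusted priorities keyed by HA ID.

    Without pre-emption, priority changes never move the VIP. With it, the
    higher priority wins and a tie goes to the lower HA ID.
    """
    if not preemption:
        return current_active
    best = max(priorities.values())
    return min(h for h, p in priorities.items() if p == best)


def simulate(base: Dict[int, int], weight: int,
             events: List[Tuple[int, str]], preemption: bool = True) -> List[Tuple[Dict[int, int], int]]:
    """Replay (ha_id, "down"|"up") health-check events seen by each device.

    Returns, per event, the adjusted priorities and the HA ID serving the VIP.
    The starting owner is taken to be the device with the higher base priority
    (a constructed starting point for the replay).
    """
    down = {h: 0 for h in base}
    active = active_for_vip(base, min(base), True)
    trace = []
    for ha_id, event in events:
        if event not in ("down", "up"):
            raise ValueError(f"unknown event {event!r}")
        down[ha_id] += 1 if event == "down" else -1
        pri = {h: effective_priority(base[h], weight, down[h]) for h in base}
        active = active_for_vip(pri, active, preemption)
        trace.append((pri, active))
    return trace


# Constructed scenario: AX1 prefers the group (200 vs 100), server weight 60.
BASE = {1: 200, 2: 100}
EVENTS = [(1, "down"), (1, "down"), (1, "up")]

if __name__ == "__main__":
    for pri, active in simulate(BASE, 60, EVENTS):
        print(pri, "-> VIP served by AX", active)
```

With these constructed values one server outage (200 - 60 = 140) leaves the VIP on AX1, a second outage (80 < 100) moves it to AX2, and the recovery (140 again) moves it back; with pre-emption disabled the same events leave the VIP where it started, which is why the text requires pre-emption for this trigger. Choosing the weight so that a single server failure does not already cross the other device's priority avoids needless flapping.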

How the Active AX Device Is Selected

In Active-Standby configurations, only one AX device is Active and the other is the Standby. After you configure HA, the Active AX device is selected using the process shown in Figure 130.

FIGURE 130 Initial Selection of Active AX Device

After initial selection of the Active AX device, that device remains the Active AX device unless one of the following events occurs:
• The Standby AX device stops receiving HA heartbeat messages from the Active AX device.
• The HA interface status of the Active AX device becomes lower than the HA interface status of the Standby AX device.
• VLAN-based failover is configured and the VLAN becomes inactive.

• Gateway-based failover is configured and the gateway becomes unavailable.
• HA pre-emption is enabled, and the configured HA priority is changed to be higher on the Standby AX device.

Figure 131 shows the events that can cause an HA failover.

FIGURE 131 HA Failover

HA Pre-Emption

By default, a failover occurs only in the following cases:
• The Standby AX device stops receiving HA heartbeat messages from the other AX device in the HA pair.
• HA interface state changes give the Standby AX device a better HA state than the Active AX device. (See "HA Interfaces" on page 436.)
• VLAN-based failover is configured and the VLAN becomes inactive. (See "VLAN-based Failover" on page 438.)
• Gateway-based failover is configured and the gateway becomes unavailable. (See "Gateway-based Failover" on page 438.)
• VIP-based failover is configured and the unavailability of real servers causes the Standby AX to have the greater HA priority for the VIP's HA group. (See "VIP-based Failover" on page 439.)

By default, failover does not occur due to HA configuration changes to the HA priority. To enable the AX devices to failover in response to changes in priority, enable HA pre-emption. When pre-emption is enabled, the AX device with the higher HA priority becomes the Active AX device. If the HA priority is equal on both AX devices, then the AX device with the lower HA ID (1) becomes the Active AX device.

HA Sets

Optionally, you can provide even more redundancy by configuring multiple sets of HA pairs. Each HA pair can be used to handle a different set of real servers. Each pair is distinguished by an HA set ID. You can configure up to 7 HA sets. This feature is supported for Layer 2 and Layer 3 HA configurations.

FIGURE 132 Multiple HA Pairs

In this example, two HA pairs are configured. The set ID can be specified along with the HA ID. (For syntax information, see Table 10 on page 445.)

HA Configuration Parameters

Table 10 lists the HA parameters.

TABLE 10 HA Parameters

Global HA Parameters

Parameter: HA ID and HA set ID
Description and Syntax: HA ID of the AX device, and HA set to which the AX device belongs. The HA ID uniquely identifies the AX device within the HA pair. The HA set ID specifies the HA set to which the AX device belongs. This parameter is applicable to configurations that use multiple AX pairs.
  [no] ha id {1 | 2} [set-id num]
  Config > HA > Setting > HA Global - General tab
Supported Values: HA ID: 1 or 2. HA set ID: 1-7. Default: Neither parameter is set.

Parameter: HA group ID
Description and Syntax: Uniquely identifies the HA group on an individual AX device. The priority value can be used during selection of the Active AX device. (See "How the Active AX Device Is Selected" on page 440.)
  [no] ha group group-id priority num
  Config > HA > Setting > HA Global - Group tab
Supported Values: HA group ID: 1-31. Priority: 1 (low priority) to 255 (high priority). Default: not set.

Parameter: Floating IP address
Description and Syntax: IP address that downstream devices should use as their default gateway. The same address is shared by both AX devices in the HA pair. Regardless of which device is Active, downstream devices can reach their default gateway at this IP address.
  [no] floating-ip ipaddr ha-group group-id
  Config > HA > Setting > HA Global - Floating IP Address tab
Supported Values: Default: not set.

TABLE 10 HA Parameters (Continued)

Parameter: HA interfaces
Description and Syntax: Interfaces used for HA management. At least one HA interface must be specified. HA heartbeat messages are sent on HA interfaces, unless you use the option to disable the messages. If the interface is tagged, then a VLAN ID must be specified if heartbeat messages are enabled on the interface. If you specify the interface type (server, router, or both), changes to the interface state can control failover. (See "HA Interfaces" on page 436 and "How the Active AX Device Is Selected" on page 440.)
  [no] ha interface ethernet port-num [router-interface | server-interface | both] [no-heartbeat | vlan vlan-id]
  Config > Network > Interface > LAN - Select the interface and then click the HA tab.
Supported Values: AX Ethernet interfaces. Default: not set.

Parameter: VLAN-based HA
Description and Syntax: Enables the AX device to change its HA status based on the health of a VLAN. When HA checking is enabled for a VLAN, the active AX device in the HA pair monitors traffic activity on the VLAN. If there is no traffic on the VLAN for half the duration of a configurable timeout, the AX device attempts to generate traffic by issuing ping requests to servers if configured, or broadcast ARP requests through the VLAN. If the AX device does not receive any traffic on the VLAN before the timeout expires, a failover occurs.
  [no] ha check vlan vlan-id timeout seconds
  Config > HA > Setting > HA Global - Status Check tab
Supported Values: Valid VLAN ID. Default: not set. The timeout can be 2-600 seconds. Although there is no default timeout, A10 recommends trying 30 seconds.

Parameter: Gateway-based HA
Description and Syntax: Enables the AX device to change its HA status based on the health of a gateway router. If the gateway fails a Layer 3 (ICMP) health check, the AX device changes its HA status to Down. If the HA status of the other AX device is higher than Down, a failover occurs. Additional configuration is required. (See "Gateway-based Failover" on page 438.)
  [no] ha check gateway ipaddr
  Config > HA > Setting > HA Global - Status Check tab
Supported Values: IP address of the gateway. Default: not set.

TABLE 10 HA Parameters (Continued)

Parameter: Session synchronization (Also called "connection mirroring")
Description and Syntax: Enables the AX devices to share information about active client sessions. If a failover occurs, client sessions continue uninterrupted. The Standby AX device, when it becomes Active, uses the session information it received from the Active AX device before the failover to continue the sessions without terminating them. Session synchronization does not apply to DNS sessions. Since these sessions are typically very short lived, there is no benefit to synchronizing them. To enable session synchronization, specify the IP address of the other AX device in the HA pair. Note: This option also requires session synchronization to be enabled on the individual virtual service ports. (See "HA Parameters for Virtual Service Ports" below.)
  [no] ha conn-mirror ip ipaddr
  Config > HA > Setting > HA Global - General tab
Supported Values: IP address of the other AX device. Default: not set.

Parameter: Pre-emption
Description and Syntax: Controls whether failovers can be caused by configuration changes to HA priority or HA ID.
  [no] ha preemption-enable
  Config > HA > Setting > HA Global - General tab
Supported Values: Enabled or disabled. Default: disabled.

Parameter: HA heartbeat interval
Description and Syntax: Interval at which the AX device sends HA heartbeat messages on its HA interfaces.
  [no] ha time-interval 100-msec-units
  Config > HA > Setting > HA Global - General tab
Supported Values: 1-255 units of 100 milliseconds (ms) each. Default: 200 ms.

Parameter: Retry count
Description and Syntax: Number of HA heartbeat intervals the Standby device will wait for a heartbeat message from the Active AX device before failing over to become the Active AX device.
  [no] ha timeout-retry-count num
  Config > HA > Setting > HA Global - General tab
Supported Values: 2-255. Default: 5.

Parameter: ARP repeat count
Description and Syntax: Number of additional gratuitous ARPs, in addition to the first ones, an AX sends after transitioning from Standby to Active in an HA configuration.
  [no] ha arp-retry num
  Config > HA > Setting > HA Global - General tab
Supported Values: 1-255. Default: 4 additional gratuitous ARPs, for a total of 5.

TABLE 10 HA Parameters (Continued)

Global HA Parameters for Layer 2 Inline Mode

Parameter: Inline mode state
Description and Syntax: Enables Layer 2 inline mode and, optionally, specifies the HA interface to use for session synchronization and for management traffic between the AX devices. When inline mode is enabled, the preferred port is selected as described in "Preferred HA Port" on page 431.
  [no] ha inline-mode [preferred-port port-num]
  Config > HA > Setting - HA Inline Mode tab
Supported Values: Enabled or disabled. Default: disabled.

Parameter: Restart port list
Description and Syntax: List of Ethernet interfaces on the previously Active AX device to toggle (shut down and restart) following HA failover.
  [no] ha restart-port-list ethernet port-list
  Config > HA > Setting - HA Inline Mode tab
Supported Values: AX Ethernet interfaces. Default: not set.

Parameter: Port restart time
Description and Syntax: Amount of time interfaces in the restart port list remain disabled following a failover.
  [no] ha restart-time 100-msec-units
  Config > HA > Setting - HA Inline Mode tab
Supported Values: 1-100 units of 100 milliseconds (ms). Default: 20 units of 100 ms (2 seconds).

Global HA Parameters for Layer 3 Inline Mode

Parameter: Inline mode state
Description and Syntax: Enables Layer 3 inline mode.
  [no] ha l3-inline-mode
  Note: This option is not configurable using the GUI.
Supported Values: Enabled or disabled. Default: disabled.

HA Parameters for Virtual Servers

Parameter: HA group ID
Description and Syntax: HA group ID for a virtual server. This is required to enable HA for the VIP.
  [no] ha-group group-id
  Config > Service > SLB > Virtual Server - Select the HA group.
Supported Values: 1-31. Default: not set.

Parameter: Server weight
Description and Syntax: Weight value assigned to real servers bound to the virtual server. The weight is used for VIP-based failover. (See "VIP-based Failover" on page 439.)
  [no] ha-dynamic server-weight
  Config > Service > SLB > Virtual Server - Select the HA group, then select the Dynamic Server Weight.
Supported Values: 1-255. Default: not set.

TABLE 10 HA Parameters (Continued)

HA Parameters for Virtual Service Ports

Parameter: Session synchronization (Also called "connection mirroring")
Description and Syntax: Enables active client sessions on this virtual port to continue uninterrupted following a failover. Note: This option also requires session synchronization to be enabled globally. (See "Global HA Parameters" above.)
  [no] ha-conn-mirror
  Config > Service > SLB > Virtual Server - Port tab
Supported Values: Enabled or disabled. Default: disabled.

HA Parameters for Firewall Load Balancing (FWLB)

Note: For an example of an FWLB HA configuration, see "Firewall Load Balancing" on page 255.

Parameter: HA group ID
Description and Syntax: HA group ID for a virtual firewall or virtual firewall port.
  [no] ha-group group-id
  Config > Service > Firewall > Firewall Virtual Server (for virtual firewall)
  Config > Service > Firewall > Firewall Virtual Server - Port tab (for virtual firewall port)
Supported Values: 1-31. Default: not set.

Parameter: Session synchronization
Description and Syntax: Enables active client sessions on this virtual firewall port to continue uninterrupted following a failover. Note: This option also requires session synchronization to be enabled globally. (See "Global HA Parameters" above.)
  [no] ha-conn-mirror
  Config > Service > Firewall > Firewall Virtual Server (for virtual firewall)
  Config > Service > Firewall > Firewall Virtual Server - Port tab (for virtual firewall port)
Supported Values: Enabled or disabled. Default: disabled.

HA Parameters for IP Network Address Translation (NAT) Pools

Parameter: HA group ID
Description and Syntax: HA group ID for IP NAT. Option with the ip nat pool, ipv6 nat pool, or ip nat inside command:
  ha-group group-id
  Config > Service > IP Source NAT > IPv4 Pool
  Config > Service > IP Source NAT > IPv6 Pool
  Config > Service > IP Source NAT > NAT Range
Supported Values: 1-31. Default: not set.

Configuring Layer 3 HA

To configure Layer 3 HA:

1. Configure the following global HA parameters:
• HA ID
• HA group ID and priority. For an Active-Standby configuration, configure one group ID. For Active-Active, configure multiple HA group IDs.
• Floating IP address (optional)
• Session synchronization (optional)
• HA pre-emption (optional)
2. Configure the HA interfaces.
3. Add each virtual server to an HA group.
4. If IP NAT pools are configured, add each pool to an HA group.
5. If session synchronization is globally enabled, enable it on the individual virtual ports whose client sessions you want to synchronize.

USING THE GUI

Configuring Global HA Parameters

1. Select Config > HA > Setting.
2. Configure the global HA settings:
a. Select Enabled next to HA Status.
b. In the Identifier drop-down list, select the HA ID for the AX device.
c. To enable connection mirroring, enter the IP address of the other AX device in the HA Mirroring IP Address field.
Note: Enter the real IP address of the AX device, not the floating IP address that downstream devices will use as their default gateway address.
d. To enable pre-emption, select Enabled next to Preempt Status.
3. On the Group tab, configure HA group parameters:
a. Select HA group 1 from the Group Name drop-down list.
b. In the Priority field, enter the priority for HA group 1 and click Add.
c. If you are configuring Active-Active, select the next HA group from the Group Name drop-down list, enter its priority in the Priority field, and click Add. Repeat for each additional group used in the configuration.

4. On the Floating IP Address tab, configure the floating IP addresses for the HA groups.
a. Select an HA group from the Group Name drop-down list.
b. Select the address type (IPv4 or IPv6).
c. Enter the floating IP address for the group.
d. Click Add.
e. If you are configuring Active-Active, select the next HA group from the Group Name drop-down list, and repeat the previous steps.
5. Click OK.

Configuring HA Interfaces

1. Select Config > Network > Interface.
2. On the menu bar, select LAN. The list of the AX device's physical Ethernet data interfaces appears.
3. Perform the following steps for each HA interface. (For information, see "HA Interfaces" on page 436.)
a. Click on the interface number.
b. On the HA tab, select Enabled next to HA Enabled.
c. To specify the interface type, select one of the following or leave the setting None:
• Router-Interface
• Server-Interface
• Both
d. To enable HA heartbeat messages, select Enabled next to Heartbeat.
e. To restrict the HA heartbeat messages to a specific VLAN, enter the VLAN ID in the VLAN field.
f. Click OK.

Configuring HA Parameters on a Virtual Server

1. Select Config > Service > SLB.
2. On the menu bar, select Virtual Server.
3. Click on the virtual server name or click Add to add a new one.
4. On the General tab, select the HA group ID from the HA Group drop-down list.

Note: The Dynamic Server Weight option is used for VIP-based failover. For information, see "VIP-based Failover" on page 439.

5. Configure other general settings, not related to HA, if needed.
6. If you plan to use session synchronization (connection mirroring) for a service port:
a. On the Port tab, click Add to add a new virtual service port or select an existing port and click Edit. The Virtual Server Port tab appears.
b. Select Enabled next to HA Connection Mirror.
c. Click OK. The service port list re-appears.
Note: The GUI does not support enabling connection mirroring on some types of service ports. However, you can enable connection mirroring for these service types using the CLI.
7. Click OK to complete configuration of the virtual server.

HA Configuration of AX1

FIGURE 133 Config > HA > Setting > HA Global

FIGURE 134 Config > Service > SLB > Virtual Server (VIP1)

FIGURE 135 Config > Service > SLB > Virtual Server (VIP2)

HA Configuration of AX2

FIGURE 136 Config > HA > Setting

FIGURE 137 Config > Service > SLB > Virtual Server (VIP1)

FIGURE 138 Config > Service > SLB > Virtual Server (VIP2)

USING THE CLI

1. To configure the global HA parameters, use the following commands at the global configuration level of the CLI:

ha id {1 | 2} [set-id num]
ha group group-id priority num
floating-ip ipaddr ha-group group-id
ha interface ethernet port-num [router-interface | server-interface | both] [no-heartbeat | vlan vlan-id]
ha conn-mirror ip ipaddr
ha preemption-enable

2. To add a virtual server to an HA group, use the following command at the configuration level for the virtual server:

ha-group group-id

Use the same HA group ID for the same virtual server on both AX devices.

3. If IP NAT pools are configured, use the following option with the ip nat pool or ipv6 nat pool command:

ha-group group-id

4. If session synchronization is globally enabled, use the following command at the configuration level for the virtual port to enable session synchronization for the port:

ha-conn-mirror

(For the complete command syntax, see Table 10 on page 445.)

Commands on AX1

This example shows the CLI commands to implement the Active-Active configuration shown in Figure 126 on page 426.

The following commands configure the HA ID and HA groups. Since this is an Active-Active configuration, both HA groups are configured. The priority for group 1 is set to a low value. The same group will be set to a higher priority value on the other AX device. Likewise, the priority of group 2 is set to a high value on this AX device but will be set to a lower value on the other AX device. Later in the configuration, each virtual server will need to be added to one or the other of the HA groups.

AX1(config)#ha id 1
AX1(config)#ha group 1 priority 1
AX1(config)#ha group 2 priority 255

The following commands configure the floating IP addresses for each HA group. The real servers and the Layer 2 switches connected to them will need to be configured to use the floating IP addresses as their default gateways.

AX1(config)#floating-ip 10.10.10.1 ha-group 1
AX1(config)#floating-ip 10.10.10.100 ha-group 2

The following commands configure the HA interfaces. The interface types are specified, so that the HA state of the AX device can be more precisely calculated based on HA interface state. (See "HA Interfaces" on page 436.)

Heartbeat messages are disabled on all HA interfaces except the dedicated HA link between the AX devices.

AX1(config)#ha interface ethernet 1 router-interface no-heartbeat
AX1(config)#ha interface ethernet 2 router-interface no-heartbeat
AX1(config)#ha interface ethernet 3 server-interface no-heartbeat
AX1(config)#ha interface ethernet 4 server-interface no-heartbeat
AX1(config)#ha interface ethernet 5

The following command enables session synchronization (connection mirroring). The IP address is the real address of the other AX device. The feature also will need to be enabled on individual virtual ports, later in the configuration.

AX1(config)#ha conn-mirror ip 10.10.30.2

The following command enables HA pre-emption, to ensure that the Active and Standby for each virtual server are chosen based on the configuration. By default, when HA is first configured, Active and Standby are selected based on which AX device comes up first.

AX1(config)#ha preemption-enable

The following commands add each of the virtual servers to an HA group, and enable session synchronization on the virtual ports. (For brevity, this example does not show the complete SLB configuration, only the HA part of the SLB configuration.)

AX1(config)#slb virtual-server VIP1
AX1(config-slb virtual server)#ha-group 1
AX1(config-slb virtual server)#port 80 tcp
AX1(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX1(config-slb virtual server-slb virtua...)#exit
AX1(config-slb virtual server)#exit
AX1(config)#slb virtual-server VIP2
AX1(config-slb virtual server)#ha-group 2
AX1(config-slb virtual server)#port 80 tcp
AX1(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX1(config-slb virtual server-slb virtua...)#exit
AX1(config-slb virtual server)#exit

Commands on AX2

Here are the commands for AX2. The priority values for the groups are different from the values set on AX1, so that group 1 has higher priority on this AX device than on AX1. Likewise, the priority of group 2 is set so that its priority is higher on AX1.

AX2(config)#ha id 2
AX2(config)#ha group 1 priority 255
AX2(config)#ha group 2 priority 1

The floating IP addresses must be the same as the ones set on AX1.

AX2(config)#floating-ip 10.10.10.1 ha-group 1
AX2(config)#floating-ip 10.10.10.100 ha-group 2
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface no-heartbeat
AX2(config)#ha interface ethernet 4 server-interface no-heartbeat
AX2(config)#ha interface ethernet 5

The IP address for session synchronization is the address of AX1.

AX2(config)#ha conn-mirror ip 10.30.10.1
AX2(config)#ha preemption-enable

The HA configuration for virtual servers and virtual ports is identical to the configuration on AX1.

AX2(config)#slb virtual-server VIP1
AX2(config-slb virtual server)#ha group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX2(config-slb virtual server-slb virtua...)#exit
AX2(config-slb virtual server)#exit
AX2(config)#slb virtual-server VIP2
AX2(config-slb virtual server)#ha group 2
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX2(config-slb virtual server-slb virtua...)#exit
AX2(config-slb virtual server)#exit

Configuring Layer 2 HA (Inline Mode)

To configure Layer 2 HA:
1. Configure the following global HA parameters:
   • HA ID
   • HA group ID and priority. Configure only one group ID. Configure the same ID on both AX devices.
   • Floating IP address (optional)
   • Inline mode and optional preferred port
   • Restart port list and time (optional)
   • HA interfaces
   • Session synchronization (optional)
   • HA pre-emption (optional)
2. Add each virtual server to the HA group.
3. If session synchronization is globally enabled, enable it on the individual virtual ports whose client sessions you want to synchronize.
4. If IP NAT pools are configured, add each pool to the HA group.

Layer 2 Inline HA Configuration Example

The following configuration examples implement the deployment shown in Figure 128 on page 430. In addition to the inline features described in this section, the sample configuration also uses the following HA features:
• Identification of HA interface type: server or router – The interface types affect the AX device's summary link state for HA. (See "HA Interfaces" on page 436.)
• Session synchronization (also called "connection mirroring") – Existing client sessions remain up during a failover.
• Floating IP – The default gateway IP address used by the real servers is a floating IP address shared by the AX devices, rather than the IP address of the Active AX. Servers can still reach clients through their default gateway after an HA failover, without the need for the gateway address to be changed to the Standby AX device's address.

USING THE GUI

Configuring Global HA Parameters
1. Select Config > HA > Setting.
2. On the HA tab, configure the global settings:
   a. On the General tab, select Enabled next to HA Enabled.
   b. Select the HA ID for the AX device from the Identifier drop-down list.
   c. To enable pre-emption, select Yes next to Preempt Status.
   d. To enable connection mirroring, enter the IP address of the other AX device in the HA Mirroring IP Address field.
      Note: Enter the real IP address of the AX device, not the floating IP address that downstream devices will use as their default gateway address.
3. On the Group tab, configure HA group parameters:
   a. Select HA group 1 from the Group Name drop-down list.
   b. In the Priority field, enter the priority for HA group 1 and click Add.
4. On the Floating IP Address tab, configure the floating IP address for the HA group:
   a. Select HA group 1 from the Group Name drop-down list.
   b. Select the address type (IPv4 or IPv6).
   c. Enter the floating IP address for the group.
   d. Click Add.
5. Click OK.

Configuring HA Interface Parameters
1. Select Config > Network > Interface.
2. On the menu bar, select LAN. The list of the AX device's physical Ethernet data interfaces appears.
3. Perform the following steps for each HA interface. (For information, see "HA Interfaces" on page 436.)
   a. Click on the interface number.
   b. Select Yes next to HA Status.

   c. To enable HA heartbeat messages, select Enabled next to Heartbeat.
   d. To specify the interface type, select one of the following or leave the setting None:
      • Router-Interface
      • Server-Interface
      • Both
   e. To restrict the HA heartbeat messages to a specific VLAN, enter the VLAN ID in the VLAN field.
   f. Click OK.

Configuring Inline Parameters
1. Select Config > HA > Setting.
2. Select HA Inline Mode on the menu bar.
3. Select Enabled next to Inline Mode Status.
4. Select the preferred port.
5. In the Restart Port List section, select the HA interfaces.
6. Click >> to move them to the Selected list.
7. Click OK.

The following GUI screens configure HA on AX1 in Figure 128 on page 430.

FIGURE 139 Config > HA > Setting

FIGURE 140 Config > HA > Setting > HA Inline Mode

USING THE CLI

Commands on AX1

The following commands configure the HA ID and set the HA priority. HA priority is associated with an HA group. Since inline mode is supported only in Active-Standby configurations, only one HA group is used. Later in the configuration, the VIP is assigned to this HA group.

AX1(config)#ha id 1
AX1(config)#ha group 1 priority 255

The following command enables inline HA mode and specifies the preferred HA port.

AX1(config)#ha inline-mode preferred-port 5

The following commands configure the HA interfaces. Each interface that is connected to a server, a router, or the other AX can be configured as an HA interface. (Make sure to add the preferred HA port as one of the HA interfaces.)

AX1(config)#ha interface ethernet 1 router-interface no-heartbeat
AX1(config)#ha interface ethernet 2 router-interface no-heartbeat
AX1(config)#ha interface ethernet 3 server-interface
AX1(config)#ha interface ethernet 4 server-interface
AX1(config)#ha interface ethernet 5

The following command enables restart of the HA ports connected to the routers, to occur if the AX transitions to Standby.

AX1(config)#ha restart-port-list ethernet 1 to 2

The following command enables HA pre-emption mode, which causes failover to occur in response to administrative changes to the HA configuration. (For example, if you change the HA priority so that the other AX has higher priority, this will trigger a failover, but only if pre-emption mode is enabled.)

AX1(config)#ha preemption-enable

The following command specifies the IP address of the other AX, to use for session synchronization.

AX1(config)#ha conn-mirror ip 172.168.10.3

The following command configures the floating IP address for the real servers to use as their default gateway address.

AX1(config)#floating-ip 172.168.10.1 ha-group 1

The following commands configure a health method, real servers, a server group, and a VIP for an HTTP service.

AX1(config)#health monitor myHttp interval 10 retry 2 timeout 3
AX1(config-health:monitor)#method http url HEAD /index.html
AX1(config-health:monitor)#exit
AX1(config)#slb server s1 172.168.10.30
AX1(config-real server)#port 80 tcp
AX1(config-real server-node port)#health-check myHttp
AX1(config-real server-node port)#exit
AX1(config-real server)#exit
AX1(config)#slb server s2 172.168.10.31
AX1(config-real server)#port 80 tcp
AX1(config-real server-node port)#health-check myHttp
AX1(config-real server-node port)#exit
AX1(config-real server)#exit
AX1(config)#slb service-group g80 tcp
AX1(config-slb service group)#member s1:80
AX1(config-slb service group)#member s2:80
AX1(config-slb service group)#exit
AX1(config)#slb virtual-server v1 172.168.10.80
AX1(config-slb virtual server)#ha-group 1
AX1(config-slb virtual server)#port 80 tcp
AX1(config-slb virtual server-slb virtua...)#service-group g80
AX1(config-slb virtual server-slb virtua...)#ha-conn-mirror

Commands on AX2

Here are the commands for implementing HA on the standby AX, AX2. Most of the commands are the same as those on AX1, with the following exceptions:
• The HA ID is 2.
• The HA priority is 1.
• The session synchronization (conn-mirror) IP address is the address of the Active AX. (On the Active AX, the session synchronization IP address is the address of the Standby AX.)

AX2(config)#ha id 2
AX2(config)#ha group 1 priority 1
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface
AX2(config)#ha interface ethernet 4 server-interface

AX2(config)#ha interface ethernet 5
AX2(config)#ha inline-mode preferred-port 5
AX2(config)#ha restart-port-list ethernet 1 to 2
AX2(config)#ha preemption-enable
AX2(config)#ha conn-mirror ip 172.168.10.2
AX2(config)#floating-ip 172.168.10.1 ha-group 1
AX2(config)#health monitor myHttp interval 10 retry 2 timeout 3
AX2(config-health:monitor)#method http url HEAD /index.html
AX2(config-health:monitor)#exit
AX2(config)#slb server s1 172.168.10.30
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb server s2 172.168.10.31
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb service-group g80 tcp
AX2(config-slb service group)#member s1:80
AX2(config-slb service group)#member s2:80
AX2(config-slb service group)#exit
AX2(config)#slb virtual-server v1 172.168.10.80
AX2(config-slb virtual server)#ha-group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#service-group g80
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror

Configuring Layer 3 HA (Inline Mode)

To configure Layer 3 HA:
1. Configure the following global HA parameters:
   • HA ID
   • HA group ID and priority. Configure only one group ID. Configure the same ID on both AX devices.
   • Floating IP address (optional)
   • Inline mode
   • HA interfaces
   • Session synchronization (optional)
   • HA pre-emption (optional)
2. Enable CPU processing on the Ethernet interfaces that will receive server replies to client requests.
3. Add each virtual server to the HA group.
4. If session synchronization is globally enabled, enable it on the individual virtual ports whose client sessions you want to synchronize.
5. If IP NAT pools are configured, add each pool to the HA group.

Note: The GUI does not support configuration of Layer 3 inline mode in the current release.

USING THE CLI
1. To enable Layer 3 inline mode, use the following command at the global configuration level of the CLI:
   ha l3-inline-mode
2. To enable CPU processing on an interface, use the following command at the configuration level for the interface:
   cpu-process
   If the interface is part of a trunk, use the command on the lead interface of the trunk. (The lead interface of a trunk is the lowest-numbered interface in the trunk.)

Layer 3 Inline HA Configuration Example

The following configuration example implements the deployment shown in Figure 129 on page 433.

Commands on AX1

The following commands configure the interfaces. Since Ethernet interfaces 3 and 4 will receive server replies to client requests, CPU processing is enabled on those interfaces.

AX1(config)#interface ethernet 1
AX1(config-if:ethernet1)#enable
AX1(config-if:ethernet1)#interface ethernet 2
AX1(config-if:ethernet2)#enable
AX1(config-if:ethernet2)#interface ethernet 3
AX1(config-if:ethernet3)#enable
AX1(config-if:ethernet3)#cpu-process
AX1(config-if:ethernet3)#interface ethernet 4
AX1(config-if:ethernet4)#enable
AX1(config-if:ethernet4)#cpu-process
AX1(config-if:ethernet4)#interface ethernet 5
AX1(config-if:ethernet5)#enable
AX1(config-if:ethernet5)#exit
AX1(config)#vlan 100
AX1(config-vlan:100)#untagged ethernet 1 to 4
AX1(config-vlan:100)#router-interface ve 1
AX1(config-vlan:100)#exit
AX1(config)#vlan 5
AX1(config-vlan:5)#untagged ethernet 5
AX1(config-vlan:5)#router-interface ve 5
AX1(config-vlan:5)#exit
AX1(config)#interface ve1
AX1(config-if:ve1)#ip address 172.168.10.2 /24
AX1(config-if:ve1)#interface ve5
AX1(config-if:ve5)#ip address 172.168.20.2 /24
AX1(config-if:ve5)#exit

The following commands configure the HA ID and set the HA priority. HA priority is associated with an HA group. Later in the configuration, the VIP is assigned to this HA group.

AX1(config)#ha id 1
AX1(config)#ha group 1 priority 255

The following command enables Layer 3 inline HA mode.

AX1(config)#ha l3-inline-mode

The following commands configure the HA interfaces. Each interface that is connected to a server, a router, or the other AX can be configured as an HA interface. (Make sure to add the dedicated HA link between the AX devices as one of the HA interfaces.)

AX1(config)#ha interface ethernet 1 router-interface no-heartbeat
AX1(config)#ha interface ethernet 2 router-interface no-heartbeat
AX1(config)#ha interface ethernet 3 server-interface
AX1(config)#ha interface ethernet 4 server-interface
AX1(config)#ha interface ethernet 5

The following command enables restart of the HA ports connected to the routers, to occur if the AX transitions to Standby.

AX1(config)#ha restart-port-list ethernet 1 to 2

The following command enables HA pre-emption mode, which causes failover to occur in response to administrative changes to the HA configuration. (For example, if you change the HA priority so that the other AX has higher priority, this will trigger a failover, but only if pre-emption mode is enabled.)

AX1(config)#ha preemption-enable

The following command specifies the IP address of the other AX, to use for session synchronization.

AX1(config)#ha conn-mirror ip 172.168.10.3

The following command configures the floating IP address for the real servers to use as their default gateway address.

AX1(config)#floating-ip 172.168.10.1 ha-group 1

The following commands configure a health method, real servers, a server group, and a VIP for an HTTP service.

AX1(config)#health monitor myHttp interval 10 retry 2 timeout 3
AX1(config-health:monitor)#method http url HEAD /index.html
AX1(config-health:monitor)#exit
AX1(config)#slb server s1 172.168.10.30
AX1(config-real server)#port 80 tcp
AX1(config-real server-node port)#health-check myHttp
AX1(config-real server-node port)#exit
AX1(config-real server)#exit
AX1(config)#slb server s2 172.168.10.31
AX1(config-real server)#port 80 tcp
AX1(config-real server-node port)#health-check myHttp
AX1(config-real server-node port)#exit

AX1(config-real server)#exit
AX1(config)#slb service-group g80 tcp
AX1(config-slb service group)#member s1:80
AX1(config-slb service group)#member s2:80
AX1(config-slb service group)#exit
AX1(config)#slb virtual-server v1 172.168.10.80
AX1(config-slb virtual server)#ha-group 1
AX1(config-slb virtual server)#port 80 tcp
AX1(config-slb virtual server-slb virtua...)#service-group g80
AX1(config-slb virtual server-slb virtua...)#ha-conn-mirror

Commands on AX2

Here are the commands for implementing HA on AX2. Most of the commands are the same as those on AX1, with the following exceptions:
• The IP interfaces are different.
• The HA ID is 2.
• The HA priority is 1.
• The session synchronization (conn-mirror) IP address is the address of AX1. (On AX1, the session synchronization IP address is the address of AX2.)

AX2(config)#interface ethernet 1
AX2(config-if:ethernet1)#enable
AX2(config-if:ethernet1)#interface ethernet 2
AX2(config-if:ethernet2)#enable
AX2(config-if:ethernet2)#interface ethernet 3
AX2(config-if:ethernet3)#enable
AX2(config-if:ethernet3)#cpu-process
AX2(config-if:ethernet3)#interface ethernet 4
AX2(config-if:ethernet4)#enable
AX2(config-if:ethernet4)#cpu-process
AX2(config-if:ethernet4)#interface ethernet 5
AX2(config-if:ethernet5)#enable
AX2(config-if:ethernet5)#exit
AX2(config)#vlan 100
AX2(config-vlan:100)#untagged ethernet 1 to 4
AX2(config-vlan:100)#router-interface ve 1
AX2(config-vlan:100)#exit
AX2(config)#vlan 5
AX2(config-vlan:5)#untagged ethernet 5

AX2(config-vlan:5)#router-interface ve 5
AX2(config-vlan:5)#exit
AX2(config)#interface ve1
AX2(config-if:ve1)#ip address 172.168.10.23 /24
AX2(config-if:ve1)#interface ve5
AX2(config-if:ve5)#ip address 172.168.20.3 /24
AX2(config-if:ve5)#exit
AX2(config)#ha id 2
AX2(config)#ha group 1 priority 1
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface
AX2(config)#ha interface ethernet 4 server-interface
AX2(config)#ha interface ethernet 5
AX2(config)#ha l3-inline-mode
AX2(config)#ha restart-port-list ethernet 1 to 2
AX2(config)#ha preemption-enable
AX2(config)#ha conn-mirror ip 172.168.10.2
AX2(config)#floating-ip 172.168.10.1 ha-group 1
AX2(config)#health monitor myHttp interval 10 retry 2 timeout 3
AX2(config-health:monitor)#method http url HEAD /index.html
AX2(config-health:monitor)#exit
AX2(config)#slb server s1 172.168.10.30
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb server s2 172.168.10.31
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb service-group g80 tcp
AX2(config-slb service group)#member s1:80
AX2(config-slb service group)#member s2:80
AX2(config-slb service group)#exit
AX2(config)#slb virtual-server v1 172.168.10.80
AX2(config-slb virtual server)#ha-group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#service-group g80
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
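The three CLI examples in this chapter (the Layer 3 Active-Active pair, and the Layer 2 and Layer 3 inline Active-Standby pairs) all depend on the same cross-device invariants: distinct HA IDs, identical floating IPs, a group priority that differs between the two devices, a single HA group in inline mode, the preferred port included among the HA interfaces, heartbeats on at least the dedicated HA link, a conn-mirror address that is the peer's real address rather than a floating IP, and the same HA group for the same virtual server on both devices. The Python script below is an added example, not part of this guide and not A10 software: it parses transcripts in the guide's prompt format and reports which of those rules a pair of configurations breaks. The transcripts are constructed and abridged from the Active-Active example; the 10.30.10.x HA-link addresses are sample values, and the rule names are my own.

```python
"""HA-pair consistency checks: an added example (not A10 code) built on this page's CLI transcripts."""
import re
from dataclasses import dataclass, field
from typing import Optional

PROMPT = re.compile(r"^[\w-]+\(config[^)]*\)#\s*")   # strips "AX1(config-...)# " from a transcript line


@dataclass
class HaConfig:
    ha_id: Optional[int] = None
    priorities: dict = field(default_factory=dict)   # HA group -> priority
    floating: dict = field(default_factory=dict)     # HA group -> set of floating IPs
    ha_ifaces: dict = field(default_factory=dict)    # ethernet port -> heartbeat enabled?
    preferred_port: Optional[int] = None
    conn_mirror: Optional[str] = None
    preempt: bool = False
    inline: bool = False
    vs_groups: dict = field(default_factory=dict)    # virtual server -> HA group


def parse_transcript(text: str) -> HaConfig:
    cfg, current_vs = HaConfig(), None
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok:
            continue
        if tok[:2] == ["ha", "id"]:
            cfg.ha_id = int(tok[2])
        elif tok[:2] == ["ha", "group"] and "priority" in tok:          # global "ha group N priority P"
            cfg.priorities[int(tok[2])] = int(tok[tok.index("priority") + 1])
        elif tok[0] == "floating-ip":
            cfg.floating.setdefault(int(tok[tok.index("ha-group") + 1]), set()).add(tok[1])
        elif tok[:3] == ["ha", "interface", "ethernet"]:
            cfg.ha_ifaces[int(tok[3])] = "no-heartbeat" not in tok
        elif tok[:2] in (["ha", "inline-mode"], ["ha", "l3-inline-mode"]):
            cfg.inline = True
            if "preferred-port" in tok:
                cfg.preferred_port = int(tok[tok.index("preferred-port") + 1])
        elif tok[:3] == ["ha", "conn-mirror", "ip"]:
            cfg.conn_mirror = tok[3]
        elif tok[:2] == ["ha", "preemption-enable"]:
            cfg.preempt = True
        elif tok[0] == "slb" and tok[1] in ("virtual-server", "virtual"):
            current_vs = tok[2]                                          # entering a VIP's context
        elif "slb virtual server" in raw and current_vs and (tok[0] == "ha-group" or tok[:2] == ["ha", "group"]):
            cfg.vs_groups[current_vs] = int(tok[-1])                     # "ha group N" / "ha-group N" on the VIP
    return cfg


def check_pair(a: HaConfig, b: HaConfig) -> list:
    """Return the pairing rules stated in the guide that the two configs violate."""
    problems = []
    if a.ha_id is None or a.ha_id == b.ha_id:
        problems.append("HA IDs must be set and must differ")
    for grp in set(a.priorities) | set(b.priorities):
        if grp not in a.priorities or grp not in b.priorities or a.priorities[grp] == b.priorities[grp]:
            problems.append(f"group {grp}: must exist on both devices with different priorities")
    if a.floating != b.floating:
        problems.append("floating IPs must be identical on both devices")
    for name, dev in (("A", a), ("B", b)):
        if dev.inline and len(dev.priorities) != 1:
            problems.append(f"{name}: inline mode is Active-Standby only, configure a single HA group")
        if dev.preferred_port is not None and dev.preferred_port not in dev.ha_ifaces:
            problems.append(f"{name}: preferred port {dev.preferred_port} is not an HA interface")
        if dev.ha_ifaces and not any(dev.ha_ifaces.values()):
            problems.append(f"{name}: no HA interface carries heartbeats")
        if dev.conn_mirror in set().union(*dev.floating.values()):
            problems.append(f"{name}: conn-mirror {dev.conn_mirror} is a floating IP, not a real address")
    if a.conn_mirror and a.conn_mirror == b.conn_mirror:
        problems.append("each conn-mirror address must be the peer's real address")
    if a.preempt != b.preempt:
        problems.append("HA pre-emption is enabled on only one device")
    for vs in set(a.vs_groups) | set(b.vs_groups):
        if a.vs_groups.get(vs) != b.vs_groups.get(vs):
            problems.append(f"virtual server {vs}: HA group differs between devices")
    return problems


# Constructed transcript, abridged from the Active-Active example (10.30.10.x are sample HA-link addresses).
AX1_CLI = """
AX1(config)#ha id 1
AX1(config)#ha group 1 priority 1
AX1(config)#ha group 2 priority 255
AX1(config)#floating-ip 10.10.10.1 ha-group 1
AX1(config)#floating-ip 10.10.10.100 ha-group 2
AX1(config)#ha interface ethernet 1 router-interface no-heartbeat
AX1(config)#ha interface ethernet 5
AX1(config)#ha conn-mirror ip 10.30.10.2
AX1(config)#ha preemption-enable
AX1(config)#slb virtual-server VIP1
AX1(config-slb virtual server)#ha group 1
AX1(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX1(config)#slb virtual-server VIP2
AX1(config-slb virtual server)#ha group 2
"""
# The peer: its own HA ID, inverted group priorities, AX1's HA-link address as the mirror target.
AX2_CLI = (AX1_CLI.replace("AX1", "AX2").replace("ha id 1", "ha id 2")
           .replace("group 1 priority 1", "group 1 priority 255")
           .replace("group 2 priority 255", "group 2 priority 1")
           .replace("10.30.10.2", "10.30.10.1"))
# A deliberately broken peer: duplicate HA ID, mismatched floating IP, mirror pointed at a floating IP.
BROKEN_AX2_CLI = (AX2_CLI.replace("ha id 2", "ha id 1")
                  .replace("10.10.10.100 ha-group 2", "10.10.10.200 ha-group 2")
                  .replace("10.30.10.1", "10.10.10.1"))
```

Running `check_pair(parse_transcript(AX1_CLI), parse_transcript(AX2_CLI))` returns an empty list for the matched pair, and the broken peer yields three findings (duplicate HA ID, floating-IP mismatch, conn-mirror set to a floating IP). The same parser accepts the inline transcripts because `ha inline-mode preferred-port` and `ha l3-inline-mode` are recognised, so a preferred port that was never declared with `ha interface` is reported as well.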

Configuring Optional Failover Triggers

The following sections show how to configure the following optional failover triggers:
• VLAN-based failover
• Gateway-based failover
• VIP-based failover

Only the configuration relevant to the triggers is shown. A complete HA configuration also includes the configuration items described in the previous sections.

Note: Failover based on HA interface state is also optional, and is described in other sections in this chapter.

VLAN-Based Failover Example

To configure VLAN-based failover, use either of the following methods. (For a description of the feature, see "VLAN-based Failover" on page 438.)

USING THE GUI
1. Select Config > HA > Setting > HA Global.
2. On the Status Check tab, enter the VLAN ID in the VLAN ID field.
3. Enter the timeout in the Timeout field. The timeout can be 2-600 seconds. You must specify the timeout. Although there is no default, A10 recommends trying 30 seconds.
4. Click Add.
5. Repeat step 2 through step 4 for each VLAN to be monitored for HA.
6. Click OK.

USING THE CLI
To enable HA checking for a VLAN, use the following command at the global configuration level of the CLI:
[no] ha check vlan vlan-id timeout seconds

The timeout can be 2-600 seconds. You must specify the timeout. Although there is no default, A10 recommends trying 30 seconds.

The following command enables VLAN-based failover for VLAN 10 and sets the timeout to 30 seconds:
AX(config)#ha check vlan 10 timeout 30

Gateway-Based Failover Example

To configure gateway-based failover, use either of the following methods. (For a description of the feature, see "Gateway-based Failover" on page 438.)

USING THE GUI
1. Configure a health monitor that uses the ICMP method:
   a. Select Config > Service > Health Monitor.
   b. Select Health Monitor on the menu bar.
   c. Click Add. The General tab appears.
   d. On the General tab, enter a name for the monitor.
   e. On the Method tab, select ICMP from the Type drop-down list.
   f. Click OK.
2. Configure the gateway as an SLB real server and apply the ICMP health monitor to the server:
   a. Select Config > Service > SLB.
   b. Select Server on the menu bar.
   c. Click Add.
   d. On the General tab, enter a name for the gateway in the Name field.
   e. In the IP Address field, enter the IP address of the gateway.
   f. On the Health Monitor tab, select the ICMP health monitor you configured in step 1 in the Health Monitor drop-down list.
   g. Click OK.
3. Enable gateway-based failover:
   a. Select Config > HA > Setting > HA Global.
   b. On the Status Check tab, enter the IP address of the gateway in the IP Address field.

   c. Click Add.
   d. Repeat step b and step c for each gateway to be monitored for HA.
   e. Click OK.

USING THE CLI
1. To configure a health monitor for a gateway, use the following commands.
   [no] health monitor monitor-name
   Enter this command at the global Config level.
   [no] method icmp
   Enter this command at the configuration level for the health monitor.
2. To configure the gateway as an SLB real server and apply the health monitor to the server, use the following commands.
   [no] slb server server-name ipaddr
   [no] health-check monitor-name
3. To enable HA health checking for the gateway, use the following command at the global configuration level.
   [no] ha check gateway ipaddr

CLI Example

The following commands configure an ICMP health method:
AX(config)#health monitor gatewayhm1
AX(config-health:monitor)#method icmp
AX(config-health:monitor)#exit

The following commands configure a real server for the gateway and apply the health monitor to it:
AX(config)#slb server gateway1 10.10.10.1
AX(config-real server)#health-check gatewayhm1
AX(config-real server)#exit

The following command enables HA health checking for the gateway:
AX(config)#ha check gateway 10.10.10.1

VIP-Based Failover Example

To configure VIP-based failover, use either of the following methods. (For a description of the feature, see "VIP-based Failover" on page 439.) These procedures apply specifically to the VIP-based failover parameters. You also need to configure HA global and interface parameters.

USING THE GUI
To configure VIP-based failover on a virtual server:
1. Configure HA global and interface parameters, if you have not already done so. See "Configuring Global HA Parameters" on page 450 and "Configuring HA Interfaces" on page 451.
2. Select Config > Service > SLB.
3. On the menu bar, select Virtual Server.
4. Click on the virtual server name or click Add to create a new one.
5. Select the HA group from the HA Group drop-down list. The Dynamic Server Weight field appears.
   Note: If the HA Group drop-down list does not have any group IDs, you still need to configure global HA parameters. See "Configuring Global HA Parameters" on page 450.
6. Enter other parameters if needed (for example, the name, IP address, and virtual service ports).
7. Click OK.

USING THE CLI
To configure VIP-based failover, use the following commands:
[no] ha-group group-id
Enter this command at the configuration level for a virtual server, to assign the virtual server to the HA group. The group-id can be 1-31.
[no] ha-dynamic server-weight

Enter this command at the configuration level for the virtual server to enable VIP-based failover. The server-weight specifies the amount to subtract from the HA group's priority value for each real server that becomes unavailable. The weight can be 1-255. The default is 1.

HA pre-emption must be enabled in order for failover to occur based on HA group priority changes.

CLI Example

The following command configures HA group 6 on AX-1 and assigns priority 100 to the group:
AX-1(config)#ha group 6 priority 100

The following command enables HA pre-emption:
AX-1(config)#ha preemption-enable

The following command configures a floating IP address and assigns it to HA group 6:
AX-1(config)#floating-ip 192.168.10.1 ha-group 6

The following commands assign virtual server VIP2 to HA group 6 and enable VIP-based failover for the virtual server. The server weight for HA group 6 on VIP2 is set to 10. (For simplicity, this example does not show configuration of the real servers or non-HA virtual server options.)
AX-1(config)#slb virtual VIP2 192.168.10.22
AX-1(config-slb virtual server)#ha group 6
AX-1(config-slb virtual server)#ha-dynamic 10

The following commands configure the HA settings on AX-2. The priority for HA group 6 is set to 80. The server weight for HA group 6 on VIP2 is set to 10, the same weight value set on AX-1.
AX-2(config)#ha group 6 priority 80
AX-2(config)#ha preemption-enable
AX-2(config)#floating-ip 192.168.10.1 ha-group 6
AX-2(config)#slb virtual VIP2 192.168.10.22
AX-2(config-slb virtual server)#ha group 6
AX-2(config-slb virtual server)#ha-dynamic 10

Up to 2 real servers bound to VIP2 can become unavailable on AX-1 without triggering a failover. However, if a third real server becomes unavailable, the priority of HA group 6 is reduced to 70, which is lower than the priority value set on AX-2 for the group. In this case, a failover does occur for VIP2.
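The AX-1/AX-2 example above works through one instance of the dynamic-weight arithmetic (priority 100, weight 10, failover on the third lost server). The Python below is an added example, not from this guide or A10, that generalizes it: it computes the effective group priority for any number of unavailable real servers, decides which device holds the Active role under the rule that priority changes only move the role when pre-emption is enabled, and derives the number of server failures that will trigger a failover for any priority pair and weight. Two details the page does not state are assumptions here: equal effective priorities leave the current Active in place, and the effective priority is floored at 0.

```python
"""Dynamic HA-group priority under VIP-based failover (ha-dynamic).

Added illustration of the AX-1/AX-2 example on this page, not A10 code. The tie rule
(equal priorities keep the current Active) and the floor at 0 are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HaGroup:
    device: str
    priority: int        # configured with "ha group N priority P"
    server_weight: int   # configured with "ha-dynamic server-weight" (1-255, default 1)

    def effective_priority(self, servers_down: int) -> int:
        """Each unavailable real server subtracts server_weight from the group priority."""
        return max(0, self.priority - self.server_weight * servers_down)


def active_device(g1: HaGroup, g2: HaGroup, down1: int, down2: int,
                  preemption: bool, current_active: str) -> str:
    """Device holding the Active role for the group after the given server failures."""
    if not preemption:                 # without pre-emption, priority changes never move the role
        return current_active
    p1, p2 = g1.effective_priority(down1), g2.effective_priority(down2)
    if p1 == p2:                       # assumption: a tie keeps the current Active
        return current_active
    return g1.device if p1 > p2 else g2.device


def failures_to_failover(active: HaGroup, standby: HaGroup) -> int:
    """Smallest number of unavailable real servers behind the Active device's VIP that drops
    its priority below the Standby's configured priority (Standby's servers assumed healthy)."""
    if active.priority <= standby.priority:
        return 0
    return (active.priority - standby.priority) // active.server_weight + 1


def simulate(g1: HaGroup, g2: HaGroup, max_down: int, preemption: bool = True) -> dict:
    """Active device for 0..max_down failed real servers on g1's side, g1 initially Active."""
    return {n: active_device(g1, g2, n, 0, preemption, g1.device) for n in range(max_down + 1)}


if __name__ == "__main__":
    ax1 = HaGroup("AX-1", priority=100, server_weight=10)
    ax2 = HaGroup("AX-2", priority=80, server_weight=10)
    print(simulate(ax1, ax2, 3))            # {0: 'AX-1', 1: 'AX-1', 2: 'AX-1', 3: 'AX-2'}
    print(failures_to_failover(ax1, ax2))   # 3
```

With the default weight of 1 the same priorities would tolerate 20 lost servers before the twenty-first moves the VIP, which is why the example raises the weight to 10; `failures_to_failover` makes that trade-off explicit before the values are committed on the devices.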

Enabling Session Synchronization

Session synchronization backs up live client sessions on the Backup AX device. Session synchronization is supported for Layer 4 sessions.

To enable session synchronization:
• Globally enable the feature, specifying the IP address of the other AX device in the HA pair.
• Enable the feature on individual virtual ports.

USING THE GUI
To globally enable the feature:
1. Select Config > HA > Setting.
2. On the menu bar, select HA Global.
3. In the Mirror IP Address field, enter the IP address of the other AX device in the HA pair.
4. Click OK or Apply.

To enable the feature on individual virtual ports:
1. Select Config > Service > Server.
2. On the menu bar, select Virtual Server.
3. Click on the virtual server name.
4. On the Port tab, select the port and click Edit.
5. Select Enabled next to HA Connection Mirror.
   Note: If the HA Connection Mirror option is not displayed, session synchronization is not supported for this service type.
6. Click OK to redisplay the Port tab.
7. Click OK again.

USING THE CLI
To globally enable session synchronization, use the following command at the global configuration level of the CLI:
[no] ha conn-mirror ip ipaddr
The ipaddr must be an IP address on the other AX device.

To enable session synchronization on a virtual port, use the following command at the configuration level for the port:
[no] ha-conn-mirror

CLI Example

The following command sets the session synchronization address to 10.10.10.66, the IP address of the other AX in this HA pair:
AX(config)#ha conn-mirror ip 10.10.10.66

The following commands access the configuration level for a virtual port and enable connection mirroring on the port:
AX(config)#slb virtual-server vip1 10.10.10.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#ha-conn-mirror

Synchronizing Configuration Information

You can use config-sync options to synchronize some or all of the following:
• Startup-config, to the other AX device's startup-config or running-config
• Running-config, to the other AX device's running-config or startup-config
• Data files:
  • SSL certificates and private-key files
  • aFleX files
  • External health check files
  • Black/white-list files

Requirements

Session synchronization (connection mirroring) is required for config sync. Config sync uses the session synchronization link. To enable session synchronization, see "Enabling Session Synchronization" on page 476.

SSH management access must be enabled on both ends of the link. (See "Securing Admin Access by Ethernet" on page 515.)

Configuration Items That Are Backed Up

The following configuration items are backed up during HA configuration synchronization:
• Admin accounts and settings
• Floating IP addresses
• IP NAT configuration
• Access control lists (ACLs)
• Health monitors
• Policy-based SLB (black/white lists)
• SLB
• FWLB
• GSLB
• Data Files:
  • aFleX files
  • External health check files
  • SSL certificate and private-key files
  • Black/white-list files

Note: For IP NAT configuration items to be backed up, you must specify an HA group ID as part of the NAT configuration.

Configuration Items That Are Not Backed Up

The following configuration items are not backed up during HA configuration synchronization:
• Management access settings (the ones described in "Securing Admin Access by Ethernet" on page 515)
• AX Hostname
• MAC addresses
• Management IP addresses
• Trunks or VLANs
• Interface settings
• OSPF or RIP settings
• ARP entries or settings

Reload of the Target AX Device

In certain cases, the target AX device is automatically reloaded, but in other cases, reload is either optional or is not allowed. Table 11 lists the cases in which reload is automatic, optional, or not allowed.

TABLE 11 Reload of Target AX Device After Config-Sync

Admin Role                        Status of Target AX (1)   Target Config     Reload?
Root or Super User (Read-Write)   Standby                   startup-config    Automatic
                                                            running-config    Automatic
                                  Active                    startup-config    Optional (2)
                                                            running-config    Not reloaded by default
Partition Write                   Standby                   startup-config    Automatic
                                                            running-config    Not Allowed
                                  Active                    startup-config    Not Allowed
                                                            running-config    Not Allowed

1. "Active" means the AX device is currently the active device for at least one HA group.
2. If the target AX device is not reloaded, the GUI Save button on the Standby AX device does not blink to indicate unsaved changes. It is recommended to save the configuration if required to keep the running-config before the next reboot.

Caveats

Before synchronizing the Active and Standby AX devices, verify that both are running the same software version. HA configuration synchronization between two different software versions is not recommended, since some configuration commands in the newer version might not be supported in the older version.

Do not make other configuration changes to the Active or Standby AX device during synchronization.

If the configuration includes Policy-based SLB (black/white lists), the time it takes for synchronization depends on the size of the black/white-list file. This is because the synchronization process is blocked until the files are transferred from active to standby.

The HA configuration synchronization process does not check user privileges on the Standby AX device and will synchronize to it using read-only privileges.

Performing HA Synchronization

To synchronize the AX devices in an HA configuration, use the GUI procedure or the CLI commands described below. You must be logged onto the Active AX with configuration (read-write) access.

An admin who is logged on with Root or Read-Write (Super Admin) privileges can synchronize for all Role-Based Administration (RBA) partitions or for a specific partition. An admin who is logged on with Partition Write privileges can synchronize only for the partition to which the admin is assigned. However, the with-reload and to-running-config options are not available to Partition Write admins, who can only synchronize to the startup-config on the other device. (For information, see “Synchronizing the Configuration” on page 592.)

USING THE GUI

1. Select Config > HA > Config Sync.
2. In the User and Password fields, enter the admin username and password for logging onto the other AX device.
3. If Role-Based Administration (RBA) is configured on the AX device, select whether to synchronize all partitions or only the currently selected partition.

4. Next to Operation, select the information to be copied to the other AX device:
• All – Copies all the following to the other AX device:
  • Floating IP addresses
  • IP NAT configuration
  • Access control lists (ACLs)
  • Health monitors
  • Policy-based SLB (black/white lists)
  • SLB
  • FWLB
  • GSLB
  • Data files (see below)
  The items listed above that appear in the configuration file are copied to the other AX device’s running-config.
• Data Files – Copies only the SSL certificates and private-key files, aFleX files, external health check files, and black/white-list files to the other AX device
• Running-config – Copies everything listed for the All option, except the data files, from this AX device’s running-config
• Startup-config – Copies everything listed for the All option, except the data files, from this AX device’s startup-config
5. Next to Peer Option, select the target for the synchronization:
• To Running-config – Copies the items selected in step 4 to the other AX device’s running-config
• To Startup-config – Copies the items selected in step 4 to the other AX device’s startup-config
6. To reload the other AX device after synchronization, select With Reload. Otherwise, the other AX device is not reloaded following the synchronization.
Note: In some cases, reload of the other AX device either is automatic or is not allowed. See Table 11 on page 479.
7. Click OK.

USING THE CLI

The ha sync commands are available at the global configuration level of the CLI.

Note: The all-partitions and partition partition-name options are applicable on AX devices that are configured for Role-Based Administration (RBA). For information, see “Role-Based Administration” on page 577.

To synchronize data files and the running-config, use the following command:

ha sync all {to-startup-config [with-reload] | to-running-config} [all-partitions | partition partition-name]

Note: In some cases, reload of the other AX device either is automatic or is not allowed. See Table 11 on page 479.

To synchronize the Active AX device’s startup-config to the Standby AX device’s startup-config or running-config, without also synchronizing the data files, use the following command:

ha sync startup-config {to-startup-config [with-reload] | to-running-config} [all-partitions | partition partition-name]

To synchronize the Active AX device’s running-config to the Standby AX device’s running-config or startup-config, without also synchronizing the data files, use the following command:

ha sync running-config {to-startup-config [with-reload] | to-running-config} [all-partitions | partition partition-name]

To synchronize the data files by copying the Active AX device’s data files to the Standby AX device, use the following command:

ha sync data-files [all-partitions | partition partition-name]

Network Address Translation

This chapter describes Network Address Translation (NAT) and how to configure it. NAT translates the source or destination IP address of a packet before forwarding the packet. The AX device uses NAT to perform SLB. The AX device also supports traditional Layer 3 NAT, which you can configure if required by your network.

SLB NAT

AX Series devices automatically perform destination NAT for client-VIP SLB traffic. Figure 141 shows an example.

FIGURE 141 SLB NAT

By default, SLB NAT works as follows.

• Before forwarding a client packet to a real server, the AX device translates the destination IP address from the virtual server IP address (VIP) to the IP address of the real server. The default SLB NAT behavior does not translate the client’s IP address.
• The AX device reverses the translation before sending the server reply to the client. The source IP address is translated from the real server’s IP address to the VIP address.

IP NAT Configuration Limits

The AX device supports the following:
• NAT pool addresses – Maximum of 500 NAT pool addresses supported, in all NAT pools. For example, you can configure 1 NAT pool containing 500 NAT addresses, or 100 NAT pools containing 5 addresses each, and so on.
• NAT pools – Maximum of 100 NAT pools supported.
• NAT pool groups – Maximum of 50 NAT pool groups supported. Each NAT pool group can contain up to 5 NAT pools.

SLB Source NAT

SLB source NAT is disabled by default. There are some cases where SLB source NAT is applicable:
• Connection reuse. (See “Connection Reuse” on page 484.)
• The VIP and real servers are in different subnets. In cases where real servers are in a different subnet than the VIP, source NAT ensures that reply traffic from a server will pass back through the AX device. (See “Source NAT for Servers in Other Subnets” on page 489.)
• Use of different real port numbers for the same service within a service group, when non-standard port numbers (higher than 1023) are used. (See “Auto-Port Translation” on page 675.)

Connection Reuse

Connection reuse enables you to reuse TCP connections between the AX device and real servers for multiple client sessions. When you enable this feature, the AX device does not tear down a TCP connection with the real server each time a client ends its session. Instead, the AX device leaves the

TCP connection established, and reuses the connection for the next client that uses the real server.

Connection reuse requires SLB source NAT. Since the TCP connection with the real server needs to remain established after a client’s session ends, the client’s IP address cannot be used as the source address for the connection. Instead, the source address must be an IP address from a NAT pool or pool group configured on the AX device. The pool or pool group must have a unique IP address for each reusable TCP connection you want to establish.

To configure connection reuse:
1. Configure a NAT pool or set of pools to specify the IP addresses to use as source addresses for the reusable connections with the real servers.
• To use a single, contiguous range of addresses, only one pool is needed.
• To use a non-contiguous range of addresses, configure a separate pool for each contiguous portion of the range, then configure a pool group that contains the pools. The addresses within an individual pool still must be contiguous, but you can have gaps between the ending address in one pool and the starting address in another pool. You also can use pools that are in different subnets.
A pool group can contain up to 5 pools. A pool can be a member of multiple pool groups. Up to 50 NAT pool groups are supported. Pool group members must belong to the same protocol family (IPv4 or IPv6) and must use the same HA ID.
2. If you plan to use policy-based source NAT, to select from among multiple pools based on source IP address, configure an ACL for each of the client address ranges that will use its own pool.
3. Configure a connection reuse template.
4. Enable source NAT on the virtual service port and specify the pool or pool group to use for the source addresses. If you are configuring policy-based source NAT, bind each ACL to its pool.
5. Add the connection reuse template to the service port.

Note: These steps apply specifically to configuration of connection reuse. A complete SLB configuration also requires the standard SLB configuration steps, including configuration of the real servers and service group.

USING THE GUI

1. To configure a pool of addresses:
a. Select Config > Service > IP Source NAT.
b. Select IPv4 Pool or IPv6 Pool on the menu bar.
c. Click New. The Pool tab appears.
d. Enter a name for the pool.
e. Enter the start and end addresses.
f. Enter the network mask.
g. If the AX device is deployed in transparent mode, enter the default gateway to use for NATted traffic.
h. To use session synchronization for NAT translations, select the HA group.
i. Click OK.
2. To configure a connection reuse template:
a. Select Config > Service > Template.
b. Select Connection Reuse on the menu bar.
c. Click New. The Connection Reuse tab appears.
d. Enter a name for the template.
e. Edit the other parameters or leave them at their default settings.
f. Click OK. The template appears in the connection reuse template table.
3. To enable source NAT on the virtual port:
a. Select Config > Service > Server.
b. Select Virtual Server on the menu bar.
c. Select the virtual server name or click New.
d. If you are adding a new virtual server, enter the general server settings.
e. Click Port. The Virtual Server Port tab appears.
f. Select the port and click Edit, or click New.
g. Enter or select the port settings, if the port is new.

h. Do one of the following:
• To use a single pool or pool group for all source addresses, select the pool from the Source NAT Pool drop-down list.
• To use separate pools based on source addresses, use the ACL-SNAT Binding fields to bind each ACL to its pool. For each binding, select the ACL from the Access List drop-down list, select the pool from the Source NAT Pool drop-down list, and click Add.
i. Do not click OK yet. Go to step 4.
4. To add the connection reuse template to the virtual port:
a. In the Connection Reuse Template drop-down list, select the template.
b. Click OK.
c. Click OK again.

USING THE CLI

1. To configure an IP address pool, use one of the following commands at the global configuration level of the CLI.
To configure an IPv4 pool:
ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} [gateway ipaddr] [ha-group-id group-id]
To configure an IPv6 pool:
ipv6 nat pool pool-name start-ipv6-addr end-ipv6-addr netmask mask-length [gateway ipaddr] [ha-group-id group-id]
To configure a pool group, configure a separate IP pool for each contiguous set of addresses, then use the following command to add the pools to a pool group:
ip nat pool-group pool-group-name {pool-name ...}
2. To configure a connection reuse template, enter the following command at the global configuration level to create the template:
slb template connection-reuse template-name

This command creates the template and changes the CLI to the configuration level for the template. Use the following commands to configure the template, or use the default settings:
limit-per-server number
timeout seconds
The limit-per-server command specifies the maximum number of reusable connections to establish with each real server. You can specify 0-65535. For unlimited connections, specify 0. The default is 1000.
The timeout command specifies the maximum number of seconds a reusable connection can remain idle before it times out. You can specify 1-3600 seconds. The default is 2400 seconds (40 minutes).
3. To enable source NAT, do one of the following:
• To enable source NAT on the virtual port and use a single pool or pool group for all source addresses, use the following command at the configuration level for the virtual port:
source-nat pool {pool-name | pool-group-name}
• To enable policy-based source NAT and use separate pools based on source IP address, use the following command at the configuration level for the port. This command binds an ACL to its pool:
access-list acl-num source-nat-pool pool-name
Note: If you do not specify a NAT pool with this command, the ACL is used only to filter the traffic.
4. To add the connection reuse template to the virtual port, use the following command at the configuration level for the virtual port:
template connection-reuse template-name

CLI Example

The following commands configure standard ACLs that match on different client addresses:
AX(config)#access-list 30 permit ip 192.168.…
AX(config)#access-list 50 permit ip 192.168.…

The following commands configure source NAT pools:
AX(config)#ip nat pool pool1 10.10.10.100 10.10.10.200 netmask /16 ha-group-id 1
AX(config)#ip nat pool pool2 … netmask /16 ha-group-id 1

The following commands configure a real server and a service group:
AX(config)#slb server s1 192.168.19.48
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb service-group group80 tcp
AX(config-slb service group)#method weighted-rr
AX(config-slb service group)#member s1:80
AX(config-slb service group)#exit

The following commands configure policy-based source NAT, by binding ACLs to NAT pools on the virtual port:
AX(config)#slb virtual-server vs1 10.10.10.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#access-list 30 source-nat-pool pool1
AX(config-slb virtual server-slb virtua...)#access-list 50 source-nat-pool pool2

Source NAT for Servers in Other Subnets

The AX device allows source NAT to be enabled on a virtual port. In cases where real servers are in a different subnet than the VIP, source NAT ensures that reply traffic from a server will pass back through the AX device. Figure 142 on page 490 shows an example.

You can enable source NAT on a virtual port in either of the following ways:
• Use the source-nat option to bind a single IP address pool or pool group to the virtual port. This option is applicable if all the real servers are in the same subnet.
• Use sets of ACL-pool pairs, one for each real server subnet. You must use this method if the real servers are in multiple subnets. This section describes how to use this method.

For the real server to be able to send replies back through the AX device, use an extended ACL. The source IP address must match on the client address. The destination IP address must match on the real server address. The action must be permit. The ACL should not match on the virtual IP address (unless the virtual IP address is in the same subnet as the real servers, in which case source NAT is probably not required).

FIGURE 142 Multiple NAT Pools Bound to a Virtual Port

In this example, a service group has real servers that are located in two different subnets. The VIP is not in either of the subnets. To ensure that reply traffic from a server will pass back through the AX device, the AX device uses IP source NAT. To implement IP source NAT, two pairs of ACL and IP address pool are bound to the virtual port. Each ACL-pool pair contains the following:
• An extended ACL whose source IP address matches on client addresses and whose destination IP address matches on the real server’s subnet.
• An IP address pool or pool group containing translation addresses in the real server’s subnet.

For example, if SLB selects a real server in the 10.10.10.x subnet, then the source IP address is translated from the client’s address to an address in pool 1. When the server replies, it replies to the address from pool 1.

CLI Example

The following commands implement the source NAT configuration shown in Figure 142 on page 490. First, the ACLs are configured. In each ACL, “any” is used to match on all clients. The destination address is the subnet where the real servers are located.
AX(config)#access-list 100 permit any 10.10.10.0 /24
AX(config)#access-list 110 permit any 10.10.20.0 /24

The following commands configure the IP address pools. Each pool contains addresses in one of the real server subnets.
AX(config)#ip nat pool pool1 10.10.10.100 10.10.10.101 netmask /24
AX(config)#ip nat pool pool2 10.10.20.100 10.10.20.101 netmask /24

The following commands bind the ACLs and IP address pools to a virtual port on the VIP:
AX(config)#slb virtual-server vip1 192.168.1.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#access-list 100 source-nat-pool pool1
AX(config-slb virtual server-slb virtua...)#access-list 110 source-nat-pool pool2

Direct Server Return

You can disable destination NAT on a virtual port, to enable Direct Server Return (DSR). DSR enables a real server to respond to clients directly instead of going through the AX device. This type of NAT is especially useful for applications that have intensive payload transfers, such as FTP and streaming media. The AX is not required to return the server’s response traffic to clients, so there is no need to un-NAT traffic.

Note: In most cases, destination NAT does not need to be configured for SLB. The AX device automatically translates the VIP address into a real server address before forwarding a request to the server.
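The ACL-pool binding rules from the two sections above (first matching permit ACL selects the pool; the pool must hold addresses in the real-server subnet so replies return through the AX) as an added Python simulation. This is not A10 code: the configuration text mirrors the CLI example above, while the client address 172.16.5.9, the pool3/ACL 120 misconfiguration and the pool-limit checks are constructed for the example; port qualifiers in extended ACLs are parsed but not evaluated.

```python
import ipaddress

Net = ipaddress.IPv4Network

# Constructed configuration mirroring the Figure 142 CLI example.
CONFIG = """
access-list 100 permit any 10.10.10.0 /24
access-list 110 permit any 10.10.20.0 /24
ip nat pool pool1 10.10.10.100 10.10.10.101 netmask /24
ip nat pool pool2 10.10.20.100 10.10.20.101 netmask /24
access-list 100 source-nat-pool pool1
access-list 110 source-nat-pool pool2
"""

# Constructed misconfiguration: pool3 is bound to an ACL matching servers in
# 10.10.30.0/24, but its addresses are in 10.10.20.0/24, so replies bypass the AX.
BAD_CONFIG = CONFIG + """
access-list 120 permit any 10.10.30.0 /24
ip nat pool pool3 10.10.20.102 10.10.20.103 netmask /24
access-list 120 source-nat-pool pool3
"""


def _parse_addr(tokens):
    """Consume one ACL address spec: any | host A | A /len | A wildcard-mask."""
    tok = tokens.pop(0)
    if tok == "any":
        return Net("0.0.0.0/0")
    if tok == "host":
        return Net(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if mask.startswith("/"):
        return Net(tok + mask, strict=False)
    # filter-mask is a wildcard mask (0.0.0.255 covers a /24), as in the page's
    # "access-list 1 permit 10.10.10.0 0.0.0.255"; assumes contiguous mask bits.
    wildcard = int(ipaddress.IPv4Address(mask))
    return Net(f"{tok}/{32 - bin(wildcard).count('1')}", strict=False)


def _skip_ports(tokens):
    """Drop eq/gt/lt/range port qualifiers; ports are not modelled here."""
    while tokens and tokens[0] in ("eq", "gt", "lt", "range"):
        del tokens[:3 if tokens[0] == "range" else 2]


def parse_config(text):
    """Return (acls, pools, bindings) from CLI lines in the page's syntax."""
    acls, pools, bindings = {}, {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "nat", "pool"]:
            start, end = ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5])
            mask = t[t.index("netmask") + 1]
            net = Net(f"{start}{mask}" if mask.startswith("/") else f"{start}/{mask}",
                      strict=False)
            pools[t[3]] = (start, end, net)
        elif t[0] == "access-list" and "source-nat-pool" in t:
            bindings.append((t[1], t[t.index("source-nat-pool") + 1]))
        elif t[0] == "access-list":
            num, action, rest = t[1], t[2], t[3:]
            if rest[0] in ("ip", "icmp", "tcp", "udp"):   # extended-ACL protocol keyword
                rest.pop(0)
            src = _parse_addr(rest)
            _skip_ports(rest)
            dst = _parse_addr(rest) if rest else Net("0.0.0.0/0")   # standard ACL
            _skip_ports(rest)
            acls.setdefault(num, []).append((action, src, dst))
    return acls, pools, bindings


def acl_permits(entries, src_ip, dst_ip):
    """First matching entry decides; no match means the ACL does not permit."""
    for action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False


def select_snat_pool(cfg, client, server):
    """Pool bound to the first ACL that permits client->server, else None (no
    source NAT). Pool groups and address exhaustion are not modelled."""
    acls, _pools, bindings = cfg
    c, s = ipaddress.IPv4Address(client), ipaddress.IPv4Address(server)
    for acl_num, pool in bindings:
        if acl_permits(acls.get(acl_num, []), c, s):
            return pool
    return None


def check_bindings(cfg):
    """Report a bound pool lying outside the real-server subnet its ACL permits
    (replies would not come back through the AX) and the page's pool limits."""
    acls, pools, bindings = cfg
    problems = []
    for acl_num, pool in bindings:
        if pool not in pools:
            problems.append(f"ACL {acl_num}: pool {pool} is not defined")
            continue
        start, end, _net = pools[pool]
        for action, _src, dst in acls.get(acl_num, []):
            if action == "permit" and not (start in dst and end in dst):
                problems.append(f"ACL {acl_num}: {pool} {start}-{end} is outside {dst}")
    if len(pools) > 100:
        problems.append(f"{len(pools)} pools exceeds the 100-pool limit")
    total = sum(int(e) - int(s) + 1 for s, e, _ in pools.values())
    if total > 500:
        problems.append(f"{total} pool addresses exceeds the 500-address limit")
    return problems
```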

When DSR is enabled, only the destination MAC address is translated, from the VIP’s MAC address to the real server’s MAC address. The destination IP address is still the VIP. The VIP address must be configured as a loopback address on the real servers.

Note: To use DSR, the AX device and the real servers must be in the same Layer 2 subnet.

Note: To configure health checking for DSR, see “Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments” on page 308. For examples of DSR configurations, see “Network Setup” on page 53.

To enable DSR on a virtual port, use either of the following methods.

USING THE GUI

1. Select Config > Service > SLB.
2. Select Virtual Server on the menu bar.
3. Select the virtual server name or click Add.
4. If you are adding a new virtual server, enter the general server settings.
5. Click Port. The Virtual Server Port tab appears.
6. Select the port and click Edit, or click Add.
7. Enter or select the port settings, if the port is new.
8. Select Enabled next to Direct Server Return.
9. Click OK.
10. Click OK again.

USING THE CLI

Enter the following CLI command at the configuration level for the virtual port:
no-dest-nat

Using IP Pool Default Gateways To Forward Traffic from Real Servers

The AX device provides an option to use the default gateway of an IP source NAT pool to forward traffic from a real server. When this option is enabled, the AX device checks the configured IP NAT pools for an IP address range that includes the server IP address (the source address of the traffic). If the address range in a pool does include the server’s IP address, and a default gateway is defined for the pool, the AX device forwards the server traffic through the pool’s default gateway.

This feature is disabled by default. To enable it, use the following command at the global configuration level of the CLI:
[no] slb snat-gwy-for-l3

IP Source NAT

Independently of SLB NAT, you can configure traditional, Layer 3 IP source NAT. IP source NAT translates internal host addresses into routable addresses before sending the host’s traffic to the Internet. When reply traffic is received, the AX device then retranslates addresses back into internal addresses before sending the reply to the client.

You can configure dynamic or static IP source NAT:
• Dynamic source IP NAT – Internal addresses are dynamically translated into external addresses from a pool.
• Static source IP NAT – Internal addresses are explicitly mapped to external addresses.

Configuration Elements for Dynamic NAT

Dynamic NAT uses the following configuration elements:
• Access Control List (ACL) – to identify the inside host addresses to be translated
• Pool – to identify a contiguous range of external addresses into which to translate inside addresses
• Optionally, pool group – to use non-contiguous address ranges. To use a non-contiguous range of addresses, you can configure separate pools, then combine them in a pool group and map the ACL to the pool group.

The addresses within an individual pool still must be contiguous, but you can have gaps between the ending address in one pool and the starting address in another pool. You also can use pools that are in different subnets. A pool group can contain up to 5 pools. A pool can be a member of multiple pool groups. Up to 50 NAT pool groups are supported. Pool group members must belong to the same protocol family (IPv4 or IPv6) and must use the same HA ID.
• Inside NAT setting on the interface connected to the inside host.
• Outside NAT setting on the interface connected to the Internet.

Inside host addresses are translated into external addresses from a pool before the host traffic is sent to the Internet.

Note: The AX device enables you to specify the default gateway for an IP source NAT pool to use, for NAT traffic that uses the pool. However, the pool’s default gateway can be used only if the data route table already has either a default route or a direct route to the destination of the NAT traffic. In this case, the pool’s default gateway will override the route. If the data route table does not have a default route or a direct route to the NAT traffic destination, the pool’s default gateway can not be used. In this case, the NAT traffic can not reach its destination.

If a pool group contains pools in different subnets, the AX selects the pool that is in the subnet for the outbound route. For example, if there are two routes to a given destination, in different subnets, and the pool group has a pool for one of those subnets, the AX device selects the pool that matches the outbound subnet. If none of the pools are in the destination subnet, the AX uses the first pool that has available addresses. The AX device searches the pools beginning with the first one added to the group, and selects the first match.

Configuration Elements for Static NAT

Static NAT uses the following configuration elements:
• Static mappings or an address range list – A static mapping is a one-to-one mapping of an inside address to an external address. An address range list is a contiguous range of inside addresses and external addresses to translate them into.
• Inside NAT setting on the interface connected to the inside host.
• Outside NAT setting on the interface connected to the Internet.

Inside host addresses are translated into external addresses from a static mapping or a range list before the host traffic is sent to the Internet.
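The pool-group selection order and the pool default-gateway rule described above, as an added Python model (not A10 code). The route-table shape, the reading of “outbound subnet” as the pool subnet that contains the route’s next hop (or the destination itself for a directly connected route), and all addresses are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Pool:
    """One `ip nat pool`: a contiguous range, its netmask and optional gateway."""
    name: str
    start: str
    end: str
    prefix: int                                 # netmask /mask-length
    gateway: str = ""                           # optional "gateway ipaddr"
    in_use: set = field(default_factory=set)    # addresses already handed out

    @property
    def subnet(self):
        return Net(f"{self.start}/{self.prefix}", strict=False)

    def free_address(self):
        """Lowest pool address not yet in use, or None when the pool is exhausted."""
        for a in range(int(Addr(self.start)), int(Addr(self.end)) + 1):
            if a not in self.in_use:
                return Addr(a)
        return None


def lookup_route(routes, dest):
    """Longest-prefix match over (network, next_hop); next_hop None means a
    directly connected route. Returns the next hop, or None if there is no route."""
    best = None
    for net, next_hop in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    return best[1] if best[1] is not None else dest   # direct route: hop is the dest


def select_pool(group, routes, dest):
    """Choose the pool for a translation toward `dest` as the page describes:
    the pool whose subnet is the outbound route's subnet (modelled as the pool
    subnet containing the next hop), otherwise the first pool, in the order
    added, that still has a free address. Returns (pool, next_hop) or (None, reason)."""
    dest = Addr(dest)
    next_hop = lookup_route(routes, dest)
    if next_hop is None:
        # Without a default or direct route the pool gateway cannot be used either.
        return None, "no route to destination; NAT traffic cannot be forwarded"
    candidates = [p for p in group if p.free_address() is not None]
    chosen = next((p for p in candidates if next_hop in p.subnet), None)
    if chosen is None and candidates:
        chosen = candidates[0]
    if chosen is None:
        return None, "every pool in the group is exhausted"
    # Once a route exists, a pool default gateway overrides the route's next hop.
    return chosen, (Addr(chosen.gateway) if chosen.gateway else next_hop)


def translate(group, routes, dest):
    """Allocate one translation: (pool name, external address, next hop),
    or (None, None, reason) when no pool can serve the destination."""
    pool, hop = select_pool(group, routes, dest)
    if pool is None:
        return None, None, hop
    ext = pool.free_address()
    pool.in_use.add(int(ext))
    return pool.name, ext, hop


# Constructed sample data: a pool group with pools in two subnets (the page
# allows up to five per group) and a data route table with a default route
# plus one directly connected subnet.
GROUP = [
    Pool("pool1", "10.10.10.100", "10.10.10.101", 24),
    Pool("pool2", "10.10.20.100", "10.10.20.101", 24, gateway="10.10.20.1"),
]
ROUTES = [
    (Net("0.0.0.0/0"), Addr("10.10.10.1")),
    (Net("10.10.20.0/24"), None),
]
```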

Configuring Dynamic IP Source NAT

To configure dynamic source NAT:
1. Configure an Access Control List (ACL) to identify the inside addresses that need to be translated.
2. Configure a pool of external addresses to use for translation. To use noncontiguous ranges of addresses, configure multiple pools and add them to a pool group.
3. Enable inside source NAT and map the ACL to the pool.
4. Enable inside NAT on the interfaces connected to the inside hosts.
5. Enable outside NAT on the interfaces connected to the Internet.

USING THE GUI

Note: In step 3, the GUI supports binding IPv4 pools to ACLs but not IPv6 pools. To bind an IPv6 pool to an ACL, use the CLI instead.

1. To configure an ACL to identify the inside addresses that need to be translated:
a. Select Config > Network > ACL.
b. Select the ACL type, Standard or Extended, on the menu bar.
c. Click Add.
d. Enter or select the values to filter.
e. Click OK. The new ACL appears in the Standard ACL table or Extended ACL table.
f. Click OK to commit the ACL change.
2. To configure a pool of external addresses to use for translation:
a. Select Config > Service > IP Source NAT.
b. Select IPv4 Pool or IPv6 Pool on the menu bar.
c. Click Add.
d. Enter a name for the pool.
e. Enter the start and end addresses.
f. Enter the network mask.
g. If the AX device is deployed in transparent mode, enter the default gateway to use for NATted traffic.

h. To use session synchronization for NAT translations, select the HA group.
i. Click OK.
3. To enable inside source NAT and map the ACL to the pool:
a. Select Config > Service > IP Source NAT.
b. Select Binding on the menu bar.
c. Click Add.
d. Select the ACL number from the ACL drop-down list.
e. Select the pool ID from the NAT Pool drop-down list.
f. Click OK. The new binding appears in the ACL section.
4. To enable inside NAT on the interfaces connected to the inside hosts:
a. Select Config > Service > IP Source NAT, if not already selected.
b. Select Interface on the menu bar.
c. Click Add.
d. Select the interface connected to the internal hosts.
e. In the Direction drop-down list, select Inside.
f. Click OK.
g. Repeat for each interface connected to the internal hosts.
5. To enable outside NAT on the interfaces connected to the Internet:
a. Select Config > Service > IP Source NAT, if not already selected.
b. Select Interface on the menu bar.
c. Click Add.
d. Select the interface connected to the Internet.
e. In the Direction drop-down list, select Outside.
f. Click OK.
g. Repeat for each interface connected to the Internet.

FIGURE 143 Configure > Network > ACL > Standard ACL

FIGURE 144 Configure > Service > IP Source NAT > IPv4 Pool

FIGURE 145 Configure > Service > IP Source NAT > Binding

FIGURE 146 Configure > Service > IP Source NAT > Interface

USING THE CLI

1. To configure an ACL to identify the inside addresses that need to be translated, use either of the following commands at the global configuration level of the CLI. Use a standard ACL to specify the host IP addresses to translate. All host addresses that are permitted by the ACL are translated before traffic is sent to the Internet. To also specify other information including destination addresses and source and destination protocol ports, use an extended ACL.

Standard ACL Syntax
access-list acl-num {permit | deny} source-ipaddr {filter-mask | /mask-length}

Extended ACL Syntax
access-list acl-num {permit | deny} {ip | icmp} {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}}

or
access-list acl-num {permit | deny} {tcp | udp} {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} [eq src-port | gt src-port | lt src-port | range start-src-port end-src-port] {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port]

2. To configure a pool of external addresses to use for translation, use one of the following commands at the global configuration level of the CLI.
To configure an IPv4 pool:
ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} [gateway ipaddr] [ha-group-id group-id]
To configure an IPv6 pool:
ipv6 nat pool pool-name start-ipv6-addr end-ipv6-addr netmask mask-length [gateway ipaddr] [ha-group-id group-id]
To configure a pool group:
ip nat pool-group pool-group-name {pool-name ...}
3. To enable inside source NAT and map the ACL to the pool, use the following command:
ip nat inside source list acl-name pool {pool-name | pool-group-name}
4. To enable inside NAT on the interfaces connected to the inside hosts, use the following commands:
interface [ethernet port-num | ve ve-num]
ip nat inside
The interface command changes the CLI to the configuration level for the interface connected to the internal hosts. These are the hosts identified by the ACL configured in step 1 and used by the commands in step 2 and step 3.
5. To enable outside NAT on the interfaces connected to the Internet, use the following commands:
interface [ethernet port-num | ve ve-num]
ip nat outside

CLI EXAMPLE

The following commands configure an ACL to specify the internal hosts to be NATted. In this example, all hosts in the 10.10.10.x subnet are to receive NAT service for traffic to the Internet.
AX(config)#access-list 1 permit 10.10.10.0 0.0.0.255

The following command configures an IPv4 pool of external addresses to use for the NAT translations. In this example, 10.10.10.x addresses will be translated into 192.168.1.1 or 192.168.1.2:
AX(config)#ip nat pool pool1 192.168.1.1 192.168.1.2 netmask /24

The following command enables inside source NAT and associates the ACL with the pool:
AX(config)#ip nat inside source list 1 pool pool1

The following commands enable inside source NAT on the interface connected to the internal hosts:
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#ip nat inside

The following commands enable outside NAT on the interface connected to the external hosts:
AX(config-if:ethernet4)#interface ethernet 6
AX(config-if:ethernet6)#ip nat outside

Configuring Static IP Source NAT

You can configure individual static source NAT mappings or configure a range of static mappings.

USING THE GUI

Note: The GUI supports configuring a static NAT range but does not support configuring individual mappings.

1. To configure the static translations of internal host addresses to external addresses:
a. Select NAT Range on the menu bar.
b. Click Add.
c. Enter a name for the range.
d. Select the address type (IPv4 or IPv6).
e. In the From fields, enter the first (lowest numbered) address and network mask in the range of inside host addresses to be translated.
f. In the To field, enter the first (lowest numbered) address and network mask in the range of external addresses into which to translate the inside host addresses.
g. In the Count field, enter the number of addresses to be translated.
h. To apply HA to the addresses, select the HA group.
i. Click OK.

After configuring the static source NAT mappings, do the following:
• Enable inside NAT on the interfaces connected to the inside hosts.
• Enable outside NAT on the interfaces connected to the Internet.

2. To enable inside NAT on the interfaces connected to the inside hosts:
a. Select Interface on the menu bar.
b. Select the interface from the Interface drop-down list.
c. Select Inside in the Direction drop-down list.
d. Click OK.
e. Repeat for each inside interface.

3. To enable outside NAT on the interfaces connected to the Internet:
a. Select Interface on the menu bar.
b. Select the interface from the Interface drop-down list.
c. Select Outside in the Direction drop-down list.
d. Click OK.
e. Repeat for each outside interface.

USING THE CLI

1. To configure the external addresses to use for translation, use one of the following commands.

To configure individual address mappings, use the following command to configure each mapping:

ip nat inside source static source-ipaddr nat-ipaddr [ha-group-id group-id]

To configure a range list to use for the mappings:

ip nat range-list list-name source-ipaddr /mask-length nat-ipaddr /mask-length count number [ha-group-id group-id]

The source-ipaddr specifies the starting address in the range of internal host addresses. The nat-ipaddr specifies the first address in the range of external addresses to use for the translations. The count option specifies how many mappings to create.

2. If you used the ip nat inside source command, enter the following command at the global configuration level of the CLI to enable static NAT support:

ip nat allow-static-host

Note: This step is not required if you use a static source NAT range list instead.

3. To enable inside NAT on the interfaces connected to the inside hosts, use the following commands:

interface [ethernet port-num | ve ve-num]
ip nat inside

The interface command changes the CLI to the configuration level for the interface connected to the internal hosts.

4. To enable outside NAT on the interfaces connected to the Internet, use the following commands:

interface [ethernet port-num | ve ve-num]
ip nat outside

CLI EXAMPLE

The following commands enable static NAT, configure an IP address range named “nat-list-1” that maps up to 100 local addresses starting from 10.10.10.97 to Internet addresses starting from 192.168.101.50, set Ethernet interface 2 as the inside NAT interface, and set Ethernet interface 4 as the outside NAT interface.

AX(config)#ip nat range-list nat-list-1 10.10.10.97 /16 192.168.101.50 /16 count 100
AX(config)#interface ethernet 2
AX(config-if:ethernet2)#ip nat inside
AX(config-if:ethernet2)#exit
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#ip nat outside

IP NAT Use in Transparent Mode in Multi-Netted Environment

If the AX device is deployed in transparent mode, the device uses NAT IP addresses to perform health monitoring on servers that are outside the IP subnet or VLAN of the AX device. If there are multiple IP addresses in the NAT pool, the AX device uses only the last IP address in the pool for the health checks. Also, the AX device only responds to control traffic (for example, management and ICMP traffic) on the last IP address in the pool.

In the following example, the AX device’s IP address is on the 172.168.10.0/24 subnet. A NAT pool has been configured to reach servers outside of that subnet/VLAN.

AX#show ip
System is running in Transparent Mode
IP address:            172.168.10.250 255.255.255.0
IP Gateway address:    172.168.10.251
SMTP Server address:   Not configured

AX#show ip nat pool
Total IP NAT Pools: 4
Pool Name   Start Address   End Address     Mask   Gateway   HA Group
---------------------------------------------------------------------------
Pool-A      173.168.10.20   173.168.10.25   /24

In this configuration, the AX device will use IP address 173.168.10.25 from the 173.168.10.0/24 subnet. The AX device will initiate health checks using the last IP address in the pool as the source IP address. In addition, the AX device will only respond to control traffic directed to 173.168.10.25.

IP NAT in HA Configurations

If you are using IP source NAT or full NAT in an HA configuration, make sure to add the NAT pool or range list to an HA group. Doing so allows a newly Active AX device to properly continue management of NAT resources following a failover.

USING THE GUI

In the GUI, you can select the HA group from the HA Group drop-down list on the following configuration tabs:
• Config > Service > IP Source NAT > IPv4 Pool
• Config > Service > IP Source NAT > IPv6 Pool
• Config > Service > IP Source NAT > NAT Range

USING THE CLI

In the CLI, the ha-group-id option is supported with the following NAT commands:

[no] ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} [gateway ipaddr] [ha-group-id group-id]

[no] ipv6 nat pool pool-name start-ipv6-addr end-ipv6-addr netmask mask-length [gateway ipaddr] [ha-group-id group-id]

[no] ip nat range-list list-name source-ipaddr /mask-length nat-ipaddr /mask-length count number [ha-group-id group-id]
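As an added example (not A10 code) for the static range-list command in the CLI example above, the following Python script expands an ip nat range-list line into its one-to-one mappings, rejects a count that runs past either /mask-length network, and flags external addresses that two range lists both claim. The command syntax is the page's; the parsing and the two checks are this example's own assumptions.

```python
"""Expand an AX-style 'ip nat range-list' command into its static mappings.

Added example, not A10 code. Only the page's command syntax is assumed:
  ip nat range-list LIST SRC /LEN NAT /LEN count N [ha-group-id G]
Inside hosts SRC, SRC+1, ... map one-to-one to NAT, NAT+1, ...; the checks
(staying inside each /LEN network, no two lists claiming one external
address) are this example's own.
"""
import ipaddress
import shlex


def parse_range_list(line):
    """Return (name, src, src_len, nat, nat_len, count) for one range-list line."""
    t = shlex.split(line)
    if t[:3] != ["ip", "nat", "range-list"] or "count" not in t:
        raise ValueError("not an 'ip nat range-list' command: %r" % line)
    name = t[3]
    src, src_len = ipaddress.ip_address(t[4]), int(t[5].lstrip("/"))
    nat, nat_len = ipaddress.ip_address(t[6]), int(t[7].lstrip("/"))
    count = int(t[t.index("count") + 1])
    if count < 1:
        raise ValueError("count must be at least 1")
    return name, src, src_len, nat, nat_len, count


def expand_range_list(line):
    """Return the (inside_host, external_addr) pairs the command creates."""
    name, src, src_len, nat, nat_len, count = parse_range_list(line)
    src_net = ipaddress.ip_network("%s/%d" % (src, src_len), strict=False)
    nat_net = ipaddress.ip_network("%s/%d" % (nat, nat_len), strict=False)
    mappings = []
    for i in range(count):
        inside, outside = src + i, nat + i
        # A count that runs past either declared network is a configuration error.
        if inside not in src_net or outside not in nat_net:
            raise ValueError("%s: mapping %d leaves its /mask-length network"
                             % (name, i + 1))
        mappings.append((str(inside), str(outside)))
    return mappings


def overlapping_externals(lines):
    """Flag external addresses that two different range lists both claim.
    Returns (external_addr, first_list, second_list) tuples."""
    owner, clashes = {}, []
    for line in lines:
        name = parse_range_list(line)[0]
        for _inside, outside in expand_range_list(line):
            if outside in owner and owner[outside] != name:
                clashes.append((outside, owner[outside], name))
            owner.setdefault(outside, name)
    return clashes


if __name__ == "__main__":
    # Constructed input: the range-list line from the static NAT CLI example.
    cmd = "ip nat range-list nat-list-1 10.10.10.97 /16 192.168.101.50 /16 count 100"
    pairs = expand_range_list(cmd)
    print(len(pairs), "mappings:", pairs[0], "...", pairs[-1])
```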


Management Security Features

In addition to basic security provided by login and enable passwords, AX Series devices support the following advanced management access security features:
• Multiple admin accounts with distinct levels of access
• Admin account lockout in response to excessive invalid passwords
• Interface-level access control for individual management access types (Telnet, SSH, and so on)
• Web access features for securing access through the GUI
• Authentication, Authorization, and Accounting (AAA) for remotely managed access security

The following sections describe these features and show how to configure them.

Note: If you have not already changed the default “admin” password and the enable password, A10 Networks recommends that you do so now, before implementing the security options described in this chapter.

Configuring Additional Admin Accounts

The AX device comes with one admin account, “admin”, by default. The “admin” account has Root privileges and cannot be deleted. When logged onto the AX device with the admin account, you can configure additional admin accounts.

For each admin account, you can configure the following settings:
• Username and password
• Privilege level (read or read-write)
• IP host or subnet address from which the admin is allowed to log on
• Account state (enabled or disabled)

Note: You cannot change the privilege level of the “admin” account or disable it.

Configuring an Admin Account

To configure an admin account, use either of the following methods.

USING THE GUI

1. Select Config > System > Admin. The Administrator tab appears.
2. Click Add.
3. Enter the name in the Name field.
4. Leave Change Administrator Password selected. Enter the password for the new admin account in the Password and Confirm Password fields. (If you do not change the password, the default is used: “a10”.)
5. From the Privilege drop-down list, select the access level:
• Super Admin – Allows access to all levels of the system. This account cannot configure other admin accounts. (Only the admin account that has Root privileges can configure other admin accounts.) This account is not the “Root” account and can be deleted.
• Read Only Admin – Allows monitoring access to the system but not configuration access. In the CLI, this account can only access the User EXEC and Privileged EXEC levels, not the configuration levels. In the GUI, this account cannot modify configuration information.
• Partition Write Admin – The admin has read-write privileges within the private partition to which the admin is assigned, and read-only privileges for the shared partition.
• Partition Read Admin – The admin has read-only privileges within the private partition to which the admin is assigned. The admin has read-only privileges for the shared partition.
6. To restrict login access by the admin to a specific host or subnet:
a. Enter the address in the Trusted Host IP Address field.
b. To restrict access to just a single host, edit the value in the Netmask field to 255.255.255.255.
c. To restrict access to a subnet, edit the value in the Netmask field to the subnet mask for the subnet.
Note: To allow access from any host, leave the Trusted Host IP Address and Netmask fields blank.

The Privilege drop-down list also offers the following level:
• Partition RS Operator – The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers and their service ports.

Note: The Partition roles apply to Role-Based Administration (RBA). For information about this feature, see “Role-Based Administration” on page 577.

7. Leave the Status enabled.
8. Click OK. The new admin appears in the Admin table.

FIGURE 147 Config > Admin > Admin

FIGURE 148 Config > Admin - new admin added

USING THE CLI

1. Log on through the CLI and access the global configuration level.
2. Enter the following command to create the new admin account:

[no] admin admin-username

This command changes the CLI to the configuration level for the new account.

3. Use the following commands to complete the configuration:

password string
trusted-host ipaddr {subnet-mask | /mask-length}
privilege priv-level [partition-name]

The password command assigns the password, which can be 1-63 characters. The default is “a10”.

The trusted-host command specifies the host or subnet from which the admin is allowed to log in. The default is 0.0.0.0 /0 (any host or subnet).

The privilege command specifies the privileges granted to the admin account:
• read – The admin can access the User EXEC and Privileged EXEC levels of the CLI only. This is the default.
• write – The admin can access all levels of the CLI but cannot configure other admin accounts.
• partition-write – The admin has read-write privileges within the private partition to which the admin is assigned, and read-only privileges for the shared partition.
• partition-read – The admin has read-only privileges within the private partition to which the admin is assigned. The admin has read-only privileges for the shared partition.
• partition-enable-disable – The admin has read-only privileges for real servers, with permission to view service port statistics and to disable or re-enable the servers and their service ports. No other read-only or read-write privileges are granted.

The partition-name specifies the name of the private partition to which the admin is assigned. This option applies only to admins that have privilege level partition-read, partition-write, or partition-enable-disable.

Note: To restrict write access to specific configuration areas, see “Configuring AAA for Admin Access” on page 521.

4. To verify the new admin account, enter the following command:

show admin

CLI EXAMPLES

The following commands add admin “adminuser2” with password “12345678” and read-write privilege:

AX(config)#admin adminuser2
AX(config-admin:adminuser2)#password 12345678
AX(config-admin:adminuser2)#privilege write
AX(config-admin:adminuser2)#show admin
UserName       Status     Privilege     Partition
-------------------------------------------------------
admin          Enabled    Root
adminuser2     Enabled    Read/Write

The following commands add admin “adminuser3” with password “abcdefgh” and read-write privilege, and restrict login access to the 10.10.10.x subnet only:

AX(config)#admin adminuser3
AX(config-admin:adminuser3)#password abcdefgh
AX(config-admin:adminuser3)#privilege write
AX(config-admin:adminuser3)#trusted-host 10.10.10.0 /24
AX(config-admin:adminuser3)#show admin
UserName       Status     Privilege     Partition
-------------------------------------------------------
admin          Enabled    Root
adminuser2     Enabled    Read/Write
adminuser3     Enabled    Read/Write

AX(config-admin:adminuser3)#show admin adminuser3 detail
User Name ................ adminuser3
Status ................... Enabled
Privilege ................ Read/Write
Partition ................
Trusted Host(Netmask) .... 10.10.10.0(255.255.255.0)
Lock Status .............. No
Lock Time ................
Unlock Time ..............
Password Type ............ Encrypted
Password ................. $1$6334ba07$CKbWL/LuSNdY12kcE.KdS0

Deleting an Admin Account

An admin with Root privileges can delete other admin accounts.

Note: To delete an admin account, you first must terminate any active sessions the admin account has open. The account is not deleted if there are any open sessions for the account.

If you need to delete an admin account:
1. Display the admin session table to determine whether the admin has any active admin sessions.
2. Clear any sessions the admin has open.
3. Delete the admin account.

USING THE GUI

1. To display the admin session table, select Monitor > System > Admin.
2. To clear an admin session, click on the checkbox next to the session to select it, then click Delete.
3. To delete the admin account:
a. Select Config > System > Admin.
b. Click on the checkbox next to the admin name.
c. Click Delete.

USING THE CLI

1. To display the admin session table, use the following command at the Privileged EXEC level or any configuration level:

show admin session

2. To clear an admin session, use the following command at the Privileged EXEC level or any configuration level:

clear admin session session-id

The session-id is the ID listed in the ID column of the show admin session output.

3. To delete the admin account, use the following command at the global configuration level:

no admin admin-username

Configuring Admin Lockout

By default, there is no limit to the number of times an incorrect password can be entered with an admin account to attempt access. You can enable the AX device to lock admin accounts for a specific period of time following a specific number of invalid passwords entered for the account. Table 12 lists the admin lockout parameters you can configure.

TABLE 12 Admin Lockout Parameters

Parameter       Description                                                               Default
Feature state   Controls whether admin accounts can be locked.                            Disabled
Threshold       Number of failed login attempts allowed for an admin account before it    5
                is locked. For an account to be locked, more failed login attempts than
                the threshold must occur within the reset time.
Reset time      Number of minutes the AX device remembers a failed login attempt.         10 minutes
Duration        Number of minutes a locked account remains locked. To keep accounts       10 minutes
                locked until you or another authorized administrator unlocks them, set
                the value to 0.

To configure admin lockout, use either of the following methods.

USING THE GUI

To enable the lockout feature:
1. Select Config > System > Admin.
2. Select Lockout Policy on the menu bar.
3. Select Enable Administrator lockout Feature.
4. Optionally, change lockout settings. (For descriptions, see Table 12 on page 513.)
5. Click OK.

To view lockout status or manually unlock a locked account:
1. Select Monitor > System > Admin.
2. Select the admin account.
3. Click Unlock.

USING THE CLI

1. Log on through the CLI and access the global configuration level.
2. Use the following command to enable admin lockout:

admin lockout enable

3. Optionally, enter the following commands to change lockout settings:

admin lockout threshold number
admin lockout duration minutes
admin lockout reset-time minutes

(For descriptions, see Table 12 on page 513.)

To view lockout status or manually unlock a locked account:
1. Log on through the CLI and access the global configuration level.
2. Enter the following command to view the lockout status of an admin account:

show admin admin-username detail

3. Enter the following command to access the configuration level for the admin account:

admin admin-username

4. Use the following command to unlock the account:

unlock

Securing Admin Access by Ethernet

By default, certain types of management access through the AX device’s Ethernet interfaces are blocked. Table 13 lists the default settings for each management service.

TABLE 13 Default Management Access

Management Service   Ethernet Management Interface   Ethernet and VE Data Interfaces
SSH                  Enabled                         Disabled
Telnet               Disabled                        Disabled
HTTP                 Enabled                         Disabled
HTTPS                Enabled                         Disabled
SNMP                 Enabled                         Disabled
Ping                 Enabled                         Enabled

You can enable or disable management access for individual access types and interfaces. You also can use an Access Control List (ACL) to permit or deny management access through the interface by specific hosts or subnets.

Notes Regarding Use of ACLs

If you use an ACL to secure management access, the action in the ACL rule that matches the management traffic’s source address is used to permit or deny access. Each ACL has an implicit deny any any rule at the end. If the management traffic’s source address does not match a permit rule in the ACL, the implicit deny any any rule is used to deny access.

On data interfaces, you can disable or enable access to specific services and also use an ACL to control access. However, for traffic that matches the permit rules in the ACL, the ACL permits access regardless of other management access settings. For example, if you disable Telnet access to a data interface but you also enable access to the interface using an ACL with permit rules, the ACL permits Telnet (and all other) access to the interface. If you want certain types of management access to be disabled on an interface, do not use a permit ACL to control management access to the interface.

To set management access through Ethernet interfaces, use either of the following methods.
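An added example, not A10 code, that evaluates AX-style standard access-list rules against a management packet's source address the way the notes above describe (the first matching rule decides, with an implicit deny any any at the end) and lists rules that an earlier, broader rule shadows. The rule syntax follows the access-list form used in the IP Source NAT examples; the wildcard-mask handling and the shadow check are this example's assumptions.

```python
"""Evaluate AX-style standard access-list rules against a management packet's
source address: the first matching rule decides, and an implicit
'deny any any' sits at the end of every ACL.

Added example, not A10 code. Rule syntax is the page's access-list form:
  access-list N {permit | deny} {any | host A.B.C.D | A.B.C.D WILDCARD | A.B.C.D /LEN}
The wildcard-mask handling and the shadowed-rule check are assumptions here.
"""
import ipaddress
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_source(tokens):
    """Turn the source part of a rule into an ip_network."""
    if tokens[0] == "any":
        return ANY
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if len(tokens) == 1 and "/" in tokens[0]:     # A.B.C.D/LEN written as one token
        return ipaddress.ip_network(tokens[0], strict=False)
    addr, mask = tokens[0], tokens[1]
    if mask.startswith("/"):
        return ipaddress.ip_network(addr + mask, strict=False)
    # Wildcard mask: set bits are "don't care", so 0.0.0.255 means /24.
    # Only contiguous wildcards are accepted.
    wild = int(ipaddress.ip_address(mask))
    host_bits = wild.bit_length()
    if wild != (1 << host_bits) - 1:
        raise ValueError("non-contiguous wildcard mask %s" % mask)
    return ipaddress.ip_network("%s/%d" % (addr, 32 - host_bits), strict=False)


def parse_acls(lines):
    """Group access-list lines by ACL number: {num: [(action, network), ...]}."""
    acls = {}
    for line in lines:
        t = shlex.split(line)
        if not t or t[0] != "access-list":
            continue                      # ignore other configuration lines
        num, action = int(t[1]), t[2]
        if action not in ("permit", "deny"):
            raise ValueError("bad action in %r" % line)
        acls.setdefault(num, []).append((action, _parse_source(t[3:])))
    return acls


def management_allowed(acls, acl_num, src_ip):
    """True if the ACL permits management traffic from src_ip."""
    src = ipaddress.ip_address(src_ip)
    for action, net in acls.get(acl_num, []):
        if src in net:
            return action == "permit"     # first match decides
    return False                          # implicit 'deny any any'


def shadowed_rules(acls, acl_num):
    """0-based indices of rules that can never match because an earlier rule's
    network already covers their whole network (a common ACL mistake)."""
    rules = acls.get(acl_num, [])
    return [i for i, (_a, net) in enumerate(rules)
            if any(net.subnet_of(prev) for _p, prev in rules[:i])]


if __name__ == "__main__":
    # Constructed configuration lines; ACL 1 follows the source NAT example above.
    config = [
        "access-list 1 permit 10.10.10.0 0.0.0.255",
        "access-list 1 deny host 10.10.10.77",   # never reached: shadowed by rule 0
        "access-list 2 permit 192.168.1.0 /24",
    ]
    acls = parse_acls(config)
    for ip in ("10.10.10.5", "10.10.10.77", "10.10.11.5"):
        print(ip, "->", "permit" if management_allowed(acls, 1, ip) else "deny")
    print("shadowed rules in ACL 1:", shadowed_rules(acls, 1))
```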

On the management interface, you can disable or enable access to specific services or control access using an ACL, but you can not do both.

USING THE GUI

To change management access settings for interfaces:
1. Select Config > System > Access Control.
2. For each interface (each row), select or de-select the checkboxes for the access types.
3. To use an ACL to control access, select the ACL from the ACL dropdown list in the row for the interface.
4. After selecting the settings for all the interfaces, click OK.

To reset the access settings to the defaults listed in Table 13, click Reset to Default.

USING THE CLI

Disabling Management Access

To disable management access, use either of the following commands at the global configuration level of the CLI:

disable-management service {all | ssh | telnet | http | https | snmp | ping} {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

or

disable-management service acl acl-num {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

In both commands, the following options specify the interfaces to protect:
• management – The out-of-band Ethernet management interface (MGMT)
• ve ve-num [to ve-num] – A VE data interface or range of VE data interfaces
• ethernet port-num [to port-num] – An Ethernet data interface or range of Ethernet data interfaces

In the first command, the following options specify the type of management access you are configuring:

• all – Disables access to all the management services listed below.
• ssh – Disables SSH access to the CLI.
• telnet – Disables Telnet access to the CLI.
• http – Disables HTTP access to the management GUI.
• https – Disables HTTPS access to the management GUI.
• snmp – Disables SNMP access to the AX device’s SNMP agent.
• ping – Disables ping replies from AX interfaces. This option does not affect the AX device’s ability to ping other devices.

In the second command, the acl acl-num option specifies an ACL. Management access from any host address that matches the ACL is either permitted or denied, depending on the action (permit or deny) used in the ACL.

Note: Disabling ping replies from being sent by the AX device does not affect the device’s ability to ping other devices.

CLI Examples:

The following command disables HTTP access to the out-of-band management interface:

AX(config)#disable-management service http management
You may lose connection by disabling the http service. Continue? [yes/no]:yes

Enabling Management Access

To enable management access, use either of the following commands at the global configuration level of the CLI:

enable-management service {all | ssh | telnet | http | https | snmp | ping} {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

or

enable-management service acl acl-num {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

The options are the same as those for the disable-management command.

CLI Example:

The following command enables Telnet access to data interface 6:

AX(config)#enable-management service telnet ethernet 6

Displaying the Current Management Access Settings

To display the management access settings that are currently in effect, enter the following command at any level of the CLI:

show management

CLI EXAMPLES

Here is an example for an AX device that has 10 Ethernet data ports. In this example, all the access settings are set to their default values.

AX#show management
        PING   SSH   Telnet   HTTP   HTTPS   SNMP   ACL
------------------------------------------------------
mgmt    on     on    off      on     on      on
1       on     off   off      off    off     off
2       on     off   off      off    off     off
3       on     off   off      off    off     off
4       on     off   off      off    off     off
5       on     off   off      off    off     off
6       on     off   off      off    off     off
7       on     off   off      off    off     off
9       on     off   off      off    off     off
10      on     off   off      off    off     off
ve1     on     off   off      off    off     off

Here is an example after entering the commands used in the configuration examples above.

AX#show management
        PING   SSH   Telnet   HTTP   HTTPS   SNMP   ACL
------------------------------------------------------
mgmt    on     on    off      off    on      on
1       on     off   off      off    off     off    1
2       on     off   off      off    off     off    1
3       on     off   off      off    off     off    1
4       on     off   off      off    off     off    1
5       on     off   off      off    off     off    1
6       on     off   on       off    off     off    1
7       on     off   off      off    off     off    1
9       on     off   off      off    off     off    1
10      on     off   off      off    off     off    1
ve1     on     off   off      off    off     off

Regaining Access if you Accidentally Block All Access

If you disable the type of access you are using on the interface you are using at the time you enter a disable-management command, your management session will end. If you accidentally lock yourself out of the device altogether (for example, if you use the all option for all interfaces), you can still access the CLI by connecting a PC to the AX device’s serial port.

Changing Web Access Settings

By default, access to the AX management GUI is enabled and is secure. A valid admin username and password are required to log in. Table 14 lists the default settings for Web access.

TABLE 14 Default Web Access Settings

Parameter       Description                                                              Default
Auto-redirect   Automatically redirects requests for the unsecured port (HTTP) to the    Enabled
                secure port (HTTPS).
HTTP server     HTTP server on the AX device.                                            Enabled
HTTP port       Protocol port number for the unsecured (HTTP) port.                      80
HTTPS server    HTTPS server on the AX device.                                           Enabled

TABLE 14 Default Web Access Settings (Continued)

Parameter       Description                                                              Default
HTTPS port      Protocol port number for the secure (HTTPS) port.                        443
Timeout         Number of minutes a Web management session can remain idle before it    10 minutes
                times out and is terminated by the AX device. Range: 0-60 minutes. To
                disable the timeout so that sessions never time out, specify 0.
aXAPI Timeout   Number of minutes an aXAPI session can remain idle before being          10 minutes
                terminated. Range: 0-60 minutes. To disable the timeout, specify 0.
                Once the aXAPI session is terminated, the session ID generated by the
                AX device for the session is no longer valid.

Note: For information about aXAPI, see the AX Series aXAPI Reference.

Note: If you disable HTTP or HTTPS access, any sessions on the management GUI are immediately terminated.

USING THE GUI

1. Select Config > System > Settings.
2. On the menu bar, select Web.
3. Edit the settings you want to change.
4. Click OK.

Note: The Preference tab sets the default IP address type (IPv4 or IPv6) for GUI configuration fields that require an IP address. The tab does not affect access to the GUI itself.

USING THE CLI

At the global configuration level of the CLI, use the following command:

[no] web-service { axapi-timeout-policy idle minutes | auto-redir | port protocol-port | secure-port protocol-port | server | secure-server | timeout-policy idle minutes }

To view Web access settings, use the following command:

show web-service

CLI EXAMPLE

The following command disables management access on HTTP and verifies the change:

AX(config)#no web-service server
AX(config)#show web-service
AX Web server:
Idle time:       10 minutes
Http port:       80
Https port:      443
Auto redirect:   Enabled
Https:           Enabled
Http:            Disabled

Configuring AAA for Admin Access

You can configure the AX device to use remote servers for Authentication, Authorization, and Accounting (AAA) for admin sessions. The AX device supports RADIUS and TACACS+ for Authentication, and TACACS+ for Authorization and Accounting.

Authentication

Authentication grants or denies access based on the credentials presented by the person who is attempting access. Authentication for management access to the AX device grants or denies access based on the admin username and password. Following successful Authentication by the AX local database or by RADIUS, the authenticated party is granted access to specific system resources by Authorization.

By default, when someone attempts to log into the AX device, the device checks its local admin database for the username and password entered by the person attempting to gain access. Without additional configuration, the authentication process stops at this point. If the admin username and password are in the local database, the person is granted access. Otherwise, they are denied.

You can configure the AX device to also use an external RADIUS or TACACS+ server for authentication. You can use TACACS+ or RADIUS for external authentication; only one external authentication method can be used. In this configuration, the AX device still checks its local database first:
• If the username and password are present in the local database, the AX device grants access.
• If the username is present but the password is wrong, the AX device denies access. If admin lockout is enabled, the counter for failed login attempts for that admin account is incremented.
• If the username is not present in the local database, and if the AX device is configured to use RADIUS or TACACS+, the AX device checks the external RADIUS or TACACS+ server for the admin name and password. If they are on the server, the admin is granted access. Otherwise, the AX device denies access.

Authorization

You can configure the AX device to use external TACACS+ servers for Authorization. For an AX admin, authorization specifies the CLI levels they can access.
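The order of checks described above, combined with the lockout policy from “Configuring Admin Lockout” (Table 12: threshold, reset time, duration, with duration 0 meaning locked until manually unlocked), modelled in one added Python example that is not A10 code. The local database, the stand-in external server, the minute-based clock, and the placement of the lock check before the password check are this example's assumptions; only the order of the local and external checks and the lockout parameters come from the guide.

```python
"""Admin login decision modelled on the order of checks described above, combined
with the lockout policy from Table 12 (threshold, reset time, duration, where
duration 0 keeps the account locked until a manual unlock).

Added example, not A10 code. Assumptions: the local database, the stand-in
external (RADIUS/TACACS+) server and the minute-based clock are constructed
here; the page only gives the order of the checks and the lockout parameters.
"""
import hashlib
import hmac
import os
from collections import deque


def _hash_pw(password, salt):
    # Salted PBKDF2 for the local database; the AX device's own storage format is
    # not documented on this page, so this is a stand-in.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LockoutPolicy:
    """Lock after MORE THAN `threshold` failures within `reset_time` minutes,
    for `duration` minutes (0 = until unlock() is called)."""

    def __init__(self, enabled=False, threshold=5, reset_time=10, duration=10):
        self.enabled, self.threshold = enabled, threshold
        self.reset_time, self.duration = reset_time, duration
        self.failures = {}     # admin -> deque of failure times (minutes)
        self.locked_at = {}    # admin -> minute at which the lock started

    def is_locked(self, admin, now):
        if admin not in self.locked_at:
            return False
        if self.duration == 0:
            return True                     # stays locked until unlock()
        if now - self.locked_at[admin] >= self.duration:
            del self.locked_at[admin]       # lock has expired
            self.failures.pop(admin, None)
            return False
        return True

    def record_failure(self, admin, now):
        if not self.enabled:
            return
        q = self.failures.setdefault(admin, deque())
        q.append(now)
        # The device "remembers" a failure only for reset_time minutes.
        while q and now - q[0] >= self.reset_time:
            q.popleft()
        if len(q) > self.threshold:
            self.locked_at[admin] = now

    def unlock(self, admin):
        """Equivalent of the CLI 'unlock' command for a locked account."""
        self.locked_at.pop(admin, None)
        self.failures.pop(admin, None)


class AdminAuth:
    def __init__(self, policy, external=None):
        self.local = {}                   # username -> (salt, hash)
        self.policy = policy
        self.external = external or {}    # stand-in for the RADIUS/TACACS+ server

    def add_local_admin(self, name, password):
        salt = os.urandom(16)
        self.local[name] = (salt, _hash_pw(password, salt))

    def authenticate(self, name, password, now):
        """Return (granted, reason), following the page's order of checks."""
        if self.policy.is_locked(name, now):      # assumed to be checked first
            return False, "locked"
        if name in self.local:
            salt, stored = self.local[name]
            if hmac.compare_digest(_hash_pw(password, salt), stored):
                return True, "local"
            # Present locally with a wrong password: deny, count the failure,
            # and do not consult the external server for this account.
            self.policy.record_failure(name, now)
            return False, "local-bad-password"
        # Not in the local database: ask the external server, if one is configured.
        if self.external and self.external.get(name) == password:
            return True, "external"
        return False, "denied"


if __name__ == "__main__":
    policy = LockoutPolicy(enabled=True, threshold=2, reset_time=10, duration=10)
    auth = AdminAuth(policy, external={"tacuser": "s3cret"})  # constructed data
    auth.add_local_admin("adminuser2", "12345678")
    for minute in (1, 2, 3):
        print(minute, auth.authenticate("adminuser2", "bad", minute))
    print(4, auth.authenticate("adminuser2", "12345678", 4))    # locked
    print(13, auth.authenticate("adminuser2", "12345678", 13))  # lock expired
```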

To configure Authorization:
• Configure the TACACS+ server to authorize or deny execution of specific commands or command groups.
• Configure the AX device to send commands to the TACACS+ server for authorization before executing those commands.

CLI Access Levels

You can use TACACS+ to authorize an admin to execute commands at one of the following CLI access levels:
• 15(admin) – This is the most extensive level of authorization. Commands at all CLI levels, including those used to configure admin accounts, are sent to TACACS+ for authorization.
• 14(config) – Commands at all CLI levels except those used to configure admin accounts are sent to TACACS+ for authorization. Commands for configuring admin accounts are automatically allowed.
• 1(priv EXEC) – Commands at the Privileged EXEC and User EXEC levels are sent to TACACS+ for authorization. Commands at other levels are automatically allowed.
• 0 (user EXEC) – Commands at the User EXEC level are sent to TACACS+ for authorization. Commands at other levels are automatically allowed.

Note: Command levels 2-13 are equivalent to command level 1.

Caution: The most secure option is 15(admin). If you select a lower option, for example, 1(priv EXEC), make sure to configure the TACACS+ server to deny any unmatched commands (commands that are not explicitly allowed by the server). Otherwise, unmatched commands, including commands at higher levels, will automatically be authorized to execute.

TACACS+ Authorization Debug Options

You can enable the following TACACS+ debug levels for troubleshooting:
• 0x1 – Common system events such as “trying to connect with TACACS+ servers” and “getting response from TACACS+ servers”. These events are recorded in the syslog.
• 0x2 – Packet fields sent out and received by the AX Series device, not including the length fields. These events are written to the terminal.

• 0x4 – Length fields of the TACACS+ packets will also be displayed on the terminal.
• 0x8 – Information about TACACS+ MD5 encryption will be sent to the syslog.

Accounting

You can configure the AX device to use external TACACS+ servers for Accounting. Accounting keeps track of user activities while the user is logged on. For AX admins, you can configure Accounting for the following:
• Login/logoff activity (start/stop accounting)
• Commands

Command Accounting

You can track attempts to execute commands at one of the following CLI access levels:
• 15(admin) – This is the most extensive level of accounting. Commands at all CLI levels, including those used to configure admin accounts, are tracked.
• 14(config) – Commands at all CLI levels except those used to configure admin accounts are tracked. Commands for configuring admin accounts are not tracked.
• 1(priv EXEC) – Commands at the Privileged EXEC and User EXEC levels are tracked. Commands at other levels are not tracked.
• 0 (user EXEC) – Commands at the User EXEC level are tracked. Commands at other levels are not tracked.

Note: Command levels 2-13 are equivalent to command level 1.

TACACS+ Accounting Debug Options

The same debug levels that are available for TACACS+ Authorization are also available for TACACS+ Accounting. (See “TACACS+ Authorization Debug Options” on page 523.)

Configuring AAA for Admin Access

To configure AAA for admin access:
1. Prepare the AAA servers:
   • On the RADIUS or TACACS+ server(s), add the AX device as a AAA client. For the client IP address, specify the AX IP address.
   • On the TACACS+ servers (if used), add admin accounts (usernames and passwords).
   • For authorization, on the TACACS+ server(s), specify the commands or command groups that are to be allowed or denied execution.
2. To use RADIUS or TACACS+ for Authentication:
   a. Add the RADIUS or TACACS+ server(s) to the AX device.
   b. Add RADIUS or TACACS+ as the authentication method to try after Local. The AX device always checks its local admin database first, then checks the RADIUS or TACACS+ server(s) if the admin account is not in the local database.
3. Configure Authorization:
   a. Add the TACACS+ server(s).
   b. Specify the command levels to be authorized by TACACS+.
4. Configure Accounting:
   a. Add the TACACS+ servers, if not already added for Authorization.
   b. Specify whether to track logon/logoff activity. You can track both logons and logoffs, logoffs only, or neither.
   c. Specify the command levels to track.

Configuring RADIUS for Authentication

USING THE GUI
1. Select Config > System > Admin.
2. On the menu bar, select External Authentication > RADIUS.
3. Select the Server checkbox to display the server configuration fields.
4. Enter the hostname or IP address of the RADIUS server in the Hostname field.

5. In the Secret and Confirm Secret fields, enter the shared secret (password) expected by the RADIUS server when it receives requests.
6. Click OK.

USING THE CLI

Note: The command syntax shown in this section is simplified to show the required or more frequently used options. For complete syntax information, see the AX Series CLI Reference.

To configure Authentication
1. Use the following command at the global configuration level of the CLI to add the RADIUS server(s):
   radius server {hostname | ipaddr} secret secret-string
   The secret-string is the shared secret (password) expected by the RADIUS server when it receives requests.
2. Use the following command to add RADIUS as an Authentication method:
   authentication type local radius
   The local option is required and must be entered before radius. The AX device always checks its local admin database first.

Configuring TACACS+ for Authentication

USING THE CLI

To add a TACACS+ server, use the following command at the global configuration level of the CLI:
[no] tacacs-server host {hostname | ipaddr} secret secret-string [port protocol-portnum] [timeout seconds]

To configure the AX device to use the external TACACS+ server(s) for admin authentication, use the following command at the global configuration level of the CLI:
[no] authentication type local tacplus

CLI Example

The following commands configure an AX device to use TACACS+ server 10.10.10.13 to authenticate admin access:
AX(config)#tacacs-server host 10.10.10.13 secret tacpwd
AX(config)#authentication type local tacplus

Configuring TACACS+ for Authorization and Accounting

USING THE CLI

Note: The command syntax shown in this section is simplified to show the required or more frequently used options. For complete syntax information, see the AX Series CLI Reference.

Note: The configuration options described in this section are available only in the CLI.

To configure Authorization
1. Use the following command at the global configuration level of the CLI to add the TACACS+ server(s):
   tacacs-server host {hostname | ipaddr} secret secret-string
2. Use the following command to specify the command levels the TACACS+ server will be used to authorize:
   authorization commands cmd-level method tacplus [none]
   The cmd-level can be one of the following: 15, 14, 1, or 0. (For descriptions, see “Authorization” on page 522.) The none option allows a command to execute if Authorization cannot be performed (for example, if all TACACS+ servers are down).
3. Optionally, to enable Authorization debugging, use the following command:
   authorization debug debug-level
   The debug-level can be one of the following: 0x1, 0x2, 0x4, or 0x8. (See “TACACS+ Authorization Debug Options” on page 523.)

To configure Accounting
1. To configure Accounting for logon/logoff activity, use the following command:
   accounting exec {start-stop | stop-only} tacplus
2. To configure accounting for command execution, use the following command:
   accounting commands cmd-level stop-only tacplus
3. Optionally, to enable Accounting debugging, use the following command:
   accounting debug debug-level

CLI EXAMPLES

The following commands configure an AX device to use RADIUS server 10.10.10.12 to authenticate admin access:
AX(config)#radius server 10.10.10.12 secret radpwd
AX(config)#authentication type local radius

The following commands configure the AX device to use TACACS+ server 10.10.10.13 to authorize commands at all CLI levels. In this example, the none option is not used. As a result, if TACACS+ authorization cannot be performed (for example, due to server unavailability), the command is denied.
AX(config)#tacacs-server host 10.10.10.13 secret SharedSecret
AX(config)#authorization commands 15 method tacplus

The following commands configure the AX device to use the same TACACS+ server for accounting of logon/logoff activity and of all command activity:
AX(config)#accounting exec start-stop tacplus
AX(config)#accounting commands 15 stop-only tacplus
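The local-first order described under Authentication above, as an added Python model that is not from the guide or from A10. The local database, the external-server stub and the lockout counter are constructed for illustration; the point it shows is that an account present locally with a wrong password is denied outright and never falls through to RADIUS or TACACS+, while an unknown username is denied immediately when no external method is configured.

```python
import hmac
from typing import Callable, Dict, Optional

# Constructed local admin database (username -> password). A real device keeps
# hashed passwords; plaintext is used here only to keep the example self-contained.
LOCAL_ADMINS: Dict[str, str] = {"admin": "a10", "audit": "r3ad0nly"}

# Constructed stand-in for the single external RADIUS or TACACS+ server.
EXTERNAL_USERS: Dict[str, str] = {"bob": "b0b"}


def external_server_stub(username: str, password: str) -> bool:
    """Hypothetical external server: accepts only the accounts it knows."""
    stored = EXTERNAL_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def check_local(username: str, password: str,
                db: Dict[str, str] = LOCAL_ADMINS) -> Optional[bool]:
    """True = match, False = account exists but wrong password, None = unknown user."""
    stored = db.get(username)
    if stored is None:
        return None
    return hmac.compare_digest(stored.encode(), password.encode())


def authenticate(username: str, password: str,
                 external: Optional[Callable[[str, str], bool]] = None,
                 lockout_enabled: bool = False,
                 failed_counts: Optional[Dict[str, int]] = None,
                 db: Dict[str, str] = LOCAL_ADMINS) -> str:
    """Local database first; the external server is asked only for unknown usernames."""
    local = check_local(username, password, db)
    if local is True:
        return "accept:local"
    if local is False:
        # Known local account, wrong password: denied here, the external server is
        # never consulted, and the failed-login counter advances if lockout is on.
        if lockout_enabled and failed_counts is not None:
            failed_counts[username] = failed_counts.get(username, 0) + 1
        return "deny:local-password"
    # Username absent from the local database.
    if external is None:
        return "deny:unknown"          # no external method: the process stops here
    return "accept:external" if external(username, password) else "deny:external"
```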

EXAMPLE INCLUDING RADIUS SERVER SETUP

This example shows the AX commands to configure an AX device to use a RADIUS server, and also shows the changes to make on the RADIUS server itself. The RADIUS server in this example is freeRADIUS. The IP address is 192.168.1.157, and the shared secret is “a10rad”.

To implement the solution, the following steps are required:
1. On the AX device:
   a. Add the RADIUS server.
   b. Enable RADIUS authentication.
2. On the freeRADIUS server:
   a. In the clients.conf file, add the AX device as a client.
   b. Add a dictionary file for vendor “a10networks”, and add the file to the dictionary.
   c. In the users file, add each AX admin as a user.

Configuration on the AX Device

Enter the following commands at the global configuration level of the CLI:
AX(config)#radius server 192.168.1.157 secret a10rad
AX(config)#authentication type local radius

Configuration on the freeRADIUS Server

Changes in clients.conf File

The AX device is added to the clients.conf file as a RADIUS client:

vi /usr/local/etc/raddb/clients.conf

client 192.168.1.0/24 {
    secret    = a10rad
    shortname = private-network-1
}

Note: In this example, the AX device’s subnet is added as the client.

Creation of dictionary.a10networks File

In the dictionary file, specify the following:
• Vendor name – “A10-Networks”
• Vendor code – 22610

After authenticating an admin, the RADIUS server must return the A10-Admin-Privilege attribute, with one of the following values:
• “Read-only-Admin” – The admin can access User EXEC and Privileged EXEC commands only. These are commands at the > and # prompts.
• “Read-write-Admin” – The admin can access User EXEC, Privileged EXEC, and configuration commands. These are commands at the >, #, (config)# and sub-config prompts.

vi /usr/local/share/freeradius/dictionary.a10networks

#
# Version: $Id: dictionary.a10networks,v 1.4 2009/05/05 11:03:56 a10user Exp $
#
# The FreeRADIUS Vendor-Specific dictionary.
#
# For a complete list of Private Enterprise Codes, see:
# http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
#

VENDOR          A10-Networks            22610

BEGIN-VENDOR    A10-Networks

ATTRIBUTE       A10-App-Name            1       String
ATTRIBUTE       A10-Admin-Privilege     2       integer

VALUE           A10-Admin-Privilege     Read-only-Admin     1
VALUE           A10-Admin-Privilege     Read-write-Admin    2

ATTRIBUTE       A10-Single-1            51      String
ATTRIBUTE       A10-Single-2            52      String
ATTRIBUTE       A10-Single-3            53      String

ATTRIBUTE       A10-Single-4            54      String
ATTRIBUTE       A10-Single-5            55      String
ATTRIBUTE       A10-Multi-1             56      String
ATTRIBUTE       A10-Multi-2             57      String
ATTRIBUTE       A10-Multi-3             58      String
ATTRIBUTE       A10-Multi-4             59      String
ATTRIBUTE       A10-Multi-5             60      String

END-VENDOR      A10-Networks

vi /usr/local/share/freeradius/dictionary

add
$INCLUDE dictionary.a10networks    #new added for a10networks

Changes in users File

vi /usr/local/etc/raddb/users

read    Auth-Type := Local, User-Password == "test"
        A10-Admin-Privilege = 1

write   Auth-Type := Local, User-Password == "test"
        A10-Admin-Privilege = 2
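To show what the users file entries above put on the wire, here is an added Python example (not part of the guide, of freeRADIUS or of A10's code) that encodes and decodes the A10-Admin-Privilege vendor-specific attribute using the RFC 2865 Vendor-Specific layout, the vendor code 22610 and the attribute numbers from dictionary.a10networks. The Access-Accept attribute list it parses is constructed; a missing attribute, a foreign vendor or a value outside the dictionary yields no privilege level rather than a default one.

```python
import struct
from typing import Iterator, Optional, Tuple

# Values taken from the dictionary.a10networks file above.
A10_VENDOR_ID = 22610
A10_ADMIN_PRIVILEGE = 2                      # vendor attribute number
PRIVILEGE_NAMES = {1: "Read-only-Admin", 2: "Read-write-Admin"}
VENDOR_SPECIFIC = 26                         # RFC 2865 Vendor-Specific attribute type
REPLY_MESSAGE = 18                           # RFC 2865 Reply-Message, used as filler


def encode_a10_admin_privilege(level: int) -> bytes:
    """Build the Vendor-Specific attribute a RADIUS server returns for A10-Admin-Privilege."""
    if level not in PRIVILEGE_NAMES:
        raise ValueError("A10-Admin-Privilege must be 1 or 2")
    # Vendor sub-attribute: vendor-type (1 byte), vendor-length (1 byte, counting
    # itself and the type byte), then the 4-byte big-endian integer value.
    sub = struct.pack("!BBI", A10_ADMIN_PRIVILEGE, 6, level)
    body = struct.pack("!I", A10_VENDOR_ID) + sub
    # Outer attribute: type 26, length (counting the type and length bytes), body.
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_tlv(data: bytes, start: int = 0) -> Iterator[Tuple[int, bytes]]:
    """Walk type/length/value triples whose length field covers its own 2 header bytes."""
    i = start
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def a10_admin_privilege(attrs: bytes) -> Optional[str]:
    """Privilege name carried in an Access-Accept attribute list, or None if absent/unknown."""
    found = None
    for attr_type, value in iter_tlv(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != A10_VENDOR_ID:
            continue                         # some other vendor's VSA: ignore it
        for vendor_type, vendor_value in iter_tlv(value, 4):
            if vendor_type == A10_ADMIN_PRIVILEGE and len(vendor_value) == 4:
                # An integer outside the dictionary maps to None (fail closed).
                found = PRIVILEGE_NAMES.get(struct.unpack("!I", vendor_value)[0])
    return found


# Constructed Access-Accept attribute list: a Reply-Message followed by the VSA
# the users file returns for the "read" account (A10-Admin-Privilege = 1).
SAMPLE_ACCEPT_ATTRS = (
    struct.pack("!BB", REPLY_MESSAGE, 2 + len(b"welcome")) + b"welcome"
    + encode_a10_admin_privilege(1)
)
```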


Traffic Security Features

AX Series devices support the following advanced security features:
• DDoS protection
• SYN Cookies
• ICMP rate limiting
• Source-IP based connection rate limiting
• Access Control Lists (ACLs)
• Policy-based SLB (PBSLB)

The following sections describe these features and show how to configure them.

DDoS Protection

AX Series devices provide enhanced protection against distributed denial-of-service (DDoS) attacks, with IP anomaly filters. The IP anomaly filters drop packets that contain common signatures of DDoS attacks. DDoS detection applies only to Layer 3, Layer 4, and Layer 7 traffic. Layer 2 traffic is not affected by the feature.

Note: On AX models AX 3200, AX 3100, and AX 2200, DDoS protection is hardware-based. On models AX 2100 and AX 2000, DDoS protection is software-based.

You can enable the following DDoS filters:
• Frag – Drops all IP fragments, which can be used to attack hosts running IP stacks that have known vulnerabilities in their fragment reassembly code
• IP-option – Drops all packets that contain any IP options
• Land-attack – Drops spoofed SYN packets containing the same IP address as the source and destination, which can be used to launch an “IP land attack”
• Ping-of-death – Drops all jumbo IP packets, known as “ping of death” packets

• TCP-no-flag – Drops all TCP packets that do not have any TCP flags set
• TCP-SYN-FIN – Drops all TCP packets in which both the SYN and FIN flags are set
• TCP-SYN-frag – Drops incomplete (fragmented) TCP Syn packets, which can be used to launch TCP Syn flood attacks

Note: On the AX 2000 and AX 2100, the ping-of-death option drops all IP packets longer than 32000 bytes. On other models, the option drops IP packets longer than 65535 bytes.

Enabling DDoS Protection

To enable DDoS protection, use either of the following methods.

USING THE GUI
1. Select Config > Service > SLB.
2. On the menu bar, select Global > DDoS Protection.
3. Select each type of DDoS protection filter to enable. To enable all of them, select Drop All.
4. Click OK.

USING THE CLI

Use the following command at the global Config level of the CLI:
ip anomaly-drop {drop-all | frag | ip-option | land-attack | ping-of-death | tcp-no-flag | tcp-syn-fin | tcp-syn-frag}

You can enable the options individually or specify drop-all to enable all the options. As an example, the following command enables DDoS protection against ping-of-death attacks:
AX(config)#ip anomaly-drop ping-of-death
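An added Python example, not the device's own code, that classifies constructed packets against the seven ip anomaly-drop filters described above, including the model-dependent ping-of-death threshold from the Note. The Packet fields, the model-name strings and the sample traffic are assumptions made for illustration; the filter names are those of the CLI command.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Ping-of-death threshold per model, from the Note above: AX 2000/2100 drop IP
# packets longer than 32000 bytes, all other models longer than 65535 bytes.
POD_LIMIT_BY_MODEL = {"AX 2000": 32000, "AX 2100": 32000}
POD_LIMIT_DEFAULT = 65535

ALL_FILTERS = frozenset({"frag", "ip-option", "land-attack", "ping-of-death",
                         "tcp-no-flag", "tcp-syn-fin", "tcp-syn-frag"})


@dataclass(frozen=True)
class Packet:
    """Constructed, minimal view of the header fields the filters look at."""
    src: str
    dst: str
    ip_len: int                        # total IP length in bytes
    proto: str                         # "tcp", "udp", "icmp", ...
    fragment: bool = False             # MF set or non-zero fragment offset
    ip_options: bool = False           # IP header carries any option
    tcp_flags: FrozenSet[str] = frozenset()


def matched_filters(pkt: Packet, model: str = "AX 3200") -> List[str]:
    """Names of the anomaly filters this packet would trigger, if enabled."""
    hits = []
    if pkt.fragment:
        hits.append("frag")                       # every IP fragment
    if pkt.ip_options:
        hits.append("ip-option")
    if pkt.ip_len > POD_LIMIT_BY_MODEL.get(model, POD_LIMIT_DEFAULT):
        hits.append("ping-of-death")
    if pkt.proto == "tcp":
        syn = "SYN" in pkt.tcp_flags
        if syn and pkt.src == pkt.dst:
            hits.append("land-attack")            # SYN with source == destination
        if not pkt.tcp_flags:
            hits.append("tcp-no-flag")
        if syn and "FIN" in pkt.tcp_flags:
            hits.append("tcp-syn-fin")
        if syn and pkt.fragment:
            hits.append("tcp-syn-frag")           # fragmented, incomplete SYN
    return hits


def should_drop(pkt: Packet, enabled: FrozenSet[str], model: str = "AX 3200") -> bool:
    """Apply only the enabled filters; "drop-all" stands for every filter."""
    active = ALL_FILTERS if "drop-all" in enabled else enabled & ALL_FILTERS
    return any(name in active for name in matched_filters(pkt, model))


# Constructed sample traffic (addresses and sizes are illustrative).
SAMPLES = {
    "normal-syn": Packet("10.0.0.5", "10.0.0.80", 60, "tcp", tcp_flags=frozenset({"SYN"})),
    "land":       Packet("10.0.0.80", "10.0.0.80", 60, "tcp", tcp_flags=frozenset({"SYN"})),
    "syn-fin":    Packet("10.0.0.5", "10.0.0.80", 60, "tcp", tcp_flags=frozenset({"SYN", "FIN"})),
    "null-scan":  Packet("10.0.0.5", "10.0.0.80", 60, "tcp"),
    "syn-frag":   Packet("10.0.0.5", "10.0.0.80", 60, "tcp", fragment=True,
                         tcp_flags=frozenset({"SYN"})),
    "jumbo-ping": Packet("10.0.0.5", "10.0.0.80", 40000, "icmp"),
    "options":    Packet("10.0.0.5", "10.0.0.80", 84, "udp", ip_options=True),
}
```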

SYN Cookies

AX Series devices provide enhanced protection against TCP SYN flood attacks. SYN cookies enable the AX device to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to consume system resources.

The AX device supports SYN cookies for Layer 4-7 SLB traffic and for Layer 2/3 traffic.
• Layer 4-7 SYN cookies protect against TCP SYN flood attacks directed at SLB service ports.
• Layer 2/3 SYN cookies protect against TCP SYN flood attacks attempted in traffic passing through the AX device.

The Service Provided By SYN Cookies

SYN cookies enable the AX to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to consume system resources. During a TCP SYN flood attack, an attacker sends a large series of TCP SYN Requests but does not acknowledge the SYN ACKs that the AX sends in reply. Normally, these half-completed connections can eventually cause the AX device's TCP connection queue to become full, which prevents the AX from establishing new connections for legitimate clients.

When SYN cookies are enabled, the feature prevents the AX device’s TCP connection queue from filling up during TCP SYN flood attacks. With SYN cookies, the AX replies to each SYN Request with a SYN cookie, which is a special type of SYN ACK, and does not leave a connection in the queue. If the SYN Request is from a legitimate client, the client sends an ACK in response to the SYN cookie. Instead of leaving a half-completed TCP connection in the queue, the AX reconstructs the client’s connection information based on information in the SYN ACK, and establishes a connection for the client. However, if the SYN Request is part of an attack, the attacker does not send an ACK, and the AX therefore does not establish a connection.

Dynamic SYN Cookies

You can configure the on and off thresholds for SYN cookie use by the AX device. The benefit of this feature is that when there is no TCP SYN attack, TCP options are preserved.

You can configure the following dynamic SYN cookie options:
• On-threshold – specifies the maximum number of concurrent half-open TCP connections allowed on the AX device, before SYN cookies are enabled. When the feature is enabled, the AX device enables SYN cookies if the number of half-open TCP connections exceeds the on-threshold. You can specify 0-2147483647 half-open connections.
• Off-threshold – option specifies the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. If the number of half-open TCP connections falls below this level, SYN cookies are disabled. You can specify 0-2147483647 half-open connections.

Note: It may take up to 10 milliseconds for the AX device to detect and respond to crossover of either threshold.

There are no default settings for the on and off thresholds. If you omit the on-threshold and off-threshold options, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the AX device.

Hardware-Based or Software-Based

Depending on the AX model, you can use hardware-based SYN cookies or software-based SYN cookies:
• Hardware-based SYN cookies can be globally enabled and apply to all virtual server ports configured on the device. Hardware-based SYN cookies are available on the AX 3200, AX 3100, and AX 2200. Hardware-based SYN cookies are disabled by default.
• Software-based SYN cookies can be enabled on individual virtual ports. This version of the feature is available on all AX models.

Note: Hardware-based SYN cookies are a faster, easier-to-configure alternative to the software-based SYN cookie feature available on all AX platforms. If your AX model supports hardware-based SYN cookies, A10 Networks recommends that you use the hardware-based version of the feature instead of the software-based version of the feature. If both hardware-based and software-based SYN cookies are enabled, only hardware-based SYN cookies are used. You can leave software-based SYN cookies enabled but they are not used.

Note: If the target VIP is in a different subnet from the client-side router, use of hardware-based SYN cookies requires some additional configuration. See “Configuration when Target VIP and Client-side Router Are in Different Subnets” on page 537.

2.: D-030-01-00-0006 . USING THE CLI To enable hardware-based SYN cookies. In the On Threshold field. In the Off Threshold field. USING THE GUI 1. select Global > Settings. use of hardware-based SYN cookies requires some additional configuration: • On the AX device. before SYN cookies are enabled. 5. Select Enabled next to SYN Cookie. the target VIP in an SLB configuration is in the same subnet as the client-side router. enter the maximum number of concurrent half-open TCP connections allowed on the AX device.Configuration Guide SYN Cookies Enabling Hardware-Based SYN Cookies To enable hardware-based SYN cookies. 6. if the target VIP is in a different subnet from the client-side router. Click OK. configure a “dummy” VIP that is in the same subnet as the client-side router. 2.0. However. 4. P e r f o r m a n c e D e s i g n Document No. • On the client-side router. using the dummy VIP as the next hop. enter the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled.AX Series . 3.2 11/11/2009 b y 537 of 702 . use the following command at the global Config level of the CLI: [no] syn-cookie [on-threshold num off-threshold num] The command in the following example configures dynamic SYN cookies when the number of concurrent half-open TCP connections exceeds 50000. use following CLI method. Select Config > Service > SLB. and disables SYN cookies when the number falls below 30000: AX(config)#syn-cookie on-threshold 50000 off-threshold 30000 Configuration when Target VIP and Client-side Router Are in Different Subnets Usually. configure a static route to the VIP.Ver. On the menu bar.

Figure 149 shows an example.

FIGURE 149 Hardware-based SYN Cookies – Target VIP and Client-side Router in Different Subnets

The following commands configure hardware-based SYN cookies on the AX device in this example:
AX(config)#slb virtual-server dummyvip 10.10.10.154
AX(config-slb virtual server)#exit
AX(config)#syn-cookie

Note: If HA is configured, add both the target VIP and the dummy VIP to the same HA group, so they will fail over to the HA peer as a unit.

Enabling Software-Based SYN Cookies

If you are using an AX model that does not support hardware-based SYN cookies, you can still enable the software-based version of the feature, for individual virtual ports.

USING THE GUI
1. Select Config > Service > Server.
2. Select Virtual Server on the menu bar.
3. Click on an existing virtual server name or click Add.
4. Enter or edit the information on the General tab.
5. On the Port tab, select the TCP port and click Edit, or click Add.
6. If you are configuring a new port, select TCP in the Type drop-down list.
7. Select Enabled next to SYN Cookie.
8. Enter or edit other values as needed for your configuration.
9. Click OK.
10. Click OK again to save the new or changed virtual server.

USING THE CLI

To enable software-based SYN cookies, use the following command at the configuration level for the virtual port on the virtual server:
syn-cookie [sack]

For information about the sack feature, see the AX Series CLI Reference.

Configuring Layer 2/3 SYN Cookie Support

To configure Layer 2/3 SYN cookie support:
1. Enable Layer 2/3 SYN cookies on individual interfaces.
2. Optionally, modify the threshold for TCP handshake completion.

USING THE CLI
1. To enable Layer 2/3 SYN cookies on an interface, use the following command at the configuration level for the interface:
   [no] ip tcp syn-cookie
   The feature is disabled by default.

2. Optionally, to modify the threshold for TCP handshake completion, use the following command at the global configuration level of the CLI:
   [no] ip tcp syn-cookie threshold seconds
   You can specify 1-100 seconds. The default is 4 seconds.

CLI Example

The following commands globally enable SYN cookie support, then enable Layer 2/3 SYN cookies on Ethernet interfaces 4 and 5:
AX(config)#syn-cookie on-threshold 50000 off-threshold 30000
AX(config)#interface ethernet 4
AX(config-if: ethernet4)#ip tcp syn-cookie
AX(config-if: ethernet4)#interface ethernet 5
AX(config-if: ethernet5)#ip tcp syn-cookie

ICMP Rate Limiting

ICMP rate limiting protects the AX device against denial-of-service (DoS) attacks such as Smurf attacks, which consist of floods of spoofed broadcast ping messages. ICMP rate limiting monitors the rate of ICMP traffic and drops ICMP packets when the configured thresholds are exceeded.

You can configure ICMP rate limiting filters globally, on individual Ethernet interfaces, and in virtual server templates. If you configure ICMP rate limiting filters at more than one of these levels, all filters are applicable.

ICMP Rate Limiting Parameters

ICMP rate limiting filters consist of the following parameters:
• Normal rate – The ICMP normal rate is the maximum number of ICMP packets allowed per second. If the AX device receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins. The normal rate can be 1-65535 packets per second.
• Maximum rate – The ICMP maximum rate is the maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second.

• Lockup time – The lockup time is the number of seconds for which the AX device drops all ICMP traffic, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

Note: The maximum rate must be larger than the normal rate. Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.

USING THE GUI

To globally configure ICMP rate limiting:
1. Select Config > Network > ICMP Rate Limiting.
2. Select the ICMP Rate Limiting checkbox to activate the configuration fields.
3. Enter the normal rate in the Normal Rate field.
4. Enter the maximum rate in the Lockup Rate field.
5. Enter the lockup time in the Lockup Period field.
6. Click OK.

To configure ICMP rate limiting on an individual Ethernet interface:
1. Select Config > Network > Interface.
2. Click on the interface name to display the configuration tabs for it.
3. Select Config > Network > ICMP Rate Limiting.
4. Select the ICMP Rate Limiting checkbox to activate the configuration fields.
5. Enter the normal rate in the Normal Rate field.
6. Enter the maximum rate in the Lockup Rate field.
7. Enter the lockup time in the Lockup Period field.
8. Click OK.

To configure ICMP rate limiting in a virtual server template:
1. Select Config > Service > SLB.
2. On the menu bar, select Template > Virtual Server.
3. To create a new template, click Add. To edit an existing template, click on the template name. The Virtual Server tab appears.
4. Select the ICMP Rate Limit Status checkbox to enable the configuration fields.
5. Enter the normal rate in the Normal Rate field.
6. To configure the lockup time, click Lockup Status.
7. Enter the maximum rate in the Lockup Rate field.
8. Enter the lockup time in the Lockup Period field.
9. Click OK.

USING THE CLI

To configure an ICMP rate-limiting filter, use the following command. You can enter this command at the global configuration level, the configuration level for a physical or virtual Ethernet interface, or the configuration level for a virtual server template.
[no] icmp-rate-limit normal-rate lockup max-rate lockup-time

For descriptions of the parameters, see “ICMP Rate Limiting Parameters” on page 540.

To display ICMP rate limiting information, use the following commands:
show icmp
show interfaces
show slb virtual-server server-name detail

CLI Example

The following commands configure a virtual server template that sets ICMP rate limiting:
AX(config)#slb template virtual-server vip-tmplt
AX(config-vserver)#icmp-rate-limit 25000 lock 30000 60
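An added Python model, not A10's implementation, of one icmp-rate-limit filter with the normal rate, maximum rate and lockup time semantics given under ICMP Rate Limiting Parameters, replayed over a constructed Smurf-style burst. The per-second bucketing, the packet timings and the verdict labels are assumptions; the validation mirrors the ranges and the "maximum rate must be larger than the normal rate" rule from the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IcmpRateLimiter:
    """Model of: icmp-rate-limit normal-rate [lockup max-rate lockup-time].

    normal_rate: ICMP packets allowed per one-second interval (1-65535).
    max_rate:    packets per second at which ICMP is locked up (1-65535), or None.
    lockup_time: seconds for which all ICMP is dropped after lockup (1-16383), or None.
    """
    normal_rate: int
    max_rate: Optional[int] = None
    lockup_time: Optional[int] = None

    def __post_init__(self) -> None:
        if not 1 <= self.normal_rate <= 65535:
            raise ValueError("normal rate must be 1-65535 packets per second")
        if (self.max_rate is None) != (self.lockup_time is None):
            raise ValueError("lockup needs both a maximum rate and a lockup time")
        if self.max_rate is not None:
            if not 1 <= self.max_rate <= 65535 or not 1 <= self.lockup_time <= 16383:
                raise ValueError("maximum rate 1-65535, lockup time 1-16383")
            if self.max_rate <= self.normal_rate:
                raise ValueError("maximum rate must be larger than the normal rate")
        self._interval: Optional[int] = None   # one-second interval being counted
        self._seen = 0                          # ICMP packets received in that interval
        self._locked_until = 0.0                # lockup expiry time (0 = not locked)

    def offer(self, t: float) -> str:
        """Feed one ICMP packet arriving at time t (seconds) and return the verdict."""
        if t < self._locked_until:
            return "drop:lockup"                # everything is dropped until expiry
        interval = int(t)
        if interval != self._interval:
            self._interval, self._seen = interval, 0   # next one-second interval
        self._seen += 1
        if self.max_rate is not None and self._seen > self.max_rate:
            self._locked_until = t + self.lockup_time  # maximum rate exceeded: lock up
            return "drop:lockup"
        if self._seen > self.normal_rate:
            return "drop:excess"                # over the normal rate this second
        return "accept"


def replay(limiter: IcmpRateLimiter, arrivals: List[float]) -> Tuple[int, int, int]:
    """Return (accepted, dropped as excess, dropped during lockup) for an arrival list."""
    counts = {"accept": 0, "drop:excess": 0, "drop:lockup": 0}
    for t in arrivals:
        counts[limiter.offer(t)] += 1
    return counts["accept"], counts["drop:excess"], counts["drop:lockup"]


# Constructed arrivals: 25 pings inside the first second (a flood), then one
# ping per second for the next 70 seconds.
FLOOD = [0.01 * i for i in range(25)] + [float(s) for s in range(1, 71)]
```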

Source-IP Based Connection Rate Limiting

Source-IP based connection rate limiting protects the system from excessive connection requests from individual clients. A client is conforming to the rate limit if the number of new connection requests within the limit period does not exceed the connection limit.

This feature can be enabled on a global basis. The feature applies only to SLB virtual ports.

Parameters

Source-IP based connection rate limiting is configured using the following parameters:
• Connection limit – Maximum number of connection requests allowed from a client, within the limit period. The connection limit can be 1-1000000. There is no default.
• Limit period – Interval to which the connection limit is applied. The limit period can be one of the following:
  • 100 milliseconds (one tenth of a second)
  • 1000 milliseconds (one second)
• Scope – Specifies whether the connection limit applies separately to each virtual port, or is applied as an aggregate to all virtual ports. By default, the connection limit applies separately to each individual virtual port. (See “Deployment Considerations” on page 544 for more information.)
• Exceed actions – Actions to take when the connection limit is exceeded. All connection requests in excess of the connection limit that are received from a client within the limit period are dropped. This action is enabled by default when you enable the feature, and can not be disabled. You can enable one or both of the following additional exceed actions:
  • Logging – Generates a log message when a client exceeds the connection limit.
  • Lockout – Locks out the client for a specified number of seconds. During the lockout period, all connection requests from the client are dropped. The lockout period can be 1-3600 seconds (1 hour).
  By default, logging and lockout are both disabled.

Log Messages

The AX device generates two log messages per offending client, per client activity. The first message is generated the first time a client exceeds the connection limit. The message indicates the source (client) address and the destination address of the session. If lockout is configured, the message also indicates that the client is locked out.

The second message is generated after the client activity for that period. This message indicates the number of times the client exceeded the connection limit. If lockout is enabled, the message also indicates the number of requests that were dropped during lockout.

Message Examples – No Lockout Configured

Here is an example of the pair of log messages generated by this feature for an offending client, if lockout is not configured.

Mar 05 2009 14:34:57 Notice [AX]: UDP 53.1.1.81 > 51.1.1.2:53 Source IP Connection rate limit dropped this packet
Mar 05 2009 14:55:59 Notice [AX]: UDP 53.1.1.81 > 51.1.1.2:53 Source IP exceeded Connection rate limit in all (8654 times)

In this example, the session is between client 53.1.1.82 and destination 51.1.1.2:53. During this period of activity, 8654 of the requests from the client were sent after a connection limit had been exceeded, and were dropped.

Message Examples – With Lockout Configured

Here is an example of how the messages look if lockout is configured.

Mar 05 2009 14:37:00 Notice [AX]: UDP 51.1.1.82 > 51.1.1.2:53 Source IP Connection rate limit dropped this packet (locked out)
Mar 05 2009 14:37:00 Notice [AX]: UDP 51.1.1.82 > 51.1.1.2:53 Source IP exceeded Connection rate limit in all (897 times, 2342 times in lockout)

In this example, the session is between the same client and destination as the previous example. During this period of activity, 897 of the requests from the client were sent after a connection limit had been exceeded, and were dropped. An additional 2342 requests were dropped because they were received during the lockout.

Deployment Considerations

The AX device internally uses a session to keep track of user activity. Currently, the AX device has a capacity of up to 16 million sessions. Up to 8 million of these sessions are available for tracking user activity.
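An added Python model, not A10's code, of source-IP based connection rate limiting as described under Parameters (limit period, per-port versus shared scope, and the log and lock-out exceed actions), which also emits the two messages in the format shown under Log Messages, minus the timestamp and "Notice [AX]:" prefix. The request timings, addresses and virtual-port names are constructed; how the device buckets time is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SourceIpConnRateLimiter:
    """Model of: slb conn-rate-limit src-ip conn-limit per {100 | 1000} [shared]
    [exceed-action [log] [lock-out lockout-period]] (time handling is an assumption)."""
    conn_limit: int                    # 1-1000000 requests per limit period
    period_ms: int = 1000              # limit period: 100 or 1000 milliseconds
    shared: bool = False               # True = one limit across all virtual ports
    log: bool = False                  # exceed-action log
    lockout_s: Optional[int] = None    # exceed-action lock-out, 1-3600 seconds

    def __post_init__(self) -> None:
        if not 1 <= self.conn_limit <= 1000000:
            raise ValueError("conn-limit must be 1-1000000")
        if self.period_ms not in (100, 1000):
            raise ValueError("limit period must be 100 or 1000 milliseconds")
        if self.lockout_s is not None and not 1 <= self.lockout_s <= 3600:
            raise ValueError("lockout period must be 1-3600 seconds")
        self._window: Dict[tuple, Tuple[int, int]] = {}  # key -> (period index, count)
        self._locked: Dict[str, float] = {}              # client -> lockout expiry time
        self.exceeded: Dict[str, int] = {}               # client -> drops over the limit
        self.in_lockout: Dict[str, int] = {}             # client -> drops during lockout
        self.logs: List[str] = []

    def request(self, t: float, client: str, vport: str, dst: str) -> str:
        """One new connection request at time t (seconds) from client to a virtual port."""
        if client in self._locked:
            if t < self._locked[client]:
                self.in_lockout[client] = self.in_lockout.get(client, 0) + 1
                return "drop:lockout"           # everything is dropped while locked out
            del self._locked[client]            # the lockout period has expired
        # Counted per client and per virtual port, or per client only when shared.
        key = (client,) if self.shared else (client, vport)
        period = int(t * 1000) // self.period_ms
        idx, count = self._window.get(key, (period, 0))
        if idx != period:
            count = 0                           # a new limit period restarts the count
        count += 1
        self._window[key] = (period, count)
        if count <= self.conn_limit:
            return "accept"
        # Over the limit: always dropped, then the optional exceed actions.
        first_time = client not in self.exceeded
        self.exceeded[client] = self.exceeded.get(client, 0) + 1
        if self.lockout_s is not None:
            self._locked[client] = t + self.lockout_s
        if self.log and first_time:
            suffix = " (locked out)" if self.lockout_s is not None else ""
            self.logs.append(f"UDP {client} > {dst} Source IP Connection rate "
                             f"limit dropped this packet{suffix}")
        return "drop:limit"

    def summary(self, client: str, dst: str) -> Optional[str]:
        """The second log message for the client's period of activity, or None."""
        if client not in self.exceeded:
            return None
        extra = ""
        if self.lockout_s is not None:
            extra = f", {self.in_lockout.get(client, 0)} times in lockout"
        return (f"UDP {client} > {dst} Source IP exceeded Connection rate limit "
                f"in all ({self.exceeded[client]} times{extra})")


# Constructed replay: a DNS client bursting past a limit of 3 per second, with
# logging and a 3-second lockout configured.
SAMPLE_CLIENT, SAMPLE_DST = "53.1.1.81", "51.1.1.2:53"
SAMPLE_TIMES = [0.0, 0.1, 0.2, 0.3, 0.4, 2.0, 3.5]


def run_sample() -> Tuple[List[str], List[str], Optional[str]]:
    limiter = SourceIpConnRateLimiter(3, period_ms=1000, log=True, lockout_s=3)
    verdicts = [limiter.request(t, SAMPLE_CLIENT, "dns-vport", SAMPLE_DST)
                for t in SAMPLE_TIMES]
    return verdicts, limiter.logs, limiter.summary(SAMPLE_CLIENT, SAMPLE_DST)
```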

Source-IP Based Connection Rate Limiting

Depending on client profile and activity, as well as the number of virtual ports configured on the device, you might need to use the shared option to apply the connection limit to all virtual ports together, instead of to each individual port. The default is to apply the connection limit to each individual virtual port, which uses proportionally more sessions than the shared option.

Recommendations for DNS Load Balancing

If you plan to use this feature with DNS load balancing, A10 Networks recommends the following:

• Increase the maximum number of Layer 4 sessions. To increase the maximum number of Layer 4 sessions the system can have, use the following command at the global configuration level of the CLI:

system resource-usage l4-session-count num

The num option specifies the number of Layer 4 sessions.

• Use a short UDP aging time. To set a short UDP aging time, use the following command at the configuration level for the UDP template to which you plan to bind the DNS virtual port(s):

aging short [seconds]

The seconds option specifies the number of seconds to wait before terminating a UDP session after a request is received and sent out to the server. If you omit the seconds option, sessions are terminated after the SLB maximum session life (MSL) time expires. (The MSL timer is a globally configurable SLB option. For more information, see the AX Series CLI Reference or AX Series GUI Reference.)

Recommendation for Logging

If you plan to enable logging for this feature, A10 Networks recommends using an external log server. Log traffic can be heavy during an attack.

Configuration

Note: The current release does not support configuration or monitoring of this feature using the GUI.

To configure source-IP based connection rate limiting, use the following command at the global configuration level of the CLI:

slb conn-rate-limit src-ip conn-limit per {100 | 1000} [shared] [exceed-action [log] [lock-out lockout-period]]

Performance by Design. Document No.: D-030-01-00-0006 Ver. 2.0.2 11/11/2009. Page 545 of 702
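Before the option-by-option description, here is the behaviour of this command modelled as an added Python example. It is not A10 code and does not describe the AX's internal implementation: it assumes a fixed-window counter per limit period, that requests over the limit within a period are dropped, and a caller-supplied clock in milliseconds so it runs offline; the client addresses and virtual ports in it are made up. It reproduces the first two CLI examples of this section and contrasts the default per-port accounting with the shared option.

```python
"""Offline model of ``slb conn-rate-limit src-ip`` (added example, not A10
code). Assumptions not stated in the guide: the limit is a fixed-window
count per limit period, requests over the limit within a period are dropped,
and the caller supplies the clock in milliseconds so the model runs offline.
"""


class SrcIpRateLimiter:
    """slb conn-rate-limit src-ip conn-limit per {100 | 1000} [shared]
    [exceed-action [log] [lock-out lockout-period]]"""

    def __init__(self, conn_limit, per_ms, shared=False, log=False, lockout_s=0):
        if not (1 <= conn_limit <= 1000000 and per_ms in (100, 1000)
                and 0 <= lockout_s <= 3600):
            raise ValueError("value outside the ranges given in the command syntax")
        self.conn_limit, self.per_ms, self.shared = conn_limit, per_ms, shared
        self.log, self.lockout_s = log, lockout_s
        self.window = {}        # counter key -> (period start in ms, requests seen)
        self.locked_until = {}  # client ip -> ms at which its lockout ends
        self.logs = []
        self.stats = {"threshold exceeded": 0, "lockout drops": 0}

    def _key(self, src_ip, vport):
        # shared: one counter per client across all virtual ports (fewer
        # sessions); default: one counter per client per virtual port
        return (src_ip, None) if self.shared else (src_ip, vport)

    def admit(self, now_ms, src_ip, vport):
        """True if the connection request is accepted, False if it is dropped."""
        if self.locked_until.get(src_ip, 0) > now_ms:
            self.stats["lockout drops"] += 1
            return False
        key = self._key(src_ip, vport)
        start, seen = self.window.get(key, (now_ms, 0))
        if now_ms - start >= self.per_ms:          # a new limit period begins
            start, seen = now_ms, 0
        seen += 1
        self.window[key] = (start, seen)
        if seen <= self.conn_limit:
            return True
        self.stats["threshold exceeded"] += 1       # the exceed actions apply
        if self.log:
            self.logs.append(f"{src_ip} > vport {vport}: "
                             "Source IP exceeded connection rate limit")
        if self.lockout_s:
            self.locked_until[src_ip] = now_ms + self.lockout_s * 1000
        return False


def cli_example_1():
    """1000 per second, per virtual port, lock-out 3 s, no logging."""
    rl = SrcIpRateLimiter(1000, 1000, lockout_s=3)
    accepted = sum(rl.admit(0, "10.1.1.5", 80) for _ in range(1001))
    other_port = rl.admit(500, "10.1.1.5", 443)    # lockout is per client, not per port
    released = rl.admit(3000, "10.1.1.5", 443)     # 3 s later the client is admitted again
    return accepted, other_port, released, rl.stats["lockout drops"]


def cli_example_2():
    """2000 per 100 ms shared across ports, log only: no lockout, so the
    client is admitted again as soon as the next limit period starts."""
    rl = SrcIpRateLimiter(2000, 100, shared=True, log=True)
    web = sum(rl.admit(10, "10.1.1.6", 80) for _ in range(1500))
    dns = sum(rl.admit(20, "10.1.1.6", 53) for _ in range(501))   # the 2001st overall
    next_period = rl.admit(110, "10.1.1.6", 80)
    return web, dns, len(rl.logs), next_period


def per_port_contrast():
    """The same traffic as cli_example_2 without 'shared': each virtual port
    has its own counter, so neither port reaches the limit."""
    rl = SrcIpRateLimiter(2000, 100, log=True)
    sum(rl.admit(10, "10.1.1.6", 80) for _ in range(1500))
    return sum(rl.admit(20, "10.1.1.6", 53) for _ in range(501)), len(rl.logs)


if __name__ == "__main__":
    print(cli_example_1(), cli_example_2(), per_port_contrast())
```

The per-port contrast is the point of the shared option: without it, a client that spreads its requests across several virtual ports stays under every individual limit while consuming proportionally more sessions, which is why the guide recommends shared when many virtual ports are configured.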

The conn-limit option specifies the connection limit and can be 1-1000000.

The per {100 | 1000} option specifies the limit period, either 100 milliseconds or 1000 milliseconds.

The shared option specifies that the connection limit applies in aggregate to all virtual ports. If you omit this option, the limit applies separately to each virtual port.

The exceed-action options enable optional exceed actions:

• The log option enables logging.
• The lock-out lockout-period option enables lockout. The lockout period can be 1-3600 seconds (1 hour).

To display statistics for this feature, use the following command:

show slb conn-rate-limit src-ip statistics

To clear statistics for this feature, use the following command:

clear slb conn-rate-limit src-ip statistics

Configuration Examples

CLI Example 1

The following command allows up to 1000 connection requests per one-second interval from any individual client. The limit applies separately to each individual virtual port. If a client sends more than 1000 requests within a given limit period, the client is locked out for 3 seconds. Logging is not enabled.

AX(config)#slb conn-rate-limit src-ip 1000 per 1000 exceed-action lock-out 3

CLI Example 2

The following command allows up to 2000 connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Logging is enabled but lockout is not enabled.

AX(config)#slb conn-rate-limit src-ip 2000 per 100 shared exceed-action log

CLI Example 3

The following command allows up to 2000 connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Logging is enabled and lockout is enabled. If a client sends a total of more than 2000 requests within a given limit period to one or more virtual ports, the client is locked out for 3 seconds.

AX(config)#slb conn-rate-limit src-ip 2000 per 100 shared exceed-action log lock-out 3

Statistics

The following commands display statistics for this feature, then reset the counters to 0 and verify that they have been reset:

AX(config)#show slb conn-rate-limit src-ip statistics
Threshold check count          1022000
Threshold exceeded count       1001408
Honor threshold count          20532
Lockout drops                  60
Log messages sent              20532
DNS requests re-transmitted    1000
No DNS response for request    1021000
AX(config)#clear slb conn-rate-limit src-ip statistics
AX(config)#show slb conn-rate-limit src-ip statistics
Threshold check count          0
Threshold exceeded count       0
Honor threshold count          0
Lockout drops                  0
Log messages sent              0
DNS requests re-transmitted    0
No DNS response for request    0

Access Control Lists (ACLs)

You can use Access Control Lists (ACLs) to permit or deny packets based on address and protocol information in the packets. AX devices support the following types of ACLs:

• Standard – Standard ACLs filter based on source IP address.
• Extended – Extended ACLs filter based on source and destination IP addresses, IP protocol, and TCP/UDP port numbers.

How ACLs Are Used

You can use ACLs for the following tasks:

• Permit or block through traffic.
• Permit or block management access.
• Specify the internal host or subnet addresses to which to provide Network Address Translation (NAT).

Access lists do not take effect until you apply them:

• To permit or block through traffic on an interface, apply the ACL to the interface. (See “Applying an ACL to an Interface” on page 558.)
• To permit or block through traffic on a virtual server port, apply the ACL to the virtual port. (See “Applying an ACL to a Virtual Server Port” on page 559.)
• To permit or block management access, use the ACL with the enable-management command. (See “Securing Admin Access by Ethernet” on page 515.)
• To specify the internal host or subnet addresses to which to provide NAT, use the ACL when configuring the pool. (See “Network Address Translation” on page 483.)

An ACL can contain multiple rules. Each rule contains a single permit or deny statement. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL. Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the first rule, downward). The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic.

Configuring Standard IPv4 ACLs

To configure a standard IPv4 ACL, use either of the following methods.

USING THE GUI

1. Select Config > Network > ACL.
2. Select Standard on the menu bar.
3. Click Add.
4. Enter or select the values to filter. (For descriptions, see the CLI syntax below.)
5. Click OK. The new ACL appears in the Standard ACL table.
6. Click OK to commit the change.

USING THE CLI

To configure a standard ACL, use the following command:

access-list acl-num [seq-num] {permit | deny | remark string} {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} [log]

The acl-num specifies the ACL number, from 1-99.

The seq-num option specifies the sequence number of this rule in the ACL. (See “Resequencing ACL Rules” on page 561.)

The remark option adds a remark to the ACL. (For more information, see “Adding a Remark to an ACL” on page 558.)

The deny | permit option specifies the action to perform on traffic that matches the ACL:

• deny – Drops the traffic.
• permit – Allows the traffic.

The source address to match on is specified by one of the following:

• any – The ACL matches on all source IP addresses.
• host host-src-ipaddr – The ACL matches only on the specified host IP address.

• net-src-ipaddr {filter-mask | /mask-length} – The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:
  • Use 0 for the parts of the address that must match.
  • Use 255 for the parts of the address to ignore.
  For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
  Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.

The log option configures the AX device to generate log messages when traffic matches the ACL. This option is disabled by default. When ACL logging is enabled, the AX device writes the log messages to the local logging buffer. If you configure an external log server, the AX device also sends the messages to the server. For more information, see “Log Rate Limiting” on page 39.

Note: If you plan to use an external log server, the server must be attached to an AX data port in order for ACL logging messages to reach the server. They will not reach the server if the server is attached to the AX management port.

CLI EXAMPLE

The following commands configure a standard ACL to deny traffic sent from subnet 10.10.10.x, and apply the ACL to inbound traffic received on Ethernet interface 4:

AX(config)#access-list 1 deny 10.10.10.0 0.0.0.255
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#access-list 1 in

Because every ACL ends with an implicit deny any rule (see “Resequencing ACL Rules” on page 561), an ACL that contains only this deny rule also drops all other inbound traffic on the interface. Add a permit rule for the traffic that should still pass before applying the ACL.

Configuring Extended IPv4 ACLs

To configure an extended IPv4 ACL, use either of the following methods.

USING THE GUI

1. Select Config > Network > ACL.
2. Select Extended on the menu bar.
3. Click Add.
4. Enter or select the values to filter. (For descriptions, see the CLI syntax below.)
5. Click OK. The new ACL appears in the Extended ACL table.
6. Click OK to commit the change.

USING THE CLI

To configure an extended ACL, use the following commands.

Syntax for Filtering on Source and Destination IP Addresses

[no] access-list acl-num [seq-num] {permit | deny | remark string} ip {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [log]

The acl-num specifies the ACL number, from 100-199.

The seq-num option specifies the sequence number of this rule in the ACL. (See “Resequencing ACL Rules” on page 561.)

The deny | permit option specifies the action to perform on traffic that matches the ACL:

• deny – Drops the traffic.
• permit – Allows the traffic.

The remark option adds a remark to the ACL. (For more information, see “Adding a Remark to an ACL” on page 558.)

The source address to match on is specified by one of the following:

• any – The ACL matches on all source IP addresses.
• host host-src-ipaddr – The ACL matches only on the specified host IP address.
• net-src-ipaddr {filter-mask | /mask-length} – The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:
  • Use 0 for the parts of the address that must match.
  • Use 255 for the parts of the address to ignore.
  For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
  Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.

The options for specifying the destination address are the same as those for specifying the source address.

The log option enables the AX device to generate log messages when traffic matches the ACL. This option is disabled by default. When ACL logging is enabled, the AX device writes the log messages to the local logging buffer. If you configure an external log server, the AX device also sends the messages to the server. For more information, see “Log Rate Limiting” on page 39.

Note: If you plan to use an external log server, the server must be attached to an AX data port in order for ACL logging messages to reach the server. They will not reach the server if the server is attached to the AX management port.

Syntax for Filtering on ICMP Traffic

[no] access-list acl-num [seq-num] {permit | deny | remark string} icmp [type icmp-type [code icmp-code]] {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [log]

The type and code options enable you to filter on ICMP traffic. The type type-option option matches based on the specified ICMP type. Enter the type name or the type number (for example, dest-unreachable or 3). The type-option can be one of the following:

• any-type – Matches on any ICMP type.
• dest-unreachable | 3 – Type 3, destination unreachable
• echo-reply | 0 – Type 0, echo reply
• echo-request | 8 – Type 8, echo request
• info-reply | 16 – Type 16, information reply
• info-request | 15 – Type 15, information request
• mask-reply | 18 – Type 18, address mask reply
• mask-request | 17 – Type 17, address mask request
• parameter-problem | 12 – Type 12, parameter problem
• redirect | 5 – Type 5, redirect message
• source-quench | 4 – Type 4, source quench
• time-exceeded | 11 – Type 11, time exceeded
• timestamp | 13 – Type 13, timestamp
• timestamp-reply | 14 – Type 14, timestamp reply
• type-num – ICMP type number, 0-254

The code code-num option matches based on the specified ICMP code, 0-254. To match on a specific ICMP code, specify the code. To match on any ICMP code, specify any-code.

Syntax for Filtering on Source and Destination IP Addresses and on TCP or UDP Protocol Port Numbers

[no] access-list acl-num [seq-num] {permit | deny | remark string} {tcp | udp} {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} [eq src-port | gt src-port | lt src-port | range start-src-port end-src-port] {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port] [log]

The tcp and udp options enable you to filter on protocol port numbers. Use one of the following options to specify the source port(s) on which to filter:

• eq src-port – The ACL matches on traffic from the specified source port.
• gt src-port – The ACL matches on traffic from any source port with a higher number than the specified port.
• lt src-port – The ACL matches on traffic from any source port with a lower number than the specified port.
• range start-src-port end-src-port – The ACL matches on traffic from any source port within the specified range.

The same options can be used to specify the destination port(s) on which to filter.

CLI EXAMPLE

The following commands configure an extended IPv4 ACL to deny TCP traffic sent from subnet 10.10.10.x to 10.10.20.5:80, and apply the ACL to inbound traffic received on Ethernet interface 7:

AX(config)#access-list 100 deny tcp 10.10.10.0 0.0.0.255 10.10.20.5 /32 eq 80
AX(config)#interface ethernet 7
AX(config-if:ethernet7)#access-list 100 in

Configuring Extended IPv6 ACLs

To configure an extended IPv6 ACL, use the following CLI method.

Note: The GUI does not support configuration of IPv6 ACLs in the current release.

USING THE CLI

To configure an IPv6 ACL, use the following commands:

[no] ipv6 access-list acl-id

Enter this command at the global configuration level of the CLI. The acl-id can be a string up to 16 characters long. This command changes the CLI to the configuration level for the ACL, where the following ACL-related commands are available.

The permit | deny Command

This command specifies the action to take for traffic that matches the ACL, specifies the source and destination addresses upon which to perform the action, and optionally, enables logging.

[no] [seq-num] {permit | deny} {ipv6 | icmp} {any | host host-src-ipv6addr | net-src-ipv6addr /mask-length} {any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length} [log]

or

[no] {permit | deny} {tcp | udp} {any | host host-src-ipv6addr | net-src-ipv6addr /mask-length} [eq src-port | gt src-port | lt src-port | range start-src-port end-src-port] {any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length} [eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port] [log]

Parameter – Description

seq-num – Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL.

deny | permit – Action to take for traffic that matches the ACL:
  • deny – Drops the traffic.
  • permit – Allows the traffic.

ipv6 | icmp – Filters on IPv6 or ICMP packets.

tcp | udp – Filters on TCP or UDP packets. The tcp and udp options enable you to filter on protocol port numbers.

any | host host-src-ipv6addr | net-src-ipv6addr /mask-length – Source IP address(es) to filter:
  • any – The ACL matches on all source IP addresses.
  • host host-src-ipv6addr – The ACL matches only on the specified host IPv6 address.
  • net-src-ipv6addr /mask-length – The ACL matches on any host in the specified subnet. The mask-length specifies the portion of the address to filter.

eq src-port | gt src-port | lt src-port | range start-src-port end-src-port – For tcp or udp, the source protocol ports to filter:
  • eq src-port – The ACL matches on traffic from the specified source port.
  • gt src-port – The ACL matches on traffic from any source port with a higher number than the specified port.
  • lt src-port – The ACL matches on traffic from any source port with a lower number than the specified port.
  • range start-src-port end-src-port – The ACL matches on traffic from any source port within the specified range.

any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length – Destination IP address(es) to filter.

eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port – For tcp or udp, the destination protocol ports to filter.

log – Configures the AX device to generate log messages when traffic matches the ACL.

The remark Command

The remark command adds a remark to the ACL. Here is the syntax:

[no] remark string

The string can be 1-63 characters. To use blank spaces in the remark, enclose the entire remark string in double quotes. The remark appears at the top of the ACL when you display it in the CLI.

AX Series .1. Click OK.1.: D-030-01-00-0006 . 558 of 702 P e r f o r m a n c e b y D e s i g n Document No.42 AX(config)#access-list 42 deny 192. USING THE GUI To apply an ACL to an Ethernet port: 1.168. The remark appears at the top of the ACL when you display it in the CLI.168.0 /24 AX(config)#access-list 42 remark "The meaning of life" AX(config)#show access-list ipv4 42 Access List 42 "The meaning of life" access-list 42 10 permit host 192. Here is a CLI example: AX(config)#access-list 42 permit host 192.1.168. The ACL must already exist before you can configure a remark for it.2 11/11/2009 .168. Select LAN on the menu bar. select the ACL from the Access List field.42 access-list 42 20 deny 192. Click on the port number. On the IPv4 tab.0.0.1. above the first rule. use either of the following methods. 5. the remark appears at the top of the ACL. as shown in the example. 2.255 Hits: 0 Hits: 0 As shown in this example.0 0.Configuration Guide Access Control Lists (ACLs) Adding a Remark to an ACL You can add a remark to an ACL. To use blank spaces in the remark. Applying an ACL to an Interface To apply a configured ACL to an interface.0. 2. or next to the ACL in the ACL tables displayed in the GUI. 4. enclose the entire remark string in double quotes. 3.Ver. Select Config > Network > Interface.

To apply an ACL to a Virtual Ethernet (VE) interface:

1. Select Config > Network > Interface.
2. Select Virtual on the menu bar.
3. Click on the VE name.
4. Select IPv4 to display the IPv4 tab.
5. Select the ACL from the Access List field.
6. Click OK.

USING THE CLI

Access the configuration level for the interface and use the following command:

access-list acl-num in

The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on Ethernet interface 4:

AX(config)#access-list 1 deny 10.10.10.0 0.0.0.255
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#access-list 1 in

Applying an ACL to a Virtual Server Port

You can apply an ACL to a virtual server port. An ACL applied to a virtual server port permits or denies traffic just as an ACL applied to a physical port or Virtual Ethernet (VE) interface does. To apply a configured ACL to a virtual server port, use either of the following methods.

USING THE GUI

1. Select Config > Service > SLB.
2. Select Virtual Server on the menu bar.
3. Click Add or click on the name of a configured virtual server.

4. Enter or change information on the General tab, if you are configuring a new virtual server.
5. On the Port tab, click Add or select a port and click Edit.
6. On the Virtual Server Port tab, select the ACL from the Access List drop-down list.
7. Click OK.
8. Click OK again to return to the virtual server table.

USING THE CLI

To apply an ACL to a virtual port in the CLI, use the following command at the configuration level for the virtual port:

access-list acl-id

The acl-id specifies the ACL number.

Using an ACL to Control Management Access

To use an ACL to control management access, see “Securing Admin Access by Ethernet” on page 515.

Using an ACL for NAT

To use an ACL for NAT, configure the ACL, then use either of the following methods to bind the ACL to a NAT pool.

USING THE GUI

To bind an ACL to an IP source NAT pool:

1. Select Config > Service > IP Source NAT.
2. Select Binding on the menu bar.
3. Select the pool ID from the NAT Pool drop-down list.
4. Select the ACL number from the ACL drop-down list.

5. Click Add. The new binding appears in the ACL section.
6. Click OK.

USING THE CLI

To use a configured ACL in an IPv4 NAT pool, use the following command:

[no] ip nat inside source {list acl-name {pool pool-name | pool-group pool-group-name} | static local-ipaddr global-ipaddr}

The list acl-name option specifies the ACL.

Resequencing ACL Rules

An ACL can contain multiple rules. Each access-list command configures one rule. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL. Rules are applied to the traffic in the order they appear in the ACL (from the top rule, which is the first, downward). The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic.

Each ACL has an implicit deny any rule at the end of the ACL. This rule is applied to any traffic that does not match any of the configured rules in the ACL. The deny any rule at the end of the ACL is not displayed and cannot be removed.

When you create an ACL rule, the AX device assigns a sequence number to the rule and places the rule at the bottom of the ACL. The first rule has sequence number 10, and each rule after that has a sequence number that is higher by 10. You can resequence the rules in an ACL. Here is an example:

AX(config)#access-list 86 permit host 10.10.10.12
AX(config)#access-list 86 deny 10.10.10.0 /24
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log            Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log          Hits: 0

In this example, two rules are configured for ACL 86. The default sequence numbers are used.

The intent of this ACL is to deny all access from the 10.10.10.x subnet, except for access from specific host addresses. In this example, the permit rule for the host appears before the deny rule for the subnet the host is in, so the host will be permitted.

However, suppose another permit rule is added for another host in the same subnet:

AX(config)#access-list 86 permit host 10.10.10.13
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log            Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log          Hits: 0
access-list 86 30 permit host 10.10.10.13 log            Hits: 0

By default, since no sequence number was specified when the rule was configured, the rule is placed at the end of the ACL. Because the deny rule comes before the new permit rule, host 10.10.10.13 will never be permitted.

To resequence the ACL to work as intended, either the deny rule or the second permit rule can be resequenced to appear in the right place. To change the sequence number of an ACL rule, delete the rule, then re-add it with the sequence number. In this example, rule 30 is deleted, then re-added with sequence number 11, sequenced to come before the deny rule:

AX(config)#no access-list 86 30
AX(config)#access-list 86 11 permit host 10.10.10.13 log
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log            Hits: 0
access-list 86 11 permit host 10.10.10.13 log            Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log          Hits: 0

The ACL will now work as intended, and permit hosts 10.10.10.12 and 10.10.10.13 while denying all other hosts in the 10.10.10.x subnet. Alternatively, the deny rule can be deleted, then re-added; with no sequence number specified, it is placed at the end of the ACL, after both permit rules.

To permit another host, another rule can be added with a sequence number below the deny rule:

AX(config)#access-list 86 12 permit host 10.10.10.14 log
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log            Hits: 0
access-list 86 11 permit host 10.10.10.13 log            Hits: 0
access-list 86 12 permit host 10.10.10.14 log            Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log          Hits: 0
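The first-match evaluation, default sequence numbers, implicit deny any and resequencing described in this section, together with the address and port matching of the standard and extended ACL syntax earlier in the chapter, modelled as an added Python example. This is not A10 code and not the AX's own parser: it assumes rule text in the CLI forms shown, contiguous filter masks, and does not model hit counters; the packets it evaluates are made up. The second walkthrough also shows what the implicit deny means for the extended example on Ethernet interface 7: with only the deny rule, every other inbound packet is dropped until a permit rule is added.

```python
"""Offline model of how the AX applies IPv4 ACL rules (added example, not A10
code): sequence numbers in steps of 10, first match wins, an implicit deny
any at the end, and resequencing by deleting a rule and re-adding it with an
explicit sequence number. Assumptions: rules use the CLI forms shown in this
chapter, filter masks are contiguous, and hit counters are not modelled."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tok):
    """Consume one address spec: any | host A | A filter-mask | A /mask-length."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[1].startswith("/"):
        return ipaddress.ip_network(tok[0] + tok[1], strict=False), tok[2:]
    # filter-mask: 0 bits must match, 255 bits are ignored, i.e. the complement
    # of a netmask (ipaddress rejects a non-contiguous mask with ValueError)
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{netmask}", strict=False), tok[2:]


def _ports(tok):
    """Consume an optional eq | gt | lt | range spec; return (predicate, rest)."""
    ops = {"eq": lambda p, a, b: p == a, "gt": lambda p, a, b: p > a,
           "lt": lambda p, a, b: p < a, "range": lambda p, a, b: a <= p <= b}
    if tok and tok[0] in ops:
        n = 3 if tok[0] == "range" else 2
        op, a, b = ops[tok[0]], int(tok[1]), int(tok[n - 1])
        return (lambda p: op(p, a, b)), tok[n:]
    return (lambda p: True), tok


class Acl:
    def __init__(self, num):
        self.num, self.rules = num, {}        # sequence number -> rule

    def add(self, line):
        """access-list N [seq] {permit|deny} [ip|tcp|udp] src [ports] [dst [ports]] [log]"""
        tok = line.split()
        if tok[0] != "access-list" or int(tok[1]) != self.num:
            raise ValueError(f"not a rule for access-list {self.num}: {line}")
        tok = tok[2:]
        seq = int(tok[0]) if tok[0].isdigit() else max(self.rules, default=0) + 10
        if tok[0].isdigit():                  # explicit number; default is bottom, +10
            tok = tok[1:]
        action, proto, tok = tok[0], None, tok[1:]
        if tok[0] in ("ip", "tcp", "udp"):    # extended ACL; a standard ACL has no protocol
            proto, tok = tok[0], tok[1:]
        src, tok = _addr(tok)
        sport, tok = _ports(tok) if proto in ("tcp", "udp") else ((lambda p: True), tok)
        dst, tok = _addr(tok) if proto else (ANY, tok)
        dport, tok = _ports(tok) if proto in ("tcp", "udp") else ((lambda p: True), tok)
        self.rules[seq] = dict(action=action, proto=proto, src=src, dst=dst,
                               sport=sport, dport=dport, log=bool(tok and tok[0] == "log"))
        return seq

    def delete(self, seq):
        """no access-list N seq"""
        del self.rules[seq]

    def evaluate(self, src, dst, proto="tcp", sport=0, dport=0):
        """First match in sequence order decides; otherwise the implicit deny any."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for seq in sorted(self.rules):
            r = self.rules[seq]
            if (r["proto"] in (None, "ip", proto) and s in r["src"] and d in r["dst"]
                    and r["sport"](sport) and r["dport"](dport)):
                return r["action"], seq
        return "deny", None


def resequence_walkthrough():
    """ACL 86 from the text: the permit added after the subnet deny lands at
    sequence 30 and never matches until it is re-added as sequence 11."""
    acl = Acl(86)
    acl.add("access-list 86 permit host 10.10.10.12")
    acl.add("access-list 86 deny 10.10.10.0 /24")
    acl.add("access-list 86 permit host 10.10.10.13")        # becomes seq 30
    before = acl.evaluate("10.10.10.13", "10.1.1.1")
    acl.delete(30)
    acl.add("access-list 86 11 permit host 10.10.10.13 log")
    after = acl.evaluate("10.10.10.13", "10.1.1.1")
    other = acl.evaluate("10.10.10.99", "10.1.1.1")           # still denied by seq 20
    return before, after, other, sorted(acl.rules)


def extended_walkthrough():
    """ACL 100 from the extended example. With only the deny rule the implicit
    deny drops everything else; permit ip any any lets the rest through."""
    acl = Acl(100)
    acl.add("access-list 100 deny tcp 10.10.10.0 0.0.0.255 10.10.20.5 /32 eq 80")
    only_deny = acl.evaluate("10.10.10.7", "10.10.20.5", "tcp", 40000, 443)
    acl.add("access-list 100 permit ip any any")
    return (only_deny,
            acl.evaluate("10.10.10.7", "10.10.20.5", "tcp", 40000, 80),
            acl.evaluate("10.10.10.7", "10.10.20.5", "tcp", 40000, 443),
            acl.evaluate("10.10.10.7", "10.10.20.5", "udp", 53, 80))
```

The returned sequence number is what a `show access-list` hit counter would attribute the decision to; a `None` means the packet fell through to the implicit deny, which the AX never displays.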

USING THE GUI

Each row in the Standard ACL and Extended ACL tables is a separate ACL rule. You can configure multiple rules in the same ACL, with the same ACL number. In this case, they still appear as separate rows. The AX device applies the ACL rules in the order they are listed, starting at the top of the table. The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic.

If you need to re-order the ACL rules, you can do so by clicking the up or down arrows at the ends of the rows containing the ACL rules. Click OK to commit the changes.

USING THE CLI

See the description above.

Policy-Based SLB (PBSLB)

AX Series devices allow you to “black list” or “white list” individual clients or client subnets. Client IP lists (black/white lists) are configured on an external device, then imported into the AX. Based on actions you specify on the AX device, the AX will allow (white list) or drop (black list) traffic from specific client hosts or subnets in the list. For traffic that is allowed, you can specify the service group to use. You also can specify the action to perform (drop or reset) on new connections that exceed the configured connection threshold for the client address. For example, you can configure the AX to respond to DDoS attacks from a client by dropping excessive connection attempts from the client.

A black/white list can contain up to 8 million individual host addresses and up to 32,000 subnet addresses.

Note: IPv6 addresses are not supported in black/white lists.

For each address in a black/white list, you can set values for the following options:

• Group ID – A number from 1 to 31 in a black/white list that identifies a group of IP host or subnet addresses contained in the list. In a PBSLB policy template on the AX device, you can map the group to one of the following actions:
  • Drop the traffic
  • Reset the connection
  • Send the traffic to a specific service group
• Connection limit – The total number of concurrent connections between the client address and the virtual port. By default, there is no connection limit. If you set it, the valid range is from 1 to 32767. On the AX, you can specify whether to reset or drop new connections that exceed this limit.
• Comment – A text string that provides administrators information within the list file.

Configuring a Black/White List

You can configure black/white lists in either of the following ways:

• Remote option – Use a text editor on a PC, then import the list onto the AX device.
• Local option – Enter the black/white list directly into a management GUI window.

With either method, the syntax is the same. Add a row for each IP address (host or subnet), using the following syntax:

ipaddr [/network-mask] [service-group-id] [#conn-limit] [,comment-string]

The ipaddr is the host or subnet address of the client.

The network-mask is optional. The default is 32, which means the address is a host address.

The service-group-id (group ID) is a number from 1 to 31 that identifies a group of host or subnet IP addresses in the list. The default group ID is 0, which means no group is assigned.

The #conn-limit specifies the maximum number of concurrent connections allowed from the client. The # is required only if you do not specify a group ID.

Note: The conn-limit is a coarse limit. For example, if you specify 100, the AX device limits the total connections to exactly 100. However, if you specify 1000, the device limits the connections to not exceed 992. The larger the number you specify, the coarser the limit will be.

If the number in the file is larger than the supported maximum (32767), the parser will use the longest set of digits in the number you enter that makes a valid value. For example, if the file contains 32768, the parser will use 3276 as the value. As another example, if the file contains 111111, the parser will use 11111 as the value. Check the imported values, because a limit that was meant to be large can silently become a much smaller one.

The ,comment-string is a comment. Everything to the right of the comma is ignored by the AX device when it parses the file.

Here is an example black/white list:

10.10.10.3 4, 4 is the drop group
10.10.10.0/24 4, blocking the entire 10.10.10.x subnet
192.168.2.1/32 #20, 20 concurrent connections max, any group ok
192.168.2.69 2 20, assign to service group 2, and allow 20 max

The first row assigns a specific host to group 4. In this example, the drop action will be assigned to this group, thus black listing the client. The second row black lists an entire subnet, by assigning it to the same group (4). The third row sets the maximum number of concurrent connections for a specific host to 20. The fourth row assigns a specific host to group 2 and specifies a maximum of 20 concurrent connections.

Note: The AX device allows up to three parser errors when reading the file. However, after the third parser error, the device stops reading the file, so rows after that point are not imported.

Configuring Policy-Based SLB on the AX Device

You can configure PBSLB parameters on virtual ports by configuring the settings directly on individual ports, or by configuring a PBSLB policy template and binding the template to individual virtual ports.

To configure PBSLB:

1. Configure a black/white list, either remotely or on the AX device itself.
2. If you configure the list remotely, import the list onto the AX device. Optionally, modify the sync interval for the list. The AX regularly synchronizes with the list to make sure the AX version is current.

3. Configure PBSLB settings. You can configure the following settings directly on individual virtual ports, or configure a policy template and bind the template to virtual ports:
  • Specify the black/white list.
  • Map each group ID used in the list to one of the following actions:
    • Send the traffic to a specific service group.
    • Drop the traffic.
    • Reset the traffic.
  • Optionally, change the action (drop or reset) the AX will perform on connections that exceed the limit specified in the list.
  • Optionally, change client address matching from source IP matching to destination IP matching.

USING THE GUI

To configure PBSLB settings using a policy template:

Note: These steps assume that the real servers, service groups, and virtual servers have already been configured, if needed for your configuration.

1. Select Config > Service > Template.
2. On the menu bar, select Application > Policy.
3. Click Add.
4. In the Name field, enter a name for the template.
5. From the drop-down list below the Name field, select the black/white list, or click “create” to create or import one. If you clicked “create”, the PBSLB tab appears.
6. Enter or select the following information in the fields of the PBSLB tab:
  • Name that will be used for the imported black/white list.
  • Location of the black/white list (Local or Remote).
  a. To create the list using a text entry field in the GUI, click Local. The Definition field appears.
  b. Copy-and-paste or type the black/white list.

c. To import a list from a remote server, select Remote.
d. Enter values for the following parameters:
• File transfer protocol to use.
• IP address or hostname of the device where the list is located.
• Path and filename of the list on the remote device.
• Interval at which the AX device re-imports the list. This option ensures that changes to the list are automatically replicated on the AX device.
e. Click OK. The Policy tab reappears.
7. Optionally, to match destination traffic against the black/white list, instead of source traffic, select Use Destination IP.
8. Select the action to take when traffic exceeds the limit: Drop or Reset. (The connection limit is set in the black/white list.)
• Drop – Drops new connections until the number of concurrent connections on the virtual port falls below the port’s connection limit.
• Reset – Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.
9. To configure group options:
a. Select the group from the Group ID drop-down list.
b. Select one of the following from the Action drop-down list.
• service group name – Each of the service groups configured on the AX device is listed.
• create – This option displays the configuration tabs for creating a new service group.
c. Optionally, enable logging. Logging generates messages to indicate that traffic matched the group ID. To change the logging interval, edit the number in the Period field.
d. Optionally, to generate log messages only when there is a failed attempt to reach a service group, select Log Failures only.

Note: If the Use default server selection when preferred method fails option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the Use default server selection when preferred method fails option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.

e. Click Add. The group settings appear in the PBSLB list.
Repeat the steps above for each group.

10. Click OK. The new policy appears in the PBSLB policy list.

FIGURE 150 PBSLB Policy tab

11. To bind the PBSLB policy template to a virtual port:
a. Select Config > Service > SLB.
b. On the menu bar, select Virtual Server.
c. Click on the virtual server name or click Add to create a new one.
d. On the Port tab, click Add, or select a virtual port and click Edit.
e. On the Virtual Server Port tab, select the PBSLB template from the Policy Template drop-down list.
f. Click OK.
g. Click OK again.
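The black/white list format described under step 1 above, worked through as an added example that is not part of the guide or A10's own code: a Python parser that applies the row layout, the comment rule, the longest-valid-digits rule for numbers above 32767 and the three-parser-error cutoff, then resolves a client address against the loaded rows. The comment delimiter, the meaning of a "#limit" row and the longest-prefix lookup are assumptions, marked in the code.

```python
"""Parser for the black/white list format described in this chapter (added example,
not A10 code). The comment delimiter, the "#limit" row and the lookup are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_CONN_LIMIT = 32767               # supported maximum connection limit (from the guide)
MAX_PARSER_ERRORS = 3                # the device stops reading after the third parser error
GROUP_ID_MIN, GROUP_ID_MAX = 1, 31   # group ID range given for the pbslb id command
COMMENT_CHAR = ";"                   # ASSUMPTION: delimiter shown in the example list


@dataclass
class Entry:
    network: object                  # ip_network object; host rows become /32
    group_id: Optional[int]          # None for a "#limit" row (no group assignment)
    conn_limit: Optional[int]        # None when the row sets no limit


def longest_valid_number(token: str) -> int:
    """Guide rule: a number above 32767 is read as the longest leading run of digits
    that is still a valid value (32768 -> 3276, 111111 -> 11111)."""
    if not token.isdigit():
        raise ValueError(f"not a number: {token!r}")
    while int(token) > MAX_CONN_LIMIT:
        token = token[:-1]
    return int(token)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one row: None for blank or comment-only rows, ValueError for anything
    the device would count as a parser error."""
    body = line.split(COMMENT_CHAR, 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    network = ipaddress.ip_network(fields[0], strict=False)  # ValueError if malformed
    rest = fields[1:]
    if not rest:
        raise ValueError("missing group ID")
    group_id = conn_limit = None
    if rest[0].startswith("#"):
        # ASSUMPTION: "#20" means no group assignment ("any group ok"), only a limit.
        conn_limit = longest_valid_number(rest[0][1:])
        rest = rest[1:]
    else:
        if not rest[0].isdigit() or not GROUP_ID_MIN <= int(rest[0]) <= GROUP_ID_MAX:
            raise ValueError(f"bad group ID: {rest[0]!r}")
        group_id = int(rest[0])
        rest = rest[1:]
        if rest:
            conn_limit = longest_valid_number(rest[0])
            rest = rest[1:]
    if rest:
        raise ValueError(f"unexpected trailing fields: {rest}")
    return Entry(network, group_id, conn_limit)


def parse_list(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse a whole file. Reading stops at the third parser error, as the guide says
    the device does, so rows after that point are silently never loaded."""
    entries: List[Entry] = []
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            if len(errors) >= MAX_PARSER_ERRORS:
                break
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors


def lookup(entries: List[Entry], client_ip: str) -> Optional[Entry]:
    """Most specific (longest-prefix) row matching the client address.
    ASSUMPTION: the guide does not say how overlapping host and subnet rows resolve."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for entry in entries:
        if ip in entry.network and (best is None or entry.network.prefixlen > best.network.prefixlen):
            best = entry
    return best


# Constructed sample: the guide's four example rows plus rows that exercise the number
# rule and the three-error cutoff. The device's coarse rounding of large limits
# (1000 enforced as 992) is not modelled here.
SAMPLE_LIST = """\
; constructed sample list
192.168.1.3 4            ; blocking a single host (4 is the drop group)
10.10.10.0/24 4          ; blocking the entire 10.10.10.x subnet
192.168.1.1/32 #20       ; any group ok, and allow 20 max
10.10.10.69 2 20         ; assign to service group 2, 20 concurrent connections max
10.10.10.70 2 32768      ; limit above 32767: read as 3276
10.10.10.71 99           ; parser error 1: group ID out of range
not-an-address 2         ; parser error 2: malformed address
10.10.10.72 2 20 extra   ; parser error 3: the device stops reading here
10.10.10.73 2            ; never loaded
"""
```

Running parse_list over a list before importing it shows exactly which rows the device would reject and whether a row you rely on sits after the third error and so never loads.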

FIGURE 151 Config > Service > SLB > Virtual Server - Virtual Server Port tab

USING THE CLI

To Import a Black/White List:

Use the following command at the global configuration level of the CLI:

bw-list name url [period seconds] [load]

The name can be up to 31 alphanumeric characters long.

The url specifies the file transfer protocol, directory path, and filename. The following URL format is supported:

tftp://host/file

Note: A TFTP server is required on the PC and the TFTP server must be running when you enter the bw-list command.

The period seconds option specifies how often the AX device re-imports the list to ensure that changes to the list are automatically replicated on the AX. You can specify 60 – 86400 seconds. The default is 300 seconds.

The load option immediately re-imports the list to get the latest changes, without waiting for the update period. Use this option if you change the list and want to immediately replicate the changes on the AX device.

Note: For large black/white lists, loading can take a while. If you use the load option, the CLI cannot accept any new commands until the load is completely finished. Do not abort the load process; doing so can also interrupt periodic black/white-list updates. If you do accidentally abort the load process, repeat the command with the load option and allow the load to complete.

To Configure PBSLB Settings Using a Policy Template:

To configure a PBSLB template, use the following commands:

[no] slb template policy template-name

Enter this command at the global configuration level of the CLI. The command creates the template and changes the CLI to the configuration for the template, where the following PBSLB-related commands are available.

[no] bw-list name file-name

This command binds a black/white list to the virtual ports that use this template.

[no] bw-list id id {service service-group-name | drop | reset} [logging [minutes] [fail]]

This command specifies the action to take for clients in the black/white list:
• id – Group ID in the black/white list.
• service-group-name – Sends clients to the SLB service group associated with this group ID on the AX device.
• drop – Drops connections for IP addresses that are in the specified group.
• reset – Resets connections for IP addresses that are in the specified group.

• logging [minutes] [fail] – Enables logging. Logging is disabled by default. If you enable it, the default for minutes is 3.

The minutes option specifies how often messages can be generated. You can specify a logging interval from 0 to 60 minutes. The message indicates the number of times the rule was applied since the last message. This option reduces overhead caused by frequent recurring messages. For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times within a five-minute period, the AX device generates only a single message. To send a separate message for each event, set the interval to 0.

The AX device uses the same log rate limiting and load balancing features for PBSLB logging as those used for ACL logging. See “Log Rate Limiting” on page 39.

PBSLB rules that use the service service-group-name option also have a fail option for logging. The fail option configures the AX device to generate log messages only when there is a failed attempt to reach a service group. Messages are not generated for successful connections to the service group. The fail option is disabled by default. The option is available only for PBSLB rules that use the service service-group-name option, not for rules with the drop or reset option, since any time a drop or reset rule affects traffic, this indicates a failure condition.

Note: If the def-selection-if-pref-failed option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the def-selection-if-pref-failed option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.

[no] bw-list over-limit {drop | reset}

This command specifies the action to take for traffic that is over the limit. (The connection limit is set in the black/white list.)
• drop – Drops new connections until the number of concurrent connections on the virtual port falls below the port’s connection limit.
• reset – Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.

[no] use-destination-ip

This command matches black/white list entries based on the client’s destination IP address. By default, matching is based on the client’s source IP

address. This option is applicable if you are using a wildcard VIP. (See “Wildcard VIPs” on page 229.)

To bind the template to a virtual port, use the following command at the configuration level for the port:

[no] template policy template-name

To Configure PBSLB Settings Directly on a Virtual Port:

To bind a black/white list to a virtual port, use the following command at the configuration level for the virtual port:

pbslb bw-list name

The name is the name you assign to the list when you import it.

To map client IP addresses in a black/white list to specific service groups, use the following command at the configuration level for the virtual port:

pbslb id id {service service-group-name | drop | reset} [logging [minutes] [fail]]

The id is a group ID in the black/white list and can be from 1 to 31.

The service-group-name is the name of an SLB service group on the AX.

The drop option immediately drops all connections between the clients in the list and any servers in the service group. The reset option resets the connections between the clients in the list and any servers in the service group.

The logging option enables logging. The minutes option specifies how often messages can be generated. You can specify a logging interval from 0 to 60 minutes. The default is 3 minutes. The message indicates the number of times the rule was applied since the last message. This option reduces overhead caused by frequent recurring messages. For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times within a five-minute period, the AX device generates only a single message. To send a separate message for each event, set the interval to 0.

PBSLB rules that use the service service-group-name option also have a fail option for logging. The fail option configures the AX device to generate log messages only when there is a failed attempt to reach a service group. Messages are not generated for successful connections to the service group. The fail option is disabled by default. The option is available only for PBSLB rules that use the service service-group-name option, not for rules

with the drop or reset option, since any time a drop or reset rule affects traffic, this indicates a failure condition.

The AX device uses the same log rate limiting and load balancing features for PBSLB logging as those used for ACL logging. See “Log Rate Limiting” on page 39.

Note: If the def-selection-if-pref-failed option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the def-selection-if-pref-failed option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.

To specify the action to take if the virtual port’s connection threshold is exceeded, use the following command at the configuration level for the virtual port:

pbslb over-limit {drop | reset}

The drop action drops new connections until the number of concurrent connections on the virtual port falls below the threshold. The reset option resets new connections until the number of concurrent connections on the virtual port falls below the threshold. The default action is drop.

Note: The connection threshold is set in the black/white list.

Displaying PBSLB Information

To show the configuration of a PBSLB policy template, use the following command:

show slb template policy template-name

To show client IP addresses contained in a black/white list, use the following command:

show bw-list [name [ipaddr]]

The name is the name you assign to the list when you import it. The ipaddr is the client IP address.

To show policy-based SLB statistics, use the following command:

show pbslb [name]

The name option specifies a virtual server name. If you use this option, statistics are displayed only for that virtual server. Otherwise, statistics are shown for all virtual servers.

CLI CONFIGURATION EXAMPLES

The following commands import black/white list “sample-bwlist.txt” onto the AX device:

AX(config)#bw-list sample-bwlist tftp://myhost/TFTP-Root/AX_bwlists/samplebwlist.txt
AX(config)#show bw-list
Total: 1
Name           Url                                                   Size(Byte)   Date
sample-bwlist  tftp://myhost/TFTP-Root/AX_bwlists/sample-bwlist.txt  N/A          N/A
------------------------------------------------------------------------------

The following commands configure a PBSLB template and bind it to a virtual port:

AX(config)#slb template policy bw1
AX(config-policy)#bw-list name bw1
AX(config-policy)#bw-list id 2 service srvcgroup2
AX(config-policy)#bw-list id 4 drop
AX(config-policy)#exit
AX(config)#slb virtual-server PBSLB_VS1 10.10.10.69
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua..)#template policy bw1

The following commands configure the same PBSLB settings directly on a virtual port:

AX(config)#slb virtual-server PBSLB_VS2 10.10.10.70
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua..)#pbslb bw-list sample-bwlist
AX(config-slb virtual server-slb virtua..)#pbslb id 4 drop
AX(config-slb virtual server-slb virtua..)#pbslb id 2 service srvcgroup2

The following commands show PBSLB information:

AX(config-slb virtual server-slb virtua..)#show pbslb
Total number of PBSLB configured: 1
Virtual Server   Port   Blacklist/whitelist   GID   Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1        80     sample-bwlist         2     0 0 0 0
                                              4     0 0 0 0
PBSLB_VS2        80     sample-bwlist         2     0 0 0 0
                                              4     0 0 0 0
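The logging behaviour described above for the bw-list id and pbslb id commands (a per-rule interval of 0 to 60 minutes, one message per interval carrying the count of rule applications since the last message, and a fail option that is valid only for service rules), modelled as an added example that is not A10's code. It assumes a monotonic clock expressed in minutes and that "reached the service group" is known when the rule is applied; the message wording is constructed.

```python
"""Model of the PBSLB logging options (added example, not A10 code): the per-rule
interval, the count carried in each message, and the fail option for service rules."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PbslbRule:
    group_id: int
    action: str                    # "service", "drop" or "reset"
    logging: bool = False          # logging is disabled by default
    minutes: int = 3               # default interval is 3; 0 = one message per event
    fail_only: bool = False        # fail option; only valid with action "service"

    def __post_init__(self):
        if self.action not in ("service", "drop", "reset"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.fail_only and self.action != "service":
            raise ValueError("the fail option applies only to service rules")
        if not 0 <= self.minutes <= 60:
            raise ValueError("logging interval must be 0-60 minutes")


@dataclass
class RuleLogger:
    """Log state for one rule. Times are minutes on a monotonic clock (assumption)."""
    rule: PbslbRule
    pending: int = 0               # applications of the rule since the last message
    last_emit: Optional[float] = None
    messages: List[str] = field(default_factory=list)

    def record(self, now: float, client_ip: str, reached_group: bool = True) -> Optional[str]:
        """Call each time the rule is applied to a client. Returns the message emitted,
        or None when logging is off, the event is filtered, or the interval has not elapsed."""
        if not self.rule.logging:
            return None
        # A drop or reset rule affecting traffic is itself a failure condition, so every
        # application counts; a service rule with fail counts only server-selection failures.
        if self.rule.action == "service" and self.rule.fail_only and reached_group:
            return None
        self.pending += 1
        due = (self.rule.minutes == 0 or self.last_emit is None
               or now - self.last_emit >= self.rule.minutes)
        if not due:
            return None
        msg = (f"PBSLB group {self.rule.group_id} {self.rule.action}: rule applied "
               f"{self.pending} time(s) since last message (last client {client_ip})")
        self.messages.append(msg)
        self.pending = 0
        self.last_emit = now
        return msg
```

With a 5-minute interval, 100 applications inside one five-minute window produce a single message, and the next message reports how many applications accumulated in between; interval 0 emits one message per event.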


Role-Based Administration

Role Based Administration (RBA) allows administrators (“admins”) to configure and view SLB resources based on administrative domains (“partitions”). Partitioning allows the AX device to be logically segmented to support separate configurations for different customers, for example, separate companies or separate departments within an enterprise. RBA supports separate partitions for these types of resources. Admins assigned to a partition can manage only the resources inside that partition.

Note: RBA is backwards compatible with configurations saved under earlier AX releases. All resources are automatically migrated to a single, shared partition.

Overview

Figure 152 shows an example of an AX device with multiple partitions.

FIGURE 152 Role-Based Administration

In this example, a service provider hosts an AX device shared by two companies: A.com and B.com. Each company has its own dedicated servers that they want to manage in entirety. The partition for A.com contains A.com's SLB resources. Likewise, the partition for B.com contains B.com's SLB resources.

Admins assigned to the partition for A.com can add, modify, delete and save only those resources contained in A.com's partition. Likewise, B.com's admins can add, modify, delete and save only the resources in B.com's partition.

The following sections describe RBA in more detail.

Resource Partitions

AX system resources are contained in partitions. The AX device has a single shared partition and can have multiple private partitions.

• Shared partition – The shared partition contains resources that can be configured only by admins with Root or Read Write privileges. There is one shared partition for the device and it is the default partition. By default, all resources are in the shared partition. The shared partition cannot be deleted.

• Private partitions – A private partition can be accessed only by the admins who are assigned to it, and by admins with Root, Read Write, or Read Only privileges. The AX device does not have any private partitions by default. Private partitions can be created or deleted only by admins who have Root or Read Write privileges. A maximum of 128 partitions are supported.

(For descriptions of admin privileges, see Table 15 on page 581.)

Resource names must be unique within a partition. However, the same name can be used for resources in different partitions. For example, partitions “A.com” and “B.com” can each have a real server named “rs1”. The AX device is able to distinguish between them.

Types of Resources That Can Be Contained in Private Partitions

Only certain types of resources can be contained in private partitions. In the current release, a private partition can contain SLB resources only:
• Real servers
• Virtual servers
• Service groups
• Templates
• Health monitors
• Certificates and keys
• aFleX policies

All other types of resources can reside only in the shared partition and are not configurable by admins assigned to private partitions.

Use of Shared Resources by Private Resources

SLB resources in private partitions can use SLB resources in the shared partition, but cannot use resources in other private partitions. For example, a virtual service port in a private partition can be configured to bind to a service group in the shared partition, as shown in the following GUI example.

FIGURE 153 Shared SLB Resource Used by Private SLB Resource

Resources in a private partition cannot be used by resources in any other partition, whether private or shared.

aFleX Policies

By default, aFleX policies act upon resources within the partition that contains the aFleX policy. Some aFleX commands have an option to act upon service groups in the shared partition instead. (For more information, see the AX Series aFleX Reference.)

Partition Logos

Each private partition has a logo file associated with it. The logo appears in the upper left corner of the Web GUI. By default, the A10 Networks logo is used. Partition admins can replace the A10 Networks logo with a company logo. The recommended logo size is 180x60 pixels.

The following examples show Web GUI pages for two private partitions. A company-specific logo has been uploaded for each partition.

FIGURE 154 Configurable Partition Logos

Administrator Roles

The type of access (read-only or read-write) allowed to an admin, and the partitions where the access applies, depend on that admin’s privilege level (role). An admin account can have one of the privilege levels listed in Table 15 on page 581. Table 15 describes the admin roles.

Note: The “Partition” privilege levels apply specifically to admins who are assigned to private partitions.

TABLE 15 Admin Privilege Levels

Privilege Level (Role)   Access to Shared Partition   Access to Private Partition                                    Can configure other admin accounts   Can Change Own Password?
Root                     Read-write                   Read-write                                                     Yes (1)                              Yes (2)
Read Write               Read-write                   Read-write                                                     No                                   Yes
Read Only                Read-only                    Read-only                                                      No                                   No
Partition Write          Read-only                    Read-write, for the partition to which the admin is assigned   No                                   Yes

TABLE 15 Admin Privilege Levels (Continued)

Privilege Level (Role)           Access to Shared Partition   Access to Private Partition                                     Can configure other admin accounts   Can Change Own Password?
Partition Read                   Read-only                    Read-only, for the partition to which the admin is assigned     No                                   No
Partition Real Server Operator   None                         Read-only for real servers, with permission to view service     No                                   No
                                                              port statistics, and to disable or enable real servers and
                                                              real server ports. These admins have no other privileges.

1. Only the admin account named “admin” is allowed to configure other admin accounts, and cannot be deleted. Otherwise, the Root and Read-write privilege levels are the same.
2. The Root privilege level can also change the passwords of other admins.

Admins assigned to a partition cannot view the resources in any other private partition. Admins who are assigned to a partition can view but not modify resources in the shared partition. Likewise, the only admins who can add, modify, or delete resources in the shared partition are admins with Root or Read Write privileges.

Admins with Real Server Operator privileges can view real servers within the private partition and can disable or re-enable the real servers and their individual service ports. No other read-only or read-write privileges are granted. All access is restricted to the partition to which the admin is assigned.

Types of Resources That Can Be Viewed and Saved By Private Partition Admins

All admins can view resources in the shared partition. However, when an admin assigned to a partition displays the running-config or startup-config, only the resources within the partition are listed.

Each partition has its own running-config and startup-config. When an admin assigned to a private partition saves the configuration, only the startup-config for that partition is modified. The configuration changes in the partition’s running-config are copied to the partition’s startup-config. Only admins with Root or Read Write privileges can select the partition(s) for which to save changes.

Configuring Role-Based Administration

To configure role-based administration, log in using an admin account with Root privileges, and perform the following steps:

1. Configure any SLB shared resources that you want to make available to multiple private partitions.
2. Configure partitions.
3. Configure admin accounts and assign them to partitions.

Note: This document shows how to set up partitions and assign admins to them. The partition admins will be able to configure their own SLB resources. (For information about configuring SLB resources, see the SLB configuration chapters in this guide.) However, you will need to configure connectivity resources such as interfaces, VLANs, routing, and so on. You also will need to configure any additional admin accounts for the partition.

Note: Configuration of SLB resources within a private partition can be performed by an admin with Partition-write privileges who is assigned to the partition.

Configuring Private Partitions

To configure a private partition, use either of the following methods.

Note: To configure admin accounts, you must be logged in with Root privileges.

USING THE GUI

1. Select Config > System > Admin.
2. On the menu bar, select Partition. The Partition tab appears.
3. Click New.
4. Enter a name for the partition.
5. To upload a logo for the partition, click Browse and navigate to the logo file. If a partition logo is not uploaded, the A10 Networks logo is used by default.
6. Click OK. The new partition appears in the partition list.

FIGURE 155 Config > System > Admin > Partition

FIGURE 156 Config > System > Admin > Partition - List

USING THE CLI

To configure a private partition, use the following command at the global configuration level of the CLI:

partition partition-name [max-aflex-file num]

The partition-name can be 1-14 characters. (For information about the max-aflex-file option, see “Changing the Maximum Number of aFleX Policies Allowed in a Partition” on page 584.)

Changing the Maximum Number of aFleX Policies Allowed in a Partition

By default, each partition is allowed to have a maximum of 32 aFleX policies. You can specify a maximum of 1-128 aFleX policies, on an individual partition basis. If a partition admin attempts to add more aFleX policies than are allowed for the partition, an error message is displayed to the admin.

USING THE GUI

1. Select Config > System > Admin.
2. On the menu bar, select Partition.
3. Select the partition. (Click the checkbox next to the partition name.)
4. Edit the number in the Max aFleX File field. You can specify 1-128. The default is 32.

USING THE CLI

The max-aflex-file option of the partition command specifies the maximum number of aFleX policies that can belong to the partition. You can specify 1-128.

Migrating Resources Between Partitions

Resources cannot be moved directly from one partition to another. To move resources, an admin must delete the resources from the partition they are in, then recreate the resources in the new partition.

Deleting a Partition

Only an admin with Root or Read Write privileges can delete a partition. When a partition is deleted, all resources within the partition also are deleted.

USING THE GUI

1. Select Config > System > Admin.
2. On the menu bar, select Partition.
3. Select the partition. (Click the checkbox next to the partition name.)
4. Click Delete.

USING THE CLI

To delete a partition, use the following command at the global configuration level of the CLI:

no partition [partition-name]

If you do not specify a partition name, the CLI displays a prompt to verify whether you want to delete all partitions and the resources within them. Enter “y” to confirm or “n” to cancel the request.

Configuring Partition Admin Accounts

To configure admin accounts and assign them to partitions, use either of the following methods.

Note: To delete an admin account, see “Deleting an Admin Account” on page 512.

USING THE GUI

To configure an admin account for a private partition:

1. Select Config > System > Admin (if not already selected).
2. On the menu bar, select Admin Management. The Admin tab appears.
3. Click New.
4. Enter a name and password for the admin.
5. From the Role drop-down list, select one of the following:
• Partition Write Admin – Gives read-write privileges within the partition you select below.
• Partition Read Admin – Gives read-only privileges within the partition you select below.
• Partition RS Operator – Allows the admin to view, disable, or reenable real servers and service ports in the partition. No other read or write privileges are granted.
6. From the Partition drop-down list, select the partition to which you are assigning the admin.
7. Click OK. The new admin appears in the admin list with their respective partition logos.

FIGURE 157 Config > System > Admin > Admin Management

USING THE CLI

To configure an admin account for a private partition, use the following commands:

[no] admin admin-username password string
[no] privilege {partition-write | partition-read | partition-enable-disable} partition-name

The admin command creates the admin account and changes the CLI to the configuration level for the account. The command syntax shown here includes the password option. You can specify the password with the admin command, or with the separate password command at the configuration level for the account. The default password is “a10”.

The privilege command specifies the privilege level for the account and assigns the account to a partition. (The partition-enable-disable option gives Partition Real Server Operator privileges.)

Note: The other admin configuration commands do not apply specifically to role-based administration. For information about these other commands, see “Configuring Additional Admin Accounts” on page 507.

CLI Example

The following commands configure two private partitions, “companyA” and “companyB”, and verify that they have been created.

AX(config)#partition companyA
AX(config)#partition companyB
AX(config)#show partition
Max Number allowed: 128
Total Number of partitions configured: 2
Partition Name   Max. aFleX File Allowed   # of Admins
companyA         32                        0
companyB         32                        0
------------------------------------------------------

The following commands configure an admin account for each partition:

AX(config)#admin compAadmin password compApwd
AX(config-admin:compAadmin)#privilege partition-write companyA
Modify Admin User successful !
AX(config-admin:compAadmin)#exit
AX(config)#admin compBadmin password compBpwd
AX(config-admin:compBadmin)#privilege partition-write companyB
Modify Admin User successful !
AX(config-admin:compBadmin)#exit

The following command displays the admin accounts:

AX(config)#show admin
UserName     Status    Privilege   Partition
admin        Enabled   Root
compAadmin   Enabled   P.R/W       companyA
compBadmin   Enabled   P.R/W       companyB
-------------------------------------------------------

The show admin command shows privilege information as follows:
• Root – The admin has Root privileges.
• R/W – The admin has Read Write privileges.
• R – The admin has Read Only privileges.
• P.R/W – The admin is assigned to a private partition and has Partition-write (read-write) privileges within that partition.

• P.R – The admin is assigned to a private partition and has Partition-read (read-only) privileges within that partition.
• P.RS Op – The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers.

Viewing and Saving the Configuration

Admins with Root, Read Write, or Read Only privileges can view resources in any partition. Admins assigned to a partition can view the resources in the shared partition and in their own private partition but not in any other private partition.

Admins with Root or Read Write privileges can save resources in any partition. Admins with Partition-write privileges can save only the resources within their own partition.

Viewing the Configuration

To view configuration information on an AX device configured with private partitions, use either of the following methods.

USING THE GUI

See “Switching To Another Partition” on page 591.

USING THE CLI

To view the configuration, use the following commands:

show running-config [all-partitions | partition partition-name]
show startup-config [all-partitions | partition partition-name]

If you enter the command without either option, the command shows only the resources that are in the shared partition. The all-partitions option shows all resources in all partitions, organized by partition. In this case, the resources in the shared partition are listed first. Then the resources in each private partition are listed.

If you specify a private partition-name, only the resources in that partition are listed.

Note: If an admin assigned to a private partition uses the all-partitions option, the option does not list resources in any other private partitions. Similarly, if a partition admin enters the name of another private partition for partition-name, an “Insufficient privilege” warning message appears. The resources of the other partition are not displayed.

Saving the Configuration

To save the configuration on an AX device configured with private partitions, use either of the following methods.

Caution: Before saving all partitions or before a reload, reboot, or shutdown operation, a Root or Read Write admin should notify all partition admins to save their configurations if they wish to. Partition admins can only save their respective partitions. Saving all partitions without consent from the partition admins is not recommended.

USING THE GUI
To save the configuration in the GUI, click the Save button on the title bar. The GUI automatically saves only the resources that are in the current partition view. For example, if the partition view is set to the “companyB” private partition, only the resources in that partition are saved.

USING THE CLI
To save the configuration, use the following command:

    write memory [all-partitions | partition partition-name]

If you enter the command without either option, the command saves only the changes for resources that are in the current partition. The all-partitions option saves changes for all resources in all partitions. If you specify a private partition-name, only the changes for the resources in that partition are saved.

The all-partitions and partition partition-name options are not applicable for admins with Partition-write privileges. For these admins, the command syntax is the same as in previous releases. The options are available only to admins with Root or Read Write privileges.

Note: A configuration can be saved to a different configuration profile name (rather than being written to “startup-config”), as supported in previous releases. In this case, the configuration profile name used with the write memory command must already exist. The command does not create new configuration profiles for private partitions. Unless the resources in the shared partition are being saved, the resources that are saved depend on the partition(s) to which the write memory command is applied.

Switching To Another Partition

Admins with Root, Read Write, or Read Only privileges can select the partition to view. When an admin with one of these privilege levels logs in, the view is set to the shared partition by default, which means all resources are visible. To change the view to a private partition, use either of the following methods.

USING THE GUI
1. On the title bar, select the partition from the Partition drop-down list. A dialog appears, asking you to confirm your partition selection.
2. Click Yes.
3. Click the Refresh button next to the Partition drop-down list. You must refresh the page in order for the view change to take effect.

USING THE CLI
Use the following command at the Privileged EXEC level of the CLI:

    active-partition {partition-name | shared}

To change the view to a private partition, specify the partition name. To change the view to the shared partition, specify shared.

The following command changes the view to private partition “companyA”:

    AX#active-partition companyA
    Currently active partition: companyA

To display the currently active partition, use the following command:

    show active-partition

Synchronizing the Configuration

When an admin assigned to a private partition synchronizes the configuration to the other AX device in a High-Availability (HA) pair, the resources in the private partition are synchronized for that partition. No other resources are synchronized. An admin with Root or Read Write privileges can specify any partition(s) to synchronize.

Note: In the current release, HA config-sync to a partition is supported only for Active-Standby HA configurations.

Note: If you plan to synchronize the Active AX device’s running-config to the Standby AX device’s running-config, make sure to use one of the following synchronization options. Performing any one of these options ensures that new private partitions appear correctly in the Standby AX device’s configuration.
– Synchronize all partitions.
– Synchronize the shared partition to the startup-config first. Then, synchronize the private partition to the running-config.
– On the Active AX device, synchronize the shared partition to the running-config first. Log onto the Standby AX device and save the shared partition (write memory partition shared). Then, on the Active AX device, synchronize the private partition to the running-config.

USING THE GUI
In the GUI, the synchronization applies only to the current partition.

USING THE CLI
The ha sync commands have new options that enable you to specify the partition. For admins with Root or Read Write privileges, here is the new syntax for the ha sync commands:

    ha sync all {to-startup-config [with-reload] | to-running-config} [all-partitions | partition partition-name]
    ha sync startup-config {to-startup-config [with-reload] | to-running-config} [all-partitions | partition partition-name]
    ha sync running-config {to-startup-config [with-reload] | to-running-config} [all-partitions | partition partition-name]
    ha sync data-files [all-partitions | partition partition-name]

By default, the synchronization applies only to the current partition. To synchronize the configuration for all partitions, use the all-partitions option. To synchronize only a specific private partition, use the partition partition-name option.

If you plan to use the ha sync running-config to-running-config command, see the note at the beginning of this section first.

For admins logged on with Partition Write privileges, the following syntax is available:

    ha sync all to-startup-config
    ha sync startup-config to-startup-config
    ha sync running-config to-startup-config
    ha sync data-files

Admins with Partition Write privileges are not allowed to synchronize to the running-config or to reload the other AX device.
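The per-partition rules for viewing, saving and synchronizing described in the preceding sections, as an added Python model that is not part of this guide or of the AX software. Partition and admin names are taken from the CLI example above; how a bare show command behaves for a partition admin, and that read-only privilege codes cannot save or synchronize, are assumptions marked in the comments.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

SHARED = "shared"
ALL = "all-partitions"
GLOBAL_PRIVS = {"Root", "R/W", "R"}             # not bound to a private partition
PARTITION_PRIVS = {"P.R/W", "P.R", "P.RS Op"}    # bound to one private partition
SYNC_TARGETS = ("to-startup-config", "to-running-config")


class InsufficientPrivilege(Exception):
    """Where the AX CLI prints an "Insufficient privilege" warning."""


@dataclass
class Admin:
    name: str
    privilege: str                     # privilege code as printed by show admin
    partition: Optional[str] = None    # private partition of a P.* admin
    active: str = SHARED               # view chosen with active-partition (Root, R/W, R)

    @property
    def current(self) -> str:
        """Partition that a bare write memory or ha sync applies to."""
        return self.partition if self.privilege in PARTITION_PRIVS else self.active


@dataclass
class Device:
    private_partitions: List[str] = field(default_factory=list)

    def _all(self) -> List[str]:
        return [SHARED] + list(self.private_partitions)   # shared is listed first

    def _check_name(self, name: str) -> None:
        if name not in self._all():
            raise ValueError(f"unknown partition {name!r}")

    def show_config(self, admin: Admin, option: Optional[str] = None) -> List[str]:
        """Partitions listed by show running-config [all-partitions | partition NAME].

        option is None (bare command), ALL, or a partition name."""
        if admin.privilege in GLOBAL_PRIVS:
            if option is None:
                return [SHARED]            # bare command shows the shared partition only
            if option == ALL:
                return self._all()
            self._check_name(option)
            return [option]
        # A partition admin never sees another private partition: all-partitions is
        # narrowed to shared + own (the bare form is modelled the same way: assumption).
        if option is None or option == ALL:
            return [SHARED, admin.partition]
        if option not in (SHARED, admin.partition):
            raise InsufficientPrivilege(f"{admin.name} cannot view partition {option!r}")
        return [option]

    def write_memory(self, admin: Admin, option: Optional[str] = None) -> List[str]:
        """Partitions saved by write memory [all-partitions | partition NAME]."""
        if admin.privilege in {"Root", "R/W"}:
            if option is None:
                return [admin.current]     # only the current partition view is saved
            if option == ALL:
                return self._all()
            self._check_name(option)
            return [option]
        if admin.privilege == "P.R/W":
            if option is not None:         # both options are not applicable to Partition-write
                raise InsufficientPrivilege(f"{admin.name} cannot use option {option!r}")
            return [admin.partition]
        # R, P.R and P.RS Op are read-only, modelled as unable to save (assumption).
        raise InsufficientPrivilege(f"{admin.name} cannot save the configuration")

    def ha_sync(self, admin: Admin, target: str, option: Optional[str] = None,
                with_reload: bool = False) -> List[str]:
        """Partitions synchronized by ha sync ... {to-startup-config [with-reload] | to-running-config}."""
        if target not in SYNC_TARGETS:
            raise ValueError(f"unknown sync target {target!r}")
        if admin.privilege in {"Root", "R/W"}:
            return self.write_memory(admin, option)   # same partition selection rules
        if admin.privilege == "P.R/W":
            if option is not None or target == "to-running-config" or with_reload:
                raise InsufficientPrivilege(
                    f"{admin.name} may only sync its own partition to-startup-config")
            return [admin.partition]
        raise InsufficientPrivilege(f"{admin.name} cannot synchronize the configuration")


def denied(action: Callable[[], object]) -> bool:
    """True when the action is refused with an Insufficient privilege error."""
    try:
        action()
    except InsufficientPrivilege:
        return True
    return False
```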

Operator Management of Real Servers

This section is for admins with Partition Real Server Operator privileges. The procedures in this section explain how to view service port statistics, and how to disable or re-enable real servers and individual service ports on the servers.

USING THE GUI
This section describes how to enable or disable real servers and service ports using the GUI.

Note: Service port statistics are not available in the GUI. To display service port statistics, use the CLI instead.

FIGURE 158 Real Server Management in Operator Mode

Note: Although the GUI displays the Delete and New buttons, these buttons are not supported for admins with Partition Real Server Operator privileges.

To Disable or Re-Enable Servers
1. Log in with your Partition Real Server Operator account.
2. Select the checkbox next to each server you want to disable or re-enable, or click Select All to select all of the servers.
3. Click Disable or Enable.

To Disable or Re-Enable Individual Real Server Ports
1. Log in with your Partition-enable-disable account.
2. Select the checkbox next to each server for which you want to disable or re-enable service ports, or click Select All to select all of the servers.
3. Click Edit.
4. A list of all the service ports on the selected servers is displayed.

A single row appears for each port number.
5. Select the port numbers you want to disable or re-enable. Selecting a row selects the port number on each of the real servers you selected in step 2.
6. Click Disable or Enable.
7. Click OK.

FIGURE 159 Disabling Service Ports – Selecting the Servers

FIGURE 160 Disabling Service Ports – Selecting the Ports

USING THE CLI

To View Service Statistics
To view configuration information and statistics for real servers used by the partition, log in with your Partition-enable-disable account and use the following command:

    show slb server [server-name] [config]

CLI Example

    login as: compAoper
    Welcome to AX
    Using keyboard-interactive authentication.
    Password:********
    Last login: Wed Aug 20 08:58:45 2008 from 192.168.1.130
    [type ? for help]
    AX>show slb server
    Total Number of Services configured: 2
    Current = Current Connections, Total = Total Connections
    Req-pkt = Request packets, Resp-pkt = Response packets
    Service            Current    Total     Req-pkt    Resp-pkt    State
    ------------------------------------------------------------------------------
    compArs1:80/tcp    23         320543    1732383    1263164     Up /60 ms
    compArs1: Total    23         321024    1732383    1263164     Up
    ------------------------------------------------------------------------------

    AX>show slb server config
    Total Number of Services configured: 2
    H-check = Health check, Max conn = Max. Connection, Wgt = Weight
    Service            Address    Max conn    Wgt    H-check    Status
    ------------------------------------------------------------------------------
    compArs1:80/tcp    7.7.7.7    1000000     1      Default    Enable
    compArs1           7.7.7.7    1000000     1      Default    Disable
    compArs2:80/tcp    8.8.8.8    1000000     1      Default    Enable
    compArs2           8.8.8.8    1000000     1      Default    Enable
    ------------------------------------------------------------------------------

To Disable or Re-Enable Servers
Use the following commands to access the configuration level of the CLI:

    enable
    config

The enable command accesses the Privileged EXEC level. If you are prompted for a password, enter the enable password assigned by the root administrator. The end of the command prompt changes from > to #. The config command accesses the configuration level.

At the configuration level, use the following command to access the operation level for the real server:

    slb server server-name [ipaddr]

Use one of the following commands to change the state of the server:

    {disable | enable}

To verify the state change, use the show slb server command.

CLI Example
The following commands access the configuration level, disable real server “compArs1”, and verify the change:

    AX>enable
    Password:********
    AX#config
    AX(config)#slb server compArs1
    AX(config-real server)#disable
    AX(config)#show slb server compArs1
    Total Number of Services configured on Server compArs1: 1
    Current = Current Connections, Total = Total Connections
    Req-pkt = Request packets, Resp-pkt = Response packets
    Service            Current    Total    Req-pkt    Resp-pkt    State/Rsp Time
    ------------------------------------------------------------------------------
    compArs1:80/tcp    0          0        0          0           Down 0.00 ms
    compArs1: Total    0          0        0          0           Disabled
    ------------------------------------------------------------------------------
    AX(config)#show slb server compArs1 config
    Total Number of Services configured on Server compArs1: 1
    H-check = Health check, Max conn = Max. Connection, Wgt = Weight
    Service            Address    Max conn    Wgt    H-check    Status
    ------------------------------------------------------------------------------
    compArs1:80/tcp    7.7.7.7    1000000     1      Default    Enable
    compArs1           7.7.7.7    1000000     1      Default    Disable
    ------------------------------------------------------------------------------

To Disable or Re-Enable Real Service Ports
Access the configuration level, then use the following command to access the operation level for the server:

    slb server server-name [ipaddr]

Use the following command to access the operation level for the service port:

    port port-num {tcp | udp}

Use one of the following commands to change the state of the service port:

    {disable | enable}

To verify the state change, use the show slb server command.


SLB Parameters

This chapter lists the parameters you can configure for Server Load Balancing (SLB).

Note: This chapter is intended only as a reference. Not every configurable parameter will apply to a given SLB application. For information about specific applications, see the individual SLB configuration chapters in this guide.

Note: For information about server and port configuration templates, see “Server and Port Templates” on page 281. For information about health monitoring parameters, see “Health Monitoring” on page 297. For information about GSLB parameters, see “Global Server Load Balancing” on page 335. For information about FWLB parameters, see “Firewall Load Balancing” on page 255.

Service Template Parameters

The tables in this section list the template types that are valid for each service type, and the configurable settings in each type of template. Table 18 lists the types of templates that are valid for each service type.

When you configure a virtual port, the AX device automatically adds any default templates that are applicable to the service type. For example, when you configure a virtual port that has the service type Fast-HTTP, the following templates are automatically applied to the service port:
• TCP
• HTTP
• Connection Reuse (The parameters in this default template are all unset.)

To override a default template, you can configure another template of the same type and bind that template to the virtual port instead.

For information about the default settings in a template, see the section in this chapter that describes the template. For the template types listed above, see the following sections:
• “Connection Reuse Template Parameters” on page 605
• “HTTP Template Parameters” on page 610
• “TCP Template Parameters” on page 624

To override the settings in a default template, you must configure another template of the same type and apply that template to the service port instead. For example, to override the settings that will be applied from the HTTP template, configure another HTTP template and assign that one to the virtual port instead. A virtual port can have only one of each type of template that is valid for the port’s service type, so when you add a template to the virtual port, the other template of the same type is automatically removed from the virtual port.

TABLE 16 Template Types Valid for Service Types
Service types (rows): Fast-HTTP, HTTP, HTTPS, FTP, MMS, RTSP, SIP, SMTP, SSL-Proxy, TCP, UDP.
Template types (columns): Cache, Client SSL, Connection Reuse, HTTP, Cookie Persistence, Policy, Destination-IP Persistence, Source-IP Persistence, Server SSL, SIP, SMTP, SSL Session-ID Persistence, Streaming-media, TCP, TCP-Proxy, UDP.

Cache Template Parameters

Table 17 lists the parameters you can configure in RAM caching templates.

TABLE 17 Cache Template Parameters

Template name
  Name of the template.
  CLI: [no] slb template cache template-name
  GUI: Config > Service > Template > Application > RAM Caching
  Supported values: String of 1-31 characters
  Default: “default”. The default template has the default values listed below.

Age time
  Number of seconds a cached object can remain in the AX RAM cache without being requested.
  CLI: [no] age seconds
  GUI: Config > Service > Template > Application > RAM Caching
  Supported values: 1-999999 seconds (about 11-1/2 days)
  Default: 3600 seconds (1 hour)

Default cache action
  Controls whether the default action is to cache cacheable objects, or not cache them. If you change the default action to nocache, the AX device can cache only those objects that match a dynamic policy rule that has the cache action.
  CLI: [no] default-policy-nocache
  Note: The current release does not support configuration of this option using the GUI.
  Supported values: Enabled or disabled
  Default: disabled (Cacheable objects are cached by default.)

Reload header support
  Enables support for the following Cache-Control headers:
  • Cache-Control: no-cache
  • Cache-Control: max-age=0
  When support for these headers is enabled, either header causes the AX device to reload the cached object from the origin server.
  CLI: [no] accept-reload-req
  GUI: Config > Service > Template > Application > RAM Caching
  Supported values: Enabled or disabled
  Default: disabled

Cache size
  Size of the AX RAM cache. The total size of all RAM caches combined can be 512 Mbytes on systems with 2 GBytes of memory and 1024 Mbytes on systems with 4 GBytes of memory. (To display the amount of memory your system has, enter the show version command.)
  CLI: [no] max-cache-size Mbytes
  GUI: Config > Service > Template > Application > RAM Caching
  Supported values: 1-512 Mbytes
  Default: 10 Mbytes

TABLE 17 Cache Template Parameters (Continued)

Maximum object size
  Maximum object size that can be cached. The AX device will not cache objects larger than this size.
  CLI: [no] max-content-size bytes
  GUI: Config > Service > Template > Application > RAM Caching
  Supported values: 1-8000000 bytes
  Default: 50000 bytes (50 Kbytes)

Minimum object size
  Minimum object size that can be cached. The AX device will not cache objects smaller than this size.
  CLI: [no] min-content-size bytes
  GUI: Config > Service > Template > Application > RAM Caching
  Supported values: 1-8000000 bytes
  Default: 500 bytes (1/2 Kbytes)

Dynamic caching policy
  Configures dynamic caching.
  CLI: [no] policy uri pattern {cache [seconds] | nocache | invalidate inv-pattern}
  The pattern option specifies the portion of the URI string to match on. The other options specify the action to take for URIs that match the pattern:
  • cache [seconds] – Caches the content. By default, the content is cached for the number of seconds configured in the template (set by the age command). To override the aging period set in the template, specify the number of seconds with the cache command.
  • nocache – Does not cache the content.
  • invalidate inv-pattern – Invalidates the content that has been cached for inv-pattern.
  GUI: Config > Service > Template > Application > RAM Caching
  Supported values: Valid URI pattern
  Default: Not set

Verify host
  Enables the AX device to cache the host name in addition to the URI for cached content. Use this option if a real server that contains cacheable content will host more than one host name (for example, www.abc.com and www.xyz.com).
  CLI: [no] verify-host
  GUI: Config > Service > Template > Application > RAM Caching
  Default: Disabled
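How the Table 17 settings combine on a single request (age, default cache action, reload headers, object size limits and the dynamic policy rules), as an added Python model that is not the AX implementation. Rule ordering (first matching pattern wins), substring matching of the pattern, and the sample URIs and rules are assumptions; the defaults are those listed in the table.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class PolicyRule:
    """One policy uri PATTERN {cache [SECONDS] | nocache | invalidate INV-PATTERN} rule."""
    pattern: str                       # portion of the URI string to match on
    action: str                        # "cache", "nocache" or "invalidate"
    seconds: Optional[int] = None      # cache [seconds]: overrides the template age
    inv_pattern: Optional[str] = None  # invalidate: cached URIs containing this are dropped


@dataclass
class CacheTemplate:
    """Cache template settings with the defaults from Table 17."""
    age: int = 3600
    default_policy_nocache: bool = False
    accept_reload_req: bool = False
    max_content_size: int = 50000
    min_content_size: int = 500
    policies: List[PolicyRule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.age <= 999999:
            raise ValueError("age must be 1-999999 seconds")
        for limit in (self.max_content_size, self.min_content_size):
            if not 1 <= limit <= 8000000:
                raise ValueError("object size limits must be 1-8000000 bytes")

    def match(self, uri: str) -> Optional[PolicyRule]:
        """First rule whose pattern occurs in the URI (first match wins: assumption)."""
        for rule in self.policies:
            if rule.pattern in uri:
                return rule
        return None

    def decide(self, uri: str, content_length: int) -> Tuple[str, int]:
        """Return ("cache", ttl_seconds) or ("nocache", 0) for a cacheable origin reply."""
        if not self.min_content_size <= content_length <= self.max_content_size:
            return ("nocache", 0)
        rule = self.match(uri)
        if rule is None:
            return ("nocache", 0) if self.default_policy_nocache else ("cache", self.age)
        if rule.action == "cache":
            return ("cache", self.age if rule.seconds is None else rule.seconds)
        return ("nocache", 0)          # nocache and invalidate rules never store

    def must_reload(self, request_headers: Dict[str, str]) -> bool:
        """True when accept-reload-req lets a client Cache-Control header bypass the cache."""
        if not self.accept_reload_req:
            return False
        value = request_headers.get("Cache-Control", "").lower()
        directives = {d.strip() for d in value.split(",")}
        return "no-cache" in directives or "max-age=0" in directives


class RamCache:
    """Minimal cache front end that applies the template to each request."""

    def __init__(self, template: CacheTemplate) -> None:
        self.template = template
        self.store: Dict[str, Tuple[float, bytes]] = {}   # uri -> (expires_at, body)

    def handle(self, uri: str, headers: Dict[str, str], now: float,
               origin: Callable[[str], bytes]) -> Tuple[bytes, str]:
        """Serve uri from the cache or from origin(uri); returns (body, "HIT" or "MISS")."""
        rule = self.template.match(uri)
        if rule is not None and rule.action == "invalidate":
            for key in [k for k in self.store if rule.inv_pattern in k]:
                del self.store[key]
        hit = self.store.get(uri)
        if hit is not None and hit[0] > now and not self.template.must_reload(headers):
            return hit[1], "HIT"
        body = origin(uri)
        action, ttl = self.template.decide(uri, len(body))
        if action == "cache":
            self.store[uri] = (now + ttl, body)
        else:
            self.store.pop(uri, None)
        return body, "MISS"
```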

TABLE 17 Cache Template Parameters (Continued)

Replacement policy
  Policy used to make room for new objects when the RAM cache is full. The policy supported in the current release is Least Frequently Used (LFU). When the RAM cache becomes more than 90% full, the AX device discards the least-frequently used objects to ensure there is sufficient room for new objects.
  CLI: [no] replacement-policy LFU
  GUI: Config > Service > Template > Application > RAM Caching
  Default: LFU

Client SSL Template Parameters

Table 18 lists the parameters you can configure in client SSL templates.

TABLE 18 Client SSL Template Parameters

Template name
  Name of the template.
  CLI: [no] slb template client-ssl template-name
  GUI: Config > Service > Template > SSL > Client SSL
  Supported values: String of 1-31 characters
  Default: “default”. The default template has the default values listed below.

Certificate Authority (CA) certificate name
  Name of the Certificate Authority (CA) certificate to use for validating client certificates. You also can use this command to specify a Certificate Revocation List (CRL).
  CLI: [no] ca-cert cert-name
  GUI: Config > Service > Template > SSL > Client SSL
  Note: To use the certificate, you must import it onto the AX device. (See “Importing SSL Certificates” on page 467.)
  Supported values: Name of a CA certificate or CRL imported onto the AX device

Certificate name
  Certificate to use for terminating or initiating SSL connections with clients.
  CLI: [no] cert cert-name
  GUI: Config > Service > Template > SSL > Client SSL
  Note: To use the certificate, you must import it onto the AX device. (See “Importing SSL Certificates” on page 467.)
  Supported values: Name of a certificate imported onto the AX device

Certificate key-chain name
  Chain of certificates to use for terminating or initiating SSL connections with clients.
  CLI: [no] chain-cert chain-cert-name
  GUI: Config > Service > Template > SSL > Client SSL
  Supported values: String of 1-31 characters

TABLE 18 Client SSL Template Parameters (Continued)

Certificate key
  Key for the certificate, and the passphrase used to encrypt the key.
  CLI: [no] key key-name [passphrase passphrase-string]
  GUI: Config > Service > Template > SSL > Client SSL
  Supported values: Key name: string of 1-31 characters. Passphrase: string of 1-16 characters.
  Default: None configured

AX response to connection request from client
  Action that the AX device takes in response to a client’s connection request.
  CLI: [no] client-certificate {ignore | request | require}
  GUI: Config > Service > Template > SSL > Client SSL
  Supported values: One of the following:
  • ignore – The AX device does not request the client to send its certificate.
  • request – The AX device requests the client to send its certificate. With this action, the SSL handshake proceeds even if either of the following occurs:
    • The client sends a NULL certificate (one with zero length).
    • The certificate is invalid, causing client verification to fail.
    Use this option if you want the request to trigger an aFleX policy for further processing.
  • require – The AX device requires the client certificate. This action requests the client to send its certificate. However, the SSL handshake does not proceed (it fails) if the client sends a NULL certificate or the certificate is invalid.
  Default: ignore

Certificate Revocation List (CRL)
  CRL to use for verifying that client certificates have not been revoked. When you add a CRL to a client SSL template, the AX device checks the CRL to ensure that the certificates presented by clients have not been revoked by the issuing CA.
  CLI: [no] crl filename
  GUI: Config > Service > Template > SSL > Client SSL
  Note: To use the CRL, you must import it onto the AX device. (See “Importing SSL Certificates” on page 467.)
  Note: If you plan to use a CRL, you must set the Mode to Require.
  Supported values: Name of a CRL imported onto the AX device
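The difference between the ignore, request and require client-certificate actions, and why a CRL only takes effect in Require mode, as an added Python model that is not the AX SSL stack. The ClientCert stand-in, the CRL represented as a set of revoked serials, and treating a template without a ca-cert as unable to verify anything are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

MODES = ("ignore", "request", "require")


@dataclass
class ClientCert:
    """Constructed stand-in for the certificate a client presents (not a real X.509 object)."""
    serial: str
    chain_valid: bool        # verifies against the template's ca-cert
    length: int = 1          # 0 models a NULL (zero-length) certificate


@dataclass
class ClientSSLTemplate:
    client_certificate: str = "ignore"      # [no] client-certificate {ignore|request|require}
    ca_cert: Optional[str] = None           # [no] ca-cert cert-name
    crl: Optional[Set[str]] = None          # [no] crl filename; here a set of revoked serials

    def __post_init__(self) -> None:
        if self.client_certificate not in MODES:
            raise ValueError("client-certificate must be ignore, request or require")
        if self.crl is not None and self.client_certificate != "require":
            # Table 18: a CRL is only honoured when the Mode is Require.
            raise ValueError("a CRL requires client-certificate require")


@dataclass
class HandshakeResult:
    proceeds: bool           # does the SSL handshake complete?
    client_verified: bool    # did the client certificate verify (for aFleX to inspect)?
    reason: str


def verify_client_cert(template: ClientSSLTemplate,
                       cert: Optional[ClientCert]) -> Tuple[bool, str]:
    """Validate a presented certificate against ca-cert and, if configured, the CRL."""
    if cert is None or cert.length == 0:
        return False, "NULL certificate"
    if template.ca_cert is None or not cert.chain_valid:   # no CA to check against: assumption
        return False, "certificate invalid"
    if template.crl is not None and cert.serial in template.crl:
        return False, "certificate revoked"
    return True, "certificate verified"


def handshake(template: ClientSSLTemplate, cert: Optional[ClientCert]) -> HandshakeResult:
    """Outcome of the client-side handshake for each client-certificate action."""
    mode = template.client_certificate
    if mode == "ignore":
        # The client is never asked for a certificate, so nothing is verified.
        return HandshakeResult(True, False, "client certificate not requested")
    ok, reason = verify_client_cert(template, cert)
    if mode == "request":
        # The handshake proceeds even on a NULL or invalid certificate; the result
        # is left for an aFleX policy to act on.
        return HandshakeResult(True, ok, reason)
    # require: the handshake fails unless the certificate verifies.
    return HandshakeResult(ok, ok, reason)
```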

TABLE 18 Client SSL Template Parameters (Continued)

Session cache size
  Maximum number of cached sessions for SSL session ID reuse.
  CLI: [no] session-cache-size number
  GUI: Config > Service > Template > SSL > Client SSL
  Supported values: 0-131072
  Default: 0 (session ID reuse is disabled)

Ciphers
  Cipher suite to support for decrypting certificates from clients.
  CLI: [no] cipher
  GUI: Config > Service > Template > SSL > Client SSL, Cipher tab
  Supported values: One or more of the following:
  • SSL3_RSA_DES_192_CBC3_SHA
  • SSL3_RSA_DES_40_CBC_SHA
  • SSL3_RSA_DES_64_CBC_SHA
  • SSL3_RSA_RC4_128_MD5
  • SSL3_RSA_RC4_128_SHA
  • SSL3_RSA_RC4_40_MD5
  • TLS1_RSA_AES_128_SHA
  • TLS1_RSA_AES_256_SHA
  • TLS1_RSA_EXPORT1024_RC4_56_MD5
  • TLS1_RSA_EXPORT1024_RC4_56_SHA
  Default: All the above are enabled.

Connection Reuse Template Parameters

Table 19 lists the parameters you can configure in connection reuse templates.

TABLE 19 Connection Reuse Template Parameters

Template name
  Name of the template.
  CLI: [no] slb template connection-reuse template-name
  GUI: Config > Service > Template > Connection Reuse
  Supported values: String of 1-31 characters
  Default: “default”. The default template has the default values listed below.

Connection limit
  Maximum number of reusable connections per server port.
  CLI: [no] limit-per-server number
  GUI: Config > Service > Template > Connection Reuse
  Supported values: 0-65535. For unlimited connections, specify 0.
  Default: 1000

TABLE 19 Connection Reuse Template Parameters (Continued)

Connection idle timeout
  Maximum number of seconds a connection can remain idle before it times out.
  CLI: [no] timeout seconds
  GUI: Config > Service > Template > Connection Reuse
  Supported values: 0-3600 seconds. To disable timeout, specify 0.
  Default: 2400 seconds (40 minutes)

Cookie Persistence Template Parameters

Table 20 lists the parameters you can configure in cookie persistence templates.

TABLE 20 Cookie Persistence Template Parameters

Template name
  Name of the template.
  CLI: [no] slb template persist cookie template-name
  GUI: Config > Service > Template > Persistent > Cookie Persistence
  Supported values: String of 1-31 characters
  Default: “default”. The default template has the default values listed below.

Cookie expiration
  Number of seconds a cookie persists on a client’s PC before being deleted by the client’s browser.
  CLI: [no] expire expire-seconds
  GUI: Config > Service > Template > Persistent > Cookie Persistence
  Supported values: 0 to 31,536,000 seconds (one year). If you specify 0, cookies persist only for the current session.
  Default: 10 years
  Note: Although the default is 10 years (essentially, unlimited), the maximum configurable expiration is one year.

Domain
  Adds the specified domain name to the cookie.
  CLI: [no] domain domain-name
  GUI: Config > Service > Template > Persistent > Cookie Persistence
  Supported values: Valid domain name
  Default: Not set

Path
  Adds path information to the cookie.
  CLI: [no] path path-name
  GUI: Config > Service > Template > Persistent > Cookie Persistence
  Supported values: 1-31 characters
  Default: “/”

Insert always
  Specifies whether to insert a new persistence cookie in every reply, even if the request already had an AX cookie.
  CLI: [no] insert-always
  GUI: Config > Service > Template > Persistent > Cookie Persistence
  Supported values: Enabled or disabled
  Default: Disabled. The AX device inserts a persistence cookie only if the client request does not contain a persistence cookie inserted by the AX device, or if the server referenced by the cookie is unavailable.

TABLE 20 Cookie Persistence Template Parameters (Continued)

Match type
  Changes the granularity of cookie persistence:
  • Port – The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client will be sent to the same real port on the same real server.
  • Server – The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client for the same VIP are sent to the same real server. (This assumes that all virtual ports of the VIP use the same cookie persistence template with match-type set to Server.)
  • Service Group – Enables support for URL switching or host switching along with cookie persistence.
  The format of the cookie depends on the match type.
  Note: To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option. URL switching or host switching can be used only for the initial request from the client. After the initial request, subsequent requests are always sent to the same service group.
  CLI: [no] match-type {server | service-group}
  GUI: Config > Service > Template > Persistent > Cookie Persistence
  Supported values: One of the following:
  • Port (selectable in the GUI but not in the CLI)
  • Server
  • Service-group
  Default: Port

Cookie name
  Specifies the name of the persistence cookie.
  CLI: [no] name cookie-name
  GUI: Config > Service > Template > Persistent > Cookie Persistence
  Supported values: String of 1-63 characters
  Default: sto-id

Ignore connection limits
  Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent cookie. Without this option, the connection limit set on real servers and real ports is used.
  CLI: [no] dont-honor-conn-rules
  GUI: Config > Service > Template > Persistent > Cookie Persistence
  Supported values: Enabled or Disabled
  Default: Disabled
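The Table 20 cookie settings (name, expire, domain, path, insert-always and match type) applied to a reply, as an added Python model that is not the AX implementation. The cookie value layout, the use of Max-Age for the expiration, the 10-year default expressed in seconds, and the server names are assumptions; the AX cookie format itself is not given on this page.

```python
from dataclasses import dataclass
from typing import Dict, Optional

MAX_EXPIRE = 31_536_000            # one year, the maximum configurable value
TEN_YEARS = 10 * 365 * 86400       # the "10 years" default, in seconds (assumption)


@dataclass
class CookiePersistenceTemplate:
    """Cookie persistence template settings with the defaults from Table 20."""
    name: str = "sto-id"
    expire: int = TEN_YEARS
    domain: Optional[str] = None
    path: str = "/"
    insert_always: bool = False
    match_type: str = "port"          # port | server | service-group

    def __post_init__(self) -> None:
        if not 1 <= len(self.name) <= 63:
            raise ValueError("cookie name must be 1-63 characters")
        if not 1 <= len(self.path) <= 31:
            raise ValueError("path must be 1-31 characters")
        # Only the default may exceed one year; an explicit value is 0..31,536,000.
        if self.expire != TEN_YEARS and not 0 <= self.expire <= MAX_EXPIRE:
            raise ValueError("expire must be 0-31536000 seconds")
        if self.match_type not in ("port", "server", "service-group"):
            raise ValueError("unknown match type")

    def cookie_value(self, server: str, port: int, service_group: str) -> str:
        """Constructed value carrying only what the match type pins (not the AX format)."""
        if self.match_type == "port":
            return f"{server}:{port}"
        if self.match_type == "server":
            return server
        return f"{service_group}/{server}:{port}"

    def set_cookie_header(self, value: str) -> str:
        """Build the Set-Cookie header inserted into the server reply."""
        parts = [f"{self.name}={value}", f"Path={self.path}"]
        if self.domain:
            parts.append(f"Domain={self.domain}")
        if self.expire > 0:                      # 0 = session cookie, no Max-Age
            parts.append(f"Max-Age={self.expire}")
        return "; ".join(parts)

    def reply_cookie(self, request_cookies: Dict[str, str], selected_value: str,
                     referenced_server_up: bool) -> Optional[str]:
        """Set-Cookie to insert in this reply, or None when the client's cookie is kept."""
        existing = request_cookies.get(self.name)
        if existing is None or not referenced_server_up or self.insert_always:
            return self.set_cookie_header(selected_value)
        return None


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a request Cookie header into name -> value pairs."""
    cookies: Dict[str, str] = {}
    for item in header.split(";"):
        if "=" in item:
            key, value = item.strip().split("=", 1)
            cookies[key] = value
    return cookies
```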

Destination-IP Persistence Template Parameters

Table 21 lists the parameters you can configure in destination-IP persistence templates.

TABLE 21 Destination-IP Persistence Template Parameters

Template name
  Name of the template.
  CLI: [no] slb template persist destination-ip template-name
  GUI: Config > Service > Template > Persistent > Destination IP Persistence
  Supported values: String of 1-31 characters
  Default: “default”. The default template has the default values listed below.

Persistence granularity
  Granularity of persistence:
  • Port – Traffic from a given client to the same virtual port is always sent to the same real port. This is the most granular setting.
  • Server – Traffic from a given client to the same VIP is always sent to the same real server, for any service port requested by the client.
  • Service-group – This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the request goes to the same real port that was selected the first time that service group was selected. Thus, service group selection is performed for every request, but once a service group is selected for a request, the same real port is used.
  Note: To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
  CLI: [no] match-type {server | service-group}
  GUI: Config > Service > Template > Persistent > Destination IP Persistence
  Supported values: One of the following:
  • Port (selectable in the GUI but not in the CLI)
  • Server
  • Service-group
  Default: Port

TABLE 21 Destination-IP Persistence Template Parameters (Continued)

Hashing netmask
  Description and Syntax: Granularity of IP address hashing for initial server port selection. You can specify an IPv4 network mask in dotted decimal notation.
    • To configure initial server port selection to occur independently for each requested VIP, use mask 255.255.255.255. (This is the default.)
    • To configure initial server port selection to occur once per destination VIP subnet, configure the network mask to indicate the subnet length. For example, to select a server port once for all requested VIPs within a subnet such as 10.10.10.x, 192.168.1.x, and so on ("class C" subnets), use mask 255.255.255.0. SLB selects a server port for the first request to the given VIP subnet, then sends all other requests for the same VIP subnet to the same port.
    [no] netmask ipaddr
    Config > Service > Template > Persistent > Destination IP Persistence
  Supported Values: Valid IPv4 network mask. Default: 255.255.255.255

Persistence Timeout
  Description and Syntax: Number of minutes the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server.
    [no] timeout timeout-minutes
    Config > Service > Template > Persistent > Destination IP Persistence
  Supported Values: 1-1000 minutes. Default: 5 minutes

Ignore connection limits
  Description and Syntax: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent client source IP address. By default, the connection limit set on real servers and real ports is used.
    [no] dont-honor-conn-rules
    Config > Service > Template > Persistent > Destination IP Persistence
  Supported Values: Enabled or Disabled. Default: Disabled

HTTP Template Parameters

Table 22 lists the parameters you can configure in HTTP templates.

TABLE 22 HTTP Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template http templatename
    Config > Service > Template > Application > HTTP
  Supported Values: String of 1-31 characters. Default: "default".

Failover URL
  Description and Syntax: Fallback URL to send in an HTTP 302 response when all real servers are down.
    [no] failover-url url-string
    Config > Service > Template > Application > HTTP
  Supported Values: Valid URL. Default: Not set

Retry and reassignment when server replies with 5xx status code
  Description and Syntax: Configures the AX device to retry sending a client's request to a service port that replies with an HTTP 5xx status code, and reassign the request to another server if the first server replies with a 5xx status code. The first command shown below temporarily stops using a service port after reassignment. The second command does not.
    [no] retry-on-5xx num
    [no] retry-on-5xx-per-req num
    Config > Service > Template > Application > HTTP
  Supported Values: 1-3. Default: Disabled. The AX device sends the 5xx status code to the client. When you enable this option, the default number of retries is 3.

TABLE 22 HTTP Template Parameters (Continued)

Compression
  Description and Syntax: Offloads Web servers from CPU-intensive HTTP compression operations.
    [no] compression {enable | content-type content-string | exclude-content-type content-string | exclude-uri uri-string | keep-accept-encoding enable | level number | minimum-content-length number}
    Config > Service > Template > Application > HTTP
  Supported Values: Any of the following:
    • enable – Enables compression.
    • content-type – Specifies the types of content to compress, based on a string in the content-type header of the HTTP response. The content-string can be 1-64 characters long.
    • exclude-content-type – Specifies the types of content to exclude from compression.
    • exclude-uri – Specifies URI strings (up to 31 characters) to exclude from compression.
    • keep-accept-encoding enable – Leaves the Accept-Encoding header in HTTP requests from clients instead of removing the header.
    • level – Specifies the compression level, 1-9, beginning with level 1, which provides the lowest compression ratio. Each level provides a higher compression ratio. A higher compression ratio results in a smaller file size after compression. However, higher compression levels also require more CPU processing than lower compression levels, so performance can be affected.
    • minimum-content-length – Specifies the minimum length (in bytes) a server response can be in order to be compressed. The length applies to the content only and does not include the headers. You can specify 0-2147483647 bytes.

TABLE 22 HTTP Template Parameters (Continued)

Compression (cont.)
  Supported Values: Compression is disabled by default. When it is enabled, the compression options have the following defaults:
    • content-type – "text" and "application" included by default
    • exclude-content-type – not set
    • exclude-content – not set
    • keep-accept-encoding – disabled
    • level – 1
    • minimum-content-length – 120 bytes

Header erase
  Description and Syntax: Erases the specified header from an HTTP request or reply.
    [no] request-header-erase field
    [no] response-header-erase field
    Config > Service > Template > Application > HTTP
  Note: These options are not supported with the fast-http service type. The AX device does not allow an HTTP template with any of the header erase or header insert options to be bound to a fast-http virtual port. Likewise, the AX device does not allow header options to be added to an HTTP template that is already bound to a fast-http virtual port.
  Supported Values: String of 1-256 characters. Default: Not set

Header insert / replace
  Description and Syntax: Inserts the specified header into an HTTP request or reply.
    [no] request-header-insert field:value [insert-always | insert-if-not-exist]
    [no] response-header-insert field:value [insert-always | insert-if-not-exist]
    Config > Service > Template > Application > HTTP
  Note: These options are not supported with the fast-http service type. The AX device does not allow an HTTP template with any of the header erase or header insert options to be bound to a fast-http virtual port. Likewise, the AX device does not allow header options to be added to an HTTP template that is already bound to a fast-http virtual port.
  Supported Values: String of 1-256 characters. Default: Not set
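The compression options above amount to a per-response decision. The following model, added here as an example and not A10's own code, applies the Table 22 defaults (the "text" and "application" content types included, a 120-byte minimum, level 1, Accept-Encoding removed from forwarded requests unless keep-accept-encoding is enabled) to constructed requests and responses. Substring matching for exclude-uri, and the reason the Accept-Encoding header is removed, are assumptions made for the model.

```python
import gzip
from dataclasses import dataclass, field


@dataclass
class CompressionConfig:
    """Options of the HTTP template's compression command with the defaults
    from Table 22. This is a model written for this page, not A10 code."""
    enable: bool = False
    content_type: list = field(default_factory=lambda: ["text", "application"])
    exclude_content_type: list = field(default_factory=list)
    exclude_uri: list = field(default_factory=list)
    keep_accept_encoding: bool = False
    level: int = 1                       # 1-9, higher costs more CPU per byte
    minimum_content_length: int = 120    # bytes of body; headers are not counted

    def __post_init__(self):
        if not 1 <= self.level <= 9:
            raise ValueError("compression level must be 1-9")
        if not 0 <= self.minimum_content_length <= 2147483647:
            raise ValueError("minimum-content-length out of range")


def should_compress(cfg: CompressionConfig, request_uri: str,
                    response_headers: dict, body: bytes) -> bool:
    """Decide whether the template would compress a given server response."""
    if not cfg.enable:
        return False
    ctype = response_headers.get("Content-Type", "").lower()
    # Exclusions are checked first. Assumption: exclude-uri is a substring match.
    if any(ex.lower() in ctype for ex in cfg.exclude_content_type):
        return False
    if any(ex in request_uri for ex in cfg.exclude_uri):
        return False
    # content-type is matched as a string inside the Content-Type header,
    # so "text" covers text/html, text/css and so on.
    if not any(inc.lower() in ctype for inc in cfg.content_type):
        return False
    # Below the minimum length the framing overhead outweighs the saving.
    return len(body) >= cfg.minimum_content_length


def forward_request_headers(cfg: CompressionConfig, request_headers: dict) -> dict:
    """Headers the AX forwards to the real server. Without keep-accept-encoding the
    client's Accept-Encoding header is removed (assumption: so that the server
    returns uncompressed data which the AX then compresses itself)."""
    if cfg.enable and not cfg.keep_accept_encoding:
        return {k: v for k, v in request_headers.items()
                if k.lower() != "accept-encoding"}
    return dict(request_headers)


def compress_body(cfg: CompressionConfig, body: bytes) -> bytes:
    """gzip the body at the configured level."""
    return gzip.compress(body, compresslevel=cfg.level)


if __name__ == "__main__":
    cfg = CompressionConfig(enable=True)
    # Constructed response body: a small, repetitive HTML page.
    html = b"<html>" + b"<p>hello</p>" * 50 + b"</html>"
    print(should_compress(cfg, "/index.html", {"Content-Type": "text/html"}, html))
    print(len(html), "->", len(compress_body(cfg, html)), "bytes")
```

Run stand-alone it prints the decision for the constructed page and the size before and after compression; the exclusion checks are the ones to exercise when a response type (binary downloads, already-compressed images) should stay untouched.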

TABLE 22 HTTP Template Parameters (Continued)

Host switching
  Description and Syntax: Selects a service group based on the value in the Host field of the HTTP header. The selection overrides the service group configured on the virtual port. Selection is performed using the following match filters:
    • starts-with host-string – matches only if the hostname or IP address starts with host-string.
    • contains host-string – matches if the host-string appears anywhere within the hostname or host IP address.
    • ends-with host-string – matches only if the hostname or IP address ends with host-string.
  The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used. If a host name matches on more than one match filter of the same type, the most specific match is used. If the host-string does not match, the service group configured on the virtual port is used.
    [no] host-switching {starts-with | contains | ends-with} host-string service-group service-group-name
    Config > Service > Template > Application > HTTP
  Supported Values: Each host string can be all or part of an IP address or host name. Strings of 1-256 characters. Default: Not set

Client IP insert
  Description and Syntax: Inserts the client's source IP address into HTTP headers. When you enable this option, the client IP address is inserted into the X-ClientIP field by default, without replacing any client IP addresses already in the field.
    [no] insert-client-ip [http-fieldname] [replace]
    Config > Service > Template > Application > HTTP
  Supported Values: String of 1-256 characters. Default: Not set

Redirect rewrite
  Description and Syntax: Modifies redirects sent by servers by rewriting the matching URL string to the specified value before sending the redirects to clients.
    [no] redirect-rewrite match url-string rewrite-to url-string
    Config > Service > Template > Application > HTTP
  Supported Values: Strings of 1-256 characters. Default: Not set

TABLE 22 HTTP Template Parameters (Continued)

Redirect rewrite secure
  Description and Syntax: Changes HTTP redirects sent by servers into HTTPS redirects before sending the redirects to clients.
    [no] redirect-rewrite secure {port tcp-portnum}
    Config > Service > Template > Application > HTTP
  Supported Values: Strings of 1-256 characters. Default: Not set

Strict transaction switching
  Description and Syntax: Forces the AX device to perform the server selection process anew for every HTTP request. Without this option, the AX device reselects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options.
    [no] strict-transaction-switch
    Config > Service > Template > Application > HTTP
  Supported Values: Enabled or disabled. Default: Disabled

URL switching
  Description and Syntax: Selects a service group based on the URL string requested by the client. The selection overrides the service group configured on the virtual port. Selection is performed using the following match filters:
    • starts-with url-string – matches only if the URL starts with url-string.
    • contains url-string – matches if the url-string appears anywhere within the URL.
    • ends-with url-string – matches only if the URL ends with url-string.
  The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used. If a URL matches on more than one match filter of the same type, the most specific match is used. If the URL-string does not match, the service group configured on the virtual port is used.
  Note: You can configure a maximum of 16 URL switching rules in a template. If you need to use more, use aFleX policies.
    [no] url-switching {starts-with | contains | ends-with} url-string service-group service-group-name
    Config > Service > Template > Application > HTTP
  Supported Values: Strings of 1-256 characters. Default: Not set
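The header erase, header insert, client IP insert, redirect rewrite and redirect rewrite secure options of Table 22 all operate on individual header values. The model below is an added example written for this page, not A10 code; it applies each option to constructed request and response headers. Assumptions made here: insert-always overwrites an existing field while insert-if-not-exist leaves it alone (the page's "insert / replace" wording), the default client IP insert appends the address to X-ClientIP as a comma-separated list, and redirect-rewrite secure without the port option uses the default HTTPS port. The trusted_client_ip helper shows what a backend should read from the field in append mode: the entry the AX added is the last one, and anything before it arrived from the client.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def header_erase(headers: dict, field: str) -> dict:
    """request-header-erase / response-header-erase: drop the field.
    HTTP field names are case-insensitive, so compare lower-cased."""
    return {k: v for k, v in headers.items() if k.lower() != field.lower()}


def header_insert(headers: dict, field: str, value: str,
                  mode: str = "insert-if-not-exist") -> dict:
    """request-header-insert / response-header-insert field:value
    [insert-always | insert-if-not-exist]. Assumption: insert-always replaces an
    existing value, insert-if-not-exist keeps it."""
    if mode not in ("insert-always", "insert-if-not-exist"):
        raise ValueError(f"unknown insert mode {mode!r}")
    out = dict(headers)
    existing = next((k for k in out if k.lower() == field.lower()), None)
    if existing is None:
        out[field] = value
    elif mode == "insert-always":
        out[existing] = value
    return out


def insert_client_ip(headers: dict, client_ip: str,
                     field: str = "X-ClientIP", replace: bool = False) -> dict:
    """insert-client-ip [http-fieldname] [replace]. By default the source IP is
    added without discarding what the client already sent in the field
    (assumption: appended, comma-separated); replace overwrites the field."""
    out = dict(headers)
    existing = next((k for k in out if k.lower() == field.lower()), None)
    if existing is None or replace:
        if existing is not None:
            del out[existing]
        out[field] = client_ip
    else:
        out[existing] = f"{out[existing]}, {client_ip}"
    return out


def trusted_client_ip(headers: dict, field: str = "X-ClientIP") -> Optional[str]:
    """What a backend behind the AX should read in append mode: the last entry is
    the one the AX added; earlier entries came from the client and are untrusted."""
    value = next((v for k, v in headers.items() if k.lower() == field.lower()), None)
    return value.split(",")[-1].strip() if value else None


def redirect_rewrite(location: str, match: str, rewrite_to: str) -> str:
    """redirect-rewrite match url-string rewrite-to url-string, applied to the
    Location value of a server redirect (first occurrence of match is rewritten)."""
    return location.replace(match, rewrite_to, 1) if match in location else location


def redirect_rewrite_secure(location: str, port: Optional[int] = None) -> str:
    """redirect-rewrite secure [port tcp-portnum]: turn an http:// redirect into
    https://, optionally on a non-default port (assumption: default port otherwise)."""
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location
    host = parts.hostname or ""
    netloc = f"{host}:{port}" if port else host
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed request headers; 203.0.113.9 is a value the client itself sent.
    req = {"Host": "app.example.test", "X-ClientIP": "203.0.113.9"}
    req = insert_client_ip(req, "198.51.100.7")
    print(req["X-ClientIP"], "-> backend trusts", trusted_client_ip(req))
    print(redirect_rewrite_secure("http://app.example.test/login", port=8443))
```

The same functions serve as a check when writing the template: feed them the headers a real client could send and confirm the backend reads the address the AX inserted rather than the client-supplied one, or configure the replace option so only the AX's value survives.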

TABLE 22 HTTP Template Parameters (Continued)

URL hash persistence (also called URL hash switching)
  Description and Syntax: Selects a service group based on the hash value of the first or last bytes of the URL string. Optionally, you can use URL hashing with either URL switching or host switching. If URL switching or host switching is configured, the AX device first selects a service group based on the URL or host switching values, then calculates the hash value and uses it to choose a server within the selected service group. Without URL switching or host switching configured, URL hash switching uses the hash value to choose a server within the default service group. The bytes option specifies how many bytes to use to calculate the hash value, for each HTTP request.
    [no] url-hash-persist {first | last} bytes
    Config > Service > Template > Application > HTTP
  Supported Values: First or last 4-128 bytes. Default: Not set

Policy Template Parameters

Table 23 lists the parameters you can configure in Policy-Based SLB (PBSLB) templates.

TABLE 23 Policy Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template policy templatename
    Config > Service > Template > Application > Policy
  Supported Values: String of 1-31 characters. Default: "default".

Black/white list name
  Description and Syntax: Binds a black/white list to the virtual ports that use this template.
    [no] bw-list name file-name
    Config > Service > Template > Application > Policy
  Supported Values: Name of a configured black/white list. Default: None.

Action for overlimit traffic
  Description and Syntax: Specifies the action to take for traffic that is over the limit.
    [no] bw-list over-limit {drop | reset}
    Config > Service > Template > Application > Policy
  Supported Values: Reset or drop. Default: drop

Matching based on destination IP address
  Description and Syntax: Matches black/white list entries based on the client's destination IP address.
    [no] use-destination-ip
    Config > Service > Template > Application > Policy
  Supported Values: Enabled or Disabled. Default: Disabled. Matching is based on the client's source IP address.

TABLE 23 Policy Template Parameters (Continued)

Action
  Description and Syntax: Specifies the action to take for clients in the black/white list.
    [no] bw-list id id {service service-group-name | drop | reset} [logging [minutes] [fail]]
    Config > Service > Template > Application > Policy
  Note: If the option to use default selection if preferred server selection fails is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.
  Supported Values: The following settings are configurable:
    • List ID – ID of the black/white list.
    • Group ID – Group ID in the black/white list.
    • Action:
      • Service-group name – Name of an SLB service group on the AX Series device.
      • Drop – Drops new connections until the number of concurrent connections on the virtual port falls below the port's connection limit. (The connection limit is set in the black/white list.)
      • Reset – Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.
    • Logging – Enables logging. You can specify the number of minutes between log messages. This option reduces overhead caused by frequent recurring messages. You can specify a logging interval from 0 to 60 minutes. To send a separate message for each event, set the interval to 0. If you enable logging, the default for minutes is 3.
  Defaults:
    • List ID – None
    • Group ID – None
    • Action – Not set
    • Logging – Disabled.

Source-IP Persistence Template Parameters

Table 24 lists the parameters you can configure in source-IP persistence templates.

TABLE 24 Source-IP Persistence Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template persist source-ip template-name
    Config > Service > Template > Persistent > Source IP Persistence
  Supported Values: String of 1-31 characters. Default: "default".

Persistence granularity
  Description and Syntax: Granularity of persistence:
    • Port – Traffic from a given client to the same virtual port is always sent to the same real port. This is the most granular setting.
    • Server – Traffic from a given client to the same VIP is always sent to the same real server, for any service port requested by the client.
    • Service-group – This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is performed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected.
  Note: To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
    [no] match-type {server | service-group}
    Config > Service > Template > Persistent > Source IP Persistence
  Supported Values: One of the following:
    • Port (selectable in the GUI but not in the CLI)
    • Server
    • Service-group
    Default: Port

TABLE 24 Source-IP Persistence Template Parameters (Continued)

Hashing netmask
  Description and Syntax: Granularity of IP address hashing for server port selection. You can specify an IPv4 network mask in dotted decimal notation.
    • To configure server port selection to occur on a per client basis, use mask 255.255.255.255. (This is the default.) SLB selects a server port for the first request from a given client, then sends all other requests from the same client to the same port.
    • To configure server port selection to occur on a per subnet basis, configure the network mask to indicate the subnet length. For example, to send all clients within a subnet such as 10.10.10.x, 192.168.1.x, and so on ("class C" subnets) to the same server port, use mask 255.255.255.0. SLB selects a server port for the first client in a given subnet, then sends all other clients in the same subnet to the same port.
    [no] netmask ipaddr
    Config > Service > Template > Persistent > Source IP Persistence
  Supported Values: Valid IPv4 network mask. Default: 255.255.255.255

Persistence Timeout
  Description and Syntax: Number of minutes the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server.
    [no] timeout timeout-minutes
    Config > Service > Template > Persistent > Source IP Persistence
  Supported Values: 1-1000 minutes. Default: 5 minutes

Ignore connection limits
  Description and Syntax: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent client source IP address. By default, the connection limit set on real servers and real ports is used.
    [no] dont-honor-conn-rules
    Config > Service > Template > Persistent > Source IP Persistence
  Supported Values: Enabled or Disabled. Default: Disabled
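The hashing netmask and persistence timeout of the source-IP template (Table 24) and of the destination-IP template (Table 21) work the same way: the address is masked, the masked value is the key of the persistence entry, and the entry is reused until it has been idle for the timeout. The following model is an added example written for this page, not A10 code. The service group, its real ports and the use of a SHA-256 hash in place of the configured load-balancing method are all constructed stand-ins; the real method is whatever the service group is configured with.

```python
import hashlib
import ipaddress

# Constructed example: the real server ports of one service group (hypothetical names).
SERVICE_GROUP = ["rs1:80", "rs2:80", "rs3:80"]


def persistence_key(ip: str, netmask: str) -> str:
    """Apply the template's hashing netmask to an IPv4 address.

    For a source-IP template the address is the client's; for a destination-IP
    template it is the requested VIP. With 255.255.255.255 every address is its
    own key; with 255.255.255.0 all hosts of a /24 share one key and therefore
    one server-port choice.
    """
    addr = int(ipaddress.IPv4Address(ip))
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(addr & mask))


class PersistenceTable:
    """Mapping kept by a source-IP or destination-IP persistence template."""

    def __init__(self, netmask: str = "255.255.255.255", timeout_minutes: int = 5):
        if not 1 <= timeout_minutes <= 1000:
            raise ValueError("persistence timeout is 1-1000 minutes")
        self.netmask = netmask
        self.timeout = timeout_minutes * 60      # seconds
        self.entries = {}                        # key -> [real port, last seen]
        self.selections = 0                      # how often the load-balancing method ran

    def select(self, ip: str, now: float) -> str:
        """Return the real port for a request seen at time `now` (seconds)."""
        key = persistence_key(ip, self.netmask)
        entry = self.entries.get(key)
        if entry is not None and now - entry[1] < self.timeout:
            port = entry[0]      # mapping still fresh: reuse the same real port
        else:
            # First request for this key, or the mapping idled past the timeout:
            # the load-balancing method picks a port. A stable hash stands in for it.
            self.selections += 1
            idx = int(hashlib.sha256(key.encode()).hexdigest(), 16) % len(SERVICE_GROUP)
            port = SERVICE_GROUP[idx]
        self.entries[key] = [port, now]          # every request refreshes the timer
        return port


if __name__ == "__main__":
    per_subnet = PersistenceTable("255.255.255.0")
    # Constructed clients: two hosts in the same /24 land on the same real port.
    print(per_subnet.select("10.10.10.5", now=0.0))
    print(per_subnet.select("10.10.10.200", now=10.0))
    print("load-balancing decisions so far:", per_subnet.selections)
```

The selections counter is what distinguishes the two netmask settings in practice: per-client persistence runs the load-balancing method once for each client address, per-subnet persistence once per subnet, and either mapping is recomputed only after it has been idle longer than the timeout.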

Server SSL Template Parameters

Table 25 lists the parameters you can configure in Server SSL templates.

TABLE 25 Server SSL Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template server-ssl template-name
    Config > Service > Template > SSL > Server SSL
  Supported Values: String of 1-31 characters. Default: "default".

Certificate Authority (CA) certificate name
  Description and Syntax: Name of the Certificate Authority (CA) certificate to use for validating server certificates.
  Note: To use the certificate, you must import it onto the AX device. (See "Importing SSL Certificates" on page 467.)
  Note: If you add, remove, or replace a certificate in a server-SSL template that is already bound to a VIP, the AX device does not use the changes. To change the certificates in a server-SSL template, unbind the template from the VIP and delete the template. Configure a new template with the changed certificates and bind the new template to the VIP.
    [no] ca-cert cert-name
    Config > Service > Template > SSL > Server SSL
  Supported Values: Name of a CA certificate imported onto the AX device. Default: None

Ciphers
  Description and Syntax: Cipher suite to support for decrypting certificates from servers.
    [no] cipher
    Config > Service > Template > SSL > Server SSL
  Supported Values: One or more of the following:
    • SSL3_RSA_DES_192_CBC3_SHA
    • SSL3_RSA_DES_40_CBC_SHA
    • SSL3_RSA_DES_64_CBC_SHA
    • SSL3_RSA_RC4_128_MD5
    • SSL3_RSA_RC4_128_SHA
    • SSL3_RSA_RC4_40_MD5
    • TLS1_RSA_AES_128_SHA
    • TLS1_RSA_AES_256_SHA
    • TLS1_RSA_EXPORT1024_RC4_56_MD5
    • TLS1_RSA_EXPORT1024_RC4_56_SHA
    Default: All the above are enabled.

SIP Template Parameters

Table 26 lists the parameters you can configure in SIP templates.

TABLE 26 SIP Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template sip template-name
    Config > Service > Template > Application > SIP
  Supported Values: String of 1-31 characters. Default: "default".

Registrar service group
  Description and Syntax: Name of a configured service group of SIP Registrar servers.
    [no] registrar service-group group-name
    Config > Service > Template > Application > SIP
  Supported Values: Name of a configured service group

Header erase
  Description and Syntax: Erases the specified SIP header from the SIP request before sending it to a SIP Registrar.
    [no] header-erase string
    Config > Service > Template > Application > SIP
  Supported Values: String of 1-256 characters. Default: None

Header insert
  Description and Syntax: Inserts the specified SIP header into the SIP request before sending it to a SIP Registrar.
    [no] header-insert string
    Config > Service > Template > Application > SIP
  Supported Values: String of 1-256 characters. Default: None

Header replace
  Description and Syntax: Replaces the specified SIP header in the SIP request before sending it to a SIP Registrar.
    [no] header-replace string new-string
    Config > Service > Template > Application > SIP
  Supported Values: String of 1-256 characters. Default: None

Reverse NAT disable
  Description and Syntax: Disables reverse NAT based on the IP addresses in an extended ACL. This option is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the AX device. Configure the extended ACL to match on the SIP server IP address or subnet as the source address, and on the destination server's IP address or subnet as the destination address.
    [no] pass-real-server-ip-for-acl acl-id
    Config > Service > Template > Application > SIP
  Supported Values: ID of a configured extended ACL. Default: Not set. Reverse NAT is enabled for all traffic from the server.

Call timeout
  Description and Syntax: Number of minutes a call can remain idle before the AX Series terminates it.
    [no] timeout minutes
    Config > Service > Template > Application > SIP
  Supported Values: 1-250 minutes. Default: 30 minutes

SMTP Template Parameters

Table 27 lists the parameters you can configure in SMTP templates.

TABLE 27 SMTP Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template smtp template-name
    Config > Service > Template > Application > SMTP
  Supported Values: String of 1-31 characters. Default: "default".

Domain name switching
  Description and Syntax: Selects a service group based on the domain of the client. This option is applicable when you have multiple SMTP service groups. You can specify all or part of the client domain name. Selection is performed using the following match filters:
    • starts-with string – matches only if the domain name starts with string.
    • contains string – matches if the string appears anywhere within the domain name.
    • ends-with string – matches only if the domain name ends with string.
  The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used. If a domain name matches on more than one match filter of the same type, the most specific match is used. If the client domain does not match, the service group configured on the virtual port is used.
    [no] client-domain-switching {starts-with | contains | ends-with} string service-group group-name
    Config > Service > Template > Application > SMTP
  Supported Values: Strings. Default: Not set. All client domains match, and any service group can be used.
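Host switching and URL switching in the HTTP template (Table 22) and client-domain switching in the SMTP template above all apply the same selection rule: starts-with filters are evaluated first, then contains, then ends-with, regardless of configuration order; the first filter type that matches decides; among matches of one type the most specific wins; with no match the virtual port's own service group is used. The model below is an added example written for this page, not A10 code. It treats "most specific" as the longest matching string (an assumption; ties fall to the alphabetically last group name), enforces the 16-rule limit the page gives for URL switching, and adds the url-hash-persist step that picks a server inside the chosen group from the first or last N bytes of the URL. The rule sets, service groups and server names are constructed, and SHA-256 stands in for the hash function, which the page does not name.

```python
import hashlib
from typing import Optional

# Evaluation order the page gives for host, URL and client-domain switching.
FILTER_ORDER = ("starts-with", "contains", "ends-with")


def _matches(kind: str, subject: str, pattern: str) -> bool:
    if kind == "starts-with":
        return subject.startswith(pattern)
    if kind == "contains":
        return pattern in subject
    if kind == "ends-with":
        return subject.endswith(pattern)
    raise ValueError(f"unknown match filter {kind!r}")


def select_service_group(rules, subject: str, vport_group: str,
                         max_rules: Optional[int] = None) -> str:
    """rules: (kind, string, service-group) tuples in configuration order.
    Returns the service group of the first filter type with a match; within that
    type the most specific match wins (assumption: longest string). With no match
    the virtual port's configured service group is returned."""
    if max_rules is not None and len(rules) > max_rules:
        raise ValueError(f"at most {max_rules} rules are allowed in this template")
    for kind in FILTER_ORDER:                      # configuration order is irrelevant
        hits = [(len(s), g) for k, s, g in rules
                if k == kind and _matches(kind, subject, s)]
        if hits:
            return max(hits)[1]                    # longest string; ties by group name
    return vport_group


def url_hash_server(url: str, servers: list, which: str = "first",
                    nbytes: int = 16) -> str:
    """url-hash-persist {first | last} bytes: hash the first or last N bytes of
    the URL and map the value onto a server of the selected service group."""
    if which not in ("first", "last") or not 4 <= nbytes <= 128:
        raise ValueError("url-hash-persist takes first|last and 4-128 bytes")
    data = url.encode()
    chunk = data[:nbytes] if which == "first" else data[-nbytes:]
    digest = int(hashlib.sha256(chunk).hexdigest(), 16)   # stand-in hash function
    return servers[digest % len(servers)]


def route_request(rules, subject: str, url: str, vport_group: str,
                  groups: dict, hash_spec=None) -> tuple:
    """Service group selection, then server selection inside the group: URL
    hashing when url-hash-persist is configured, otherwise a stand-in for the
    group's load-balancing method (the first server)."""
    group = select_service_group(rules, subject, vport_group, max_rules=16)
    servers = groups[group]
    server = url_hash_server(url, servers, *hash_spec) if hash_spec else servers[0]
    return group, server


if __name__ == "__main__":
    # Constructed host-switching rules, deliberately not in evaluation order.
    rules = [("ends-with", ".example.test", "sg-site"),
             ("contains", "api", "sg-api"),
             ("starts-with", "admin.", "sg-admin"),
             ("starts-with", "admin.api", "sg-admin-api")]
    groups = {"sg-vport": ["v1"], "sg-site": ["w1", "w2"],
              "sg-api": ["a1", "a2"], "sg-admin": ["m1"], "sg-admin-api": ["m2"]}
    for host in ("admin.api.example.test", "www.api.example.test", "other.test"):
        print(host, "->", route_request(rules, host, "/catalog/x", "sg-vport",
                                        groups, ("first", 8)))
```

When reviewing a template, feed this model the hostnames or URLs that matter and confirm each lands on the intended group: the common surprise is a broad contains rule that never fires because a starts-with rule elsewhere in the configuration matches first.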

TABLE 27 SMTP Template Parameters (Continued)

Command disable
  Description and Syntax: Disables support of certain SMTP commands. If a client tries to issue a disabled SMTP command, the AX sends the following message to the client: "502 Command not implemented"
    [no] command-disable [vrfy] [expn] [turn]
    Config > Service > Template > Application > SMTP
  Note: To disable all three commands, simply enter the following: command-disable
  Supported Values: Any of the following: VRFY, EXPN, TURN. Default: VRFY, EXPN, and TURN are enabled

Email server domain
  Description and Syntax: Email server domain. This is the domain for which the AX Series device provides SMTP load balancing.
    [no] server-domain name
    Config > Service > Template > Application > SMTP
  Supported Values: String. Default: "mail-server-domain"

Service ready message
  Description and Syntax: Text of the SMTP service-ready message sent to clients. The complete message sent to the client is constructed as follows: 200 smtp-domain service-ready-string
    [no] service-ready-message string
    Config > Service > Template > Application > SMTP
  Supported Values: String. Default: "ESMTP mail service ready"

STARTTLS requirement
  Description and Syntax: Specifies whether use of STARTTLS by clients is required.
    starttls {disable | optional | enforced}
    Config > Service > Template > Application > SMTP
  Supported Values: One of the following:
    • Disabled – Clients cannot use STARTTLS. Use this option if you need to disable STARTTLS support but you do not want to remove the configuration.
    • Optional – Clients can use STARTTLS but are not required to do so.
    • Enforced – Before any mail transactions are allowed, the client must issue the STARTTLS command to establish a secured session. If the client does not issue the STARTTLS command, the AX sends the following message to the client: "530 Must issue a STARTTLS command first"
    Default: Disabled
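The command-disable, server-domain, service-ready-message and starttls options of Table 27 together define how the virtual port answers a client before any mail is accepted. The session model below is an added example written for this page, not A10 code: it produces the greeting and the two refusal messages exactly as the page states them and shows that, with starttls enforced, EHLO is answered but MAIL, RCPT and DATA are refused until STARTTLS has been issued. The reply to a STARTTLS command when the option is disabled, the "220 Ready to start TLS" reply, and the "250 OK" stand-in for the real server's answers are assumptions made for the model; the greeting keeps the 200 code as the page gives it (RFC 5321 uses 220 for the greeting).

```python
class SmtpTemplate:
    """SMTP template settings from Table 27 (model for this page, not A10 code)."""

    def __init__(self, server_domain="mail-server-domain",
                 service_ready="ESMTP mail service ready",
                 command_disable=(), starttls="disable"):
        if starttls not in ("disable", "optional", "enforced"):
            raise ValueError("starttls must be disable, optional or enforced")
        disabled = {c.upper() for c in command_disable}
        if not disabled <= {"VRFY", "EXPN", "TURN"}:
            raise ValueError("command-disable accepts only vrfy, expn and turn")
        self.server_domain = server_domain
        self.service_ready = service_ready
        self.command_disable = disabled
        self.starttls = starttls


# Commands that start a mail transaction; under starttls enforced they are
# refused until the client has negotiated TLS.
MAIL_TRANSACTION = {"MAIL", "RCPT", "DATA"}


class SmtpSession:
    """One client session on a virtual port that uses the template."""

    def __init__(self, template: SmtpTemplate):
        self.t = template
        self.tls = False

    def greeting(self) -> str:
        # Format as the page states it: 200 smtp-domain service-ready-string
        return f"200 {self.t.server_domain} {self.t.service_ready}"

    def handle(self, line: str) -> str:
        """Reply to one client command line."""
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in self.t.command_disable:
            return "502 Command not implemented"
        if verb == "STARTTLS":
            if self.t.starttls == "disable":
                # The page gives no reply text for this case; assumption.
                return "502 Command not implemented"
            self.tls = True
            return "220 Ready to start TLS"          # assumption: RFC 3207 wording
        if self.t.starttls == "enforced" and not self.tls and verb in MAIL_TRANSACTION:
            return "530 Must issue a STARTTLS command first"
        return "250 OK"                               # stand-in for the server's reply


if __name__ == "__main__":
    hardened = SmtpTemplate(command_disable=("vrfy", "expn", "turn"), starttls="enforced")
    s = SmtpSession(hardened)
    print(s.greeting())
    # Constructed client dialogue: probing commands and a transaction before TLS.
    for cmd in ("EHLO client.example.test", "VRFY alice",
                "MAIL FROM:<a@example.test>", "STARTTLS", "MAIL FROM:<a@example.test>"):
        print(f"C: {cmd}\nS: {s.handle(cmd)}")
```

Walking the model through a client dialogue is a quick way to confirm what a template actually exposes: with the defaults, VRFY and EXPN answer and a transaction can start in the clear; with the three commands disabled and starttls enforced, address probing gets 502 and cleartext transactions get 530.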

SSL Session-ID Persistence Template Parameters

Table 28 lists the parameters you can configure in SSL session-ID persistence templates.

TABLE 28 SSL Session-ID Persistence Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template persist ssl-sid template-name
    Config > Service > Template > Persistent > SSL Session ID Persistence
  Supported Values: String of 1-31 characters. Default: "default".

Persistence Timeout
  Description and Syntax: Number of minutes the mapping of an SSL session ID to a real server and real server port persists after the last time traffic using the session ID is sent to the server.
    [no] timeout timeout-minutes
    Config > Service > Template > Persistent > SSL Session ID Persistence
  Supported Values: 1-250 minutes. Default: 5 minutes

Ignore connection limits
  Description and Syntax: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent SSL session ID. By default, the connection limit set on real servers and real ports is used.
    [no] dont-honor-conn-rules
    Config > Service > Template > Persistent > SSL Session ID Persistence
  Supported Values: Enabled or Disabled. Default: Disabled

Streaming-Media Template Parameters

Table 29 lists the parameters you can configure in streaming-media templates.

TABLE 29 Streaming-media Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template streaming-media template-name
    Config > Service > Template > Application > RTSP
  Supported Values: String of 1-31 characters. Default: "default".

TABLE 29 Streaming-media Template Parameters (Continued)

URI switching
  Description and Syntax: Service group to which to send requests for a specific URI.
    [no] uri-switching stream uri-string service-group group-name
    Config > Service > Template > Application > RTSP
  Supported Values: Name of a configured service group. Default: Requests are sent to the service group that is bound to the virtual port.

TCP Template Parameters

Table 30 lists the parameters you can configure in TCP templates.

TABLE 30 TCP Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template tcp template-name
    Config > Service > Template > L4 > TCP
  Supported Values: String of 1-31 characters. Default: "default".

Idle timeout
  Description and Syntax: Number of seconds a connection can remain idle before the AX Series device terminates it.
    [no] idle-timeout seconds
    Config > Service > Template > L4 > TCP
  Supported Values: 60-15000 seconds. Default: 120 seconds

Server reset
  Description and Syntax: Sends a TCP RST to the real server after a session times out.
    [no] reset-fwd
    Config > Service > Template > L4 > TCP
  Supported Values: Enabled or disabled. Default: Disabled

Client reset
  Description and Syntax: Sends a TCP RST to the client after a session times out.
  Note: If the server is Down, this option immediately sends the RST to the client and does not wait for the session to time out.
    [no] reset-rev
    Config > Service > Template > L4 > TCP
  Supported Values: Enabled or disabled. Default: Disabled

Initial window size
  Description and Syntax: Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK.
    [no] initial-window-size bytes
    Config > Service > Template > L4 > TCP
  Supported Values: 1-65535 bytes. Default: The AX device uses the TCP window size set by the client or server.

TCP-Proxy Template Parameters

Table 31 lists the parameters you can configure in TCP-proxy templates.

TABLE 31 TCP-Proxy Template Parameters

Template name
  Description and Syntax: Name of the template. The default template has the default values listed below.
    [no] slb template tcp-proxy template-name
    Config > Service > Template > TCP Proxy
  Supported Values: String of 1-31 characters. Default: "default".

FIN timeout
  Description and Syntax: Number of seconds that a connection can be in the FIN-WAIT or CLOSING state before the AX Series terminates the connection.
    [no] fin-timeout seconds
    Config > Service > Template > TCP Proxy
  Supported Values: 1-60 seconds. Default: 5 seconds

Idle timeout
  Description and Syntax: Number of seconds that a connection can be idle before the AX Series terminates the connection.
    [no] idle-timeout seconds
    Config > Service > Template > TCP Proxy
  Supported Values: 60-15000 seconds. Default: 600 seconds

Nagle algorithm
  Description and Syntax: Enables Nagle congestion compression (described in RFC 896).
    [no] nagle
    Config > Service > Template > TCP Proxy
  Supported Values: Enabled or disabled. Default: Disabled

Receive buffer size
  Description and Syntax: Maximum number of bytes addressed to the port that the AX Series will buffer.
    [no] receive-buffer number
    Config > Service > Template > TCP Proxy
  Supported Values: 1-2147483647 bytes. Default: 87380 bytes

Retransmit retries
  Description and Syntax: Number of times the AX Series can retransmit a data segment for which the AX Series does not receive an ACK.
    [no] retransmit-retries number
    Config > Service > Template > TCP Proxy
  Supported Values: 1-20. Default: 3

SYN retries
  Description and Syntax: Number of times the AX Series can retransmit a SYN for which the AX Series does not receive an ACK.
    [no] syn-retries number
    Config > Service > Template > TCP Proxy
  Supported Values: 1-20. Default: 5

Time-Wait
  Description and Syntax: Number of seconds that a connection can be in the TIME-WAIT state before the AX Series transitions it to the CLOSED state.
    [no] timewait number
    Config > Service > Template > TCP Proxy
  Supported Values: 1-60 seconds. Default: 5 seconds

TABLE 31  TCP-Proxy Template Parameters (Continued)

Parameter: Transmit buffer size
  Description and Syntax: Number of bytes sent by the port that the AX Series will buffer.
    [no] transmit-buffer number
    Config > Service > Template > TCP Proxy
  Supported Values: 1-2147483647. Default: 16384 bytes.

Parameter: Initial window size
  Description and Syntax: Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK.
    [no] initial-window-size bytes
    Config > Service > Template > TCP Proxy
  Supported Values: 1-65535 bytes. Default: The AX device uses the TCP window size set by the client or server.

UDP Template Parameters

Table 32 lists the parameters you can configure in UDP templates. The default template has the default values listed below.

TABLE 32  UDP Template Parameters

Parameter: Template name
  Description and Syntax: Name of the template.
    [no] slb template udp template-name
    Config > Service > Template > L4 > UDP
  Supported Values: String of 1-31 characters. Default: "default".

TABLE 32  UDP Template Parameters (Continued)

Parameter: Aging
  Description and Syntax: Specifies how quickly sessions are terminated when the request is received.
    aging {immediate | short [seconds]}
    Config > Service > Template > L4 > UDP
    Note: If you are configuring DNS load balancing, A10 Networks recommends using the immediate option.
  Supported Values: One of the following:
    • Immediate – Sessions are terminated as soon as a response is received.
    • Short – The AX device waits briefly before terminating a UDP session, after a request is received and sent out to the server. You can specify 1-32 seconds.
      – If you specify the number of seconds, the AX device waits the specified number of seconds after a request is received and sent out to the server, then terminates the session.
      – If you do not specify the number of seconds, sessions are terminated after the SLB maximum session life (MSL) time expires. (See "Global SLB Parameters" on page 628.)
    Default: Not set. The idle timeout value in the template is used instead.

Parameter: Idle timeout
  Description and Syntax: Number of seconds a connection can remain idle before the AX Series terminates it.
    [no] idle-timeout number
    Config > Service > Template > L4 > UDP
  Supported Values: 60-15000 seconds. Default: 120 seconds.

Parameter: Server reselection
  Description and Syntax: Configures the AX device to select another real server if the server that is bound to an active connection goes down. Without this option, another server is not selected.
    [no] re-select-if-server-down
    Config > Service > Template > L4 > UDP
  Supported Values: Enabled or disabled. Default: Disabled.

Global SLB Parameters

Table 33 lists the SLB parameters you can configure globally.

TABLE 33  Global SLB Parameters

Parameter: Server state
  Description and Syntax: Globally disables or re-enables a real or virtual server.
    {disable | enable} slb server [server-name] [port port-num]
    {disable | enable} slb virtual-server [server-name] [port port-num]
    Config > Service > SLB > Server
    Config > Service > SLB > Virtual Server
  Supported Values: Enabled or disabled. Default: Enabled.

Parameter: DSR health check
  Description and Syntax: Enables Layer 4-7 health checking in Direct Server Return (DSR) configurations.
    [no] slb dsr-health-check-enable
    Config > Service > SLB > Global > Settings
    Note: Additional configuration is required. See "Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments" on page 308.
  Supported Values: Enabled or disabled. Default: Disabled.

Parameter: Graceful shutdown
  Description and Syntax: Allows currently active sessions time to terminate normally before shutting down a service when you delete the real or virtual port providing the service. By default, graceful shutdown applies to all real and virtual servers, and applies only to deleted servers, not to disabled ones.
    [no] slb graceful-shutdown grace-period [server | virtual-server] [after-disable]
    Config > Service > SLB > Global > Settings
  Supported Values: 1-65535 seconds (about 18 hours). Default: Not set; all existing connections on the server or port are immediately terminated.

Parameter: Maximum session life
  Description and Syntax: Maximum session life following completion of a TCP flow.
    [slb] msl-time seconds
    Config > Service > SLB > Global > Settings
  Supported Values: 1-40 seconds. Default: 2 seconds.

TABLE 33  Global SLB Parameters (Continued)

Parameter: Hardware-based SYN cookies
  Description and Syntax: Enables system-wide protection against TCP SYN flood attacks. SYN cookies enable the AX device to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to consume system resources.
    [no] syn-cookie [on-threshold num off-threshold num]
    Config > Service > SLB > Global > Settings
    Note: This option is not supported on model AX 2000 or AX 2100.
  Supported Values: Disabled or Enabled.
    • On-Threshold – 0-2147483647 half-open connections. Specifies the maximum number of concurrent half-open TCP connections allowed on the AX device before SYN cookies are enabled. If the number of half-open TCP connections exceeds the on-threshold, the AX device enables SYN cookies.
    • Off-Threshold – 0-2147483647 half-open connections. Specifies the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. If the number of half-open TCP connections falls below this level, SYN cookies are disabled.
    Default: Disabled.
    Note: If you leave the On-Threshold and Off-Threshold fields blank, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the AX device.

Parameter: Use of IP pool default gateways by real servers
  Description and Syntax: Enables use of IP pool default gateways to forward traffic from real servers. When this option is enabled, the AX device checks the configured IP NAT pools for an IP address range that includes the server IP address (the source address of the traffic). If the address range in a pool does include the server's IP address, and a default gateway is defined for the pool, the AX device forwards the server traffic through the pool's default gateway.
    [no] slb snat-gwy-for-l3
    Note: This parameter is not configurable using the GUI.
  Supported Values: Enabled or disabled. Default: Disabled.

TABLE 33  Global SLB Parameters (Continued)

Parameter: Source-IP based connection rate limiting
  Description and Syntax: Protects the system from excessive connection requests from individual clients. For more information about this feature, see "Source-IP Based Connection Rate Limiting" on page 543.
    slb conn-rate-limit src-ip conn-limit per {100 | 1000} [shared] [exceed-action [log] [lock-out lockout-period]]
    Note: The current release does not support configuration of this feature using the GUI.
  Supported Values:
    Connection limit – 1-1000000. There is no default.
    Limit period – One of the following:
      • 100 milliseconds (one tenth of a second)
      • 1000 milliseconds (one second)
    Scope – One of the following:
      • Shared – Connection limit applies as an aggregate to all virtual ports.
      • Not shared – Connection limit applies separately to each virtual port. (This is the default behavior. There is no "Not shared" option.)
    Exceed actions – All connection requests in excess of the connection limit that are received from a client within the limit period are dropped. This action is enabled by default when you enable the feature, and can not be disabled. Optionally, you can enable one or both of the following additional exceed actions:
      • Logging – Generates a log message when a client exceeds the connection limit.
      • Lockout – Locks out the client for a specified number of seconds. During the lockout period, all connection requests from the client are dropped. The lockout period can be 1-3600 seconds (1 hour).
    Default: Not configured.
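The semantics above (a per-client limit counted per 100 ms or 1000 ms period, shared across virtual ports or per port, excess connections always dropped, with optional logging and lock-out) are modelled below as an added example. This is not A10 code and not the device's implementation; the assumption that the limit period is counted in fixed intervals keyed on the timestamp, and the class and method names, are mine.

```python
"""Model of source-IP based connection rate limiting as the table describes it.
Added example (not A10 code): fixed-interval periods keyed on the timestamp
and the names below are assumptions, not the device's own implementation."""
from collections import defaultdict


class SrcIpConnRateLimiter:
    def __init__(self, conn_limit, period_ms=1000, shared=False, log=False, lockout_s=None):
        # Ranges as listed in the table for this parameter.
        if not 1 <= conn_limit <= 1_000_000:
            raise ValueError("conn-limit is 1-1000000")
        if period_ms not in (100, 1000):
            raise ValueError("limit period is 100 or 1000 milliseconds")
        if lockout_s is not None and not 1 <= lockout_s <= 3600:
            raise ValueError("lockout period is 1-3600 seconds")
        self.conn_limit = conn_limit
        self.period_ms = period_ms
        self.shared = shared                  # True: aggregate over all virtual ports
        self.log_enabled = log
        self.lockout_ms = lockout_s * 1000 if lockout_s else None
        self.counts = defaultdict(int)        # (key, period index) -> connections counted
        self.locked_until = {}                # key -> time in ms when the lock-out ends
        self.log = []                         # log messages generated on exceed

    def _key(self, src_ip, vport):
        # Shared scope counts the client once; otherwise each virtual port is separate.
        return src_ip if self.shared else (src_ip, vport)

    def admit(self, src_ip, vport, now_ms):
        """Return "accept", "drop" (over the limit) or "drop-lockout"."""
        key = self._key(src_ip, vport)
        if self.locked_until.get(key, -1) > now_ms:
            return "drop-lockout"             # every request is dropped while locked out
        bucket = (key, now_ms // self.period_ms)
        if self.counts[bucket] >= self.conn_limit:
            # Dropping the excess request is mandatory; log and lock-out are optional.
            if self.log_enabled:
                self.log.append(f"{now_ms}ms: {src_ip} exceeded {self.conn_limit} "
                                f"connections per {self.period_ms}ms")
            if self.lockout_ms:
                self.locked_until[key] = now_ms + self.lockout_ms
            return "drop"
        self.counts[bucket] += 1
        return "accept"


def demo():
    """Constructed sequence: one client, limit 3 per second, log and 2 s lock-out."""
    limiter = SrcIpConnRateLimiter(3, 1000, shared=True, log=True, lockout_s=2)
    client = "203.0.113.10"                   # constructed documentation address
    return [limiter.admit(client, 80, t) for t in (0, 100, 200, 300, 400, 1500, 2400)], limiter.log
```

The fourth request in `demo()` is the first one over the limit: it is dropped, produces the single log line, and starts the lock-out, so the requests at 400 ms and 1500 ms are dropped without further logging, and service resumes at 2400 ms.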

TABLE 33  Global SLB Parameters (Continued)

Parameter: Auto-port translation range
  Description and Syntax: Configures a range of protocol ports for auto-translation. Auto-translation allows real server protocol port numbers to differ from the protocol port numbers used on a virtual server bound to the real servers.
    [no] slb auto-translate-port range number range-start port-num range-end port-num
    Config > Service > SLB > Global > Auto Translation
    Note: To determine whether you need to change an auto-port translation range for your configuration, see "Auto-Port Translation" on page 675. You do not need to reconfigure an auto-port translation range unless the real or virtual port number is non-standard (above 1023).
    Note: If you configure a port range, the ports in the range are reserved and can not be used by other features (for example, NAT pools), in configurations that do not use source NAT. To prevent depletion of available ports, it is recommended to use a narrow port range.
  Supported Values: Range number: 1-3. Default: Protocol ports 0-1023 assigned to each range.

Parameter: Hardware-based content compression
  Description and Syntax: Enables hardware-based compression. Hardware-based compression is available using an optional hardware module in new AX devices, on the following models: AX 2100, AX 2200, AX 3100, and AX 3200. If this option does not appear on your AX device, the device does not contain a compression module. When you enable hardware-based compression, all compression settings configured in HTTP templates, except the compression level, are used. Hardware-based compression always uses the same compression level, regardless of the compression level configured in an HTTP template.
    [no] slb hw-compression
    Note: This parameter is not configurable using the GUI.
  Supported Values: Enabled or disabled. Default: Disabled.

Parameter: Fast-path processing
  Description and Syntax: Enables fast-path processing, wherein the AX device does not perform a deep inspection of every field within a packet.
    [no] slb fast-path-disable
    Note: This parameter is not configurable using the GUI.
  Supported Values: Enabled (slb fast-path-disable) or disabled (no slb fast-path-disable). Default: Enabled. Deep inspection of every packet field is enabled.

Real Server Parameters

Table 34 lists the parameters you can configure on real servers.

TABLE 34  Real Server Parameters

Parameter: Server name and IP address
  Description and Syntax: Name and IP address of the real server. The name is not required to be the hostname configured on the real server. The IP address must be the real IP address of the server.
    [no] slb server server-name ipaddr
    Config > Service > SLB > Server
  Supported Values: String of 1-31 characters; IPv4 or IPv6 address. Default: None configured.
  Configurable in Real Server Template?: N/A

Parameter: Server state
  Description and Syntax: State of the real server.
    [no] {disable | enable}
    Config > Service > SLB > Server
  Supported Values: Enabled or disabled. Default: Enabled.
  Configurable in Real Server Template?: No

Parameter: Real server template
  Description and Syntax: Configuration template of real server parameters.
    [no] slb template server template-name
    Config > Service > SLB > Template > Server
  Supported Values: Name of a configured real server template. Default: "Default" real server template.
  Configurable in Real Server Template?: N/A

Parameter: Health check
  Description and Syntax: Enables or disables Layer 3 health monitoring and specifies the monitor to use.
    [no] health-check [monitor-name]
    Config > Service > SLB > Server
  Supported Values: Enabled or disabled; name of a configured health monitor. Default: Enabled, ping (ICMP).
  Configurable in Real Server Template?: Yes

Parameter: Connection limit
  Description and Syntax: Number of concurrent connections allowed on a real server.
    [no] conn-limit max-connections
    Config > Service > SLB > Server
  Supported Values: 1-1000000 (one million) if configured on the real server; 1-1048575 if configured in the server template. Default: 1000000 if configured on the real server; 1048575 if configured in the server template.
  Configurable in Real Server Template?: Yes

TABLE 34  Real Server Parameters (Continued)

Parameter: Connection resume
  Description and Syntax: Maximum number of connections the server can have before the AX device resumes use of the server. Use does not resume until the number of connections reaches the configured maximum or less. The AX device is allowed to start sending new connection requests to the server as soon as the number of connections on the server falls back below the connection limit.
    [no] conn-resume connections
    Config > Service > SLB > Server
  Supported Values: 1-1000000 (one million) connections. Default: Not set.
  Configurable in Real Server Template?: Yes, but as additional parameter with conn-limit command (CLI) or additional field under Connection Limit Status (GUI).

Parameter: Service port
  Description and Syntax: TCP or UDP port number.
    [no] port port-num {tcp | udp}
    Config > Service > SLB > Server - Port tab
    (For parameters you can set on the service port, see "Real Service Port Parameters" on page 634.)
  Supported Values: Transport protocol: TCP or UDP. Port number: 0-65534. Default: None configured.
  Configurable in Real Server Template?: N/A

Parameter: Slow start
  Description and Syntax: Allows time for a server to ramp up after the server is enabled or comes online, by temporarily limiting the number of new connections on the server. See "Slow-Start" on page 294.
    [no] slow-start
    Config > Service > SLB > Server - Port tab
  Supported Values: Enabled or disabled. Default: Disabled.
  Configurable in Real Server Template?: Yes. Note: Template configuration of this feature provides additional options.

Parameter: Weight
  Description and Syntax: Administrative weight of the server, used for weighted load balancing (weighted-least-connection or weighted-round-robin).
    [no] weight num
    Config > Service > SLB > Server
  Supported Values: 1-100. Default: 1.
  Configurable in Real Server Template?: No

Parameter: External IP address
  Description and Syntax: External IP address, used for reaching a server in a private network from outside the network.
    [no] external-ip ipaddr
    Note: This parameter can not be configured using the GUI.
  Supported Values: Valid IP address. Default: Not set.
  Configurable in Real Server Template?: No

TABLE 34  Real Server Parameters (Continued)

Parameter: Spoofing cache
  Description and Syntax: Enables support for a spoofing cache server. A spoofing cache server uses the client's IP address instead of its own as the source address when obtaining content requested by the client. This command applies to the Transparent Cache Switching (TCS) feature.
    [no] spoofing-cache
    Note: This parameter can not be configured using the GUI.
  Supported Values: Enabled or disabled. Default: Disabled.
  Configurable in Real Server Template?: No

Real Service Port Parameters

Table 35 lists the parameters you can configure on individual service ports on real servers.

TABLE 35  Real Service Port Parameters

Parameter: Service port number and transport protocol
  Description and Syntax: TCP or UDP port number. In the CLI, this is set at the real server configuration level. In the GUI, this is set on the Port tab.
    [no] port port-num {tcp | udp}
    Config > Service > SLB > Server - Port tab
  Supported Values: TCP or UDP; 0-65534. Default: Not set. Note: Port number 0 is a wildcard port used for IP protocol load balancing. (For more information, see "IP Protocol Load Balancing" on page 221.)
  Configurable in Real Port Template?: N/A

Parameter: Service port state
  Description and Syntax: State of the service port.
    [no] {disable | enable}
    Config > Service > SLB > Server - Port tab
  Supported Values: Enabled or disabled. Default: Enabled.
  Configurable in Real Port Template?: No

Parameter: Real server port template
  Description and Syntax: Configuration template of real port parameters.
    [no] slb template port template-name
    Config > Service > SLB > Template > Server Port
  Supported Values: Name of a configured real port template. Default: "Default" real port template.
  Configurable in Real Port Template?: N/A

TABLE 35  Real Service Port Parameters (Continued)

Parameter: Health check
  Description and Syntax: Enables or disables health monitoring and specifies the monitor to use.
    [no] health-check [monitor-name]
    Config > Service > SLB > Server - Port tab
  Supported Values: Enabled or disabled; name of a configured health monitor. Default: The AX performs the default TCP or UDP check every 30 seconds. (See "Default Health Checks" on page 297.)
  Configurable in Real Port Template?: Yes

Parameter: Connection limit
  Description and Syntax: Number of concurrent connections allowed on the service port.
    [no] conn-limit max-connections
    Config > Service > SLB > Server - Port tab
  Supported Values: 1-1000000 (one million) if configured on the server port; 1-1048575 if configured in the server port template. Default: 1000000 if configured on the server port; 1048575 if configured in the server port template.
  Configurable in Real Port Template?: Yes

Parameter: Connection resume
  Description and Syntax: Maximum number of connections the port can have before the AX device resumes use of the port. Use does not resume until the number of connections reaches the configured maximum or less. The AX device is allowed to start sending new connection requests to the port as soon as the number of connections on the port falls back below the connection limit.
    [no] conn-resume connections
    Config > Service > SLB > Server - Port tab
  Supported Values: 1-1000000 (one million) connections. Default: Not set.
  Configurable in Real Port Template?: Yes, but as additional parameter with conn-limit command (CLI) or additional field under Connection Limit Status (GUI).

Parameter: Weight
  Description and Syntax: Administrative weight of the service port, used for weighted load balancing (service-weighted-least-connection).
    [no] weight num
    Config > Service > SLB > Server - Port tab
  Supported Values: 1-100. Default: 1.
  Configurable in Real Port Template?: Yes
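Two parameters in these tables are two-threshold gates with hysteresis: the global hardware SYN-cookie setting turns cookies on when half-open connections exceed the on-threshold and off only when they fall below the off-threshold, and a real server or service port stops receiving new connections at its connection limit and is used again once connections drop to the connection-resume value or below (or, with no resume value, as soon as they fall below the limit). The added example below models both with one gate; it is illustration, not A10 code, and sampling the counts at discrete points in time is an assumption.

```python
"""Hysteresis gating shared by SYN-cookie on/off thresholds and by
conn-limit / conn-resume.  Added example (not A10 code); the discrete sampling
of connection counts and the function names are assumptions."""


class HysteresisGate:
    """Engage when the level crosses `engage_at`; release when it drops to `release_at`."""

    def __init__(self, engage_at, release_at, engage_inclusive, release_inclusive):
        if release_at > engage_at:
            raise ValueError("release threshold must not exceed engage threshold")
        self.engage_at = engage_at
        self.release_at = release_at
        self.engage_inclusive = engage_inclusive      # engage at level == engage_at?
        self.release_inclusive = release_inclusive    # release at level == release_at?
        self.engaged = False

    def update(self, level):
        if not self.engaged:
            if level > self.engage_at or (self.engage_inclusive and level == self.engage_at):
                self.engaged = True
        elif level < self.release_at or (self.release_inclusive and level == self.release_at):
            self.engaged = False
        return self.engaged


def syn_cookie_trace(half_open_samples, on_threshold=None, off_threshold=None):
    """Per sample, whether SYN cookies are active.
    Cookies engage when the count exceeds on-threshold and release when it falls
    below off-threshold; blank thresholds mean always on, as the table notes."""
    if on_threshold is None or off_threshold is None:
        return [True] * len(half_open_samples)
    gate = HysteresisGate(on_threshold, off_threshold,
                          engage_inclusive=False, release_inclusive=False)
    return [gate.update(n) for n in half_open_samples]


def new_connections_allowed(conn_samples, conn_limit, conn_resume=None):
    """Per sample, whether the AX would send the server (or port) new connections.
    Use stops when the count reaches conn-limit and resumes once it is at or below
    conn-resume; without conn-resume it resumes as soon as the count is below the limit."""
    release = conn_limit - 1 if conn_resume is None else conn_resume
    gate = HysteresisGate(conn_limit, release,
                          engage_inclusive=True, release_inclusive=True)
    return [not gate.update(n) for n in conn_samples]
```

With an on-threshold of 1000 and an off-threshold of 500, a count that rises to 1001, drops to 700 and then to 499 keeps cookies on through the 700 sample and releases only at 499; the gap between the two thresholds is what prevents the feature from flapping around a single value.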

TABLE 35  Real Service Port Parameters (Continued)

Parameter: No-SSL
  Description and Syntax: Disables SSL for server-side connections. Encryption is disabled by default, but it is enabled for server-side connections when the real port is used by a virtual port that is bound to a server-SSL template. This option is useful if a server-SSL template is bound to the virtual port that uses this real port, and you want to disable encryption on this real port.
    [no] no-ssl
    Config > Service > SLB > Server - Port tab
  Supported Values: Enabled or disabled. Default: Disabled (SSL is enabled).
  Configurable in Real Port Template?: No

Service Group Parameters

Table 36 lists the parameters you can configure in service groups.

TABLE 36  Service Group Parameters

Parameter: Service group name and type
  Description and Syntax: Name of a service group and the transport protocol used by service ports in the group.
    [no] slb service-group group-name {tcp | udp}
    Config > Service > SLB > Service Group
  Supported Values: String of 1-31 characters; TCP or UDP. Default: None configured.

Parameter: Member
  Description and Syntax: Real servers and service ports managed by the group.
    [no] member server-name:portnum [disable | enable] [priority num] [template port template-name]
    Config > Service > SLB > Service Group
    The enable | disable options change the server and port state within the service group only.
    The priority option enables you to designate some real servers as backups (the lower priority servers) to be used only if the higher priority servers all are unavailable.
    The template option binds a real port template to the port.
  Supported Values: Name of a configured real server, and a service port number configured on the server. The priority can be 1-16. Default priority: 1.

TABLE 36  Service Group Parameters (Continued)

Parameter: Load balancing method
  Description and Syntax: Algorithm used to select a real server and service port to fulfil a client's request.
    [no] method lb-method
    Config > Service > SLB > Service Group
    Note: The fastest-response algorithm takes effect only if the traffic rate on the servers is at least 5 connections per second (per server). If the traffic rate is lower, the first server in the service group usually is selected.
  Supported Values: One of the following:
    • Fastest-response – Selects the server with the fastest SYN-ACK response time.
    • Least-connection – Selects the server that currently has the fewest connections.
    • Service-least-connection – Selects the server port that currently has the lowest number of total request bytes and total response bytes, added together. If there is a tie (two or more server ports have the lowest number of total request and response bytes, combined), SLB randomly selects a server port.
    • Service-weighted-least-connection – Same as weighted-least-connection, but per service.
    • Weighted-least-connection – Selects a server based on a combination of the server's administratively assigned weight and the number of connections on the server.
    • Weighted-round-robin – Selects servers in rotation, biased by the servers' administratively assigned weights. If the weight value is the same on each server, this load-balancing method simply selects the servers in rotation.
    Default: Round robin (simple rotation without weighting).

Parameter: Health monitor
  Description and Syntax: Assigns a health monitor to all members in the service group. This option is useful in cases where the same server provides content for multiple, independent sites. When you use this feature, if a site is unavailable (for example, is taken down for maintenance), the server will fail the health check for that site, and clients will not be sent to the site. However, other sites on the same server will pass their health checks, and clients of those sites will be sent to the server.
    [no] health-check monitor-name
    Config > Service > SLB > Service Group
  Supported Values: The default health monitor (IP ping) or the name of a configured health monitor. Default: Not set.
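The member-selection rules from the Member and Load balancing method rows (backups by priority, then one of the listed methods among the highest-priority members that are up) are worked through in the added example below. It is not A10 code; the `Member` fields, the smooth weighted rotation used for weighted-round-robin, and the connections-divided-by-weight formula for weighted-least-connection are assumptions, and the random tie-break for service-least-connection is seeded only so the result is reproducible.

```python
"""Service-group member selection for the methods listed in Table 36, with
priority-based backups.  Added example (not A10 code): the Member fields,
the smooth weighted rotation and the weighted-least-connection formula are
assumptions about behaviour the table describes only in words."""
import random
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int = 1          # administrative weight, 1-100
    priority: int = 1        # 1-16; lower-priority members are backups
    up: bool = True          # health-check result
    connections: int = 0
    request_bytes: int = 0
    response_bytes: int = 0
    syn_ack_ms: float = 0.0  # measured SYN-ACK response time


class ServiceGroup:
    METHODS = ("round-robin", "weighted-round-robin", "least-connection",
               "weighted-least-connection", "service-least-connection",
               "fastest-response")

    def __init__(self, members, method="round-robin", seed=0):
        if method not in self.METHODS:
            raise ValueError(f"unknown load-balancing method: {method}")
        self.members = members
        self.method = method
        self.rng = random.Random(seed)   # seeded so the tie-break is reproducible
        self.rr_index = 0                # position for plain rotation
        self.current = {}                # running weights for weighted rotation

    def candidates(self):
        """Up members at the highest priority that still has any member up:
        backups are used only when every higher-priority member is unavailable."""
        up = [m for m in self.members if m.up]
        if not up:
            return []
        best = max(m.priority for m in up)
        return [m for m in up if m.priority == best]

    def select(self):
        """Return the chosen member's name, or None if no member is available."""
        pool = self.candidates()
        if not pool:
            return None
        if self.method == "round-robin":
            member = pool[self.rr_index % len(pool)]
            self.rr_index += 1
        elif self.method == "weighted-round-robin":
            # Smooth weighted rotation: with equal weights this is plain rotation.
            total = sum(m.weight for m in pool)
            for m in pool:
                self.current[m.name] = self.current.get(m.name, 0) + m.weight
            member = max(pool, key=lambda m: self.current[m.name])
            self.current[member.name] -= total
        elif self.method == "least-connection":
            member = min(pool, key=lambda m: m.connections)
        elif self.method == "weighted-least-connection":
            member = min(pool, key=lambda m: m.connections / m.weight)  # assumed formula
        elif self.method == "service-least-connection":
            # Lowest request+response bytes; ties are broken randomly (per the table).
            lowest = min(m.request_bytes + m.response_bytes for m in pool)
            tied = [m for m in pool if m.request_bytes + m.response_bytes == lowest]
            member = self.rng.choice(tied)
        else:  # fastest-response
            member = min(pool, key=lambda m: m.syn_ack_ms)
        return member.name
```

With members a (weight 2) and b (weight 1) under weighted-round-robin, six selections yield a, b, a, a, b, a, a 2:1 split without sending two consecutive requests to b; mark both priority-2 members down and the priority-1 backup is chosen, mark it down too and `select()` returns None.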

TABLE 36  Service Group Parameters (Continued)

Parameter: Minimum active members
  Description and Syntax: Uses backup servers even if some primary servers are up. Otherwise, backup servers are used only if all primary servers are unavailable. To configure this parameter, specify the number of primary servers that can still be active before the backup servers are used. The skip-pri-set option specifies whether the remaining primary servers continue to be used. When you configure this parameter, the AX device uses only the backup servers and stops using any of the primary servers. If you use this option, for all load-balancing methods except round-robin, the skip-pri-set option is disabled by default. For round-robin (the default), skip-pri-set is always enabled and can not be disabled.
    [no] min-active-member num [skip-pri-set]
    Config > Service > SLB > Service Group
  Supported Values: 1-63. Default: Not set.

Virtual Server Parameters

Table 37 lists the parameters you can configure on virtual servers.

TABLE 37  Virtual Server Parameters

Parameter: Virtual server name and virtual IP address
  Description and Syntax: Name to identify the virtual server on the AX device, and the virtual IP address that clients will request.
    [no] slb virtual-server name ipaddr
    Config > Service > SLB > Virtual Server
  Supported Values: String of 1-31 characters; IPv4 or IPv6 address. Default: None configured.
  Configurable in Virtual Server Template?: N/A

Parameter: Virtual server state
  Description and Syntax: State of the virtual server. The when-all-ports-down option automatically disables the virtual server if all its service ports are down. If OSPF redistribution of the VIP is enabled, the AX device also withdraws the route to the VIP in addition to disabling the virtual server.
    [no] {disable [when-all-ports-down] | enable}
    Config > Service > Server > Virtual Server
    Note: The when-all-ports-down option is not configurable using the GUI.
  Supported Values: Enabled or disabled. Default: Virtual servers are enabled by default. The when-all-ports-down option is disabled by default.
  Configurable in Virtual Server Template?: No

TABLE 37  Virtual Server Parameters (Continued)

Parameter: Virtual server template
  Description and Syntax: Configuration template of virtual server parameters.
    [no] slb template virtual-server template-name
    Config > Service > SLB > Template > Virtual Server
  Supported Values: Name of a configured virtual server template. Default: "Default" virtual server template.
  Configurable in Virtual Server Template?: N/A

Parameter: Virtual service port number and service type
  Description and Syntax: Service port number and service type.
    [no] port port-num service-type
    Config > Service > SLB > Virtual Server - Port tab
    Service type can be one of the following:
    • fast-http – Streamlined Hypertext Transfer Protocol (HTTP) service
    • ftp – File Transfer Protocol
    • http – HTTP
    • https – Secure HTTP (SSL)
    • mms – Multimedia Messaging Service
    • rtsp – Real Time Streaming Protocol
    • sip – Session Initiation Protocol
    • smtp – Simple Mail Transfer Protocol
    • ssl-proxy – SSL proxy service
    • tcp – Transmission Control Protocol
    • udp – User Datagram Protocol
    • others – Wildcard port used for IP protocol load balancing. (For more information, see "IP Protocol Load Balancing" on page 221.)
    (For parameters you can set on the service port, see "Virtual Service Port Parameters" on page 640.)
  Supported Values: Port number: 0-65535. Service type: fast-http, ftp, http, https, mms, rtsp, sip, smtp, ssl-proxy, tcp, udp, others. Default: None configured.
  Configurable in Virtual Server Template?: N/A

Parameter: HA group ID
  Description and Syntax: HA group ID to use for session backup.
    [no] ha-group group-id
    Config > Service > SLB > Virtual Server
  Supported Values: 1-31. Default: Not set.
  Configurable in Virtual Server Template?: No

Parameter: ARP disable
  Description and Syntax: Disables or re-enables ARP replies from a virtual server.
    [no] arp-disable
    Config > Service > SLB > Virtual Server
  Supported Values: Enabled or disabled. Default: Disabled; ARP replies are enabled.
  Configurable in Virtual Server Template?: No

TABLE 37  Virtual Server Parameters (Continued)

Parameter: VIP-based High Availability (HA) failover
  Description and Syntax: Enables dynamic failover based on server weight. The configured amount is subtracted from the HA group's priority value for each real server that goes down.
    [no] ha-dynamic server-weight
    Config > Service > SLB > Virtual Server
  Supported Values: 1-255. Default: Not set.
  Configurable in Virtual Server Template?: No

Virtual Service Port Parameters

Table 38 lists the parameters you can configure on individual service ports on virtual servers.

TABLE 38  Virtual Service Port Parameters

Parameter: Virtual service port number and service type
  Description and Syntax: Service port number and service type. In the CLI, this is set at the virtual server configuration level. In the GUI, this is set on the Virtual Server Port tab.
    [no] port port-num service-type
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
    Service type can be one of the following:
    • fast-http – Streamlined Hypertext Transfer Protocol (HTTP) service
    • ftp – File Transfer Protocol
    • http – HTTP
    • https – Secure HTTP (SSL)
    • mms – Multimedia Messaging Service
    • rtsp – Real Time Streaming Protocol
    • sip – Session Initiation Protocol
    • smtp – Simple Mail Transfer Protocol
    • ssl-proxy – SSL proxy service
    • tcp – Transmission Control Protocol
    • udp – User Datagram Protocol
  Supported Values: Port number: 0-65535. Service type: fast-http, ftp, http, https, mms, rtsp, sip, smtp, ssl-proxy, tcp, udp. Default: None configured.
  Configurable in Virtual Port Template?: N/A

TABLE 38  Virtual Service Port Parameters (Continued)

Parameter: Virtual service port state
  Description and Syntax: State of the virtual service port.
    [no] {disable | enable}
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
  Supported Values: Enabled or disabled. Default: Enabled.
  Configurable in Virtual Port Template?: No

Parameter: Virtual port template
  Description and Syntax: Configuration template of virtual port parameters.
    [no] slb template virtual-port template-name
    Config > Service > SLB > Template > Virtual Server Port
  Supported Values: Name of a configured virtual port template. Default: "Default" virtual port template.
  Configurable in Virtual Port Template?: N/A

Parameter: Service group
  Description and Syntax: Service group bound to the virtual service port. The AX device uses real servers and ports in the service group to fulfill requests for the virtual service port.
    [no] service-group group-name
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
  Supported Values: Name of a configured service group. Default: Not set.
  Configurable in Virtual Port Template?: No

Parameter: Template
  Description and Syntax: Connection or application template to use for service port parameters.
    [no] template template-type template-name
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
  Supported Values: Template type: One of the types described in "Service Template Parameters" on page 599. Template name: Name of a configured template. Default: Depends on whether the template type has a default and whether the service type uses that template type. (See "Service Template Parameters" on page 599.)
  Configurable in Virtual Port Template?: N/A

TABLE 38  Virtual Service Port Parameters (Continued)

Parameter: Access Control List (ACL)
  Description and Syntax: ID of an ACL. If you do not also specify a NAT pool name, the ACL is used to deny or permit inbound traffic on the service port. If you do specify a NAT pool name, the ACL does not permit or deny traffic. Instead, it binds the source addresses in the ACL to the NAT pool. The NAT pool is used only for the client addresses in the ACL.
    [no] access-list acl-num [source-nat-pool pool-name]
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
  Supported Values: Valid standard or extended ACL ID. Default: None.
  Configurable in Virtual Port Template?: No

Parameter: aFleX policy
  Description and Syntax: aFleX policy to use for custom SLB processing.
    [no] aflex aflex-name
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
  Supported Values: Name of a configured aFleX policy. Default: None.
  Configurable in Virtual Port Template?: No

Parameter: Connection limit
  Description and Syntax: Number of concurrent connections allowed on the virtual service port.
    [no] conn-limit number
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
  Supported Values: 0-8000000 (8 million). 0 means no limit. Default: Not set.
  Configurable in Virtual Port Template?: Yes, but the range is 1-1048575.

Parameter: Session synchronization (connection mirroring)
  Description and Syntax: Backs up session information on the Standby AX device in an HA configuration. When this option is enabled, sessions remain up even following a failover.
    [no] ha-conn-mirror
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
  Supported Values: Enabled or disabled. Default: Disabled.
  Configurable in Virtual Port Template?: No

Parameter: Direct Server Return (DSR)
  Description and Syntax: Disables destination NAT, so that server responses go directly to clients.
    [no] no-dest-nat
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
  Supported Values: Enabled or disabled. Default: Disabled; destination NAT is enabled.
  Configurable in Virtual Port Template?: No

TABLE 38  Virtual Service Port Parameters (Continued)

Parameter: Policy-based SLB (PBSLB)
  Description and Syntax: Uses a black/white list to allow or deny clients who request the service port, select service groups for allowed clients, and drop or reset connections if the connection limit is reached. (For information about PBSLB, see "Policy-Based SLB (PBSLB)" on page 563.)
    [no] pbslb bw-list name
    [no] pbslb id id {service service-group-name | drop | reset} [logging [minutes [fail]]]
    [no] pbslb over-limit {drop | reset}
    Note: In the GUI, PBSLB can only be configured and applied using PBSLB policy templates.
    Note: If the option to use default selection if preferred server selection fails is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.
  Supported Values: Name of a configured black/white list. The list must be imported onto the AX device. Default: Not set.
  Configurable in Virtual Port Template?: No

Parameter: Source NAT
  Description and Syntax: Name of a pool of IP addresses to use for Network Address Translation (NAT).
    [no] source-nat pool pool-name
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
    Note: This option is not applicable to the mms or rtsp service types.
  Supported Values: Name of a configured source NAT pool. Default: Not set.
  Configurable in Virtual Port Template?: No

Parameter: Software-based protection against TCP SYN flood attacks
  Description and Syntax: Protects against TCP SYN floods. (See "SYN Cookies" on page 535.)
    [no] syn-cookie [sack]
    Config > Service > SLB > Virtual Server - Virtual Server Port tab
    Note: If hardware-based SYN cookies are supported on the AX model you are configuring, use that version of the feature instead.
  Supported Values: Enabled or disabled. Default: Disabled.
  Configurable in Virtual Port Template?: No

TABLE 38 Virtual Service Port Parameters (Continued)

Parameter: Use receive hop for responses
Description and syntax: Sends replies to clients back through the last hop on which the request for the virtual port's service was received.
[no] use-rcv-hop-for-resp
Config > Service > SLB > Virtual Server - Virtual Server Port tab
Supported values: Enabled or disabled. Default: Disabled
Configurable in virtual port template? No

TABLE 38 Virtual Service Port Parameters (Continued)

Parameter: Default selection if preferred server selection fails
Description and syntax: Continues checking for an available server in other service groups if all of the servers are down in the first service group selected by SLB.
During SLB selection of the preferred server to use for a client request, SLB checks the following configuration areas, in the order listed:
1. Policy-based SLB (black/white lists). PBSLB is a Layer 3 configuration item because it matches on IP addresses in black/white lists.
2. Layer 3-4 configuration items:
   a. aFleX policies triggered by Layer 4 events
   b. Host switching
3. Layer 7 configuration items:
   a. Cookie switching
   b. aFleX policies triggered by Layer 7 events
   c. URL switching
   d. Default service group
The first configuration area that matches the client or VIP (as applicable) is used, and the client request is sent to a server in the service group that is applicable to that configuration area. For example, if the client's IP address is in a black/white list, the service group specified by the list is used for the client request. If none of the items above results in selection of a server, the default service group is used.
• If the configuration uses only one service group, this is the default service group.
• If the configuration uses multiple service groups, the default service group is the one that is used if none of the templates used by the configuration selects another service group instead.
[no] def-selection-if-pref-failed
Config > Service > SLB > Virtual Server - Virtual Server Port tab
Supported values: Enabled or disabled. Default: Enabled
Configurable in virtual port template? No

TABLE 38 Virtual Service Port Parameters (Continued)

Parameter: GSLB enable (DNS proxy ports only)
Description and syntax: Enables a DNS port to function as a proxy for Global Server Load Balancing (GSLB) for this virtual port.
[no] gslb-enable
Config > Service > SLB > Virtual Server - Virtual Server Port tab
Note: This option applies only to DNS ports and only for a virtual service port on a virtual server that will be used as a DNS proxy on the GSLB AX device.
Supported values: Enabled or disabled. Default: Disabled
Configurable in virtual port template? No
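The server-selection order and the "default selection if preferred server selection fails" behaviour described in Table 38, modelled as an added Python example. This is not A10 code: the Request and VirtualPort classes, the matcher callables standing in for black/white lists, host switching and URL switching, and the sample service-group names are all assumptions made for the illustration. It also reproduces the note that server-selection failures are not logged while the option is enabled.

```python
"""Model of the AX preferred-server selection order (added example, not A10 code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Configuration areas in the order Table 38 lists them; first match wins.
SELECTION_ORDER = (
    "pbslb",      # 1.  policy-based SLB (black/white list, matches client IP)
    "aflex_l4",   # 2a. aFleX policies triggered by Layer 4 events
    "host",       # 2b. host switching
    "cookie",     # 3a. cookie switching
    "aflex_l7",   # 3b. aFleX policies triggered by Layer 7 events
    "url",        # 3c. URL switching
    "default",    # 3d. default service group
)

@dataclass
class Request:                      # hypothetical client request
    client_ip: str
    host: str = ""
    url: str = "/"
    cookie: Optional[str] = None

@dataclass
class VirtualPort:                  # hypothetical in-memory view of a virtual port
    service_groups: Dict[str, List[bool]]   # group name -> up/down flag per server
    default_group: str
    matchers: Dict[str, Callable[[Request], Optional[str]]] = field(default_factory=dict)
    def_selection_if_pref_failed: bool = True    # page default: enabled

def preferred_group(port: VirtualPort, req: Request) -> str:
    """Walk the configuration areas in order; the first one naming a group wins."""
    for area in SELECTION_ORDER:
        if area == "default":
            return port.default_group
        matcher = port.matchers.get(area)
        if matcher is not None:
            chosen = matcher(req)
            if chosen is not None:
                return chosen
    return port.default_group

def has_server_up(port: VirtualPort, group: str) -> bool:
    return any(port.service_groups.get(group, []))

def select(port: VirtualPort, req: Request) -> Tuple[Optional[str], List[str]]:
    """Return (service group used or None, log messages generated)."""
    logs: List[str] = []
    pref = preferred_group(port, req)
    if has_server_up(port, pref):
        return pref, logs
    if not port.def_selection_if_pref_failed:
        # Option disabled: selection fails and the failure is logged.
        logs.append(f"server-selection failure: all servers down in {pref}")
        return None, logs
    # Option enabled: keep checking other service groups; nothing is logged
    # for the failure, which is the limitation the table's note warns about.
    for group in port.service_groups:
        if group != pref and has_server_up(port, group):
            return group, logs
    return None, logs

def demo_port() -> VirtualPort:
    """Constructed sample configuration (not from the page)."""
    port = VirtualPort(
        service_groups={"sg-web": [True, True], "sg-vip": [False], "sg-api": [True]},
        default_group="sg-web",
    )
    # Constructed black/white list entry: 10.x clients go to sg-vip (all down).
    port.matchers["pbslb"] = lambda r: "sg-vip" if r.client_ip.startswith("10.") else None
    port.matchers["host"] = lambda r: "sg-api" if r.host == "api.example.com" else None
    port.matchers["url"] = lambda r: "sg-api" if r.url.startswith("/api") else None
    return port

if __name__ == "__main__":
    p = demo_port()
    print(select(p, Request("10.1.1.1")))          # falls through to sg-web, no log
    p.def_selection_if_pref_failed = False
    print(select(p, Request("10.1.1.1")))          # (None, [failure log])
```

The second run in the usage shows why the note matters operationally: with the option enabled a client whose preferred group is entirely down is silently served elsewhere, so an outage of that group is invisible in the logs unless the option is disabled.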

SSL Certificate Management

This chapter describes how to install SSL keys, certificates, and Certificate Revocation Lists (CRLs) on the AX device. Installing these SSL resources on the AX device enables the AX device to provide SSL services on behalf of real servers. You can use the AX device to offload SSL processing from servers or, for some types of traffic, you can use the AX device as an SSL proxy. (For more information about SSL offload and SSL proxy, see “SSL Offload and SSL Proxy” on page 177.)

Overview

Some types of client-server traffic need to be encrypted for security. For example, traffic for online shopping must be encrypted to secure sensitive account information from being stolen. Commonly, clients and servers use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to secure traffic. For example, a client that is using a shopping application on a server will encrypt data before sending it to the server. The server will decrypt the client's data, then send an encrypted reply to the client. The client will decrypt the server reply, and so on.

Note: SSL is an older version of TLS. For simplicity, elsewhere this document and other AX user documents use the term “SSL” to mean both SSL and TLS. The AX device supports SSL version 3.0 and TLS version 1.0. The AX device also supports RFC 3268: “AES Ciphersuites for TLS”.

SSL Process

SSL works using certificates and keys. AX SSL processing supports PEM format and RSA encryption. The AX device supports Privacy Enhanced Mail (PEM) format for certificate files and CRLs. Typically, a client will begin a secure session by sending an HTTPS request to a VIP. The request begins an SSL handshake. The AX device will respond with a digital certificate. From the client's perspective, this certificate comes from the server. Once the SSL handshake is complete, the client begins an encrypted client-server session with the AX device.

Figure 161 shows a simplified example of an SSL handshake. In this example, the AX device is acting as an SSL proxy for backend servers.

FIGURE 161 Typical SSL Handshake (simplified)

To begin, the client sends an HTTPS request. The request includes some encryption details such as the cipher suites supported by the client. The server (in this case, the AX device, on behalf of the server) checks for a client-SSL template bound to the VIP. If a client-SSL template is bound to the VIP, the AX device sends all the digital certificates and certificate chains contained in the template to the client. Each digital certificate includes a public key and various other identifying information.

The client checks its certificate store (sometimes called the certificate list) for a copy of the server certificate. If the client does not have a copy of the server certificate, the client will check for a certificate from the Certificate Authority (CA) that signed the server certificate. If the CA that signed the certificate is a root CA, the client should have a copy of the root CA's certificate. Certificates from root CAs are the most trusted. They do not need to be signed by a higher (more trusted) CA. If the CA that signed the server certificate is not a root CA, the client should have another certificate or a certificate chain, which is a nested set of certificates, that includes the CA that signed the CA's certificate. Ultimately, a certificate must be validated by a root CA.

If a CA certificate or certificate chain in the client's certificate store can validate the server certificate, the client accepts the certificate and begins an encrypted session with the AX device. In a typical deployment, traffic between the AX device and the client is encrypted, whereas traffic between the AX device and the real servers is clear (not encrypted).

If the client cannot validate the server certificate or the certificate is out of date, the client's browser may display a certificate warning. Figure 162 shows an example of a certificate warning displayed by Internet Explorer.

FIGURE 162 Example of Certificate Warning

Note: It is normal for the AX device to display a certificate warning when an admin accesses the AX management GUI. Certificates used for SLB are not used by the management GUI.

CA-Signed and Self-Signed Certificates

Typically, clients have a certificate store that includes certificates signed by the various root CAs. The certificate store may also have some non-CA certificates that can be validated by a root CA certificate, either directly or through a chain of certificates that end with a root certificate. Each certificate is digitally “signed” to validate its authenticity. Certificates can be CA-signed or self-signed:

• CA-signed – A CA-signed certificate is a certificate that is created and signed by a recognized Certificate Authority (CA). To obtain a CA-signed certificate, an admin creates a key and a Certificate Signing Request (CSR), and sends the CSR to the CA. The CSR includes the key. The CA then creates and signs a certificate. The admin installs the certificate on the AX device. When a client sends an HTTPS request, the AX device sends a copy of the certificate to the client, to verify the identity of the server (AX device). The example in Figure 161 on page 648 uses a CA-signed certificate.

• Self-signed – A self-signed certificate is a certificate that is created and signed by the AX device. A CA is not used to create or sign the certificate.

CA-signed certificates are considered to be more secure than self-signed certificates. Likewise, clients are more likely to be able to validate a CA-signed certificate than a self-signed certificate. If you configure the AX device to present a self-signed certificate to clients, the client's browser may display a certificate warning. This can be alarming or confusing to end users. Users can select the option to trust a self-signed certificate, in which case the warning will not re-appear.

SSL Templates

You can install more than one key-certificate pair on the AX device. The AX device selects the certificate(s) to send a client or server based on the SSL template bound to the VIP. You can bind the following types of SSL templates to VIPs:

• Client-SSL template – Contains keys and certificates for SSL-encrypted traffic between clients and the AX device.

• Server-SSL template – Contains CA certificates for SSL-encrypted traffic between servers and the AX device, so that the client can validate the server's identity.

Client-SSL Template Options

Use client-SSL templates for deployments in which traffic between clients and the AX device will be SSL-encrypted. Client-SSL templates have the following options. For the deployment example in Figure 161 on page 648, only the first option (Certificate) needs to be configured.

• Certificate – Specifies a server certificate that the AX device will send to a client. The certificate can be generated on the AX device (self-signed) or can be signed by another entity and imported onto the AX device.

• Certificate chain – Specifies a named set of server certificates. You can add server certificates to the AX device individually, in certificate chains, or using a combination of individual certificates and certificate chains. The AX device always sends all individual server certificates and certificate chains in the template to each client.

• Key – Specifies a public key for a server certificate. If the CSR used to request the server certificate is generated on the AX device, the key is automatically generated. Otherwise, the key must be imported.

• CA certificate – Specifies a CA certificate that the AX device can use to validate the identity of a client. A CA certificate is needed only if the AX device will be required to validate the identities of clients. The AX device is not configured at the factory to contain a certificate store. If CA certificates are required for this purpose, they must be imported onto the AX device.

• Certificate Revocation List (CRL) – Specifies a list of client certificates that have been revoked by the CAs that signed them. This option is applicable only if the AX device will be required to validate the identities of clients.

• Connection-request response – Specifies the AX response to connection requests from clients. The response can be one of the following:
   • ignore (default) – The AX device does not request the client to send its certificate.
   • request – The AX device requests the client to send its certificate. With this action, the SSL handshake proceeds even if either of the following occurs:
      • The client sends a NULL certificate (one with zero length).
      • The certificate is invalid, causing client verification to fail.
   Use this option if you want the request to trigger an aFleX policy for further processing.

   • require – The AX device requires the client certificate. This action requests the client to send its certificate. However, the SSL handshake does not proceed (it fails) if the client sends a NULL certificate or the certificate is invalid.

• Cipher list – Specifies the cipher suites supported by the AX device. When the client sends its connection request, it also sends a list of the cipher suites it can support. The AX device selects the strongest cipher suite supported by the client that is also enabled in the template, and uses that cipher suite for traffic with the client. By default, all the following are enabled:
   • SSL3_RSA_DES_192_CBC3_SHA
   • SSL3_RSA_DES_40_CBC_SHA
   • SSL3_RSA_DES_64_CBC_SHA
   • SSL3_RSA_RC4_128_MD5
   • SSL3_RSA_RC4_128_SHA
   • SSL3_RSA_RC4_40_MD5
   • TLS1_RSA_AES_128_SHA
   • TLS1_RSA_AES_256_SHA
   • TLS1_RSA_EXPORT1024_RC4_56_MD5
   • TLS1_RSA_EXPORT1024_RC4_56_SHA

• Session cache size – Specifies the maximum number of cached sessions for SSL session ID reuse.

Server-SSL Template Options

A server-SSL template is needed only if traffic between the AX device and real servers will be encrypted using SSL. In this case, the AX device will be required to validate the identities of the servers.

• CA certificate – Specifies a CA certificate that the AX device can use to validate the identity of a server.

• Cipher list – Specifies the cipher suites supported by the AX device. When the server sends its connection request, it also sends a list of the cipher suites it can support. The AX device selects the strongest cipher suite supported by the server that is also enabled in the template and uses that cipher suite for traffic with the server. The same cipher suites supported in client-SSL templates are supported in server-SSL templates. Support for all of them is enabled by default.
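The cipher-list behaviour described for both template types, as an added Python example (not A10 code). It models the stated selection rule, the strongest suite the peer offers that is also enabled in the template, and audits the ten default-enabled suites against current practice so that an operator can decide which to disable. The strength ranking and the weakness criteria are this example's own assumptions; the suite names are the ones listed on the page.

```python
"""Cipher-list selection and audit for client-SSL / server-SSL templates
(added example, not A10 code)."""
from typing import Dict, List, Optional

# The ten suites the page lists as enabled by default, ranked strongest first.
# The ranking is an assumption of this example (key length, then MAC).
DEFAULT_CIPHER_LIST: List[str] = [
    "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_AES_128_SHA",
    "SSL3_RSA_DES_192_CBC3_SHA",
    "SSL3_RSA_RC4_128_SHA",
    "SSL3_RSA_RC4_128_MD5",
    "SSL3_RSA_DES_64_CBC_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5",
    "SSL3_RSA_RC4_40_MD5",
    "SSL3_RSA_DES_40_CBC_SHA",
]

def weakness(suite: str) -> List[str]:
    """Reasons a suite is considered weak by current practice (empty = acceptable).
    The criteria are this example's assumptions, keyed on the name's tokens."""
    reasons: List[str] = []
    if "EXPORT" in suite or "_40_" in suite or "_56_" in suite:
        reasons.append("export-grade key length")
    if "DES_64" in suite:
        reasons.append("single DES (56-bit key)")
    if "CBC3" in suite:
        reasons.append("3DES (64-bit block)")
    if "RC4" in suite:
        reasons.append("RC4 stream cipher")
    if suite.endswith("_MD5"):
        reasons.append("MD5 MAC")
    return reasons

def audit(enabled: List[str]) -> Dict[str, List[str]]:
    """Map every enabled suite that has a weakness to its list of reasons."""
    return {s: weakness(s) for s in enabled if weakness(s)}

def hardened(enabled: List[str]) -> List[str]:
    """The enabled list with every flagged suite removed, order preserved."""
    return [s for s in enabled if not weakness(s)]

def select_cipher(peer_offer: List[str], enabled: List[str]) -> Optional[str]:
    """The page's rule: strongest suite enabled in the template that the peer
    (client for client-SSL, server for server-SSL) also supports; None means
    the handshake cannot complete."""
    offered = set(peer_offer)
    for suite in enabled:          # enabled is ranked strongest first
        if suite in offered:
            return suite
    return None

if __name__ == "__main__":
    for suite, why in audit(DEFAULT_CIPHER_LIST).items():
        print(f"{suite}: {', '.join(why)}")
    # Constructed client offer: a legacy client that only speaks RC4-40.
    print(select_cipher(["SSL3_RSA_RC4_40_MD5"], hardened(DEFAULT_CIPHER_LIST)))
```

The last call returns None: after disabling the export, RC4, DES and MD5 suites, a client offering only SSL3_RSA_RC4_40_MD5 no longer negotiates at all. That is the expected trade-off; check access logs for such clients before tightening a production template.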

Certificate Installation Process

To configure an AX device to perform SSL processing on behalf of real servers, you must install a certificate on the AX device. This certificate is the one that the AX device will present to clients during the SSL handshake. You also must configure a client-SSL template, add the key and certificate to the template, and bind the template to the VIP that will be requested by clients.

You can install a CA-signed certificate or a self-signed certificate (described in “CA-Signed and Self-Signed Certificates” on page 650). This section gives an overview of the process for each type of certificate. Detailed procedures are provided later in this chapter.

Requesting and Installing a CA-Signed Certificate

To request and install a CA-signed certificate, use the following process. For detailed steps, see “Generating a Key and CSR for a CA-Signed Certificate” on page 655 and “Importing a Certificate and Key” on page 658.

1. Create an encryption key. You can create the key and CSR on the AX device or on a server that is running openssl or a similar application.

2. Create a Certificate Signing Request (CSR). The CSR will include the public portion of the key, as well as information that you enter when you create the CSR.

3. Submit the CSR to the CA. If the CSR was created on the AX device, do one of the following:
   • Copy and paste the CSR from the AX CLI or GUI onto the CSR submission page of the CA server.
   • Export the CSR to another device, such as the PC from which you access the AX CLI or GUI. Email the CSR to the CA, or copy-and-paste it onto the CSR submission page of the CA server.
   If the CSR was created on another device, email the CSR to the CA, or copy-and-paste it onto the CSR submission page of the CA server.

4. After receiving the signed certificate and the CA's public key from the CA, import them onto the AX device. You do not need to import the key if the CSR was created on the AX device.
   • If the key and certificate are provided by the CA in separate files (PKCS #7 format), import the certificate. If the CSR was created on the AX device, the key is already on the AX device. If the CSR was not created on the AX device, you need to import the key also.
   • If the key and certificate are provided by the CA in a single file (PKCS #12 format), convert them into separate files in PEM format, then import the certificate. In this case, if the CSR was not created on the AX device, you do need to import the key also.
   If the certificate is not in PEM format, convert it into PEM format. See “Converting SSL Certificates to PEM Format” on page 666.

Figure 163 shows the most common way to obtain and install a CA-signed certificate onto the AX device.

FIGURE 163 Obtaining and Installing Signed Certificate from CA

Note: As an alternative to using a CA, you can use an application such as openssl to create a certificate, then use that certificate as a CA-signed certificate to sign another certificate. However, a client's browser is still likely to display a certificate warning to the end user.

Installing a Self-Signed Certificate

To install a self-signed certificate instead of a CA-signed certificate:

1. Create an encryption key.

2. Create the certificate.

See “Generating a Self-Signed Certificate” on page 659.

Generating a Key and CSR for a CA-Signed Certificate

USING THE GUI

1. Select Config > Service > SSL Management.

2. On the menu bar, select Certificate, if not already selected.

3. Click Create.

4. Enter a name for the certificate.

5. In the Issuer drop-down list, select Certificate Authority. This option displays the Pass Phrase and Confirm Pass Phrase fields.

6. Enter a passphrase.

7. From the Key drop-down list, select the length (bits) for the key.

8. Enter the rest of the certificate information in the remaining fields of the Certificate section.

9. Click OK. The AX device generates the certificate key and the certificate signing request (CSR), and displays the CSR. The CSR is displayed in the Request Text field.

10. To save the CSR to your PC:
   a. Click Download.
   b. Click Save.
   Note: If the browser security settings normally block downloads, you may need to override the setting. For example, in Internet Explorer, hold the Ctrl key while clicking Download.

   c. Navigate to the save location.
   d. Click Save again.

11. When you receive the certificate from the CA, import it onto the AX device. (See “Importing a Certificate and Key” on page 658.)

Note: If you prefer to copy-and-paste the CSR, make sure to include everything, including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”.

USING THE CLI

To generate a key and a CSR, use the following command at the global configuration level of the CLI:

slb ssl-create csr csr-name url

The csr-name can be 1-31 characters.

The url specifies the file transfer protocol, username (if required), directory path, and filename. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file

This command displays a series of prompts, for the following information:
• IP address of the server to which to export the CSR
• Username for write access to the server
• Password for write access to the server
• Path and filename
• Key length, which can be 512, 1024, or 2048 bits
• Common name, 1-64 characters
• Division, 0-31 characters
• Organization, 0-63 characters

• Locality, 0-31 characters
• State or Province, 0-31 characters
• Country, 2 characters
• Email address, 0-64 characters
• Passphrase to use for the key, 0-31 characters

After the CSR is generated, send the CSR to the CA. The key is generated along with the CSR. The key does not need to be imported. After you receive the signed certificate from the CA, use the import command to import the certificate onto the AX device.

The following commands generate and export a CSR, then import the signed certificate:

AX(config)#slb ssl-create csr slbcsr1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?slbcsr1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcsr1
input Division, 0~31:div1
input Organization, 0~63:org2
input Locality, 0~31:westcoast
input State or Province, 0~31:ca
input Country, 2 characters:us
input email address, 0~64:axadmin@example.com
input Pass Phrase, 0~31:csrpword
Confirm Pass Phrase:csrpword
AX(config)#import ca-signedcert1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?ca-signedcert1

Importing a Certificate and Key

To import certificate and key files, place them on the PC that is running the GUI or CLI session, or onto a PC or file server that can be locally reached over the network.

Note: If you are importing a CA-signed certificate for which you used the AX device to generate the CSR, you do not need to import the key. The key is automatically generated on the AX device when you generate the CSR.

USING THE GUI

1. Select Config > Service > SSL Management.

2. On the menu bar, select Certificate, if not already selected.

3. To import the certificate:
   a. Click Import.
   b. Select Certificate from the Type drop-down list, if not already selected.
   c. In the Name field, enter a name for the certificate. This is the name you will refer to when adding the certificate to a client-SSL or server-SSL template.
   d. Click Browse and navigate to the location of the certificate.
   e. Click Open. The path and filename appear in the Source field.
   f. Click OK. The certificate appears in the certificate and key list.

4. To import the key:
   a. Click Import.
   b. Select Key from the Type drop-down list.
   c. In the Name field, enter a name for the key. This is the name you will refer to when adding the key to a client-SSL or server-SSL template.
   d. Click Browse and navigate to the location of the key.
   e. Click Open. The path and filename appear in the Source field.
   f. Click OK. The key appears in the certificate and key list.

USING THE CLI

To import a certificate and its key, use the following command at the global Config level of the CLI:

[no] slb ssl-load {certificate cert-name | private-key-string} url

The url specifies the file transfer protocol, username (if required), directory path, and filename. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file

Alternatively, you can use the following commands at the Privileged EXEC or global Config level of the CLI:

import ssl-cert file-name url
import ssl-key file-name url

Generating a Self-Signed Certificate

USING THE GUI

1. Select Config > Service > SSL Management.

2. On the menu bar, select Certificate, if not already selected.

3. Click Create.

4. Enter a name for the certificate.

5. In the Issuer drop-down list, select Self, if not already selected.

6. From the Key drop-down list, select the length (bits) for the key.

7. Enter the rest of the certificate information in the remaining fields of the Certificate section. The key length, common name, and number of days the certificate is valid are required. The other information is optional. The default key length is 1024 bits. The default number of days the certificate is valid is 730.

8. Click OK. The AX device generates the self-signed certificate and its key. The new certificate and key appear in the certificate list. The certificate is ready to be used in client-SSL and server-SSL templates.

USING THE CLI

To generate a self-signed certificate, use the following command at the global configuration level of the CLI:

slb ssl-create certificate certificate-name

The certificate-name can be 1-31 characters. This command enters configuration mode for the certificate. The CLI prompts you for the following information:
• Key length, which can be 512, 1024, or 2048 bits
• Common name, 1-64 characters
• Division, 0-31 characters
• Organization, 0-63 characters
• Locality, 0-31 characters
• State or Province, 0-31 characters
• Country, 2 characters
• Email address, 0-64 characters
• Number of days the certificate is valid, 30-3650 days

The following commands create a self-signed certificate named “slbcert1” and verify the configuration:

AX(config)#slb ssl-create certificate slbcert1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcert1
input Division, 0~31:Div1
input Organization, 0~63:Org2
input Locality, 0~31:WestCoast
input State or Province, 0~31:CA

input Country, 2 characters:US
input email address, 0~64:axadmin@example.com
input valid days, 30~3650, default 730:<Enter>
AX(config)#show slb ssl cert
name: slbcert1 type: certificate/key
Common Name: slbcert1
Organization: Org2
Expiration: Apr 10 00:34:34 2010 GMT
Issuer: Self
key size: 1024

Importing a CRL

To import a CRL, place it on the PC that is running the GUI or CLI session, or onto a PC or file server that can be locally reached over the network.

USING THE GUI

1. Select Config > Service > SSL Management.

2. On the menu bar, select Cert Revocation List, if not already selected.

3. Click Import.

4. Click Browse and navigate to the location of the CRL.

5. Click Open. The path and filename appear in the Source field.

6. Click OK.

USING THE CLI

To import a CRL, use the following command at the global Config level of the CLI:

[no] slb ssl-load certificate crl-name url

The url specifies the file transfer protocol, username (if required), directory path, and filename. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:

• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file

Exporting Certificates, Keys, and CRLs

Exporting a Certificate and Key

USING THE GUI

1. Select Config > Service > SSL Management.

2. On the menu bar, select Certificate, if not already selected.

3. To export a certificate:
   a. Select the certificate. (Click the checkbox next to the certificate name.)
   b. Click Export.
   c. Click Save.
   d. Navigate to the save location.
   e. Click Save again.
   Note: If the browser security settings normally block downloads, you may need to override the setting. For example, in Internet Explorer, hold the Ctrl key while clicking Export.

4. To export a key:
   a. Select the key.
   b. Click Export.
   c. Click Save.
   d. Navigate to the save location.
   e. Click Save again.

USING THE CLI

To export a certificate and its key, use the following commands at the Privileged EXEC or global Config level of the CLI:

export ssl-cert file-name url
export ssl-key file-name url

The url specifies the file transfer protocol, username (if required), directory path, and filename. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file

Exporting a CRL

USING THE GUI

1. Select Config > Service > SSL Management.

2. On the menu bar, select Cert Revocation List, if not already selected.

3. Select the CRL. (Click the checkbox next to the CRL name.)

4. Click Export.

5. Click Save.

6. Navigate to the save location.

Note: If the browser security settings normally block downloads, you may need to override the setting. For example, in IE, hold the Ctrl key while clicking Export.

7. Click Save again.

Note: The CLI does not support export of CRLs.

Creating a Client-SSL or Server-SSL Template and Binding it to a VIP

After creating or importing certificates and keys on the AX device, you must add them to an SSL template, then bind the template to a VIP, in order for them to take effect.

Creating an SSL Template

USING THE GUI

1. Select Config > Service > Template.

2. On the menu bar, select one of the following:
   • SSL > Client SSL – to create a template for SSL traffic between the AX device (VIP) and clients.
   • SSL > Server SSL – to create a template for SSL traffic between the AX device and servers.

3. Click Add.

4. Enter or select the configuration options. (For information, see “SSL Templates” on page 650, the AX Series GUI Reference, or the online help.)

5. When finished, click OK.

USING THE CLI

Use one of the following commands at the global configuration level of the CLI:

[no] slb template client-ssl template-name
[no] slb template server-ssl template-name

The command creates the template and changes the CLI to the configuration level for it. Use the commands at the template configuration level to configure template parameters. (For information, see “SSL Templates” on page 650 or the AX Series CLI Reference.)

Binding an SSL Template to a VIP

USING THE GUI

1. Select Config > Service > SLB.

2. On the menu bar, select Virtual Server.

3. Click on the virtual server name or click Add to create a new one.

4. Enter the VIP name and IP address, if creating a new VIP.

5. In the Port section, select a port and click Edit, or click Add to add a new port. The Virtual Server Port page appears.

6. Select the template from the Client-SSL Template or Server-SSL Template drop-down list.

7. Click OK.

8. Click OK again.

USING THE CLI

Use one of the following commands at the configuration level for the virtual port on the VIP:

[no] template client-ssl template-name
[no] template server-ssl template-name

Use the same command on each port for which SSL will be used.

Converting Certificates and CRLs to PEM Format

The AX device supports Privacy Enhanced Mail (PEM) format for certificate files and CRLs. If a certificate or CRL you plan to import onto the AX device is not in PEM format, it must be converted to PEM format before you import it onto the AX device.

Converting SSL Certificates to PEM Format
If you have certificates that are in Windows format (a PFX export), use the procedure in this section to convert them to PEM format. For example, you can use this procedure to export SSL certificates that were created under a Windows IIS environment, for use on servers that are running Apache.
This procedure requires a Windows PC and a Unix/Linux workstation. Perform step 1 through step 4 on the Windows PC. Perform step 5 through step 8 on the Unix/Linux workstation.

Steps to perform on the Windows PC:
1. Start the Microsoft Management Console (mmc.exe).
2. Add the Certificates snap-in:
a. Select File > Add/Remove Snap-In. The Add/Remove Snap-In dialog appears.
b. Click Add. A list of available snap-ins appears.
c. Select Certificates.
d. Click Add. A dialog appears with the following choices: My user account, Service account, and Computer account.
e. Select Computer Account and click Next. The Select Computer dialog appears.
f. Select Local Computer and click Finish.
g. Click Close.
h. Click OK. The Certificates snap-in appears in the Console Root list.
3. Expand the Certificate folders and navigate to the certificate you want to convert.
4. Select Action > All Tasks > Export. The Export wizard guides you with instructions. Make sure to export the private key too. The wizard will ask you to enter a passphrase to use to encrypt the key.

Steps to perform on the Unix/Linux workstation:
5. Copy the PFX-format file that was created by the Export wizard to the Unix/Linux workstation.
6. Use OpenSSL to convert the PFX file (which is already in PKCS#12 format) to PEM:
$ openssl pkcs12 -in filename.pfx -out pfxoutput.txt
OpenSSL prompts for the import password you entered in the Export wizard, and then for a PEM pass phrase to protect the exported key. This command creates a PEM output file, which contains a concatenation of the private key and the certificate.
7. Use the vi editor to divide the PEM output file into two files, one for the certificate (.crt) and the other for the private key (.key).
8. To remove the passphrase from the key, use the following command:
$ openssl rsa -in encrypted.key -out unencrypted.key
Note: Although removing the passphrase is optional, A10 Networks recommends that you remove the passphrase for production environments where Apache must start unattended. An unencrypted key file is protected only by file permissions, so restrict access to it and delete the copies on the workstation once the key has been imported.

Converting CRLs from DER to PEM Format
If you plan to use a Certificate Revocation List (CRL), the CRL must be in PEM format. To convert Distinguished Encoding Rules (DER) format to PEM format, use the following command on a Unix/Linux machine where the file is located:
openssl crl -in filename.der -inform der -outform pem -out filename.pem
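The two conversions above, carried through as an added worked example (this script is not from the A10 guide): a POSIX shell script that parses a PFX export into separate PEM certificate and key files, drops the pass phrase, checks that the key really belongs to the certificate before anything is imported onto the AX device, and converts a DER CRL to PEM with the command shown above. It assumes openssl(1) is on the PATH; the file names, the pass phrase, the self-signed certificate and the throwaway CA are all constructed for the demonstration. It goes one step beyond the text by using the -clcerts/-nokeys and -nocerts/-nodes options of openssl pkcs12 in place of the manual vi split.

```shell
#!/bin/sh
# Added example (not part of the A10 guide): the PFX -> PEM and DER CRL -> PEM
# conversions of this section, run end to end with openssl(1) and checked before
# the files go onto the AX device.
# Assumptions: openssl is on PATH; file names and the pass phrase are made up;
# the certificate and CA below are constructed here, so no real key is touched.
set -eu

WORK=$(mktemp -d)
PFX_PASS="ExportPass123"   # constructed: the pass phrase typed into the Export wizard

# Constructed stand-in for the .pfx written by the Windows Export wizard.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.example.test" \
        -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
        -passout "pass:$PFX_PASS" -out "$WORK/export.pfx"
    echo "$WORK/export.pfx"
}

# Steps 6-8 of the guide in one function. A .pfx already is PKCS#12; "openssl
# pkcs12" without -export parses it to PEM. -clcerts -nokeys and -nocerts -nodes
# replace the manual vi split, -nodes writes the key without a pass phrase (what
# "openssl rsa -in encrypted.key -out unencrypted.key" does in step 8), and the
# second openssl in each pipe strips the "Bag Attributes" text so only the PEM
# block remains. With a real export, drop -passin to be prompted instead.
pfx_to_pem() {   # $1 = .pfx; writes $WORK/server.crt and $WORK/server.key
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -clcerts -nokeys \
        | openssl x509 -out "$WORK/server.crt"
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes \
        | openssl pkey -out "$WORK/server.key"
    chmod 600 "$WORK/server.key"   # the key is now unencrypted; permissions are all that guard it
}

# PEM carries a "-----BEGIN ..." armor line; DER is raw binary and has none.
is_pem() { grep -q -- '-----BEGIN ' "$1"; }

# Check before import: both commands print the public key in the same SPKI PEM
# form, so the key belongs to the certificate exactly when the two texts match.
key_matches_cert() {   # $1 = PEM cert, $2 = PEM private key
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The guide's CRL conversion: DER in, PEM out, then re-parse to prove it loads.
der_crl_to_pem() {   # $1 = DER CRL, $2 = PEM output path
    openssl crl -in "$1" -inform der -outform pem -out "$2"
    openssl crl -in "$2" -noout
}

# Constructed DER CRL from a throwaway CA, so der_crl_to_pem has real input.
make_test_der_crl() {
    ca="$WORK/ca"
    mkdir -p "$ca/newcerts"
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"
    echo 01 > "$ca/crlnumber"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null
    printf '[ ca ]\ndefault_ca = test_ca\n[ test_ca ]\ndatabase = %s/index.txt\n' "$ca" > "$ca/ca.cnf"
    printf 'new_certs_dir = %s/newcerts\nserial = %s/serial\ncrlnumber = %s/crlnumber\n' \
        "$ca" "$ca" "$ca" >> "$ca/ca.cnf"
    printf 'default_md = sha256\ndefault_crl_days = 30\n' >> "$ca/ca.cnf"
    openssl ca -config "$ca/ca.cnf" -gencrl -keyfile "$ca/ca.key" -cert "$ca/ca.crt" \
        -out "$ca/ca.crl.pem" 2>/dev/null
    openssl crl -in "$ca/ca.crl.pem" -outform der -out "$ca/ca.crl.der"
    echo "$ca/ca.crl.der"
}

main() {
    pfx=$(make_test_pfx)
    pfx_to_pem "$pfx"
    if key_matches_cert "$WORK/server.crt" "$WORK/server.key"; then
        echo "server.crt and server.key match: ready to import"
    else
        echo "server.key does not belong to server.crt: do not import" >&2
        exit 1
    fi
    der=$(make_test_der_crl)
    der_crl_to_pem "$der" "$WORK/ca.crl.pem"
    echo "CRL converted to PEM: $(openssl crl -in "$WORK/ca.crl.pem" -noout -issuer)"
}

main
```

On a real export, run pfx_to_pem against the copied .pfx (without -passin, so OpenSSL prompts for the wizard's password), then key_matches_cert on the two resulting files; a mismatch means the wrong key was exported and the pair must not be imported. The files in $WORK hold an unencrypted private key, so remove them once the import has succeeded.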


• Main route table – Contains all r