
A10 Networks: AX Planning, Deployment and Management Class

Course AX-DSC-001.12

Table of Contents
- Module 1: Course Introduction
- Module 2: AX Product Line
- Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
- Module 4: FTP, HTTP and HTTPS Protocols
- Module 5: AX Acceleration
- Module 6: AX Security
- Module 7: AX Power and Flexibility
- Module 8: AX Management and Troubleshooting

Course Introduction
Module 1

Module objectives
- Understand the course goals
- Understand the objectives for the students

Goal of this course


- To present the A10 Networks AX product line
- To teach the basic load balancing concepts
- To present the FTP, HTTP and HTTPS protocols
- To teach advanced AX load balancing concepts
- To prepare students to install, configure and manage the AX device

Course map
- Module 2: AX Product Line
- Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
- Module 4: FTP, HTTP and HTTPS Protocols
- Module 5: AX Acceleration Components
- Module 6: AX Security Components
- Module 7: AX Power and Flexibility
- Module 8: AX Management and Troubleshooting

AX Product Line
Module 2

Module objectives
- Understand the AX solution / market
- Understand the AX product portfolio
- Understand the feature set
- Understand the licensing

AX solution / market: AX new generation load balancers


New Generation in Design and Performance

AX (new generation):
- ACOS designed for multi-core CPUs
- Hardware accelerated: Symmetrical Multiprocessing (SMP); Flexible Traffic ASIC, SSL ASIC, Switching and Routing ASIC
- Highest throughput and performance

Retrofitted platform:
- Single CPU, or multi-CPU with instruction blocking
- Limited scalability
- Lower throughput, half the performance
- SSL ASIC only

AX solution / market: AX new generation customer benefits


Basic LB benefits
- Share load among multiple servers (load balancing)
- Provide high availability of services

New Generation LB benefits
- Advanced load balancing (e.g. based on HTTP request or SIP parameters)
- Advanced high availability of services (e.g. application simulation and testing)
- Acceleration of services (e.g. SSL server offload and HTTP caching)
- "Securitization" of services (DDoS protection and DNS security)
- Advanced flexibility allowing the administrator to create their own LB rules (using aFleX and aXAPI)

AX 32-bit Series Models

(models positioned by price against overall performance)

| Model      | Throughput | L4 CPS  |
|------------|------------|---------|
| AX 1000-11 | 4 Gbps     | 153,000 |
| AX 2200-11 | 7.4 Gbps   | 302,000 |
| AX 3200-11 | 8.7 Gbps   | 541,000 |

AX 64-bit Series Models


(models positioned by price against overall performance; target: Large Enterprise or Service Provider)

| Model       | Throughput | L4 CPS    |
|-------------|------------|-----------|
| AX 2500     | 11 Gbps    | 300,000   |
| AX 2600*    | 19 Gbps    | 355,000   |
| AX 3000-11* | 30 Gbps    | 850,000   |
| AX 5100     | 40 Gbps    | 2 Million |
| AX 5200     | 40 Gbps    | 3 Million |

AX product line 32-bit: AX Series Family Interface and hardware options


| Model                              | AX 1000         | AX 2000        | AX 2100        | AX 2200        | AX 3100        | AX 3200        |
|------------------------------------|-----------------|----------------|----------------|----------------|----------------|----------------|
| Ethernet: Gigabit Copper           | 6               | 8              | 8              | 16             | 16             | 16             |
| Ethernet: Gigabit Fiber SFP Mini GBIC | 2            | 2              | 4              | 4              | 4              | 4              |
| Ethernet: 10 Gigabit Fiber SFP+    | 0               | 0              | 0              | 0              | 2              | 2              |
| Management Interface               | Yes             | Yes            | Yes            | Yes            | Yes            | Yes            |
| Console Port                       | Yes             | Yes            | Yes            | Yes            | Yes            | Yes            |
| Storage                            | Single          | Single         | Dual           | Dual           | Dual           | Dual           |
| Cooling Fan                        | Hot Swap Smart Fan | Hot Swap Smart Fan | Hot Swap Smart Fan | Hot Swap Smart Fan | Hot Swap Smart Fan | Hot Swap Smart Fan |
| Power Supplies                     | Fixed 250 W RPS | Dual 460 W RPS | Dual 460 W RPS | Dual 600 W RPS | Dual 600 W RPS | Dual 600 W RPS |
| Power input                        | 100 to 240 VAC, 50-60 Hz (all models) |

Hardware Acceleration:

| Feature                        | AX 1000 | AX 2000 | AX 2100 | AX 2200 | AX 3100 | AX 3200 |
|--------------------------------|---------|---------|---------|---------|---------|---------|
| Linear Decoupled Architecture  | Yes     | Yes     | Yes     | Yes     | Yes     | Yes     |
| Flexible Traffic ASIC          | No      | No      | No      | Yes     | Yes     | Yes     |
| SSL Acceleration ASIC          | Yes     | Yes     | Yes     | Yes     | Yes     | Yes     |
| Switching and Routing ASIC     | No      | No      | No      | Yes     | Yes     | Yes     |
| Hardware Compression ASIC      | No      | No      | Option  | Option  | Option  | Option  |

AX product line 64-bit: AX Series Family Interface and hardware options


| Model                  | AX 2500   | AX 2600   | AX 3000   | AX 5100   | AX 5200   |
|------------------------|-----------|-----------|-----------|-----------|-----------|
| Option Code            | GC        | GF, GCF   | GC, GCF   | -         | -         |
| Management Interface   | Yes       | Yes       | Yes       | Yes       | Yes       |
| Console Port           | Yes       | Yes       | Yes       | Yes       | Yes       |
| Storage                |           |           | SSD       |           |           |
| Cooling Fan            | Hot Swap Smart Fan | Hot Swap Smart Fan | Hot Swap Smart Fan | Hot Swap Smart Fan | Hot Swap Smart Fan |
| Dual Power Supplies    | 400 W RPS | 400 W RPS | 400 W RPS | 900 W RPS | 900 W RPS |
| Power input            | 100 to 240 VAC, 50-60 Hz (all models) |

Ethernet interface options (Gigabit Copper / Gigabit Fiber SFP Mini GBIC / 10 Gigabit Fiber SFP+):
- AX 2500: 8 / 4 / 0
- AX 2600: 24 / 0 / 0 or 0 / 24 / 0
- AX 3000: 16 / 8 / 0, 16 / 0 / 4 or 8 / 8 / 4
- AX 5100: 0 / 4 / 8
- AX 5200: 0 / 4 / 16

Hardware Acceleration:

| Feature                          | AX 2500 | AX 2600 | AX 3000 | AX 5100  | AX 5200  |
|----------------------------------|---------|---------|---------|----------|----------|
| Linear Decoupled Architecture    | Yes     | Yes     | Yes     | Yes      | Yes      |
| Flexible Traffic ASIC            | No      | No      | No      | Yes (x4) | Yes (x4) |
| SSL Acceleration ASIC            | Yes     | Yes     | Yes     | No       | No       |
| Multi-ASIC High Performance SSL  | Option  | Option  | Option  | Option   | Option   |
| Switching and Routing ASIC       | No      | No      | No      | Yes      | Yes      |
| Hardware Compression ASIC        | Option  | Option  | Option  | Option   | Option   |

AX feature set
Layer 4 and Layer 7 Application Acceleration
- SSL ASIC
- RAM caching, static or dynamic
- HTTP compression
- aXAPI: REST-based XML API for custom management

Virtualized management
- Role-Based and Partition-Based Management
- Seamless Management for Multiple Devices

- aFleX: L7 TCL scripting for deep packet inspection
- Advanced NAT options
- AX High Availability
- Firewall LB
- GSLB (Global Server Load Balancing)
- DNS Application Layer Firewall
- Operates in Layer 2 / Layer 3 simultaneously
- IPv4 and IPv6 load balancing and management
- Full web interface or industry-standard command line interface


AX licensing
- No extra licenses required for performance or features
- Each AX is offered with full scalability and benefits

Summary
In this module we discussed:
- AX is the new generation of load balancers
- AX offers a portfolio to meet low-end Enterprise to high-end ISP/SP needs
- AX offers a comprehensive set of load balancing features and other features such as GSLB, IPv6, Virtualization, NAT and DNS firewall
- AX comes feature-complete with no extra licensing required

Basic Load Balancing Concepts and Related AX Configuration & Management


Module 3


Module objectives
- Understand the main load balancing goals and concepts
- Configure the AX basic L4 SLB VIP (configuration steps)
- Understand and configure two common L4 SLB VIP options (Source IP Persistence + NAT)

Module 3 Lesson 1

Main LB Goals and Concepts

Main load balancing goals and concepts


- Share load among multiple servers (load balancing)
- Provide high availability of services

Methods of load balancer integration into network

Routed Mode

Benefits:
- No change required on clients and servers
- Servers keep visibility of the client IP address

Points to keep in mind:
- The SLB has to be the servers' default gateway (dgw)
- Clients can't be in the servers' subnet

Methods of load balancer integration into network

One-Arm Mode

Benefits:
- No change required on clients and servers
- Easy to test
- Clients can be in the servers' subnet

Points to keep in mind:
- Servers lose visibility of the client IP address
- Requires Source NAT on the SLB

Methods of load balancer integration into network

Transparent Mode

Benefits:
- No change required on clients and servers
- Servers keep visibility of the client IP address

Points to keep in mind:
- Harder to implement: the servers' responses must go through the AX

Methods of load balancer integration into network

DSR Mode

Benefits:
- Highly scalable (the SLB processes only incoming traffic)

Points to keep in mind:
- Can't use any AX layer 7 features
- Extra configuration required on every server (IP stack update)

Server Load Balancing


AX SLB configuration has three core elements:
- Servers
- Service Groups
- Virtual Servers (VIPs)

Servers
Minimum configuration
- Name
- IP address (can use a DNS name)
- Ports

Server configuration
- WebUI: Config > Service > SLB > Server
- CLI: AX(config)# slb server <name> []

Server status and statistics
- WebUI: Monitor > Service > SLB > Server
- CLI: AX# show slb server []

Service groups
Minimum configuration
- Name
- Type (TCP/UDP)
- LB algorithm
- At least one Server/Port

Service group configuration
- WebUI: Config > Service > SLB > Service Group
- CLI: AX(config)# slb service-group <name> []

Service group status and statistics
- WebUI: Monitor > Service > SLB > Service Group
- CLI: AX# show slb service-group []

Service groups
Service group load-balancing algorithms
- Round-Robin
- Least Connection
- Service Least Connection
- Weighted Round Robin
- Weighted Least Connection
- Service Weighted Least Connection
- Fastest Response Time
- Least Request
- Round Robin Strict
- Stateless (new in release 2.4.2; see notes)

Virtual Server (VIP)


Minimum configuration
- Name
- IP address (accessed by end users)
- Virtual Server Ports (usually)

Virtual server configuration
- WebUI: Config > Service > SLB > Virtual Server
- CLI: AX(config)# slb virtual-server <name> []

Virtual server status and statistics
- WebUI: Monitor > Service > SLB > Virtual Server
- CLI: AX# show slb virtual-server []

Virtual server port (VIP port)

Minimum configuration
- Type: TCP, UDP, HTTP, HTTPS, Fast-HTTP, RTSP, FTP, MMS, SSL-Proxy, SMTP, SIP, SIP-TCP, SIP-TLS or others
- Port
- Service Group (usually)

Virtual server port configuration
- WebUI: Config > Service > SLB > Virtual Server > Port
- CLI:
    AX(config)# slb virtual-server <name>
    AX(config-slb vserver)# port N <type>

Virtual server port status and statistics
- WebUI: Monitor > Service > SLB > Virtual Server
- CLI: AX# show slb virtual-server []

Health monitors
Service availability is checked using health monitors. Health monitors apply to:
- Server, and/or
- Server:Port, and/or
- Service Group

Note: For simplicity, health monitors are generally applied to service groups.

Health monitors
Health monitors can test server availability:
- On layer 3: ping (icmp)
- On layer 4: tcp, udp
- On layer 7 (application): http, https, ftp, smtp, pop3, snmp, dns, radius, ldap, rtsp, sip, ntp
- Via manually created scripts

Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not).

Health monitor configuration
- WebUI: Config > Service > Health Monitor
- CLI: AX(config)# health monitor []

Service group health monitor


Health monitoring is done on all Service Group members.
If the HM fails for a specific member, the service group stops using this member for load balancing.
Note: By default there is no health monitor configured on the Service Group.

Service Group HM configuration
- WebUI: Config > Service > SLB > Service Group > "Health Monitor"
- CLI:
    AX(config)# slb service-group <sg-name> <tcp|udp>
    AX(config-slb svc group)# health-check <hm-name>

Service Group HM status
- WebUI: Monitor > Service > SLB > Service Group (expand Service Group)
- CLI: AX# show slb service-group <sg-name>

Server port health monitor


Health monitoring is done on the Server Port.
If the HM fails, that server port is considered down and the service groups configured with that specific server:port stop using it for load balancing.
Note: The default Server Port health monitor is a TCP handshake for TCP ports and a UDP packet for UDP ports.

Server Port HM configuration
- WebUI: Config > Service > SLB > Server > Port > "Health Monitor"
- CLI:
    AX(config)# slb server <server-name>
    AX(config-slb vserver)# port N <tcp|udp>
    AX(config-slb vserver-vport)# health-check <hm-name>

Server Port HM status
- WebUI: Monitor > Service > SLB > Server (expand Server)
- CLI: AX# show slb server <server-name>

Server health monitor


Health monitoring is done on the Server.
If the HM fails, that server is considered down and the service groups configured with that specific server stop using it for load balancing.
Note: The default Server health monitor is icmp.

Server HM configuration
- WebUI: Config > Service > SLB > Server > "Health Monitor"
- CLI:
    AX(config)# slb server <server-name>
    AX(config-real server)# health-check <hm-name>

Server HM status
- WebUI: Monitor > Service > SLB > Server (expand Server)
- CLI: AX# show slb server <server-name>

Module 3 Lesson 2

Common SLB VIP Options

Source IP persistence
When to use Source IP persistence
Source IP persistence must be used when a client's future connections/traffic must be terminated on the same server.

Source IP persistence
Source IP persistence configuration steps
1. Create one Source IP Persistence Template
   - Name
   - Type: Port (persistence per VIP:Port), Server (persistence per VIP) or Service-Group (persistence per URL or Host switching; see Module 4 Lesson 2)
   - Timeout: how long inactive entries are kept (default = 5 minutes)
   - Don't Honor Conn Rules: ignore the connection limits defined on Servers and Server Ports and still send new client connections to the persisted Server (default = disabled)
   - Netmask: granularity of client IP address hashing (default = 255.255.255.255, one entry per client, the most granular)
2. Assign the Source IP Persistence Template to the Virtual Server Port


Source IP persistence
Source IP persistence configuration
Create one Source IP Persistence Template
- WebUI: Config > Service > Template > Persistent > Source IP Persistence
- CLI: AX(config)# slb template persist source-ip <name>

Assign the Source IP Persistence Template to the Virtual Server Port
- WebUI: Config > Service > SLB > Virtual Server > Port
- CLI:
    AX(config)# slb virtual-server <name>
    AX(config-slb vserver)# port N tcp
    AX(config-slb vserver-vport)# template persist source-ip <name>

Source IP persistence entries
- CLI: AX# show session persist src-ip []
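How the template parameters described above (Type, Timeout, Netmask) decide which client connections share a persistence entry, as an added example that is not A10 code: a small simulation in which plain round-robin stands in for the service group's LB algorithm; the client, VIP and server addresses are constructed sample values.

```python
"""Source IP persistence, simulated (added example, not A10 code): the template's
Type, Timeout and Netmask parameters decide which connections share an entry.
Round-robin stands in for the service group's LB algorithm on the first hit."""
import ipaddress
from dataclasses import dataclass


@dataclass
class PersistTemplate:
    persist_type: str = "port"        # "port": one entry per VIP:port; "server": one per VIP
    timeout: int = 300                # seconds an inactive entry is kept (slide default: 5 min)
    netmask: str = "255.255.255.255"  # hashing granularity (slide default: one entry per client)


class SourceIpPersistence:
    def __init__(self, template, servers):
        self.template = template
        self.servers = list(servers)
        self.rr_index = 0
        self.table = {}  # key -> (server, last_seen)

    def _key(self, client_ip, vip, vport):
        # Apply the template netmask: with 255.255.255.0 every client in the
        # same /24 hashes to the same entry and therefore the same server.
        net = ipaddress.ip_network(f"{client_ip}/{self.template.netmask}", strict=False)
        masked = str(net.network_address)
        if self.template.persist_type == "port":
            return (masked, vip, vport)
        return (masked, vip)

    def _next_server(self):
        server = self.servers[self.rr_index % len(self.servers)]
        self.rr_index += 1
        return server

    def expire(self, now):
        """Drop entries inactive for longer than the template timeout; returns how many."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.template.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def select(self, client_ip, vip, vport, now):
        """Pick the server for a new connection at time `now` (seconds).
        Returns (server, persisted): persisted is True when an existing entry was used."""
        self.expire(now)
        key = self._key(client_ip, vip, vport)
        if key in self.table:
            server, _ = self.table[key]
            self.table[key] = (server, now)  # any activity refreshes the idle timer
            return server, True
        server = self._next_server()
        self.table[key] = (server, now)
        return server, False


def demo():
    """Constructed scenario: two real servers behind VIP 198.51.100.1 (ports 80 and 443)."""
    servers = ["10.0.1.11", "10.0.1.12"]
    results = {}

    # Type "port": port 80 and port 443 of the same VIP persist independently,
    # and the entry disappears once it has been idle longer than the timeout.
    per_port = SourceIpPersistence(PersistTemplate(persist_type="port"), servers)
    results["port"] = [
        per_port.select("203.0.113.10", "198.51.100.1", 80, now=0),
        per_port.select("203.0.113.10", "198.51.100.1", 80, now=100),
        per_port.select("203.0.113.10", "198.51.100.1", 443, now=100),
        per_port.select("203.0.113.10", "198.51.100.1", 80, now=401),
    ]

    # Type "server": the same client hits the same server on every port of the VIP.
    per_vip = SourceIpPersistence(PersistTemplate(persist_type="server"), servers)
    per_vip.select("203.0.113.10", "198.51.100.1", 80, now=0)
    results["server"] = per_vip.select("203.0.113.10", "198.51.100.1", 443, now=1)

    # Netmask /24: a different client in the same subnet reuses the entry.
    coarse = SourceIpPersistence(PersistTemplate(netmask="255.255.255.0"), servers)
    coarse.select("203.0.113.10", "198.51.100.1", 80, now=0)
    results["netmask"] = coarse.select("203.0.113.77", "198.51.100.1", 80, now=1)
    return results
```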


Network Address Translation


AX provides multiple NAT services:
- SLB source NAT
- Layer3 NAT

Network Address Translation SLB source NAT


When to use SLB source NAT
SLB source NAT must be used when server responses don't automatically pass through the AX, such as in One-Arm mode or when the servers and the AX are in different subnets.

Network Address Translation SLB source NAT


SLB source NAT configuration steps
1. Create one IP Source NAT Pool:
   - Name: name of the pool
   - Start IP address: first IP address for the SLB source NAT (can be the AX interface IP address)
   - End IP address: last IP address for the SLB source NAT (can be the same as "Start IP address")
     Note: If the "Start" and "End IP address" are the same, the AX NATs with one unique IP address and can NAT up to 64k flows.
   - Netmask: netmask of the SLB source IP addresses
     Note: This is used by the "IP Source NAT Group" when servers are in different subnets (see the AX Config Guide for more information).
   - (optional) Gateway: a specific gateway to use to reply to the clients' requests when SLB Source NAT has been used
   - (optional) HA Group: the HA group to tie to the SLB source NAT pool
2. Assign the SLB Source NAT Pool to the Virtual Server Port

Network Address Translation SLB source NAT


SLB source NAT configuration
1. Create one IP Source NAT Pool:
   - WebUI: Config > Service > IP Source NAT > IPv4 Pool
   - CLI: AX(config)# ip nat pool <pool-name>
2. Assign the SLB Source NAT Pool to the Virtual Server Port
   - WebUI: Config > Service > SLB > Virtual Server > Port
   - CLI:
       AX(config)# slb virtual-server <name>
       AX(config-slb vserver)# port N <type>
       AX(config-slb vserver-vport)# source-nat pool <pool-name>

Network Address Translation SLB source NAT


SLB source NAT statistics
- WebUI: Monitor > Service > IP Source NAT > Pool
- CLI: AX# show ip nat pool statistics

Network Address Translation Layer3 NAT


When to use Layer3 NAT
Layer3 NAT is used to NAT specific traffic, such as clients or servers on private networks that have to access the Internet.

Network Address Translation Layer3 NAT


Dynamic Layer3 NAT
Used to dynamically source NAT internal clients behind one IP address or a group of IP addresses (also called n-to-1 NAT).

Network Address Translation Layer3 NAT


Dynamic Layer3 NAT configuration steps
1. Create one or more IP Source NAT Pools with the "NATed" IP addresses
2. (optional) Group the IP Source NAT pools in one IP Source NAT Group
3. Create an ACL with the source IP addresses to NAT
4. Bind the ACL to the IP Source NAT Pool (or Pool Group)
5. Enable inside NAT on the AX inside and outside interfaces

Network Address Translation Layer3 NAT


Dynamic Layer3 NAT configuration
Create one or more IP Source NAT Pools with the "NATed" IP addresses
- WebUI: Config > Service > IP Source NAT > IPv4 Pool
- CLI: AX(config)# ip nat pool <pool-name>

(optional) Group the IP Source NAT pools in one IP Source NAT Group
- WebUI: Config > Service > IP Source NAT > Group
- CLI: AX(config)# ip nat pool-group <pool-group-name>

Create an ACL with the source IP addresses to NAT
- WebUI: Config > Network > ACL
- CLI: AX(config)# access-list []

Bind the ACL to the IP Source NAT Pool (or Pool Group)
- WebUI: Config > Service > IP Source NAT > Binding
- CLI: AX(config)# ip nat inside source list [acl#] pool [pool-group-name | pool-name]

Network Address Translation Layer3 NAT


Dynamic Layer3 NAT configuration (cont.)
Enable inside NAT on the AX inside and outside interfaces
- On the inside interfaces:
  WebUI: Config > Service > IP Source NAT > Interface
  CLI:
      AX(config)# interface ethernet #
      AX(config-if:ethernetx)# ip nat inside
- On the outside interfaces:
  WebUI: Config > Service > IP Source NAT > Interface
  CLI:
      AX(config)# interface ethernet #
      AX(config-if:ethernetx)# ip nat outside

Network Address Translation Layer3 NAT


Dynamic Layer3 NAT statistics
- WebUI: Monitor > Service > IP Source NAT > Pool
- CLI: AX# show ip nat pool statistics

Network Address Translation Layer3 NAT


Static Layer3 NAT
Used to statically source NAT servers with dedicated IP addresses (also called 1-to-1 NAT).
Note: Static NAT allows communication initiated from the outside.

Network Address Translation Layer3 NAT


Static Layer3 NAT configuration steps
1. Create an IP Static NAT entry or a NAT range
2. Enable inside NAT on the AX inside and outside interfaces
3. Enable Static Host Source NAT (if IP Static NAT is used)

Network Address Translation Layer3 NAT


Static Layer3 NAT configuration
Create an IP Static NAT entry
- WebUI: Config > Service > IP Source NAT > Static NAT
- CLI: AX(config)# ip nat inside source static [originalIP@] [NAT-IP@]

Or create a NAT Range
- WebUI: Config > Service > IP Source NAT > NAT Range
- CLI: AX(config)# ip nat range-list []

Network Address Translation Layer3 NAT


Static Layer3 NAT configuration (cont.)
Enable inside NAT on the AX inside and outside interfaces
- On the inside interfaces:
  WebUI: Config > Service > IP Source NAT > Interface
  CLI:
      AX(config)# interface ethernet #
      AX(config-if:ethernetx)# ip nat inside
- On the outside interfaces:
  WebUI: Config > Service > IP Source NAT > Interface
  CLI:
      AX(config)# interface ethernet #
      AX(config-if:ethernetx)# ip nat outside

Enable Static Host Source NAT (if IP Static NAT is used)
- WebUI: Config > Service > IP Source NAT > Global
- CLI: AX(config)# ip nat allow-static-host

Network Address Translation Layer3 NAT


Static Layer3 NAT statistics
- WebUI: Monitor > Service > IP Source NAT > Static NAT
- CLI: AX# show ip nat static-binding statistics

Network Address Translation


Virtual Server Port option "Source NAT traffic against VIP"
This option lets the AX administrator apply the Layer3 NAT settings on the VIP for the internal clients. If SLB source NAT is also configured, all clients not using Layer3 NAT will use the SLB source NAT Pool.

Summary
In this module, we discussed:
- Load balancing's main goals: server load sharing and high availability of services
- Load balancers can be integrated in different ways into existing architectures, all supported by AX

And also:
- Configured one AX L4 SLB VIP
- Explained two common L4 SLB options and their AX configuration: Source IP Persistence and NAT
- Configured Source IP Persistence, SLB Source NAT and static Layer3 NAT on AX

FTP, HTTP and HTTPS protocols


Module 4


Module objectives
- Understand the protocols:
  - FTP
  - HTTP
  - HTTPS
- Understand the load balancing specifics for each
- Configure FTP, HTTP and HTTPS VIPs

Module 4 Lesson 1

FTP protocol

FTP protocol
File Transfer Protocol (FTP): RFC 959 (http://www.w3.org/Protocols/rfc959/)
FTP is an unencrypted TCP protocol used to transfer files between clients and servers.
FTP uses two connections:
- Control session
- Data session

FTP protocol
FTP Control Session
- Used for client/server communication (commands and replies). No data is sent on this connection.
- Established from the client to the server (usually on port 21).

FTP Data Session
- Opened "on demand" whenever data must be sent between the client and the server.
- Used for client/server data exchange only.

Important Notes:
- The Control Session remains open for the duration of the FTP connection.
- The Data Session is closed at the end of each object transfer. If you transfer 3 files, you'll have 3 data sessions (one at a time).

FTP protocol
FTP data session: two modes
There are two data session modes. The mode is negotiated between the client and the server on the control session.

Active Mode (default)
In the control session, the client tells the server which IP address and TCP port to use to establish the data connection. The server establishes the data connection to the client, and the data requested in the control session is exchanged.

FTP protocol
FTP data session: two modes (cont.)

Passive Mode
In the control session, the server tells the client which IP address and TCP port to use to establish the data session. The client establishes the data connection to the server, and the data requested in the control session is exchanged.

Load balancer configuration for FTP applications


Control session resets
During a data exchange (in the data session) there is no activity in the control session. Load balancers track activity on load-balanced sessions and flush stale connections, so if the data transfer takes too long, the control connection will be dropped.

Load balancer configuration for FTP applications


Active Mode: data session established from the server IP address (not the VIP address)
The client establishes the control connection to the VIP. With Active Mode, the client expects the data session to come from the VIP address, not from the server's IP address.

Load balancer configuration for FTP applications


Passive Mode: data session established to the server IP address (not the VIP address)
The client establishes the control connection to the VIP. With Passive Mode, the client expects to open the data session to the VIP address, not to the server's IP address.

Load balancer configuration for FTP applications


Control session resets
The generic solution is to increase the SLB aging time on the load balancer. On the AX, however, the control and data session timers are linked, so there is no need to update the timer.
Note: The AX default aging time is 120 seconds.

Load balancer configuration for FTP applications


AX configuration to update the default aging timer
For example, to allow users to spend more than 120 seconds between FTP commands:
1. Create a TCP template with a 15,000 second idle timeout
   - WebUI: Config > Service > Template > L4 > TCP
   - CLI:
       AX(config)# slb template tcp <name>
       AX(config-l4 tcp)# idle-timeout 15000
2. Assign the TCP template to the Virtual Server Port
   - WebUI: Config > Service > SLB > Virtual Server > Port
   - CLI:
       AX(config)# slb virtual-server <name>
       AX(config-slb vserver)# port N tcp
       AX(config-slb vserver-vport)# template tcp <name>

Show the aging time of SLB entries
- CLI: AX# show session []

Load balancer configuration for FTP applications


Active Mode: data session established from the server IP address (not the VIP address)
The load balancer needs to automatically source NAT the data connection coming from the servers with the VIP address. This is done automatically on the AX when the SLB VIP port is defined with service type FTP.
AX configuration:
- WebUI: Config > Service > SLB > Virtual Server > Port
- CLI:
    AX(config)# slb virtual-server <name>
    AX(config-slb vserver)# port N ftp

Load balancer configuration for FTP applications


Passive Mode: data session established to the server IP address (not the VIP address)
The load balancer needs to automatically source NAT the data connection coming from the servers with the VIP address. This is done automatically on the AX when the SLB VIP port is defined with service type FTP.
AX configuration:
- WebUI: Config > Service > SLB > Virtual Server > Port
- CLI:
    AX(config)# slb virtual-server <name>
    AX(config-slb vserver)# port N ftp
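What an FTP-type VIP has to do for both the Active and the Passive Mode cases described on these slides, as an added example that is not A10 code: a minimal FTP ALG that rewrites the server's PASV reply so the client opens the data session to the VIP, and records the client's PORT command so the server-originated data connection is presented as coming from the VIP. The client, VIP and server addresses are constructed sample values, and the PORT sanity check is a defensive addition of this example.

```python
"""Minimal FTP ALG for an FTP-type VIP (added example, not A10 code).

Passive mode: the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
carries the real server address; it is rewritten to the VIP and the expected
client -> VIP data connection is mapped back to the real server.
Active mode: the client's "PORT h1,h2,h3,h4,p1,p2" command is recorded so the
server -> client data connection can be source-NATed to the VIP."""
import re

PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def encode_hostport(ip, port):
    """RFC 959 h1,h2,h3,h4,p1,p2 form of an IPv4 address and TCP port."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(groups):
    nums = [int(g) for g in groups]
    return ".".join(str(n) for n in nums[:4]), (nums[4] << 8) | nums[5]


class FtpAlg:
    def __init__(self, vip):
        self.vip = vip
        self.passive = {}  # (client_ip, vip, port) -> (server_ip, port)
        self.active = {}   # (server_ip, client_ip, client_port) -> vip

    def on_client_command(self, client_ip, server_ip, line):
        """Inspect a control-session command from the client (active mode)."""
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            # Defensive check not on the slides: a PORT naming a third host would
            # make the server open its data connection somewhere else; refuse it.
            raise ValueError("PORT address does not match the control-session client")
        self.active[(server_ip, client_ip, port)] = self.vip
        return line

    def on_server_reply(self, client_ip, server_ip, line):
        """Inspect a control-session reply from the server (passive mode)."""
        m = PASV_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != server_ip:
            return line  # not the real server's own address: leave it untouched
        self.passive[(client_ip, self.vip, port)] = (server_ip, port)
        return line[:m.start(1)] + encode_hostport(self.vip, port) + line[m.end(6):]

    def translate_data_connection(self, src_ip, dst_ip, dst_port):
        """Map a new data connection src -> dst:port announced on a control session.
        Returns the translated (src_ip, dst_ip, dst_port), or None if nothing announced it."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.passive:  # client -> VIP: forward to the real server
            server_ip, server_port = self.passive.pop(key)
            return (src_ip, server_ip, server_port)
        if key in self.active:   # server -> client: present it as coming from the VIP
            vip = self.active.pop(key)
            return (vip, dst_ip, dst_port)
        return None


def demo():
    """Constructed addresses: client 203.0.113.10, VIP 198.51.100.1, real server 10.0.1.11."""
    alg = FtpAlg("198.51.100.1")
    pasv = alg.on_server_reply("203.0.113.10", "10.0.1.11",
                               "227 Entering Passive Mode (10,0,1,11,195,80).\r\n")
    passive_data = alg.translate_data_connection("203.0.113.10", "198.51.100.1", 50000)
    alg.on_client_command("203.0.113.10", "10.0.1.11", "PORT 203,0,113,10,200,10\r\n")
    active_data = alg.translate_data_connection("10.0.1.11", "203.0.113.10", 51210)
    return pasv, passive_data, active_data
```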


Module 4 Lesson2

HTTP protocol

77

HTTP protocol
HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80).
Note: HTTPS uses the same protocol with explicit SSL encryption for higher security (usually on port 443).

HTTP is a sequence of network request/response transactions.
Important Note: Browsers open multiple TCP sessions to download multiple objects from one web site in parallel (2 sessions with IE5.5/6.0, 6 sessions with IE8, 15 sessions with Firefox 3.x).

Request and response options are sent via headers.

HTTP requests
Main request methods
- "GET url": request an object from the server
- "POST url": send data/an object to the server
- Others: HEAD, CONNECT
Important Note: The host (such as www.a10networks.com) is not part of the URL; it is carried in the "Host" header of the request.

Main request headers
- "Host": site name
- "Connection: Keep-Alive": client support for using the same session for multiple request/response transactions
- "Accept-Encoding: gzip, deflate": support for HTTP compression
- "Cookie": text used to keep track of user information

HTTP responses
Main server response codes
- 200: OK (object in the response)
- 301: Redirect permanently
- 302: Temporary redirect
- 304: Not Modified
- 404: Page not found
- 5xx: Server error

Main response headers
- "Last-Modified": when the object was last modified
- "Etag": entity tag (used to detect object changes)
- "Connection: Keep-Alive": server support for using the same session for multiple request/response transactions
- "Set-Cookie": asks the user agent to save a cookie to keep track of user information
- "Cache-Control" / "Pragma": cacheability of the object

HTTP example (using HttpFox)


Load balancer configuration for HTTP applications


Load balancers don't need a specific configuration for basic HTTP load balancing: any L4 SLB VIP works for HTTP services. However, advanced load balancers provide techniques for improving HTTP services:
- Better availability (see below)
- Better flexibility (see below and Module 7 - aFleX)
- Better performance/acceleration (see Module 5)
- Better security (see below and Module 6)

Load balancer configuration for HTTP applications: greater availability

HTTP Health Monitor
AX provides the ability to test HTTP/HTTPS services using health monitors. HTTP/HTTPS health monitors have the following required parameters:
- Port: TCP port
- Method: GET, HEAD or POST
- URL

And the following optional parameters:
- User + Password: for web sites that require authentication
- Expect: server response code or server text
- Maintenance Code: to automatically mark the server in maintenance rather than down (so users with persistence to that server remain on that server)
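The evaluation an HTTP health monitor with the parameters above performs, as an added example that is not A10 code: the probe request is built from port, method, URL and the optional credentials, and a raw reply is classified as up, down or maintenance from the Expect and Maintenance Code settings. The sample replies are constructed, and the "any 2xx/3xx passes when no Expect is set" rule is an assumption of this example.

```python
"""HTTP/HTTPS health monitor logic (added example, not A10 code): build the probe
request from the required parameters (port, method, URL) and classify the reply
with the optional ones (user/password, expect, maintenance code).
Result is "up", "down" or "maintenance" (kept only for persistent users)."""
import base64
from dataclasses import dataclass
from typing import Optional


@dataclass
class HttpHealthMonitor:
    port: int = 80
    method: str = "GET"                      # GET, HEAD or POST
    url: str = "/"
    user: Optional[str] = None               # for sites that require authentication
    password: Optional[str] = None
    expect: Optional[str] = None             # a response code ("200") or text expected in the body
    maintenance_code: Optional[int] = None   # this code marks the server "maintenance", not "down"

    def build_request(self, host):
        """The one-shot HTTP/1.1 probe the monitor would send to <host>:<port>."""
        lines = [
            f"{self.method} {self.url} HTTP/1.1",
            f"Host: {host}:{self.port}",
            "User-Agent: health-monitor",
            "Connection: close",
        ]
        if self.user is not None:
            cred = f"{self.user}:{self.password or ''}".encode()
            lines.append("Authorization: Basic " + base64.b64encode(cred).decode())
        if self.method == "POST":
            lines.append("Content-Length: 0")
        return ("\r\n".join(lines) + "\r\n\r\n").encode()

    def evaluate(self, raw_response):
        """Classify a complete raw HTTP response."""
        head, _, body = raw_response.partition(b"\r\n\r\n")
        try:
            status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
            code = int(status_line.split()[1])
        except (IndexError, ValueError):
            return "down"                    # no parseable status line: the check failed
        if self.maintenance_code is not None and code == self.maintenance_code:
            return "maintenance"
        if self.expect is None:
            return "up" if 200 <= code < 400 else "down"   # assumed default: any 2xx/3xx passes
        if self.expect.isdigit():
            return "up" if code == int(self.expect) else "down"
        if self.method == "HEAD":
            return "down"                    # a text Expect can never match a body-less reply
        return "up" if self.expect.encode() in body else "down"


# Constructed sample replies used by demo()
SAMPLES = {
    "healthy": b"HTTP/1.1 200 OK\r\nContent-Length: 7\r\n\r\nhealthy",
    "degraded": b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\ndegraded",
    "maint": b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n",
    "error": b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n",
    "garbage": b"not http at all",
}


def demo():
    """Two monitors side by side: one expecting text, one expecting a code with a maintenance code."""
    text_hm = HttpHealthMonitor(port=80, method="GET", url="/health", expect="healthy")
    code_hm = HttpHealthMonitor(port=80, method="GET", url="/", expect="200", maintenance_code=503)
    return {name: (text_hm.evaluate(raw), code_hm.evaluate(raw)) for name, raw in SAMPLES.items()}
```

A server reported as "maintenance" is skipped for new clients but keeps the clients already persisted to it, which is the operational difference from "down".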


Load balancer configuration for HTTP applications: greater flexibility

AX offers advanced flexibility options for web applications. These options are available via HTTP templates:
- WebUI: Config > Service > Template > Application > HTTP
- CLI: AX(config)# slb template http <name> []

HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS".

Load balancer configuration for HTTP applications greater flexibility


HTTP template options

URL Hash switching
Load balancing across the servers is based on a hash of the URL (beginning or end of the URL). This option is usually used for web cache load balancing.

Host/URL switching
Server selection is based on the Host or the URL (beginning or end). This option is also usually used for web cache load balancing.

Request/Response Header Erasure/Insertion
Allows the AX to insert or remove a client request header (such as "Accept-Encoding") or a server response header (such as "Cache-Control"). This option is usually used to centrally change web server behavior without changing the web servers' configuration.

Load balancer configuration for HTTP applications greater flexibility


HTTP template options (cont.)

Strict Transaction Switching
Allows HTTP/HTTPS load balancing per request (instead of per session). This option is usually used when the load among the servers is unequal.

Load balancer configuration for HTTP applications greater security


AX offers advanced security options for web applications. These options are available via HTTP templates:
- WebUI: Config > Service > Template > Application > HTTP
- CLI: AX(config)# slb template http <name> []

HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS".
Note: Some of the following options can be considered availability and flexibility options too.

Load balancer configuration for HTTP applications greater security


URL failover
When all servers are disabled or have failed, the AX can send an HTTP redirect to a "backup site" or "sorry page". This option is usually used with "backup sites" or "sorry pages".

Load balancer configuration for HTTP applications greater security


URL redirect / rewrite
When the server replies with an HTTP redirect, the AX can rewrite it with a new value. This option is usually used for transparent "SSL-ization" of HTTP web applications.

Load balancer configuration for HTTP applications greater security


Retry HTTP request on HTTP 5xx
When the server replies with a 5xx error, by default the AX forwards it to the client. The retry option allows the AX to resend the request to another server in the Service Group. The following options are available:
- "On HTTP 5xx code for each request": the client request is resent to a new server
- "On HTTP 5xx code": the client request is resent to a new server, and the server that replied with the 5xx is not used for new requests for 30 seconds
- "#": number of servers that can be tried
- Logging: generates logs when this event happens (not available in the WebUI in AX 2.4.2)
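The retry behaviour with its three options (per-request retry, 30-second exclusion of the failing server, and the "#" limit), as an added example that is not A10 code: a simulation in which the transport is a caller-supplied `send(server, request)` function and time is passed in explicitly so the exclusion window can be exercised; server addresses are constructed.

```python
"""Retry-on-5xx behaviour of the HTTP template (added example, not A10 code):
a request answered with 5xx is resent to another server of the service group,
optionally excluding the failing server for 30 seconds, up to "#" servers.
send(server, request) -> status code is supplied by the caller; time is explicit."""
from dataclasses import dataclass, field

EXCLUDE_SECONDS = 30   # slide: a server that answered 5xx is skipped for 30 seconds


@dataclass
class RetryOn5xx:
    servers: list
    mode: str = "each_request"   # "each_request", or "code" (also excludes the failing server)
    max_servers: int = 2         # the "#" option: how many servers may be tried for one request
    logging: bool = False        # the Logging option
    excluded_until: dict = field(default_factory=dict)
    log: list = field(default_factory=list)
    rr_index: int = 0

    def _candidates(self, now):
        """Round-robin order (standing in for the group's LB algorithm), minus excluded servers."""
        order = self.servers[self.rr_index:] + self.servers[:self.rr_index]
        self.rr_index = (self.rr_index + 1) % len(self.servers)
        return [s for s in order if self.excluded_until.get(s, 0) <= now]

    def forward(self, request, send, now):
        """Returns (status, server, tries). When every try fails, the last 5xx goes to
        the client, as it does by default; (None, None, 0) means no eligible server."""
        status, server, tries = None, None, 0
        for candidate in self._candidates(now):
            if tries >= self.max_servers:
                break
            server, tries = candidate, tries + 1
            status = send(server, request)
            if not 500 <= status <= 599:
                return status, server, tries
            if self.mode == "code":
                self.excluded_until[server] = now + EXCLUDE_SECONDS
            if self.logging:
                self.log.append(f"t={now}s {server} answered {status} for {request!r}")
        return status, server, tries


def demo():
    """Constructed group: 10.0.1.11 always answers 503, 10.0.1.12 always answers 200."""
    statuses = {"10.0.1.11": 503, "10.0.1.12": 200}

    def send(server, request):
        return statuses[server]

    group = RetryOn5xx(["10.0.1.11", "10.0.1.12"], mode="code", max_servers=2, logging=True)
    first = group.forward("GET /a", send, now=0)    # 503 from .11, retried on .12
    second = group.forward("GET /b", send, now=10)  # .11 still excluded: .12 answers the first try
    third = group.forward("GET /c", send, now=31)   # exclusion expired: .11 is tried again
    return first, second, third, list(group.log)
```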

Load balancer configuration for HTTP applications greater security


Client IP header insertion
Web servers log the client IP address, which they take from the source IP address of the connection. Some advanced AX HTTP options (Connection Reuse or Source NAT) force the AX to establish the connection to the server from an AX IP address; in these cases the web server loses the client IP address information. To allow web servers to log the client IP address, the AX can inject the client IP information in a request header.
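Both sides of the header insertion just described, as an added example that is not A10 code: the load balancer inserts the client address into a request header, and the web server uses that header for its logs only when the TCP peer is a known balancer. The header name X-Forwarded-For is an assumption (the slide names none), the request and addresses are constructed, and dropping a client-supplied copy of the header is a defensive choice of this example.

```python
"""Client IP header insertion (added example, not A10 code). When the AX opens
the server connection from its own address (Source NAT, Connection Reuse), the
original client IP travels in a request header instead. The header name
X-Forwarded-For is an assumption; the slide does not name it."""

HEADER = "X-Forwarded-For"   # assumed header name


def insert_client_ip_header(raw_request, client_ip, header_name=HEADER):
    """Load balancer side: add the client IP header to a raw HTTP/1.1 request.
    Any copy of the header already sent by the client is dropped first (a defensive
    choice of this example) so the server can never log a forged value."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    wanted = header_name.lower().encode()
    kept = [h for h in headers if h.split(b":", 1)[0].strip().lower() != wanted]
    kept.append(header_name.encode() + b": " + client_ip.encode())
    return b"\r\n".join([request_line] + kept) + sep + body


def parse_headers(raw_request):
    """Header names (lower-cased) -> values, as a web server would see them."""
    head = raw_request.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def client_ip_for_log(peer_ip, headers, trusted_balancers, header_name=HEADER):
    """Web server side: log the header value only when the TCP peer is a known
    balancer; from any other peer the header is untrusted and the peer is logged."""
    if peer_ip not in trusted_balancers:
        return peer_ip
    return headers.get(header_name.lower(), peer_ip)


def demo():
    """Constructed request from client 203.0.113.10 that already carries a forged header.
    The balancer (10.0.1.1) source-NATs, so the server's TCP peer is 10.0.1.1."""
    original = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"X-Forwarded-For: 192.0.2.99\r\n"
                b"Connection: Keep-Alive\r\n\r\n")
    rewritten = insert_client_ip_header(original, "203.0.113.10")
    via_balancer = client_ip_for_log("10.0.1.1", parse_headers(rewritten), {"10.0.1.1"})
    # Same forged request arriving directly, bypassing the balancer: header ignored.
    direct = client_ip_for_log("198.51.100.7", parse_headers(original), {"10.0.1.1"})
    return rewritten, via_balancer, direct
```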


Module 4 Lesson 3

HTTPS protocol

HTTPS protocol
HTTPS (HTTP over TLS) RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)
HTTPS is the "secured" version of HTTP (usually port 443). HTTPS offers:
- Server authentication (with server certificates)
- (optional) Client authentication (with client certificates)
- Encryption (with TLS/SSL)

How does server authentication work?


- TLS/SSL is based on public certificates and private keys
- Certificates are issued and signed by a Certificate Authority (CA)
- HTTPS clients first request the server's public certificate and validate it against their list of trusted CAs
- Once the server certificate is validated (name, date, etc.), the client sends its HTTP requests

How does the encryption work?


- Once the server is trusted, the client and server negotiate a "session key" to encrypt the traffic
- The session key is negotiated via an asymmetric encryption protocol using long keys (usually 2048 bits)
  Note: This step is very CPU intensive (asymmetric encryption)
- Once the session key is negotiated, the HTTPS client requests and server responses are sent encrypted
  Note: Less CPU intensive (symmetric encryption)
  Note: If the client establishes a new TCP session before the session key expires, it proposes to the server to reuse it (SSL session ID reuse option). The server can accept or refuse; if refused, a new session key is negotiated.

Load balancer configuration for HTTPS applications


Load balancers don't need a specific configuration for HTTPS load balancing: any L4 SLB VIP works for HTTPS services. However, advanced load balancers provide techniques to improve HTTPS services:
- Better availability (see Module 4 - Lesson 2)
- Better flexibility (see Module 4 - Lesson 2 and Module 7 - aFleX)
- Better performance/acceleration (see Module 5)
- Better security (see Module 4 - Lesson 2 and Module 6)

Load balancer configuration for HTTPS applications


AX offers advanced flexibility/performance/security options for HTTPS applications These options are available via HTTP templates
WebUI: Config > Service > Template > Application > HTTP CLI: AX(config)# slb template http <name> []

HTTP templates are associated with virtual server ports of type "HTTP" or "HTTPS.

97

HTTPS communication with clients
Client SSL templates
- To enable HTTPS communication with the clients, a Client SSL template defines:
  - Public certificate that will be presented to clients
  - Private key (and its passphrase)
  - SSL ciphers supported ("encryption algorithms")
  - (optional) Client certificate request

HTTPS communication with clients
HTTPS communication with clients configuration
1. Import the SSL public certificate and private key on the AX
   Note: Self-signed certificates can be created on the AX too
   WebUI: Config > Service > SSL Management > Certificate
   CLI: AX(config)# import ssl-cert <name>
        AX(config)# import ssl-key <name>
2. Create a Client SSL template
   WebUI: Config > Service > Template > SSL > Client SSL
   CLI: AX(config)# slb template client-ssl <name> []
3. Assign the Client SSL template to the Virtual Server Port
   WebUI: Config > Service > SLB > Virtual Server > Port
   CLI: AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N https
        AX(config-slb vserver-vport)# template client-ssl <name>

HTTPS communication with servers
Server SSL templates
- To enable HTTPS communication with the servers, a Server SSL template defines:
  - SSL ciphers supported ("encryption algorithms")
  - (optional) CA that will be used to validate the servers' certificate

HTTPS communication with servers
HTTPS communication with servers configuration
1. (Optional) Import the CA public certificate that will be used to validate the servers' certificate
   WebUI: Config > Service > SSL Management > Certificate
   CLI: AX(config)# import ssl-cert <name>
2. Create a Server SSL template
   WebUI: Config > Service > Template > SSL > Server SSL
   CLI: AX(config)# slb template server-ssl <name> []
3. Assign the Server SSL template to the Virtual Server Port
   WebUI: Config > Service > SLB > Virtual Server > Port
   CLI: AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N https
        AX(config-slb vserver-vport)# template server-ssl <name>

HTTPS virtual port options
SSL statistics
  WebUI: Monitor > Service > Application > SSL
  CLI: AX# show slb ssl stats

Summary
In this module, we presented:
- FTP protocol
- HTTP protocol
- HTTPS protocol

And also:
- Explained the specific load balancer configuration required for each protocol
- Explained the specific load balancer options available for each protocol for better availability, flexibility, performance and security
- Configured FTP, HTTP, and HTTPS VIPs on the AX

AX Acceleration
Module 5

Module objectives
Understand the advanced AX options for acceleration:
- Connection Reuse
- SSL offload
- HTTP compression
- RAM Caching

Configure advanced AX options for acceleration

Connection reuse
Web servers need to manage:
- New clients (open new sessions)
- Clients leaving (close sessions)
- Maintaining all connected clients' sessions
  Note: Web browsers keep their TCP connections open, even when all objects have been loaded

Connection reuse
- Connection Reuse offloads the server TCP stack
- This option provides faster server response time and higher server scalability
- Connection reuse:
  - Terminates all client connections on the AX
  - Maintains persistent connections to the servers
  - Sends all client requests on the same persistent connections

Note: Connection Reuse requires SLB Source NAT
Note 2: HTTP Keep-alive should be enabled on the web servers

Connection reuse
Connection reuse configuration
1. Create a Connection Reuse template
   WebUI: Config > Service > Template > Connection Reuse
   CLI: AX(config)# slb template connection-reuse <name> []
2. Assign the Connection Reuse template to the Virtual Server Port
   WebUI: Config > Service > SLB > Virtual Server > Port
   CLI: AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N http
        AX(config-slb vserver-vport)# template connection-reuse <name>
   Note: IP Source NAT must also be configured on the Virtual Server Port

Connection Reuse statistics
  WebUI: Monitor > Service > Application > Connection Reuse
  CLI: AX# show slb connection-reuse

SSL offload
- SSL Offload relieves the server of SSL tasks
- This option provides faster server response time and higher server scalability
- AX receives HTTPS client traffic and sends HTTP traffic to the servers

SSL offload
SSL offload configuration
- HTTPS VIP pointing to HTTP servers (see Module 4 - lesson 3)
- (optional) Rewrite the servers' HTTP redirect responses
  Note: This is done via an HTTP template containing the Redirect / Rewrite option
- (optional) Rewrite absolute links
  Note: This is done via aFleX (see Module 7)
110

HTTP compression
- Compresses HTTP/HTTPS objects
- Uses less bandwidth and provides faster client download time
- AX HTTP compression:
  - Compresses objects sent to the clients
    Note: By default, "text" types (such as html/css/js) and "application" types (such as doc/xls/ppt/pdf)
  - If HTTP compression is enabled on the servers, AX transparently offloads this task from the servers
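The following Python is an added example (not A10 code) of the decision an intermediary makes before compressing: it compresses only when the client advertises gzip and the type is one of the default classes, and it strips Accept-Encoding from the request forwarded to the server so the server returns plain content and the compression work is offloaded. The 1 KB minimum body size is an assumption.

```python
import gzip
from typing import Dict, Tuple

# Default compressible classes from the slide: "text" and "application" types.
COMPRESSIBLE_PREFIXES = ("text/", "application/")
# Assumed minimum body size: very small bodies tend to grow when compressed.
MIN_SIZE = 1024


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def request_to_server(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Headers forwarded to the real server: Accept-Encoding is removed so
    the server returns uncompressed content and the AX does the compressing."""
    return {k: v for k, v in request_headers.items() if k.lower() != "accept-encoding"}


def compress_response(request_headers: Dict[str, str],
                      response_headers: Dict[str, str],
                      body: bytes, min_size: int = MIN_SIZE) -> Tuple[Dict[str, str], bytes]:
    """Return (headers, body) to send to the client, gzip-compressed when the
    client accepts gzip, the Content-Type is a compressible class, the body is
    not already encoded and it is large enough to be worth it."""
    req, resp = _lower(request_headers), _lower(response_headers)
    accepted = {t.strip().split(";")[0].lower()
                for t in req.get("accept-encoding", "").split(",")}
    ctype = resp.get("content-type", "").split(";")[0].strip().lower()
    if "gzip" not in accepted or not ctype.startswith(COMPRESSIBLE_PREFIXES):
        return response_headers, body
    if resp.get("content-encoding") or len(body) < min_size:
        return response_headers, body
    out = gzip.compress(body)
    headers = dict(response_headers)
    headers["Content-Encoding"] = "gzip"
    headers["Content-Length"] = str(len(out))
    # Tell caches that the representation depends on Accept-Encoding.
    headers["Vary"] = "Accept-Encoding"
    return headers, out


def decompress_for_client(body: bytes) -> bytes:
    """What the browser does on receipt; used to check the round trip."""
    return gzip.decompress(body)
```

The Vary header added here is the one case the RAM Caching slides later allow a cache to keep ("Vary: Accept-Encoding").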

HTTP compression
HTTP compression configuration
1. Create an HTTP template
   WebUI: Config > Service > Template > Application > HTTP
   CLI: AX(config)# slb template http <name> []
2. Assign the HTTP template to the Virtual Server Port
   WebUI: Config > Service > SLB > Virtual Server > Port
   CLI: AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N http
        AX(config-slb vserver-vport)# template http <name>

Note: On AX models with a Hardware Based Compression module, you need to enable Hardware Based Compression first
  WebUI: Config > Service > SLB > Global
  CLI: AX(config)# slb hw-compression

HTTP compression
HTTP compression statistics
  WebUI: Monitor > Service > Application > Proxy > HTTP
  CLI: AX# show slb http-proxy

RAM Caching
- Caches HTTP/HTTPS static and dynamic content in AX RAM
- Delivers cached objects to clients directly from the AX cache, offloading servers from these requests
- Provides faster client download time and higher server scalability

RAM Caching
AX RAM Caching
- Caches objects unless explicitly denied by the server's response
- Caches responses with the following status codes:
  - 200 OK
  - 203 Non-Authoritative response
  - 300 Multiple Choices
  - 301 Moved Permanently
  - 302 Found (only if an Expires header is also present)
  - 410 Gone

RAM Caching
AX RAM Caching limitations
- Does not support client HTTP range requests (they are sent to the servers)
- Does not cache server responses with a "Vary" header (except "Vary: Accept-Encoding")
- Does not cache server responses with a "Warning" header
- Does not cache server responses if the request had an "Authorization" header (even if the server specifies "Cache-Control: public")
- Does not cache incomplete (partial) responses
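An added re-implementation of these rules in Python (not A10 code), so that the status-code list and the limitations can be checked against concrete request/response pairs. The directives taken to mean "explicitly denied by the server's response" (Cache-Control: no-store, private, no-cache) are an assumption, since the slide does not name them.

```python
from typing import Dict

# Status codes the slides list as cacheable; 302 is handled separately
# because it is only cacheable together with an Expires header.
CACHEABLE_STATUS = {200, 203, 300, 301, 410}
# Assumed meaning of "explicitly denied by the server's response".
DENY_DIRECTIVES = {"no-store", "private", "no-cache"}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def is_cacheable(request_headers: Dict[str, str], status: int,
                 response_headers: Dict[str, str], complete: bool = True) -> bool:
    """Decide whether a response may be stored, applying the slide's rules."""
    req, resp = _lower(request_headers), _lower(response_headers)
    if not complete:                 # partial responses are never stored
        return False
    if "range" in req:               # range requests go straight to the servers
        return False
    if "authorization" in req:       # even if the server says Cache-Control: public
        return False
    if status == 302:
        if "expires" not in resp:
            return False
    elif status not in CACHEABLE_STATUS:
        return False
    vary = resp.get("vary", "").strip().lower()
    if vary and vary != "accept-encoding":
        return False
    if "warning" in resp:
        return False
    directives = {d.strip().lower() for d in resp.get("cache-control", "").split(",")}
    if directives & DENY_DIRECTIVES:
        return False
    return True
```

The Authorization rule is the security-relevant one: a cache that ignored it would hand one user's authenticated response to the next user requesting the same URL.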

RAM Caching
RAM Caching configuration
1. Create a RAM Caching template
   WebUI: Config > Service > Template > Application > RAM Caching
   CLI: AX(config)# slb template cache <name>
2. Assign the RAM Caching template to the Virtual Server Port
   WebUI: Config > Service > SLB > Virtual Server > Port
   CLI: AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N http
        AX(config-slb vserver-vport)# template cache <name>

RAM Caching statistics
  WebUI: Monitor > Service > Application > RAM Caching
  CLI: AX# show slb cache []

RAM Caching
AX RAM Caching for dynamic objects
- Allows the AX to cache non-static objects
- Need to understand application behavior to determine cacheability:
  - What is to be cached?
  - How long is the cached content valid?
  - What is the trigger that would cause the response to change?

Parameterized requests
- The URL matches a specific pattern.
- Specific query parameters are present.
- Specific cookies in the request are present.
- Specific HTTP headers in the request are present.

Policies
- Cacheability rules determine what is cacheable and what is not
- Invalidation rules

RAM Caching
When not to use dynamic caching
- The response sets cookies specific to that session.
  Example: the response to a login page
- The response contains data specific to a previous action in the session.
  Example: a confirmation number for a transaction that was just executed
- The life of a response is indeterminate; that is, the response contains data that becomes stale based on a future action.
  Example: the portfolio page of a brokerage account user changes when the user executes transactions.
- Different versions of the response cannot be distinguished by using the URL, query parameters, or cookies in the request.
  Example: the response contains personalized settings, such as the user name, but no query parameter or cookie directly identifies the user.

RAM Caching
Dynamic caching policies
- Caching policies can be used to override/augment standard HTTP behavior
- Policies are specified as follows:
    policy <condition> <action>
  Where:
    <condition> is of the form uri <pattern>
    <action> is cache <seconds>, no-cache, or invalidate <entry>
  Note: More sophisticated conditions will be supported in future using aFleX policies
- Policies are evaluated in the order they are specified. The action in the first policy that matches will be applied.

RAM Caching
Dynamic caching example
Let's say there is a web application with the following URLs:
  http://x.y.com/list              lists all items from the database
  http://x.y.com/add?a=p1&b=p2     adds an item to the database
  http://x.y.com/del?c=p3          deletes an item from the database
  http://x.y.com/private?user=u1   private info for the user

This is a simple example, but it is also a very common scenario, representative of many sites on the web today. In this case, the list URI will be hit by a lot of users, so it makes sense to cache it as long as it remains up to date. However, when the user does an add/delete operation, or one of the other URIs is requested, the database changes and the cached list has to be refreshed.

RAM Caching
WebUI configuration for the example
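Added example (not A10 code): a small Python model of the policy language from the previous slide and its first-match evaluation, run through the four URLs above with a constructed in-memory "database" standing in for the application. Glob matching for <pattern> and <entry> and the exact policy spelling are assumptions of this model.

```python
import fnmatch
from typing import Callable, Dict, List, Optional, Tuple

# Policies for the slide's application, in evaluation order (first match wins).
POLICIES = [
    "policy uri /list cache 300",          # cache the list for 300 s
    "policy uri /add* invalidate /list",   # adds change the database
    "policy uri /del* invalidate /list",   # so do deletes
    "policy uri /private* no-cache",       # per-user data is never cached
]


class DynamicCache:
    """Model of: policy uri <pattern> {cache <seconds> | no-cache | invalidate <entry>}.
    Patterns and entries are globs (assumption); the real AX syntax may differ."""

    def __init__(self, policies: List[str], clock: Callable[[], float]):
        self.rules: List[Tuple[str, str, Optional[str]]] = []
        for line in policies:
            parts = line.split()
            if len(parts) < 4 or parts[:2] != ["policy", "uri"]:
                raise ValueError(f"bad policy: {line!r}")
            pattern, action = parts[2], parts[3]
            arg = parts[4] if len(parts) > 4 else None
            if action not in ("cache", "no-cache", "invalidate") or \
               (action != "no-cache" and arg is None):
                raise ValueError(f"bad policy: {line!r}")
            self.rules.append((pattern, action, arg))
        self.clock = clock
        self.store: Dict[str, Tuple[str, float]] = {}   # uri -> (body, expiry)
        self.hits = self.misses = 0

    def _first_match(self, uri: str):
        for pattern, action, arg in self.rules:
            if fnmatch.fnmatchcase(uri, pattern):
                return action, arg
        return None, None

    def fetch(self, uri: str, origin: Callable[[str], str]) -> str:
        action, arg = self._first_match(uri)
        if action == "invalidate":
            for key in [k for k in self.store if fnmatch.fnmatchcase(k, arg)]:
                del self.store[key]
            return origin(uri)
        if action != "cache":
            return origin(uri)          # no-cache, or no policy matched
        now = self.clock()
        entry = self.store.get(uri)
        if entry and entry[1] > now:
            self.hits += 1
            return entry[0]
        self.misses += 1
        body = origin(uri)
        self.store[uri] = (body, now + int(arg))
        return body


def demo() -> Dict[str, object]:
    """Walk the slide's scenario against a constructed in-memory database."""
    t = [0.0]
    cache = DynamicCache(POLICIES, clock=lambda: t[0])
    db: List[str] = []
    calls = {"origin": 0}

    def origin(uri: str) -> str:            # stands in for the real servers
        calls["origin"] += 1
        path, _, query = uri.partition("?")
        if path == "/list":
            return ",".join(db)
        if path == "/add":
            db.append(query)
            return "added"
        if path == "/del":
            if db:
                db.pop()
            return "deleted"
        return "private data"

    first = cache.fetch("/list", origin)        # miss: fetched and cached
    second = cache.fetch("/list", origin)       # hit: served from cache
    cache.fetch("/add?a=p1&b=p2", origin)       # invalidates /list
    after_add = cache.fetch("/list", origin)    # miss: fresh list
    cache.fetch("/private?user=u1", origin)     # never cached
    cache.fetch("/private?user=u1", origin)
    misses_before_expiry = cache.misses
    t[0] = 301.0                                # past the 300 s TTL
    cache.fetch("/list", origin)                # miss again: entry expired
    return {"first": first, "second": second, "after_add": after_add,
            "origin_calls": calls["origin"], "hits": cache.hits,
            "misses": cache.misses, "misses_before_expiry": misses_before_expiry}
```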

Summary
In this module, we presented the AX acceleration options:
- Connection Reuse
- SSL offload
- HTTP compression
- RAM Caching

And also configured them on the AX.

AX Security
Module 6

Module objectives
Understand the advanced AX options for security:
- DDoS protection
- PBSLB
- ACL
- Management security
- High Availability (HA)

Configure HA on AX devices

Points to keep in mind
- Some advanced HTTP/HTTPS security options are detailed in Module 4 (HTTP Templates)
- This module (Module 6) presents other AX advanced security options
  Note: aFleX (covered in Module 7) can also be considered a security option

DDoS protection
- AX provides enhanced protection against DDoS (Distributed Denial of Service) attacks
  Note: AX 2200 / AX 3100 / AX 3200 / AX 5100 / AX 5200 provide DDoS protection in hardware. Other models provide DDoS protection in software.

DDoS basic filters

DDoS configuration
  WebUI: Config > SLB > Global
  CLI: AX(config)# ip anomaly-drop <DDoS-type>

DDoS protection
- Advanced DDoS filters are also available with system-wide PBSLB
  Note: PBSLB is detailed on the next slide.
  - Invalid HTTP or SSL payload or DNS
  - Zero-Length TCP Window
  - Out-of-sequence packet

Advanced DDoS configuration
  CLI only: AX(config)# ip anomaly-drop <DDoS-type> [threshold]

Basic and advanced DDoS statistics
  WebUI (basic only): Monitor > Service > Application > Switch
  CLI (basic only): AX# show slb switch []
  CLI (basic only): AX# show slb l4 and show pbslb client [ip@]

Policy-based SLB
- Policy-based SLB (PBSLB) allows "black lists" and "white lists" with individual clients or subnets
  Note: IPv6 addresses are not supported in PBSLB.
- PBSLB denies client traffic based on:
  - IP address / subnet
  - (optional) number of connections from that IP address / subnet
  - (optional) can permit the client, but select another Service Group

Policy-based SLB
PBSLB specifics
- Large list support
  - Up to 8 M IP addresses
  - Up to 64 K IP subnets
  - Up to 32 group IDs
- Highly efficient
  - B/W lists are stored in hash tables
  - Can process Gbps of traffic
- Automatic B/W list support
  - AX can update its B/W list automatically at specific intervals via TFTP

PBSLB components
PBSLB is a list of text entries, as follows:
  ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]

Policy-based SLB
PBSLB configuration
1. Create or import a PBSLB list
   WebUI (creation or import): Config > Service > PBSLB
   CLI (import): AX(config)# import bw-list []
2. Create a PBSLB Policy template
   WebUI: Config > Service > Template > PBSLB Policy
   CLI: AX(config)# slb template policy <name> []
3. Assign the PBSLB Policy template to the Virtual Server Port
   WebUI: Config > Service > SLB > Virtual Server > Port
   CLI: AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N <type>
        AX(config-slb vserver-vport)# template policy <name>

PBSLB statistics
  WebUI: Monitor > Service > PBSLB
  CLI: AX# show pbslb []

Policy-based SLB
PBSLB file example
  10.10.1.3 4; blocking host (group 4 is defined in the template with action "drop")
  10.10.2.0/24 4; blocking subnet (group 4 is defined in the template with action "drop")
  192.168.1.1/32 2 #20; 20 concurrent connections max for that host (group 2 is defined in the template with action "permit with Service Group X")

PBSLB template example
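To make the list format concrete, here is an added Python model (not A10 code) that parses the three lines above and applies them to client addresses: longest-prefix match, the group-to-action mapping the comments describe, and the per-entry connection limit. The Service Group name sg-x and the "over-limit clients are dropped" behaviour are assumptions.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# The three entries from the slide (constructed input for this example).
SAMPLE_LIST = """\
10.10.1.3 4; blocking host (group 4 is defined in the template with action "drop")
10.10.2.0/24 4; blocking subnet (group 4 is defined in the template with action "drop")
192.168.1.1/32 2 #20; 20 concurrent connections max for that host (group 2 is defined in the template with action "permit with Service Group X")
"""

# Assumed PBSLB Policy template: group-id -> (action, service group), as the
# comments above describe. "sg-x" stands in for Service Group X.
GROUP_ACTIONS: Dict[int, Tuple[str, Optional[str]]] = {
    4: ("drop", None),
    2: ("permit", "sg-x"),
}


class BWEntry(NamedTuple):
    network: ipaddress.IPv4Network
    group_id: Optional[int]
    conn_limit: Optional[int]
    comment: str


def parse_bw_list(text: str) -> List[BWEntry]:
    """Parse: ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
    A bare address is a /32 host. IPv6 is rejected (not supported by PBSLB)."""
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition(";")
        fields = line.split()
        if not fields:
            continue
        net = ipaddress.ip_network(fields[0], strict=False)
        if net.version != 4:
            raise ValueError(f"IPv6 is not supported in PBSLB: {fields[0]}")
        group = limit = None
        for field in fields[1:]:
            if field.startswith("#"):
                limit = int(field[1:])
            else:
                group = int(field)
        entries.append(BWEntry(net, group, limit, comment.strip()))
    return entries


def lookup(entries: List[BWEntry], client_ip: str) -> Optional[BWEntry]:
    """Most specific (longest prefix) entry covering the client, if any."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for e in entries:
        if addr in e.network and (best is None or e.network.prefixlen > best.network.prefixlen):
            best = e
    return best


def decide(entries: List[BWEntry], client_ip: str, active_conns: int,
           actions=GROUP_ACTIONS) -> Tuple[str, Optional[str]]:
    """Return ("drop", None), ("permit", None) for normal SLB, or
    ("permit", service_group). A listed client at or above its connection
    limit is dropped (assumed over-limit behaviour)."""
    e = lookup(entries, client_ip)
    if e is None or e.group_id is None:
        return ("permit", None)
    action, sg = actions.get(e.group_id, ("permit", None))
    if action == "drop":
        return ("drop", None)
    if e.conn_limit is not None and active_conns >= e.conn_limit:
        return ("drop", None)
    return ("permit", sg)
```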

Access Control Lists
- AX supports standard and extended Access Control Lists (ACLs)
- ACLs can be applied to data interfaces, the management interface, and virtual server ports
- Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
- IPv4 and IPv6 ACLs are supported

Access Control Lists
ACL components
  [no] access-list acl-num [seq-num] {permit | deny | remark string} ip
      {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}}
      {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}}
      [log [transparent-session-only]]

ACL configuration
1. Create an ACL
   WebUI: Config > Network > ACL
   CLI: AX(config)# access-list []

Access Control Lists
ACL configuration
2. Assign the ACL to data interfaces, the management interface, or Virtual Server Ports
   Data interface:
     WebUI: Config > Network > Interfaces > LAN
     CLI: AX(config)# interface ethernet 1
          AX(config-if:ethernet1)# access-list <num> in
   Management interface:
     CLI only: AX(config)# interface management
               AX(config-if:management)# access-list <num> in
   Virtual Server Port:
     WebUI: Config > Service > SLB > Virtual Server > Port
     CLI: AX(config)# slb virtual-server <name>
          AX(config-slb vserver)# port N <type>
          AX(config-slb vserver-vport)# access-list <name>

Access Control Lists
ACL statistics
  CLI only: AX# show access-list
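As an added example (not A10 code), a Python parser and first-match evaluator for the "ip" form of the grammar above, fed with constructed rules. Assumptions: filter-mask is a Cisco-style wildcard mask, entries without a sequence number are numbered in steps of 10, and a packet that matches no entry is denied.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple


class AclRule(NamedTuple):
    seq: int
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


_RULE = re.compile(r"^access-list\s+(\d+)\s+(?:(\d+)\s+)?(permit|deny|remark)\s+(.*)$")

# Constructed rules in the slide's grammar (addresses from documentation ranges).
SAMPLE_ACL = [
    "access-list 100 remark drop one bad host and its subnet, then allow our servers",
    "access-list 100 10 deny ip host 203.0.113.50 any log",
    "access-list 100 20 deny ip 198.51.100.0 0.0.0.255 any",
    "access-list 100 30 permit ip any 10.0.0.0/8",
]


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """any | host A.B.C.D | A.B.C.D filter-mask | A.B.C.D/len
    filter-mask is taken as a Cisco-style wildcard mask (assumption)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if "/" in t:
        return ipaddress.ip_network(t, strict=False)
    wildcard = tokens.pop(0)
    # ipaddress accepts a host mask (wildcard) as well as a net mask here.
    return ipaddress.ip_network(f"{t}/{wildcard}", strict=False)


def parse_acl(lines: List[str]) -> List[AclRule]:
    rules, seq = [], 0
    for line in lines:
        m = _RULE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable ACL line: {line!r}")
        _, seq_str, action, rest = m.groups()
        if action == "remark":
            continue                       # comments carry no filter
        tokens = rest.split()
        if not tokens or tokens.pop(0) != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        log = bool(tokens) and tokens[0] == "log"
        seq = int(seq_str) if seq_str else seq + 10   # auto-sequencing assumption
        rules.append(AclRule(seq, action, src, dst, log))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules: List[AclRule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int], bool]:
    """First match in sequence order wins: (action, seq, log). A packet that
    matches nothing is denied, as with Cisco-style ACLs (assumption)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.seq, r.log
    return "deny", None, False
```

Because evaluation stops at the first match, the order of the deny entries relative to the broad permit is what makes the list effective; the sequence numbers are what the re-sequencing option rewrites.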

Management security
AX provides advanced management security options:
- Multiple management accounts with distinct levels of access
- Interface-level access control for individual access types (ICMP / Telnet / SSH / HTTP / HTTPS / SNMP)
- Management account lockout in response to excessive invalid passwords
- External authentication support with RADIUS and TACACS+
- Private partitions

Note: See the AX Series Configuration Guide for more information

High Availability (HA)
High Availability Design Options
- Active-Standby mode
- Active-Active mode
- Layer 2/3 Hot Standby mode

High Availability (HA)
Active-Standby Mode
- Active AX processes all the production traffic
- Standby AX does not process any production traffic
- Standby AX mirrors all session information from the Active AX
- Reliability is scaled, but not performance

High Availability (HA)
Active-Standby Failover
- Peer AX is elected as active
- Gratuitous ARPs for virtual, floating and NAT IPs are sent
- Existing mirrored sessions are picked up by the newly elected active AX
- New sessions are served by the newly elected active AX

High Availability (HA)
Active-Active Mode
- Both AX units process the production traffic
- Session and state information is mirrored between both AX units
- Performance is scaled in addition to reliability
  Note: Don't exceed 50% utilization on each unit for full HA

High Availability (HA)
Active-Active Failover
- Peer AX is elected active for HA group 2 and sends gratuitous ARPs for virtual IPs, floating IPs, and NAT IPs
- Existing mirrored sessions are picked up by the peer AX
- Peer AX serves requests for both HA groups

High Availability (HA)
L2/3 Hot Standby Mode
- Active AX processes all the production traffic
- Standby AX does not process any production traffic
- Standby AX mirrors all session information from the Active AX
- Standby becomes non-forwarding but is reachable for management traffic, sends and receives HA heartbeats, receives synced sessions from the peer, and performs health checks
  Note: Loop elimination protocols such as STP are not required

High Availability (HA)
L2/3 Hot Standby Failover
- Peer AX is elected new active
- Gratuitous ARPs for virtual, floating and NAT IPs are sent
- New active becomes fully forwarding and existing mirrored sessions continue

High Availability
All AX integration modes support HA:
- Routed mode: Active-Standby, Active-Active and L3 Hot Standby modes
- One-Arm mode: Active-Standby, Active-Active and L3 Hot Standby modes
- Transparent mode: L2 Hot Standby mode
- DSR mode: Active-Standby, Active-Active and L3 Hot Standby modes

High Availability
HA Active-Standby Mode configuration steps
1. Configure HA interfaces
   - All interfaces used with production traffic (+ AX interlink if it exists)
   Note: We recommend a dedicated direct interlink between the AX units so that sync traffic is kept off the production network.
2. Configure HA Global settings
   - Identifier (AX1 = 1, AX2 = 2)
   - HA Status: Enabled
   - (optional) HA Mirroring IP address: remote AX sync interface
   - (optional) Preempt: fail over to a higher-priority AX when it becomes available
   - Group1 with priority 200 on AX1 (priority 100 on AX2)
   - Floating VIP for Group1: IP addresses defined as the servers' gateway (VRRP-like)
   - (optional) IP@ and VLAN check
     Note: the IP@ have to be defined as SLB servers too

High Availability
HA Active-Standby Mode configuration steps (cont.)
3. Configure VIP HA settings
   - In the VIP settings, associate the HA Group with the VIP
   - (optional) Enable Dynamic Server Weight: reduces the AX HA Group priority when a server is down
   - (optional) Enable HA Connection Mirroring on the VIP ports: synchronizes the SLB session table (available for TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
     Note: For HTTP/HTTPS VIP types, the client session is terminated on the AX device. HA Connection Mirroring is not available for these VIP types.
4. Configure NAT pool HA settings
   - In IP Source NAT, associate the HA Group with IPv4 Pools, IPv6 Pools, NAT Ranges, or Static NAT.

High Availability
HA Active-Active Mode configuration steps
Same as Active-Standby, with two groups defined:
- Step 2: Group1 with priority 200 on AX1 (priority 100 on AX2); Group2 with priority 100 on AX1 (priority 200 on AX2)
- Step 3: Associate Group1 with half of the VIPs and Group2 with the second half
- Step 4: Associate Group1 with the NAT Pools used by VIPs in Group1, and Group2 with the NAT Pools used by VIPs in Group2

High Availability
HA Layer 2/3 Mode configuration steps
Same as Active-Standby except for step 2:
2. Configure HA Inline Mode
   - Enable
   - Preferred port: port used to sync configuration and sessions
   - (optional) Restart port list: add the AX interfaces in production
   - (optional) L3 mode enabled: if the AX is in Layer 3 inline mode

High Availability
HA Active-Standby Mode configuration
1. Configure HA interfaces
   WebUI: Config > HA > Setting > HA Global
   CLI: AX(config)# ha interface []
2. Configure HA Global settings
   Active-Standby or Active-Active modes:
     WebUI: Config > HA > Setting > HA Global
     CLI: AX(config)# ha []
     Note: If IP@ check is configured, define these IP@ in SLB-Server too.
   L2/3 modes:
     WebUI: Config > HA > Setting > HA Inline Mode
     CLI: AX(config)# ha [inline-mode | l3-inline-mode]

High Availability
HA Active-Standby Mode configuration (cont.)
3. Configure VIP HA settings
   WebUI: Config > Service > SLB > Virtual Server
   CLI: AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# ha-group <num>
4. Configure NAT settings
   WebUI: Config > Service > SLB > IP Source NAT
   CLI: AX(config)# ip nat []

High Availability
Configuration synchronization
  WebUI: Config > HA > Config Sync
  CLI: AX(config)# ha sync [all | data-files | running-config | startup-config] to-[running-config | startup-config] [with-reload] [all-partitions | partition]
  Note: We recommend syncing "All" to the "startup-config + reload"

HA manual failover can also be initiated with the following:
  CLI (from the active AX): AX(config)# ha force-self-standby
  Note: Manual failover can also be done with "preempt enabled" + changing the HA group priority.

High Availability
HA status
  WebUI: Monitor > HA > Group
  CLI: AX# show ha

High Availability
HA statistics
  WebUI: Monitor > HA > Status
  CLI: AX# show ha detail

Summary
In this module, we presented AX advanced security options:
- DDoS protection
- PBSLB
- ACL
- Management security
- High Availability (HA)

And also configured HA.

AX Power and Flexibility
Module 7

Module objectives
Understand the advanced AX options for flexibility:
- Cookie persistence
- aFleX

Understand AX Advanced Core Operating System (ACOS)

Module 7 Lesson 1

AX Flexibility

Points to keep in mind
- Some advanced HTTP/HTTPS flexibility options have already been detailed in Module 4 (HTTP Templates)
- This module (Module 7) presents other advanced AX flexibility options

Cookie persistence
When to use cookie persistence
Like Source IP Persistence, Cookie Persistence is used when HTTP/HTTPS clients must have their future connections/traffic terminated on the same server. But Cookie Persistence provides more granularity: even different users coming from the same proxy (same IP address) get distinct persistence with Cookie Persistence.

Cookie persistence
AX Cookie Persistence configuration
- Create a Cookie Persistence Template
  - Name
  - (optional) Expiration
  - (optional) Cookie Name
  - (optional) Domain
  - (optional) Path
  - (optional) Match type
  - (optional) Insert Always
  - (optional) Don't Honor Conn Rules
- Assign the Cookie Persistence Template to the Virtual Server Port

Cookie persistence
AX Cookie Persistence configuration (cont.)
- Create a Cookie Persistence Template
  WebUI: Config > Service > Template > Persistent > Cookie Persistence
  CLI: AX(config)# slb template persist cookie <name> []
- Assign the Cookie Persistence Template to the Virtual Server Port
  WebUI: Config > Service > SLB > Virtual Server > Port
  CLI: AX(config)# slb virtual-server <name>
       AX(config-slb vserver)# port N tcp
       AX(config-slb vserver-vport)# template persist cookie <name>
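An added Python model (not A10 code) of insert-mode cookie persistence, showing the granularity point made two slides earlier: two clients behind the same proxy IP get different servers, and a client returns to its server via the cookie rather than its address. The cookie name AX_PERSIST, the HMAC protection of the cookie value, and the one-hour expiry (the template's Expiration option) are assumptions of this example.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Constructed values: a secret known only to the load balancer, the cookie
# name an operator would set in the template, and a service group of two servers.
SECRET = b"constructed-demo-secret"
COOKIE_NAME = "AX_PERSIST"
SERVERS = ["srv1", "srv2"]


def _token(server: str) -> str:
    # The cookie value carries the server id plus a MAC, so a client cannot
    # steer itself to an arbitrary server by editing the cookie.
    mac = hmac.new(SECRET, server.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{server}.{mac}"


def server_from_cookie(cookie_header: Optional[str], servers=SERVERS) -> Optional[str]:
    """Pick the persisted server from the request's Cookie header, or None when
    the cookie is absent, forged, or names a server no longer in the group."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:
        return None
    if COOKIE_NAME not in jar:
        return None
    server, _, mac = jar[COOKIE_NAME].value.partition(".")
    if server in servers and hmac.compare_digest(_token(server), f"{server}.{mac}"):
        return server
    return None


class RoundRobin:
    """Stand-in for the service group's load balancing method."""
    def __init__(self, servers=SERVERS):
        self.servers, self.i = list(servers), 0

    def next(self) -> str:
        s = self.servers[self.i % len(self.servers)]
        self.i += 1
        return s


def select_server(request_headers: Dict[str, str], rr: RoundRobin) -> Tuple[str, Optional[str]]:
    """Return (server, set_cookie_header_or_None). A valid cookie wins;
    otherwise the request is load balanced and the cookie is inserted in
    the response. Max-Age plays the role of the template's Expiration."""
    server = server_from_cookie(request_headers.get("Cookie"))
    if server:
        return server, None
    server = rr.next()
    set_cookie = f"{COOKIE_NAME}={_token(server)}; Path=/; Max-Age=3600; HttpOnly; Secure"
    return server, set_cookie
```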

aFleX
What is aFleX?
- aFleX is a powerful and flexible AX feature that you can use to manage your traffic and provide enhanced benefits/services
- aFleX uses industry-standard Tcl (Tool Command Language) based syntax:
  - Standard Tcl commands
  - Special set of extensions provided by the AX
- aFleX allows:
  - Content inspection (headers / data)
  - Actions on traffic:
    - Block traffic
    - Redirect traffic to a specific Service Group (pool) or Server (node)
    - Modify traffic content

aFleX
Elements of an aFleX script
aFleX scripts are made up of three basic elements:
- Events
- Operators
- aFleX commands

Events
aFleX scripts are event-driven, which means that the AX system triggers the aFleX script whenever that event occurs.
Examples:
- HTTP_REQUEST is triggered when an HTTP request is received.
- CLIENT_ACCEPTED is triggered when a client has established a connection.

Operators
- Standard Tcl operators
- Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
- Logical operators: not, and, or

aFleX
Elements of an aFleX script (cont.)
aFleX commands
Used to query for data, manipulate data, or specify a traffic destination. These may be grouped into three main categories:
- Statement commands
  Example: "pool <name>" directs traffic to the named load balancing pool
- Commands that query or manipulate data
  Examples: "IP::remote_addr" returns the remote IP address of a connection; "HTTP::header remove <name>" removes the last occurrence of the named header from a request or response
- Utility commands, useful for parsing and manipulating content
  Example: "decode_uri <string>" decodes the named string using HTTP URI encoding and returns the result

Note: aFleX is extensible. In future releases, additional aFleX events and aFleX commands will be added.

aFleX
aFleX configuration
1. Place the aFleX script on the AX
   - Using the CLI: Use a computer with any text editor to write an aFleX script and save it as a file. Use the "import aflex" command to import the aFleX file from the computer to the AX. aFleX CLI syntax check: "aflex check <name>".
   - Using the WebUI: With the AX web interface, users can directly type in aFleX scripts and save them on the AX under "Config > Service > aFleX".
   - Using the aFleX Editor: The aFleX editor can download/upload aFleX scripts from/to the AX. Moreover, it can do syntax checking. As an editor, it also has syntax highlighting, keyword auto-completion, etc.

aFleX
aFleX configuration (cont.)
2. Assign the aFleX script to the VIP port
   WebUI: Config > Service > SLB > Virtual Server > Port
   CLI: AX(config)# slb virtual-server <name>
        AX(config-slb vserver)# port N tcp
        AX(config-slb vserver-vport)# aflex <name>

aFleX statistics
  WebUI: Monitor > Service > aFleX
  CLI: AX# show aflex []

aFleX
aFleX examples
Redirect a specific client to a specific service group:
  when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
      pool sg2
    }
  }
Note: This could be achieved by PBSLB too.

Redirect clients to https for the host secure.abc.com:
  when HTTP_REQUEST {
    if { [HTTP::host] equals "secure.abc.com" } {
      HTTP::redirect https://[HTTP::host][HTTP::uri]
    }
  }
Note: This could NOT be achieved by PBSLB.

aFleX
aFleX examples
Redirect clients to specific pools depending on the URL:
  when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/finance" } {
      pool finance_pool
    } elseif { [HTTP::uri] starts_with "/dev" } {
      pool dev_pool
    }
  }

Module 7 Lesson 2

Advanced Core Operating System

ACOS Architecture Overview
(Architecture diagram; the component labels recovered from the slide:)
- SSL Acceleration Module: SSL Processing
- Application Memory: Session Tables, Buffer Memory, Application Data
- L4-7 CPUs: L4-7 Processing, Security
- Control Kernel: CLI, GUI, Management Tasks and Health Checking
- Flexible Traffic ASIC (FTA): Distributes Traffic Across L4-7 CPUs, Efficient Network I/O, DDoS
- Switching & Routing ASIC: L2 & L3 Processing and Security

ACOS Design Highlights
ACOS on the data plane
- Zero locking
- Zero IPC
- Zero interrupt
- Zero scheduling
- Zero buffer copy for low latency packet processing

Linux on the control plane
- Used by the Management CPU only
- All application delivery traffic is handled by ACOS
- Efficient use of memory: no duplicate data

ACOS = Resource Efficiency
Processing Efficiency
- Eliminates unneeded cycles for faster processing
- Zero locking, zero buffer copy, zero IPC, zero scheduling, zero interrupt

Physical Memory Efficiency
- Data is not replicated, multiple copies of data are not needed, more total memory available
- Space saving, non-replication, zero copy, accuracy, real-time data

Input/Output (I/O) Efficiency
- Faster overall system processing
- Low latency packet processing, optimized drivers, Flexible Traffic ASIC, low overhead

Shared Memory Versus Legacy Approach
- AX Series: Shared Memory
- Legacy approach: Replicate to each core's dedicated memory

AX Shared Memory Advantage
AX Series Shared Memory
- AX Series eliminates IPC and maximizes performance
- Data required by all CPUs is processed in the same location without other CPU notification/reliance
- Accurate real-time decision criteria, e.g. rate limiting, connection limit, max TCP connections, server selection, tracked global variables used for decisions, or any shared data set
- Maximizes memory: no redundant copies of information per core, more total system memory

Shared Memory Efficiency
Shared Memory
One copy of each item is kept in memory, for example:
- PBSLB List uses 64 MB of RAM: Total AX Memory Usage = 64 MB
- RAM Cached Objects, 10 x 0.5 MB: Total AX Memory Usage = 5 MB
- Total: 69 MB of RAM used

Without Shared Memory
Multiple copies of each item are kept in each core's memory, for example with 32 cores:
- PBSLB List uses 64 MB of RAM per core: Total Memory Usage = 2048 MB
- RAM Cached Objects, 10 x 0.5 MB per core: Total Memory Usage = 160 MB
- Total: 2208 MB of RAM used

Available system memory is reduced dramatically by the non-shared memory architecture

ACOS Versus Legacy OS
  ACOS                                        | Legacy OS
  Designed for multi-core                     | Not designed for multi-core
  32-bit or 64-bit OS (with feature parity)   | 32-bit OS only
  Decoupled CPU Architecture                  | Coupled CPU Architecture
  Shared Memory                               | Non-shared Memory
  No IPC (Inter Process Communication)        | IPC (Inter Process Communication)
  Optimized Flow Distribution                 | Software Based Flow Distribution

Summary
In this module, we presented the following advanced AX flexibility options:
- Cookie persistence
- aFleX

And also configured them on the AX. We also presented the ACOS architecture.

AX Management and Troubleshooting
Module 8

Module objectives
- Understand the different types of AX management access
- Understand the AX configuration components and how to back up/restore the AX configuration
- Understand the AX software components and how to upgrade/downgrade the AX
- Understand VLANs on the AX
- Learn initial AX configuration
- Learn troubleshooting techniques and tools
- Understand the AX release process and how to contact AX support

AX management access
CLI
- Console (RS-232 connection / 9600, 8, N, 1)
- Telnet (disabled by default)
- SSHv2

Web
- HTTP (configurable ports, disabled by default)
- HTTPS (configurable ports)

Levels of CLI authentication
CLI:
- Login ID/Password
- Enable ID/Password
Web:
- User roles (read-write / read-only)

AX configuration components
AX configuration components
- Configuration file
- (optional) aFleX files
- (optional) PBSLB files
- (optional) SSL certificates and keys
- (optional) Geo-location files (option in GSLB and geo-location-based VIP access)

AX configuration components
AX full configuration backup
The full AX configuration can be backed up:
  WebUI: Configuration > System > Maintenance > Backup > System
  CLI: AX(config)# backup config []

AX full configuration restore
The full AX configuration can be restored:
  WebUI: Configuration > System > Maintenance > Restore > System
  CLI: AX(config)# restore []

Note: Supported upload protocols: FTP, SCP, RCP, TFTP, and HTTPS (via WebUI)

AX software management
AX software is stored on:
- Two disk partitions: primary and secondary
  - The second partition is designed for easy software rollback
- Two Compact Flash partitions: primary and secondary
  - CF is designed for emergency recovery
Note: Each storage location has its own software and AX configuration

AX software management
AX software upgrade recommended steps
1. Back up your system (covered on the previous slide)
2. Check the AX running partition
   WebUI: Monitor > Overview > Summary > System Information
   CLI: AX# show bootimage
3. Upgrade the AX device's other partition
   WebUI: Configuration > System > Maintenance > Upgrade
   CLI: AX(config)# upgrade []
4. Copy the running configuration to the other partition
   CLI only: AX# write memory [primary|secondary]
5. Set the boot source to the other partition
   WebUI: Configuration > System > Settings > Boot
   CLI: AX(config)# bootimage hd [primary|secondary]
6. Restart from the other partition
   WebUI: Configuration > System > Settings > Action > Reboot
   CLI: AX# reboot

VLAN
VLAN allows AX to
Bind multiple physical interfaces to same broadcast domain

186

VLAN
VLAN allows AX to (cont.)
Bind one physical interface to multiple layer2 broadcast domains

187

VLAN
VLAN configuration steps
1.

VLAN creation
VLAN ID Physical interfaces tagged and untagges (optional) VLAN Name (optional) Virtual Interface

2.

Virtual Interface (when selected in the VLAN configuration)


IP address
Netmask
(optional) All Ethernet options, such as ACL and secondary IP address

188

VLAN
VLAN configuration
VLAN creation
WebUI: Config > Network > VLAN
CLI: AX(config)# vlan []

Virtual Interface (when selected in the VLAN configuration)


WebUI: Config > Network > Interface > Virtual
CLI: AX(config)# interface ve []

189

VLAN
Important Point
Always configure virtual interfaces when integrating the AX in routed mode, to avoid loops!

190

First Steps configuration


Rollback to Factory configuration
CLI:
AX(config)# system-reset
AX(config)# end
AX# reboot

First Step configuration


Connect to the AX console (9600 baud, 8 bits, no parity, 1 stop bit)
Default user/password: admin/a10
Configure the management interface and its default gateway
Finish the AX configuration via CLI (ssh) or WebUI (https)
Configure production interfaces (VLAN, Ethernet/VE interfaces)
Enable production interfaces
(optional) Configure routing (static/dynamic)
(optional) Configure specific management rights
Configure Servers / Service Groups / Virtual Servers, etc.
191

First Steps configuration


First Step configuration example
AX login: admin
Password:
[type ? for help]
AX>en
Password:
AX#conf
AX(config)#in
AX(config)#interface m
AX(config)#interface management
AX(config-if:management)#ip address 172.31.31.11 /24
AX(config-if:management)#ip default-gateway 172.31.31.1
AX(config-if:management)#exit
AX(config)#exit

192

Troubleshooting methodology
Layer 2 and 3: Data Link & Network Layers
Check network connectivity
AX# ping

Check port/interface status


AX# show interface brief + AX# show interface

Check ARP and MAC tables


AX# show arp + AX# show mac-address-table

Check routes
AX# show ip fib + AX# show ip route

Layer 4: Transport Layer


Check for connection errors

Layer 7
Check for application specific errors

193

Troubleshooting tools
AX log (AX# show log)
AX logs many informational, warning and error messages; the log is the first place to check when experiencing any issue:
Port/interface up/down messages
L2 loop detection warnings
Unicast/multicast/broadcast packet limit warnings
MAC address movement warnings
Duplicate IP warnings
Server and service port up/down messages
Application-specific error messages: SLB, PBSLB, HTTP, HA, etc.

194

Troubleshooting tools
Debug
WebUI
AX's WebUI provides a number of report graphs that can help you identify potential issues.
Example: CPU and server/virtual-server load information can help identify time periods when the system was under stress.

SNMP
SNMP clients can query AX for status information
AX can be configured to send SNMP traps to servers/receivers

195

Troubleshooting tools
Debug (cont.)
debug packet <filters>
Define a set of filters for packet capture
Example: interface, IP address, protocol, port number, etc.

debug http/ssl/ (etc.)


Captures application specific debug information

debug monitor
Use this command after defining a filter to display captured packets on screen
Make sure your filter is specific enough to capture only the packets needed for debugging
The CLI may become temporarily unresponsive if a large number of packets are captured to the screen

196

Troubleshooting tools
AXdebug
More filter options than debug packet
Allows saving captured packets to a local file (in tcpdump/Wireshark format) and then exporting it off the AX

Show techsupport
Provides important debug information for the A10 Support team
When possible, issue the command once before, during, and after the issue being experienced
Note: Make sure your terminal session has enough scroll-back lines to capture the full output (or log it to a text file)

Backup log
Provides detailed system information for debugging
Compresses the data and exports the file off the AX
197

AX Release Process
AX provides 5 different releases
Major
Major features/enhancements (between 12 - 14 months)

Enhancement
Enhancements (between 6 - 8 months)

Minor
Periodic bug fixes and minor enhancements (between 3 - 4 months)

Patch
Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)

Special Patch
Emergency patch for a specific customer (2-3 days)

Note: New hardware platforms support only the newest release available on their release date
198

AX Release Process
AX releases tests
| Test | Major | Enhancement | Minor | Patch |
|---|---|---|---|---|
| Unit | New features | New features | Fixes | Fixes |
| Functional | New features | New features | Fixes | Fixes |
| Negative | Full | Full | Affected | None |
| Stress | Full | Affected | None | None |
| Regression (manual) | Full | Affected | Affected | Affected |
| Regression (automated) | Full | Full | Full | Full |
| Sys Integration | Full | Full | Partial | Partial, as needed |
| Performance | Full | Affected | Affected | None |
| Scalability | Full | Affected | Affected | None |
| Stability | 2 weeks | 1 week | 3 days | 1 day |
| Alpha | Full | Affected | Affected | None |
| Beta | Full | Affected | None | None |
199

AX Release Process
QA patch release process
Flow: Defect report (Support) -> QA -> Release Mgr approves -> Release

QA tests on a patch: Functional Test; Alpha Test; Regression Test (manual and automated); Sys Integration Test; Performance Test and Scalability Test (as needed)


200

AX Release Process
AX provides 5 different release types
Major (X.Y.M-Pn build N)
Major features/enhancements (between 12 - 14 months)

Enhancement (X.Y.M-Pn build N)


Enhancements (between 6 - 8 months)

Minor (X.Y.M-Pn build N)


Periodic bug fixes and minor enhancements (between 3 - 4 months)

Patch (X.Y.M-Pn build N)


Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)

Special Patch (X.Y.M-Pn build N)


Emergency patch for a specific customer (2-3 days)

Note: New hardware platforms support only the newest release available on their release date
Note: The "build N" information may be removed in the future
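As an added example (not A10's code), the release-numbering convention above, X.Y.M-Pn build N, parsed and used to name the step between a running and a target release, so an operator can see which row of the release test table a planned upgrade corresponds to. The mapping of X, Y, M and Pn to major, enhancement, minor and patch is an assumption, as is accepting a string without the -Pn or build suffix.

```python
import re
from typing import NamedTuple, Optional

# Release string as printed on the slides: X.Y.M-Pn build N.
# Assumed mapping (not stated by A10): X = major, Y = enhancement,
# M = minor, Pn = patch; "-Pn" and "build N" may be absent.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(?:\s+build\s+(\d+))?\s*$",
    re.IGNORECASE,
)


class AxVersion(NamedTuple):
    major: int
    enhancement: int
    minor: int
    patch: int            # 0 when no -Pn suffix is present
    build: Optional[int]  # None when "build N" is not printed


def parse_version(text: str) -> AxVersion:
    """Parse an AX release string such as '2.4.2-P3 build 55'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not an X.Y.M-Pn build N release string: {text!r}")
    major, enh, minor, patch, build = m.groups()
    return AxVersion(int(major), int(enh), int(minor),
                     int(patch) if patch else 0,
                     int(build) if build else None)


def classify_upgrade(running: str, target: str) -> str:
    """Name the step between two releases: 'major', 'enhancement', 'minor',
    'patch', 'build', 'same' or 'downgrade'.  The build number is only
    compared when both strings carry it, since it is informational."""
    cur, new = parse_version(running), parse_version(target)
    if new[:4] < cur[:4]:          # tuple compare on (major, enh, minor, patch)
        return "downgrade"
    for field in ("major", "enhancement", "minor", "patch"):
        if getattr(new, field) != getattr(cur, field):
            return field           # first differing component names the step
    if cur.build is not None and new.build is not None:
        if new.build < cur.build:
            return "downgrade"
        if new.build > cur.build:
            return "build"
    return "same"
```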
201

Why AX support is better


Qualified support staff
Average 10+ years experience

Training
Support SEs
Core Engineers on Tier 2 support rotation

Passionate
Really care about customers
Company directive: customer issue is the #1 priority

203

How to contact AX support


AX support can be contacted by 3 methods
Phone
From North America: 1 888 822 7210 (1-888-TACSA10)
From International: +1 408 325 8676
24 x 7 x 365 support
Mon-Fri 6AM-11PM PST and Sat, Sun 9AM-6PM PST: A10 support engineers
All other hours: call center; when needed, escalation to standby engineers, who contact the customer immediately
Be ready to provide:
Problem description
Showtech (almost always required)
Topology (highly preferred)
Trace
Backup log
204

How to contact AX support


AX support can be contacted by 3 methods (cont.)
Email
support@a10networks.com
A support ticket is auto-generated
An auto-reply email with the ticket number is sent
What information to provide?
Subject: "Priority (if urgent)" + "Customer name" + "Brief description of ticket" + "Release number"
Example: "P1: abc.com - Certain VIPs fail to pass traffic release 2.4.2"
Additional information:
Detailed problem description
Production, eval, POC, etc.
Expected time of resolution by the customer
Showtech attachment (almost always required)
Topology (highly preferred)
Trace
Backup log
205

How to contact AX support


AX support can be contacted by 3 methods (cont.)
Support web site
http://a10networks.com/support
A support ticket is auto-generated
An auto-reply email with the ticket number is sent
What information to provide? Same as by email (see previous slide).

206

How to contact AX support


| Priority level | Acknowledgement | Security Response | Ownership |
|---|---|---|---|
| Priority 1: Network down | < 1 hour* | < 1 hour | Support Manager |
| Priority 2: Serious performance degradation | < 1 hour | < 4 hours | Support Engineer |
| Priority 3: Performance impact, installation issue | < 8 hours | < 2 days | Support Engineer |
| Priority 4: Information request | < 8 hours | < 4 days | Support Engineer |

Note: Priority 1 and 2 issues should be reported via phone (1-888-TACSA10)
* 30 minutes or less

207

How to contact AX support


Escalation metrics

| Escalation | Priority 1, Critical | Priority 2, High | Priority 3, Medium | Priority 4, Low |
|---|---|---|---|---|
| Level 1 | TAC Engineer / Manager | TAC Engineer | TAC Engineer | TAC Engineer |
| Level 2 (after 1 hour) | Director, Technical Support | TAC Manager | TAC Engineer | TAC Engineer |
| Level 3 (after 4 hours) | VP, Engineering / Sales | Director, Technical Support | TAC Engineer | TAC Engineer |
| Level 4 (after 24 hours) | CEO | VP, Engineering / Sales | TAC Manager | TAC Engineer |
| Level 5 (after 7 days) | | CEO | Flagged | |
| After 14 days | | | | Flagged |

208

Summary
In this module, we presented:
AX Management
AX troubleshooting techniques and tools
AX Release Process and how to contact AX support

209
