Course AX-DSC-001.12
Table of Contents
Module 1: Course Introduction
Module 2: AX Product Line
Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
Module 4: FTP, HTTP and HTTPS Protocols
Module 5: AX Acceleration
Module 6: AX Security
Module 7: AX Power and Flexibility
Module 8: AX Management and Troubleshooting
Course Introduction
Module 1
Module objectives
Understand the course goals
Understand the objectives for the students
Course map
Module 2: AX Product Line
Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
Module 4: FTP, HTTP and HTTPS Protocols
Module 5: AX Acceleration Components
Module 6: AX Security Components
Module 7: AX Power and Flexibility
Module 8: AX Management and Troubleshooting
AX Product Line
Module 2
Module objectives
Understand the AX solution / market
Understand the AX product portfolio
Understand the feature set
Understand the licensing
[Performance charts, "Overall Performance" by model (two slides). Values shown: AX 2200: 7.4 Gbps / 302,000 L4 CPS and 8.7 Gbps / 541,000 L4 CPS. Larger models: 2 Million L4 CPS / 30 Gbps, 850,000 L4 CPS / 11 Gbps, 300,000 L4 CPS. The model-to-value mapping for the second chart is not recoverable from the extracted text.]
[Hardware comparison table for AX 2000 / 2100 / 2200 / 3100 / 3200; column headers were not recovered. Values per model in column order:]
AX 2000: 8 2 0 Yes Yes Single
AX 2100: 8 4 0 Yes Yes Dual
AX 2200: 16 4 0 Yes Yes Dual
AX 3100: 16 4 2 Yes Yes Dual
AX 3200: 16 4 2 Yes Yes Dual
Power / cooling: Hot Swap Smart Fan; Dual 600 W RPS; Dual 600 W RPS; Dual 600 W RPS; 100 to 240 VAC, 50-60 Hz
Hardware Acceleration (Linear Decoupled Architecture): Flexible Traffic ASIC, SSL Acceleration ASIC, Switching and Routing ASIC, Hardware Compression ASIC
Per-model rows (AX 2000 to AX 3200): Yes No Yes No No
Per-model rows (AX 2000 to AX 3200): Yes No Yes No No
[Hardware comparison table for AX 2600 (GF, GCF), AX 3000 (GC, GCF), AX 5100 and AX 5200; column headers were not recovered. Rows in the order extracted:]
8 4 0 Yes Yes
24 0 0
0 24 0 Yes Yes
16 8 0
8 8 4
0 4 8 Yes Yes
0 4 16 Yes Yes
Power / cooling: Hot Swap Smart Fan; 400 W RPS; 400 W RPS; 900 W RPS; 900 W RPS
AX feature set
Layer 4 and Layer 7 Application Acceleration
SSL ASIC
RAM caching (static or dynamic)
HTTP compression
aFleX: L7 TCL scripting for deep packet inspection
Advanced NAT options
AX High-Availability
Firewall LB
GSLB (Global Server Load Balancing)
DNS Application Layer Firewall
Operates in Layer 2 / Layer 3 simultaneously
IPv4 and IPv6 load balancing and management
Full web interface or industry standard command line interface
AX licensing
No extra licenses required for performance or features
Each AX is offered with full scalability and benefits
Summary
In this module we discussed:
AX is the New Generation of Load Balancers
AX offers a portfolio to meet low-end Enterprise to high-end ISP/SP needs
AX offers a comprehensive set of load balancing features and other features such as GSLB, IPv6, Virtualization, NAT and DNS firewall
AX comes feature-complete with no extra licensing required
Basic Load Balancing Concepts and Related AX Configuration & Management
Module 3
Module objectives
Understand main load balancing goals and concepts
Configure an AX basic L4 SLB VIP (configuration steps)
Understand and configure two common L4 SLB VIP options (Source IP Persistence + NAT)
Module 3 Lesson1
Benefits:
No change required on clients and servers
Servers keep the client IP address visibility
Benefits:
No change required on clients and servers
Easy to test
Clients can be in the servers' subnet
Benefits:
No change required on clients and servers
Servers keep the client IP address visibility
Benefits:
Highly scalable (the SLB processes only incoming traffic)
Servers
Minimum configuration
Name
IP address (can use a DNS name)
Ports
Server configuration
WebUI: Config > Service > SLB > Server
CLI: AX(config)# slb server <name> []
Service groups
Minimum configuration
Name
Type (TCP/UDP)
LB algorithm
At least one Server/Port
Service groups
Service group load-balancing algorithms
Round-Robin
Least Connection
Service Least Connection
Weighted Round Robin
Weighted Least Connection
Service Weighted Least Connection
Fastest Response Time
Least Request
Round Robin Strict
Stateless (new in release 2.4.2; see notes)
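To make the differences between the algorithms above concrete, here is an added reference implementation (not A10 code, and not the course's own material) of round robin, weighted round robin, least connection, weighted least connection and fastest response, exercised on a constructed two-server group. The server weights, connection counts and response times are invented inputs.

```python
# Added example (not A10 code): reference implementations of five of the
# service-group algorithms listed above, exercised on constructed server state.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Server:
    name: str
    weight: int = 1           # used by the weighted algorithms
    active_conns: int = 0     # constructed: connections currently open to the server
    response_ms: float = 0.0  # constructed: last measured response time


class ServiceGroup:
    """Chooses a real server for a new connection using one of the algorithms."""

    def __init__(self, servers: List[Server]):
        if not servers or any(s.weight <= 0 for s in servers):
            raise ValueError("a service group needs servers with positive weights")
        self.servers = servers
        self._rr_index = 0
        self._credit: Dict[str, int] = {s.name: 0 for s in servers}

    def round_robin(self) -> Server:
        chosen = self.servers[self._rr_index % len(self.servers)]
        self._rr_index += 1
        return chosen

    def weighted_round_robin(self) -> Server:
        # Smooth weighted round robin: every server earns its weight in credit
        # each turn; the richest server is picked and pays back the total, so a
        # weight-3 server is chosen three times for every pick of a weight-1 one.
        total = sum(s.weight for s in self.servers)
        for s in self.servers:
            self._credit[s.name] += s.weight
        chosen = max(self.servers, key=lambda s: self._credit[s.name])
        self._credit[chosen.name] -= total
        return chosen

    def least_connection(self) -> Server:
        return min(self.servers, key=lambda s: s.active_conns)

    def weighted_least_connection(self) -> Server:
        # Connections are normalised by weight: a weight-2 server with 4 open
        # connections counts as loaded as a weight-1 server with 2.
        return min(self.servers, key=lambda s: s.active_conns / s.weight)

    def fastest_response(self) -> Server:
        return min(self.servers, key=lambda s: s.response_ms)


def distribute(group: ServiceGroup, algorithm: str, connections: int) -> Dict[str, int]:
    """Send `connections` new connections through `algorithm` and count picks.
    Each pick is recorded as an open connection so the least-connection
    variants see the effect of their own decisions."""
    counts = {s.name: 0 for s in group.servers}
    pick = getattr(group, algorithm)
    for _ in range(connections):
        chosen = pick()
        chosen.active_conns += 1
        counts[chosen.name] += 1
    return counts


def demo() -> Dict[str, Dict[str, int]]:
    def fresh() -> ServiceGroup:
        # Constructed group: web1 is the bigger box (weight 3), web2 answers faster.
        return ServiceGroup([Server("web1", weight=3, response_ms=12.0),
                             Server("web2", weight=1, response_ms=4.0)])
    return {
        "round_robin": distribute(fresh(), "round_robin", 4),
        "weighted_round_robin": distribute(fresh(), "weighted_round_robin", 4),
        "weighted_least_connection": distribute(fresh(), "weighted_least_connection", 4),
        "fastest_response": distribute(fresh(), "fastest_response", 4),
    }


if __name__ == "__main__":
    for algorithm, counts in demo().items():
        print(f"{algorithm:28s} {counts}")
```

Running the demo shows the trade-off the slide only names: weighted round robin and weighted least connection both send three of four connections to the heavier server, while fastest response keeps hammering the quicker one until its response time degrades.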
Health monitors
Service availability is checked using health monitors
Health monitors apply to:
Server AND/OR Server:Port AND/OR Service Group
Note: For simplicity, health monitors are generally applied to service groups.
Health monitors
Health monitors can test server availability
On layer 3: ping (icmp)
On layer 4: tcp, udp
On layer 7 (application): http, https, ftp, smtp, pop3, snmp, dns, radius, ldap, rtsp, sip, ntp
Via manually created scripts
Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)
Health monitor configuration
WebUI: Config > Service > Health Monitor
CLI: AX(config)# health monitor []
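The slide above says several L3/L4/L7 tests can be combined with and/or/not. As an added illustration (not A10 code; the expression grammar, the monitor names and the probe results are assumptions), here is a small evaluator that takes such a Boolean expression plus the per-monitor results and decides whether the service counts as up:

```python
# Added example (not A10 code): evaluates a Boolean combination of health
# monitor results, as the slide above describes for compound health checks.
# The expression grammar (and/or/not, parentheses, monitor names) is assumed.
import re
from typing import Dict, List, Optional

_TOKEN = re.compile(r"\(|\)|[A-Za-z_][\w-]*")


def tokenize(expr: str) -> List[str]:
    tokens = _TOKEN.findall(expr)
    # Reject anything findall skipped over (e.g. stray punctuation like "&&").
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unexpected characters in {expr!r}")
    return tokens


class _Parser:
    """Recursive descent with the usual precedence: not > and > or."""

    def __init__(self, tokens: List[str], results: Dict[str, bool]):
        self.tokens, self.pos, self.results = tokens, 0, results

    def _peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse_or(self) -> bool:
        value = self.parse_and()
        while self._peek() == "or":
            self._next()
            rhs = self.parse_and()
            value = value or rhs
        return value

    def parse_and(self) -> bool:
        value = self.parse_not()
        while self._peek() == "and":
            self._next()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self) -> bool:
        if self._peek() == "not":
            self._next()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self) -> bool:
        tok = self._next()
        if tok == "(":
            value = self.parse_or()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok in ("and", "or", ")"):
            raise ValueError(f"unexpected {tok!r}")
        if tok not in self.results:
            raise KeyError(f"no result for health monitor {tok!r}")
        return self.results[tok]


def service_is_up(expression: str, results: Dict[str, bool]) -> bool:
    """True when the combined health expression passes for the given
    per-monitor results (monitor name -> probe succeeded)."""
    parser = _Parser(tokenize(expression), results)
    value = parser.parse_or()
    if parser._peek() is not None:
        raise ValueError("trailing tokens in expression")
    return value


if __name__ == "__main__":
    # Constructed results: the L7 HTTP probe passes, the TCP probe fails,
    # and ICMP is blocked by a firewall in front of the servers.
    probes = {"http-check": True, "tcp-80": False, "icmp": False}
    print(service_is_up("http-check and (tcp-80 or not icmp)", probes))  # True
```

The point of the "not icmp" clause in the sample is the usual one: a monitor that is expected to fail (ping blocked by a firewall) should not pull the service down, so it is combined negated.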
Server HM configuration
WebUI: Config > Service > SLB > Server > "Health Monitor"
CLI: AX(config)# slb server <server-name>
AX(config-real server)# health-check <hm-name>
Server HM status
WebUI: Monitor > Service > SLB > Server (expand Server)
CLI: AX# show slb server <server-name>
Module 3 Lesson2
Source IP persistence
When to use Source IP persistence
Source IP persistence must be used when clients must have their future connections/traffic terminated on the same server
Source IP persistence
Source IP persistence configuration steps
Source IP persistence
Source IP persistence configuration
Create one Source IP Persistence Template
WebUI: Config > Service > Template > Persistent > Source IP Persistence
CLI: AX(config)# slb template persist source-ip <name>
Name: Name of the template
Start IP address: First IP address for the SLB source NAT (can be the AX interface IP address)
End IP address: Last IP address for the SLB source NAT (can be the same as "Start IP address")
Note: If the "Start" and "End IP address" are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows.
Netmask: Specify the netmask of the SLB source IP addresses. Note: This is used by the "IP Source NAT Group" when servers are in different subnets (see the AX Config Guide for more information).
(optional) Gateway: Specify a specific gateway to use to reply to the clients' requests when SLB Source NAT has been used.
(optional) HA Group: Specify the HA group to tie to the SLB source NAT pool.
2. Assign the SLB Source NAT Pool to the Virtual Server Port
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N <type>
AX(config-slb vserver-vport)# source-nat pool <pool-name>
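The pool fields above note that a single NAT address can carry up to 64k flows. The following added model (not A10 code; the ephemeral port range, the fill order and the flow key are assumptions) allocates a NAT address and port per flow from a Start/End range, so you can see where that ceiling comes from and how widening the range raises it:

```python
# Added example (not A10 code): a model of an SLB Source NAT pool showing why a
# single NAT address is limited to roughly 64k concurrent flows and how a
# Start/End IP range raises that ceiling. Port range and policy are assumptions.
import ipaddress
from typing import Dict, Set, Tuple

FlowKey = Tuple[str, int, str, int]   # client ip, client port, server ip, server port


class SourceNatPool:
    # Assumed ephemeral range; one address can carry at most this many flows.
    PORT_MIN, PORT_MAX = 1024, 65535

    def __init__(self, start_ip: str, end_ip: str):
        start, end = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
        if end < start:
            raise ValueError("End IP address must not be below Start IP address")
        self.addresses = [str(ipaddress.IPv4Address(a)) for a in range(int(start), int(end) + 1)]
        self._used: Dict[str, Set[int]] = {a: set() for a in self.addresses}
        self._next_port: Dict[str, int] = {a: self.PORT_MIN for a in self.addresses}
        self.flows: Dict[FlowKey, Tuple[str, int]] = {}

    @property
    def capacity(self) -> int:
        return len(self.addresses) * (self.PORT_MAX - self.PORT_MIN + 1)

    def translate(self, flow: FlowKey) -> Tuple[str, int]:
        """Return the (nat ip, nat port) for a flow, allocating on first use."""
        if flow in self.flows:
            return self.flows[flow]
        for addr in self.addresses:                  # fill addresses in order (assumed)
            used = self._used[addr]
            if len(used) == self.PORT_MAX - self.PORT_MIN + 1:
                continue                             # this address is full
            port = self._next_port[addr]
            while port in used:                      # skip ports still held by other flows
                port = port + 1 if port < self.PORT_MAX else self.PORT_MIN
            used.add(port)
            self._next_port[addr] = port + 1 if port < self.PORT_MAX else self.PORT_MIN
            self.flows[flow] = (addr, port)
            return addr, port
        raise RuntimeError("source NAT pool exhausted")

    def release(self, flow: FlowKey) -> None:
        addr, port = self.flows.pop(flow)
        self._used[addr].discard(port)


def exhaust(pool: SourceNatPool, server: Tuple[str, int]) -> int:
    """Open flows from distinct constructed clients until the pool runs out."""
    opened = 0
    try:
        while True:
            client_ip = str(ipaddress.IPv4Address(0x0A000000 + opened // 60000))
            client_port = 1024 + opened % 60000
            pool.translate((client_ip, client_port, server[0], server[1]))
            opened += 1
    except RuntimeError:
        return opened


if __name__ == "__main__":
    one_ip = SourceNatPool("10.0.0.100", "10.0.0.100")
    print(one_ip.capacity, exhaust(one_ip, ("10.0.1.10", 80)))   # 64512 64512
```

With Start and End set to the same address the pool tops out at one ephemeral port range; each extra address in the range adds another full set of ports, which is the capacity argument behind sizing the pool for the expected concurrent connections.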
1. Create one or more IP Source NAT Pools with the NATed IP addresses
2. (optional) Group IP Source NAT pools in one IP Source NAT Group
3. Create an ACL with the source IP addresses to NAT
4. Bind the ACL with the IP Source NAT Pool (or Pool Group)
5. Enable inside NAT on the AX inside and outside interfaces
Bind the ACL with the IP Source NAT Pool (or Group Pool)
WebUI: Config > Service > IP Source NAT > Binding
CLI: AX(config)# ip nat inside source list [acl#] pool [pool-group-name | pool-name]
1. Create an IP Static NAT or NAT range
2. Enable inside NAT on the AX inside and outside interfaces
3. Enable Static Host Source NAT (if IP Static NAT is used)
Summary
In this module, we discussed:
Load balancing's main goals: server load sharing and high availability of services
Load balancers can be integrated in different ways into existing architectures, all supported by AX
And also:
Configured one AX L4 SLB VIP
Explained two common L4 SLB options and their AX configuration: Source IP Persistence and NAT
Configured Source IP Persistence, SLB Source NAT and static Layer 3 NAT on AX
FTP, HTTP and HTTPS Protocols
Module 4
Module objectives
Understand protocols
FTP
HTTP
HTTPS
Understand the load balancing specifics for each
Configure FTP, HTTP and HTTPS VIPs
Module 4 Lesson1
FTP protocol
FTP protocol
File Transfer Protocol (FTP): RFC 959 (http://www.w3.org/Protocols/rfc959/)
FTP is an unencrypted TCP protocol used to transfer files between clients and servers
FTP has 2 connections:
Control session
Data session
FTP protocol
FTP Control Session
Used for client/server communication. No data is sent on this connection. This session is established from the client to the server (usually on port 21).
Important Notes:
The control session remains open for the duration of the FTP connection
The data session is closed at the end of each object transfer. If you transfer 3 files, you'll have 3 data sessions (one at a time).
FTP protocol
FTP Data session 2 modes
There are two data session modes. The mode is negotiated between the client and server on the control session.
Active Mode (default)
In the control session, the client tells the server what IP and TCP port to use to establish the data connection. The server establishes the data connection to the client, and the data requested in the control session can be exchanged.
FTP protocol
FTP Data session 2 modes (cont.)
Passive Mode
In the control session, the server tells the client what IP and TCP port to use to establish the data session. The client establishes the data connection to the server, and the data requested in the control session can be exchanged.
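Both modes above hinge on an address/port tuple carried inside the control session. The following added example (not A10 code, not from the course) decodes the tuple from a PORT command (active mode) and from the 227 reply to PASV (passive mode), and reports which side opens the data connection; the sample control-session lines are constructed. The p1*256+p2 port encoding is from RFC 959.

```python
# Added example (not A10 code): decodes and encodes the address/port tuple that
# FTP exchanges on the control session, as described above for active mode
# (PORT, client -> server) and passive mode (227 reply to PASV, server -> client).
# The sample control-session lines are constructed.
import re
from typing import Dict, Tuple

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line: str) -> Tuple[str, int]:
    """Extract (ip, port) from a PORT command or a 227 reply; RFC 959 encodes
    the port as two bytes p1,p2 with port = p1*256 + p2."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {line!r}")
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError(f"byte out of range in {line!r}")
    ip = ".".join(str(p) for p in parts[:4])
    return ip, parts[4] * 256 + parts[5]


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of parse_hostport: '10.0.0.5', 50000 -> '10,0,0,5,195,80'."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def data_connection(control_lines: Dict[str, str]) -> Dict[str, object]:
    """Given the control-session lines that set up a transfer, say which side
    opens the data connection and to which endpoint. `control_lines` maps
    'client' and 'server' to what each side sent."""
    client_line = control_lines["client"].strip()
    server_line = control_lines["server"].strip()
    if client_line.upper().startswith("PORT "):
        ip, port = parse_hostport(client_line)
        return {"mode": "active", "opened_by": "server", "to": (ip, port)}
    if client_line.upper() == "PASV" and server_line.startswith("227"):
        ip, port = parse_hostport(server_line)
        return {"mode": "passive", "opened_by": "client", "to": (ip, port)}
    raise ValueError("control exchange does not set up a data connection")


if __name__ == "__main__":
    # Constructed exchanges
    active = {"client": "PORT 192,168,1,10,4,1", "server": "200 PORT command successful"}
    passive = {"client": "PASV", "server": "227 Entering Passive Mode (10,0,0,5,195,80)"}
    print(data_connection(active))    # server connects to 192.168.1.10:1025
    print(data_connection(passive))   # client connects to 10.0.0.5:50000
```

In passive mode the endpoint the client is told to connect to is whatever the server put in its 227 reply, which is exactly the information a device sitting between client and server has to read from the control session to know which data connection belongs to which transfer.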
1. Create a TCP template with a 15,000 second Idle Timeout (the control session stays open for the whole FTP connection)
WebUI: Config > Service > Template > L4 > TCP
CLI: AX(config)# slb template tcp <name>
AX(config-l4 tcp)# idle-timeout 15000
2. Assign the TCP template to the Virtual Server Port
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N tcp
AX(config-slb vserver-vport)# template tcp <name>
Module 4 Lesson2
HTTP protocol
HTTP protocol
HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80)
Note: HTTPS uses the same protocol with explicit SSL encryption for higher security (usually on port 443)
HTTP requests
Main request methods
"GET url": Request an object from the server
"POST url": Send data/an object to the server
Others: HEAD, CONNECT
Important Note: The host (such as www.a10networks.com) is not part of the url; it is carried in the "Host" header of the request
HTTP responses
Main server response codes
200: OK (object in the response)
301: Redirect permanently
302: Temporary redirect
304: Not Modified
404: Page not found
5xx: Server error
HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
Host/URL switching
Servers are selected based on the Host header or the URL (beginning or end). This option is also commonly used for web cache load balancing.
HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
Note: Some of the following options can be considered availability and flexibility options too.
Module 4 Lesson3
HTTPS protocol
HTTPS protocol
HTTPS (HTTP over TLS) RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)
HTTPS is the "secured" version of HTTP (usually port 443)
HTTPS offers:
Server Authentication (with server certificates)
(optional) Client Authentication (with client certificates)
Encryption (with TLS/SSL)
Once the session key is negotiated, the HTTPS client requests and server responses are sent encrypted
Note: This phase is less CPU intensive (symmetric encryption)
Note: If the client establishes a new TCP session before the session key expires, it proposes to the server to reuse it (SSL session ID reuse option). The server can accept or refuse. If refused, a new session key is negotiated.
HTTP templates are associated with virtual server ports of type "HTTP" or "HTTPS"
1. Import the SSL public certificate and private key on the AX
Note: Self-signed certificates can be created on the AX too
WebUI: Config > Service > SSL Management > Certificate
CLI: AX(config)# import ssl-cert <name>
AX(config)# import ssl-key <name>
1. (Optional) Import the CA public certificate that will be used to validate the servers' certificate
WebUI: Config > Service > SSL Management > Certificate
CLI: AX(config)# import ssl-cert <name>
Summary
In this module, we presented:
FTP protocol
HTTP protocol
HTTPS protocol
And also:
Explained the specific load balancer configuration required for each protocol
Explained the specific load balancer options available for each protocol for better availability, flexibility, performance and security
Configured FTP, HTTP, and HTTPS VIPs on the AX
AX Acceleration
Module 5
Module objectives
Understand the advanced AX options for acceleration
Connection Reuse
SSL offload
HTTP compression
RAM Caching
Connection reuse
Web servers need to manage:
New clients (open new sessions)
Clients leaving (close sessions)
Maintaining all connected clients' sessions
Note: Web browsers keep their TCP connections open, even when all objects have been loaded
Connection reuse
Connection Reuse offloads the server TCP stack
This option provides faster server response time and higher server scalability
Connection reuse:
Terminates all client connections on the AX
Maintains persistent connections to the servers
Sends all client requests over the same persistent connections
Note: Connection Reuse requires SLB Source NAT
Note 2: HTTP Keep-alive should be enabled on the web servers
Connection reuse
Connection reuse configuration
SSL offload
SSL Offload relieves the server of SSL tasks
This option provides faster server response time and higher server scalability
The AX receives HTTPS client traffic and sends HTTP traffic to the servers
SSL offload
SSL offload configuration
HTTPS VIP pointing to HTTP servers (see Module 4, Lesson 3)
(optional) Rewrite the servers' HTTP redirect responses. Note: This is done via an HTTP template containing the Redirect / Rewrite option
(optional) Rewrite absolute links. Note: This is done via aFleX (see Module 7)
HTTP compression
Compresses HTTP/HTTPS objects
Uses less bandwidth and provides faster client download time
AX HTTP compression:
Compresses objects sent to the clients. Note: By default, "text" content (such as html/css/js) and "application" content (such as doc/xls/ppt/pdf)
If HTTP compression is enabled on the servers, the AX transparently offloads this task from the servers
HTTP compression
HTTP compression configuration
Note: On AX models with a hardware-based compression module, you need to enable hardware-based compression first
WebUI: Config > Service > SLB > Global
CLI: AX(config)# slb hw-compression
HTTP compression
HTTP compression statistics
WebUI: Monitor > Service > Application > Proxy > HTTP
CLI: AX# show slb http-proxy
RAM Caching
Caches HTTP/HTTPS static and dynamic content in AX RAM
Delivers cached objects to clients directly from the AX cache, offloading the servers from these requests
Provides faster client download time and higher server scalability
RAM Caching
AX RAM Caching
Caches objects unless explicitly denied by the server's response
Caches responses with the following codes:
200 OK
203 Non-Authoritative response
300 Multiple Choices
301 Moved Permanently
302 Found (only if the Expires header is also present)
410 Gone
RAM Caching
AX RAM Caching limitations
Does not support client HTTP range requests (they are sent to the servers)
Does not cache server responses with a "Vary" header (except "Vary: Accept-Encoding")
Does not cache server responses with a "Warning" header
Does not cache server responses if the request had an "Authorization" header (even if the server specifies "Cache-Control: public")
Does not cache incomplete (partial) responses
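The accepted status codes and the limitations on the two slides above together define what the cache may store. As an added example (not A10 code), here is a checker that encodes those rules and returns the reason a response is refused; the constructed request/response pairs are test inputs. Treating Cache-Control no-store, no-cache and private as the server "explicitly denying" caching is an assumption, since the slide does not list the directives.

```python
# Added example (not A10 code): a checker encoding the RAM caching rules listed
# above (accepted status codes and the limitations). Returns None when the
# response may be stored, otherwise the rule that prevented it. Treating
# Cache-Control no-store/no-cache/private as the server "explicitly denying"
# caching is an assumption.
from typing import Dict, Optional

CACHEABLE_STATUS = {200, 203, 300, 301, 302, 410}
DENY_DIRECTIVES = {"no-store", "no-cache", "private"}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def cache_refusal(request_headers: Dict[str, str], status: int,
                  response_headers: Dict[str, str], complete: bool = True) -> Optional[str]:
    req, resp = _lower(request_headers), _lower(response_headers)
    if "range" in req:
        return "range-request"            # range requests go straight to the servers
    if "authorization" in req:
        return "authorization"            # refused even with Cache-Control: public
    if status not in CACHEABLE_STATUS:
        return f"status-{status}"
    if status == 302 and "expires" not in resp:
        return "302-without-expires"
    vary = resp.get("vary", "").strip().lower()
    if vary and vary != "accept-encoding":
        return "vary"
    if "warning" in resp:
        return "warning"
    directives = {d.strip().lower() for d in resp.get("cache-control", "").split(",")}
    if directives & DENY_DIRECTIVES:
        return "server-denied"            # explicit denial by the server's response
    if not complete:
        return "partial-response"
    return None


def is_cacheable(request_headers: Dict[str, str], status: int,
                 response_headers: Dict[str, str], complete: bool = True) -> bool:
    return cache_refusal(request_headers, status, response_headers, complete) is None


if __name__ == "__main__":
    # Constructed request/response pairs
    cases = [
        ({}, 200, {"Content-Type": "text/html"}),
        ({"Authorization": "Basic dXNlcjpwdw=="}, 200, {"Cache-Control": "public"}),
        ({}, 302, {"Location": "/login"}),
        ({}, 200, {"Vary": "Accept-Encoding"}),
        ({}, 200, {"Vary": "User-Agent"}),
    ]
    for req, status, resp in cases:
        print(status, resp, "->", cache_refusal(req, status, resp))
```

The Authorization rule is the one worth remembering from a security standpoint: a response to an authenticated request is never shared from the cache with other clients, whatever the server's Cache-Control says.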
RAM Caching
RAM Caching configuration
RAM Caching
AX RAM Caching for dynamic objects
Allows the AX to cache non-static objects
You need to understand the application behavior to determine cacheability:
What is to be cached?
How long is the cached content valid?
What is the trigger that would cause the response to change?
Parameterized requests
The URL matches a specific pattern.
Specific query parameters are present.
Specific cookies in the request are present.
Specific HTTP headers in the request are present.
Policies
Cacheability rules determine what is cacheable and what is not
Invalidation rules
RAM Caching
When not to use dynamic caching
The response sets cookies specific to that session. Example: the response to a login page.
The life of a response is indeterminate; that is, the response contains data that becomes stale based on a future action. Example: the portfolio page of a brokerage account user changes when the user executes transactions.
Different versions of the response cannot be distinguished by using the URL, query parameters, or cookies in the request. Example: the response contains personalized settings, such as the user name, but no query parameter or cookie directly identifies the user.
RAM Caching
Dynamic caching policies
Caching policies can be used to override/augment standard HTTP behavior
Policies are specified as follows:
policy <condition> <action>
Where:
<condition> is of the form uri <pattern>
<action> is cache <seconds>, no-cache, or invalidate <entry>
Note: More sophisticated conditions will be supported in the future using aFleX policies
Policies are evaluated in the order they are specified. The action of the first policy that matches is applied.
RAM Caching
Dynamic caching example
Let's say there is a web application with the following URLs:
http://x.y.com/list              lists all items from the database
http://x.y.com/add?a=p1&b=p2     adds an item to the database
http://x.y.com/del?c=p3          deletes an item from the database
http://x.y.com/private?user=u1   private info for the user
This is a simple example, but it is also a very common scenario, representative of many sites on the web today. In this case, the list URI will be hit by a lot of users, so it makes sense to cache it as long as it remains up to date. However, when a user does an add/delete operation, or one of the other URIs arrives, the database changes and the cached list has to be refreshed.
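The following added example (not A10 code, and not the course's own WebUI configuration) implements the policy syntax from the previous slide and runs it against the four URLs above: /list is cached, /add and /del invalidate the cached list, and /private is never cached. Two assumptions: patterns are matched as shell-style globs against the request path, and a request that triggers "invalidate" is itself served from the origin without being stored. The application behind the URLs is a constructed in-memory list.

```python
# Added example (not A10 code): an evaluator for the policy syntax shown above,
#   policy uri <pattern> cache <seconds> | no-cache | invalidate <entry>
# run against the four URLs of the example. Policies are tried in order and the
# first match wins, as the slide states. Assumptions: patterns are shell-style
# globs against the request path, and an "invalidate" match is itself served
# from the origin without being cached.
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def parse_policy(line: str) -> Tuple[str, str, Optional[str]]:
    """'policy uri /list cache 300' -> ('/list', 'cache', '300')."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "policy" or parts[1] != "uri":
        raise ValueError(f"unsupported policy: {line!r}")
    pattern, action = parts[2], parts[3]
    argument = parts[4] if len(parts) > 4 else None
    if action == "no-cache":
        if argument is not None:
            raise ValueError(f"no-cache takes no argument: {line!r}")
    elif action in ("cache", "invalidate"):
        if argument is None:
            raise ValueError(f"{action} needs an argument: {line!r}")
    else:
        raise ValueError(f"unknown action in policy: {line!r}")
    return pattern, action, argument


class DynamicCache:
    def __init__(self, policy_lines: List[str], clock: Callable[[], float]):
        self.policies = [parse_policy(line) for line in policy_lines]
        self.clock = clock
        self.store: Dict[str, Tuple[float, str]] = {}   # path -> (expires_at, body)

    def _match(self, path: str) -> Tuple[Optional[str], Optional[str]]:
        for pattern, action, argument in self.policies:
            if fnmatchcase(path, pattern):
                return action, argument           # first matching policy wins
        return None, None                         # no policy: standard HTTP rules (not modelled)

    def handle(self, url: str, origin: Callable[[str], str]) -> Tuple[str, str]:
        """Serve `url`; returns (outcome, body) with outcome hit/miss/bypass."""
        path = urlsplit(url).path
        action, argument = self._match(path)
        now = self.clock()
        if action == "cache":
            entry = self.store.get(path)
            if entry and entry[0] > now:
                return "hit", entry[1]
            body = origin(url)
            self.store[path] = (now + int(argument), body)
            return "miss", body
        if action == "invalidate":
            self.store.pop(argument, None)       # named entry is refetched on its next request
        return "bypass", origin(url)


def run_example() -> List[str]:
    clock_value = [1000.0]                        # controllable clock for the TTL
    policies = [
        "policy uri /list cache 300",
        "policy uri /add invalidate /list",
        "policy uri /del invalidate /list",
        "policy uri /private no-cache",
    ]
    cache = DynamicCache(policies, clock=lambda: clock_value[0])
    db: List[str] = ["item1"]                     # constructed application state

    def origin(url: str) -> str:
        path, query = urlsplit(url).path, urlsplit(url).query
        if path == "/add":
            db.append(query)
        elif path == "/del":
            db.pop()
        return ",".join(db) if path == "/list" else f"{path} ok"

    outcomes = []
    for url in ["http://x.y.com/list", "http://x.y.com/list",
                "http://x.y.com/add?a=p1&b=p2", "http://x.y.com/list",
                "http://x.y.com/private?user=u1"]:
        outcomes.append(cache.handle(url, origin)[0])
    clock_value[0] += 301                         # the /list entry's 300 s TTL runs out
    outcomes.append(cache.handle("http://x.y.com/list", origin)[0])
    return outcomes


if __name__ == "__main__":
    print(run_example())   # ['miss', 'hit', 'bypass', 'miss', 'bypass', 'miss']
```

Policy order matters exactly as the slide says: putting a broad "policy uri /* cache 300" first would shadow the /private no-cache rule and cache the per-user page.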
RAM Caching
WebUI configuration for the example
Summary
In this module, we presented the AX acceleration options:
Connection Reuse
SSL offload
HTTP compression
RAM Caching
AX Security
Module 6
Module objectives
Understand the advanced AX options for security
DDoS protection
PBSLB
ACL
Management security
High Availability (HA)
Configure HA on AX devices
DDoS protection
AX provides enhanced protection against DDoS (Distributed Denial of Service) attacks
Note: AX 2200 / AX 3100 / AX 3200 / AX 5100 / AX 5200 provide DDoS protection in hardware. Other models provide DDoS protection in software.
DDoS configuration
WebUI: Config > SLB > Global
CLI: AX(config)# ip anomaly-drop <DDoS-type>
DDoS protection
Advanced DDoS filters are also available with system-wide PBSLB:
Invalid HTTP, SSL or DNS payload
Zero-length TCP window
Out-of-sequence packet
Note: PBSLB is detailed on the next slide.
Policy-based SLB
Policy-based SLB (PBSLB) allows "black lists" and "white lists" with individual clients or subnets
Note: IPv6 addresses are not supported in PBSLB.
Policy-based SLB
PBSLB specifics
Large list support
Up to 8 M IP addresses
Up to 64 K IP subnets
Up to 32 group IDs
Highly efficient
Black/white lists are stored in hash tables
Can process Gbps of traffic
PBSLB components
PBSLB is a list of text entries, as follows:
ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
Policy-based SLB
PBSLB configuration
PBSLB statistics
WebUI: Monitor > Service > PBSLB
CLI (basic only): AX# show pbslb []
Policy-based SLB
PBSLB file example
10.10.1.3 4; blocking host (group 4 is defined in the template with action "drop")
10.10.2.0/24 4; blocking subnet (group 4 is defined in the template with action "drop")
192.168.1.1/32 2 #20; 20 concurrent connections max for that host (group 2 is defined in the template with action "permit with Service Group X")
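As an added example (not A10 code), here is a parser for the entry format given two slides back, fed with the three lines of the file example above, plus a lookup that applies the group actions. The group-to-action mapping normally lives in the PBSLB template; the one used here is constructed to match the comments in the file, and "most specific prefix wins" for overlapping entries is an assumption.

```python
# Added example (not A10 code): a parser for the PBSLB entry format shown above,
#   ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
# plus a lookup that applies the group actions. The group->action mapping
# normally lives in the PBSLB template; the one here is constructed, and
# "most specific prefix wins" for overlapping entries is an assumption.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entry:
    network: ipaddress.IPv4Network
    group: Optional[int]
    conn_limit: Optional[int]
    comment: str


def parse_pbslb(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        body, _, comment = raw.partition(";")      # everything after ';' is a comment
        fields = body.split()
        if not fields:
            continue                                # blank or comment-only line
        # No mask means a single host (/32)
        network = ipaddress.IPv4Network(fields[0], strict=False)
        group = conn_limit = None
        for field in fields[1:]:
            if field.startswith("#"):
                conn_limit = int(field[1:])
            else:
                group = int(field)
        entries.append(Entry(network, group, conn_limit, comment.strip()))
    return entries


class Pbslb:
    def __init__(self, entries: List[Entry], actions: Dict[int, str]):
        # Longest prefix first so the most specific entry wins (assumption).
        self.entries = sorted(entries, key=lambda e: e.network.prefixlen, reverse=True)
        self.actions = actions

    def match(self, client_ip: str) -> Optional[Entry]:
        addr = ipaddress.IPv4Address(client_ip)
        return next((e for e in self.entries if addr in e.network), None)

    def decide(self, client_ip: str, current_conns: int = 0) -> str:
        """Decision for a new connection: 'drop', 'permit ...', 'limit-exceeded'
        or 'default' when the client is on neither list."""
        entry = self.match(client_ip)
        if entry is None:
            return "default"
        if entry.conn_limit is not None and current_conns >= entry.conn_limit:
            return "limit-exceeded"
        if entry.group is None:
            return "default"
        return self.actions.get(entry.group, "default")


# The three lines of the slide's file example
SAMPLE_FILE = """\
10.10.1.3 4; blocking host
10.10.2.0/24 4; blocking subnet
192.168.1.1/32 2 #20; 20 concurrent connections max for that host
"""
# Constructed template: group 4 drops, group 2 permits to service group X
SAMPLE_ACTIONS = {4: "drop", 2: "permit with Service Group X"}


def sample() -> Pbslb:
    return Pbslb(parse_pbslb(SAMPLE_FILE), SAMPLE_ACTIONS)


if __name__ == "__main__":
    p = sample()
    for ip, conns in [("10.10.1.3", 0), ("10.10.2.77", 0), ("192.168.1.1", 19),
                      ("192.168.1.1", 20), ("8.8.8.8", 0)]:
        print(ip, conns, "->", p.decide(ip, conns))
```

The conn-limit check runs before the group action, so a host on a permit group is still refused once it holds its allowed number of concurrent connections, which is the rate-limiting use the third line of the file illustrates.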
ACL configuration
1. Create an ACL
WebUI: Config > Network > ACL
CLI: AX(config)# access-list []
2. Assign the ACL to data interfaces, the management interface, or virtual server ports
Data interface:
WebUI: Config > Network > Interfaces > LAN
CLI: AX(config)# interface ethernet 1
AX(config-if:ethernet1)# access-list <num> in
Management (CLI only):
AX(config)# interface management
AX(config-if:ethernet1)# access-list <num> in
Virtual server port:
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N <type>
AX(config-slb vserver-vport)# access-list <name>
Management security
AX provides advanced management security options
Multiple management accounts with distinct levels of access
Interface-level access control for individual access types (ICMP / Telnet / SSH / HTTP / HTTPS / SNMP)
Management account lockout in response to excessive invalid passwords
External authentication support with RADIUS and TACACS+
Private partitions
High Availability
All AX integration modes support HA
Routed mode
Active-Standby, Active-Active and L3 Hot Standby modes
One-Arm mode
Active-Standby, Active-Active and L3 Hot Standby modes
Transparent mode
L2 Hot Standby mode
DSR mode
Active-Standby, Active-Active and L3 Hot Standby modes
High Availability
HA Active-Standby Mode configuration steps
1. Configure HA interfaces
All interfaces used for production traffic (+ the AX interlink, if it exists)
Note: We recommend a dedicated direct interlink between the AX devices so that sync traffic stays off the production network.
High Availability
HA Active-Standby Mode configuration steps (cont.)
High Availability
HA Active-Active Mode configuration steps
Same as Active-Standby, with two groups defined:
Step 2: Group1 with priority 200 on AX1 (priority 100 on AX2); Group2 with priority 100 on AX1 (priority 200 on AX2)
Step 3: Associate Group1 with half of the VIPs and Group2 with the second half
Step 4: Associate Group1 with the NAT pools used by VIPs in Group1, and Group2 with the NAT pools used by VIPs in Group2
High Availability
HA Layer2/3 Mode configuration steps
Same as Active-Passive except for step 2
2. Configure HA Inline Mode
Enable
Preferred port: Port used to sync configuration and sessions
(optional) Restart port list: Add the AX interfaces in production
(optional) L3 mode enabled: If the AX is in Layer 3 Inline mode
High Availability
HA Active-Standby Mode configuration
1. Configure HA interfaces
WebUI: Config > HA > Setting > HA Global
CLI: AX(config)# ha interface []
High Availability
HA Active-Standby Mode configuration (cont.)
High Availability
Configuration synchronization
WebUI: Config > HA > Config Sync
CLI: AX(config)# ha sync [all | data-files | running-config | startup-config] to-[running-config | startup-config] [with-reload] [all-partitions | partition]
Note: We recommend syncing "All" to the "startup-config + reload"
High Availability
HA status
WebUI: Monitor > HA > Group
CLI: AX# show ha
High Availability
HA statistics
WebUI: Monitor > HA > Status
CLI: AX# show ha detail
Summary
In this module, we presented AX advanced security options:
DDoS protection
PBSLB
ACL
Management security
High Availability (HA)
AX Power and Flexibility
Module 7
Module objectives
Understand the advanced AX options for flexibility
Cookie persistence
aFleX
Module 7 Lesson1
AX Flexibility
Cookie persistence
When to use cookie persistence
Like Source IP Persistence, Cookie Persistence is used when HTTP/HTTPS clients must have their future connections/traffic terminated on the same server. But Cookie Persistence provides more granularity, since even different users coming from the same Proxy (same IP address) will get different persistence with Cookie Persistence.
Cookie persistence
AX Cookie Persistence configuration
Create a Cookie Persistence Template
Name
(optional) Expiration
(optional) Cookie Name
(optional) Domain
(optional) Path
(optional) Match type
(optional) Insert Always
(optional) Don't Honor Conn Rules
Cookie persistence
AX Cookie Persistence configuration (cont.)
Create a Cookie Persistence Template
WebUI: Config > Service > Template > Persistent > Cookie Persistence
CLI: AX(config)# slb template persist cookie <name> []
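To show the granularity difference described at the start of this lesson, here is an added model (not A10 code, not from the course) of source IP persistence next to cookie persistence: two users behind one proxy address share a server under source IP persistence but are kept apart by cookies. The template fields used (cookie name, domain, path, insert-always) follow the list above; the cookie format, the server list and the handling of a cookie naming an unknown server are assumptions.

```python
# Added example (not A10 code): a model of cookie persistence next to source IP
# persistence, showing the granularity difference the slide describes: two users
# behind one proxy address get separate persistence with cookies but share one
# server with source IP persistence. Cookie name/format and the policy for a
# stale cookie are assumptions.
from itertools import cycle
from typing import Dict, List, Optional, Tuple

SERVERS = ["srv1", "srv2", "srv3"]             # constructed service group


class SourceIpPersistence:
    def __init__(self, servers: List[str]):
        self.rr = cycle(servers)
        self.table: Dict[str, str] = {}          # client ip -> server

    def select(self, client_ip: str, cookies: Dict[str, str]) -> Tuple[str, Optional[str]]:
        server = self.table.setdefault(client_ip, next(self.rr))
        return server, None                      # never sets a cookie


class CookiePersistence:
    def __init__(self, servers: List[str], cookie_name: str = "AX_PERSIST",
                 domain: str = "", path: str = "/", insert_always: bool = False):
        self.servers, self.rr = servers, cycle(servers)
        self.cookie_name, self.domain, self.path = cookie_name, domain, path
        self.insert_always = insert_always

    def _set_cookie(self, server: str) -> str:
        attrs = [f"{self.cookie_name}={server}", f"Path={self.path}"]
        if self.domain:
            attrs.append(f"Domain={self.domain}")
        return "; ".join(attrs)

    def select(self, client_ip: str, cookies: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Return (server, Set-Cookie header or None) for one request."""
        wanted = cookies.get(self.cookie_name)
        if wanted in self.servers:                # valid cookie: honour it
            return wanted, self._set_cookie(wanted) if self.insert_always else None
        server = next(self.rr)                    # no or stale cookie: balance and insert
        return server, self._set_cookie(server)


def _cookie_value(set_cookie: Optional[str], name: str) -> Dict[str, str]:
    """Extract the persistence cookie a browser would store from a Set-Cookie header."""
    if not set_cookie:
        return {}
    key, _, value = set_cookie.split(";")[0].partition("=")
    return {key: value} if key == name else {}


def simulate(method) -> Dict[str, List[str]]:
    """Two users (alice, bob) behind proxy 203.0.113.9 each send three requests,
    replaying whatever cookie the last response set. Returns servers per user."""
    jar: Dict[str, Dict[str, str]] = {"alice": {}, "bob": {}}
    seen: Dict[str, List[str]] = {"alice": [], "bob": []}
    for _ in range(3):
        for user in ("alice", "bob"):
            server, set_cookie = method.select("203.0.113.9", jar[user])
            seen[user].append(server)
            jar[user].update(_cookie_value(set_cookie, "AX_PERSIST"))
    return seen


if __name__ == "__main__":
    print("source-ip:", simulate(SourceIpPersistence(SERVERS)))   # both users on srv1
    print("cookie:   ", simulate(CookiePersistence(SERVERS)))     # alice srv1, bob srv2
```

A cookie that names a server not in the group (for example one removed from the service group) falls back to normal load balancing and gets a fresh cookie, so the client is not pinned to a server that no longer exists.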
aFleX
What is aFleX?
aFleX is a powerful and flexible AX feature that you can use to manage your traffic and provide enhanced benefits/services
aFleX uses industry-standard Tcl (Tool Command Language) based syntax:
Standard Tcl commands
A special set of extensions provided by the AX
aFleX allows:
Content inspection (headers / data)
Actions on traffic: block traffic, redirect traffic to a specific service group (pool) or server (node), modify traffic content
aFleX
Elements of an aFleX script
aFleX scripts are made up of three basic elements:
Events Operators aFleX commands
Events
aFleX scripts are event-driven, which means that the AX system triggers the aFleX whenever that event occurs. Examples: HTTP_REQUEST is triggered when an HTTP request is received; CLIENT_ACCEPTED is triggered when a client has established a connection.
Operators
Standard Tcl operators
Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators: not, and, or
aFleX
Elements of an aFleX script (cont.)
aFleX commands
Used to query for data, manipulate data, or specify a traffic destination. They fall into three main categories:
Statement commands. Example: "pool <name>" directs traffic to the named load balancing pool
Commands that query or manipulate data. Examples: "IP::remote_addr" returns the remote IP address of a connection; "HTTP::header remove <name>" removes the last occurrence of the named header from a request or response
Utility commands, useful for parsing and manipulating content. Example: "decode_uri <string>" decodes the named string using HTTP URI encoding and returns the result
Note: aFleX is extensible. In future releases, additional aFleX events and aFleX commands will be added.
aFleX
aFleX configuration
1. Place the aFleX script on the AX
Using the CLI: write an aFleX script with any text editor on a computer and save it as a file. Use the "import aflex" command to import the aFleX file from the computer to the AX. aFleX CLI syntax check: "aflex check <name>".
Using the WebUI: with the AX's web interface, users can type aFleX scripts directly and save them on the AX under "Config > Service > aFleX".
Using the aFleX Editor: the aFleX editor can download/upload aFleX scripts from/to the AX, and it can do syntax checking. As an editor, it also has syntax highlighting, keyword auto-completion, etc.
aFleX
aFleX configuration (cont.)
2. Assign aFleX script to VIP port
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N tcp
AX(config-slb vserver-vport)# aflex <name>
aFleX statistics
WebUI: Monitor > Service > aFleX
CLI: AX# show aflex []
aFleX
aFleX examples
Redirect a specific client to a specific service group
when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
    pool sg2
  }
}
Note: This could be achieved by PBSLB too.
Redirect clients to https for the host secure.abc.com
when HTTP_REQUEST {
  if { [HTTP::host] equals "secure.abc.com" } {
    HTTP::redirect https://[HTTP::host][HTTP::uri]
  }
}
aFleX
aFleX examples
Redirect clients to specific pools in function of the url
when HTTP_REQUEST {
  if { [HTTP::uri] starts_with "/finance" } {
    pool finance_pool
  } elseif { [HTTP::uri] starts_with "/dev" } {
    pool dev_pool
  }
}
Module 7 Lesson2
Control Kernel: CLI, GUI, management tasks and health checking
Flexible Traffic ASIC (FTA): distributes traffic across L4-7 CPUs, efficient network I/O, DDoS
Switching & Routing ASIC: L2 & L3 processing and security
All application delivery traffic is handled by ACOS
Efficient use of memory: no duplicate data
Processing Efficiency
Eliminates unneeded cycles for faster processing
Zero locking, zero buffer copy, zero IPC, zero scheduling, zero interrupt
[Figure: Legacy approach]
AX Series eliminates IPC and maximizes performance
Data required by all CPUs is processed in the same location without other CPU notification/reliance
Accurate real-time decision criteria, e.g. rate-limiting, connection-limit, max TCP connections, server selection, tracked global variables used for decisions, or any shared data set
Maximizes memory: no redundant copies of information per core, so more total system memory
[Figure: Shared Memory vs Non-shared Memory]
Summary
In this module, we presented the following advanced AX flexibility options:
Cookie persistence
aFleX
And also configured them on the AX. We also presented the ACOS architecture.
AX Management and Troubleshooting
Module 8
Module objectives
Understand the different types of AX management access
Understand the AX configuration components and how to back up/restore the AX configuration
Understand the AX software components and how to upgrade/downgrade the AX
Understand VLANs on the AX
Learn the initial AX configuration
Learn troubleshooting techniques and tools
Understand the AX release process and how to contact AX support
AX management access
CLI
Console (RS-232 connection / 9600, 8, N, 1)
Telnet (disabled by default)
SSHv2
Web
HTTP (configurable ports; disabled by default)
HTTPS (configurable ports)
Web:
User roles (read-write / read-only)
AX configuration components
AX configuration components
Configuration file
(optional) aFleX files
(optional) PBSLB files
(optional) SSL certificates and keys
(optional) Geo-location files (used by GSLB and geo-location-based VIP access)
AX configuration components
AX full configuration backup
Full AX configuration can be backed up
WebUI: Configuration > System > Maintenance > Backup > System
CLI: AX(config)# backup config []
Note: Supported upload protocols: FTP, SCP, RCP, TFTP, and HTTPS (via WebUI)
AX software management
AX software is stored on
Two disk partitions: primary and secondary
The second partition is designed for easy software rollback
Note: Each storage location has its own software and AX configuration
AX software management
AX software upgrade recommended steps
Back up your system (covered on the previous slide)
VLAN
VLAN allows AX to
Bind multiple physical interfaces to same broadcast domain
VLAN
VLAN allows AX to (cont.)
Bind one physical interface to multiple layer2 broadcast domains
VLAN
VLAN configuration steps
1. VLAN creation
VLAN ID
Physical interfaces (tagged and untagged)
(optional) VLAN Name
(optional) Virtual Interface
VLAN
VLAN configuration
VLAN creation
WebUI: Config > Network > VLAN
CLI: AX(config)# vlan []
VLAN
Important Point
Always configure virtual interfaces in AX routed mode integration to avoid loops.
Troubleshooting methodology
Layer 2 and 3: Data Link & Network Layers
Check network connectivity
AX# ping
Check routes
AX# show ip fib + AX# show ip route
Layer 7
Check for application specific errors
Troubleshooting tools
AX log (AX# show log)
The AX logs many informational, warning, and error messages; the log is the first place to check when experiencing any issue:
Port/interface up/down messages
L2 loop detection warnings
Unicast/multicast/broadcast packet limit warnings
MAC address movement warnings
Duplicate IP warnings
Server & service port up/down messages
Application-specific error messages: SLB, PBSLB, HTTP, HA, etc.
Troubleshooting tools
Debug
WebUI
The AX's WebUI provides a number of report graphs that can help you identify potential issues. Example: CPU and server/virtual-server load information can help identify time periods when the system was under stress
SNMP
SNMP clients can query the AX for status information
The AX can be configured to send SNMP traps to servers/receivers
Troubleshooting tools
Debug (cont.)
debug packet <filters>
Define a set of filters for packet capture. Example: interface, IP address, protocol, port number, etc.
debug monitor
Use this command after defining a filter to display the captured packets on screen
Make sure your filter is specific enough to capture only the packets needed for debugging
The CLI may become temporarily unresponsive if a large number of packets are captured to the screen
Troubleshooting tools
AXdebug
More filter options than debug packet
Allows saving captured packets to a local file (in tcpdump/Wireshark format) and then exporting it off the AX
Show techsupport
Provides important debug information for the A10 Support team
When possible, issue the command once before, during, and after the issue being experienced
Note: Make sure your terminal session has enough scroll-back lines to capture the full output (or log it to a text file)
Backup log
Provides detailed system information for debugging
Compresses the data and exports the file off the AX
AX Release Process
AX provides 5 different releases
Major
Major features/enhancements (between 12 - 14 months)
Enhancement
Enhancements (between 6 - 8 months)
Minor
Periodic bug fixes and minor enhancements (between 3 - 4 months)
Patch
Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)
Special Patch
Emergency patch for a specific customer (2-3 days)
Note: New hardware platforms support only the newest release available on their release date
AX Release Process
AX releases tests
Release type  Unit          Functional    Negative  Stress    Regression                       Sys Integration    Performance  Scalability  Stability  Alpha     Beta
MAJOR         New features  New features  Full      Full      Manual=full, Automated=full      Full               Full         Full         2 weeks    Full      Full
Enhancement   New features  New features  Full      Affected  Manual=affected, Automated=full  Full               Affected     Affected     1 week     Affected  Affected
Minor         Fixes         Fixes         Affected  None      Manual=affected, Automated=full  Partial            Affected     Affected     3 days     Affected  None
PATCH         Fixes         Fixes         None      None      Manual=affected, Automated=full  Partial as needed  None         None         1 day      None      None
AX Release Process
QA patch release process
[Flowchart; stages shown: Defect report, Test, Functional Test, Alpha Test, Approve, Release]
AX Release Process
AX provides 5 different release types
Major (X.Y.M-Pn build N)
Major features/enhancements (between 12 - 14 months)
Note: New hardware platforms support only the newest release available on their release date
Note: build N information may be removed in the future
Training
Support SEs: core engineers on Tier 2 support rotation
Passionate
Really care about customers
Company directive: customer issues are the #1 priority
Priority 1: Network Down                             < 1 Hour*   < 1 Hour
Priority 2: Serious Performance Degradation          < 1 Hour    < 4 Hours
Priority 3: Performance Impact, Installation Issue   < 8 Hour    < 2 Day
Priority 4: Information request                      < 8 Hour    < Day
Note: Priority 1 and 2 issues should be reported via phone (1-888-TACS-A10) to a Support Engineer
* 30 minutes or less
Escalation
[Escalation chart: Level 1: TAC Engineer; Flagged; Level 3 (after 4 hours): Director, Technical Support / VP, Engineering / Sales; CEO]
Summary
In this module, we presented:
AX management
AX troubleshooting techniques and tools
AX release process and how to contact AX support