
Training Manual

Alteon Application Switch – Level 1


Course 500-101

April 2012
Alteon Level 1 Training Manual

United States and international copyright laws protect this document.


Neither this document nor any material contained within it may be
duplicated, copied or reproduced, in whole or part, without the expressed
written consent of Radware, Inc.
Version 28.1_v4


© Radware 2011. All rights reserved. Distribution of this document needs approval from Radware Knowledge & Education Services.

TABLE OF CONTENTS

Lab Overview
Basic Switch Configuration
    Overview
    Assignment
Server Load Balancing
    Overview
    Assignment
Persistent Load Balancing
    Overview
    Assignment
Content Load Balancing
    Overview
    Assignment
    Content SLB Configuration Using Server String Association
    Content SLB Configuration Using Content Class Association
SSL Acceleration
    Overview
    Assignment
Switch Troubleshooting
    Overview
    Assignment
Virtual Router Redundancy
    Overview
    Assignment
BBI – Web Based Management Labs
    BBI SLB configuration of the Switch
    BBI Layer 7 Passive Cookie Persistence Configuration
    BBI Content Load Balancing Configuration
    BBI configuration for VRRP


Description of the Lab Environment


This lab kit consists of an Alteon, virtual PCs called Team-PCs, and, for each switch, a pair of
servers.
Access to the Team-PCs from the classroom PC is via a VNC application. A copy of a VNC client is
in the tools folder on your USB stick. Product documentation and useful information are also on
this USB stick. All Team-PCs and web servers are preconfigured. Your instructor will assign
the URL and port you need to use. Course delegates have serial access to all Radware Alteon
switches via a terminal server. On your Team-PC, use the preconfigured Putty application in the
quick start area. For FTP, TFTP and syslog, use the 3CD application. Both icons are located in the
Quick Launch area.

All cables to the devices are already connected; please keep this in mind.

All documentation, tools, software, applications and feature key codes are on the CD-ROM of
each Team-PC.

The following equipment is required for each delegate to complete the labs:

1 Local Workstation (Laptop) capable of running VNC, Web and Putty

At the remote lab location:


1 Alteon
1 Team-PC, (interface between remote and local lab)
4 Web servers


Lab Overview

Purpose
This document provides details about the technical training topics covered during the
Radware Alteon 500-101 Alteon – Level 1 technical training curriculum.

This course covers basic configuration and troubleshooting in local server load balancing,
persistent SLB, content SLB, and SSL acceleration. The Application Switch Level 1 training is for
students who have good knowledge of network switching and routing features using standard
protocols.
The training material for this course consists of a PowerPoint presentation for theory and a
Training Manual for hands-on work, to be used in tandem.

The features and functions of Radware Alteon devices discussed in this document are based on
version 28.1.

If your Radware Alteon device is running an older or newer version of firmware, or if you are
using a different version of APSolute Vision, some of the features and implementations
discussed in this manual may not be available or some terminology might be different.

For your existing onsite device, please contact Radware technical support at
support@RadwareAlteon.com.

The following font conventions are used in this manual:

• Bold – indicates the buttons or menu selections in the ASEM or Browser Based Interface
(BBI) graphical user interface (GUI) used to reach a particular screen or window.
• Underline – indicates an option area within an ASEM or BBI screen or window, such as
drop-down lists, check boxes, etc.
• Italics – indicates the value or setting supplied in a window or screen.
• Courier – indicates CLI commands on serial, Telnet or SSH connections.
• {value-A, value-B} – indicates available CLI command options.


Lab Configuration for All Teams

[Figure: lab configuration for all teams; the diagram shows three Alteon 4408 switches.]


Detailed Lab Configuration for Each Delegate / Group

Remote Lab - Alteon

# = team number

Connection Information

Remote XP-Client via VNC:
    IP for Mahwah: njlab1.radware.net
    IP for Munich: lab-muc.radware.com
    Port: 5900 + #
    Password: radware
Remote Serial (telnet): 7110 + #
Management port:
    RemoteSecure-SSH: 7600 + #
    Remote SecureWBM: 7700 + #
Load Balancing:
    Remote VIP port 80: 7400 + #

Alteon Information

Serial Terminal Server information:
    IP: 192.168.150.252
    Port: 7010 + Team#
    Using Telnet
Client net on port 1 → Vlan 11 → if-1 = 192.168.100.# /24
Server net on port 2 → Vlan 14 → if-2 = 10.200.#.# /24
AL-# MNG-1 = 10.10.242.#/21
AL’s Gateway = 192.168.100.254
VIP-1 = 192.168.100.# + 200
Web1 = 10.200.#.100
Web2 = 10.200.#.200

Alteon-Team # will be assigned by your training engineer.

[Figure: lab topology for one team. Labels in the diagram: RemoteClient # (DHCP,
192.168.150.x/24); Switch; APSolute Vision, 192.168.150.100, 10.10.240.10; Router,
192.168.100.254, 10.10.240.1; Management-Network: 10.10.240.0/21 (255.255.248.0);
Terminal Server; Alteon 4408 with MNG = 10.10.242.#, if1 = 192.168.100.#, if2 = 10.200.#.#;
Switch; Team-# Web1 10.200.#.100; Team-# Web2 10.200.#.200; VIP = 192.168.100.200 + #;
ServerDFGW = 10.200.#.#]


Detailed Redundant Lab Configuration for Each Delegate / Group

VRRP Remote Lab - Alteon

# = team number

Connection Information

Remote XP-Client via VNC:
    IP for Mahwah: njlab1.radware.net
    IP for Munich: lab-muc.radware.com
    Port: 5900 + #
    Password: radware
Remote Serial (telnet): 7100 + #
Management port:
    RemoteSecure-SSH: 7600 + #
    Remote SecureWBM: 7700 + #
Load Balancing:
    Remote VIP port 80: 7400 + #

Alteon Information

Serial Terminal Server information:
    IP: 192.168.150.252
    Port: 7010 + Team#
    Using Telnet
Client-Net = 192.168.100.0/24
Client net on port 1 → Vlan 11
    VR 192.168.100.odd#
    ALodd-# if-1 = 192.168.100.odd#+50 /24
    ALeven-# if-1 = 192.168.100.odd#+100 /24
    Gateway = 192.168.100.254
Server net on port 2 → Vlan 14 → Server-Net = 10.200.#.0/24
    VR 10.200.odd#.odd#
    ALodd-# if2 = 10.200.odd#.1 /24
    ALeven-# if2 = 10.200.odd#.2 /24
VSR= 192.168.100.odd#+200
VIP= 192.168.100.odd#+200
Web1 = 10.200.odd#.100
Web2 = 10.200.odd#.200
AL-# MNG = 10.10.242.#/21

[Figure: redundant (VRRP) lab topology. Labels in the diagram: two RemoteClient # PCs (DHCP,
192.168.150.x/24); Switch; 192.168.150.100; Routers, 192.168.100.254; Alteon-odd and
Alteon-even (Alteon 4408); Switch; Team-# Web1 10.200.#.100; Team-# Web2 10.200.#.200;
VIP = 192.168.100.200 + #; ServerDFGW = 10.200.#.#]


Basic Switch Configuration

Overview
Description
You can access a Radware Alteon Application Switch, also called an Application
Delivery Controller (ADC), for management purposes in the following ways:
• Via the Command Line Interface (CLI): over a serial connection to the console port, using a
computer running any terminal emulation software, or over a Telnet or SSH connection on
any Ethernet port.
• Via a Graphical User Interface: any Java-enabled browser can manage the ADC via
HTTP or HTTPS; this is called the Browser Based Interface (BBI). Another
possibility is using SNMP and the Application Switch Element Manager (ASEM)
application.

The management port on the Alteon is used exclusively for managing the switch via an
out-of-band Fast Ethernet link. In-band (on all data ports) or out-of-band (management port)
connections via Telnet, SSH, HTTP or HTTPS are possible. You can upgrade switch code via TFTP or
FTP, and configuration backup and restore via TFTP, FTP or SCP is possible. There is an
option to keep these management port settings when booting from the factory-default config block.

An Alteon supports up to 2048 VLANs per switch, and any number between 1 and 4090 can
identify each VLAN. VLANs are set up on a per-port basis. Each VLAN can have any number
of switch ports in its membership. Each port in the switch has a configurable default VLAN
number, known as its PVID. The factory default value for all PVIDs is 1.

Each port on the switch can belong to one or more VLANs. Any port that belongs to multiple
VLANs, however, must have VLAN tagging enabled. The Alteon supports 802.1Q VLAN
tagging, providing standards-based VLAN support for Ethernet systems. Tagging adds the
VLAN identifier to the frame header, allowing multiple VLANs per port. Since tagging
fundamentally changes the format of frames transmitted on a tagged port, you must carefully
plan network designs to prevent tagged frames from being transmitted to devices that do not
support 802.1Q VLAN tags. By default, VLAN tagging is set to off and a single VLAN,
number 1, is set up on each port.


An interface is a logical network definition. A separate interface is required for each
directly connected network. The interface number is independent of any physical port or
VLAN. For easier management, the port, VLAN, and interface often all use the same number
or a number based on a custom-specific logic. The mask describes the size of this network.
The address defines your local IP address, which accesses this directly connected network. By
default, IPv4 is enabled, and IPv6 is supported. VLAN 1 is automatically associated with a
new interface, if not changed. The VLAN value associates this network with one or more ports
with the same number as the network. Another interface associated with the same VLAN enables
both networks on this Ethernet port or ports. This is called multinetting. Similar behavior
results from enabling tagging and associating several VLANs with a port. Each interface
associated with one of these VLANs is then also associated with these ports.

Without Layer 3 IP routing on the switch, an unknown destination IP address is sent to the
default gateway (GW). Default GWs 1 to 4 are not assigned to any VLAN. The strict metric
always uses the gateway with the lowest number. In case of failure, the gateway with the next
higher number is used. The round-robin metric uses the next higher GW number for each session.
After reaching the highest configured number, it starts from the lowest again. ICMP messages are
the default for health checks. Alternatively, use the ARP protocol.

GWs 5 through 259 are each associated with a separate single VLAN. All unknown destination
IP addresses for a VLAN are sent to the associated GW. If this GW fails, the switch uses GW
1-4 if present; if none is present, no routing is possible.
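
The selection rules in the two paragraphs above, written out as a small Python model. This is an added example, not Radware code: the class and method names and the sample addresses in the demo are hypothetical, and it models only what this section states.

```python
"""Added example: a model of the default-gateway selection rules in this section."""


class GatewayTable:
    """Gateways 1-4 serve all VLANs; gateways 5-259 each serve one VLAN."""

    def __init__(self, metric="strict"):
        if metric not in ("strict", "roundrobin"):
            raise ValueError("metric must be 'strict' or 'roundrobin'")
        self.metric = metric
        self.gateways = {}   # gateway number -> {"addr", "vlan", "up"}
        self._last = 0       # last gateway number handed out by round robin

    def add(self, number, addr, vlan=None):
        if not 1 <= number <= 259:
            raise ValueError("gateway number must be 1..259")
        if number <= 4 and vlan is not None:
            raise ValueError("gateways 1-4 are not assigned to a VLAN")
        if number >= 5 and vlan is None:
            raise ValueError("gateways 5-259 need exactly one VLAN")
        if vlan is not None and any(g["vlan"] == vlan for g in self.gateways.values()):
            raise ValueError("each VLAN gateway needs a separate VLAN")
        self.gateways[number] = {"addr": addr, "vlan": vlan, "up": True}

    def set_health(self, number, up):
        """Record the result of the ICMP (or ARP) health check."""
        self.gateways[number]["up"] = up

    def _default_gateway(self):
        alive = sorted(n for n, g in self.gateways.items() if n <= 4 and g["up"])
        if not alive:
            return None                       # no routing is possible
        if self.metric == "strict":
            return alive[0]                   # lowest healthy number wins
        # Round robin: next higher number than last time, wrapping to the lowest.
        choice = next((n for n in alive if n > self._last), alive[0])
        self._last = choice
        return choice

    def select(self, vlan):
        """Gateway number for a new session from `vlan`, or None if unroutable."""
        for number, gw in sorted(self.gateways.items()):
            if number >= 5 and gw["vlan"] == vlan:
                if gw["up"]:
                    return number
                break                         # VLAN gateway failed: fall back to 1-4
        return self._default_gateway()


if __name__ == "__main__":
    table = GatewayTable("strict")
    table.add(1, "192.168.100.254")
    table.add(2, "192.168.100.253")           # constructed second router
    table.add(5, "10.200.21.254", vlan=14)    # constructed VLAN gateway
    print("VLAN 11 uses GW", table.select(11))
    table.set_health(5, False)
    print("VLAN 14 falls back to GW", table.select(14))
```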

Objectives
After completing this lab, you will be able to:
• Log in to the switch
• Configure VLANs and interfaces
• Back up a configuration
• Use BBI and ASEM GUIs

Equipment
The following equipment is required to complete this lab:
• 1 Classroom PC (in front of you)
• 1 Alteon
• 1 Team-PC, (interface between remote and local lab)
• 2 Servers (web application)
• 1 FTP/TFTP server on your Team-PC


Assignment
Physically, your network is wired as per the diagram on the Lab Configuration
pages. In order to configure this Alteon, connect to the serial port. On your
Team-PCs, the Putty application is already set up. Individual settings to
connect via serial to the Alteon are already configured. Be aware that a serial
connection to an Alteon can only be established from one PC at a time. A
second connection will fail. For a second connection, enable Telnet or SSH or
use any GUI.

Task 1: Set up this Alteon to operate as a router:

• Start by checking that the device is set to the factory default.
• Configure two VLANs, for public and private networks, and two
INTERFACES according to the IP plan on the Lab Description pages.
• Set up a DEFAULT GATEWAY to complete the setup.
• Test access from the Team-PC to servers 1 and 2. Ping 10.200.#.100 or .200
and browse to http://10.200.#.100 or .200.
Task 2: Use the copy and paste feature to modify or back up your
configuration data.
Task 3: Back up your configuration using the FTP/TFTP protocol.
Task 4: Set up the two GUI management interfaces, BBI and ASEM.

IMPORTANT:
X indicates any IP address assigned by DHCP on your Team-PC.

# indicates your Team number assigned by your instructor.


Configuring the Alteon Management Interface


Configuration steps 1 through 6 may have been completed by your instructor. We recommend
that you still go through these steps.

1. Log into the Alteon:

a. Open Putty; connect to Team#-4408. Details are on the Lab Configuration diagram.
b. Press the <enter> key one or more times to get the prompt.
c. Enter the admin password – admin.

2. Check whether the switch is set to factory default:

Display all the differences from a standard configuration on your terminal. In the main
menu, select cfg.

>> Main# /cfg/dump <enter>      short form /c/d

script start "Alteon Application Switch 4408" 4 /**** DO NOT EDIT THIS LINE!
/* Version 27.Y.Z, Base MAC address 00:03:b2:71:b5:c0
/
script end /**** DO NOT EDIT THIS LINE!

An unconfigured Alteon shows no configuration data between the line with the /* Version
information and the line script end.


3. If there is any configuration, set the switch to factory default.

Syntax:
/boot/conf {location of config db}    active or backup are customer
configurations copied from volatile memory; the Radware preconfigured setting is
factory.

Lab Configuration:
/boot/conf factory        short form /b/co f
Next boot will use factory default config block instead of active.
Confirm : Do you want to keep management port connectivity? [y/n]: n
reset                     short form r, reboots the switch to activate the setting
y                         confirms reset

4. Press Enter to reboot the switch. After approximately 1 minute, log into the switch using
the admin password.

5. On a 4408 switch, enable port 6 as the out-of-band management port.

Syntax
/boot/mgmt ena            turns port 6 from a data port into a separate management port

Lab Configuration
/boot/mgmt ena
Current state of mgmt port is Disabled
Globally [ena|dis] mgmt port (requires a switch reset): ena
Confirm Globally enable mgmt port (requires a switch reset) [y/n]: y
Reset will use software "imageX" and the factory default config block.
>> Note that this will RESTART the Spanning Tree,
>> which will likely cause an interruption in network service.
Confirm reset [y/n]: y

6. Set up a separate management interface for the management port.

Syntax:
/cfg/sys/mmgmt
addr {management IP-address}
mask {Netmask for management port}
gw {default gateway IP-address for mgmnt net}
applications {data|mgmt}  all management applications use the data port by default;
                          consider moving them to the management port
ena                       the management port needs to be enabled
/c/sys/mmgmt/port
speed {10|100|any}        sets the speed of the link with the management port. Default is any.
mode {full|half|any}      sets half or full duplex mode. Default is any.
auto {on|off}             sets auto negotiation for the port. Default is on.
apply                     without apply, settings remain pending
save                      writes all changes to flash memory
y                         confirms saving to FLASH
y                         selects active as the next boot database


Lab Configuration, keep the default port parameters:

/cfg/sys/mmgmt
addr 10.10.242.#
mask 255.255.248.0
gw 10.10.240.1
tftp mgmt
ena
apply
save
y
y

After the following message, the management network is ready to use:

>> Management Port#

<date,time> NOTICE ip: management port default gateway 10.10.240.1 operational

If you want to continue with a graphical interface instead of the CLI, continue with the section
Graphical Web User Interface, Browser Based Interface (BBI) on page 22.


Command Line User Interfaces (CLI)


1. Create new VLANs for ingress and egress ports. We keep unused ports on VLAN 1. By
default all ports are enabled. Double-check that no port has been disabled.

Syntax:
/cfg/l2/vlan {Vlan Number}/add {Physical Port1}/add {Physical Port2}/etc …
                          creates a new VLAN and adds the specified port(s)

Lab Configuration:
/cfg/l2/vlan 11/add 1     creates VLAN for clients, VLAN 11; type L2 (letter L), not 12!
y                         moves port from VLAN 1 (default) to VLAN 11, does not tag it
ena                       enables VLAN
../vlan 14/add 2/ena      creates VLAN for servers, VLAN 14
y                         moves port from VLAN 1 (default) to VLAN 14, no tagging
apply                     activates configuration change;
                          should be done after each complete configuration step.

2. Turn off Spanning Tree Group (STG) on the switch. This protocol is used to avoid Layer 2
loops. It should be enabled or disabled depending on the customer’s network. For training
purposes, we always disable it in this and the following labs.

Syntax:
/cfg/l2/stg {ST number}/{off, on} up to 16 different ST groups possible

Lab Configuration:
/cfg/l2/stg 1/off this disables STP group 1, default group is 1
apply activates configuration change

3. Configure the interfaces for the switch as shown in the Lab Description pages. You must
create a separate interface for each network that you want to connect directly to this
switch. The interface index number used is independent of any physical port, VLAN etc. A
common number for port, VLAN and interface will simplify debugging and management.

Syntax:
/cfg/l3/if {interface number}/{item parameter}/{item parameter}
up to 255 different networks are supported

Lab Configuration:
/cfg/l3/if 1 we start to configure interface 1
mask 255.255.255.0 enter the mask to calculate broadcast address
addr 192.168.100.# refer to lab description for your IP address,
vlan 11 associates this IF to VLAN 11, to use it on port 1
ena to enable the interface 1

For the second network, the Web server network, you need an additional interface. It is
also possible to put all parameters on one line separated by a forward slash.
/c/l3/if 2/vlan 14/mask 255.255.255.0/addr 10.200.#.#/ena


4. Set the default gateway. Destination IP addresses that are not from local networks or do
not match routing table entries are sent to this destination. GW 1 to 4 is for all VLANs, GW
5 to 259 can each be associated to one VLAN. An important option is to switch from ICMP
to ARP health check.

Syntax:
/cfg/l3/gw {gateway number}/{parameter}/{parameter}

Lab Configuration:
/cfg/l3/gw 1 Gateway 1 (up to 4) is for all VLANs.
addr 192.168.100.254 interface of the next hop router
ena enables the default gateway
apply activates the switch configuration

5. To distinguish different switches, especially if there are several in a solution, create an
individual CLI prompt. Under system SNMP, define a character string and activate it by setting
hprompt to enable.

Syntax:
/cfg/sys/ssnmp/name "string"
/cfg/sys/hprompt ena

Lab Configuration:
/cfg/sys/ssnmp/name "team#>"     define a character string
/cfg/sys/hprompt ena             activate individual CLI prompt

6. Enable remote access. All variations for CLI, BBI, and socket-based communication,
as well as user passwords and access rate settings per protocol, are available.

Syntax:
/cfg/sys/access/{access protocol}/{parameter}

Lab Configuration:
/cfg/sys/access/tnet ena enables telnet access via if-address
/cfg/sys/access/sshd/on enables ssh access via if-address
enable ssh or telnet only via serial connection
apply activates remote access
save saves the switch configuration, confirm with y

7. Check the current configuration of your switch

/cfg/dump this displays your configuration information


Check that the IP interfaces, addresses and subnet masks that you have just configured
are correctly shown and are enabled in the configuration.


8. Ping the remote devices on the network from your Alteon CLI to confirm Layer 3
connectivity.

Syntax:
ping {host name} or {IP address}   optional: number of attempts {tries 1-32},
interval between packets {msec delay}, and the port on which the packet will be
sent {-mgmt or -data}.

Lab Configuration, type at Alteon command line:


ping 10.200.#.100 e.g. for team21 ping 10.200.21.100

9. Open any browser on your client PC to retrieve a Web page from each server to confirm
HTTP is operational
http://10.200.#.100 e.g. for team21 http://10.200.21.100

10. Use telnet or SSH on the client to connect directly to the switch. Enter admin as the
password to access the switch.

Open CMD window or use Putty application: telnet 192.168.100.#

Logout from telnet session

Use Putty to connect via SSH: 192.168.100.# port 22

The purpose of this hands-on was to familiarise yourself with the console
connection setup. After completing your configuration, you were shown how to
enable, apply, and save your settings for future use.

An acronym to help remember how to save your work is:


EASY (E = Enable, A = Apply, S = Save, Y = Yes, to confirm the save)

Please go ahead with the exercises on the following pages to save the
configuration of this switch.


Cut and Paste Switch Configuration

OBJECTIVE:
Edit the switch configuration using copy and paste.

ASSIGNMENT:
Take the active configuration file and modify it by copying a command string to the
clipboard, pasting it to the terminal interface and saving it as your new active configuration.

Note: Depending on the terminal client being used (e.g. Putty, XTERM, HyperTerminal, etc.),
be aware of the length of the lines transmitted and that the application can insert end-of-line
characters that can affect the configuration download operation.

1. Configure what output to display on the terminal screen. Use the verbose command.

Syntax:
verbose {0, 1, 2}     Sets the level of information displayed on the screen:
0 = Quiet: Nothing appears except errors, not even prompts.
1 = Normal: Prompts and requested output are shown, but no menus.
2 = Verbose: Everything is shown.
When used without a value, the current setting is displayed.

2. Save the switch configuration as a text file:
Lab Configuration:
a) Type verbose 0 on the switch; this puts the switch in ‘quiet’ mode.
b) Display the configuration with the /cfg/dump command, mark all or parts of this
config, copy it to the clipboard and paste it to a text file. As an alternative to
mark-copy-paste, you can use the terminal feature to copy data input to a file.
For the Putty application:
select Change Settings → session → Logging → printable output
Label the file SW.txt and save it on the desktop of your Team-PC.
c) Type verbose 2 <enter> on the switch to restore default mode.

3. Edit the switch configuration file, SW.txt, stored in the desktop directory using any text
editor (e.g. Wordpad).


4. Make a change. For example, add an interface: type the following line below the “if 2”
command lines in the SW.txt file:
/cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena
The command may be on a single line, and any number of spaces and tabs is allowed.

5. Copy the command line you just typed to the clipboard. Mark:
/cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena
Paste this line into the Alteon terminal window and watch the terminal output.

6. Log into the switch and double-check that this change is pending.
diff                  check if change is received

7. Activate this change and save it to non-volatile memory:


apply
save
y

8. Dump the switch configuration to the screen and verify that the edited line was applied:
/cfg/dump or short /c/d

In this lab exercise, you learned how to drag and drop a series of commands into the terminal
interface, and how to set up a switch configuration from a saved text file.
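
The interface and default-gateway lines used in these labs can be checked for typing errors before they are pasted into the terminal. The following Python script is an added example, not part of the original manual or of any Radware tool: it parses the one-line /cfg/l3 form shown above and checks that each interface has an address and mask and is enabled, that any broad value matches the mask, and that each gateway lies on a directly connected interface. The function names and the team-21 sample values are assumptions.

```python
"""Added example: sanity-check one-line /cfg/l3 commands before pasting them."""
import ipaddress


def parse_l3(script):
    """Return ({if_number: params}, {gw_number: params}) from one-line commands."""
    interfaces, gateways = {}, {}
    for raw in script.splitlines():
        # Any amount of spaces and tabs is allowed, so collapse whitespace.
        parts = [" ".join(p.split()) for p in raw.split("/") if p.strip()]
        if len(parts) < 3 or parts[0] not in ("cfg", "c") or parts[1] != "l3":
            continue
        kind, _, number = parts[2].partition(" ")
        if kind not in ("if", "gw") or not number.isdigit():
            continue
        params = {}
        for item in parts[3:]:
            key, _, value = item.partition(" ")
            params[key] = value if value else True   # bare words such as "ena"
        target = interfaces if kind == "if" else gateways
        target[int(number)] = params
    return interfaces, gateways


def check_l3(interfaces, gateways):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, connected = [], {}
    for number, p in sorted(interfaces.items()):
        try:
            iface = ipaddress.IPv4Interface(f"{p['addr']}/{p['mask']}")
            broad = ipaddress.IPv4Address(p["broad"]) if "broad" in p else None
        except KeyError as missing:
            findings.append(f"if {number}: {missing.args[0]} not set")
            continue
        except ValueError as err:
            findings.append(f"if {number}: {err}")
            continue
        expected = iface.network.broadcast_address
        if broad is not None and broad != expected:
            findings.append(f"if {number}: broad {broad} should be {expected}")
        if p.get("ena") is True:
            connected[number] = iface
        else:
            findings.append(f"if {number}: not enabled")
    for number, p in sorted(gateways.items()):
        try:
            gw = ipaddress.IPv4Address(p["addr"])
        except (KeyError, ValueError):
            findings.append(f"gw {number}: addr missing or invalid")
            continue
        if not any(gw in i.network and gw != i.ip for i in connected.values()):
            findings.append(f"gw {number}: {gw} is not on a directly connected interface")
    return findings


def audit(script):
    return check_l3(*parse_l3(script))


# Constructed sample for team 21, following the lab's IP plan.
GOOD_PLAN = """
/cfg/l3/if 1/mask 255.255.255.0/addr 192.168.100.21/vlan 11/ena
/c/l3/if 2/vlan 14/mask 255.255.255.0/addr 10.200.21.21/ena
/cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena
/cfg/l3/gw 1/addr 192.168.100.254/ena
"""

# Constructed sample with three typing errors: missing ena, wrong broad, wrong gateway.
BAD_PLAN = """
/cfg/l3/if 1/mask 255.255.255.0/addr 192.168.100.21/vlan 11/ena
/cfg/l3/if 2/vlan 14/mask 255.255.255.0/addr 10.200.21.21
/cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.0.255/ena
/cfg/l3/gw 1/addr 192.168.10.254/ena
"""

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, audit(plan) or "no findings")
```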


Upload and download configuration to an FTP/TFTP Server

OBJECTIVE:

To become familiar with uploading and downloading a configuration file to an FTP or TFTP
server.

ASSIGNMENT:

Use the FTP/TFTP server 3CDaemon (3CD) located in your Team-PC quick launch
area. Transfer the current configuration from the switch to the Team-PC using the FTP or
TFTP server. Set the switch back to factory default. To restore the configuration, you
must set up at minimum a public interface and, depending on your topology, a default
gateway. No VLAN/STG config is necessary. Transfer the stored file from the
FTP/TFTP server back to your switch.

Do not forget to verify that the configuration was transmitted correctly to the switch or the
FTP/TFTP server when uploading and downloading switch configuration files.

[Figure: FTP / TFTP server configuration. Labels in the diagram: public net, private net,
Team-PC, ports 1 and 2, 3CD FTP/TFTP server application.]

1. Start the 3CD FTP or TFTP service on your Team-PC. If it is not installed, a copy of this
application is in the tools folder on your CD-ROM drive.

2. Write down the IP address of your local PC, which is the FTP/TFTP server:___________
Check the configuration file of the FTP or TFTP server. The user directory points to where
the files will be stored or loaded.


3. Store the Alteon configuration on your Team-PC. You can use either FTP or TFTP.

Syntax for communications dialog:


/cfg/ptcfg used to upload the active configuration to a TFTP/FTP server
/cfg/gtcfg used to download into active config from a TFTP/FTP server
Enter IP address of FTP/TFTP server: {IP address of TFTP/FTP server}
Enter name of file on FTP/TFTP server: {file name}
Enter username for FTP server or hit return for TFTP server: {account for FTP}
Enter password for username on FTP server: {password for FTP}

Lab configuration:
/cfg/ptcfg used to upload the active configuration to a FTP server
Enter IP address of FTP/TFTP server: 192.168.150.x addr of your Team-PC
Enter name of file on FTP/TFTP server: Router.doc
Enter username for FTP server or hit return for TFTP server: anonymous
Enter password for username on FTP server: any

4. Check that the file (Router.doc) was created on the Team-PC by checking the root directory
of the server application. Open this file with the WordPad text editor.

5. Set your switch to factory default to clear all current configuration settings. Loading this
setting requires resetting the switch. Keep your management interface.
/boot/conf f/reset

6. After reboot, log in again and enter the following commands to set up an interface and a
default gateway for communication to Team-PC.
/cfg/l3/if 1/mask 255.255.255.0/addr 192.168.100.#/ena
/cfg/l3/gw 1/addr 192.168.100.254/ena
/cfg/port 2/dis to isolate server net
apply activates new setting
ping 192.168.150.x to verify communication to FTP-Server/Team-PC

7. Restore the switch configuration again. Enter the following commands:


/cfg/gtcfg command to replace active configuration with downloaded file
Enter IP address of FTP/TFTP server: 192.168.150.x addr. of your Team-PC
Enter name of file on FTP/TFTP server: Router.doc stored file name
Enter username for FTP server or hit return for TFTP server: anonymous
Enter password for username on FTP server: any
apply
save confirm with y

8. To load the restored config at the next reboot, select active config
/boot/conf active

9. Check to see if your previously saved configuration has been restored.


Lab Configuration:
/c/d

This lab should have made you more comfortable with the ptcfg and the gtcfg
commands to upload and download a switch configuration to an FTP or TFTP server.


Graphical Web User Interface, Browser Based Interface (BBI)

OBJECTIVE:
Monitor and configure the switch using the Browser Based Interface (BBI) also called Web UI
and Application Switch Element Manager (ASEM).

ASSIGNMENT:

Use the configuration from the previous lab. Enable SNMP for ASEM and HTTP for remote
BBI access to the switch. View or modify the switch configuration.

1. Enable HTTP access to the switch.


Syntax:
/cfg/sys/access/{type of access} {parameter}

Lab configuration:
/cfg/sys/access/http e
wport 8000 optional set HTTP server listening to port number 8000

2. apply

3. From the Team-PC machine, start a web browser and enter the IP address of interface 1 on
the switch in the address box. Log in to the switch.
http://10.10.242.#
User Name: admin
Password: admin

4. Enable HTTPS for encrypted access to the switch.
Lab configuration:
/cfg/sys/access/https
https e Enable/disable HTTPS server access

5. apply activate HTTPS setting / generate a HTTPS certificate

6. generate Generate self-signed HTTPS server certificate


Country Name (2 letter code) [US]: DE
State or Province Name (full name) [NJ]: Bavaria
Locality Name (eg, city) [Mahwah]: Munich
Organization Name (eg, company) [Radware Ltd.]: Radware
Organizational Unit Name (eg, section) [Engineering]: Training
Common Name (eg, YOUR name) [Radware Inc.]: GuentherM
Email (eg, email address) [info@radware.com]: training@radware.com
Confirm generating certificate? [y/n]: y
Generating certificate. Please wait (approx 30 seconds)
restarting SSL agent


7. certSave Save HTTPS server certificate

8. Create two new VLANs for ingress and egress ports. We keep unused ports on VLAN 1.
By default, all ports are enabled. At Configure tab select Layer2, VLANs and click the
Add button.

Insert VLAN ID 11, Name, Enable it and associate Spanning Tree Group 1, select
Available port 1 and move it to Configured. Press Submit and Apply button to activate this
change. Each change is confirmed at BBI Log Messages field.
Add another VLAN ID 14 and use port 2.

Disable Spanning Tree.

Select on Layer2, SpanningTree number 1 and turn Enabled to Disabled. Submit and
Apply change.


9. Configure the interfaces for the switch as shown in the Lab Description pages. You must
create a separate interface for each network that you want to connect directly to this
switch. The interface index number used is independent of any physical port, VLAN etc. A
common number for port, VLAN and interface will simplify debugging and management. At
Configure tab select Layer3, IP Interfaces and click the Add button.

Insert Interface ID 1. The IP address is 192.168.100.#, where # is your team number. The
mask is a C-Class one. Associate VLAN 11 for public net. Enable state and click Submit and
Apply buttons to activate this change.
Add another interface 2 for your private net. IP Address is 10.200.#.# /24.

10. Set the default gateway. Traffic to any destination IP address that is not on a local
network and does not match a routing table entry is sent to this gateway. GW 1 to 4 is for
all VLANs, GW 5 to 259 can each be associated to one VLAN. Select Gateways and Add,
Gateway ID 1, IP Address is 192.168.100.254 and turn state to Enable and click Submit and
Apply buttons to activate this change. The settings are the same for all teams.


11. Some options are also available for CLI access. A login banner displays customer-specific
information at CLI login. A notice is visible at logout. If you are logged out too quickly
during configuration, adjust Idle Timeout. This value is also applicable for HTTP and
HTTPS access. Instead of a standard prompt, the SNMP name is displayed by selecting
Hostname. These options are at Configure-System-Management Access-CLI or SNMP.

12. Check the current configuration of your switch. Click on Dump at the global commands
line. A new tab opens and displays the configuration file. If not all parameters are visible
check DIFF. This command lists all pending and not applied configurations.

13. Save this basic configuration to a file on the Team-PC. Start FTP/TFTP server on your
Team-PC. At your Team-PC quick launch area click on 3CDaemon. By default the server
is set to use the desktop as user directory. At your BBI window go to Configure, System,
Download/Upload, Configuration. At section Import / Export select Export from Device,
Management Port and FTP. Enter your Team_PC IP Address, Username is anonymous,
Password any and as Filename Basic.txt. Submit these parameters.

14. View the settings in the Web UI.
By default, the Web UI starts in Configure mode. Select Monitor mode, which allows you
to view information about the switch. Some interesting information:

System-Ports-General or Layer 1 to IP specific details.
Layer 2 - main menu

System-Capacity, displays maximum and allocated amount of items

Layer 2 and sub menus for FDB, STG Trunk and Port Teams

Layer 3 and sub menus for Routes, Interfaces and several routing protocols.

SLB and other menus we will use later.


Printout for Switch Configuration (Team21)

/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
tftp mgmt
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/sys
idle 999
/c/sys/access
snmp w
http ena
tnet ena
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/l2/vlan 1
learn ena
def 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 … 28
/c/l2/vlan 11
ena
name "VLAN 11"
learn ena
def 1
/c/l2/vlan 14
ena
name "VLAN 14"
learn ena
def 2

/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
ena
ipver v4
addr 192.168.100.21
vlan 11
/c/l3/if 2
ena
ipver v4
addr 10.200.21.21
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
ipver v4
addr 192.168.100.254
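
The printout above leaves HTTP, Telnet and SNMP access switched on, which is worth checking for before a lab configuration is reused elsewhere. The following Python code is an added example, not part of the Radware manual: it parses the /c/... dump layout shown above and reports the /c/sys/access settings that enable cleartext or write access. The function names and the reading of `snmp w` as SNMP write access are assumptions.

```python
# Excerpt of the Team21 printout on this page (indentation already lost, as above).
SAMPLE_DUMP = """\
/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
ena
/c/sys
idle 999
/c/sys/access
snmp w
http ena
tnet ena
/c/port 1
pvid 11
/c/l2/stg 1/off
/c/l3/if 1
ena
addr 192.168.100.21
vlan 11
"""

# Settings under /c/sys/access that carry the login in cleartext.
CLEARTEXT = {
    "http": "HTTP access (BBI) is enabled; the login crosses the network unencrypted",
    "tnet": "Telnet access is enabled; the CLI login crosses the network unencrypted",
}


def parse_dump(text):
    """Return {menu path: [setting lines]} for a /c/... style dump.

    A line starting with '/' opens a menu and the lines after it are its
    settings. A '/' line that is directly followed by another '/' line (or by
    the end of the dump) has no settings of its own; it is treated as a
    stacked one-liner such as '/c/l2/stg 1/off', whose last element is a
    setting of the parent menu.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    menus = {}
    current = None
    for i, line in enumerate(lines):
        if line.startswith("/"):
            following = lines[i + 1] if i + 1 < len(lines) else "/"
            if following.startswith("/") and line.count("/") > 1:
                path, _, setting = line.rpartition("/")
                menus.setdefault(path, []).append(setting)
                current = None
            else:
                current = line
                menus.setdefault(current, [])
        elif current is not None:
            menus[current].append(line)
    return menus


def audit_access(menus):
    """Return [(setting, reason)] for risky /c/sys/access entries."""
    findings = []
    for setting in menus.get("/c/sys/access", []):
        key, _, value = setting.partition(" ")
        if key in CLEARTEXT and value.startswith("e"):
            findings.append((key, CLEARTEXT[key]))
        elif key == "snmp" and value.startswith("w"):
            # Assumption: 'w' stands for SNMP write access.
            findings.append((key, "SNMP write access is enabled"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_access(parse_dump(SAMPLE_DUMP)):
        print(f"/c/sys/access {key}: {reason}")
```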


Server Load Balancing

Overview
Description
Server Load Balancing (SLB) allows you to configure the Alteon to balance user session
traffic among a pool of available servers that provide shared services. In an average
network that employs multiple servers without server load balancing, each server usually
specializes in providing one or two unique services. If one of these servers provides
access to applications or data that is in high demand, it can become over-utilized. Placing
this kind of strain on a server can decrease the performance of the entire network, as user
requests are rejected by the server and then resubmitted by the user stations. Ironically,
over-utilization of key servers often happens in networks where other servers are actually
available. The solution to getting the most from your servers is SLB. With this software
feature, the switch is aware of the services provided by each server. The switch can direct
user session traffic to an appropriate server, based on a variety of load-balancing
algorithms. To provide load balancing for any particular type of service, each server in the
pool must have access to identical content, either directly (duplicated on each server) or
through a back-end network (mounting the same file system or database server). The
Alteon, with the SLB feature enabled, acts as a front-end to the servers, interpreting user
session requests and distributing them among the available servers.

Load balancing in the Alteon Operating System can be done in the following ways:
• Virtual server-based load balancing; this is the traditional load balancing method.
The switch is configured to act as a virtual server and is given a virtual server IP
address (or range of addresses) for each collection of services it distributes.
Depending on your switch model, there can be as many as 1024 virtual servers on
the switch, each distributing up to eight different services. Each virtual server
points to a list of up to 1024 IP addresses of real servers in a pool where its
services reside. This pool is called a group. A maximum of 1024 groups are
possible. The method of distribution, called the metric, and how to determine a real
server as healthy, the health check (hc), are important configuration parameters.
When the user stations request connections to a service, they communicate with a
virtual server on the switch. When the switch receives the request, it binds the
session to the IP address of the best available real server and remaps the fields in
each frame from virtual addresses to real addresses. HTTPS, HTTP, IP, FTP,
RTSP, and IDS, are examples of some of the services that use virtual servers for
load balancing.

• Filtered-based load balancing; A filter allows you to control the types of traffic
permitted through the switch. Filters are configured to allow, deny, or redirect traffic
according to the IP address, protocol, or Layer 4 port criteria. In filtered-based load
balancing, a filter is used to redirect traffic to a real server group. If the group is
configured with more than one real server entry, redirected traffic is load balanced
among the available real servers in the group. For example SSL acceleration,
Firewalls, WAP with RADIUS snooping, IDS, and WAN links use redirection filters
to load balance traffic.
• Content-based load balancing; Content-based load balancing uses Layer 7
application data, such as URL, cookies, and Host Headers, to make intelligent load
balancing decisions. URL-based load balancing, browser-smart load balancing and
cookie-based preferential load balancing are a few examples of content-based
load balancing.

When deploying SLB, there are a few key aspects to consider. In standard SLB, all client
requests to a virtual server IP address and all responses from the real servers must pass
through the switch. If there is a path between the client and the real servers that does not
pass through the switch, the Alteon can be configured to proxy requests to guarantee that
responses use the correct path. Identical content must be available to each server in the
same pool. Either static applications and data are duplicated on each real server in the
pool, or, for dynamic applications, each real server in the pool has access to the same
data through use of a shared file system or back-end database server. To take advantage
of multi-CPU or multi-processor servers, configure the Alteon Operating System to map a
single virtual port to multiple real ports. This capability allows the site managers, for
example, to differentiate users of a service by using multiple service ports to process client
requests. This feature allows the network administrator to configure up to 16 real ports for
a single service port, and it is supported in Layer 4 and Layer 7 and in cookie-based and
SSL-persistent switching environments. When mapping multiple real ports on each real
server to a virtual port, the Alteon treats the real server IP address/port mapping
combination as a distinct real server.

Clients and servers can be connected through different ports or through the same switch
port. Each port in use on the switch can be configured to process client requests, server
traffic, or both. Configure only the necessary processes since each one requires switch
resources. It is possible to enable or disable processing on a port independently for each
type of Layer 4 traffic. Ports that are configured for Layer 4 client processing, process user
request traffic, which provides address translation from the virtual server IP to the real
server IP address. Ports configured for Layer 4 server processing, process application
responses to user requests. Translation from the real server IP address to the virtual
server IP address occurs on the server enabled port. Real servers are connected to the
Alteon directly, or through a router, or another switch. Switch ports configured for Layer 4
client/server processing can simultaneously provide Layer 2 switching and IP routing
functions. The switch must have an IP route to all of the real servers that receive switching
services.


For each network directly attached to this switch, an IP interface is required. Suitable
Layer 2 settings, Spanning Tree or VLANs as well as static or dynamic routing must be set
up. For each real server, you assign a real server number, specify its actual IP address,
and enable the real server. Define a real server group and add all real servers belonging
to the same application to this service group. All client requests are addressed to a virtual
server IP address (VIP) on a virtual server (VIRT) defined on the switch. Clients acquire
the virtual server IP address through normal DNS resolution. Only a Layer 3 IP address or
usually a Layer 4 service is assigned this VIP.

By default, the service protocol is TCP, although UDP is also possible. For example,
HTTP or TCP destination port 80 is configured as the service running on this virtual
server, and this service is associated with the real server group containing all real servers
for this application. This switch is not limited to HTTP Web service. Other TCP/UDP/IP
services can be configured in a similar fashion. The protocol and a destination port must
always be specified. Well known services are set up only by the name. For a list of other
well-known services and ports, see "Well-Known Application Ports" in the Application
Guide. A maximum of eight services are possible per VIRT. If more services are required,
create another VIRT using the same VIP again for the next eight services and so on. The
Server Load Balancing feature must be turned on. After applying all configurations, the
health check process starts and should report the available real server with the lowest
number. If one server is up an “up” message for the VIP is displayed as well. For all other
real servers a similar up message follows. If there is load balancing for different real ports
on the single real servers, a separate message displays for each port.

Objectives
After completing this lab, you will be able to:
• Connect to the Alteon using a console connection.
• Configure standard SLB.
• Repeat to save configurations to file.
• Optional, set up load balancing services on multiple Layer 4 ports.


Assignment
All your network devices are connected via Ethernet cables as shown in the
Lab Description pages. In order to configure this switch, connect serial to your
assigned switch via a terminal server.
Configure the Alteon to support basic load balancing.
If you successfully completed the previous basic lab, start with step one.
Otherwise, perform the basic configuration described in Basic Switch
Configuration. Set up Layer 4 real servers and bind them to a group. Use
round robin as the metric and TCP for the health check. Configure a virtual
server with a virtual IP and HTTP as the load balancing service. Associate it to
the previously configured group. Enable client and server Layer 4 processes
on the ports. Enable the server load balancing feature. Please watch the
health check messages on your terminal screen after applying this config.
Save this configuration to file. Connect to the VIP Home Page using Internet
Explorer or FireFox browser and test SLB functionality.
Optionally, set up load balancing for multiple ports. Assign the application port
number used by the individual server on the switch to the real server
configuration supporting this service. Change the real port for the VIP/service
to zero value to enable real port look up.


Configure Switch
Console Setup
On your Team-PC, the Putty application is already set up with individual icons
to connect via serial to the Alteon. Be aware that a serial connection can only be
established from one PC to one switch. A second connection will fail. For a
second connection enable Telnet or SSH or use any GUI.
CLI SLB configuration of the Switch
1. If you would like to use the graphical user interface (BBI) instead of the CLI, make sure
it is enabled. See page 22 (the Browser Based Interface lab) for how to enable it, if not
already done. Continue on page 101.
2. Log into the switch, enter the admin password – admin.
3. Check the current configuration of your switch. The cfg menu dump option displays all the
settings that differ from the Radware factory default configuration.
Syntax:
/cfg/{submenu} all parameter setup for the Radware Alteon is done in the different
cfg sub menus.
Lab Configuration:
/cfg/dump shorthand /c/d
This displays your configuration. Check the printout, to make sure all entered data is
correct and enabled. Use ping to PCs and server to test the config.
4. Configure PIP to translate SrcIP to server net address
Syntax:
/cfg/slb/pip/type port or vlan select general pip mode
/cfg/slb/pip/address physical-port add IP address static for port

Lab Configuration:
/c/slb/pip/type port you can also skip this line since it is default
/c/slb/pip/add 10.200.#.42 1 add a static s-address translation on port 1

5. Configure both real servers.


Syntax:
/cfg/slb/real {real server index number} set up all parameters for a real
server at this menu.
Lab Configuration:
/cfg/slb/real 1 shorthand /c/sl/re 1

Syntax:
rip {real server IP address} IP address of real server
Lab Configuration:
rip 10.200.#.100 replace # by your team number
ena enables each real server


It is also possible to put all commands into a single command line. For example go up one
menu .., select a next server index real 2, provide IP address rip 10.200.21.200
and enable it.
../real 2/rip 10.200.#.200/ena Server2 setup. Replace # by your team
number again.
apply activates configuration
6. Add all real servers belonging together for a service to a group
Syntax:
/cfg/slb/group {group index number} add all real servers and group parameters
at this menu.
Lab Configuration:
/cfg/slb/group 1 shorthand /c/sl/gr 1

Syntax:
add {real server index} Number of the real server configured in step
Lab Configuration:
add 1 add real server 1 to group 1
add 2 add real server 2 to group 1

Syntax:
metric {algorithm to select next rip} even distribution metrics are
leastconns, roundrobin, response and bandwidth. Default value is leastconns.
Lab Configuration:
metric roundrobin enable round robin distribution

Syntax:
health {rip availability test method } several options from link, arp, icmp,
tcp up to content specific are available.
Default value is tcp.
Lab Configuration:
health icmp enables ping to health check real server

apply activates configuration


cur verifies your configuration

7. Configure the virtual IP. This is the entry or termination IP address for a specific service.
Syntax:
/cfg/slb/virt {virtual server index number} set up all parameters for a
virtual server at this menu.
Lab Configuration:
/cfg/slb/virt 1 shorthand /c/sl/vi 1

Syntax:
vip {virtual server IP address} IP address of virtual server
Lab Configuration:
vip 192.168.100.2# replace # by your team number
ena enables each virtual server


Syntax:
service {virtual port name} The virtual port name can be
a well-known port name, such as http, ftp, etc. or a service number. The allowable port
range is from 9 to 65534. For a list of all names, look up the Command Reference Guide
and search for ‘sport’ at ‘/cfg/slb/filt’ section. By default, group 1 is associated. Specify
different numbers.
Lab Configuration:
service http shorthand se 80

8. Enable client processing on the client port and server processing on the server port.
When using PIP, skip server processing and set up only proxy processing.
Syntax:
/cfg/slb/port {number}/{service ena} Enable a required SLB service on this
specific physical port. Services are client, server, proxy etc.
Lab Configuration:
/cfg/slb/port 1/client ena shorthand /c/sl/po 1/cl e
/cfg/slb/port 1/proxy ena shorthand ../po 1/pr e

9. Turn the SLB feature on, and apply and save the switch configuration
Syntax:
/cfg/slb/{processing status} Value on, enables SLB feature. Default is off.

Lab Configuration:
/cfg/slb/on short hand /c/sl/on
apply .... this activates the configuration
save ..... this writes config to flash memory and confirm y
y ........ confirms writing

10. After applying your changes, the switch should report that the real and virtual servers are
operational.
Date Time NOTICE slb: real server 10.200.1.100:80 operational
Date Time NOTICE slb: Services are available for virtual server
192.168.100.221
Date Time NOTICE slb: real server 10.200.1.200:80 operational

11. Log in to the switch and check the current SLB configuration.
Lab Configuration:
/c/slb/cur


12. Verify that SLB is working. Open a Web browser on Team-PC e.g. FireFox or MS Internet
Explorer.
For example, for team 21 enter http://192.168.100.221
You should see a response showing that you have reached Server 1 or Server 2.
If you refresh the screen by pressing CTRL/F5, the display does not change. The reason
for this behavior is that this session (HTTP 1.1) still remains! To get load balancing, close
the browser and open a new window. For your convenience set http://192.168.100.2# as
default start page.

13. Verify SLB is working from the statistics menu in the switch.
Syntax:
/stats/slb/virt {virtual server}

Lab Configuration:
/stat/slb/virt 1 shorthand /st/sl/vi 1

14. Generate traffic by opening a new browser window to your VIP several times; return to the
switch CLI and note changes to the switch statistics.
In the switch CLI, press the cursor “↑” key to repeat the command to display statistics.
(command /stats/slb/virt 1)

15. Clear the session table and repeat testing SLB (steps 11 through 14)
Syntax:
/stats/slb/{Layer-4-item} The Clear option resets all non-operating SLB
statistics on the Alteon to zero. This command does not reset the switch and does not
affect the counters required for Layer 4 and Layer 7 operation, such as current real server
sessions and all related SNMP counters.

Lab Operation:
/stat/slb/clear shorthand /st/sl/cl

16. Save this SLB configuration to a file on the Team-PC. This configuration will be the base
for the following labs.

Start the 3CD FTP/TFTP server on your team PC.

Lab Configuration:
/cfg/ptcfg and specify team PC IP address, file name and for FTP account and password.

Alternatively dump configuration and copy and paste configuration into a text file.
Lab Configuration:
/cfg/dump shorthand /c/d

Mark configuration and copy it to clipboard. Paste it to a text editor. Use Notepad etc.


Load balancing for available services on different servers is an option. There are two web
servers. One equipped with two CPUs, the other with four CPUs. For each CPU a separate
Web application instance, e.g. Apache, is installed. Our customer wants to have an even load
based balancing on each of these CPUs. Set up the real servers for multi-port SLB using the
switch CLI.
Syntax:
/cfg/slb/real {real server index number}/addport {L4-port number
used at application} set up Layer 4 port numbers used at application for a real
server.
Lab Configuration:
/cfg/slb/real 1/addport 80 shorthand /c/sl/re 1/add 80
/cfg/slb/real 1/addport 81 shorthand add 81
/cfg/slb/real 2/addport 80 shorthand ../re 2/add 80
/cfg/slb/real 2/addport 81 shorthand add 81
/cfg/slb/real 2/addport 82 shorthand add 82
/cfg/slb/real 2/addport 83 shorthand add 83

Syntax:
/cfg/slb/real {rip number}/weight {multiplier for load} Sets the
weighting value (1 to 48) that this real server will be given in the load balancing algorithms.
Higher weighting values force the server to receive more connections than the other
servers configured in the same real server group. By default, value one is set.
Lab Configuration:
/cfg/slb/real 2/weight 2 shorthand /c/sl/re 2/we 2

17. If multiple service ports per real server are set up, a separate metric for these services is
available.
Syntax:
/cfg/slb/group {group number}/rmetric {metric} Real server metric usage
can be roundrobin, hash, or leastconns. Default is roundrobin.
Lab Configuration:
/cfg/slb/group 1/rmetric roundrobin

18. Set up the real port for a service on a virtual server for MultiPort SLB. The allowable real
L4-port range is from 1 to 65534. If set to 0, multiple real ports are enabled. The metric
configured at group level first selects a real server. If rport is set to zero, the rmetric then
determines the selected port, depending on the configured values and the healthy services
at the real server. Only one service per virt can be set to rport 0.
Syntax:
/cfg/slb/virt {virt number}/service {L4-port number}/rport {real
L4-port number}

Lab Configuration:
/cfg/slb/virt 1/service 80/rport 0
apply .... this activates the configuration
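
How the weight on real server 2 and rport 0 combine to give each CPU instance the same share can be seen in a small simulation. This is an added example, not Radware code: it models the group metric as weighted round robin and the rmetric as a per-server round robin over the addport entries, which is an assumption about the scheduling and not taken from this page. The function and variable names are hypothetical.

```python
from collections import Counter
from itertools import cycle

# Real servers and their addport entries from the lab configuration above.
REALS = {"real 1": [80, 81], "real 2": [80, 81, 82, 83]}


def simulate(reals, weights, connections):
    """Count new connections per (real server, real port).

    Stage 1 (group metric roundrobin, assumed weighted): in every round a
    real server is selected 'weight' times; the default weight is 1.
    Stage 2 (rmetric roundrobin with rport 0): each real server rotates
    through its own addport list independently.
    """
    server_round = cycle(
        [name for name in reals for _ in range(weights.get(name, 1))]
    )
    port_rotation = {name: cycle(ports) for name, ports in reals.items()}
    hits = Counter()
    for _ in range(connections):
        name = next(server_round)
        hits[(name, next(port_rotation[name]))] += 1
    return hits


def per_instance(hits):
    """Return the counts as a sorted list of ((server, port), count)."""
    return sorted(hits.items())


if __name__ == "__main__":
    for label, weights in (("no weight", {}), ("real 2 weight 2", {"real 2": 2})):
        print(label)
        for (name, port), count in per_instance(simulate(REALS, weights, 1200)):
            print(f"  {name}:{port}  {count}")
```

Without the weight, the two instances on real server 1 each take twice as many connections as an instance on real server 2; with weight 2 on real server 2, all six instances receive the same number.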


For each port of real servers a separate confirmation line is printed.


Date Time NOTICE slb: real service 10.200.21.100:80 operational
Date Time NOTICE slb: real server 10.200.21.100 operational
Date Time NOTICE slb: Services are available for Virtual Server
1:192.168.100.221
Date Time NOTICE slb: real service 10.200.21.200:80 operational
Date Time NOTICE slb: real server 10.200.21.200 operational
Date Time NOTICE slb: real service 10.200.21.100:81 operational
Date Time NOTICE slb: real service 10.200.21.200:81 operational
Date Time NOTICE slb: real service 10.200.21.200:82 operational
Date Time NOTICE slb: real service 10.200.21.200:83 operational

Did you get all nine health check messages? Why did you get only three?

Correct your configuration, please. See sample configuration on next pages.
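
Counting the messages by eye is error-prone once more ports are added, so the comparison can be scripted. The following Python code is an added example, not part of the manual: it derives the expected health check messages from the lab's real servers, addport entries and VIP, parses the NOTICE lines in the format printed above, and lists what is missing. The function names are hypothetical, and the three-line log is constructed for illustration.

```python
import re

# Lab configuration on this page (team 21): real server IP -> addport entries.
REALS = {"10.200.21.100": [80, 81], "10.200.21.200": [80, 81, 82, 83]}
VIPS = ["192.168.100.221"]

# The nine lines printed above; "Date Time" stands in for the timestamp and
# the wrapped virtual server line is joined.
FULL_LOG = """\
Date Time NOTICE slb: real service 10.200.21.100:80 operational
Date Time NOTICE slb: real server 10.200.21.100 operational
Date Time NOTICE slb: Services are available for Virtual Server 1:192.168.100.221
Date Time NOTICE slb: real service 10.200.21.200:80 operational
Date Time NOTICE slb: real server 10.200.21.200 operational
Date Time NOTICE slb: real service 10.200.21.100:81 operational
Date Time NOTICE slb: real service 10.200.21.200:81 operational
Date Time NOTICE slb: real service 10.200.21.200:82 operational
Date Time NOTICE slb: real service 10.200.21.200:83 operational
"""

# Constructed log with only three messages, in the single-port format of step 10.
SHORT_LOG = """\
Date Time NOTICE slb: real server 10.200.21.100:80 operational
Date Time NOTICE slb: Services are available for virtual server 192.168.100.221
Date Time NOTICE slb: real server 10.200.21.200:80 operational
"""

IPV4 = r"\d+(?:\.\d+){3}"
EVENT = re.compile(
    rf"slb: (?:real (?:server|service) (?P<rip>{IPV4})(?::(?P<port>\d+))? operational"
    rf"|Services are available for [Vv]irtual [Ss]erver (?:\d+:)?(?P<vip>{IPV4}))"
)


def expected_events(reals, vips):
    """One event per virtual server, per real server and per real service."""
    events = {("virt", vip) for vip in vips}
    for rip, ports in reals.items():
        events.add(("server", rip))
        events.update(("service", rip, port) for port in ports)
    return events


def observed_events(log_text):
    """Extract the same kind of events from NOTICE slb log lines."""
    events = set()
    for line in log_text.splitlines():
        match = EVENT.search(line)
        if not match:
            continue
        if match.group("vip"):
            events.add(("virt", match.group("vip")))
        elif match.group("port"):
            events.add(("service", match.group("rip"), int(match.group("port"))))
        else:
            events.add(("server", match.group("rip")))
    return events


def missing_events(reals, vips, log_text):
    """Expected events that never showed up in the log, sorted."""
    return sorted(expected_events(reals, vips) - observed_events(log_text))


if __name__ == "__main__":
    for name, log in (("full log", FULL_LOG), ("short log", SHORT_LOG)):
        print(name, "missing:", missing_events(REALS, VIPS, log))
```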

19. Access web server via VIP and generate traffic by opening several Browser windows.
Lab Operation:
/stat/slb/virt 1

20. Remove setting for all real server weighting and turn rport back to 80 for the next labs.


Printout for SLB configuration (team 21)


/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
tftp mgmt
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/sys
idle 999
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/l2/vlan 1
def 3 4 5 6 7 8 9 10 11 12 … 27 28
/c/l2/vlan 11
ena
name "public"
def 1
/c/l2/vlan 14
ena
name "private"
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/sys/sshd/on
/c/l3/if 1
ena
addr 192.168.100.21
vlan 11
/c/l3/if 2
ena
addr 10.200.21.21
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
addr 192.168.100.254

/c/slb
on
/c/slb/real 1
ena
rip 10.200.21.100
name "server1"
addport 80
addport 81
/c/slb/real 2
ena
rip 10.200.21.200
name "server2"
addport 80
addport 81
addport 82
addport 83
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
rport 0
/


Persistent Load Balancing

Overview
Description
In a typical SLB environment, traffic comes from various client networks across the Internet to
the virtual server IP address on the Alteon. The switch then load balances this traffic among
the available real servers. Some SLB services require that a series of client requests go to the
same real server so that session-specific state data can be retained between connections.
Services of this nature include Web search results, multi-page forms that the user fills in, or
custom Web-based applications typically created by using scripts. Connections for these
types of services must be configured as persistent. In any authenticated Web-based
application, it is necessary to provide a persistent connection between a client and the content
server to which it is connected. Because HTTP does not carry any state information for these
applications, it is important for the browser to be mapped to the same real server for each
HTTP request until the transaction is complete. This ensures that the client traffic is not load
balanced mid-session to a different real server, forcing the user to restart the entire
transaction. Persistence-based SLB enables the network administrator to configure the
network to redirect requests from a client to the same real server that initially handled the
request. In the Alteon, persistence can be based on source IP address, cookies, and Secure
Sockets Layer (SSL) session ID.

Until recently, the only way to achieve TCP/IP session persistence was to use the source IP
address as the key identifier. Two major conditions cause problems when session persistence
is based on a packet’s source IP address:
• Proxied clients appear to the switch as a single source IP address. Their requests are all
directed to the same server, without the benefit of load balancing the traffic across multiple
servers. Persistence is supported, but without the capability of effectively distributing
traffic load.
• When individual clients share a pool of source IP addresses, persistence for any given
request cannot be assured. Although each source IP address is directed to a specific server,
the source IP address itself is randomly selected, making it impossible to predict which
server will receive the request. SLB is supported, but without persistence for any given client.
For IP load balancing at OSI Layer 3/4, the minmisses, hash, phash and timer-based metrics
are available. HTTP and HTTPS persistence based on client IP allows you to store the session,
keyed on the client IP address, in the session table for a configurable time. This enables a
common persistence for both HTTP and HTTPS sessions.


Cookies are strings passed via HTTP from servers to browsers. Based on the mode of
operation, cookies are inserted by either the Alteon or the server. After a client receives a
cookie, a server can poll that cookie with a GET command, which allows the querying server
to positively identify the client as the one that received the cookie earlier. The cookie-based
persistence feature solves the proxy server problem and gives better load distribution at the
server site. In the Alteon, cookies are used to route client traffic back to the same physical
server to maintain session persistence.
The SSL session ID is effective only when the server is running SSL transactions. Because of
the heavy processing load required to maintain SSL connections, most network configurations
use SSL only when it is necessary. On some computer operating systems, this SSL session
ID is changed at intervals. Depending on the length of the interval, persistency might not work
well for these systems.
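The two source-IP problems described above, and the effect of keying persistence on a per-client cookie instead, can be reproduced with a small model. This is an added example, not Radware code: the SHA-256 based `pick_server` is an assumed stand-in for the switch's hash metric, and the client addresses and cookie keys are constructed.

```python
import hashlib
from collections import Counter

REAL_SERVERS = ["10.200.21.100", "10.200.21.200"]  # real servers used in this lab


def pick_server(key):
    """Map a persistence key to a real server with a stable hash.

    Assumption: SHA-256 modulo the number of servers stands in for the
    switch's hash metric; the manual does not describe the real algorithm.
    """
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return REAL_SERVERS[int.from_bytes(digest[:4], "big") % len(REAL_SERVERS)]


def proxied_clients(n_clients, proxy_ip, use_cookie):
    """Load per server when n_clients sit behind a single proxy address."""
    load = Counter()
    for i in range(n_clients):
        # Source-IP persistence only ever sees the proxy address;
        # cookie persistence sees one key per browser.
        key = "cookie-client-%d" % i if use_cookie else proxy_ip
        load[pick_server(key)] += 1
    return load


def pooled_client(source_pool, requests, use_cookie):
    """Servers reached by one client whose source IP rotates through a pool."""
    reached = set()
    for r in range(requests):
        source_ip = source_pool[r % len(source_pool)]
        key = "cookie-client-0" if use_cookie else source_ip
        reached.add(pick_server(key))
    return reached


if __name__ == "__main__":
    pool = ["192.168.100.%d" % i for i in range(1, 65)]  # constructed addresses
    print("proxy, source IP:", dict(proxied_clients(200, "192.168.100.50", False)))
    print("proxy, cookie   :", dict(proxied_clients(200, "192.168.100.50", True)))
    print("pool, source IP :", sorted(pooled_client(pool, 64, False)))
    print("pool, cookie    :", sorted(pooled_client(pool, 64, True)))
```

With source-IP keys the proxy case lands every session on one server and the pooled client reaches both servers; with cookie keys the load is spread and the pooled client stays on one server.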

Objectives
After completing this lab, you will be able to do the following:
• Configure IP persistence by using Hash or Minmisses
• Configure L7 cookie persistence by using passive, rewrite or insert mode


Assignment
Physically your network is wired according to the Lab Description diagram.
Connect to the switch for configuration via the terminal server, SSH or telnet to
the switch.
If your previous SLB configuration is no longer working, set the switch back to
the factory default and load the saved SLB configuration.
The first exercise will be a Layer 3 persistent configuration. Since L3 handles
only IP addresses, hash or minmisses are used as the metric.
The next exercise enhances the setup with Layer 7 persistency. As this
depends on the application, we will use HTTP as the L7 application in this lab.
Passive cookies, cookie rewrite, and cookie insert will be used to provide
persistence.

Basic configuration of the Switch


1. If the content SLB configuration no longer works follow step 2, then step 3 or 4. Otherwise,
skip these steps and continue with step 5.
2. Set the switch back to the factory default config. Log into the switch, enter the admin
password, select factory configuration and reboot the switch
Lab Configuration:
admin
/boot/config factory
reset
3. Open Notepad, and copy and paste the SLB configuration from your file to the clipboard.
Open Putty and insert the clipboard contents using the right mouse button. It is easier for
debugging to split this into 3 steps. First, copy and paste the Layer 2 configuration data to
the switch CLI and apply it. Then copy and paste Layer 3 data, and finally Layer 4 data.
One layer after the other.

4. Optionally, you can restore the switch configuration on CLI via FTP/TFTP. Use the
FTP/TFTP server installed on your Team-PC, the 3CDaemon application. For details, see
the section “Upload and Download Config to FTP/TFTP Server” in the Basic Configuration
lab on page 20.
Lab Configuration:
/cfg/gtcfg retrieve config data.

5. Optionally, you can restore the switch configuration on BBI via FTP/TFTP. Use the
FTP/TFTP server installed on your Team-PC, the 3CDaemon application. For details, see
the basic configuration lab page 24.


Configure Persistency for Layer 3 Load Balancing
1. Enable HASH as the metric:
Syntax:
/cfg/slb/group {group-index-number}/metric {algorithms} metric sets the
load balancing algorithm used for determining which real server in the group will be the
target of the next client request. For persistency, hash, phash or minmisses are possible.
Lab Configuration:
/cfg/slb/group 1/metric phash shorthand /c/sl/gr 1/me pha

2. Verify that the metric for group 1 was changed to phash:
Lab Operation:
/cfg/slb/group 1/cur

Current real server group 1:
name , metric phash mask 255.255.255.255, backup none, ...
real servers:

3. Optionally, use the BBI to change the metric to Persistent Hash:
Select Configure, SLB, Server Groups, Group 1 and adjust SLB Metric to Persistent
Hash.

4. Now verify that the switch is sending sessions from the client machine to the same real
server. In the SLB configuration from the previous exercise, you should have seen the
web page change when you made a fresh access. In the case of SLB with persistence,
your client should stay on the same server no matter how many times you refresh or make
a new access.

/stat/slb/group 1

Real server group 1 stats:
Current Total Highest
Real IP address Sessions Sessions Sessions Octets
---- --------------------------- -------- ---------- -------- ---------------
1 10.200.21.100 2 2 2 379701
2 10.200.21.200 0 0 0 37620
---- --------------------------- -------- ---------- -------- ---------------
2 2 2 417321
The results of this /stat query will vary according to the configuration specific to your
group. The numbers will not be the same; this is just an example.

5. Optionally, use the BBI instead of the CLI to watch the group statistics. Select Monitor,
SLB, Server Groups and select Group 1, or select the service of the virtual server.

6. Change the value from phash to minmisses and repeat steps 2 and 4, or optionally 3 and 5.


Enable Layer 7 Passive Cookie Persistence (for HTTP only)


1. Configure standard SLB, as described on page 33. Verify correct SLB operations. If you
would like to configure cookie persistency via the BBI, continue on page 107.

2. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for
content load balancing.
Syntax:
/cfg/slb/adv/direct {status} it is by default disabled
Lab Configuration:
/cfg/slb/adv/direct ena shorthand /c/sl/adv/di e

3. Select the appropriate load balancing metric for the real server group if no cookie is
present. Choose a non-persistent metric
Syntax:
metric {algorithm to select next rip} even distribution metrics are
leastconns, roundrobin, response and bandwidth. Default value is leastconns.
Lab Configuration:
/c/slb/group 1/metric roundrobin enable round robin distribution
apply activate configuration
cur verify your configuration

4. To have cookie persistency, we need to get a cookie from the web server. The web
application on port 88 is cookie enabled.
Syntax:
/cfg/slb/virt {number}/service {port number}/rport {port number}
At the browser a standard port is selected and then translated to the port number specified
at rport prompt.
Lab Configuration:
/cfg/slb/virt 1/service 80/rport 88
At the browser a standard port 80 is selected and then translated to rport 88.
apply activate configuration

5. Clear the session table, open a new browser to your VIP several times, and get SLB
statistics
Syntax:
/stats/slb/{Layer-4-item} The option clear resets all non-operating SLB
statistics on the Alteon to zero. This command does not reset the switch and does not
affect the counters required for Layer 4 and Layer 7 operation, such as current real server
sessions and all related SNMP counters.
Lab Operation:
/stat/slb/clear shorthand /st/sl/cl

Generate traffic by opening a new browser window to your VIP several times; return to the
switch CLI and execute the command for displaying statistics. Note changes.


Lab Operation:
/stats/slb/virt 1 shorthand /st/sl/vi 1

6. By default, the switch checks the case of any string, e.g. a cookie name. Disable case
sensitivity if there is no need to discriminate between upper and lower case.
Syntax:
/cfg/slb/layer7/slb/case {mode}
Lab Configuration:
/cfg/slb/layer7/slb/case dis/apply
7. Enable passive cookie-based persistence on the virtual server service.
Syntax:
/cfg/slb/virt {virtual-server}/service {port}
pbind {option mode name offset length URI}
option is the type of persistent bindings. It is disabled by default. Possible options are
clientip, sslid and cookie.
For cookie, mode can be passive, rewrite or insert.
name specifies the cookie name that this service is looking for.
offset is for passive mode, and is the starting point of the cookie value (1-64 bytes)
length is for passive mode, and is the number of bytes to extract (1-64),
URI controls whether the cookie is looked up in the URI field. If the cookie name or value is
in the URI, enter e to enable this option; to look for the cookie in the HTTP header, enter d
to disable this option.
Lab Configuration:
/cfg/slb/virt 1/service 80 (or HTTP) shorthand /c/sl/vi 1/se 80
pbind you can enter all parameters in one line or be prompted for each separately
Enter clientip|cookie|sslid|disable persistence mode: cookie
Enter passive|rewrite|insert cookie persistence mode [p/r/i]: p
Enter Cookie Name: ASPSESS*
Enter the starting point of the cookie value [1-64]: 1
Enter number of bytes to extract [1-64]: 16
Look for cookie in URI [e|d]: d select disable, to look at HTTP header
apply

NOTE: If you want the switch to look for a cookie in the URL, enable “Look for cookie in
URI”. An example is in the Alteon Application Guide, at the Persistence chapter.

To test passive cookies, refer to steps 9 and 10. Because rewrite cookie mode is very similar,
you can skip the passive test and test the rewrite settings only.

8. Enable rewrite cookie-based persistence on the virtual server service


Syntax:
/cfg/slb/virt {virtual-server}/service {port}
pbind {option mode name length URI}
option is the type of persistent bindings. It is disabled by default. Possible options are
clientip, sslid and cookie.
For cookie, mode can be passive, rewrite or insert.
name specifies the cookie name that this service is looking for.
length is for rewrite mode - 8 bytes for RIP and 16 for RIP&VIP IP address insert.
URI controls whether the cookie is looked up in the URI field. If the cookie name or value is
in the URI, enter e to enable this option; to look for the cookie in the HTTP header, enter d
to disable this option.

Lab Configuration:
/cfg/slb/virt 1/service 80 (or HTTP) short-hand /c/sl/vi 1/se 80
pbind you can enter all parameters in one line or be prompted for each separately
Enter clientip|cookie|sslid|disable persistence mode: cookie
Enter passive|rewrite|insert cookie persistence mode [p/r/i]: r
Enter Cookie Name: ASPSESS*
Enter number of bytes to extract [8,16]: 8
Look for cookie in URI [e|d]: d disable, to look at HTTP header
apply

9. Confirm the cookie operation. Configure your browser to ignore cookies.

Lab Operation:
/stat/slb/clear to clear statistics

Generate traffic by opening a new browser window to your VIP several times, e.g.
http://192.168.100.221
Return to the switch CLI and execute the command to display statistics. Note changes.
Lab Operation:
/stats/slb/virt 1 to display statistics
Close all browser sessions.

10. Change cookie settings in your browser to enable cookies and repeat the above Lab
Operation steps. For Firefox, make sure to accept a cookie from the VIP. Add a suitable
exception.

11. Change the VIP service HTTP rport value from 88 to 80 to simulate a server without
cookie support.

12. Enable insert cookie-based persistence on the virtual server service.


Syntax:
/cfg/slb/virt {virtual-server}/service {port}
pbind {option mode name expiration domain-name secure}
option is the type of persistent bindings. It is disabled by default. Possible options are
clientip, sslid and cookie.
For cookie, mode can be passive, rewrite or insert.
name specifies the cookie name that this service is looking for.
expiration is for cookie lifetime, and can be a date, a duration or none (browser session
length).
Cookie path specifies the subset of URLs on the origin server to which this cookie applies.
Secure is a boolean attribute; y directs the user agent to use a secure connection (Hashed
cookie) to obtain content associated with the cookie.
Lab Configuration:
/cfg/slb/virt 1/service 80 (or HTTP) short-hand /c/sl/vi 1/se 80
pbind you can enter all parameters in one line or be prompted for each separately
Enter clientip|cookie|sslid|disable persistence mode: cookie
Enter passive|rewrite|insert cookie persistence mode [p/r/i]: i
Enter Cookie Name {AlteonP}: <enter-key>
Enter insert-cookie expiration as either :
... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)
... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)
... or none <return>
Enter cookie expiration: <enter-key>
Insert cookie domain name? (y/n) [n] <enter-key>
Enter path(Maximum of 32 characters): <enter-key>
Is cookie secure[y/n]: n
apply

NOTE: If you have enough time left, also try date and duration cookie options.

13. Open a Web browser and select the VIP, e.g. http://192.168.100.221. This page will stay
persistent without using any cookie from a Web server.

14. Display the cookie with the Live HTTP Headers tool in the Firefox browser. Decode the
cookie hex value with the built-in command.
/info/slb/cookie 0x3e45de63f4e7afd9baeebabf
Virtual IP address: 192.168.100.221
Real IP address: 10.200.21.100
Real Server Port: 80
Real Server Index: 1

15. Remove all persistency settings for virtual server for the next labs. Change the rport from
88 to 80 if not already done at step 11.
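The passive cookie settings from step 7 (cookie name ASPSESS*, offset 1, length 16, case sensitivity) can be followed in a small model of how a switch binds a server-issued cookie to a real server. This is an added example, not Radware code: the class, its method names, the treatment of `*` as a shell-style wildcard and the cookie values are assumptions made for illustration.

```python
import fnmatch
import itertools


class PassiveCookieBinder:
    """Simplified model of passive cookie persistence (assumed behaviour)."""

    def __init__(self, servers, name_pattern, offset, length, case_sensitive=True):
        self.name_pattern = name_pattern      # e.g. "ASPSESS*"
        self.offset = offset                  # 1-based start within the value
        self.length = length                  # number of bytes to extract
        self.case_sensitive = case_sensitive  # models /cfg/slb/layer7/slb/case
        self.bindings = {}                    # extracted key -> real server
        self._round_robin = itertools.cycle(servers)

    def _name_matches(self, name):
        if self.case_sensitive:
            return fnmatch.fnmatchcase(name, self.name_pattern)
        return fnmatch.fnmatchcase(name.lower(), self.name_pattern.lower())

    def extract_key(self, header_value):
        """Return the offset/length window of the first matching cookie."""
        for pair in header_value.split(";"):
            name, sep, value = pair.strip().partition("=")
            if sep and self._name_matches(name):
                start = self.offset - 1
                return value[start:start + self.length] or None
        return None

    def learn_from_response(self, server, set_cookie_value):
        """Record which real server issued the cookie (server response path)."""
        key = self.extract_key(set_cookie_value)
        if key:
            self.bindings[key] = server

    def route_request(self, cookie_header=""):
        """Use the binding if the cookie is known, else the group metric."""
        key = self.extract_key(cookie_header)
        if key in self.bindings:
            return self.bindings[key]
        return next(self._round_robin)


if __name__ == "__main__":
    reals = ["10.200.21.100", "10.200.21.200"]
    binder = PassiveCookieBinder(reals, "ASPSESS*", offset=1, length=16)
    cookie = "ASPSESSIONIDQQGGGNCG=LMNOPQRSTUVWXYZABCDEFGH"  # constructed value
    first = binder.route_request()                 # no cookie yet: round robin
    binder.learn_from_response(first, cookie + "; path=/")
    print([binder.route_request(cookie) for _ in range(3)])  # stays on `first`
```

If the offset/length window covers only a part of the value that several sessions share, those sessions collapse onto one binding, so the window should cover the part of the cookie that is unique per session.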


Printout for persistent SLB configuration (team 21)

SLB with hash metric:


/c/port 1
pvid 11
/c/port 2
pvid 14
/c/port 9
dis
/c/l2/vlan 1
def 3 4 5 6 7 8 9 10 11 12 ... 27 28
/c/l2/vlan 11
ena
name "public"
def 1
/c/l2/vlan 14
ena
name "private"
def 2
/c/stg 1/off
/c/stg 1/clear
/c/stg 1/add 1 11 14
/c/l3/if 1
ena
addr 192.168.100.21
vlan 11
/c/l3/if 2
ena
addr 10.200.21.21
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/slb
on
/c/slb/real 1
ena
rip 10.200.21.100
name "webserver1"
/c/slb/real 2
ena
rip 10.200.21.200
name "webserver2"
/c/slb/group 1
metric phash
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
client ena
proxy ena


/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1

SLB with passive cookie:


/c/slb/adv
direct ena


/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
rport 88
dbind ena
/c/slb/virt 1/service 80/pbind cookie passive ASPSESS* 1 16 disable
/c/slb/virt 1/service 80/rcount 1

SLB with cookie rewrite:


/c/slb/virt 1/service 80/pbind cookie rewrite ASPSESS* 1 8 disable

SLB with cookie insert:


/c/slb/virt 1/service 80/pbind cookie insert


Content Load Balancing

Overview
Description
Traditionally, redirecting Web requests using content or user classification has been a function
of Web servers. However, Internet traffic and business growth is fast outpacing that of
computing power. Offloading content classification to Alteon provides advantages for the
entire Web site infrastructure. By examining the URL in a Web request, the Alteon can
determine the type of content requested, and direct the request to servers hosting the
requested URL. With content switching, Web site content can be segregated with no change
to the applications. This allows partial, instead of entire, content mirroring on each server and
makes it easy for e-businesses to deploy servers optimized for specific content types or
processing functions. HTTP version 1.1 allows multiple HTTP transactions to be transported
over a single TCP connection to reduce TCP processing overhead. A Layer 4 Alteon with no
content intelligence will forward all HTTP 1.1 requests on each TCP connection to a single
server. In contrast, a content switch can forward each request within the TCP connection to a
different server, increasing load distribution granularity. This optimizes resource utilization and
speeds overall Web site performance. Virtual hosting conserves IP addresses by allowing
multiple domains to be represented by a single public IP address. When a content-intelligent
Alteon receives a client request for the shared IP address, it can extract the requested domain
name from the “Host Header” portion of the HTTP header, concatenate it with the IP address
to obtain the unique host identifier, and redirect the request to the appropriate server or server
farm. Content-intelligent Alteon switches allow Webmasters to customize server health checks to verify
content accessibility in large Web sites. As the amount of content grows and information is
distributed across different server farms, flexible, customizable content health checks are
critical to ensuring end-to-end availability.

Working with session content is much more demanding than examining TCP/IP protocol
headers because content is non-deterministic. Content identifiers such as URLs and cookies
can be of varying lengths and can appear at unpredictable locations within a request.
Scanning through session traffic for a specific string is far more processor intensive than
looking at a known location in a session for a specific number of bytes. Parsing content
requests means temporarily terminating the TCP connection from a client. In other words, the
Alteon must first pretend that it is the server, ask the client what it wants, examine the request,
and then open a connection to an appropriate server. While this is happening, the Alteon must
temporarily buffer the request, which consumes system memory. This temporary termination
is called a “delayed binding.” With delayed binding, two independent TCP connections span a
Web session: one from the client to the Alteon and the second from the Alteon to the selected
server. The Alteon must modify the TCP header, including performing TCP sequence number
translation and recalculating checksums on every packet that travels between the client and
the server, for the duration of the session. This function, known as “TCP connection splicing,”
heavily tasks an Alteon, particularly when the switch must process thousands of these
sessions simultaneously. In addition to real-time traffic and connection processing, a content
switch needs to monitor the servers to ensure that requests are forwarded to the best
performing and healthy servers. This monitoring involves more than simple ICMP or TCP
connection tests as servers continue to process network protocols while failing to retrieve any
content. Furthermore, if content is segregated in different servers or server farms, the Alteon
must provide a flexible, user-customizable mechanism allowing a relevant set of application
and content tests to be applied to each server or server farm.

Alteon Operating System allows you to load balance HTTP requests based on different HTTP
header information, such as Cookie-Header for persistent or content load balancing, Host-
Header for virtual hosting, or User-Agent for browser-smart load balancing. When Layer 7
load balancing is configured, an Alteon does not support IP fragments. If IP fragments were
supported in this mode, the switch would have to buffer, re-assemble, and inspect packets
before making a forwarding decision. String-based SLB allows you to optimize resource
access and server performance. Content dispersion can be optimized by making load-
balancing decisions on the entire path and filename of each URL. Both HTTP 1.0 and HTTP
1.1 requests are supported. For content matching you can configure up to 1024 strings
comprised of 40 bytes each. Each request is then examined against the Layer 7 request
defined at the virtual server. On matching, this request is then forwarded to a real server
supporting this string. String requests are load balanced among multiple servers matching the
same pattern, according to the load balancing metric configured for the real server group.

Objectives
After completing this lab, you will be able to do the following:
• Define strings of URL or other variables.
• Distinguish between different strings and enable the real server
to handle them.
• Use regular expressions to create complex string matches.


Assignment
Physically your network is wired according to the Lab Description. Connect to the
switch for configuration via the terminal server, SSH or telnet to the switch.
If your previous SLB configuration is no longer working, set the switch back to the
factory default and load the saved SLB configuration. If you decide to keep the
previous persistency lab, disable persistent binding (pbind)! It has a higher priority and
content load balancing will not work.
In the first exercise, you will load balance your http requests depending on the URL. At
the root directory of web server 2 a subdirectory “/images” is located. It contains three
image files, img1.jpg, img2.jpg and img3.jpg. Your task is to configure URL strings and
enable real server 2 to handle these requests.
The second exercise is to enhance this lab using regular expressions. Web server 1
will host the file “alteo.htm”; server 2 will host “altea.htm” and “alter.htm”. You have to
configure suitable URL strings, enable these strings at suitable servers and do SLB
selection using regular expressions.
The third exercise is to check for browser-related strings. Depending on the default
language of the browser request, server 1 or 2 is selected.

Basic Configuration of the Switch


1. If the content SLB configuration no longer works, follow step 2, then step 3 or 4.
Otherwise, skip these steps and continue to step 5.
2. Set the switch back to the factory default config. Log into the switch, enter the
admin password, select factory configuration and reboot the switch
Lab Configuration:
admin
/boot/conf factory
reset
3. Open Notepad and copy and paste the SLB configuration from your file to the
clipboard. Open Putty and insert the clipboard contents using the right mouse
button. It is easier for debugging to split this into 3 steps. First, copy and paste the
Layer 2 configuration data to the switch CLI and apply it. Then copy and paste the
Layer 3 data and finally the Layer 4 data. One layer after the other.
4. Optionally, you can save and restore the switch configuration via FTP/TFTP. Use the
FTP/TFTP server installed on your Team-PC, the 3CD application. For details, see
the section “Upload and Download Config to FTP/TFTP Server” in the Basic
Configuration lab.
Lab Configuration:
/cfg/gtcfg retrieve config data.


Content SLB Configuration General


1. Configure standard SLB and verify that SLB operates correctly.

2. Enable Direct Access Mode (DAM) to perform content load balancing.


Syntax:
/cfg/slb/adv/direct {status} it is disabled by default
Lab Configuration:
/cfg/slb/adv/direct ena shorthand /c/sl/adv/di e

3. Select roundrobin as the default load balancing metric for the real server group. This is
recommended for the training setup. For real life, use any suitable metric.
Lab Configuration:
metric roundrobin enable round robin distribution

4. Disable persistent binding for the virtual server service. Pbind takes precedence over
string load balancing.
Lab Configuration:
/cfg/slb/virt 1/service 80
pbind disable deactivate persistent binding
apply activate configuration
cur verify your configuration

5. Double-check that SLB is working. Clear the session table.


Syntax:
Lab Operation:
/stat/slb/clear

Then generate traffic by opening a new browser window to your VIP several times; return
to the switch CLI to execute the command for displaying statistics.
Lab Operation:
/stats/slb/virt 1 shorthand /st/sl/vi 1

6. Before 28.1, Alteon checks the case of any string, e.g. a URL name, by default. Disable it
if there is no need to distinguish between upper and lower case.
Syntax:
/cfg/slb/layer7/slb/case {mode}
Lab Configuration:
/cfg/slb/layer7/slb/case dis


Content SLB Configuration Using Server String Association


1. When SLB is working correctly, continue with the URL config. Define the first URL string.
Syntax:
/cfg/slb/layer7/slb/addstr {type-of-string}
For type of string l7lkup (for ASCII content lb) or pattern (for Dos/ITM, binary or ASCII).
l7lkup is selected by default
Configure HTTP header string? (y/n) [n]
Boolean value, enable to define SOAP Action header, default value is no.
Enter SLB string: {string-definition}
Specify lookup URL string.
Lab Configuration:
/cfg/slb/layer7/slb/addstr <enter-key>
Enter type of string [l7lkup|pattern]: l7lkup (L7LKUP not 171KUP)
Select Application (http|dns|other) [other]: <enter-key>
Enter SLB string: /images
apply
cur see list of cur paths (any, /images)
Error message:
No available server to handle this request

Number of entries: two
1: any, cont 1024
2: /images, cont 1024

2. Add an index number for the URL string to the real server config. If real server 2 cannot
handle any address request other than “/images”, do not add string 1 as an option.
Syntax:
/cfg/slb/real 2/layer7/addlb {index-number-of-string}
Assign lookup URL string index number to real server number.
Lab Configuration:
/cfg/slb/real 2/layer7
addlb 1 to also support other strings like index.html page
addlb 2 to support string #2, “/images” on real server 2

3. To enable L7 lookup, switch on direct access mode, if not already done.


Syntax:
/cfg/slb/adv/direct {status} it is disabled by default.
Lab Configuration:
/cfg/slb/adv/direct ena shorthand /c/sl/adv/di e

4. Enable URLSLB for the virtual service IP Address.


Syntax:
/cfg/slb/virt {server-number}/service {port-number}/http
httpslb {option operator option}
Possible options are: urlslb, host, cookie, browser, urlhash, headerhash, others,
Possible operator: and, or, none
A new line between “httpslb” and “option” prompts to input an operator value.

Lab Configuration:
/cfg/slb/virt 1/service 80/http/httpslb urlslb
apply
save
y
/cfg/dump to review the saved configurations

5. Open a browser on the client and access the VIP http://192.168.100.221. Test the
configuration and check the working status. Close and reopen the client browser several
times. Check the statistics in the switch to verify activity.
Lab Operation:
/stat/slb/layer7/str
------------------------------------------------------------------
SLB String stats:
ID SLB String Hits
1 any 19
2 /images 0

Lab Operation:
/stat/slb/virt 1
------------------------------------------------------------------
Virtual server 1 stats:
Current Total Highest
Real IP address Sessions Sessions Sessions Octets
---- --------------------------- -------- ---------- -------- ---------------
1 webserver1 0 9 5 11283
2 webserver2 0 10 6 12533
---- --------------------------- -------- ---------- -------- ---------------
192.168.100.221 0 19 11 23816

6. Access the image file from the client web browser. The files img1.jpg, img2.jpg and
img3.jpg are available on server 2. Close and reopen the client browser several times to
http://192.168.100.221/images/img1.jpg.
Lab Operation:
/stat/slb/layer7/str
------------------------------------------------------------------
SLB String stats:
ID SLB String Hits
1 any 19
2 /images 7

Lab Operation:
/stat/slb/virt 1
>> Layer 7 Statistics# /st/sl/v 1
------------------------------------------------------------------
Virtual server 1 stats:
Current Total Highest
Real IP address Sessions Sessions Sessions Octets
---- --------------------------- -------- ---------- -------- ---------------
1 webserver1 0 9 5 11283
2 webserver2 0 17 6 261943
---- --------------------------- -------- ---------- -------- ---------------
192.168.100.221 0 26 11 273226


Perform the test a couple of times. Compare the Web browser request and output
displayed in the browser window.
Review the switch statistics. All requests to the “/images” folder should be directed to real
server 2. In a large server farm environment, the “/images” folder could be duplicated and
load balanced across several servers.

Regular Expression Configuration


1. Continue with the URL SLB config from the last lab. We will add regular expressions to
select specific real servers. Web server 1 will host the file “alteo.htm”. Web server 2 will host
“altea.htm” and “alter.htm”. The regular expression “alte[ar].htm” selects the content stored
on server 2. Negating the character class avoids selecting this machine: “alte[^ar].htm”
allows access to “alteo.htm” and of course to many other “htm” pages. Therefore, this is
useful as an example but not for real life.
Syntax:
/cfg/slb/layer7/slb/addstr {type-of-string}
The type of string is l7lkup (for ASCII content LB) or pattern (for DoS/ITM, binary or ASCII).
l7lkup is selected by default.
Configure HTTP header string? (y/n) [n]
Boolean value to define SOAP Action header; the default value is no.
Enter SLB string: {string-definition}
Specify the lookup URL string.
Lab Configuration:
/cfg/slb/layer7/slb/addstr alte[^ar]     add a new index for alte[^ar]
addstr alte[ar]                          add a new index for alte[ar]
apply
cur                                      see list of cur paths (any, /images)
Error message:
No available server to handle this request

Number of entries: two
1: any, cont 1024
2: /images, cont 1024
3: alte[^ar], cont 1024
4: alte[ar], cont 1024

2. Add the index number for the URL string to the real server config: Add ‘alte[^ar]’, which is
a regular expression for ‘alteo’ string in our configuration, to real server 1. Add ‘alte[ar]’,
which represents both strings ‘alter’ and ‘altea’, to real server 2. To enable LB to allow
‘index.htm’ on real server 1, add index 1 to it.
Syntax:
/cfg/slb/real {no}/layer7/addlb {index-number-of-string}
Assign lookup URL string index number to real server number.
Lab Configuration:
/cfg/slb/real 1/layer7/addlb 3     adds string 3 “alte[^ar]” to real server 1
addlb 1                            adds string 1 “any” to real server 1 to also allow “index.htm” page
../../re 2/la/a 4                  short form to add string 4 “alte[ar]” to real server 2

3. Test your configuration. Send the following requests from your browser at Team-PC to
VIP. The following example is for team 21. Use your team number, please.
http://192.168.100.221/alteo.htm,
http://192.168.100.221/alter.htm,
http://192.168.100.221/altea.htm

4. Check statistics on loadbalancer.


Lab Operation:
/stat/slb/layer7/str and /stat/slb/virt 1.

>> Server Load Balancing Statistics# /stat/slb/layer7/str


------------------------------------------------------------------
SLB String stats:
ID   SLB String     Hits
1    any            72
2    /images        7
3    alte[^ar]      1
4    alte[ar]       2

All “alteo” requests terminate at Web server 1. All “altea” and “alter” requests are sent to
server 2, since the load balancing string that excluded URLs ending in “a” and “r” was
assigned to server 2.

Others Lookup
1. In this lab section, your task is to configure Layer 7 string lookup to detect the default
language support of the browser used for this request.
2. Modify your virtual server, to look up the Accept-Language HTTP header field.
Syntax:
/cfg/slb/virt {server-number}/service {port-number}/
httpslb {option operator option}
Possible options are: urlslb, host, cookie, browser, urlhash, headerhash, others
Possible operators: and, or, none
Lab Configuration:
/cfg/slb/virt 1/service http/http/httpslb
Application: urlslb|host|cookie|…|headerhash|others|none
Select Application: others
Operation: and|or|none
Select Operation: none
Enter new HTTP header name: Accept-Language
apply

3. Configure header variable strings and add an index number to the real server config. Real
server 1 represents the contents for ‘en’ string, real server 2 is responsible for ‘de’ string.
Language string depends on browser type. Add strings for e.g. en and de. For other
regions, choose appropriate language strings.
Lab Configuration:
/cfg/slb/layer7/slb/addstr en     add a new index for “en” string
adds de                           add a new index for “de” string and apply it
cur                               see list of cur paths (any, /images)

Error message:
No available server to handle this request

Number of entries: two
1: any, cont 1024
2: /images, cont 1024
3: alte[ar], cont 1024
4: alte[^ar], cont 1024
5: en, cont 1024
6: de, cont 1024

Lab Configuration:
/cfg/slb/real 1/layer7/addlb 5     assign string 5 “en” to real server 1
../../re 2/la/a 6                  short form to add string 6 “de” to real server 2
apply

4. Access your home page, e.g. for team 21 http://192.168.21.221. Change the browser
language string according to your LB setup. You will see that Web server 1 supports requests
with preferred string 5, language English. Server 2 will provide content for string 6, for
German users (de).

5. Check statistics on loadbalancer.


Lab Operation:
/stat/slb/layer7/str
>> Server Load Balancing Statistics# /stats/slb/layer7/str
--------------------------------------------------------------
SLB String stats:
ID   SLB String     Hits
1    any            81
2    /images        7
3    alte[^ar]      1
4    alte[ar]       4
5    en             38
6    de             18
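
The strings “en” and “de” above are looked up inside the Accept-Language header value. The following added example (Python, not part of the original training manual) contrasts a plain substring lookup with the preference order the header actually expresses. The substring model of the lookup and the sample headers are assumptions constructed for illustration.

```python
"""Added example: substring lookup vs. real Accept-Language preference.

Assumption: the load balancer finds a configured string anywhere in the
header value (substring match). The sample headers are constructed.
"""

LB_STRINGS = ["en", "de"]  # SLB strings 5 and 6 from the lab


def parse_accept_language(header):
    """Return [(language-range, q)] ordered by descending q (ties keep header order)."""
    prefs = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not tag:
            continue
        q = 1.0  # a language range without a q parameter has quality 1
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable weight: treat as not acceptable
        prefs.append((tag, q))
    return sorted(prefs, key=lambda pref: -pref[1])  # sorted() is stable


def substring_hits(header, strings=LB_STRINGS):
    """Every configured string that occurs anywhere in the header value."""
    value = header.lower()
    return [s for s in strings if s in value]


def preferred(header, supported=LB_STRINGS):
    """Best supported language by q-value (primary subtag only), or None."""
    for tag, q in parse_accept_language(header):
        if q <= 0:
            continue  # q=0 means "not acceptable"
        primary = tag.split("-")[0]
        if primary in supported:
            return primary
    return None


# Constructed sample headers.
SAMPLE_HEADERS = [
    "de-DE,de;q=0.9,en;q=0.5",  # German first, English as fallback
    "en-US,en;q=0.9",           # English only
    "en-DE,en;q=0.9",           # English, region Germany: "de" is a region subtag
    "en;q=1.0,de;q=0",          # German explicitly refused
    "fr-FR,fr;q=0.8",           # neither language requested
]


def ambiguous_headers(headers=SAMPLE_HEADERS):
    """Headers where the substring lookup does not identify exactly the preferred language."""
    report = []
    for header in headers:
        hits = substring_hits(header)
        best = preferred(header)
        if hits != ([best] if best else []):
            report.append((header, hits, best))
    return report


if __name__ == "__main__":
    for header, hits, best in ambiguous_headers():
        print(f"{header!r}: substring hits {hits}, preferred {best}")
```

Three of the five sample headers contain both strings, so the hit counters for “en” and “de” alone do not show which language the client preferred.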

Printout for Alteon team 21

Layer 2/3 like previous lab setup, therefore it is not displayed.

/c/slb
    on
/c/slb/adv
    direct ena
/c/slb/real 1
    ena
    rip 10.200.21.100
    name "webserver1"
/c/slb/real 2
    ena
    rip 10.200.21.200
    name "webserver2"
/c/slb/group 1
    metric roundrobin
    add 1
    add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
    client ena
    proxy ena
/c/slb/virt 1
    ena
    vip 192.168.100.221
/c/slb/virt 1/service http
    group 1
    dbind ena
/c/slb/layer7/slb
    ren 2 "/images"
    ren 3 "alte[^ar]"
    ren 4 "alte[ar]"
    ren 5 "en"
    ren 6 "de"
/c/slb/real 1/layer7
    addlb 1
    addlb 3
    addlb 5
/c/slb/real 2/layer7
    addlb 1
    addlb 2
    addlb 4
    addlb 6
/c/slb/virt 1/service http
    httpslb others Accept-Language

Content SLB Configuration Using Content Class Association


1. When SLB is working correctly, continue with the URL config. Define the URL-path
string “images”.
Syntax:
/cfg/slb/layer7/slb/cntclss
Class id specifies a name that is bound to the HTTP service.
Enter Class id: <string>
In the class, specify what you are looking for:
hostname - URL Hostname lookup Menu
path - URL Path lookup Menu
filename - URL File Name lookup Menu
filetype - URL File Type lookup Menu
header - Header lookup Menu
cookie - Cookie lookup Menu
text - Text lookup Menu
xmltag - XML tag lookup Menu
logexp - Set logical expression between classes
copy - Copy HTTP content class
del - Delete HTTP content class
A class can have multiple elements. Therefore an additional id is required.
Repeat the selected class again, then specify the string and details of the string location.
<class>
Enter new <class> to match: <string>
match
Current matching type: include
Enter new matching type [sufx|prefx|equal|include|regex]:
If your application needs to distinguish upper and lower case characters, enable case.
case ena
Lab Configuration:
/c/slb/layer7/slb/cntclss/
Enter Class id: image                 we name it like the string
path
Enter path id: 1                      numerical ids are also possible
path
Current path to match:
Enter new path to match: image        this is the string we want to look for

2. All real servers supporting the string defined above need to be in a common group.
Therefore, we generate an additional group with only these server(s). A separate content
health check would be possible and useful.
Syntax:
/cfg/slb/group #/add <real server #>
health http
content <file to query>

Lab Configuration:
/cfg/slb/group 2/add 2                    shorthand /c/sl/gr 2/add 2
health http/content "images/img1.jpg"

3. Enable URLSLB for the virtual service IP Address.


Syntax:
/c/slb/virt 1/service http/cntrules
Enter Content Based Services Rule number (1-12800): <determines prio>
Options for content rules:
name - Set descriptive content rule name
cntclss - Set content class for this rule
action - Set action type for this rule
group - Set real server group number for this rule
redirect - Set application redirection location for this rule
copy - Copy rule
ena - Enable rule
dis - Disable rule

Lab Configuration:
/c/slb/virt 1/service http/cntrules
Enter Content Based Services Rule number (1-12800): 10
cntclss
Current content class:
New content class: image
action
Current action type: group
Enter new action type [group|redirect|discard]: <enter-key>
group
Current real server group: 1
Enter new real server group [1-1024]: 2
ena
apply          skip saving this configuration; this allows you to delete the configuration
               with the revert apply command

/cfg/dump      to review the saved configurations

4. Open a browser on the client and access the VIP http://192.168.100.221 or
http://lab-muc.radware.com:7421. Test the configuration and check the working status. Close
and reopen the client browser several times. Check the statistics in the switch to verify activity.
Lab Operation:
/stat/slb/virt 1
------------------------------------------------------------------
Virtual server 1 stats:
                                  Current      Total  Highest
Real IP address                  Sessions   Sessions Sessions          Octets
---- --------------------------- -------- ---------- -------- ---------------
   1 webserver1                         0          2        1             503
   2 webserver2                         0          2        1             504
---- --------------------------- -------- ---------- -------- ---------------
     192.168.100.221                    0          2        1             504

5. Access the image file from the client web browser. The files img1.jpg, img2.jpg and
img3.jpg are available on server 2. Close and reopen the client browser several times, each
time requesting
http://192.168.100.221/images/img1.jpg
or http://lab-muc.radware.com:7421//images/img1.jpg

Lab Operation:
/stat/slb/virt 1
Virtual server 1 stats:
                                  Current      Total  Highest
Real IP address                  Sessions   Sessions Sessions          Octets
---- --------------------------- -------- ---------- -------- ---------------
   1 webserver1                         0          2        1             503
   2 webserver2                         0         17        6           61943
---- --------------------------- -------- ---------- -------- ---------------
     192.168.100.221                    0         19        7           62446

Perform the test a couple of times. Compare the Web browser request and output
displayed in the browser window.
Review the switch statistics. All requests to the “/images” folder should be directed to real
server 2. In a large server farm environment, the “/images” folder could be duplicated and
load balanced across several servers.

Regular Expression Configuration


6. Continue with the URL SLB config from the last lab. We will add regular expressions to
select specific real servers. Web server 1 will host the file “alteo.htm”. Web server 2 will host
“altea.htm” and “alter.htm”. The regular expression “alte[ar].htm” selects the content stored
on server 2. Negating the character class avoids selecting this machine: “alte[^ar].htm”
allows access to “alteo.htm” and of course to many other “alteX.htm” pages. Therefore, this
is useful as an example but not for real life.
Syntax:
/cfg/slb/layer7/slb/cntclss
Class id specifies a name that is bound to the HTTP service.
Enter Class id: <string>
In the class, specify what you are looking for:
hostname - URL Hostname lookup Menu
path - URL Path lookup Menu
filename - URL File Name lookup Menu
filetype - URL File Type lookup Menu
header - Header lookup Menu
cookie - Cookie lookup Menu
...
A class can have multiple elements. Therefore an additional id is required.
Repeat the selected class again, then specify the string and details of the string location.
<class>
Enter new <class> to match: <string>
match
Current matching type: include
Enter new matching type [sufx|prefx|equal|include|regex]:

Lab Configuration:
/c/slb/layer7/slb/cntclss/
Enter Class id: alte1
path
Enter path id: 1
path
Current path to match:
Enter new path to match: alte[^ar]
match regex
Current matching type: include
New matching type: regex
../../cntclss/
Enter Class id: alte2
path
Enter path id: 1
path
Current path to match:
Enter new path to match: alte[ar]
match regex
Current matching type: include
New matching type: regex

Since we are using the default values for case, we skip its setup.

7. All real servers supporting the string “alte[^ar].htm” need to be in a common group.
Therefore, we generate an additional group with only these server(s).
Lab Configuration:
/cfg/slb/group 3/add 1          shorthand /c/sl/gr 3/add 1

8. Enable URLSLB for the virtual service IP Address.

Lab Configuration:
/c/slb/virt 1/service http/cntrules
Enter Content Based Services Rule number (1-12800): 20
cntclss
Current content class:
New content class: alte1
group
Current real server group: 1
Enter new real server group [1-1024]: 3
ena
apply          skip saving this configuration; this allows you to delete the configuration
               with the revert apply command

/cfg/dump      to review the saved configurations

9. Test your configuration. Send the following requests from your browser at Team-PC to
VIP. The following example is for team 21. Use your team number, please.

http://192.168.100.221/alteo.htm,
http://192.168.100.221/alter.htm,
http://192.168.100.221/altea.htm
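
How the “image” path string and the two regular expressions of this lab select a real server group, as an added example in Python that is not part of the original training manual. It models content rules 10, 20 and 21 with the class definitions shown in the lab printout and assumes that rules are tried in ascending rule number with group 1 as the fallback; Python's re module stands in for the switch's regex engine, and STRICT_RULES and the sample paths are constructed for comparison.

```python
"""Added example: which real server group a request path reaches.

Assumptions: rules are tried in ascending rule number, the first match wins,
group 1 (the service's own group) is the fallback, and a regex class behaves
like an unanchored search in Python's re module.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentRule:
    number: int  # content rule number (assumed: lowest is tried first)
    cls: str     # content class id
    path: str    # path string of the class
    match: str   # sufx | prefx | equal | include | regex
    group: int   # real server group for matching requests


def path_matches(rule, path):
    """Apply one of the matching types offered by the cntclss menu."""
    if rule.match == "include":
        return rule.path in path
    if rule.match == "prefx":
        return path.startswith(rule.path)
    if rule.match == "sufx":
        return path.endswith(rule.path)
    if rule.match == "equal":
        return path == rule.path
    if rule.match == "regex":
        return re.search(rule.path, path) is not None
    raise ValueError(f"unknown matching type: {rule.match}")


def route(rules, path, default_group=1):
    """Return (group, class id) of the first matching rule, else (default_group, None)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if path_matches(rule, path):
            return rule.group, rule.cls
    return default_group, None


# Rules and classes as configured in the lab.
LAB_RULES = [
    ContentRule(10, "image", "image", "include", 2),
    ContentRule(20, "alte1", "alte[^ar].htm", "regex", 3),
    ContentRule(21, "alte2", "alte[ar].htm", "regex", 2),
]

# Constructed, tighter variant: literal dot, anchored patterns, path prefix.
STRICT_RULES = [
    ContentRule(10, "image", "/images/", "prefx", 2),
    ContentRule(20, "alte1", r"^/alteo\.htm$", "regex", 3),
    ContentRule(21, "alte2", r"^/alte[ar]\.htm$", "regex", 2),
]

# Constructed request paths: the lab's test URLs plus near misses.
SAMPLE_PATHS = [
    "/alteo.htm",
    "/alter.htm",
    "/altea.htm",
    "/images/img1.jpg",
    "/altex.htm",              # any character except a/r satisfies [^ar]
    "/alteo_htm",              # unescaped "." matches any character
    "/old/alteo.htm.bak",      # unanchored pattern matches inside the path
    "/docs/image-policy.htm",  # "include" finds "image" anywhere
    "/alte.htm",               # matches neither class
]


def differences(paths=SAMPLE_PATHS):
    """Paths that the lab rules and the strict rules send to different groups."""
    rows = []
    for path in paths:
        lab_group = route(LAB_RULES, path)[0]
        strict_group = route(STRICT_RULES, path)[0]
        if lab_group != strict_group:
            rows.append((path, lab_group, strict_group))
    return rows


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:26} lab={route(LAB_RULES, path)} strict={route(STRICT_RULES, path)}")
```

The three test URLs of this step reach the same groups under both rule sets; only the near-miss paths differ, which is the “many other alteX.htm pages” effect described in step 6.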

HTTP Header Lookup


10. When SLB is working correctly, continue with the URL config. Define the URL-path
string “images”.
Lab Configuration:
/c/slb/layer7/slb/cntclss/
Enter Class id: lang          we name it lang string
header
Enter header id: 1
header
Current header to match: name= value=
Enter new header name to match or none []:Accept-Language
Enter new header value to match or none []:de

11. Enable URLSLB for the virtual service IP Address.

Lab Configuration:
/c/slb/virt 1/service http/cntrules
Enter Content Based Services Rule number (1-12800): 10
cntclss
Current content class:
New content class: lang
group
Current real server group: 1
Enter new real server group [1-1024]: 3
ena
apply          skip saving this configuration; this allows you to delete the configuration
               with the revert apply command

/cfg/dump      to review the saved configurations

12. Access your home page, e.g. for team 21 http://192.168.100.221. Change the
browser language preference string according to your LB setup. You will see
that Web server 1 supports requests with the preferred language string German.
Check statistics on the load balancer.

Printout for Alteon team 21


Layer 2/3 like previous lab setup, therefore it is not displayed.

/c/slb
    on
/c/slb/adv
    direct ena
/c/slb/real 1
    ena
    ipver v4
    rip 10.200.21.100
/c/slb/real 2
    ena
    ipver v4
    rip 10.200.21.200
/c/slb/group 1
    ipver v4
    metric roundrobin
    add 1
    add 2
/c/slb/group 2
    ipver v4
    health http
    content "images/img1.jpg"
    add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
    client ena
    proxy ena
/c/slb/virt 1
    ena
    ipver v4
    vip 192.168.100.221
/c/slb/virt 1/service 80 http
    group 1
    dbind forceproxy
/c/slb/virt 1/service 80 http/cntrules 10
    ena
    cntclss "image"
    group 2
/c/slb/layer7/slb
/c/slb/layer7/slb/cntclss image http
/c/slb/layer7/slb/cntclss image http/path image1
    path "image"

Regular expression

/c/slb/virt 1/service 80 http/cntrules 20
    ena
    cntclss "alte1"
    group 3
/c/slb/virt 1/service 80 http/cntrules 21
    ena
    cntclss "alte2"
    group 2
/c/slb/layer7/slb
/c/slb/layer7/slb/cntclss alte1 http
/c/slb/layer7/slb/cntclss alte1 http/path 1
    path "alte[^ar].htm"
    match regex
/c/slb/layer7/slb/cntclss alte2 http
/c/slb/layer7/slb/cntclss alte2 http/path 1
    path "alte[ar].htm"
    match regex

Header “Accept-Language”

/c/slb/virt 1/service 80 http/cntrules 10
    ena
    cntclss "lang"
    group 3
/c/slb/layer7/slb
/c/slb/layer7/slb/cntclss lang http
/c/slb/layer7/slb/cntclss lang http/header 1
    header NAME=Accept-Language VALUE=de

SSL Acceleration

Overview
Secure Sockets Layer (SSL) is a security layer that can be added to various communication
protocols in order to serve four main purposes that contribute together to establishing a
secure communication channel.
Models 4408, 4416 and 5412 loaded with software ver. 27 can offload heavy client SSL
actions from servers and deliver them with clear HTTP traffic, or if needed, weaker-encrypted
traffic to ease the stress. SSL is configured by means of a reusable SSL policy in the ADC
configuration, which enables quicker and safer setup of new services. Options include
controlling the SSL cipher suites and passing SSL information to Web applications for logging
or for use as part of application logic. SSL using SHA-2 certificates is supported. To support
the new SSL capabilities, the ADC now includes a repository for certificates and other PKI
components, which allows safe holding and management of all components and required
actions, as well as bulk import of the Alteon 2424-SSL certificates repository content for easy
migration.

This lab unit discusses Alteon’s SSL offloading capabilities, which perform encryption,
decryption, and verification of Secure Sockets Layer (SSL) transmissions between clients and
servers, relieving the back-end servers of this task. This enables the back-end servers to
maximize their performance and efficiency, resulting in faster server response times and
increased server capacity to handle more concurrent users.

Authentication
Each communicating partner should be able to verify that the other is who it
claims to be and not an impostor.
Privacy
A third party should not be able to eavesdrop on a private communication.
Integrity
The protocol should automatically or easily detect any tampering with the
transmission.
Non-repudiation
The sender should not be able to claim that they did not send what the
receiver received.
For Alteon to provide SSL Offloading, you must configure, enable, and apply the following
three components:
SSL Virtual Service
You must define an HTTPS or SSL virtual service and associate to it both an SSL server
certificate, and an SSL policy that governs the behavior of the SSL virtual service.
SSL Policy
You must define an SSL policy and associate it to the SSL virtual service. An SSL policy
includes the definition of the ciphers that enable SSL handshaking, as well as the type of
traffic that is sent to the back-end servers. A single SSL policy can be reused across multiple
virtual services.

Certificate Repository
You must supply a server certificate that you associate with the SSL virtual service. The
server certificate includes the attributes needed to perform SSL handshaking and enable the
decryption and encryption of the traffic related to the virtual service. You can associate only a
single server certificate to a virtual service, but the same server certificate can be used by
multiple services. The certificate repository may include Server Certificates, Intermediate CA
Certificates, and Trusted CA Certificates.
A server certificate
is a type of certificate used to identify servers during SSL handshake. You either import a
pre-existing server certificate using the /cfg/slb/ssl/certs/import command, or you can generate
your own on the Alteon. When you generate your own server certificate, if an
underlying Certificate Signing Request (CSR) and/or key pair do not already exist by the same
name as the server certificate, they are generated along with the server certificate. The
resulting server certificate is a "self-signed" server certificate, meaning it was issued by the
server for itself. This kind of a certificate is good for testing purposes, as real users will
experience various warning messages if used for the real SSL service. In order to be used in
the real-life SSL environment, the server certificate must be issued (signed) by a Certificate
Authority (CA), which is trusted by the client's browsers. To achieve this, once the certificate's
CSR is generated, you must submit it to a trusted Certificate Authority (CA) for signing. If the
request is successful, the CA sends back a certificate that has been digitally signed by its own
key, which you import using the /cfg/slb/ssl/certs/import command, ensuring that it is not
imported to the same entity name as the CSR.
Intermediate CA certificates
are used when the CA providing the virtual service's server certificate is not directly trusted by
the end user’s Web browsers. This is typical in an organization that has its own CA server for
generating server's certificates. In order to construct the trust chain from the user’s browser
list of trusted CAs to the organization's CA server, an intermediate CA certificate or chain of
certificates can be provided. You can optionally bind an intermediate Certificate Authority (CA)
certificate to the SSL policy. These certificates are not created on the switch—you must first
import them. You can also create a group of intermediate certificates (a complete CA chain)
and bind it to the SSL policy.
Trusted CA certificates
are certificates that come from a Certificate Authority that your organization uses to provide
users with certificates (client certificates). Trusted CA certificates are associated to client
authentication policies. If you use this option, you must specify the trusted client CA certificate
or group of trusted client CA certificates to allow Alteon to know which client certificates to
accept.
Client Authentication Policies
SSL client authentication enables a server to confirm a client's identity as part of the SSL
handshake process. A client's certificate and public ID are checked to be valid and that they
were issued by a trusted Certificate Authority (CA). If the certificate is valid, the handshake
process is completed, allowing data to be sent to the intended destination. If the certificate is
not valid, the session is terminated. When using SSL Offloading, you can optionally define a
client authentication policy that authenticates the client’s identity. You associate a client
authentication policy to an SSL policy, and the SSL policy, in turn, is associated to a virtual
service. To authenticate the client's identity, you import a CA certificate into Alteon. This CA
certificate is used when Alteon receives a client certificate, to validate it by checking that it
was generated by this trusted CA. Additionally, you can configure Alteon to ensure that the
client certificates were not revoked by checking their statuses using OCSP (Online Certificate
Status Protocol).

Assignment
All Alteon switch devices are connected via Ethernet cables as pictured in the lab diagram.
To configure this switch, connect via serial to your assigned switch through a terminal
server.
If your last lab was a VRRP or FWLB lab, remove all configuration settings and restore
the factory default settings.
Configure the Alteon to support basic load balancing.
In this lab, we want to:
Set up a VIP with SSL offloading
Display acceleration log and statistics

Configure Switch
Console Setup
On your Team-PC, the PuTTY application is already set up with individual icons to connect
via serial to the Alteon.
1. Verify SLB is working. If not, refer to lab “Server Load Balancing”.
2. Set up a basic HTTPS service. A VIP with service HTTPS terminates a client
SSL request using an SSL policy and a server certificate.
3. Generate a self-signed server certificate.
Syntax:
/cfg/slb/ssl/cert
srvrcert     Server Certificate Menu
request      Certificate Signing Request (CSR) Menu
keypair      Key-Pair Menu
trustca      Trusted CA Certificate Menu
intermca     Intermediate CA Certificate Menu
group        Certificates Group Menu
defaults     Set certificate default values
import       Import certificates
export       Export certificates

Lab Configuration:
We set up a self-signed server certificate.
/cfg/slb/ssl/cert/srvrcert          Select cert menu
Enter server certificate id (alphanumeric): selfs-cert
Server certificate selfs-cert# name MySelfSignedCert
Server certificate selfs-cert# generate
This operation will generate a self-signed server certificate.
Enter key size [512|1024|2048|4096] [1024]:<enter>
Enter server certificate hash algorithm [md5|..[sha1]:<enter>
Enter certificate Common Name: www.team28.com
Use certificate default values? [y/n]: n
Enter certificate Country Name (2-letter code) []: US
Enter certificate State or Province Name (full name) []: NJ
Enter certificate locality name (e.g. city) []: Mahwah
Enter certificate Organization Name (e.g. company) []: Radware
Enter certificate Organizational Unit Name []: Training
Enter certificate Email []: GuentherM@radware.com
Enter certificate validation period in days (1-3650) [365]: 20

Self signed server certificate, certificate signing request and key pair added.
apply

6. Enable SSL feature.


Syntax and Lab Operation:

/cfg/slb/ssl/on          turn all SSL features to on.

GUI Instructions
To set up using the graphical user interface. Use either CLI or BBI!
Select on Configure tab → SLB → SSL and select for SSL Enabled. Press the
Submit button.
On Configure tab press Certificate Repository, and Generate a new policy.
Insert at ID: selfs-cert, a descriptive name at Policy Name, set the other
parameters as described above at CLI. There should now be three entries: a
Key-Pair, a Certificate Request and the Server Certificate.

7. Set up an SSL policy. This is used to select which cipher is used.


Syntax:
/cfg/slb/ssl/sslpol <id>
name         Set policy name
passinfo     Pass SSL Information to Backend Servers Menu
cipher       Set allowed cipher-suites in frontend SSL
intermca     Set Intermediate CA certificate chain
becipher     Set allowed cipher-suites in backend SSL
authpol      Set client authentication policy
convuri      Set Host regex for HTTP redirection conversion
bessl        Enable/Disable backend SSL encryption
convert      Enable/Disable HTTP redirection conversion
ena          Enable policy
dis          Disable policy
del          Delete Policy

Lab Operation:
cfg/slb/ssl/sslpol mypol                             set policy id
name "Easy SSL Policy"                               label this policy
cipher                                               a long list appears, <tab> complete selection
Current cipher-suite allowed for SSL: rsa            use default
Enter new cipher-suite allowed for SSL: medium       128 bit key
ena                                                  enable this policy
apply

Setup using graphical user interface. Use either CLI or BBI!

Select on Configure tab → SLB → SSL → SSL Policies

Press Add tab and Generate a new ssl policy. Insert at ID: mypol, a
descriptive name at Policy Name, Enable, set Cipher Suite to medium and
keep other parameters on default values.

8. Create HTTPS service for VIP address


Syntax
/cfg/slb/virt 1/service https/http
http      HTTP Load Balancing Menu
ssl       SSL Load Balancing Menu
group     Set real server group number
rport     Set real port
and some more menu options …

Syntax
ssl          ssl menu
srvrcert     Set SSL server certificate for this virtual service
sslpol       Set SSL policy for this virtual service
cur          Display current SSL configuration

Lab Operation:
/cfg/slb/virt 1/service https/ssl
SSL Load Balancing# srvrcert selfs-cert     associate cert
SSL Load Balancing# sslpol mypol            associate policy
Note: Backend servers listening port (rport) was changed from
443 to 80 due to the use of No backend encryption. For a different
network setting, rport can be configured manually.

apply and save config


/cfg/dump          to review the saved configurations

Setup using graphical user interface. Use either CLI or BBI!


Select on Configure tab → SLB → Virtual Servers
Select Virt Server ID 1, scroll down in the new window and click the Add button. At Basic
section field Service Port is 443, Real is 80. Scroll down to SSL, select for
Server Certificate selfs-cert and for SSL Policy plain.

9. Test the configuration.


Open a browser on the client and access the web server
https://www.team#.com

8. Check statistics; open and close a browser window several times.
CLI: /stat/slb/virt 1

BBI: Monitor → SLB → Virtual Servers → 1 → https(443)

10. Enable Application Services Trace Log. Application services trace logging may
cause performance impact on Alteon traffic processing capabilities. Make sure
to disable when done!
Syntax
/maint/applog
export       Export application services trace log via FTP/TFTP/SCP
clearlog     Clear application services trace log
compress     Enable/disable log compression activities
caching      Enable/disable log caching activities
ssl          Enable/disable log ssl activities
http         Enable/disable log http activities
httpmod      Enable/disable log http modifications activities
dump         Dump application services trace log configuration

Lab Operation:
ssl
Current logging ssl activities: disabled
Enter new logging ssl activities [d/e]: e

11 Create some traffic by accessing the https server page several times

12 Export log data to your Team-PC, turn on 3CD and listen to TFTP service.
Lab Operation:
/maint/applog/export
Enter hostname or IP address of FTP/TFTP/SCP server: 192.168.150.x
Enter username for FTP/SCP server or hit return for TFTP server:<enter>
Dump logs in W3C format? (n for internal format) [y/n] [y]: n
Log file successfully transfered to :xxx_internal_logger.tar.gz

13 Extract the .tar.gz file. For each SP there is a separate file with log data. Depending on
the VMA feature, your connection data is stored in one of these files. Open it with
MS-Wordpad.

14 Do not forget to disable Application Services Trace Logging.

SSL Acceleration (team 28)


Layer 2/3 setup as done in the basic lab.

/c/l3/dns
prima 192.168.150.253
/c/sys/ntp
on
prisrv 192.168.150.253
/c/slb/ssl/certs/keypair selfs-cert
/c/slb/ssl/certs/request selfs-cert
/c/slb/ssl/certs/import request "selfs-cert" text

/c/slb/ssl/certs/srvrcert selfs-cert
name "MySelfSignedCert"
/c/slb/ssl/certs/import srvrcert "selfs-cert" text


/c/slb/ssl
on
/c/slb/ssl/sslpol mypol
name Easy SSL Policy
cipher medium
ena

/c/slb
on
/c/slb/adv
direct ena
/c/slb/real 1
ena
ipver v4
rip 10.200.28.100
/c/slb/real 2
ena
ipver v4
rip 10.200.28.200
/c/slb/group 1
ipver v4
metric roundrobin
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
ipver v4
vip 192.168.100.228
/c/slb/virt 1/service 80 http
group 1
/c/slb/virt 1/service 443 https
group 1
rport 80
/c/slb/virt 1/service 443 https/ssl
srvrcert selfs-cert
sslpol mypol
/c/sys/access/https/port 8443
/c/sys/access/https/https e
/
script end /**** DO NOT EDIT THIS LINE!


Switch Troubleshooting

Overview
Description
The types of problems that typically occur with networks are connectivity and
performance. The Alteon supports a diverse range of network architectures and
protocols; some are used to maintain and monitor connectivity and isolate the
connectivity faults.
This section provides conceptual information about the methods and tools used
for troubleshooting and isolating problems in the Alteon. It will help you to use
the common commands to check switch status and to ensure successful switch
maintenance activities.

Objectives
After completing this lab, you will be able to use the following commands:
• Config
• Info
• Statistics
• Global

Assignment
Learn to use the diff command to view changes before saving them. Review
the CLI commands to check critical switch functions (such as port speed, STP
configuration, SLB configuration, etc.). Cultivate the ability to spot errors in your
configuration.
Familiarize yourself with the techniques for gathering switch statistical data for
troubleshooting.
You can use the configuration from any previous lab for this lab.


Use Basic Commands in CLI

1. Use the diff or revert command.

Start with the diff command to review changes. Then work through the other commands until
you reach the last diff command, and compare the outputs. All these commands are available
from any menu and any path.
Syntax:
diff {option} Show any pending configuration changes. The flash option displays
all data that will be lost if the switch reboots.
Lab Configuration:
/cfg/l3/if 42/mask 255.255.255.0/addr 172..16.1.1/en
diff
Current config is identical to new config.

If all configuration data in floatable RAM is already applied and saved, no data is
displayed. Change the configuration and run the diff command again.
Lab Configuration:
/cfg/l3/if 42/mask 255.255.255.0/addr 172.16.1.1/en
diff
Pending configuration
/c/l3/if 42
ena
ipver v4
addr 172.16.1.1
mask 255.255.255.0
broad 172.16.1.255
apply            current config is now identical to new config

diff flash       displays unsaved config data
Pending configuration
/c/l3/if 42
ena
ipver v4
addr 172.16.1.1
mask 255.255.255.0
broad 172.16.1.255

revert apply     remove applied but unsaved configuration changes
Confirm reverting unsaved changes [y/n]: y

diff             nothing to display since all config data are in sync


2. Use the Port menu to configure settings for individual physical switch ports. This command
is enabled by default. Port configuration is slightly different on the Alteon 2000 series and the
3408.
Syntax:
/cfg/port {number-of-physical-port}/{option}
Enables all settings for a physical port on an Alteon
/cfg/port {number-of-physical-port}/fast/{option}
Enables all settings for a fast Ethernet physical port on an Alteon
/cfg/port {number-of-physical-port}/gig/{option}
Enables all settings for a gigabit Ethernet physical port on an Alteon
/cfg/port {number-of-physical-port}/cop/{option}
Enables all settings for a physical RJ45 port in range 3-6 on a 3408 switch
/cfg/port {number-of-physical-port}/sfp/{option}
Enables all settings for a physical GBIC port in range 3-6 on a 3408 switch
Lab Configuration:
/cfg/port 1/cur         display current port 1 configuration
/c/port 1/fast/cur      display port 1 fast Ethernet configuration

3. View switch performance statistics in both the user and administrator command modes.
This menu displays traffic statistics on a port-by-port basis. Traffic statistics include
SNMP Management Information Base (MIB) objects. The displayed interval is from the
last switch reboot or counter reset until the present.
Syntax:
/stats/port {physical-port-number}/{option}
Displays statistic values for a physical port. Values in the range of Layer 1 up to Layer 3
are available. The clear option resets values.
Lab Configuration:
/stat/port 1/link
/stat/port 1/ether
/stat/port 1/if

4. When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the
network so that a switch uses only the most efficient path. Spanning Tree Protocol (STP)
detects and eliminates logical loops in a bridged or switched network. STP forces
redundant data paths into a standby (blocked) state. If the most efficient path fails,
Spanning Tree automatically sets up another active path on the network to sustain
network operations. Thus, STP is used to prevent loops in the network topology.
Alteon Operating System supports the IEEE 802.1p Spanning Tree Protocol (STP). Alteon
Operating System supports up to 16 instances of Spanning Trees or Spanning Tree
groups. Each VLAN can be placed in only one Spanning Tree group per switch except for
the default Spanning Tree group (STG 1). The default Spanning Tree group (1) can have
more than one VLAN. All other Spanning Tree groups (2-16) can have only one VLAN
associated with them. Spanning Tree can be enabled or disabled for each port. Multiple
Spanning Trees can be enabled on tagged or untagged ports. Spanning Tree group 1 is
turned on by default.

Syntax:
/cfg/l2/stg {number-of-STP-group}/{option}
Enables all settings for Spanning Tree Groups 1 to 16
Lab Configuration:
/cfg/l2/stg 1/cur

Syntax:
/info/l2/stg
Displays all settings for Spanning Tree Groups 1 to 16
Lab Configuration:
/info/l2/stg

5. After contacting Radware Alteon support, a tsdump is often requested. To get this
important data, turn on capture on your terminal emulation to record the large amount of
data.

Syntax:
/maint/tsdmp
Dumps all Alteon information, statistics, and configuration to your CLI screen. You can log
the tsdump output into a file, and send it to Radware Technical Support for debugging
purposes.
Lab Configuration:
/maint/tsdmp
Confirm dumping all information, statistics, and configuration
[y/n] : y

Syntax:
/maint/pttsdmp {hostname filename -tftp|username password [-mgmt|-data]}
Dumps data to a server specified by hostname. Data is stored at filename. The transport protocol
is FTP or TFTP via a management or data port.
Lab Configuration:
/maint/pttsdmp
Enter hostname or IP address of FTP/TFTP server: 192.168.150.x
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server:
username
Enter password for username on FTP server: password
Connecting to 192.168.150.69...

6. The panic command causes the switch to immediately dump state information to flash
memory and automatically reboot. Technical support may request a panic dump for
analysis of an open case. Use ptdump to transmit the system dump to a TFTP or FTP
server and store it in a file.
Syntax:
/maint/panic


Dumps all switch state information. You can log the tsdump output into a file, and send it
to Radware Technical Support for debugging purposes.

Lab Configuration:
/maint/panic
Confirm dumping and reboot [y/n] : y
Syntax:
/maint/ptdump {hostname filename -tftp|username password [-mgmt|-data]}
Dumps data to a server specified by hostname. Data is stored in filename. The transport protocol
is FTP or TFTP via a management or data port.
Lab Configuration:
/maint/ptdmp
Enter hostname or IP address of FTP/TFTP server: 192.168.150.x
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server: username
Enter password for username on FTP server: password
Connecting to 192.168.150.69...

7. You must reset the switch to make your software image file or configuration block changes
take effect. For two other features, Nortel-Multiple-Spanning-Tree (/cfg/l2/ntmstg) and
jumbo frames at VLAN (/cfg/l2/vlan x/jumbo) a reset is also required.
Syntax:
/boot/reset {option}
The hard option acts like power cycling an Alteon. The two other options are booting from the
other image (<Ctrl>-o) or loading the factory default database (<Ctrl>-f).
Lab Configuration:
/boot/reset          shorthand /b/c
/boot/reset hard     shorthand /b/c hard
>> Note that this will RESTART the Spanning Tree,
>> which will likely cause an interruption in network service.
Confirm reset [y/n]: y

Using <ctrl> <shift> – or <ctrl>7 acts as a “Console RESET KEY in thread
unknown (tid=0, cmd=0)” command on the switch. It generates a maintenance (panic)
dump and resets the switch.

8. To debug the Virtual Matrix Architecture feature, you can display the assigned SP (Switch
Processor) for a source IP address and a destination IP address when VMA with
destination IP is enabled. For IP version 6, use the command vmasp6.
Syntax:
/maint/debug/vmasp {option, option, option}
The required options are the source IP address, the destination IP address, and the source port if
enabled. Configuration is at path /cfg/slb/adv/vmadip or vmasport.


Lab Configuration:
/maint/debug/vmasp
Enter Source IP address : 1.2.3.4
Enter Destination IP address : 2.3.4.5
Enter source port : 1234
shorthand /m/d/vmasp 1.2.3.4 2.3.4.5 1234
VMA for source IP 1.2.3.4 and destination IP 2.3.4.5 and source port
1234 is SP 3

9. You can display the Real server number, real IP address, MAC address, VLAN, physical
switch port, layer on which the health check is performed, and the health check result.
Syntax:
/info/slb/real {real-server-number}
For real servers, the possible range is from 1 to 1023.
Lab Configuration:
/info/slb/real 1
1: 10.200.21.100, 00:0c:29:59:68:0e, vlan 11, port 2, health 4, up
real ports:
rport 80, up # indicates layer of HC
Real server group 1 , Workload Manager none
Virtual services:
http: vport http, rtspslb none

10. You can display the Server Load Balancing values for Layer 4 services.
Syntax:
/stats/slb/{options}
For all real servers, groups, virtual servers etc. statistics are available.
Lab Configuration:
/stat/slb/real 1
/stat/slb/real 2
/stat/slb/group 1
/stat/slb/virt 1
/stat/slb/filt 1

11. Is a filter working and does it match a configured rule? The log option enables or disables
the messages that are displayed at the terminal and sent to the configured syslog server when a
filter match occurs.
Syntax:
/cfg/slb/filt {filter-number}/adv/log {options}
This option is disabled by default. Logging can be enabled per filter.
Lab Configuration:
/cfg/slb/filt #/adv/log ena     always prints an info line at the console if filter
                                criteria are met.


Perform the following commands using the current SLB configuration. Some of the commands
you used previously are noted in the table below for reference.

CLI COMMAND                              COMMENT

LAYER 2 – useful CLI commands

/info/sys                                Provides system information, IP, software version, etc.
/info/link                               Provides port link status
/info/fdb/dump                           Provides forwarding database information, VLANs, etc.
/info/arp/dump                           Provides ARP table information
/info/ip                                 Provides IP information
/c/dump                                  Provides switch configuration dump
/stat/port <num>/<ether/if/link>         Provides port statistics
/stat/port <num>/maint                   Provides port maintenance statistics
/stat/if <num>                           Provides identified interface information
/stats/mp                                Provides management processor utilization information

LAYER 4 – useful CLI commands

/info/slb                                Provides SLB information
/info/dump                               Provides dump of current switch information
/c/slb/cur                               Provides SLB current configuration review
/stat/slb/real <real-server-num>         Provides statistics by real IP (RIP)
/stat/slb/group <real-server-group #>    Provides useful group information
/stat/slb/virt <virtual-server-num>      Provides virtual services information (e.g., VIPs, etc.)
/stat/slb/maint                          Provides SLB maintenance statistics
/stats/dump                              Provides switch statistics information
/info/slb/sess                           Provides SLB session information


Virtual Router Redundancy

Overview
Description
In a high-availability network topology, no device can create a single point-of-failure for the
network or force a single point-of-failure to any other part of the network. This means that your
network will remain in service despite the failure of any single device. To achieve this usually
requires redundancy for all vital network components. VRRP enables redundant router
configurations within a LAN, providing alternate router paths for a host to eliminate single points-
of-failure within a network. Each participating VRRP-capable routing device is configured with
the same virtual router IP address and ID number. One of the virtual routers is elected as the
master, based on a number of priority criteria, and assumes control of the shared virtual router
IP address. If the master fails, one of the backup virtual routers will take control of the virtual
router IP address and actively process traffic addressed to it. Because the router associated
with a given alternate path supported by VRRP uses the same IP address and MAC address as
the routers for other paths, the host’s gateway information does not change, no matter what path
is used. A VRRP-based redundancy schema reduces administrative overhead because hosts
need not be configured with multiple default gateways. The IP address of a VRRP virtual
interface router (VIR) and virtual server router (VSR) must be in the same IP subnet as the
interface to which it is assigned.

Virtual Router
VRRP routers on two or more independent Alteons can be configured to form a virtual router
(RFC 2338). Each virtual router consists of a user-configured virtual router identifier (VRID) and
an IP address. The VRID is used to build the virtual router MAC Address. The five highest-order
octets of the virtual router MAC Address are the standard MAC prefix (00-00-5E-00-01) defined
in RFC 2338. The VRID is used to form the lowest-order octet.

Owners and Renters


Only one of the VRRP routers in a virtual interface router may be configured as the IP address
owner. The owner is the virtual router (Alteon) whose virtual interface router’s IP address is
equal to the real interface address. This router responds to packets addressed to the virtual
interface router’s IP address for ICMP pings, TCP connections, and so on. If the owner is not
available, the backup becomes the master and takes over responsibility for packet forwarding
and responding to ARP requests. However, because this switch is not the owner, it does not
have a real interface configured with the virtual interface router’s IP address. If the IP address
owner is available, it will always become the virtual router master. There is no requirement for
any VRRP router to be the IP address owner. Most VRRP installations choose not to implement
an IP address owner. VRRP routers that are not the IP address owner are called renters. A
priority value is used to determine which VRRP router should be the master in a group of
renters.


Virtual Router States


Within each virtual router, one switch VRRP router instance is selected to be the virtual
router master.
Master: The virtual router master forwards received packets. It also responds to Address
Resolution Protocol (ARP) requests sent to the virtual router’s IP address. Finally, the virtual
router master sends out periodic advertisements (multicast messages) containing the VRRP IP
address, VR-ID and priority to let other VRRP routers know it is alive.
Backup: Within a virtual router, the VRRP routers not selected to be the master are known as
virtual router backups. Should the virtual router master fail, one of the virtual router backups
becomes the master and assumes its responsibilities.
Init: If there is no port in the virtual router’s VLAN with an active link, the interface for the
VLAN fails, thus placing the virtual router into the INIT state. The INIT state identifies that the
virtual router is waiting for a startup event. If it receives a startup event, it will either transition
to master if its priority is 255 (the IP address owner) or transition to the backup state if it is
not the IP address owner.
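
The virtual MAC rule and the advertisement contents described above (VR-ID, priority, IP address) can be checked on captured traffic. The following Python is an added example, not part of the Radware manual: it parses a VRRP advertisement using the field layout from RFC 2338 (which the manual cites), verifies the checksum, and compares the result with the team 21 virtual router plan from this lab. Both sample packets are constructed, and the names parse_advertisement, audit and LAB_PLAN are assumptions of this example.

```python
import ipaddress
import struct
from dataclasses import dataclass

VRRP_MAC_PREFIX = bytes.fromhex("00005e0001")  # standard prefix (RFC 2338)

# Constructed samples: VRID 21, one address 192.168.100.21, no authentication.
SAMPLE_MASTER = bytes.fromhex("211565010001552ac0a86415" + "00" * 8)  # priority 101
SAMPLE_OWNER = bytes.fromhex("2115ff010001bb29c0a86415" + "00" * 8)   # priority 255

# Team 21 plan from the lab: VR 1 uses VRID 21, VR 2 uses VRID 31.
LAB_PLAN = {21: "192.168.100.21", 31: "10.200.21.21"}


@dataclass
class Advertisement:
    vrid: int
    priority: int
    adver_int: int
    auth_type: int
    addresses: list


def virtual_mac(vrid):
    """Five prefix octets followed by the VRID as the lowest-order octet."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return "-".join(f"{b:02X}" for b in VRRP_MAC_PREFIX + bytes([vrid]))


def internet_checksum(data):
    """One's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_advertisement(payload):
    """Parse the VRRP message carried as the payload of an IP packet."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth_type, adver_int, _cksum = struct.unpack(
        "!BBBBBBH", payload[:8])
    version, msg_type = vt >> 4, vt & 0x0F
    if (version, msg_type) != (2, 1):
        raise ValueError(f"not a VRRPv2 advertisement: v{version} type {msg_type}")
    # Header, one IPv4 address per count, then 8 bytes of authentication data.
    expected_len = 8 + 4 * count + 8
    if len(payload) != expected_len:
        raise ValueError(f"length {len(payload)} != expected {expected_len}")
    # Summing the whole message, checksum field included, must yield zero.
    if internet_checksum(payload) != 0:
        raise ValueError("bad VRRP checksum")
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i]))
             for i in range(count)]
    return Advertisement(vrid, prio, adver_int, auth_type, addrs)


def audit(adv, plan):
    """Compare an advertisement with the documented plan; return findings."""
    findings = []
    expected = plan.get(adv.vrid)
    if expected is None:
        findings.append(f"VRID {adv.vrid} is not in the plan")
    elif adv.addresses != [expected]:
        findings.append(
            f"VRID {adv.vrid} advertises {adv.addresses}, plan says {expected}")
    # The lab configures renters only (priorities 101 and 100), so an
    # advertisement claiming ownership does not match the documentation.
    if adv.priority == 255:
        findings.append(
            f"VRID {adv.vrid}: priority 255 (IP address owner), plan has no owner")
    return findings


if __name__ == "__main__":
    for raw in (SAMPLE_MASTER, SAMPLE_OWNER):
        adv = parse_advertisement(raw)
        print(adv, virtual_mac(adv.vrid), audit(adv, LAB_PLAN))
```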

How VRRP Priority Decides Which Switch is the Master


Each VRRP router that is not an owner is configured with a priority between 1–254.
According to the VRRP standard, an owner has a priority of 255. A bidding process
determines which VRRP router is or becomes the master—the VRRP router with the highest
priority. Owners have a higher priority than the range permitted for non-owners. If there is an
IP address owner, it is always the master for the virtual interface router, as long as it is
available. The master periodically sends advertisements to an IP multicast address. As long
as the backups receive these advertisements, they remain in the backup state. If a backup
does not receive an advertisement for three advertisement intervals, it initiates a bidding
process to determine which VRRP router has the highest priority and takes over as master.
If, at any time, a backup determines that it has a higher priority than the current master, it can
preempt the master and become the master itself, unless configured not to do so. In
preemption, the backup assumes the role of master and begins to send its own
advertisements. The current master sees that the backup has higher priority and will stop
functioning as the master. A backup router can stop receiving advertisements for one of two
reasons—the master can be down, or all communication links between the master and the
backup can be down. If the master has failed, it is clearly desirable for the backup (or one of
the backups, if there are more than one) to become the master. If the master is healthy but
communication between the master and the backup has failed, there will then be two masters
within the virtual router. To prevent this from happening, configure redundant links to be used
between the switches that form a virtual router.

Determining How to Configure Priority


Think of a virtual router’s priority as a starting value that increases or decreases depending
on the parameters that are tracked. For example, if you configure the virtual router to track
the link state of the physical ports, one port losing link would cause the virtual router’s priority
to decrease by 2 priority points. In order to ensure that this decrease in priority causes
failover from the current master to the backup virtual router, you should set the "base" priority
of the master switch to be only 1 point higher than the backup; for example, priority 101 for
master, 100 for backup. If the master and backup switches were set to priorities 110 and 100
respectively, a single port failure would only decrease the master switch’s priority to 108. As
108 is still higher than the backup’s priority of 100, the master switch would not fail over due
to the loss of one port’s link. It is also common to have a priority of 99 on the backup and 100
on the master. Whenever you change the backup switch configuration, you must synchronize
the master switch using the /oper/slb/sync command.
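
The priority arithmetic and the bidding rules from the two sections above, worked through in Python. This is an added example, not code from the Radware manual or from Alteon OS. It assumes the 2-point penalty per lost tracked port used in the manual's example and, as a further assumption, that a tie leaves the current master in place; the class and function names are made up for illustration.

```python
from dataclasses import dataclass

OWNER_PRIORITY = 255
TRACK_PENALTY = 2  # points lost per tracked port without link (manual's example)


@dataclass
class VrrpRouter:
    name: str
    base_priority: int      # 1-254 for renters, 255 for the IP address owner
    ports_down: int = 0     # tracked ports that have lost link
    preempt: bool = True    # may take over from a lower-priority master

    @property
    def priority(self):
        """Effective priority after tracking has been applied."""
        if self.base_priority == OWNER_PRIORITY:
            return OWNER_PRIORITY
        return max(1, self.base_priority - TRACK_PENALTY * self.ports_down)


def elect(routers, current_master=None):
    """Return the master's name among routers that hear each other."""
    if not routers:
        return None
    # sorted() is stable, so equal priorities keep list order (assumption).
    by_prio = sorted(routers, key=lambda r: r.priority, reverse=True)
    current = next((r for r in routers if r.name == current_master), None)
    if current is None:
        # No advertisements from a master: the highest priority wins the bid.
        return by_prio[0].name
    # A backup only preempts when it has a strictly higher priority.
    challengers = [r for r in by_prio
                   if r.preempt and r.priority > current.priority]
    return challengers[0].name if challengers else current.name


def masters_per_segment(segments, current_master):
    """Run the election in each group of routers that still exchange
    advertisements. More than one distinct result means two masters."""
    return [elect(seg, current_master) for seg in segments if seg]


def ports_needed_for_failover(master_base, backup_base):
    """Tracked port failures on a renter master before the backup outranks it."""
    gap = master_base - backup_base
    return gap // 2 + 1 if gap >= 0 else 0


if __name__ == "__main__":
    even = VrrpRouter("even", 100)
    for base in (101, 110):
        odd = VrrpRouter("odd", base, ports_down=1)
        print(f"odd base {base}: priority {odd.priority}, "
              f"master is {elect([odd, even], 'odd')}, failover needs "
              f"{ports_needed_for_failover(base, 100)} port(s) down")
    # Master healthy, but every link between the two switches is down.
    print(masters_per_segment([[VrrpRouter("odd", 101)], [even]], "odd"))
```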


Assignment
Your previous labs used a single switch for all SLB configurations. Now we will
extend the setup with a second switch for high availability (HA). Network cables are
connected according to the diagram on the previous page.
For this lab, two delegates always need to work together! Preferred teams 21+22,
23+24, 25+26, and 27+28 form a redundant configuration consisting of an “odd” and
an “even” switch.
All examples in the description below are for team21/22. Other teams should use IP
addresses and VRIDs according to their team number. On the application server side,
both switches need a common network. Use the odd team number for
configuring this network! Do not use the even team numbers in this lab.
Connect to the odd switch; 2424 team21. Set the odd switch to the factory default.
For each interface or VIP, a separate virtual router (VIP / VSR) is necessary. Set the
interface IP addresses according to the lab layout diagram. For Team21, Interface 1, the
configured IP-Address is 192.168.100.31. The interface addresses from previous labs
are now used as VIR, 192.168.100.21, VRID 21. For the interfaces towards web
servers, the odd switch network is used. Interface 2 will be 10.200.21.31. VIR is
192.168.21.21, VRID 31. This is common in the real world since all routing entries on
other devices need no change. Priorities for both VIRs are set to 101. Configure
tracking and choose “Active-Standby mode” (share=disable) for all VRs.
Configure SLB and configure synchronization without priorities. Set the sync peer to
the interface 2 IP address of the even switch. VIP+VSR for both switches are
192.168.100.221, VRID 41. Priority for VSR is set to 101.
Connect to the even switch, check that the OS version used is the same as on the
odd switch, set up Layer 2, VLAN 11 and 14, and Layer 3 parameters. Interface 1 is
set to 192.168.100.41 and interface 2 uses 10.200.21.41. Set the sync peer to the
interface 2 IP address of the odd switch.
Connect to the odd switch; synchronize VRRP and SLB values with the even switch.
Test SLB; disable ports to simulate missing link connections and trigger failover, etc.


Configure Switch
CLI configuration for the odd Alteon; for the even Alteon, jump to step 11:
1. If you would like to configure the Alteon using the BBI, continue on page 119. For CLI configuration,
connect to the odd-switch (e.g. Team-21) port via terminal server serial. Log in to the
switch and enter the admin password – admin.
2. Set the switch to the factory default and reset it.
Lab Configuration:
/boot/conf factory/reset     short form /b/co f/r
y                            confirms reset, pressing <enter> reboots the switch
3. Wait approximately one minute, then log in to the switch using the admin password.

4. Adjust Layer 2. Assign port 1 to VLAN 11 and port 2 to VLAN 14.
Lab Configuration:
/cfg/l2/vlan 11/add 1/ena     create vlan 11 for clients, add port 1
y                             move port from vlan1 (default) to vlan 11, do not tag it
../vlan 14/add 2/ena          create vlan 14 for server, add port 2
y                             move port from vlan1 (default) to vlan 14, do not tag it
apply                         activate configuration change

5. Turn off Spanning Tree on the switch and save the configuration.
Lab Configuration:
/cfg/l2/stg 1/off     this disables STP group 1, default group is 1
apply                 activate configuration change

6. Create two interfaces for public and private networks, and add a default gateway.
Lab Configuration:
/cfg/l3/if 1/ena/vlan 11/mask 255.255.255.0/addr 192.168.100.odd#+10
/cfg/l3/if 2/ena/vlan 14/mask 255.255.255.0/addr 10.200.odd#.odd#+10

/cfg/l3/gw 1/addr 192.168.100.254/ena/apply

7. Configure Virtual Interface Routers. For each interface, a separate router is
required. If possible, use the same value for VR-number, VR-ID and IF. This
simplifies management. If this is not possible, suitable documentation is required.
Syntax:
/cfg/l3/vrrp/{option}
This option turns the VRRP feature on or off.
Lab Configuration:
/cfg/l3/vrrp/on     enables VRRP feature


Syntax:
/cfg/l3/vrrp/vr {VR-number}/{options}
Sets all the option parameters required for a single virtual router.
Lab Configuration:
/cfg/l3/vrrp/vr 1         define VR1
vrid odd#                 set to virtual MAC Addr. 00-00-5E-00-01-15 (team 21)
addr 192.168.100.odd#     Public VIR Address, e.g. addr 192.168.100.21
share dis                 switch from active-active to active-standby
if 1                      communicates via interface 1
prio 101                  set priority to 101
ena                       enable VR
track/l4pts ena           track ports layer 4 (client/server process) enabled

It is also possible to put all commands into a single line. Configure vr2 this way:
Lab Configuration:
/cfg/l3/vrrp/vr 2/vrid odd#+10/addr 10.200.odd#.odd#/share dis/if 2/prio 101/ena/track/l4pts ena

8. Set up Layer 4 synchronization configuration parameters. Disable synchronization of priorities;
otherwise, you need to manually adjust the partner switch after doing a sync. The peer
address is the opposite interface. We will use the private interface.
Syntax:
/cfg/slb/sync/{options}
Options set all the different parameters required for config or session synchronization.
Lab Configuration:
/cfg/slb/sync/prio dis
/cfg/slb/sync/peer 1/ena/addr 10.200.odd#.odd#+20
apply and save

After applying your changes, the switch should report VRRP status:
<date> <time> NOTICE vrrp: virtual router 192.168.100.21 is now master
<date> <time> NOTICE vrrp: virtual router 10.200.21.21 is now master

9. Save the configuration to a file using copy and paste.

10. Test your setup. Are both Web servers accessible by ping and browser access?


Configuration for the even-switch:

Do steps 11-20 if two delegates configure two separate Alteons.
If a single person configures both Alteons, do only steps 21-24.
11. Connect to the even-switch (e.g. Team-22) port via terminal server serial. Log in to the
switch and enter the admin password – admin.
12. Set the switch to the factory default and reset it.
Lab Configuration:
/boot/conf factory/reset     short form /b/co f/r
y                            confirms reset, pressing <enter> reboots the switch
13. Wait approximately one minute, then log in to the switch using the admin password.

14. Adjust Layer2. Assign port 1 to VLAN 11 and port 2 to VLAN 14.
Lab Configuration:

/cfg/l2/vlan 11/add 1/ena     create vlan 11 for clients, add port 1
y                             move port from vlan1 (default) to vlan 11, do not tag it
../vlan 14/add 2/ena          create vlan 14 for server, add port 2
y                             move port from vlan1 (default) to vlan 14, do not tag it
apply                         activate configuration change

15. Turn off Spanning Tree on the switch and save the configuration.
Lab Configuration:
/cfg/l2/stg 1/off     this disables STP group 1, default group is 1
apply                 activate configuration change

16. Create two interfaces for public and private networks, and add a default gateway.
Lab Configuration:
/cfg/l3/if 1/ena/vlan 11/mask 255.255.255.0/addr 192.168.100.odd#+20
/cfg/l3/if 2/ena/vlan 14/mask 255.255.255.0/addr 10.200.odd#.odd#+20

/cfg/l3/gw 1/addr 192.168.100.254/ena/apply

17. Configure Virtual Interface Routers. For each interface, a separate router is
required. If possible, use the same value for VR-number, VR-ID and IF. This
simplifies management. If this is not possible, suitable documentation is required.
Syntax:
/cfg/l3/vrrp/{option}
This option turns the VRRP feature on or off.
Lab Configuration:
/cfg/l3/vrrp/on     enables VRRP feature


Syntax:
/cfg/l3/vrrp/vr {VR-number}/{options}
Sets all the option parameters required for a single virtual router.
Lab Configuration:
/cfg/l3/vrrp/vr 1         define VR1
vrid odd#                 set to virtual MAC Addr. 00-00-5E-00-01-15 (team 22)
addr 192.168.100.odd#     Public VIR Address, e.g. addr 192.168.100.21
share dis                 switch from active-active to active-standby
if 1                      communicates via interface 1
prio 100                  set priority to 100 or skip line
ena                       enable VR
track/l4pts ena           track ports layer 4 (client/server process) enabled

It is also possible to put all commands into a single line. Configure vr2 this way:
Lab Configuration:
/cfg/l3/vrrp/vr 2/vrid odd#+10/addr 10.200.odd#.odd#/share dis/if 2/ena/track/l4pts ena

18. Set up Layer 4 synchronization configuration parameters. Disable synchronize priorities;


otherwise, you need to manually adjust the partner switch after doing a sync. The peer
address is the opposite public or private interface.
Syntax:
/cfg/slb/sync/{options}
Options set all the different parameters required for config or session synchronization.
Lab Configuration:
/cfg/slb/sync/prio dis
/cfg/slb/sync/peer 1/ena/addr 10.200.odd#.odd#+10
apply and save

After applying your changes, the switch should report VRRP status:
<date> <time> NOTICE vrrp: virtual router 192.168.100.21 is now backup
<date> <time> NOTICE vrrp: virtual router 10.200.21.21 is now backup

19. Save the configuration to a file using copy and paste.

20. Test your setup. Are both Web servers accessible by ping and browser access?

Continue with step 25.

Configuration for the even-switch:


If a single person configures both Alteons do only steps 21-24.

21. Edit the saved odd-switch configuration, (step 9). Edit the management address to meet the
previous even team number. Change the interface 1 address to 192.168.100.odd#+20
and IF 2 to 10.200.odd#.odd#+20. Remove all /cfg/l3/vrrp configuration. Adjust peer 1
address to 10.200.odd#.odd#+10. Save this configuration as a new file.

22. Open a second Putty window, connect via serial to even-switch, and set the switch
to the factory default configuration. Double-check; is the image version used equal
to the version of odd-switch? If not, upgrade or downgrade to make the versions
match. Select verbose 1 mode to suppress displaying of menu for each command
line. Enter Layer 2, Layer 3 and sync data by copying and pasting from the file.
Apply and save this configuration.

23. Select the odd-switch terminal and sync VRRP and SLB settings.
Lab Configuration:
/o/sl/sy                   shorthand
y                          confirm configuration sync

24. Watch the display of the even-switch terminal window after the changes are received.
There is no need to apply and save the configuration on even-switch. These two
commands are automatically executed in the background. The example below is for
team 21.

<date> <time> NOTICE vrrp: virtual router 192.168.100.21 is now backup
<date> <time> NOTICE vrrp: virtual router 10.200.21.21 is now backup

Common task done on odd Alteon:


25. Set up SLB on odd system only. Set up RealServer1, RealServer2, group them and
create a VIP 192.168.100.2odd#. Do not forget the PIP and proxy/client processes and
enable the SLB feature. If you can’t remember the details, refer to the SLB lab, on page
30/31 steps 3 to 8. Use different IP addresses for the PIPs, e.g. .42 and .43.

26. Configure VSR on odd-switch for redundancy on Layer 4.


Lab Configuration:
/cfg/l3/vrrp/vr 3/vrid odd#+20/addr 192.168.100.2odd#/prio 101/share dis/
if 1/ena/track/l4pts ena/apply new VSR settings.

27. Watch the messages for the new VR. It is the VR master.

28. Synchronize the VRRP & SLB config to even-Alteon


Lab Configuration:
/oper/slb/sync
Y

Test the VRRP configuration

1. Open a command prompt window on Team-PC. The examples below are for team 21.
Lab Configuration:
ping 192.168.100.21        ping to public VIR
ping 10.200.21.21          ping to VIP/VSR

2. Open a web browser, http://192.168.100.221 and access web servers. The well-known
home page should appear on screen.

3. Access Odd-switch CLI:


Lab Configuration:
/cfg/l3/vrrp/cur
What is the configured priority? ________

Lab Configuration:
/info/l3/vrrp
What is the current priority? ________
Is this switch the master or backup? _________
Lab Configuration:
/stats/l3/vrrp

4. How many VRRP advertisements have been received? _____________

How many VRRP advertisements have been sent out? ____________________

5. Access even-switch CLI:


Lab Configuration:
/cfg/l3/vrrp/cur
What is the configured priority? ________
Lab Configuration:
/info/l3/vrrp
What is the current priority? ________
Is this switch the master or backup? _________

Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ____________
How many VRRP advertisements have been sent out? _____________

6. Establish two serial connections if not already done, one to the odd-switch another to the
even-switch. To simulate a fault, disable port 1 of odd-switch
Lab Configuration:
/cfg/port 1/dis/apply

Note the operational messages on both switches.

7. Access Odd-switch CLI:


Lab Configuration:
/info/l3/vrrp
What is the priority? ________
What is the status of this switch? _________
Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ______________
How many VRRP advertisements have been sent out? ______________

8. Re-enable the port on odd-switch.


/cfg/port 1/ena/apply
Note any operational messages on odd- and even-switch.
_________________________________________________________________
_________________________________________________________________

9. Access even-switch:
Lab Configuration:
/info/l3/vrrp
What is the priority? ________
Is this switch the master or backup? _________
Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ______________
How many VRRP advertisements have been sent out? ______________

10. Access Odd-switch:


Lab Configuration:
/info/l3/vrrp
What is the priority? ________
Is this switch the master or backup? _________

Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ____________________
How many VRRP advertisements have been sent out? ____________________

Printout for odd-switch, example for Team 21

/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/port 9
dis
/c/l2/vlan 1
learn ena
def 3 4 5 6 7 8 9 10 11 12 … 27 28
/c/l2/vlan 11
ena
name "public"
learn ena
def 1
/c/l2/vlan 14
ena
name "private"
learn ena
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
ena
addr 192.168.100.31
vlan 11
/c/l3/if 2
ena
addr 10.200.21.31
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
addr 192.168.100.254

/c/l3/vrrp/on
/c/l3/vrrp/vr 1
ena
vrid 21
if 1
prio 101
addr 192.168.100.21
share dis
track
l4pts e
/c/l3/vrrp/vr 2
ena
vrid 31
if 2
prio 101
addr 10.200.21.21
share dis
track
l4pts e
/c/l3/vrrp/vr 3
ena
vrid 41
if 1
prio 101
addr 192.168.100.221
share dis
track
l4pts e
/c/slb
on
/c/slb/sync
prios d
/c/slb/sync/peer 1
ena
addr 10.200.21.41
/c/slb/real 1
ena
rip 10.200.21.100
/c/slb/real 2
ena
rip 10.200.21.200
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
vip 192.168.21.221
/c/slb/virt 1/service http
group 1

Printout for even-switch; VRRP & SLB settings are equal except priority

/c/sys/mmgmt
addr 10.10.242.22
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/port 9
dis
/c/l2/vlan 1
learn ena
def 3 4 5 6 7 8 9 10 11 12 … 27 28
/c/l2/vlan 11
ena
name "public"
learn ena
def 1
/c/l2/vlan 14
ena
name "private"
learn ena
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
ena
addr 192.168.100.41
vlan 11
/c/l3/if 2
ena
addr 10.200.21.41
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
addr 192.168.100.254

/c/l3/vrrp/on
/c/l3/vrrp/vr 1
ena
vrid 21
if 1
addr 192.168.100.21
share dis
track
l4pts e
/c/l3/vrrp/vr 2
ena
vrid 31
if 2
addr 10.200.21.21
share dis
track
l4pts e
/c/l3/vrrp/vr 3
ena
vrid 41
if 1
addr 192.168.100.221
share dis
track
l4pts e
/c/slb
on
/c/slb/sync
prios d
/c/slb/sync/peer 1
ena
addr 10.200.21.31
/c/slb/real 1
ena
rip 10.200.21.100
/c/slb/real 2
ena
rip 10.200.21.200
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.43 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
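
The two printouts above are meant to differ only in per-switch addresses and VRRP priority. The
check below is an added example, not part of the Radware manual: it parses abridged copies of both
printouts and reports drift, sync peers that do not point at each other, and VIPs that no virtual
router address covers. The function names and the allowlist of expected differences are assumptions.

```python
"""Cross-check two Alteon configuration dumps from a VRRP/SLB pair."""

# Abridged from the team-21 odd- and even-switch printouts on this page.
ODD_DUMP = """\
/c/sys/mmgmt
addr 10.10.242.21
/c/l3/if 2
addr 10.200.21.31
/c/l3/vrrp/vr 3
ena
vrid 41
if 1
prio 101
addr 192.168.100.221
track
l4pts e
/c/slb/sync/peer 1
addr 10.200.21.41
/c/slb/pip/add 10.200.21.42 1
/c/slb/virt 1
ena
vip 192.168.21.221
"""
EVEN_DUMP = """\
/c/sys/mmgmt
addr 10.10.242.22
/c/l3/if 2
addr 10.200.21.41
/c/l3/vrrp/vr 3
ena
vrid 41
if 1
addr 192.168.100.221
track
l4pts e
/c/slb/sync/peer 1
addr 10.200.21.31
/c/slb/pip/add 10.200.21.43 1
/c/slb/virt 1
ena
vip 192.168.100.221
"""

# Assumption: settings the lab deliberately sets differently on each peer.
PER_SWITCH = {("/c/sys/mmgmt", "addr"), ("/c/l3/if 1", "addr"),
              ("/c/l3/if 2", "addr"), ("/c/slb/sync/peer 1", "addr")}


def parse_dump(text):
    """Return {(menu_path, key, value)}; a line starting with '/' opens a menu."""
    entries, path = set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):
            path = line
            entries.add((path, "", ""))
        elif line and path:
            key, _, value = line.partition(" ")
            entries.add((path, key, value.strip()))
    return entries


def values(entries, menu, key):
    """Values of key in `menu` itself or in its numbered instances (menu N)."""
    return {v for p, k, v in entries
            if (p == menu or p.startswith(menu + " ")) and k == key}


def unexpected_drift(odd, even):
    """Entries found on only one peer that the lab does not expect to differ."""
    def expected(path, key):
        return ((path, key) in PER_SWITCH
                or path.startswith("/c/slb/pip/add ")
                or (path.startswith("/c/l3/vrrp/vr ") and key == "prio"))
    return sorted(e for e in odd ^ even if not expected(e[0], e[1]))


def peer_mismatches(odd, even):
    """Each sync peer address must be the other switch's interface 2 address."""
    bad = []
    for name, mine, other in (("odd", odd, even), ("even", even, odd)):
        peer = values(mine, "/c/slb/sync/peer 1", "addr")
        target = values(other, "/c/l3/if 2", "addr")
        if peer != target:
            bad.append((name, sorted(peer), sorted(target)))
    return bad


def vips_without_vsr(entries):
    """VIPs that no VRRP virtual router address covers, so they do not fail over."""
    return sorted(values(entries, "/c/slb/virt", "vip")
                  - values(entries, "/c/l3/vrrp/vr", "addr"))


if __name__ == "__main__":
    odd, even = parse_dump(ODD_DUMP), parse_dump(EVEN_DUMP)
    print("unexpected drift:", unexpected_drift(odd, even))
    print("sync peer mismatches:", peer_mismatches(odd, even))
    print("VIPs without VSR:", vips_without_vsr(odd), vips_without_vsr(even))
```

Run against the printouts as given on this page, it reports the odd-switch VIP 192.168.21.221,
which matches neither the even-switch VIP nor the address of VR 3.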

BBI – Web Based Management Labs

BBI SLB configuration of the Switch


1. To setup a SLB solution you start by enabling the SLB feature. At Configure tab select
SLB, turn SLB to Enabled and press the Submit button.

2. As the next step, configure both real servers for this application. Select SLB, Real Servers
and use the ADD button to specify parameters for both real servers. The internal reference
number ID, IP Address and State are mandatory. Enter the next real server's parameters.
When finished with the first, click on More. After the last real server click on Submit and Apply.

3. Add all real servers belonging to this application to a group (farm). Important parameters
like health check and metric are also specified at this group. Select SLB, Server Group
and use the ADD button to specify parameters. The internal reference number ID is
mandatory. Change SLB Metric for this lab to Round Robin and Submit this change.

Next is to associate the real servers. Click on Add button below Real Servers, check all
real servers you will add and press Add Real or Add button depending on version. Click
Submit and Apply.
Add proxy settings for port 1

4. Configure the virtual IP. This is the entry or termination IP address for a specific service.
Select SLB, Virtual Servers and press the ADD button. Virtual Server ID, Name, VIP
Address and State are mandatory parameters. Submit this change.

5. Click the ID number, scroll down the new opened window and click Add to specify Service
Port 80. For this lab no additional parameter is required. Submit and Apply this change.

6. Final change for our basic SLB lab is the activation of client and server processing on the
ingress and egress ports. Select SLB, Ports and click on the number for the port you want
to change. If you want to change several ports the same manner, tick all appropriate ports
and click on Bulk Edit. Select port 1 and tick client, tick server for port 2, Submit each
change and Apply it.

7. Check new configuration. Click on Diff, message Current config is identical to new
config. should appear. Diff Flash displays all SLB configuration since it is at current not
saved and Dump shows the whole switch configuration. Save configuration now.

8. Save this SLB configuration to a file on the Team-PC. This configuration will be the base
for the following labs. Start FTP/TFTP server on your Team-PC. At quick launch click on
3CDaemon. By default the server is set to use the desktop as user directory. At your
BBI window go to Configure, System, Download/Upload, Configuration. At section
Import / Export select Export from Device, Management Port and FTP. Enter your
Team_PC IP Address, Username is anonymous, Password any and as Filename
SLB.txt. Submit these parameters.

9. Use a different browser and open a new window to the VIP. For Team21 this is
http://192.168.100.221
Create some traffic by refreshing the browser. Why is the Alteon not selecting the second
real server? Close this browser and open a new one. Why is now the second real server
selected?
If at modern browsers a tab is open, it will grab the content only from internal cache.

10. Check statistics, select Monitor, SLB, Virtual Servers at BBI window. Real servers or
Server Groups displays details on these items.

11. Load balancing for available services on different servers is an option. There are two web
servers. One equipped with two CPUs, the other with four CPUs. For each CPU a
separate Web application instance, e.g. Apache, is installed. Our customer wants to have
an even load balancing based on each of these CPUs. Set up the real servers for multi-
port SLB. Add for real server 1 ports 80 and 81, for real server 2 ports 80 to 83. To ensure
to have the same load on all CPUs increase weight to 2 for real server 2. Invoke this
feature by setting the real port for the HTTP service to 0.
At Configure, SLB, Real Server, Advanced scroll down to Service Ports and Add port
numbers. For each add you need to select the advanced menu again.

For server 2 set weight to 2

At SLB Virtual Server, Services Port 80, edit settings, check Single
change Service Port 80 => 0

12. See messages on CLI window. A separate health check is now generated for each port.

13. For the next hands-on we do not need this multi-rport setting. Therefore, remove the
settings of step 11. Click on the Revert Apply button.

BBI Layer 7 Passive Cookie Persistence Configuration
1. Enable Direect Access Mode (DAM M) on the sw


witch to allo
ow you to pe
erform port mapping fo
or
content loa g. At Config
ad balancing gure, SLB, set Direct Access
A Modde to Enablled.

2. Select an appropriate
a load balanccing metric for the real server grou up if no coo
okie is
present. Ch
hoose a non n-persistentt metric. For our lab we
e will selectt round robin
n. Select
Configure,, SLB, Servver Group, Group 1 an nd set SLB Metric to Ro ound Robin.

3. To have coookie persistency, we need


n to get a cookie fro
om the web server. The e web
application on port 88 is cookie enabled. Select Configure, SLB, V Virtual serv vers, click
on Port 80 (http) link. Set the radio button to
t single an nd enter at rreal port 88
8.

4. By default, the switch checks the case of any y string, e.g


g. a cookie n
name. Disaable case
sensitivity if there is no
o need to diiscriminate between up pper and lowwer case. Select
S
Configure,, SLB, Laye er
7 Resources and turn n
CSSM para ameter to
Disabled.

5. Enable passive cookie-based persistence on the virtual server service. Select Configure,
SLB, Virtual Servers, Port 80 and set Persistence to Cookie. Several additional fields
are now available. Use Mode Passive, Name ASPSESS*, Number of Bytes to Extract 8,
Search in URI Disabled and Cookie Value Starting Point 1. Submit and Apply changes.

For testing passive cookies, refer to step 7 to 10. Since rewrite cookies is very similar skip
it and do test for rewrite settings only.

6. Enable rewrite cookie-based persistence on the virtual server service. Select Configure,
SLB, Virtual Servers, Port 80 and set Persistence to Cookie. Several additional fields
are now available. Use Mode Rewrite, Search Up to 1 Responses, Name ASPSESS*,
Length 8, Search in Header. Submit and Apply changes.

7. Confirm the cookie operation. Configure your browser to block cookies.

Check statistics. On BBI Monitor, SLB, Virtual Servers, Port 80

Clear statistics counter on CLI window:
/stat/slb/clear            to clear statistics

Generate traffic by opening a new browser window to your VIP several times, e.g.
http://192.168.100.221
Return to the switch BBI and refresh the window to display statistics. Note changes.

8. Change cookie settings in your browser to accept cookies and repeat the above Lab
Operation steps. For Firefox ensure to accept a cookie from the VIP. Add a suitable
exception.

9. Generate traffic by opening a new browser window to your VIP several times, e.g.
http://192.168.100.221

10. Return to the switch BBI and refresh the window to display statistics. Note changes. To get
new session requests, you need to close the browser and open a new window; otherwise the
data is read from the browser cache instead of the Super Veda server.

11. Change the VIP service HTTP rport value from 88 to 80 to simulate a server without
cookie support. Set Configure, SLB, Virtual Servers, Port 80 Service Port to 80.

12. Enable insert cookie-based persistence on the virtual server service. Set Configure,
SLB, Virtual Servers, Port 80 Persistence Mode to Insert, Name to Alteon_P and
a duration of 0 days : 8 hours : 0 minutes. Submit and Apply change.

13. Use Firefox browser and turn LiveHTTPheaders on. The date is always UTC time
depending on your time zone.

14. At the CLI you can use /info/slb/cookie to decode the Set-Cookie value and get useful
information.

>> Server Load Balancing Information# cookie

Enter 16 or 20 or 24 bytes cookie value as 0xXXXXXXXXXXXXXXXX: 0x2389127e9af8b0b4baeebabf

Virtual IP address: 192.168.100.221

Real IP address: 10.200.21.100

Real Server Port: 80
Real Server Index: 1

15. Check statistics. On BBI Monitor, SLB, Virtual Servers, Port 80. Note changes. To get
new session requests, you need to close the browser and open a new window; otherwise
the data is read from the browser cache instead of the web server.

16. Remove all persistency settings for virtual server for the next labs. Change the rport from
88 to 80 if not already done at step 11. If your last saved configuration was basic SLB
press Revert Apply button. To double check do a Diff Flash before.

BBI Content Load Balancing Configuration

1. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for
content load balancing. At Configure, SLB, set Direct Access Mode to Enabled. Submit
change.

2. Select an appropriate load balancing metric for the real server group if no string is present.
Choose a non-persistent metric. For our lab we will select round robin. Select Configure,
SLB, Server Group, Group 1 and set SLB Metric to Round Robin. Submit change.

3. Double check that persistent binding for the virtual server service is disabled. Pbind takes
precedence over string load balancing. Select Configure, SLB, Virtual servers, port 80.
Is parameter Persistence set to Disabled?

4. Double check that SLB is working. Clear the session table.
CLI Operation:
/stat/slb/clear

Generate traffic by opening a new browser window to your VIP several times; return to the
switch CLI/BBI for displaying SLB statistics.

5. By default, the switch checks the case of any string, e.g. a cookie name. Disable case
sensitivity if there is no need to discriminate between upper and lower case. Select
Configure, SLB, Layer 7 Resources and turn CSSM parameter to Disabled.

6. When SLB is working correctly, continue with the URL configuration. We want to look for the
URL string “images” which is only located at server 2. Define this URL string. Select
Configure, SLB, Layer 7 Resources, Strings. Keep all parameters on default and insert at
SLB String field /images. Submit this change.

7. Add an index number for the URL string to the real server config. If real server 2 can
handle additional pages than “/images”, for e.g. “index.html” add string 1 as an option.
Select Configure, SLB, Real Servers, ID 2. Set radio button to Advanced and scroll
down to Layer 7. Move both strings into configured box. Submit change.

8. Enable URLSLB for the virtual service IP Address service HTTP. Select Configure, SLB,
Virtual Servers, ID 1 port 80. At section Basic set Application to HTTP-L7 and at section
HTTP set HTTP SLB to URL SLB. Submit and Apply change.

9. Test this new setup. Open a browser and access files on the image path. The files
img1.jpg, img2.jpg and img3.jpg are available on server 2. Close and reopen the client
browser several times to http://192.168.100.221/images/img1.jpg. Check statistics at
Monitor, SLB, Layer7, string tab.

10. To test SLB for the index page use the wfetch tool. It is at the quick start area. Here you
can set how an http request is sent to the server. Set Host to your VIP IP address and
keep all other parameters at default. To request a page press the GO! button. Both web
servers should respond, one after the other, since the any string is associated with the real 2
server. Real 1 has no special setup and responds to any request.

11. Next, we want to set up a solution using regular expressions. Web server 1 will host file
“alteo.htm”. Web server 2 will host “altea.htm” and “alter.htm”. The regular expression
“alte[ar].htm” allows selection of the content stored on server 2. Inverting this regular
expression avoids selection of this machine. “alte[^ar].htm” allows access to “alteo.htm”
and of course to many other “alteoX.htm” pages. Therefore, this is useful only as a lab
example. Select Configure, SLB, Layer 7 Resources, Strings. Press Add and insert at
SLB String field alte[^ar] and then alte[ar]. Keep other parameters on default. Submit
this change.

12. Add the index number for the URL string to the real server config: Add ‘alte[^ar]’, which is
a regular expression for ‘alteo’ string in our configuration, to real server 1. Add ‘alte[ar]’,
which represents both strings ‘alter’ and ‘altea’, to real server 2. To allow LB for ‘index.htm’
string on real server 1, add index 1 to it.
Select Configure, SLB, Real Servers, ID 1. Set radio button to Advanced and scroll
down to Layer 7. Move any and alte[^ar] strings into configured box and Submit change.
Select Configure, SLB, Real Servers, ID 2. Set radio button to Advanced and scroll
down to Layer 7. Move alte[ar] string into configured box and Submit change.

13. Test your configuration. Send the following requests from your browser at Team-PC to
VIP. The following example is for team 21. Use your team number, please.
http://192.168.100.221/alteo.htm,
http://192.168.100.221/alter.htm,
http://192.168.100.221/altea.htm

14. In this lab section, your task is to configure Layer 7 string lookup to detect the default
language support of the browser used for this request. Modify your virtual server setting to
look up the Accept-Language string at HTTP header. We will assume real server 1 is
responsible for English and real server 2 for another language, e.g. German.

15. Configure header variable strings and add an index number to the real server config. Real
server 1 represents the contents for ‘en’ string, real server 2 is responsible for ‘de’ string.
Language string depends on browser type. Add strings for e.g. en and de. For other
regions, choose appropriate language strings. Configure, SLB, Layer 7 Resources,
Strings. Press Add and insert at SLB String field en and then de. Keep other parameters
on default. Submit this change.

16. Add the index number for the URL string to the real server config: Add ‘en’ to real server 1
and ‘de’ to real server 2. Keep the other previously associated strings.
Select Configure, SLB, Real Servers, ID 1. Set radio button to Advanced and scroll
down to Layer 7. Move any and en string into configured box and Submit change.
Select Configure, SLB, Real Servers, ID 2. Set radio button to Advanced and scroll
down to Layer 7. Move de string into configured box and Submit change.

17. Modify the VIP service HTTP to now look up the Accept-Language string in the HTTP header.
Select Configure, SLB, Virtual Servers, ID 1 port 80. At section Basic set Application to
HTTP-L7 and at section HTTP set HTTP SLB to others and HTTP Header Name to
Accept-Language. Submit and Apply change.

18. Select at Firefox English and IE German as default language. Set a single language for
each browser!

19. Test this new setup. Open a browser and access the team VIP. For team 21, close and
reopen the client browser several times to http://192.168.100.221. Check statistics at
Monitor, SLB, Layer7, string tab.

BBI configuration for VRRP
The odd-switch:
1. Connect via a browser to the management interface 10.10.242.# and set the switch to
load factory default configuration on next boot and reset it. Select Configure, System,
Download/Upload, Configuration tab, section Version Management. Set Next Boot
Block to Factory and the radio button to Do Not Erase and Submit change. If there is
no reset button at this page, move to the software tab and press the Reset button there.

2. After the reset, you have lost the http access to the Alteon. Log on via serial and enable
http access again.

Lab Configuration:
>> Configuration# /cfg/sys/access/http e/apply
Current HTTP server access: disabled
New HTTP server access: enabled

3. Create two new VLANs for ingress and egress ports. We keep unused ports on VLAN 1.
By default, all ports are enabled. At configure tab select Layer2, VLANs and click the
Add button.

Insert VLAN ID 11, Name, Enable it and associate Spanning Tree Group 1, select
Available port 1 and move it to Configured. Press Submit and Apply button to activate
this change. Each change is confirmed at BBI Log Messages field.
Add another VLAN ID 14 and use port 2.

Disable Spanning Tree.
Select on Layer2, SpanningTree number 1 and turn Enabled to Disabled. Submit and
Apply change.

4. Configure the interfaces for the switch as shown in the Lab Description pages. You must
create a separate interface for each network that you want to connect directly to this
switch. The interface index number used is independent of any physical port, VLAN etc. A
common number for port, VLAN and interface will simplify debugging and management.

At Configure tab select Layer3, IP Interfaces and click the Add button.
Insert Interface ID 1, IP Addresses are 192.168.100.#+10 (team 21 e.g. 192.168.100.31).
# is your team number. Mask is a C-Class one. Associate VLAN 11 for public net.
Enable state and click Submit and Apply buttons to activate this change. Add another
interface 2 for your private net. IP Address is 10.200.#.#+10 /24 (team 21 e.g.
10.200.21.31).

5. Set the default gateway. Traffic to any destination IP address that is neither on a local
network nor matched by a routing table entry is sent to this destination. GW 1 to 4 is for
all VLANs, GW 5 to 259 can each be associated to one VLAN. Select Gateways and Add,
Gateway ID 1, IP Address is 192.168.100.254 and turn state to Enable and click Submit
and Apply buttons to activate this change. The settings are the same for all teams.

6. Configure Virtual Interface Routers. For each interface, a separate router is
required. If possible, use the same value for VR-number, VR-ID and IF. This
simplifies management. If this is not possible, suitable documentation is required.
Select Configure, Layer 3, VRRP, set State to Enabled and Submit change.

For ISP-Net interface select Configure, Layer 3, VRRP, Virtual Routers and press
Add button. Select Advanced radio button, and provide parameters for Router ID
#, VR ID #, IP Address 192.168.100.#, Interface 1, Priority 101, State Enabled,
Tracking SLB, Advanced Sharing Disabled and click Submit button to activate this
change.

For the Application-Server-Net interface, press the Add and Advanced buttons again.
Provide the parameters Router ID #+10, VR ID #+10, IP Address 10.200.#.#,
Interface 2, Priority 101, State Enabled, Tracking SLB, Advanced Sharing Disabled,
then click the Submit and Apply buttons to activate this change.

After pressing the Refresh button, both VRs should be in Master mode.

7. Set up the Layer 4 synchronization configuration parameters. Disable synchronization of
priorities; otherwise, you need to manually adjust the priority at the partner switch after
doing a sync. The peer address is the opposite private interface. Select Configure, SLB,
Advanced, Sync tab, remove the checks for BWM and VRRP Priorities, set Id 1 to 10.200.21.#+20,
set State to Enabled, then Submit, Apply and Save the change.

8. Test your setup. Are both Web servers (10.200.#.100 and .200) accessible by ping and
browser access? If yes, continue with step 9; otherwise start debugging. Check the Dump
printout or repeat steps 3 to 7.

9. At this step we want to configure the second (even) Alteon of this high availability
solution. You need to repeat steps 1 to 5 for this second switch. The parameters for steps
3 and 5 are exactly the same as for the odd switch. At step 4, use the IP addresses
192.168.100.#+20 on ISP-Net and 10.200.#.#+20 on App-Server-Net. Skip step 6 and
continue with step 7. As peer ID 1, use the App-Server-Net interface address of the odd
switch (10.200.#.#+10).

10. Now we want to synchronize the configuration to the peer switch. In the BBI of the odd
Alteon, at Configure, SLB, Advanced, Sync tab, Peer Switch, press Submit for the
Synchronize configuration to peer switches button.

11. At the CLI window, watch the changes.

At odd switch:
    Sending Config .
    Waiting for peer to finish config apply/save ...

At even switch:
    Configuration on 10.200.21.41 has now been synchronized.

12. Test your setup again. Are both Web servers (10.200.#.100 and .200) accessible by ping
and browser access? If yes, continue; otherwise start debugging.

13. Set up SLB. Set up RealServer1 and RealServer2, group them and create a VIP
192.168.100.2odd#. Enable the client and server processes and enable the SLB
feature. If you can't remember the details, refer to the SLB lab on page 101. Test
access to this VIP with your browser.

14. To avoid a duplicated VIP address, configure a VSR on the odd switch for
redundancy on Layer 4. Select Configure, Layer 3, VRRP and press the Add button.
Select the Advanced radio button and provide the parameters Router ID #+20, VR ID
#+20, IP Address 192.168.100.2#, Interface 1, Priority 101, State Enabled,
Tracking SLB, Advanced Sharing Disabled, then click the Submit and Apply buttons to
activate this change.

15. Watch the messages for the new VR. It is a VR master.

16. Synchronize the VRRP & SLB configuration to the even switch. See step 10 for the BBI, or
execute at the CLI window:

    /oper/slb/sync
    Y

17. Test the VRRP configuration. On the switch that currently holds the Master VRs, disable
one physical port, e.g. port 1. Select Configure, System, Physical Ports, Port 1, State
Disabled. Submit and Apply the change.

Watch the changed status of the VRRP routers on both switches. Select Configure,
Layer 3, VRRP, Virtual Routers.

At odd Switch

At even Switch
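
The addressing and VR ID scheme from steps 4, 6, 9 and 14, written out as an added example (not part of the Radware manual) that checks a class's team numbers for duplicate addresses and VR IDs on the ISP-Net. It assumes all teams' switches share one broadcast domain on 192.168.100.0/24 and reads the VSR address "192.168.100.2#" as 200 + #; `team_plan` and `check_teams` are hypothetical names.

```python
import ipaddress

ISP_NET = ipaddress.ip_network("192.168.100.0/24")  # ISP-Net, shared by all teams
GATEWAY = ipaddress.ip_address("192.168.100.254")   # step 5: equal for all teams


def team_plan(team):
    """ISP-Net addresses and VR IDs that steps 4, 6, 9 and 14 give team '#'."""
    base = ISP_NET.network_address
    return {
        "odd if1": (None, base + team + 10),     # step 4
        "even if1": (None, base + team + 20),    # step 9
        "VR": (team, base + team),               # step 6: VR ID #, IP .#
        # Assumption: "192.168.100.2#" is read as .200 + #, as on the lab sheet.
        "VSR": (team + 20, base + 200 + team),   # step 14: VR ID #+20
    }


def check_teams(teams):
    """Return conflicts between teams that share the ISP-Net broadcast domain."""
    problems = []
    ip_owner = {GATEWAY: "default gateway"}
    vrid_owner = {}
    for team in teams:
        for name, (vrid, ip) in team_plan(team).items():
            owner = f"team {team} {name}"
            if ip not in ISP_NET:
                problems.append(f"{owner}: {ip} is outside {ISP_NET}")
            elif ip in ip_owner:
                problems.append(f"{owner}: {ip} already used by {ip_owner[ip]}")
            else:
                ip_owner[ip] = owner
            if vrid is None:
                continue
            # VRRP VR IDs are 1-255 and select the virtual MAC, so they must be
            # unique among routers on the same segment.
            if not 1 <= vrid <= 255:
                problems.append(f"{owner}: VR ID {vrid} is not in 1-255")
            elif vrid in vrid_owner:
                problems.append(f"{owner}: VR ID {vrid} already used by {vrid_owner[vrid]}")
            else:
                vrid_owner[vrid] = owner
    return problems


if __name__ == "__main__":
    for line in check_teams([1, 21]) or ["no conflicts"]:
        print(line)
```

Team 21 on its own is clean; adding team 1 reports that 192.168.100.21 and VR ID 21 are each claimed twice, which on a live segment shows up as duplicate-address messages and both VRs claiming master.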

Remote Lab - Alteon

Team number ___

Alteon-Team ___ is assigned to you by your training engineer.

Connection Information

Remote XP-Client via VNC:
  IP for Mahwah: njlab1.radware.net
  IP for Munich: lab-muc.radware.com
  Port: 59___
  Password: radware
Remote Serial (telnet): 71___
Management port:
  RemoteSecure-SSH: 76___
  Remote SecureWBM: 77___
Load Balancing:
  Remote VIP port 80: 74___

Alteon Information

Serial Terminal Server information:
  IP: 192.168.150.252
  Port: 70___
  Using Telnet
Client net on port 1 → Vlan 11 → if-1 = 192.168.100.___ /24
Server net on port 2 → Vlan 14 → if-2 = 10.200.___.___ /24
AL-# MNG-1 = 10.10.242.___/21
AL's Gateway = 192.168.100.254
VIP-1 = 192.168.100.___
Web1 = 10.200.___.100
Web2 = 10.200.___.200

[Network diagram. Labels: RemoteClient # (DHCP, 192.168.150.x/24); Switch; APSolute Vision; 192.168.150.100; 10.10.240.10; Router; 192.168.100.254; 10.10.240.1; Management-Network: 10.10.240.0/21 (255.255.248.0); Terminal Server; Alteon 4408 with MNG = 10.10.242.___, if1 = 192.168.100.___, if2 = 10.200.___.___; Switch; Web1 10.200.___.100; Web2 10.200.___.200; VIP = 192.168.100.200 + ___; ServerDFGW = 10.200.___.___]


VRRP Remote Lab - Alteon

Team number ___

Connection Information

Remote XP-Client via VNC:
  IP for Mahwah: njlab1.radware.net
  IP for Munich: lab-muc.radware.com
  Port: 59___
  Password: radware
Remote Serial (telnet): 71___
Management port:
  RemoteSecure-SSH: 76___
  Remote SecureWBM: 77___
Load Balancing:
  Remote VIP port 80: 74___

Alteon Information

Serial Terminal Server information:
  IP: 192.168.150.252
  Port: 70___
  Using Telnet
Client net on port 1 → Vlan 11 → VR 192.168.100.odd___
  ALodd-# if-1 = 192.168.100.odd___ /24
  ALeven-# if-1 = 192.168.100.odd___ /24
  Gateway = 192.168.100.254
Server net on port 2 → Vlan 14 → VR 10.200.___.___
  ALodd-# if2 = 10.200.___.1 /24
  ALeven-# if2 = 10.200.___.2 /24
VSR = 192.168.100.___
VIP = 192.168.100.___
Web1 = 10.200.___.100
Web2 = 10.200.___.200
AL-# MNG = 10.10.242.___/21

[Network diagram. Labels: two RemoteClient # (DHCP, 192.168.150.__ /24); Switch; 192.168.150.100; Routers; 192.168.100.254; Client-Net = 192.168.100.0/24; Alteon-odd (Alteon 4408); Alteon-even (Alteon 4408); Server-Net = 10.200.___.0/24; Switch; Team-___ Team-___; Web1 10.200.___.100; Web2 10.200.___.200; VIP = 192.168.100.___; ServerDFGW = 10.200.___.___]
