500-101 28+1 4 Alteon Level1 TrainingManual
April 2012
Alteon Level 1 Training Manual
© Radware 2011. All rights reserved. Distribution of this document needs approval from Radware Knowledge & Education Services.
All cables to the devices are connected, please keep this in mind.
All documentation, tools, software, applications and feature key codes are on the CD-ROM of
each Team-PC.
The following equipment is required for each delegate to complete the labs:
Lab Overview
Purpose
This document provides details about the technical training topics covered during the
RadwareAlteon 500-101 Alteon – Level 1 technical training curriculum.
This course covers basic configurations and troubleshooting in local server load balancing,
persistent SLB, content SLB, and SSL-Acceleration. The Application Switch Level 1 training is for
students who have good knowledge of network switching and routing features using standard
protocols.
The training material for this course consists of a PowerPoint Presentation for theories and a
Training Manual for hands-on to be used in tandem.
The features and functions of Radware Alteon devices discussed in this document are based on
version 28.1.
If your RadwareAlteon device is running an older or newer version of firmware or if you are
using a different version of APSolute Vision, some of the features and implementations
discussed in this manual may not be available or some terminology might be different.
For your existing onsite device, please contact Radware technical support at
support@RadwareAlteon.com.
[Figure: front panels of the Alteon 4408 lab devices]
Lab diagram labels (# = team number):
RemoteSecure-SSH: 7600 + #
Server net on port 2 → Vlan 14 → if-2 = 10.200.#.# /24
VIP = 192.168.100.200 + #
ServerDFGW = 10.200.#.#
Lab diagram labels (# = team number):
Connection Information
RemoteClient #: DHCP, 192.168.150.x/24
Remote XP-Client via VNC:
IP for Mahwah: njlab1.radware.net
IP for Munich: lab-muc.radware.com
Port: 5900 + #
Password: radware
Switch
Remote Serial (telnet): 7100 + #
Management port:
RemoteSecure-SSH: 7600 + #
Remote SecureWBM: 7700 + #
192.168.150.100
Load Balancing:
Remote VIP port 80: 7400 + #
Routers
192.168.100.254
Client-Net = 192.168.100.0/24
Alteon Information
Alteon-even
VR 192.168.100.odd#
VSR = 192.168.100.odd#+200
VIP = 192.168.100.odd#+200
Web1 = 10.200.odd#.100
Web2 = 10.200.odd#.200
VIP = 192.168.100.200 + #
ServerDFGW = 10.200.#.#
Overview
Description
You can access a RadwareAlteon Application Switch, also called an Application
Delivery Controller (ADC), for management purposes in the following ways:
• Via Command Line Interface (CLI): Use a serial connection via the console port to
access and configure the Alteon from a computer running any terminal emulation
software, or connect on any Ethernet port by Telnet or SSH.
• Via a Graphical User Interface: any Java-enabled browser application can manage the
ADC via HTTP or HTTPS; this is called the Browser Based Interface (BBI). Another
possibility is using SNMP and the Application Switch Element Manager (ASEM)
application.
The management port on the Alteon is used exclusively for managing the switch via an
out-of-band Fast Ethernet connection. In-band (on all data ports) or out-of-band
(management port) connections via Telnet, SSH, HTTP or HTTPS are possible. You can
upgrade switch code via TFTP or FTP, and configuration backup and restore via TFTP, FTP
or SCP is possible. There is an option to keep these management port settings when
booting from the factory-default config block.
An Alteon supports up to 2048 VLANs per switch, and any number between 1 and 4090 can
identify each VLAN. VLANs are set up on a per-port basis. Each VLAN can have any number
of switch ports in its membership. Each port in the switch has a configurable default VLAN
number, known as its PVID. The factory default value for all PVIDs is 1.
Each port on the switch can belong to one or more VLANs. Any port that belongs to multiple
VLANs, however, must have VLAN tagging enabled. The Alteon supports 802.1Q VLAN
tagging, providing standards-based VLAN support for Ethernet systems. Tagging adds the
VLAN identifier in the frame header, allowing multiple VLANs per port. Since tagging
fundamentally changes the format of frames transmitted on a tagged port, you must carefully
plan network designs to prevent tagged frames from being transmitted to devices that do not
support 802.1Q VLAN tags. By default, VLAN tagging is set to off and a single VLAN,
number 1, is set up on each port.
An interface is a logical network definition. For each different directly connected network, a
separate interface is required. The associated number is independent of any physical port or
VLAN. For easier management, the port, VLAN, and interface often all use the same number
or a number based on custom-specific logic. The mask describes the size of this network.
The address defines your local IP address, which accesses this directly connected network. By
default, IPv4 is enabled, and IPv6 is supported. VLAN 1 is automatically associated with a
new interface, if not changed. The VLAN value associates this network to one or more ports
with the same number as the network. Another interface associated to the same VLAN enables
both networks on this Ethernet port or ports. This is called multinetting. A similar behavior is
achieved by enabling tagging and associating some VLANs to a port. Each interface associated
to one of these VLANs will also be associated to these ports.
Without Layer 3 IP routing on the switch, an unknown destination IP address is sent to the
default gateway (GW). Default GWs 1 to 4 are not assigned to any VLAN. The Strict Metric
always uses the device with the lowest number. In case of failure, the next highest number is
used. The round-robin Metric uses the next higher GW number for each session. After
reaching the highest configured number, it starts from the lowest again. ICMP messages are
the default for health checks. Alternatively, use the ARP protocol.
GWs 5 through 259 are each associated to a separate single VLAN. All unknown destination
IP addresses for a VLAN are sent to the associated GW. If this GW fails, the switch uses GW
1-4 if present; if not present, no routing is possible.
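The gateway selection rules described above, as an added example: a simplified model written for this edit, not Alteon code. The function names, parameters and the metric labels "strict" and "roundrobin" are hypothetical, and skipping failed gateways in round-robin mode is an assumption.

```python
def pick_gateway(configured, healthy, vlan_gw=None, metric="strict", last_used=None):
    """Return the gateway number used for an unknown destination, or None.

    configured: default gateway numbers that exist on the switch (1-4)
    healthy:    set of gateway numbers currently passing their health check
    vlan_gw:    VLAN-bound gateway (5-259) of the source VLAN, if one is configured
    last_used:  gateway chosen for the previous session (round-robin only)
    """
    # A VLAN-bound gateway takes all unknown destinations of its VLAN while it is up.
    if vlan_gw is not None and vlan_gw in healthy:
        return vlan_gw
    # Otherwise fall back to the default gateways 1-4 that are up.
    candidates = sorted(g for g in configured if 1 <= g <= 4 and g in healthy)
    if not candidates:
        return None  # no routing possible
    if metric == "strict" or last_used is None:
        return candidates[0]  # lowest number that is up
    # Round-robin: next higher number, wrapping to the lowest after the highest.
    higher = [g for g in candidates if g > last_used]
    return higher[0] if higher else candidates[0]


def session_trace(configured, health_per_session, metric):
    """Gateway chosen for each consecutive session, given the health state at that time."""
    trace, last = [], None
    for healthy in health_per_session:
        gw = pick_gateway(configured, healthy, metric=metric, last_used=last)
        trace.append(gw)
        if gw is not None:
            last = gw
    return trace


if __name__ == "__main__":
    all_up = {1, 2, 3}
    gw1_down = {2, 3}
    # Strict: GW 1 until it fails, GW 2 while GW 1 is down, back to GW 1 on recovery.
    print(session_trace([1, 2, 3], [all_up, gw1_down, gw1_down, all_up], "strict"))
    # Round-robin: 1, 2, 3, then wraps to 1.
    print(session_trace([1, 2, 3], [all_up] * 4, "roundrobin"))
    # VLAN gateway 7 is down, so the VLAN falls back to default gateway 1.
    print(pick_gateway([1, 2], {1, 2}, vlan_gw=7))
```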
Objectives
After completing this lab, you will be able to:
• Log in to the switch
• Configure VLANs and interfaces
• Back up a configuration
• Use BBI and ASEM GUIs
Equipment
The following equipment is required to complete this lab:
• 1 Classroom PC (in front of you)
• 1 Alteon
• 1 Team-PC, (interface between remote and local lab)
• 2 Servers (web application)
• 1 FTP/TFTP server on your Team-PC
Assignment
Physically, your network is wired as per the diagram on the Lab Configuration
pages. In order to configure this Alteon, connect to the serial port. On your
Team-PCs, the Putty application is already set up. Individual settings to
connect via serial to the Alteon are already configured. Be aware a serial
connection to an Alteon can only be established from one PC at one time. The
second connection will fail. For a second connection enable Telnet or SSH or
use any GUI.
IMPORTANT:
X indicates any IP Address assigned by DHCP on your Team-PC.
An unconfigured Alteon shows no configuration data between the line beginning with
/* Version information and the line script end.
Lab Configuration:
/boot/conf factory short form /b/co f
Next boot will use factory default config block instead of active.
Confirm : Do you want to keep management port connectivity? [y/n]: n
reset short form r, reboots the switch to activate setting
y confirms reset
4. Press Enter to reboot the switch. After approximately 1 minute, log into the switch using
the admin password.
Lab Configuration
/boot/mgmt ena
Current state of mgmt port is Disabled
Globally [ena|dis] mgmt port (requires a switch reset): ena
Confirm Globally enable mgmt port (requires a switch reset) [y/n]: y
Reset will use software "imageX" and the factory default config block.
>> Note that this will RESTART the Spanning Tree,
>> which will likely cause an interruption in network service.
Confirm reset [y/n]: y
/cfg/sys/mmgmt
addr 10.10.242.#
mask 255.255.248.0
gw 10.10.240.1
tftp mgmt
ena
apply
save
y
y
If you want to continue with a graphical interface instead of the CLI, continue with page 22.
Syntax:
/cfg/l2/vlan {Vlan Number}/add {Physical Port1}/add {Physical Port2}/etc …
    creates a new VLAN and adds the specified port(s)
Lab Configuration:
/cfg/l2/vlan 11/add 1    creates VLAN for clients, VLAN 11; type L2 not 12!
y                        moves port from VLAN 1 (default) to VLAN 11, does not tag it
ena                      enables VLAN
../vlan 14/add 2/ena     creates VLAN for servers, VLAN 14
y                        moves port from VLAN 1 (default) to VLAN 14, no tagging
apply                    activates configuration change;
                         should be done after each complete configuration step.
2. Turn off Spanning Tree Group (STG) on the switch. This protocol is used to avoid Layer 2
loops. It should be enabled or disabled depending on the customer’s network. For training
purposes at this and following labs, we always disable it.
Syntax:
/cfg/l2/stg {ST number}/{off, on} up to 16 different ST groups possible
Lab Configuration:
/cfg/l2/stg 1/off this disables STP group 1, default group is 1
apply activates configuration change
3. Configure the interfaces for the switch as shown in the Lab Description pages. You must
create a separate interface for each network that you want to connect directly to this
switch. The interface index number used is independent of any physical port, VLAN etc. A
common number for port, VLAN and interface will simplify debugging and management.
Syntax:
/cfg/l3/if {interface number}/{item parameter}/{item parameter}
up to 255 different networks are supported
Lab Configuration:
/cfg/l3/if 1 we start to configure interface 1
mask 255.255.255.0 enter the mask to calculate broadcast address
addr 192.168.100.# refer to lab description for your IP address,
vlan 11 associates this IF to VLAN 11, to use it on port 1
ena to enable the interface 1
For the second network, the Web server network, you need an additional interface. It is
also possible to put all parameters on one line separated by a forward slash.
/c/l3/if 2/vlan 14/mask 255.255.255.0/addr 10.200.#.#/ena
4. Set the default gateway. Destination IP addresses that are not from local networks or do
not match routing table entries are sent to this destination. GW 1 to 4 is for all VLANs, GW
5 to 259 can each be associated to one VLAN. An important option is to switch from ICMP
to ARP health check.
Syntax:
/cfg/l3/gw {gateway number}/{parameter}/{parameter}
Lab Configuration:
/cfg/l3/gw 1 Gateway 1 (up to 4) is for all VLANs.
addr 192.168.100.254 interface of the next hop router
ena enables the default gateway
apply activates the switch configuration
5. To distinguish different switches, especially if there are several for a solution, create an
individual CLI prompt. At system SNMP, define a character string and activate it by
setting hprompt to enable.
Syntax:
/cfg/sys/ssnmp/name "string"
/cfg/sys/hprompt ena
Lab Configuration:
/cfg/sys/ssnmp/name "team#>" define a character string
/cfg/sys/hprompt ena activate individual CLI prompt
6. Enable remote access. All different variations for CLI, BBI, and socket-based
communication as well as user passwords and access rate settings per protocol are available.
Syntax:
/cfg/sys/access/{access protocol}/{parameter}
Lab Configuration:
/cfg/sys/access/tnet ena enables telnet access via if-address
/cfg/sys/access/sshd/on enables ssh access via if-address
enable ssh or telnet only via serial connection
apply activates remote access
save saves the switch configuration, confirm with y
8. Ping the remote devices on the network from your Alteon CLI to confirm Layer 3
connectivity.
Syntax:
ping {host name} or {IP address}, optionally followed by the number of attempts
{tries 1-32}, the interval between packets {msec delay}, and the port on which the
packet will be sent {-mgmt or -data}.
9. Open any browser on your client PC to retrieve a Web page from each server to confirm
HTTP is operational
http://10.200.#.100 e.g. for team21 http://10.200.21.100
10. Use telnet or SSH on the client to connect directly to the switch. Enter admin as the
password to access the switch.
The purpose of this hands-on was to familiarise yourself with the console
connection setup. After completing your configuration, you were shown how to
enable, apply, and save your settings for future use.
Please go ahead with the exercises on the following pages to save the
configuration of this switch.
Cut and Paste Switch Configuration
OBJECTIVE:
Edit the switch configuration using copy and paste.
ASSIGNMENT:
Take the active configuration file and modify it by copying a command string to the
clipboard, pasting it to the terminal interface and saving it as your new active configuration.
1. Configure what output to display on the terminal screen. Use the verbose command.
Syntax:
verbose {0, 1, 2} Sets the level of information displayed on the screen:
0 = Quiet: Nothing appears except errors—not even prompts.
1 = Normal: Prompts and requested output are shown, but no menus.
2 = Verbose: Everything is shown.
When used without a value, the current setting is displayed.
2. Save the switch configuration as a text file:
Lab Configuration:
a) Type verbose 0 on the switch; this puts the switch in ‘quiet’ mode.
b) Display the configuration by the /cfg/dump command, mark all or parts of this
config, copy it to the clipboard and paste it to a text file. As alternative to
mark-copy-paste, you can use the terminal feature to copy data input to a file.
For Putty application:
select Change Settings → Session → Logging → printable output
Label the file SW.txt and save it in the desktop of your Team-PC
c) Type verbose 2 <enter> on the switch, and restore default mode.
3. Edit the switch configuration file, SW.txt, stored in the desktop directory using any text
editor (e.g. Wordpad).
4. Make a change. For example, add an interface: type the following line below the “if 2”
command lines in the SW.txt file:
/cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena
A single line is allowed, as is any number of spaces and tabs.
5. Copy the command line you just typed onto the clipboard. Mark:
/cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena
Paste this line to Alteon terminal window and watch terminal output.
6. Log into the switch and double check that this change is pending.
diff check if change is received
8. Dump the switch configuration to the screen and verify that the edited line was applied:
/cfg/dump or short /c/d
In this lab exercise, you learned how to drag and drop a series of commands into the terminal
interface, and how to set up a switch configuration from a saved text file.
OBJECTIVE:
To become familiar with uploading and downloading a configuration file to an FTP or TFTP
server.
ASSIGNMENT:
Use the FTP/TFTP server 3CDaemon (3CD) located in your Team-PC quick launch
area. Transfer the current configuration from the switch to Team-PC using the FTP or
TFTP server. Set the switch back to factory default. To restore the configuration you
must set up at minimum a public interface and depending on your topologies a default
gateway. No VLAN/STG config is necessary. Transfer the stored file from the
FTP/TFTP server back to your switch.
Do not forget to verify that the configuration was transmitted correctly to the switch or the
FTP/TFTP server when uploading and downloading switch configuration files.
1. Start the 3CD FTP or TFTP service on your Team-PC. If it is not installed, a copy of this
application is on your CD-ROM drive tools folder.
2. Write down the IP address of your local PC, which is the FTP/TFTP server:___________
Check the configuration file of the FTP or TFTP server. The user directory points to where
the files will be stored or loaded.
1. Store the Alteon configuration on your Team-PC. You can use either FTP or TFTP.
Lab configuration:
/cfg/ptcfg used to upload the active configuration to a FTP server
Enter IP address of FTP/TFTP server: 192.168.150.x addr of your Team-PC
Enter name of file on FTP/TFTP server: Router.doc
Enter username for FTP server or hit return for TFTP server: anonymous
Enter password for username on FTP server: any
2. Check that the file (Router.doc) was created on the Team-PC by checking the root directory of
the server application. Open this file with the WordPad text editor.
5. Set your switch to factory default to clear all current configuration settings. Loading this
setting requires resetting the switch. Keep your management interface.
/boot/conf f/reset
6. After reboot, log in again and enter the following commands to set up an interface and a
default gateway for communication to Team-PC.
/cfg/l3/if 1/mask 255.255.255.0/addr 192.168.100.#/ena
/cfg/l3/gw 1/addr 192.168.100.254/ena
/cfg/port 2/dis to isolate server net
apply activates new setting
ping 192.168.150.x to verify communication to FTP-Server/Team-PC
8. To load the restored config at the next reboot, select active config
/boot/conf active
This lab should have made you more comfortable with the ptcfg and the gtcfg
commands to upload and download a switch configuration onto a FTP or TFTP server.
OBJECTIVE:
Monitor and configure the switch using the Browser Based Interface (BBI) also called Web UI
and Application Switch Element Manager (ASEM).
ASSIGNMENT:
Use the configuration from the previous lab. Enable SNMP for ASEM and HTTP for remote
BBI access to the switch. View or modify the switch configuration.
Lab configuration:
/cfg/sys/access/http e
wport 8000 optional set HTTP server listening to port number 8000
2. apply
Insert VLAN ID 11, Name, Enable it and associate Spanning Tree Group 1, select
Available port 1 and move it to Configured. Press Submit and Apply button to activate this
change. Each change is confirmed at BBI Log Messages field.
Add another VLAN ID 14 and use port 2.
9. Configure the interfaces for the switch as shown in the Lab Description pages. You must
create a separate interface for each network that you want to connect directly to this
switch. The interface index number used is independent of any physical port, VLAN etc. A
common number for port, VLAN and interface will simplify debugging and management. At
Configure tab select Layer3, IP Interfaces and click the Add button.
10. Set the default gateway. Destination IP addresses that are not from local networks or do
not match routing table entries are sent to this destination. GW 1 to 4 is for all VLANs, GW 5
to 259 can each be associated to one VLAN. Select Gateways and Add, Gateway ID 1, IP
Address is 192.168.100.254 and turn state to Enable and click Submit and Apply buttons
to activate this change. The settings are the same for all teams.
11. Some options are also available for CLI access. A login banner displays some
customer-dependent information at CLI login. A notice is visible at logout. If you are
logged out too quickly during configuration, adjust Idle Timeout. This value is also
applicable for HTTP and HTTPS access. Instead of a standard prompt, the SNMP name is
displayed by selecting Hostname. These options are at Configure-System-Management
Access-CLI or SNMP.
System-Ports-General or Layer 1 to IP specific details.
Layer 2 main menu
System-Capacity, displays maximum and allocated amount of items
Layer 2 and sub menus for FDB, STG Trunk and Port Teams
Layer 3 and sub menus for Routes, Interfaces and several routing protocols.
/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
tftp mgmt
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/sys
idle 999
/c/sys/access
snmp w
http ena
tnet ena
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/l2/vlan 1
learn ena
def 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 … 28
/c/l2/vlan 11
ena
name "VLAN 11"
learn ena
def 1
/c/l2/vlan 14
ena
name "VLAN 14"
learn ena
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
ena
ipver v4
addr 192.168.100.21
vlan 11
/c/l3/if 2
ena
ipver v4
addr 10.200.21.21
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
ipver v4
addr 192.168.100.254
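A configuration-review check for the management-access lines of a dump like the one above, as an added example that is not part of the original manual or of Radware's tooling. The sample dump is constructed in the same layout, and the menu tree, finding names and idle threshold are assumptions of this example.

```python
# Menu words taken from the commands shown in this manual (assumed subset of the CLI tree).
MENU_TREE = {"c": {"sys": {"access": {"sshd": {}}, "mmgmt": {"port": {}}, "ssnmp": {}},
                   "port": {}, "l2": {"vlan": {}, "stg": {}}, "l3": {"if": {}, "gw": {}}}}
IDLE_LIMIT = 60  # assumed review threshold, in the unit the device uses; not a default

# Constructed sample in the /cfg/dump layout; not taken from a real device.
SAMPLE_DUMP = """\
/c/sys/mmgmt
    addr 10.10.242.21
    mask 255.255.248.0
    gw 10.10.240.1
    ena
    tftp mgmt
/c/sys
    idle 999
/c/sys/access
    snmp w
    http ena
    tnet ena
/c/l2/stg 1/off
/c/l3/if 1
    ena
    addr 192.168.100.21
    vlan 11
"""


def split_header(line):
    """Split '/c/l2/stg 1/off' into the menu path '/c/l2/stg 1' and inline commands."""
    node, menu, cmds = MENU_TREE, [], []
    for seg in line.strip("/").split("/"):
        words = seg.split()
        if not words:
            continue
        key = "c" if words[0] == "cfg" else words[0]  # /cfg and /c are the same menu
        if not cmds and key in node:
            menu.append(" ".join([key] + words[1:]))
            node = node[key]
        else:
            cmds.append(words)
    return "/" + "/".join(menu), cmds


def parse_dump(text):
    """Return {menu path: [command words, ...]} for a dump or a pasted one-line command."""
    sections, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*") or line.startswith("script"):
            continue  # blank lines, version comment, start/end markers
        if line.startswith("/"):
            path, cmds = split_header(line)
            sections.setdefault(path, []).extend(cmds)
        elif path is not None:
            sections[path].append(line.split())
    return sections


def is_on(words):
    """True for 'ena', the abbreviation 'e', or 'on' as the setting's value."""
    return len(words) > 1 and (words[1].startswith("e") or words[1] == "on")


def audit(sections):
    """Return (finding id, message) pairs for management-access settings."""
    findings = []
    access = {w[0]: w for w in sections.get("/c/sys/access", [])}
    ssh_on = any(w[0] in ("on", "ena") for w in sections.get("/c/sys/access/sshd", []))
    if is_on(access.get("tnet", [])):
        note = "" if ssh_on else "; SSH is not enabled"
        findings.append(("telnet-enabled", "Telnet CLI access is enabled" + note))
    if is_on(access.get("http", [])):
        findings.append(("http-enabled", "BBI is reachable over plain HTTP"))
    snmp = access.get("snmp", [])
    if len(snmp) > 1 and snmp[1].startswith("w"):
        findings.append(("snmp-write", "SNMP write access is enabled"))
    for w in sections.get("/c/sys", []):
        if w[0] == "idle" and len(w) > 1 and w[1].isdigit() and int(w[1]) > IDLE_LIMIT:
            findings.append(("idle-timeout", "idle timeout %s exceeds %d" % (w[1], IDLE_LIMIT)))
    return findings


if __name__ == "__main__":
    for finding_id, message in audit(parse_dump(SAMPLE_DUMP)):
        print(finding_id + ": " + message)
```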
Overview
Description
Server Load Balancing (SLB) allows you to configure the Alteon to balance user session
traffic among a pool of available servers that provide shared services. In an average
network that employs multiple servers without server load balancing, each server usually
specializes in providing one or two unique services. If one of these servers provides
access to applications or data that is in high demand, it can become over-utilized. Placing
this kind of strain on a server can decrease the performance of the entire network, as user
requests are rejected by the server and then resubmitted by the user stations. Ironically,
over-utilization of key servers often happens in networks where other servers are actually
available. The solution to getting the most from your servers is SLB. With this software
feature, the switch is aware of the services provided by each server. The switch can direct
user session traffic to an appropriate server, based on a variety of load-balancing
algorithms. To provide load balancing for any particular type of service, each server in the
pool must have access to identical content, either directly (duplicated on each server) or
through a back-end network (mounting the same file system or database server). The
Alteon, with the SLB feature enabled, acts as a front-end to the servers, interpreting user
session requests and distributing them among the available servers.
Load balancing in the Alteon Operating System can be done in the following ways:
• Virtual server-based load balancing; this is the traditional load balancing method.
The switch is configured to act as a virtual server and is given a virtual server IP
address (or range of addresses) for each collection of services it distributes.
Depending on your switch model, there can be as many as 1024 virtual servers on
the switch, each distributing up to eight different services. Each virtual server
points to a list of up to 1024 IP addresses of real servers in a pool where its
services reside. This pool is called a group. A maximum of 1024 groups are
possible. The method of distribution, called the metric, and how to determine a real
server as healthy, the health check (hc), are important configuration parameters.
When the user stations request connections to a service, they communicate with a
virtual server on the switch. When the switch receives the request, it binds the
session to the IP address of the best available real server and remaps the fields in
each frame from virtual addresses to real addresses. HTTPS, HTTP, IP, FTP,
RTSP, and IDS, are examples of some of the services that use virtual servers for
load balancing.
• Filtered-based load balancing; A filter allows you to control the types of traffic
permitted through the switch. Filters are configured to allow, deny, or redirect traffic
according to the IP address, protocol, or Layer 4 port criteria. In filtered-based load
balancing, a filter is used to redirect traffic to a real server group. If the group is
configured with more than one real server entry, redirected traffic is load balanced
among the available real servers in the group. For example SSL acceleration,
Firewalls, WAP with RADIUS snooping, IDS, and WAN links use redirection filters
to load balance traffic.
• Content-based load balancing; Content-based load balancing uses Layer 7
application data, such as URL, cookies, and Host Headers, to make intelligent load
balancing decisions. URL-based load balancing, browser-smart load balancing and
cookie-based preferential load balancing are a few examples of content-based
load balancing.
When deploying SLB, there are a few key aspects to consider. In standard SLB, all client
requests to a virtual server IP address and all responses from the real servers must pass
through the switch. If there is a path between the client and the real servers that does not
pass through the switch, the Alteon can be configured to proxy requests to guarantee that
responses use the correct path. Identical content must be available to each server in the
same pool. Either static applications and data are duplicated on each real server in the
pool or dynamic applications where each real server in the pool has access to the same
data through use of a shared file system or back-end database server. To take advantage
of multi-CPU or multi-processor servers, configure the Alteon Operating System to map a
single virtual port to multiple real ports. This capability allows the site managers, for
example, to differentiate users of a service by using multiple service ports to process client
requests. This feature allows the network administrator to configure up to 16 real ports for
a single service port, and it is supported in Layer 4 and Layer 7 and in cookie-based and
SSL-persistent switching environments. When mapping multiple real ports on each real
server to a virtual port, the Alteon treats the real server IP address/port mapping
combination as a distinct real server.
Clients and servers can be connected through different ports or through the same switch
port. Each port in use on the switch can be configured to process client requests, server
traffic, or both. Configure only the necessary processes since each one requires switch
resources. It is possible to enable or disable processing on a port independently for each
type of Layer 4 traffic. Ports that are configured for Layer 4 client processing, process user
request traffic, which provides address translation from the virtual server IP to the real
server IP address. Ports configured for Layer 4 server processing, process application
responses to user requests. Translation from the real server IP address to the virtual
server IP address occurs on the server enabled port. Real servers are connected to the
Alteon directly, or through a router, or another switch. Switch ports configured for Layer 4
client/server processing can simultaneously provide Layer 2 switching and IP routing
functions. The switch must have an IP route to all of the real servers that receive switching
services.
For each network directly attached to this switch, an IP interface is required. Suitable
Layer 2 settings, Spanning Tree or VLANs as well as static or dynamic routing must be set
up. For each real server, you assign a real server number, specify its actual IP address,
and enable the real server. Define a real server group and add all real servers belonging
to the same application to this service group. All client requests are addressed to a virtual
server IP address (VIP) on a virtual server (VIRT) defined on the switch. Clients acquire
the virtual server IP address through normal DNS resolution. This VIP is assigned either
only a Layer 3 IP address or, more usually, a Layer 4 service.
By default, the service protocol is TCP, although UDP is also possible. For example,
HTTP or TCP destination port 80 is configured as the service running on this virtual
server, and this service is associated with the real server group containing all real servers
for this application. This switch is not limited to HTTP Web service. Other TCP/UDP/IP
services can be configured in a similar fashion. The protocol and a destination port must
always be specified. Well-known services can be set up by name alone. For a list of other
well-known services and ports, see "Well-Known Application Ports" in the Application
Guide. A maximum of eight services are possible per VIRT. If more services are required,
create another VIRT using the same VIP again for the next eight services and so on. The
Server Load Balancing feature must be turned on. After applying all configurations, the
health check process starts and should report the available real server with the lowest
number. If one server is up, an “up” message for the VIP is displayed as well. A similar
“up” message follows for each of the other real servers. If different real ports are load
balanced on a single real server, a separate message is displayed for each port.
Objectives
After completing this lab, you will be able to:
• Connect to the Alteon using a console connection.
• Configure standard SLB.
• Repeat to save configurations to file.
• Optionally, set up load balancing services on multiple Layer 4 ports.
Assignment
All your network devices are connected via Ethernet cables as shown in the
Lab Description pages. In order to configure this switch, connect serial to your
assigned switch via a terminal server.
Configure the Alteon to support basic load balancing.
If you successfully completed the previous basic lab, start with step one.
Otherwise, perform the basic configuration described in Basic Switch
Configuration. Set up Layer 4 real servers and bind them to a group. Use
round robin as the metric and TCP for the health check. Configure a virtual
server with a virtual IP and HTTP as the load balancing service. Associate it to
the previously configured group. Enable client and server Layer 4 processes
on the ports. Enable the server load balancing feature. Please watch the
health check messages on your terminal screen after applying this config.
Save this configuration to file. Connect to the VIP Home Page using Internet
Explorer or FireFox browser and test SLB functionality.
Optionally, set up load balancing for multiple ports. Assign the application port
number used by the individual server on the switch to the real server
configuration supporting this service. Change the real port for the VIP/service
to zero value to enable real port look up.
Configure Switch
Console Setup
On your Team-PC, the Putty application is already set up with individual icons
to connect via serial to the Alteon. Be aware that a serial connection can only
be established from one PC to one switch. A second connection will fail. For a
second connection, enable Telnet or SSH or use any GUI.
CLI SLB configuration of the Switch
1. If you prefer to use the graphical user interface (BBI) instead of the CLI, make sure it is
enabled. See page 22 for how to do this, if not already done. Continue on page 101.
2. Log into the switch, enter the admin password – admin.
3. Check the current configuration of your switch. The cfg menu dump option displays all
settings that differ from the Radware factory default configuration.
Syntax:
/cfg/{submenu} all parameters for the Radware Alteon are set up in the different
cfg submenus.
Lab Configuration:
/cfg/dump shorthand /c/d
This displays your configuration. Check the printout, to make sure all entered data is
correct and enabled. Use ping to PCs and server to test the config.
4. Configure PIP to translate SrcIP to server net address
Syntax:
/cfg/slb/pip/type port or vlan select general pip mode
/cfg/slb/pip/address physical-port add IP address static for port
Lab Configuration:
/c/slb/pip/type port you can also skip this line since it is default
/c/slb/pip/add 10.200.#.42 1 add a static s-address translation on port 1
Syntax:
rip {real server IP address} IP address of real server
Lab Configuration:
rip 10.200.#.100 replace # by your team number
ena enables each real server
It is also possible to put all commands into a single command line. For example go up one
menu .., select a next server index real 2, provide IP address rip 10.200.21.200
and enable it.
../real 2/rip 10.200.#.200/ena Server2 setup. Replace # by your team
number again.
apply activates configuration
6. Add all real servers belonging together for a service to a group
Syntax:
/cfg/slb/group {group index number} add all real servers and group parameters
at this menu.
Lab Configuration:
/cfg/slb/group 1 shorthand /c/sl/gr 1
Syntax:
add {real server index} Number of the real server configured in step
Lab Configuration:
add 1 add real server 1 to group 1
add 2 add real server 2 to group 1
Syntax:
metric {algorithm to select next rip} even distribution metrics are
leastconns, roundrobin, response and bandwidth. Default value is leastconns.
Lab Configuration:
metric roundrobin enable round robin distribution
Syntax:
health {rip availability test method } several options from link, arp, icmp,
tcp up to content specific are available.
Default value is tcp.
Lab Configuration:
health icmp enables ping to health check real server
7. Configure the virtual IP. This is the entry or termination IP address for a specific service.
Syntax:
/cfg/slb/virt {virtual server index number} set up all parameters for a
virtual server at this menu.
Lab Configuration:
/cfg/slb/virt 1 shorthand /c/sl/vi 1
Syntax:
vip {virtual server IP address} IP address of virtual server
Lab Configuration:
vip 192.168.100.2# replace # by your team number
ena enables each virtual server
Syntax:
service {virtual port name} The virtual port name can be
a well-known port name, such as http, ftp, etc. or a service number. The allowable port
range is from 9 to 65534. For a list of all names, look up the Command Reference Guide
and search for ‘sport’ at ‘/cfg/slb/filt’ section. By default, group 1 is associated. Specify
different numbers.
Lab Configuration:
service http shorthand se 80
8. Enable the client on the client port and server processing on the server port. In case of
PIP skip server processing. Setup only proxy processing.
Syntax:
/cfg/slb/port {number}/{service ena} Enable a required SLB service on this
specific physical port. Services are client, server, proxy etc.
Lab Configuration:
/cfg/slb/port 1/client ena shorthand /c/sl/po 1/cl e
/cfg/slb/port 1/proxy ena shorthand ../po 1/pr e
9. Turn the SLB feature on, and apply and save the switch configuration
Syntax:
/cfg/slb/{processing status} Value on, enables SLB feature. Default is off.
Lab Configuration:
/cfg/slb/on shorthand /c/sl/on
apply .... this activates the configuration
save ..... this writes config to flash memory and confirm y
y ........ confirms writing
10. After applying your changes, the switch should report that the real and virtual servers are
operational.
Date Time NOTICE slb: real server 10.200.1.100:80 operational
Date Time NOTICE slb: Services are available for virtual server 192.168.100.221
Date Time NOTICE slb: real server 10.200.1.200:80 operational
11. Log in to the switch and check the current SLB configuration.
Lab Configuration:
/c/slb/cur
12. Verify that SLB is working. Open a Web browser on Team-PC e.g. FireFox or MS Internet
Explorer.
For example, for team 21 enter http://192.168.100.221
You should see a response showing that you have reached Server 1 or Server 2.
If you refresh the screen by pressing CTRL/F5, the display does not change. The reason
for this behavior is that this session (HTTP 1.1) still remains! To get load balancing, close
the browser and open a new window. For your convenience set http://192.168.100.2# as
default start page.
13. Verify SLB is working from the statistics menu in the switch.
Syntax:
/stats/slb/virt {virtual server}
Lab Configuration:
/stat/slb/virt 1 shorthand /st/sl/vi 1
14. Generate traffic by opening a new browser window to your VIP several times; return to the
switch CLI and note changes to the switch statistics.
In the switch CLI, press the cursor up (↑) key to repeat the command to display statistics.
(command /stats/slb/virt 1)
15. Clear the session table and repeat testing SLB (steps 11 through 14)
Syntax:
/stats/slb/{Layer-4-item} The Clear option resets all non-operating SLB
statistics on the Alteon to zero. This command does not reset the switch and does not
affect the counters required for Layer 4 and Layer 7 operation, such as current real server
sessions and all related SNMP counters.
Lab Operation:
/stat/slb/clear shorthand /st/sl/cl
16. Save this SLB configuration to a file on the Team-PC. This configuration will be the base
for the following labs.
Lab Configuration:
/cfg/ptcfg and specify team PC IP address, file name and for FTP account and password.
Alternatively dump configuration and copy and paste configuration into a text file.
Lab Configuration:
/cfg/dump shorthand /c/d
Mark configuration and copy it to clipboard. Paste it to a text editor. Use Notepad etc.
Load balancing for available services on different servers is an option. There are two web
servers, one equipped with two CPUs, the other with four CPUs. For each CPU a separate
Web application instance, e.g. Apache, is installed. Our customer wants the load balanced
evenly across each of these CPUs. Set up the real servers for multi-port SLB using the
switch CLI.
Syntax:
/cfg/slb/real {real server index number}/addport {L4-port number
used at application} set up Layer 4 port numbers used at application for a real
server.
Lab Configuration:
/cfg/slb/real 1/addport 80 shorthand /c/sl/re 1/add 80
/cfg/slb/real 1/addport 81 shorthand add 81
/cfg/slb/real 2/addport 80 shorthand ../re 2/add 80
/cfg/slb/real 2/addport 81 shorthand add 81
/cfg/slb/real 2/addport 82 shorthand add 82
/cfg/slb/real 2/addport 83 shorthand add 83
Syntax:
/cfg/slb/real {rip number}/weight {multiplier for load} Sets the
weighting value (1 to 48) that this real server will be given in the load balancing algorithms.
Higher weighting values force the server to receive more connections than the other
servers configured in the same real server group. By default, value one is set.
Lab Configuration:
/cfg/slb/real 2/weight 2 shorthand /c/sl/re 2/we 2
17. If multiple service ports per real server are set up, a separate metric for these services is
available.
Syntax:
/cfg/slb/group {group number}/rmetric {metric} Real server metric usage
can be roundrobin, hash, or leastconns. Default is roundrobin.
Lab Configuration:
/cfg/slb/group 1/rmetric roundrobin
18. Set up the real port for a service on a virtual server for multi-port SLB. The allowable real
L4-port range is from 1 to 65534. If rport is set to 0, multiple real ports are enabled. The
metric configured at group level first selects a real server. With rport set to zero, the rmetric
then determines the port, depending on the configured values and the healthy services at the
real server. Only one service per virt can be set to rport 0.
Syntax:
/cfg/slb/virt {virt number}/service {L4-port number}/rport {real
L4-port number}
Lab Configuration:
/cfg/slb/virt 1/service 80/rport 0
apply .... this activates the configuration
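The two-stage selection of the multi-port setup above, modelled in Python as an added example (not Radware code and not part of the original manual): the group metric picks a real server, then rmetric picks one of that server's healthy ports. Treating weight as the number of turns a server gets per round-robin cycle is an assumption of this model, and the class and function names are hypothetical.

```python
"""Model of multi-port SLB with rport 0: group metric, then rmetric."""
from collections import Counter

# Real servers as configured in the lab: index -> application ports and weight.
REALS = {
    1: {"ports": [80, 81], "weight": 1},
    2: {"ports": [80, 81, 82, 83], "weight": 2},
}


class MultiPortGroup:
    def __init__(self, reals):
        self.reals = reals
        # Every (real server, port) pair starts out healthy.
        self.healthy = {(i, p) for i, r in reals.items() for p in r["ports"]}
        self._server_pos = 0                      # cursor of the group metric
        self._port_pos = {i: 0 for i in reals}    # cursor of rmetric, per server

    def mark_down(self, real, port):
        """Record a failed health check for one service port."""
        self.healthy.discard((real, port))

    def _schedule(self):
        # Assumption: weighted round robin gives a server `weight` turns per
        # cycle, and a server with no healthy port gets no turn at all.
        turns = []
        for i in sorted(self.reals):
            if any((i, p) in self.healthy for p in self.reals[i]["ports"]):
                turns.extend([i] * self.reals[i]["weight"])
        return turns

    def select(self):
        """Return (real server index, real port) for the next connection."""
        turns = self._schedule()
        if not turns:
            return None                           # nothing healthy in the group
        real = turns[self._server_pos % len(turns)]
        self._server_pos += 1
        ports = [p for p in self.reals[real]["ports"] if (real, p) in self.healthy]
        port = ports[self._port_pos[real] % len(ports)]
        self._port_pos[real] += 1
        return real, port


def distribution(group, connections):
    """Count how many of `connections` new connections each (real, port) gets."""
    return Counter(group.select() for _ in range(connections))


if __name__ == "__main__":
    for target, hits in sorted(distribution(MultiPortGroup(REALS), 600).items()):
        print(target, hits)
```

With the lab values (two ports on real 1, four on real 2, weight 2 on real 2) each of the six application instances receives the same share. Without the weight, the instances on real 1 take twice the load of those on real 2.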
Did you get all nine health check messages? Why did you get only three?
19. Access web server via VIP and generate traffic by opening several Browser windows.
Lab Operation:
/stat/slb/virt 1
20. Remove the weighting setting from all real servers and turn rport back to 80 for the next labs.
/c/slb
on
/c/slb/real 1
ena
rip 10.200.21.100
name "server1"
addport 80
addport 81
/c/slb/real 2
ena
rip 10.200.21.200
name "server2"
addport 80
addport 81
addport 82
addport 83
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
rport 0
/
Overview
Description
In a typical SLB environment, traffic comes from various client networks across the Internet to
the virtual server IP address on the Alteon. The switch then load balances this traffic among
the available real servers. Some SLB services require that a series of client requests go to the
same real server so that session-specific state data can be retained between connections.
Services of this nature include Web search results, multi-page forms that the user fills in, or
custom Web-based applications typically created by using scripts. Connections for these
types of services must be configured as persistent. In any authenticated Web-based
application, it is necessary to provide a persistent connection between a client and the content
server to which it is connected. Because HTTP does not carry any state information for these
applications, it is important for the browser to be mapped to the same real server for each
HTTP request until the transaction is complete. This ensures that the client traffic is not load
balanced mid-session to a different real server, forcing the user to restart the entire
transaction. Persistence-based SLB enables the network administrator to configure the
network to redirect requests from a client to the same real server that initially handled the
request. In the Alteon, persistence can be based on source IP address, cookies, and Secure
Sockets Layer (SSL) session ID.
Until recently, the only way to achieve TCP/IP session persistence was to use the source IP
address as the key identifier. There are two major conditions which cause problems when
session persistence is based on a packet’s IP source address. Proxied clients appear to the
switch as a single source IP address. Requests are directed to the same server, without the
benefit of load balancing the traffic across multiple servers. Persistence is supported without
the capability of effectively distributing traffic load. When individual clients share a pool of
source IP addresses, persistence for any given request cannot be assured. Although each
source IP address is directed to a specific server, the source IP address itself is randomly
selected, thereby making it impossible to predict which server will receive the request. SLB is
supported, but without persistence for any given client. For IP load balancing at OSI Layer
3/4, the metrics minmisses, hash, phash and timer based are available. HTTP and HTTPS
persistence based on client IP allows you to store this session based on the client IP address
for a configurable time at the session table. This enables a common persistence for both
HTTP and HTTPS sessions.
Cookies are strings passed via HTTP from servers to browsers. Based on the mode of
operation, cookies are inserted by either the Alteon or the server. After a client receives a
cookie, a server can poll that cookie with a GET command, which allows the querying server
to positively identify the client as the one that received the cookie earlier. The cookie-based
persistence feature solves the proxy server problem and gives better load distribution at the
server site. In the Alteon, cookies are used to route client traffic back to the same physical
server to maintain session persistence.
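The two source-IP problems described above, and the effect of keying persistence on a cookie instead, as an added Python example (not from the original manual and not Alteon code). The persistence table, the client and cookie names and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration; the real server addresses are those of the lab.

```python
"""Persistence keyed on source IP versus on a cookie (constructed traffic)."""
from collections import Counter, defaultdict

SERVERS = ["10.200.21.100", "10.200.21.200"]  # real servers from the lab


class PersistenceTable:
    """Binds each new key to the next server (round robin), then sticks to it."""

    def __init__(self, servers):
        self.servers = servers
        self.bindings = {}

    def route(self, key):
        if key not in self.bindings:
            nxt = len(self.bindings) % len(self.servers)
            self.bindings[key] = self.servers[nxt]
        return self.bindings[key]


def simulate(requests, key_field):
    """Route requests by one field; return load per server and the set of
    servers each client ended up on."""
    table = PersistenceTable(SERVERS)
    load, seen = Counter(), defaultdict(set)
    for req in requests:
        server = table.route(req[key_field])
        load[server] += 1
        seen[req["client"]].add(server)
    return load, seen


def proxied_traffic(clients=100, requests_each=5, proxy_ip="203.0.113.10"):
    """Constructed case 1: every client sits behind one proxy address."""
    return [{"client": c, "src_ip": proxy_ip, "cookie": f"sid-{c}"}
            for c in range(clients) for _ in range(requests_each)]


def pooled_traffic(clients=10, requests_each=20, pool_size=4):
    """Constructed case 2: each request leaves through another address of a
    shared pool. The text describes random selection; rotation is used here
    so that the run is repeatable."""
    pool = [f"198.51.100.{i + 1}" for i in range(pool_size)]
    return [{"client": c, "src_ip": pool[(c + n) % pool_size], "cookie": f"sid-{c}"}
            for c in range(clients) for n in range(requests_each)]


if __name__ == "__main__":
    for name, traffic in (("proxied", proxied_traffic()), ("pooled", pooled_traffic())):
        for key in ("src_ip", "cookie"):
            load, seen = simulate(traffic, key)
            moved = sum(1 for s in seen.values() if len(s) > 1)
            print(f"{name:8} key={key:7} load={dict(load)} clients_moved={moved}")
```

Keyed on source IP, the proxied clients all land on one server and every pooled client is moved between servers mid-session. Keyed on the cookie, load is spread evenly and no client moves.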
The SSL session ID is effective only when the server is running SSL transactions. Because of
the heavy processing load required to maintain SSL connections, most network configurations
use SSL only when it is necessary. On some computer operating systems, this SSL session
ID is changed at intervals. Depending on the length of the interval, persistency might not work
well for these systems.
Objectives
After completing this lab, you will be able to do the following:
• Configure IP persistence by using Hash or Minmisses
• Configure L7 cookie persistence by using passive, rewrite or insert mode
Assignment
Physically your network is wired according to the Lab Description diagram.
Connect to the switch for configuration via the terminal server, SSH or telnet to
the switch.
If your previous SLB configuration is no longer working, set the switch back to
the factory default and load the saved SLB configuration.
The first exercise will be a Layer 3 persistent configuration. Since L3 handles
only IP addresses, hash or minmisses are used as the metric.
The next exercise enhances the setup with Layer 7 persistency. As this
depends on the application, we will use HTTP as the L7 application in this lab.
Passive cookies, cookie rewrite, and cookie insert will be used to provide
persistence.
4. Optionally, you can restore the switch configuration on CLI via FTP/TFTP. Use the
FTP/TFTP server installed on your Team-PC, the 3CDaemon application. For details, see
the section “Upload and Download Config to FTP/TFTP Server” in the Basic Configuration
lab on page 20.
Lab Configuration:
/cfg/gtcfg retrieve config data.
5. Optionally, you can restore the switch configuration on BBI via FTP/TFTP. Use the
FTP/TFTP server installed on your Team-PC, the 3CDaemon application. For details, see
the basic configuration lab page 24.
Configure Persistency for Layer 3 Load Balancing
1. Enable HASH as the metric:
Syntax:
/cfg/slb/group {group-index-number}/metric {algorithms} metric sets the
load balancing algorithm used for determining which real server in the group will be the
target of the next client request. For persistency, hash, phash or minmisses are possible.
Lab Configuration:
/cfg/slb/group 1/metric phash shorthand /c/sl/gr 1/me pha
Current real server group 1:
name , metric phash mask 255.255.255.255, backup none, ...
real servers:
/stat/slb/group 1
Real server group 1 stats:
                     Current    Total  Highest
Real IP address     Sessions Sessions Sessions    Octets
---- -------------  -------- -------- -------- ---------
   1 10.200.21.100         2        2        2    379701
   2 10.200.21.200         0        0        0     37620
---- -------------  -------- -------- -------- ---------
                           2        2        2    417321
The results of this /stat query will vary according to the configuration specific to your
group. The numbers will not be the same, this is just an example.
6. Change the value from phash to minmisses and repeat steps 2 and 4 or optional 3 and 5.
2. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for
content load balancing.
Syntax:
/cfg/slb/adv/direct {status} it is by default disabled
Lab Configuration:
/cfg/slb/adv/direct ena shorthand /c/sl/adv/di e
3. Select the appropriate load balancing metric for the real server group if no cookie is
present. Choose a non-persistent metric.
Syntax:
metric {algorithm to select next rip} even distribution metrics are
leastconns, roundrobin, response and bandwidth. Default value is leastconns.
Lab Configuration:
/c/slb/group 1/metric roundrobin enable round robin distribution
apply activate configuration
cur verify your configuration
4. To have cookie persistency, we need to get a cookie from the web server. The web
application on port 88 is cookie enabled.
Syntax:
/cfg/slb/virt {number}/service {port number}/rport {port number}
At the browser a standard port is selected and then translated to the port number specified
at rport prompt.
Lab Configuration:
/cfg/slb/virt 1/service 80/rport 88
At the browser a standard port 80 is selected and then translated to rport 88.
apply activate configuration
5. Clear the session table, open a new browser to your VIP several times, and get SLB
statistics
Syntax:
/stats/slb/{Layer-4-item} The option clear resets all non-operating SLB
statistics on the Alteon to zero. This command does not reset the switch and does not
affect the counters required for Layer 4 and Layer 7 operation, such as current real server
sessions and all related SNMP counters.
Lab Operation:
/stat/slb/clear shorthand /st/sl/cl
Generate traffic by opening a new browser window to your VIP several times; return to the
switch CLI and execute the command for displaying statistics. Note changes.
Lab Operation:
/stats/slb/virt 1 shorthand /st/sl/vi 1
6. By default, the switch checks the case of any string, e.g. a cookie name. Disable case
sensitivity if there is no need to discriminate between upper and lower case.
Syntax:
/cfg/slb/layer7/slb/case {mode}
Lab Configuration:
/cfg/slb/layer7/slb/case dis/apply
7. Enable passive cookie-based persistence on the virtual server service.
Syntax:
/cfg/slb/virt {virtual-server}/service {port}
pbind {option mode name offset length URI}
option is the type of persistent bindings. It is disabled by default. Possible options are
clientip, sslid and cookie.
For cookie, mode can be passive, rewrite or insert.
name specifies the cookie name that this service is looking for.
offset is for passive mode, and is the starting point of the cookie value (1-64 bytes).
length is for passive mode, and is the number of bytes to extract (1-64).
URI selects whether to look for the cookie in the URI field. If the cookie name or value is in
the URI, enter e to enable this option. To look for the cookie in the HTTP header, enter d to
disable this option.
Lab Configuration:
/cfg/slb/virt 1/service 80 (or HTTP) shorthand /c/sl/vi 1/se 80
pbind you can enter all parameters in one line or be prompted for each separately
Enter clientip|cookie|sslid|disable persistence mode: cookie
Enter passive|rewrite|insert cookie persistence mode [p/r/i]: p
Enter Cookie Name: ASPSESS*
Enter the starting point of the cookie value [1-64]: 1
Enter number of bytes to extract [1-64]: 16
Look for cookie in URI [e|d]: d select disable, to look at HTTP header
apply
NOTE: If you want the switch to look for a cookie in the URL, enable “Look for cookie in
URI”. An example is in the Alteon Application Guide, at the Persistence chapter.
To test passive cookies, refer to steps 9 and 10. Since rewrite cookies are very similar, skip it
and test the rewrite settings only.
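How the pbind parameters from step 7 (cookie name ASPSESS*, starting point 1, 16 bytes, case sensitivity from step 6) act on HTTP headers, as an added Python model that is not Alteon code and not part of the original manual. It assumes that the trailing * is a glob-style wildcard, that the binding is learned from the server's Set-Cookie response, and that round robin is the fallback metric; the class name and the sample cookie values are constructed.

```python
"""Model of passive cookie persistence: pbind cookie passive NAME OFFSET LENGTH."""
from fnmatch import fnmatchcase
from itertools import cycle


class PassiveCookiePbind:
    def __init__(self, servers, name="ASPSESS*", offset=1, length=16,
                 case_sensitive=True):
        if not (1 <= offset <= 64 and 1 <= length <= 64):
            raise ValueError("offset and length must be in the range 1-64")
        self.name, self.offset, self.length = name, offset, length
        self.case_sensitive = case_sensitive
        self._fallback = cycle(servers)   # stands in for the group metric
        self.table = {}                   # extracted cookie bytes -> real server

    def extract_key(self, header_value):
        """Return the bytes used as the persistence key, or None when no
        cookie in the Cookie / Set-Cookie value matches the configured name."""
        for part in (header_value or "").split(";"):
            name, sep, value = part.strip().partition("=")
            if not sep:
                continue                  # attribute without a value, e.g. HttpOnly
            pattern = self.name
            if not self.case_sensitive:
                name, pattern = name.lower(), pattern.lower()
            if fnmatchcase(name, pattern):
                start = self.offset - 1   # the configured starting point is 1-based
                return value[start:start + self.length] or None
        return None

    def on_response(self, server, set_cookie):
        """Passive mode: learn the binding from the server's own Set-Cookie."""
        key = self.extract_key(set_cookie)
        if key is not None:
            self.table[key] = server

    def on_request(self, cookie):
        """Return the bound server, or fall back to the metric when the cookie
        is absent, does not match, or is not in the table yet."""
        key = self.extract_key(cookie)
        if key in self.table:
            return self.table[key]
        return next(self._fallback)


if __name__ == "__main__":
    lb = PassiveCookiePbind(["10.200.21.100", "10.200.21.200"])
    sample = "ASPSESSIONIDQQGGGNCG=KLMNOPQRSTUVWXYZABCD; path=/"  # constructed
    first = lb.on_request(None)           # no cookie yet: metric decides
    lb.on_response(first, sample)         # server sets the cookie, binding is learned
    print(first, lb.on_request("ASPSESSIONIDQQGGGNCG=KLMNOPQRSTUVWXYZABCD"))
```

Two sessions whose cookie values share the extracted bytes map to the same table entry, so the starting point and length should cover the part of the value that actually differs between sessions.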
Lab Configuration:
/cfg/slb/virt 1/service 80 (or HTTP) shorthand /c/sl/vi 1/se 80
pbind you can enter all parameters in one line or be prompted for each separately
Enter clientip|cookie|sslid|disable persistence mode: cookie
Enter passive|rewrite|insert cookie persistence mode [p/r/i]: r
Enter Cookie Name: ASPSESS*
Enter number of bytes to extract [8,16]: 8
Look for cookie in URI [e|d]: d disable, to look at HTTP header
apply
9. Confirm the cookie operation. Configure your browser to ignore cookies.
Lab Operation:
/stat/slb/clear to clear statistics
11. Change the VIP service HTTP rport value from 88 to 80 to simulate a server without
cookie support.
NOTE: If you have enough time left, also try date and duration cookie options.
13. Open a Web browser and select the VIP, e.g. http://192.168.100.221. This page will stay
persistent without using any cookie from a Web server.
14. Display the cookie with the Live HTTP Headers tool from the Firefox browser. Decode the
cookie hex value with the built-in command.
/info/slb/cookie 0x3e45de63f4e7afd9baeebabf
Virtual IP address: 192.168.100.221
Real IP address: 10.200.21.100
Real Server Port: 80
Real Server Index: 1
15. Remove all persistency settings for virtual server for the next labs. Change the rport from
88 to 80 if not already done at step 11.
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
…
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
rport 88
dbind ena
/c/slb/virt 1/service 80/pbind cookie passive ASPSESS* 1 16 disable
/c/slb/virt 1/service 80/rcount 1
Overview
Description
Traditionally, redirecting Web requests using content or user classification has been a function
of Web servers. However, Internet traffic and business growth is fast outpacing that of
computing power. Offloading content classification to Alteon provides advantages for the
entire Web site infrastructure. By examining the URL in a Web request, the Alteon can
determine the type of content requested, and direct the request to servers hosting the
requested URL. With content switching, Web site content can be segregated with no change
to the applications. This allows partial, instead of entire, content mirroring on each server and
makes it easy for e-businesses to deploy servers optimized for specific content types or
processing functions. HTTP version 1.1 allows multiple HTTP transactions to be transported
over a single TCP connection to reduce TCP processing overhead. A Layer 4 Alteon with no
content intelligence will forward all HTTP 1.1 requests on each TCP connection to a single
server. In contrast, a content switch can forward each request within the TCP connection to a
different server, increasing load distribution granularity. This optimizes resource utilization and
speeds overall Web site performance. Virtual hosting conserves IP addresses by allowing
multiple domains to be represented by a single public IP address. When a content-intelligent
Alteon receives a client request for the shared IP address, it can extract the requested domain
name from the “Host Header” portion of the HTTP header, concatenate it with the IP address
to obtain the unique host identifier, and redirect the request to the appropriate server or server
farm. A content-intelligent Alteon allows Webmasters to customize server health checks to verify
content accessibility in large Web sites. As the amount of content grows and information is
distributed across different server farms, flexible, customizable content health checks are
critical to ensuring end-to-end availability.
Working with session content is much more demanding than examining TCP/IP protocol
headers because content is non-deterministic. Content identifiers such as URLs and cookies
can be of varying lengths and can appear at unpredictable locations within a request.
Scanning through session traffic for a specific string is far more processor intensive than
looking at a known location in a session for a specific number of bytes. Parsing content
requests means temporarily terminating the TCP connection from a client. In other words, the
Alteon must first pretend that it is the server, ask the client what it wants, examine the request,
and then open a connection to an appropriate server. While this is happening, the Alteon must
temporarily buffer the request, which consumes system memory. This temporary termination
is called a “delayed binding.” With delayed binding, two independent TCP connections span a
Web session: one from the client to the Alteon and the second from the Alteon to the selected
server. The Alteon must modify the TCP header, including performing TCP sequence number
translation and recalculating checksums on every packet that travels between the client and
the server, for the duration of the session. This function, known as “TCP connection splicing,”
heavily tasks an Alteon, particularly when the switch must process thousands of these
sessions simultaneously. In addition to real-time traffic and connection processing, a content
switch needs to monitor the servers to ensure that requests are forwarded to the best
performing and healthy servers. This monitoring involves more than simple ICMP or TCP
connection tests as servers continue to process network protocols while failing to retrieve any
content. Furthermore, if content is segregated in different servers or server farms, the Alteon
must provide a flexible, user-customizable mechanism allowing a relevant set of application
and content tests to be applied to each server or server farm.
Alteon Operating System allows you to load balance HTTP requests based on different HTTP
header information, such as Cookie-Header for persistent or content load balancing, Host-
Header for virtual hosting, or User-Agent for browser-smart load balancing. When Layer 7
load balancing is configured, an Alteon does not support IP fragments. If IP fragments were
supported in this mode, the switch would have to buffer, re-assemble, and inspect packets
before making a forwarding decision. String-based SLB allows you to optimize resource
access and server performance. Content dispersion can be optimized by making load-
balancing decisions on the entire path and filename of each URL. Both HTTP 1.0 and HTTP
1.1 requests are supported. For content matching you can configure up to 1024 strings
comprised of 40 bytes each. Each request is then examined against the Layer 7 request
defined at the virtual server. On matching, this request is then forwarded to a real server
supporting this string. String requests are load balanced among multiple servers matching the
same pattern, according to the load balancing metric configured for the real server group.
Objectives
After completing this lab, you will be able to do the following:
• Define strings of URL or other variables.
• Distinguish between different strings and enable the real server
to handle them.
• Use regular expressions to create complex string matches.
Assignment
Physically, your network is wired according to the Lab Description. Connect to the
switch for configuration via the terminal server, SSH or telnet.
If your previous SLB configuration is no longer working, set the switch back to the
factory default and load the saved SLB configuration. If you decide to keep the
previous persistency lab, disable persistent binding (pbind)! It has a higher priority, so
content load balancing will not work.
In the first exercise, you will load balance your HTTP requests depending on the URL. In
the root directory of web server 2 there is a subdirectory “/images”. It contains three
image files, img1.jpg, img2.jpg and img3.jpg. Your task is to configure URL strings and
enable real server 2 to handle these requests.
The second exercise enhances this lab using regular expressions. Web server 1
will host the file “alteo.htm”; server 2 will host “altea.htm” and “alter.htm”. You have to
configure suitable URL strings, enable these strings on suitable servers and do the SLB
selection using regular expressions.
The third exercise is to check for browser-related strings. Depending on the default
language of the browser request, server 1 or 2 is selected.
3. Select roundrobin as the default load balancing metric for the real server group. This is
recommended for the training setup. In real life, use any suitable metric.
Lab Configuration:
metric roundrobin enable round robin distribution
4. Disable persistent binding for the virtual server service. Pbind takes precedence over
string load balancing.
Lab Configuration:
/cfg/slb/virt 1/service 80
pbind disable deactivate persistent binding
apply activate configuration
cur verify your configuration
Then generate traffic by opening a new browser window to your VIP several times; return
to the switch CLI to execute the command for displaying statistics.
Lab Operation:
/stats/slb/virt 1 shorthand /st/sl/vi 1
6. Before version 28.1, Alteon checks the case of any string (e.g. a URL name) by default.
Disable it if there is no need to distinguish between upper and lower case.
Syntax:
/cfg/slb/layer7/slb/case {mode}
Lab Configuration:
/cfg/slb/layer7/slb/case dis
2. Add an index number for the URL string to the real server config. If real server 2 cannot
handle any address request other than “/images”, do not add string 1 as an option.
Syntax:
/cfg/slb/real 2/layer7/addlb {index-number-of-string}
Assign lookup URL string index number to real server number.
Lab Configuration:
/cfg/slb/real 2/layer7
addlb 1 to also support other strings like index.html page
addlb 2 to support string #2, “/images” on real server 2
Lab Configuration:
/cfg/slb/virt 1/service 80/http/httpslb urlslb
apply
save
y
/cfg/dump to review the saved configurations
5. Open a browser on the client and access the VIP http://192.168.100.221. Test the
configuration and check the working status. Close and reopen the client browser several
times. Check the statistics in the switch to verify activity.
Lab Operation:
/stat/slb/layer7/str
------------------------------------------------------------------
SLB String stats:
ID SLB String Hits
1 any 19
2 /images 0
Lab Operation:
/stat/slb/virt 1
------------------------------------------------------------------
Virtual server 1 stats:
Current Total Highest
Real IP address Sessions Sessions Sessions Octets
---- --------------------------- -------- ---------- -------- ---------------
1 webserver1 0 9 5 11283
2 webserver2 0 10 6 12533
---- --------------------------- -------- ---------- -------- ---------------
192.168.100.221 0 19 11 23816
6. Access the image file from the client web browser. The files img1.jpg, img2.jpg and
img3.jpg are available on server 2. Close and reopen the client browser several times, each
time requesting http://192.168.100.221/images/img1.jpg.
Lab Operation:
/stat/slb/layer7/str
------------------------------------------------------------------
SLB String stats:
ID SLB String Hits
1 any 19
2 /images 7
Lab Operation:
/stat/slb/virt 1
Virtual server 1 stats:
Current Total Highest
Real IP address Sessions Sessions Sessions Octets
---- --------------------------- -------- ---------- -------- ---------------
1 webserver1 0 9 5 11283
2 webserver2 0 17 6 261943
---- --------------------------- -------- ---------- -------- ---------------
192.168.100.221 0 26 11 273226
Perform the test a couple of times. Compare the Web browser request and output
displayed in the browser window.
Review the switch statistics. All requests to the “/images” folder should be directed to real
server 2. In a large server farm environment, the “/images” folder could be duplicated and
load balanced across several servers.
2. Add the index number for the URL string to the real server config: Add ‘alte[^ar]’, which is
a regular expression for ‘alteo’ string in our configuration, to real server 1. Add ‘alte[ar]’,
which represents both strings ‘alter’ and ‘altea’, to real server 2. To enable LB to allow
‘index.htm’ on real server 1, add index 1 to it.
Syntax:
/cfg/slb/real {no}/layer7/addlb {index-number-of-string}
Assign lookup URL string index number to real server number.
Lab Configuration:
/cfg/slb/real 1/layer7/addlb 3 adds string 3 “alte[^ar]” to real server 1
addlb 1 adds string 1 “any” to real server 1 to also allow “index.htm” page
../../re 2/la/a 4 short form to add string 4 “alte[ar]” to real server 2
3. Test your configuration. Send the following requests from your browser at Team-PC to
VIP. The following example is for team 21. Use your team number, please.
http://192.168.100.221/alteo.htm,
http://192.168.100.221/alter.htm,
http://192.168.100.221/altea.htm
All “alteo” requests terminate at Web server 1. All “altea” and “alter” requests are sent to
server 2 since the load balancing string that excluded URLs ending in “a” and “r” was
assigned to server 2.
Others Lookup
1. In this lab section, your task is to configure Layer 7 string lookup to detect the default
language support of the browser used for this request.
2. Modify your virtual server, to look up the Accept-Language HTTP header field.
Syntax:
/cfg/slb/virt {server-number}/service {port-number}/
httpslb {option operator option}
Possible options are: urlslb, host, cookie, browser, urlhash, headerhash, others
Possible operators: and, or, none
Lab Configuration:
/cfg/slb/virt 1/service http/http/httpslb
Application: urlslb|host|cookie|…|headerhash|others|none
Select Application: others
Operation: and|or|none
Select Operation: none
Enter new HTTP header name: Accept-Language
apply
3. Configure header variable strings and add an index number to the real server config. Real
server 1 represents the contents for the ‘en’ string, real server 2 is responsible for the ‘de’
string. The language string depends on the browser type. Add strings, e.g. en and de. For
other regions, choose appropriate language strings.
Lab Configuration:
/cfg/slb/layer7/slb/addstr en add a new index for “en” string
adds de add a new index for “de” string and apply it
cur see list of cur paths (any, /images)
Error message:
No available server to handle this request
…
Number of entries: two
1: any, cont 1024
2: /images, cont 1024
3: alte[ar], cont 1024
4: alte[^ar], cont 1024
5: en, cont 1024
6: de, cont 1024
Lab Configuration:
/cfg/slb/real 1/layer7/addlb 5 assign string 5 “en” to real server 1
../../re 2/la/a 6 short form to add string 6 “de” to real server 2
apply
4. Access your home page, e.g. team 21 http://192.168.21.221. Change the browser
language string according to your LB setup. You will see that Web server 1 supports requests
with preferred string 5, language English. Server 2 will provide content for string 6, for
German users (de).
/c/slb
on
/c/slb/adv
direct ena
/c/slb/real 1
ena
rip 10.200.21.100
name "webserver1"
/c/slb/real 2
ena
rip 10.200.21.200
name "webserver2"
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
dbind ena
/c/slb/layer7/slb
ren 2 "/images"
ren 3 "alte[^ar]"
ren 4 "alte[ar]"
ren 5 "en"
ren 6 "de"
/c/slb/real 1/layer7
addlb 1
addlb 3
addlb 5
/c/slb/real 2/layer7
addlb 1
addlb 2
addlb 4
addlb 6
/c/slb/virt 1/service http
httpslb others Accept-Language
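The string lookup configured in this lab can be replayed offline with the following Python model, which is an added example and not Radware code or part of the original manual. It assumes that every string is an unanchored regular expression, that a specific match takes precedence over "any", and that eligible servers are served round robin; the class and function names are hypothetical.

```python
"""Simplified model of the lab's Layer 7 string lookup (added example, not Alteon code)."""
import re

NO_SERVER = "No available server to handle this request"  # error text shown in the lab

# String table and addlb assignments copied from the lab's final configuration.
STRINGS = {1: "any", 2: "/images", 3: "alte[^ar]", 4: "alte[ar]", 5: "en", 6: "de"}
REAL_STRINGS = {1: {1, 3, 5}, 2: {1, 2, 4, 6}}


class L7StringSlb:
    """Assumptions: every string is an unanchored regex, a specific match beats
    "any", and eligible real servers are served round robin."""

    def __init__(self, strings, real_strings, lookup="url", case_sensitive=True):
        self.strings = strings            # index -> pattern
        self.real_strings = real_strings  # real server -> indexes added with addlb
        self.lookup = lookup              # "url" (urlslb) or a header name (others)
        self.flags = 0 if case_sensitive else re.IGNORECASE
        self._next = 0                    # round-robin counter

    def _field(self, url, headers):
        """Return the request field the virtual service inspects."""
        if self.lookup == "url":
            return url
        for name, value in (headers or {}).items():
            if name.lower() == self.lookup.lower():   # header names are case-insensitive
                return value
        return ""                                     # header absent

    def matched(self, url, headers=None):
        """Indexes of all specific strings found in the inspected field."""
        value = self._field(url, headers)
        return sorted(i for i, pat in self.strings.items()
                      if pat != "any" and re.search(pat, value, self.flags))

    def eligible(self, url, headers=None):
        """Real servers allowed to answer: specific matches first, then "any"."""
        hits = set(self.matched(url, headers))
        servers = sorted(r for r, s in self.real_strings.items() if s & hits)
        if servers:
            return servers
        catch_all = {i for i, pat in self.strings.items() if pat == "any"}
        return sorted(r for r, s in self.real_strings.items() if s & catch_all)

    def select(self, url, headers=None):
        """Pick one eligible real server, or return the lab's error text."""
        servers = self.eligible(url, headers)
        if not servers:
            return NO_SERVER
        choice = servers[self._next % len(servers)]
        self._next += 1
        return choice


def demo():
    """Replay the lab requests plus edge cases the lab does not exercise."""
    url_slb = L7StringSlb(STRINGS, REAL_STRINGS, lookup="url")
    lang_slb = L7StringSlb(STRINGS, REAL_STRINGS, lookup="Accept-Language")
    rows = []
    # Constructed sample requests: lab URLs, a mixed-case path, two plain pages.
    for url in ("/images/img1.jpg", "/alteo.htm", "/alter.htm", "/altea.htm",
                "/Images/img1.jpg", "/index.html", "/home.htm"):
        rows.append((url, url_slb.matched(url), url_slb.eligible(url)))
    # Constructed Accept-Language values, including one that lists both languages.
    for lang in ("en-US,en;q=0.9", "de-DE,de;q=0.9", "de-DE,de;q=0.9,en;q=0.3", "fr-FR"):
        hdr = {"Accept-Language": lang}
        rows.append((lang, lang_slb.matched("/", hdr), lang_slb.eligible("/", hdr)))
    return rows


if __name__ == "__main__":
    for request, strings, servers in demo():
        print(f"{request:28} strings={strings!s:8} real servers={servers}")
```

Under these assumptions, "/index.html" matches the short string "de" when URL lookup is active, and a header that lists both languages matches strings 5 and 6 at once. Short substrings like these are worth checking against real request samples before they decide where traffic goes.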
2. All real servers supporting the string defined above need to be in a common group.
Therefore, we create an additional group with only these server(s). A separate content health
check would be possible and useful.
Syntax:
/cfg/slb/group #/add <real server #>
health http
content <file to query>
Lab Configuration:
/cfg/slb/group 2/add 2 shorthand /c/sl/gr 2/add 2
health http/content "images/img1.jpg"
Lab Configuration:
/c/slb/virt 1/service http/cntrules
Enter Content Based Services Rule number (1-12800): 10
cntclss
Current content class:
New content class: image
action
Current action type: group
Enter new action type [group|redirect|discard]: <enter-key>
group
Current real server group: 1
Enter new real server group [1-1024]: 2
ena
apply do not save this configuration, so that you can delete it with the
revert apply command
4. Open a browser on the client and access the VIP http://192.168.100.221 or
http://lab-muc.radware.com:7421. Test the configuration and check the working status. Close and
reopen the client browser several times. Check the statistics in the switch to verify activity.
Lab Operation:
/stat/slb/virt 1
------------------------------------------------------------------
Virtual server 1 stats:
Current Total Highest
Real IP address Sessions Sessions Sessions Octets
---- --------------------------- -------- ---------- -------- ---------------
1 webserver1 0 2 1 503
2 webserver2 0 2 1 504
---- --------------------------- -------- ---------- -------- ---------------
192.168.100.221 0 2 1 504
5. Access the image file from the client web browser. The files img1.jpg, img2.jpg and
img3.jpg are available on server 2. Close and reopen the client browser several times, each
time requesting http://192.168.100.221/images/img1.jpg
or http://lab-muc.radware.com:7421//images/img1.jpg
Lab Operation:
/stat/slb/virt 1
Virtual server 1 stats:
Current Total Highest
Real IP address Sessions Sessions Sessions Octets
---- --------------------------- -------- ---------- -------- ---------------
1 webserver1 0 2 1 503
2 webserver2 0 17 6 61943
---- --------------------------- -------- ---------- -------- ---------------
192.168.100.221 0 19 7 62446
Perform the test a couple of times. Compare the Web browser request and output
displayed in the browser window.
Review the switch statistics. All requests to the “/images” folder should be directed to real
server 2. In a large server farm environment, the “/images” folder could be duplicated and
load balanced across several servers.
Lab Configuration:
/c/slb/layer7/slb/cntclss/
Enter Class id: alte1
path
Enter path id: 1
path
Current path to match:
Enter new path to match: alte[^ar]
match regex
Current matching type: include
New matching type: regex
../../cntclss/
Enter Class id: alte2
path
Enter path id: 1
path
Current path to match:
Enter new path to match: alte[ar]
match regex
Current matching type: include
New matching type: regex
Since we are using the default values for case, we skip any setup for it.
7. All real servers supporting the string “alte[^ar].htm” need to be in a common group.
Therefore, we create an additional group with only these server(s).
Lab Configuration:
/cfg/slb/group 3/add 1 shorthand /c/sl/gr 3/add 1
Lab Configuration:
/c/slb/virt 1/service http/cntrules
Enter Content Based Services Rule number (1-12800): 20
cntclss
Current content class:
New content class: alte1
group
Current real server group: 1
Enter new real server group [1-1024]: 3
ena
apply do not save this configuration, so that you can delete it with the
revert apply command
9. Test your configuration. Send the following requests from your browser at Team-PC to
VIP. The following example is for team 21. Use your team number, please.
http://192.168.100.221/alteo.htm,
http://192.168.100.221/alter.htm,
http://192.168.100.221/altea.htm
Lab Configuration:
/c/slb/virt 1/service http/cntrules
Enter Content Based Services Rule number (1-12800): 10
cntclss
Current content class:
New content class: lang
group
Current real server group: 1
Enter new real server group [1-1024]: 3
ena
apply do not save this configuration, so that you can delete it with the
revert apply command
12. Access your home page, e.g. team 21 http://192.168.100.221. Change the
browser language preference string according to your LB setup. You will see
that Web server 1 supports requests with preferred string language German.
Check the statistics on the load balancer.
/c/slb
on
/c/slb/adv
direct ena
/c/slb/real 1
ena
ipver v4
rip 10.200.21.100
/c/slb/real 2
ena
ipver v4
rip 10.200.21.200
/c/slb/group 1
ipver v4
metric roundrobin
add 1
add 2
/c/slb/group 2
ipver v4
health http
content "images/img1.jpg"
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
ipver v4
vip 192.168.100.221
/c/slb/virt 1/service 80 http
group 1
dbind forceproxy
/c/slb/virt 1/service 80 http/cntrules 10
ena
cntclss "image"
group 2
/c/slb/layer7/slb
/c/slb/layer7/slb/cntclss image http
/c/slb/layer7/slb/cntclss image http/path image1
path "image"
Regular expression
Header „Accept-Language“
SSL Acceleration
Overview
Secure Sockets Layer (SSL) is a security layer that can be added to various communication
protocols in order to serve four main purposes that contribute together to establishing a
secure communication channel.
Models 4408, 4416 and 5412 loaded with software ver. 27 can offload heavy client SSL
actions from servers and deliver the traffic to them as clear HTTP or, if needed, as
weaker-encrypted traffic to ease the stress. SSL is configured by means of a reusable SSL
policy in the ADC configuration, which enables quicker and safer setup of new services.
Options include controlling the SSL cipher-suites and passing SSL information to Web
Applications for logging or for use as part of application logic. SSL using SHA-2 certificates
is supported. In order to support the new SSL capabilities, ADC now includes a repository for
certificates and other PKI components, which allows safe holding and management of all
components and required actions, as well as bulk import of the Alteon 2424-SSL certificates
repository content for easy migration.
This lab unit discusses Alteon’s SSL offloading capabilities, which perform encryption,
decryption, and verification of Secure Sockets Layer (SSL) transmissions between clients and
servers, relieving the back-end servers of this task. This enables the back-end servers to
maximize their performance and efficiency, resulting in faster server response times and
increased server capacity to handle more concurrent users.
Authentication
Each communicating partner should be able to verify that the other is who it
claims to be and not an impostor.
Privacy
A third party should not be able to eavesdrop on a private communication.
Integrity
The protocol should automatically or easily detect any tampering with the
transmission.
Non-repudiation
The sender should not be able to claim that they did not send what the
receiver received.
For Alteon to provide SSL Offloading, you must configure, enable, and apply the following
three components:
SSL Virtual Service
You must define an HTTPS or SSL virtual service and associate to it both an SSL server
certificate, and an SSL policy that governs the behavior of the SSL virtual service.
SSL Policy
You must define an SSL policy and associate it to the SSL virtual service. An SSL policy
includes the definition of the ciphers that enable SSL handshaking, as well as the type of
traffic that is sent to the back-end servers. A single SSL policy can be reused across multiple
virtual services.
Certificate Repository
You must supply a server certificate that you associate with the SSL virtual service. The
server certificate includes the attributes needed to perform SSL handshaking and enable the
decryption and encryption of the traffic related to the virtual service. You can associate only a
single server certificate to a virtual service, but the same server certificate can be used by
multiple services. The certificate repository may include Server Certificates, Intermediate CA
Certificates, and Trusted CA Certificates.
A server certificate
is a type of certificate used to identify servers during the SSL handshake. You either import a
pre-existing server certificate using the /cfg/slb/ssl/certs/import command, or you can generate
your own on the Alteon. When you generate your own server certificate, if an
underlying Certificate Signing Request (CSR) and/or key pair do not already exist by the same
name as the server certificate, they are generated along with the server certificate. The
resulting server certificate is a "self-signed" server certificate, meaning it was issued by the
server for itself. This kind of certificate is good for testing purposes, as real users will
experience various warning messages if it is used for the real SSL service. In order to be used in
the real-life SSL environment, the server certificate must be issued (signed) by a Certificate
Authority (CA) that is trusted by the clients' browsers. To achieve this, once the certificate's
CSR is generated, you must submit it to a trusted Certificate Authority (CA) for signing. If the
request is successful, the CA sends back a certificate that has been digitally signed by its own
key, which you import using the /cfg/slb/ssl/certs/import command, ensuring that it is not
imported to the same entity name as the CSR.
Intermediate CA certificates
are used when the CA providing the virtual service's server certificate is not directly trusted by
the end user’s Web browsers. This is typical in an organization that has its own CA server for
generating server's certificates. In order to construct the trust chain from the user’s browser
list of trusted CAs to the organization's CA server, an intermediate CA certificate or chain of
certificates can be provided. You can optionally bind an intermediate Certificate Authority (CA)
certificate to the SSL policy. These certificates are not created on the switch—you must first
import them. You can also create a group of intermediate certificates (a complete CA chain)
and bind it to the SSL policy.
Trusted CA certificates
are certificates that come from a Certificate Authority that your organization uses to provide
users with certificates (client certificates). Trusted CA certificates are associated to client
authentication policies. If you use this option, you must specify the trusted client CA certificate
or group of trusted client CA certificates to allow Alteon to know which client certificates to
accept.
Client Authentication Policies
SSL client authentication enables a server to confirm a client's identity as part of the SSL
handshake process. A client's certificate and public ID are checked to confirm that they are
valid and that they were issued by a trusted Certificate Authority (CA). If the certificate is
valid, the handshake process is completed, allowing data to be sent to the intended
destination. If the certificate is not valid, the session is terminated. When using SSL
Offloading, you can optionally define a client authentication policy that authenticates the
client’s identity. You associate a client authentication policy to an SSL policy, and the SSL
policy, in turn, is associated to a virtual service. To authenticate the client's identity, you
import a CA certificate into Alteon. When Alteon receives a client certificate, it uses this CA
certificate to validate it by checking that it was generated by this trusted CA. Additionally,
you can configure Alteon to ensure that the client certificates were not revoked by checking
their statuses using OCSP (Online Certificate Status Protocol).
Assignment
All Alteon switch devices are connected via Ethernet cables as pictured in the lab diagram.
In order to configure this switch, connect via serial to your assigned switch through a
terminal server.
If your last lab was a VRRP or FWLB lab, remove all configuration settings and restore
the factory default settings.
Configure the Alteon to support basic load balancing.
In this lab, we want to:
Set up a VIP with SSL offloading
Display acceleration log and statistics
Configure Switch
Console Setup
On your Team-PC, the PuTTY application is already set up with individual icons to connect
via serial to the Alteon.
1. Verify SLB is working. If not, refer to lab “Server Load Balancing”.
2. Set up a basic HTTPS service. A VIP with service HTTPS terminates a client
SSL request using an SSL policy and a server certificate.
3. Generate a self-signed server certificate
Syntax:
/cfg/slb/ssl/cert
srvrcert Server Certificate Menu
request Certificate Signing Request (CSR) Menu
keypair Key-Pair Menu
trustca Trusted CA Certificate Menu
intermca Intermediate CA Certificate Menu
group Certificates Group Menu
defaults Set certificate default values
import Import certificates
export Export certificates
Lab Configuration:
We set up a self-signed server certificate.
/cfg/slb/ssl/cert/srvrcert Select cert menu
Enter server certificate id (alphanumeric): selfs-cert
Server certificate selfs-cert# name MySelfSignedCert
Server certificate selfs-cert# generate
This operation will generate a self-signed server certificate.
Enter key size [512|1024|2048|4096] [1024]:<enter>
Enter server certificate hash algorithm [md5|..[sha1]:<enter>
Enter certificate Common Name: www.team28.com
Use certificate default values? [y/n]: n
Enter certificate Country Name (2-letter code) []: US
Enter certificate State or Province Name (full name) []: NJ
Enter certificate locality name (e.g. city) []: Mahwah
Enter certificate Organization Name (e.g. company) []: Radware
Enter certificate Organizational Unit Name []: Training
Enter certificate Email []: GuentherM@radware.com
Enter certificate validation period in days (1-3650) [365]: 20
GUI Instructions
To set up using the graphical user interface (use either the CLI or the BBI!):
On the Configure tab, select SLB -> SSL and select SSL Enabled. Press the
Submit button.
On the Configure tab, press Certificate Repository, and Generate a new policy.
Insert at ID: selfs-cert, a descriptive name at Policy Name, and set the other
parameters as described above for the CLI. There should now be three entries: a
Key-Pair, a Certificate Request and the Server Certificate.
Lab Operation:
cfg/slb/ssl/sslpol mypol set policy id
name "Easy SSL Policy" label this policy
cipher a long list appears, <tab> complete selection
Current cipher-suite allowed for SSL: rsa use default
Enter new cipher-suite allowed for SSL: medium 128 bit key
ena enable this policy
apply
Press the Add tab and Generate a new SSL policy. Insert at ID: mypol, a
descriptive name at Policy Name, Enable, set Cipher Suite to medium and
keep the other parameters at their default values.
Syntax
ssl ssl menu
srvrcert Set SSL server certificate for this virtual service
sslpol Set SSL policy for this virtual service
cur Display current SSL configuration
Lab Operation:
/cfg/slb/virt 1/service https/ssl
SSL Load Balancing# srvrcert selfs-cert associate cert
SSL Load Balancing# sslpol mypol associate policy
Note: Backend servers listening port (rport) was changed from
443 to 80 due to the use of No backend encryption. For a different
network setting, rport can be configured manually.
8. Check statistics: open and close a browser window several times.
CLI: /stat/slb/virt 1
10. Enable Application Services Trace Log. Application services trace logging may
cause performance impact on Alteon traffic processing capabilities. Make sure
to disable when done!
Syntax
/maint/applog
export Export application services trace log via FTP/TFTP/SCP
clearlog Clear application services trace log
compress Enable/disable log compression activities
caching Enable/disable log caching activities
ssl Enable/disable log ssl activities
http Enable/disable log http activities
httpmod Enable/disable log http modifications activities
dump Dump application services trace log configuration
Lab Operation:
ssl
Current logging ssl activities: disabled
Enter new logging ssl activities [d/e]: e
11. Create some traffic by accessing the HTTPS server page several times.
12. Export log data to your Team-PC; turn on 3CD and listen for the TFTP service.
Lab Operation:
/maint/applog/export
Enter hostname or IP address of FTP/TFTP/SCP server: 192.168.150.x
Enter username for FTP/SCP server or hit return for TFTP
server:<enter>
Dump logs in W3C format? (n for internal format) [y/n] [y]: n
Log file successfully transfered to :xxx_internal_logger.tar.gz
13. Extract the .tar.gz file. For each SP there is a separate file with log data. Depending on
the VMA feature, your connection data is stored in one of these files. Open it with
MS WordPad.
/c/l3/dns
prima 192.168.150.253
/c/sys/ntp
on
prisrv 192.168.150.253
/c/slb/ssl/certs/keypair selfs-cert
/c/slb/ssl/certs/request selfs-cert
/c/slb/ssl/certs/import request "selfs-cert" text
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
/c/slb/ssl/certs/srvrcert selfs-cert
name "MySelfSignedCert"
/c/slb/ssl/certs/import srvrcert "selfs-cert" text
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
/c/slb/ssl
on
/c/slb/ssl/sslpol mypol
name Easy SSL Policy
cipher medium
ena
/c/slb
on
/c/slb/adv
direct ena
/c/slb/real 1
ena
ipver v4
rip 10.200.28.100
/c/slb/real 2
ena
ipver v4
rip 10.200.28.200
/c/slb/group 1
ipver v4
metric roundrobin
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
ipver v4
vip 192.168.100.228
/c/slb/virt 1/service 80 http
group 1
/c/slb/virt 1/service 443 https
group 1
rport 80
/c/slb/virt 1/service 443 https/ssl
srvrcert selfs-cert
sslpol mypol
/c/sys/access/https/port 8443
/c/sys/access/https/https e
/
script end /**** DO NOT EDIT THIS LINE!
Switch Troubleshooting
Overview
Description
The types of problems that typically occur with networks are connectivity and
performance. The Alteon supports a diverse range of network architectures and
protocols; some are used to maintain and monitor connectivity and isolate the
connectivity faults.
This section provides conceptual information about the methods and tools used
for troubleshooting and isolating problems in the Alteon. It will help you to use
the common commands to check switch status and to ensure successful switch
maintenance activities.
Objectives
After completing this lab, you will be able to use the following commands:
• Config
• Info
• Statistics
• Global
Assignment
Learn to use the diff command to view changes before saving them. Review
the CLI commands to check critical switch functions (such as port speed, STP
configuration, SLB configuration, etc.). Cultivate the ability to spot errors in your
configuration.
Familiarize yourself with the techniques for gathering switch statistical data for
troubleshooting.
You can use the configuration from any previous lab for this lab.
Start with the diff command to review changes. Run all the other commands, then finish with
the diff command again, and compare the different outputs. All these commands are available
from any menu and at any path.
Syntax:
diff {option} Show any pending configuration changes. The flash option displays
all data that will be lost if the switch reboots.
Lab Configuration:
/cfg/l3/if 42/mask 255.255.255.0/addr 172.16.1.1/en
diff
Current config is identical to new config.
If all configuration data in floatable RAM is already applied and saved, no data is
displayed. Change the configuration and run the diff command again.
Lab Configuration:
/cfg/l3/if 42/mask 255.255.255.0/addr 172.16.1.1/en
diff
Pending configuration:
/c/l3/if 42
ena
ipver v4
addr 172.16.1.1
mask 255.255.255.0
broad 172.16.1.255
apply current config is now identical to new config
2. Use the Port menu to configure settings for individual physical switch ports. This command
is enabled by default. Port configuration is slightly different on Alteon 2000 series and
3408.
Syntax:
/cfg/port {number-of-physical-port}/{option}
Enables all settings for a physical port on an Alteon
/cfg/port {number-of-physical-port}/fast/{option}
Enables all settings for a fast Ethernet physical port on an Alteon
/cfg/port {number-of-physical-port}/gig/{option}
Enables all settings for a gigabit Ethernet physical port on an Alteon
/cfg/port {number-of-physical-port}/cop/{option}
Enables all settings for a physical RJ45 port in range 3-6 on a 3408 switch
/cfg/port {number-of-physical-port}/sfp/{option}
Enables all settings for a physical GBIC port in range 3-6 on a 3408 switch
Lab Configuration:
/cfg/port 1/cur display current port 1 configuration
/c/port 1/fast/cur display port 1 fast Ethernet configuration
3. View switch performance statistics in both the user and administrator command modes.
This menu displays traffic statistics on a port-by-port basis. Traffic statistics include
SNMP Management Information Base (MIB) objects. The displayed interval is from the
last switch reboot or counter reset until the present.
Syntax:
/stats/port {physical-port-number}/{option}
Displays statistic values for a physical port. Values in the range of Layer 1 up to Layer 3
are available. The clear option resets values.
Lab Configuration:
/stat/port 1/link
/stat/port 1/ether
/stat/port 1/if
4. When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the
network so that a switch uses only the most efficient path. Spanning Tree Protocol (STP)
detects and eliminates logical loops in a bridged or switched network. STP forces
redundant data paths into a standby (blocked) state. If the most efficient path fails,
Spanning Tree automatically sets up another active path on the network to sustain
network operations. Thus, STP is used to prevent loops in the network topology.
Alteon Operating System supports the IEEE 802.1p Spanning Tree Protocol (STP). Alteon
Operating System supports up to 16 instances of Spanning Trees or Spanning Tree
groups. Each VLAN can be placed in only one Spanning Tree group per switch except for
the default Spanning Tree group (STG 1). The default Spanning Tree group (1) can have
more than one VLAN. All other Spanning Tree groups
(2-16) can have only one VLAN associated with them. Spanning Tree can be enabled or
disabled for each port. Multiple Spanning Trees can be enabled on tagged or untagged
ports. Spanning tree group 1 is turned on by default.
Syntax:
/cfg/l2/stg {number-of-STP-group}/{option}
Enables all settings for Spanning Tree Groups 1 to 16
Lab Configuration:
/cfg/l2/stg 1/cur
Syntax:
/info/l2/stg
Displays all settings for Spanning Tree Groups 1 to 16
Lab Configuration:
/info/l2/stg
Syntax:
/maint/tsdmp
Dumps all Alteon information, statistics, and configuration to your CLI screen. You can log
the tsdump output into a file, and send it to Radware Technical Support for debugging
purposes.
Lab Configuration:
/maint/tsdmp
Confirm dumping all information, statistics, and configuration
[y/n] : y
Syntax:
/maint/pttsdmp {hostname filename -tftp|username password [-mgmt|-data]}
Dumps data to a server specified by hostname. Data is stored at filename. The transport protocol
is FTP or TFTP via a management or data port.
Lab Configuration:
/maint/pttsdmp
Enter hostname or IP address of FTP/TFTP server: 192.168.150.x
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server:
username
Enter password for username on FTP server: password
Connecting to 192.168.150.69...
6. The panic command causes the switch to immediately dump state information to flash
memory and automatically reboot. Technical support may request a panic dump for
analysis of an open case. Use ptdmp to transmit the system dump to a TFTP or FTP
server and store it in a file.
Syntax:
/maint/panic
Dumps all switch state information. You can log the tsdump output into a file, and send it
to Radware Technical Support for debugging purposes.
Lab Configuration:
/maint/panic
Confirm dumping and reboot [y/n] : y
Syntax:
/maint/ptdmp {hostname filename -tftp|username password [-mgmt|-data]}
Dumps data to a server specified by hostname. Data is stored in filename. The transport protocol
is FTP or TFTP via a management or data port.
Lab Configuration:
/maint/ptdmp
Enter hostname or IP address of FTP/TFTP server: 192.168.150.x
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server: username
Enter password for username on FTP server: password
Connecting to 192.168.150.69...
7. You must reset the switch to make your software image file or configuration block changes
take effect. For two other features, Nortel-Multiple-Spanning-Tree (/cfg/l2/ntmstg) and
jumbo frames at VLAN (/cfg/l2/vlan x/jumbo) a reset is also required.
Syntax:
/boot/reset {option}
The hard option acts like power cycling an Alteon. The two other options are to boot from
the other image (<Ctrl>-o) or to load the factory default database (<Ctrl>-f).
Lab Configuration:
/boot/reset shorthand /b/c
/boot/reset hard shorthand /b/c hard
>> Note that this will RESTART the Spanning Tree,
>> which will likely cause an interruption in network service.
Confirm reset [y/n]: y
8. To debug the Virtual Matrix Architecture (VMA) feature, you can display the assigned SP
(Switch Processor) for a source IP address and a destination IP address when VMA with
destination IP is enabled. For IP version 6, use the command vmasp6.
Syntax:
/maint/debug/vmasp {option, option, option}
The required options are the source IP address, the destination IP address, and the source port
if enabled. The corresponding settings are at /cfg/slb/adv/vmadip and /cfg/slb/adv/vmasport.
Lab Configuration:
/maint/debug/vmasp
Enter Source IP address : 1.2.3.4
Enter Destination IP address : 2.3.4.5
Enter source port : 1234
shorthand /m/d/vmasp 1.2.3.4 2.3.4.5 1234
VMA for source IP 1.2.3.4 and destination IP 2.3.4.5 and source port
1234 is SP 3
9. You can display the Real server number, real IP address, MAC address, VLAN, physical
switch port, layer on which the health check is performed, and the health check result.
Syntax:
/info/slb/real {real-server-number}
For real servers, the possible range is from 1 to 1023.
Lab Configuration:
/info/slb/real 1
1: 10.200.21.100, 00:0c:29:59:68:0e, vlan 11, port 2, health 4, up
real ports:
rport 80, up # indicates layer of HC
Real server group 1 , Workload Manager none
Virtual services:
http: vport http, rtspslb none
10. You can display the Server Load Balancing values for Layer 4 services.
Syntax:
/stats/slb/{options}
For all real servers, groups, virtual servers etc. statistics are available.
Lab Configuration:
/stat/slb/real 1
/stat/slb/real 2
/stat/slb/group 1
/stat/slb/virt 1
/stat/slb/filt 1
11. Is a filter working and does it match a configured rule? Enables or disables generating
messages displayed at the terminal and sent to the configured syslog server when a filter
match occurs.
Syntax:
/cfg/slb/filt {filter-number}/adv/log {options}
This option is disabled by default. Logging can be enabled per filter.
Lab Configuration:
/cfg/slb/filt #/adv/log ena always prints an info line at the console if filter
criteria are met.
Perform the following commands using the current SLB configuration. Some of the commands
you did previously are noted in the table below for reference.
Overview
Description
In a high-availability network topology, no device can create a single point-of-failure for the
network or force a single point-of-failure to any other part of the network. This means that your
network will remain in service despite the failure of any single device. To achieve this usually
requires redundancy for all vital network components. VRRP enables redundant router
configurations within a LAN, providing alternate router paths for a host to eliminate single points-
of-failure within a network. Each participating VRRP-capable routing device is configured with
the same virtual router IP address and ID number. One of the virtual routers is elected as the
master, based on a number of priority criteria, and assumes control of the shared virtual router
IP address. If the master fails, one of the backup virtual routers will take control of the virtual
router IP address and actively process traffic addressed to it. Because the router associated
with a given alternate path supported by VRRP uses the same IP address and MAC address as
the routers for other paths, the host’s gateway information does not change, no matter what path
is used. A VRRP-based redundancy schema reduces administrative overhead because hosts
need not be configured with multiple default gateways. The IP address of a VRRP virtual
interface router (VIR) and virtual server router (VSR) must be in the same IP subnet as the
interface to which it is assigned.
Virtual Router
VRRP routers on two or more independent Alteon can be configured to form a virtual router
(RFC 2338). Each virtual router consists of a user-configured virtual router identifier (VRID) and
an IP address. The VRID is used to build the virtual router MAC Address. The five highest-order
octets of the virtual router MAC Address are the standard MAC prefix (00-00-5E-00-01) defined
in RFC 2338. The VRID is used to form the lowest-order octet.
Assignment
Your previous labs used a single switch for all SLB configurations. Now we will
enhance it by a second switch for high availability (HA). Network cables are
connected according to the diagram on the previous page.
For this lab, two delegates always need to work together! Preferred teams 21+22,
23+24, 25+26, and 27+28 form a redundant configuration consisting of an “odd” and
“even” switch.
All examples in the description below are for team21/22. Other teams should use IP
addresses and VRIDs according to their team number. At the application server side
network, we need for both switches a common network. Use the odd team number for
configuring this network! Do not use the even team numbers at this lab.
Connect to the odd switch; 2424 team21. Set the odd switch to the factory default.
For each interface or VIP, a separate virtual router (VIP / VSR) is necessary. Set the
interface IP addresses according to the lab layout diagram. For Team21, Interface 1, the
configured IP-Address is 192.168.100.31. The interface addresses from previous labs
are now used as VIR, 192.168.100.21, VRID 21. For the interfaces towards web
servers, the odd switch network is used. Interface 2 will be 10.200.21.31. VIR is
192.168.21.21, VRID 31. This is common in the real world since all routing entries on
other devices need no change. Priorities for both VIRs are set to 101. Configure
tracking and choose “Active-Standby mode” (share=disable) for all VRs.
Configure SLB and configure synchronization without priorities. Set the sync peer to
the interface 2 IP address of the even switch. VIP+VSR for both switches are
192.168.100.221, VRID 41. Priority for VSR is set to 101.
Connect to the even switch, check that the OS version used is the same as on the
odd switch, set up Layer 2, VLAN 11 and 14, and Layer 3 parameters. Interface 1 is
set to 192.168.100.41 and interface 2 uses 10.200.21.41. Set the sync peer to the
interface 2 IP address of the odd switch.
Connect to the odd switch; synchronize VRRP and SLB values with the even switch.
Test SLB; disable ports to simulate missing link connections and trigger failover, etc.
Configure Switch
CLI configuration for the odd-Alteon, for even Alteon jump to step 11:
1. If you like to configure the Alteon by BBI continue on page 119. For CLI configuration
connect to the odd-switch (e.g. Team-21) port via terminal server serial. Log in to the
switch, enter the admin password – admin.
2. Set the switch to the factory default and reset it.
Lab Configuration:
/boot/conf factory/reset short form /b/co f/r
y confirms reset, pressing <enter> reboots the switch
3. Wait approximately one minute, log in to the switch using the admin password.
5. Turn off Spanning Tree on the switch and save the configuration.
Lab Configuration:
/cfg/l2/stg 1/off this disables STP group 1, default group is 1
apply activate configuration change
6. Create two interfaces for public and private networks, and add a default gateway.
Lab Configuration:
/cfg/l3/if 1/ena/vlan 11/mask 255.255.255.0/addr 192.168.100.odd#+10
/cfg/l3/if 2/ena/vlan 14/mask 255.255.255.0/addr 10.200.odd#.odd#+10
Syntax:
/cfg/l3/vrrp/vr {VR-number}/{options}
Set all the Options parameters required for a single VR router.
Lab Configuration:
/cfg/l3/vrrp/vr 1 define VR1
vrid odd# set to virtual MAC Addr. 00-00-5E-00-01-15 (team 21)
addr 192.168.100.odd# Public VIR Address, e.g. addr 192.168.100.21
share dis switch from active-active to active-standby
if 1 communicates via interface 1
prio 101 set priority to 101,
ena enable VR
track/l4pts ena track ports layer 4 (client/server process) enabled
It is also possible to put all commands into a single line. Configure vr2 this way:
Lab Configuration:
/cfg/l3/vrrp/vr 2/vrid odd#+10/addr 10.200.odd#.odd#/share dis/if 2/prio 101/ena/track/l4pts ena
10. Test your setup. Are both Web servers accessible by ping and browser access?
14. Adjust Layer2. Assign port 1 to VLAN 11 and port 2 to VLAN 14.
Lab Configuration:
15. Turn off Spanning Tree on the switch and save the configuration.
Lab Configuration:
/cfg/l2/stg 1/off this disables STP group 1, default group is 1
apply activate configuration change
16. Create two interfaces for public and private networks, and add a default gateway.
Lab Configuration:
/cfg/l3/if 1/ena/vlan 11/mask 255.255.255.0/addr 192.168.100.#+20
/cfg/l3/if 2/ena/vlan 14/mask 255.255.255.0/addr 10.200.odd#.odd#+20
17. Configure Virtual Interface Routers. For each interface, a separate router is
required. If possible, use the same value for VR-number, VR-ID and IF. This
simplifies management. If this is not possible, suitable documentation is required.
Syntax:
/cfg/l3/vrrp/{option}
This option turns the VRRP feature on or off.
Lab Configuration:
/cfg/l3/vrrp/on enables VRRP feature
Syntax:
/cfg/l3/vrrp/vr {VR-number}/{options}
Set all the Options parameters required for a single VR router.
Lab Configuration:
/cfg/l3/vrrp/vr 1 define VR1
vrid odd# set to virtual MAC Addr. 00-00-5E-00-01-15 (team 22)
addr 192.168.100.odd# Public VIR Address, e.g. addr 192.168.100.21
share dis switch from active-active to active-standby
if 1 communicates via interface 1
prio 100 set priority to 100 or skip line,
ena enable VR
track/l4pts ena track ports layer 4 (client/server process) enabled
It is also possible to put all commands into a single line. Configure vr2 this way:
Lab Configuration:
/cfg/l3/vrrp/vr 2/vrid odd#+10/addr 10.200.odd#.odd#/share dis/if 2/ena/track/l4pts ena
20. Test your setup. Are both Web servers accessible by ping and browser access?
21. Edit the saved odd-switch configuration, (step 9). Edit the management address to meet the
previous even team number. Change the interface 1 address to 192.168.100.odd#+20
and IF 2 to 10.200.odd#.odd#+20. Remove all /cfg/l3/vrrp configuration. Adjust peer 1
address to 10.200.odd#.odd#+10. Save this configuration as a new file.
22. Open a second Putty window, connect via serial to even-switch, and set the switch
to the factory default configuration. Double-check; is the image version used equal
to the version of odd-switch? If not, upgrade or downgrade to make the versions
match. Select verbose 1 mode to suppress displaying of menu for each command
line. Enter Layer 2, Layer 3 and sync data by copying and pasting from the file.
Apply and save this configuration.
23. Select the odd-switch terminal and sync VRRP and SLB settings.
Lab Configuration:
/o/sl/sy shorthand
y confirm configuration sync
24. Watch the display of the even-switch terminal window after the changes are received.
There is no need to apply and save the configuration on even-switch. These two
commands are automatically executed in the background. The example below is for
team 21.
27. Watch the messages for the new VR. It is the VR master.
1. Open a command prompt window on Team-PC. The examples below are for team 21.
Lab Configuration:
ping 192.168.100.21 ping to public VIR
ping 10.200.21.21 ping to VIP/VSR
2. Open a web browser, http://192.168.100.221 and access web servers. The well-known
home page should appear on screen.
Lab Configuration:
/info/l3/vrrp
What is the current priority? ________
Is this switch the master or backup? _________
Lab Configuration:
/stats/l3/vrrp
Lab Configuration:
/stats/vrrp
How many VRRP advertisements have been received? ____________
How many VRRP advertisements have been sent out? _____________
6. Establish two serial connections if not already done, one to the odd-switch another to the
even-switch. To simulate a fault, disable port 1 of odd-switch.
Lab Configuration:
/cfg/port 1/dis/apply
9. Access even-switch:
Lab Configuration:
/info/l3/vrrp
What is the priority? ________
Is this switch the master or backup? _________
Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ______________
How many VRRP advertisements have been sent out? ______________
Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ____________________
How many VRRP advertisements have been sent out? ____________________
/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/port 9
dis
/c/l2/vlan 1
learn ena
def 3 4 5 6 7 8 9 10 11 12 … 27 28
/c/l2/vlan 11
ena
name "public"
learn ena
def 1
/c/l2/vlan 14
ena
name "private"
learn ena
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
ena
addr 192.168.100.31
vlan 11
/c/l3/if 2
ena
addr 10.200.21.31
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
addr 192.168.100.254
/c/l3/vrrp/on
/c/l3/vrrp/vr 1
ena
vrid 21
if 1
prio 101
addr 192.168.100.21
share dis
track
l4pts e
/c/l3/vrrp/vr 2
ena
vrid 31
if 2
prio 101
addr 10.200.21.21
share dis
track
l4pts e
/c/l3/vrrp/vr 3
ena
vrid 41
if 1
prio 101
addr 192.168.100.221
share dis
track
l4pts e
/c/slb
on
/c/slb/sync
prios d
/c/slb/sync/peer 1
ena
addr 10.200.21.41
/c/slb/real 1
ena
rip 10.200.21.100
/c/slb/real 2
ena
rip 10.200.21.200
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.42 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
/c/sys/mmgmt
addr 10.10.242.22
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/port 9
dis
/c/l2/vlan 1
learn ena
def 3 4 5 6 7 8 9 10 11 12 … 27 28
/c/l2/vlan 11
ena
name "public"
learn ena
def 1
/c/l2/vlan 14
ena
name "private"
learn ena
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
ena
addr 192.168.100.41
vlan 11
/c/l3/if 2
ena
addr 10.200.21.41
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
addr 192.168.100.254
/c/l3/vrrp/on
/c/l3/vrrp/vr 1
ena
vrid 21
if 1
addr 192.168.100.21
share dis
track
l4pts e
/c/l3/vrrp/vr 2
ena
vrid 31
if 2
addr 10.200.21.21
share dis
track
l4pts e
/c/l3/vrrp/vr 3
ena
vrid 41
if 1
addr 192.168.100.221
share dis
track
l4pts e
/c/slb
on
/c/slb/sync
prios d
/c/slb/sync/peer 1
ena
addr 10.200.21.31
/c/slb/real 1
ena
rip 10.200.21.100
/c/slb/real 2
ena
rip 10.200.21.200
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/pip/type vlan
/c/slb/pip/type port
/c/slb/pip/add 10.200.21.43 1
/c/slb/port 1
client ena
proxy ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
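A consistency check for the HA pair built in this lab, as an added example that is not part of the Radware manual: it parses two dumps in the format shown above, derives each virtual router's MAC from its VRID, and reports settings that break the rules this lab states (VR address inside its interface's subnet, a virtual server router for every VIP, matching VRs on both switches, sync peers pointing at each other). The template, the function names and the /24 default for an interface without a mask line are assumptions of this example.

```python
import ipaddress
import re

# Constructed template in this page's dump format (menu path line, then its settings).
TEMPLATE = """\
/c/l3/if 1
addr {if1}
/c/l3/if 2
addr {if2}
mask 255.255.255.0
/c/l3/vrrp/vr 1
vrid 21
if 1
{prio}
addr 192.168.100.21
/c/l3/vrrp/vr 2
vrid 31
if 2
{prio}
addr 10.200.21.21
/c/l3/vrrp/vr 3
vrid 41
if 1
{prio}
addr 192.168.100.221
/c/slb/sync/peer 1
addr {peer}
/c/slb/virt 1
vip 192.168.100.221
"""
ODD = TEMPLATE.format(if1="192.168.100.31", if2="10.200.21.31",
                      prio="prio 101", peer="10.200.21.41")
EVEN = TEMPLATE.format(if1="192.168.100.41", if2="10.200.21.41",
                       prio="", peer="10.200.21.31")

def parse_dump(text):
    """Return {menu path: {setting: value}} for one configuration dump."""
    sections, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            path = line
            sections.setdefault(path, {})
        elif line and path:
            key, _, value = line.partition(" ")
            sections[path][key] = value.strip()
    return sections

def items(sections, prefix):
    """Settings of every numbered entry under a menu such as '/c/l3/vrrp/vr'."""
    pat = re.compile(re.escape(prefix) + r" (\d+)$")
    return {int(m.group(1)): s for p, s in sections.items() if (m := pat.match(p))}

def virtual_mac(vrid):
    """Virtual router MAC: standard prefix 00-00-5E-00-01 plus the VRID as last octet."""
    return "00-00-5E-00-01-%02X" % vrid

def audit_switch(name, cfg):
    """Checks that need only one switch's dump."""
    findings, seen = [], {}
    ifs, vrs = items(cfg, "/c/l3/if"), items(cfg, "/c/l3/vrrp/vr")
    for n, vr in sorted(vrs.items()):
        iface = ifs.get(int(vr.get("if", 0)))
        mask = (iface or {}).get("mask", "255.255.255.0")  # assumption: lab /24 when omitted
        net = iface and ipaddress.ip_network(f"{iface['addr']}/{mask}", strict=False)
        if not net or ipaddress.ip_address(vr["addr"]) not in net:
            findings.append(f"{name}: vr {n} addr {vr['addr']} outside subnet of if {vr.get('if')}")
        mac = virtual_mac(int(vr["vrid"]))
        if seen.setdefault(mac, n) != n:
            findings.append(f"{name}: vr {n} and vr {seen[mac]} share virtual MAC {mac}")
    vr_addrs = {vr["addr"] for vr in vrs.values()}
    for n, virt in sorted(items(cfg, "/c/slb/virt").items()):
        if virt.get("vip") not in vr_addrs:
            findings.append(f"{name}: virt {n} vip {virt.get('vip')} has no virtual server router")
    return findings

def audit_pair(odd_text, even_text):
    """Audit both dumps, then the settings that must agree or differ between peers."""
    odd, even = parse_dump(odd_text), parse_dump(even_text)
    findings = audit_switch("odd", odd) + audit_switch("even", even)
    o_vrs, e_vrs = items(odd, "/c/l3/vrrp/vr"), items(even, "/c/l3/vrrp/vr")
    for n in sorted(set(o_vrs) | set(e_vrs)):
        a, b = o_vrs.get(n, {}), e_vrs.get(n, {})
        for key in ("vrid", "addr", "if"):
            if a.get(key) != b.get(key):
                findings.append(f"pair: vr {n} {key} differs ({a.get(key)} vs {b.get(key)})")
        # The lab treats a missing 'prio' line as priority 100.
        if a.get("prio", "100") == b.get("prio", "100"):
            findings.append(f"pair: vr {n} has the same priority on both switches")
    for name, cfg, other in (("odd", odd, even), ("even", even, odd)):
        other_ifs = {i.get("addr") for i in items(other, "/c/l3/if").values()}
        for n, peer in sorted(items(cfg, "/c/slb/sync/peer").items()):
            if peer.get("addr") not in other_ifs:
                findings.append(f"{name}: sync peer {n} {peer.get('addr')} is not an interface of the peer")
    return findings

if __name__ == "__main__":
    print(audit_pair(ODD, EVEN) or "no findings")
```

To audit real dumps, pass the saved configuration text of both switches to audit_pair() in place of ODD and EVEN.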
2. As the next step, configure both real servers for this application. Select SLB, Real Servers
and use the ADD button to specify parameters for both real servers. The internal reference
number ID, IP Address and State are mandatory. Enter the next real server's parameters: when
finished with the first, click on More. After the last real server, click on Submit and Apply.
3. Add all real servers belonging to this application to a group (farm). Important parameters
like health check and metric are specified at this group also. Select SLB, Server Group
and use ADD button to specify parameters. The internal reference number ID is
mandatory. Change SLB Metric for this lab to Round Robin and Submit this change.
Next is to associate the real servers. Click on Add button below Real Servers, check all
real servers you will add and press Add Real or Add button depending on version. Click
Submit and Apply.
Add proxy settings for port 1
4. Configure the virtual IP. This is the entry or termination IP address for a specific service.
Select SLB, Virtual Servers and press the ADD button. Virtual Server ID, Name, VIP
Address and State are mandatory parameters. Submit this change.
5. Click the ID number, scroll down the new opened window and click Add to specify Service
Port 80. For this lab no additional parameter is required. Submit and Apply this change.
6. Final change for our basic SLB lab is the activation of client and server processing on the
ingress and egress ports. Select SLB, Ports and click on the number for the port you want
to change. If you want to change several ports the same manner, tick all appropriate ports
and click on Bulk Edit. Select port 1 and tick client, tick server for port 2, Submit each
change and Apply it.
9. Use a different browser and open a new window to the VIP. For Team21 this is
http://192.168.100.221
Create some traffic by refreshing the browser. Why is the Alteon not selecting the second
real server? Close this browser and open a new one. Why is now the second real server
selected?
If at modern browsers a tab is open, it will grab the content only from internal cache.
10. Check statistics, select Monitor, SLB, Virtual Servers at BBI window. Real servers or
Server Groups displays details on these items.
11. Load balancing for available services on different servers is an option. There are two web
servers. One equipped with two CPUs, the other with four CPUs. For each CPU a
separate Web application instance, e.g. Apache, is installed. Our customer wants to have
an even load balancing based on each of these CPUs. Set up the real servers for multi-
port SLB. Add for real server 1 ports 80 and 81, for real server 2 ports 80 to 83. To ensure
to have the same load on all CPUs increase weight to 2 for real server 2. Invoke this
feature by setting the real port for the HTTP service to 0.
At Configure, SLB, Real Server, Advanced scroll down to Service Ports and Add port
numbers. For each add you need to select the advanced menu again.
At SLB Virtual Server, Services Port 80, edit settings, check Single
change Service Port 80 => 0
12. See the messages in the CLI window. A separate health check is now generated for each port.
13. For the next hands-on we do not need this multi rport setting. Therefore, remove step 11.
Click on Revert Apply button.
BBI Layer 7 Passive Cookie Persistence Configuration
2. Select an appropriate load balancing metric for the real server group if no cookie is
present. Choose a non-persistent metric. For our lab we will select round robin. Select
Configure, SLB, Server Group, Group 1 and set SLB Metric to Round Robin.
For testing passive cookies, refer to step 7 to 10. Since rewrite cookies is very similar skip
it and do test for rewrite settings only.
6. Enable rewrite cookie-based persistence on the virtual server service. Select Configure,
SLB, Virtual Servers, Port 80 and set Persistence to Cookie. Several additional fields
are now available. Use Mode Rewrite, Search Up to 1 Responses, Name ASPSESS*,
Length 8, Search in Header. Submit and Apply changes.
10. Return to the switch BBI and refresh the window to display statistics. Note changes. To get
new session requests, you need to close the browser and open a new window; otherwise the
data is read from the browser cache instead of the Super Veda server.
>> Server Load Balancing Information# cookie
Virtual IP address: 192.168.100.221
Real IP address: 10.200.21.100
Real Server Port: 80
Real Server Index: 1
BBI Content Load Balancing Configuration
2. Select an appropriate load balancing metric for the real server group if no string is present.
Choose a non-persistent metric. For our lab we will select round robin. Select Configure,
SLB, Server Group, Group 1 and set SLB Metric to Round Robin. Submit change.
3. Double check persistent binding for the virtual server service is disabled. Pbind takes
precedence over string load balancing. Select Configure, SLB, Virtual servers, port 80.
Is parameter Persistence set to Disabled?
4. Double check is SLB working. Clear the session table
CLI Operation:
/stat/slb/clear
7. Add an index number for the URL string to the real server config. If real server 2 can
handle additional pages than “/images”, for e.g. “index.html” add string 1 as an option.
Select Configure, SLB, Real Servers, ID 2. Set radio button to Advanced and scroll
down to Layer 7. Move both strings into configured box. Submit change.
9. Test this new setup. Open a browser and access files on the image path. The files
img1.jpg, img2.jpg and img3.jpg are available on server 2. Close and reopen the client
browser several times to http://192.168.100.221/images/img1.jpg. Check statistics at
Monitor, SLB, Layer7, string tab.
12. Add the index number for the URL string to the real server config: Add ‘alte[^ar]’, which is
a regular expression for ‘alteo’ string in our configuration, to real server 1. Add ‘alte[ar]’,
which represents both strings ‘alter’ and ‘altea’, to real server 2. To allow LB for ‘index.htm’
string on real server 1, add index 1 to it.
Select Configure, SLB, Real Servers, ID 1. Set radio button to Advanced and scroll
down to Layer 7. Move any and alte[^ar] strings into configured box and Submit change.
Select Configure, SLB, Real Servers, ID 2. Set radio button to Advanced and scroll
down to Layer 7. Move alte[ar] string into configured box and Submit change.
15. Configure header variable strings and add an index number to the real server config. Real
server 1 represents the contents for ‘en’ string, real server 2 is responsible for ‘de’ string.
Language string depends on browser type. Add strings for e.g. en and de. For other
regions, choose appropriate language strings. Configure, SLB, Layer 7 Resources,
Strings. Press Add and insert at SLB String field en and then de. Keep other parameters
on default. Submit this change.
Page 116
16. Add the index number for the URL string to the real server config: Add ‘en’ to real server 1
and ‘de’ to real server 2. Keep the other previously associated strings.
Select Configure, SLB, Real Servers, ID 1. Set radio button to Advanced and scroll
down to Layer 7. Move any and en string into configured box and Submit change.
Select Configure, SLB, Real Servers, ID 2. Set radio button to Advanced and scroll
down to Layer 7. Move de string into configured box and Submit change.
17. Modify the VIP service HTTP so that it now looks up the Accept-Language string in the HTTP header.
Select Configure, SLB, Virtual Servers, ID 1 port 80. At section Basic set Application to
HTTP-L7 and at section HTTP set HTTP SLB to others and HTTP Header Name to
Accept-Language. Submit and Apply change.
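The string matching configured in steps 12 and 15 to 17, modelled as an added example (not Radware's code and not part of the original manual). It assumes each string is applied as an unanchored, case-sensitive regular-expression search, leaves out the "any" string, and uses hypothetical names (`URL_STRINGS`, `LANG_STRINGS`, `eligible_servers`, `preferred_language`) and constructed sample requests.

```python
import re

# Constructed model of the lab's string-to-real-server assignments.
# Assumption: each string is an unanchored, case-sensitive regex search;
# the "any" string (index 1) is left out of the model.
URL_STRINGS = {1: ["alte[^ar]"], 2: ["alte[ar]"]}
LANG_STRINGS = {1: ["en"], 2: ["de"]}


def eligible_servers(value, table):
    """Return sorted real server IDs with at least one string matching value."""
    return sorted(
        server_id
        for server_id, patterns in table.items()
        if any(re.search(p, value) for p in patterns)
    )


def preferred_language(header):
    """Return the primary tag with the highest q-value in Accept-Language."""
    best_tag, best_q = None, -1.0
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        tag, q = parts[0], 1.0
        if not tag:
            continue
        for param in parts[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if q > best_q:
            best_tag, best_q = tag.split("-")[0].lower(), q
    return best_tag


if __name__ == "__main__":
    # Constructed sample requests.
    for url in ["/alteo.html", "/alter.html", "/altex.html", "/alte"]:
        print(url, "->", eligible_servers(url, URL_STRINGS))
    for hdr in ["en-US,en;q=0.9", "de-DE,de;q=0.9,en;q=0.8", "fr-FR,fr;q=0.9"]:
        print(hdr, "->", eligible_servers(hdr, LANG_STRINGS), preferred_language(hdr))
```

In this model ‘alte[^ar]’ accepts any character other than a or r after alte, so it matches more than ‘alteo’, and a header that lists both languages matches both en and de regardless of the q-values.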
Page 117
Page 118
BBI configuration for VRRP
The odd-switch:
1. Connect via a browser to the management interface 10.10.242.# and set the switch to
load factory default configuration on next boot and reset it. Select Configure, System,
Download/Upload, Configuration tab, section Version Management. Set Next Boot
Block to Factory and the radio button to Do Not Erase and Submit change. If there is
no reset button at this page, move to the software tab and press the Reset button there.
Lab Configuration:
>> Configuration# /cfg/sys/access/http e/apply
Current HTTP server access: disabled
New HTTP server access: enabled
Page 119
4. Configure the interfaces for the switch as shown in the Lab Description pages. You must
create a separate interface for each network that you want to connect directly to this
switch. The interface index number used is independent of any physical port, VLAN etc. A
common number for port, VLAN and interface will simplify debugging and management.
At Configure tab select Layer3, IP Interfaces and click the Add button.
Insert Interface ID 1, IP Addresses are 192.168.100.#+10 (team 21 e.g. 192.168.100.31).
# is your team number. Mask is a C-Class one. Associate VLAN 11 for public net.
Enable state and click Submit and Apply buttons to activate this change. Add another
interface 2 for your private net. IP Address is 10.200.#.#+10 /24 (team 21 e.g.
10.200.21.31).
Page 120
6. Configure Virtual Interface Routers. For each interface, a separate router is
required. If possible, use the same value for VR-number, VR-ID and IF. This
simplifies management. If this is not possible, suitable documentation is required.
Select Configure, Layer 3, VRRP, set State to Enabled and Submit change.
Page 121
Page 122
13. Setup SLB. Set up RealServer1, RealServer2, group them and create a VIP
192.168.100.2odd#. Enable the client and server processes and enable the SLB
feature. If you can’t remember the details, refer to the SLB lab, on page 101. Test
access to this VIP by your browser.
Page 123
Watch on both switches the changed status of the VRRP routers. Select Configure,
Layer 3, VRRP, Virtual Routers
At odd Switch
At even Switch
Page 124
RemoteSecure-SSH: 76 ___
if2 =
Server net on port 2 → Vlan 14 → 10.200.___.___
if-2 = 10.200.___.___ /24
VIP-1 = 192.168.100.___
Web1 = 10.200.___.100
Web2 = 10.200.___.200
Page 125
Page 126
Client-Net = 192.168.100.0/24
Alteon Information
Alteon-even
VR 192.168.100.odd___
VSR= 192.168.100.___
VIP= 192.168.100.___
Web1 = 10.200.___.100
Web2 = 10.200.___.200
Page 127
Page 128