Configuration Guide
Document No.: D-030-01-00-0006
Ver. 2.4.3, 6/21/2010
Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support)
Fax: +1-408-325-8666
www.a10networks.com
Performance by Design
Corporate Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com
As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using the following command:

  show techsupport export [use-mgmt-port] url

(For syntax information, see the AX Series CLI Reference.)
This document assumes that you have already performed the basic deployment tasks described in the AX Series Installation Guide.
Audience
This document is intended for use by network architects for determining applicability and planning implementation, and by system administrators for provisioning and maintenance of the A10 Networks AX Series.
Icon legend: Layer 2 switch; Layer 3 router (icon images not captured).
System Overview ... 25
  AX Series Features ... 25
  ACOS Architecture ... 27
    AX Software Processes ... 27
    Local File Storage ... 29
  Hardware Interfaces ... 30
  Software Interfaces ... 30
  Server Load Balancing ... 31
    Intelligent Server Selection ... 32
    Configuration Templates ... 32
  Global Server Load Balancing ... 34
  Outbound Link Load Balancing ... 34
  Transparent Cache Switching ... 34
  Firewall Load Balancing ... 34
  Where Do I Start? ... 35
Basic Setup ... 37
  Logging On ... 37
    Logging Onto the CLI ... 38
    Logging Onto the GUI ... 39
  Configuring Basic System Parameters ... 41
    Setting the Hostname and Other DNS Parameters ... 42
    Setting the CLI Banners ... 43
    Setting Time/Date Parameters ... 44
    Configuring Syslog Settings ... 46
Network Setup ... 71
  Overview ... 71
    IP Subnet Support ... 72
  Transparent Mode ... 73
    Configuration Example ... 74
  Transparent Mode in Multinetted Environment ... 80
    Configuration Example ... 82
  Route Mode ... 86
    Configuration Example ... 87
  Direct Server Return in Transparent Mode ... 91
    Configuration Example ... 93
  Direct Server Return in Route Mode ... 96
    Configuration Example ... 97
  Direct Server Return in Mixed Layer 2/Layer 3 Environment ... 99
  Overview ... 109
  Configuring HTTP Load Balancing ... 113
  Overview ... 125
    Summary of HTTP Options ... 125
    HTTP Template Configuration ... 126
  URL Hash Switching ... 128
    URL Hash Switching with Server Load Awareness ... 130
    Configuring URL Hashing ... 132
  URL / Host Switching ... 133
    Configuring URL / Host Switching ... 136
    Using URL / Host Switching along with Cookie Persistence ... 137
    Using URL / Host Switching along with Source IP Persistence ... 141
  URL Failover ... 141
    Configuring URL Failover ... 142
  5xx Retry and Reassignment ... 143
  Content Compression ... 144
    Hardware-Based Compression ... 146
    How the AX Device Determines Whether to Compress a File ... 147
    Configuring Content Compression ... 148
  Client IP Insertion / Replacement ... 151
    Configuring Client IP Insertion / Replacement ... 153
  Header Insertion / Erasure ... 154
    Configuring Header Insertion / Replacement ... 155
    Configuring Header Erasure ... 158
  URL Redirect Rewrite ... 159
    Configuring URL Redirect Rewrite ... 160
  Strict Transaction Switching ... 161
    Enabling Strict Transaction Switching ... 162
  Overview ... 163
  Configuring FTP Load Balancing ... 165
  Overview ... 219
    Choosing an SSL Optimization Implementation ... 219
  Configuring Client SSL ... 220
  Configuring HTTPS Offload ... 224
  Configuring the SSL Proxy Feature ... 231
  Overview ... 239
  Configuring STARTTLS ... 241
  Overview ... 249
  Configuring Streaming-Media SLB ... 251
  Overview ... 255
  Configuring Layer 4 Load Balancing ... 258
  Overview ... 263
  Configuring IP Protocol Load Balancing ... 266
Wildcard VIPs ... 271
Stateless SLB ... 285
  Overview ... 295
  Configuring Layer 4 TCS ... 298
  Configuring Layer 7 TCS ... 301
    Service Type HTTP Without URL Switching Rules ... 304
    Service Type HTTP with URL Switching Rules ... 305
    Optimizing TCS with Multiple Cache Servers ... 306
    Enabling Support for Cache Spoofing ... 308
    Configuring IPv4 TCS in High Availability Layer 3 Inline Mode ... 309
      AX-1 Configuration ... 312
      AX-2 Configuration ... 314
    Configuring IPv6 TCS in High Availability Layer 3 Inline Mode ... 316
      AX-1 Configuration ... 317
      AX-2 Configuration ... 320
  Configuring TCS for FTP ... 322
    Configuration ... 323
  Overview ... 327
    FWLB HA with Direct Connection of AX Devices to Firewalls ... 329
  FWLB Parameters ... 332
    TCP and UDP Session Aging ... 335
  Configuring FWLB ... 336
  Overview ... 353
    Parameters That Can Be Configured Using Server and Port Templates ... 354
    Default Server and Service Port Templates ... 356
  Configuring Server and Service Port Templates ... 357
  Applying a Server or Service Port Template ... 358
    Binding a Server Template to a Real Server ... 359
    Binding a Server Port Template to a Real Server Port ... 360
    Binding a Virtual Server Template to a Virtual Server ... 360
    Binding a Virtual Server Port Template to a Virtual Service Port ... 361
    Binding a Server Port Template to a Service Group ... 361
  Connection Limiting ... 362
    Setting a Connection Limit ... 363
  Connection Rate Limiting ... 364
  Slow-Start ... 366
  Gratuitous ARPs for Subnet VIPs ... 369
  TCP Reset Option for Session Mismatch ... 370
Health Monitoring ... 373
  Overview ... 427
    Advantages of GSLB ... 429
    Zones, Services, and Sites ... 430
    GSLB Policy ... 430
      Health Checks ... 432
      Geo-Location ... 433
      DNS Options ... 435
      Metrics That Require the GSLB Protocol on Site AX Devices ... 437
  Configuration Overview ... 438
    Configure Health Monitors ... 439
    Configure the DNS Proxy ... 440
    Configure a GSLB Policy ... 442
      Enabling / Disabling Metrics ... 442
      Changing the Metric Order ... 444
      Configuring RTT Settings ... 445
        Passive RTT ... 451
      Configuring BW-Cost Settings ... 452
      Configuring Alias Admin Preference ... 458
      Configuring Weighted Alias ... 459
      Loading or Configuring Geo-Location Mappings ... 459
    Configure Services ... 468
      Gateway Health Monitoring ... 469
        CLI Example: Site with Single Gateway Link ... 472
        CLI Example: Site with Multiple Gateway Links ... 473
      Multiple-Port Health Monitoring ... 473
RAM Caching ... 519
  Overview ... 519
    RFC 2616 Support ... 519
      If-Modified-Since Header Support ... 520
      Support for no-cache and max-age=0 Cache-Control Headers ... 520
      Insertion of Age and Via Headers into Cached Responses ... 521
    Cacheability Behavior of AX RAM Cache ... 521
    Dynamic Caching ... 522
    Host Verification ... 522
  Configuring RAM Caching ... 523
High Availability ... 533
  Overview ... 533
    Layer 3 Active-Standby HA ... 534
    Layer 3 Active-Active HA ... 536
    Layer 2 Active-Standby HA (Inline Deployment) ... 538
      Preferred HA Port ... 541
      Port Restart ... 542
    Layer 3 Active-Standby HA (Inline Deployment) ... 543
    HA Messages ... 544
      HA Heartbeat Messages ... 545
      Gratuitous ARPs ... 545
    HA Interfaces ... 546
    Session Synchronization ... 547
  Overview ... 639
    How LSN Differs from Traditional NAT ... 643
    Benefits of LSN ... 645
      Sticky NAT ... 645
      Full-Cone NAT ... 645
      Hairpinning ... 647
      User Quotas ... 647
      Static Port Reservation ... 649
    LSN Logging ... 650
      LSN Operational Logging ... 650
      LSN Traffic Logging ... 651
    LSN NAT Capacities ... 652
    Notes and Limitations ... 654
  Configuring Large-Scale NAT ... 655
    Configure an LSN NAT Pool ... 656
    Configure a LID ... 656
    Configure a Class List ... 657
    Bind the Class List for Use with LSN ... 658
    Enable Inside NAT on the Interface Connected to Internal Clients ... 658
    Enable Outside NAT on the Interface Connected to the Internet ... 658
    Enable New-path Processing ... 659
    Optional Configuration ... 659
      Configuring Static Mappings ... 659
      Configuring Full-Cone Support ... 659
      Configuring External Logging for LSN Traffic Logs ... 660
      Configure the IP Selection Method ... 662
      Configuring the LSN SYN Timeout ... 663
  Displaying LSN Information ... 663
    Clearing LSN Statistics and Sessions ... 664
  Configuration Example ... 664
  DDoS Protection ... 715
    Enabling DDoS Protection ... 717
    Configuring IP Anomaly Filters for System-Wide PBSLB ... 717
    Displaying and Clearing IP Anomaly Statistics ... 718
  SYN Cookies ... 718
    The Service Provided By SYN Cookies ... 719
    Enabling Hardware-Based SYN Cookies ... 720
      Configuration when Target VIP and Client-side Router Are in Different Subnets ... 721
    Enabling Software-Based SYN Cookies ... 722
    Configuring Layer 2/3 SYN Cookie Support ... 723
  ICMP Rate Limiting ... 724
  Source-IP Based Connection Rate Limiting ... 726
    Parameters ... 727
    Log Messages ... 727
    Deployment Considerations ... 728
      Configuration ... 729
    Configuration Examples ... 730
  DNS Security ... 731
  Access Control Lists (ACLs) ... 733
    How ACLs Are Used ... 733
    Configuring Standard IPv4 ACLs ... 734
    Configuring Extended IPv4 ACLs ... 736
    Configuring Extended IPv6 ACLs ... 740
    Adding a Remark to an ACL ... 743
    Transparent Session Logging ... 744
      Sample Log Messages for Transparent Sessions ... 744
      Configuration ... 745
    Applying an ACL to an Interface ... 746
    Applying an ACL to a Virtual Server Port ... 747
    Using an ACL to Control Management Access ... 748
    Using an ACL for NAT ... 748
    Resequencing ACL Rules ... 748
IP Limiting
777
Overview.............................................................................................................................................. 777
Class Lists .................................................................................................................................... 777
Class List Syntax ....................................................................................................................... 778
IP Address Matching ................................................................................................................. 778
Example Class Lists .................................................................................................................. 779
IP Limiting Rules ........................................................................................................................... 779
Match IP Address ...................................................................................................................... 780
Configuring Source IP Limiting......................................................................................................... 781
Configuring a Class List ................................................................................................................ 781
Configuring the IP Limiting Rules ................................................................................................. 785
Applying Source IP Limits ............................................................................................................. 788
Displaying IP Limiting Information ................................................................................................ 790
CLI Examples - Configuration ...................................................................................................... 791
Configure System-Wide IP Limiting With a Single Class .......................................................... 791
Configure System-Wide IP Limiting With Multiple Classes ....................................................... 791
Configure IP Limiting on a Virtual Server .................................................................................. 792
Configure IP Limiting on a Virtual Port ...................................................................................... 793
CLI Examples - Display ................................................................................................................ 793
Class Lists ................................................................................................................................. 793
IP Limiting Rules ....................................................................................................................... 795
IP Limiting Statistics .................................................................................................................. 796
Role-Based Administration
797
Overview.............................................................................................................................................. 798
Resource Partitions ...................................................................................................................... 799
Administrator Roles ...................................................................................................................... 801
SLB Parameters
819
Overview.............................................................................................................................................. 905
SSL Process ................................................................................................................................. 905
Certificate Chain ........................................................................................................................ 907
Certificate Warning from Client Browser ................................................................................... 908
CA-Signed and Self-Signed Certificates ................................................................................... 909
SSL Templates .......................................................................................................................... 910
Certificate Installation Process ..................................................................................................... 912
Requesting and Installing a CA-Signed Certificate ................................................................... 912
Installing a Self-Signed Certificate ............................................................................................ 914
Generating a Key and CSR for a CA-Signed Certificate ................................................................. 915
Importing a Certificate and Key......................................................................................................... 918
Generating a Self-Signed Certificate ................................................................................................ 920
Importing a CRL.................................................................................................................................. 922
Exporting Certificates, Keys, and CRLs ........................................................................................... 923
Exporting a Certificate and Key .................................................................................................... 923
Exporting a CRL ........................................................................................................................... 924
Creating a Client-SSL or Server-SSL Template and Binding it to a VIP ........................................ 925
Creating an SSL Template ........................................................................................................... 925
Binding an SSL Template to a VIP ............................................................................................... 926
Converting Certificates and CRLs to PEM Format .......................................................................... 926
Converting SSL Certificates to PEM Format ................................................................................ 927
Converting CRLs from DER to PEM Format ................................................................................ 928
Configuration Management
935
VLAN-to-VLAN Bridging
945
System Overview
This chapter provides a brief overview of the AX Series system and features. For more information, see the other chapters in this guide.
AX Series Features
Key features of the AX Series include:
Application Delivery Features
Comprehensive IPv4/IPv6 Support
Transparent (Layer 2) and gateway (Layer 3) mode support for
Source-IP based connection rate limiting
Policy-Based SLB (black/white lists)
aFleX Tcl-like Scripting Language
XML Application Programming Interface (aXAPI)
System Management
Dedicated management interface
Multiple access methods: SSH, Telnet, HTTPS
Web-based Graphical User Interface (GUI) with language localization
Industry-standard Command Line Interface (CLI) support
On-demand backup of configuration files, logs, and system files
SNMP, syslog, alerting
Virtualized Management, provided by Role-Based Administration (RBA)
Troubleshooting tools
Port mirroring
Debug subsystem for packet capture
ACOS Architecture
AX Series devices use embedded Advanced Core Operating System
(ACOS) architecture. ACOS is built on top of a set of Symmetric Multi-Processing CPUs and uses shared memory architecture to maximize application
data delivery.
ACOS is designed to handle high-volume application data with integrated
Layer 2 / Layer 3 processing and integrated SSL acceleration built into the
system. In addition, ACOS incorporates the A10 Networks customizable
aFleX scripting language, which provides administrators with configuration
flexibility for application data redirection.
ACOS inspects packets at Layers 2, 3, 4, and 7 and uses hardware-assisted
forwarding. Packets are processed and forwarded based on ACOS configuration.
You can deploy the AX device into your network in transparent mode or
gateway (route) mode.
Transparent mode - The AX device has a single IP interface. For multi-
est Path First (OSPF) and Routing Information Protocol (RIP) are supported.
In either type of deployment, ACOS performs Layer 4-7 switching based on
the SLB configuration settings.
AX Software Processes
The AX software performs its many tasks using the following processes:
a10mon - Parent process of the AX device. This process is executed when the system comes up. The a10mon process is responsible for the following:
Bringing AX user-space processes up and down
Monitoring all its child processes, and restarting a process and all dependent processes if any of them die.
syslogd - System logger daemon that logs kernel and system events.
a10logd - Fetches all the logs from the AX Log database.
a10timer - Schedules and executes scheduled tasks.
injected from OSPF and RIP routing protocols, as well as static routes.
a10rip - Implements RIPv1 and v2 routing protocols.
a10ospf - Implements the OSPFv2 routing protocol.
a10snmpd - SNMPv2c and v3 agent, which services MIB requests.
a10wa - Embedded Web Server residing on the AX device. This process
If there is a storage shortage, the software dynamically adjusts the maximum number of SLB monitoring objects to prevent consumption of the
remaining storage.
Hardware Interfaces
1000BaseT (GOC) + SFP Mini GBIC Fiber Ports
On models AX 3100, AX 3200, AX 5100, and AX 5200, 10G XFP-SR
(short range) single-mode fiber port or XFP-LR (long range) multimode fiber port, depending on order
Management Ethernet Port
RJ-45 Console Port
Generally, the fiber ports do not require any configuration other than IP
interface(s). When you plug in a port, the port speed and mode (full-duplex
or half-duplex) are automatically negotiated with the other end of the link.
The management Ethernet port allows an out-of-band IP connection to the
switch for management. The management interface traffic is isolated from
the traffic on the other Ethernet ports.
The serial console port is for direct connection of a laptop PC to the AX
device.
Software Interfaces
Graphical User Interface (GUI)
Command Line Interface (CLI) accessible using console, Telnet, or
SLB Example
Configuration Templates
SLB configuration is simplified by the use of templates. Templates simplify
configuration by enabling you to configure common settings once and use
them in multiple service configurations. The AX device provides templates
to control server and port configuration parameters, connectivity parameters, and application parameters.
The AX device provides the following types of server and port configuration templates:
Server - Controls parameters for real servers
Port - Controls parameters for service ports on real servers
Virtual server - Controls parameters for virtual servers
Virtual port - Controls parameters for service ports on virtual servers and for load balancing based on HTTP header content or the URL requested by the client, and other options
establishing and reusing TCP connections with real servers for multiple
client requests
Cookie persistence - Inserts a cookie into server replies to clients, to direct clients to the same service group, real server, or real service port for subsequent requests for the service
Source-IP persistence - Directs a given client, identified by its IP
on destination IP address
SSL session-ID persistence - Directs all client requests for a given virtual port, and that have a given SSL session ID, to the same real server and real port
SIP - Customizes settings for load balancing of Session Initiation Proto-
tent
Where applicable, the AX device automatically applies a default template
with commonly used settings. For example, when you configure SLB for
FTP, the AX device automatically applies the default TCP template. If
required by your application, you can configure a different template and
apply that one instead. The configuration examples in this guide show how
to do this.
See the following chapters for examples of SLB configurations:
HTTP Load Balancing on page 109
FTP Load Balancing on page 163
SIP Load Balancing on page 183
SSL Offload and SSL Proxy on page 219
For descriptions of all the parameters you can control using templates, see
Server and Port Templates on page 353 and Service Template Parameters on page 819.
Where Do I Start?
To configure basic system settings, see Basic Setup on page 37.
To configure network settings, see Network Setup on page 71 and
Basic Setup
This chapter describes how to log onto the AX device and how to configure
the following basic system parameters:
Hostname and other Domain Name Server (DNS) settings
CLI banner messages
Date/time settings
System log (Syslog) settings
Simple Network Management Protocol (SNMP) settings
After you are through with this chapter, go to Network Setup on page 71.
Note:
The only basic parameters that you are required to configure are date/time
settings. Configuring the other parameters is optional.
Note:
This chapter does not describe how to access the out-of-band management interface. For that information, see the AX Series Advanced Traffic
Manager Installation Guide.
Logging On
AX Series devices provide the following management interfaces:
Command-Line Interface (CLI) - Text-based interface in which you type commands on a command line. You can access the CLI directly through the serial console or over the network using either of the following protocols:
Secure protocol: Secure Shell (SSH) version 1 or version 2
Unsecure protocol: Telnet (if enabled)
Graphical User Interface (GUI) - Web-based interface in which you
Layer (HTTPS)
Unsecure protocol Hypertext Transfer Protocol (HTTP)
Note:
By default, Telnet access is disabled on all interfaces, including the management interface. SSH, HTTP, HTTPS, and SNMP access are enabled by
default on the management interface only, and disabled by default on all
data interfaces.
Federal Information Processing Standards (FIPS) Compliance
To comply with FIPS security standards, beginning in AX Release 2.4.2,
management access to the AX device has the following requirements:
Web access to GUI - The browser used to access the AX GUI must support encryption keys of 128 bits or longer. Shorter encryption keys (for example, 40 bits) are not supported. The browser also must support SSLv3 or TLS 1.0. Browsers that support only SSLv2 are not supported.
SSH access to CLI - The SSH client used to access the CLI must support SSHv2. SSHv1 is not supported. The SSHv2 client must support
one of the following encryption ciphers:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
Other ciphers are not supported.
5. To access the Privileged EXEC level of the CLI and allow access to all
configuration levels, enter the enable command.
At the Password: prompt, enter the enable password. (This is not the
same as the admin password, although it is possible to configure the
same value for both passwords.)
If the enable password is correct, the command prompt for the Privileged EXEC level of the CLI appears: AX#
6. To access the global configuration level, enter the config command. The
following command prompt appears: AX(config)#
Supported browsers (table; the per-platform cells did not survive extraction): IE 7.0 and 6.0, Firefox 3.x and 2.x, Safari 3.0, and Chrome, each marked Supported, Not Supported, or N/A for Windows, Linux, and MAC.
For more information about the GUI, see the AX Series GUI Reference or
the GUI online help.
Note:
If you plan to use the GUI, the Basic System page under Config Mode also provides configuration access to most of the system parameters described in this chapter. For information, navigate to Config Mode > Basic System, then click Help.
The > or # character and characters in parentheses before # indicate the CLI level you are on and are not part of the hostname.
3. To set the default domain name (DNS suffix) for hostnames on the AX
device, use the following command:
ip dns suffix string
The clock is based on 24 hours. For example, for 1 p.m., enter the hour as
13.
3. To display clock settings, use the following command:
show clock [detail]
Logging to the local buffer and to CLI sessions is enabled by default. Logging to other places requires additional configuration. The standard Syslog
message severity levels are supported:
Emergency 0
Alert 1
Critical 2
Error 3
Warning 4
Notification 5
Information 6
Debugging 7
Parameter: Disposition (message target)
Description: Output options for each message level. For each message level, you can select which of the following output options to enable:
Supported Values: The following message levels can be individually selected for each output option: Emergency (0), Alert (1), Critical (2), Error (3), Warning (4), Notification (5), Information (6), Debug (7)
Parameter: Facility
Description: Standard Syslog facility to use.
Supported Values: Standard Syslog facilities listed in RFC 3164.
Parameter: Log Buffer Entries
Supported Values: 10000 to 50000 entries. Default: 30000
Parameter: Log Server
Supported Values: Any valid IP address or fully-qualified domain name. Default: None configured
Parameter: SMTP Server
Parameter: SMTP Server Port
then during the next one-second interval, the AX sends log messages
only to the external log servers.
If the number of new messages generated within the new one-second
Enabling SNMP
AX devices support the following SNMP versions: v1, v2c, v3. SNMP is
disabled by default.
You can configure the AX device to send SNMP traps to the Syslog and to
external trap receivers. You also can configure read (GET) access to SNMP
Management Information Base (MIB) objects on the AX device by external
SNMP managers.
RFC 3414, User-based Security Model (USM) for version 3 of the Sim-
SNMP Traps
Table 3 lists the SNMP traps supported by the AX device. All traps are disabled by default.
TABLE 3 AX SNMP Traps

Trap Category: SNMP
Link Up - Indicates that an Ethernet interface has come up.
Link Down - Indicates that an Ethernet interface has gone down.

Trap Category: System
Start - Indicates that the AX device has started.
Shutdown - Indicates that the AX device has shut down.
Restart - Indicates that the AX device is going to reboot or reload.
Control CPU utilization - Indicates that the control CPU utilization is higher than 90%.*
High Temperature - If you see this trap, check for fan failure traps. Also check the installation location to ensure that the chassis room temperature is not too high (40 C or higher) and that the chassis is receiving adequate air flow.
Fan Failure - Indicates that a system fan has failed. Contact A10 Networks.
Power Supply Failure - Indicates that a power supply has failed. Contact A10 Networks.
Primary Hard Disk - Indicates that the primary Hard Disk has failed or the RAID system has failed. Contact A10 Networks. In dual-disk models, the primary Hard Disk is the one on the left, as you are facing the front of the AX chassis.
Secondary Hard Disk - Indicates that the secondary Hard Disk has failed or the RAID system has failed. Contact A10 Networks. The secondary Hard Disk is the one on the right, as you are facing the front of the AX chassis.
Other traps listed: Active, Standby, Active-Active

Trap Category: Server Load Balancing (SLB)
Server Up - Indicates that an SLB server has come up.
Server Down - Indicates that an SLB server has gone down.
Service Up - Indicates that an SLB service has come up.
Service Down - Indicates that an SLB service has gone down.
Server Connection Limit - Indicates that an SLB server has reached its configured connection limit.
Server Connection Resume - Indicates that an SLB server has reached its configured connection-resume value.
Service Connection Limit - Indicates that an SLB service has reached its configured connection limit.
Service Connection Resume - Indicates that an SLB service has reached its configured connection-resume value.
Virtual Server Connection Limit - Indicates that the connection limit configured on a virtual server has been exceeded.
Virtual Port Connection Limit - Indicates that the connection limit configured on a virtual port has been exceeded.
Virtual Server Connection-Rate Limit - Indicates that the connection rate limit configured on a virtual server has been exceeded.
Virtual Port Connection-Rate Limit - Indicates that the connection rate limit configured on a virtual port has been exceeded.
Virtual Port Up - Indicates that an SLB virtual service port has come up. An SLB virtual server's service port is up when at least one member (real server and real port) in the service group bound to the virtual port is up.
Virtual Port Down - Indicates that an SLB virtual service port has gone down.
Application buffer - Indicates that the configured SLB application buffer threshold has been exceeded.*

* This threshold is configurable. To use the GUI, navigate to Config > System > Settings > General > Threshold. In the CLI, use the monitor command at the global configuration level.
Configuration Examples
The following examples show how to configure the system settings
described in this chapter.
GUI EXAMPLE
The following examples show the GUI screens used for configuration of the
basic system settings described in this chapter.
FIGURE 9
FIGURE 10 (Save Button)
CLI EXAMPLE
The following commands log onto the CLI, access the global configuration
level, and set the hostname and configure the other DNS settings:
login as: admin
Welcome to AX
Using keyboard-interactive authentication.
Password:********
Last login: Tue Jan 13 19:51:56 2009 from 192.168.1.144
[type ? for help]
AX>enable
Password:********
AX#config
AX(config)#hostname AX-SLB2
AX-SLB2(config)#ip dns suffix ourcorp
AX-SLB2(config)#ip dns primary 10.10.20.25
AX-SLB2(config)#ip dns secondary 192.168.1.25
The following examples set the login banner to "welcome to login mode"
and set the EXEC banner to "welcome to exec mode":
AX-SLB2(config)#banner login welcome to login mode
AX-SLB2(config)#banner exec welcome to exec mode
Pacific/Honolulu
(GMT-10:00)Hawaii
America/Anchorage
(GMT-09:00)Alaska
America/Tijuana
America/Los_Angeles
(GMT-08:00)Pacific Time
...
AX-SLB2(config)#clock timezone America/Los_Angeles
AX-SLB2(config)#smtp ourmailsrvr
AX-SLB2(config)#logging email-address admin1@example.com admin2@example.com
AX-SLB2(config)#logging email 0
The following commands enable SNMP and all traps, configure the AX
device to send traps to an external trap receiver, and configure a community
string for use by external SNMP managers to read MIB data from the AX
device.
AX-SLB2(config)#snmp-server location ourcorp-HQ
AX-SLB2(config)#snmp-server contact Me_admin1
AX-SLB2(config)#snmp-server enable trap
AX-SLB2(config)#snmp-server community read ourcorpsnmp
AX-SLB2(config)#snmp-server host 192.168.10.11 ourcorpsnmp
The following command saves the configuration changes to the startup-config. This is the file from which the AX device loads the configuration following a reboot.
AX-SLB2(config)#write memory
them immediately.
Boolean Operators
A logging email filter consists of a set of conditions joined by Boolean
expressions (AND / OR / NOT).
The CLI Boolean expression syntax is based on Reverse Polish Notation
(also called Postfix Notation), a notation method that places an operator
(AND, OR, NOT) after all of its operands (in this case, the conditions list).
After listing all the conditions, specify the Boolean operator(s). The following operators are supported:
AND - All conditions must match in order for a log message to be emailed.
OR - Any one or more of the conditions must match in order for a log message to be emailed.
NOT - A log message is emailed only if it does not match the conditions.
(For more information about Reverse Polish Notation, see the following
link: http://en.wikipedia.org/wiki/Reverse_Polish_notation.)
Config > System > Settings > Log - Add (Logging Email Filter)
FIGURE 12 Config > System > Settings > Log (Logging Email Filter added)
filter filter-num conditions
The filter-num option specifies the filter number, and can be 1-8.
The conditions list can contain one or more of the following:
level severity-levels - Specifies the severity levels of messages to send
to email messages. Messages are emailed only if they come from one of
the specified software modules. For a list of module names, enter ?
instead of a module name, and press Enter.
pattern regex - Specifies the string requirements. Standard regular
starting with filter 1. When a message matches a filter, the message will
be emailed based on the buffer settings. No additional filters are used to
examine the message.
A maximum of 8 conditions are supported in a filter.
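The filter evaluation described above (conditions listed first, then the postfix AND / OR / NOT operators; filters tried in order from filter 1 with the first match deciding; at most 8 conditions per filter), worked through in Python as an added example that is not A10's code. The whitespace-separated token syntax used here and the arities chosen for the operators (AND and OR binary, NOT unary, as in plain Reverse Polish Notation) are assumptions; the page does not show the exact CLI form.

```python
"""Evaluator for logging-email filters written in postfix (RPN) form.
Added example (not A10's code) modelling the guide's filter semantics:
conditions (level, module, pattern) are listed first, then AND/OR/NOT;
filters are tried in order from filter 1 and the first match decides; a
filter holds at most 8 conditions. Assumed here, not taken from the CLI:
AND/OR are binary and NOT unary (plain RPN), and the token syntax below."""
import re
from collections import namedtuple

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6, "debugging": 7}
OPERATORS = ("AND", "OR", "NOT")
KEYWORDS = ("level", "module", "pattern")
MAX_CONDITIONS = 8

# Constructed stand-in for a log entry: numeric severity, source module, text.
LogMessage = namedtuple("LogMessage", "level module text")


def _severity(token):
    """Accept a numeric level 0-7 or a severity name."""
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    if token.lower() in SEVERITY:
        return SEVERITY[token.lower()]
    raise ValueError(f"unknown severity level {token!r}")


def parse_filter(spec):
    """'level 0 1 2 pattern (?i)disk AND' -> list of (kind, arg) conditions
    and operator strings, in the order written (postfix)."""
    tokens = spec.split()
    items, conditions, i = [], 0, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPERATORS:
            items.append(tok)
            i += 1
            continue
        if tok not in KEYWORDS:
            raise ValueError(f"unexpected token {tok!r}")
        j = i + 1  # arguments run until the next keyword or operator
        while j < len(tokens) and tokens[j] not in KEYWORDS + OPERATORS:
            j += 1
        args = tokens[i + 1:j]
        if not args:
            raise ValueError(f"{tok} needs at least one argument")
        if tok == "level":
            items.append(("level", frozenset(_severity(a) for a in args)))
        elif tok == "module":
            items.append(("module", frozenset(a.lower() for a in args)))
        elif len(args) == 1:
            items.append(("pattern", re.compile(args[0])))
        else:
            raise ValueError("pattern takes exactly one regular expression")
        conditions += 1
        i = j
    if not 1 <= conditions <= MAX_CONDITIONS:
        raise ValueError(f"a filter needs 1 to {MAX_CONDITIONS} conditions")
    return items


def _condition_matches(cond, msg):
    kind, arg = cond
    if kind == "pattern":
        return arg.search(msg.text) is not None
    return (msg.level if kind == "level" else msg.module.lower()) in arg


def filter_matches(items, msg):
    """Evaluate the postfix item list against one message with a stack."""
    stack = []
    for item in items:
        if item in ("AND", "OR"):
            if len(stack) < 2:
                raise ValueError(f"{item} needs two operands")
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if item == "AND" else (a or b))
        elif item == "NOT":
            if not stack:
                raise ValueError("NOT needs one operand")
            stack.append(not stack.pop())
        else:
            stack.append(_condition_matches(item, msg))
    if len(stack) != 1:
        raise ValueError("conditions left over: an operator is missing")
    return stack[0]


def first_matching_filter(filters, msg):
    """Return the lowest filter number whose filter matches msg, else None."""
    for num in sorted(filters):
        if filter_matches(parse_filter(filters[num]), msg):
            return num
    return None


# Constructed sample filters: 1 = critical-or-worse messages mentioning a
# disk; 2 = anything from the slb module or any notification-level message.
EXAMPLE_FILTERS = {1: "level emergency alert critical pattern (?i)disk AND",
                   2: "module slb level notification OR"}
```

A single condition with no operator (as in the legacy `logging email severity-level` form) evaluates as a one-item stack and is accepted unchanged.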
is still supported:
logging email severity-level
The severity-level can be one or more of the following: 0, 1, 2, 5, emergency, alert, critical, notification.
The command is treated as a special filter. This filter is placed into effect
only if the command syntax shown above is in the configuration. The
filter has an implicit trigger option for emergency, alert, and critical
messages, to emulate the behavior in previous releases.
CLI Example
The following command configures the AX device to buffer log messages
to be emailed. Messages will be emailed only when the buffer reaches 32
messages, or 30 minutes passes since the previous log message email,
whichever happens first.
AX(config)#logging email buffer number 32 time 30
The following command resets the buffer settings to their default values.
AX(config)#no logging email buffer number time
Network Setup
This chapter describes how to insert the AX device into your network.
After you complete the setup tasks in this chapter that are applicable to your
network, the AX device will be ready to configure for its primary function:
load balancing.
This chapter includes an example for Routing Information Protocol (RIP).
For information about Open Shortest Path First (OSPF), see Open Shortest Path First (OSPF) on page 105.
Overview
AX Series devices can be inserted into your network with minimal or no
changes to your existing network. You can insert the AX device into your
network as a Layer 2 switch or a Layer 3 router.
The same Layer 4-7 features are available with either deployment option.
You can deploy the AX device as a single unit or as a High Availability
(HA) pair. Deploying a pair of AX devices in an HA configuration provides
an extra level of redundancy to help ensure your site remains available to
clients. For simplicity, the examples in this chapter show deployment of a
single AX device. For information about HA, see High Availability on
page 445.
Examples are provided in this chapter for the following types of network
deployment:
Transparent mode
Transparent mode in multinetted environment
Route mode (also called gateway mode)
Direct Server Return (DSR) in transparent mode
DSR in route mode
DSR in mixed Layer 2/Layer 3 environment
IP Subnet Support
Each AX device has a management interface and data interfaces. The management interface is a physical Ethernet port. A data interface is a physical
Ethernet port, a trunk group, or a Virtual Ethernet (VE) interface.
The management interface can have a single IP address.
An AX device deployed in transparent mode (Layer 2) can have a single IP
address for all data interfaces. The IP address of the data interfaces must be
in a different subnet than the management interface's address.
An AX device deployed in route mode (Layer 3) can have separate IP
addresses on each data interface. No two interfaces can have IP addresses
that are in the same subnet. This applies to the management interface and all
data interfaces.
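The subnet rules above are easy to get wrong when a device is re-addressed. The following Python check, added here as an example and not part of the AX Series guide or A10's own tooling, validates an addressing plan against those rules before it is typed into the CLI. The interface names and addresses are constructed sample values; the rule that the route-mode check also catches overlapping (not only identical) subnets is this example's reading of "in the same subnet".

```python
"""Added example (not from the AX Series guide): validate an AX addressing
plan against the IP subnet rules for transparent mode and route mode.

Rules modelled:
  * transparent mode: one IP address for all data interfaces, and it must be
    in a different subnet from the management interface address.
  * route mode: each interface (management included) has its own address,
    and no two interfaces may be in the same subnet.
All interface names and addresses below are constructed sample values.
"""
import ipaddress


def _net(cidr):
    # Network an interface address belongs to, e.g. "10.10.10.1/24" -> 10.10.10.0/24
    return ipaddress.ip_interface(cidr).network


def check_transparent(mgmt, data):
    """Return violations for a transparent-mode (Layer 2) plan.

    mgmt: management interface address in CIDR form.
    data: the single data-interface address in CIDR form.
    """
    problems = []
    if _net(mgmt).overlaps(_net(data)):
        problems.append("data IP %s is in the same subnet as management IP %s"
                        % (data, mgmt))
    return problems


def check_route(interfaces):
    """Return violations for a route-mode (Layer 3) plan.

    interfaces: mapping of interface name -> CIDR address. The management
    interface belongs in the mapping because the rule applies to it too.
    """
    problems = []
    seen = []  # (network, interface name) pairs already accepted
    for name, cidr in interfaces.items():
        net = _net(cidr)
        clash = [other for other_net, other in seen if other_net.overlaps(net)]
        if clash:
            problems.append("%s and %s are both in subnet %s" % (clash[0], name, net))
        else:
            seen.append((net, name))
    return problems


if __name__ == "__main__":
    # Constructed plans; the last one reuses 10.10.10.0/24 on two data ports.
    print(check_transparent("192.168.1.5/24", "10.10.10.1/24"))
    print(check_route({"management": "192.168.1.5/24",
                       "ethernet 1": "10.10.10.1/24",
                       "ethernet 2": "10.10.20.1/24"}))
    print(check_route({"management": "192.168.1.5/24",
                       "ethernet 1": "10.10.10.1/24",
                       "ethernet 2": "10.10.10.2/24"}))
```

Run it against the plan for each device before configuration; an empty list means the plan satisfies the rules quoted above.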
Transparent Mode
Figure 13 shows an example of an AX Series device deployed in transparent mode.
FIGURE 13
The blue arrows show the traffic flow for client-server traffic; in this example, between clients and server 10.10.10.3.
In this example, the AX device is inserted directly between the gateway
router and the real servers. The AX device and real servers are all in the
same subnet and all use the router as their default gateway.
For simplicity, this example and the other examples in this chapter show
the physical links on single Ethernet ports. Everywhere a single Ethernet
connection is shown, you can use a trunk, which is a set of multiple ports
configured as a single logical link.
Similarly, where a single gateway router is shown, a pair of routers in a
Virtual Router Redundancy Protocol (VRRP) configuration could be
used. In this case, the gateway address used by hosts and Layer 2 switches
is the virtual IP address of the pair of routers.
This example does not use Layer 3 Network Address Translation (NAT) but
does use the default SLB NAT settings. (For a description, see SLB Source
NAT on page 609.)
HTTP requests from clients for virtual server 10.10.10.99 are routed by the
Layer 3 router to the AX device. SLB on the AX device selects a real server
and sends the request to the server. The server reply passes back through the
AX device to clients.
Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown in Figure 13.
FIGURE 18
FIGURE 19
Config > Service > SLB > Virtual Server - Virtual Server Port
The following commands enable the Ethernet interfaces used in the example:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#exit
The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this
guide. Also see the AX Series CLI Reference.)
Commands to configure the real servers
AX(config)#slb server rs1 10.10.10.3
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.20.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
This example is similar to the example in Figure 13, except the real servers
are in separate subnets. Each server uses the router as its default gateway,
but at a different subnet address.
Note:
The AX device initiates health checks using the last (highest numbered)
IP address in the pool as the source IP address. In addition, the AX device
will only respond to control traffic (for example, management and ICMP
traffic) from the NATted subnet if the control traffic is sent to the last IP
address in the pool.
Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown in Figure 20.
Note:
GUI examples are shown here only for the configuration elements that are
new in this section (VLAN and Source NAT pool). For examples of the
GUI screens for the rest of the configuration, see Transparent Mode on
page 73.
FIGURE 21
FIGURE 22
Config > Service > SLB > Virtual Server - Virtual Server Port
The following commands enable the Ethernet interfaces used in the example:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#enable
AX(config-if:ethernet4)#exit
The following commands configure the VLANs. By default, all AX Ethernet data ports are in VLAN 1, so the only configuration required
in this example is to create a second VLAN and add ports to it. The ports
you add to other VLANs are automatically removed from VLAN 1.
AX(config)#vlan 2
AX(config-vlan:2)#untagged ethernet 2 ethernet 4
AX(config-vlan:2)#exit
The following commands add the SLB configuration. The source-nat command enables the IP address pool configured above to be used for NATting
health check traffic between the AX device and the real server. (For more
information about SLB commands, see the SLB configuration chapters in
this guide. Also see the AX Series CLI Reference.)
Route Mode
Figure 24 shows an example of an AX device deployed in route mode.
FIGURE 24
The blue arrows show the traffic flow for client-server traffic; in this example, between clients and server 192.168.4.101. This example shows a database server that is not part of the SLB configuration but that is used by the
real servers when fulfilling client requests. Real servers can reach the database server through the AX device just as they would through any other
Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown in Figure 24.
Note:
GUI examples are shown here only for the configuration elements that are
new in this section (configuration of routing parameters). For examples of
the GUI screens for the SLB configuration, see Transparent Mode on
page 73.
Note:
In the current release, the GUI does not support configuration of RIP or
OSPF.
The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this
guide. Also see the AX Series CLI Reference.)
Commands to configure the real servers
AX(config)#slb server rs1 192.168.1.101
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server rs2 192.168.2.101
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
VIP redistribution is not supported for VIPs that are configured for Direct
Server Return (DSR).
DSR Health Checking
Layer 3 and Layer 4-7 health checks are supported in DSR configurations.
The target of the Layer 3 health checks can be the real IP addresses of the
servers, or the virtual IP address, depending on your preference.
To send the Layer 3 health checks to the real server IP addresses, you
enabled, and with the alias address set to the virtual IP address.
Globally enable DSR health checking.
Layer 4-7 health checks are sent to the same IP address as the Layer 3 health
checks, and then addressed to the specific protocol port. You can use the
default TCP and UDP health monitors or configure new health monitors.
This example uses the default TCP health monitor.
Requirements
This configuration has certain requirements:
Requirements on the AX device:
The AX device, virtual server, and the real servers all must be in the
same subnet.
The virtual server IP address must be configured as a loopback
interface on each real server. (This is performed on the real server
itself, not as part of the real server's configuration on the AX
device.)
DSR must be enabled on the virtual service ports. (Enabling DSR is
equivalent to disabling destination NAT.)
Note:
In the current release, for IPv4 VIPs, DSR is supported on virtual port
types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is
supported on virtual port types TCP, UDP, and RTSP.
address.
ARP replies from the loopback interfaces must be disabled. (This
applies to the loopback interfaces that have the virtual server IP
address.)
Configuration Example
This section shows how to implement the configuration shown in Figure 27.
The following commands enable the Ethernet interface connected to the clients and server:
AX(config)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#exit
The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this
guide. Also see the AX Series CLI Reference.)
Commands to configure the real servers
AX(config)#slb server rs1 10.10.10.3
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.10.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
The configuration is very similar to the one for DSR in transparent mode,
except the AX device uses an IP interface configured on an individual
Ethernet port instead of a global IP address.
The requirements for the AX device and real servers are the same as those
for DSR in transparent mode. (See Direct Server Return in Transparent
Mode on page 91.)
Note:
VIP redistribution is not supported for VIPs that are configured for Direct
Server Return (DSR).
Configuration Example
This section shows how to implement the configuration shown in Figure 28.
The following examples only show the part of the configuration that differs from deployment of DSR in transparent mode. The only difference is
configuration of the IP interface on the Ethernet interface connected to the
router, and configuration of a default route.
The rest of the configuration commands are the same as those shown in
Direct Server Return in Transparent Mode on page 91, beginning with
configuration of the real servers.
FIGURE 29
In this example, two real servers are used as the primary servers for VIP
10.10.10.99:80. They are in the same IP subnet as the AX device. Each of
them is configured for DSR: destination NAT is disabled on the virtual port.
Another server, 192.168.2.10, is configured as a backup, to be used only if
both primary servers are unavailable. Since the backup server is a valuable
network resource, serving as a server farm backup is only one of its functions. It is also used by other applications elsewhere in the network. The AX
device can be configured to use the server as a backup to a DSR server farm,
without changing the network topology.
mary servers, so that the member for the backup server has the lower
priority. By default, the AX device will not use the lower-priority server
(the backup server) unless all the primary servers are down. Use the
same priority for all the primary servers.
Enable destination NAT on the backup server. By default, destination
NAT is unset on real ports, and is set by the virtual port. Normally, destination NAT is disabled on virtual ports used for DSR. However, destination NAT needs to be enabled on the real port on the backup server.
Enabling destination NAT for the backup server allows the server to
remain on a different subnet from the AX device, and still be used for
the VIP that normally is served by DSR. The backup server does not
need to be moved to a Layer 2 connection to the AX device and the
server's IP address does not need to be changed. It can remain on a different subnet from the AX device and the primary servers.
Destination NAT cannot be set directly on an individual real port. To
enable destination NAT on a real port, create a real port template and
enable destination NAT in the template. You can bind the template to the
real port itself, or to the service group member for the port.
If you bind the template to the port itself, the template applies to the
port in all service groups that use the port.
If you bind the template to the service group member instead, the
template applies to the port only within the service group. The template does not apply to the same port when used in other service
groups.
Note:
VIP redistribution is not supported for VIPs that are configured for Direct
Server Return (DSR).
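The priority and destination-NAT rules in this section interact, and it helps to see them together. The following Python model is added here as an example; it is not code from the AX Series guide or from A10. It uses the addresses quoted in this section (VIP 10.10.10.99:80, backup 192.168.2.10) and the real server addresses from the transparent-mode DSR example; the priority values, the member and template names, and the precedence of a member-bound template over a port-bound one are this example's assumptions.

```python
"""Added example (not from the AX Series guide): model of service group
member priorities and of destination NAT resolution through real port
templates, for a DSR server farm with a backup server on another subnet.

Modelled rules:
  * only up members with the highest remaining priority are used, so the
    lower-priority backup is selected only when every primary is down;
  * destination NAT is disabled on the DSR virtual port; a real port template
    with destination NAT enabled is bound to the backup, either to the real
    port itself (applies in all service groups) or to one member (applies in
    that group only).
Priority values, names and the member-over-port template precedence are
assumptions made for this example.
"""


class PortTemplate:
    """Real port template; only the destination NAT setting is modelled."""

    def __init__(self, name, dest_nat):
        self.name = name
        self.dest_nat = dest_nat


class Member:
    """A service group member: one real server port, with a priority."""

    def __init__(self, server, ip, port, priority=1, template=None):
        self.server, self.ip, self.port = server, ip, port
        self.priority = priority
        self.member_template = template  # template bound to this member only
        self.up = True


class ServiceGroup:
    def __init__(self, name, members, vport_dest_nat=False, port_templates=None):
        self.name = name
        self.members = list(members)
        self.vport_dest_nat = vport_dest_nat      # False: DSR virtual port
        # (server, port) -> template bound to the real port itself; a port
        # binding applies in every service group that uses the port.
        self.port_templates = port_templates or {}
        self._rr = 0

    def candidates(self):
        """Up members that share the highest priority still available."""
        up = [m for m in self.members if m.up]
        if not up:
            return []
        best = max(m.priority for m in up)
        return [m for m in up if m.priority == best]

    def select(self):
        """Round robin among the candidates; None when nothing is up."""
        cands = self.candidates()
        if not cands:
            return None
        member = cands[self._rr % len(cands)]
        self._rr += 1
        return member

    def dest_nat(self, member):
        """Effective destination NAT for a member (assumed precedence:
        member-bound template, then port-bound template, then the virtual
        port's setting, since real ports are unset by default)."""
        if member.member_template is not None:
            return member.member_template.dest_nat
        tmpl = self.port_templates.get((member.server, member.port))
        if tmpl is not None:
            return tmpl.dest_nat
        return self.vport_dest_nat


def build_example():
    """Constructed farm for VIP 10.10.10.99:80: two DSR primaries in the AX
    subnet and a backup on 192.168.2.10 whose member carries a NAT template."""
    dnat = PortTemplate("dnat-on", dest_nat=True)
    rs1 = Member("rs1", "10.10.10.3", 80, priority=5)
    rs2 = Member("rs2", "10.10.10.4", 80, priority=5)
    backup = Member("backup", "192.168.2.10", 80, priority=1, template=dnat)
    return ServiceGroup("sg-dsr", [rs1, rs2, backup])


def simulate(group, requests=4, fail_primaries_after=2):
    """Selection trace of (server, dest_nat) per request; all members with
    priority above 1 are marked down after fail_primaries_after requests."""
    trace = []
    for i in range(requests):
        if i == fail_primaries_after:
            for m in group.members:
                if m.priority > 1:
                    m.up = False
        m = group.select()
        trace.append((m.server, group.dest_nat(m)))
    return trace


if __name__ == "__main__":
    print(simulate(build_example()))
```

The trace shows the two primaries taking requests without destination NAT (DSR), and the backup taking over with destination NAT only once both primaries are down.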
FIGURE 31
Config > Service > SLB > Template > Server Port
To set the priority values of the primary servers to a higher value than the
backup server, re-add the members for the primary servers' ports, and use
the priority option. Set the priority to a value higher than 1 (the default).
Use the same priority value on each of the primary servers' member ports.
Configuration Example
The configuration excerpts in this example configure OSPFv2 and OSPFv3
on an AX device.
Interface Configuration
The following commands configure two physical Ethernet data interfaces.
Each interface is configured with an IPv4 address and an IPv6 address. Each
interface also is added to OSPF area 0 (the backbone area).
The link-state metric (OSPF cost) of Ethernet 2 is set to 30, which is higher
than the default, 10. Based on the cost difference, OSPF routes through
Ethernet 1 will be favored over OSPF routes through Ethernet 2, because the
OSPF cost of Ethernet 1 is lower.
interface ethernet 1
ip address 2.2.10.1 255.255.255.0
ipv6 address 5f00:1:2:10::1/64
ipv6 router ospf area 0 tag 1
!
interface ethernet 2
ip address 3.3.3.1 255.255.255.0
ipv6 address 5f00:1:2:20::1/64
ip ospf cost 25
ipv6 router ospf area 0 tag 1
OSPF Logging
To enable logging for OSPF:
1. Configure router log file settings.
2. Enable OSPF logging (debugging).
The following commands configure router log file settings:
router log file name routerlog
router log file per-protocol
router log file size 10
router log file rotate 4
These commands create a router log file named routerlog. The per-protocol option will log messages for each routing protocol separately. The log
file will hold a maximum 10 MB of data, after which the messages will be
saved in a backup and the log file will be cleared. The log will be backed up
a maximum of 4 times, after which the oldest backup will be deleted to
make room for a new backup.
The following commands enable logging for OSPFv2:
debug a10 ospf
debug ospf all
Note:
Log file settings are retained across reboots but debug settings are not.
Note:
Enabling debug settings that produce lots of output, or enabling all debug
settings, is not recommended for normal operation.
Overview
HTTP load balancing manages HTTP traffic across a Web server farm.
Figure 32 shows an example of an HTTP load balancing deployment.
The network topologies in application examples such as this one are simplified to focus on the application. For example, the Internet router connecting the clients to the AX device is not shown here. Likewise, a single
AX is shown. Your configuration might use an AX pair for High Availability (HA).
FIGURE 32
SERVICE GROUPS
A service group contains a set of real servers from which the AX device can
select to service a client request.
This example uses a single service group that contains all the real servers
and the applicable service port (80). During configuration, you bind the service group to the virtual port(s) on the virtual server.
The AX device selects a server based on the load balancing method used by
the service group, and on additional criteria relevant to the load balancing
method.
In this example, the default load balancing method, round robin, is used.
The round robin method selects servers in rotation. For example, the first
client request is sent to server web-2, the next client request is sent to server
web-3, and so on.
VIRTUAL SERVER
The virtual server in this example has IP address 192.168.10.11 and virtual
service port 80. When you configure a virtual service port, you specify the
protocol port number for the port. You also specify the service type. The AX
device supports the following service types for HTTP ports:
HTTP: Complete TCP stack. Use this service type if you plan to customize
any templates. For example, if you plan to use SSL (HTTPS load
balancing or SSL offload), or customize the HTTP template to change
information in the HTTP headers of server replies, use the HTTP service
TEMPLATES
Templates are sets of configuration parameters that apply to specific service
types or to servers and service ports. This example uses the default settings
for each of the templates that are automatically applied to the HTTP service
type and to the real and virtual servers and ports. The rest of the information
in this section is for reference but is not required reading to continue with
this example.
For some types of templates, the AX configuration has a default template that is automatically applied to a service port unless you apply another
template of the same type instead. (See Service Template Parameters on
page 819.)
Service Templates
For HTTP, the AX configuration applies default templates of each of the
following template types to HTTP service ports:
TCP-Proxy: TCP-proxy templates control TCP stack settings, including
the idle timeout for TCP connections. Unless you need to change the
setting for a TCP/IP stack parameter, you can safely allow the AX
device to apply the default TCP-proxy template to the service types that
use it.
HTTP: HTTP templates provide many options, including options to
reply before sending the reply to the client. The cookie ensures that subsequent requests from the client for the same virtual server and virtual
port are directed to the same service group, real server, or real service
port.
Source-IP Persistence: Similar to cookie persistence, except the AX
device does not insert cookies. Instead, clients are directed to the same
resource in the server farm for every request, for the duration of a
configurable timer on the AX device. The granularity of the persistence can
be set to always use the same real server port, the same real server, or
the same service group.
(For an example that uses a source-IP persistence template, see Layer 4
TCP/UDP Load Balancing on page 255.)
Server and Port Templates
The AX device uses templates for configuration of some commonly used
server and port parameters. By default, the following templates are applied:
Default server template: Contains configuration parameters for real
servers
Default port template: Contains configuration parameters for real
service ports
Default virtual-server template: Contains configuration parameters for
virtual servers
Default virtual-port template: Contains configuration parameters for
erence
Config > Service > SLB > Template section in the Config Mode
HEALTH MONITORS
This example uses the following types of health monitors to check the real
servers:
Ping: A Layer 3 health method that sends an ICMP echo request to the
real server's IP address. The server passes the health check if the AX
device receives a ping reply.
TCP: By default, every 30 seconds the AX device sends a connection
request (TCP SYN) to each load balanced TCP port on each server, in
this case ports 80 and 443. A TCP port passes the health check if the
server replies to the AX device by sending a TCP SYN ACK. By
default, the AX device completes the TCP handshake.
In addition to these default health checks, you can configure health monitors
for specific service types. This example uses an HTTP health monitor, with
the following default settings.
Every 30 seconds, the AX device sends an HTTP GET request for the
present on the server and the server replies with an OK message (200).
(For more information about health monitors and their configurable options,
see Health Monitoring on page 373.)
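To make the pass/fail rules of the TCP and HTTP monitors concrete, the following Python script is added here as an example; it is not code from the AX Series guide and does not reproduce A10's monitor implementation. It completes a TCP handshake (the Layer 4 check) and sends an HTTP GET that passes only on a 200 reply (the Layer 7 check) against a small local HTTP server started in a thread, so it runs offline. The paths /healthy and /missing, the 3-second timeout and the local server are constructed for the example; the 30-second interval from the text is left to whatever scheduler calls run_checks().

```python
"""Added example (not from the AX Series guide): Layer 4 and Layer 7 health
checks that mirror the default TCP monitor (full TCP handshake) and an HTTP
monitor (GET must be answered with status 200).

The sample server, its paths and the timeout are constructed for this example.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_check(host, port, timeout=3.0):
    """Pass if the server completes the TCP handshake on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(host, port, path="/", timeout=3.0, expect=200):
    """Pass if a GET for path is answered with the expected status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status == expect
    except OSError:
        return False
    finally:
        conn.close()


class _Handler(BaseHTTPRequestHandler):
    """Constructed target: /healthy answers 200, any other path 404."""

    def do_GET(self):
        self.send_response(200 if self.path == "/healthy" else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the sample server quiet
        pass


def start_sample_server():
    """Start the sample server on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def stop_sample_server(srv):
    srv.shutdown()
    srv.server_close()


def run_checks(host, port):
    """One monitoring round, as a scheduler would run it every interval."""
    return {
        "tcp": tcp_check(host, port),
        "http /healthy": http_check(host, port, "/healthy"),
        "http /missing": http_check(host, port, "/missing"),
    }


if __name__ == "__main__":
    srv, port = start_sample_server()
    try:
        print(run_checks("127.0.0.1", port))
    finally:
        stop_sample_server(srv)
```

The 404 path fails the HTTP check while the TCP check on the same port still passes, which is exactly why a Layer 7 monitor is worth configuring on top of the default TCP one: a server whose daemon accepts connections but no longer serves the application is taken out of rotation only by the HTTP check.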
3. Configure the service group. Add the real servers and service ports to
the group.
4. Configure the virtual server:
Add the HTTP service port, with service type Fast-HTTP.
Bind the service group to the virtual port.
6. In the Health Monitor drop-down list, select ping or leave the monitor
unset.
If you leave the monitor unset, the Layer 3 health monitor that comes in
the AX configuration by default is used. (See Default Health Checks on
page 373.)
7. In the Port section, enter the number of the service port on the real
server in the Port field. In this example, enter 80.
8. In the Health Monitor drop-down list, select the HTTP health monitor
configured in To configure an HTTP health method on page 114.
9. Click Add. The port appears in the port list.
10. Click OK. The real server appears in the server table.
FIGURE 34
FIGURE 35
Config > Service > SLB > Server (real servers added)
FIGURE 37
FIGURE 38
Config > Service > SLB > Virtual Server - Virtual Server Port
1. To configure HTTP and HTTPS health methods, use the following commands:
health monitor monitor-name
Enter this command at the global configuration level of the CLI, for
each monitor to be configured. The command changes the CLI to the
configuration level for the monitor. At the monitor configuration level,
enter the following command:
method http
Entering this command, without entering additional commands at this
level, configures the monitor to use all the default settings for the HTTP
method.
To customize settings for a health monitor, use additional commands at
the configuration level for the monitor.
2. To configure the real servers, use the following commands:
slb server server-name ipaddr
This command changes the CLI to the configuration level for the real
server, where you can use the following command to add the HTTP port
to the server:
port port-num tcp
The port-num specifies the protocol port number. In this example, specify 80.
This command adds the port and changes the CLI to the configuration
level for the port, where you can use the following command to enable
the HTTP health check:
health-check monitor-name
For monitor-name, specify the name of the HTTP health monitor configured in step 1.
3. To configure the service group, use the following commands:
slb service-group group-name tcp
This command changes the CLI to the configuration level for the service
group, where you can use the following command to add the real servers
and service ports to the group:
CLI EXAMPLE
The following commands configure the HTTP health monitor:
AX(config)#health monitor http-monitor
AX(config-health:monitor)#method http
AX(config-health:monitor)#exit
Overview
HTTP templates provide many SLB options. Some options control selection
of real servers or service groups, while other options modify HTTP header
information or enhance website performance.
lated from part of the URL string. (See URL Hash Switching on
page 128.)
URL / host switching Selects a service group based on the URL path
with a 5xx status code instead of sending the status code to the client,
and reassigns the request to another server if the first server continues to
reply with a 5xx status code. (See 5xx Retry and Reassignment on
page 143.)
Strict transaction switching Performs server selection for each request
before sending the redirect messages to clients. This option can convert
HTTP URLs into HTTPS URLs, and can modify the domain or URL
path in the redirect message. (See URL Redirect Rewrite on
page 159.)
6. When finished, click OK. The template appears in the HTTP template
list.
To bind a template to a virtual service port:
1. Select Config > Service > SLB.
2. Select Virtual Server on the menu bar.
3. To edit an existing virtual server, select it. To configure a new one, click
Add. The General section appears.
4. Click Port. The Port section appears.
5. Select the port or click Add. The Virtual Server Port section appears.
6. Make sure the port type is HTTP, Fast-HTTP, or HTTPS.
7. In the HTTP Template drop-down list, select the HTTP template.
8. Configure other options if needed. (For example, if you are configuring
a new port, make sure to select the service group.)
9. Click OK. The port appears in the Port list of the Port section.
10. Click OK. The virtual server list reappears.
URL Hashing
In this example, a service group contains three real servers. Each of the real
servers contains the same set of .htm(l), .pdf, and .jpg files. The AX device
is configured to calculate a hash value based on the last 3 bytes of the URL
string in the client request, and assign the hash value to a server.
After assigning a hash value to a server, the AX device sends all requests
that match the hash value to the same real server. In this example, all
requests that end with pdf are sent to the same server.
If the real server becomes unavailable, the AX device selects another server,
assigns a hash value to it, and uses that server for all subsequent requests for
URL strings that have the same hash value.
Load Status Reported by Server   Description                                          AX Action
0                                Server is able to handle all of its own requests.   AX device continues using the server for the URLs hashed to the server.

Server       Load Status Reported by Server   AX Action
S1, S2, S3                                    New requests for /article-new1 are sent only to server S1.
S1, S2, S3   2, 0, 0                          New requests for /article-new1 are distributed between S1 and S2, using round robin.
S1, S2, S3   2, 1 or 2, 0                     New requests for /article-new1 are distributed between S1 and S3, using round robin.
AX Configuration
On the AX device, URL hash switching with server load awareness does not
require configuration of dedicated backup servers in the service group.
Instead, any primary server can also act as a backup for other servers, based
on server load.
Server load awareness is disabled by default but can easily be enabled in
new or existing URL hash switching configurations. Configure an HTTP
template with URL hash switching. Include the use-server-status (CLI) or
Use Server Status (GUI) option.
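The following Python model is added here as an example of URL hash switching as described in this section and of the server load awareness behaviour shown in the table above; it is not code from the AX Series guide, and A10's hash function and assignment method are not documented here, so the CRC32 hash over the last 3 bytes, the modulo choice of the initial server, and the server names and URLs are constructed for the example. The table only shows that a server reporting status 2 shares new requests with the next server reporting 0; how status 1 on the hashed server itself is treated is not stated, so the model treats only status 2 as overloaded.

```python
"""Added example (not from the AX Series guide): model of URL hash switching
with optional server load awareness (use-server-status).

Modelled behaviour:
  * the hash covers the last 3 bytes of the URL string, so every request
    ending in "pdf" gets the same hash value;
  * a hash value is assigned to a server on first use and stays there until
    that server becomes unavailable, when it is assigned to another server;
  * with use-server-status, a hashed server reporting load status 2 shares
    new requests for its hash values, round robin, with the first other up
    server reporting status 0 (assumption: status 1 is never a helper and
    only status 2 triggers sharing, which is all the table shows).
Hash function, assignment rule, server names and URLs are constructed.
"""
import zlib


class UrlHashSwitch:
    def __init__(self, servers, use_server_status=False):
        self.servers = list(servers)          # order decides which server helps
        self.up = {s: True for s in servers}
        self.load = {s: 0 for s in servers}   # status reported by each server
        self.assignment = {}                  # hash value -> server
        self.use_server_status = use_server_status
        self._rr = {}                         # hash value -> round-robin counter

    @staticmethod
    def hash_value(url):
        """Hash over the last 3 bytes of the URL string (CRC32 is an assumption)."""
        return zlib.crc32(url.encode()[-3:])

    def _assign(self, h):
        up = [s for s in self.servers if self.up[s]]
        if not up:
            raise RuntimeError("no server available")
        self.assignment[h] = up[h % len(up)]  # constructed assignment rule
        return self.assignment[h]

    def select(self, url):
        """Return the server that should receive this request."""
        h = self.hash_value(url)
        server = self.assignment.get(h)
        if server is None or not self.up[server]:
            server = self._assign(h)          # first use, or the server went down
        if not self.use_server_status or self.load[server] != 2:
            return server
        helpers = [s for s in self.servers
                   if s != server and self.up[s] and self.load[s] == 0]
        if not helpers:
            return server
        pool = [server, helpers[0]]
        n = self._rr.get(h, 0)
        self._rr[h] = n + 1
        return pool[n % 2]


if __name__ == "__main__":
    sw = UrlHashSwitch(["S1", "S2", "S3"], use_server_status=True)
    pinned = sw.select("/docs/a.pdf")
    print("pdf requests go to", pinned, sw.select("/docs/b.pdf"))
    sw.load[pinned] = 2
    print("overloaded:", [sw.select("/docs/c.pdf") for _ in range(4)])
```

Two things the model makes visible: the assignment is sticky for as long as the server stays up (a server coming back does not pull its old hash values back), and load awareness never needs a dedicated backup, since any status-0 server in the group can help.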
If you plan to use URL / host switching along with cookie persistence,
you must enable the match-type service-group option in the cookie persis-
URL Switching
Match Options
URL / host switching selects a service group based on rules that map part of
the URL string or host (domain name) to the service group. You can use the
following match options in URL / host switching rules:
Starts-with: the string matches only if the URL or host name starts with the
specified string.
Contains: the string matches if the specified string appears anywhere
specified string.
These match options are always applied in the following order, regardless of
the order in which the rules appear in the configuration. The service group
for the first match is used.
Starts-with
Contains
Ends-with
If a template has more than one rule with the same option (starts-with, contains, or ends-with) and a URL or host name matches on more than one of
them, the most-specific match is always used. For example, if a template
has the following rules, requests for host www.ddeeff.org will always be
directed to service group http-sgf:
host-switching contains d service-group http-sgd
host-switching contains dd service-group http-sge
host-switching contains dde service-group http-sgf
If you use the starts-with option with URL switching, use a slash in front of
the URL string. For example:
url-switching starts-with /urlexample service-group http-sg1
The following commands bind the HTTP template and service group sg-abc
to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlswitch
AX(config-slb virtual server-slb virtua...)#service-group sg-abc
The following commands bind the HTTP template and service group sg-123
to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlswitch
AX(config-slb virtual server-slb virtua...)#service-group sg-123
In this example, URL switching and cookie persistence are both configured,
and the service-group option is enabled in the cookie persistence template.
For each client request, URL switching selects a service group first. Then,
after a service group is selected, a real server and port are selected within
the service group.
the selected service group, the AX device uses SLB to select a server,
then inserts a persistence cookie into the reply from the server. The
cookie includes the service group name.
If the client's request already has a persistence cookie containing the
name of the selected service group, the AX device uses the information
in the cookie to select the same server within the service group.
For example, the first time service group sgabc is selected by URL switching, the AX device inserts a cookie into the server's reply, to ensure that the
same server is used the next time URL switching selects sgabc. The first
time service group sg123 is selected by URL switching, the AX device
inserts a second cookie into the server's reply, to ensure that the same server
is used the next time URL switching selects sg123. Even though URL
switching does not always select the same service group, the same server
within the selected service group is always selected.
Cookie Persistence Match-Type Options
When cookie persistence is configured, the AX device adds a persistence
cookie to the server reply before sending the reply to the client. The client's
browser re-inserts the cookie into each request. The format of the cookie
depends on the match-type setting:
match-type (port) This is the default setting. Subsequent requests
from the client will be sent to the same real port on the same real server.
URL switching or host switching is used only for the first request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport=rserverIP_rport
The vport is the virtual port number. The rserverIP is the real server IP
address and the rport is the real server port number.
The port option is shown in parentheses because the CLI does not have a
port keyword. If you do not set the match type to server (see below),
the match type is automatically port.
match-type server Subsequent requests from the client for the same
VIP will be sent to the same real server, provided that all virtual ports of
the VIP use the same cookie persistence template with match-type set to
server. URL switching or host switching is used only for the first
request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename=rserverIP
will be sent to the same real port on the same real server, within the service group selected by URL switching or host switching. URL switching or host switching is still used for every request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport
match-type server service-group Subsequent requests from the client
for the same VIP will be sent to the same real server, within the service group selected by URL switching or host switching. URL
switching or host switching is still used for every request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-servicegroupname=rserverIP
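The four cookie formats listed above, built and parsed by an added Python helper; this is example code, not the AX device's own code, and the cookie name "sess", the addresses, ports and the service-group name "sg-abc" are constructed.

```python
"""Added example (not from the AX Configuration Guide): builds and parses
the persistence cookie value for each cookie persistence match-type:
  port                  cookiename-vport=rserverIP_rport
  server                cookiename=rserverIP
  port service-group    cookiename-vport-servicegroupname=rserverIP_rport
  server service-group  cookiename-servicegroupname=rserverIP
All sample values are constructed for the example."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class PersistCookie:
    match_type: str                  # one of the four match-types above
    name: str                        # cookie name from the persistence template
    rserver_ip: str                  # real server address (visible to the client)
    rport: Optional[int] = None      # real server port (port-based types only)
    vport: Optional[int] = None      # virtual port number (port-based types only)
    service_group: Optional[str] = None


def build_set_cookie(c: PersistCookie) -> str:
    """Return the Set-Cookie value in the format the text gives for c.match_type."""
    if c.match_type == "port":
        return f"{c.name}-{c.vport}={c.rserver_ip}_{c.rport}"
    if c.match_type == "server":
        return f"{c.name}={c.rserver_ip}"
    if c.match_type == "port service-group":
        return f"{c.name}-{c.vport}-{c.service_group}={c.rserver_ip}_{c.rport}"
    if c.match_type == "server service-group":
        return f"{c.name}-{c.service_group}={c.rserver_ip}"
    raise ValueError(f"unknown match-type: {c.match_type}")


def parse_set_cookie(name: str, cookie_value: str) -> PersistCookie:
    """Recover the match-type and fields from a cookie the client sent back.

    The template's cookie name must be known: both the name and a service
    group name (for example sg-abc) may contain '-', so the name is stripped
    first and only the vport is split off at the next '-'."""
    lhs, _, rhs = cookie_value.partition("=")
    if not lhs.startswith(name):
        raise ValueError("cookie does not belong to this template")
    suffix = lhs[len(name):]          # "", "-vport", "-vport-sg" or "-sg"
    if "_" in rhs:                    # port-based formats carry rserverIP_rport
        if not suffix:
            raise ValueError("port-based cookie without a vport")
        ip, port_s = rhs.rsplit("_", 1)
        vport_s, _, sg = suffix[1:].partition("-")
        mt = "port service-group" if sg else "port"
        return PersistCookie(mt, name, ip, int(port_s), int(vport_s), sg or None)
    sg = suffix[1:] if suffix else None
    mt = "server service-group" if sg else "server"
    return PersistCookie(mt, name, rhs, service_group=sg)


# Constructed samples, one per match-type.
SAMPLES = [
    PersistCookie("port", "sess", "10.1.1.2", rport=8080, vport=80),
    PersistCookie("server", "sess", "10.1.1.2"),
    PersistCookie("port service-group", "sess", "10.1.1.2", 8080, 80, "sg-abc"),
    PersistCookie("server service-group", "sess", "10.1.1.2", service_group="sg-abc"),
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c.match_type, "->", "Set-Cookie:", build_set_cookie(c))
```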
URL Failover
The AX device can send an HTTP 302 Redirect message to a client when
the real servers for the URL requested by the client are unavailable.
Figure 42 shows an example.
FIGURE 42 URL Failover
The URL failover option does not affect redirect messages sent by real
servers. To alter redirect messages from real servers, use the URL redirect-rewrite option instead. (See URL Redirect Rewrite on page 159.)
Note:
Use of this HTTP template option also requires the strict-transaction-switch option to be used in the same HTTP template. (See Strict Transaction Switching on page 161.)
Note:
This option is supported only for virtual port types HTTP and HTTPS. It
is not supported for fast-HTTP or any other virtual port type.
Content Compression
Most types of real servers are able to compress media (content) before sending it to clients. Compression reduces the amount of bandwidth required to
send content to clients.
Although compression optimizes bandwidth, compression also can sometimes actually hinder overall website performance, if the real servers spend
a lot of their CPU resources performing the compression.
To maximize the benefits of content compression, you can enable the AX
device to perform compression for the real servers.
Compression is disabled by default. When you enable it, the AX device
compresses media of types text and application by default. You can
configure the AX device to compress additional media types. You also can
configure the AX device to exclude specific media types and even specific
URIs from compression.
Accept-Encoding Field
An HTTP request from clients usually contains an Accept-Encoding field in
the header. This field indicates to the real server whether the client is willing
to accept compressed content.
If compression is enabled on the real server, the real server will compress
content before sending it to a client, if the client's request contains the
Accept-Encoding field with the compress value for the requested content
type.
By default, when you enable compression on the AX device, the device
removes the entire Accept-Encoding field from the request before sending
the request to the server. As a result, the server does not compress the content before sending it in the reply. The AX device compresses the content,
then sends the reply with the compressed content to the client.
If you still want the server to compress some content, you can configure the
AX device to leave the Accept-Encoding field unchanged. In this case, compression is performed by the real server instead of the AX device, if the
server is configured to perform the compression. The AX device can still
compress content that the real server does not compress.
Compression Level
The AX device supports compression level 1-9. Each level provides a
higher compression ratio, beginning with level 1, which provides the lowest
compression ratio. A higher compression ratio results in a smaller file size
after compression. However, higher compression levels also require more
CPU processing than lower compression levels, so performance can be
affected.
The default compression level is 1, which provides the fastest compression
speed but with the lowest compression ratio.
Hardware-Based Compression
Hardware-based compression is available using an optional hardware module in the following AX models: AX 2100, AX 2200, AX 3100, AX 3200,
and AX 5200.
CLI Example
The following commands configure an HTTP template called "http-compress" that uses compression level 5 to compress files with media type
"application" or "image". Files with media type "application/zip" are explicitly excluded from compression.
AX(config)#slb template http http-compress
AX(config-HTTP template)#compression enable
AX(config-HTTP template)#compression level 5
AX(config-HTTP template)#compression content-type image
AX(config-HTTP template)#compression exclude-content-type application/zip
The following command displays HTTP compression statistics. The counters are in bytes and apply to all HTTP compression configured in all HTTP
templates on the AX device. The compression counters are shown in bold
type.
AX(config-HTTP template)#show slb http-proxy
                                 Total
-----------------------------------------------------------------
Curr Proxy Conns                    58
Total Proxy Conns                   49
HTTP requests                      306
HTTP requests(succ)                269
No proxy error                       0
Client RST                          17
Server RST                           0
No tuple error                       0
Parse req fail                       0
Client IP Insertion
Replace Option
By default, the client IP address is appended to addresses already in the target header field. You can configure the AX device to replace any addresses
that are already in the field.
Without this option, the client IP address is appended to the lists of client IP
addresses already in the header. For example, if the header already contains
X-Forwarded-For:1.1.1.1, the field:value pair becomes
X-Forwarded-For:1.1.1.1, 2.2.2.2.
If you enable replacement of the client IP addresses, the field:value pair
becomes X-Forwarded-For:2.2.2.2.
The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http insertclientip
The header insert, replace, and erase options described in this section are
not supported with the fast-http service type. The AX device does not
allow an HTTP template with any of these header options to be bound to a
fast-http virtual port. Likewise, the AX device does not allow any of the
header options to be added to an HTTP template that is already bound to a
fast-http virtual port.
contains a header with the same field name, the new field:value pair is
added after the existing field:value pair. Existing headers are not
replaced.
Insert-if-not-exist inserts the header only if the packet does not already
contain a header with the same field name.
Insert-always: if the packet already contains one or more headers with the
specified field name, this option replaces the first header.
Effects of the Insert / Replace Options
Here are some examples of the effects of the insert / replace options: insert-always, insert-if-not-exist, and the default (no options). For these examples,
assume that a client's request packet already contains the following Cookie
headers: Cookie: a=1 and Cookie: b=2.
GET / HTTP/1.1
Host: www.example.com
Cookie: a=1
Cookie: b=2
...
field:value pair. If the request already contains a header with the same
field name, the new field:value pair is added after the existing
field:value pair. Existing headers are not replaced.
If you use the insert-if-not-exist option, the command inserts the header
only if the packet does not already contain a header with the same field
name.
To insert a field:value pair into response headers, use the following command:
[no] response-header-insert field:value
[insert-always | insert-if-not-exist]
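The header insert options (default, insert-if-not-exist, insert-always) and the client IP insertion append / replace behaviour from the Replace Option section, as an added Python model applied to the Cookie example above; this is example code, not the AX device's implementation, and follows the behaviour as the text describes it. Note that the replace option discards whatever X-Forwarded-For value the client itself supplied.

```python
"""Added example (not from the AX Configuration Guide): models the header
insert options and client IP insertion. Headers are an ordered list of
(field, value) pairs because one request can carry several headers with the
same field name (Cookie: a=1 and Cookie: b=2). The sample request is the one
given in the text; the X-Forwarded-For sample is constructed from the
Replace Option section."""

from typing import List, Tuple

Headers = List[Tuple[str, str]]


def parse_headers(raw: str) -> Headers:
    """Parse 'Field: value' lines of a request; the request line is skipped."""
    out: Headers = []
    for line in raw.strip().splitlines()[1:]:
        field, _, value = line.partition(":")
        out.append((field.strip(), value.strip()))
    return out


def header_insert(headers: Headers, field: str, value: str, option: str = "") -> Headers:
    """Insert field:value according to the option.

    ""                    default: add after the existing pair(s) with that name,
                          existing headers are not replaced
    "insert-if-not-exist" add only if no header with that name exists
    "insert-always"       replace the first header with that name, else add
    """
    names = [f.lower() for f, _ in headers]
    target = field.lower()
    exists = target in names
    result = list(headers)
    if option == "insert-if-not-exist":
        if not exists:
            result.append((field, value))
    elif option == "insert-always":
        if exists:
            result[names.index(target)] = (field, value)
        else:
            result.append((field, value))
    elif option == "":
        if exists:
            last = len(names) - 1 - names[::-1].index(target)
            result.insert(last + 1, (field, value))
        else:
            result.append((field, value))
    else:
        raise ValueError(f"unknown option: {option}")
    return result


def insert_client_ip(headers: Headers, client_ip: str,
                     field: str = "X-Forwarded-For", replace: bool = False) -> Headers:
    """Client IP insertion: append to an existing field by default, or replace
    the addresses already in the field when replace=True."""
    result = list(headers)
    for i, (f, v) in enumerate(result):
        if f.lower() == field.lower():
            result[i] = (f, client_ip if replace else f"{v}, {client_ip}")
            return result
    result.append((field, client_ip))
    return result


# Request from the text.
REQUEST = """GET / HTTP/1.1
Host: www.example.com
Cookie: a=1
Cookie: b=2
"""

# Constructed: a request that already carries an X-Forwarded-For header.
XFF_HEADERS: Headers = [("Host", "www.example.com"), ("X-Forwarded-For", "1.1.1.1")]

if __name__ == "__main__":
    base = parse_headers(REQUEST)
    for opt in ("", "insert-if-not-exist", "insert-always"):
        print(opt or "(default)", header_insert(base, "Cookie", "c=3", opt))
    print(insert_client_ip(XFF_HEADERS, "2.2.2.2"))
    print(insert_client_ip(XFF_HEADERS, "2.2.2.2", replace=True))
```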
the client. For example, if the real server redirects the client to
http://www.example1.com, you change the URL to
http://www.example2.com or https://www.example2.com.
Secure redirection You can change an unsecure redirect (HTTP) to a
secure one (HTTPS). For example, if the real server redirects the client
to http://www.example1.com, you change the URL to
https://www.example1.com.
You can use one or both options.
Redirect-Rewrite Rule Matching
If a URL matches on more than one redirect-rewrite rule within the same HTTP
template, the AX device selects the rule that has the most specific match to
the URL. For example, if a server sends redirect URL 66.1.1.222/000.html,
and the HTTP template has the redirect-rewrite rules shown below, the AX
device will use the last rule because it is the most specific match to the
URL:
The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http secureredirect
Use this option only if needed, and disable the option once the server load
is rebalanced. This option makes server selection much more granular but
also uses more AX system resources.
Overview
FTP load balancing optimizes the download experience for clients by balancing FTP traffic across servers in a server farm. You can provide clients
with a single, published virtual IP address for large files, and serve the files
from a set of real servers.
Figure 45 shows an example of an FTP load balancing solution.
FIGURE 45
itly bind this template to the HTTP port on the virtual server. The AX
device automatically binds this template to a virtual TCP port on a virtual server when you create the port, unless you explicitly bind another
TCP template to the virtual port instead.
For FTP, a custom TCP template is required, with the idle time set to a
high value, to prevent FTP download sessions from timing out if they
pause for a while. This custom TCP template must be explicitly bound
to the virtual FTP port on the virtual server. In this case, the custom template is used instead of the default TCP template.
The default HTTP template is assigned to the virtual HTTP port by default.
However, the parameters in the default HTTP template are unset by default.
For this configuration, you do not need to configure a different HTTP template or change settings in the default one.
This example does not include configuration of server or port templates, so
the default templates and their settings are applied.
Health Monitors
This example uses the following health monitors to check the real servers:
Ping Tests Layer 3 connectivity to the servers. The Ping health moni-
this example, the default settings are used: Every 30 seconds, the AX
device sends an HTTP Get request for the index.html page.
FTP Tests the FTP port by sending a login request to the port. In this
example, the default settings are used: Every 30 seconds, the AX device
sends an anonymous FTP login request to port 21.
The Ping health monitor is already configured by default, and is enabled by
default when you add the real server.
The HTTP and FTP monitors must be configured and applied to the real
server ports.
The AX device has default Layer 4 health checks it uses to test the TCP and
UDP transport layers. This configuration also uses those health checks. (For
information, see Default Health Checks on page 373.)
FIGURE 46
FIGURE 47 Config > Service > Health Monitor - Method section (for FTP monitor)
FIGURE 52 Config > Service > SLB > Server (showing configured real servers)
Note:
The Health Monitor column shows the Layer 3 (ICMP ping) health monitors for the real servers, not the Layer 4-7 health monitors for individual
server ports.
configuration does not use weights to bias server selection, you can
leave this field set to Round Robin.)
Add members 10.10.10.2-4 for port 21.
FIGURE 55
FIGURE 56
FIGURE 57
FIGURE 58 Config > Service > Virtual Server - Virtual Server Port section (for HTTP)
FIGURE 59 Config > Service > Virtual Server - Virtual Server Port section (for FTP)
FIGURE 60 Config > Service > Virtual Server - Port section (ports added)
FIGURE 61
The following commands configure the TCP template for use with FTP:
AX(config)#slb template tcp ftp-longidletime
AX(config-L4 TCP LB template)#idle-timeout 15000
AX(config-L4 TCP LB template)#exit
FIGURE 65
FIGURE 66 Config > Service > SLB > Server - Registrar and Proxy servers added
FIGURE 67
FIGURE 68
FIGURE 69
FIGURE 70 Config > Service > Template > Application > SIP - template added
FIGURE 71
FIGURE 72
The following commands configure the VIP for the SIP registrar:
AX(config)#slb virtual-server sip1 192.168.20.1
AX(config-slb virtual server)#port 5060 sip
AX(config-slb virtual server-slb virtua...)#service-group sip5060
AX(config-slb virtual server-slb virtua...)#template sip Registrar_template
SIP clients send secure SIP requests over TLS. The requests are addressed
to a VIP configured on the AX device. The AX device forwards the requests
to the SIP servers over TCP. Likewise, when the AX device receives SIP
traffic from the SIP servers, the AX device forwards the traffic to the appropriate clients over TLS.
SIP Multiplexing
You can use the AX device to multiplex SIP connections. This is useful in
cases where the SIP servers do not have enough capacity to maintain separate connections for each SIP client. Figure 74 shows an example.
In this example, each SIP server can handle a maximum of 256 client connections. However, there are 1000 SIP clients that use the VIP as their SIP
server.
To enable the SIP servers to be used with this many clients, the connection-reuse feature is configured on the AX device. The AX device is allowed to
open a maximum of 100 connections to each server, but uses each connection for multiple clients.
While the AX device is sending a client request on a connection, the connection is in use. However, as soon as the request has been sent, the AX
device frees the connection to be used again. The connection can be used for
the same client or another client. The AX device does not wait for a reply to
the client's request before freeing the connection. Figure 75 shows an example.
FIGURE 75
lowing options:
Timeout Specifies how long a reusable connection can remain idle
before being terminated.
Limit per server Specifies the maximum number of connections to
the server. (In Figure 74, this option would be set to 100.)
Keep-alive connections Specifies the number of new reusable
connections to open before beginning to reuse the existing connections for new clients.
Client IP insertion When this SIP template feature is enabled, the AX
on page 200)
Client and Server Requirements for SIP Multiplexing
In order for the AX device to be used as a multiplexer for SIP over TCP/
TLS, the clients and SIP servers must meet certain requirements:
The SIP clients must be able to send SIP pings.
The SIP server must be able to reply to SIP pings, with SIP pongs.
The SIP server must be able to include the X-Forward-For header added
SIP Keepalive
server-selection failures.
Drop the SIP message.
Send a message string.
Example message string sent to client when server can not be
server would use to authenticate clients. Configure a client-SSL template and add the certificates and keys to the template.
Configure a virtual server with the IP address to which clients will send
SIP requests. For SIP over TLS Clients, add a protocol port with service
type sips. For SIP over TCP Clients, add a protocol port with service
type sip-tcp. Bind the port to the service group, and to the SIP and
connection-reuse templates. If a client-SSL template is used, bind the
port to the client-SSL template too.
Otherwise, the GUI procedures for creating the configuration items needed
for SIP over TCP/TLS are the same as in previous releases.
The following figures show examples of the GUI configuration pages for
implementing the SIP multiplexing configuration shown in Figure 74 on
page 198.
FIGURE 77
FIGURE 79
FIGURE 80
FIGURE 81
FIGURE 82
FIGURE 83 Config > Service > Template > SSL > Client SSL
Config > Service > SLB > Virtual Server - Virtual Server Port
exclude-translation
{body | header string | start-line}
This command disables translation of the virtual IP address and virtual port
in specific portions of SIP messages:
CLI Example
The commands in this example implement the SIP multiplexing configuration shown in Figure 74 on page 198, and show SIP SLB statistics.
The following commands access the configuration level of the CLI and configure a SIP over TCP health monitor:
AX>enable
AX#config
AX(config)#health monitor sip-over-tcp
AX(config-health:monitor)#method sip tcp
The following commands import the certificates and keys to use for authenticating SIP clients:
AX(config)#slb ssl-load certificate ca-cert.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
AX(config)#slb ssl-load private-key ca-certkey.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem
AX(config)#slb ssl-load certificate cert.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?cert.pem
AX(config)#slb ssl-load private-key certkey.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?certkey.pem
The following command shows SIP SLB statistics:
AX#show slb sip
                                 Total
-----------------------------------------------------------------
Curr Proxy Conns                     0
Total Proxy Conns                  115
Client message                     125
Client message (fail)                0
Server message                      12
Server message (fail)                0
Client request                     119
Client request (succ)               12
Client RST                           0
Server RST                         113
Parse message fail                   0
Server selection fail                0
Server conn made                   115
Source NAT failure                   0
By default, the AX device performs reverse NAT on all traffic from a SIP
server before forwarding the traffic. Reverse NAT translates the source IP
address of return traffic from servers to clients back into the VIP address
before forwarding the traffic to clients.
However, if the SIP server needs to reach another server, and the traffic
must pass through the AX device, the destination server will receive the
traffic from the VIP address instead of the SIP server address.
To disable reverse NAT in this type of situation:
1. Configure an extended ACL that matches on the SIP server IP address
or subnet as the source address, and matches on the destination server's
IP address or subnet as the destination address.
The following commands bind the SIP template to the SIP virtual port:
AX(config)#slb virtual-server sip-vip 192.168.20.1
AX(config-slb vserver)#port 5060 sip
AX(config-slb vserver-vport)#template sip sip1
Overview
The AX device provides the following types of SSL optimization:
SSL Offload The AX device applies Layer 7 features to HTTPS traffic
HTTPS traffic.
Layer 7 features are not required.
FIGURE 88 Configure > Service > Template > SSL > Client SSL
The following commands configure a client SSL template to use the certificate and key:
AX(config)#slb template client-ssl sslcert-tmplt
AX(config-client SSL template)#cert sslcert.crt
AX(config-client SSL template)#key sslcertkey.pem
AX(config-client SSL template)#exit
If traffic between the servers and AX device also will be encrypted, you
also need to configure a server-SSL template and bind it to the virtual
port. In configurations that use both client-SSL and server-SSL, use the
HTTPS/SSL port number in the real server configuration.
If only client-SSL is used, use the HTTP port number in the real server
configuration. Use the HTTPS/SSL port number in the virtual server configuration.
Beginning in AX Release 2.4.x, server-SSL without client-SSL is supported. However, in this case, the service type of the virtual port must be
HTTP, not HTTPS.
Configure > Service > SLB > Virtual Server - Port tab
The following commands configure a service group for the HTTPS servers:
AX(config)#slb service-group HTTPS_servers tcp
AX(config-slb service group)#member HTTPS1:80
AX(config-slb service group)#member HTTPS2:80
AX(config-slb service group)#exit
FIGURE 95
FIGURE 96 Configure > Service > SLB > Virtual Server - Port tab
The following commands configure a service group for the POP servers:
AX(config)#slb service-group POP_servers tcp
AX(config-slb service group)#member POP1:110
AX(config-slb service group)#member POP2:110
AX(config-slb service group)#exit
The following commands configure the VIP to which clients will send
POPS traffic:
AX(config)#slb virtual-server v1 10.6.6.6
AX(config-slb virtual server)#port 110 ssl-proxy
AX(config-slb virtual server-slb virtua...)#service-group POP_servers
AX(config-slb virtual server-slb virtua...)#template client-ssl sslcert-tmplt
Overview
AX Series devices support the STARTTLS feature. STARTTLS is an extension to SMTP that enables you to secure mail traffic to and from your legacy SMTP servers. SMTP itself does not provide any security.
When the AX device is configured to perform STARTTLS, the AX acts as a
proxy between SMTP clients and servers. Mail traffic to and from clients is
encrypted by the AX, whereas traffic between the AX and the SMTP servers is clear (not encrypted).
Figure 97 shows an example of the STARTTLS feature.
FIGURE 97
commands are allowed. You can disable support of any of these commands. In this case, if the client tries to issue a disabled SMTP command, the AX sends the following message to the client: 502 Command not implemented
Domain Switching
By default, SMTP traffic from all client domains is sent to the same service
group. You can configure multiple service groups and send traffic to the
groups based on the client domain. For example, you can send SMTP traffic
from clients in domain "CorpA" to a different service group than SMTP
traffic from clients in domain "CorpB".
FIGURE 98
Configuring STARTTLS
To configure STARTTLS:
1. Import a certificate and its key to use for TLS sessions with clients.
2. Configure a client SSL template and add the certificate and its key to it.
3. Configure a real server for each SMTP server and add the SMTP port to
the server.
4. Configure a service group for the SMTP servers and add them to the
group.
5. Configure an SMTP template. Within the template:
a. Specify the email server domain. The default is mail-serverdomain.
b. Optionally, modify the service ready message. The default message
text is "ESMTP mail service ready". The complete message sent to
the client is constructed as follows:
200 - smtp-domain service-ready-string
c. Optionally, disable one or more of the following SMTP commands:
VRFY, EXPN, or TURN. If a client sends an SMTP command that
is disabled on the AX, the AX sends the following message to the
client: 502 - Command not implemented
d. Optionally, change STARTTLS from being optional to being
required. If you leave the setting "optional", mail clients will be able
to send and receive unencrypted mail.
e. Optionally, load balance SMTP traffic among multiple service
groups based on client domains.
6. Configure a virtual server and port for the SMTP address to which clients will send SMTP traffic, and add the SMTP service group and
SMTP template to the port.
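The client-facing behaviour that the SMTP template options above control (service-ready banner, disabled commands answered with 502, optional versus required STARTTLS, and domain switching) can be modelled as a small command handler. The following Python is an added illustration and is not ACOS code: the template defaults, the disable-able commands and the "502 Command not implemented" reply follow this section; the class names, the use of reply code 220 for the greeting and 530 for commands sent before TLS when STARTTLS is required (RFC 5321 and RFC 3207), and taking the client domain from the MAIL FROM address are this example's own assumptions.

```python
"""
Client-facing command handling of an SMTP STARTTLS proxy (added example,
not A10 code).  The proxy terminates TLS toward the client and relays the
commands in clear text to the backend SMTP servers, which is not modelled
beyond a "250 OK" placeholder reply.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SmtpTemplate:
    domain: str = "mail-serverdomain"                  # guide default
    service_ready: str = "ESMTP mail service ready"    # guide default
    disabled_commands: frozenset = frozenset()         # any of VRFY, EXPN, TURN
    starttls_required: bool = False                    # guide default: optional
    domain_groups: dict = field(default_factory=dict)  # client domain -> service group (assumed keying)
    default_group: str = "SMTP_servers"


# Commands a client may send before the session is encrypted even when
# STARTTLS is required (RFC 3207 section 4).
ALLOWED_BEFORE_TLS = {"EHLO", "HELO", "NOOP", "QUIT", "STARTTLS"}


class ProxyFrontEnd:
    """One client connection on the encrypted side of the proxy."""

    def __init__(self, tmpl: SmtpTemplate):
        self.tmpl = tmpl
        self.tls_active = False                  # set by STARTTLS; handshake itself not modelled
        self.service_group = tmpl.default_group  # group this client's mail is sent to

    def greeting(self) -> str:
        # Banner format from the guide: "<smtp-domain> <service-ready-string>";
        # reply code 220 is the RFC 5321 greeting code (example's assumption).
        return f"220 {self.tmpl.domain} {self.tmpl.service_ready}"

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in self.tmpl.disabled_commands:
            return "502 Command not implemented"
        if verb in ("EHLO", "HELO"):
            reply = [f"250-{self.tmpl.domain}"]
            if not self.tls_active:               # advertise STARTTLS only on a clear session
                reply.append("250-STARTTLS")
            reply.append("250 OK")
            return "\r\n".join(reply)
        if verb == "STARTTLS":
            if self.tls_active:
                return "503 TLS already active"
            self.tls_active = True                # the TLS handshake with the client happens here
            return "220 Ready to start TLS"
        if self.tmpl.starttls_required and not self.tls_active and verb not in ALLOWED_BEFORE_TLS:
            # "required" mode: refuse to carry mail on an unencrypted session
            return "530 Must issue a STARTTLS command first"
        if verb == "QUIT":
            return "221 Bye"
        if verb == "MAIL":
            # Domain switching: choose the service group from the sender's domain.
            m = re.search(r"<[^<>@]*@([^<>]+)>", arg)
            sender_domain = m.group(1).lower() if m else ""
            self.service_group = self.tmpl.domain_groups.get(sender_domain, self.tmpl.default_group)
        # Everything else is relayed to the clear-text backend; its reply is
        # modelled as success.
        return "250 OK"
```

With STARTTLS set to required, a client that sends MAIL FROM before STARTTLS is refused, the STARTTLS capability disappears from the EHLO reply once the session is encrypted, and the sender domain selects the service group, so "CorpA" and "CorpB" senders can be steered to different groups as described under Domain Switching.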
Config > Service > SLB > Virtual Server - Port section
The following commands configure a service group for the SMTP servers:
AX(config)#slb service-group SMTP_servers tcp
AX(config-slb service group)#member SMTP1:25
AX(config-slb service group)#member SMTP2:25
AX(config-slb service group)#exit
The following commands configure the VIP to which mail clients will send
SMTP traffic:
AX(config)#slb virtual-server v1 10.1.1.1
AX(config-slb virtual server)#port 25 smtp
AX(config-slb virtual server-slb virtua...)#service-group SMTP_servers
AX(config-slb virtual server-slb virtua...)#template client-ssl mailcert-tmplt
AX(config-slb virtual server-slb virtua...)#template smtp starttls-tmplt
Overview
AX Series devices support content-aware load balancing of the following
widely used streaming-media types:
Real Time Streaming Protocol (RTSP)
Microsoft Media Server (MMS)
In this example, a server farm provides streaming content in both RTSP and
MMS format. All the servers are allowed to serve HTTP and HTTPS
requests. Two of the servers (stream-rs2 and stream-rs3) are configured to
serve RTSP and MMS requests.
Service Groups
This example uses the following service groups:
all80-grp The servers in this service group provide HTTP and HTTPS
service. In this example, all the servers are members of this service
group.
rtsp554-grp The servers in this service group provide RTSP content.
mms1755-grp The servers in this service group provide MMS content.
Templates
By default, the default TCP template is applied to RTSP and MMS traffic.
(For information, see TCP Template Parameters on page 854.)
Health Monitors
This example uses the default Layer 3 health check (ping) and the default
Layer 4 TCP health check.
Overview
In addition to load balancing for well-known and widely used types of services such as HTTP, HTTPS, and FTP, AX devices also support Layer 4
load balancing for custom applications. If a service you need to load balance
is not one of the well-known service types recognized by the AX device,
you still can configure Layer 4 TCP or UDP load balancing for the service.
Figure 102 shows an example of a Layer 4 load balancing implementation.
Layer 4 SLB
Layer 4 load balancing balances traffic based on the transport protocol (TCP
or UDP) and the protocol port number. The payload of the UDP or TCP
packets is not examined.
In this example, a custom application is running on a server farm consisting
of three real servers. Clients navigate to the VIP to use the custom application.
SERVICE GROUPS
This example uses a single service group that contains all the real servers.
The service group uses the default load balancing method (round robin).
VIRTUAL SERVER
The custom application on the real servers is accessed at TCP port 1020 by
clients through virtual IP address 192.168.55.55.
TEMPLATES
The AX device has default TCP and UDP templates. You can use the
default template or configure another TCP or UDP template and use that
one instead. If your Layer 4 load balancing configuration is for a TCP application and you do not bind a TCP template to the virtual port, the default
TCP template is used. For a UDP application, the default UDP template is
used unless you bind another UDP template to the virtual port.
One of the parameters you can configure in TCP and UDP templates is the
idle time. Depending on the requirements of your application, you can
reduce or increase the amount of time the AX device allows a session to
remain idle.
For UDP transaction-based applications, another parameter you can adjust
is how quickly connections are terminated after a server reply is received.
For example, if there are licensing costs associated with active sessions, you
can minimize unnecessary costs by quickly terminating idle sessions, and
immediately terminating connections that are no longer needed.
For more information about the parameters controlled by TCP and UDP
templates, see the following sections:
TCP Template Parameters on page 854
UDP Template Parameters on page 857
HEALTH MONITORS
This example uses the default Layer 3 and Layer 4 health monitors. The
Layer 3 monitor (Ping) and the applicable Layer 4 monitor (TCP or UDP)
are enabled by default when you configure the real server and real service
ports.
Note:
You can create an external health monitor using a script and import the
monitor onto the AX device. For information, see Health Monitoring on
page 373.
CLI EXAMPLE
The following commands configure the real servers:
AX(config)#slb server tcp-2 10.10.10.2
AX(config-real server)#port 1020 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server tcp-3 10.10.10.3
AX(config-real server)#port 1020 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server tcp-4 10.10.10.4
AX(config-real server)#port 1020 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
Overview
IP protocol load balancing enables you to easily load balance traffic based
solely on whether the traffic is TCP, UDP, or other (not UDP or TCP), without the need to specify the protocol port numbers to be load balanced.
You can combine IP protocol load balancing with other load balancing configurations. For example, you can use IP protocol load balancing along with
HTTP load balancing. In this case, HTTP traffic to the VIP HTTP port number is load balanced separately from traffic to other port numbers.
Figure 103 shows an example of an IP protocol load balancing deployment.
This example uses separate service groups for each of the following types of
traffic:
HTTP traffic addressed to TCP port 80 is sent to service group http-grp.
All TCP traffic addressed to any TCP port except port 80 is sent to ser-
udp-grp.
All other traffic (all non TCP/UDP traffic) is sent to service group others-grp.
Although this example shows separate service groups for each type of traffic, you can use the same service group for multiple traffic types.
In IP protocol load-balancing configurations, port 0 (zero) is used as a wildcard port and matches on any port number. In configurations where some
protocol port numbers are explicitly specified, SLB for those ports takes
precedence over SLB for the wildcard port (0). In the example above, the
service group configured for TCP port 80 is always used for client requests
addressed to that port, instead of a service group configured for the wildcard
port.
Health checking does not apply to the wildcard port. When you configure IP
protocol load balancing, make sure to disable health checking of port 0. If
you leave health checking enabled, the port will be marked down and the
clients' requests therefore will not be serviced.
SLB NAT
For client request traffic to which IP protocol load balancing applies, the
AX device translates only the destination IP address, not the protocol port
number. The AX device translates the destination IP address in the request
from the VIP address to a real server's IP address. The AX device then
sends the request to the same protocol port number as the one requested by
the client. (Likewise, the AX device does not translate the port number to
0.)
In configurations where some protocol port numbers are explicitly specified, auto port translation is still supported for the explicitly specified port
numbers. In the example above, SLB NAT can translate TCP port 80 into
another TCP port number if required by the configuration.
Template Support
For TCP or UDP, a TCP or UDP template is applied, as in other types of
SLB. Optionally, you also can use a source-IP persistence template.
For non-TCP/UDP traffic, the TCP template is used.
ALG application, either enable DSR or configure SLB explicitly for the
ALG service port.
Any application that requires inspection of any part of the client request
For load balancing of non-TCP/UDP traffic, you can specify TCP or UDP
as the transport protocol, in the configurations of the real server ports and
service groups. If the port number is 0 and the service type on the virtual
port is others, the AX device will load balance the traffic as non-TCP/
UDP traffic.
To display configuration information and statistics, you can use the same
show commands used for other types of SLB:
show slb virtual
show slb server
show slb service-group
show session
Wildcard VIPs
You can create SLB configurations that use wildcard VIPs and wildcard virtual ports. A wildcard VIP matches on any destination IP address. Likewise,
a wildcard virtual port matches on any port number.
Wildcard VIPs enable you to configure a feature that applies to multiple
VIPs, without the need to re-configure the feature separately for each VIP.
To specify the subset of VIP addresses and ports for which the feature
applies, you can use an ACL. If applicable, the ACL also can specify the
subset of clients allowed to access the VIPs.
You can use wildcard VIPs for all types of load balancing:
SLB
IP load balancing
Transparent Cache Switching (TCS)
Link Load Balancing (LLB)
Firewall Load Balancing (FWLB)
The ACL acts as a catch-all, and treats any IP address permitted by the
ACL, and received on the promiscuous VIP interface, as a wildcard VIP.
A10 Networks recommends that you use the most restrictive ACL possible, to permit only the IP addresses that should be treated as VIPs and
deny all other IP addresses.
Default Wildcard VIP
The AX device can have multiple wildcard VIPs, bound to different ACLs.
However, the AX device can have only one IPv4 or IPv6 wildcard VIP that
is not bound to any ACL. This is the default wildcard VIP. The default wildcard VIP is used for traffic that does not match any of the ACLs bound to
other wildcard VIPs.
If you do not configure a default wildcard VIP, traffic that does not match
any of the ACLs bound to the other wildcard VIPs is forwarded at
Layer 2/3, if applicable.
Pass-Through Layer 2/3 Forwarding Support for Layer 4 Wildcard VIP Traffic
AX Release 2.0.2 and later supports forwarding of wildcard VIP traffic that
is not bound to a service group. The AX device creates a session for the traffic and forwards it at Layer 2/3. This feature is useful in mixed wildcard virtual server environments where Layer 4-7 features apply to certain VIPs and
Layer 2/3 forwarding applies to other traffic.
In AX releases prior to 2.0.2, Layer 4 traffic for a wildcard VIP that is not
bound to a service group is dropped.
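The matching rules stated in the Layer 4 SLB, IP protocol load balancing and wildcard VIP sections above (explicit port before wildcard port 0, explicit VIP before wildcard VIP, ACL-bound wildcard VIP before the default wildcard VIP, Layer 2/3 pass-through for wildcard VIP traffic with no service group, and destination NAT rewriting only the IP address for wildcard-port traffic) can be checked against a small lookup model. The following Python is an added example and is not ACOS code: the data structures, the ranking tuple, the ACL representation as (source prefix, destination prefix) permit entries, and the addresses and service-group contents are constructed for illustration; a port with destination NAT disabled models the no-dest-nat virtual port option.

```python
"""
Virtual-port lookup model for the precedence rules the guide states for
explicit versus wildcard ports and VIPs (added example, not ACOS code).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WILDCARD_VIP = "0.0.0.0"
WILDCARD_PORT = 0


@dataclass
class VirtualPort:
    proto: str              # "tcp", "udp" or "others" (non-TCP/UDP)
    port: int               # 0 = wildcard port, matches any port number
    members: list           # [(real_ip, real_port)]; empty = no service group bound
    dest_nat: bool = True   # False models the no-dest-nat port option
    rr_next: int = 0        # round-robin cursor (the default load balancing method)


@dataclass
class VirtualServer:
    vip: str                # "0.0.0.0" = wildcard VIP
    ports: list
    acl: list = None        # [(src_prefix, dst_prefix)] permit entries; None = default wildcard VIP


def acl_permits(acl, src_ip, dst_ip):
    """A wildcard VIP bound to an ACL treats only permitted (client, destination) pairs as VIP traffic."""
    if acl is None:
        return True
    return any(ip_address(src_ip) in ip_network(s) and ip_address(dst_ip) in ip_network(d)
               for s, d in acl)


def select_vport(vservers, src_ip, dst_ip, proto, dst_port):
    """Return (vserver, vport) for the most specific match, or None if no VIP matches."""
    best = None
    for vs in vservers:
        if vs.vip == WILDCARD_VIP:
            if not acl_permits(vs.acl, src_ip, dst_ip):
                continue
        elif vs.vip != dst_ip:
            continue
        for vp in vs.ports:
            if vp.proto != proto or vp.port not in (dst_port, WILDCARD_PORT):
                continue
            # Precedence: explicit VIP > wildcard VIP; explicit port > port 0;
            # ACL-bound wildcard VIP > the default (ACL-less) wildcard VIP.
            rank = (vs.vip != WILDCARD_VIP, vp.port != WILDCARD_PORT, vs.acl is not None)
            if best is None or rank > best[0]:
                best = (rank, vs, vp)
    return None if best is None else (best[1], best[2])


def forward(vservers, src_ip, dst_ip, proto, dst_port):
    """Decide how one client packet is handled.

    Returns (action, real_ip, new_dst_ip, new_dst_port):
      "slb"          -> load balanced to real_ip (header rewritten as shown)
      "l2l3-forward" -> no VIP matched, or the wildcard VIP port has no
                        service group (pass-through Layer 2/3 forwarding)
    """
    sel = select_vport(vservers, src_ip, dst_ip, proto, dst_port)
    if sel is None:
        return ("l2l3-forward", None, dst_ip, dst_port)
    vs, vp = sel
    if not vp.members:
        return ("l2l3-forward", None, dst_ip, dst_port)
    real_ip, real_port = vp.members[vp.rr_next % len(vp.members)]
    vp.rr_next += 1
    if vp.dest_nat:
        new_ip = real_ip
        # Wildcard-port traffic keeps the port the client requested; only
        # the destination IP address is translated.
        new_port = dst_port if vp.port == WILDCARD_PORT else real_port
    else:
        new_ip, new_port = dst_ip, dst_port   # no-dest-nat: nothing rewritten
    return ("slb", real_ip, new_ip, new_port)


def build_example():
    """Constructed topology: the IP protocol LB layout on one VIP, an ACL-bound
    wildcard VIP with destination NAT disabled, and a default wildcard VIP
    whose TCP wildcard port is not bound to any service group."""
    vip = VirtualServer("192.168.55.55", [
        VirtualPort("tcp", 80, [("10.10.10.2", 80), ("10.10.10.3", 80)]),  # http-grp
        VirtualPort("tcp", 0, [("10.10.10.4", 0)]),                         # tcp-grp
        VirtualPort("udp", 0, [("10.10.10.4", 0)]),                         # udp-grp
        VirtualPort("others", 0, [("10.10.10.5", 0)]),                      # others-grp
    ])
    acl_wildcard = VirtualServer(WILDCARD_VIP,
                                 [VirtualPort("tcp", 80, [("110.110.110.10", 80)], dest_nat=False)],
                                 acl=[("10.0.0.0/8", "0.0.0.0/0")])
    default_wildcard = VirtualServer(WILDCARD_VIP, [VirtualPort("tcp", 0, [])])
    return [vip, acl_wildcard, default_wildcard]
```

Running the model over the constructed topology shows TCP port 80 on the VIP always using http-grp while TCP 1020 falls through to the wildcard-port group with the port preserved, a client outside the ACL's source range hitting the default wildcard VIP and being forwarded at Layer 2/3 because its port is unbound, and the ACL-bound wildcard VIP leaving the destination untouched when destination NAT is disabled.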
Configuration Examples
See the following:
Outbound Link Load Balancing on page 289
Transparent Cache Switching on page 295
In this example, a server farm consisting of IPv6 and IPv4 servers is configured with an IPv6 VIP address. IPv6 clients send requests to the IPv6 VIP.
The AX device then selects an IPv6 or IPv4 server and forwards the client's
request to the selected server. If the server is an IPv4 server, the AX device
translates the IP protocol of the client's request from IPv6 to IPv4 before
forwarding it to the IPv4 server. Likewise, when the AX device receives the
server's reply, the AX device translates the reply from IPv4 to IPv6, then
forwards the reply to the client.
Source NAT Requirement
In addition to the standard SLB configuration items (servers, service
groups, the VIP, and so on), SLB-PT requires IP source NAT.
Note:
For simplicity, this example uses only a single pool. If multiple pools are
used, ACLs are also required. The ACLs must match on the client IP
address(es) as the source address. If the real servers and VIP are in different subnets, the ACLs also must match on the real server IP address(es) as
the destination address. (For more information, see Examples Using
Multiple Source NAT Pools on page 282. Also see the Network
Address Translation chapter in the AX Series Configuration Guide.)
The following commands import an SSL certificate and key, and configure
a client-SSL template to use them. The AX device will use the certificate
and key to terminate SSL sessions between clients and the VIP.
AX(config)#slb ssl-load certificate sslcert.pem scp:
Address or name of remote host []?10.10.10.2
User name []?axadmin
Password []?*********
File name [/]?sslcert.pem
AX(config)#slb ssl-load certificate certkey.pem scp:
Address or name of remote host []?10.10.10.2
User name []?axadmin
Password []?*********
File name [/]?certkey.pem
AX(config)#slb template client-ssl cssl
AX(config-client SSL template)#cert sslcert.pem
AX(config-client SSL template)#key certkey.pem
AX(config-client SSL template)#exit
Each of the access-list commands binds one of the IPv6 ACLs to the virtual
port. The source-nat-pool option used with each command binds an IPv4
pool to the ACL. When the AX device receives a request for the VIP, the
AX device matches the client address against the source addresses in the
ACLs. The AX device then uses the IPv4 NAT pool bound to the first
matching ACL.
The AX device translates the client's request from an IPv6 packet into an
IPv4 packet. The AX device replaces the client's IPv6 address with an IPv4
address from the selected pool. The IPv6 VIP address is replaced with the
server's IPv4 address.
If the client's address does not match the source address in any of the ACLs,
the request is dropped.
This is different from the behavior if a single NAT pool is used. If only
one NAT pool is bound to the virtual port, the pool is used if the client's
IP type (IPv4 or IPv6) is not the same as the IP type of the selected server.
Otherwise, if the IP type of the client and the selected server is the same,
SLB-PT is not required for the request. The request is sent to the server
with the client's original IP address.
Note:
In the case of IPv4, IPv4 pools are still required if the VIP and the real
servers are in different IPv4 subnets. For more information, see the
Source NAT for Servers in Other Subnets section in the Network
Address Translation chapter of the AX Series Configuration Guide.
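The pool selection rules described above (first matching ACL wins, no match is dropped, a single ACL-less pool is used only across IP versions) are small enough to encode and test directly. The following Python is an added example, not ACOS code: the ACL prefixes, pool addresses and helper names are constructed for illustration, the ACL and pool names are reused from the CLI example in this section, and the different-IPv4-subnet case from the note above is deliberately not modelled.

```python
"""
Source-NAT pool selection for SLB-PT (added example, not A10 code).
"""
from ipaddress import ip_address, ip_network


def select_source_nat(client_ip, server_ip, bindings):
    """bindings: [(acl_source_prefixes or None, pool_name)] in the order the
    access-list commands were bound to the virtual port.
    Returns a pool name, "client-ip" (no translation needed) or "drop"."""
    client, server = ip_address(client_ip), ip_address(server_ip)
    if len(bindings) == 1 and bindings[0][0] is None:
        # Single pool without an ACL: translate only when the IP versions differ.
        # (An IPv4 pool may still be needed when VIP and servers are in different
        # IPv4 subnets; that case is not modelled here.)
        return bindings[0][1] if client.version != server.version else "client-ip"
    for prefixes, pool in bindings:
        if any(client in ip_network(p) for p in prefixes):
            return pool          # the first ACL matching the client's source address wins
    return "drop"                # client matches no ACL: request dropped


def server_side_addresses(client_ip, server_ip, bindings, pools):
    """Return the (src, dst) pair the real server sees, or None if the request is dropped.
    pools: pool_name -> list of pool addresses.  The first address is used here; the
    device also allocates a distinct source port per session, which is not modelled."""
    choice = select_source_nat(client_ip, server_ip, bindings)
    if choice == "drop":
        return None
    if choice == "client-ip":
        return (client_ip, server_ip)
    src = pools[choice][0]
    if ip_address(src).version != ip_address(server_ip).version:
        # Misconfiguration guard: a pool of the wrong IP version cannot reach the server.
        raise ValueError(f"pool {choice} is IPv{ip_address(src).version}, "
                         f"server is IPv{ip_address(server_ip).version}")
    return (src, server_ip)


# Constructed bindings in the order of the access-list commands below:
# v6acl-1 -> IPv4 pool, v6acl-2 -> IPv6 pool.
EXAMPLE_BINDINGS = [(["2001:db8:1::/64"], "v4natpool-2"),
                    (["2001:db8:2::/64"], "v6natpool-1")]
EXAMPLE_POOLS = {"v4natpool-2": ["10.10.10.200"],
                 "v6natpool-1": ["2001:db8:50::200"]}
```

The ValueError guard is the check a practitioner wants when several pools are bound: a pool whose IP version does not match the selected server's cannot carry the translated request, and the lookup should fail loudly rather than silently pick an unusable address.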
The following commands bind the IPv6 NAT pools to the virtual port:
AX(config-slb virtual server-slb virtua...)#access-list name v6acl-1 source-nat-pool v4natpool-2
AX(config-slb virtual server-slb virtua...)#access-list name v6acl-2 source-nat-pool v6natpool-1
Stateless SLB
Stateless SLB conserves system resources by operating without session
table entries on the AX device. Session table entries contain information
about sessions, including the client, VIP, and real server IP addresses and
protocol ports. Session table entries also may contain additional state information for specific features.
If the AX device is running short on sessions, you can use stateless SLB
where applicable to make more sessions available for traffic that requires
session table entries.
Stateless SLB is valid for the following types of traffic:
Traffic with very short-lived sessions, such as DNS
Layer 2 Direct Server Return (DSR) traffic
Other types of traffic that do not require features that use session-table
value calculated using the source IP address and source TCP or UDP
port.
Stateless Destination IP+Port Hash Balances server load based on a
based on a hash value calculated using both the source and destination
IP addresses and TCP or UDP ports.
Stateless Source IP Only Hash Balances server load based on a hash
A given real server can be used in only one stateless SLB service group. A
real server that is in a stateless SLB service group can not be used in any
other service groups.
Graceful transitions between stateful and stateless SLB in a service group
are not supported.
Mega-proxies may interfere with equal balancing of traffic load among the
multiple data CPUs. In this case, for DNS traffic only, try using the stateless-per-pkt-round-robin method.
Configuration of the real servers and virtual server is the same as for stateful
SLB.
CLI Example
The following commands configure a stateless SLB service group for UDP
traffic:
AX(config)#slb service-group dns-stateless udp
AX(config-slb svc group)#member dns1:53
AX(config-slb svc group)#member dns2:53
AX(config-slb svc group)#method stateless-src-dst-ip-hash
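How stateless SLB avoids a session table, and why the mega-proxy caveat above matters, is easiest to see by computing the server choice from header fields. The following Python is an added example and not ACOS code: the method keywords stateless-src-dst-ip-hash and stateless-per-pkt-round-robin are the ones this section uses, "src-ip-only-hash" and "dst-ip-port-hash" are this example's own labels for the other methods the text describes, CRC32 stands in for whatever hash the device implements, and the server names and flows are constructed.

```python
"""
Stateless server selection (added example, not A10 code): the server is a
pure function of packet header fields, so no per-session state is kept and
every packet of a flow still reaches the same server.
"""
import zlib
from collections import Counter
from ipaddress import ip_address


def _hash(*parts) -> int:
    """Stable hash over packed IP addresses (str) and ports (int).
    Python's built-in hash() is salted per process, so it is not used."""
    data = b"".join(ip_address(p).packed if isinstance(p, str) else int(p).to_bytes(2, "big")
                    for p in parts)
    return zlib.crc32(data)


class StatelessGroup:
    def __init__(self, members, method):
        self.members = list(members)
        self.method = method
        self._rr = 0   # only state needed, and only for per-packet round robin

    def select(self, src_ip, src_port, dst_ip, dst_port):
        n = len(self.members)
        if self.method == "stateless-per-pkt-round-robin":
            idx = self._rr % n              # each packet, not each flow, moves on
            self._rr += 1
        elif self.method == "src-ip-only-hash":
            idx = _hash(src_ip) % n
        elif self.method == "dst-ip-port-hash":
            idx = _hash(dst_ip, dst_port) % n
        elif self.method == "stateless-src-dst-ip-hash":
            idx = _hash(src_ip, src_port, dst_ip, dst_port) % n
        else:
            raise ValueError(f"unknown stateless method {self.method!r}")
        return self.members[idx]


def distinct_servers(group, flows):
    """Number of different servers that a set of (src_ip, src_port, dst_ip, dst_port) flows land on."""
    return len({group.select(*f) for f in flows})


def shared_members(groups):
    """Real servers present in more than one stateless group, which the guide disallows."""
    counts = Counter(m for g in groups for m in set(g.members))
    return sorted(m for m, c in counts.items() if c > 1)
```

A hundred DNS queries from one mega-proxy address land on a single server under a source-IP-only hash, whereas a hash that also covers the ports spreads them; that is the imbalance the note above describes, and per-packet round robin is the DNS-only workaround it suggests. shared_members is the configuration check for the rule that a real server may belong to only one stateless service group.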
nections on it. The connection count is based on client connections initiated on the link by the AX device.
The default is round-robin.
Network Address Translation Requirements
In an outbound LLB topology, the next-hop routers for the WAN links must
be able to send the server reply traffic back to the AX device. To ensure that
the server reply traffic passes back through the AX device, use an IP source
NAT pool for each WAN link.
The pools do not need to contain more than a few addresses. The AX device
internally uses a separate protocol port number for each client session on a
pool address.
SLB destination NAT, which is enabled by default, must be disabled. In a
standard SLB configuration, destination NAT is used to translate the server
address (destination IP address) requested by clients from the VIP address
into the server's real address. However, this NAT operation is not applicable
to outbound LLB.
5. Configure a service group for the links (real servers). If the real server
configurations for the links have both TCP and UDP ports, configure a
service group for TCP and another service group for UDP.
6. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard
VIP address). Using the wildcard VIP address enables the configuration
to work for any destination IP address requested by clients.
Add the wildcard TCP port (TCP 0) and bind it to the TCP service
group. Likewise, add the wildcard UDP port and bind it to the UDP
service group.
Bind the ports to service group(s). On each port, bind the port to the IP
Source NAT pool group and disable destination NAT.
The following commands enable promiscuous VIP support on the AX interfaces connected to clients.
Note:
For simplicity, this example uses a single Ethernet port for each interface
to the clients and the next-hop routers. You also can use trunk interfaces,
virtual Ethernet (VE) interfaces, or both.
AX(config)#interface ethernet 3
AX(config-if: ethernet3)#ip address 10.10.10.1 255.255.255.0
AX(config-if: ethernet3)#ip allow-promiscuous-vip
AX(config-if: ethernet3)#exit
AX(config)#interface ethernet 4
AX(config-if: ethernet4)#ip address 10.20.20.1 255.255.255.0
AX(config-if: ethernet4)#ip allow-promiscuous-vip
AX(config-if: ethernet4)#exit
The following commands configure the AX interfaces to the next-hop routers for the load-balanced links:
AX(config)#interface ethernet 1
AX(config-if: ethernet1)#ip address 192.168.10.2 255.255.255.0
AX(config-if: ethernet1)#exit
AX(config)#interface ethernet 2
AX(config-if: ethernet2)#ip address 192.168.20.2 255.255.255.0
AX(config-if: ethernet2)#exit
based on URL strings, you can use an HTTP template containing URL
switching rules. When a client request matches the URL string in a URL
itself, you can use a RAM caching template. In this case, the AX device
directly serves content that is cached on the AX device, and only sends
requests to the cache server for content that is not cached on the AX
device.
Connection reuse template You can use a connection reuse template to
reuse TCP connections. When a client's session ends, the TCP connection is not terminated. Instead, the connection is reused for a new client
session.
Support for Spoofing Caches
Some cache servers can use the client's IP address instead of the cache
server's IP address as the source address when obtaining content requested
by the client. A cache server operating in this mode is a spoofing cache
server. Configuration for a spoofing cache server includes a couple of additional steps. (See Enabling Support for Cache Spoofing on page 308.)
Layer 4 TCS
The following commands configure a real server for the cache server. TCP
port 80 is added to the real server.
AX(config)#slb server cache-rs 110.110.110.10
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 tcp
AX(config-slb vserver-vport)#service-group sg-tcs
AX(config-slb vserver-vport)#no-dest-nat
rects all HTTP traffic to the cache server. The configuration steps are
very similar to those for Layer 4 TCS. The only difference is use of
HTTP instead of TCP or UDP as the service type of the virtual port.
Service type HTTP with URL switching rules This method uses an
5. Configure a service group for the cache server and add the cache server
to it.
6. Configure a separate service group for the router, and add the router to
it.
7. Configure an HTTP template with URL switching rules. Add a separate
URL switching rule for each URI string based on which to select a service group.
8. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard
VIP address) and bind it to the ACL.
Add virtual port 80 with service type HTTP and bind it to the service
group containing the cache server. Bind the virtual port to the HTTP
template. Disable destination NAT.
Add virtual port 0 with service type HTTP and bind it to the service
group containing the router. Disable destination NAT.
CLI Example
The commands in this section implement the TCS configuration shown in
Figure 111 on page 303. The commands for configuring the interfaces and
The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#service-group sg-router
AX(config-slb vserver-vport)#template http http1
AX(config-slb vserver-vport)#no-dest-nat
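The URL-switching step of this procedure selects a service group per request rather than per connection: the request path is tested against the rules in the HTTP template and the first match decides whether the cache server or the router receives the request, with the service group bound to the virtual port as the fallback. The following Python is an added example and not ACOS code: the rule kinds (starts-with, contains, ends-with, equals), the sample rules, and the choice to match on the percent-decoded path without the query string are this example's own assumptions; the service group names are taken from this section's CLI.

```python
"""
URL-switching rule evaluation for an HTTP-service-type TCS virtual port
(added example, not A10 code).
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class UrlRule:
    kind: str             # "starts-with", "contains", "ends-with" or "equals"
    pattern: str
    service_group: str


def request_path(request_line: str) -> str:
    """Path from an HTTP request line, percent-decoded and without the query string."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {request_line!r}")
    target = parts[1]
    if "://" in target:                       # absolute-form target, as proxies send it
        target = urlsplit(target).path or "/"
    path = target.split("?", 1)[0]
    # Decode %XX escapes before matching so an encoded slash or dot cannot
    # slip past a rule that is meant to catch it (example's design choice).
    return unquote(path)


def rule_matches(rule: UrlRule, path: str) -> bool:
    if rule.kind == "starts-with":
        return path.startswith(rule.pattern)
    if rule.kind == "ends-with":
        return path.endswith(rule.pattern)
    if rule.kind == "contains":
        return rule.pattern in path
    if rule.kind == "equals":
        return path == rule.pattern
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def select_service_group(rules, request_line, default_group):
    """First matching rule wins; otherwise the service group bound to the virtual port."""
    path = request_path(request_line)
    for rule in rules:
        if rule_matches(rule, path):
            return rule.service_group
    return default_group


# Constructed rules: static objects go to the cache; one path is forced to the router.
EXAMPLE_RULES = (
    UrlRule("contains", "/nocache/", "sg-router"),
    UrlRule("starts-with", "/static/", "sg-cache-80"),
    UrlRule("ends-with", ".jpg", "sg-cache-80"),
)
```

Rule order is part of the policy: the "/nocache/" rule is listed first so that it wins over the broader "/static/" prefix rule, and a request that matches nothing goes to the router group bound to the virtual port, which is the behaviour the CLI above configures with service-group sg-router.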
priority on AX-1.
Pre-emption Pre-emption is enabled, to force initial failover to the AX
interfaces. Interface 1 and 3 are the lead interfaces in trunks, so all the
interfaces in these trunks are HA interfaces.
Session synchronization (connection mirroring) Each AX device is
enabled, when in Active role, to synchronize its sessions onto the other
AX device.
Floating IP address Both AX devices share floating IP address
inline-mode restart ports. This includes the AX interfaces with the client, cache servers, and content server. Interface 6 is the dedicated HA
link between the AX devices and is not included in the restart list.
SLB Parameters
Real server parameters:
Port type A Layer 4 port type, such as TCP, should be used. HA ses-
associated with the VIP must be an extended ACL that uses the permit
action and that matches on client addresses as the source address, and on
the content server address as the destination address:
Service type The service type of the TCS virtual port must be a
Templates
For simplicity, the sample configuration in this section does not use any custom templates. For information about the templates that can be used with
TCS, see Application Templates on page 296.
The following CLI examples show how to implement the configuration
shown in Figure 113 on page 309.
AX-1 Configuration
The following commands configure the links:
AX-1(config)#trunk 1
AX-1(config-trunk:1)#ethernet 1 to 2 ethernet 9
AX-1(config-trunk:1)#trunk 3
AX-1(config-trunk:3)#ethernet 3 to 4
AX-1(config-trunk:3)#vlan 11
AX-1(config-vlan:11)#untagged ethernet 3 to 6
AX-1(config-vlan:11)#tagged ethernet 1 to 2 ethernet 9
AX-1(config-vlan:11)#router-interface ve 1
AX-1(config-vlan:11)#interface ethernet 1
AX-1(config-if:ethernet1)#cpu-process
AX-1(config-if:ethernet1)#interface ethernet 3
AX-1(config-if:ethernet3)#ip allow-promiscuous-vip
AX-1(config-if:ethernet3)#cpu-process
AX-1(config-if:ethernet3)#interface ethernet 5
AX-1(config-if:ethernet5)#ip cache-spoofing-port
AX-1(config-if:ethernet5)#cpu-process
AX-1(config-if:ethernet5)#interface ethernet 6
AX-1(config-if:ethernet6)#cpu-process
AX-1(config-if:ethernet6)#interface ve 1
AX-1(config-if:ve1)#ip address 10.10.10.1 255.255.255.0
AX-1(config-if:ve1)#ip allow-promiscuous-vip
AX-1(config-if:ve1)#exit
The following commands configure static routes. One of the routes goes to
the subnet on the other side of the router that connects the AX device to the
content servers. The other static route goes to the subnet on the other side of
The following command configures an extended ACL that uses the permit
action and that matches on client addresses as the source address, and on the
content server address as the destination address:
AX-1(config)#access-list 198 permit ip any host 20.20.20.11 log
The following commands configure real servers for the cache servers:
AX-1(config)#slb server cache1 10.10.10.10
AX-1(config-real server)#spoofing-cache
AX-1(config-real server)#port 80 tcp
AX-1(config-real server-node port)#exit
AX-1(config-real server)#exit
AX-1(config)#slb server cache2 10.10.10.11
AX-1(config-real server)#spoofing-cache
AX-1(config-real server)#port 80 tcp
AX-1(config-real server-node port)#exit
AX-1(config-real server)#exit
The following commands configure a service group for the real servers:
AX-1(config)#slb service-group sg-cache-80 tcp
AX-1(config-slb svc group)#member cache1:80
AX-1(config-slb svc group)#member cache2:80
AX-1(config-slb svc group)#exit
AX-2 Configuration
Most of the commands on AX-2 are the same as the ones on AX-1, with the
following exceptions:
The ip address command on the VE adds a unique IP address (not the
AX-1 Configuration
The following commands configure the links.
AX-1(config)#trunk 1
AX-1(config-trunk:1)#ethernet 5 to 6
AX-1(config-trunk:1)#vlan 21
AX-1(config-vlan:21)#untagged ethernet 1 to 3
AX-1(config-vlan:21)#router-interface ve 1
AX-1(config-vlan:21)#vlan 22
AX-1(config-vlan:22)#untagged ethernet 2
AX-1(config-vlan:22)#router-interface ve 22
AX-1(config-vlan:22)#vlan 56
AX-1(config-vlan:56)#untagged ethernet 5 to 6
AX-1(config-vlan:56)#router-interface ve 56
AX-1(config-vlan:56)#interface ethernet 1
AX-1(config-if:ethernet1)#cpu-process
AX-1(config-if:ethernet1)#interface ethernet 2
AX-1(config-if:ethernet2)#cpu-process
AX-1(config-if:ethernet2)#ip cache-spoofing-port
AX-1(config-if:ethernet2)#interface ethernet 3
AX-1(config-if:ethernet3)#cpu-process
AX-1(config-if:ethernet3)#interface ethernet 5
AX-1(config-if:ethernet5)#cpu-process
AX-1(config-if:ethernet5)#interface ve 1
AX-1(config-if:ve1)#ipv6 address 2309:e90::2/64
AX-1(config-if:ve1)#ip allow-promiscuous-vip
AX-1(config-if:ve1)#interface ve 22
AX-1(config-if:ve22)#ipv6 address 2409:c90::1/64
AX-1(config-if:ve22)#interface ve 56
AX-1(config-if:ve56)#ipv6 address 2509:c90::1/64
AX-1(config-if:ve56)#ip address 3.3.3.2 255.255.255.0
AX-1(config-if:ve56)#exit
The following commands configure an IPv6 ACL that uses the permit
action and that matches on client addresses as the source address, and on the
content server address as the destination address:
AX-1(config)#ipv6 access-list ipv6-101
AX-1(config-access-list:ipv6-101)#permit ipv6 any host 2309:f90::10 log
AX-1(config-access-list:ipv6-101)#exit
The following commands configure ICMP health checking for the upstream
and downstream routers. The health checks help ensure rapid HA failover.
(See Tip for Ensuring Fast HA Failover on page 604.) The custom ICMP
health monitor configured above is also used.
The following commands configure real servers for the cache servers:
AX-1(config)#slb server cache1-ipv6 2409:c90::5
AX-1(config-real server)#spoofing-cache
AX-1(config-real server)#health-check icmp
AX-1(config-real server)#port 80 tcp
AX-1(config-real server-node port)#exit
AX-1(config-real server)#exit
AX-1(config)#slb server cache2-ipv6 2409:c90::6
AX-1(config-real server)#spoofing-cache
AX-1(config-real server)#health-check icmp
AX-1(config-real server)#port 80 tcp
AX-1(config-real server-node port)#exit
AX-1(config-real server)#exit
The following commands configure a service group for the real servers
(cache servers):
AX-1(config)#slb service-group cache-ipv6 tcp
AX-1(config-slb svc group)#member cache1-ipv6:80
AX-1(config-slb svc group)#member cache2-ipv6:80
AX-1(config-slb svc group)#exit
AX-2 Configuration
Here are the configuration commands for AX-2. Most of the commands are
exactly the same as on AX-1. Only the following values differ:
IP addresses of the VEs
HA priority
IP address for session synchronization (ha conn-mirror)
AX-2(config)#trunk 1
AX-2(config-trunk:1)#ethernet 5 to 6
AX-2(config-trunk:1)#vlan 21
AX-2(config-vlan:21)#untagged ethernet 1 to 3
AX-2(config-vlan:21)#router-interface ve 1
AX-2(config-vlan:21)#vlan 22
AX-2(config-vlan:22)#untagged ethernet 2
AX-2(config-vlan:22)#router-interface ve 22
AX-2(config-vlan:22)#vlan 56
AX-2(config-vlan:56)#untagged ethernet 5 to 6
AX-2(config-vlan:56)#router-interface ve 56
AX-2(config-vlan:56)#interface ethernet 1
AX-2(config-if:ethernet1)#cpu-process
AX-2(config-if:ethernet1)#interface ethernet 2
AX-2(config-if:ethernet2)#cpu-process
AX-2(config-if:ethernet2)#ip cache-spoofing-port
AX-2(config-if:ethernet2)#interface ethernet 3
AX-2(config-if:ethernet3)#cpu-process
AX-2(config-if:ethernet3)#interface ethernet 5
AX-2(config-if:ethernet5)#cpu-process
AX-2(config-if:ethernet5)#interface ve 1
AX-2(config-if:ve1)#ipv6 address 2309:e90::4/64
AX-2(config-if:ve1)#ip allow-promiscuous-vip
AX-2(config-if:ve1)#interface ve 22
AX-2(config-if:ve22)#ipv6 address 2409:c90::2/64
AX-2(config-if:ve22)#interface ve 56
AX-2(config-if:ve56)#ipv6 address 2509:c90::2/64
AX-2(config-if:ve56)#ip address 3.3.3.3 255.255.255.0
AX-2(config-if:ve56)#exit
AX-2(config)#ipv6 route 2309:d90::/32 2309:e90::1
AX-2(config)#ipv6 route 2309:f90::/32 2309:e90::3
When a client sends a request to the FTP server, the AX device intercepts
the request and forwards it to the FTP cache server. The cache server then
forwards the requested content to the AX device, if the content is cached.
The AX device forwards the content to the client.
Configuration
To configure TCS for FTP:
1. Configure the interfaces connected to the clients, the content servers,
and the cache server.
Enable promiscuous VIP on the AX interface(s) connected to the
clients.
Enable cache spoofing on the interface(s) connected to the cache
server.
Unless you are using AX model 1000, 2000, 2100, or 3000, you also
must enable CPU processing on each interface. On these AX models,
CPU processing is automatically used.
2. Configure an extended ACL that uses the permit action and that matches
on client addresses as the source address, and on the content server
address as the destination address.
3. Configure a real server for the cache server. Add an FTP port to the
server.
If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support.
If the cache server has multiple interfaces, configure a separate real
server for each one.
4. Configure a real server for the next-hop router through which the AX
device will reach the content servers. Add the same FTP port number as
the one on the cache server (for example, port 21). Disable health checking on the port.
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#ip address 10.10.10.254 255.255.255.0
AX(config-if:ethernet1)#cpu-process
AX(config-if:ethernet1)#exit
AX(config)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#ip address 192.168.19.254 255.255.255.0
AX(config-if:ethernet2)#ip allow-promiscuous-vip
AX(config-if:ethernet2)#cpu-process
AX(config-if:ethernet2)#exit
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#enable
AX(config-if:ethernet5)#ip address 12.12.12.254 255.255.255.0
AX(config-if:ethernet5)#ip cache-spoofing-port
AX(config-if:ethernet5)#cpu-process
AX(config-if:ethernet5)#exit
AX(config)#interface ethernet 6
AX(config-if:ethernet6)#enable
AX(config-if:ethernet6)#ip address 11.11.11.254 255.255.255.0
The following commands configure real servers for FTP on each of the
cache servers. Cache spoofing is enabled and TCP port 21 is added to each
real server.
AX(config)#slb server ftps1 11.11.11.10
AX(config-real server)#spoofing-cache
AX(config-real server)#port 21 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config)#slb server ftps2 11.11.11.11
AX(config-real server)#spoofing-cache
AX(config-real server)#port 21 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
The following commands configure an FTP service group for the cache
server:
AX(config)#slb service-group sg-ftps tcp
AX(config-slb svc group)#member ftps1:21
AX(config-slb svc group)#member ftps2:21
AX(config-slb svc group)#exit
The following commands configure a wildcard VIP and bind it to the ACL.
The FTP virtual port is bound to the FTP and router service groups. Also,
destination NAT is disabled.
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 21 ftp
AX(config-slb vserver-vport)#service-group sg-ftps
AX(config-slb vserver-vport)#no-dest-nat
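The ACL binding above is what decides which client packets the wildcard VIP intercepts: only traffic that the ACL permits, arriving on the FTP virtual port, is sent to the cache service group, and everything else is routed normally. The following Python model is added here as an illustration; it is not part of the A10 guide or of the ACOS software. It parses the two ACL forms used in this chapter (permit ip any host ... and permit ipv6 any host ..., with the optional log keyword). The deny action, the "first match wins" lookup and the treatment of a non-matching packet as "forward normally" are assumptions of the model, not statements from the guide. The content-server and cache addresses come from the configuration above; the client addresses in the usage lines are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: Network     # client side of the flow
    dst: Network     # content-server side of the flow
    log: bool        # trailing "log" keyword: matching packets are logged


def _parse_endpoint(tokens: List[str], i: int, family: int) -> Tuple[Network, int]:
    """Parse 'any' or 'host <addr>' at tokens[i]; return the network and the next index."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0"), i + 1
    if tokens[i] == "host":
        if i + 1 >= len(tokens):
            raise ValueError("'host' must be followed by an address")
        net = ipaddress.ip_network(tokens[i + 1])   # a single address becomes /32 or /128
        if net.version != family:
            raise ValueError(f"{tokens[i + 1]} is not an IPv{family} address")
        return net, i + 2
    raise ValueError(f"unsupported address form: {tokens[i]!r}")


def parse_acl_line(line: str) -> AclEntry:
    """Parse one entry of the form '<permit|deny> <ip|ipv6> <src> <dst> [log]' (assumed grammar)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"malformed ACL entry: {line!r}")
    family = {"ip": 4, "ipv6": 6}.get(tokens[1])
    if family is None:
        raise ValueError(f"unsupported protocol keyword: {tokens[1]!r}")
    src, i = _parse_endpoint(tokens, 2, family)
    dst, i = _parse_endpoint(tokens, i, family)
    log = i < len(tokens) and tokens[i] == "log"
    return AclEntry(tokens[0], src, dst, log)


def acl_lookup(acl: List[AclEntry], src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """First entry whose source and destination both match the packet, else None (implicit deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in acl:
        if entry.src.version == src.version and src in entry.src and dst in entry.dst:
            return entry
    return None


def tcs_decision(acl: List[AclEntry], service_group: str, vport: int,
                 src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, bool]:
    """Decide what the wildcard VIP does with one client packet.

    Returns (target, logged): target is the cache service group when the packet
    is intercepted, or "forward" when it is left to normal routing. A packet is
    intercepted only if it arrives on the virtual port and the bound ACL permits it.
    """
    if dst_port != vport:
        return "forward", False
    entry = acl_lookup(acl, src_ip, dst_ip)
    if entry is None or entry.action != "permit":
        return "forward", False
    return service_group, entry.log


if __name__ == "__main__":
    # ACL 198 from this section, applied to the FTP virtual port (client address constructed).
    acl198 = [parse_acl_line("permit ip any host 20.20.20.11 log")]
    print(tcs_decision(acl198, "sg-ftps", 21, "192.168.19.5", "20.20.20.11", 21))
    print(tcs_decision(acl198, "sg-ftps", 21, "192.168.19.5", "20.20.20.12", 21))
```

The same model covers the IPv6 ACL ipv6-101 from the earlier section; a packet whose address family does not match an entry simply never matches it, which is why a single lookup routine can serve both the IPv4 and the IPv6 transparent cache configurations.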
Overview
AX Series devices support Firewall Load Balancing (FWLB). FWLB load
balances server-client sessions across firewalls. Figure 116 shows an example FWLB topology.
FIGURE 116
AX device sends all traffic from a given source address through the
same firewall.
If you apply a source-IP persistence template to an individual service
port on the virtual firewall, the AX device sends all traffic from a given
client for that service port through the same firewall.
FWLB Parameters
Table 6 lists the FWLB parameters.
TABLE 6 FWLB Parameters
Parameter
Supported Values
Firewall
(Required)
Health check
(Optional)
Statistics collection
health-check monitor-name
Config > Service > Firewall > Firewall Node
Enables or disables collection of statistical data for the firewall node.
(Optional)
stats-data-enable
Enabled or disabled
Default: enabled
stats-data-disable
Note: Statistical data collection for load-balancing resources requires
collection for system resources to also be enabled (stats-data-enable).
Note: This feature is not configurable using the GUI.
Member
Default: None
(Required)
(Required)
[stats-data-disable | stats-data-enable]
Parameter
Load balancing method
(Optional)
Supported Values
Default: round robin
[no] least-connection
Config > Service > Firewall > Firewall Group
Enabled or disabled
Default: Enabled
Service ports
[no] disable
Config > Service > Firewall > Firewall Virtual server
Specifies the service ports to load balance.
(Optional)
(Optional)
Firewall group
(Required)
(Optional)
Session synchronization
(Optional)
1-31
Default: not set
Enabled or disabled
Default: Disabled
[no] ha-conn-mirror
Config > Service > Firewall > Firewall Virtual server
Parameter
Source-IP persistence template
Supported Values
Name of a configured source-IP persistence template
(Optional)
You also can specify a source-IP persistence template on individual
service ports. If you specify a template at each level, the template
specified for the individual service port takes precedence.
60-15000 seconds
Default: 300 seconds
60-15000 seconds
Default: 300 seconds
Statistics collection
(Optional)
stats-data-enable
Enabled or disabled
Default: enabled
stats-data-disable
Note: Statistical data collection for load-balancing resources requires
collection for system resources to also be enabled (stats-data-enable).
Note: This feature is not configurable using the GUI.
Parameter
Supported Values
(Optional)
If you specify a firewall group at this level, the firewall group specified
here takes precedence over the firewall group specified at the firewall
level.
TCP/UDP idle timeout
(Optional)
60-15000 seconds
Default: 300 seconds
firewall or the UDP virtual firewall port, that idle-timeout is used.
Otherwise, if the UDP idle-timeout is not set in FWLB, the idle-timeout in
the default SLB UDP template is used. Unless the default template has
been changed, the idle-timeout is 120 seconds.
For service-type HTTP (Layer 7), the idle-timeout in the default SLB
TCP template is used. Unless the default template has been changed, the
idle-timeout is 120 seconds.
In the current release, the TCP idle-timeout settings in FWLB are never
used. The AX device allows you to configure them but they are not used.
Configuring FWLB
To configure FWLB:
1. Configure High Availability (HA) parameters: HA ID, HA group, session synchronization, and floating IP address.
2. Configure a health check for each firewall.
3. Configure the firewalls.
4. Configure a firewall group and add the firewalls to the group.
5. Configure a virtual firewall.
To apply FWLB only to traffic for specific services, create a virtual port for
each service, and bind the firewall group to each virtual port. If FWLB will
apply to all traffic types, do not configure any virtual ports on the virtual
firewall.
If the AX device is configured for HA, specify the HA group ID to use for
the virtual port.
Note: The essential steps are described in this section. For the complete
list of FWLB settings you can configure, see Table 6 on page 332.
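The configuration steps above build three objects: firewalls with a health check, a firewall group with a load-balancing method, and a virtual firewall that carries a source-IP persistence template (optionally overridden per service port, as Table 6 describes). The Python model below is added here to show how those pieces interact at dispatch time; it is not A10 code and the names, addresses and timings in it are constructed. It implements round robin (the default) and least-connection selection across healthy firewalls, a persistence table whose idle timer is refreshed on each packet, the rule that a port-level template takes precedence over the virtual-firewall template, and the behaviour a practitioner cares about most: a persisted client is re-dispatched when its pinned firewall fails its health check. The persistence key used for a port-level template (client address plus service port) is an assumption drawn from the sentence "all traffic from a given client for that service port".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Firewall:
    name: str
    healthy: bool = True          # current result of the firewall's health check
    active_conns: int = 0         # consulted by the least-connection method


@dataclass
class FirewallGroup:
    name: str
    members: List[Firewall]
    least_connection: bool = False   # default load-balancing method is round robin
    rr_index: int = 0

    def select(self) -> Optional[Firewall]:
        """Pick a healthy member; None when every firewall in the group is down."""
        live = [fw for fw in self.members if fw.healthy]
        if not live:
            return None
        if self.least_connection:
            return min(live, key=lambda fw: fw.active_conns)
        fw = live[self.rr_index % len(live)]
        self.rr_index += 1
        return fw


@dataclass(frozen=True)
class SourceIpPersistence:
    name: str
    timeout: int = 300   # seconds; the guide allows 60-15000, default 300

    def __post_init__(self) -> None:
        if not 60 <= self.timeout <= 15000:
            raise ValueError("persistence timeout must be 60-15000 seconds")


@dataclass
class VirtualFirewall:
    group: FirewallGroup
    persistence: Optional[SourceIpPersistence] = None
    port_persistence: Dict[int, SourceIpPersistence] = field(default_factory=dict)
    port_groups: Dict[int, FirewallGroup] = field(default_factory=dict)
    table: Dict[tuple, Tuple[str, float]] = field(default_factory=dict)  # key -> (firewall, expiry)

    def dispatch(self, src_ip: str, dst_port: int, now: float) -> Optional[str]:
        """Return the name of the firewall that carries this packet, or None if none is healthy."""
        # A template or group bound to the service port takes precedence over the
        # one bound to the virtual firewall as a whole.
        port_level = dst_port in self.port_persistence
        template = self.port_persistence[dst_port] if port_level else self.persistence
        group = self.port_groups.get(dst_port, self.group)
        key = (src_ip, dst_port) if port_level else (src_ip,)   # assumed keying
        if template is not None:
            entry = self.table.get(key)
            if entry is not None and entry[1] > now:
                pinned = next((fw for fw in group.members if fw.name == entry[0]), None)
                if pinned is not None and pinned.healthy:
                    self.table[key] = (pinned.name, now + template.timeout)  # idle timer restarts
                    return pinned.name
                # The pinned firewall failed its health check: fall through and re-select.
        fw = group.select()
        if fw is None:
            return None
        fw.active_conns += 1
        if template is not None:
            self.table[key] = (fw.name, now + template.timeout)
        return fw.name


if __name__ == "__main__":
    grp = FirewallGroup("fwg", [Firewall("fw-a"), Firewall("fw-b"), Firewall("fw-c")])
    vfw = VirtualFirewall(grp, persistence=SourceIpPersistence("src-ip"))
    for t, port in ((0, 80), (100, 443), (500, 80)):          # constructed client traffic
        print(t, port, vfw.dispatch("10.1.1.5", port, now=t))
```

Because a stateful firewall only accepts packets for connections it has seen open, the persistence entry must outlive the idle time of the client's longest session; that is the reason for sizing the template timeout, and the reason the model refreshes the expiry on every packet rather than only at table creation.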
FIGURE 121
FIGURE 122
Config > Service > Firewall > Firewall Virtual Server - Port
ent HA priority. For example, since External AX A uses priority 100 for
the HA group, External AX B uses priority 1.
The floating-ip commands on each AX device must use addresses
must use the floating IP address of the subnet on which the Internal AX
pair is connected to the firewalls.
Likewise, the method icmp transparent commands on the Internal AX
devices must use the floating IP address of the subnet on which the
External AX pair is connected to the firewalls.
CLI Commands on External AX (Active)
The following commands configure global HA parameters:
AX-Ext-A(config)#ha id 1
AX-Ext-A(config)#ha group 1 priority 100
AX-Ext-A(config)#ha interface ethernet 1
AX-Ext-A(config)#ha interface ethernet 2
AX-Ext-A(config)#ha conn-mirror ip 10.1.1.6
AX-Ext-A(config)#floating-ip 192.168.1.100 ha-group 1
AX-Ext-A(config)#floating-ip 10.1.1.100 ha-group 1
and some of the VE numbers also are different, but this is not required.
For simplicity, the VLAN numbers were selected to match the subnet
numbers.)
The static routes are different.
The floating IP address and connection mirroring IP address are different.
The target IP address of the transparent Layer 3 health check is the float-
The following commands configure the HA management and session synchronization interface to the other AX device.
Int-AX1(config)#trunk 1
Int-AX1(config-trunk:1)#ethernet 9 to 10
Int-AX1(config-trunk:1)#exit
Int-AX1(config)#vlan 60
Int-AX1(config-vlan:60)#untagged ethernet 9 to 10
Int-AX1(config-vlan:60)#router-interface ve 60
Int-AX1(config-vlan:60)#exit
Int-AX1(config)#interface ve 60
Int-AX1(config-if:ve60)#ip address 60.1.1.1 255.255.255.0
Int-AX1(config-if:ve60)#exit
Overview
The AX device supports the following types of templates for configuration
of SLB servers and ports:
Server Contains configuration parameters for real servers
Port Contains configuration parameters for real service ports
Virtual-server Contains configuration parameters for virtual servers
Virtual-port Contains configuration parameters for virtual service
ports
These template types provide the same benefit as other template types. They
allow you to configure a set of parameter values and apply the set of values
to multiple configuration items. In this case, you can configure sets of
parameters (templates) for SLB assets (servers and service ports) and apply
the parameters to multiple servers or ports.
Some of the parameters that can be set using a template can also be set or
changed on the individual server or port.
If a parameter is set (or changed from its default) both in a template and
on the individual server or port, the setting in the template takes
precedence.
Template Type: Real Server
Parameter / Description
Health monitor: Assigns a configured Layer 3 health monitor to all servers
that use the template. (See Configuring and Applying a Health Method on
page 382.)
Connection limit: Specifies the maximum number of connections allowed on
any server that uses the template. (See Connection Limiting on page 362.)
Connection rate limiting: Limits the rate of new connections the AX is
allowed to send to any server that uses the template. (See Connection Rate
Limiting on page 364.)
Slow start: Provides time for servers that use the template to ramp up
after TCP/UDP service is enabled, by temporarily limiting the number of new
connections on the server. (See Slow-Start on page 366.)
Dynamic server creation using DNS: The following parameters apply to
dynamic server creation using DNS. (For more information about this
feature, see Dynamic Real Server Creation Using DNS on page 885.)
DNS query interval: Specifies how often the AX device sends DNS queries for
the IP addresses of dynamic real servers.
Dynamic server prefix: Changes the prefix added to the front of dynamically
created servers.
Minimum TTL ratio: Specifies the minimum initial value for the TTL of
dynamic real servers.
Maximum dynamic servers: Specifies the maximum number of dynamic real
servers that can be created for a given hostname.
Template Type: Real Server Port
Parameter / Description
Health monitor: Assigns a configured Layer 4-7 health monitor to all service
ports that use the template. (See Configuring and Applying a Health Method
on page 382.)
Provides rapid server status change and reassignment based on client-server
traffic. This is an enhanced health check mechanism that works independently
of the standard out-of-band health mechanism. See In-Band Health Monitoring
on page 402.
Connection limit: Specifies the maximum number of connections allowed on
any real port that uses the template. (See Connection Limiting on page 362.)
Limits the rate of new connections the AX is allowed to send to any real
port that uses the template. (See Connection Rate Limiting on page 364.)
Enables destination Network Address Translation (NAT). Destination NAT is
enabled by default, but is disabled in Direct Server Return (DSR)
configurations.
DSCP
Source NAT
Weight
Template Type: Virtual Server
Parameter / Description
Connection limit: Specifies the maximum number of connections allowed on
any VIP that uses the template. (See Connection Limiting on page 362.)
Limits the rate of new connections the AX is allowed to send to any VIP
that uses the template. (See Connection Rate Limiting on page 364.)
Limits the rate at which ICMP packets can be sent to the VIP. (See ICMP
Rate Limiting on page 724.)
Enables gratuitous ARPs for all VIPs in a subnet VIP. (See Gratuitous ARPs
for Subnet VIPs on page 369.)
Specifies the maximum number of connections allowed on any virtual service
port that uses the template. (See Connection Limiting on page 362.)
Limits the rate of new connections the AX is allowed to send to any virtual
service port that uses the template. (See Connection Rate Limiting on page
364.)
Enables sending of a TCP Reset (RST) in response to a session mismatch.
(See TCP Reset Option for Session Mismatch on page 370.)
This example includes the commands to bind the template to real servers.
For information about binding the templates, see Applying a Server or Service Port Template on page 358.
Template Type: Server; Port; Virtual Server; Virtual Server Port
The settings do not apply to the same port if used in other service groups.
Virtual servers
Virtual server ports
The following subsections describe how to bind server and port templates to
servers, ports, and service group members. For configuration examples, see
the feature sections referred to in Table 7 on page 354.
Connection Limiting
By default, the AX device does not limit the number of concurrent connections on a server or service port. If certain servers or services are becoming
oversaturated, you can set a connection limit. The AX device stops sending
new connection requests to a server or port when that server or port reaches
its maximum allowed number of concurrent connections.
Connection Limit Parameters
To configure connection limits, you can set the following parameters:
Connection limit Specifies the maximum number of concurrent con-
maximum number of connections the server or port can have before the
AX device resumes use of the server or port. You can specify 1-1048575
(1 million) connections.
Reset or Drop (virtual servers or virtual server ports only) Specifies
the action to take for connections after the connection limit is reached on
the virtual server or virtual server port. By default, excess connections
are dropped. If you change the action to reset, the connections are reset
instead.
Logging By default, the AX device generates a log message when the
Slow-Start
The slow-start feature allows time for a server or real service port to ramp
up after TCP/UDP service on a server is enabled, by temporarily limiting
the total concurrent connections on the server or port.
You can configure the slow-start parameters described in this section in real
server templates and real port templates.
Note: Alternatively, you can enable slow-start on individual real servers.
However, the ramp-up settings on individual servers are not configurable.
The settings are the same as the default ramp-up settings in server and
port templates.
Ramp-Up Parameters
By default, slow-start allows a maximum of 128 new connections during the
first 10 seconds. During each subsequent 10-second interval, the total number of concurrent connections allowed to the server is doubled. Thus, during
the first 20 seconds, the server is allowed to have a total of 256 concurrent
connections. After 59 seconds, slow-start ends the ramp-up and no longer
limits the number of concurrent connections. Table 8 shows the default
ramp-up.
For the connection increment, you can specify a scale factor or a connection addition. The ending connection limit must be higher than the starting
connection limit.
If a normal runtime connection limit is also configured on the server or
port (for example, by Connection Limiting on page 362), and the normal connection limit is smaller than the slow-start ending connection
limit, the AX device limits slow-start connections to the maximum
allowed by the normal connection limit.
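The ramp described above (128 connections in the first 10 seconds, doubling every interval, ending after 59 seconds) and its interaction with a normal connection limit are easy to get wrong when sizing a deployment, so the following Python model is added here to make the arithmetic explicit. It is an added example, not A10 code. Table 8 and the default ending limit did not survive on this page, so the value 4096 used as the ending limit is an assumption, as is the modelling choice that the limit holds at the ending value for one full interval before slow-start stops limiting (which reproduces the "after 59 seconds" behaviour for the defaults). The connection-limit range 1-1048575 and the drop/reset actions are the ones from Connection Limiting above.

```python
from dataclasses import dataclass
from typing import Optional

MAX_CONNECTION_LIMIT = 1048575   # largest value the connection-limit parameter accepts


@dataclass(frozen=True)
class SlowStart:
    start: int = 128                # connections allowed during the first interval
    end: int = 4096                 # assumed default ending limit (not stated on this page)
    interval: int = 10              # seconds per ramp step
    scale: Optional[float] = 2.0    # multiply the limit by this each step ...
    add: Optional[int] = None       # ... or add this many connections each step

    def __post_init__(self) -> None:
        if self.end <= self.start:
            raise ValueError("ending connection limit must be higher than the starting limit")
        if (self.scale is None) == (self.add is None):
            raise ValueError("configure exactly one of scale or add")
        if self.interval <= 0:
            raise ValueError("interval must be positive")

    def limit_at(self, elapsed: float) -> Optional[int]:
        """Slow-start limit `elapsed` seconds after TCP/UDP service came up.

        Returns None once ramp-up has finished and slow-start no longer limits
        connections. The limit holds at `end` for one full interval before that
        (modelling assumption).
        """
        if elapsed < 0:
            raise ValueError("elapsed must be >= 0")
        limit = self.start
        for _ in range(int(elapsed // self.interval)):
            if limit >= self.end:
                return None
            nxt = int(limit * self.scale) if self.scale is not None else limit + self.add
            limit = min(nxt, self.end)
        return limit


def effective_limit(slow_start: Optional[SlowStart], elapsed: float,
                    normal_limit: Optional[int] = None) -> Optional[int]:
    """Combine slow-start with the runtime connection limit: the smaller one wins."""
    if normal_limit is not None and not 1 <= normal_limit <= MAX_CONNECTION_LIMIT:
        raise ValueError(f"connection limit must be 1-{MAX_CONNECTION_LIMIT}")
    candidates = [normal_limit]
    if slow_start is not None:
        candidates.append(slow_start.limit_at(elapsed))
    live = [c for c in candidates if c is not None]
    return min(live) if live else None


def admit(current_conns: int, limit: Optional[int], action: str = "drop") -> str:
    """Decide a new connection against the limit: 'accept', or the configured 'drop'/'reset'."""
    if action not in ("drop", "reset"):
        raise ValueError("action must be 'drop' or 'reset'")
    if limit is None or current_conns < limit:
        return "accept"
    return action


if __name__ == "__main__":
    ramp = SlowStart()
    for t in (0, 10, 20, 30, 40, 50, 60):
        print(t, ramp.limit_at(t), effective_limit(ramp, t, normal_limit=1000))
```

The effective_limit function is where the sentence above about a smaller normal connection limit shows up: from 30 seconds onward the default ramp would allow 1024 connections, but with a runtime limit of 1000 the server never receives more than 1000, and once the ramp finishes only the runtime limit remains.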
This option applies only to VIPs that are created using a range of subnet
IP addresses. The option has no effect on VIPs created with a single IP
address.
AX Response:
Maintain connection as long as there is traffic. When there is no traffic,
remove the connection one second later.
Move session from delete queue back into active session table.
The option is disabled by default, which means the AX device does not send
a RST in response to a session mismatch. You can enable the option in
individual virtual port templates.
This option does not apply to sessions that are in the delete queue. If the
AX device receives a packet for a session that has been moved to the
delete queue, the AX device does not send a TCP RST. Instead, the AX
device reactivates the session and allows it to age out normally.
Health Monitoring
AX Series devices can regularly check the health of real servers and service
ports. Health checks ensure that client requests go only to available servers.
Servers or ports that respond appropriately to health checks remain eligible
to serve client requests. A server or port that does not respond appropriately
to a health check is temporarily removed from service, until the server or
port is healthy again.
You can configure health methods on the AX device by configuring settings
for the type of service you are monitoring. You also can configure health
monitors externally using scripts and import the monitors for use by the AX
device.
request (TCP SYN) to the specified TCP port on the server. The port
passes the health check if it replies to the AX device by sending a TCP
SYN ACK. If the port does not reply after the fourth attempt, the AX
device sets the port state to DOWN.
Layer 4 UDP Every 5 seconds, the AX device sends a packet with a
valid UDP header and a garbage payload to the UDP port. The port
passes the health check if it either does not reply, or replies with any
type of packet except an ICMP Error message. If the port replies with an
ICMP Error message, the AX device sets the port state to DOWN.
The default ICMP, TCP, or UDP monitor is not used if you disable it on the
server or port, or you apply a different monitor to the server or port.
Note: For very large deployments (1000 or more servers), A10 Networks
recommends disabling the default Layer 3 health check, and using only
Layer 4-7 health checks. (See Globally Disabling Layer 3 Health Checks on
page 412.)
Determination of the server's or port's health is not made within the
interval. Instead, determination of health is made after the server or port
passes or fails one of the attempts (intervals), or the number of retries is
exhausted.
The default interval is 5 seconds. If you need to fine-tune this interval,
you can change it to a value from 1-180 seconds.
Timeout Number of seconds the AX device waits for a reply to a
health check. If the AX device does not receive the expected reply by
the end of the timeout, the AX device either sends the health check
again (if there are retries left) or marks the server or service down. You
can specify 1-12 seconds. The default is 5 seconds.
The type of reply expected by the AX device depends on the monitor
type. (See Health Method Types on page 377.)
Retries Maximum number of times the AX device will send the same
periodic health check, in order to be marked Up. You can specify 1-10.
The default is 1. (See Consecutive Health Checks Within a Health
Check Period on page 406.)
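The interval, timeout and retries parameters above, together with the Layer 4 TCP and UDP checks described earlier in this section, determine how long a failed server keeps receiving traffic before it is marked DOWN. The Python block below is added as an illustration and is not A10 code. It validates the parameter ranges given above (interval 1-180, timeout 1-12, retries 1-10), replays a constructed sequence of probe outcomes through successive check periods so the decision logic can be exercised offline, and implements the two Layer 4 probes with ordinary sockets: the TCP probe completes the handshake and closes normally, and the UDP probe sends a garbage payload and fails only on an ICMP error. Two things are assumptions of the model rather than statements of the guide: that the retries of one period are sent back to back, and that retries counts sends, so retries=1 means a single attempt per period. The Halfopen option (RST instead of the final ACK) cannot be reproduced with the socket API, because the kernel completes the handshake before the application sees the connection.

```python
import socket
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple


@dataclass(frozen=True)
class HealthMonitor:
    interval: int = 5    # seconds between periodic checks (1-180)
    timeout: int = 5     # seconds to wait for the expected reply (1-12)
    retries: int = 1     # sends of the same check per period before marking DOWN (1-10)

    def __post_init__(self) -> None:
        if not 1 <= self.interval <= 180:
            raise ValueError("interval must be 1-180 seconds")
        if not 1 <= self.timeout <= 12:
            raise ValueError("timeout must be 1-12 seconds")
        if not 1 <= self.retries <= 10:
            raise ValueError("retries must be 1-10")

    def worst_case_down_delay(self) -> int:
        """Longest time from a server failing to the AX marking it DOWN, assuming the
        failure happens just after a passed check and every retry then times out."""
        return self.interval + self.retries * self.timeout


Probe = Callable[[float], bool]   # takes the timeout, returns True when the expected reply arrived


def run_period(monitor: HealthMonitor, probe: Probe) -> Tuple[str, int]:
    """One check period: stop at the first passing attempt, DOWN after `retries` failures."""
    for attempt in range(1, monitor.retries + 1):
        if probe(monitor.timeout):
            return "UP", attempt
    return "DOWN", monitor.retries


def replay(monitor: HealthMonitor, outcomes: Sequence[bool]) -> List[Tuple[float, str, int]]:
    """Feed a constructed sequence of per-attempt outcomes through successive periods.

    Returns (period start time, state, attempts used) for every completed period.
    """
    log: List[Tuple[float, str, int]] = []
    i, t = 0, 0.0
    while i < len(outcomes):
        state, used = "DOWN", 0
        for attempt in range(1, monitor.retries + 1):
            if i >= len(outcomes):
                return log              # trace ended mid-period; that period is undecided
            ok = outcomes[i]
            i += 1
            used = attempt
            if ok:
                state = "UP"
                break
        log.append((t, state, used))
        t += monitor.interval
    return log


def tcp_probe(host: str, port: int, timeout: float) -> bool:
    """Layer 4 TCP check: SYN, expect SYN-ACK, finish the handshake, then close normally (FIN)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass                        # leaving the block closes the socket, sending FIN
        return True
    except OSError:                     # refused (RST), unreachable, or no SYN-ACK before timeout
        return False


def udp_probe(host: str, port: int, timeout: float, payload: bytes = b"\x00" * 16) -> bool:
    """Layer 4 UDP check: send a garbage payload; pass on silence or any reply, fail on ICMP error."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))      # a connected socket is told about ICMP errors
        try:
            sock.send(payload)
            sock.recv(1500)
            return True                 # any reply at all counts as a pass
        except socket.timeout:
            return True                 # no reply is also a pass
        except ConnectionRefusedError:  # ICMP port unreachable (surfaced this way on Linux)
            return False


if __name__ == "__main__":
    mon = HealthMonitor(interval=5, timeout=3, retries=3)
    print(replay(mon, [True, False, True, False, False, False]))   # constructed outcomes
    print("worst-case DOWN detection:", mon.worst_case_down_delay(), "seconds")
```

The worst_case_down_delay figure is the one to compare against the HA failover target: with the defaults (interval 5, timeout 5, retries 1) a dead server can receive new connections for up to 10 seconds, and raising retries lengthens that window by one timeout per retry.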
To configure a health monitor for Direct Server Return (DSR), see
Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments
on page 386.
Description: AX Series sends a lookup request for the specified domain
name or server IP address. By default, recursion is allowed. The tested
DNS server is allowed to send the health check request to another DNS
server if the tested server cannot fulfill the request using its own
database. Optionally, you can disable recursion.
Successful If...: Server sends a reply with the expected status code (0 by
default) and record type (A by default).
Configuration Required on Target Server: Domain name in the lookup request
must be in the server's database.
FTP
Description: AX Series sends an HTTP GET, HEAD, or POST request to the
specified TCP port and URL.
GET requests the entire page.
HEAD requests only the meta-information in the header.
POST attempts to write information to the server. For POST requests, you
must specify the target field names and the values to post. (For more
information, see Configuring POST Requests in HTTP/HTTPS Health Monitors
on page 388.)
If a user name and password are required to access the page, they also
must be specified in the health check configuration.
Successful If...: Server replies with OK message (200), by default. You can
configure the response code(s) and record type required for a successful
health check.
For GET requests, the server also must reply with the requested content or
meta-information in the page header. The response must include the string
specified in the Expect field on the AX Series.
For HEAD requests, the AX Series ignores the Expect field and only checks
for the server reply message.
For POST operations, the data must be posted without error.
Configuration Required on Target Server: Requested page (URL) must be
present on the server.
For GET requests, the string specified as the expected reply must be
present.
For POST operations, the field names specified in the health check must be
present on the requested page.
For HTTPS health checks, SSL support must be enabled on the server. A
certificate does not need to be installed on the AX device. The AX device
always accepts the server certificate presented by the server (the health
check does not validate it).
ICMP
Description: AX Series sends an LDAP request to the LDAP port.
Successful If...: Server sends a reply containing result code 0.
Configuration Required on Target Server: If a Distinguished Name and
password are sent in the health check, they must match these values on
the LDAP server.
NTP
POP3
RADIUS
RTSP
SIP
SMTP
SNMP
None.
380 of 950
P e r f o r m a n c e
b y
D e s i g n
TCP
Description: The AX Series sends a connection request (TCP SYN) to the
specified TCP port on the server.
Successful If...: The server replies with a TCP SYN-ACK. By default, the AX
device completes the TCP handshake with the server:
    AX -> Server
    SYN ->
         <- SYN-ACK
    ACK ->
    FIN-ACK ->
         <- FIN-ACK
    ACK ->
To configure the AX device to send a RST (Reset) instead of sending the
first ACK, enable the Halfopen option. In this case, the health check is
performed as follows:
    SYN ->
         <- SYN-ACK
    RST ->
Configuration Required on Target Server: The destination TCP port of the
health check must be valid on the server.

UDP
Successful If...: The server does either of the following:
Replies from the specified UDP port with any type of packet.
enabled, and with the alias address set to the virtual IP address.
Globally enable DSR health checking.
In the postdata string, use = between a field name and the value you are
posting to it. If you post to multiple fields, use & between the fields. For
example: postdata fieldname1=value&fieldname2=value. The string can be
up to 255 bytes long.
To use POST data longer than 255 bytes, you must import a POST data file
and use the POST / postfile filename option. To import a POST data file up to
2 Kbytes long, use the following command at the global configuration level
of the CLI:
    health postfile import filename
The following commands import a file containing a large HTTP POST data
payload (up to 2 Kbytes), and add the payload to an HTTP health monitor:
    AX(config)#health postfile import long-post
    AX(config)#health monitor http1
    AX2000(config-health:monitor)#method http url post / postfile long-post expect def
In this example, health checks that use this health monitor will send a POST
request containing the data in the postfile (long-post), and expect the string
def in the response.
the range 0-15, that are valid responses to a health check. If the tested
DNS server responds with any of the expected response codes, the
server passes the health check. By default, the expect list is empty, in
which case the AX device expects status code 0 (No error condition).
Recursion setting (enabled or disabled) Recursion specifies whether
the tested DNS server is allowed to send the health check request to
another DNS server if the tested server cannot fulfill the request using
its own database. Recursion is enabled by default.
Record type expected from the server You can specify one of the fol-
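The DNS health monitor's pass criteria above (an expect list of RCODEs 0-15, an expected record type, and the recursion flag), as an added example that is not A10's code. The replies are constructed wire-format messages, and applying the record-type check only when RCODE is 0 is this example's own assumption.

```python
"""DNS health-check evaluation, added to illustrate the DNS health monitor
settings above (expect list, record type, recursion). Illustrative code, not
the AX Series implementation; the sample replies below are constructed."""
import struct

# Record types a monitor can expect, with their DNS wire type codes
RECORD_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
                "TXT": 16, "AAAA": 28}


def encode_name(domain):
    """Encode a domain name in DNS wire (label) format."""
    out = b""
    for label in domain.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(domain, record_type="A", recursion=True, txid=0x1234):
    """Build the lookup request the monitor sends. The RD flag bit mirrors the
    monitor's recursion setting (enabled by default on the page)."""
    flags = 0x0100 if recursion else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(domain) + struct.pack("!HH", RECORD_TYPES[record_type], 1)
    return header + question


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends name
            return offset + 2
        offset += 1 + length


def parse_reply(data):
    """Extract transaction id, QR bit, RCODE and the answer RR types."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4    # skip QTYPE and QCLASS
    answer_types = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        answer_types.append(rtype)
        offset += 10 + rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answer_types": answer_types}


def dns_health_ok(reply, expect=(), record_type="A", txid=0x1234):
    """Apply the monitor's pass criteria. An empty expect list means only
    RCODE 0 (No error condition) passes, as the page states. Assumption made
    here: the record-type check applies only when RCODE is 0, because a
    non-zero RCODE carries no usable answer records."""
    if any(code not in range(16) for code in expect):
        raise ValueError("expect codes must be in the range 0-15")
    expected = set(expect) if expect else {0}
    if not reply["is_response"] or reply["txid"] != txid:
        return False                        # not a reply to our query
    if reply["rcode"] not in expected:
        return False
    if reply["rcode"] == 0:
        return RECORD_TYPES[record_type] in reply["answer_types"]
    return True


def constructed_reply(txid, rcode, answers, question="www.example.com"):
    """Constructed sample reply (not captured from a real server). answers is
    a list of (type code, rdata); each RR name is a pointer to the question
    name at offset 12."""
    flags = 0x8180 | rcode                  # QR=1, RD=1, RA=1
    data = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    data += encode_name(question) + struct.pack("!HH", 1, 1)
    for rtype, rdata in answers:
        data += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return data


# Constructed sample replies: a normal A answer, NXDOMAIN, and CNAME only
REPLY_A = constructed_reply(0x1234, 0, [(1, bytes([192, 0, 2, 10]))])
REPLY_NXDOMAIN = constructed_reply(0x1234, 3, [])
REPLY_CNAME_ONLY = constructed_reply(0x1234, 0, [(5, encode_name("alias.example.com"))])
```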
In this example, the real servers managed by the site AX are configured as
service IPs 192.168.100.100-102 on the GSLB AX. The health-check metric is
enabled in the GSLB policy, so health checks are needed to verify that
the service IPs are healthy. One way to do so is to check the health of the
ISP link connected to the site AX device.
Because the GSLB AX device is deployed in route mode instead of transparent
mode, the transparent option for ICMP health monitors cannot be
used to check the remote end of the path. In this case, the health monitor can
be configured with an override IP address, 192.168.1.1, to check the health
of the ISP link to the site where the servers are located. When the AX device
in this example uses the health monitor to check the health of a service IP,
The override is used only if applicable to the method (health check type)
and the target. An IP address override is applicable only if the target has the
same address type (IPv4 or IPv6) as the override address.
A protocol port override is applicable to all health methods except ICMP. If
the protocol port number is explicitly configured for the method, the override port number is still used instead.
In this example, a single server provides content for the following sites:
www.media-rts.com
www.media-tuv.com
www.media-wxyz.com
All sites can be reached on HTTP port 80 on the server. The health check
configured on the port in the real server configuration results in the same
health status for all three sites. All of them either are up or are down.
server or port
Directly on the individual server or port
In cases where health checks are applied at multiple levels, they have the
following priority:
1. Health check on real server
2. Health check on real server's port
3. Health check on service group
If a health check at the real server level (1) fails, the corresponding real
server, real server port, and service group members are marked Down.
However, if a health check on the service group level (3) fails, only that
service group member in that service group is marked Down.
To assign a health monitor to a service group, use either of the following
methods.
time the retry counter for any session is exceeded, the AX device increments the reassign counter for the server port. If the reassign counter
exceeds the configured maximum number of reassignments allowed, the
AX device marks the port DOWN.
In this case, the port remains DOWN until the next time the port successfully passes a standard health check. Once the port passes a standard
health check, the AX device starts using the port again and resets the
reassign counter to 0.
You can set the reassign counter to 0-255 reassignments. The default is
25 reassignments.
In-band health monitoring is disabled by default.
In-band health monitoring does not mark ports up. Only standard health
monitoring marks ports up. So messages and traps for server ports coming
up are generated only by the A10HM module.
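The retry and reassign counter behaviour just described, as an added illustrative model that is not A10's code; the session ids and counter limits used are constructed.

```python
"""In-band health monitoring, added as an illustrative model of the retry and
reassign counters described above (not AX Series code)."""


class InbandPort:
    """One real server port under in-band health monitoring."""

    def __init__(self, retry_max, reassign_max=25):
        self.retry_max = retry_max          # retries allowed per session
        self.reassign_max = reassign_max    # 0-255; the page's default is 25
        self.reassign_count = 0
        self.state = "UP"
        self.retries = {}                   # session id -> failed attempts

    def session_failure(self, session_id):
        """A session's attempt to use the port failed. Returns 'retry' while
        the session's retry counter is not exceeded, else 'reassign'."""
        self.retries[session_id] = self.retries.get(session_id, 0) + 1
        if self.retries[session_id] <= self.retry_max:
            return "retry"
        # retry counter exceeded: the session is reassigned and the port's
        # reassign counter is incremented
        del self.retries[session_id]
        self.reassign_count += 1
        if self.reassign_count > self.reassign_max:
            self.state = "DOWN"             # too many reassignments
        return "reassign"

    def session_success(self, session_id):
        """In-band monitoring never marks a port UP, so success only clears
        the session's retry counter."""
        self.retries.pop(session_id, None)

    def standard_health_check(self, passed):
        """Only the standard (A10HM) health check brings the port back UP,
        and doing so resets the reassign counter to 0."""
        if passed:
            self.state = "UP"
            self.reassign_count = 0
        else:
            self.state = "DOWN"


def simulate(retry_max, reassign_max, failed_sessions, standard_check=None):
    """Drive a port through failures (a constructed list of session ids) and
    optionally one standard health check; return (state, reassign_count)."""
    port = InbandPort(retry_max, reassign_max)
    for session_id in failed_sessions:
        port.session_failure(session_id)
    if standard_check is not None:
        port.standard_health_check(standard_check)
    return port.state, port.reassign_count
```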
nance code. In this case, the server's health status changes to Up.
Fail a health check. In this case, the server's status changes to Down.
In this example, if the server replies with code 601, the server goes into
maintenance mode, and stays there until the server either fails a health
check (Down) or replies with code 200 (Up).
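The HTTP/HTTPS health monitor rules from the table earlier (GET, HEAD and POST handling, the Expect string, configurable response codes, and the postdata/postfile size limits) together with the maintenance-code behaviour just described, as an added example that is not A10's code; the field names and response values are constructed.

```python
"""HTTP/HTTPS health-check evaluation, added to illustrate the HTTP health
monitor rules and the maintenance-code behaviour described above.
Illustrative code, not the AX Series implementation."""

MAX_POSTDATA_BYTES = 255    # inline postdata limit stated on the page
MAX_POSTFILE_BYTES = 2048   # imported postfile limit stated on the page


def build_postdata(fields):
    """Join field=value pairs with '&' (the postdata format on the page) and
    report whether the payload fits inline or needs an imported postfile."""
    payload = "&".join(f"{name}={value}" for name, value in fields.items())
    size = len(payload.encode("utf-8"))
    if size <= MAX_POSTDATA_BYTES:
        return "postdata", payload
    if size <= MAX_POSTFILE_BYTES:
        return "postfile", payload
    raise ValueError(f"POST data of {size} bytes exceeds the 2 Kbyte postfile limit")


def http_health_status(method, status_code, body, expect="", response_codes=(200,),
                       maintenance_codes=(), post_error=False):
    """Return 'Up', 'Down' or 'Maintenance' for one probe response.

    Rules taken from the page:
      - a configured maintenance code (for example 601) puts the server into
        maintenance mode; checked first because it is not a failure
      - otherwise the status code must be one of the configured response
        codes (200 by default)
      - GET: the body must also contain the Expect string
      - HEAD: the Expect string is ignored; only the reply code counts
      - POST: the data must have been posted without error
    The page states the device accepts any server certificate, so for HTTPS
    these rules say nothing about the server's identity.
    """
    if status_code in maintenance_codes:
        return "Maintenance"
    if status_code not in response_codes:
        return "Down"
    if method == "GET":
        return "Up" if expect in body else "Down"
    if method == "HEAD":
        return "Up"
    if method == "POST":
        return "Down" if post_error else "Up"
    raise ValueError(f"unsupported method {method!r}")
```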
If an override IP address and protocol port are set in the health monitor
configuration, the AX device will use the override address and port, even
if you specify an address and port when you send the on-demand health
check.
CLI Example
The following command tests port 80 on server 192.168.1.66, using configured
health monitor hm80:
    AX#health-test 192.168.1.66 monitorname hm80
    node status UP.
health check.
Retries Maximum number of times the AX device will send the same
to be Up. Even if one of the health checks is unsuccessful, the health status is still Up if the other health check is successful. If both of the health
checks are unsuccessful, the health status is Down.
NOT The health status is the opposite of the health check result. For
In the CLI, you must enter method compound at the beginning, and sub
in front of each health-monitor name. In the GUI, do not enter method
compound. The GUI automatically enters sub in front of each health
monitor name when you select it.
Note:
The equivalent expressions are shown for clarity but are not valid syntax
on the AX device.
Similarly, to construct a health monitor that ORs two health monitors, use
the following syntax:
    method compound sub hm1 sub hm2 OR
This is logically equivalent to the following expression: hm1 | hm2
To construct a health monitor that results in an Up health status if the health
check is unsuccessful, use the following syntax:
    method compound sub hm1 NOT
This is logically equivalent to the following expression: ! hm1
To construct more complex expressions, you can enter multiple sets of
health monitors and operators. Here is a quite complex expression:
    (! (hm1 | (hm2 & (hm3 | (! hm4))))) | hm5
To configure this expression, use the following syntax:
    method compound sub hm1 sub hm2 sub hm3 sub hm4 NOT OR AND OR NOT sub hm5 OR
Considerations
A maximum of 8 sub monitors are supported in a compound monitor. To
use more sub monitors, you can nest compound monitors. (See below.)
The total number of sub monitors plus the number of Boolean operators
ure a compound monitor, then use that compound monitor as a sub monitor
in another compound monitor. The maximum nesting depth is 8.
Nesting loops are not allowed.
The timeout and interval parameters of a compound monitor must be set
to values that allow each of the sub monitors to complete their health
checks. If any of the sub monitors is unable to complete its health check,
the compound monitor's result will always be Down.
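An evaluator for the compound-monitor RPN syntax described above, added here as illustrative code that is not the AX Series implementation; it also applies the 8-sub-monitor limit and the rule that a sub monitor which cannot complete forces a Down result.

```python
"""Compound health monitor evaluation, added to illustrate the Reverse Polish
Notation syntax described above. Parses the 'method compound sub ... AND|OR|NOT'
form from the page and evaluates it against sub-monitor results. Illustrative
code, not the AX Series implementation."""

MAX_SUB_MONITORS = 8   # limit stated in the Considerations above


def parse_compound(syntax):
    """Turn 'method compound sub hm1 sub hm2 AND' into an RPN token list:
    sub monitors become ('sub', name); operators stay 'AND', 'OR', 'NOT'."""
    words = syntax.split()
    if words[:2] != ["method", "compound"]:
        raise ValueError("expected 'method compound ...'")
    tokens, i, subs = [], 2, 0
    while i < len(words):
        if words[i] == "sub" and i + 1 < len(words):
            tokens.append(("sub", words[i + 1]))
            subs += 1
            i += 2
        elif words[i] in ("AND", "OR", "NOT"):
            tokens.append(words[i])
            i += 1
        else:
            raise ValueError(f"unexpected token {words[i]!r}")
    if subs > MAX_SUB_MONITORS:
        raise ValueError(f"{subs} sub monitors exceed the limit of {MAX_SUB_MONITORS}")
    return tokens


def evaluate_compound(tokens, results):
    """Evaluate the RPN tokens. results maps sub-monitor name -> True (Up),
    False (Down) or None (did not complete). As the Considerations state,
    any sub monitor that could not complete makes the compound result Down."""
    stack = []
    for tok in tokens:
        if isinstance(tok, tuple):
            value = results.get(tok[1])
            if value is None:
                return False
            stack.append(bool(value))
        elif tok == "NOT":
            if not stack:
                raise ValueError("NOT has no operand")
            stack.append(not stack.pop())
        else:
            if len(stack) < 2:
                raise ValueError(f"{tok} needs two operands")
            right, left = stack.pop(), stack.pop()
            stack.append(left and right if tok == "AND" else left or right)
    if len(stack) != 1:
        raise ValueError("malformed expression: operands left on the stack")
    return stack[0]


def to_infix(tokens):
    """Render the RPN as the infix form the page uses for explanation
    (display only; that notation is not valid AX syntax)."""
    stack = []
    for tok in tokens:
        if isinstance(tok, tuple):
            stack.append(tok[1])
        elif tok == "NOT":
            stack.append(f"(! {stack.pop()})")
        else:
            right, left = stack.pop(), stack.pop()
            stack.append(f"({left} {'&' if tok == 'AND' else '|'} {right})")
    return stack[0]


# The "quite complex" expression from the page, in its CLI form
PAGE_EXAMPLE = ("method compound sub hm1 sub hm2 sub hm3 sub hm4 "
                "NOT OR AND OR NOT sub hm5 OR")
```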
Make sure to use Reverse Polish Notation. (See Compound Health Monitor Syntax on page 413.)
CLI Examples
The following commands configure a compound health monitor in which
both health checks must be successful in order for the resulting health status
to be Up:
                 Current  Total  Fwd-pkt  Rev-pkt  State
-----------------------------------------------------------------------------
s1:80/tcp                                          Down
s1:53/udp                                          Down
s1:85/udp                                          Down
s1: Total                                          Down
...
IP address     Port  Health monitor  Status  Cause(Up/Down/Retry)  PIN
-------------------------------------------------------------------------------
10.10.10.99          default         Down    0 /48 /854            2 /0
4.4.4.4              default         Down    0 /48 /854            2 /0
8.4.3.2              default         Down    0 /48 /854            2 /0
99.99.99.99          default         Down    0 /48 /854            2 /0
10.10.10.88          default         Down    0 /48 /854            2 /0
10.10.10.88    80    qrs             Down    0 /34 /0              2 /0
Utility commands such as ping, ping6, wget, dig, and so on are supported.
Configuration
To use an external health method:
1. Configure a health monitor script.
2. Import the script onto the AX device.
3. Configure a health monitor that uses external as the method.
4. In the server configuration, set the health check to use the method.
Script Examples
TCL Script Example
For Tcl scripts, the health check parameters are transmitted to the script
through the predefined TCL array ax_env. The array variable
ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the
server port number. Set ax_env(Result) to 0 to report a pass; any other
value is reported as a fail.
TCL script filenames must use the .tcl extension.
    # $? holds the exit status of the check command run immediately before
    ret=$?
    if test "$ret" -eq 0 ; then
        echo "OK"
        exit 0      # exit status 0 reports the health check as passed
    else
        echo "Fail"
        exit 1      # a non-zero exit status reports a failure
    fi
Overview
Global Server Load Balancing (GSLB) extends load balancing to global
geographic scale. AX Series adds intelligence to DNS. GSLB evaluates the
server IP addresses in DNS replies and changes the order of the addresses in
the replies so that the best available host IP address is the preferred choice.
AX Series GSLB provides the following key advantages:
Protects businesses from down time due to site failures
Ensures business continuity and applications availability
Provides faster performance and improved user experience by directing
ple sites
You can deploy GSLB in proxy mode or server mode.
Proxy mode The AX device acts as a proxy for an external DNS
server.
Server mode The AX device directly responds to queries for specific
In this example, the GSLB AX device (the GSLB controller) globally load
balances client requests for www.a10.com.
The a10.com services reside on real servers at two sites. At each site, an AX
device provides SLB for the real servers. On the GSLB AX device, the sites
are grouped into a zone for the service.
When a client sends a DNS lookup request for the IP address of
www.a10.com, the GSLB AX device intercepts the request and sends the
same request to the DNS server on behalf of the client.
When the GSLB AX device receives the DNS reply, the device re-orders the
IP addresses in the reply based on the results of site evaluation using the
configured GSLB metrics. The GSLB AX device also makes other changes
Advantages of GSLB
In standard DNS, when a client wants to connect to a host and has the hostname but not the IP address, the client sends a lookup request to its local
DNS server. The local DNS server checks its local database.
If the database contains an Address record for the requested host name,
the DNS server sends the IP address for the host name back to the client.
The client can then access the host.
If the local DNS server does not have an Address record for the
requested server, the local DNS server makes recursive queries to the
root and intermediate DNS servers, which results in authoritative DNS
server addresses. When a request reaches an authoritative DNS server,
that DNS server sends a reply to the DNS query. The client's local DNS
server then sends the reply to the client. The client now can access the
requested host.
In today's redundant data centers and multiple service provider sites, a host
name can reside at multiple data centers or sites, with different IP addresses.
When this is the case, the authoritative DNS server for the host sends multiple IP addresses in its replies to DNS queries. Standard DNS servers can
provide only rudimentary load sharing for the addresses, using a simple
round-robin algorithm to rotate the list of addresses for each query. Thus,
the address that is listed first in the last reply sent by the DNS server is
rotated to be the last address listed in the next reply, and so on.
GSLB Policy
GSLB evaluates the service IP addresses listed in replies from DNS servers
to clients, re-orders the addresses based on that evaluation, and sends the
DNS replies to clients with the re-ordered IP address lists. As a result of this
process, each client receives a DNS reply that has the best service IP
address listed first.
GSLB selects the best site IP address using a GSLB policy. A GSLB policy
consists of one or more of the following metrics:
1. health-check Services that pass health checks are preferred.
2. weighted-ip Service IP addresses with higher administratively
assigned weights are used more often than service IP addresses with
lower weights. (See Weighted-IP and Weighted-Site on page 432.)
3. weighted-site Sites with higher administratively assigned weights are
preferred. Sites with higher administratively assigned weights are used
more often than sites with lower weights. (See Weighted-IP and
Weighted-Site on page 432.)
4. session capacity Sites with more available sessions based on respective maximum session capacity are preferred.
5. active-servers Sites with the most currently active servers are preferred.
6. active-rtt Sites with faster round-trip-times for DNS queries and
replies between a site AX device and the GSLB local DNS are preferred.
7. passive-rtt Services with faster response times to clients are preferred.
Metric order does not apply to the alias-admin-preference and weighted-alias metrics. When enabled, alias-admin-preference always has high priority.
If DNS caching is used, the cycle starts over if the cache aging timer
expires.
Ordered-IP
Most metrics select a site or IP address as the best address. However, the
ordered-ip metric does not select or eliminate sites or IP addresses. Instead,
the ordered-ip metric re-orders the IP addresses based on the metric's configuration in the GSLB policy.
If there are any more metrics after ordered-ip, the re-ordered list is sent to
the next metric.
If you plan to use the ordered-ip metric, you need to disable the round-robin
metric. Otherwise, round-robin will be used as the tie-breaker and the
ordered IP list will be ignored.
Tie-Breaker
If all the enabled metrics in the policy result in a tie (do not definitively
select a single site as the best site), the AX device uses round-robin to select
a site. This is true even if the round-robin metric is disabled in the GSLB
policy.
Health Checks
The health-check metric checks the availability (health) of the real servers
and service ports. Sites whose real servers and service ports respond to the
health checks are preferred over sites in which servers or service ports are
unresponsive to the health checks.
Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geographically closer to the clients. For example, if a domain is served by sites
in both the USA and Asia, you can configure GSLB to favor the USA site
for USA clients while preferring the Asian site for Asian clients.
To configure geo-location:
Leave the geographic GSLB metric enabled.
Load geo-location data. You can load geo-location data from a file or
DNS response from the DNS answer, GSLB selects a DNS A record
using IP metrics, then tries to insert the DNS CNAME record into the
answer based on geo-location settings. While inserting the CNAME
record, if the Alias metrics are enabled, GSLB may remove some
CNAME records and related service IPs.
DNS server Enable the geoloc-alias option. After receiving a DNS
query, GSLB tries to insert a DNS CNAME record into the answer
based on the geo-location settings. During insertion, if the Alias metrics
are enabled, GSLB may remove some CNAME records. After finishing
DNS A record to return, GSLB tries to insert all backup DNS CNAME
records. During insertion, if Alias metrics are enabled, GSLB may
remove some CNAME records. No DNS A records are returned.
This option also requires the dns-cname-record as-backup option on the
service.
DNS Options
DNS options provide additional control over the IP addresses listed in DNS
replies to clients. After the GSLB AX device uses the metrics to select and
prioritize the IP addresses for the DNS reply, the AX device applies the
enabled DNS options to the list.
The following DNS options can be set in GSLB policies:
dns action Enable GSLB to perform DNS actions specified in the service configurations.
dns active-only Removes IP addresses for services that did not pass
replies for A records, when the device is configured for DNS proxy or
cache mode.
dns best-only Removes all IP addresses from DNS replies except for
the address selected as the best address by the GSLB policy metrics.
dns cache Caches DNS replies and uses them when replying to clients,
vice IP. If this option is disabled, the internal address is returned instead.
dns geoloc-action Performs the DNS traffic handling action specified
geo-location.
dns ip-replace Replaces the IP addresses with the set of addresses
sticky
server
cache
proxy
GSLB does not have a separately configurable proxy option. The proxy
option is automatically enabled when you configure the DNS proxy as
part of GSLB configuration.
The site address selected by the first option that is applicable to the client
and requested service is used.
TTL Override
GSLB ensures that DNS replies to clients contain the optimal set of IP
addresses based on current network conditions. However, if the DNS TTL
value assigned to the Address records is long, the local DNS servers used by
clients might cache the replies for a long time, and send those stale replies to
clients. Thus, even though the GSLB AX device has current information,
clients might receive outdated information.
The GSLB protocol is required in order to collect the site information provided for these metrics.
The GSLB protocol is also required for the health-check metric, if the
default health checks are used. If you modify the health checks, the GSLB
protocol is not required. (See Health Checks on page 432.)
Configuration Overview
Configuration is required on the GSLB AX device (GSLB controller) and
the site AX devices.
Configuration on GSLB Controller
To configure GSLB on the GSLB AX device:
1. Configure health monitors for the DNS server to be proxied and for the
GSLB services to be load balanced.
2. Configure a DNS proxy.
3. Configure a GSLB policy (unless you plan to use the default policy settings, described in GSLB Policy on page 430).
4. Configure services.
5. Configure sites.
6. Configure a zone.
7. Enable the GSLB protocol for the GSLB controller function.
Note:
If you plan to run GSLB in server mode, the proxy DNS server does not
require configuration of a real server or service group. Only the VIP is
required. However, if you plan to run GSLB in proxy mode, the real
server and service group are required along with the VIP. (Server and
proxy mode are configured as DNS options. See DNS Options on
page 435.)
Configuration on Site AX Device
To configure GSLB on the site AX devices:
1. Configure SLB, if not already configured.
2. Enable the GSLB protocol for the GSLB site device function.
The parameters you can configure at each level are described in GSLB
Parameters on page 479.
The following sections describe the GSLB configuration steps in the GUI
and in the CLI. Required commands and commonly used options are listed.
For advanced commands and options, see GSLB Parameters on page 479.
Each of the following configuration sections shows the CLI and GUI
methods for configuration. For complete configuration examples, see
Configuration Examples on page 506.
The GUI will not accept the configuration if the IP address you enter here
is the same as the real DNS server IP address you enter when configuring
the service group for this proxy (below).
5. (Optional) To add this proxy configuration of the DNS server to a High
Availability (HA) group, select the group.
6. In the GSLB Port section, click Add.
7. In the Port field, enter the DNS port number, if not already filled in.
8. In the Service Group field, select create. The Service Group and
Server sections appear.
9. In the Name field, enter a name for the service group.
10. In the Type drop-down list, select UDP.
11. In the Server section, in the Server drop-down list, enter the IP address
of the DNS server. Enter the real IP address of the DNS server, not the
IP address you are assigning to the DNS proxy.
12. Enter the DNS port number in the Port field and click Add. The server
information appears.
13. Click OK. The GSLB Port section re-appears.
The other metrics are disabled. (For detailed information about policy
parameters and their defaults, see GSLB Parameters on page 479.)
To disable a GSLB metric, use the no form of the command for the metric, at the configuration level for the policy. For example, to disable the
health-check metric, enter the following command at the configuration level
for the policy:
    AX(config gslb-policy)#no health-check
To set DNS options, use the following command at the configuration level
for the policy. (For descriptions, see DNS Options on page 435 and
Table 13, GSLB Policy Parameters, on page 494.)
    [no] dns
      {
      action |
      active-only |
      addition-mx |
      backup-alias |
      best-only [max-answers] |
      cache [aging-time {seconds | ttl}] |
      cname-detect |
      external-ip |
      geoloc-action |
      geoloc-alias |
      geoloc-policy |
      ip-replace |
      ipv6 options |
      logging {both | query | response} [geo-location name | ip ipaddr] |
      server [addition-mx] [authoritative [full-list]] [mx] [ns [auto-ns]] [ptr [auto-ptr]] [srv] |
      sticky [/prefix-length] [aging-time minutes] [ipv6-mask mask-length] |
      ttl num
      }
time (RTT) for a client, the site AX device sends queries for the domain
name to a client's local DNS. An RTT sample consists of the time
between when the site AX device sends a query and when it receives the
response.
Only one active-RTT domain can be configured. It is recommended to
use a domain name that is likely to be in the cache of each client's local
DNS. The default domain name is google.com.
The AX device averages multiple active-RTT samples together to calculate
the active-RTT measurement for a client. (See the description of
Track below.)
Interval Specifies the number of seconds between queries. You can
RTT data for a client after a query fails. You can specify 1-300 seconds.
The default is 3.
Timeout Specifies the number of milliseconds GSLB will wait for a
collects samples for a client. The samples collected during the track time
are averaged together, and the averaged value is used as the active RTT
measurement for the client. You can specify 15-3600 seconds. The
default is 60 seconds.
The averaged RTT measurement is used until it ages out. The aging time
for averaged RTT measurements is 10 minutes by default and is configurable on individual sites, using the active-rtt aging-time command.
To configure global active-RTT options, use the following command at the
global configuration level of the CLI:
    [no] gslb active-rtt
      {
      domain domain-name |
      interval seconds |
      retry num |
      sleep seconds |
      timeout ms |
      track seconds
      }
Default Settings
When you enable Active RTT, a site AX device sends 5 DNS requests to the
GSLB domain's local DNS. The GSLB AX device averages the RTT times
of the 5 samples.
Single Sample (Single Shot)
To take a single sample and use that sample indefinitely, use the single-shot
option. This option instructs each site AX device to send a single DNS
query to the GSLB local DNS.
The single-shot option is useful if you do not want to frequently update the
active RTT measurements. For example, if the GSLB domain's clients tend
to remain logged on for long periods of time, using the single-shot option
ensures that clients are not frequently sent to differing sites based on active
RTT measurements.
wait for the DNS reply. If the reply does not arrive within the specified
timeout, the site becomes ineligible for selection, in cases where selection
is based on the active RTT metric. You can specify 1-255 seconds.
The default is 3 seconds.
skip Specifies the number of site AX devices that can exceed their
single-shot timeouts, without the active RTT metric itself being skipped by
the GSLB AX device during site selection. You can skip from 1-31 sites.
The default is 3.
Multiple Samples
To periodically retake active RTT samples, do not use the single-shot
option. In this case, the AX device uses the averaged RTT based on the
number of samples measured for the intervals.
For example, if you set active RTT to use 3 samples with an interval of 5
seconds, the RTT is the average RTT for the last 3 samples, collected in
5-second intervals. If you configure single-shot instead, a single sample is
taken.
The number of samples can be 1-8. The default is 5 samples.
Store-By
By default, the GSLB AX device stores one active RTT measurement per
site SLB device. Optionally, you can configure the GSLB AX device to
store one measurement per geo-location instead. This option is configurable
on individual GSLB sites. (See Changing Active RTT Settings for a Site
on page 449.)
Tolerance
The default measurement tolerance is 10 percent. If the RTT measurements
for more than one site are within 10 percent, the GSLB AX device considers
the sites to be equal in terms of active RTT. You can adjust the tolerance to
any value from 0-100 percent.
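Active-RTT site selection with the sample averaging, tolerance and single-shot skip rules above, and round-robin as the tie-breaker (which also illustrates the earlier Tie-Breaker section), as an added model that is not A10's code; the site names and RTT samples are constructed.

```python
"""Active-RTT site selection, added to illustrate the sample averaging,
tolerance and single-shot skip rules above, with round-robin as the
tie-breaker. Illustrative model, not the AX Series implementation."""

SAMPLES_DEFAULT = 5      # samples averaged per client (page default)
TOLERANCE_DEFAULT = 10   # percent; sites within this are considered equal
SKIP_DEFAULT = 3         # single-shot: sites allowed to exceed their timeout


def average_rtt(samples, max_samples=SAMPLES_DEFAULT):
    """Average the most recent samples in milliseconds; None means the site
    reported nothing (every sample timed out)."""
    recent = [s for s in samples if s is not None][-max_samples:]
    return sum(recent) / len(recent) if recent else None


def within_tolerance(best, rtt, tolerance=TOLERANCE_DEFAULT):
    """True if rtt is within `tolerance` percent of the best measurement."""
    return rtt - best <= best * tolerance / 100.0


class RoundRobin:
    """Tie-breaker: rotates through whichever candidate list it is given."""

    def __init__(self):
        self.counter = 0

    def pick(self, candidates):
        choice = candidates[self.counter % len(candidates)]
        self.counter += 1
        return choice


def select_site(site_samples, rr, tolerance=TOLERANCE_DEFAULT,
                single_shot=False, skip=SKIP_DEFAULT):
    """site_samples: site name -> list of RTT samples (None = timed out).
    Returns (site, reason)."""
    averaged = {site: average_rtt(s) for site, s in site_samples.items()}
    missing = [site for site, rtt in averaged.items() if rtt is None]
    if single_shot and len(missing) > skip:
        # more sites missed their timeout than `skip` allows: the metric is
        # not used at all and round-robin decides among all sites
        return rr.pick(sorted(site_samples)), "active-rtt skipped"
    eligible = {site: rtt for site, rtt in averaged.items() if rtt is not None}
    if not eligible:
        return rr.pick(sorted(site_samples)), "no measurements"
    best = min(eligible.values())
    tied = sorted(site for site, rtt in eligible.items()
                  if within_tolerance(best, rtt, tolerance))
    if len(tied) == 1:
        return tied[0], "fastest active-rtt"
    return rr.pick(tied), "tie within tolerance: round-robin"
```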
Enabling Active RTT
To enable active RTT, use either of the following methods.
The following commands access the configuration level for GSLB policy
gslbp3 and enable the active RTT metric, using single-shot settings:
    AX(config)#gslb policy gslbp3
    AX(config gslb-policy)#active-rtt single-shot
    AX(config gslb-policy)#active-rtt skip 3
In this example, each site AX device will send a single DNS query to the
GSLB domain's local DNS, and wait 3 seconds (the default) for a reply. The
site AX devices will then send their RTT measurements to the GSLB AX
device. However, if more than 3 site AX devices fail to send their RTT
measurements to the GSLB AX device, the AX device will not use the active
RTT metric.
Changing Active RTT Settings for a Site
You can adjust the following Active RTT settings on individual sites:
aging-time Specifies the maximum amount of time a stored active-
RTT result can be used. You can specify 1-60 minutes. The default is 10
minutes.
bind-geoloc Stores the active-RTT measurements on a per geo-loca-
tion basis. Without this option, the measurements are stored on a per
site-SLB device basis.
ignore-count Specifies the ignore count if RTT is out of range. You
128.
limit Specifies the limit. You can specify 1-1023. The default is 1023.
mask Specifies the maximum RTT allowed for the site. If the RTT
measurement for a site exceeds the configured limit, GSLB does not
eliminate the site. Instead, GSLB moves to the next metric in the policy.
You can specify 0-16383 milliseconds (ms). The default is 16383.
range-factor Specifies the maximum percentage a new active-RTT
list, then load the entries from the black/white list into an IP list.
Use this command to configure individual IP list entries.
Passive RTT
Passive RTT measures the round-trip time between when the site AX device receives a client's TCP connection (SYN) and the time when the site AX device receives the acknowledgement (ACK) back from the client for the connection.
Enabling Passive RTT
To enable passive RTT, use either of the following methods.
In the current release, passive RTT settings for a site cannot be changed
using the GUI.
bandwidth limit configured for the site, the site is eligible to be selected
as the best site.
If the SNMP object value has incremented more than the bandwidth
which the requested MIB object can increment, for the site to be eligible
for selection as the best site.
Bandwidth threshold For a site to regain eligibility when bw-cost is
SNMP template configuration is not supported in the GUI. Use the CLI to
configure the template, then use the following GUI procedures.
If the object is part of a table, make sure to append the table index to the
end of the OID. Otherwise, the AX device will return an error.
The following commands apply the SNMP template to a site and set the
bandwidth increment limit and threshold:
AX(config)#gslb site usa
AX(config gslb-site)#template snmp-1
AX(config gslb-site)#bw-cost limit 100000 threshold 90
AX(config gslb-site)#exit
The following commands enable the bw-cost metric in the GSLB policy:
AX(config)#gslb policy pol1
AX(config-gslb policy)#bw-cost
AX(config-gslb policy)#exit
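As an added illustration (not A10's code and not the AX device's implementation), the following Python models the bw-cost eligibility rule described under the site parameters, using the limit and threshold from the CLI example above: a site drops out when the polled SNMP object increments by more than limit between polls, and regains eligibility only once an increment falls below limit times the threshold percentage. The Counter32 wrap handling, the constructed counter samples and the oid_with_index helper are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

COUNTER32_MODULUS = 2 ** 32   # assumption: the polled object is an SNMP Counter32


@dataclass
class BwCostTracker:
    """Per-site state for the bw-cost metric (values from the CLI example: 100000 / 90)."""
    limit: int                 # largest allowed increment between two polls
    threshold_pct: int         # recover only when increment < limit * threshold_pct / 100
    last_value: int | None = None
    eligible: bool = True
    increments: list[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.limit <= 2147483647:
            raise ValueError("limit must be 0-2147483647")
        if not 0 <= self.threshold_pct <= 100:
            raise ValueError("threshold must be 0-100 percent")

    def poll(self, value: int) -> bool:
        """Feed one SNMP sample; return whether the site stays eligible for best-site selection."""
        if self.last_value is None:           # first sample: nothing to compare against yet
            self.last_value = value
            return self.eligible
        increment = (value - self.last_value) % COUNTER32_MODULUS   # modular: survives wrap
        self.last_value = value
        self.increments.append(increment)
        if self.eligible and increment > self.limit:
            self.eligible = False             # over the limit: drop out of selection
        elif not self.eligible and increment < self.limit * self.threshold_pct / 100:
            self.eligible = True              # hysteresis: recover only well below the limit
        return self.eligible


def eligible_sites(trackers: dict[str, BwCostTracker]) -> list[str]:
    """Names of the sites that bw-cost still allows into best-site selection."""
    return sorted(name for name, t in trackers.items() if t.eligible)


def oid_with_index(base_oid: str, index: int | None = None) -> str:
    """Append the table index when the object is a table cell, as the text requires
    (e.g. ifInOctets 1.3.6.1.2.1.2.2.1.10 for interface 3 becomes ...10.3)."""
    return base_oid if index is None else f"{base_oid}.{index}"


if __name__ == "__main__":
    usa = BwCostTracker(limit=100000, threshold_pct=90)
    for sample in (0, 50000, 200000, 295000, 380000):   # constructed counter samples
        print(sample, usa.poll(sample))
    print(eligible_sites({"usa": usa}), oid_with_index("1.3.6.1.2.1.2.2.1.10", 3))
```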
The other commands are the same as those shown in CLI Example
SNMPv2c on page 457.
your deployment:
DNS backup-alias
DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service.
You can load more than one geo-location database. When you load a new
database, if the same IP address or IP address range already exists in a
previously loaded database, the address or range is overwritten by the new
database.
Geo-Location Mappings
A geo-location mapping consists of a geo-location name and an IP address
or IP range.
If you manually map a geo-location to a GSLB site, GSLB uses the mapping.
If no geo-location is configured for a GSLB site, GSLB automatically maps the site AX device to a geo-location.
If more than one geo-location matches a client's IP address, the most specific match is used. For example, if a client is in the same city as a site AX, that site will be preferred. If the client and site are in the same state but in different cities, the site in that state will be preferred.
...
The example above shows the file displayed in a text editor. The same file looks like the example in Figure 131 if displayed in a spreadsheet application. However, when the file is saved to CSV format, the file is essentially as shown above.
FIGURE 131
The database file can contain more types of information (fields) than are required for the GSLB database. When you load the file into the geo-location database, the CSV template on the AX device is used to filter the file to extract the required data. In this example, only the fields shown in bold type will be extracted and placed into the geo-location database:
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"
The IP addresses in this example are in bin4 format. Dotted decimal format
(for example: 69.26.125.0) is also supported. If you use bin4 format, the AX
Dotted Decimal    Hex Number     Combined Hex Number    Decimal (bin4)
69.26.125.0       45.1a.7d.00    451a7d00               1159363840
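The following Python is an added example (not A10's code): it parses geo-location database records of the kind shown above, converts between bin4 and dotted-decimal addresses, keeps the documented overwrite behaviour when a second database is loaded, and resolves a client to the most specific match (city, then state, then country). The column positions, the second CSV record, the narrowest-range lookup and the site geo-location tuples are assumptions.

```python
from __future__ import annotations
import csv
import io
import ipaddress
from dataclasses import dataclass

# Column positions are an assumption taken from the sample record's layout
# (start, end, country code, ..., state code at 7, city at 10); on the AX
# device the CSV template performs this selection.
COL_START, COL_END, COL_COUNTRY, COL_STATE, COL_CITY = 0, 1, 2, 7, 10


def bin4_to_dotted(value: int) -> str:
    """1159363840 -> '69.26.125.0' (bin4 = the address as a 32-bit unsigned integer)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"bin4 value out of range: {value}")
    return str(ipaddress.IPv4Address(value))


def dotted_to_bin4(text: str) -> int:
    """'69.26.125.0' -> 1159363840."""
    return int(ipaddress.IPv4Address(text.strip()))


def parse_address(field: str) -> int:
    """Accept either notation, since both are supported in the database file."""
    field = field.strip()
    return int(field) if field.isdigit() else dotted_to_bin4(field)


@dataclass(frozen=True)
class GeoRange:
    start: int          # bin4, inclusive
    end: int            # bin4, inclusive
    country: str
    state: str
    city: str

    def contains(self, ip: int) -> bool:
        return self.start <= ip <= self.end


def load_geo_csv(csv_text: str, db: dict | None = None) -> dict:
    """Load records keyed by (start, end). Loading a second file into the same
    dict overwrites an identical range, as the text describes for multiple databases."""
    db = {} if db is None else db
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        start, end = parse_address(row[COL_START]), parse_address(row[COL_END])
        if start > end:
            raise ValueError(f"range start after end: {row[COL_START]}-{row[COL_END]}")
        db[(start, end)] = GeoRange(start, end, row[COL_COUNTRY], row[COL_STATE], row[COL_CITY])
    return db


def locate(db: dict, client_ip: str) -> GeoRange | None:
    """Narrowest loaded range containing the client address (None if unmapped)."""
    ip = dotted_to_bin4(client_ip)
    hits = [r for r in db.values() if r.contains(ip)]
    return min(hits, key=lambda r: r.end - r.start) if hits else None


def specificity(client: GeoRange, site_geo: tuple[str, str, str]) -> int:
    """3 = same city, 2 = same state, 1 = same country, 0 = no match."""
    country, state, city = site_geo
    if not country or country != client.country:
        return 0
    if state and state == client.state:
        return 3 if city and city == client.city else 2
    return 1


def preferred_sites(client: GeoRange, sites: dict[str, tuple[str, str, str]]) -> list[str]:
    """Sites tied on the best specificity; an empty list means no site matched geographically."""
    scores = {name: specificity(client, geo) for name, geo in sites.items()}
    best = max(scores.values(), default=0)
    return sorted(n for n, s in scores.items() if s == best and s > 0)


# The first record is the one quoted in the text; the second is constructed.
SAMPLE_CSV = (
    '"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST",'
    '"MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"\n'
    '"69.26.0.0","69.26.255.255","US","UNITED STATES","NA","NORTH AMERICA","EST",'
    '"MA","MASSACHUSETTS","EXAMPLE ISP","BOSTON","SUFFOLK","42.3601","-71.0589"\n'
)

if __name__ == "__main__":
    db = load_geo_csv(SAMPLE_CSV)
    client = locate(db, "69.26.125.10")
    print(bin4_to_dotted(1159363840), client)
    print(preferred_sites(client, {"usa-boston": ("US", "MA", "BOSTON"),
                                   "usa-marlborough": ("US", "MA", "MARLBOROUGH"),
                                   "uk": ("GB", "", "")}))
```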
(For information about the use-mgmt-port option, see Using the Management Interface as the Source for Management Traffic on page 929.)
Loading the CSV File Data into the Geo-Location Database
To load the CSV file, use the following command at the global configuration level of the CLI:
[no] gslb geo-location load file-name
csv-template-name
Use the file name you specified when you imported the CSV file, and the
name of the CSV template to be used for extracting data from the file.
Note: The file-name option is available only if you have already imported a geo-location database file.
To display information about CSV files that have been loaded or are currently being loaded, use the following command:
show gslb geo-location file [file-name]
Manually Configuring Geo-Location Mappings
The following commands initiate loading the data from the CSV file into
the geo-location database, and display the status of the load operation:
AX(config)#gslb geo-location load test1.csv test1-tmplte
AX(config)#show gslb geo-location file
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename       T  Template   Per   Lines  Success  Error
------------------------------------------------------------
test1          T  t1         98%   11     10       0
Configure Services
To configure GSLB services, use either of the following methods.
The health status of the individual virtual servers and service ports at the
site is not marked Down.
The following command displays the gateway health status for GSLB sites:
GSLB-AX(config)#show gslb slb-device
Attrs = Attributes, APF = Administrative Preference
Sesn-Num/Uzn = Number/Utilization of Available Sessions
GW = Gateway Status, IPCnt = Count of Service-IPs
P = GSLB Protocol, L = Local Protocol
Device            IP           Attrs  APF  Sesn-Num  Uzn  GW  IPCnt
--------------------------------------------------------------------
local:self        127.0.0.1           100  0         0%       0
local:self2       127.0.0.1           100  0         0%       0
local:self3       127.0.0.1           100  0         0%       2
remote:site-ax    10.1.1.1            100  0         0%   UP  0
If the same services can be reached through either link, an additional SLB-device configuration is required:
GSLB-AX(config)#gslb site remote-link-both
GSLB-AX(config-gslb site)#slb-dev site-ax-lnkboth 20.1.1.1
Note: Applying a health monitor is required only if you do not plan to use the default health monitors. (See Default Health Monitors on page 473.)
The following commands enable a multi-port health check for the HTTP
service www on service IP gslb-srvc2 in GSLB zone abc.com:
Configure Sites
To configure GSLB sites, use either of the following methods.
Configure a Zone
To configure a GSLB zone, use either of the following methods.
If you are planning to use the Passive RTT metric, select the Passive
RTT checkbox to enable collection of passive RTT data on this site
AX device.
4. Click OK.
GSLB Parameters
Table 12 lists the GSLB parameters.
protocol enable
Supported Values
Controller or device.
Default: Disabled
When you enable the GSLB protocol,
the default status interval is 30 seconds.
Supported Values
Default: The default GSLB policy is
used, unless you configure another
policy and apply it to the zone.
Default: None
Note: You can use lower case characters and upper case characters. However, since Internet domain names are
case-insensitive, the AX device internally converts all upper case characters
in GSLB zone names to lower case.
Supported Values
The following values are supported:
Domain Specifies the query domain. To measure the active round-trip time (RTT) for a client, the site AX device sends queries for the domain name to a client's local DNS. An RTT sample consists of the time between when the site AX device sends a query and when it receives the response.
(Optional)
Supported Values
Default: Not set
DNS logging
(Optional)
ip-list
(Optional)
Note: The current release does not support configuration of this option using the GUI.
Logging of DNS messages.
Default: None
Startup delay
(Optional)
Note: The current release does not support configuration of this option using the GUI.
Delays startup of GSLB following startup of the AX
device.
0-16384 seconds
Default: 0 (no delay)
GSLB protocol
timers
(Optional)
Note: The current release does not support configuration of this option using the GUI.
Changes timers used by the GSLB protocol.
Supported Values
Service-IP Parameters
service-ip status
(Required)
disable | enable
Config > Service > GSLB > Service-IP
Assigns an external IP address to the service IP. The
external IP address allows a service IP that has an
internal IP address to be reached from outside the
internal network.
[no] external-ip ipaddr
Config > Service > GSLB > Service-IP
Enables or disables monitoring for the service IP
address. You can specify any health monitor (Layer
3, 4 or 7).
Alternatively, you can use the follow-port option to
base the health of the service port on the health of
another port. Specify the other port number.
The protocol option enables or disables use of the
GSLB protocol for health checking of the service.
By default, the protocol option is enabled. If the
GSLB protocol is enabled and can reach the service,
health checking is performed over the GSLB protocol. Otherwise, health checking is performed using
standard network traffic instead.
[no] health-check [monitor-name] |
[follow-port portnum] [protocol]
Config > Service > GSLB > Service-IP
Adds a service port to the service IP address. The
command also changes the CLI to the configuration
level for the specified service port, where the following service port-related commands are available:
port num {tcp | udp}
Config > Service > GSLB > Service-IP
Maps an IPv6 address to an IPv4 service IP.
external IP
address
health check
service port
IPv6 mapping
Default: Enabled
Default: None
Supported Values
Site Parameters
active-rtt
(Optional)
[no] active-rtt
aging-time minutes |
bind-geoloc |
ignore-count num |
limit num |
mask {/mask-length | mask-ipaddr} |
range-factor num |
smooth-factor num
Config > Service > GSLB > Site - Options
(Optional)
(cont.)
bw-cost
(Optional)
Supported Values
You can specify 1-1000. The default is
25.
smooth-factor Blends the new measurement with the previous one, to smooth the measurements. You can specify 1-100. The default is 10.
limit Specifies the maximum amount
the SNMP object queried by the GSLB
AX device can increment since the
previous query, in order for the site to
remain eligible for selection as the best
site. You can specify 0-2147483647.
There is no default.
If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the site's limit value must not increment more than limit*threshold-percentage. You can specify 0-100. There is no default.
threshold percentage For a site to regain eligibility when bw-cost is being compared, the SNMP object's incremental value must be below the threshold-percentage of the limit value.
geo-location
(Optional)
Default: None
(Optional)
Supported Values
Default: None
passive-rtt
(Optional)
[no] passive-rtt
aging-time minutes |
bind-geoloc |
limit num |
mask {/mask-length | mask-ipaddr} |
range-factor num |
smooth-factor num
slb-device
(Required)
template
(Optional)
Binds a template to the site. To use the bw-cost metric, use this option to bind a GSLB SNMP template
to the site.
weight
(Optional)
Supported Values
gateway health
check
(Optional)
max-client
(Optional)
passive-rtt-timer
(Optional)
vip-server
(Required)
Valid IP address.
Default: Not set
Enabled or disabled
Default: enabled
1-2147483647
Default: 32768
1-255
Default: 3
The name must be the name of a configured service IP. (To configure the
service IP, use the gslb service-ip
command.)
Default: None
Supported Values
Zone Parameters
dns-mx-record
(Optional)
dns-ns-record
(Optional)
Supported Values
Valid DNS server name and mailbox
name.
Defaults: No SOA record is configured
by default. If you configure one, its
parameters have the following default
values:
Refresh 3600 seconds
Retry 900 seconds
Expire 1209600 seconds
Serial The default is based on the
current system time on the GSLB AX
device when you create the SOA
record.
TTL Value of the zone TTL when
you create the SOA record
policy
Note: The current release does not support configuration of this option using the GUI.
Applies a GSLB policy to the zone.
(Optional)
ttl
(Optional)
Supported Values
The port can be a well-known name
recognized by the CLI, a port number
from 1 to 65535, or * (wildcard matching on any port).
The service-name can be up to 31
alphanumeric characters. (For the
same reason described for zone names,
the AX device converts all upper case
characters in GSLB service names to
lower case.)
Default: None
You can specify from 0 to 1000000
(1,000,000) seconds.
Default: 10 seconds
TTL can be set at different levels of the GSLB configuration; however, only one of the TTL settings is
used. (See DNS Options on page 435.)
ttl seconds [no]
Config > Service > GSLB > Zone
The health check must be assigned to the individual
service. See Service Parameters below.
Service Parameters
action
(Optional)
Supported Values
as-replace This option is used with
the ip-replace option in the policy.
When both options are set (as-replace
here and ip-replace in the policy), the
client receives only the IP address set
here by service-ip. This option is disabled by default.
no-resp Prevents the IP address for
this site from being included in DNS
replies to clients. This option is disabled by default.
static This option is used with the
dns server option in the policy. When
both options are set (static here and
dns server in the policy), the GSLB
AX device acts as the DNS server for
the IP address set here by service-ip.
This option is disabled by default.
ttl Assigns a TTL to the service, 0-2147483647. By default, the TTL of
the zone is used. This option can be
used with the dns server option in the
policy, or with DNS proxy mode
enabled in the policy.
weight Assigns a weight to the service. If the weighted-ip metric is
enabled in the policy and all metrics
before weighted-ip result in a tie, the
service on the site with the highest
weight is selected. The weight can be
1-100. By default, the weight is not
set.
dns-cname-record
(Optional)
Default: None
Default: None
(Optional)
dns-ptr-record
dns-ns-record domain-name
[as-backup]
Config > Service > GSLB > Zone - Click Add on
the Service tab to display the DNS NS Record tab.
Configures a DNS pointer record for the service.
dns-ns-record
(Optional)
gateway health
check
(Optional)
geo-location
(Optional)
dns-ptr-record domain-name
Config > Service > GSLB > Zone - Click Add on
the Service tab to display the DNS PTR Record tab.
Allows GSLB to use a Layer 3 health monitor to
check the health of the service by sending health
checks to the site gateway.
[no] health-check gateway
Note: The current release does not support configuration of this option using the GUI.
Maps an alias to the specified geographic location
for this service.
[no] geo-location location-name
alias url
Config > Service > GSLB > Zone - Click Add in the
Service section to display the Geo-location section.
This CNAME overrides any CNAME globally configured for the zone.
Supported Values
The name is the fully-qualified domain
name of the mail server for the service.
The priority can be 0-65535. There is
no default.
Enabled or disabled
Default: enabled
Supported Values
Each service-ipaddr is a virtual IP
address assigned to the service at this
site.
Generally, each service will have a different virtual IP address for each real
server that provides the service at the
site.
[no] ip-order
{service-name | service-ipaddr}
[service-ipaddr ...]
policy
Config > Service > GSLB > Zone - Click Add in the
Service section to display the DNS Address Record
section.
Applies the specified GSLB policy to the service.
(Optional)
Config > Service > GSLB > Zone - Click Add in the
Service section to display the Service section.
Policy Parameters
Table 13 lists the GSLB policy parameters.
TABLE 13 GSLB Policy Parameters
Parameter
Supported Values
active-rtt
active-servers
admin-preference
[no] admin-preference
Config > Service > GSLB > Policy - Metrics
bw-cost
capacity
Supported Values
The state is one of the following:
Enabled
Disabled This is the default.
geographic
Supported Values
The state is one of the following:
Enabled
Disabled This is the default.
The limit can be from 1 to 999999999
(999,999,999). The default is not set
(unlimited).
The samples can be from 1 to 8. The
default is 5.
The interval can be from 1 to 60 seconds. The default is 5 seconds.
health-check
[no] geographic
Config > Service > GSLB > Policy - Metrics
Service IP addresses that pass their health checks
are preferred over addresses that do not pass their
health checks.
An IP address that fails its health check is not automatically ineligible to be included in the DNS reply
to a client.
[no] health-check
Config > Service > GSLB > Policy - Metrics
Note: This metric requires the GSLB protocol to be
enabled on the site AX devices, if the default health
checks are used on the service IPs. (See Health
Checks on page 432.)
num-session
Supported Values
The state is one of the following:
[no] least-response
Config > Service > GSLB > Policy - Metrics
Enabled
Example:
Site A has 800,000 sessions available and Site B has 600,000 sessions available. The difference between the two sites is 200,000 available sessions. If num-session is set to 10, then Site A is preferred because 200,000 is larger than 10% of 800,000, which is 80,000.
[no] num-session [tolerance num]
Config > Service > GSLB > Policy - Metrics
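As an added example (not A10's code), the following Python works through the tolerance comparisons behind the num-session example above and the active-rtt Tolerance and Multiple Samples settings described earlier, including the skip rule for sites that fail to report an RTT. Taking the tolerance percentage relative to the larger value (as in 10% of 800,000) and the constructed sample values are assumptions.

```python
from __future__ import annotations


def averaged_rtt(samples: list[float], count: int) -> float:
    """Average of the last `count` RTT samples (multi-sample mode, not single-shot)."""
    if not 1 <= count <= 8:
        raise ValueError("samples must be 1-8")
    window = samples[-count:]
    if not window:
        raise ValueError("no RTT samples collected")
    return sum(window) / len(window)


def active_rtt_usable(total_sites: int, reporting_sites: int, skip: int = 3) -> bool:
    """The metric is skipped when more than `skip` site AX devices failed to report."""
    if not 1 <= skip <= 31:
        raise ValueError("skip must be 1-31")
    return total_sites - reporting_sites <= skip


def within_tolerance(a: float, b: float, tolerance_pct: float) -> bool:
    """True when the two values differ by no more than tolerance_pct of the larger value."""
    if not 0 <= tolerance_pct <= 100:
        raise ValueError("tolerance must be 0-100 percent")
    return abs(a - b) <= max(a, b) * tolerance_pct / 100


def prefer_by_num_session(available: dict[str, int], tolerance_pct: float = 10) -> list[str]:
    """Sites tied for the most available sessions; more than one name means a tie."""
    best = max(available.values())
    return sorted(s for s, n in available.items() if within_tolerance(n, best, tolerance_pct))


def prefer_by_active_rtt(rtt_ms: dict[str, float], tolerance_pct: float = 10) -> list[str]:
    """Sites tied for the lowest averaged active RTT (lower is better)."""
    best = min(rtt_ms.values())
    return sorted(s for s, r in rtt_ms.items() if within_tolerance(r, best, tolerance_pct))


if __name__ == "__main__":
    # Constructed values: the num-session figures from the text, plus RTT samples.
    print(prefer_by_num_session({"A": 800000, "B": 600000}, 10))
    east = averaged_rtt([30.0, 10.0, 20.0, 20.0, 20.0], 3)
    print(prefer_by_active_rtt({"east": east, "west": 21.0}, 10))
```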
ordered-ip
The prioritized list is sent to the next metric for further evaluation. If ordered-ip is the last metric, the
prioritized list is sent to the client.
The ordered list of IP addresses must be configured
for the service.
To send only the first (top) IP address in the IP list,
use the top-only option.
[no] ordered-ip [top-only]
Config > Service > GSLB > Policy - Metrics
Supported Values
The state is one of the following:
Enabled
Disabled This is the default.
When you enable the passive-rtt metric, the default number of samples is 5.
The default store-by is slb-device. The
default tolerance is 10 percent.
round-robin
[no] round-robin
Config > Service > GSLB > Policy - Metrics
weighted-ip
Supported Values
The state is one of the following:
Enabled
Disabled This is the default.
weighted-site
Supported Values
You can specify one or more of the following metrics (listed alphabetically):
active-rtt
active-servers
admin-preference
bw-cost
capacity
connection-load
geographic
health-check
least-response
num-session
ordered-ip
passive-rtt
weighted-ip
weighted-site
Default metric order: See GSLB Policy on page 430.
metric-fail-break
Enables GSLB to stop if there are no valid service IPs.
[no] metric-fail-break
Note: In the current release, this option can not be configured using the GUI.
metric-force-check
Forces the GSLB controller to always check all metrics in the policy.
[no] metric-force-check
Config > Service > GSLB > Policy
The state is one of the following:
Enabled
Disabled This is the default.
The state is one of the following:
Enabled
Disabled This is the default.
DNS Parameters
action
addition-mx
backup-alias
best-only
cache
cname-detect
Supported Values
The state is one of the following:
Enabled
Enabled
Disabled This is the default.
Supported Values
The state is one of the following:
Enabled This is the default.
Disabled
geoloc-action
geoloc-alias
geoloc-policy
ip-replace
Supported Values
All options are disabled by default.
logging
Disabled by default
Supported Values
The state is one of the following:
Enabled
Disabled This is the default.
Other defaults:
addition-mx Disabled
authoritative The AX device is a
non-authoritative DNS server for
the zone domain.
mx Disabled
authoritative makes the AX device the authoritative DNS server for the GSLB zone domain, for
the service IPs in which you enable the static
option. If you omit the authoritative option, the
AX device is a non-authoritative DNS server for
the zone domain. The full-list option appends all
A records in the Authoritative section of DNS
replies.
mx Provides the MX record in the Answer section, and the A record for the mail server in the
Additional section, when the device is configured
for DNS server mode.
ns [auto-ns] Provides the NS record.
ptr [auto-ptr] Provides the pointer record.
To place the server option into effect, you also must
enable the static option on the individual service IP.
[no] dns server addition-mx
[no] dns server authoritative
[full-list]
[no] dns server mx
[no] dns server ns [auto-ns]
[no] dns server ptr [auto-ptr]
Config > Service > GSLB > Policy - DNS Options
For more information on this option, see Order in
Which Sticky, Server, Cache, and Proxy Options
Are Used on page 436.
ttl
Supported Values
The state is one of the following:
Enabled
Disabled This is the default.
The default prefix is /32, which causes
the AX device to maintain separate
stickiness information for each local
DNS server. For example, if two clients use DNS 10.10.10.25 as their
local DNS server, and two other clients
use DNS 10.20.20.99 as their local
DNS server, the AX maintains separate stickiness information for each set
of clients, by maintaining separate
stickiness information for each of the
local DNS servers.
The aging time can be 1-65535 minutes. Default: 5 minutes
You can specify from 0 to 1000000
(1,000,000) seconds.
Default: 10 seconds
Geo-location Parameters
geo-location
Configuration Examples
These examples implement the GSLB configuration shown in Figure 130
on page 428. The examples assume that the default GSLB policy is used,
without any changes to the policy settings.
CLI Example
Configuration on the GSLB AX Device (GSLB Controller)
The following commands configure a health monitor for the local DNS
server to be proxied:
AX-Controller(config)#health monitor dns-53
AX-Controller(config-health:monitor)#method dns domain example.com
AX-Controller(config-health:monitor)#exit
The following command loads the IANA file into the geo-location database:
AX-Controller(config)#gslb geo-location load iana
Note: The virtual server IP address must be the same as the GSLB service IP address configured on the GSLB AX device.
The following command enables the GSLB protocol:
GUI Example
Configuration on the GSLB AX Device (GSLB Controller)
Configure a Health Monitor for the DNS Proxy
1. Select Config > Service > Health Monitor.
2. On the menu bar, select Health Monitor.
3. Click Add.
4. Enter a name for the monitor in the Name field.
f. In the GSLB Port section, click Add. The GSLB Port section
appears.
2. Configure the service group:
a. In the Service Group drop-down list, select create to create a service group. (See Figure 132 on page 510.)
The Service Group section appears.
b. Enter the service group information. For this example, enter the following:
Name gslb-proxy-sg-1
Port type UDP
Load-balancing metric (algorithm) Round-Robin
Health Monitor default
c. In the Server section, enter the DNS server's real IP address in the Server field, and enter the DNS port number in the port field.
d. Click Add. The DNS port appears in the list. (See Figure 133 on page 510.)
e. Click OK. The GSLB Port section reappears. In the service drop-down list, the service group you just configured is selected. (See Figure 134 on page 511.)
FIGURE 133 Configure > Service > GSLB > DNS Proxy - service group configuration
FIGURE 134 Configure > Service > GSLB > DNS Proxy - service group selected
FIGURE 135 Configure > Service > GSLB > DNS Proxy - GSLB port configured
FIGURE 136 Configure > Service > GSLB > DNS Proxy - DNS proxy configured
Configure Sites
1. Select Config > Service > GSLB.
2. On the menu bar, select Site.
3. Click Add.
4. Enter the site name.
5. In the SLB-Device section, enter information about the AX devices that
provide SLB for the site:
a. Click Add.
b. Enter a name for the device.
c. Enter the IP address at which the GSLB AX device will be able to
reach the site AX device.
d. To add a service to this SLB device, select it from the drop-down list
in the VIP server section and click Add. Repeat for each service.
For this example, enter the following:
Name AX-A
IP Address 2.1.1.1 (This is the IP address of the site AX device
that provides SLB for the site.)
down list and clicking Add. For this example, add servicevip1
to site usa.
6. In the IP-Server section, add services to the site. Select a service from
the drop-down list and click Add. Repeat for each service.
7. To manually map a geo-location name to the site, enter the geo-location
name in the Geo-location section and click Add.
8. Click OK. The site appears in the Site table.
FIGURE 138 Configure > Service > GSLB > Site - site parameters selected
Configure a Zone
1. Select Config > Service > GSLB.
2. On the menu bar, select Zone.
3. Click Add.
4. Enter the zone name in the Name field.
5. In the Service section, click Add. (See Figure 140 on page 516.)
The service configuration sections appear.
6. In the Service field, enter the service name.
RAM Caching
You can use the AX device as a transparent cache server, along with the device's many other uses.
Overview
The RAM Cache is a high-performance, in-memory Web cache that by
default caches HTTP responses (RFC 2616 compliant). The RAM Cache
can store a variety of static and dynamic content and serve this content
instantly and efficiently to a large number of users.
Caching of HTTP content reduces the number of Web server transactions
and hence the load on the servers. Caching of dynamic content reduces the
latency and the computation cost of generating dynamic pages by application servers and database servers. Caching can also result in significant
reduction in page download time and in bandwidth utilization.
RAM caching is especially useful for high-demand objects on a website, for
static content such as images, and when used in conjunction with compression to store compressed responses, eliminating unnecessary overhead.
was cached before the date and time in the IMS header, the AX device
sends a 304 Not Modified response to the client.
If the requested content is in the cache and is still fresh, and the content
was cached after the date and time in the IMS header, the AX device
sends a 200 OK response, along with the requested page, to the client.
If the requested content is not in the cache, or is in the cache but is stale,
the AX device deletes the IMS header from the request. This forces the
server to send a 200 OK response, which is then immediately cached.
However, for security, support for these headers is disabled by default. These
headers can make the AX device vulnerable to Denial of Service (DoS)
attacks.
To enforce strict RFC compliance, you can enable support for the headers;
weigh that against the DoS exposure before doing so.
Via header indicates the AX software version, in the following format:
AX-CACHE-software-version(major.minor):last-octet-of-VIP address
cached.
A response for a GET request that contains a body is not cached.
A request that contains an Authorization or a Proxy-Authorization
header is not cacheable. These headers carry security-related credentials,
and a response to an authenticated request must not be served from a
shared cache to other clients.
A response for a request that contains an If-Match header or an If-
Image files are an exception. RAM caching can cache images that have
cookies.
Dynamic Caching
You can enhance RAM caching performance with dynamic RAM caching.
Dynamic RAM caching is useful in situations where the response to a client
request can be used multiple times before the response expires. Here are
some examples where dynamic RAM caching is beneficial:
The same response is usable by multiple users within a certain period of
time. In this case, dynamic RAM caching is useful even if the cache
expiration period is very small, if enough users access the response
within that period. For example, dynamic RAM caching is beneficial for
a hierarchical directory that is generated dynamically but presents the
same view to all users that request it.
The response is usable by only a single user but the user accesses it
multiple times. For example, if the response generated in one session can be
used unchanged in a second session.
Host Verification
RAM caching has an optional host verification feature. Host verification
supports multiple name-based virtual hosts. Name-based virtual hosts are
host names that share the same IP address. For example, the real server IP
address 192.168.209.34 could be shared by the following virtual hosts:
www.abc.com
www.xyz.com
The Details menu option displays RAM caching statistics. The Objects
option displays cached entries. The Replacement option shows entry
replacement information.
To Export Web Log Archives
1. Select Monitor > Service > Application.
2. On the menu bar, select RAM Caching > Logs.
The list of log archive files appears.
When support for these headers is enabled, either header causes the AX
device to reload the cached object from the origin server.
[no] age seconds
This command specifies how long a cached object can remain in the AX
RAM cache without being requested. You can specify 1-999999 seconds
(about 11-1/2 days). The default is 3600 seconds (1 hour).
[no] default-policy-nocache
This command changes the default cache policy in the template from cache
to nocache. This option gives you tighter control over content caching.
When you use the default no-cache policy, the only content that is cached is
cacheable content whose URI matches an explicit cache policy.
[no] max-cache-size MB
This command specifies the size of the AX RAM cache.
for the number of seconds configured in the template (set by the age
command). To override the aging period set in the template, specify the
number of seconds with the cache command.
nocache Does not cache the content.
invalidate inv-pattern Invalidates the content that has been cached for
inv-pattern.
If a URI matches the pattern in more than one policy command, the policy
command with the most specific match is used.
Wildcard characters (for example: ? and *) are not supported in RAM
Caching policies. For example, if the string pattern contains *, it is
interpreted literally, as the * character.
The following commands configure the virtual server and bind the RAM
caching template and the service group to virtual HTTP service port 80.
AX(config)#slb virtual-server cached-vip 10.10.10.101
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group cached-group
AX(config-slb virtual server-slb virtua...)#template cache ramcache
The example statistics output lists the following RAM caching counters:
Cache Misses, Memory Used, Bytes Served, Entries Cached, Entries Replaced,
Entries Cleaned, Total Requests, Cacheable Requests, No-cache Requests,
No-cache Responses, IMS Requests, 304 Responses, Revalidation Successes,
and Revalidation Failures.
The Status column indicates the status. In this example, all entries are fresh
(FR). For more information, see the AX Series CLI Reference.
Dynamic Caching Configuration
Here is an example application of dynamic RAM caching. Web site x.y.com
displays a frequently requested list page, and also serves private pages to
individual clients based on additional requests from clients. Clients also can
add or delete content on the list page.
http://x.y.com/list
http://x.y.com/private?user=u1
http://x.y.com/add?a=p1&b=p2
http://x.y.com/del?c=p3
Dynamic RAM caching policies can be used to effectively manage caching
for this site.
The /list URI is visited by many users and therefore should be cached, as
long as the content is current. However, the /private URI contains private
data for a specific user and should not be cached.
The /add and /del URLs modify the content of the list page. When either
type of URI is observed by the AX device, the currently cached content for
the /list URI should be invalidated, so that new requests for the URI are not
served with a stale page.
The following commands implement the dynamic RAM caching configuration described above.
AX(config)#slb template cache ram-cache
AX(config-RAM caching template)#policy uri /list cache 3000
AX(config-RAM caching template)#policy uri /private nocache
AX(config-RAM caching template)#policy uri /add invalidate /list
AX(config-RAM caching template)#policy uri /del invalidate /list
This policy is configured to flush (invalidate) all cached entries that have
/story in the URI. The policy is activated when a request is received with
the URI /flush.
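The caching rules described in this chapter (the If-Modified-Since handling, the rule that requests carrying Authorization or Proxy-Authorization are never cached, the age and default-policy-nocache template settings, the most-specific policy match with literal wildcards, and the x.y.com invalidation example above) can be exercised together in a small model. The following Python is an added example, not A10 code and not the AX implementation. It assumes that a policy's URI string matches by prefix, that the most specific match is the longest prefix, and that time and If-Modified-Since values are plain integer seconds; the RamCache, Policy and run_scenario names and the x.y.com traffic are constructed for illustration.

```python
"""Model of the RAM Caching decisions (added example; not A10 code).
Assumptions: policy URIs match by prefix, longest prefix is most specific,
'*' and '?' are literal, clock and If-Modified-Since are integer seconds."""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_AGE = 3600  # template default from the 'age' command: 1 hour


@dataclass
class Policy:
    uri: str                    # prefix to match (assumption)
    action: str                 # "cache", "nocache" or "invalidate"
    age: Optional[int] = None   # per-policy aging override for "cache"
    inv_pattern: str = ""       # prefix to flush for "invalidate"


@dataclass
class Entry:
    body: str
    cached_at: int
    expires_at: int


@dataclass
class RamCache:
    policies: list = field(default_factory=list)
    default_nocache: bool = False   # default-policy-nocache
    age: int = DEFAULT_AGE          # age seconds
    honour_ims: bool = False        # IMS support is off by default (DoS risk)
    store: dict = field(default_factory=dict)

    def match(self, uri):
        """Longest matching prefix wins; wildcard characters are literal."""
        hits = [p for p in self.policies if uri.startswith(p.uri)]
        return max(hits, key=lambda p: len(p.uri)) if hits else None

    def cacheable_request(self, method, headers, body):
        """GET without a body, and never a request that carries credentials."""
        if method != "GET" or body:
            return False
        return not ("Authorization" in headers or "Proxy-Authorization" in headers)

    def handle(self, now, method, uri, headers, origin, body=""):
        """Return (status, body, headers forwarded to the origin or None)."""
        policy = self.match(uri)
        if policy and policy.action == "invalidate":      # e.g. /add flushes /list
            for key in [k for k in self.store if k.startswith(policy.inv_pattern)]:
                del self.store[key]
        cache_ok = self.cacheable_request(method, headers, body)
        if policy:
            cache_ok = cache_ok and policy.action == "cache"
        else:
            cache_ok = cache_ok and not self.default_nocache

        entry = self.store.get(uri)
        fresh = entry is not None and entry.expires_at > now and cache_ok
        ims = headers.get("If-Modified-Since") if self.honour_ims else None
        if fresh:
            if ims is not None and entry.cached_at <= ims:
                return 304, "", None            # cached before the IMS time
            return 200, entry.body, None        # cached after it: full page

        fwd = dict(headers)
        if self.honour_ims:
            fwd.pop("If-Modified-Since", None)  # force a 200 from the origin
        status, resp_body = origin(method, uri, fwd)
        if cache_ok and status == 200:
            ttl = policy.age if (policy and policy.age) else self.age
            self.store[uri] = Entry(resp_body, now, now + ttl)
        return status, resp_body, fwd


def run_scenario():
    """Walk the x.y.com example with a constructed origin that tags each
    response with a hit counter. Returns ([(status, body), ...], origin_hits)."""
    hits = {"n": 0}

    def origin(method, uri, headers):
        hits["n"] += 1
        return 200, f"{uri}#v{hits['n']}"

    c = RamCache(policies=[
        Policy("/list", "cache", age=3000),
        Policy("/private", "nocache"),
        Policy("/add", "invalidate", inv_pattern="/list"),
        Policy("/del", "invalidate", inv_pattern="/list"),
    ])
    out = [
        c.handle(0, "GET", "/list", {}, origin)[:2],                 # miss, origin #1
        c.handle(10, "GET", "/list", {}, origin)[:2],                # served from RAM
        c.handle(20, "GET", "/private?user=u1", {}, origin)[:2],     # nocache, #2
        c.handle(30, "GET", "/private?user=u1", {}, origin)[:2],     # nocache, #3
        c.handle(40, "GET", "/add?a=p1&b=p2", {}, origin)[:2],       # flushes /list, #4
        c.handle(50, "GET", "/list", {}, origin)[:2],                # miss again, #5
        c.handle(60, "GET", "/list", {"Authorization": "Basic x"}, origin)[:2],  # bypass, #6
    ]
    return out, hits["n"]
```

The seven requests in run_scenario show the chapter's rules in order: the second /list request is served from memory, both /private requests go to the origin, the /add request flushes /list so the next /list is a miss, and the authenticated request bypasses the cache entirely even though a fresh /list entry exists.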
High Availability
This chapter describes High Availability (HA) and how to configure it.
Overview
High Availability (HA) is an AX feature that provides AX-level redundancy
to ensure continuity of service to clients. In HA configurations, AX devices
are deployed in pairs. If one AX device in the HA pair becomes unavailable,
the other AX device takes over.
You can configure either of the following types of HA:
Active-Standby One AX device is the primary SLB device for all vir-
the configured virtual services, and is a hot Standby for the other configured virtual services.
Active-Active is supported only on AX devices that are deployed in route
mode. Active-Standby is supported on AX devices deployed in transparent
mode or route mode.
Layer 3 Active-Standby HA
Figure 142 shows an example of an Active-Standby configuration.
FIGURE 142 Active-Standby HA
device must have an HA ID, which can be 1 or 2. The ID must be different on each AX device. The ID can be used as a tie breaker to select the
Active AX device. (See How the Active AX Device Is Selected on
page 551.)
HA group HA group 1 is configured on each AX device. An AX
Layer 3 Active-Active HA
Figure 143 shows an example of an Active-Active configuration.
FIGURE 143
Active-Active HA
enables the devices to use the HA group priority values to select the
Active and Standby AX device for each VIP. Without HA pre-emption,
the AX selection is based on which of the AX devices comes up first.
Restrictions
Supported for Active-Standby HA deployments only. Not supported for
Active-Active HA.
Inline mode is designed for one HA group in Hot-Standby mode. Do not
ment, the Standby AX does not forward traffic. In addition, the Active
AX in the HA pair is designed to not forward packets destined for the
Standby AX. Depending on the network topology, certain traffic to the
Standby AX might be dropped if it must first pass through the Active
AX.
Preferred HA Port
When you enable inline mode on an AX, the AX uses a preferred HA port
for session synchronization and for management traffic between the AX
devices in the HA pair. For example, if you use the CLI on one AX to ping
the other AX, the ping packets are sent only on the preferred HA port. Likewise, the other AX sends the ping reply only on its preferred HA port.
Management traffic between AX devices includes any of the following
types of traffic:
Telnet
SSH
Ping
Optionally, you can designate the preferred HA port when you enable inline
mode. In Figure 145 on page 540, Ethernet interface 5 on each AX has been
configured as the preferred HA port.
The AX selects the Active AX devices preferred HA port as follows:
1. Is a preferred port specified with the inline configuration, and is the port
up? If so, use the port.
2. If no preferred HA port is specified in the configuration or that port is
down, the first HA interface that comes up on the AX is used as the preferred HA port.
3. If the preferred HA port selected by 1. or 2. above goes down, the HA
interface with the lowest port number is used. If that port also goes
down, the HA interface with the next-lowest port number is used, and so
on.
HA heartbeat messages are not restricted to the preferred HA port. Heartbeat messages are sent out all HA interfaces unless you disable the messages on specific interfaces.
Note: The preferred port must be added as an HA interface and heartbeat messages must be enabled on the interface.
Port Restart
When a transition from Standby to Active occurs because the formerly
Active AX device becomes unavailable, the other devices that are directly
connected to the unavailable AX detect that their links to the AX have gone
down. The devices then flush their cached MAC entries on the down links.
For example, in Figure 145 on page 540, while AX1 is still Active, the
active router (the one on the left) uses the MAC entries it has learned on its
link with AX1 to reach downstream devices. If the link with AX1 goes
down, the router flushes the MAC entries. The router then relearns the
MAC addresses on the link with AX2 when it becomes the Active AX.
This mechanism is applicable when the link with AX1 goes down. However, if the transition from Active to Standby does not involve failure of the
router's link with AX1, the router does not flush its learned MAC entries on
the link. As a result, the router might continue to send traffic for downstream devices through the router's link with AX1. Since AX1 is now the
Standby, it drops the traffic, thereby causing reachability issues.
For example, if you administratively force a failover by changing the HA
configurations of the AX devices and enabling HA pre-emption, the link
between the router and AX1 remains up. In this case, the router continues to
use the MAC addresses it learned through this link.
To ensure that devices connected to the formerly Active AX flush their
learned MAC entries on their links with AX1, you can enable HA port
restart.
HA port restart toggles a specified set of ports on the formerly Active AX
by disabling the ports, waiting for a specified number of milliseconds, then
re-enabling the ports. Toggling the ports causes the links to go down, which
in turn causes the devices on the other ends of the links to flush their learned
MAC entries on the links. The devices then can relearn MACs through links
with the newly Active AX.
Note:
You must omit at least one port connecting the AX devices from the
restart port-list. This is so that heartbeat messages between the AX
devices are maintained; otherwise, flapping might occur.
HA Messages
The AX devices in an HA pair communicate their HA status with the following types of messages:
HA heartbeat messages
Gratuitous ARP requests and replies
HA Heartbeat Messages
Each of the AX devices regularly sends HA heartbeat messages out its HA
interfaces. The Standby AX device listens for the heartbeat messages. If the
Standby AX device stops receiving heartbeat messages from the Active AX
device, the Standby AX device transitions to Active and takes over networking and SLB operations from the other AX device.
By default, heartbeat messages are sent every 200 milliseconds. If the
Standby AX device does not receive a heartbeat message for 1 second
(5 times the heartbeat interval), the Standby AX device transitions to
Active.
The heartbeat interval and retry count are configurable. (See HA Configuration Parameters on page 556.)
Gratuitous ARPs
When an AX transitions from Standby to Active, the newly Active AX
device sends gratuitous ARP requests and replies (ARPs) for the IP addresses
under HA control. Gratuitous ARPs are sent for the following types of
addresses:
Virtual server IP addresses, for the VIPs that are assigned to an HA
group.
Floating IP address, if configured
NAT pool IP addresses, for NAT pools assigned to an HA group
Devices that receive the ARPs learn that the MAC address for the AX HA
pair has moved, and update their forwarding tables accordingly.
The Active AX device sends the gratuitous ARPs immediately upon becoming the Active AX device. To make sure the ARPs are received by the target addresses, the AX device re-sends the ARPs 4 additional times, at 500-millisecond intervals.
After this, the AX device sends gratuitous ARPs every 30 seconds to keep
its IP information current.
The ARP retry count is configurable. (See HA Configuration Parameters
on page 556.)
HA Interfaces
When configuring HA, you specify each of the interfaces that are HA interfaces. An HA interface is an interface that is connected to an upstream
router, a real server, or the other AX device in the HA pair.
HA heartbeat messages can be sent only on HA interfaces. Optionally, you
can disable the messages on individual interfaces. When you configure an
HA interface that is a tagged member of one or more VLANs, you must
specify the VLAN on which to send the heartbeat messages.
Note: If the heartbeat messages from one AX device to the other will pass
through a Layer 2 switch, the switch must be able to pass UDP IP multicast packets.
Changes to the state of an HA interface can trigger a failover. By default,
the HA state of an interface can be Up or Down. Optionally, you can specify
the HA interface type as one of the following:
Server interface A real server can be reached through the interface.
Router interface An upstream router (and ultimately, clients) can be
interface.
If you specify the HA interface type, the HA status of the AX device is
based on the status of the AX link with the real server and/or upstream
router. The HA status can be one of the following:
Up All configured HA router and server interfaces are up.
Partially Up Some HA router or server interfaces are down but at least
The status also is Down if both router interfaces and server interfaces
are not configured and an HA interface goes down.
If both types of interfaces (router interfaces and server interfaces) are configured, the HA interfaces for which a type has not been configured are not
included in the HA interface status determination.
During selection of the active AX, the AX with the highest state becomes
the active AX and all HA interfaces on that AX become active. For exam-
becomes active for that group. If the group priorities on the two AX
devices are also the same, the AX that has the lowest HA ID (1 or 2)
becomes active.
You can configure up to 31 HA groups on an AX, and assign a separate
HA priority to each. For Active-Standby configurations, use only one
group ID. For Active-Active configurations, use multiple group IDs and
assign VIPs to different groups.
Session Synchronization
HA session synchronization sends information about active client sessions
to the Standby AX device. If a failover occurs, the client sessions are maintained without interruption. Session synchronization is optional. Without it,
a failover causes client sessions to be terminated. Session synchronization
can be enabled on individual virtual ports.
Session synchronization applies primarily to Layer 4 sessions. Session synchronization does not apply to DNS sessions. Since these sessions are typically very short lived, there is no benefit to synchronizing them. Likewise,
session synchronization does not apply to static NAT sessions. Synchronization of these sessions is not needed since the newly Active AX device will
create a new flow for the session following failover.
To enable session synchronization, see Enabling Session Synchronization
on page 595.
Session synchronization is required for config sync. Config sync uses the
session synchronization link. (For more information, see Synchronizing Configuration Information on page 598.)
VLAN-based Failover
You can enable HA checking for individual VLANs. When HA checking is
enabled for a VLAN, the active AX device in the HA pair monitors traffic
activity on the VLAN. If there is no traffic on the VLAN for half the duration of a configurable timeout, the AX device attempts to generate traffic by
issuing ping requests to servers if configured, or broadcast ARP requests
through the VLAN.
If the AX device does not receive any traffic on the VLAN before the timeout expires, a failover occurs. The timeout can be 2-600 seconds. You must
specify the timeout. Although there is no default, A10 recommends trying
30 seconds.
This HA checking method provides a passive means to detect network
health, whereas heartbeat messages are an active mechanism. You can use
either or both methods to check VLAN health. If you use both methods on a
VLAN, A10 recommends that you specify an HA checking interval (timeout) that is much longer than the heartbeat interval.
For a configuration example, see VLAN-Based Failover Example on
page 588.
Gateway-based Failover
Gateway-based failover uses ICMP health monitors to check the availability
of the gateways. If any of the active AX device's gateways fails a health
check, the AX device changes its HA status to Down. If the HA status of the
other AX device is higher than Down, a failover occurs.
Likewise, if the gateway becomes available again and all gateways pass
their health checks, the AX device recalculates its HA status according to
the HA interface counts. If the new HA status of the AX device is higher
than the other AX device's HA status, a failover occurs.
Route-based Failover
Route-based failover reduces the HA priority of all HA groups on the AX
device, if a specific route is missing from the IPv4 or IPv6 route table.
You can configure this feature for individual IP routes. When you configure
this feature for a route, you also specify the value to subtract from the HA
priority of all HA groups, if the route is missing from the route table.
You can configure this option for up to 100 IPv4 routes and up to 100 IPv6
routes. This option is valid for all types of IP routes supported in this release
(static, RIP, and OSPF).
If the priority of an HA group falls below the priority for the same group on
the other AX device in an HA pair, a failover can be triggered.
Notes
This feature applies only to routes in the data route table. The feature
individual port, and both health checks are unsuccessful, only the server
weight is subtracted from the HA groups priority.
For failover to occur due to HA priority changes, the HA pre-emption
VIP-based Failover
VIP-based failover allows service for a VIP to be transferred from one AX
device in an HA pair to the other AX device based on HA status changes of
the real servers.
When you configure an HA group ID, you also specify its priority. If HA
pre-emption is enabled, the HA group's priority can be used to determine
which AX device in the HA pair becomes the Active AX for the HA group.
In this case, the AX device that has the higher value for the group's priority
becomes the Active AX device for the group.
If you enable the dynamic HA option on a virtual server, the AX device
reduces the HA priority of the group assigned to the virtual server if a real
server becomes unavailable. (A real server is unavailable if it is marked
Down by the AX device because the server failed its health check.) If the
priority value is reduced to a value that is lower than the group's priority
value on the other AX device in the HA pair, and HA pre-emption is
enabled, service of the virtual server is failed over to the other AX device.
When a real server becomes available again, the weight value that was subtracted from the HA group's priority is re-added. If this results in the priority value being higher than on the other AX device, the virtual server is
failed over again to the AX device with the higher priority value for the
group.
able.
HA pre-emption is enabled, and the configured HA priority is changed
HA Failover
HA Pre-Emption
By default, a failover occurs only in the following cases:
The Standby AX device stops receiving HA heartbeat messages from
causes the Standby AX to have the greater HA priority for the VIP's HA
group. (See VIP-based Failover on page 550.)
By default, failover does not occur due to HA configuration changes to the
HA priority.
To enable the AX devices to failover in response to changes in priority,
enable HA pre-emption. When pre-emption is enabled, the AX device with
the higher HA priority becomes the Active AX device. If the HA priority is
equal on both AX devices, then the AX device with the lower HA ID (1)
becomes the Active AX device.
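The selection rules spread across the HA Interfaces, VIP-based Failover, Gateway-based Failover and HA Pre-Emption sections fit together as one decision: compare HA status first, then (only with pre-emption) the effective group priority after any dynamic weights have been subtracted, then the lower HA ID. The following Python is an added example, not A10 code and not the AX implementation. It assumes every HA interface has been given a router or server type so the Up / Partially Up / Down status follows the counts described in HA Interfaces, models the initial selection without pre-emption by the same priority and HA ID rule, and treats the heartbeat timeout as interval times retry count. The AxDevice and run_scenario names and the sample priorities and weights are constructed for illustration.

```python
"""Model of Active/Standby selection in an AX HA pair (added example;
not A10 code). Names and sample values are constructed."""
from dataclasses import dataclass, field

STATUS_RANK = {"Down": 0, "PartiallyUp": 1, "Up": 2}
HEARTBEAT_INTERVAL_MS = 200   # default heartbeat interval
HEARTBEAT_RETRIES = 5         # default retry count


def heartbeat_timeout_ms(interval_ms=HEARTBEAT_INTERVAL_MS, retries=HEARTBEAT_RETRIES):
    """The Standby declares the Active gone after retries * interval (1 s by default)."""
    return interval_ms * retries


@dataclass
class AxDevice:
    name: str
    ha_id: int                      # 1 or 2, must differ within the pair
    priority: dict                  # configured priority per HA group (1-255)
    router_ifaces: list = field(default_factory=list)   # True = link up
    server_ifaces: list = field(default_factory=list)
    penalties: dict = field(default_factory=dict)       # group -> weight subtracted
    gateway_ok: bool = True         # ICMP health monitor result for the gateways

    def ha_status(self):
        """Up / PartiallyUp / Down from the typed HA interfaces; a failed
        gateway health check forces Down (gateway-based failover)."""
        if not self.gateway_ok:
            return "Down"
        links = self.router_ifaces + self.server_ifaces
        if all(links):
            return "Up"
        return "PartiallyUp" if any(links) else "Down"

    def effective_priority(self, group):
        """Configured priority minus route-based / VIP-based weights, floored at 1."""
        return max(1, self.priority[group] - self.penalties.get(group, 0))

    def subtract(self, group, weight):
        """A real server was marked Down or a watched route disappeared."""
        self.penalties[group] = self.penalties.get(group, 0) + weight

    def restore(self, group, weight):
        """Server or route came back: the weight is re-added."""
        self.penalties[group] = max(0, self.penalties.get(group, 0) - weight)


def select_active(a, b, group, current=None, preempt=False):
    """Return the device that should be Active for `group`.
    1. the higher HA status wins outright;
    2. without pre-emption the incumbent keeps the group (priority changes
       alone never move it);
    3. with pre-emption the higher effective priority wins, and equal
       priorities fall back to the lower HA ID."""
    ra, rb = STATUS_RANK[a.ha_status()], STATUS_RANK[b.ha_status()]
    if ra != rb:
        return a if ra > rb else b
    if not preempt and current is not None:
        return current
    pa, pb = a.effective_priority(group), b.effective_priority(group)
    if pa != pb:
        return a if pa > pb else b
    return a if a.ha_id < b.ha_id else b


def run_scenario():
    """Active-Active pair: group 1 prefers AX1 (200 vs 100). Returns a dict
    mapping each step to the name of the device Active for group 1."""
    ax1 = AxDevice("AX1", 1, {1: 200, 2: 100}, [True, True], [True, True])
    ax2 = AxDevice("AX2", 2, {1: 100, 2: 200}, [True, True], [True, True])
    steps = {}
    steps["boot"] = select_active(ax1, ax2, 1, preempt=True).name
    ax1.subtract(1, 50)          # one real server of VIP1 fails: 150, still > 100
    steps["one_server_down"] = select_active(ax1, ax2, 1, ax1, preempt=True).name
    ax1.subtract(1, 60)          # second failure: 90 < 100, VIP-based failover
    steps["two_servers_down"] = select_active(ax1, ax2, 1, ax1, preempt=True).name
    steps["no_preempt"] = select_active(ax1, ax2, 1, ax1, preempt=False).name
    ax1.restore(1, 110)          # both servers back: 200 again, fails back to AX1
    steps["recovered"] = select_active(ax1, ax2, 1, ax2, preempt=True).name
    ax1.server_ifaces[0] = False  # a server link drops: PartiallyUp loses to Up
    steps["link_down"] = select_active(ax1, ax2, 1, ax1, preempt=False).name
    return steps
```

The no_preempt step is the one worth noticing: the same priority drop that moves the group with pre-emption enabled leaves AX1 Active without it, which is why the chapter says configuration changes to the HA priority do not cause a failover by default, while a link or gateway failure changes the HA status and moves the group in either mode.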
HA Sets
Optionally, you can provide even more redundancy by configuring multiple
sets of HA pairs.
FIGURE 149
Multiple HA Pairs
HA Configuration Parameters
Table 14 lists the HA parameters.
TABLE 14 HA Parameters
Global HA Parameters
HA ID - 1 or 2. Must differ on the two devices in the pair.
HA set ID - See HA Sets on page 555.
HA interfaces - AX Ethernet interfaces. Default: not set.
VLAN-based HA - Valid VLAN ID and a timeout of 2-600 seconds. Default: not set. Although there is no default timeout, A10 recommends trying 30 seconds.
Session synchronization (connection mirroring) - IP address of the other AX device. Default: not set.
HA pre-emption - Enabled or disabled. Default: disabled. CLI: [no] ha preemption-enable
HA heartbeat interval - See HA Heartbeat Messages on page 545.
Heartbeat retry count - 2-255. Default: 5.
Gratuitous ARP retry count - 1-255. Default: 4 additional gratuitous ARPs.
Force group to Standby - Valid HA group ID. If you do not specify a group ID, all Active groups are forced to change from Active to Standby status.
Layer 2/3 forwarding of Layer 4 traffic on the Standby AX device - Enabled or disabled. Default: disabled; Layer 4 traffic is dropped by the Standby AX device.
Inline mode - Enabled or disabled. Default: disabled. Enables Layer 2 inline mode and, optionally, specifies the HA interface to use for session synchronization and for management traffic between the AX devices. When inline mode is enabled, the preferred port is selected as described in Preferred HA Port on page 541. CLI: [no] ha inline-mode [preferred-port port-num]
OSPF on Standby AX device - Enabled or disabled. Default: disabled. CLI: [no] ha l3-inline-mode
HA group ID - 1-31.
HA group priority - 1-255. Default: not set.
Session synchronization on a virtual port (also called connection mirroring) - Enabled or disabled. Default: disabled. This option also requires session synchronization to be enabled globally (see Global HA Parameters above). CLI: [no] ha-conn-mirror. GUI: Config > Service > SLB > Virtual Server - Port
Dynamic server weight (VIP-based failover; two entries in the original table, with identical values) - Weight: 1-255. HA group: 1-31; if no group is specified, the weight applies to all HA groups. Default: not set.
Session synchronization on a virtual firewall or virtual firewall port - Enabled or disabled. Default: disabled. This option also requires session synchronization to be enabled globally (see Global HA Parameters above). CLI: [no] ha-conn-mirror. GUI: Config > Service > Firewall > Firewall Virtual Server (for virtual firewall) or Config > Service > Firewall > Firewall Virtual Server - Port (for virtual firewall port)
HA group - 1-31.
HA Status Indicators
The HA status of an AX device is displayed in the GUI and CLI. The HA
status indicators provide the following information:
Current HA status of the AX device: Active or Standby
Configuration status:
Most recent configuration update The system time and date when
In the GUI
The current HA status is shown as one of the following:
Active
Standby
Not Configured
The GUI does not indicate when the most recent configuration update or
save occurred. This information is available in the CLI. (See below.)
In the CLI
In the CLI, the HA status is shown in the command prompt. For example:
AX-Active#
or
AX-Standby#
AX-Active#show running-config
!Current configuration: 8134 bytes
partition partition-1
!
!Configuration last updated at 08:11:05 IST Mon May 17 2010
!Configuration last saved at 15:16:49 IST Sat May 15 2010
!Configuration last synchronized at 08:15:02 IST Mon May 17 2010
Configuring Layer 3 HA
To configure Layer 3 HA:
1. Configure the following global HA parameters:
HA ID
HA group ID and priority. For an Active-Standby configuration,
configure one group ID. For Active-Active, configure multiple HA
group IDs.
Floating IP address (optional)
Session synchronization (optional)
HA pre-emption (optional)
2. Configure the HA interfaces.
3. Add each virtual server to an HA group.
4. If session synchronization is globally enabled, enable it on the individual virtual ports whose client sessions you want to synchronize.
5. If IP NAT pools are configured, add each pool to an HA group.
The Dynamic Server Weight option is used for VIP-based failover. For
information, see VIP-based Failover on page 550.
5. Configure other general settings, not related to HA, if needed.
6. If you plan to use session synchronization (connection mirroring) for a
service port:
a. In the Port section, click Add to add a new virtual service port or
select an existing port and click Edit. The Virtual Server Port section appears.
b. Select enabled next to HA Connection Mirror.
c. Click OK. The service port list re-appears.
FIGURE 154 HA Configuration of AX2
FIGURE 156
The following command enables session synchronization (connection mirroring). The feature also will need to be enabled on individual virtual ports,
later in the configuration. The IP address is the real address of the other AX
device.
AX1(config)#ha conn-mirror ip 10.10.30.2
The floating IP addresses must be the same as the ones set on AX1.
AX2(config)#floating-ip 10.10.10.1 ha-group 1
AX2(config)#floating-ip 10.10.10.100 ha-group 2
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface no-heartbeat
AX2(config)#ha interface ethernet 4 server-interface no-heartbeat
AX2(config)#ha interface ethernet 5
The HA configuration for virtual servers and virtual ports is identical to the
configuration on AX1.
AX2(config)#slb virtual-server VIP1
AX2(config-slb virtual server)#ha-group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX2(config-slb virtual server-slb virtua...)#exit
AX2(config-slb virtual server)#exit
AX2(config)#slb virtual-server VIP2
AX2(config-slb virtual server)#ha-group 2
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX2(config-slb virtual server-slb virtua...)#exit
AX2(config-slb virtual server)#exit
If source NAT is not configured for the VIP, but real servers send
responses to a gateway IP address other than the AX floating IP address,
CPU processing must be enabled on the AX interfaces connected to the
real servers. This applies to the following AX models: AX 2200,
AX 3100, AX 3200, AX 5100, and AX 5200. On other models, the option
for CPU processing is not valid and is not required.
types affect the AX device's summary link state for HA. (See HA Interfaces on page 546.)
Session synchronization (also called connection mirroring) Existing
The following command enables inline HA mode and specifies the preferred HA port.
AX1(config)#ha inline-mode preferred-port 5
If source NAT is not configured for the VIP, but real servers send
responses to a gateway IP address other than the AX floating IP address,
enter the cpu-process command at the configuration level for each interface connected to the real servers. This requirement applies to the following AX models: AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200.
On other models, the command for CPU processing is not valid and is not
required.
The following command configures the floating IP address for the real servers to use as their default gateway address.
AX1(config)#floating-ip 172.168.10.1 ha-group 1
the Active AX. (On the Active AX, the session synchronization IP
address is the address of the Standby AX.)
AX2(config)#ha id 2
AX2(config)#ha group 1 priority 1
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface
AX2(config)#ha interface ethernet 4 server-interface
AX2(config)#ha interface ethernet 5
AX2(config)#ha inline-mode preferred-port 5
AX2(config)#ha restart-port-list ethernet 1 to 2
AX2(config)#ha preemption-enable
AX2(config)#ha conn-mirror ip 172.168.10.2
AX2(config)#floating-ip 172.168.10.1 ha-group 1
AX2(config)#health monitor myHttp interval 10 retry 2 timeout 3
AX2(config-health:monitor)#method http url HEAD /index.html
AX2(config-health:monitor)#exit
AX2(config)#slb server s1 172.168.10.30
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb server s2 172.168.10.31
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb service-group g80 tcp
AX2(config-slb service group)#member s1:80
AX2(config-slb service group)#member s2:80
AX2(config-slb service group)#exit
The following command specifies the IP address of the other AX, to use for
session synchronization.
AX1(config)#ha conn-mirror ip 172.168.10.3
Commands on AX2
Here are the commands for implementing HA on AX2. Most of the commands are the same as those on AX1, with the following exceptions:
The IP interfaces are different.
The HA ID is 2.
The HA priority is 1.
redistributed routes.)
The distance num option specifies the metric value (cost) of the route.
The lowest possible HA priority value is 1. Deleting 255 sets the HA priority value to 1, regardless of the original priority value.
The following command configures HA route awareness for a dynamic
route to subnet 10.10.10.x with route cost 10. If the IP route table does not
have a dynamic route to this destination with the specified cost, 10 is subtracted from the HA priority value for each HA group.
If the HA Connection Mirror option is not displayed, session synchronization is not supported for this service type.
6. Click OK to redisplay the Port tab.
7. Click OK again.
The following commands access the configuration level for a virtual port
and enable connection mirroring on the port:
OSPF Awareness of HA
The AX device uses HA-aware VIPs, floating IPs, IP NAT pools, and IP
range lists with route redistribution to achieve HA-aware dynamic routing.
However, by default, the OSPF protocol on the AX device is not aware of
the HA state (Active or Standby) of the AX device. Consequently, following
HA failover of an AX device, other OSPF routers might continue forwarding traffic to the Standby AX device (the former Active AX device), instead
of the new Active AX device.
In Layer 3 inline mode, all VLANs on the AX device participate in OSPF
routing by default. (See OSPF Support on Standby AX in Layer 3 Inline
Mode on page 598.)
The additional cost for Standby status is removed only if the HA status for
all HA groups on the device is Active. Otherwise, if the status of any of
the groups is Standby, the additional cost remains in effect for all OSPF
interfaces on the device.
Enabling OSPF Awareness of HA
To enable OSPF awareness of HA, use the following command at the OSPF
configuration level.
[no] ha-standby-extra-cost num
The num option specifies the extra cost to add to the AX device's OSPF
interfaces, if the HA status of one or more of the device's HA groups is
Standby. You can specify 1-65535. If the resulting cost value is more than
65535, the cost is set to 65535.
Enter the command on each of the AX devices in the HA pair.
Running-config, to the other AX device's running-config or startup-config)
Requirements
Session synchronization (connection mirroring) is required for config sync.
Config sync uses the session synchronization link. To enable session synchronization, see Enabling Session Synchronization on page 595.
SSH management access must be enabled on both ends of the link. (See
Securing Admin Access by Ethernet on page 677.)
Table 15

Partition Write   Standby / Active1   Target Config    Reload?
                  Standby             startup-config   Automatic
                  Standby             running-config   Automatic
                  Standby             startup-config   Optional2 (not reloaded by default)
                  Standby             running-config   Automatic
                  Active              startup-config   Not Allowed
                  Active              running-config   Not Allowed
                  Active              startup-config   Not Allowed
                  Active              running-config   Not Allowed

1. Active means the AX device is currently the active device for at least one HA group.
2. If the target AX device is not reloaded, the GUI Save button on the Standby AX device does not blink to indicate unsaved changes. It is recommended to save the configuration if required to keep the running-config before the next reboot.
Performing HA Synchronization
To synchronize the AX devices in an HA configuration, use the CLI commands described below.
7. Click OK.
To synchronize data files and the running-config, use the following command:
ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
In some cases, reload of the other AX device either is automatic or is not
allowed. See Table 15 on page 600.
To help reconvergence occur faster, you can create a real server configuration for each router, and use an ICMP health monitor for checking the health
of the gateways. The health checks keep the ARP entries for the gateway
routers active, which can help to reduce reconvergence time considerably.
In a typical SLB configuration that includes a client-side router and a
server-side router, configure a real server for each router.
To configure health checking of the gateway routers:
1. (Optional) Configure an ICMP health monitor.
For Layer 3 inline deployments, it is recommended to use very short
values (1 second) for the interval and timeout. (For examples of Layer 3
inline HA deployments for TCS, see Transparent Cache Switching on
page 295.)
2. Create an SLB real server configuration for each gateway. If you plan to
use a custom ICMP health monitor (previous step), apply the health
monitor to the server.
Perform these steps on both AX devices in the HA pair.
Note: The AX device also has an HA gateway health checking feature. This feature also uses ICMP health monitors. However, if you use the HA gateway health checking feature, HA failover is triggered if a gateway fails a health check. If you use real server configurations instead, as shown in the following examples, HA failover is not triggered by a failed health check.
To use the default ICMP health monitor instead, the configuration is even
simpler:
AX(config)#slb server gateway-upstream 192.168.10.1
AX(config-real server)#exit
AX(config)#slb server gateway-downstream 10.10.10.1
AX(config-real server)#exit
This chapter does not include information about Large-Scale NAT (LSN).
For LSN information, see Large-Scale Network Address Translation on
page 639.
SLB NAT
AX Series devices can perform source and destination NAT on client-VIP
SLB traffic.
lates the destination IP address from the virtual server IP address (VIP)
to the IP address of the real server.
The AX device reverses the translation before sending the server reply
to the client. The source IP address is translated from the real server's IP
address to the VIP address.
The default SLB NAT behavior does not translate the client's IP address.
servers are in a different subnet than the VIP, source NAT ensures that
reply traffic from a server will pass back through the AX device. (See
Source NAT for Servers in Other Subnets on page 614.)
in all NAT pools. For example, you can configure 1 NAT pool containing 500 NAT addresses, or 100 NAT pools containing 5 addresses each,
and so on.
NAT pools: Maximum of 100 NAT pools supported.
NAT pool groups: Maximum of 50 NAT pool groups supported. Each
Connection Reuse
Connection reuse enables you to reuse TCP connections between the AX
device and real servers for multiple client sessions. When you enable this
feature, the AX device does not tear down a TCP connection with the real
server each time a client ends its session. Instead, the AX device leaves the
TCP connection established, and reuses the connection for the next client
that uses the real server.
To configure a pool group, configure a separate IP pool for each contiguous set of addresses, then use the following command to add the pools
to a pool group:
ip nat pool-group pool-group-name
{pool-name ...}
2. To configure a connection reuse template, enter the following command
at the global configuration level to create the template:
slb template connection-reuse template-name
pool group for all source addresses, use the following command at
the configuration level for the virtual port:
source-nat pool {pool-name | pool-group-name}
To enable policy-based source NAT and use separate pools based on
source IP address, use the following command at the configuration
level for the port. This command binds an ACL to its pool:
access-list acl-num source-nat-pool pool-name
If you do not specify a NAT pool with this command, the ACL is used
only to filter the traffic.
4. To add the connection reuse template to the virtual port, use the following
command at the configuration level for the virtual port:
template connection-reuse template-name
CLI Example
The following commands configure standard ACLs that match on different
client addresses:
AX(config)#access-list 30 permit ip 192.168.1.1
AX(config)#access-list 50 permit ip 192.168.20.69
group to the virtual port. This option is applicable if all the real servers
are in the same subnet.
Use sets of ACL-pool pairs, one for each real server subnet. You must
use this method if the real servers are in multiple subnets. This section
describes how to use this method.
For the real server to be able to send replies back through the AX device,
use an extended ACL. The source IP address must match on the client
address. The destination IP address must match on the real server address.
The action must be permit.
The ACL should not match on the virtual IP address (unless the virtual IP
address is in the same subnet as the real servers, in which case source NAT
is probably not required). Figure 161 on page 615 shows an example.
In this example, a service group has real servers that are located in two different subnets. The VIP is not in either of the subnets. To ensure that reply
traffic from a server will pass back through the AX device, the AX device
uses IP source NAT.
To implement IP source NAT, two pairs of ACL and IP address pool are
bound to the virtual port. Each ACL-pool pair contains the following:
An extended ACL whose source IP address matches on client addresses
CLI Example
The following commands implement the source NAT configuration shown
in Figure 161 on page 615.
First, the ACLs are configured. In each ACL, any is used to match on all
clients. The destination address is the subnet where the real servers are
located.
AX(config)#access-list 100 permit any 10.10.10.0 /24
AX(config)#access-list 110 permit any 10.10.20.0 /24
The following commands configure the IP address pools. Each pool contains addresses in one of the real server subnets.
AX(config)#ip nat pool pool1 10.10.10.100 10.10.10.101 netmask /24
AX(config)#ip nat pool pool2 10.10.20.100 10.10.20.101 netmask /24
The following commands bind the ACLs and IP address pools to a virtual
port on the VIP:
AX(config)#slb virtual-server vip1 192.168.1.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#access-list 100 source-nat-pool pool1
AX(config-slb virtual server-slb virtua...)#access-list 110 source-nat-pool pool2
To configure health checking for DSR, see Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments on page 386.
The current release does not support this feature for FTP or RTSP traffic.
Priority for Source IP NAT Configurations on Individual Virtual
Ports
Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at global configuration
level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP source
NAT is configured using an ACL on the virtual port, and the slb snat-on-vip command is also used, then the pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the
ACL, VIP source NAT can be used instead.
Configuration
To configure IP NAT for VIPs:
1. Configure a pool, range list, or static inside source NAT mapping, that
includes the real IP address(es) of the inside clients.
2. Enable inside NAT on the interface connected to the inside clients.
3. Enable outside NAT on the interface connected to the external VIP servers.
You can enable this feature globally or on individual virtual ports:
To globally configure IP NAT support for VIPs, use the following command
at the global configuration level of the CLI:
[no] snat-on-vip
IP Source NAT
Independently of SLB NAT, you can configure traditional, Layer 3 IP
source NAT. IP source NAT translates internal host addresses into routable
addresses before sending the hosts' traffic to the Internet. When reply traffic
is received, the AX device then retranslates addresses back into internal
addresses before sending the reply to the client.
You can configure dynamic or static IP source NAT:
Dynamic source IP NAT: Internal addresses are dynamically translated into
external addresses.
Configuration Elements for Dynamic NAT
Dynamic NAT uses the following configuration elements:
Access Control List (ACL) to identify the inside host addresses to be
translated
Pool to identify a contiguous range of external addresses into which to
host addresses are translated into external addresses from a pool before
the host traffic is sent to the Internet.
host addresses are translated into external addresses from a static mapping or a range list before the host traffic is sent to the Internet.
Note:
In step 3, the GUI supports binding IPv4 pools to ACLs but not IPv6
pools. To bind an IPv6 pool to an ACL, use the CLI instead.
CLI EXAMPLE
The following commands configure an ACL to specify the internal hosts to
be NATted. In this example, all hosts in the 10.10.10.x subnet are to receive
NAT service for traffic to the Internet.
AX(config)#access-list 1 permit 10.10.10.0 0.0.0.255
The following command enables inside source NAT and associates the ACL
with the pool:
AX(config)#ip nat inside source list 1 pool pool1
The following commands enable inside source NAT on the interface connected to the internal hosts:
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#ip nat inside
CLI EXAMPLE
The following commands enable static NAT, configure an IP address range
named nat-list-1 that maps up to 100 local addresses starting from
10.10.10.97 to Internet addresses starting from 192.168.22.50, set Ethernet
interface 2 as the inside NAT interface, and set Ethernet interface 4 as the
outside NAT interface.
AX(config)#ip nat range-list nat-list-1 10.10.10.97 /16 192.168.22.50 /16 count 100
AX(config)#interface ethernet 2
AX(config-if:ethernet2)#ip nat inside
AX(config-if:ethernet2)#exit
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#ip nat outside
The AX device is deployed between PPTP clients and the VPN server (VPN
Server using PPTP). The AX interface connected to the PPTP clients is
enabled for inside source NAT. The AX interface connected to the VPN
server is enabled for outside source NAT.
Each client runs a PPTP Network Server (PNS). To set up a VPN session,
the PNS sends an Outgoing-Call-Request to the PPTP Access Concentrator
(PAC), which is the VPN server. The destination TCP port is the PPTP port
(1723 by default). The request includes a Call ID that the PNS chooses.
Because multiple clients may share the same NAT address, the AX device
must ensure that clients do not share the same Call ID as well. Therefore,
the AX device assigns to each client a NAT Call ID (analogous to a NAT
source port for TCP) and modifies the Outgoing-Call-Request to use the
NAT Call ID instead.
The PAC replies to the Outgoing-Call-Request with a Call ID of its own.
This is like a TCP destination port. The AX device does not change the
enabled by default.)
In the current release, NAT ALG support for PPTP is not supported with
static NAT or NAT range lists.
Note:
In the current release, NAT ALG support for PPTP can not be disabled or
re-enabled using the GUI.
The ACL must permit IP traffic. The syntax above is for a standard ACL.
If you plan to use an extended ACL instead, make sure to use the ip
option, instead of icmp, tcp, or udp.
To configure the IP address pool, use the following command at the global
configuration level of the CLI:
ip nat pool pool-name start-ipaddr end-ipaddr
netmask {subnet-mask | /mask-length}
[gateway ipaddr] [ha-group-id group-id]
To configure an IP source NAT list, use the following command at the
global configuration level of the CLI:
ip nat inside source list acl-name
pool {pool-name | pool-group-name}
To enable inside source NAT on an interface, use the following command at
the configuration level for the interface:
[no] ip nat inside
To enable outside source NAT on an interface, use the following command
at the configuration level for the interface:
[no] ip nat outside
To enable or disable NAT ALG support for PPTP, use the following command at the global configuration level of the CLI:
ip nat alg pptp {enable | disable}
The feature is enabled by default. The default protocol port number is 1723
and can not be changed.
The following commands specify the inside NAT interface and the outside
NAT interface.
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip address 10.2.2.254 255.255.255.0
AX(config-if:ethernet1)#ip nat inside
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#ip address 10.3.3.254 255.255.255.0
AX(config-if:ethernet2)#ip nat outside
Prot  Forward Source   Forward Dest     Reverse Source   Reverse Dest         Age  Hash
----------------------------------------------------------------------------------------
Gre   10.1.1.1:49152   10.3.3.2:32799   10.3.3.2:32799   192.168.1.100:2109   240  1
Tcp   10.1.1.1:2301    10.3.3.2:1723    10.3.3.2:1723    192.168.1.100:2109   240  2
This example shows the GRE session and the TCP session over which the
GRE session is transported. For the GRE session, the number following
each IP address is the PPTP Call ID. For the TCP session, the number is the
TCP protocol port.
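The Call ID translation described above, as an added Python model of a PPTP NAT ALG (constructed for illustration, not AX code): it parses the RFC 2637 Outgoing-Call-Request, replaces the client's Call ID with a NAT Call ID that is unique per NAT address, and maps the NAT Call ID carried in GRE packets arriving from the PAC back to the client. The NAT address, client addresses and starting NAT Call ID are assumptions.

```python
"""Model of a PPTP NAT ALG: NAT Call ID assignment on the control channel and
reverse translation of the Call ID in GRE data packets (constructed example)."""
import struct
from typing import Dict, Optional, Tuple

PPTP_MAGIC = 0x1A2B3C4D
PPTP_CONTROL_MSG = 1         # PPTP Message Type: control message
OCRQ = 7                     # Control Message Type: Outgoing-Call-Request
OCRQ_FMT = "!HHIHHHHIIIIHHHH64s64s"  # RFC 2637 layout, 168 bytes
CALL_ID_OFF = 12             # Call ID sits after Length, Type, Cookie, CtrlType, Reserved0
GRE_PROTO_PPP = 0x880B       # enhanced GRE carrying PPP (RFC 2637)
GRE_CALL_ID_OFF = 6          # GRE: flags(2) proto(2) payload length(2) call id(2)


def build_ocrq(call_id: int, serial: int = 1) -> bytes:
    """Construct an Outgoing-Call-Request with the given PNS Call ID (sample input)."""
    return struct.pack(OCRQ_FMT, 168, PPTP_CONTROL_MSG, PPTP_MAGIC, OCRQ, 0,
                       call_id, serial, 300, 100_000_000, 3, 3, 64, 0, 0, 0, b"", b"")


def ocrq_call_id(pkt: bytes) -> Optional[int]:
    """Return the Call ID if pkt is a well-formed Outgoing-Call-Request, else None."""
    if len(pkt) < 168:
        return None
    _length, mtype, magic, ctype = struct.unpack_from("!HHIH", pkt, 0)
    if magic != PPTP_MAGIC or mtype != PPTP_CONTROL_MSG or ctype != OCRQ:
        return None
    return struct.unpack_from("!H", pkt, CALL_ID_OFF)[0]


def build_gre(call_id: int, payload: bytes = b"") -> bytes:
    """Construct a PAC->PNS enhanced-GRE header (K and S bits set) with the peer Call ID."""
    return struct.pack("!HHHH", 0x3001, GRE_PROTO_PPP, len(payload), call_id) + payload


class PptpAlg:
    """Per-NAT-address table of NAT Call ID -> (client ip, client Call ID)."""

    def __init__(self, nat_ip: str, first_call_id: int = 2000):
        self.nat_ip = nat_ip
        self.next_id = first_call_id
        self.table: Dict[int, Tuple[str, int]] = {}
        self.reverse: Dict[Tuple[str, int], int] = {}

    def _alloc(self) -> int:
        # Like a NAT source port: pick an unused, non-zero 16-bit value.
        while self.next_id in self.table or self.next_id == 0:
            self.next_id = (self.next_id + 1) & 0xFFFF
        cid = self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFF
        return cid

    def outbound_control(self, client_ip: str, pkt: bytes) -> bytes:
        """Rewrite the PNS Call ID in an Outgoing-Call-Request to the NAT Call ID."""
        cid = ocrq_call_id(pkt)
        if cid is None:
            return pkt  # not an Outgoing-Call-Request: forwarded unchanged
        key = (client_ip, cid)
        if key not in self.reverse:
            nat_cid = self._alloc()
            self.table[nat_cid] = key
            self.reverse[key] = nat_cid
        nat_cid = self.reverse[key]
        return pkt[:CALL_ID_OFF] + struct.pack("!H", nat_cid) + pkt[CALL_ID_OFF + 2:]

    def inbound_gre(self, pkt: bytes) -> Optional[Tuple[str, bytes]]:
        """GRE from the PAC carries the NAT Call ID; return (client ip, packet with the
        client's own Call ID restored), or None if there is no matching session."""
        if len(pkt) < 8:
            return None
        _flags, proto, _plen, nat_cid = struct.unpack_from("!HHHH", pkt, 0)
        if proto != GRE_PROTO_PPP or nat_cid not in self.table:
            return None
        client_ip, cid = self.table[nat_cid]
        fixed = pkt[:GRE_CALL_ID_OFF] + struct.pack("!H", cid) + pkt[GRE_CALL_ID_OFF + 2:]
        return client_ip, fixed
```

Two clients behind the same NAT address that both choose Call ID 49152 end up with distinct NAT Call IDs, which is what keeps their GRE sessions apart in the session table.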
TCP   UDP   ICMP
------------------------
60    300   300   fast
external DNS server, must pass through the IP NAT outside interface.
If an ACL is configured on the interface that will receive the DNS
responses (the IP NAT outside interface), the ACL must include a permit rule that allows traffic from the DNS server. Otherwise, the traffic
will be denied by the implicit (non-visible) deny any any rule at the end
of the ACL.
172.168.101.4 255.255.255.0
IP Gateway address: 172.168.101.251
Not configured

Pool Name   Start Address   End Address     Mask   Gateway          HA Group
----------------------------------------------------------------------------
Pool-A      173.168.10.20   173.168.10.25   /24    173.168.10.250   0
In this configuration, the AX device will initiate health checks using the last
IP address in the pool as the source IP address. In this example, the AX
device will use IP address 173.168.10.25. In addition, the AX device will
only respond to control traffic directed to 173.168.10.25 from the
173.168.10.0/24 subnet.
IP NAT in HA Configurations
If you are using IP source NAT or full NAT in an HA configuration, make
sure to add the NAT pool or range list to an HA group. Doing so allows a
newly Active AX device to properly continue management of NAT
resources following a failover.
Overview
LSN provides robust NAT support for network carriers (also called Internet Service Providers or ISPs). Carriers can use LSN to provide NAT
service for multiple enterprises and residential clients. Figure 167 shows an
example of a carrier using LSN to provide NAT to residential clients.
Large-Scale NAT
After LSN creates an IP address mapping for a client, LSN uses the same
mapping for all traffic between the client and any external IP address. For
example, if client 5.5.5.1 opens multiple HTTP sessions and an email session, LSN uses the same external IP address for the client for all the sessions, as shown in Figure 168.
observes the FIN messages exchanged by the two end points of the session. If the AX device does not observe the FIN exchange but the session is idle, the mapping is removed when the session ages out.
For a UDP session, the data session is removed when the session ages
out.
For an ICMP session, the data session ends when the ICMP reply is
onds.
udp-timeout Configurable to 60-1500 seconds. The default is 300
seconds.
icmp-timeout Configurable to 60-1500 seconds, or fast. The fast
option uses the SLB maximum session life (MSL), which is 2 seconds
by default. The default is fast.
Optionally, static mappings can be configured. A static mapping never ages
out.
NAT Mapping Removal and Full-Cone Behavior
When a NAT data session is removed, removal of the NAT mapping used by
the data session depends on whether full-cone behavior is present:
If full-cone behavior is not present, the NAT mapping is removed when
all the data sessions that use the mapping are removed. For example, if a
client uses source port 50000 to connect to two different destinations,
the same NAT mapping is used for both data sessions. (This is endpoint-independent mapping.) The NAT mapping is not removed until the data
sessions with both destinations have been removed.
LSN maintains the NAT mapping for a full-cone session for a period of
time, the STUN timeout, after the last data session ends. The STUN timeout
is 2 minutes by default and is configurable. (See STUN Timeout on
page 659.)
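To make the removal rules concrete, here is an added Python model of an LSN mapper (constructed for this guide, not AX code): it keeps one endpoint-independent mapping per inside ip:port, assigns a sticky NAT IP per inside user, removes an idle mapping immediately when full-cone behavior is off or holds it for the STUN timeout when it is on, and enforces a per-user NAT port quota. The pool addresses, port range, timeout values and quota are assumptions.

```python
"""Model of LSN NAT mapping lifetime: endpoint-independent mapping, sticky NAT IP,
full-cone STUN hold time and per-user port quota (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Mapping:
    ext: Endpoint                                   # NAT ip:port handed out
    sessions: Set[Endpoint] = field(default_factory=set)  # live destinations
    expires_at: Optional[float] = None              # STUN hold deadline (full-cone, idle)


class LsnMapper:
    def __init__(self, pool: List[str], port_lo: int = 1024, port_hi: int = 65535,
                 full_cone: bool = False, stun_timeout: float = 120,
                 quota: Optional[int] = None):
        self.pool = list(pool)
        self.ports = range(port_lo, port_hi + 1)
        self.full_cone = full_cone
        self.stun_timeout = stun_timeout
        self.quota = quota                           # max NAT ports per inside IP
        self.maps: Dict[Endpoint, Mapping] = {}      # inside ip:port -> Mapping
        self.sticky: Dict[str, str] = {}             # inside ip -> NAT ip
        self.used: Dict[str, Set[int]] = {ip: set() for ip in self.pool}

    def _nat_ip_for(self, inside_ip: str) -> str:
        # Sticky NAT: choose a pool address once, reuse it while the user has mappings.
        if inside_ip not in self.sticky:
            self.sticky[inside_ip] = min(self.pool, key=lambda ip: len(self.used[ip]))
        return self.sticky[inside_ip]

    def _alloc_port(self, nat_ip: str) -> Optional[int]:
        for p in self.ports:
            if p not in self.used[nat_ip]:
                self.used[nat_ip].add(p)
                return p
        return None

    def open_session(self, inside: Endpoint, dst: Endpoint, now: float) -> Optional[Endpoint]:
        """Return the NAT ip:port for this inside endpoint; None if quota or pool exhausted."""
        self.expire(now)
        m = self.maps.get(inside)
        if m is None:
            live_ports = sum(1 for k in self.maps if k[0] == inside[0])
            if self.quota is not None and live_ports >= self.quota:
                return None                          # user quota exceeded
            nat_ip = self._nat_ip_for(inside[0])
            port = self._alloc_port(nat_ip)
            if port is None:
                return None
            m = self.maps[inside] = Mapping((nat_ip, port))
        m.sessions.add(dst)                          # same mapping for every destination
        m.expires_at = None                          # active again: cancel STUN hold
        return m.ext

    def close_session(self, inside: Endpoint, dst: Endpoint, now: float) -> None:
        m = self.maps.get(inside)
        if m is None:
            return
        m.sessions.discard(dst)
        if m.sessions:
            return                                   # other destinations still use it
        if self.full_cone:
            m.expires_at = now + self.stun_timeout   # keep mapping for STUN timeout
        else:
            self._free(inside)                       # last data session gone: remove now

    def _free(self, inside: Endpoint) -> None:
        m = self.maps.pop(inside)
        self.used[m.ext[0]].discard(m.ext[1])
        if not any(k[0] == inside[0] for k in self.maps):
            self.sticky.pop(inside[0], None)         # all sessions cleared: NAT IP may change

    def expire(self, now: float) -> None:
        for inside, m in list(self.maps.items()):
            if m.expires_at is not None and now >= m.expires_at:
                self._free(inside)

    def inbound_target(self, ext: Endpoint, src: Endpoint, now: float) -> Optional[Endpoint]:
        """Inside endpoint that inbound traffic to ext is forwarded to. With full-cone
        behavior any source is accepted; otherwise only a destination the client used."""
        self.expire(now)
        for inside, m in self.maps.items():
            if m.ext == ext and (self.full_cone or src in m.sessions):
                return inside
        return None
```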
LSN works for both client-server (traditional) and client-client (P2P)
applications.
The benefits LSN provides that traditional NAT can not provide are
described in this section and in more detail in Benefits of LSN on
page 645.
Traditional NAT works for client-to-server applications, wherein a client
opens a connection to a server and requests data, and the server responds
back to the client. However, traditional NAT is often inadequate for contemporary applications such as peer-to-peer (P2P) file-sharing, instant messengers (IM), and Voice-over-IP (VoIP).
To provide NAT for these types of applications, LSN is required. Figure 169
shows an example of P2P file sharing among LSN clients and other devices.
Benefits of LSN
LSN provides the following benefits not provided by traditional NAT:
Sticky NAT
Application transparency through full-cone NAT to support peer-to-peer
(P2P) applications
Hairpinning support
Configurable user quotas to ensure fair allocation of NAT mappings
Static port reservation
Sticky NAT
Once an internal user uses a NAT IP, the user always uses the same NAT IP
for future connections. If all user sessions are cleared, then a different NAT
IP may be assigned.
Some applications that open multiple sessions to the same or multiple servers often do not work well without sticky NAT.
Full-Cone NAT
Traditional NAT works well for client-to-server applications, wherein a client opens a connection to a server and requests data, and the server responds
back to the client. However, traditional NAT is inadequate to support client-to-client applications, such as the following:
Peer-to-peer (P2P) file-sharing applications
Instant messengers (IM)
Voice-over-IP (VoIP)
To overcome the shortcomings of traditional NAT, LSN implements full-cone NAT. Full-cone NAT, also known as one-to-one NAT, has two specific
behaviors:
Endpoint-Independent Mapping (See Figure 168 on page 641.) After
traffic from any source to a given mapped client, LSN always allows the
traffic to be forwarded to the internal client regardless of the endpoint.
These techniques provide consistent NAT mapping behavior, enabling client-to-client applications such as P2P, client-to-server applications, and
NAT traversal techniques such as STUN, to work correctly.
Hairpinning
Hairpinning allows inside clients to communicate with one another using
their outside addresses. This feature is useful for applications that require
global addresses. Figure 170 shows an example.
User Quotas
LSN user quotas limit the number of NAT port mappings allowed for individual internal IP addresses. For example, you can limit each inside IP
address to a maximum of 100 TCP NAT ports. Once a client reaches the
quota, the client is not allowed to open additional TCP sessions.
You can configure separate quotas for each of the following protocols, on a
global or individual LSN Limit-ID (LID) basis:
LSN Logging
The AX device generates logs for LSN operational events and for LSN traffic.
Severity   Event                                          Message String
---------  ---------------------------------------------  ------------------------------------------------------------------
Warning    User-quota creation failure                    LSN: User-quota creation failed (out of memory) for pool...
           Full-cone session creation failure             LSN: Full-cone session creation failed (out-of-memory) for pool...
Notice     New inside user unable to get NAT IP           LSN: New user could not get a NAT IP on pool..
           Current inside user on NAT IP can not get new  LSN: NAT port usage exceeded on pool...
           NAT port
           User quota exceeded
This log indicates that a current NAT IP user with an external IP address
from pool2 could not get a new NAT port session, because no ports were
available. The log indicates 4146 occurrences of the same event.
LSN events are logged to the AX device's local log buffer based on the log
settings for the system.
NAT port mapping logs, to indicate creation or freeing of NAT port sessions
Note: In this message and the other port mapping creation messages, the destination
(to dest_ip:dest_port) is not included in the message by default. You can enable
the destination to be included when you configure LSN external logging.
LSN port mapping created for TCP
LSN port mapping created for UDP
LSN port mapping for ICMP freed
LSN port mapping for TCP freed
LSN port mapping for UDP freed
The following logs indicate the creation and freeing of a port mapping for
UDP.
AX5200 NAT-UDP-C: 10.10.10.100:63226 -> 172.7.7.25:6226 to 172.7.7.100:5300
AX5200 NAT-UDP-F: 10.10.10.100:63226 -> 172.7.7.25:6226
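The main defensive use of these port-mapping logs is attribution: given an abuse report naming a NAT address and port at a certain time, find the inside host that held that mapping. The following Python example is added here and is not from the guide; it parses the create (NAT-<proto>-C) and free (NAT-<proto>-F) lines in the format shown above, pairs each create with its later free, and answers that question. The leading ISO timestamp, the NAT-TCP-C line and the sample records are constructed for the example (the guide shows the UDP lines without a timestamp); the regular expression accepts lines with or without the optional destination.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Matches the NAT-<proto>-C (mapping created) and NAT-<proto>-F (mapping freed)
# messages. The trailing "to dst_ip:dst_port" is optional because the guide says
# the destination is only included when that option is enabled for external
# logging. A leading ISO timestamp is assumed (the guide shows the lines bare).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+NAT-(?P<proto>TCP|UDP|ICMP)-(?P<op>[CF]):\s+"
    r"(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+->\s+(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)"
    r"(?:\s+to\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+))?\s*$"
)


@dataclass
class MappingEvent:
    ts: datetime
    proto: str
    op: str               # "C" created, "F" freed
    inside: str           # inside_ip:port
    nat_ip: str
    nat_port: int
    dest: Optional[str]   # dst_ip:port when logged, otherwise None


def parse_line(line: str) -> Optional[MappingEvent]:
    """Parse one port-mapping log line; None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    dest = f"{m['dst_ip']}:{m['dst_port']}" if m["dst_ip"] else None
    return MappingEvent(datetime.fromisoformat(m["ts"]), m["proto"], m["op"],
                        f"{m['in_ip']}:{m['in_port']}", m["nat_ip"],
                        int(m["nat_port"]), dest)


@dataclass
class Mapping:
    inside: str
    start: datetime
    end: Optional[datetime]   # None while the mapping is still allocated


Key = Tuple[str, str, int]    # (proto, nat_ip, nat_port)


def build_timeline(lines: List[str]) -> Dict[Key, List[Mapping]]:
    """Pair every 'created' event with its later 'freed' event."""
    timeline: Dict[Key, List[Mapping]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # not a port-mapping message
        entries = timeline.setdefault((ev.proto, ev.nat_ip, ev.nat_port), [])
        if ev.op == "C":
            entries.append(Mapping(ev.inside, ev.ts, None))
        else:
            for mp in reversed(entries):  # close the matching open mapping
                if mp.inside == ev.inside and mp.end is None:
                    mp.end = ev.ts
                    break
    return timeline


def who_used(timeline: Dict[Key, List[Mapping]], proto: str, nat_ip: str,
             nat_port: int, when: str) -> Optional[str]:
    """Which inside ip:port held this NAT ip:port at the given time, if any."""
    t = datetime.fromisoformat(when)
    for mp in timeline.get((proto, nat_ip, nat_port), []):
        if mp.start <= t and (mp.end is None or t < mp.end):
            return mp.inside
    return None


# Constructed sample based on the two UDP lines above; the TCP line, the
# timestamps and the unrelated line are assumed for illustration.
SAMPLE_LOG = [
    "2010-06-21T10:00:00 AX5200 NAT-UDP-C: 10.10.10.100:63226 -> 172.7.7.25:6226 to 172.7.7.100:5300",
    "2010-06-21T10:00:05 AX5200 NAT-TCP-C: 10.10.10.101:41022 -> 172.7.7.25:6226 to 172.7.7.200:80",
    "2010-06-21T10:02:00 AX5200 NAT-UDP-F: 10.10.10.100:63226 -> 172.7.7.25:6226",
    "2010-06-21T10:02:30 AX5200 NAT-UDP-C: 10.10.10.102:50000 -> 172.7.7.25:6226 to 172.7.7.100:5300",
    "2010-06-21T10:02:31 AX5200 some unrelated message",
]
TIMELINE = build_timeline(SAMPLE_LOG)

if __name__ == "__main__":
    print(who_used(TIMELINE, "UDP", "172.7.7.25", 6226, "2010-06-21T10:01:00"))
```

Because the same NAT port is reused by different inside hosts over time, the answer depends on the protocol and the instant asked about; a query that falls between a free and the next create correctly returns nothing. Clock accuracy on the AX device and on the collector is what makes the interval lookup trustworthy.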
Remote Logging
LSN traffic logs can be sent only to external log servers. LSN traffic logs
are not sent to the AX device's local log buffer.
You can use a group of external log servers. The AX device uses a hash
value based on the client IP address to select an external log server, and
always sends logs for that client to the same server. (For configuration information, see Configuring External Logging for LSN Traffic Logs on
page 660.)
External LSN logging applies only to LSN traffic logs, not to LSN operational event logs.
                       Current      Default      Minimum      Maximum
-----------------------------------------------------------------------
l4-session-count       33554432     33554432     8388608      134217728
nat-pool-addr-count    10000        2000         500          10000
real-server-count      1024         1024         512          16384
real-port-count        2048         2048         512          32768
...
The Current column shows the maximum number of LSN pool addresses
currently allowed on the system. The default column shows the default
maximum allowed. In this example, the maximum has been increased by an
administrator, to the highest allowed amount, 10000.
To change the maximum number of LSN pool addresses allowed on the system, use the following command at the global configuration level of the
CLI:
[no] system resource-usage nat-pool-addr-count maximum
The maximum value can be any value in the range between the values in the
Minimum and Maximum columns in the show system resource-usage output.
To place a system resource change into effect, you must reload or reboot
the AX device. If you change the maximum number of Layer 4 sessions
(l4-session-count), a reboot is required.
An inside user creates 5 non-port-80 sessions followed by 10 port-80 sessions. In this case:
The first 5 port-80 sessions that finish will always decrement the
The CLI commands for performing these configuration steps are described
below.
For information about additional options, see the following sections:
Configuring Static Mappings on page 659
Configuring Full-Cone Support on page 659
Configuring External Logging for LSN Traffic Logs on page 660
Configure a LID
Use the following commands:
[no] lsn-lid num
Enter this command at the global configuration level of the CLI. The num
specifies the LID number and can be 1-31, for a maximum of 31 LIDs. This
command changes the CLI to the configuration level for the LID, where the
following LID-related commands are available:
The AX device discards the comment string when you save the class list.
Example Class Lists
Here is an example of a class list for inside subnet 5.5.5.x/24 using LID 2.
Optional Configuration
The following sections describe additional configuration options.
ports used
least-tcp-used-strict       Selects the address with the fewest TCP NAT ports used
least-reserved-strict       Selects the address with the fewest NAT ports reserved
least-reserved-tcp-strict   Selects the address with the fewest TCP NAT ports reserved
least-users                 Selects the address with the fewest users
The last command is required before removing a pool from a pool group.
Configuration Example
The commands in this section implement the LSN configuration shown in
Figure 167 on page 640.
The following command configures an LSN NAT pool:
AX(config)#ip nat pool LSN_POOL1 192.168.1.1 192.168.1.254 netmask /24 lsn
The following commands configure an LSN LID. The LID is bound to pool
LSN_POOL1. Per-user quotas are configured for TCP, UDP, and ICMP.
For UDP, this class of users will reserve only 100 UDP ports instead of 300.
An extended quota of sessions per client is allocated for TCP port 25
(SMTP).
AX(config)#lsn-lid 5
AX(config-lsn lid)#source-nat-pool LSN_POOL1
AX(config-lsn lid)#user-quota tcp 100
AX(config-lsn lid)#user-quota udp 300 reserve 100
AX(config-lsn lid)#user-quota icmp 10
AX(config-lsn lid)#extended-user-quota tcp port 25 sessions 3
AX(config-lsn lid)#end
The following commands configure a class list to bind the internal subnet to
the LID:
AX(config)#class-list list1
AX(config-class list)#5.5.5.0 /24 lsn-lid 5
AX(config-class list)#end
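To see how the quotas in this example interact, the following Python model is added here; it is not A10 code and the guide does not describe the device's internal accounting. The model assumes: a per-user, per-protocol session count checked against the LID quota; a "reserve" of ports taken from the NAT IP's free ports when a user first appears, so that those ports are guaranteed to that user; and an extended quota that lets a user open a few more sessions to one destination port (TCP 25 here) after the base quota is exhausted. The pool size per protocol and the verdict strings are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Quota:
    limit: int         # "user-quota <proto> <limit>"
    reserve: int = 0   # "... reserve <n>": ports set aside for the user up front


@dataclass
class Lid:
    quotas: Dict[str, Quota]
    # (proto, dst_port) -> extra sessions, from "extended-user-quota ..."
    extended: Dict[Tuple[str, int], int] = field(default_factory=dict)


@dataclass
class UserState:
    used: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    ext_used: Dict[Tuple[str, int], int] = field(default_factory=lambda: defaultdict(int))
    reserved: Dict[str, int] = field(default_factory=lambda: defaultdict(int))


class LsnQuotaModel:
    """Assumed model of quota enforcement (illustration, not the AX algorithm)."""

    def __init__(self, lid: Lid, ports_per_proto: int):
        self.lid = lid
        # Free ports on the NAT IP, per protocol (constructed pool size).
        self.free: Dict[str, int] = defaultdict(lambda: ports_per_proto)
        self.users: Dict[str, UserState] = {}

    def _admit_user(self, ip: str) -> Optional[UserState]:
        if ip in self.users:
            return self.users[ip]
        # All reserves must fit, otherwise the user is not created at all.
        if any(q.reserve > self.free[p] for p, q in self.lid.quotas.items()):
            return None
        st = UserState()
        for proto, q in self.lid.quotas.items():
            self.free[proto] -= q.reserve
            st.reserved[proto] = q.reserve
        self.users[ip] = st
        return st

    def open_session(self, ip: str, proto: str, dst_port: int) -> str:
        """Verdict for one new session: ok, quota-exceeded, pool-exhausted, reserve-failed."""
        st = self._admit_user(ip)
        if st is None:
            return "reserve-failed"
        q = self.lid.quotas[proto]
        use_extended = False
        if st.used[proto] >= q.limit:
            cap = self.lid.extended.get((proto, dst_port), 0)
            if st.ext_used[(proto, dst_port)] >= cap:
                return "quota-exceeded"
            use_extended = True
        # Ports beyond the user's reserve come from the shared free pool.
        needs_pool_port = st.used[proto] >= st.reserved[proto]
        if needs_pool_port and self.free[proto] <= 0:
            return "pool-exhausted"   # the "NAT port usage exceeded on pool" case
        if needs_pool_port:
            self.free[proto] -= 1
        if use_extended:
            st.ext_used[(proto, dst_port)] += 1
        st.used[proto] += 1
        return "ok"


# LID 5 as configured above: tcp 100, udp 300 reserve 100, icmp 10,
# plus 3 extra TCP sessions to port 25.
LID5 = Lid({"tcp": Quota(100), "udp": Quota(300, reserve=100), "icmp": Quota(10)},
           {("tcp", 25): 3})


def run_example() -> Dict[str, int]:
    """One inside host opens 101 web sessions, then 4 SMTP sessions."""
    sim = LsnQuotaModel(LID5, ports_per_proto=1000)
    verdicts = Counter(sim.open_session("5.5.5.10", "tcp", 80) for _ in range(101))
    verdicts.update(sim.open_session("5.5.5.10", "tcp", 25) for _ in range(4))
    return dict(verdicts)


if __name__ == "__main__":
    print(run_example())
```

Under these assumptions the 101st web session is refused while three SMTP sessions still succeed, which is the effect the extended quota is meant to have. The UDP reserve is taken from the pool as soon as the user appears, so a pool sized too small for the number of users fails at user creation rather than at the first session.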
Display Commands
The following commands display LSN information:
AX(config)#end
AX#show class-list list1
Name:              list1
Total single IP:   0
Total IP subnet:   2
Content:
192.168.1.0 /24 lsn-lid 2
192.168.0.0 /16 lsn-lid 1
Table 17 describes the fields in the show ip nat lsn pool-statistics output.
TABLE 19 show ip nat lsn pool-statistics fields
Field          Description
-------------  -----------------------------------------------------------------
Address        NAT (global) IP address.
Users          Number of inside IP addresses currently using the NAT IP address.
ICMP           Number of ICMP identifiers currently in use.
Freed (ICMP)   Total number of ICMP identifiers freed.
Total (ICMP)   Total number of ICMP identifiers allocated.
UDP
Freed (UDP)
Total (UDP)    Total number of UDP ports allocated.
Rsvd (UDP)
TCP
Freed (TCP)
Total (TCP)
Rsvd (TCP)
Note: You cannot change the privilege level of the admin account or disable it.
To allow access from any host, leave the Trusted Host IP Address and
Netmask fields blank.
7. From the Privilege drop-down list, select the access level:
Super Admin Allows access to all levels of the system. This
account is not the Root account and can be deleted. This account
cannot configure other admin accounts. (Only the admin account
that has Root privileges can configure other admin accounts.)
Read Only Admin Allows monitoring access to the system but not
configuration access. In the CLI, this account can only access the
User EXEC and Privileged EXEC levels, not the configuration levels. In the GUI, this account cannot modify configuration information.
Partition Write Admin The admin has read-write privileges within
the private partition to which the admin is assigned. The admin has
read-only privileges for the shared partition.
Partition Read Admin The admin has read-only privileges within
the private partition to which the admin is assigned, and read-only
privileges for the shared partition.
but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers and
their service ports.
The Partition roles apply to Role-Based Administration (RBA). For information about this feature, see Role-Based Administration on page 797.
FIGURE 171
FIGURE 172
CLI EXAMPLES
The following commands add admin adminuser2 with password
12345678 and read-write privilege:
AX(config)#admin adminuser2
AX(config-admin:adminuser2)#password 12345678
AX(config-admin:adminuser2)#privilege write
AX(config-admin:adminuser2)#show admin
UserName        Status     Privilege     Partition
------------------------------------------------------
admin           Enabled    Root
adminuser2      Enabled    Read/Write
The following commands add admin adminuser3 with password abcdefgh and read-write privilege, and restrict login access to the 10.10.10.x
subnet only:
AX(config)#admin adminuser3
AX(config-admin:adminuser3)#password abcdefgh
AX(config-admin:adminuser3)#privilege write
AX(config-admin:adminuser3)#trusted-host 10.10.10.0 /24
AX(config-admin:adminuser3)#show admin
UserName        Status     Privilege     Partition
------------------------------------------------------
admin           Enabled    Root
adminuser2      Enabled    Read/Write
adminuser3      Enabled    Read/Write
To delete an admin account, you first must terminate any active sessions
the admin account has open. The account is not deleted if there are any
open sessions for the account.
Parameter     Description                                                      Default
------------  ---------------------------------------------------------------  -----------
              Controls whether admin accounts can be locked.                   Disabled
Threshold     Number of failed login attempts allowed for an admin account     5
              before it is locked.
Reset time    Number of minutes the AX device remembers a failed login         10 minutes
              attempt. For an account to be locked, greater than the number
              of failed login attempts specified by the threshold must occur
              within the reset time.
Duration      Number of minutes a locked account remains locked. To keep       10 minutes
              accounts locked until you or another authorized administrator
              unlocks them, set the value to 0.
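The interaction of threshold, reset time and duration is the part of this feature worth checking before relying on it: with the defaults, six failures inside ten minutes lock the account, but six failures spread three minutes apart never do, because the oldest attempts have already been forgotten. The following Python model is added here to make that behaviour testable; it is not A10 code, and it takes the table's wording literally (more than `threshold` remembered failures inside the reset window lock the account; duration 0 holds the lock until an administrator unlocks it). The epoch and the helper `at()` are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed reference instant; at(m) is m minutes after it.
T0 = datetime(2010, 6, 21, 12, 0, 0)


def at(minutes: float) -> datetime:
    return T0 + timedelta(minutes=minutes)


class AdminLockout:
    """Assumed model of the lockout parameters in the table above (illustration)."""

    def __init__(self, enabled: bool = False, threshold: int = 5,
                 reset_minutes: int = 10, duration_minutes: int = 10):
        self.enabled = enabled
        self.threshold = threshold
        self.reset = timedelta(minutes=reset_minutes)
        self.duration = timedelta(minutes=duration_minutes)
        self.failures: Dict[str, List[datetime]] = {}
        self.locked_at: Dict[str, datetime] = {}

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator; also clears remembered failures."""
        self.locked_at.pop(user, None)
        self.failures.pop(user, None)

    def is_locked(self, user: str, now: datetime) -> bool:
        if user not in self.locked_at:
            return False
        if self.duration == timedelta(0):
            return True                      # duration 0: locked until unlocked by hand
        if now >= self.locked_at[user] + self.duration:
            self.unlock(user)                # lock has expired
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register one failed login; True if the account is locked afterwards."""
        if not self.enabled:
            return False
        if self.is_locked(user, now):
            return True
        # Only failures still inside the reset window are remembered.
        recent = [t for t in self.failures.get(user, []) if now - t < self.reset]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) > self.threshold:     # "greater than the threshold"
            self.locked_at[user] = now
            return True
        return False


if __name__ == "__main__":
    lk = AdminLockout(enabled=True)
    print([lk.record_failure("ops", at(m)) for m in range(6)])
```

A monitoring hook would sit on the transition returned by `record_failure`, since a burst of lockouts across several accounts is itself worth alerting on.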
                                  SSH       Telnet    HTTP      HTTPS     SNMP      Ping
Ethernet Management Interface     Enabled   Disabled  Enabled   Enabled   Enabled   Enabled
Ethernet and VE Data Interfaces   Disabled  Disabled  Disabled  Disabled  Disabled  Enabled
You can enable or disable management access, for individual access types
and interfaces. You also can use an Access Control List (ACL) to permit or
deny management access through the interface by specific hosts or subnets.
To set management access through Ethernet interfaces, use either of the following methods.
Notes Regarding Use of ACLs
If you use an ACL to secure management access, the action in the ACL rule
that matches the management traffic's source address is used to permit or
deny access, regardless of other management access settings.
For example, if you disable Telnet access to a data interface, but you also
enable access to the interface using an ACL with permit rules, the ACL permits Telnet (and all other) access to the interface, for traffic that matches the
permit rules in the ACL.
If you want certain types of management access to be disabled on an interface, do not use a permit ACL to control management access to the interface.
Each ACL has an implicit deny any any rule at the end. If the management
traffic's source address does not match a permit rule in the ACL, the
implicit deny any any rule is used to deny access.
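The rule above is easy to get wrong during a change review: applying a permit ACL to a data interface re-opens every service on it for the matching hosts, including services that were explicitly disabled. The following Python model is added here (it is not A10 code) to encode the decision as the notes describe it, so an intended interface configuration can be checked before it is applied. Service names, the rule structure and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class AclRule:
    action: str    # "permit" or "deny"
    source: str    # source prefix in CIDR form, or "any"


def acl_action(rules: List[AclRule], src_ip: str) -> str:
    """First matching rule wins; the implicit 'deny any any' applies otherwise."""
    ip = ip_address(src_ip)
    for rule in rules:
        prefix = "0.0.0.0/0" if rule.source == "any" else rule.source
        if ip in ip_network(prefix, strict=False):
            return rule.action
    return "deny"


def management_access(services: Dict[str, bool], acl: Optional[List[AclRule]],
                      src_ip: str, service: str) -> bool:
    """Access decision for one interface, as the notes above describe it:
    when an ACL is applied, its verdict alone decides (a permit overrides a
    disabled service); with no ACL, the per-service setting decides."""
    if acl is not None:
        return acl_action(acl, src_ip) == "permit"
    return services.get(service, False)


# Default data-interface settings from the table above: only ping enabled.
DATA_IF_DEFAULTS = {"ping": True, "ssh": False, "telnet": False,
                    "http": False, "https": False, "snmp": False}
# Constructed ACL: permit one management subnet, nothing else.
MGMT_ACL = [AclRule("permit", "10.10.10.0/24")]


def review(services: Dict[str, bool], acl: Optional[List[AclRule]],
           src_ip: str) -> List[str]:
    """Services reachable from src_ip on this interface, for a change review."""
    return sorted(s for s in services if management_access(services, acl, src_ip, s))


if __name__ == "__main__":
    print(review(DATA_IF_DEFAULTS, None, "10.10.10.5"))
    print(review(DATA_IF_DEFAULTS, MGMT_ACL, "10.10.10.5"))
```

The second `review()` call is the pitfall the guide warns about: the permitted subnet can reach Telnet and SNMP on a data interface whose services are all disabled. If only some services should be reachable, leave the interface without a permit ACL and control the services individually.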
On data interfaces, you can disable or enable access to specific services and
also use an ACL to control access. However, on the management interface,
(MGMT)
ve ve-num [to ve-num]   A VE data interface or range of VE data interfaces
ethernet port-num [to port-num]   An Ethernet data interface or range
In the second command, the acl acl-id option specifies an ACL. Management access from any host address that matches the ACL is either permitted
or denied, depending on the action (permit or deny) used in the ACL.
CLI Examples:
The following command disables HTTP access to the out-of-band management interface:
AX(config)#disable-management service http management
You may lose connection by disabling the http service.
Continue? [yes/no]:yes
CLI EXAMPLES
Here is an example for an AX device that has 10 Ethernet data ports. In this
example, all the access settings are set to their default values.
AX#show management
         PING   SSH    Telnet HTTP   HTTPS  SNMP   ACL
------------------------------------------------------
mgmt     on     on     off    on     on     on
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
10       on     off    off    off    off    off
ve1      on     off    off    off    off    off
         PING   SSH    Telnet HTTP   HTTPS  SNMP   ACL
------------------------------------------------------
mgmt     on     on     off    off    on     on
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
         on     off    on     off    off    off
         on     off    off    off    off    off
         on     off    off    off    off    off
10       on     off    off    off    off    off
ve1      on     off    off    off    off    off
Parameter        Description                                                    Default
---------------  -------------------------------------------------------------  ----------------------------------
Auto redirect    Automatically redirects requests for the unsecured port        Enabled
                 (HTTP) to the secure port (HTTPS).
HTTP server      HTTP server on the AX device.                                  Enabled
HTTP port        Protocol port number for the unsecured (HTTP) port.            80
HTTPS server     HTTPS server on the AX device.                                 Enabled
HTTPS port       Protocol port number for the secure (HTTPS) port.              443
Timeout          Number of minutes a Web management session can remain idle     Range: 0-60 minutes. To disable
                 before it times out and is terminated by the AX device.        the timeout, specify 0.
                                                                                Default: 10 minutes
aXAPI Timeout                                                                   0-60 minutes. If you specify 0,
                                                                                sessions never time out.
                                                                                Default: 10 minutes
The Preference section sets the default IP address type (IPv4 or IPv6) for
GUI configuration fields that require an IP address. The Preference section does not affect access to the GUI itself.
CLI EXAMPLE
The following command disables management access on HTTP and verifies
the change:
AX(config)#no web-service server
AX(config)#show web-service
AX Web server:
  Idle time:      10 minutes
  Http port:      80
  Https port:     443
  Auto redirect:  Enabled
  Https:          Enabled
  Http:           Disabled
Authentication
Authentication grants or denies access based on the credentials presented by
the person who is attempting access. Authentication for management access
to the AX device grants or denies access based on the admin username and
password.
By default, when someone attempts to log into the AX device, the device
checks its local admin database for the username and password entered by
the person attempting to gain access.
Without additional configuration, the authentication process stops at this
point. If the admin username and password are in the local database, the
person is granted access. Otherwise, they are denied.
You can configure the AX device to also use external RADIUS or
TACACS+ servers for authentication.
You can use TACACS+ or RADIUS for external authentication. Only one
external authentication method can be used.
Authentication Process
You can specify whether to check the local database or the remote server
first. Figure 173 and Figure 174 show the authentication processes used if
the AX device is configured to check RADIUS or TACACS+ before checking the local database.
on the server determines whether the admin is granted read-only or read-write access:
If the command level is 14 or 15, the admin is granted read-write
access in the GUI.
If the command level is 0-13, the admin is granted read-only access
in the GUI.
This authorization process does not apply to admins who log in through
the CLI. (See Authorization for CLI Access on page 688.)
The second line grants access to all levels. The admin's CLI session begins
at the Privileged EXEC level.
login as: admin4
Using keyboard-interactive authentication.
Password: ********
Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140
[type ? for help]
AX#
levels are sent to TACACS+ for authorization. Commands at other levels are automatically allowed.
0 (user EXEC) Commands at the User EXEC level are sent to
Caution:
The most secure option is 15(admin). If you select a lower option, for
example, 1(priv EXEC), make sure to configure the TACACS+ server
to deny any unmatched commands (commands that are not explicitly
allowed by the server). Otherwise, unmatched commands, including
commands at higher levels, will automatically be authorized to execute.
TACACS+ Authorization Debug Options
You can enable the following TACACS+ debug levels for troubleshooting:
0x1 Common system events such as trying to connect with
including the length fields. These events are written to the terminal.
0x4 Length fields of the TACACS+ packets will also be displayed on
the terminal.
0x8 Information about TACACS+ MD5 encryption will be sent to the
syslog.
Accounting
You can configure the AX device to use external RADIUS or TACACS+
servers for Accounting.
Accounting keeps track of user activities while the user is logged on. For
AX admins, you can configure Accounting for the following:
Login/logoff activity (start/stop accounting)
Commands
at all CLI levels, including those used to configure admin accounts, are
tracked.
14(config) Commands at all CLI levels except those used to configure
Configuring Authentication
To configure remote authentication, use either of the following methods.
Configuring Authorization
If using RADIUS, you can set the GUI access levels on the RADIUS
server itself. See Authorization for GUI Access on page 688.
3. Optionally, if using TACACS+, enable Authorization debugging:
authorization debug debug-level
The debug-level can be one of the following: 0x1, 0x2, 0x4, or 0x8.
(See TACACS+ Authorization Debug Options on page 690.)
Configuring Accounting
CLI EXAMPLES
RADIUS Authentication
The following commands configure a pair of RADIUS servers and configure the AX device to use them first, before using the local database. Since
10.10.10.12 is added first, this server will be used as the primary server.
Server 10.10.10.13 will be used only if the primary server is unavailable.
AX(config)#radius-server host 10.10.10.12 secret radp1
AX(config)#radius-server host 10.10.10.13 secret radp2
AX(config)#authentication type radius local
TACACS+ Authorization
The following commands configure the AX device to use TACACS+ server
10.10.10.13 to authorize commands at all CLI levels. In this example, the
none option is not used. As a result, if TACACS+ authorization cannot be
performed (for example, due to server unavailability), the command is
denied.
AX(config)#tacacs-server host 10.10.10.13 secret SharedSecret
AX(config)#authorization commands 15 method tacplus
TACACS+ Accounting
The following commands configure the AX device to use the same
TACACS+ server for accounting of logon/logoff activity and of all command activity:
AX(config)#accounting exec start-stop tacplus
AX(config)#accounting commands 15 stop-only tacplus
= a10rad
shortname = private-network-1
EXEC commands only. These are commands at the > and # prompts.
Read-write-Admin The admin can access User EXEC, Privileged
vi /usr/local/share/freeradius/dictionary.a10networks
#
# Version:
#
# http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
#
VENDOR          A10-Networks            22610
BEGIN-VENDOR    A10-Networks
ATTRIBUTE       A10-App-Name                    String
ATTRIBUTE       A10-Admin-Privilege             integer
VALUE           A10-Admin-Privilege     Read-only-Admin
VALUE           A10-Admin-Privilege     Read-write-Admin
ATTRIBUTE       A10-Single-1            51      String
ATTRIBUTE       A10-Single-2            52      String
ATTRIBUTE       A10-Single-3            53      String
ATTRIBUTE       A10-Single-4            54      String
ATTRIBUTE       A10-Single-5            55      String
ATTRIBUTE       A10-Multi-1             56      String
ATTRIBUTE       A10-Multi-2             57      String
ATTRIBUTE       A10-Multi-3             58      String
ATTRIBUTE       A10-Multi-4             59      String
ATTRIBUTE       A10-Multi-5             60      String
END-VENDOR      A10-Networks
write
Procedure Overview
To configure Windows IAS for AX RADIUS authentication:
1. On the IAS server, create the following access groups:
AX-Admin-Read-Only
AX-Admin-Read-Write
2. On the IAS server, configure a RADIUS client for the AX device.
3. On the IAS server, configure the following remote access policies:
AX-Admin-Read-Only-Policy
AX-Admin-Read-Write-Policy
5. Click Create.
6. Enter the following information for the second group:
Group Name AX-Admin-Read-Write
Group Description Read-Write to AX devices
Members Add members as desired using the Add button
7. Click Create.
8. Click Close.
ax2000_slb1
Protocol RADIUS
192.168.1.238 is the IP address of the AX device that will use the IAS
server for external RADIUS authentication.
4. Click Next.
5. Enter the following information in the Add RADIUS Client dialog box:
Client address IP address or domain name for the client (AX
device)
Client-Vendor RADIUS Standard
Shared secret Secret to be shared between IAS and AX. You also
will need to enter this in the RADIUS configuration on the AX
device.
Confirm shared secret Same as above
Note: Do not select Request must contain the Message Authenticator attribute. AX RADIUS authentication does not support this option.
6. Click Next.
3. Click Next.
4. In the Add Remote Access Policy dialog box, click Add.
5. In the Select Attribute dialog box, double-click Client Friendly Name.
6. In the Client-Friendly-Name dialog box, enter the friendly name used to
define the AX device (for example, AX-Admin-Read-Only-Policy) and
click OK.
7. In the same Add Remote Access Policy dialog box as before, click Add
again.
18. Click OK for the Configure VSA, Vendor-Specific Attribute Information, and Multivalued Attribute Information dialog boxes.
19. Click Close in the Add Attributes dialog box.
20. Click OK in the Edit Dial-In Profile dialog box. Optionally, read the
suggested help by clicking OK.
21. Click Finish in the Add Remote Access Policy dialog box.
22. To create the second Remote Access Policy, repeat the above steps with
the following changes:
Policy Friendly name AX-Admin-Read-Write-Policy
Group to add AX-Admin-Read-Write
Attribute value 2
The following sections describe these features and show how to configure
them.
IP limiting provides a more robust version of the source-IP based connection rate limiting feature. For information, see IP Limiting on page 777.
DDoS Protection
AX Series devices provide enhanced protection against distributed denial-of-service (DDoS) attacks, with IP anomaly filters. The IP anomaly filters
drop packets that contain common signatures of DDoS attacks.
On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200,
DDoS protection is hardware-based. On other models, DDoS protection is
software-based.
packets
When these filters are enabled, the AX device checks for these anomalies in
new HTTP or HTTPS connection requests from clients.
Filtering for these anomalies is disabled by default. However, if you configure a system-wide PBSLB policy, the filters are automatically enabled. You
also can configure the filters on an individual basis.
Note:
In the current release, these filters are supported only for HTTP and
HTTPS traffic.
(For information about system-wide PBSLB, see Configuring System-Wide PBSLB on page 754.)
Threshold
Each of these IP anomaly filters has a configurable threshold. The threshold
specifies the number of times the anomaly is allowed to occur in a client's
SYN Cookies
AX Series devices provide enhanced protection against TCP SYN flood
attacks, with SYN cookies. SYN cookies enable the AX to continue to serve
legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to consume system resources.
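What lets a device keep serving legitimate clients during a SYN flood is that, with SYN cookies, no per-connection state is created when a SYN arrives: the initial sequence number of the SYN-ACK is a keyed function of the connection 4-tuple and a coarse time counter, and state is allocated only when the client's final ACK carries a value that validates. The following Python example is added here to show that mechanism in generic form; it is not A10's implementation (the AX's hardware and software cookie schemes are not described on this page). The 32-bit layout (5-bit counter, 3-bit MSS index, 24-bit keyed hash), the MSS table, the secret and the sample endpoints are constructed for the example.

```python
import hashlib
import hmac

# Encodable MSS values; the index is carried in three bits of the cookie
# (constructed table for the example).
MSS_TABLE = [536, 1300, 1440, 1460]


def _keyed_hash(saddr, daddr, sport, dport, counter, secret: bytes) -> int:
    """24-bit keyed hash of the 4-tuple and the time counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, counter, secret: bytes) -> int:
    """Initial sequence number for the SYN-ACK. Nothing is stored for the SYN."""
    counter &= 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):        # largest table entry <= offered MSS
        if m <= mss:
            mss_idx = i
    h = _keyed_hash(saddr, daddr, sport, dport, counter, secret)
    return (counter << 27) | (mss_idx << 24) | h


def check_cookie(saddr, daddr, sport, dport, ack, now_counter, secret: bytes,
                 max_age: int = 1):
    """Validate the handshake's final ACK. Returns the MSS to use when the
    cookie is genuine and recent, otherwise None (the ACK is ignored)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(max_age + 1):           # accept the current and recent counters
        c = (now_counter - age) & 0x1F
        if c != counter:
            continue
        expected = _keyed_hash(saddr, daddr, sport, dport, c, secret).to_bytes(3, "big")
        if hmac.compare_digest(expected, got):
            return MSS_TABLE[mss_idx]
    return None


class SynCookieListener:
    """A listening socket that allocates state only for validated handshakes."""

    def __init__(self, addr: str, port: int, secret: bytes):
        self.addr, self.port, self.secret = addr, port, secret
        self.established = []     # the only per-connection state kept
        self.dropped_acks = 0

    def on_syn(self, saddr: str, sport: int, mss: int, counter: int) -> int:
        # Answer with a SYN-ACK whose ISN is the cookie; no queue entry is made,
        # so a flood of spoofed SYNs costs memory proportional to zero.
        return make_cookie(saddr, self.addr, sport, self.port, mss, counter, self.secret)

    def on_ack(self, saddr: str, sport: int, ack: int, counter: int) -> bool:
        mss = check_cookie(saddr, self.addr, sport, self.port, ack, counter, self.secret)
        if mss is None:
            self.dropped_acks += 1
            return False
        self.established.append((saddr, sport, mss))
        return True


if __name__ == "__main__":
    srv = SynCookieListener("203.0.113.1", 80, b"constructed-secret")
    isn = srv.on_syn("198.51.100.7", 40000, 1460, counter=7)
    print(srv.on_ack("198.51.100.7", 40000, isn + 1, counter=7), srv.established)
```

The cost of the scheme is visible in the code: TCP options beyond an approximated MSS are lost, and a cookie is only as strong as its 24-bit hash and the secrecy and rotation of the key, which is why production implementations enable cookies only once the SYN backlog is under pressure.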
Note:
If the target VIP is in a different subnet from the client-side router, use of
hardware-based SYN cookies requires some additional configuration. See
Configuration when Target VIP and Client-side Router Are in Different
Subnets on page 721.
Configuration when Target VIP and Client-side Router Are in Different Subnets
Usually, the target VIP in an SLB configuration is in the same subnet as the
client-side router. However, if the target VIP is in a different subnet from the
client-side router, use of hardware-based SYN cookies requires some additional configuration:
On the AX device, configure a dummy VIP that is in the same subnet
Note:
If HA is configured, add both the target VIP and the dummy VIP to the
same HA group, so they will fail over to the HA peer as a unit.
packets allowed per second. If the AX device receives more than the
normal rate of ICMP packets, the excess packets are dropped until the
next one-second interval begins. The normal rate can be 1-65535 packets per second.
Maximum rate The ICMP maximum rate is the maximum number of
ICMP packets allowed per second before the AX device locks up ICMP
traffic. When ICMP traffic is locked up, all ICMP packets are dropped
until the lockup expires. The maximum rate can be 1-65535 packets per
second.
Lockup time The lockup time is the number of seconds for which the
AX device drops all ICMP traffic, after the maximum rate is exceeded.
The lockup time can be 1-16383 seconds.
Specifying a maximum rate (lockup rate) and lockup time is optional. If you
do not specify them, lockup does not occur.
IP limiting provides a more robust version of the source-IP based connection rate limiting feature. For information, see IP Limiting on page 777.
Parameters
Source-IP based connection rate limiting is configured using the following
parameters:
TCP or UDP Layer 4 protocol for the connections.
Connection limit Maximum number of connection requests allowed
from a client, within the limit period. The connection limit can be
1-1000000.
Limit period Interval to which the connection limit is applied. A client
Log Messages
The AX device generates two log messages per offending client, per client
activity.
The first message is generated the first time a client exceeds the connection
limit. The message indicates the source (client) address and the destination
address of the session. If lockout is configured, the message also indicates
that the client is locked out.
Mar 05 2009 14:37:00 Notice [AX]: UDP 51.2.1.81 > 51.1.1.2:53 Source IP
exceeded Connection rate limit in all (897 times, 2342 times in lockout)
In this example, the session is between the same client and destination as the
previous example. During this period of activity, 897 of the requests from
the client were sent after a connection limit had been exceeded, and were
dropped. An additional 2342 requests were dropped because they were
received during the lockout.
Deployment Considerations
The AX device internally uses a session to keep track of user activity. Currently, the AX device has a capacity of up to 16 million sessions. Up to 8
million of these sessions are available for tracking user activity.
Depending on client profile and activity, as well as the number of virtual
ports configured on the device, you might need to use the shared option to
apply the connection limit to all virtual ports, instead of each individual
port. The default is to apply the connection limit to each individual virtual
port, which uses proportionally more sessions than the shared option.
maximum number of Layer 4 sessions the system can have, use the following CLI command at the global configuration level of the CLI:
system resource-usage l4-session-count num
The num option specifies the number of Layer 4 sessions.
Use a short UDP aging time. To set a short UDP aging time, use the fol-
Configuration
Note: The current release does not support configuration or monitoring of this feature using the GUI.
Configuration Examples
CLI Example 1
The following command allows up to 1000 TCP connection requests per
one-second interval from any individual client. If a client sends more than
1000 requests within a given limit period, the client is locked out for 3 seconds. The limit applies separately to each individual virtual port. Logging is
not enabled.
AX(config)#slb conn-rate-limit src-ip tcp 1000 per 1000 exceed-action lock-out 3
CLI Example 2
The following command allows up to 2000 UDP connection requests per
100-millisecond interval. The limit applies to all virtual ports together. Logging is enabled but lockout is not enabled.
AX(config)#slb conn-rate-limit src-ip udp 2000 per 100 shared exceed-action log
CLI Example 3
The following command allows up to 2000 UDP connection requests per
100-millisecond interval. The limit applies to all virtual ports together. Logging is enabled and lockout is enabled. If a client sends a total of more than
Statistics
The following commands display statistics for this feature, then reset the
counters to 0 and verify that they have been reset:
AX(config)#show slb conn-rate-limit src-ip statistics
Threshold check count 1022000
Honor threshold count 20532
1000
count 0
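The following Python model is an added example (not A10 code or output from the guide) of the rate-limit and lockout semantics that CLI Examples 1 and 2 above configure: a per-client request counter over the limit period, a separate counter per virtual port unless shared is used, excess requests dropped, and a lockout during which every request from the client is dropped. The guide does not say whether the limit period is a fixed or sliding window; the model assumes a fixed window, and the client address, ports and timings are constructed.

```python
from collections import Counter


class ConnRateLimit:
    """Model of 'slb conn-rate-limit src-ip {tcp|udp} limit per period-ms
    [shared] [exceed-action {log|lock-out seconds}]'. Added example, not
    AX code. Assumption: the limit period is a fixed window; the guide does
    not state the window type."""

    def __init__(self, limit, period_ms, shared=False, lockout_s=0):
        self.limit = limit          # 1-1000000 connection requests per period
        self.period_ms = period_ms  # limit period in milliseconds
        self.shared = shared        # True: one counter per client for all virtual ports
        self.lockout_s = lockout_s  # 0: no lockout, only the excess requests are dropped
        self._window = {}           # key -> [period index, count]
        self._locked_until = {}     # key -> time (ms) at which the lockout expires

    def _key(self, client, vport):
        # Default: a separate counter per (client, virtual port). 'shared'
        # collapses that to one counter per client, which uses fewer sessions.
        return client if self.shared else (client, vport)

    def request(self, now_ms, client, vport):
        """Verdict for one connection request: 'allow', 'drop' or 'lockout'."""
        key = self._key(client, vport)
        until = self._locked_until.get(key)
        if until is not None:
            if now_ms < until:
                return "lockout"      # dropped because received during the lockout
            del self._locked_until[key]
        idx = now_ms // self.period_ms
        state = self._window.get(key)
        if state is None or state[0] != idx:
            state = [idx, 0]          # new limit period: counter starts over
            self._window[key] = state
        state[1] += 1
        if state[1] > self.limit:
            if self.lockout_s:
                self._locked_until[key] = now_ms + self.lockout_s * 1000
            return "drop"             # dropped because the limit was exceeded
        return "allow"


def simulate(limiter, events):
    """Run (time_ms, client, vport) events through the limiter and return the
    verdict counts per client, the same split the AX log message reports."""
    verdicts = {}
    for now_ms, client, vport in events:
        verdicts.setdefault(client, Counter())[limiter.request(now_ms, client, vport)] += 1
    return verdicts


def demo(shared=False):
    """CLI Example 1 (1000 TCP requests per 1000 ms, 3 s lockout) against a
    constructed burst: 1100 requests to port 80 inside one period, one
    request to port 443 during the lockout, then probes at 2.9 s and 3.0 s."""
    limiter = ConnRateLimit(limit=1000, period_ms=1000, lockout_s=3, shared=shared)
    events = [(500, "10.0.0.5", 80)] * 1100
    events += [(600, "10.0.0.5", 443), (3400, "10.0.0.5", 80), (3500, "10.0.0.5", 80)]
    return simulate(limiter, events)["10.0.0.5"]


if __name__ == "__main__":
    print("per virtual port:", dict(demo()))
    print("shared          :", dict(demo(shared=True)))
```

With the default per-port counters the request to port 443 is allowed while port 80 is locked out; with shared it is dropped too, which is the trade-off the Deployment Considerations section describes. Setting lockout_s to 0 gives the Example 2 behaviour, where only the requests above the limit are dropped.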
DNS Security
You can configure security for DNS VIPs. DNS security examines DNS
queries addressed to a VIP to ensure that the queries are formed properly
(not malformed). If a malformed DNS query is detected, the AX device
takes one of the following actions, depending on the action specified in the
DNS security policy:
Drops the query
Forwards the query to another service group This option is useful if
you want to quarantine and examine the malformed queries, while still
keeping them away from the DNS server.
Since the drop action is specified, malformed DNS queries sent to the virtual DNS server are dropped by the AX device.
address.
Extended IPv4 ACL Extended IPv4 ACLs filter based on source and
NAT, use the ACL when configuring the pool. (See Network Address
Translation on page 607.)
The remark option adds a remark to the ACL. (For more information, see
Adding a Remark to an ACL on page 743.)
The source address to match on is specified by one of the following:
any The ACL matches on all source IP addresses.
host host-src-ipaddr The ACL matches only on the specified host IP
address.
net-src-ipaddr {filter-mask | /mask-length} The ACL matches on any
host in the specified subnet. The filter-mask specifies the portion of the
address to filter:
Use 0 to match.
Use 255 to ignore.
For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify /24 instead of 0.0.0.255 to filter on a 24-bit subnet.
The log option configures the AX device to generate log messages when
traffic matches the ACL. This option is disabled by default. The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule. (See
Transparent Session Logging on page 744.)
If you plan to use an external log server, the server must be attached to an
AX data port in order for ACL logging messages to reach the server. They
will not reach the server if the server is attached to the AX management
port.
CLI EXAMPLE
The following commands configure a standard ACL to deny traffic sent
from subnet 10.10.10.x, and apply the ACL to inbound traffic received on
Ethernet interface 4:
AX(config)#access-list 1 deny 10.10.10.0 0.0.0.255
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#access-list 1 in
Syntax for Filtering on ICMP Traffic
[no] access-list acl-num [seq-num]
{permit | deny | remark string} icmp
[type icmp-type [code icmp-code]]
{any | host host-src-ipaddr |
net-src-ipaddr {filter-mask | /mask-length}}
{any | host host-dst-ipaddr |
net-dst-ipaddr {filter-mask | /mask-length}}
[log [transparent-session-only]]
The type and code options enable you to filter on ICMP traffic.
The type type-option option matches based on the specified ICMP type. Enter the type name or the type number (for example, dest-unreachable or 3). The type-option can be one of the following:
any-type Matches on any ICMP type.
dest-unreachable | 3 Type 3, destination unreachable
The code code-num option matches based on the specified ICMP code. To
match on any ICMP code, specify any-code. To match on a specific ICMP
code, specify the code, 0-254.
Syntax for Filtering on Source and Destination IP Addresses and
on TCP or UDP Protocol Port Numbers
[no] access-list acl-num [seq-num]
{permit | deny | remark string} {tcp | udp}
{any | host host-src-ipaddr |
net-src-ipaddr {filter-mask | /mask-length}}
[eq src-port | gt src-port | lt src-port |
range start-src-port end-src-port]
{any | host host-dst-ipaddr |
net-dst-ipaddr {filter-mask | /mask-length}}
[eq dst-port | gt dst-port | lt dst-port |
range start-dst-port end-dst-port]
[log [transparent-session-only]]
port.
gt src-port The ACL matches on traffic from any source port with a
CLI EXAMPLE
The following commands configure an extended IPv4 ACL to deny traffic
sent from subnet 10.10.10.x to 10.10.20.5:80, and apply the ACL to
inbound traffic received on Ethernet interface 7:
AX(config)#access-list 100 deny tcp 10.10.10.0 0.0.0.255 10.10.20.5 /32 eq 80
AX(config)#interface ethernet 7
AX(config-if:ethernet7)#access-list 100 in
Parameter                                   Description
seq-num
deny | permit
ipv6 | icmp | tcp | udp
any |                                       Source IP address(es) to filter.
host host-src-ipv6addr |                    any  The ACL matches on all source IP addresses.
net-src-ipv6addr /mask-length               host host-src-ipv6addr  The ACL matches only on the specified host IPv6 address.
                                            net-src-ipv6addr /mask-length  The ACL matches on any host in the specified subnet. The mask-length specifies the portion of the address to filter.
eq src-port | gt src-port | lt src-port |
range start-src-port end-src-port
Configures the AX device to generate log messages when traffic matches the ACL.
The transparent-session-only option limits logging for an ACL rule to creation and deletion of
transparent sessions for traffic that matches the
ACL rule. (See Transparent Session Logging
on page 744.)
As shown in this example, the remark appears at the top of the ACL, above
the first rule.
To use blank spaces in the remark, enclose the entire remark string in double
quotes, as shown in the example. The ACL must already exist before you
can configure a remark for it.
The interface on which the ACL matched traffic is indicated in brackets (in
this example, eth 1). The addresses are shown as src-ip:port > dst-ip:port.
The ACL number or ACL name is shown at the end of the message.
For all other types of transparent IPv6 sessions, a message such as the following is generated:
Feb 24 2010 02:18:07 Notice [AX]:[ve 21] IP 2001:10::100 > 2001:7::40 ACL rule denied this packet (IPV6_LIST)
Configuration
To configure session filtering for transparent IPv6 sessions on an interface:
1. Configure an IPv6 ACL that uses the log transparent-session-only
option.
2. Apply the ACL to the interface that receives incoming traffic for the sessions.
3. For the following AX models only, enable the cpu-process option on
the interface that receives incoming traffic for the sessions: AX 2200,
AX 3100, AX 3200, AX 5100, and AX 5200.
CLI Example
The following commands configure an IPv6 ACL for transparent session
logging, and apply it to an IPv6 interface:
In this example, two rules are configured for ACL 86. The default sequence
numbers are used. The first rule has sequence number 10, and each rule
after that has a sequence number that is higher by 10.
The intent of this ACL is to deny all access from the 10.10.10.x subnet,
except for access from specific host addresses. In this example, the permit
rule for the host appears before the deny rule for the subnet the host is in, so
the host will be permitted. However, suppose another permit rule is added
for another host in the same subnet.
AX(config)#access-list 86 permit host 10.10.10.13
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
access-list 86 30 permit host 10.10.10.13 log Hits: 0
By default, since no sequence number was specified when the rule was configured, the rule is placed at the end of the ACL. Because the deny rule
comes before the permit rule, host 10.10.10.13 will never be permitted.
To resequence the ACL to work as intended, the deny rule can be deleted,
then re-added. Alternatively, either the deny rule or the second permit rule
can be resequenced to appear in the right place. To change the sequence
number of an ACL rule, delete the rule, then re-add it with the sequence
number.
In this example, rule 30 is deleted, then re-added with sequence number 11.
The ACL will now work as intended, and permit hosts 10.10.10.12 and
10.10.10.13 while denying all other hosts in the 10.10.10.x subnet. To permit another host, another rule can be added, sequenced to come before the
deny rule.
AX(config)#access-list 86 12 permit host 10.10.10.14 log
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 11 permit host 10.10.10.13 log Hits: 0
access-list 86 12 permit host 10.10.10.14 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
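The following Python model is an added example, not A10 code, of how the filter-mask and /mask-length forms described earlier map to the same subnet, and of why the sequence numbers matter: it replays the ACL 86 walk-through, where the permit appended with the default sequence number sits behind the subnet deny and never matches until it is resequenced to 11. Two assumptions are the model's own: a rule added without a sequence number receives the highest existing number plus 10, and traffic that matches no rule returns None rather than an implicit action, which the guide does not specify.

```python
import ipaddress


def to_network(addr, mask=None):
    """Source spec of an AX IPv4 ACL entry as an IPv4Network.
    mask=None: 'host addr'; '/24': mask-length; '0.0.0.255': filter-mask,
    in which 0 bits must match and 255 bits are ignored. ipaddress accepts
    that host-mask form directly and raises ValueError for a non-contiguous
    mask, which is the check a reviewer wants on hand-written ACLs."""
    if mask is None:
        return ipaddress.IPv4Network(f"{addr}/32")
    if mask.startswith("/"):
        return ipaddress.IPv4Network(f"{addr}{mask}", strict=False)
    return ipaddress.IPv4Network((addr, mask), strict=False)


class Acl:
    """Ordered first-match ACL with AX-style sequence numbers (added example,
    not AX code). Assumptions: a rule added without a sequence number gets
    the highest existing number plus 10; no matching rule returns None."""

    def __init__(self, num):
        self.num = num
        self.rules = []   # kept sorted by seq: [seq, action, network, hits]

    def add(self, action, addr, mask=None, seq=None):
        if seq is None:
            seq = (self.rules[-1][0] + 10) if self.rules else 10
        if any(r[0] == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        self.rules.append([seq, action, to_network(addr, mask), 0])
        self.rules.sort(key=lambda r: r[0])
        return seq

    def remove(self, seq):
        self.rules = [r for r in self.rules if r[0] != seq]

    def check(self, src_ip):
        """Action of the first rule whose source matches, or None."""
        ip = ipaddress.IPv4Address(src_ip)
        for rule in self.rules:
            if ip in rule[2]:
                rule[3] += 1
                return rule[1]
        return None

    def show(self):
        """Lines in the layout of 'show access-list ipv4 <num>' above."""
        lines = []
        for seq, action, net, hits in self.rules:
            src = (f"host {net.network_address}" if net.prefixlen == 32
                   else f"{net.network_address} {net.hostmask}")
            lines.append(f"access-list {self.num} {seq} {action} {src} log Hits: {hits}")
        return lines


def demo():
    """Replay the ACL 86 walk-through: the appended permit is shadowed by the
    subnet deny until it is resequenced ahead of it."""
    acl = Acl(86)
    acl.add("permit", "10.10.10.12")              # seq 10
    acl.add("deny", "10.10.10.0", "0.0.0.255")    # seq 20
    acl.add("permit", "10.10.10.13")              # seq 30, never reached
    before = acl.check("10.10.10.13")             # 'deny'
    acl.remove(30)
    acl.add("permit", "10.10.10.13", seq=11)      # re-add ahead of the deny
    acl.add("permit", "10.10.10.14", seq=12)
    after = tuple(acl.check(ip) for ip in ("10.10.10.13", "10.10.10.14", "10.10.10.99"))
    return before, after, acl.show()


if __name__ == "__main__":
    before, after, listing = demo()
    print("before resequencing:", before, " after:", after)
    print("\n".join(listing))
```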
Note:
For traffic that is allowed, you can specify the service group to use. You also
can specify the action to perform (drop or reset) on new connections that
exceed the configured connection threshold for the client address. For
example, you can configure the AX to respond to DDoS attacks from a client by dropping excessive connection attempts from the client.
You can apply PBSLB on a system-wide basis or on individual virtual ports.
The conn-limit is a coarse limit. The larger the number you specify, the
coarser the limit will be. For example, if you specify 100, the AX device
limits the total connections to exactly 100; however, if you specify 1000,
the device limits the connections to not exceed 992.
If the number in the file is larger than the supported maximum (32767),
the parser will use the longest set of digits in the number you enter that
makes a valid value. For example, if the file contains 32768, the parser
will use 3276 as the value. As another example, if the file contains
111111, the parser will use 11111 as the value.
The ;comment-string is a comment. Everything to the right of the ; is
The first row assigns a specific host to group 4. On the AX device, the drop
action will be assigned to this group, thus black listing the client. The second row black lists an entire subnet, by assigning it to the same group (4).
The third row sets the maximum number of concurrent connections for a
specific host to 20. The fourth row assigns a specific host to group 2 and
specifies a maximum of 20 concurrent connections.
Note:
The AX device allows up to three parser errors when reading the file.
However, after the third parser error, the device stops reading the file.
resets the timeout value for the entry. (Dynamic entry aging is described
below.)
If the list contains a static entry for the client's host or subnet address,
tions, the dynamic entry is removed. However, if the client has an active
connection, the dynamic entry is not removed until the client's connection ends.
You can set the timeout to 1-127 minutes. The default is 5 minutes.
If client-lockup is enabled, the timeout for a locked up client does not begin
decrementing until the lockup expires. (See Client Lockup on page 755.)
The logging option enables logging. The minutes option specifies how often
messages can be generated.
Client Lockup
The over-limit rule in a system-wide PBSLB policy includes an optional
lockup period. If the lockup period is configured, the AX device continues
to enforce the over-limit action for the duration of the lockup.
For example, if the over-limit action is drop and a client exceeds the connection limit specified in the black/white list, the AX device continues to
drop all connection attempts from the client until the lockup expires.
The lockup option is disabled by default. You can enable it by specifying a
lockup period of 1-127 minutes.
The dynamic black/white-list entry for a client does not age while the client
is locked up. After the lockup ends, the timeout for the entry is reset to its
full value and begins decrementing normally as described in Aging of
Dynamic Entries on page 753.
Displaying and Clearing System-Wide PBSLB Information
To display information for system-wide PBSLB, use the following commands:
ing actions:
Send the traffic to a specific service group.
Reset the traffic.
Drop the traffic.
Optionally, change the action (drop or reset) the AX will perform on
connections that exceed the limit specified in the list.
Optionally, if needed for your configuration, change client address
matching from source IP matching to destination IP matching.
Note: These steps assume that the real servers, service groups, and virtual servers have already been configured.
If the Use default server selection when preferred method fails option
is enabled on the virtual port, log messages will never be generated for
server-selection failures. To ensure that messages are generated to log
server-selection failures, disable the Use default server selection when
preferred method fails option on the virtual port. This limitation does
not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.
d. Click Add. The group settings appear in the PBSLB list.
e. Repeat the steps above for each group.
8. Select the action to take when traffic exceeds the limit: Drop or Reset.
9. Optionally, to match destination traffic against the black/white list,
instead of source traffic, select Use Destination IP.
10. Click OK. The new policy appears in the PBSLB policy list.
11. To bind the PBSLB policy template to a virtual port:
a. Select Config > Service > SLB.
b. On the menu bar, select Virtual Server.
c. Click on the virtual server name or click Add to create a new one.
d. In the Port section, click Add, or select a virtual port and click Edit.
e. In the Virtual Server Port section, select the PBSLB template from
the Policy Template drop-down list.
f. Click OK.
g. Click OK again.
Config > Service > SLB > Virtual Server - Virtual Server Port
A TFTP server is required on the PC and the TFTP server must be running when you enter the bw-list command.
Note:
If you use the load option, the CLI cannot accept any new commands
until the load is completely finished. For large black/white lists, loading
can take a while. Do not abort the load process; doing so can also interrupt
periodic black/white-list updates. If you do accidentally abort the load
process, repeat the command with the load option and allow the load to
complete.
To Configure PBSLB Settings Using a Policy Template:
To configure a PBSLB template, use the following commands:
[no] slb template policy template-name
Enter this command at the global configuration level of the CLI. The command creates the template and changes the CLI to the configuration for the
template, where the following PBSLB-related commands are available.
[no] bw-list name file-name
This command binds a black/white list to the virtual ports that use this template.
[no] bw-list id id
service {service-group-name | drop | reset}
[logging [minutes] [fail]]
This command specifies the action to take for clients in the black/white list:
id Group ID in the black/white list.
service-group-name Sends clients to the SLB service group
group.
reset Resets connections for IP addresses that are in the specified
group.
nection attempts from the client, for the specified number of minutes
(1-127).
logging min Generates a log message when traffic goes over the
limit. The min option specifies the log interval and can be 1-255 minutes.
reset Resets new connections until the number of concurrent connections on the virtual port falls below the port's connection limit. (The connection limit is set in the black/white list.)
Name           Url                                                    Size(Byte)  Date
-----------------------------------------------------------------------------
sample-bwlist  tftp://myhost/TFTP-Root/AX_bwlists/sample-bwlist.txt  N/A         N/A
Total: 1
The following commands configure a PBSLB template and bind it to a virtual port:
AX(config)#slb template policy bw1
AX(config-policy)#bw-list name bw1
AX(config-policy)#bw-list id 2 service srvcgroup2
AX(config-policy)#bw-list id 4 drop
AX(config-policy)#exit
AX(config)#slb virtual-server PBSLB_VS1 10.10.10.69
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template policy bw1
...
Anomaly out of sequence 225408
Anomaly zero window 225361
...
The following command shows statistics for the system-wide PBSLB policy:
AX(config)#show pbslb system
System
B/W list: bwlist-wc
Virtual Server  Port  Blacklist/whitelist  GID  Connection # (Establish Reset Drop)
-------------------------------------------------------------------------------
System                bwlist-wc            1    12 0 0
                                           2    0 0 0
------------------+---+---+----------+---------+-----+------+-----+------+---
40.40.40.168 /32 20 120
40.40.40.169 /32 20
40.40.40.170 /32 20
40.40.40.171 /32 20
40.40.40.172 /32 20
40.40.40.173 /32 20 120
40.40.40.174 /32 20 120
40.40.40.175 /32 20 120
40.40.40.160 /32 20 120
40.40.40.161 /32 20 120
40.40.40.162 /32 20
40.40.40.163 /32 20
40.40.40.164 /32 20
40.40.40.165 /32 20 120
40.40.40.168
Netmask length: 32
Type: Dynamic
Group ID:
1984
Current connection:
Age: 0 second
Lockup time: 5 minute
Out of sequence:
Zero window:
Bad content:
The AX device determines a client's location by looking up the client's subnet in the geo-location database used by Global Server Load Balancing (GSLB).
Note: This feature requires you to load a geo-location database, but does not require any other configuration of GSLB. The AX system image includes the Internet Assigned Numbers Authority (IANA) database. By default, the IANA database is not loaded, but you can easily load it, as described in the configuration procedure later in this section.
Configuration
To configure geo-location-based access control for a VIP:
1. Configure a black/white list. You can configure the list using a text editor on a PC or enter it directly into the GUI. If you configure the list
using a text editor, import the list onto the AX device.
2. Configure an SLB policy (PBSLB) template. In the template, specify the
black/white list name, and the actions to perform for the group IDs in
the list.
3. Load a geo-location database, if one is not already loaded.
4. Apply the policy template to the virtual port for which you want to control access.
Configuring the Black/White List
You can configure black/white lists in either of the following ways:
Remote option Use a text editor on a PC, then import the list onto the
AX device.
Local option Enter the black/white list directly into a management
GUI window.
With either method, the syntax is the same. The black/white list must be a
text file that contains entries (rows) in the following format:
L "geo-location" group-id #conn-limit
The L indicates that the client's location will be determined using information in the geo-location database.
The geo-location is the string in the geo-location database that is mapped to the client's IP address; for example, US, US.CA, or US.CA.SanJose.
The group-id is a number from 1 to 31 that identifies a group of clients (geo-locations) in the list. The default group ID is 0, which means no group is assigned. On the AX device, the group ID specifies the action to perform on client traffic.
The #conn-limit specifies the maximum number of concurrent connections allowed from a client. The # is required only if you do not specify a group ID. The connection limit is optional. For simplicity, the examples in this section do not specify a connection limit.
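The following Python parser is an added example, not the AX parser, of the black/white-list rules described above and in the earlier list-file section: ';' starts a comment, a group ID is 1-31 (0 meaning no group), '#' is required on a connection limit only when no group ID is given, a limit above 32767 is reduced to the longest leading run of digits that is valid (32768 becomes 3276, 111111 becomes 11111), and reading stops at the third parser error. The IP-row syntax 'address /mask-length [group-id] [#conn-limit]' and the sample list are assumptions constructed for the example; the guide shows only the L row format explicitly.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_CONN_LIMIT = 32767      # largest value the guide says the parser accepts
MAX_GROUP_ID = 31           # group IDs are 1-31; 0 means no group assigned
MAX_PARSER_ERRORS = 3       # the device stops reading at the third parser error


@dataclass
class Entry:
    kind: str                      # "ip" (host or subnet row) or "geo" (L row)
    key: str                       # "10.10.10.5/32" or "US.CA"
    group_id: int = 0
    conn_limit: Optional[int] = None


def clamp_conn_limit(digits: str) -> int:
    """Over-maximum numbers keep the longest leading run of digits that is a
    valid value: 32768 -> 3276, 111111 -> 11111 (behaviour described above)."""
    if not digits.isdigit():
        raise ValueError(f"connection limit is not a number: {digits!r}")
    while digits and int(digits) > MAX_CONN_LIMIT:
        digits = digits[:-1]
    if not digits or int(digits) == 0:
        raise ValueError("connection limit must be at least 1")
    return int(digits)


def parse_row(line: str) -> Optional[Entry]:
    """One black/white-list row, or None for a blank or comment-only line."""
    body = line.split(";", 1)[0].strip()        # everything after ';' is a comment
    if not body:
        return None
    tokens = shlex.split(body)                  # removes the quotes around "US.CA"
    if tokens[0] == "L":
        if len(tokens) < 2:
            raise ValueError("L row without a geo-location")
        entry, rest = Entry("geo", tokens[1]), tokens[2:]
    else:
        # Assumed IP-row syntax (not shown in the guide): address /mask-length ...
        if len(tokens) < 2 or not tokens[1].startswith("/"):
            raise ValueError(f"expected 'address /mask-length': {body!r}")
        net = ipaddress.ip_network(tokens[0] + tokens[1], strict=False)
        entry, rest = Entry("ip", str(net)), tokens[2:]
    bare = []
    for tok in rest:
        if tok.startswith("#"):                 # '#' marks an explicit connection limit
            entry.conn_limit = clamp_conn_limit(tok[1:])
        else:
            bare.append(tok)
    if len(bare) > 2:
        raise ValueError(f"too many fields: {body!r}")
    if bare:                                    # first bare number is the group ID
        if not bare[0].isdigit() or int(bare[0]) > MAX_GROUP_ID:
            raise ValueError(f"group ID must be 0-{MAX_GROUP_ID}: {bare[0]!r}")
        entry.group_id = int(bare[0])
    if len(bare) == 2:                          # with a group ID the '#' is optional
        entry.conn_limit = clamp_conn_limit(bare[1])
    return entry


def parse_bw_list(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Entries read before the parser gave up, plus (line, reason) errors."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_row(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            if len(errors) >= MAX_PARSER_ERRORS:
                break                           # third error: stop reading the file
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors


SAMPLE_BW_LIST = """\
; constructed sample list (not from the guide)
10.10.10.5 /32 4          ; host -> group 4 (bind 'drop' to group 4 = blacklist)
10.10.20.0 /24 4          ; whole subnet -> group 4
10.10.10.6 /32 #20        ; no group, at most 20 concurrent connections
10.10.10.7 /32 2 20       ; group 2 and a limit of 20; '#' optional here
10.10.10.8 /32 2 #32768   ; over the maximum: parser keeps 3276
L "US.CA" 3
L "JP" 4
10.10.10.9 /33 1          ; parser error 1: bad mask length
bogus line                ; parser error 2
10.10.10.10 /32 99        ; parser error 3: group ID out of range; reading stops
L "DE" 4                  ; never read
"""

if __name__ == "__main__":
    entries, errors = parse_bw_list(SAMPLE_BW_LIST)
    for entry in entries:
        print(entry)
    print("errors:", errors)
```

Running the parser over a list before loading it is the practical use: the silent truncation of over-maximum limits and the stop-after-three-errors rule mean a single bad row can leave the tail of a blacklist unloaded without any entry being rejected outright.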
L "US.CA"
L "JP"
3. Click OK.
To configure an SLB policy (PBSLB) template:
1. Select Config > Service > Template.
2. On the menu bar, select Application > PBSLB Policy.
3. Click Add.
4. In the Name field, enter a name for the template.
5. From the drop-down list below the Name field, select the black/white
list.
6. Select a group ID from the Group ID drop-down list.
7. Select one of the following from the Action drop-down list.
Drop Drops new connections until the number of concurrent con-
nections on the virtual port falls below the ports connection limit.
(The connection limit is set in the black/white list.)
Reset Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.
AX device is listed.
create This option displays the configuration sections for creating
a new service group.
8. Optionally, enable logging. (The AX device uses the same log rate limiting and load balancing features for PBSLB logging as those used for
ACL logging. See Log Rate Limiting on page 48.)
9. Click Add.
10. Repeat step 6 through step 9 for each group ID.
11. Click OK.
To load the IANA geo-location database:
1. Select Config > Service > GSLB.
2. On the menu bar, select Geo-location > Import.
3. In the Load/Unload section, enter iana in the File field. Leave the
Template field blank.
4. Click Add.
If preferred, you can import a custom geo-location database instead. For
information, see Loading or Configuring Geo-Location Mappings on
page 459.
Note:
Geo-location     Connection Limit    Current Connections
US               100                 100
US.CA            50                  37
US.CA.SanJose    20                  19
Using the default behavior, the connection request from the client at US.CA.SanJose is allowed even though US has reached its connection limit. Likewise, a connection request from a client at US.CA is allowed. However, a connection request from a client whose location match is simply US is denied.
After these three clients are permitted or denied, the connection permit and
deny counters are incremented as follows:
US Deny counter is incremented by 1.
US.CA Permit counter is incremented by 1.
US.CA.SanJose Permit counter is incremented by 1.
Full-Domain Checking
When full-domain checking is enabled, the AX device checks the current
connection count not only for the clients specific geo-location, but for all
geo-locations higher up in the domain tree.
Based on full-domain checking, all three connection requests from the clients in the example above are denied. This is because the US domain has
reached its connection limit. Likewise, the counters for each domain are
updated as follows:
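The following Python model is an added example, not A10 code, that replays the three connection requests above under the default behavior and with full-domain checking, using the limits and current counts from the table; it also matches a client at a location that is not itself listed (for example US.CA.LosAngeles) to its nearest listed ancestor (US.CA). Assumptions not stated in the guide: a permitted connection is counted only against the matched location (the table shows US at 100 while US.CA holds 37, so parents do not aggregate their children), and the permit and deny counters belong to the matched location.

```python
from collections import Counter


def ancestors(location):
    """'US.CA.SanJose' -> ['US.CA.SanJose', 'US.CA', 'US'] (most specific first)."""
    parts = location.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]


class GeoConnLimiter:
    """Per-geo-location concurrent-connection limits, with or without
    full-domain checking (added example, not AX code). Assumptions: a client
    is matched to the most specific listed location that prefixes its own; a
    permitted connection is counted only against that location; the permit
    and deny counters belong to that location."""

    def __init__(self, limits, current=None, full_domain=False):
        self.limits = dict(limits)            # location -> connection limit
        self.current = dict(current or {})    # location -> current connections
        self.full_domain = full_domain
        self.permit = Counter()
        self.deny = Counter()

    def match(self, client_location):
        for loc in ancestors(client_location):
            if loc in self.limits:
                return loc
        return None

    def admit(self, client_location):
        """True if a new connection from this location is allowed."""
        loc = self.match(client_location)
        if loc is None:
            return True                       # no listed location applies: no limit
        # Default: check only the matched location. Full-domain: also every
        # location higher up the domain tree.
        checked = ancestors(loc) if self.full_domain else [loc]
        for level in checked:
            limit = self.limits.get(level)
            if limit is not None and self.current.get(level, 0) >= limit:
                self.deny[loc] += 1
                return False
        self.current[loc] = self.current.get(loc, 0) + 1
        self.permit[loc] += 1
        return True

    def release(self, client_location):
        """A connection ended: decrement the matched location's count."""
        loc = self.match(client_location)
        if loc is not None and self.current.get(loc, 0) > 0:
            self.current[loc] -= 1


# Limits and current counts from the table above.
LIMITS = {"US": 100, "US.CA": 50, "US.CA.SanJose": 20}
CURRENT = {"US": 100, "US.CA": 37, "US.CA.SanJose": 19}
CLIENTS = ("US.CA.SanJose", "US.CA", "US")


def demo(full_domain=False):
    """Verdicts for the three clients, then the permit and deny counters."""
    lim = GeoConnLimiter(LIMITS, CURRENT, full_domain=full_domain)
    verdicts = [lim.admit(c) for c in CLIENTS]
    return verdicts, dict(lim.permit), dict(lim.deny)


if __name__ == "__main__":
    for fd in (False, True):
        verdicts, permits, denies = demo(fd)
        print("full-domain" if fd else "default    ", verdicts, "permit", permits, "deny", denies)
```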
IP Limiting
IP limiting provides a greatly enhanced implementation of the source IP
connection limiting and connection-rate limiting feature available in previous releases. This chapter describes the IP limiting options and how to configure and apply them.
Overview
IP limiting provides the following benefits:
Configuration flexibility You can apply source IP limiting on a sys-
separate set of IP limits to each class. You also can exempt specific clients from being limited.
Separate limits can be configured for each of the following:
Concurrent connections
Connection rate
Concurrent Layer 7 requests
Layer 7 request rate
In the current release, Layer 7 request limiting applies only to the HTTP,
HTTPS, and fast-HTTP virtual port types.
Note:
The following sections describe the IP limiting options and how to configure and apply them.
Class Lists
A class list is a set of IP host or subnet addresses that are mapped to IP limiting rules.
The AX device can support up to 255 class lists. Each class list can contain
up to 8 million host IP addresses and 64,000 subnets.
The AX device discards the comment string when you save the class list.
IP Address Matching
By default, the AX device matches class-list entries based on the source IP
address of client traffic. Optionally, you can match based on one of the following instead:
Destination IP address Matches based on the destination IP address
header in the HTTP request. You can specify the header when you
enable this option.
IP Limiting Rules
IP limiting rules specify connection and request limits for clients.
Each IP limiting rule has the following parameters:
Limit ID Number from 1-31 that identifies the rule.
Connection limit Maximum number of concurrent connections
for a client within the limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. There is no default.
client within the limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified
in increments of 100 ms. There is no default.
Over-limit action Action to take when a client exceeds one or more of
limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit. The lockout period can be 1-1023
minutes. There is no default.
Logging Generates log messages when clients exceed a limit. Logging
Match IP Address
By default, the AX device matches class-list entries based on the source IP
address of client traffic. Optionally, you can match based on one of the following instead:
Destination IP address matches based on the destination IP address in
globally.
For source IP limiting on an individual virtual server or virtual port,
apply the PBSLB policy template to the virtual server or virtual port.
Clients must comply with all IP limiting rules that are applicable to the client. For example, if you configure system-wide IP limiting and also configure IP limiting on an individual virtual server, clients must comply with the
system-wide IP limits and with the IP limits applied to the individual virtual
server accessed by the client.
If the class list contains 100 or more entries, it is recommended to use the
File option.
Note:
A class list can be exported only if you use the File option.
6. Configure the class list entries:
a. Enter the IP address and subnet mask.
For a host entry, use mask 255.255.255.255.
For a wildcard entry, enter IP address 0.0.0.0 and network mask
0.0.0.0.
b. Specify the IP limiting rule to apply to the host or subnet address.
Select the system location of the IP limiting rule:
Local The IP limiting rule is configured in a PBSLB policy
template to be applied to a virtual server or virtual port.
Global The IP limiting rule is configured at the system
(global) level, and can be shared by all policy templates.
LSN This option applies only to the Large-Scale NAT feature.
Do not use this option with IP limiting.
Enter the rule number, 1-31.
Make sure to use the same number when you configure the IP limiting
rule.
c. Click Add.
d. Repeat for each entry.
7. Click OK.
You also can export class lists to a remote server, using the following command:
export class-list file-name url
Configuring a Class List in the CLI
To configure a class list in the CLI, use the following commands:
[no] class-list name [file]
Enter this command at the global configuration level of the CLI.
The file option saves the class list as a separate file. Without this option, the
class list is instead saved in the startup-config. If the class list contains 100
or more entries, it is recommended to use the file option. The file option is
valid only when you create the class list. After you create the list, the list
remains either in the startup-config or in a separate file, depending on
whether you use the file option when you create the list.
Note:
A class list can be exported only if you use the file option.
The class-list command creates the class list if it is not already configured,
and changes the CLI to the configuration level for the list.
[no] ipaddr /network-mask [glid num | lid num]
To add an entry to the class list, use the command without no.
To modify an entry, use the command without no. Use the same
ports, you must configure the IP limiting rules in a PBSLB policy template, then apply the template to the virtual server or virtual port.
If you plan to apply IP limits on a system-wide basis, you can configure
To change the match IP address to one of these options, use the following
command at the configuration level for the PBSLB policy template:
[no] class-list client-ip
{l3-dest | l7-header [header-name]}
CLI Examples: Configuration
The examples in this section show how to configure IP limiting.
The following command imports the class list used by the policy:
AX(config)#import class-list global_list ftp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?global_list
The following command imports the class list used by the policy:
AX(config)#import class-list vs_list ftp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?vs_list
The following command imports the class list used by the policy:
AX(config)#import class-list vp_list ftp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?vp_list
CLI Examples: Display
This section shows example show command output for IP limiting.
Class Lists
The following command displays the class-list files on the AX device:
AX#show class-list
Name
IP
Subnet
Location
test
file
user-limit
14
config
Total: 2
Description
Name of the class list.
Number of host IP addresses in the class list.
Number of subnets in the class list.
Indicates whether the class list is in the startup-config or in a
standalone file:
config Class list is located in the startup-config.
Total
test
Total IP subnet:
Content:
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31
The following commands show the closest matching entries for specific IP
addresses in class list test:
AX#show class-list test 1.1.1.1
1.1.1.1 /32 glid 1
AX#show class-list test 1.1.1.2
0.0.0.0 /0 lid 31
The class list contains an entry for 1.1.1.1, so that entry is shown. However,
since the class list does not contain an entry for 1.1.1.2 but does contain a
wildcard entry (0.0.0.0), the wildcard entry is shown.
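The closest-match behaviour shown above can be reproduced with a longest-prefix lookup. This is an added example, not A10 code; it parses the entries from the show class-list test output on this page and resolves an address to the most specific entry, falling back to the 0.0.0.0/0 wildcard.

```python
"""Closest-match lookup for an AX-style class list (added example, not A10 code)."""
import ipaddress
from typing import List, NamedTuple, Optional


class ClassListEntry(NamedTuple):
    network: ipaddress.IPv4Network
    rule_type: str   # "glid" (global rule) or "lid" (rule local to a PBSLB template)
    rule_id: int     # rule number, 1-31


# Entries copied from the 'show class-list test' output on this page.
CLASS_LIST_TEST = """\
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31
"""


def parse_class_list(text: str) -> List[ClassListEntry]:
    """Parse 'ipaddr /mask-length {glid|lid} num' lines into entries."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or unrelated line
        addr, mask, kind, num = parts
        if kind not in ("glid", "lid"):
            raise ValueError(f"unknown rule type in entry: {line!r}")
        rule_id = int(num)
        if not 1 <= rule_id <= 31:
            raise ValueError(f"rule number out of range 1-31: {line!r}")
        # strict=True rejects entries whose host bits are set for the given mask
        net = ipaddress.IPv4Network(f"{addr}/{mask.lstrip('/')}", strict=True)
        entries.append(ClassListEntry(net, kind, rule_id))
    return entries


def closest_match(entries: List[ClassListEntry], client_ip: str) -> Optional[ClassListEntry]:
    """Return the most specific entry containing client_ip (longest prefix wins)."""
    ip = ipaddress.IPv4Address(client_ip)
    candidates = [e for e in entries if ip in e.network]
    if not candidates:
        return None  # no wildcard configured: the client matches no rule at all
    return max(candidates, key=lambda e: e.network.prefixlen)


def format_entry(e: ClassListEntry) -> str:
    """Render an entry the way 'show class-list <name> <ip>' prints it."""
    return f"{e.network.network_address} /{e.network.prefixlen} {e.rule_type} {e.rule_id}"


if __name__ == "__main__":
    entries = parse_class_list(CLASS_LIST_TEST)
    for ip in ("1.1.1.1", "1.1.1.2", "20.1.2.77"):
        match = closest_match(entries, ip)
        print(ip, "->", format_entry(match) if match else "no match")
```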
IP Limiting Rules
The following command shows the configuration of each standalone IP limiting
rule:
AX#show lid
lid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1
lid 2
conn-limit 20000
conn-rate-limit 2000 per 10
request-limit 200
request-rate-limit 200 per 1
over-limit-action reset log 3
lid 30
conn-limit 10000
conn-rate-limit 1000 per 1
over-limit-action forward log
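The following added example (not A10 code) models how a rule such as lid 1 above is enforced per client: a concurrent connection limit, a connection-rate limit over a fixed window, the over-limit action, and an optional lockout period. It assumes the "per N" period is counted in 100 ms units, consistent with the 100-6553500 ms range in 100 ms increments stated in this chapter, and that the lockout starts at the first over-limit event.

```python
"""Per-client IP limiting (added example, not A10 code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IpLimitRule:
    lid: int
    conn_limit: Optional[int] = None        # max concurrent connections per client
    conn_rate: Optional[int] = None         # max new connections per period
    conn_rate_period: int = 10              # period in 100 ms units (assumption: 10 = 1 s)
    over_limit_action: str = "reset"        # drop | forward | reset
    lockout_minutes: Optional[int] = None   # 1-1023, or None for no lockout


@dataclass
class ClientState:
    current_conns: int = 0
    window_start_ms: int = 0
    window_count: int = 0
    locked_until_ms: Optional[int] = None


@dataclass
class IpLimiter:
    rule: IpLimitRule
    clients: Dict[str, ClientState] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _over_limit(self, ip: str, st: ClientState, now_ms: int, reason: str) -> str:
        if self.rule.lockout_minutes:
            # lockout: the over-limit action applies until the period expires
            st.locked_until_ms = now_ms + self.rule.lockout_minutes * 60_000
        self.log.append(f"{now_ms}ms lid {self.rule.lid} client {ip} over {reason}")
        return self.rule.over_limit_action

    def new_connection(self, ip: str, now_ms: int) -> str:
        """Evaluate a new connection; return 'allow' or the configured over-limit action."""
        st = self.clients.setdefault(ip, ClientState(window_start_ms=now_ms))
        if st.locked_until_ms is not None and now_ms < st.locked_until_ms:
            return self.rule.over_limit_action  # still locked out, no re-evaluation
        period_ms = self.rule.conn_rate_period * 100
        if now_ms - st.window_start_ms >= period_ms:
            st.window_start_ms, st.window_count = now_ms, 0  # start a new fixed window
        if self.rule.conn_limit is not None and st.current_conns >= self.rule.conn_limit:
            return self._over_limit(ip, st, now_ms, "connection limit")
        if self.rule.conn_rate is not None and st.window_count >= self.rule.conn_rate:
            return self._over_limit(ip, st, now_ms, "connection rate limit")
        st.window_count += 1
        st.current_conns += 1
        return "allow"

    def close_connection(self, ip: str) -> None:
        """A closed connection frees one slot against conn-limit (not against the rate)."""
        st = self.clients[ip]
        st.current_conns = max(0, st.current_conns - 1)


def simulate_burst(rule: IpLimitRule, ip: str, attempts: int, spacing_ms: int) -> List[str]:
    """Constructed scenario: one client opens `attempts` connections, `spacing_ms` apart."""
    limiter = IpLimiter(rule)
    return [limiter.new_connection(ip, i * spacing_ms) for i in range(attempts)]


# lid 1 from the 'show lid' output above: conn-limit 100, conn-rate-limit 100 per 10, reset
LID1 = IpLimitRule(lid=1, conn_limit=100, conn_rate=100, conn_rate_period=10,
                   over_limit_action="reset")

if __name__ == "__main__":
    results = simulate_burst(LID1, "10.1.2.1", 101, 1)
    print(results.count("allow"), "allowed, last decision:", results[-1])
```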
IP Limiting Statistics
The following command shows IP limiting statistics for the entire system:
AX#show pbslb system
System LID statistics (lid 1):
Current connection:                         1
Current connection rate:                    0/s
Total over connection limit number:         0
Total over connection rate limit number:    0
Role-Based Administration
The AX Series provides Virtualized Management, through Role-Based
Administration (RBA). RBA allows administrators (admins) to configure
and view SLB resources based on administrative domains (partitions).
RBA supports separate partitions for these types of resources. Partitioning
allows the AX device to be logically segmented to support separate configurations for different customers; for example, separate companies or separate
departments within an enterprise. Admins assigned to a partition can manage only the resources inside that partition.
Overview
Figure 179 shows an example of an AX device with multiple partitions.
FIGURE 179
Role-Based Administration
In this example, a service provider hosts an AX device shared by two companies: A.com and B.com. Each company has its own dedicated servers that
they want to manage in entirety. The partition for A.com contains A.com's
SLB resources. Likewise, the partition for B.com contains B.com's SLB
resources.
Admins assigned to the partition for A.com can add, modify, delete and save
only those resources contained in A.com's partition. Likewise, B.com's
admins can add, modify, delete and save only the resources in B.com's partition.
The following sections describe RBA in more detail.
Resource Partitions
AX system resources are contained in partitions. The AX device has a single shared partition and can have multiple private partitions.
Shared partition The shared partition contains resources that can be
admins who are assigned to it, and by admins with Root, Read Write, or
Read Only privileges. The AX device does not have any private partitions by default.
Private partitions can be created or deleted only by admins who have Root
or Read Write privileges. A maximum of 128 partitions are supported.
(For descriptions of admin privileges, see Table 25 on page 801.)
Types of Resources That Can Be Contained in Private Partitions
Only certain types of resources can be contained in private partitions. In the
current release, a private partition can contain SLB resources only:
Real servers
Virtual servers
Service groups
Templates
Health monitors
Certificates and keys
aFleX policies
All other types of resources can reside only in the shared partition and are
not configurable by admins assigned to private partitions.
Resource names must be unique within a partition. However, the same name
can be used for resources in different partitions. For example, partitions
A.com and B.com can each have a real server named rs1. The AX
device is able to distinguish between them.
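The rules stated in this section can be checked mechanically. The following is an added example, not A10 code: it models one shared partition plus up to 128 private partitions, partition creation and deletion restricted to Root or Read Write admins, partition admins confined to their own partition, resource names unique within a partition but reusable across partitions, and deletion of a partition removing its resources. It assumes Root and Read Write admins are not bound to any single partition.

```python
"""Partition-scoped authorization model for RBA (added example, not A10 code)."""
from typing import Dict, Optional, Set
from dataclasses import dataclass

MAX_PARTITIONS = 128
# The SLB resource types this section lists as allowed in private partitions.
SLB_RESOURCE_TYPES = {"real-server", "virtual-server", "service-group", "template",
                      "health-monitor", "cert-key", "aflex"}


@dataclass(frozen=True)
class Admin:
    name: str
    role: str                         # Root | Read Write | Read Only | Partition Write
    partition: Optional[str] = None   # private partition for partition admins (assumption: None for Root/Read Write)


class AuthorizationError(PermissionError):
    pass


class AxDevice:
    def __init__(self) -> None:
        # partition name -> {resource type -> set of resource names}
        self.partitions: Dict[str, Dict[str, Set[str]]] = {"shared": {}}

    def create_partition(self, admin: Admin, name: str) -> None:
        if admin.role not in ("Root", "Read Write"):
            raise AuthorizationError(f"{admin.name}: role {admin.role} cannot create partitions")
        if name in self.partitions:
            raise ValueError(f"partition {name} already exists")
        if len(self.partitions) - 1 >= MAX_PARTITIONS:   # shared partition is not counted
            raise ValueError("maximum of 128 private partitions reached")
        self.partitions[name] = {}

    def delete_partition(self, admin: Admin, name: str) -> int:
        """Delete a private partition; returns how many resources were deleted with it."""
        if admin.role not in ("Root", "Read Write"):
            raise AuthorizationError(f"{admin.name}: role {admin.role} cannot delete partitions")
        if name == "shared" or name not in self.partitions:
            raise ValueError(f"cannot delete partition {name}")
        return sum(len(names) for names in self.partitions.pop(name).values())

    def add_resource(self, admin: Admin, partition: str, rtype: str, name: str) -> None:
        if partition not in self.partitions:
            raise ValueError(f"no such partition {partition}")
        if admin.role == "Read Only":
            raise AuthorizationError(f"{admin.name}: read-only admins cannot configure")
        if admin.partition is not None and admin.partition != partition:
            raise AuthorizationError(f"{admin.name}: assigned to {admin.partition}, not {partition}")
        if partition != "shared" and rtype not in SLB_RESOURCE_TYPES:
            raise ValueError(f"{rtype} can reside only in the shared partition")
        names = self.partitions[partition].setdefault(rtype, set())
        if name in names:   # names are unique within a partition only
            raise ValueError(f"{rtype} {name} already exists in partition {partition}")
        names.add(name)

    def has_resource(self, partition: str, rtype: str, name: str) -> bool:
        return name in self.partitions.get(partition, {}).get(rtype, set())
```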
Administrator Roles
The type of access (read-only or read-write) allowed to an admin, and the
partitions where the access applies, depend on that admin's privilege level
(role). An admin account can have one of the privilege levels listed in
Table 25 on page 801.
The Partition privilege levels apply specifically to admins who are
assigned to private partitions.
[Table 25: admin privilege levels. Columns: Access to Shared Partition; Can configure other admin accounts; Can Change Own Password? Roles listed include Read Write, Read Only and Partition Write; access values are Read-write, Read-only or None.]
This section shows how to set up partitions and assign admins to them.
The partition admins will be able to configure their own SLB resources.
However, you will need to configure connectivity resources such as interfaces, VLANs, routing, and so on. You also will need to configure any
additional admin accounts for the partition.
FIGURE 183
Deleting a Partition
Only an admin with Root or Read Write privileges can delete a partition.
When a partition is deleted, all resources within the partition also are
deleted.
CLI Example
The following commands configure two private partitions, companyA
and companyB, and verify that they have been created.
AX(config)#partition companyA
AX(config)#partition companyB
AX(config)#show partition
Max Number allowed: 128
Total Number of partitions configured: 2
Partition Name                  # of Admins
-----------------------------------------------------
companyA                        32
companyB                        32

                 Status     Privilege   Partition
------------------------------------------------------
admin            Enabled    Root
compAadmin       Enabled    P.R/W       companyA
compBadmin       Enabled    P.R/W       companyB
sion only to view service port statistics for real servers in the partition,
and to disable or re-enable the real servers.
The all-partitions and partition partition-name options are not applicable for admins with Partition-write privileges. Partition admins can only
save their respective partitions. For these admins, the command syntax is
Service port statistics are not available in the GUI. To display service port
statistics, use the CLI instead.
Note:
Although the GUI displays the Delete and New buttons, these buttons are
not supported for admins with Partition Real Server Operator privileges.
To Disable or Re-Enable Individual Real Server Ports
1. Log in with your Partition Real Server Operator account.
2. Select the checkbox next to each server for which you want to disable or
re-enable service ports, or click Select All to select all of the servers.
3. Click Edit.
4. A list of all the service ports on the selected servers is displayed.
FIGURE 187
                  Current   Total     Fwd-pkt   Rev-pkt   State
------------------------------------------------------------------------------
compArs1:80/tcp   23        320543    1732383   1263164   Up /60 ms
compArs1: Total   23        321024    1732383   1263164   Up

                  Address   H-check   Status    Wgt
------------------------------------------------------------------------------
compArs1:80/tcp   7.7.7.7   Default   Enable    1000000
compArs1          7.7.7.7   Default   Disable   1000000
compArs2:80/tcp   8.8.8.8   Default   Enable    1000000
compArs2          8.8.8.8   Default   Enable    1000000
Wgt = Weight
                  Address   H-check   Status    Wgt
------------------------------------------------------------------------------
compArs1:80/tcp   7.7.7.7   Default   Enable    1000000
compArs1          7.7.7.7   Default   Disable   1000000
Wgt = Weight
SLB Parameters
This chapter lists the parameters you can configure for Server Load Balancing (SLB).
This chapter is intended only as a reference. Not every configurable
parameter will apply to a given SLB application. For information about
specific applications, see the individual SLB configuration chapters in
this guide.
Note:
For information about health monitoring parameters, see Health Monitoring on page 373.
For information about GSLB parameters, see Global Server Load Balancing on page 427.
For information about FWLB parameters, see Firewall Load Balancing
on page 327.
Table 28 lists the types of templates that are valid for each service type.
When you configure a virtual port, the AX device automatically adds any
default templates that are applicable to the service type. To override a
default template, you can configure another template of the same type and
bind that template to the virtual port instead.
For example, when you configure a virtual port that has the service type
Fast-HTTP, the following templates are automatically applied to the service
port:
TCP
HTTP
Connection Reuse (The parameters in this default template are all
unset.)
[Table 28: template types valid for each service type. Service types: Fast-HTTP, HTTP, HTTPS, FTP, MMS, RTSP, SIP, SIP-TCP, SIPS, SMTP, SSL-Proxy, TCP, TCP-Proxy, UDP, Others. Template types: Cache, Client SSL, Connection Reuse, Cookie Persistence, Destination-IP Persistence, DNS, HTTP, Policy, Server SSL, SIP, SMTP, Source-IP Persistence, SSL Session-ID Persistence, Streaming-media, TCP, UDP.]
Age time
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Default cache
action
Enabled or disabled
Default: disabled (Cacheable objects
are cached by default.)
[no] default-policy-nocache
Reload header
support
Enabled or disabled
Default: disabled
Cache-Control: no-cache
Cache-Control: max-age=0
When support for these headers is enabled, either
header causes the AX device to reload the cached
object from the origin server.
[no] accept-reload-req
Cache size
1-512 Mbytes
Default: 80 Mbytes
Minimum object
size
Supported Values
1-8000000 bytes
Default: 81920 bytes (80 Kbytes)
1-8000000 bytes
Default: 500 bytes (1/2 Kbytes)
Dynamic
caching policy
Verify host
Default: Disabled
Via header
insertion
Cookie removal
Supported Values
Default: Disabled (Age header insertion is enabled.)
Default: Disabled
[no] remove-cookies
Replacement
policy
Note: The current release does not support configuration of this option using the GUI.
Policy used to make room for new objects when the
RAM cache is full.
When the RAM cache becomes more than 90% full,
the AX device discards the least-frequently used
objects to ensure there is sufficient room for new
objects.
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Config > Service > Template > SSL > Client SSL
Supported Values
Name of a CA certificate imported
onto the AX device
Certificate name
Certificate
key-chain name
Config > Service > Template > SSL > Client SSL
Key for the certificate, and the passphrase used to
encrypt the key.
Config > Service > Template > SSL > Client SSL
Supported Values
One of the following:
ignore The AX device does not
request the client to send its certificate.
request The AX device requests
the client to send its certificate. With
this action, the SSL handshake proceeds even if either of the following
occurs:
The client sends a NULL certificate (one with zero length).
The certificate is invalid, causing
client verification to fail.
Use this option if you want the request to trigger an aFleX policy
for further processing.
require The AX device requires
the client certificate. This action
requests the client to send its certificate. However, the SSL handshake
does not proceed (it fails) if the client sends a NULL certificate or the
certificate is invalid.
Certificate
Revocation List
(CRL)
Default: ignore
Name of a CRL imported onto the AX
device
Session cache
size
0-131072
Default: 0 (session ID reuse is disabled)
Config > Service > Template > SSL > Client SSL
Supported Values
One or more of the following:
[no] cipher
SSL3_RSA_DES_40_CBC_SHA
Config > Service > Template > SSL > Client SSL Cipher
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_EXPORT1024_RC4_56
_MD5
TLS1_RSA_EXPORT1024_RC4_56
_SHA
Close
notification
[no] close-notify
Config > Service > Template > SSL > Client SSL Cipher
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Supported Values
Limit-per-server 0-65535. For
unlimited connections, specify 0.
Limit-per-server: 1000
0-3600 seconds
To disable timeout, specify 0.
Default: 2400 seconds (40 minutes)
Cookie
expiration
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Path
Insert always
Supported Values
Valid domain name
1-31 characters
Default: /
Enabled or disabled
[no] insert-always
Config > Service > Template > Persistent > Cookie
Persistence
Match type
Server
Service-group
Default: Port
Supported Values
String of 1-63 characters
Default: sto-id
Ignore
connection limits
Enabled or Disabled
Default: Disabled. By default, the connection limit set on real servers and
real ports is used.
[no] dont-honor-conn-rules
Config > Service > Template > Persistent > Cookie
Persistence
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Supported Values
One of the following:
Port Traffic from a given client to the same virtual port is always sent to the same real port. This
is the most granular setting.
Service-group
Server
Default: Port
Supported Values
Valid IPv4 network mask
Default: 255.255.255.255
Timeout
Ignore
connection limits
Enabled or Disabled
Default: Disabled. By default, the connection limit set on real servers and
real ports is used.
[no] dont-honor-conn-rules
Config > Service > Template > Persistent >
Destination IP Persistence
Action for
malformed DNS
queries
(DNS security)
Supported Values
String of 1-31 characters
Default: None.
Drop or forward
Failover URL
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Valid URL
Default: Not set
Supported Values
1-3
Default: Disabled. The AX device
sends the 5xx status code to the client.
When you enable this option, the
default number of retries is 3.
The first command shown below stops using a service port for 30 seconds after reassignment. The
second command does not.
[no] retry-on-5xx num
[no] retry-on-5xx-per-req num
Config > Service > Template > Application > HTTP
Logging of HTTP retries is disabled by default. To enable it, use the
following command at the configuration level for the HTTP template:
[no] log-retry
Note: The current release does not support configuration of the log-retry option using the GUI.
Logging of
retries
Enabled or disabled
Default: disabled
Supported Values
Any of the following:
enable Enables compression.
content-type Specifies the types
of content to compress, based on a
string in the content-type header of
the HTTP response. The content string can be 1-64 characters long.
exclude-content-type Specifies the
types of content to exclude from
compression.
exclude-uri Specifies URI strings
(up to 31 characters) to exclude
from compression.
keep-accept-encoding enable
Leaves the Accept-Encoding header
in HTTP requests from clients
instead of removing the header.
level Specifies the compression
level, 1-9. Each level provides a
higher compression ratio, beginning with level 1, which provides
the lowest compression ratio. A
higher compression ratio results in a
smaller file size after compression.
However, higher compression levels
also require more CPU processing
than lower compression levels, so
performance can be affected.
minimum-content-length Specifies the minimum length (in bytes) a
server response can be in order to be
compressed. The length applies to
the content only and does not
include the headers. You can specify
0-2147483647 bytes.
(cont.)
Supported Values
Compression is disabled by default.
When it is enabled, the compression
options have the following defaults:
content-type text and application included by default
exclude-content-type not set
exclude-content not set
keep-accept-encoding disabled
level 1
Header insert /
replace
minimum-content-length 120
bytes
String of 1-256 characters
Default: Not set
[no] request-header-insert
field:value [insert-always |
insert-if-not-exist]
[no] response-header-insert
field:value [insert-always |
insert-if-not-exist]
Config > Service > Template > Application > HTTP
Header erase
Note: These options are not supported with the fasthttp service type. The AX device does not allow an
HTTP template with any of the header erase or
header insert options to be bound to a fast-http virtual port. Likewise, the AX device does not allow
header options to be added to an HTTP template
that is already bound to a fast-http virtual port.
Erases the specified header from an HTTP request
or reply.
Supported Values
Each host string can be all or part of an
IP address or host name.
Default: Not set
Redirect rewrite
[no] redirect-rewrite
match url-string
rewrite-to url-string
Config > Service > Template > Application > HTTP
Strict
transaction
switching
Supported Values
Strings of 1-256 characters
Default: Not set
Enabled or disabled
Default: Disabled
[no] strict-transaction-switch
URL switching
[no] url-switching
{starts-with | contains |
ends-with} url-string
service-group service-group-name
If the URL-string does not match, the service group
configured on the virtual port is used.
Selection is performed using the following match
filters:
starts-with url-string matches only if the URL
starts with url-string.
contains url-string matches if the url-string
appears anywhere within the URL.
ends-with url-string matches only if the URL
ends with url-string.
The match options are always applied in the order
listed above, regardless of the order in which they
appear in the configuration. The service group for
the first match is used.
If a URL matches on more than one match filter of
the same type, the most specific match is used.
Config > Service > Template > Application > HTTP
Note: You can configure a maximum of 16 URL
switching rules in a template. If you need to use
more, use aFleX policies.
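The selection order described above can be expressed directly. This added example (not A10 code) evaluates starts-with, then contains, then ends-with regardless of configuration order, picks the longest url-string among matches of one type as the most specific, falls back to the virtual port's service group, and refuses a 17th rule; the rule strings and service-group names are constructed, and reading "most specific" as "longest url-string" is this example's assumption.

```python
"""Service-group selection by HTTP template URL switching rules (added example, not A10 code)."""
from dataclasses import dataclass
from typing import List

FILTER_ORDER = ("starts-with", "contains", "ends-with")   # fixed evaluation order
MAX_URL_SWITCHING_RULES = 16


@dataclass(frozen=True)
class UrlSwitchingRule:
    match_filter: str        # starts-with | contains | ends-with
    url_string: str
    service_group: str

    def matches(self, url: str) -> bool:
        if self.match_filter == "starts-with":
            return url.startswith(self.url_string)
        if self.match_filter == "contains":
            return self.url_string in url
        if self.match_filter == "ends-with":
            return url.endswith(self.url_string)
        raise ValueError(f"unknown match filter {self.match_filter}")


class HttpTemplate:
    def __init__(self, default_service_group: str) -> None:
        # service group bound on the virtual port: used when no rule matches
        self.default_service_group = default_service_group
        self.rules: List[UrlSwitchingRule] = []

    def add_rule(self, match_filter: str, url_string: str, service_group: str) -> None:
        """Mirror of 'url-switching {starts-with|contains|ends-with} url-string service-group name'."""
        if match_filter not in FILTER_ORDER:
            raise ValueError(f"invalid match filter {match_filter}")
        if len(self.rules) >= MAX_URL_SWITCHING_RULES:
            raise ValueError("maximum of 16 URL switching rules per template; use aFleX instead")
        self.rules.append(UrlSwitchingRule(match_filter, url_string, service_group))

    def select_service_group(self, url: str) -> str:
        for filter_type in FILTER_ORDER:   # config order is irrelevant
            hits = [r for r in self.rules if r.match_filter == filter_type and r.matches(url)]
            if hits:
                # most specific match within one filter type: the longest url-string (assumption)
                return max(hits, key=lambda r: len(r.url_string)).service_group
        return self.default_service_group


if __name__ == "__main__":
    t = HttpTemplate("sg-default")
    t.add_rule("ends-with", ".jpg", "sg-images")          # configured first, evaluated last
    t.add_rule("starts-with", "/static", "sg-static")
    t.add_rule("starts-with", "/static/video", "sg-video")
    print(t.select_service_group("/static/video/clip.jpg"))   # sg-video
```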
Supported Values
First or last
4-128 bytes
Default: Not set
Enabled or disabled
Default: disabled
[no] term-11client-hdr-conn-close
Note: The current release does not support configuration of this option using the GUI.
Black/white list
name
Supported Values
String of 1-31 characters
Default: None.
Default:
Timeout for
dynamic clients
1-127 minutes
Default: 5
Supported Values
The following settings are configurable:
[no] bw-list id id
{service service-group-name |
drop | reset}
[logging [minutes] [fail]]
Note: If the option to use default selection if preferred server selection fails is enabled on the virtual
port, log messages will never be generated for
server-selection failures. To ensure that messages
are generated to log server-selection failures, disable the option on the virtual port. This limitation
does not affect failures that occur because a client is
over their PBSLB connection limit. These failures
are still logged.
Overlap
Class list IP
address
matching
Supported Values
Enabled or Disabled
Default: Disabled. Matching is based
on the client's source IP address.
Supported Values
Valid values:
Limit ID (LID) 1-31
Connection limit 1-1048575
Connection-rate limit
1-4294967295 connections. The
limit period can be 100-6553500
milliseconds (ms), specified in
increments of 100 ms.
Request limit 1-1048575
Request-rate limit 1-4294967295
connections. The limit period can be
100-6553500 milliseconds (ms),
specified in increments of 100 ms.
Over-limit action Drop, Forward,
or Reset
Lockout period 1-1023 minutes
Logging Enabled or disabled. The
logging period can be 0-255 minutes.
Default:
Supported Values
Disabled
Permit
Deny
Connection number
Connection limit
[no] geo-location share
Note: The current release does not support configuration of this option using the GUI.
Note: It is recommended to enable or disable this
option before enabling GSLB. Changing the state of
this option while GSLB is running can cause the
related statistics counters to be incorrect.
Certificate
Authority (CA)
certificate name
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Config > Service > Template > SSL > Server SSL
Name of the Certificate Authority (CA) certificate
to use for validating server certificates.
[no] ca-cert cert-name
Config > Service > Template > SSL > Server SSL
Note: To use the certificate, you must import it onto
the AX device. (See Importing SSL Certificates
on page 467.)
Supported Values
One or more of the following:
[no] cipher
SSL3_RSA_DES_40_CBC_SHA
Config > Service > Template > SSL > Server SSL
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_EXPORT1024_RC4_56
_MD5
TLS1_RSA_EXPORT1024_RC4_56
_SHA
Default: All the above are enabled.
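The cipher list above is the same one offered by the Client SSL template earlier in this chapter, and the Server SSL default enables all of it. The following added example (not A10 code) classifies those names so a reviewer can see what that default leaves on; the classification rules (export-grade, 40/56-bit, single DES, RC4 and MD5 as weak; 3DES as legacy; AES with SHA as acceptable) are the example's own, not the product's.

```python
"""Audit of the SSL template cipher list (added example, not A10 code)."""
from typing import Dict, List

# Cipher names exactly as listed for the Client SSL and Server SSL templates on this page.
PAGE_CIPHERS: List[str] = [
    "SSL3_RSA_DES_40_CBC_SHA", "SSL3_RSA_DES_64_CBC_SHA", "SSL3_RSA_DES_192_CBC3_SHA",
    "SSL3_RSA_RC4_128_MD5", "SSL3_RSA_RC4_128_SHA", "SSL3_RSA_RC4_40_MD5",
    "TLS1_RSA_AES_128_SHA", "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5", "TLS1_RSA_EXPORT1024_RC4_56_SHA",
]


def classify_cipher(name: str) -> str:
    """Return 'weak', 'legacy', 'acceptable' or 'unknown' from the name's components."""
    parts = name.split("_")
    if "EXPORT1024" in parts or "40" in parts or "56" in parts:
        return "weak"          # export-grade or key of 56 bits or less
    if "RC4" in parts or "MD5" in parts:
        return "weak"          # broken stream cipher or broken MAC hash
    if "DES" in parts and "CBC3" not in parts:
        return "weak"          # single DES (the 64 in the name is the block size)
    if "CBC3" in parts:
        return "legacy"        # 3DES: 64-bit block, limited to small data volumes
    if "AES" in parts:
        return "acceptable"
    return "unknown"


def audit(enabled: List[str]) -> Dict[str, List[str]]:
    """Group an enabled cipher list by classification, preserving list order."""
    report: Dict[str, List[str]] = {}
    for cipher in enabled:
        report.setdefault(classify_cipher(cipher), []).append(cipher)
    return report


def hardened_cipher_list(enabled: List[str]) -> List[str]:
    """The subset to keep; each other entry is a candidate for 'no cipher <name>'."""
    return [c for c in enabled if classify_cipher(c) == "acceptable"]


if __name__ == "__main__":
    for category, names in audit(PAGE_CIPHERS).items():
        print(f"{category}: {', '.join(names)}")
```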
Supported Values
String of 1-31 characters
Default: None.
Supported Values
Enabled or disabled
Default: Disabled
[no] client-keep-alive
Server
Keep-Alive
5-300 seconds
Default: 30
[no] insert-client-ip
Select Client Fail
Action
Supported Values
The action can be one of the following:
Drop
Reset
Send message
Default: Reset
Enabled or disabled
Default: Disabled
1-250 minutes
Default: 30 minutes
Registrar service
group
Supported Values
String of 1-31 characters
Default: None.
Supported Values
1-250 minutes
Default: 30 minutes
Domain name
switching
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Strings
Default: Not set. All client domains
match, and any service group can be
used.
Supported Values
STARTTLS
command disable
Email server
domain
String
Default: mail-server-domain
Service ready
message
String
Default: ESMTP mail service ready
Supported Values
One of the following:
Disabled Clients cannot use
STARTTLS. Use this option if you
need to disable STARTTLS support
but you do not want to remove the
configuration.
Optional Clients can use STARTTLS but are not required to do so.
Enforced Before any mail transactions are allowed, the client must
issue the STARTTLS command to
establish a secured session. If the
client does not issue the STARTTLS
command, the AX sends the following message to the client: "530 Must issue a STARTTLS command
first"
Default: Disabled
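The three STARTTLS settings can be modelled as a small command-handling state machine. This is an added example, not A10 code: under Enforced, any MAIL, RCPT or DATA command before STARTTLS receives the 530 reply quoted above; under Disabled, STARTTLS itself is refused; under Optional both paths work. The greeting uses this template's defaults (mail-server-domain, ESMTP mail service ready); all other reply texts and the client dialogue are constructed for the example.

```python
"""SMTP proxy STARTTLS policy: Disabled, Optional, Enforced (added example, not A10 code)."""
from typing import List, Tuple

TRANSACTION_COMMANDS = {"MAIL", "RCPT", "DATA"}
STARTTLS_REQUIRED_REPLY = "530 Must issue a STARTTLS command first"   # text from this page


class SmtpProxySession:
    def __init__(self, starttls_mode: str, domain: str = "mail-server-domain") -> None:
        if starttls_mode not in ("Disabled", "Optional", "Enforced"):
            raise ValueError(f"invalid STARTTLS mode {starttls_mode}")
        self.mode = starttls_mode
        self.domain = domain
        self.tls_active = False
        self.transcript: List[Tuple[str, str]] = []

    def greeting(self) -> str:
        # Email server domain and service ready message defaults from the SMTP template table
        return f"220 {self.domain} ESMTP mail service ready"

    def handle(self, line: str) -> str:
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            if self.mode == "Disabled":
                reply = "502 STARTTLS not supported"        # constructed reply text
            elif self.tls_active:
                reply = "503 TLS already active"            # constructed reply text
            else:
                self.tls_active = True                      # the TLS handshake would follow here
                reply = "220 Ready to start TLS"            # constructed reply text
        elif verb in TRANSACTION_COMMANDS and self.mode == "Enforced" and not self.tls_active:
            reply = STARTTLS_REQUIRED_REPLY                 # mail transaction refused until TLS
        elif verb in ("EHLO", "HELO", "NOOP") or verb in TRANSACTION_COMMANDS:
            reply = "250 OK"
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "500 Command not recognized"
        self.transcript.append((line, reply))
        return reply


def run_dialogue(mode: str, commands: List[str]) -> List[str]:
    """Feed a constructed client dialogue through the proxy and return the replies."""
    session = SmtpProxySession(mode)
    return [session.handle(c) for c in commands]


if __name__ == "__main__":
    dialogue = ["EHLO client.example", "MAIL FROM:<a@example>", "STARTTLS", "MAIL FROM:<a@example>"]
    for cmd, reply in zip(dialogue, run_dialogue("Enforced", dialogue)):
        print(f"C: {cmd}\nS: {reply}")
```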
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Supported Values
One of the following:
Port Traffic from a given client to the same virtual port is always sent to the same real port. This
is the most granular setting.
Service-group
Server
Default: Port
Supported Values
Valid IPv4 network mask
Default: 255.255.255.255
Timeout
Ignore
connection limits
Enabled or Disabled
Default: Disabled. By default, the connection limit set on real servers and
real ports is used.
[no] dont-honor-conn-rules
Config > Service > Template > Persistent > Source
IP Persistence
Timeout
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
1-250 minutes
Default: 5 minutes
Ignore
connection limits
Enabled or Disabled
Default: Disabled. By default, the connection limit set on real servers and
real ports is used.
[no] dont-honor-conn-rules
Config > Service > Template > Persistent >
SSL Session ID Persistence
URI switching
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
Supported Values
String of 1-31 characters
Default: default. The default template has the default values listed
below.
60-120000 seconds (about 33 hours)
Default: 120 seconds
854 of 950
P e r f o r m a n c e
b y
D e s i g n
Server reset
Supported Values
60-15000 seconds
Default: Not set. The AX device keeps
half-closed sessions open indefinitely.
Enabled or disabled
Default: Disabled
[no] reset-fwd
Client reset
Initial window
size
Enabled or disabled
Default: Disabled
1-65535 bytes
Default: The AX device uses the TCP
window size set by the client or server.
Template name
  Supported Values: String of 1-31 characters
  Default: default. The default template has the default values listed below.
FIN timeout
  Supported Values: 1-60 seconds
  Default: 5 seconds
Idle timeout
Half-closed session timeout
  Supported Values: 60-15000 seconds
  Default: Not set. The AX device keeps half-closed sessions open indefinitely.
Nagle algorithm
  Supported Values: Enabled or disabled
  Default: Disabled
Receive buffer size
  Supported Values: 1-2147483647 bytes
  Default: 87380 bytes
Retransmit retries
  Supported Values: 1-20
  Default: 3
SYN retries
  Supported Values: 1-20
  Default: 5
Time-Wait
  Supported Values: 1-60 seconds
  Default: 5 seconds
Transmit buffer size
  Supported Values: 1-2147483647 bytes
  Default: 16384 bytes
Initial window size
  Supported Values: 1-65535 bytes
  Default: The AX device uses the TCP window size set by the client or server.
Minimum TCP MSS size
  Supported Values: 128-4312
  Default: 538
  CLI: [no] mss
  Note: The current release does not support configuration of this option using the GUI.
Template name
  Supported Values: String of 1-31 characters
  Default: default. The default template has the default values listed below.
Supported Values: One of the following:
  Immediate
Supported Values: 60-120000 seconds (about 33 hours)
Default: 120 seconds
Server reselection
  Supported Values: Enabled or disabled
  Default: Disabled
Supported Values: Enabled or disabled
Default: Enabled
Supported Values: Enabled or disabled
Default: Disabled
Graceful shutdown
Maximum session life
  Supported Values: 1-40 seconds
  Default: 2 seconds
SYN cookies
  Supported Values: Disabled or Enabled
  On-Threshold  0-2147483647 half-open connections
  Off-Threshold  0-2147483647 half-open connections
  Default: Disabled
  Note: If you leave the On-Threshold and Off-Threshold fields blank, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the AX device.
  CLI: [no] syn-cookie [on-threshold num off-threshold num]
  GUI: Config > Service > SLB > Global > Settings
  Note: This option is supported only on models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200.
Source-IP based connection rate limiting
  Supported Values: Enabled or disabled
  Default: Disabled
  Exceed actions  All connection requests in excess of the connection limit that are received from a client within the limit period are dropped. This action is enabled by default when you enable the feature, and cannot be disabled. Optionally, you can enable one or both of the following additional exceed actions:
    Logging  Generates a log message when a client exceeds the connection limit.
    Lockout  Locks out the client for a specified number of seconds. During the lockout period, all connection requests from the client are dropped. The lockout period can be 1-3600 seconds (1 hour). There is no default.
DNS caching
  CLI: [no] dns-cache-enable
       [no] dns-cache-age seconds
  GUI: Config > Service > SLB > Global > Settings
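The exceed actions of source-IP connection rate limiting, as an added example that is not A10 code: a per-source-IP limiter that always drops requests over the limit and optionally logs them or locks the source out. The limit period is modelled as a sliding window, and the limit, period and lockout values are constructed; whether drops during a lockout are also logged is this example's assumption (they are not).

```python
# Added example, not A10 code: source-IP connection rate limiting with the
# exceed actions described above. The limit period is modelled as a sliding
# window; the limit, period and lockout values are constructed, and not
# logging requests dropped during an active lockout is an assumption.
import bisect
from collections import defaultdict


class SourceIpRateLimiter:
    def __init__(self, limit, period, logging=False, lockout=None):
        self.limit = limit          # connection requests allowed per period
        self.period = period        # limit period in seconds
        self.logging = logging      # optional exceed action: log
        self.lockout = lockout      # optional exceed action: lockout seconds
        self._history = defaultdict(list)   # src_ip -> sorted timestamps
        self._locked_until = {}             # src_ip -> time lockout ends
        self.log = []                       # (time, src_ip) log records

    def admit(self, src_ip, now):
        """Return True if the request is accepted, False if it is dropped."""
        until = self._locked_until.get(src_ip)
        if until is not None:
            if now < until:
                return False            # locked out: drop
            del self._locked_until[src_ip]
        hist = self._history[src_ip]
        # Forget requests older than the limit period.
        del hist[:bisect.bisect_right(hist, now - self.period)]
        if len(hist) >= self.limit:
            # Mandatory exceed action: drop. Optional actions follow.
            if self.logging:
                self.log.append((now, src_ip))
            if self.lockout:
                self._locked_until[src_ip] = now + self.lockout
            return False
        hist.append(now)
        return True

    def is_locked_out(self, src_ip, now):
        return now < self._locked_until.get(src_ip, float("-inf"))


if __name__ == "__main__":
    # Constructed burst: 3 requests per 10 s allowed, 60 s lockout on excess.
    rl = SourceIpRateLimiter(limit=3, period=10, logging=True, lockout=60)
    for t in (0, 1, 2, 3, 50, 64):
        print(t, rl.admit("203.0.113.9", t))
    print("log:", rl.log)
```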
Supported Values: Enabled or disabled
Default: Disabled
Layer 7 request accounting
  Supported Values: Enabled or disabled
  Default: Disabled
Supported Values: Enabled or disabled
Default: Disabled
Trunk load balancing
Fast-path processing
Supported Values: Name of a configured TCP template. To use the default TCP template, specify the name default.
Default: The default idle timeout for pass-through TCP sessions is 30 minutes. The default idle timeout in TCP templates is 120 seconds.
Supported Values: Enabled or disabled
Default: Enabled
Statistics collection
  Supported Values: Enabled or disabled
  Default: Statistical data collection for system resources is enabled by default. This also allows collection for those individual load-balancing resources on which collection is enabled. Statistical data collection also is enabled by default on individual load-balancing resources.
Supported Values: The supported values and defaults depend on the AX model. See the CLI online help.
Compression block size
  Supported Values: 6000-32000 bytes
  Defaults:
DDoS Protection
Log rate limiting
  Max-remote-rate  Specifies the maximum number of messages per second that can be sent to remote log servers.
  Exclude-destination  Local, remote, or both
  CLI: slb rate-limit-logging [max-local-rate msgs-per-second] [max-remote-rate msgs-per-second] [exclude-destination {local | remote}]
  GUI: Config > Service > SLB > Global > Rate-Limit Log
Server name and IP address
  Supported Values: String of 1-31 characters; IPv4 or IPv6 address
  Default: None configured
  Note: The name does not need to match the hostname configured on the server.
  Configurable in Real Server Template? N/A
Server state
  State of the real server.
  Supported Values: Enabled or disabled
  Default: Enabled
  CLI: [no] {disable | enable}
  Configurable in Real Server Template? No
Real server template
  Supported Values: Name of a configured real server template
  Default: Default real server template
  Configurable in Real Server Template? N/A
Health check
  Supported Values: Enabled or disabled; Name of a configured health monitor
  Default: Enabled; ping (ICMP)
  Configurable in Real Server Template? Yes
Connection limit
  Supported Values: 1-1000000 (one million) if configured on the real server; 1-1048575 if configured in the server template
  Default: 1000000 if configured on the real server; 1048575 if configured in the server template
  Configurable in Real Server Template? Yes
Connection resume
  Supported Values: 1-1000000 (one million) connections
  Default: Not set. The AX device is allowed to start sending new connection requests to the server as soon as the number of connections on the server falls back below the connection limit.
  Configurable in Real Server Template? Yes, but as an additional parameter with the conn-limit command (CLI) or an additional field under Connection Limit Status (GUI)
Service port
  Supported Values: Transport protocol: TCP or UDP; Port number: 0-65534
  Configurable in Real Server Template? N/A
Slow start
  CLI: [no] slow-start
  Configurable in Real Server Template? Yes
  Note: Template configuration of this feature provides additional options. See Slow-Start on page 366.
Weight
  Supported Values: 1-100
  Default: 1
  Configurable in Real Server Template? No
Supported Values: Valid IP address
Configurable in Real Server Template? No
Spoofing cache
  Supported Values: Enabled or disabled
  Default: Disabled
  Configurable in Real Server Template? No
Statistics collection
  Supported Values: Enabled or disabled
  Default: Enabled
  CLI: stats-data-enable | stats-data-disable
  Configurable in Real Server Template? No
GSLB IPv6 mapping
  Default: None
  Configurable in Real Server Template? No
Service port number and transport protocol
  Supported Values: TCP or UDP; 0-65534
  Default: Not set
  Note: Port number 0 is a wildcard port used for IP protocol load balancing. (For more information, see IP Protocol Load Balancing on page 263.)
  Configurable in Real Port Template? N/A
Service port state
  Supported Values: Enabled or disabled
  Default: Enabled
  Configurable in Real Port Template? No
Real server port template
  Supported Values: Name of a configured real port template
  Default: Default real port template
  Configurable in Real Port Template? N/A
Health check
  Supported Values: Enabled or disabled; Name of a configured health monitor
  Default: The AX performs the default TCP or UDP check every 5 seconds. (See Default Health Checks on page 373.)
  Configurable in Real Port Template? Yes (The follow-port option cannot be configured using a template.)
Connection limit
  Supported Values: 1-1000000 (one million) if configured on the server port; 1-1048575 if configured in the server port template
  Default: 1000000 if configured on the server port; 1048575 if configured in the server port template
  Configurable in Real Port Template? Yes
Connection resume
  Supported Values: 1-1000000 (one million) connections
  Default: Not set. The AX device is allowed to start sending new connection requests to the port as soon as the number of connections on the port falls back below the connection limit.
  Configurable in Real Port Template? Yes
Weight
  Supported Values: 1-100
  Default: 1
Supported Values: Enabled or disabled
Default: Disabled (SSL is enabled)
Configurable in Real Port Template? No
Statistics collection
  Supported Values: Enabled or disabled
  Default: Enabled
  CLI: stats-data-enable | stats-data-disable
  Configurable in Real Port Template? No
  GUI: Config > Service > SLB > Server - Port
Member
Supported Values: String of 1-31 characters
TCP or UDP
Load-balancing method
  Supported Values: One of the following:
  Fastest-response  Selects the server with the fastest SYN-ACK response time.
  Least-connection  Selects the server that currently has the fewest connections.
  Service-least-connection  Selects the server port that currently has the fewest connections. If there is a tie, the port (among those tied) that has the lowest number of request bytes plus response bytes is selected. If there is still a tie, a port is randomly selected from among the ones that are still tied.
  Weighted-least-connection  Selects a server based on a combination of the server's administratively assigned weight and the number of connections on the server.
  Service-weighted-least-connection  Same as weighted-least-connection, but per service.
  Least-request  Selects the real server port for which the AX device is currently processing the fewest HTTP requests. This method is applicable to HTTP load balancing.
  Weighted-round-robin  Selects servers in rotation, biased by the servers' administratively assigned weights. If the weight value is the same on each server, this load-balancing method simply selects the servers in rotation.
  Round Robin Strict  Provides a more exact round-robin method. The standard, default round robin method is optimized for high performance. Over time, this optimization can result in a slight imbalance in server selection. Server selection is still basically round robin, but over time some servers may be selected slightly more often than others.
  The following methods apply only to stateless SLB. (For more information, see Stateless SLB on page 285.)
  Stateless-src-ip-hash  Balances server load based on a hash value calculated using the source IP address and source TCP or UDP port.
  Stateless-src-dst-ip-hash  Balances server load based on a hash value calculated using both the source and destination IP addresses and TCP or UDP ports.
  Stateless-dst-ip-hash  Balances server load based on a hash value calculated using the destination IP address and destination TCP or UDP port.
  Stateless-per-pkt-round-robin  Balances server load by sending each packet to a different server, in rotation. This method is applicable only for UDP DNS traffic.
  Stateless-src-ip-only-hash  Balances server load based on a hash value calculated using the source IP address only.
  Default: Round robin (simple rotation without weighting)
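Several of the methods listed above, as added reference implementations that are not A10 code, run over constructed member state. Member names, weights and counters are made up; the smooth weighted round-robin variant and the SHA-256-based stateless hash are this example's own choices and not the AX implementation.

```python
# Added example, not A10 code: reference implementations of several of the
# load-balancing methods listed above, run over constructed member state.
# Member names, weights and counters are made up; the smooth weighted
# round-robin and the SHA-256-based stateless hash are this example's choices,
# not the AX implementation.
import hashlib
import random
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int = 1
    connections: int = 0
    request_bytes: int = 0
    response_bytes: int = 0
    http_requests: int = 0


def least_connection(members):
    return min(members, key=lambda m: m.connections)


def service_least_connection(members, seed=None):
    """Fewest connections; ties broken by lowest request + response bytes;
    any remaining tie is broken at random, as the text describes."""
    fewest = min(m.connections for m in members)
    tied = [m for m in members if m.connections == fewest]
    fewest_bytes = min(m.request_bytes + m.response_bytes for m in tied)
    tied = [m for m in tied if m.request_bytes + m.response_bytes == fewest_bytes]
    return random.Random(seed).choice(tied)


def weighted_least_connection(members):
    """Connections normalised by administrative weight."""
    return min(members, key=lambda m: m.connections / m.weight)


def least_request(members):
    """Fewest HTTP requests currently being processed."""
    return min(members, key=lambda m: m.http_requests)


class WeightedRoundRobin:
    """Rotation biased by weight (smooth WRR): over one cycle each member is
    chosen `weight` times; equal weights reduce to plain round robin."""

    def __init__(self, members):
        self.members = list(members)
        self.current = {m.name: 0 for m in self.members}

    def next(self):
        total = sum(m.weight for m in self.members)
        for m in self.members:
            self.current[m.name] += m.weight
        chosen = max(self.members, key=lambda m: self.current[m.name])
        self.current[chosen.name] -= total
        return chosen


def wrr_cycle(members, n):
    """Names chosen by weighted round robin over n selections."""
    wrr = WeightedRoundRobin(members)
    return [wrr.next().name for _ in range(n)]


def stateless_hash(members, *fields):
    """Stateless hashing: the same field tuple always maps to the same member.
    src-ip-hash hashes (src_ip, src_port); src-dst-ip-hash adds the destination
    address and port; src-ip-only-hash hashes (src_ip,) alone."""
    key = "|".join(str(f) for f in fields).encode()
    digest = hashlib.sha256(key).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


if __name__ == "__main__":
    pool = [Member("s1", weight=1, connections=5),
            Member("s2", weight=3, connections=9),
            Member("s3", weight=1, connections=7)]
    print("least-connection:", least_connection(pool).name)
    print("weighted-least-connection:", weighted_least_connection(pool).name)
    print("weighted-round-robin:", wrr_cycle(pool, 5))
    print("src-ip-hash:", stateless_hash(pool, "10.0.0.1", 40000).name)
```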
Health monitor
  Supported Values: The default health monitor (IP ping) or the name of a configured health monitor
  Default: Not set
Minimum active members
  Supported Values: 1-63
  Default: Not set. Backup servers are used only if all primary servers are unavailable.
  When you configure this parameter, the skip-pri-set option is disabled by default, for all load-balancing methods except round-robin. For round-robin (the default), skip-pri-set is always enabled and cannot be disabled.
Supported Values: Enabled or disabled
Default: Disabled
Statistics collection
  Supported Values: Enabled or disabled
  Default: Enabled
  CLI: stats-data-enable | stats-data-disable
  GUI: Config > Service > SLB > Service Group
Virtual server name and virtual IP address
  Supported Values: String of 1-31 characters; IPv4 or IPv6 address
  Default: None configured
  Configurable in Virtual Server Template? N/A
Virtual server state
  Supported Values: Enabled or disabled
  Default: Virtual servers are enabled by default. The when-all-ports-down option is disabled by default.
  Configurable in Virtual Server Template? No
Virtual server template
  Default: Default virtual server template
  Configurable in Virtual Server Template? N/A
Virtual service port number and service type
  Supported Values: Port number: 0-65535
  Service type: fast-http, ftp, http, https, mms, rtsp, sip, smtp, ssl-proxy, tcp, udp, others
  Configurable in Virtual Server Template? N/A
ARP disable
  Default: Disabled; ARP replies are enabled.
  CLI: [no] arp-disable
  GUI: Config > Service > SLB > Virtual Server
  Configurable in Virtual Server Template? No
HA group ID
  Supported Values: 1-31
  Configurable in Virtual Server Template? No
VIP-based High Availability (HA) failover
  Supported Values: Enabled or disabled
  Configurable in Virtual Server Template? No
Supported Values: 1-255
OSPF redistribution
  Supported Values: Set or not set
  Configurable in Virtual Server Template? No
  Setting this option enables you to selectively redistribute individual VIPs. Without this option, the VIP is automatically redistributed if VIP redistribution is enabled in OSPF.
  To redistribute a VIP, set this option on the VIP, and enter the following command at the OSPF configuration level: redistribute vip only-flagged
  To exclude this VIP from redistribution, set this option on the VIP, and enter either of the following commands at the OSPF configuration level: redistribute vip only-not-flagged or redistribute vip
  CLI: [no] redistribution-flagged
  Note: The current release does not support configuration of this option using the GUI.
Statistics collection
  Enables or disables collection of statistical data for the virtual server.
  Supported Values: Enabled or disabled
  Default: Enabled
  CLI: stats-data-enable | stats-data-disable
  Configurable in Virtual Server Template? No
  GUI: Config > Service > SLB > Virtual Server
Virtual service port number and service type
  Supported Values: Port number: 0-65535
  Service type: fast-http, ftp, http, https, mms, rtsp, sip, sip-tls, sips, smtp, ssl-proxy, tcp, udp
  In the CLI, this is set at the virtual server configuration level. In the GUI, this is set on the Virtual Server Port page.
  Default: None configured
  Configurable in Virtual Port Template? N/A
Virtual service port state
  Supported Values: Enabled or disabled
  Default: Enabled
  Configurable in Virtual Port Template? No
Virtual port template
  Supported Values: Name of a configured virtual port template
  Default: Default virtual port template
  Configurable in Virtual Port Template? N/A
Service group
  Supported Values: Name of a configured service group
  Configurable in Virtual Port Template? No
Template
  Supported Values: Template type: One of the types described in Service Template Parameters on page 819. Template name: Name of a configured template.
  Default: Depends on whether the template type has a default and whether the service type uses that template type. (See Service Template Parameters on page 819.)
  Configurable in Virtual Port Template? N/A
Access Control List (ACL)
  ID of an ACL. If you do not also specify a NAT pool name, the ACL is used to deny or permit inbound traffic on the service port.
  Supported Values: Valid standard or extended ACL ID
  Default: None
  Configurable in Virtual Port Template? No
aFleX policy
  Supported Values: Name of a configured aFleX policy.
  Default: None
  Configurable in Virtual Port Template? No
Connection limit
  Supported Values: 0-8000000 (8 million). 0 means no limit.
  Default: Not set
Session synchronization (connection mirroring)
  Supported Values: Enabled or disabled
  Default: Disabled
  CLI: [no] ha-conn-mirror
  GUI: Config > Service > SLB > Virtual Server - Virtual Server Port
  Configurable in Virtual Port Template? No
Direct Server Return (DSR)
  Supported Values: Enabled or disabled
  Configurable in Virtual Port Template? No
Policy-based SLB (PBSLB)
  Supported Values: Name of a configured black/white list. The list must be imported onto the AX device.
  Configurable in Virtual Port Template? No
Source NAT
  Configurable in Virtual Port Template? No
VIP Source NAT
  Supported Values: Enabled or disabled
  Default: Disabled
  Configurable in Virtual Port Template? No
Software-based protection against TCP SYN flood attacks
  Supported Values: Enabled or disabled
  Default: Disabled
  Configurable in Virtual Port Template? No
Use receive hop for responses
  Supported Values: Enabled or disabled
  Default: Disabled
  CLI: [no] use-rcv-hop-for-resp
  GUI: Config > Service > SLB > Virtual Server - Virtual Server Port
  Configurable in Virtual Port Template? No
Reset after server selection failure
  Supported Values: Enabled or disabled
  Default: Disabled
  Configurable in Virtual Port Template? No
Default forwarding after server selection failure
  Supported Values: Enabled or disabled
  Default: Disabled
  Configurable in Virtual Port Template? No
Default selection if preferred server selection fails
  Supported Values: Enabled or disabled
  Default: Enabled
  Configurable in Virtual Port Template? No
GSLB enable (DNS proxy ports only)
  Supported Values: Enabled or disabled
  Default: Disabled
  CLI: [no] gslb-enable
  GUI: Config > Service > SLB > Virtual Server - Virtual Server Port
  Configurable in Virtual Port Template? No
Statistics collection
  Supported Values: Enabled or disabled
  Default: Enabled
  CLI: stats-data-enable | stats-data-disable
  GUI: Config > Service > SLB > Virtual Server - Virtual Server Port
  Configurable in Virtual Port Template? No
server, the AX device creates the server or, if the server is already created, the AX device refreshes its TTL. The AX device also creates service-group members for the server and its ports.
If the DNS server replies with a CNAME record, the AX device also
When a dynamically created real server ages out, only that instance of the server (its port and service group member) is removed. Other instances (other IP addresses) for the same server (hostname) are not removed, unless they also age out. The real server configuration that you entered, used by the AX device to dynamically create servers, is not removed.
DNS queries for the IP addresses of the dynamic real servers. You can specify 1-1440 minutes (one day). The default is 10 minutes.
that can be dynamically created for a given hostname. You can specify 1-1023. The default is 255. After the maximum number of servers is created, the AX device deletes the oldest servers, as determined by the time they were created, to make room for new ones.
min-ttl-ratio  Specifies the minimum initial value for the TTL of dynamic real servers. This option prevents dynamic real servers from aging out too quickly due to a small TTL value from the DNS server.
To calculate the minimum TTL value for a dynamic real server, the AX device multiplies the dns-query-interval by the min-ttl-ratio. For example, if the min-ttl-ratio is 2 and the dns-query-interval is 10 minutes (600 seconds), then the minimum TTL for dynamic real servers is 1200.
The min-ttl-ratio can be 2-15. The default is 2.
Server port template options for dynamic service-group members:
dynamic-member-priority and decrement-delta  Sets the initial priority of dynamic service-group members, and specifies how much to decrement from the priority after each DNS query.
Within a service group, the priorities of the members determine which of those members can be used to service client requests. Normally, only the highest priority members can be used. Decrementing the priorities of dynamic members provides a way to ensure that the service group uses newer dynamically created members instead of older ones.
The initial priority can be 1-16, and the default is 16. The delta can be 0-8, and the default is 0.
The priority value decrements only when the IP address is not refreshed after a DNS query. For example, assume a DNS query returns IP address 1.1.1.1, and the AX device creates a dynamic server with priority 16. However, the latest DNS query returns IP address 2.2.2.2 only. In this case, the priority of 1.1.1.1 is decremented by the delta value. If a later DNS query returns 1.1.1.1 again, the priority of server 1.1.1.1 is reset to 16.
If you leave the delta set to its default (0), service-group member priorities are not decremented.
Note:
Settings that also apply to static servers and ports, such as connection and rate limits, apply individually to each dynamically created server or port. For example, the connection-rate limit configured in a server template applies individually to each dynamically created server for a given hostname. The limit is not applied collectively to all dynamically created servers for the hostname.
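The dynamic real server behaviour described above, as an added simulation that is not A10 code: it applies the TTL floor (dns-query-interval times min-ttl-ratio, giving the 1200 seconds of the page's example), the priority decrement and reset of dynamic-member-priority / decrement-delta, the max-dynamic-server eviction of the oldest instances, and TTL aging. Hostnames, addresses and DNS TTLs are constructed, and clamping a decremented priority at 1 is this example's assumption.

```python
# Added example, not A10 code: simulates the dynamic real server lifecycle
# described above with the parameters named on the page. Hostnames, addresses
# and DNS TTLs are constructed; clamping a decremented priority at 1 is an
# assumption (the page gives the priority range as 1-16).
from dataclasses import dataclass


@dataclass
class DynamicServer:
    ip: str
    ttl: int          # seconds remaining before the instance ages out
    created: int      # query number at which it was created (age ordering)
    priority: int


class HostnameServer:
    def __init__(self, hostname, dns_query_interval=10, min_ttl_ratio=2,
                 max_dynamic_server=255, dynamic_member_priority=16,
                 decrement_delta=0):
        self.hostname = hostname
        self.query_interval = dns_query_interval * 60      # minutes -> seconds
        self.min_ttl = self.query_interval * min_ttl_ratio  # e.g. 600 * 2 = 1200
        self.max_dynamic = max_dynamic_server
        self.initial_priority = dynamic_member_priority
        self.delta = decrement_delta
        self.servers = {}   # ip -> DynamicServer
        self.query_no = 0

    def on_dns_reply(self, answers):
        """Apply one DNS reply given as a list of (ip, ttl_seconds) tuples."""
        self.query_no += 1
        seen = set()
        for ip, ttl in answers:
            seen.add(ip)
            ttl = max(ttl, self.min_ttl)                # TTL floor
            srv = self.servers.get(ip)
            if srv is None:                             # new instance
                self.servers[ip] = DynamicServer(ip, ttl, self.query_no,
                                                 self.initial_priority)
            else:                                       # refreshed: TTL and
                srv.ttl = ttl                           # priority reset
                srv.priority = self.initial_priority
        for ip, srv in self.servers.items():
            if ip not in seen:                          # not refreshed
                srv.priority = max(1, srv.priority - self.delta)
        while len(self.servers) > self.max_dynamic:     # make room for new ones
            oldest = min(self.servers.values(), key=lambda s: s.created)
            del self.servers[oldest.ip]

    def tick(self, seconds):
        """Advance time; instances whose TTL has run out age out."""
        for ip, srv in list(self.servers.items()):
            srv.ttl -= seconds
            if srv.ttl <= 0:
                del self.servers[ip]

    def usable_members(self):
        """Normally only the highest-priority members serve requests."""
        if not self.servers:
            return []
        top = max(s.priority for s in self.servers.values())
        return sorted(ip for ip, s in self.servers.items() if s.priority == top)


if __name__ == "__main__":
    hs = HostnameServer("s1.test.com", dns_query_interval=10, min_ttl_ratio=2,
                        max_dynamic_server=2, decrement_delta=1)
    for reply in ([("1.1.1.1", 60)], [("2.2.2.2", 3600)], [("1.1.1.1", 60)]):
        hs.on_dns_reply(reply)
        print({ip: (s.ttl, s.priority) for ip, s in hs.servers.items()},
              "usable:", hs.usable_members())
```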
CLI Example
The following commands configure hostname server parameters in a server port template and a server template:
AX(config)#slb template port temp-port
AX(config-rport)#dynamic-member-priority 12
AX(config-rport)#exit
AX(config)#slb template server temp-server
AX(config-rserver)#dns-query-interval 5
AX(config-rserver)#min-ttl-ratio 3
AX(config-rserver)#max-dynamic-server 16
AX(config-rserver)#exit
The following commands configure a service group and add the hostname server and static server to it. The port template is bound to the member for the hostname server and port.
AX(config)#slb service-group sg-test tcp
AX(config-slb svc group)#member s-test1:80 template temp-port
AX(config-slb svc group)#member s-test2:80
AX(config-slb svc group)#exit
The following commands add the DNS server to use for resolving the real server hostname into server IP addresses:
AX(config)#ip dns primary 10.10.10.10
s-test1
Hostname:
s1.test.com
State:
Up
Server template:
temp-server
16
Health check:
none
Current connection:
Current request:
Total connection:
1919
1919
1877
546650
5715
919730
5631
DRS-10.4.2.5-s1.test.com
TTL:
4500
State:
Up
Server template:
test
15
1023
Health check:
none
Current connection:
Current request:
Total connection:
1919
Total request:
1919
1877
546650
5715
919730
5631
Current
Total
Fwd-p
Rev-p
----------------------------------------------------------------------*sg-test
State: All Up
DRS-10.4.2.6-s2.test.com:80
DRS-10.4.2.5-s1.test.com:80
36
1919
5714
5631
s-test2:80
53
265
212
State: All Up
Service: DRS-10.4.2.6-s2.test.com:80
UP
Forward packets:
Reverse packets:
Forward bytes:
Reverse bytes:
Current connections:
Persistent connections:
Current requests:
Total requests:
Total connections:
Forward bytes:
msec
Service: DRS-10.4.2.5-s1.test.com:80
Forward packets:
5715
546650
UP
Reverse packets:
5631
Reverse bytes:
919730
Current connections:
10
Persistent connections:
Current requests:
10
Total requests:
Total connections:
1919
1919
msec
1877
Service: s-test1:80
UP
Forward packets:
Forward bytes:
450
31500
Reverse packets:
Reverse bytes:
360
44820
Current connections:
Persistent connections:
Current requests:
Total requests:
Total connections:
90
1877
0
msec
Priority: 1
Member3: DRS-10.4.2.5-s1.test.com:80
Priority: 16
Member1: DRS-10.4.2.5-s-test2:80
Priority: 1
Member2: s-test1:80
Priority: 1
starting-ip
The starting-ip option specifies the beginning IP address in the range. The subnet-mask | /mask-length option specifies the size of the range.
Note:
If you do not specify a network mask, the virtual server is a standard VIP that has the IP address you specify as the starting-ip address.
CLI Example
The following command configures a set of VIPs for IP addresses 1.1.1.5-1.1.1.255:
The TCP template reset-rev option also can be used to send a RST to clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST in response to a server selection failure. In AX Release 2.2.2 and later, the new reset-on-server-selection-fail option must be used instead.
Note:
Scan-all-members
VIP 192.168.10.11 uses 3 real servers for HTTP service. Two of the servers
have a single protocol port for HTTP. However, one of the servers has
HTTP service on multiple service ports.
The load-balancing method for the service group is used to select a server
and port for the first request from a given client (source IP address). After
this initial selection, subsequent requests from the same client are sent to the
same server.
By default, when the match-type is changed to server, the AX device uses
the SLB load-balancing method for the first request to select a member, then
uses fast-path processing to select the first member that has the same IP
address as the server that was initially selected.
In this example, if the load-balancing method chooses port 80 on server s3
for the first request, subsequent requests are also sent to s3. If port 80 goes
down, the next request is still sent to s3, but to a different port on s3.
Overview
Some types of client-server traffic need to be encrypted for security. For example, traffic for online shopping must be encrypted to secure sensitive account information from being stolen.
Commonly, clients and servers use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to secure traffic. For example, a client that is using a shopping application on a server will encrypt data before sending it to the server. The server will decrypt the client's data, then send an encrypted reply to the client. The client will decrypt the server reply, and so on.
Note:
SSL is the predecessor of TLS. The AX device supports SSL version 3.0 and TLS version 1.0. The AX device also supports RFC 3268: AES Ciphersuites for TLS. For simplicity, elsewhere this document and other AX user documents use the term SSL to mean both SSL and TLS.
Note:
The AX device supports Privacy Enhanced Mail (PEM) format for certificate files and CRLs. AX SSL processing supports PEM format and RSA encryption.
SSL Process
SSL works using certificates and keys. Typically, a client will begin a secure session by sending an HTTPS request to a VIP. The request begins an SSL handshake. The AX device will respond with a digital certificate, to provide verification of the content server's identity. From the client's perspective, this certificate comes from the server. Once the SSL handshake is complete, the client begins an encrypted client-server session with the AX device.
To begin, the client sends an HTTPS request. The request includes some encryption details such as the cipher suites supported by the client.
The AX device, on behalf of the server, checks for a client-SSL template bound to the VIP. If a client-SSL template is bound to the VIP, the AX device sends all the digital certificates contained in the template to the client.
The client browser checks its certificate store (sometimes called the certificate list) for a copy of the server certificate. If the client does not have a
Certificate Chain
Ultimately, a certificate must be validated by a root CA. Certificates from root CAs are the most trusted. They do not need to be signed by a higher (more trusted) CA.
If the CA that signed the certificate is a root CA, the client browser needs a copy of the root CA's certificate. If the CA that signed the server certificate is not a root CA, the client browser should have another certificate or a certificate chain that includes the CA that signed the CA's certificate.
A certificate chain contains the chain of signed certificates that leads from the CA to the signature authority that signed the certificate for the server. Typically, the certificate authority that signs the server certificate also will provide the certificate chain. Figure 191 shows an example of a certificate chain containing three certificates:
FIGURE 191  Example certificate chain: three concatenated PEM-encoded certificates, each delimited by BEGIN CERTIFICATE / END CERTIFICATE lines (certificate data omitted)
Note:
signed by a recognized Certificate Authority (CA). To obtain a CA-signed certificate, an admin creates a key and a Certificate Signing Request (CSR), and sends the CSR to the CA. The CSR includes the key. The CA then creates and signs a certificate. The admin installs the certificate on the AX device. When a client sends an HTTPS request, the AX device sends a copy of the certificate to the client, to verify the identity of the server (AX device).
To ensure that clients receive the required chain of certificates, you also can send clients a certificate chain in addition to the server certificate. (See Certificate Chain on page 907.)
The example in Figure 190 on page 906 uses a CA-signed certificate.
Self-signed  A self-signed certificate is a certificate that is created and
SSL Templates
You can install more than one key-certificate pair on the AX device. The
AX device selects the certificate(s) to send a client or server based on the
SSL template bound to the VIP. You can bind the following types of SSL
templates to VIPs:
Client-SSL template Contains keys and certificates for SSL-encrypted
to a client, so that the client can validate the server's identity. The certificate can be generated on the AX device (self-signed) or can be signed
by another entity and imported onto the AX device.
Key Specifies a public key for a server certificate. If the CSR used to
with a root CA certificate, and containing all the intermediary certificates in the authority chain that ends with the authority that signed the
server certificate. (See Certificate Chain on page 907.)
CA certificate Specifies a CA certificate that the AX device can use to
that have been revoked by the CAs that signed them. This option is
applicable only if the AX device will be required to validate the identities of clients.
When the client sends its connection request, it also sends a list of the
cipher suites it can support. The AX device selects the strongest cipher
suite supported by the client that is also enabled in the template, and
uses that cipher suite for traffic with the client. By default, all the following are enabled:
SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_DES_40_CBC_SHA
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_EXPORT1024_RC4_56_MD5
TLS1_RSA_EXPORT1024_RC4_56_SHA
Session cache size Specifies the maximum number of cached sessions for
SSL session ID reuse.
When the server sends its connection request, it also sends a list of the
cipher suites it can support. The AX device selects the strongest cipher
suite supported by the server that is also enabled in the template and
uses that cipher suite for traffic with the server. The same cipher suites
supported in client-SSL templates are supported in server-SSL templates. Support for all of them is enabled by default.
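The selection rule above ("strongest suite offered by the peer that is also enabled in the template") is modelled below as an added example; it is not ACOS code. The strength ordering is an assumption (key bits, then SHA over MD5, then TLS1 over SSL3), since the guide does not publish the device's ranking; the point it shows is that with the default template a peer that offers only export-grade suites still gets one, whereas a template with those suites disabled refuses the handshake.

```python
import re

# Suites the guide lists as enabled by default in client-SSL and server-SSL templates.
DEFAULT_SUITES = [
    "SSL3_RSA_DES_192_CBC3_SHA",
    "SSL3_RSA_DES_40_CBC_SHA",
    "SSL3_RSA_DES_64_CBC_SHA",
    "SSL3_RSA_RC4_128_MD5",
    "SSL3_RSA_RC4_128_SHA",
    "SSL3_RSA_RC4_40_MD5",
    "TLS1_RSA_AES_128_SHA",
    "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5",
    "TLS1_RSA_EXPORT1024_RC4_56_SHA",
]


def key_bits(suite):
    """Symmetric key length parsed from the suite name (3DES counted at its
    ~112-bit effective strength). Assumed basis for 'strongest'; the guide
    does not publish the device's actual ordering."""
    if "DES_192_CBC3" in suite:
        return 112
    m = re.search(r"(?:AES|RC4|DES)_(\d+)", suite)
    return int(m.group(1)) if m else 0


def strength(suite):
    """Assumed ranking: key bits, then SHA over MD5, then TLS1 over SSL3."""
    return (key_bits(suite), "SHA" in suite, suite.startswith("TLS1"))


def negotiate(peer_offered, template_enabled):
    """Pick the strongest suite the peer offered that the template enables.
    Returns None when nothing overlaps (the handshake cannot proceed)."""
    candidates = [s for s in peer_offered if s in template_enabled]
    return max(candidates, key=strength) if candidates else None


def weak_suites(suites):
    """Export-grade and 40/56/64-bit suites: the ones a hardened template disables."""
    return [s for s in suites if "EXPORT" in s or key_bits(s) < 112]


def hardened_suites():
    """Default list with the weak suites removed."""
    return [s for s in DEFAULT_SUITES if s not in weak_suites(DEFAULT_SUITES)]


if __name__ == "__main__":
    # Constructed peer: a client that offers only export-grade suites.
    legacy_client = ["SSL3_RSA_RC4_40_MD5", "TLS1_RSA_EXPORT1024_RC4_56_SHA"]
    print("default template  ->", negotiate(legacy_client, DEFAULT_SUITES))
    print("hardened template ->", negotiate(legacy_client, hardened_suites()))
```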
7. Enter a passphrase.
8. From the Key drop-down list, select the length (bits) for the key.
9. Click OK. The AX device generates the certificate key and the certificate signing request (CSR), and displays the CSR. The CSR is displayed
in the Request Text field.
10. To save the CSR to your PC:
a. Click Download.
Note:
If the browser security settings normally block downloads, you may need
to override the setting. For example, in Internet Explorer, hold the Ctrl
key while clicking Download.
b. Click Save.
c. Navigate to the save location.
d. Click Save again.
Note:
After the CSR is generated, send the CSR to the CA. After you receive the
signed certificate from the CA, use the import command to import the CA-signed
certificate onto the AX device. The key does not need to be imported, because it is generated along with the CSR.
The following commands generate and export a CSR, then import the
signed certificate.
AX(config)#slb ssl-create csr slbcsr1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?slbcsr1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcsr1
input Division, 0~31:div1
input Organization, 0~63:org2
input Locality, 0~31:westcoast
input State or Province, 0~31:ca
input Country, 2 characters:us
input email address, 0~64:axadmin@example.com
input Pass Phrase, 0~31:csrpword
Confirm Pass Phrase:csrpword
AX(config)#import ca-signedcert1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?ca-signedcert1
If you are importing a CA-signed certificate for which you used the AX
device to generate the CSR, you do not need to import the key. The key is
automatically generated on the AX device when you generate the CSR.
Alternatively, you can use the following commands at the Privileged EXEC
or global Config level of the CLI:
import ssl-cert file-name url
import ssl-key file-name url
If you need to create a wildcard certificate, use an asterisk as the first part
of the common name. For example, to create a wildcard certificate for
domain example.com and its sub-domains, enter the following common
name: *.example.com
7. From the Key drop-down list, select the length (bits) for the key.
8. Click OK. The AX device generates the self-signed certificate and its
key. The new certificate and key appear in the certificate list. The certificate is ready to be used in client-SSL and server-SSL templates.
If you need to create a wildcard certificate, use an asterisk as the first part
of the common name. For example, to create a wildcard certificate for
domain example.com and its sub-domains, enter the following common
name: *.example.com
Note:
The key length, common name, and number of days the certificate is valid
are required. The other information is optional. The default key length is
1024 bits. The default number of days the certificate is valid is 730.
The following commands create a self-signed certificate named slbcert1
and verify the configuration:
AX(config)#slb ssl-create certificate slbcert1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcert1
input Division, 0~31:Div1
input Organization, 0~63:Org2
input Locality, 0~31:WestCoast
input State or Province, 0~31:CA
input Country, 2 characters:US
input email address, 0~64:axadmin@example.com
input valid days, 30~3650, default 730:<Enter>
AX(config)#show slb ssl cert
name: slbcert1
type: certificate/key
Common Name: slbcert1
Organization: Org2
Expiration: Apr 10 00:34:34 2010 GMT
Issuer: Self
key size: 1024
Importing a CRL
To import a CRL, place it on the PC that is running the GUI or CLI session,
or onto a PC or file server that can be locally reached over the network.
c. Click Save.
d. Navigate to the save location.
e. Click Save again.
4. To export a key:
a. Select the key.
b. Click Export.
c. Click Save.
d. Navigate to the save location.
e. Click Save again.
Exporting a CRL
USING THE CLI
To export a CRL, use the following command at the Privileged EXEC or
global Config level of the CLI:
export ssl-crl file-name url
If the browser security settings normally block downloads, you may need
to override the setting. For example, in IE, hold the Ctrl key while clicking Export.
5. Click Save.
6. Navigate to the save location.
7. Click Save again.
Although removing the passphrase is optional, A10 Networks recommends that you remove the passphrase for production environments
where Apache must start unattended.
Route Tables
The AX device uses separate route tables for management traffic and data
traffic.
Management route table Contains all static routes whose next hops are
In AX Release 1.2.4 and earlier, all static routes are stored in the main
route table, even if the next hop is connected to the management interface.
The management route table contains only the route to the subnet directly
routes.
For example, when use of the management interface as the source interface
for control traffic is enabled, all log messages sent to remote log servers are
sent through the management interface. Likewise, the management route
table is used to find a route to the log server. The AX device does not
attempt to use any routes from the main route table to reach the server, even
if a route in the main route table could be used.
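The table-selection rule in the paragraph above, as an added model (not ACOS code): control traffic with the management interface enabled as source interface is resolved against the management route table only, with no fallback to the main table, even when the main table holds a more specific route. The tables, the log server address and the `resolve` helper are constructed for the example.

```python
import ipaddress


class RouteTable:
    """Minimal longest-prefix-match table (constructed model, not ACOS code)."""

    def __init__(self, routes):
        # routes: (prefix, next_hop) strings; "connected" marks a directly attached subnet
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def resolve(dst, control_traffic, mgmt_source_enabled, mgmt_table, main_table):
    """Which table is consulted for a destination, per the guide.

    Control traffic (e.g. syslog to a remote log server) with the management
    interface enabled as source interface uses the management route table
    only; a miss there is a miss, the main table is never tried. All other
    traffic uses the main table.
    """
    if control_traffic and mgmt_source_enabled:
        return "management", mgmt_table.lookup(dst)
    return "main", main_table.lookup(dst)


# Constructed tables. The management table holds only the connected
# management subnet and the management default gateway.
MGMT = RouteTable([("10.0.0.0/24", "connected"), ("0.0.0.0/0", "10.0.0.1")])
MGMT_NO_GW = RouteTable([("10.0.0.0/24", "connected")])
MAIN = RouteTable([("192.168.0.0/16", "192.168.1.1"), ("0.0.0.0/0", "203.0.113.1")])
LOG_SERVER = "192.168.50.5"  # constructed remote log server address


if __name__ == "__main__":
    # Main table has the more specific 192.168.0.0/16 route, but it is not consulted.
    print(resolve(LOG_SERVER, True, True, MGMT, MAIN))        # ('management', '10.0.0.1')
    print(resolve(LOG_SERVER, True, False, MGMT, MAIN))       # ('main', '192.168.1.1')
    print(resolve(LOG_SERVER, True, True, MGMT_NO_GW, MAIN))  # ('management', None)
```

The third call is the failure mode worth checking before enabling the feature: a management table without a default gateway leaves the log server unreachable even though the main table could route to it.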
In addition, on a case-by-case basis, you can enable use of the management
interface and management route table for the following types of management connections to remote devices:
Caution:
If you enable this feature, then downgrade to AX Release 1.2.4 or earlier, it is possible to lose access to the AX device after you downgrade.
This can occur if you configure an external AAA server (TACACS+
server) to authorize CLI commands entered on the AX device, and
the TACACS+ server is connected to the AX device through the management default gateway.
If this is the case, before you downgrade, remove the TACACS+ configuration from the AX device. After you downgrade, you can re-add
the configuration, but make sure the TACACS+ server can be
reached using a route other than through the management default
gateway.
Show Commands
show techsupport [[use-mgmt-port] export url]
[page]
Configuration Management
By default, when you click the Save button in the GUI or enter the write
memory command in the CLI, all unsaved configuration changes are saved
to the startup-config. The next time the AX device is rebooted, the configuration is reloaded from this file.
In addition to these simple configuration management options, the AX
device has advanced configuration management options that allow you to
save multiple configuration files. You can save configuration files remotely
on a server and locally on the AX device itself.
For upgrade instructions, see the release notes for the AX release to which
you plan to upgrade.
Unless you plan to locally store multiple configurations, you do not need
to use any of the advanced commands or options described in this section.
Just click Save in the GUI or enter the write memory command in the
CLI to save configuration changes. These simple options replace the commands in the startup-config stored in the image area the AX device booted
from with the commands in the running-config.
Note:
Management of multiple locally stored configuration files is not supported in the GUI.
Configuration Profiles
Configuration files are managed as configuration profiles. A configuration
profile is simply a configuration file. You can locally save multiple configuration profiles on the AX device. The configuration management commands
described in this section enable you to do the following:
Save the startup-config or running-config to a configuration profile.
Copy locally saved configuration profiles.
Delete locally saved configuration profiles.
Compare two configuration profiles side by side to see the differences
other than the one stored in the image area used for the most recent
reboot. (This is the profile that startup-config refers to by default.)
This option makes it easier to test a configuration without altering the
configuration stored in the image area.
Note:
Although the enable and admin passwords are loaded as part of the system configuration, they are not saved in the configuration profiles.
Changes to the enable password or to the admin username or password
take effect globally, regardless of the values that were in effect when a
given configuration profile was saved.
Copying a profile from the compact flash to the hard disk is not supported.
CLI EXAMPLES
The following command saves the running-config to a configuration profile
named slbconfig2:
AX(config)#write memory slbconfig2
                   Size   Time
------------------------------------------------------------
1210test           1957   Jan 28 18:39
ipnat              1221   Jan 25 10:43
ipnat-l3           1305   Jan 24 18:22
ipnat-phy          1072   Jan 25 19:39
ipv6               2722   Jan 22 15:05
local-bwlist-123   3277   Jan 23 14:41
mgmt               1318   Jan 28 10:51
slb                1354   Jan 23 18:12
slb-v4             12944  Jan 23 19:32
slb-v6             13414  Jan 23 19:19
!version 1.2.1
hostname AX
...
!
interface ve 30
ip address
ipv6 address
(
> ip nat range-
<
<
port 22
tcp
<
--MORE--
VLAN-to-VLAN Bridging
VLAN-to-VLAN bridging allows an AX device to selectively bridge traffic
among multiple VLANs. The AX device selectively forwards packets from
one VLAN to another based on the VLAN-to-VLAN bridging configuration
on the AX device. This feature allows the traffic flow between VLANs to be
tightly controlled through the AX device without the need to reconfigure the
hosts in the separate VLANs.
VLAN-to-VLAN bridging is useful in cases where reconfiguring the hosts
on the network either into the same VLAN, or into different IP subnets, is
not desired or is impractical.
You can configure a bridge VLAN group to forward one of the following
types of traffic:
IP traffic only (the default) This option includes typical traffic
Configuration Notes
VLAN-to-VLAN bridging is supported on AX devices deployed in transparent mode (Layer 2) or in gateway mode (Layer 3).
Each VLAN to be bridged must be configured on the AX device. The normal rules for tagging apply:
If an interface belongs to only one VLAN, the interface can be
untagged.
If the interface belongs to more than one VLAN, the interface must be
tagged.
Each VLAN can belong to only a single bridge VLAN group.
Each bridge VLAN group can have a maximum of 8 member VLANs. Traffic from any VLAN in the group is bridged to all other VLANs in the group.
Up to 64 bridge VLAN groups are supported.
If the AX device is deployed in gateway mode, a Virtual Ethernet (VE)
interface is required in the bridge VLAN group.
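The configuration notes above, turned into a pre-deployment check as an added example (not A10 code): it flags a VLAN placed in two groups, a group over 8 members, more than 64 groups, an untagged interface carrying several VLANs, a bridged VLAN that no interface carries, and a group without a VE in gateway mode, and it reports which VLANs a given ingress VLAN is bridged to. The group and interface dictionaries are a constructed sample.

```python
MAX_MEMBERS_PER_GROUP = 8   # limits from the configuration notes
MAX_GROUPS = 64


def validate_bridge_groups(groups, interfaces, gateway_mode):
    """Check a bridge VLAN group configuration against the guide's rules.

    groups:     {group_id: {"vlans": [vlan_ids], "ve": ve_id or None}}
    interfaces: {name: {"vlans": [vlan_ids], "tagged": bool}}
    Returns a list of violations; an empty list means the config is acceptable.
    """
    errors = []
    if len(groups) > MAX_GROUPS:
        errors.append(f"{len(groups)} bridge VLAN groups exceeds the limit of {MAX_GROUPS}")
    owner = {}  # vlan -> group that already claimed it
    for gid, grp in groups.items():
        if len(grp["vlans"]) > MAX_MEMBERS_PER_GROUP:
            errors.append(f"group {gid} has {len(grp['vlans'])} VLANs, limit is {MAX_MEMBERS_PER_GROUP}")
        for vlan in grp["vlans"]:
            if vlan in owner:
                errors.append(f"VLAN {vlan} is in groups {owner[vlan]} and {gid}; one group per VLAN")
            owner.setdefault(vlan, gid)
        if gateway_mode and grp.get("ve") is None:
            errors.append(f"group {gid} needs a VE interface in gateway mode")
    configured = set()
    for name, ifc in interfaces.items():
        configured.update(ifc["vlans"])
        if len(ifc["vlans"]) > 1 and not ifc["tagged"]:
            errors.append(f"interface {name} carries {len(ifc['vlans'])} VLANs but is untagged")
    for vlan in sorted(set(owner) - configured):
        errors.append(f"VLAN {vlan} is bridged but not configured on any interface")
    return errors


def bridged_to(groups, ingress_vlan):
    """VLANs that traffic entering on ingress_vlan is bridged to: all other members of its group."""
    for grp in groups.values():
        if ingress_vlan in grp["vlans"]:
            return sorted(v for v in grp["vlans"] if v != ingress_vlan)
    return []


# Constructed sample configuration, not from the guide.
GROUPS = {1: {"vlans": [10, 20, 30], "ve": 1}, 2: {"vlans": [40, 50], "ve": 2}}
INTERFACES = {
    "ethernet 1": {"vlans": [10], "tagged": False},          # one VLAN: may be untagged
    "ethernet 2": {"vlans": [20, 30, 40], "tagged": True},   # several VLANs: must be tagged
    "ethernet 3": {"vlans": [50], "tagged": False},
}

if __name__ == "__main__":
    print(validate_bridge_groups(GROUPS, INTERFACES, gateway_mode=True))  # []
    print(bridged_to(GROUPS, 10))                                          # [20, 30]
```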