
A10 Networks: Application Delivery Controller: Presentation
ACOS release 2.7
Course A10_ADC-2.7v2.1

Customer Driven Innovation

A10 Application Delivery Controller
ACOS release 2.7
Course ACOS_ADC-2.7v2.1

Do not distribute/edit/copy without the written consent of A10 Networks

Table of Contents
Section 0: Course Introduction
Section 1: ACOS Management
Section 2: Load Balancing Concepts
Section 3: HTTP
Section 4: HTTPS
Section 5: ACOS Acceleration
Section 6: ACOS Security
Section 7: High Availability
Section 8: ACOS Troubleshooting
Section 9: aFleX

Introduction
Section 0

Contents
Course goals
Materials
Objective for students

Goal of this course


To learn basic load balancing concepts
To learn load balancing of HTTP and HTTPS protocols on the ACOS device
To learn ACOS troubleshooting tools
To prepare students to install, configure and manage the ACOS device

Facilities and materials


Basics:
Schedule (class time / breaks / lunch)
Break and restroom facilities
Communications (cellphone / internet)
WiFi:
Instructor: Tony Griffen <tgriffen@10networks.com>

Material:
Lecture materials
Lab equipment

Additional Resources:
Support web site for latest releases / User Guides / Release Notes / AppNotes
Community http://www.a10support.com/adc/

Class layout - generalized

[Lab topology diagram; n is the student ID] Each student's ACOS pair (HA ID 1 and HA ID 2, Set ID y) connects to:
Management 1.0.0.0/24: ACOS management IP 1.0.0.n, backup host 1.0.0.(100+n), shared hosts 1.0.0.201 / .202 / .203
Client Data 100.0.0.0/24: client 100.0.0.(100+n), ACOS interface 100.0.0.n, VIP1 100.0.0.(20+n)
Server Data 200.0.0.0/24: ACOS interface 200.0.0.n, Source NAT 200.0.0.(20+n), application servers 200.0.0.201 / .202 / .203
HA Link: 3.0.0.1 (primary) and 3.0.0.2 (secondary)

Conventions and substitutions

Throughout the labs substitute the following variables (n is your student ID)

Variable            Substitute with                                Student 1 example
<s1-IP>             Server 1 IP address                            200.0.0.201
<s2-IP>             Server 2 IP address                            200.0.0.202
<nat1-IP>           200.0.0.(20+n)                                 200.0.0.21
<vip1-IP>           100.0.0.(20+n)                                 100.0.0.21
<ACOS-Mgmt-IP>      A10 device management IP - 1.0.0.n             1.0.0.1
<ha-sync-pri>       3.0.0.1
<ha-sync-sec>       3.0.0.2
<client-data-IP>    100.0.0.(100+n)                                100.0.0.101
<backup-IP>         1.0.0.(100+n)                                  1.0.0.101
<set-ID>            Instructor will assign before the lab
<ha-ID>             1 for primary device, 2 for secondary in HA

Introductions
Your name
Role at your company
Location of your home office
Experience with server load balancing
Experience with ACOS devices

ACOS Management
Section 1

Section objectives
Explore ACOS management access
Understand ACOS configuration components
Backup/restore ACOS configuration
Review initial ACOS configuration

ACOS management access


CLI
Console (RS-232 connection / 9600, 8, N, 1)
Telnet (disabled by default)
SSHv2

Web
HTTP (configurable ports - disabled by default)
HTTPS (configurable ports)

Levels of CLI authentication


CLI: Login ID/Password and Enable ID/Password
Web: Admin roles (read-write / read-only)

CLI: Privilege levels

User EXEC Level (common name: user; prompt ">")
Monitor SLB & CGN, do backups, use simple diagnostic utilities. From this level the user cannot affect the functioning of the device or change configuration.

Privileged EXEC Level (common name: enable; prompt "#")
(same as user) + Manage system but not SLB or CGN configuration. Monitor system.

Privileged EXEC Level - Config Mode (common name: config; prompt "(config)#")
(same as enable) + Configure SLB or CGN. Actions which could affect SLB or CGN configuration are also accessible only from here, like config restore. Enable-level commands can be executed here by prepending them with do.

CLI: Additional prompt indicators


Redundancy
ACOS-Active>
ACOS-Standby>

Clustering
ACOS-Active-vMaster[7/1]>
ACOS-Standby-vBlade[7/2]>

Packet capture
ACOS(axdebug)#

Hostname
ACOS(config)#hostname MyThunder1
MyThunder1(config)#

CLI: Help

List options
ACOS>show health monitor ?
  WORD<length:1-31>   Name
  all-partitions      All partition configurations
  partition           Per-partition configurations
  |                   Output modifiers

Option disambiguation
ACOS>show ic?
  icmp     Display ICMP statistics
  icmpv6   Display ICMPv6 statistics

Command completion
ACOS>show rad<tab>
ACOS>show radius-server

CLI: Undo
Commands are undone by prepending no
ACOS(config)#ip nat pool nat1 10.0.2.15 10.0.2.16 netmask /24
ACOS(config)#show ip nat pool
Total IP NAT Pools: 1
Pool Name   Start Address   End Address   Mask   Gateway   HA Group   Vrid
nat1        10.0.2.15       10.0.2.16     /24    0.0.0.0   0          default

ACOS(config)#no ip nat pool nat1
ACOS(config)#show ip nat pool
Total IP NAT Pools: 0

CLI: Disabling configuration elements

On configuration elements, "no enable" has the same effect as the command "disable"
ACOS#show run | sec slb
slb server s1 10.0.2.18

ACOS(config)#slb server s1
ACOS(config-real server)#no enable
ACOS#show run | sec slb
slb server s1 10.0.2.18
   disable

CLI: Regular expressions

A subset of regular expressions can be used at the command line
.   Matches any single character, including white space
*   Matches 0 or more sequences of the pattern
+   Matches 1 or more sequences of the pattern
?   Matches 0 or 1 occurrences of the pattern
^   Matches the beginning of the string
$   Matches the end of the string
_   Underscore matches a comma ",", left brace "{", right brace "}", left parenthesis "(", right parenthesis ")", the beginning of the string, the end of the string, or a space.

CLI: Filtering output (section & include)

ACOS supports filtering by piping output to section and include
section retrieves configuration elements containing the regex
ACOS#show run | sec slb
slb server s1 10.0.2.18
   port 80 tcp
slb service-group http tcp
   member s1:80

include retrieves lines containing the regex
ACOS#show run | inc slb
slb server s1 10.0.2.18
slb service-group http tcp

CLI: OR
To use "|" symbol as OR in inc or sec, escape it with "\" with no spaces around it
ACOS#show run | inc tacacs\|radius
tacacs-server host 1.0.0.100 secret (encrypted_secret) port 49 timeout 12
radius-server host 1.0.0.100 secret (encrypted_secret)
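The regex subset, the section/include filters and the escaped OR from the slides above, as an added example that is not code from the course or from A10: a translator from the ACOS dialect to Python's re module, plus include and section filters run over a constructed running-config. The config text is made up for the demo, and the rule that a non-indented line starts a new configuration element is an assumption about how ACOS groups its output.

```python
import re

# Added example (not from the A10 course): ACOS CLI regex subset -> Python re,
# with "| include" and "| section" filtering over a constructed running-config.

SAMPLE_RUN = """\
hostname MyThunder1
tacacs-server host 1.0.0.100 secret (encrypted_secret) port 49 timeout 12
radius-server host 1.0.0.100 secret (encrypted_secret)
slb server s1 10.0.2.18
   port 80 tcp
slb service-group http tcp
   member s1:80
slb virtual-server vip1 10.0.1.12
   port 80 http
      service-group http
"""


def acos_regex(pattern):
    """Translate the ACOS dialect: "\\|" is OR, and a bare "_" matches a comma,
    brace, parenthesis, space, or the start/end of the line."""
    py = pattern.replace("\\|", "|")
    py = py.replace("_", r"(?:[,{}() ]|^|$)")
    return re.compile(py)


def filter_include(text, pattern):
    """'| inc <regex>': every line that contains the regex."""
    rx = acos_regex(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def filter_section(text, pattern):
    """'| sec <regex>': each configuration element (a non-indented line plus
    its indented children -- an assumed grouping rule) containing the regex."""
    rx = acos_regex(pattern)
    elements, current = [], []
    for line in text.splitlines():
        if not line.startswith(" ") and current:
            elements.append(current)
            current = []
        current.append(line)
    if current:
        elements.append(current)
    out = []
    for element in elements:
        if any(rx.search(line) for line in element):
            out.extend(element)
    return out


if __name__ == "__main__":
    print("\n".join(filter_section(SAMPLE_RUN, "slb")))
    print("\n".join(filter_include(SAMPLE_RUN, "tacacs\\|radius")))
```

The `_s1_` pattern shows why the underscore exists: it matches the server line `slb server s1 ...` but not `member s1:80`, because a colon is not one of the underscore's delimiters.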


CLI: Exiting current level

The exit command takes the CLI back one level (out of the current sub-mode)
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit
ACOS(config)#exit
ACOS#exit
ACOS>

The end command exits config mode entirely
ACOS(config-slb vserver-vport)#end
ACOS#exit
ACOS>

Ctrl-C is a keyboard shortcut for exit in config mode, Ctrl-Z is a shortcut for end

CLI: Workflow
With the CLI, build your configuration from the bottom up:
system
redundancy + clustering
servers
nat pools
templates
virtual server
virtual server port

Then apply the pre-configured elements on the virtual server port (vPort)

To use a programming analogy, configuration elements are like functions. Those functions have to be called from the vPort before they take effect.

WebUI: Privilege levels


Monitor
Equivalent to CLI User EXEC Level (user)

Config
Equivalent to CLI Privileged EXEC Level - Config Mode (config)


WebUI: Workflow
In the WebUI, you can build configuration from the top down in one of two ways
Config > SLB > Service > Virtual Server (and then add vPort underneath)
Config > SLB > Service > Virtual Service (all from one place)
Necessary configuration element names are created automatically. Your virtual service is translated at the CLI level into virtual server + virtual port.
ACOS#show run | sec slb
slb server _s_10.0.2.18 10.0.2.18
   port 80 tcp
slb server _s_10.0.2.19 10.0.2.19
   port 80 tcp
slb service-group http tcp
   member _s_10.0.2.18:80
   member _s_10.0.2.19:80
slb virtual-server _10.0.1.12_vserver 10.0.1.12
   port 80 http
      name vip1-http
      service-group http

CLI vs. WebUI

CLI benefits
Structured, enhances understanding
Excellent for troubleshooting: can display multiple configuration items at the same time
Can be very fast with some familiarity
Requires very little bandwidth to operate the device

WebUI benefits
Flexible workflow
Easy admin role definition
Familiar interface
Excellent for monitoring (graphical display)

ACOS configuration components

Configuration file
(optional) aFleX files
(optional) PBSLB files
(optional) SSL certificates and keys
(optional) Geo-location files (option in GSLB and geo-location-based VIP access)

Named configuration profiles

Benefits of named profiles
Maintain multiple configurations
Link startup configuration per partition to a named profile
Copy and edit profiles without disrupting normal operations
Maintain single configuration for both physical partitions

Create new profile
ACOS#write memory <new_profile>
ACOS(config)#copy <existing_profile> <new_profile>

See all profiles
ACOS#show startup-config all

Link startup config to profile
ACOS(config)#link startup-config <profile_name> [primary|secondary]

ACOS configuration full backup and restore


ACOS full configuration backup
WebUI: Config > System > Maintenance > Backup > System
CLI: ACOS(config)#backup system []

ACOS full configuration restore


WebUI: Config > System > Maintenance > Restore > System
CLI: ACOS(config)#restore []

Note: Supported upload protocols: FTP, SFTP, SCP, RCP, TFTP, and HTTPS (via WebUI)


ACOS configuration profile backup and restore


ACOS configuration profile backup
WebUI: Config > System > ConfigFile

[open & copy]

CLI: ACOS(config)#copy <local_profile> [use-mgmt-port] <destination>

ACOS configuration profile restore


WebUI: Config > System > ConfigFile > Add

[paste]

CLI: ACOS(config)#copy [use-mgmt-port] <remote_profile> <local_profile>

Note: Supported upload protocols: FTP, SFTP, SCP, RCP, TFTP, and HTTPS (via WebUI)


Backing up other configuration elements

ACOS#export ?
  running-config    Running Config
  ssl-cert          SSL Cert File
  ssl-cert-key      SSL Cert/Key File
  ssl-crl           SSL Crl File
  ssl-key           SSL Key File
  aflex             aFleX Script Source File
  bw-list           Black/White List File
  class-list        Class List File
  axdebug           AX Debug Packet File
  debug_monitor     Debug Monitor Output
  startup-config    Startup Config
  syslog            Syslog file
  thales-secworld   Thales security world files - in .tgz format
  thales-kmdata     Thales Kmdata files - in .tgz format
  dnssec-dnskey     DNSSEC DNSKEY(KSK) file for the zone
  dnssec-ds         DNSSEC DS file for the zone
  ip-map-list       IP Map List File

Note: ssl-key and ssl-cert-key exports contain private keys; use an encrypted transport (SFTP, SCP or HTTPS) for them rather than FTP or TFTP.

Erasing configuration
You may erase configuration while preserving access to the device
ACOS(config)#erase ?
  preserve-management   Preserve management ip and default gateway
  preserve-accounts     Preserve admin accounts
  reload                Reload after erase
  <cr>

This command also erases the profile linked to the current startup config (except for the preserved elements) but does not affect other profiles.

ACOS software location


ACOS software is stored on
Two disk partitions: primary and secondary
Second partition is designed for easy software rollback

Two Compact Flash partitions: primary and secondary


CF is designed for emergency recovery

Note: Each storage location has its own software and AX configuration


ACOS software upgrade options


Check the ACOS running partition
WebUI: Monitor > Overview > Summary > System Information
CLI: ACOS#show bootimage

Upgrade AX devices other partition


WebUI: Configuration > System > Maintenance > Upgrade
CLI: ACOS(config)#upgrade []

Copy running configuration to the other partition or link existing profile to it


ACOS# write memory [primary|secondary]
ACOS(config)#link startup-config <profile_name> [primary|secondary]

Set boot source to the other partition


WebUI: Configuration > System > Settings > Boot
CLI: ACOS(config)#bootimage hd [primary|secondary]


ACOS initial configuration

Rollback to Factory configuration
CLI:
ACOS(config)#system-reset
ACOS(config)#end
ACOS#reboot

First step configuration
Connect on the ACOS device console (9600 baud - 8 bits no parity - 1 stop bit)
Default user/password: admin/a10 (change this default before the device is reachable over the network)
Configure the management interface and its default gateway
Finish the ACOS configuration via CLI (ssh) or WebUI (https)

ACOS initial configuration example

ACOS login: admin
Password:
ACOS>en
Password:
ACOS#conf
ACOS(config)#interface management
ACOS(config-if:management)#ip address 172.31.31.11 /24
ACOS(config-if:management)#ip default-gateway 172.31.31.1
ACOS(config-if:management)#exit
ACOS(config)#exit

Lab
Backup your ACOS device using FTP server and local drive


Section summary
In this module, we discussed:
AX Management access
Backup and restore procedure

Upgrade and downgrade


AX Layer2 / VLAN

We have performed:
AX configuration back up and restore


Load Balancing Concepts


Section 2

Section objectives
Understand main load balancing goals and concepts
Configure ACOS L4 SLB Virtual Server
Configure two common L4 SLB Virtual Server options (Source IP Persistence + NAT)

Load balancing goals


Provide high availability of services

Share load among multiple servers (load balancing)

Topology: One-armed L2 (switched) mode (p. 1 of 2)

[Diagram] Client 200.0.0.1 on the Internet; AX Series on 100.0.0.0/24 with VIP = 100.0.0.10 and SNAT = 100.0.0.50; servers 100.0.0.[100-200] on the same 100.0.0.0/24 subnet.

Address rewriting (request, then reply):
Client -> AX:      Source IP 200.0.0.1      Dest IP 100.0.0.10
AX -> Server:      Source IP 100.0.0.50     Dest IP 100.0.0.100
Server -> AX:      Source IP 100.0.0.100    Dest IP 100.0.0.50
AX -> Client:      Source IP 100.0.0.10     Dest IP 200.0.0.1

Topology: One-armed L2 (switched) mode (p. 2 of 2)

[Diagram] Client 200.0.0.1 on the Internet; AX Series, VIP = 100.0.0.10, SNAT = 100.0.0.50 and servers 100.0.0.[100-200] all on 100.0.0.0/24.

Benefits:
No change required on clients or servers
Easy to test
Clients can be in the servers' subnet

Points to keep in mind:
Servers lose client IP visibility (can be partly remedied by client IP header insertion in HTTP: X-ClientIP, name customizable)
Requires Source NAT on the SLB

Topology: L3 (routed) mode with SNAT (p. 1 of 2)

[Diagram] Client 200.0.0.1 on the Internet; AX Series routing between 100.0.0.0/24 (VIP = 100.0.0.10) and 100.0.1.0/24 (SNAT = 100.0.1.50); servers 100.0.1.[100-200].

Address rewriting (request, then reply):
Client -> AX:      Source IP 200.0.0.1      Dest IP 100.0.0.10
AX -> Server:      Source IP 100.0.1.50     Dest IP 100.0.1.100
Server -> AX:      Source IP 100.0.1.100    Dest IP 100.0.1.50
AX -> Client:      Source IP 100.0.0.10     Dest IP 200.0.0.1

Topology: L3 (routed) mode with SNAT (p. 2 of 2)

[Diagram] Client 200.0.0.1 on the Internet; AX Series between 100.0.0.0/24 (VIP = 100.0.0.10) and 100.0.1.0/24 (SNAT = 100.0.1.50, servers 100.0.1.[100-200]).

Benefits:
No change required on clients or servers
Easy to test

Points to keep in mind:
Servers lose client IP visibility (can be partly remedied by client IP header insertion in HTTP)
Requires Source NAT on the SLB

Topology: L3 (routed) mode w/o SNAT (p. 1 of 2)

[Diagram] Client 200.0.0.1 on the Internet; AX Series routing between 100.0.0.0/24 (VIP = 100.0.0.10) and 100.0.1.0/24; servers 100.0.1.[100-200].

Address rewriting (request, then reply; the client source IP is preserved):
Client -> AX:      Source IP 200.0.0.1      Dest IP 100.0.0.10
AX -> Server:      Source IP 200.0.0.1      Dest IP 100.0.1.100
Server -> AX:      Source IP 100.0.1.100    Dest IP 200.0.0.1
AX -> Client:      Source IP 100.0.0.10     Dest IP 200.0.0.1

Topology: L3 (routed) mode w/o SNAT (p. 2 of 2)

[Diagram] Client 200.0.0.1 on the Internet; AX Series between 100.0.0.0/24 (VIP = 100.0.0.10) and 100.0.1.0/24 (servers 100.0.1.[100-200]).

Benefits:
No change required on clients or servers

Points to keep in mind:
Configure the SLB as default gateway on the servers
Provides an additional layer of security

Topology: DSR mode (p. 1 of 2)

[Diagram] Client 200.0.0.1 on the Internet; AX Series on 100.0.0.0/24 with VIP = 100.0.0.10; servers 100.0.0.[100-200] on the same subnet, each with Loopback IP = VIP = 100.0.0.10.

Address handling (the AX rewrites only the destination MAC; IP addresses are untouched):
Client -> AX:        Source IP 200.0.0.1      Dest IP 100.0.0.10    Dest MAC = SLB MAC
AX -> Server:        Source IP 200.0.0.1      Dest IP 100.0.0.10    Dest MAC = Server MAC
Server -> Client:    Source IP 100.0.0.10     Dest IP 200.0.0.1     (reply bypasses the AX)

Topology: DSR mode (p. 2 of 2)

[Diagram] Client 200.0.0.1 on the Internet; AX Series and servers 100.0.0.[100-200] on 100.0.0.0/24; VIP = 100.0.0.10, also configured as Loopback IP on each server.

Benefits:
Highly scalable (SLB processes only incoming traffic)

Points to keep in mind:
Can't use any ACOS layer 7 features (aFleX can still be applied at virtual port level)
Configure the VIP IP as a loopback on the servers

Server Load Balancing (SLB)


ACOS SLB configuration has three core elements:
Servers, Service Groups, Virtual Servers (VIPs)


SLB: Server
Minimum configuration
Name
IP address (can use DNS name)
Ports

Server configuration
WebUI: Config > Service > SLB > Server
CLI: AX(config)# slb server <name> []

Server status and statistics
WebUI: Monitor > Service > SLB > Server
CLI: ACOS# show slb server []

SLB: Service Group


Minimum configuration
Name
Type (TCP/UDP)

LB Algorithm
At least one Server/Port


Load balancing algorithms


Service group load-balancing algorithms
Round-Robin
Least Connection

Service Least Connection


Weighted Round Robin
Weighted Least Connection
Service Weighted Least Connection
Fastest Response time
Least Request
Round Robin Strict
Stateless (new in release 2.4.2; see notes)

Health Monitor
Service availability is checked using health monitors
Health monitors can be applied to:
Server

Server:Port
Service Group

Health monitors can test server availability


On layer 3: ping (icmp)
On layer 4: tcp, udp
On layer 7 (application): http, https, ftp, smtp, pop3, snmp, dns, radius, ldap, rtsp, sip, ntp
Via manually created scripts

Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)



Applying health monitor


Physical server health monitor
If HM fails, that server is considered down and service groups configured with that specific
server stop using it for load balancing
Note: Default Server health monitor is icmp.

Physical server port health monitoring


If HM fails, that server port is considered down and service groups configured with that
specific server:port stop using it for load balancing
Note: Default TCP Server Port Health Monitor is tcp handshake

Service group health monitor


If HM fails for a specific member, the service group stops using this member for load
balancing
Note: By default there is no health monitor configured on Service Group

Source IP persistence
When to use Source IP persistence
Source IP persistence must be used when clients must have their future connections/traffic
terminated on the same server


Source IP persistence template

Create Source IP Persistence Template
Name
Type:
  Port (persistence per VIP:Port)
  Server (persistence per VIP)
  Service-Group (persistence per URL or Host)
Timeout: How long inactive entries are saved (default = 5 minutes)
Don't Honor Conn Rules: Ignore connection limits defined on Servers and Server Ports and connect new clients' connections to the Server (default = disabled)
Netmask: Granularity of Client IP address hashing (default = 255.255.255.255 for the most granularity). A coarser mask maps a whole client subnet to one server, and clients behind a shared proxy or NAT always share one entry.

Assign the Source IP Persistence Template to the Virtual Server Port

NAT: SLB Source NAT template

Create IP Source NAT Pool:
Name: Name of the pool
Start IP address (can be the AX interface IP)
End IP address (can be the same as Start IP)
Note: If the "Start" and "End IP address" are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows (the 16-bit source port space)
Netmask (used by "IP Source NAT Group" when servers are on different subnets)
(optional) Gateway: Specify a gateway to use to reply to the clients' requests
(optional) "HA Group": Specify the HA group to tie to the SLB source NAT pool

Assign the SLB Source NAT Pool to the Virtual Server Port

SLB: Virtual Server


Minimum configuration
Name
IP address (accessed by end users)

Virtual Server Ports (usually)


SLB: Virtual Server Port (vPort)


Minimum configuration
Type: (TCP/UDP/HTTP/HTTPS/Fast-HTTP/RTSP/FTP/MMS/
SSL-Proxy/SMTP/SIP/SIP-TCP/SIP-TLS/Others)
Port
Service Group (usually)

Pre-configured elements are applied here


SLB processing order: Virtual Server

Virtual Servers are processed from the most specific to the least specific. Example:
slb virtual-server acme 10.0.1.12
   port 80 http
      service-group acme
slb virtual-server emca 10.0.1.14
   port 0 tcp
      service-group emca
slb virtual-server default 0.0.0.0
   port 0 tcp
      service-group default

Virtual Servers are displayed in the order of processing from the CLI

SLB processing order: Virtual Server Port (vPort)

vPorts are displayed under the Virtual Server in the order they were added but processed from most specific to least specific. Example:
slb virtual-server default 0.0.0.0
   port 0 tcp
      service-group default
   port 80 tcp
      service-group http

In the above example port 80 will be matched against the incoming connection first
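The matching rule from the two processing-order slides above, as an added example that is not code from the course or from A10: a small model in which the most specific virtual server is tried first and, within it, an explicit port beats port 0 regardless of the order the vPorts were added. The table of virtual servers mirrors the slide configurations; the fall-through from a matched VIP that has no suitable vPort to the 0.0.0.0 wildcard is an assumption of this model, not a statement about ACOS internals.

```python
# Added example (not from the A10 course): model of "most specific match wins"
# for virtual servers and vPorts. The table below mirrors the slide examples.

WILDCARD = "0.0.0.0"

VIRTUAL_SERVERS = {
    # name: (VIP address, {port: (protocol, service group)})
    "acme":    ("10.0.1.12", {80: ("http", "acme")}),
    "emca":    ("10.0.1.14", {0: ("tcp", "emca")}),
    "default": (WILDCARD,    {0: ("tcp", "default"), 80: ("tcp", "http")}),
}


def processing_order(vservers):
    """Virtual servers in processing order: explicit addresses before 0.0.0.0."""
    return sorted(vservers.items(), key=lambda kv: (kv[1][0] == WILDCARD, kv[0]))


def select_vport(vservers, dst_ip, dst_port):
    """Return (vserver name, matched vPort, service group) for a new connection.

    An explicit port wins over port 0 on the same virtual server regardless of
    the order the vPorts were added. If a matched VIP has no suitable vPort the
    search continues to the wildcard VIP (an assumption of this model).
    """
    for name, (vip, ports) in processing_order(vservers):
        if vip != WILDCARD and vip != dst_ip:
            continue
        for candidate in (dst_port, 0):
            if candidate in ports:
                _proto, group = ports[candidate]
                return name, candidate, group
    return None


if __name__ == "__main__":
    for pkt in (("10.0.1.12", 80), ("10.0.1.14", 22), ("10.0.1.99", 80), ("10.0.1.99", 443)):
        print(pkt, "->", select_vport(VIRTUAL_SERVERS, *pkt))
```

Note the security consequence of the wildcard entries: a `0.0.0.0` virtual server with `port 0` catches every connection that nothing more specific claims, so it should carry the narrowest service group you can give it.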

SLB processing order: vPort configuration elements


Configuration elements applied on the Virtual Server Port are processed in the
following order:
Layer 4:
DNS template
Policy template
All other templates
Service group

Layer 7:
Cookie persistence template
aFleX script
All other templates
Service group


Lab
Configure Layer 4 SLB Virtual Server (VIP)
Physical servers
Service Group

Source NAT
Source IP Persistence
Virtual Server

Verify functionality


Section summary
In this section we discussed:
Load balancing's main goals: server load sharing and high availability of services
Load balancer network integration modes: routed, one-arm, transparent, and DSR
Two common L4 SLB options and their ACOS configuration

We have configured the following:
ACOS Layer 4 SLB Virtual Server
Source IP Persistence
SLB Source NAT

HTTP
Section 3

Section objectives
Understand HTTP
Understand ACOS HTTP load balancing
Configure HTTP Virtual Server

HTTP protocol
HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html), since obsoleted in 2014 by RFC 7230-7235
HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80)
Note: HTTPS uses the same protocol with explicit SSL/TLS encryption for higher security (usually on port 443)

HTTP is a sequence of network request/response transactions


Note: Browsers open multiple TCP sessions to download multiple objects from 1 web site in
parallel (2 sessions with IE5.5/6.0, 6 sessions with IE8, 15 sessions with Firefox 3.x)

Request and response options are sent via headers

HTTP request
Main request methods
"GET url": Request object from server
"POST url": Send data/object to server
Others: HEAD, CONNECT
Note: The Host (such as www.a10networks.com) is not a part of the url but is listed in the "Host" header in the request

Main request headers


"Host": Site name
"Connection: Keep-Alive" : Client support for using the same session for multiple
request/response transactions
"Accept-Encoding: gzip, deflate": Support for HTTP compression
"Cookie": Text used to keep track of user information

HTTP response codes


Main server response codes
200: OK (object in the response)
301: Redirect permanently

302: Temporary redirect


304: Not Modified
404: Page not found
5xx: Server error

HTTP response headers


Main response headers
"Last-Modified": When object was last modified
"Etag": Entity tag (used to detect object changes)

"Connection: Keep-Alive": Server support for using the same session for multiple
request/response transactions
"Set-Cookie": Asks user to save cookie to keep track of user information
"Cache-Control" / "Pragma": Cacheability of the object

SLB configuration for HTTP (p. 1 of 5)


Load Balancers don't need a specific configuration for basic HTTP load balancing - Any
L4 SLB VIP works for HTTP services
However, advanced load balancers provide techniques for improving HTTP services
Better Availability
Better Flexibility
Better Performance/Acceleration
Better Security

AX offers advanced flexibility options for web applications via HTTP templates
HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"

SLB configuration for HTTP (p. 2 of 5)


HTTP Health Monitor
ACOS provides the ability to test HTTP/HTTPS services using Health Monitors
HTTP/HTTPS Health Monitors have the following required parameters:
Port: TCP port
Method (GET or HEAD or POST)
URL

And the following optional parameters:


User + Password: For web sites that require authentication
Expect: Server Response code or Server text
Maintenance Code: To automatically mark the server in maintenance, rather than down (so users
with persistence to that server remain on that server)

SLB configuration for HTTP (p. 3 of 5)


URL failover
When all servers have failed, the ACOS can send an HTTP redirect to a backup site.
ACOS(config)# slb template http <template_name>
ACOS(config-http)# failover-url ?
WORD<length:1-255>

Failover URL Name

SLB configuration for HTTP (p. 4 of 5)


Retry HTTP request on HTTP 5xx
When the Server replies with a 5xx error, by default AX forwards it to the client. The retry
option tells the ACOS to resend the request to another Server in the Service Group.
The following options are available:
"On HTTP 5xx code for each request": The client request is resent to a new server
"On HTTP 5xx code": The client request is resent to a new server + the server that replied with the
5xx is not used for new requests for 30 seconds

"#": Number of servers that can be tried


Logging: Generates logs when this event happens
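The health-monitor parameters from the previous slides (method and URL, optional user + password, expect code or text, maintenance code) and the retry-on-5xx option on this one, as an added example that is not code from the course or from A10: build the probe request, classify the probe response as up, down or maintenance, and forward a client request with retry and a 30-second quarantine of the member that answered 5xx. The request and response bytes and the two-member service group are constructed for the demo; the verdict when no expect parameter is set (any status below 400 counts as up) is an assumption of this example.

```python
import base64

# Added example (not from the A10 course): health-monitor probe and verdict,
# plus retry-on-5xx with a 30 s quarantine. All bytes below are constructed.


def build_probe(method, url, host, user=None, password=None):
    """Serialize the monitor's request; add HTTP basic auth when credentials are set."""
    lines = [f"{method} {url} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if user is not None:
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Authorization: Basic {cred}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def judge(raw_response, expect_code=None, expect_text=None, maintenance_code=None):
    """Return 'up', 'down' or 'maintenance' for a probe response.

    Maintenance is checked first: the server stops receiving new clients but
    keeps the ones with persistence to it. With no expect parameter set, any
    status below 400 counts as up (an assumption of this example)."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    if maintenance_code is not None and status == maintenance_code:
        return "maintenance"
    if expect_code is not None and status != expect_code:
        return "down"
    if expect_text is not None and expect_text.encode() not in body:
        return "down"
    if expect_code is None and expect_text is None and status >= 400:
        return "down"
    return "up"


class RetryOn5xx:
    """Forward a request to the service group; on a 5xx reply retry on another
    member (up to `tries` servers) and quarantine the failing member for
    `quarantine_s` seconds. `send(member, request)` returns a status code."""

    def __init__(self, members, send, tries=2, quarantine_s=30):
        self.members = list(members)
        self.send = send
        self.tries = tries
        self.quarantine_s = quarantine_s
        self.quarantined_at = {}
        self.rr = 0

    def next_member(self, now, exclude):
        n = len(self.members)
        for i in range(n):
            m = self.members[(self.rr + i) % n]
            held = self.quarantined_at.get(m)
            if m in exclude or (held is not None and held + self.quarantine_s > now):
                continue
            self.rr = (self.rr + i + 1) % n
            return m
        return None

    def forward(self, request, now):
        """Return (status, member that answered, members tried)."""
        tried = []
        for _ in range(self.tries):
            m = self.next_member(now, tried)
            if m is None:
                break
            tried.append(m)
            status = self.send(m, request)
            if status < 500:
                return status, m, tried
            self.quarantined_at[m] = now
        return 503, None, tried   # every attempt failed: answer 503 ourselves


if __name__ == "__main__":
    ok = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>OK</html>"
    print(judge(ok, expect_code=200, expect_text="OK"))
    group = RetryOn5xx(["s1", "s2"], lambda m, _req: 500 if m == "s1" else 200)
    print(group.forward(b"GET / HTTP/1.1\r\n\r\n", now=0))
```

Two practical points the code makes visible: the monitor credentials travel base64-encoded, not encrypted, so an HTTP (as opposed to HTTPS) monitor with a user and password leaks that account to anyone on the server segment; and a retry is only safe for idempotent requests, since a POST that reached the failing server before it answered 5xx would be executed twice.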


SLB configuration for HTTP (p. 5 of 5)

Client IP header insertion
In Web server logs, the client IP address is logged. Web servers retrieve the client IP information from the source IP address.
Some ACOS advanced HTTP options (Connection Reuse or Source NAT) force the ACOS to establish the connection to the server with an ACOS IP address. In such case, the Web server loses the client IP address information.
To allow Web Servers to log Client IP address information, the ACOS can inject the Client IP information in a request header.
ACOS(config-http)#insert-client-ip ?
  WORD<length:1-63>   HTTP Header Name for inserting Client IP
  replace             Replace the existing header
  <cr>

Note: Use replace, and have the servers trust the header only on connections from the ACOS, so that a copy of the header supplied by the client cannot be logged in place of the real address.
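What insert-client-ip does to a request with and without replace, as an added example that is not code from the course or from A10: the request already carries an X-ClientIP header forged by the client, and the server-side function models a web server that logs the first header of that name. The requests are constructed for the demo.

```python
# Added example (not from the A10 course): insert-client-ip with and without
# "replace", seen from the web server's side. Requests are constructed.


def insert_client_ip(request, client_ip, header="X-ClientIP", replace=False):
    """Add `header: client_ip` to the request. With replace=True any copy of the
    header the client sent is dropped first, so the server sees only ours."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    prefix = header.lower().encode() + b":"
    if replace:
        lines = [line for line in lines if not line.lower().startswith(prefix)]
    lines.append(f"{header}: {client_ip}".encode())
    return b"\r\n".join(lines) + sep + body


def logged_client_ip(request, header="X-ClientIP"):
    """What a web server that trusts the header logs: the first occurrence."""
    head = request.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == header.lower().encode():
            return value.strip().decode()
    return ""


if __name__ == "__main__":
    spoofed = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"X-ClientIP: 10.0.0.1\r\n\r\n")   # header forged by the client
    print(logged_client_ip(insert_client_ip(spoofed, "203.0.113.7")))
    print(logged_client_ip(insert_client_ip(spoofed, "203.0.113.7", replace=True)))
```

Without replace the forged `10.0.0.1` is what ends up in the server log and in any access control keyed on that header; with replace the server sees only the address the load balancer observed on the TCP connection.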

Lab
Configure layer 7 HTTP Virtual Server
Physical servers
HTTP Health Monitor

Service Group
Source NAT
Source IP Persistence
Virtual Server
HTTP Templates
Header rewriting/insertion
URL Failover

Verify functionality

Section summary
In this section we discussed HTTP protocol
We have configured the following:
HTTP Virtual Server

HTTP health monitor


URL switching
Response header insertion


HTTPS
Section 4

Section objectives
Understand HTTPS
Understand ACOS HTTPS load balancing and its options
Configure HTTPS Virtual Server

HTTPS protocol
HTTPS (HTTP over TLS) RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)
HTTPS is the "secured" version of HTTP (usually port 443)
HTTPS offers
Server Authentication (with server certificates)
(optional) Client Authentication (with client certificates)
Encryption (with TLS/SSL)

Server authentication
TLS/SSL is based on public certificates and private keys
Certificates are issued and signed by Certificate Authority (CA)
HTTPS clients first request the server public certificate and validate it using list of
trusted CAs
When the server certificate is validated (name, date, etc.), the client sends its HTTP
request

SSL Negotiation
SYN (TCP Port 443)
SYN/ACK
ACK
CLIENT_HELLO (Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionID, Random Data)
SERVER_HELLO (Selected SSL Version, Selected Cipher, Selected Data Compr. Method, Assigned SessionID, Random Data)
CERTIFICATE (Public Key, Authentication Signature)
SERVER_DONE
CLIENT_KEY_EXCHANGE (with RSA key exchange: the pre-master secret encrypted with the server's public key; CERTIFICATE_VERIFY follows only when the client authenticates with its own certificate)
CHANGE_CIPHER_SPEC (contents of subsequent SSL record data sent by the client during the SSL session will be encrypted)
FINISHED (digest of all the SSL handshake messages so far for validation)
CHANGE_CIPHER_SPEC (subsequent data sent by the server during the SSL session will be encrypted)
FINISHED (digest of all the SSL handshake messages so far for validation)
Both sides derive the symmetric session keys from the pre-master secret and the two random values. From now on user data is encrypted.

HTTPS communication with clients


Client SSL templates
To enable HTTPS communication with the Clients
Client SSL template
Public certificate that will be presented to Clients
Private key (and its passphrase)
SSL cipher supported ("encrypted algorithm")
(optional) Client certificate request

HTTPS communication with servers


Server SSL templates
To enable HTTPS communication with the Servers
Server SSL template
SSL cipher supported ("encrypted algorithm")
(optional) CA that will be used to validate the Servers certificate

Secure redirect with SSL Offload


URL redirect / rewrite
When the Server replies with an HTTP redirect, the AX can rewrite it with a new value.
This option usually is used for transparent "SSL-ization" of HTTP web applications.
ACOS(config)# slb template http <template_name>
ACOS(config-http)# redirect-rewrite secure

Cookie persistence
When to use cookie persistence
Like Source IP Persistence, Cookie Persistence is used when HTTP/HTTPS clients must have
their future connections/traffic terminated on the same server.
But Cookie Persistence provides more granularity, since even different users coming from the
same Proxy (same IP address) will get different persistence with Cookie Persistence.
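The source-IP persistence template parameters from Section 2 (netmask granularity and idle timeout) and the cookie persistence contrast made here, as an added example that is not code from the course or from A10: two users behind one proxy address land on the same server under source-IP persistence, but each gets their own entry with cookie persistence. The server list and client addresses are constructed; protecting the cookie value with an HMAC is a design choice of this example, not a description of how ACOS encodes its persistence cookie.

```python
import hashlib
import hmac
import ipaddress
import os

# Added example (not from the A10 course): source-IP persistence with netmask
# granularity and idle timeout, next to cookie persistence. Servers and client
# addresses are constructed for the demo.

SERVERS = ["s1", "s2", "s3"]


class SourceIpPersistence:
    """Entries keyed by the client IP masked with `netmask`; idle entries expire
    after `timeout_s` seconds (template default: 5 minutes)."""

    def __init__(self, netmask="255.255.255.255", timeout_s=300):
        self.prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
        self.timeout_s = timeout_s
        self.table = {}   # masked client network -> (server, last_seen)
        self.rr = 0       # round-robin pointer for new clients

    def key(self, client_ip):
        return str(ipaddress.ip_network(f"{client_ip}/{self.prefixlen}", strict=False))

    def pick(self, client_ip, now):
        k = self.key(client_ip)
        entry = self.table.get(k)
        if entry is not None and now - entry[1] < self.timeout_s:
            server = entry[0]
        else:
            server = SERVERS[self.rr % len(SERVERS)]
            self.rr += 1
        self.table[k] = (server, now)
        return server


class CookiePersistence:
    """Persistence keyed by a cookie the load balancer sets. The value is an
    HMAC of the server name (a design choice here, not ACOS's encoding) so a
    client cannot steer itself to an arbitrary backend by editing the cookie."""

    def __init__(self, cookie_name="persist", secret=None):
        self.cookie_name = cookie_name
        self.secret = secret if secret is not None else os.urandom(16)
        self.rr = 0

    def token(self, server):
        return hmac.new(self.secret, server.encode(), hashlib.sha256).hexdigest()[:16]

    def pick(self, cookies):
        """Return (server, Set-Cookie value or None) for a request's cookies."""
        presented = cookies.get(self.cookie_name, "")
        for server in SERVERS:
            if presented and hmac.compare_digest(presented, self.token(server)):
                return server, None
        server = SERVERS[self.rr % len(SERVERS)]
        self.rr += 1
        return server, f"{self.cookie_name}={self.token(server)}"


if __name__ == "__main__":
    by_ip = SourceIpPersistence()
    by_cookie = CookiePersistence()
    # two users behind the same proxy share one source-IP entry ...
    print(by_ip.pick("198.51.100.5", 0), by_ip.pick("198.51.100.5", 1))
    # ... but each gets their own cookie and can land on different servers
    print(by_cookie.pick({})[0], by_cookie.pick({})[0])
```

With a /24 netmask every client in 203.0.113.0/24 shares one entry, which is the load-concentration effect the template's Netmask parameter trades against table size; an unrecognised or tampered cookie simply falls back to the load-balancing decision for a new client.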


Lab
Configure layer 7 HTTPS Virtual Server
Physical servers
Service Group

SSL Certificate
SSL Template
Source NAT
Cookie Persistence
Virtual Server
Transparent redirect

Verify functionality


Section summary
In this section we discussed HTTPS protocol
We have configured the following:
HTTPS Virtual Server using HTTP and HTTPS servers

HTTPS redirect
Cookie persistence


ACOS Acceleration
Section 5

Section objectives
Understand and configure advanced ACOS acceleration options:
Connection Reuse
HTTP compression

RAM Caching

Connection Reuse (p. 1 of 2)


Web servers need to manage:
New clients (open new sessions)
Clients leaving (close sessions)

Maintain all connected clients sessions

Note: Web browsers keep their TCP connections open - even when all objects have
been loaded

Connection Reuse (p. 2 of 2)


Connection Reuse off loads the server TCP stack
This option provides faster server response time and higher server scalability
Connection reuse
Terminates all clients connections to the ACOS device
Maintains persistent connections to the Servers
Sends all clients requests on the same persistent connections

Note: Connection Reuse requires SLB Source NAT


Note2: HTTP Keep-alive should be enabled on the web servers

SSL Offload
SSL Offload relieves the server of SSL tasks
This option provides faster server response time and higher server scalability
ACOS receives HTTPS client traffic and sends HTTP traffic to the servers

HTTP compression
Compresses HTTP/HTTPS objects
Uses less bandwidth and provides faster client download time
ACOS HTTP compression
Compresses objects sent to the clients (Note: By default, "text" (such as html/css/js) and
"application" (such as doc/xls/ppt/pdf))
If HTTP compression is enabled on the servers, ACOS transparently offloads this task from
servers

RAM Caching
Caches HTTP/HTTPS static and dynamic content in ACOS RAM
Delivers cached objects to clients directly from the ACOS Cache, offloading servers
Provides faster client download time and higher server scalability

RAM Caching HTTP response codes


Caches objects unless explicitly denied by the server's response
Caches responses with the following codes:
200 OK

203 Non-Authoritative response


300 Multiple Choices
301 Moved Permanently
302 Found (only if Expires header is also present)
410 Gone

RAM Caching limitations


Does not support client HTTP range requests (they are sent to the servers)
Does not cache server responses with "Vary" header (except "Vary: Accept-Encoding")
Does not cache server responses with "Warning" header
Does not cache server responses if requests had an "Authorization" header (even if the server specifies "Cache-Control: public")
Does not cache incomplete (partial) responses

RAM Caching dynamic objects


Allows the ACOS to Cache non-static objects
Need to understand application behavior to determine cacheability
What is to be cached?

How long is the cached content valid?


What is the trigger that would cause the response to change?

Parameterized requests
The URL matches a specific pattern.
Specific query parameters are present.
Specific cookies in the request are present.
Specific HTTP headers in the request are present.


RAM Caching dynamic objects caveats
When not to use dynamic caching:
Response sets cookies specific to that session. Example: response to a login page.
Response contains data specific to a previous action in the session. Example: confirmation number for a transaction that was just executed.
Response contains data that becomes stale based on a future action. Example: the portfolio page of a brokerage account user changes when the user executes transactions.
Different versions of the response cannot be distinguished by using the URL, query parameters, or cookies in the request. Example: the response contains personalized settings, such as the user name, but no query parameter or cookie directly identifies the user.

RAM Caching dynamic objects policies
Cacheability rules determine what is cacheable and what is not
Caching policies can be used to override/augment standard HTTP behavior
Policies are specified as follows:
policy <condition> <action>
Where: <condition> is of the form uri <pattern>, and <action> is cache <seconds>, no-cache, or invalidate <entry>
Note: More sophisticated conditions will be supported in future using aFleX policies

Policies are evaluated in the order they are specified. The action in the first policy that matches will be applied.

RAM Caching dynamic objects example
You have a web application with the following URLs:
http://x.y.com/list               lists all items from the database
http://x.y.com/add?a=p1&b=p2      adds an item to the database
http://x.y.com/del?c=p3           deletes an item from the database
http://x.y.com/private?user=u1    private info for the user

The list URI gets a lot of hits. It makes sense to cache that URI while it remains up to date. However, when a user performs an add or delete operation, the database changes and the cached list needs to be refreshed (invalidated). The private URI returns per-user data and should not be cached at all.
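The decision path described on the last three slides, as an added example that is not A10's code and not ACOS configuration: an ordered policy list evaluated first-match-wins, layered over the default cacheability rules (listed status codes, Vary/Warning/Authorization/partial-response checks). The policy form follows the slide's "policy uri <pattern> {cache <seconds> | no-cache | invalidate <entry>}"; treating <pattern> as a URI prefix, the 60 second default lifetime and the stand-in origin server are assumptions made here.

```python
from dataclasses import dataclass, field

# Status codes the slides list as cacheable by default.
CACHEABLE_STATUS = {200, 203, 300, 301, 302, 410}
DEFAULT_TTL = 60  # lifetime for objects that pass the default rules (assumed value)


def default_cacheable(req_headers, status, resp_headers):
    """Default rules from the slides: listed status codes only, 302 needs Expires,
    no Vary other than Accept-Encoding, no Warning, no Authorization on the request,
    no Range request or partial response, and nothing the server explicitly denies."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    if "authorization" in req or "range" in req:
        return False
    if status not in CACHEABLE_STATUS or (status == 302 and "expires" not in resp):
        return False
    if "warning" in resp or "content-range" in resp:
        return False
    vary = resp.get("vary", "").strip().lower()
    if vary and vary != "accept-encoding":
        return False
    cc = resp.get("cache-control", "").lower()
    if any(d in cc for d in ("no-store", "no-cache", "private")):
        return False
    return True


@dataclass
class CachePolicy:
    uri_prefix: str      # the <pattern> of "policy uri <pattern> ..." (prefix match assumed)
    action: str          # "cache" | "no-cache" | "invalidate"
    arg: object = None   # seconds for "cache", URI prefix to purge for "invalidate"


@dataclass
class RamCache:
    policies: list
    store: dict = field(default_factory=dict)   # uri -> (expires_at, body)

    def first_match(self, uri):
        """Policies are evaluated in order; the first match decides."""
        return next((p for p in self.policies if uri.startswith(p.uri_prefix)), None)

    def handle(self, uri, req_headers, origin, now):
        """Serve one request. origin(uri) -> (status, headers, body) stands in for
        the real server. Returns (body, 'HIT' | 'MISS' | 'BYPASS')."""
        pol = self.first_match(uri)
        if pol and pol.action == "invalidate":
            for key in [k for k in self.store if k.startswith(pol.arg)]:
                del self.store[key]
            return origin(uri)[2], "BYPASS"
        if pol and pol.action == "no-cache":
            return origin(uri)[2], "BYPASS"
        entry = self.store.get(uri)
        if entry and entry[0] > now:
            return entry[1], "HIT"
        status, headers, body = origin(uri)
        if pol and pol.action == "cache":
            ttl = pol.arg                               # policy overrides HTTP behaviour
        elif default_cacheable(req_headers, status, headers):
            ttl = DEFAULT_TTL
        else:
            return body, "BYPASS"
        self.store[uri] = (now + ttl, body)
        return body, "MISS"


def demo():
    """Walks through the slide's application: /list is cached, /add and /del purge it,
    /private is never cached. The origin below is a constructed stand-in server."""
    items = ["a", "b"]

    def origin(uri):
        path, _, qs = uri.partition("?")
        params = dict(p.split("=", 1) for p in qs.split("&") if p)
        if path == "/list":
            return 200, {"Content-Type": "text/plain"}, ",".join(items)
        if path == "/add":
            items.append(params["a"])
            return 200, {}, "added"
        if path == "/del":
            items.remove(params["c"])
            return 200, {}, "deleted"
        if path == "/private":
            return 200, {"Cache-Control": "private"}, "settings for " + params["user"]
        return 404, {}, "not found"

    cache = RamCache([
        CachePolicy("/list", "cache", 300),
        CachePolicy("/add", "invalidate", "/list"),
        CachePolicy("/del", "invalidate", "/list"),
        CachePolicy("/private", "no-cache"),
    ])
    t = 1000.0
    return [
        cache.handle("/list", {}, origin, t),                  # MISS, "a,b"
        cache.handle("/list", {}, origin, t + 1),              # HIT, "a,b"
        cache.handle("/add?a=c", {}, origin, t + 2),           # BYPASS, purges /list
        cache.handle("/list", {}, origin, t + 3),              # MISS, "a,b,c"
        cache.handle("/private?user=u1", {}, origin, t + 4),   # BYPASS
    ]
```

The order of the policy list matters: if the no-cache policy for /private were written as a broad "/" prefix and placed first, it would shadow every later entry, which is exactly the first-match rule the slide describes.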


Lab
Configure layer 7 HTTP Virtual Server
Physical servers
Service Group

Source NAT
Cookie Persistence
Virtual Server
Connection Reuse
Compression template
RAM Caching template

Verify functionality


Section summary
In this section, you have configured the following ACOS acceleration options:
Connection Reuse
SSL offload

HTTP compression
RAM Caching


ACOS Security
Section 6

Section objectives
Understand advanced ACOS security options
DDoS protection
PBSLB

ACL
Management security

DDoS protection (p. 1 of 2)
ACOS provides protection against Distributed Denial of Service (DDoS) attacks
Note: AX 2200 / AX 3100 / AX 3200 / AX 5100 / AX 5200 provide DDoS protection in hardware. Other models provide DDoS protection in software.

DDoS basic filters

DDoS configuration
WebUI: Config > SLB > Global
CLI: ACOS(config)# ip anomaly-drop <DDoS-type>

DDoS protection (p. 2 of 2)
Advanced DDoS filters are also available with system-wide PBSLB:
Invalid HTTP, SSL, or DNS payload
Zero-length TCP window
Out-of-sequence packet

Policy Based Server Load Balancing (PBSLB) (p. 1 of 2)
Using a PBSLB list:
Filter users (block and/or forward to specific service groups)

Note: IPv6 addresses are not supported in PBSLB lists.

PBSLB (p. 2 of 2)
Using a Class List you can limit users on their:
Layer 4 traffic:
Connection Limit
Connection-Rate Limit per 100 ms
Layer 7 traffic (for HTTP / HTTPS / DNS):
Request Limit
Request-Rate Limit per 100 ms

Note: IPv6 addresses are supported in class lists.

PBSLB Class List details
Large list support
Up to 8 M IP addresses
Up to 64 K IP subnets
Up to 32 group IDs

Highly efficient
Lists are stored in hash tables
Can process Gbps of traffic

(PBSLB list only) Automatic list download
The ACOS device can update its PBSLB list automatically at specific intervals via TFTP
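A model of the two class-list mechanisms just described, added here as an example and not A10's implementation: addresses and subnets map to a group ID through per-prefix-length hash tables (longest prefix wins), and each group carries a Layer 4 connection limit and a connection-rate limit per 100 ms. The over-limit action (drop the new connection), the fixed 100 ms window, and the group numbers and addresses below are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class GroupLimits:
    conn_limit: int    # max concurrent L4 connections per client address
    conn_rate: int     # max new connections per client address per 100 ms window


class ClassList:
    """Address -> group ID map. One hash table per prefix length, so a lookup costs
    at most one probe per distinct prefix length present (longest prefix wins)."""

    def __init__(self):
        self.tables = defaultdict(dict)   # prefix_len -> {network_as_int: group_id}

    def add(self, cidr, group_id):
        net = ipaddress.ip_network(cidr, strict=False)
        self.tables[net.prefixlen][int(net.network_address)] = group_id

    def lookup(self, ip):
        addr = int(ipaddress.ip_address(ip))
        for plen in sorted(self.tables, reverse=True):
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            gid = self.tables[plen].get(addr & mask)
            if gid is not None:
                return gid
        return None


class Limiter:
    """Applies the matched group's connection limit and connection-rate limit."""

    def __init__(self, class_list, groups):
        self.cl, self.groups = class_list, groups
        self.active = defaultdict(int)   # client -> open connections
        self.window = {}                 # client -> (window_start_ms, attempts_in_window)

    def new_connection(self, ip, now_ms):
        gid = self.cl.lookup(ip)
        if gid is None or gid not in self.groups:
            return "accept"              # client not in the class list: no limits apply
        lim = self.groups[gid]
        start, count = self.window.get(ip, (now_ms, 0))
        if now_ms - start >= 100:        # fixed 100 ms window (assumed semantics)
            start, count = now_ms, 0
        count += 1
        self.window[ip] = (start, count)
        if count > lim.conn_rate:
            return "drop-rate"
        if self.active[ip] + 1 > lim.conn_limit:
            return "drop-limit"
        self.active[ip] += 1
        return "accept"

    def close_connection(self, ip):
        if self.active[ip] > 0:
            self.active[ip] -= 1


def demo():
    """Constructed scenario: a /24 of lab clients gets group 1 (rate-limited); one host
    inside it is pinned to group 2 (tight concurrency limit) by a more specific entry."""
    cl = ClassList()
    cl.add("100.0.0.0/24", 1)
    cl.add("100.0.0.50/32", 2)
    groups = {1: GroupLimits(conn_limit=100, conn_rate=5),
              2: GroupLimits(conn_limit=2, conn_rate=50)}
    lim = Limiter(cl, groups)
    burst = [lim.new_connection("100.0.0.10", t) for t in range(0, 70, 10)]   # 7 attempts in 70 ms
    later = lim.new_connection("100.0.0.10", 150)                              # next window
    host = [lim.new_connection("100.0.0.50", 1000 + i) for i in range(3)]
    lim.close_connection("100.0.0.50")
    after_close = lim.new_connection("100.0.0.50", 1010)
    unknown = lim.new_connection("203.0.113.5", 2000)
    return burst, later, host, after_close, unknown
```

The per-prefix-length table is why the slide can promise both large lists and line-rate lookups: the cost is bounded by the number of distinct prefix lengths configured, not by the number of entries.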

Access Control List (ACL)
ACOS supports standard and extended Access Control Lists (ACLs)
ACLs can be applied to data interfaces, the management interface, and virtual server ports
Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
ACL components
[no] access-list acl-num [seq-num] {permit | deny | remark string} ip
  {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}}
  {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}}
  [log [transparent-session-only]]
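A parser and evaluator for ACL lines in the syntax above, added as an example rather than taken from ACOS: entries are matched in sequence-number order, the first matching entry decides, and a packet matching nothing falls through to an implicit deny. Reading <filter-mask> as a Cisco-style wildcard mask (0 bits must match), auto-assigning sequence numbers in steps of 10 when none is given, and the implicit deny are assumptions made here; the ACL and packets are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class AclEntry:
    seq: int
    action: str                  # "permit" | "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def _parse_addr(tokens):
    """Consume one address spec: any | host A | A <wildcard-mask> | A/len | A /len.
    Returns (network, remaining tokens). Wildcard masks are read Cisco-style
    (assumption); only contiguous masks are handled."""
    t = tokens[0]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if t == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if "/" in t:
        return ipaddress.ip_network(t, strict=False), tokens[1:]
    if tokens[1].startswith("/"):
        return ipaddress.ip_network(t + tokens[1], strict=False), tokens[2:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    if (wildcard + 1) & wildcard:
        raise ValueError("non-contiguous wildcard mask not handled: " + tokens[1])
    return ipaddress.ip_network(f"{t}/{32 - wildcard.bit_length()}", strict=False), tokens[2:]


ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(?:(\d+)\s+)?(permit|deny|remark)\s+(.*)$")


def parse_acl(text):
    """Returns {acl_num: [AclEntry, ...]} ordered by sequence number. Entries without
    an explicit seq-num get the next multiple of 10 (assumed auto-numbering); remarks
    are not match entries and are skipped."""
    acls, next_seq = {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError("unparsable ACL line: " + line)
        num, seq, action, rest = int(m.group(1)), m.group(2), m.group(3), m.group(4).split()
        if action == "remark":
            continue
        next_seq[num] = next_seq.get(num, 0) + 10
        seq = int(seq) if seq else next_seq[num]
        if rest[0] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, rest = _parse_addr(rest[1:])
        dst, rest = _parse_addr(rest)
        acls.setdefault(num, []).append(AclEntry(seq, action, src, dst, log=rest[:1] == ["log"]))
    for entries in acls.values():
        entries.sort(key=lambda e: e.seq)
    return acls


def evaluate(entries, src_ip, dst_ip):
    """First entry (lowest seq) whose source and destination both match decides.
    No match falls through to an implicit deny (conventional behaviour, assumed)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action, e.seq, e.log
    return "deny", None, False


# Constructed ACL: only the ops subnet may reach the management address; other
# attempts to reach it are denied and logged; everything else is permitted.
SAMPLE_ACL = """
access-list 100 remark mgmt-from-ops-only
access-list 100 10 permit ip 10.0.1.0 0.0.0.255 host 1.0.0.1
access-list 100 20 deny ip any host 1.0.0.1 log
access-list 100 30 permit ip any any
"""


def demo():
    acl = parse_acl(SAMPLE_ACL)[100]
    return [evaluate(acl, "10.0.1.7", "1.0.0.1"),       # ("permit", 10, False)
            evaluate(acl, "192.0.2.9", "1.0.0.1"),      # ("deny", 20, True)
            evaluate(acl, "192.0.2.9", "100.0.0.21")]   # ("permit", 30, False)
```

Because matching stops at the first hit, the re-sequencing option matters: inserting a broader permit with a lower sequence number than an existing deny silently disables that deny, which is the check to run after every ACL change.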

Management security
ACOS provides advanced management security options:
Multiple management accounts with distinct levels of access
Interface-level access control for individual access types (ICMP / Telnet / SSH / HTTP / HTTPS / SNMP)
Management account lockout in response to excessive invalid password attempts
External authentication support with RADIUS, TACACS+, and LDAP
Private partitions

Note: See the ACOS Series Configuration Guide for more information

Section summary
In this module, we presented ACOS advanced security options:
DDoS protection
PBSLB

ACL
Management security


High Availability (HA)
Section 7

Section objectives
Discuss High Availability and its options
Active-Standby mode
Active-Active mode

Configure Active-Standby HA

Active-Standby mode
Active ACOS device processes all the production traffic
Standby ACOS device does not process any production traffic
Standby ACOS device optionally mirrors L4 session information from Active
Reliability is scaled but not performance

Active-Standby Failover
Peer ACOS device is elected as active
Gratuitous ARPs for virtual, floating and NAT IPs are sent
Existing mirrored sessions are picked up by the newly elected active ACOS device
New sessions are served by the newly elected active

Active-Active mode
Both ACOS devices process the production traffic
Session and state information is mirrored between both ACOS devices
Performance is scaled in addition to reliability
Note: Do not exceed 50% utilization on each unit for full HA

Active-Active Failover
Peer ACOS device is elected active for HA group 2 and sends gratuitous ARPs for virtual IPs, floating IPs, and NAT IPs
Existing mirrored sessions are picked up by the peer ACOS device
Peer ACOS device serves requests for both HA groups

HA support
All ACOS integration modes support HA
Routed mode
Active-Standby, Active-Active

One-Arm mode
Active-Standby, Active-Active

Transparent mode
L2 Active-Standby

DSR mode
Active-Standby, Active-Active

Initial selection of Active ACOS device
After initial selection, the ACOS device remains Active unless:
Standby stops receiving HA heartbeat from Active
HA interface status of the Active becomes lower than the Standby's
VLAN-based failover is triggered
Gateway-based failover is triggered
HA pre-emption is enabled, and the configured HA priority is changed to be higher on the Standby

Events causing HA Failover
By default, a failover occurs only in the following cases:
Standby stops receiving HA heartbeat from Active
HA interface state changes give the Standby device a better HA state than the Active device
VLAN-based failover is configured and the VLAN becomes inactive
Gateway-based failover is configured and the gateway becomes unavailable
VIP-based failover is configured and the unavailability of real servers causes the Standby ACOS device to have the greater HA priority for the VIP's HA group

By default, failover does not occur due to HA configuration changes to the HA priority. To enable the ACOS devices to fail over in response to changes in priority, enable HA pre-emption.
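The failover decision for one HA group, written out as an added example (not ACOS code) so the pre-emption rule is explicit: a configured-priority difference only causes a failover when pre-emption is enabled, whereas heartbeat loss, interface state, VLAN or gateway checks, and a priority reduced by Dynamic Server Weight act by default. The exact amount each down server subtracts, and the A1/A2 numbers, are assumptions for the example; the evaluation order follows the slide.

```python
from dataclasses import dataclass, field


@dataclass
class HaUnit:
    name: str
    priority: int                     # configured priority for this HA group
    heartbeat_ok: bool = True         # the peer still receives this unit's heartbeats
    interfaces_up: int = 2            # HA-tracked interfaces that are currently up
    vlan_down: bool = False           # VLAN check configured and that VLAN inactive
    gateway_down: bool = False        # gateway check configured and gateway unreachable
    down_server_weights: list = field(default_factory=list)   # weights of servers seen down

    def effective_priority(self):
        """Dynamic Server Weight: each down server subtracts its weight (assumed model)."""
        return self.priority - sum(self.down_server_weights)


def failover_reason(active, standby, preempt=False):
    """Why the Standby takes over the group, or None if the Active keeps it. Order
    follows the slide: heartbeat, interface state, VLAN, gateway, VIP/server state,
    then a configured-priority difference, which only counts with pre-emption on."""
    if not active.heartbeat_ok:
        return "heartbeat lost"
    if active.interfaces_up < standby.interfaces_up:
        return "interface state"
    if active.vlan_down and not standby.vlan_down:
        return "vlan"
    if active.gateway_down and not standby.gateway_down:
        return "gateway"
    if active.down_server_weights and standby.effective_priority() > active.effective_priority():
        return "vip (dynamic server weight)"
    if preempt and standby.priority > active.priority:
        return "priority change with pre-emption"
    return None


def demo():
    """Constructed cases for the A1/A2 lab pair (Group1 priority 200 on A1, 100 on A2)."""
    a2 = HaUnit("A2", priority=100)
    return {
        "steady": failover_reason(HaUnit("A1", 200), a2),
        "priority_no_preempt": failover_reason(HaUnit("A1", 100), HaUnit("A2", 200)),
        "priority_preempt": failover_reason(HaUnit("A1", 100), HaUnit("A2", 200), preempt=True),
        "heartbeat": failover_reason(HaUnit("A1", 200, heartbeat_ok=False), a2),
        "interface": failover_reason(HaUnit("A1", 200, interfaces_up=1), a2),
        "two_servers_down": failover_reason(HaUnit("A1", 200, down_server_weights=[60, 60]), a2),
        "one_server_down": failover_reason(HaUnit("A1", 200, down_server_weights=[60]), a2),
    }
```

The two server cases show the sizing question behind Dynamic Server Weight: with a 100-point gap between the units, a single 60-point server outage does not move the group, two of them do.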

Active-Standby configuration (p. 1 of 2)
Configure HA Global settings
Identifier (A1 = 1, A2 = 2)
HA Status: Enabled
(optional) HA Mirroring IP address: the remote ACOS device's Sync interface
(optional) Preempt: fail over to the higher-priority ACOS device when it becomes available
Group1 with priority 200 on A1 (priority 100 on A2)
Floating IP for Group1: the IP address defined as the servers' gateway (VRRP-like)
(optional) IP and VLAN check (Note: the IPs have to be defined as SLB servers too)

Configure HA interfaces
All interfaces used with production traffic (+ the ACOS device interlink if one exists)
Note: We recommend a dedicated direct interlink between the ACOS devices so sync traffic stays off the production network

Active-Standby configuration (p. 2 of 2)
Configure NAT pool HA settings
In IP Source NAT, associate the HA Group with IPv4 Pools, IPv6 Pools, NAT Ranges, or Static NAT

Configure VIP HA settings
In VIP settings, associate the HA Group with the VIP
(optional) Enable Dynamic Server Weight: reduces the HA Group priority on this ACOS device when a server is down
(optional) Enable HA Connection Mirroring on the VIP ports: synchronizes the SLB session table (available for TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
Note: For HTTP/HTTPS VIP types, the client session is terminated on the ACOS device. HA Connection Mirroring is not available for these VIP types.

Active-Active configuration
Same as Active-Standby with two groups defined
Step 2:
Group1 with priority 200 on A1 (priority 100 on A2)
Group2 with priority 100 on A1 (priority 200 on A2)

Step 3:
Associate Group1 with half of the VIPs and Group2 with the second half

Step 4:
Associate Group1 with the NAT Pools used by VIPs in Group1 and Group2 with the NAT Pools used by VIPs in Group2

Lab
Configure HA Active/Standby mode with your neighbor


Section summary
We discussed High Availability modes
Active-Standby
Active-Active

We have configured Active Standby HA mode


ACOS Troubleshooting
Section 8

Section objectives
Learn ACOS troubleshooting tools
Use session-related commands
Perform packet trace in ACOS using axdebug

Log
ACOS logs many informational, warning, and error messages. show log is the first place to check when experiencing issues.
Port/Interface up/down messages
L2 loop detection warnings
Unicast/Multicast/Broadcast packet limit warnings
MAC address movement warnings
Duplicate IP warnings
Server & service port up/down messages
Application-specific error messages: SLB, PBSLB, HTTP, HA, AFLEX, ...

Monitoring
WebUI: Monitor > System > Logging > Logging
CLI: ACOS#show log [ | inc <reg_ex> ]

Audit log
ACOS logs administrative actions with username, date, and time stamp. It also logs
new administrative sessions.
Examples
Sep 30 2013 12:21:04 [admin] web: add Source IP Persistence template
[pers1] successfully.
Sep 30 2013 11:41:54 [admin] cli: vcs device-context device 2
Sep 30 2013 12:29:28 A web session[1] opened, username: admin, remote
host: 10.254.102.12

Monitoring
WebUI: Monitor > System > Logging > Audit
CLI: ACOS#show audit [ | inc <reg_ex> ]

Exporting logs
Set up permanent logging on a remote server
WebUI: Config > System > Settings > Log
CLI: ACOS(config)#logging [...]

Export existing logs
WebUI: Monitor > System > Logging > [ Logging | Audit ] > Export (save to laptop)
CLI: ACOS#export syslog messages [use-mgmt-port] <remote_destination>
(this exports the combined audit and syslog logs plus system messages; it is a lot larger than the normal log and audit output)

Correlating log to audit log
Use the built-in include and section utilities to find corresponding lines in the log, audit log, and running config
ACOS#show log
:45 Warning [ACOS]:Duplicated IP 10.0.1.1 MAC 000c.2976.5904 from Port 1 VLAN 3 detected
ACOS# show audit | inc
Sep 24 2013 09:56:46 [admin] cli: port 80 http
Sep 24 2013 09:56:28 [admin] cli: slb virtual-server vip1 10.0.1.1
ACOS(config)#show run | sec 10.0.1.1
ip route 0.0.0.0 /0 10.0.1.1
slb virtual-server vip1 10.0.1.1
  port 80 http

Server health check
Display health check statistics
ACOS#show health stat
[long list of statistics]
IP address   Port  Health monitor  Status  Cause(Up/Down)  Retry  PIN
10.0.2.18          default         UP      11 /0 @0        0      0 /0   0
10.0.2.19    80    default         UP      20 /0 @0        0      0 /0   0
10.0.2.18    80    web             UP      10 /0 @0        0      0 /0   0
10.0.2.19    80    web             UP      10 /0 @0        0      0 /0   0
see the CLI Reference manual for the codes

Show running health monitors
ACOS#show health monitor
Idle = Not used by any server    In use = Used by server
Monitor Name  Interval  Retries  Timeout  Up-Retries  Method  Status
ping          5         3        5        1           ICMP    In use
web           5         3        5        1           HTTP    In use

Examining running config
Examine the running config with the following tools
ACOS#show run [ | sec ^[0-z] ]
the optional element at the end of this command strips blank lines from the output
ACOS#show run | sec <config_element>
ACOS#show slb [...]
statistics for each configuration element
ACOS#show ha [config]
ACOS#show vrrp-a [ config | detail ]
ACOS#show vcs [ summary | message-buffer ]

Layers 1-4
Layer 1-2
ACOS#show int []

Layer 3
ACOS#show arp
ACOS#show ip route
ACOS#show access-list
ACOS#show run | sec router

Layer 4
ACOS#show slb l4
host#telnet <ip> <port>
ACOS#axdebug

Layer 7: HTTP
Show enabled L7 features
ACOS#show run | sec slb
Try without the advanced features first (compression, connection reuse, and so on)

Packet trace
ACOS#axdebug
Is the server receiving the request sent by the ACOS device?
Any standard HTTP header missing? (Host, method, and so on)
Do all of the HTTP headers have the desired values?
What is the response code in the server's response?
Size of request / response payload?
Is it taking a long time to process the request?
What are the cookies?

Layer 7: HTTPS
Show enabled features
ACOS#show run | sec slb
Are client-ssl and server-ssl templates applied on the vport?

Packet trace
ACOS#axdebug
Is the client able to finish the SSL handshake with the VIP?
Is the ACOS device able to finish the SSL handshake with the server?
Any issues pertaining to redirects?

Decrypted trace
Are there any absolute links in JavaScript / links / images (http://xxx)?

ACOS Performance
Show memory utilization
ACOS#show memory [ system ]
System Memory Usage:
  Total(KB)   Free      Shared  Buffers  Cached  Usage
  16456546    8224340   0       2420     159084  49.0%

Show cpu utilization
ACOS#show cpu [ interval [...] ]
shows utilization per CPU for the past minute. A customizable interval triggers continuous updates.

Show resource limits
ACOS#show system resource-usage
shows minimum, maximum, default, and currently set limits for configuration items

ShowTech
ShowTech is a comprehensive collection of output from many troubleshooting utilities. When contacting A10 Tech Support you will be asked to generate one.
WebUI: generate a new file and save it to your laptop
Monitor > System > Diagnosis > Show Techsupport

WebUI: view and save previously generated files
Monitor > System > Diagnosis > ShowTech File

CLI: generate and export the file to a remote server, or view it on the screen
ACOS# show techsupport [export] [use-mgmt-port] [<remote_destination>]

axdebug
Captured files are in pcap format (Wireshark / tcpdump)
Able to see every detail of the packets the ACOS device receives and sends
axdebug is session based
If one packet matches the filter, all the following packets in the same session are dumped

axdebug filters
Build filters to fine tune your capture
Multiple conditions within a filter are ANDed, multiple filters are ORed.
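The two rules above (AND inside a filter, OR across filters, session-based capture from the first matching packet onward), run over a constructed packet list as an added example; this is not ACOS code and the filter conditions are modelled, not axdebug's own keywords. Keying a session on the direction-folded 5-tuple is an assumption made here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def session_key(p):
    """Direction-independent 5-tuple so both directions of a flow share one session."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


# Condition builders; each returns a predicate on a Packet.
def ip_cond(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda p: ipaddress.ip_address(p.src) in net or ipaddress.ip_address(p.dst) in net


def port_cond(port):
    return lambda p: port in (p.sport, p.dport)


def proto_cond(proto):
    return lambda p: p.proto == proto


def min_length_cond(n):
    return lambda p: p.length >= n


def packet_matches(filters, p):
    """Conditions inside one filter are ANDed; the filters themselves are ORed."""
    return any(all(cond(p) for cond in f) for f in filters)


def axdebug_capture(filters, packets):
    """Session-based capture: a packet is written out if it matches, or if an earlier
    packet of the same session already matched."""
    captured, matched_sessions = [], set()
    for p in sorted(packets, key=lambda x: x.ts):
        key = session_key(p)
        if key in matched_sessions or packet_matches(filters, p):
            matched_sessions.add(key)
            captured.append(p)
    return captured


# Constructed trace: one HTTPS exchange from the client of interest, one DNS query,
# and one HTTPS packet from an unrelated client.
SAMPLE_PACKETS = [
    Packet(0, "tcp", "1.2.3.4", 50000, "100.0.0.21", 443, 60),     # SYN: no match yet
    Packet(1, "tcp", "100.0.0.21", 443, "1.2.3.4", 50000, 60),     # SYN/ACK: no match yet
    Packet(2, "tcp", "1.2.3.4", 50000, "100.0.0.21", 443, 1200),   # ClientHello: filter 1 matches
    Packet(3, "tcp", "100.0.0.21", 443, "1.2.3.4", 50000, 1400),   # same session: captured
    Packet(4, "tcp", "1.2.3.4", 50000, "100.0.0.21", 443, 60),     # same session, short: captured
    Packet(5, "udp", "1.2.3.4", 40000, "100.0.0.10", 53, 70),      # filter 2 matches
    Packet(6, "tcp", "9.9.9.9", 51000, "100.0.0.21", 443, 1500),   # nothing matches: not captured
]


def demo():
    filters = [
        [ip_cond("1.2.3.4/32"), min_length_cond(500)],   # filter 1: ip AND length
        [proto_cond("udp"), port_cond(53)],              # filter 2: udp AND port 53
    ]
    return [p.ts for p in axdebug_capture(filters, SAMPLE_PACKETS)]
```

Note what the session rule does not give you: the SYN and SYN/ACK that precede the first matching packet are not in the capture, so a filter meant to catch a handshake problem has to match the handshake packets themselves.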

axdebug example
ACOS#axdebug
ACOS(axdebug)#filter 1
ACOS(axdebug-filter:1)#ip 1.2.3.4 /32
ACOS(axdebug)#capture save <file_name>

Stop axdebug trace


ACOS#no axdebug

Export axdebug trace


ACOS#export axdebug <filename> [use-mgmt-port] <destination>


Session filtering
Fine tune session monitoring by using filters
ACOS(config)#session-filter <filter_name> [...]

Example
ACOS(config)#session-filter c1 source-addr 10.0.1.161 dest-addr 10.0.1.12 dest-port 80
ACOS#show session filter c1
Prot  Forward Source    Forward Dest  Reverse Source  Reverse Dest     Age  Hash  Flags  Type
Tcp   10.0.1.161:36690  10.0.1.12:80  10.0.2.18:80    10.0.2.16:14075  0    1     NSe1   SLB-L7
Tcp   10.0.1.161:36660  10.0.1.12:80  10.0.2.18:80    10.0.2.16:14045  0    1     NSe1   SLB-L7

Lab
Use session-control and packet-level CLI tools


aFleX
Section 9

Section objectives
Understand purpose of aFleX
Import and execute aFleX script

aFleX scripting language


aFleX is a powerful and flexible ACOS feature that you can use to manage your traffic
and provide enhanced benefits/services
aFleX uses industry-standard Tcl (Tools command language) based syntax
Standard Tcl commands
Special set of extensions provided by ACOS

aFleX allows:
Content inspection (headers / data)
Actions on traffic
Block traffic
Redirect traffic to a specific Service Group (pool) or Server (node)

Modify traffic content

aFleX elements (p. 1 of 3)
aFleX scripts are made up of three basic elements:
Events
Tests
Actions

Events
aFleX scripts are event-driven, which means that ACOS triggers the aFleX script whenever the corresponding event occurs. Examples:
HTTP_REQUEST is triggered when an HTTP request is received.
CLIENT_ACCEPTED is triggered when a client has established a connection.

aFleX elements (p. 2 of 3)
Operators
Standard Tcl operators
Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators: not, and, or

aFleX commands
Used to query for data, manipulate data, or specify a traffic destination. These may be grouped into three main categories:
Statement commands
Example: pool <name> directs traffic to the named load balancing pool

aFleX elements (p. 3 of 3)
Commands that query or manipulate data, examples:
IP::remote_addr returns the remote IP address of a connection
HTTP::header remove <name> removes the last occurrence of the named header from a request or response
Utility commands, useful for parsing and manipulating content, example:
decode_uri <string> decodes the named string using HTTP URI encoding and returns the result

Note: aFleX is extensible. In future releases, additional aFleX events and aFleX commands will be added

aFleX configuration
Place aFleX script on the ACOS device
Using CLI
Use a computer with any text editor to write an aFleX script and save it as a file.

Use import aflex command to import the aFleX file from a server to ACOS.
aFleX CLI syntax check: "aflex check <name>".

Using WebUI
With ACOS web interface, users can directly type in aFleX scripts and save them on the ACOS device
under "Config > Service > aFleX".

Using aFleX Editor


aFleX editor can download/upload aFleX scripts from/to the ACOS device. Moreover, it can do syntax
checking. It also has syntax highlighting, keyword auto-completion, etc.

aFleX examples (p. 1 of 2)
Redirect a specific client to a specific service group
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool sg2
    }
}
Note: This could also be achieved by PBSLB.

Redirect clients to https for the host secure.abc.com
when HTTP_REQUEST {
    if { [HTTP::host] equals "secure.abc.com" } {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
Note: This could NOT be achieved by PBSLB.

aFleX examples (p. 2 of 2)
Redirect clients to specific pools depending on the URL
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/finance" } {
        pool finance_pool
    } elseif { [HTTP::uri] starts_with "/dev" } {
        pool dev_pool
    }
}

Lab
Enter and verify aFleX script to block HTTP access to a designated directory


Summary
We discussed the purpose of aFleX
We wrote and executed a working aFleX script

