
Training Manual

Alteon Application Switch Level 1


Course 500-101

May 2011
Alteon Level 1 Training Manual

This document is protected by United States and international copyright
laws. Neither this document nor any material contained within it may be
duplicated, copied or reproduced, in whole or part, without the expressed
written consent of Radware, Inc.

Radware 2011. All rights reserved. Distribution of this document needs approval from Radware Knowledge & Education Services.

TABLE OF CONTENTS

Lab Overview
Basic Switch Configuration
    Overview
    Assignment
Server Load Balancing
    Overview
    Assignment
Persistent Load Balancing
    Overview
    Assignment
Content Load Balancing
    Overview
    Assignment
SSL Acceleration
    Overview
    Assignment
Switch Troubleshooting
    Overview
    Assignment
Virtual Router Redundancy
    Overview
    Assignment
BBI Web Based Management Labs
    BBI SLB configuration of the Switch
    BBI Layer 7 Passive Cookie Persistence Configuration
    BBI Content Load Balancing Configuration
    BBI configuration for VRRP


Description of the Lab Environment

This lab kit consists of Radware Alteon application switches, virtual PCs called
Team-PCs and, for each switch, a pair of servers.
Access to the Team-PCs from the classroom PC is via the VNC application. A copy of a
VNC client is in the tools folder on your USB stick. Product documentation and useful
information are also on this USB stick. All Team-PCs and web servers are preconfigured.
The URL and port you need to use will be assigned by your instructor. Course delegates
have serial access to all Radware Alteon switches via a terminal server. On your
Team-PC, use the preconfigured Putty application in the quick start area. For FTP, TFTP
and syslog, use the 3CD application. Both icons are located in the Quick Launch area.

All cables to the devices are already connected; please keep this in mind.

All documentation, tools, software, applications and feature key codes are on the CD-ROM of
each Team-PC.

The following equipment is required for each delegate to complete the labs:

1 Local Workstation (Laptop) capable of running VNC, Web and Putty

At the remote lab location:

1 Radware Alteon Application switch (AS)
1 Team-PC (interface between remote and local lab)
4 Web servers


Lab Overview

Purpose
This document provides details about the technical training topics covered in the
Radware Alteon 500-101 Application Switch Level 1 technical training curriculum.

This course covers basic configuration and troubleshooting of local server load balancing,
persistent SLB, content SLB, and SSL acceleration. The Application Switch Level 1 training is
for students who have good knowledge of network switching and routing features using
standard protocols.
The training material for this course consists of a PowerPoint presentation for theory and a
Training Manual for hands-on work, to be used in tandem.

The features and functions of Radware Alteon devices discussed in this document are based
on version 27.

If your Radware Alteon device is running an older or newer version of firmware, or if you are
using an older version of Application Switch Element Manager (ASEM), some of the features
and implementations discussed in this manual may not be available or some terminology
might be different.

For your existing onsite device, please contact Radware technical support at
support@RadwareAlteon.com.

The following font conventions are used in this manual:

Bold indicates the buttons or menu selections in the ASEM or Browser Based Interface
(BBI) graphical user interface (GUI) used to reach a particular screen or window.
Underline indicates an option area within an ASEM or BBI screen or window, such as
drop-down lists, check boxes, etc.
Italics indicates the value or setting supplied in a window or screen.
Courier indicates CLI commands on serial, Telnet or SSH connections.
{value-A, value-B} indicates available CLI command options.


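Lab Configuration for All Teams

[Figure: lab configuration for all teams. The classroom PC connects via VNC to the
Team-PCs; a terminal server provides one serial connection to each content switch.
Shown: 8 virtual Team-PCs, router, 8 Alteon switches, 2 servers per team.]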


Detailed Lab Configuration for Each Delegate / Group

[Figure: public net (1), private net (2), management net.]

Server1: 10.200.#.100
Server2: 10.200.#.200
Def. GW: 10.200.#.#

URL for lab access:
    Europe (Munich Lab): lab-muc.radware.com or IP: 88.217.164.10
    Americas (NJ Lab): njlab1.radware.net or IP: 65.217.163.34
VNC remote access to Team-PC:
    Port: 5901 to 5930
    Password: team1 to team30
Remote access to Management IP address:
    Americas (NJ Lab): njlab1.radware.net or IP: 65.217.163.34
    Direct SSH: Port: 7601 until 7630
    Direct SSL: Port: 7701 until 7730
    URL: lab-muc.radware.com or IP: 88.217.164.10
    Serial access via telnet: Port: 4231 until 4238
    Access via http to VIP: Port: 4921 until 4928

Alteon Application team switch:

    Management net:
        IP      10.10.242.#
        Mask    255.255.248.0
        GW      10.10.240.1

    Public net:
        Vlan    11
        IP      192.168.100.# /24
        GW      192.168.100.254

    Virtual IP:
        VIP     192.168.100.2#

    Port 2 private net:
        Vlan    14
        IP      10.200.#.# /24

# indicates your Team number assigned by your instructor.



Detailed Redundant Lab Configuration for Each Delegate / Group

[Figure: redundant lab topology. Team-PC odd and Team-PC even on the public net; odd
team switch and even team switch; Server 1 (10.10.#.100) and Server 2 (10.10.#.200) on
the private net.]

Server1: 10.200.#.100
Server2: 10.200.#.200
Def. GW: 10.200.#.#

For access to the remote lab, see the previous page.

                        Odd team switch          Even team switch

Port 1 public net
    VLAN                11                       11
    IP                  192.168.100.#+10/24      192.168.100.#+20/24
    GW                  192.168.100.254          192.168.100.254
    VIR                 192.168.100.#            192.168.100.#
    VRID                #                        #
    Priority            101                      100

Port 2 private net
    VLAN                14                       14
    IP                  10.200.#.#+10/24         10.200.#.#+20/24
    VIR                 10.200.#.#               10.200.#.#
    VRID                #+10                     #+10
    Priority            101                      100

Virtual IP
    VIP                 192.168.100.2#           192.168.100.2#
    VSR                 192.168.100.2#           192.168.100.2#
    VRID                #+20                     #+20
    Priority            101                      100

# indicates your Team number assigned by your instructor.


Basic Switch Configuration

Overview
Description
A Radware Alteon Application Switch (AAS) is based on a Layer 2 switch, not on a router.
For management purposes, you can access the switch in the following ways:
Via Command Line Interface (CLI): access and configure the application switch over a
serial connection on the console port, using a computer running any terminal emulation
software, or over a Telnet or SSH connection on any Ethernet port.
Via a Graphical User Interface: any Java-enabled browser can manage the AAS via
HTTP or HTTPS; this is called the Browser Based Interface (BBI). Another
possibility is using SNMP and the Application Switch Element Manager (ASEM)
application.

The management port on the Application Switch is used exclusively for managing the switch
via an out-of-band Fast Ethernet connection. In-band (on all data ports) or out-of-band
(management port) connections via Telnet, SSH, HTTP or HTTPS are possible. You can upgrade
switch code via TFTP or FTP, and you can back up and restore the configuration via TFTP,
FTP or SCP. There is an option to keep these management port settings when booting from
the factory-default config block.

An Application Switch supports up to 2048 VLANs per switch, and each VLAN can be identified
by any number between 1 and 4090. VLANs are set up on a per-port basis. Each VLAN can have
any number of switch ports in its membership. Each port in the switch has a configurable
default VLAN number, known as its PVID. The factory default value for all PVIDs is 1.

Each port on the switch can belong to one or more VLANs. Any port that belongs to multiple
VLANs, however, must have VLAN tagging enabled. The Application Switch supports 802.1Q
VLAN tagging, providing standards-based VLAN support for Ethernet systems. Tagging adds
the VLAN identifier to the frame header, allowing multiple VLANs per port. Since tagging
fundamentally changes the format of frames transmitted on a tagged port, you must carefully
plan network designs to prevent tagged frames from being transmitted to devices that do not
support 802.1Q VLAN tags. By default, VLAN tagging is set to off and a single VLAN,
number 1, is set up on each port.


An interface is a logical network definition. A separate interface is required for each
directly connected network. The interface number is independent of any physical port or
VLAN. For easier management, the port, VLAN and interface often all use the same number,
or a number based on a custom logic. The mask describes the size of this network.
The address defines your local IP address, which accesses this directly connected network.
By default, IPv4 is enabled, and IPv6 is supported. A new interface is automatically
associated with VLAN 1 unless this is changed. The VLAN value associates this network to
one or more ports with the same number as the network. Associating another interface with
the same VLAN enables both networks on this Ethernet port or ports. This is called
multinetting. Enabling tagging and associating several VLANs with a port behaves
similarly: each interface associated with one of these VLANs is also associated with
these ports.

Without Layer 3 IP routing on the switch, traffic to an unknown destination IP address is
sent to the default gateway (GW). Default GWs 1 to 4 are not assigned to any VLAN. The
Strict metric always uses the gateway with the lowest number. In case of failure, the next
highest number is used. The round-robin metric uses the next higher GW number for each
session. After reaching the highest configured number, it starts from the lowest again.
ICMP messages are the default for health checks. Alternatively, use the ARP protocol.

GWs 5 through 259 are each associated with a separate single VLAN. All unknown destination
IP addresses for a VLAN are sent to the associated GW. If this GW fails, the switch uses GW
1-4 if present; if not present, no routing is possible.
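
Added example (not part of the original manual and not Radware code): a small Python model of the default-gateway selection rules described above, useful for predicting which gateway a session takes after a health-check failure. The class and method names are hypothetical, and skipping failed gateways under the round-robin metric is an assumption; the manual states failover only for the strict metric.

```python
class GatewayTable:
    """Model of the default-gateway rules from the overview (not switch code)."""

    def __init__(self, metric="strict"):
        if metric not in ("strict", "roundrobin"):
            raise ValueError("metric must be 'strict' or 'roundrobin'")
        self.metric = metric
        self.shared = {}     # GW 1-4, not tied to a VLAN: number -> healthy?
        self.vlan_gw = {}    # VLAN id -> GW number (5-259), one VLAN per GW
        self.health = {}     # GW 5-259: number -> healthy?
        self._last = 0       # last shared GW handed out (round-robin state)

    def add(self, number, vlan=None):
        """Configure a gateway; new gateways start out healthy."""
        if 1 <= number <= 4 and vlan is None:
            self.shared[number] = True
        elif 5 <= number <= 259 and vlan is not None:
            self.vlan_gw[vlan] = number
            self.health[number] = True
        else:
            raise ValueError("GW 1-4 take no VLAN; GW 5-259 need one VLAN")

    def set_health(self, number, healthy):
        """Record the result of the ICMP (or ARP) health check for a gateway."""
        table = self.shared if number in self.shared else self.health
        if number not in table:
            raise KeyError(number)
        table[number] = healthy

    def select(self, vlan=None):
        """Return the GW number for a new session, or None if nothing can route."""
        number = self.vlan_gw.get(vlan)
        if number is not None and self.health[number]:
            return number                      # the VLAN's own gateway is up
        up = sorted(n for n, ok in self.shared.items() if ok)
        if not up:
            return None                        # no GW 1-4 available: no routing
        if self.metric == "strict":
            return up[0]                       # lowest-numbered healthy gateway
        # Round robin: next higher number than last time, wrapping to the lowest.
        self._last = next((n for n in up if n > self._last), up[0])
        return self._last


def strict_failover_demo():
    """GW 1 and 2 shared, GW 5 bound to VLAN 14; fail GW 5, then GW 1, then GW 2."""
    table = GatewayTable("strict")
    table.add(1)
    table.add(2)
    table.add(5, vlan=14)
    picks = [table.select(vlan=14)]
    for failed in (5, 1, 2):
        table.set_health(failed, False)
        picks.append(table.select(vlan=14))
    return picks


if __name__ == "__main__":
    print(strict_failover_demo())
```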

Objectives
After completing this lab, you will be able to:
Log in to the switch
Configure VLANs and interfaces
Back up a configuration
Use BBI and ASEM GUIs

Equipment
The following equipment is required to complete this lab:
1 Classroom PC (in front of you)
1 Application Switch
1 Team-PC, (interface between remote and local lab)
2 Servers (web application)
1 FTP/TFTP server on your Team-PC


Assignment
Physically, your network is wired as per the diagram on the Lab Description
pages. In order to configure this Application switch, connect to the serial port.
On the remote Team-PC, the Putty application is preconfigured to connect via
a terminal server to the serial port.
Task 1: Set up this Application Switch to operate as a router:
Start by checking that the device is set to the factory default.
Configure two VLANs, for public and private networks, and two
INTERFACES according to the IP plan on the Lab Description pages.
Set up a DEFAULT GATEWAY to complete the setup.
Test access from Team-PC to server1 and 2. Ping 10.200.#.100 or .200
and browse to http://10.200.#.100 or .200.
Task 2: Use the copy and paste feature to modify or back up your
configuration data.
Task 3: Back up your configuration using the FTP/TFTP protocol.
Task 4: Set up the two GUI management interfaces BBI and ASEM.

IMPORTANT:
X indicates any IP address assigned by DHCP on your Team-PC.

# indicates your Team number assigned by your instructor.

On your Team-PCs, the Putty application is already set up. Individual settings
to connect via serial to the Application switches are already configured. If the
application is missing, check the CD-ROM. Be aware that a serial connection to an
Application switch can only be established from one PC at a time; a
second connection will fail. For a second connection, enable Telnet or SSH or
use any GUI.


Configuring the Application Switch Management Interface

Configuration steps 1 through 6 may have been completed by your instructor. We recommend
that you still go through these steps.

1. Log into the Application Switch:
   a. Open Putty; connect to Team#-4408.
   b. Enter the admin password admin.

2. Check whether the switch is set to factory default:
   Display all the differences from a standard configuration on your terminal. In the main
   menu, select cfg.

   >> Main# /cfg/dump          short form /c/d

   script start "Alteon Application Switch 4408" 4 /**** DO NOT EDIT THIS LINE!
   /* Version 27.Y.Z, Base MAC address 00:03:b2:71:b5:c0
   /
   script end /**** DO NOT EDIT THIS LINE!

   There should be no configuration data between /* Version and script end.


3. If there is any configuration, set the switch to factory default.

   Syntax:
   /boot/conf {location of config db}
                               active or backup are customer configurations copied from
                               floatable memory; the Radware preconfigured setting is
                               factory.

   Lab Configuration:
   /boot/conf factory          short form /b/co f
   reset                       short form r, resets the switch to activate the setting
   y                           confirms reset

4. Press Enter to reboot the switch. After approximately 1 minute, log into the switch using
   the admin password.

5. On a 4408 switch, enable port 6 as the out-of-band management port.

   Syntax:
   /boot/mgmt ena              turns port 6 from a data port into a separate management port

   Lab Configuration:
   /boot/mgmt ena
   Current state of mgmt port is Disabled
   Globally [ena|dis] mgmt port (requires a switch reset): ena
   Mgmt port state changed.
   reset

6. Set up a separate management interface for the management port.

   Syntax:
   /cfg/sys/mmgmt
   addr {management IP-address}
   mask {Netmask for management port}
   gw {default gateway IP-address for mgmnt net}
   applications {data|mgmt}    by default, all management applications use the data
                               port; consider moving them to the management port
   ena                         the management port needs to be enabled
   /c/sys/mmgmt/port
   speed {10|100|any}          sets the speed of the link on the management port. Default is any.
   mode {full|half|any}        sets half or full duplex mode. Default is any.
   auto {on|off}               sets auto negotiation for the port. Default is on.
   apply                       without apply, settings remain pending
   save                        writes all changes to flash memory
   y                           confirms saving to FLASH
   y                           selects active as the next boot database

   Lab Configuration, keep the default port parameters:
   /cfg/sys/mmgmt
   addr 10.10.242.#
   mask 255.255.248.0
   gw 10.10.240.1
   tftp mgmt
   ena
   apply
   save
   y
   y

After the following message, the management network is ready to use:

   >> Management Port#
   <date,time> NOTICE ip: management port default gateway 10.10.240.1 operational

If you want to continue with a graphical interface instead of the CLI, continue with page 22
(Graphical Web User Interface, Browser Based Interface (BBI)).


Command Line User Interfaces (CLI)

1. Create new VLANs for ingress and egress ports. We keep unused ports on VLAN 1. By
   default all ports are enabled. Double-check that no port has been disabled.

   Syntax:
   /cfg/l2/vlan {Vlan Number}/add {Physical Port1}/add {Physical Port2}/etc
                               creates a new VLAN and adds the specified port(s)

   Lab Configuration:
   /cfg/l2/vlan 11/add 1       creates VLAN for clients, VLAN 11; type L2, not 12!
   y                           moves port from VLAN 1 (default) to VLAN 11,
                               does not tag it
   ena                         enables VLAN
   ../vlan 14/add 2/ena        creates VLAN 14 for the private net
   y                           moves port from VLAN 1 (default) to VLAN 14, no tagging
   apply                       activates configuration change;
                               should be done after each complete configuration step.

2. Turn off Spanning Tree Group (STG) on the switch. This protocol is used to avoid Layer 2
   loops. It should be enabled or disabled depending on the customer's network. For training
   purposes, in this and the following labs we always disable it.

   Syntax:
   /cfg/l2/stg {ST number}/{off, on}
                               up to 16 different ST groups are possible

   Lab Configuration:
   /cfg/l2/stg 1/off           disables STP group 1; the default group is 1
   apply                       activates configuration change

3. Configure the interfaces for the switch as shown in the Lab Description pages. You must
   create a separate interface for each network that you want to connect directly to this
   switch. The interface index number used is independent of any physical port, VLAN etc. A
   common number for port, VLAN and interface will simplify debugging and management.

   Syntax:
   /cfg/l3/if {interface number}/{item parameter}/{item parameter}
                               up to 255 different networks are supported

   Lab Configuration:
   /cfg/l3/if 1                start configuring interface 1
   mask 255.255.255.0          enter the mask to calculate the broadcast address
   addr 192.168.100.#          refer to the lab description for your IP address
   vlan 11                     associates this IF with VLAN 11, to use it on port 1
   ena                         enables interface 1

   For the second network, the Web server network, you need an additional interface. It is
   also possible to put all parameters on one line, separated by forward slashes.
   /c/l3/if 2/vlan 14/mask 255.255.255.0/addr 10.200.#.#/ena


4. Set the default gateway. Destination IP addresses that are not from local networks or do
   not match routing table entries are sent to this destination. GW 1 to 4 are for all VLANs;
   GW 5 to 259 can each be associated with one VLAN. An important option is to switch from
   ICMP to ARP health check.

   Syntax:
   /cfg/l3/gw {gateway number}/{parameter}/{parameter}

   Lab Configuration:
   /cfg/l3/gw 1                Gateway 1 (up to 4) is for all VLANs.
   addr 192.168.100.254        interface of the next hop router
   ena                         enables the default gateway
   apply                       activates the switch configuration

5. To distinguish different switches, especially if there are several in a solution, create
   an individual CLI prompt. Under system SNMP, define a character string and activate it by
   setting hprompt to enable.

   Syntax:
   /cfg/sys/ssnmp/name string
   /cfg/sys/hprompt ena

   Lab Configuration:
   /cfg/sys/ssnmp/name team#>  defines a character string
   /cfg/sys/hprompt ena        activates the individual CLI prompt

6. Enable remote access. All different variations for CLI, BBI, and socket-based
   communication as well as user passwords and access rate settings per protocol are
   available.

   Syntax:
   /cfg/sys/access/{access protocol}/{parameter}

   Lab Configuration:
   /cfg/sys/access/tnet ena    enables telnet access via if-address
   /cfg/sys/access/sshd/on     enables ssh access via if-address
                               (enable ssh or telnet only via serial connection)
   apply                       activates remote access
   save                        saves the switch configuration, confirm with y

7. Check the current configuration of your switch.

   /cfg/dump                   displays your configuration information

   Check that the IP interfaces, addresses and subnet masks that you have just configured
   are correctly shown and are enabled in the configuration.


8. Ping the remote devices on the network from your Application switch CLI to confirm Layer
   3 connectivity.

   Syntax:
   ping {host name} or {IP address}
                               optional: number of attempts {tries 1-32}, interval between
                               packets {msec delay}, and the port on which the packet is
                               sent {-mgmt or data}

   Lab Configuration, type at the Application switch command line:
   ping 10.200.#.100           e.g. for team21: ping 10.200.21.100

9. Open any browser on your client PC to retrieve a Web page from each server to confirm
   HTTP is operational.
   http://10.200.#.100         e.g. for team21: http://10.200.21.100

10. Use telnet or SSH on the client to connect directly to the switch. Enter admin as the
    password to access the switch.

    Open a CMD window or use the Putty application: telnet 192.168.100.#
    Use Putty to connect via SSH: 192.168.100.# port 22

The purpose of this hands-on was to familiarise yourself with the console
connection setup. After completing your configuration, you were shown how to
enable, apply, and save your settings for future use.

An acronym to help remember how to save your work is:

EASY (E = Enable, A = Apply, S = Save, Y = Yes, to confirm the save)

Please go ahead with the exercises on the following pages to save the
configuration of this switch.
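
Added example (not part of the original manual and not Radware code): a Python check that reads the commands typed in this lab, in both the multi-line menu form and the single-line slash-separated form, then verifies that each enabled default gateway lies on an enabled interface network and reports Telnet and HTTP management access as cleartext. The menu tree covers only menus that appear in this manual, the function names are hypothetical, and the sample input is constructed using team number 21.

```python
import ipaddress

# Menu tree limited to the menus that appear in this manual's commands; any
# other word inside a menu is treated as an item (a setting) of that menu.
TREE = {"cfg": {"l2": {"vlan": {}, "stg": {}},
                "l3": {"if": {}, "gw": {}},
                "sys": {"access": {"sshd": {}, "https": {}}, "mmgmt": {}},
                "port": {}}}
ALIASES = {"c": "cfg"}                      # /c/... is the short form of /cfg/...
SESSION = {"apply", "save", "y", "diff"}    # session commands, not settings

# Constructed sample: the lab commands from this section for team 21.
SAMPLE = """\
/cfg/l2/vlan 11/add 1
ena
../vlan 14/add 2/ena
/cfg/l3/if 1
mask 255.255.255.0
addr 192.168.100.21
vlan 11
ena
/c/l3/if 2/vlan 14/mask 255.255.255.0/addr 10.200.21.21/ena
/cfg/l3/gw 1
addr 192.168.100.254
ena
/cfg/sys/access/tnet ena
/cfg/sys/access/sshd/on
/cfg/sys/access/http e
apply
save
"""


def parse(text):
    """Return {menu path: {item: value}}; a repeated item keeps its last value."""
    config, stack = {}, []                  # stack of (label, subtree) pairs
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SESSION:
            continue
        segments = line.split("/")
        if line.startswith("/"):            # absolute path: restart at the root
            stack, segments = [], segments[1:]
        for seg in segments:
            parts = seg.split(None, 1)      # spaces or tabs between word and value
            if not parts:
                continue
            word = parts[0]
            value = parts[1].strip() if len(parts) > 1 else ""
            if word == "..":                # relative path: go up one menu
                stack = stack[:-1]
                continue
            if not stack:
                word = ALIASES.get(word, word)
            children = stack[-1][1] if stack else TREE
            if word in children:            # a menu, possibly with an index
                stack = stack + [(f"{word} {value}".strip(), children[word])]
            else:                           # an item of the current menu
                path = tuple(label for label, _ in stack)
                config.setdefault(path, {})[word] = value or True
    return config


def _l3(config, kind):
    """Yield (label, items) for enabled /cfg/l3 entries of one kind ('if' or 'gw')."""
    for path, items in config.items():
        if (len(path) == 3 and path[:2] == ("cfg", "l3")
                and path[2].startswith(kind + " ") and items.get("ena")):
            yield path[2], items


def audit(config):
    """Return findings: unreachable gateways first, then cleartext management."""
    findings = []
    nets = [ipaddress.ip_interface(f"{i['addr']}/{i['mask']}").network
            for _, i in _l3(config, "if") if "addr" in i and "mask" in i]
    for label, items in _l3(config, "gw"):
        if "addr" in items:
            gw = ipaddress.ip_address(items["addr"])
            if not any(gw in net for net in nets):
                findings.append(f"{label}: {gw} is not on any enabled interface network")
    access = config.get(("cfg", "sys", "access"), {})
    for item, name in (("tnet", "Telnet"), ("http", "HTTP")):
        if str(access.get(item, "")).startswith("e"):     # "ena" or short "e"
            findings.append(f"{name} management access is enabled (cleartext)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print(finding)
```

Run it against a text file of typed commands such as the SW.txt created in the next exercise; the /cfg/dump output format itself is not modelled here.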


Cut and Paste Switch Configuration

OBJECTIVE:
Edit the switch configuration using copy and paste.

ASSIGNMENT:
Take the active configuration file and modify it by copying a command string to the
clipboard, pasting it to the terminal interface and saving it as your new active
configuration.

Note: Depending on the terminal client being used (e.g. Putty, XTERM, HyperTerminal, etc.),
be aware of the length of the lines transmitted and that the application can insert
end-of-line characters that can affect the configuration download operation.

1. Configure what output to display on the terminal screen. Use the verbose command.

   Syntax:
   verbose {0, 1, 2}           Sets the level of information displayed on the screen:
                               0 = Quiet: Nothing appears except errors, not even prompts.
                               1 = Normal: Prompts and requested output are shown, but no menus.
                               2 = Verbose: Everything is shown.
                               When used without a value, the current setting is displayed.

2. Save the switch configuration as a text file:
   Lab Configuration:
   a) Type verbose 0 on the switch; this puts the switch in quiet mode.
   b) Display the configuration by the /cfg/dump command, mark all or parts of this
      config, copy it to the clipboard and paste it to a text file. As an alternative to
      mark-copy-paste, you can use the terminal feature to copy data input to a file.
      For the Putty application:
      select Change Settings > session > Logging > printable output
      Label the file SW.txt and save it in the desktop of your Team-PC
   c) Type verbose 2 <enter> on the switch, and restore default mode.

3. Edit the switch configuration file, SW.txt, stored in the desktop directory using any text
   editor (e.g. Wordpad).


4. Make a change. For example, add an interface: type the following line below the if 2
   command lines in the SW.txt file:
   /cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena
   A single line, and any number of spaces and tabs, are allowed.

5. Copy the command line you just typed onto the clipboard. Mark:
   /cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena
   Paste this line into the Application Switch terminal window and watch the terminal output.

6. Log into the switch and double-check that this change is pending.
   diff                        check whether the change was received

7. Activate this change and save it to non-volatile memory:
   apply
   save
   y

8. Dump the switch configuration to the screen and verify that the edited line was applied:
   /cfg/dump                   or short /c/d

In this lab exercise, you learned how to drag and drop a series of commands into the terminal
interface, and how to set up a switch configuration from a saved text file.


Upload and download configuration to an FTP/TFTP Server

OBJECTIVE:

To become familiar with uploading and downloading a configuration file to an FTP or TFTP
server.

ASSIGNMENT:

Use the FTP/TFTP server 3CDaemon (3CD) located in your Team-PC quick launch
area. Transfer the current configuration from the switch to the Team-PC using the FTP or
TFTP server. Set the switch back to factory default. To restore the configuration you
must set up at minimum a public interface and, depending on your topology, a default
gateway. No VLAN/STG config is necessary. Transfer the stored file from the
FTP/TFTP server back to your switch.

Do not forget to verify that the configuration was transmitted correctly to the switch or the
FTP/TFTP server when uploading and downloading switch configuration files.

[Figure: FTP / TFTP server configuration. Team-PC running the 3CD FTP/TFTP server
application; public net (1), private net (2).]

1. Start the 3CD FTP or TFTP service on your Team-PC. If it is not installed, a copy of this
   application is in the tools folder on your CD-ROM drive.

2. Write down the IP address of your local PC, which is the FTP/TFTP server:___________
   Check the configuration file of the FTP or TFTP server. The user directory points to where
   the files will be stored or loaded.


3. Store the Application Switch configuration on your Team-PC. You can use either FTP
   or TFTP.

   Syntax for communications dialog:
   /cfg/ptcfg                  used to upload the active configuration to a TFTP/FTP server
   /cfg/gtcfg                  used to download into active config from a TFTP/FTP server
   Enter IP address of FTP/TFTP server: {IP address of TFTP/FTP server}
   Enter name of file on FTP/TFTP server: {file name}
   Enter username for FTP server or hit return for TFTP server: {account for FTP}
   Enter password for username on FTP server: {password for FTP}

   Lab configuration:
   /cfg/ptcfg                  used to upload the active configuration to an FTP server
   Enter IP address of FTP/TFTP server: 192.168.150.x          addr of your Team-PC
   Enter name of file on FTP/TFTP server: Router.doc
   Enter username for FTP server or hit return for TFTP server: anonymous
   Enter password for username on FTP server: any

4. Check that the file (Router.doc) was created on the Team-PC by checking the root
   directory of the server application. Open this file with the WordPad text editor.

5. Set your switch to factory default to clear all current configuration settings. Loading this
   setting requires resetting the switch. Keep your management interface.
   /boot/conf f/reset

6. After reboot, log in again and enter the following commands to set up an interface and a
   default gateway for communication to the Team-PC.
   /cfg/l3/if 1/mask 255.255.255.0/addr 192.168.100.#/ena
   /cfg/l3/gw 1/addr 192.168.100.254/ena
   /cfg/port 2/dis             to isolate server net
   apply                       activates new setting
   ping 192.168.150.x          to verify communication to FTP server/Team-PC

7. Restore the switch configuration again. Enter the following commands:
   /cfg/gtcfg                  command to replace active configuration with downloaded file
   Enter IP address of FTP/TFTP server: 192.168.150.x          addr. of your Team-PC
   Enter name of file on FTP/TFTP server: Router.doc           stored file name
   Enter username for FTP server or hit return for TFTP server: anonymous
   Enter password for username on FTP server: any
   apply
   save                        confirm with y

8. To load the restored config at the next reboot, select the active config:
   /boot/conf active

9. Check to see if your previously saved configuration has been restored.

   Lab Configuration:
   /c/d

This lab should have made you more comfortable with the ptcfg and the gtcfg
commands to upload and download a switch configuration to and from an FTP or TFTP server.


Graphical Web User Interface, Browser Based Interface (BBI)

OBJECTIVE:
Monitor and configure the switch using the Browser Based Interface (BBI) also called Web UI
and Application Switch Element Manager (ASEM).

ASSIGNMENT:

Use the configuration from the previous lab. Enable SNMP for ASEM and HTTP for remote
BBI access to the switch. View or modify the switch configuration.

1. Enable HTTP access to the switch.


Syntax:
/cfg/sys/access/{type of access} {parameter}

Lab configuration:
/cfg/sys/access/http e
wport 8000 optional set HTTP server listening to port number 8000

2. apply

3. From Team-PC machine, start a web browser and enter the IP address of interface 1 on
the switch in the address box. Log in to the switch.
http://10.10.242.#
User Name: admin
Password: admin

4. Enable HTTPS for encrypted access to the switch.
Lab configuration:
/cfg/sys/access/https
https e Enable/disable HTTPS server access

5. apply activate HTTPS setting / generate a HTTPS certificate

6. generate Generate self-signed HTTPS server certificate


Country Name (2 letter code) [US]: DE
State or Province Name (full name) [NJ]: Bavaria
Locality Name (eg, city) [Mahwah]: Munich
Organization Name (eg, company) [Radware Ltd.]: Radware
Organizational Unit Name (eg, section) [Engineering]: Training
Common Name (eg, YOUR name) [Radware Inc.]: GuentherM
Email (eg, email address) [info@radware.com]: training@radware.com
Confirm generating certificate? [y/n]: y
Generating certificate. Please wait (approx 30 seconds)
restarting SSL agent

7. certSave Save HTTPS server certificate

8. Create two new VLANs for ingress and egress ports. We keep unused ports on VLAN 1.
By default, all ports are enabled. At Configure tab select Layer2, VLANs and click the
Add button.

Insert VLAN ID 11, Name, Enable it and associate Spanning Tree Group 1, select
Available port 1 and move it to Configured. Press Submit and Apply button to activate this
change. Each change is confirmed at BBI Log Messages field.
Add another VLAN ID 14 and use port 2.

Disable Spanning Tree.

Select on Layer2, SpanningTree number 1 and turn Enabled to Disabled. Submit and
Apply change.


9. Configure the interfaces for the switch as shown in the Lab Description pages. You must
create a separate interface for each network that you want to connect directly to this
switch. The interface index number used is independent of any physical port, VLAN etc. A
common number for port, VLAN and interface will simplify debugging and management. At
Configure tab select Layer3, IP Interfaces and click the Add button.

Insert Interface ID 1, IP Addresses are 192.168.100.#. # is your team number. Mask is a
C-Class one. Associate VLAN 11 for public net. Enable state and click Submit and Apply
buttons to activate this change.
Add another interface 2 for your private net. IP Address is 10.200.#.# /24.

10. Set the default gateway. Traffic to any destination IP address that is not on a local
network and does not match a routing table entry is sent to this gateway. GW 1 to 4 is for
all VLANs, GW 5 to 259 can each be associated to one VLAN. Select Gateways and Add,
Gateway ID 1, IP Address is 192.168.100.254 and turn state to Enable and click Submit
and Apply buttons to activate this change. The settings are the same for all teams.


11. Some options are also available for CLI access. A login banner displays customer-specific
information at CLI login. A notice is visible at logout. If you are logged out too quickly
during configuration, adjust the Idle Timeout. This value also applies to HTTP and
HTTPS access. Selecting Hostname displays the SNMP name instead of the standard
prompt. These options are at Configure-System-Management Access-CLI or SNMP.

12. Check the current configuration of your switch. Click on Dump at the global commands
line. A new tab opens and displays the configuration file. If not all parameters are visible
check DIFF. This command lists all pending and not applied configurations.

13. Save this basic configuration to a file on the Team-PC. Start FTP/TFTP server on your
Team-PC. At your Team-PC quick launch area click on 3CDaemon. By default the server
is set to use the desktop as user directory. At your BBI window go to Configure, System,
Download/Upload, Configuration. At section Import / Export select Export from
Device, Management Port and FTP. Enter your Team_PC IP Address, Username is
anonymous, Password any and as Filename Basic.txt. Submit these parameters.


14. View the settings in the Web UI.
By default, the Web UI starts in Configure mode. Select Monitor mode, which allows you
to view information about the switch. Some interesting information:

System- Ports-General or Layer 1 to IP specific details.
Layer 2- main menu

System-Capacity, displays maximum and allocated amount of items

Layer 2 and sub menus for FDB, STG Trunk and Port Teams

Layer 3 and sub menus for Routes, Interfaces and several routing protocols.

SLB and other menus we will use later.


Application Switch Element Manager Interface (ASEM)


ASEM is only supported until version 26, not for version 27!
1. The ASEM application is already installed. A copy is located on the CD drive:
SwitchImages\ITM-images\Rel.6.1\install.exe

2. Perform this step only if this application is not present! The file is located on the local CD-
ROM of your Team-PC. Install only the client and maybe the documentation. Do not install
the server or the HP OpenView option!

3. Enable SNMP access to the switch.


Syntax:
/cfg/sys/access/{type of access} {parameter}

Lab configuration:
4. /cfg/sys/access/snmp w
apply/save
y

5. To open the connection to your switch, click the quick launch Radware Alteon ASEM Client
icon or select ASEM application from the Programs menu.

6. Press <ctrl>o keys or click at the folder icon or select General and Open

7. A new window opens. In the Device Name field, enter your public interface IP address
and press Enter key.
For team 21 key in 192.168.100.21
You should now see a graphical representation of the switch.

8. Click on + sign in front of folder labeled Switch. A port list expands. Click on Port3 icon.
On right window the port overview changes to port details with General, Port, Spanning
Tree and Filtering tabs. Click the Port tab and modify state to disabled. The Set icon now
turns from grey to bold. Press it, then press the Apply icon right of the set icon and confirm
OK. Within a few seconds the Port 3 icon turns from orange (open port) to red (disabled
port).

9. Play with other menus. If you change something you can also watch this change on CLI
and BBI windows. Each change in ASEM needs to be confirmed with the Set and Apply
buttons at the bottom of any screen.


Printout for Switch Configuration (Team21)


/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
tftp mgmt
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/sys
idle 999
/c/sys/access
snmp w
http ena
tnet ena
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/l2/vlan 1
learn ena
def 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 28
/c/l2/vlan 11
ena
name "VLAN 11"
learn ena
def 1
/c/l2/vlan 14
ena
name "VLAN 14"
learn ena
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
ena
ipver v4
addr 192.168.100.21
vlan 11
/c/l3/if 2
ena
ipver v4
addr 10.200.21.21
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
ipver v4
addr 192.168.100.254
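
The management settings in the printout above can be checked mechanically once the lab is over. The following Python script is an added example, not part of the Radware manual: it parses a /cfg/dump printout and reports the management access settings an operator would normally tighten. The rule names, the MAX_IDLE limit and the assumption that HTTPS shows up in a dump as "https ena" belong to this example; the sample input is constructed from the Team21 printout.

```python
"""Audit an Alteon /cfg/dump printout for weak management-access settings."""

# Constructed sample: the management part of the Team21 printout.
SAMPLE_DUMP = """\
/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
ena
tftp mgmt
/c/sys
idle 999
/c/sys/access
snmp w
http ena
tnet ena
/c/port 1
pvid 11
/c/l2/stg 1/off
"""

MAX_IDLE = 60  # assumed local policy limit for the idle timeout value


def parse_dump(text):
    """Return {menu_path: [(keyword, value), ...]} for a dump printout.

    A line starting with '/' selects a menu; the lines that follow are
    settings inside that menu. One-line forms such as '/c/l2/stg 1/off'
    are stored as a menu with no settings.
    """
    menus = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current is not None:
            keyword, _, value = line.partition(" ")
            menus[current].append((keyword, value.strip()))
    return menus


def audit_management_access(menus):
    """Return a list of (rule_id, message) findings for the management plane."""
    access = dict(menus.get("/c/sys/access", []))
    system = dict(menus.get("/c/sys", []))
    findings = []
    if access.get("snmp") == "w":
        findings.append(("snmp-write", "SNMP write access is enabled"))
    if access.get("http") == "ena":
        note = "HTTP management is enabled, logins cross the network unencrypted"
        if access.get("https") != "ena":  # assumed dump form of 'https e'
            note += "; HTTPS is not enabled"
        findings.append(("http-cleartext", note))
    if access.get("tnet") == "ena":
        note = "Telnet is enabled"
        if "/c/sys/sshd/on" not in menus:
            note += "; SSH is not enabled"
        findings.append(("telnet", note))
    idle = system.get("idle", "")
    if idle.isdigit() and int(idle) > MAX_IDLE:
        findings.append(("idle-timeout",
                         f"idle timeout {idle} exceeds the limit of {MAX_IDLE}"))
    return findings


if __name__ == "__main__":
    for rule_id, message in audit_management_access(parse_dump(SAMPLE_DUMP)):
        print(f"[{rule_id}] {message}")
```

Paste a complete dump into SAMPLE_DUMP, or read it from the file saved with /cfg/ptcfg, to audit a real configuration.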


Server Load Balancing

Overview
Description
Server Load Balancing (SLB) allows you to configure the Radware Alteon Application
Switch to balance user session traffic among a pool of available servers that provide
shared services. In an average network that employs multiple servers without server load
balancing, each server usually specializes in providing one or two unique services. If one
of these servers provides access to applications or data that is in high demand, it can
become over-utilized. Placing this kind of strain on a server can decrease the performance
of the entire network, as user requests are rejected by the server and then resubmitted by
the user stations. Ironically, over-utilization of key servers often happens in networks
where other servers are actually available. The solution to getting the most from your
servers is SLB. With this software feature, the switch is aware of the services provided by
each server. The switch can direct user session traffic to an appropriate server, based on
a variety of load-balancing algorithms. To provide load balancing for any particular type of
service, each server in the pool must have access to identical content, either directly
(duplicated on each server) or through a back-end network (mounting the same file
system or database server). The Application Switch, with the SLB feature enabled, acts as
a front-end to the servers, interpreting user session requests and distributing them among
the available servers.

Load balancing in the Application Switch Operating System can be done in the following
ways:
Virtual server-based load balancing; this is the traditional load balancing method.
The switch is configured to act as a virtual server and is given a virtual server IP
address (or range of addresses) for each collection of services it distributes.
Depending on your switch model, there can be as many as 1024 virtual servers on
the switch, each distributing up to eight different services. Each virtual server
points to a list of up to 1024 IP addresses of real servers in a pool where its
services reside. This pool is called a group. A maximum of 1024 groups are
possible. The method of distribution, called the metric, and how to determine a real
server as healthy, the health check (hc), are important configuration parameters.
When the user stations request connections to a service, they communicate with a
virtual server on the switch. When the switch receives the request, it binds the
session to the IP address of the best available real server and remaps the fields in
each frame from virtual addresses to real addresses. HTTPS, HTTP, IP, FTP,
RTSP, and IDS, are examples of some of the services that use virtual servers for
load balancing.


Filtered-based load balancing; A filter allows you to control the types of traffic
permitted through the switch. Filters are configured to allow, deny, or redirect traffic
according to the IP address, protocol, or Layer 4 port criteria. In filtered-based load
balancing, a filter is used to redirect traffic to a real server group. If the group is
configured with more than one real server entry, redirected traffic is load balanced
among the available real servers in the group. For example SSL acceleration,
Firewalls, WAP with RADIUS snooping, IDS, and WAN links use redirection filters
to load balance traffic.
Content-based load balancing; Content-based load balancing uses Layer 7
application data, such as URL, cookies, and Host Headers, to make intelligent load
balancing decisions. URL-based load balancing, browser-smart load balancing and
cookie-based preferential load balancing are a few examples of content-based
load balancing.

When deploying SLB, there are a few key aspects to consider. In standard SLB, all client
requests to a virtual server IP address and all responses from the real servers must pass
through the switch. If there is a path between the client and the real servers that does not
pass through the switch, the Application Switch can be configured to proxy requests to
guarantee that responses use the correct path. Identical content must be available to each
server in the same pool. Either static applications and data are duplicated on each real
server in the pool or dynamic applications where each real server in the pool has access
to the same data through use of a shared file system or back-end database server. To
take advantage of multi-CPU or multi-processor servers, configure the Application Switch
Operating System to map a single virtual port to multiple real ports. This capability allows
the site managers, for example, to differentiate users of a service by using multiple service
ports to process client requests. This feature allows the network administrator to configure
up to 16 real ports for a single service port, and it is supported in Layer 4 and Layer 7 and
in cookie-based and SSL-persistent switching environments. When mapping multiple real
ports on each real server to a virtual port, the Application Switch treats the real server IP
address/port mapping combination as a distinct real server.

Clients and servers can be connected through different ports or through the same switch
port. Each port in use on the switch can be configured to process client requests, server
traffic, or both. Configure only the necessary processes since each one requires switch
resources. It is possible to enable or disable processing on a port independently for each
type of Layer 4 traffic. Ports that are configured for Layer 4 client processing, process user
request traffic, which provides address translation from the virtual server IP to the real
server IP address. Ports configured for Layer 4 server processing, process application
responses to user requests. Translation from the real server IP address to the virtual
server IP address occurs on the server enabled port. Real servers are connected to the
Application Switch directly, or through a router, or another switch. Switch ports configured
for Layer 4 client/server processing can simultaneously provide Layer 2 switching and IP
routing functions. The switch must have an IP route to all of the real servers that receive
switching services.


For each network directly attached to this switch, an IP interface is required. Suitable
Layer 2 settings, Spanning Tree or VLANs as well as static or dynamic routing must be set
up. For each real server, you assign a real server number, specify its actual IP address,
and enable the real server. Define a real server group and add all real servers belonging
to the same application to this service group. All client requests are addressed to a virtual
server IP address (VIP) on a virtual server (VIRT) defined on the switch. Clients acquire
the virtual server IP address through normal DNS resolution. Only a Layer 3 IP address or
usually a Layer 4 service is assigned this VIP.

By default, the service protocol is TCP, although UDP is also possible. For example,
HTTP or TCP destination port 80 is configured as the service running on this virtual
server, and this service is associated with the real server group containing all real servers
for this application. This switch is not limited to HTTP Web service. Other TCP/UDP/IP
services can be configured in a similar fashion. The protocol and a destination port must
always be specified. Well known services are set up only by the name. For a list of other
well-known services and ports, see "Well-Known Application Ports" in the Application
Guide. A maximum of eight services are possible per VIRT. If more services are required,
create another VIRT using the same VIP again for the next eight services and so on. The
Server Load Balancing feature must be turned on. After applying all configurations, the
health check process starts and should report the available real server with the lowest
number. If one server is up, an up message for the VIP is displayed as well. For all other
real servers a similar up message follows. If there is load balancing for different real ports
on the single real servers, a separate message displays for each port.

Objectives
After completing this lab, you will be able to:
Connect to the Application Switch using a console connection.
Configure standard SLB.
Repeat to save configurations to file.
Optional, set up load balancing services on multiple Layer 4 ports.


Assignment
All your network devices are connected via Ethernet cables as shown in the
Lab Description pages. In order to configure this switch, connect serial to your
assigned switch via a terminal server.
Configure the application switch to support basic load balancing.
If you successfully completed the previous basic lab, start with step one.
Otherwise, perform the basic configuration described in Basic Switch
Configuration. Set up Layer 4 real servers and bind them to a group. Use
round robin as the metric and TCP for the health check. Configure a virtual
server with a virtual IP and HTTP as the load balancing service. Associate it to
the previously configured group. Enable client and server Layer 4 processes
on the ports. Enable the server load balancing feature. Please watch the
health check messages on your terminal screen after applying this config.
Save this configuration to file. Connect to the VIP Home Page using Internet
Explorer or FireFox browser and test SLB functionality.
Optionally, set up load balancing for multiple ports. Assign the application port
number used by the individual server on the switch to the real server
configuration supporting this service. Change the real port for the VIP/service
to zero value to enable real port look up.


Configure Switch
Console Setup
On your Team-PC, the Putty application is already set up with individual icons
to connect via serial to the Application switches. Be aware that a serial
connection can only be established from one PC to one switch. The second
connection will fail. For a second connection enable Telnet or SSH or use any
GUI.
CLI SLB configuration of the Switch
1. If you prefer to use the graphical user interface (BBI) instead of the CLI, make sure it is
enabled. See page 22 for how to do this, if not already done. Continue on page 93.
2. Log into the switch, enter the admin password admin.
3. Check the current configuration of your switch. The cfg menu dump option displays all
settings that differ from the Radware factory default configuration.
Syntax:
/cfg/{submenu} all parameter setup for the Radware Alteon Application switch is done
at different cfg sub menus.
Lab Configuration:
/cfg/dump shorthand /c/d
This displays your configuration. Check the printout, to make sure all entered data is
correct and enabled. Use ping to PCs and server to test the config.
4. Configure both real servers.
Syntax:
/cfg/slb/real {real server index number} set up all parameters for a real
server at this menu.
Lab Configuration:
/cfg/slb/real 1 shorthand /c/sl/re 1

Syntax:
rip {real server IP address} IP address of real server
Lab Configuration:
rip 10.200.#.100 replace # by your team number
ena enables each real server

It is also possible to put all commands into a single command line. For example go up one
menu .., select a next server index real 2, provide IP address rip 10.200.21.200
and enable it.
../real 2/rip 10.200.#.200/ena Server2 setup. Replace # by your team
number again.
apply activates configuration
5. Add all real servers belonging together for a service to a group
Syntax:
/cfg/slb/group {group index number} add all real servers and group parameters
at this menu.


Lab Configuration:
/cfg/slb/group 1 shorthand /c/sl/gr 1

Syntax:
add {real server index} Number of the real server configured in step
Lab Configuration:
add 1 add real server 1 to group 1
add 2 add real server 2 to group 1

Syntax:
metric {algorithm to select next rip} even distribution metrics are
leastconns, roundrobin, response and bandwidth. Default value is leastconns.
Lab Configuration:
metric roundrobin enable round robin distribution

Syntax:
health {rip availability test method } several options from link, arp, icmp,
tcp up to content specific are available.
Default value is tcp.
Lab Configuration:
health icmp enables ping to health check real server

apply activates configuration


cur verifies your configuration

6. Configure the virtual IP. This is the entry or termination IP address for a specific service.
Syntax:
/cfg/slb/virt {virtual server index number} set up all parameters for a
virtual server at this menu.
Lab Configuration:
/cfg/slb/virt 1 shorthand /c/sl/vi 1

Syntax:
vip {virtual server IP address} IP address of virtual server
Lab Configuration:
vip 192.168.100.2# replace # by your team number
ena enables each virtual server

Syntax:
service {virtual port name} The virtual port name can be
a well-known port name, such as http, ftp, etc. or a service number. The allowable port
range is from 9 to 65534. For a list of all names, look up the Command Reference Guide
and search for sport at /cfg/slb/filt section. By default, group 1 is associated. Specify
different numbers.
Lab Configuration:
service http shorthand se 80


7. Enable client processing on the client port and server processing on the server port.
Syntax:
/cfg/slb/port {number}/{service ena} Enable a required SLB service on this
specific physical port. Services are client, server, proxy etc.
Lab Configuration:
/cfg/slb/port 1/client ena shorthand /c/sl/po 1/cl e
/cfg/slb/port 2/server ena shorthand ../po 2/se e

8. Turn the SLB feature on, and apply and save the switch configuration
Syntax:
/cfg/slb/{processing status} Value on, enables SLB feature. Default is off.

Lab Configuration:
/cfg/slb/on shorthand /c/sl/on
apply .... this activates the configuration
save ..... this writes config to flash memory and confirm y
y ........ confirms writing

9. After applying your changes, the switch should report that the real and virtual servers are
operational.
Date Time NOTICE slb: real server 10.200.1.100:80 operational
Date Time NOTICE slb: Services are available for virtual server
192.168.100.221
Date Time NOTICE slb: real server 10.200.1.200:80 operational

10. Log in to the switch and check the current SLB configuration.
Lab Configuration:
/c/slb/cur

11. Verify that SLB is working. Open a Web browser on Team-PC e.g. FireFox or MS
Internet Explorer.
For example, for team 21 enter http://192.168.100.221
You should see a response showing that you have reached Server 1 or Server 2.
If you refresh the screen by pressing CTRL/F5, the display does not change. The reason
for this behavior is that this session (HTTP 1.1) still remains! To get load balancing, close
the browser and open a new window. For your convenience set http://192.168.100.2# as
default start page.

12. Verify SLB is working from the statistics menu in the switch.
Syntax:
/stats/slb/virt {virtual server}

Lab Configuration:
/stat/slb/virt 1 shorthand /st/sl/vi 1

13. Generate traffic by opening a new browser window to your VIP several times; return to the
switch CLI and note changes to the switch statistics.
In the switch CLI, press the cursor key to repeat the command to display statistics.
(command /stats/slb/virt 1)

14. Clear the session table and repeat testing SLB (steps 11 through 14)
Syntax:
/stats/slb/{Layer-4-item} The Clear option resets all non-operating SLB
statistics on the Application Switch to zero. This command does not reset the switch and
does not affect the counters required for Layer 4 and Layer 7 operation, such as current
real server sessions and all related SNMP counters.

Lab Operation:
/stat/slb/clear shorthand /st/sl/cl

15. Save this SLB configuration to a file on the Team-PC. This configuration will be the base
for the following labs.

Start the 3CD FTP/TFTP server on your team PC.

Lab Configuration:
/cfg/ptcfg and specify team PC IP address, file name and for FTP account and password.

Alternatively dump configuration and copy and paste configuration into a text file.
Lab Configuration:
/cfg/dump shorthand /c/d

Mark configuration and copy it to clipboard. Paste it to a text editor. Use Notepad or any
other editor.


16. Load balancing for available services on different servers is an option. There are two web
servers. One is equipped with two CPUs, the other with four CPUs. For each CPU a
separate Web application instance, e.g. Apache, is installed. Our customer wants the load
balanced evenly across these CPUs. Set up the real servers for multi-port SLB using the
switch CLI.
Syntax:
/cfg/slb/real {real server index number}/addport {L4-port number
used at application} set up Layer 4 port numbers used at application for a real
server.
Lab Configuration:
/cfg/slb/real 1/addport 80 shorthand /c/sl/re 1/add 80
/cfg/slb/real 1/addport 81 shorthand add 81
/cfg/slb/real 2/addport 80 shorthand ../re 2/add 80
/cfg/slb/real 2/addport 81 shorthand add 81
/cfg/slb/real 2/addport 82 shorthand add 82
/cfg/slb/real 2/addport 83 shorthand add 83

Syntax:
/cfg/slb/real {rip number}/weight {multiplier for load} Sets the
weighting value (1 to 48) that this real server will be given in the load balancing algorithms.
Higher weighting values force the server to receive more connections than the other
servers configured in the same real server group. By default, value one is set.
Lab Configuration:
/cfg/slb/real 2/weight 2 shorthand /c/sl/re 2/we 2

17. If multiple service ports per real server are set up, a separate metric for these services is
available.
Syntax:
/cfg/slb/group {group number}/rmetric {metric} Real server metric usage
can be roundrobin, hash, or leastconns. Default is roundrobin.
Lab Configuration:
/cfg/slb/group 1/rmetric roundrobin

18. Set up the real port for a service on a virtual server for MultiPort SLB. The allowable real
L4-port range is from 1 to 65534. If rport is set to 0, multiple real ports are enabled. The
metric configured at group level first selects a real server. If rport is set to zero, the rmetric
then determines the selected port depending on the configured values and the healthy
services at the real server. Only one service per virt can be set to rport 0.
Syntax:
/cfg/slb/virt {virt number}/service {L4-port number}/rport {real
L4-port number}

Lab Configuration:
/cfg/slb/virt 1/service 80/rport 0
apply .... this activates the configuration


For each port of real servers a separate confirmation line is printed.


Date Time NOTICE slb: real service 10.200.21.100:80 operational
Date Time NOTICE slb: Services are available for Virtual Server
1:192.168.100.221
Date Time NOTICE slb: real service 10.200.21.100:81 operational
Date Time NOTICE slb: real service 10.200.21.200:80 operational
Date Time NOTICE slb: real service 10.200.21.200:81 operational
Date Time NOTICE slb: real service 10.200.21.200:82 operational
Date Time NOTICE slb: real service 10.200.21.200:83 operational
Did you get all six health check messages? Why did you get only three?

19. Access web server via VIP and generate traffic by opening several Browser windows.
Lab Operation:
/stat/slb/virt 1

20. Remove the weight setting from all real servers and turn rport back to 80 for the next labs.
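
Steps 16 to 18 combine a group metric, a per-server weight and rmetric with rport 0. The following Python model is an added example, not part of the Radware manual, and shows why weight 2 on real server 2 gives each of the six Web instances the same share. It assumes that a weight of N means N turns per round robin cycle, which is a simplification made for this example and not the switch's documented algorithm.

```python
from collections import Counter
from itertools import cycle

# Real servers as set up in steps 16 to 18 (team 21 addresses from the printout).
REALS = {
    1: {"rip": "10.200.21.100", "ports": [80, 81], "weight": 1},
    2: {"rip": "10.200.21.200", "ports": [80, 81, 82, 83], "weight": 2},
}


def distribute(reals, sessions, down=frozenset()):
    """Count sessions per real service (rip:port) for a service with rport 0.

    Stage 1, group metric roundrobin: pick a real server. Assumption of this
    model: a server with weight N takes N turns per cycle.
    Stage 2, rmetric roundrobin: pick one of that server's healthy ports.
    `down` holds (real index, port) pairs whose health check failed.
    """
    healthy = {
        idx: [p for p in real["ports"] if (idx, p) not in down]
        for idx, real in reals.items()
    }
    # A server without any healthy port takes no turn at all.
    turns = [idx for idx in sorted(reals) if healthy[idx]
             for _ in range(reals[idx]["weight"])]
    if not turns:
        return Counter()
    server_cycle = cycle(turns)
    port_cycles = {idx: cycle(ports) for idx, ports in healthy.items() if ports}
    load = Counter()
    for _ in range(sessions):
        idx = next(server_cycle)
        port = next(port_cycles[idx])
        load[f"{reals[idx]['rip']}:{port}"] += 1
    return load


def without_weights(reals):
    """Copy of the real server table with every weight reset to the default 1."""
    return {idx: dict(real, weight=1) for idx, real in reals.items()}


if __name__ == "__main__":
    cases = (
        ("weight 2 on real 2", REALS, frozenset()),
        ("default weights", without_weights(REALS), frozenset()),
        ("real 2 port 83 down", REALS, frozenset({(2, 83)})),
    )
    for title, table, down in cases:
        print(title)
        for service, count in sorted(distribute(table, 600, down).items()):
            print(f"  {service:<20} {count}")
```

With the default weights the two instances on real server 1 carry twice the load of the four instances on real server 2, which is the imbalance the weight setting removes.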


Printout for SLB configuration (team 21)


/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
tftp mgmt
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/sys
idle 999
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/l2/vlan 1
def 3 4 5 6 7 8 9 10 11 12 27 28
/c/l2/vlan 11
ena
name "public"
def 1
/c/l2/vlan 14
ena
name "private"
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/sys/sshd/on
/c/l3/if 1
ena
addr 192.168.100.21
vlan 11
/c/l3/if 2
ena
addr 10.200.21.21
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
addr 192.168.100.254


/c/slb
on
/c/slb/real 1
ena
rip 10.200.21.100
name "server1"
addport 80
addport 81
/c/slb/real 2
ena
rip 10.200.21.200
name "server2"
addport 80
addport 81
addport 82
addport 83
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/port 1
client ena
/c/slb/port 2
server ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
rport 0
/


Persistent Load Balancing

Overview
Description
In a typical SLB environment, traffic comes from various client networks across the Internet to
the virtual server IP address on the Radware Alteon Application Switch. The switch then load
balances this traffic among the available real servers. Some SLB services require that a series
of client requests go to the same real server so that session-specific state data can be
retained between connections. Services of this nature include Web search results, multi-page
forms that the user fills in, or custom Web-based applications typically created by using
scripts. Connections for these types of services must be configured as persistent. In any
authenticated Web-based application, it is necessary to provide a persistent connection
between a client and the content server to which it is connected. Because HTTP does not
carry any state information for these applications, it is important for the browser to be mapped
to the same real server for each HTTP request until the transaction is complete. This ensures
that the client traffic is not load balanced mid-session to a different real server, forcing the
user to restart the entire transaction. Persistence-based SLB enables the network
administrator to configure the network to redirect requests from a client to the same real
server that initially handled the request. In the Application Switch, persistence can be based
on source IP address, cookies, and Secure Sockets Layer (SSL) session ID.

Until recently, the only way to achieve TCP/IP session persistence was to use the source IP
address as the key identifier. Two major conditions cause problems when session persistence
is based on a packet's source IP address.

Proxied clients appear to the switch as a single source IP address. Requests are directed to
the same server, without the benefit of load balancing the traffic across multiple servers.
Persistence is supported, but without the capability of effectively distributing traffic load.

When individual clients share a pool of source IP addresses, persistence for any given request
cannot be assured. Although each source IP address is directed to a specific server, the
source IP address itself is randomly selected, thereby making it impossible to predict which
server will receive the request. SLB is supported, but without persistence for any given client.

For IP load balancing at OSI Layer 3/4, the minmisses, hash, phash and timer-based metrics
are available. HTTP and HTTPS persistence based on client IP allows you to store the session,
keyed on the client IP address, in the session table for a configurable time. This enables a
common persistence for both HTTP and HTTPS sessions.
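The two conditions described above can be reproduced with a small model. This is an added example, not code from the manual or from Radware: the modulo-based server pick stands in for the switch's hash metric (an assumption, since the manual does not describe the algorithm), and the client, proxy and NAT pool addresses are constructed sample data.

```python
import ipaddress
from collections import Counter, defaultdict

# Real servers 1 and 2 from the lab configuration.
REAL_SERVERS = ["10.200.21.100", "10.200.21.200"]


def pick_by_source_ip(src_ip, servers=REAL_SERVERS):
    """Stable source-IP-to-server mapping.

    Assumption: address-as-integer modulo the server count stands in for the
    switch's hash/phash metric; the manual does not describe that algorithm.
    """
    return servers[int(ipaddress.ip_address(src_ip)) % len(servers)]


def analyse(requests):
    """requests: list of (client_name, source_ip_seen_by_switch).

    Returns (load, sticky): requests per real server, and for each client
    whether all of its requests reached the same real server.
    """
    load = Counter()
    seen = defaultdict(set)
    for client, src_ip in requests:
        server = pick_by_source_ip(src_ip)
        load[server] += 1
        seen[client].add(server)
    sticky = {client: len(servers) == 1 for client, servers in seen.items()}
    return dict(load), sticky


# Constructed sample traffic (addresses are illustrative, not from the lab).
# 1) Four clients with their own addresses, three requests each.
DIRECT = [(f"client{i}", f"192.168.100.{100 + i}")
          for i in range(4) for _ in range(3)]

# 2) The same clients behind one proxy: the switch sees a single source IP.
PROXIED = [(client, "192.168.100.50") for client, _ in DIRECT]

# 3) One client behind a NAT pool that assigns a different address per request.
POOLED = [("client0", ip) for ip in (
    "192.168.100.60", "192.168.100.61", "192.168.100.63",
    "192.168.100.62", "192.168.100.61", "192.168.100.60")]

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("proxied", PROXIED), ("pooled", POOLED)):
        load, sticky = analyse(sample)
        print(f"{name:8} load={load} sticky={sticky}")
```

The proxied sample keeps every client sticky but puts all twelve requests on one real server; the pooled sample spreads the load but the single client is no longer sticky.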


Cookies are strings passed via HTTP from servers to browsers. Based on the mode of
operation, cookies are inserted by either the Application Switch or the server. After a client
receives a cookie, a server can poll that cookie with a GET command, which allows the
querying server to positively identify the client as the one that received the cookie earlier. The
cookie-based persistence feature solves the proxy server problem and gives better load
distribution at the server site. In the Application Switch, cookies are used to route client traffic
back to the same physical server to maintain session persistence.
The SSL session ID is effective only when the server is running SSL transactions. Because of
the heavy processing load required to maintain SSL connections, most network configurations
use SSL only when it is necessary. On some computer operating systems, this SSL session
ID is changed at intervals. Depending on the length of the interval, persistency might not work
well for these systems.

Objectives
After completing this lab, you will be able to do the following:
Configure IP persistence by using Hash or Minmisses
Configure L7 cookie persistence by using passive, rewrite or insert mode


Assignment
Physically your network is wired according to the Lab Description diagram.
Connect to the switch for configuration via the terminal server, SSH or telnet to
the switch.
If your previous SLB configuration is no longer working, set the switch back to
the factory default and load the saved SLB configuration.
The first exercise will be a Layer 3 persistent configuration. Since L3 handles
only IP addresses, hash or minmisses are used as the metric.
The next exercise enhances the setup with Layer 7 persistency. As this
depends on the application, we will use HTTP as the L7 application in this lab.
Passive cookies, cookie rewrite, and cookie insert will be used to provide
persistence.

Basic configuration of the Switch


1. If the content SLB configuration no longer works follow step 2, then step 3 or 4. Otherwise,
skip these steps and continue with step 5.
2. Set the switch back to the factory default config. Log into the switch, enter the admin
password, select factory configuration and reboot the switch
Lab Configuration:
admin
/boot/config factory
reset
3. Open Notepad, and copy and paste the SLB configuration from your file to the clipboard.
Open Putty and insert the clipboard contents using the right mouse button. It is easier for
debugging to split this into 3 steps. First, copy and paste the Layer 2 configuration data to
the switch CLI and apply it. Then copy and paste Layer 3 data, and finally Layer 4 data.
One layer after the other.

4. Optionally, you can restore the switch configuration from the CLI via FTP/TFTP. Use the
FTP/TFTP server installed on your Team-PC, the 3CDaemon application. For details, see
the section Upload and Download Config to FTP/TFTP Server in the Basic Configuration
lab on page 20.
Lab Configuration:
/cfg/gtcfg retrieve config data.

5. Optionally, you can restore the switch configuration from the BBI via FTP/TFTP. Use the
FTP/TFTP server installed on your Team-PC, the 3CDaemon application. For details, see
the basic configuration lab page 24.


Configure Persistency for Layer 3 Load Balancing

1. Enable HASH as the metric:
Syntax:
/cfg/slb/group {group-index-number}/metric {algorithms} metric sets the
load balancing algorithm used for determining which real server in the group will be the
target of the next client request. For persistency, hash, phash or minmisses are possible.
Lab Configuration:
/cfg/slb/group 1/metric phash shorthand /c/sl/gr 1/me pha

2. Verify that the metric for group 1 was changed to phash:
Lab Operation:
/cfg/slb/group 1/cur

Current real server group 1:
name , metric phash, backup none, realthr 0
health tcp, content
real servers:

3. Optionally, use the BBI to change the metric to Persistent Hash:
Select Configure, SLB, Server Groups, Group 1 and adjust SLB Metric to Persistent
Hash.

4. Now verify that the switch is sending sessions from the client machine to the same real
server. In the SLB configuration from the previous exercise, you should have seen the
web page change when you made a fresh access. In the case of SLB with persistence,
your client should stay on the same server no matter how many times you refresh or make
a new access.

/stat/slb/group 1

Real server group 1 stats:
                                  Current      Total  Highest
Real IP address                  Sessions   Sessions Sessions          Octets
---- --------------------------- -------- ---------- -------- ---------------
   1 10.200.21.100                      2          2        2          379701
   2 10.200.21.200                      0          0        0           37620
---- --------------------------- -------- ---------- -------- ---------------
                                        2          2        2          417321

The results of this /stat query will vary according to the configuration specific to your
group. The numbers will not be the same; this is just an example.

5. Optionally, use the BBI instead of the CLI to watch the group statistics. Select Monitor,
SLB, Server Groups and select Group 1, or select the service of the virtual server.

6. Change the value from phash to minmisses and repeat steps 2 and 4 or optional 3 and 5.


Enable Layer 7 Passive Cookie Persistence (for HTTP only)


1. Configure standard SLB, as described on page 33. Verify correct SLB operations. If you
would like to configure the cookie persistency via the BBI, continue on page 99.

2. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for
content load balancing.
Syntax:
/cfg/slb/adv/direct {status} it is by default disabled
Lab Configuration:
/cfg/slb/adv/direct ena shorthand /c/sl/adv/di e

3. Select the appropriate load balancing metric for the real server group if no cookie is
present. Choose a non-persistent metric
Syntax:
metric {algorithm to select next rip} even distribution metrics are
leastconns, roundrobin, response and bandwidth. Default value is leastconns.
Lab Configuration:
/cfg/slb/group 1/metric roundrobin enable round robin distribution
apply activate configuration
cur verify your configuration

4. To have cookie persistency, we need to get a cookie from the web server. The web
application on port 88 is cookie enabled.
Syntax:
/cfg/slb/virt {number}/service {port number}/rport {port number}
At the browser a standard port is selected and then translated to the port number specified
at rport prompt.
Lab Configuration:
/cfg/slb/virt 1/service 80/rport 88
At the browser a standard port 80 is selected and then translated to rport 88.
apply activate configuration

5. Clear the session table, open a new browser to your VIP several times, and get SLB
statistics
Syntax:
/stats/slb/{Layer-4-item} The option clear resets all non-operating SLB
statistics on the Application Switch to zero. This command does not reset the switch and
does not affect the counters required for Layer 4 and Layer 7 operation, such as current
real server sessions and all related SNMP counters.
Lab Operation:
/stat/slb/clear shorthand /st/sl/cl

Generate traffic by opening a new browser window to your VIP several times; return to the
switch CLI and execute the command for displaying statistics. Note changes.


Lab Operation:
/stats/slb/virt 1 shorthand /st/sl/vi 1

6. By default, the switch checks the case of any string, e.g. a cookie name. Disable case
sensitivity if there is no need to discriminate between upper and lower case.
Syntax:
/cfg/slb/layer7/slb/case {mode}
Lab Configuration:
/cfg/slb/layer7/slb/case dis/apply
7. Enable passive cookie-based persistence on the virtual server service.
Syntax:
/cfg/slb/virt {virtual-server}/service {port}
pbind {option mode name offset length URI}
option is the type of persistent bindings. It is disabled by default. Possible options are
clientip, sslid and cookie.
For cookie, mode can be passive, rewrite or insert.
name specifies the cookie name that this service is looking for.
offset is for passive mode, and is the starting point of the cookie value (1-64 bytes).
length is for passive mode, and is the number of bytes to extract (1-64).
URI selects where to look for the cookie. If the cookie name or value is in the URI, enter e to
enable this option; to look for the cookie in the HTTP header, enter d to disable this option.
Lab Configuration:
/cfg/slb/virt 1/service 80 (or HTTP) shorthand /c/sl/vi 1/se 80
pbind you can enter all parameters in one line or be prompted for each separately
Enter clientip|cookie|sslid|disable persistence mode: cookie
Enter passive|rewrite|insert cookie persistence mode [p/r/i]: p
Enter Cookie Name: ASPSESS*
Enter the starting point of the cookie value [1-64]: 1
Enter number of bytes to extract [1-64]: 16
Look for cookie in URI [e|d]: d select disable, to look at HTTP header
apply

NOTE: If you want the switch to look for a cookie in the URL, enable Look for cookie in
URI. An example is in the Alteon Application Guide, at the Persistence chapter.

To test passive cookies, refer to steps 9 and 10. Since rewrite cookie mode is very similar,
you can skip this test and run it for the rewrite settings only.

8. Enable rewrite cookie-based persistence on the virtual server service


Syntax:
/cfg/slb/virt {virtual-server}/service {port}
pbind {option mode name length URI}
option is the type of persistent bindings. It is disabled by default. Possible options are
clientip, sslid and cookie.
For cookie, mode can be passive, rewrite or insert.
name specifies the cookie name that this service is looking for.
length is for rewrite mode - 8 bytes for RIP and 16 for RIP&VIP IP address insert.
URI selects where to look for the cookie. If the cookie name or value is in the URI, enter e to
enable this option; to look for the cookie in the HTTP header, enter d to disable this option.

Lab Configuration:
/cfg/slb/virt 1/service 80 (or HTTP) short-hand /c/sl/vi 1/se 80
pbind you can enter all parameters in one line or be prompted for each separately
Enter clientip|cookie|sslid|disable persistence mode: cookie
Enter passive|rewrite|insert cookie persistence mode [p/r/i]: r
Enter Cookie Name: ASPSESS*
Enter number of bytes to extract [8,16]: 8
Look for cookie in URI [e|d]: d disable, to look at HTTP header
apply

9. Confirm the cookie operation. Configure your browser to ignore cookies.

Lab Operation:
/stat/slb/clear to clear statistics

Generate traffic by opening a new browser window to your VIP several times, e.g.
http://192.168.100.221
Return to the switch CLI and execute the command to display statistics. Note changes.
Lab Operation:
/stats/slb/virt 1 to display statistics
Close all browser sessions.

10. Change the cookie settings in your browser to enable cookies and repeat the above Lab
Operation steps. For Firefox, make sure to accept a cookie from the VIP. Add a suitable
exception.

11. Change the VIP service HTTP rport value from 88 to 80 to simulate a server without
cookie support.

12. Enable insert cookie-based persistence on the virtual server service.


Syntax:
/cfg/slb/virt {virtual-server}/service {port}
pbind {option mode name expiration domain-name secure}
option is the type of persistent bindings. It is disabled by default. Possible options are
clientip, sslid and cookie.
For cookie, mode can be passive, rewrite or insert.
name specifies the cookie name that this service is looking for.
expiration is the cookie lifetime, and can be a date, a duration or none (browser session
length).
Cookie path specifies the subset of URLs on the origin server to which this cookie applies.
Secure is a boolean attribute; y directs the user agent to use a secure connection (Hashed
cookie) to obtain content associated with the cookie.
Lab Configuration:
/cfg/slb/virt 1/service 80 (or HTTP) short-hand /c/sl/vi 1/se 80
pbind you can enter all parameters in one line or be prompted for each separately
Enter clientip|cookie|sslid|disable persistence mode: cookie
Enter passive|rewrite|insert cookie persistence mode [p/r/i]: i
Enter Cookie Name {AlteonP}: <enter-key>
Enter insert-cookie expiration as either :
... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)
... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)
... or none <return>
Enter cookie expiration: <enter-key>
Insert cookie domain name? (y/n) [n] <enter-key>
Enter path(Maximum of 32 characters): <enter-key>
Is cookie secure[y/n]: n
apply

NOTE: If you have enough time left, also try date and duration cookie options.

13. Open a Web browser and select the VIP, e.g. http://192.168.100.221. This page will stay
persistent without using any cookie from a Web server.

14. Display the cookie with the Live HTTP Headers tool for the Firefox browser. Decode the
cookie hex value with the built-in command.
/info/slb/cookie 0x3e45de63f4e7afd9baeebabf
Virtual IP address: 192.168.100.221
Real IP address: 10.200.21.100
Real Server Port: 80
Real Server Index: 1

15. Remove all persistency settings for virtual server for the next labs. Change the rport from
88 to 80 if not already done at step 11.
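The passive-mode parameters from step 7 (cookie name ASPSESS*, offset 1, length 16) can be traced with a small model. This is an added example, not Radware code: the binding table, the function and class names, and the cookie values are assumptions made for illustration. It also covers the case where the extracted bytes are identical for two sessions.

```python
from fnmatch import fnmatchcase
from itertools import cycle

REAL_SERVERS = ["10.200.21.100", "10.200.21.200"]  # real 1 and real 2 in the lab


def cookie_key(header_value, name_pattern, offset, length, case_sensitive=False):
    """Return the persistence key from a Cookie or Set-Cookie value, or None.

    name_pattern may end in '*' as in the lab's ASPSESS*; offset is 1-based and
    length is a byte count, as in the pbind prompts (both 1-64).
    case_sensitive=False corresponds to the lab's 'case dis' setting.
    """
    if not (1 <= offset <= 64 and 1 <= length <= 64):
        raise ValueError("offset and length must be in the range 1-64")
    pattern = name_pattern if case_sensitive else name_pattern.lower()
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep:
            continue  # attribute without a value
        if not case_sensitive:
            name = name.lower()
        if fnmatchcase(name, pattern):
            # A value shorter than the offset yields no usable key.
            return value[offset - 1:offset - 1 + length] or None
    return None


class PassiveCookieSwitch:
    """Model of passive mode (an assumption of this example): the key is
    learned from the server's Set-Cookie, and later requests carrying the
    same key go to the server that issued it."""

    def __init__(self, pattern="ASPSESS*", offset=1, length=16):
        self.params = (pattern, offset, length)
        self.bindings = {}
        self._roundrobin = cycle(REAL_SERVERS)  # group metric when no key is bound

    def route(self, cookie_header=None):
        key = cookie_key(cookie_header, *self.params) if cookie_header else None
        if key is not None and key in self.bindings:
            return self.bindings[key]
        return next(self._roundrobin)

    def learn(self, server, set_cookie_header):
        key = cookie_key(set_cookie_header, *self.params)
        if key is not None:
            self.bindings[key] = server
        return key


def run_sessions(switch, set_cookies, follow_ups=3):
    """Each entry is the Set-Cookie one browser receives on its first,
    cookie-less request. All first requests happen before any follow-up.
    Returns, per browser, the list of real servers it reached."""
    firsts = []
    for set_cookie in set_cookies:
        server = switch.route()
        switch.learn(server, set_cookie)
        firsts.append(server)
    return [[first] + [switch.route(sc.split(";")[0]) for _ in range(follow_ups)]
            for first, sc in zip(firsts, set_cookies)]


# Constructed cookies: two browsers, possibly behind the same proxy address.
DISTINCT = ["ASPSESSIONIDQQGGGNCG=AAAABBBBCCCCDDDDEEEE; path=/",
            "ASPSESSIONIDQQGGGNCG=FFFFGGGGHHHHIIIIJJJJ; path=/"]
# Constructed cookies whose first 16 bytes are the same for every session.
SHARED_PREFIX = ["ASPSESSIONIDQQGGGNCG=SITE0001SITE0001-a1b2c3d4; path=/",
                 "ASPSESSIONIDQQGGGNCG=SITE0001SITE0001-e5f6a7b8; path=/"]

if __name__ == "__main__":
    print(run_sessions(PassiveCookieSwitch(), DISTINCT))
    print(run_sessions(PassiveCookieSwitch(), SHARED_PREFIX))
    print(run_sessions(PassiveCookieSwitch(offset=18, length=8), SHARED_PREFIX))
```

With the shared-prefix cookies, offset 1 and length 16 extract the same key for both sessions, so the first browser is moved to the second browser's server; choosing an offset and length that cover the varying part of the value restores persistence.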


Printout for persistent SLB configuration (team 21)

SLB with hash metric:


/c/port 1
pvid 11
/c/port 2
pvid 14
/c/port 9
dis
/c/l2/vlan 1
def 3 4 5 6 7 8 9 10 11 12 ... 27 28
/c/l2/vlan 11
ena
name "public"
def 1
/c/l2/vlan 14
ena
name "private"
def 2
/c/stg 1/off
/c/stg 1/clear
/c/stg 1/add 1 11 14
/c/l3/if 1
ena
addr 192.168.100.21
vlan 11
/c/l3/if 2
ena
addr 10.200.21.21
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/slb
on
/c/slb/real 1
ena
rip 10.200.21.100
name "webserver1"
/c/slb/real 2
ena
rip 10.200.21.200
name "webserver2"
/c/slb/group 1
metric phash
add 1
add 2
/c/slb/port 1
client ena
/c/slb/port 2
server ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1


SLB with passive cookie:


/c/slb/adv
direct ena


/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
rport 88
dbind ena
/c/slb/virt 1/service 80/pbind cookie passive ASPSESS* 1 16 disable
/c/slb/virt 1/service 80/rcount 1

SLB with cookie rewrite:


/c/slb/virt 1/service 80/pbind cookie rewrite ASPSESS* 1 8 disable

SLB with cookie insert:


/c/slb/virt 1/service 80/pbind cookie insert


Content Load Balancing

Overview
Description
Traditionally, redirecting Web requests using content or user classification has been a function
of Web servers. However, Internet traffic and business growth is fast outpacing that of
computing power. Offloading content classification to Application Switches provides
advantages for the entire Web site infrastructure. By examining the URL in a Web request, the
Application Switch can determine the type of content requested, and direct the request to
servers hosting the requested URL. With content switching, Web site content can be
segregated with no change to the applications. This allows partial, instead of entire, content
mirroring on each server and makes it easy for e-businesses to deploy servers optimized for
specific content types or processing functions. HTTP version 1.1 allows multiple HTTP
transactions to be transported over a single TCP connection to reduce TCP processing
overhead. A Layer 4 Application Switch with no content intelligence will forward all HTTP 1.1
requests on each TCP connection to a single server. In contrast, a content switch can forward
each request within the TCP connection to a different server, increasing load distribution
granularity. This optimizes resource utilization and speeds overall Web site performance.
Virtual hosting conserves IP addresses by allowing multiple domains to be represented by a
single public IP address. When a content-intelligent Application Switch receives a client
request for the shared IP address, it can extract the requested domain name from the Host
Header portion of the HTTP header, concatenate it with the IP address to obtain the unique
host identifier, and redirect the request to the appropriate server or server farm. Content-
intelligent Application Switches allow Webmasters to customize server health checks to verify
content accessibility in large Web sites. As the amount of content grows and information is
distributed across different server farms, flexible, customizable content health checks are
critical to ensuring end-to-end availability.

Working with session content is much more demanding than examining TCP/IP protocol
headers because content is non-deterministic. Content identifiers such as URLs and cookies
can be of varying lengths and can appear at unpredictable locations within a request.
Scanning through session traffic for a specific string is far more processor intensive than
looking at a known location in a session for a specific number of bytes. Parsing content
requests means temporarily terminating the TCP connection from a client. In other words, the
Application Switch must first pretend that it is the server, ask the client what it wants, examine
the request, and then open a connection to an appropriate server. While this is happening, the
Application Switch must temporarily buffer the request, which consumes system memory. This
temporary termination is called a "delayed binding". With delayed binding, two independent
TCP connections span a Web session: one from the client to the Application Switch and the
second from the Application Switch to the selected
server. The Application Switch must modify the TCP header, including performing TCP
sequence number translation and recalculating checksums on every packet that travels
between the client and the server, for the duration of the session. This function, known as
TCP connection splicing, heavily tasks an Application Switch, particularly when the switch
must process thousands of these sessions simultaneously. In addition to real-time traffic and
connection processing, a content switch needs to monitor the servers to ensure that requests
are forwarded to the best performing and healthy servers. This monitoring involves more than
simple ICMP or TCP connection tests as servers continue to process network protocols while
failing to retrieve any content. Furthermore, if content is segregated in different servers or
server farms, the Application Switch must provide a flexible, user-customizable mechanism
allowing a relevant set of application and content tests to be applied to each server or server
farm.

The Radware Alteon Application Switch Operating System allows you to load balance HTTP
requests based on different HTTP header information, such as Cookie-Header for persistent
or content load balancing, Host-Header for virtual hosting, or User-Agent for browser-smart
load balancing. When Layer 7 load balancing is configured, an Application Switch does not
support IP fragments. If IP fragments were supported in this mode, the switch would have to
buffer, re-assemble, and inspect packets before making a forwarding decision. String-based
SLB allows you to optimize resource access and server performance. Content dispersion can
be optimized by making load-balancing decisions on the entire path and filename of each
URL. Both HTTP 1.0 and HTTP 1.1 requests are supported. For content matching you can
configure up to 1024 strings comprised of 40 bytes each. Each request is then examined
against the Layer 7 request defined at the virtual server. On matching, this request is then
forwarded to a real server supporting this string. String requests are load balanced among
multiple servers matching the same pattern, according to the load balancing metric configured
for the real server group.

Objectives
After completing this lab, you will be able to do the following:
Define strings of URL or other variables.
Distinguish between different strings and enable the real server
to handle them.
Use regular expressions to create complex string matches.


Assignment
Physically your network is wired according to the Lab Description. Connect to the
switch for configuration via the terminal server, SSH or telnet to the switch.
If your previous SLB configuration is no longer working, set the switch back to the
factory default and load the saved SLB configuration. If you decide to keep the
previous persistency lab, disable persistent binding (pbind)! It has a higher priority and
content load balancing will not work.
In the first exercise, you will load balance your http requests depending on the URL. At
the root directory of web server 2 a subdirectory /images is located. It contains three
image files, img1.jpg, img2.jpg and img3.jpg. Your task is to configure URL strings and
enable real server 2 to handle these requests.
The second exercise is to enhance this lab using regular expressions. Web server 1
will host the file alteo.htm; server 2 will host altea.htm and alter.htm. You have to
configure suitable URL strings, enable these strings at suitable servers and do SLB
selection using regular expressions.
The third exercise is to check for browser-related strings. Depending on the default
language of the browser request, server 1 or 2 is selected.

Basic Configuration of the Switch


1. If the content SLB configuration no longer works, follow step 2, then step 3 or 4.
Otherwise, skip these steps and continue to step 5.
2. Set the switch back to the factory default config. Log into the switch, enter the
admin password, select factory configuration and reboot the switch
Lab Configuration:
admin
/boot/conf factory
reset
3. Open Notepad and copy and paste the SLB configuration from your file to the
clipboard. Open Putty and insert the clipboard contents using the right mouse
button. It is easier for debugging to split this into 3 steps. First, copy and paste the
Layer 2 configuration data to the switch CLI and apply it. Then copy and paste the
Layer 3 data and finally the Layer 4 data. One layer after the other.
4. Optionally, you can save and restore the switch configuration via FTP/TFTP. Use the
FTP/TFTP server installed on your Team-PC, the 3CDaemon application. For details, see
the section Upload and Download Config to FTP/TFTP Server in the Basic
Configuration lab.
Lab Configuration:
/cfg/gtcfg retrieve config data.


URL SLB Configuration of the Switch


1. Configure standard SLB, as described on page 93. Verify correct SLB operations. If you
would like to configure the content load balancing via the BBI, continue on page 104.

2. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for
content balancing.
Syntax:
/cfg/slb/adv/direct {status} it is disabled by default
Lab Configuration:
/cfg/slb/adv/direct ena shorthand /c/sl/adv/di e

3. Select roundrobin as the default load balancing metric for the real server group.
Lab Configuration:
metric roundrobin enable round robin distribution

4. Disable persistent binding for the virtual server service. Pbind takes precedence over
string load balancing.
Lab Configuration:
/cfg/slb/virt 1/service 80
pbind disable deactivate persistent binding
apply activate configuration
cur verify your configuration

5. Double-check that SLB is working. Clear the session table.


Syntax:
Lab Operation:
/stat/slb/clear

Then generate traffic by opening a new browser window to your VIP several times; return
to the switch CLI to execute the command for displaying statistics.
Lab Operation:
/stats/slb/virt 1 shorthand /st/sl/vi 1

6. By default, this switch checks the case of any string, e.g. a URL name. Disable it if there is
no need to distinguish between upper and lower case.
Syntax:
/cfg/slb/layer7/slb/case {mode}
Lab Configuration:
/cfg/slb/layer7/slb/case dis
apply


7. When SLB is working correctly, continue with the URL config. Define the first URL string.
Syntax:
/cfg/slb/layer7/slb/addstr {type-of-string}
For type of string l7lkup (for ASCII content lb) or pattern (for Dos/ITM, binary or ASCII).
l7lkup is selected by default
Configure HTTP header string? (y/n) [n]
Boolean value, enable to define SOAP Action header, default value is no.
Enter SLB string: {string-definition}
Specify lookup URL string.
Lab Configuration:
/cfg/slb/layer7/slb/addstr <enter-key>
Enter type of string [l7lkup|pattern]: l7lkup (L7LKUP not 171KUP)
Configure HTTP header string? (y/n) [n] <enter-key>
Enter SLB string: /images
apply
cur see list of cur paths (any, /images)
Error message:
No available server to handle this request

Number of entries: two
1: any, cont 1024
2: /images, cont 1024

8. Add an index number for the URL string to the real server config. If real server 2 cannot
handle any address request other than /images, do not add string 1 as an option.
Syntax:
/cfg/slb/real 2/layer7/addlb {index-number-of-string}
Assign lookup URL string index number to real server number.
Lab Configuration:
/cfg/slb/real 2/layer7
addlb 1 to also support other strings like index.html page
addlb 2 to support string #2, /images on real server 2

9. To enable L7 lookup, switch on direct access mode, if not already done.


Syntax:
/cfg/slb/adv/direct {status} it is disabled by default.
Lab Configuration:
/cfg/slb/adv/direct ena shorthand /c/sl/adv/di e

10. Enable URLSLB for the virtual service IP Address.


Syntax:
/cfg/slb/virt {server-number}/service {port-number}/http
httpslb {option operator option}
Possible options are: urlslb, host, cookie, browser, urlhash, headerhash, others,
Possible operator: and, or, none
A new line between httpslb and option prompts to input an operator value.


Lab Configuration:
/cfg/slb/virt 1/service 80/http/httpslb urlslb
apply
save
y
/cfg/dump to review the saved configurations

11. Open a browser on the client and access the VIP http://192.168.100.221. Test the
configuration and check the working status. Close and reopen the client browser several
times. Check the statistics in the switch to verify activity.
Lab Operation:
/stat/slb/layer7/str
------------------------------------------------------------------
SLB String stats:
ID SLB String Hits
1 any 19
2 /images 0

Lab Operation:
/stat/slb/virt 1
------------------------------------------------------------------
Virtual server 1 stats:
                                  Current      Total  Highest
Real IP address                  Sessions   Sessions Sessions          Octets
---- --------------------------- -------- ---------- -------- ---------------
   1 webserver1                         0          9        5           11283
   2 webserver2                         0         10        6           12533
---- --------------------------- -------- ---------- -------- ---------------
     192.168.100.221                    0         19       11           23816

12. Access the image file from the client web browser. The files img1.jpg, img2.jpg and
img3.jpg are available on server 2. Close and reopen the client browser several times to
http://192.168.100.221/images/img1.jpg.
Lab Operation:
/stat/slb/layer7/str
------------------------------------------------------------------
SLB String stats:
ID SLB String Hits
1 any 19
2 /images 7

Lab Operation:
/stat/slb/virt 1
>> Layer 7 Statistics# /st/sl/v 1
------------------------------------------------------------------
Virtual server 1 stats:
                                  Current      Total  Highest
Real IP address                  Sessions   Sessions Sessions          Octets
---- --------------------------- -------- ---------- -------- ---------------
   1 webserver1                         0          9        5           11283
   2 webserver2                         0         17        6          261943
---- --------------------------- -------- ---------- -------- ---------------
     192.168.100.221                    0         26       11          273226


Perform the test a couple of times. Compare the Web browser request and output
displayed in the browser window.
Review the switch statistics. All requests to the /images folder should be directed to real
server 2. In a large server farm environment, the /images folder could be duplicated and
load balanced across several servers.
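A model of the string lookup configured in this lab, extended with the two character-class strings that the regular expression exercise adds (alte[^ar] and alte[ar]). This is an added example, not Radware code; it assumes Python's regex dialect, a match anywhere in the URL path, specific strings tried in index order before "any", and round robin among the servers that support the matched string. The candidate paths are constructed.

```python
import re

# String table as listed by `cur` in the labs (index -> string).
STRINGS = {1: "any", 2: "/images", 3: "alte[^ar]", 4: "alte[ar]"}

# String indexes each real server supports, as assigned with addlb in the labs.
REAL_STRINGS = {"webserver1": {1, 3}, "webserver2": {1, 2, 4}}


def match_string(path, strings=STRINGS, case_sensitive=False):
    """Return the index of the string that matches the URL path.

    Assumptions of this model: a string matches when it occurs anywhere in
    the path, specific strings are tried in index order, and "any" (index 1)
    is the fallback. case_sensitive=False corresponds to 'case dis'.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    for index in sorted(strings):
        if strings[index] != "any" and re.search(strings[index], path, flags):
            return index
    return 1


class ContentSwitch:
    """Forward each request to a real server that supports the matched string."""

    def __init__(self, real_strings=REAL_STRINGS):
        self.real_strings = real_strings
        self._turn = {}  # per-string round-robin position

    def route(self, path):
        index = match_string(path)
        servers = sorted(name for name, supported in self.real_strings.items()
                         if index in supported)
        if not servers:
            return index, None  # no real server supports the matched string
        turn = self._turn.get(index, 0)
        self._turn[index] = turn + 1
        return index, servers[turn % len(servers)]


def unintended_matches(pattern, intended, candidates):
    """Paths that the pattern selects although they are not the intended files."""
    return [path for path in candidates
            if re.search(pattern, path, re.IGNORECASE) and path not in intended]


# Constructed request paths: the lab's files plus a few look-alikes.
CANDIDATES = ["/alteo.htm", "/altea.htm", "/alter.htm", "/altex.htm",
              "/alte.htm", "/alternate.htm", "/index.htm"]

if __name__ == "__main__":
    switch = ContentSwitch()
    for path in ["/index.htm", "/images/img1.jpg"] + CANDIDATES[:3]:
        print(path, switch.route(path))
    print(unintended_matches("alte[^ar]", {"/alteo.htm"}, CANDIDATES))
    print(unintended_matches("alte[ar]", {"/altea.htm", "/alter.htm"}, CANDIDATES))
```

The last two calls list the look-alike paths that each character-class string also selects, which is why the manual calls the negated class useful as an example but not for real life.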

Regular Expression Configuration


1. Continue with the URL SLB config from the last lab. We will add regular expressions to
select specific real servers. Web server 1 will host the file alteo.htm. Web server 2 will host
altea.htm and alter.htm. The regular expression alte[ar].htm selects the
content stored on server 2. Negating the character class avoids selecting this
machine: alte[^ar].htm allows access to alteo.htm and, of course, to many other htm
pages. It is therefore useful as an example but not for real life.
Syntax:
/cfg/slb/layer7/slb/addstr {type-of-string}
The type of string is l7lkup (for ASCII content load balancing) or pattern (for DoS/ITM, binary or ASCII).
l7lkup is selected by default.
Configure HTTP header string? (y/n) [n]
Boolean value to define SOAP Action header, default value no.
Enter SLB string: {string-definition}
Specify lookup URL string.
Lab Configuration:
/cfg/slb/layer7/slb/addstr alte[^ar] add a new index for alte[^ar]
addstr alte[ar] add a new index for alte[ar]
apply
cur see list of cur paths (any, /images)
Error message:
No available server to handle this request

Number of entries: two
1: any, cont 1024
2: /images, cont 1024
3: alte[^ar], cont 1024
4: alte[ar], cont 1024

2. Add the index number for the URL string to the real server config: Add alte[^ar], which is
a regular expression for alteo string in our configuration, to real server 1. Add alte[ar],
which represents both strings alter and altea, to real server 2. To enable LB to allow
index.htm on real server 1, add index 1 to it.
Syntax:
/cfg/slb/real {no}/layer7/addlb {index-number-of-string}
Assign lookup URL string index number to real server number.
Lab Configuration:
/cfg/slb/real 1/layer7/addlb 3 adds string 3 alte[^ar] to real server 1
addlb 1 adds string 1 any to real server 1 to also allow index.htm page
../../re 2/la/a 4 short form to add string 4 alte[ar] to real server 2


3. Test your configuration. Send the following requests from your browser at Team-PC to
VIP. The following example is for team 21. Use your team number, please.
http://192.168.100.221/alteo.htm,
http://192.168.100.221/alter.htm,
http://192.168.100.221/altea.htm

4. Check statistics on loadbalancer.


Lab Operation:
/stat/slb/layer7/str and /stat/slb/virt 1.

>> Server Load Balancing Statistics# /stat/slb/layer7/str


------------------------------------------------------------------
SLB String stats:
ID SLB String Hits
1 any 72
2 /images 7
3 alte[^ra] 1
4 alte[ra] 2

All alteo requests terminate at Web server 1. All altea and alter requests are sent to
server 2, since the load balancing string that matches URLs ending in a and r (alte[ar]) was
assigned to server 2.
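The string lookup configured in this lab, modelled as an added example (not part of the manual and not Radware code). It shows which real servers are eligible for a request and how much more the configured string alte[^ar] matches than the alte[^ar].htm expression discussed in step 1. Assumptions: Python's re.search stands in for the switch's matcher, a specific string takes precedence over "any", and the extra request paths are constructed.

```python
import re

# String table and real-server bindings from this lab's configuration
# (URL strings only; IDs as in the printout).
STRINGS = {1: "any", 2: "/images", 3: "alte[^ar]", 4: "alte[ar]"}
REAL_STRINGS = {"webserver1": [1, 3], "webserver2": [1, 2, 4]}

# Constructed request paths for a hypothetical site; only the first five
# appear in the lab.
SITE_URLS = [
    "/alteo.htm", "/alter.htm", "/altea.htm", "/index.htm",
    "/images/img1.jpg", "/alte.htm", "/salted/hash.htm",
    "/alternate.htm", "/docs/alteon-guide.pdf",
]


def matching_strings(url):
    """IDs of the specific (non-"any") strings found anywhere in the URL.

    Assumption: Python's re.search stands in for the switch's matcher.
    """
    return [sid for sid, pat in STRINGS.items()
            if pat != "any" and re.search(pat, url)]


def eligible_servers(url):
    """Real servers that may receive a request for this URL.

    Assumption of this model: a specific string wins over "any", which is
    what the lab statistics show for /images and the alte* pages.
    """
    wanted = matching_strings(url) or [
        sid for sid, pat in STRINGS.items() if pat == "any"]
    return sorted(name for name, ids in REAL_STRINGS.items()
                  if any(sid in ids for sid in wanted))


def unintended_matches(pattern, intended, urls):
    """URLs a pattern matches although the rule was not written for them."""
    return [u for u in urls if u not in intended and re.search(pattern, u)]


if __name__ == "__main__":
    for url in SITE_URLS:
        print(f"{url:26} -> {', '.join(eligible_servers(url))}")
    for pat, intended in (("alte[^ar]", {"/alteo.htm"}),
                          ("alte[^ar].htm", {"/alteo.htm"}),
                          ("alte[ar]", {"/alter.htm", "/altea.htm"})):
        print(pat, "also matches:", unintended_matches(pat, intended, SITE_URLS))
```

Running the same comparison against a real list of site paths before applying a new string shows which requests would be steered to a server that does not host them.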

Others Lookup
1. In this lab section, your task is to configure Layer 7 string lookup to detect the default
language support of the browser used for this request.
2. Modify your virtual server, to look up the Accept-Language HTTP header field.
Syntax:
/cfg/slb/virt {server-number}/service {port-number}/
httpslb {option operator option}
Possible options are: urlslb, host, cookie, browser, urlhash, headerhash, others.
Possible operators: and, or, none.
Lab Configuration:
/cfg/slb/virt 1/service http/http/httpslb
Application: urlslb|host|cookie||headerhash|others|none
Select Application: others
Operation: and|or|none
Select Operation: none
Enter new HTTP header name: Accept-Language
apply

3. Configure the header value strings and add their index numbers to the real server config. Real
server 1 serves the content for the en-us string; real server 2 is responsible for the de
string. The language string depends on the browser type. Add strings for, e.g., en-us and de. For
other regions, choose appropriate language strings.
Lab Configuration:
/cfg/slb/layer7/slb/addstr en-us add a new index for en-us string
adds de add a new index for de string and apply it
cur see list of cur paths (any, /images)


Error message:
No available server to handle this request

Number of entries: two
1: any, cont 1024
2: /images, cont 1024
3: alte[ar], cont 1024
4: alte[^ar], cont 1024
5: en-us, cont 1024
6: de, cont 1024

Lab Configuration:
/cfg/slb/real 1/layer7/addlb 5 assign string 5 en-us to real server 1
../../re 2/la/a 6 short form to add string 6 de to real server 2
apply

4. Access your home page, e.g. for team 21 http://192.168.21.221. Change the browser
language string according to your LB setup. You will see that Web server 1 serves requests
with preferred string 5, English. Server 2 will provide content for string 6, for
German users (de).

5. Check statistics on loadbalancer.


Lab Operation:
/stat/slb/layer7/str
>> Server Load Balancing Statistics# /stats/slb/layer7/str
--------------------------------------------------------------
SLB String stats:
ID SLB String Hits
1 any 81
2 /images 7
3 alte[^ra] 1
4 alte[ra] 4
5 en-us 38
6 de 18


Printout for Application Switch team 21

Layer 2/3 like previous lab setup, therefore it is not displayed.

/c/slb
on
/c/slb/adv
direct ena
/c/slb/real 1
ena
rip 10.200.21.100
name "webserver1"
/c/slb/real 2
ena
rip 10.200.21.200
name "webserver2"
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/port 1
client ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
dbind ena
/c/slb/layer7/slb
ren 2 "/images"
ren 3 "alte[^ra]"
ren 4 "alte[ra]"
ren 5 "en-us"
ren 6 "de"
/c/slb/real 1/layer7
addlb 1
addlb 3
addlb 5
/c/slb/real 2/layer7
addlb 1
addlb 2
addlb 4
addlb 6
/c/slb/virt 1/service http
httpslb others Accept-Language


SSL Acceleration

Overview
Secure Sockets Layer (SSL) is a security layer that can be added to various communication
protocols in order to serve four main purposes that contribute together to establishing a
secure communication channel.
Models 4408, 4416 and 5412 loaded with software ver. 27 can offload heavy client SSL
processing from the servers and deliver the traffic to them as clear HTTP or, if needed, as
weaker-encrypted traffic to ease the load. SSL is configured by means of a reusable SSL policy
in the AAS configuration, which enables quicker and safer setup of new services. Options include
controlling the SSL cipher suites and passing SSL information to Web applications for logging or
for use as part of the application logic. SSL using SHA-2 certificates is supported. To support the
new SSL capabilities, AAS now includes a repository for certificates and other PKI components,
which allows safe holding and management of all components and required actions, as well
as bulk import of the Alteon 2424-SSL certificate repository content for easy migration.

This lab unit discusses the Alteon Application Switch's SSL offloading capability, which performs
encryption, decryption, and verification of Secure Sockets Layer (SSL) transmissions between
clients and servers, relieving the back-end servers of this task. This enables the back-end
servers to maximize their performance and efficiency, resulting in faster server response times
and increased server capacity to handle more concurrent users.

Authentication
Each communicating partner should be able to verify that the other is who it
claims to be and not an impostor.
Privacy
A third party should not be able to eavesdrop on a private communication.
Integrity
The protocol should automatically or easily detect any tampering with the
transmission.
Non-repudiation
The sender should not be able to claim that they did not send what the
receiver received.
For Alteon to provide SSL Offloading, you must configure, enable, and apply the following
three components:
SSL Virtual Service
You must define an HTTPS or SSL virtual service and associate to it both an SSL server
certificate, and an SSL policy that governs the behavior of the SSL virtual service.
SSL Policy
You must define an SSL policy and associate it to the SSL virtual service. An SSL policy
includes the definition of the ciphers that enable SSL handshaking, as well as the type of
traffic that is sent to the back-end servers. A single SSL policy can be reused across multiple
virtual services.


Certificate Repository
You must supply a server certificate that you associate with the SSL virtual service. The
server certificate includes the attributes needed to perform SSL handshaking and enable the
decryption and encryption of the traffic related to the virtual service. You can associate only a
single server certificate to a virtual service, but the same server certificate can be used by
multiple services. The certificate repository may include Server Certificates, Intermediate CA
Certificates.
A server certificate is a type of certificate used to identify servers during the SSL handshake.
You either import a pre-existing server certificate using the /cfg/slb/ssl/certs/import command,
or you can generate
your own on the Alteon Application Switch. When you generate your own server certificate, if
an underlying Certificate Signing Request (CSR) and/or key pair do not already exist by the
same name as the server certificate, they are generated along with the server certificate. The
resulting server certificate is a "self-signed" server certificate, meaning it was issued by the
server for itself. This kind of a certificate is good for testing purposes, as real users will
experience various warning messages if used for the real SSL service. In order to be used in
the real-life SSL environment, the server certificate must be issued (signed) by a Certificate
Authority (CA), which is trusted by the client's browsers. To achieve this, once the certificate's
CSR is generated, you must submit it to a trusted Certificate Authority (CA) for signing. If the
request is successful, the CA sends back a certificate that has been digitally signed by its own
key, which you import using the /cfg/slb/ssl/certs/import command, ensuring that it is not
imported to the same entity name as the CSR.
Intermediate CA certificates are used when the CA providing the virtual service's server
certificate is not directly trusted by the end users' Web browsers. This is typical in an
organization that has its own CA server for generating server certificates. To construct the
trust chain from the user's browser list of trusted CAs to the organization's CA server, an
intermediate CA certificate or chain of certificates can be provided. You can optionally bind an
intermediate Certificate Authority (CA) certificate to the SSL policy. These certificates are not
created on the switch; you must first import them. You can also create a group of intermediate
certificates (a complete CA chain) and bind it to the SSL policy.
Trusted CA certificates are certificates that come from a Certificate Authority that your
organization uses to provide
users with certificates (client certificates). Trusted CA certificates are associated to client
authentication policies. If you use this option, you must specify the trusted client CA certificate
or group of trusted client CA certificates to allow Alteon to know which client certificates to
accept.
Client Authentication Policies
SSL client authentication enables a server to confirm a client's identity as part of the SSL
handshake process. The client's certificate and public ID are checked to confirm that they are
valid and that they were issued by a trusted Certificate Authority (CA). If the certificate is
valid, the handshake process is completed, allowing data to be sent to the intended destination.
If the certificate is not valid, the session is terminated. When using SSL Offloading, you can
optionally define a client authentication policy that authenticates the client's identity. You
associate a client authentication policy to an SSL policy, and the SSL policy, in turn, is
associated to a virtual service. To authenticate the client's identity, you import a CA
certificate into Alteon. Alteon uses this CA certificate to validate a client certificate it
receives, by checking that it was generated by this trusted CA. Additionally, you can configure
Alteon to ensure that the client certificates were not revoked by checking their status using
OCSP (Online Certificate Status Protocol).


Assignment
All Alteon switch devices are connected via Ethernet cables as shown in the lab diagram.
To configure this switch, connect via serial to your assigned switch through a terminal
server.
If your last lab was a VRRP or FWLB lab, remove all configuration settings and restore
the factory default settings.
Configure the application switch to support basic load balancing.
In this lab, we want to:
Set up a VIP with SSL offloading
Display the acceleration log and statistics


Configure Switch
Console Setup
On your Team-PC, the PuTTY application is already set up with individual icons to connect via
serial to the Application Switches.
1. Verify SLB is working. If not, refer to the lab Server Load Balancing.
2. Set up a basic HTTPS service. A VIP with service HTTPS terminates a client
SSL request using an SSL policy and a server certificate.
3. Generate a self-signed server certificate.
Syntax:
/cfg/slb/ssl/cert
srvrcert Server Certificate Menu
request Certificate Signing Request (CSR) Menu
keypair Key-Pair Menu
trustca Trusted CA Certificate Menu
intermca Intermediate CA Certificate Menu
group Certificates Group Menu
defaults Set certificate default values
import Import certificates
export Export certificates

Lab Configuration:
We set up a self-signed server certificate.
/cfg/slb/ssl/cert/srvrcert Select cert menu
Enter server certificate id (alphanumeric): selfs-cert
Server certificate selfs-cert# name MySelfSignedCert
Server certificate selfs-cert# generate
This operation will generate a self-signed server certificate.
Enter key size [512|1024|2048|4096] [1024]:<enter>
Enter server certificate hash algorithm [md5|..[sha1]:<enter>
Enter certificate Common Name: www.team28.com
Use certificate default values? [y/n]: n
Enter certificate Country Name (2-letter code) []: US
Enter certificate State or Province Name (full name) []: NJ
Enter certificate locality name (e.g. city) []: Mahwa
Enter certificate Organization Name (e.g. company) []: Radware
Enter certificate Organizational Unit Name []: Training
Enter certificate Email []: GuentherM@radware.com
Enter certificate validation period in days (1-3650) [365]: 20

Self signed server certificate, certificate signing request and key pair added.
apply


6. Enable SSL feature.


Syntax and Lab Operation:

/cfg/slb/ssl/on turn all SSL features to on.

7. Set up using the graphical user interface. Use either the CLI or the BBI!

On the Configure tab, select SLB SSL and select Enabled for SSL. Press the
Submit button.
On the Configure tab, press Certificate Repository and Generate a new policy.
Insert selfs-cert at ID and a descriptive name at Policy Name, and set the other
parameters as described above for the CLI. There should now be three entries: a Key-Pair,
a Certificate Request and the Server Certificate.

8. Set up an SSL policy. This is used to select which cipher is used.


Syntax:
/cfg/slb/ssl/sslpol <id>
name Set policy name
passinfo Pass SSL Information to Backend Servers Menu
cipher Set allowed cipher-suites in frontend SSL
intermca Set Intermediate CA certificate chain
becipher Set allowed cipher-suites in backend SSL
authpol Set client authentication policy
convuri Set Host regex for HTTP redirection conversion
bessl Enable/Disable backend SSL encryption
convert Enable/Disable HTTP redirection conversion
ena Enable policy
dis Disable policy
del Delete Policy

Lab Operation:
cfg/slb/ssl/sslpol plain set policy id
name "Easy SSL Policy" label this policy
cipher a long list appears, <tab> complete selection
Current cipher-suite allowed for SSL: rsa use default
Enter new cipher-suite allowed for SSL: medium 128 bit key
ena enable this policy
apply

9. Set up using the graphical user interface. Use either the CLI or the BBI!

On the Configure tab, select SLB SSL SSL Policies.
Press the Add tab and Generate a new SSL policy. Insert plain at ID and a descriptive
name at Policy Name, select Enable, set Cipher Suite to medium and keep the other
parameters at their default values.


Create HTTPS service for VIP address


Syntax
/cfg/slb/virt 1/service https/http
http HTTP Load Balancing Menu
ssl SSL Load Balancing Menu
group Set real server group number
rport Set real port
and some more menu options

Syntax
ssl ssl menu
srvrcert Set SSL server certificate for this virtual service
sslpol Set SSL policy for this virtual service
cur Display current SSL configuration

Lab Operation:
/cfg/slb/virt 1/service https/ssl
SSL Load Balancing# srvrcert selfs-cert associate cert
SSL Load Balancing# sslpol plain associate policy
Note: Backend servers listening port (rport) was changed from 443 to 80 due to the
use of No backend encryption. For a different network setting, rport can be
configured manually.

apply and save config


/cfg/dump to review the saved configurations

10. Set up using the graphical user interface. Use either the CLI or the BBI!
On the Configure tab, select SLB Virtual Servers.
Select Virt Server ID 1, scroll down in the new window and click the Add button. In the Basic
section, the field Service Port is 443 and Real is 80. Scroll down to SSL, select selfs-cert for
Server Certificate and plain for SSL Policy.


11. Test the configuration.


Open a browser on the client and access the web server
https://www.team#.com

12. Check the statistics; open and close a browser window several times.
CLI: /stat/slb/virt 1

BBI: Monitor SLB Virtual Servers 1 https(443)


13. Enable Application Services Trace Log. Application services trace logging may
cause performance impact on Alteon traffic processing capabilities. Make sure
to disable when done!
Syntax
/maint/applog
export Export application services trace log via FTP/TFTP/SCP
clearlog Clear application services trace log
compress Enable/disable log compression activities
caching Enable/disable log caching activities
ssl Enable/disable log ssl activities
http Enable/disable log http activities
httpmod Enable/disable log http modifications activities
dump Dump application services trace log configuration

Lab Operation:
ssl
Current logging ssl activities: disabled
Enter new logging ssl activities [d/e]: e

13 Create some traffic by accessing the https server page several times.

14 Export the log data to your Team-PC. Turn on 3CD and let it listen on the TFTP service.
Lab Operation:
/maint/applog/export
Enter hostname or IP address of FTP/TFTP/SCP server: 192.168.150.x
Enter username for FTP/SCP server or hit return for TFTP
server:<enter>
Dump logs in W3C format? (n for internal format) [y/n] [y]: n
Log file successfully transfered to :xxx_internal_logger.tar.gz

15 Extract the .tar.gz file. For each SP there is a separate file with log data. Depending
on the VMA feature, your connection data is stored in one of these files. Open it with
MS-Wordpad.

16 Do not forget to disable Application Services Trace Logging.


SSL Acceleration (team 28)


Layer 2/ 3 setup as done on basic lab.

/c/l3/dns
prima 192.168.150.253
/c/sys/ntp
on
prisrv 192.168.150.253
/c/slb/ssl/certs/keypair selfs-cert
/c/slb/ssl/certs/request selfs-cert
/c/slb/ssl/certs/import request "selfs-cert" text
-----BEGIN CERTIFICATE REQUEST-----
[certificate request body omitted]
-----END CERTIFICATE REQUEST-----

/c/slb/ssl/certs/srvrcert selfs-cert
name "MySelfSignedCert"
/c/slb/ssl/certs/import srvrcert "selfs-cert" text
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----


/c/slb/ssl
on
/c/slb/ssl/sslpol plain
name Easy SSL Policy
cipher medium
ena

/c/slb
on
/c/slb/adv
direct ena
/c/slb/real 1
ena
ipver v4
rip 10.200.28.100
/c/slb/real 2
ena
ipver v4
rip 10.200.28.200
/c/slb/group 1
ipver v4
metric roundrobin
add 1
add 2
/c/slb/port 1
client ena
/c/slb/port 2
server ena
/c/slb/virt 1
ena
ipver v4
vip 192.168.100.228
/c/slb/virt 1/service 80 http
group 1
/c/slb/virt 1/service 443 https
group 1
rport 80
/c/slb/virt 1/service 443 https/ssl
srvrcert selfs-cert
sslpol plain
/c/sys/access/https/port 8443
/c/sys/access/https/https e
/
script end /**** DO NOT EDIT THIS LINE!
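A check of the SSL offloading part of such a printout, as an added example (not part of the manual and not Radware tooling). It parses the flat menu-path/setting layout shown above, resolves the certificate and policy each HTTPS service refers to, and reports the points a reviewer would look at. Assumptions: LAB_DUMP is an excerpt of the team 28 printout with the certificate bodies left out, and REVIEW_CIPHERS is a site policy choice.

```python
import re

# Excerpt of the team 28 printout shown above (certificate bodies left out).
LAB_DUMP = """\
/c/slb/ssl/certs/keypair selfs-cert
/c/slb/ssl/certs/request selfs-cert
/c/slb/ssl/certs/srvrcert selfs-cert
name "MySelfSignedCert"
/c/slb/ssl
on
/c/slb/ssl/sslpol plain
name Easy SSL Policy
cipher medium
ena
/c/slb/virt 1
ena
ipver v4
vip 192.168.100.228
/c/slb/virt 1/service 80 http
group 1
/c/slb/virt 1/service 443 https
group 1
rport 80
/c/slb/virt 1/service 443 https/ssl
srvrcert selfs-cert
sslpol plain
"""

# Assumption: cipher settings this site wants a human to look at. The manual
# only says that "medium" means 128-bit keys.
REVIEW_CIPHERS = {"medium"}

SERVICE_RE = re.compile(r"^/c/slb/virt (\S+)/service (?:(\d+) )?(\w+)(/ssl)?$")


def parse_dump(text):
    """Group a flattened dump into {menu path: [setting lines]}, skipping PEM blocks."""
    sections, current, in_pem = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-----BEGIN"):
            in_pem = "-----END" not in line  # a one-line blob closes at once
            continue
        if in_pem:
            in_pem = not line.startswith("-----END")
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return sections


def setting(lines, key):
    """Value of the first 'key value' line, '' for a bare key, None if absent."""
    for line in lines:
        head, _, rest = line.partition(" ")
        if head == key:
            return rest.strip().strip('"')
    return None


def audit_ssl_offload(text):
    """Return (service, finding) tuples for every SSL-offloaded virtual service."""
    sections = parse_dump(text)
    findings = []
    if "on" not in sections.get("/c/slb/ssl", []):
        findings.append(("global", "SSL feature is not turned on (/c/slb/ssl on)"))
    for path, lines in sections.items():
        m = SERVICE_RE.match(path)
        if not m or not m.group(4):
            continue
        service = path[: -len("/ssl")]
        cert, pol = setting(lines, "srvrcert"), setting(lines, "sslpol")
        if cert is None or f"/c/slb/ssl/certs/srvrcert {cert}" not in sections:
            findings.append((service, f"server certificate {cert!r} is not in the repository"))
        pol_lines = sections.get(f"/c/slb/ssl/sslpol {pol}")
        if pol is None or pol_lines is None:
            findings.append((service, f"SSL policy {pol!r} is not defined"))
        else:
            if "ena" not in pol_lines:
                findings.append((service, f"SSL policy {pol!r} is not enabled"))
            cipher = setting(pol_lines, "cipher")
            if cipher in REVIEW_CIPHERS:
                findings.append((service, f"policy {pol!r} allows cipher setting {cipher!r}: review"))
        # The switch note above ties rport 80 to "No backend encryption".
        if setting(sections.get(service, []), "rport") == "80":
            findings.append((service, "rport 80: traffic to the real servers is not encrypted"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_ssl_offload(LAB_DUMP):
        print(f"{service}: {finding}")
```

For the lab configuration it reports the medium cipher setting and the unencrypted rport 80 leg between the switch and the real servers.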


Switch Troubleshooting

Overview
Description
The types of problems that typically occur with networks are connectivity and
performance. The Radware Alteon Application Switch supports a diverse range
of network architectures and protocols; some are used to maintain and monitor
connectivity and isolate connectivity faults.
This section provides conceptual information about the methods and tools used
for troubleshooting and isolating problems in the Application Switch. It will help
you to use the common commands to check switch status and to ensure
successful switch maintenance activities.

Objectives
After completing this lab, you will be able to use the following commands:
Config
Info
Statistics
Global

Assignment
Learn to use the diff command to view changes before saving them. Review
the CLI commands to check critical switch functions (such as port speed, STP
configuration, SLB configuration, etc.). Cultivate the ability to spot errors in your
configuration.
Familiarize yourself with the techniques to gather switch statistical data for
troubleshooting.
You can use the configuration from any previous lab for this lab.


Use Basic Commands in CLI

1. Use the diff or revert command.

Start with the diff command to review changes. Run all the other commands, ending with the
diff command again. Watch the different outputs. All these commands are available from any
menu and any path.
Syntax:
diff {option} Show any pending configuration changes. The flash option displays
all data that will be lost if the switch reboots.
Lab Configuration:
/cfg/l3/if 42/mask 255.255.255.0/addr 172.16.1.1/en
diff
Current config is identical to new config.

If all configuration data in floatable RAM is already applied and saved, no data is
displayed. Change the configuration and run the diff command again.
Lab Configuration:
/cfg/l3/if 42/mask 255.255.255.0/addr 172.16.1.1/en
diff
Pending configuration
/c/l3/if 42
ena
ipver v4
addr 172.16.1.1
mask 255.255.255.0
broad 172.16.1.255
apply current config is now identical to new config

diff flash displays unsaved config data


Pending configuration
/c/l3/if 42
ena
ipver v4
addr 172.16.1.1
mask 255.255.255.0
broad 172.16.1.255

revert apply remove applied but unsaved configuration changes


Confirm reverting unsaved changes [y/n]: y

diff nothing to display since all config data are in sync


2. Use the Port menu to configure settings for individual physical switch ports. This command
is enabled by default. Port configuration is slightly different on Application Switches 2000
series and 3408.
Syntax:
/cfg/port {number-of-physical-port}/{option}
Enables all settings for a physical port on an Application switch
/cfg/port {number-of-physical-port}/fast/{option}
Enables all settings for a fast Ethernet physical port on an Application switch
/cfg/port {number-of-physical-port}/gig/{option}
Enables all settings for a gigabit Ethernet physical port on an Application switch
/cfg/port {number-of-physical-port}/cop/{option}
Enables all settings for a physical RJ45 port in range 3-6 on a 3408 switch
/cfg/port {number-of-physical-port}/sfp/{option}
Enables all settings for a physical GBIC port in range 3-6 on a 3408 switch
Lab Configuration:
/cfg/port 1/cur display current port 1 configuration
/c/port 1/fast/cur display port 1 fast Ethernet configuration

3. View switch performance statistics in both the user and administrator command modes.
This menu displays traffic statistics on a port-by-port basis. Traffic statistics include
SNMP Management Information Base (MIB) objects. The displayed interval is from the
last switch reboot or counter reset until the present.
Syntax:
/stats/port {physical-port-number}/{option}
Displays statistic values for a physical port. Values in the range of Layer 1 up to Layer 3
are available. The clear option resets values.
Lab Configuration:
/stat/port 1/link
/stat/port 1/ether
/stat/port 1/if

4. When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the
network so that a switch uses only the most efficient path. Spanning Tree Protocol (STP)
detects and eliminates logical loops in a bridged or switched network. STP forces
redundant data paths into a standby (blocked) state. If the most efficient path fails,
Spanning Tree automatically sets up another active path on the network to sustain
network operations. Thus, STP is used to prevent loops in the network topology.
Application Switch Operating System supports the IEEE 802.1p Spanning Tree Protocol
(STP). Application Switch Operating System supports up to 16 instances of Spanning
Trees or Spanning Tree groups. Each VLAN can be placed in only one Spanning Tree
group per switch except for the default Spanning Tree group (STG 1). The default
Spanning Tree group (1) can have more than one VLAN. All other Spanning Tree groups
(2-16) can have only one VLAN associated with it. Spanning Tree can be enabled or
disabled for each port. Multiple Spanning Trees can be enabled on tagged or untagged
ports. Spanning tree group 1 is turned on by default.

Syntax:
/cfg/l2/stg {number-of-STP-group}/{option}
Enables all settings for Spanning Tree Groups 1 to 16
Lab Configuration:
/cfg/l2/stg 1/cur

Syntax:
/info/l2/stg
Displays all settings for Spanning Tree Groups 1 to 16
Lab Configuration:
/info/l2/stg

5. After you contact Radware Alteon support, a tsdump is often requested. To get this
important data, turn on capture on your terminal emulation to record the large amount of
data.

Syntax:
/maint/tsdmp
Dumps all Application Switch information, statistics, and configuration to your CLI screen.
You can log the tsdump output into a file, and send it to Radware Technical Support for
debugging purposes.
Lab Configuration:
/maint/tsdmp
Confirm dumping all information, statistics, and configuration
[y/n] : y

Syntax:
/maint/pttsdmp {hostname filename -tftp|username password [-mgmt|-
data]}
Dumps data to a server specified by hostname. Data is stored at filename. The transport
protocol is FTP or TFTP via a management or data port.
Lab Configuration:
/maint/pttsdmp
Enter hostname or IP address of FTP/TFTP server: 192.168.150.x
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server:
username
Enter password for username on FTP server: password
Connecting to 192.168.150.69...

6. The panic command causes the switch to immediately dump state information to flash
memory and automatically reboot. Technical support may request a panic dump for
analysis of an open case. Use ptdump to transmit the system dump to a TFTP or FTP
server and store it in a file.
Syntax:
/maint/panic


Dumps all switch state information. You can log the tsdump output into a file, and send it
to Radware Technical Support for debugging purposes.

Lab Configuration:
/maint/panic
Confirm dumping and reboot [y/n] : y
Syntax:
/maint/ptdump {hostname filename -tftp|username password [-mgmt|-data]}
Dumps data to a server specified by hostname. Data is stored in filename. The transport
protocol is FTP or TFTP via a management or data port.
Lab Configuration:
/maint/ptdmp
Enter hostname or IP address of FTP/TFTP server: 192.168.150.x
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server: username
Enter password for username on FTP server: password
Connecting to 192.168.150.69...

7. You must reset the switch to make your software image file or configuration block changes
take effect. For two other features, Nortel-Multiple-Spanning-Tree (/cfg/l2/ntmstg) and
jumbo frames at VLAN (/cfg/l2/vlan x/jumbo) a reset is also required.
Syntax:
/boot/reset {option}
The hard option acts like a power cycling of an Application Switch. The two other options are
booting from other image <Ctrl>-o or select to load factory default database <Ctrl>-f.
Lab Configuration:
/boot/reset shorthand /b/c
/boot/reset hard shorthand /b/c hard
>> Note that this will RESTART the Spanning Tree,
>> which will likely cause an interruption in network service.
Confirm reset [y/n]: y

Using <ctrl> <shift> or <ctrl>7 acts as a Console RESET KEY in thread
unknown (tid=0, cmd=0) command on the switch. It generates a maintenance (panic)
dump and resets the switch.

8. To debug Virtual Matrix Architecture feature, you can display the assigned SP (Switch
Processor) for a source IP address and a destination IP address when VMA with
destination IP is enabled. For IP version 6 use command vmasp6.
Syntax:
/maint/debug/vmasp {option, option, option}
The options required are, Source-IP-address, destination IP address, and Source-Port if
enabled. Configuration is at path /cfg/slb/adv/ vmadip or vmasport.


Lab Configuration:
/maint/debug/vmasp
Enter Source IP address : 1.2.3.4
Enter Destination IP address : 2.3.4.5
Enter source port : 1234
shorthand /m/d/vmasp 1.2.3.4 2.3.4.5 1234
VMA for source IP 1.2.3.4 and destination IP 2.3.4.5 and source port
1234 is SP 3

9. You can display the Real server number, real IP address, MAC address, VLAN, physical
switch port, layer on which the health check is performed, and the health check result.
Syntax:
/info/slb/real {real-server-number}
For real servers, the possible range is from 1 to 1023.
Lab Configuration:
/info/slb/real 1
1: 10.200.21.100, 00:0c:29:59:68:0e, vlan 11, port 2, health 4, up
real ports:
rport 80, up # indicates layer of HC
Real server group 1 , Workload Manager none
Virtual services:
http: vport http, rtspslb none

10. You can display the Server Load Balancing values for Layer 4 services.
Syntax:
/stats/slb/{options}
For all real servers, groups, virtual servers etc. statistics are available.
Lab Configuration:
/stat/slb/real 1
/stat/slb/real 2
/stat/slb/group 1
/stat/slb/virt 1
/stat/slb/filt 1

11. To check whether a filter is working and matches a configured rule, use filter logging. This
command enables or disables messages that are displayed at the terminal and sent to the
configured syslog server when a filter match occurs.
Syntax:
/cfg/slb/filt {filter-number}/adv/log {options}
This option is disabled by default. Logging can be enabled per filter.
Lab Configuration:
/cfg/slb/filt #/adv/log ena always prints an info line at the console if filter
criteria are met.


Perform the following commands using the current SLB configuration. Some of the commands
you did previously are noted in the table below for reference.

CLI COMMAND                             COMMENT

LAYER 2 useful CLI commands

/info/sys                               Provides system information, IP, software version, etc.
/info/link                              Provides port link status
/info/fdb/dump                          Provides forwarding database information, VLANs, etc.
/info/arp/dump                          Provides ARP table information
/info/ip                                Provides IP information
/c/dump                                 Provides switch configuration dump
/stat/port <num>/ <ether/if/link>       Provides port statistics
/stat/port <num>/maint                  Provides port maintenance statistics
/stat/if <num>                          Provides identified interface information
/stats/mp                               Provides management processor utilization information

LAYER 4 useful CLI commands

/info/slb                               Provides SLB information
/info/dump                              Provides dump of current switch information
/c/slb/cur                              Provides SLB current configuration review
/stat/slb/real <real-server-num>        Provides statistics by real IP (RIP)
/stat/slb/group <real-server-group #>   Provides useful group information
/stat/slb/virt <virtual-server-num>     Provides virtual services information (e.g., VIPs, etc.)
/stat/slb/maint                         Provides SLB maintenance statistics
/stats/dump                             Provides switch statistics information
/info/slb/sess                          Provides SLB session information


Virtual Router Redundancy

Overview
Description
In a high-availability network topology, no device can create a single point-of-failure for the
network or force a single point-of-failure to any other part of the network. This means that your
network will remain in service despite the failure of any single device. To achieve this usually
requires redundancy for all vital network components. VRRP enables redundant router
configurations within a LAN, providing alternate router paths for a host to eliminate single
points-of-failure within a network. Each participating VRRP-capable routing device is configured with
the same virtual router IP address and ID number. One of the virtual routers is elected as the
master, based on a number of priority criteria, and assumes control of the shared virtual router
IP address. If the master fails, one of the backup virtual routers will take control of the virtual
router IP address and actively process traffic addressed to it. Because the router associated
with a given alternate path supported by VRRP uses the same IP address and MAC address as
the routers for other paths, the host's gateway information does not change, no matter what path
is used. A VRRP-based redundancy schema reduces administrative overhead because hosts
need not be configured with multiple default gateways. The IP address of a VRRP virtual
interface router (VIR) and virtual server router (VSR) must be in the same IP subnet as the
interface to which it is assigned.

Virtual Router
VRRP routers on two or more independent Application Switches can be configured to form a
virtual router (RFC 2338). Each virtual router consists of a user-configured virtual router
identifier (VRID) and an IP address. The VRID is used to build the virtual router MAC Address.
The five highest-order octets of the virtual router MAC Address are the standard MAC prefix
(00-00-5E-00-01) defined in RFC 2338. The VRID is used to form the lowest-order octet.

Owners and Renters


Only one of the VRRP routers in a virtual interface router may be configured as the IP address
owner. The owner is the virtual router (Application Switch) whose virtual interface router's IP
address is equal to the real interface address. This router responds to packets addressed to the
virtual interface router's IP address for ICMP pings, TCP connections, and so on. If the owner is
not available, the backup becomes the master and takes over responsibility for packet
forwarding and responding to ARP requests. However, because this switch is not the owner, it
does not have a real interface configured with the virtual interface router's IP address. If the IP
address owner is available, it will always become the virtual router master. There is no
requirement for any VRRP router to be the IP address owner. Most VRRP installations choose
not to implement an IP address owner. VRRP routers that are not the IP address owner are
called renters. A priority value is used to determine which VRRP router should be the master in
a group of renters.


Virtual Router States


Within each virtual router, one switch VRRP router instance is selected to be the virtual
router master.
Master: The virtual router master forwards received packets. It also responds to Address
Resolution Protocol (ARP) requests sent to the virtual router's IP address. Finally, the virtual
router master sends out periodic advertisements (multicast messages) containing VRRP-IP
address, VR-ID and priority to let other VRRP routers know it is alive.
Backup: Within a virtual router, the VRRP routers not selected to be the master are known as
virtual router backups. Should the virtual router master fail, one of the virtual router backups
becomes the master and assumes its responsibilities.
Init: If there is no port in the virtual router's VLAN with an active link, the interface for the
VLAN fails, thus placing the virtual router into the INIT state. The INIT state identifies that the
virtual router is waiting for a startup event. If it receives a startup event, it will either transition
to master if its priority is 255 (the IP address owner) or transition to the backup state if it is
not the IP address owner.

How VRRP Priority Decides Which Switch is the Master


Each VRRP router that is not an owner is configured with a priority between 1 and 254.
According to the VRRP standard, an owner has a priority of 255. A bidding process
determines which VRRP router is or becomes the master: the VRRP router with the highest
priority. Owners have a higher priority than the range permitted for non-owners. If there is an
IP address owner, it is always the master for the virtual interface router, as long as it is
available. The master periodically sends advertisements to an IP multicast address. As long
as the backups receive these advertisements, they remain in the backup state. If a backup
does not receive an advertisement for three advertisement intervals, it initiates a bidding
process to determine which VRRP router has the highest priority and takes over as master.
If, at any time, a backup determines that it has a higher priority than the current master, it can
preempt the master and become the master itself, unless configured not to do so. In
preemption, the backup assumes the role of master and begins to send its own
advertisements. The current master sees that the backup has higher priority and will stop
functioning as the master. A backup router can stop receiving advertisements for one of two
reasons: the master can be down, or all communication links between the master and the
backup can be down. If the master has failed, it is clearly desirable for the backup (or one of
the backups, if there are more than one) to become the master. If the master is healthy but
communication between the master and the backup has failed, there will then be two masters
within the virtual router. To prevent this from happening, configure redundant links to be used
between the switches that form a virtual router.

Determining How to Configure Priority


Think of a virtual router's priority as a starting value that increases or decreases depending
on the parameters that are tracked. For example, if you configure the virtual router to track
the link state of the physical ports, one port losing link would cause the virtual router's priority
to decrease by 2 priority points. In order to ensure that this decrease in priority causes
failover from the current master to the backup virtual router, you should set the "base" priority
of the Master switch to be only 1 point higher than the backup; for example priority 101 for
master, 100 for backup. If the master and backup switches were set to priorities 110 and 100
respectively, a single port failure would only decrease the master switch's priority to 108. As
108 is still higher than the backup's priority of 100, the master switch would not fail over due
to the loss of one port's link. It is also common to have a priority of 99 on the backup and 100
on the master. Whenever you change the backup switch configuration, you must synchronize
the master switch using /oper/slb/sync command.
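
The virtual MAC rule and the priority arithmetic described above can be tried out with the following added example, which is not part of the original manual or of the switch software. It is a simplified model: the class and function names are hypothetical, the 2-point decrement per failed port is taken from the text, and a running master is only replaced by a strictly higher priority, as in the VRRP standard.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

VRRP_MAC_PREFIX = "00-00-5E-00-01"  # standard prefix (RFC 2338)
OWNER_PRIORITY = 255                # priority of the IP address owner
TRACK_DECREMENT = 2                 # points lost per failed tracked port (from the text)


def virtual_mac(vrid: int) -> str:
    """Virtual router MAC: fixed five-octet prefix, VRID as the lowest-order octet."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"{VRRP_MAC_PREFIX}-{vrid:02X}"


@dataclass
class VrrpRouter:               # hypothetical model of one switch in a virtual router
    name: str
    interface_ip: str           # real interface address, only used to break ties
    base_priority: int          # configured priority: 1..254, or 255 for the owner
    failed_ports: int = 0       # tracked ports that have lost link
    alive: bool = True          # False models a failed switch

    def effective_priority(self) -> int:
        if self.base_priority == OWNER_PRIORITY:
            return OWNER_PRIORITY   # assumption: tracking never lowers the owner
        return max(1, self.base_priority - TRACK_DECREMENT * self.failed_ports)


def elect_master(routers, current=None, preempt=True):
    """Return the router that controls the virtual router IP after bidding."""
    candidates = [r for r in routers if r.alive]
    if not candidates:
        return None
    # Highest effective priority wins; with no master yet, ties go to the higher IP.
    best = max(candidates,
               key=lambda r: (r.effective_priority(), IPv4Address(r.interface_ip)))
    if current is None or not current.alive:
        return best
    # A running master is replaced only by a strictly higher priority, and only
    # when preemption is enabled (the IP address owner always takes over).
    higher = best.effective_priority() > current.effective_priority()
    if higher and (preempt or best.effective_priority() == OWNER_PRIORITY):
        return best
    return current


def failover_after_port_loss(master_prio, backup_prio, ports_lost=1):
    """Name of the master after the initial master loses tracked ports."""
    odd = VrrpRouter("odd", "192.168.100.31", master_prio)
    even = VrrpRouter("even", "192.168.100.41", backup_prio)
    first = elect_master([odd, even])
    first.failed_ports = ports_lost
    return elect_master([odd, even], current=first).name


if __name__ == "__main__":
    print("VRID 21 ->", virtual_mac(21))
    for pair in ((101, 100), (110, 100)):
        print(pair, "one port down ->", failover_after_port_loss(*pair))
```
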


Assignment
Your previous labs used a single switch for all SLB configurations. Now we will
enhance it by a second switch for high availability (HA). Network cables are
connected according to the diagram on the previous page.
For this lab, two delegates always need to work together! Preferred teams 21+22,
23+24, 25+26, and 27+28 form a redundant configuration consisting of an odd and
even switch.
All examples in the description below are for team21/22. Other teams should use IP
addresses and VRIDs according to their team number. On the application server side,
both switches need a common network. Use the odd team number for
configuring this network! Do not use the even team numbers in this lab.
Connect to the odd switch; 2424 team21. Set the odd switch to the factory default.
For each interface or VIP, a separate virtual router (VIP / VSR) is necessary. Set the
interface IP addresses according to the lab layout diagram. For Team21, Interface 1, the
configured IP-Address is 192.168.100.31. The interface addresses from previous labs
are now used as VIR, 192.168.100.21, VRID 21. For the interfaces towards web
servers, the odd switch network is used. Interface 2 will be 10.200.21.31. VIR is
192.168.21.21, VRID 31. This is common in the real world since all routing entries on
other devices need no change. Priorities for both VIRs are set to 101. Configure
tracking and choose Active-Standby mode (share=disable) for all VRs.
Configure SLB and configure synchronization without priorities. Set the sync peer to
the interface 2 IP address of the even switch. VIP+VSR for both switches are
192.168.100.221, VRID 41. Priority for VSR is set to 101.
Connect to the even switch, check that the OS version used is the same as on the
odd switch, set up Layer 2, VLAN 11 and 14, and Layer 3 parameters. Interface 1 is
set to 192.168.100.41 and interface 2 uses 10.200.21.41. Set the sync peer to the
interface 2 IP address of the odd switch.
Connect to the odd switch; synchronize VRRP and SLB values with the even switch.
Test SLB; disable ports to simulate missing link connections and trigger failover, etc.


Configure Switch
CLI configuration for the odd-switch:
1. If you would like to configure the switch via BBI, continue on page 111. For CLI configuration,
connect to the odd-switch (e.g. Team-21) port via terminal server serial. Log in to the
switch and enter the admin password admin.
2. Set the switch to the factory default and reset it.
Lab Configuration:
/boot/conf factory/reset short form /b/co f/r
y confirms reset, pressing <enter> reboots the switch
3. Wait approximately one minute, log in to the switch using the admin password.

4. Adjust Layer 2. Assign port 1 to VLAN 11 and port 2 to VLAN 14.
Lab Configuration:
/cfg/l2/vlan 11/add 1/ena   create vlan 11 for clients, add port 1
y                           move port from vlan1 (default) to vlan 11, do not tag it
../vlan 14/add 2/ena        create vlan 14 for server, add port 2
y                           move port from vlan1 (default) to vlan 14, do not tag it
apply                       activate configuration change

5. Turn off Spanning Tree on the switch and save the configuration.
Lab Configuration:
/cfg/l2/stg 1/off this disables STP group 1, default group is 1
apply activate configuration change

6. Create two interfaces for public and private networks, and add a default gateway.
Lab Configuration:
/cfg/l3/if 1/ena/vlan 11/mask 255.255.255.0/addr 192.168.100.#+10
/cfg/l3/if 2/ena/vlan 14/mask 255.255.255.0/addr 10.200.#.#+10

/cfg/l3/gw 1/addr 192.168.100.254/ena/apply

7. Configure Virtual Interface Routers. For each interface, a separate router is
required. If possible, use the same value for VR-number, VR-ID and IF. This
simplifies management. If this is not possible, suitable documentation is required.
Syntax:
/cfg/l3/vrrp/{option}
This option turns the VRRP feature on or off.
Lab Configuration:
/cfg/l3/vrrp/on enables VRRP feature


Syntax:
/cfg/l3/vrrp/vr {VR-number}/{options}
Set all the Options parameters required for a single VR router.
Lab Configuration:
/cfg/l3/vrrp/vr 1 define VR1
vrid odd# set to virtual MAC Addr. 00-00-5E-00-01-15 (team 21)
addr 192.168.100.odd# Public VIR Address, e.g. addr 192.168.100.21
share dis switch from active-active to active-standby
if 1 communicates via interface 1
prio 101 set priority to 101,
ena enable VR
track/l4pts ena track ports layer 4 (client/server process) enabled

It is also possible to put all commands into a single line. Configure vr2 this way:
Lab Configuration:
/cfg/l3/vrrp/vr 2/vrid odd#+10/addr 10.200.odd#.odd#/share dis/if 2/prio 101/ena/track/l4pts ena

8. Set up Layer 4 synchronization configuration parameters. Disable priority synchronization;
otherwise, you need to manually adjust the partner switch after doing a sync. The peer
address is the opposite public or private interface.
Syntax:
/cfg/slb/sync/{options}
Options set all the different parameters required for config or session synchronization.
Lab Configuration:
/cfg/slb/sync/prio dis
/cfg/slb/sync/peer 1/ena/addr 10.200.odd#.odd#+20
apply and save

After applying your changes, the switch should report VRRP status:
<date> <time> NOTICE vrrp: virtual router 192.168.100.21 is now master
<date> <time> NOTICE vrrp: virtual router 10.200.21.21 is now master

9. Save the configuration to a file using copy and paste.

10. Test your setup. Are both Web servers accessible by ping and browser access?


Configuration for the even-switch: do steps 11-20 if two delegates share two
switches. If a single person configures both switches do only steps 21-24.
11. Connect to the even-switch (e.g. Team-22) port via terminal server serial. Log in to the
switch, enter the admin password admin.
12. Set the switch to the factory default and reset it.
Lab Configuration:
/boot/conf factory/reset short form /b/co f/r
y confirms reset, pressing <enter> reboots the switch
13. Wait approximately one minute, log in to the switch using the admin password.

14. Adjust Layer2. Assign port 1 to VLAN 11 and port 2 to VLAN 14.
Lab Configuration:

/cfg/l2/vlan 11/add 1/ena   create vlan 11 for clients, add port 1
y                           move port from vlan1 (default) to vlan 11, do not tag it
../vlan 14/add 2/ena        create vlan 14 for server, add port 2
y                           move port from vlan1 (default) to vlan 14, do not tag it
apply                       activate configuration change

15. Turn off Spanning Tree on the switch and save the configuration.
Lab Configuration:
/cfg/l2/stg 1/off this disables STP group 1, default group is 1
apply activate configuration change

16. Create two interfaces for public and private networks, and add a default gateway.
Lab Configuration:
/cfg/l3/if 1/ena/vlan 11/mask 255.255.255.0/addr 192.168.100.#+20
/cfg/l3/if 2/ena/vlan 14/mask 255.255.255.0/addr 10.200.odd#.odd#+20

/cfg/l3/gw 1/addr 192.168.100.254/ena/apply

17. Configure Virtual Interface Routers. For each interface, a separate router is
required. If possible, use the same value for VR-number, VR-ID and IF. This
simplifies management. If this is not possible, suitable documentation is required.
Syntax:
/cfg/l3/vrrp/{option}
This option turns the VRRP feature on or off.
Lab Configuration:
/cfg/l3/vrrp/on enables VRRP feature

Syntax:
/cfg/l3/vrrp/vr {VR-number}/{options}
Set all the Options parameters required for a single VR router.


Lab Configuration:
/cfg/l3/vrrp/vr 1 define VR1
vrid odd# set to virtual MAC Addr. 00-00-5E-00-01-15 (team 22)
addr 192.168.100.odd# Public VIR Address, e.g. addr 192.168.100.21
share dis switch from active-active to active-standby
if 1 communicates via interface 1
prio 100 set priority to 100 or skip line,
ena enable VR
track/l4pts ena track ports layer 4 (client/server process) enabled

It is also possible to put all commands into a single line. Configure vr2 this way:
Lab Configuration:
/cfg/l3/vrrp/vr 2/vrid odd#+10/addr 10.200.odd#.odd#/share dis/if 2/ena/track/l4pts ena

18. Set up Layer 4 synchronization configuration parameters. Disable priority synchronization;
otherwise, you need to manually adjust the partner switch after doing a sync. The peer
address is the opposite public or private interface.
Syntax:
/cfg/slb/sync/{options}
Options set all the different parameters required for config or session synchronization.
Lab Configuration:
/cfg/slb/sync/prio dis
/cfg/slb/sync/peer 1/ena/addr 10.200.odd#.odd#+10
apply and save

After applying your changes, the switch should report VRRP status:
<date> <time> NOTICE vrrp: virtual router 192.168.100.21 is now backup
<date> <time> NOTICE vrrp: virtual router 10.200.21.21 is now backup

19. Save the configuration to a file using copy and paste.

20. Test your setup. Are both Web servers accessible by ping and browser access?

Continue with step 25.


21. Edit the saved odd-switch configuration, (step 9). Edit the management address to meet the
previous even team number. Change the interface 1 address to 192.168.100.odd#+20
and IF 2 to 10.200.odd#.odd#+20. Remove all /cfg/l3/vrrp configuration. Adjust peer 1
address to 10.200.odd#.odd#+10. Save this configuration as a new file.

22. Open a second Putty window, connect via serial to even-switch, and set the switch
to the factory default configuration. Double-check; is the image version used equal to
the version of odd-switch? If not, upgrade or downgrade to make the versions match.
Enter Layer 2, Layer 3 and sync data by copying and pasting from the file. Apply and
save this configuration.

23. Select the odd-switch terminal and sync VRRP and SLB settings.
Lab Configuration:
/o/sl/sy shorthand
y confirm configuration sync

24. Watch the display of the even-switch terminal window after the changes are received.
There is no need to apply and save the configuration on even-switch. These two
commands are automatically executed in the background. The example below is for
team 21.

<date> <time> NOTICE vrrp: virtual router 192.168.100.21 is now backup
<date> <time> NOTICE vrrp: virtual router 10.200.21.21 is now backup

25. Setup SLB. Set up RealServer1, RealServer2, group them and create a VIP
192.168.100.2odd#. Do not forget the client and server processes and to enable the
SLB feature. If you can't remember the details, refer to the SLB lab, on page 30/31 steps
3 to 8.

26. Configure VSR on odd-switch for redundancy on Layer 4.
Lab Configuration:
/cfg/l3/vrrp/vr 3/vrid odd#+20/addr 192.168.100.2odd#/prio 101/share dis/if 1/ena/track/l4pts ena/apply   new VSR settings

27. Watch the messages for the new VR. It is the VR master.

28. Synchronize the VRRP & SLB config to even-switch


Lab Configuration:
/oper/slb/sync
Y


Test the VRRP configuration

1. Open a command prompt window on Team-PC. The examples below are for team 21.
Lab Configuration:
ping 192.168.100.21 ping to public VIR
ping 10.200.21.21 ping to VIP/VSR

2. Open a web browser, http://192.168.100.221 and access web servers. The well-known
home page should appear on screen.

3. Access Odd-switch CLI:


Lab Configuration:
/cfg/l3/vrrp/cur
What is the configured priority? ________

Lab Configuration:
/info/l3/vrrp
What is the current priority? ________
Is this switch the master or backup? _________
Lab Configuration:
/stats/l3/vrrp

4. How many VRRP advertisements have been received? _____________

How many VRRP advertisements have been sent out? ____________________

5. Access even-switch CLI:


Lab Configuration:
/cfg/l3/vrrp/cur
What is the configured priority? ________
Lab Configuration:
/info/l3/vrrp
What is the current priority? ________
Is this switch the master or backup? _________

Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ____________
How many VRRP advertisements have been sent out? _____________

6. Establish two serial connections if not already done, one to the odd-switch and another to the
even-switch. To simulate a fault, disable port 1 of the odd-switch.
Lab Configuration:
/cfg/port 1/dis/apply


Note the operational messages on both switches.

7. Access Odd-switch CLI:


Lab Configuration:
/info/l3/vrrp
What is the priority? ________
What is the status of this switch? _________
Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ______________
How many VRRP advertisements have been sent out? ______________

8. Enable ports from Odd-switch.


/cfg/port 1/ena/apply
Note any operational messages on odd- and even-switch.
_________________________________________________________________
_________________________________________________________________

9. Access even-switch:
Lab Configuration:
/info/l3/vrrp
What is the priority? ________
Is this switch the master or backup? _________
Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ______________
How many VRRP advertisements have been sent out? ______________

10. Access Odd-switch:


Lab Configuration:
/info/l3/vrrp
What is the priority? ________
Is this switch the master or backup? _________

Lab Configuration:
/stats/l3/vrrp
How many VRRP advertisements have been received? ____________________
How many VRRP advertisements have been sent out? ____________________


Printout for odd-switch, example for Team 21

/c/sys/mmgmt
addr 10.10.242.21
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/port 9
dis
/c/l2/vlan 1
learn ena
def 3 4 5 6 7 8 9 10 11 12 27 28
/c/l2/vlan 11
ena
name "public"
learn ena
def 1
/c/l2/vlan 14
ena
name "private"
learn ena
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
ena
addr 192.168.100.31
vlan 11
/c/l3/if 2
ena
addr 10.200.21.31
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
addr 192.168.100.254


/c/l3/vrrp/on
/c/l3/vrrp/vr 1
ena
vrid 21
if 1
prio 101
addr 192.168.100.21
share dis
track
l4pts e
/c/l3/vrrp/vr 2
ena
vrid 31
if 2
prio 101
addr 10.200.21.21
share dis
track
l4pts e
/c/l3/vrrp/vr 3
ena
vrid 41
if 1
prio 101
addr 192.168.100.221
share dis
track
l4pts e
/c/slb
on
/c/slb/sync
prios d
/c/slb/sync/peer 1
ena
addr 10.200.21.41
/c/slb/real 1
ena
rip 10.200.21.100
/c/slb/real 2
ena
rip 10.200.21.200
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/port 1
client ena
/c/slb/port 2
server ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1


Printout for even-switch, VRRP&SLB settings are equal except priority

/c/sys/mmgmt
addr 10.10.242.22
mask 255.255.248.0
broad 10.10.247.255
gw 10.10.240.1
ena
/c/sys/mmgmt/port
speed any
mode any
auto on
/c/port 1
pvid 11
/c/port 2
pvid 14
/c/port 9
dis
/c/l2/vlan 1
learn ena
def 3 4 5 6 7 8 9 10 11 12 27 28
/c/l2/vlan 11
ena
name "public"
learn ena
def 1
/c/l2/vlan 14
ena
name "private"
learn ena
def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
ena
addr 192.168.100.41
vlan 11
/c/l3/if 2
ena
addr 10.200.21.41
mask 255.255.255.0
broad 10.200.21.255
vlan 14
/c/l3/gw 1
ena
addr 192.168.100.254


/c/l3/vrrp/on
/c/l3/vrrp/vr 1
ena
vrid 21
if 1
addr 192.168.100.21
share dis
track
l4pts e
/c/l3/vrrp/vr 2
ena
vrid 31
if 2
addr 10.200.21.21
share dis
track
l4pts e
/c/l3/vrrp/vr 3
ena
vrid 41
if 1
addr 192.168.100.221
share dis
track
l4pts e
/c/slb
on
/c/slb/sync
prios d
/c/slb/sync/peer 1
ena
addr 10.200.21.31
/c/slb/real 1
ena
rip 10.200.21.100
/c/slb/real 2
ena
rip 10.200.21.200
/c/slb/group 1
metric roundrobin
add 1
add 2
/c/slb/port 1
client ena
/c/slb/port 2
server ena
/c/slb/virt 1
ena
vip 192.168.100.221
/c/slb/virt 1/service http
group 1
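
The two printouts above have to agree in the ways this lab describes: same VRID, address and interface per virtual router, a higher priority on the intended master, each virtual router inside its interface's subnet, a virtual router for each VIP, and a sync peer that points at the partner switch. The following added example, which is not part of the original manual or a Radware tool, parses dumps in this format and reports violations; the function names are hypothetical, the sample dumps are constructed with two planted faults, and a missing mask line is assumed to mean 255.255.255.0.

```python
import ipaddress

DEFAULT_MASK = "255.255.255.0"  # assumption: applied when the dump has no "mask" line
DEFAULT_PRIO = 100              # the lab notes that prio 100 may be left unset


def parse_dump(text):
    """Parse a '/c/...' configuration dump into {menu_path: {setting: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, {})
        elif line and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip().strip('"')
    return sections


def numbered(cfg, prefix):
    """Return {number: settings} for menus such as '/c/l3/vrrp/vr 1'."""
    return {p[len(prefix):]: s for p, s in cfg.items()
            if p.startswith(prefix) and p[len(prefix):].isdigit()}


def check_switch(name, cfg):
    """Checks that need only one switch's dump."""
    findings = []
    ifs = {n: ipaddress.ip_interface(f"{s['addr']}/{s.get('mask', DEFAULT_MASK)}")
           for n, s in numbered(cfg, "/c/l3/if ").items() if "addr" in s}
    vrs = numbered(cfg, "/c/l3/vrrp/vr ")
    for n, vr in vrs.items():
        iface = ifs.get(vr.get("if"))
        if iface is None or "addr" not in vr:
            findings.append(f"{name}: vr {n} has no address or no valid interface")
        elif ipaddress.ip_address(vr["addr"]) not in iface.network:
            findings.append(f"{name}: vr {n} addr {vr['addr']} is outside the subnet of if {vr['if']}")
    vr_addrs = {vr.get("addr") for vr in vrs.values()}
    for virt in numbered(cfg, "/c/slb/virt ").values():
        if virt.get("vip") not in vr_addrs:
            findings.append(f"{name}: vip {virt.get('vip')} has no matching virtual router")
    return findings


def check_pair(master, backup):
    """Cross-check the intended master ('odd') against its backup ('even')."""
    findings = check_switch("odd", master) + check_switch("even", backup)
    m_vrs, b_vrs = numbered(master, "/c/l3/vrrp/vr "), numbered(backup, "/c/l3/vrrp/vr ")
    for n in sorted(set(m_vrs) | set(b_vrs)):
        m, b = m_vrs.get(n), b_vrs.get(n)
        if m is None or b is None:
            findings.append(f"vr {n} is missing on one switch")
            continue
        for key in ("vrid", "addr", "if"):
            if m.get(key) != b.get(key):
                findings.append(f"vr {n}: {key} differs ({m.get(key)} vs {b.get(key)})")
        if int(m.get("prio", DEFAULT_PRIO)) <= int(b.get("prio", DEFAULT_PRIO)):
            findings.append(f"vr {n}: master priority is not higher than backup priority")
    for name, cfg, other in (("odd", master, backup), ("even", backup, master)):
        partner_ips = {s.get("addr") for s in numbered(other, "/c/l3/if ").values()}
        for n, peer in numbered(cfg, "/c/slb/sync/peer ").items():
            if peer.get("addr") not in partner_ips:
                findings.append(f"{name}: sync peer {n} ({peer.get('addr')}) is not a partner interface")
    return findings


# Constructed, trimmed sample dumps; two faults are planted on purpose.
TEMPLATE = """
/c/l3/if 1
addr 192.168.100.{host}
/c/l3/if 2
addr 10.200.21.{host}
mask 255.255.255.0
/c/l3/vrrp/vr 1
vrid 21
if 1
{prio}
addr 192.168.100.21
/c/l3/vrrp/vr 3
vrid 41
if 1
{prio}
addr 192.168.100.221
/c/slb/sync/peer 1
addr 10.200.21.{peer}
/c/slb/virt 1
vip {vip}
/c/slb/virt 1/service http
group 1
"""
ODD = TEMPLATE.format(host=31, peer=41, prio="prio 101", vip="192.168.21.221")  # fault: VIP
EVEN = TEMPLATE.format(host=41, peer=41, prio="", vip="192.168.100.221")        # fault: peer

if __name__ == "__main__":
    for finding in check_pair(parse_dump(ODD), parse_dump(EVEN)):
        print(finding)
```
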


BBI Web Based Management Labs

BBI SLB configuration of the Switch


1. To setup a SLB solution you start by enabling the SLB feature. At Configure tab select
SLB, turn SLB to Enabled and press the Submit button.

2. Configure as next step both real servers for this application. Select SLB, Real Servers
and use ADD button to specify parameters for both real servers. The internal reference
number ID, IP Address and State are mandatory. Enter next real server parameters.
If finished with the first, click on More. After last real server click on Submit and Apply.

3. Add all real servers belonging to this application to a group (farm). Important parameters
like health check and metric are specified at this group also. Select SLB, Server Group
and use ADD button to specify parameters. The internal reference number ID, is
mandatory. Change SLB Metric for this lab to Round Robin and Submit this change.


Next is to associate the real servers. Click on Add button below Real Servers, check all
real servers you will add and press Add Real or Add button depending on version. Click
Submit and Apply.

4. Configure the virtual IP. This is the entry or termination IP address for a specific
service. Select SLB, Virtual Servers and press the ADD button. Virtual Server ID, Name,
VIP Address and State are mandatory parameters. Submit this change.


5. Click the ID number, scroll down the new opened window and click Add to specify Service
Port 80. For this lab no additional parameter is required. Submit and Apply this change.

6. Final change for our basic SLB lab is the activation of client and server processing on the
ingress and egress ports. Select SLB, Ports and click on the number for the port you want
to change. If you want to change several ports the same manner, tick all appropriate ports
and click on Bulk Edit. Select port 1 and tick client, tick server for port 2, Submit each
change and Apply it.


7. Check new configuration. Click on Diff, message "Current config is identical to new
config." should appear. Diff Flash displays all SLB configuration since it is at current not
saved and Dump shows the whole switch configuration. Save configuration now.

8. Save this SLB configuration to a file on the Team-PC. This configuration will be the base
for the following labs. Start FTP/TFTP server on your Team-PC. At quick launch click on
3CDaemon. By default the server is set to use the desktop as user directory. At your
BBI window go to Configure, System, Download/Upload, Configuration. At section Import /
Export select Export from Device, Management Port and FTP. Enter your Team_PC IP
Address, Username is anonymous, Password any and as Filename SLB.txt. Submit
these parameters.

9. Use a different browser and open a new window to the VIP. For Team21 this is
http://192.168.100.221
Create some traffic by refreshing the browser. Why is the Alteon not selecting the second
real server? Close this browser and open a new one. Why is now the second real server
selected?
If at modern browsers a tab is open, it will grab the content only from internal cache.


10. Check statistics: select Monitor, SLB, Virtual Servers in the BBI window. Real Servers or
Server Groups display details on these items.
11. Load balancing across the services available on different servers is an option. There are
two web servers, one equipped with two CPUs, the other with four CPUs. For each CPU a
separate web application instance, e.g. Apache, is installed. Our customer wants even load
balancing across these CPUs. Set up the real servers for multi-port SLB. Add ports 80 and 81
for real server 1, and ports 80 to 83 for real server 2. To ensure the same load on all CPUs,
increase the weight to 2 for real server 2. Invoke this feature by setting the real port for
the HTTP service to 0.
At Configure, SLB, Real Server, Advanced scroll down to Service Ports and Add port
numbers. For each port you add, you need to select the Advanced menu again.

For server 2 set weight to 2.


At SLB Virtual Server, Services Port 80, edit settings, check Single
change Service Port 80 => 0

12. See the messages in the CLI window. A separate health check is now generated for each port.

13. For the next hands-on we do not need this multi-rport setting. Therefore, remove the
changes from step 11: click on the Revert Apply button.


BBI Layer 7 Passive Cookie Persistence Configuration

1. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for
content load balancing. At Configure, SLB, set Direct Access Mode to Enabled.

2. Select an appropriate load balancing metric for the real server group if no cookie is
present. Choose a non-persistent metric. For our lab we will select round robin. Select
Configure, SLB, Server Group, Group 1 and set SLB Metric to Round Robin.

3. To have cookie persistency, we need to get a cookie from the web server. The web
application on port 88 is cookie enabled. Select Configure, SLB, Virtual servers, click
on Port 80 (http) link. Set the radio button to single and enter at real port 88.

4. By default, the switch checks the case of any string, e.g. a cookie name. Disable case
sensitivity if there is no need to discriminate between upper and lower case. Select
Configure, SLB, Layer 7 Resources and turn CSSM parameter to Disabled.

5. Enable passive cookie-based persistence on the virtual server service. Select Configure,
SLB, Virtual Servers, Port 80 and set Persistence to Cookie. Several additional fields
are now available. Use Mode Passive, Name ASPSESS*, Number of Bytes to Extract 8,
Search in URI Disabled and Cookie Value Starting Point 1. Submit and Apply changes.

For testing passive cookies, refer to steps 7 to 10. Since rewrite cookies are very similar,
skip this test and test the rewrite settings only.

6. Enable rewrite cookie-based persistence on the virtual server service. Select Configure,
SLB, Virtual Servers, Port 80 and set Persistence to Cookie. Several additional fields
are now available. Use Mode Rewrite, Search Up to 1 Responses, Name ASPSESS*,
Length 8, Search in Header. Submit and Apply changes.

7. Confirm the cookie operation. Configure your browser to block cookies.

Check statistics. On BBI Monitor, SLB, Virtual Servers, Port 80


Clear the statistics counters in the CLI window:
/stat/slb/clear
to clear statistics

Generate traffic by opening a new browser window to your VIP several times, e.g.
http://192.168.100.221
Return to the switch BBI and refresh the window to display statistics. Note changes.

8. Change the cookie settings in your browser to accept cookies and repeat the above Lab
Operation steps. For Firefox, make sure to accept a cookie from the VIP. Add a suitable
exception.

9. Generate traffic by opening a new browser window to your VIP several times, e.g.
http://192.168.100.221

10. Return to the switch BBI and refresh the window to display statistics. Note changes. To
get new session requests, you need to close the browser and open a new window; otherwise
the data is read from the browser cache instead of the Super Veda server.

11. Change the VIP service HTTP rport value from 88 to 80 to simulate a server without
cookie support. Set Configure, SLB, Virtual Servers, Port 80 Service Port to 80.


12. Enable insert cookie-based persistence on the virtual server service. Set Configure,
SLB, Virtual Servers, Port 80 Persistence Mode to Insert, Name to Alteon_P and
a duration of 0 days : 8 hours : 0 minutes. Submit and Apply change.

13. Use the Firefox browser and turn LiveHTTPheaders on. The date is always UTC time, so it
is offset from local time depending on your time zone.


14. At the CLI you can decode the Set-Cookie value with /info/slb/cookie and get useful
information.

>> Server Load Balancing Information# cookie
Enter 16 or 20 or 24 bytes cookie value as 0xXXXXXXXXXXXXXXXX: 0x2389127e9af8b0b4baeebabf
Virtual IP address: 192.168.100.221
Real IP address: 10.200.21.100
Real Server Port: 80
Real Server Index: 1

15. Check statistics. On BBI Monitor, SLB, Virtual Servers, Port 80. Note changes. To get
new session requests, you need to close the browser and open a new window; otherwise
the data is read from the browser cache instead of the web server.

16. Remove all persistency settings for the virtual server for the next labs. Change the rport
from 88 to 80 if not already done at step 11. If your last saved configuration was basic SLB,
press the Revert Apply button. To double check, do a Diff Flash before.


BBI Content Load Balancing Configuration

1. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for
content load balancing. At Configure, SLB, set Direct Access Mode to Enabled. Submit
change.

2. Select an appropriate load balancing metric for the real server group if no string is
present. Choose a non-persistent metric. For our lab we will select round robin. Select
Configure, SLB, Server Group, Group 1 and set SLB Metric to Round Robin. Submit change.

3. Double check that persistent binding for the virtual server service is disabled. Pbind
takes precedence over string load balancing. Select Configure, SLB, Virtual servers, port 80.
Is parameter Persistence set to Disabled?

4. Double check that SLB is working. Clear the session table
CLI Operation:
/stat/slb/clear

Generate traffic by opening a new browser window to your VIP several times; return to the
switch CLI/BBI for displaying SLB statistics.


5. By default, the switch checks the case of any string, e.g. a cookie name. Disable case
sensitivity if there is no need to discriminate between upper and lower case. Select
Configure, SLB, Layer 7 Resources and turn CSSM parameter to Disabled.

6. When SLB is working correctly, continue with the URL configuration. We want to look for
the URL string images, which is only located at server 2. Define this URL string. Select
Configure, SLB, Layer 7 Resources, Strings. Keep all parameters on default and insert at
SLB String field /images. Submit this change.

7. Add an index number for the URL string to the real server config. If real server 2 can
handle additional pages other than /images, e.g. index.html, add string 1 as an option.
Select Configure, SLB, Real Servers, ID 2. Set radio button to Advanced and scroll
down to Layer 7. Move both strings into configured box. Submit change.


8. Enable URLSLB for the virtual service IP Address service HTTP. Select Configure, SLB,
Virtual Servers, ID 1 port 80. At section Basic set Application to HTTP-L7 and at section
HTTP set HTTP SLB to URL SLB. Submit and Apply change.

9. Test this new setup. Open a browser and access files on the image path. The files
img1.jpg, img2.jpg and img3.jpg are available on server 2. Close and reopen the client
browser several times to http://192.168.100.221/images/img1.jpg. Check statistics at
Monitor, SLB, Layer7, string tab.


10. To test SLB for the index page use the wfetch tool. It is at the quick start area. Here you
can set how an http request is sent to the server. Set Host to your VIP IP address and
keep all other parameters at default. To request a page press the GO! button. Both web
servers should respond, one after the other, since the any string is associated with the
real 2 server. Real 1 has no special setup and responds to any request.

11. Next, we want to set up a solution using regular expressions. Web server 1 will host file
alteo.htm. Web server 2 will host altea.htm and alter.htm. The regular expression
alte[ar].htm allows selection of the content stored on server 2. Inverting this regular
expression avoids selection of this machine. alte[^ar].htm allows access to alteo.htm
and of course to many other alteoX.htm pages. Therefore, this is useful only as a lab
example. Select Configure, SLB, Layer 7 Resources, Strings. Press Add and insert at
SLB String field alte[^ar] and then alte[ar]. Keep other parameters on default. Submit
this change.

12. Add the index number for the URL string to the real server config: Add alte[^ar], which is
a regular expression for the alteo string in our configuration, to real server 1. Add alte[ar],
which represents both strings alter and altea, to real server 2. To allow LB for the index.htm
string on real server 1, add index 1 to it.
Select Configure, SLB, Real Servers, ID 1. Set radio button to Advanced and scroll
down to Layer 7. Move any and alte[^ar] strings into configured box and Submit change.
Select Configure, SLB, Real Servers, ID 2. Set radio button to Advanced and scroll
down to Layer 7. Move alte[ar] string into configured box and Submit change.


13. Test your configuration. Send the following requests from your browser at Team-PC to
VIP. The following example is for team 21. Use your team number, please.
http://192.168.100.221/alteo.htm,
http://192.168.100.221/alter.htm,
http://192.168.100.221/altea.htm

14. In this lab section, your task is to configure Layer 7 string lookup to detect the default
language support of the browser used for this request. Modify your virtual server setting to
look up the Accept-Language string at HTTP header. We will assume real server 1 is
responsible for English and real server 2 for another language, e.g. German.

15. Configure header variable strings and add an index number to the real server config. Real
server 1 represents the contents for en string, real server 2 is responsible for de string.
Language string depends on browser type. Add strings for e.g. en and de. For other
regions, choose appropriate language strings. Configure, SLB, Layer 7 Resources,
Strings. Press Add and insert at SLB String field en and then de. Keep other parameters
on default. Submit this change.


16. Add the index number for the URL string to the real server config: Add en to real server 1
and de to real server 2. Keep the other previously associated strings.
Select Configure, SLB, Real Servers, ID 1. Set radio button to Advanced and scroll
down to Layer 7. Move any and en string into configured box and Submit change.
Select Configure, SLB, Real Servers, ID 2. Set radio button to Advanced and scroll
down to Layer 7. Move de string into configured box and Submit change.

17. Modify the VIP service HTTP to now look up the Accept-Language string in the HTTP header.
Select Configure, SLB, Virtual Servers, ID 1 port 80. At section Basic set Application to
HTTP-L7 and at section HTTP set HTTP SLB to others and HTTP Header Name to
Accept-Language. Submit and Apply change.


18. In Firefox select English, and in IE select German, as the default language. Set a single
language for each browser!

19. Test this new setup. Open a browser and access the team VIP. For team 21, close and
reopen the client browser several times to http://192.168.100.221. Check statistics at
Monitor, SLB, Layer7, string tab.
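
The string assignments from steps 6 to 12 (URL SLB) and steps 15 to 17 (Accept-Language lookup) can be traced with the following model, added here as an illustration; it is not the switch's own matching code. It assumes strings are matched as unanchored, case-insensitive patterns, that a specific string takes precedence over any, and that every server holding a matching string stays eligible; how the switch resolves several simultaneous matches is not stated in this manual.

```python
import re

# Strings each real server holds after steps 7, 12 and 16 ("any" is string index 1).
REAL_SERVERS = {
    1: ["any", "alte[^ar]", "en"],
    2: ["any", "/images", "alte[ar]", "de"],
}
URL_STRINGS = ["/images", "alte[^ar]", "alte[ar]"]   # steps 6 and 11
LANG_STRINGS = ["en", "de"]                          # step 15


def eligible_servers(inspected, strings, case_sensitive=False):
    """Real servers that may receive a request whose inspected field is `inspected`.

    Assumptions of this model: strings are unanchored patterns, a specific
    string beats "any", and if several strings match, every server holding
    one of them stays eligible.
    """
    flags = 0 if case_sensitive else re.IGNORECASE   # CSSM disabled in step 5
    hits = [s for s in strings if re.search(s, inspected, flags)]
    wanted = hits or ["any"]
    return sorted(rid for rid, held in REAL_SERVERS.items()
                  if any(s in held for s in wanted))


def route_url(path):
    """URL SLB as enabled in step 8."""
    return eligible_servers(path, URL_STRINGS)


def route_language(accept_language):
    """Header lookup on Accept-Language as enabled in step 17."""
    return eligible_servers(accept_language, LANG_STRINGS)


if __name__ == "__main__":
    # Constructed sample requests: the three test URLs from step 13 plus edge cases.
    for path in ["/alteo.htm", "/alter.htm", "/altea.htm", "/index.htm",
                 "/images/img1.jpg", "/altex.htm", "/ALTEA.HTM"]:
        print(f"{path:20} -> real {route_url(path)}")
    for header in ["en", "de", "fr", "de-DE,de;q=0.8,en;q=0.5", "en-DE"]:
        print(f"{header:26} -> real {route_language(header)}")
```

In this model a header that lists both languages, or a tag such as en-DE, matches en and de at once, which is why step 18 asks for a single language per browser.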


BBI configuration for VRRP
The odd-switch:
1. Connect via a browser to the management interface 10.10.242.# and set the switch to
load the factory default configuration on next boot and reset it. Select Configure, System,
Download/Upload, Configuration tab, section Version Management. Set Next Boot
Block to Factory and the radio button to Do Not Erase and Submit change. If there is
no reset button on this page, move to the software tab and press the Reset button there.

2. After the reset, you have lost HTTP access to the Alteon. Log on via serial and enable
HTTP access again.

Lab Configuration:
>> Configuration# /cfg/sys/access/http e/apply
Current HTTP server access: disabled
New HTTP server access: enabled

3. Create two new VLANs for ingress and egress ports. We keep unused ports on VLAN 1.
By default, all ports are enabled. At configure tab select Layer2, VLANs and click the
Add button.

Insert VLAN ID 11, Name, Enable it and associate Spanning Tree Group 1, select
Available port 1 and move it to Configured. Press Submit and Apply button to activate
this change. Each change is confirmed at BBI Log Messages field.
Add another VLAN ID 14 and use port 2.


Disable Spanning Tree. Select on Layer2, SpanningTree number 1 and turn Enabled to
Disabled. Submit and Apply change.

4. Configure the interfaces for the switch as shown in the Lab Description pages. You must
create a separate interface for each network that you want to connect directly to this
switch. The interface index number used is independent of any physical port, VLAN etc. A
common number for port, VLAN and interface will simplify debugging and management.

At Configure tab select Layer3, IP Interfaces and click the Add button.
Insert Interface ID 1, IP Addresses are 192.168.100.#+10 (team 21 e.g. 192.168.100.31).
# is your team number. Mask is a C-Class one. Associate VLAN 11 for public net.
Enable state and click Submit and Apply buttons to activate this change. Add another
interface 2 for your private net. IP Address is 10.200.#.#+10 /24 (team 21 e.g.
10.200.21.31).


5. Set the default gateway. Any packet whose destination IP address is not in a local network
and does not match a routing table entry is sent to this destination. GW 1 to 4 are for all
VLANs; GW 5 to 259 can each be associated with one VLAN. Select Gateways and Add, Gateway
ID 1, IP Address is 192.168.100.254 and turn state to Enable and click Submit and Apply
buttons to activate this change. The settings are the same for all teams.

6. Configure Virtual Interface Routers. For each interface, a separate router is
required. If possible, use the same value for VR-number, VR-ID and IF. This
simplifies management. If this is not possible, suitable documentation is required.
Select Configure, Layer 3, VRRP, set State to Enabled and Submit change.

For ISP-Net interface select Configure, Layer 3, VRRP, Virtual Routers and press
Add button. Select Advanced radio button, and provide parameters for Router ID
#, VR ID #, IP Address 192.168.100.#, Interface 1, Priority 101, State Enabled,
Tracking SLB, Advanced Sharing Disabled and click Submit button to activate this
change.

For Applicaation-Serverr-Net interfa


ace press Add
A and Advanced button again.
Provide parameters fo D #+10, VR ID #+10, IP
or Router ID P Address 10.200.#.#,
Interface 2,, Priority 10
01, State En
nabled, Traccking SLB, Advanced Sharing Dis sabled
and click Submit and Apply butto ate this change.
ons to activa

n both VRs should be in Master m


After pressing the Reffresh button mode.

7. Set up Laye er 4 synchrronization co


onfiguration
n parameterrs. Disable ssynchronize e priorities;
otherwise, you need to o manually adjust the priority
p at pa
artner switcch after doin
ng a sync.
The peer address is th he opposite private inte
erface. Seleect Configu ure, SLB, Advanced,
Sync tab, remove
r che
ecks for BWWM and VRR RP Prioritiees, set Id 1 to 10.200.221.#+20,
set State to
o Enabled and
a Submitt, Apply and Save cha ange.

8. Test your setup. Are both Web servers (10.200.#.100 and .200) accessible by ping and
browser access? If yes, continue with step 9; otherwise start debugging. Check the Dump
printout or repeat steps 3 to 7 again.
9. At this step we want to configure the second (even) Alteon of this high availability
solution. You need to repeat steps 1 to 5 for this second switch. The parameters for steps
3 and 5 are exactly the same as for the odd switch. At step 4 for the IP Addresses use on
ISP-Net 192.168.100.#+20 and at App-Server-Net 10.200.#.#+20. Skip step 6 and
continue with step 7. Use as peer ID 1 the App-Server-Net interface address of the odd
switch (10.200.#.#+10).
10. Now we want to synchronize the configuration to the peer switch. At the BBI of the odd
Alteon at Configure, SLB, Advanced, Sync tab, Peer Switch press Submit for
Synchronize configuration to peer switches button.

11. At CLI window watch the changes.
At odd switch:
Sending Config .
Waiting for peer to finish config apply/save ...
At even switch:
Configuration on 10.200.21.41 has now been synchronized.

12. Test your setup again. Are both Web servers (10.200.#.100 and .200) accessible by ping
and browser access? If yes, continue; otherwise start debugging.

13. Set up SLB. Set up RealServer1, RealServer2, group them and create a VIP
192.168.100.2odd#. Enable the client and server processes and enable the SLB
feature. If you can't remember the details, refer to the SLB lab, on page 93. Test access
to this VIP with your browser.

14. To avoid a duplicated VIP Address, configure a VSR on odd-switch for
redundancy on Layer 4. Select Configure, Layer 3, VRRP, press Add button.
Select Advanced radio button, and provide parameters for Router ID #+20, VR ID
#+20, IP Address 192.168.100.2#, Interface 1, Priority 101, State Enabled,
Tracking SLB, Advanced Sharing Disabled and click Submit and Apply button to
activate this change.

15. Watch the messages for the new VR. It is a VR master.

16. Synchronize the VRRP & SLB configuration to the even-switch. See step 10 for BBI or
at CLI window execute:
/oper/slb/sync
Y

17. Test the VRRP configuration. At the current Master VRs disable one physical port, e.g.
port 1. Select Configure, System, Physical Ports, Port 1, State Disabled. Submit and
Apply change.

Watch on both switches the changed status of the VRRP routers. Select Configure,
Layer 3, VRRP, Virtual Routers
At odd Switch

At even Switch
