Section 1: ACOS Management

Section objectives
- Explore ACOS management access
- Understand ACOS configuration components
- Back up and restore the ACOS configuration
- Review the initial ACOS configuration
ACOS management access
- CLI: console (RS-232 connection, 9600 baud, 8 data bits, no parity, 1 stop bit), Telnet (disabled by default), SSHv2
- Web: HTTP (configurable ports, disabled by default), HTTPS (configurable ports)

Levels of authentication
- CLI: login ID/password; or login ID/password plus an enable ID/password
- Web: ID/password with admin roles (read-write / read-only)
CLI: privilege levels
- User EXEC level (common name: user; prompt: ">")
  Purpose: monitor SLB and CGN, do backups, use simple diagnostic utilities. From this level the user cannot affect the functioning of the device or change the configuration.
- Privileged EXEC level (common name: enable; prompt: "#")
  Purpose: (same as user) + manage the system, but not the SLB or CGN configuration. Monitor the system.
- Privileged EXEC level, config mode (common name: config; prompt: "(config)#")
  Purpose: (same as enable) + configure SLB or CGN. Actions that could affect the SLB or CGN configuration, such as config restore, are accessible only from here. Enable-level commands can be executed here by prepending "do".
CLI: additional prompt indicators
- Redundancy: ACOS-Active> / ACOS-Standby>
- Clustering: ACOS-Active-vMaster[7/1]> / ACOS-Standby-vBlade[7/2]>
- Packet capture: ACOS(axdebug)#
- Hostname:
    ACOS(config)#hostname MyThunder1
    MyThunder1(config)#
CLI: help
- List options:
    ACOS>show health monitor ?
      WORD             Name
      all-partitions   All partition configurations
      partition        Per-partition configurations
      |                Output modifiers
- Option disambiguation:
    ACOS>show ic?
      icmp     Display ICMP statistics
      icmpv6   Display ICMPv6 statistics
- Command completion:
    ACOS>show rad
    ACOS>show radius-server
CLI: undo
Commands are undone by prepending "no":
    ACOS(config)#ip nat pool nat1 10.0.2.15 10.0.2.16 netmask /24
    ACOS(config)#show ip nat pool
    Total IP NAT Pools: 1
    Pool Name  Start Address  End Address  Mask  Gateway  HA Group  Vrid
    nat1       10.0.2.15      10.0.2.16    /24   0.0.0.0  0         default
    ACOS(config)#no ip nat pool nat1
    ACOS(config)#show ip nat pool
    Total IP NAT Pools: 0
CLI: disabling configuration elements
On configuration elements, "no enable" has the same effect as the "disable" command:
    ACOS#show run | sec slb
    slb server s1 10.0.2.18
    ACOS(config)#slb server s1
    ACOS(config-real server)#no enable
    ACOS#show run | sec slb
    slb server s1 10.0.2.18
      disable
CLI: regular expressions
A subset of regular expressions can be used at the command line:
- .   Matches any single character, including white space
- *   Matches 0 or more sequences of the pattern
- +   Matches 1 or more sequences of the pattern
- ?   Matches 0 or 1 occurrences of the pattern
- ^   Matches the beginning of the string
- $   Matches the end of the string
- _   Underscore matches a comma ",", left brace "{", right brace "}", left parenthesis "(", right parenthesis ")", the beginning of the string, the end of the string, or a space
CLI: filtering output (section and include)
ACOS supports filtering by piping output to "section" and "include":
- section (sec) retrieves the configuration elements containing the regex:
    ACOS#show run | sec slb
    slb server s1 10.0.2.18
      port 80 tcp
    slb service-group http tcp
      member s1:80
- include (inc) retrieves the lines containing the regex:
    ACOS#show run | inc slb
    slb server s1 10.0.2.18
    slb service-group http tcp
CLI: OR
To use the "|" symbol as OR in inc or sec, escape it with "\" with no spaces around it:
    ACOS#show run | inc tacacs\|radius
    tacacs-server host 1.0.0.100 secret (encrypted_secret) port 49 timeout 12
    radius-server host 1.0.0.100 secret (encrypted_secret)
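As an added illustration (not ACOS code, and not from the original slides), the following Python re-implements the inc and sec filters together with the regex subset above, including the "_" delimiter class and the "\|" spelling of OR, over a constructed "show run" sample; how sec delimits a section (the matching line plus the lines indented under it) is an assumption of this model.

```python
import re

# Constructed sample of "show run" output (not captured from a device):
# top-level commands are unindented, sub-commands are indented beneath them.
SAMPLE_RUNNING_CONFIG = """\
hostname MyThunder1
tacacs-server host 1.0.0.100 secret (encrypted_secret) port 49 timeout 12
radius-server host 1.0.0.100 secret (encrypted_secret)
slb server s1 10.0.2.18
  port 80 tcp
slb service-group http tcp
  member s1:80
slb virtual-server vip1 10.0.1.12
  port 80 http
    service-group http
ip nat pool nat1 10.0.2.15 10.0.2.16 netmask /24
"""

# "_" in the ACOS subset matches a comma, a brace, a parenthesis, a space,
# or the start/end of the string; Python has no such class, so expand it.
_UNDERSCORE = r"(?:[,{}() ]|^|$)"


def acos_regex(pattern: str) -> re.Pattern:
    """Compile a pattern as typed after '| inc' or '| sec'.

    "\\|" (backslash-pipe, no spaces) is the ACOS spelling of OR and a bare
    "_" is the delimiter class; the rest of the subset (. * + ? ^ $) already
    means the same thing in Python's re module.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] == "|":
            out.append("|")          # escaped pipe -> alternation
            i += 2
            continue
        out.append(_UNDERSCORE if ch == "_" else ch)
        i += 1
    return re.compile("".join(out))


def include(config: str, pattern: str) -> list:
    """'| inc <regex>': only the lines containing a match."""
    rx = acos_regex(pattern)
    return [line for line in config.splitlines() if rx.search(line)]


def section(config: str, pattern: str) -> list:
    """'| sec <regex>': each matching line plus the block indented under it.

    The block is the run of following lines indented more deeply than the
    matching line, i.e. the configuration element that line introduces.
    """
    rx = acos_regex(pattern)
    lines = config.splitlines()
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if not rx.search(line):
            i += 1
            continue
        depth = len(line) - len(line.lstrip())
        out.append(line)
        i += 1
        while i < len(lines) and lines[i].strip() and \
                len(lines[i]) - len(lines[i].lstrip()) > depth:
            out.append(lines[i])
            i += 1
    return out


if __name__ == "__main__":
    print("\n".join(section(SAMPLE_RUNNING_CONFIG, "slb")))
    print("---")
    print("\n".join(include(SAMPLE_RUNNING_CONFIG, "tacacs\\|radius")))
```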
CLI: exiting the current level
The exit command takes the CLI one level down:
    ACOS(config-slb vserver-vport)#exit
    ACOS(config-slb vserver)#exit
    ACOS(config)#exit
    ACOS#exit
    ACOS>
The end command exits out of config mode:
    ACOS(config-slb vserver-vport)#end
    ACOS#exit
    ACOS>
Ctrl-C is a keyboard shortcut for exit in config mode; Ctrl-Z is a shortcut for end.
CLI: workflow
With the CLI, build your configuration from the bottom up:
- system
- redundancy + clustering
- servers
- nat pools
- templates
- virtual server
- virtual server port
Then apply the pre-configured elements on the virtual server port (vPort). To use a programming analogy, configuration elements are like functions: they have to be called from the vPort before they take effect.
WebUI: privilege levels
- Monitor: equivalent to the CLI User EXEC level (user)
- Config: equivalent to the CLI Privileged EXEC level, config mode (config)
WebUI: workflow
In the WebUI, you can build the configuration from the top down in one of two ways:
- Config > SLB > Service > Virtual Server (and then add the vPort underneath)
- Config > SLB > Service > Virtual Service (all from one place)
The names of the necessary configuration elements are created automatically. Your virtual service is translated at the CLI level into virtual server + virtual port:
    ACOS#show run | sec slb
    slb server _s_10.0.2.18 10.0.2.18
      port 80 tcp
    slb server _s_10.0.2.19 10.0.2.19
      port 80 tcp
    slb service-group http tcp
      member _s_10.0.2.18:80
      member _s_10.0.2.19:80
    slb virtual-server _10.0.1.12_vserver 10.0.1.12
      port 80 http
        name vip1-http
        service-group http
CLI vs. WebUI
CLI benefits:
- Structured; enhances understanding
- Excellent for troubleshooting: can display multiple configuration items at the same time
- Can be very fast with some familiarity
- Requires very little bandwidth to operate the device
WebUI benefits:
- Flexible workflow
- Easy admin role definition
- Familiar interface
- Excellent for monitoring: graphical display
ACOS configuration components
- Configuration file (optional)
- aFleX files (optional)
- PBSLB files (optional)
- SSL certificates and keys (optional)
- Geo-location files (optional; used in GSLB and geo-location-based VIP access)
Named configuration profiles
Benefits of named profiles:
- Maintain multiple configurations
- Link the startup configuration per partition to a named profile
- Copy and edit profiles without disrupting normal operations
- Maintain a single configuration for both physical partitions
Commands:
- Create a new profile: ACOS#write memory / ACOS(config)#copy
- See all profiles: ACOS#show startup-config all
- Link the startup config to a profile: ACOS(config)#link startup-config [primary|secondary]
ACOS configuration full backup and restore
- Full configuration backup: WebUI: Config > System > Maintenance > Backup > System; CLI: ACOS(config)#backup system […]
- Full configuration restore: WebUI: Config > System > Maintenance > Restore > System; CLI: ACOS(config)#restore […]
Note: supported upload protocols are FTP, SFTP, SCP, RCP, TFTP, and HTTPS (via the WebUI).
ACOS configuration profile backup and restore
- Configuration profile backup: WebUI: Config > System > ConfigFile [open & copy]; CLI: ACOS(config)#copy [use-mgmt-port]
- Configuration profile restore: WebUI: Config > System > ConfigFile > Add [paste]; CLI: ACOS(config)#copy [use-mgmt-port]
Note: supported upload protocols are FTP, SFTP, SCP, RCP, TFTP, and HTTPS (via the WebUI).
Backing up other configuration elements
    ACOS#export ?
      running-config    Running config
      ssl-cert          SSL cert file
      ssl-cert-key      SSL cert/key file
      ssl-crl           SSL CRL file
      ssl-key           SSL key file
      aflex             aFleX script source file
      bw-list           Black/white list file
      class-list        Class list file
      axdebug           AX debug packet file
      debug_monitor     Debug monitor output
      startup-config    Startup config
      syslog            Syslog file
      thales-secworld   Thales security world files (in .tgz format)
      thales-kmdata     Thales kmdata files (in .tgz format)
      dnssec-dnskey     DNSSEC DNSKEY (KSK) file for the zone
      dnssec-ds         DNSSEC DS file for the zone
      ip-map-list       IP map list file
Erasing configuration
You may erase the configuration while preserving access to the device:
    ACOS(config)#erase ?
      preserve-management   Preserve management IP and default gateway
      preserve-accounts     Preserve admin accounts
      reload                Reload after erase
This command also erases the profile linked to the current startup config (except for the "preserve" elements) but does not affect other profiles.
ACOS software location
ACOS software is stored on:
- Two disk partitions, primary and secondary; the second partition is designed for easy software rollback
- Two Compact Flash partitions, primary and secondary; CF is designed for emergency recovery
Note: each storage location has its own software and AX configuration.
ACOS software upgrade options
- Check the running ACOS partition: WebUI: Monitor > Overview > Summary > System Information; CLI: ACOS#show bootimage
- Upgrade the AX device's other partition: WebUI: Configuration > System > Maintenance > Upgrade; CLI: ACOS(config)#upgrade […]
- Copy the running configuration to the other partition, or link an existing profile to it: ACOS#write memory [primary|secondary]; ACOS(config)#link startup-config [primary|secondary]
- Set the boot source to the other partition: WebUI: Configuration > System > Settings > Boot; CLI: ACOS(config)#bootimage hd [primary|secondary]
ACOS initial configuration
Rollback to the factory configuration (CLI):
    ACOS(config)#system-reset
    ACOS(config)#end
    ACOS#reboot
First-step configuration:
- Connect to the ACOS device console (9600 baud, 8 bits, no parity, 1 stop bit)
- Default user/password: admin/a10
- Configure the management interface and its default gateway
- Finish the ACOS configuration via the CLI (SSH) or the WebUI (HTTPS)
ACOS initial configuration example:
    ACOS login: admin
    Password:
    ACOS>en
    Password:
    ACOS#conf
    ACOS(config)#interface management
    ACOS(config-if:management)#ip address 172.31.31.11 /24
    ACOS(config-if:management)#ip default-gateway 172.31.31.1
    ACOS(config-if:management)#exit
    ACOS(config)#exit
Lab: back up your ACOS device using an FTP server and the local drive.

Section summary
In this module, we discussed:
- AX management access
- Backup and restore procedure
- Upgrade and downgrade of the AX
- Layer 2 / VLAN
We have performed:
- AX configuration backup and restore
Section 2: Load Balancing Concepts

Section objectives
- Understand the main load balancing goals and concepts
- Configure an ACOS L4 SLB virtual server
- Configure two common L4 SLB virtual server options (source IP persistence + NAT)

Load balancing goals
- Provide high availability of services
- Share load among multiple servers (load balancing)
Topology: one-armed L2 (switched) mode (p. 1 of 2)
[Diagram: client 200.0.0.1 on the Internet; the AX Series (VIP = 100.0.0.10, SNAT = 100.0.0.50) and the servers 100.0.0.[100-200] share the 100.0.0.0/24 subnet. Packet addressing shown on the diagram:]
- Client to VIP: source IP 200.0.0.1, destination IP 100.0.0.10
- AX to server: source IP 100.0.0.50 (SNAT), destination IP 100.0.0.100
- Server to AX: source IP 100.0.0.100, destination IP 100.0.0.50
- AX to client: source IP 100.0.0.10, destination IP 200.0.0.1
Topology: one-armed L2 (switched) mode (p. 2 of 2)
[Diagram: the same topology: Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 and SNAT = 100.0.0.50; servers 100.0.0.[100-200] in 100.0.0.0/24]
Benefits:
- No change required on clients or servers
- Easy to test
- Clients can be in the servers' subnet
Points to keep in mind:
- Servers lose client IP visibility (can be partly remedied by IP header insertion in HTTP, e.g. a customizable X-ClientIP header)
- Requires source NAT on the SLB
Topology: L3 (routed) mode with SNAT (p. 1 of 2)
[Diagram: client 200.0.0.1 on the Internet; AX Series with VIP = 100.0.0.10 on the 100.0.0.0/24 side and SNAT = 100.0.1.50 on the server side; servers 100.0.1.[100-200] in 100.0.1.0/24. Packet addressing shown on the diagram:]
- Client to VIP: source IP 200.0.0.1, destination IP 100.0.0.10
- AX to server: source IP 100.0.1.50 (SNAT), destination IP 100.0.1.100
- Server to AX: source IP 100.0.1.100, destination IP 100.0.1.50
- AX to client: source IP 100.0.0.10, destination IP 200.0.0.1
Topology: L3 (routed) mode with SNAT (p. 2 of 2)
[Diagram: the same topology: Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 in 100.0.0.0/24 and SNAT = 100.0.1.50; servers 100.0.1.[100-200] in 100.0.1.0/24]
Benefits:
- No change required on clients or servers
- Easy to test
Points to keep in mind:
- Servers lose client IP visibility (can be partly remedied by IP header insertion in HTTP)
- Requires source NAT on the SLB
Topology: L3 (routed) mode without SNAT (p. 1 of 2)
[Diagram: client 200.0.0.1 on the Internet; AX Series with VIP = 100.0.0.10 in 100.0.0.0/24, routing to the servers 100.0.1.[100-200] in 100.0.1.0/24. Packet addressing shown on the diagram:]
- Client to VIP: source IP 200.0.0.1, destination IP 100.0.0.10
- AX to server: source IP 200.0.0.1 (client IP preserved), destination IP 100.0.1.100
- Server to AX (via its default gateway): source IP 100.0.1.100, destination IP 200.0.0.1
- AX to client: source IP 100.0.0.10, destination IP 200.0.0.1
Topology: L3 (routed) mode without SNAT (p. 2 of 2)
[Diagram: the same topology: Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 in 100.0.0.0/24; servers 100.0.1.[100-200] in 100.0.1.0/24]
Benefits:
- No change required on clients or servers
- Provides an additional layer of security
Points to keep in mind:
- Configure the SLB as the default gateway on the servers
Topology: DSR mode (p. 1 of 2)
[Diagram: client 200.0.0.1 on the Internet; AX Series with VIP = 100.0.0.10 and the servers 100.0.0.[100-200] in 100.0.0.0/24; each server has a loopback IP = VIP = 100.0.0.10. Packet addressing shown on the diagram:]
- Client to VIP: source IP 200.0.0.1, destination IP 100.0.0.10, destination MAC = SLB MAC
- SLB to server: source IP 200.0.0.1, destination IP 100.0.0.10, destination MAC = server MAC (only the MAC address is rewritten)
- Server directly to client: source IP 100.0.0.10 (loopback), destination IP 200.0.0.1
Topology: DSR mode (p. 2 of 2)
[Diagram: the same topology: Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 and servers 100.0.0.[100-200] (loopback IP = VIP = 100.0.0.10) in 100.0.0.0/24]
Benefits:
- Highly scalable (the SLB processes only incoming traffic)
Points to keep in mind:
- Can't use any ACOS layer 7 features (aFleX can still be applied at the virtual port level)
- Configure the VIP IP as a loopback on the servers
Server Load Balancing (SLB)
ACOS SLB configuration has three core elements: servers, service groups, and virtual servers (VIPs).

SLB: server
- Minimum configuration: name, IP address (can use a DNS name), ports
- Server configuration: WebUI: Config > Service > SLB > Server; CLI: AX(config)#slb server […]
- Server status and statistics: WebUI: Monitor > Service > SLB > Server; CLI: ACOS#show slb server […]

SLB: service group
- Minimum configuration: name, type (TCP/UDP), LB algorithm, at least one server/port
Load balancing algorithms
Service group load-balancing algorithms:
- Round-Robin
- Least Connection
- Service Least Connection
- Weighted Round Robin
- Weighted Least Connection
- Service Weighted Least Connection
- Fastest Response Time
- Least Request
- Round Robin Strict
- Stateless (new in release 2.4.2; see notes)
Health monitor
- Service availability is checked using health monitors
- Health monitors can be applied to: server, server:port, service group
- Health monitors can test server availability:
  - On layer 3: ping (ICMP)
  - On layer 4: TCP, UDP
  - On layer 7 (application): HTTP, HTTPS, FTP, SMTP, POP3, SNMP, DNS, RADIUS, LDAP, RTSP, SIP, NTP
  - Via manually created scripts
- Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)
Applying health monitors
- Physical server health monitor: if the HM fails, that server is considered down, and service groups configured with that server stop using it for load balancing. Note: the default server health monitor is ICMP.
- Physical server port health monitor: if the HM fails, that server port is considered down, and service groups configured with that server:port stop using it for load balancing. Note: the default TCP server port health monitor is the TCP handshake.
- Service group health monitor: if the HM fails for a specific member, the service group stops using that member for load balancing. Note: by default there is no health monitor configured on a service group.
Source IP persistence
When to use source IP persistence: it must be used when clients must have their future connections/traffic terminated on the same server.
Source IP persistence template: create a source IP persistence template with:
- Name
- Type: Port (persistence per VIP:port), Server (persistence per VIP), or Service-Group (persistence per URL or host)
- Timeout: how long inactive entries are saved (default = 5 minutes)
- Don't Honor Conn Rules: ignore the connection limits defined on servers and server ports and connect new clients' connections to the server (default = disabled)
- Netmask: granularity of client IP address hashing (default = 255.255.255.255 for the most granularity)
Then assign the source IP persistence template to the virtual server port.
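As an added example (not ACOS code, not from the original slides), this Python models a source IP persistence table with the template options above: the Port and Server types, the inactivity timeout, and the netmask that decides which client addresses share one entry. The server names, the round-robin picker and the injected clock are constructed for the demonstration; the Service-Group type is not modelled.

```python
import ipaddress
import itertools
from typing import Callable, Dict, Optional, Tuple

# Added example, not ACOS code: a model of a source-IP persistence template
# (type, netmask, timeout). Server names and the picker are constructed.


def round_robin(servers) -> Callable[[], str]:
    """Stand-in for the service group's load-balancing algorithm."""
    cycle = itertools.cycle(servers)
    return lambda: next(cycle)


class SourceIpPersistence:
    def __init__(self, type_: str = "port", netmask: str = "255.255.255.255",
                 timeout: float = 300.0):
        if type_ not in ("port", "server"):
            raise ValueError("only the Port and Server types are modelled")
        self.type_ = type_                                # port = per VIP:port, server = per VIP
        self.mask = int(ipaddress.IPv4Address(netmask))   # hashing granularity
        self.timeout = timeout                            # idle lifetime in seconds (default 5 min)
        # key -> (server, time of last use)
        self.table: Dict[Tuple[str, str, Optional[int]], Tuple[str, float]] = {}

    def _key(self, client_ip: str, vip: str, vport: int):
        # Apply the template netmask so that, e.g., a /24 mask makes every
        # client in the same subnet land on the same entry.
        masked = int(ipaddress.IPv4Address(client_ip)) & self.mask
        return (str(ipaddress.IPv4Address(masked)), vip,
                vport if self.type_ == "port" else None)

    def select(self, client_ip: str, vip: str, vport: int, now: float,
               pick: Callable[[], str]) -> str:
        """Return the server for this connection, sticky within the timeout."""
        key = self._key(client_ip, vip, vport)
        entry = self.table.get(key)
        if entry is not None and now - entry[1] <= self.timeout:
            server = entry[0]             # entry still valid: stay on that server
        else:
            server = pick()               # new or expired: the LB algorithm decides
        self.table[key] = (server, now)   # (re)start the inactivity timer
        return server

    def expire(self, now: float) -> int:
        """Drop idle entries; returns how many were removed."""
        stale = [k for k, (_, last) in self.table.items()
                 if now - last > self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)


if __name__ == "__main__":
    table = SourceIpPersistence(netmask="255.255.255.0", timeout=300)
    pick = round_robin(["s1", "s2"])
    for ip, t in (("10.1.1.5", 0), ("10.1.1.9", 10), ("10.1.2.5", 20)):
        print(ip, "->", table.select(ip, "100.0.0.10", 80, t, pick))
```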
NAT: SLB source NAT template
Create an IP source NAT pool with:
- Name: name of the template
- Start IP address (can be the AX interface IP)
- End IP address (can be the same as the start IP). Note: if the start and end IP addresses are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows.
- Netmask (used by "IP Source NAT – Group" when servers are on different subnets) (optional)
- Gateway: specify a gateway to use to reply to the clients' requests (optional)
- HA Group: specify the HA group to tie to the SLB source NAT pool
Then assign the SLB source NAT pool to the virtual server port.
SLB: virtual server
- Minimum configuration: name, IP address (accessed by end users), virtual server ports (usually)

SLB: virtual server port (vPort)
- Minimum configuration: type (TCP/UDP/HTTP/HTTPS/Fast-HTTP/RTSP/FTP/MMS/SSL-Proxy/SMTP/SIP/SIP-TCP/SIP-TLS/others), port, service group (usually)
- Pre-configured elements are applied here
SLB processing order: virtual server
Virtual servers are processed from the most specific to the least specific. Example:
    slb virtual-server acme 10.0.1.12
      port 80 http
        service-group acme
    slb virtual-server emca 10.0.1.14
      port 0 tcp
        service-group emca
    slb virtual-server default 0.0.0.0
      port 0 tcp
        service-group default
Virtual servers are displayed by the CLI in the order of processing.

SLB processing order: virtual server port (vPort)
vPorts are displayed under the virtual server in the order they were added, but are processed from most specific to least specific. Example:
    slb virtual-server default 0.0.0.0
      port 0 tcp
        service-group default
      port 80 tcp
        service-group http
In the above example, port 80 is matched against an incoming connection first.
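As an added example (not ACOS code, not from the original slides), this Python models the two processing orders above with the same three virtual servers: explicit VIPs before 0.0.0.0, and within a VIP the explicit port before port 0, while "show run" lists vPorts in the order they were added. That a wildcard VIP also catches a port that a specific VIP does not list is an assumption of this model, not something the slides state.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not ACOS code: how a new connection is matched to a
# virtual server and then to a vPort. Fall-through from a specific VIP
# to the 0.0.0.0 VIP is an assumption of this model.


@dataclass(frozen=True)
class VPort:
    port: int             # 0 = any destination port
    type: str             # service type: tcp, udp, http, https, ...
    service_group: str

    @property
    def l4(self) -> str:
        # In this model every service type other than "udp" runs over TCP.
        return "udp" if self.type == "udp" else "tcp"


@dataclass
class VirtualServer:
    name: str
    ip: str               # "0.0.0.0" = any destination address
    vports: List[VPort] = field(default_factory=list)   # kept in the order added

    def is_wildcard(self) -> bool:
        return self.ip == "0.0.0.0"


def processing_order(vservers: List[VirtualServer]) -> List[VirtualServer]:
    """Most specific first: explicit VIPs before 0.0.0.0 (stable otherwise)."""
    return sorted(vservers, key=lambda v: v.is_wildcard())


def select(vservers: List[VirtualServer], dst_ip: str, dst_port: int,
           l4: str) -> Optional[Tuple[VirtualServer, VPort]]:
    """Return the (virtual server, vPort) pair a new connection hits, or None."""
    for vs in processing_order(vservers):
        if not vs.is_wildcard() and vs.ip != dst_ip:
            continue
        # vPorts are displayed in the order added but matched with the
        # explicit port before the port-0 catch-all.
        for vp in sorted(vs.vports, key=lambda p: p.port == 0):
            if vp.l4 == l4 and vp.port in (0, dst_port):
                return vs, vp
    return None


def show_run(vservers: List[VirtualServer]) -> str:
    """Render the virtual-server section the way the CLI displays it."""
    lines = []
    for vs in processing_order(vservers):
        lines.append(f"slb virtual-server {vs.name} {vs.ip}")
        for vp in vs.vports:                       # display order = order added
            lines.append(f"  port {vp.port} {vp.type}")
            lines.append(f"    service-group {vp.service_group}")
    return "\n".join(lines)


def sample_config() -> List[VirtualServer]:
    """The three virtual servers from the slide, entered in a different order."""
    return [
        VirtualServer("default", "0.0.0.0",
                      [VPort(0, "tcp", "default"), VPort(80, "tcp", "http")]),
        VirtualServer("acme", "10.0.1.12", [VPort(80, "http", "acme")]),
        VirtualServer("emca", "10.0.1.14", [VPort(0, "tcp", "emca")]),
    ]


if __name__ == "__main__":
    print(show_run(sample_config()))
    hit = select(sample_config(), "10.0.9.9", 80, "tcp")
    print(hit[0].name, hit[1].service_group)
```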
SLB processing order: vPort configuration elements
Configuration elements applied on the virtual server port are processed in the following order:
- Layer 4: DNS template, policy template, all other templates, service group
- Layer 7: cookie persistence template, aFleX script, all other templates, service group
Lab: configure a layer 4 SLB virtual server (VIP):
- Physical servers
- Service group
- Source NAT
- Source IP persistence
- Virtual server
Verify functionality.

Section summary
In this section we discussed:
- Load balancing's main goals: server load sharing and high availability of services
- Load balancer network integration modes: routed, one-arm, transparent, and DSR
- Two common L4 SLB options and their ACOS configuration
We have configured the following:
- ACOS layer 4 SLB virtual server
- Source IP persistence
- SLB source NAT
Section 3: HTTP

Section objectives
- Understand HTTP
- Understand ACOS HTTP load balancing
- Configure an HTTP virtual server
HTTP protocol
- The HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
- HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80). Note: HTTPS uses the same protocol with explicit SSL encryption for higher security (usually on port 443).
- HTTP is a sequence of network request/response transactions
- Browsers open multiple TCP sessions to download multiple objects from one web site in parallel (2 sessions with IE 5.5/6.0, 6 sessions with IE 8, 15 sessions with Firefox 3.x). Note: request and response options are sent via headers.
HTTP request
Main request methods:
- "GET url": request an object from the server
- "POST url": send data/an object to the server
- Others: HEAD, CONNECT
Note: the host (such as www.a10networks.com) is not part of the URL but is listed in the "Host" header of the request.
Main request headers:
- "Host": site name
- "Connection: Keep-Alive": client support for using the same session for multiple request/response transactions
- "Accept-Encoding: gzip, deflate": support for HTTP compression
- "Cookie": text used to keep track of user information
HTTP response codes
Main server response codes:
- 200: OK (object in the response)
- 301: Redirect permanently
- 302: Temporary redirect
- 304: Not Modified
- 404: Page not found
- 5xx: Server error

HTTP response headers
Main response headers:
- "Last-Modified": when the object was last modified
- "Etag": entity tag (used to detect object changes)
- "Connection: Keep-Alive": server support for using the same session for multiple request/response transactions
- "Set-Cookie": asks the user agent to save a cookie to keep track of user information
- "Cache-Control" / "Pragma": cacheability of the object
SLB configuration for HTTP (p. 1 of 5)
- Load balancers don't need a specific configuration for basic HTTP load balancing: any L4 SLB VIP works for HTTP services
- However, advanced load balancers provide techniques for improving HTTP services: better availability, better flexibility, better performance/acceleration, better security
- AX offers advanced flexibility options for web applications via HTTP templates
- HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
SLB configuration for HTTP (p. 2 of 5): HTTP health monitor
- ACOS provides the ability to test HTTP/HTTPS services using health monitors
- HTTP/HTTPS health monitors have the following required parameters: port (TCP port), method (GET, HEAD, or POST), URL
- And the following optional parameters:
  - User + password: for web sites that require authentication
  - Expect: server response code or server text
  - Maintenance code: to automatically mark the server in maintenance rather than down (so users with persistence to that server remain on that server)
SLB configuration for HTTP (p. 3 of 5): URL failover
When all servers have failed, the ACOS can send an HTTP redirect to a backup site:
    ACOS(config)#slb template http
    ACOS(config-http)#failover-url ?
      WORD   Failover URL name
SLB configuration for HTTP (p. 4 of 5): retry HTTP request on HTTP 5xx
When the server replies with a 5xx error, by default the AX forwards it to the client. The retry option tells the ACOS to resend the request to another server in the service group. The following options are available:
- "On HTTP 5xx code for each request": the client request is resent to a new server
- "On HTTP 5xx code": the client request is resent to a new server, and the server that replied with the 5xx is not used for new requests for 30 seconds
- "#": number of servers that can be tried
- Logging: generates logs when this event happens
SLB configuration for HTTP (p. 5 of 5): client IP header insertion
In web server logs, the client IP address is logged. Web servers retrieve the client IP information from the source IP address. Some ACOS advanced HTTP options (connection reuse or source NAT) force the ACOS to establish the connection to the server with an ACOS IP address; in that case, the web server loses the client IP address information. To allow web servers to log the client IP address, the ACOS can inject the client IP information in a request header:
    ACOS(config-http)#insert-client-ip ?
      WORD      HTTP header name for inserting the client IP
      replace   Replace the existing header
Lab: configure a layer 7 HTTP virtual server:
- Physical servers
- HTTP health monitor
- Service group
- Source NAT
- Source IP persistence
- Virtual server
- HTTP templates: header rewriting/insertion, URL failover
Verify functionality.

Section summary
In this section we discussed the HTTP protocol. We have configured the following:
- HTTP virtual server
- HTTP health monitor
- URL switching
- Response header insertion
Section 4: HTTPS

Section objectives
- Understand HTTPS
- Understand ACOS HTTPS load balancing and its options
- Configure an HTTPS virtual server

HTTPS protocol
- The HTTPS (HTTP over TLS) RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)
- HTTPS is the "secured" version of HTTP (usually port 443)
- HTTPS offers: server authentication (with server certificates); optional client authentication (with client certificates); encryption (with TLS/SSL)

Server authentication
- TLS/SSL is based on public certificates and private keys
- Certificates are issued and signed by a Certificate Authority (CA)
- HTTPS clients first request the server's public certificate and validate it using their list of trusted CAs
- When the server certificate is validated (name, date, etc.), the client sends its HTTP request
SSL negotiation (sequence shown on the slide)
1. SYN (TCP port 443), SYN/ACK, ACK
2. CLIENT_HELLO (highest SSL version, ciphers supported, data compression methods, session ID, random data)
3. SERVER_HELLO (selected SSL version, selected cipher, selected data compression method, assigned session ID, random data)
4. CERTIFICATE (public key, authentication signature)
5. SERVER_DONE
6. CERTIFICATE_VERIFY (the client informs the server that it has verified the server's certificate)
7. CHANGE_CIPHER_SPEC (the contents of subsequent SSL record data sent by the client during the SSL session will be encrypted)
8. FINISHED (digest of all the SSL handshake commands so far, for validation)
9. CHANGE_CIPHER_SPEC (subsequent data sent by the server during the SSL session will be encrypted)
10. FINISHED (digest of all the SSL handshake commands so far, for validation)
The client sends the server a symmetric secret key encrypted with the server's public key. From now on, user data is encrypted.
HTTPS communication with clients: client SSL templates
To enable HTTPS communication with the clients, a client SSL template needs:
- The public certificate that will be presented to clients
- The private key (and its passphrase)
- The SSL ciphers supported ("encryption algorithm")
- (Optional) Client certificate request

HTTPS communication with servers: server SSL templates
To enable HTTPS communication with the servers, a server SSL template needs:
- The SSL ciphers supported ("encryption algorithm")
- (Optional) The CA that will be used to validate the server's certificate
Secure redirect with SSL offload: URL redirect/rewrite
When the server replies with an HTTP redirect, the AX can rewrite it with a new value. This option is usually used for transparent "SSL-ization" of HTTP web applications:
    ACOS(config)#slb template http
    ACOS(config-http)#redirect-rewrite secure
Cookie persistence
When to use cookie persistence: like source IP persistence, cookie persistence is used when HTTP/HTTPS clients must have their future connections/traffic terminated on the same server. Cookie persistence provides more granularity, however, since even different users coming from the same proxy (same IP address) get separate persistence entries with cookie persistence.
Lab: configure a layer 7 HTTPS virtual server:
- Physical servers
- Service group
- SSL certificate
- SSL template
- Source NAT
- Cookie persistence
- Virtual server
- Transparent redirect
Verify functionality.

Section summary
In this section we discussed the HTTPS protocol. We have configured the following:
- HTTPS virtual server using HTTP and HTTPS servers
- HTTPS redirect
- Cookie persistence
Section 5: ACOS Acceleration

Section objectives
- Understand and configure advanced ACOS acceleration options: connection reuse, HTTP compression, RAM caching
Connection reuse (p. 1 of 2)
Web servers need to manage:
- New clients (open new sessions)
- Clients leaving (close sessions)
- Maintaining all connected clients' sessions
Note: web browsers keep their TCP connections open, even when all objects have been loaded.

Connection reuse (p. 2 of 2)
Connection reuse offloads the server TCP stack. This option provides faster server response time and higher server scalability. Connection reuse:
- Terminates all clients' connections on the ACOS device
- Maintains persistent connections to the servers
- Sends all clients' requests on the same persistent connections
Note: connection reuse requires SLB source NAT. Note 2: HTTP keep-alive should be enabled on the web servers.
SSL offload
SSL offload relieves the server of SSL tasks. This option provides faster server response time and higher server scalability: ACOS receives HTTPS client traffic and sends HTTP traffic to the servers.

HTTP compression
- Compresses HTTP/HTTPS objects; uses less bandwidth and provides faster client download time
- ACOS HTTP compression compresses objects sent to the clients (note: by default, "text" types such as html/css/js and "application" types such as doc/xls/ppt/pdf)
- If HTTP compression is enabled on the servers, ACOS transparently offloads this task from the servers
RAM caching
- Caches HTTP/HTTPS static and dynamic content in ACOS RAM
- Delivers cached objects to clients directly from the ACOS cache, offloading the servers
- Provides faster client download time and higher server scalability

RAM caching – HTTP response codes
- Caches objects unless explicitly denied by the server's response
- Caches responses with the following codes: 200 OK; 203 Non-Authoritative response; 300 Multiple Choices; 301 Moved Permanently; 302 Found (only if an Expires header is also present); 410 Gone

RAM caching – limitations
- Does not support client HTTP range requests (they are sent to the servers)
- Does not cache server responses with a "Vary" header (except "Vary: Accept-Encoding")
- Does not cache server responses with a "Warning" header
- Does not cache server responses if the request had an "Authorization" header (even if the server specifies "Cache-Control: public")
- Does not cache incomplete (partial) responses
RAM caching – dynamic objects
- Allows the ACOS to cache non-static objects
- You need to understand the application's behavior to determine cacheability: what is to be cached? How long is the cached content valid? What is the trigger that would cause the response to change?
- Parameterized requests can be identified by: the URL matching a specific pattern; specific query parameters being present; specific cookies being present in the request; specific HTTP headers being present in the request

RAM caching – dynamic objects caveats
When not to use dynamic caching:
- The response sets cookies specific to that session. Example: the response to a login page.
- The response contains data specific to a previous action in the session. Example: the confirmation number for a transaction that was just executed.
- The response contains data that becomes stale based on a future action. Example: the portfolio page of a brokerage account user changes when the user executes transactions.
- Different versions of the response cannot be distinguished by using the URL, query parameters, or cookies in the request. Example: the response contains personalized settings, such as the user name, but no query parameter or cookie directly identifies the user.
RAM caching – dynamic objects policies
- Cacheability rules determine what is cacheable and what is not
- Caching policies can be used to override or augment standard HTTP behavior
- Policies are specified as "policy <condition> <action>", where <condition> is of the form "uri" followed by the URI to match, and <action> is cache, no-cache, or invalidate. Note: more sophisticated conditions will be supported in future using aFleX policies.
- Policies are evaluated in the order they are specified. The action in the first policy that matches is applied.
RAM caching – dynamic objects – example
You have a web application with the following URLs:
- http://x.y.com/list: lists all items from the database
- http://x.y.com/add?a=p1&b=p2: adds an item to the database
- http://x.y.com/del?c=p3: deletes an item from the database
- http://x.y.com/private?user=u1: private info for a user
The "list" URI gets a lot of hits. It makes sense to cache that URI while it remains up to date. However, when the user does an add/delete operation, or one of the other URIs arrives, the database changes and the cached list needs to be refreshed.
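As an added example (not ACOS code, not from the original slides), this Python models the policy evaluation described above against a stand-in for the x.y.com application, replaying the same requests with and without policies so that the stale "list" the slide warns about is visible. Two simplifications are assumptions: a policy's uri matches as a path prefix, and "invalidate" flushes every cached entry.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Added example, not ACOS code: "policy uri ... cache | no-cache | invalidate",
# evaluated in order with the first match winning, in front of a constructed
# backend that mimics the x.y.com application from the slide.


@dataclass(frozen=True)
class Policy:
    uri: str          # matched as a prefix of the request path (assumption)
    action: str       # "cache", "no-cache" or "invalidate"


class Backend:
    """Stand-in for x.y.com: keeps an item list as its 'database'."""

    def __init__(self) -> None:
        self.items: List[str] = []
        self.hits = 0                      # requests that reached the server

    def handle(self, path: str, query: Dict[str, List[str]]) -> Tuple[int, Dict[str, str], str]:
        self.hits += 1
        if path == "/list":
            return 200, {}, "items: " + ",".join(self.items)
        if path == "/add":
            self.items.append(query.get("a", [""])[0])
            return 200, {}, "added"
        if path == "/del":
            name = query.get("c", [""])[0]
            if name in self.items:
                self.items.remove(name)
            return 200, {}, "deleted"
        if path == "/private":
            return 200, {}, "private info for " + query.get("user", [""])[0]
        return 404, {}, "not found"


class RamCache:
    def __init__(self, backend: Backend, policies: List[Policy]) -> None:
        self.backend = backend
        self.policies = policies
        self.store: Dict[str, str] = {}    # cache key (path?query) -> body

    def _action(self, path: str) -> Optional[str]:
        for p in self.policies:            # evaluated in order; first match wins
            if path.startswith(p.uri):
                return p.action
        return None                        # no policy: standard HTTP rules apply

    def get(self, url: str) -> Tuple[str, str]:
        """Serve a GET; returns (body, 'HIT' or 'MISS')."""
        u = urlparse(url)
        key = u.path + ("?" + u.query if u.query else "")
        action = self._action(u.path)
        if action in ("cache", None) and key in self.store:
            return self.store[key], "HIT"
        status, headers, body = self.backend.handle(u.path, parse_qs(u.query))
        if action == "invalidate":
            self.store.clear()             # the database changed: drop cached copies
        elif action == "cache":
            self.store[key] = body
        elif action is None:
            # Standard behaviour: cache a 200 unless the server explicitly denies it.
            cc = headers.get("Cache-Control", "")
            if status == 200 and not any(t in cc for t in ("no-cache", "no-store", "private")):
                self.store[key] = body
        return body, "MISS"


def demo(with_policies: bool) -> Tuple[List[Tuple[str, str, str]], int]:
    """Replay the slide's scenario; returns ([(path, HIT/MISS, body)], server hits)."""
    policies = [Policy("/list", "cache"), Policy("/add", "invalidate"),
                Policy("/del", "invalidate"), Policy("/private", "no-cache")]
    backend = Backend()
    cache = RamCache(backend, policies if with_policies else [])
    trace = []
    for url in ("http://x.y.com/list", "http://x.y.com/list",
                "http://x.y.com/add?a=p1&b=p2", "http://x.y.com/list",
                "http://x.y.com/private?user=u1", "http://x.y.com/private?user=u1"):
        body, result = cache.get(url)
        trace.append((urlparse(url).path, result, body))
    return trace, backend.hits


if __name__ == "__main__":
    for flag in (False, True):
        print("policies enabled:", flag, demo(flag))
```

Without policies the fourth request is a HIT that still says "items: " after the add; with the invalidate policies it goes back to the server and returns "items: p1".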
Lab: configure a layer 7 HTTP virtual server:
- Physical servers
- Service group
- Source NAT
- Cookie persistence
- Virtual server
- Connection reuse
- Compression template
- RAM caching template
Verify functionality.

Section summary
In this section, you have configured the following ACOS acceleration options:
- Connection reuse
- SSL offload
- HTTP compression
- RAM caching
Section 6: ACOS Security

Section objectives
- Understand advanced ACOS security options: DDoS protection, PBSLB, ACL, management security

DDoS protection (p. 1 of 2)
- ACOS provides protection against Distributed Denial of Service (DDoS) attacks. Note: AX 2200 / AX 3100 / AX 3200 / AX 5100 / AX 5200 provide DDoS protection in hardware; other models provide DDoS protection in software.
- DDoS basic filters
- DDoS configuration: WebUI: Config > SLB > Global; CLI: ACOS(config)#ip anomaly-drop

DDoS protection (p. 2 of 2)
- Advanced DDoS filters are also available with system-wide PBSLB, for HTTP and HTTPS connections only: invalid HTTP or SSL payload; zero-length TCP window; out-of-sequence packet
- These filters are disabled by default and are automatically enabled when a system-wide PBSLB policy is enabled. The filters can also be configured on an individual basis.
Policy Based Server Load Balancing (PBSLB) (p. 1 of 2)
- PBSLB uses black/white lists to filter users (block and/or forward to specific service groups)
- Note: IPv6 addresses are not supported in PBSLB

PBSLB – black/white list details
- Can apply system-wide or on individual vPorts
- Large list support: up to 8 M IP addresses, 64 K IP subnets, up to 32 group IDs
- Lists are stored in highly efficient hash tables for fast processing
- Supports dynamic entries via wildcard (available on system-wide configurations, not on vPorts); can set a connection limit to drop, reset, or lock out clients who don't match static entries
- Create lists in the GUI or import a txt file via the CLI (no CLI support for creating lists)
- Can configure automatic list download: ACOS can update its PBSLB black/white list automatically at specific intervals via TFTP
Sample Black/White List
Format is ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
10.10.1.3 4; blocking a single host. 4 is the drop group
10.10.2.0/24 4; blocking the entire 10.10.2.x subnet
192.168.1.1/32 #20 ; 20 concurrent connections max, no group assigned
192.168.4.69 2 20 ; assign to group 2, and allow 20 max
The group-id is a number from 1 to 31 in a black/white list that identifies a group of IP host or subnet addresses contained in the list. You can map the group to drop the traffic, reset the connection or send the traffic to a specific service group. The default group ID is 0, which means no group is assigned. The “#” for the connection limit is only required if you do not specify a group ID. Place a “;” after an entry to insert a comment string describing the entry.
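The list format above, as an added Python example that is not A10 code: it parses the four sample entries, applies the group-ID and “#” rules just described, and looks a client address up against the result. The longest-prefix lookup and IPv4-only handling are this example’s own assumptions (the slide says IPv6 is not supported; ACOS itself uses hash tables).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BWEntry:
    """One black/white list entry; group_id 0 means no group (slide default)."""
    network: ipaddress.IPv4Network
    group_id: int = 0
    conn_limit: Optional[int] = None
    comment: str = ""


def parse_entry(line: str) -> Optional[BWEntry]:
    """Parse: ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]."""
    body, _, comment = line.partition(";")    # ';' starts the comment string
    fields = body.split()
    if not fields:
        return None                            # blank or comment-only line
    addr = fields[0] if "/" in fields[0] else fields[0] + "/32"   # bare host -> /32
    entry = BWEntry(ipaddress.IPv4Network(addr, strict=False), comment=comment.strip())
    bare_numbers = []
    for tok in fields[1:]:
        if tok.startswith("#"):
            entry.conn_limit = int(tok[1:])    # '#' form: limit without a group ID
        else:
            bare_numbers.append(int(tok))
    if bare_numbers:                           # first bare number is the group ID (1..31)
        if not 1 <= bare_numbers[0] <= 31:
            raise ValueError(f"group-id out of range 1..31: {line!r}")
        entry.group_id = bare_numbers[0]
    if len(bare_numbers) == 2:                 # second bare number is the limit (no '#')
        entry.conn_limit = bare_numbers[1]
    return entry


def parse_list(text: str) -> List[BWEntry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def lookup(entries: List[BWEntry], client_ip: str) -> Optional[BWEntry]:
    """Most-specific (longest prefix) match; a plain scan, not ACOS's hash tables."""
    ip = ipaddress.IPv4Address(client_ip)
    best = None
    for e in entries:
        if ip in e.network and (best is None or e.network.prefixlen > best.network.prefixlen):
            best = e
    return best


# Constructed sample list: the four entries from the slide above.
SAMPLE_LIST = """\
10.10.1.3 4 ; blocking a single host. 4 is the drop group
10.10.2.0/24 4 ; blocking the entire 10.10.2.x subnet
192.168.1.1/32 #20 ; 20 concurrent connections max, no group assigned
192.168.4.69 2 20 ; assign to group 2, and allow 20 max
"""
```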
Connection and Rate limiting with Class Lists
Using a Class List you can limit users on their:
Layer 4 traffic: Connection Limit, Connection-Rate Limit per 100 ms
Layer 7 traffic (for HTTP / HTTPS / DNS): Request Limit, Request-Rate Limit per 100 ms
Rate Limiting with Class Lists Details
ACOS can support up to 255 class lists
Each class list can contain up to 8 million host IP addresses and 64,000 subnets
Class lists can be configured only in the shared partition. A policy template configured in the shared partition or in a private partition can use a class list configured in the shared partition
Supports both v4 and v6 addresses
When connection or request limits are met, over-limit actions can drop, reset or forward, and log the event. Lock-out periods for over-limit clients can be set from 1 to 1023 minutes
By default ACOS matches class-list entries based on client source IP, but can also be configured for destination IP or HTTP destination header
Access Control List (ACL)
ACOS supports standard and extended Access Control Lists (ACLs)
ACLs can be applied to data interfaces, the management interface, and virtual server ports
Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
ACL components
[no] access-list acl-num [seq-num] {permit | deny | remark string} ip {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [log [transparent-session-only]]
Management security
ACOS provides advanced management security options:
Multiple management accounts with distinct levels of access
Interface-level access for individual access types (ICMP / Telnet / SSH / HTTP / HTTPS / SNMP)
Management account lockout in response to excessive invalid passwords
External authentication support with RADIUS, TACACS+, and LDAP
Private partitions
Note: See ACOS Series Configuration Guide for more information
Section summary In this module, we presented ACOS advanced security options: DDoS protection PBSLB ACL Management security
High Availability (HA) Section 7
Section objectives Discuss High Availability and its options Active-Standby mode Active-Active mode
Configure Active-Standby HA
Active-Standby mode Active ACOS device processes all the production traffic
Standby ACOS device does not process any production traffic Standby ACOS device optionally mirrors L4 session information from Active Reliability is scaled but not performance
Active-Standby Failover Peer ACOS device is elected as active Gratuitous ARPs for virtual, floating and NAT IPs are sent Existing mirrored sessions are picked up by newly elected active ACOS device
New sessions are served by newly elected active
Active-Active mode Both ACOS devices process the production traffic
Session and state information is mirrored between both ACOS devices Performance is scaled in addition to reliability
Note: Do not exceed 50% utilization on each unit for full HA
Active-Active Failover Peer ACOS device is elected active for HA group 2 and sends gratuitous ARPs for virtual IPs, floating IPs, and NAT IPs Existing mirrored sessions are picked up by peer ACOS device
Peer ACOS device serves requests for both HA groups
HA support All ACOS integration modes support HA Routed mode Active-Standby, Active-Active
One-Arm mode Active-Standby, Active-Active
Transparent mode L2 Active-Standby
DSR mode Active-Standby, Active-Active
Initial selection of Active ACOS device
After initial selection, the ACOS device remains Active unless:
Standby stops receiving HA heartbeat from Active
HA interface status of the Active becomes lower than the Standby’s
VLAN-based failover is triggered
Gateway-based failover is triggered
HA pre-emption is enabled, and the configured HA priority is changed to be higher on the Standby
Events causing HA Failover
By default, a failover occurs only in the following cases:
Standby stops receiving HA heartbeat from Active
HA interface state changes give the Standby device a better HA state than the Active device
VLAN-based failover is configured and the VLAN becomes inactive
Gateway-based failover is configured and the gateway becomes unavailable
VIP-based failover is configured and the unavailability of real servers causes the Standby AX to have the greater HA priority for the VIP’s HA group
By default, failover does not occur due to HA configuration changes to the HA priority. To enable the ACOS devices to failover in response to changes in priority, enable HA pre-emption.
Active-Standby configuration (p. 1 of 2)
Configure HA Global settings
Identifier (A1 = 1, A2 = 2)
HA Status: Enabled
(optional) HA Mirroring IP address: Remote ACOS device Sync interface
(optional) Preempt: to fail over to a higher-priority ACOS device when one is available
Group1 with priority 200 on A1 (priority 100 on A2)
Floating VIP for Group1: IP addresses defined on servers' gateway (VRRP-like)
(optional) IP and VLAN check (Note: IPs have to be defined as SLB servers too)
Configure HA interfaces All interfaces used with production traffic (+ ACOS device interlink if exists) Note: We recommend a dedicated direct interlink between the ACOS devices so sync traffic is off the production network
Active-Standby configuration (p. 2 of 2) Configure NAT pool HA settings In IP Source NAT, associate the HA Group with IPv4 Pools, IPv6 Pools, NAT Ranges, or Static NAT
Configure VIP HA settings
In VIP settings, associate the HA Group with the VIP
(optional) Enable Dynamic Server Weight: reduce the AX HA Group priority when a server is down
(optional) Enable HA Connection Mirroring on the VIP ports: to synchronize the SLB session table (available for TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
Note: For HTTP/HTTPS VIP types, the client session is terminated on the ACOS device. HA Connection Mirroring is not available for these VIP types.
Active-Active configuration
Same as Active-Standby with two groups defined
Step 2: Group1 with priority 200 on AX1 (priority 100 on A2); Group2 with priority 100 on AX1 (priority 200 on A2)
Step 3: Associate Group1 with half of the VIPs and Group2 with the second half
Step 4: Associate Group1 with the NAT Pools used by VIPs in Group1 and Group2 with the NAT Pools used by VIPs in Group2
Lab Configure HA Active/Standby mode with your neighbor
Section summary We discussed High Availability modes Active-Standby Active-Active
We have configured Active-Standby HA mode
ACOS Troubleshooting Section 8
Section objectives Learn ACOS troubleshooting tools Use session-related commands Perform packet trace in ACOS using axdebug
Log
ACOS logs many informational, warning, and error messages. show log is the first place to check when experiencing issues.
Port/Interface up/down messages
L2 loop detection warnings
Unicast/Multicast/Broadcast packet limit warnings
MAC address movement warnings
Duplicate IP warnings
Server & service port up/down messages
Application-specific error messages: SLB, PBSLB, HTTP, HA, AFLEX, […]
Monitoring
WebUI: Monitor > System > Logging > Logging
CLI: ACOS#show log [ | inc ]
Audit log
ACOS logs administrative actions with username, date, and time stamp. It also logs new administrative sessions.
Examples
Sep 30 2013 12:21:04 [admin] web: add Source IP Persistence template [pers1] successfully.
Sep 30 2013 11:41:54 [admin] cli: vcs device-context device 2
Sep 30 2013 12:29:28 A web session[1] opened, username: admin, remote host: 10.254.102.12
Monitoring WebUI: Monitor > System > Logging > Audit CLI: ACOS#show audit [ | inc ]
Exporting logs
Set up permanent logging on a remote server
WebUI: Config > System > Settings > Log
CLI: ACOS(config)#logging […]
Export existing logs
WebUI: Monitor > System > Logging > [ Logging | Audit ] > Export (save to laptop)
CLI: ACOS#export syslog messages [use-mgmt-port] (this exports the combined audit and syslog logs plus system messages – it is a lot larger than the normal “log” and “audit” output)
Correlating log to audit log
Use the built-in include and section utilities to find corresponding lines in the log, audit log, and running config
ACOS#show log
:45 Warning [ACOS]:Duplicated IP 10.0.1.1 MAC 000c.2976.5904 from Port 1 VLAN 3 detected
ACOS#show audit | inc
Sep 24 2013 09:56:46 [admin] cli: port 80 http
Sep 24 2013 09:56:28 [admin] cli: slb virtual-server vip1 10.0.1.1
ACOS(config)#show run | sec 10.0.1.1
ip route 0.0.0.0 /0 10.0.1.1
slb virtual-server vip1 10.0.1.1
port 80 http
Server health check
Display health check statistics
ACOS#show health stat
[long list of statistics]
IP address   Port   Health monitor   Status   Cause(Up/Down)   Retry   PIN
10.0.2.18           default          UP       11 /0 @0         0       0 /0
10.0.2.19    80     default          UP       20 /0 @0         0       0 /0
10.0.2.18    80     web              UP       10 /0 @0         0       0 /0
10.0.2.19    80     web              UP       10 /0 @0         0       0 /0
see CLI Reference manual for codes
Show running health monitors
ACOS#show health monitor
Idle = Not used by any server
In use = Used by server
Monitor Name   Interval   Retries   Timeout   Up-Retries   Method   Status
ping           5          3         5         1            ICMP     In use
web            5          3         5         1            HTTP     In use
0 0 0 0
Examining running config
Examine the running config with the following tools
ACOS#show run [ | sec ^[0-z] ]
↑ the optional element at the end of this command strips blank lines from the output
ACOS#show run | sec
ACOS#show slb […]
↑ statistics for each configuration element
ACOS#show ha [config]
ACOS#show vrrp-a [ config | detail ]
ACOS#show vcs [ summary | message-buffer ]
Layers 1-4
Layer 1-2
ACOS#show int […]
Layer 3
ACOS#show arp
ACOS#show ip route
ACOS#show access-list
ACOS#show run | sec router
Layer 4
ACOS#show slb l4
host#telnet
ACOS#axdebug
Layer 7: HTTP
Show enabled L7 features
ACOS#show run | sec slb
Try without the advanced features first (compression, connection reuse, and so on)
Packet trace
ACOS#axdebug
Is the server receiving the request sent by the ACOS device?
Any standard HTTP header missing? (host, method, and so on)
Do all of the HTTP headers have the desired values?
Response code from the server’s response?
Size of request / response payload?
Is it taking a long time to process the request?
What are the cookies?
Layer 7: HTTPS
Show enabled features
ACOS#show run | sec slb
Are client-ssl and server-ssl templates applied on the vport?
Packet trace
ACOS#axdebug
Is the client able to finish the SSL handshake with the VIP?
Is the ACOS device able to finish the SSL handshake with the server?
Any issues pertaining to redirect?
Decrypted trace
Are there any absolute links in JavaScript / links / images (http://xxx)?
ACOS Performance
Show memory utilization
ACOS#show memory [ system ]
System Memory Usage:
Total(KB)   Free      Shared   Buffers   Cached   Usage
16456546    8224340   0        2420      159084   49.0%
Show cpu utilization ACOS#show cpu [ interval […] ] ↑ shows utilization per cpu for the past minute. Customizable “interval” triggers continuous updates.
Show resource limits ACOS#show system resource-usage ↑ shows minimum, maximum, default, and currently set limits for configuration items
ShowTech ShowTech is a comprehensive collection of output from many troubleshooting utilities. When contacting A10 Tech Support you will be asked to generate one. WebUI: generate new file and save to laptop Monitor > System > Diagnosis > Show Techsupport
WebUI: view and save previously generated files Monitor > System > Diagnosis > ShowTech File
CLI: generate and export file to a remote server or view on the screen AX# show techsupport [export] [use-mgmt-port] []
axdebug
Captured files are in pcap format (Wireshark / tcpdump)
Able to see every detail of the packets the AX receives & sends
axdebug is session based: if one packet matches the filter, all the following packets in the same session are dumped
axdebug filters
Build filters to fine-tune your capture
Multiple conditions within a filter are ANDed, multiple filters are ORed.
axdebug example
ACOS#axdebug
ACOS(axdebug)#filter 1
ACOS(axdebug-filter:1)#ip 1.2.3.4 /32
ACOS(axdebug)#capture save
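The matching rules just described (conditions within a filter ANDed, filters ORed, and session-based capture once one packet hits), modelled as an added Python example that is not ACOS code. The condition names src/dst/sport/dport/proto and the traffic are this example’s own constructions, not axdebug keywords or a real capture.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def session_key(self) -> Tuple:
        """Direction-independent 5-tuple: reverse packets map to the same session."""
        return (self.proto,) + tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


# One filter = dict of conditions, all of which must hold (AND). Condition
# names are this example's own, not the axdebug keywords: src/dst take an
# address or prefix, sport/dport a port number, proto a protocol name.
Filter = Dict[str, str]


def filter_matches(flt: Filter, pkt: Packet) -> bool:
    for cond, value in flt.items():
        if cond in ("src", "dst"):
            ok = ipaddress.ip_address(getattr(pkt, cond)) in ipaddress.ip_network(value, strict=False)
        elif cond in ("sport", "dport"):
            ok = getattr(pkt, cond) == int(value)
        elif cond == "proto":
            ok = pkt.proto == value
        else:
            raise ValueError(f"unknown condition {cond!r}")
        if not ok:
            return False                     # AND: one failed condition rejects the filter
    return True


def capture(filters: List[Filter], packets: List[Packet], session_based: bool = True) -> List[Packet]:
    """Packets the trace would save: any filter hit (OR), plus, when session_based,
    every later packet of a session that already produced a hit."""
    tracked: Set[Tuple] = set()
    saved: List[Packet] = []
    for pkt in packets:
        key = pkt.session_key()
        if any(filter_matches(f, pkt) for f in filters) or (session_based and key in tracked):
            tracked.add(key)
            saved.append(pkt)
    return saved


# Constructed traffic: client A (10.0.1.161) talks to VIP 10.0.1.12:80,
# client B (10.0.1.200) talks to 10.0.1.12:443; both directions are present.
TRAFFIC = [
    Packet("10.0.1.161", "10.0.1.12", 36690, 80),   # A -> VIP
    Packet("10.0.1.12", "10.0.1.161", 80, 36690),   # VIP -> A (reverse direction)
    Packet("10.0.1.200", "10.0.1.12", 40000, 443),  # B -> VIP, separate session
    Packet("10.0.1.161", "10.0.1.12", 36690, 80),   # A -> VIP again
    Packet("10.0.1.12", "10.0.1.200", 443, 40000),  # VIP -> B
]
```

With the filter src 10.0.1.161 AND dport 80, only packets 1 and 4 match directly; the VIP-to-client reply (packet 2) is saved purely because its session already hit.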
Stop axdebug trace ACOS#no axdebug
Export axdebug trace ACOS#export axdebug [use-mgmt-port]
Session filtering Fine tune session monitoring by using filters ACOS(config)#session-filter […]
Example
ACOS(config)#session-filter c1 source-addr 10.0.1.161 dest-addr 10.0.1.12 destport 80
ACOS#show session filter c1
Prot   Forward Source     Forward Dest    Reverse Source   Reverse Dest       Age   Hash   Flags   Type
Tcp    10.0.1.161:36690   10.0.1.12:80    10.0.2.18:80     10.0.2.16:14075    0     1      NSe1    SLB-L7
Tcp    10.0.1.161:36660   10.0.1.12:80    10.0.2.18:80     10.0.2.16:14045    0     1      NSe1    SLB-L7
Lab Use session-control and packet-level CLI tools
aFleX Section 9
Section objectives Understand purpose of aFleX Import and execute aFleX script
aFleX scripting language aFleX is a powerful and flexible ACOS feature that you can use to manage your traffic and provide enhanced benefits/services
aFleX uses industry-standard Tcl (Tools command language) based syntax Standard Tcl commands Special set of extensions provided by ACOS
aFleX allows:
Content inspection (headers / data)
Actions on traffic: block traffic; redirect traffic to a specific Service Group (pool) or Server (node); modify traffic content
aFleX elements (p. 1 of 3) aFleX scripts are made up of three basic elements: Events Tests Actions
Events
aFleX scripts are event-driven, which means that the AX system triggers the aFleX script whenever the given event occurs. Examples: HTTP_REQUEST is triggered when an HTTP request is received. CLIENT_ACCEPTED is triggered when a client has established a connection.
aFleX elements (p. 2 of 3) Operators Standard Tcl operators Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex Logical operators: not, and, or
aFleX commands
Used to query for data, manipulate data, or specify a traffic destination. These may be grouped into three main categories:
Statement commands. Example: "pool" directs traffic to the named load balancing pool
aFleX elements (p. 3 of 3)
Commands that query or manipulate data. Examples: "IP::remote_addr" returns the remote IP address of a connection; "HTTP::header remove" removes the last occurrence of the named header from a request or response
Utility commands, useful for parsing and manipulating content. Example: "decode_uri" decodes the named string using HTTP URI encoding and returns the result
Note: aFleX is extensible. In future releases, additional aFleX events and aFleX commands will be added
aFleX configuration
Place the aFleX script on the ACOS device
Using CLI
Use a computer with any text editor to write an aFleX script and save it as a file. Use the “import aflex” command to import the aFleX file from a server to ACOS.
aFleX CLI syntax check: "aflex check".
Using WebUI With ACOS web interface, users can directly type in aFleX scripts and save them on the ACOS device under "Config > Service > aFleX".
Using aFleX Editor aFleX editor can download/upload aFleX scripts from/to the ACOS device. Moreover, it can do syntax checking. It also has syntax highlighting, keyword auto-completion, etc.
aFleX examples (p. 1 of 2)
Redirect a specific client to a specific service group
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool sg2
    }
}
Note: This could also be achieved by PBSLB.
Redirect clients to https for the host secure.abc.com
when HTTP_REQUEST {
    if { [HTTP::host] equals "secure.abc.com" } {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
Note: This could NOT be achieved by PBSLB.
aFleX examples (p. 2 of 2)
Redirect clients to specific pools depending on the URL
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/finance" } {
        pool finance_pool
    } elseif { [HTTP::uri] starts_with "/dev" } {
        pool dev_pool
    }
}
Lab Enter and verify aFleX script to block HTTP access to a designated directory
Summary We discussed the purpose of aFleX We wrote and executed a working aFleX script