Escolar Documentos
Profissional Documentos
Cultura Documentos
Headquarters
www.a10networks.com
A10 Networks, the A10 logo, ACOS, aFleX, aXAPI, IDaccess, IDsentrie, IP-to-ID,
and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other
trademarks are property of their respective owners.
Published by:
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125
USA
©
A10 Networks, Inc. 11/11/2009 - All Rights Reserved
Disclaimer
The information presented in this document describes the specific products noted and
does not imply nor grant a guarantee of any technical performance nor does it provide
cause for any eventual claims resulting from the use or misuse of the products de-
scribed herein or errors and/or omissions. A10 Networks, Inc. reserves the right to
make technical and other changes to their products and documents at any time and
without prior notification.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For infor-
mation on specific component types, please contact the manufacturer of that compo-
nent. Always consult local authorities for regulations regarding proper disposal of
electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and
pricing, contact your nearest A10 Networks, Inc. location which can be found by vis-
iting www.a10networks.com.
AX Series - Configuration Guide
About This Document
This document assumes that you have already performed the basic deploy-
ment tasks described in the AX Series Installation Guide.
P e r f o r m a n c e b yD e s i g n 3 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
About This Document
reliability, and establishes a new industry-leading price/performance For
more detailed information, see “System Overview” on page 17.
Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and for system administrators
for provision and maintenance of the A10 Networks AX Series.
Icon Description
Layer 2 switch
Layer 3 router
4 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
About This Document 3
System Description – The AX Series .................................................................................................... 3
Audience.................................................................................................................................................. 4
Representations of Layer 2 and Layer 3 Devices ................................................................................ 4
System Overview 17
AX Series Features............................................................................................................................... 17
ACOS Architecture ............................................................................................................................... 18
AX Software Processes .................................................................................................................. 19
Hardware Interfaces ............................................................................................................................. 20
Software Interfaces............................................................................................................................... 21
Server Load Balancing......................................................................................................................... 21
Intelligent Server Selection ............................................................................................................. 22
Configuration Templates ................................................................................................................. 23
Global Server Load Balancing............................................................................................................. 25
Outbound Link Load Balancing .......................................................................................................... 25
Transparent Cache Switching ............................................................................................................. 25
Firewall Load Balancing....................................................................................................................... 25
Where Do I Start?.................................................................................................................................. 25
Basic Setup 27
Logging On............................................................................................................................................ 27
Logging Onto the CLI ...................................................................................................................... 28
Logging Onto the GUI ..................................................................................................................... 29
Configuring Basic System Parameters .............................................................................................. 32
Setting the Hostname and Other DNS Parameters ........................................................................ 32
Setting the CLI Banners .................................................................................................................. 33
Setting Time/Date Parameters ....................................................................................................... 34
Configuring Syslog Settings ............................................................................................................ 37
Enabling SNMP .............................................................................................................................. 41
SNMP Traps ................................................................................................................................ 42
SNMP Communities and Views .................................................................................................. 43
SNMP Configuration Steps ......................................................................................................... 44
Configuration Examples ...................................................................................................................... 47
P e r f o r m a n c e D e s i g n b y 5 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
Network Setup 53
Overview ................................................................................................................................................53
IP Subnet Support .......................................................................................................................... 53
Transparent Mode .................................................................................................................................54
Configuration Example ................................................................................................................... 56
Transparent Mode in Multinetted Environment ..................................................................................62
Configuration Example ................................................................................................................... 64
Route Mode............................................................................................................................................68
Configuration Example ................................................................................................................... 69
Direct Server Return in Transparent Mode .........................................................................................74
Configuration Example ................................................................................................................... 76
Direct Server Return in Route Mode....................................................................................................79
Configuration Example ................................................................................................................... 80
Direct Server Return in Mixed Layer 2/Layer 3 Environment............................................................82
6 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
Content Compression ........................................................................................................................ 122
Hardware-Based Compression ..................................................................................................... 123
How the AX Device Determines Whether to Compress a File ...................................................... 125
Configuring Content Compression ................................................................................................ 126
Client IP Insertion / Replacement...................................................................................................... 129
Configuring Client IP Insertion / Replacement .............................................................................. 132
Header Insertion / Erasure ................................................................................................................. 133
Configuring Header Insertion / Replacement ................................................................................ 134
Configuring Header Erasure ......................................................................................................... 137
URL Redirect Rewrite......................................................................................................................... 138
Configuring URL Redirect Rewrite ................................................................................................ 138
Strict Transaction Switching ............................................................................................................. 140
Enabling Strict Transaction Switching .......................................................................................... 140
P e r f o r m a n c e D e s i g nb y 7 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
8 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
Configuring Server and Service Port Templates ............................................................................. 285
Applying a Server or Service Port Template .................................................................................... 286
Binding a Server Template to a Real Server ................................................................................ 287
Binding a Server Port Template to a Real Server Port ................................................................. 288
Binding a Virtual Server Template to a Virtual Server .................................................................. 288
Binding a Virtual Server Port Template to a Virtual Service Port .................................................. 289
Binding a Server Port Template to a Service Group ..................................................................... 289
Connection Limiting ........................................................................................................................... 290
Setting a Connection Limit ........................................................................................................ 290
Connection Rate Limiting .................................................................................................................. 292
Slow-Start............................................................................................................................................ 294
P e r f o r m a n c e D e s i g nb y 9 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
10 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
Support for no-cache and max-age=0 Cache-Control Headers ................................................... 413
RAM Caching Notes ..................................................................................................................... 413
Configuring RAM Caching ................................................................................................................. 414
P e r f o r m a n c e D e s i g nb y 11 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
12 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
Traffic Security Features 533
DDoS Protection ................................................................................................................................. 533
Enabling DDoS Protection ............................................................................................................ 534
SYN Cookies ....................................................................................................................................... 535
The Service Provided By SYN Cookies ........................................................................................ 535
Enabling Hardware-Based SYN Cookies ..................................................................................... 537
Configuration when Target VIP and Client-side Router Are in Different Subnets ..................... 537
Enabling Software-Based SYN Cookies ....................................................................................... 538
Configuring Layer 2/3 SYN Cookie Support ................................................................................. 539
ICMP Rate Limiting ............................................................................................................................. 540
Source-IP Based Connection Rate Limiting..................................................................................... 543
Parameters ................................................................................................................................... 543
Log Messages .............................................................................................................................. 544
Deployment Considerations .......................................................................................................... 544
Configuration ............................................................................................................................. 545
Configuration Examples ................................................................................................................ 546
Access Control Lists (ACLs) ............................................................................................................. 547
How ACLs Are Used ..................................................................................................................... 548
Configuring Standard IPv4 ACLs .................................................................................................. 549
Configuring Extended IPv4 ACLs ................................................................................................. 551
Configuring Extended IPv6 ACLs ................................................................................................. 555
Adding a Remark to an ACL ......................................................................................................... 558
Applying an ACL to an Interface ................................................................................................... 558
Applying an ACL to a Virtual Server Port ...................................................................................... 559
Using an ACL to Control Management Access ............................................................................ 560
Using an ACL for NAT .................................................................................................................. 560
Resequencing ACL Rules ............................................................................................................. 561
Policy-Based SLB (PBSLB) ............................................................................................................... 563
Configuring a Black/White List ...................................................................................................... 564
Configuring Policy-Based SLB on the AX Device ......................................................................... 565
Displaying PBSLB Information .................................................................................................. 573
P e r f o r m a n c e D e s i g nb y 13 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
Configuring Role-Based Administration...........................................................................................583
Configuring Private Partitions ....................................................................................................... 583
Changing the Maximum Number of aFleX Policies Allowed in a Partition ................................ 584
Migrating Resources Between Partitions .................................................................................. 585
Deleting a Partition .................................................................................................................... 585
Configuring Partition Admin Accounts .......................................................................................... 586
CLI Example ................................................................................................................................. 588
Viewing and Saving the Configuration..............................................................................................589
Viewing the Configuration ............................................................................................................ 589
Saving the Configuration .............................................................................................................. 590
Switching To Another Partition..........................................................................................................591
Synchronizing the Configuration.......................................................................................................592
Operator Management of Real Servers .............................................................................................594
14 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
SSL Certificate Management 647
Overview.............................................................................................................................................. 647
SSL Process ................................................................................................................................. 647
CA-Signed and Self-Signed Certificates ................................................................................... 650
SSL Templates .......................................................................................................................... 650
Certificate Installation Process ..................................................................................................... 653
Requesting and Installing a CA-Signed Certificate ................................................................... 653
Installing a Self-Signed Certificate ............................................................................................ 655
Generating a Key and CSR for a CA-Signed Certificate ................................................................. 655
Importing a Certificate and Key......................................................................................................... 658
Generating a Self-Signed Certificate ................................................................................................ 659
Importing a CRL.................................................................................................................................. 661
Exporting Certificates, Keys, and CRLs ........................................................................................... 662
Exporting a Certificate and Key .................................................................................................... 662
Exporting a CRL ........................................................................................................................... 663
Creating a Client-SSL or Server-SSL Template and Binding it to a VIP ........................................ 664
Creating an SSL Template ........................................................................................................... 664
Binding an SSL Template to a VIP ............................................................................................... 665
Converting Certificates and CRLs to PEM Format .......................................................................... 665
Converting SSL Certificates to PEM Format ................................................................................ 666
Converting CRLs from DER to PEM Format ................................................................................ 667
Using the Management Interface as the Source for Management Traffic 669
Route Tables ....................................................................................................................................... 669
Management Routing Options........................................................................................................... 670
Enabling Use of the Management Interface as the Source for Automated Management
Traffic ............................................................................................................................................ 671
Using the Management Interface as the Source Interface for Manually Generated
Management Traffic ...................................................................................................................... 672
Commands at the User EXEC Level ......................................................................................... 672
Commands at the Privileged EXEC Level ................................................................................. 672
Commands at the Global Configuration Level ........................................................................... 672
Show Commands ...................................................................................................................... 673
P e r f o r m a n c e D e s i g nb y 15 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Contents
16 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
AX Series Features
System Overview
This chapter provides a brief overview of the AX Series system and fea-
tures. For more information, see the other chapters in this guide.
AX Series Features
Key features of the AX Series include:
• Rack-mountable 2U chassis
• Multi-core, multi-CPU system with offload features give the CPU more
cycles for L4-L7 processing
• Wire-speed L2/L3 switching
P e r f o r m a n c e b yD e s i g n 17 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
ACOS Architecture
• Transparent Cache Switching (TCS)
ACOS Architecture
The AX Series uses embedded Advanced Core Operating System (ACOS)
architecture. ACOS is built on top of a set of Symmetric Multi-Processing
CPUs and uses shared memory architecture to maximize application data
delivery.
18 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
ACOS Architecture
The AX Series inspects packets at Layers 2, 3, 4, and 7 and uses hardware-
assisted forwarding. Packets are processed and forwarded based on the
AX Series configuration.
You can deploy the AX Series into your network in transparent mode or
gateway (route) mode.
• Transparent mode – The AX device has a single IP interface. For multi-
netted environments, you can configure multiple Virtual LANs
(VLANs).
• Route mode – Each AX interface is in a separate IP subnet. Open Short-
est Path First (OSPF) and Routing Information Protocol (RIP) are sup-
ported.
AX Software Processes
The AX software performs its many tasks using the following processes:
• a10mon – Parent process of the AX device. This process is executed
when the system comes up. The a10mon process is responsible for the
following:
• Responsible for bringing AX user-space processes up and down
• Monitors all its child processes and restarts a process and all depen-
dent processes if any of them die.
• syslogd – System logger daemon that logs kernel and system events.
• a10stat – Monitors the status of all the main processes of the AX device,
such as a10switch (on models AX2200 and higher) and a10lb.
The a10stat process probes every thread within these processes to ensure
that they are responsive. If a thread is deemed unhealthy, a10stat kills
the process, after which a10mon restarts the process and other processes
associated with it.
• a10switch – Contains libraries and APIs to program the Switching ASIC
to perform Layer 2 and Layer 3 switching at wire speed.
• a10hm – Performs health-checking for real servers and services. This
process sends pre-configured requests to external servers at pre-defined
intervals. If a server or individual service does not respond, it is marked
P e r f o r m a n c e b yD e s i g n 19 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Hardware Interfaces
down. Once the server or service starts responding again, it is marked
up.
• a10rt – Routing daemon, which maintains the routing table with routes
injected from OSPF and RIP routing protocols, as well as static routes.
• a10rip – Implements RIPv1 and v2 routing protocols.
• a10lb – The heart of the AX device. This process contains all the intelli-
gence to perform Server Load Balancing.
• rimacli – This process is automatically invoked when an admin logs into
the AX device through an interface address. The admin is presented a
Command Line Interface (CLI) that can issue and save commands to
configure the system.
Hardware Interfaces
• 1000BaseT (GOC) + SFP Mini GBIC Fiber Ports
• On models AX 3100 and AX 3200, 10G XFP-SR (short range) single-
mode fiber port or XFP-LR (long range) multi-mode fiber port, depend-
ing on order
• Management Ethernet Port
• RJ-45 Console Port
Generally, the fiber ports do not require any configuration other than IP
interface(s). When you plug in a port, the port speed and mode (full-duplex
or half-duplex) are automatically negotiated with the other end of the link.
20 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Software Interfaces
Software Interfaces
• Graphical User Interface (GUI)
• Command Line Interface (CLI) accessible using console, Telnet, or
Secure Shell (v1 and v2)
• Simple Network Management Protocol (SNMP) v1, v2c, and v3
• XML Application Programming Interface (aXAPI)
You can easily grow server farms in response to changing traffic flow, while
protecting the servers behind a common virtual IP address. From the per-
spective of a client who accesses services, requests go to and arrive from a
single IP address. The client is unaware that the server is in fact multiple
servers managed by an AX device. The client simply receives faster, more
reliable service.
Moreover, you do not need to wait for DNS entries to propagate for new
servers. To add a new server, you simply add it to the AX configuration for
the virtual server, and the new real server becomes accessible immediately.
P e r f o r m a n c e b yD e s i g n 21 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Server Load Balancing
FIGURE 2 SLB Example
22 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Server Load Balancing
Configuration Templates
SLB configuration is simplified by the use of templates. Templates simplify
configuration by enabling you to configure common settings once and use
them in multiple service configurations. The AX device provides templates
to control server and port configuration parameters, connectivity parame-
ters, and application parameters.
The AX device provides the following types of server and port configura-
tion templates:
• Server – Controls parameters for real servers
• TCP – Controls the idle timeout for unused sessions and specifies
whether the AX device sends TCP Resets to clients or servers after a
session times out
• UDP – Controls the idle timeout for unused sessions and specifies how
quickly sessions are terminated after a server response is received
P e r f o r m a n c e b yD e s i g n 23 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Server Load Balancing
• Cookie persistence – Inserts a cookie into server replies to clients, to
direct clients to the same service group, real server, or real service port
for subsequent requests for the service
• Source-IP persistence – Directs a given client, identified by its IP
address, to the same service port, server, or service group
• Destination-IP persistence – Configures persistence to real servers based
on destination IP address
• SSL session-ID persistence – Directs all client requests for a given vir-
tual port, and that have a given SSL session ID, to the same real server
and real port
• SIP – Customizes settings for load balancing of Session Initiation Proto-
col (SIP) traffic
• SMTP – Configures STARTTLS support for Simple Mail Transfer Pro-
tocol (SMTP) clients
• Streaming-media – Directs client requests based on the requested con-
tent
For descriptions of all the parameters you can control using templates, see
“Server and Port Templates” on page 281 and “Service Template Parame-
ters” on page 599.
24 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Global Server Load Balancing
Where Do I Start?
• To configure basic system settings, see “Basic Setup” on page 27.
P e r f o r m a n c e b yD e s i g n 25 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Where Do I Start?
26 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Logging On
Basic Setup
This chapter describes how to log onto the AX device and how to configure
the following basic system parameters:
• Hostname and other Domain Name Server (DNS) settings
• Date/time settings
After you are through with this chapter, go to “Network Setup” on page 53.
Note: The only basic parameters that you are required to configure are date/time
settings. Configuring the other parameters is optional.
Note: This chapter does not describe how to access the out-of-band manage-
ment interface. For that information, see the AX Series Advanced Traffic
Manager Installation Guide.
Logging On
AX Series devices provide the following management interfaces:
• Command-Line Interface (CLI) – Text-based interface in which you
type commands on a command line. You can access the CLI directly
through the serial console or over the network using either of the
following protocols:
• Secure protocol – Secure Shell (SSH) version 1 or version 2
• Unsecure protocol – Telnet (if enabled)
P e r f o r m a n c e b yD e s i g n 27 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Logging On
• Secure protocol – Hypertext Transfer Protocol over Secure Socket
Layer (HTTPS)
• Unsecure protocol – Hypertext Transfer Protocol (HTTP)
Note: By default, Telnet access is disabled on all interfaces, including the man-
agement interface. SSH, HTTP, HTTPS, and SNMP access are enabled by
default on the management interface only, and disabled by default on all
data interfaces.
2. Generally, if this the first time the SSH client has accessed the AX
device, the SSH client displays a security warning. Read the warning
carefully, then acknowledge the warning to complete the connection.
(Press Enter.)
Note: The “AX” in the CLI prompt is the hostname configured on the device,
which is “AX” by default. If the hostname has already been changed, the
new hostname appears in the prompt instead of “AX”.
5. To access the Privileged EXEC level of the CLI and allow access to all
configuration levels, enter the enable command.
At the Password: prompt, enter the enable password. (This is not the
same as the admin password, although it is possible to configure the
same value for both passwords.)
28 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Logging On
If the enable password is correct, the command prompt for the Privi-
leged EXEC level of the CLI appears: AX#
6. To access the global configuration level, enter the config command. The
following command prompt appears: AX(config)#
P e r f o r m a n c e b y
D e s i g n 29 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Logging On
FIGURE 3 GUI Login Dialog (Internet Explorer)
Note: The default admin username and password are “admin”, “a10”.
30 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Logging On
FIGURE 4 Monitor > Overview > Summary
Note: For more information about the GUI, see the AX Series GUI Reference or
the GUI online help.
P e r f o r m a n c e b yD e s i g n 31 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
2. In the Hostname field, edit the name to one that will uniquely identify
this particular AX device (for example, “AX-SLB1”).
3. In the DNS Suffix field, enter the domain name to which the host
(AX Series) belongs.
4. In the Primary DNS field, enter the IP address of the external DNS
server the AX Series should use for resolving DNS queries.
6. Click OK.
32 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
Note: The “ > ” or “ # ” character and characters in parentheses before “ # ” indi-
cate the CLI level you are on and are not part of the hostname.
3. To set the default domain name (DNS suffix) for hostnames on the AX
device, use the following command:
ip dns suffix string
4. To specify the DNS servers the AX should use for resolving DNS
requests, use the following command:
ip dns {primary | secondary ipaddr}
The primary option specifies the DNS server the AX device should
always try to use first. The secondary option specifies the DNS server
that the AX device should use if the primary DNS server is unavailable.
If you configure a banner message that occupies multiple lines, you must
specify the end marker that indicates the end of the last line. The end marker
is a simple string up to 2-characters long, each of the which must be an
ASCII character from the following range: 0x21-0x7e.
The multi-line banner text starts from the first line and ends at the marker. If
the end marker is on a new line by itself, the last line of the banner text will
be empty. If you do not want the last line to be empty, put the end marker at
the end of the last non-empty line.
P e r f o r m a n c e b yD e s i g n 33 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
3. To configure a banner:
a. Select the banner type, single-line or multi-line.
b. If you selected multi-line, enter the delimiter value in the End
Marker field.
c. Enter the message in the Login Banner or Exec Banner field.
If the message is a multi-line message, press Enter / Return at the
end of every line. Do not type the end marker at the end of the mes-
sage. The GUI automatically places the end marker at the end of the
message text in the configuration.
4. If you are configuring both messages, repeat step 3 for the other mes-
sage.
5. Click OK.
The login option changes the first banner, which is displayed after you enter
the admin username. The exec option changes the second banner, which is
displayed after you enter the admin password.
To use blank spaces within the banner, enclose the entire banner string with
double quotation marks.
• Set the system time and date manually or configure the AX device to use
a Network Time Protocol (NTP) server.
34 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
The default timezone is Europe/Dublin, which is equivalent to Greenwich
Mean Time (GMT). The time and date are not set at the factory, so must
manually set them or configure NTP.
Note: You do not need to configure Daylight Savings Time. The AX device
automatically adjusts the time for Daylight Savings Time based on the
timezone you select.
3. Click OK.
Enter the following command at the global configuration level of the CLI:
P e r f o r m a n c e b yD e s i g n 35 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
To view the available timezones, enter the following command:
clock timezone ?
2. To enable NTP and synchronize the AX clock with the NTP server,
enter the following command:
ntp enable
2. Enter the following command at the Privileged EXEC level of the CLI:
clock set time day month year
Enter the time and date in the following format:
time – hh:mm:ss
day – 1-31
month – January, February, March, ...
year – 2008, 2009 ...
Note: The clock is based on 24 hours. For example, for 1 p.m., enter the hour as
“13”.
36 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
• Email address(es)
Logging to the local buffer and to CLI sessions is enabled by default. Log-
ging to other places requires additional configuration. The standard Syslog
message severity levels are supported:
• Emergency – 0
• Alert – 1
• Critical – 2
• Error – 3
• Warning – 4
• Notification – 5
• Information – 6
• Debugging – 7
P e r f o r m a n c e b yD e s i g n 37 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
38 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
TABLE 2 Configurable System Log Settings (Continued)
Parameter Description Supported Values
SMTP Server IP address or fully-qualified domain name of an Any valid IP address or fully-quali-
email server using Simple Message Transfer Proto- fied domain name.
col. Default: None configured
Note: By default, the AX device can reach SMTP
servers only if they are reachable through the AX
device’s data ports, not the management port. To
enable the AX device to reach SMTP servers through
the management port, see “Using the Management
Interface as the Source for Management Traffic” on
page 669.
SMTP Server Protocol port to which email messages sent to the Any valid protocol port number
Port SMTP server are addressed. Default: 25
The AX device uses a log rate limiting mechanism to ensure against over-
flow of external log servers and the internal logging buffer.
The rate limit for external logging is 15,000 messages per second from the
AX device.
The rate limit for internal logging is 32 messages per second from the AX
device.
• If the number of new messages within a one-second interval exceeds 32,
then during the next one-second interval, the AX sends log messages
only to the external log servers.
• If the number of new messages generated within the new one-second
interval is 32 or less, then during the following one-second interval, the
AX will again send messages to the local logging buffer as well as the
external log server. In any case, all messages (up to 15,000 per second)
get sent to the external log servers.
P e r f o r m a n c e b yD e s i g n 39 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
• 50 messages are queued.
• 10 minutes passes since the previous email.
4. Click OK.
2. To change the severity level of messages that are logged in other places,
use the following command:
logging target severity-level
The target can be one of the following:
• console – Serial console
• email – Email
• monitor – Telnet and SSH sessions
• syslog – external Syslog host
• trap – external SNMP trap host
Note: Only severity levels emergency, alert, critical, and notification can be
sent by email.
40 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
If you use the command to add some log servers, then need to add a new
log server later, you must enter all server IP addresses in the new com-
mand. Each time you enter the logging host command, it replaces any
set of servers and syslog port configured by the previous logging host
command.
4. To configure the AX device to send log messages by email, use the fol-
lowing commands to specify the email server and the email addresses:
smtp {hostname | ipaddr} [port protocol-port]
The port option specifies the protocol port to which to send email. The
default is 25.
logging email-address address [...]
To enter more than one address, use a space between each address.
Enabling SNMP
AX devices support the following SNMP versions: v1, v2c, v3. SNMP is
disabled by default.
You can configure the AX device to send SNMP traps to the Syslog and to
external trap receivers. You also can configure read (GET) access to SNMP
Management Information Base (MIB) objects on the AX device by external
SNMP managers.
P e r f o r m a n c e b yD e s i g n 41 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
SNMP Traps
Table 3 lists the SNMP traps supported by the AX device. All traps are dis-
abled by default.
42 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
TABLE 3 AX SNMP Traps (Continued)
Trap Category Trap Description
Server Load Balancing Server Up Indicates that an SLB server has come up.
(SLB) Server Down Indicates that an SLB server has gone down.
Service Up Indicates that an SLB service has come up.
Service Down Indicates that an SLB service has gone down.
Server Connection Indicates that an SLB server has reached its configured con-
Limit nection limit.
Server Connection Indicates that an SLB server has reached its configured con-
Resume nection-resume value.
Service Connection Indicates that an SLB service has reached its configured
Limit connection limit.
Service Connection Indicates that an SLB service has reached its configured
Resume connection-resume value.
Virtual Port Up Indicates that an SLB virtual service port has come up. An
SLB virtual server’s service port is up when at least one
member (real server and real port) in the service group
bound to the virtual port is up.
Virtual Port Down Indicates that an SLB virtual service port has gone down.
Community strings are similar to passwords. You can minimize security risk
by applying the same principles to selecting a community name as you
would to selecting a password. Use a hard-to-guess string and avoid use of
commonly used community names such as “public” or “private”.
You also can restrict access to specific Object IDs (OIDs) within the MIB,
on an individual community basis. OIDs indicate the position of a set of
MIB objects in the global MIB tree. The OID for A10 Networks AX Series
objects is 1.3.6.1.4.1.22610.
P e r f o r m a n c e b y
D e s i g n 43 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
SNMP Views
An SNMP view is like a filter that permits or denies access to a specific OID
or portions of an OID. You can configure SNMP user groups and individual
SNMP users, and allow or disallow them to read specific portions of the AX
MIBs using different views.
When you configure an SNMP user group or user, you specify the SNMP
version. SNMP v1 and v2c do not support authentication or encryption of
SNMP packets. SNMPv3 does. You can enable authentication, encryption,
or both, on an individual SNMP user-group basis when you configure the
groups. You can specify the authentication method and the password for
individual SNMP users when you configure the users.
To configure SNMP:
1. Optionally, configure location and contact information.
You are not required to perform these configuration tasks in precisely this
order. The workflow in the GUI is slightly different from the workflow
shown here.
Note: By default, the AX device can reach remote logging and trap servers only if
they are reachable through the AX device’s data ports, not the management port. To
enable the AX device to reach remote logging and trap servers through the manage-
ment port, see “Using the Management Interface as the Source for Management
Traffic” on page 669.
44 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
USING THE GUI
P e r f o r m a n c e b yD e s i g n 45 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Basic System Parameters
f. Click Add to add the receiver.
g. Repeat step b through step f for each trap receiver.
6. Click OK.
Note: When there are unsaved configuration changes on the AX device, the
Save button flashes.
46 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
4. To configure views, groups, and users, use the following commands:
snmp-server view view-name oid [oid-mask]
{included | excluded}
snmp-server group group-name
{v1 | v2c | v3 {auth | noauth | priv}}
read view-name
snmp-server user username group groupname
{v1 | v2 | v3 [auth {md5 | sha} password
[encrypted]]}
5. To enable the SNMP agent and SNMP traps, use the following com-
mand:
snmp-server enable
[
traps [
snmp [trap-name]
system [trap-name]
ha [trap-name]
slb [trap-name]
]
]
Configuration Examples
The following examples show how to configure the system settings
described in this chapter.
GUI EXAMPLE
The following examples show the GUI screens used for configuration of the
basic system settings described in this chapter.
P e r f o r m a n c e b yD e s i g n 47 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
FIGURE 5 Config > Network > DNS > DNS tab
48 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
FIGURE 6 Config > System > Time > Date/Time tab
P e r f o r m a n c e b yD e s i g n 49 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
FIGURE 8 Config > System > SNMP
FIGURE 9 Config > System > SNMP > Trap List tab
50 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
FIGURE 10 Save Button
CLI EXAMPLE
The following commands log onto the CLI, access the global configuration
level, and set the hostname and configure the other DNS settings:
login as: admin
Welcome to AX
Using keyboard-interactive authentication.
Password:********
Last login: Tue Jan 13 19:51:56 2009 from 192.168.1.144
AX>enable
Password:********
AX#config
AX(config)#hostname AX-SLB2
AX(config)#ip dns suffix ourcorp
AX(config)#ip dns primary 10.10.20.25
AX(config)#ip dns secondary 192.168.1.25
The following examples set the login banner to “welcome to login mode”
and set the EXEC banner to “welcome to exec mode”:
AX(config)#banner login “welcome to login mode”
AX(config)#banner exec “welcome to exec mode”
P e r f o r m a n c e b yD e s i g n 51 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
The following commands set the timezone and NTP parameters:
AX(config)#clock timezone ?
Pacific/Midway (GMT-11:00)Midway Island, Samoa
Pacific/Honolulu (GMT-10:00)Hawaii
America/Anchorage (GMT-09:00)Alaska
America/Tijuana (GMT-08:00)Pacific Time(US & Canada); Tijuana
America/Los_Angeles (GMT-08:00)Pacific Time
...
The following commands enable SNMP and all traps, configure the AX
device to send traps to an external trap receiver, and configure a community
string for use by external SNMP managers to read MIB data from the AX
device.
AX(config)#snmp-server location ourcorp-HQ
AX(config)#snmp-server contact Me_admin1
AX(config)#snmp-server enable trap
AX(config)#snmp-server community read ourcorpsnmp
AX(config)#snmp-server host 192.168.10.11 ourcorpsnmp
52 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Network Setup
This chapter describes how to insert the AX device into your network.
After you complete the setup tasks in this chapter that are applicable to your
network, the AX device will be ready to configure for its primary function:
load balancing.
Overview
AX Series devices can be inserted into your network with minimal or no
changes to your existing network. You can insert the AX device into your
network as a Layer 2 switch or a Layer 3 router.
The same Layer 4-7 features are available with either deployment option.
Examples are provided in this chapter for the following types of network
deployment:
• Transparent mode
IP Subnet Support
Each AX device has a management interface and data interfaces. The man-
agement interface is a physical Ethernet port. A data interface is a physical
Ethernet port, a trunk group, or a virtual Ethernet (VE) interface.
P e r f o r m a n c e b yD e s i g n 53 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode
An AX device deployed in transparent mode (Layer 2) can have a single IP
address for all data interfaces. The IP address of the data interfaces must be
in a different subnet than the management interface’s address.
Transparent Mode
Figure 11 shows an example of an AX Series device deployed in transparent
mode.
54 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode
The blue arrows show the traffic flow for client-server traffic; in this exam-
ple, between clients and server 10.10.10.3.
Note: For simplicity, this example and the other examples in this chapter show
the physical links on single Ethernet ports. Everywhere a single Ethernet
connection is shown, you can use a trunk, which is a set of multiple ports
configured as a single logical link.
Similarly, where a single gateway router is shown, a pair of routers in a
Virtual Router Redundancy Protocol (VRRP) configuration could be
used. In this case, the gateway address used by hosts and Layer 2 switches
is the virtual IP address of the pair of routers.
This example does not use Layer 3 Network Address Translation (NAT) but
does use the default SLB NAT settings. (For a description, see “SLB Source
NAT” on page 484.)
HTTP requests from clients for virtual server 10.10.10.99 are routed by the
Layer 3 router to the AX device. SLB on the AX device selects a real server
and sends the request to the server. The server reply passes back through the
AX device to clients.
P e r f o r m a n c e b yD e s i g n 55 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode
Configuration Example
This section shows the GUI screens and CLI commands needed to imple-
ment the configuration shown in Figure 11.
The following figures show the GUI screens used to implement the configu-
ration shown in Figure 11. Here and elsewhere in this guide, the command
paths used to access a GUI screen are listed in the figure caption.
Interface Configuration
Note: For reference, Figure 12 shows the entire interface. Subsequent figures
show only the relevant configuration page.
56 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode
P e r f o r m a n c e b yD e s i g n 57 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode
Service group configuration
58 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode
Virtual server configuration
P e r f o r m a n c e b yD e s i g n 59 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode
FIGURE 17 Config > Service > SLB > Virtual Server - Virtual Server Port
tab
60 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode
USING THE CLI
The following commands configure the global IP address and default gate-
way:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1
The following commands enable the Ethernet interfaces used in the exam-
ple:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#exit
The following commands add the SLB configuration. (For more informa-
tion about SLB commands, see the SLB configuration chapters in this
guide. Also see the AX Series CLI Reference.)
P e r f o r m a n c e b yD e s i g n 61 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode in Multinetted Environment
This example is similar to the example in Figure 11, except the real servers
are in separate subnets. Each server uses the router as its default gateway,
but at a different subnet address.
62 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode in Multinetted Environment
The blue arrows show the traffic flow for client-server traffic; in this exam-
ple, between clients and server 10.10.10.4.
To enable the AX device to pass traffic for multiple subnets, the device is
configured with multiple VLANs. The interfaces in subnet 10.10.10.x are in
VLAN 1. The interfaces in the 10.10.20.x subnet are in VLAN 2.
Note: In this example, each AX interface is in only one VLAN and can therefore
be untagged. The AX device could be connected to the router by a single
link, in which case the AX link with the router would be in two VLANs
and would need to tagged in at least one of the VLANs. (If an interface is
in multiple VLANs, the interface can be untagged in only one of the
VLANs.)
The default SLB NAT settings allow client traffic to reach the server in the
10.10.20.x subnet, even though this is not the subnet that contains the AX
device’s IP address.
Note: The AX device initiates health checks using the last (highest numbered)
IP address in the pool as the source IP address. In addition, the AX device
will only respond to control traffic (for example, management and ICMP
traffic) from the NATted subnet if the control traffic is sent to the last IP
address in the pool.
P e r f o r m a n c e b yD e s i g n 63 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode in Multinetted Environment
Configuration Example
This section shows the GUI screens and CLI commands needed to imple-
ment the configuration shown in Figure 18.
Note: GUI examples are shown here only for the configuration elements that are
new in this section (VLAN and Source NAT pool). For examples of the
GUI screens for the rest of the configuration, see “Transparent Mode” on
page 54.
FIGURE 20 Config > Service > IP Source NAT > IPv4 Pool
64 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode in Multinetted Environment
FIGURE 21 Config > Service > SLB > Virtual Server - Virtual Server Port
tab
P e r f o r m a n c e b yD e s i g n 65 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode in Multinetted Environment
The following commands configure the global IP address and default gate-
way:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1
The following commands enable the Ethernet interfaces used in the exam-
ple:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#enable
AX(config-if:ethernet4)#exit
The following commands add the SLB configuration. The source-nat com-
mand enables the IP address pool configured above to be used for NATting
health check traffic between the AX device and the real server. (For more
information about SLB commands, see the SLB configuration chapters in
this guide. Also see the AX Series CLI Reference.)
66 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Transparent Mode in Multinetted Environment
Commands to configure the real servers
AX(config)#slb server rs1 10.10.10.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.20.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
P e r f o r m a n c e b yD e s i g n 67 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Route Mode
Route Mode
Figure 22 shows an example of an AX device deployed in route mode.
The blue arrows show the traffic flow for client-server traffic; in this exam-
ple, between clients and server 192.168.4.101. This example shows a data-
base server that is not part of the SLB configuration but that is used by the
real servers when fulfilling client requests. Real servers can reach the data-
base server through the AX device just as they would through any other
68 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Route Mode
router. Replies to clients still travel from the real servers through the AX
device back to the client.
Although this example shows single physical links, you could use trunks as
physical links. You also could use multiple VLANs. In this case, the IP
addresses would be configured on Virtual Ethernet (VE) interfaces, one per
VLAN, instead of being configured on individual Ethernet ports.
Source NAT is not required for this configuration. The AX can send health
checks to the real servers and receive the replies without NAT.
Configuration Example
This section shows the GUI screens and CLI commands needed to imple-
ment the configuration shown in Figure 22.
Note: GUI examples are shown here only for the configuration elements that are
new in this section (configuration of routing parameters). For examples of
the GUI screens for the SLB configuration, see “Transparent Mode” on
page 54.
P e r f o r m a n c e b yD e s i g n 69 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Route Mode
FIGURE 23 Config > Network > Interface > LAN > IPv4
70 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Route Mode
FIGURE 25 Config > Network > Route > RIP > Route > General
FIGURE 26 Config > Network > Route > RIP > Interface
FIGURE 27 Config > Network > Route > RIP > Route > Network
P e r f o r m a n c e b yD e s i g n 71 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Route Mode
The following commands enable the Ethernet interfaces used in the exam-
ple and configure IP addresses on them:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#ip address 10.10.10.2 /24
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#ip address 192.168.3.100 /24
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#ip address 192.168.1.111 /24
AX(config-if:ethernet3)#exit
AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#enable
AX(config-if:ethernet4)#ip address 192.168.2.100 /24
AX(config-if:ethernet4)#exit
72 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Route Mode
AX(config-router-rip)#network 192.168.3.0 /24
AX(config-router-rip)#exit
The following commands add the SLB configuration. (For more informa-
tion about SLB commands, see the SLB configuration chapters in this
guide. Also see the AX Series CLI Reference.)
P e r f o r m a n c e b yD e s i g n 73 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Transparent Mode
The blue arrows show the traffic flow for client-server traffic; in this exam-
ple, between clients and servers 10.10.10.3-4. Client request traffic for the
virtual server IP address, 10.10.10.99, is routed to the AX device. However,
server reply traffic does not pass back through the AX device.
74 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Transparent Mode
DSR Health Checking
Layer 3 and Layer 4-7 health checks are supported in DSR configurations.
The target of the Layer 3 health checks can be the real IP addresses of the
servers, or the virtual IP address, depending on your preference.
• To send the Layer 3 health checks to the real server IP addresses, you
can use the default Layer 3 health method (ICMP).
• To send the Layer 3 health checks to the virtual IP address instead:
• Configure an ICMP health method with the transparent option
enabled, and with the alias address set to the virtual IP address.
• Globally enable DSR health checking.
Layer 4-7 health checks are sent to the same IP address as the Layer 3 health
checks, and then addressed to the specific protocol port. You can use the
default TCP and UDP health monitors or configure new health monitors.
This example uses the default TCP health monitor.
Requirements
Note: In the current release, for IPv4 VIPs, DSR is supported on virtual port
types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is
supported on virtual port types TCP, UDP, and RTSP.
• Requirements on the real server:
• A loopback interface must be configured with the virtual server IP
address.
• ARP replies from the loopback interfaces must be disabled. (This
applies to the loopback interfaces that have the virtual server IP
address.)
P e r f o r m a n c e b yD e s i g n 75 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Transparent Mode
Configuration Example
This section shows how to implement the configuration shown in Figure 28.
Note: This example does not include configuration of the real servers, or config-
uration of the virtual server other than the steps for enabling DSR.
3. Enter the IP address, network mask or prefix length, and default gate-
way address. (In this example, use the IPv4 tab and enter 10.10.10.2,
255.255.255.0, and 10.10.10.1.)
4. Click OK.
3. Click on the checkbox next to the interface number to enable (for exam-
ple, “e3”).
4. Click Enable. The icon in the Status column changes to a green check-
mark to indicate that the interface is enabled.
3. Select the virtual port and click Edit, or click Add to create a new one.
4. On the Virtual Server Port tab, select Enabled next to Direct Server
Return. Configure other settings if needed. (The other settings are not
specific to DSR and depend on the application.)
5. Click OK. The virtual port list for the virtual server reappears.
76 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Transparent Mode
USING THE CLI
The following commands configure the global IP address and default gate-
way:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1
The following commands enable the Ethernet interface connected to the cli-
ents and server:
AX(config)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#exit
The following commands add the SLB configuration. (For more informa-
tion about SLB commands, see the SLB configuration chapters in this
guide. Also see the AX Series CLI Reference.)
P e r f o r m a n c e b yD e s i g n 77 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Transparent Mode
For DSR to work, a loopback interface with the IP address of the virtual
server must be configured on each real server, and ARP replies from the
loopback address must be disabled.
78 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Route Mode
The configuration is very similar to the one for DSR in transparent mode,
except the AX device uses an IP interface configured on an individual
Ethernet port instead of a global IP address.
The requirements for the AX device and real servers are the same as those
for DSR in transparent mode. (See “Direct Server Return in Transparent
Mode” on page 74.)
P e r f o r m a n c e b yD e s i g n 79 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Route Mode
Configuration Example
This section shows how to implement the configuration shown in Figure 29.
Note: The following examples only show the part of the configuration that dif-
fers from deployment of DSR in transparent mode. The only difference is
configuration of the IP interface on the Ethernet interface connected to the
router, and configuration of a default route.
3. In the Interface column, click on the interface name (for example, “e3”).
6. Click OK.
3. Click Add.
6. Click OK.
80 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Route Mode
USING THE CLI
The following commands enable the Ethernet interface used in the example
and configure an IP address on it:
AX(config)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#ip address 10.10.10.2 /24
AX(config-if:ethernet3)#exit
The rest of the configuration commands are the same as those shown in
“Direct Server Return in Transparent Mode” on page 74, beginning with
configuration of the real servers.
P e r f o r m a n c e b yD e s i g n 81 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Mixed Layer 2/Layer 3 Environment
Note: The deployment described in this section is useful for deploying backup
servers to use only if primary servers are unavailable.
In this example, two real servers are used as the primary servers for VIP
10.10.10.99:80. They are in the same IP subnet as the AX device. Each of
them is configured for DSR: destination NAT is disabled on the virtual port.
82 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Mixed Layer 2/Layer 3 Environment
To deploy the backup server:
• In the service group, assign a higher priority to the members for the pri-
mary servers, so that the member for the backup server has the lower
priority. By default, the AX device will not use the lower-priority server
(the backup server) unless all the primary servers are down. Use the
same priority for all the primary servers.
• Enable destination NAT on the backup server. By default, destination
NAT is unset on real ports, and is set by the virtual port . Normally, des-
tination NAT is disabled on virtual ports used for DSR. However, desti-
nation NAT needs to be enabled on the real port on the backup server.
To enable destination NAT on a real port, create a real port template,
enable destination NAT in the template, and bind the template to the real
port. Destination NAT can not be set directly on an individual real port.
Enabling destination NAT for the backup server allows the server to
remain on a different subnet from the AX device, and still be used for
the VIP that normally is served by DSR. The backup server does not
need to be moved to a Layer 2 connection to the AX device and the
server’s IP address does not need to be changed. It can remain on a dif-
ferent subnet from the AX device and the primary servers.
3. Click on the service group name or click Add to create a new one.
5. In the Server section, when adding a member, select 16 from the Priority
field, for each of the primary server ports. Select 1 for the backup server
port.
Note: If you are modifying a member that is already in the list, click the check-
box in the row containing the member information, select the priority,
then click Update.
6. Click OK.
P e r f o r m a n c e b yD e s i g n 83 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Mixed Layer 2/Layer 3 Environment
Enable destination NAT on the backup server’s port
1. Configure a server port template:
a. Select Config > Service > SLB.
b. On the menu bar, select Template > Server Port.
c. Click Add.
d. Enter a name for the template in the Name field.
• In the Server Port Template section, select Disabled next to
Direct Server Return.
• In the real server Port section, select the checkbox next to the
port, select the port template from the Server Port Template
drop-down list, and click Update.
84 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Mixed Layer 2/Layer 3 Environment
FIGURE 31 Config > Service > SLB > Service Group
FIGURE 32 Config > Service > SLB > Template > Server Port
P e r f o r m a n c e b yD e s i g n 85 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Mixed Layer 2/Layer 3 Environment
FIGURE 33 Config > Service > SLB > Server - General and Port sections
To set the priority values of the primary servers to a higher value than the
backup server, re-add the members for the primary servers’ ports, and use
the priority option. Set the priority to a value higher than 1 (the default).
Use the same priority value on each of the primary server’s member ports.
To enable destination NAT on a service port within a service group, use the
dest-nat option in a server port template, then bind that template to the
server port in the service group.
86 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Mixed Layer 2/Layer 3 Environment
CLI Example
The following commands configure a server port template for the backup
server and bind it to the HTTP port on the backup server:
AX(config)#slb template port dsrbackup
AX(config-rport)#dest-nat
AX(config-rport)#exit
AX(config)#slb server secondarys1 192.168.1.10
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#template port dsrbackup
P e r f o r m a n c e b yD e s i g n 87 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Direct Server Return in Mixed Layer 2/Layer 3 Environment
88 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This chapter describes HTTP load balancing and how to configure it.
Overview
HTTP load balancing manages HTTP traffic across a Web server farm.
Figure 34 shows an example of an HTTP load balancing deployment.
Note: The network topologies in application examples such as this one are sim-
plified to focus on the application. For example, the Internet router con-
necting the clients to the AX device is not shown here. Likewise, a single
AX is shown. Your configuration might use an AX pair for High Avail-
ability (HA).
P e r f o r m a n c e b yD e s i g n 89 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
In this example, a server farm consisting of three servers provides content
for Web site www.example.com. Clients access the site through its virtual
IP address, 192.168.10.11. When the AX device receives a client request for
the HTTP port (80) on 192.168.10.11, the AX device selects a real server
and sends the client request to the server.
For simplicity in this example, the real servers use the default protocol port
number for HTTP (80). The port numbers on the real and virtual servers are
not required to match.
The client is unaware of the real IP address of the real server, nor is the cli-
ent aware that the site actually consists of multiple servers. After selecting a
real server, the AX device automatically performs the necessary Network
Address Translation (NAT) to send the client request to the server, receive
the reply from the server, and send the reply to the client. From the client’s
perspective, the Web session is between the client and port 80 on
192.168.10.11.
SERVICE GROUPS
A service group contains a set of real servers from which the AX device can
select to service a client request.
This example uses a single service group that contains all the real servers
and the applicable service port (80). During configuration, you bind the ser-
vice group to the virtual port(s) on the virtual server.
The AX device selects a server based on the load balancing method used by
the service group, and on additional criteria relevant to the load balancing
method.
In this example, the default load balancing method, round robin, is used.
The round robin method selects servers in rotation. For example, the first
client request is sent to server web-2, the next client request is sent to server
web-3, and so on.
VIRTUAL SERVER
The virtual server in this example has IP address 192.168.10.11 and virtual
service port 80. When you configure a virtual service port, you specify the
protocol port number for the port. You also specify the service type. The AX
device supports the following service types for HTTP ports:
• HTTP – Complete TCP stack. Use this service type if you plan to cus-
tomize any templates. For example, if you plan to use SSL (HTTPS load
balancing or SSL offload), or customize the HTTP template to change
information in the HTTP headers of server replies, use the HTTP service
90 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
type. Also use this service type for stream-based applications such as
RAM Caching and compression.
• Fast-HTTP – Streamlined hybrid stack for high performance. If you do
not plan to offload SSL or customize any templates, use Fast-HTTP.
(For a complete list of the service types, see “Virtual Service Port Parame-
ters” on page 640.)
TEMPLATES
Templates are sets of configuration parameters that apply to specific service
types or to servers and service ports. This example uses the default settings
for each of the templates that are automatically applied to the HTTP service
type and to the real and virtual servers and ports. The rest of the information
in this section is for reference but is not required reading to continue with
this example.
Service Templates
P e r f o r m a n c e b yD e s i g n 91 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
The following types of templates also can be used with HTTP service ports.
However, these types of templates do not have “default” templates that are
applied automatically.
• Cookie Persistence – Inserts a cookie in the HTTP header of a server
reply before sending the reply to the client. The cookie ensures that sub-
sequent requests from the client for the same virtual server and virtual
port are directed to the same service group, real server, or real service
port.
• Source-IP Persistence – Similar to cookie persistence, except the AX
device does not insert cookies. Instead, clients are directed to the same
resource in the server farm for every request, for the duration of a con-
figurable timer on the AX device. The granularity of the persistence can
be set to always use the same real server port, the same real server, or
the same service group.
For more information about server and port templates, see the following:
• “Server and Port Templates” on page 281 in this guide
92 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
HEALTH MONITORS
This example uses the following types of health monitors to check the real
servers:
• Ping – A Layer 3 health method that sends an ICMP echo request to the
real server’s IP address. The server passes the health check if the AX
device receives a ping reply.
• TCP – By default, every 30 seconds the AX device sends a connection
request (TCP SYN) to each load balanced TCP port on each server, in
this case ports 80 and 443. A TCP port passes the health check if the
server replies to the AX device by sending a TCP SYN ACK. By
default, the AX device completes the TCP handshake.
In addition to these default health checks, you can configure health monitors
for specific service types. This example uses an HTTP health monitor, with
the following default settings.
• Every 30 seconds, the AX device sends an HTTP GET request for the
default index page.
• The HTTP service port passes the health check if the requested page is
present on the server and the server replies with an OK message (200).
(For more information about health monitors and their configurable options,
see “Health Monitoring” on page 297.)
3. Configure the service group. Add the real servers and service ports to
the group.
P e r f o r m a n c e b yD e s i g n 93 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
3. Click Add.
5. On the Method tab, select HTTP from the Type drop-down list.
The other configuration fields on the tab change to those that apply to
HTTP health monitors.
6. Optionally, select or enter additional options for the health monitor. (See
“Health Monitoring” on page 297.)
In this example, you can use all the default settings
7. Click OK. The new monitor appears in the health monitor table.
FIGURE 35 Config > Service > Health Monitor > Health Monitor
94 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
To configure the real servers
Perform the following procedure separately for each real server.
1. Select Config > Service > SLB.
3. Click Add.
4. On the General tab, enter a name for the server in the Name field.
Note: Enter the server’s real address, not the virtual server IP address.
6. In the Health Monitor drop-down list, select ping or leave the monitor
unset.
Note: If you leave the monitor unset, the Layer 3 health monitor that comes in
the AX configuration by default is used. (See “Default Health Checks” on
page 297.)
7. On the Port tab, enter the number of the service port on the real server in
the Port field. In this example, enter “80”.
8. In the Health Monitor drop-down list, select the HTTP health monitor
configured in “To configure an HTTP health method” on page 94.
10. Click OK. The real server appears in the server table.
P e r f o r m a n c e b yD e s i g n 95 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
FIGURE 36 Config > Service > SLB > Server
FIGURE 37 Config > Service > SLB > Server (real servers added)
Note: The AX device begins sending health checks to a real server’s IP address
and service ports as soon as you finish configuring the server. The overall
health status for the server is shown in the Health column. If the status is
Down ( ) instead of Up ( ), verify that health monitors are config-
ured for all the service ports. The default Layer 3 health method is auto-
matically used for the Layer 3 health check, unless you selected another
health method instead.
96 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
To configure the service group
1. Select Config > Service > SLB, if not still selected.
3. Click Add.
4. On the Service Group tab, select the load-balancing method from the
Algorithm drop-down list.
For this example, you can leave the default selected: Round Robin
5. On the Server tab, select a real server from the Server drop-down list.
7. Click Add.
9. Click OK. The new group appears in the service group table.
P e r f o r m a n c e b yD e s i g n 97 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
To configure the virtual server
1. Select Config > Service > SLB, if not still selected.
4. On the General tab, enter a name for the virtual server in the Name field.
5. In the IP Address field, enter the IP address that clients will request.
6. On the Port tab, click Add. The Virtual Server Port tab appears.
7. In the Type drop-down list, select the service type. In this example,
select Fast-HTTP.
8. In the Port field, enter the service port number. In this example, enter
“80”.
10. Click OK. The port appears in the Port list of the Port tab.
11. Click OK. The virtual server appears in the virtual server table.
98 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
FIGURE 39 Config > Service > SLB > Virtual Server
P e r f o r m a n c e b yD e s i g n 99 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
FIGURE 40 Config > Service > SLB > Virtual Server - Port tab
Note: The command syntax shown in this section is simplified for the configu-
ration example in this chapter. For complete syntax information about any
command, see the AX Series CLI Reference.
1. To configure HTTP and HTTPS health methods, use the following com-
mands:
health monitor monitor-name
Enter this command at the global configuration level of the CLI, for
each monitor to be configured. The command changes the CLI to the
configuration level for the monitor. At the monitor configuration level,
enter the following command:
method http
100 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
Entering this command, without entering additional commands at this
level, configures the monitor to use all the default settings for the HTTP
method.
To customize settings for a health monitor, use additional commands at
the configuration level for the monitor.
4. To configure the virtual server and virtual port, use the following com-
mands:
slb virtual-server name ipaddr
This command changes the CLI to the configuration level for the virtual
server, where you can use the following command to add the virtual port
to the server:
port port-number fast-http
or
P e r f o r m a n c e b yD e s i g n 101 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
port port-num http
For this example, use the first command (the one with fast-http as the
service type) and specify “80” as the port-num.
The port command changes the CLI to the configuration level for the
virtual port, where you can use the following command to bind the vir-
tual port to the service group:
service-group group-name
The group-name is the name of the service group configured in step 3.
CLI EXAMPLE
102 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
The following commands configure the virtual server:
AX(config)#slb virtual-server web-vip 192.168.10.11
AX(config-slb virtual server)#port 80 fast-http
AX(config-slb virtual server-slb virtua...)#service-group sg-web
AX(config-slb virtual server-slb virtua...)#exit
P e r f o r m a n c e b yD e s i g n 103 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTP Load Balancing
104 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This chapter describes the HTTP options you can configure in HTTP tem-
plates, and provides examples of their use.
Overview
HTTP templates provide many SLB options. Some options control selection
of real servers or service groups, while other options modify HTTP header
information or enhance website performance.
P e r f o r m a n c e b yD e s i g n 105 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
ancing of server selection. (See “Strict Transaction Switching” on
page 140.)
• Fast-HTTP
• HTTPS
106 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
USING THE GUI
5. Select or enter values for the template options you want to use. The
remaining sections in this chapter describe the fields for configuring
each option.
Note: Some settings are on the other HTTP template tabs (App switching, Redi-
rect Rewrite, and Compression).
6. When finished, click OK. The template appears in the HTTP template
list.
3. To edit an existing virtual server, select it. To configure a new one, Click
Add. The General tab appears.
5. Select the port or Click Add. The Virtual Server Port tab appears.
9. Click OK. The port appears in the Port list of the Port tab.
P e r f o r m a n c e b yD e s i g n 107 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL Hash Switching
This command changes the CLI to the configuration level for the template.
The remaining sections in this chapter describe the commands for configur-
ing each option.
When enabled, URL hashing selects a real server for the first request for
given content, and assigns a hash value to the server for the content. The
AX device then sends all subsequent requests for the content to the same
real server.
108 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL Hash Switching
FIGURE 41 URL Hashing
In this example, a service group contains three real servers. Each of the real
servers contains the same set of .html(l), .pdf, and .jpg files. The AX device
is configured to calculate a hash value based on the last 3 bytes of the URL
string in the client request, and assign the hash value to a server.
After assigning a hash value to a server, the AX device sends all requests
that match the hash value to the same real server. In this example, all
requests that end with “pdf” are sent to the same server.
If the real server becomes unavailable, the AX device selects another server,
assigns a hash value to it, and uses that server for all subsequent requests for
URL strings that have the same hash value.
P e r f o r m a n c e b yD e s i g n 109 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL Hash Switching
Hash Options
The example in Figure 41 calculates hash values based on the last 3 bytes of
the URL strings.
3. Select the URL Hash checkbox. This activates the configuration fields.
5. Click OK.
Enter the following command at the configuration level for the HTTP tem-
plate:
CLI Example
110 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL / Host Switching
The following commands configure the HTTP template:
AX(config)#slb template http hash
AX(config-HTTP template)#url-hash-persist last 3
AX(config-HTTP template)#url-switching ends-with .htm
AX(config-HTTP template)#exit
The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group sg1
AX(config-slb virtual server-slb virtua...)#template http hash
You can configure an HTTP template with one of the following service-
group switching options:
• URL switching – Selects a service group based on the URL path in the
GET line of the HTTP request’s header
• Host switching – Selects a service group based on the domain name in
the Host field of the HTTP request’s header
Note: If you plan to use URL / host switching along with cookie persistence,
you must enable the match-type service-group option in the cookie persis-
tence template. (See “Using URL / Host Switching along with Cookie
Persistence” on page 115.)
P e r f o r m a n c e b yD e s i g n 111 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL / Host Switching
FIGURE 42 URL Switching
Note: An HTTP template can be configured with only one type of service-group
switching, URL switching or host switching.
112 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL / Host Switching
Match Options
URL / host switching selects a service group based on rules that map part of
the URL string or host (domain name) to the service group. You can use the
following match options in URL / host switching rules:
• Starts-with string – matches only if the URL or host name starts with the
specified string.
• Contains string – matches if the specified string appears anywhere
within the URL or host name.
• Ends-with string – matches only if the URL or host name ends with the
specified string.
These match options are always applied in the following order, regardless of
the order in which the rules appear in the configuration. The service group
for the first match is used.
• Starts-with
• Contains
• Ends-with
If a template has more than one rule with the same option (starts-with, con-
tains, or ends-with) and a URL or host name matches on more than one of
them, the most-specific match is always used. For example, if a template
has the following rules, requests for host “www.ddeeff.org” will always be
directed to service group http-sgf:
host-switching contains d service-group http-sgd
host-switching contains dd service-group http-sge
host-switching contains dde service-group http-sgf
If you use the starts-with option with URL switching, use a slash in front of
the URL string. For example:
url-switching starts-with /urlexample service-group http-sg1
P e r f o r m a n c e b yD e s i g n 113 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL / Host Switching
6. Click Add.
Enter one of the following commands at the configuration level for the
HTTP template:
url-switching
{starts-with | contains | ends-with} url-string
service-group service-group-name
114 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL / Host Switching
host-switching
{starts-with |contains | ends-with} host-string
service-group service-group-name
CLI Example
The following commands bind the HTTP template and service group sg-abc
to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlswitch
AX(config-slb virtual server-slb virtua...)#service-group sg-abc
The following commands bind the HTTP template and service group sg-123
to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlswitch
AX(config-slb virtual server-slb virtua...)#service-group sg-123
P e r f o r m a n c e b yD e s i g n 115 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL / Host Switching
To continue using URL switching or host switching to select a service group
for each request, enable the service-group option in the cookie persistence
template. In this case, for each request from the client, the AX device first
selects a service group, then uses information in the cookie to select the real
server and port within the service group.
In this example, URL switching and cookie persistence are both configured,
and the service-group option is enabled in the cookie persistence template.
For each client request, URL switching selects a service group first. Then,
after a service group is selected, a real server and port are selected within
the service group.
116 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL / Host Switching
• If the client’s request does not have a persistence cookie that includes
the selected service group, the AX device uses SLB to select a server,
then inserts a persistence cookie into the reply from the server. The
cookie includes the service group name.
• If the client’s request already has a persistence cookie containing the
name of the selected service group, the AX device uses the information
in the cookie to select the same server within the service group.
For example, the first time service group sgabc is selected by URL switch-
ing, the AX device inserts a cookie into the server's reply, to ensure that the
same server is used the next time URL switching selects sgabc. The first
time service group sg123 is selected by URL switching, the AX device
inserts a second cookie into the server’s reply, to ensure that the same server
is used the next time URL switching selects sg123. Even though URL
switching does not always select the same service group, the same server
within the selected service group is always selected.
Note: The port option is shown in parentheses because the CLI does not have a
“port” keyword. If you do not set the match type to server (see below),
the match type is automatically “port”.
• match-type server – Subsequent requests from the client for the same
VIP will be sent to the same real server, provided that all virtual ports of
the VIP use the same cookie persistence template with match-type set to
server. URL switching or host switching is used only for the first
request.
The cookie that the AX device inserts into the server reply has the fol-
lowing format:
Set-Cookie: cookiename=rserverIP
P e r f o r m a n c e b yD e s i g n 117 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL / Host Switching
• match-type (port) service-group – Subsequent requests from the client
will be sent to the same real port on the same real server, within the ser-
vice group selected by URL switching or host switching. URL switch-
ing or host switching is still used for every request.
The cookie that the AX device inserts into the server reply has the fol-
lowing format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport
• match-type server service-group – Subsequent requests from the cli-
ent for the same VIP will be sent to the same real server, within the ser-
vice group selected by URL switching or host switching. URL
switching or host switching is still used for every request.
The cookie that the AX device inserts into the server reply has the fol-
lowing format:
Set-Cookie: cookiename-servicegroupname=rserverIP
To enable the service-group option, use the following command at the con-
figuration level for the cookie persistence template:
[no] match-type
{server [service-group] | service-group}
To use the service-group option with port-level granularity, enter the fol-
lowing command: match-type service-group
To use the service-group option with server-level granularity, enter the fol-
lowing command: match-type server service-group
CLI Example
118 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL Failover
For more information, see the description of the slb template persist
source-ip command in the “Config Commands: SLB Templates” chapter of
the AX Series CLI Reference.
URL Failover
The AX device can send an HTTP 302 Redirect message to a client when
the real servers for the URL requested by the client are unavailable.
P e r f o r m a n c e b yD e s i g n 119 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL Failover
In this example, a client sends a request for www.example.com (virtual IP
address 192.168.10.10). However, this VIP is unavailable because all the
real servers are failing their health checks. The AX device is configured to
send an HTTP 302 Redirect message if the VIP is down, redirecting clients
to www.example.com.
By default, URL failover is not configured. To configure it, you specify the
URL to which to redirect clients. Like the other HTTP options, you can
apply this option to a virtual port by configuring the option in an HTTP tem-
plate, and binding the template to the virtual port.
Note: The URL failover option does not affect redirect messages sent by real
servers. To alter redirect messages from real servers, use the URL redi-
rect-rewrite option instead. (See “URL Redirect Rewrite” on page 138.)
2. In the URL Failover field of the HTTP tab, enter the URL to which to
redirect clients.
Enter the following command at the configuration level for the HTTP tem-
plate:
failover-url url-string
CLI Example
120 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
5xx Retry and Reassignment
The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlfailover
HTTP templates have an option to override this behavior. You can configure
the AX device to retry sending a client’s request to a service port that replies
with an HTTP 5xx status code, and reassign the request to another server if
the first server replies with a 5xx status code. The AX device is allowed to
reassign the request up to the configured number of retries.
For example, assume that a service group has three members (s1, s2, and
s3), and the retry is set to 1. In this case, if s1 replies with a 5xx status code,
the AX device reassigns the request to s2. If s2 also responds with a 5xx sta-
tus code, the AX device will not reassign the request to s3, because the max-
imum number of retries has already been used.
Depending on the 5xx retry option you configure, either the service port and
server remain eligible for more client requests, or the AX device briefly
stops sending client requests to the service port and server.
Note: Use of this HTTP template option also requires the strict-transaction-
switch option to be used in the same HTTP template. (See “Strict Transac-
tion Switching” on page 140.)
P e r f o r m a n c e b yD e s i g n 121 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Content Compression
The first command continues to use the service port and server for client
requests, even after a reassignment has occurred. The second command
briefly stops using the service port and server after a reassignment occurs.
The num option specifies the number of times the AX device will resend the
request to the server before assigning the request to another server. You can
specify 1-3 retries. The default is 3.
An HTTP template can contain only one of the commands shown above.
CLI Example
The following commands configure an HTTP template to reselect a server if
the initially selected server responds 4 times to a client’s request with a 5xx
status code. The AX device briefly stops using the service port and server
following reassignment.
AX(config)#slb template http 5xxretry
AX(config-HTTP)#strict-transaction-switch
AX(config-HTTP)#retry-on-5xx
Content Compression
Most types of real servers are able to compress media (content) before send-
ing it to clients. Compression reduces the amount of bandwidth required to
send content to clients.
Accept-Encoding Field
122 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Content Compression
If compression is enabled on the real server, the real server will compress
content before sending it to a client, if the client’s request contains the
Accept-Encoding field with the “compress” value for the requested content
type.
If you still want the server to compress some content, you can configure the
AX device to leave the Accept-Request field unchanged. In this case, com-
pression is performed by the real server instead of the AX device, if the
server is configured to perform the compression. The AX device can still
compress content that the real server does not compress.
Compression Level
The AX device supports compression level 1-9. Each level provides a
higher compression ratio, beginning with level 1, which provides the lowest
compression ratio. A higher compression ratio results in a smaller file size
after compression. However, higher compression levels also require more
CPU processing than lower compression levels, so performance can be
affected.
The default compression level is 1, which provides the fastest compression
speed but with the lowest compression ratio.
Hardware-Based Compression
Hardware-based compression is available using an optional hardware mod-
ule in new AX devices, on the following models: AX 2100, AX 2200,
AX 3100, and AX 3200.
Note: Installation of the compression module into AX devices in the field is not
supported. Contact A10 Networks for information on obtaining an AX
device that includes the module.
P e r f o r m a n c e b yD e s i g n 123 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Content Compression
Hardware-based compression is disabled by default. When you enable it, all
compression settings configured in HTTP templates, except the compres-
sion level, are used.
124 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Content Compression
P e r f o r m a n c e b yD e s i g n 125 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Content Compression
6. Click OK.
Note: If the Hardware Compression option is not present, your AX device does
not contain a compression module.
126 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Content Compression
USING THE CLI
Enter this command at the global configuration level of the CLI. The com-
mand changes the CLI to the configuration level for the template.
This command changes the minimum payload size that is eligible for com-
pression. You can specify 0-2147483647 bytes. The default is 120 bytes.
P e r f o r m a n c e b yD e s i g n 127 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Content Compression
does not compress. This option is disabled by default, which means the AX
device performs all the compression.
Note: If the slb hw-compression and show slb hw-compression commands are
not in the CLI, your AX device does not contain a compression module.
CLI Example
128 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Client IP Insertion / Replacement
No tuple error 0
Parse req fail 0
Server selection fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 50
Source NAT failure 0
Tot data before compress 1373117
Tot data after compress 404410
P e r f o r m a n c e b yD e s i g n 129 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Client IP Insertion / Replacement
real server. Instead, the source IP address of the request is the address into
which the AX device translated the client’s IP address.
To add the client’s IP address back to the request, you do not need to change
the network configuration or NAT settings. Instead, you can simply enable
the AX device to insert the client’s IP address into the header of the client’s
GET request before sending the request to a real server.
130 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Client IP Insertion / Replacement
FIGURE 46 Client IP Insertion
In this example, SLB source NAT changes the source address of the client’s
GET request from 192.168.100.3 to 10.20.20.11. However, the client’s
source IP address is preserved within the HTTP header of the request, by
inserting the address into the X-ClientIP field.
P e r f o r m a n c e b yD e s i g n 131 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Client IP Insertion / Replacement
This option inserts the client’s IP address into the X-ClientIP field by
default. However, you can specify another field name instead. For example,
you can configure the option to insert the client IP address into the
X-Forwarded-For field.
Note: To insert HTTP header fields with other types of values, or to erase fields,
see “Header Insertion / Erasure” on page 133.
Replace Option
Without this option, the client IP address is appended to the lists of client IP
addresses already in the header. For example, if the header already contains
“X-Forwarded-For:1.1.1.1”, the field:value pair becomes
“X-Forwarded-For:1.1.1.1, 2.2.2.2”.
2. On the HTTP template, select the “Header Name for Inserting Client IP”
checkbox.
This enables the option and displays the name of the header field to
which the client IP address will be added.
3. Optionally, to replace any client addresses that are already in the header,
select Replace. Without this option, the client IP address is appended to
the lists of client IP addresses already in the header.
4. To change the name of the field, edit the name. Otherwise, leave the
field name set to the default (X-ClientIP).
132 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Header Insertion / Erasure
USING THE CLI
Enter the following command at the configuration level for the HTTP tem-
plate:
The replace option replaces any client addresses that are already in the
header.
CLI Example
The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http insertclientip
Note: The header insert, replace, and erase options described in this section are
not supported with the fast-http service type. The AX device does not
allow an HTTP template with any of these header options to be bound to a
fast-http virtual port. Likewise, the AX device does not allow any of the
P e r f o r m a n c e b yD e s i g n 133 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Header Insertion / Erasure
header options to be added to an HTTP template that is already bound to a
fast-http virtual port.
Note: To configure the AX device to insert the client’s IP address, see “Client IP
Insertion / Replacement” on page 129.
134 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Header Insertion / Erasure
Effect When insert-if-not-exist Is Used
If you configure an HTTP template to insert “Cookie: c=3”, and you use the
insert-if-not-exist option, the client’s header is changed only if it does not
contain any “Cookie” headers. Therefore, the client request in this example
is unchanged:
GET / HTTP/1.1
Host: www.example.com
Cookie: a=1
Cookie: b=2
...
P e r f o r m a n c e b yD e s i g n 135 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Header Insertion / Erasure
c. Click Add.
4. To insert a response header, follow the same steps as those for inserting
a request header, but use the Response section of the tab.
The field:value pair indicates the header field name and the value to insert.
• By default, if a packet already contains one or more headers with the
specified field name, the command replaces the first header.
• If you use the insert-always option, the command always inserts the
field:value pair. If the request already contains a header with the same
field name, the new field:value pair is added after the existing
field:value pair. Existing headers are not replaced.
• If you use the insert-if-not-exist option, the command inserts the header
only if the packet does not already contain a header with the same field
name.
To insert a field:value pair into response headers, use the following com-
mand:
CLI Examples
The following command configures an HTTP template that inserts
“Cookie: c=3” into every HTTP request. If the request already contains
“Cookie” headers, the first header is replaced.
AX(config)#slb template http replace-cookie
AX(config-HTTP template)#request-header-insert "Cookie: c=3"
136 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Header Insertion / Erasure
AX(config)#slb template http add-cookie
AX(config-HTTP template)#request-header-insert "Cookie: c=3" insert-always
4. To erase a response header, follow the same steps as those for erasing a
request header, but use the Response section of the tab.
P e r f o r m a n c e b yD e s i g n 137 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL Redirect Rewrite
CLI Example
138 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
URL Redirect Rewrite
3. To change the URL:
a. In the Pattern field, enter the URL string to be changed.
b. In the Redirect To field, enter the new URL.
5. Click OK.
To change the URL in redirect messages from servers, enter the following
command at the configuration level for the HTTP template:
The default SSL port number (tcp-portnum) is 443. If you do not spec-
ify a port number, the AX device does not include a port number in the
URL. In this case, the client browser adds the SSL port number when send-
ing a request to the redirect URL.
If you do specify the port number, the AX includes the port number in the
redirect URL.
CLI Example
The following commands configure the HTTP template. Redirect URLs that
begin with “http://” are changed to “https://”. The URLs in the redirect mes-
sages are otherwise unchanged.
AX(config)#slb template http secureredirect
AX(config-HTTP template)#redirect-rewrite secure
AX(config-HTTP template)#exit
P e r f o r m a n c e b yD e s i g n 139 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Strict Transaction Switching
The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http secureredirect
If the load among real servers appears to be unbalanced, you can enable
strict transaction switching to rebalance the load. The strict transaction
switching option forces the AX device to perform server selection for each
request within every session.
Note: Use this option only if needed, and disable the option once the server load
is rebalanced. This option makes server selection much more granular but
also uses more AX system resources.
strict-transaction-switch
140 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Overview
FTP load balancing optimizes the download experience for clients by bal-
ancing FTP traffic across servers in a server farm. You can provide clients
with a single, published virtual IP address for large files, and serve the files
from a set of real servers.
P e r f o r m a n c e b yD e s i g n 141 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
In this example, FTP files are served by three real servers. Each server has
the same set of files available for download. One of the servers also pro-
vides the HTML pages for the download site.
The AX device supports both the passive and port FTP modes.
The AX Series device sends all HTTP requests to server ftp-2, and balances
FTP requests among servers ftp-2, ftp-3, and ftp-4. In this example, the
load-balancing method is changed from the default, round robin, to
weighted round robin.
Service Groups
This example uses a single service group containing all three servers. To
provide weighted load balancing as described above, the load balancing
method is changed from the default (round robin) to weighted round robin.
Templates
The default HTTP template is assigned to the virtual HTTP port by default.
However, the parameters in the default HTTP template are unset by default.
For this configuration, you do not need to configure a different HTTP tem-
plate or change settings in the default one.
142 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
For more information about templates, see the following:
• “Service Template Parameters” on page 599
Health Monitors
This example uses the following health monitors to check the real servers:
• Ping – Tests Layer 3 connectivity to the servers. The Ping health moni-
tor is already configured by default, and is enabled by default when you
add the real server.
• HTTP – Tests the HTTP port by requesting a Web page from the port. In
this example, the default settings are used: Every 30 seconds, the AX
device sends an HTTP Get request for the index.html page.
• FTP – Tests the FTP port by sending a login request to the port. In this
example, the default settings are used: Every 30 seconds, the AX device
sends an anonymous FTP login request to port 21.
The HTTP and FTP monitors must be configured and applied to the real
server ports.
The AX device has default Layer 4 health checks it uses to test the TCP and
UDP transport layers. This configuration also uses those health checks. (For
information, see “Default Health Checks” on page 297.)
P e r f o r m a n c e b yD e s i g n 143 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
c. Assign weight 80 to the HTTP/FTP server. Assign weight 100 to
each of the FTP servers that will not also be handling HTTP. These
weights will cause the AX device to select the HTTP/FTP server for
FTP only 80% as often as each of the other servers.
3. Configure a TCP template and set the idle time in the template to a high
value.
4. Configure a service group for HTTP and add the HTTP server to it.
5. Configure another service group for FTP and add the FTP servers to it.
2. Click Add.
3. On the Health Monitor tab, enter a name for the monitor in the Name
field.
5. On the Method tab, select HTTP from the Type drop-down list.
6. Click OK. The new health monitor appears in the health monitor table.
144 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 48 Config > Service > Health Monitor (for HTTP monitor)
FIGURE 49 Config > Service > Health Monitor - Method tab (for FTP
monitor)
P e r f o r m a n c e b yD e s i g n 145 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 50 Config > Service > Health Monitor (showing configured health
monitors)
3. Click Add.
4. On the General tab, enter a name for the server in the Name field.
6. Change the weight be editing the number in the Weight field. In this
example, change the weight for the HTTP/FTP server to 80 and change
the weights of the two other FTP servers to 100.
7. On the Port tab, enter the HTTP (or FTP) port number in the Port field.
9. In the Health Monitor drop-down list, select the HTTP or FTP health
monitor you configured in “To configure the health monitors” on
page 144. (Select the monitor that matches the port type, HTTP or FTP.)
10. Click Add. The new port appears in the port list.
11. Click OK. The new server appears in the server table.
12. Repeat step 3 through step 11 for each of the other real servers.
146 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 51 Config > Service > SLB > Server (ftp-2)
P e r f o r m a n c e b yD e s i g n 147 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 52 Config > Service > SLB > Server (ftp-3)
148 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 53 Config > Service > SLB > Server (ftp-4)
FIGURE 54 Config > Service > SLB > Server (showing configured real
servers)
P e r f o r m a n c e b yD e s i g n 149 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
To configure the TCP template for FTP
1. Select Config > Service > Template.
3. Click Add.
6. Click OK. The new template appears in the TCP template table.
3. Click Add.
6. In the Algorithm field, select the load balancing method. For this exam-
ple, select Weighted Round Robin.
150 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
9. Click Add. The server and port appear in the member list. Repeat for
each combination of server and port. In this example, add member
10.10.10.2 for port 80 and again for port 21 to service group http-grp.
10. Click OK. The new service group appears in the service group table.
P e r f o r m a n c e b yD e s i g n 151 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 57 Config > Service > Service Group (for FTP)
FIGURE 58 Config > Service > Service Group (service groups added)
152 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
To configure the virtual server
1. Select Config > Service > SLB.
3. Click Add.
5. Enter the virtual IP address in the IP Address field. This is the IP address
to which clients will send HTTP and FTP requests.
6. On the Port tab, click Add. The Virtual Server Port tab appears.
8. Edit the number in the Port field to match the protocol port that clients
will request at the virtual IP address.
10. Click OK. The port and service group appear in the virtual port list.
12. Click OK. The new virtual server appears in the virtual server table.
P e r f o r m a n c e b yD e s i g n 153 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 59 Config > Service > Virtual Server
154 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 60 Config > Service > Virtual Server - Virtual Server Port tab (for
HTTP)
P e r f o r m a n c e b yD e s i g n 155 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 61 Config > Service > Virtual Server - Virtual Server Port tab (for
FTP)
156 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
FIGURE 62 Config > Service > Virtual Server - Port tab (ports added)
FIGURE 63 Config > Service > Virtual Server (virtual server added)
P e r f o r m a n c e b yD e s i g n 157 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
3. To configure the TCP template for FTP, use the following commands:
slb template tcp template-name
This command creates the TCP template and changes the CLI to the
configuration level for the template.
idle-timeout seconds
158 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
The idle-timeout command specifies the number of seconds a TCP ses-
sion can remain idle. The default is 60 seconds. For this example, set the
idle timeout to 1500 seconds (the maximum).
P e r f o r m a n c e b yD e s i g n 159 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
port port-number http
port port-number ftp
The port commands add virtual ports for HTTP and FTP. For each port,
the command changes the CLI to the configuration level for the port,
where the following commands are used:
service-group group-name
template tcp template-name
The service-group command binds the virtual port to a service group.
The template tcp command binds the virtual port to a TCP template.
The following commands configure the HTTP and FTP health monitors:
AX(config)#health monitor http-monitor
AX(config-health:monitor)#method http
AX(config-health:monitor)#exit
AX(config)#health monitor ftp-monitor
AX(config-health:monitor)#method ftp
AX(config-health:monitor)#exit
160 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
AX(config-real server-node port)#exit
AX(config-real server)#exit
The following commands configure the TCP template for use with FTP:
AX(config)#slb template tcp ftp-longidletime
AX(config-L4 TCP LB template)#idle-timeout 15000
AX(config-L4 TCP LB template)#exit
P e r f o r m a n c e b yD e s i g n 161 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FTP Load Balancing
162 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This chapter describes Session Initiation Protocol (SIP) load balancing and
how to configure it.
Overview
AX Series devices support SIP load balancing. SIP load balancing balances
SIP registration messages from clients across a service group of SIP Regis-
trar servers. SIP load balancing enables you to offload registration process-
ing from other SIP servers so those servers can more efficiently process
other SIP traffic.
Figure 64 shows an example of a SIP load balancing configuration. The
commands to implement this configuration are shown in “Configuring SIP
Load Balancing” on page 164.
P e r f o r m a n c e b yD e s i g n 163 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
2. Configure a real server for each SIP Registrar server, add the SIP port to
the server, and assign the SIP health monitor to the port.
3. Configure a real server as a proxy for each SIP server that will handle
SIP messages other than registration messages. Add the SIP port to each
server. The SIP port can be the same on the Registrar servers and these
proxy servers. The AX selects a service group based on the message
type.
4. Configure a service group for the Registrar servers and add them to the
group.
5. Configure a service group for the other SIP servers and add them to the
group. This is the SIP proxy group.
7. Configure a virtual server containing the SIP port and bind the port to
the SIP proxy group. Add the SIP proxy service group and the SIP tem-
plate to the port.
164 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
h. Click OK. The new SIP health monitor appears in the Health Moni-
tor table.
4. Use the same steps to configure a real server as a proxy for each SIP
server that will handle SIP messages other than registration messages.
The steps are the same as the steps for adding the Registrar servers. (See
Figure 68.)
5. To configure a service group for the Registrar servers and add them to
the group:
a. Select Service Group on the menu bar.
b. Click Add.
c. On the Service Group tab, enter a name for the group.
d. In the Type drop-down list, select UDP.
e. On the Port tab, select the real server for the SIP Registrar server
from the Server drop-down list.
f. In the Port field, enter the SIP port number.
P e r f o r m a n c e b yD e s i g n 165 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
g. Click Add.
h. Repeat for each Registrar server.
i. Click OK. The new service group appears in the service group table.
6. Use the same steps to configure a service group for the other SIP servers
and add them to the group. This is the SIP proxy group.
166 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
GUI CONFIGURATION EXAMPLE
FIGURE 65 Config > Service > Health Monitor > Health Monitor
(example for Registrar servers)
FIGURE 66 Config > Service > Health Monitor > Health Monitor
(example for other SIP servers)
P e r f o r m a n c e b yD e s i g n 167 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
FIGURE 67 Config > Service > SLB > Server
FIGURE 68 Config > Service > SLB > Server - Registrar and Proxy servers
added
168 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
FIGURE 69 Config > Service > Service Group (registrar group)
FIGURE 71 Config > Service > Template > Application > SIP
P e r f o r m a n c e b yD e s i g n 169 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
FIGURE 72 Config > Service > Template > Application > SIP - template
added
170 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
USING THE CLI
1. To configure a SIP health monitor using the SIP health method, use the
following commands:
health monitor monitor-name
Enter this command at the global Config level.
method sip [register [port port-num]]
Enter this command at the configuration level for the health method.
The SIP health monitor sends an OPTION request to port 5060 by
default.
To send a REGISTER request instead, use the register option. To send
the request to a port other than 5060, use the port option to specify the
port number.
2. To configure a real server for a SIP Registrar server, add the SIP port to
it, and apply the SIP health monitor to the port, use the following com-
mands:
slb server server-name ipaddr
Enter this command at the global Config level.
port port-num udp
Enter this command at the configuration level for the real server.
health-check monitor-name
Enter this command at the configuration level for the SIP port.
3. To configure a real server as a proxy for each SIP server that will handle
SIP messages other than registration messages, use the same commands
as in step 2.
4. To configure a service group for the Registrar servers and add them to
the group, use the following commands:
slb service-group group-name udp
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.
5. To configure a service group for the other SIP servers and add them to
the group, use the same commands as in step 4.
P e r f o r m a n c e b yD e s i g n 171 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
Enter this command at the global Config level.
registrar service-group group-name
header-erase string
header-insert string
header-replace string new-string
timeout minutes
pass-real-server-ip-for-acl acl-id
The header-erase, header-insert, and header-replace commands edit
information in the SIP header of each SIP packet before sending it to the
service group. Each command erases, inserts, or replaces a single header
field.
The timeout command specifies how many minutes the AX device
leaves a SIP call session up. You can specify 1-250 minutes. The default
is 30.
The pass-real-server-ip-for-acl command disables reverse NAT based
for traffic from the server, based on IP address. This command is useful
in cases where a SIP server needs to reach another server, and the traffic
must pass through the AX device. (See “Disabling Reverse NAT Based
on Destination IP Address” on page 174.)
Enter these commands at the configuration level for the SIP template.
Caution: A10 Networks recommends that you do not set the timeout
to a value lower than 30 minutes. The SIP termination message
(Bye) does not necessarily go through the AX device, thus the AX
device does not know for certain that a conversation has ended.
7. To configure a virtual server for the SIP proxy servers (the servers that
will handle all other SIP traffic except registration messages), use the
following commands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-number sip
Enter this command at the configuration level for the virtual server.
service-group group-name
template sip template-name
Enter these commands at the configuration level for the virtual port.
172 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
CLI CONFIGURATION EXAMPLE
The commands in the following example implement the SIP load balancing
configuration shown in Figure 64 on page 163.
P e r f o r m a n c e b yD e s i g n 173 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
The following commands configure the service groups:
AX(config)#slb service-group Registrar_gp udp
AX(config-slb service group)#member Registrar1:5060
AX(config-slb service group)#member Registrar2:5060
AX(config-slb service group)#exit
AX(config)#slb service-group sip5060 udp
AX(config-slb service group)#member Proxy3:5060
AX(config-slb service group)#member Proxy4:5060
AX(config-slb service group)#exit
The following commands configure the VIP for the SIP registrar:
AX(config)#slb virtual-server sip1 192.168.20.1
AX(config-slb virtual server)#port 5060 sip
AX(config-slb virtual server-slb virtua...)#service-group sip5060
AX(config-slb virtual server-slb virtua...)#template sip Registrar_template
174 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
FIGURE 75 Revere NAT Disabled for Traffic from a SIP Server
By default, the AX device performs reverse NAT on all traffic from a SIP
server before forwarding the traffic. Reverse NAT translates the source IP
address of return traffic from servers to clients back into the VIP address
before forwarding the traffic to clients.
However, if the SIP server needs to reach another server, and the traffic
must pass through the AX device, the destination server will receive the
traffic from the VIP address instead of the SIP server address.
2. Configure a SIP template that disables reverse NAT based on the ACL.
P e r f o r m a n c e b yD e s i g n 175 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring SIP Load Balancing
3. Click on the template name of click Add to create a new one.
4. Select the ACL from the Pass Real Server IP for ACL drop-down list.
CLI Example
The commands in this section are applicable to Figure 75.
The following commands bind the SIP template to the SIP virtual port:
AX(config)#slb virtual-server sip-vip 192.168.20.1
AX(config-slb vserver)#port 5060 sip
AX(config-slb vserver-vport)#template sip sip1
176 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Overview
The AX device provides the following types of SSL optimization:
• SSL Offload – The AX device applies Layer 7 features to HTTPS traffic
per your configured HTTP template options, such as those described in
“HTTP Options for SLB” on page 105.
• SSL proxy – The AX device acts as a Layer 4 SSL proxy for TCP ser-
vices such as POPS, SMTPS, IMAPS, and LDAPS.
SSL offload uses service type (virtual port type) HTTPS, and supports deep
packet inspection and header manipulation. SSL proxy uses service type
SSL-proxy and provides Layer 4 SLB but does not provide deep packet
inspection or header manipulation.
Note: The AX device devices also support STARTTLS acceleration and encryp-
tion. See “STARTTLS for Secure SMTP” on page 195.
P e r f o r m a n c e b yD e s i g n 177 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Client SSL
Implement SSL proxy if the following are true:
• The traffic will be SSL-secured traffic over TCP, but not necessarily
HTTPS traffic.
• Layer 7 features are not required.
2. Configure a client SSL template and add the certificate and key to it.
178 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Client SSL
m. Click Open. The path and filename appear in the Source field.
n. Click OK. The key appears in the certificate and key list.
2. To configure a client SSL template and add the certificate and key to it:
a. Select Configure > Service > Template.
b. Select SSL > Client SSL from the menu bar.
c. Click Add.
d. On the Client SSL tab, enter a name for the template in the Name
field.
e. In the Certificate Name drop-down list, select the certificate you
imported in the previous step.
f. In the Key Name field, select the private key you imported in the
previous step.
g. If the files are secured with a passphrase, enter the passphrase.
h. Click OK. The new template appears in the Client SSL template
table.
FIGURE 76 Configure > Service > SSL Management - Import (for the
certificate)
FIGURE 77 Configure > Service > SSL Management - Import (for the
private key)
P e r f o r m a n c e b yD e s i g n 179 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Client SSL
FIGURE 78 Configure > Service > Template > SSL > Client SSL
180 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Client SSL
CLI CONFIGURATION EXAMPLE
The following commands import certificates and keys, and configure a cli-
ent-SSL template to use them.
The following commands configure a client SSL template to use the certifi-
cate and key:
AX(config)#slb template client-ssl sslcert-tmplt
AX(config-client SSL template)#cert sslcert.crt
AX(config-client SSL template)#key sslcertkey.pem
AX(config-client SSL template)#exit
P e r f o r m a n c e b yD e s i g n 181 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTPS Offload
3. Configure a service group for the servers and add them to the group.
5. Configure a virtual server and add a virtual port that has the service type
https. Bind the service-group to the virtual port and to the HTTP tem-
plate (if configured) and client-SSL template.
2. To configure a service group for the servers and add them to the group:
a. Select Service Group on the menu bar.
b. Click Add.
c. On the Service Group tab, enter a name for the service group.
d. In the Type drop-down list, select TCP, if not already selected.
e. Select the health monitor, if your configuration will use one.
f. On the Port tab, select a server from the Server drop-down list.
182 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTPS Offload
g. Enter the service port in the Port field.
h. Click Add. The port appears in the list.
i. Repeat step f through step h for each server.
j. Click OK. The new service group appears in the service group table.
P e r f o r m a n c e b yD e s i g n 183 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTPS Offload
184 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTPS Offload
FIGURE 80 Configure > Service > SLB > Service Group
P e r f o r m a n c e b yD e s i g n 185 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTPS Offload
FIGURE 82 Configure > Service > SLB > Virtual Server - Port tab
2. To configure a service group for the servers and add them to the group,
use the following commands:
slb service-group group-name tcp
186 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring HTTPS Offload
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.
4. To configure a virtual server and HTTPS virtual port, use the following
commands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-number https
Enter this command at the configuration level for the virtual server.
service-group group-name
template http template-name
template client-ssl template-name
Enter these commands at the configuration level for the virtual port to
bind the port to the service group and the application templates.
The following commands configure a service group for the HTTPS servers:
AX(config)#slb service-group HTTPS_servers tcp
AX(config-slb service group)#member HTTPS1:443
AX(config-slb service group)#member HTTPS2:443
AX(config-slb service group)#exit
P e r f o r m a n c e b yD e s i g n 187 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring the SSL Proxy Feature
The following commands configure the VIP to which clients will send
HTTPS traffic:
AX(config)#slb virtual-server v1 10.6.6.6
AX(config-slb virtual server)#port 443 https
AX(config-slb virtual server-slb virtua...)#service-group HTTPS_servers
AX(config-slb virtual server-slb virtua...)#template http HTTPS_1
AX(config-slb virtual server-slb virtua...)#template client-ssl sslcert-tmplt
3. Configure a service group for the servers and add them to the group.
4. Configure a virtual server and add a virtual port that has the service type
ssl-proxy. Bind the service-group to the virtual port and to the client-
SSL template.
2. To configure a service group for the servers and add them to the group:
a. Select Service Group on the menu bar.
b. Click Add.
188 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring the SSL Proxy Feature
c. On the Service Group tab, enter a name for the service group.
d. In the Type drop-down list, select TCP, if not already selected.
e. Select the health monitor, if your configuration will use one.
f. On the Port tab, select a server from the Server drop-down list.
g. Enter the service port in the Port field.
h. Click Add. The port appears in the list.
i. Repeat step f through step h for each server.
j. Click OK. The new service group appears in the service group table.
P e r f o r m a n c e b yD e s i g n 189 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring the SSL Proxy Feature
190 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring the SSL Proxy Feature
FIGURE 84 Configure > Service > SLB > Service Group
P e r f o r m a n c e b yD e s i g n 191 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring the SSL Proxy Feature
FIGURE 86 Configure > Service > SLB > Virtual Server - Port tab
2. To configure a service group for the servers and add them to the group,
use the following commands:
slb service-group group-name tcp
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.
192 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring the SSL Proxy Feature
3. To configure a virtual server and port for the TCP service, use the fol-
lowing commands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-number ssl-proxy
Enter this command at the configuration level for the virtual server.
service-group group-name
template client-ssl template-name
Enter these commands at the configuration level for the virtual port.
The following commands configure a service group for the POP servers:
AX(config)#slb service-group POP_servers tcp
AX(config-slb service group)#member POP1:110
AX(config-slb service group)#member POP2:110
AX(config-slb service group)#exit
The following commands configure the VIP to which clients will send
POPS traffic:
AX(config)#slb virtual-server v1 10.6.6.6
AX(config-slb virtual server)#port 110 ssl-proxy
AX(config-slb virtual server-slb virtua...)#service-group SMTP_servers
AX(config-slb virtual server-slb virtua...)#template client-ssl sslcert-tmplt
P e r f o r m a n c e b yD e s i g n 193 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring the SSL Proxy Feature
194 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Overview
AX Series devices support the STARTTLS feature. STARTTLS is an exten-
sion to SMTP that enables you to secure mail traffic to and from your leg-
acy SMTP servers. SMTP itself does not provide any security.
FIGURE 87 STARTTLS
P e r f o r m a n c e b yD e s i g n 195 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Additional SMTP Security Options
In addition to providing encryption of mail traffic for clients, the AX
STARTTLS feature has additional security options:
• Require STARTTLS – By default, client use of STARTTLS is optional.
You can configure the AX to require STARTTLS. In this case, before
any mail transactions are allowed, the client must issue the STARTTLS
command to establish a secured session.
If the client does not issue the STARTTLS command, the AX sends the
following message to the client: "530 - Must issue a STARTTLS com-
mand first”
• Disable SMTP commands – By default, the VRFY, EXPN, and TURN
commands are allowed. You can disable support of any of these com-
mands. In this case, if the client tries to issue a disabled SMTP com-
mand, the AX sends the following message to the client: “502 -
Command not implemented”
Domain Switching
By default, SMTP traffic from all client domains is sent to the same service
group. You can configure multiple service groups and send traffic to the
groups based on the client domain. For example, you can send SMTP traffic
from clients in domain "CorpA" to a different service group than SMTP
traffic from clients in domain "CorpB".
196 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
Configuring STARTTLS
To configure STARTTLS:
1. Import a certificate and its key to use for TLS sessions with clients.
2. Configure a client SSL template and add the certificate and its key to it.
3. Configure a real server for each SMTP server and add the SMTP port to
the server.
4. Configure a service group for the SMTP servers and add them to the
group.
6. Configure a virtual server and port for the SMTP address to which cli-
ents will send SMTP traffic, and add the SMTP service group and
SMTP template to the port.
P e r f o r m a n c e b yD e s i g n 197 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
In the GUI, most of the configuration steps (step 1 through step 4 above) for
STARTTLS are the same as those for SSL proxy support. (See “Configuring
the SSL Proxy Feature” on page 188.)
6. Click OK. The new template appears in the SMTP template table.
198 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
To configure a virtual server for STARTTLS (step 6 above):
1. Select Configure > Service > Server.
3. Click Add.
4. On the General tab, enter general settings for the virtual server:
a. Enter a name for the virtual server.
b. In the IP address field, enter the VIP address.
P e r f o r m a n c e b yD e s i g n 199 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
FIGURE 89 Config > Service > Template > Application > SMTP
200 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
FIGURE 90 Config > Service > SLB > Virtual Server - Port tab
P e r f o r m a n c e b yD e s i g n 201 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
3. To configure a real server for an SMTP server, use the following com-
mands:
slb server server-name ipaddr
Enter this command at the global Config level.
port port-num tcp
Enter this command at the configuration level for the real server.
4. To configure a service group for the SMTP servers and add them to the
group, use the following commands:
slb service-group group-name tcp
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.
202 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
The disable option of the starttls command disables STARTTLS sup-
port on the VIP that uses the SMTP template.
The domain-switching command is required only if you have multiple
service groups and you want to direct SMTP clients to specific service
groups based on the client's domain.
6. To configure a virtual server and port for the SMTP address to which
clients will send SMTP traffic, add the SMTP service group, and add the
SMTP and client SSL templates to the port, use the following com-
mands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-num smtp
Enter this command at the configuration level for the virtual server.
service-group group-name
template smtp template-name
template client-ssl template-name
Enter these commands at the configuration level for the virtual port.
P e r f o r m a n c e b yD e s i g n 203 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
The following commands configure a client SSL template to use the certifi-
cate and key:
AX(config)#slb template client-ssl mailcert-tmplt
AX(config-client SSL template)#cert starttls.crt
AX(config-client SSL template)#key tlscertkey.pem
AX(config-client SSL template)#exit
The following commands configure a service group for the SMTP servers:
AX(config)#slb service-group SMTP_servers tcp
AX(config-slb service group)#member SMTP1:25
AX(config-slb service group)#member SMTP2:25
AX(config-slb service group)#exit
204 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
The following commands configure the STMP template. In this example,
additional security is added by enforcing STARTTLS and by disabling the
SMTP commands VRFY, EXPN, and TURN.
AX(config)#slb template smtp starttls-tmplt
AX(config-slb template)#server-domain “mycorp.com”
AX(config-slb template)#service-ready-message “MyCorp ESMTP mail service is
ready”
AX(config-slb template)#starttls enforced
AX(config-slb template)#command-disable vrfy expn turn
The following commands configure the VIP to which mail clients will send
SMTP traffic:
AX(config)#slb virtual-server v1 10.1.1.1
AX(config-slb virtual server)#port 25 smtp
AX(config-slb virtual server-slb virtua...)#service-group SMTP_servers
AX(config-slb virtual server-slb virtua...)#template client-ssl mailcert-tmplt
AX(config-slb virtual server-slb virtua...)#template smtp starttls-tmplt
P e r f o r m a n c e b yD e s i g n 205 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring STARTTLS
206 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Overview
AX Series devices support content-aware load balancing of the following
widely used streaming-media types:
• Real Time Streaming Protocol (RTSP)
Note: The AX Series also supports load balancing of Session Initiation Protocol
(SIP) sessions. For information, see “SIP Load Balancing” on page 163.
P e r f o r m a n c e b yD e s i g n 207 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
FIGURE 91 Streaming-Media Load Balancing
In this example, a server farm provides streaming content in both RTSP and
MMS format. All the servers are allowed to serve HTTP and HTTPS
requests. Two of the servers (stream-rs2 and stream-rs3) are configured to
serve RTSP and MMS requests.
Service Groups
This example uses the following service groups:
• all80-grp – The servers in this service group provide HTTP and HTTPS
service. In this example, all the servers are members of this service
group.
• rtsp554-grp – The servers in this service group provide RTSP content.
208 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Streaming-Media SLB
Note: Using separate service groups makes it easier to adapt the configuration
when the server farm grows. For example, if RTSP and MMS content is
separated onto different servers, the membership of the RTSP group can
easily be edited to include only the RTSP servers, and so on.
Templates
By default, the default TCP template is applied to RTSP and MMS traffic.
(For information, see “TCP Template Parameters” on page 624.)
Health Monitors
This example uses the default Layer 3 health check (ping) and the default
Layer 4 TCP health check.
3. Configure the virtual server by adding virtual service ports for the
streaming-media services.
Most of the configuration procedures are the same as the configuration pro-
cedures for other types of SLB.
3. Click Add.
6. Click OK.
P e r f o r m a n c e b yD e s i g n 209 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Streaming-Media SLB
When configuring the virtual server, select RTSP or MMS as the service
port type.
210 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Streaming-Media SLB
CLI CONFIGURATION EXAMPLE
P e r f o r m a n c e b yD e s i g n 211 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Streaming-Media SLB
The following commands configure the service groups:
AX(config)#slb service-group all80-grp tcp
AX(config-slb service group)#member stream-rs1:80
AX(config-slb service group)#member stream-rs1:443
AX(config-slb service group)#member stream-rs2:80
AX(config-slb service group)#member stream-rs2:443
AX(config-slb service group)#member stream-rs3:80
AX(config-slb service group)#member stream-rs3:443
AX(config-slb service group)#exit
AX(config)#slb service-group rtsp554-grp tcp
AX(config-slb service group)#member stream-rs2:554
AX(config-slb service group)#member stream-rs3:554
AX(config-slb service group)#exit
AX(config)#slb service-group mms1755-grp tcp
AX(config-slb service group)#member stream-rs2:1755
AX(config-slb service group)#member stream-rs3:1755
AX(config-slb service group)#exit
212 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This chapter describes Layer 4 load balancing of TCP and UDP traffic and
how to configure it.
Note: The Layer 4 load balancing described in this chapter requires you to spec-
ify the protocol port numbers to be load balanced. To load balance traffic
based solely on transport protocol (TCP, UDP, or other), see “IP Protocol
Load Balancing” on page 221.
Overview
In addition to load balancing for well-known and widely used types of ser-
vices such as HTTP, HTTPS, and FTP, AX devices also support Layer 4
load balancing for custom applications. If a service you need to load balance
is not one of the well-known service types recognized by the AX device,
you still can configure Layer 4 TCP or UDP load balancing for the service.
P e r f o r m a n c e b yD e s i g n 213 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
FIGURE 92 Layer 4 SLB
Layer 4 load balancing balances traffic based on the transport protocol (TCP
or UDP) and the protocol port number. The payload of the UDP or TCP
packets is not examined.
Note: To configure deeper packet inspection for custom applications, you can
use aFleX policies. For example, you can configure an aFleX policy to
examine the byte value at a certain position within each client request
packet and select a server based on the value of the byte. For information
about aFleX policies, see the AX Series aFleX Reference.
SERVICE GROUPS
This example uses a single service group that contains all the real servers.
The service group uses the default load balancing method (round robin).
214 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
VIRTUAL SERVER
The custom application on the real servers is accessed at TCP port 1020 by
clients through virtual IP address 192.168.55.55.
TEMPLATES
The AX device has default TCP and UDP templates. You can use the
default template or configure another TCP or UDP template and use that
one instead. If your Layer 4 load balancing configuration is for a TCP appli-
cation and you do not bind a TCP template to the virtual port, the default
TCP template is used. For a UDP application, the default UDP template is
used unless you bind another UDP template to the virtual port.
One of the parameters you can configure in TCP and UDP templates is the
idle time. Depending on the requirements of your application, you can
reduce or increase the amount of time the AX device allows a session to
remain idle.
For more information about the parameters controlled by TCP and UDP
templates, see the following sections:
• “TCP Template Parameters” on page 624
P e r f o r m a n c e b yD e s i g n 215 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 4 Load Balancing
HEALTH MONITORS
This example uses the default Layer 3 and Layer 4 health monitors. The
Layer 3 monitor (Ping) and the applicable Layer 4 monitor (TCP or UDP)
are enabled by default when you configure the real server and real service
ports.
Note: You can create an external health monitor using a script and import the
monitor onto the AX device. For information, see “Health Monitoring” on
page 297.
2. Configure a service group. Add the real servers, service port, and any
custom templates to the group.
5. Configure the virtual server. Bind the virtual service port on the virtual
server to the service group and custom templates, if configured.
216 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 4 Load Balancing
2. To configure the service group:
a. Select Config > Service > SLB, if not already selected.
b. Select Service Group on the menu bar.
c. Click Add.
d. On the Service Group tab, enter a name for the service group.
e. In the Type drop-down list, select the transport protocol for the
application, TCP or UDP.
f. On the Server tab, select a server from the Server drop-down list.
g. Enter the protocol port number in the Port field.
h. Click Add.
i. Repeat step f through step h for each server and port.
j. Click OK. The service group appears in the Service Group table.
P e r f o r m a n c e b yD e s i g n 217 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 4 Load Balancing
d. Enter a name for the virtual server.
e. In the IP Address field, enter the virtual IP address to which clients
will send requests.
f. Select or enter other general settings as needed.
g. On the Port tab, click Add. The Virtual Server Port tab appears.
h. In the Type drop-down list, select the transport protocol for the
application, TCP or UDP.
i. Enter the application port number in the Port field.
j. If you configured any custom templates, select them from the drop-
down lists for each template type.
k. Enter or select other values as needed.
l. Click OK. The port appears in the port section.
m. Click OK again. The virtual server appears in the virtual server list.
218 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 4 Load Balancing
3. To configure a custom TCP or UDP template, use the following com-
mands at the global configuration level of the CLI:
slb template tcp template-name
slb template udp template-name
These commands create the template and change the CLI to the configu-
ration level for the template, where additional commands are available.
(See “TCP Template Parameters” on page 624 or “UDP Template
Parameters” on page 626. Also see the “Config Commands: SLB Tem-
plates” chapter in the AX Series CLI Reference.)
P e r f o r m a n c e b yD e s i g n 219 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 4 Load Balancing
CLI EXAMPLE
220 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Overview
IP protocol load balancing enables you to easily load balance traffic based
solely on whether the traffic is TCP, UDP, or other (not UDP or TCP), with-
out the need to specify the protocol port numbers to be load balanced.
You can combine IP protocol load balancing with other load balancing con-
figurations. For example, you can use IP protocol load balancing along with
HTTP load balancing. In this case, HTTP traffic to the VIP HTTP port num-
ber is load balanced separately from traffic to other port numbers.
P e r f o r m a n c e b yD e s i g n 221 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
FIGURE 93 IP Protocol Load Balancing
This example uses separate service groups for each of the following types of
traffic:
• HTTP traffic addressed to TCP port 80 is sent to service group http-grp.
• All TCP traffic addressed to any TCP port except port 80 is sent to ser-
vice group tcp-grp.
222 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
• All UDP traffic, addressed to any UDP port, is sent to service group
udp-grp.
• All other traffic (all non TCP/UDP traffic) is sent to service group oth-
ers-grp.
Although this example shows separate service groups for each type of traf-
fic, you can use the same service group for multiple traffic types.
Health checking does not apply to the wildcard port. When you configure IP
protocol load balancing, make sure to disable health checking of port 0. If
you leave health checking enabled, the port will be marked down and the
client’s request therefore will not be serviced.
SLB NAT
For client request traffic to which IP protocol load balancing applies, the
AX device translates only the destination IP address, not the protocol port
number. The AX device translates the destination IP address in the request
from the VIP address to a real server’s IP address. The AX device then
sends the request to the same protocol port number as the one requested by
the client. (Likewise, the AX device does not translate the port number to
“0”.)
Template Support
P e r f o r m a n c e b yD e s i g n 223 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring IP Protocol Load Balancing
Direct Server Return
2. Configure the service group(s). To add members (real servers) for traffic
to which IP protocol load balancing will apply, specify 0 as the protocol
port for the member.
224 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring IP Protocol Load Balancing
3. Configure the virtual server. Bind virtual port 0 to the service group(s)
that have members for port 0. Specify one of the following as the service
type:
• TCP
• UDP
• Others
Note: For load balancing of non-TCP/UDP traffic, you can specify TCP or UDP
as the transport protocol, in the configurations of the real server ports and
service groups. If the port number is 0 and the service type on the virtual
port is “others”, the AX device will load balance the traffic as non-TCP/
UDP traffic.
2. On the Service Group tab, enter 0 as the port number on the Service
Group tab.
3. On the Virtual Server Port tab (Config > Service > SLB > Virtual
Server), select TCP, UDP, or Others in the Type drop-down list.
For simplicity, the example assumes that only the default TCP health check
is used for port 80. Health checking does not apply to the wildcard port
number and is therefore disabled. Health checking of other, explicitly speci-
fied port numbers is still supported as in previous releases.
AX(config)#slb server rs1 10.10.10.21
AX(config-real server)#port 80 tcp
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.10.22
AX(config-real server)#port 80 tcp
AX(config-real server)#exit
AX(config)#slb server rs3 10.10.20.21
AX(config-real server)#port 0 tcp
P e r f o r m a n c e b yD e s i g n 225 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring IP Protocol Load Balancing
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs4 10.10.20.22
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs5 10.10.30.21
AX(config-real server)#port 0 udp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs6 10.10.30.22
AX(config-real server)#port 0 udp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs7 10.10.40.21
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs8 10.10.40.22
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
226 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring IP Protocol Load Balancing
The following commands configure the virtual server.
AX(config)#slb virtual-server vip1 192.168.2.1
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#service-group http-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 0 tcp
AX(config-slb virtual server-slb virtua...)#service-group tcp-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 0 udp
AX(config-slb virtual server-slb virtua...)#service-group udp-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 0 others
AX(config-slb virtual server-slb virtua...)#service-group tcp-others
To display configuration information and statistics, you can use the same
show commands used for other types of SLB:
show session
P e r f o r m a n c e b yD e s i g n 227 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring IP Protocol Load Balancing
228 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring a Wildcard VIP
Wildcard VIPs
You can create SLB configurations that use wildcard VIPs and wildcard vir-
tual ports. A wildcard VIP matches on any destination IP address. Likewise,
a wildcard virtual port matches on any port number.
You can use wildcard VIPs for all types of load balancing:
• SLB
• IP load balancing
Note: Use of wildcard VIPs and interface-based SYN cookies is not supported.
You can configure multiple wildcard VIPs and wildcard ports. The AX
device allows multiple VIPs to have IP address 0.0.0.0. Likewise, multiple
ports that have port number 0 are allowed.
In the current release, wildcard ports must have service type TCP or HTTP.
Other service types are not supported on wildcard ports in the current
release.
P e r f o r m a n c e b yD e s i g n 229 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring a Wildcard VIP
Promiscuous VIP support must be enabled on the interface connected to cli-
ents who will access wildcard VIPs. By default, promiscuous VIP support is
disabled.
Note: The ACL acts as a “catch-all”, and treats any IP address permitted by the
ACL, and received on the promiscuous VIP interface, as a wildcard VIP.
A10 Networks recommends that you use the most restrictive ACL possi-
ble, to permit only the IP addresses that should be treated as VIPs and
deny all other IP addresses.
If you do not configure a default wildcard VIP, traffic that does not match
any of the ACLs bound to the other wildcard VIPs is forwarded at Layer 2/
3, if applicable.
AX Release 2.0.2 and later supports forwarding of wildcard VIP traffic that
is not bound to a service group. The AX device creates a session for the traf-
fic and forwards it at Layer 2/3. This feature is useful in mixed wildcard vir-
tual server environments where Layer 4-7 features apply to certain VIPs and
Layer 2/3 forwarding applies to other traffic.
In AX releases prior to 2.0.2, Layer 4 traffic for a wildcard VIP that is not
bound to a service group is dropped.
4. On the General tab, enter a name for the virtual server in the Name field.
230 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring a Wildcard VIP
5. Select the Wildcard checkbox next to the Name field. Selecting this
checkbox causes the Access List drop-down list to appear in place of the
IP Address field.
2. Click on the interface name to display the configuration tabs for the
interface.
5. Click OK.
FIGURE 94 Config > Service > SLB > Virtual Server - wildcard VIP
configuration
P e r f o r m a n c e b yD e s i g n 231 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring a Wildcard VIP
FIGURE 95 Config > Service > SLB > Virtual Server - promiscuous VIP
support
To configure a wildcard VIP, use the following command at the global con-
figuration level of the CLI:
The ipaddr is used as the name of the virtual server and can be an IPv4
address or an IPv6 address.
If you specify an ACL, the ACL is used to control the clients allowed to
access the VIPs and the VIP addresses managed by the wildcard VIP. The
source address in the ACL filters the clients. The destination address in the
ACL filters the VIPs.
To enable promiscuous VIP support, use the following command at the con-
figuration level for each interface connected to clients:
[no] ip allow-promiscuous-vip
232 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring a Wildcard VIP
Configuration Examples
P e r f o r m a n c e b yD e s i g n 233 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring a Wildcard VIP
234 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
P e r f o r m a n c e b yD e s i g n 235 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
When the AX device receives a request from a client, the AX device uses
SLB load balancing to select one of the WAN links. The AX device then
uses source IP NAT to translate the client’s private IP address into a public
IP address, then sends the client’s request to the next-hop router for the
selected WAN link.
When the AX device receives the server’s reply to the client’s request, the
AX device translates the destination IP address from the NAT address back
into the client’s private IP address, then forwards the reply to the client.
The pools do not need to contain more than a few addresses. The AX device
internally uses a separate protocol port number for each client session on a
pool address.
236 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
4. Configure a real server for each link to be load balanced. Add wildcard
ports (TCP 0, UDP 0, or both) to the server.
Note: You can use Layer 3 health checking (ICMP ping) to check the health of
the router’s IP interface. However, the configuration requires health
checking to be disabled on the wildcard ports added for a router. The
router will not respond to these health checks. If you leave health check-
ing enabled on the wildcard ports, the AX device will mark the ports
down and LLB will not work.
5. Configure a service group for the links (real servers). If the real server
configurations for the links have both TCP and UDP ports, configure a
service group for TCP and another service group for UDP.
P e r f o r m a n c e b yD e s i g n 237 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
CLI Example
The following commands configure the IP source NAT pools and pool
group:
AX(config)#ip nat pool nat10 192.168.10.3 192.168.10.4 netmask /24
AX(config)#ip nat pool nat20 192.168.20.3 192.168.20.4 netmask /24
AX(config)#ip nat pool-group outbound-nat-group nat10 nat20
Note: For simplicity, this example uses a single Ethernet port for each interface
to the clients and the next-hop routers. You also can use trunk interfaces,
virtual Ethernet (VE) interfaces, or both.
AX(config)#interface ethernet 3
AX(config-if: ethernet3)#ip address 10.10.10.1 255.255.255.0
AX(config-if: ethernet3)#ip allow-promiscuous-vip
AX(config-if: ethernet3)#exit
AX(config)#interface ethernet 4
AX(config-if: ethernet4)#ip address 10.20.20.1 255.255.255.0
AX(config-if: ethernet4)#ip allow-promiscuous-vip
AX(config-if: ethernet4)#exit
238 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
The following commands configure a real server for each link to be load
balanced:
AX(config)#slb server link-101 192.168.10.1
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server link-201 192.168.20.1
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
P e r f o r m a n c e b yD e s i g n 239 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
240 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
P e r f o r m a n c e b yD e s i g n 241 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
In this example, a client sends a request for content that is hosted by the
content server. The AX device redirects the client’s request to the cache
server. If the cache server has the requested content, the cache server sends
the content to the AX device, which sends the content to the client.
If the content is cacheable, but the cache server does not have the requested
content or the content is stale, the cache server requests the content from the
content server, caches the content, then sends the content to the AX device,
which sends the content to the client.
Granularity of TCS
If your network uses multiple cache servers, you can configure destination-
IP persistence, to always select the same cache server for content from a
given destination IP address. This technique reduces cache misses, by
ensuring that requests for a given site IP address always go to the same
cache server.
For even greater control, you can configure the AX device to select from
among multiple cache service groups based on the requested URL. When
combined with destination-IP persistence, this method allows you to control
initial selection of the cache service group, after which the AX device
always sends requests for the same content to the same cache server within
the cache service group.
Application Templates
TCS does not require configuration of any application templates. However,
you can use the following types of application templates for advanced fea-
tures, such as URL-based Layer 7 TCS:
• HTTP template – If you want to selectively redirect client requests
based on URL strings, you can use an HTTP template containing URL
switching rules. When a client request matches the URL string in a URL
242 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
switching rule, the AX device selects the service group specified in the
URL switching rule, instead of the service group bound to the virtual
port.
For example, you can configure a URL switching rule that matches on
any URL that contains “.mycorp/”. In this case, requests for any URL
that contains “.mycorp/” are sent to the service group that contains the
cache server. Requests for other URLs are sent to the gateway router
instead.
In a Layer 7 TCS configuration that uses URL switching, a separate real
server is required for the gateway router, and the real server is required
to be placed in its own service group. The gateway router’s service
group is used as the default service group for the virtual port. Client
requests to a URL that does not match a URL switching rule are sent to
the gateway router’s service group instead of the cache server’s service
group.
• Destination-IP persistence template – In deployments that use multiple
cache servers, you can use a destination-IP persistence template to
ensure that the same cache server is used for every request for content
on a given content server. The AX device uses standard SLB to select a
cache server for the first request to a real server IP address, and assigns a
hash value to the server. All subsequent requests for the same real server
are sent to the same cache server.
By always using the same cache server for content from a given server, a
destination-IP persistence template can reduce duplication of content on
multiple cache servers, and can also reduce cache misses.
• RAM caching template – To also cache some content on the AX device
itself, you can use a RAM caching template. In this case, the AX device
directly serves content that is cached on the AX device, and only sends
requests to the cache server for content that is not cached on the AX
device.
• Connection reuse template – You can use a connection reuse template to
reuse TCP connections. When a client’s session ends, the TCP connec-
tion is not terminated. Instead, the connection is reused for a new client
session.
Some cache servers can use the client’s IP address instead of the cache
server’s IP address as the source address when obtaining content requested
by the client. A cache server operating in this mode is a spoofing cache
server. Configuration for a spoofing cache server includes a couple of addi-
tional steps. (See “Enabling Support for Cache Spoofing” on page 254.)
P e r f o r m a n c e b yD e s i g n 243 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
2. Configure an extended ACL that uses the permit action and that matches
on client addresses as the source address, and on the content server
address as the destination address.
3. Configure a real server for the cache server. Add the TCP or UDP port;
for example, TCP port 80.
If the cache server will spoof client IP addresses when requesting con-
tent from content servers, enable cache spoofing support.
4. Configure a service group for the cache server and add the cache server
to it.
6. If the cache server will spoof client IP addresses when requesting con-
tent from content servers, enable cache spoofing support on the AX
interface connected to the cache server, and on the real server (cache
server).
244 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
CLI Example
P e r f o r m a n c e b yD e s i g n 245 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
The following commands configure a real server for the cache server. TCP
port 80 is added to the real server.
AX(config)#slb server cache-rs 110.110.110.10
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
246 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
The following command configures a service group for the cache server:
AX(config)#slb service-group sg-tcs tcp
AX(config-slb svc group)#member cache-rs:80
AX(config-slb svc group)#exit
The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 tcp
AX(config-slb vserver-vport)#service-group sg-tcs
AX(config-slb vserver-vport)#no-dest-nat
Figure 99 on page 248 shows an example of the first method, which does
not use URL switching rules. Figure 100 on page 249 shows an example of
the second method, which does use URL switching rules.
P e r f o r m a n c e b yD e s i g n 247 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
248 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
P e r f o r m a n c e b yD e s i g n 249 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
2. Configure an extended ACL that uses the permit action and that matches
on client addresses as the source address, and on the content server
address as the destination address.
3. Configure a real server for the cache server. Add the TCP port; for
example, TCP port 80.
4. Configure a service group for the cache server and add the cache server
to it.
CLI Example
The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#service-group sg-tcs
AX(config-slb vserver-vport)#no-dest-nat
2. Configure an extended ACL that uses the permit action and that matches
on client addresses as the source address, and on the content server
address as the destination address.
3. Configure a real server for the cache server. Add the TCP or UDP port;
for example, TCP port 80.
250 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
4. Configure a real server for the next-hop router through which the AX
device will reach the content servers. Add the same TCP port number as
the one on the cache server (for example, TCP port 80). Disable health
checking on the port.
5. Configure a service group for the cache server and add the cache server
to it.
6. Configure a separate service group for the router, and add the router to
it.
CLI Example
The following commands configure a real server for the gateway router:
AX(config)#slb server router 10.10.10.20
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
P e r f o r m a n c e b yD e s i g n 251 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#service-group sg-router
AX(config-slb vserver-vport)#template http http1
AX(config-slb vserver-vport)#no-dest-nat
To optimize TCS in deployments that use more than one cache server, use a
destination-IP persistence template.
CLI Example
252 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
P e r f o r m a n c e b yD e s i g n 253 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
The following commands configure the VIP. The commands are the same as
those used for Layer 7 TCS, with the addition of a command to bind the
destination-IP persistence template to the virtual port.
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template http http1
AX(config-slb vserver-vport)#service-group sg-router
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#template persist destination-ip d-sticky
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
If the cache server spoofs client IP addresses when requesting content from
servers, the following additional configuration is required:
1. Enable cache spoofing support on the AX interface connected to the
spoofing cache server. In the CLI, enter the following command at the
configuration level for the AX interface:
cache-spoofing-port
2. In the real server configuration for the cache server, enable spoof cach-
ing support. In the CLI, enter the following command at the configura-
tion level for the real server:
spoofing-cache
CLI Example
The commands in this section enable cache spoofing support for the TCS
configuration shown in Figure 101.
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#ip address 110.110.110.254 255.255.255.0
AX(config-if:ethernet5)#ip cache-spoofing-port
AX(config-if:ethernet5)#exit
AX(config)#slb server cache-rs 110.110.110.10
AX(config-real server)#spoofing-cache
AX(config-real server)#port 80 tcp
254 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Overview
AX Series devices support Firewall Load Balancing (FWLB). FWLB load
balances server-client sessions across firewalls. Figure 102 shows an exam-
ple FWLB topology.
P e r f o r m a n c e b yD e s i g n 255 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This example shows two pairs of AX devices. One pair is located on the
public (unprotected) side of the network. The other pair is located on the
secured side of the network. Each pair is configured for High Availability
(HA). One member of the pair is the Active AX device and the other is a hot
Standby.
SLB for the real servers is configured on one of the AX pairs. You can con-
figure SLB for the servers on either AX pair. However, do not add the SLB
configuration to both AX pairs.
• Virtual IP addresses
Firewall Groups
This example uses a single firewall group for both firewall nodes. When
you configure FWLB, make sure to configure a firewall group for the fire-
walls rather than an SLB service group.
Templates
Although this example does not use one, you can use a source-IP persis-
tence template in an FWLB configuration. You can bind a source-IP persis-
tence template to the virtual firewall or to individual service ports on the
virtual firewall.
• If you apply a source-IP persistence template to the virtual firewall, the
AX device sends all traffic from a given source address through the
same firewall.
• If you apply a source-IP persistence template to an individual service
port on the virtual firewall, the AX device sends all traffic from a given
client for that service port through the same firewall.
256 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Health Monitors
To monitor the health of a firewall, use a Layer 3 monitor with the ICMP
method, and with transparent mode enabled. This type of health monitor
verifies a firewall’s health by verifying the path through the firewall to the
AX device or HA pair on the other side of the firewall.
P e r f o r m a n c e b yD e s i g n 257 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
In this topology, each AX device is directly connected to only two of the
four firewalls, but can reach the other two firewalls at Layer 2 through the
other AX device. In this topology, one AX device is active for SLB and
FWLB and the other AX device is a hot standby for these services. The
standby AX device allows Layer 2 client-server traffic to pass through but
blocks other traffic. The active AX device load balances client-server traffic
across all four firewalls.
For example, assume that External AX1 is the active member of the HA pair
(is the one actively performing SLB and FWLB). External AX1 is directly
connected to the firewalls with interfaces 20.1.1.1 and 20.1.1.2, but can also
reach the other two firewalls by sending the traffic at Layer 2 through Exter-
nal AX2. External AX2, the standby for SLB and FWLB, allows client-
server traffic to pass through at Layer 2.
Static IP Routes
258 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
In the example above, External AX1 has the following static routes:
• Destination: 30.1.1.0 Next hop: 20.1.1.1 – This route reaches the fire-
wall VE subnet of the internal AX devices, through one of the firewalls.
• Destination: 40.1.1.0 Next hop: 20.1.1.1 – This route reaches the VE
subnet of the real servers, through one of the firewalls.
Notice that on each AX device, both static routes use the same next hop.
This is not required but it is recommended. Using the same hop does not
present a single point of failure. If the route to the specified next hop goes
down, the AX device automatically looks for another path to the route's des-
tination through another firewall.
P e r f o r m a n c e b yD e s i g n 259 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
FWLB Parameters
FWLB Parameters
Table 4 lists the FWLB parameters.
260 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
FWLB Parameters
TABLE 4 FWLB Parameters (Continued)
Parameter Description and Syntax Supported Values
Service ports Specifies the service ports to load balance. Protocol port number, 1-65535
(Optional) port port-number {tcp | udp} Default: No service ports are specified,
Config > Service > Firewall > Firewall Virtual which means all traffic is load bal-
server - Port tab anced.
(See the “Firewall Virtual Service Port Parameters”
below for additional port settings)
Firewall group Specifies the firewall group to use. Name of a configured firewall group
(Required) You also can specify a firewall group on individual Default: not set
service ports. If you specify a firewall group at each
level, the firewall group specified for the individual
service port takes precedence.
[no] service-group group-name
Config > Service > Firewall > Firewall Virtual
server
High Availabil- Specifies the HA group to use for the virtual fire- 1-31
ity (HA) group wall’s traffic. Default: not set
(Optional) [no] ha-group group-id
Config > Service > Firewall > Firewall Virtual
server
Session synchro- Synchronizes active sessions onto the standby AX Enabled or disabled
nization in the HA pair, to prevent the sessions from being Default: Disabled
(Optional) interrupted if an HA failover occurs.
[no] ha-conn-mirror
Config > Service > Firewall > Firewall Virtual
server
Source-IP persis- Sends all traffic from a given source address to the Name of a configured source-IP per-
tence template same firewall. sistence template
(Optional) You also can specify a source-IP persistence tem- Default: not set
plate on individual service ports. If you specify a
template at each level, the template specified for the
individual service port takes precedence.
Note: The match-type option is not applicable to
FWLB. The match type for FWLB is always server,
which sets the granularity of source-IP persistence
to individual firewalls, not firewall groups or indi-
vidual service ports.
[no] template persist source-ip
template-name
This parameter cannot be configured using the GUI.
P e r f o r m a n c e b y
D e s i g n 261 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
FWLB Parameters
TABLE 4 FWLB Parameters (Continued)
Parameter Description and Syntax Supported Values
TCP idle timeout Specifies the number of seconds a TCP session 60-15000 seconds
(Optional) through a firewall can remain idle before the AX Default: 300 seconds
device terminates the session.
[no] tcp-idle-timeout seconds
Config > Service > Firewall > Firewall Virtual
server
Note: The idle timeout applied to a session can
come from the idle timeout configured here, the idle
timeout configured on the virtual firewall port, or
the idle time configured in SLB. See “TCP and
UDP Session Aging” on page 263.
UDP idle time- Specifies the number of seconds a UDP session 60-15000 seconds
out through a firewall can remain idle before the AX Default: 300 seconds
(Optional) device terminates the session.
[no] udp-idle-timeout seconds
Config > Service > Firewall > Firewall Virtual
server
Note: The idle timeout applied to a session can
come from the idle timeout configured here, the idle
timeout configured on the virtual firewall port, or
the idle time configured in SLB. See “TCP and
UDP Session Aging” on page 263.
Firewall Virtual Service Port Parameters
Firewall group Specifies the firewall group to use. Name of a configured firewall group
(Optional) If you specify a firewall group at this level, the fire- Default: not set
wall group specified here takes precedence over the
firewall group specified at the firewall level.
[no] service-group group-name
Config > Service > Firewall > Firewall Virtual
server - Port tab
Source-IP persis- Sends all traffic from a given source address to the Name of a configured source-IP per-
tence template same firewall. sistence template
(Optional) If you specify a source-IP persistence template at Default: not set
this level, the template specified here takes prece-
dence over the template specified at the firewall
level.
[no] template persist source-ip
template-name
This parameter cannot be configured using the GUI.
262 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
FWLB Parameters
TABLE 4 FWLB Parameters (Continued)
Parameter Description and Syntax Supported Values
TCP/UDP idle Specifies the number of seconds a session through a 60-15000 seconds
timeout firewall on this service port can remain idle before Default: 300 seconds
(Optional) the AX device terminates the session.
[no] idle-timeout seconds
Config > Service > Firewall > Firewall Virtual
server - Port tab
Note: The idle timeout applied to a session can
come from the idle timeout configured here, the idle
timeout configured on the virtual firewall, or the
idle time configured in SLB. See “TCP and UDP
Session Aging” on page 263.
Note: In the current release, the TCP idle-timeout settings in FWLB are never
used. The AX device allows you to configure them but they are not used.
P e r f o r m a n c e b y
D e s i g n 263 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
Configuring FWLB
To configure FWLB:
1. Configure High Availability (HA) parameters: HA ID, HA group, ses-
sion synchronization, and floating IP address.
To apply FWLB only to traffic for specific services, create a virtual port for
each service, and bind the firewall group to each virtual port. If FWLB will
apply to all traffic types, do not configure any virtual ports on the virtual
firewall.
If the AX device is configured for HA, specify the HA group ID to use for
the virtual port.
Note: The essential steps are described in this section. For the complete list of
FWLB settings you can configure, see Table 4 on page 260.
3. Click Add.
4. On the Health Monitor tab, enter a name for the health monitor.
5. On the Method tab, select ICMP from the Type drop-down list.
264 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
8. Click OK. The new health monitor appears in the Health Monitor table.
5. Select the health method to use for checking the path through the fire-
wall to the other AX device.
If an HA pair is configured on the other side of the firewall, enter the
floating IP address of the HA pair.
P e r f o r m a n c e b yD e s i g n 265 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
FIGURE 105 Config > Service > Firewall > Firewall Node
3. On the Firewall Group tab, enter a name for the service group.
5. Click Add.
7. Click OK. The firewall group appears in the Firewall Group table.
FIGURE 106 Config > Service > Firewall > Firewall Group
266 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
To configure the virtual firewall
1. Select Virtual Firewall Server on the menu bar.
2. Click Add.
5. If you want to load balance all types of traffic through the firewalls,
click OK to complete the configuration. Otherwise, to load balance only
specific services, go to step 6.
P e r f o r m a n c e b yD e s i g n 267 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
FIGURE 107 Config > Service > Firewall > Firewall Virtual Server
FIGURE 108 Config > Service > Firewall > Firewall Virtual Server - Port tab
268 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
USING THE CLI
1. To configure HA parameters, use the following commands at the global
configuration level of the CLI:
ha id {1 | 2}
ha group group-id priority number
ha conn-mirror ip ipaddr
ha interface ethernet port-num
[router-interface | server-interface | both]
[no-heartbeat | vlan vlan-id]
floating-ip ipaddr ha-group group-id
2. To configure a health check for a firewall path, use the following com-
mands:
health monitor monitor-name
[interval seconds | retry number |
timeout seconds]
Enter this command at the global Config level.
method icmp transparent ipaddr
Enter this command at the configuration level for the health monitor.
The transparent option is required and configures the health method to
check the full path through the firewall to the other AX. The ipaddr
specifies the IP address of the AX on the other side of the firewall. In an
HA configuration, the ipaddr is the floating IP address of the HA group
on the other side of the firewall.
3. To configure a firewall and assign a health monitor to it, use the follow-
ing commands:
fwlb node fwall-name ipaddr
Enter this command at the global Config level.
health-check monitor-name
Enter this command at the configuration level for the firewall.
4. To configure a firewall group and add the firewalls to it, use the follow-
ing commands:
fwlb service-group group-name
Enter this command at the global Config level.
member fwall-name [priority num]
method least-connection
P e r f o r m a n c e b yD e s i g n 269 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
The priority option enables you to designate some firewalls as backups
(the lower priority firewalls) to be used only if the higher priority fire-
walls all are unavailable.
The method command is optional and changes the load-balancing
method from round-robin (the default) to least-connections.
Enter these commands at the configuration level for the firewall group.
270 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
CLI CONFIGURATION EXAMPLE—TOPOLOGY USING LAYER 2 SWITCHES
P e r f o r m a n c e b yD e s i g n 271 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
The following commands configure the firewalls:
AX-Ext-A(config)#fwlb node fw1 10.1.1.1
AX-Ext-A(config-firewall node)#health-check fwpathcheck
AX-Ext-A(config-firewall node)#exit
AX-Ext-A(config)#fwlb node fw2 10.1.1.2
AX-Ext-A(config-firewall node)#health-check fwpathcheck
AX-Ext-A(config-firewall node)#exit
272 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
AX-Ext-S(config-fwlb service group)#exit
AX-Ext-S(config)#fwlb virtual-firewall default
AX-Ext-S(config-fwlb virtual firewall default)#ha-group 1
AX-Ext-S(config-fwlb virtual firewall default)#port 80 tcp
AX-Ext-S(config-fwlb virtual firewall default...)#service-group fwsg
AX-Ext-S(config-fwlb virtual firewall default...)#ha-conn-mirror
P e r f o r m a n c e b yD e s i g n 273 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
CLI Commands on Internal AX (Standby)
AX-Int-S(config)#ha id 2
AX-Int-S(config)#ha group 1 priority 1
AX-Int-S(config)#ha interface ethernet 1
AX-Int-S(config)#ha interface ethernet 2
AX-Int-S(config)#ha conn-mirror ip 10.5.1.5
AX-Int-S(config)#floating-ip 10.5.1.100 ha-group 1
AX-Int-S(config)#floating-ip 10.20.1.100 ha-group 1
AX-Int-S(config)#health monitor fwpathcheck
AX-Int-S(config-health:monitor)#method icmp transparent 10.1.1.100
AX-Int-S(config-health:monitor)#exit
AX-Int-S(config)#fwlb node fw1 10.5.1.1
AX-Int-S(config-firewall node)#health-check fwpathcheck
AX-Int-S(config-firewall node)#exit
AX-Int-S(config)#fwlb node fw2 10.5.1.2
AX-Int-S(config-firewall node)#health-check fwpathcheck
AX-Int-S(config-firewall node)#exit
AX-Int-S(config)#fwlb service-group fwsg
AX-Int-S(config-fwlb service group)#member fw1
AX-Int-S(config-fwlb service group)#member fw2
AX-Int-S(config-fwlb service group)#exit
AX-Int-S(config)#fwlb virtual-firewall default
AX-Int-S(config-fwlb virtual firewall default)#ha-group 1
AX-Int-S(config-fwlb virtual firewall default)#port 80 tcp
AX-Int-S(config-fwlb virtual firewall default...)#service-group fwsg
AX-Int-S(config-fwlb virtual firewall default...)#ha-conn-mirror
274 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
CLI CONFIGURATION EXAMPLE—TOPOLOGY WITHOUT LAYER 2 SWITCHES
The following sections show the CLI commands for configuring interfaces,
FWLB, and HA on each of the AX devices shown in Figure 103 on
page 257. For simplicity, the SLB configuration is not shown.
P e r f o r m a n c e b yD e s i g n 275 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
The following commands configure global HA parameters:
Ext-AX1(config)#ha id 1
Ext-AX1(config)#ha group 1 priority 200
Ext-AX1(config)#ha interface ethernet 1
Ext-AX1(config)#ha interface ethernet 2
Ext-AX1(config)#ha interface ethernet 4
Ext-AX1(config)#ha conn-mirror ip 50.1.1.2
Ext-AX1(config)#ha preemption-enable
Ext-AX1(config)#floating-ip 20.1.1.254 ha-group 1
276 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
Ext-AX1(config-slb virtual firewall default...)#service-group fwsg
Ext-AX1(config-slb virtual firewall default...)#ha-conn-mirror
This configuration is like the configuration for External AX1, with the fol-
lowing exceptions:
• The VE IP addresses are different (although they are in the same subnets
as those on the other AX device).
• The HA ID, priority, and connection mirroring IP address are different
from the other AX device.
P e r f o r m a n c e b yD e s i g n 277 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
Ext-AX2(config)#ha interface ethernet 1
Ext-AX2(config)#ha interface ethernet 2
Ext-AX2(config)#ha interface ethernet 4
Ext-AX2(config)#ha conn-mirror ip 50.1.1.1
Ext-AX2(config)#ha preemption-enable
Ext-AX2(config)#floating-ip 20.1.1.254 ha-group 1
This configuration is like the configuration for External AX1, with the fol-
lowing exceptions:
• The VE IP addresses and subnets are different. (The VLAN numbers
and some of the VE numbers also are different, but this is not required.
For simplicity, the VLAN numbers were selected to match the subnet
numbers.)
• The static routes are different.
278 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
The following commands configure the VE interface to the servers:
Int-AX1(config)#vlan 40
Int-AX1(config-vlan:40)#untagged ethernet 2
Int-AX1(config-vlan:40)#router-interface ve 2
Int-AX1(config-vlan:40)#exit
Int-AX1(config)#interface ve 2
Int-AX1(config-if:ve2)#ip address 40.1.1.10 255.255.255.0
Int-AX1(config-if:ve2)#exit
This configuration is like the configuration for Internal AX1, with the fol-
lowing exceptions:
• The VE IP addresses are different (although they are in the same subnets
as those on the other AX device).
• The HA ID, priority, and connection mirroring IP address are different
from the other AX device.
P e r f o r m a n c e b yD e s i g n 279 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring FWLB
The health monitor and FWLB configuration is the same. For brevity, it is
not shown.
Int-AX2(config)#trunk 1
Int-AX2(config-trunk:1)#ethernet 9 to 10
Int-AX2(config-trunk:1)#exit
Int-AX2(config)#vlan 60
Int-AX2(config-vlan:60)#untagged ethernet 9 to 10
Int-AX2(config-vlan:60)#router-interface ve 60
Int-AX2(config-vlan:60)#exit
Int-AX2(config)#interface ve 60
Int-AX2(config-if:ve60)#ip address 60.1.1.2 255.255.255.0
Int-AX2(config-if:ve60)#exit
Int-AX2(config)#vlan 40
Int-AX2(config-vlan:40)#untagged ethernet 2
Int-AX2(config-vlan:40)#router-interface ve 2
Int-AX2(config-vlan:40)#exit
Int-AX2(config)#interface ve 2
Int-AX2(config-if:ve2)#ip address 40.1.1.20 255.255.255.0
Int-AX2(config-if:ve2)#exit
Int-AX2(config)#vlan 30
Int-AX2(config-vlan:30)#untagged ethernet 1 ethernet 3 ethernet 13
Int-AX2(config-vlan:30)#router-interface ve 1
Int-AX2(config-vlan:30)#exit
Int-AX2(config)#interface ve 1
Int-AX2(config-if:ve1)#ip address 30.1.1.20 255.255.255.0
Int-AX2(config-if:ve1)#exit
Int-AX2(config)#ip route 10.1.1.0 /24 30.1.1.1
Int-AX2(config)#ip route 20.1.1.0 /24 30.1.1.1
Int-AX2(config)#ha id 2
Int-AX2(config)#ha group 1 priority 100
Int-AX2(config)#ha interface ethernet 1
Int-AX2(config)#ha interface ethernet 2
Int-AX2(config)#ha interface ethernet 3
Int-AX2(config)#ha conn-mirror ip 60.1.1.1
Int-AX2(config)#ha preemption-enable
Int-AX2(config)#floating-ip 40.1.1.254 ha-group 1
280 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This chapter describes how to configure parameters for multiple servers and
service ports using server and port templates.
Overview
The AX device supports the following types of templates for configuration
of SLB servers and ports:
• Server – Contains configuration parameters for real servers
These template types provide the same benefit as other template types. They
allow you to configure a set of parameter values and apply the set of values
to multiple configuration items. In this case, you can configure sets of
parameters (templates) for SLB assets (servers and service ports) and apply
the parameters to multiple servers or ports.
Some of the parameters that can be set using a template can also be set or
changed on the individual server or port.
• If a parameter is set (or changed from its default) in both a template and
on the individual server or port, the setting on the individual server or
port takes precedence.
• If a parameter is set (or changed from its default) in a template but is not
set or changed from its default on the individual server or port, the set-
ting in the template takes precedence.
P e r f o r m a n c e b yD e s i g n 281 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
282 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
TABLE 5 SLB Port and Server Template Parameters (Continued)
Template Type Parameter Description
Real Server Port Health monitor Assigns a configured Layer 4-7 health monitor to all service
ports that use the template. (See “Configuring and Applying
a Health Method” on page 303.)
In-band health monitor Provides rapid server status change and reassignment based
on client-server traffic.
This is an enhanced health check mechanism that works
independently of the standard out-of-band health mecha-
nism. See “In-Band Health Monitoring” on page 322.
Connection limit Specifies the maximum number of connections allowed on
any real port that uses the template. (See “Connection Lim-
iting” on page 290.)
Connection rate limit- Limits the rate of new connections the AX is allowed to
ing send to any real port that uses the template. (See “Connec-
tion Rate Limiting” on page 292.)
Destination NAT Enables destination Network Address Translation (NAT).
Destination NAT is enabled by default, but is disabled in
Direct Server Return (DSR) configurations.
You can re-enable destination NAT on individual ports for
deployment of mixed DSR configurations. See “Direct
Server Return in Mixed Layer 2/Layer 3 Environment” on
page 82.
DSCP Sets the differentiated services code point (DSCP) value in
the IP header of a client request before sending the request
to a server.
Slow start Provides time for real ports that use the template to ramp-up
after TCP/UDP service is enabled, by temporarily limiting
the number of new connections on the ports. (See “Slow-
Start” on page 294.)
Source NAT Specifies the IP NAT pool to use for assigning a source IP
address to client traffic addressed to the port. For informa-
tion about NAT, see “Network Address Translation” on
page 483
Weight Biases load-balancing selection of this port. A higher weight
gives more favor to the server and port relative to the other
servers and ports.
For an example of weighted SLB, see “FTP Load Balanc-
ing” on page 141. (The example configures weights directly
on the real service ports rather than using templates, but still
illustrates how the weight option works.)
Note: The weight option applies only to the weighted-least-
connection, service-weighted-least-connection, and
weighted-round-robin load-balancing methods.
P e r f o r m a n c e b y
D e s i g n 283 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
TABLE 5 SLB Port and Server Template Parameters (Continued)
Template Type Parameter Description
Virtual Server Connection limit Specifies the maximum number of connections allowed on
any VIP that uses the template. (See “Connection Limiting”
on page 290.)
Connection rate limit- Limits the rate of new connections the AX is allowed to
ing send to any VIP that uses the template. (See “Connection
Rate Limiting” on page 292.)
ICMP rate limiting Limits the rate at which ICMP packets can be sent to the
VIP. (See “ICMP Rate Limiting” on page 540.)
Virtual Server Port Connection limit Specifies the maximum number of connections allowed on
any virtual service port that uses the template. (See “Con-
nection Limiting” on page 290.)
Connection rate limit- Limits the rate of new connections the AX is allowed to
ing send to any virtual service port that uses the template. (See
“Connection Rate Limiting” on page 292.)
The default server and port templates are each named “default”. The default
settings in the templates are the same as the default settings for the parame-
ters that can be set in the templates.
284 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Server and Service Port Templates
3. Click Add to create a new one or click on the name of a configured tem-
plate to edit it. The configuration tab for the template appears.
5. Enter or edit other settings. (See the descriptions in the sections below
for information.)
6. Click OK.
The template name can be 1-31 characters. These commands change the
CLI to the configuration level for the template. To modify the default tem-
plate, specify the name “default” (without the quotation marks).
P e r f o r m a n c e b yD e s i g n 285 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Applying a Server or Service Port Template
To display the settings in a template, use one of the following commands:
show slb template server template-name
show slb template port template-name
show slb template virtual-server template-name
show slb template virtual-port template-name
CLI Example
The following commands configure a new real server template and bind the
template to two real servers:
AX(config)#slb template server rs-tmplt1
AX(config-rserver)#health-check ping2
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
This example includes the commands to bind the template to real servers.
For information about binding the templates, see “Applying a Server or Ser-
vice Port Template” on page 286.
If you create a new server or port template, the template takes effect only
after you bind it to servers or ports.
Table 6 lists the types of bindings that are supported for server and port tem-
plates.
286 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Applying a Server or Service Port Template
The following subsections describe how to bind server and port templates to
servers, ports, and service group members. For configuration examples, see
the feature sections referred to in Table 5 on page 282.
4. Select the template from the Server Template drop-down list. To create
one, click create.
Enter the following command at the configuration level for the real server:
P e r f o r m a n c e b yD e s i g n 287 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Applying a Server or Service Port Template
4. On the Port tab, select the template from the Server Port Template drop-
down list. To create one, click create.
5. Click Update.
Enter the following command at the configuration level for the real port:
4. Select the template from the Virtual Server Template drop-down list. To
create one, click create.
Enter the following command at the configuration level for the virtual
server:
288 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Applying a Server or Service Port Template
5. Select the template from the Virtual Server Port Template drop-down
list.
6. Click OK.
Enter the following command at the configuration level for the virtual ser-
vice port:
3. On the Server tab, select the server port template from the Server Port
Template drop-down list.
4. Click OK.
P e r f o r m a n c e b yD e s i g n 289 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Connection Limiting
At the configuration level for the service group, use the template tem-
plate-name option with the member command:
Connection Limiting
By default, the AX device does not limit the number of concurrent connec-
tions on a server or service port. If certain servers or services are becoming
oversaturated, you can set a connection limit. The AX device stops sending
new connection requests to a server or port when that server or port reaches
its maximum allowed number of concurrent connections.
Connection limiting can be set in real server templates, real port templates,
virtual server templates, and virtual port templates.
To set a connection limit in a server or port template, use either of the fol-
lowing methods.
290 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Connection Limiting
USING THE GUI
On the configuration tab for the template:
1. Select the Connection Limit Status checkbox to display the configura-
tion fields.
4. (Virtual Server or Virtual Server Port Templates only) Select the action
to take for connections that occur after the limit is reached: Drop or
Reset.
5. Click OK.
CLI Example
The following commands set the connection limit to 500,000 concurrent
connections in a real server template, then bind the template to real servers:
AX(config)#slb template server rs-tmplt1
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
P e r f o r m a n c e b yD e s i g n 291 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Connection Rate Limiting
When a server or service port reaches its connection limit, the AX device
stops using the server or service port.
2. Enter the connection rate limit in the field next to the checkbox.
4. Select the action to take for connections that exceed the limit: Drop or
Reset.
292 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Connection Rate Limiting
5. (Virtual Server or Virtual Server Port Templates only) Select the action
to take for connections that occur after the limit is reached: Drop or
Reset.
6. Click OK.
CLI Example
The following commands configure connection rate limiting in a real server
template, then bind the template to real servers.
AX(config)#slb template server rs-tmplt1
AX(config-rserver)#conn-rate-limit 50000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
P e r f o r m a n c e b yD e s i g n 293 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Slow-Start
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
Slow-Start
The slow-start feature allows time for a server or real service port to ramp
up after TCP/UDP service on a server is enabled, by temporarily limiting
the number of new connections on the server or port.
You can configure the slow-start parameters described in this section in real
server templates and real port templates.
Note: Alternatively, you can enable slow-start on individual real servers. How-
ever, the ramp-up settings on individual servers are not configurable. The
settings are the same as the default ramp-up settings in server and port
templates.
Ramp-Up Parameters
The default ramp-up is as follows: when enabled, the feature first limits the
server to 128 new connections per second for the first 10 seconds, then dou-
bles the number of new connections allowed in every subsequent 10-second
interval until 4096 new connections per second are allowed. The ramp up
continues for a total of 60 seconds.
294 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Slow-Start
allow. The connection addition can be 1-4095 new connections per
second.
• Ramp-up interval – The ramp-up interval specifies the number of sec-
onds between each increase of the number of new connections allowed.
For example, if the ramp-up interval is 10 seconds, the number of new
connections per second to allow is increased every 10 seconds. The
ramp-up interval can be 1-60 seconds. The default is 10 seconds.
• Ending connections per second – The ending connections per second is
the number of new connections per second at which the ramp-up is com-
pleted. You can specify from 1-65535 new connections per second. The
default is 4096.
Note: For the connection increment, you can specify a scale factor or a connec-
tion addition. The ending connections per second must be higher than the
starting connections per second.
On the configuration tab for the real server template or real port template:
1. Select the Slow Start checkbox to activate the configuration fields.
2. Enter the starting number of connections per second in the field to the
right of "From".
4. Enter the connection increment in the field next to the increment method
you selected.
7. Click OK.
[no] slow-start
[from starting-conn-per-second]
[times scale-factor | add conn-incr]
[every interval]
[till ending-conn-per-second]
P e r f o r m a n c e b yD e s i g n 295 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Slow-Start
CLI Example
The following commands enable slow start in a real server template, using
the default settings, and bind the template to real servers.
AX(config)#slb template server rs-tmplt1
AX(config-rserver)#slow-start
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
296 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Default Health Checks
Health Monitoring
AX Series devices can regularly check the health of real servers and service
ports. Health checks ensure that client requests go only to available servers.
Servers or ports that respond appropriately to health checks remain eligible
to serve client requests. A server or port that does not respond appropriately
to a health check is temporarily removed from service, until the server or
port is healthy again.
The AX device always performs Layer 3 and Layer 4 health checks using
these methods, unless you disable them on the real server or service port or
configure other monitors for the same methods (ICMP, TCP, or UDP).
The ICMP, TCP, and UDP monitors are used even if you also apply addi-
tional configured monitors to a service port.
P e r f o r m a n c e b yD e s i g n 297 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Health Method Timers
Note: The timeout does not apply to externally configured health monitors.
Multiple health method instances can be defined using the same method
type and different parameters. Likewise, multiple health monitors can use
the same health method to check different servers.
Note: To configure a health monitor for Direct Server Return (DSR), see “Con-
figuring Health Monitoring of Virtual IP Addresses in DSR Deploy-
ments” on page 308.
298 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Health Method Types
P e r f o r m a n c e b y
D e s i g n 299 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Health Method Types
TABLE 7 Internal Health Method Types (Continued)
Configuration Required
Type Description Successful If... on Target Server
HTTP / AX Series sends an HTTP GET, Server replies with OK message Requested page (URL) must
HTTPS HEAD, or POST request to the (200), by default. You can con- be present on the server.
specified TCP port and URL. figure the response code(s) and For GET requests, the string
• GET requests the entire page. record type required for a suc- specified as the expected
cessful health check. reply must be present.
• HEAD requests only the
meta-information in the For GET requests, the server For POST operations, the
header. also must reply with the field names specified in the
requested content or meta-infor- health check must be present
• POST attempts to write infor-
mation in the page header. The on the requested page.
mation to the server. For
response must include the string
POST requests, you must For HTTPS health checks,
specified in the Expect field on
specify the target field names SSL support must be enabled
the AX Series.
and the values to post. (For on the server.
more information, see “Con- For HEAD requests, the
A certificate does not need to
figuring POST Requests in AX Series ignores the Expect
be installed on the AX device.
HTTP/HTTPS Health Moni- field and only checks for the
The AX device always
tors” on page 310.) server reply message.
accepts the server certificate
If a user name and password are For POST operations, the data presented by the server.
required to access the page, they must be posted without error.
also must be specified in the
health check configuration.
By default, the real server’s IP
address is placed in the request
header’s Host: field. You can
configure a different value if
needed.
The following types of authenti-
cation are supported: basic,
digest and NT LAN Manager
(NTLM) authentication. If you
specify a username and pass-
word, the health monitor will try
to use basic authentication first.
If this try succeeds, the authenti-
cation process is complete. Oth-
erwise, the health monitor will
negotiate with the server to
select another authentication
method, and retry the health
check using that authentication
method.
ICMP AX Series sends an ICMP echo Server replies with an ICMP Server must be configured to
request (ping) to the server. echo reply message. reply to ICMP echo requests.
Note: This is a Layer 3 health
check only. Use the other
method types to check the health
of a specific application.
300 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Health Method Types
TABLE 7 Internal Health Method Types (Continued)
Configuration Required
Type Description Successful If... on Target Server
LDAP AX Series sends an LDAP Server sends a reply containing If a Distinguished Name and
request to the LDAP port. result code 0. password are sent in the
Optionally, the request can be health check, they must match
directed to a specific Distin- these values on the LDAP
guished Name. server.
Optionally, SSL can be enabled A certificate does not need to
for the health check. be installed on the AX Series.
The AX Series always accepts
The AX Series also must send a
the server certificate pre-
valid password, if one is required
sented by the server.
by the server.
NTP AX Series sends an NTP client Server sends a standard NTP NTP service must be running.
message to UDP port 123. 48-byte reply packet.
POP3 AX Series sends a POP3 user Server replies with an OK mes- Requested user name and
login request with the specified sage. password must be valid on the
user parameter. The AX Series then sends the server.
password specified in the health
check configuration. The
AX Series expects the server to
reply with another OK message.
RADIUS AX Series sends a Password Server sends Access Accepted Requested user name and
Authentication Protocol (PAP) message (reply code 2). password must be configured
request to authenticate the user in the server’s user database.
name and password specified in Likewise, the shared secret
the health check configuration. sent in the health check must
be valid on the server.
RTSP AX Series sends a request for Server replies with information The file must be present on
information about the file speci- about the specified file. the RTSP server.
fied in the health check configu-
ration.
SIP AX Series sends a SIP OPTION Server replies with 200 - OK. None.
request or REGISTER request.
SMTP AX Series sends an SMTP Hello Server sends an OK message Server recognizes and accepts
message. (reply code 250). the domain of sender. If
SMTP service is running and
can reply to Hello messages,
the server can pass the health
check.
SNMP AX Series sends an SNMP Get Server replies with the value of Requested OID and the
or Get Next request to the speci- the OID. SNMP community must both
fied OID, from the specified be valid on the server.
community.
P e r f o r m a n c e b y
D e s i g n 301 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Health Method Types
TABLE 7 Internal Health Method Types (Continued)
Configuration Required
Type Description Successful If... on Target Server
TCP AX Series sends a connection Server replies with a TCP SYN Destination TCP port of the
request (TCP SYN) to the speci- ACK. health check must be valid on
fied TCP port on the server. By default, the AX device com- the server.
pletes the TCP handshake with
the server:
AX -> Server
SYN ->
<- SYN-ACK
ACK ->
FIN-ACK ->
<- FIN-ACK
ACK ->
SYN ->
<- SYN-ACK
RST ->
UDP AX Series sends a packet with a Server does either of the follow- Destination UDP port of the
valid UDP header and a garbage ing: health check must be valid on
payload to the specified UDP • Replies from the specified the server.
port on the server. UDP port with any type of
packet.
• Does not reply at all.
The server fails the health check
only if the server replies with an
ICMP Error message.
302 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
After you bind the health monitor to a real server port, health checks using
the monitor are addressed to the real server port number instead of the port
number specified in the health monitor’s configuration. In this case, you can
override the IP address or port using the override options described in
“Overriding the Target IP Address or Protocol Port Number” on page 315.
2. Apply the monitor to the real server (for Layer 3 checks) or service port.
You can apply a health monitor to a server or port in either of the follow-
ing ways:
• Apply the health monitor to a server or port template, then bind the
template to the server or port.
• Apply the health monitor directly to the individual server or port.
P e r f o r m a n c e b yD e s i g n 303 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
3. Click Add.
5. On the Method tab, select the monitor type from the Type drop-down
list. The rest of the configuration fields change depending on the moni-
tor type. (See “Health Method Types” on page 298.)
7. Click OK. The new monitor appears in the Health Monitor table.
2. In the AX management GUI, select Config > Service > Health Monitor.
4. Click Add.
4. Select the health monitor from the Health Monitor drop-down list.
304 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
5. Configure other settings if needed. (See “Server and Port Templates” on
page 281.)
6. Click OK.
4. Select the health monitor from the Health Monitor drop-down list.
6. Click OK.
4. To apply a Layer 3 health monitor to the server, select the health monitor
from the Health Monitor drop-down list on the General tab.
7. Click OK.
P e r f o r m a n c e b yD e s i g n 305 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
To apply a Layer 3 health monitor to a service group
1. Select Config > Service > SLB.
4. Select the health monitor from the Health Monitor drop-down list on the
Service Group tab.
6. Click OK.
(For more information about how health monitors are used when applied to
service groups, see “Service Group Health Checks” on page 318.)
2. At the configuration level for the monitor, use the following command
to specify the method to use:
[no] method method-name
The method-name can be one of the types listed in “Health Method
Types” on page 298. Also see that section for additional options you can
specify. For syntax information, see the “Config Commands: SLB
Health Monitors” chapter in the AX Series CLI Reference.
306 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
To import an externally configured monitor
1. Create a Tcl script for the monitor. (For an example, see “External
Health Method Examples” on page 331.)
2. At the global configuration level of the AX CLI, use the following com-
mand to import the monitor script:
health external import [description] url
The url specifies the file transfer protocol, username (if required), and
directory path.
You can enter the entire URL on the command line or press Enter to dis-
play a prompt for each part of the URL. If you enter the entire URL and
a password is required, you will still be prompted for the password. To
enter the entire URL:
tftp://host/program-name
ftp://[user@]host[:port]/program-name
scp://[user@]host/program-name
rcp://[user@]host/program-name
3. Create a new health monitor to use the script by entering the following
command at the global config level:
health monitor monitor-name
This command changes the CLI to the configuration level for the new
health monitor.
4. At the configuration level for the monitor, use the following command
to associate the script with the new monitor:
method external [port port-num] program program-
name [arguments argument-string]
For port-num, specify the service port number on the real server.
Use the following command at the configuration level for the server tem-
plate (if applying a monitor that uses the ping method) or at the configura-
tion level for the service port template (for all other method types).
health-check [monitor-name]
P e r f o r m a n c e b yD e s i g n 307 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
To apply the monitor to an individual real server or service port
Use the following command at the configuration level for the server (if
applying a monitor that uses the ping method) or at the configuration level
for the service port (for all other method types).
health-check [monitor-name]
The target of the Layer 3 health checks can be the real IP addresses of the
servers, or the virtual IP address, depending on your preference.
• To send the Layer 3 health checks to the real server IP addresses, you
can use the default Layer 3 health method (ICMP).
• To send the Layer 3 health checks to the virtual IP address instead:
• Configure an ICMP health method with the transparent option
enabled, and with the alias address set to the virtual IP address.
• Globally enable DSR health checking.
Layer 4-7 health checks are sent to the same IP address as the Layer 3 health
checks, and then addressed to the specific protocol port. You can use the
default TCP and UDP health monitors or configure new health monitors.
This example uses the default TCP health monitor.
Note: The following sections show how to configure Layer 3 health checking of
virtual IP addresses and how to globally enable DSR health checking of
virtual IP addresses. A complete DSR deployment requires additional
configuration. See the examples in “Network Setup” on page 49.
308 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
5. Click Method to display the tab.
3. Click Apply.
Enter this command at the global Config level of the CLI. The CLI changes
to the configuration level for the health method.
Use the following command at the global Config level of the CLI:
slb dsr-health-check-enable
P e r f o r m a n c e b yD e s i g n 309 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
2. Click Add.
3. On the Health Monitor tab, enter a name for the monitor in the Name
field.
4. On the Method tab, select HTTP or HTTPS from the Type drop-down
list. Configuration fields for HTTP or HTTPS health monitoring options
appear.
7. Click OK.
310 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
FIGURE 109 HTTP Health Monitor with POST Operation
This command creates the health monitor, but does not configure the health
method used by the monitor. If you enter the monitor-name without entering
any other options, the CLI changes to the configuration level for the moni-
tor. If you enter any of the timer options, the timer value is changed instead.
At the configuration level for the health monitor, enter one of the following
commands:
P e r f o r m a n c e b yD e s i g n 311 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
[no] method http
[port port-num]
[url {GET | HEAD} url-path |
POST url-path postdata string]
[host {ipv4-addr | ipv6-addr | domain-name}
[:port-num]]
[expect {string | response-code code-list}]
[username name]
or
[no] method https
[port port-num]
[url {GET | HEAD} url-path |
POST url-path postdata string]
[host {ipv4-addr | ipv6-addr | domain-name}
[:port-num]]
[expect {string | response-code code-list}]
[username name]
In the postdata string, use “=” between a field name and the value you are
posting to it. If you post to multiple fields, use “&” between the fields. For
example: postdata fieldname1=value&fieldname1=value
CLI Example
The following commands configure an HTTP health method that uses a
POST operation to post firstname=abc and lastname=xyz to /postdata.asp
on the tested server:
AX(config)#health monitor http1
AX(config-health:monitor)#method http url POST /postdata.asp postdata first-
name=abc&lastname=xyz
312 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
another DNS server if the tested server can not fulfill the request using
its own database. Recursion is enabled by default.
• Record type expected from the server – You can specify one of the fol-
lowing record types:
• A – IPv4 address record
• CNAME – Canonical name record for a DNS alias
• SOA – Start of authority record
• PTR – Pointer record for a domain name
• MX – Mail Exchanger record
• TXT – Text string
• AAAA – IPv6 address record
By default, the AX device expects the DNS server to respond to the
health check with an A record.
2. Click Add.
3. On the Health Monitor tab, enter a name for the monitor in the NAme
field.
4. On the Method tab, select DNS from the Type drop-down list. Configu-
ration fields for DNS health monitoring options appear.
5. If the DNS server to be tested does not listen for DNS traffic on the
default DNS port (53), edit the port number in the Port field.
6. To test a specific server, click IP Address and enter the address in the IP
Address field. Otherwise, to test based on a domain name sent in the
health check, leave Domain selected and enter the domain name in the
Domain field.
7. If you left Domain selected, select the record type the server is expected
to send in reply to health checks. Select the record type from the Type
drop-down list.
9. To specify the response codes that are valid for passing a health check,
enter the codes in the Expect field. To specify a range, use a dash. Sepa-
rate the codes (and code ranges) with commas.
P e r f o r m a n c e b yD e s i g n 313 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
FIGURE 110 DNS Health Monitor
This command creates the health monitor, but does not configure the health
method used by the monitor. If you enter the monitor-name without entering
any other options, the CLI changes to the configuration level for the moni-
tor. If you enter any of the timer options, the timer value is changed instead.
At the configuration level for the health monitor, enter the following com-
mand:
314 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
[no] method dns {ipaddr | domain domain-name}
[
expect response-code code-list |
port port-num |
recurse {enabled | disabled} |
type {A | CNAME | SOA | PTR | MX | TXT | AAAA}
]
CLI Example
The following commands configure a DNS health monitor that sends a
query for www.example.com, and expects an Address record and any of the
following response codes in reply: 0, 1, 2, 3, or 5:
AX(config)#health monitor dnshm1
AX(config-health:monitor)#method dns domain www.example.com expect response-
code 0-3,5
P e r f o r m a n c e b yD e s i g n 315 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
FIGURE 111 Example of Health-check Address Override
In this example, the real servers managed by the site AX are configured as
service IPs 192.168.100.100-102 on the GSLB AX. The health-check met-
ric is enabled in the GSLB policy, so health checks are needed to verify that
the service IPs are healthy. One way to do so is to check the health of the
ISP link connected to the site AX device.
316 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring and Applying a Health Method
the device addresses the health check to 192.168.1.1, the override address,
instead of addressing the health check to the service IP addresses.
Override Parameters
The override is used only if applicable to the method (health check type)
and the target. An IP address override is applicable only if the target has the
same address type (IPv4 or IPv6) as the override address.
2. Click on the health monitor name or click Add to create a new one.
4. For other health methods, select the type, then enter the target protocol
port number in the Override Port field.
Use one of the following commands at the configuration level for the health
monitor:
[no] override-ipv4 ipaddr
[no] override-ipv6 ipv6addr
[no] override-port portnum
P e r f o r m a n c e b yD e s i g n 317 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Group Health Checks
The following commands configure a health monitor for the service IPs
shown in Figure 111 on page 316, and apply the monitor to the service IPs.
AX(config)#health monitor site1-hm
AX(config-health:monitor)#method icmp
AX(config-health:monitor)#override-ipv4 192.168.1.1
AX(config-health:monitor)#exit
AX(config)#gslb service-ip gslb-srvc1 192.168.100.100
AX(config-gslb service-ip)#health-check site1-hm
AX(config-gslb service-ip)#exit
AX(config)#gslb service-ip gslb-srvc2 192.168.100.101
AX(config-gslb service-ip)#health-check site1-hm
AX(config-gslb service-ip)#exit
AX(config)#gslb service-ip gslb-srvc3 192.168.100.102
AX(config-gslb service-ip)#health-check site1-hm
318 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Group Health Checks
FIGURE 112 Service Group Health Checks
In this example, a single server provides content for the following sites:
• www.media-rts.com
• www.media-tuv.com
• www.media-wxyz.com
All sites can be reached on HTTP port 80 on the server. The health check
configured on the port in the real server configuration results in the same
health status for all three sites. All of them either are up or are down.
In this case, if one of the sites is taken down for maintenance, the health sta-
tus of that site will still be up, since the real port still responds to the health
check configured on the port.
You can configure the AX device to separately test the health of each site,
by assigning each site to a separate service group, and assigning a separate
Layer 7 health monitor to each of the service groups. In this case, if a site is
taken down for maintenance, that site fails its health check while the other
sites still pass their health checks, on the same real port.
P e r f o r m a n c e b yD e s i g n 319 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Group Health Checks
server’s HTTP port is up, a site will fail its health check if the URL
requested by its health check is unavailable.
Health checks can be applied to the same resource (real server or port) at the
following levels:
1. In a service group that contains the server and port as a member
In cases where health checks are applied at multiple levels, they have the
priority listed above. For example, if a service group health check is config-
ured, the health of a service is based on that health check, not on a health
check at the server port template or individual port configuration level.
Service group health status applies only within the context of the service
group. For example, a health check of the same port from another service
group can result in a different health status, depending on the resource
requested by the health check.
On the Service Group configuration tab, select the monitor from the Health
Monitor list or click “create” to create a new one and select it.
Use the following command at the configuration level for the service group:
CLI Example
The commands in this section implement the configuration shown in
Figure 112.
320 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Group Health Checks
The following commands configure the health monitors for each site on the
server:
AX(config)#health monitor qrs
AX(config-health:monitor)#method http url GET /media-qrs/index.html
AX(config-health:monitor)#exit
AX(config)#health monitor tuv
AX(config-health:monitor)#method http url GET /media-tuv/index.html
AX(config-health:monitor)#exit
AX(config)#health monitor wxyz
AX(config-health:monitor)#method http url GET /media-wxyz/index.html
AX(config-health:monitor)#exit
P e r f o r m a n c e b yD e s i g n 321 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
In-Band Health Monitoring
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
AX(config)#slb virtual-server media-wxyz 192.168.1.12
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#service-group wxyz
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
In the current release, in-band health monitoring is supported for the follow-
ing service types:
• TCP
• HTTP
• HTTPS
The in-band health check works independently of and supplements the stan-
dard Layer 4 health check. For example, for TCP, the standard health check
works as follows by default:
This is the same Layer 4 health check available in previous releases and has
the same defaults.
Note: A10 Networks recommends that you continue to use standard Layer 4
health monitoring even if you enable in-band health monitoring. Without
standard health monitoring, a server port marked down by an in-band
health check remains down.
322 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
In-Band Health Monitoring
How In-Band Layer 4 Health Monitoring Works
When the AX device marks a server port down, the device generates a log
message and an SNMP trap, if logging or SNMP traps are enabled. The
message and trap are the same as those generated when a server port fails a
standard health check. However, you can discern whether the port was
marked down due to a failed in-band health check or standard health check,
based on the module name listed in the message.
• A10LB – The port was marked down by an in-band health check.
P e r f o r m a n c e b yD e s i g n 323 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
In-Band Health Monitoring
In-band health monitoring does not mark ports up. Only standard health
monitoring marks ports up. So messages and traps for server ports coming
up are generated only by the A10HM module.
2. Bind the port template to real server ports, either directly or in a service
group.
8. Click OK.
To bind the template to a server port, see “Binding a Server Port Template to
a Real Server Port” on page 288.
[no] inband-health-check
[retry maximum-retries]
[reassign maximum-reassigns]
324 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Consecutive Health Checks Within a Health Check Period
CLI Example
You can configure this parameter on an individual health monitor basis. The
setting applies to all health checks that are performed using the health mon-
itor.
4. On the Health Monitor tab, enter a name for the monitor (if new).
P e r f o r m a n c e b yD e s i g n 325 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
On-Demand Health Checks
5. In the Consec Pass Req’d field, enter the number of consecutive times
the target must pass the same periodic health check.
6. If new, on the Method tab, select the monitor type from the Type drop-
down list, and enter or select settings for the monitor.
7. Click OK.
3. Select the health monitor to use from the Health Monitor drop-down list.
4. To test a specific service, enter the protocol port number for the service
in the Port field.
5. Click Start.
The status of the server or service appears in the Status message area.
Note: If an override IP address and protocol port are set in the health monitor
configuration, the AX device will use the override address and port, even
if you specify an address and port when you send the on-demand health
check.
To test the health of a server, use the following command at the EXEC,
Privileged EXEC, or global configuration level of the CLI:
health-test {ipaddr | ipv6 ipv6addr} [count num]
[monitorname monitor-name] [port portnum]
326 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Displaying Health Status
The ipaddr | ipv6 ipv6addr option specifies the IPv4 or IPv6 address of the
device to test.
The count num option specifies the number of health checks to send to the
device. You can specify 1-65535. The default is 1.
The monitorname monitor-name option specifies the health monitor to use.
The health monitor must already be configured. By default, the default
Layer 3 health check (ICMP ping) is used.
The port portnum option specifies the protocol port to test, 1-65535. By
default, the protocol port number specified in the health monitor configura-
tion is used.
Note: If an override IP address and protocol port are set in the health monitor
configuration, the AX device will use the override address and port, even
if you specify an address and port when you send the on-demand health
check.
CLI Example
The following command tests port 80 on server 192.168.1.66, using config-
ured health monitor hm80:
AX#health-test 192.168.1.66 monitorname hm80
node status UP.
P e r f o r m a n c e b yD e s i g n 327 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Displaying Health Status
Virtual server health status is also displayed in the virtual server list dis-
played by Config > Service > SLB > Virtual Server.
For information about the virtual server health state icons, see the
“Monitor > Overview > Status” section in the “Monitor Mode” chapter of
the AX Series GUI Reference.
Real server health status is also displayed in the real server list displayed by
Config > Service > SLB > Server.
For information about the real server health state icons, see the
“Monitor > Service > Server” section in the “Monitor Mode” chapter of the
AX Series GUI Reference.
Use the following command. The health is shown in the State field. For
descriptions of each health state, see the AX Series CLI Reference.
328 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Displaying Health Status
Here is an example:
AX#show slb virtual-server "vs 1"
Virtual server: vs 1 State: Down IP: 1.1.1.201
Pri Port/State Curr-conn Total-conn Rx-Pkt Tx-Pkt
------------------------------------------------------------------------
Use the following command. The health is shown in the State field. For
descriptions of each health state, see the AX Series CLI Reference.
P e r f o r m a n c e b y
D e s i g n 329 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Displaying Health Status
Here is an example:
AX#show slb server
Total Number of Services configured: 5
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service Current Total Req-pkt Resp-pkt State
------------------------------------------------------------------------------
s1:80/tcp 0 0 0 0 Down
s1:53/udp 0 0 0 0 Down
s1:85/udp 0 0 0 0 Down
s1: Total 0 0 0 0 Down
...
Here is an example:
AX#show health stat
Health monitor statistics
Total run time: : 2 hours 1345 seconds
Number of burst: : 0
Number of timer adjustment: : 0
Timer offset: : 0
Opened socket: : 1140
Open socket failed: : 0
Close socket: : 1136
Send packet: : 0
Send packet failed: : 259379
Receive packet: : 0
Receive packet failed : 0
Retry times: : 4270
Timeout: : 0
Unexpected error: : 0
330 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
External Health Method Examples
• Shell
• Tcl
Utility commands such as ping, ping6, wget, dig, and so on are supported.
To use the external method, you must import the program onto the
AX Series device. The script execution result indicates the server status,
which must be stored in ax_env(Result).
P e r f o r m a n c e b yD e s i g n 331 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
External Health Method Examples
Here is the ext.tcl file:
# Init server status to "DOWN"
set ax_env(Result) 1
# Open a socket
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
puts stderr "$ax_env(ServerHost): $sock"
} else {
fconfigure $sock -buffering none -eofchar {}
close $sock
}
332 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
External Health Method Examples
my $host = $ENV{'HM_SRV_IPADDR'};
my $port = 80;
if (defined($ENV{'HM_SRV_PORT'})) {
$port = $ENV{'HM_SRV_PORT'};
}
# vim: tw=78:sw=3:tabstop=3:autoindent:expandtab
P e r f o r m a n c e b yD e s i g n 333 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
External Health Method Examples
334 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This chapter describes Global Server Load Balancing (GSLB). GSLB pro-
vides SLB service across multiple sites.
Overview
Global Server Load Balancing (GSLB) extends load balancing to global
geographic scale. AX Series GSLB uses the DNS proxy method to add
intelligence to DNS. GSLB evaluates the server IP addresses in DNS replies
and changes the order of the addresses in the replies so that the best avail-
able host IP address is the preferred choice.
AX Series GSLB provides the following key advantages:
• Protects businesses from down time due to site failures
P e r f o r m a n c e b yD e s i g n 335 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Figure 113 shows an example of a GSLB configuration.
In this example, the GSLB AX device (the GSLB controller) globally load
balances client requests for “www.a10.com”.
The a10.com services reside on real servers at two sites. At each site, an AX
device provides SLB for the real servers. On the GSLB AX device, the sites
are grouped into a zone for the service.
When the GSLB AX device receives the DNS reply, the device re-orders the
IP addresses in the reply based on the results of site evaluation using the
configured GSLB metrics. The GSLB AX device also makes other changes
336 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
to the DNS reply, such as shortening the TTL of the IP Address records, if
specified by the GSLB configuration. The GSLB AX device then sends the
modified DNS reply to the client.
When the client receives the DNS reply, the client then sends the HTTP
request to the IP address that the GSLB AX device placed at the top of the
IP address list in the DNS reply.
Advantages of GSLB
In standard DNS, when a client wants to connect to a host and has the host-
name but not the IP address, the client sends a lookup request to its local
DNS server. The local DNS server checks its local database.
• If the database contains an Address record for the requested host name,
the DNS server sends the IP address for the host name back to the client.
The client can then access the host.
• If the local DNS server does not have an Address record for the
requested server, the local DNS server makes recursive queries to the
root and intermediate DNS servers, which results in authoritative DNS
server addresses. When a request reaches an authoritative DNS server,
that DNS server sends a reply to the DNS query. The client’s local DNS
server then sends the reply to the client. The client now can access the
requested host.
In today’s redundant data centers and multiple service provider sites, a host
name can reside at multiple data centers or sites, with different IP addresses.
When this is the case, the authoritative DNS server for the host sends multi-
ple IP addresses in its replies to DNS queries. Standard DNS servers can
provide only rudimentary load sharing for the addresses, using a simple
round-robin algorithm to rotate the list of addresses for each query. Thus,
the address that is listed first in the last reply sent by the DNS server is
rotated to be the last address listed in the next reply, and so on.
P e r f o r m a n c e b yD e s i g n 337 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
GSLB Policy
GSLB evaluates the service IP addresses listed in replies from DNS servers
to clients, re-orders the addresses based on that evaluation, and sends the
DNS replies to clients with the re-ordered IP address lists. As a result of this
process, each client receives a DNS reply that has the best service IP
address listed first.
GSLB selects the best site IP address using a GSLB policy. A GSLB policy
consists of one or more of the following metrics:
1. health-check – Services that pass health checks are preferred.
2. weighted-ip – Service IP addresses with higher administratively
assigned weights are used more often than service IP addresses with
lower weights. (See “Weighted-IP and Weighted-Site” on page 339.)
3. weighted-site – Sites with higher administratively assigned weights are
preferred. Sites with higher administratively assigned weights are used
more often than sites with lower weights. (See “Weighted-IP and
Weighted-Site” on page 339.)
4. session capacity – Sites with more available sessions based on respec-
tive maximum session capacity are preferred.
5. active-servers – Sites with the most currently active servers are pre-
ferred.
6. active-rtt – Sites with faster round-trip-times for DNS queries and
replies between a site AX device and the GSLB local DNS are pre-
ferred.
7. passive-rtt – Services with faster response times to clients are preferred.
8. geographic – Services located within the client’s geographic region are
preferred.
9. connection-load – Sites that are not exceeding their thresholds for new
connections are preferred.
338 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
10. num-session – Sites that are not exceeding available session capacity
threshold compared to other sites are treated as having the same prefer-
ence.
11. admin-preference – The site with the highest administratively set prefer-
ence is selected.
12. bw-cost – Selects sites based on bandwidth utilization on the site AX
links.
13. least-response – Service IP addresses with the fewest hits are preferred.
14. ordered-ip – Service IP addresses are administratively prioritized. The
prioritized list is sent to the next metric for further evaluation. If
ordered-ip is the last metric, the prioritized list is sent to the client. (See
“Ordered-IP” on page 340.)
15. round-robin – Sites are selected in sequential order. (See “Tie-Breaker”
on page 340.)
The GSLB AX device uses each enabled GSLB metric to select or eliminate
service IP addresses, then passes the subset of addresses that pass the met-
ric’s criteria to the next metric, and so on, to sort (re-order) the list of
addresses. The GSLB AX device then replaces the IP address list in the
DNS reply with the re-ordered list before sending the reply to the client.
The metric order and the configuration of each metric are specified in a
GSLB policy. Policies can be applied to GSLB zones and to individual ser-
vices. The GSLB AX device has a default GSLB policy, named “default”,
that is automatically applied to a zone or service, unless you configure and
assign a different policy to the zone or service.
For example, if there are two sites (A and B), and A has weight 2 whereas B
has weight 4, GSLB will select site B twice as often as site A. Specifically,
GSLB will select site B the first 4 times, and will then select site A the next
2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the
next 2 times, then B is chosen the next 4 times, and so on.
Note: If DNS caching is used, the cycle starts over if the cache aging timer
expires.
P e r f o r m a n c e b yD e s i g n 339 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Ordered-IP
Most metrics select a site or IP address as the best address. However, the
ordered-ip metric does not select or eliminate sites or IP addresses. Instead,
the ordered-ip metric re-orders the IP addresses based on the metric’s con-
figuration in the GSLB policy.
If there are any more metrics after ordered-ip, the re-ordered list is sent to
the next metric.
If you plan to use the ordered-ip metric, you need to disable the round-robin
metric. Otherwise, round-robin will be used as the tie-breaker and the
ordered IP list will be ignored.
Tie-Breaker
If all the enabled metrics in the policy result in a tie (do not definitively
select a single site as the best site), the AX device uses round-robin to select
a site. This is true even if the round-robin metric is disabled in the GSLB
policy.
Note: If the last metric is ordered-ip, and round-robin is disabled, the prioritized
list of IP addresses is sent to the client. Round-robin is not used.
Health Checks
The health-check metric checks the availability (health) of the real servers
and service ports. Sites whose real servers and service ports respond to the
health checks are preferred over sites in which servers or service ports are
unresponsive to the health checks.
ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP,
POP3, SNMP, DNS, RADIUS, LDAP, RTSP, SIP
You can use the default health methods or configure new methods for any of
these services.
Note: The default health monitor for a service is the default Layer 3 health mon-
itor (ICMP ping). The default health monitor for a service port is the
default TCP or UDP monitor, depending on the transport protocol.
If you leave the health monitor for a service left at its default setting (the
default ICMP ping health check), the health checks are performed within
the GSLB protocol. This requires the GSLB protocol to be enabled on the
site AX devices as well as the GSLB controller.
340 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
If you use a custom health monitor, or you explicitly apply the default
Layer 3 health monitor to the service, the GSLB protocol is not used for
any of the health checks. In this case, the GSLB protocol is not required to
be enabled on the site AX devices, although use of the protocol is still rec-
ommended.
If you use a custom health monitor for a service port, the port number
specified in the service configuration is used instead of the port number
specified in the health monitor configuration.
Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geo-
graphically closer to the clients. For example, if a domain is served by sites
in both the USA and Asia, you can configure GSLB to favor the USA site
for USA clients while preferring the Asian site for Asian clients.
To configure geo-location:
• Leave the geographic GSLB metric enabled.
• Load geo-location data. You can load geo-location data from a file or
manually configure individual geo-location mappings.
CNAME Support
As an extension to geo-location support, you can configure GSLB to send a
Canonical Name (CNAME) record instead of an Address record in DNS
replies to clients. A CNAME record maps a domain name to an alias for that
domain. For example, you can configure aliases such as the following for
domain “a10.com”, and associate the aliases with different geo-locations:
• www.a10.co.cn
• www.1.a10.com
• ftp.a10.com
P e r f o r m a n c e b yD e s i g n 341 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
To configure CNAME support:
• Configure geo-location as described above.
• For individual services in the zone, configure the aliases and associate
them with geo-locations.
DNS Options
DNS options provide additional control over the IP addresses listed in DNS
replies to clients. After the GSLB AX device uses the metrics to select and
prioritize the IP addresses for the DNS reply, the AX device applies the
enabled DNS options to the list.
342 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
• dns geoloc-policy – Returns the alias name configured for the client’s
geo-location.
• dns ip-replace – Replaces the IP addresses with the set of addresses
administratively assigned to the service in the zone configuration.
• dns server – Enables the GSLB AX device to act as a DNS server, for
specific service IPs in the GSLB zone.
• dns sticky – Sends the same service IP address to a client for all requests
from that client for the service address.
• dns ttl – Overrides the TTL set in the DNS reply. (For more information
about this option, see “TTL Override” on page 343.)
The cname-detect and external-ip options are enabled by default. All the
other DNS options are disabled by default.
If more than one of the following options are enabled, GSLB uses them in
the order listed, beginning with sticky:
1. sticky
2. server
3. cache
4. proxy
Note: GSLB does not have a separately configurable “proxy” option. The proxy
option is automatically enabled when you configure the DNS proxy as
part of GSLB configuration.
The site address selected by the first option that is applicable to the client
and requested service is used.
TTL Override
GSLB ensures that DNS replies to clients contain the optimal set of IP
addresses based on current network conditions. However, if the DNS TTL
value assigned to the Address records is long, the local DNS servers used by
clients might cache the replies for a long time, and send those stale replies to
clients. Thus, even though the GSLB AX device has current information,
clients might receive outdated information.
To ensure that the clients’ local DNS servers do not cache the DNS replies
for too long, you can configure the GSLB AX device to override the TTL
values of the Address records in the DNS replies before sending the replies
to clients.
P e r f o r m a n c e b yD e s i g n 343 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
The TTL of the DNS reply can be overridden in two different places in the
GSLB configuration:
1. If a GSLB policy is assigned to the individual service, the TTL set in
that policy is used.
AX devices use the GSLB protocol for GSLB management traffic. The pro-
tocol is required to be enabled on the GSLB controller. The protocol is rec-
ommended on site AX devices but is not required. However, some GSLB
policy metrics require the protocol to be enabled on the site AX devices as
well as the GSLB controller:
• session-capacity
• active-rtt
• passive-rtt
• connection-load
• num-session
• least-response
The GSLB protocol is required in order to collect the site information pro-
vided for these metrics.
Note: The GSLB protocol is also required for the health-check metric, if the
default health checks are used. If you modify the health checks, the GSLB
protocol is not required. (See “Health Checks” on page 340.)
344 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
Configuration Overview
Configuration is required on the GSLB AX device (GSLB controller) and
the site AX devices.
3. Configure a GSLB policy (unless you plan to use the default policy set-
tings, described in “GSLB Policy” on page 338).
4. Configure services.
5. Configure sites.
6. Configure a zone.
Note: If you plan to run GSLB in server mode, the proxy DNS server does not
require configuration of a real server or service group. Only the VIP is
required. However, if you plan to run GSLB in proxy mode, the real
server and service group are required along with the VIP. (Server and
proxy mode are configured as DNS options. See “DNS Options” on
page 342.)
2. Enable the GSLB protocol for the GSLB site device function.
P e r f o r m a n c e b yD e s i g n 345 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
Configuration takes place at the following levels:
Zone
Service IP
Site
SLB device
The parameters you can configure at each level are described in “GSLB
Parameters” on page 378.
The following sections describe the GSLB configuration steps in the GUI
and in the CLI. Required commands and commonly used options are listed.
For advanced commands and options, see “GSLB Parameters” on page 378.
Note: Each of the following configuration sections shows the CLI and GUI
methods for configuration. For complete configuration examples, see
“Configuration Examples” on page 397.
Use a DNS health monitor for the local DNS server. You also can use a
Layer 3 health monitor to check the IP reachability of the server.
For the GSLB service, use health monitors for the application types of the
services. For example, for an HTTP service, use an HTTP health monitor. If
the health-check metric is enabled in the GSLB policy, the metric will use
the results of service health checks to select sites.
To monitor the health of the real servers providing the services, configure
health monitors on the site SLB devices.
Configure the health monitors for the proxied DNS server and the GSLB
services on the GSLB AX device. Configure the health monitors for real
servers and their services on the site AX devices.
346 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
Configuration of health monitors is the same as for standard SLB. There are
no special health monitoring options or requirements for GSLB. For config-
uration information, see “Health Monitoring” on page 257.
To configure the GSLB DNS proxy, use either of the following methods.
Note: The GUI will not accept the configuration if the IP address you enter here
is the same as the real DNS server IP address you enter when configuring
the service group for this proxy (below).
7. In the Port field, enter the DNS port number, if not already filled in.
8. In the Service Group field, select “create”. The Service Group and
Server tabs appear.
11. On the Server tab, in the Server drop-down list, enter the IP address of
the DNS server. Enter the real IP address of the DNS server, not the IP
address you are assigning to the DNS proxy.
12. Enter the DNS port number in the Port field and click Add. The server
information appears on the tab.
P e r f o r m a n c e b yD e s i g n 347 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
13. Click OK. The GSLB Port tab re-appears.
15. Click OK. The DNS proxy appears in the DNS proxy table.
2. To configure a service group and add the DNS proxy (real server) to it,
use the following commands:
slb service-group group-name udp
Use this command at the global configuration level of the CLI. The
command creates the service group and changes the CLI to the configu-
ration level for it. To add the DNS server to the service group, use the
following command:
member server-name:port-num
3. To configure a virtual server for the DNS proxy and bind it to the real
server and service group, use the following commands:
slb virtual-server name ipaddr
Use this command at the global configuration level of the CLI. The
command creates the virtual server changes the CLI to the configuration
level for it. To add the DNS port, use the following command:
port port-number udp
This command changes the CLI to the configuration level for the DNS
port. To bind the DNS port to the DNS proxy service group and enable
GSLB on the port, use the following commands:
service-group group-name
348 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
gslb-enable
In the “default” GSLB policy, the following metrics are enabled by default:
• health-check
• geographic
• round-robin
The other metrics are disabled. (For detailed information about policy
parameters and their defaults, see “GSLB Parameters” on page 378.)
Note: Although the geographic metric is enabled by default, there are no default
geo-location mappings. To use the geographic metric, you must load or
manually configure geo-location mappings. (See “Loading or Configur-
ing Geo-Location Mappings” on page 363 later in this section.)
4. If you are configuring a new policy, enter a name in the Name field on
the General tab.
5. On the Metrics tab, drag-and-drop the metric from one column to the
other. For example, to disable the health-check metric, drag-and-drop it
from the In Use column to the Not In Use column.
If you are enabling a metric, drag it to the position you want it to be used
in the processing order. For example, if you are enabling the Admin
P e r f o r m a n c e b yD e s i g n 349 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
Preference metric and you want this metric to be used first, drag-and-
drop the metric to the top of the In Use column.
7. Click OK.
To enable a metric, enter the metric name at the configuration level for the
policy. For example, to enable the admin-preference metric, enter the fol-
lowing command:
AX(config gslb-policy)#admin-preference
To disable a GSLB metric, use the “no” form of the command for the met-
ric, at the configuration level for the policy. For example, to disable the
health-check metric, enter the following command at the configuration level
for the policy:
AX(config gslb-policy)#no health-check
To set DNS options, use the following command at the configuration level
for the policy. (For descriptions, see “DNS Options” on page 342 and
Table 9, “GSLB Policy Parameters,” on page 387.)
[no] dns
{
action |
active-only |
addition-mx |
best-only |
cache [aging-time {seconds | ttl}] |
cname-detect |
external-ip |
geoloc-action |
geoloc-alias |
geoloc-policy |
ip-replace |
server [authoritative] |
sticky [/prefix-length] [aging-time minutes] |
ttl num
}
350 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
Changing the Metric Order
4. If you are configuring a new policy, enter a name in the Name field on
the General tab.
6. Click OK.
The metric option specifies a metric and can be one of the following:
• active-rtt
• active-servers
• admin-preference
• bw-cost
• capacity
• connection-load
• geographic
• health-check
• least-response
• num-session
• ordered-ip
P e r f o r m a n c e b yD e s i g n 351 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
• passive-rtt
• weighted-ip
• weighted-site
If you are planning to use the active-RTT or passive-RTT metric, read this
section. Otherwise, you can skip the section. Both these metrics are disabled
by default.
Active RTT
Active RTT measures the round-trip-time for a DNS query and reply
between a site AX device and the GSLB local DNS.
The active RTT metric is disabled by default. You can enable it to take
either a single sample (single shot) or multiple samples at regular intervals.
You can configure active RTT to take a single sample or periodic samples.
Default Settings
When you enable Active RTT, a site AX device sends 5 DNS requests to the
GSLB domain’s local DNS. The GSLB AX device averages the RTT times
of the 5 samples.
The single-shot option is useful if you do not want to frequently update the
active RTT measurements. For example, if the GSLB domain's clients tend
to remain logged on for long periods of time, using the single-shot option
ensures that clients are not frequently sent to differing sites based on active
RTT measurements.
352 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
The single-shot has the following additional options:
• timeout – Specifies the number of seconds each site AX device should
wait for the DNS reply. If the reply does not arrive within the specified
timeout, the site becomes ineligible for selection, in cases where selec-
tion is based on the active RTT metric. You can specify 1-255 seconds.
The default is 3 seconds.
• skip – Specifies the number of site AX devices that can exceed their sin-
gle-shot timeouts, without the active RTT metric itself being skipped by
the GSLB AX device during site selection. You can skip from 1-31 sites.
The default is 3.
Multiple Samples
To periodically retake active RTT samples, do not use the single-shot
option. In this case, the AX device uses the averaged RTT based on the
number of samples measured for the intervals.
For example, if you set active RTT to use 3 samples with an interval of 5
seconds, the RTT is the average RTT for the last 3 samples, collected in 5-
second intervals. If you configure single-shot instead, a single sample is
taken.
Store-By
By default, the GSLB AX device stores one active RTT measurement per
site SLB device. Optionally, you can configure the GSLB AX device to
store one measurement per geo-location instead. This option is configurable
on individual GSLB sites. (See “Changing Active RTT Settings for a Site”
on page 355.)
Tolerance
The default measurement tolerance is 10 percent. If the RTT measurements
for more than one site are within 10 percent, the GSLB AX device considers
the sites to be equal in terms of active RTT. You can adjust the tolerance to
any value from 0-100 percent.
P e r f o r m a n c e b yD e s i g n 353 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
3. Click on the policy name or click Add to create a new one.
4. Drag-and-drop Active RTT from the Not In Use column to the In Use
column.
5. Click the plus sign to display the Active RTT configuration fields.
7. To change settings for single-shot, edit the values in the Timeout and
Skip fields.
8. To change settings for multiple samples, edit the values in the Samples
and Tolerance fields.
9. Click OK.
If you omit all the options, the site AX device send 5 DNS requests to the
GSLB domain’s local DNS. The GSLB AX device averages the RTT times
of the 5 samples. The active RTT measurements are regularly updated. You
can use the samples option to change the number of samples to 1-8.
To enable single-shot RTT instead, use the single-shot option. For singe-
shot, you also can use the skip and timeout options. (See the descriptions
above, in “Single Sample (Single Shot)” on page 352)
For descriptions of the store-by and tolerance options, see “Store-By” on
page 353 and “Tolerance” on page 353.
CLI Examples
The following commands access the configuration level for GSLB policy
“gslbp2” and enable the active RTT metric, using all the default settings:
AX(config)#gslb policy gslbp2
AX(config gslb-policy)#active-rtt
354 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
The following commands access the configuration level for GSLB policy
“gslbp3” and enable the active RTT metric, using single-shot settings:
AX(config)#gslb policy gslbp3
AX(config gslb-policy)#active-rtt single-shot
AX(config gslb-policy)#active-rtt skip 3
In this example, each site AX device will send a single DNS query to the
GSLB domain’s local DNS, and wait 3 seconds (the default) for a reply. The
site AX devices will then send their RTT measurements to the GSLB AX
device. However, if more than 3 site AX devices fail to send their RTT mea-
surements to the GSLB AX device, the AX device will not use the active
RTT metric.
P e r f o r m a n c e b yD e s i g n 355 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
Note: Active RTT settings for a site cannot be changed using the GUI.
Use the following command at the configuration level for the site:
[no] active-rtt
aging-time minutes |
bind-geoloc |
range-factor num |
smooth-factor num
Passive RTT
Passive RTT measures the round-trip-time between when the site AX
device receives a client’s TCP connection (SYN) and the time when the site
AX device receives acknowledgement (ACK) back from the client for the
connection.
4. Drag-and-drop Passive RTT from the Not In Use column to the In Use
column.
5. Click the plus sign to display the Passive RTT configuration fields.
6. To change sample settings, edit the values in the Samples and Tolerance
fields. (These parameters work the same as they do for active RTT. See
“Multiple Samples” on page 353 and “Tolerance” on page 353.)
7. Click OK.
356 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
USING THE CLI
Enter the following command at the configuration level for the GSLB pol-
icy:
[no] passive-rtt
[samples num-samples]
[tolerance num-percentage]
If you are planning to use the bw-cost metric, read this section. Otherwise,
you can skip the section. The bw-cost metric is disabled by default.
The bw-cost metric selects sites based on bandwidth utilization on the site
AX links.
P e r f o r m a n c e b yD e s i g n 357 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
How Bandwidth Cost Is Measured
The GSLB AX device sends the SNMP requests at regular intervals. Once a
site is ineligible, the site can become eligible again at the next interval if the
utilization incrementation is below the configured limit minus the threshold
percentage. (See below.)
Configuration Requirements
358 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
Configuring Bandwidth Cost
Note: SNMP template configuration is not supported in the GUI. Use the CLI to
configure the template, then use the following GUI procedures.
Note: If the object is part of a table, make sure to append the table index to the
end of the OID. Otherwise, the AX device will return an error.
P e r f o r m a n c e b yD e s i g n 359 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
SNMPv1 / v2c Commands:
[no] community community-string
The community command specifies the community string required for
authentication.
SNMPv3 Commands:
[no] username name
This command specifies the SNMPv3 username required for access to the
SNMP agent on the site AX device.
[no] security-level
{no-auth | auth-no-priv | auth-priv}
This command specifies the SNMPv3 security level:
• no-auth – Authentication is not used and encryption (privacy) is not
used. This is the default.
• auth-no-priv – Authentication is used but encryption is not used.
[no] context-engine-id id
[no] context-name id
[no] security-engine-id id
The context-engine-id command specifies the ID of the SNMPv3 protocol
engine running on the site AX device. The context-name command speci-
fies an SNMPv3 collection of management information objects accessible
by an SNMP entity. The security-engine-id command specifies the ID of
360 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
the SNMPv3 security engine running on the site AX device. For each com-
mand, the ID is a string 1-127 characters long.
[no] interface id
The interface command specifies the SNMP interface ID.
Additional Commands:
[no] interval seconds
[no] port port-num
The interval command specifies the amount of time between each SNMP
GET to the site AX devices. You can specify 1-999 seconds. The default
is 3.
The port command specifies the protocol port on which the site AX devices
listen for the SNMP requests from the GSLB AX device. You can specify 1-
65535. The default is 161.
The limit specifies the maximum amount the SNMP object queried by the
GSLB AX device can increment since the previous query, in order for the
site to remain eligible for selection as the best site. You can specify 0-
2147483647. There is no default.
If a site becomes ineligible due to being over the limit, the percentage
parameter is used. In order to become eligible for selection again, the site’s
limit value must not increment more than
limit*threshold-percentage.
P e r f o r m a n c e b yD e s i g n 361 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
To display bw-cost data for a site
Use the following command:
show gslb site [site-name] bw-cost
The following commands apply the SNMP template to a site and set the
bandwidth increment limit and threshold:
AX(config)#gslb site usa
AX(config gslb-site)#template snmp-1
AX(config gslb-site)#bw-cost limit 100000 threshold 90
AX(config gslb-site)#exit
The following commands enable the bw-cost metric in the GSLB policy:
AX(config)#gslb policy pol1
AX(config-gslb policy)#bw-cost
AX(config-gslb policy)#exit
362 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
CLI Example – SNMPv3
The following commands configure a GSLB SNMP template for SNMPv3.
In this example, authentication and encryption are both used.
AX(config)#gslb template snmp snmp-2
AX(config-gslb template snmp)#security-level auth-priv
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#priv-proto des
AX(config-gslb template snmp)#auth-key 12345678
AX(config-gslb template snmp)#priv-key 12345678
The other commands are the same as those shown in “CLI Example –
SNMPv2c” on page 362.
You can load the geo-location database from one of the following types of
files:
• Internet Assigned Numbers Authority (IANA) database – The IANA
database contains the geographic locations of the IP address ranges and
subnets assigned by the IANA. The IANA database is included in the
AX system software. However, it is unloaded (not used) by default.
• Custom database in CSV format – You can load a custom geo-location
database from a file in comma-separated-values (CSV) format. This
option requires configuration of a CSV template on the AX device.
P e r f o r m a n c e b yD e s i g n 363 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
When you load the CSV file, the data is formatted based on the tem-
plate.
Geo-Location Mappings
If more than one geo-location matches a client’s IP address, the most spe-
cific match is used. For example, if a client is in the same city as a site AX,
that site will be preferred. If the client and site are in the same state but in
different cities, the site in that state will be preferred.
Only one database can be active. If you load more than one database, the
most-recently loaded one becomes the active one. The older database is no
longer used. Data from the older database is not merged into the new data-
base.
The example above shows the file displayed in a text editor. The same file
looks like the example in Figure 114 if displayed in a spreadsheet applica-
tion. However, when the file is saved to CSV format, the file is essentially
as shown above.
364 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
FIGURE 114 CSV File in Spreadsheet Application
The database file can contain more types of information (fields) than are
required for the GSLB database. When you load the file into the geo-loca-
tion database, the CSV template on the AX device is used to filter the file to
extract the required data. In this example, only the fields shown in bold type
will be extracted and placed into the geo-location database:
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSA-
CHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"
The IP addresses in this example are in bin4 format. Dotted decimal format
(for example: 69.26.125.0) is also supported. If you use bin4 format, the AX
device automatically converts the addresses into dotted decimal format
when you load the database into GSLB.
If you want to use bin4 format in the CSV file, here is how to convert an IP
address from dotted-decimal format to bin4 format:
1. Convert each node into Hex.
P e r f o r m a n c e b yD e s i g n 365 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
CSV File Field Delimiters
The fields in the CSV file must be separated by a delimiter. By default, the
AX device interprets commas as delimiters. When you configure the CSV
template on the AX device, you can set the delimiter to any valid ASCII
character.
3. On the Load/Unload tab, enter “iana” in the File field. Leave the Tem-
plate field blank.
4. Click Add.
2. Configure a CSV template for the file. The CSV template specifies the
field positions for IP address and location information.
366 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
USING THE GUI
4. If the CSV file uses a character other than a comma to delimit fields,
enter the delimiter character in the Delimiter field.
5. In each data field, indicate the field’s position in the CSV file. For exam-
ple, if the destination IP address or subnet is listed in the CSV file in
data field 4, enter “4” in the IP-To field.
6. Click Add.
2. On the menu bar, select Geo-location > Import, if not already selected..
4. Enter the filename and the access parameters required to copy the file
from the remote server.
5. Click Add.
2. On the menu bar, select Geo-location > Import, if not already selected..
4. In the Template field, enter the name of the template to use for format-
ting the data.
P e r f o r m a n c e b yD e s i g n 367 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
On the AX device, you must configure a CSV template for the database file.
When you load the file into GSLB, the AX device uses the template to
extract the data and load it into the GSLB database.
1. Use the following command at the global configuration level of the
CLI:
[no] gslb template csv template-name
This command creates the template and changes the CLI to the configu-
ration level for it.
2. Use the following command to identify the field positions for the geo-
location data:
[no] field num {ip-from | ip-to-mask |
continent | country | state | city}
The num option specifies the field position within the CSV file. You can
specify 1-64. The following options specify the type of geo-location
data that is located in the field position:
• ip-from – Specifies the beginning IP address in the range or subnet.
• ip-to-mask – Specifies the ending IP address in the range, or the
subnet mask.
• continent – Specifies the continent where the IP address range or
subnet is located.
• country – Specifies the country where the IP address range or subnet
is located.
• state – Specifies the state where the IP address range or subnet is
located.
• city – Specifies the city where the IP address range or subnet is
located.
3. If the CSV file uses a character other than a comma to delimit fields, use
the following command to specify the character used in the file:
[no] delimiter {character | ASCII-code}
You can type the character or enter its decimal ASCII code (0-255).
To import the CSV file onto the AX device, use the following command at
the Privileged EXEC or global configuration level of the CLI:
368 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password. To enter the
entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
(For information about the use-mgmt-port option, see “Using the Manage-
ment Interface as the Source for Management Traffic” on page 669.)
To load the CSV file, use the following command at the global configura-
tion level of the CLI:
Use the file name you specified when you imported the CSV file, and the
name of the CSV template to be used for extracting data from the file.
Note: The file-name option is available only if you have already imported a geo-
location database file.
To display information about CSV files that have been loaded are currently
being loaded, use the following command:
P e r f o r m a n c e b yD e s i g n 369 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
Note: If you configure geo-locations globally and at the configuration level for
individual sites, and a client IP address matches both a globally config-
ured geo-location and a geo-location configured on a site, the globally
configured geo-location is used by default. To configure the GSLB AX
device to use geo-locations configured on individual sites instead, use the
geo-location match-first policy command at the configuration level for
the policy.
The geo-location database appears. You can use the find options to display
database entries or statistics for specific geo-locations or IP addresses.
The geo-location-name option displays the database entry for the specified
location.
370 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
The ip-range option displays entries for the specified IP address range.
The depth num option filters the display to show only the location entries at
the specified depth or higher. For example, to display only continent and
country entries and hide individual state and city entries, specify depth 2.
CLI Example
The following commands initiate loading the data from the CSV file into
the geo-location database, and display the status of the load operation:
AX(config)#gslb geo-location load test1.csv test1-tmplte
AX(config)#show gslb geo-location file
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename T Template Per Lines Success Error
------------------------------------------------------------------------------
test1 T t1 98% 11 10 0
P e r f o r m a n c e b yD e s i g n 371 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
The following command displays the geo-location database. The data that
was extracted from the CSV file is shown here in bold type.
AX(config)#show gslb geo-location db
Global
Name From To Last Hits Sub T
------------------------------------------------------------------------------
NA (empty) (empty) (empty) 0 1 G
Configure Services
To configure GSLB services, use either of the following methods.
3. Click Add.
372 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
5. If needed, assign an external IP address to the service IP. The external IP
address allows a service IP that has an internal IP address to be reached
from outside the internal network.
7. Click OK.
This command changes the CLI to the configuration level for the service.
external-ip ipaddr
health-check monitor-name
P e r f o r m a n c e b yD e s i g n 373 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
Configure Sites
To configure GSLB sites, use either of the following methods.
3. Click Add.
6. On the IP-Server tab, add services to the site. Select a service from the
drop-down list and click Add. Repeat for each service.
This command changes the CLI to the configuration level for the site. To
associate an IP service with this site, use the following command:
ip-server service-ip
The ipaddr is the IP address of a real server load balanced by the site.
374 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
To specify the AX device that provides SLB at the site, use the following
command:
To add the GSLB VIP server to the SLB device, use the following com-
mand:
Configure a Zone
To configure a GSLB zone, use either of the following methods.
3. Click Add.
5. On the Service tab, click Add. (See Figure 123 on page 408.)
The service configuration tabs appear.
P e r f o r m a n c e b yD e s i g n 375 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
The zone-url is the URL that clients will send in DNS queries.
This command changes the CLI to the configuration level for the zone. To
add a service to the zone, use the following command:
The port is the application port for the server and must be the same port
name or number specified on the service VIP.
4. Click OK.
To enable the GSLB protocol on the GSLB AX device, use the following
command at the global configuration level of the CLI:
376 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Overview
To enable the GSLB protocol on a site AX device, use the following com-
mand at the global configuration level of the CLI:
P e r f o r m a n c e b yD e s i g n 377 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
GSLB Parameters
Table 8 lists the GSLB parameters.
378 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 8 GSLB Parameters (Continued)
Parameter Description and Syntax Supported Values
policy Configures a GSLB policy. GSLB policies config- Default: The “default” GSLB policy is
(Optional) ure the GSLB metrics used to select the best sites used, unless you configure another
and site IP addresses to return in DNS replies to cli- policy and apply it to the zone.
ents.
[no] gslb policy
{default | policy-name}
Config > Service > GSLB > Policy
service-ip Configures a virtual IP address (VIP) for a service. The vip-name can be up to 31 alphanu-
(Required) In GSLB, service IP addresses are VIPs that repre- meric characters.
sent services that are provided by servers connected
to the site AX devices.
[no] gslb service-ip vip-name
[ipaddr]
Config > Service > GSLB > Service IP
site Configures a site. A GSLB zone can contain one or The site-name can be up to 31 alpha-
(Required) more sites. Each site has at least one AX device pro- numeric characters.
viding load balancing for the site’s services. Default: None
[no] gslb site site-name
Config > Service > GSLB > Site
See “Site Parameters” below.
zone Configures a zone. The zone identifies the top-level The zone-url is the URL of the zone
(Required) URL for the services load balanced by GSLB. and can be up to 127 alphanumeric
[no] gslb zone zone-url characters.
Config > Service > GSLB > Zone Default: None
See “Zone Parameters” below. Note: You can use lower case charac-
ters and upper case characters. How-
ever, since Internet domain names are
case-insensitive, the AX device inter-
nally converts all upper case characters
in GSLB zone names to lower case.
Service-IP Parameters
service-ip status Enables or disables the service-ip. Default: Enabled
(Required) disable | enable
Config > Service > GSLB > Service-IP
external IP Assigns an external IP address to the service IP. The Default: None
address external IP address allows a service IP that has an
internal IP address to be reached from outside the
internal network.
[no] external-ip ipaddr
Config > Service > GSLB > Service-IP
P e r f o r m a n c e b y
D e s i g n 379 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 8 GSLB Parameters (Continued)
Parameter Description and Syntax Supported Values
health check Enables or disables monitoring for the service IP Default: The default Layer 3 health
address. You can specify any health monitor (Layer monitor (ICMP ping) is used.
3, 4 or 7).
[no] health-check [monitor-name]
Config > Service > GSLB > Service-IP
service port Adds a service port to the service IP address. The Valid protocol port number and service
command also changes the CLI to the configuration type
level for the specified service port, where the fol- Default: None
lowing service port-related commands are available:
port num {tcp | udp}
Config > Service > GSLB > Service-IP
Site Parameters
active-rtt Configures options for the Active RTT metric. aging-time – Specifies the maximum
(Optional) [no] active-rtt amount of time a stored active-RTT
aging-time minutes | result can be used. You can specify 1-
bind-geoloc | 60 minutes. The default is 10 minutes.
range-factor num | bind-geoloc – Stores the active-RTT
smooth-factor num measurements on a per geo-location
Note: Configuration of these parameters is not sup- basis. Without this option, the mea-
ported in the GUI. surements are stored on a per site-SLB
device basis.
range-factor – Specifies the maximum
percentage a new active-RTT measure-
ment can differ from the previous mea-
surement. If the new measurement
differs from the previous measurement
by more than the allowed percentage,
the new measurement is discarded and
the previous measurement is used
again.
For example, if the range-factor is set
to 25 (the default), a new measurement
that has a value from 75% to 125% of
the previous value can be used. A mea-
surement that is less than 75% or more
than 125% of the previous measure-
ment can not be used.
You can specify 1-1000. The default is
25.
smooth-factor – Blends the new mea-
surement with the previous one, to
smoothen the measurements. You can
specify 1-100. The default is 10.
380 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 8 GSLB Parameters (Continued)
Parameter Description and Syntax Supported Values
bw-cost Configures options for the bw-cost metric: limit – Specifies the maximum amount
(Optional) [no] bw-cost limit limit the SNMP object queried by the GSLB
threshold percentage AX device can increment since the
previous query, in order for the site to
Note: Configuration of these parameters is not sup-
remain eligible for selection as the best
ported in the GUI.
site. You can specify 0-2147483647.
There is no default.
If a site becomes ineligible due to
being over the limit, the percentage
parameter is used. In order to become
eligible for selection again, the site’s
limit value must not increment more
than limit*threshold-per-
centage.
You can specify 0-100. There is no
default.
threshold percentage – For a site to
regain eligibility when bw-cost is
being compared, the SNMP object’s
incremental value must be below the
threshold-percentage of the limit
value.
For example, if the limit value is
80000 and the threshold is 90, the limit
value must increment by 72000 or less,
in order for the site to become eligible
again based on bandwidth cost. Once a
site again becomes eligible, the SNMP
object’s value is again allowed to
increment by as much as the band-
width limit value (80000, in this exam-
ple).
geo-location Associates the site with a specific geographic loca- The location-name can be up to 127
(Optional) tion. alphanumeric characters.
[no] geo-location location-name Default: None
Config > Service > GSLB > Site - Geo-location tab
Note: This option is applicable only for manually
configuring geo-location mappings. If you plan to
load geo-location mappings from a file instead, you
do not need to use this option.
P e r f o r m a n c e b y
D e s i g n 381 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 8 GSLB Parameters (Continued)
Parameter Description and Syntax Supported Values
ip-server Associates a real server with this site. Default: None
(Optional) [no] ip-server service-name
Config > Service > GSLB > Site - IP Server tab
Note: Generally, virtual servers rather than real
servers are associated with a site. To associate a vir-
tual server with a site, use the vip-server option at
the SLB device configuration level. (See “SLB
device parameters”.)
passive-rtt Configures options for the passive RTT metric. The See the description for active-rtt,
(Optional) options are the same as those for active-rtt. (See above.
above.)
[no] passive-rtt
aging-time minutes |
bind-geoloc |
range-factor num |
smooth-factor num
Note: Configuration of these parameters is not sup-
ported in the GUI.
slb-device Specifies the AX device that provides SLB for the The device-name can be up to 31
(Required) site. alphanumeric characters. The IP
[no] slb-dev device-name ipaddr address must be an address that can be
reached by the GSLB AX device.
Config > Service > GSLB > Site - SLB Device tab
Default: None
template Binds a template to the site. To use the bw-cost met- Name of configured SNMP template.
(Optional) ric, use this option to bind a GSLB SNMP template Default: None
to the site.
[no] template template-name
Note: Configuration of this parameter is not sup-
ported in the GUI.
weight Assigns a weight to the site. If the weighted-site The weight can be from 1 – 100.
(Optional) metric is enabled in the policy and all metrics before Default: 1
weighted-site result in a tie, the site with the highest
weight is preferred.
[no] weight num
Config > Service > GSLB > Site - General tab
SLB Device Parameters
admin-prefer- Assigns a preference value to the SLB device. If the You can specify from 0 – 255.
ence admin-preference metric is enabled in the policy Default: 100
(Optional) and all metrics before this one result in a tie, the
SLB device with the highest admin-preference
value is preferred.
[no] admin-preference num
Config > Service > GSLB > Site - SLB-Device tab
382 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 8 GSLB Parameters (Continued)
Parameter Description and Syntax Supported Values
passive-rtt-timer For passive RTT, specifies the number of seconds 1-255
(Optional) during which samples are collected during each Default: 3
sampling period. You can specify 1-255. The
default is 3.
[no] passive-rtt-timer num
To prevent samples from being taken for this
device, use the no passive-rtt-timer command.
Note: Configuration of this parameter is not sup-
ported in the GUI.
vip-server Maps this SLB site to a globally configured GSLB The name must be the name of a con-
(Required) service IP address (configured by the service-ip figured service IP. (To configure the
option). service IP, use the gslb service-ip
[no] vip-server name command.)
Config > Service > GSLB > Site - SLB-Device tab Default: None
Zone Parameters
dns-mx-record Configures a DNS Mail Exchange (MX) record for The name is the fully-qualified domain
(Optional) the zone. The name is the fully-qualified domain name of the mail server for the zone.
name of the mail server for the zone. The priority can be 0-65535. There is
If more than MX record is configured for the same no default preference.
zone, the priority specifies the order in which the Default: None
mail server should attempt to deliver mail to the MX
hosts. The MX with the lowest preference value has
the highest priority and is tried first. The priority
can be 0-65535. There is no default.
MX records configured on a zone are used only for
services on which MX records are not configured.
[no] dns-mx-record name
priority
Config > Service > GSLB > Zone - Click Add on
the Service tab to display the DNS MX Record tab.
policy Applies a GSLB policy to the zone. The policy-name can be up to 31
(Optional) [no] policy policy-name alphanumeric characters.
Config > Service > GSLB > Zone Default: The “default” GSLB policy is
used, unless you configure another
See “Policy Parameters” on page 387.
policy and apply it to the zone.
service Adds a service to the zone. The GSLB AX Series The port can be a well-known name
(Required) verifies the availability of the service by sending a recognized by the CLI or a port num-
health check to the specified service port. ber from 1 to 65535.
[no] service port service-name The service-name can be up to 31
Config > Service > GSLB > Zone - Service tab alphanumeric characters. (For the
same reason described for zone names,
The health check must be assigned to the individual
the AX device converts all upper case
service. See “Service Parameters” below.
characters in GSLB service names to
lower case.)
Default: None
P e r f o r m a n c e b y
D e s i g n 383 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 8 GSLB Parameters (Continued)
Parameter Description and Syntax Supported Values
ttl Changes the TTL of each DNS record contained in You can specify from 0 to 1000000
(Optional) DNS replies received from the DNS for which the (1,000,000) seconds.
AX Series is a proxy, for this zone. Default: 10 seconds
TTL can be set at different levels of the GSLB con-
figuration; however, only one of the TTL settings is
used. (See “DNS Options” on page 342.)
ttl seconds [no]
Config > Service > GSLB > Zone
The health check must be assigned to the individual
service. See “Service Parameters” below.
Service Parameters
action Specifies the action to perform for DNS traffic. You can specify one of the following:
(Optional) Note: Use of the actions configured for services • Drop – Drops DNS queries from the
also must be enabled in the GSLB policy, using the local DNS server.
DNS action option. See Table 9, “GSLB Policy • Reject – Rejects DNS queries from
Parameters,” on page 387. the local DNS server and returns the
[no] action {drop | reject | “Refused” message in replies.
forward {both | query | response}} • Forward – Forwards requests or
Config > Service > GSLB > Zone - Click Add on queries, as follows:
the Service tab to display the Service tab. • Forward both – Forwards queries
to the Authoritative DNS server,
and forwards responses to the
local DNS server.
• Forward query – Forwards que-
ries to the Authoritative DNS
server, but does not forward
responses to the local DNS
server.
• Forward response – Forwards
responses to the local DNS
server, but does not forward que-
ries to the Authoritative DNS
server.
384 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 8 GSLB Parameters (Continued)
Parameter Description and Syntax Supported Values
dns-a-record Configures a DNS Address (A) record for the ser- weight – Assigns a weight to the ser-
(Optional) vice, for use with the DNS replace-ip option in the vice. If the weighted-ip metric is
GSLB policy. enabled in the policy and all metrics
dns-a-record before weighted-ip result in a tie, the
{service-name | service-ipaddr} service on the site with the highest
{weight num | static | weight is selected. The weight can be
as-replace | no-resp} 1-100. By default, the weight is not
Config > Service > GSLB > Zone - Click Add on set.
the Service tab to display the DNS Address Record static – This option is used with the
tab. dns server option in the policy. When
Note: The no-resp option is not valid with the static both options are set (static here and
or as-replace option. If you use no-resp, you cannot dns server in the policy), the GSLB
use static or as-replace. AX device acts as the DNS server for
the IP address set here by service-ip.
This option is disabled by default.
as-replace – This option is used with
the ip-replace option in the policy.
When both options are set (as-replace
here and ip-replace in the policy), the
client receives only the IP address set
here by service-ip. This option is dis-
abled by default.
no-resp – Prevents the IP address for
this site from being included in DNS
replies to clients. This option is dis-
abled by default.
dns-cname- Configures DNS Canonical Name (CNAME) Default: None
record records for the service.
(Optional) dns-cname-record alias
[alias ...]
Config > Service > GSLB > Zone - Click Add on
the Service tab to display the DNS CName Record
tab.
P e r f o r m a n c e b y
D e s i g n 385 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 8 GSLB Parameters (Continued)
Parameter Description and Syntax Supported Values
dns-mx-record Configures a DNS Mail Exchange (MX) record for The name is the fully-qualified domain
(Optional) the service. name of the mail server for the service.
If more than MX record is configured for the same The priority can be 0-65535. There is
service, the priority specifies the order in which the no default.
mail server should attempt to deliver mail to the MX
hosts. The MX record with the lowest priority num-
ber has the highest priority and is tried first.
dns-mx-record name priority
Config > Service > GSLB > Zone - Click Add on
the Service tab to display the DNS MX Record tab.
Note: If you want the GSLB AX device to return
the IP address of the mail service in response to MX
requests, you must configure A records for the mail
service.
geo-location Maps an alias to the specified geographic location The location-name is a global GSLB
(Optional) for this service. parameter and must already be config-
[no] geo-location location-name ured. (See “Global GSLB parameters”
alias url and “Site parameters” above.)
Config > Service > GSLB > Zone - Click Add on The alias is a service parameter and
the Service tab to display the Geo-location tab. must already be configured. (See
above.)
This CNAME overrides any CNAME globally con-
figured for the zone. Default: None
ip-order Specifies the order in which to list the service IP Each service-ipaddr is a virtual IP
(Optional) addresses (VIPs) for this service in the DNS replies address assigned to the service at this
to clients. site.
The ip-order is one of the metrics used to select the Generally, each service will have a dif-
best IP address for a service. ferent virtual IP address for each real
[no] ip-order server that provides the service at the
{service-name | service-ipaddr} site.
[service-ipaddr ...]
Config > Service > GSLB > Zone - Click Add on
the Service tab to display the DNS Address Record
tab.
policy Applies the specified GSLB policy to the service. The policy-name can be up to 31
(Optional) [no] policy policy-name alphanumeric characters.
Config > Service > GSLB > Zone - Click Add on You must configure the policy before
the Service tab to display the Service tab. you apply it.
Default: The GSLB policy applied to
the zone is also applied to the services
in that zone. If no policy is applied to
the zone, the “default” GSLB policy is
applied.
386 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
Policy Parameters
Table 9 lists the GSLB policy parameters.
P e r f o r m a n c e b y
D e s i g n 387 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 9 GSLB Policy Parameters (Continued)
Parameter Description and Syntax Supported Values
connection-load Sites that are at or below their thresholds of average The state is one of the following:
new connections per second are preferred over sites • Enabled
that are above their thresholds.
• Disabled – This is the default.
[no] connection-load
The limit can be from 1 to 999999999
[limit average-load] |
(999,999,999). The default is not set
[samples num interval seconds]
(unlimited).
Config > Service > GSLB > Policy - Metrics tab
The samples can be from 1 to 8. The
default is 5.
Note: This metric requires the GSLB protocol to be The interval can be from 1 to 60 sec-
enabled on the site AX devices. (See “Metrics That onds. The default is 5 seconds.
Require the GSLB Protocol on Site AX Devices” on
page 344.)
geographic Service IP addresses for the geographic region The state is one of the following:
where the client is located are preferred over • Enabled – This is the default.
addresses from other regions.
• Disabled
The GSLB AX Series selects the geographic region
by matching the client’s IP address with the GSLB
address ranges configured using geo-location
options.
[no] geographic
Config > Service > GSLB > Policy - Metrics tab
health-check Service IP addresses that pass their health checks The state is one of the following:
are preferred over addresses that do not pass their • Enabled – This is the default.
health checks.
• Disabled
An IP address that fails its health check is not auto-
matically ineligible to be included in the DNS reply
to a client.
[no] health-check
Config > Service > GSLB > Policy - Metrics tab
388 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 9 GSLB Policy Parameters (Continued)
Parameter Description and Syntax Supported Values
num-session Sites that are at or below their thresholds of current The state is one of the following:
available sessions are preferred over sites that are • Enabled
above their thresholds.
• Disabled – This is the default.
The tolerance specifies the percentage by which the
When you enable the num-session
number of available sessions on site SLB devices
metric, the default tolerance is 10 per-
can differ without causing the num-session metric to
cent.
select one SLB device over another. Thus, minor
differences among SLB devices do not cause fre-
quent, unnecessary changes in site preference.
Example:
Site A has 800,000 sessions available and Site B has
600,000 sessions available. The difference between
the two sites is 200,000 available sessions. If num-
session is set to 10, then Site A is preferred because
200,000 is larger than 10% of 800,000, which is
80,000.
[no] num-session [tolerance num]
Config > Service > GSLB > Policy - Metrics tab
P e r f o r m a n c e b y
D e s i g n 389 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 9 GSLB Policy Parameters (Continued)
Parameter Description and Syntax Supported Values
passive-rtt Sites with faster round-trip times (RTTs) between a The state is one of the following:
client and the site are preferred over sites with • Enabled
slower times. The passive RTT is the time between
• Disabled – This is the default.
when the site AX device receives a client’s TCP
connection (SYN) and the time when the site AX When you enable the passive-rtt met-
device receives acknowledgement (ACK) back ric, the default number of samples is 5.
from the client for the connection. Passive RTT The default store-by is slb-device. The
measurements are taken for client addresses in each default tolerance is 10 percent.
/24 subnet range.
Passive RTT tolerance is a percentage from 0 to
100. It specifies how much the RTT values of sites
must differ in order for GSLB to prefer one site over
the other based on RTT.
Example:
Site A’s RTT value is 0.3 seconds and Site B’s RTT
value is 0.32 seconds. If the passive RTT tolerance
is 10% then the two sites are treated as having the
same passive RTT preference.
[no] passive-rtt
[samples num-samples]
[store-by {geo-location |
slb-device}]
[tolerance num-percentage]
Config > Service > GSLB > Policy - Metrics tab
390 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 9 GSLB Policy Parameters (Continued)
Parameter Description and Syntax Supported Values
session-capacity Sites that have not exceeded their thresholds for The state is one of the following:
their respective maximum TCP/UDP sessions are • Enabled
preferred over sites that have exceeded their thresh-
• Disabled – This is the default.
olds.
The threshold can be from 0 to 100
Example:
percent. The default is 90.
Site A’s maximum session capacity is 800,000 and
Site B’s maximum session capacity is 500,000. If
the session-capacity threshold is set to 90, then for
Site A the capacity threshold is 90% of 800,000,
which is 720,000. Likewise, the capacity threshold
for Site B is 90% of 500,000, which is 450,000.
[no] capacity [threshold num]
Config > Service > GSLB > Policy - Metrics tab
P e r f o r m a n c e b y
D e s i g n 391 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 9 GSLB Policy Parameters (Continued)
Parameter Description and Syntax Supported Values
metric-order Assigns a geographic location to an IP address You can specify one or more of the fol-
range. GSLB forwards client requests from lowing metrics (listed alphabetically):
addresses within the range to the GSLB site that • active-rtt
serves the location.
• active-servers
[no] metric-order metric
• admin-preference
[metric ...]
Config > Service > GSLB > Policy - Metrics tab • bw-cost
• capacity
• connection-load
The first metric you specify becomes the primary
metric. If you specify additional parameters, they • geographic
are used in the priority you specify. All remaining • health-check
metrics are prioritized to follow the metrics you • least-response
specify.
• num-session
For example, if you specify only the ordered-ip met-
• ordered-ip
ric with the command, and the metric order in the
policy has not been changed previously, the • passive-rtt
ordered-ip metric becomes the first metric. The • weighted-ip
health-check metric becomes the second metric, the • weighted-site
weighted-ip metric becomes the third metric, and so
on. Default metric order: See “GSLB Pol-
icy” on page 338.
DNS Parameters
action Enable GSLB to perform the DNS actions specified The state is one of the following:
in the service configurations. • Enabled
[no] dns action
• Disabled – This is the default.
Config > Service > GSLB > Policy - DNS Options
tab
Note: To configure the DNS action for a service,
use the action option at the configuration level
for the service. See Table 8, “GSLB Parameters,” on
page 378.
active-only Removes IP addresses from DNS replies when The state is one of the following:
those addresses fail a health check. • Enabled
Note: If none of the IP addresses in the DNS reply • Disabled – This is the default.
pass the health check, the GSLB AX Series does not
use this metric, since it would result in an empty IP
address list.
[no] dns active-only
Config > Service > GSLB > Policy - DNS Options
tab
392 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 9 GSLB Policy Parameters (Continued)
Parameter Description and Syntax Supported Values
addition-mx Appends MX records in the Additional section in The state is one of the following:
replies for A records, when the device is configured • Enabled
for DNS proxy or cache mode.
• Disabled – This is the default.
[no] dns addition-mx
Config > Service > GSLB > Policy - DNS Options
tab
best-only Removes all IP addresses from DNS replies except The state is one of the following:
for the address selected as the best address by the • Enabled
GSLB policy metrics.
• Disabled – This is the default.
[no] dns best-only
Config > Service > GSLB > Policy - DNS Options
tab
cache Caches DNS replies and uses them when replying to The state is one of the following:
clients, instead of sending a new DNS request for • Enabled
every client query.
• Disabled – This is the default.
[no] dns cache
The aging time can be
[aging-time seconds | ttl]
1-1,000,000,000 seconds (nearly 32
Config > Service > GSLB > Policy - DNS Options years).
tab
Default: TTL set by the DNS server in
For more information on this option, see “Order in the reply
Which Sticky, Server, Cache, and Proxy Options
Note: If you change the value and later
Are Used” on page 343.
want to restore it to the default, use the
ttl option.
cname-detect Applies GSLB to CNAME records. The state is one of the following:
[no] dns cname-detect • Enabled – This is the default.
Config > Service > GSLB > Policy - DNS Options • Disabled
tab
external-ip Returns the external IP address configured for a ser- The state is one of the following:
vice IP. If this option is disabled, the internal • Enabled – This is the default.
address is returned instead.
• Disabled
[no] dns external-ip
Config > Service > GSLB > Policy - DNS Options
tab
Note: The external IP address must be configured
on the service IP. Use the external-ip option at the
configuration level for the service IP. See Table 8,
“GSLB Parameters,” on page 378.
P e r f o r m a n c e b y
D e s i g n 393 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 9 GSLB Policy Parameters (Continued)
Parameter Description and Syntax Supported Values
geoloc-action Performs the DNS traffic handling action specified The state is one of the following:
for the client’s geo-location. The action is specified • Enabled
as part of service configuration in a zone.
• Disabled – This is the default.
[no] dns geoloc-action
Config > Service > GSLB > Policy - DNS Options
tab
Note: To configure the DNS action for a service,
use the geo-location action option at the configura-
tion level for the service. See Table 8, “GSLB
Parameters,” on page 378.
geoloc-alias Returns the alias name configured for the client’s The state is one of the following:
geo-location. • Enabled
[no] dns geoloc-alias
• Disabled – This is the default.
Config > Service > GSLB > Policy - DNS Options
tab
geoloc-policy Uses the GSLB policy assigned to the client’s geo- The state is one of the following:
location. • Enabled
[no] dns geoloc-policy
• Disabled – This is the default.
Config > Service > GSLB > Policy - DNS Options
tab
ip-replace Replaces the IP addresses in the DNS reply with the The state is one of the following:
service IP addresses configured for the service. • Enabled
[no] dns ip-replace • Disabled – This is the default.
Config > Service > GSLB > Policy - DNS Options
tab
394 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 9 GSLB Policy Parameters (Continued)
Parameter Description and Syntax Supported Values
server Directly responds to Address queries for specific The state is one of the following:
service IP addresses in the GSLB zone. (The AX • Enabled
device still forwards other types of queries to the
• Disabled – This is the default.
DNS server.)
Other defaults:
If you use this option, you do not need to use the
cname-detect option. When a client requests a con- • addition-mx – Disabled
figured alias name, GSLB applies the policy to the • authoritative – The AX device is a
CNAME records. non-authoritative DNS server for
• addition-mx – enables the GSLB AX device to the zone domain.
provide the A record containing the mail server’s • mx – Disabled
IP address in the Additional section, when the
device is configured for DNS server mode.
• authoritative – makes the AX device the authori-
tative DNS server for the GSLB zone, for the
service IPs in which you enable the static option.
If you omit the authoritative option, the AX
device is a non-authoritative DNS server for the
zone domain. The full-list option appends all A
records in the Authoritative section of DNS
replies.
• mx – Provides the MX record in the Answer sec-
tion, and the A record for the mail server in the
Additional section, when the device is configured
for DNS server mode.
To place the server option into effect, you also must
enable the static option on the individual service IP.
[no] dns server addition-mx
[no] dns server authoritative
[full-list]
[no] dns server mx
Config > Service > GSLB > Policy - DNS Options
tab
For more information on this option, see “Order in
Which Sticky, Server, Cache, and Proxy Options
Are Used” on page 343.
P e r f o r m a n c e b y
D e s i g n 395 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
GSLB Parameters
TABLE 9 GSLB Policy Parameters (Continued)
Parameter Description and Syntax Supported Values
sticky Sends the same service IP address to a client for all The state is one of the following:
requests from that client for the service address. • Enabled
[no] dns sticky [/prefix-length] • Disabled – This is the default.
[aging-time minutes]
The default prefix is /32, which causes
The /prefix-length option adjusts the granularity of
the AX device to maintain separate
the feature.
stickiness information for each local
Config > Service > GSLB > Policy - DNS Options DNS server. For example, if two cli-
tab ents use DNS 10.10.10.25 as their
The aging-time option specifies how many minutes local DNS server, and two other clients
a DNS reply remains sticky. You can specify 1- use DNS 10.20.20.99 as their local
65535 minutes. DNS server, the AX maintains sepa-
Note: If you enable the sticky option, the sticky rate stickiness information for each set
time must be as long or longer than the zone TTL. of clients, by maintaining separate
(Use the ttl command at the configuration level for stickiness information for each of the
the zone.) local DNS servers.
For more information on this option, see “Order in The aging time can be 1-65535 min-
Which Sticky, Server, Cache, and Proxy Options utes. Default: 5 minutes
Are Used” on page 343.
ttl Specifies the value to which the AX Series changes You can specify from 0 to 1000000
the TTL of each DNS record contained in DNS (1,000,000) seconds.
replies received from the DNS for which the Default: 10 seconds
AX Series is a proxy.
[no] dns ttl num
Config > Service > GSLB > Policy - DNS Options
tab
Geo-location Parameters
geo-location Assigns a geographic location to an IP address The location-name can be up to 127
range. GSLB forwards client requests from alphanumeric characters.
addresses within the range to the GSLB site that Default location: None
serves the location. This is an alternative to loading
Default match-first: global
a geo-location database.
[no] geo-location location-name
start-ip-addr [mask ip-mask]
[end-ip-addr]
This parameter cannot be configured using the GUI.
[no] geo-location match-first
{global | policy}
The match-first parameter specifies whether to
match the requested IP address with the global geo-
location table or with the geo-location table config-
ured in the policy.
The geo-location mapping cannot be configured
using the GUI. To configure the match-first parame-
ter, select Config > Service > GSLB > Policy - Geo-
location tab
396 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
Configuration Examples
These examples implement the GSLB configuration shown in Figure 113
on page 336. The examples assume that the default GSLB policy is used,
without any changes to the policy settings.
CLI Example
The following commands configure a health monitor for the local DNS
server to be proxied:
AX-Controller(config)#health monitor dns-53
AX-Controller(config-health:monitor)#method dns domain example.com
AX-Controller(config-real server)#exit
The following command loads the IANA file into the geo-location database:
AX-Controller(config)#gslb geo-location load iana
P e r f o r m a n c e b yD e s i g n 397 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
The following commands configure the sites. For each site SLB device,
enter the IP address of the AX Series device that provides SLB at the site.
For the VIP server names, enter the service IP name specified above.
AX-Controller(config)#gslb site usa
AX-Controller(config-gslb site)#slb-dev ax-a 2.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip1
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit
AX-Controller(config)#gslb site asia
AX-Controller(config-gslb site)#slb-dev ax-b 3.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip2
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit
398 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
Configuration on Site AX Device AX-A
The following commands configure SLB on site AX device AX-A in
Figure 113 on page 336:
Site-AX-A(config)#slb server www 2.1.1.2
Site-AX-A(config-real server)#port 80 tcp
Site-AX-A(config-real server-node port)#exit
Site-AX-A(config-real server)#exit
Site-AX-A(config)#slb server www2 2.1.1.3
Site-AX-A(config-real server)#port 80 tcp
Site-AX-A(config-real server-node port)#exit
Site-AX-A(config-real server)#exit
Site-AX-A(config)#slb service-group www tcp
Site-AX-A(config-slb service group)#member www:80
Site-AX-A(config-slb service group)#member www2:80
Site-AX-A(config-slb service group)#exit
Site-AX-A(config)#slb virtual-server www 2.1.1.10
Site-AX-A(config-slb virtual server)#port 80 http
Site-AX-A(config-slb virtual server-slb virtua...)#service-group www
Site-AX-A(config-slb virtual server-slb virtua...)#exit
Site-AX-A(config-slb virtual server)#exit
Note: The virtual server IP address must be the same as the GSLB service IP
address configured on the GSLB AX device.
P e r f o r m a n c e b yD e s i g n 399 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
Site-AX-B(config-slb virtual server)#exit
Site-AX-B(config)#gslb protocol enable device
GUI Example
3. Click Add.
5. On the Method tab, select DNS from the Type drop-down list.
6. In the Domain field, enter the domain name. (Generally, this is the same
as the GSLB zone name you will configure.)
Note: The GUI will not accept the configuration if the IP address you enter here
is the same as the real DNS server IP address you enter when configuring
the service group for this proxy. (below).
f. On the GSLB Port tab, click Add. The GSLB Port tab appears.
400 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
b. Enter the service group information. For this example, enter the fol-
lowing:
• Name – gslb-proxy-sg-1
• Port type – UDP
• Load-balancing metric (algorithm) – Round-Robin
• Health Monitor – “default”
c. On the Server tab, enter the DNS server’s real IP address in the
Server field, and enter the DNS port number in the port field.
d. Click Add. The DNS port appears in the list. (See Figure 116 on
page 402.)
e. Click OK. The GSLB Port tab reappears. In the service drop-down
list, the service group you just configured is selected. (See
Figure 117 on page 402.)
FIGURE 115 Configure > Service > GSLB > DNS Proxy
P e r f o r m a n c e b yD e s i g n 401 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
FIGURE 116 Configure > Service > GSLB > DNS Proxy - service group
configuration
FIGURE 117 Configure > Service > GSLB > DNS Proxy - service group
selected
402 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
FIGURE 118 Configure > Service > GSLB > DNS Proxy - GSLB port
configured
FIGURE 119 Configure > Service > GSLB > DNS Proxy - DNS proxy
configured
3. On the Load/Unload tab, enter “iana” in the File field. Leave the Tem-
plate field blank.
4. Click Add.
Configure Services
1. Select Config > Service > GSLB.
3. Click Add.
P e r f o r m a n c e b yD e s i g n 403 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
4. Enter the service name and IP address. For this example, enter the fol-
lowing:
• Name – servicevip1
• IP Address – 2.1.1.10 (This is the VIP address of a site. Configure a
separate GSLB service IP for each SLB VIP.)
7. Click OK.
404 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
Configure Sites
1. Select Config > Service > GSLB.
3. Click Add.
6. On the IP-Server tab, add services to the site. Select a service from the
drop-down list and click Add. Repeat for each service.
P e r f o r m a n c e b yD e s i g n 405 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
FIGURE 121 Configure > Service > GSLB > Site - SLB Device
FIGURE 122 Configure > Service > GSLB > Site - site parameters selected
406 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
Configure a Zone
1. Select Config > Service > GSLB.
3. Click Add.
5. On the Service tab, click Add. (See Figure 123 on page 408.)
The service configuration tabs appear.
P e r f o r m a n c e b yD e s i g n 407 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
FIGURE 123 Configure > Service > GSLB > Zone
408 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
Enable the GSLB Protocol
1. Select Config > Service > GSLB.
4. Click OK.
SLB configuration is the same with or without GSLB, and is not described
here.
To enable the AX device to run GSLB as a site AX device, perform the fol-
lowing steps on each site AX device:
1. Select Config > Service > GSLB.
4. Click OK.
P e r f o r m a n c e b yD e s i g n 409 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuration Examples
410 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
RAM Caching
You can use the AX device as a transparent cache server, along with the
device’s many other uses.
Overview
The RAM Cache is a high-performance, in-memory Web cache that by
default caches HTTP responses (RFC 2616 compliant). The RAM Cache
can store a variety of static and dynamic content and serve this content
instantly and efficiently to a large number of users.
• 410 – Gone
P e r f o r m a n c e b yD e s i g n 411 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
However, if there is no Content-Length header, the response will not be
cached.
Dynamic Caching
You can enhance RAM caching performance with dynamic RAM caching.
Dynamic RAM caching is useful in situations where the response to a client
request can be used multiple times before the response expires. Here are
some examples where dynamic RAM caching is beneficial:
• The same response is usable by multiple users within a certain period of
time. In this case, dynamic RAM caching is useful even if the cache
expiration period is very small, if enough users access the response
within that period. For example, dynamic RAM caching is beneficial for
a hierarchical directory that is generated dynamically but presents the
same view to all users that request it.
• The response is usable by only a single user but the user accesses it mul-
tiple times. For example, if the response generated in one session can be
used unchanged in a second session.
Host Verification
RAM caching has an optional host verification feature. Host verification
supports multiple name-based virtual hosts. Name-based virtual hosts are
host names that share the same IP address. For example, the real server IP
address 192.168.209.34 could be shared by the following virtual hosts:
• www.abc.com
• www.xyz.com
If you enable host verification, the AX device caches the host name along
with the URI. For example, for http://www.abc.com/index.html, the AX
device caches the content, “/index.html”, and “abc.com”. If a new request is
received, for http://www.xyz.com/index.html, the AX device checks the
cache for content indexed by both “/index.html” and “xyz.com”. The AX
412 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
device serves the content to the client only if the content was cached for
“xyz.com”.
• Cache-Control: max-age=0
However, for security, support for these headers is disabled by default. Thee
headers can make the AX device vulnerable to Denial of Service (DoS)
attacks.
To enforce strict RFC compliance, you can enable support for the headers.
P e r f o r m a n c e b yD e s i g n 413 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring RAM Caching
2. Configure a service group and add the real servers to it, if not already
configured.
3. Configure a cache template with settings for the type and size of content
to be cached. Optionally, configure dynamic caching policies.
4. Configure the virtual server, and bind the service group and cache tem-
plate to the service ports for which caching will be provided.
4. Enter a name for the template, if you are creating a new one.
5. Enter or change any settings for which you do not want to use the
default settings.
414 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring RAM Caching
To configure a no-cache policy:
a. In the URI field, enter the portion of the URI string to match on.
b. Select No Cache from the Action drop-down list.
c. Click Add.
To configure an invalidate policy:
a. In the URI field, enter the portion of the URI string to match on.
b. Select Invalidate from the Action drop-down list. The Pattern field
appears. Enter the portion of the URL string on which to match. For
example, to invalidate “/list” objects when the URL contains “/add”,
enter “/add” (without the quotation marks).
7. Click OK.
• Monitor > Service > Application > RAM Caching > Objects
• Monitor > Service > Application > RAM Caching > Replacement
The Details menu option displays RAM caching statistics. The Objects
option displays cached entries. The Replacement option shows entry
replacement information.
3. Click on the checkbox next to the filename of each log file you want to
export.
4. Click Export.
To delete log archive files, click the checkbox next to each file you want to
delete, and click Delete.
P e r f o r m a n c e b yD e s i g n 415 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring RAM Caching
The commands for configuring the real servers, service group, and virtual
server are the same as those used for configuring other types of SLB. These
configuration items have no commands or options specific to RAM caching.
[no] accept-reload-req
This command enables support for the following Cache-Control headers:
• Cache-Control: no-cache
• Cache-Control: max-age=0
When support for these headers is enabled, either header causes the AX
device to reload the cached object from the origin server.
[no] default-policy-nocache
This command changes the default cache policy in the template from cache
to nocache. This option gives you tighter control over content caching.
When you use the default no-cache policy, the only content that is cached is
cacheable content whose URI matches an explicit cache policy.
[no] max-cache-size MB
This command specifies the size of the AX RAM cache. You can specify
1-512 MB. The default is 10 MB.
The total size of all RAM caches combined can be 512 MB on systems with
2 GB of memory and 1024 MB on systems with 4 GB of memory. (To dis-
play the amount of memory your system has, enter the show version com-
mand.)
416 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring RAM Caching
[no] max-content-size bytes
This command specifies the maximum object size that can be cached. The
AX device will not cache objects larger than this size. You can specify
1-8000000 bytes (8 MB). The default is 50000 bytes (50 Kbytes).
• invalidate inv-pattern – Invalidates the content that has been cached for
inv-pattern.
If a URI matches the pattern in more than one policy command, the policy
command with the most specific match is used.
P e r f o r m a n c e b yD e s i g n 417 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring RAM Caching
Host Verification Command
[no] verify-host
This command enables the AX device to cache the host name in addition to
the URI for cached content. Use this command if a real server that contains
cacheable content will host more than one host name (for example,
www.abc.com and www.xyz.com).
Show Commands
To display client sessions that are using cached content, use the following
command:
show session
Basic Configuration
The commands in this example enable RAM caching for virtual service port
TCP 80 on VIP “cached-vip”.
418 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring RAM Caching
The following commands configure the real servers.
AX(config)#slb server 192.168.90.34
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server 192.168.90.35
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
The following commands configure the virtual server and bind the RAM
caching template and the service group to virtual HTTP service port 80.
AX(config)#slb virtual-server cached-vip 10.10.10.101
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group cached-group
AX(config-slb virtual server-slb virtua...)#template cache ramcache
P e r f o r m a n c e b yD e s i g n 419 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring RAM Caching
Curr Free Conn 1923655
Conn Count 5287134
Conn Freed 5113720
tcp syn half open 0
Prot Forward Source Forward Dest Reverse Source Reverse Dest Age
---------------------------------------------------------------------------------------
Tcp 10.10.10.61:25058 10.10.10.10:80 * * 600
Tcp 10.10.10.60:9239 10.10.10.11:80 * * 600
Tcp 10.10.10.61:1838 10.10.10.10:80 * * 600
Tcp 10.10.10.65:47834 10.10.10.11:80 * * 600
Tcp 10.10.10.62:55613 10.10.10.11:80 * * 600
Tcp 10.10.10.57:9233 10.10.10.11:80 * * 600
420 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring RAM Caching
The following command shows cached objects.
AX#show slb cache entries cached-vip 80
cahed-vip:80
Host Object URL Bytes Status Expires in
---------------------------------------------------------------------------------------
10.20.0.120 /static4K/4K8663.txt 4310 FR 2968 s
10.20.0.120 /static4K/4K8662.txt 4325 FR 2968 s
10.20.0.120 /static4K/4K8661.txt 4325 FR 2968 s
The Status column indicates the status. In this example, all entries are fresh
(FR). For more information, see the AX Series CLI Reference.
The /list URI is visited by many users and therefore should be cached, so
long as the content is current. However, the /private URI contain private
data for a specific user, and should not be cached.
The /add and /del URLs modify the content of the list page. When either
type of URI is observed by the AX device, the currently cached content for
the /list URI should be invalidated, so that new requests for the URI are not
served with a stale page.
P e r f o r m a n c e b yD e s i g n 421 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring RAM Caching
The policy that matches on “/list” caches content for 50 minutes. The policy
that matches on “/private” does not cache content. The policies that match
on “/add” and “/del” invalidate the cached “/list” content.
This policy is configured to flush (invalidate) all cached entries that have “/
story” in the URI. The policy is activated when a request is received with
the URI “/flush”.
422 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
High Availability
This chapter describes High Availability (HA) and how to configure it.
Overview
High Availability (HA) is an AX feature that provides AX-level redundancy
to ensure continuity of service to clients. In HA configurations, AX devices
are deployed in pairs. If one AX device in the HA pair becomes unavailable,
the other AX device takes over.
Note: Both AX devices in an HA pair should be the same model and should be
running the same software version. Using different AX models or differ-
ent software versions in an HA pair is not supported.
P e r f o r m a n c e b yD e s i g n 423 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Layer 3 Active-Standby HA
Figure 125 shows an example of an Active-Standby configuration.
424 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
In this example, each AX device provides SLB for two virtual servers, VIP1
and VIP2.
P e r f o r m a n c e b yD e s i g n 425 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Layer 3 Active-Active HA
Figure 126 shows an example of an Active-Active configuration.
426 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This configuration is similar to the configuration for Active-Standby shown
in Figure 125, with the following exceptions:
• Both HA groups are configured on each of the AX devices. In Active-
Standby, only a single HA group is configured.
• The priority values have been set so that each HA group has a higher
priority on one AX device than it does on the other AX device. In this
example, HA group 1 has a higher priority on AX2, whereas HA group
2 has a higher priority on AX1.
• On each AX device, one of the VIPs is assigned to HA group 1 and the
other VIP is assigned to HA group 2.
• On both AX devices, HA pre-emption is enabled. HA pre-emption
enables the devices to use the HA group priority values to select the
Active and Standby AX device for each VIP. Without HA pre-emption,
the AX selection is based on which of the AX devices comes up first.
P e r f o r m a n c e b yD e s i g n 427 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
428 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Each real server is connected to the router pair through a Layer 2 switch.
Neither the Layer 2 switches nor the routers are running Spanning Tree Pro-
tocol (STP). The network does not have any Layer 2 loops because the
Layer 2 switches are not connected directly together, and the routers do not
forward Layer 2 traffic.
P e r f o r m a n c e b yD e s i g n 429 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
FIGURE 128 Layer 2 Inline HA Deployment
Restrictions
• Supported for Active-Standby HA deployments only. Not supported for
Active-Active HA.
• Inline mode is designed for one HA group in Hot-Standby mode. Do not
configure more than one HA group on an AX running in inline mode.
430 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
• In order to prevent Layer 2 loops in a Layer 2 host-standby environ-
ment, the Standby AX does not forward traffic. In addition, the Active
AX in the HA pair is designed to not forward packets destined for the
Standby AX. Depending on the network topology, certain traffic to the
Standby AX might be dropped if it must first pass through the Active
AX.
• IPv6 traffic is not supported.
Preferred HA Port
When you enable inline mode on an AX, the AX uses a preferred HA port
for session synchronization and for management traffic between the AX
devices in the HA pair. For example, if you use the CLI on one AX to ping
the other AX, the ping packets are sent only on the preferred HA port. Like-
wise, the other AX sends the ping reply only on its preferred HA port.
• SSH
• Ping
Optionally, you can designate the preferred HA port when you enable inline
mode. In Figure 128 on page 430, Ethernet interface 5 on each AX has been
configured as the preferred HA port.
P e r f o r m a n c e b yD e s i g n 431 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Note: The preferred port must be added as an HA interface and heartbeat mes-
sages must be enabled on the interface.
Port Restart
For example, in Figure 128 on page 430, while AX1 is still Active, the
active router (the one on the left) uses the MAC entries it has learned on its
link with AX1 to reach downstream devices. If the link with AX1 goes
down, the router flushes the MAC entries. The router then relearns the
MAC addresses on the link with AX2 when it becomes the Active AX.
This mechanism is applicable when the link with AX1 goes down. How-
ever, if the transition from Active to Standby does not involve failure of the
router's link with AX1, the router does not flush its learned MAC entries on
the link. As a result, the router might continue to send traffic for down-
stream devices through the router's link with AX1. Since AX1 is now the
Standby, it drops the traffic, thereby causing reachability issues.
Note: You must omit at least one port connecting the AX devices from the
restart port-list. This is so that heartbeat messages between the AX
devices are maintained; otherwise, flapping might occur.
432 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
P e r f o r m a n c e b yD e s i g n 433 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Normally, this topology would introduce a traffic loop. However, the HA
inline mode prevents loops by logically blocking through traffic on the
standby AX device. Spanning Tree Protocol (STP) is not required in order
to prevent loops.
Restrictions
• Supported for Active-Standby HA deployments only. Not supported for
Active-Active HA.
• Inline mode is designed for one HA group in Hot-Standby mode. Do not
configure more than one HA group on an AX running in inline mode.
• In order to prevent Layer 2 loops in a Layer 2 host-standby environ-
ment, the Standby AX does not forward traffic. In addition, the Active
AX in the HA pair is designed to not forward packets destined for the
Standby AX. Depending on the network topology, certain traffic to the
Standby AX might be dropped if it must first pass through the Active
AX.
• IPv6 traffic is not supported.
HA Messages
The AX devices in an HA pair communicate their HA status with the fol-
lowing types of messages:
• HA heartbeat messages
434 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
HA Heartbeat Messages
The heartbeat interval and retry count are configurable. (See “HA Configu-
ration Parameters” on page 445.)
Gratuitous ARPs
Devices that receive the ARPs learn that the MAC address for the AX HA
pair has moved, and update their forwarding tables accordingly.
The Active AX device sends the gratuitous ARPs immediately upon becom-
ing the Active AX device. To make sure ARPs are being received by the tar-
get addresses, the AX device re-sends the ARPs 4 additional times, at 500-
millisecond intervals.
After this, the AX device sends gratuitous ARPs every 30 seconds to keep
its IP information current.
P e r f o r m a n c e b yD e s i g n 435 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
HA Interfaces
When configuring HA, you specify each of the interfaces that are HA inter-
faces. An HA interface is an interface that is connected to an upstream
router, a real server, or the other AX device in the HA pair.
Note: If the heartbeat messages from one AX device to the other will pass
though a Layer 2 switch, the switch must be able to pass UDP IP multi-
cast packets.
During selection of the active AX, the AX with the highest state becomes
the active AX and all HA interfaces on that AX become active. For exam-
ple, if one AX is UP and the other AX is only Partially Up, the AX that is
UP becomes the active AX.
436 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
If each AX has the same state, the active AX is selected as follows:
• If HA pre-emption is disabled (the default), the first AX to come up is
the active AX.
• If HA pre-emption is enabled, the AX with the higher HA group priority
becomes active for that group. If the group priorities on the two AX
devices are also the same, the AX that has the lowest HA ID (1 or 2)
becomes active.
Session Synchronization
HA session synchronization sends information about active client sessions
to the Standby AX device. If a failover occurs, the client sessions are main-
tained without interruption. Session synchronization is optional. Without it,
a failover causes client sessions to be terminated. Session synchronization
can be enabled on individual virtual ports.
Session synchronization is required for config sync. Config sync uses the
session synchronization link. (For more information, “Synchronizing Con-
figuration Information” on page 477.)
P e r f o r m a n c e b yD e s i g n 437 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
VLAN-based Failover
If the AX device does not receive any traffic on the VLAN before the time-
out expires, a failover occurs. The timeout can be 2-600 seconds. You must
specify the timeout. Although there is no default, A10 recommends trying
30 seconds.
Gateway-based Failover
Likewise, if the gateway becomes available again and all gateways pass
their health checks, the AX device recalculates its HA status according to
the HA interface counts. If the new HA status of the AX device is higher
than the other AX device’s HA status, a failover occurs.
438 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Configuration of gateway-based failover requires the following steps:
1. Configure a health monitor that uses the ICMP method.
2. Configure the gateway as an SLB real server and apply the ICMP health
monitor to the server.
3. Enable HA checking for the gateway.
VIP-based Failover
When you configure an HA group ID, you also specify its priority. If HA
pre-emption is enabled, the HA group’s priority can be used to determine
which AX device in the HA pair becomes the Active AX for the HA group.
In this case, the AX device that has a higher value for the group’s priority
becomes the Active AX device for the group.
When a real server becomes available again, the weight value that was sub-
tracted from the HA group’s priority is re-added. If this results in the prior-
ity value being higher than on the other AX device, the virtual server is
failed over again to the AX device with the higher priority value for the
group.
P e r f o r m a n c e b yD e s i g n 439 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
After initial selection of the Active AX device, that device remains the
Active AX device unless one of the following events occurs:
• The Standby AX device stops receiving HA heartbeat messages from
the Active AX device.
• The HA interface status of the Active AX device becomes lower than
the HA interface status of the Standby AX device.
• VLAN-based failover is configured and the VLAN becomes inactive.
440 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
• Gateway-based failover is configured and the gateway becomes unavail-
able.
• HA pre-emption is enabled, and the configured HA priority is changed
to be higher on the Standby AX device.
P e r f o r m a n c e b yD e s i g n 441 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
FIGURE 131 HA Failover
442 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
HA Pre-Emption
By default, a failover occurs only in the following cases:
• The Standby AX device stops receiving HA heartbeat messages form
the other AX device in the HA pair.
• HA interface state changes give the Standby AX device a better HA
state than the Active AX device. (See “HA Interfaces” on page 436.)
• VLAN-based failover is configured and the VLAN becomes inactive.
(See “VLAN-based Failover” on page 438.)
• Gateway-based failover is configured and the gateway becomes unavail-
able. (See “Gateway-based Failover” on page 438.)
• VIP-based failover is configured and the unavailability of real servers
causes the Standby AX to have the greater HA priority for the VIP’s HA
group. (See “VIP-based Failover” on page 439.)
P e r f o r m a n c e b yD e s i g n 443 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
HA Sets
Optionally, you can provide even more redundancy by configuring multiple
sets of HA pairs.
You can configure up to 7 HA sets. This feature is supported for Layer 2 and
Layer 3 HA configurations. The set ID can be specified along with the HA
ID. (For syntax information, see Table 10 on page 445.)
444 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
HA Configuration Parameters
Table 10 lists the HA parameters.
TABLE 10 HA Parameters
Parameter Description and Syntax Supported Values
Global HA Parameters
HA ID HA ID of the AX device, and HA set to which the HA ID: 1 or 2
and AX device belongs. HA set ID: 1-7
HA set ID The HA ID uniquely identifies the AX device Default: Neither parameter is set
within the HA pair.
The HA set ID specifies the HA set to which the AX
device belongs. This parameter is applicable to con-
figurations that use multiple AX pairs.
[no] ha id {1 | 2} [set-id num]
Config > HA > Setting > HA Global - General tab
HA group ID Uniquely identifies the HA group on an individual HA group ID: 1-31
AX device. Priority: 1 (low priority) to 255 (high
The priority value can be used during selection of priority
the Active AX device. (See“How the Active AX Default: not set
Device Is Selected” on page 440.)
[no] ha group group-id priority num
Config > HA > Setting > HA Global - Group tab
Floating IP IP address that downstream devices should use as Default: not set
address their default gateway. The same address is shared by
both AX devices in the HA pair. Regardless of
which device is Active, downstream devices can
reach their default gateway at this IP address.
[no] floating-ip ipaddr
ha-group group-id
Config > HA > Setting > HA Global - Floating IP
Address tab
P e r f o r m a n c e b y
D e s i g n 445 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
TABLE 10 HA Parameters (Continued)
Parameter Description and Syntax Supported Values
HA interfaces Interfaces used for HA management. AX Ethernet interfaces
HA heartbeat messages are sent on HA interfaces, Default: not set
unless you use the option to disable the messages.
At least one HA interface must be specified. If the
interface is tagged, then a VLAN ID must be speci-
fied if heartbeat messages are enabled on the inter-
face.
If you specify the interface type (server, router, or
both), changes to the interface state can control
failover. (See “HA Interfaces” on page 436 and
“How the Active AX Device Is Selected” on
page 440.)
[no] ha interface ethernet port-num
[router-interface |
server-interface | both]
[no-heartbeat | vlan vlan-id]
Config > Network > Interface > LAN - Select the
interface and then click the HA tab.
VLAN-based Enables the AX device to change its HA status Valid VLAN ID
HA based on the health of a VLAN. Default: not set
When HA checking is enabled for a VLAN, the The timeout can be 2-600 seconds.
active AX device in the HA pair monitors traffic
Although there is no default timeout,
activity on the VLAN. If there is no traffic on the
A10 recommends trying 30 seconds.
VLAN for half the duration of a configurable time-
out, the AX device attempts to generate traffic by
issuing ping requests to servers if configured, or
broadcast ARP requests through the VLAN.
If the AX device does not receive any traffic on the
VLAN before the timeout expires, a failover occurs.
[no] ha check vlan vlan-id timeout
seconds
Config > HA > Setting > HA Global - Status Check
tab
Gateway-based Enables the AX device to change its HA status IP address of the gateway
HA based on the health of a gateway router. Default: not set
If the gateway fails a Layer 3 (ICMP) health check, Additional configuration is required.
the AX device changes its HA status to Down. If the (See “Gateway-based Failover” on
HA status of the other AX device is higher than page 438.)
Down, a failover occurs.
[no] ha check gateway ipaddr
Config > HA > Setting > HA Global - Status Check
tab
446 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
TABLE 10 HA Parameters (Continued)
Parameter Description and Syntax Supported Values
Session synchro- Enables the AX devices to share information about IP address of the other AX device
nization active client sessions. If a failover occurs, client ses- Default: not set
(Also called sions continue uninterrupted. The Standby AX
“connection mir- device, when it becomes Active, uses the session
roring”) information it received from the Active AX device
before the failover to continue the sessions without
terminating them.
To enable session synchronization, specify the IP
address of the other AX device in the HA pair.
Session synchronization does not apply to DNS ses-
sions. Since these sessions are typically very short
lived, there is no benefit to synchronizing them.
Note: This option also requires session synchroni-
zation to be enabled on the individual virtual service
ports. (See “HA Parameters for Virtual Service
Ports” below.)
[no] ha conn-mirror ip ipaddr
Config > HA > Setting > HA Global - General tab
Pre-emption Controls whether failovers can be caused by config- Enabled or disabled
uration changes to HA priority or HA ID. Default: disabled
[no] ha preemption-enable
Config > HA > Setting > HA Global - General tab
HA heartbeat Interval at which the AX device sends HA heartbeat 1-255 units of 100 milliseconds
interval messages on its HA interfaces. (ms) each
[no] ha time-interval Default: 200 ms
100-msec-units
Config > HA > Setting > HA Global - General tab
Retry count Number of HA heartbeat intervals the Standby 2-255
device will wait for a heartbeat message from the Default: 5
Active AX device before failing over to become the
Active AX device.
[no] ha timeout-retry-count num
Config > HA > Setting > HA Global - General tab
ARP repeat Number of additional gratuitous ARPs, in addition 1-255
count to the first ones, an AX sends after transitioning Default: 4 additional gratuitous
from Standby to Active in an HA configuration.
ARPs, for a total of 5
[no] ha arp-retry num
Config > HA > Setting > HA Global - General tab
P e r f o r m a n c e b y
D e s i g n 447 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
TABLE 10 HA Parameters (Continued)
Parameter Description and Syntax Supported Values
Global HA Parameters for Layer 2 Inline Mode
Inline mode state Enables Layer 2 inline mode and, optionally, speci- Enabled or disabled
fies the HA interface to use for session synchroniza- Default: disabled
tion and for management traffic between the AX
When inline mode is enabled, the pre-
devices.
ferred port is selected as described in
[no] ha inline-mode “Preferred HA Port” on page 431.
[preferred-port port-num]
Config > HA > Setting - HA Inline Mode tab
Restart port list List of Ethernet interfaces on the previously Active AX Ethernet interfaces
AX device to toggle (shut down and restart) follow- Default: not set
ing HA failover.
[no] ha restart-port-list ethernet
port-list
Config > HA > Setting - HA Inline Mode tab
Port restart time Amount of time interfaces in the restart port list 1-100 units of 100 milliseconds (ms)
remain disabled following a failover. Default: 20 units of 100 ms (2 sec-
[no] ha restart-time 100-msec-units onds)
Config > HA > Setting - HA Inline Mode tab
Global HA Parameters for Layer 3 Inline Mode
Inline mode state Enables Layer 3 inline mode. Enabled or disabled
[no] ha l3-inline-mode Default: disabled
Note: This option is not configurable using the
GUI.
HA Parameters for Virtual Servers
HA group ID HA group ID for a virtual server. 1-31
This is required to enable HA for the VIP. Default: not set
[no] ha-group group-id
Config > Service > SLB > Virtual Server
Server weight Weight value assigned to real servers bound to the 1-255
virtual server. Not set
The weight is used for VIP-based failover. (See
“VIP-based Failover” on page 439.)
[no] ha-dynamic server-weight
Config > Service > SLB > Virtual Server - Select
the HA group, then select the Dynamic Server
Weight.
448 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
TABLE 10 HA Parameters (Continued)
Parameter Description and Syntax Supported Values
HA Parameters for Virtual Service Ports
Session Enables active client sessions on this virtual port to Enabled or disabled
synchronization continue uninterrupted following a failover. Default: disabled
(Also called Note: This option also requires session synchroni-
“connection mir- zation to be enabled globally. (See “Global HA
roring”) Parameters” above.)
[no] ha-conn-mirror
Config > Service > SLB > Virtual Server - Port tab
HA Parameters for Firewall Load Balancing (FWLB)
Note: For an example of an FWLB HA configuration, see “Firewall Load Balancing” on page 255.
HA group ID HA group ID for a virtual firewall or virtual firewall 1-31
port. Default: not set
[no] ha-group group-id
Config > Service > Firewall > Firewall Virtual
Server (for virtual firewall)
Config > Service > Firewall > Firewall Virtual
Server - Port tab (for virtual firewall port)
Session Enables active client sessions on this virtual firewall Enabled or disabled
synchronization port to continue uninterrupted following a failover. Default: disabled
Note: This option also requires session synchroni-
zation to be enabled globally. (See “Global HA
Parameters” above.)
[no] ha-conn-mirror
Config > Service > Firewall > Firewall Virtual
Server (for virtual firewall)
Config > Service > Firewall > Firewall Virtual
Server - Port tab (for virtual firewall port)
HA Parameters for IP Network Address Translation (NAT) Pools
HA group ID HA group ID for IP NAT. 1-31
Option with ip nat pool, ipv6 nat pool, or ip nat Default: not set
inside command: ha-group group-id
Config > Service > IP Source NAT > IPv4 Pool
Config > Service > IP Source NAT > IPv6 Pool
Config > Service > IP Source NAT > NAT Range
P e r f o r m a n c e b y
D e s i g n 449 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA
Configuring Layer 3 HA
To configure Layer 3 HA:
1. Configure the following global HA parameters:
• HA ID
• HA group ID and priority. For an Active-Standby configuration,
configure one group ID. For Active-Active, configure multiple HA
group IDs.
• Floating IP address (optional)
• Session synchronization (optional)
• HA pre-emption (optional)
Note: Enter the real IP address of the AX device, not the floating IP address that
downstream devices will use as their default gateway address.
450 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA
3. On the Floating IP Address tab, configure the floating IP addresses for
the HA groups.
a. Select an HA group from the Group Name drop-down list.
b. Select the address type (IPv4 or IPv6).
c. Enter the floating IP address for the group.
d. Click Add.
e. If you are configuring Active-Active, select the next HA group from
the Group Name drop-down list, and repeat the previous steps.
4. Click OK.
Configuring HA Interfaces
1. Select Config > Network > Interface.
2. On the menu bar, select LAN. The list of the AX device’s physical
Ethernet data interfaces appears.
3. Perform the following steps for each HA interface. (For information, see
“HA Interfaces” on page 436.)
a. Click on the interface number.
b. On the HA tab, select Enabled next to HA Enabled.
c. To specify the interface type, select one of the following or leave the
setting None:
• Router-Interface
• Server-Interface
• Both
d. To enable HA heartbeat messages, select Enabled next to Heartbeat.
e. To restrict the HA heartbeat messages to a specific VLAN, enter the
VLAN ID in the VLAN field.
f. Click OK.
3. Click on the virtual server name or click Add to add a new one.
4. On the General tab, select the HA group ID from the HA Group drop-
down list.
P e r f o r m a n c e b yD e s i g n 451 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA
Note: The Dynamic Server Weight option is used for VIP-based failover. For
information, see “VIP-based Failover” on page 439.
Note: The GUI does not support enabling connection mirroring on some types
of service ports. However, you can enable connection mirroring for these
service types using the CLI.
452 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA
HA Configuration of AX1
FIGURE 134 Config > Service > SLB > Virtual Server (VIP1)
P e r f o r m a n c e b yD e s i g n 453 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA
FIGURE 135 Config > Service > SLB > Virtual Server (VIP2)
HA Configuration of AX2
454 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA
FIGURE 137 Config > Service > SLB > Virtual Server (VIP1)
FIGURE 138 Config > Service > SLB > Virtual Server (VIP2)
P e r f o r m a n c e b yD e s i g n 455 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA
Use the same HA group ID for the same virtual server, on both AX
devices.
4. If IP NAT pools are configured, use the following option with the ip nat
pool or ipv6 nat pool command.
ha-group group-id
(For the complete command syntax, see Table 10 on page 445.)
Commands on AX1
This examples shows the CLI commands to implement the Active-Active
configuration shown in Figure 126 on page 426.
Later in the configuration, each virtual server will need to be added to one
or the other of the HA groups.
AX1(config)#ha id 1
AX1(config)#ha group 1 priority 1
AX1(config)#ha group 2 priority 255
456 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA
Heartbeat messages are disabled on all HA interfaces except the dedicated
HA link between the AX devices.
AX1(config)#ha interface ethernet 1 router-interface no-heartbeat
AX1(config)#ha interface ethernet 2 router-interface no-heartbeat
AX1(config)#ha interface ethernet 3 server-interface no-heartbeat
AX1(config)#ha interface ethernet 4 server-interface no-heartbeat
AX1(config)#ha interface ethernet 5
P e r f o r m a n c e b yD e s i g n 457 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA
Commands on AX2
Here are the commands for AX2. The priority values for the groups are dif-
ferent from the values set on AX1, so that group 1 has higher priority on this
AX device than on AX1. Likewise, the priority of group 2 is set so that its
priority is higher on AX1.
AX2(config)#ha id 2
AX2(config)#ha group 1 priority 255
AX2(config)#ha group 2 priority 1
The floating IP addresses must be the same as the ones set on AX1.
AX2(config)#floating-ip 10.10.10.1 ha-group 1
AX2(config)#floating-ip 10.10.10.100 ha-group 2
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface no-heartbeat
AX2(config)#ha interface ethernet 4 server-interface no-heartbeat
AX2(config)#ha interface ethernet 5
The HA configuration for virtual servers and virtual ports is identical to the
configuration on AX1.
AX2(config)#slb virtual-server VIP1
AX2(config-slb virtual server)#ha group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX2(config-slb virtual server-slb virtua...)#exit
AX2(config-slb virtual server)#exit
AX2(config)#slb virtual-server VIP2
AX2(config-slb virtual server)#ha group 2
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX2(config-slb virtual server-slb virtua...)#exit
AX2(config-slb virtual server)#exit
458 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 2 HA (Inline Mode)
P e r f o r m a n c e b yD e s i g n 459 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 2 HA (Inline Mode)
Note: Enter the real IP address of the AX device, not the floating IP address that
downstream devices will use as their default gateway address.
3. On the Floating IP Address tab, configure the floating IP address for the
HA group.
a. Select an HA group 1 from the Group Name drop-down list.
b. Select the address type (IPv4 or IPv6).
c. Enter the floating IP address for the group.
d. Click Add.
4. Click OK.
2. On the menu bar, select LAN. The list of the AX device’s physical
Ethernet data interfaces appears.
3. Perform the following steps for each HA interface. (For information, see
“HA Interfaces” on page 436.)
a. Click on the interface number.
b. On the HA tab, select Enabled next to HA Enabled.
460 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 2 HA (Inline Mode)
c. To specify the interface type, select one of the following or leave the
setting None:
• Router-Interface
• Server-Interface
• Both
d. To enable HA heartbeat messages, select Enabled next to Heartbeat.
e. To restrict the HA heartbeat messages to a specific VLAN, enter the
VLAN ID in the VLAN field.
f. Click OK.
7. Click OK.
P e r f o r m a n c e b yD e s i g n 461 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 2 HA (Inline Mode)
FIGURE 139 Config > HA > Setting
462 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 2 HA (Inline Mode)
USING THE CLI
Commands on AX1
The following command enables inline HA mode and specifies the pre-
ferred HA port.
AX1(config)#ha inline-mode preferred-port 5
The following command specifies the IP address of the other AX, to use for
session synchronization.
AX1(config)#ha conn-mirror ip 172.168.10.3
The following command configures the floating IP address for the real serv-
ers to use as their default gateway address.
AX1(config)#floating-ip 172.168.10.1 ha-group 1
P e r f o r m a n c e b yD e s i g n 463 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 2 HA (Inline Mode)
The following commands configure a health method, real servers, a server
group, and a VIP for an HTTP service.
AX1(config)#health monitor myHttp interval 10 retry 2 timeout 3
AX1(config-health:monitor)#method http url HEAD /index.html
AX1(config-health:monitor)#exit
AX1(config)#slb server s1 172.168.10.30
AX1(config-real server)#port 80 tcp
AX1(config-real server-node port)#health-check myHttp
AX1(config-real server-node port)#exit
AX1(config-real server)#exit
AX1(config)#slb server s2 172.168.10.31
AX1(config-real server)#port 80 tcp
AX1(config-real server-node port)#health-check myHttp
AX1(config-real server-node port)#exit
AX1(config-real server)#exit
AX1(config)#slb service-group g80 tcp
AX1(config-slb service group)#member s1:80
AX1(config-slb service group)#member s2:80
AX1(config-slb service group)#exit
AX1(config)#slb virtual-server v1 172.168.10.80
AX1(config-slb virtual server)#ha-group 1
AX1(config-slb virtual server)#port 80 tcp
AX1(config-slb virtual server-slb virtua...)#service-group g80
AX1(config-slb virtual server-slb virtua...)#ha-conn-mirror
Commands on AX2
Here are the commands for implementing HA on the standby AX, AX2.
Most of the commands are the same as those on AX1, with the following
exceptions:
• The HA ID is 2.
• The HA priority is 1.
464 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 2 HA (Inline Mode)
AX2(config)#ha interface ethernet 5
AX2(config)#ha inline-mode preferred-port 5
AX2(config)#ha restart-port-list ethernet 1 to 2
AX2(config)#ha preemption-enable
AX2(config)#ha conn-mirror ip 172.168.10.2
AX2(config)#floating-ip 172.168.10.1 ha-group 1
AX2(config)#health monitor myHttp interval 10 retry 2 timeout 3
AX2(config-health:monitor)#method http url HEAD /index.html
AX2(config-health:monitor)#exit
AX2(config)#slb server s1 172.168.10.30
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb server s2 172.168.10.31
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb service-group g80 tcp
AX2(config-slb service group)#member s1:80
AX2(config-slb service group)#member s2:80
AX2(config-slb service group)#exit
AX2(config)#slb virtual-server v1 172.168.10.80
AX2(config-slb virtual server)#ha-group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#service-group g80
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
P e r f o r m a n c e b yD e s i g n 465 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA (Inline Mode)
Note: The GUI does not support configuration of Layer 3 inline mode in the
current release.
466 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA (Inline Mode)
Commands on AX1
P e r f o r m a n c e b yD e s i g n 467 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA (Inline Mode)
The following commands configure the HA interfaces. Each interface that is
connected to a server, a router, or the other AX can be configured as an HA
interface. (Make sure to add the dedicated HA link between the AX devices
as one of the HA interfaces.)
AX1(config)#ha interface ethernet 1 router-interface no-heartbeat
AX1(config)#ha interface ethernet 2 router-interface no-heartbeat
AX1(config)#ha interface ethernet 3 server-interface
AX1(config)#ha interface ethernet 4 server-interface
AX1(config)#ha interface ethernet 5
The following command specifies the IP address of the other AX, to use for
session synchronization.
AX1(config)#ha conn-mirror ip 172.168.10.3
The following command configures the floating IP address for the real serv-
ers to use as their default gateway address.
AX1(config)#floating-ip 172.168.10.1 ha-group 1
468 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA (Inline Mode)
AX1(config-real server)#exit
AX1(config)#slb service-group g80 tcp
AX1(config-slb service group)#member s1:80
AX1(config-slb service group)#member s2:80
AX1(config-slb service group)#exit
AX1(config)#slb virtual-server v1 172.168.10.80
AX1(config-slb virtual server)#ha-group 1
AX1(config-slb virtual server)#port 80 tcp
AX1(config-slb virtual server-slb virtua...)#service-group g80
AX1(config-slb virtual server-slb virtua...)#ha-conn-mirror
Commands on AX2
Here are the commands for implementing HA on AX2. Most of the com-
mands are the same as those on AX1, with the following exceptions:
• The IP interfaces are different.
• The HA ID is 2.
• The HA priority is 1.
P e r f o r m a n c e b yD e s i g n 469 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Layer 3 HA (Inline Mode)
AX2(config-vlan:5)#router-interface ve 5
AX2(config-vlan:5)#exit
AX2(config)#interface ve1
AX2(config-if:ve1)#ip address 172.168.10.23 /24
AX2(config-if:ve1)#interface ve5
AX2(config-if:ve5)#ip address 172.168.20.3 /24
AX2(config-if:ve5)#exit
AX2(config)#ha id 2
AX2(config)#ha group 1 priority 1
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface
AX2(config)#ha interface ethernet 4 server-interface
AX2(config)#ha interface ethernet 5
AX2(config)#ha l3-inline-mode
AX2(config)#ha restart-port-list ethernet 1 to 2
AX2(config)#ha preemption-enable
AX2(config)#ha conn-mirror ip 172.168.10.2
AX2(config)#floating-ip 172.168.10.1 ha-group 1
AX2(config)#health monitor myHttp interval 10 retry 2 timeout 3
AX2(config-health:monitor)#method http url HEAD /index.html
AX2(config-health:monitor)#exit
AX2(config)#slb server s1 172.168.10.30
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb server s2 172.168.10.31
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb service-group g80 tcp
AX2(config-slb service group)#member s1:80
AX2(config-slb service group)#member s2:80
AX2(config-slb service group)#exit
AX2(config)#slb virtual-server v1 172.168.10.80
AX2(config-slb virtual server)#ha-group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#service-group g80
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
470 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Optional Failover Triggers
• Gateway-based failover
• VIP-based failover
2. On the Status Check tab, enter the VLAN ID in the VLAN ID field.
4. Click Add.
5. Repeat step 2 through step 4 for each VLAN to be monitored for HA.
6. Click OK.
To enable HA checking for a VLAN, use the following command at the glo-
bal configuration level of the CLI:
P e r f o r m a n c e b yD e s i g n 471 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Optional Failover Triggers
The timeout can be 2-600 seconds. You must specify the timeout. Although
there is no default, A10 recommends trying 30 seconds.
2. Configure the gateway as an SLB real server and apply the ICMP health
monitor to the server:
a. Select Config > Service > SLB.
b. Select Server on the menu bar.
c. Click Add. The General tab appears.
d. On the General tab, enter a name for the gateway in the Name field.
e. In the IP Address field, enter the IP address of the gateway.
f. In the Health Monitor drop-down list, select the ICMP health moni-
tor you configured in step 1.
g. Click OK.
472 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Optional Failover Triggers
c. Click Add.
d. Repeat step b and step c for each gateway to be monitored for HA.
e. Click OK.
2. To configure the gateway as an SLB real server and apply the health
monitor to the server, use the following command.
[no] slb server server-name ipaddr
[no] health-check monitor-name
3. To enable HA health checking for the gateway, use the following com-
mand at the global configuration level.
[no] ha check gateway ipaddr
CLI Example
The following commands configure a real server for the gateway and apply
the health monitor to it:
AX(config)#slb server gateway1 10.10.10.1
AX(config-real server)#health-check gatewayhm1
AX(config-real server)#exit
P e r f o r m a n c e b yD e s i g n 473 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Optional Failover Triggers
4. Click on the virtual server name or click Add to create a new one.
Note: If the HA Group drop-down list does not have any group IDs, you still
need to configure global HA parameters. See “Configuring Global HA
Parameters” on page 450.
7. Click OK.
Enter this command at the configuration level for a virtual server, to assign
the virtual server to the HA group. The group-id can be 1-31.
474 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Optional Failover Triggers
Enter this command at the configuration level for the virtual server to
enable VIP-based failover. The server-weight specifies the amount to sub-
tract from the HA group's priority value for each real server that becomes
unavailable. The weight can be 1-255. The default is 1.
CLI Example
P e r f o r m a n c e b yD e s i g n 475 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Enabling Session Synchronization
4. Click OK or Apply.
7. Click OK again.
476 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Synchronizing Configuration Information
USING THE CLI
[no] ha-conn-mirror
CLI Example
The following commands access the configuration level for a virtual port
and enable connection mirroring on the port:
AX(config)#slb virtual-server vip1 10.10.10.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#ha-conn-mirror
P e r f o r m a n c e b yD e s i g n 477 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Synchronizing Configuration Information
Requirements
SSH management access must be enabled on both ends of the link. (See
“Securing Admin Access by Ethernet” on page 515.)
• Floating IP addresses
• IP NAT configuration
• Health monitors
• SLB
• FWLB
• GSLB
• Data Files:
• aFleX files
• External health check files
• SSL certificate and private-key files
• Black/white-list files
Note: For IP NAT configuration items to be backed up, you must specify an HA
group ID as part of the NAT configuration.
478 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Synchronizing Configuration Information
Configuration Items That Are Not Backed Up
• MAC addresses
• Management IP addresses
• Trunks or VLANs
• Interface settings
P e r f o r m a n c e b y
D e s i g n 479 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Synchronizing Configuration Information
An admin who is logged on with Root or Read-Write (Super Admin) privi-
leges can synchronize for all Role-Based Administration (RBA) partitions
or for a specific partition.
Caveats
Before synchronizing the Active and Standby AX devices, verify that both
are running the same software version. HA configuration synchronization
between two different software versions is not recommended, since some
configuration commands in the newer version might not be supported in the
older version.
Performing HA Synchronization
To synchronize the AX devices in an HA configuration, use the CLI com-
mands described below.
2. In the User and Password fields, enter the admin username and pass-
word for logging onto the other AX device.
480 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Synchronizing Configuration Information
4. Next to Operation, select the information to be copied to the other AX
device:
• All – Copies all the following to the other AX device:
• Floating IP addresses
• IP NAT configuration
• Access control lists (ACLs)
• Health monitors
• Policy-based SLB (black/white lists)
• SLB
• FWLB
• GSLB
• Data files (see below)
The items listed above that appear in the configuration file are cop-
ied to the other AX device’s running-config.
• Data Files – Copies only the SSL certificates and private-key files,
aFleX files, External health heck files, and black/white-list files to
the other AX device
• Running-config – Copies everything listed for the All option, except
the data files, from this AX device’s running-config
• Startup-config – Copies everything listed for the All option, except
the data files, from this AX device’s startup-config
5. Next to Peer Option, select the target for the synchronization:
• To Running-config – Copies the items selected in step 4 to the other
AX device’s running-config
• To Startup-config – Copies the items selected in step 4 to the other
AX device’s startup-config
6. To reload the other AX device after synchronization, select With
Reload. Otherwise, the other AX device is not reloaded following the
synchronization.
Note: In some cases, reload of the other AX device either is automatic or is not
allowed. See Table 11 on page 479.
7. Click OK.
The ha sync commands are available at the global configuration level of the
CLI.
P e r f o r m a n c e b yD e s i g n 481 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Synchronizing Configuration Information
To synchronize data files and the running-config, use the following com-
mand:
ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
Note: In some cases, reload of the other AX device either is automatic or is not
allowed. See Table 11 on page 479.
ha sync startup-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ha sync running-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
To synchronize the data files by copying the Active AX device’s data files
to the Standby AX device, use the following command:
ha sync data-files
[all-partitions | partition partition-name]
482 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
This chapter describes Network Address Translation (NAT) and how to con-
figure it. NAT translates the source or destination IP address of a packet
before forwarding the packet.
The AX device uses NAT to perform SLB. The AX device also supports tra-
ditional Layer 3 NAT, which you can configure if required by your network.
SLB NAT
AX Series devices automatically perform destination NAT for client-VIP
SLB traffic. Figure 141 shows an example.
P e r f o r m a n c e b yD e s i g n 483 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
• Before forwarding a client packet to a real server, the AX device trans-
lates the destination IP address from the virtual server IP address (VIP)
to the IP address of the real server.
• The AX device reverses the translation before sending the server reply
to the client. The source IP address is translated from the real server’s IP
address to the VIP address.
The default SLB NAT behavior does not translate the client’s IP address.
• The VIP and real servers are in different subnets. In cases where real
servers are in a different subnet than the VIP, source NAT ensures that
reply traffic from a server will pass back through the AX device. (See
“Source NAT for Servers in Other Subnets” on page 489.)
• Use of different real port numbers for the same service within a service
group, when non-standard port numbers (higher than 1023) are used.
(See “Auto-Port Translation” on page 675.)
Connection Reuse
484 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
TCP connection established, and reuses the connection for the next client
that uses the real server.
Connection reuse requires SLB source NAT. Since the TCP connection with
the real server needs to remain established after a client’s session ends, the
client’s IP address cannot be used as the source address for the connection,
Instead, the source address must be an IP address from a NAT pool or pool
group configured on the AX device.
The pool or pool group must have a unique IP address for each reusable
TCP connection you want to establish.
3. If you plan to use policy-based source NAT, to select from among multi-
ple pools based on source IP address, configure an ACL for each of the
client address ranges that will use its own pool.
4. Enable source NAT on the virtual service port and specify the pool or
pool group to use for the source addresses. If you are configuring pol-
icy-based source NAT, bind each ACL to its pool.
P e r f o r m a n c e b yD e s i g n 485 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
486 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
h. Do one of the following:
• To use a single pool or pool group for all source addresses, select
the pool from the Source NAT pool drop-down list.
• To use separate pools based on source addresses, use the
ACL-SNAT Binding fields to bind each ACL to its pool.
For each binding, select the ACL from the Access List drop-
down list, select the pool from the Source NAT Pool drop-down
list, and click Add.
i. Do not click OK yet. Go to step 4.
P e r f o r m a n c e b yD e s i g n 487 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
This command creates the template and changes the CLI to configura-
tion level for the template. Use the following commands to configure
the template, or use the default settings:
limit-per-server number
timeout seconds
The limit-per-server command specifies the maximum number of reus-
able connections to establish with each real server. You can specify 0-
65535. For unlimited connections, specify 0. The default is 1000.
The timeout command specifies the maximum number of seconds a
reusable connection can remain idle before it times out. You can specify
1-3600 seconds. The default is 2400 seconds (40 minutes).
Note: If you do not specify a NAT pool with this command, the ACL is used
only to filter the traffic.
4. Add the connection reuse template to the virtual port, use the following
command at the configuration level for the virtual port:
template connection-reuse template-name
CLI Example
The following commands configure standard ACLs that match on different
client addresses:
AX(config)#access-list 30 permit ip 192.168.1.1
AX(config)#access-list 50 permit ip 192.168.20.69
488 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
The following commands configure a real server and a service group:
AX(config)#slb server s1 192.168.19.48
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb service-group group80 tcp
AX(config-slb service group)#method weighted-rr
AX(config-slb service group)#member s1:80
AX(config-slb service group)#exit
You can enable source NAT on a virtual port in either of the following ways:
• Use the the source-nat option to bind a single IP address pool or pool
group to the virtual port. This option is applicable if all the real servers
are in the same subnet.
• Use sets of ACL-pool pairs, one for each real server subnet. You must
use this method if the real servers are in multiple subnets. This section
describes how to use this method.
For the real server to be able to send replies back through the AX device,
use an extended ACL. The source IP address must match on the client
address. The destination IP address must match on the real server address.
The action must be permit.
The ACL should not match on the virtual IP address (unless the virtual IP
address is in the same subnet as the real servers, in which case source NAT
is probably not required). Figure 142 on page 490 shows an example.
P e r f o r m a n c e b yD e s i g n 489 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
FIGURE 142 Multiple NAT Pools Bound to a Virtual Port
In this example, a service group has real servers that are located in two dif-
ferent subnets. The VIP is not in either of the subnets. To ensure that reply
traffic from a server will pass back through the AX device, the AX device
uses IP source NAT.
To implement IP source NAT, two pairs of ACL and IP address pool are
bound to the virtual port. Each ACL-pool pair contains the following:
• An extended ACL whose source IP address matches on client addresses
and whose destination IP address matches on the real server’s subnet.
• An IP address pool or pool group containing translation addresses in the
real server’s subnet.
490 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
For example, if SLB selects a real server in the 10.10.10.x subnet, then the
source IP address is translated from the client’s address to an address in
pool 1. When the server replies, it replies to the address from pool 1.
Note: In most cases, destination NAT does not need to be configured for SLB.
The AX device automatically translates the VIP address into a real server
address before forwarding a request to the server.
CLI Example
First, the ACLs are configured. In each ACL, “any” is used to match on all
clients. The destination address is the subnet where the real servers are
located.
AX(config)#access-list 100 permit any 10.10.10.0 /24
AX(config)#access-list 110 permit any 10.10.20.0 /24
The following commands configure the IP address pools. Each pool con-
tains addresses in one of the real server subnets.
AX(config)#ip nat pool pool1 10.10.10.100 10.10.10.101 netmask /24
AX(config)#ip nat pool pool2 10.10.20.100 10.10.20.101 netmask /24
The following commands bind the ACLs and IP address pools to a virtual
port on the VIP:
AX(config)#slb virtual-server vip1 192.168.1.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#access-list 100 source-nat-pool
pool1
AX(config-slb virtual server-slb virtua...)#access-list 110 source-nat-pool
pool2
This type of NAT is especially useful for applications that have intensive
payload transfers, such as FTP and streaming media.
P e r f o r m a n c e b yD e s i g n 491 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SLB NAT
When DSR is enabled, only the destination MAC address is translated from
the VIP’s MAC address to the real server’s IP address. The destination IP
address is still the VIP.
To use DSR, the AX device and the real servers must be in the same Layer 2
subnet. The VIP address must be configured as a loopback address on the
real servers.
Note: To configure health checking for DSR, see “Configuring Health Monitor-
ing of Virtual IP Addresses in DSR Deployments” on page 308.
Note: For examples of DSR configurations, see “Network Setup” on page 53.
4. If you are adding a new virtual server, enter the general server settings.
5. Click Port.
6. Select the port and click Edit, or click Add. The Virtual Server Port tab
appears.
9. Click OK.
Enter the following CLI command at the configuration level for the virtual
port:
no-dest-nat
492 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
When this option is enabled, the AX device checks the configured IP NAT
pools for an IP address range that includes the server IP address (the source
address of the traffic). If the address range in a pool does include the
server’s IP address, and a default gateway is defined for the pool, the AX
device forwards the server traffic through the pool’s default gateway.
This feature is disabled by default. To enable it, use the following command
at the global configuration level of the CLI:
IP Source NAT
Independently of SLB NAT, you can configure traditional, Layer 3 IP
source NAT. IP source NAT translates internal host addresses into routable
addresses before sending the host’s traffic to the Internet. When reply traffic
is received, the AX device then retranslates addresses back into internal
addresses before sending the reply to the client.
P e r f o r m a n c e b yD e s i g n 493 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
The addresses within an individual pool still must be contiguous, but
you can have gaps between the ending address in one pool and the start-
ing address in another pool. You also can use pools that are in different
subnets.
A pool group can contain up to 5 pools. Pool group members must
belong to the same protocol family (IPv4 or IPv6) and must use the
same HA ID. A pool can be a member of multiple pool groups. Up to 50
NAT pool groups are supported.
If a pool group contains pools in different subnets, the AX device selects
the pool that matches the outbound subnet. For example, of there are
two routes to a given destination, in different subnets, and the pool
group has a pool for one of those subnets, the AX selects the pool that is
in the subnet for the outbound route.
The AX device searches the pools beginning with the first one added to
the group, and selects the first match. If none of the pools are in the des-
tination subnet, the AX uses the first pool that has available addresses.
• Inside NAT setting on the interface connected to the inside host.
Note: The AX device enables you to specify the default gateway for an IP
source NAT pool to use. However, the pool’s default gateway can be used
only if the data route table already has either a default route or a direct
route to the destination of the NAT traffic. In this case, the pool’s default
gateway will override the route, for NAT traffic that uses the pool.
If the data route table does not have a default route or a direct route to the
NAT traffic destination, the pool’s default gateway can not be used. In this
case, the NAT traffic can not reach its destination.
494 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
3. Enable inside source NAT and map the ACL to the pool.
Note: In step 3, the GUI supports binding IPv4 pools to ACLs but not IPv6
pools. To bind an IPv6 pool to an ACL, use the CLI instead.
1. To configure an ACL to identify the inside addresses that need to be
translated:
a. Select Config > Network > ACL.
b. Select the ACL type, Standard or Extended, on the menu bar.
c. Click Add.
d. Enter or select the values to filter.
e. Click OK. The new ACL appears in the Standard ACL table or
Extended ACL table.
f. Click OK to commit the ACL change.
P e r f o r m a n c e b yD e s i g n 495 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
h. To use session synchronization for NAT translations, select the HA
group.
i. Click OK.
3. To enable inside source NAT and map the ACL to the pool:
a. Select Config > Service > IP Source NAT, if not already selected.
b. Select Binding on the menu bar.
c. Select the ACL number from the ACL drop-down list.
d. Select the pool ID from the NAT Pool drop-down list.
e. Click Add. The new binding appears in the ACL section.
f. Click OK.
496 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
FIGURE 143 Configure > Network > ACL > Standard ACL
FIGURE 144 Configure > Service > IP Source NAT > IPv4 Pool
FIGURE 145 Configure > Service > IP Source NAT > Binding
P e r f o r m a n c e b yD e s i g n 497 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
FIGURE 146 Configure > Service > IP Source NAT > Interface
498 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
or
access-list acl-num {permit | deny} {tcp | udp}
3. To enable inside source NAT and map the ACL to the pool, use the fol-
lowing command:
ip nat inside source list acl-name
pool {pool-name | pool-group-name}
P e r f o r m a n c e b yD e s i g n 499 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
fied by the ACL configured in step 1 and used by the commands in
step 2 and step 3.
CLI EXAMPLE
The following command enables inside source NAT and associates the ACL
with the pool:
AX(config)#ip nat inside source list 1 pool pool1
The following commands enable inside source NAT on the interface con-
nected to the internal hosts:
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#ip nat inside
500 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
Note: The GUI supports configuring a static NAT range but does not support
configuring individual mappings.
1. To configure the static translations of internal host addresses to external
addresses:
a. Select NAT Range on the menu bar.
b. Click Add.
c. Enter a name for the range.
d. Select the address type (IPv4 or IPv6)
e. In the From fields, enter the first (lowest numbered) address and
network mask in the range of inside host addresses to be translated.
f. In the To field, enter the first (lowest numbered) address and net-
work mask in the range of external addresses into which to translate
the inside host addresses.
g. In the Count field, enter the number of addresses to be translated.
h. To apply HA to the addresses, select the HA group.
i. Click OK.
P e r f o r m a n c e b yD e s i g n 501 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
3. To enable outside NAT on the interfaces connected to the Internet:
a. Select Interface on the menu bar.
b. Select the interface from the Interface drop-down list.
c. Select Outside in the Direction drop-down list.
d. Click OK.
e. Repeat for each outside interface.
2. If you used the ip nat inside source command, enter the following com-
mand at the global configuration level of the CLI, to enable static NAT
support:
ip nat allow-static-host
Note: This step is not required if you use a static source NAT range list instead.
502 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
The interface command changes the CLI to the configuration level for
the interface connected to the internal hosts.
CLI EXAMPLE
P e r f o r m a n c e b yD e s i g n 503 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
AX#show ip
System is running in Transparent Mode
IP address: 172.168.101.4 255.255.255.0
IP Gateway address: 172.168.101.251
SMTP Server address: Not configured
In this configuration, the AX device will initiate health checks using the last
IP address in the pool as the source IP address. In this example, the AX
device will use IP address 173.168.10.25. In addition, the AX device will
only respond to control traffic directed to 173.168.10.25 from the
173.168.10.0/24 subnet.
IP NAT in HA Configurations
If you are using IP source NAT or full NAT in an HA configuration, make
sure to add the NAT pool or range list to an HA group. Doing so allows a
newly Active AX device to properly continue management of NAT
resources following a failover.
In the GUI, you can select the HA group from the HA Group drop-down list
on the following configuration tabs:
• Config > Service > IP Source NAT > IPv4 Pool
In the CLI, the ha-group-id option is supported with the following NAT
commands:
504 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
[no] ipv6 nat pool pool-name start-ipv6-addr
end-ipv6-addr netmask mask-length [gateway ipaddr]
[ha-group-id group-id]
P e r f o r m a n c e b yD e s i g n 505 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
IP Source NAT
506 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Additional Admin Accounts
The following sections describe these features and show how to configure
them.
Note: If you have not already changed the default “admin” password and the
enable password, A10 Networks recommends that you do so now, before
implementing security options described in this chapter.
When logged onto the AX device with the admin account, you can config-
ure additional admin accounts. For each admin account, you can configure
the following settings:
• Username and password
Note: You cannot change the privilege level of the “admin” account or disable
it.
P e r f o r m a n c e b yD e s i g n 507 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Additional Admin Accounts
5. Enter the password for the new admin account in the Password and Con-
firm Password fields.
Note: To allow access from any host, leave the Trusted Host IP Address and
Netmask fields blank.
508 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Additional Admin Accounts
• Partition RS Operator – The admin is assigned to a private partition
but has permission only to view service port statistics for real serv-
ers in the partition, and to disable or re-enable the real servers and
their service ports.
Note: The Partition roles apply to Role-Based Administration (RBA). For infor-
mation about this feature, see “Role-Based Administration” on page 577.
9. Click OK.
P e r f o r m a n c e b yD e s i g n 509 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Additional Admin Accounts
510 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Additional Admin Accounts
4. To verify the new admin account, enter the following command:
show admin
CLI EXAMPLES
P e r f o r m a n c e b yD e s i g n 511 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Additional Admin Accounts
Note: To delete an admin account, you first must terminate any active sessions
the admin account has open. The account is not deleted if there are any
open sessions for the account.
3. To delete the admin account, use the following command at the global
configuration level:
no admin admin-username
512 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Admin Lockout
5. Click OK.
P e r f o r m a n c e b yD e s i g n 513 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Admin Lockout
To view lockout status or manually unlock a locked account:
1. Select Monitor > System > Admin.
3. Click Unlock.
3. Enter the following command to access the configuration level for the
admin account:
admin admin-username
514 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Securing Admin Access by Ethernet
You can enable or disable management access, for individual access types
and interfaces. You also can use an Access Control List (ACL) to permit or
deny management access through the interface by specific hosts or subnets.
To set management access through Ethernet interfaces, use either of the fol-
lowing methods.
For example, if you disable Telnet access to a data interface, but you also
enable access to the interface using an ACL with permit rules, the ACL per-
mits Telnet (and all other) access to the interface, for traffic that matches the
permit rules in the ACL.
Each ACL has an implicit deny any any rule at the end. If the management
traffic’s source address does not match a permit rule in the ACL, the
implicit deny any any rule is used to deny access.
On data interfaces, you can disable or enable access to specific services and
also use an ACL to control access. However, on the management interface,
P e r f o r m a n c e b yD e s i g n 515 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Securing Admin Access by Ethernet
you can disable or enable access to specific services or control access using
an ACL, but you can not do both.
2. For each interface (each row), select or de-select the checkboxes for the
access types.
3. To use an ACL to control access, select the ACL from the ACL drop-
down list in the row for the interface.
4. After selecting the settings for all the interfaces, click OK.
To reset the access settings to the defaults listed in Table 13, click Reset to
Default.
disable-management service
{all | ssh | telnet | http | https | snmp | ping}
{management | ethernet port-num [to port-num] |
ve ve-num [to ve-num]}
or
516 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Securing Admin Access by Ethernet
• all – Disables access to all the management services listed below.
• ping – Disables ping replies from AX interfaces. This option does not
affect the AX device’s ability to ping other devices.
Note: Disabling ping replies from being sent by the AX device does not affect
the device’s ability to ping other devices.
In the second command, the acl acl-id option specifies an ACL. Manage-
ment access from any host address that matches the ACL is either permitted
or denied, depending on the action (permit or deny) used in the ACL.
CLI Examples:
The following command disables HTTP access to the out-of-band manage-
ment interface:
AX(config)#disable-management service http management
You may lose connection by disabling the http service.
Continue? [yes/no]:yes
enable-management service
{all | ssh | telnet | http | https | snmp | ping}
{management | ethernet port-num [to port-num] |
ve ve-num [to ve-num]}
or
CLI Example:
P e r f o r m a n c e b yD e s i g n 517 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Securing Admin Access by Ethernet
The following command enables Telnet access to data interface 6:
AX(config)#enable-management service telnet ethernet 6
CLI EXAMPLES
Here is an example for an AX device that has 10 Ethernet data ports. In this
example, all the access settings are set to their default values.
AX#show management
PING SSH Telnet HTTP HTTPS SNMP ACL
------------------------------------------------------
mgmt on on off on on on -
1 on off off off off off -
2 on off off off off off -
3 on off off off off off -
4 on off off off off off -
5 on off off off off off -
6 on off off off off off -
7 on off off off off off -
9 on off off off off off -
10 on off off off off off -
ve1 on off off off off off -
518 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Changing Web Access Settings
Here is an example after entering the commands used in the configuration
examples above.
AX#show management
PING SSH Telnet HTTP HTTPS SNMP ACL
------------------------------------------------------
mgmt on on off off on on -
1 on off off off off off 1
2 on off off off off off 1
3 on off off off off off 1
4 on off off off off off 1
5 on off off off off off 1
6 on off on off off off 1
7 on off off off off off 1
9 on off off off off off 1
10 on off off off off off 1
ve1 on off off off off off -
P e r f o r m a n c e b yD e s i g n 519 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Changing Web Access Settings
TABLE 14 Default Web Access Settings (Continued)
Parameter Description Default
HTTPS port Protocol port number for the secure (HTTPS) 443
port.
Timeout Number of minutes a Web management ses- Range: 0-60
sion can remain idle before it times out and is minutes
terminated by the AX device. To disable
the timeout,
specify 0.
Default: 10
minutes
aXAPI Timeout Number of minutes an aXAPI session can 0-60 min-
remain idle before being terminated. utes. f you
Once the aXAPI session is terminated, the specify 0,
session ID generated by the AX device sessions
for the session is no longer valid. never time
Note: For information about aXAPI, see the out.
AX Series aXAPI Reference. Default: 10
minutes
Note: If you disable HTTP or HTTPS access, any sessions on the management
GUI are immediately terminated.
4. Click OK.
Note: The Preference tab sets the default IP address type (IPv4 or IPv6) for GUI
configuration fields that require an IP address. The tab does not affect
access to the GUI itself.
520 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
USING THE CLI
At the global configuration level of the CLI, use the following command:
[no] web-service
{
axapi-timeout-policy idle minutes |
auto-redir |
port protocol-port |
secure-port protocol-port |
server |
secure-server |
timeout-policy idle minutes
}
show web-service
CLI EXAMPLE
P e r f o r m a n c e b yD e s i g n 521 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
Authentication
Authentication grants or denies access based on the credentials presented by
the person who is attempting access. Authentication for management access
to the AX device grants or denies access based on the admin username and
password.
By default, when someone attempts to log into the AX device, the device
checks its local admin database for the username and password entered by
the person attempting to gain access.
You can use TACACS+ or RADIUS for external authentication. Only one
external authentication method can be used.
Authorization
You can configure the AX device to use external TACACS+ servers for
Authorization.
522 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
To configure Authorization:
• Configure the TACACS+ server to authorize or deny execution of spe-
cific commands or command groups.
• Configure the AX device to send commands to the TACACS+ server for
authorization before executing those commands.
Caution: The most secure option is 15(admin). If you select a lower option, for
example, 1(priv EXEC), make sure to configure the TACACS+ server
to deny any unmatched commands (commands that are not explicitly
allowed by the server). Otherwise, unmatched commands, including
commands at higher levels, will automatically be authorized to exe-
cute.
You can enable the following TACACS+ debug levels for troubleshooting:
• 0x1 – Common system events such as “trying to connect with
TACACS+ servers” and “getting response from TACACS+ servers”.
These events are recorded in the syslog.
• 0x2 – Packet fields sent out and received by the AX Series device, not
including the length fields. These events are written to the terminal.
P e r f o r m a n c e b yD e s i g n 523 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
• 0x4 – Length fields of the TACACS+ packets will also be displayed on
the terminal.
• 0x8 – Information about TACACS+ MD5 encryption will be sent to the
syslog.
Accounting
You can configure the AX device to use external TACACS+ servers for
Accounting.
Accounting keeps track of user activities while the user is logged on. For
AX admins, you can configure Accounting for the following:
• Login/logoff activity (start/stop accounting)
• Commands
Command Accounting
You can track attempts to execute commands at one of the following CLI
access levels:
• 15(admin) – This is the most extensive level of accounting. Commands
at all CLI levels, including those used to configure admin accounts, are
tracked.
• 14(config) – Commands at all CLI levels except those used to configure
admin accounts are tracked. Commands for configuring admin accounts
are not tracked.
• 1(priv EXEC) – Commands at the Privileged EXEC and User EXEC
levels are tracked. Commands at other levels are not tracked.
• 0 (user EXEC) – Commands at the User EXEC level are tracked. Com-
mands at other levels are not tracked.
The same debug levels that are available for TACACS+ Authorization are
also available for TACACS+ Accounting. (See “TACACS+ Authorization
Debug Options” on page 523 .)
524 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
3. Configure Authorization:
a. Add the TACACS+ server(s).
b. Specify the command levels to be authorized by TACACS+.
4. Configure Accounting:
a. Add the TACACS+ servers, if not already added for Authorization.
b. Specify whether to track logon/logoff activity. You can track both
logons and logoffs, logoffs only, or neither.
c. Specify the command levels to track.
P e r f o r m a n c e b yD e s i g n 525 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
5. In the Secret and Confirm Secret fields, enter the shared secret (pass-
word) expected by the RADIUS server when it receives requests.
6. Click OK.
Note: The command syntax shown in this section is simplified to show the
required or more frequently used options. For complete syntax informa-
tion, see the AX Series CLI Reference.
To configure Authentication
1. Use the following command at the global configuration level of the CLI
to add the RADIUS server(s):
radius server {hostname | ipaddr}
secret secret-string
The secret-string is the shared secret (password) expected by the
RADIUS server when it receives requests.
To add a TACACS+ server, use the following command at the global con-
figuration level of the CLI:
526 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
CLI Example
Note: The command syntax shown in this section is simplified to show the
required or more frequently used options. For complete syntax informa-
tion, see the AX Series CLI Reference.
Note: The configuration options described in this section are available only in
the CLI.
To configure Authorization
1. Use the following command at the global configuration level of the CLI
to add the TACACS+ server(s):
tacacs-server host {hostname | ipaddr}
secret secret-string
P e r f o r m a n c e b yD e s i g n 527 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
To configure Accounting
1. To configure Accounting for logon/logoff activity, use the following
command:
accounting exec {start-stop | stop-only} tacplus
CLI EXAMPLES
528 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
EXAMPLE INCLUDING RADIUS SERVER SETUP
client 192.168.1.0/24 {
secret = a10rad
shortname = private-network-1
}
P e r f o r m a n c e b yD e s i g n 529 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
Creation of dictionary.a10networks File
vi /usr/local/share/freeradius/dictionary.a10networks
#
# The FreeRADIUS Vendor-Specific dictionary.
#
# Version: $Id: dictionary.a10networks,v 1.4 2009/05/05 11:03:56 a10user Exp $
#
# For a complete list of Private Enterprise Codes, see:
#
# http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
#
BEGIN-VENDOR A10-Networks
530 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
ATTRIBUTE A10-Single-4 54 String
ATTRIBUTE A10-Single-5 55 String
END-VENDOR A10-Networks
vi /usr/local/share/freeradius/dictionary
add
$INCLUDE dictionary.a10networks #new added for a10networks
P e r f o r m a n c e b yD e s i g n 531 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring AAA for Admin Access
532 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
DDoS Protection
• SYN Cookies
The following sections describe these features and show how to configure
them.
DDoS Protection
AX Series devices provide enhanced protection against distributed denial-
of-service (DDoS) attacks, with IP anomaly filters. The IP anomaly filters
drop packets that contain common signatures of DDoS attacks.
P e r f o r m a n c e b yD e s i g n 533 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
DDoS Protection
Note: On the AX 2000 and AX 2100, the ping-of-death option drops all IP
packets longer than 32000 bytes. On other models, the option drops IP
packets longer than 65535 bytes.
• TCP-no-flag – Drops all TCP packets that do not have any TCP flags set
• TCP-SYN-FIN – Drops all TCP packets in which both the SYN and FIN
flags are set
• TCP-SYN-frag – Drops incomplete (fragmented) TCP Syn packets,
which can be used to launch TCP Syn flood attacks
4. Click OK.
534 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SYN Cookies
SYN Cookies
AX Series devices provide enhanced protection against TCP SYN flood
attacks, with SYN cookies. SYN cookies enable the AX to continue to serve
legitimate clients during a TCP SYN flood attack, without allowing illegiti-
mate traffic to consume system resources.
The AX device supports SYN cookies for Layer 4-7 SLB traffic and for
Layer 2/3 traffic.
• Layer 4-7 SYN cookies protect against TCP SYN flood attacks directed
at SLB service ports.
• Layer 2/3 SYN cookies protect against TCP SYN flood attacks
attempted in traffic passing through the AX device.
P e r f o r m a n c e b yD e s i g n 535 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SYN Cookies
You can configure the following dynamic SYN cookie options:
• On-threshold – specifies the maximum number of concurrent half-
open TCP connections allowed on the AX device, before SYN
cookies are enabled. If the number of half-open TCP connections
exceeds the on-threshold, the AX device enables SYN cookies. You
can specify 0-2147483647 half-open connections.
• Off-threshold – option specifies the minimum number of concurrent
half-open TCP connections for which to keep SYN cookies enabled.
If the number of half-open TCP connections falls below this level,
SYN cookies are disabled. You can specify 0-2147483647 half-
open connections.
Note: It may take up to 10 milliseconds for the AX device to detect and respond
to crossover of either threshold.
Hardware-Based or Software-Based
Note: If the target VIP is in a different subnet from the client-side router, use of
hardware-based SYN cookies requires some additional configuration. See
“Configuration when Target VIP and Client-side Router Are in Different
Subnets” on page 537.
536 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SYN Cookies
6. Click OK.
[no] syn-cookie
[on-threshold num off-threshold num]
Configuration when Target VIP and Client-side Router Are in Different Subnets
Usually, the target VIP in an SLB configuration is in the same subnet as the
client-side router. However, if the target VIP is in a different subnet from the
client-side router, use of hardware-based SYN cookies requires some addi-
tional configuration:
• On the AX device, configure a “dummy” VIP that is in the same subnet
as the client-side router.
• On the client-side router, configure a static route to the VIP, using the
dummy VIP as the next hop.
P e r f o r m a n c e b yD e s i g n 537 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SYN Cookies
Figure 149 shows an example.
Note: If HA is configured, add both the target VIP and the dummy VIP to the
same HA group, so they will fail over to the HA peer as a unit.
538 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
SYN Cookies
USING THE GUI
1. Select Config> Service > Server.
5. On the Port tab, select the TCP port and click Edit, or click Add.
6. If you are configuring a new port, select TCP in the Type drop-down
list.
9. Click OK.
syn-cookie [sack]
For information about the sack feature, see the AX Series CLI Reference.
P e r f o r m a n c e b yD e s i g n 539 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
ICMP Rate Limiting
2. Optionally, to modify the threshold for TCP handshake completion, use
the following command at the global configuration level of the CLI:
[no] ip tcp syn-cookie threshold seconds
You can specify 1-100 seconds. The default is 4 seconds.
CLI Example
The following commands globally enable SYN cookie support, then enable
Layer 2/3 SYN cookies on Ethernet interfaces 4 and 5:
AX(config)#syn-cookie on-threshold 50000 off-threshold 30000
AX(config)#interface ethernet 4
AX(config-if: ethernet4)#ip tcp syn-cookie
AX(config-if: ethernet4)#interface ethernet 5
AX(config-if: ethernet5)#ip tcp syn-cookie
ICMP rate limiting monitors the rate of ICMP traffic and drops ICMP pack-
ets when the configured thresholds are exceeded.
You can configure ICMP rate limiting filters globally, on individual Ether-
net interfaces, and in virtual server templates. If you configure ICMP rate
limiting filters at more than one of these levels, all filters are applicable.
540 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
ICMP Rate Limiting
• Lockup time – The lockup time is the number of seconds for which the
AX device drops all ICMP traffic, after the maximum rate is exceeded.
The lockup time can be 1-16383 seconds.
Specifying a maximum rate (lockup rate) and lockup time is optional. If you
do not specify them, lockup does not occur.
Note: The maximum rate must be larger than the normal rate.
6. Click OK.
2. Click on the interface name to display the configuration tabs for it.
7. Click OK.
P e r f o r m a n c e b yD e s i g n 541 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
ICMP Rate Limiting
To configure ICMP rate limiting in a virtual server template:
1. Select Config > Service > SLB.
4. Select the ICMP Rate Limit Status checkbox to enable the configuration
fields.
9. Click OK.
CLI Example
The following commands configure a virtual server template that sets ICMP
rate limiting:
AX(config)#slb template virtual-server vip-tmplt
AX(config-vserver)#icmp-rate-limit 25000 lock 30000 60
542 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Source-IP Based Connection Rate Limiting
Parameters
Source-IP based connection rate limiting is configured using the following
parameters:
• Connection limit – Maximum number of connection requests allowed
from a client, within the limit period. The connection limit can be
1-1000000.
• Limit period – Interval to which the connection limit is applied. A client
is conforming to the rate limit if the number of new connection requests
within the limit period does not exceed the connection limit.
The limit period can be one of the following:
• 100 milliseconds (one tenth of a second)
• 1000 milliseconds (one second)
P e r f o r m a n c e b yD e s i g n 543 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Source-IP Based Connection Rate Limiting
Log Messages
The AX device generates two log messages per offending client, per client
activity.
The first message is generated the first time a client exceeds the connection
limit. The message indicates the source (client) address and the destination
address of the session. If lockout is configured, the message also indicates
that the client is locked out.
The second message is generated after the client activity for that period.
This message indicates the number of times the client exceeded the connec-
tion limit. If lockout is enabled, the message also indicates the number of
requests that were dropped during lockout.
In this example, the session is between the same client and destination as the
previous example. During this period of activity, 897 of the requests from
the client were sent after a connection limit had been exceeded, and were
dropped. An additional 2342 requests were dropped because they were
received during the lockout.
Deployment Considerations
The AX device internally uses a session to keep track of user activity. Cur-
rently, the AX device has a capacity of up to 16 million sessions. Up to 8
million of these sessions are available for tracking user activity.
544 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Source-IP Based Connection Rate Limiting
Depending on client profile and activity, as well as the number of virtual
ports configured on the device, you might need to use the shared option to
apply the connection limit to all virtual ports, instead of each individual
port. The default is to apply the connection limit to each individual virtual
port, which uses proportionally more sessions than the shared option.
If you plan to enable logging for this feature, A10 Networks recommends
using an external log server. Log traffic can be heavy during an attack.
If you plan to use this feature with DNS load balancing, A10 Networks rec-
ommends the following:
• Increase the maximum number of Layer 4 sessions. To increase the
maximum number of Layer 4 sessions the system can have, use the fol-
lowing CLI command at the global configuration level of the CLI:
system resource-usage l4-session-count num
The num option specifies the number of Layer 4 sessions.
• Use a short UDP aging time. To set a short UDP aging time, use the fol-
lowing command at the configuration level for the UDP template to
which you plan to bind the DNS virtual port(s):
aging short [seconds]
The seconds option specifies the number of seconds to wait before ter-
minating UDP sessions. If you omit the seconds option, sessions are ter-
minated after the SLB maximum session life (MSL) time expires, after a
request is received and sent out to the server. (The MSL timer is a globally con-
figurable SLB option. For more information, see the AX Series CLI Reference
or AX Series GUI Reference.)
Configuration
Note: The current release does not support configuration or monitoring of this
feature using the GUI.
P e r f o r m a n c e b yD e s i g n 545 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Source-IP Based Connection Rate Limiting
The conn-limit option specifies the connection limit and can be 1-1000000.
The per {100 | 1000} option specifies the limit period, either 100 millisec-
onds or 1000 milliseconds.
The shared option specifies that the connection limit applies in aggregate to
all virtual ports. If you omit this option, the limit applies separately to each
virtual port.
Configuration Examples
CLI Example 1
CLI Example 2
CLI Example 3
546 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
requests within a given limit period, to one or more virtual ports, the client
is locked out for 3 seconds.
AX(config)#slb conn-rate-limit src-ip 2000 per 100 shared exceed-action log
lock-out 3
Statistics
The following commands display statistics for this feature, then reset the
counters to 0 and verify that they have been reset:
AX(config)#show slb conn-rate-limit src-ip statistics
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000
AX(config)#clear slb conn-rate-limit src-ip statistics
AX(config)#show slb conn-rate-limit src-ip statistics
Threshold check count 0
Honor threshold count 0
Threshold exceeded count 0
Lockout drops 0
Log messages sent 0
DNS requests re-transmitted 0
No DNS response for request
P e r f o r m a n c e b yD e s i g n 547 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
An ACL can contain multiple rules. Each rule contains a single permit or
deny statement. Rules are added to the ACL in the order you configure
them. The first rule you add appears at the top of the ACL.
Rules are applied to the traffic in the order they appear in the ACL (from the
top, which is the first rule, downward). The first rule that matches traffic is
used to permit or deny that traffic. After the first rule match, no additional
rules are compared against the traffic.
548 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
3. Click Add.
4. Enter or select the values to filter. (For descriptions, see the CLI syntax
below.)
5. Click OK. The new ACL appears in the Standard ACL table.
The seq-num option specifies the sequence number of this rule in the ACL.
(See “Resequencing ACL Rules” on page 561.)
The deny | permit option specifies the action to perform on traffic that
matches the ACL:
• deny – Drops the traffic.
The remark option adds a remark to the ACL. (For more information, see
“Adding a Remark to an ACL” on page 558.)
P e r f o r m a n c e b yD e s i g n 549 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
• net-src-ipaddr {filter-mask | /mask-length} – The ACL matches on any
host in the specified subnet. The filter-mask specifies the portion of the
address to filter:
• Use 0 to match.
• Use 255 to ignore.
Alternatively, you can use mask-length to specify the portion of the address
to filter. For example, you can specify “/24” instead “0.0.0.255” to filter on
a 24-bit subnet.
The log option configures the AX device to generate log messages when
traffic matches the ACL. This option is disabled by default.
When ACL logging is enabled, the AX device writes the log messages to
the local logging buffer. If you configure an external log server, the AX
device also sends the messages to the server.
Note: If you plan to use an external log server, the server must be attached to an
AX data port in order for ACL logging messages to reach the server. They
will not reach the server if the server is attached to the AX management
port.
CLI EXAMPLE
550 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
3. Click Add.
4. Enter or select the values to filter. (For descriptions, see the CLI syntax
below.)
5. Click OK. The new ACL appears in the Extended ACL table.
[log]
The seq-num option specifies the sequence number of this rule in the ACL.
(See “Resequencing ACL Rules” on page 561.)
The deny | permit option specifies the action to perform on traffic that
matches the ACL:
• deny – Drops the traffic.
P e r f o r m a n c e b yD e s i g n 551 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
The remark option adds a remark to the ACL. (For more information, see
“Adding a Remark to an ACL” on page 558.)
Alternatively, you can use mask-length to specify the portion of the address
to filter. For example, you can specify “/24” instead “0.0.0.255” to filter on
a 24-bit subnet.
The options for specifying the destination address are the same as those for
specifying the source address.
The log option enables the AX device to generate log messages when traffic
matches the ACL. This option is disabled by default.
When ACL logging is enabled, the AX device writes the log messages to
the local logging buffer. If you configure an external log server, the AX
device also sends the messages to the server.
Note: If you plan to use an external log server, the server must be attached to an
AX data port in order for ACL logging messages to reach the server. They
will not reach the server if the server is attached to the AX management
port.
552 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
Syntax for Filtering on ICMP Traffic
[log]
The type and code options enable you to filter on ICMP traffic.
The type type-option option matches based on the specified ICMP type.
You can specify one of the following. Enter the type name or the type num-
ber (for example, dest-unreachable or 3). The type-option can be one of the
following:
• any-type – Matches on any ICMP type.
P e r f o r m a n c e b yD e s i g n 553 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
The code code-num option matches based on the specified ICMP code. To
match on any ICMP code, specify any-code. To match on a specific ICMP
code, specify the code, 0-254.
[log]
The tcp and udp options enable you to filter on protocol port numbers. Use
one of the following options to specify the source port(s) on which to filter:
• eq src-port – The ACL matches on traffic from the specified source
port.
• gt src-port – The ACL matches on traffic from any source port with a
higher number than the specified port.
• lt src-port – The ACL matches on traffic from any source port with a
lower number than the specified port.
• range start-src-port end-src-port – The ACL matches on traffic from
any source port within the specified range.
The same options can be used to specify the destination port(s) on which to
filter.
554 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
CLI EXAMPLE
Note: The GUI does not support configuration of IPv6 ACLs in the current
release.
Enter this command at the global configuration level of the CLI. The acl-id
can be a string up to 16 characters long. This command changes the CLI to
the configuration level for the ACL, where the following ACL-related com-
mands are available.
[log]
or
P e r f o r m a n c e b yD e s i g n 555 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
[no] {permit | deny} {tcp | udp}
[log]
Parameter Description
seq-num Sequence number of this rule in the ACL. You
can use this option to resequence the rules in the
ACL.
deny | permit Action to take for traffic that matches the ACL.
deny – Drops the traffic.
permit – Allows the traffic.
ipv6 | icmp Filters on IPv6 or ICMP packets.
tcp | udp Filters on TCP or UDP packets. The tcp and udp
options enable you to filter on protocol port num-
bers.
any |
host host-src-
ipv6addr |
net-src-
ipv6addr /mask-
length Source IP address(es) to filter.
any – The ACL matches on all source IP
addresses.
host host-src-ipv6addr – The ACL
matches only on the specified host IPv6 address.
net-src-ipv6addr /mask-length – The
ACL matches on any host in the specified subnet.
The mask-length specifies the portion of the
address to filter.
556 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
eq src-port |
gt src-port |
lt src-port |
range start-
src-port
end-src-port For tcp or udp, the source protocol ports to filter.
eq src-port – The ACL matches on traffic
from the specified source port.
gt src-port – The ACL matches on traffic
from any source port with a higher number than
the specified port.
lt src-port – The ACL matches on traffic
from any source port with a lower number than
the specified port.
range start-src-port end-src-port
– The ACL matches on traffic from any source
port within the specified range.
any |
host host-dst-
ipv6addr |
net-dst-
ipv6addr /mask-
length Destination IP address(es) to filter.
eq dst-port |
gt dst-port |
lt dst-port |
range start-
dst-port
end-dst-port For tcp or udp, the destination protocol ports to
filter.
log Configures the AX device to generate log mes-
sages when traffic matches the ACL.
The string can be 1-63 characters. To use blank spaces in the remark,
enclose the entire remark string in double quotes.
P e r f o r m a n c e b yD e s i g n 557 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
As shown in this example, the remark appears at the top of the ACL, above
the first rule.
To use blank spaces in the remark, enclose the entire remark string in double
quotes, as shown in the example. The ACL must already exist before you
can configure a remark for it.
4. On the IPv4 tab, select the ACL from the Access List field.
5. Click OK.
558 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
To apply an ACL to a Virtual Ethernet (VE) interface:
1. Select Config > Network > Interface.
6. Click OK.
Access the configuration level for the interface and use the following com-
mand:
access-list acl-num in
To apply a configured ACL to a virtual server port, use either of the follow-
ing methods.
P e r f o r m a n c e b yD e s i g n 559 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
4. Enter or change information on the General tab, if you are configuring a
new virtual server.
5. On the Port tab, click Add or select a port and click Edit.
6. On the Virtual Server Port tab, select the ACL from the Access List
drop-down list.
7. Click OK.
To apply an ACL to a virtual port in the CLI, use the following command at
the configuration level for the virtual port:
access-list acl-id
560 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
5. Click Add. The new binding appears in the ACL section.
6. Click OK.
To use a configured ACL in an IPv4 NAT pool, use the following command:
Rules are applied to the traffic in the order they appear in the ACL (from the
top rule, which is the first, downward). The first rule that matches traffic is
used to permit or deny that traffic. After the first rule match, no additional
rules are compared against the traffic.
Each ACL has an implicit deny any rule at the end of the ACL. This rule is
applied to any traffic that does not match any of the configured rules in the
ACL. The deny any rule at the end of the ACL is not displayed and cannot
be removed.
You can resequence the rules in an ACL. When you create an ACL rule, the
AX device assigns a sequence number to the rule and places the rule at the
bottom of the ACL. Here is an example:
AX(config)#access-list 86 permit host 10.10.10.12
AX(config)#access-list 86 deny 10.10.10.0 /24
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
In this example, two rules are configured for ACL 86. The default sequence
numbers are used. The first rule has sequence number 10, and each rule
after that has a sequence number that is higher by 10.
P e r f o r m a n c e b yD e s i g n 561 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Access Control Lists (ACLs)
The intent of this ACL is to deny all access from the 10.10.10.x subnet,
except for access from specific host addresses. In this example, the permit
rule for the host appears before the deny rule for the subnet the host is in, so
the host will be permitted. However, suppose another permit rule is added
for another host in the same subnet.
AX(config)#access-list 86 permit host 10.10.10.13
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
access-list 86 30 permit host 10.10.10.13 log Hits: 0
By default, since no sequence number was specified when the rule was con-
figured, the rule is placed at the end of the ACL. Because the deny rule
comes before the permit rule, host 10.10.10.13 will never be permitted.
To resequence the ACL to work as intended, the deny rule can be deleted,
then re-added. Alternatively, either the deny rule or the second permit rule
can be resequenced to appear in the right place. To change the sequence
number of an ACL rule, delete the rule, then re-add it with the sequence
number.
AX(config)#no access-list 86 30
AX(config)#access-list 86 11 permit host 10.10.10.13 log
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 11 permit host 10.10.10.13 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
In this example, rule 30 is deleted, then re-added with sequence number 11.
The ACL will now work as intended, and permit hosts 10.10.10.12 and
10.10.10.13 while denying all other hosts in the 10.10.10.x subnet. To per-
mit another host, another rule can be added, sequenced to come before the
deny rule.
AX(config)#access-list 86 12 permit host 10.10.10.14 log
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 11 permit host 10.10.10.13 log Hits: 0
access-list 86 12 permit host 10.10.10.14 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
562 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
USING THE GUI
Each row in the Standard ACL and Extended ACL tables is a separate ACL
rule. You can configure multiple rules in the same ACL. In this case, they
still appear as separate rows, with the same ACL number.
The AX device applies the ACL rules in the order they are listed, starting at
the top of the table. The first rule that matches traffic is used to permit or
deny that traffic. After the first rule match, no additional rules are compared
against the traffic.
If you need to re-order the ACL rules, you can do so by clicking the up or
down arrows at the ends of the rows containing the ACL rules.
For traffic that is allowed, you can specify the service group to use. You also
can specify the action to perform (drop or reset) on new connections that
exceed the configured connection threshold for the client address. For
example, you can configure the AX to respond to DDoS attacks from a cli-
ent by dropping excessive connection attempts from the client.
For each address in a black/white list, you can set values for the following
options:
• Group ID – A number from 1 to 31 in a black/white list that identifies a
group of IP host or subnet addresses contained in the list. In a PBSLB
P e r f o r m a n c e b yD e s i g n 563 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
policy template on the AX device, you can map the group to one of the
following actions:
• Drop the traffic
• Reset the connection
• Send the traffic to a specific service group
With either method, the syntax is the same. Add a row for each IP address
(host or subnet), using the following syntax:
The network-mask is optional. The default is 32, which means the address is
a host address.
564 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
Note: The conn-limit is a coarse limit. The larger the number you specify, the
coarser the limit will be. For example, if you specify 100, the AX device
limits the total connections to exactly 100; however, if you specify 1000,
the device limits the connections to not exceed 992.
If the number in the file is larger than the supported maximum (32767),
the parser will use the longest set of digits in the number you enter that
makes a valid value. For example, if the file contains 32768, the parser
will use 3276 as the value. As another example, if the file contains
111111, the parser will use 11111 as the value.
The first row assigns a specific host to group 4. On the AX device, the drop
action will be assigned to this group, thus black listing the client. The sec-
ond row black lists an entire subnet, by assigning it to the same group (4).
The third row sets the maximum number of concurrent connections for a
specific host to 20. The fourth row assigns a specific host to group 2 and
specifies a maximum of 20 concurrent connections.
Note: The AX device allows up to three parser errors when reading the file.
However, after the third parser error, the device stops reading the file.
To configure PBSLB:
1. Configure a black/white list, either remotely or on the AX device itself.
2. If you configure the list remotely, import the list onto the AX device.
3. Optionally, modify the sync interval for the list. The AX regularly syn-
chronizes with the list to make sure the AX version is current.
P e r f o r m a n c e b yD e s i g n 565 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
4. Configure PBSLB settings. You can configure the following settings
directly on individual virtual ports, or configure a policy template and
bind the template to virtual ports.
• Specify the black/white list.
• Optionally, map each group ID used in the list to one of the follow-
ing actions:
• Send the traffic to a specific service group.
• Reset the traffic.
• Drop the traffic.
• Optionally, change the action (drop or reset) the AX will perform on
connections that exceed the limit specified in the list.
• Optionally, if needed for your configuration, change client address
matching from source IP matching to destination IP matching.
Note: These steps assume that the real servers, service groups, and virtual serv-
ers have already been configured.
3. Click Add.
5. From the drop-down list below the Name field, select the black/white
list or click “create” to create or import one.
566 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
c. To import a list from a remote server, select Remote. Enter values
for the following parameters:
• Interval at which the AX device re-imports the list. This option
ensures that changes to the list are automatically replicated on
the AX device.
• File transfer protocol to use.
• IP address or hostname of the device where the list is located.
• Path and filename of the list on the remote device.
d. Click OK. The Policy tab reappears.
Note: If the Use default server selection when preferred method fails option
is enabled on the virtual port, log messages will never be generated for
server-selection failures. To ensure that messages are generated to log
server-selection failures, disable the Use default server selection when
preferred method fails option on the virtual port. This limitation does
not affect failures that occur because a client is over their PBSLB connec-
tion limit. These failures are still logged.
d. Click Add. The group settings appear in the PBSLB list.
e. Repeat the steps above for each group.
8. Select the action to take when traffic exceeds the limit: Drop or Reset.
P e r f o r m a n c e b yD e s i g n 567 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
10. Click OK. The new policy appears in the PBSLB policy list.
568 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
FIGURE 151 Config > Service > SLB > Virtual Server - Virtual Server Port
tab
The url specifies the file transfer protocol, directory path, and filename. The
following URL format is supported:
tftp://host/file
P e r f o r m a n c e b yD e s i g n 569 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
The period seconds option specifies how often the AX device re-imports
the list to ensure that changes to the list are automatically replicated on the
AX. You can specify 60 – 86400 seconds. The default is 300 seconds.
The load option immediately re-imports the list to get the latest changes.
Use this option if you change the list and want to immediately replicate the
changes on the AX device, without waiting for the update period.
Note: A TFTP server is required on the PC and the TFTP server must be run-
ning when you enter the bw-list command.
Note: If you use the load option, the CLI cannot accept any new commands
until the load is completely finished. For large black/white lists, loading
can take a while. Do not abort the load process; doing so can also interrupt
periodic black/white-list updates. If you do accidentally abort the load
process, repeat the command with the load option and allow the load to
complete.
Enter this command at the global configuration level of the CLI. The com-
mand creates the template and changes the CLI to the configuration for the
template, where the following PBSLB-related commands are available.
This command binds a black/white list to the virtual ports that use this tem-
plate.
[no] bw-list id id
{service service-group-name | drop | reset}
[logging [minutes] [fail]]
This command specifies the action to take for clients in the black/white list:
• id – Group ID in the black/white list.
570 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
• logging [minutes] [fail] – Enables logging. The minutes
option specifies how often messages can be generated. This option
reduces overhead caused by frequent recurring messages.
For example, if the logging interval is set to 5 minutes, and the PBSLB
rule is used 100 times within a five-minute period, the AX device gener-
ates only a single message. The message indicates the number of times
the rule was applied since the last message. You can specify a logging
interval from 0 to 60 minutes. To send a separate message for each
event, set the interval to 0.
PBSLB rules that use the service service-group-name option also have a
fail option for logging. The fail option configures the AX device to gen-
erate log messages only when there is a failed attempt to reach a service
group. Messages are not generated for successful connections to the ser-
vice group. The fail option is disabled by default. The option is available
only for PBSLB rules that use the service service-group-name option,
not for rules with the drop or reset option, since any time a drop or reset
rule affects traffic, this indicates a failure condition.
Logging is disabled by default. If you enable it, the default for minutes
is 3.
The AX device uses the same log rate limiting and load balancing fea-
tures for PBSLB logging as those used for ACL logging. See “Log Rate
Limiting” on page 39.
This command specifies the action to take for traffic that is over the limit.
• drop – Drops new connections until the number of concurrent connec-
tions on the virtual port falls below the port’s connection limit. (The
connection limit is set in the black/white list.)
• reset – Resets new connections until the number of concurrent con-
nections on the virtual port falls below the connection limit.
[no] use-destination-ip
This command matches black/white list entries based on the client’s desti-
nation IP address. By default, matching is based on the client’s source IP
P e r f o r m a n c e b yD e s i g n 571 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
address. This option is applicable if you are using a wildcard VIP. (See
“Wildcard VIPs” on page 229.)
To bind the template to a virtual port, use the following command at the
configuration level for the port:
To bind a black/white list to a virtual port, use the following command at the
configuration level for the virtual port:
The name is the name you assign to the list when you import it.
pbslb id id
{service service-group-name | drop | reset}
[logging [minutes] [fail]]]
The drop option immediately drops all connections between the clients in
the list and any servers in the service group. The reset option resets the con-
nections between the clients in the list and any servers in the service group.
The logging option enables logging. The minutes option specifies how often
messages can be generated. This option reduces overhead caused by fre-
quent recurring messages. For example, if the logging interval is set to 5
minutes, and the PBSLB rule is used 100 times within a five-minute period,
the AX device generates only a single message. The message indicates the
number of times the rule was applied since the last message. You can spec-
ify a logging interval from 0 to 60 minutes. To send a separate message for
each event, set the interval to 0. The default is 3 minutes.
PBSLB rules that use the service service-group-name option also have a
fail option for logging. The fail option configures the AX device to generate
log messages only when there is a failed attempt to reach a service group.
Messages are not generated for successful connections to the service group.
The fail option is disabled by default. The option is available only for
PBSLB rules that use the service service-group-name option, not for rules
572 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
with the drop or reset option, since any time a drop or reset rule affects traf-
fic, this indicates a failure condition.
The AX device uses the same log rate limiting and load balancing features
for PBSLB logging as those used for ACL logging. See “Log Rate Limit-
ing” on page 39.
The drop action drops new connections until the number of concurrent con-
nections on the virtual port falls below the threshold. The reset option resets
new connections until the number of concurrent connections on the virtual
port falls below the threshold. The default action is drop.
The name is the name you assign to the list when you import it. The ipaddr
is the client IP address.
P e r f o r m a n c e b yD e s i g n 573 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
The name option specifies a virtual server name. If you use this option, sta-
tistics are displayed only for that virtual server. Otherwise, statistics are
shown for all virtual servers.
574 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
The following commands shows PBSLB information:
AX(config-slb virtual server-slb virtua...)#show pbslb
Total number of PBSLB configured: 1
Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1 80 sample-bwlist 2 0 0 0
4 0 0 0
PBSLB_VS2 80 sample-bwlist 2 0 0 0
4 0 0 0
P e r f o r m a n c e b yD e s i g n 575 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Policy-Based SLB (PBSLB)
576 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Role-Based Administration
P e r f o r m a n c e b yD e s i g n 577 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Overview
Figure 152 shows an example of an AX device with multiple partitions.
Admins assigned to the partition for A.com can add, modify, delete and save
only those resources contained in A.com's partition. Likewise, B.com's
admins can add, modify, delete and save only the resources in B.com's parti-
tion.
578 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Resource Partitions
AX system resources are contained in partitions. The AX device has a sin-
gle shared partition and can have multiple private partitions.
• Shared partition – The shared partition contains resources that can be
configured only by admins with Root or Read Write privileges. By
default, all resources are in the shared partition. There is one shared par-
tition for the device and it is the default partition. The shared partition
cannot be deleted.
• Private partitions – A private partition can be accessed only by the
admins who are assigned to it, and by admins with Root, Read Write, or
Read Only privileges. The AX device does not have any private parti-
tions by default.
Private partitions can be created or deleted only by admins who have Root
or Read Write privileges. A maximum of 128 partitions are supported.
• Virtual servers
• Service groups
• Templates
• Health monitors
• aFleX policies
All other types of resources can reside only in the shared partition and are
not configurable by admins assigned to private partitions.
Resource names must be unique within a partition. However, the same name
can be used for resources in different partitions. For example, partitions
“A.com” and “B.com” can each have a real server named “rs1”. The AX
device is able to distinguish between them.
P e r f o r m a n c e b yD e s i g n 579 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Use of Shared Resources by Private Resources
SLB resources in private partitions can use SLB resources in the shared par-
tition, but cannot use resources in other private partitions. For example, a
virtual service port in a private partition can be configured to bind to a ser-
vice group in the shared partition, as shown in the following GUI example.
aFleX Policies
By default, aFleX policies act upon resources within the partition that con-
tains the aFleX policy. Some aFleX commands have an option to act upon
service groups in the shared partition instead. (For more information, see
the AX Series aFleX Reference.)
Partition Logos
Each private partition has a logo file associated with it. The logo appears in
the upper left corner of the Web GUI. By default, the A10 Networks logo is
used. Partition admins can replace the A10 Networks logo with a company
logo. The recommended logo size is 180x60 pixels.
The following examples show Web GUI pages for two private partitions. A
company-specific logo has been uploaded for each partition.
580 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
FIGURE 154 Configurable Partition Logos
Administrator Roles
The type of access (read-only or read-write) allowed to an admin, and the
partitions where the access applies, depend on that admin’s privilege level
(role). An admin account can have one of the privilege levels listed in
Table 15 on page 581.
Note: The “Partition” privilege levels apply specifically to admins who are
assigned to private partitions.
P e r f o r m a n c e b y
D e s i g n 581 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
TABLE 15 Admin Privilege Levels (Continued)
Access to Can configure Can Change
Privilege Shared other admin Own
Level (Role) Partition Access to Private Partition accounts Password?
Partition Read Read-only Read-only, for the partition to which the No No
admin is assigned
Partition Real None Read-only for real servers, with permis- No No
Server Opera- sion to view service port statistics, and
tor to disable or enable real servers and real
server ports.
No other read-only or read-write privi-
leges are granted.
All access is restricted to the partition to
which the admin is assigned.
1. Only the admin account named “admin” is allowed to configure other admin accounts, and cannot be deleted. Otherwise,
the Root and Read-write privilege levels are the same.
2. The Root privilege level can also change the passwords of other admins.
All admins can view resources in the shared partition. However, the only
admins who can add, modify, or delete resources in the shared partition are
admins with Root or Read Write privileges. Admins who are assigned to a
partition can view but not modify resources in the shared partition. Admins
assigned to a partition cannot view the resources in any other private parti-
tion.
Only admins with Root or Read Write privileges can select the partition(s)
for which to save changes.
Admins with Real Server Operator privileges can view real servers within
the private partition and can disable or re-enable the real servers and their
individual service ports. These admins have no other privileges.
582 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Role-Based Administration
3. Configure any SLB shared resources that you want to make available to
multiple private partitions. (For information about configuring SLB
resources, see the SLB configuration chapters in this guide.)
Note: This document shows how to set up partitions and assign admins to them.
The partition admins will be able to configure their own SLB resources.
However, you will need to configure connectivity resources such as inter-
faces, VLANs, routing, and so on. You also will need to configure any
additional admin accounts for the partition.
Note: To configure admin accounts, you must be logged in with Root privileges.
5. To upload a logo for the partition, click Browse and navigate to the logo
file.
P e r f o r m a n c e b yD e s i g n 583 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Role-Based Administration
FIGURE 155 Config > System > Admin > Partition
FIGURE 156 Config > System > Admin > Partition - List
The partition-name can be 1-14 characters. (For information about the max-
aflex-file option, see “Changing the Maximum Number of aFleX Policies
Allowed in a Partition” on page 584.)
584 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Role-Based Administration
USING THE GUI
1. Select Config > System > Admin.
3. Select the partition. (Click the checkbox next to the partition name.)
4. Edit the number in the Max aFleX File field. You can specify 1-128.
Deleting a Partition
Only an admin with Root or Read Write privileges can delete a partition.
When a partition is deleted, all resources within the partition also are
deleted.
3. Select the partition. (Click the checkbox next to the partition name.)
4. Click Delete.
no partition [partition-name]
P e r f o r m a n c e b yD e s i g n 585 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Role-Based Administration
If you do not specify a partition name, the CLI displays a prompt to verify
whether you want to delete all partitions and the resources within them.
Enter “y” to confirm or “n” to cancel the request.
6. From the Partition drop-down list, select the partition to which you are
assigning the admin.
7. Click OK. The new admin appears in the admin list with their respective
partition logos.
586 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Role-Based Administration
FIGURE 157 Config > System > Admin > Admin Management
[no] privilege
{partition-write | partition-read |
partition-enable-disable}
partition-name
The admin command creates the admin account and changes the CLI to the
configuration level for the account. The command syntax shown here
includes the password option. You can specify the password with the
admin command, or with the separate password command at the configu-
ration level for the account. The default password is “a10”.
The privilege command specifies the privilege level for the account and
assigns the account to a partition. (The partition-enable-disable option
gives Partition Real Server Operator privileges.)
P e r f o r m a n c e b yD e s i g n 587 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring Role-Based Administration
CLI Example
The following commands configure two private partitions, “companyA”
and “companyB”, and verify that they have been created.
AX(config)#partition companyA
AX(config)#partition companyB
AX(config)#show partition
Max Number allowed: 128
Total Number of partitions configured: 2
Partition Name Max. aFleX File Allowed # of Admins
------------------------------------------------------
companyA 32 0
companyB 32 0
588 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Viewing and Saving the Configuration
• P.R – The admin is assigned to a private partition and has Partition-read
(read-only) privileges within that partition.
• P.RS Op – The admin is assigned to a private partition but has permis-
sion only to view service port statistics for real servers in the partition,
and to disable or re-enable the real servers.
Admins with Root or Read Write privileges can save resources in any parti-
tion. Admins with Partition-write privileges can save only the resources
within their own partition.
show running-config
[all-partitions | partition partition-name]
show startup-config
[all-partitions | partition partition-name]
If you enter the command without either option, the command shows only
the resources that are in the shared partition.
The all-partitions option shows all resources in all partitions. In this case,
the resources in the shared partition are listed first. Then the resources in
each private partition are listed, organized by partition.
P e r f o r m a n c e b yD e s i g n 589 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Viewing and Saving the Configuration
If you specify a private partition-name, only the resources in that partition
are listed.
To save the configuration in the GUI, click the Save button on the title bar.
The GUI automatically saves only the resources that are in the current parti-
tion view. For example, if the partition view is set to the “companyB” pri-
vate partition, only the resources in that partition are saved.
write memory
[all-partitions | partition partition-name]
If you enter the command without either option, the command saves only
the changes for resources that are in the current partition.
The all-partitions option saves changes for all resources in all partitions.
If you specify a private partition-name, only the changes for the resources
in that partition are saved.
Note: The all-partitions and partition partition-name options are not applica-
ble for admins with Partition-write privileges. Partition admins can only
save their respective partitions. For these admins, the command syntax is
590 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Switching To Another Partition
the same as in previous releases. The options are available only to admins
with Root or Read Write privileges.
To change the view to a private partition, use either of the following meth-
ods.
2. Click Yes.
3. Click the Refresh button next to the Partition drop-down list. You must
refresh the page in order for the view change to take effect.
Use the following command at the Privileged EXEC level of the CLI:
P e r f o r m a n c e b yD e s i g n 591 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Synchronizing the Configuration
The following command changes the view to private partition “companyA”:
AX#active-partition companyA
Currently active partition: companyA
show active-partition
An admin with Root or Read Write privileges can specify any partitions(s)
to synchronize.
592 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Synchronizing the Configuration
USING THE CLI
The ha sync commands have new options that enable you to specify the
partition. For admins with Root or Read Write privileges, here is the new
syntax for the ha sync commands:
ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ha sync startup-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ha sync running-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ha sync data-files
[all-partitions | partition partition-name]
For admins logged on with Partition Write privileges, the following syntax
is available:
ha sync data-files
Admins with Partition Write privileges are not allowed to synchronize to the
running-config or to reload the other AX device.
P e r f o r m a n c e b yD e s i g n 593 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Operator Management of Real Servers
Note: Service port statistics are not available in the GUI. To display service port
statistics, use the CLI instead.
2. Select the checkbox next to each server you want to disable or re-enable,
or click Select All to select all of the servers.
Note: Although the GUI displays the Delete and New buttons, these buttons are
not supported for admins with Partition Real Server Operator privileges.
2. Select the checkbox next to each server for which you want to disable or
re-enable service ports, or click Select All to select all of the servers.
3. Click Edit.
594 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Operator Management of Real Servers
5. Select the port numbers you want to disable or re-enable.
A single row appears for each port number. Selecting a row selects the
port number on each of the real servers you selected in step 2.
7. Click OK.
P e r f o r m a n c e b yD e s i g n 595 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Operator Management of Real Servers
CLI Example
login as:compAoper
Welcome to AX
Using keyboard-interactive authentication.
Password:********
Last login: Wed Aug 20 08:58:45 2008 from 192.168.1.130
596 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Operator Management of Real Servers
Use one of the following commands to change the state of the server:
{disable | enable}
To verify the state change, use the show slb server command.
P e r f o r m a n c e b yD e s i g n 597 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Operator Management of Real Servers
598 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
SLB Parameters
This chapter lists the parameters you can configure for Server Load Balanc-
ing (SLB).
Note: For information about server and port configuration templates, see
“Server and Port Templates” on page 281.
Table 18 lists the types of templates that are valid for each service type.
When you configure a virtual port, the AX device automatically adds any
default templates that are applicable to the service type. To override a
default template, you can configure another template of the same type and
bind that template to the virtual port instead.
For example, when you configure a virtual port that has the service type
Fast-HTTP, the following templates are automatically applied to the service
port:
• TCP
• HTTP
P e r f o r m a n c e b yD e s i g n 599 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
For information about the default settings in a template, see the section in
this chapter that describes the template. For the template types listed above,
see the following sections:
• “Connection Reuse Template Parameters” on page 605
A virtual port can have only one of each type of template that is valid for the
port’s service type, so when you add a template to the virtual port, the other
template of the same type is automatically removed from the virtual port.
600 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
P e r f o r m a n c e b y
D e s i g n 601 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 17 Cache Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Maximum object Maximum object size that can be cached. The AX 1-8000000 bytes
size device will not cache objects larger than this size. Default: 50000 bytes (50 Kbytes)
[no] max-content-size bytes
Config > Service > Template > Application >
RAM Caching
Minimum object minimum object size that can be cached. The AX 1-8000000 bytes
size device will not cache objects smaller than this size. Default: 500 bytes (1/2 Kbytes)
[no] min-content-size bytes
Config > Service > Template > Application >
RAM Caching
Dynamic Configures dynamic caching. Valid URI pattern.
caching policy [no] policy uri pattern Default: Not set
{cache [seconds] | nocache |
invalidate inv-pattern}
The pattern option specifies the portion of the URI
string to match on.
The other options specify the action to take for URIs
that match the pattern:
• cache [seconds] – Caches the content. By default,
the content is cached for the number of seconds
configured in the template (set by the age com-
mand). To override the aging period set in the
template, specify the number of seconds with the
cache command.
• nocache – Does not cache the content.
• invalidate inv-pattern – Invalidates the content
that has been cached for inv-pattern.
Config > Service > Template > Application >
RAM Caching
Verify host Enables the AX device to cache the host name in Default: Disabled
addition to the URI for cached content. Use this
option if a real server that contains cacheable con-
tent will host more than one host name (for exam-
ple, www.abc.com and www.xyz.com).
[no] verify-host
Config > Service > Template > Application >
RAM Caching
602 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 17 Cache Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Replacement Policy used to make room for new objects when the The policy supported in the current
policy RAM cache is full. release is Least Frequently Used
When the RAM cache becomes more than 90% full, (LFU).
the AX device discards the least-frequently used Default: LFU
objects to ensure there is sufficient room for new
objects.
[no] replacement-policy LFU
Config > Service > Template > Application >
RAM Caching
P e r f o r m a n c e b y
D e s i g n 603 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 18 Client SSL Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Certificate key Key for the certificate, and the passphrase used to Key name: string of 1-31 characters
encrypt the key. Passphrase: string of 1-16 characters
[no] key key-name Default: None configured
[passphrase passphrase-string]
Config > Service > Template > SSL > Client SSL
AX response to Action that the AX device takes in response to a cli- One of the following:
connection ent’s connection request. • ignore – The AX device does not
request from cli- [no] client-certificate request the client to send its certifi-
ent {ignore | request | require} cate.
Config > Service > Template > SSL > Client SSL • request – The AX device requests
the client to send its certificate. With
this action, the SSL handshake pro-
ceeds even if either of the following
occurs:
• The client sends a NULL certifi-
cate (one with zero length).
• The certificate is invalid, causing
client verification to fail.
Use this option if you want to the
request to trigger an aFleX policy
for further processing.
• require – The AX device requires
the client certificate. This action
requests the client to send its certifi-
cate. However, the SSL handshake
does not proceed (it fails) if the cli-
ent sends a NULL certificate or the
certificate is invalid.
Default: ignore
Certificate CRL to use for verifying that client certificates have Name of a CRL imported onto the AX
Revocation List not been revoked. device
(CRL) When you add a CRL to a client SSL template, the
AX device checks the CRL to ensure that the certif-
icates presented by clients have not been revoked by
the issuing CA.
[no] crl filename
Config > Service > Template > SSL > Client SSL
Note: If you plan to use a CRL, you must set the
Mode to Require.
Note: To use the CRL, you must import it onto the
AX device. (See “Importing SSL Certificates” on
page 467.)
604 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 18 Client SSL Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Session cache Maximum number of cached sessions for SSL ses- 0-131072
size sion ID reuse. Default: 0 (session ID reuse is dis-
[no] session-cache-size number abled)
Config > Service > Template > SSL > Client SSL
Ciphers Cipher suite to support for decrypting certificates One or more of the following:
from clients. • SSL3_RSA_DES_192_CBC3_SHA
[no] cipher • SSL3_RSA_DES_40_CBC_SHA
Config > Service > Template > SSL > Client SSL - • SSL3_RSA_DES_64_CBC_SHA
Cipher tab
• SSL3_RSA_RC4_128_MD5
• SSL3_RSA_RC4_128_SHA
• SSL3_RSA_RC4_40_MD5
• TLS1_RSA_AES_128_SHA
• TLS1_RSA_AES_256_SHA
• TLS1_RSA_EXPORT1024_RC4_56
_MD5
• TLS1_RSA_EXPORT1024_RC4_56
_SHA
Default: All the above are enabled.
P e r f o r m a n c e b y
D e s i g n 605 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 19 Connection Reuse Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Connection idle Maximum number of seconds a connection can 0-3600 seconds
timeout remain idle before it times out. To disable timeout, specify 0.
[no] timeout seconds Default: 2400 seconds (40 minutes)
Config > Service > Template > Connection Reuse
606 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 20 Cookie Persistence Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Match type Changes the granularity of cookie persistence: One of the following:
• Port – The cookie inserted into the HTTP header • Port (selectable in the GUI but not
of the server reply to a client ensures that subse- in the CLI)
quent requests from the client will be sent to • Server
the same real port on the same real server. • Service-group
• Server – The cookie inserted into the HTTP Default: Port
header of the server reply to a client ensures that
subsequent requests from the client for the same
VIP are sent to the same real server. (This
assumes that all virtual ports of the VIP use the
same cookie persistence template with match-
type set to Server.)
• Service Group – Enables support for URL
switching or host switching along with cookie
persistence. Without this option, URL switch-
ing or host switching can be used only for the
initial request from the client. After the ini-
tial request, subsequent requests are always
sent to the same service group.
Note: To use URL switching or host switching,
you also must configure an HTTP template
with the Host Switching or URL Switching
option.
[no] match-type
{server | service-group}
Config > Service > Template > Persistent > Cookie
Persistence
Cookie name Specifies the name of the persistence cookie. String of 1-63 characters
The format of the cookie depends on the match Default: sto-id
type.
[no] name cookie-name
Config > Service > Template > Persistent > Cookie
Persistence
Ignore Ignores connection limit settings configured on real Enabled or Disabled
connection limits servers and real ports. This option is useful for Default: Disabled. By default, the con-
applications in which multiple sessions (connec- nection limit set on real servers and
tions) are likely to be used for the same persistent real ports is used.
cookie.
[no] dont-honor-conn-rules
Config > Service > Template > Persistent > Cookie
Persistence
P e r f o r m a n c e b y
D e s i g n 607 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
608 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 21 Destination-IP Persistence Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Hashing netmask Granularity of IP address hashing for initial server Valid IPv4 network mask
port selection. Default: 255.255.255.255
You can specify an IPv4 network mask in dotted
decimal notation.
• To configure initial server port selection to occur
once per destination VIP subnet, configure the
network mask to indicate the subnet length. For
example, to select a server port once for all
requested VIPs within a subnet such as
10.10.10.x, 192.168.1.x, and so on (“class C”
subnets), use mask 255.255.255.0. SLB selects a
server port for the first request to the given VIP
subnet, the sends all other requests for the same
VIP subnet to the same port.
• To configure initial server port selection to occur
independently for each requested VIP, use mask
255.255.255.255. (This is the default.)
[no] netmask ipaddr
Config > Service > Template > Persistent >
Destination IP Persistence
Persistence Number of minutes the mapping of a client source 1-1000 minutes
Timeout IP to a real server persists after the last time traffic Default: 5 minutes
from the client is sent to the server.
[no] timeout timeout-minutes
Config > Service > Template > Persistent >
Destination IP Persistence
Ignore Ignores connection limit settings configured on real Enabled or Disabled
connection limits servers and real ports. This option is useful for Default: Disabled. By default, the con-
applications in which multiple sessions (connec- nection limit set on real servers and
tions) are likely to be used for the same persistent real ports is used.
client source IP address.
[no] dont-honor-conn-rules
Config > Service > Template > Persistent >
Destination IP Persistence
P e r f o r m a n c e b y
D e s i g n 609 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
610 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 22 HTTP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Compression Offloads Web servers from CPU-intensive HTTP Any of the following:
compression operations.
• enable – Enables compression.
[no] compression {enable |
• content-type – Specifies the types
content-type content-string |
of content to compress, based on a
exclude-content-type content-
string in the content-type header of
string | exclude-uri uri-string the HTTP response. The content-
keep-accept-encoding enable |
string can be 1-64 characters long.
level number |
minimum-content-length number} • exclude-content-type – Specifies the
types of content to exclude from
Config > Service > Template > Application > HTTP
compression.
• exclude-uri – Specifies URI strings
(up to 31 characters) to exclude
from compression.
• keep-accept-encoding enable –
Leaves the Accept-Encoding header
in HTTP requests from clients
instead of removing the header.
• level – Specifies the compression
level, 1-9. Each level provides a
higher compression ratio, begin-
ning with level 1, which provides
the lowest compression ratio. A
higher compression ratio results in a
smaller file size after compression.
However, higher compression levels
also require more CPU processing
than lower compression levels, so
performance can be affected.
• minimum-content-length – Speci-
fies the minimum length (in bytes) a
server response can be in order to be
compressed. The length applies to
the content only and does not
include the headers. You can specify
0-2147483647 bytes.
P e r f o r m a n c e b yD e s i g n 611 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 22 HTTP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Compression Compression is disabled by default.
(cont.) When it is enabled, the compression
options have the following defaults:
• content-type – “text” and “applica-
tion” included by default
• exclude-content-type – not set
• exclude-content – not set
• keep-accept-encoding – disabled
• level – 1
• minimum-content-length – 120
bytes
Header insert / Inserts the specified header into an HTTP request or String of 1-256 characters
replace reply. Default: Not set
[no] request-header-insert
field:value [insert-always |
insert-if-not-exist]
[no] response-header-insert
field:value [insert-always |
insert-if-not-exist]
Config > Service > Template > Application > HTTP
Note: These options are not supported with the fast-
http service type. The AX device does not allow an
HTTP template with any of the header erase or
header insert options to be bound to a fast-http vir-
tual port. Likewise, the AX device does not allow
header options to be added to an HTTP template
that is already bound to a fast-http virtual port.
Header erase Erases the specified header from an HTTP request String of 1-256 characters
or reply. Default: Not set
[no] request-header-erase field
[no] response-header-erase field
Config > Service > Template > Application > HTTP
Note: These options are not supported with the fast-
http service type. The AX device does not allow an
HTTP template with any of the header erase or
header insert options to be bound to a fast-http vir-
tual port. Likewise, the AX device does not allow
header options to be added to an HTTP template
that is already bound to a fast-http virtual port.
612 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 22 HTTP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Host switching Selects a service group based on the value in the Each host string can be all or part of an
Host field of the HTTP header. The selection over- IP address or host name.
rides the service group configured on the virtual Default: Not set
port.
If the host-string does not match, the service group
configured on the virtual port is used.
Selection is performed using the following match
filters:
• starts-with host-string – matches only if the
hostname or IP address starts with host-string.
• contains host-string – matches if the host-string
appears anywhere within the hostname or host IP
address.
• ends-with host-string – matches only if the host-
name or IP address ends with host-string.
The match options are always applied in the order
listed above, regardless of the order in which they
appear in the configuration. The service group for
the first match is used.
If a host name matches on more than one match fil-
ter of the same type, the most specific match is used.
[no] host-switching
{starts-with |contains | ends-with}
host-string service-group service-
group-name
Config > Service > Template > Application > HTTP
Client IP insert Inserts the client’s source IP address into HTTP String of 1-256 characters
headers. Default: Not set
[no] insert-client-ip When you enable this option, the client
[http-fieldname] [replace] IP address is inserted into the
Config > Service > Template > Application > HTTP X-ClientIP field by default, without
replacing any client IP addresses
already in the field.
Redirect rewrite Modifies redirects sent by servers by rewriting the Strings of 1-256 characters
matching URL string to the specified value before Default: Not set
sending the redirects to clients.
[no] redirect-rewrite
match url-string
rewrite-to url-string
Config > Service > Template > Application > HTTP
P e r f o r m a n c e b y
D e s i g n 613 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 22 HTTP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Redirect rewrite Changes HTTP redirects sent by servers into Strings of 1-256 characters
secure HTTPS redirects before sending the redirects to cli- Default: Not set
ents.
[no] redirect-rewrite secure
{port tcp-portnum}
Config > Service > Template > Application > HTTP
Strict Forces the AX device to perform the server selec- Enabled or disabled
transaction tion process anew for every HTTP request. Without Default: Disabled
switching this option, the AX device reselects the same server
for subsequent requests (assuming the same server
group is used), unless overridden by other template
options.
[no] strict-transaction-switch
Config > Service > Template > Application > HTTP
URL switching Selects a service group based on the URL string Strings of 1-256 characters
requested by the client. The selection overrides the Default: Not set
service group configured on the virtual port.
[no] url-switching
{starts-with | contains |
ends-with} url-string
service-group service-group-name
If the URL-string does not match, the service group
configured on the virtual port is used.
Selection is performed using the following match
filters:
• starts-with url-string – matches only if the URL
starts with url-string.
• contains url-string – matches if the url-string
appears anywhere within the URL.
• ends-with url-string – matches only if the URL
ends with url-string.
The match options are always applied in the order
listed above, regardless of the order in which they
appear in the configuration. The service group for
the first match is used.
If a URL matches on more than one match filter of
the same type, the most specific match is used.
Config > Service > Template > Application > HTTP
• Note: You can configure a maximum of 16 URL
switching rules in a template. If you need to use
more, use aFleX policies.
614 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 22 HTTP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
URL hash Selects a service group based on the hash value of First or last
persistence the first or last bytes of the URL string. The bytes 4-128 bytes
(also called URL option specifies how many bytes to use to calculate Default: Not set
hash switching) the hash value.
Optionally, you can use URL hashing with either
URL switching or host switching. Without URL
switching or host switching configured, URL hash
switching uses the hash value to choose a server
within the default service group. If URL switching
or host switching is configured, for each HTTP
request, the AX device first selects a service group
based on the URL or host switching values, then
calculates the hash value and uses it to choose a
server within the selected service group.
[no] url-hash-persist
{first | last} bytes
Config > Service > Template > Application > HTTP
P e r f o r m a n c e b y
D e s i g n 615 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 23 Policy Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Action Specifies the action to take for clients in the black/ The following settings are config-
white list. urable:
[no] bw-list id id • List ID – ID of the black/white list.
{service service-group-name | • Group ID – Group ID in the black/
drop | reset} white list.
[logging [minutes] [fail]]
• Service-group name – Name of an
Config > Service > Template > Application > Policy SLB service group on the AX Series
device.
Note: If the option to use default selection if pre- • Action:
ferred server selection fails is enabled on the virtual • Drop – Drops new connections
port, log messages will never be generated for until the number of concurrent
server-selection failures. To ensure that messages connections on the virtual port
are generated to log server-selection failures, dis- falls below the port’s connection
able the option on the virtual port. This limitation limit. (The connection limit is set
does not affect failures that occur because a client is in the black/white list.)
over their PBSLB connection limit. These failures
• Reset – Resets new connections
are still logged.
until the number of concurrent
connections on the virtual port
falls below the connection limit.
• Logging – Enables logging. You can
specify the number of minutes
between log messages. This option
reduces overhead caused by fre-
quent recurring messages. You can
specify a logging interval from 0 to
60 minutes. To send a separate mes-
sage for each event, set the interval
to 0.
Defaults:
• List ID – None
• Group ID – None
• Action – Not set
• Logging – Disabled. If you enable
logging, the default for minutes is 3.
616 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
P e r f o r m a n c e b y
D e s i g n 617 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 24 Source-IP Persistence Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Hashing netmask Granularity of IP address hashing for server port Valid IPv4 network mask
selection. Default: 255.255.255.255
You can specify an IPv4 network mask in dotted
decimal notation.
• To configure server port selection to occur on a
per subnet basis, configure the network mask to
indicate the subnet length. For example, to send
all clients within a subnet such as 10.10.10.x,
192.168.1.x, and so on (“class C” subnets) to the
same server port, use mask 255.255.255.0. SLB
selects a server port for the first client in a given
subnet, the sends all other clients in the same sub-
net to the same port.
• To configure server port selection to occur on a
per client basis, use mask 255.255.255.255. SLB
selects a server port for the first request from a
given client, the sends all other requests from the
same client to the same port. (This is the default.)
[no] netmask ipaddr
Config > Service > Template > Persistent > Source
IP Persistence
Persistence Number of minutes the mapping of a client source 1-1000 minutes
Timeout IP to a real server persists after the last time traffic Default: 5 minutes
from the client is sent to the server.
[no] timeout timeout-minutes
Config > Service > Template > Persistent > Source
IP Persistence
Ignore Ignores connection limit settings configured on real Enabled or Disabled
connection limits servers and real ports. This option is useful for Default: Disabled. By default, the con-
applications in which multiple sessions (connec- nection limit set on real servers and
tions) are likely to be used for the same persistent real ports is used.
client source IP address.
[no] dont-honor-conn-rules
Config > Service > Template > Persistent > Source
IP Persistence
618 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
P e r f o r m a n c e b y
D e s i g n 619 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
620 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
P e r f o r m a n c e b y
D e s i g n 621 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 27 SMTP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
STARTTLS Disables support of certain SMTP commands. If a Any of the following: VRFY, EXPN,
command dis- client tries to issue a disabled SMTP command, the TURN
able AX sends the following message to the client: “502 Default: VRFY, EXPN, and TURN are
- Command not implemented” enabled
[no] command-disable [vrfy] [expn]
[turn]
Note: To disable all three commands, simply enter
the following: command-disable
Config > Service > Template > Application >
SMTP
Email server Email server domain. This is the domain for which String
domain the AX Series device provides SMTP load balanc- Default: “mail-server-domain”
ing.
[no] server-domain name
Config > Service > Template > Application >
SMTP
Service ready Text of the SMTP service-ready message sent to cli- String
message ents. The complete message sent to the client is con- Default: “ESMTP mail service ready”
structed as follows:
200 - smtp-domain service-ready-string
[no] service-ready-message string
Config > Service > Template > Application >
SMTP
STARTTLS Specifies whether use of STARTTLS by clients is One of the following:
requirement required. • Disabled – Clients cannot use
starttls STARTTLS. Use this option if you
{disable | optional | enforced} need to disable STARTTLS support
Config > Service > Template > Application > but you do not want to remove the
SMTP configuration.
• Optional – Clients can use START-
TLS but are not required to do so.
• Enforced – Before any mail transac-
tions are allowed, the client must
issue the STARTTLS command to
establish a secured session. If the
client does not issue the STARTTLS
command, the AX sends the follow-
ing message to the client: "530 -
Must issue a STARTTLS command
first”
Default: Disabled
622 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
P e r f o r m a n c e b y
D e s i g n 623 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 29 Streaming-media Template Parameters (Continued)
Parameter Description and Syntax Supported Values
URI switching Service group to which to send requests for a spe- Name of a configured service group
cific URI. Default: Requests are sent to the ser-
[no] uri-switching stream vice group that is bound to the virtual
uri-string port.
service-group group-name
Config > Service > Template > Application > RTSP
624 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
P e r f o r m a n c e b y
D e s i g n 625 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 31 TCP-Proxy Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Transmit buffer Number of bytes sent by the port that the AX Series 1-2147483647
size will buffer. Default: 16384 bytes
[no] transmit-buffer number
Config > Service > Template > TCP Proxy
Initial window Sets the initial TCP window size in SYN ACK 1-65535 bytes
size packets to clients. The TCP window size in a SYN Default: The AX device uses the TCP
ACK or ACK packet specifies the amount of data window size set by the client or server.
that a client can send before it needs to receive an
ACK.
[no] initial-window-size bytes
Config > Service > Template > TCP Proxy
626 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Template Parameters
TABLE 32 UDP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Aging Specifies how quickly sessions are terminated when One of the following:
the request is received. • Immediate – Sessions are termi-
aging {immediate | short [seconds]} nated as soon as a response is
Config > Service > Template > L4 > UDP received.
• Short – The AX device waits briefly
before terminating a UDP session.
Note: If you are configuring DNS load balancing,
A10 Networks recommends using the immediate • If you specify the number of sec-
option. onds, the AX device waits the
specified number of seconds after
a request is received and sent out
to the server, then terminates the
session. You can specify 1-32
seconds.
• If you do not specify the number
of seconds, sessions are termi-
nated after the SLB maximum
session life (MSL) time expires,
after a request is received and
sent out to the server. (See “Glo-
bal SLB Parameters” on
page 628.)
Default: Not set. The idle timeout
value in the template is used
instead.
Idle timeout Number of seconds a connection can remain idle 60-15000 seconds
before the AX Series terminates it. Default: 120 seconds
[no] idle-timeout number
Config > Service > Template > L4 > UDP
Server Configures the AX device to select another real Enabled or disabled
reselection server if the server that is bound to an active con- Default: Disabled
nection goes down. Without this option, another
server is not selected.
[no] re-select-if-server-down
Config > Service > Template > L4 > UDP
P e r f o r m a n c e b y
D e s i g n 627 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Global SLB Parameters
{disable | enable}
slb virtual-server [server-name]
[port port-num]
628 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Global SLB Parameters
TABLE 33 Global SLB Parameters (Continued)
Parameter Description and Syntax Supported Values
Hardware-based Enables system-wide protection against TCP SYN Disabled or Enabled
SYN cookies flood attacks. SYN cookies enable the AX device to On-Threshold – 0-2147483647 half-
continue to serve legitimate clients during a TCP open connections
SYN flood attack, without allowing illegitimate Off-Threshold – 0-2147483647 half-
traffic to consume system resources. open connections
• On-Threshold – Specifies the maximum number Default: Disabled
of concurrent half-open TCP connections
allowed on the AX device, before SYN cookies
are enabled. If the number of halfopen TCP con- Note: If you leave the On-Threshold
nections exceeds the on-threshold, the AX device and Off-Threshold fields blank, SYN
enables SYN cookies. You can specify 0- cookies are enabled and are always on
2147483647 half-open connections. regardless of the number of half-open
TCP connections present on the AX
• Off-Threshold - Specifies the minimum number device.
of concurrent half-open TCP connections for
which to keep SYN cookies enabled. If the num-
ber of half-open TCP connections falls below this
level, SYN cookies are disabled. You can specify
0-2147483647 halfopen connections.
[no] syn-cookie
[on-threshold num off-threshold
num]
Config > Service > SLB > Global > Settings
Note: This option is not supported on model
AX 2000 or AX 2100.
Use of IP pool Enables use of IP pool default gateways to forward Enabled or disabled
default gateways traffic from real servers. Default: Disabled
by real servers When this option is enabled, the AX device checks
the configured IP NAT pools for an IP address range
that includes the server IP address (the source
address of the traffic). If the address range in a pool
does include the server’s IP address, and a default
gateway is defined for the pool, the AX device for-
wards the server traffic through the pool’s default
gateway.
[no] slb snat-gwy-for-l3
Note: This parameter is not configurable using the
GUI.
P e r f o r m a n c e b y
D e s i g n 629 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Global SLB Parameters
TABLE 33 Global SLB Parameters (Continued)
Parameter Description and Syntax Supported Values
Source-IP based Protects the system from excessive connection Connection limit – 1-1000000.
connection rate requests from individual clients. Limit period – One of the following:
limiting slb conn-rate-limit src-ip • 100 milliseconds (one tenth of a
conn-limit second)
per {100 | 1000}
• 1000 milliseconds (one second)
[shared]
[exceed-action [log] Scope – One of the following:
[lock-out lockout-period]] • Shared – Connection limit applies
Note: The current release does not support configu- as an aggregate to all virtual ports.
ration of this feature using the GUI. • Not shared – Connection limit
For more information about this feature, see applies separately to each virtual
“Source-IP Based Connection Rate Limiting” on port. (This is the default behavior.
page 543. There is no “Not shared” option.)
Exceed actions – All connection
requests in excess of the connection
limit that are received from a client
within the limit period are dropped.
This action is enabled by default when
you enable the feature, and can not be
disabled. Optionally, you can enable
one or both of the following additional
exceed actions:
• Logging – Generates a log message
when a client exceeds the connec-
tion limit.
• Lockout – Locks out the client for a
specified number of seconds. Dur-
ing the lockout period, all connec-
tion requests from the client are
dropped. The lockout period can be
1-3600 seconds (1 hour). There is
no default.
630 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Global SLB Parameters
TABLE 33 Global SLB Parameters (Continued)
Parameter Description and Syntax Supported Values
Auto-port trans- Configures a range of protocol ports for auto-trans- Range number: 1-3
lation range lation. Auto-translation allows real server protocol Default: Protocol ports 0-1023
port numbers to differ from the protocol port num- assigned to each range
bers used on a virtual server bound to the real serv-
ers, in configurations that do not use source NAT.
You do not need to reconfigure an auto-port transla-
tion range unless the real or virtual port number is
non-standard (above 1023).
Note: If you configure a port range, the ports in the
range are reserved and can not be used by other fea-
tures (for example, NAT pools). To prevent deple-
tion of available ports, it is recommended to use a
narrow port range.
Note: To determine whether you need to change an
auto-port translation range for your configuration,
see “Auto-Port Translation” on page 675.
[no] slb auto-translate-port range
number
range-start port-num
range-end port-num
Config > Service > SLB > Global > Auto Transla-
tion
Hardware-based Enables hardware-based compression. Enabled or disabled
content When you enable hardware-based compression, all Default: Disabled
compression compression settings configured in HTTP tem-
plates, except the compression level, are used.
Hardware-based compression always uses the same
compression level, regardless of the compression
level configured in an HTTP template.
Hardware-based compression is available using an
optional hardware module in new AX devices, on
the following models: AX 2100, AX 2200, AX
3100, and AX 3200. If this option does not appear
on your AX device, the device does not contain a
compression module.
[no] slb hw-compression
Note: This parameter is not configurable using the
GUI.
Fast-path Enables fast-path processing, wherein the AX Enabled (slb fast-path-dis-
processing device does not perform a deep inspection of every able) or disabled (no slb fast-
field within a packet. path-disable)
[no] slb fast-path-disable
Note: This parameter is not configurable using the Default: Enabled. Deep inspection of
GUI. every packet field is enabled.
P e r f o r m a n c e b y
D e s i g n 631 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Real Server Parameters
632 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Real Server Parameters
TABLE 34 Real Server Parameters (Continued)
Configurable in
Supported Real Server
Parameter Description and Syntax Values Template?
Connection Maximum number of connections the server can 1-1000000 (one Yes, but as addi-
resume have before the AX device resumes use of the million) connec- tional parameter
server. Use does not resume until the number of tions with conn-limit
connections reaches the configured maximum or Default: Not set. command (CLI) or
less. The AX device is additional field
[no] conn-resume connections allowed to start under Connection
sending new con- Limit Status (GUI)
Config > Service > SLB > Server
nection requests to
the server as soon
as the number of
connections on the
server falls back
below the connec-
tion limit.
Service port TCP or UDP port number. Transport protocol: N/A
[no] port port-num {tcp | udp} TCP or UDP
Config > Service > SLB > Server - Port tab Port number:
0-65534
(For parameters you can set on the service port, see
“Real Service Port Parameters” on page 634.) Default: None con-
figured
Slow start Allows time for a server to ramp up after the server Enabled or dis- Yes
is enabled or comes online, by temporarily limiting abled Note: Template
the number of new connections on the server. Default: Disabled configuration of
[no] slow-start this feature pro-
Config > Service > SLB > Server - Port tab vides additional
options. See
“Slow-Start” on
page 294.
Weight Administrative weight of the server, used for 1-100 No
weighted load balancing (weighted-least-connection Default: 1
or weighted-round-robin).
[no] weight num
Config > Service > SLB > Server
External IP External IP address, used for reaching a server in a Valid IP address No
address private network from outside the network. Default: Not set
[no] external-ip ipaddr
Note: This parameter can not be configured using
the GUI.
P e r f o r m a n c e b y
D e s i g n 633 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Real Service Port Parameters
TABLE 34 Real Server Parameters (Continued)
Configurable in
Supported Real Server
Parameter Description and Syntax Values Template?
Spoofing Enables support for a spoofing cache server. A Enabled or disa- No
cache spoofing cache server uses the client’s IP address bled
instead of its own as the source address when Default: Disabled
obtaining content requested by the client.
This command applies to the Transparent Cache
Switching (TCS) feature. (see .)
[no] spoofing-cache
Note: This parameter can not be configured using
the GUI.
634 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Real Service Port Parameters
TABLE 35 Real Service Port Parameters (Continued)
Configurable in
Supported Real Port
Parameter Description and Syntax Values Template?
Health check Enables or disables health monitoring and species Enabled or disa- Yes
the monitor to use. bled
[no] health-check [monitor-name] Name of a config-
Config > Service > SLB > Server - Port tab ured health moni-
tor
Default: The AX
performs the
default TCP or
UDP check every
30 seconds. (See
“Default Health
Checks” on
page 297.)
Connection Number of concurrent connections allowed on the 1-1000000 (one Yes
limit service port. million) if config-
[no] conn-limit max-connections ured on the server
port; 1-1048575 if
Config > Service > SLB > Server - Port tab
configured in the
server port tem-
plate
Default: 1000000
if configured on
the server port;
1048575 if config-
ured in the server
port template
Connection Maximum number of connections the port can have 1-1000000 (one Yes, but as addi-
resume before the AX device resumes use of the port. Use million) connec- tional parameter
does not resume until the number of connections tions with conn-limit
reaches the configured maximum or less. Default: Not set. command (CLI) or
[no] conn-resume connections The AX device is additional field
allowed to start under Connection
Config > Service > SLB > Server - Port tab
sending new con- Limit Status (GUI)
nection requests to
the port as soon as
the number of con-
nections on the
port falls back
below the connec-
tion limit.
Weight Administrative weight of the service port, used for 1-100 Yes
weighted load balancing (service-weighted-least- Default: 1
connection).
[no] weight num
Config > Service > SLB > Server - Port tab
P e r f o r m a n c e b y
D e s i g n 635 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Group Parameters
TABLE 35 Real Service Port Parameters (Continued)
Configurable in
Supported Real Port
Parameter Description and Syntax Values Template?
No-SSL Disables SSL for server-side connections. This Enabled or No
option is useful if a server-SSL template is bound to disabled
the virtual port that uses this real port, and you want Default: Disabled
to disable encryption on this real port. (SSL is enabled)
Encryption is disabled by default, but it is enabled
for server-side connections when the real port is
used by a virtual port that is bound to a server-SSL
template.
[no] no-ssl
Config > Service > SLB > Server - Port tab
636 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Service Group Parameters
TABLE 36 Service Group Parameters (Continued)
Parameter Description and Syntax Supported Values
Load balancing Algorithm used to select a real server and service One of the following:
method port to fulfil a client’s request. • Fastest-response – Selects the server
[no] method lb-method with the fastest SYN-ACK response
Config > Service > SLB > Service Group time.
Note: The fastest-response algorithm takes effect • Least-connection – Selects the server
only if the traffic rate on the servers is at least 5 con- that currently has the fewest connec-
nections per second (per server). If the traffic rate is tions.
lower, the first server in the service group usually is • Service-least-connection – Selects
selected. the server port that currently has the
lowest number of total request bytes
and total response bytes, added
together. If there is a tie (two or
more server ports have the lowest
number of total request and
response bytes, combined), SLB
randomly selects a server port.
• Weighted-least-connection – Selects
a server based on a combination of
the server’s administratively
assigned weight and the number of
connections on the server.
• Service-weighted-least-connection
– Same as weighted-least-connec-
tion, but per service.
• Weighted-round-robin – Selects
servers in rotation, biased by the
servers’ administratively assigned
weights.
If the weight value is the same on
each server, this load-balancing
method simply selects the servers in
rotation.
Default: Round robin (simple rotation
without weighting)
Health monitor Assigns a health monitor to all members in the ser- The default health monitor (IP ping) or
vice group. the name of a configured health moni-
This option is useful in cases where the same server tor
provides content for multiple, independent sites. Default: Not set
When you use this feature, if a site is unavailable
(for example, is taken down for maintenance), the
server will fail the health check for that site, and cli-
ents will not be sent to the site. However, other sites
on the same server will pass their health checks, and
clients of those sites will be sent to the server.
[no] health-check monitor-name
Config > Service > SLB > Service Group
P e r f o r m a n c e b y
D e s i g n 637 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Virtual Server Parameters
TABLE 36 Service Group Parameters (Continued)
Parameter Description and Syntax Supported Values
Minimum active Uses backup servers even if some primary servers 1-63
members are up. To configure this parameter, specify the Default: Not set. Backup servers are
number of primary servers that can still be active used only if all primary servers are
before the backup servers are used. unavailable.
The skip-pri-set option specifies whether the When you configure this parameter,
remaining primary servers continue to be used. If the skip-pri-set option is disabled by
you use this option, the AX device uses only the default, for all load-balancing methods
backup servers and stops using any of the primary except round-robin. For round-robin
servers. (the default), skip-pri-set is always
[no] min-active-member num enabled and can not be disabled.
[skip-pri-set]
Config > Service > SLB > Service Group
638 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Virtual Server Parameters
TABLE 37 Virtual Server Parameters (Continued)
Configurable in
Supported Virtual Server
Parameter Description and Syntax Values Template?
Virtual server Configuration template of virtual server parameters. Name of a config- N/A
template [no] slb template virtual-server ured virtual server
template-name template
Config > Service > SLB > Template > Virtual Default: “Default”
Server virtual server tem-
plate
Virtual ser- Service port number and service type. Port number: N/A
vice port num- [no] port port-num service-type 0-65535
ber and service Service type:
Config > Service > SLB > Virtual Server - Port tab
type
Service type can be one of the following: • fast-http
• fast-http – Streamlined Hypertext Transfer Proto- • ftp
col (HTTP) service • http
• ftp – File Transfer Protocol • https
• http – HTTP • mms
• https – Secure HTTP (SSL) • rtsp
• mms – Multimedia Messaging Service • sip
• rtsp – Real Time Streaming Protocol • smtp
• sip – Session Initiation Protocol • ssl-proxy
• smtp – Simple Mail Transfer Protocol • tcp
• ssl-proxy – SSL proxy service • udp
• tcp – Transmission Control Protocol • others
• udp – User Datagram Protocol Default: None con-
• others – Wildcard port used for IP protocol figured
load balancing. (For more information, see
“IP Protocol Load Balancing” on page 221.)
(For parameters you can set on the service port, see
“Virtual Service Port Parameters” on page 640.)
ARP disable Disables or re-enables ARP replies from a virtual Enabled or dis- No
server. abled
[no] arp-disable Default: Disabled;
Config > Service > SLB > Virtual Server ARP replies are
enabled.
HA group ID HA group ID to use for session backup. 1-31 No
[no] ha-group group-id Default: Not set
Config > Service > SLB > Virtual Server
P e r f o r m a n c e b y
D e s i g n 639 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Virtual Service Port Parameters
TABLE 37 Virtual Server Parameters (Continued)
Configurable in
Supported Virtual Server
Parameter Description and Syntax Values Template?
VIP-based Enables dynamic failover based on server weight. 1-255 No
High Avail- The configured amount is subtracted from the HA Default: Not set
ability (HA) group’s priority value for each real server that goes
failover down.
[no] ha-dynamic server-weight
Config > Service > SLB > Virtual Server
640 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Virtual Service Port Parameters
TABLE 38 Virtual Service Port Parameters (Continued)
Configurable in
Supported Virtual Port
Parameter Description and Syntax Values Template?
Virtual State of the virtual service port. Enabled or disa- No
service port [no] {disable | enable} bled
state Default: Enabled
Config > Service > SLB > Virtual Server - Virtual
Server Port tab
Virtual port Configuration template of virtual port parameters. Name of a config- N/A
template [no] slb template virtual-port tem- ured virtual port
plate-name template
Config > Service > SLB > Template > Default: “Default”
Virtual Server Port virtual port tem-
plate
Service group Service group bound to the virtual service port. The Name of a config- No
AX device uses real servers and ports in the service ured service group
group to fulfill requests for the virtual service port. Default: Not set
[no] service-group group-name
Config > Service > SLB > Virtual Server - Virtual
Server Port tab
Template Connection or application template to use for ser- Template type: N/A
vice port parameters. One of the types
[no] template template-type described in “Ser-
template-name vice Template
Parameters” on
Config > Service > SLB > Virtual Server - Virtual
page 599.
Server Port tab
Template name:
Name of a config-
ured template.
Default: Depends
on whether the
template type has a
default and
whether the ser-
vice type uses that
template type. (See
“Service Template
Parameters” on
page 599.)
P e r f o r m a n c e b y
D e s i g n 641 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Virtual Service Port Parameters
TABLE 38 Virtual Service Port Parameters (Continued)
Configurable in
Supported Virtual Port
Parameter Description and Syntax Values Template?
Access ID of an ACL. Valid standard or No
Control List If you do not also specify a NAT pool name, the extended ACL ID
(ACL) ACL is used to deny or permit inbound traffic on the Default: None
service port.
If you do specify a NAT pool name, the ACL does
not permit or deny traffic. Instead, it binds the
source addresses in the ACL to the NAT pool. The
NAT pool is used only for the client addresses in the
ACL.
[no] access-list acl-num
[source-nat-pool pool-name]
Config > Service > SLB > Virtual Server - Virtual
Server Port tab
aFleX policy aFleX policy to use for custom SLB processing. Name of a config- No
[no] aflex aflex-name ured aFleX policy.
Config > Service > SLB > Virtual Server - Virtual Default: None
Server Port tab
Connection Number of concurrent connections allowed on the 0-8000000 (8 mil- Yes, but the range
limit virtual service port. lion) is 1-1048575
[no] conn-limit number 0 means no limit.
Config > Service > SLB > Virtual Server - Virtual Default: Not set
Server Port tab
Session syn- Backs up session information on the Standby AX Enabled or dis- No
chronization device in an HA configuration. When this option is abled
(connection enabled, sessions remain up even following a Default: Disabled
mirroring) failover.
[no] ha-conn-mirror
Config > Service > SLB > Virtual Server - Virtual
Server Port tab
Direct Server Disables destination NAT, so that server responses Enabled or dis- No
Return (DSR) go directly to clients. abled
[no] no-dest-nat Disabled: Destina-
Config > Service > SLB > Virtual Server - Virtual tion NAT is
Server Port tab enabled.
642 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Virtual Service Port Parameters
TABLE 38 Virtual Service Port Parameters (Continued)
Configurable in
Supported Virtual Port
Parameter Description and Syntax Values Template?
Policy-based Uses a black/white list to allow or deny clients who Name of a config- No
SLB (PBSLB) request the service port, select service groups for ured black/white
allowed clients, and drop or reset connections if the list. The list must
connection limit is reached. be imported onto
[no] pbslb bw-list name the AX device.
[no] pbslb id id Default: Not set
{service service-group-name |
drop | reset}
[logging [minutes [fail]]]
[no] pbslb over-limit {drop |
reset}
Note: In the GUI, PBSLB can only be configured
and applied using PBSLB policy templates.
Note: If the option to use default selection if pre-
ferred server selection fails is enabled on the virtual
port, log messages will never be generated for
server-selection failures. To ensure that messages
are generated to log server-selection failures, dis-
able the option on the virtual port. This limitation
does not affect failures that occur because a client is
over their PBSLB connection limit. These failures
are still logged.
(For information about PBSLB, see “Policy-Based
SLB (PBSLB)” on page 563.)
Source NAT Name of a pool of IP addresses to use for Network Name of a config- No
Address Translation (NAT). ured source NAT
[no] source-nat pool pool-name pool.
Config > Service > SLB > Virtual Server - Virtual Default: Not set
Server Port tab
Note: This option is not applicable to the mms or
rtsp service types.
Software- Protects against TCP SYN floods. Enabled or dis- No
based protec- [no] syn-cookie [sack] abled
tion against Default: Disabled
TCP SYN Config > Service > SLB > Virtual Server - Virtual
flood attacks Server Port tab
Note: If hardware-based SYN cookies are sup-
ported on the AX model you are configuring, use
that version of the feature instead. (See “SYN
Cookies” on page 535.)
P e r f o r m a n c e b y
D e s i g n 643 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Virtual Service Port Parameters
TABLE 38 Virtual Service Port Parameters (Continued)
Configurable in
Supported Virtual Port
Parameter Description and Syntax Values Template?
Use receive Sends replies to clients back through the last hop on Enabled or dis- No
hop for which the request for the virtual port's service was abled
responses received. Default: Disabled
[no] use-rcv-hop-for-resp
Config > Service > SLB > Virtual Server - Virtual
Server Port tab
644 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Virtual Service Port Parameters
TABLE 38 Virtual Service Port Parameters (Continued)
Configurable in
Supported Virtual Port
Parameter Description and Syntax Values Template?
Default selec- Continues checking for an available server in other Enabled or disa- No
tion if pre- service groups if all of the servers are down in the bled
ferred server first service group selected by SLB. Default: Enabled
selection fails During SLB selection of the preferred server to use
for a client request, SLB checks the following con-
figuration areas, in the order listed:
P e r f o r m a n c e b y
D e s i g n 645 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Virtual Service Port Parameters
TABLE 38 Virtual Service Port Parameters (Continued)
Configurable in
Supported Virtual Port
Parameter Description and Syntax Values Template?
GSLB enable Enables a DNS port to function as a proxy for Glo- Enabled or dis- No
(DNS proxy bal Server Load Balancing (GSLB) for this virtual abled
ports only) port. Default: Disabled
[no] gslb-enable
Config > Service > SLB > Virtual Server - Virtual
Server Port tab
Note: This option applies only to DNS ports and
only for a virtual service port on a virtual server that
will be used as a DNS proxy on the GSLB AX
device.
646 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This chapter describes how to install SSL keys, certificates, and Certificate
Revocation Lists (CRLs) on the AX device. Installing these SSL resources
on the AX device enables the AX device to provide SSL services on behalf
of real servers.
You can use the AX device to offload SSL processing from servers or, for
some types of traffic, you can use the AX device as an SSL proxy. (For
more information about SSL offload and SSL proxy, see “SSL Offload and
SSL Proxy” on page 177.)
Overview
Some types of client-server traffic need to be encrypted for security. For
example, traffic for online shopping must be encrypted to secure sensitive
account information from being stolen.
Commonly, clients and servers use Secure Sockets Layer (SSL) or Trans-
port Layer Security (TLS) to secure traffic. For example, a client that is
using a shopping application on a server will encrypt data before sending it
to the server. The server will decrypt the client’s data, then send an
encrypted reply to the client. The client will decrypt the server reply, and so
on.
Note: SSL is an older version of TLS. The AX device supports SSL version 3.0
and TLS version 1.0. The AX device also supports RFC 3268: “AES
Ciphersuites for TLS”. For simplicity, elsewhere this document and other
AX user documents use the term “SSL” to mean both SSL and TLS.
Note: The AX device supports Privacy Enhanced Mail (PEM) format for certif-
icate files and CRLs. AX SSL processing supports PEM format and RSA
encryption.
SSL Process
SSL works using certificates and keys. Typically, a client will begin a secure
session by sending an HTTPS request to a VIP. The request begins an SSL
handshake. The AX device will respond with a digital certificate. From the
client’s perspective, this certificate comes from the server. Once the SSL
handshake is complete, the client begins an encrypted client-server session
with the AX device.
P e r f o r m a n c e b yD e s i g n 647 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Figure 161 shows a simplified example of an SSL handshake. In this exam-
ple, the AX device is acting as an SSL proxy for backend servers.
To begin, the client sends an HTTPS request. The request includes some
encryption details such as the cipher suites supported by the client.
The server (in this case, the AX device, on behalf of the server), checks for
a client-SSL template bound to the VIP. If a client-SSL template is bound to
the VIP, the AX device sends all the digital certificates and certificate chains
contained in the template to the client. Each digital certificate includes a
public key and various other identifying information.
648 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
The client checks its certificate store (sometimes called the certificate list)
for a copy of the server certificate. If the client does not have a copy of the
server certificate, the client will check for a certificate from the Certificate
Authority (CA) that signed the server certificate.
If the CA that signed the certificate is a root CA, the client should have a
copy of the root CA’s certificate. If the CA that signed the server certificate
is not a root CA, the client should have another certificate or a certificate
chain, which is a nested set of certificates, that includes the CA that signed
the CA’s certificate.
If the client can not validate the server certificate or the certificate is out of
date, the client’s browser may display a certificate warning. Figure 162
shows an example of a certificate warning displayed by Internet Explorer.
P e r f o r m a n c e b yD e s i g n 649 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
SSL Templates
You can install more than one key-certificate pair on the AX device. The
AX device selects the certificate(s) to send a client or server based on the
SSL template bound to the VIP. You can bind the following types of SSL
templates to VIPs:
• Client-SSL template – Contains keys and certificates for SSL-encrypted
traffic between clients and the AX device.
• Server-SSL template – Contains CA certificates for SSL-encrypted traf-
fic between servers and the AX device.
650 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Client-SSL Template Options
Use client-SSL templates for deployments in which traffic between clients
and the AX device will be SSL-encrypted. Client-SSL templates have the
following options.
For the deployment example in Figure 161 on page 648, only the first
option (Certificate) needs to be configured.
• Certificate – Specifies a server certificate that the AX device will send
to a client, so that the client can validate the server’s identity. The certif-
icate can be generated on the AX device (self-signed) or can be signed
by another entity and imported onto the AX device.
• Key – Specifies a public key for a server certificate. If the CSR used to
request the server certificate is generated on the AX device, the key is
automatically generated. Otherwise, the key must be imported.
• Certificate chain – Specifies a named set of server certificates. You can
add server certificates to the AX device individually, in certificate
chains, or using a combination of individual certificates and certificate
chains. The AX device always sends all individual server certificates
and certificate chains in the template to each client.
• CA certificate – Specifies a CA certificate that the AX device can use to
validate the identity of a client. A CA certificate is needed only if the
AX device will be required to validate the identities of clients. If CA
certificates are required for this purpose, they must be imported onto the
AX device. The AX device is not configured at the factory to contain a
certificate store.
• Certificate Revocation List (CRL) – Specifies a list of client certificates
that have been revoked by the CAs that signed them. This option is
applicable only if the AX device will be required to validate the identi-
ties of clients.
• Connection-request response – Specifies the AX response to connection
requests from clients. This option is applicable only if the AX device
will be required to validate the identities of clients. The response can be
one of the following:
• ignore (default) – The AX device does not request the client to send
its certificate.
• request – The AX device requests the client to send its certificate.
With this action, the SSL handshake proceeds even if either of the
following occurs:
• The client sends a NULL certificate (one with zero length).
• The certificate is invalid, causing client verification to fail.
Use this option if you want to the request to trigger an aFleX policy
for further processing.
P e r f o r m a n c e b yD e s i g n 651 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
• require – The AX device requires the client certificate. This action
requests the client to send its certificate. However, the SSL hand-
shake does not proceed (it fails) if the client sends a NULL certifi-
cate or the certificate is invalid.
• Cipher list – Specifies the cipher suites supported by the AX device.
When the client sends its connection request, it also sends a list of the
cipher suites it can support. The AX device selects the strongest cipher
suite supported by the client that is also enabled in the template, and
uses that cipher suite for traffic with the client. By default, all the fol-
lowing are enabled:
• SSL3_RSA_DES_192_CBC3_SHA
• SSL3_RSA_DES_40_CBC_SHA
• SSL3_RSA_DES_64_CBC_SHA
• SSL3_RSA_RC4_128_MD5
• SSL3_RSA_RC4_128_SHA
• SSL3_RSA_RC4_40_MD5
• TLS1_RSA_AES_128_SHA
• TLS1_RSA_AES_256_SHA
• TLS1_RSA_EXPORT1024_RC4_56_MD5
• TLS1_RSA_EXPORT1024_RC4_56_SHA
• Session cache size – Specifies the maximum number of cached sessions for
SSL session ID reuse.
652 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
This section gives an overview of the process for each type of certificate.
Detailed procedures are provided later in this chapter.
4. After receiving the signed certificate and the CA’s public key from the
CA, import them onto the AX device.
• If the key and certificate are provided by the CA in separate files
(PKCS #7 format), import the certificate. You do not need to import
the key if the CSR was created on the AX device. In this case, the
P e r f o r m a n c e b yD e s i g n 653 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
key is already on the AX device. If the certificate is not in PEM for-
mat, convert it into PEM format.
If the CSR was not created on the AX device, you do need to import
the key also.
• If the key and certificate are provided by the CA in a single file
(PKCS #12 format), convert them into separate files in PEM format,
then import the certificate. If the CSR was not created on the AX
device, you need to import the key also.
See “Converting SSL Certificates to PEM Format” on page 666.
Figure 163 shows the most common way to obtain and install a CA-signed
certificate onto the AX device.
654 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Generating a Key and CSR for a CA-Signed Certificate
Installing a Self-Signed Certificate
3. Click Create.
6. Enter the rest of the certificate information in the remaining fields of the
Certificate section.
7. Enter a passphrase.
8. From the Key drop-down list, select the length (bits) for the key.
9. Click OK. The AX device generates the certificate key and the certifi-
cate signing request (CSR), and displays the CSR. The CSR is displayed
in the Request Text field.
Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in Internet Explorer, hold the Ctrl
key while clicking Download.
b. Click Save.
P e r f o r m a n c e b yD e s i g n 655 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Generating a Key and CSR for a CA-Signed Certificate
c. Navigate to the save location.
d. Click Save again.
Note: If you prefer to copy-and-paste the CSR, make sure to include everything,
including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END
CERTIFICATE REQUEST-----”.
11. When you receive the certificate from the CA, import it onto the AX
device. (See “Importing a Certificate and Key” on page 658.)
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file
656 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Generating a Key and CSR for a CA-Signed Certificate
• Locality, 0-31 characters
• Country, 2 characters
After the CSR is generated, send the CSR to the CA. After you receive the
signed certificate from the CA, use the import command to import the CA
onto the AX device. The key does not need to be imported. The key is gen-
erated along with the CSR.
The following commands generate and export a CSR, then import the
signed certificate.
AX(config)#slb ssl-create csr slbcsr1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?slbcsr1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcsr1
input Division, 0~31:div1
input Organization, 0~63:org2
input Locality, 0~31:westcoast
input State or Province, 0~31:ca
input Country, 2 characters:us
input email address, 0~64:axadmin@example.com
input Pass Phrase, 0~31:csrpword
Confirm Pass Phrase:csrpword
AX(config)#import ca-signedcert1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?ca-signedcert1
P e r f o r m a n c e b yD e s i g n 657 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Importing a Certificate and Key
Note: If you are importing a CA-signed certificate for which you used the AX
device to generate the CSR, you do not need to import the key. The key is
automatically generated on the AX device when you generate the CSR.
658 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Generating a Self-Signed Certificate
USING THE CLI
To import a certificate and its key, use the following command at the global
Config level of the CLI:
[no] slb ssl-load
{certificate cert-name | private-key-string} url
The url specifies the file transfer protocol, username (if required), directory
path, and filename.
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password. To enter the
entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file
Alternatively, you can use the following commands at the Privileged EXEC
or global Config level of the CLI:
import ssl-cert file-name url
import ssl-key file-name url
3. Click Create.
P e r f o r m a n c e b yD e s i g n 659 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Generating a Self-Signed Certificate
6. Enter the rest of the certificate information in the remaining fields of the
Certificate section.
7. From the Key drop-down list, select the length (bits) for the key.
8. Click OK. The AX device generates the self-signed certificate and its
key. The new certificate and key appear in the certificate list. The certif-
icate is ready to be used in client-SSL and server-SSL templates.
• Country, 2 characters
The key length, common name, and number of days the certificate is valid
are required. The other information is optional. The default key length is
1024 bits. The default number of days the certificate is valid is 730.
The following commands create a self-signed certificate named “slbcert1”
and verify the configuration:
AX(config)#slb ssl-create certificate slbcert1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcert1
input Division, 0~31:Div1
input Organization, 0~63:Org2
input Locality, 0~31:WestCoast
input State or Province, 0~31:CA
660 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Importing a CRL
input Country, 2 characters:US
input email address, 0~64:axadmin@example.com
input valid days, 30~3650, default 730:<Enter>
AX(config)#show slb ssl cert
name: slbcert1
type: certificate/key
Common Name: slbcert1
Organization: Org2
Expiration: Apr 10 00:34:34 2010 GMT
Issuer: Self
key size: 1024
Importing a CRL
To import a CRL, place it on the PC that is running the GUI or CLI session,
or onto a PC or file server that can be locally reached over the network.
3. Click Import.
5. Click Open. The path and filename appear in the Source field.
6. Click OK.
To import a CRL, use the following command at the global Config level of
the CLI:
[no] slb ssl-load certificate crl-name url
The url specifies the file transfer protocol, username (if required), directory
path, and filename.
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password. To enter the
entire URL:
P e r f o r m a n c e b yD e s i g n 661 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Exporting Certificates, Keys, and CRLs
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file
3. To export a certificate:
a. Select the certificate. (Click the checkbox next to the certificate
name.)
b. Click Export.
Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in Internet Explorer, hold the Ctrl
key while clicking Export.
c. Click Save.
d. Navigate to the save location.
e. Click Save again.
4. To export a key:
a. Select the key.
b. Click Export.
c. Click Save.
d. Navigate to the save location.
e. Click Save again.
662 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Exporting Certificates, Keys, and CRLs
USING THE CLI
To export a certificate and its key, use the following commands at the Privi-
leged EXEC or global Config level of the CLI:
export ssl-cert file-name url
export ssl-key file-name url
The url specifies the file transfer protocol, username (if required), directory
path, and filename.
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password. To enter the
entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file
Exporting a CRL
3. Select the CRL. (Click the checkbox next to the CRL name.)
4. Click Export.
Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in IE, hold the Ctrl key while click-
ing Export.
5. Click Save.
P e r f o r m a n c e b yD e s i g n 663 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Creating a Client-SSL or Server-SSL Template and Binding it to a VIP
7. Click Save again.
3. Click Add.
Use one of the following commands at the global configuration level of the
CLI:
[no] slb template client-ssl template-name
[no] slb template server-ssl template-name
The command creates the template and changes the CLI to the configuration
level for it. Use the commands at the template configuration level to config-
664 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Converting Certificates and CRLs to PEM Format
ure template parameters. (For information, see “SSL Templates” on
page 650 or the AX Series CLI Reference.)
3. Click on the virtual server name or click Add to create a new one.
5. In the Port section, select a port and click Edit, or click Add to add a new
port. The Virtual Server Port page appears.
7. Click OK.
8. Click OK again.
Use the same command on each port for which SSL will be used.
If a certificate or CRL you plan to import onto the AX device is not in PEM
format, it must be converted to PEM format first, before you import it onto
the AX device.
P e r f o r m a n c e b yD e s i g n 665 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Converting Certificates and CRLs to PEM Format
3. Expand the Certificate folders and navigate to the certificate you want to
convert.
666 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Converting Certificates and CRLs to PEM Format
Steps to perform on the Unix/Linux workstation:
5. Copy the PFX-format file that was created by the Export wizard to a
UNIX machine.
7. Use the vi editor to divide the PKCS12 file into two files, one for the
certificate (.crt) and the other for the private key.
8. To remove the passphrase from the key, use the following command:
$ openssl rsa -in encrypted.key -out unencrypted.key
openssl crl -in filename.der –inform der -outform pem -out file-
name.pem
P e r f o r m a n c e b yD e s i g n 667 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Converting Certificates and CRLs to PEM Format
668 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Route Tables
By default, the AX device attempts to use a route from the main route table
for management connections originated on the AX device. You can enable
the AX device to use the management route table to initiate management
connections instead.
This chapter describes the AX device’s two route tables, for data and man-
agement traffic, and how to configure the device to use the management
route table.
Route Tables
The AX device uses separate route tables for management traffic and data
traffic.
• Management route table – Contains all static routes whose next hops are
connected to the management interface. The management route table
also contains the route to the device configured as the management
default gateway.
• Main route table – Contains all routes whose next hop is connected to a
data interface. These routes are sometimes referred to as data plane
routes. Entries in this table are used for load balancing and for Layer 3
forwarding on data ports.
This route table also contains copies of all static routes in the manage-
ment route table, excluding the management default gateway route.
You can configure the AX device to use the management interface as the
source interface for automated management traffic. In addition, on a case-
by-case basis, you can enable use of the management interface and manage-
ment route table for various types of management connections to remote
devices:
The AX device automatically will use the management route table for reply
traffic on connections initiated by a remote host that reaches the AX device
on the management port. For example, this occurs for SSH or HTTP con-
nections from remote hosts to the AX device.
Note: In AX Release 1.2.4 and earlier, all static routes are stored in the main
route table, even if the next hop is connected to the management interface.
The management route table contains only the route to the subnet directly
P e r f o r m a n c e b yD e s i g n 669 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Management Routing Options
connected to the management interface, and the IP default gateway con-
figured on the management interface. When you upgrade to an AX release
later than 1.2.4, static routes whose next hop is the management interface
are duplicated in the management route table.
• SNMPD
• NTP
• RADIUS
• TACACS+
• SMTP
For example, when use of the management interface as the source interface
for control traffic is enabled, all log messages sent to remote log servers are
sent through the management interface. Likewise, the management route
table is used to find a route to the log server. The AX device does not
attempt to use any routes from the main route table to reach the server, even
if a route in the main route table could be used.
670 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Management Routing Options
• Upgrade of the AX software
• Backups
Caution: If you enable this feature, then downgrade to AX Release 1.2.4 or ear-
lier, it is possible to lose access to the AX device after you downgrade.
This can occur if you configure an external AAA server (TACACS+
server) to authorize CLI commands entered on the AX device, and
the TACACS+ server is connected to the AX device through the man-
agement default gateway.
If this is the case, before you downgrade, remove the TACACS+ con-
figuration from the AX device. After you downgrade, you can re-add
the configuration, but make sure the TACACS+ server can be
reached using a route other than through the management default
gateway.
To enable it, use the following command at the configuration level for the
management interface:
[no] ip control-apps-use-mgmt-port
Here is an example:
AX(config-if:management)#ip control-apps-use-mgmt-port
P e r f o r m a n c e b yD e s i g n 671 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Management Routing Options
672 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Management Routing Options
Show Commands
show techsupport [[use-mgmt-port] export url]
[page]
P e r f o r m a n c e b yD e s i g n 673 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Management Routing Options
674 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Overview
Auto-Port Translation
Overview
The AX device allows you to use different port numbers for a real server
port and its corresponding virtual server port. The AX auto-port translation
feature can automatically translate the port numbers internally. Figure 164
shows an example.
P e r f o r m a n c e b yD e s i g n 675 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring an Auto-Port Translation Range
For standard port numbers (port numbers 0-1023), no additional configura-
tion is required for auto-port translation. For example, if the VIP service
port number is 80 and the real port number is 542, no additional configura-
tion is required.
However, if either or both the real service port number and virtual port num-
ber are non-standard (above 1023), some additional configuration is
required. In this case, you can use either of the following methods to config-
ure support for the translation to a non-standard port number:
• Configure one of the AX device’s auto-port translation ranges to contain
the non-standard port. (This is the more simple option.)
• Configure source Network Address Translation (NAT).
Note: You cannot use auto-port translation as an alternative to source NAT for
connection reuse. Connection reuse requires source NAT. (See See “SLB
Source NAT” on page 484..)
To resolve potential issues with differing real port numbers for the same ser-
vice in the same service group, edit one of the auto-translation ranges to
include the real or virtual port number that is above 1023. It does not matter
which of the ranges you reconfigure.
Note: If you configure a port range, the ports in the range are reserved and can
not be used by other features (for example, NAT pools). To prevent deple-
tion of available ports, it is recommended to use a narrow port range.
3. Click on one of the range names. The Auto Translation tab appears.
Note: If a range has already been configured for use by non-standard port num-
bers, do not reconfigure this range. Instead, select an unconfigured range.
676 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring an Auto-Port Translation Range
4. Edit the port numbers in the Start Port and End Port fields, based on the
guidelines described above.
5. Click OK.
Use the following command at the global configuration level of the CLI:
Specify the protocol port numbers for the range, based on the guidelines
described above.
P e r f o r m a n c e b yD e s i g n 677 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Configuring an Auto-Port Translation Range
678 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
OSPF Parameters
Routing Parameters
This chapter lists the parameters you can configure for the following IP
routing protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
Note: RIP and OSPF are supported only on AX devices that are deployed in
route mode. If your device is deployed in transparent mode, these param-
eters do not apply.
Note: For more syntax information, see the AX Series CLI Reference.
OSPF Parameters
The tables in this section list the configurable OSPF parameters.
The AX device can run two separate instances of OSPF. When you config-
ure two instances of OSPF on an AX device, the instances run completely
independently, as two logically separate OSPF routers. The AX device does
not internally share information between the OSPF instances. For example,
if redistribution of RIP routes is enabled for only one OSPF instance, the
AX device does not redistribute RIP routes into the other OSPF instance.
Note: For OSPFv2 commands and options, see the “Config Commands: Router
– OSPF” chapter in the AX Series CLI Reference.
Note: The AX device does not support multiple OSPF networks on a data inter-
face. One OSPF network configuration can enable at most one network
per interface.
For example, assume a data port has 3 IP addresses configured that belong
to 3 separate subnets, S1, S2, and S3. If you configure network S4 with
area A.B.C.D, and S4 contains S1, S2, and S3, then only S1 will be run-
ning OSPF. S2 and S3 will not be known to other OSPF routers.
To work around this limitation, enable OSPF redistribution of directly
connected routes so that OSPF will redistribute S2 and S3 via the network
running on S1.
P e r f o r m a n c e b yD e s i g n 679 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
OSPF Parameters
Note: At least one IP interface must be configured on the AX device, per OSPF
instance, in order to enable OSPF for the first time, and the IP interfaces
must be in separate subnets. When you enable an OSPF instance for the
first time, the AX device will assign a configured IP interface to be the
router ID for that instance. If no IP interfaces are configured, or the only
available interface is already assigned to the other OSPF instance, the
device displays an error message and does not enable the OSPF instance.
After an instance of OSPF is enabled, you can use the router-id command
at the configuration level for the instance to change that instance's router
ID.
680 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
OSPF Parameters
P e r f o r m a n c e b y
D e s i g n 681 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
OSPF Parameters
TABLE 39 Configurable OSPF Parameters – Global (Continued)
Parameter Description and Syntax Supported Values
Router ID Value used by the AX Series to identify itself when A valid IP address.
exchanging route information with other OSPF The address does not need to match an
routers. address configured on the AX device;
The AX Series has only one router ID. The default however, the address must be unique
router ID is the highest-numbered IP address con- within the routing domain.
figured on any of the AX Series Ethernet interfaces. New or changed router IDs require a
[no] router-id ipaddress restart of the OSPF process. To restart
Config > Network > Route > OSPF > Route > the OSPF process, use the following
General CLI command:
clear ip ospf process
Link State LSA status, which controls whether the interface Valid port or VE number.
Advertisements advertises link-state information to OSPF neigh- Default: LSAs are enabled. (No inter-
(LSAs) bors. faces are passive.)
[no] passive-interface {ethernet
port-num | ve vlan-id}
Config > Network > Route > OSPF > Route >
Passive Interface
682 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
OSPF Parameters
P e r f o r m a n c e b y
D e s i g n 683 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
OSPF Parameters
TABLE 40 Configurable OSPF Parameters – Interface (Continued)
Parameter Description Supported Values
Authentication Type of authentication used to validate OSPF route updates One of the following:
sent or received on this interface. • MD – Message Digest 5
[no] ip ospf authentication (MD5)
[message-digest | null] • Null – Authentication is
Config > Network > Route > OSPF > Interface disabled.
Default: Simple key (unless
you use the MD5 or null
option)
Authentication Password used by the interface to authenticate link-state mes- Any string of characters that
String sages exchanged with neighbor OSPF routers. can be entered from the key-
The same authentication string value must be configured on board, up to 8 characters
the neighbor. Otherwise, the interface refuses (drops) the long.
messages. The string cannot contain
This value applies only to simple authentication, not to MD5 blanks.
or null authentication.
[no] ip ospf authentication-key
key-string
Config > Network > Route > OSPF > Interface
Note: For the message-digest-key key-id md5 key-string
option, the CLI lists the encrypted keyword. This keyword
encrypts display of the string in the startup-config and run-
ning-config. Do not enter this keyword. The AX device auto-
matically applies the keyword. Entering the keyword
manually is not valid.
Key Strings Set of MD passwords used by the interface to authenticate Alphanumeric string up to 16
link-state messages exchanged with neighbor OSPF routers. bytes long.
You can enter up to four key strings. The string cannot contain
Each neighbor must be configured with at least one of the blanks.
strings. Otherwise, the interface refuses (drops) the messages.
This value applies only to MD authentication, not to simple
authentication.
[no] ip ospf message-digest-key key-id
md5 key-string
Config > Network > Route > OSPF > Interface
684 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
RIP Parameters
RIP Parameters
The tables in this section list the configurable RIP parameters.
P e r f o r m a n c e b y
D e s i g n 685 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
RIP Parameters
686 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Backing Up System Information
Configuration Management
By default, when you click the Save button in the GUI or enter the write
memory command in the CLI, all unsaved configuration changes are saved
to the startup-config. The next time the AX device is rebooted, the configu-
ration is reloaded from this file.
Note: For upgrade instructions, see the release notes for the AX release to which
you plan to upgrade.
P e r f o r m a n c e b yD e s i g n 687 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Backing Up System Information
688 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Saving Multiple Configuration Files Locally
USING THE CLI
At the Privileged EXCE level of the CLI, use the following command:
The config option backs up the startup-config file, aFleX scripts, and SSL
certificates and keys.
The log option backs up the log entries in the AX device’s syslog buffer.
The url option specifies the file transfer protocol, username, and directory
path. You can enter the entire URL on the command line or press Enter to
display a prompt for each part of the URL. If you enter the entire URL and a
password is required, you will still be prompted for the password. To enter
the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
Note: Unless you plan to locally store multiple configurations, you do not need
to use any of the advanced commands or options described in this section.
Just click Save in the GUI or enter the write memory command in the
CLI to save configuration changes. These simple options replace the com-
mands in the startup-config stored in the image area the AX device booted
from with the commands in the running-config.
P e r f o r m a n c e b yD e s i g n 689 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Saving Multiple Configuration Files Locally
Configuration Profiles
Configuration files are managed as configuration profiles. A configuration
profile is simply a configuration file. You can locally save multiple configu-
ration profiles on the AX device. The configuration management commands
described in this section enable you to do the following:
• Save the startup-config or running-config to a configuration profile.
Note: Although the enable and admin passwords are loaded as part of the sys-
tem configuration, they are not saved in the configuration profiles.
Changes to the enable password or to the admin username or password
take effect globally, regardless of the values that were in effect when a
given configuration profile was saved.
write memory
[primary | secondary | profile-name] [cf] |
terminal
690 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Saving Multiple Configuration Files Locally
If you enter write memory primary, the command replaces the configura-
tion profile stored in the primary image area with the running-config. Like-
wise, if you enter write memory secondary, the command replaces the
configuration profile stored in the secondary image area with the running-
config.
The cf option replaces the configuration profile in the specified image area
(primary or secondary) on the compact flash rather than the hard disk. If you
omit this option, the configuration profile in the specified area on the hard
disk is replaced.
When entered without the all or profile-name option, this command dis-
plays the contents of the configuration profile that is currently linked to
"startup-config". To display the contents of a different configuration profile,
use the profile-name option. To display a list of the locally stored configura-
tion profiles, use the all option.
The cf option displays the configuration profile in the specified image area
(primary or secondary) on the compact flash rather than the hard disk. If you
omit this option, the configuration profile in the specified area on the hard
disk is displayed. If the all option is also used, the cf option displays all the
configuration profiles stored on the compact flash.
The cf option copies the profile to the compact flash instead of the hard
disk.
Note: Copying a profile from the compact flash to the hard disk is not sup-
ported.
P e r f o r m a n c e b yD e s i g n 691 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Saving Multiple Configuration Files Locally
(The url option backs up the configuration to a remote device. See “Backing
Up System Information” on page 687.)
To compare any two configuration profiles, enter their profile names instead
of startup-config or running-config.
In the CLI output, the commands in the first profile name you specify are
listed on the left side of the terminal screen. The commands in the other pro-
file that differ from the commands in the first profile are listed on the right
side of the screen, across from the commands they differ from. The follow-
ing flags indicate how the two profiles differ:
• – This command has different settings in the two profiles.
• – This command is in the second profile but not in the first one.
• – This command is in the first profile but not in the second one.
This command enables you to easily test new configurations without replac-
ing the configuration stored in the image area.
The primary | secondary option specifies the image area. If you omit this
option, the image area last used to boot is selected.
692 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Saving Multiple Configuration Files Locally
The cf option links the profile to the specified image area in compact flash
instead of the hard disk.
The profile you link to must be stored on the boot device you select. For
example, if you use the default boot device selection (hard disk), the profile
you link to must be stored on the hard disk. If you specify cf, the profile
must be stored on the compact flash. (To display the profiles stored on the
boot devices, use the show startup-config all and show startup-config all
cf commands.)
Likewise, the next time the AX device is rebooted, the linked configuration
profile is loaded instead of the configuration that is in the image area.
Note: Although the command uses the startup-config option, the command
only deletes the configuration profile linked to “startup-config” if you
enter that profile’s name. The command deletes only the profile you spec-
ify.
CLI EXAMPLES
P e r f o r m a n c e b yD e s i g n 693 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Saving Multiple Configuration Files Locally
file that is currently linked to “startup-config”. If the profile name is
“default”, then “startup-config” is linked to the configuration profile stored
in the image area from which the AX device most recently rebooted.
AX(config)#show startup-config all
Current Startup-config Profile: slb-v6
Profile-Name Size Time
------------------------------------------------------------
1210test 1957 Jan 28 18:39
ipnat 1221 Jan 25 10:43
ipnat-l3 1305 Jan 24 18:22
ipnat-phy 1072 Jan 25 19:39
ipv6 2722 Jan 22 15:05
local-bwlist-123 3277 Jan 23 14:41
mgmt 1318 Jan 28 10:51
slb 1354 Jan 23 18:12
slb-v4 12944 Jan 23 19:32
slb-v6 13414 Jan 23 19:19
694 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Saving Multiple Configuration Files Locally
AX(config)#diff startup-config testcfg1
!Current configuration: 13378 bytes (
!Configuration last updated at 19:18:57 PST Wed Jan 23 2008 (
!Configuration last saved at 19:19:37 PST Wed Jan 23 2008 (
!version 1.2.1 (
! (
hostname AX (
! (
clock timezone America/Tijuana (
! (
ntp server 10.1.11.100 1440 (
! (
...
! (
interface ve 30 (
ip address 30.30.31.1 255.255.255.0 | ip address
10.10.20.1 255.255.255.0
ipv6 address 2001:144:121:3::5/64 | ipv6 address
fc00:300::5/64
! (
! (
> ip nat range-
list v6-1 fc00:300::300/64 2001:144:121:1::900/6
! (
ipv6 nat pool p1 2001:144:121:3::996 2001:144:121:3::999 netm <
! <
slb server ss100 2001:144:121:1::100 <
port 22 tcp <
--MORE--
P e r f o r m a n c e b yD e s i g n 695 of 702
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
Saving Multiple Configuration Files Locally
696 of 702 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
The match-type server option is useful in cases where the same service is
available on multiple service ports on the server. With this option, if the
server port that a client is using for a persistent session goes down, another
service port of the same service type on the same server can be used.
P e r f o r m a n c e b yD e s i g n 697 of 522
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
VIP 192.168.10.11 uses 3 real servers for HTTP service. Two of the servers
have a single protocol port for HTTP. However, one of the servers has
HTTP service on multiple service ports.
The load-balancing method for the service group is used to select a server
and port for the first request from a given client (source IP address). After
this initial selection, subsequent requests from the same client are sent to the
same server.
698 of 522 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
In this case, it is possible that a different server will be selected for the next
request. For example, if an admin needs to perform some maintenance on
port 80, and disables the port in order to prevent it from being used for fur-
ther requests, persistent sessions on the port and server may not remain per-
sistent to the same server.
CLI Example
The commands in this section configure the source-IP persistence template
and the service group in Figure 165 on page 698.
P e r f o r m a n c e b yD e s i g n 699 of 522
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
AX Series - Configuration Guide
700 of 522 P e r f o r m a n c e b y D e s i g n
Document No.: D-030-01-00-0006 - Ver. 2.0.2 11/11/2009
P e r f o r m a n c e b y D e s i g n
702
P e r f o r m a n c e b y D e s i g n
Corporate Headquarters
www.a10networks.com
Asia Headquarters
+86-10-8282-5137
702