
Training Manual

Alteon Application Switch Level 1 Course 500-101 May 2011

Alteon Level 1 Training Manual

This document is protected by United States and international copyright laws. Neither this document nor any material contained within it may be duplicated, copied or reproduced, in whole or part, without the expressed written consent of Radware, Inc.

Radware 2011. All rights reserved. Distribution of this document needs approval from Radware Knowledge & Education Services.


TABLE OF CONTENTS

Lab Overview
Basic Switch Configuration
    Overview
    Assignment
Server Load Balancing
    Overview
    Assignment
Persistent Load Balancing
    Overview
    Assignment
Content Load Balancing
    Overview
    Assignment
SSL Acceleration
    Overview
    Assignment
Switch Troubleshooting
    Overview
    Assignment
Virtual Router Redundancy
    Overview
    Assignment
BBI Web Based Management Labs
    BBI SLB configuration of the Switch
    BBI Layer 7 Passive Cookie Persistence Configuration
    BBI Content Load Balancing Configuration
    BBI configuration for VRRP


Description of the Lab Environment


This lab kit consists of Radware Alteon application switches, virtual PCs called Team-PCs, and a pair of servers for each switch. Access to the Team-PCs from the classroom PC is via the VNC application. A copy of a VNC client is in the tools folder on your USB stick. Product documentation and useful information are also on this USB stick. All Team-PCs and web servers are preconfigured. The URL and port you need to use will be assigned by your instructor.

Course delegates have serial access to all Radware Alteon switches via a terminal server. On your Team-PC, use the preconfigured Putty application. For FTP, TFTP and syslog, use the 3CD application. Both icons are located in the Quick Launch area. All cables to the devices are already connected; please keep this in mind. All documentation, tools, software, applications and feature key codes are on the CD-ROM of each Team-PC.

The following equipment is required for each delegate to complete the labs:
- 1 local workstation (laptop) capable of running VNC, Web and Putty

At the remote lab location:
- 1 Radware Alteon Application Switch (AS)
- 1 Team-PC (interface between remote and local lab)
- 4 Web servers


Lab Overview

Purpose
This document provides details about the technical training topics covered during the Radware Alteon 500-101 Application Switch Level 1 technical training curriculum. This course covers basic configuration and troubleshooting in local server load balancing, persistent SLB, content SLB, and SSL acceleration. The Application Switch Level 1 training is for students who have good knowledge of network switching and routing features using standard protocols. The training material for this course consists of a PowerPoint presentation for theory and a Training Manual for hands-on work, to be used in tandem.

The features and functions of Radware Alteon devices discussed in this document are based on version 27. If your Radware Alteon device is running an older or newer version of firmware, or if you are using an older version of Application Switch Element Manager (ASEM), some of the features and implementations discussed in this manual may not be available or some terminology might be different. For your existing onsite device, please contact Radware technical support at support@RadwareAlteon.com.

The following font conventions are used in this manual:
- Bold indicates the buttons or menu selections in the ASEM or Browser Based Interface (BBI) graphical user interface (GUI) used to reach a particular screen or window.
- Underline indicates an option area within an ASEM or BBI screen or window, such as dropdown lists, check boxes, etc.
- Italics indicates the value or setting supplied in a window or screen.
- Courier indicates CLI commands on serial, Telnet or SSH connections.
- {value-A, value-B} indicates available CLI command options.


Lab Configuration for All Teams

[Figure: lab topology. The classroom PC connects via VNC to the Team-PCs (8 virtual Team-PCs). A terminal server has one serial connection to each content switch. The lab contains a router, 8 Alteon switches and 2 servers per team.]


Detailed Lab Configuration for Each Delegate / Group

[Figure: team switch attached to the public net, the private net and the management net; port labels 1, 2 and 6.]

Servers:
    Server1: 10.200.#.100
    Server2: 10.200.#.200
    Def. GW: 10.200.#.#

URL for lab access:
    Europe (Munich Lab): lab-muc.radware.com or IP: 88.217.164.10
    Americas (NJ Lab): njlab1.radware.net or IP: 65.217.163.34

VNC remote access to Team-PC:
    Port: 5901 to 5930
    Password: team1 team30

Remote access to management IP address:
    Americas (NJ Lab): njlab1.radware.net or IP: 65.217.163.34
    Direct SSH: Port: 7601 until 7630
    Direct SSL: Port: 7701 until 7730
    URL: lab-muc.radware.com or IP: 88.217.164.10
    Serial access via telnet: Port: 4231 until 4238
    Access via http to VIP: Port: 4921 until 4928

Alteon Application team switch:
    Management net: IP 10.10.242.#, Mask 255.255.248.0, GW 10.10.240.1
    Public net: VLAN 11, IP 192.168.100.# /24, GW 192.168.100.254
    Virtual IP: VIP 192.168.100.2#
    Port 2 private net: VLAN 14, IP 10.200.#.# /24

# indicates your Team number assigned by your instructor.



Detailed Redundant Lab Configuration for Each Delegate / Group


[Figure: redundant topology. Team-PC odd and Team-PC even on the public net; the odd team switch and the even team switch between the public net and the private net; Server 1 (10.10.#.100) and Server 2 (10.10.#.200) on the private net.]

Servers:
    Server1: 10.200.#.100
    Server2: 10.200.#.200
    Def. GW: 10.200.#.#

For access to the remote lab, see the previous page.

Odd team switch:
    Port 1 public net: VLAN 11, IP 192.168.100.#+10/24, GW 192.168.100.254, VIR 192.168.100.#, VRID #, Priority 101
    Port 2 private net: VLAN 14, IP 10.200.#.#+10/24, VIR 10.200.#.#, VRID #+10, Priority 101
    Virtual IP: VIP 192.168.100.2#, VSR 192.168.100.2#, VRID #+20, Priority 101

Even team switch:
    Port 1 public net: VLAN 11, IP 192.168.100.#+20/24, GW 192.168.100.254, VIR 192.168.100.#, VRID #, Priority 100
    Port 2 private net: VLAN 14, IP 10.200.#.#+20/24, VIR 10.200.#.#, VRID #+10, Priority 100
    Virtual IP: VIP 192.168.100.2#, VSR 192.168.100.2#, VRID #+20, Priority 100

# indicates your Team number assigned by your instructor.



Basic Switch Configuration

Overview
Description
A Radware Alteon Application Switch (AAS) is based on a Layer 2 switch, not on a router. For management purposes, you can access the switch in the following ways:

- Via the Command Line Interface (CLI): use a serial connection to the console port and configure the application switch from a computer running any terminal emulation software, or connect on any Ethernet port by Telnet or SSH.
- Via a graphical user interface: any Java-enabled browser can manage the AAS via HTTP or HTTPS; this is called the Browser Based Interface (BBI). Another possibility is using SNMP and the Application Switch Element Manager (ASEM) application.

The management port on the Application Switch is used exclusively for managing the switch via an out-of-band Fast Ethernet connection. In-band (on all data ports) or out-of-band (management port) connections via Telnet, SSH, HTTP or HTTPS are possible. You can upgrade switch code via TFTP or FTP, and configuration backup and restore is possible via TFTP, FTP or SCP. There is an option to keep these management port settings when booting from the factory-default config block.

An Application Switch supports up to 2048 VLANs per switch, and each VLAN can be identified by any number between 1 and 4090. VLANs are set up on a per-port basis. Each VLAN can have any number of switch ports in its membership. Each port in the switch has a configurable default VLAN number, known as its PVID. The factory default value for all PVIDs is 1. Each port on the switch can belong to one or more VLANs. Any port that belongs to multiple VLANs, however, must have VLAN tagging enabled.

The Application Switch supports 802.1Q VLAN tagging, providing standards-based VLAN support for Ethernet systems. Tagging adds the VLAN identifier to the frame header, allowing multiple VLANs per port. Since tagging fundamentally changes the format of frames transmitted on a tagged port, you must carefully plan network designs to prevent tagged frames from being transmitted to devices that do not support 802.1Q VLAN tags. By default, VLAN tagging is set to off and a single VLAN, number 1, is set up on each port.
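The effect of tagging on the frame format, as an added example that is not part of the original manual: it inserts the standard 4-byte 802.1Q tag into a frame, then decodes the result once as a tag-aware port and once as a device without 802.1Q support. The sample frame is constructed, and the function names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
VLAN_MIN, VLAN_MAX = 1, 4090   # VLAN number range given in this manual

# Constructed sample: untagged Ethernet II frame carrying IPv4 (type 0x0800).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0003b271b5c0")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"IP-PAYLOAD"


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between source MAC and EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError(f"VLAN {vid} is outside {VLAN_MIN}-{VLAN_MAX}")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must fit in 3 bits")
    tci = (pcp << 13) | vid    # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag_aware(frame: bytes) -> dict:
    """Decode the frame the way an 802.1Q-capable port does."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"vid": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"vid": tci & 0x0FFF, "ethertype": inner_type, "payload": frame[18:]}


def parse_tag_unaware(frame: bytes) -> dict:
    """Decode the frame the way a device without 802.1Q support does:
    bytes 12-13 are taken as the EtherType, everything after as payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return {"ethertype": ethertype, "payload": frame[14:]}


def classify(frame: bytes, pvid: int) -> int:
    """VLAN of a frame on ingress: the VID from its tag, otherwise the
    port's PVID (also used for priority-only tags, which carry VID 0)."""
    vid = parse_tag_aware(frame)["vid"]
    return pvid if vid in (None, 0) else vid


if __name__ == "__main__":
    tagged = add_vlan_tag(UNTAGGED, vid=11)
    print("tag-aware  :", parse_tag_aware(tagged))
    print("tag-unaware:", parse_tag_unaware(tagged))
    print("untagged frame on a port with PVID 1 ->", classify(UNTAGGED, pvid=1))
```

The tag-unaware decode reports EtherType 0x8100 and a payload that starts four bytes early, which is why tagged frames must not reach devices without 802.1Q support.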


An interface is a logical network definition. For each directly connected network, a separate interface is required. The associated number is independent of any physical port or VLAN. For easier management, the port, VLAN, and interface often all use the same number, or a number based on a customer-specific logic. The mask describes the size of this network. The address defines your local IP address, which accesses this directly connected network. By default, IPv4 is enabled, and IPv6 is supported.

VLAN 1 is automatically associated with a new interface, if not changed. The VLAN value associates this network with one or more ports that have the same VLAN number as the network. Another interface associated with the same VLAN enables both networks on this Ethernet port or ports. This is called multinetting. A similar behavior results from enabling tagging and associating several VLANs with a port: each interface associated with one of these VLANs is then also associated with these ports.

Without Layer 3 IP routing on the switch, an unknown destination IP address is sent to the default gateway (GW). Default GWs 1 to 4 are not assigned to any VLAN. The Strict metric always uses the device with the lowest number. In case of failure, the next highest number is used. The round-robin metric uses the next higher GW number for each session. After reaching the highest configured number, it starts from the lowest again. ICMP messages are the default for health checks. Alternatively, use the ARP protocol.

GWs 5 through 259 are each associated with a separate single VLAN. All unknown destination IP addresses for a VLAN are sent to the associated GW. If this GW fails, the switch uses GW 1-4 if present; if not present, no routing is possible.
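The gateway selection rules above, as an added example that is not part of the original manual and is not Alteon code: a small model of the strict and round-robin metrics with the per-VLAN gateways 5-259 falling back to gateways 1-4. It assumes that round robin skips gateways whose health check has failed; all addresses except 192.168.100.254 are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Gateway:
    number: int                 # 1-4: default gateways, 5-259: per-VLAN gateways
    addr: str
    vlan: Optional[int] = None  # set only for gateways 5-259
    healthy: bool = True        # outcome of the ICMP (default) or ARP health check


class GatewayTable:
    def __init__(self, gateways, metric="strict"):
        if metric not in ("strict", "roundrobin"):
            raise ValueError("metric must be 'strict' or 'roundrobin'")
        self.metric = metric
        self.default = {}       # number -> Gateway, numbers 1-4
        self.by_vlan = {}       # VLAN -> Gateway, numbers 5-259
        for gw in gateways:
            if 1 <= gw.number <= 4 and gw.vlan is None:
                self.default[gw.number] = gw
            elif 5 <= gw.number <= 259 and gw.vlan is not None:
                if gw.vlan in self.by_vlan:
                    raise ValueError(f"VLAN {gw.vlan} already has a gateway")
                self.by_vlan[gw.vlan] = gw
            else:
                raise ValueError(f"gateway {gw.number}: number and VLAN do not match")
        self._last = 0          # gateway number used for the previous session

    def select(self, vlan: int) -> Optional[Gateway]:
        """Gateway for a new session from `vlan` to an unknown destination."""
        vlan_gw = self.by_vlan.get(vlan)
        if vlan_gw is not None and vlan_gw.healthy:
            return vlan_gw                      # the VLAN's own gateway wins
        alive = [gw for _, gw in sorted(self.default.items()) if gw.healthy]
        if not alive:
            return None                         # no routing is possible
        if self.metric == "strict":
            return alive[0]                     # lowest working number
        # Round robin: next higher number than last time, wrapping to the lowest.
        chosen = next((gw for gw in alive if gw.number > self._last), alive[0])
        self._last = chosen.number
        return chosen


if __name__ == "__main__":
    gw1 = Gateway(1, "192.168.100.254")
    gw2 = Gateway(2, "192.168.100.253")              # constructed address
    gw5 = Gateway(5, "10.200.21.254", vlan=14)       # constructed address
    table = GatewayTable([gw1, gw2, gw5], metric="strict")
    print("VLAN 14 ->", table.select(14).number)
    gw5.healthy = False
    print("VLAN 14 after GW 5 fails ->", table.select(14).number)
```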

Objectives
After completing this lab, you will be able to:
- Log in to the switch
- Configure VLANs and interfaces
- Back up a configuration
- Use BBI and ASEM GUIs

Equipment
The following equipment is required to complete this lab:
- 1 Classroom PC (in front of you)
- 1 Application Switch
- 1 Team-PC (interface between remote and local lab)
- 2 Servers (web application)
- 1 FTP/TFTP server on your Team-PC


Assignment
Physically, your network is wired as per the diagram on the Lab Description pages. To configure this Application Switch, connect to the serial port. On the remote Team-PC, the Putty application is preconfigured to connect via a terminal server to the serial port.

Task 1: Set up this Application Switch to operate as a router:
- Start by checking that the device is set to the factory default.
- Configure two VLANs, for the public and private networks, and two interfaces according to the IP plan on the Lab Description pages.
- Set up a default gateway to complete the setup.
- Test access from the Team-PC to server 1 and 2: ping 10.200.#.100 or .200 and browse to http://10.200.#.100 or .200.

Task 2: Use the copy and paste feature to modify or back up your configuration data.

Task 3: Back up your configuration using the FTP/TFTP protocol.

Task 4: Set up the two GUI management interfaces, BBI and ASEM.

IMPORTANT: X indicates any IP address assigned by DHCP on your Team-PC.

# indicates your Team number assigned by your instructor.

On your Team-PCs, the Putty application is already set up. Individual settings to connect via serial to the Application Switches are already configured. If the application is missing, check the CD-ROM. Be aware that a serial connection to an Application Switch can only be established from one PC at a time; a second connection will fail. For a second connection, enable Telnet or SSH or use any GUI.


Configuring the Application Switch Management Interface


Configuration steps 1 through 6 may have been completed by your instructor. We recommend that you still go through these steps.

1. Log into the Application Switch:
   a. Open Putty; connect to Team#-4408.
   b. Enter the admin password admin.

2. Check whether the switch is set to factory default: display all the differences from a standard configuration on your terminal. In the main menu, select cfg.

     >> Main# /cfg/dump                  short form: /c/d
     script start "Alteon Application Switch 4408" 4  /**** DO NOT EDIT THIS LINE!
     /* Version 27.Y.Z,  Base MAC address 00:03:b2:71:b5:c0
     /
     script end  /**** DO NOT EDIT THIS LINE!

   There should be no configuration data between "/* Version" and "script end".


3. If there is any configuration, set the switch to factory default.

   Syntax:
     /boot/conf {location of config db}
   active and backup are customer configurations copied from volatile memory; factory is the Radware preconfigured setting.

   Lab Configuration:
     /boot/conf factory      short form: /b/co f
     reset                   short form: r; resets the switch to activate the setting
     y                       confirms the reset

4. Press Enter to reboot the switch. After approximately 1 minute, log into the switch using the admin password.

5. On a 4408 switch, enable port 6 as the out-of-band management port.

   Syntax:
     /boot/mgmt ena          turns port 6 from a data port into a separate management port

   Lab Configuration:
     /boot/mgmt ena
     Current state of mgmt port is Disabled Globally
     [ena|dis] mgmt port (requires a switch reset): ena
     Mgmt port state changed.
     reset

6. Set up a separate management interface for the management port.

   Syntax:
     /cfg/sys/mmgmt
     addr {management IP-address}
     mask {Netmask for management port}
     gw {default gateway IP-address for mgmnt net}
     applications {data|mgmt}    by default, all management applications use the data port; you may want to move them to the management port
     ena                         the management port needs to be enabled
     /c/sys/mmgmt/port
     speed {10|100|any}          sets the speed of the link with the management port; default is any
     mode {full|half|any}        sets half or full duplex mode; default is any
     auto {on|off}               sets auto negotiation for the port; default is on
     apply                       without apply, settings remain pending
     save                        writes all changes to flash memory
     y                           confirms saving to FLASH
     y                           selects active as the next boot database

   Lab Configuration, keep the default port parameters:
     /cfg/sys/mmgmt
     addr 10.10.242.#
     mask 255.255.248.0
     gw 10.10.240.1
     tftp mgmt
     ena


     apply
     save
     y
     y

   After the following message, the management network is ready to use:
     >> Management Port# <date,time> NOTICE ip: management port default gateway 10.10.240.1 operational

   If you want to continue with a graphical interface instead of the CLI, continue with the section "Graphical Web User Interface, Browser Based Interface (BBI)" on page 22.


Command Line User Interfaces (CLI)


1. Create new VLANs for ingress and egress ports. We keep unused ports on VLAN 1. By default all ports are enabled; double-check that no port has been disabled.

   Syntax:
     /cfg/l2/vlan {Vlan Number}/add {Physical Port1}/add {Physical Port2}/etc
                                creates a new VLAN and adds the specified port(s)

   Lab Configuration:
     /cfg/l2/vlan 11/add 1      creates VLAN for clients, VLAN 11; type L2, not 12!
     y                          moves port from VLAN 1 (default) to VLAN 11, does not tag it
     ena                        enables VLAN
     ../vlan 14/add 2/ena       creates VLAN for clients, VLAN 14
     y                          moves port from VLAN 1 (default) to VLAN 14, no tagging
     apply                      activates configuration change; should be done after each complete configuration step

2. Turn off Spanning Tree Group (STG) on the switch. This protocol is used to avoid Layer 2 loops. It should be enabled or disabled depending on the customer's network. For training purposes, in this and the following labs we always disable it.

   Syntax:
     /cfg/l2/stg {ST number}/{off, on}      up to 16 different ST groups possible

   Lab Configuration:
     /cfg/l2/stg 1/off          this disables STP group 1; the default group is 1
     apply                      activates configuration change

3. Configure the interfaces for the switch as shown in the Lab Description pages. You must create a separate interface for each network that you want to connect directly to this switch. The interface index number used is independent of any physical port, VLAN, etc. A common number for port, VLAN and interface will simplify debugging and management.

   Syntax:
     /cfg/l3/if {interface number}/{item parameter}/{item parameter}
                                up to 255 different networks are supported

   Lab Configuration:
     /cfg/l3/if 1               we start to configure interface 1
     mask 255.255.255.0         enter the mask to calculate the broadcast address
     addr 192.168.100.#         refer to the lab description for your IP address
     vlan 11                    associates this IF to VLAN 11, to use it on port 1
     ena                        enables interface 1

   For the second network, the Web server network, you need an additional interface. It is also possible to put all parameters on one line, separated by a forward slash:
     /c/l3/if 2/vlan 14/mask 255.255.255.0/addr 10.200.#.#/ena


4. Set the default gateway. Destination IP addresses that are not from local networks or do not match routing table entries are sent to this destination. GW 1 to 4 are for all VLANs; GW 5 to 259 can each be associated with one VLAN. An important option is to switch from ICMP to ARP health check.

   Syntax:
     /cfg/l3/gw {gateway number}/{parameter}/{parameter}

   Lab Configuration:
     /cfg/l3/gw 1               Gateway 1 (up to 4) is for all VLANs
     addr 192.168.100.254       interface of the next hop router
     ena                        enables the default gateway
     apply                      activates the switch configuration

5. To distinguish different switches, especially if there are several in a solution, create an individual CLI prompt. Under system SNMP, define a character string and activate it by setting hprompt to enable.

   Syntax:
     /cfg/sys/ssnmp/name string
     /cfg/sys/hprompt ena

   Lab Configuration:
     /cfg/sys/ssnmp/name team#>     define a character string
     /cfg/sys/hprompt ena           activate individual CLI prompt

6. Enable remote access. All different variations for CLI, BBI, and socket-based communication, as well as user passwords and access rate settings per protocol, are available.

   Syntax:
     /cfg/sys/access/{access protocol}/{parameter}

   Lab Configuration:
     /cfg/sys/access/tnet ena       enables telnet access via if-address
     /cfg/sys/access/sshd/on        enables ssh access via if-address
                                    enable ssh or telnet only via serial connection
     apply                          activates remote access
     save                           saves the switch configuration, confirm with y

7. Check the current configuration of your switch.
     /cfg/dump                      this displays your configuration information
   Check that the IP interfaces, addresses and subnet masks that you have just configured are correctly shown and are enabled in the configuration.


8. Ping the remote devices on the network from your Application Switch CLI to confirm Layer 3 connectivity.

   Syntax:
     ping {host name} or {IP address}
   Optional: the number of attempts {tries 1-32}, the interval between packets {msec delay}, and the port on which the packet will be sent {-mgmt or data}.

   Lab Configuration, type at the Application Switch command line:
     ping 10.200.#.100          e.g. for team21: ping 10.200.21.100

9. Open any browser on your client PC and retrieve a Web page from each server to confirm HTTP is operational.
     http://10.200.#.100        e.g. for team21: http://10.200.21.100

10. Use telnet or SSH on the client to connect directly to the switch. Enter admin as the password to access the switch.
    Open a CMD window or use the Putty application:
     telnet 192.168.100.#
    Use Putty to connect via SSH:
     192.168.100.# port 22

The purpose of this hands-on was to familiarise yourself with the console connection setup. After completing your configuration, you were shown how to enable, apply, and save your settings for future use.

An acronym to help remember how to save your work is:

EASY (E = Enable, A = Apply, S = Save, Y = Yes, to confirm the save)

Please go ahead with the exercises on the following pages to save the configuration of this switch.


Cut and Paste Switch Configuration

OBJECTIVE: Edit the switch configuration using copy and paste.

ASSIGNMENT: Take the active configuration file and modify it by copying a command string to the clipboard, pasting it to the terminal interface and saving it as your new active configuration.

Note: Depending on the terminal client being used (e.g. Putty, XTERM, HyperTerminal, etc.), be aware of the length of the lines transmitted and that the application can insert end-of-line characters that can affect the configuration download operation.

1. Configure what output to display on the terminal screen. Use the verbose command.

   Syntax:
     verbose {0, 1, 2}
   Sets the level of information displayed on the screen:
     0 = Quiet: Nothing appears except errors, not even prompts.
     1 = Normal: Prompts and requested output are shown, but no menus.
     2 = Verbose: Everything is shown.
   When used without a value, the current setting is displayed.

2. Save the switch configuration as a text file.

   Lab Configuration:
   a) Type verbose 0 on the switch; this puts the switch in quiet mode.
   b) Display the configuration with the /cfg/dump command, mark all or parts of this config, copy it to the clipboard and paste it to a text file. As an alternative to mark-copy-paste, you can use the terminal feature to copy data input to a file. For the Putty application: select Change Settings, Session, Logging, Printable output. Label the file SW.txt and save it on the desktop of your Team-PC.
   c) Type verbose 2 <enter> on the switch to restore the default mode.

3. Edit the switch configuration file, SW.txt, stored in the desktop directory, using any text editor (e.g. Wordpad).


4. Make a change. For example, add an interface: type the following line below the if 2 command lines in the SW.txt file:
     /cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena
   A single line, or any amount of spaces and tabs, is allowed.

5. Copy the command line you just typed onto the clipboard. Mark:
     /cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena
   Paste this line into the Application Switch terminal window and watch the terminal output.

6. Log into the switch and double-check that this change is pending.
     diff                       check if the change is received

7. Activate this change and save it to non-volatile memory:
     apply
     save
     y

8. Dump the switch configuration to the screen and verify that the edited line was applied:
     /cfg/dump                  short form: /c/d

In this lab exercise, you learned how to drag and drop a series of commands into the terminal interface, and how to set up a switch configuration from a saved text file.


Upload and download configuration to an FTP/TFTP Server


OBJECTIVE: To become familiar with uploading and downloading a configuration file to an FTP or TFTP server.

ASSIGNMENT: Use the FTP/TFTP server 3CDeamon (3CD) located in your Team-PC quick launch area. Transfer the current configuration from the switch to Team-PC using the FTP or TFTP server. Set the switch back to factory default. To restore the configuration you must set up at minimum a public interface and depending on your topologies a default gateway. No VLAN/STG config is necessary. Transfer the stored file from the FTP/TFTP server back to your switch. Do not forget to verify that the configuration was transmitted correctly to the switch or the FTP/TFTP server when uploading and downloading switch configuration files.

[Figure: FTP / TFTP server configuration. The Team-PC, running the 3CD FTP/TFTP server application, is attached to the public net (port 1); the private net is on port 2.]

1. Start the 3CD FTP or TFTP service on your Team-PC. If it is not installed, a copy of this application is in the tools folder on your CD-ROM drive. Write down the IP address of your local PC, which is the FTP/TFTP server: ___________

2. Check the configuration file of the FTP or TFTP server. The user directory points to where the files will be stored or loaded.


3. Store the Application Switch configuration on your Team-PC. You can use either FTP or TFTP.

   Syntax for the communications dialog:
     /cfg/ptcfg                 used to upload the active configuration to a TFTP/FTP server
     /cfg/gtcfg                 used to download into the active config from a TFTP/FTP server
     Enter IP address of FTP/TFTP server: {IP address of TFTP/FTP server}
     Enter name of file on FTP/TFTP server: {file name}
     Enter username for FTP server or hit return for TFTP server: {account for FTP}
     Enter password for username on FTP server: {password for FTP}

   Lab configuration:
     /cfg/ptcfg                 used to upload the active configuration to an FTP server
     Enter IP address of FTP/TFTP server: 192.168.150.x          address of your Team-PC
     Enter name of file on FTP/TFTP server: Router.doc
     Enter username for FTP server or hit return for TFTP server: anonymous
     Enter password for username on FTP server: any

4. Check that the file (Router.doc) was created on the Team-PC by checking the root directory of the server application. Open this file with the WordPad text editor.

5. Set your switch to factory default to clear all current configuration settings. Loading this setting requires resetting the switch. Keep your management interface.
     /boot/conf f/reset

6. After the reboot, log in again and enter the following commands to set up an interface and a default gateway for communication with the Team-PC.
     /cfg/l3/if 1/mask 255.255.255.0/addr 192.168.100.#/ena
     /cfg/l3/gw 1/addr 192.168.100.254/ena
     /cfg/port 2/dis            to isolate the server net
     apply                      activates the new setting
     ping 192.168.150.x         to verify communication with the FTP server / Team-PC

7. Restore the switch configuration again. Enter the following commands:
     /cfg/gtcfg                 command to replace the active configuration with the downloaded file
     Enter IP address of FTP/TFTP server: 192.168.150.x          address of your Team-PC
     Enter name of file on FTP/TFTP server: Router.doc           stored file name
     Enter username for FTP server or hit return for TFTP server: anonymous
     Enter password for username on FTP server: any
     apply
     save                       confirm with y

8. To load the restored config at the next reboot, select the active config:
     /boot/conf active

9. Check to see if your previously saved configuration has been restored.
   Lab Configuration:
     /c/d

This lab should have made you more comfortable with the ptcfg and gtcfg commands used to upload and download a switch configuration to and from an FTP or TFTP server.
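One way to carry out the "verify that the configuration was transmitted correctly" check, as an added example that is not part of the original manual: it reduces two dumps to a canonical form so that the multi-line and single-line command forms, /c versus /cfg, tabs and CRLF compare equal, reports commands damaged by a line break inserted by a terminal client, and lists the cleartext management services switched on under /cfg/sys/access. The parser only understands the command forms shown in this manual; the sample dumps are constructed and the function names are hypothetical.

```python
# State words and service names as typed in this manual.
ON, OFF = {"ena", "e", "on"}, {"dis", "off"}
CLEARTEXT = {"tnet": "Telnet", "http": "HTTP"}
ENCRYPTED = {"sshd": "SSH", "https": "HTTPS"}

# Constructed sample: dump captured to a file (multi-line form, tabs, LF).
SAVED = (
    'script start "Alteon Application Switch 4408" 4  /**** DO NOT EDIT THIS LINE!\n'
    "/* Version 27.Y.Z,  Base MAC address 00:03:b2:71:b5:c0\n"
    "/c/sys/access/tnet ena\n"
    "/c/sys/access/sshd/on\n"
    "/c/l3/if 4\n"
    "\tmask 255.255.255.0\n"
    "\taddr 172.16.1.1\n"
    "\tbroad 172.16.1.255\n"
    "\tena\n"
    "/\n"
    "script end  /**** DO NOT EDIT THIS LINE!\n"
)
# Constructed sample: same settings in single-line form with CRLF line ends.
RESTORED = (
    "/cfg/sys/access/tnet   ena\r\n"
    "/cfg/sys/access/sshd/on\r\n"
    "/cfg/l3/if 4/mask 255.255.255.0/addr 172.16.1.1/broad 172.16.1.255/ena\r\n"
)
# Constructed sample: the long line was wrapped by the terminal client.
WRAPPED = RESTORED.replace("broad 172.16.1.255", "broad 172.16.\r\n1.255")


def canonical(text: str) -> list:
    """Reduce a dump to a list of commands, each a tuple of segments."""
    commands = []
    for raw in text.splitlines():                 # accepts LF and CRLF
        line = raw.strip()
        if not line or line == "/" or line.startswith(("/*", "script ")):
            continue                              # blank, separator, header
        if line.startswith("/"):                  # absolute path starts a command
            segs = [" ".join(s.split()) for s in line.strip("/").split("/")]
            if segs[0] == "c":                    # short form of cfg
                segs[0] = "cfg"
            commands.append(segs)
        elif commands:                            # setting line under that menu
            commands[-1].append(" ".join(line.split()))
    return [tuple(c) for c in commands]


def compare(saved: str, restored: str):
    """Return (commands missing from restored, commands only in restored)."""
    a, b = canonical(saved), canonical(restored)
    return [c for c in a if c not in b], [c for c in b if c not in a]


def access_state(text: str) -> dict:
    """Map each access service named in the dump to True (on) or False (off)."""
    state = {}
    for cmd in canonical(text):
        if cmd[:3] != ("cfg", "sys", "access"):
            continue
        tokens = [t for seg in cmd[3:] for t in seg.split()]
        for name, word in zip(tokens, tokens[1:]):
            if name in CLEARTEXT or name in ENCRYPTED:
                if word in ON:
                    state[name] = True
                elif word in OFF:
                    state[name] = False
    return state


def cleartext_enabled(text: str) -> list:
    """Names of the unencrypted management services that are switched on."""
    state = access_state(text)
    return sorted(label for key, label in CLEARTEXT.items() if state.get(key))


if __name__ == "__main__":
    print("saved vs restored:", compare(SAVED, RESTORED))
    print("saved vs wrapped :", compare(SAVED, WRAPPED))
    print("cleartext management access:", cleartext_enabled(SAVED))
```

Settings are compared in the order they appear, so a dump that lists the same settings of one menu in a different order is reported as a difference.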

Graphical Web User Interface, Browser Based Interface (BBI)


OBJECTIVE: Monitor and configure the switch using the Browser Based Interface (BBI) also called Web UI and Application Switch Element Manager (ASEM).

ASSIGNMENT:
Use the configuration from the previous lab. Enable SNMP for ASEM and HTTP for remote BBI access to the switch. View or modify the switch configuration.

1. Enable HTTP access to the switch.
  Syntax: /cfg/sys/access/{type of access} {parameter}
  Lab configuration:
  /cfg/sys/access/http e
  wport 8000    optional set HTTP server listening to port number 8000

2. apply

3. From Team-PC machine, start a web browser and enter the IP address of interface 1 on the switch in the address box. Log in to the switch.
  http://10.10.242.#
  User Name: admin
  Password: admin

4. Enable HTTPS for encrypted access to the switch.
  Lab configuration:
  /cfg/sys/access/https https e    Enable/disable HTTPS server access

5. apply    activate HTTPS setting / generate a HTTPS certificate

6. generate    Generate self-signed HTTPS server certificate
  Country Name (2 letter code) [US]: DE
  State or Province Name (full name) [NJ]: Bavaria
  Locality Name (eg, city) [Mahwah]: Munich
  Organization Name (eg, company) [Radware Ltd.]: Radware
  Organizational Unit Name (eg, section) [Engineering]: Training
  Common Name (eg, YOUR name) [Radware Inc.]: GuentherM
  Email (eg, email address) [info@radware.com]: training@radware.com
  Confirm generating certificate? [y/n]: y
  Generating certificate. Please wait (approx 30 seconds)
  restarting SSL agent


7. certSave    Save HTTPS server certificate

8. Create two new VLANs for ingress and egress ports. We keep unused ports on VLAN 1. By default, all ports are enabled. At configure tab select Layer2, VLANs and click the Add button.

Insert VLAN ID 11, Name, Enable it and associate Spanning Tree Group 1, select Available port 1 and move it to Configured. Press Submit and Apply button to activate this change. Each change is confirmed at BBI Log Messages field. Add another VLAN ID 14 and use port 2.

Disable Spanning Tree. Select on Layer2, SpanningTree number 1 and turn Enabled to Disabled. Submit and Apply change.


9. Configure the interfaces for the switch as shown in the Lab Description pages. You must create a separate interface for each network that you want to connect directly to this switch. The interface index number used is independent of any physical port, VLAN etc. A common number for port, VLAN and interface will simplify debugging and management. At Configure tab select Layer3, IP Interfaces and click the Add button.

Insert Interface ID 1. The IP address is 192.168.100.#, where # is your team number. The mask is a Class C one. Associate VLAN 11 for the public net. Enable the state and click the Submit and Apply buttons to activate this change. Add another interface 2 for your private net. IP Address is 10.200.#.# /24.

10. Set the default gateway. Traffic to any destination IP address that is not on a local network and does not match a routing table entry is sent to this gateway. GW 1 to 4 is for all VLANs, GW 5 to 259 can each be associated to one VLAN. Select Gateways and Add, Gateway ID 1, IP Address is 192.168.100.254 and turn state to Enable and click Submit and Apply buttons to activate this change. The settings are the same for all teams.


11. Some options are also available for CLI access. A login banner displays customer-specific information at CLI login. A notice is visible at logout. If you are logged out too quickly during configuration, adjust the Idle Timeout. This value is also applicable for HTTP and HTTPS access. Instead of a standard prompt, the SNMP name is displayed by selecting Hostname. These options are at Configure-System-Management Access-CLI or SNMP.

12. Check the current configuration of your switch. Click on Dump at the global commands line. A new tab opens and displays the configuration file. If not all parameters are visible, check DIFF. This command lists all pending and not applied configurations.

13. Save this basic configuration to a file on the Team-PC. Start the FTP/TFTP server on your Team-PC. At your Team-PC quick launch area click on 3CDaemon. By default the server is set to use the desktop as user directory. At your BBI window go to Configure, System, Download/Upload, Configuration. At section Import / Export select Export from Device, Management Port and FTP. Enter your Team_PC IP Address, Username is anonymous, Password any and as Filename Basic.txt. Submit these parameters.


14. View the settings in the Web UI. By default, the Web UI starts in Configure mode. Select Monitor mode, which allows you to view information about the switch. Some interesting information:

System-Ports-General or Layer 1 to IP specific details.
Layer 2 main menu
System-Capacity, displays maximum and allocated amount of items
Layer 2 and sub menus for FDB, STG Trunk and Port Teams
Layer 3 and sub menus for Routes, Interfaces and several routing protocols.
SLB and other menus we will use later.


Application Switch Element Manager Interface (ASEM)


ASEM is only supported until version 26, not for version 27!

1. The ASEM application is already installed. A copy is located on the CD drive: SwitchImages\ITMimages\Rel.6.1\install.exe

2. Perform this step only if this application is not present! The file is located on the local CDROM of your Team-PC. Install only the client and maybe the documentation. Do not install the server or the HP OpenView option!

3. Enable SNMP access to the switch.
  Syntax: /cfg/sys/access/{type of access} {parameter}
  Lab configuration:

4. /cfg/sys/access/snmp w
  apply/save y

5. To open the connection to your switch, click the quick launch Radware Alteon ASEM Client icon or select ASEM application from the Programs menu.

6. Press <ctrl>o keys or click at the folder icon or select General and Open

7. A new window opens. In the Device Name field, enter your public interface IP address and press the Enter key. For team 21 key in 192.168.100.21. You should now see a graphical representation of the switch.

8. Click on the + sign in front of the folder labeled Switch. A port list expands. Click on the Port3 icon. In the right window the port overview changes to port details with General, Port, Spanning Tree and Filtering tabs. Click the Port tab and modify state to disabled. The Set icon now turns from grey to bold. Press it, then press the Apply icon right of the Set icon and confirm OK. Within a few seconds the Port 3 icon turns from orange (open port) to red (disabled port).

9. Play with other menus. If you change something you can also watch this change on CLI and BBI windows. Each change in ASEM needs to be confirmed by the Set and Apply buttons at the bottom of any screen.


Printout for Switch Configuration (Team21)


/c/sys/mmgmt
    addr 10.10.242.21
    mask 255.255.248.0
    broad 10.10.247.255
    gw 10.10.240.1
    ena
    tftp mgmt
/c/sys/mmgmt/port
    speed any
    mode any
    auto on
/c/sys
    idle 999
/c/sys/access
    snmp w
    http ena
    tnet ena
/c/port 1
    pvid 11
/c/port 2
    pvid 14
/c/l2/vlan 1
    learn ena
    def 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 28
/c/l2/vlan 11
    ena
    name "VLAN 11"
    learn ena
    def 1
/c/l2/vlan 14
    ena
    name "VLAN 14"
    learn ena
    def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1
    ena
    ipver v4
    addr 192.168.100.21
    vlan 11
/c/l3/if 2
    ena
    ipver v4
    addr 10.200.21.21
    mask 255.255.255.0
    broad 10.200.21.255
    vlan 14
/c/l3/gw 1
    ena
    ipver v4
    addr 192.168.100.254
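The printout above records the management access this lab switched on (snmp w, http ena, tnet ena) and the raised idle timeout. The following is an added example, not part of the Radware manual: a small Python check that reads a dump in this layout and lists those management-plane settings for review before a configuration leaves the lab. The sample dump is constructed, and the finding texts and the idle review threshold are assumptions of this example.

```python
"""Flag management-plane exposure in an Alteon-style configuration dump."""

# Constructed sample shaped like the Team 21 printout (not a real device dump).
SAMPLE_DUMP = """\
/c/sys/mmgmt
    addr 10.10.242.21
    ena
    tftp mgmt
/c/sys
    idle 999
/c/sys/access
    snmp w
    http ena
    tnet ena
/c/port 1
    pvid 11
"""

# (menu path, setting, finding). The settings are those shown in the lab
# printout; the finding texts are this example's own wording.
RULES = [
    ("/c/sys/access", ("http", "ena"),
     "HTTP management is on: the admin login crosses the network unencrypted"),
    ("/c/sys/access", ("tnet", "ena"),
     "Telnet is on: CLI sessions and passwords are unencrypted"),
    ("/c/sys/access", ("snmp", "w"),
     "SNMP write access is on: the configuration can be changed over SNMP"),
]
IDLE_REVIEW_THRESHOLD = 10  # assumption for this example, not a vendor value


def parse_dump(text):
    """Return {menu path: [setting tokens]} for indented or one-line dumps."""
    sections, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        head = tokens[0]
        if head.startswith("/cfg/"):          # long form of the same menu path
            head = "/c/" + head[len("/cfg/"):]
        if head.startswith("/c/"):            # a new menu path starts here
            current = sections.setdefault(head, [])
            current.extend(tokens[1:])
        elif current is not None:             # setting line under that path
            current.extend(tokens)
    return sections


def _pairs(tokens):
    """Consecutive (keyword, value) token pairs of one section."""
    return list(zip(tokens, tokens[1:]))


def audit(text):
    """Return a list of (menu path, setting, finding) tuples."""
    sections = parse_dump(text)
    findings = []
    for path, pair, reason in RULES:
        if pair in _pairs(sections.get(path, [])):
            findings.append((path, " ".join(pair), reason))
    for key, value in _pairs(sections.get("/c/sys", [])):
        if key == "idle" and value.isdigit() and int(value) > IDLE_REVIEW_THRESHOLD:
            findings.append(("/c/sys", f"idle {value}",
                             "long idle timeout keeps unattended admin sessions open"))
    return findings


if __name__ == "__main__":
    for path, setting, reason in audit(SAMPLE_DUMP):
        print(f"{path}: {setting} -> {reason}")
```

The same function accepts the one-line-per-menu form and the long /cfg/ paths, so it can be run on text pasted from /cfg/dump as well as on a file saved with /cfg/ptcfg.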


Server Load Balancing

Overview
Description
Server Load Balancing (SLB) allows you to configure the Radware Alteon Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access to applications or data that is in high demand, it can become over-utilized. Placing this kind of strain on a server can decrease the performance of the entire network, as user requests are rejected by the server and then resubmitted by the user stations. Ironically, over-utilization of key servers often happens in networks where other servers are actually available.

The solution to getting the most from your servers is SLB. With this software feature, the switch is aware of the services provided by each server. The switch can direct user session traffic to an appropriate server, based on a variety of load-balancing algorithms. To provide load balancing for any particular type of service, each server in the pool must have access to identical content, either directly (duplicated on each server) or through a back-end network (mounting the same file system or database server).

The Application Switch, with the SLB feature enabled, acts as a front-end to the servers, interpreting user session requests and distributing them among the available servers.

Load balancing in the Application Switch Operating System can be done in the following ways: Virtual server-based load balancing; this is the traditional load balancing method. The switch is configured to act as a virtual server and is given a virtual server IP address (or range of addresses) for each collection of services it distributes. Depending on your switch model, there can be as many as 1024 virtual servers on the switch, each distributing up to eight different services. Each virtual server points to a list of up to 1024 IP addresses of real servers in a pool where its services reside. This pool is called a group. A maximum of 1024 groups are possible. The method of distribution, called the metric, and how to determine a real server as healthy, the health check (hc), are important configuration parameters. When the user stations request connections to a service, they communicate with a virtual server on the switch. When the switch receives the request, it binds the session to the IP address of the best available real server and remaps the fields in each frame from virtual addresses to real addresses. HTTPS, HTTP, IP, FTP, RTSP, and IDS, are examples of some of the services that use virtual servers for load balancing.


Filtered-based load balancing; A filter allows you to control the types of traffic permitted through the switch. Filters are configured to allow, deny, or redirect traffic according to the IP address, protocol, or Layer 4 port criteria. In filtered-based load balancing, a filter is used to redirect traffic to a real server group. If the group is configured with more than one real server entry, redirected traffic is load balanced among the available real servers in the group. For example SSL acceleration, Firewalls, WAP with RADIUS snooping, IDS, and WAN links use redirection filters to load balance traffic.

Content-based load balancing; Content-based load balancing uses Layer 7 application data, such as URL, cookies, and Host Headers, to make intelligent load balancing decisions. URL-based load balancing, browser-smart load balancing and cookie-based preferential load balancing are a few examples of content-based load balancing.

When deploying SLB, there are a few key aspects to consider. In standard SLB, all client requests to a virtual server IP address and all responses from the real servers must pass through the switch. If there is a path between the client and the real servers that does not pass through the switch, the Application Switch can be configured to proxy requests to guarantee that responses use the correct path. Identical content must be available to each server in the same pool. Either static applications and data are duplicated on each real server in the pool or dynamic applications where each real server in the pool has access to the same data through use of a shared file system or back-end database server. To take advantage of multi-CPU or multi-processor servers, configure the Application Switch Operating System to map a single virtual port to multiple real ports. This capability allows the site managers, for example, to differentiate users of a service by using multiple service ports to process client requests. This feature allows the network administrator to configure up to 16 real ports for a single service port, and it is supported in Layer 4 and Layer 7 and in cookie-based and SSL-persistent switching environments. When mapping multiple real ports on each real server to a virtual port, the Application Switch treats the real server IP address/port mapping combination as a distinct real server.

Clients and servers can be connected through different ports or through the same switch port. Each port in use on the switch can be configured to process client requests, server traffic, or both. Configure only the necessary processes since each one requires switch resources. It is possible to enable or disable processing on a port independently for each type of Layer 4 traffic. Ports that are configured for Layer 4 client processing, process user request traffic, which provides address translation from the virtual server IP to the real server IP address. Ports configured for Layer 4 server processing, process application responses to user requests. Translation from the real server IP address to the virtual server IP address occurs on the server enabled port. Real servers are connected to the Application Switch directly, or through a router, or another switch. Switch ports configured for Layer 4 client/server processing can simultaneously provide Layer 2 switching and IP routing functions. The switch must have an IP route to all of the real servers that receive switching services.


For each network directly attached to this switch, an IP interface is required. Suitable Layer 2 settings, Spanning Tree or VLANs as well as static or dynamic routing must be set up. For each real server, you assign a real server number, specify its actual IP address, and enable the real server. Define a real server group and add all real servers belonging to the same application to this service group. All client requests are addressed to a virtual server IP address (VIP) on a virtual server (VIRT) defined on the switch. Clients acquire the virtual server IP address through normal DNS resolution. Only a Layer 3 IP address or usually a Layer 4 service is assigned this VIP. By default, the service protocol is TCP, although UDP is also possible. For example, HTTP or TCP destination port 80 is configured as the service running on this virtual server, and this service is associated with the real server group containing all real servers for this application. This switch is not limited to HTTP Web service. Other TCP/UDP/IP services can be configured in a similar fashion. The protocol and a destination port must always be specified. Well known services are set up only by the name. For a list of other well-known services and ports, see "Well-Known Application Ports" in the Application Guide. A maximum of eight services are possible per VIRT. If more services are required, create another VIRT using the same VIP again for the next eight services and so on. The Server Load Balancing feature must be turned on. After applying all configurations, the health check process starts and should report the available real server with the lowest number. If one server is up an up message for the VIP is displayed as well. For all other real servers a similar up message follows. If there is load balancing for different real ports on the single real servers, a separate message displays for each port.

Objectives
After completing this lab, you will be able to:
Connect to the Application Switch using a console connection.
Configure standard SLB.
Repeat to save configurations to file.
Optional, set up load balancing services on multiple Layer 4 ports.


Assignment
All your network devices are connected via Ethernet cables as shown in the Lab Description pages. In order to configure this switch, connect serial to your assigned switch via a terminal server. Configure the application switch to support basic load balancing. If you successfully completed the previous basic lab, start with step one. Otherwise, perform the basic configuration described in Basic Switch Configuration. Set up Layer 4 real servers and bind them to a group. Use round robin as the metric and TCP for the health check. Configure a virtual server with a virtual IP and HTTP as the load balancing service. Associate it to the previously configured group. Enable client and server Layer 4 processes on the ports. Enable the server load balancing feature. Please watch the health check messages on your terminal screen after applying this config. Save this configuration to file. Connect to the VIP Home Page using Internet Explorer or FireFox browser and test SLB functionality. Optionally, set up load balancing for multiple ports. Assign the application port number used by the individual server on the switch to the real server configuration supporting this service. Change the real port for the VIP/service to zero value to enable real port look up.


Configure Switch
Console Setup
On your Team-PC, the Putty application is already set up with individual icons to connect via serial to the Application switches. Be aware that a serial connection can only be established from one PC to one switch. The second connection will fail. For a second connection enable Telnet or SSH or use any GUI.

CLI SLB configuration of the Switch


1. If you would like to use the graphical user interface (BBI) instead of the CLI, ensure that it is enabled. See page 22 for how to do this, if not already done. Continue on page 93.

2. Log into the switch, enter the admin password admin.

3. Check the current configuration of your switch. The cfg menu dump option displays all settings that differ from the Radware factory default configuration.
  Syntax: /cfg/{submenu}    all parameter setup for the Radware Alteon Application switch is done at different cfg sub menus.
  Lab Configuration: /cfg/dump    shorthand /c/d

This displays your configuration. Check the printout to make sure all entered data is correct and enabled. Use ping to PCs and server to test the config.

4. Configure both real servers.
  Syntax: /cfg/slb/real {real server index number}    set up all parameters for a real server at this menu.
  Lab Configuration: /cfg/slb/real 1    shorthand /c/sl/re 1

  Syntax: rip {real server IP address}    IP address of real server
  Lab Configuration:
  rip 10.200.#.100    replace # by your team number
  ena    enables each real server

It is also possible to put all commands into a single command line. For example go up one menu .., select a next server index real 2, provide IP address rip 10.200.21.200 and enable it.
  ../real 2/rip 10.200.#.200/ena    Server2 setup. Replace # by your team number again.
  apply    activates configuration

5. Add all real servers belonging together for a service to a group
  Syntax: /cfg/slb/group {group index number}    add all real servers and group parameters at this menu.

  Lab Configuration: /cfg/slb/group 1    shorthand /c/sl/gr 1

  Syntax: add {real server index}    Number of the real server configured in step
  Lab Configuration:
  add 1    add real server 1 to group 1
  add 2    add real server 2 to group 1

  Syntax: metric {algorithm to select next rip}    even distribution metrics are leastconns, roundrobin, response and bandwidth. Default value is leastconns.
  Lab Configuration: metric roundrobin    enable round robin distribution

  Syntax: health {rip availability test method}    several options from link, arp, icmp, tcp up to content specific are available. Default value is tcp.
  Lab Configuration: health icmp    enables ping to health check real server
  apply    activates configuration
  cur    verifies your configuration

6. Configure the virtual IP. This is the entry or termination IP address for a specific service.
  Syntax: /cfg/slb/virt {virtual server index number}    set up all parameters for a virtual server at this menu.
  Lab Configuration: /cfg/slb/virt 1    shorthand /c/sl/vi 1

  Syntax: vip {virtual server IP address}    IP address of virtual server
  Lab Configuration:
  vip 192.168.100.2#    replace # by your team number
  ena    enables each virtual server

  Syntax: service {virtual port name}    The virtual port name can be a well-known port name, such as http, ftp, etc. or a service number. The allowable port range is from 9 to 65534. For a list of all names, look up the Command Reference Guide and search for sport at /cfg/slb/filt section. By default, group 1 is associated. Specify different numbers.
  Lab Configuration: service http    shorthand se 80

7. Enable the client on the client port and server processing on the server port.
  Syntax: /cfg/slb/port {number}/{service ena}    Enable a required SLB service on this specific physical port. Services are client, server, proxy etc.
  Lab Configuration:
  /cfg/slb/port 1/client ena    shorthand /c/sl/po 1/cl e
  /cfg/slb/port 2/server ena    shorthand ../po 2/se e

8. Turn the SLB feature on, and apply and save the switch configuration
  Syntax: /cfg/slb/{processing status}    Value on, enables SLB feature. Default is off.
  Lab Configuration:
  /cfg/slb/on    shorthand /c/sl/on
  apply .... this activates the configuration
  save ..... this writes config to flash memory and confirm y
  y ........ confirms writing

9. After applying your changes, the switch should report that the real and virtual servers are operational.
  Date Time NOTICE slb: real server 10.200.1.100:80 operational
  Date Time NOTICE slb: Services are available for virtual server 192.168.100.221
  Date Time NOTICE slb: real server 10.200.1.200:80 operational

10. Log in to the switch and check the current SLB configuration. Lab Configuration: /c/slb/cur

11. Verify that SLB is working. Open a Web browser on Team-PC e.g. FireFox or MS Internet Explorer. For example, for team 21 enter http://192.168.100.221 You should see a response showing that you have reached Server 1 or Server 2. If you refresh the screen by pressing CTRL/F5, the display does not change. The reason for this behavior is that this session (HTTP 1.1) still remains! To get load balancing, close
the browser and open a new window. For your convenience set http://192.168.100.2# as default start page.

12. Verify SLB is working from the statistics menu in the switch. Syntax: /stats/slb/virt {virtual server} Lab Configuration: /stat/slb/virt 1 shorthand /st/sl/vi 1

13. Generate traffic by opening a new browser window to your VIP several times; return to the switch CLI and note changes to the switch statistics. In the switch CLI, press the cursor key to repeat the command to display statistics. (command /stats/slb/virt 1)

14. Clear the session table and repeat testing SLB (steps 11 through 14) Syntax: /stats/slb/{Layer-4-item} The Clear option resets all non-operating SLB statistics on the Application Switch to zero. This command does not reset the switch and does not affect the counters required for Layer 4 and Layer 7 operation, such as current real server sessions and all related SNMP counters. Lab Operation: /stat/slb/clear

shorthand /st/sl/cl

15. Save this SLB configuration to a file on the Team-PC. This configuration will be the base for the following labs. Start the 3CD FTP/TFTP server on your team PC. Lab Configuration: /cfg/ptcfg and specify team PC IP address, file name and for FTP account and password. Alternatively dump configuration and copy and paste configuration into a text file. Lab Configuration: /cfg/dump shorthand /c/d

Mark configuration and copy it to clipboard. Paste it to a text editor. Use Notepad or any other editor.


16. Load balancing for available services on different servers is an option. There are two web servers. One equipped with two CPUs, the other with four CPUs. For each CPU a separate Web application instance, e.g. Apache, is installed. Our customer wants to have an even load based balancing on each of these CPUs. Set up the real servers for multiport SLB using the switch CLI.
  Syntax: /cfg/slb/real {real server index number}/addport {L4-port number used at application}    set up Layer 4 port numbers used at application for a real server.
  Lab Configuration:
  /cfg/slb/real 1/addport 80    shorthand /c/sl/re 1/add 80
  /cfg/slb/real 1/addport 81    shorthand add 81
  /cfg/slb/real 2/addport 80    shorthand ../re 2/add 80
  /cfg/slb/real 2/addport 81    shorthand add 81
  /cfg/slb/real 2/addport 82    shorthand add 82
  /cfg/slb/real 2/addport 83    shorthand add 83

Syntax: /cfg/slb/real {rip number}/weight {multiplier for load} Sets the weighting value (1 to 48) that this real server will be given in the load balancing algorithms. Higher weighting values force the server to receive more connections than the other servers configured in the same real server group. By default, value one is set. Lab Configuration: /cfg/slb/real 2/weight 2 shorthand /c/sl/re 2/we 2

17. If multiple service ports per real server are set up, a separate metric for these services is available. Syntax: /cfg/slb/group {group number}/rmetric {metric} Real server metric usage can be roundrobin, hash, or leastconns. Default is roundrobin. Lab Configuration: /cfg/slb/group 1/rmetric roundrobin

18. Set up the real port for a service on a virtual server for MultiPort SLB. The allowable real L4-port range is from 1 to 65534. If set to 0 multiple real port is enabled. The configured metric at group level first selects a real server. If rport is set to zero the rmetric determines the selected port depending on configured values and healthy services at the real server. Only one service per virt can be set to rport 0. Syntax: /cfg/slb/virt {virt number}/service {L4-port number}/rport {real L4-port number} Lab Configuration: /cfg/slb/virt 1/service 80/rport 0 apply .... this activates the configuration

For each port of the real servers a separate confirmation line is printed.
  Date Time NOTICE slb: real service 10.200.21.100:80 operational
  Date Time NOTICE slb: Services are available for Virtual Server 1:192.168.100.221
  Date Time NOTICE slb: real service 10.200.21.100:81 operational
  Date Time NOTICE slb: real service 10.200.21.200:80 operational
  Date Time NOTICE slb: real service 10.200.21.200:81 operational
  Date Time NOTICE slb: real service 10.200.21.200:82 operational
  Date Time NOTICE slb: real service 10.200.21.200:83 operational
Did you have all six health check messages? Why did you get only three?

19. Access the web server via the VIP and generate traffic by opening several browser windows.
  Lab Operation: /stat/slb/virt 1

19. Remove the setting for all real server weighting and turn rport back to 80 for the next labs.
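Steps 16 to 18 describe a two-level choice: the group metric selects a real server, then, with rport 0, rmetric selects one of that server's healthy ports. The following is an added example, not part of the Radware manual, that models this for the two lab servers and shows why weight 2 on the four-instance server evens out the load per instance, and what happens when one port fails its health check. Treating roundrobin with weights as a weighted rotation is a simplifying assumption of this model, and the class and function names are hypothetical.

```python
"""Model of multi-port SLB: group metric picks a server, rmetric picks a port."""
from collections import Counter


class RealServer:
    def __init__(self, rip, ports, weight=1):
        self.rip = rip
        self.ports = list(ports)      # the addport entries of this real server
        self.weight = weight          # /cfg/slb/real N/weight
        self.healthy = set(ports)     # ports whose health check currently passes
        self._turn = 0

    def pick_port(self):
        """rmetric roundrobin over the ports that are currently healthy."""
        up = [p for p in self.ports if p in self.healthy]
        if not up:
            return None
        port = up[self._turn % len(up)]
        self._turn += 1
        return port


class Group:
    def __init__(self, servers):
        self.servers = servers
        self._slot = 0

    def pick(self):
        """metric roundrobin, modelled as a weighted rotation (assumption)."""
        # A server with no healthy port drops out of the rotation entirely.
        rotation = [s for s in self.servers if s.healthy for _ in range(s.weight)]
        if not rotation:
            return None
        server = rotation[self._slot % len(rotation)]
        self._slot += 1
        return server.rip, server.pick_port()


def lab_group(weight_server2):
    """The two lab servers: two instances on server 1, four on server 2."""
    return Group([
        RealServer("10.200.21.100", [80, 81], weight=1),
        RealServer("10.200.21.200", [80, 81, 82, 83], weight=weight_server2),
    ])


def simulate(group, sessions):
    """Count new sessions per (real server IP, real port)."""
    return Counter(group.pick() for _ in range(sessions))


if __name__ == "__main__":
    print("weight 1:", sorted(simulate(lab_group(1), 600).items()))
    print("weight 2:", sorted(simulate(lab_group(2), 600).items()))
    degraded = lab_group(2)
    degraded.servers[0].healthy.discard(81)   # port 81 on server 1 fails
    print("81 down :", sorted(simulate(degraded, 600).items()))
```

With both weights at 1, each instance on the two-CPU server carries twice the sessions of an instance on the four-CPU server; with weight 2 all six instances receive the same share.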


Printout for SLB configuration (team 21)


/c/sys/mmgmt
    addr 10.10.242.21
    mask 255.255.248.0
    broad 10.10.247.255
    gw 10.10.240.1
    ena
    tftp mgmt
/c/sys/mmgmt/port
    speed any
    mode any
    auto on
/c/sys
    idle 999
/c/port 1
    pvid 11
/c/port 2
    pvid 14
/c/l2/vlan 1
    def 3 4 5 6 7 8 9 10 11 12 27 28
/c/l2/vlan 11
    ena
    name "public"
    def 1
/c/l2/vlan 14
    ena
    name "private"
    def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/sys/sshd/on
/c/l3/if 1
    ena
    addr 192.168.100.21
    vlan 11
/c/l3/if 2
    ena
    addr 10.200.21.21
    mask 255.255.255.0
    broad 10.200.21.255
    vlan 14
/c/l3/gw 1
    ena
    addr 192.168.100.254
/c/slb
    on
/c/slb/real 1
    ena
    rip 10.200.21.100
    name "server1"
    addport 80
    addport 81
/c/slb/real 2
    ena
    rip 10.200.21.200
    name "server2"
    addport 80
    addport 81
    addport 82
    addport 83
/c/slb/group 1
    metric roundrobin
    add 1
    add 2
/c/slb/port 1
    client ena
/c/slb/port 2
    server ena
/c/slb/virt 1
    ena
    vip 192.168.100.221
/c/slb/virt 1/service http
    group 1
    rport 0
/


Persistent Load Balancing

Overview
Description
In a typical SLB environment, traffic comes from various client networks across the Internet to the virtual server IP address on the Radware Alteon Application Switch. The switch then load balances this traffic among the available real servers. Some SLB services require that a series of client requests go to the same real server so that session-specific state data can be retained between connections. Services of this nature include Web search results, multi-page forms that the user fills in, or custom Web-based applications typically created by using scripts. Connections for these types of services must be configured as persistent.

In any authenticated Web-based application, it is necessary to provide a persistent connection between a client and the content server to which it is connected. Because HTTP does not carry any state information for these applications, it is important for the browser to be mapped to the same real server for each HTTP request until the transaction is complete. This ensures that the client traffic is not load balanced mid-session to a different real server, forcing the user to restart the entire transaction. Persistence-based SLB enables the network administrator to configure the network to redirect requests from a client to the same real server that initially handled the request. In the Application Switch, persistence can be based on source IP address, cookies, and Secure Sockets Layer (SSL) session ID.

Until recently, the only way to achieve TCP/IP session persistence was to use the source IP address as the key identifier. There are two major conditions which cause problems when session persistence is based on a packet's IP source address:

Proxied clients appear to the switch as a single source IP address. Requests are directed to the same server, without the benefit of load balancing the traffic across multiple servers. Persistence is supported without the capability of effectively distributing traffic load.

When individual clients share a pool of source IP addresses, persistence for any given request cannot be assured. Although each source IP address is directed to a specific server, the source IP address itself is randomly selected, thereby making it impossible to predict which server will receive the request. SLB is supported, but without persistence for any given client.

For IP load balancing at OSI Layer 3/4, the metrics minmisses, hash, phash and timer based are available. HTTP and HTTPS persistence based on client IP allows you to store this session based on the client IP address for a configurable time in the session table. This enables a common persistence for both HTTP and HTTPS sessions.


Cookies are strings passed via HTTP from servers to browsers. Based on the mode of operation, cookies are inserted by either the Application Switch or the server. After a client receives a cookie, a server can poll that cookie with a GET command, which allows the querying server to positively identify the client as the one that received the cookie earlier. The cookie-based persistence feature solves the proxy server problem and gives better load distribution at the server site. In the Application Switch, cookies are used to route client traffic back to the same physical server to maintain session persistence.

The SSL session ID is effective only when the server is running SSL transactions. Because of the heavy processing load required to maintain SSL connections, most network configurations use SSL only when it is necessary. On some computer operating systems, this SSL session ID is changed at intervals. Depending on the length of the interval, persistency might not work well for these systems.
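The two source-IP problems and the cookie remedy described above can be reproduced with a small model. This is an added example, not part of the training manual and not Radware code: the modulo selection stands in for a hash-style metric, the cookie table is a simplification of insert mode, and the proxy, pool and cookie values are constructed.

```python
import ipaddress
import itertools
from collections import Counter, defaultdict

REAL_SERVERS = ["10.200.21.100", "10.200.21.200"]  # real servers from the lab printout
COOKIE_NAME = "AlteonP"                             # default insert-cookie name shown in the lab prompt


class SwitchModel:
    """Toy model of the switch's server selection; not Radware's algorithms."""

    def __init__(self, mode):
        self.mode = mode                            # "source_ip" or "cookie"
        self._round_robin = itertools.cycle(REAL_SERVERS)
        self._bindings = {}                         # cookie value -> real server
        self._issued = 0

    def _by_source_ip(self, src_ip):
        # Stand-in for a hash-style metric: same source IP -> same real server.
        return REAL_SERVERS[int(ipaddress.ip_address(src_ip)) % len(REAL_SERVERS)]

    def handle(self, src_ip, cookies):
        """Return (real_server, cookie_value_to_set_or_None) for one request."""
        if self.mode == "source_ip":
            return self._by_source_ip(src_ip), None
        value = cookies.get(COOKIE_NAME)
        if value in self._bindings:                 # known cookie: keep the binding
            return self._bindings[value], None
        # No cookie, or one the switch never issued: treat as a new session,
        # pick a server with a non-persistent metric and insert a fresh cookie.
        server = next(self._round_robin)
        self._issued += 1
        value = f"demo-{self._issued:04d}"          # constructed opaque value
        self._bindings[value] = server
        return server, value


def proxied(client, request_no):
    """Every client sits behind one proxy (constructed address)."""
    return "198.51.100.7"


def pooled(client, request_no):
    """Each request leaves through a different address of a shared pool (constructed)."""
    return f"203.0.113.{(client + request_no) % 8 + 1}"


def simulate(mode, source_of, clients=50, requests_each=3):
    """Return (max distinct servers seen by any one client, requests per server)."""
    switch = SwitchModel(mode)
    jars = defaultdict(dict)                        # per-client cookie jar
    seen = defaultdict(set)
    load = Counter()
    for request_no in range(requests_each):
        for client in range(clients):
            src_ip = source_of(client, request_no)
            server, set_cookie = switch.handle(src_ip, jars[client])
            if set_cookie:
                jars[client][COOKIE_NAME] = set_cookie
            seen[client].add(server)
            load[server] += 1
    return max(len(s) for s in seen.values()), dict(load)


if __name__ == "__main__":
    for mode in ("source_ip", "cookie"):
        for name, source_of in (("proxy", proxied), ("pool", pooled)):
            servers_per_client, load = simulate(mode, source_of)
            print(f"{mode:9} {name:5} servers/client={servers_per_client} load={load}")
```

With source-IP selection the proxy case puts every request on one server and the pool case moves clients between servers; with the cookie both cases show one server per client and an even split.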

Objectives
After completing this lab, you will be able to do the following:
- Configure IP persistence by using Hash or Minmisses
- Configure L7 cookie persistence by using passive, rewrite or insert mode


Assignment
Physically your network is wired according to the Lab Description diagram. Connect to the switch for configuration via the terminal server, SSH or telnet to the switch. If your previous SLB configuration is no longer working, set the switch back to the factory default and load the saved SLB configuration. The first exercise will be a Layer 3 persistent configuration. Since L3 handles only IP addresses, hash or minmisses are used as the metric. The next exercise enhances the setup with Layer 7 persistency. As this depends on the application, we will use HTTP as the L7 application in this lab. Passive cookies, cookie rewrite, and cookie insert will be used to provide persistence.

Basic configuration of the Switch


1. If the content SLB configuration no longer works, follow step 2, then step 3 or 4. Otherwise, skip these steps and continue with step 5.

2. Set the switch back to the factory default config. Log into the switch, enter the admin password, select factory configuration and reboot the switch.
   Lab Configuration: admin /boot/config factory reset

3. Open Notepad, and copy and paste the SLB configuration from your file to the clipboard. Open Putty and insert the clipboard contents using the right mouse button. It is easier for debugging to split this into 3 steps. First, copy and paste the Layer 2 configuration data to the switch CLI and apply it. Then copy and paste Layer 3 data, and finally Layer 4 data. One layer after the other.

4. Optional: you can restore the switch configuration on CLI via FTP/TFTP. Use the FTP/TFTP server installed on your Team-PC, the 3CDaemon application. For details, see the section Upload and Download Config to FTP/TFTP Server in the Basic Configuration lab on page 20.
   Lab Configuration:
   /cfg/gtcfg          retrieve config data.

5. Optional: you can restore the switch configuration on BBI via FTP/TFTP. Use the FTP/TFTP server installed on your Team-PC, the 3CDaemon application. For details, see the basic configuration lab page 24.


Configure Persistency for Layer 3 Load Balancing

1. Enable HASH as the metric:
   Syntax: /cfg/slb/group {group-index-number}/metric {algorithms}
   metric sets the load balancing algorithm used for determining which real server in the group will be the target of the next client request. For persistency, hash, phash or minmisses are possible.
   Lab Configuration:
   /cfg/slb/group 1/metric phash          shorthand /c/sl/gr 1/me pha

2. Verify that the metric for group 1 was changed to phash:
   Lab Operation:
   /cfg/slb/group 1/cur
   Current real server group 1:
   name , metric phash, backup none, realthr 0
   health tcp, content
   real servers:

3. Optional: use the BBI to change the metric to Persistent Hash. Select Configure, SLB, Server Groups, Group 1 and adjust SLB Metric to Persistent Hash.

4. Now verify that the switch is sending sessions from the client machine to the same real server. In the SLB configuration from the previous exercise, you should have seen the web page change when you made a fresh access. In the case of SLB with persistence, your client should stay on the same server no matter how many times you refresh or make a new access.
   /stat/slb/group 1

   Real server group 1 stats:
                             Current    Total  Highest
   Real IP address          Sessions Sessions Sessions          Octets
   ---- ------------------- -------- -------- -------- ---------------
      1 10.200.21.100              2        2        2          379701
      2 10.200.21.200              0        0        0           37620
   ---- ------------------- -------- -------- -------- ---------------
                                   2        2        2          417321

   The results of this /stat query will vary according to the configuration specific to your group. The numbers will not be the same; this is just an example.

5. Optional: instead of the CLI, use the BBI to watch the group statistics. Select Monitor, SLB, Server Groups and select Group 1, or select the service of the virtual server.

6. Change the value from phash to minmisses and repeat steps 2 and 4, or optionally 3 and 5.

Enable Layer 7 Passive Cookie Persistence (for HTTP only)


1. Configure standard SLB, as described on page 33. Verify correct SLB operations. If you would like to configure the cookie persistency via the BBI, continue on page 99.

2. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for content load balancing.
   Syntax: /cfg/slb/adv/direct {status}          it is disabled by default
   Lab Configuration:
   /cfg/slb/adv/direct ena                       shorthand /c/sl/adv/di e

3. Select the appropriate load balancing metric for the real server group if no cookie is present. Choose a non-persistent metric.
   Syntax: metric {algorithm to select next rip}
   Even distribution metrics are leastconns, roundrobin, response and bandwidth. The default value is leastconns.
   Lab Configuration:
   /cfg/slb/group 1/metric roundrobin            enable round robin distribution
   apply                                         activate configuration
   cur                                           verify your configuration

4. To have cookie persistency, we need to get a cookie from the web server. The web application on port 88 is cookie enabled.
   Syntax: /cfg/slb/virt {number}/service {port number}/rport {port number}
   At the browser a standard port is selected and then translated to the port number specified at the rport prompt.
   Lab Configuration:
   /cfg/slb/virt 1/service 80/rport 88           At the browser, standard port 80 is selected and then translated to rport 88.
   apply                                         activate configuration

5. Clear the session table, open a new browser to your VIP several times, and get SLB statistics.
   Syntax: /stats/slb/{Layer-4-item}
   The option clear resets all non-operating SLB statistics on the Application Switch to zero. This command does not reset the switch and does not affect the counters required for Layer 4 and Layer 7 operation, such as current real server sessions and all related SNMP counters.
   Lab Operation:
   /stat/slb/clear                               shorthand /st/sl/cl

   Generate traffic by opening a new browser window to your VIP several times; return to the switch CLI and execute the command for displaying statistics. Note changes.


   Lab Operation:
   /stats/slb/virt 1                             shorthand /st/sl/vi 1

6. By default, the switch checks the case of any string, e.g. a cookie name. Disable case sensitivity if there is no need to discriminate between upper and lower case.
   Syntax: /cfg/slb/layer7/slb/case {mode}
   Lab Configuration:
   /cfg/slb/layer7/slb/case dis/apply

7. Enable passive cookie-based persistence on the virtual server service.
   Syntax: /cfg/slb/virt {virtual-server}/service {port} pbind {option mode name offset length URI}
   option is the type of persistent binding. It is disabled by default. Possible options are clientip, sslid and cookie. For cookie, mode can be passive, rewrite or insert.
   name specifies the cookie name that this service is looking for.
   offset is for passive mode, and is the starting point of the cookie value (1-64 bytes).
   length is for passive mode, and is the number of bytes to extract (1-64).
   URI is lookup cookie in the URI field. If the cookie name or value is in the URI, enter e to enable this option; to look for the cookie in the HTTP header, enter d to disable this option.
   Lab Configuration:
   /cfg/slb/virt 1/service 80 (or HTTP)          shorthand /c/sl/vi 1/se 80
   pbind                                         you can enter all parameters in one line or be prompted for each separately
   Enter clientip|cookie|sslid|disable persistence mode: cookie
   Enter passive|rewrite|insert cookie persistence mode [p/r/i]: p
   Enter Cookie Name: ASPSESS*
   Enter the starting point of the cookie value [1-64]: 1
   Enter number of bytes to extract [1-64]: 16
   Look for cookie in URI [e|d]: d               select disable, to look at HTTP header
   apply
   NOTE: If you want the switch to look for a cookie in the URL, enable Look for cookie in URI. An example is in the Alteon Application Guide, in the Persistence chapter. To test passive cookies, refer to steps 9 and 10. Since rewrite mode is very similar, you can skip this test and test the rewrite settings only.

8. Enable rewrite cookie-based persistence on the virtual server service.
   Syntax: /cfg/slb/virt {virtual-server}/service {port} pbind {option mode name length URI}
   option is the type of persistent binding. It is disabled by default. Possible options are clientip, sslid and cookie. For cookie, mode can be passive, rewrite or insert.
   name specifies the cookie name that this service is looking for.
   length is for rewrite mode: 8 bytes for RIP and 16 for RIP&VIP IP address insert.
   URI is lookup cookie in the URI field. If the cookie name or value is in the URI, enter e to enable this option; to look for the cookie in the HTTP header, enter d to disable this option.

   Lab Configuration:
   /cfg/slb/virt 1/service 80 (or HTTP)          short-hand /c/sl/vi 1/se 80
   pbind                                         you can enter all parameters in one line or be prompted for each separately
   Enter clientip|cookie|sslid|disable persistence mode: cookie
   Enter passive|rewrite|insert cookie persistence mode [p/r/i]: r
   Enter Cookie Name: ASPSESS*
   Enter number of bytes to extract [8,16]: 8
   Look for cookie in URI [e|d]: d               disable, to look at HTTP header
   apply

9. Confirm the cookie operation. Configure your browser to ignore cookies.
   Lab Operation:
   /stat/slb/clear                               to clear statistics
   Generate traffic by opening a new browser window to your VIP several times, e.g. http://192.168.100.221
   Return to the switch CLI and execute the command to display statistics. Note changes.
   Lab Operation:
   /stats/slb/virt 1                             to display statistics
   Close all browser sessions.

10. Change the cookie settings in your browser to enable cookies and repeat the above Lab Operation steps. For Firefox, make sure to accept a cookie from the VIP. Add a suitable exception.


11. Change the VIP service HTTP rport value from 88 to 80 to simulate a server without cookie support.

12. Enable insert cookie-based persistence on the virtual server service.
    Syntax: /cfg/slb/virt {virtual-server}/service {port} pbind {option mode name expiration domain-name secure}
    option is the type of persistent binding. It is disabled by default. Possible options are clientip, sslid and cookie. For cookie, mode can be passive, rewrite or insert.
    name specifies the cookie name that this service is looking for.
    expiration is for cookie lifetime, and can be date, duration or none (browser session length).
    Cookie path specifies the subset of URLs on the origin server to which this cookie applies.
    Secure is a boolean attribute; y directs the user agent to use secure connection (Hashed cookie) to obtain content associated with the cookie.
    Lab Configuration:
    /cfg/slb/virt 1/service 80 (or HTTP)         short-hand /c/sl/vi 1/se 80
    pbind                                        you can enter all parameters in one line or be prompted for each separately
    Enter clientip|cookie|sslid|disable persistence mode: cookie
    Enter passive|rewrite|insert cookie persistence mode [p/r/i]: i
    Enter Cookie Name {AlteonP}: <enter-key>
    Enter insert-cookie expiration as either :
    ... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)
    ... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)
    ... or none <return>
    Enter cookie expiration: <enter-key>
    Insert cookie domain name? (y/n) [n] <enter-key>
    Enter path(Maximum of 32 characters): <enter-key>
    Is cookie secure[y/n]: n
    apply
    NOTE: If you have enough time left, also try the date and duration cookie options.

13. Open a Web browser and select the VIP, e.g. http://192.168.100.221. This page will stay persistent without using any cookie from a Web server.

14. Display the cookie with the Live HTTP Headers tool in the Firefox browser. Decode the cookie hex value with the built-in command.
    /info/slb/cookie 0x3e45de63f4e7afd9baeebabf
    Virtual IP address: 192.168.100.221
    Real IP address: 10.200.21.100
    Real Server Port: 80
    Real Server Index: 1

15. Remove all persistency settings for the virtual server for the next labs. Change the rport from 88 to 80 if not already done at step 11.

Printout for persistent SLB configuration (team 21)


SLB with hash metric:
/c/port 1
    pvid 11
/c/port 2
    pvid 14
/c/port 9
    dis
/c/l2/vlan 1
    def 3 4 5 6 7 8 9 10 11 12 ... 27 28
/c/l2/vlan 11
    ena
    name "public"
    def 1
/c/l2/vlan 14
    ena
    name "private"
    def 2
/c/stg 1/off
/c/stg 1/clear
/c/stg 1/add 1 11 14
/c/l3/if 1
    ena
    addr 192.168.100.21
    vlan 11
/c/l3/if 2
    ena
    addr 10.200.21.21
    mask 255.255.255.0
    broad 10.200.21.255
    vlan 14
/c/slb
    on
/c/slb/real 1
    ena
    rip 10.200.21.100
    name "webserver1"
/c/slb/real 2
    ena
    rip 10.200.21.200
    name "webserver2"
/c/slb/group 1
    metric phash
    add 1
    add 2
/c/slb/port 1
    client ena
/c/slb/port 2
    server ena
/c/slb/virt 1
    ena
    vip 192.168.100.221
/c/slb/virt 1/service http
    group 1

SLB with passive cookie:


/c/slb/adv
    direct ena
/c/slb/virt 1
    ena
    vip 192.168.100.221
/c/slb/virt 1/service http
    group 1
    rport 88
    dbind ena
/c/slb/virt 1/service 80/pbind cookie passive ASPSESS* 1 16 disable
/c/slb/virt 1/service 80/rcount 1

SLB with cookie rewrite:


/c/slb/virt 1/service 80/pbind cookie rewrite ASPSESS* 1 8 disable

SLB with cookie insert:


/c/slb/virt 1/service 80/pbind cookie insert


Content Load Balancing

Overview
Description
Traditionally, redirecting Web requests using content or user classification has been a function of Web servers. However, Internet traffic and business growth are fast outpacing that of computing power. Offloading content classification to Application Switches provides advantages for the entire Web site infrastructure. By examining the URL in a Web request, the Application Switch can determine the type of content requested, and direct the request to servers hosting the requested URL. With content switching, Web site content can be segregated with no change to the applications. This allows partial, instead of entire, content mirroring on each server and makes it easy for e-businesses to deploy servers optimized for specific content types or processing functions.

HTTP version 1.1 allows multiple HTTP transactions to be transported over a single TCP connection to reduce TCP processing overhead. A Layer 4 Application Switch with no content intelligence will forward all HTTP 1.1 requests on each TCP connection to a single server. In contrast, a content switch can forward each request within the TCP connection to a different server, increasing load distribution granularity. This optimizes resource utilization and speeds overall Web site performance.

Virtual hosting conserves IP addresses by allowing multiple domains to be represented by a single public IP address. When a content-intelligent Application Switch receives a client request for the shared IP address, it can extract the requested domain name from the Host Header portion of the HTTP header, concatenate it with the IP address to obtain the unique host identifier, and redirect the request to the appropriate server or server farm.

Content-intelligent Application Switches allow Webmasters to customize server health checks to verify content accessibility in large Web sites. As the amount of content grows and information is distributed across different server farms, flexible, customizable content health checks are critical to ensuring end-to-end availability.

Working with session content is much more demanding than examining TCP/IP protocol headers because content is non-deterministic. Content identifiers such as URLs and cookies can be of varying lengths and can appear at unpredictable locations within a request. Scanning through session traffic for a specific string is far more processor intensive than looking at a known location in a session for a specific number of bytes.

Parsing content requests means temporarily terminating the TCP connection from a client. In other words, the Application Switch must first pretend that it is the server, ask the client what it wants, examine the request, and then open a connection to an appropriate server. While this is happening, the Application Switch must temporarily buffer the request, which consumes system memory. This temporary termination is called a "delayed binding".

With delayed binding, two independent TCP connections span a Web session: one from the client to the Application Switch and the second from the Application Switch to the selected server. The Application Switch must modify the TCP header, including performing TCP sequence number translation and recalculating checksums on every packet that travels between the client and the server, for the duration of the session. This function, known as TCP connection splicing, heavily tasks an Application Switch, particularly when the switch must process thousands of these sessions simultaneously.

In addition to real-time traffic and connection processing, a content switch needs to monitor the servers to ensure that requests are forwarded to the best performing and healthy servers. This monitoring involves more than simple ICMP or TCP connection tests, because servers can continue to process network protocols while failing to retrieve any content. Furthermore, if content is segregated in different servers or server farms, the Application Switch must provide a flexible, user-customizable mechanism allowing a relevant set of application and content tests to be applied to each server or server farm.

The Radware Alteon Application Switch Operating System allows you to load balance HTTP requests based on different HTTP header information, such as Cookie-Header for persistent or content load balancing, Host-Header for virtual hosting, or User-Agent for browser-smart load balancing. When Layer 7 load balancing is configured, an Application Switch does not support IP fragments. If IP fragments were supported in this mode, the switch would have to buffer, re-assemble, and inspect packets before making a forwarding decision.

String-based SLB allows you to optimize resource access and server performance. Content dispersion can be optimized by making load-balancing decisions on the entire path and filename of each URL. Both HTTP 1.0 and HTTP 1.1 requests are supported. For content matching you can configure up to 1024 strings comprised of 40 bytes each. Each request is then examined against the Layer 7 request defined at the virtual server. On matching, this request is then forwarded to a real server supporting this string. String requests are load balanced among multiple servers matching the same pattern, according to the load balancing metric configured for the real server group.
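The sequence number translation and checksum recalculation that delayed binding requires can be shown on real TCP header bytes. This is an added example, not part of the training manual and not Radware code: the initial sequence numbers, ports and client address are constructed, the address rewriting between VIP and real server is left out so that only the sequence translation is visible, and the checksum patch uses the incremental update from RFC 1624.

```python
import ipaddress
import struct

MOD32 = 1 << 32
SEQ_OFFSET, ACK_OFFSET, CSUM_OFFSET = 4, 8, 16     # byte offsets in the TCP header


def ones_sum(data):
    """16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src, dst, segment):
    pseudo = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return ~ones_sum(pseudo + segment) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b""):
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    segment = bytearray(header + payload)
    struct.pack_into("!H", segment, CSUM_OFFSET, tcp_checksum(src, dst, bytes(segment)))
    return bytes(segment)


def checksum_ok(src, dst, segment):
    # Summing a segment that carries a correct checksum yields zero.
    return tcp_checksum(src, dst, segment) == 0


def rewrite_field(segment, offset, new_value):
    """Replace a 32-bit field and patch the checksum: HC' = ~(~HC + ~m + m')."""
    old_hi, old_lo = struct.unpack_from("!HH", segment, offset)
    (checksum,) = struct.unpack_from("!H", segment, CSUM_OFFSET)
    total = (~checksum & 0xFFFF) + (~old_hi & 0xFFFF) + (~old_lo & 0xFFFF)
    total += (new_value >> 16) + (new_value & 0xFFFF)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    out = bytearray(segment)
    struct.pack_into("!I", out, offset, new_value)
    struct.pack_into("!H", out, CSUM_OFFSET, ~total & 0xFFFF)
    return bytes(out)


class Splice:
    """Joins the client-side and server-side connections after delayed binding."""

    def __init__(self, switch_isn, server_isn):
        # The client learned the switch's ISN; the server chose its own later.
        self.delta = (switch_isn - server_isn) % MOD32

    def to_client(self, segment):                   # server -> client: shift seq
        (seq,) = struct.unpack_from("!I", segment, SEQ_OFFSET)
        return rewrite_field(segment, SEQ_OFFSET, (seq + self.delta) % MOD32)

    def to_server(self, segment):                   # client -> server: shift ack back
        (ack,) = struct.unpack_from("!I", segment, ACK_OFFSET)
        return rewrite_field(segment, ACK_OFFSET, (ack - self.delta) % MOD32)


def demo():
    vip, client = "192.168.100.221", "192.168.100.50"   # client address is constructed
    switch_isn, server_isn = 0x00000010, 0xFFFFFFF0     # constructed; server ISN is about to wrap
    splice = Splice(switch_isn, server_isn)
    data = build_segment(vip, client, 80, 40000, (server_isn + 1) % MOD32, 1001, 0x18, b"x" * 100)
    to_client = splice.to_client(data)
    ack = build_segment(client, vip, 40000, 80, 1001, (switch_isn + 1 + 100) % MOD32, 0x10)
    to_server = splice.to_server(ack)
    stale = bytearray(data)                             # seq changed, checksum left alone
    struct.pack_into("!I", stale, SEQ_OFFSET, (server_isn + 1 + splice.delta) % MOD32)
    return {
        "delta": splice.delta,
        "client_sees_seq": struct.unpack_from("!I", to_client, SEQ_OFFSET)[0],
        "server_sees_ack": struct.unpack_from("!I", to_server, ACK_OFFSET)[0],
        "patched_checksums_ok": checksum_ok(vip, client, to_client) and checksum_ok(client, vip, to_server),
        "stale_checksum_ok": checksum_ok(vip, client, bytes(stale)),
    }


if __name__ == "__main__":
    print(demo())
```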

Objectives
After completing this lab, you will be able to do the following:
- Define strings of URL or other variables.
- Distinguish between different strings and enable the real server to handle them.
- Use regular expressions to create complex string matches.


Assignment
Physically your network is wired according to the Lab Description. Connect to the switch for configuration via the terminal server, SSH or telnet to the switch. If your previous SLB configuration is no longer working, set the switch back to the factory default and load the saved SLB configuration. If you decide to keep the previous persistency lab, disable persistent binding (pbind)! It has a higher priority and content load balancing will not work.

In the first exercise, you will load balance your HTTP requests depending on the URL. At the root directory of web server 2 a subdirectory /images is located. It contains three image files, img1.jpg, img2.jpg and img3.jpg. Your task is to configure URL strings and enable real server 2 to handle these requests.

The second exercise is to enhance this lab using regular expressions. Web server 1 will host file alteo.htm; server 2 will host altea.htm and alter.htm. You have to configure suitable URL strings, enable these strings at suitable servers and do SLB selection using regular expressions.

The third exercise is to check for browser-related strings. Depending on the default language of the browser request, server 1 or 2 is selected.

Basic Configuration of the Switch


1. If the content SLB configuration no longer works, follow step 2, then step 3 or 4. Otherwise, skip these steps and continue to step 5.

2. Set the switch back to the factory default config. Log into the switch, enter the admin password, select factory configuration and reboot the switch.
   Lab Configuration: admin /boot/conf factory reset

3. Open Notepad and copy and paste the SLB configuration from your file to the clipboard. Open Putty and insert the clipboard contents using the right mouse button. It is easier for debugging to split this into 3 steps. First, copy and paste the Layer 2 configuration data to the switch CLI and apply it. Then copy and paste the Layer 3 data and finally the Layer 4 data. One layer after the other.

4. Optional: you can save and restore the switch configuration via FTP/TFTP. Use the FTP/TFTP server installed on your Team-PC, the 3CD application. For details, see the section Upload and Download Config to FTP/TFTP Server in the Basic Configuration lab.
   Lab Configuration:
   /cfg/gtcfg          retrieve config data.


URL SLB Configuration of the Switch


1. Configure standard SLB, as described on page 93. Verify correct SLB operations. If you would like to configure the content load balancing via the BBI, continue on page 104.

2. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for content balancing.
   Syntax: /cfg/slb/adv/direct {status}          it is disabled by default
   Lab Configuration:
   /cfg/slb/adv/direct ena                       shorthand /c/sl/adv/di e

3. Select roundrobin as the default load balancing metric for the real server group.
   Lab Configuration:
   metric roundrobin                             enable round robin distribution

4. Disable persistent binding for the virtual server service. Pbind takes precedence over string load balancing.
   Lab Configuration:
   /cfg/slb/virt 1/service 80
   pbind disable                                 deactivate persistent binding
   apply                                         activate configuration
   cur                                           verify your configuration

5. Double-check that SLB is working. Clear the session table.
   Lab Operation:
   /stat/slb/clear
   Then generate traffic by opening a new browser window to your VIP several times; return to the switch CLI to execute the command for displaying statistics.
   Lab Operation:
   /stats/slb/virt 1                             shorthand /st/sl/vi 1

6. By default, this switch checks the case of any string, e.g. a URL name. Disable it if there is no need to distinguish between upper and lower case.
   Syntax: /cfg/slb/layer7/slb/case {mode}
   Lab Configuration:
   /cfg/slb/layer7/slb/case dis
   apply


7. When SLB is working correctly, continue with the URL config. Define the first URL string.
   Syntax: /cfg/slb/layer7/slb/addstr {type-of-string}
   The type of string is l7lkup (for ASCII content lb) or pattern (for Dos/ITM, binary or ASCII). l7lkup is selected by default.
   Configure HTTP header string? (y/n) [n]       Boolean value, enable to define SOAP Action header; the default value is no.
   Enter SLB string: {string-definition}         Specify lookup URL string.
   Lab Configuration:
   /cfg/slb/layer7/slb/addstr <enter-key>
   Enter type of string [l7lkup|pattern]: l7lkup       (L7LKUP not 171KUP)
   Configure HTTP header string? (y/n) [n] <enter-key>
   Enter SLB string: /images
   apply
   cur                                           see list of cur paths (any, /images)
   Error message: No available server to handle this request
   Number of entries: two
   1: any, cont 1024
   2: /images, cont 1024

8. Add an index number for the URL string to the real server config. If real server 2 cannot handle any address request other than /images, do not add string 1 as an option.
   Syntax: /cfg/slb/real 2/layer7/addlb {index-number-of-string}
   Assign lookup URL string index number to real server number.
   Lab Configuration:
   /cfg/slb/real 2/layer7
   addlb 1                                       to also support other strings like index.html page
   addlb 2                                       to support string #2, /images on real server 2

9. To enable L7 lookup, switch on direct access mode, if not already done.
   Syntax: /cfg/slb/adv/direct {status}          it is disabled by default.
   Lab Configuration:
   /cfg/slb/adv/direct ena                       shorthand /c/sl/adv/di e

10. Enable URLSLB for the virtual service IP address.
    Syntax: /cfg/slb/virt {server-number}/service {port-number}/http httpslb {option operator option}
    Possible options are: urlslb, host, cookie, browser, urlhash, headerhash, others.
    Possible operators: and, or, none.
    A new line between httpslb and option prompts to input an operator value.

    Lab Configuration:
    /cfg/slb/virt 1/service 80/http/httpslb urlslb
    apply
    save
    y
    /cfg/dump                                    to review the saved configurations

11. Open a browser on the client and access the VIP http://192.168.100.221. Test the configuration and check the working status. Close and reopen the client browser several times. Check the statistics in the switch to verify activity.
    Lab Operation: /stat/slb/layer7/str
    ------------------------------------------------------------------
    SLB String stats:
    ID  SLB String  Hits
    1   any         19
    2   /images     0

    Lab Operation: /stat/slb/virt 1
    ------------------------------------------------------------------
    Virtual server 1 stats:
                                      Current      Total  Highest
    Real IP address                  Sessions   Sessions Sessions          Octets
    ---- --------------------------- -------- ---------- -------- ---------------
       1 webserver1                         0          9        5           11283
       2 webserver2                         0         10        6           12533
    ---- --------------------------- -------- ---------- -------- ---------------
         192.168.100.221                    0         19       11           23816

12. Access the image file from the client web browser. The files img1.jpg, img2.jpg and img3.jpg are available on server 2. Close and reopen the client browser several times to http://192.168.100.221/images/img1.jpg.
    Lab Operation: /stat/slb/layer7/str
    ------------------------------------------------------------------
    SLB String stats:
    ID  SLB String  Hits
    1   any         19
    2   /images     7

    Lab Operation: /stat/slb/virt 1
    >> Layer 7 Statistics# /st/sl/v 1
    ------------------------------------------------------------------
    Virtual server 1 stats:
                                      Current      Total  Highest
    Real IP address                  Sessions   Sessions Sessions          Octets
    ---- --------------------------- -------- ---------- -------- ---------------
       1 webserver1                         0          9        5           11283
       2 webserver2                         0         17        6          261943
    ---- --------------------------- -------- ---------- -------- ---------------
         192.168.100.221                    0         26       11          273226


Perform the test a couple of times. Compare the Web browser request and output displayed in the browser window. Review the switch statistics. All requests to the /images folder should be directed to real server 2. In a large server farm environment, the /images folder could be duplicated and load balanced across several servers.

Regular Expression Configuration


1. Continue with the URL SLB config from the last lab. We will add regular expressions to select specific real servers. Web server 1 will host file alteo.htm. Web server 2 will host altea.htm and alter.htm. The regular expression alte[ar].htm allows selection of the content stored on server 2. Inverting this regular expression avoids selection of this machine. alte[^ar].htm allows access to alteo.htm and of course to many other htm pages. Therefore, this is useful as an example but not for real life. Syntax: /cfg/slb/layer7/slb/addstr {type-of-string} For type of string l7lkup (for ASCII content lb) or pattern (for Dos/ITM, binary or ASCII). l7lkup is selected by default Configure HTTP header string? (y/n) [n] Boolean value to define SOAP Action header, default value no. Enter SLB string: {string-definition} Specify lookup URL string. Lab Configuration: /cfg/slb/layer7/slb/addstr alte[^ar] add a new index for alte[^ar] addstr alte[ar] add a new index for alte[ar] apply cur see list of cur paths (any, /images) Error message: No available server to handle this request Number of entries: two 1: any, cont 1024 2: /images, cont 1024 3: alte[^ar], cont 1024 4: alte[ar], cont 1024

2. Add the index number for the URL string to the real server config. Add alte[^ar], which is a regular expression for the alteo string in our configuration, to real server 1. Add alte[ar], which represents both strings alter and altea, to real server 2. To allow LB of index.htm on real server 1, add index 1 to it.

Syntax:
    /cfg/slb/real {no}/layer7/addlb {index-number-of-string}
        Assign lookup URL string index number to real server number.

Lab Configuration:
    /cfg/slb/real 1/layer7/addlb 3    adds string 3 alte[^ar] to real server 1
    addlb 1                           adds string 1 any to real server 1 to also allow index.htm page
    ../../re 2/la/a 4                 short form to add string 4 alte[ar] to real server 2

3. Test your configuration. Send the following requests from your browser at Team-PC to the VIP. The following example is for team 21. Use your team number, please.
    http://192.168.100.221/alteo.htm
    http://192.168.100.221/alter.htm
    http://192.168.100.221/altea.htm

4. Check statistics on the load balancer.
Lab Operation: /stat/slb/layer7/str and /stat/slb/virt 1.

    >> Server Load Balancing Statistics# /stat/slb/layer7/str
    ------------------------------------------------------------------
    SLB String stats:
    ID  SLB String    Hits
     1  any             72
     2  /images          7
     3  alte[^ra]        1
     4  alte[ra]         2

All alteo requests terminate at Web server 1. All altea and alter requests are sent to server 2, since the load balancing string alte[ar], which matches URLs ending in a and r, was assigned to server 2.
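The manual's remark that alte[^ar] admits "many other htm pages" can be checked directly. The following is an added example, not part of the training manual: it evaluates the lab's lookup strings against constructed request paths using Python's re.search, which is an assumption standing in for the switch's own matcher (only the bracket-expression semantics are taken to be common), and the alte[o] string is a hypothetical alternative.

```python
import re

# Lookup strings from the lab's string table (indices 3 and 4).
NEGATED = "alte[^ar]"   # assigned to real server 1 in the lab
POSITIVE = "alte[ar]"   # assigned to real server 2 in the lab
# Hypothetical alternative (not in the manual): list the wanted letter
# instead of excluding the unwanted ones.
LISTED = "alte[o]"

# Constructed sample request paths. Only the first three are lab pages.
SAMPLE_PATHS = [
    "/alteo.htm",
    "/altea.htm",
    "/alter.htm",
    "/altex.htm",        # page nobody planned for
    "/alte.htm",         # "." is also "not a and not r"
    "/altes/admin.htm",  # directory whose name starts with alte
    "/docs/alte1.pdf",   # not even an htm page
    "/alte",             # nothing after "alte": the class needs one character
    "/index.htm",
]


def matches(pattern, path):
    """True if the lookup string occurs anywhere in the path.

    Assumption: unanchored search, as with Python's re.search.
    """
    return re.search(pattern, path) is not None


def matched_paths(pattern, paths=SAMPLE_PATHS):
    """All sample paths selected by a lookup string, in input order."""
    return [p for p in paths if matches(pattern, p)]


def unintended(pattern, intended, paths=SAMPLE_PATHS):
    """Paths the string selects that the operator never meant to publish."""
    return [p for p in matched_paths(pattern, paths) if p not in intended]


def same_selection(pat_a, pat_b, paths=SAMPLE_PATHS):
    """True if two lookup strings select exactly the same paths."""
    return matched_paths(pat_a, paths) == matched_paths(pat_b, paths)


if __name__ == "__main__":
    print("alte[ar]  selects:", matched_paths(POSITIVE))
    print("alte[^ar] selects:", matched_paths(NEGATED))
    print("alte[^ar] beyond alteo.htm:", unintended(NEGATED, {"/alteo.htm"}))
    print("alte[o]   selects:", matched_paths(LISTED))
    # The configuration step writes alte[^ar], the statistics show alte[^ra]:
    # the order inside a bracket expression does not matter.
    print("[^ar] == [^ra]:", same_selection("alte[^ar]", "alte[^ra]"))
```

The negated class sends every path containing "alte" plus any character other than a or r to real server 1, whereas a positive class only selects what it lists.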

Others Lookup
1. In this lab section, your task is to configure Layer 7 string lookup to detect the default language support of the browser used for this request.

2. Modify your virtual server to look up the Accept-Language HTTP header field.

Syntax:
    /cfg/slb/virt {server-number}/service {port-number}/httpslb {option operator option}
        Possible options are: urlslb, host, cookie, browser, urlhash, headerhash, others
        Possible operators: and, or, none

Lab Configuration:
    /cfg/slb/virt 1/service http/http/httpslb
    Application: urlslb|host|cookie||headerhash|others|none
    Select Application: others
    Operation: and|or|none
    Select Operation: none
    Enter new HTTP header name: Accept-Language
    apply

3. Configure header variable strings and add an index number to the real server config. Real server 1 represents the contents for the en-us string, real server 2 is responsible for the de string. The language string depends on the browser type. Add strings for, e.g., en-us and de. For other regions, choose appropriate language strings.

Lab Configuration:
    /cfg/slb/layer7/slb/addstr en-us    add a new index for en-us string
    adds de                             add a new index for de string and apply it
    cur                                 see list of cur paths (any, /images)

    Error message: No available server to handle this request
    Number of entries: two
    1: any, cont 1024
    2: /images, cont 1024
    3: alte[ar], cont 1024
    4: alte[^ar], cont 1024
    5: en-us, cont 1024
    6: de, cont 1024

Lab Configuration:
    /cfg/slb/real 1/layer7/addlb 5    assign string 5 en-us to real server 1
    ../../re 2/la/a 6                 short form to add string 6 de to real server 2
    apply

4. Access your home page, e.g. for team 21 http://192.168.21.221. Change the browser language string according to your lb setup. You will see that Web server 1 supports requests with preferred string 5, language English. Server 2 will provide content for string 6, for German users (de).

5. Check statistics on the load balancer.
Lab Operation: /stat/slb/layer7/str

    >> Server Load Balancing Statistics# /stats/slb/layer7/str
    --------------------------------------------------------------
    SLB String stats:
    ID  SLB String    Hits
     1  any             81
     2  /images          7
     3  alte[^ra]        1
     4  alte[ra]         4
     5  en-us           38
     6  de              18


Printout for Application Switch team 21


Layer 2/3 is the same as in the previous lab setup; therefore it is not displayed.

/c/slb
    on
/c/slb/adv
    direct ena
/c/slb/real 1
    ena
    rip 10.200.21.100
    name "webserver1"
/c/slb/real 2
    ena
    rip 10.200.21.200
    name "webserver2"
/c/slb/group 1
    metric roundrobin
    add 1
    add 2
/c/slb/port 1
    client ena
/c/slb/virt 1
    ena
    vip 192.168.100.221
/c/slb/virt 1/service http
    group 1
    dbind ena
/c/slb/layer7/slb
    ren 2 "/images"
    ren 3 "alte[^ra]"
    ren 4 "alte[ra]"
    ren 5 "en-us"
    ren 6 "de"
/c/slb/real 1/layer7
    addlb 1
    addlb 3
    addlb 5
/c/slb/real 2/layer7
    addlb 1
    addlb 2
    addlb 4
    addlb 6
/c/slb/virt 1/service http
    httpslb others Accept-Language


SSL Acceleration

Overview
Secure Sockets Layer (SSL) is a security layer that can be added to various communication protocols in order to serve four main purposes that contribute together to establishing a secure communication channel:

Authentication: Each communicating partner should be able to verify that the other is who it claims to be and not an impostor.
Privacy: A third party should not be able to eavesdrop on a private communication.
Integrity: The protocol should automatically or easily detect any tampering with the transmission.
Non-repudiation: The sender should not be able to claim that they did not send what the receiver received.

Models 4408, 4416 and 5412 loaded with software ver. 27 can offload heavy client SSL actions from servers and deliver them with clear HTTP traffic, or if needed, weaker-encrypted traffic to ease the stress. SSL is configured by means of a reusable SSL policy in the AAS configuration, which enables quicker and safer setup of new services. Options include controlling the SSL cipher suites and passing SSL information to Web applications for logging or for use as part of application logic. SSL using SHA-2 certificates is supported.

In order to support the new SSL capabilities, AAS now includes a repository for certificates and other PKI components, which allows safe holding and management of all components and required actions, as well as bulk import of the Alteon 2424-SSL certificates repository content for easy migration.

This lab unit discusses the Alteon Application Switch SSL offloading capabilities, which perform encryption, decryption, and verification of Secure Sockets Layer (SSL) transmissions between clients and servers, relieving the back-end servers of this task. This enables the back-end servers to maximize their performance and efficiency, resulting in faster server response times and increased server capacity to handle more concurrent users.

For Alteon to provide SSL Offloading, you must configure, enable, and apply the following three components:

SSL Virtual Service: You must define an HTTPS or SSL virtual service and associate with it both an SSL server certificate and an SSL policy that governs the behavior of the SSL virtual service.

SSL Policy: You must define an SSL policy and associate it with the SSL virtual service. An SSL policy includes the definition of the ciphers that enable SSL handshaking, as well as the type of traffic that is sent to the back-end servers. A single SSL policy can be reused across multiple virtual services.


Certificate Repository: You must supply a server certificate that you associate with the SSL virtual service. The server certificate includes the attributes needed to perform SSL handshaking and enable the decryption and encryption of the traffic related to the virtual service. You can associate only a single server certificate with a virtual service, but the same server certificate can be used by multiple services. The certificate repository may include Server Certificates, Intermediate CA Certificates, and Trusted CA Certificates.

A server certificate is a type of certificate used to identify servers during the SSL handshake. You either import a preexisting server certificate using the /cfg/slb/ssl/certs/import command, or you can generate your own on the Alteon Application Switch. When you generate your own server certificate, if an underlying Certificate Signing Request (CSR) and/or key pair do not already exist by the same name as the server certificate, they are generated along with the server certificate. The resulting server certificate is a "self-signed" server certificate, meaning it was issued by the server for itself. This kind of certificate is good for testing purposes, as real users will experience various warning messages if it is used for the real SSL service. In order to be used in a real-life SSL environment, the server certificate must be issued (signed) by a Certificate Authority (CA) that is trusted by the clients' browsers. To achieve this, once the certificate's CSR is generated, you must submit it to a trusted Certificate Authority (CA) for signing. If the request is successful, the CA sends back a certificate that has been digitally signed by its own key, which you import using the /cfg/slb/ssl/certs/import command, ensuring that it is not imported to the same entity name as the CSR.

Intermediate CA certificates are used when the CA providing the virtual service's server certificate is not directly trusted by the end users' Web browsers. This is typical in an organization that has its own CA server for generating servers' certificates. In order to construct the trust chain from the user's browser list of trusted CAs to the organization's CA server, an intermediate CA certificate or chain of certificates can be provided. You can optionally bind an intermediate Certificate Authority (CA) certificate to the SSL policy. These certificates are not created on the switch; you must first import them. You can also create a group of intermediate certificates (a complete CA chain) and bind it to the SSL policy.

Trusted CA certificates are certificates that come from a Certificate Authority that your organization uses to provide users with certificates (client certificates). Trusted CA certificates are associated with client authentication policies. If you use this option, you must specify the trusted client CA certificate or group of trusted client CA certificates to allow Alteon to know which client certificates to accept.

Client Authentication Policies: SSL client authentication enables a server to confirm a client's identity as part of the SSL handshake process. A client's certificate and public ID are checked to be valid and to have been issued by a trusted Certificate Authority (CA). If the certificate is valid, the handshake process is completed, allowing data to be sent to the intended destination. If the certificate is not valid, the session is terminated. When using SSL Offloading, you can optionally define a client authentication policy that authenticates the client's identity. You associate a client authentication policy with an SSL policy, and the SSL policy, in turn, is associated with a virtual service. To authenticate the client's identity, you import a CA certificate into Alteon. This CA certificate is used when Alteon receives a client certificate, to validate it by checking that it was generated by this trusted CA. Additionally, you can configure Alteon to ensure that the client certificates were not revoked by checking their statuses using OCSP (Online Certificate Status Protocol).


Assignment
All Alteon switch devices are connected via Ethernet cables as pictured in the lab diagram. In order to configure this switch, connect via serial to your assigned switch through a terminal server. If your last lab was a VRRP or FWLB lab, remove all configuration settings and restore the factory default settings. Configure the application switch to support basic load balancing. In this lab, we want to:

Set up a VIP with SSL offloading
Display acceleration log and statistics


Configure Switch
Console Setup
At your Team-PC, the PuTTY application is already set up with individual icons to connect via serial to the Application Switches.

1. Verify SLB is working. If not, refer to the lab Server Load Balancing.

2. Set up a basic HTTPS service. A VIP with service HTTPS terminates a client SSL request using an SSL policy and a server certificate.

3. Generate a self-signed server certificate.

Syntax: /cfg/slb/ssl/cert
    srvrcert    Server Certificate Menu
    request     Certificate Signing Request (CSR) Menu
    keypair     Key-Pair Menu
    trustca     Trusted CA Certificate Menu
    intermca    Intermediate CA Certificate Menu
    group       Certificates Group Menu
    defaults    Set certificate default values
    import      Import certificates
    export      Export certificates

Lab Configuration: We set up a self-signed server certificate.
    /cfg/slb/ssl/cert/srvrcert                                    Select cert menu
    Enter server certificate id (alphanumeric): selfs-cert
    Server certificate selfs-cert# name MySelfSignedCert
    Server certificate selfs-cert# generate
    This operation will generate a self-signed server certificate.
    Enter key size [512|1024|2048|4096] [1024]:<enter>
    Enter server certificate hash algorithm [md5|..[sha1]:<enter>
    Enter certificate Common Name: www.team28.com
    Use certificate default values? [y/n]: n
    Enter certificate Country Name (2-letter code) []: US
    Enter certificate State or Province Name (full name) []: NJ
    Enter certificate locality name (e.g. city) []: Mahwa
    Enter certificate Organization Name (e.g. company) []: Radware
    Enter certificate Organizational Unit Name []: Training
    Enter certificate Email []: GuentherM@radware.com
    Enter certificate validation period in days (1-3650) [365]: 20
    Self signed server certificate, certificate signing request and key pair added.
    apply

6. Enable the SSL feature.

Syntax and Lab Operation:
    /cfg/slb/ssl/on    turn all SSL features on

7. Set up using the graphical user interface. Use either CLI or BBI! On the Configure tab, select SLB > SSL and select SSL Enabled. Press the Submit button. On the Configure tab, press Certificate Repository and Generate a new policy. Insert at ID: selfs-cert, a descriptive name at Policy Name, and set the other parameters as described above for the CLI. There should now be three entries: a key pair, a certificate request and the server certificate.

8. Set up an SSL policy. This is used to select which cipher is used.

Syntax: /cfg/slb/ssl/sslpol <id>
    name        Set policy name
    passinfo    Pass SSL Information to Backend Servers Menu
    cipher      Set allowed cipher-suites in frontend SSL
    intermca    Set Intermediate CA certificate chain
    becipher    Set allowed cipher-suites in backend SSL
    authpol     Set client authentication policy
    convuri     Set Host regex for HTTP redirection conversion
    bessl       Enable/Disable backend SSL encryption
    convert     Enable/Disable HTTP redirection conversion
    ena         Enable policy
    dis         Disable policy
    del         Delete Policy

Lab Operation:
    /cfg/slb/ssl/sslpol plain                          set policy id
    name "Easy SSL Policy"                             label this policy
    cipher                                             a long list appears, <tab> complete selection
    Current cipher-suite allowed for SSL: rsa          use default
    Enter new cipher-suite allowed for SSL: medium     128 bit key
    ena                                                enable this policy
    apply

9. Set up using the graphical user interface. Use either CLI or BBI! On the Configure tab, select SLB > SSL > SSL Policies. Press the Add tab and Generate a new SSL policy. Insert at ID: plain, a descriptive name at Policy Name, Enable, set Cipher Suite to medium and keep the other parameters at their default values.

Create an HTTPS service for the VIP address.

Syntax: /cfg/slb/virt 1/service https/http
    http     HTTP Load Balancing Menu
    ssl      SSL Load Balancing Menu
    group    Set real server group number
    rport    Set real port
    and some more menu options

Syntax: ssl (ssl menu)
    srvrcert    Set SSL server certificate for this virtual service
    sslpol      Set SSL policy for this virtual service
    cur         Display current SSL configuration

Lab Operation:
    /cfg/slb/virt 1/service https/ssl
    SSL Load Balancing# srvrcert selfs-cert    associate cert
    SSL Load Balancing# sslpol plain           associate policy

Note: The backend servers' listening port (rport) was changed from 443 to 80 due to the use of no backend encryption. For a different network setting, rport can be configured manually.

    apply and save config
    /cfg/dump    to review the saved configurations

10. Set up using the graphical user interface. Use either CLI or BBI! On the Configure tab, select SLB > Virtual Servers. Select Virt Server ID 1, scroll down in the new window and click the Add button. In the Basic section, the field Service Port is 443 and Real is 80. Scroll down to SSL, select selfs-cert for Server Certificate and plain for SSL Policy.


11. Test the configuration. Open a browser on the client and access the web server https://www.team#.com

12. Check statistics; open a browser window several times and close it.
    CLI: /stat/slb/virt 1
    BBI: Monitor > SLB > Virtual Servers > 1 > https(443)


13. Enable the Application Services Trace Log. Application services trace logging may have a performance impact on Alteon traffic processing capabilities. Make sure to disable it when done!

Syntax: /maint/applog
    export      Export application services trace log via FTP/TFTP/SCP
    clearlog    Clear application services trace log
    compress    Enable/disable log compression activities
    caching     Enable/disable log caching activities
    ssl         Enable/disable log ssl activities
    http        Enable/disable log http activities
    httpmod     Enable/disable log http modifications activities
    dump        Dump application services trace log configuration

Lab Operation:
    ssl
    Current logging ssl activities: disabled
    Enter new logging ssl activities [d/e]: e

13. Create some traffic by accessing the https server page several times.

14. Export log data to your Team-PC; turn on 3CD and listen to the TFTP service.

Lab Operation:
    /maint/applog/export
    Enter hostname or IP address of FTP/TFTP/SCP server: 192.168.150.x
    Enter username for FTP/SCP server or hit return for TFTP server:<enter>
    Dump logs in W3C format? (n for internal format) [y/n] [y]: n
    Log file successfully transfered to :xxx_internal_logger.tar.gz

15. Extract the .tar.gz file. For each SP there is a separate file with log data. Depending on the VMA feature, your connection data is stored in one of these files. Open it with MS-Wordpad.

16. Do not forget to disable Application Services Trace Logging.


SSL Acceleration (team 28)


Layer 2/ 3 setup as done on basic lab.
/c/l3/dns prima 192.168.150.253
/c/sys/ntp on prisrv 192.168.150.253
/c/slb/ssl/certs/keypair selfs-cert
/c/slb/ssl/certs/request selfs-cert
/c/slb/ssl/certs/import request "selfs-cert" text
/c/slb/ssl/certs/srvrcert selfs-cert name "MySelfSignedCert"
/c/slb/ssl/certs/import srvrcert "selfs-cert" text


/c/slb/ssl
    on
/c/slb/ssl/sslpol plain
    name Easy SSL Policy
    cipher medium
    ena
/c/slb
    on
/c/slb/adv
    direct ena
/c/slb/real 1
    ena
    ipver v4
    rip 10.200.28.100
/c/slb/real 2
    ena
    ipver v4
    rip 10.200.28.200
/c/slb/group 1
    ipver v4
    metric roundrobin
    add 1
    add 2
/c/slb/port 1
    client ena
/c/slb/port 2
    server ena
/c/slb/virt 1
    ena
    ipver v4
    vip 192.168.100.228
/c/slb/virt 1/service 80 http
    group 1
/c/slb/virt 1/service 443 https
    group 1
    rport 80
/c/slb/virt 1/service 443 https/ssl
    srvrcert selfs-cert
    sslpol plain
/c/sys/access/https/port 8443
/c/sys/access/https/https e
/
script end /**** DO NOT EDIT THIS LINE!


Switch Troubleshooting

Overview
Description
The types of problems that typically occur with networks are connectivity and performance. The Radware Alteon Application Switch supports a diverse range of network architectures and protocols; some are used to maintain and monitor connectivity and isolate connectivity faults. This section provides conceptual information about the methods and tools used for troubleshooting and isolating problems in the Application Switch. It will help you to use the common commands to check switch status and to ensure successful switch maintenance activities.

Objectives
After completing this lab, you will be able to use the following commands:
Config
Info
Statistics
Global

Assignment
Learn to use the diff command to view changes before saving them.
Review the CLI commands to check critical switch functions (such as port speed, STP configuration, SLB configuration, etc.).
Cultivate the ability to spot errors in your configuration.
Familiarize yourself with the techniques to gather switch statistical data for troubleshooting.
You can use the configuration from any previous lab for this lab.


Use Basic Commands in CLI


1. Use the diff or revert command. Start with the diff command to review changes. Work through all the other commands until you reach the last diff command again. Watch the different outputs. All these commands are available in any menu and at any path.

Syntax:
    diff {option}
        Show any pending configuration changes. The flash option displays all data that will be lost if the switch reboots.

Lab Configuration:
    /cfg/l3/if 42/mask 255.255.255.0/addr 172.16.1.1/en
    diff
    Current config is identical to new config.

If all configuration data in floatable RAM is already applied and saved, no data is displayed. Change the configuration and run the diff command again.

Lab Configuration:
    /cfg/l3/if 42/mask 255.255.255.0/addr 172.16.1.1/en
    diff
    Pending configuration
    /c/l3/if 42
        ena
        ipver v4
        addr 172.16.1.1
        mask 255.255.255.0
        broad 172.16.1.255
    apply           current config is now identical to new config
    diff flash      displays unsaved config data
    Pending configuration
    /c/l3/if 42
        ena
        ipver v4
        addr 172.16.1.1
        mask 255.255.255.0
        broad 172.16.1.255
    revert apply    remove applied but unsaved configuration changes
    Confirm reverting unsaved changes [y/n]: y
    diff            nothing to display since all config data are in sync


2. Use the Port menu to configure settings for individual physical switch ports. This command is enabled by default. Port configuration is slightly different on Application Switches 2000 series and 3408.

Syntax:
    /cfg/port {number-of-physical-port}/{option}
        Enables all settings for a physical port on an Application switch
    /cfg/port {number-of-physical-port}/fast/{option}
        Enables all settings for a fast Ethernet physical port on an Application switch
    /cfg/port {number-of-physical-port}/gig/{option}
        Enables all settings for a gigabit Ethernet physical port on an Application switch
    /cfg/port {number-of-physical-port}/cop/{option}
        Enables all settings for a physical RJ45 port in range 3-6 on a 3408 switch
    /cfg/port {number-of-physical-port}/sfp/{option}
        Enables all settings for a physical GBIC port in range 3-6 on a 3408 switch

Lab Configuration:
    /cfg/port 1/cur       display current port 1 configuration
    /c/port 1/fast/cur    display port 1 fast Ethernet configuration

3. View switch performance statistics in both the user and administrator command modes. This menu displays traffic statistics on a port-by-port basis. Traffic statistics include SNMP Management Information Base (MIB) objects. The displayed interval is from the last switch reboot or counter reset until the present.

Syntax:
    /stats/port {physical-port-number}/{option}
        Displays statistic values for a physical port. Values in the range of Layer 1 up to Layer 3 are available. The clear option resets values.

Lab Configuration:
    /stat/port 1/link
    /stat/port 1/ether
    /stat/port 1/if

4. When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path. STP detects and eliminates logical loops in a bridged or switched network and forces redundant data paths into a standby (blocked) state. If the most efficient path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations. Thus, STP is used to prevent loops in the network topology.

Application Switch Operating System supports the IEEE 802.1p Spanning Tree Protocol (STP). It supports up to 16 instances of Spanning Trees or Spanning Tree groups. Each VLAN can be placed in only one Spanning Tree group per switch, except for the default Spanning Tree group (STG 1). The default Spanning Tree group (1) can have more than one VLAN. All other Spanning Tree groups (2-16) can have only one VLAN associated with them. Spanning Tree can be enabled or disabled for each port. Multiple Spanning Trees can be enabled on tagged or untagged ports. Spanning Tree group 1 is turned on by default.

Syntax:
    /cfg/l2/stg {number-of-STP-group}/{option}
        Enables all settings for Spanning Tree Groups 1 to 16

Lab Configuration:
    /cfg/l2/stg 1/cur

Syntax:
    /info/l2/stg
        Displays all settings for Spanning Tree Groups 1 to 16

Lab Configuration:
    /info/l2/stg

5. After contacting Radware Alteon support, a tsdump is often requested. To get this important data, turn on capture in your terminal emulation to record the large amount of data.

Syntax:
    /maint/tsdmp
        Dumps all Application Switch information, statistics, and configuration to your CLI screen. You can log the tsdump output into a file and send it to Radware Technical Support for debugging purposes.

Lab Configuration:
    /maint/tsdmp
    Confirm dumping all information, statistics, and configuration [y/n] : y

Syntax:
    /maint/pttsdmp {hostname filename -tftp|username password [-mgmt|data]}
        Dumps data to a server specified by hostname. Data is stored at filename. The transport protocol is FTP or TFTP via a management or data port.

Lab Configuration:
    /maint/pttsdmp
    Enter hostname or IP address of FTP/TFTP server: 192.168.150.x
    Enter name of file on FTP/TFTP server: dump.txt
    Enter username for FTP server or hit return for TFTP server: username
    Enter password for username on FTP server: password
    Connecting to 192.168.150.69...

6. The panic command causes the switch to immediately dump state information to flash memory and automatically reboot. Technical support may request a panic dump for analysis of an open case. Use ptdump to transmit the system dump to a TFTP or FTP server and store it in a file.

Syntax:
    /maint/panic


        Dumps all switch state information. You can log the tsdump output into a file and send it to Radware Technical Support for debugging purposes.

Lab Configuration:
    /maint/panic
    Confirm dumping and reboot [y/n] : y

Syntax:
    /maint/ptdump {hostname filename -tftp|username password [-mgmt|-data]}
        Dumps data to a server specified by hostname. Data is stored in filename. The transport protocol is FTP or TFTP via a management or data port.

Lab Configuration:
    /maint/ptdmp
    Enter hostname or IP address of FTP/TFTP server: 192.168.150.x
    Enter name of file on FTP/TFTP server: dump.txt
    Enter username for FTP server or hit return for TFTP server: username
    Enter password for username on FTP server: password
    Connecting to 192.168.150.69...

7. You must reset the switch to make your software image file or configuration block changes take effect. For two other features, Nortel-Multiple-Spanning-Tree (/cfg/l2/ntmstg) and jumbo frames at VLAN (/cfg/l2/vlan x/jumbo), a reset is also required.

Syntax:
    /boot/reset {option}
        The hard option acts like power cycling an Application Switch. The two other options are booting from the other image, <Ctrl>-o, or selecting to load the factory default database, <Ctrl>-f.

Lab Configuration:
    /boot/reset         shorthand /b/c
    /boot/reset hard    shorthand /b/c hard
    >> Note that this will RESTART the Spanning Tree,
    >> which will likely cause an interruption in network service.
    Confirm reset [y/n]: y

Using <ctrl> <shift> or <ctrl>7 acts as a Console RESET KEY in thread unknown (tid=0, cmd=0) command on the switch. It generates a maintenance (panic) dump and resets the switch.

8. To debug the Virtual Matrix Architecture feature, you can display the assigned SP (Switch Processor) for a source IP address and a destination IP address when VMA with destination IP is enabled. For IP version 6, use the command vmasp6.

Syntax:
    /maint/debug/vmasp {option, option, option}
        The options required are source IP address, destination IP address, and source port if enabled. Configuration is at path /cfg/slb/adv/ vmadip or vmasport.


Lab Configuration:
/maint/debug/vmasp       shorthand /m/d/vmasp 1.2.3.4 2.3.4.5 1234
Enter Source IP address : 1.2.3.4
Enter Destination IP address : 2.3.4.5
Enter source port : 1234
VMA for source IP 1.2.3.4 and destination IP 2.3.4.5 and source port 1234 is SP 3

9. You can display the real server number, real IP address, MAC address, VLAN, physical switch port, layer on which the health check is performed, and the health check result.
Syntax: /info/slb/real {real-server-number}
For real servers, the possible range is from 1 to 1023.
Lab Configuration:
/info/slb/real 1
1: 10.200.21.100, 00:0c:29:59:68:0e, vlan 11, port 2, health 4, up       # indicates layer of HC
real ports:
rport 80, up
Real server group 1, Workload Manager none
Virtual services:
http: vport http, rtspslb none

10. You can display the Server Load Balancing values for Layer 4 services.
Syntax: /stats/slb/{options}
Statistics are available for all real servers, groups, virtual servers, etc.
Lab Configuration:
/stat/slb/real 1
/stat/slb/real 2
/stat/slb/group 1
/stat/slb/virt 1
/stat/slb/filt 1

11. Is a filter working and does it match a configured rule? Filter logging enables or disables generating messages, displayed at the terminal and sent to the configured syslog server, when a filter match occurs.
Syntax: /cfg/slb/filt {filter-number}/adv/log {options}
This option is disabled by default. Logging can be enabled per filter.
Lab Configuration:
/cfg/slb/filt #/adv/log ena      always prints an info line at the console if filter criteria are met.


Perform the following commands using the current SLB configuration. Some of the commands you did previously are noted in the table below for reference.

CLI COMMAND                              COMMENT

LAYER 2 useful CLI commands
/info/sys                                Provides system information, IP, software version, etc.
/info/link                               Provides port link status
/info/fdb/dump                           Provides forwarding database information, VLANs, etc.
/info/arp/dump                           Provides ARP table information
/info/ip                                 Provides IP information
/c/dump                                  Provides switch configuration dump
/stat/port <num>/<ether/if/link>         Provides port statistics
/stat/port <num>/maint                   Provides port maintenance statistics
/stat/if <num>                           Provides identified interface information
/stats/mp                                Provides management processor utilization information

LAYER 4 useful CLI commands
/info/slb                                Provides SLB information
/info/dump                               Provides dump of current switch information
/c/slb/cur                               Provides SLB current configuration review
/stat/slb/real <real-server-num>         Provides statistics by real IP (RIP)
/stat/slb/group <real-server-group #>    Provides useful group information
/stat/slb/virt <virtual-server-num>      Provides virtual services information (e.g., VIPs, etc.)
/stat/slb/maint                          Provides SLB maintenance statistics
/stats/dump                              Provides switch statistics information
/info/slb/sess                           Provides SLB session information


Virtual Router Redundancy

Overview
Description
In a high-availability network topology, no device can create a single point of failure for the network or force a single point of failure onto any other part of the network. This means that your network remains in service despite the failure of any single device. Achieving this usually requires redundancy for all vital network components.

VRRP enables redundant router configurations within a LAN, providing alternate router paths for a host to eliminate single points of failure within a network. Each participating VRRP-capable routing device is configured with the same virtual router IP address and ID number. One of the virtual routers is elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers takes control of the virtual router IP address and actively processes traffic addressed to it.

Because the router associated with a given alternate path supported by VRRP uses the same IP address and MAC address as the routers for other paths, the host's gateway information does not change, no matter what path is used. A VRRP-based redundancy schema reduces administrative overhead because hosts need not be configured with multiple default gateways.

The IP address of a VRRP virtual interface router (VIR) and virtual server router (VSR) must be in the same IP subnet as the interface to which it is assigned.

Virtual Router
VRRP routers on two or more independent Application Switches can be configured to form a virtual router (RFC 2338). Each virtual router consists of a user-configured virtual router identifier (VRID) and an IP address. The VRID is used to build the virtual router MAC address. The five highest-order octets of the virtual router MAC address are the standard MAC prefix (00-00-5E-00-01) defined in RFC 2338. The VRID is used to form the lowest-order octet.

Owners and Renters
Only one of the VRRP routers in a virtual interface router may be configured as the IP address owner. The owner is the virtual router (Application Switch) whose virtual interface router's IP address is equal to the real interface address. This router responds to packets addressed to the virtual interface router's IP address for ICMP pings, TCP connections, and so on.

If the owner is not available, the backup becomes the master and takes over responsibility for packet forwarding and responding to ARP requests. However, because this switch is not the owner, it does not have a real interface configured with the virtual interface router's IP address. If the IP address owner is available, it will always become the virtual router master.

There is no requirement for any VRRP router to be the IP address owner. Most VRRP installations choose not to implement an IP address owner. VRRP routers that are not the IP address owner are called renters. A priority value is used to determine which VRRP router should be the master in a group of renters.

Virtual Router States
Within each virtual router, one switch VRRP router instance is selected to be the virtual router master.

Master
The virtual router master forwards received packets. It also responds to Address Resolution Protocol (ARP) requests sent to the virtual router's IP address. Finally, the virtual router master sends out periodic advertisements (multicast messages) containing the VRRP IP address, VR-ID and priority to let other VRRP routers know it is alive.

Backup
Within a virtual router, the VRRP routers not selected to be the master are known as virtual router backups. Should the virtual router master fail, one of the virtual router backups becomes the master and assumes its responsibilities.

Init
If there is no port in the virtual router's VLAN with an active link, the interface for the VLAN fails, thus placing the virtual router into the INIT state. The INIT state identifies that the virtual router is waiting for a startup event. If it receives a startup event, it will either transition to master if its priority is 255 (the IP address owner) or transition to the backup state if it is not the IP address owner.

How VRRP Priority Decides Which Switch is the Master
Each VRRP router that is not an owner is configured with a priority between 1 and 254. According to the VRRP standard, an owner has a priority of 255. A bidding process determines which VRRP router is or becomes the master: the VRRP router with the highest priority. Owners have a higher priority than the range permitted for non-owners. If there is an IP address owner, it is always the master for the virtual interface router, as long as it is available.

The master periodically sends advertisements to an IP multicast address. As long as the backups receive these advertisements, they remain in the backup state. If a backup does not receive an advertisement for three advertisement intervals, it initiates a bidding process to determine which VRRP router has the highest priority and takes over as master.

If, at any time, a backup determines that it has a higher priority than the current master, it can preempt the master and become the master itself, unless configured not to do so. In preemption, the backup assumes the role of master and begins to send its own advertisements. The current master sees that the backup has higher priority and will stop functioning as the master.

A backup router can stop receiving advertisements for one of two reasons: the master can be down, or all communication links between the master and the backup can be down. If the master has failed, it is clearly desirable for the backup (or one of the backups, if there is more than one) to become the master. If the master is healthy but communication between the master and the backup has failed, there will then be two masters within the virtual router. To prevent this from happening, configure redundant links to be used between the switches that form a virtual router.

Determining How to Configure Priority
Think of a virtual router's priority as a starting value that increases or decreases depending on the parameters that are tracked. For example, if you configure the virtual router to track the link state of the physical ports, one port losing link would cause the virtual router's priority to decrease by 2 priority points. To ensure that this decrease in priority causes failover from the current master to the backup virtual router, set the "base" priority of the master switch to be only 1 point higher than the backup; for example, priority 101 for master, 100 for backup. If the master and backup switches were set to priorities 110 and 100 respectively, a single port failure would only decrease the master switch's priority to 108. As 108 is still higher than the backup's priority of 100, the master switch would not fail over due to the loss of one port's link. It is also common to have a priority of 99 on the backup and 100 on the master.

Whenever you change the backup switch configuration, you must synchronize the master switch using the /oper/slb/sync command.
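The election, tracking and two-masters behaviour described above can be modelled in a few lines. This is an added example, not part of the course material or of Alteon software: the class and function names are hypothetical, the floor of 1 on the tracked priority is an assumption, and the tie-break on the higher interface address comes from the VRRP RFC rather than from this manual.

```python
import ipaddress
from dataclasses import dataclass

VRRP_MAC_PREFIX = (0x00, 0x00, 0x5E, 0x00, 0x01)  # RFC 2338 prefix; the VRID forms the last octet
OWNER_PRIORITY = 255                               # reserved for the IP address owner
TRACK_PENALTY = 2                                  # points lost per tracked port without link (figure from the text)


def virtual_mac(vrid):
    """Build the virtual router MAC address from the VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return "-".join(f"{octet:02X}" for octet in (*VRRP_MAC_PREFIX, vrid))


@dataclass
class VrrpRouter:
    name: str
    ip: str                  # real interface address, used only to break priority ties
    base_priority: int       # configured priority, 1..254 for renters
    ports_down: int = 0      # tracked ports that have lost link
    owner: bool = False
    preempt: bool = True
    alive: bool = True

    @property
    def priority(self):
        """Current priority: the base value minus the tracking penalty."""
        if self.owner:
            return OWNER_PRIORITY
        # Floor of 1 is an assumption of this model
        return max(1, self.base_priority - TRACK_PENALTY * self.ports_down)


def _rank(router):
    return (router.priority, ipaddress.ip_address(router.ip))


def elect(routers, current_master=None, interlink_up=True):
    """Return the names of all routers acting as master after one election round."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return set()
    if not interlink_up:
        # No backup hears advertisements any more, so each promotes itself: the two-masters case
        return {r.name for r in alive}
    current = next((r for r in alive if r.name == current_master), None)
    if current is None:
        # The master is gone (or there was none): the highest priority wins the bidding
        return {max(alive, key=_rank).name}
    # A backup takes over only with a strictly higher priority and preemption enabled;
    # an IP address owner always takes over
    challengers = [r for r in alive if r is not current
                   and (r.owner or (r.preempt and r.priority > current.priority))]
    if challengers:
        return {max(challengers, key=_rank).name}
    return {current.name}


def fails_over_on_port_loss(master_base, backup_base, ports_lost=1):
    """True if losing tracked ports on the master moves mastership to the backup."""
    master = VrrpRouter("odd", "192.168.100.31", master_base, ports_down=ports_lost)
    backup = VrrpRouter("even", "192.168.100.41", backup_base)
    return elect([master, backup], current_master="odd") == {"even"}


if __name__ == "__main__":
    print(virtual_mac(21))
    for pair in ((101, 100), (110, 100), (102, 100)):
        print(pair, fails_over_on_port_loss(*pair))
```

The 102/100 case shows why the margin has to stay below the tracking penalty: after one port loss the priorities are equal, and a backup does not preempt on a tie.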


Assignment
Your previous labs used a single switch for all SLB configurations. Now we will enhance it with a second switch for high availability (HA). Network cables are connected according to the diagram on the previous page.

For this lab, two delegates always need to work together! Preferred teams 21+22, 23+24, 25+26, and 27+28 form a redundant configuration consisting of an odd and an even switch. All examples in the description below are for team21/22. Other teams should use IP addresses and VRIDs according to their team number.

On the application server side, both switches need a common network. Use the odd team number for configuring this network! Do not use the even team numbers in this lab.

Connect to the odd switch; 2424 team21. Set the odd switch to the factory default. For each interface or VIP, a separate virtual router (VIP / VSR) is necessary. Set the interface IP addresses according to the lab layout diagram. For Team21, Interface 1, the configured IP address is 192.168.100.31. The interface addresses from previous labs are now used as VIR, 192.168.100.21, VRID 21. For the interfaces towards the web servers, the odd switch network is used. Interface 2 will be 10.200.21.31. VIR is 192.168.21.21, VRID 31. This is common in the real world since the routing entries on other devices need no change. Priorities for both VIRs are set to 101. Configure tracking and choose Active-Standby mode (share=disable) for all VRs.

Configure SLB and configure synchronization without priorities. Set the sync peer to the interface 2 IP address of the even switch. VIP+VSR for both switches are 192.168.100.221, VRID 41. Priority for VSR is set to 101.

Connect to the even switch, check that the OS version used is the same as on the odd switch, and set up Layer 2 (VLAN 11 and 14) and Layer 3 parameters. Interface 1 is set to 192.168.100.41 and interface 2 uses 10.200.21.41. Set the sync peer to the interface 2 IP address of the odd switch.

Connect to the odd switch; synchronize VRRP and SLB values with the even switch. Test SLB; disable ports to simulate missing link connections and trigger failover, etc.


Configure Switch
CLI configuration for the odd-switch:
1. If you would like to configure the switch by BBI, continue on page 111. For CLI configuration, connect to the odd-switch (e.g. Team-21) port via terminal server serial. Log in to the switch, enter the admin password admin.

2. Set the switch to the factory default and reset it.
Lab Configuration:
/boot/conf factory/reset         short form /b/co f/r
y                                confirms reset, pressing <enter> reboots the switch

3. Wait approximately one minute, log in to the switch using the admin password.

4. Adjust Layer 2. Assign port 1 to VLAN 11 and port 2 to VLAN 14.
Lab Configuration:
/cfg/l2/vlan 11/add 1/ena        create vlan 11 for clients, add port 1
y                                move port from vlan1 (default) to vlan 11, do not tag it
../vlan 14/add 2/ena             create vlan 14 for server, add port 2
y                                move port from vlan1 (default) to vlan 14, do not tag it
apply                            activate configuration change

5. Turn off Spanning Tree on the switch and save the configuration.
Lab Configuration:
/cfg/l2/stg 1/off                this disables STP group 1, default group is 1
apply                            activate configuration change

6. Create two interfaces for public and private networks, and add a default gateway.
Lab Configuration:
/cfg/l3/if 1/ena/vlan 11/mask 255.255.255.0/addr 192.168.100.#+10
/cfg/l3/if 2/ena/vlan 14/mask 255.255.255.0/addr 10.200.#.#+10
/cfg/l3/gw 1/addr 192.168.100.254/ena/apply

7. Configure Virtual Interface Routers. For each interface, a separate router is required. If possible, use the same value for VR-number, VR-ID and IF. This simplifies management. If this is not possible, suitable documentation is required.
Syntax: /cfg/l3/vrrp/{option}
This option turns the VRRP feature on or off.
Lab Configuration:
/cfg/l3/vrrp/on                  enables VRRP feature


Syntax: /cfg/l3/vrrp/vr {VR-number}/{options}
The options set all the parameters required for a single VR router.
Lab Configuration:
/cfg/l3/vrrp/vr 1                define VR1
vrid odd#                        set to virtual MAC Addr. 00-00-5E-00-01-15 (team 21)
addr 192.168.100.odd#            Public VIR Address, e.g. addr 192.168.100.21
share dis                        switch from active-active to active-standby
if 1                             communicates via interface 1
prio 101                         set priority to 101
ena                              enable VR
track/l4pts ena                  track ports layer 4 (client/server process) enabled

It is also possible to put all commands into a single line. Configure vr2 this way:
Lab Configuration:
/cfg/l3/vrrp/vr 2/vrid odd#+10/addr 10.200.odd#.odd#/share dis/if 2/prio 101/ena/track/l4pts ena

8. Set up Layer 4 synchronization configuration parameters. Disable synchronization of priorities; otherwise, you need to manually adjust the partner switch after doing a sync. The peer address is the opposite public or private interface.
Syntax: /cfg/slb/sync/{options}
The options set all the different parameters required for config or session synchronization.
Lab Configuration:
/cfg/slb/sync/prio dis
/cfg/slb/sync/peer 1/ena/addr 10.200.odd#.odd#+20
apply and save
After applying your changes, the switch should report VRRP status:
<date> <time> NOTICE vrrp: virtual router 192.168.100.21 is now master
<date> <time> NOTICE vrrp: virtual router 10.200.21.21 is now master

9. Save the configuration to a file using copy and paste.

10. Test your setup. Are both Web servers accessible by ping and browser access?


Configuration for the even-switch: do steps 11-20 if two delegates share two switches. If a single person configures both switches, do only steps 21-24.

11. Connect to the even-switch (e.g. Team-22) port via terminal server serial. Log in to the switch, enter the admin password admin.

12. Set the switch to the factory default and reset it.
Lab Configuration:
/boot/conf factory/reset         short form /b/co f/r
y                                confirms reset, pressing <enter> reboots the switch

13. Wait approximately one minute, log in to the switch using the admin password.

14. Adjust Layer 2. Assign port 1 to VLAN 11 and port 2 to VLAN 14.
Lab Configuration:
/cfg/l2/vlan 11/add 1/ena        create vlan 11 for clients, add port 1
y                                move port from vlan1 (default) to vlan 11, do not tag it
../vlan 14/add 2/ena             create vlan 14 for server, add port 2
y                                move port from vlan1 (default) to vlan 14, do not tag it
apply                            activate configuration change

15. Turn off Spanning Tree on the switch and save the configuration.
Lab Configuration:
/cfg/l2/stg 1/off                this disables STP group 1, default group is 1
apply                            activate configuration change

16. Create two interfaces for public and private networks, and add a default gateway.
Lab Configuration:
/cfg/l3/if 1/ena/vlan 11/mask 255.255.255.0/addr 192.168.100.#+20
/cfg/l3/if 2/ena/vlan 14/mask 255.255.255.0/addr 10.200.odd#.odd#+20
/cfg/l3/gw 1/addr 192.168.100.254/ena/apply

17. Configure Virtual Interface Routers. For each interface, a separate router is required. If possible, use the same value for VR-number, VR-ID and IF. This simplifies management. If this is not possible, suitable documentation is required.
Syntax: /cfg/l3/vrrp/{option}
This option turns the VRRP feature on or off.
Lab Configuration:
/cfg/l3/vrrp/on                  enables VRRP feature

Syntax: /cfg/l3/vrrp/vr {VR-number}/{options} Set all the Options parameters required for a single VR router.

Lab Configuration:
/cfg/l3/vrrp/vr 1                define VR1
vrid odd#                        set to virtual MAC Addr. 00-00-5E-00-01-15 (team 22)
addr 192.168.100.odd#            Public VIR Address, e.g. addr 192.168.100.21
share dis                        switch from active-active to active-standby
if 1                             communicates via interface 1
prio 100                         set priority to 100 or skip line
ena                              enable VR
track/l4pts ena                  track ports layer 4 (client/server process) enabled

It is also possible to put all commands into a single line. Configure vr2 this way:
Lab Configuration:
/cfg/l3/vrrp/vr 2/vrid odd#+10/addr 10.200.odd#.odd#/share dis/if 2/ena/track/l4pts ena

18. Set up Layer 4 synchronization configuration parameters. Disable synchronization of priorities; otherwise, you need to manually adjust the partner switch after doing a sync. The peer address is the opposite public or private interface.
Syntax: /cfg/slb/sync/{options}
The options set all the different parameters required for config or session synchronization.
Lab Configuration:
/cfg/slb/sync/prio dis
/cfg/slb/sync/peer 1/ena/addr 10.200.odd#.odd#+10
apply and save
After applying your changes, the switch should report VRRP status:
<date> <time> NOTICE vrrp: virtual router 192.168.100.21 is now backup
<date> <time> NOTICE vrrp: virtual router 10.200.21.21 is now backup

19. Save the configuration to a file using copy and paste.

20. Test your setup. Are both Web servers accessible by ping and browser access?

Continue with step 25.


21. Edit the saved odd-switch configuration (step 9). Edit the management address to match the previous even team number. Change the interface 1 address to 192.168.100.odd#+20 and IF 2 to 10.200.odd#.odd#+20. Remove all /cfg/l3/vrrp configuration. Adjust the peer 1 address to 10.200.odd#.odd#+10. Save this configuration as a new file.

22. Open a second Putty window, connect via serial to even-switch, and set the switch to the factory default configuration. Double-check; is the image version used equal to the version of odd-switch? If not, upgrade or downgrade to make the versions match. Enter Layer 2, Layer 3 and sync data by copying and pasting from the file. Apply and save this configuration.

23. Select the odd-switch terminal and sync VRRP and SLB settings.
Lab Configuration:
/o/sl/sy                         shorthand
y                                confirm configuration sync

24. Watch the display of the even-switch terminal window after the changes are received. There is no need to apply and save the configuration on even-switch. These two commands are automatically executed in the background. The example below is for team 21.
<date> <time> NOTICE vrrp: virtual router 192.168.100.21 is now backup
<date> <time> NOTICE vrrp: virtual router 10.200.21.21 is now backup

25. Set up SLB. Set up RealServer1 and RealServer2, group them and create a VIP 192.168.100.2odd#. Do not forget the client and server processes and to enable the SLB feature. If you can't remember the details, refer to the SLB lab, on page 30/31 steps 3 to 8.

26. Configure VSR on odd-switch for redundancy on Layer 4.
Lab Configuration:
/cfg/l3/vrrp/vr 3/vrid odd#+20/addr 192.168.100.2odd#/prio 101/share dis/if 1/ena/track/l4pts ena/apply
new VSR settings.

27. Watch the messages for the new VR. It is the VR master.

28. Synchronize the VRRP & SLB config to even-switch.
Lab Configuration:
/oper/slb/sync
Y


Test the VRRP configuration


1. Open a command prompt window on Team-PC. The examples below are for team 21.
Lab Configuration:
ping 192.168.100.21              ping to public VIR
ping 10.200.21.21                ping to VIP/VSR

2. Open a web browser, go to http://192.168.100.221 and access the web servers. The well-known home page should appear on screen.

3. Access Odd-switch CLI:
Lab Configuration: /cfg/l3/vrrp/cur
What is the configured priority? ________
Lab Configuration: /info/l3/vrrp
What is the current priority? ________
Is this switch the master or backup? _________
Lab Configuration: /stats/l3/vrrp

4. How many VRRP advertisements have been received? _____________
How many VRRP advertisements have been sent out? ____________________

5. Access even-switch CLI:
Lab Configuration: /cfg/l3/vrrp/cur
What is the configured priority? ________
Lab Configuration: /info/l3/vrrp
What is the current priority? ________
Is this switch the master or backup? _________
Lab Configuration: /stats/l3/vrrp
How many VRRP advertisements have been received? ____________
How many VRRP advertisements have been sent out? _____________

6. Establish two serial connections if not already done, one to the odd-switch and another to the even-switch. To simulate a fault, disable port 1 of odd-switch.
Lab Configuration: /cfg/port 1/dis/apply

Note the operational messages on both switches.

7. Access Odd-switch CLI:
Lab Configuration: /info/l3/vrrp
What is the priority? ________
What is the status of this switch? _________
Lab Configuration: /stats/l3/vrrp
How many VRRP advertisements have been received? ______________
How many VRRP advertisements have been sent out? ______________

8. Enable ports from Odd-switch.
/cfg/port 1/ena/apply
Note any operational messages on odd- and even-switch.
_________________________________________________________________
_________________________________________________________________

9. Access even-switch:
Lab Configuration: /info/l3/vrrp
What is the priority? ________
Is this switch the master or backup? _________
Lab Configuration: /stats/l3/vrrp
How many VRRP advertisements have been received? ______________
How many VRRP advertisements have been sent out? ______________

10. Access Odd-switch:
Lab Configuration: /info/l3/vrrp
What is the priority? ________
Is this switch the master or backup? _________
Lab Configuration: /stats/l3/vrrp
How many VRRP advertisements have been received? ____________________
How many VRRP advertisements have been sent out? ____________________


Printout for odd-switch, example for Team 21


/c/sys/mmgmt addr 10.10.242.21 mask 255.255.248.0 broad 10.10.247.255 gw 10.10.240.1 ena
/c/sys/mmgmt/port speed any mode any auto on
/c/port 1 pvid 11
/c/port 2 pvid 14
/c/port 9 dis
/c/l2/vlan 1 learn ena def 3 4 5 6 7 8 9 10 11 12 27 28
/c/l2/vlan 11 ena name "public" learn ena def 1
/c/l2/vlan 14 ena name "private" learn ena def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1 ena addr 192.168.100.31 vlan 11
/c/l3/if 2 ena addr 10.200.21.31 mask 255.255.255.0 broad 10.200.21.255 vlan 14
/c/l3/gw 1 ena addr 192.168.100.254


/c/l3/vrrp/on
/c/l3/vrrp/vr 1 ena vrid 21 if 1 prio 101 addr 192.168.100.21 share dis track l4pts e
/c/l3/vrrp/vr 2 ena vrid 31 if 2 prio 101 addr 10.200.21.21 share dis track l4pts e
/c/l3/vrrp/vr 3 ena vrid 41 if 1 prio 101 addr 192.168.100.221 share dis track l4pts e
/c/slb on
/c/slb/sync prios d
/c/slb/sync/peer 1 ena addr 10.200.21.41
/c/slb/real 1 ena rip 10.200.21.100
/c/slb/real 2 ena rip 10.200.21.200
/c/slb/group 1 metric roundrobin add 1 add 2
/c/slb/port 1 client ena
/c/slb/port 2 server ena
/c/slb/virt 1 ena vip 192.168.100.221
/c/slb/virt 1/service http group 1


Printout for even-switch, VRRP&SLB settings are equal except priority


/c/sys/mmgmt addr 10.10.242.22 mask 255.255.248.0 broad 10.10.247.255 gw 10.10.240.1 ena
/c/sys/mmgmt/port speed any mode any auto on
/c/port 1 pvid 11
/c/port 2 pvid 14
/c/port 9 dis
/c/l2/vlan 1 learn ena def 3 4 5 6 7 8 9 10 11 12 27 28
/c/l2/vlan 11 ena name "public" learn ena def 1
/c/l2/vlan 14 ena name "private" learn ena def 2
/c/l2/stg 1/off
/c/l2/stg 1/clear
/c/l2/stg 1/add 1 11 14
/c/l3/if 1 ena addr 192.168.100.41 vlan 11
/c/l3/if 2 ena addr 10.200.21.41 mask 255.255.255.0 broad 10.200.21.255 vlan 14
/c/l3/gw 1 ena addr 192.168.100.254


/c/l3/vrrp/on
/c/l3/vrrp/vr 1 ena vrid 21 if 1 addr 192.168.100.21 share dis track l4pts e
/c/l3/vrrp/vr 2 ena vrid 31 if 2 addr 10.200.21.21 share dis track l4pts e
/c/l3/vrrp/vr 3 ena vrid 41 if 1 addr 192.168.100.221 share dis track l4pts e
/c/slb on
/c/slb/sync prios d
/c/slb/sync/peer 1 ena addr 10.200.21.31
/c/slb/real 1 ena rip 10.200.21.100
/c/slb/real 2 ena rip 10.200.21.200
/c/slb/group 1 metric roundrobin add 1 add 2
/c/slb/port 1 client ena
/c/slb/port 2 server ena
/c/slb/virt 1 ena vip 192.168.100.221
/c/slb/virt 1/service http group 1
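A pair like the one in these printouts only fails over cleanly if both dumps agree, so it is worth comparing them mechanically before the failover test. The checker below is an added example, not part of the course material or of any Radware tool; the two dumps are constructed samples in the printouts' style (one configuration path per line) with two deliberate mistakes on the even switch, and the function names and finding texts are this example's own.

```python
# Constructed sample dumps; the even switch carries a wrong VRID and a wrong sync peer.
ODD_CFG = """\
/c/l3/if 1 ena addr 192.168.100.31 vlan 11
/c/l3/if 2 ena addr 10.200.21.31 mask 255.255.255.0 broad 10.200.21.255 vlan 14
/c/l3/vrrp/on
/c/l3/vrrp/vr 1 ena vrid 21 if 1 prio 101 addr 192.168.100.21 share dis track l4pts e
/c/l3/vrrp/vr 2 ena vrid 31 if 2 prio 101 addr 10.200.21.21 share dis track l4pts e
/c/l3/vrrp/vr 3 ena vrid 41 if 1 prio 101 addr 192.168.100.221 share dis track l4pts e
/c/slb/sync prios d
/c/slb/sync/peer 1 ena addr 10.200.21.41
/c/slb/virt 1 ena vip 192.168.100.221
"""
EVEN_CFG = """\
/c/l3/if 1 ena addr 192.168.100.41 vlan 11
/c/l3/if 2 ena addr 10.200.21.41 mask 255.255.255.0 broad 10.200.21.255 vlan 14
/c/l3/vrrp/on
/c/l3/vrrp/vr 1 ena vrid 21 if 1 addr 192.168.100.21 share dis track l4pts e
/c/l3/vrrp/vr 2 ena vrid 32 if 2 addr 10.200.21.21 share dis track l4pts e
/c/l3/vrrp/vr 3 ena vrid 41 if 1 addr 192.168.100.221 share dis track l4pts e
/c/slb/sync prios d
/c/slb/sync/peer 1 ena addr 10.200.21.13
/c/slb/virt 1 ena vip 192.168.100.221
"""
DEFAULT_PRIO = 100   # the lab notes that the prio line may be skipped for priority 100
TRACK_PENALTY = 2    # priority points lost per tracked port without link (from the overview)
VALUE_KEYS = {"vrid", "if", "prio", "addr", "vip", "prios", "vlan", "mask", "broad"}


def parse(cfg):
    """Map each path (plus index, e.g. '/c/l3/vrrp/vr 1') to a dict of its options."""
    entries = {}
    for line in cfg.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("/c/"):
            continue
        key, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():
            key, rest = f"{key} {rest[0]}", rest[1:]
        opts, i = {}, 0
        while i < len(rest):
            if rest[i] in VALUE_KEYS and i + 1 < len(rest):
                opts[rest[i]] = rest[i + 1]      # option followed by its value
                i += 2
            else:
                opts[rest[i]] = True             # bare flag such as "ena"
                i += 1
        entries[key] = opts
    return entries


def select(cfg, prefix):
    """All indexed entries below one path, e.g. every '/c/l3/vrrp/vr N'."""
    return {k: v for k, v in cfg.items() if k.startswith(prefix + " ")}


def check_pair(master_cfg, backup_cfg):
    """Return a list of findings for an active-standby pair; empty means consistent."""
    m, b = parse(master_cfg), parse(backup_cfg)
    findings = []
    m_vrs, b_vrs = select(m, "/c/l3/vrrp/vr"), select(b, "/c/l3/vrrp/vr")
    for vr in sorted(set(m_vrs) | set(b_vrs)):
        mv, bv = m_vrs.get(vr), b_vrs.get(vr)
        if mv is None or bv is None:
            findings.append(f"{vr}: defined on one switch only")
            continue
        for field in ("vrid", "addr", "if"):
            if mv.get(field) != bv.get(field):
                findings.append(f"{vr}: {field} differs ({mv.get(field)} vs {bv.get(field)})")
        gap = int(mv.get("prio", DEFAULT_PRIO)) - int(bv.get("prio", DEFAULT_PRIO))
        if not 0 < gap < TRACK_PENALTY:
            findings.append(f"{vr}: priority gap {gap} (master minus backup) should be "
                            f"positive and below the tracking penalty {TRACK_PENALTY}")
    for name, own, other in (("master", m, b), ("backup", b, m)):
        # Each sync peer must be an interface address of the other switch
        other_ifs = {v.get("addr") for v in select(other, "/c/l3/if").values()}
        for peer, opts in select(own, "/c/slb/sync/peer").items():
            if opts.get("addr") not in other_ifs:
                findings.append(f"{name} {peer}: {opts.get('addr')} is not an interface "
                                "of the other switch")
        if own.get("/c/slb/sync", {}).get("prios") != "d":
            findings.append(f"{name}: priority synchronization is not disabled")
    # Every VIP needs a virtual server router (VSR) with the same address
    vsr_addrs = {v.get("addr") for v in m_vrs.values()}
    for virt, opts in select(m, "/c/slb/virt").items():
        if opts.get("vip") not in vsr_addrs:
            findings.append(f"{virt}: VIP {opts.get('vip')} has no VRRP virtual router")
    return findings


if __name__ == "__main__":
    for finding in check_pair(ODD_CFG, EVEN_CFG):
        print(finding)
```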


BBI Web Based Management Labs

BBI SLB configuration of the Switch


1. To set up an SLB solution, start by enabling the SLB feature. On the Configure tab select SLB, turn SLB to Enabled and press the Submit button.

2. As the next step, configure both real servers for this application. Select SLB, Real Servers and use the ADD button to specify parameters for both real servers. The internal reference number ID, IP Address and State are mandatory. When finished with the first real server, click on More and enter the parameters of the next one. After the last real server, click on Submit and Apply.

3. Add all real servers belonging to this application to a group (farm). Important parameters like health check and metric are also specified at this group. Select SLB, Server Group and use the ADD button to specify parameters. The internal reference number ID is mandatory. Change SLB Metric for this lab to Round Robin and Submit this change.


Next is to associate the real servers. Click on the Add button below Real Servers, check all real servers you will add and press the Add Real or Add button, depending on version. Click Submit and Apply.

4. Configure the virtual IP. This is the entry or termination IP address for a specific service. Select SLB, Virtual Servers and press the ADD button. Virtual Server ID, Name, VIP Address and State are mandatory parameters. Submit this change.


5. Click the ID number, scroll down the newly opened window and click Add to specify Service Port 80. For this lab no additional parameter is required. Submit and Apply this change.

6. The final change for our basic SLB lab is the activation of client and server processing on the ingress and egress ports. Select SLB, Ports and click on the number for the port you want to change. If you want to change several ports in the same manner, tick all appropriate ports and click on Bulk Edit. Select port 1 and tick client, tick server for port 2, Submit each change and Apply it.


7. Check the new configuration. Click on Diff; the message "Current config is identical to new config." should appear. Diff Flash displays all SLB configuration since it is at current not saved and Dump shows the whole switch configuration. Save the configuration now.

8. Save this SLB configuration to a file on the Team-PC. This configuration will be the base for the following labs. Start the FTP/TFTP server on your Team-PC. At quick launch click on 3CDaemon. By default the server is set to use the desktop as user directory. In your BBI window go to Configure, System, Download/Upload, Configuration. In the section Import / Export select Export from Device, Management Port and FTP. Enter your Team_PC IP Address; Username is anonymous, Password any and Filename SLB.txt. Submit these parameters.

9. Use a different browser and open a new window to the VIP. For Team21 this is http://192.168.100.221. Create some traffic by refreshing the browser. Why is the Alteon not selecting the second real server? Close this browser and open a new one. Why is the second real server selected now? In modern browsers, if a tab is open, it will grab the content only from the internal cache.


10. Check statistics: select Monitor, SLB, Virtual Servers at the BBI window. Real servers or Server Groups displays details on these items.

11. Load balancing for available services on different servers is an option. There are two web servers, one equipped with two CPUs, the other with four CPUs. For each CPU a separate web application instance, e.g. Apache, is installed. Our customer wants to have an even load balancing based on each of these CPUs. Set up the real servers for multiport SLB. Add for real server 1 ports 80 and 81, for real server 2 ports 80 to 83. To ensure the same load on all CPUs, increase the weight to 2 for real server 2. Invoke this feature by setting the real port for the HTTP service to 0. At Configure, SLB, Real Server, Advanced scroll down to Service Ports and Add port numbers. For each add you need to select the advanced menu again.

For server 2 set weight to 2


At SLB Virtual Server, Services Port 80, edit the settings: check Single and change Service Port 80 => 0.

12. See the messages in the CLI window. A separate health check is now generated for each port.

13. For the next hands-on we do not need this multi-rport setting. Therefore, remove the changes from step 11. Click on the Revert Apply button.


BBI Layer 7 Passive Cookie Persistence Configuration


1. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for content load balancing. At Configure, SLB, set Direct Access Mode to Enabled.

2. Select an appropriate load balancing metric for the real server group if no cookie is present. Choose a non-persistent metric. For our lab we will select round robin. Select Configure, SLB, Server Group, Group 1 and set SLB Metric to Round Robin.

3. To have cookie persistency, we need to get a cookie from the web server. The web application on port 88 is cookie enabled. Select Configure, SLB, Virtual servers, click on the Port 80 (http) link. Set the radio button to single and enter 88 at real port.

4. By default, the switch checks the case of any string, e.g. a cookie name. Disable case sensitivity if there is no need to discriminate between upper and lower case. Select Configure, SLB, Layer 7 Resources and turn the CSSM parameter to Disabled.

5. Enable passive cookie-based persistence on the virtual server service. Select Configure, SLB, Virtual Servers, Port 80 and set Persistence to Cookie. Several additional fields are now available. Use Mode Passive, Name ASPSESS*, Number of Bytes to Extract 8, Search in URI Disabled and Cookie Value Starting Point 1. Submit and Apply changes.

For testing passive cookies, refer to steps 7 to 10. Since rewrite cookies is very similar, skip it and do the test for rewrite settings only.

6. Enable rewrite cookie-based persistence on the virtual server service. Select Configure, SLB, Virtual Servers, Port 80 and set Persistence to Cookie. Several additional fields are now available. Use Mode Rewrite, Search Up to 1 Responses, Name ASPSESS*, Length 8, Search in Header. Submit and Apply changes.

7. Confirm the cookie operation. Configure your browser to block cookies.

Check statistics. On BBI Monitor, SLB, Virtual Servers, Port 80.



Clear the statistics counter in the CLI window:
/stat/slb/clear to clear statistics

Generate traffic by opening a new browser window to your VIP several times, e.g. http://192.168.100.221

Return to the switch BBI and refresh the window to display statistics. Note changes.

8. Change the cookie settings in your browser to accept cookies and repeat the above Lab Operation steps. For Firefox ensure to accept a cookie from the VIP. Add a suitable exception.

9. Generate traffic by opening a new browser window to your VIP several times, e.g. http://192.168.100.221

10. Return to the switch BBI and refresh the window to display statistics. Note changes. To get new session requests, you need to close the browser and open a new window; otherwise the data is read from the browser cache instead of the Super Veda server.

11. Change the VIP service HTTP rport value from 88 to 80 to simulate a server without cookie support. Set Configure, SLB, Virtual Servers, Port 80 Service Port to 80.


12. Enable insert cookie-based persistence on the virtual server service. Set Configure, SLB, Virtual Servers, Port 80 Persistence Mode to Insert, Name to Alteon_P and a duration of 0 days : 8 hours : 0 minutes. Submit and Apply change.

13. Use the Firefox browser and turn LiveHTTPheaders on. The date is always UTC time depending on your time zone.


14. At the CLI you can decode the Set-Cookie value with /info/slb/cookie and get useful information.

>> Server Load Balancing Information# cookie
Enter 16 or 20 or 24 bytes cookie value as 0xXXXXXXXXXXXXXXXX: 0x2389127e9af8b0b4baeebabf
Virtual IP address: 192.168.100.221
Real IP address: 10.200.21.100
Real Server Port: 80
Real Server Index: 1

15. Check statistics. On BBI Monitor, SLB, Virtual Servers, Port 80. Note changes. To get new session requests, you need to close the browser and open a new window; otherwise the data is read from the browser cache instead of the web server.

16. Remove all persistency settings for the virtual server for the next labs. Change the rport from 88 to 80 if not already done at step 11. If your last saved configuration was basic SLB, press the Revert Apply button. To double check, do a Diff Flash before.


BBI Content Load Balancing Configuration


1. Enable Direct Access Mode (DAM) on the switch to allow you to perform port mapping for content load balancing. At Configure, SLB, set Direct Access Mode to Enabled. Submit change.

2. Select an appropriate load balancing metric for the real server group if no string is present. Choose a non-persistent metric. For our lab we will select round robin. Select Configure, SLB, Server Group, Group 1 and set SLB Metric to Round Robin. Submit change.

3. Double check that persistent binding for the virtual server service is disabled. Pbind takes precedence over string load balancing. Select Configure, SLB, Virtual servers, port 80. Is parameter Persistence set to Disabled?

4. Double check that SLB is working. Clear the session table.
CLI Operation: /stat/slb/clear
Generate traffic by opening a new browser window to your VIP several times; return to the switch CLI/BBI for displaying SLB statistics.


5. By default, the switch checks the case of any string, e.g. a cookie name. Disable case sensitivity if there is no need to discriminate between upper and lower case. Select Configure, SLB, Layer 7 Resources and turn the CSSM parameter to Disabled.

6. When SLB is working correctly, continue with the URL configuration. We want to look for the URL string images, which is only located at server 2. Define this URL string. Select Configure, SLB, Layer 7 Resources, Strings. Keep all parameters on default and insert /images at the SLB String field. Submit this change.

7. Add an index number for the URL string to the real server config. If real server 2 can handle additional pages than /images, e.g. index.html, add string 1 as an option. Select Configure, SLB, Real Servers, ID 2. Set the radio button to Advanced and scroll down to Layer 7. Move both strings into the configured box. Submit change.


8. Enable URLSLB for the virtual service IP Address service HTTP. Select Configure, SLB, Virtual Servers, ID 1 port 80. At section Basic set Application to HTTP-L7 and at section HTTP set HTTP SLB to URL SLB. Submit and Apply change.

9. Test this new setup. Open a browser and access files on the image path. The files img1.jpg, img2.jpg and img3.jpg are available on server 2. Close and reopen the client browser several times to http://192.168.100.221/images/img1.jpg. Check statistics at Monitor, SLB, Layer7, string tab.


10. To test SLB for the index page use the wfetch tool. It is at the quick start area. Here you can set how an http request is sent to the server. Set Host to your VIP IP address and keep all other parameters at default. To request a page press the GO! button. Both web servers should respond, one after the other, since the any string is associated with real server 2. Real 1 has no special setup and responds to any request.

11. Next, we want to set up a solution using regular expressions. Web server 1 will host file alteo.htm. Web server 2 will host altea.htm and alter.htm. The regular expression alte[ar].htm allows selection of the content stored on server 2. Inverting this regular expression avoids selection of this machine. alte[^ar].htm allows access to alteo.htm and of course to many other alteoX.htm pages. Therefore, this is useful only as a lab example. Select Configure, SLB, Layer 7 Resources, Strings. Press Add and insert at SLB String field alte[^ar] and then alte[ar]. Keep other parameters on default. Submit this change.

12. Add the index number for the URL string to the real server config: Add alte[^ar], which is a regular expression for the alteo string in our configuration, to real server 1. Add alte[ar], which represents both strings alter and altea, to real server 2. To allow LB for the index.htm string on real server 1, add index 1 to it. Select Configure, SLB, Real Servers, ID 1. Set the radio button to Advanced and scroll down to Layer 7. Move the any and alte[^ar] strings into the configured box and Submit change. Select Configure, SLB, Real Servers, ID 2. Set the radio button to Advanced and scroll down to Layer 7. Move the alte[ar] string into the configured box and Submit change.


13. Test your configuration. Send the following requests from your browser at Team-PC to the VIP. The following example is for team 21. Use your team number, please. http://192.168.100.221/alteo.htm, http://192.168.100.221/alter.htm, http://192.168.100.221/altea.htm

14. In this lab section, your task is to configure Layer 7 string lookup to detect the default language support of the browser used for this request. Modify your virtual server setting to look up the Accept-Language string at the HTTP header. We will assume real server 1 is responsible for English and real server 2 for another language, e.g. German.

15. Configure header variable strings and add an index number to the real server config. Real server 1 represents the contents for the en string, real server 2 is responsible for the de string. The language string depends on browser type. Add strings for e.g. en and de. For other regions, choose appropriate language strings. Configure, SLB, Layer 7 Resources, Strings. Press Add and insert at SLB String field en and then de. Keep other parameters on default. Submit this change.


16. Add the index number for the URL string to the real server config: Add en to real server 1 and de to real server 2. Keep the other previously associated strings. Select Configure, SLB, Real Servers, ID 1. Set the radio button to Advanced and scroll down to Layer 7. Move the any and en strings into the configured box and Submit change. Select Configure, SLB, Real Servers, ID 2. Set the radio button to Advanced and scroll down to Layer 7. Move the de string into the configured box and Submit change.

17. Modify the VIP service HTTP so that it now looks up the Accept-Language string in the HTTP header. Select Configure, SLB, Virtual Servers, ID 1 port 80. At section Basic set Application to HTTP-L7 and at section HTTP set HTTP SLB to others and HTTP Header Name to Accept-Language. Submit and Apply change.


18. In Firefox select English and in IE German as default language. Set a single language for each browser!

19. Test this new setup. Open a browser and access the team VIP. For team 21, close and reopen the client browser several times to http://192.168.100.221. Check statistics at Monitor, SLB, Layer7, string tab.
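The string selection exercised in steps 6 to 13 (URL strings) and steps 14 to 19 (Accept-Language strings) can be modelled as follows; this is an added example, not Radware code or output from the switch. The matching rule (a matching defined string selects its servers, otherwise fall back to servers with any or with no strings) is an assumption inferred from the behaviour the lab describes, and eligible_servers, REAL_SERVER_STRINGS and the sample requests are constructed for illustration.

```python
import re

# String assignments per real server after step 16 of the lab.
# Constructed from the lab steps; "any" is the catch-all string (string 1).
REAL_SERVER_STRINGS = {
    1: ["any", "alte[^ar]", "en"],
    2: ["any", "/images", "alte[ar]", "de"],
}


def eligible_servers(lookup_value, table=REAL_SERVER_STRINGS):
    """Return the set of real server IDs that may receive the request.

    lookup_value is the URL (URL SLB, steps 8 to 13) or the value of the
    Accept-Language header (header lookup, step 17).

    Assumed model: a defined string that matches the lookup value selects
    the servers carrying that string. Only when no defined string matches
    does the request fall back to servers with "any" or with no strings.
    """
    matched, fallback = set(), set()
    for server_id, strings in table.items():
        specific = [s for s in strings if s != "any"]
        if "any" in strings or not strings:
            fallback.add(server_id)
        # Case sensitivity was disabled in step 5, hence IGNORECASE.
        if any(re.search(p, lookup_value, re.IGNORECASE) for p in specific):
            matched.add(server_id)
    return matched or fallback


# Constructed sample inputs: request paths from steps 9, 10 and 13, and
# Accept-Language values a browser could send in step 19.
SAMPLES = [
    ("URL", "/images/img1.jpg"),
    ("URL", "/"),
    ("URL", "/alteo.htm"),
    ("URL", "/alter.htm"),
    ("URL", "/altea.htm"),
    ("Accept-Language", "en-US,en;q=0.5"),
    ("Accept-Language", "de-DE,de;q=0.9"),
    # Two languages configured in one browser: both strings match.
    ("Accept-Language", "de-DE,de;q=0.9,en;q=0.8"),
]

if __name__ == "__main__":
    for kind, value in SAMPLES:
        servers = sorted(eligible_servers(value))
        print(f"{kind:16} {value:28} -> real server(s) {servers}")
```

The last sample shows why step 18 asks for a single language per browser: a header listing both languages matches en and de, so both real servers stay eligible and the group metric decides.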


BBI configuration for VRRP


The odd-switch:

1. Connect via a browser to the management interface 10.10.242.# and set the switch to load the factory default configuration on next boot and reset it. Select Configure, System, Download/Upload, Configuration tab, section Version Management. Set Next Boot Block to Factory and the radio button to Do Not Erase and Submit change. If there is no reset button at this page, move to the software tab and press the Reset button there.

2. After reset, you lost the http access to the Alteon. Log on via serial and enable http access again.
Lab Configuration:
>> Configuration# /cfg/sys/access/http e/apply
Current HTTP server access: disabled
New HTTP server access: enabled

3. Create two new VLANs for ingress and egress ports. We keep unused ports on VLAN 1. By default, all ports are enabled. At the configure tab select Layer2, VLANs and click the Add button.

Insert VLAN ID 11, Name, Enable it and associate Spanning Tree Group 1, select Available port 1 and move it to Configured. Press the Submit and Apply buttons to activate this change. Each change is confirmed at the BBI Log Messages field. Add another VLAN ID 14 and use port 2.


Disable Spanning Tree. Select on Layer2, SpanningTree number 1 and turn Enabled to Disabled. Submit and Apply change.

4. Configure the interfaces for the switch as shown in the Lab Description pages. You must create a separate interface for each network that you want to connect directly to this switch. The interface index number used is independent of any physical port, VLAN etc. A common number for port, VLAN and interface will simplify debugging and management.

At Configure tab select Layer3, IP Interfaces and click the Add button. Insert Interface ID 1, IP Addresses are 192.168.100.#+10 (team 21 e.g. 192.168.100.31). # is your team number. Mask is a C-Class one. Associate VLAN 11 for public net. Enable state and click Submit and Apply buttons to activate this change. Add another interface 2 for your private net. IP Address is 10.200.#.#+10 /24 (team 21 e.g. 10.200.21.31).


5. Set the default gateway. Traffic to any destination IP address that is not on a local network and does not match a routing table entry is sent to this destination. GW 1 to 4 is for all VLANs, GW 5 to 259 can each be associated to one VLAN. Select Gateways and Add, Gateway ID 1, IP Address is 192.168.100.254, turn state to Enable and click the Submit and Apply buttons to activate this change. The settings are equal for all teams.

6. Configure Virtual Interface Routers. For each interface, a separate router is required. If possible, use the same value for VR-number, VR-ID and IF. This simplifies management. If this is not possible, suitable documentation is required. Select Configure, Layer 3, VRRP, set State to Enabled and Submit change.

For the ISP-Net interface select Configure, Layer 3, VRRP, Virtual Routers and press the Add button. Select the Advanced radio button, and provide parameters for Router ID #, VR ID #, IP Address 192.168.100.#, Interface 1, Priority 101, State Enabled, Tracking SLB, Advanced Sharing Disabled and click the Submit button to activate this change.

For the Application-Server-Net interface press the Add and Advanced buttons again. Provide parameters for Router ID #+10, VR ID #+10, IP Address 10.200.#.#, Interface 2, Priority 101, State Enabled, Tracking SLB, Advanced Sharing Disabled and click the Submit and Apply buttons to activate this change.

After pressing the Refresh button both VRs should be in Master mode.

7. Set up the Layer 4 synchronization configuration parameters. Disable synchronize priorities; otherwise, you need to manually adjust the priority at the partner switch after doing a sync. The peer address is the opposite private interface. Select Configure, SLB, Advanced, Sync tab, remove the checks for BWM and VRRP Priorities, set Id 1 to 10.200.21.#+20, set State to Enabled and Submit, Apply and Save change.


8. Test your setup. Are both Web servers (10.200.#.100 and .200) accessible by ping and browser access? If yes, continue with step 9, otherwise start debugging. Check the Dump printout or repeat steps 3 to 7 again.

9. At this step we want to configure the second (even) Alteon of this high availability solution. You need to repeat steps 1 to 5 for this second switch. The parameters for steps 3 and 5 are exactly the same as for the odd switch. At step 4 for the IP Addresses use on ISP-Net 192.168.100.#+20 and at App-Server-Net 10.200.#.#+20. Skip step 6 and continue with step 7. Use as peer ID 1 the App-Server-Net interface address of the odd switch (10.200.#.#+10).

10. Now we want to synchronize the configuration to the peer switch. At the BBI of the odd Alteon at Configure, SLB, Advanced, Sync tab, Peer Switch press the Submit button for Synchronize configuration to peer switches.

11. At the CLI window watch the changes.

At odd switch:
Sending Config .
Waiting for peer to finish config apply/save ...

At even switch:
Configuration on 10.200.21.41 has now been synchronized.

12. Test your setup again. Are both Web servers (10.200.#.100 and .200) accessible by ping and browser access? If yes, continue, otherwise start debugging.

13. Set up SLB. Set up RealServer1, RealServer2, group them and create a VIP 192.168.100.2odd#. Enable the client and server processes and enable the SLB feature. If you can't remember the details, refer to the SLB lab, on page 93. Test access to this VIP with your browser.

14. To avoid a duplicated VIP Address, configure a VSR on the odd-switch for redundancy on Layer 4. Select Configure, Layer 3, VRRP, press the Add button. Select the Advanced radio button, and provide parameters for Router ID #+20, VR ID #+20, IP Address 192.168.100.2#, Interface 1, Priority 101, State Enabled, Tracking SLB, Advanced Sharing Disabled and click the Submit and Apply buttons to activate this change.

15. Watch the messages for the new VR. It is a VR master.

16. Synchronize the VRRP & SLB configuration to the even-switch. See step 10 for BBI or at the CLI window execute: /oper/slb/sync Y

17. Test the VRRP configuration. At the current Master VRs disable one physical port, e.g. port 1. Select Configure, System, Physical Ports, Port 1, State Disabled. Submit and Apply change.

Watch the changed status of the VRRP routers on both switches. Select Configure, Layer 3, VRRP, Virtual Routers.

At odd Switch

At even Switch
