Course AX-DSC-001.12
Table of Contents
Module 5: AX Acceleration
Module 6: AX Security
Module 1
Module objectives
Goal of this course
Course map
AX Product Line
Module 2
Module objectives
AX solution / market: AX new generation load balancers
AX solution / market: AX new generation customer benefits
Basic LB benefits
Share load among multiple servers (load balancing)
Provide high availability of services
AX 32-bit Series Models (chart of Price versus Overall Performance; values recovered in reading order)
AX 3200-11: 8.7 Gbps, 541,000 L4 CPS
AX 2200-11: 7.4 Gbps, 302,000 L4 CPS
AX 1000-11: 4 Gbps, 153,000 L4 CPS
AX 64-bit Series Models (chart of Price versus Overall Performance; values recovered in reading order)
AX 5200: 40 Gbps, 3 Million L4 CPS
AX 5100: 40 Gbps, 2 Million L4 CPS
AX 3000-11*: 30 Gbps, 850,000 L4 CPS
AX 2600*: 19 Gbps, 355,000 L4 CPS
AX 2500: 11 Gbps, 300,000 L4 CPS
Chart annotation: Large Enterprise or Service Provider
AX product line
Hardware Acceleration (one column per model)
Linear Decoupled Architecture: Yes Yes Yes Yes Yes Yes
Flexible Traffic ASIC: No No No Yes Yes Yes
SSL Acceleration ASIC: Yes Yes Yes Yes Yes Yes
Switching and Routing ASIC: No No No Yes Yes Yes
Hardware Compression ASIC: No No Option Option Option Option
AX product line
Ethernet Interfaces (one column per model):
Gigabit Copper: 8 24 0 16 16 8 0 0
Gigabit Fiber SFP Mini GBIC: 4 0 24 8 0 8 4 4
10 Gigabit Fiber SFP+: 0 0 0 0 4 4 8 16
Storage: SSD
Power: 400 W RPS, 400 W RPS, 400 W RPS, 900 W RPS, 900 W RPS
Dual Power Supplies
100 to 240 VAC, Frequency 50-60 Hz
Hardware Acceleration (one column per model)
Linear Decoupled Architecture: Yes Yes Yes Yes Yes
Flexible Traffic ASIC: No No No Yes x4 Yes x4
SSL Acceleration ASIC: Yes Yes Yes No No
Multi-ASIC High Performance SSL: Option Option Option Option Option
Switching and Routing ASIC: No No No Yes Yes
Hardware Compression ASIC: Option Option Option Option Option
AX feature set
AX licensing
Summary
Module 3
Module objectives
Module 3 Lesson 1
Main load balancing goals and concepts
Methods of load balancer integration into network
Routed Mode
One-Arm Mode
Transparent Mode
DSR Mode
Servers
Minimum configuration
Name
IP address (can use DNS name)
Ports
Server configuration
WebUI: Config > Service > SLB > Server
CLI: AX(config)# slb server <name> []
Service groups
Minimum configuration
Name
Type (TCP/UDP)
LB Algorithm
At least one Server/Port
Service groups
Virtual server (VIP)
Minimum configuration
Name
IP address (accessed by end-users)
Virtual Server Ports (usually)
Virtual server port (VIP port)
Minimum configuration
Type (TCP/UDP/HTTP/HTTPS/Fast-HTTP/RTSP/FTP/MMS/SSL-Proxy/SMTP/SIP/SIP-TCP/SIP-TLS/Others)
Port
Service Group (usually)
Health monitors
Server port health monitor
Server HM configuration
WebUI: Config > Service > SLB > Server "Health Monitor"
CLI: AX(config)# slb server <server-name>
AX(config-real server)# health-check <hm-name>
Server HM status
WebUI: Monitor > Service > SLB > Server (expand Server)
CLI: AX# show slb server <server-name>
Module 3 Lesson 2
Source IP persistence
Network Address Translation
Network Address Translation: SLB source NAT
Network Address Translation: Layer3 NAT
Network Address Translation
If SLB source NAT is also configured, all clients not using Layer3 NAT will use the SLB source NAT Pool
Summary
And also:
Configured one AX L4 SLB VIP
Explained two common L4 SLB options and their AX configuration: Source IP Persistence and NAT
Configured Source IP Persistence, SLB Source NAT and static Layer3 NAT on AX
FTP, HTTP and HTTPS protocols
Module 4
Module objectives
Understand protocols
FTP
HTTP
HTTPS
Module 4 Lesson 1
FTP protocol
FTP protocol
Important Notes:
The Control Session remains open for the duration of the FTP connection
The data session will be closed at the end of each object transfer. If you transfer 3 files, you'll have 3 data sessions (one at a time).
Load balancer configuration for FTP applications
Module 4 Lesson 2
HTTP protocol
HTTP requests
HTTP responses
Load balancer configuration for HTTP applications: greater availability
Load balancer configuration for HTTP applications: greater flexibility
This option is usually used to centrally change web server behavior without changing the web servers' configuration.
Load balancer configuration for HTTP applications: greater security
URL failover
When all servers are disabled or have failed, the AX can send an HTTP redirect to a "backup site" or "sorry page".
This option is usually used with "backup sites" or "sorry pages".
Module 4 Lesson 3
HTTPS protocol
HTTPS offers
Server Authentication (with server certificates)
(optional) Client Authentication (with client certificates)
Encryption (with TLS/SSL)
How does the encryption work?
Note: If the client establishes a new TCP session before the session key expires, it will propose to the server to reuse that key (SSL session ID reuse option). The server can accept or refuse. If refused, a new session key is negotiated.
Load balancer configuration for HTTPS applications
HTTPS communication with clients
HTTPS communication with servers
SSL statistics
WebUI: Monitor > Service > Application > SSL
CLI: AX# show slb ssl stats
Summary
And also:
Explained the specific Load Balancer configuration required for each protocol
Explained specific Load Balancer options available for each protocol for better availability, flexibility, performance and security
Configured FTP, HTTP, and HTTPS VIPs on the AX
AX Acceleration
Module 5
Module objectives
Connection reuse
Note: Web browsers keep their TCP connections open, even when all objects have been loaded
Connection reuse
Terminates all clients' connections to the AX
Maintains persistent connections to the Servers
Sends all clients' requests on the same persistent connections
SSL offload
HTTP compression
AX HTTP compression
Compresses objects sent to the clients
Note: By default, "text" (such as html/css/js) and "application" (such as doc/xls/ppt/pdf)
If HTTP compression is enabled on the servers, AX transparently offloads this task from the servers
RAM Caching
AX RAM Caching
Caches objects unless explicitly denied by the server's response
Caches responses with the following codes:
200 OK
203 Non-Authoritative response
300 Multiple Choices
301 Moved Permanently
302 Found (only if an Expires header is also present)
410 Gone
Summary
AX Security
Module 6
Module objectives
Configure HA on AX devices
DDoS protection
DDoS configuration
WebUI: Config > SLB > Global
CLI: AX(config)# ip anomaly-drop <DDoS-type>
Policy-based SLB
PBSLB specifics
Large list support
Up to 8 M IP addresses
Up to 64 K IP subnets
Up to 32 group IDs
Highly efficient
B/W (black/white) lists are stored in hash tables
Can process Gbps of traffic
Automatic B/W list support
AX can update its B/W list automatically at specific intervals via TFTP
PBSLB components
A PBSLB list is a list of text entries, as follows:
ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
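To make the list format concrete, here is an added example (not A10's code, and not part of the course) that parses entries in the format above and keeps them in one hash table per prefix length, the way the slide says B/W lists are stored. The lookup semantics it assumes are not stated on the page: the most specific (longest-prefix) entry covering a client wins, a missing group-id means group 0, a missing conn-limit means unlimited, and the sample list is constructed for this example.

```python
"""Parser and lookup for PBSLB black/white (B/W) list entries.

Added example, not A10's code. Entry format, from the course slide:
    ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
Assumptions (not stated on the page): longest-prefix entry wins, missing
group-id = group 0, missing conn-limit = unlimited, IPv4 only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class BwEntry:
    network: ipaddress.IPv4Network
    group_id: int = 0                 # assumption: default group 0
    conn_limit: Optional[int] = None  # assumption: None = unlimited
    comment: str = ""


def parse_entry(line: str) -> Optional[BwEntry]:
    """Parse one list line into a BwEntry; returns None for a blank line."""
    body, _, comment = line.partition(";")      # ';' starts the comment-string
    tokens = body.split()
    if not tokens:
        return None
    # ipaddr alone is a /32 host; ipaddr/network-mask accepts /24 or /255.255.255.0
    network = ipaddress.ip_network(tokens[0], strict=False)
    group_id, conn_limit = 0, None
    for tok in tokens[1:]:
        if tok.startswith("#"):                  # '#conn-limit'
            conn_limit = int(tok[1:])
        else:                                    # a bare number is the group-id
            group_id = int(tok)
    return BwEntry(network, group_id, conn_limit, comment.strip())


class BwList:
    """B/W list kept as one hash table per prefix length, keyed by network."""

    def __init__(self, text: str) -> None:
        self._tables: Dict[int, Dict[ipaddress.IPv4Network, BwEntry]] = {}
        for line in text.splitlines():
            entry = parse_entry(line)
            if entry is not None:
                self._tables.setdefault(entry.network.prefixlen, {})[entry.network] = entry
        # Longest prefix first, so a host entry beats the subnet that contains it.
        self._prefixlens = sorted(self._tables, reverse=True)

    def lookup(self, client_ip: str) -> Optional[BwEntry]:
        """Return the most specific entry covering client_ip, or None if unlisted."""
        addr = int(ipaddress.IPv4Address(client_ip))
        for plen in self._prefixlens:
            candidate = ipaddress.IPv4Network((addr, plen), strict=False)
            hit = self._tables[plen].get(candidate)   # one hash lookup per prefix length
            if hit is not None:
                return hit
        return None

    def classify(self, client_ip: str, current_conns: int) -> Tuple[int, bool]:
        """Return (group_id, over_limit) for a client that already holds current_conns connections.

        What a group id or an exceeded limit means is decided by the PBSLB
        policy template, which is not modelled here; unlisted clients are group 0.
        """
        entry = self.lookup(client_ip)
        if entry is None:
            return 0, False
        over = entry.conn_limit is not None and current_conns >= entry.conn_limit
        return entry.group_id, over


# Constructed sample list, in the slide's entry format.
SAMPLE_LIST = """\
10.10.10.10 1 #5 ;single host in group 1, at most 5 connections
10.10.10.0/24 2 ;whole subnet in group 2, no connection limit
192.168.0.0/255.255.0.0 3 #100 ;dotted network-mask form
172.16.5.7 ;no group-id given, so group 0
"""

if __name__ == "__main__":
    bw = BwList(SAMPLE_LIST)
    for ip, conns in (("10.10.10.10", 5), ("10.10.10.99", 5), ("8.8.8.8", 5)):
        print(ip, bw.classify(ip, conns))
```

The per-prefix-length tables are what keep the lookup cost independent of list size: a client address costs at most one hash probe per distinct prefix length present in the list, which is how a list of millions of addresses can be checked at line rate.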
Policy-based SLB
PBSLB configuration
1. Create or Import a PBSLB list
WebUI (creation or import): Config > Service > PBSLB
CLI (import): AX(config)# import bw-list []
2. Create a PBSLB Policy template
WebUI: Config > Service > Template > PBSLB Policy
CLI: AX(config)# slb template policy <name> []
3. Assign the PBSLB Policy template to the Virtual Server Port
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N <type>
AX(config-slb vserver-vport)# template policy <name>
PBSLB statistics
WebUI: Monitor > Service > PBSLB
CLI (basic only): AX# show pbslb []
Access Control Lists
ACL components
[no] access-list acl-num [seq-num]
{permit | deny | remark string}
ip {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}}
{any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}}
[log [transparent-session-only]]
ACL configuration
1. Create an ACL
WebUI: Config > Network > ACL
CLI: AX(config)# access-list []
Access Control Lists
ACL configuration
2. Assign the ACL to Data interfaces, Management interface, or Virtual Server Ports
Data Interface:
WebUI: Config > Network > Interfaces > LAN
CLI: AX(config)# interface ethernet 1
AX(config-if:ethernet1)# access-list <num> in
Management:
CLI only: AX(config)# interface management
AX(config-if:ethernet1)# access-list <num> in
Virtual Server Port:
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N <type>
AX(config-slb vserver-vport)# access-list <name>
ACL statistics
CLI (only): AX# show access-list
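An added example (not A10's code, and not part of the course) that parses entries in the ACL syntax given under "ACL components" and evaluates a source/destination pair against them, so you can check what an ACL will do before binding it to an interface or VIP port. Everything about evaluation order is assumed rather than taken from the page: entries are tried in ascending seq-num order and the first match wins, an ACL with no matching entry denies, filter-mask is a wildcard mask in which 1 bits are "don't care", an entry written without a seq-num is placed 10 after the highest existing one, and a "no access-list" line removes the entry (or, without a seq-num, the whole ACL). The sample ACL and test addresses are constructed.

```python
"""Parser and first-match evaluator for AX-style access-list entries.

Added example, not A10's code. Syntax (from the course slide):
  [no] access-list acl-num [seq-num] {permit | deny | remark string}
  ip {any | host A | NET {filter-mask | /mask-length}} {any | host A | NET {...}}
  [log [transparent-session-only]]
Assumptions (not on the page): ascending seq order, first match wins, implicit
deny, filter-mask is a wildcard mask, missing seq = highest + 10, IPv4 only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AddrSpec:
    network: int   # 32-bit network address
    wildcard: int  # 1 bits are ignored when matching (assumed filter-mask meaning)

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        return (a ^ self.network) & (ALL_ONES ^ self.wildcard) == 0


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str            # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec
    log: bool
    transparent_only: bool  # log [transparent-session-only]


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse one address spec starting at tokens[i]; returns (spec, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return AddrSpec(0, ALL_ONES), i + 1
    if tok == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    if "/" in tok:                       # net/mask-length as one token
        net = ipaddress.ip_network(tok, strict=False)
        return AddrSpec(int(net.network_address), int(net.hostmask)), i + 1
    nxt = tokens[i + 1]
    if nxt.startswith("/"):              # net /mask-length as two tokens
        net = ipaddress.ip_network(tok + nxt, strict=False)
        return AddrSpec(int(net.network_address), int(net.hostmask)), i + 2
    # net filter-mask: dotted wildcard mask
    return AddrSpec(int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(nxt))), i + 2


def parse_acls(text: str) -> Dict[int, List[AclEntry]]:
    """Build {acl-num: entries sorted by seq} from access-list lines; remarks are skipped."""
    acls: Dict[int, List[AclEntry]] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        negate = tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {raw!r}")
        acl_num = int(tokens[1])
        entries = acls.setdefault(acl_num, [])
        i, seq = 2, None
        if i < len(tokens) and tokens[i].isdigit():
            seq, i = int(tokens[i]), i + 1
        if negate:                       # "no access-list N [seq]" removes entry or whole ACL
            if seq is None:
                acls.pop(acl_num, None)
            else:
                acls[acl_num] = [e for e in entries if e.seq != seq]
            continue
        action, i = tokens[i], i + 1
        if action == "remark":
            continue
        if action not in ("permit", "deny") or tokens[i] != "ip":
            raise ValueError(f"unsupported entry: {raw!r}")
        src, i = _parse_addr(tokens, i + 1)
        dst, i = _parse_addr(tokens, i)
        log = i < len(tokens) and tokens[i] == "log"
        transparent = log and i + 1 < len(tokens) and tokens[i + 1] == "transparent-session-only"
        if seq is None:
            seq = max((e.seq for e in entries), default=0) + 10
        entries.append(AclEntry(seq, action, src, dst, log, transparent))
        entries.sort(key=lambda e: e.seq)
    return acls


def evaluate(entries: List[AclEntry], src_ip: str, dst_ip: str) -> Tuple[str, bool, Optional[int]]:
    """First matching entry decides; returns (action, log, seq). No match: implicit deny (assumed)."""
    for e in entries:
        if e.src.matches(src_ip) and e.dst.matches(dst_ip):
            return e.action, e.log, e.seq
    return "deny", False, None


# Constructed sample ACL in the slide's syntax.
SAMPLE_ACL = """\
access-list 101 10 remark block one noisy host and log it
access-list 101 20 deny ip host 203.0.113.9 any log
access-list 101 30 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 40 permit ip 192.168.0.0 /16 host 10.0.0.5 log transparent-session-only
access-list 101 permit ip any 10.0.0.0/8
"""
```

Because the first match wins, the order of the deny for the single host and the broader permits matters; reversing entries 20 and 30 here would let a noisy host inside 10.10.10.0/24 through, which is the kind of mistake the evaluator is meant to catch before the ACL goes live.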
Management security
High Availability (HA)
Active-Standby Mode
Active AX processes all the production traffic
Standby AX does not process any production traffic
Standby AX mirrors all session information from Active AX
Reliability is scaled but not performance
Active-Standby Failover
Peer AX elected as active
Gratuitous ARPs for virtual, floating and NAT IPs are sent
Existing mirrored sessions are picked up by newly elected active AX
New sessions are served by newly elected active AX
High Availability (HA)
Active-Active Mode
Both AX units process the production traffic
Session and state information is mirrored between both AX units
Performance is scaled in addition to reliability
Note: Don't exceed 50% utilization on each unit for full HA
Active-Active Failover
Peer AX is elected active for HA group 2 and sends gratuitous ARPs for virtual IPs, floating IPs, and NAT IPs
Existing mirrored sessions are picked up by peer AX
Peer AX serves requests for both HA groups
High Availability (HA)
Step 3: Associate Group1 with half of the VIPs and Group2 with the second half
Step 4: Associate Group1 with the NAT Pools used by VIPs in Group1 and Group2 with the NAT Pools used by VIPs in Group2
High Availability
Configuration synchronization
WebUI: Config > HA > Config Sync
CLI: AX(config)# ha sync [all | data-files | running-config | startup-config] to-[running-config | startup-config] [with-reload] [all-partitions | partition]
Note: We recommend syncing "All" to the "startup-config + reload"
HA status
WebUI: Monitor > HA > Group
CLI: AX# show ha
High Availability
HA statistics
WebUI: Monitor > HA > Status
CLI: AX# show ha detail
Summary
Module 7
Module objectives
Module 7 Lesson 1
AX Flexibility
Points to keep in mind
Cookie persistence
aFleX
What is aFleX?
aFleX is a powerful and flexible AX feature that you can use to manage your traffic and provide enhanced benefits/services
aFleX uses industry-standard Tcl (Tool Command Language) based syntax
Standard Tcl commands
Special set of extensions provided by the AX
aFleX allows:
Content inspection (headers / data)
Actions on traffic
Block traffic
aFleX
Examples:
IP::remote_addr returns the remote IP address of a connection
aFleX
aFleX configuration
1. Place the aFleX script on the AX
Using the CLI
Use a computer with any text editor to write an aFleX script and save it as a file.
Use the import aflex command to import the aFleX file from the computer to the AX.
aFleX CLI syntax check: "aflex check <name>".
aFleX
aFleX statistics
WebUI: Monitor > Service > aFleX
CLI: AX# show aflex []
aFleX
aFleX examples
Redirect a specific client to a specific service group
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool sg2
    }
}
Note: This could be achieved by PBSLB too.
Redirect clients to https for the host secure.abc.com
when HTTP_REQUEST {
    if { [HTTP::host] equals "secure.abc.com" } {
        HTTP::redirect https://[HTTP::host][HTTP::uri]
    }
}
Note: This could NOT be achieved by PBSLB.
aFleX
aFleX examples
Redirect clients to specific pools based on the URL
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/finance" } {
        pool finance_pool
    } elseif { [HTTP::uri] starts_with "/dev" } {
        pool dev_pool
    }
}
Module 7 Lesson 2
ACOS Architecture Overview
ACOS = Resource Efficiency
Processing Efficiency
Eliminates unneeded cycles for faster processing
Zero locking, zero buffer copy, zero IPC, zero scheduling, zero interrupt
AX Shared Memory Advantage
Figure: AX Series Shared Memory versus the legacy approach (replicate to each core's dedicated memory)
Shared Memory
One copy of each item kept in memory, for example:
PBSLB List uses 64 MB of RAM, Total AX Memory Usage = 64 MB RAM
Cached Objects, 10 x 0.5 MB, Total AX Memory Usage = 5 MB
Total 69 MB of RAM used
ACOS Versus Legacy OS
ACOS: 32-bit or 64-bit OS (With Feature Parity)
Legacy OS: 32-bit OS Only
Summary
AX Management and Troubleshooting
Module 8
Module objectives
CLI
Console (RS-232 connection / 9600, 8, N, 1)
Telnet (disabled by default)
SSHv2
Web
HTTP (configurable ports - disabled by default)
HTTPS (configurable ports)
AX configuration components
Configuration file
(optional) aFleX files
(optional) PBSLB files
(optional) SSL certificates and keys
(optional) Geo-location files (option in GSLB and geo-location-based VIP access)
AX software management
AX software is stored on
Two disk partitions: primary and secondary
Second partition is designed for easy software rollback
Two Compact Flash partitions: primary and secondary
CF is designed for emergency recovery
Note: Each storage location has its own software and AX configuration
VLAN
VLAN allows AX to
Bind multiple physical interfaces to same broadcast domain
VLAN configuration
VLAN creation
WebUI: Config > Network > VLAN
CLI: AX(config)# vlan []
Virtual Interface (when selected in the VLAN configuration)
WebUI: Config > Network > Interface > Virtual
CLI: AX(config)# interface ve []
Important Point
Always configure virtual interfaces in AX routed mode integration to avoid loops!!!
First Steps configuration
Troubleshooting methodology
Troubleshooting tools
Troubleshooting tools
Debug
WebUI
The AX WebUI provides a number of report graphs that can help you identify potential issues
Example: CPU and server/virtual-server load information can help identify time periods when the system was under stress
SNMP
SNMP clients can query the AX for status information
The AX can be configured to send SNMP traps to servers/receivers
Troubleshooting tools
Debug (cont.)
debug packet <filters>
Define a set of filters for packet capture
Example: interface, IP address, protocol, port number, etc.
debug http/ssl/ (etc.)
Captures application-specific debug information
debug monitor
Use this command after defining a filter to display captured packets on screen
Make sure your filter is specific enough to capture only the packets needed for debugging
The CLI may become temporarily unresponsive if a large number of packets are captured to the screen
Troubleshooting tools
AXdebug
More filter options than debug packet
Allows saving captured packets to a local file (in tcpdump/Wireshark format) and then exporting them off the AX
Show techsupport
Provides important debug information for the A10 Support team
When possible, issue the command once before, during, and after the issue being experienced
Note: Make sure your terminal session has enough scroll-back lines to capture the full output (or log it to a text file)
Backup log
Provides detailed system information for debugging
Compresses data and exports the file off the AX
AX Release Process
Note: New hardware platforms support only the newest release available on their release date
AX Release Process
AX release tests
Test              MAJOR            Enhancement        Minor              PATCH
Unit              New features     New features       Fixes              Fixes
Functional        New features     New features       Fixes              Fixes
Negative          Full             Full               Affected           None
Stress            Full             Affected           None               None
Regression        Manual=full      Manual=affected    Manual=affected    Manual=affected
                  Automated=full   Automated=full     Automated=full     Automated=full
Sys Integration   Full             Full               Partial            Partial as needed
AX Release Process
Figure: release flow stages (Release, Approve, Functional Test, Alpha Test)
Training
Support
SEs
Core Engineers on Tier 2 support rotation
Passionate
Really care about customers
Company directive:
Customer issue is #1 Priority
How to contact AX support
Trace
Backup log
How to contact AX support
Support priorities (table garbled in extraction; only the recoverable cells are kept)
Priority 1: < 1 Hour*; Support Engineer
Priority 2: < 4 Hours; Support Engineer
Priority 3: Performance Impact, Installation Issue; < 8 Hour; < 2 Day; Support Engineer
Priority 4: Information request; < 4 Day; Support Engineer
Note: Priority 1 and 2 issues should be reported via phone (1-888-TACS-A10)
* 30 minutes or less
How to contact AX support
Escalation metrics
Priority 3, Flagged: TAC Engineer, TAC Engineer, TAC Engineer, TAC Manager; Medium
Priority 4, Flagged: TAC Engineer, TAC Engineer, TAC Engineer, TAC Engineer; Low (after 14 days)
Summary