
A10 Networks:

AX Planning, Deployment and Management


Class

Course AX-DSC-001.12

Table of Contents

 Module 1: Course Introduction

 Module 2: AX Product Line

 Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management

 Module 4: FTP, HTTP and HTTPS Protocols

 Module 5: AX Acceleration

 Module 6: AX Security

 Module 7: AX Power and Flexibility

 Module 8: AX Management and Troubleshooting


2
Course Introduction

Module 1

Module objectives

 Understand the course goals


 Understand the objective for the students

4
Goal of this course

 To present the A10 Networks AX product line


 To teach the basic load balancing concepts
 To present FTP, HTTP and HTTPS protocols
 To teach advanced AX load balancing concepts
 To prepare students to install, configure and manage the
AX device

Course map

 Module 2: AX Product Line


 Module 3: Basic Load Balancing Concepts and Related AX
Configuration & Management
 Module 4: FTP, HTTP and HTTPS Protocols
 Module 5: AX Acceleration Components
 Module 6: AX Security Components
 Module 7: AX Power and Flexibility
 Module 8: AX Management and Troubleshooting

6
AX Product Line

Module 2

Module objectives

 Understand the AX solution / market


 Understand the AX product portfolio
 Understand the feature set
 Understand the licensing

8
AX solution / market:
AX new generation load balancers

 New Generation in Design and Performance

 AX (ACOS), as positioned on the slide:
  ACOS designed for multi-core CPUs
  Hardware Accelerated Symmetrical Multiprocessing (SMP) Platform
  Flexible Traffic ASIC, SSL ASIC, Switching and Routing ASIC
  Highest throughput and performance

 Compared on the slide against designs with:
  Single CPU or Multi-CPU with instruction blocking
  Retrofitted platform
  Limited scalability
  Lower throughput
  Half the performance
  SSL ASIC only

AX solution / market:
AX new generation customer benefits

 Basic LB benefits
 Share load among multiple servers (load balancing)
 Provide high availability of services

 New Generation LB benefits


 Advanced load balancing (ex: based on HTTP request or SIP parameters)
 Advanced high availability of services (ex: application simulation and
testing)
 Acceleration of services (ex: SSL server offload and HTTP caching)
 "Securitization" of services (DDoS protection and DNS Security)
 Advanced Flexibility to allow the administrator to create their own LB rules
(using aFleX and aXAPI)

10
AX 32-bit Series Models (chart axes: Price vs. Overall Performance)

 AX 3200-11: 8.7 Gbps, 541,000 L4 CPS
 AX 2200-11: 7.4 Gbps, 302,000 L4 CPS
 AX 1000-11: 4 Gbps, 153,000 L4 CPS

AX 64-bit Series Models (chart axes: Price vs. Overall Performance; positioned for Large Enterprise or Service Provider)

 AX 5200: 40 Gbps, 3 Million L4 CPS
 AX 5100: 40 Gbps, 2 Million L4 CPS
 AX 3000-11*: 30 Gbps, 850,000 L4 CPS
 AX 2600*: 19 Gbps, 355,000 L4 CPS
 AX 2500: 11 Gbps, 300,000 L4 CPS
AX product line

 32-bit: AX Series Family Interface and hardware options

 Model                            AX 1000         AX 2000         AX 2100         AX 2200         AX 3100         AX 3200
 Ethernet Interfaces:
   Gigabit Copper                 6               8               8               16              16              16
   Gigabit Fiber SFP Mini GBIC    2               2               4               4               4               4
   10 Gigabit Fiber SFP+          0               0               0               0               2               2
 Management Interface             Yes             Yes             Yes             Yes             Yes             Yes
 Console Port                     Yes             Yes             Yes             Yes             Yes             Yes
 Storage                          Single          Single          Dual            Dual            Dual            Dual
 Cooling Fan                      Fixed           Hot Swap Smart Fan (AX 2000 through AX 3200)
 Power Supplies                   250 W RPS       Dual 460 W RPS  Dual 460 W RPS  Dual 600 W RPS  Dual 600 W RPS  Dual 600 W RPS
                                  (all models: 100 to 240 VAC, Frequency 50-60 Hz)
 Hardware Acceleration:
   Linear Decoupled Architecture  Yes             Yes             Yes             Yes             Yes             Yes
   Flexible Traffic ASIC          No              No              No              Yes             Yes             Yes
   SSL Acceleration ASIC          Yes             Yes             Yes             Yes             Yes             Yes
   Switching and Routing ASIC     No              No              No              Yes             Yes             Yes
   Hardware Compression ASIC      No              No              Option          Option          Option          Option

13

AX product line

 64-bit: AX Series Family Interface and hardware options

 Model                              AX 2500         AX 2600         AX 3000         AX 5100         AX 5200
 Management Interface               Yes             Yes             Yes             Yes             Yes
 Console Port                       Yes             Yes             Yes             Yes             Yes
 Storage                            SSD             SSD             SSD             SSD             SSD
 Cooling Fan                        Hot Swap Smart Fan (all models)
 Dual Power Supplies                400 W RPS       400 W RPS       400 W RPS       900 W RPS       900 W RPS
                                    (all models: 100 to 240 VAC, Frequency 50-60 Hz)
 Hardware Acceleration:
   Linear Decoupled Architecture    Yes             Yes             Yes             Yes             Yes
   Flexible Traffic ASIC            No              No              No              Yes x4          Yes x4
   SSL Acceleration ASIC            Yes             Yes             Yes             No              No
   Multi-ASIC High Performance SSL  Option          Option          Option          Option          Option
   Switching and Routing ASIC       No              No              No              Yes             Yes
   Hardware Compression ASIC        Option          Option          Option          Option          Option

 Ethernet Interfaces by Model Option Code ("-" = no option code):

 Model / Option Code    Gigabit Copper    Gigabit Fiber SFP Mini GBIC    10 Gigabit Fiber SFP+
 AX 2500 (-)            8                 4                              0
 AX 2600 GC             24                0                              0
 AX 2600 GF             0                 24                             0
 AX 2600 GCF            16                8                              0
 AX 3000 GC             16                0                              4
 AX 3000 GCF            8                 8                              4
 AX 5100 (-)            0                 4                              8
 AX 5200 (-)            0                 4                              16

14
AX feature set

 Layer 4 and Layer 7 Application Acceleration
 SSL ASIC
 RAM caching static or dynamic
 HTTP compression
 aFleX L7 TCL scripting for deep packet inspection
 Advanced NAT options
 AX High-Availability
 Firewall LB
 GSLB Global Server Load Balancing
 DNS Application Layer Firewall
 Operates in Layer 2/Layer 3 simultaneously
 aXAPI REST-based XML API for custom management
 Virtualized management
 Role-Based and Partition-Based Management
 Seamless Management for Multiple Devices
 IPv4 and IPv6 load balancing and management
 Full web interface or industry standard command line interface

(The slide highlights the features covered in this training.)

15

AX licensing

 No extra licenses required for performance or features

 Each AX is offered with full scalability and benefits

16
Summary

 In this module we discussed:


 AX is the New Generation of Load Balancers
 AX offers a portfolio to meet low-end Enterprise to high-end ISP/SP
needs
 AX offers a comprehensive set of load balancing features and other
features such as GSLB, IPv6, Virtualization, NAT and DNS firewall
 AX comes feature-complete with no extra licensing required

17

Basic Load Balancing Concepts and Related AX Configuration & Management

Module 3

18
Module objectives

 Understand Main Load Balancing Goals and Concepts


 Configure AX Basic L4 SLB VIP configuration steps
 Understand and Configure two common L4 SLB VIP
Options (Source IP Persistence + NAT)

19

Module 3 Lesson1

Main LB Goals and Concepts

20
Main load balancing goals and concepts

 Share load among multiple servers (load balancing)

 Provide high availability of services

21

Methods of load balancer integration into network

 Routed Mode

 Benefits:
  No change required on clients and servers
  Servers keep the Client IP@ visibility

 Points to keep in mind:
  SLB has to be the servers' default gateway (dgw)
  Clients can't be in the servers' subnet

23

Methods of load balancer integration into network

 One-Arm Mode

 Benefits:
  No change required on clients and servers
  Easy to test
  Clients can be in the servers' subnet

 Points to keep in mind:
  Servers lose the Client IP@ visibility
  Requires Source NAT on SLB
25

Methods of load balancer integration into network

 Transparent Mode

 Benefits:
  No change required on clients and servers
  Servers keep the Client IP@ visibility

 Points to keep in mind:
  Harder to implement: servers' responses must go through the AX

27

Methods of load balancer integration into network

 DSR Mode

 Benefits:
  Highly scalable (SLB processes only incoming traffic)

 Points to keep in mind:
  Can't use any AX layer 7 features
  Extra configuration required on every server (IP stack update)

29

Server Load Balancing

 AX SLB configuration has three core elements:


 Servers, Service Groups, Virtual Servers (VIPs)

30
Servers

 Minimum configuration
 Name
 IP address (can use DNS name)
 Ports

 Server configuration
 WebUI: Config > Service > SLB > Server
 CLI: AX(config)# slb server <name> []

 Server status and statistics


 WebUI: Monitor > Service > SLB > Server
 CLI: AX# show slb server []

31

Service groups

 Minimum configuration
 Name
 Type (TCP/UDP)
 LB Algorithm
 At least one Server/Port

 Service group configuration


 WebUI: Config > Service > SLB > Service Group
 CLI: AX(config)# slb service-group <name> []

 Service group status and statistics


 WebUI: Monitor > Service > SLB > Service Group
 CLI: AX# show slb service-group []

32
Service groups

 Service group load-balancing algorithms


 Round-Robin
 Least Connection
 Service Least Connection
 Weighted Round Robin
 Weighted Least Connection
 Service Weighted Least Connection
 Fastest Response time
 Least Request
 Round Robin Strict
 Stateless (new in release 2.4.2; see notes)
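The algorithms listed above differ only in which member of a healthy service group is chosen next. The following is an added illustration (not ACOS code) of round-robin, weighted round-robin, least connection, weighted least connection, least request and fastest response; the member names, weights and counters are constructed, and "fastest response" relies on a response time the caller has already measured and smoothed.

```python
"""Toy service-group scheduler for the algorithms on the slide. Example code,
not A10 code: members, weights and counters are constructed."""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int = 1            # used by the weighted algorithms
    up: bool = True            # health-monitor result; down members are skipped
    active_conns: int = 0      # open connections (Least Connection)
    requests: int = 0          # requests dispatched (Least Request)
    response_ms: float = 0.0   # smoothed response time (Fastest Response)


class ServiceGroup:
    def __init__(self, members):
        self.members = list(members)
        self._rr = 0           # rotating index used by the round-robin variants

    def _healthy(self):
        return [m for m in self.members if m.up]

    def round_robin(self):
        pool = self._healthy()
        if not pool:
            return None
        m = pool[self._rr % len(pool)]
        self._rr += 1
        return m

    def weighted_round_robin(self):
        # A member of weight w occupies w slots of every cycle.
        pool = self._healthy()
        if not pool:
            return None
        slots = [m for m in pool for _ in range(m.weight)]
        m = slots[self._rr % len(slots)]
        self._rr += 1
        return m

    def least_connection(self):
        # min() keeps the first member on a tie, so order in the group matters.
        return min(self._healthy(), key=lambda m: m.active_conns, default=None)

    def weighted_least_connection(self):
        # Connections are compared relative to weight: a weight-3 member may
        # carry three times the connections of a weight-1 member.
        return min(self._healthy(), key=lambda m: m.active_conns / m.weight, default=None)

    def least_request(self):
        return min(self._healthy(), key=lambda m: m.requests, default=None)

    def fastest_response(self):
        return min(self._healthy(), key=lambda m: m.response_ms, default=None)

    def dispatch(self, algorithm):
        """Pick a member with the named algorithm and account one new connection."""
        m = getattr(self, algorithm)()
        if m is not None:
            m.active_conns += 1
            m.requests += 1
        return m

    def release(self, member):
        member.active_conns -= 1


def demo():
    """Constructed walk-through; returns the member chosen at each step."""
    a, b, c = Member("a", weight=3), Member("b"), Member("c")
    sg = ServiceGroup([a, b, c])
    out = {}
    out["rr"] = [sg.round_robin().name for _ in range(4)]             # a b c a
    sg._rr = 0
    out["wrr"] = [sg.weighted_round_robin().name for _ in range(6)]   # a a a b c a
    a.active_conns, b.active_conns, c.active_conns = 3, 2, 2
    out["lc"] = sg.least_connection().name                            # b (first of the ties)
    out["wlc"] = sg.weighted_least_connection().name                  # a (3/3 < 2/1)
    a.response_ms, c.response_ms = 12.5, 3.0
    b.up = False                                                      # health monitor failed
    sg._rr = 0
    out["rr_skip_down"] = [sg.round_robin().name for _ in range(3)]   # a c a
    out["fastest"] = sg.fastest_response().name                       # c
    return out
```

Marking a member down (as a failed health monitor would) removes it from every algorithm's pool without disturbing the others' counters.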

33

Virtual Server (VIP)

 Minimum configuration
 Name
 IP address (accessed by end-users)
 Virtual Server Ports (usually)

 Virtual server configuration


 WebUI: Config > Service > SLB > Virtual Server
 CLI: AX(config)# slb virtual-server <name> []

 Virtual server status and statistics


 WebUI: Monitor > Service > SLB > Virtual Server
 CLI: AX# show slb virtual-server []

34
Virtual server (VIP)
Virtual server port (VIP port)

 Minimum configuration
 Type (TCP/UDP/HTTP/HTTPS/Fast-HTTP/RTSP/FTP/MMS/
SSL-Proxy/SMTP/SIP/SIP-TCP/SIP-TLS/Others)
 Port
 Service Group (usually)

 Virtual server port configuration


 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N <type>

 Virtual server port status and statistics


 WebUI: Monitor > Service > SLB > Virtual Server
 CLI: AX# show slb virtual-server []

35

Health monitors

 Service availability is checked using health monitors

 Health monitors apply to:


 Server
 AND/OR Server:Port
 AND/OR Service Group

Note: For simplicity, health monitors generally


are applied to service groups.

36
Health monitors

 Health monitors can test server availability


 On layer 3: ping (icmp)
 On layer 4: tcp, udp
 On layer7 (application): http, https, ftp, smtp, pop3, snmp, dns, radius,
ldap, rtsp, sip, ntp
 Via manually created scripts

 Multiple L3/L4/L7 tests can also be combined in a Boolean


expression (and/or/not)

 Health monitor configuration


 WebUI: Config > Service > Health Monitor
 CLI: AX(config)# health monitor []

37

Service group health monitor

 Health Monitoring is done on all Service Group members


 If HM fails for a specific member, the service group stops using this
member for load balancing
Note: By default there is no health monitor configured on the Service
Group

 Service Group HM configuration


 WebUI: Config > Service > SLB > Service Group "Health Monitor"
 CLI: AX(config)# slb service-group <sg-name> <tcp|udp>
AX(config-slb svc group)# health-check <hm-name>

 Service Group HM status


 WebUI: Monitor > Service > SLB > Service Group (expand Service
Group)
 CLI: AX# show slb service-group <sg-name>

38
Server port health monitor

 Health Monitoring is done on the Server Port


 If HM fails, that server port will be considered down and service groups
configured with that specific server:port will stop using it for load
balancing
Note: Default Server Port health monitor is a TCP handshake for TCP ports
and UDP packets for UDP ports.

 Server Port HM configuration


 WebUI: Config > Service > SLB > Server > Port "Health Monitor"
 CLI: AX(config)# slb server <server-name>
AX(config-real server)# port N <tcp|udp>
AX(config-real server-node port)# health-check <hm-name>

 Server Port HM status


 WebUI: Monitor > Service > SLB > Server (expand Server)
 CLI: AX# show slb server <server-name>
39

Server health monitor

 Health Monitoring is done on the Server


 If HM fails, that server will be considered down and service groups
configured with that specific server will stop using it for load balancing
Note: Default Server health monitor is icmp.

 Server HM configuration
 WebUI: Config > Service > SLB > Server "Health Monitor"
 CLI: AX(config)# slb server <server-name>
AX(config-real server)# health-check <hm-name>

 Server HM status
 WebUI: Monitor > Service > SLB > Server (expand Server )
 CLI: AX# show slb server <server-name>

40
Module 3 Lesson2

Common SLB VIP Options

41

Source IP persistence

 When to use Source IP persistence


 Source IP persistence must be used when clients must have their future
connections/traffic terminated on the same server

42
Source IP persistence

 Source IP persistence configuration steps


1. Create one Source IP Persistence Template
 Name
 Type: Port (persistence per VIP:Port)
or Server (persistence per VIP)
or Service-Group (persistence per URL or Host switching see
Module 4 lesson 2)
 Timeout: How long inactive entries are saved (default = 5 minutes)
 Don't Honor Conn Rules: Ignore connection limits defined on Servers and
Server Ports and connect new clients' connections to the Server (default =
disabled)
 Netmask: Granularity of Client IP address hashing (default = 255.255.255.255
for the most granularity)
2. Assign the Source IP Persistence Template to the Virtual Server Port
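The template parameters above (Netmask, Timeout, Don't Honor Conn Rules) map directly onto a small persistence table. The code below is an added example, not ACOS code: it keys the table on the client address masked with the template netmask, expires idle entries after the timeout (300 s by default, as on the slide), and, with the default "honor connection rules" behaviour, refuses to reuse a persisted server that reports itself at its connection limit. Server names, client addresses and the injected clock are constructed.

```python
"""Source-IP persistence table. Example code, not A10 code; servers, client
addresses and the clock are constructed so it runs offline."""
import ipaddress
import time


class SourceIpPersistence:
    def __init__(self, netmask="255.255.255.255", timeout=300,
                 honor_conn_rules=True, clock=time.monotonic):
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout                # seconds an idle entry is kept
        self.honor_conn_rules = honor_conn_rules
        self.clock = clock
        self.table = {}                       # masked client address -> (server, last_seen)

    def _key(self, client_ip):
        # The netmask sets granularity: /32 tracks each client, /24 groups a subnet.
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(client_ip)) & self.mask))

    def select(self, client_ip, choose_server, at_conn_limit=lambda server: False):
        """Return the persisted server for this client, or pick one via choose_server()."""
        now = self.clock()
        key = self._key(client_ip)
        entry = self.table.get(key)
        server = None
        if entry is not None and now - entry[1] <= self.timeout:
            server = entry[0]
            # Default behaviour: a persisted server at its connection limit is not
            # reused. "Don't Honor Conn Rules" would skip this check.
            if self.honor_conn_rules and at_conn_limit(server):
                server = None
        if server is None:
            server = choose_server()
        self.table[key] = (server, now)       # create or refresh the entry
        return server

    def purge(self):
        """Drop entries idle longer than the timeout; returns how many were removed."""
        now = self.clock()
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)


def demo():
    """Constructed walk-through of netmask granularity, timeout and conn rules."""
    clock = [1000.0]
    tick = lambda: clock[0]
    out = {}
    # /24 granularity: every client of 10.1.1.0/24 sticks to the same server
    subnet = SourceIpPersistence(netmask="255.255.255.0", clock=tick)
    rr = iter(["srv1", "srv2", "srv3", "srv4"])
    pick = lambda: next(rr)
    out["first"] = subnet.select("10.1.1.10", pick)          # srv1 (new entry)
    out["same_subnet"] = subnet.select("10.1.1.77", pick)    # srv1 (same /24 key)
    out["other_subnet"] = subnet.select("10.1.2.5", pick)    # srv2
    clock[0] += 301                                          # past the 5-minute default
    out["after_timeout"] = subnet.select("10.1.1.10", pick)  # srv3 (entry expired)
    out["purged"] = subnet.purge()                           # 1 (the idle 10.1.2.0 entry)
    # honor conn rules: a persisted server at its limit is not reused
    host = SourceIpPersistence(clock=tick)
    rr2 = iter(["srvA", "srvB"])
    pick2 = lambda: next(rr2)
    host.select("192.0.2.1", pick2)                           # srvA stored
    out["at_limit"] = host.select("192.0.2.1", pick2,
                                  at_conn_limit=lambda s: s == "srvA")  # srvB
    return out
```

Note what a coarser netmask implies operationally: with 255.255.255.0 a whole /24 behind one NAT gateway lands on a single server, which is exactly the trade-off the slide's "granularity" wording refers to.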

43

Source IP persistence

 Source IP persistence configuration


 Create one Source IP Persistence Template
 WebUI: Config > Service > Template > Persistent > Source IP Persistence
 CLI: AX(config)# slb template persist source-ip <name>
 Assign the Source IP Persistence Template to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N tcp
AX(config-slb vserver-vport)# template persist
source-ip <name>

 Source IP persistence entries


 CLI: AX# show session persist src-ip []

44
Network Address Translation

 AX provides multiple NAT services


 SLB source NAT
 Layer3 NAT

45

Network Address Translation SLB source NAT

 When to use SLB source NAT


 SLB Source NAT must be used when server responses don't
automatically pass through the AX, such as in One-Arm mode or when
servers and the AX are in different subnets

46
Network Address Translation SLB source NAT

 SLB source NAT configuration steps


1. Create one IP Source NAT Pool:
Name: Name of the template
Start IP address: First IP address for the SLB source NAT (can be the AX
interface IP address)
End IP address: Last IP address for the SLB source NAT (can be the same as
"Start IP address")
Note: If the "Start" and "End IP address" are the same, the AX will NAT
with one unique IP address and can NAT up to 64k flows.
Netmask: Specify the netmask of the SLB source IP addresses.
Note: This is used by the "IP Source NAT Group" when servers are in
different subnets (see AX Config Guide for more information).
(optional) Gateway: Specify a specific gateway to use to reply to the clients'
requests when SLB Source NAT has been used.
(optional) "HA Group": Specify the HA group to tie to the SLB source NAT
pool.
2. Assign the SLB Source NAT Pool to the Virtual Server Port

47

Network Address Translation SLB source NAT

 SLB source NAT configuration


1. Create one IP Source NAT Pool:
 WebUI: Config > Service > IP Source NAT > IPv4 Pool
 CLI: AX(config)# ip nat pool <pool-name>
2. Assign the SLB Source NAT Pool to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N <type>
AX(config-slb vserver-vport)# source-nat
pool <pool-name>

48
Network Address Translation SLB source NAT

 SLB source NAT statistics


 WebUI: Monitor > Service > IP Source NAT > Pool
 CLI: AX# show ip nat pool statistics

49

Network Address Translation Layer3 NAT

 When to use Layer3 NAT


 Layer3 NAT is used to NAT specific traffic such as clients or servers on
private networks that have to access Internet

50
Network Address Translation Layer3 NAT

 Dynamic Layer3 NAT


 Used to source NAT dynamically internal clients with one or a group of
IP@ (also called NAT n to 1)

51

Network Address Translation Layer3 NAT

 Dynamic Layer3 NAT configuration steps


1. Create one or more IP Source NAT Pool with the "NATed" IP@
2. (optional) Group IP Source NAT pools in one IP Source NAT Group
3. Create an ACL with the source IP@ to NAT
4. Bind the ACL with the IP Source NAT Pool (or Group Pool)
5. Enable inside NAT on AX inside and outside interfaces

52
Network Address Translation Layer3 NAT

 Dynamic Layer3 NAT configuration


 Create one or more IP Source NAT Pool with the "NATed" IP@
 WebUI: Config > Service > IP Source NAT > IPv4 Pool
 CLI: AX(config)# ip nat pool <pool-name>
 (optional) Group IP Source NAT pools in one IP Source NAT Group
 WebUI: Config > Service > IP Source NAT > Group
 CLI: AX(config)# ip nat pool-group <pool-group-name>
 Create an ACL with the source IP@ to NAT
 WebUI: Config > Network > ACL
 CLI: AX(config)# access-list []
 Bind the ACL with the IP Source NAT Pool (or Group Pool)
 WebUI: Config > Service > IP Source NAT > Binding
 CLI: AX(config)# ip nat inside source list [acl#] pool
[pool-group-name | pool-name]

53

Network Address Translation Layer3 NAT

 Dynamic Layer3 NAT configuration (cont.)


 Enable inside NAT on AX inside and outside interfaces
 On the inside interfaces
 WebUI: Config > Service > IP Source NAT > Interface
 CLI: AX(config)# interface ethernet #
AX(config-if:ethernetx)# ip nat inside
 On the outside interfaces
 WebUI: Config > Service > IP Source NAT > Interface
 CLI: AX(config)# interface ethernet #
AX(config-if:ethernetx)# ip nat outside

54
Network Address Translation Layer3 NAT

 Dynamic Layer3 NAT statistics


 WebUI: Monitor > Service > IP Source NAT > Pool
 CLI: AX# show ip nat pool statistics

55

Network Address Translation Layer3 NAT

 Static Layer3 NAT


 Used to source NAT statically servers with dedicated IP@ (also called
NAT 1 to 1)
Note: Static NAT allows communication started from outside.

56
Network Address Translation Layer3 NAT

 Static Layer3 NAT configuration steps


1. Create IP Static NAT or NAT range
2. Enable inside NAT on AX inside and outside interfaces
3. Enable Static Host Source NAT (if IP Static NAT used)

57

Network Address Translation Layer3 NAT

 Static Layer3 NAT configuration


 Create IP Static NAT
 WebUI: Config > Service > IP Source NAT > Static NAT
 CLI: AX(config)# ip nat inside source static [original-
IP@] [NAT-IP@]
 Or create NAT Range
 WebUI: Config > Service > IP Source NAT > NAT Range
 CLI: AX(config)# ip nat range-list []

58
Network Address Translation Layer3 NAT

 Static Layer3 NAT configuration (cont.)


 Enable inside NAT on AX inside and outside interfaces
 On the inside interfaces
 WebUI: Config > Service > IP Source NAT > Interface
 CLI: AX(config)# interface ethernet #
AX(config-if:ethernetx)# ip nat inside
 On the outside interfaces
 WebUI: Config > Service > IP Source NAT > Interface
 CLI: AX(config)# interface ethernet #
AX(config-if:ethernetx)# ip nat outside
 Enable Static Host Source NAT (if IP Static NAT used)
 WebUI: Config > Service > IP Source NAT > Global
 CLI: AX(config)# ip nat allow-static-host

59

Network Address Translation Layer3 NAT

 Static Layer3 NAT statistics


 WebUI: Monitor > Service > IP Source NAT > Static NAT
 CLI: AX# show ip nat static-binding statistics

60
Network Address Translation

 Virtual Server Port option "Source NAT traffic against VIP"


 This option allows the AX administrator to apply the Layer3 NAT settings
on the VIP for the internal clients

 If SLB source NAT is also configured, all clients not using Layer3 NAT
will use the SLB source NAT Pool

61

Summary

 In this module, we discussed:


 Load Balancing's main goals: server load sharing and high availability of
services
 Load Balancers can be integrated in different ways into existing
architectures, all supported by AX

 And also:
 Configured one AX L4 SLB VIP
 Explained two common L4 SLB options and their AX configuration:
Source IP Persistence and NAT
 Configured Source IP Persistence, SLB Source NAT and static Layer3
NAT on AX

62
FTP, HTTP and HTTPS protocols

Module 4

63

Module objectives

 Understand protocols
 FTP
 HTTP
 HTTPS

 Understand Load Balancing specifics for each

 Configure FTP, HTTP and HTTPS VIPs

64
Module 4 Lesson1

FTP protocol

65

FTP protocol

 File Transfer Protocol (FTP) RFC is 959 (http://www.w3.org/Protocols/rfc959/)

 FTP is an unencrypted TCP protocol used to transfer files between clients and servers

 FTP has 2 connections


 Control session
 Data Session

66
FTP protocol

 FTP Control Session


 Used for client/server communication. No data is sent on this connection.
 This session is established from the client to the server (usually on port
21).

 FTP Data session


 This session is open "on demand" when there is need to send data
between the client and the server.
 Used for client/server data exchange only.

Important Notes:
 The Control Session remains open for the duration of the FTP connection
 The data session will be closed at the end of each object transfer. If you
transfer 3 files, you'll have 3 data sessions (one at a time).

67


FTP protocol

 FTP Data session 2 modes


There are two data session modes. The mode is negotiated between the
client/server on the control session.
 Active Mode (default)
 In the control session, the client tells the server what IP and TCP port to use to
establish the data connection.
 The server establishes the data connection to the client, and data requested in
the control session can be exchanged.

68
FTP protocol

 FTP Data session 2 modes (cont.)


 Passive Mode
 In the control session, the server tells the client what IP and TCP port to use to
establish the data session.
 The client establishes the data connection to the server, and data requested in
the control session can be exchanged.

69

Load balancer configuration for FTP applications

 Control session resets


 During data exchange (in the data session) there is no activity in the control session.
 Load Balancers track activity on load balanced sessions and flush stale connections. If the data transfer takes too long, the control connection will be dropped.

70
Load balancer configuration for FTP applications

 Active Mode - Data session established from the server IP@ (not the VIP IP@)
 Client establishes control connection to the VIP.
 With Active Mode, the client expects the data session from the VIP IP@ and not the Server IP@.

71

Load balancer configuration for FTP applications

 Passive Mode - Data session established to the server IP@ (not the VIP IP@)
 Client establishes control connection to the VIP.
 With Passive Mode, the client expects to open the data session to the VIP IP@ and not the Server IP@.

72
Load balancer configuration for FTP applications

 Control session resets


 Solution is to increase SLB aging time on Load Balancer
 However, on AX, control and data session times are linked, so there is no
need to update the timer.
Note: AX default aging time is 120 seconds

73

Load balancer configuration for FTP applications

 AX configuration to update default aging timer


For example, to allow users to spend more than 120 seconds between
FTP commands.
1. Create a TCP template with 15,000 seconds Idle Timeout
 WebUI: Config > Service > Template > L4 > TCP
 CLI: AX(config)# slb template tcp <name>
AX(config-l4 tcp)# idle-timeout 15000
2. Assign the TCP template to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N tcp
AX(config-slb vserver-vport)# template tcp <name>

 Show aging time of SLB entries


 CLI: AX# show session []

74
Load balancer configuration for FTP applications

 Active Mode - Data session established from the server IP@ (not VIP IP@)
 Load Balancers need to automatically Source NAT the data connection from the servers with the VIP IP@.
 This is done automatically on AX when the SLB VIP is defined as FTP type
 AX configuration:
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N ftp

75

Load balancer configuration for FTP applications

 Passive Mode - Data session established to the server IP@ (not the VIP IP@)
 Load Balancers need to rewrite the server IP@ advertised to the client in the passive-mode reply with the VIP IP@, so the client opens its data session to the VIP.
 This is done automatically on AX when the SLB VIP is defined as service type FTP
 AX configuration:
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N ftp
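What the FTP service type does for both modes is inspect the control session for the RFC 959 host-port strings. The code below is an added example, not ACOS code, of that application-level handling: for passive mode it rewrites the server's `227` reply so the client connects to the VIP and records the VIP:port to server:port mapping the load balancer must then honour; for active mode it decodes the client's `PORT` command, checks that the announced address really is the control-session client, and reports that the server's outbound data connection has to be source-NATed to the VIP. The addresses (server 10.1.1.10, VIP 203.0.113.5, client 192.0.2.20) are constructed.

```python
"""FTP control-session handling on a load balancer (PORT / 227 reply). Example
code, not A10 code; all addresses are constructed."""
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the first h1,h2,h3,h4,p1,p2 group in text into (ip, port)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port string in: %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def format_hostport(ip, port):
    """Inverse of parse_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_pasv_reply(reply, server_ip, vip):
    """Passive mode: the real server advertises its own address in the 227 reply.
    Replace it with the VIP and return (rewritten reply, expected data session)
    where the expected session is (vip, port, server_ip, port): the LB must map
    the client's connection to VIP:port onto server:port."""
    ip, port = parse_hostport(reply)
    if ip != server_ip:
        raise ValueError("227 reply advertises %s, expected server %s" % (ip, server_ip))
    rewritten = _HOSTPORT.sub(format_hostport(vip, port), reply, count=1)
    return rewritten, (vip, port, server_ip, port)


def active_data_session(port_command, client_ip, vip):
    """Active mode: the client names its own listener in PORT; the server will
    connect to it, and the LB must source-NAT that connection to the VIP so the
    client sees the data session coming from the VIP. Returns
    (client_ip, client_port, nat_source). The announced address must match the
    control-session client, otherwise the command is rejected."""
    ip, port = parse_hostport(port_command)
    if ip != client_ip:
        raise ValueError("PORT address %s differs from control-session client %s"
                         % (ip, client_ip))
    return ip, port, vip
```

Both helpers refuse inconsistent input rather than guessing: a `227` reply that does not name the expected real server, or a `PORT` that names a third host, is the kind of control-session content a load balancer should drop instead of acting on.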

76
Module 4 Lesson2

HTTP protocol

77

HTTP protocol

 HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)

 HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80)
Note: HTTPS uses the same protocol with explicit SSL encryption for
higher security (usually on port 443)

 HTTP is a sequence of network request/response transactions
Important Note: Browsers open multiple TCP sessions to download
multiple objects from 1 web site in parallel (2 sessions with IE5.5/6.0,
6 sessions with IE8, 15 sessions with Firefox 3.x)

 Request and response options are sent via headers

78
HTTP requests

 Main request methods


 "GET url": Request object from server
 "POST url": Send data/object to server
 Others: HEAD, CONNECT
Important Note: The Host (such as www.a10networks.com) is not part of
the url, but is listed in the "Host" header in the request

 Main request headers


 "Host": Site name
 "Connection: Keep-Alive" : Client support for using the same session for
multiple request/response transactions
 "Accept-Encoding: gzip, deflate": Support for HTTP compression
 "Cookie": Text used to keep track of user information

79

HTTP responses

 Main server response codes


 200: OK (object in the response)
 301: Redirect permanently
 302: Temporary redirect
 304: Not Modified
 404: Page not found
 5xx: Server error

 Main response headers


 "Last-Modified": When object was last modified
 "Etag": Entity tag (used to detect object changes)
 "Connection: Keep-Alive": Server support for using the same session for
multiple request/response transactions
 "Set-Cookie": Asks user to save cookie to keep track of user information
 "Cache-Control" / "Pragma": Cacheability of the object
80
HTTP example (using HttpFox)

81

Load balancer configuration for HTTP applications

 Load Balancers don't need a specific configuration for basic HTTP load balancing - Any L4 SLB VIP works for HTTP services

 However, advanced load balancers provide techniques for improving HTTP services
 Better Availability (see below)
 Better Flexibility (see below and Module 7 - aFleX)
 Better Performance/Acceleration (see Module 5)
 Better Security (see below and Module 6)

82
Load balancer configuration for HTTP applications: greater availability

 HTTP Health Monitor


 AX provides the ability to test HTTP/HTTPS services using Health
Monitors
 HTTP/HTTPS Health Monitors have the following required parameters:
 Port: TCP port
 Method (GET or HEAD or POST)
 URL
 And the following optional parameters:
 User + Password: For web sites that require authentication
 Expect: Server Response code or Server text
 Maintenance Code: To automatically mark the server in maintenance, rather
than down (so users with persistence to that server remain on that server)
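To make the parameter list concrete, here is an added example (not ACOS code) of what an HTTP health monitor does with them: it builds the probe request (GET, HEAD or POST, with optional Basic authentication from User + Password) and classifies the raw response as up, down or maintenance. `expect` is either a status code or a text fragment that must appear in the body; when no Expect is given the example treats any 2xx/3xx status as up, which is an assumption of this example. The server responses are constructed strings; no network I/O is performed.

```python
"""HTTP health-monitor request building and response evaluation. Example code,
not A10 code; the responses below are constructed."""
import base64


def build_request(method, url, host, user=None, password=None):
    """Build the probe request the monitor would send."""
    if method not in ("GET", "HEAD", "POST"):
        raise ValueError("unsupported method %r" % method)
    lines = ["%s %s HTTP/1.1" % (method, url), "Host: %s" % host,
             "User-Agent: health-monitor", "Connection: close"]
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password or "")).encode()).decode()
        lines.append("Authorization: Basic " + token)
    if method == "POST":
        lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


def evaluate(response, expect=None, maintenance_code=None):
    """Return 'up', 'down' or 'maintenance' for a raw HTTP response.

    expect: int -> required status code; str -> text that must appear in the body;
            None -> (assumption of this example) any 2xx/3xx status counts as up.
    maintenance_code: status that marks the server 'maintenance' instead of
            'down', so clients with persistence to it stay there while no new
            clients are sent. It takes precedence over expect.
    """
    head, _, body = response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "down"                      # not an HTTP response at all
    code = int(parts[1])
    if maintenance_code is not None and code == maintenance_code:
        return "maintenance"
    if isinstance(expect, int):
        return "up" if code == expect else "down"
    if isinstance(expect, str):
        return "up" if expect in body else "down"
    return "up" if 200 <= code < 400 else "down"


# Constructed responses standing in for three real servers.
OK_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhealth: OK\r\n"
MAINT_RESPONSE = "HTTP/1.1 503 Service Unavailable\r\nRetry-After: 120\r\n\r\nmaintenance\r\n"
NOT_HTTP = "SSH-2.0-OpenSSH_8.9\r\n"     # wrong service answering on the probed port
```

Checking for expected text rather than only the status code catches the failure the slide's Expect option is for: a server that answers 200 with an error page or an empty body is down from the user's point of view.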

83

Load balancer configuration for HTTP applications: greater flexibility

 AX offers advanced flexibility options for web applications

 These options are available via HTTP templates


 WebUI: Config > Service > Template > Application > HTTP
 CLI: AX(config)# slb template http <name> []

 HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"

84
Load balancer configuration for HTTP applications: greater flexibility

 HTTP template options


 URL Hash switching
 Load Balancing of Servers is done based on hash on the URL (beginning or
end of the URL).
 This option is usually used for Web Cache load balancing.
 Host/URL switching
 Selection of Servers is done based on Host or URL (beginning or end).
 This option also is usually used for Web Cache load balancing.
 Request/Response Header Erasure/Insertion
 Allows the AX to insert or remove
 client request header (such as "Accept-Encoding")

 server response header (such as "Cache-Control")

 This option usually is used to centrally change web server behavior without
changing the web servers configuration.

85

Load balancer configuration for HTTP applications: greater flexibility

 HTTP template options (cont.)


 Strict Transaction Switching
 Allows HTTP/HTTPS load balancing per request (instead of per session).
 This option usually is used when the load among the Servers is unequal.

86
Load balancer configuration for HTTP applications: greater security

 AX offers advanced security options for web applications

 These options are available via HTTP templates


 WebUI: Config > Service > Template > Application > HTTP
 CLI: AX(config)# slb template http <name> []

 HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"

Note: Some of the following options can be considered as


availability and flexibility options too.

87

Load balancer configuration for HTTP applications: greater security

 URL failover
 When all servers are disabled or have failed, the AX can send an HTTP
redirect to a "backup site" or "sorry page".
 This option usually is used with "backup sites" or "sorry pages".

88
Load balancer configuration for HTTP applications: greater security

 URL redirect / rewrite


 When the Server replies with an HTTP redirect, the AX can rewrite it with
a new value.
 This option usually is used for transparent "SSL-ization" of HTTP web
applications.

89

Load balancer configuration for HTTP applications: greater security

 Retry HTTP request on HTTP 5xx


 When the Server replies with a 5xx error, by default the AX forwards it to
the client. The retry option allows the AX to resend the request to another
Server in the Service Group.
 The following options are available:
 "On HTTP 5xx code for each request": The client request is resent to a new
server
 "On HTTP 5xx code": The client request is resent to a new server + the server
that replied with the 5xx is not used for new requests for 30 seconds
 "#": Number of servers that can be tried
 Logging: Generates logs when this event happens (not available in WebUI in
AX 2.4.2)
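The retry options above describe a small piece of dispatch logic, shown here as an added example that is not ACOS code. Mode `per_request` corresponds to "On HTTP 5xx code for each request" (resend to another server, remember nothing), mode `quarantine` to "On HTTP 5xx code" (resend, and keep the failing server out of new requests for 30 seconds), `max_servers` to the "#" option, and the `log` list to the Logging option. The servers and the fake `send()` function that returns a status code are constructed.

```python
"""Retry-on-5xx dispatch with optional 30-second quarantine of the failing
server. Example code, not A10 code; servers and send() are constructed."""
import time


class RetryOn5xx:
    def __init__(self, servers, mode="per_request", max_servers=2,
                 hold_seconds=30, clock=time.monotonic, log=None):
        self.servers = list(servers)
        self.mode = mode                 # "per_request" or "quarantine"
        self.max_servers = max_servers   # the "#" option: servers that may be tried
        self.hold = hold_seconds         # quarantine length (30 s on the slide)
        self.clock = clock
        self.until = {}                  # server -> time its quarantine ends
        self.log = log if log is not None else []
        self._rr = 0                     # round-robin start offset

    def available(self):
        """Servers not currently quarantined."""
        now = self.clock()
        return [s for s in self.servers if self.until.get(s, 0) <= now]

    def dispatch(self, request, send):
        """send(server, request) -> HTTP status code. Returns (server, status).
        A 5xx is retried on the next server until a non-5xx answer or until
        max_servers have been tried; the last 5xx then goes back to the client."""
        now = self.clock()
        candidates = self.available()
        if not candidates:
            return None, 503                 # nothing to send to
        start = self._rr % len(candidates)
        order = candidates[start:] + candidates[:start]
        self._rr += 1
        server, status = None, None
        for server in order[:self.max_servers]:
            status = send(server, request)
            if not 500 <= status < 600:
                return server, status
            self.log.append("5xx %d from %s for %s" % (status, server, request))
            if self.mode == "quarantine":
                self.until[server] = now + self.hold
        return server, status


def demo():
    """Constructed walk-through: srvA always fails, srvB and srvC answer 200."""
    clock = [0.0]
    tick = lambda: clock[0]
    status_of = {"srvA": 503, "srvB": 200, "srvC": 200}
    send = lambda server, request: status_of[server]
    out = {}
    policy = RetryOn5xx(["srvA", "srvB", "srvC"], mode="quarantine",
                        max_servers=2, clock=tick)
    out["first"] = policy.dispatch("GET /", send)     # ('srvB', 200): retried after srvA's 503
    out["quarantined"] = policy.available()           # ['srvB', 'srvC'] for the next 30 s
    clock[0] += 31
    out["released"] = policy.available()              # ['srvA', 'srvB', 'srvC']
    out["log_entries"] = len(policy.log)              # 1
    strict = RetryOn5xx(["srvA", "srvB"], max_servers=1, clock=tick)
    out["passthrough"] = strict.dispatch("GET /", send)   # ('srvA', 503): no retry allowed
    return out
```

The difference between the two modes is visible in `available()`: per-request retry protects only the request that hit the error, while quarantine also spares the next 30 seconds of new requests from a server that is evidently failing.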

90
Load balancer configuration for HTTP applications: greater security

 Client IP header insertion


 In Web server logs, the client IP address is logged. Web servers retrieve
the client IP information from the source IP address.
 Some AX advanced HTTP options (Connection Reuse or Source NAT)
force the AX to establish the connection to the server with an AX IP
address. In these cases, the Web server loses the client IP address
information.
 To allow Web Servers to log Client IP address information, the AX can
inject the Client IP information in a request header.
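The header insertion described above is shown below as an added example, not ACOS code. It rewrites the request the load balancer forwards so that it carries the real client address (X-Forwarded-For is the customary header name and an assumption here), and it first drops any copy of that header the client itself sent: the load balancer is the first trusted hop, and a client-supplied value would otherwise land in the server's logs as if it were the true source. The request text and the client address 198.51.100.7 are constructed.

```python
"""Client-IP header insertion for requests forwarded over a NATed or reused
server connection. Example code, not A10 code; the request is constructed."""


def insert_client_ip_header(request, client_ip, header="X-Forwarded-For"):
    """Return the request with `header: client_ip` added and any client-supplied
    copy of the same header removed (design choice of this example)."""
    head, sep, body = request.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    lines = head.split("\r\n")
    request_line, headers = lines[0], lines[1:]
    kept = [h for h in headers if not h.lower().startswith(header.lower() + ":")]
    kept.append("%s: %s" % (header, client_ip))
    return "\r\n".join([request_line] + kept) + sep + body


def client_ip_from_request(request, header="X-Forwarded-For"):
    """What the web server (or its log format) reads back from the header."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == header.lower():
            return value.strip()
    return None


# Constructed client request that already carries a forged header.
CONSTRUCTED_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 10.9.9.9\r\n"      # client-supplied; must not reach the logs
    "Connection: keep-alive\r\n"
    "\r\n"
)
```

On the server side the log format then has to read the inserted header instead of the TCP source address, which after Source NAT or Connection Reuse is always an AX address.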

91

Module 4 Lesson3

HTTPS protocol

92
HTTPS protocol

 HTTPS (HTTP over TLS) RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)

 HTTPS is the "secured" version of HTTP (usually port 443)

 HTTPS offers
 Server Authentication (with server certificates)
 (optional) Client Authentication (with client certificates)
 Encryption (with TLS/SSL)

93

How does server authentication work?

 TLS/SSL is based on public certificates / private keys

 Certificates are issued and signed by a Certificate Authority (CA)

 HTTPS clients first request the server public certificate and validate it using a list of trusted CAs

 When the server certificate is validated (name, date, etc.), the client sends its HTTP requests

94
How does the encryption work?

 Once the server is trusted, the client and server negotiate a "session key" to encrypt the traffic

 The session key is negotiated via an asymmetric encryption protocol using long keys (usually 2048 bits)
Note: This step is very CPU intensive (asymmetric encryption)

 Once the "session key" is negotiated, the HTTPS client requests / server responses are sent encrypted
Note: Less CPU intensive (symmetric encryption)

Note: If the client re-establishes a new TCP session before the session
key expires, it will propose to the server to use it (SSL session ID reuse
option). The server can accept or refuse it. If refused, a new session key
is negotiated.

95

Load balancer configuration for HTTPS applications

 Load balancers don't need a specific configuration for HTTPS load balancing: any L4 SLB VIP works for HTTPS services
 However, advanced load balancers provide techniques to improve HTTPS services
 Better Availability (see Module 4 - lesson 2)
 Better Flexibility (see Module 4 - lesson 2 and Module 7 - aFleX)
 Better Performance/Acceleration (see Module 5)
 Better Security (see Module 4 - lesson 2 and Module 6)

96
Load balancer configuration for HTTPS applications

 AX offers advanced flexibility/performance/security options for HTTPS applications
 These options are available via HTTP templates
 WebUI: Config > Service > Template > Application > HTTP
 CLI: AX(config)# slb template http <name> []
 HTTP templates are associated with virtual server ports of type "HTTP" or "HTTPS"

97

HTTPS communication with clients

 Client SSL templates
 To enable HTTPS communication with the Clients, a Client SSL template defines:
 Public certificate that will be presented to Clients
 Private key (and its passphrase)
 Supported SSL ciphers (encryption algorithms)
 (optional) Client certificate request (client authentication)

98
HTTPS communication with clients

 HTTPS communication with clients configuration


1. Import the SSL public certificate and private key on the AX
Note: Self-signed certificates can be created on the AX too (clients will not trust them unless the certificate is installed on the client side)
 WebUI: Config > Service > SSL Management > Certificate
 CLI: AX(config)# import ssl-cert <name>
AX(config)# import ssl-key <name>
2. Create a Client SSL template
 WebUI: Config > Service > Template > SSL > Client SSL
 CLI: AX(config)# slb template client-ssl <name> []
3. Assign the Client SSL template to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N https
AX(config-slb vserver-vport)# template client-ssl
<name>

99

HTTPS communication with servers

 Server SSL templates
 To enable HTTPS communication with the Servers, a Server SSL template defines:
 Supported SSL ciphers (encryption algorithms)
 (optional) CA that will be used to validate the Servers' certificate
Note: Without a CA, the AX encrypts the server-side connection but does not authenticate the server it connects to.

100
HTTPS communication with servers

 HTTPS communication with servers configuration


1. (Optional) Import the CA public certificate that will be used to validate the Servers' certificate
 WebUI: Config > Service > SSL Management > Certificate
 CLI: AX(config)# import ssl-cert <name>
2. Create a Server SSL template
 WebUI: Config > Service > Template > SSL > Server SSL
 CLI: AX(config)# slb template server-ssl <name> []
3. Assign the Server SSL template to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N https
AX(config-slb vserver-vport)# template server-ssl
<name>

101

HTTPS virtual port options

 SSL statistics
 WebUI: Monitor > Service > Application > SSL
 CLI: AX# show slb ssl stats

102
Summary

 In this module, we presented:
 FTP protocol
 HTTP protocol
 HTTPS protocol

 And also:
 Explained the specific Load Balancer configuration required for each protocol
 Explained specific Load Balancer options available for each protocol for better availability, flexibility, performance and security
 Configured FTP, HTTP, and HTTPS VIPs on the AX

103

AX Acceleration

Module 5

104
Module objectives

 Understand the advanced AX options for acceleration
 Connection Reuse
 SSL offload
 HTTP compression
 RAM Caching

 Configure advanced AX options for acceleration

105

Connection reuse

 Web servers need to manage:
 New clients (open new sessions)
 Clients leaving (close sessions)
 Maintain all connected client sessions

Note: Web browsers keep their TCP connections open even after all objects have been loaded

106
Connection reuse

 Connection Reuse offloads the server TCP stack
 This option provides faster server response time and higher server scalability
 Connection reuse
 Terminates all client connections on the AX
 Maintains persistent connections to the Servers
 Multiplexes all client requests onto those persistent connections

Note: Connection Reuse requires SLB Source NAT
Note2: HTTP Keep-alive should be enabled on the web servers
107

Connection reuse

 Connection reuse configuration
1. Create a Connection Reuse template
 WebUI: Config > Service > Template > Connection Reuse
 CLI: AX(config)# slb template connection-reuse <name> []
2. Assign the Connection Reuse template to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N http
AX(config-slb vserver-vport)# template connection-reuse <name>
Note: IP Source NAT also must be configured on the Virtual Server Port

 Connection Reuse statistics
 WebUI: Monitor > Service > Application > Connection Reuse
 CLI: AX# show slb connection-reuse

108
SSL offload

 SSL Offload relieves the server of SSL tasks
 This option provides faster server response time and higher server scalability
 AX receives HTTPS client traffic and sends HTTP traffic to the servers

109

SSL offload

 SSL offload configuration


 HTTPS VIP pointing to HTTP servers (see Module 4 - lesson 3)
 (optional) Rewrite server HTTP redirect responses, so that a Location header pointing to http:// reaches the client as https://
Note: This is done via an HTTP template containing the Redirect / Rewrite option
 (optional) Rewrite absolute links
Note: This is done via aFleX (see Module 7)

110
HTTP compression

 Compresses HTTP/HTTPS objects
 Uses less bandwidth and provides faster client download time
 AX HTTP compression
 Compresses objects sent to the clients
Note: By default, "text" (such as html/css/js) and "application" (such as doc/xls/ppt/pdf)
 If HTTP compression is enabled on the servers, AX transparently offloads this task from the servers

111

HTTP compression

 HTTP compression configuration


1. Create an HTTP template
 WebUI: Config > Service > Template > Application > HTTP
 CLI: AX(config)# slb template http <name> []
2. Assign the HTTP template to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N http
AX(config-slb vserver-vport)# template http <name>
Note: On AX models with a Hardware Based Compression module, you
need to enable Hardware Based Compression first
 WebUI: Config > Service > SLB > Global
 CLI: AX(config)# slb hw-compression

112
HTTP compression

 HTTP compression statistics


 WebUI: Monitor > Service > Application > Proxy > HTTP
 CLI: AX# show slb http-proxy

113

RAM Caching

 Caches HTTP/HTTPS static and dynamic content in AX RAM
 Delivers cached objects to clients directly from the AX cache, offloading these requests from the servers
 Provides faster client download time and higher server scalability

114
RAM Caching

 AX RAM Caching
 Caches objects unless explicitly denied by the server's response
 Caches responses with the following codes:
 200 OK
 203 Non-Authoritative Information
 300 Multiple Choices
 301 Moved Permanently
 302 Found (only if Expires header is also present)
 410 Gone

115

RAM Caching

 AX RAM Caching limitations
 Does not support client HTTP range requests (they are sent to the servers)
 Does not cache server responses with a "Vary" header (except "Vary: Accept-Encoding")
 Does not cache server responses with a "Warning" header
 Does not cache server responses if the request had an "Authorization" header (even if the server specifies "Cache-Control: public")
 Does not cache incomplete (partial) responses

116
RAM Caching

 RAM Caching configuration


1. Create a RAM Caching template
 WebUI: Config > Service > Template > Application > RAM Caching
 CLI: AX(config)# slb template cache <name>
2. Assign the RAM Caching template to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N http
AX(config-slb vserver-vport)# template cache <name>

 RAM Caching statistics


 WebUI: Monitor > Service > Application > RAM Caching
 CLI: AX# show slb cache []

117

RAM Caching

 AX RAM Caching for dynamic objects


 Allows the AX to Cache non-static objects
 Need to understand application behavior to determine cacheability
 What is to be cached?
 How long is the cached content valid?
 What is the trigger that would cause the response to change?
 Parameterized requests
 The URL matches a specific pattern.
 Specific query parameters are present.
 Specific cookies in the request are present.
 Specific HTTP headers in the request are present.
 Policies
 Cacheability rules determine what is cacheable and what is not
 Invalidation rules

118
RAM Caching

 When not to use dynamic caching


 The response sets cookies specific to that session.
 Example: the response to a login page
 The response contains data specific to a previous action in the session.
 Example: a confirmation number for a transaction that was just executed
 The life of a response is indeterminate; that is, the response contains data
that becomes stale based on a future action.
 Example: the portfolio page of a brokerage account user changes when the
user executes transactions.
 Different versions of the response cannot be distinguished by using the
URL, query parameters, or cookies in the request.
 Example: the response contains personalized settings, such as the user name
but no query parameter or cookie directly identifies the user.

119

RAM Caching

 Dynamic caching policies
 Caching policies can be used to override/augment standard HTTP behavior
 Policies are specified as follows:
policy <condition> <action>
Where:
<condition> is of the form uri <pattern>
<action> is cache <seconds>, no-cache, or invalidate <entry>
Note: More sophisticated conditions will be supported in future using aFleX policies
 Policies are evaluated in the order they are specified. The action of the first policy that matches is applied.

120
RAM Caching

 Dynamic caching example
 Let's say there is a web application with the following URLs:
 http://x.y.com/list lists all items from the database
 http://x.y.com/add?a=p1&b=p2 adds an item to the database
 http://x.y.com/del?c=p3 deletes an item from the database
 http://x.y.com/private?user=u1 private info for a user
 This is a simple example, but it is also a very common scenario and is representative of many sites on the web today.
 In this case, the list URI will be hit by a lot of users. Thus it makes sense to cache the URI as long as it remains up to date.
 However, when a user does an add/delete operation, or one of the other URIs arrives, the database changes and the cached list has to be refreshed.
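To make the cacheability rules and the policy ordering from the previous slides concrete, here is an added model of the decision logic, written for this page and not A10 code. It implements the cacheable status codes, the Vary/Warning/Authorization/Range exclusions and an ordered "policy uri <pattern> <action>" list, then walks through the /list, /add, /del and /private example. Assumptions not on the slides: "uri <pattern>" is treated as a path-prefix match, a "cache <seconds>" policy overrides the default HTTP rules, and the default lifetime when no policy matches is a constructor argument.

```python
"""Toy model of the AX RAM cache decision logic.

Added example, not A10 code. It implements the rules stated on the RAM Caching
slides: the cacheable status codes, the Vary/Warning/Authorization/Range
exclusions, and 'policy uri <pattern> <action>' lists evaluated in order with
first match winning. Assumptions not on the page: 'uri <pattern>' is a
path-prefix match, a 'cache <seconds>' policy overrides the default HTTP rules,
and the default freshness lifetime with no matching policy is a constructor argument.
"""

CACHEABLE_STATUS = {200, 203, 300, 301, 410}   # 302 is cacheable only with Expires


def default_cacheable(status, req_headers, resp_headers):
    """Standard cacheability as described on the RAM Caching slides."""
    if status == 302:
        if "Expires" not in resp_headers:
            return False
    elif status not in CACHEABLE_STATUS:
        return False
    if "Range" in req_headers:              # range requests are forwarded to the servers
        return False
    if "Authorization" in req_headers:      # even if the server says Cache-Control: public
        return False
    vary = resp_headers.get("Vary")
    if vary is not None and vary.strip().lower() != "accept-encoding":
        return False
    if "Warning" in resp_headers:
        return False
    cc = resp_headers.get("Cache-Control", "").lower()
    if any(tok in cc for tok in ("no-store", "no-cache", "private")):
        return False                        # explicitly denied by the server's response
    return True


class RamCache:
    def __init__(self, policies, default_age=3600):
        # policies: ordered list of (uri_prefix, action, argument), e.g.
        # ("/list", "cache", 300) or ("/add", "invalidate", "/list")
        self.policies = list(policies)
        self.default_age = default_age
        self.store = {}                     # path -> (expires_at, body)

    @staticmethod
    def _path(uri):
        return uri.split("?", 1)[0]

    def policy_for(self, path):
        """First matching policy wins; (None, None) if no policy matches."""
        for prefix, action, arg in self.policies:
            if path.startswith(prefix):
                return action, arg
        return None, None

    def lookup(self, uri, now):
        """Serve from cache if fresh. A request matching an 'invalidate' policy
        evicts the named entry (e.g. /add or /del force /list to be refreshed)."""
        path = self._path(uri)
        action, arg = self.policy_for(path)
        if action == "invalidate":
            self.store.pop(arg, None)
            return None
        hit = self.store.get(path)
        if hit is not None and hit[0] > now:
            return hit[1]
        self.store.pop(path, None)          # expired or absent
        return None

    def on_response(self, uri, status, req_headers, resp_headers, body, now):
        """Store the origin response if allowed; return True when cached."""
        path = self._path(uri)
        action, arg = self.policy_for(path)
        if action in ("invalidate", "no-cache"):
            return False
        if action == "cache":
            self.store[path] = (now + arg, body)
            return True
        if default_cacheable(status, req_headers, resp_headers):
            self.store[path] = (now + self.default_age, body)
            return True
        return False


def demo():
    """Walk through the x.y.com example from the slides; returns the trace."""
    cache = RamCache([
        ("/list", "cache", 300),
        ("/add", "invalidate", "/list"),
        ("/del", "invalidate", "/list"),
        ("/private", "no-cache", None),
    ])
    trace = []
    trace.append(cache.on_response("/list", 200, {}, {}, "items: a", now=0))
    trace.append(cache.lookup("/list", now=100))
    trace.append(cache.lookup("/add?a=p1&b=p2", now=100))   # evicts /list
    trace.append(cache.lookup("/list", now=101))
    trace.append(cache.on_response("/private?user=u1", 200, {}, {}, "secret", now=101))
    return trace
```

Note that policy order matters: a catch-all "uri / cache 300" placed before "uri /private no-cache" would never let the no-cache rule fire, which is exactly the mistake that leaks one user's private page to another.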

121

RAM Caching

 WebUI configuration for the example

122
Summary

 In this module, we presented the AX acceleration options:
 Connection Reuse
 SSL offload
 HTTP compression
 RAM Caching

 And also configured them on the AX.

123

AX Security

Module 6

124
Module objectives

 Understand the advanced AX options for security
 DDoS protection
 PBSLB
 ACL
 Management security
 High Availability (HA)

 Configure HA on AX devices

125

Points to keep in mind

 Some advanced HTTP/HTTPS security options are detailed in Module 4 (HTTP Templates)
 This module (Module 6) presents other AX advanced security options
Note: aFleX (covered in Module 7) can also be considered a security option

126
DDoS protection

 AX provides enhanced protection against DDoS (Distributed Denial of Service) attacks
Note: AX 2200 / AX 3100 / AX 3200 / AX 5100 / AX 5200 provide DDoS protection in hardware. Other models provide DDoS protection in software.

 DDoS basic filters

 DDoS configuration
 WebUI: Config > SLB > Global
 CLI: AX(config)# ip anomaly-drop <DDoS-type>

127

DDoS protection

 Advanced DDoS filters are also available with system-wide PBSLB
Note: PBSLB is detailed on the next slide.
 Invalid HTTP or SSL payload or DNS
 Zero-Length TCP Window
 Out-of-sequence packet

 Advanced DDoS configuration
 CLI only: AX(config)# ip anomaly-drop <DDoS-type> [threshold]

 Basic and advanced DDoS statistics
 WebUI (basic only): Monitor > Service > Application > Switch
 CLI (basic only): AX# show slb switch []
 CLI (basic only): AX# show slb l4 and AX# show pbslb client [ip@]
128
Policy-based SLB

 Policy-based SLB (PBSLB) allows "black lists" and "white lists" with individual clients or subnets
Note: IPv6 addresses are not supported in PBSLB.

 PBSLB denies client traffic based on:
 IP address / subnet
 (optional) # of connections from that IP address / subnet
 (optional) can permit the client, but select another Service Group

129

Policy-based SLB

 PBSLB specifics
 Large list support
 Up to 8 M IP addresses
 Up to 64 K IP subnets
 Up to 32 group IDs
 Highly efficient
 B/W lists are stored in hash tables
 Can process Gbps of traffic
 Automatic black/white list support
 AX can update its black/white list automatically at specific intervals via TFTP

 PBSLB components
 PBSLB is a list of text entries, as follows:
 ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]

130
Policy-based SLB

 PBSLB configuration
1. Create or Import a PBSLB list
 WebUI (creation or import): Config > Service > PBSLB
 CLI (import): AX(config)# import bw-list []
2. Create a PBSLB Policy template
 WebUI: Config > Service > Template > PBSLB Policy
 CLI: AX(config)# slb template policy <name> []
3. Assign the PBSLB Policy template to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N <type>
AX(config-slb vserver-vport)# template policy <name>

 PBSLB statistics
 WebUI: Monitor > Service > PBSLB
 CLI(basic only): AX# show pbslb []
131

Policy-based SLB

 PBSLB file example

10.10.1.3 4 ;blocking host (group 4 is defined in the template with action "drop")
10.10.2.0/24 4 ;blocking subnet (group 4 is defined in the template with action "drop")
192.168.1.1/32 2 #20 ;20 concurrent connections max for that host (group 2 is defined in the template with action "permit with Service Group X")
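As an added example (written for this page, not A10 code), the parser below reads a list in the entry format shown above and classifies a client address the way the policy template would. The group actions are passed in separately because they live in the PBSLB policy template, not in the list. Two assumptions are not on the slides: when both a host and its subnet are listed the most specific entry wins, and an entry without a group id is a plain permit. The sample list adds one constructed host to the slide's example to show the first of these.

```python
"""Parse a PBSLB black/white list and decide what to do with a client.

Added example, not A10 code. It follows the entry format on the slide:
    ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
Assumptions not on the page: the group actions (drop, or permit with a given
service group) are passed in by the caller because they live in the PBSLB
policy template, not in the list; when both a host and its subnet are listed
the most specific entry wins; an entry without a group id is a plain permit.
The sample list and group actions below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    network: ipaddress.IPv4Network
    group_id: Optional[int]
    conn_limit: Optional[int]
    comment: str


def parse_bw_list(text):
    """Return the entries in file order; rejects IPv6, which the slide says is unsupported."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition(";")
        fields = body.split()
        if not fields:
            continue
        addr = fields[0] if "/" in fields[0] else fields[0] + "/32"
        net = ipaddress.ip_network(addr, strict=False)
        if net.version != 4:
            raise ValueError(f"line {lineno}: IPv6 addresses are not supported in PBSLB")
        group_id = conn_limit = None
        for field in fields[1:]:
            if field.startswith("#"):
                conn_limit = int(field[1:])
            else:
                group_id = int(field)
        entries.append(Entry(net, group_id, conn_limit, comment.strip()))
    return entries


def best_match(entries, client_ip):
    """Longest-prefix match over the list (None when the client is not listed)."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for e in entries:
        if addr in e.network and (best is None or e.network.prefixlen > best.network.prefixlen):
            best = e
    return best


def decide(entries, group_actions, client_ip, active_conns=0):
    """Return "drop", "permit", or "permit:<service-group>".

    group_actions maps a group id to ("drop", None) or ("permit", "<service group>").
    A listed client that already holds conn_limit connections is denied.
    """
    e = best_match(entries, client_ip)
    if e is None or e.group_id is None:
        return "permit"                        # not listed: normal SLB processing
    if e.conn_limit is not None and active_conns >= e.conn_limit:
        return "drop"
    action, service_group = group_actions[e.group_id]
    return "drop" if action == "drop" else f"permit:{service_group}"


# Constructed sample list: the slide's example plus one host carved out of the
# blocked subnet to show the most-specific-entry rule.
SAMPLE_LIST = """\
10.10.1.3 4 ;blocking host (group 4 is defined in the template with action "drop")
10.10.2.0/24 4 ;blocking subnet (group 4 is defined in the template with action "drop")
10.10.2.10 2 ;exception inside the blocked subnet, sent to service group X
192.168.1.1/32 2 #20 ;20 concurrent connections max for that host (group 2 permits to service group X)
"""
# Group actions as they would be defined in the PBSLB policy template.
GROUP_ACTIONS = {4: ("drop", None), 2: ("permit", "sg-X")}
```

Validating the file before it is imported (the ValueError on IPv6, and the int() conversions that reject stray characters) is worth keeping in whatever script automates the TFTP refresh, because a malformed list that fails to load leaves the previous blocks in place or, worse, none at all.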

 PBSLB template example

132
Access Control Lists

 AX supports standard and extended Access Control Lists (ACLs)
 ACLs can be applied to data interfaces, the management interface, and virtual server ports
 Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
 IPv4 and IPv6 ACLs are supported

133

Access Control Lists

 ACL components
[no] access-list acl-num [seq-num]
    {permit | deny | remark string}
    ip {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}}
       {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}}
    [log [transparent-session-only]]

 ACL configuration
1. Create an ACL
 WebUI: Config > Network > ACL
 CLI: AX(config)# access-list []

134
Access Control Lists

 ACL configuration
2. Assign the ACL to Data interfaces, the Management interface, or Virtual Server Ports
 Data Interface:
 WebUI: Config > Network > Interfaces > LAN
 CLI: AX(config)# interface ethernet 1
AX(config-if:ethernet1)# access-list <num> in
 Management:
 CLI only: AX(config)# interface management
AX(config-if:management)# access-list <num> in
 Virtual Server Port:
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N <type>
AX(config-slb vserver-vport)# access-list <num>
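Because an ACL is only as good as its ordering, here is an added example (written for this page, not A10 code) that parses entries in the syntax shown above and applies them the way an inbound ACL on a data interface would: in sequence-number order, first match wins. Two points are assumptions rather than statements from the slides: a packet matching no entry is denied (the usual implicit deny), and entries without an explicit sequence number are auto-numbered in steps of 10. Only "ip" entries are handled, and the sample ACL is constructed.

```python
"""Evaluate AX-style ACL entries the way an inbound interface filter would.

Added example, not A10 code. It parses the 'access-list' syntax shown on the
slide (sequence numbers, permit/deny/remark, any/host/network source and
destination, optional log) and applies standard ACL semantics: entries are
tried in sequence-number order, the first match decides, and a packet that
matches nothing is denied (implicit deny, an assumption about AX behaviour).
Only 'ip' entries are handled. The sample ACL is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    seq: int
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool = False


def _parse_addr(tokens):
    """Consume one {any | host A | A /len | A mask} spec; return (network, rest)."""
    kw = tokens[0]
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if kw == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if "/" in kw:                                       # A/len written as one token
        return ipaddress.ip_network(kw, strict=False), tokens[1:]
    # "/len", a dotted netmask, or a wildcard mask; ipaddress accepts all three forms
    mask = tokens[1].lstrip("/")
    return ipaddress.ip_network(f"{kw}/{mask}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse access-list lines into Aces sorted by sequence number.

    Entries without an explicit seq-num get the next multiple of 10 (assumption).
    Remark entries are comments and never match traffic.
    """
    aces, next_seq = [], 10
    for raw in lines:
        t = raw.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        i, seq = 2, None
        if t[i].isdigit():
            seq, i = int(t[i]), i + 1
        action, i = t[i], i + 1
        if action == "remark":
            continue
        if action not in ("permit", "deny") or t[i] != "ip":
            raise ValueError(f"unsupported entry: {raw}")
        src, rest = _parse_addr(t[i + 1:])
        dst, rest = _parse_addr(rest)
        if seq is None:
            seq = next_seq
        next_seq = (seq // 10 + 1) * 10
        aces.append(Ace(seq, action, src, dst, log=bool(rest) and rest[0] == "log"))
    aces.sort(key=lambda a: a.seq)
    return aces


def evaluate(aces, src_ip, dst_ip):
    """Return (action, matched_seq, log). No match -> ("deny", None, False)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if s in a.src and d in a.dst:
            return a.action, a.seq, a.log
    return "deny", None, False


def resequence(aces, start=10, step=10):
    """Renumber entries (the re-sequencing option), preserving their order."""
    return [Ace(start + n * step, a.action, a.src, a.dst, a.log) for n, a in enumerate(aces)]


# Constructed sample: allow one management host, log and drop the rest of its
# subnet, permit everything else.
SAMPLE_ACL = [
    "access-list 100 remark data interface filter (constructed example)",
    "access-list 100 10 permit ip host 10.1.1.5 any",
    "access-list 100 20 deny ip 10.1.1.0 /24 any log",
    "access-list 100 30 permit ip any any",
]
```

Swapping entries 10 and 20 in the sample would silently cut off the management host, which is why an evaluator like this, fed with the addresses you care about, belongs in the change process for any ACL applied to the management interface.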

135

Access Control Lists

 ACL statistics
 CLI (only) AX# show access-list

136
Management security

 AX provides advanced management security options
 Multiple management accounts with distinct levels of access
 Interface-level access control for individual access types (ICMP / Telnet / SSH / HTTP / HTTPS / SNMP)
 Management account lockout in response to excessive invalid passwords
 External Authentication support with RADIUS and TACACS+
 Private partitions

Note: See the AX Series Configuration Guide for more information

137

High Availability (HA)

 High Availability Design Options
 Active-Standby mode
 Active-Active mode
 Layer 2/3 Hot Standby mode

138
High Availability (HA)

 Active-Standby Mode
 Active AX processes all the
production traffic
 Standby AX does not process any
production traffic
 Standby AX mirrors all session
information from Active AX
 Reliability is scaled but not
performance

139

High Availability (HA)

 Active-Standby Failover
 Peer AX elected as active
 Gratuitous ARPs for virtual,
floating and NAT IPs are sent
 Existing mirrored sessions are
picked up by newly elected active
AX
 New sessions are served by newly
elected active AX

140
High Availability (HA)

 Active-Active Mode
 Both AX units process
the production traffic
 Session and state
information is mirrored
between both AX units
 Performance is scaled in
addition to reliability
Note: Don't exceed 50%
utilization on each unit
for full HA

141

High Availability (HA)

 Active-Active Failover
 Peer AX is elected active for
HA group 2 and sends
gratuitous ARPs for virtual IPs,
floating IPs, and NAT IPs
 Existing mirrored sessions are
picked up by peer AX
 Peer AX serves requests for
both HA groups

142
High Availability (HA)

 L2/3 Hot Standby Mode
 Active AX processes all the production traffic
 Standby AX does not process any production traffic
 Standby AX mirrors all session information from the Active AX
 Standby becomes non-forwarding but is reachable for management traffic, sends and receives HA heartbeats, receives synced sessions from the peer, and performs health checks
Note: Loop elimination protocols such as STP are not required

143

High Availability (HA)

 L2/3 Hot Standby Failover
 Peer AX elected new active
 Gratuitous ARPs for virtual, floating and NAT IPs are sent
 New active becomes fully forwarding and existing mirrored sessions continue

144
High Availability

 All AX integration modes support HA
 Routed mode
 Active-Standby, Active-Active and L3 Hot Standby modes
 One-Arm mode
 Active-Standby, Active-Active and L3 Hot Standby modes
 Transparent mode
 L2 Hot Standby mode
 DSR mode
 Active-Standby, Active-Active and L3 Hot Standby modes

145

High Availability

 HA Active-Standby Mode configuration steps
1. Configure HA interfaces
 All interfaces used for production traffic (+ the AX interlink if one exists)
Note: We recommend a dedicated direct interlink between the AX units so that sync traffic stays off the production network.
2. Configure HA Global settings
 Identifier (AX1 = 1, AX2 = 2)
 HA Status: Enabled
 (optional) HA Mirroring IP address: remote AX sync interface
 (optional) Preempt: fail back to the higher-priority AX when it becomes available again
 Group1 with priority 200 on AX1 (priority 100 on AX2)
 Floating IP for Group1: IP address defined as the servers' gateway (VRRP-like)
 (optional) IP address and VLAN check
Note: IP addresses used for the check have to be defined as SLB servers too

146
High Availability

 HA Active-Standby Mode configuration steps (cont.)
3. Configure VIP HA settings
 In VIP settings, associate the HA Group with the VIP
 (optional) Enable Dynamic Server Weight: reduce the AX HA Group priority when a server is down
 (optional) Enable HA Connection Mirroring on the VIP ports: to synchronize the SLB session table (available for TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
Note: For HTTP/HTTPS VIP types, the client session is terminated on the AX device. HA Connection Mirroring is not available for these VIP types.
4. Configure NAT pool HA settings
 In IP Source NAT, associate the HA Group with IPv4 Pools, IPv6 Pools, NAT Ranges, or Static NAT.

147

High Availability

 HA Active-Active Mode configuration steps
 Same as Active-Standby, with two HA groups defined
 Step 2:
 Group1 with priority 200 on AX1 (priority 100 on AX2)
 Group2 with priority 100 on AX1 (priority 200 on AX2)
 Step 3:
 Associate Group1 with half of the VIPs and Group2 with the other half
 Step 4:
 Associate Group1 with the NAT Pools used by VIPs in Group1, and Group2 with the NAT Pools used by VIPs in Group2

148
High Availability

 HA Layer 2/3 Mode configuration steps
 Same as Active-Standby except for step 2
2. Configure HA Inline Mode
 Enable
 Preferred port: port used to sync configuration and sessions
 (optional) Restart port list: AX interfaces carrying production traffic
 (optional) L3 mode enabled: if the AX is in Layer 3 Inline mode

149

High Availability

 HA Active-Standby Mode configuration
1. Configure HA interfaces
 WebUI: Config > HA > Setting > HA Global
 CLI: AX(config)# ha interface []
2. Configure HA Global settings
 Active-Standby or Active-Active Modes:
 WebUI: Config > HA > Setting > HA Global
 CLI: AX(config)# ha []
Note: If the IP address check is configured, define these IP addresses as SLB servers too.
 L2/3 Modes:
 WebUI: Config > HA > Setting > HA Inline Mode
 CLI: AX(config)# ha [inline-mode | l3-inline-mode]

150
High Availability

 HA Active-Standby Mode configuration (cont.)
3. Configure VIP HA settings
 WebUI: Config > Service > SLB > Virtual Server
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# ha-group <num>
4. Configure NAT settings
 WebUI: Config > Service > SLB > IP Source NAT
 CLI: AX(config)# ip nat []

151

High Availability

 Configuration synchronization
 WebUI: Config > HA > Config Sync
 CLI: AX(config)# ha sync [all | data-files | running-config | startup-config] to-[running-config | startup-config] [with-reload] [all-partitions | partition]
Note: We recommend syncing "All" to the startup-config with reload

 HA manual failover can also be initiated with the following:
 CLI (from the active AX): AX(config)# ha force-self-standby
Note: Manual failover can also be done with preempt enabled by changing the HA group priority.
152
High Availability

 HA status
 WebUI: Monitor > HA > Group
 CLI: AX# show ha

153

High Availability

 HA statistics
 WebUI: Monitor > HA > Status
 CLI: AX# show ha detail

154
Summary

 In this module, we presented AX advanced security options:
 DDoS protection
 PBSLB
 ACL
 Management security
 High-Availability (HA)

 And also configured HA.

155

AX Power and Flexibility

Module 7

156
Module objectives

 Understand the advanced AX options for flexibility
 Cookie persistence
 aFleX

 Understand the AX Advanced Core Operating System (ACOS)

157

Module 7 Lesson1

AX Flexibility

158
Points to keep in mind

 Some advanced HTTP/HTTPS flexibility options have already been detailed in Module 4 (HTTP Templates)
 This module (Module 7) presents other advanced AX flexibility options

159

Cookie persistence

 When to use cookie persistence
 Like Source IP Persistence, Cookie Persistence is used when HTTP/HTTPS clients must have their future connections/traffic terminated on the same server.
 But Cookie Persistence provides more granularity, since even different users coming from the same Proxy (same IP address) get their own persistence with Cookie Persistence.

160
Cookie persistence

 AX Cookie Persistence configuration
 Create a Cookie Persistence Template
 Name
 (optional) Expiration
 (optional) Cookie Name
 (optional) Domain
 (optional) Path
 (optional) Match type
 (optional) Insert Always
 (optional) Don't Honor Conn Rules
 Assign the Cookie Persistence Template to the Virtual Server Port

161

Cookie persistence

 AX Cookie Persistence configuration (cont.)
 Create a Cookie Persistence Template
 WebUI: Config > Service > Template > Persistent > Cookie Persistence
 CLI: AX(config)# slb template persist cookie <name> []
 Assign the Cookie Persistence Template to the Virtual Server Port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N http
AX(config-slb vserver-vport)# template persist cookie <name>
Note: The AX has to parse HTTP to insert and read the cookie, so the virtual port type is HTTP or HTTPS.

162
aFleX

 What is aFleX?
 aFleX is a powerful and flexible AX feature that you can use to manage your traffic and provide enhanced benefits/services
 aFleX uses industry-standard Tcl (Tool Command Language) based syntax
 Standard Tcl commands
 Special set of extensions provided by the AX
 aFleX allows:
 Content inspection (headers / data)
 Actions on traffic
 Block traffic
 Redirect traffic to a specific Service Group (pool) or Server (node)
 Modify traffic content

163

aFleX

 Elements of an aFleX script
 aFleX scripts are made up of three basic elements:
 Events
 Operators
 aFleX commands
 Events
 aFleX scripts are event-driven: the AX system runs the aFleX script whenever the event occurs.
 Examples: HTTP_REQUEST is triggered when an HTTP request is received. CLIENT_ACCEPTED is triggered when a client has established a connection.
 Operators
 Standard Tcl operators
 Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
 Logical operators: not, and, or
164
aFleX

 Elements of an aFleX script (cont.)
 aFleX commands
 Used to query for data, manipulate data, or specify a traffic destination. They may be grouped into three main categories:
 Statement commands
Example: "pool <name>" directs traffic to the named load balancing pool
 Commands that query or manipulate data
Examples:
 "IP::remote_addr" returns the remote IP address of a connection
 "HTTP::header remove <name>" removes the last occurrence of the named header from a request or response
 Utility commands - useful for parsing and manipulating content
Example: "decode_uri <string>" decodes the named string using HTTP URI encoding and returns the result
Note: aFleX is extensible. In future releases, additional aFleX events and aFleX commands will be added.
165

aFleX

 aFleX configuration
 1. Place the aFleX script on the AX
 Using the CLI
 Use a computer with any text editor to write an aFleX script and save it as a file.
 Use the import aflex command to import the aFleX file from the computer to the AX.
 aFleX CLI syntax check: "aflex check <name>".
 Using the WebUI
 With the AX web interface, users can directly type in aFleX scripts and save them on the AX under "Config > Service > aFleX".
 Using the aFleX Editor
 The aFleX editor can download/upload aFleX scripts from/to the AX. Moreover, it can do syntax checking. As an editor, it also has syntax highlighting, keyword auto-completion, etc.

166
aFleX

 aFleX configuration (cont.)
 2. Assign the aFleX script to the VIP port
 WebUI: Config > Service > SLB > Virtual Server > Port
 CLI: AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port N tcp
AX(config-slb vserver-vport)# aflex <name>

 aFleX statistics
 WebUI: Monitor > Service > aFleX
 CLI: AX# show aflex []

167

aFleX

 aFleX examples
 Redirect a specific client to a specific service group
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool sg2
    }
}
Note: This could be achieved by PBSLB too.
 Redirect clients to https for the host secure.abc.com
when HTTP_REQUEST {
    if { [HTTP::host] equals "secure.abc.com" } {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
Note: This could NOT be achieved by PBSLB. The script must be attached to the HTTP (port 80) virtual port, since an HTTP_REQUEST event only fires on a port the AX parses as HTTP.
168
aFleX

 aFleX examples
 Redirect clients to specific pools depending on the URL
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/finance" } {
        pool finance_pool
    } elseif { [HTTP::uri] starts_with "/dev" } {
        pool dev_pool
    }
}

169

Module 7 Lesson2

Advanced Core Operating System

170
ACOS Architecture Overview

 SSL Acceleration Module: SSL processing
 Application Memory: session tables, buffer memory, application data
 L4-7 CPUs: L4-7 processing, security
 Control Kernel: CLI, GUI, management tasks and health checking
 Flexible Traffic ASIC (FTA): distributes traffic across the L4-7 CPUs, efficient network I/O, DDoS
 Switching & Routing ASIC: L2 & L3 processing and security

171

ACOS Design Highlights

 ACOS on the data plane
 Zero locking
 Zero IPC
 Zero interrupt
 Zero scheduling
 Zero buffer copy for low latency packet processing

 Linux on the control plane
 Used by the Management CPU only
 All application delivery traffic handled by ACOS
 Efficient use of memory: no duplicate data

172
ACOS = Resource Efficiency

 Processing Efficiency
 Eliminates unneeded cycles for faster processing
 Zero locking, zero buffer copy, zero IPC, zero scheduling, zero interrupt

 Physical Memory Efficiency
 Data is not replicated, multiple copies of data are not needed, more total memory available
 Space saving, non-replication, zero copy, accuracy, real-time data

 Input/Output (I/O) Efficiency
 Faster overall system processing
 Low latency packet processing, optimized drivers, Flexible Traffic ASIC, low overhead

173

Shared Memory Versus Legacy Approach

[Figure: AX Series shared memory, compared with the legacy approach of replicating data to each core's dedicated memory]

174
AX Shared Memory Advantage

 AX Series eliminates IPC and maximizes performance
 Data required by all CPUs is processed in the same location without other CPU notification/reliance
 Accurate real-time decision criteria, e.g. rate-limiting, connection-limit, max TCP connections, server selection, tracked global variables used for decisions or any shared data set
 Maximizes memory: no redundant copies of information per core, so more total system memory

175

Shared Memory Efficiency

 Shared Memory
 One copy of each item kept in memory, for example
 PBSLB list uses 64 MB of RAM: total AX memory usage = 64 MB RAM
 Cached objects, 10 x 0.5 MB: total AX memory usage = 5 MB
 Total 69 MB of RAM used

 Without Shared Memory
 Multiple copies of each item kept in each core's memory, for example with 32 cores
 PBSLB list uses 64 MB of RAM per core: total memory usage = 2048 MB RAM
 Cached objects, 10 x 0.5 MB per core: total memory usage = 160 MB
 Total 2208 MB of RAM used

 Available system memory is reduced dramatically by a non-shared memory architecture

176
ACOS Versus Legacy OS

ACOS                                        | Legacy OS
--------------------------------------------|------------------------------------
Designed for multi-core                     | Not designed for multi-core
32-bit or 64-bit OS (with feature parity)   | 32-bit OS only
Decoupled CPU architecture                  | Coupled CPU architecture
Shared memory                               | Non-shared memory
No IPC (Inter Process Communication)        | IPC (Inter Process Communication)
Optimized flow distribution                 | Software-based flow distribution

177

Summary

 In this module, we presented the following advanced AX flexibility options:
 Cookie persistence
 aFleX

 And also configured them on the AX.

 We also presented the ACOS architecture.

178
AX Management and Troubleshooting

Module 8

179

Module objectives

 Understand the different types of AX management access
 Understand the AX configuration components and how to backup/restore the AX configuration
 Understand the AX software components and how to upgrade/downgrade the AX
 Understand VLANs on the AX
 Learn the initial AX configuration
 Learn troubleshooting techniques and tools
 Understand the AX Release Process and how to contact AX support
180
AX management access

 CLI
 Console (RS-232 connection / 9600, 8, N, 1)
 Telnet (disabled by default)
 SSHv2

 Web
 HTTP (configurable ports - disabled by default)
 HTTPS (configurable ports)
Note: Leave Telnet and HTTP disabled in production; both carry credentials in clear text.

 Levels of authentication
 CLI:
 Login ID/Password
 Enable ID/Password
 Web:
 User roles (read-write / read-only)
181

AX configuration components

 AX configuration components
 Configuration file
 (optional) aFleX files
 (optional) PBSLB files
 (optional) SSL certificates and keys
 (optional) Geo-location files (option in GSLB and geo-location-based VIP
access)

182
AX configuration components

 AX full configuration backup
 Full AX configuration can be backed up
 WebUI: Configuration > System > Maintenance > Backup > System
 CLI: AX(config)# backup config []

 AX full configuration restore
 Full AX configuration can be restored
 WebUI: Configuration > System > Maintenance > Restore > System
 CLI: AX(config)# restore []

Note: Supported upload protocols: FTP, SCP, RCP, TFTP, and HTTPS (via WebUI)
Note: The backup contains the SSL private keys listed on the previous slide. Prefer SCP or HTTPS over FTP, RCP and TFTP, which transfer it in clear text, and protect the stored file accordingly.

183

AX software management

 AX software is stored on
 Two disk partitions: primary and secondary
 Second partition is designed for easy software rollback
 Two Compact Flash partitions: primary and secondary
 CF is designed for emergency recovery
Note: Each storage location has its own software and AX configuration

184
AX software management

 AX software upgrade recommended steps
 Back up your system
 (covered on previous slide)
 Check the AX running partition
 WebUI: Monitor > Overview > Summary > System Information
 CLI: AX# show bootimage
 Upgrade the AX device's other partition
 WebUI: Configuration > System > Maintenance > Upgrade
 CLI: AX(config)# upgrade []
 Copy the running configuration to the other partition
 CLI only: AX# write memory [primary|secondary]
 Set the boot source to the other partition
 WebUI: Configuration > System > Settings > Boot
 CLI: AX(config)# bootimage hd [primary|secondary]
 Restart from the other partition
 WebUI: Configuration > System > Settings > Action > Reboot
 CLI: AX# reboot

185

VLAN

 VLAN allows AX to
 Bind multiple physical interfaces to same broadcast domain

186
VLAN

 VLAN allows AX to (cont.)
 Bind one physical interface to multiple layer 2 broadcast domains

187

VLAN

 VLAN configuration steps
1. VLAN creation
 VLAN ID
 Physical interfaces, tagged and untagged
 (optional) VLAN Name
 (optional) Virtual Interface
2. Virtual Interface (when selected in the VLAN configuration)
 IP address
 Netmask
 (optional) all ethernet options such as ACL, secondary IP address

188
VLAN

 VLAN configuration
 VLAN creation
 WebUI: Config > Network > VLAN
 CLI: AX(config)# vlan []
 Virtual Interface (when selected in the VLAN configuration)
 WebUI: Config > Network > Interface > Virtual
 CLI: AX(config)# interface ve []

189

VLAN

 Important Point
 Always configure virtual interfaces when the AX is integrated in routed mode, to avoid a loop!

190
First Steps configuration

 Rollback to Factory configuration
 CLI: AX(config)# system-reset
AX(config)# end
AX# reboot

 First Step configuration
 Connect to the AX console (9600 baud - 8 bits no parity - 1 stop bit)
 Default user/password: admin/a10
 Configure the management interface and its default gateway
 Finish the AX configuration via CLI (ssh) or WebUI (https)
 Configure Production interfaces (vlan, ethernet/ve interfaces)
 Enable production interfaces
 (optional) Configure routing (static/dynamic)
 (optional) Configure specific management rights
 Configure Servers / Service Groups / Virtual Servers
 etc.
191

First Steps configuration

 First Step configuration example
AX login: admin
Password:
[type ? for help]
AX>en
Password:
AX#conf
AX(config)#in
AX(config)#interface m
AX(config)#interface management
AX(config-if:management)#ip address 172.31.31.11 /24
AX(config-if:management)#ip default-gateway 172.31.31.1
AX(config-if:management)#exit
AX(config)#exit

192
Troubleshooting methodology

 Layer 2 and 3: Data Link & Network Layers
 Check network connectivity
 AX# ping
 Check port/interface status
 AX# show interface brief + AX# show interface
 Check ARP and MAC tables
 AX# show arp + AX# show mac-address-table
 Check routes
 AX# show ip fib + AX# show ip route
 Layer 4: Transport Layer
 Check for connection errors
 Layer 7
 Check for application specific errors

193

Troubleshooting tools

 AX log (AX# show log)
 AX logs many informational, warning, and error messages; it is the first place
to check when troubleshooting any issue
 Port/Interface up/down messages
 L2 loop detection warnings
 Unicast/Multicast/Broadcast packet limit warnings
 MAC address movement warnings
 Duplicate IP warnings
 Server & service port up/down messages
 Application specific error messages: SLB, PBSLB, HTTP, HA, etc.
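The following Python script is an added example, not part of the A10 course material: it applies the layer-by-layer methodology of the previous slide to the message types listed here, grouping constructed sample log lines by category, ordering findings from Layer 2 up with the AX command to check next, and flagging a port whose state keeps changing. The log line layout, the sample content and the category names are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed "show log" sample; the line layout is an assumption for this example, not the real AX log format.
SAMPLE_LOG = """\
Jan 10 09:00:01 AX a10logd: [WARNING] Port 3 is down
Jan 10 09:00:07 AX a10logd: [WARNING] Port 3 is up
Jan 10 09:00:12 AX a10logd: [WARNING] Port 3 is down
Jan 10 09:01:40 AX a10logd: [WARNING] MAC address 00:11:22:33:44:55 moved from port 1 to port 4
Jan 10 09:02:03 AX a10logd: [WARNING] Duplicate IP address 10.0.0.5 detected on VLAN 10
Jan 10 09:02:30 AX a10logd: [WARNING] L2 loop detected on port 4
Jan 10 09:03:00 AX a10logd: [INFO] Server web1:80 is down
Jan 10 09:03:30 AX a10logd: [INFO] Server web1:80 is up
"""

# Message categories from the slide, the layer they belong to in the methodology, and what to check next on the AX.
RULES = [
    ("port_state",   "L2/L3", "show interface brief",   re.compile(r"Port (\d+) is (up|down)")),
    ("l2_loop",      "L2",    "show mac-address-table", re.compile(r"L2 loop detected")),
    ("pkt_limit",    "L2",    "show interface",         re.compile(r"(Unicast|Multicast|Broadcast) packet limit")),
    ("mac_move",     "L2",    "show mac-address-table", re.compile(r"MAC address \S+ moved")),
    ("duplicate_ip", "L3",    "show arp",               re.compile(r"Duplicate IP address")),
    ("server_state", "L4/L7", "server health monitor",  re.compile(r"Server \S+ is (up|down)")),
]
LAYER_ORDER = {"L2": 0, "L2/L3": 1, "L3": 2, "L4/L7": 3}


def triage(log_text, flap_threshold=3):
    """Group log lines by category and order findings bottom-up (L2 first), as the methodology walks the layers."""
    counts, port_events, findings = Counter(), defaultdict(int), []
    for line in log_text.splitlines():
        for category, layer, check, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            counts[category] += 1
            if category == "port_state":
                port_events[match.group(1)] += 1   # individual up/down events are summarised as flapping below
            else:
                findings.append((category, layer, check, line.split("] ", 1)[-1]))
            break
    # A port whose state changes at least flap_threshold times is flapping: a link or loop
    # problem to resolve before looking at L4/L7 symptoms such as servers going down.
    findings.sort(key=lambda f: LAYER_ORDER[f[1]])
    flapping = sorted(p for p, n in port_events.items() if n >= flap_threshold)
    return {"counts": dict(counts), "flapping_ports": flapping, "findings": findings}
```

Call triage(SAMPLE_LOG), or pass the saved output of AX# show log, to get the per-category counts, the flapping ports and the ordered findings.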

194
Troubleshooting tools

 Debug
 WebUI
 The AX's WebUI provides a number of report graphs that can help you identify any
potential issues
 Example: CPU and server/virtual-server load information can help identify time
periods when the system was under stress
 SNMP
 SNMP clients can query AX for status information
 AX can be configured to send SNMP traps to servers/receivers

195

Troubleshooting tools

 Debug (cont.)
 debug packet <filters>
 Define a set of filters for packet capture
 Example: interface, IP address, protocol, port number, etc.
 debug http/ssl/ (etc.)
 Captures application specific debug information
 debug monitor
 Use this command after defining a filter to display captured packets on screen
 Make sure your filter is specific enough to capture only the packets needed for
debugging
 The CLI may become temporarily unresponsive if a large number of packets
are captured to the screen

196
Troubleshooting tools

 AXdebug
 More filter options than debug packet
 Allows saving captured packets to a local file (in tcpdump/Wireshark
format) and then exporting off the AX

 Show techsupport
 Provides important debug information for the A10 Support team
 When possible, issue the command once before, during, and after the
issue being experienced
Note: Make sure your terminal session has enough scroll back lines to
capture the full output (or log it to a text file)

 Backup log
 Provides detailed system information for debugging
 Compresses data and exports the file off the AX

197

AX Release Process

 AX provides 5 different release types
 Major
 Major features/enhancements (between 12 - 14 months)
 Enhancement
 Enhancements (between 6 - 8 months)
 Minor
 Periodic bug fixes and minor enhancements (between 3 - 4 months)
 Patch
 Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)
 Special Patch
 Emergency patch for a specific customer (2-3 days)

Note: New hardware platforms support only the newest release available on
their release date

198
AX Release Process

 AX release tests

                | MAJOR          | Enhancement     | Minor           | PATCH
Unit            | New features   | New features    | Fixes           | Fixes
Functional      | New features   | New features    | Fixes           | Fixes
Negative        | Full           | Full            | Affected        | None
Stress          | Full           | Affected        | None            | None
Regression      | Manual=full    | Manual=affected | Manual=affected | Manual=affected
                | Automated=full | Automated=full  | Automated=full  | Automated=full
Sys Integration | Full           | Full            | Partial         | Partial as needed
Performance     | Full           | Affected        | Affected        | None
Scalability     | Full           | Affected        | Affected        | None
Stability       | 2 weeks        | 1 week          | 3 days          | 1 day
Alpha           | Full           | Affected        | Affected        | None
Beta            | Full           | Affected        | None            | None
199

AX Release Process

 QA patch release process (flowchart)
 Roles: Support (defect report), QA, Release Manager (approve, release)
 Tests: Functional Test, Alpha Test, Regression Test (Manual Test, Automated as needed), Sys Integration Test, Performance Test, Scalability Test

200
AX Release Process

 AX provides 5 different release types
 Major (X.Y.M-Pn build N)
 Major features/enhancements (between 12 - 14 months)
 Enhancement (X.Y.M-Pn build N)
 Enhancements (between 6 - 8 months)
 Minor (X.Y.M-Pn build N)
 Periodic bug fixes and minor enhancements (between 3 - 4 months)
 Patch (X.Y.M-Pn build N)
 Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)
 Special Patch (X.Y.M-Pn build N)
 Emergency patch for a specific customer (2-3 days)
Note: New hardware platforms support only the newest release available on
their release date
Note: build N information may be removed in the future

201

Why AX support is better

 Qualified support staff
 Average 10+ years experience

 Training
 Support
 SEs
 Core Engineers on Tier 2 support rotation

 Passionate
 Really care about customers
 Company directive:
 Customer issue is #1 Priority

203
How to contact AX support

 AX support can be contacted by 3 methods
 Phone
 From North America: 1 888 822 7210 (1-888-TACSA10)
 From International: +1 408 325 8676
 24 x 7 x 365 Support
 Mon-Fri 6AM-11PM PST + Sat, Sun 9AM-6PM PST: A10 support engineers
 All other hours: call center; when needed, escalation to standby engineers, who contact the customer immediately
 Be ready to provide
 Problem description
 Showtech (almost always required)
 Topology (highly preferred)
 Trace
 Backup log
204

How to contact AX support

 AX support can be contacted by 3 methods (cont.)
 Email
 support@a10networks.com
 A support ticket is auto-generated
 An auto-reply email with a ticket number is sent
 What information to provide?
 Subject with "Priority (if urgent)" + "Customer name" + "Brief description
of ticket + Release number"
Example: "P1: abc.com - Certain VIPs fail to pass traffic release 2.4.2"
 Additional information:
 Detailed problem description
 Production, eval, POC, etc.
 Expected time of resolution by customer
 Showtech attachment (almost always required)
 Topology (highly preferred)
 Trace
 Backup log
205
How to contact AX support

 AX support can be contacted by 3 methods (cont.)
 Support web site
 http://a10networks.com/support
 A support ticket is auto-generated
 An auto-reply email with a ticket number is sent
 What information to provide?
 Same as by email (see previous slide).

206

How to contact AX support

 Priority levels
 Priority 1: Network Down
 Priority 2: Serious Performance Degradation
 Priority 3: Performance Impact, Installation Issue
 Priority 4: Information request

Severity   | Acknowledgement | Response  | Ownership
Priority 1 | < 1 Hour*       | < 1 Hour  | Support Manager
Priority 2 | < 1 Hour        | < 4 Hours | Support Engineer
Priority 3 | < 8 Hours       | < 2 Days  | Support Engineer
Priority 4 | < 8 Hours       | < 4 Days  | Support Engineer

Note: Priority 1 and 2 issues should be reported via phone (1-888-TACS-A10)
* 30 minutes or less

207
How to contact AX support

 Escalation metrics

Escalation           | Level 1              | Level 2 (after 1 hour)      | Level 3 (after 4 hours)     | Level 4 (after 24 hours) | Level 5 (after 7 days)
Priority 1, Critical | TAC Engineer/Manager | Director, Technical Support | VP, Engineering/Sales       | CEO                      |
Priority 2, High     | TAC Engineer         | TAC Manager                 | Director, Technical Support | VP, Engineering/Sales    | CEO
Priority 3, Medium   | TAC Engineer         | TAC Engineer                | TAC Engineer                | TAC Manager              | Flagged
Priority 4, Low      | TAC Engineer         | TAC Engineer                | TAC Engineer                | TAC Engineer             | Flagged (after 14 days)

208

Summary

 In this module, we presented:
 AX Management
 AX troubleshooting techniques and tools
 AX Release Process and how to contact AX support

209
