A10 Networks: AX Planning, Deployment and Management Class
Course AX-DSC-001.12

Table of Contents
- Module 1: Course Introduction
- Module 2: AX Product Line
- Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
- Module 4: FTP, HTTP and HTTPS Protocols
- Module 5: AX Acceleration
- Module 6: AX Security
- Module 7: AX Power and Flexibility
- Module 8: AX Management and Troubleshooting
Course Introduction
Module 1

Module objectives
- Understand the course goals
- Understand the objectives for the students

Goal of this course
- To present the A10 Networks AX product line
- To teach the basic load balancing concepts
- To present the FTP, HTTP and HTTPS protocols
- To teach advanced AX load balancing concepts
- To prepare students to install, configure and manage the AX device

Course map
- Module 2: AX Product Line
- Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
- Module 4: FTP, HTTP and HTTPS Protocols
- Module 5: AX Acceleration Components
- Module 6: AX Security Components
- Module 7: AX Power and Flexibility
- Module 8: AX Management and Troubleshooting
AX Product Line
Module 2

Module objectives
- Understand the AX solution / market
- Understand the AX product portfolio
- Understand the feature set
- Understand the licensing

AX solution / market: AX – new generation load balancers
- New Generation in Design and Performance
- Single CPU or Multi-CPU with instruction blocking

- Server Port HM status
  - WebUI: Monitor > Service > SLB > Server (expand Server)
  - CLI: AX# show slb server <server-name>
Server health monitor
- Health Monitoring is done on the Server
  - If HM fails, that server will be considered down and service groups configured with that specific server will stop using it for load balancing
Note: Default Server health monitor is icmp.
- Server HM configuration
  - WebUI: Config > Service > SLB > Server – "Health Monitor"
  - CLI: AX(config)# slb server <server-name>
         AX(config-real server)# health-check <hm-name>
- Server HM status
  - WebUI: Monitor > Service > SLB > Server (expand Server)
  - CLI: AX# show slb server <server-name>
Common SLB VIP Options
Module 3 – Lesson 2

Source IP persistence
- When to use Source IP persistence
  - Source IP persistence must be used when clients must have their future connections/traffic terminated on the same server

Source IP persistence
- Source IP persistence configuration steps
  1. Create one Source IP Persistence Template
     - Name
     - Type: Port (persistence per VIP:Port), Server (persistence per VIP) or Service-Group (persistence per URL or Host switching – see Module 4 – Lesson 2)
     - Timeout: How long inactive entries are saved (default = 5 minutes)
     - Don't Honor Conn Rules: Ignore connection limits defined on Servers and Server Ports and connect new clients' connections to the Server (default = disabled)
     - Netmask: Granularity of Client IP address hashing (default = 255.255.255.255 for the most granularity)
  2. Assign the Source IP Persistence Template to the Virtual Server Port
Source IP persistence
- Source IP persistence configuration
  - Create one Source IP Persistence Template
    - WebUI: Config > Service > Template > Persistent > Source IP Persistence
    - CLI: AX(config)# slb template persist source-ip <name>
  - Assign the Source IP Persistence Template to the Virtual Server Port
    - WebUI: Config > Service > SLB > Virtual Server > Port
    - CLI: AX(config)# slb virtual-server <name>
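The following is an added example, not A10 code and not part of the course material: a small Python model of the Source IP persistence template fields listed above (netmask granularity, idle timeout, entry per VIP:port). Server addresses and the round-robin choice for new entries are constructed assumptions; the point it shows is how the netmask collapses many clients onto one entry and how the timeout ages entries out.

```python
"""Source IP persistence table modelled on the template fields above.

Added example (not A10 code). Assumptions: the service group is chosen
round-robin for clients with no live entry, and all sample addresses are
constructed.
"""
import ipaddress
import time


class SourceIpPersistence:
    """Persistence keyed by (masked client IP) -> server, for one VIP:port.

    netmask   -- granularity of client hashing (255.255.255.255 = per host)
    timeout_s -- how long an inactive entry is kept (default 5 minutes)
    """

    def __init__(self, servers, netmask="255.255.255.255", timeout_s=300):
        self.servers = list(servers)          # service-group members
        self.netmask = int(ipaddress.IPv4Address(netmask))
        self.timeout_s = timeout_s
        self.table = {}                       # key -> (server, last_seen)
        self._rr = 0                          # round-robin cursor for new keys

    def _key(self, client_ip):
        # Apply the netmask so every host in the masked range shares one entry.
        return int(ipaddress.IPv4Address(client_ip)) & self.netmask

    def select(self, client_ip, now=None):
        """Return the server for this client, creating an entry if needed."""
        now = time.time() if now is None else now
        key = self._key(client_ip)
        entry = self.table.get(key)
        if entry is not None and now - entry[1] <= self.timeout_s:
            server = entry[0]                 # live entry: stay on that server
        else:
            # No live entry: pick the next server round-robin (assumed
            # service-group method) and create a fresh persistence entry.
            server = self.servers[self._rr % len(self.servers)]
            self._rr += 1
        self.table[key] = (server, now)       # every hit refreshes last-seen
        return server

    def expire(self, now=None):
        """Drop entries idle longer than the timeout; returns count removed."""
        now = time.time() if now is None else now
        stale = [k for k, (_, seen) in self.table.items()
                 if now - seen > self.timeout_s]
        for k in stale:
            del self.table[k]
        return len(stale)


def demo():
    """Per-host (/32) versus per-subnet (/24) granularity on constructed clients."""
    servers = ["10.0.0.11", "10.0.0.12"]
    per_host = SourceIpPersistence(servers)
    per_net = SourceIpPersistence(servers, netmask="255.255.255.0")
    t = 1000.0
    return {
        "host_a": per_host.select("192.0.2.10", t),
        "host_b": per_host.select("192.0.2.11", t),     # different host, next server
        "net_a": per_net.select("192.0.2.10", t),
        "net_b": per_net.select("192.0.2.11", t),       # same /24, same server
        "expired": per_host.expire(t + 401),            # both entries idle > 300 s
    }


if __name__ == "__main__":
    print(demo())
```

With the default /32 netmask each client gets its own entry; with a /24 netmask every client behind the same proxy or subnet lands on the same server, which is the trade-off the "Netmask" field exposes.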
- When to use SLB source NAT
  - SLB Source NAT must be used when server responses don't automatically pass through the AX, such as in One-Arm mode or when servers and the AX are in different subnets
Network Address Translation – SLB source NAT
- SLB source NAT configuration steps
  1. Create one IP Source NAT Pool:
     - Name: Name of the template
     - Start IP address: First IP address for the SLB source NAT (can be the AX interface IP address)
     - End IP address: Last IP address for the SLB source NAT (can be the same as "Start IP address")
       Note: If the "Start" and "End IP address" are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows.
     - Netmask: Specify the netmask of the SLB source IP addresses.
       Note: This is used by the "IP Source NAT – Group" when servers are in different subnets (see AX Config Guide for more information).
     - (optional) Gateway: Specify a specific gateway to use to reply to the clients' requests when SLB Source NAT has been used.
     - (optional) "HA Group": Specify the HA group to tie to the SLB source NAT pool.
  2. Assign the SLB Source NAT Pool to the Virtual Server Port

Network Address Translation – SLB source NAT
- SLB source NAT configuration
  1. Create one IP Source NAT Pool:
     - WebUI: Config > Service > IP Source NAT > IPv4 Pool
     - CLI: AX(config)# ip nat pool <pool-name>
  2. Assign the SLB Source NAT Pool to the Virtual Server Port
     - WebUI: Config > Service > SLB > Virtual Server > Port

- Static Layer3 NAT configuration
  - Create IP Static NAT
    - WebUI: Config > Service > IP Source NAT > Static NAT
    - CLI: AX(config)# ip nat inside source static [original-IP@] [NAT-IP@]
  - Or create NAT Range
    - WebUI: Config > Service > IP Source NAT > NAT Range
    - CLI: AX(config)# ip nat range-list […]
Network Address Translation – Layer3 NAT
- Static Layer3 NAT configuration (cont.)
  - Enable inside NAT on AX inside and outside interfaces
    - On the inside interfaces
      - WebUI: Config > Service > IP Source NAT > Interface
      - CLI: AX(config)# interface ethernet #
             AX(config-if:ethernetx)# ip nat inside
    - On the outside interfaces
      - WebUI: Config > Service > IP Source NAT > Interface
      - CLI: AX(config)# interface ethernet #
             AX(config-if:ethernetx)# ip nat outside
  - Enable Static Host Source NAT (if IP Static NAT used)
    - WebUI: Config > Service > IP Source NAT > Global
    - CLI: AX(config)# ip nat allow-static-host

Network Address Translation – Layer3 NAT
- Static Layer3 NAT statistics
  - WebUI: Monitor > Service > IP Source NAT > Static NAT
  - CLI: AX# show ip nat static-binding statistics

Network Address Translation
- Virtual Server Port option "Source NAT traffic against VIP"
  - This option allows the AX administrator to apply the Layer3 NAT settings on the VIP for the internal clients
  - If SLB source NAT is also configured, all clients not using Layer3 NAT will use the SLB source NAT Pool
Summary
- In this module, we discussed:
  - Load Balancing's main goals: server load sharing and high availability of services
  - Load Balancers can be integrated in different ways into existing architectures, all supported by AX
- And also:
  - Configured one AX L4 SLB VIP
  - Explained two common L4 SLB options and their AX configuration: Source IP Persistence and NAT
  - Configured Source IP Persistence, SLB Source NAT and static Layer3 NAT on AX
FTP, HTTP and HTTPS protocols
Module 4

Module objectives
- Understand protocols
  - FTP
  - HTTP
  - HTTPS
- Understand Load Balancing specifics for each
- Configure FTP, HTTP and HTTPS VIPs

FTP protocol
Module 4 – Lesson 1

FTP protocol
- File Transfer Protocol (FTP) RFC is 959 (http://www.w3.org/Protocols/rfc959/)
- FTP is an unencrypted TCP protocol used to transfer files between clients and servers
- FTP has 2 connections
  - Control session
  - Data session

FTP protocol
- FTP Control Session
  - Used for client/server communication. No data is sent on this connection.
  - This session is established from the client to the server (usually on port 21).
- FTP Data session
  - This session is opened "on demand" when there is a need to send data between the client and the server.
  - Used for client/server data exchange only.
Important Notes:
- The Control Session remains open for the duration of the FTP connection
- The data session will be closed at the end of each object transfer. If you transfer 3 files, you'll have 3 data sessions (one at a time).
FTP protocol
- FTP Data session – 2 modes
  There are two data session modes. The mode is negotiated between the client/server on the control session.
  - Active Mode (default)
    - In the control session, the client tells the server what IP and TCP port to use to establish the data connection.
    - The server establishes the data connection to the client, and data requested in the control session can be exchanged.

FTP protocol
- FTP Data session – 2 modes (cont.)
  - Passive Mode
    - In the control session, the server tells the client what IP and TCP port to use to establish the data session.
    - The client establishes the data connection to the server, and data requested in the control session can be exchanged.
Load balancer configuration for FTP applications
- Control session resets
  - During data exchange (in the data session) there is no activity in the control session.
  - Load Balancers track activity on load balanced sessions and flush stale connections. If the data transfer takes too long, the control connection will be dropped.

Load balancer configuration for FTP applications
- Active Mode – Data session established from the server IP@ (not the VIP IP@)
  - Client establishes control connection to the VIP.
  - With Active Mode, the client expects the data session from the VIP IP@ and not the Server IP@.

Load balancer configuration for FTP applications
- Passive Mode – Data session established to the server IP@ (not the VIP IP@)
  - Client establishes control connection to the VIP.
  - With Passive Mode, the client expects to open the data session to the VIP@ and not the Server IP@.

Load balancer configuration for FTP applications
- Control session resets
  - Solution is to increase SLB aging time on Load Balancer
  - However, on AX, control and data session times are linked, so there is no need to update the timer.
Note: AX default aging time is 120 seconds
Load balancer configuration for FTP applications
- AX configuration to update the default aging timer
  For example, to allow users to spend more than 120 seconds between FTP commands.
  1. Create a TCP template with 15,000 seconds Idle Timeout
     - WebUI: Config > Service > Template > L4 > TCP
     - CLI: AX(config)# slb template tcp <name>
            AX(config-l4 tcp)# idle-timeout 15000
  2. Assign the TCP template to the Virtual Server Port
     - WebUI: Config > Service > SLB > Virtual Server > Port
     - CLI: AX(config)# slb virtual-server <name>
            AX(config-slb vserver)# port N tcp
            AX(config-slb vserver-vport)# template tcp <name>
- Show aging time of SLB entries
  - CLI: AX# show session […]

Load balancer configuration for FTP applications
- Active Mode – Data session established from the server IP@ (not VIP IP@)
  - Load Balancers need to automatically Source NAT the data connection from the servers with the VIP IP@.
  - This is done automatically on AX when the SLB VIP is defined as FTP type
  - AX configuration:
    - WebUI: Config > Service > SLB > Virtual Server > Port
    - CLI: AX(config)# slb virtual-server <name>
           AX(config-slb vserver)# port N ftp

Load balancer configuration for FTP applications
- Passive Mode – Data session established to the server IP@ (not the VIP IP@)
  - Load Balancers need to automatically Source NAT the data connection from the servers with the VIP IP@.
  - This is done automatically on AX when the SLB VIP is defined as service type FTP
  - AX configuration:
    - WebUI: Config > Service > SLB > Virtual Server > Port
    - CLI: AX(config)# slb virtual-server <name>
           AX(config-slb vserver)# port N ftp
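To make concrete why an FTP-type VIP has to inspect the control session, here is an added example (Python, not A10 code and not from the course): it parses the two control-session messages that carry data-channel endpoints, the client's PORT command (active mode) and the server's 227 reply (passive mode), and rewrites the 227 reply so the client is told the VIP address rather than the real server address. The VIP and server addresses are constructed; how the AX implements this internally is not shown on the page.

```python
"""FTP data-channel endpoints on the control session, behind a VIP.

Added example (not A10 code). The PORT command and the 227 reply both carry
an address as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2). A load balancer that
is not FTP-aware forwards these untouched, so the client learns the real
server address; an FTP-aware VIP rewrites the 227 reply to the VIP and keeps
the (server, port) pair to NAT the client's data connection to the right
backend. All addresses below are constructed sample values.
"""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", port); None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None                       # octet or port byte out of range: reject
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def format_hostport(ip, port):
    """Encode ("a.b.c.d", port) in the comma-separated FTP form."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def parse_port_command(line):
    """Active mode: 'PORT h1,h2,h3,h4,p1,p2' names where the server must connect.

    The server then opens the data connection itself, so the load balancer
    must source-NAT that connection to the VIP address the client expects.
    """
    if not line.upper().startswith("PORT "):
        return None
    return parse_hostport(line)


def rewrite_pasv_reply(line, vip):
    """Passive mode: replace the real server IP in a '227' reply with the VIP.

    Returns (rewritten_line, (server_ip, port)); for any other reply the line
    is returned unchanged with None, so non-227 traffic is never touched.
    """
    if not line.startswith("227"):
        return line, None
    endpoint = parse_hostport(line)
    if endpoint is None:
        return line, None                 # 227 without a parseable endpoint
    server_ip, port = endpoint
    new_line = _HOSTPORT.sub(format_hostport(vip, port), line, count=1)
    return new_line, (server_ip, port)


if __name__ == "__main__":
    print(parse_port_command("PORT 192,0,2,10,4,1"))
    print(rewrite_pasv_reply("227 Entering Passive Mode (10,0,0,11,195,80)", "203.0.113.5"))
```

The port arithmetic is the same in both directions, which is why one helper serves the PORT command and the 227 reply; the difference between the modes is only who connects to whom, and therefore whether the load balancer must rewrite the address the client reads (passive) or NAT the source of the server's own connection (active).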
HTTP protocol
Module 4 – Lesson 2

HTTP protocol
- HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
- HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80)
Note: HTTPS uses the same protocol with explicit SSL encryption for higher security (usually on port 443)
- HTTP is a sequence of network request/response transactions
Important Note: Browsers open multiple TCP sessions to download multiple objects from 1 web site in parallel (2 sessions with IE5.5/6.0, 6 sessions with IE8, 15 sessions with Firefox 3.x)
- Request and response options are sent via headers
HTTP requests
- Main request methods
  - "GET url": Request object from server
  - "POST url": Send data/object to server
  - Others: HEAD, CONNECT
Important Note: The Host (such as www.a10networks.com) is not part of the url, but is listed in the "Host" header in the request
- Main request headers
  - "Host": Site name
  - "Connection: Keep-Alive": Client support for using the same session for multiple request/response transactions
  - "Accept-Encoding: gzip, deflate": Support for HTTP compression
  - "Cookie": Text used to keep track of user information

HTTP responses
- Main server response codes
  - 200: OK (object in the response)
  - 301: Redirect permanently
  - 302: Temporary redirect
  - 304: Not Modified
  - 404: Page not found
  - 5xx: Server error
- Main response headers
  - "Last-Modified": When object was last modified
  - "Etag": Entity tag (used to detect object changes)
  - "Connection: Keep-Alive": Server support for using the same session for multiple request/response transactions
  - "Set-Cookie": Asks user to save cookie to keep track of user information
  - "Cache-Control" / "Pragma": Cacheability of the object

HTTP example (using HttpFox)
Load balancer configuration for HTTP applications
- Load Balancers don't need a specific configuration for basic HTTP load balancing – any L4 SLB VIP works for HTTP services
- However, advanced load balancers provide techniques for improving HTTP services
  - Better Availability (see below)
  - Better Flexibility (see below and Module 7 – aFleX)
  - Better Performance/Acceleration (see Module 5)
  - Better Security (see below and Module 6)

Load balancer configuration for HTTP applications – greater availability
- HTTP Health Monitor
  - AX provides the ability to test HTTP/HTTPS services using Health Monitors
  - HTTP/HTTPS Health Monitors have the following required parameters:
    - Port: TCP port
    - Method (GET or HEAD or POST)
    - URL
  - And the following optional parameters:
    - User + Password: For web sites that require authentication
    - Expect: Server Response code or Server text
    - Maintenance Code: To automatically mark the server in maintenance, rather than down (so users with persistence to that server remain on that server)
Load balancer configuration for HTTP applications – greater flexibility
- AX offers advanced flexibility options for web applications
- These options are available via HTTP templates
  - WebUI: Config > Service > Template > Application > HTTP
  - CLI: AX(config)# slb template http <name> […]
- HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"

Load balancer configuration for HTTP applications – greater flexibility
- HTTP template options
  - URL Hash switching
    - Load Balancing of Servers is done based on a hash of the URL (beginning or end of the URL).
    - This option is usually used for Web Cache load balancing.
  - Host/URL switching
    - Selection of Servers is done based on Host or URL (beginning or end).
    - This option also is usually used for Web Cache load balancing.
  - Request/Response Header Erasure/Insertion
    - Allows the AX to insert or remove
      - client request headers (such as "Accept-Encoding")
      - server response headers (such as "Cache-Control")
    - This option usually is used to centrally change web server behavior without changing the web servers' configuration.

Load balancer configuration for HTTP applications – greater flexibility
  - Allows HTTP/HTTPS load balancing per request (instead of per session).
  - This option usually is used when the load among the Servers is unequal.
Load balancer configuration for HTTP applications – greater security
- AX offers advanced security options for web applications
- These options are available via HTTP templates
  - WebUI: Config > Service > Template > Application > HTTP
  - CLI: AX(config)# slb template http <name> […]
- HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
Note: Some of the following options can be considered as availability and flexibility options too.

Load balancer configuration for HTTP applications – greater security
- URL failover
  - When all servers are disabled or have failed, the AX can send an HTTP redirect to a "backup site" or "sorry page".
  - This option usually is used with "backup sites" or "sorry pages".

Load balancer configuration for HTTP applications – greater security
- URL redirect / rewrite
  - When the Server replies with an HTTP redirect, the AX can rewrite it with a new value.
  - This option usually is used for transparent "SSL-ization" of HTTP web applications.

Load balancer configuration for HTTP applications – greater security
- Retry HTTP request on HTTP 5xx
  - When the Server replies with a 5xx error, by default the AX forwards it to the client. The retry option allows the AX to resend the request to another Server in the Service Group.
  - The following options are available:
    - "On HTTP 5xx code for each request": The client request is resent to a new server
    - "On HTTP 5xx code": The client request is resent to a new server + the server that replied with the 5xx is not used for new requests for 30 seconds
    - "#": Number of servers that can be tried
    - Logging: Generates logs when this event happens (not available in WebUI in AX 2.4.2)
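The retry options above combine into a small state machine; the following Python is an added example (not A10 code and not from the course) that models the two modes, the "#" limit on servers tried, the 30-second quarantine from the slide, and the logging option. The backend callback, the round-robin service group and the addresses are constructed assumptions.

```python
"""HTTP 5xx retry with optional server quarantine, modelled on the slide.

Added example (not A10 code). Assumptions: the service group is round-robin,
`backend(server, request)` stands in for forwarding and returns the status
code, and all addresses are constructed.
"""
import time


class RetryOn5xx:
    """mode='per-request': resend to another server on each 5xx.
    mode='quarantine':  as above, plus the failing server is skipped for
                        new requests for `quarantine_s` seconds (slide: 30).
    max_servers is the "#" option: how many servers one request may try."""

    def __init__(self, servers, mode="per-request", max_servers=2, quarantine_s=30):
        if mode not in ("per-request", "quarantine"):
            raise ValueError("mode must be 'per-request' or 'quarantine'")
        self.servers = list(servers)
        self.mode = mode
        self.max_servers = max_servers
        self.quarantine_s = quarantine_s
        self.blocked_until = {}       # server -> time it becomes usable again
        self._rr = 0
        self.log = []                 # "Logging" option: one line per retry event

    def _candidates(self, now):
        """Usable servers, rotated so each request starts on a different one."""
        usable = [s for s in self.servers if self.blocked_until.get(s, 0) <= now]
        start = self._rr % max(len(usable), 1)
        self._rr += 1
        return usable[start:] + usable[:start]

    def send(self, request, backend, now=None):
        """Forward `request`; on a 5xx, resend to the next server up to max_servers.

        Returns (status, server). If every tried server answers 5xx, the last
        5xx is what the client receives, as in the default behaviour.
        """
        now = time.time() if now is None else now
        status, used, tried = 503, None, 0
        for server in self._candidates(now):
            if tried >= self.max_servers:
                break
            tried += 1
            status, used = backend(server, request), server
            if status < 500:
                return status, used
            self.log.append("%s -> %d on %s" % (request, status, server))
            if self.mode == "quarantine":
                self.blocked_until[server] = now + self.quarantine_s
        return status, used


def demo():
    """Constructed backend: 10.0.0.11 always fails, 10.0.0.12 always succeeds."""
    def backend(server, request):
        return 500 if server == "10.0.0.11" else 200

    lb = RetryOn5xx(["10.0.0.11", "10.0.0.12"], mode="quarantine", max_servers=2)
    first = lb.send("GET /a", backend, now=0.0)      # .11 fails, .12 serves it
    second = lb.send("GET /b", backend, now=1.0)     # .11 still quarantined
    third = lb.send("GET /c", backend, now=31.0)     # .11 tried again after 30 s
    return first, second, third, list(lb.log)


if __name__ == "__main__":
    print(demo())
```

Resending a request is only safe when the request is idempotent; a POST that already reached a server and produced a 5xx after changing state would be executed twice by the retry, so the option is best scoped to VIPs serving idempotent traffic.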
Load balancer configuration for HTTP applications – greater security
- Client IP header insertion
  - In Web server logs, the client IP address is logged. Web servers retrieve the client IP information from the source IP address.
  - Some AX advanced HTTP options (Connection Reuse or Source NAT) force the AX to establish the connection to the server with an AX IP address. In these cases, the Web server loses the client IP address information.
  - To allow Web Servers to log Client IP address information, the AX can inject the Client IP information in a request header.
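Both ends of that header need care, so here is an added example (Python, not A10 code and not from the course) showing the load balancer side, which replaces any copy of the header the client sent with the real TCP source, and the web server side, which trusts the header only when the connection arrives from the load balancer's source NAT pool. The header name X-Forwarded-For, the NAT pool range and the addresses are assumptions; the slide does not say which header the AX inserts.

```python
"""Client IP header insertion (load balancer) and safe consumption (web server).

Added example (not A10 code). Assumptions: the header is X-Forwarded-For
(the slide does not name it), the load balancer's source NAT pool is
10.0.0.0/29, and all addresses are constructed.
"""
import ipaddress

LB_SNAT_POOL = ipaddress.ip_network("10.0.0.0/29")   # assumed SLB source NAT pool
HEADER = "X-Forwarded-For"                           # assumed header name


def insert_client_ip(headers, client_ip):
    """Load balancer side: set HEADER to the client's real TCP source address.

    Any same-named header supplied by the client is removed first, so the
    value the server logs is always the one the load balancer observed.
    `headers` is a list of (name, value) pairs; a new list is returned.
    """
    cleaned = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
    cleaned.append((HEADER, client_ip))
    return cleaned


def client_ip_for_log(headers, tcp_peer):
    """Web server side: which address should the access log record?

    Trust HEADER only when the TCP peer is inside the load balancer's NAT
    pool (the header was necessarily set by the load balancer); otherwise,
    or if the value is not an IP address, log the TCP peer itself.
    """
    if ipaddress.ip_address(tcp_peer) not in LB_SNAT_POOL:
        return tcp_peer
    for k, v in headers:
        if k.lower() == HEADER.lower():
            try:
                return str(ipaddress.ip_address(v.strip()))
            except ValueError:
                break                      # unparseable value: fall back to peer
    return tcp_peer


def demo():
    """A constructed request that arrives with its own copy of the header."""
    inbound = [("Host", "www.example.com"), ("X-Forwarded-For", "192.0.2.99")]
    outbound = insert_client_ip(inbound, "198.51.100.7")  # real client source
    return outbound, client_ip_for_log(outbound, "10.0.0.3")


if __name__ == "__main__":
    print(demo())
```

The server-side rule matters as much as the insertion: without the peer check, a web server reachable directly (not only through the VIP) would log whatever the sender wrote into the header.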
HTTPS protocol
Module 4 – Lesson 3

HTTPS protocol
- HTTPS (HTTP over TLS) RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)
- HTTPS is the "secured" version of HTTP (usually port 443)
- HTTPS offers
  - Server Authentication (with server certificates)
  - TLS/SSL is based on public certificates / private keys
  - Certificates are issued and signed by a Certificate Authority (CA)
  - HTTPS clients first request the server public certificate and validate it using a list of trusted CAs
  - When the server certificate is validated (name, date, etc.), the client sends its HTTP requests

How does the encryption work?
- Once the server is trusted, the client and server negotiate a "session key" to encrypt the traffic
- The session key is negotiated via an asymmetric encryption protocol using long keys (usually 2048 bits)
Note: This step is very CPU intensive (asymmetric encryption)
- Once the session key is negotiated, the HTTPS client requests / server responses are sent encrypted
Note: Less CPU intensive (symmetric encryption)
Note: If the client re-establishes a new TCP session before the session key expires, it will propose to the server to use it (SSL session ID reuse option). The server can accept or refuse it. If refused, a new session key is negotiated.
Load balancer configuration for HTTPS applications
- Load balancers don't need a specific configuration for HTTPS load balancing – any L4 SLB VIP works for HTTPS services
- However, advanced load balancers provide techniques to improve HTTPS services
  - Better Availability (see Module 4 – Lesson 2)
  - Better Flexibility (see Module 4 – Lesson 2 and Module 7 – aFleX)
  - Better Performance/Acceleration (see Module 5)
  - Better Security (see Module 4 – Lesson 2 and Module 6)

Load balancer configuration for HTTPS applications
- AX offers advanced flexibility/performance/security options for HTTPS applications
- These options are available via HTTP templates
  - WebUI: Config > Service > Template > Application > HTTP
  - CLI: AX(config)# slb template http <name> […]
- HTTP templates are associated with virtual server ports of type "HTTP" or "HTTPS".

HTTPS communication with clients
- Client SSL templates
  - To enable HTTPS communication with the Clients
  - Client SSL template
    - Public certificate that will be presented to Clients
    - Private key (and its passphrase)
    - SSL ciphers supported ("encryption algorithms")
    - (optional) Client certificate request

HTTPS communication with clients
- HTTPS communication with clients – configuration
  1. Import SSL public certificates and private key on the AX
     Note: Self-Signed certificates can be created on the AX too
     - WebUI: Config > Service > SSL Management > Certificate
     - CLI: AX(config)# import ssl-cert <name>

- And also:
  - Explained the specific Load Balancer configuration required for each protocol
  - Explained specific Load Balancer options available for each protocol for better availability, flexibility, performance and security
  - Configured FTP, HTTP, and HTTPS VIPs on the AX
AX Acceleration
Module 5

Module objectives
- Understand the advanced AX options for acceleration
  - Connection Reuse
  - SSL offload
  - HTTP compression
  - RAM Caching
- Configure advanced AX options for acceleration

Connection reuse
- Web servers need to manage:
  - New clients (open new sessions)
  - Clients leaving (close sessions)
  - Maintaining all connected clients' sessions
Note: Web browsers keep their TCP connections open – even when all objects have been loaded

Connection reuse
- Connection Reuse offloads the server TCP stack
- This option provides faster server response time and higher server scalability
- Connection reuse
  - Terminates all clients' connections on the AX
  - Maintains persistent connections to the Servers
  - Sends all clients' requests on the same persistent connections
Note: Connection Reuse requires SLB Source NAT
Note 2: HTTP Keep-alive should be enabled on the web servers

Connection reuse
- Connection reuse – configuration
  1. Create a Connection Reuse template
Note: On AX models with a Hardware Based Compression module, you need to enable Hardware Based Compression first
  - WebUI: Config > Service > SLB > Global
  - CLI: AX(config)# slb hw-compression

- AX RAM Caching for dynamic objects
  - Allows the AX to cache non-static objects
  - Need to understand application behavior to determine cacheability
    - What is to be cached?
    - How long is the cached content valid?
    - What is the trigger that would cause the response to change?
  - Parameterized requests
    - The URL matches a specific pattern.
    - Specific query parameters are present.
    - Specific cookies in the request are present.
    - Specific HTTP headers in the request are present.
  - Policies
    - Cacheability rules determine what is cacheable and what is not
    - Invalidation rules
RAM Caching
- When not to use dynamic caching
  - The response sets cookies specific to that session.
    - Example: the response to a login page
  - The response contains data specific to a previous action in the session.
    - Example: a confirmation number for a transaction that was just executed
  - The life of a response is indeterminate; that is, the response contains data that becomes stale based on a future action.
    - Example: the portfolio page of a brokerage account user changes when the user executes transactions.
  - Different versions of the response cannot be distinguished by using the URL, query parameters, or cookies in the request.
    - Example: the response contains personalized settings, such as the user name, but no query parameter or cookie directly identifies the user.

RAM Caching
- Dynamic caching – caching policies
  - Caching policies can be used to override/augment standard HTTP behavior
  - Policies are specified as follows:
      policy <condition> <action>
    Where:
      <condition> is of the form uri <pattern>
      <action> is cache <seconds>, no-cache, or invalidate <entry>
Note: More sophisticated conditions will be supported in future using aFleX policies
  - Policies are evaluated in the order they are specified. The action in the first policy that matches will be applied.

RAM Caching
- Dynamic caching example
  - Let's say there is a web application with the following URLs:
    - http://x.y.com/list lists all items from database
    - http://x.y.com/add?a=p1&b=p2 adds item to database
    - http://x.y.com/del?c=p3 deletes item from database
    - http://x.y.com/private?user=u1 private info for user
  - This is a simple example, but is also a very common scenario, and is representative of many sites on the web today.
  - In this case, the list URI will be hit by a lot of users. Thus it would make sense to cache the URI as long as it remains up to date.
  - However, when the user does an add/delete operation, or one of the other URIs arrives, the database would change and the cached list will have to be refreshed.
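The policy syntax and the example URLs above are enough to run the scenario end to end, so here is an added example (Python, not A10 code and not from the course) that parses `policy uri <pattern> <action>` lines, evaluates them first-match in order, caches `/list`, invalidates it on `/add` and `/del`, and never caches `/private`. The wildcard matcher (fnmatch), the cache store and the origin callback are assumptions made so the example runs; the AX's own matching rules are not detailed on the page.

```python
"""First-match evaluation of dynamic caching policies for the slide's example.

Added example (not A10 code). The policy grammar is the one the slide gives;
fnmatch-style pattern matching on the URI path, the in-memory store and the
`origin(uri)` callback standing in for the real server are assumptions.
"""
import fnmatch
from urllib.parse import urlsplit

# Policies for the slide's application, evaluated top to bottom.
POLICIES = [
    "policy uri /list cache 60",          # cache the hot listing for 60 s
    "policy uri /add invalidate /list",   # writes make the listing stale
    "policy uri /del invalidate /list",
    "policy uri /private no-cache",       # per-user data: never cache
]


def parse_policy(line):
    """'policy uri /list cache 60' -> {'pattern': '/list', 'action': 'cache', 'arg': 60}."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "policy" or parts[1] != "uri":
        raise ValueError("expected: policy uri <pattern> <action> [arg]: %r" % line)
    pattern, action = parts[2], parts[3]
    if action == "cache":
        return {"pattern": pattern, "action": "cache", "arg": int(parts[4])}
    if action == "no-cache":
        return {"pattern": pattern, "action": "no-cache", "arg": None}
    if action == "invalidate":
        return {"pattern": pattern, "action": "invalidate", "arg": parts[4]}
    raise ValueError("unknown action %r" % action)


class DynamicCache:
    def __init__(self, policy_lines):
        self.policies = [parse_policy(l) for l in policy_lines]
        self.store = {}            # uri path -> (body, expires_at)
        self.hits = 0

    def decide(self, uri):
        """First matching policy wins; no match means standard (uncached) handling."""
        path = urlsplit(uri).path
        for p in self.policies:
            if fnmatch.fnmatch(path, p["pattern"]):
                return p
        return {"pattern": None, "action": "no-cache", "arg": None}

    def handle(self, uri, origin, now):
        """Serve `uri` from cache when the policy allows, else from origin(uri)."""
        path = urlsplit(uri).path
        p = self.decide(uri)
        if p["action"] == "invalidate":
            # The request itself changes backend state: drop the named entry
            # before forwarding, so the next /list is fetched fresh.
            self.store.pop(p["arg"], None)
            return origin(uri)
        if p["action"] == "cache":
            cached = self.store.get(path)
            if cached and cached[1] > now:
                self.hits += 1
                return cached[0]
            body = origin(uri)
            self.store[path] = (body, now + p["arg"])
            return body
        return origin(uri)


def demo():
    """Replays the slide's scenario against a constructed origin that counts fetches."""
    fetches = []

    def origin(uri):
        fetches.append(uri)
        return "items-v%d" % len(fetches)

    c = DynamicCache(POLICIES)
    seq = [c.handle("http://x.y.com/list", origin, 0),       # miss: v1
           c.handle("http://x.y.com/list", origin, 10),      # hit:  v1
           c.handle("http://x.y.com/add?a=p1&b=p2", origin, 11),  # invalidates
           c.handle("http://x.y.com/list", origin, 12)]      # miss: v3
    return seq, c.hits


if __name__ == "__main__":
    print(demo())
```

Ordering matters: because evaluation stops at the first match, a broad `cache` pattern placed above `/private` would cache the personalised page; listing the `no-cache` and `invalidate` rules before any wildcard cache rule avoids that.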
RAM Caching
- WebUI configuration for the example

Summary
- In this module, we presented the AX acceleration options:
  - Connection Reuse
  - SSL offload
  - HTTP compression
  - RAM Caching
- And also configured them on the AX.

AX Security
Module 6

Module objectives
- Understand the advanced AX options for security
  - DDoS protection
  - PBSLB
  - ACL
  - Management security
  - High Availability (HA)
- Configure HA on AX devices

Points to keep in mind
- Some advanced HTTP/HTTPS security options are detailed in Module 4 (HTTP Templates)
- This module (Module 6) presents other AX advanced security options
Note: aFleX (covered in Module 7) also can be considered a security option
DDoS protection
- AX provides enhanced protection against DDoS (Distributed Denial of Service) attacks
Note: AX 2200 / AX 3100 / AX 3200 / AX 5100 / AX 5200 provide DDoS protection in hardware. Other models provide DDoS protection in software.
- Advanced DDoS filters are also available with system-wide PBSLB
  - Invalid HTTP or SSL payload or DNS
  - Zero-Length TCP Window
  - Out-of-sequence packet
Note: PBSLB is detailed on the next slide.
- Advanced DDoS configuration
  - CLI only: AX(config)# ip anomaly-drop <DDoS-type> [threshold]
- Basic and advanced DDoS statistics
  - WebUI (basic only): Monitor > Service > Application > Switch
  - CLI (basic only): AX# show slb switch […]
  - CLI (basic only): AX# show slb l4 and show pbslb client [ip@]
Policy-based SLB
- Policy-based SLB (PBSLB) allows "black lists" and "white lists" with individual clients or subnets
Note: IPv6 addresses are not supported in PBSLB.
- PBSLB denies client traffic based on:
  - IP address / subnet
  - (optional) # of connections from that IP address / subnet
  - (optional) can permit client, but select another Service Group

Policy-based SLB
- PBSLB specifics
  - Large list support
    - Up to 8 M IP addresses
    - Up to 64 K IP subnets
    - Up to 32 group IDs
  - Highly efficient
    - B/W lists are stored in hash tables
    - Can process Gbps of traffic
  - Automatic B/W list support
    - AX can update its B/W lists automatically at specific intervals via TFTP

- PBSLB components
  - PBSLB is a list of text entries, as follows:

  - WebUI: Config > Service > SLB > Virtual Server > Port
  - CLI: AX(config)# slb virtual-server <name>
         AX(config-slb vserver)# port N <type>
         AX(config-slb vserver-vport)# access-list <name>
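To show how the PBSLB behaviours described above fit together (hash-table lookup for hosts, subnet entries, the optional per-source connection limit and the optional alternate service group), here is an added example in Python. It is not A10 code and not from the course: the page does not show the AX list file syntax, so the `<ip|cidr> <black|white> [limit N] [group G]` line format parsed here, and all addresses, are constructed assumptions. IPv4 only, as the slide notes.

```python
"""Policy-based SLB black/white list lookup and admission decision.

Added example (not A10 code). Assumed list line format:
    <ip|cidr> <black|white> [limit N] [group G]   # comment
Exact /32 entries go into a dict (the hash-table lookup the slide mentions);
subnets are scanned longest-prefix first. `limit` caps concurrent
connections from one white-listed source; `group` overrides the service
group for permitted clients.
"""
import ipaddress


class PBSLB:
    def __init__(self, lines):
        self.hosts = {}        # int(ipv4) -> rule, O(1) lookup for /32 entries
        self.subnets = []      # (network, rule), sorted longest prefix first
        self.conns = {}        # source ip -> current connection count
        for line in lines:
            line = line.split("#", 1)[0].strip()   # drop comments and blanks
            if line:
                self._add(line)
        self.subnets.sort(key=lambda nr: nr[0].prefixlen, reverse=True)

    def _add(self, line):
        parts = line.split()
        net = ipaddress.ip_network(parts[0], strict=False)
        if net.version != 4:
            raise ValueError("PBSLB lists are IPv4 only: %s" % parts[0])
        if parts[1] not in ("black", "white"):
            raise ValueError("action must be black or white: %r" % line)
        rule = {"action": parts[1], "limit": None, "group": None}
        i = 2
        while i + 1 < len(parts):                  # optional key/value pairs
            if parts[i] == "limit":
                rule["limit"] = int(parts[i + 1])
            elif parts[i] == "group":
                rule["group"] = int(parts[i + 1])
            i += 2
        if net.prefixlen == 32:
            self.hosts[int(net.network_address)] = rule
        else:
            self.subnets.append((net, rule))

    def lookup(self, ip):
        """Most specific rule for `ip`: exact host first, then longest subnet."""
        addr = ipaddress.ip_address(ip)
        rule = self.hosts.get(int(addr))
        if rule is not None:
            return rule
        for net, r in self.subnets:
            if addr in net:
                return r
        return None

    def admit(self, ip, default_group=1):
        """Decide for a new connection: ('deny', None) or ('permit', service_group)."""
        rule = self.lookup(ip)
        if rule is None:
            return "permit", default_group         # unlisted: normal SLB
        if rule["action"] == "black":
            return "deny", None
        count = self.conns.get(ip, 0) + 1          # white: enforce optional limit
        if rule["limit"] is not None and count > rule["limit"]:
            return "deny", None
        self.conns[ip] = count
        group = rule["group"] if rule["group"] is not None else default_group
        return "permit", group

    def release(self, ip):
        """Connection closed: free one slot for the per-source limit."""
        if self.conns.get(ip, 0) > 0:
            self.conns[ip] -= 1


# Constructed sample list: a blocked /24 with one allowed host inside it.
SAMPLE_LIST = [
    "192.0.2.0/24 black",
    "192.0.2.77/32 white limit 2 group 3   # host override, steered to group 3",
    "198.51.100.0/24 white limit 1",
]

if __name__ == "__main__":
    p = PBSLB(SAMPLE_LIST)
    for src in ("192.0.2.5", "192.0.2.77", "198.51.100.9", "203.0.113.1"):
        print(src, p.admit(src))
```

Because the /32 host entry is consulted before any subnet, a single allowed host inside a blocked range works without splitting the range, which is what keeps the host table small enough to hold millions of entries in a hash table.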
Access Control Lists
- ACL statistics
  - CLI (only): AX# show access-list

Management security
- AX provides advanced management security options
  - Multiple management accounts with distinct levels of access
  - Interface level access for individual access types (ICMP / Telnet / SSH / HTTP / HTTPS / SNMP)
  - Management account lockout in response to excessive invalid passwords
  - External Authentication support with RADIUS and TACACS+
  - Private partitions
Note: See AX Series Configuration Guide for more information
High Availability (HA)
- High Availability Design Options
  - Active-Standby mode
  - Active-Active mode
  - Layer 2/3 Hot Standby mode

High Availability (HA)
- Active-Standby Mode
  - Active AX processes all the production traffic
  - Standby AX does not process any production traffic
  - Standby AX mirrors all session information from Active AX
  - Reliability is scaled but not performance

High Availability (HA)
- Active-Standby Failover
  - Peer AX elected as active
  - Gratuitous ARPs for virtual, floating and NAT IPs are sent
  - Existing mirrored sessions are picked up by newly elected active AX
  - New sessions are served by newly elected active AX

High Availability (HA)
- Active-Active Mode
  - Both AX units process the production traffic
  - Session and state information is mirrored between both AX units
  - Performance is scaled in addition to reliability
Note: Don't exceed 50% utilization on each unit for full HA

High Availability (HA)
- Active-Active Failover
  - Peer AX is elected active for HA group 2 and sends gratuitous ARPs for virtual IPs, floating IPs, and NAT IPs
  - Existing mirrored sessions are picked up by peer AX
  - Peer AX serves requests for both HA groups

High Availability (HA)
- L2/3 Hot Standby Mode
  - Active AX processes all the production traffic
  - Standby AX does not process any production traffic
  - Standby AX mirrors all session information from Active AX
  - Standby becomes non-forwarding but is reachable for management traffic, sends and receives HA heartbeats, receives sync sessions from peer, and performs health checks
Note: Loop elimination protocols such as STP are not required

High Availability (HA)
- L2/3 Hot Standby Failover
  - Peer AX elected new active
  - Gratuitous ARPs for virtual, floating and NAT IPs are sent
  - New active becomes fully forwarding and existing mirrored sessions continue

High Availability
- All AX integration modes support HA
  - Routed mode
    - Active-Standby, Active-Active and L3 Hot Standby modes
  - One-Arm mode
    - Active-Standby, Active-Active and L3 Hot Standby modes
  - Transparent mode
    - L2 Hot Standby mode
  - DSR mode
    - Active-Standby, Active-Active and L3 Hot Standby modes
High Availability
- HA Active-Standby Mode – configuration steps
  1. Configure HA interfaces
     - All interfaces used with production traffic (+ AX interlink if it exists)
     Note: We recommend a dedicated direct interlink between the AX units so sync traffic is off the production network.
  2. Configure HA Global settings
     - Identifier (AX1 = 1, AX2 = 2)
     - HA Status: Enabled
     - (optional) HA Mirroring IP address: Remote AX Sync interface
     - (optional) Preempt: to fail over to a higher-priority AX when available
     - Group1 with priority 200 on AX1 (priority 100 on AX2)
     - Floating VIP for Group1: IP addresses defined on servers' gateway (VRRP-like)
     - (optional) IP@ and VLAN check
       Note: IP@ have to be defined as SLB-Server too

High Availability
- HA Active-Standby Mode – configuration steps (cont.)
  3. Configure VIP HA settings
     - In VIP settings, associate HA Group with the VIP
     - (optional) Enable Dynamic Server Weight: Reduce the AX HA Group priority when a server is down
     - (optional) Enable HA Connection Mirroring on the VIP ports: To synchronize SLB session table (available for TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
     Note: For HTTP/HTTPS VIP types, the client session is terminated on the AX device. HA Connection Mirroring is not available for these VIP types.
  4. Configure NAT pool HA settings
     - In IP Source NAT, associate the HA Group with IPv4 Pools, IPv6 Pools, NAT Ranges, or Static NAT.

High Availability
- HA Active-Active Mode – configuration steps
  - Same as Active-Passive with two groups defined
  - Step 2:
    - Group1 with priority 200 on AX1 (priority 100 on AX2)
    - Group2 with priority 100 on AX1 (priority 200 on AX2)
  - Step 3:
    - Associate Group1 with half of the VIPs and Group2 with the second half
  - Step 4:
    - Associate Group1 with the NAT Pools used by VIPs in Group1 and Group2 with the NAT Pools used by VIPs in Group2
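The priorities, preempt option and dynamic server weight from the steps above determine which unit owns each HA group; the following Python is an added example (not A10 code and not from the course) that runs that election for the Active-Standby and Active-Active configurations. Two assumptions are made because the page does not state them: dynamic server weight is modelled as a fixed decrement of the group priority per failed server, and ties are broken in favour of the lower HA identifier.

```python
"""HA group election with the priorities from the configuration steps.

Added example (not A10 code). Assumptions: highest effective priority owns
a group; without preempt the current active keeps a group until it dies;
with preempt a strictly higher priority takes it over; "dynamic server
weight" is an assumed fixed decrement per down server; ties go to the
lower identifier (AX1 = 1, AX2 = 2).
"""


class HaUnit:
    def __init__(self, ident, priorities, dynamic_weight=0):
        self.id = ident                     # HA identifier (AX1 = 1, AX2 = 2)
        self.base = dict(priorities)        # group -> configured priority
        self.failed_servers = {}            # group -> number of down servers
        self.dynamic_weight = dynamic_weight

    def priority(self, group):
        """Effective priority: configured value minus weight per down server."""
        down = self.failed_servers.get(group, 0)
        return self.base[group] - self.dynamic_weight * down


class HaPair:
    def __init__(self, ax1, ax2, preempt=False):
        self.units = {ax1.id: ax1, ax2.id: ax2}
        self.preempt = preempt
        self.active = {}                    # group -> unit id currently active
        self.alive = {ax1.id: True, ax2.id: True}

    def elect(self):
        """Re-run the election for every group; returns {group: active unit id}."""
        for group in sorted(self.units[min(self.units)].base):
            live = [u for u in self.units.values() if self.alive[u.id]]
            if not live:
                self.active.pop(group, None)
                continue
            best = max(live, key=lambda u: (u.priority(group), -u.id))
            current = self.active.get(group)
            if current is not None and self.alive[current]:
                # A living active keeps the group unless preempt is on and
                # the challenger's priority is strictly higher.
                if not self.preempt or \
                        best.priority(group) <= self.units[current].priority(group):
                    continue
            self.active[group] = best.id    # failover: gratuitous ARPs would go out here
        return dict(self.active)


def demo():
    """Active-Active pair (group 1 homed on AX1, group 2 on AX2) with preempt."""
    ax1 = HaUnit(1, {1: 200, 2: 100}, dynamic_weight=150)
    ax2 = HaUnit(2, {1: 100, 2: 200}, dynamic_weight=150)
    pair = HaPair(ax1, ax2, preempt=True)
    steady = pair.elect()
    ax1.failed_servers[1] = 1               # a server behind group 1's VIPs goes down
    degraded = pair.elect()                 # group 1 moves to AX2, group 2 stays
    ax1.failed_servers[1] = 0
    recovered = pair.elect()                # preempt: AX1 takes group 1 back
    return steady, degraded, recovered


if __name__ == "__main__":
    print(demo())
```

The weight has to be large enough to drop below the peer's priority (here 200 - 150 = 50 against 100) or a server failure changes nothing; that is the sizing question to answer when enabling Dynamic Server Weight.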
149
High Availability
� HA Layer2/3 Mode – configuration steps� Same as Active-Passive except for step 2
2. Configure HA Inline Mode� Enable� Preferred port: Port used to sync configuration and sessions� (optional) Restart port list: Add AX interfaces in production� (optional) L3 mode enabled: If AX in Layer3 Inline mode
150
High Availability
• HA Active-Standby Mode – configuration
1. Configure HA interfaces
• WebUI: Config > HA > Setting > HA Global
• CLI: AX(config)# ha interface […]
2. Configure HA Global settings
• Active-Standby or Active-Active Modes:
  • WebUI: Config > HA > Setting > HA Global
  • CLI: AX(config)# ha […]
  Note: If IP@ check is configured, define these IP@ in SLB-Server too.
• L2/3 Modes:
  • WebUI: Config > HA > Setting > HA Inline Mode
  • CLI: AX(config)# ha [inline-mode | l3-inline-mode]
151
High Availability
• HA Active-Standby Mode – configuration (cont.)
3. Configure VIP HA settings
• Understand the advanced AX options for flexibility
  • Cookie persistence
  • aFleX
• Understand AX Advanced Core Operating System (ACOS)
158
AX Flexibility
Module 7 – Lesson 1
159
Points to keep in mind
• Some advanced HTTP/HTTPS flexibility options have already been detailed in Module 4 (HTTP Templates)
• This module (Module 7) presents other advanced AX flexibility options
160
Cookie persistence
• When to use cookie persistence
• Like Source IP Persistence, Cookie Persistence is used when HTTP/HTTPS clients must have their future connections/traffic terminated on the same server.
• But Cookie Persistence provides more granularity: even different users coming from the same proxy (same IP address) get their own persistence with Cookie Persistence.
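The proxy case on this slide, as an added example that is not part of the course material: a constructed three-server service group behind both persistence methods, showing that two users behind one proxy address share a server under Source IP Persistence but get separate bindings under Cookie Persistence. Server names, the cookie name and the proxy address are assumptions; the cookie value is integrity-checked so a missing or altered cookie simply falls back to normal load balancing.

```python
"""Source-IP versus cookie persistence, as a constructed example (not AX code).
Server names, the cookie name and the proxy address are assumptions."""
import hashlib, hmac, itertools, secrets
from typing import Dict, Optional

SERVERS = ["srv1", "srv2", "srv3"]    # constructed service group
COOKIE_NAME = "ax_persist"            # assumed cookie name
_KEY = secrets.token_bytes(32)        # per-instance key used to integrity-check the cookie

def sign(srv: str) -> str:
    """Cookie value: server name plus a truncated HMAC so clients cannot alter it."""
    return srv + "." + hmac.new(_KEY, srv.encode(), hashlib.sha256).hexdigest()[:16]

def server_from_cookie(value: str) -> Optional[str]:
    srv = value.partition(".")[0]
    if srv in SERVERS and hmac.compare_digest(sign(srv), value):
        return srv
    return None                              # missing or altered cookie: fall back to LB

class SourceIpPersistence:
    """Every client behind one proxy IP is bound to the same server."""
    def __init__(self):
        self.rr, self.table = itertools.cycle(SERVERS), {}

    def select(self, client_ip: str, cookies: Dict[str, str]):
        srv = self.table.get(client_ip)
        if srv is None:                      # new address: load-balance, then remember
            srv = self.table[client_ip] = next(self.rr)
        return srv, {}                       # no cookie to set

class CookiePersistence:
    """Each browser carries its own server binding in a signed cookie."""
    def __init__(self):
        self.rr = itertools.cycle(SERVERS)

    def select(self, client_ip: str, cookies: Dict[str, str]):
        srv = server_from_cookie(cookies.get(COOKIE_NAME, "")) or next(self.rr)
        return srv, {COOKIE_NAME: sign(srv)}  # Set-Cookie on the response

def demo() -> Dict[str, bool]:
    """Users A and B behind the same proxy address, as on the slide."""
    proxy_ip, sip, ck = "203.0.113.10", SourceIpPersistence(), CookiePersistence()
    a_sip, b_sip = sip.select(proxy_ip, {})[0], sip.select(proxy_ip, {})[0]
    a_srv, a_cookies = ck.select(proxy_ip, {})
    b_srv = ck.select(proxy_ip, {})[0]
    a_again = ck.select(proxy_ip, a_cookies)[0]  # A's next request carries the cookie
    return {"source_ip_shares_server": a_sip == b_sip,
            "cookie_shares_server": a_srv == b_srv,
            "cookie_sticks_for_a": a_again == a_srv}
```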
AX Series Shared Memory
• AX Series eliminates IPC and maximizes performance
• Data required by all CPUs is processed in the same location without other CPU notification/reliance
• Accurate real-time decision criteria, e.g. rate limiting, connection limit, max TCP connections, server selection, tracked global variables used for decisions, or any shared data set
• Maximizes memory – no redundant copies of information per core; more total system memory
176
Shared Memory Efficiency
• Shared Memory
  • One copy of each item kept in memory, for example:
  • PBSLB List uses 64 MB of RAM, total AX memory usage = 64 MB RAM
  • Cached Objects, 10 x 0.5 MB, total AX memory usage = 5 MB
  • Total 69 MB of RAM used
• Without Shared Memory
  • Multiple copies of each item kept in each core's memory, for example with 32 cores:
  • PBSLB List uses 64 MB of RAM per core, total memory usage = 2048 MB RAM
  • Cached Objects, 10 x 0.5 MB per core, total memory usage = 160 MB
  • Total 2208 MB of RAM used
• Available system memory is reduced dramatically by a non-shared memory architecture
177
ACOS Versus Legacy OS
ACOS                                       | Legacy OS
Designed for multi-core                    | Not designed for multi-core
32-bit or 64-bit OS (with feature parity)  | 32-bit OS only
Decoupled CPU architecture                 | Coupled CPU architecture
Shared memory                              | Non-shared memory
No IPC (Inter Process Communication)       | IPC (Inter Process Communication)
Optimized flow distribution                | Software-based flow distribution
178
Summary
• In this module, we presented the following advanced AX flexibility options:
  • Cookie persistence
  • aFleX
• We also configured them on the AX.
• We also presented the ACOS architecture.
179
AX Management and Troubleshooting
Module 8
180
Module objectives
• Understand the different types of AX management access
• Understand the AX configuration components and how to back up/restore the AX configuration
• Understand the AX software components and how to upgrade/downgrade the AX
• Understand VLANs on the AX
• Learn the initial AX configuration
• Learn troubleshooting techniques and tools
• Understand the AX release process and how to contact AX support
181
AX management access
• CLI
  • Console (RS-232 connection / 9600, 8, N, 1)
  • Telnet (disabled by default)
  • SSHv2
• Web
  • HTTP (configurable ports – disabled by default)
  • HTTPS (configurable ports)
• Levels of authentication
  • CLI:
    • Login ID/Password
    • Enable ID/Password
  • Web:
    • User roles (read-write / read-only)
182
AX configuration components
• AX configuration components
  • Configuration file
  • (optional) aFleX files
  • (optional) PBSLB files
  • (optional) SSL certificates and keys
  • (optional) Geo-location files (option in GSLB and geo-location-based VIP access)
183
AX configuration components
• AX full configuration backup
  • Full AX configuration can be backed up
  • WebUI: Configuration > System > Maintenance > Backup > System
  • CLI: AX(config)# backup config […]
• AX full configuration restore
  • Full AX configuration can be restored
  • WebUI: Configuration > System > Maintenance > Restore > System
• AX software is stored on
  • Two disk partitions: primary and secondary
  • The second partition is designed for easy software rollback
  • Two Compact Flash partitions: primary and secondary
  • CF is designed for emergency recovery
Note: Each storage location has its own software and AX configuration
185
AX software management
• AX software upgrade recommended steps
  • Back up your system (covered on the previous slide)
  • Check the AX running partition
    • WebUI: Monitor > Overview > Summary > System Information
    • CLI: AX# show bootimage
  • Upgrade the AX device's other partition
    • WebUI: Configuration > System > Maintenance > Upgrade
    • CLI: AX(config)# upgrade […]
  • Copy the running configuration to the other partition
    • CLI only: AX# write memory [primary|secondary]
  • Set the boot source to the other partition
    • WebUI: Configuration > System > Settings > Boot
    • CLI: AX(config)# bootimage hd [primary|secondary]
  • Restart from the other partition
    • WebUI: Configuration > System > Settings > Action > Reboot
    • CLI: AX# reboot
186
VLAN
• VLAN allows the AX to
  • Bind multiple physical interfaces to the same broadcast domain
187
VLAN
• VLAN allows the AX to (cont.)
  • Bind one physical interface to multiple Layer 2 broadcast domains
188
VLAN
• VLAN configuration steps
1. VLAN creation
  • VLAN ID
  • Physical interfaces, tagged and untagged
  • (optional) VLAN Name
  • (optional) Virtual Interface
2. Virtual Interface (when selected in the VLAN configuration)
  • IP address
  • Netmask
  • (optional) all Ethernet options such as ACL, secondary IP@
189
VLAN
• VLAN configuration
  • VLAN creation
    • WebUI: Config > Network > VLAN
    • CLI: AX(config)# vlan […]
  • Virtual Interface (when selected in the VLAN configuration)
    • WebUI: Config > Network > Interface > Virtual
    • CLI: AX(config)# interface ve […]
190
VLAN
• Important point
  • Always configure virtual interfaces when integrating the AX in routed mode, to avoid loops!
191
First Steps configuration
• Rollback to factory configuration
  • CLI: AX(config)# system-reset
         AX(config)# end
         AX# reboot
• First Step configuration
  • Connect on the AX console (9600 baud – 8 bits – no parity – 1 stop bit)
  • Default user/password: admin/a10
  • Configure the management interface and its default gateway
  • Finish the AX configuration via CLI (ssh) or WebUI (https)
    • Configure production interfaces (vlan, ethernet/ve interfaces)
    • Enable production interfaces
    • (optional) Configure routing (static/dynamic)
    • (optional) Configure specific management rights
    • Configure Servers / Service Groups / Virtual Servers
    • etc.