Configuration Guide Document No.: D-030-01-00-0006 Ver. 2.4.3 11/3/2010 Headquarters A10 Networks, Inc. 2309 Bering Dr. San J ose, CA 95131-1125 USA Tel: +1-408-325-8668 (main) Tel: +1-408-325-8676 (support) Fax: +1-408-325-8666 www.a10networks.com
A10 Networks, Inc. 11/3/2010 - All Rights Reserved
Information in this document is subject to change without notice. Trademarks A10 Networks, the A10 logo, ACOS, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, VirtualADC, Virtual Chassis, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners. Patents Protection A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789, 20070283429, 20070271598, 20070180101 Confidentiality This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc. This information may contain forward looking statements and therefore is subject to change. A10 Networks Inc. Software License and End User Agreement Software for all AX Series products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information. Anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not: 1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means 2) sublicense, rent or lease the Software. Disclaimer The information presented in this document describes the specific products noted and does not imply nor grant a guarantee of any technical performance nor does it provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Net- works, Inc. reserves the right to make technical and other changes to their products and documents at any time and without prior notification. No warranty is expressed or implied; including and not limited to warranties of non-infringement, regarding programs, circuitry, descriptions and illustrations herein. Environmental Considerations Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area. Further Information For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks, Inc. location which can be found by visiting www.a10networks.com. P e r f o r m a n c e b y D e s i g n 3 of 1088 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide About This Document End User License Agreement IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CARE- FULLY. DOWNLOADING, INSTALLING OR USING A10 NETWORKS OR A10 NETWORKS PRODUCTS, OR SUPPLIED SOFTWARE CONSTITUTES ACCEP- TANCE OF THIS AGREEMENT. A10 NETWORKS IS WILLING TO LICENSE THE PRODUCT (AX SERIES) TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. BY DOWNLOADING OR INSTALL- ING THE SOFTWARE, OR USING THE EQUIPMENT THAT CONTAINS THIS SOFTWARE, YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THIS AGREE- MENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN A10 NETWORKS IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT. The following terms of this End User License Agreement ("Agreement") govern Cus- tomer's access and use of the Software, except to the extent there is a separate signed agreement between Customer and A10 Networks governing Customer's use of the Software License. Conditioned upon compliance with the terms and conditions of this Agree- ment, A10 Networks Inc. or its subsidiary licensing the Software instead of A10 Net- works Inc. ("A10 Networks"), grants to Customer a nonexclusive and nontransferable license to use for Customer's business purposes the Software and the Documentation for which Customer has paid all required fees. "Documentation" means written information (whether contained in user or technical manuals, training materials, specifications or otherwise) specifically pertaining to the product or prod- ucts and made available by A10 Networks in any manner (including on CD-Rom, or on-line). Unless otherwise expressly provided in the Documentation, Customer shall use the Software solely as embedded in or for execution on A10 Networks equipment owned or leased by Customer and used for Customer's business purposes. General Limitations. This is a license, not a transfer of title, to the Software and Documentation, and A10 Networks retains ownership of all copies of the Software and Documentation. Customer acknowledges that the Software and Documentation contain trade secrets of A10 Networks, its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and asso- ciated interface information. Accordingly, except as otherwise expressly provided under this Agreement, Customer shall have no right, and Customer specifically agrees not to: a. transfer, assign or sublicense its license rights to any other person or entity, or use the Software on unauthorized or sec- ondhand A10 Networks equipment b. make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do the same 4 of 1088 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide About This Document c. reverse engineer or decompile, decrypt, disassemble or oth- erwise reduce the Software to human readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction d. disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of A10 Net- works. Customer shall implement reasonable security mea- sures to protect such trade secrets. Software, Upgrades and Additional Products or Copies. For purposes of this Agreement, "Software" and Products shall include (and the terms and conditions of this Agreement shall apply to) computer programs, including firmware and hard- ware, as provided to Customer by A10 Networks or an authorized A10 Networks reseller, and any upgrades, updates, bug fixes or modified versions thereto (collec- tively, "Upgrades") or backup copies of the Software licensed or provided to Cus- tomer by A10 Networks or an authorized A10 Networks reseller. OTHER PROVISIONS OF THIS AGREEMENT: a. CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUS- TOMER, AT THE TIME OF ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES b. USE OF UPGRADES IS LIMITED TO A10 NETWORKS EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LEASEE OR WHO OTHER- WISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED c. THE MAKING AND USE OF ADDITIONAL COPIES IS LIM- ITED TO NECESSARY BACKUP PURPOSES ONLY. Term and Termination. This Agreement and the license granted herein shall remain effective until terminated. All confidentiality obligations of Customer and all limita- tions of liability and disclaimers and restrictions of warranty shall survive termination of this Agreement Export. Software and Documentation, including technical data, may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associ- ated regulations, and may be subject to export or import regulations in other coun- tries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import Soft- ware and Documentation. Trademarks. A10 Networks, the A10 logo, ACOS, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDsentrie, IP-to-ID, SoftAX, Virtual Chassis, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners. P e r f o r m a n c e b y D e s i g n 5 of 1088 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide About This Document Patents Protection. A10 Networks products including all AX Series are protected by one or more of the following US patents and patents pending: 7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789, 20070283429, 20070271598, 20070180101. Limited Warranty Disclaimer of Liabilities. REGARDLESS OF ANY REMEDY SET FORTH FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL A10 NET- WORKS OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIA- BILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE PRODUCT OR OTHERWISE AND EVEN IF A10 NETWORKS OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAM- AGES. In no event shall A10 Networks or its suppliers' or licensors' liability to Customer, whether in contract, (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim or if the Soft- ware is part of another Product, the price paid for such other Product. Customer agrees that the limitations of liability and disclaimers set forth herein will apply regardless of whetherCustomer has accepted the Software or any other prod- uct or service delivered by A10 Networks. Customer acknowledges and agrees that A10 Networks has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the parties. The Warranty and the End User License shall be governed by and construed in accordance with the laws of the State of California, without reference to or applica- tion of choice of law rules or principles. If any portion hereof is found to be void or unenforceable, the remaining provisions of the Agreement shall remain in full force and effect. This Agreement constitutes the entire and sole agreement between the parties with respect to the license of the use of A10 Networks Products unless other- wise supersedes by a written signed agreement. 6 of 1088 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide About This Document P e r f o r m a n c e b y D e s i g n 7 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide About This Document Obtaining Technical Assistance For all customers, partners, resellers, and distributors who hold valid A10 Networks Regular and Technical Support service contracts, the A10 Net- works Technical Assistance Center provides support services online and over the phone. Corporate Headquarters A10 Networks, Inc. 2309 Bering Dr. San J ose, CA 95131-1125 USA Tel: +1-408-325-8668 (main) Tel: +1-888-822-7210 (support toll-free in USA) Tel: +1-408-325-8676 (support direct dial) Fax: +1-408-325-8666 www.a10networks.com Collecting SystemInformation The AX device provides a simple method to collect configuration and status information for Technical Support to use when diagnosing system issues. To collect system information, use either of the following methods. USING THE GUI (RECOMMENDED) 1. Log into the GUI. 2. Select Monitor >System >Logging. 3. On the menu bar, click Show Tech. 4. Click Export. The File Download dialog appears. 5. Click Save. The Save As dialog appears. 6. Navigate to the location where you want to save the file, and click Save. 7. Email the file as an attachment to support@A10Networks.com. 8 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide About This Document USING THE CLI 1. Log into the CLI. 2. Enable logging in your terminal emulation application, to capture out- put generated by the CLI. 3. Enter the enable command to access the Privileged EXEC mode of the CLI. Enter your enable password at the Password prompt. 4. Enter the show techsupport command. 5. After the command output finishes, save the output in a file. 6. Email the file as an attachment to support@A10Networks.com. Note: As an alternative to saving the output in a log file captured by your termi- nal emulation application, you can export the output from the CLI using the following command: show techsupport export [ use-mgmt-port] url (For syntax information, see the AX Series CLI Reference.) P e r f o r m a n c e b y D e s i g n 9 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide About This Document About This Document This document describes the features of the A10 Networks AX Series Advanced Traffic Manager. Configuration examples of the major features are provided. Additional information is available for AX Series systems in the following documents. These documents are included on the documentation CD shipped with your AX Series system, and also are available on the A10 Net- works support site: AX Series Installation Guide AX Series GUI Reference AX Series CLI Reference AX Series aFleX Reference AX Series MIB Reference AX Series aXAPI Reference This document assumes that you have already performed the basic deploy- ment tasks described in the AX Series Installation Guide. SystemDescription The AXSeries FIGURE 1 The AXSeries Advanced Traffic Manager The AX Series is the industrys best performing application acceleration switch that helps organizations scale and maximize application availability through the worlds most advanced application delivery platform. The AX Series Advanced Core Operating System (ACOS) accelerates and 10 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide About This Document secures critical business applications, provides the highest performance and reliability, and establishes a new industry-leading price/performance For more detailed information, see System Overview on page27. Audience This document is intended for use by network architects for determining applicability and planning implementation, and for system administrators for provision and maintenance of the A10 Networks AX Series. Representations of Layer 2 and Layer 3 Devices This document uses the following commonly used icons in network topol- ogy examples for vendor-agnostic representations of Layer 2 switches and Layer 3 routers. Icon Description Layer 2 switch Layer 3 router P e r f o r m a n c e b y D e s i g n 11 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents End User License Agreement 3 Obtaining Technical Assistance 7 Collecting SystemInformation..............................................................................................................7 About This Document 9 SystemDescription The AXSeries....................................................................................................9 Audience................................................................................................................................................10 Representations of Layer 2 and Layer 3 Devices..............................................................................10 SystemOverview 27 AXSeries Features...............................................................................................................................27 ACOS Architecture...............................................................................................................................29 AX Software Processes .................................................................................................................. 29 Local File Storage ........................................................................................................................... 31 Hardware Interfaces.............................................................................................................................32 Software Interfaces...............................................................................................................................32 Server Load Balancing.........................................................................................................................33 Intelligent Server Selection ............................................................................................................. 34 Configuration Templates ................................................................................................................. 34 Global Server Load Balancing.............................................................................................................36 Outbound Link Load Balancing..........................................................................................................36 Transparent Cache Switching.............................................................................................................36 Firewall Load Balancing.......................................................................................................................36 Where Do I Start?..................................................................................................................................37 Basic Setup 39 Logging On............................................................................................................................................39 Logging Onto the CLI ...................................................................................................................... 40 Logging Onto the GUI ..................................................................................................................... 41 Configuring Basic SystemParameters..............................................................................................43 Setting the Hostname and Other DNS Parameters ........................................................................ 44 Setting the CLI Banners .................................................................................................................. 45 Setting Time/Date Parameters ....................................................................................................... 46 Configuring Syslog Settings ............................................................................................................ 48 12 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Enabling SNMP .............................................................................................................................. 52 SNMP Traps ................................................................................................................................ 53 SNMP Communities and Views .................................................................................................. 55 SNMP Configuration Steps ......................................................................................................... 56 Configuration Examples.......................................................................................................................59 Emailing Log Messages........................................................................................................................66 Network Setup 73 Overview................................................................................................................................................73 IP Subnet Support .......................................................................................................................... 73 Transparent Mode.................................................................................................................................75 Configuration Example ................................................................................................................... 76 Transparent Mode in Multinetted Environment..................................................................................82 Configuration Example ................................................................................................................... 84 Route Mode............................................................................................................................................88 Configuration Example ................................................................................................................... 89 Direct Server Return in Transparent Mode.........................................................................................93 Configuration Example ................................................................................................................... 95 Direct Server Return in Route Mode....................................................................................................98 Configuration Example ................................................................................................................... 99 Direct Server Return in Mixed Layer 2/Layer 3 Environment..........................................................101 Open Shortest Path First (OSPF) 107 Support for Multiple OSPFv2 Processes and OSPFv3 Instances...................................................107 Support for OSPFv2 and OSPFv3 on the Same Interface or Link..................................................107 OSPF MIB Support..............................................................................................................................107 Configuration Example.......................................................................................................................108 Interface Configuration ................................................................................................................. 108 Global OSPF Parameters ............................................................................................................. 109 OSPF Logging .............................................................................................................................. 110 Configuring Router Logging for OSPF ...................................................................................... 110 HTTP Load Balancing 115 Overview..............................................................................................................................................115 Configuring HTTP Load Balancing....................................................................................................120 P e r f o r m a n c e b y D e s i g n 13 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents HTTP Options for SLB 131 Overview..............................................................................................................................................131 Summary of HTTP Options ........................................................................................................... 131 HTTP Template Configuration ...................................................................................................... 133 URL Hash Switching...........................................................................................................................134 URL Hash Switching with Server Load Awareness ...................................................................... 136 Configuring URL Hashing ............................................................................................................. 138 URL / Host Switching.........................................................................................................................139 Configuring URL / Host Switching ................................................................................................ 142 Using URL / Host Switching along with Cookie Persistence ........................................................ 143 Using URL / Host Switching along with Source IP Persistence .................................................... 147 URL Failover........................................................................................................................................147 Configuring URL Failover ............................................................................................................. 148 5xx Retry and Reassignment.............................................................................................................149 Content Compression........................................................................................................................150 Hardware-Based Compression ..................................................................................................... 152 How the AX Device Determines Whether to Compress a File ...................................................... 153 Configuring Content Compression ................................................................................................ 154 Client IP Insertion / Replacement......................................................................................................157 Configuring Client IP Insertion / Replacement .............................................................................. 159 Header Insertion / Erasure.................................................................................................................160 Configuring Header Insertion / Replacement ................................................................................ 161 Configuring Header Erasure ......................................................................................................... 164 URL Redirect Rewrite.........................................................................................................................165 Configuring URL Redirect Rewrite ................................................................................................ 166 Strict Transaction Switching.............................................................................................................167 Enabling Strict Transaction Switching .......................................................................................... 168 FTP Load Balancing 169 Overview..............................................................................................................................................169 Configuring FTP Load Balancing......................................................................................................171 SIP Load Balancing 189 Load Balancing for SIP over UDP.....................................................................................................189 Configuring Load Balancing for SIP over UDP ............................................................................. 190 14 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Load Balancing for SIP over TCP/TLS..............................................................................................203 SIP Multiplexing ............................................................................................................................ 203 Client Keepalive and Server Keepalive ........................................................................................ 206 AX Actions if Selection of a Client or SIP Server Fails ................................................................. 207 SLB Network Address Translation for SIP over TCP / TLS .......................................................... 207 Configuring SIP over TCP / TLS for SIP Multiplexing .................................................................. 208 CLI Example ............................................................................................................................. 219 Displaying SIP SLB Statistics .................................................................................................... 221 CLI Example ............................................................................................................................. 221 Disabling Reverse NAT Based on Destination IP Address..............................................................222 IP NAT for SIP......................................................................................................................................224 SSL Offload and SSL Proxy 225 Overview..............................................................................................................................................225 Choosing an SSL Optimization Implementation ........................................................................... 225 Configuring Client SSL.......................................................................................................................226 Configuring HTTPS Offload................................................................................................................230 Configuring the SSL Proxy Feature...................................................................................................237 STARTTLS for Secure SMTP 245 Overview..............................................................................................................................................245 Configuring STARTTLS......................................................................................................................247 Streaming-Media Load Balancing 255 Overview..............................................................................................................................................255 Configuring Streaming-Media SLB....................................................................................................257 Layer 4 TCP/UDP Load Balancing 261 Overview..............................................................................................................................................261 Configuring Layer 4 Load Balancing.................................................................................................264 IP Protocol Load Balancing 269 Overview..............................................................................................................................................269 Configuring IP Protocol Load Balancing..........................................................................................272 P e r f o r m a n c e b y D e s i g n 15 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Wildcard VIPs 277 Configuring a Wildcard VIP...............................................................................................................277 Configuration Examples ............................................................................................................ 281 SLB Protocol Translation 283 Stateless SLB 291 Stateless Load-Balancing Methods..................................................................................................291 Outbound Link Load Balancing 295 Configuring Link Load Balancing .................................................................................................. 297 Transparent Cache Switching 301 Overview..............................................................................................................................................301 Configuring Layer 4 TCS....................................................................................................................304 Configuring Layer 7 TCS....................................................................................................................307 Service Type HTTP Without URL Switching Rules ...................................................................... 310 Service Type HTTP with URL Switching Rules ............................................................................ 311 Optimizing TCS with Multiple Cache Servers ............................................................................... 312 Enabling Support for Cache Spoofing .......................................................................................... 314 Configuring IPv4 TCS in High Availability Layer 3 Inline Mode.....................................................315 AX-1 Configuration ....................................................................................................................... 318 AX-2 Configuration ....................................................................................................................... 320 Configuring IPv6 TCS in High Availability Layer 3 Inline Mode.....................................................322 AX-1 Configuration ....................................................................................................................... 323 AX-2 Configuration ....................................................................................................................... 326 Configuring TCS for FTP....................................................................................................................328 Configuration ................................................................................................................................ 329 Firewall Load Balancing 333 Overview..............................................................................................................................................333 FWLB HA with Direct Connection of AX Devices to Firewalls ...................................................... 335 FWLB Parameters...............................................................................................................................338 TCP and UDP Session Aging ....................................................................................................... 342 Configuring FWLB..............................................................................................................................343 16 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Server and Port Templates 361 Overview..............................................................................................................................................361 Parameters That Can Be Configured Using Server and Port Templates ..................................... 362 Default Server and Service Port Templates ................................................................................. 364 Configuring Server and Service Port Templates..............................................................................365 Applying a Server or Service Port Template.....................................................................................366 Binding a Server Template to a Real Server ................................................................................ 367 Binding a Server Port Template to a Real Server Port ................................................................. 368 Binding a Virtual Server Template to a Virtual Server .................................................................. 368 Binding a Virtual Server Port Template to a Virtual Service Port ................................................. 369 Binding a Server Port Template to a Service Group .................................................................... 369 Connection Limiting............................................................................................................................370 Setting a Connection Limit ........................................................................................................ 371 Connection Rate Limiting...................................................................................................................372 Slow-Start.............................................................................................................................................374 Gratuitous ARPs for Subnet VIPs......................................................................................................377 TCP Reset Option for Session Mismatch..........................................................................................378 Health Monitoring 381 Default Health Checks........................................................................................................................381 Health Method Timers.........................................................................................................................382 Health Check Operation ............................................................................................................... 383 Health Method Types..........................................................................................................................385 Protocol Port Numbers Tested by Health Checks ........................................................................ 390 Configuring and Applying a Health Method.....................................................................................390 Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments .............................. 394 Configuring POST Requests in HTTP/HTTPS Health Monitors ................................................... 396 Customizing DNS Health Monitors ............................................................................................... 399 Overriding the Target IP Address or Protocol Port Number ......................................................... 402 Basing a Ports Health Status on Another Ports Health Status ................................................... 405 Service Group Health Checks............................................................................................................406 Disable Following Failed Health Check.............................................................................................409 In-Band Health Monitoring.................................................................................................................410 Configuring In-Band Health Monitoring ........................................................................................ 412 Consecutive Health Checks Within a Health Check Period............................................................414 P e r f o r m a n c e b y D e s i g n 17 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Maintenance Health Status for Servers in Persistence Configurations........................................415 On-Demand Health Checks................................................................................................................416 Enabling Strict Retries.......................................................................................................................418 Globally Changing Health Monitor Parameters...............................................................................419 Globally Disabling Layer 3 Health Checks .................................................................................... 420 Compound Health Monitors...............................................................................................................421 Displaying Health Status....................................................................................................................425 Using External Health Methods.........................................................................................................428 Configuration ................................................................................................................................ 428 Script Examples ............................................................................................................................ 430 TCL Script Example .................................................................................................................. 430 Perl Script Example ................................................................................................................... 432 Shell Script Example ................................................................................................................. 433 Global Server Load Balancing 435 Overview..............................................................................................................................................435 Advantages of GSLB .................................................................................................................... 437 Zones, Services, and Sites ........................................................................................................... 438 GSLB Policy .................................................................................................................................. 438 Health Checks ........................................................................................................................... 440 Geo-Location ............................................................................................................................. 441 DNS Options ............................................................................................................................. 443 Metrics That Require the GSLB Protocol on Site AX Devices .................................................. 445 Configuration Overview.....................................................................................................................446 Configure Health Monitors ............................................................................................................ 447 Configure the DNS Proxy ............................................................................................................. 448 Configure a GSLB Policy .............................................................................................................. 450 Enabling / Disabling Metrics ...................................................................................................... 450 Changing the Metric Order ........................................................................................................ 452 Configuring RTT Settings .......................................................................................................... 453 Passive RTT .............................................................................................................................. 459 Configuring BW-Cost Settings ................................................................................................... 461 Configuring Alias Admin Preference ......................................................................................... 466 Configuring Weighted Alias ....................................................................................................... 467 Loading or Configuring Geo-Location Mappings ....................................................................... 467 Configure Services ....................................................................................................................... 476 Gateway Health Monitoring ....................................................................................................... 477 CLI ExampleSite with Single Gateway Link ........................................................................... 480 CLI ExampleSite with Multiple Gateway Links ....................................................................... 481 Multiple-Port Health Monitoring ................................................................................................. 481 18 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Configure Sites ............................................................................................................................. 483 Configure a Zone .......................................................................................................................... 484 Enable the GSLB Protocol ........................................................................................................... 485 GSLB Parameters................................................................................................................................487 Policy Parameters ........................................................................................................................ 502 Configuration Examples.....................................................................................................................514 CLI Example ................................................................................................................................. 514 Configuration on the GSLB AX Device (GSLB Controller) ........................................................ 514 Configuration on Site AX Device AX-A ..................................................................................... 515 Configuration on Site AX Device AX-B ..................................................................................... 516 GUI Example ................................................................................................................................ 516 Configuration on the GSLB AX Device (GSLB Controller) ........................................................ 516 Configuration on Site AX Devices ............................................................................................. 526 RAMCaching 527 Overview..............................................................................................................................................527 RFC 2616 Support ....................................................................................................................... 527 If-Modified-Since Header Support ............................................................................................. 528 Support for no-cache and max-age=0 Cache-Control Headers ................................................ 528 Insertion of Age and Via Headers into Cached Responses ...................................................... 529 Cacheability Behavior of AX RAM Cache .................................................................................... 529 Dynamic Caching ......................................................................................................................... 530 Host Verification ........................................................................................................................... 530 Configuring RAMCaching..................................................................................................................531 High Availability 541 Overview..............................................................................................................................................541 Layer 3 Active-Standby HA .......................................................................................................... 542 Layer 3 Active-Active HA .............................................................................................................. 544 Layer 2 Active-Standby HA (Inline Deployment) .......................................................................... 546 Preferred HA Port ...................................................................................................................... 549 Port Restart ............................................................................................................................... 550 Layer 3 Active-Standby HA (Inline Deployment) .......................................................................... 551 HA Messages ............................................................................................................................... 552 HA Heartbeat Messages ........................................................................................................... 553 Gratuitous ARPs ....................................................................................................................... 553 HA Interfaces ................................................................................................................................ 554 Session Synchronization .............................................................................................................. 555 P e r f o r m a n c e b y D e s i g n 19 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Optional Failover Triggers ............................................................................................................ 556 VLAN-based Failover ................................................................................................................ 556 Gateway-based Failover ........................................................................................................... 556 Route-based Failover ................................................................................................................ 557 Real Server or Port Health-based Failover ............................................................................... 557 VIP-based Failover .................................................................................................................... 558 How the Active AX Device Is Selected ......................................................................................... 559 HA Pre-Emption ............................................................................................................................ 562 HA Sets ......................................................................................................................................... 563 HA Configuration Parameters ....................................................................................................... 564 HA Status Indicators..........................................................................................................................571 In the GUI .................................................................................................................................. 571 In the CLI ................................................................................................................................... 571 Configuring Layer 3 HA......................................................................................................................572 Configuring Layer 2 HA (Inline Mode)..............................................................................................582 Layer 2 Inline HA Configuration Example ..................................................................................... 582 Configuring Layer 3 HA (Inline Mode)..............................................................................................590 Layer 3 Inline HA Configuration Example ..................................................................................... 591 Configuring Optional Failover Triggers............................................................................................596 VLAN-Based Failover Example .................................................................................................... 596 Gateway-Based Failover Example ............................................................................................... 597 Route-Based Failover Example .................................................................................................... 599 VIP-Based Failover Example ........................................................................................................ 601 Forcing Active Groups to Change to Standby Status.....................................................................603 Enabling Session Synchronization...................................................................................................603 Configuring OSPF-Related HA Parameters......................................................................................605 OSPF Awareness of HA ............................................................................................................... 605 OSPF Support on Standby AX in Layer 3 Inline Mode ................................................................. 606 Synchronizing Configuration Information........................................................................................606 Configuration Items That Are Backed Up ..................................................................................... 607 Configuration Items That Are Not Backed Up ........................................................................... 608 Performing HA Synchronization .................................................................................................... 610 Tip for Ensuring Fast HA Failover.....................................................................................................612 20 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Network Address Translation 615 SLB NAT...............................................................................................................................................616 SLB Destination NAT ................................................................................................................... 616 SLB Source NAT .......................................................................................................................... 617 IP Source NAT Configuration Limits ......................................................................................... 617 Connection Reuse .................................................................................................................... 617 Source NAT for Servers in Other Subnets ................................................................................ 622 Direct Server Return ..................................................................................................................... 624 IP NAT Support for VIPs .............................................................................................................. 626 Using IP Pool Default Gateways To Forward Traffic from Real Servers ...................................... 627 IP Source NAT......................................................................................................................................627 Configuring Dynamic IP Source NAT ........................................................................................... 629 Configuring Static IP Source NAT ................................................................................................ 635 NAT ALG Support for PPTP ......................................................................................................... 638 Configuring NAT ALG for PPTP ................................................................................................ 639 Fast Aging for IP NATted ICMP and DNS Sessions .................................................................... 642 Client and Server TCP Resets for NATted TCP Sessions ........................................................... 644 Requirements for Translation of DNS Traffic ............................................................................... 644 IP NAT Use in Transparent Mode in Multi-Netted Environment ................................................... 644 NAT Range List Requires AX Interface or Route Within the Global Subnet ................................ 645 IP NAT in HA Configurations ........................................................................................................ 645 Large-Scale Network Address Translation 647 Overview..............................................................................................................................................647 How LSN Differs from Traditional NAT ......................................................................................... 651 Benefits of LSN ............................................................................................................................ 653 Sticky NAT ................................................................................................................................ 653 Full-Cone NAT .......................................................................................................................... 653 Hairpinning ................................................................................................................................ 655 User Quotas .............................................................................................................................. 655 Static Port Reservation ............................................................................................................. 660 LSN Logging ................................................................................................................................. 661 LSN Operational Logging .......................................................................................................... 661 LSN Traffic Logging .................................................................................................................. 662 LSN NAT Capacities .................................................................................................................... 663 Notes and Limitations ................................................................................................................... 665 Configuring Large-Scale NAT............................................................................................................666 Configure an LSN NAT Pool ........................................................................................................ 667 Configure a LID ............................................................................................................................ 667 Configure a Class List .................................................................................................................. 668 P e r f o r m a n c e b y D e s i g n 21 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Bind the CLass List for Use with LSN ........................................................................................... 669 Enable Inside NAT on the Interface Connected to Internal Clients .............................................. 669 Enable Outside NAT on the Interface Connected to the Internet ................................................. 669 Enable New-path Processing ....................................................................................................... 669 Optional Configuration .................................................................................................................. 670 Configuring Static Mappings ..................................................................................................... 670 Enabling Full-Cone Support for Well-Known Ports ................................................................... 670 Configuring External Logging for LSN Traffic Logs ................................................................... 671 Configure the IP Selection Method ............................................................................................ 673 Configuring the LSN SYN Timeout ............................................................................................ 673 Displaying LSN Information...............................................................................................................674 Clearing LSN Statistics and Sessions .......................................................................................... 674 Configuration Example......................................................................................................................675 Management Security Features 679 Configuring Additional Admin Accounts.........................................................................................679 Configuring an Admin Account ..................................................................................................... 680 Deleting an Admin Account .......................................................................................................... 684 Configuring Admin Lockout..............................................................................................................685 Securing Admin Access by Ethernet................................................................................................687 Displaying the Current Management Access Settings .................................................................. 690 Regaining Access if You Accidentally Block All Access ............................................................... 691 Changing Web Access Settings........................................................................................................691 Configuring AAA for Admin Access.................................................................................................694 Authentication ............................................................................................................................... 694 Authentication Process .............................................................................................................. 694 Authorization for GUI Access ........................................................................................................ 698 Authorization for CLI Access ........................................................................................................ 698 RADIUS CLI Authorization ........................................................................................................ 698 TACACS+ CLI Authorization ..................................................................................................... 699 RADIUS Authorization Based on Service-Type ........................................................................ 700 Accounting .................................................................................................................................... 701 Command Accounting (TACACS+ only) ................................................................................... 701 TACACS+ Accounting Debug Options ...................................................................................... 702 Configuring AAA for Admin Access .............................................................................................. 702 Configuring Authentication ........................................................................................................ 703 Configuring Authorization .......................................................................................................... 704 Configuring Accounting ............................................................................................................. 705 22 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Configuring Windows IAS for AX RADIUS Authentication ........................................................... 708 Procedure Overview .................................................................................................................. 709 Configure Access Groups ......................................................................................................... 709 Configure RADIUS Client for AX Device ................................................................................... 710 Configure Remote Access Policies ........................................................................................... 712 Add AD Users to AX Access Groups ........................................................................................ 722 Register the IAS Server in Active Directory .............................................................................. 723 Configure RADIUS in the AX Device ........................................................................................ 724 Test the Configuration ............................................................................................................... 724 Traffic Security Features 725 DDoS Protection..................................................................................................................................725 Enabling DDoS Protection ............................................................................................................ 727 Configuring IP Anomaly Filters for System-Wide PBSLB ............................................................. 727 Displaying and Clearing IP Anomaly Statistics ............................................................................. 728 SYN Cookies........................................................................................................................................728 The Service Provided By SYN Cookies ....................................................................................... 729 Enabling Hardware-Based SYN Cookies ..................................................................................... 730 Configuration when Target VIP and Client-side Router Are in Different Subnets ..................... 731 Enabling Software-Based SYN Cookies ...................................................................................... 732 Configuring Layer 2/3 SYN Cookie Support ................................................................................. 733 ICMP Rate Limiting..............................................................................................................................734 Source-IP Based Connection Rate Limiting.....................................................................................736 Parameters ................................................................................................................................... 737 Log Messages .............................................................................................................................. 737 Deployment Considerations ......................................................................................................... 738 Configuration ............................................................................................................................. 739 Configuration Examples ............................................................................................................... 740 DNS Security........................................................................................................................................741 Access Control Lists (ACLs)..............................................................................................................743 How ACLs Are Used .................................................................................................................... 743 Configuring Standard IPv4 ACLs ................................................................................................. 744 Configuring Extended IPv4 ACLs ................................................................................................. 746 Configuring Extended IPv6 ACLs ................................................................................................. 750 Adding a Remark to an ACL ......................................................................................................... 753 Transparent Session Logging ...................................................................................................... 754 Sample Log Messages for Transparent Sessions .................................................................... 754 Configuration ............................................................................................................................. 755 Applying an ACL to an Interface ................................................................................................... 756 Applying an ACL to a Virtual Server Port ..................................................................................... 757 P e r f o r m a n c e b y D e s i g n 23 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Using an ACL to Control Management Access ............................................................................ 758 Using an ACL for NAT .................................................................................................................. 758 Resequencing ACL Rules ............................................................................................................. 758 Policy-Based SLB (PBSLB)...............................................................................................................761 Configuring a Black/White List ...................................................................................................... 761 Dynamic Black/White-list Client Entries .................................................................................... 762 Configuring System-Wide PBSLB ................................................................................................ 764 Configuring PBSLB for Individual Virtual Ports ............................................................................. 766 Displaying PBSLB Information .................................................................................................. 774 Configuration ExampleSockstress Attack Protection ................................................................ 776 Geo-location-based Access Control for VIPs..................................................................................778 Configuration ............................................................................................................................. 779 Enabling PBSLB Statistics Counter Sharing ............................................................................. 784 Enabling Full-Domain Checking for Connection Limits ............................................................. 785 IP Limiting 787 Overview..............................................................................................................................................787 Class Lists .................................................................................................................................... 787 Class List Syntax ....................................................................................................................... 788 IP Address Matching ................................................................................................................. 788 Example Class Lists .................................................................................................................. 789 IP Limiting Rules ........................................................................................................................... 789 Match IP Address ...................................................................................................................... 790 Configuring Source IP Limiting.........................................................................................................791 Configuring a Class List ................................................................................................................ 791 Configuring the IP Limiting Rules ................................................................................................. 795 Applying Source IP Limits ............................................................................................................. 798 Displaying IP Limiting Information ................................................................................................ 800 CLI ExamplesConfiguration ...................................................................................................... 801 Configure System-Wide IP Limiting With a Single Class .......................................................... 801 Configure System-Wide IP Limiting With Multiple Classes ....................................................... 801 Configure IP Limiting on a Virtual Server .................................................................................. 802 Configure IP Limiting on a Virtual Port ...................................................................................... 803 CLI ExamplesDisplay ................................................................................................................ 803 Class Lists ................................................................................................................................. 803 IP Limiting Rules ....................................................................................................................... 805 IP Limiting Statistics .................................................................................................................. 806 24 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Role-Based Administration 807 Overview..............................................................................................................................................808 Resource Partitions ...................................................................................................................... 809 Administrator Roles ...................................................................................................................... 811 Configuring Role-Based Administration...........................................................................................813 Configuring Private Partitions ....................................................................................................... 813 Changing the Maximum Number of aFleX Policies Allowed in a Partition ................................ 814 Migrating Resources Between Partitions .................................................................................. 815 Deleting a Partition .................................................................................................................... 815 Configuring Partition Admin Accounts .......................................................................................... 816 CLI Example ................................................................................................................................. 818 Viewing and Saving the Configuration..............................................................................................819 Viewing the Configuration ............................................................................................................ 819 Saving the Configuration .............................................................................................................. 820 Switching To Another Partition..........................................................................................................821 Synchronizing the Configuration.......................................................................................................822 Operator Management of Real Servers.............................................................................................824 SLB Parameters 829 Service Template Parameters............................................................................................................829 Cache Template Parameters ....................................................................................................... 831 Client SSL Template Parameters ................................................................................................. 833 Connection Reuse Template Parameters .................................................................................... 836 Cookie Persistence Template Parameters ................................................................................... 837 Destination-IP Persistence Template Parameters ....................................................................... 839 DNS Template Parameters .......................................................................................................... 842 HTTP Template Parameters ........................................................................................................ 842 Policy Template Parameters ........................................................................................................ 849 Server SSL Template Parameters ............................................................................................... 853 SIP Template Parameters (SIP over TCP/TLS) ........................................................................... 854 SIP Template Parameters (SIP over UDP) .................................................................................. 857 SMTP Template Parameters ........................................................................................................ 858 Source-IP Persistence Template Parameters .............................................................................. 860 SSL Session-ID Persistence Template Parameters ..................................................................... 863 Streaming-Media Template Parameters ...................................................................................... 864 TCP Template Parameters ........................................................................................................... 864 TCP-Proxy Template Parameters ................................................................................................ 865 UDP Template Parameters .......................................................................................................... 867 P e r f o r m a n c e b y D e s i g n 25 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Global SLB Parameters......................................................................................................................868 Real Server Parameters.....................................................................................................................874 Real Service Port Parameters............................................................................................................877 Service Group Parameters.................................................................................................................879 Virtual Server Parameters..................................................................................................................884 Virtual Service Port Parameters........................................................................................................887 Dynamic Real Server Creation Using DNS 895 Template Options for Dynamically Created Real Servers...............................................................896 Configuring Dynamic Real Server Creation.....................................................................................898 VIP Creation Based on Subnet 903 Sending a Reset After Server Selection Failure 905 Scan-All-Members Option in Persistence Templates 911 SSL Certificate Management 915 Overview..............................................................................................................................................915 SSL Process ................................................................................................................................. 915 Certificate Chain ........................................................................................................................ 917 Certificate Warning from Client Browser ................................................................................... 918 CA-Signed and Self-Signed Certificates ................................................................................... 919 SSL Templates .......................................................................................................................... 920 Certificate Installation Process ..................................................................................................... 922 Requesting and Installing a CA-Signed Certificate ................................................................... 922 Installing a Self-Signed Certificate ............................................................................................ 924 Generating a Key and CSR for a CA-Signed Certificate.................................................................925 Importing a Certificate and Key.........................................................................................................928 Generating a Self-Signed Certificate................................................................................................930 Importing a CRL..................................................................................................................................932 Exporting Certificates, Keys, and CRLs...........................................................................................933 Exporting a Certificate and Key .................................................................................................... 933 Exporting a CRL ........................................................................................................................... 934 Creating a Client-SSL or Server-SSL Template and Binding it to a VIP........................................935 Creating an SSL Template ........................................................................................................... 935 26 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Contents Binding an SSL Template to a VIP ............................................................................................... 936 Converting Certificates and CRLs to PEMFormat...........................................................................936 Converting SSL Certificates to PEM Format ................................................................................ 937 Converting CRLs from DER to PEM Format ................................................................................ 938 Using the Management Interface as the Source for Management Traffic 939 Route Tables........................................................................................................................................939 Management Routing Options...........................................................................................................940 Enabling Use of the Management Interface as the Source for Automated Management Traffic ........................................................................................................................................... 941 Using the Management Interface as the Source Interface for Manually Generated Management Traffic ..................................................................................................................... 942 Commands at the User EXEC Level ......................................................................................... 942 Commands at the Privileged EXEC Level ................................................................................. 942 Commands at the Global Configuration Level .......................................................................... 942 Show Commands ...................................................................................................................... 943 Configuration Management 945 Backing Up SystemInformation........................................................................................................945 Saving Multiple Configuration Files Locally.....................................................................................947 Configuration Profiles ................................................................................................................... 948 Commands for Local Configuration Management ........................................................................ 948 VLAN-to-VLAN Bridging 955 Configuring VLAN-to-VLAN Bridging ........................................................................................ 956 P e r f o r m a n c e b y D e s i g n 27 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide AX Series Features SystemOverview This chapter provides a brief overview of the AX Series system and fea- tures. For more information, see the other chapters in this guide. AXSeries Features Key features of the AX Series include: Application Delivery Features Comprehensive IPv4/IPv6 Support Transparent (Layer 2) and gateway (Layer 3) mode support for easy deployment into existing infrastructures Network Address Translation (NAT) IPv4-IPv4, IPv4-IPv6, IPv6-IPv4, IPv6-IPv6, ALG support for PPTP, Large-Scale NAT (LSN) OSPFv2 for IPv4, OSPFv3 for IPv6 IPv4/IPv6 static routes DHCP relay Advanced Layer 4/7 Server Load Balancing Fast TCP, fast UDP, fast HTTP, and full HTTP Proxy Comprehensive protocol support: HTTP, HTTPS, FTP, TCP, UDP, SSL, SIP, SMTP, and others Comprehensive load-balancing methods weight-based, con- nection-based, request-based, and response-based methods, as well as simple round robin Protocol translation support for mixed IPv4/IPv6 environments Advanced health monitoring Customizable configuration templates RAM caching of web content Firewall Load Balancing (FWLB) Global Server Load Balancing (GSLB) Transparent Cache Switching (TCS) High Availability (HA) Active-Active, Active-Standby, and Layer 2/3 inline mode configu- rations with sub-second failover Layer 4 session synchronization Configuration synchronization 28 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide AX Series Features Acceleration and Security SSL acceleration and offload Traffic security Management access security Local admin database and support for optional remote RADIUS or TACACS+AAA Spam filter support (Policy-Based SLB) High-speed application of very large black/white lists that filter based on source or destina- tion IP host or subnet address DoS attack detection and prevention Access Control Lists (ACLs) DNS Application Firewall Solution consisting of the following: Traffic validation Drop or redirect malformed DNS queries Dynamic traffic flow regulation: High performance surge protection (connection and rate limit- ing) Source-IP based connection rate limiting Policy-Based SLB (black/white lists) aFleX Tcl-like Scripting Language XML Application Programming Interface (aXAPI) System Management Dedicated management interface Multiple access methods SSH, Telnet, HTTPS Web-based Graphical User Interface (GUI) with language localiza- tion Industry-standard Command Line Interface (CLI) support On-demand backup of configuration files, logs, and system files SNMP, syslog, alerting Virtualized Management, provided by Role-Based Administration (RBA) Troubleshooting tools Port mirroring Debug subsystem for packet capture P e r f o r m a n c e b y D e s i g n 29 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide ACOS Architecture ACOS Architecture AX Series devices use embedded Advanced Core Operating System (ACOS) architecture. ACOS is built on top of a set of Symmetric Multi-Pro- cessing CPUs and uses shared memory architecture to maximize application data delivery. ACOS is designed to handle high-volume application data with integrated Layer 2 / Layer 3 processing and integrated SSL acceleration built into the system. In addition, ACOS incorporates the A10 Networks customizable aFleX scripting language, which provides administrators with configuration flexibility for application data redirection. ACOS inspects packets at Layers 2, 3, 4, and 7 and uses hardware-assisted forwarding. Packets are processed and forwarded based on ACOS configu- ration. You can deploy the AX device into your network in transparent mode or gateway (route) mode. Transparent mode The AX device has a single IP interface. For multi- netted environments, you can configure multiple Virtual LANs (VLANs). Route mode Each AX interface is in a separate IP subnet. Open Short- est Path First (OSPF) is supported. In either type of deployment, ACOS performs Layer 4-7 switching based on the SLB configuration settings. AX Software Processes The AX software performs its many tasks using the following processes: a10mon Parent process of the AX device. This process is executed when the system comes up. The a10mon process is responsible for the following: Responsible for bringing AX user-space processes up and down Monitors all its child processes and restarts a process and all depen- dent processes if any of them die. syslogd System logger daemon that logs kernel and system events. a10logd Fetches all the logs from the AX Log database. a10timer Schedules and executes scheduled tasks. 30 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide ACOS Architecture a10stat Monitors the status of all the main processes of the AX device, such as a10switch (on models AX2200 and higher) and a10lb. The a10stat process probes every thread within these processes to ensure that they are responsive. If a thread is deemed unhealthy, a10stat kills the process, after which a10mon restarts the process and other processes associated with it. a10switch Contains libraries and APIs to program the Switching ASIC to perform Layer 2 and Layer 3 switching at wire speed. a10hm Performs health-checking for real servers and services. This process sends pre-configured requests to external servers at pre-defined intervals. If a server or individual service does not respond, it is marked down. Once the server or service starts responding again, it is marked up. a10rt Routing daemon, which maintains the routing table with routes injected from OSPF, as well as static routes. a10rip Implements RIPv1 and v2 routing protocols. a10ospf Implements the OSPFv2 routing protocol. a10snmpd SNMPv2c and v3 agent, which services MIB requests. a10wa Embedded Web Server residing on the AX device. This process serves the Web-based management Graphical User Interface (GUI). a10gmpd Global SLB (GSLB) daemon. a10snpm_trapd Handles SNMP traps initiated by a10lb. a10lb The heart of the AX device. This process contains all the intelli- gence to perform Server Load Balancing. rimacli This process is automatically invoked when an admin logs into the AX device through an interface address. The admin is presented a Command Line Interface (CLI) that can issue and save commands to configure the system. P e r f o r m a n c e b y D e s i g n 31 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide ACOS Architecture Local File Storage Every AX model includes one of the following types of local file storage device: Solid State Drive (SSD) Used in 64-bit ACOS models: AX 2500, AX 2600, AX 3000, AX 5100 and AX 5200 Hard disk Used in 32-bit ACOS models: AX 1000, AX 2000, AX 2100, AX 2200, AX 3100, and AX 3200 AX devices use local storage for application files and for data objects used for monitoring. The amount of storage used for these types of data depends on the AX model and on how the devices are used. On average, the follow- ing amounts of storage are used for these types of data on 64-bit ACOS models: AX 2500, AX 2600 15 Gigabytes (G) or less AX 3000 20 G or less AX 5100, AX 5200 35 G or less Application files include system images, configuration files, aFleX scripts, certificate and key files, black/white list files, class-list files, log messages, CLI audit log messages, core dump files, show techsupport files (up to 30- days worth), and other miscellaneous files. The size of all application files varies depending on the configuration of the system and other factors. The show techsupport files use no more than 3-4 G. aFleX scripts range from 0-500 KB. Monitoring data includes objects for CPU, disk, memory, global statistics, port statistics, and 30-day SLB statistics. The 30-day SLB statistics include objects for real servers, virtual servers, real ports, virtual ports, server groups, service groups, and service-group members. The 30-day SLB statistics use the most storage among the monitoring objects. For the maximum configuration, the 30-day SLB statistics can use the following amounts of storage on 64-bit ACOS models: AX 2500, AX 2600 3 G or less AX 3000 9 G or less AX 5100, AX 5200 26 G or less If there is a storage shortage, the software dynamically adjusts the maxi- mum number of SLB monitoring objects to prevent consumption of the remaining storage. 32 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Hardware Interfaces Hardware Interfaces 1000BaseT (GOC) +SFP Mini GBIC Fiber Ports On models AX 3100, AX 3200, AX 5100, and AX 5200, 10G XFP-SR (short range) single-mode fiber port or XFP-LR (long range) multi- mode fiber port, depending on order Management Ethernet Port RJ -45 Console Port Generally, the fiber ports do not require any configuration other than IP interface(s). When you plug in a port, the port speed and mode (full-duplex or half-duplex) are automatically negotiated with the other end of the link. The management Ethernet port allows an out-of-band IP connection to the switch for management. The management interface traffic is isolated from the traffic on the other Ethernet ports. The serial console port is for direct connection of a laptop PC to the AX device. Software Interfaces Graphical User Interface (GUI) Command Line Interface (CLI) accessible using console, Telnet, or Secure Shell (v1 and v2) Simple Network Management Protocol (SNMP) v1, v2c, and v3 XML Application Programming Interface (aXAPI) The configuration examples in this manual show how to configure the AX Series using the CLI and GUI. For more information about the AX management interfaces, see the following documents: AX Series GUI Reference AX Series CLI Reference AX Series MIB Reference AX Series aXAPI Reference P e r f o r m a n c e b y D e s i g n 33 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Server Load Balancing Server Load Balancing Server Load Balancing (SLB) is a suite of resource management features that make server farms more reliable and efficient. You can easily grow server farms in response to changing traffic flow, while protecting the servers behind a common virtual IP address. From the per- spective of a client who accesses services, requests go to and arrive from a single IP address. The client is unaware that the server is in fact multiple servers managed by an AX device. The client simply receives faster, more reliable service. Moreover, you do not need to wait for DNS entries to propagate for new servers. To add a new server, you simply add it to the AX configuration for the virtual server, and the new real server becomes accessible immediately. FIGURE 2 SLB Example 34 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Server Load Balancing Intelligent Server Selection The services managed by the AX device are controlled by service groups. A service group is a set of real servers. The AX device selects a real server for a clients request based on a set of tunable criteria including server health, server response time, and server load. These criteria can be tuned for indi- vidual servers and even individual service ports. The AX device provides a robust set of configurable health monitors for checking the health (availability) of servers and individual services. For more information, see Health Monitoring on page381. Configuration Templates SLB configuration is simplified by the use of templates. Templates simplify configuration by enabling you to configure common settings once and use them in multiple service configurations. The AX device provides templates to control server and port configuration parameters, connectivity parame- ters, and application parameters. The AX device provides the following types of server and port configura- tion templates: Server Controls parameters for real servers Port Controls parameters for service ports on real servers Virtual server Controls parameters for virtual servers Virtual port Controls parameters for service ports on virtual servers The AX device provides the following types of connectivity templates: TCP-Proxy Controls TCP/IP stack parameters TCP Controls the idle timeout for unused sessions and specifies whether the AX device sends TCP Resets to clients or servers after a session times out UDP Controls the idle timeout for unused sessions and specifies how quickly sessions are terminated after a server response is received The following types of application templates are provided: HTTP Provides a robust set of options for HTTP header manipulation and for load balancing based on HTTP header content or the URL requested by the client, and other options P e r f o r m a n c e b y D e s i g n 35 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Server Load Balancing Policy Uses Policy-based SLB (PBSLB) to permit or deny clients, or direct them to service groups, based on client black/white lists Cache Caches web content on the AX device to enhance website per- formance for clients Client SSL Offloads SSL validation tasks from real servers Server SSL Validates real servers on behalf of clients Connection reuse Reduces overhead from TCP connection setup by establishing and reusing TCP connections with real servers for multiple client requests Cookie persistence Inserts a cookie into server replies to clients, to direct clients to the same service group, real server, or real service port for subsequent requests for the service Source-IP persistence Directs a given client, identified by its IP address, to the same service port, server, or service group Destination-IP persistence Configures persistence to real servers based on destination IP address SSL session-ID persistence Directs all client requests for a given vir- tual port, and that have a given SSL session ID, to the same real server and real port SIP Customizes settings for load balancing of Session Initiation Proto- col (SIP) traffic SMTP Configures STARTTLS support for Simple Mail Transfer Pro- tocol (SMTP) clients Streaming-media Directs client requests based on the requested con- tent Where applicable, the AX device automatically applies a default template with commonly used settings. For example, when you configure SLB for FTP, the AX device automatically applies the default TCP template. If required by your application, you can configure a different template and apply that one instead. The configuration examples in this guide show how to do this. See the following chapters for examples of SLB configurations: HTTP Load Balancing on page115 FTP Load Balancing on page169 SIP Load Balancing on page189 SSL Offload and SSL Proxy on page225 36 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Global Server Load Balancing STARTTLS for Secure SMTP on page245 Streaming-Media Load Balancing on page255 Layer 4 TCP/UDP Load Balancing on page261 For descriptions of all the parameters you can control using templates, see Server and Port Templates on page361 and Service Template Parame- ters on page829. Global Server Load Balancing Global Server Load Balancing (GSLB) allows you to manage multiple SLB sites and direct clients to the best site. Site selection is based on metrics including the sites health and the sites geographic proximity to the client. For more information, see Global Server Load Balancing on page435. Outbound Link Load Balancing Outbound Link Load Balancing (LLB) balances client-server traffic across a set of WAN links. In outbound LLB, the clients are located on the internal side of the network. The servers are located on the external side of the net- work. For more information, see Outbound Link Load Balancing on page295. Transparent Cache Switching Transparent Cache Switching (TCS) enables you to improve server response times by redirecting client requests for content to cache servers containing the content. For more information, see Transparent Cache Switching on page301. Firewall Load Balancing Firewall Load Balancing (FWLB) maximizes throughput through firewall bottlenecks by load balancing server-client sessions across the firewalls. For more information, see Firewall Load Balancing on page333. P e r f o r m a n c e b y D e s i g n 37 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Where Do I Start? Where Do I Start? To configure basic system settings, see Basic Setup on page39. To configure network settings, see Network Setup on page73 and Routing Parameters on page835. To configure traffic management features (SLB, GSLB, LLB, TCS, and FWLB), see the remaining chapters in this guide. 38 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Where Do I Start? P e r f o r m a n c e b y D e s i g n 39 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Logging On Basic Setup This chapter describes how to log onto the AX device and how to configure the following basic system parameters: Hostname and other Domain Name Server (DNS) settings CLI banner messages Date/time settings System log (Syslog) settings Simple Network Management Protocol (SNMP) settings After you are through with this chapter, go to Network Setup on page73. Note: The only basic parameters that you are required to configure are date/time settings. Configuring the other parameters is optional. Note: This chapter does not describe how to access the out-of-band manage- ment interface. For that information, see the AX Series Advanced Traffic Manager Installation Guide. Caution: When you make configuration changes, be sure to remember to save the changes. Unsaved configuration changes will be lost following a reboot. To save changes, click Save on the top row of the GUI window or enter the write memory command in the CLI. Logging On AX Series devices provide the following management interfaces: Command-Line Interface (CLI) Text-based interface in which you type commands on a command line. You can access the CLI directly through the serial console or over the network using either of the following protocols: Secure protocol Secure Shell (SSH) version 1 or version 2 Unsecure protocol Telnet (if enabled) Graphical User Interface (GUI) Web-based interface in which you click to access configuration or management pages and type or select values to configure or manage the device. You can access the GUI using either of the following protocols: 40 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Logging On Secure protocol Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) Unsecure protocol Hypertext Transfer Protocol (HTTP) Note: By default, Telnet access is disabled on all interfaces, including the man- agement interface. SSH, HTTP, HTTPS, and SNMP access are enabled by default on the management interface only, and disabled by default on all data interfaces. Federal Information Processing Standards (FIPS) Compliance To comply with FIPS security standards, beginning in AX Release 2.4.2, management access to the AX device has the following requirements: Web access to GUI The browser used to access the AX GUI must sup- port encryption keys of 128 bits or longer. Shorter encryption keys (for example, 40 bits) are not supported. The browser also must support SSLv3 or TLS 1.0. Browsers that support only SSLv2 are not supported. SSH access to CLI The SSH client used to access the CLI must sup- port SSHV2. SSHv1 is not supported. The SSHv2 client must support one of the following encryption ciphers: 3des-cbc aes128-cbc aes192-cbc aes256-cbc Other ciphers are not supported. Logging Onto the CLI Note: The AX Series provides advanced features for securing management access to the device. This section assumes that only the basic security set- tings are in place. (For more information about securing management access, see Management Security Features on page679.) To log onto the CLI using SSH: 1. On a PC connected to a network that can access the AX devices man- agement interface, open an SSH connection to the IP address of the management interface. 2. Generally, if this the first time the SSH client has accessed the AX device, the SSH client displays a security warning. Read the warning carefully, then acknowledge the warning to complete the connection. (Press Enter.) P e r f o r m a n c e b y D e s i g n 41 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Logging On 3. At the l ogi n as: prompt, enter the admin username. 4. At the Passwor d: prompt, enter the admin password. If the admin username and password are valid, the command prompt for the User EXEC level of the CLI appears: AX> The User EXEC level allows you to enter a few basic commands, including some show commands as well as ping and traceroute. Note: The AX in the CLI prompt is the hostname configured on the device, which is AX by default. If the hostname has already been changed, the new hostname appears in the prompt instead of AX. 5. To access the Privileged EXEC level of the CLI and allow access to all configuration levels, enter the enable command. At the Passwor d: prompt, enter the enable password. (This is not the same as the admin password, although it is possible to configure the same value for both passwords.) If the enable password is correct, the command prompt for the Privi- leged EXEC level of the CLI appears: AX# 6. To access the global configuration level, enter the config command. The following command prompt appears: AX( conf i g) # Logging Onto the GUI Web access to the AX device is supported on the Web browsers listed in Table1. A screen resolution of at least 1024x768 is recommended. 1. Open one of the Web browsers listed in Table1. 2. In the URL field, enter the IP address of the AX devices management interface. TABLE 1 GUI Browser Support Platform Browser Windows Linux MAC IE 7.0, 6.0 Supported N/A N/A Firefox 3.x, 2.x Supported Supported N/A Safari 3.0 Not Supported N/A Supported Chrome Not Supported Not Supported Not Supported 42 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Logging On 3. If the browser displays a certificate warning, select the option to con- tinue to the server (the AX device). A login dialog is displayed. The name and appearance of the dialog depends on the browser you are using. FIGURE 3 GUI Login Dialog (Internet Explorer) 4. Enter your admin username and password and click OK. Note: The default admin username and password are admin, a10. The Summary page appears, showing at-a-glance information for your AX device. You can access this page again at any time while using the GUI, by selecting Monitor >Overview >Summary. P e r f o r m a n c e b y D e s i g n 43 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters FIGURE 4 Monitor >Overview >Summary Note: For more information about the GUI, see the AX Series GUI Reference or the GUI online help. Configuring Basic SystemParameters This section describes the basic system parameters and provides CLI and GUI steps for configuring them. Note: If you plan to use the GUI, the Basic System page under Config Mode also provides configuration access to most of the system parameters described in this chapter. For information, navigate to Config Mode > Basic System, then click Help. 44 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters Setting the Hostname and Other DNS Parameters The default hostname is AX. To change the hostname, use either of the following methods. USING THE GUI 1. Select Config >Network >DNS. The DNS page appears. 2. In the Hostname field, edit the name to one that will uniquely identify this particular AX device (for example, AX-SLB1). 3. In the DNS Suffix field, enter the domain name to which the host (AX Series) belongs. 4. In the Primary DNS field, enter the IP address of the external DNS server the AX Series should use for resolving DNS queries. 5. In the Secondary DNS field, enter the IP address of an external backup DNS server the AX Series should use if the primary DNS server is unavailable. 6. Click OK. USING THE CLI 1. Access the global configuration level of the CLI: AX>enable Passwor d: enable-password AX#config AX( conf i g) # 2. Use the following command to change the hostname: hostname string After you enter this command, the command prompt should change to the same value as the new hostname. Note: The > or # character and characters in parentheses before # indi- cate the CLI level you are on and are not part of the hostname. 3. To set the default domain name (DNS suffix) for hostnames on the AX device, use the following command: ip dns suffix string P e r f o r m a n c e b y D e s i g n 45 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters 4. To specify the DNS servers the AX should use for resolving DNS requests, use the following command: ip dns {primary | secondary} ipaddr The primary option specifies the DNS server the AX device should always try to use first. The secondary option specifies the DNS server that the AX device should use if the primary DNS server is unavailable. Setting the CLI Banners The CLI displays banner messages when you log onto the CLI. By default, the messages shown in bold type in the following example are displayed: l ogi n as: admi n Welcome to AX Usi ng keyboar d- i nt er act i ve aut hent i cat i on. Passwor d: Last l ogi n: Thu Feb 7 13: 44: 32 2008 f r om 192. 168. 1. 144 [type ? for help] You can format banner text as a single line or multiple lines. If you configure a banner message that occupies multiple lines, you must specify the end marker that indicates the end of the last line. The end marker is a simple string up to 2-characters long, each of the which must be an ASCII character from the following range: 0x21-0x7e. The multi-line banner text starts from the first line and ends at the marker. If the end marker is on a new line by itself, the last line of the banner text will be empty. If you do not want the last line to be empty, put the end marker at the end of the last non-empty line. USING THE GUI 1. Select Config >System >Settings. 2. On the menu bar, select Terminal >Banner. 3. To configure a banner: a. Select the banner type, single-line or multi-line. b. If you selected multi-line, enter the delimiter value in the End Marker field. 46 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters c. Enter the message in the Login Banner or Exec Banner field. If the message is a multi-line message, press Enter / Return at the end of every line. Do not type the end marker at the end of the mes- sage. The GUI automatically places the end marker at the end of the message text in the configuration. 4. If you are configuring both messages, repeat step3 for the other mes- sage. 5. Click OK. USING THE CLI To change one or both banners, use the following command: [ no] banner {exec | login} [ multi-line end-marker] line The login option changes the first banner, which is displayed after you enter the admin username. The exec option changes the second banner, which is displayed after you enter the admin password. To use blank spaces within the banner, enclose the entire banner string with double quotation marks. Setting Time/Date Parameters To configure time/date parameters: Set the timezone. Set the system time and date manually or configure the AX device to use a Network Time Protocol (NTP) server. The default timezone is Europe/Dublin, which is equivalent to Greenwich Mean Time (GMT). The time and date are not set at the factory, so must manually set them or configure NTP. Note: You do not need to configure Daylight Savings Time. The AX device automatically adjusts the time for Daylight Savings Time based on the timezone you select. Note: When you change the AX timezone or system time, the statistical data- base is cleared. This database contains general system statistics (perfor- mance, and CPU, memory, and disk utilization) and SLB statistics. For P e r f o r m a n c e b y D e s i g n 47 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters example, in the GUI, the graphs displayed on the Monitor >Overview page are cleared. USING THE GUI 1. Select Config >System >Time. The Date/Time page appears. To set the time and date by synchronizing them with the time and date on the PC from which you are running the GUI, click Sync Local Time. To configure the time and date manually: a. Enter the date in the Date field or select the date using the calendar. b. Enter the time in the Time field. To set the time and date using NTP: a. Select the Automatically Synchronize with Internet Time Server checkbox. b. In the NTP Server field, enter the NTP servers IP address. c. In the Update System Clock Every field, enter the number of min- utes you want the AX device to wait between synchronizations with the NTP server. 2. To select the timezone: a. Click Time Zone. b. From the Time Zone Name pull-down list, select the time zone. c. Click OK. d. Click Date/Time to re-display the section, if not already displayed. 3. Click OK. USING THE CLI To set the timezone Enter the following command at the global configuration level of the CLI: clock timezone timezone [nodst] The nodst option disables Daylight Savings Time (DST) for the zone. DST is enabled by default, if applicable to the timezone. To view the available timezones, enter the following command: clock timezone ? 48 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters To configure the AX device to use NTP 1. To specify the NTP server to use, enter the following command at the global configuration level of the CLI: ntp server {hostname | ipaddr} [ minutes] The minutes option sets the synchronization interval, which specifies how often the AX polls the NTP server for updated time information. You can specify 1-518400 minutes. The default is 1440 minutes. You can configure a maximum of 4 NTP servers. 2. To enable NTP and synchronize the AX clock with the NTP server, enter the following command: ntp enable To set the time and date manually 1. Return to the Privileged EXEC level of the CLI by entering the exit command. 2. Enter the following command at the Privileged EXEC level of the CLI: clock set time day month year Enter the time and date in the following format: time hh:mm:ss day 1-31 month J anuary, February, March, ... year 2008, 2009 ... Note: The clock is based on 24 hours. For example, for 1 p.m., enter the hour as 13. 3. To display clock settings, use the following command: show clock [ detail] Configuring Syslog Settings The AX device logs system events with Syslog messages. The AX device can send Syslog messages to the following places: Local buffer Console CLI session Console SSH and Telnet sessions P e r f o r m a n c e b y D e s i g n 49 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters External Syslog server Email address(es) SNMP servers (for events that are logged by SNMP traps) Logging to the local buffer and to CLI sessions is enabled by default. Log- ging to other places requires additional configuration. The standard Syslog message severity levels are supported: Emergency 0 Alert 1 Critical 2 Error 3 Warning 4 Notification 5 Information 6 Debugging 7 Table2 lists the configurable Syslog parameters. TABLE 2 Configurable SystemLog Settings Parameter Description Supported Values Disposition (message target) Output options for each message level. For each mes- sage level, you can select which of the following out- put options to enable: Console Messages are displayed in Console ses- sions. Buffered Messages are stored in the system log buffer. Email Messages are sent to the email addresses in the Email To list. (See below.) SNMP SNMP traps are generated and sent to the SNMP receivers. Syslog Messages are sent to the external log servers specified in the Log Server fields. (See below.) Monitor Messages are displayed in Telnet and SSH sessions. Note: For information about emailing log messages, see Emailing Log Messages on page66. The following message levels can be individually selected for each output option: Emergency (0) Alert (1) Critical (2) Error (3) Warning (4) Notification (5) Information (6) Debug (7) Only Emergency, Alert, and Critical can be selected for SNMP. Only Emergency, Alert, Critical, and Notification can be selected for Email. 50 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters Log Rate Limiting The AX device uses a log rate limiting mechanism to ensure against over- flow of external log servers and the internal logging buffer. The rate limit for external logging is 15,000 messages per second from the AX device. Facility Standard Syslog facility to use. Standard Syslog facilities listed in RFC 3164. Log Buffer Entries Maximum number of log entries the log buffer can store. 10000 to 50000 entries Default: 30000 Log Server IP addresses or fully-qualified domain names of external log servers. Only the message levels for which Syslog is selected in the Disposition list are sent to log servers. Note: By default, the AX device can reach remote log servers only if they are reachable through the AX devices data ports, not the management port. To enable the AX device to reach remote log servers through the management port, see Using the Man- agement Interface as the Source for Management Traffic on page939. Any valid IP address or fully-quali- fied domain name. Default: None configured Log Server Port Protocol port to which log messages sent to external log servers are addressed. Any valid protocol port number Default: 514 Email To Email addresses to which to send log messages. Only the message levels for which Email is selected in the Disposition list are sent to log servers. Valid email address. Click the down arrow next to the input field to add another address (up to 10). Each email address can be a maxi- mum of 31 characters long. SMTP Server IP address or fully-qualified domain name of an email server using Simple Message Transfer Proto- col. Note: By default, the AX device can reach SMTP servers only if they are reachable through the AX devices data ports, not the management port. To enable the AX device to reach SMTP servers through the management port, see Using the Management Interface as the Source for Management Traffic on page939. Any valid IP address or fully-quali- fied domain name. Default: None configured SMTP Server Port Protocol port to which email messages sent to the SMTP server are addressed. Any valid protocol port number Default: 25 TABLE 2 Configurable SystemLog Settings (Continued) Parameter Description Supported Values P e r f o r m a n c e b y D e s i g n 51 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters The rate limit for internal logging is 32 messages per second from the AX device. If the number of new messages within a one-second interval exceeds 32, then during the next one-second interval, the AX sends log messages only to the external log servers. If the number of new messages generated within the new one-second interval is 32 or less, then during the following one-second interval, the AX will again send messages to the local logging buffer as well as the external log server. In any case, all messages (up to 15,000 per second) get sent to the external log servers. USING THE GUI 1. Select Config >System >Settings. 2. Select Log on the menu bar. 3. Change settings as needed. (For descriptions of the settings, see Table2.) 4. Click OK. USING THE CLI 1. To change the severity level of messages that are logged in the local buffer, use the following command: logging buffered severity-level 2. To change the severity level of messages that are logged in other places, use the following command: logging target severity-level The target can be one of the following: console Serial console email Email monitor Telnet and SSH sessions syslog external Syslog host trap external SNMP trap host Note: Only severity levels emergency, alert, critical, and notification can be sent by email. Sending log messages by email requires additional configu- ration. See Emailing Log Messages on page66. 52 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters 3. To configure the AX device to send log messages to an external Syslog server, use the following command to specify the server: logging host ipaddr [ ipaddr. . . ] [ port protocol-port] You can enter more than one server IP address on the same command line. The default protocol port is 514. You can specify only one protocol port with the command. All servers must use the same protocol port to listen for syslog messages. If you use the command to add some log servers, then need to add a new log server later, you must enter all server IP addresses in the new com- mand. Each time you enter the logging host command, it replaces any set of servers and syslog port configured by the previous logging host command. 4. To configure the AX device to send log messages by email, use the fol- lowing commands to specify the email server and the email addresses: smtp {hostname | ipaddr} [ port protocol-port] The port option specifies the protocol port to which to send email. The default is 25. logging email-address address [ ...] To enter more than one address, use a space between each address. 5. To send event messages to an external SNMP server, see Enabling SNMP on page52. Enabling SNMP AX devices support the following SNMP versions: v1, v2c, v3. SNMP is disabled by default. You can configure the AX device to send SNMP traps to the Syslog and to external trap receivers. You also can configure read (GET) access to SNMP Management Information Base (MIB) objects on the AX device by external SNMP managers. Note: SNMP access to the AX device is read-only. SET operations (write access) are not supported. The AX device supports the following SNMP-related RFCs: RFC 1157, A Simple Network Management Protocol (SNMP) RFC 1901, Introduction to Community-based SNMPv2 RFC 2233, The Interfaces Group MIB using SMIv2 P e r f o r m a n c e b y D e s i g n 53 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters RFC 2576, Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework 2790, Host Resources MIB The following subtrees are supported: hrSystem: .1.3.6.1.2.1.25.1 hrStorage: .1.3.6.1.2.1.25.2 hrDeviceTable: .1.3.6.1.2.1.25.3.2 hrProcessorTable: .1.3.6.1.2.1.25.3.3 RFC 3410, Introduction and Applicability Statements for Internet Stan- dard Management Framework RFC 3411, An Architecture for Describing Simple Network Manage- ment Protocol (SNMP) Management Frameworks RFC 3412, Message Processing and Dispatching for the Simple Net- work Management Protocol (SNMP) RFC 3413, Simple Network Management Protocol (SNMP) Applica- tions RFC 3414, User-based Security Model (USM) for version 3 of the Sim- ple Network Management Protocol (SNMPv3) RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) RFC 3635, Definitions of Managed Objects for the Ethernet-like Inter- face Types SNMP Traps Table3 lists the SNMP traps supported by the AX device. All traps are dis- abled by default. TABLE 3 AX SNMP Traps Trap Category Trap Description SNMP Link Up Indicates that an Ethernet interface has come up. Link Down Indicates that an Ethernet interface has gone down. 54 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters System Start Indicates that the AX device has started. Shutdown Indicates that the AX device has shut down. Restart Indicates that the AX device is going to reboot or reload. Control CPU utilization Indicates that the control CPU utilization is higher than 90%. *
Data CPU utilization Indicates that data CPU utilization is higher than 90%. *
High Temperature Indicates that the temperature inside the AX chassis is too high (68 C or higher). *
If you see this trap, check for fan failure traps. Also check the installation location to ensure that the chassis room tem- perature is not too high (40 C or higher) and that the chassis is receiving adequate air flow. Fan Failure Indicates that a system fan has failed. Contact A10 Net- works. Power Supply Failure Indicates that a power supply has failed. Contact A10 Net- works. Primary Hard Disk Indicates that the primary Hard Disk has failed or the RAID system has failed. Contact A10 Networks. In dual-disk mod- els, the primary Hard Disk is the one on the left, as you are facing the front of the AX chassis. Secondary Hard Disk Indicates that the secondary Hard Disk has failed or the RAID system has failed. Contact A10 Networks. The sec- ondary Hard Disk is the one on the right, as you are facing the front of the AX chassis. Note: This trap does not apply to the following models: AX 2500, AX 2600, AX 3000, AX 5100, or AX 5200. High Disk Usage Indicates that hard disk usage on the AX device is high (85% or higher). *
High Memory Usage Indicates that the memory usage on the AX device is high (95% or higher). *
Packet Buffer drop Indicates that the AX device is dropping too many packets (100 or more during a 10-second interval). *
Network Trunk Ports Threshold Indicates that the trunk ports threshold feature has disabled trunk members because the number of up ports in the trunk has fallen below the configured threshold. High Availability (HA) Active Indicates that the AX device is going from HA Standby mode to Active mode. Standby Indicates that the AX device is going from HA Active mode to Standby mode. Active-Active Indicates that an Active-Active HA configuration has been enabled. TABLE 3 AX SNMP Traps (Continued) Trap Category Trap Description P e r f o r m a n c e b y D e s i g n 55 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters * This threshold is configurable. To use the GUI, navigate to Config >System >Settings > General >Threshold. In the CLI, use the monitor command at the global configuration level. SNMP Communities and Views You can allow external SNMP managers to access the values of MIB objects from the AX device. To allow remote read-only access to AX MIB objects, configure one or both of the following types of access. SNMP Community Strings An SNMP community string is a string that an SNMP manager can present to the AX device when requesting MIB values. Community strings are similar to passwords. You can minimize security risk by applying the same principles to selecting a community name as you Server Load Balancing (SLB) Server Up Indicates that an SLB server has come up. Server Down Indicates that an SLB server has gone down. Service Up Indicates that an SLB service has come up. Service Down Indicates that an SLB service has gone down. Server Connection Limit Indicates that an SLB server has reached its configured con- nection limit. Server Connection Resume Indicates that an SLB server has reached its configured con- nection-resume value. Service Connection Limit Indicates that an SLB service has reached its configured connection limit. Service Connection Resume Indicates that an SLB service has reached its configured connection-resume value. Virtual Server Connection Limit Indicates that the connection limit configured on a virtual server has been exceeded. Virtual Port Connection Limit Indicates that the connection limit configured on a virtual port has been exceeded. Virtual Server Connection-Rate Limit Indicates that the connection rate limit configured on a vir- tual server has been exceeded. Virtual Port Connection-Rate Limit Indicates that the connection rate limit configured on a vir- tual port has been exceeded. Virtual Port Up Indicates that an SLB virtual service port has come up. An SLB virtual servers service port is up when at least one member (real server and real port) in the service group bound to the virtual port is up. Virtual Port Down Indicates that an SLB virtual service port has gone down. Application Buffer Threshold Indicates that the configured SLB application buffer thresh- old has been exceeded. *
TABLE 3 AX SNMP Traps (Continued) Trap Category Trap Description 56 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters would to selecting a password. Use a hard-to-guess string and avoid use of commonly used community names such as public or private. You also can restrict access to specific Object IDs (OIDs) within the MIB, on an individual community basis. OIDs indicate the position of a set of MIB objects in the global MIB tree. The OID for A10 Networks AX Series objects is 1.3.6.1.4.1.22610. SNMP Views An SNMP view is like a filter that permits or denies access to a specific OID or portions of an OID. You can configure SNMP user groups and individual SNMP users, and allow or disallow them to read specific portions of the AX MIBs using different views. When you configure an SNMP user group or user, you specify the SNMP version. SNMP v1 and v2c do not support authentication or encryption of SNMP packets. SNMPv3 does. You can enable authentication, encryption, or both, on an individual SNMP user-group basis when you configure the groups. You can specify the authentication method and the password for individual SNMP users when you configure the users. SNMP Configuration Steps To configure SNMP: 1. Optionally, configure location and contact information. 2. Optionally, configure external SNMP trap receivers. 3. Optionally, configure one or more read-only communities. 4. Optionally, configure views, groups, and users. 5. Enable the SNMP agent and SNMP traps. 6. Save the configuration changes. You are not required to perform these configuration tasks in precisely this order. The workflow in the GUI is slightly different from the workflow shown here. Note: By default, the AX device can reach remote logging and trap servers only if they are reachable through the AX devices data ports, not the management port. To enable the AX device to reach remote logging and trap servers through the manage- ment port, see Using the Management Interface as the Source for Management Traffic on page939. P e r f o r m a n c e b y D e s i g n 57 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters USING THE GUI Note: To configure support for SNMPv3 or to configure views, groups, and users, use the CLI. The current release does not support configuration of SNMPv3 using the GUI. 1. Select Config >System >SNMP. 2. In the General section, configure general settings: a. To enable SNMP, select Enabled next to System SNMP Service. b. In the System Location field, enter a description of the AX devices location. c. In the System Contact field, enter the name or email address of the AX administrator to contact for system issues. 3. In the Community section, configure community strings: a. Click Community. b. In the SNMP Community field, enter a community name. c. To restrict SNMP access to a specific host or subnet, enter a host- name or an IP address and network mask in the Hostname (IP/ Mask) field. By default, any host can access the SNMP agent on the AX device. d. In the Object Identifier field, enter the OID at which SNMP man- agement applications can reach the AX device. e. Click Add. f. Repeat stepb through stepe for each combination of community string, management host, and OID. 4. In the Trap section, specify external trap receivers: a. Click Trap. b. In the Community field, enter the name of the community sending the traps. c. In the IP Address (host) field, enter the IP address or fully-qualified hostname of the SNMP trap receiver. d. If the trap receiver does not use the standard protocol port to listen for traps, change the port number in the Port field. e. Select SNMP the version from the Version drop-down list: V1 V2c 58 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Basic System Parameters f. Click Add to add the receiver. g. Repeat stepb through stepf for each trap receiver. 5. In the Trap List section, enable traps: a. Click Trap List. b. To enable all traps, select All Traps. Otherwise, select the individual traps you want to enable. 6. Click OK. 7. To save the configuration changes, click the Save button. Note: When there are unsaved configuration changes on the AX device, the Save button flashes. USING THE CLI All SNMP configuration commands are available at the global configura- tion level of the CLI. 1. To configure location and contact information, use the following com- mands: snmp-server location location snmp-server contact contact-name 2. To configure external SNMP trap receivers, use the following com- mand: snmp-server host trap-receiver [ version {v1 | v2c}] community-string [ udp-port port-num] 3. To configure one or more read-only communities, use the following command: snmp-server community read ro-community-string [oid oid-value] [remote {hostname | ipaddr mask-length | ipv6-addr/prefix-length}] P e r f o r m a n c e b y D e s i g n 59 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples 4. To configure views, groups, and users, use the following commands: snmp-server view view-name oid [ oid-mask] {included | excluded} snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} read view-name snmp-server user username group groupname {v1 | v2 | v3 [ auth {md5 | sha} password [ encrypted] ] } 5. To enable the SNMP agent and SNMP traps, use the following com- mand: snmp-server enable [ traps [ snmp [ trap-name] | system [ trap-name] | network [ trap-name] | ha [ trap-name] | slb [ trap-name] ] ] 6. To save the configuration changes, use the following command at the Privileged EXEC level or any configuration level of the CLI: write memory Configuration Examples The following examples show how to configure the system settings described in this chapter. GUI EXAMPLE The following examples show the GUI screens used for configuration of the basic system settings described in this chapter. Note: The GUI does not support configuration of SNMPv3 settings. 60 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples FIGURE 5 Config >Network >DNS >DNS P e r f o r m a n c e b y D e s i g n 61 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples FIGURE 6 Config >System>Time >Date/Time 62 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples FIGURE 7 Config >System>Settings >Log P e r f o r m a n c e b y D e s i g n 63 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples FIGURE 8 Config >System>SNMP 64 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples FIGURE 9 Config >System>SNMP >Trap List FIGURE 10 Save Button P e r f o r m a n c e b y D e s i g n 65 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples CLI EXAMPLE The following commands log onto the CLI, access the global configuration level, and set the hostname and configure the other DNS settings: l ogi n as: admin Wel come t o AX Usi ng keyboar d- i nt er act i ve aut hent i cat i on. Passwor d: ******** Last l ogi n: Tue J an 13 19: 51: 56 2009 f r om192. 168. 1. 144 [ t ype ? f or hel p] AX>enable Passwor d: ******** AX#config AX( conf i g) #hostname AX-SLB2 AX- SLB2( conf i g) #ip dns suffix ourcorp AX- SLB2( conf i g) #ip dns primary 10.10.20.25 AX- SLB2( conf i g) #ip dns secondary 192.168.1.25 The following examples set the login banner to welcome to login mode and set the EXEC banner to welcome to exec mode: AX- SLB2( conf i g) #banner login welcome to login mode AX- SLB2( conf i g) #banner exec welcome to exec mode The following commands set the timezone and NTP parameters: AX- SLB2( conf i g) #clock timezone ? Paci f i c/ Mi dway ( GMT- 11: 00) Mi dway I sl and, Samoa Paci f i c/ Honol ul u ( GMT- 10: 00) Hawai i Amer i ca/ Anchor age ( GMT- 09: 00) Al aska Amer i ca/ Ti j uana ( GMT- 08: 00) Paci f i c Ti me( US & Canada) ; Ti j uana Amer i ca/ Los_Angel es ( GMT- 08: 00) Paci f i c Ti me . . . AX- SLB2( conf i g) #clock timezone America/Los_Angeles AX- SLB2( conf i g) #ntp server 10.1.4.20 AX- SLB2( conf i g) #ntp server enable The following commands configure the AX device to send system log mes- sages to an external syslog server and to email Emergency messages to the system admins. In this example, the message levels sent to the external server are left at the default, Error (3) and above. By default, the same mes- 66 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Emailing Log Messages sage levels are sent to the management terminal in CLI sessions. The mes- sage level emailed to admins is set to Emergency (0) messages only. AX- SLB2( conf i g) #logging host 192.168.10.10 AX- SLB2( conf i g) #smtp ourmailsrvr AX- SLB2( conf i g) #logging email-address admin1@example.com admin2@exam- ple.com AX- SLB2( conf i g) #logging email 0 The following commands enable SNMP and all traps, configure the AX device to send traps to an external trap receiver, and configure a community string for use by external SNMP managers to read MIB data from the AX device. AX- SLB2( conf i g) #snmp-server location ourcorp-HQ AX- SLB2( conf i g) #snmp-server contact Me_admin1 AX- SLB2( conf i g) #snmp-server enable trap AX- SLB2( conf i g) #snmp-server community read ourcorpsnmp AX- SLB2( conf i g) #snmp-server host 192.168.10.11 ourcorpsnmp The following command saves the configuration changes to the startup-con- fig. This is the file from which the AX device loads the configuration fol- lowing a reboot. AX- SLB2( conf i g) #write memory Emailing Log Messages You can configure the AX device to email log messages, using email log fil- ters. By default, emailing of log messages is disabled. Log email filters consist of the following parameters: Filter ID Filter number, 1-8. Conditions One or more of the following: Severity Severity levels of messages to send in email. If you do not specify a message level, messages of any severity level match the filter and can be emailed. Software Module Software modules for which to email messages. Messages are emailed only if they come from one of the specified software modules. If you do not specify a software module, mes- sages from all modules match the filter and can be emailed. Regular Expression Message text to match on. Standard regular expression syntax is supported. Only messages that meet the criteria of the regular expression can be emailed. The regular expression P e r f o r m a n c e b y D e s i g n 67 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Emailing Log Messages can be a simple text string or a more complex expression using stan- dard regular expression logic. If you do not specify a regular expres- sion, messages with any text match the filter and can be emailed. Operators Set of Boolean operators (AND, OR, NOT) that specify how the conditions should be compared. (See Boolean Operators on page67.) Trigger option Specifies whether to buffer matching messages or send them immediately. Boolean Operators A logging email filter consists of a set of conditions joined by Boolean expressions (AND / OR / NOT). The CLI Boolean expression syntax is based on Reverse Polish Notation (also called Postfix Notation), a notation method that places an operator (AND, OR, NOT) after all of its operands (in this case, the conditions list). After listing all the conditions, specify the Boolean operator(s). The follow- ing operators are supported: AND All conditions must match in order for a log message to be emailed. OR Any one or more of the conditions must match in order for a log message to be emailed. NOT A log message is emailed only if it does not match the conditions (For more information about Reverse Polish Notation, see the following link: http://en.wikipedia.org/wiki/Reverse_Polish_notation.) USING THE GUI 1. Select Config >System >Settings. 2. On the menu bar, select Log. 3. In the Logging Email Filter section, click Add. A configuration page for the filter appears. 4. In the ID field, enter the filter ID, 1-8. 5. To immediately send matching messages in an email instead of buffer- ing them, select Trigger. Otherwise, matching messages are buffered until the message buffer becomes full or the send timer for emailed log messages expires. 68 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Emailing Log Messages 6. Construct the rest of the filter by selecting the conditions. Note: The conditions must be selected in the order described here. Otherwise, the filter will be invalid. If you accidentally configure an invalid filter, you can click Clear to remove the filter conditions and start again. a. Select the message severity level from the Level drop-down list, and click Add. To add more severity levels, repeat this step for each severity level. b. Optionally, select a software module from the Module drop-down list, and click Add. To add more modules, repeat this step for each module. c. Optionally, enter a regular expression in the Pattern field to specify message text to match on, and click Add. d. Select the operator from the Operator drop-down list, and click Add. 7. Click OK. The new filter appears in the Logging Email Filter section on the Log page. 8. Optionally, to change the maximum number of log messages to buffer before sending them in email, edit the number in the Logging Email Buffer Number field. You can specify 16-256 messages. The default is 50. 9. Optionally, to change the number of minutes the AX device waits before sending all buffered messages, edit the number in the Logging Email Buffer Time field. This option takes affect if the buffer does not reach the maximum number of messages allowed. You can specify 10-1440 minutes. The default is 10. 10. When finished configuring log settings, click OK. P e r f o r m a n c e b y D e s i g n 69 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Emailing Log Messages FIGURE 11 Config >System>Settings >Log - Add (Logging Email Filter section) FIGURE 12 Config >System>Settings >Log (Logging Email Filter added) USING THE CLI To configure log email settings, use the following commands at the global configuration level of the CLI: [ no] logging email buffer [ number num] [ time minutes] 70 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Emailing Log Messages This command configures message buffering. The number option specifies the maximum number of messages to buffer. You can specify 16-256. The default is 50. The time option specifies how long to wait before sending all buffered messages, if the buffer contains fewer than the maximum allowed number of messages. You can specify 10-1440 minutes. The default is 10. Whenever an email is triggered, the email will contain all buffered log mes- sages. [ no] logging email filter filter-num conditions operators [ trigger] The filter-num option specifies the filter number, and can be 1-8. The conditions list can contain one or more of the following: level severity-levels Specifies the severity levels of messages to send in email. You can specify the severity levels by number (0-7) or by name: emergency, alert, critical, error, warning, notification, infor- mation, or debugging. mod software-module-name Specifies the software modules for which to email messages. Messages are emailed only if they come from one of the specified software modules. For a list of module names, enter ? instead of a module name, and press Enter. pattern regex Specifies the string requirements. Standard regular expression syntax is supported. Only messages that meet the criteria of the regular expression will be emailed. The regular expression can be a simple text string or a more complex expression using standard regular expression logic. The operators are a set of Boolean operators (AND, OR, NOT) that specify how the conditions should be compared. (See Filter Syntax below.) The trigger option immediately sends the matching messages in an email instead of buffering them. If you omit this option, the messages are buffered based on thelogging email buffer settings. Considerations You can configure up to 8 filters. The filters are used in numerical order, starting with filter 1. When a message matches a filter, the message will be emailed based on the buffer settings. No additional filters are used to examine the message. A maximum of 8 conditions are supported in a filter. P e r f o r m a n c e b y D e s i g n 71 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Emailing Log Messages The total number of conditions plus the number of Boolean operators supported in a filter is 16. For backward compatibility, the following syntax from previous releases is still supported: logging email severity-level The severity-level can be one or more of the following: 0, 1, 2, 5, emer- gency, alert, critical, notification. The command is treated as a special filter. This filter is placed into effect only if the command syntax shown above is in the configuration. The filter has an implicit trigger option for emergency, alert, and critical messages, to emulate the behavior in previous releases. CLI Example The following command configures the AX device to buffer log messages to be emailed. Messages will be emailed only when the buffer reaches 32 messages, or 30 minutes passes since the previous log message email, whichever happens first. AX( conf i g) #logging email buffer number 32 time 30 The following command resets the buffer settings to their default values. AX( conf i g) #no logging email buffer number time The following command configures a filter that matches on log messages if they are information-level messages and contain the string abc. The trig- ger option is not used, so the messages will be buffered rather than emailed immediately. AX( conf i g) #logging email filter 1 level information pattern "abc" and The following command reconfigures the filter to immediately email matching messages. AX( conf i g) #logging email filter 1 level information pattern "abc" and trigger 72 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Emailing Log Messages P e r f o r m a n c e b y D e s i g n 73 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Network Setup This chapter describes how to insert the AX device into your network. After you complete the setup tasks in this chapter that are applicable to your network, the AX device will be ready to configure for its primary function: load balancing. Overview AX Series devices can be inserted into your network with minimal or no changes to your existing network. You can insert the AX device into your network as a Layer 2 switch or a Layer 3 router. The same Layer 4-7 features are available with either deployment option. You can deploy the AX device as a single unit or as a High Availability (HA) pair. Deploying a pair of AX devices in an HA configuration provides an extra level of redundancy to help ensure your site remains available to clients. For simplicity, the examples in this chapter show deployment of a single AX device. For information about HA, see High Availability on page445. Examples are provided in this chapter for the following types of network deployment: Transparent mode Transparent mode in multinetted environment Route mode (also called gateway mode) Direct Server Return (DSR) in transparent mode DSR in route mode DSR in mixed Layer 2/Layer 3 environment IP Subnet Support Each AX device has a management interface and data interfaces. The man- agement interface is a physical Ethernet port. A data interface is a physical Ethernet port, a trunk group, or a Virtual Ethernet (VE) interface. 74 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview The management interface can have a single IP address. An AX device deployed in transparent mode (Layer 2) can have a single IP address for all data interfaces. The IP address of the data interfaces must be in a different subnet than the management interfaces address. An AX device deployed in route mode (Layer 3) can have separate IP addresses on each data interface. No two interfaces can have IP addresses that are in the same subnet. This applies to the management interface and all data interfaces. P e r f o r m a n c e b y D e s i g n 75 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode Transparent Mode Figure13 shows an example of an AX Series device deployed in transpar- ent mode. FIGURE 13 AX Deployment Example Transparent Mode The blue arrows show the traffic flow for client-server traffic; in this exam- ple, between clients and server 10.10.10.3. In this example, the AX device is inserted directly between the gateway router and the real servers. The AX device and real servers are all in the same subnet and all use the router as their default gateway. 76 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode Note: For simplicity, this example and the other examples in this chapter show the physical links on single Ethernet ports. Everywhere a single Ethernet connection is shown, you can use a trunk, which is a set of multiple ports configured as a single logical link. Similarly, where a single gateway router is shown, a pair of routers in a Virtual Router Redundancy Protocol (VRRP) configuration could be used. In this case, the gateway address used by hosts and Layer 2 switches is the virtual IP address of the pair of routers. This example does not use Layer 3 Network Address Translation (NAT) but does use the default SLB NAT settings. (For a description, see SLB Source NAT on page617.) HTTP requests from clients for virtual server 10.10.10.99 are routed by the Layer 3 router to the AX device. SLB on the AX device selects a real server and sends the request to the server. The server reply passes back through the AX device to clients. Configuration Example This section shows the GUI screens and CLI commands needed to imple- ment the configuration shown in Figure13. USING THE GUI The following figures show the GUI screens used to implement the configu- ration shown in Figure13. Here and elsewhere in this guide, the command paths used to access a GUI screen are listed in the figure caption. Interface Configuration FIGURE 14 Config >Network >Interface >Transparent P e r f o r m a n c e b y D e s i g n 77 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode Note: For reference, Figure14 shows the entire interface. Subsequent figures show only the relevant configuration page. FIGURE 15 Config >Network >Interface >LAN Real server configuration The following screen examples show the GUI pages for basic SLB configu- ration. To implement changes entered on a GUI configuration page, click OK at the bottom of the page. 78 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode FIGURE 16 Config >Service >SLB >Server P e r f o r m a n c e b y D e s i g n 79 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode Service group configuration FIGURE 17 Config >Service >SLB >Service Group 80 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode Virtual server configuration FIGURE 18 Config >Service >SLB >Virtual Server FIGURE 19 Config >Service >SLB >Virtual Server - Virtual Server Port P e r f o r m a n c e b y D e s i g n 81 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode USING THE CLI The following commands configure the global IP address and default gate- way: AX( conf i g) #ip address 10.10.10.2 /24 AX( conf i g) #ip default-gateway 10.10.10.1 The following commands enable the Ethernet interfaces used in the exam- ple: AX( conf i g) #interface ethernet 1 AX( conf i g- i f : et her net 1) #enable AX( conf i g- i f : et her net 1) #interface ethernet 2 AX( conf i g- i f : et her net 2) #enable AX( conf i g- i f : et her net 2) #interface ethernet 3 AX( conf i g- i f : et her net 3) #enable AX( conf i g- i f : et her net 3) #exit The following commands add the SLB configuration. (For more informa- tion about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.) Commands to configure the real servers AX( conf i g) #slb server rs1 10.10.10.3 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 10.10.20.4 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit Commands to configure the service group AX( conf i g) #slb service-group sg-web tcp AX( conf i g- sl b ser vi ce gr oup) #member rs1:80 AX( conf i g- sl b ser vi ce gr oup) #member rs2:80 AX( conf i g- sl b ser vi ce gr oup) #exit Commands to configure the virtual server AX( conf i g) #slb virtual-server vip1 10.10.10.99 AX( conf i g- sl b vi r t ual ser ver ) #port 80 fast-http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sg-web 82 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode in Multinetted Environment Transparent Mode in Multinetted Environment Figure20 shows an example of an AX device deployed in transparent mode, in a multinetted environment. FIGURE 20 AX Deployment Example Transparent Mode in Multinetted Environment This example is similar to the example in Figure13, except the real servers are in separate subnets. Each server uses the router as its default gateway, but at a different subnet address. P e r f o r m a n c e b y D e s i g n 83 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode in Multinetted Environment The blue arrows show the traffic flow for client-server traffic; in this exam- ple, between clients and server 10.10.10.4. To enable the AX device to pass traffic for multiple subnets, the device is configured with multiple VLANs. The interfaces in subnet 10.10.10.x are in VLAN 1. The interfaces in the 10.10.20.x subnet are in VLAN 2. Note: In this example, each AX interface is in only one VLAN and can therefore be untagged. The AX device could be connected to the router by a single link, in which case the AX link with the router would be in two VLANs and would need to tagged in at least one of the VLANs. (If an interface is in multiple VLANs, the interface can be untagged in only one of the VLANs.) Layer 3 IP Source NAT The default SLB NAT settings allow client traffic to reach the server in the 10.10.20.x subnet, even though this is not the subnet that contains the AX devices IP address. However, in a multinetted environment where the AX device is deployed in transparent mode, source NAT is required, to allow health checking of server 10.10.20.4 and its application port. In this example, an address pool containing a range of addresses in the 10.10.20.x subnet is configured. The pool configuration includes the default gateway for the 10.10.20.x subnet (10.10.20.1). Without a gateway speci- fied for the NAT pool, the AX device would attempt to send reply traffic using its own gateway (10.10.10.x), which is in a different subnet. The NAT configuration also includes enabling source NAT on the service port (in this example, 80) on the virtual server. Note: The AX device initiates health checks using the last (highest numbered) IP address in the pool as the source IP address. In addition, the AX device will only respond to control traffic (for example, management and ICMP traffic) from the NATted subnet if the control traffic is sent to the last IP address in the pool. 84 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode in Multinetted Environment Configuration Example This section shows the GUI screens and CLI commands needed to imple- ment the configuration shown in Figure20. Note: GUI examples are shown here only for the configuration elements that are new in this section (VLAN and Source NAT pool). For examples of the GUI screens for the rest of the configuration, see Transparent Mode on page75. USING THE GUI FIGURE 21 Config >Network >VLAN FIGURE 22 Config >Service >IP Source NAT >IPv4 Pool P e r f o r m a n c e b y D e s i g n 85 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode in Multinetted Environment FIGURE 23 Config >Service >SLB >Virtual Server - Virtual Server Port 86 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode in Multinetted Environment USING THE CLI The following commands configure the global IP address and default gate- way: AX( conf i g) #ip address 10.10.10.2 /24 AX( conf i g) #ip default-gateway 10.10.10.1 The following commands enable the Ethernet interfaces used in the exam- ple: AX( conf i g) #interface ethernet 1 AX( conf i g- i f : et her net 1) #enable AX( conf i g- i f : et her net 1) #interface ethernet 2 AX( conf i g- i f : et her net 2) #enable AX( conf i g- i f : et her net 2) #interface ethernet 3 AX( conf i g- i f : et her net 3) #enable AX( conf i g- i f : et her net 3) #interface ethernet 4 AX( conf i g- i f : et her net 4) #enable AX( conf i g- i f : et her net 4) #exit The following commands configure the VLANs. By default, all AX Ether- net data ports are in VLAN 1 by default, so the only configuration required in this example is to create a second VLAN and add ports to it. The ports you add to other VLANs are automatically removed from VLAN 1. AX( conf i g) #vlan 2 AX( conf i g- vl an: 2) #untagged ethernet 2 ethernet 4 AX( conf i g- vl an: 2) #exit The following command configures a pool of IP addresses for use by source NAT. The pool is in the same subnet as real server 10.10.20.4. AX( conf i g) #ip nat pool pool1 10.10.20.100 10.10.20.101 netmask /24 gateway 10.10.20.1 The following commands add the SLB configuration. The source-nat com- mand enables the IP address pool configured above to be used for NATting health check traffic between the AX device and the real server. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.) P e r f o r m a n c e b y D e s i g n 87 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Transparent Mode in Multinetted Environment Commands to configure the real servers AX( conf i g) #slb server rs1 10.10.10.4 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 10.10.20.4 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit Commands to configure the service group AX( conf i g) #slb service-group sg-web tcp AX( conf i g- sl b ser vi ce gr oup) #member rs1:80 AX( conf i g- sl b ser vi ce gr oup) #member rs2:80 AX( conf i g- sl b ser vi ce gr oup) #exit Commands to configure the virtual server AX( conf i g) #slb virtual-server vip1 10.10.10.99 AX( conf i g- sl b vi r t ual ser ver ) #port 80 fast-http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #source-nat pool pool1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sg-web 88 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Route Mode Route Mode Figure24 shows an example of an AX device deployed in route mode. FIGURE 24 AX Deployment Example Route Mode The blue arrows show the traffic flow for client-server traffic; in this exam- ple, between clients and server 192.168.4.101. This example shows a data- base server that is not part of the SLB configuration but that is used by the real servers when fulfilling client requests. Real servers can reach the data- base server through the AX device just as they would through any other P e r f o r m a n c e b y D e s i g n 89 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Route Mode router. Replies to clients still travel from the real servers through the AX device back to the client. In this example, the AX device has separate IP interfaces in different sub- nets on each of the interfaces connected to the network. The AX device can be configured with static IP routes and can be enabled to run OSPF. In this example, a static route is configured to use as the default route through 10.10.10.1. Although this example shows single physical links, you could use trunks as physical links. You also could use multiple VLANs. In this case, the IP addresses would be configured on Virtual Ethernet (VE) interfaces, one per VLAN, instead of being configured on individual Ethernet ports. Since the AX device is a router in this deployment, downstream devices can use the AX device as their default gateway. The database server would use 192.168.3.100 as its default gateway, the router connected to port 3 would use 192.168.1.111 as its default gateway, and the Layer 2 switch connected to 192.168.2.100 would use that address as its default gateway. If a pair of AX devices in a High Availability (HA) configuration is used, the downstream devices would use a floating IP address shared by the two AX devices as their default gateway. (For more on HA, see High Availabil- ity on page445.) Source NAT is not required for this configuration. The AX can send health checks to the real servers and receive the replies without NAT. Configuration Example This section shows the GUI screens and CLI commands needed to imple- ment the configuration shown in Figure24. Note: GUI examples are shown here only for the configuration elements that are new in this section (configuration of routing parameters). For examples of the GUI screens for the SLB configuration, see Transparent Mode on page75. Note: In the current release, the GUI does not support configuration of OSPF. 90 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Route Mode USING THE GUI FIGURE 25 Config >Network >Interface >LAN >IPv4 FIGURE 26 Config >Network >Route >IPv4 Static P e r f o r m a n c e b y D e s i g n 91 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Route Mode USING THE CLI The following commands enable the Ethernet interfaces used in the exam- ple and configure IP addresses on them: AX( conf i g) #interface ethernet 1 AX( conf i g- i f : et her net 1) #enable AX( conf i g- i f : et her net 1) #ip address 10.10.10.2 /24 AX( conf i g- i f : et her net 1) #interface ethernet 2 AX( conf i g- i f : et her net 2) #enable AX( conf i g- i f : et her net 2) #ip address 192.168.3.100 /24 AX( conf i g- i f : et her net 2) #interface ethernet 3 AX( conf i g- i f : et her net 3) #enable AX( conf i g- i f : et her net 3) #ip address 192.168.1.111 /24 AX( conf i g- i f : et her net 3) #exit AX( conf i g- i f : et her net 3) #interface ethernet 4 AX( conf i g- i f : et her net 4) #enable AX( conf i g- i f : et her net 4) #ip address 192.168.2.100 /24 AX( conf i g- i f : et her net 4) #exit The following command configures the default route through 10.10.10.1: AX( conf i g) #ip route 0.0.0.0 /0 10.10.10.1 The following commands add the SLB configuration. (For more informa- tion about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.) Commands to configure the real servers AX( conf i g) #slb server rs1 192.168.1.101 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 192.168.2.101 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit Commands to configure the service group AX( conf i g) #slb service-group sg-web tcp AX( conf i g- sl b ser vi ce gr oup) #member rs1:80 AX( conf i g- sl b ser vi ce gr oup) #member rs2:80 AX( conf i g- sl b ser vi ce gr oup) #exit 92 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Route Mode Commands to configure the virtual server AX( conf i g) #slb virtual-server vip1 10.10.10.99 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sg-web P e r f o r m a n c e b y D e s i g n 93 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Transparent Mode Direct Server Return in Transparent Mode Figure27 shows an example of an AX device deployed in transparent mode, in a Direct Server Return (DSR) configuration. In a DSR configura- tion, replies from real servers do not necessarily pass through the AX device. FIGURE 27 AX Deployment Example DSR in Transparent Mode In this example, the AX device is attached to the network in a one-armed configuration. A single link connects the AX device to the network. The 94 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Transparent Mode link can be on a single Ethernet port or a trunk. This example uses a single Ethernet port. The blue arrows show the traffic flow for client-server traffic; in this exam- ple, between clients and servers 10.10.10.3-4. Client request traffic for the virtual server IP address, 10.10.10.99, is routed to the AX device. However, server reply traffic does not pass back through the AX device. Note: VIP redistribution is not supported for VIPs that are configured for Direct Server Return (DSR). DSR Health Checking Layer 3 and Layer 4-7 health checks are supported in DSR configurations. The target of the Layer 3 health checks can be the real IP addresses of the servers, or the virtual IP address, depending on your preference. To send the Layer 3 health checks to the real server IP addresses, you can use the default Layer 3 health method (ICMP). To send the Layer 3 health checks to the virtual IP address instead: Configure an ICMP health method with the transparent option enabled, and with the alias address set to the virtual IP address. Globally enable DSR health checking. Layer 4-7 health checks are sent to the same IP address as the Layer 3 health checks, and then addressed to the specific protocol port. You can use the default TCP and UDP health monitors or configure new health monitors. This example uses the default TCP health monitor. Requirements This configuration has certain requirements: Requirements on the AX device: The AX device, virtual server, and the real servers all must be in the same subnet. The virtual server IP address must be configured as a loopback interface on each real server. (This is performed on the real server itself, not as part of the real servers configuration on the AX device.) DSR must be enabled on the virtual service ports. (Enabling DSR is equivalent to disabling destination NAT.) Note: In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP, UDP, and RTSP. P e r f o r m a n c e b y D e s i g n 95 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Transparent Mode Requirements on the real server: A loopback interface must be configured with the virtual server IP address. ARP replies from the loopback interfaces must be disabled. (This applies to the loopback interfaces that have the virtual server IP address.) Configuration Example This section shows how to implement the configuration shown in Figure27. USING THE GUI Note: This example does not include configuration of the real servers, or config- uration of the virtual server other than the steps for enabling DSR. Specify the AX devices IP address and default gateway 1. Select Config >Network >Interface. 2. On the menu bar, select Transparent. 3. Enter the IP address, network mask or prefix length, and default gate- way address. (In this example, use the IPv4 section and enter 10.10.10.2, 255.255.255.0, and 10.10.10.1.) 4. Click OK. Enable Ethernet interface(s) 1. Select Config >Network >Interface. 2. On the menu bar, select LAN. 3. Click on the checkbox next to the interface number to enable (for exam- ple, e3). 4. Click Enable. The icon in the Status column changes to a green check- mark to indicate that the interface is enabled. Enable DSR on virtual ports 1. Select Config >Service >Server >Virtual Server. 2. Select the virtual server or click Add to create a new one. 3. Select the virtual port and click Edit, or click Add to create a new one. 96 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Transparent Mode 4. In the Virtual Server Port section, select Enabled next to Direct Server Return. Configure other settings if needed. (The other settings are not specific to DSR and depend on the application.) 5. Click OK. The virtual port list for the virtual server reappears. 6. Click OK again. The virtual server list reappears. USING THE CLI The following commands configure the global IP address and default gate- way: AX( conf i g) #ip address 10.10.10.2 /24 AX( conf i g) #ip default-gateway 10.10.10.1 The following commands enable the Ethernet interface connected to the cli- ents and server: AX( conf i g) #interface ethernet 3 AX( conf i g- i f : et her net 3) #enable AX( conf i g- i f : et her net 3) #exit The following commands add the SLB configuration. (For more informa- tion about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.) Commands to configure the real servers AX( conf i g) #slb server rs1 10.10.10.3 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 10.10.10.4 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit Commands to configure the service group AX( conf i g) #slb service-group sg-web tcp AX( conf i g- sl b ser vi ce gr oup) #member rs1:80 AX( conf i g- sl b ser vi ce gr oup) #member rs2:80 AX( conf i g- sl b ser vi ce gr oup) #exit P e r f o r m a n c e b y D e s i g n 97 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Transparent Mode Commands to configure the virtual server AX( conf i g) #slb virtual-server vip1 10.10.10.99 AX( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sg-web AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #no-dest-nat CONFIGURATION ON THE REAL SERVERS For DSR to work, a loopback interface with the IP address of the virtual server must be configured on each real server, and ARP replies from the loopback address must be disabled. Here is an example for a Unix/Linux server: i f conf i g l o: 0 10. 10. 10. 99 net mask 255. 255. 255. 255 - ar p up echo 1 > / pr oc/ sys/ net / i pv4/ conf / al l / ar p_i gnor e echo 1 > / pr oc/ sys/ net / i pv4/ conf / et h0/ ar p_i gnor e echo 2 > / pr oc/ sys/ net / i pv4/ conf / al l / ar p_announce echo 2 > / pr oc/ sys/ net / i pv4/ conf / et h0/ ar p_announce 98 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Route Mode Direct Server Return in Route Mode Figure28 shows an example of an AX device deployed in a DSR configura- tion in route mode. FIGURE 28 AX Deployment Example DSR in Route Mode The configuration is very similar to the one for DSR in transparent mode, except the AX device uses an IP interface configured on an individual Ethernet port instead of a global IP address. The requirements for the AX device and real servers are the same as those for DSR in transparent mode. (See Direct Server Return in Transparent Mode on page93.) Note: VIP redistribution is not supported for VIPs that are configured for Direct Server Return (DSR). P e r f o r m a n c e b y D e s i g n 99 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Route Mode Configuration Example This section shows how to implement the configuration shown in Figure28. Note: The following examples only show the part of the configuration that dif- fers from deployment of DSR in transparent mode. The only difference is configuration of the IP interface on the Ethernet interface connected to the router, and configuration of a default route. USING THE GUI Configure an IP address on the Ethernet port 1. Select Config >Network >Interface. 2. On the menu bar, select LAN. 3. In the Interface column, click on the interface name (for example, e3). 4. In the General section, click Enabled next to Status. 5. In the IPv4 section, enter the IP address and network mask. 6. Click OK. Configure a default route 1. Select Config >Network >Route. 2. On the menu bar, select IPv4 Static. 3. Click Add. 4. Enter 0.0.0.0 in the IP Address and Netmask fields. 5. Enter the IP address of the gateway router in the Gateway field. 6. Click OK. 100 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Route Mode USING THE CLI The following commands enable the Ethernet interface used in the example and configure an IP address on it: AX( conf i g) #interface ethernet 3 AX( conf i g- i f : et her net 3) #enable AX( conf i g- i f : et her net 3) #ip address 10.10.10.2 /24 AX( conf i g- i f : et her net 3) #exit The following command configures the default route through 10.10.10.1: AX( conf i g) #ip route 0.0.0.0 /0 10.10.10.1 The rest of the configuration commands are the same as those shown in Direct Server Return in Transparent Mode on page93, beginning with configuration of the real servers. P e r f o r m a n c e b y D e s i g n 101 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Mixed Layer 2/Layer 3 Environment Direct Server Return in Mixed Layer 2/Layer 3 Environment You can configure the AX device to use some servers as backups in a DSR deployment. The backup servers are not required to be connected to the AX device at Layer 2 or in the same IP subnet. Figure29 shows an example that uses a backup server in a different subnet. Note: The deployment described in this section is useful for deploying backup servers to use only if primary servers are unavailable. FIGURE 29 Backup Server in DSR Configuration In this example, two real servers are used as the primary servers for VIP 10.10.10.99:80. They are in the same IP subnet as the AX device. Each of them is configured for DSR: destination NAT is disabled on the virtual port. Another server, 192.168.2.10, is configured as a backup, to be used only if both primary servers are unavailable. Since the backup server is a valuable network resource, serving as a server farm backup is only one of its func- tions. It also used by other applications elsewhere in the network. The AX device can be configured to use the server as a backup to a DSR server farm, without changing the network topology. 102 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Mixed Layer 2/Layer 3 Environment To deploy the backup server: In the service group, assign a higher priority to the members for the pri- mary servers, so that the member for the backup server has the lower priority. By default, the AX device will not use the lower-priority server (the backup server) unless all the primary servers are down. Use the same priority for all the primary servers. Enable destination NAT on the backup server. By default, destination NAT is unset on real ports, and is set by the virtual port. Normally, desti- nation NAT is disabled on virtual ports used for DSR. However, destina- tion NAT needs to be enabled on the real port on the backup server. Enabling destination NAT for the backup server allows the server to remain on a different subnet from the AX device, and still be used for the VIP that normally is served by DSR. The backup server does not need to be moved to a Layer 2 connection to the AX device and the servers IP address does not need to be changed. It can remain on a dif- ferent subnet from the AX device and the primary servers. Destination NAT can not be set directly on an individual real port. To enable destination NAT on a real port, create a real port template and enable destination NAT in the template. You can bind the template to the real port itself, or to the service group member for the port. If you bind the template to the port itself, the template applies to the port in all service groups that use the port. If you bind the template to the service group member instead, the template applies to the port only within the service group. The tem- plate does not apply to the same port when used in other service groups. Note: VIP redistribution is not supported for VIPs that are configured for Direct Server Return (DSR). USING THE GUI Configure a port template to enable destination NAT on the backup servers port 1. Select Config >Service >SLB. 2. On the menu bar, select Template >Server Port. 3. Click Add. 4. Enter a name for the template in the Name field. P e r f o r m a n c e b y D e s i g n 103 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Mixed Layer 2/Layer 3 Environment 5. Select Disabled next to Direct Server Return. 6. Click OK. Configure the service group 1. Select Config >Service >SLB. 2. On the menu bar, select Service Group. 3. Click on the service group name or click Add to create a new one. 4. If this is a new service group, enter the name. 5. Add the primary servers to the service group: a. Select a primary server from the Server drop-down list. Note: If you are modifying a member that is already in the list, click the check- box in the row containing the member information, select the priority, then click Update. b. Enter the protocol port number in the Port field. c. Select 16 from the Priority drop-down list. d. Click Add. e. Repeat for the other primary server. 6. Add the backup server to the service group: a. Select the backup server from the Server drop-down list. b. Enter the protocol port number in the Port field. c. Select the port template for the backup server from the Server Port Template drop-down list. This is the template configured in Con- figure a port template to enable destination NAT on the backup servers port on page102. d. Leave 1 selected in the Priority drop-down list. e. Click Add. 7. Click OK. 104 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Mixed Layer 2/Layer 3 Environment FIGURE 30 Config >Service >SLB >Template >Server Port FIGURE 31 Config >Service >SLB >Service Group To set the priority values of the primary servers to a higher value than the backup server, re-add the members for the primary servers ports, and use the priority option. Set the priority to a value higher than 1 (the default). Use the same priority value on each of the primary servers member ports. P e r f o r m a n c e b y D e s i g n 105 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Mixed Layer 2/Layer 3 Environment To enable destination NAT on a service port within a service group, use the dest-nat option in a server port template, then bind that template to the server port in the service group. CLI Example The following commands configure a server port template for the backup server: AX( conf i g) #slb template port dsrbackup AX( conf i g- r por t ) #dest-nat AX( conf i g- r por t ) #exit The following commands add the members to the service group: AX( conf i g) #slb service-group sg-dsr tcp AX( conf i g- sl b ser vi ce gr oup) #member primarys1:80 priority 16 AX( conf i g- sl b ser vi ce gr oup) #member primarys2:80 priority 16 AX( conf i g- sl b ser vi ce gr oup) #member secondarys1:80 template port dsrbackup 106 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Direct Server Return in Mixed Layer 2/Layer 3 Environment P e r f o r m a n c e b y D e s i g n 107 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Support for Multiple OSPFv2 Processes and OSPFv3 Instances Open Shortest Path First (OSPF) The AX device supports the following OSPF versions: OSPFv2 for IPv4 OSPFv3 for IPv6 This chapter provides configuration examples. For detailed CLI syntax information, see the AX Series CLI Reference. Support for Multiple OSPFv2 Processes and OSPFv3 Instances AX Release 2.4.3 supports up to 65535 OSPFv2 processes on a single AX device. Only a single OSPFv2 process can run on a given interface. Each IPv6 link can run up to 65535 OSPFv3 instances, on the same link. Each OSPF process or instance is completely independent of the other OSPF processes or instances on the device. They do not share any informa- tion directly. However, you can configure redistribution of routes between them. Support for OSPFv2 and OSPFv3 on the Same Interface or Link You can configure OSPFv2 and OSPFv3 on the same interface or link. OSPFv2 configuration commands affect only the IPv4 routing domain, while OSPFv3 configuration commands affect only the IPv6 routing domain. OSPF MIB Support AX Release 2.4.3 includes support for the following OSPF MIBs: RFC 1850 OSPFv2 Management Information Base draft-ietf-ospf-ospfv3-mib-08 OSPFv3 Management Information Base 108 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example Configuration Example The configuration excerpts in this example configure OSPFv2 and OSPFv3 on an AX device. Interface Configuration The following commands configure two physical Ethernet data interfaces. Each interface is configured with an IPv4 address and an IPv6 address. Each interface also is added to OSPF area 0 (the backbone area). The link-state metric (OSPF cost) of Ethernet 2 is set to 30, which is higher than the default, 10. Based on the cost difference, OSPF routes through Ethernet 1 will be favored over OSPF route through Ethernet 2, because the OSPF cost of Ethernet 1 is lower. i nt er f ace et her net 1 i p addr ess 2. 2. 10. 1 255. 255. 255. 0 i pv6 addr ess 5f 00: 1: 2: 10: : 1/ 64 i pv6 r out er ospf ar ea 0 t ag 1 ! i nt er f ace et her net 2 i p addr ess 3. 3. 3. 1 255. 255. 255. 0 i pv6 addr ess 5f 00: 1: 2: 20: : 1/ 64 i p ospf cost 25 i pv6 r out er ospf ar ea 0 t ag 1 The following commands configure two Virtual Ethernet (VE) interfaces. On VE 3, an IPv4 address is configured. On VE 4, an IPv4 address and an IPv6 address are configured. OSPFv2 authentication is configured on VE 3, and the OSPF cost is set to 20. On VE 4, the OSPF cost is set to 15. i nt er f ace ve 3 i p addr ess 1. 1. 1. 2 255. 255. 255. 0 i p ospf aut hent i cat i on message- di gest i p ospf message- di gest - key 1 md5 abc i p ospf cost 20 ! P e r f o r m a n c e b y D e s i g n 109 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example i nt er f ace ve 4 i p addr ess 1. 1. 60. 2 255. 255. 255. 0 i pv6 addr ess 5f 00: 1: 1: 60: : 2/ 64 i p ospf cost 15 Global OSPF Parameters The following commands configure global settings for OSPFv2 process 2. The router ID is set to 2.2.2.2. Subnets 1.1.x.x, 2.2.10.x, and 3.3.3.x are added to the backbone area. Redistribution is enabled for static routes, routes to VIPs, IP source NAT addresses, and floating IP addresses (used by HA). In addition, an extra HA cost is configured, and the SPF timer is changed. r out er ospf 2 ospf r out er - i d 2. 2. 2. 2 ha- st andby- ext r a- cost 25 t i mer s spf exp 500 50000 r edi st r i but e st at i c met r i c 5 met r i c- t ype 1 r edi st r i but e vi p met r i c 500 met r i c- t ype 1 r edi st r i but e i p- nat r edi st r i but e f l oat i ng- i p met r i c- t ype 1 net wor k 1. 1. 0. 0 0. 0. 255. 255 ar ea 0 net wor k 2. 2. 10. 0 0. 0. 0. 255 ar ea 0 net wor k 3. 3. 3. 0 0. 0. 0. 255 ar ea 0 The following commands configure global settings for OSPFv3 instance 1. The router ID is set to 3.3.3.3. A stub area is added, redistribution is enabled, and the SPF timer is changed. r out er i pv6 ospf 1 r out er - i d 3. 3. 3. 3 r edi st r i but e st at i c met r i c 5 met r i c- t ype 1 r edi st r i but e i p- nat r edi st r i but e f l oat i ng- i p ar ea 1 st ub t i mer s spf exp 500 50000 110 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example OSPF Logging Router logging is disabled by default. You can enable router logging to one or more of the following destinations: CLI terminal (stdout) Local logging buffer Local file External log servers Note: Log file settings are retained across reboots but debug settings are not. Note: Enabling debug settings that produce lots of output, or enabling all debug settings, is not recommend for normal operation. Configuring Router Logging for OSPF To configure router logging for OSPF: 1. Enable output options. 2. Set severity level and facility. 3. Enable debug options to generate output. For additional syntax information, including show and clear commands for router logging, see the AX Series CLI Reference. 1. Enable output options: To enable output to the terminal, use the following command at the global configuration level of the CLI: router log stdout To enable output to the local logging buffer, use the following command at the global configuration level of the CLI: router log syslog To enable output to a local file, use the following command at the global configuration level of the CLI: P e r f o r m a n c e b y D e s i g n 111 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example [ no] router log file { name string | per-protocol | rotate num | size Mbytes } To enable output to a remote log server, use the following command at the global configuration level of the CLI: logging host ipaddr [ ipaddr. . . ] [ port protocol-port] Up to 10 remote logging servers are supported. 2. Set severity level and facility: The default severity level for router logging is 7 (debugging). The default facility is local0. To change set the severity level for messages output to the terminal, use the following command at the global configuration level of the CLI: logging monitor severity-level The severity-level can be one of the following: 0 or emergency 1 or alert 2 or critical 3 or error 4 or warning 5 or notification 6 or information 7 or debugging To change the severity level for messages output to the local logging buffer, use the following command at the global configuration level of the CLI: logging buffered severity-level To change the severity level for messages output to external log servers, use the following command at the global configuration level of the CLI: logging syslog severity-level 112 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example To change the severity level for messages output to a file, use the following command at the global configuration level of the CLI: router log trap severity-level To change the facility, use the following command at the global configura- tion level of the CLI: logging facility facility-name Thefacility-name can be one of the following: local0 local1 local2 local3 local4 local5 local6 local7 3. Enable debug options to generate output: To enable debugging for OSPF, use the following commands at the global configuration level or Privileged EXEC level of the CLI: debug a10 [ ipv6] ospf debug [ ipv6] ospf type The ipv6 option enables debugging for OSPFv3. Without the ipv6 option, debugging is enabled for OSPFv2. The type specifies the types of OSPF information to log, and can be one or more of the following: all Enables debugging for all information types listed below. events Enables debugging for OSPF events. ifsm Enables debugging for the OSPF Interface State Machine (IFSM). lsa Enables debugging for OSPF Link State Advertisements (LSAs). nfsm Enables debugging for the OSPF Neighbor State Machine (NFSM). P e r f o r m a n c e b y D e s i g n 113 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example nsm Enables debugging for the Network Services Module (NSM). The NSM deals with use of ACLs, route maps, interfaces, and other net- work parameters. packet Enables debugging for OSPF packets. route Enables debugging for OSPF routes. For each level, both debug commands are required. CLI Example The following commands configure OSPFv2 logging to a local file. AX( conf i g) #router log file name ospf-log AX( conf i g) #router log file per-protocol AX( conf i g) #router log file size 100 AX( conf i g) #debug a10 ospf all AX( conf i g) #debug ospf packet These commands create a router log file named ospf-log. The per-proto- col option will log messages for each routing protocol separately. The log file will hold a maximum 100 MB of data, after which the messages will be saved in a backup and the log file will be cleared. The following command displays the contents of the local router log file: AX( conf i g) #show router log file ospfd 2010/ 04/ 21 09: 57: 20 OSPF: I FSM[ ve 3: 1. 1. 1. 2] : Hel l o t i mer expi r e 2010/ 04/ 21 09: 57: 20 OSPF: SEND[ Hel l o] : To 224. 0. 0. 5 vi a ve 3: 1. 1. 1. 2, l engt h 64 2010/ 04/ 21 09: 57: 20 OSPF: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2010/ 04/ 21 09: 57: 20 OSPF: Header 2010/ 04/ 21 09: 57: 20 OSPF: Ver si on 2 2010/ 04/ 21 09: 57: 20 OSPF: Type 1 ( Hel l o) 2010/ 04/ 21 09: 57: 20 OSPF: Packet Len 48 2010/ 04/ 21 09: 57: 20 OSPF: Rout er I D 2. 2. 2. 2 2010/ 04/ 21 09: 57: 20 OSPF: Ar ea I D 0. 0. 0. 0 2010/ 04/ 21 09: 57: 20 OSPF: Checksum0x0 2010/ 04/ 21 09: 57: 20 OSPF: I nst ance I D 0 2010/ 04/ 21 09: 57: 20 OSPF: AuType 2 2010/ 04/ 21 09: 57: 20 OSPF: Cr ypt ogr aphi c Aut hent i cat i on 2010/ 04/ 21 09: 57: 20 OSPF: Key I D 1 114 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example 2010/ 04/ 21 09: 57: 20 OSPF: Aut h Dat a Len 16 2010/ 04/ 21 09: 57: 20 OSPF: Sequence number 1271830931 2010/ 04/ 21 09: 57: 20 OSPF: Hel l o 2010/ 04/ 21 09: 57: 20 OSPF: Net wor kMask 255. 255. 255. 0 2010/ 04/ 21 09: 57: 20 OSPF: Hel l oI nt er val 10 2010/ 04/ 21 09: 57: 20 OSPF: Opt i ons 0x2 ( - | - | - | - | - | - | E| - ) 2010/ 04/ 21 09: 57: 20 OSPF: Rt r Pr i or i t y 1 2010/ 04/ 21 09: 57: 20 OSPF: Rt r DeadI nt er val 40 2010/ 04/ 21 09: 57: 20 OSPF: DRout er 1. 1. 1. 200 2010/ 04/ 21 09: 57: 20 OSPF: BDRout er 1. 1. 1. 2 2010/ 04/ 21 09: 57: 20 OSPF: # Nei ghbor s 1 2010/ 04/ 21 09: 57: 20 OSPF: Nei ghbor 31. 31. 31. 31 2010/ 04/ 21 09: 57: 20 OSPF: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2010/ 04/ 21 09: 57: 21 OSPF: I FSM[ et her net 2: 3. 3. 3. 1] : Hel l o t i mer expi r e 2010/ 04/ 21 09: 57: 21 OSPF: SEND[ Hel l o] : To 224. 0. 0. 5 vi a et her net 2: 3. 3. 3. 1, l engt h 48 2010/ 04/ 21 09: 57: 21 OSPF: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2010/ 04/ 21 09: 57: 21 OSPF: Header 2010/ 04/ 21 09: 57: 21 OSPF: Ver si on 2 2010/ 04/ 21 09: 57: 21 OSPF: Type 1 ( Hel l o) 2010/ 04/ 21 09: 57: 21 OSPF: Packet Len 48 2010/ 04/ 21 09: 57: 21 OSPF: Rout er I D 2. 2. 2. 2 2010/ 04/ 21 09: 57: 21 OSPF: Ar ea I D 0. 0. 0. 0 2010/ 04/ 21 09: 57: 21 OSPF: Checksum0x49eb 2010/ 04/ 21 09: 57: 21 OSPF: I nst ance I D 0 2010/ 04/ 21 09: 57: 21 OSPF: AuType 0 2010/ 04/ 21 09: 57: 21 OSPF: Hel l o 2010/ 04/ 21 09: 57: 21 OSPF: Net wor kMask 255. 255. 255. 0 2010/ 04/ 21 09: 57: 21 OSPF: Hel l oI nt er val 10 2010/ 04/ 21 09: 57: 21 OSPF: Opt i ons 0x2 ( - | - | - | - | - | - | E| - ) 2010/ 04/ 21 09: 57: 21 OSPF: Rt r Pr i or i t y 1 2010/ 04/ 21 09: 57: 21 OSPF: Rt r DeadI nt er val 40 2010/ 04/ 21 09: 57: 21 OSPF: DRout er 3. 3. 3. 2 2010/ 04/ 21 09: 57: 21 OSPF: BDRout er 3. 3. 3. 1 2010/ 04/ 21 09: 57: 21 OSPF: # Nei ghbor s 1 2010/ 04/ 21 09: 57: 21 OSPF: Nei ghbor 81. 81. 81. 81 . . . P e r f o r m a n c e b y D e s i g n 115 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HTTP Load Balancing This chapter describes HTTP load balancing and how to configure it. Note: Fast-HTTP is optimized for very high performance information transfer in comparison to regular HTTP. Due to this optimization, fast-HTTP does not support all the comprehensive capabilities of HTTP such as header insertion and manipulation. It is recom- mended not to use fast-HTTP for applications that require compete data transfer integrity. Overview HTTP load balancing manages HTTP traffic across a Web server farm. Figure32 shows an example of an HTTP load balancing deployment. Note: The network topologies in application examples such as this one are sim- plified to focus on the application. For example, the Internet router con- necting the clients to the AX device is not shown here. Likewise, a single AX is shown. Your configuration might use an AX pair for High Avail- ability (HA). 116 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 32 HTTP Load Balancing In this example, a server farm consisting of three servers provides content for Web site www.example.com. Clients access the site through its virtual IP address, 192.168.10.11. When the AX device receives a client request for the HTTP port (80) on 192.168.10.11, the AX device selects a real server and sends the client request to the server. For simplicity in this example, the real servers use the default protocol port number for HTTP (80). The port numbers on the real and virtual servers are not required to match. The client is unaware of the real IP address of the real server, nor is the cli- ent aware that the site actually consists of multiple servers. After selecting a real server, the AX device automatically performs the necessary Network Address Translation (NAT) to send the client request to the server, receive the reply from the server, and send the reply to the client. From the clients perspective, the Web session is between the client and port 80 on 192.168.10.11. P e r f o r m a n c e b y D e s i g n 117 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview SERVICE GROUPS A service group contains a set of real servers from which the AX device can select to service a client request. This example uses a single service group that contains all the real servers and the applicable service port (80). During configuration, you bind the ser- vice group to the virtual port(s) on the virtual server. The AX device selects a server based on the load balancing method used by the service group, and on additional criteria relevant to the load balancing method. In this example, the default load balancing method, round robin, is used. The round robin method selects servers in rotation. For example, the first client request is sent to server web-2, the next client request is sent to server web-3, and so on. VIRTUAL SERVER The virtual server in this example has IP address 192.168.10.11 and virtual service port 80. When you configure a virtual service port, you specify the protocol port number for the port. You also specify the service type. The AX device supports the following service types for HTTP ports: HTTP Complete TCP stack. Use this service type if you plan to cus- tomize any templates. For example, if you plan to use SSL (HTTPS load balancing or SSL offload), or customize the HTTP template to change information in the HTTP headers of server replies, use the HTTP service type. Also use this service type for stream-based applications such as RAM Caching and compression. Fast-HTTP Streamlined hybrid stack for high performance. If you do not plan to offload SSL or customize any templates, use Fast-HTTP. (For a complete list of the service types, see Virtual Service Port Parame- ters on page887.) TEMPLATES Templates are sets of configuration parameters that apply to specific service types or to servers and service ports. This example uses the default settings for each of the templates that are automatically applied to the HTTP service type and to the real and virtual servers and ports. The rest of the information in this section is for reference but is not required reading to continue with this example. 118 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview For some of types of templates, the AX configuration has a default tem- plate that is automatically applied to a service port unless you apply another template of the same type instead. (See Service Template Parameters on page829.) Service Templates For HTTP, the AX configuration applies default templates of each of the following template types to HTTP service ports: TCP-Proxy TCP-proxy templates control TCP stack settings, includ- ing the idle timeout for TCP connections. Unless you need to change the setting for a TCP/IP stack parameter, you can safely allow the AX device to apply the default TCP-proxy template to the service types that use it. HTTP HTTP templates provide many options, including options to change information in the HTTP header, enable compression, and select a service group based on the URL requested by the client. By default, all the options in this template are disabled or not set, so you can safely allow the AX device to apply the default for this template type too. Connection Reuse Allows TCP connections between the AX device and real servers to be reused for multiple clients instead of terminating a connection and starting a new one for each new client. Although the default connection reuse template is automatically applied, the default settings in the template disable connection reuse. Unless you want to use connection reuse, you can ignore this template. (Connection reuse requires additional configuration. See Connection Reuse on page617.) The following types of templates also can be used with HTTP service ports. However, these types of templates do not have default templates that are applied automatically. Cookie Persistence Inserts a cookie in the HTTP header of a server reply before sending the reply to the client. The cookie ensures that sub- sequent requests from the client for the same virtual server and virtual port are directed to the same service group, real server, or real service port. Source-IP Persistence Similar to cookie persistence, except the AX device does not insert cookies. Instead, clients are directed to the same resource in the server farm for every request, for the duration of a con- figurable timer on the AX device. The granularity of the persistence can be set to always use the same real server port, the same real server, or the same service group. P e r f o r m a n c e b y D e s i g n 119 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview (For an example that uses a source-IP persistence template, see Layer 4 TCP/UDP Load Balancing on page261.) Server and Port Templates The AX device uses templates for configuration of some commonly used server and port parameters. By default, the following templates are applied: Default server template Contains configuration parameters for real servers Default port template Contains configuration parameters for real ser- vice ports Default virtual-server template Contains configuration parameters for virtual servers Default virtual-port template Contains configuration parameters for virtual service ports Each of the default templates is named default. For more information about server and port templates, see the following: Server and Port Templates on page361 in this guide Config Commands: SLB Templates chapter in the AX Series CLI Ref- erence Config >Service >SLB >Template section in the Config Mode chapter of the AX Series GUI Reference HEALTH MONITORS This example uses the following types of health monitors to check the real servers: Ping A Layer 3 health method that sends an ICMP echo request to the real servers IP address. The server passes the health check if the AX device receives a ping reply. TCP By default, every 30 seconds the AX device sends a connection request (TCP SYN) to each load balanced TCP port on each server, in this case ports 80 and 443. A TCP port passes the health check if the server replies to the AX device by sending a TCP SYN ACK. By default, the AX device completes the TCP handshake. In addition to these default health checks, you can configure health monitors for specific service types. This example uses an HTTP health monitor, with the following default settings. 120 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing Every 30 seconds, the AX device sends an HTTP GET request for the default index page. The HTTP service port passes the health check if the requested page is present on the server and the server replies with an OK message (200). (For more information about health monitors and their configurable options, see Health Monitoring on page381.) Configuring HTTP Load Balancing To configure the HTTP load balancing solution described in Overview on page115, perform the following tasks on the AX device: 1. Configure an HTTP health monitor. 2. Configure the real servers. On each real server: Add the HTTP service port. Enable the HTTP health monitor. 3. Configure the service group. Add the real servers and service ports to the group. 4. Configure the virtual server: Add the HTTP service port, with service type Fast-HTTP. Bind the service group to the virtual port. USING THE GUI To configure an HTTP health method 1. Select Config >Service >Health Monitor. 2. Select Health Monitor on the menu bar. 3. Click Add. 4. In the Health Monitor section, enter a name for the monitor. 5. In the Method section, select HTTP from the Type drop-down list. The other configuration fields change to those that apply to HTTP health monitors. P e r f o r m a n c e b y D e s i g n 121 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing 6. Optionally, select or enter additional options for the health monitor. (See Health Monitoring on page381.) In this example, you can use all the default settings 7. Click OK. The new monitor appears in the health monitor table. FIGURE 33 Config >Service >Health Monitor >Health Monitor To configure the real servers Perform the following procedure separately for each real server. 1. Select Config >Service >SLB. 2. Select Server on the menu bar. 3. Click Add. 4. In the General section, enter a name for the server in the Name field. 5. In the IP Address field, enter the IP address of the server. Note: Enter the servers real address, not the virtual server IP address. 122 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing 6. In the Health Monitor drop-down list, select ping or leave the monitor unset. Note: If you leave the monitor unset, the Layer 3 health monitor that comes in the AX configuration by default is used. (See Default Health Checks on page381.) 7. In the Port section, enter the number of the service port on the real server in the Port field. In this example, enter 80. 8. In the Health Monitor drop-down list, select the HTTP health monitor configured in To configure an HTTP health method on page120. 9. Click Add. The port appears in the port list. 10. Click OK. The real server appears in the server table. FIGURE 34 Config >Service >SLB >Server P e r f o r m a n c e b y D e s i g n 123 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing FIGURE 35 Config >Service >SLB >Server (real servers added) Note: The AX device begins sending health checks to a real servers IP address and service ports as soon as you finish configuring the server. The overall health status for the server is shown in the Health column. If the status is Down ( ) instead of Up ( ), verify that health monitors are config- ured for all the service ports. The default Layer 3 health method is auto- matically used for the Layer 3 health check, unless you selected another health method instead. To configure the service group 1. Select Config >Service >SLB, if not still selected. 2. Select Service Group on the menu bar. 3. Click Add. 4. In the Service Group section, select the load-balancing method from the Algorithm drop-down list. For this example, you can leave the default selected: Round Robin 5. In the Server section, select a real server from the Server drop-down list. 6. In the port field, enter the service port number. 7. Click Add. 8. Repeat step5 through step7 for each real server. 9. Click OK. The new group appears in the service group table. 124 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing FIGURE 36 Config >Service >SLB >Service Group P e r f o r m a n c e b y D e s i g n 125 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing To configure the virtual server 1. Select Config >Service >SLB, if not still selected. 2. Select Virtual Server on the menu bar. 3. Click Add. The General section appears. 4. In the General section, enter a name for the virtual server in the Name field. 5. In the IP Address field, enter the IP address that clients will request. 6. In the Port section, click Add. The Virtual Server Port section appears. 7. In the Type drop-down list, select the service type. In this example, select Fast-HTTP. 8. In the Port field, enter the service port number. In this example, enter 80. 9. In the Service Group drop-down list, select the service group. 10. Click OK. The port appears in the Port list of the Port section. 11. Click OK. The virtual server appears in the virtual server table. 126 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing FIGURE 37 Config >Service >SLB >Virtual Server FIGURE 38 Config >Service >SLB >Virtual Server - Virtual Server Port section P e r f o r m a n c e b y D e s i g n 127 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing USING THE CLI Note: The command syntax shown in this section is simplified for the configu- ration example in this chapter. For complete syntax information about any command, see the AX Series CLI Reference. 1. To configure HTTP and HTTPS health methods, use the following com- mands: health monitor monitor-name Enter this command at the global configuration level of the CLI, for each monitor to be configured. The command changes the CLI to the configuration level for the monitor. At the monitor configuration level, enter the following command: method http Entering this command, without entering additional commands at this level, configures the monitor to use all the default settings for the HTTP method. To customize settings for a health monitor, use additional commands at the configuration level for the monitor. 2. To configure the real servers, use the following commands: slb server server-name ipaddr This command changes the CLI to the configuration level for the real server, where you can use the following command to add the HTTP port to the server: port port-num tcp The port-num specifies the protocol port number. In this example, spec- ify 80. This command adds the port and changes the CLI to the configuration level for the port, where you can use the following command to enable the HTTP health check: health-check monitor-name For monitor-name, specify the name of the HTTP health monitor config- ured in step1. 3. To configure the service group, use the following commands: slb service-group group-name tcp This command changes the CLI to the configuration level for the service group, where you can use the following command to add the real servers and service ports to the group: 128 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing member server-name:portnum The portnum is the protocol port number of the service to be load bal- anced. In this example, specify 80. Repeat the command for each real server. 4. To configure the virtual server and virtual port, use the following com- mands: slb virtual-server name ipaddr This command changes the CLI to the configuration level for the virtual server, where you can use the following command to add the virtual port to the server: port port-number fast-http or port port-num http For this example, use the first command (the one with fast-http as the service type) and specify 80 as the port-num. The port command changes the CLI to the configuration level for the virtual port, where you can use the following command to bind the vir- tual port to the service group: service-group group-name The group-name is the name of the service group configured in step3. CLI EXAMPLE The following commands configure the HTTP health monitor: AX( conf i g) #health monitor http-monitor AX( conf i g- heal t h: moni t or ) #method http AX( conf i g- heal t h: moni t or ) #exit The following commands configure the real servers: AX( conf i g) #slb server web-2 10.10.10.2 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #health-check http-hmon AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server web-3 10.10.10.3 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #health-check http-hmon AX( conf i g- r eal ser ver - node por t ) #exit P e r f o r m a n c e b y D e s i g n 129 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server web-4 10.10.10.4 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #health-check http-hmon AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure the service group: AX( conf i g) #slb service-group sg-web tcp AX( conf i g- sl b ser vi ce gr oup) #member web-2:80 AX( conf i g- sl b ser vi ce gr oup) #member web-3:80 AX( conf i g- sl b ser vi ce gr oup) #member web-4:80 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure the virtual server: AX( conf i g) #slb virtual-server web-vip 192.168.10.11 AX( conf i g- sl b vi r t ual ser ver ) #port 80 fast-http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sg-web AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit 130 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTP Load Balancing P e r f o r m a n c e b y D e s i g n 131 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HTTP Options for SLB This chapter describes the HTTP options you can configure in HTTP tem- plates, and provides examples of their use. Overview HTTP templates provide many SLB options. Some options control selection of real servers or service groups, while other options modify HTTP header information or enhance website performance. HTTP templates can be used with the following service (virtual port) types: HTTP HTTPS Fast-HTTP Note: Fast-HTTP is optimized for very high performance information transfer in comparison to regular HTTP. Due to this optimization, fast-HTTP does not support all the comprehensive capabilities of HTTP such as header insertion and manipulation. It is recom- mended not to use fast-HTTP for applications that require compete data transfer integrity. Summary of HTTP Options This section briefly describes each of the options you can configure in HTTP templates. Options for Server and Service Group Selection You can use the following HTTP options to select real servers or service groups. The server selection options override selection by the load-balanc- ing method. By default, the AX device uses the load-balancing method set for the service group to select a real server. URL hash switching Selects a real server based on a hash value calcu- lated from part of the URL string. (See URL Hash Switching on page134.) 132 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview URL / host switching Selects a service group based on the URL path or domain in the clients GET request. (See URL / Host Switching on page139.) Failover URL If the URL in GET request cannot be reached due to server unavailability, the AX device sends a 302 Redirect to the client. (See URL Failover on page147.) 5xx retry and reassignment Retries a server that replies to a request with a 5xx status code instead of sending the status code to the client, and reassigns the request to another server if the first server continues to reply with a 5xx status code. (See 5xx Retry and Reassignment on page149.) Strict transaction switching Performs server selection for each request within a client-server session, rather than performing server-selection once per session. This option provides a simple method to force rebal- ancing of server selection. (See Strict Transaction Switching on page167.) Performance Enhancing Option Content Compression You can configure the AX device to offload content compression from real servers. Enabling content compression on the AX device can help increase overall website performance by freeing real server resources from CPU-intensive compression tasks. (See Content Compression on page150.) Options that Modify HTTP Requests Client IP insertion Inserts the clients IP address into GET requests before sending the requests to a real server. The address is added as a value to the X-ClientIP field by default. Optionally, you can add the cli- ent address to a different field instead; for example: X-Forwarded-For. (See Client IP Insertion / Replacement on page157.) Header insertion / erasure Inserts a field:value pair into requests or responses, or deletes a header. (See Header Insertion / Erasure on page160.) Options that Modify Server Replies Redirect rewrite Modifies 302 Redirect messages from real servers before sending the redirect messages to clients. This option can convert HTTP URLs into HTTPS URLs, and can modify the domain or URL path in the redirect message. (See URL Redirect Rewrite on page165.) P e r f o r m a n c e b y D e s i g n 133 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HTTP Template Configuration To use the options in an HTTP template, you must configure the template, then bind the template to virtual service ports. You can bind an HTTP tem- plate to the following types of virtual service ports: HTTP Fast-HTTP HTTPS To configure an HTTP template and bind it to a virtual service port, use either of the following methods: USING THE GUI To configure an HTTP template: 1. Select Config >Service >Template. 2. Select Application >HTTP on the menu bar. 3. Click Add. The HTTP section appears. 4. Enter a name for the template. 5. Select or enter values for the template options you want to use. The remaining sections in this chapter describe the fields for configuring each option. Note: Some settings are on the other HTTP template sections (App switching, Redirect Rewrite, and Compression). 6. When finished, click OK. The template appears in the HTTP template list. To bind a template to a virtual service port: 1. Select Config >Service >SLB. 2. Select Virtual Server on the menu bar. 3. To edit an existing virtual server, select it. To configure a new one, Click Add. The General section appears. 4. Click Port. The Port section appears. 5. Select the port or Click Add. The Virtual Server Port section appears. 134 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL Hash Switching 6. Make sure the port type is HTTP, Fast-HTTP, or HTTPS. 7. In the HTTP Template drop-down list, select the HTTP template. 8. Configure other options if needed. (For example, if you are configuring a new port, make sure to select the service group.) 9. Click OK. The port appears in the Port list of the Port section. 10. Click OK. The virtual server list reappears. USING THE CLI To configure an HTTP template, enter the following command at the global configuration level of the CLI: slb template http template-name This command changes the CLI to the configuration level for the template. The remaining sections in this chapter describe the commands for configur- ing each option. To bind a template to a virtual service port, enter the following command at the configuration level for the port: template http template-name URL Hash Switching URL hash switching provides a simple method for optimizing a server farm in which the same content is served by multiple servers. This feature enhances website performance by taking advantage of content caching on the real servers. When enabled, URL hashing selects a real server for the first request for given content, and assigns a hash value to the server for the content. The AX device then sends all subsequent requests for the content to the same real server. Figure39 shows an example of URL hashing. P e r f o r m a n c e b y D e s i g n 135 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL Hash Switching FIGURE 39 URL Hashing In this example, a service group contains three real servers. Each of the real servers contains the same set of .html(l), .pdf, and .jpg files. The AX device is configured to calculate a hash value based on the last 3 bytes of the URL string in the client request, and assign the hash value to a server. After assigning a hash value to a server, the AX device sends all requests that match the hash value to the same real server. In this example, all requests that end with pdf are sent to the same server. If the real server becomes unavailable, the AX device selects another server, assigns a hash value to it, and uses that server for all subsequent requests for URL strings that have the same hash value. 136 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL Hash Switching Hash Options You can specify the following hash options: Bytes Specifies how many bytes of the URL string to use to calculate the hash value. First or last Specifies which end of the URL string to use to calculate the hash value. The example in Figure39 calculates hash values based on the last 3 bytes of the URL strings. URL Hash Switching with Server Load Awareness AX Release 2.4.3 has a new URL hash switching option that provides server load awareness. This feature allows servers to act as backups to other servers, based on server load. Normally, URL hashing selects a server for the first request for a given URL, then uses the same server for all subsequent requests for the same URL. In cases where a given URL becomes wildly popular (for example, a viral video), the server for that URL can become overwhelmed. The server load awareness option provides a way to avoid server outage in this type of situation. After some configuration on the server and on the AX device, the AX device can learn a servers load status from the server. Server Configuration This feature requires some custom configuration on the server. The server must be configured to insert an HTTP header named Server-Status in the servers responses. The header must have one of the following values: 0, 1, or 2. Ser ver - St at us: l oad=N The value N can be 0, 1, or 2. The AX device manages requests to the server based on the Server-Status code. Table4 describes the valid load status codes that can be reported by a server. P e r f o r m a n c e b y D e s i g n 137 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL Hash Switching The system conditions that result in reporting 0, 1, or 2 depend on how you program calculation of the code. For example, you can program the server to set the Server-Status code based on CPU utilization, memory utilization, I/O utilization, and so on. For a CPU-intensive application, you could calculate the Server-Status code based on CPU utilization. For an I/O-intensive application, you could calcu- late the Server-Status code based on I/O utilization. Server Load Awareness Load-Balancing Example Here is an example of how server load awareness works. In this example, URL hash switching is used to balance traffic load across three servers: S1, S2, and S3. Assume that the first request for URI /article-new1 is hashed to S1. Subse- quent requests are load balanced as listed in Table4. TABLE 4 Server-Status Load Values Load Status Reported by Server Description AX Action 0 Server is able to handle all of its own requests. Server also can handle requests for other servers if necessary. AX device continues using the server for the URLs hashed to the server. If necessary, AX device also uses the server to help with URLs hashed to servers that have load status 2. 1 Server is able to handle its own requests. However, server can not handle requests for other servers. AX device continues using the server for the URLs hashed to the server. AX device does not use the server to help handle requests for other servers. 2 Server is overloaded and needs help handling its own requests. Requests are distributed among this server and at least one other server (with load status 0), in round robin fashion. AX device uses servers that have load status0 to help handle the overloaded servers requests. Note: If no other servers are able to help, all servers in the service group are pulled in to help. Requests will be sent round-robin among the busy servers. For example, if there are 3 servers, and s1 returns status 2, s2 returns 1, and s3 returns 0, then the traffic is sent round-robin between s1 and s3. How- ever, if s3 returns 1 or 2, then the traffic is sent round-robin among all 3 servers. 138 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL Hash Switching AX Configuration On the AX device, URL hash switching with server load awareness does not require configuration of dedicated backup servers in the service group. Instead, any primary server can also act as a backup for other servers, based on server load. Server load awareness is disabled by default but can easily be enabled in new or existing URL hash switching configurations. Configure an HTTP template with URL hash switching. Include theuse-server-status (CLI) or Use Server Status (GUI) option. Configuring URL Hashing The following sections show how to configure URL hashing. USING THE GUI 1. Access the configuration sections for the template. (See HTTP Tem- plate Configuration on page133.) 2. Click App Switching. 3. Select the URL Hash checkbox. This activates the configuration fields. 4. To set the hashing granularity: a. Select the position in the URL upon which to calculate the hash value. b. Enter the number of bytes to use for calculating the hash value. TABLE 5 Server-Status Load-Balancing Example Server Load Status Reported by Server AX Action S1 0 New requests for /article-new1 are sent only to server S1. S2 0 S3 0 S1 2 New requests for /article-new1 are distributed between S1 and S2, using round robin. S2 0 S3 0 S1 2 New requests for /article-new1 are distributed between S1 and S3, using round robin. S2 1 or 2 S3 0 P e r f o r m a n c e b y D e s i g n 139 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL / Host Switching 5. If you plan to use the server load awareness option, select the Use Server Status checkbox. 6. Click OK. USING THE CLI Enter the following command at the configuration level for the HTTP tem- plate: url-hash-persist {first | last} bytes [ use-server-status] CLI Examples The following commands implement the URL hashing configuration shown in Figure39 on page135. AX( conf i g) #slb template http hash AX( conf i g- HTTP t empl at e) #url-hash-persist last 3 AX( conf i g- HTTP t empl at e) #url-switching ends-with .htm AX( conf i g- HTTP t empl at e) #exit AX( conf i g) #slb virtual-server vs1 1.1.1.1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sg1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template http hash The following commands configure an HTTP template for URL hash switching with server load awareness: AX( conf i g) #slb template http url-hash AX( conf i g- HTTP t empl at e) #url-hash-persist last 12 use-server-status URL / Host Switching The AX device supports multiple service groups. URL / host switching enables an AX device to select a service group based on the URL or domain name in a clients GET request. The selection overrides the service group configured on the virtual port. You can configure an HTTP template with one of the following service- group switching options: URL switching Selects a service group based on the URL path in the GET line of the HTTP requests header 140 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL / Host Switching Host switching Selects a service group based on the domain name in the Host field of the HTTP requests header Note: If you plan to use URL / host switching along with cookie persistence, you must enable the match-type service-group option in the cookie persis- tence template. (See Using URL / Host Switching along with Cookie Persistence on page143.) Figure40 shows an example of URL switching. FIGURE 40 URL Switching In this example, the AX device is configured to use separate service groups for URLs in the www.example.com domain. The real servers in service group sg-abc provide content for www.example.com/abc. The real servers in service group sg-123 provide content for www.example.com/123. URL switching rules configured on the AX device select a service group based on the beginning of the URL on the GET line of client requests. P e r f o r m a n c e b y D e s i g n 141 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL / Host Switching Requests for URLs that begin with /abc are sent to service group sg-abc. Likewise, requests for URLs that begin with /123 are sent to service group sg-123. Note: An HTTP template can be configured with only one type of service-group switching, URL switching or host switching. However, if you need to use both types of switching, you can do so with an aFleX script. Match Options URL / host switching selects a service group based on rules that map part of the URL string or host (domain name) to the service group. You can use the following match options in URL / host switching rules: Starts-with string matches only if the URL or host name starts with the specified string. Contains string matches if the specified string appears anywhere within the URL or host name. Ends-with string matches only if the URL or host name ends with the specified string. These match options are always applied in the following order, regardless of the order in which the rules appear in the configuration. The service group for the first match is used. Starts-with Contains Ends-with If a template has more than one rule with the same option (starts-with, con- tains, or ends-with) and a URL or host name matches on more than one of them, the most-specific match is always used. For example, if a template has the following rules, requests for host www.ddeeff.org will always be directed to service group http-sgf: host-switching contains d service-group http-sgd host-switching contains dd service-group http-sge host-switching contains dde service-group http-sgf If you use the starts-with option with URL switching, use a slash in front of the URL string. For example: url-switching starts-with /urlexample service-group http-sg1 142 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL / Host Switching Configuring URL / Host Switching The following sections show how to configure URL / host switching. USING THE GUI 1. Access the configuration sections for the template. (See HTTP Tem- plate Configuration on page133.) 2. Click App Switching. 3. Select the type of switching, URL or Host. This activates configuration fields for the type of switching you select. 4. For URL switching: a. In the URL field, enter the URL. b. In the Service Group drop-down list, select the service group to which to send client requests. c. In the Match Type drop-down list, select the match option to use. Note: The Match match option is a deprecated version of the Contains option. Use Contains instead of Match. 5. For host switching: a. In the Host field, enter the domain name. b. In the Service Group drop-down list, select the service group to which to send client requests. c. In the Match Type drop-down list, select the match option to use. Note: The Match match option is a deprecated version of the Contains option. Use Contains instead of Match. 6. Click Add. 7. Click OK. The HTTP template list reappears. USING THE CLI Enter one of the following commands at the configuration level for the HTTP template: url-switching {starts-with | contains | ends-with} url-string service-group service-group-name P e r f o r m a n c e b y D e s i g n 143 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL / Host Switching host-switching {starts-with | contains | ends-with} host-string service-group service-group-name CLI Example The following commands implement the URL switching configuration shown in Figure40 on page140. The following commands configure the HTTP template: AX( conf i g) #slb template http urlswitch AX( conf i g- HTTP t empl at e) #url-switching starts-with abc service-group sg-abc AX( conf i g- HTTP t empl at e) #url-switching starts-with 123 service-group sg-123 AX( conf i g- HTTP t empl at e) #exit The following commands bind the HTTP template and service group sg-abc to virtual port 80: AX( conf i g) #slb virtual-server vs1 1.1.1.1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template http urlswitch AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sg-abc The following commands bind the HTTP template and service group sg-123 to virtual port 80: AX( conf i g) #slb virtual-server vs1 1.1.1.1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template http urlswitch AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sg-123 Using URL / Host Switching along with Cookie Persistence The AX device supports use of URL / host switching and cookie persistence in the same SLB configuration. However, to enable this support, you must enable the match-type service-group option in the cookie persistence tem- plate. By default, the service-group option is disabled in cookie persistence tem- plates. In this case, URL switching or host switching is used only for the initial request from a client. After the initial request, the same service group is always used for subsequent requests from the same client. 144 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL / Host Switching To continue using URL switching or host switching to select a service group for each request, enable the service-group option in the cookie persistence template. In this case, for each request from the client, the AX device first selects a service group, then uses information in the cookie to select the real server and port within the service group. Figure41 shows an example. FIGURE 41 URL Switching with Cookie Persistence In this example, URL switching and cookie persistence are both configured, and the service-group option is enabled in the cookie persistence template. For each client request, URL switching selects a service group first. Then, after a service group is selected, a real server and port are selected within the service group. P e r f o r m a n c e b y D e s i g n 145 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL / Host Switching If the clients request does not have a persistence cookie that includes the selected service group, the AX device uses SLB to select a server, then inserts a persistence cookie into the reply from the server. The cookie includes the service group name. If the clients request already has a persistence cookie containing the name of the selected service group, the AX device uses the information in the cookie to select the same server within the service group. For example, the first time service group sgabc is selected by URL switch- ing, the AX device inserts a cookie into the server's reply, to ensure that the same server is used the next time URL switching selects sgabc. The first time service group sg123 is selected by URL switching, the AX device inserts a second cookie into the servers reply, to ensure that the same server is used the next time URL switching selects sg123. Even though URL switching does not always select the same service group, the same server within the selected service group is always selected. Cookie Persistence Match-Type Options When cookie persistence is configured, the AX device adds a persistence cookie to the server reply before sending the reply to the client. The clients browser re-inserts the cookie into each request. The format of the cookie depends on the match-type setting: match-type (port) This is the default setting. Subsequent requests from the client will be sent to the same real port on the same real server. URL switching or host switching is used only for the first request. The cookie that the AX device inserts into the server reply has the fol- lowing format: Set-Cookie: cookiename-vport=rserverIP_rport The vport is the virtual port number. The rserverIP is the real server IP address and the rport is the real server port number. Note: The port option is shown in parentheses because the CLI does not have a port keyword. If you do not set the match type to server (see below), the match type is automatically port. match-type server Subsequent requests from the client for the same VIP will be sent to the same real server, provided that all virtual ports of the VIP use the same cookie persistence template with match-type set to server. URL switching or host switching is used only for the first request. The cookie that the AX device inserts into the server reply has the fol- lowing format: Set-Cookie: cookiename=rserverIP 146 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL / Host Switching match-type (port) service-group Subsequent requests from the client will be sent to the same real port on the same real server, within the ser- vice group selected by URL switching or host switching. URL switch- ing or host switching is still used for every request. The cookie that the AX device inserts into the server reply has the fol- lowing format: Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport match-type server service-group Subsequent requests from the cli- ent for the same VIP will be sent to the same real server, within the ser- vice group selected by URL switching or host switching. URL switching or host switching is still used for every request. The cookie that the AX device inserts into the server reply has the fol- lowing format: Set-Cookie: cookiename-servicegroupname=rserverIP Note: For security, address information in the persistence cookies is encrypted. USING THE CLI To enable the service-group option, use the following command at the con- figuration level for the cookie persistence template: [ no] match-type {server [ service-group] | service-group} The default granularity is port-level granularity as described above. (There is no port keyword.) To use the service-group option with port-level granularity, enter the fol- lowing command: match-type service-group To use the service-group option with server-level granularity, enter the fol- lowing command: match-type server service-group CLI Example The following commands configure a cookie persistence template named persist-cookie-sg and enable port-level persistence with support for URL switching or host switching: AX( conf i g) #slb template persist cookie persist-cookie-sg AX( conf i g- cooki e per si st ence t empl at e) #name SGCookie AX( conf i g- cooki e per si st ence t empl at e) #match-type service-group P e r f o r m a n c e b y D e s i g n 147 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL Failover Using URL / Host Switching along with Source IP Persistence By default, if URL / host switching is configured along with source IP per- sistence, the URL / host switching settings are not used. Instead, the default service group is always selected. To enable URL / host switching to be used along with source IP persistence, you must use the match-type service- group option in the source IP persistence template. For more information, see the description of the slb template persist source-ip command in the Config Commands: SLB Templates chapter of the AX Series CLI Reference. URL Failover The AX device can send an HTTP 302 Redirect message to a client when the real servers for the URL requested by the client are unavailable. Figure42 shows an example. FIGURE 42 URL Failover 148 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL Failover In this example, a client sends a request for www.example.com (virtual IP address 192.168.10.10). However, this VIP is unavailable because all the real servers are failing their health checks. The AX device is configured to send an HTTP 302 Redirect message if the VIP is down, redirecting clients to www.example2.com. By default, URL failover is not configured. To configure it, you specify the URL to which to redirect clients. Like the other HTTP options, you can apply this option to a virtual port by configuring the option in an HTTP tem- plate, and binding the template to the virtual port. Note: The URL failover option does not affect redirect messages sent by real servers. To alter redirect messages from real servers, use the URL redi- rect-rewrite option instead. (See URL Redirect Rewrite on page165.) Configuring URL Failover The following sections show how to configure URL failover. USING THE GUI 1. Access the configuration sections for the template. (See HTTP Tem- plate Configuration on page133.) 2. In the URL Failover field of the HTTP section, enter the URL to which to redirect clients. 3. Click OK. The HTTP template list reappears. USING THE CLI Enter the following command at the configuration level for the HTTP tem- plate: failover-url url-string CLI Example The following commands implement the URL failover configuration shown in Figure42 on page147. The following commands configure the HTTP template: AX( conf i g) #slb template http urlfailover AX( conf i g- HTTP t empl at e) #failover-url www.example2.com AX( conf i g- HTTP t empl at e) #exit P e r f o r m a n c e b y D e s i g n 149 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide 5xx Retry and Reassignment The following commands bind the HTTP template to virtual port 80: AX( conf i g) #slb virtual-server vs1 1.1.1.1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template http urlfailover 5xx Retry and Reassignment By default, if a real server replies to a request with a 5xx status code (for example, HTTP 503 Service Unavailable), the AX device forwards the error to the client. HTTP templates have an option to override this behavior. You can configure the AX device to retry sending a clients request to a service port that replies with an HTTP 5xx status code, and reassign the request to another server if the first server replies with a 5xx status code. The AX device is allowed to reassign the request up to the configured number of retries. For example, assume that a service group has three members (s1, s2, and s3), and the retry is set to 1. In this case, if s1 replies with a 5xx status code, the AX device reassigns the request to s2. If s2 also responds with a 5xx sta- tus code, the AX device will not reassign the request to s3, because the max- imum number of retries has already been used. Depending on the 5xx retry option you configure, either the service port and server remain eligible for more client requests, or the AX device stops send- ing client requests to the service port and server for 30 seconds. Note: Server re-selection is not performed if Layer 3 features such as PBSLB or source-IP persistence are configured on the virtual port. These features override the server re-selection. Note: Use of this HTTP template option also requires the strict-transaction- switch option to be used in the same HTTP template. (See Strict Transac- tion Switching on page167.) Note: This option is supported only for virtual port types HTTP and HTTPS. It is not supported for fast-HTTP or any other virtual port type. USING THE CLI To configure server re-selection if a real server repeatedly replies with 5xx status codes, use one of the following commands at the configuration level for the HTTP template. [ no] retry-on-5xx-per-req num [ no] retry-on-5xx num 150 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Content Compression The first command continues to use the service port and server for client requests, even after a reassignment has occurred. The second command stops using the service port and server for 30 seconds after a reassignment occurs. The num option specifies the number of times the AX device will resend the request to the server before assigning the request to another server. You can specify 1-3 retries. The default is 3. An HTTP template can contain only one of the commands shown above. By default, logging of HTTP retries is disabled by default. To enable log- ging of HTTP retries, use the following command at the configuration level for the HTTP template: [ no] log-retry CLI Example The following commands configure an HTTP template to reselect a server if the initially selected server responds 4 times to a clients request with a 5xx status code. The AX device stops using the service port and server for 30 seconds following reassignment. AX( conf i g) #slb template http 5xxretry AX( conf i g- HTTP) #strict-transaction-switch AX( conf i g- HTTP) #retry-on-5xx Content Compression Most types of real servers are able to compress media (content) before send- ing it to clients. Compression reduces the amount of bandwidth required to send content to clients. Although compression optimizes bandwidth, compression also can some- times actually hinder overall website performance, if the real servers spend a lot of their CPU resources performing the compression. To maximize the benefits of content compression, you can enable the AX device to perform compression for the real servers. Compression is disabled by default. When you enable it, the AX device compresses media of types text and application by default. You can configure the AX device to compress additional media types You also can configure the AX device to exclude specific media types and even specific URIs from compression. P e r f o r m a n c e b y D e s i g n 151 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Content Compression Note: Compression is supported only for HTTP and HTTPS virtual ports. Com- pression is not supported of fast-HTTP virtual ports. Accept-Encoding Field An HTTP request from clients usually contains an Accept-Encoding field in the header. This field indicates to the real server whether the client is willing to accept compressed content. If compression is enabled on the real server, the real server will compress content before sending it to a client, if the clients request contains the Accept-Encoding field with the compress value for the requested content type. By default, when you enable compression on the AX device, the device removes the entire Accept-Encoding field from the request before sending the request to the server. As a result, the server does not compress the con- tent before sending it in the reply. The AX device compresses the content, then sends the reply with the compressed content to the client. If you still want the server to compress some content, you can configure the AX device to leave the Accept-Request field unchanged. In this case, com- pression is performed by the real server instead of the AX device, if the server is configured to perform the compression. The AX device can still compress content that the real server does not compress. Compression Level The AX device supports compression level 1-9. Each level provides a higher compression ratio, beginning with level 1, which provides the lowest compression ratio. A higher compression ratio results in a smaller file size after compression. However, higher compression levels also require more CPU processing than lower compression levels, so performance can be affected. The default compression level is 1, which provides the fastest compression speed but with the lowest compression ratio. Note: The actual performance impact of a given compression level depends on the content being compressed. For example, if the content has a lot of repeated string patterns (for example, XML files), compression is faster than it is for content with few repeated string patterns (for example, graphics). 152 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Content Compression Hardware-Based Compression Hardware-based compression is available using an optional hardware mod- ule in the following AX models: AX 2100, AX 2200, AX 3100, AX 3200, and AX 5200. Note: Installation of the compression module into AX devices in the field is not supported. Contact A10 Networks for information on obtaining an AX device that includes the module. Hardware-based compression is disabled by default. When you enable it, all compression settings configured in HTTP templates, except the compres- sion level, are used. Note: Hardware-based compression is automatically set on the module and can not be set using a template. The module always uses the same compres- sion level, regardless of the compression level configured in an HTTP template. P e r f o r m a n c e b y D e s i g n 153 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Content Compression How the AX Device Determines Whether to Compress a File The AX device uses the following process to determine whether to com- press a file before sending it to a client. FIGURE 43 Content Compression Note: If the AX device is configured to leave the Accept-Encoding field unchanged, and the real server has already compressed the file, the AX device forwards the compressed file without recompressing it. 154 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Content Compression Configuring Content Compression The following sections show how to configure content compression. USING THE GUI 1. Access the configuration sections for the HTTP template. (See HTTP Template Configuration on page133.) 2. Click Enabled next to Compression Flag. 3. To keep the Accept-Encoding field in client requests, select Enabled next to Compression Keep Accept Encoding. Otherwise, to remove the field, leave this option disabled. 4. To specify the minimum content length that is eligible for compression, enter the minimum number of bytes the content must be in the Compres- sion Content Length field. 5. To add more content types to be compressed: a. Click Compression Type. b. In the Type field, enter the string for a content type to compress. c. Click Add. d. Repeat stepb and stepc for each type of content to compress. 6. Click OK. 7. If your AX device supports hardware-based compression, enable the feature: a. Select Config >Service >SLB. b. On the menu bar, select Global. c. Select Enabled next to Hardware Compression. d. Click OK. Note: If the Hardware Compression option is not present, your AX device does not contain a compression module. P e r f o r m a n c e b y D e s i g n 155 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Content Compression USING THE CLI To configure HTTP compression, use the following commands: [ no] slb template http template-name Enter this command at the global configuration level of the CLI. The com- mand changes the CLI to the configuration level for the template. [ no] compression enable This command enables HTTP compression. [ no] compression level number This command changes the compression level (for software-based compres- sion only). The number option specifies the compression level and can be 1-9. The default is 1. [ no] compression minimum-content-length number This command changes the minimum payload size that is eligible for com- pression. You can specify 0-2147483647 bytes. The default is 120 bytes. [ no] compression content-type content-string [ no] compression exclude-content-type content-string These commands explicitly include or exclude specific media types for compression. By default, media types text and application are included and all other media types are excluded. The order in which content-type and exclude-content-type filters appear in the configuration does not matter. [ no] compression exclude-uri uri-string This command excludes an individual URI from being compressed. The URI string can be 1-31 characters. An HTTP template can exclude up to 10 URI strings. [ no] compression keep-accept-encoding This command configures the AX device to leave the Accept-Encoding field in HTTP requests from clients instead of removing the field. When keep-accept-encoding is enabled, compression is performed by the real server instead of the AX device, if the server is configured to perform the compression. The AX device compresses the content that the real server does not compress. This option is disabled by default, which means the AX device performs all the compression. 156 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Content Compression To display compression statistics, use the following command: show slb http-proxy [ detail] To enable hardware-based compression (if supported on your AX device), use the following command at the global configuration level of the CLI: [ no] slb hw-compression To display statistics for the feature, use the following command: show slb hw-compression Note: If the slb hw-compression and show slb hw-compression commands are not in the CLI, your AX device does not contain a compression module. CLI Example The following commands configure an HTTP template called "http-com- press" that uses compression level 5 to compress files with media type "application" or "image". Files with media type "application/zip" are explic- itly excluded from compression. AX( conf i g) #slb template http http-compress AX( conf i g- HTTP t empl at e) #compression enable AX( conf i g- HTTP t empl at e) #compression level 5 AX( conf i g- HTTP t empl at e) #compression content-type image AX( conf i g- HTTP t empl at e) #compression exclude-content-type application/zip The following command displays HTTP compression statistics. The coun- ters are in bytes and apply to all HTTP compression configured in all HTTP templates on the AX device. The compression counters are shown in bold type. AX( conf i g- HTTP t empl at e) #show slb http-proxy Tot al - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cur r Pr oxy Conns 58 Tot al Pr oxy Conns 49 HTTP r equest s 306 HTTP r equest s( succ) 269 No pr oxy er r or 0 Cl i ent RST 17 Ser ver RST 0 No t upl e er r or 0 Par se r eq f ai l 0 P e r f o r m a n c e b y D e s i g n 157 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Client IP Insertion / Replacement Ser ver sel ect i on f ai l 0 Fwd r eq f ai l 0 Fwd r eq dat a f ai l 0 Req r et r ansmi t 0 Req pkt out - of - or der 0 Ser ver r esel ect i on 0 Ser ver pr emat ur e cl ose 0 Ser ver conn made 50 Sour ce NAT f ai l ur e 0 Tot data before compress 1373117 Tot data after compress 404410 The following commands enable hardware-based compression and display statistics for the feature: AX( conf i g) #slb hw-compression AX( conf i g) #show slb hw-compression Har dwar e compr essi on devi ce i s i nst al l ed. Har dwar e compr essi on modul e i s enabl ed. Tot al - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - t ot al r equest count 177157 t ot al submi t count 177157 t ot al r esponse count 177157 t ot al f ai l ur e count 0 l ast f ai l ur e code 0 compr essi on queue f ul l 0 max queued r equest count 84 max queued submi t count 68 Client IP Insertion / Replacement Many websites find it useful to know the IP addresses of clients. When the default Network Address Translation (NAT) settings for SLB are used, the source IP address of a request received by the AX device continues to be the source IP address when the AX device sends the request to a real server. The real server therefore knows the IP addresses of its clients. (An example is shown in Figure160 on page616.) However, in configurations where IP source NAT is enabled for SLB, the clients IP address is not the source IP address in the request received by the real server. Instead, the source IP address of the request is the address into which the AX device translated the clients IP address. 158 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Client IP Insertion / Replacement To add the clients IP address back to the request, you do not need to change the network configuration or NAT settings. Instead, you can simply enable the AX device to insert the clients IP address into the header of the clients GET request before sending the request to a real server. Figure44 shows an example of client IP insertion. FIGURE 44 Client IP Insertion P e r f o r m a n c e b y D e s i g n 159 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Client IP Insertion / Replacement In this example, SLB source NAT changes the source address of the clients GET request from 192.168.100.3 to 10.20.20.11. However, the clients source IP address is preserved within the HTTP header of the request, by inserting the address into the X-ClientIP field. This option inserts the clients IP address into the X-ClientIP field by default. However, you can specify another field name instead. For example, you can configure the option to insert the client IP address into the X-Forwarded-For field. Note: To insert HTTP header fields with other types of values, or to erase fields, see Header Insertion / Erasure on page160. Replace Option By default, the client IP address is appended to addresses already in the tar- get header field. You can configure the AX device to replace any addresses that are already in the field. Without this option, the client IP address is appended to the lists of client IP addresses already in the header. For example, if the header already contains X-Forwarded-For:1.1.1.1, the field:value pair becomes X-Forwarded-For:1.1.1.1, 2.2.2.2. If you enable replacement of the client IP addresses, the field:value pair becomes X-Forwarded-For:2.2.2.2. Configuring Client IP Insertion / Replacement The following sections show how to enable client IP insertion / replace- ment. USING THE GUI 1. Access the configuration sections for the template. (See HTTP Tem- plate Configuration on page133.) 2. On the HTTP template, select the Header Name for Inserting Client IP checkbox. This enables the option and displays the name of the header field to which the client IP address will be added. 3. Optionally, to replace any client addresses that are already in the header, select Replace. Without this option, the client IP address is appended to the lists of client IP addresses already in the header. 160 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Header Insertion / Erasure 4. To change the name of the field, edit the name. Otherwise, leave the field name set to the default (X-ClientIP). 5. Click OK. The HTTP template list reappears. USING THE CLI Enter the following command at the configuration level for the HTTP tem- plate: insert-client-ip [ http-fieldname] [ replace] The http-fieldname option specifies the HTTP field, for example: X-Forwarded-For. Without this option, the client IP address is inserted into the X-ClientIP field. The replace option replaces any client addresses that are already in the header. CLI Example The following commands implement the client IP insertion configuration shown in Figure44 on page158. The following commands configure the HTTP template: AX( conf i g) #slb template http insertclientip AX( conf i g- HTTP t empl at e) #insert-client-ip AX( conf i g- HTTP t empl at e) #exit The following commands bind the HTTP template to virtual port 80: AX( conf i g) #slb virtual-server vs1 1.1.1.1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template http insertclientip Header Insertion / Erasure You can configure the AX device to insert, replace, or erase headers in cli- ent requests or server responses. Like other HTTP options, header insertion and erasure are configured using HTTP template options. Insert and delete options can be used in the same HTTP template. An HTTP template can contain options to insert, replace, or erase a maxi- mum of 8 headers. P e r f o r m a n c e b y D e s i g n 161 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Header Insertion / Erasure Note: The header insert, replace, and erase options described in this section are not supported with the fast-http service type. The AX device does not allow an HTTP template with any of these header options to be bound to a fast-http virtual port. Likewise, the AX device does not allow any of the header options to be added to an HTTP template that is already bound to a fast-http virtual port. Note: To configure the AX device to insert the clients IP address, see Client IP Insertion / Replacement on page157. Note: Header insertion is not supported on fast-HTTP virtual ports. Configuring Header Insertion / Replacement To configure header insertion or replacement, specify the header (the field:value pair), and the insert or replace option. The insert / replace option can be one of the following: Insert-always always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced. Insert-if-not-exist inserts the header only if the packet does not already contain a header with the same field name. Default behavior (neither of the options above) inserts the header. If the packet already contains one or more headers with the specified field name, this option replaces the last header. Effects of the Insert / Replace Options Here are some examples of the effects of the insert / replace options: insert- always, insert-if-not-exist, and the default (no options). For these examples, assume that a clients request packet already contains the following Cookie headers: Cookie: a=1 and Cookie: b=2. GET / HTTP/ 1. 1 Host : www. exampl e. com Cooki e: a=1 Cooki e: b=2 . . . 162 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Header Insertion / Erasure Effect When insert-always Is Used If you configure an HTTP template to insert Cookie: c=3, and you use the insert-always option, the clients header is changed as follows: GET / HTTP/ 1. 1 Host : www. exampl e. com Cooki e: a=1 Cooki e: b=2 Cooki e: c=3 . . . Effect When insert-if-not-exist Is Used If you configure an HTTP template to insert Cookie: c=3, and you use the insert-if-not-exist option, the clients header is changed only if it does not contain any Cookie headers. Therefore, the client request in this example is unchanged: GET / HTTP/ 1. 1 Host : www. exampl e. com Cooki e: a=1 Cooki e: b=2 . . . Effect When Default Behavior (Neither Option Above) Is Used If you configure an HTTP template to insert Cookie: c=3, but you do not use either the insert-always or insert-if-not-exist option, the header is always inserted into the request. If the packet already contains a Cookie header, the header is replaced. If the packet contains multiple Cookie headers, the first one is replaced. Here is the result: GET / HTTP/ 1. 1 Host : www. exampl e. com Cooki e: c=3 Cooki e: b=2 . . . USING THE GUI 1. Access the configuration sections for the template. (See HTTP Tem- plate Configuration on page133.) 2. Click Header Insert. 3. To insert a request header: a. In the Request section, enter the name:value pair in the Name field. b. By default, if a packet already contains one or more headers with the specified field name, the command replaces the first header. Option- P e r f o r m a n c e b y D e s i g n 163 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Header Insertion / Erasure ally, to change this behavior, select one of the following options from the drop-down list next to the Name field: Insert Always The AX device always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced. Insert if not already present The AX device inserts the header only if the packet does not already contain a header with the same field name. c. Click Add. 4. To insert a response header, follow the same steps as those for inserting a request header, but use the Response section. 5. Click OK. The HTTP template list reappears. USING THE CLI To insert a header, use the following command: [ no] request-header-insert field:value [ insert-always | insert-if-not-exist] The field:value pair indicates the header field name and the value to insert. By default, if a packet already contains one or more headers with the specified field name, the command replaces the first header. If you use the insert-always option, the command always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced. If you use the insert-if-not-exist option, the command inserts the header only if the packet does not already contain a header with the same field name. To insert a field:value pair into response headers, use the following com- mand: [ no] response-header-insert field:value [ insert-always | insert-if-not-exist] 164 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Header Insertion / Erasure CLI Examples The following command configures an HTTP template that inserts Cookie: c=3 into every HTTP request. If the request already contains Cookie headers, the first header is replaced. AX( conf i g) #slb template http replace-cookie AX( conf i g- HTTP t empl at e) #request-header-insert "Cookie: c=3" The following command configures an HTTP template that always inserts Cookie: c=3 into HTTP requests, but does not replace other Cookie headers. The Cookie: c=3 header is added after any Cookie headers that are already present in the request. AX( conf i g) #slb template http add-cookie AX( conf i g- HTTP t empl at e) #request-header-insert "Cookie: c=3" insert-always The following command configures an HTTP template that inserts Cookie: c=3 into HTTP requests, but only if the requests do not already have a Cookie header. AX( conf i g) #slb template http add-cookie-unless-present AX( conf i g- HTTP t empl at e) #request-header-insert "Cookie: c=3" insert-if-not- exist Configuring Header Erasure The following sections show how to erase headers from HTTP requests or responses. USING THE GUI 1. Access the configuration sections for the template. (See HTTP Tem- plate Configuration on page133.) 2. Click Header Erase. 3. To erase a request header: a. In the Request section, enter the field name (the name portion of the name:value pair) in the Name field. b. Click Add. 4. To erase a response header, follow the same steps as those for erasing a request header, but use the Response section. 5. Click OK. The HTTP template list reappears. P e r f o r m a n c e b y D e s i g n 165 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL Redirect Rewrite USING THE CLI To erase a header from requests, use the following command: [ no] request-header-erase field The field value specifies the header name. To erase a header from responses, use the following command: [ no] response-header-erase field CLI Example The following command removes the Set-Cookie header from HTTP responses: AX( conf i g- HTTP t empl at e) #response-header-erase Set-Cookie URL Redirect Rewrite The AX device can be configured to alter redirect messages sent by real servers. You can use redirect-rewrite options to make the following types of changes: URL change You can change the URL before sending the redirect to the client. For example, if the real server redirects the client to http://www.example1.com, you change the URL to http://www.example2.com or https://www.example2.com. Secure redirection You can change an unsecure redirect (HTTP) to a secure one (HTTPS). For example, if the real server redirects the client to http://www.example1.com, you change the URL to https://www.example1.com. You can use one or both options. Redirect-Rewrite Rule Matching If a URL matches on more than redirect-rewrite rule within the same HTTP template, the AX device selects the rule that has the most specific match to the URL. For example, if a server sends redirect URL 66.1.1.222/000.html, and the HTTP template has the redirect-rewrite rules shown below, the AX device will use the last rule because it is the most specific match to the URL: 166 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide URL Redirect Rewrite sl b t empl at e ht t p 1 r edi r ect - r ewr i t e mat ch / 00 r ewr i t e- t o ht t p: / / 66. 1. 1. 202/ a r edi r ect - r ewr i t e mat ch / 000. ht ml r ewr i t e- t o / 001. gi f r edi r ect - r ewr i t e mat ch 66. 1. 1. 222/ 000. ht ml r ewr i t e- t o 66. 1. 1. 202/ 003. bmp Configuring URL Redirect Rewrite USING THE GUI 1. Access the configuration sections for the template. (See HTTP Tem- plate Configuration on page133.) 2. Click Redirect Rewrite. 3. To change the URL: a. In the Pattern field, enter the URL string to be changed. b. In the Redirect To field, enter the new URL. 4. To change http:// to https://: a. Select Enable next to HTTPS Rewrite. b. To change the SSL port number, edit the number in the field. (The default is 443.) 5. Click OK. USING THE CLI To change the URL in redirect messages from servers, enter the following command at the configuration level for the HTTP template: redirect-rewrite match url-string rewrite-to url-string To change http:// to https://, enter the following command at the config- uration level for the HTTP template: redirect-rewrite secure {port tcp-portnum} The default SSL port number (tcp-portnum) is 443. If you do not spec- ify a port number, the AX device does not include a port number in the URL. In this case, the client browser adds the SSL port number when send- ing a request to the redirect URL. P e r f o r m a n c e b y D e s i g n 167 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Strict Transaction Switching If you do specify the port number, the AX includes the port number in the redirect URL. CLI Example The following commands configure the AX device to change unsecure URLs to secure URLs in redirect messages. The following commands configure the HTTP template. Redirect URLs that begin with http:// are changed to https://. The URLs in the redirect mes- sages are otherwise unchanged. AX( conf i g) #slb template http secureredirect AX( conf i g- HTTP t empl at e) #redirect-rewrite secure AX( conf i g- HTTP t empl at e) #exit The following commands bind the HTTP template to virtual port 80: AX( conf i g) #slb virtual-server vs1 1.1.1.1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template http secureredirect Strict Transaction Switching By default, the AX device performs server selection once for a client ses- sion. After the initial selection, all requests within that session are automati- cally sent to the same real server. A new server is selected during the session only if the server that was originally selected is no longer available. If the load among real servers appears to be unbalanced, you can enable strict transaction switching to rebalance the load. The strict transaction switching option forces the AX device to perform server selection for each request within every session. Note: Use this option only if needed, and disable the option once the server load is rebalanced. This option makes server selection much more granular but also uses more AX system resources. 168 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Strict Transaction Switching Enabling Strict Transaction Switching The following sections show how to enable strict transaction switching. USING THE GUI 1. Access the configuration sections for the template. (See HTTP Tem- plate Configuration on page133.) 2. In the HTTP section, select Enabled next to Strict Transaction Switch. 3. Click OK. The HTTP template list reappears. USING THE CLI To enable strict transaction switching, enter the following command at the configuration level for the HTTP template: strict-transaction-switch P e r f o r m a n c e b y D e s i g n 169 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FTP Load Balancing This chapter describes how to configure SLB for FTP services. Overview FTP load balancing optimizes the download experience for clients by bal- ancing FTP traffic across servers in a server farm. You can provide clients with a single, published virtual IP address for large files, and serve the files from a set of real servers. Figure45 shows an example of an FTP load balancing solution. FIGURE 45 FTP Load Balancing 170 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview In this example, FTP files are served by three real servers. Each server has the same set of files available for download. One of the servers also pro- vides the HTML pages for the download site. The AX device supports both the passive and port FTP modes. The AX Series device sends all HTTP requests to server ftp-2, and balances FTP requests among servers ftp-2, ftp-3, and ftp-4. In this example, the load-balancing method is changed from the default, round robin, to weighted round robin. By assigning a weight to a real server and using a weighted load-balancing metric, you can bias load-balancing decisions to favor that server. This example assumes that the servers have equivalent capacity and perfor- mance. The differing weights compensate for the greater load to be placed on the server that is handling the HTTP requests. Service Groups This example uses a single service group containing all three servers. To provide weighted load balancing as described above, the load balancing method is changed from the default (round robin) to weighted round robin. Templates In this example, two TCP templates are required. For HTTP, the default TCP template is used. You do not need to explic- itly bind this template to the HTTP port on the virtual server. The AX device automatically binds this template to a virtual TCP port on a vir- tual server when you create the port, unless you explicitly bind another TCP template to the virtual port instead. For FTP, a custom TCP template is required, with the idle time set to a high value, to prevent FTP download sessions from timing out if they pause for a while. This custom TCP template must be explicitly bound to the virtual FTP port on the virtual server. In this case, the custom tem- plate is used instead of the default TCP template. The default HTTP template is assigned to the virtual HTTP port by default. However, the parameters in the default HTTP template are unset by default. For this configuration, you do not need to configure a different HTTP tem- plate or change settings in the default one. This example does not include configuration of server or port templates, so the default templates and their settings are applied. P e r f o r m a n c e b y D e s i g n 171 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing For more information about templates, see the following: Service Template Parameters on page829 Server and Port Templates on page361 Health Monitors This example uses the following health monitors to check the real servers: Ping Tests Layer 3 connectivity to the servers. The Ping health moni- tor is already configured by default, and is enabled by default when you add the real server. HTTP Tests the HTTP port by requesting a Web page from the port. In this example, the default settings are used: Every 30 seconds, the AX device sends an HTTP Get request for the index.html page. FTP Tests the FTP port by sending a login request to the port. In this example, the default settings are used: Every 30 seconds, the AX device sends an anonymous FTP login request to port 21. The Ping health monitor is already configured by default, and is enabled by default when you add the real server. The HTTP and FTP monitors must be configured and applied to the real server ports. The AX device has default Layer 4 health checks it uses to test the TCP and UDP transport layers. This configuration also uses those health checks. (For information, see Default Health Checks on page381.) Configuring FTP Load Balancing To configure FTP load balancing: 1. Configure HTTP and FTP health methods, to use for checking the health of the HTTP and FTP ports on the servers. 2. Configure the real servers: a. For each server, add its FTP port and enable health checking of the port, using the FTP health method configured in step1. b. For the server that will serve the Web pages, add the servers HTTP port and enable health checking of the port, using the HTTP health method configured in step1. 172 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing c. Assign weight 80 to the HTTP/FTP server. Assign weight 100 to each of the FTP servers that will not also be handling HTTP. These weights will cause the AX device to select the HTTP/FTP server for FTP only 80% as often as each of the other servers. 3. Configure a TCP template and set the idle time in the template to a high value. 4. Configure a service group for HTTP and add the HTTP server to it. 5. Configure another service group for FTP and add the FTP servers to it. 6. Configure the virtual server: a. Add TCP ports for HTTP and FTP. b. Bind the HTTP port to the HTTP service group. c. Bind the FTP port to the FTP service group and to the TCP tem- plate. USING THE GUI To configure the health monitors 1. Select Config >Service >Health Monitor. 2. Click Add. 3. In the Health Monitor section, enter a name for the monitor in the Name field. 4. Click Method. 5. In the Method section, select HTTP from the Type drop-down list. 6. Click OK. The new health monitor appears in the health monitor table. 7. Repeat step2 through step6 to configure the FTP health monitor. In step5, select FTP instead of HTTP. P e r f o r m a n c e b y D e s i g n 173 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing FIGURE 46 Config >Service >Health Monitor (for HTTP monitor) FIGURE 47 Config >Service >Health Monitor - Method section (for FTP monitor) 174 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing FIGURE 48 Config >Service >Health Monitor (showing configured health monitors) To configure the real servers 1. Select Config >Service >SLB. 2. Select Server on the menu bar. 3. Click Add. 4. In the General section, enter a name for the server in the Name field. 5. Enter the IP address of the server in the IP Address field. 6. Change the weight be editing the number in the Weight field. In this example, change the weight for the HTTP/FTP server to 80 and change the weights of the two other FTP servers to 100. 7. In the Port section, enter the HTTP (or FTP) port number in the Port field. 8. Leave the transport protocol set to TCP. 9. In the Health Monitor drop-down list, select the HTTP or FTP health monitor you configured in To configure the health monitors on page172. (Select the monitor that matches the port type, HTTP or FTP.) 10. Click Add. The new port appears in the port list. 11. Click OK. The new server appears in the server table. 12. Repeat step3 through step11 for each of the other real servers. P e r f o r m a n c e b y D e s i g n 175 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing FIGURE 49 Config >Service >SLB >Server (ftp-2) 176 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing FIGURE 50 Config >Service >SLB >Server (ftp-3) P e r f o r m a n c e b y D e s i g n 177 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing FIGURE 51 Config >Service >SLB >Server (ftp-4) FIGURE 52 Config >Service >SLB >Server (showing configured real servers) Note: The Health Monitor column shows the Layer 3 (ICMP ping) health moni- tors for the real servers, not the Layer4-7 health monitors for individual server ports. 178 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing To configure the TCP template for FTP 1. Select Config >Service >Template. 2. Select L4 >TCP on the menu bar. 3. Click Add. 4. Enter a name for the template in the Name field. 5. In the Idle Timeout field, enter 15000. 6. Click OK. The new template appears in the TCP template table. FIGURE 53 Config >Service >Template >L4 >TCP To configure a service group for HTTP 1. Select Config >Service >SLB. 2. Select Service Group on the menu bar, if not already selected. 3. Click Add. 4. In the Service Group section, enter a name in the Name field. 5. Leave the transport protocol set to TCP. 6. In the Algorithm field, select the load balancing method. For this exam- ple, select Weighted Round Robin. 7. Enter the real servers IP address in the Server field. 8. Enter the protocol port in the Port field. P e r f o r m a n c e b y D e s i g n 179 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing 9. Click Add. The server and port appear in the member list. Repeat for each combination of server and port. In this example, add member 10.10.10.2 for port 80 and again for port 21 to service group http-grp. 10. Click OK. The new service group appears in the service group table. FIGURE 54 Config >Service >Service Group (for HTTP) To configure a service group for FTP Repeat the procedure in To configure a service group for HTTP on page178, with the following differences: In the Algorithm drop-down list, select Weighted Round Robin. (If your configuration does not use weights to bias server selection, you can leave this field set to Round Robin.) Add members 10.10.10.2-4 for port 21. 180 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing FIGURE 55 Config >Service >Service Group (for FTP) FIGURE 56 Config >Service >Service Group (service groups added) P e r f o r m a n c e b y D e s i g n 181 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing To configure the virtual server 1. Select Config >Service >SLB. 2. Select Virtual Server on the menu bar, if not already selected. 3. Click Add. 4. In the General section, enter a name in the Name field. 5. Enter the virtual IP address in the IP Address field. This is the IP address to which clients will send HTTP and FTP requests. 6. In the Port section, click Add. The Virtual Server Port section appears. 7. In the Type drop-down list, select the service type. In this example, there are two services, HTTP and FTP. Select HTTP first and go to the next step. 8. Edit the number in the Port field to match the protocol port that clients will request at the virtual IP address. 9. Select the service group from Service Group drop-down list. In this example, select http-grp for HTTP and ftp-grp for FTP. 10. Click OK. The port and service group appear in the virtual port list. 11. Repeat from step6 for the FTP service. In this example, select the TCP template you configured in To config- ure the TCP template for FTP on page178. 12. Click OK. The new virtual server appears in the virtual server table. 182 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing FIGURE 57 Config >Service >Virtual Server FIGURE 58 Config >Service >Virtual Server - Virtual Server Port section (for HTTP) P e r f o r m a n c e b y D e s i g n 183 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing FIGURE 59 Config >Service >Virtual Server - Virtual Server Port section (for FTP) FIGURE 60 Config >Service >Virtual Server - Port section (ports added) FIGURE 61 Config >Service >Virtual Server (virtual server added) 184 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing USING THE CLI 1. To configure the health monitors, use the following commands: health monitor monitor-name Enter this command at the global Config level of the CLI to create a monitor and access the configuration level for it. To configure an HTTP health method, use the following command at the configuration level for the monitor: method http To configure an FTP health method, use the following command at the configuration level for the monitor: method ftp In this example, none of the optional parameters are used. The default settings are used for both types of health monitors. (For information about the optional parameters, see the AX Series CLI Reference.) 2. To configure the real servers, use the following commands: slb server server-name ipaddr Enter this command at the global Config level of the CLI. The command creates the server and changes the CLI to the configuration level for it. weight number The slb server command creates the real server. The weight command assigns a weight to the server, for use with weighted load-balancing methods. port port-num tcp The port command adds a TCP port for HTTP or FTP, and changes the CLI to the configuration level for the port. Enter a separate port com- mand for each port number to be load balanced. To assign the HTTP or FTP health monitor to a port, use the following command at the configuration level for the port. health-check monitor-name 3. To configure the TCP template for FTP, use the following commands: slb template tcp template-name This command creates the TCP template and changes the CLI to the configuration level for the template. idle-timeout seconds P e r f o r m a n c e b y D e s i g n 185 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing The idle-timeout command specifies the number of seconds a TCP ses- sion can remain idle. For this example, set the idle timeout to 15000 sec- onds. 4. To configure a service group for HTTP, use the following commands: slb service-group group-name tcp This command creates the service group and changes the CLI to the con- figuration level for it. member server-name:portnum The member command adds the HTTP server to the service group. The server-name is the name you used when you configured the real server. The portnum is the protocol port number configured on the real server. Use the following command to change the load balancing method to weighted round robin: method weighted-rr 5. To configure a service group for FTP, use the following commands: slb service-group group-name tcp This command creates the service group and changes the CLI to the con- figuration level for it. member server-name:portnum method weighted-rr The member command adds the servers and their ports to the service group. Enter a separate command for each port. The method command changes the load-balancing method from the default (simple round robin) to weighted round robin. 6. To configure the virtual server, use the following commands: slb virtual-server name ipaddr This command creates the virtual server and changes the CLI to the con- figuration level for it. port port-number http port port-number ftp The port commands add virtual ports for HTTP and FTP. For each port, the command changes the CLI to the configuration level for the port, where the following commands are used: service-group group-name template tcp template-name 186 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing The service-group command binds the virtual port to a service group. The template tcp command binds the virtual port to a TCP template. CLI CONFIGURATION EXAMPLE The following commands configure the HTTP and FTP health monitors: AX( conf i g) #health monitor http-monitor AX( conf i g- heal t h: moni t or ) #method http AX( conf i g- heal t h: moni t or ) #exit AX( conf i g) #health monitor ftp-monitor AX( conf i g- heal t h: moni t or ) #method ftp AX( conf i g- heal t h: moni t or ) #exit The following commands configure the real servers: AX( conf i g) #slb server ftp-2 10.10.10.2 AX( conf i g- r eal ser ver ) #weight 80 AX( conf i g- r eal ser ver ) #port 8801 tcp AX( conf i g- r eal ser ver - node por t ) #health-check http-monitor AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 21 tcp AX( conf i g- r eal ser ver - node por t ) #health-check ftp-monitor AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server ftp-3 10.10.10.3 AX( conf i g- r eal ser ver ) #weight 100 AX( conf i g- r eal ser ver ) #port 21 tcp AX( conf i g- r eal ser ver - node por t ) #health-check ftp-monitor AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server ftp-4 10.10.10.4 AX( conf i g- r eal ser ver ) #weight 100 AX( conf i g- r eal ser ver ) #port 21 tcp AX( conf i g- r eal ser ver - node por t ) #health-check ftp-monitor AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure the TCP template for use with FTP: AX( conf i g) #slb template tcp ftp-longidletime AX( conf i g- L4 TCP LB t empl at e) #idle-timeout 15000 AX( conf i g- L4 TCP LB t empl at e) #exit P e r f o r m a n c e b y D e s i g n 187 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing The following commands configure the service group for HTTP: AX( conf i g) #slb service-group http-grp tcp AX( conf i g- sl b ser vi ce gr oup) #member ftp-2:8801 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure the service group for FTP: AX( conf i g) #slb service-group ftp-grp tcp AX( conf i g- sl b ser vi ce gr oup) #member ftp-2:21 AX( conf i g- sl b ser vi ce gr oup) #member ftp-3:21 AX( conf i g- sl b ser vi ce gr oup) #member ftp-4:21 AX( conf i g- sl b ser vi ce gr oup) #method weighted-rr AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure the virtual server: AX( conf i g) #slb virtual-server ftp-vip 192.168.10.21 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group http-grp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 21 ftp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group ftp-grp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template tcp ftp-longidletime 188 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FTP Load Balancing P e r f o r m a n c e b y D e s i g n 189 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP SIP Load Balancing This chapter describes Session Initiation Protocol (SIP) load balancing and how to configure it. You can configure load balancing for SIP over UDP or SIP over TCP/TLS. Note: IP source NAT is not supported on SIP virtual ports. Load Balancing for SIP over UDP AX Series devices support SIP load balancing. SIP load balancing balances SIP registration messages from clients across a service group of SIP Regis- trar servers. SIP load balancing enables you to offload registration process- ing from other SIP servers so those servers can more efficiently process other SIP traffic. Figure62 shows an example of a SIP load balancing configuration. The commands to implement this configuration are shown in Configuring Load Balancing for SIP over UDP on page190. 190 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP FIGURE 62 SIP Load Balancing Configuring Load Balancing for SIP over UDP To configure load balancing for SIP over UDP: 1. Configure SIP health monitors using the SIP health method. 2. Configure a real server for each SIP Registrar server, add the SIP port to the server, and assign the SIP health monitor to the port. 3. Configure a real server as a proxy for each SIP server that will handle SIP messages other than registration messages. Add the SIP port to each server. The SIP port can be the same on the Registrar servers and these proxy servers. The AX selects a service group based on the message type. 4. Configure a service group for the Registrar servers and add them to the group. 5. Configure a service group for the other SIP servers and add them to the group. This is the SIP proxy group. P e r f o r m a n c e b y D e s i g n 191 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP 6. Configure a SIP template to redirect all SIP registration messages to the SIP Registrar service group. 7. Configure a virtual server containing the SIP port and bind the port to the SIP proxy group. Add the SIP proxy service group and the SIP tem- plate to the port. The following sections provide detailed steps and examples. USING THE GUI 1. Configure a SIP health monitor for the Registrar servers: a. Select Config >Service >Health Monitor. b. Select Health Monitor on the menu bar. c. Click Add. d. In the Health Monitor section, enter a name for the health monitor. e. In the Method section, select SIP in the Type drop-down list. f. To send health checks to the default SIP port (5060), leave the port unchanged. Otherwise, to send the request to a different port, edit the port num- ber in the Port field. g. Select Register to send a REGISTER request. (By default, an OPTION request is sent instead.) h. Click OK. The new SIP health monitor appears in the Health Moni- tor table. 2. Configure a SIP health monitor for the other SIP servers: a. Click Add. b. In the Health Monitor section, enter a name for the health monitor. c. In the Method section, select SIP in the Type drop-down list. d. To use the default monitoring settings for SIP (OPTION request sent to port 5060), leave the other settings unchanged. e. Click OK. The new SIP health monitor appears in the Health Moni- tor table. 3. Configure a real server for the SIP Registrar server: a. Select Config >Service >SLB. b. Select Server on the menu bar. c. Click Add. 192 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP d. In the General section, enter a name for the Registrar server. e. Enter the IP address of the server. f. In the Port section, enter the SIP port number in the Port field. g. In the Protocol drop-down list, select UDP. h. In the Health Monitor drop-down list, select the health monitor. i. Click Add. The port appears in the Port list. j. Click OK. The server appears in the real server table. 4. Use the same steps to configure a real server as a proxy for each SIP server that will handle SIP messages other than registration messages. The steps are the same as the steps for adding the Registrar servers. (See Figure66.) 5. To configure a service group for the Registrar servers and add them to the group: a. Select Service Group on the menu bar. b. Click Add. c. In the Service Group section, enter a name for the group. d. In the Type drop-down list, select UDP. e. In the Port section, select the real server for the SIP Registrar server from the Server drop-down list. f. In the Port field, enter the SIP port number. g. Click Add. h. Repeat for each Registrar server. i. Click OK. The new service group appears in the service group table. 6. Use the same steps to configure a service group for the other SIP servers and add them to the group. This is the SIP proxy group. 7. To configure a SIP template to redirect all SIP registration messages to the SIP Registrar service group: a. Select Config >Service >Template. b. Select Application >SIP from the menu bar. c. Click Add. d. Enter a name for the template. e. Optionally, erase, insert, or replace text in the SIP header. P e r f o r m a n c e b y D e s i g n 193 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP f. In the Registrar Service Group drop-down list, select the service group. g. Click OK. The new SIP template appears in the SIP template table. 8. To configure a virtual server for the SIP proxy: a. Select Config >Service >SLB. b. Select Virtual Server on the menu bar. c. Click Add. d. In the General section, enter a name for the virtual server. e. In the IP Address field, enter the IP address to which clients will send SIP Registration messages. f. In the Port section, select SIP from the Type drop-down list. g. In the Port field, enter the SIP port number. h. In the Service Group drop-down list, select the SIP service group you created above for non-registration traffic. i. In the SIP Template drop-down list, select the SIP template. j. Click Add. The port appears in the Port list for the virtual server. k. Click OK. The virtual server appears in the virtual server table. 194 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP GUI CONFIGURATION EXAMPLE The following GUI examples show the configuration steps. FIGURE 63 Config >Service >Health Monitor >Health Monitor (example for Registrar servers) P e r f o r m a n c e b y D e s i g n 195 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP FIGURE 64 Config >Service >Health Monitor >Health Monitor (example for other SIP servers) 196 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP FIGURE 65 Config >Service >SLB >Server FIGURE 66 Config >Service >SLB >Server - Registrar and Proxy servers added P e r f o r m a n c e b y D e s i g n 197 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP FIGURE 67 Config >Service >Service Group (registrar group) FIGURE 68 Config >Service >Service Group - groups added FIGURE 69 Config >Service >Template >Application >SIP 198 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP FIGURE 70 Config >Service >Template >Application >SIP - template added FIGURE 71 Config >Service >Virtual Server - Port section FIGURE 72 Config >Service >Virtual Server - server added P e r f o r m a n c e b y D e s i g n 199 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP USING THE CLI 1. To configure a SIP health monitor using the SIP health method, use the following commands: health monitor monitor-name Enter this command at the global Config level. method sip [ register [ port port-num] ] Enter this command at the configuration level for the health method. The SIP health monitor sends an OPTION request to port 5060 by default. To send a REGISTER request instead, use the register option. To send the request to a port other than 5060, use the port option to specify the port number. 2. To configure a real server for a SIP Registrar server, add the SIP port to it, and apply the SIP health monitor to the port, use the following com- mands: slb server server-name ipaddr Enter this command at the global Config level. port port-num udp Enter this command at the configuration level for the real server. health-check monitor-name Enter this command at the configuration level for the SIP port. 3. To configure a real server as a proxy for each SIP server that will handle SIP messages other than registration messages, use the same commands as in step2. 4. To configure a service group for the Registrar servers and add them to the group, use the following commands: slb service-group group-name udp Enter this command at the global Config level. member server-name [ priority number] Enter this command at the configuration level for the service group. 5. To configure a service group for the other SIP servers and add them to the group, use the same commands as in step4. 6. To configure a SIP template to redirect all SIP registration messages to the SIP Registrar service group, use the following commands: slb template sip template-name 200 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP Enter this command at the global Config level. registrar service-group group-name header-erase string header-insert string header-replace string new-string timeout minutes pass-real-server-ip-for-acl acl-id The header-erase, header-insert, and header-replace commands edit information in the SIP header of each SIP packet before sending it to the service group. Each command erases, inserts, or replaces a single header field. The timeout command specifies how many minutes the AX device leaves a SIP call session up. You can specify 1-250 minutes. The default is 30. The pass-real-server-ip-for-acl command disables reverse NAT based for traffic from the server, based on IP address. This command is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the AX device. (See Disabling Reverse NAT Based on Destination IP Address on page222.) Enter these commands at the configuration level for the SIP template. Caution: A10 Networks recommends that you do not set the timeout to a value lower than 30 minutes. The SIP termination message (Bye) does not necessarily go through the AX device, thus the AX device does not know for certain that a conversation has ended. 7. To configure a virtual server for the SIP proxy servers (the servers that will handle all other SIP traffic except registration messages), use the following commands: slb virtual-server name ipaddr Enter this command at the global Config level. port port-number sip Enter this command at the configuration level for the virtual server. service-group group-name template sip template-name Enter these commands at the configuration level for the virtual port. P e r f o r m a n c e b y D e s i g n 201 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP CLI CONFIGURATION EXAMPLE The commands in the following example implement the SIP load balancing configuration shown in Figure62 on page190. The following commands configure the SIP health monitors: AX( conf i g) #health monitor sip_monitor AX( conf i g- heal t h: moni t or ) #method sip AX ( conf i g- heal t h: moni t or ) #exit AX( conf i g) #health monitor sipreg_monitor AX( conf i g- heal t h: moni t or ) #method sip register AX ( conf i g- heal t h: moni t or ) #exit The following commands configure the Registrar servers: AX( conf i g) #slb server Registrar1 10.10.10.56 AX( conf i g- r eal ser ver ) #port 5060 udp AX ( conf i g- r eal ser ver - node por t ) #health-check sipreg_monitor AX ( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server Registrar2 10.10.10.57 AX( conf i g- r eal ser ver ) #port 5060 udp AX ( conf i g- r eal ser ver - node por t ) #health-check sipreg_monitor AX ( conf i g- r eal ser ver - node por t ) # #exit AX( conf i g- r eal ser ver exit The following commands configure the SIP proxy servers: AX( conf i g) #slb server Proxy3 10.10.20.11 AX( conf i g- r eal ser ver ) #port 5060 udp AX ( conf i g- r eal ser ver - node por t ) #health-check sip_monitor AX ( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server Proxy4 10.10.20.12 AX( conf i g- r eal ser ver ) #port 5060 udp AX ( conf i g- r eal ser ver - node por t ) #health-check sip_monitor AX ( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit 202 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over UDP The following commands configure the service groups: AX( conf i g) #slb service-group Registrar_gp udp AX( conf i g- sl b ser vi ce gr oup) #member Registrar1:5060 AX( conf i g- sl b ser vi ce gr oup) #member Registrar2:5060 AX( conf i g- sl b ser vi ce gr oup) #exit AX( conf i g) #slb service-group sip5060 udp AX( conf i g- sl b ser vi ce gr oup) #member Proxy3:5060 AX( conf i g- sl b ser vi ce gr oup) #member Proxy4:5060 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure the SIP template: AX( conf i g) #slb template sip Registrar_template AX( conf i g- SI P LB t empl at e) #registrar service-group Registrar_gp AX( conf i g- SI P LB t empl at e) #header-insert Max-Forwards:22 AX( conf i g- SI P LB t empl at e) #header-replace Max-Forwards 15 AX( conf i g- SI P LB t empl at e) #header-erase Contact AX( conf i g- SI P LB t empl at e) #exit The following commands configure the VIP for the SIP registrar: AX( conf i g) #slb virtual-server sip1 192.168.20.1 AX( conf i g- sl b vi r t ual ser ver ) #port 5060 sip AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sip5060 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template sip Registrar_template P e r f o r m a n c e b y D e s i g n 203 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS Load Balancing for SIP over TCP/TLS SIP over TCP/TLS enables the AX device to act as a secure SIP proxy for SIP servers. Figure73 shows an example of this feature. FIGURE 73 SIP over TCP / TLS SIP clients send secure SIP requests over TLS. The requests are addressed to a VIP configured on the AX device. The AX device forwards the requests to the SIP servers over TCP. Likewise, when the AX device receives SIP traffic from the SIP servers, the AX device forwards the traffic to the appro- priate clients over TLS. SIP Multiplexing You can use the AX device to multiplex SIP connections. This is useful in cases where the SIP servers do not have enough capacity to maintain sepa- rate connections for each SIP client. Figure74 shows an example. 204 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS FIGURE 74 SIP Multiplexing
In this example, each SIP server can handle a maximum of 256 client con- nections. However, there are 1000 SIP clients that use the VIP as their SIP server. To enable the SIP servers to be used with this many clients, the connection- reuse feature is configured on the AX device. The AX device is allowed to open a maximum of 100 connections to each server, but uses each connec- tion for multiple clients. While the AX device is sending a client request on a connection, the con- nection is in use. However, as soon as the request has been sent, the AX device frees the connection to be used again. The connection can be used for the same client or another client. The AX device does not wait for a reply to the clients request before freeing the connection. Figure75 shows an exam- ple. FIGURE 75 SIP Connection Reuse P e r f o r m a n c e b y D e s i g n 205 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS In this example, the AX device sends requests for 3 different clients before receiving the reply to the first request. To identify the client to which to forward the reply, the AX device examines the X-Forwarded-For header in the reply. Note: The operation of connection reuse for SIP over TCP is different from the operation of connection reuse for HTTP. For HTTP, the AX device does not free a connection after sending a clients request. Instead, the AX device frees the connection only after receiving a response to the request. AX Requirements for SIP Multiplexing In addition to the requirements for any SIP over TCP / TLS configuration (described in the configuration section), the following items are required for SIP multiplexing: Connection-reuse template Connection-reuse templates have the fol- lowing options: Timeout Specifies how long a reusable connection can remain idle before being terminated. Limit per server Specifies the maximum number of connections to the server. (In Figure74, this option would be set to 100.) Keep-alive connections Specifies the number of new reusable connections to open before beginning to reuse the existing connec- tions for new clients. Client IP insertion When this SIP template feature is enabled, the AX device inserts an X-Forwarded-For header into the clients request before forwarding the request to the SIP server. The header contains the clients IP address and client port number. The AX device expects the server to send back this header, and uses the header to identify the client to which to send replies from the SIP server. Server keepalive (described in Client Keepalive and Server Keepalive on page206) Client and Server Requirements for SIP Multiplexing In order for the AX device to be used as a multiplexer for SIP over TCP/ TLS, the clients and SIP servers must meet certain requirements: The SIP clients must be able to send SIP pings. The SIP server must be able to reply to SIP pings, with SIP pongs. The SIP server must be able to include the X-Forward-For header added to the clients request by the AX device, in replies to the client. 206 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS Client Keepalive and Server Keepalive The AX device can send and receive SIP keepalive messages: Ping A SIP ping is a 4-byte message containing a double carriage return line feed (CRLF). Pong The reply to a SIP ping is called a pong. A pong is a 2-byte message containing a single CRLF. Client keepalive enables the AX device to reply to SIP pings sent by clients instead of forwarding them to the SIP server. This feature is applicable regardless of whether you use the AX device to multiplex SIP connections. Server keepalive enables the AX device to generate SIP pings and send them to the server. The AX device uses server keepalive to prevent the reus- able connections to the server from aging out. If the AX device does not receive a pong before the connection-reuse timeout expires, the AX device closes the connection. Server keepalives apply only to configurations that include connection reuse, such as a configuration that uses the AX device as a SIP multiplexer. Figure76 shows an example of a configuration that uses both SIP keepalive features. FIGURE 76 SIP Keepalive Note: If connection reuse is configured, even if client keepalive is disabled, the AX device will respond to a client SIP ping with a pong. P e r f o r m a n c e b y D e s i g n 207 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS AX Actions if Selection of a Client or SIP Server Fails You can configure the action the AX device takes if selection of a SIP client or a SIP server fails. The action can be one of the following: Reset the connection. This is the default for client-selection failures and server-selection failures. Drop the SIP message. Send a message string. Example message string sent to client when server can not be reached: 504 Server Time-out Example message string sent to server when client can not be reached: 480 Temporarily Unavailable SLB Network Address Translation for SIP over TCP / TLS SLB Network Address Translation (NAT) is used for SIP over TCP / TLS load balancing in much the same way SLB NAT is used for load balancing other types of traffic. When a client sends a SIP request, the request is addressed to the virtual IP address (VIP) and protocol port number configured on the AX device for the SIP servers. The AX device translates the destination IP address and port of the request from the VIP to the real IP address and port of a SIP server. The AX device does not change the client IP address or source proto- col port number. Likewise, when the AX device receives a SIP packet from a SIP server, the AX device translates the source IP address and port from the servers real IP address and SIP port to the VIP address and port, then sends the packet to the client. By default, the AX device also translates the client IP address and protocol port number where they are used in some other parts of the SIP packet. However, the AX device does not translate server addresses or protocol port numbers in the following headers: Call-ID header X-Forwarded-For header Via headers, except for the top Via header 208 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS You can disable translation in any of the following places in the packet: Start line Individual headers Body For example, if the client is required to be authenticated before registration, and the authentication realm is the VIP instead of a domain name, the AX device must not translate the virtual IP address and port into a real server address and port in the Authorization header. Otherwise, authentication will fail. Configuring SIP over TCP / TLS for SIP Multiplexing To configure an AX device for secure SIP multiplexing: Optionally, configure a health monitor for SIP over TCP. Configure a real server for each SIP server. Use the SIP protocol port number on the server (for example, 5060) as the port number. Use TCP as the protocol type. Use a Layer 4 TCP health monitor. When you add the TCP port, the default TCP health monitor is automatically applied to the port and enabled. Configure a service group containing the real servers. Configure a SIP template with at least the following options enabled: Client IP insertion Client keepalive Server keepalive Configure a connection-reuse template. Set the limit-per-server option to the maximum number of SIP connections to allow on each SIP server. If clients will use SIP over TLS, import the certificates and keys the SIP server would use to authenticate clients. Configure a client-SSL tem- plate and add the certificates and keys to the template. Configure a virtual server with the IP address to which clients will send SIP requests. For SIP over TLS Clients, add a protocol port with service type sips. For SIP over TCP Clients, add a protocol port with service type sip-tcp. Bind the port to the service group, and to the SIP and connection-reuse templates. If a client-SSL template is used, bind the port to the client-SSL template too. P e r f o r m a n c e b y D e s i g n 209 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS USING THE GUI The GUI items that are new in AX Releases 2.2.2 are the additional options for SIP templates, and the following new service types for virtual ports: SIP-TCP SIP-TLS Otherwise, the GUI procedures for creating the configuration items needed for SIP over TCP/TLS are the same as in previous releases. The following figures show examples of the GUI configuration pages for implementing the SIP multiplexing configuration shown in Figure74 on page204. FIGURE 77 Config >Service >SLB >Server 210 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS FIGURE 78 Config >Service >SLB >Service Group P e r f o r m a n c e b y D e s i g n 211 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS FIGURE 79 Config >Service >Template >Application >SIP FIGURE 80 Config >Service >Template >Connection Reuse 212 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS FIGURE 81 Config >Service >SSL Management - import certificate FIGURE 82 Config >Service >SSL Management - import key FIGURE 83 Config >Service >Template >SSL >Client SSL P e r f o r m a n c e b y D e s i g n 213 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS FIGURE 84 Config >Service >SLB >Virtual Server - Virtual Server Port 214 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS FIGURE 85 Config >Service >SLB >Virtual Server - port section contains virtual port configured on Virtual Server Port page (above) USING THE CLI This section shows the CLI commands that are specific to SIP configura- tion. To Configure a SIP over TCP Health Monitor Use the following commands: [ no] health monitor monitor-name Use this command at the global configuration level of the CLI. This com- mand changes the CLI to the configuration level for the health monitor, where the following command is available: [ no] method sip tcp P e r f o r m a n c e b y D e s i g n 215 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS To Configure Real Servers Use the following commands: slb server server-name ipaddr Use this command at the global configuration level of the CLI. For the ipaddr, use the SIP servers real IP address. This command changes the CLI to the configuration level for the server, where the following command is available: port port-num tcp For the port-num, use the protocol port number on which the SIP server lis- tens for SIP traffic. This command changes the CLI to the configuration level for the port, where the following command is available: [ no] healthcheck monitor-name Use this command to apply the SIP over TCP health monitor to the port. To Configure a Service Group Use the following commands: slb service-group group-name tcp Use this command at the global configuration level of the CLI. This com- mand changes the CLI to the configuration level for the service group, where the following command is available: member server-name:port-num For the server-name, use the name specified in the real server configuration. For the port-num, use the SIP port number specified in the real server con- figuration. To Configure a SIP Template Use the following commands. Note: In the current release, the SIP template options described below are valid only for SIP over TCP/TLS. Other SIP template options, such as header- insert, header-erase, and so on are valid only for SIP over UDP. slb template sip template-name Use this command at the global configuration level of the CLI. This com- mand changes the CLI to the configuration level for the template, where the following commands are available. 216 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS insert-client-ip This command inserts an X-Forwarded-For: IP-address:port header into SIP packets from the client to the SIP server. The header contains the client IP address and source protocol port number. The AX device uses the header to identify the client when forwarding a server reply. This option is disabled by default. client-keep-alive This command enables the AX device to respond to SIP pings from clients on behalf of SIP servers. When this option is enabled, the AX device responds to a SIP ping from a client with a pong. This option is disabled by default. Note: If connection reuse is configured, even if client keepalive is disabled, the AX device will respond to a client SIP ping with a pong. server-keep-alive seconds This command specifies how often the AX device sends a SIP ping on each reusable connection with the SIP server. The AX device silently drops the servers pong reply. If the server does not reply to a SIP ping within the connection-reuse time- out, the AX device closes the connection. (The connection-reuse timeout is configured by the timeout command at the configuration level for the con- nection-reuse template.) You can specify 5-300 seconds. The default is 30 seconds. select-client-fail {string | drop} select-server-fail {string | drop} These commands change the AX response when selection of a SIP client or server fails. By default, the AX device resets the connection. To change the response when a client can not be reached, use the select-client-fail com- mand. To change the response when a SIP server can not be reached, use the select-server-fail command. You can specify one of the following actions: string Send a message string. If the message string contains a blank, use double quotation marks around the string. drop Drops the traffic. exclude-translation {body | header string | start-line} This command disables translation of the virtual IP address and virtual port in specific portions of SIP messages: P e r f o r m a n c e b y D e s i g n 217 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS body Does not translate virtual IP addresses and virtual ports in the body of the message. header string Does not translate virtual IP addresses and virtual ports in the specified header. start-line Does not translate virtual IP addresses and virtual ports in the SIP request line or status line. (For default information, see SLB Network Address Translation for SIP over TCP / TLS on page207.) timeout minutes This command specifies the number of minutes a SIP session can remain idle before the AX device terminates it. You can specify 1-250 minutes. The default is 30 minutes. To Configure a Connection-Reuse Template Use the following commands: slb template connection-reuse template-name Use this command at the global configuration level of the CLI. This com- mand changes the CLI to the configuration level for the template, where the following commands are available. limit-per-server number This command specifies the maximum number of reusable connections per server port. You can specify 0-65535. 0 means unlimited. The default is 1000. keep-alive-conn number This command specifies the number of new reusable connections to open before beginning to reuse existing connections. You can specify 1-1024 connections. The default is 100. timeout seconds This command specifies the maximum number of seconds a connection can remain idle before it times out. You can specify 1-3600 seconds. The default is 2400 seconds. To Configure a Client-SSL Template Before configuring the template, use the following command to import the certificates and keys. Use this command at the global configuration level of the CLI. 218 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS [ no] slb ssl-load {certificate file-name | private-key file-name} [ use-mgmt-port] url The use-mgmt-port option uses the AX devices management route table and management port to communicate with the remote server. Without this option, the AX device uses the main route table and a data interface to com- municate with the remote server. The url specifies the file transfer protocol (tftp:, ftp:, scp:, or rcp:), user- name (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL: tftp://host/file ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file To configure the client-SSL template, use the following commands: slb template client-ssl template-name Use this command at the global configuration level of the CLI. The com- mand changes the CLI to the configuration level for the template. For infor- mation about the template options, see the AX Series CLI Reference. To Configure a Virtual Server Use the following commands: slb virtual-server name ipaddr Use this command at the global configuration level of the CLI. For the ipaddr, use the IP address to which clients will send SIP traffic. This com- mand changes the CLI to the configuration level for the virtual server, where the following commands are available: port port-number sips port port-number sip-tcp Use the sips option to add a port for SIP over TLS clients. Use the sip-tcp option to add a port for SIP over TCP clients. This command changes the CLI to the configuration level for the virtual port, where the following com- mands are available: P e r f o r m a n c e b y D e s i g n 219 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS service-group group-name This command binds a service group to the virtual port. template sip template-name template connection-reuse template-name template client-ssl template-name These commands bind templates to the virtual port. CLI Example The commands in this example implement the SIP multiplexing configura- tion shown in Figure74 on page204, and show SIP SLB statistics. The following commands access the configuration level of the CLI and con- figure a SIP over TCP health monitor: AX>enable AX#config AX( conf i g) #health monitor sip-over-tcp AX( conf i g- heal t h: moni t or ) #method sip tcp The following commands configure the real servers: AX>enable AX#config AX( conf i g) #slb server siptls-rs1 10.4.2.1 AX( conf i g- r eal ser ver ) #port 5060 tcp AX( conf i g- r eal ser ver ) #healthcheck sip-over-tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server siptls-rs2 10.4.2.2 AX( conf i g- r eal ser ver ) #port 5060 tcp AX( conf i g- r eal ser ver ) #healthcheck sip-over-tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure the service group: AX( conf i g) #slb service-group siptls-sg tcp AX( conf i g- sl b ser vi ce gr oup) #member siptls-rs1 10.4.2.1:5060 AX( conf i g- sl b ser vi ce gr oup) #member siptls-rs2 10.4.2.2:5060 AX( conf i g- sl b ser vi ce gr oup) #exit 220 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS The following commands configure the SIP template: AX( conf i g) #slb template sip siptls-tmplt AX( conf i g- SI P LB t empl at e) #insert-client-ip AX( conf i g- SI P LB t empl at e) #client-keep-alive AX( conf i g- SI P LB t empl at e) #select-client-fail "480 Temporarily Unavailable" AX( conf i g- SI P LB t empl at e) #select-server-fail "504 Server Time-out" AX( conf i g- SI P LB t empl at e) #exclude-translation header Authentication AX( conf i g- SI P LB t empl at e) #exit The following commands configure the connection-reuse template: AX( conf i g) #slb template connection-reuse siptls-tmplt AX( conf i g- connect i on r euse t empl at e) #limit-per-server 100 AX( conf i g- connect i on r euse t empl at e) #keep-alive-conn 64 AX( conf i g- connect i on r euse t empl at e) #exit The following commands import the certificates and keys to use for authen- ticating SIP clients: AX( conf i g) #slb ssl-load certificate ca-cert.pem scp: Addr ess or name of r emot e host [ ] ?192.168.1.1 User name [ ] ?admin Passwor d [ ] ?********* Fi l e name [ / ] ?ca-cert.pem AX( conf i g) #slb ssl-load private-key ca-certkey.pem scp: Addr ess or name of r emot e host [ ] ?192.168.1.1 User name [ ] ?admin Passwor d [ ] ?********* Fi l e name [ / ] ?ca-certkey.pem AX( conf i g) #slb ssl-load certificate cert.pem scp: Addr ess or name of r emot e host [ ] ?192.168.1.1 User name [ ] ?admin Passwor d [ ] ?********* Fi l e name [ / ] ?cert.pem AX( conf i g) #slb ssl-load private-key certkey.pem scp: Addr ess or name of r emot e host [ ] ?192.168.1.1 User name [ ] ?admin Passwor d [ ] ?********* Fi l e name [ / ] ?certkey.pem The following commands configure the client-SSL template: AX( conf i g) #slb template client-ssl siptls-tmplt AX( conf i g- cl i ent SSL t empl at e) #ca-cert ca-cert.pem AX( conf i g- cl i ent SSL t empl at e) #cert cert.pem AX( conf i g- cl i ent SSL t empl at e) #key certkey.pem AX( conf i g- cl i ent SSL t empl at e) #exit P e r f o r m a n c e b y D e s i g n 221 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Load Balancing for SIP over TCP/TLS The following commands configure the virtual server: AX( conf i g) #slb virtual-server siptls-vip 10.1.54.4 AX( conf i g- sl b vi r t ual ser ver ) #port 5061 sips AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group siptls-sg AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template sip siptls-tmplt AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template connection-reuse siptls-tmplt AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template client-ssl siptls-tmplt Displaying SIP SLB Statistics To display SIP SLB statistics, use the following command: show slb sip [ detail] The detail option shows statistics separately for each CPU. Without this option, aggregate statistics are shown for all CPUs. CLI Example The following command shows SIP SLB statistics: AX#show slb sip Tot al - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cur r Pr oxy Conns 0 Tot al Pr oxy Conns 115 Cl i ent message 125 Cl i ent message ( f ai l ) 0 Ser ver message 12 Ser ver message ( f ai l ) 0 Cl i ent r equest 119 Cl i ent r equest ( succ) 12 Cl i ent RST 0 Ser ver RST 113 Par se message f ai l 0 Ser ver sel ect i on f ai l 0 Ser ver conn made 115 Sour ce NAT f ai l ur e 0 222 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Disabling Reverse NAT Based on Destination IP Address Disabling Reverse NAT Based on Destination IP Address You can use a SIP template to disable reverse NAT for traffic from servers, based on IP address. This option is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the AX device. Figure86 shows an example. FIGURE 86 Revere NAT Disabled for Traffic froma SIP Server By default, the AX device performs reverse NAT on all traffic from a SIP server before forwarding the traffic. Reverse NAT translates the source IP address of return traffic from servers to clients back into the VIP address before forwarding the traffic to clients. However, if the SIP server needs to reach another server, and the traffic must pass through the AX device, the destination server will receive the traffic from the VIP address instead of the SIP server address. To disable reverse NAT in this type of situation: 1. Configure an extended ACL that matches on the SIP server IP address or subnet as the source address, and matches on the destination servers IP address or subnet as the destination address. P e r f o r m a n c e b y D e s i g n 223 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Disabling Reverse NAT Based on Destination IP Address 2. Configure a SIP template that disables reverse NAT based on the ACL. 3. Bind the SIP template to the SIP virtual port. USING THE GUI 1. Select Config >Service >Template. 2. On the menu bar, select Application >SIP. 3. Click on the template name of click Add to create a new one. 4. Select the ACL from the Pass Real Server IP for ACL drop-down list. USING THE CLI To disable reverse NAT based on the IP addresses in an extended ACL, use the following command at the configuration level for the SIP template: [ no] pass-real-server-ip-for-acl acl-id The acl-id specifies an extended ACL ID (100-199). CLI Example The commands in this section are applicable to Figure86. The following command configures an extended ACL that matches on the SIP servers subnet and on the database servers subnet: AX( conf i g) #access-list 101 permit ip 10.10.10.0 /24 10.20.20.0 /24 The following commands configure a SIP template that disables reverse NAT for traffic that matches the ACL: AX( conf i g) #slb template sip sip1 AX( conf i g- si p) #pass-real-server-ip-for-acl 101 AX( conf i g- si p) #exit The following commands bind the SIP template to the SIP virtual port: AX( conf i g) #slb virtual-server sip-vip 192.168.20.1 AX( conf i g- sl b vser ver ) #port 5060 sip AX( conf i g- sl b vser ver - vpor t ) #template sip sip1 224 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP NAT for SIP IP NAT for SIP The AX device supports IP NAT for SIP. This feature allows clients in a pri- vate network to make SIP calls to outside SIP servers, without revealing the IP addresses of the clients to the servers. Dynamic NAT and static NAT are both supported. Note: Only the SIP signalling packets are NATted. The media packets are not NATted. To configure IP NAT for SIP: 1. Configure a pool, range list, or static inside source NAT mapping, that includes the real IP address(es) of the inside clients. 2. Enable inside NAT on the interface connected to the inside clients. 3. Enable outside NAT on the interface connected to the external SIP serv- ers. CLI Example The following configuration excerpt uses dynamic NAT. access- l i st 1 per mi t any ! i nt er f ace et her net 3 i p addr ess 171. 1. 1. 1 255. 255. 255. 0 i p nat i nsi de ! i nt er f ace et her net 5 i p addr ess 2. 2. 2. 1 255. 255. 255. 0 i p nat out si de ! i p nat pool xi n 2. 2. 2. 100 2. 2. 2. 100 net mask / 32 i p nat i nsi de sour ce l i st 1 pool xi n P e r f o r m a n c e b y D e s i g n 225 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview SSL Offload and SSL Proxy This chapter describes how to configure optimization of Secure Sockets Layer (SSL). Overview The AX device provides the following types of SSL optimization: SSL Offload The AX device applies Layer 7 features to HTTPS traffic per your configured HTTP template options, such as those described in HTTP Options for SLB on page131. SSL proxy The AX device acts as a Layer 4 SSL proxy for TCP ser- vices such as POPS, SMTPS, IMAPS, and LDAPS. SSL offload uses service type (virtual port type) HTTPS, and supports deep packet inspection and header manipulation. SSL proxy uses service type SSL-proxy and provides Layer 4 SLB but does not provide deep packet inspection or header manipulation. Both types of SSL optimization perform SSL handshakes, as well as encryption / decryption. SSL certificates and keys are required. You can import the certificates and keys or create them on the AX device. Note: The AX device also supports STARTTLS acceleration and encryption. See STARTTLS for Secure SMTP on page245. Choosing an SSL Optimization Implementation To choose which of the SSL optimization features to implement in your server farm, consider the following. Implement SSL offload if the following are true: The traffic will be HTTPS traffic. Layer 7 processing (deep packet inspection or manipulation) is required. 226 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Client SSL Implement SSL proxy if the following are true: The traffic will be SSL-secured traffic over TCP, but not necessarily HTTPS traffic. Layer 7 features are not required. Configuring Client SSL 1. Import or create a certificate and its key to use for TLS sessions with clients. You can create a self-signed certificate on the AX device or import a certificate. The configuration example in this chapter uses an imported certificate. For more information about certificate options, see SSL Certificate Management on page915. 2. Configure a client SSL template and add the certificate and key to it. USING THE GUI 1. To import a certificate and its key to use for TLS sessions with clients: a. Click Import. b. In the Name field, enter a name for the certificate. This is the name you will refer to when adding the certificate to a client-SSL or server-SSL template. c. Select the certificate location: Local The file is on the PC you are using to run the GUI, or is on a PC or server in the local network. Remote The file is on a remote server. d. Select the format of the certificate from the Certificate Format drop- down list. e. If you selected Local, click Browse next to the Certificate Source field and navigate to the location of the certificate. If you selected Remote: To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Oth- erwise, the AX device will attempt to reach the remote server through a data interface. Select the file transfer protocol: HTTP, HTTPS, FTP, TFTP, RCP, or SCP. P e r f o r m a n c e b y D e s i g n 227 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Client SSL In the URL field, enter the directory path and filename. If needed, change the protocol port number n the port field. By default, the default port number for the selected file transfer proto- col is used. In the User and Password fields, enter the username and password required for access to the remote server. f. Click Open. The path and filename appear in the Source field. g. If applicable, repeat the steps above for the private key. h. Click OK. The certificate and key appear in the certificate and key list. 2. To configure a client SSL template and add the certificate and key to it: a. Select Configure >Service >Template. b. Select SSL >Client SSL from the menu bar. c. Click Add. d. On the Client SSL tab, enter a name for the template in the Name field. e. In the Certificate Name drop-down list, select the certificate you imported in the previous step. f. In the Key Name field, select the private key you imported in the previous step. g. If the files are secured with a passphrase, enter the passphrase. h. Click OK. The new template appears in the Client SSL template table. 228 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Client SSL GUI CONFIGURATION EXAMPLE The following GUI examples show the configuration steps. FIGURE 87 Configure >Service >SSL Management - Import (for the certificate) FIGURE 88 Configure >Service >Template >SSL >Client SSL USING THE CLI 1. To import a certificate and key, use the following commands at the glo- bal Config level of the CLI: slb ssl-load certificate file-name url slb ssl-load key file-name url The url specifies the file transfer protocol, username (if required), direc- tory path, and filename. P e r f o r m a n c e b y D e s i g n 229 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Client SSL You can enter the entire URL on the command line or press Enter to dis- play a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL: tftp://host/file ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file 2. To configure a client SSL template, use the following commands: slb template client-ssl template-name Enter this command at the global Config level. cert cert-name Enter this command at the configuration level for the client SSL tem- plate. key key-name [ passphrase passphrase-string] CLI CONFIGURATION EXAMPLE The following commands import certificates and keys, and configure a cli- ent-SSL template to use them. The following commands import an SSL certificate and key: AX( conf i g) #slb ssl-load certificate sslcert1.crt ftp: Addr ess or name of r emot e host [ ] ?1.1.1.2 User name [ ] ?axadmin Passwor d [ ] ?********* Fi l e name [ / ] ?sslcert1.crt AX( conf i g) #slb ssl-load key sslcertkey.pem ftp: Addr ess or name of r emot e host [ ] ?1.1.1.2 User name [ ] ?axadmin Passwor d [ ] ?********* Fi l e name [ / ] ?sslcertkey.pem The following commands configure a client SSL template to use the certifi- cate and key: AX( conf i g) #slb template client-ssl sslcert-tmplt AX( conf i g- cl i ent SSL t empl at e) #cert sslcert.crt AX( conf i g- cl i ent SSL t empl at e) #key sslcertkey.pem AX( conf i g- cl i ent SSL t empl at e) #exit 230 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTPS Offload Configuring HTTPS Offload To configure the AX device to perform Layer 7 SLB for HTTPS clients: 1. Configure client SSL. (See Configuring Client SSL on page226.) 2. Configure the real servers for the TCP service. 3. Configure a service group for the servers and add them to the group. 4. If needed for your specific application, configure HTTP template options. (For information and examples, see HTTP Options for SLB on page131.) 5. Configure a virtual server and add a virtual port that has the service type https. Bind the service-group to the virtual port and to the HTTP tem- plate (if configured) and client-SSL template. Note: If traffic between the servers and AX device also will be encrypted, you also need to configure a server-SSL template and bind it to the virtual port. In configurations that use both client-SSL and server-SSL, use the HTTPS/SSL port number in the real server configuration. If only client-SSL is used, use the HTTP port number in the real server configuration. Use the HTTPS/SSL port number in the virtual server con- figuration. Beginning in AX Release 2.4.x, server-SSL without client-SSL is sup- ported. However, in this case, the service type of the virtual port must be HTTP, not HTTPS. Note: The AX device allocates processing resources to HTTPS virtual ports when you bind them to an SSL template. This results in increased CPU utilization, regardless of whether traffic is active on the virtual port. USING THE GUI 1. To configure real servers: a. Select Config >Service >SLB. b. Select Server on the menu bar. c. Click Add. The General tab appears. d. On the General tab, enter a name for the server and enter its IP address, in the Name and IP Address fields. e. On the Port tab, enter the port number in the Port field. f. In the Protocol drop-down list, select TCP, if not already selected. P e r f o r m a n c e b y D e s i g n 231 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTPS Offload g. Select the health monitor, if your configuration will use one. h. Click Add. The port appears in the Port list. i. Click OK. The server appears in the server table. j. Repeat for each real server. 2. To configure a service group for the servers and add them to the group: a. Select Service Group on the menu bar. b. Click Add. c. On the Service Group tab, enter a name for the service group. d. In the Type drop-down list, select TCP, if not already selected. e. Select the health monitor, if your configuration will use one. f. On the Port tab, select a server from the Server drop-down list. g. Enter the service port in the Port field. h. Click Add. The port appears in the list. i. Repeat stepf through steph for each server. j. Click OK. The new service group appears in the service group table. 3. To configure HTTP template options, see HTTP Options for SLB on page131. 4. To configure a virtual server for SSL offload: a. Select Virtual Server on the menu bar. b. Click Add. c. On the General tab, enter a name for the virtual server. d. In the IP Address field, enter the VIP address. e. On the Port tab, click Add. f. In the Type drop-down list, select HTTPS. g. In the Port field, enter the service port number. h. In the Service Group drop-down list, select the service group. i. If a custom HTTP template has been configured for this application, select the template from the HTTP Template drop-down list. j. In the Client-SSL Template drop-down list, select the template. k. Click OK. The HTTPS port appears in the port list for the virtual server. l. Click OK again. The new virtual server appears in the virtual server table. 232 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTPS Offload GUI CONFIGURATION EXAMPLE The following GUI examples show the configuration steps. FIGURE 89 Configure >Service >SLB >Server P e r f o r m a n c e b y D e s i g n 233 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTPS Offload FIGURE 90 Configure >Service >SLB >Service Group 234 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTPS Offload FIGURE 91 Configure >Service >SLB >Virtual Server P e r f o r m a n c e b y D e s i g n 235 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTPS Offload FIGURE 92 Configure >Service >SLB >Virtual Server - Port tab USING THE CLI 1. To configure a real server, use the following commands: slb server server-name ipaddr Enter this command at the global Config level. port port-num tcp Enter this command at the configuration level for the real server. 2. To configure a service group for the servers and add them to the group, use the following commands: slb service-group group-name tcp Enter this command at the global Config level. member server-name [ priority number] Enter this command at the configuration level for the service group. 3. To configure HTTP template options, see HTTP Options for SLB on page131. 236 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring HTTPS Offload 4. To configure a virtual server and HTTPS virtual port, use the following commands: slb virtual-server name ipaddr Enter this command at the global Config level. port port-number https Enter this command at the configuration level for the virtual server. service-group group-name template http template-name template client-ssl template-name Enter these commands at the configuration level for the virtual port to bind the port to the service group and the application templates. CLI CONFIGURATION EXAMPLE The following commands configure SSL offload. The feature is enabled by the https option of the port command at the virtual server configuration level of the CLI. The following commands configure the real servers: AX( conf i g) #slb server HTTPS1 10.5.5.2 AX( conf i g- r eal ser ver ) #port 80 tcp AX ( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server HTTPS2 10.5.5.3 AX( conf i g- r eal ser ver ) #port 80 tcp AX ( conf i g- r eal ser ver - node por t ) # #exit AX( conf i g- r eal ser ver ) #exit The following commands configure a service group for the HTTPS servers: AX( conf i g) #slb service-group HTTPS_servers tcp AX( conf i g- sl b ser vi ce gr oup) #member HTTPS1:80 AX( conf i g- sl b ser vi ce gr oup) #member HTTPS2:80 AX( conf i g- sl b ser vi ce gr oup) #exit P e r f o r m a n c e b y D e s i g n 237 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring the SSL Proxy Feature The following commands configure the VIP to which clients will send HTTPS traffic: AX( conf i g) #slb virtual-server v1 10.6.6.6 AX( conf i g- sl b vi r t ual ser ver ) #port 443 https AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group HTTPS_servers AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template http HTTPS_1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template client-ssl sslcert-tmplt Configuring the SSL Proxy Feature To configure the AX device as an SSL proxy for a TCP service: 1. Configure client SSL. (See Configuring Client SSL on page226.) 2. Configure the real servers for the TCP service. 3. Configure a service group for the servers and add them to the group. 4. Configure a virtual server and add a virtual port that has the service type ssl-proxy. Bind the service-group to the virtual port and to the client- SSL template. USING THE GUI 1. To configure real servers: a. Select Config >Service >SLB. b. Select Server on the menu bar. c. Click Add. The General tab appears. d. On the General tab, enter a name for the server and enter its IP address, in the Name and IP Address fields. e. On the Port tab, enter the port number in the Port field. f. In the Protocol drop-down list, select TCP, if not already selected. g. Select the health monitor, if your configuration will use one. h. Click Add. The port appears in the Port list. i. Click OK. The server appears in the server table. j. Repeat for each real server. 2. To configure a service group for the servers and add them to the group: a. Select Service Group on the menu bar. b. Click Add. 238 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring the SSL Proxy Feature c. On the Service Group tab, enter a name for the service group. d. In the Type drop-down list, select TCP, if not already selected. e. Select the health monitor, if your configuration will use one. f. On the Port tab, select a server from the Server drop-down list. g. Enter the service port in the Port field. h. Click Add. The port appears in the list. i. Repeat stepf through steph for each server. j. Click OK. The new service group appears in the service group table. 3. To configure a virtual server for SSL proxy: a. Select Virtual Server on the menu bar. b. Click Add. c. On the General tab, enter a name for the virtual server. d. In the IP Address field, enter the VIP address. e. On the Port tab, click Add. f. In the Type drop-down list, select SSL-Proxy. g. In the Port field, enter the service port number. h. In the Service Group drop-down list, select the service group. i. In the Client-SSL Template drop-down list, select the template. j. Click OK. The SSL proxy port appears in the port list for the virtual server. k. Click OK again. The new virtual server appears in the virtual server table. P e r f o r m a n c e b y D e s i g n 239 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring the SSL Proxy Feature GUI CONFIGURATION EXAMPLE The following GUI examples show the configuration steps. FIGURE 93 Configure >Service >SLB >Server 240 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring the SSL Proxy Feature FIGURE 94 Configure >Service >SLB >Service Group P e r f o r m a n c e b y D e s i g n 241 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring the SSL Proxy Feature FIGURE 95 Configure >Service >SLB >Virtual Server FIGURE 96 Configure >Service >SLB >Virtual Server - Port tab 242 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring the SSL Proxy Feature USING THE CLI 1. To configure a real server, use the following commands: slb server server-name ipaddr Enter this command at the global Config level. port port-num tcp Enter this command at the configuration level for the real server. 2. To configure a service group for the servers and add them to the group, use the following commands: slb service-group group-name tcp Enter this command at the global Config level. member server-name [ priority number] Enter this command at the configuration level for the service group. 3. To configure a virtual server and port for the TCP service, use the fol- lowing commands: slb virtual-server name ipaddr Enter this command at the global Config level. port port-number ssl-proxy Enter this command at the configuration level for the virtual server. service-group group-name template client-ssl template-name Enter these commands at the configuration level for the virtual port. P e r f o r m a n c e b y D e s i g n 243 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring the SSL Proxy Feature CLI CONFIGURATION EXAMPLE The following commands configure proxy SSL for POPS. The same com- mands can be used to configure SSL proxy for other TCP services. In each case, the feature is enabled by the ssl-proxy option of the port command at the virtual server configuration level of the CLI. The following commands configure the real servers: AX( conf i g) #slb server POP1 10.5.5.2 AX( conf i g- r eal ser ver ) #port 110 tcp AX ( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server POP2 10.5.5.3 AX( conf i g- r eal ser ver ) #port 110 tcp AX ( conf i g- r eal ser ver - node por t ) # #exit AX( conf i g- r eal ser ver ) #exit The following commands configure a service group for the POP servers: AX( conf i g) #slb service-group POP_servers tcp AX( conf i g- sl b ser vi ce gr oup) #member POP1:110 AX( conf i g- sl b ser vi ce gr oup) #member POP2:110 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure the VIP to which clients will send POPS traffic: AX( conf i g) #slb virtual-server v1 10.6.6.6 AX( conf i g- sl b vi r t ual ser ver ) #port 110 ssl-proxy AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group SMTP_servers AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template client-ssl sslcert-tmplt 244 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring the SSL Proxy Feature P e r f o r m a n c e b y D e s i g n 245 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview STARTTLS for Secure SMTP This chapter describes how to configure the AX device to secure Simple Mail Transfer Protocol (SMTP) mail using STARTTLS. Overview AX Series devices support the STARTTLS feature. STARTTLS is an exten- sion to SMTP that enables you to secure mail traffic to and from your leg- acy SMTP servers. SMTP itself does not provide any security. When the AX device is configured to perform STARTTLS, the AX acts as a proxy between SMTP clients and servers. Mail traffic to and from clients is encrypted by the AX, whereas traffic between the AX and the SMTP serv- ers is clear (not encrypted). Figure97 shows an example of the STARTTLS feature. FIGURE 97 STARTTLS 246 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Additional SMTP Security Options In addition to providing encryption of mail traffic for clients, the AX STARTTLS feature has additional security options: Require STARTTLS By default, client use of STARTTLS is optional. You can configure the AX to require STARTTLS. In this case, before any mail transactions are allowed, the client must issue the STARTTLS command to establish a secured session. If the client does not issue the STARTTLS command, the AX sends the following message to the client: "530 - Must issue a STARTTLS com- mand first Disable SMTP commands By default, the VRFY, EXPN, and TURN commands are allowed. You can disable support of any of these com- mands. In this case, if the client tries to issue a disabled SMTP com- mand, the AX sends the following message to the client: 502 - Command not implemented Domain Switching By default, SMTP traffic from all client domains is sent to the same service group. You can configure multiple service groups and send traffic to the groups based on the client domain. For example, you can send SMTP traffic from clients in domain "CorpA" to a different service group than SMTP traffic from clients in domain "CorpB". FIGURE 98 STARTTLS Domain Switching P e r f o r m a n c e b y D e s i g n 247 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring STARTTLS Configuring STARTTLS To configure STARTTLS: 1. Import a certificate and its key to use for TLS sessions with clients. 2. Configure a client SSL template and add the certificate and its key to it. 3. Configure a real server for each SMTP server and add the SMTP port to the server. 4. Configure a service group for the SMTP servers and add them to the group. 5. Configure an SMTP template. Within the template: a. Specify the email server domain. The default is mail-server- domain. b. Optionally, modify the service ready message. The default message text is "ESMTP mail service ready". The complete message sent to the client is constructed as follows: 200 - smtp-domain service-ready-string c. Optionally, disable one or more of the following SMTP commands: VRFY, EXPN, or TURN. If a client sends an SMTP command that is disabled on the AX, the AX sends the following message to the client: 502 - Command not implemented d. Optionally, change STARTTLS from being optional to being required. If you leave the setting "optional", mail clients will be able to send and receive unencrypted mail. e. Optionally, load balance SMTP traffic among multiple service groups based on client domains. 6. Configure a virtual server and port for the SMTP address to which cli- ents will send SMTP traffic, and add the SMTP service group and SMTP template to the port. 248 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring STARTTLS USING THE GUI In the GUI, most of the configuration steps (step1 through step4 above) for STARTTLS are the same as those for SSL proxy support. (See Configuring the SSL Proxy Feature on page237.) To configure an SMTP template for STARTTLS (step 5 above): 1. Select Configure >Service >Template. 2. Select Application >SMTP from the menu bar. 3. Click Add. The SMTP section appears. 4. In the SMTP section, enter general settings for the template: a. In the Name field, enter a name for the template. b. To force clients to use STARTTLS, select Enforced next to START- TLS. c. To disable STARTTLS commands sent by the client, select the com- mands to disable. d. In the Server Domain field, enter the domain for which the AX will provide STARTTLS service. e. In the Service Ready Message field, enter the message that the AX will send to client to inform them that the STARTTLS service is ready. 5. To configure domain switching settings: a. In the Client Domain Switching section, enter the client SMTP domain in the Client Domain field. b. In the Service Group drop-down list, select the service group to use for the client domain. c. Click Add. d. Repeat for each client domain. 6. Click OK. The new template appears in the SMTP template table. P e r f o r m a n c e b y D e s i g n 249 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring STARTTLS To configure a virtual server for STARTTLS (step 6 above): 1. Select Configure >Service >SLB. 2. Select Virtual Server on the menu bar. 3. Click Add. 4. In the General section, enter general settings for the virtual server: a. Enter a name for the virtual server. b. In the IP address field, enter the VIP address. 5. Configure port settings for the virtual server: a. In the Port section, click Add. The Virtual Server Port section appears. b. In the Type drop-down list, select SMTP. c. In the Port field, enter the service port number. d. In the Service Group drop-down list, select the service group. e. In the Client-SSL Template drop-down list, select the client SSL template. f. In the SMTP Template drop-down list, select the SMTP template. g. Click OK. The port appears in the port list for the virtual server. h. Click OK again. The new virtual server appears in the virtual server table. 250 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring STARTTLS GUI CONFIGURATION EXAMPLE The following GUI examples show the configuration steps. FIGURE 99 Config >Service >Template >Application >SMTP P e r f o r m a n c e b y D e s i g n 251 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring STARTTLS FIGURE 100 Config >Service >SLB >Virtual Server - Port section USING THE CLI 1. To import a certificate and its key, use the following commands at the global Config level of the CLI: slb ssl-load certificate file-name url slb ssl-load key file-name url The url specifies the file transfer protocol, username (if required), direc- tory path, and filename. You can enter the entire URL on the command line or press Enter to dis- play a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL: tftp://host/file ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file 2. To configure a client SSL template, use the following commands: slb template client-ssl template-name 252 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring STARTTLS Enter this command at the global Config level. cert cert-name Enter this command at the configuration level for the client SSL tem- plate. key key-name [ passphrase passphrase-string] 3. To configure a real server for an SMTP server, use the following com- mands: slb server server-name ipaddr Enter this command at the global Config level. port port-num tcp Enter this command at the configuration level for the real server. 4. To configure a service group for the SMTP servers and add them to the group, use the following commands: slb service-group group-name tcp Enter this command at the global Config level. member server-name [ priority number] Enter this command at the configuration level for the service group. 5. To configure an SMTP template, use the following commands: slb template smtp template-name Enter this command at the global Config level. Use the following com- mands at the configuration level for the SMTP template to set SMTP options: server-domain name service-ready-message string starttls {disable | optional | enforced} domain-switching match string service-group group-name The disable option of the starttls command disables STARTTLS sup- port on the VIP that uses the SMTP template. The domain-switching command is required only if you have multiple service groups and you want to direct SMTP clients to specific service groups based on the client's domain. 6. To configure a virtual server and port for the SMTP address to which clients will send SMTP traffic, add the SMTP service group, and add the P e r f o r m a n c e b y D e s i g n 253 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring STARTTLS SMTP and client SSL templates to the port, use the following com- mands: slb virtual-server name ipaddr Enter this command at the global Config level. port port-num smtp Enter this command at the configuration level for the virtual server. service-group group-name template smtp template-name template client-ssl template-name Enter these commands at the configuration level for the virtual port. Displaying STARTTLS Statistics To display STARTTLS statistics, use the following command at the Privi- leged EXEC level or any configuration level of the CLI: show slb smtp [ detail] CLI CONFIGURATION EXAMPLE The following commands implement the STARTTLS configuration shown in Figure97 on page245. To begin, the following commands import an SSL certificate and key: AX( conf i g) #slb ssl-load certificate starttls.crt ftp: Addr ess or name of r emot e host [ ] ?1.1.1.2 User name [ ] ?axadmin Passwor d [ ] ?********* Fi l e name [ / ] ?starttls.crt AX( conf i g) #slb ssl-load key tlscertkey.pem ftp: Addr ess or name of r emot e host [ ] ?1.1.1.2 User name [ ] ?axadmin Passwor d [ ] ?********* Fi l e name [ / ] ?tlscertkey.pem 254 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring STARTTLS The following commands configure a client SSL template to use the certifi- cate and key: AX( conf i g) #slb template client-ssl mailcert-tmplt AX( conf i g- cl i ent SSL t empl at e) #cert starttls.crt AX( conf i g- cl i ent SSL t empl at e) #key tlscertkey.pem AX( conf i g- cl i ent SSL t empl at e) #exit The following commands configure the SMTP real servers: AX( conf i g) #slb server SMTP1 10.1.1.2 AX( conf i g- r eal ser ver ) #port 25 tcp AX ( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server SMTP2 10.1.1.3 AX( conf i g- r eal ser ver ) #port 25 tcp AX ( conf i g- r eal ser ver - node por t ) # #exit AX( conf i g- r eal ser ver ) #exit The following commands configure a service group for the SMTP servers: AX( conf i g) #slb service-group SMTP_servers tcp AX( conf i g- sl b ser vi ce gr oup) #member SMTP1:25 AX( conf i g- sl b ser vi ce gr oup) #member SMTP2:25 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure the STMP template. In this example, additional security is added by enforcing STARTTLS and by disabling the SMTP commands VRFY, EXPN, and TURN. AX( conf i g) #slb template smtp starttls-tmplt AX( conf i g- sl b t empl at e) #server-domain mycorp.com AX( conf i g- sl b t empl at e) #service-ready-message MyCorp ESMTP mail service is ready AX( conf i g- sl b t empl at e) #starttls enforced AX( conf i g- sl b t empl at e) #command-disable vrfy expn turn The following commands configure the VIP to which mail clients will send SMTP traffic: AX( conf i g) #slb virtual-server v1 10.1.1.1 AX( conf i g- sl b vi r t ual ser ver ) #port 25 smtp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group SMTP_servers AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template client-ssl mailcert-tmplt AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template smtp starttls-tmplt P e r f o r m a n c e b y D e s i g n 255 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Streaming-Media Load Balancing This chapter describes streaming-media load balancing and how to config- ure it. Overview AX Series devices support content-aware load balancing of the following widely used streaming-media types: Real Time Streaming Protocol (RTSP) Microsoft Media Server (MMS) Note: The AX Series also supports load balancing of Session Initiation Protocol (SIP) sessions. For information, see SIP Load Balancing on page189. Figure101 shows an example of a streaming-media load balancing solution. 256 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 101 Streaming-Media Load Balancing In this example, a server farm provides streaming content in both RTSP and MMS format. All the servers are allowed to serve HTTP and HTTPS requests. Two of the servers (stream-rs2 and stream-rs3) are configured to serve RTSP and MMS requests. Service Groups This example uses the following service groups: all80-grp The servers in this service group provide HTTP and HTTPS service. In this example, all the servers are members of this service group. rtsp554-grp The servers in this service group provide RTSP content. mms1755-grp The servers in this service group provide MMS content. P e r f o r m a n c e b y D e s i g n 257 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Streaming-Media SLB Note: Using separate service groups makes it easier to adapt the configuration when the server farm grows. For example, if RTSP and MMS content is separated onto different servers, the membership of the RTSP group can easily be edited to include only the RTSP servers, and so on. Templates By default, the default TCP template is applied to RTSP and MMS traffic. (For information, see TCP Template Parameters on page864.) Health Monitors This example uses the default Layer 3 health check (ping) and the default Layer 4 TCP health check. Configuring Streaming-Media SLB To configure streaming-media load balancing: 1. Configure the real servers. Make sure to add the RTSP or MMS ports. 2. Configure service groups. If both supported streaming-media types are used (RTSP and MMS), make sure to configure a separate service group for each type. 3. Configure the virtual server by adding virtual service ports for the streaming-media services. Most of the configuration procedures are the same as the configuration pro- cedures for other types of SLB. USING THE GUI To configure a streaming-media template: 1. Select Config >Service >Template. 2. Select Application >RTSP on the menu bar. 3. Click Add. 4. Enter a name for the template. 5. Configure other options, if applicable to your configuration. 6. Click OK. 258 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Streaming-Media SLB When configuring the virtual server, select RTSP or MMS as the service port type. USING THE CLI 1. To configure the real servers, use the following commands: slb server server-name ipaddr Enter this command at the global Config level of the CLI. The command creates the server and changes the CLI to the configura- tion level for it. port port-num tcp Available at the configuration level for the server, the port command adds a TCP port and changes the CLI to the configuration level for the port. Enter a separate port command for each port number to be load balanced. 2. To configure the service groups, use the following commands: slb service-group group-name tcp This command creates the service group and changes the CLI to the con- figuration level for it. member server-name:portnum The member command adds a server to the service group. The server- name is the name you used when you configured the real server. The portnum is the protocol port number configured on the real server. 3. To configure the virtual server, use the following commands: slb virtual-server name ipaddr This command creates the virtual server and changes the CLI to the con- figuration level for it. port port-number http port port-number https port port-number rtsp port port-number mms The port commands add virtual ports for each service to be load bal- anced. For each port, the command changes the CLI to the configuration level for the port, where the following command is used: service-group group-name The service-group command binds the virtual port to a service group. P e r f o r m a n c e b y D e s i g n 259 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Streaming-Media SLB CLI CONFIGURATION EXAMPLE The following commands configure the real servers: AX( conf i g) #slb server stream-rs1 192.168.66.21 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 443 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server stream-rs2 192.168.66.22 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 443 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g- r eal ser ver ) #port 1755 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 554 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server stream-rs3 192.168.66.23 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 443 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 1755 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 554 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit 260 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Streaming-Media SLB The following commands configure the service groups: AX( conf i g) #slb service-group all80-grp tcp AX( conf i g- sl b ser vi ce gr oup) #member stream-rs1:80 AX( conf i g- sl b ser vi ce gr oup) #member stream-rs1:443 AX( conf i g- sl b ser vi ce gr oup) #member stream-rs2:80 AX( conf i g- sl b ser vi ce gr oup) #member stream-rs2:443 AX( conf i g- sl b ser vi ce gr oup) #member stream-rs3:80 AX( conf i g- sl b ser vi ce gr oup) #member stream-rs3:443 AX( conf i g- sl b ser vi ce gr oup) #exit AX( conf i g) #slb service-group rtsp554-grp tcp AX( conf i g- sl b ser vi ce gr oup) #member stream-rs2:554 AX( conf i g- sl b ser vi ce gr oup) #member stream-rs3:554 AX( conf i g- sl b ser vi ce gr oup) #exit AX( conf i g) #slb service-group mms1755-grp tcp AX( conf i g- sl b ser vi ce gr oup) #member stream-rs2:1755 AX( conf i g- sl b ser vi ce gr oup) #member stream-rs3:1755 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure the virtual server: AX( conf i g) #slb virtual-server streaming-vip 192.168.69.4 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group all80-grp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 443 https AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group all80-grp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 554 rtsp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group rtsp554-grp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 1755 mms AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group mms1755-grp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit P e r f o r m a n c e b y D e s i g n 261 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Layer 4 TCP/UDP Load Balancing This chapter describes Layer 4 load balancing of TCP and UDP traffic and how to configure it. Note: The Layer 4 load balancing described in this chapter requires you to spec- ify the protocol port numbers to be load balanced. To load balance traffic based solely on transport protocol (TCP, UDP, or other), see IP Protocol Load Balancing on page269. Overview In addition to load balancing for well-known and widely used types of ser- vices such as HTTP, HTTPS, and FTP, AX devices also support Layer 4 load balancing for custom applications. If a service you need to load balance is not one of the well-known service types recognized by the AX device, you still can configure Layer 4 TCP or UDP load balancing for the service. Figure102 shows an example of a Layer 4 load balancing implementation. 262 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 102 Layer 4 SLB Layer 4 load balancing balances traffic based on the transport protocol (TCP or UDP) and the protocol port number. The payload of the UDP or TCP packets is not examined. In this example, a custom application is running on a server farm consisting of three real servers. Clients navigate to the VIP to use the custom applica- tion. Note: To configure deeper packet inspection for custom applications, you can use aFleX policies. For example, you can configure an aFleX policy to examine the byte value at a certain position within each client request packet and select a server based on the value of the byte. For information about aFleX policies, see the AX Series aFleX Reference. SERVICE GROUPS This example uses a single service group that contains all the real servers. The service group uses the default load balancing method (round robin). P e r f o r m a n c e b y D e s i g n 263 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview VIRTUAL SERVER The custom application on the real servers is accessed at TCP port 1020 by clients through virtual IP address 192.168.55.55. TEMPLATES The AX device has default TCP and UDP templates. You can use the default template or configure another TCP or UDP template and use that one instead. If your Layer 4 load balancing configuration is for a TCP appli- cation and you do not bind a TCP template to the virtual port, the default TCP template is used. For a UDP application, the default UDP template is used unless you bind another UDP template to the virtual port. One of the parameters you can configure in TCP and UDP templates is the idle time. Depending on the requirements of your application, you can reduce or increase the amount of time the AX device allows a session to remain idle. For UDP transaction-based applications, another parameter you can adjust is how quickly connections are terminated after a server reply is received. For example, if there are licensing costs associated with active sessions, you can minimize unnecessary costs by quickly terminating idle sessions, and immediately terminating connections that are no longer needed. For more information about the parameters controlled by TCP and UDP templates, see the following sections: TCP Template Parameters on page864 UDP Template Parameters on page867 Optionally, you also can configure a source-IP persistence template and bind it to the virtual port. The example in this chapter uses a source-IP per- sistence template that is configured to send all traffic from a given client IP address to the same real server. Without this custom template, different requests from a given client can be sent to different servers, based simply on the load balancing method. See Source-IP Persistence Template Parameters on page860. 264 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 4 Load Balancing HEALTH MONITORS This example uses the default Layer 3 and Layer 4 health monitors. The Layer 3 monitor (Ping) and the applicable Layer 4 monitor (TCP or UDP) are enabled by default when you configure the real server and real service ports. Note: You can create an external health monitor using a script and import the monitor onto the AX device. For information, see Health Monitoring on page381. Configuring Layer 4 Load Balancing To configure Layer 4 load balancing: 1. Configure the real servers. Add the custom applications TCP or UDP port number, with the applicable service type (TCP or UDP). 2. Configure a service group. Add the real servers, service port, and any custom templates to the group. 3. If applicable, configure a custom TCP or UDP template. 4. If applicable, configure a source-IP persistence template. 5. Configure the virtual server. Bind the virtual service port on the virtual server to the service group and custom templates, if configured. USING THE GUI 1. To configure the real servers: a. Select Config >Service >SLB. b. Select Server on the menu bar. c. Click Add. d. In the General section, configure general settings for the server. e. In the Port section, enter the protocol port number of the application in the port field. f. In the Type drop-down list, select the transport protocol for the application, TCP or UDP. g. Configure other port settings if needed, then click Add. The applica- tion port appears in the Port list. h. Click OK. The real server appears in the real server table. P e r f o r m a n c e b y D e s i g n 265 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 4 Load Balancing 2. To configure the service group: a. Select Config >Service >SLB, if not already selected. b. Select Service Group on the menu bar. c. Click Add. d. In the Service Group section, enter a name for the service group. e. In the Type drop-down list, select the transport protocol for the application, TCP or UDP. f. In the Server section, select a server from the Server drop-down list. g. Enter the protocol port number in the Port field. h. Click Add. i. Repeat stepf through steph for each server and port. j. Click OK. The service group appears in the Service Group table. 3. To configure a custom TCP or UDP template: a. Select Config >Service >Template. b. Select L4 >TCP or L4 >UDP on the menu bar. c. Click Add. d. Enter a name for the template. e. Edit template settings as needed for your application. (See TCP Template Parameters on page864 or UDP Template Parameters on page867.) f. Click OK. 4. To configure a source-IP persistence template: a. Select Config >Service >Template. b. Select Persistent >Source IP Persistent on the menu bar. c. Click Add. d. Enter a name for the template. e. Edit template settings as needed for your application. (See Source- IP Persistence Template Parameters on page860.) f. Click OK. 5. To configure the virtual server: a. Select Config >Service >SLB, if not already selected. b. Select Virtual Server on the menu bar. c. Click Add. 266 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 4 Load Balancing d. Enter a name for the virtual server. e. In the IP Address field, enter the virtual IP address to which clients will send requests. f. Select or enter other general settings as needed. g. In the Port section, click Add. The Virtual Server Port section appears. h. In the Type drop-down list, select the transport protocol for the application, TCP or UDP. i. Enter the application port number in the Port field. j. If you configured any custom templates, select them from the drop- down lists for each template type. k. Enter or select other values as needed. l. Click OK. The port appears in the port section. m. Click OK again. The virtual server appears in the virtual server list. USING THE CLI 1. To configure the real servers, use the following commands: slb server server-name ipaddr This command changes the CLI to the configuration level for the real server, where you can use the following command to add the TCP or UDP port to the server: port port-num {tcp | udp} The port-num specifies the protocol port number. In this example, spec- ify 1020. This command adds the port and changes the CLI to the configuration level for the port, where additional commands are available. (For infor- mation, see the AX Series CLI Reference.) 2. To configure the service group, use the following commands: slb service-group group-name {tcp | udp} This command changes the CLI to the configuration level for the service group, where you can use the following command to add the real servers and service ports to the group: member server-name:portnum The portnum is the protocol port number of the service to be load bal- anced. In this example, specify tcp-2:1020. Repeat the command for tcp-3:1020 and tcp-4:1020. P e r f o r m a n c e b y D e s i g n 267 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 4 Load Balancing 3. To configure a custom TCP or UDP template, use the following com- mands at the global configuration level of the CLI: slb template tcp template-name slb template udp template-name These commands create the template and change the CLI to the configu- ration level for the template, where additional commands are available. (See TCP Template Parameters on page864 or UDP Template Parameters on page867. Also see the Config Commands: SLB Tem- plates chapter in the AX Series CLI Reference.) 4. To configure a source-IP persistence template, use the following com- mand at the global configuration level of the CLI: slb template persist source-ip template-name 5. To configure the virtual server, use the following commands: slb virtual-server name ipaddr This command changes the CLI to the configuration level for the virtual server, where you can use the following command to add the virtual port to the server: port port-number {tcp | udp} For this example, specify tcp and 1020 as the port-num. The port command changes the CLI to the configuration level for the virtual port, where you can use the following command to bind the vir- tual port to the service group: service-group group-name The group-name is the name of the service group configured in step2. If you configured a custom template, use the following command to bind the template to the service group: template template-type template-name 268 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 4 Load Balancing CLI EXAMPLE The following commands configure the real servers: AX( conf i g) #slb server tcp-2 10.10.10.2 AX( conf i g- r eal ser ver ) #port 1020 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server tcp-3 10.10.10.3 AX( conf i g- r eal ser ver ) #port 1020 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server tcp-4 10.10.10.4 AX( conf i g- r eal ser ver ) #port 1020 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure the service group: AX( conf i g) #slb service-group tcp-sg tcp AX( conf i g- sl b ser vi ce gr oup) #member tcp-2:1020 AX( conf i g- sl b ser vi ce gr oup) #member tcp-3:1020 AX( conf i g- sl b ser vi ce gr oup) #member tcp-4:1020 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure a source-IP persistence template: AX( conf i g) #slb template persist source-ip app1020persist AX( conf i g- sour ce i p per si st ence t empl at e) #match-type server AX( conf i g- sour ce i p per si st ence t empl at e) #exit The following commands configure the virtual server: AX( conf i g) #slb virtual-server web-vip 192.168.55.55 AX( conf i g- sl b vi r t ual ser ver ) #port 1020 tcp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group tcp-sg AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template persist source-ip app1020persist P e r f o r m a n c e b y D e s i g n 269 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview IP Protocol Load Balancing This chapter describes load balancing of traffic based solely on transport protocol (TCP, UDP, or other), without the need to specify the protocol port numbers to be load balanced. Overview IP protocol load balancing enables you to easily load balance traffic based solely on whether the traffic is TCP, UDP, or other (not UDP or TCP), with- out the need to specify the protocol port numbers to be load balanced. You can combine IP protocol load balancing with other load balancing con- figurations. For example, you can use IP protocol load balancing along with HTTP load balancing. In this case, HTTP traffic to the VIP HTTP port num- ber is load balanced separately from traffic to other port numbers. Figure103 shows an example of an IP protocol load balancing deployment. 270 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 103 IP Protocol Load Balancing This example uses separate service groups for each of the following types of traffic: HTTP traffic addressed to TCP port 80 is sent to service group http-grp. All TCP traffic addressed to any TCP port except port 80 is sent to ser- vice group tcp-grp. P e r f o r m a n c e b y D e s i g n 271 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview All UDP traffic, addressed to any UDP port, is sent to service group udp-grp. All other traffic (all non TCP/UDP traffic) is sent to service group oth- ers-grp. Although this example shows separate service groups for each type of traf- fic, you can use the same service group for multiple traffic types. In IP protocol load-balancing configurations, port 0 (zero) is used as a wild- card port and matches on any port number. In configurations where some protocol port numbers are explicitly specified, SLB for those ports takes precedence over SLB for the wildcard port (0). In the example above, the service group configured for TCP port 80 is always used for client requests addressed to that port, instead of a service group configured for the wildcard port. Health checking does not apply to the wildcard port. When you configure IP protocol load balancing, make sure to disable health checking of port 0. If you leave health checking enabled, the port will be marked down and the clients request therefore will not be serviced. SLB NAT For client request traffic to which IP protocol load balancing applies, the AX device translates only the destination IP address, not the protocol port number. The AX device translates the destination IP address in the request from the VIP address to a real servers IP address. The AX device then sends the request to the same protocol port number as the one requested by the client. (Likewise, the AX device does not translate the port number to 0.) In configurations where some protocol port numbers are explicitly speci- fied, auto port translation is still supported for the explicitly specified port numbers. In the example above, SLB NAT can translate TCP port 80 into another TCP port number if required by the configuration. Template Support For TCP or UDP, a TCP or UDP template is applied, as in other types of SLB. Optionally, you also can use a source-IP persistence template. For non-TCP/UDP traffic, the TCP template is used. 272 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring IP Protocol Load Balancing Direct Server Return For either of the following types of applications, IP protocol load balancing is supported only when Direct Server Return (DSR) is enabled on the virtual port. Application Layer Gateway (ALG) applications, such as FTP. For an ALG application, either enable DSR or configure SLB explicitly for the ALG service port. Any application that requires inspection of any part of the client request packet other than the destination IP address Note: In the CLI, DSR is enabled by the no-dest-nat command. Comparison of IP Protocol Load Balancing to Layer 4 TCP/UDP Load Balancing IP protocol load balancing is similar to Layer 4 load balancing, except IP protocol load balancing enables you to load balance non-TCP/UDP traffic. Layer 4 load balancing applies only to TCP or UDP traffic. In addition, IP protocol load balancing uses a wildcard port number that matches on any TCP port, UDP port, or any non-TCP/UDP port, depending on the configu- ration. Layer 4 load balancing requires you to explicitly specify the protocol port numbers to load balance. Configuring IP Protocol Load Balancing To configure IP protocol load balancing: 1. Configure the real servers. For each real server that will service requests to IP protocol load-balanced traffic, add service port 0 (the wildcard port). Disable health checking of port 0. Health checking does not apply to the wildcard port. 2. Configure the service group(s). To add members (real servers) for traffic to which IP protocol load balancing will apply, specify 0 as the protocol port for the member. P e r f o r m a n c e b y D e s i g n 273 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring IP Protocol Load Balancing 3. Configure the virtual server. Bind virtual port 0 to the service group(s) that have members for port 0. Specify one of the following as the service type: TCP UDP Others Note: For load balancing of non-TCP/UDP traffic, you can specify TCP or UDP as the transport protocol, in the configurations of the real server ports and service groups. If the port number is 0 and the service type on the virtual port is others, the AX device will load balance the traffic as non-TCP/ UDP traffic. USING THE GUI Configuration of IP protocol SLB is similar to configuration of TCP/UDP SLB, with the following differences. 1. In the real server Port section (Config >Service >SLB >Server), enter 0 in the Port field. 2. In the Service Group section, enter 0 as the port number on the Service Group page. 3. In the Virtual Server Port section (Config >Service >SLB >Virtual Server), select TCP, UDP, or Others in the Type drop-down list. USING THE CLI The following commands configure the real servers shown in Figure103 on page270. For simplicity, the example assumes that only the default TCP health check is used for port 80. Health checking does not apply to the wildcard port number and is therefore disabled. Health checking of other, explicitly speci- fied port numbers is still supported as in previous releases. AX( conf i g) #slb server rs1 10.10.10.21 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 10.10.10.22 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs3 10.10.20.21 AX( conf i g- r eal ser ver ) #port 0 tcp 274 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring IP Protocol Load Balancing AX( conf i g- r eal ser ver ) #no health-check AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs4 10.10.20.22 AX( conf i g- r eal ser ver ) #port 0 tcp AX( conf i g- r eal ser ver ) #no health-check AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs5 10.10.30.21 AX( conf i g- r eal ser ver ) #port 0 udp AX( conf i g- r eal ser ver ) #no health-check AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs6 10.10.30.22 AX( conf i g- r eal ser ver ) #port 0 udp AX( conf i g- r eal ser ver ) #no health-check AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs7 10.10.40.21 AX( conf i g- r eal ser ver ) #port 0 tcp AX( conf i g- r eal ser ver ) #no health-check AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs8 10.10.40.22 AX( conf i g- r eal ser ver ) #port 0 tcp AX( conf i g- r eal ser ver ) #no health-check AX( conf i g- r eal ser ver ) #exit The following commands configure the service groups. AX( conf i g) #slb service-group http-grp tcp AX( conf i g- sl b ser vi ce gr oup) #member rs1:80 AX( conf i g- sl b ser vi ce gr oup) #member rs2:80 AX( conf i g- sl b ser vi ce gr oup) #exit AX( conf i g) #slb service-group tcp-grp tcp AX( conf i g- sl b ser vi ce gr oup) #member rs3:0 AX( conf i g- sl b ser vi ce gr oup) #member rs4:0 AX( conf i g- sl b ser vi ce gr oup) #exit AX( conf i g) #slb service-group udp-grp udp AX( conf i g- sl b ser vi ce gr oup) #member rs5:0 AX( conf i g- sl b ser vi ce gr oup) #member rs6:0 AX( conf i g- sl b ser vi ce gr oup) #exit AX( conf i g) #slb service-group others-grp tcp AX( conf i g- sl b ser vi ce gr oup) #member rs7:0 AX( conf i g- sl b ser vi ce gr oup) #member rs8:0 AX( conf i g- sl b ser vi ce gr oup) #exit P e r f o r m a n c e b y D e s i g n 275 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring IP Protocol Load Balancing The following commands configure the virtual server. AX( conf i g) #slb virtual-server vip1 192.168.2.1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group http-grp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 0 tcp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group tcp-grp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 0 udp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group udp-grp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 0 others AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group tcp-others To display configuration information and statistics, you can use the same show commands used for other types of SLB: show slb virtual show slb server show slb service-group show session 276 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring IP Protocol Load Balancing P e r f o r m a n c e b y D e s i g n 277 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring a Wildcard VIP Wildcard VIPs You can create SLB configurations that use wildcard VIPs and wildcard vir- tual ports. A wildcard VIP matches on any destination IP address. Likewise, a wildcard virtual port matches on any port number. Wildcard VIPs enable you to configure a feature that applies to multiple VIPs, without the need to re-configure the feature separately for each VIP. To specify the subset of VIP addresses and ports for which the feature applies, you can use an ACL. If applicable, the ACL also can specify the subset of clients allowed to access the VIPs. You can use wildcard VIPs for all types of load balancing: SLB IP load balancing Transparent Cache Switching (TCS) Link Load Balancing (LLB) Firewall Load Balancing (FWLB) Note: Use of wildcard VIPs and interface-based SYN cookies is not supported. Configuring a Wildcard VIP The procedure for configuring a wildcard VIP is the same as the procedure for configuring a standard VIP, except you have the option to bind an ACL to the wildcard VIP. IPv4 wildcard VIPs have IP address 0.0.0.0. IPv6 wildcard VIPs have address :: (double colon). Wildcard protocol ports have port number 0. You can configure multiple wildcard VIPs and wildcard ports. The AX device allows multiple VIPs to have IP address 0.0.0.0 or ::. Likewise, mul- tiple ports that have port number 0 are allowed. Promiscuous VIP support must be enabled on the interface connected to cli- ents who will access wildcard VIPs. By default, promiscuous VIP support is disabled. 278 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring a Wildcard VIP Note: The ACL acts as a catch-all, and treats any IP address permitted by the ACL, and received on the promiscuous VIP interface, as a wildcard VIP. A10 Networks recommends that you use the most restrictive ACL possi- ble, to permit only the IP addresses that should be treated as VIPs and deny all other IP addresses. Default Wildcard VIP The AX device can have multiple wildcard VIPs, bound to different ACLs. However, the AX device can have only one IPv4 or IPv6 wildcard VIP that is not bound to any ACL. This is the default wildcard VIP. The default wild- card VIP is used for traffic that does not match any of the ACLs bound to other wildcard VIPs. If you do not configure a default wildcard VIP, traffic that does not match any of the ACLs bound to the other wildcard VIPs is forwarded at Layer 2/3, if applicable. Pass-Through Layer 2/3 Forwarding Support for Layer 4 Wild- card VIP Traffic AX Release 2.0.2 and later supports forwarding of wildcard VIP traffic that is not bound to a service group. The AX device creates a session for the traf- fic and forwards it at Layer 2/3. This feature is useful in mixed wildcard vir- tual server environments where Layer 4-7 features apply to certain VIPs and Layer 2/3 forwarding applies to other traffic. In AX releases prior to 2.0.2, Layer 4 traffic for a wildcard VIP that is not bound to a service group is dropped. USING THE GUI To configure a wildcard VIP: 1. Select Config >Service >SLB. 2. Select Virtual Server on the menu bar. 3. Click Add. The General section appears. 4. In the General section, enter a name for the virtual server in the Name field. 5. Select the Wildcard checkbox next to the Name field. Selecting this checkbox causes the Access List drop-down list to appear in place of the IP Address field. 6. Select the ACL from the Access List drop-down list. P e r f o r m a n c e b y D e s i g n 279 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring a Wildcard VIP 7. Select the IP version, IPv4 or IPv6. 8. Configure other VIP settings, then click OK. To enable promiscuous VIP support: 1. Select Network >Interface. 2. Click on the interface name to display the configuration sections for the interface. 3. Click on VIP to display the configuration fields. 4. Select Enabled next to Allow Promiscuous VIP. 5. Click OK. FIGURE 104 Config >Service >SLB >Virtual Server - wildcard VIP configuration 280 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring a Wildcard VIP FIGURE 105 Config >Network >Interface - VIP section USING THE CLI To configure a wildcard VIP, use the following command at the global con- figuration level of the CLI: [ no] slb virtual-server name {0.0.0.0 | ::} [ acl acl-id] For an IPv4 wildcard VIP, enter IP address 0.0.0.0. For an IPv6 wildcard VIP, enter IP address :: (double colon). If you specify an ACL, the ACL is used to control the clients allowed to access the VIPs and the VIP addresses managed by the wildcard VIP. The source address in the ACL filters the clients. The destination address in the ACL filters the VIPs. To enable promiscuous VIP support, use the following command at the con- figuration level for each interface connected to clients: [ no] ip allow-promiscuous-vip P e r f o r m a n c e b y D e s i g n 281 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring a Wildcard VIP Configuration Examples See the following: Outbound Link Load Balancing on page295 Transparent Cache Switching on page301 282 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring a Wildcard VIP P e r f o r m a n c e b y D e s i g n 283 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB Protocol Translation SLB Protocol Translation (SLB-PT) enables IPv4 servers to be used for serving content to IPv6 clients. Likewise, SLB-PT enables IPv6 servers to be used for serving content to IPv4 clients. Server farms can contain both IPv4 and IPv6 servers. SLB-PT is supported for the following virtual port types: UDP TCP Fast-HTTP HTTP HTTPS SSL-proxy SMTP Figure106 shows an example of a SLB-PT deployment that uses a mixed server farm of IPv4 and IPv6 servers to serve IPv6 clients. 284 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide FIGURE 106 SLB Protocol Translation In this example, a server farm consisting of IPv6 and IPv4 servers is config- ured with an IPv6 VIP address. IPv6 clients send requests to the IPv6 VIP. The AX device then selects an IPv6 or IPv4 server and forwards the clients request to the selected server. If the server is an IPv4 server, the AX device translates the IP protocol of the clients request from IPv6 to IPv4 before forwarding it to the IPv4 server. Likewise, when the AX device receives the serverss reply, the AX device translates the reply from IPv4 to IPv6, then forwards the reply to the client. Source NAT Requirement In addition to the standard SLB configuration items (servers, service groups, the VIP, and so on), SLB-PT requires IP source NAT. P e r f o r m a n c e b y D e s i g n 285 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide As a minimum requirement, a single NAT pool is required, for the IP type (IPv4 or IPv6) that differs from the IP type of clients. In this example, an IPv4 pool is required. The pool is used if the AX device selects an IPv4 server for an IPv6 clients request. The pool must be bound to each of the virtual ports that has a corresponding real port on an IPv4 server. If the deployment also will send IPv4 client requests to IPv6 servers, an IPv6 pool is also required. For simplicity, the CLI example below uses a single IPv4 NAT pool. Fol- lowing the example, the Examples Using Multiple Source NAT Pools on page288 section describes how to use multiple pools. CLI Example The following commands configure the SLB-PT deployment shown in Figure106 on page284. All of the CLI commands are also present in AX 2.2.x releases. Unlike previous releases, the AX device does not require the VIP and real server IP addresses to be of the same IP type (IPv4 or IPv6). The following commands configure the Ethernet interfaces connected to the clients and servers: AX( conf i g) #interface ethernet 1 AX( conf i g- i f : et her net 1) #ip address 192.168.217.100 255.255.255.0 AX( conf i g- i f : et her net 1) #ipv6 address 2001:558:ff4e:2::100/64 AX( conf i g- i f : et her net 1) #enable AX( conf i g- i f : et her net 1) #interface ethernet 2 AX( conf i g- i f : et her net 2) #ipv6 address 2001:32::2020:2001/64 AX( conf i g- i f : et her net 2) #enable AX( conf i g- i f : et her net 2) #exit The following command configures an IPv4 source NAT pool. AX( conf i g) #ip nat pool v4natpool-1 192.168.217.200 192.168.217.202 netmask /24 Note: For simplicity, this example uses only a single pool. If multiple pools are used, ACLs are also required. The ACLs must match on the client IP address(es) as the source address. If the real servers and VIP are in differ- ent subnets, the ACLs also must match on the real server IP address(es) as the destination address. (For more information, see Examples Using Multiple Source NAT Pools on page288. Also see the Network Address Translation chapter in the AX Series Configuration Guide.) 286 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide The following commands configure the IPv4 real servers. For simplicity, all the IPv4 and IPv6 servers have the same real ports. AX( conf i g) #slb server v4server-1 192.168.217.10 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 53 udp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 443 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 25 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server v4server-2 192.168.217.11 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 53 udp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 443 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 25 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure the IPv6 real servers: AX( conf i g) #slb server v6server-1 2001:558:ff4e:2::1 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 53 udp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 443 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 25 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server v6server-2 2001:558:ff4e:2::2 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 53 udp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 443 tcp AX( conf i g- r eal ser ver - node por t ) #exit P e r f o r m a n c e b y D e s i g n 287 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide AX( conf i g- r eal ser ver ) #port 25 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure the service group: AX( conf i g) #slb service-group sgv4v6 AX( conf i g- sl b ser vi ce gr oup) #member v4server-1:80 AX( conf i g- sl b ser vi ce gr oup) #member v4server-2:80 AX( conf i g- sl b ser vi ce gr oup) #member v6server-1:80 AX( conf i g- sl b ser vi ce gr oup) #member v6server-2:80 AX( conf i g- sl b ser vi ce gr oup) #member v4server-1:53 AX( conf i g- sl b ser vi ce gr oup) #member v4server-2:53 AX( conf i g- sl b ser vi ce gr oup) #member v6server-1:53 AX( conf i g- sl b ser vi ce gr oup) #member v6server-2:53 AX( conf i g- sl b ser vi ce gr oup) #member v4server-1:443 AX( conf i g- sl b ser vi ce gr oup) #member v4server-2:443 AX( conf i g- sl b ser vi ce gr oup) #member v6server-1:443 AX( conf i g- sl b ser vi ce gr oup) #member v6server-2:443 AX( conf i g- sl b ser vi ce gr oup) #member v4server-1:25 AX( conf i g- sl b ser vi ce gr oup) #member v4server-2:25 AX( conf i g- sl b ser vi ce gr oup) #member v6server-1:25 AX( conf i g- sl b ser vi ce gr oup) #member v6server-2:25 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands import an SSL certificate and key, and configure a client-SSL template to use them. The AX device will use the certificate and key to terminate SSL sessions between clients and the VIP. AX( conf i g) #slb ssl-load certificate sslcert.pem scp: Addr ess or name of r emot e host [ ] ?10.10.10.2 User name [ ] ?axadmin Passwor d [ ] ?********* Fi l e name [ / ] ?sslcert.pem AX( conf i g) #slb ssl-load certificate certkey.pem scp: Addr ess or name of r emot e host [ ] ?10.10.10.2 User name [ ] ?axadmin Passwor d [ ] ?********* Fi l e name [ / ] ?certkey.pem AX( conf i g) #slb template client-ssl cssl AX( conf i g- cl i ent SSL t empl at e) #certsslcert.pem AX( conf i g- cl i ent SSL t empl at e) #key certkey.pem AX( conf i g- cl i ent SSL t empl at e) #exit 288 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide The following commands configure the VIP: AX( conf i g) #slb virtual-server v6vip 2001:32::2020:2000 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #source-nat pool v4natpool-1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sgv4v6 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 53 udp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #source-nat pool v4natpool-1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sgv4v6 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 443 https AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #source-nat pool v4natpool-1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template client-ssl cssl AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sgv4v6 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #port 25 smtp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #source-nat pool v4natpool-1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sgv4v6 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit EXAMPLES USING MULTIPLE SOURCE NAT POOLS The example shown above uses only a single NAT pool, for access to the IPv4 servers. If multiple pools are used, then different CLI syntax is required. Multiple IPv4 Pools Here is an example that uses multiple IPv4 pools. First, IPv6 ACLs that match on the client IP address(es) are configured. A separate ACL is required for each NAT pool. AX( conf i g) #ipv6 access-list v6acl-1 AX( conf i g- access- l i st : v6acl - 1) #permit ipv6 2001:32::/96 any AX( conf i g- access- l i st : v6acl - 1) #exit AX( conf i g) #ipv6 access-list v6acl-2 AX( conf i g- access- l i st : v6acl - 2) #permit ipv6 2001:64::/96 any AX( conf i g- access- l i st : v6acl - 2) #exit The following commands configure the IPv4 NAT pools: AX( conf i g) #ip nat pool v4natpool-1 192.168.217.200 192.168.217.200 netmask /24 AX( conf i g) #ip nat pool v4natpool-2 192.168.217.220 192.168.217.220 netmask /24 P e r f o r m a n c e b y D e s i g n 289 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide The following commands access the configuration level for a virtual port on the VIP and configure the port to use the IPv4 pools: AX( conf i g) #slb virtual-server v6vip 2001:32::2020:2000 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #access-list name v6acl-1 source- nat-pool v4natpool-1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #access-list name v6acl-2 source- nat-pool v4natpool-2 Each of the access-list commands binds one of the IPv6 ACLs to the virtual port. The source-nat-pool option used with each command binds an IPv4 pool to the ACL. When the AX device receives a request for the VIP, the AX device matches the client address against the source addresses in the ACLs. The AX device then uses the IPv4 NAT pool bound to the first matching ACL. The AX device translates the clients request from an IPv6 packet into an IPv4 packet. The AX device replaces the clients IPv6 address with an IPv4 address from the selected pool. The IPv6 VIP address is replaced with the servers IPv4 address. If the clients address does not match the source address in any of the ACLs, the request is dropped. Note: This is different from the behavior if a single NAT pool is used. If only one NAT pool is bound to the virtual port, the pool is used if the clients IP type (IPv4 or IPv6) is not the same as the IP type of the selected server. Otherwise, if the IP type of the client and the selected server is the same, SLB-PT is not required for the request. The request is sent to the server with the clients original IP address. Multiple IPv4 and IPv6 Pools It is not required to use pools of the same IP type as the IP type used by cli- ents. For example, IPv6 pools are not required for IPv6 clients. Using pools of the same IP type as the client IP type provides a way to con- trol access to the real servers. When multiple pools are bound to a virtual port, the clients IP address must match the source address in at least one of the ACLs associated with the pools. Otherwise, the clients traffic is dropped. Note: In the case of IPv4, IPv4 pools are still required if the VIP and the real servers are in different IPv4 subnets. For more information, see the Source NAT for Servers in Other Subnets section in the Network Address Translation chapter of the AX Series Configuration Guide. 290 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide This example builds on the example in Multiple IPv4 Pools on page288. The virtual port will have 4 pools: 2 IPv4 pools and 2 IPv6 pools. Each of the IPv6 ACLs will be bound to an IPv4 pool and an IPv6 pool. If SLB selects an IPv4 server, the IPv4 pool bound to the ACL that matches the cli- ents IP address will be used. Likewise, if SLB selects an IPv6 server, the IPv6 pool bound to the ACL will be used. The following commands configure the IPv6 NAT pools: AX( conf i g) #ipv6 nat pool v6natpool-1 2001:32::2020:2010 2001:32::2020:2010 net- mask 64 AX( conf i g) #ipv6 nat pool v6natpool-2 2001:32::2020:2020 2001:32::2020:2020 net- mask 64 The following commands bind the IPv6 NAT pools to the virtual port: AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #access-list name v6acl-1 source- nat-pool v4natpool-2 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #access-list name v6acl-2 source- nat-pool v6natpool-1 P e r f o r m a n c e b y D e s i g n 291 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Stateless Load-Balancing Methods Stateless SLB Stateless SLB conserves system resources by operating without session table entries on the AX device. Session table entries contain information about sessions, including the client, VIP, and real server IP addresses and protocol ports. Session table entries also may contain additional state infor- mation for specific features. If the AX device is running short on sessions, you can use stateless SLB where applicable to make more sessions available for traffic that requires session table entries. Stateless SLB is valid for the following types of traffic: Traffic with very short-lived sessions, such as DNS Layer 2 Direct Server Return (DSR) traffic Other types of traffic that do not require features that use session-table entries. (See Limitations on page292.) You can enable stateless SLB on an individual service-group basis, by selecting a stateless SLB load-balancing method for the group. (See Using the CLI on page293.) Stateless Load-Balancing Methods The following stateless SLB are available: Stateless Source IP+Port Hash Balances server load based on a hash value calculated using the source IP address and source TCP or UDP port. Stateless Destination IP+Port Hash Balances server load based on a hash value calculated using the destination IP address and destination TCP or UDP port. Stateless Source and Destination IP+Port Hash Balances server load based on a hash value calculated using both the source and destination IP addresses and TCP or UDP ports. Stateless Source IP Only Hash Balances server load based on a hash value calculated using the source IP address only. Stateless Per-Packet Round Robin Balances server load by sending each packet to a different server, in rotation. 292 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Stateless Load-Balancing Methods Limitations Stateless SLB is not valid for the following features or traffic types: Rate limiting ACLs IP source NAT HA session synchronization Application Layer Gateway (ALG) Layer 3 DSR SLB-PT IPv6 A given real server can be used in only one stateless SLB service group. A real server that is in a stateless SLB service group can not be used in any other service groups. Graceful transitions between stateful and stateless SLB in a service group are not supported. Mega-proxies may interfere with equal balancing of traffic load among the multiple data CPUs. In this case, for DNS traffic only, try using the state- less-per-pkt-round-robin method. Note: The stateless-per-pkt-round-robin method is valid only for DNS traffic. USING THE GUI On the service group configuration page, select one of the following from the Algorithm drop-down list: Stateless Source IP+Port Hash Stateless Destination IP+Port Hash Stateless Src and Dst IP+Port Hash Stateless Source IP Only Hash Stateless Per-Packet Round Robin P e r f o r m a n c e b y D e s i g n 293 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Stateless Load-Balancing Methods USING THE CLI To enable stateless SLB for a service group, use one of the following options with the method command, at the configuration level for the service group: stateless-dst-ip-hash stateless-src-dst-ip-hash stateless-src-ip-hash stateless-per-pkt-round-robin stateless-src-ip-only-hash Configuration of the real servers and virtual server is the same as for stateful SLB. CLI Example The following commands configure a stateless SLB service group for UDP traffic: AX( conf i g) #slb service-group dns-stateless udp AX( conf i g- sl b svc gr oup) #member dns1:53 AX( conf i g- sl b svc gr oup) #member dns2:53 AX( conf i g- sl b svc gr oup) #method stateless-src-dst-ip-hash 294 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Stateless Load-Balancing Methods P e r f o r m a n c e b y D e s i g n 295 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Outbound Link Load Balancing The AX Series supports outbound Link Load Balancing (LLB). Outbound LLB enables you to balance client-server traffic across a set of WAN links. In outbound LLB, the clients are located on the internal side of the network. The servers are located on the external side of the network. Figure107 shows an example of outbound LLB. FIGURE 107 Link Load Balancing 296 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide In this example, the AX device is configured to balance client traffic across a set of two WAN links, through next-hop routers 192.168.10.1 and 192.168.20.1. When the AX device receives a request from a client, the AX device uses SLB load balancing to select one of the WAN links. The AX device then uses source IP NAT to translate the clients private IP address into a public IP address, then sends the clients request to the next-hop router for the selected WAN link. When the AX device receives the servers reply to the clients request, the AX device translates the destination IP address from the NAT address back into the clients private IP address, then forwards the reply to the client. Load Balancing Methods You can use either of the following load balancing methods to load balance traffic across the WAN links: Round-robin Selects the links in simple rotation. This results in each link being selected an equal number of times. Least-connections Selects the link that has the least current client con- nections on it. The connection count is based on client connections initi- ated on the link by the AX device. The default is round-robin. Network Address Translation Requirements In an outbound LLB topology, the next-hop routers for the WAN links must be able to send the server reply traffic back to the AX device. To ensure that the server reply traffic passes back through the AX device, use an IP source NAT pool for each WAN link. The pools do not need to contain more than a few addresses. The AX device internally uses a separate protocol port number for each client session on a pool address. SLB destination NAT, which is enabled by default, must be disabled. In a standard SLB configuration, destination NAT is used to translate the server address (destination IP address) requested by clients from the VIP address into the servers real address. However, this NAT operation is not applicable to outbound LLB. P e r f o r m a n c e b y D e s i g n 297 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Link Load Balancing To configure LLB: 1. Configure an IP source NAT pool for each link to be load balanced. The address range in a pool must be in the same subnet as the next-hop routers interface with the AX device. Configure a pool group and add the pools to it. 2. Configure the AX interfaces connected to the clients. Enable promiscu- ous VIP support on the interfaces. 3. Configure the AX interfaces connected to the next-hop routers for the links to be load balanced. (Do not enable promiscuous VIP on these interfaces.) 4. Configure a real server for each link to be load balanced. Add wildcard ports (TCP 0, UDP 0, or both) to the server. Note: You can use Layer 3 health checking (ICMP ping) to check the health of the routers IP interface. However, the configuration requires health checking to be disabled on the wildcard ports added for a router. The router will not respond to these health checks. If you leave health check- ing enabled on the wildcard ports, the AX device will mark the ports down and LLB will not work. 5. Configure a service group for the links (real servers). If the real server configurations for the links have both TCP and UDP ports, configure a service group for TCP and another service group for UDP. 6. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address). Using the wildcard VIP address enables the configuration to work for any destination IP address requested by clients. Add the wildcard TCP port (TCP 0) and bind it to the TCP service group. Likewise, add the wildcard UDP port and bind it to the the UDP service group. Bind the ports to service group(s). On each port, bind the port to the IP Source NAT pool group and disable destination NAT. 298 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide CLI Example The commands in this example implement the LLB configuration shown in Figure107 on page295. The following commands configure the IP source NAT pools and pool group: AX( conf i g) #ip nat pool nat10 192.168.10.3 192.168.10.4 netmask /24 AX( conf i g) #ip nat pool nat20 192.168.20.3 192.168.20.4 netmask /24 AX( conf i g) #ip nat pool-group outbound-nat-group nat10 nat20 The following commands enable promiscuous VIP support on the AX inter- faces connected to clients. Note: For simplicity, this example uses a single Ethernet port for each interface to the clients and the next-hop routers. You also can use trunk interfaces, virtual Ethernet (VE) interfaces, or both. AX( conf i g) #interface ethernet 3 AX( conf i g- i f : et her net 3) #ip address 10.10.10.1 255.255.255.0 AX( conf i g- i f : et her net 3) #ip allow-promiscuous-vip AX( conf i g- i f : et her net 3) #exit AX( conf i g) #interface ethernet 4 AX( conf i g- i f : et her net 4) #ip address 10.20.20.1 255.255.255.0 AX( conf i g- i f : et her net 4) #ip allow-promiscuous-vip AX( conf i g- i f : et her net 4) #exit The following commands configure the AX interfaces to the next-hop rout- ers for the load-balanced links: AX( conf i g) #interface ethernet 1 AX( conf i g- i f : et her net 1) #ip address 192.168.10.2 255.255.255.0 AX( conf i g- i f : et her net 1) #exit AX( conf i g) #interface ethernet 2 AX( conf i g- i f : et her net 2) #ip address 192.168.20.2 255.255.255.0 AX( conf i g- i f : et her net 2) #exit P e r f o r m a n c e b y D e s i g n 299 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide The following commands configure a real server for each link to be load balanced: AX( conf i g) #slb server link-101 192.168.10.1 AX( conf i g- r eal ser ver ) #port 0 tcp AX( conf i g- r eal ser ver - node por t ) #no health-check AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 0 udp AX( conf i g- r eal ser ver - node por t ) #no health-check AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server link-201 192.168.20.1 AX( conf i g- r eal ser ver ) #port 0 tcp AX( conf i g- r eal ser ver - node por t ) #no health-check AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 0 udp AX( conf i g- r eal ser ver - node por t ) #no health-check AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure service groups for the links: AX( conf i g) #slb service-group outbound-tcp-links tcp AX( conf i g- sl b svc gr oup) #member link-101:0 AX( conf i g- sl b svc gr oup) #member link-201:0 AX( conf i g- sl b svc gr oup) #exit AX( conf i g) #slb service-group outbound-udp-links udp AX( conf i g- sl b svc gr oup) #member link-101:0 AX( conf i g- sl b svc gr oup) #member link-201:0 AX( conf i g- sl b svc gr oup) #exit The following commands configure the virtual server: AX( conf i g) #slb virtual-server wildcard-vip 0.0.0.0 AX( conf i g- sl b vser ver ) #port 0 tcp AX( conf i g- sl b vser ver - vpor t ) #service-group outbound-tcp-links AX( conf i g- sl b vser ver - vpor t ) #source-nat pool outbound-nat-group AX( conf i g- sl b vser ver - vpor t ) #no-dest-nat AX( conf i g- sl b vser ver - vpor t ) #exit AX( conf i g- sl b vser ver ) #port 0 udp AX( conf i g- sl b vser ver - vpor t ) #service-group outbound-udp-links AX( conf i g- sl b vser ver - vpor t ) #source-nat pool outbound-nat-group AX( conf i g- sl b vser ver - vpor t ) #no-dest-nat 300 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide P e r f o r m a n c e b y D e s i g n 301 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Overview Transparent Cache Switching Overview The AX Series supports Transparent Cache Switching (TCS). TCS enables you to improve server response times by redirecting client requests for con- tent to cache servers containing the content. Figure108 shows an example. FIGURE 108 Transparent Cache Switching 302 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Overview In this example, a client sends a request for content that is hosted by the content server. The AX device redirects the clients request to the cache server. If the cache server has the requested content, the cache server sends the content to the AX device, which sends the content to the client. If the content is cacheable, but the cache server does not have the requested content or the content is stale, the cache server requests the content from the content server, caches the content, then sends the content to the AX device, which sends the content to the client. Granularity of TCS You can configure Layer 4 TCS or Layer 7 TCS. Layer 4 TCS Sends all TCP or UDP traffic addressed to the content server to the cache server instead Layer 7 TCS You can configure Layer 7 TCS with either of the fol- lowing levels of granularity: Sends all HTTP requests to the cache server and sends all other requests to the content server Sends HTTP requests for specific URLs to the cache server, and sends other requests to the content server Optimizing When Using Multiple Cache Servers If your network uses multiple cache servers, you can configure destination- IP persistence, to always select the same cache server for content from a given destination IP address. This technique reduces cache misses, by ensuring that requests for a given site IP address always go to the same cache server. For even greater control, you can configure the AX device to select from among multiple cache service groups based on the requested URL. When combined with destination-IP persistence, this method allows you to control initial selection of the cache service group, after which the AX device always sends requests for the same content to the same cache server within the cache service group. Application Templates TCS does not require configuration of any application templates. However, you can use the following types of application templates for advanced fea- tures, such as URL-based Layer 7 TCS: HTTP template If you want to selectively redirect client requests based on URL strings, you can use an HTTP template containing URL switching rules. When a client request matches the URL string in a URL P e r f o r m a n c e b y D e s i g n 303 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Overview switching rule, the AX device selects the service group specified in the URL switching rule, instead of the service group bound to the virtual port. For example, you can configure a URL switching rule that matches on any URL that contains .mycorp/. In this case, requests for any URL that contains .mycorp/ are sent to the service group that contains the cache server. Requests for other URLs are sent to the gateway router instead. In a Layer 7 TCS configuration that uses URL switching, a separate real server is required for the gateway router, and the real server is required to be placed in its own service group. The gateway routers service group is used as the default service group for the virtual port. Client requests to a URL that does not match a URL switching rule are sent to the gateway routers service group instead of the cache servers service group. Destination-IP persistence template In deployments that use multiple cache servers, you can use a destination-IP persistence template to ensure that the same cache server is used for every request for content on a given content server. The AX device uses standard SLB to select a cache server for the first request to a real server IP address, and assigns a hash value to the server. All subsequent requests for the same real server are sent to the same cache server. By always using the same cache server for content from a given server, a destination-IP persistence template can reduce duplication of content on multiple cache servers, and can also reduce cache misses. RAM caching template To also cache some content on the AX device itself, you can use a RAM caching template. In this case, the AX device directly serves content that is cached on the AX device, and only sends requests to the cache server for content that is not cached on the AX device. Connection reuse template You can use a connection reuse template to reuse TCP connections. When a clients session ends, the TCP connec- tion is not terminated. Instead, the connection is reused for a new client session. Support for Spoofing Caches Some cache servers can use the clients IP address instead of the cache servers IP address as the source address when obtaining content requested by the client. A cache server operating in this mode is a spoofing cache server. Configuration for a spoofing cache server includes a couple of addi- tional steps. (See Enabling Support for Cache Spoofing on page314.) 304 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 4 TCS High Availability Support You can deploy TCS in High Availability (HA) configurations. For an example of TCS deployed in Layer 3 inline mode of HA, see Configuring IPv4 TCS in High Availability Layer 3 Inline Mode on page315. Configuring Layer 4 TCS To configure Layer 4 TCS: 1. Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the AX interface(s) connected to the clients. 2. Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address. 3. Configure a real server for the cache server. Add the TCP or UDP port; for example, TCP port 80. If the cache server will spoof client IP addresses when requesting con- tent from content servers, enable cache spoofing support. 4. Configure a service group for the cache server and add the cache server to it. 5. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL. Add virtual port 80 and bind it to the service group containing the cache server. Disable destination NAT on the virtual port. 6. If the cache server will spoof client IP addresses when requesting con- tent from content servers, enable cache spoofing support on the AX interface connected to the cache server, and on the real server (cache server). P e r f o r m a n c e b y D e s i g n 305 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 4 TCS CLI Example The commands in this section implement the TCS configuration shown in Figure109. FIGURE 109 Layer 4 TCS 306 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 4 TCS The following commands configure the AX interface to the client. Promis- cuous VIP is enabled on the interface. AX( conf i g) #trunk 4 AX( conf i g- t r unk: 4) #ethernet 3 to 4 AX( conf i g- t r unk: 4) #exit AX( conf i g) #vlan 4 AX( conf i g- vl an: 4) #tagged ethernet 3 to 4 AX( conf i g- vl an: 4) #router-interface ve 4 AX( conf i g- vl an: 4) #exit AX( conf i g) #interface ve 4 AX( conf i g- i f : ve4) #ip address 192.168.19.1 255.255.255.0 AX( conf i g- i f : ve4) #ip allow-promiscuous-vip AX( conf i g- i f : ve4) #exit The following commands configure the AX interface to the content server. AX( conf i g) #trunk 2 AX( conf i g- t r unk: 2) #ethernet 1 to 2 AX( conf i g- t r unk: 2) #exit AX( conf i g) #vlan 2 AX( conf i g- vl an: 2) #tagged ethernet 1 to 2 AX( conf i g- vl an: 2) #router-interface ve 2 AX( conf i g- vl an: 2) #exit AX( conf i g) #interface ve 2 AX( conf i g- i f : ve2) #ip address 10.10.10.1 255.255.0.0 AX( conf i g- i f : ve2) #exit The following commands configure the interface to the cache server: AX( conf i g) #interface ethernet 5 AX( conf i g- i f : et her net 5) #ip address 110.110.110.254 255.255.255.0 AX( conf i g- i f : et her net 5) #exit The following command configures an extended ACL to match on clients and on the content server. The ACL in this example matches on any source address (client IP address) and on the destination IP address of the content server. AX( conf i g) #access-list 198 permit ip any host 20.20.20.10 log The following commands configure a real server for the cache server. TCP port 80 is added to the real server. AX( conf i g) #slb server cache-rs 110.110.110.10 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit P e r f o r m a n c e b y D e s i g n 307 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 7 TCS The following command configures a service group for the cache server: AX( conf i g) #slb service-group sg-tcs tcp AX( conf i g- sl b svc gr oup) #member cache-rs:80 AX( conf i g- sl b svc gr oup) #exit The following commands configure a wildcard VIP and bind it to the ACL: AX( conf i g) #slb virtual-server wildcard 0.0.0.0 acl 198 AX( conf i g- sl b vser ver ) #port 80 tcp AX( conf i g- sl b vser ver - vpor t ) #service-group sg-tcs AX( conf i g- sl b vser ver - vpor t ) #no-dest-nat Configuring Layer 7 TCS Layer 7 TCS can be configured in either of the following ways. Select one of these methods based on the level of granularity you want to use for traffic redirection. Service type HTTP without URL switching rules This method redi- rects all HTTP traffic to the cache server. The configuration steps are very similar to those for Layer 4 TCS. The only difference is use of HTTP instead of TCP or UDP as the service type of the virtual port. Service type HTTP with URL switching rules This method uses an HTTP template containing URL switching rules. Traffic that matches a URL switching rule is redirected to the cache server. Other traffic is sent to the gateway router. This method requires configuration of a separate real server and service group for the gateway router. Figure110 on page308 shows an example of the first method, which does not use URL switching rules. Figure111 on page309 shows an example of the second method, which does use URL switching rules. 308 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 7 TCS FIGURE 110 Layer 7 TCS Without URL Switching Rules P e r f o r m a n c e b y D e s i g n 309 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 7 TCS FIGURE 111 Layer 7 TCS Using URL Switching Rules 310 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 7 TCS Service Type HTTP Without URL Switching Rules To configure this type of Layer 7 TCS: 1. Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the AX interface(s) connected to the clients. 2. Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address. 3. Configure a real server for the cache server. Add the TCP port; for example, TCP port 80. 4. Configure a service group for the cache server and add the cache server to it. 5. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL. Add virtual port 80 with service type HTTP and bind it to the service group containing the cache server. Enable disable destination NAT on the virtual port. CLI Example The commands in this section implement the TCS configuration shown in Figure110 on page308. The commands for configuring the interfaces and ACL, and the real server and service group for the cache server, are the same as those used in the Layer 4 TCS example, and are therefore not shown. The following commands configure a wildcard VIP and bind it to the ACL: AX( conf i g) #slb virtual-server wildcard 0.0.0.0 acl 198 AX( conf i g- sl b vser ver ) #port 80 http AX( conf i g- sl b vser ver - vpor t ) #service-group sg-tcs AX( conf i g- sl b vser ver - vpor t ) #no-dest-nat P e r f o r m a n c e b y D e s i g n 311 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 7 TCS Service Type HTTP with URL Switching Rules To configure this type of Layer 7 TCS: 1. Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the AX interface(s) connected to the clients. 2. Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address. 3. Configure a real server for the cache server. Add the TCP or UDP port; for example, TCP port 80. 4. Configure a real server for the next-hop router through which the AX device will reach the content servers. Add the same TCP port number as the one on the cache server (for example, TCP port 80). Disable health checking on the port. Note: The configuration requires health checking to be disabled on the router port. The router will not respond to the health check. If you leave health checking enabled, the AX device will mark the port down and TCS will not work. 5. Configure a service group for the cache server and add the cache server to it. 6. Configure a separate service group for the router, and add the router to it. 7. Configure an HTTP template with URL switching rules. Add a separate URL switching rule for each URI string based on which to select a ser- vice group. 8. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL. Add virtual port 80 with service type HTTP and bind it to the service group containing the cache server. Bind the virtual port to the HTTP template. Enable disable destination NAT. Add virtual port 0 with service type HTTP and bind it to the service group containing the router. Enable disable destination NAT. CLI Example The commands in this section implement the TCS configuration shown in Figure111 on page309. The commands for configuring the interfaces and 312 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 7 TCS ACL, and the real server and service group for the cache server, are the same as those used in the Layer 4 TCS example, and are therefore not shown. The following commands configure a real server for the gateway router: AX( conf i g) #slb server router 10.10.10.20 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #no health-check AX( conf i g- r eal ser ver - node por t ) #exit The following commands configure a service group for the router: AX( conf i g) #slb service-group sg-router tcp AX( conf i g- sl b svc gr oup) #member router:80 AX( conf i g- sl b svc gr oup) #exit The following commands configure an HTTP template containing URL switching rules. Client requests for any URL that contains .examplecorp/ or .mycorp/ will be redirected to the service group for the cache server. Requests for any other URL will instead be sent to the service group for the router. AX( conf i g) #slb template http http1 AX( conf i g- HTTP t empl at e) #url-switching contains .examplecorp/ service-group sg-tcs AX( conf i g- HTTP t empl at e) #url-switching contains .mycorp/ service-group sg-tcs AX( conf i g- HTTP t empl at e) #exit The following commands configure a wildcard VIP and bind it to the ACL: AX( conf i g) #slb virtual-server wildcard 0.0.0.0 acl 198 AX( conf i g- sl b vser ver ) #port 80 http AX( conf i g- sl b vser ver - vpor t ) #service-group sg-router AX( conf i g- sl b vser ver - vpor t ) #template http http1 AX( conf i g- sl b vser ver - vpor t ) #no-dest-nat Optimizing TCS with Multiple Cache Servers To optimize TCS in deployments that use more than one cache server, use a destination-IP persistence template. CLI Example The commands in this section implement the TCS configuration shown in Figure112. Only the commands specific to destination-IP persistence are P e r f o r m a n c e b y D e s i g n 313 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 7 TCS shown. The other commands are the same as those shown in the previous sections. FIGURE 112 TCS with Multiple Cache Servers The following commands configure the destination-IP persistence template: AX( conf i g) #slb template persist destination-ip d-sticky AX( conf i g- dest i p per si st ence t empl at e) #match-type service-group Note: The match-type service-group command is required, to enable use of URL switching and persistence in the same configuration. 314 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring Layer 7 TCS The following commands configure the VIP. The commands are the same as those used for Layer 7 TCS, with the addition of a command to bind the destination-IP persistence template to the virtual port. AX( conf i g) #slb virtual-server wildcard 0.0.0.0 acl 198 AX( conf i g- sl b vser ver ) #port 80 http AX( conf i g- sl b vser ver - vpor t ) #template http http1 AX( conf i g- sl b vser ver - vpor t ) #service-group sg-router AX( conf i g- sl b vser ver - vpor t ) #no-dest-nat AX( conf i g- sl b vser ver - vpor t ) #template persist destination-ip d-sticky AX( conf i g- sl b vser ver - vpor t ) #exit AX( conf i g- sl b vser ver ) #exit Enabling Support for Cache Spoofing If the cache server spoofs client IP addresses when requesting content from servers, the following additional configuration is required: 1. Enable cache spoofing support on the AX interface connected to the spoofing cache server. In the CLI, enter the following command at the configuration level for the AX interface: cache-spoofing-port 2. In the real server configuration for the cache server, enable spoof cach- ing support. In the CLI, enter the following command at the configura- tion level for the real server: spoofing-cache CLI Example The commands in this section enable cache spoofing support for the TCS configuration shown in Figure112. AX( conf i g) #interface ethernet 5 AX( conf i g- i f : et her net 5) #ip address 110.110.110.254 255.255.255.0 AX( conf i g- i f : et her net 5) #ip cache-spoofing-port AX( conf i g- i f : et her net 5) #exit AX( conf i g) #slb server cache-rs 110.110.110.10 AX( conf i g- r eal ser ver ) #spoofing-cache AX( conf i g- r eal ser ver ) #port 80 tcp P e r f o r m a n c e b y D e s i g n 315 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv4 TCS in High Availability Layer 3 Inline Mode Configuring IPv4 TCS in High Availability Layer 3 Inline Mode \You can use High Availability (HA) to provide redundancy and failover for TCS. This section shows an example for IPv4 Layer 3 inline mode HA. Layer 3 HA for inline mode is beneficial in network topologies where the AX interfaces with the clients and cache servers are in the same subnet. Figure113 shows an example. FIGURE 113 TCS in HA Layer 3 Inline Mode 316 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv4 TCS in High Availability Layer 3 Inline Mode Interface Parameters In this configuration, each AX device connects to the client, cache servers, and content server on a single IP interface: AX-1 Connected on IP interface 10.10.10.1, which is assigned to VE 1 on a VLAN containing Ethernet data ports 3-11 AX-2 Connected on IP interface 10.10.10.2, which is assigned to VE 1 on a VLAN containing Ethernet data ports 3-11 The following interface parameters are required: Promiscuous VIP Must be enabled on the interface connected to cli- ents, and on the IP interface assigned to the VE on the VLAN containing the interfaces to the clients, content servers, and cache servers. Cache spoofing If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support on the AX interface connected to the cache server. CPU processing CPU processing is required for Layer 3 inline mode. Enable it on all interfaces connected to clients, content servers, and cache servers. Also enable it on the dedicated HA link and on the static routes to the client and content server subnets. HA Parameters This configuration uses the following HA parameters. The last two in this list apply specifically to inline mode. The other HA parameters apply to all types of HA configurations. HA ID AX-1 uses HA ID 1. AX-2 uses HA ID 2. HA group and priority A single HA group is configured, with a higher priority on AX-1. Pre-emption Pre-emption is enabled, to force initial failover to the AX device with the higher priority. HA interfaces Ethernet interfaces 1, 3, and 6 are configured as HA interfaces. Interface 1 and 3 are the lead interfaces in trunks, so all the interfaces in these trunks are HA interfaces. Session synchronization (connection mirroring) Each AX device is enabled, when in Active role, to synchronize its sessions onto the other AX device. Floating IP address Both AX devices share floating IP address 10.10.10.250 for HA group 1. L3-inline mode This must be enabled on each AX device. P e r f o r m a n c e b y D e s i g n 317 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv4 TCS in High Availability Layer 3 Inline Mode Restart port list Interfaces 1 to 5 and interface 9 are designated as inline-mode restart ports. This includes the AX interfaces with the cli- ent, cache servers, and content server. Interface 6 is the dedicated HA link between the AX devices and is not included in the restart list. SLB Parameters Real server parameters: Port type A Layer 4 port type, such as TCP, should be used. HA ses- sion synchronization is supported only for Layer 4 sessions. Cache spoofing If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support on the real server configuration for the cache server. Service group parameters: Type Typically, the type should be TCP. Members Add the real servers configured for the cache servers. In a Layer 7 TCS configuration that uses URL switching, a separate real server is required for the gateway router, and the real server is required to be placed in its own service group. (See Configuring Layer 7 TCS on page307.) The example in Figure113 on page315 does not use Layer 7 switching. Virtual server parameters: VIP The VIP address must be 0.0.0.0 (a wildcard VIP). The ACL associated with the VIP must be an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address: Service type The service type of the TCS virtual port must be a Layer 4 service type (TCP). HA group Add the virtual server to the HA group. Destination NAT Destination NAT must be disabled. Session synchronization Enable this feature so that customer sessions are synchronized from the Active AX device to the standby AX device. Note: If spoof-caching is enabled, the AX device creates a transparent session from the cache to the server. This session is not synchronized. However, the main session from the client to the cache server is always synchro- nized. 318 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv4 TCS in High Availability Layer 3 Inline Mode Note: In the current release, client sessions will be reset if an HA failover occurs. In most cases, the reset will not be noticeable. However, if a client is downloading a large file, the reset may be noticeable, because the download progress is not retained after the session is reset. Templates For simplicity, the sample configuration in this section does not use any cus- tom templates. For information about the templates that can be used with TCS, see Application Templates on page302. The following CLI examples show how to implement the configuration shown in Figure113 on page315. AX-1 Configuration The following commands configure the links: AX- 1( conf i g) #trunk 1 AX- 1( conf i g- t r unk: 1) #ethernet 1 to 2 ethernet 9 AX- 1( conf i g- t r unk: 1) #trunk 3 AX- 1( conf i g- t r unk: 3) #ethernet 3 to 4 AX- 1( conf i g- t r unk: 3) #vlan 11 AX- 1( conf i g- vl an: 11) #untagged ethernet 3 to 6 AX- 1( conf i g- vl an: 11) #tagged ethernet 1 to 2 ethernet 9 AX- 1( conf i g- vl an: 11) #router-interface ve 1 AX- 1( conf i g- vl an: 11) #interface ethernet 1 AX- 1( conf i g- i f : et her net 1) #cpu-process AX- 1( conf i g- i f : et her net 1) #interface ethernet 3 AX- 1( conf i g- i f : et her net 3) #ip allow-promiscuous-vip AX- 1( conf i g- i f : et her net 3) #cpu-process AX- 1( conf i g- i f : et her net 3) #interface ethernet 5 AX- 1( conf i g- i f : et her net 5) #ip cache-spoofing-port AX- 1( conf i g- i f : et her net 5) #cpu-process AX- 1( conf i g- i f : et her net 5) #interface ethernet 6 AX- 1( conf i g- i f : et her net 6) #cpu-process AX- 1( conf i g- i f : et her net 6) #interface ve 1 AX- 1( conf i g- i f : ve1) #ip address 10.10.10.1 255.255.255.0 AX- 1( conf i g- i f : ve1) #ip allow-promiscuous-vip AX- 1( conf i g- i f : ve1) #exit The following commands configure static routes. One of the routes goes to the subnet on the other side of the router that connects the AX device to the content servers. The other static route goes to the subnet on the other side of P e r f o r m a n c e b y D e s i g n 319 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv4 TCS in High Availability Layer 3 Inline Mode the router that connects the AX device to the client. CPU processing is also enabled on the routes. AX- 1( conf i g) #ip route 20.20.20.0 /24 10.10.10.20 cpu-process AX- 1( conf i g) #ip route 192.168.19.0 /24 10.10.10.254 cpu-process The following command configures an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address: AX- 1( conf i g) #access-list 198 permit ip any host 20.20.20.11 log The following commands configure the global HA parameters: AX- 1( conf i g) #ha id 1 AX- 1( conf i g) #ha group 1 priority 200 AX- 1( conf i g) #ha interface ethernet 1 AX- 1( conf i g) #ha interface ethernet 3 AX- 1( conf i g) #ha interface ethernet 6 AX- 1( conf i g) #ha conn-mirror ip 10.10.10.2 AX- 1( conf i g) #ha preemption-enable AX- 1( conf i g) #floating-ip 10.10.10.250 ha-group 1 AX- 1( conf i g) #ha l3-inline-mode AX- 1( conf i g) #ha restart-port-list ethernet 1 to 5 ethernet 9 The following commands configure real servers for the cache servers: AX- 1( conf i g) #slb server cache1 10.10.10.10 AX- 1( conf i g- r eal ser ver ) #spoofing-cache AX- 1( conf i g- r eal ser ver ) #port 80 tcp AX- 1( conf i g- r eal ser ver - node por t ) #exit AX- 1( conf i g- r eal ser ver ) #exit AX- 1( conf i g) #slb server cache2 10.10.10.11 AX- 1( conf i g- r eal ser ver ) #spoofing-cache AX- 1( conf i g- r eal ser ver ) #port 80 tcp AX- 1( conf i g- r eal ser ver - node por t ) #exit AX- 1( conf i g- r eal ser ver ) #exit The following commands configure a service group for the real servers: AX- 1( conf i g) #slb service-group sg-cache-80 tcp AX- 1( conf i g- sl b svc gr oup) #member cache1:80 AX- 1( conf i g- sl b svc gr oup) #member cache2:80 AX- 1( conf i g- sl b svc gr oup) #exit 320 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv4 TCS in High Availability Layer 3 Inline Mode The following commands configure the virtual server: AX- 1( conf i g) #slb virtual-server wildcard 0.0.0.0 acl 198 AX- 1( conf i g- sl b vser ver ) #ha-group 1 AX- 1( conf i g- sl b vser ver ) #port 80 tcp AX- 1( conf i g- sl b vser ver - vpor t ) #service-group sg-cache-80 AX- 1( conf i g- sl b vser ver - vpor t ) #no-dest-nat AX- 1( conf i g- sl b vser ver - vpor t ) #ha-conn-mirror AX-2 Configuration Most of the commands on AX-2 are the same as the ones on AX-1, with the following exceptions: Theip address command on the VE adds a unique IP address (not the address of the other AX device). Theha id command assigns HA ID 2 instead of HA ID 1. The ha group command assigns a lower priority to the group. The ha conn-mirror command refers to the IP address of AX-1. AX- 2( conf i g) #trunk 1 AX- 2( conf i g- t r unk: 1) #ethernet 1 to 2 ethernet 9 AX- 2( conf i g- t r unk: 1) #trunk 3 AX- 2( conf i g- t r unk: 3) #ethernet 3 to 4 AX- 2( conf i g- t r unk: 3) #vlan 11 AX- 2( conf i g- vl an: 11) #untagged ethernet 3 to 6 AX- 2( conf i g- vl an: 11) #tagged ethernet 1 to 2 ethernet 9 AX- 2( conf i g- vl an: 11) #router-interface ve 1 AX- 2( conf i g- vl an: 11) #interface ethernet 1 AX- 2( conf i g- i f : et her net 1) #cpu-process AX- 2( conf i g- i f : et her net 1) #interface ethernet 3 AX- 2( conf i g- i f : et her net 3) #ip allow-promiscuous-vip AX- 2( conf i g- i f : et her net 3) #cpu-process AX- 2( conf i g- i f : et her net 3) #interface ethernet 5 AX- 2( conf i g- i f : et her net 5) #ip cache-spoofing-port AX- 2( conf i g- i f : et her net 5) #cpu-process AX- 2( conf i g- i f : et her net 5) #interface ethernet 6 AX- 2( conf i g- i f : et her net 6) #cpu-process AX- 2( conf i g- i f : et her net 6) #interface ve 1 AX- 2( conf i g- i f : ve1) #ip address 10.10.10.2 255.255.255.0 AX- 2( conf i g- i f : ve1) #ip allow-promiscuous-vip AX- 2( conf i g- i f : ve1) #exit P e r f o r m a n c e b y D e s i g n 321 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv4 TCS in High Availability Layer 3 Inline Mode AX- 2( conf i g) #ip route 20.20.20.0 /24 10.10.10.20 cpu-process AX- 2( conf i g) #ip route 192.168.19.0 /24 10.10.10.254 cpu-process AX- 2( conf i g) #access-list 198 permit ip any host 20.20.20.11 log AX- 2( conf i g) #ha id 2 AX- 2( conf i g) #ha group 1 priority 180 AX- 2( conf i g) #ha interface ethernet 1 AX- 2( conf i g) #ha interface ethernet 3 AX- 2( conf i g) #ha interface ethernet 6 AX- 2( conf i g) #ha conn-mirror ip 10.10.10.1 AX- 2( conf i g) #ha preemption-enable AX- 2( conf i g) #floating-ip 10.10.10.250 ha-group 1 AX- 2( conf i g) #ha l3-inline-mode AX- 2( conf i g) #ha restart-port-list ethernet 1 to 5 ethernet 9 AX- 2( conf i g) #slb server cache1 10.10.10.10 AX- 2( conf i g- r eal ser ver ) #spoofing-cache AX- 2( conf i g- r eal ser ver ) #port 80 tcp AX- 2( conf i g- r eal ser ver - node por t ) #exit AX- 2( conf i g- r eal ser ver ) #exit AX- 2( conf i g) #slb server cache2 10.10.10.11 AX- 2( conf i g- r eal ser ver ) #spoofing-cache AX- 2( conf i g- r eal ser ver ) #port 80 tcp AX- 2( conf i g- r eal ser ver - node por t ) #exit AX- 2( conf i g- r eal ser ver ) #exit AX- 2( conf i g) #slb service-group sg-cache-80 tcp AX- 2( conf i g- sl b svc gr oup) #member cache1:80 AX- 2( conf i g- sl b svc gr oup) #member cache2:80 AX- 2( conf i g- sl b svc gr oup) #exit AX- 2( conf i g) #slb virtual-server wildcard 0.0.0.0 acl 198 AX- 2( conf i g- sl b vser ver ) #ha-group 1 AX- 2( conf i g- sl b vser ver ) #port 80 tcp AX- 2( conf i g- sl b vser ver - vpor t ) #service-group sg-cache-80 AX- 2( conf i g- sl b vser ver - vpor t ) #no-dest-nat AX- 2( conf i g- sl b vser ver - vpor t ) #ha-conn-mirror 322 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv6 TCS in High Availability Layer 3 Inline Mode Configuring IPv6 TCS in High Availability Layer 3 Inline Mode Figure114 shows an example of a TCS deployment in HA Layer 3 Inline mode. FIGURE 114 TCS HA Layer 3 Inline Mode P e r f o r m a n c e b y D e s i g n 323 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv6 TCS in High Availability Layer 3 Inline Mode The configuration requirements and syntax are the same as for IPv4. The only difference is use of IPv6 addresses instead of IPv4 addresses. AX-1 Configuration The following commands configure the links. AX- 1( conf i g) #trunk 1 AX- 1( conf i g- t r unk: 1) #ethernet 5 to 6 AX- 1( conf i g- t r unk: 1) #vlan 21 AX- 1( conf i g- vl an: 21) #untagged ethernet 1 to 3 AX- 1( conf i g- vl an: 21) #router-interface ve 1 AX- 1( conf i g- vl an: 21) #vlan 22 AX- 1( conf i g- vl an: 22) #untagged ethernet 2 AX- 1( conf i g- vl an: 22) #router-interface ve 22 AX- 1( conf i g- vl an: 22) #vlan 56 AX- 1( conf i g- vl an: 56) #untagged ethernet 5 to 6 AX- 1( conf i g- vl an: 56) #router-interface ve 56 AX- 1( conf i g- vl an: 11) #interface ethernet 1 AX- 1( conf i g- i f : et her net 1) #cpu-process AX- 1( conf i g- i f : et her net 1) #interface ethernet 2 AX- 1( conf i g- i f : et her net 2) #cpu-process AX- 1( conf i g- i f : et her net 2) #ip cache-spoofing-port AX- 1( conf i g- i f : et her net 2) #interface ethernet 3 AX- 1( conf i g- i f : et her net 3) #cpu-process AX- 1( conf i g- i f : et her net 3) #interface ethernet 5 AX- 1( conf i g- i f : et her net 5) #cpu-process AX- 1( conf i g- i f : et her net 5) #interface ve 1 AX- 1( conf i g- i f : ve1) #ipv6 address 2309:e90::2/64 AX- 1( conf i g- i f : ve1) #ip allow-promiscuous-vip AX- 1( conf i g- i f : ve1) #interface ve 22 AX- 1( conf i g- i f : ve22) #ipv6 address 2409:c90::1/64 AX- 1( conf i g- i f : ve22) #interface ve 56 AX- 1( conf i g- i f : ve56) #ipv6 address 2509:c90::1/64 AX- 1( conf i g- i f : ve56) #ip address 3.3.3.2 255.255.255.0 AX- 1( conf i g- i f : ve56) #exit Note: The cpu-process command is applicable only to models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. The command is required for TCS HA on those models. The command does not appear in the CLI on other models and is not required on those models. 324 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv6 TCS in High Availability Layer 3 Inline Mode On models AX 5100 and AX 5200, when configured in HA inline mode, all traffic going through the system is examined by the CPU for process- ing. Packets are not directly forwarded by the Layer 2/3 ASIC before examination by the CPU. The following commands configure static routes. One of the routes goes to the subnet on the other side of the router that connects the AX device to the content servers. The other static route goes to the subnet on the other side of the router that connects the AX device to the client. CPU processing is also enabled on the routes. AX- 1( conf i g) #ipv6 route 2309:d90::/32 2309:e90::1 AX- 1( conf i g) #ipv6 route 2309:f90::/32 2309:e90::3 The following commands configure an IPv6 ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address: AX- 1( conf i g) #ipv6 access-list ipv6-101 AX- 1( conf i g- access- l i st : i pv6- 101) #permit ipv6 any host 2309:f90::10 log AX- 1( conf i g- access- l i st : i pv6- 101) #exit The following commands configure the global HA parameters: AX- 1( conf i g) #ha id 1 set-id 1 AX- 1( conf i g) #ha l3-inline-mode AX- 1( conf i g) #ha group 1 priority 200 AX- 1( conf i g) #ha interface ethernet 1 server-interface no-heartbeat AX- 1( conf i g) #ha interface ethernet 3 router-interface no-heartbeat AX- 1( conf i g) #ha interface ethernet 5 AX- 1( conf i g) #ha restart-port-list ethernet 1 ethernet 3 AX- 1( conf i g) #ha conn-mirror ip 3.3.3.3 AX- 1( conf i g) #ha preemption-enable AX- 1( conf i g) #floating-ip 2409:c90::100 ha-group 1 AX- 1( conf i g) #floating-ip 2309:e90::100 ha-group 1 The following commands configure a custom ICMP health monitor with very short interval and timeout values. In Layer 3 inline HA configurations, the short interval and timeout values help eliminate traffic disruption fol- lowing HA failover. AX- 1( conf i g) #health monitor icmp interval 1 timeout 1 The following commands configure ICMP health checking for the upstream and downstream routers. The health checks help ensure rapid HA failover. (See Tip for Ensuring Fast HA Failover on page612.) The custom ICMP health monitor configured above is also used. P e r f o r m a n c e b y D e s i g n 325 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv6 TCS in High Availability Layer 3 Inline Mode AX- 1( conf i g) #slb server up-router 2309:e90::1 AX- 1( conf i g- r eal ser ver ) #health-check icmp AX- 1( conf i g- r eal ser ver ) #exit AX- 1( conf i g) #slb server down-router 2309:e90::3 AX- 1( conf i g- r eal ser ver ) #health-check icmp AX- 1( conf i g- r eal ser ver ) #exit The following commands configure real servers for the cache servers: AX- 1( conf i g) #slb server cache1-ipv6 2409:c90::5 AX- 1( conf i g- r eal ser ver ) #spoofing-cache AX- 1( conf i g- r eal ser ver ) #health-check icmp AX- 1( conf i g- r eal ser ver ) #port 80 tcp AX- 1( conf i g- r eal ser ver - node por t ) #exit AX- 1( conf i g- r eal ser ver ) #exit AX- 1( conf i g) #slb server cache2-ipv6 2409:c90::6 AX- 1( conf i g- r eal ser ver ) #spoofing-cache AX- 1( conf i g- r eal ser ver ) #health-check icmp AX- 1( conf i g- r eal ser ver ) #port 80 tcp AX- 1( conf i g- r eal ser ver - node por t ) #exit AX- 1( conf i g- r eal ser ver ) #exit The following commands configure a service group for the real servers (cache servers): AX- 1( conf i g) #slb service-group cache-ipv6 tcp AX- 1( conf i g- sl b svc gr oup) #member cache1-ipv6:80 AX- 1( conf i g- sl b svc gr oup) #member cache2-ipv6:80 AX- 1( conf i g- sl b svc gr oup) #exit The following commands configure the virtual server: AX- 1( conf i g) #slb virtual-server wildcard-ipv6 :: ipv6-acl ipv6-101 AX- 1( conf i g- sl b vser ver ) #ha-group 1 AX- 1( conf i g- sl b vser ver ) #port 80 tcp AX- 1( conf i g- sl b vser ver - vpor t ) #service-group cache-ipv6 AX- 1( conf i g- sl b vser ver - vpor t ) #no-dest-nat AX- 1( conf i g- sl b vser ver - vpor t ) #ha-conn-mirror 326 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv6 TCS in High Availability Layer 3 Inline Mode AX-2 Configuration Here are the configuration commands for AX-2. Most of the commands are exactly the same as on AX-1. Only the following values differ: IP addresses of the VEs HA priority IP address for session synchronization (ha conn-mirror) AX- 2( conf i g) #trunk 1 AX- 2( conf i g- t r unk: 1) #ethernet 5 to 6 AX- 2( conf i g- t r unk: 1) #vlan 21 AX- 2( conf i g- vl an: 21) #untagged ethernet 1 to 3 AX- 2( conf i g- vl an: 21) #router-interface ve 1 AX- 2( conf i g- vl an: 21) #vlan 22 AX- 2( conf i g- vl an: 22) #untagged ethernet 2 AX- 2( conf i g- vl an: 22) #router-interface ve 22 AX- 2( conf i g- vl an: 22) #vlan 56 AX- 2( conf i g- vl an: 56) #untagged ethernet 5 to 6 AX- 2( conf i g- vl an: 56) #router-interface ve 56 AX- 2( conf i g- vl an: 11) #interface ethernet 1 AX- 2( conf i g- i f : et her net 1) #cpu-process AX- 2( conf i g- i f : et her net 1) #interface ethernet 2 AX- 2( conf i g- i f : et her net 2) #cpu-process AX- 2( conf i g- i f : et her net 2) #ip cache-spoofing-port AX- 2( conf i g- i f : et her net 2) #interface ethernet 3 AX- 2( conf i g- i f : et her net 3) #cpu-process AX- 2( conf i g- i f : et her net 3) #interface ethernet 5 AX- 2( conf i g- i f : et her net 5) #cpu-process AX- 2( conf i g- i f : et her net 5) #interface ve 1 AX- 2( conf i g- i f : ve1) #ipv6 address 2309:e90::4/64 AX- 2( conf i g- i f : ve1) #ip allow-promiscuous-vip AX- 2( conf i g- i f : ve1) #interface ve 22 AX- 2( conf i g- i f : ve22) #ipv6 address 2409:c90::2/64 AX- 2( conf i g- i f : ve22) #interface ve 56 AX- 2( conf i g- i f : ve56) #ipv6 address 2509:c90::2/64 AX- 2( conf i g- i f : ve56) #ip address 3.3.3.3 255.255.255.0 AX- 2( conf i g- i f : ve56) #exit AX- 2( conf i g) #ipv6 route 2309:d90::/32 2309:e90::1 AX- 2( conf i g) #ipv6 route 2309:f90::/32 2309:e90::3 P e r f o r m a n c e b y D e s i g n 327 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring IPv6 TCS in High Availability Layer 3 Inline Mode AX- 2( conf i g) #ipv6 access-list ipv6-101 AX- 2( conf i g- access- l i st : i pv6- 101) #permit ipv6 any host 2309:f90::10 log AX- 2( conf i g- access- l i st : i pv6- 101) #exit AX- 2( conf i g) #ha id 1 set-id 1 AX- 2( conf i g) #ha l3-inline-mode AX- 2( conf i g) #ha group 1 priority 100 AX- 2( conf i g) #ha interface ethernet 1 server-interface no-heartbeat AX- 2( conf i g) #ha interface ethernet 3 router-interface no-heartbeat AX- 2( conf i g) #ha interface ethernet 5 AX- 2( conf i g) #ha restart-port-list ethernet 1 ethernet 3 AX- 2( conf i g) #ha conn-mirror ip 3.3.3.2 AX- 2( conf i g) #ha preemption-enable AX- 2( conf i g) #floating-ip 2409:c90::100 ha-group 1 AX- 2( conf i g) #floating-ip 2309:e90::100 ha-group 1 AX- 2( conf i g) #health monitor icmp interval 1 timeout 1 AX- 2( conf i g) #slb server up-router 2309:e90::1 AX- 2( conf i g- r eal ser ver ) #health-check icmp AX- 2( conf i g- r eal ser ver ) #exit AX- 2( conf i g) #slb server down-router 2309:e90::3 AX- 2( conf i g- r eal ser ver ) #health-check icmp AX- 2( conf i g- r eal ser ver ) #exit AX- 2( conf i g) #slb server cache1-ipv6 2409:c90::5 AX- 2( conf i g- r eal ser ver ) #spoofing-cache AX- 2( conf i g- r eal ser ver ) #health-check icmp AX- 2( conf i g- r eal ser ver ) #port 80 tcp AX- 2( conf i g- r eal ser ver - node por t ) #exit AX- 2( conf i g- r eal ser ver ) #exit AX- 2( conf i g) #slb server cache2-ipv6 2409:c90::6 AX- 2( conf i g- r eal ser ver ) #spoofing-cache AX- 2( conf i g- r eal ser ver ) #health-check icmp AX- 2( conf i g- r eal ser ver ) #port 80 tcp AX- 2( conf i g- r eal ser ver - node por t ) #exit AX- 2( conf i g- r eal ser ver ) #exit AX- 2( conf i g) #slb service-group cache-ipv6 tcp AX- 2( conf i g- sl b svc gr oup) #member cache1-ipv6:80 AX- 2( conf i g- sl b svc gr oup) #member cache2-ipv6:80 AX- 2( conf i g- sl b svc gr oup) #exit AX- 2( conf i g) #slb virtual-server wildcard-ipv6 :: ipv6-acl ipv6-101 AX- 2( conf i g- sl b vser ver ) #ha-group 1 AX- 2( conf i g- sl b vser ver ) #port 80 tcp AX- 2( conf i g- sl b vser ver - vpor t ) #service-group cache-ipv6 328 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring TCS for FTP AX- 2( conf i g- sl b vser ver - vpor t ) #no-dest-nat AX- 2( conf i g- sl b vser ver - vpor t ) #ha-conn-mirror Configuring TCS for FTP You can configure the AX device to use cache servers for FTP traffic. Figure115 shows an example. FIGURE 115 Transparent Cache Switching for FTP When a client sends a request to the FTP server, the AX device intercepts the request and forwards it to the FTP cache server. The cache server then forwards the requested content to the AX device, if the content is cached. The AX device forwards the content to the client. P e r f o r m a n c e b y D e s i g n 329 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring TCS for FTP If the requested content is not already cached, the cache server obtains the content from the FTP server and caches it. The AX device forwards the con- tent to the client. Each cache server in this example has two physical interfaces. One of the interfaces receives client requests forwarded by the AX device. The other interface communicates with the FTP server, and forwards cached content to the AX device. Only the interfaces that receive client requests from the AX device need to be configured as real servers. Note: In this example, the content transferred by FTP is cached on the cache servers. However, this feature also can be used if the device is a firewall instead of an FTP cache server. In that case, the firewall is used to exam- ine the traffic that is transferred to or from the FTP server by the client. Configuration To configure TCS for FTP: 1. Configure the interfaces connected to the clients, the content servers, and the cache server. Enable promiscuous VIP on the AX interface(s) connected to the clients. Enable cache spoofing on the interface(s) connected to the cache server. Unless you are using AX model 1000, 2000, 2100, or 3000, you also must enable CPU processing on each interface. On these AX models, CPU processing is automatically used. 2. Configure an extended ACL that uses the permit action and that matches on client addresses as the source address, and on the content server address as the destination address. 3. Configure a real server for the cache server. Add an FTP port to the server. If the cache server will spoof client IP addresses when requesting con- tent from content servers, enable cache spoofing support. If the cache server has multiple interfaces, configure a separate real server for each one. 4. Configure a real server for the next-hop router through which the AX device will reach the content servers. Add the same FTP port number as the one on the cache server (for example, port 21). Disable health check- ing on the port. 330 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring TCS for FTP Note: The configuration requires health checking to be disabled on the router port. The router will not respond to the health check. If you leave health checking enabled, the AX device will mark the port down and TCS will not work. 5. Configure a service group for the cache servers and add them to it. 6. Configure a separate service group for the router, and add the router to it. 7. Configure a virtual server with virtual IP address 0.0.0.0 (the wildcard VIP address) and bind it to the ACL. Add an FTP virtual port and bind it to the service group containing the cache server, and to the service group containing the router. Disable des- tination NAT on the virtual port. CLI Example The following commands configure the AX interfaces to the FTP server, the FTP client, and the cache servers. AX( conf i g) #interface ethernet 1 AX( conf i g- i f : et her net 1) #enable AX( conf i g- i f : et her net 1) #ip address 10.10.10.254 255.255.255.0 AX( conf i g- i f : et her net 1) #cpu-process AX( conf i g- i f : et her net 1) #exit AX( conf i g) #interface ethernet 2 AX( conf i g- i f : et her net 2) #enable AX( conf i g- i f : et her net 2) #ip address 192.168.19.254 255.255.255.0 AX( conf i g- i f : et her net 2) #ip allow-promiscuous-vip AX( conf i g- i f : et her net 2) #cpu-process AX( conf i g- i f : et her net 2) #exit AX( conf i g) #interface ethernet 5 AX( conf i g- i f : et her net 5) #enable AX( conf i g- i f : et her net 5) #ip address 12.12.12.254 255.255.255.0 AX( conf i g- i f : et her net 5) #ip cache-spoofing-port AX( conf i g- i f : et her net 5) #cpu-process AX( conf i g- i f : et her net 5) #exit AX( conf i g) #interface ethernet 6 AX( conf i g- i f : et her net 6) #enable AX( conf i g- i f : et her net 6) #ip address 11.11.11.254 255.255.255.0 P e r f o r m a n c e b y D e s i g n 331 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring TCS for FTP AX( conf i g- i f : et her net 6) #ip cache-spoofing-port AX( conf i g- i f : et her net 6) #cpu-process AX( conf i g- i f : et her net 6) #exit The following command configures an extended ACL to match on clients and on the content server. The ACL in this example matches on any source address (client IP address) and on the destination IP address of the content server. AX( conf i g) #access-list 198 permit ip any host 20.20.20.11 log The following commands configure real servers for FTP on each of the cache servers. Cache spoofing is enabled and TCP port 21 is added to each real server. AX( conf i g) #slb server ftps1 11.11.11.10 AX( conf i g- r eal ser ver ) #spoofing-cache AX( conf i g- r eal ser ver ) #port 21 tcp AX( conf i g- r eal ser ver - node por t ) #no health-check AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g) #slb server ftps2 11.11.11.11 AX( conf i g- r eal ser ver ) #spoofing-cache AX( conf i g- r eal ser ver ) #port 21 tcp AX( conf i g- r eal ser ver - node por t ) #no health-check AX( conf i g- r eal ser ver - node por t ) #exit The following commands configure an FTP service group for the cache server: AX( conf i g) #slb service-group sg-ftps tcp AX( conf i g- sl b svc gr oup) #member ftps1:21 AX( conf i g- sl b svc gr oup) #member ftps2:21 AX( conf i g- sl b svc gr oup) #exit The following commands configure a wildcard VIP traffic and bind it to the ACL. The FTP virtual port is bound to the FTP and router service groups. Also, destination NAT is disabled. AX( conf i g) #slb virtual-server wildcard 0.0.0.0 acl 198 AX( conf i g- sl b vser ver ) #port 21 ftp AX( conf i g- sl b vser ver - vpor t ) #service-group sg-ftps AX( conf i g- sl b vser ver - vpor t ) #no-dest-nat 332 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Configuring TCS for FTP P e r f o r m a n c e b y D e s i g n 333 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Firewall Load Balancing This chapter describes how to configure Firewall Load Balancing (FWLB). Overview AX Series devices support Firewall Load Balancing (FWLB). FWLB load balances server-client sessions across firewalls. Figure116 shows an exam- ple FWLB topology. FIGURE 116 Example FWLB Topology 334 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview This example shows two pairs of AX devices. One pair is located on the public (unprotected) side of the network. The other pair is located on the secured side of the network. Each pair is configured for High Availability (HA). One member of the pair is the Active AX device and the other is a hot Standby. SLB for the real servers is configured on one of the AX pairs. You can con- figure SLB for the servers on either AX pair. However, do not add the SLB configuration to both AX pairs. The upstream/downstream routers and the firewalls need to be configured to use the AX device as the next hop. If HA pairs are being used, the next hop IP configured on the upstream/downstream routers and firewalls must be an HA-capable IP address. The following types of IP addresses are HA-capa- ble: Floating IP addresses (shown in Figure116) Virtual IP addresses IP addresses allocated from IP source NAT pools In HA deployments, each AX device needs an HA-capable IP interface in the subnets connected to the firewalls and those connected to real servers and upstream/downstream routers. Firewall Groups This example uses a single firewall group for both firewall nodes. When you configure FWLB, make sure to configure a firewall group for the fire- walls rather than an SLB service group. Templates Although this example does not use one, you can use a source-IP persis- tence template in an FWLB configuration. You can bind a source-IP persis- tence template to the virtual firewall or to individual service ports on the virtual firewall. If you apply a source-IP persistence template to the virtual firewall, the AX device sends all traffic from a given source address through the same firewall. If you apply a source-IP persistence template to an individual service port on the virtual firewall, the AX device sends all traffic from a given client for that service port through the same firewall. P e r f o r m a n c e b y D e s i g n 335 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Health Monitors To monitor the health of a firewall, use a Layer 3 monitor with the ICMP method, and with transparent mode enabled. This type of health monitor verifies a firewalls health by verifying the path through the firewall to the AX device or HA pair on the other side of the firewall. FWLB HA with Direct Connection of AX Devices to Firewalls Layer 2 switches are not required between the A device and the firewalls. You can connect the AX device directly to the firewalls, as shown in Figure117. FIGURE 117 FWLB HA with Direct Connection of AX Devices to Firewalls 336 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview In this topology, each AX device is directly connected to only two of the four firewalls, but can reach the other two firewalls at Layer 2 through the other AX device. In this topology, one AX device is active for SLB and FWLB and the other AX device is a hot standby for these services. The standby AX device allows Layer 2 client-server traffic to pass through but blocks other traffic. The active AX device load balances client-server traffic across all four firewalls. For example, assume that External AX1 is the active member of the HA pair (is the one actively performing SLB and FWLB). External AX1 is directly connected to the firewalls with interfaces 20.1.1.1 and 20.1.1.2, but can also reach the other two firewalls by sending the traffic at Layer 2 through Exter- nal AX2. External AX2, the standby for SLB and FWLB, allows client- server traffic to pass through at Layer 2. Interfaces to Clients and Servers This topology is supported on AX devices that are deployed in route mode (also called gateway mode). Virtual Ethernet (VE) interfaces are used to connect the AX device to clients, servers, and the other AX device. Each VE is configured with an IP address. In this example, External AX1 is con- figured with the following VE interfaces: VE1 Connects the AX device to clients (through the gateway routers). VE2 Directly connects the AX device to some of the firewalls, and indirectly connects to the other firewalls through the other AX device. VE50 Provides the HA management and session synchronization con- nection to the other AX device. Static IP Routes Each of the AX devices requires static IP routes to the following: Firewall VE subnet of the other AX pair Client or server VE subnet of the other AX pair: On the external AX devices, the destination address of this route is the VE subnet connected to the real servers. On the internal AX devices, the destination address of this route is the virtual IP address of a pair of external access routers running a router redundancy protocol such as VRRP. P e r f o r m a n c e b y D e s i g n 337 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview In the example above, External AX1 has the following static routes: Destination: 30.1.1.0 Next hop: 20.1.1.1 This route reaches the fire- wall VE subnet of the internal AX devices, through one of the firewalls. Destination: 40.1.1.0 Next hop: 20.1.1.1 This route reaches the VE subnet of the real servers, through one of the firewalls. Internal AX1 has the following static routes: Destination: 10.1.1.0 Next hop: 30.1.1.1 This route reaches the client VE subnet of the external AX devices, through one of the firewalls. Destination: 20.1.1.0 Next hop: 30.1.1.1 This route reaches the fire- wall VE subnet of the external AX devices, through one of the firewalls. Notice that on each AX device, both static routes use the same next hop. This is not required but it is recommended. Using the same hop does not present a single point of failure. If the route to the specified next hop goes down, the AX device automatically looks for another path to the route's des- tination through another firewall. Note: If the management interface is on a separate subnet, a static IP route for this interface might also be required. This is network-dependent and is not covered in this example. FWLB, SLB, and HA Configuration The FWLB and HA configuration is the same as in previous releases. There are no new commands or options required to configure this HA solution. To simplify configuration, A10 Networks recommends that you configure SLB on only one of the AX pairs, either the external pair or the internal pair. SLB does not need to be configured on both pairs. 338 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide FWLB Parameters FWLB Parameters Table6 lists the FWLB parameters. TABLE 6 FWLB Parameters Parameter Description and Syntax Supported Values Firewall Node Parameters Firewall (Required) Configures the firewall. [ no] fwlb node fwall-name ipaddr Config >Service >Firewall >Firewall Node Default: None configured Health check (Optional) Applies a configured health check to the firewall. The only type of health monitor supported for FWLB is Layer 3 ICMP with the transparent option enabled. The transparent option sends health check packets to the AX device or HA pair on the other side of the firewall. health-check monitor-name Config >Service >Firewall >Firewall Node Name of a configured health monitor Default: The AX device attempts to use the default Layer 3 method (ping). However, this default method does not use the transparent option. Statistics collection (Optional) Enables or disables collection of statistical data for the firewall node. stats-data-enable stats-data-disable Note: Statistical data collection for load-balancing resources requires collection for system resources to also be enabled (stats-data-enable). Config >Service >Firewall >Firewall Node Enabled or disabled Default: enabled Firewall Group Parameters Firewall service group (Required) Configures the firewall group. fwlb service-group group-name Config >Service >Firewall >Firewall Group Default: None configured Member (Required) Adds a firewall to the firewall group. member fwall-name [ priority num] The priority option enables you to designate some firewalls as backups (the lower priority firewalls) to be used only if the higher priority firewalls all are unavailable. Config >Service >Firewall >Firewall Group Default: None When you configure one, the default priority is 1. Load balancing method (Optional) Changes the algorithm used to select a firewall for a client request, from round-robin to least-connection. Least connection selects the firewall that has the fewest connections. [ no] method least-connection Config >Service >Firewall >Firewall Group Default: round robin P e r f o r m a n c e b y D e s i g n 339 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide FWLB Parameters Statistics collection (Optional) Enables or disables collection of statistical data for the firewall service group. stats-data-enable stats-data-disable Note: Statistical data collection for load-balancing resources requires collection for system resources to also be enabled (stats-data-enable). Config >Service >Firewall >Firewall Group Enabled or disabled Default: enabled Firewall Virtual Server Parameters Virtual firewall state (Optional) State of the firewall virtual server [ no] disable [ no] enable Config >Service >Firewall >Firewall Virtual server Enabled or disabled Default: Enabled Service ports (Optional) Specifies the service ports to load balance. port port-number {tcp | udp} Config >Service >Firewall >Firewall Virtual server - Port (See the Firewall Virtual Service Port Parameters below for additional port settings) Protocol port number, 1-65535 Default: No service ports are specified, which means all traffic is load bal- anced. Firewall group (Required) Specifies the firewall group to use. You also can specify a firewall group on individual service ports. If you specify a firewall group at each level, the firewall group specified for the individual service port takes precedence. [ no] service-group group-name Config >Service >Firewall >Firewall Virtual server Name of a configured firewall group Default: not set High Availabil- ity (HA) group (Optional) Specifies the HA group to use for the virtual fire- walls traffic. [ no] ha-group group-id Config >Service >Firewall >Firewall Virtual server 1-31 Default: not set Session synchro- nization (Optional) Synchronizes active sessions onto the standby AX in the HA pair, to prevent the sessions from being interrupted if an HA failover occurs. [ no] ha-conn-mirror Config >Service >Firewall >Firewall Virtual server Enabled or disabled Default: Disabled TABLE 6 FWLB Parameters (Continued) Parameter Description and Syntax Supported Values 340 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide FWLB Parameters Source-IP persis- tence template (Optional) Sends all traffic from a given source address to the same firewall. You also can specify a source-IP persistence tem- plate on individual service ports. If you specify a template at each level, the template specified for the individual service port takes precedence. Note: The match-type option is not applicable to FWLB. The match type for FWLB is always server, which sets the granularity of source-IP persistence to individual firewalls, not firewall groups or indi- vidual service ports. [ no] template persist source-ip template-name Config >Service >Firewall >Firewall Virtual server Name of a configured source-IP per- sistence template Default: not set TCP idle timeout (Optional) Specifies the number of seconds a TCP session through a firewall can remain idle before the AX device terminates the session. [ no] tcp-idle-timeout seconds Config >Service >Firewall >Firewall Virtual server Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall port, or the idle time configured in SLB. See TCP and UDP Session Aging on page342. 60-15000 seconds Default: 300 seconds UDP idle time- out (Optional) Specifies the number of seconds a UDP session through a firewall can remain idle before the AX device terminates the session. [ no] udp-idle-timeout seconds Config >Service >Firewall >Firewall Virtual server Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall port, or the idle time configured in SLB. See TCP and UDP Session Aging on page342. 60-15000 seconds Default: 300 seconds TABLE 6 FWLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 341 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide FWLB Parameters Statistics collection (Optional) Enables or disables collection of statistical data for the virtual firewall. stats-data-enable stats-data-disable Note: Statistical data collection for load-balancing resources requires collection for system resources to also be enabled (stats-data-enable). Config >Service >Firewall >Firewall Virtual server Enabled or disabled Default: enabled Firewall Virtual Service Port Parameters Port state (Optional) State of the virtual port. [ no] disable [ no] enable Config >Service >Firewall >Firewall Virtual server - Port Enabled or disabled Default: Enabled Firewall group (Optional) Specifies the firewall group to use. If you specify a firewall group at this level, the fire- wall group specified here takes precedence over the firewall group specified at the firewall level. [ no] service-group group-name Config >Service >Firewall >Firewall Virtual server - Port Name of a configured firewall group Default: not set Session synchro- nization (Optional) Synchronizes active sessions onto the standby AX in the HA pair, to prevent the sessions from being interrupted if an HA failover occurs. [ no] ha-conn-mirror Config >Service >Firewall >Firewall Virtual server - Port Enabled or disabled Default: Disabled Source-IP persis- tence template (Optional) Sends all traffic from a given source address to the same firewall. If you specify a source-IP persistence template at this level, the template specified here takes prece- dence over the template specified at the firewall level. [ no] template persist source-ip template-name Config >Service >Firewall >Firewall Virtual server - Port Name of a configured source-IP per- sistence template Default: not set TABLE 6 FWLB Parameters (Continued) Parameter Description and Syntax Supported Values 342 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide FWLB Parameters TCP and UDP Session Aging By default, the AX device allows TCP or UDP connections through a fire- wall to be idle for 300 seconds (5 minutes). The idle timeout for a TCP or UDP session through a firewall is determined as follows: For service-type UDP (Layer 4), if the idle-timeout is set on the virtual firewall or the UDP virtual firewall port, that idle-timeout is used. Oth- erwise, if the UDP idle-timeout is not set in FWLB, the idle-timeout in the default SLB UDP template is used. Unless the default template has been changed, the idle-timeout is 120 seconds. For service-type TCP (Layer 4), the idle-timeout in the default SLB TCP template is used. Unless the default template has been changed, the idle-timeout is 120 seconds. For service-type HTTP (Layer 7), the idle-timeout in the default SLB TCP-proxy template is used. Unless the default template has been changed, the idle-timeout is 600 seconds. TCP/UDP idle timeout (Optional) Specifies the number of seconds a session through a firewall on this service port can remain idle before the AX device terminates the session. [ no] idle-timeout seconds Config >Service >Firewall >Firewall Virtual server - Port Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall, or the idle time configured in SLB. See TCP and UDP Session Aging on page342. 60-15000 seconds Default: 300 seconds Statistics collection (Optional) Enables or disables collection of statistical data for the virtual port. stats-data-enable stats-data-disable Note: Statistical data collection for load-balancing resources requires collection for system resources to also be enabled (stats-data-enable). Config >Service >Firewall >Firewall Virtual server - Port Enabled or disabled Default: enabled TABLE 6 FWLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 343 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB Note: In the current release, the TCP idle-timeout settings in FWLB are never used. The AX device allows you to configure them but they are not used. Configuring FWLB To configure FWLB: 1. Configure High Availability (HA) parameters: HA ID, HA group, ses- sion synchronization, and floating IP address. 2. Configure a health check for each firewall. 3. Configure the firewalls. 4. Configure a firewall group and add the firewalls to the group. 5. Configure a virtual firewall. To apply FWLB only to traffic for specific services, create a virtual port for each service, and bind the firewall group to each virtual port. If FWLB will apply to all traffic types, do not configure any virtual ports on the virtual firewall. If the AX device is configured for HA, specify the HA group ID to use for the virtual port. Note: The essential steps are described in this section. For the complete list of FWLB settings you can configure, see Table6 on page338. 344 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB USING THE GUI To configure a health check for a firewall path 1. Select Config >Service >Health Monitor. 2. Select Health Monitor on the menu bar. 3. Click Add. 4. In the Health Monitor section, enter a name for the health monitor. 5. In the Method section, select ICMP from the Type drop-down list. 6. Select Transparent. The Alias Address field appears. 7. Enter the AX IP address at the other end of the path to check: If there is a single AX device on the other side of the firewall, enter the IP address of the AX. If there is an HA pair of AX device on the other side of the firewall, enter the floating IP address of the HA pair. 8. Click OK. The new health monitor appears in the Health Monitor table. FIGURE 118 Config >Service >Health Monitor P e r f o r m a n c e b y D e s i g n 345 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB To configure a firewall node 1. Select Config >Service >Firewall. 2. Select Firewall Node on the menu bar. 3. Click Add. The Firewall Node section appears. 4. Enter the firewall name and IP address. 5. Select the health method to use for checking the path through the fire- wall to the other AX device. If an HA pair is configured on the other side of the firewall, enter the floating IP address of the HA pair. 6. Click OK. The firewall appears in the Firewall Node table. FIGURE 119 Config >Service >Firewall >Firewall Node To configure a firewall group 1. Select Firewall Group on the menu bar. 2. Click Add. The Firewall Group section appears. 3. In the Firewall Group section, enter a name for the service group. 4. In the Member section, enter the IP address of a firewall in the Firewall field. 5. Click Add. 6. Repeat step4 and step5 for each firewall. 7. Click OK. The firewall group appears in the Firewall Group table. 346 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB FIGURE 120 Config >Service >Firewall >Firewall Group To configure the virtual firewall 1. Select Virtual Firewall Server on the menu bar. 2. Click Add. 3. In the Default section, select the HA group, if HA is configured. 4. Select the firewall group. 5. If you want to load balance all types of traffic through the firewalls, click OK to complete the configuration. Otherwise, to load balance only specific services, go to step6. 6. To specify services to load balance: a. In the Port section, click Add. b. Enter the protocol port number in the Port field. c. Select the transport protocol (TCP or UDP) from the Type drop- down list. d. Select the firewall group from the Firewall Group drop-down list. e. If HA is configured and you plan to use connection mirroring (ses- sion synchronization), select Enabled next to HA Connection Mir- ror. f. Click OK. P e r f o r m a n c e b y D e s i g n 347 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB g. Repeat for each protocol port. h. Click OK to complete the firewall virtual server configuration. FIGURE 121 Config >Service >Firewall >Firewall Virtual Server FIGURE 122 Config >Service >Firewall >Firewall Virtual Server - Port section 348 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB USING THE CLI 1. To configure HA parameters, use the following commands at the global configuration level of the CLI: ha id {1 | 2} ha group group-id priority number ha conn-mirror ip ipaddr ha interface ethernet port-num [ router-interface | server-interface | both] [ no-heartbeat | vlan vlan-id] floating-ip ipaddr ha-group group-id 2. To configure a health check for a firewall path, use the following com- mands: health monitor monitor-name [ interval seconds | retry number | timeout seconds] Enter this command at the global Config level. method icmp transparent ipaddr Enter this command at the configuration level for the health monitor. The transparent option is required and configures the health method to check the full path through the firewall to the other AX. The ipaddr specifies the IP address of the AX on the other side of the firewall. In an HA configuration, the ipaddr is the floating IP address of the HA group on the other side of the firewall. 3. To configure a firewall and assign a health monitor to it, use the follow- ing commands: fwlb node fwall-name ipaddr Enter this command at the global Config level. health-check monitor-name Enter this command at the configuration level for the firewall. 4. To configure a firewall group and add the firewalls to it, use the follow- ing commands: fwlb service-group group-name Enter this command at the global Config level. member fwall-name [ priority num] method least-connection P e r f o r m a n c e b y D e s i g n 349 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB The priority option enables you to designate some firewalls as backups (the lower priority firewalls) to be used only if the higher priority fire- walls all are unavailable. The method command is optional and changes the load-balancing method from round-robin (the default) to least-connections. Enter these commands at the configuration level for the firewall group. 5. To configure the virtual firewall, use the following commands: fwlb virtual-firewall default This command changes the CLI to the configuration level for the virtual firewall named "default". The "default" virtual firewall is the only one supported in the current release. Enter this command at the global Config level. port port-number {tcp | udp} ha-group {1 | 2} Enter these commands at the configuration level for the virtual firewall. The port command specifies the service port that is being protected by the firewall. This is the virtual port configured on the VIP in the SLB configuration. The ha-group command specifies the HA group the vir- tual port is in. service-group fwall-name ha-conn-mirror Enter these commands at the configuration level for the virtual port. The service-group command binds the firewall group to the virtual port. The ha-conn-mirror command enables session synchronization (connection mirroring) between the Active and Standby AX devices in the HA con- figuration. Displaying FWLB Information To display FWLB configuration information and statistics, use the follow- ing commands: show fwlb node [ fwall-name] [ config] show fwlb service-group [ group-name] [ config] show fwlb virtual-firewall [ config] In each command, the config option displays configuration information. If you omit the config option, statistics are displayed instead. 350 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB CLI CONFIGURATION EXAMPLETOPOLOGY USING LAYER 2 SWITCHES The commands in the following example implement the FWLB configura- tion for the External AX (Active) shown in Figure116 on page333. The same commands can be used on the other AX devices, with the following exceptions: The ha id command on each AX in an HA pair must use a different HA ID. For example, since External AX A uses HA ID 1, External AX B must use HA ID 2. The ha group command on each AX in an HA pair should use a differ- ent HA priority. For example, since External AX A uses priority 100 for the HA group, External AX B uses priority 1. The floating-ip commands on the each AX device must use addresses within the subnets connected to the firewalls and upstream/downstream routers or servers. In Figure116 on page333, the external AX devices need floating IP addresses 10.1.1.100 and 192.168.1.100. The internal AX devices need floating IP addresses 10.5.1.100 and 10.20.1.100. The method icmp transparent commands on the External AX devices must use the floating IP address of the subnet on which the Internal AX pair is connected to the firewalls. Likewise, the method icmp transparent commands on the Internal AX devices must use the floating IP address of the subnet on which the External AX pair is connected to the firewalls. CLI Commands on External AX (Active) The following commands configure global HA parameters: AX- Ext - A( conf i g) #ha id 1 AX- Ext - A( conf i g) #ha group 1 priority 100 AX- Ext - A( conf i g) #ha interface ethernet 1 AX- Ext - A( conf i g) #ha interface ethernet 2 AX- Ext - A( conf i g) #ha conn-mirror ip 10.1.1.6 AX- Ext - A( conf i g) #floating-ip 192.168.1.100 ha-group 1 AX- Ext - A( conf i g) #floating-ip 10.1.1.100 ha-group 1 The following commands configure the health monitors: AX- Ext - A( conf i g) #health monitor fwpathcheck AX- Ext - A( conf i g- heal t h: moni t or ) #method icmp transparent 10.5.1.100 AX- Ext - A( conf i g- heal t h: moni t or ) #exit P e r f o r m a n c e b y D e s i g n 351 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB The following commands configure the firewalls: AX- Ext - A( conf i g) #fwlb node fw1 10.1.1.1 AX- Ext - A( conf i g- f i r ewal l node) #health-check fwpathcheck AX- Ext - A( conf i g- f i r ewal l node) #exit AX- Ext - A( conf i g) #fwlb node fw2 10.1.1.2 AX- Ext - A( conf i g- f i r ewal l node) #health-check fwpathcheck AX- Ext - A( conf i g- f i r ewal l node) #exit The following commands configure the firewall groups: AX- Ext - A( conf i g) #fwlb service-group fwsg AX- Ext - A( conf i g- f wl b svc gr oup) #member fw1 AX- Ext - A( conf i g- f wl b svc gr oup) #member fw2 AX- Ext - A( conf i g- f wl b svc gr oup) #exit The following commands configure the virtual firewall: AX- Ext - A( conf i g) #fwlb virtual-firewall default AX- Ext - A( conf i g- f wl b vf w) #ha-group 1 AX- Ext - A( conf i g- f wl b vf w) #port 80 tcp AX- Ext - A( conf i g- f wl b vf w- vpor t ) #service-group fwsg AX- Ext - A( conf i g- f wl b vf w- vpor t ) #ha-conn-mirror CLI Commands on External AX (Standby) AX- Ext - S( conf i g) #ha id 2 AX- Ext - S( conf i g) #ha group 1 priority 1 AX- Ext - S( conf i g) #ha interface ethernet 1 AX- Ext - S( conf i g) #ha interface ethernet 2 AX- Ext - S( conf i g) #ha conn-mirror ip 10.1.1.6 AX- Ext - S( conf i g) #floating-ip 192.168.1.100 ha-group 1 AX- Ext - S( conf i g) #floating-ip 10.1.1.100 ha-group 1 AX- Ext - S( conf i g) #health monitor fwpathcheck AX- Ext - S( conf i g- heal t h: moni t or ) #method icmp transparent 10.5.1.100 AX- Ext - S( conf i g- heal t h: moni t or ) #exit AX- Ext - S( conf i g) #fwlb node fw1 10.1.1.1 AX- Ext - S( conf i g- f i r ewal l node) #health-check fwpathcheck AX- Ext - S( conf i g- f i r ewal l node) #exit AX- Ext - S( conf i g) #fwlb node fw2 10.1.1.2 AX- Ext - S( conf i g- f i r ewal l node) #health-check fwpathcheck AX- Ext - S( conf i g- f i r ewal l node) #exit AX- Ext - S( conf i g) #fwlb service-group fwsg AX- Ext - S( conf i g- f wl b svc gr oup) #member fw1 AX- Ext - S( conf i g- f wl b svc gr oup) #member fw2 352 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB AX- Ext - S( conf i g- f wl b svc gr oup) #exit AX- Ext - S( conf i g) #fwlb virtual-firewall default AX- Ext - S( conf i g- f wl b vf w) #ha-group 1 AX- Ext - S( conf i g- f wl b vf w) #port 80 tcp AX- Ext - S( conf i g- f wl b vf w- vpor t ) #service-group fwsg AX- Ext - S( conf i g- f wl b vf w- vpor t ) #ha-conn-mirror CLI Commands on Internal AX (Active) AX- I nt - A( conf i g) #ha id 1 AX- I nt - A( conf i g) #ha group 1 priority 100 AX- I nt - A( conf i g) #ha interface ethernet 1 AX- I nt - A( conf i g) #ha interface ethernet 2 AX- I nt - A( conf i g) #ha conn-mirror ip 10.5.1.6 AX- I nt - A( conf i g) #floating-ip 10.5.1.100 ha-group 1 AX- I nt - A( conf i g) #floating-ip 10.20.1.100 ha-group 1 AX- I nt - A( conf i g) #health monitor fwpathcheck AX- I nt - A( conf i g- heal t h: moni t or ) #method icmp transparent 10.1.1.100 AX- I nt - A( conf i g- heal t h: moni t or ) #exit AX- I nt - A( conf i g) #fwlb node fw1 10.5.1.1 AX- I nt - A( conf i g- f i r ewal l node) #health-check fwpathcheck AX- I nt - A( conf i g- f i r ewal l node) #exit AX- I nt - A( conf i g) #fwlb node fw2 10.5.1.2 AX- I nt - A( conf i g- f i r ewal l node) #health-check fwpathcheck AX- I nt - A( conf i g- f i r ewal l node) #exit AX- I nt - A( conf i g) #fwlb service-group fwsg AX- I nt - A( conf i g- f wl b svc gr oup) #member fw1 AX- I nt - A( conf i g- f wl b svc gr oup) #member fw2 AX- I nt - A( conf i g- f wl b svc gr oup) #exit AX- I nt - A( conf i g) #fwlb virtual-firewall default AX- I nt - A( conf i g- f wl b vf w) #ha-group 1 AX- I nt - A( conf i g- f wl b vf w) #port 80 tcp AX- I nt - A( conf i g- f wl b vf w- vpor t ) #service-group fwsg AX- I nt - A( conf i g- f wl b vf w- vpor t ) #ha-conn-mirror P e r f o r m a n c e b y D e s i g n 353 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB CLI Commands on Internal AX (Standby) AX- I nt - S( conf i g) #ha id 2 AX- I nt - S( conf i g) #ha group 1 priority 1 AX- I nt - S( conf i g) #ha interface ethernet 1 AX- I nt - S( conf i g) #ha interface ethernet 2 AX- I nt - S( conf i g) #ha conn-mirror ip 10.5.1.5 AX- I nt - S( conf i g) #floating-ip 10.5.1.100 ha-group 1 AX- I nt - S( conf i g) #floating-ip 10.20.1.100 ha-group 1 AX- I nt - S( conf i g) #health monitor fwpathcheck AX- I nt - S( conf i g- heal t h: moni t or ) #method icmp transparent 10.1.1.100 AX- I nt - S( conf i g- heal t h: moni t or ) #exit AX- I nt - S( conf i g) #fwlb node fw1 10.5.1.1 AX- I nt - S( conf i g- f i r ewal l node) #health-check fwpathcheck AX- I nt - S( conf i g- f i r ewal l node) #exit AX- I nt - S( conf i g) #fwlb node fw2 10.5.1.2 AX- I nt - S( conf i g- f i r ewal l node) #health-check fwpathcheck AX- I nt - S( conf i g- f i r ewal l node) #exit AX- I nt - S( conf i g) #fwlb service-group fwsg AX- I nt - S( conf i g- f wl b svc gr oup) #member fw1 AX- I nt - S( conf i g- f wl b svc gr oup) #member fw2 AX- I nt - S( conf i g- f wl b svc gr oup) #exit AX- I nt - S( conf i g) #fwlb virtual-firewall default AX- I nt - S( conf i g- f wl b vf w) #ha-group 1 AX- I nt - S( conf i g- f wl b vf w) #port 80 tcp AX- I nt - S( conf i g- f wl b vf w- vpor t ) #service-group fwsg AX- I nt - S( conf i g- f wl b vf w- vpor t ) #ha-conn-mirror 354 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB CLI CONFIGURATION EXAMPLETOPOLOGY WITHOUT LAYER 2 SWITCHES The following sections show the CLI commands for configuring interfaces, FWLB, and HA on each of the AX devices shown in Figure117 on page335. For simplicity, the SLB configuration is not shown. Configuration of External AX1 The following commands configure the HA management and session syn- chronization interface to the other AX device. Ext - AX1( conf i g) #trunk 1 Ext - AX1( conf i g- t r unk: 1) #ethernet 9 to 10 Ext - AX1( conf i g- t r unk: 1) #exit Ext - AX1( conf i g) #vlan 50 Ext - AX1( conf i g- vl an: 50) #untagged ethernet 9 to 10 Ext - AX1( conf i g- vl an: 50) #router-interface ve 5 Ext - AX1( conf i g- vl an: 50) #exit Ext - AX1( conf i g) #interface ve 5 Ext - AX1( conf i g- i f : ve5) #ip address 50.1.1.1 255.255.255.0 Ext - AX1( conf i g- i f : ve5) #exit The following commands configure the VE interface to clients: Ext - AX1( conf i g) #vlan 10 Ext - AX1( conf i g- vl an: 10) #untagged ethernet 1 Ext - AX1( conf i g- vl an: 10) #router-interface ve 1 Ext - AX1( conf i g- vl an: 10) #exit Ext - AX1( conf i g) #interface ve 1 Ext - AX1( conf i g- i f : ve1) #ip address 10.1.1.10 255.255.255.0 Ext - AX1( conf i g- i f : ve1) #exit The following commands configure the VE interface to the firewalls: Ext - AX1( conf i g) #vlan 20 Ext - AX1( conf i g- vl an: 20) #untagged ethernet 2 ethernet 4 ethernet 13 Ext - AX1( conf i g- vl an: 20) #router-interface ve 2 Ext - AX1( conf i g- vl an: 20) #exit Ext - AX1( conf i g) #interface ve 2 Ext - AX1( conf i g- i f : ve2) #ip address 20.1.1.10 255.255.255.0 Ext - AX1( conf i g- i f : ve2) #exit The following commands configure the static routes: Ext - AX1( conf i g) #ip route 40.1.1.0 /24 20.1.1.1 Ext - AX1( conf i g) #ip route 30.1.1.0 /24 20.1.1.1 P e r f o r m a n c e b y D e s i g n 355 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB The following commands configure global HA parameters: Ext - AX1( conf i g) #ha id 1 Ext - AX1( conf i g) #ha group 1 priority 200 Ext - AX1( conf i g) #ha interface ethernet 1 Ext - AX1( conf i g) #ha interface ethernet 2 Ext - AX1( conf i g) #ha interface ethernet 4 Ext - AX1( conf i g) #ha conn-mirror ip 50.1.1.2 Ext - AX1( conf i g) #ha preemption-enable Ext - AX1( conf i g) #floating-ip 20.1.1.254 ha-group 1 The following commands configure a Layer 2 health monitor to check the health of the paths through the firewalls to the floating IP address config- ured on the other AX pair: Ext - AX1( conf i g) #health monitor tsping interval 15 Ext - AX1( conf i g- heal t h: moni t or ) #method icmp transparent 40.1.1.254 Ext - AX1( conf i g- heal t h: moni t or ) #exit The following commands configure the FWLB parameters: Ext - AX1( conf i g) #fwlb node fw1 20.1.1.1 Ext - AX1( conf i g- f i r ewal l node) #health-check tsping Ext - AX1( conf i g- f i r ewal l node) #exit Ext - AX1( conf i g) #fwlb node fw2 20.1.1.2 Ext - AX1( conf i g- f i r ewal l node) #health-check tsping Ext - AX1( conf i g- f i r ewal l node) #exit Ext - AX1( conf i g) #fwlb node fw3 20.1.1.3 Ext - AX1( conf i g- f i r ewal l node) #health-check tsping Ext - AX1( conf i g- f i r ewal l node) #exit Ext - AX1( conf i g) #fwlb node fw4 20.1.1.4 Ext - AX1( conf i g- f i r ewal l node) #health-check tsping Ext - AX1( conf i g- f i r ewal l node) #exit Ext - AX1( conf i g) #fwlb service-group fwsg Ext - AX1( conf i g- f wl b svc gr oup) #member fw1 Ext - AX1( conf i g- f wl b svc gr oup) #member fw2 Ext - AX1( conf i g- f wl b svc gr oup) #member fw3 Ext - AX1( conf i g- f wl b svc gr oup) #member fw4 Ext - AX1( conf i g- f wl b svc gr oup) #exit Ext - AX1( conf i g) #fwlb virtual-firewall default Ext - AX1( conf i g- - f wl b vf w) #ha-group 1 Ext - AX1( conf i g- - f wl b vf w) #service-group fwsg Ext - AX1( conf i g- - f wl b vf w) #ha-conn-mirror Ext - AX1( conf i g- - f wl b vf w) #port 80 tcp 356 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB Ext - AX1( conf i g- f wl b vf w- vpor t ) #service-group fwsg Ext - AX1( conf i g- f wl b vf w- vpor t ) #ha-conn-mirror Configuration of External AX2 This configuration is like the configuration for External AX1, with the fol- lowing exceptions: The VE IP addresses are different (although they are in the same subnets as those on the other AX device). The HA ID, priority, and connection mirroring IP address are different from the other AX device. The FWLB configuration is the same. For brevity, it is not shown. Ext - AX2( conf i g) #trunk 1 Ext - AX2( conf i g- t r unk: 1) #ethernet 9 to 10 Ext - AX2( conf i g- t r unk: 1) #exit Ext - AX2( conf i g) #vlan 50 Ext - AX2( conf i g- vl an: 50) #untagged ethernet 9 to 10 Ext - AX2( conf i g- vl an: 50) #router-interface ve 5 Ext - AX2( conf i g- vl an: 50) #exit Ext - AX2( conf i g) #interface ve 5 Ext - AX2( conf i g- i f : ve5) #ip address 50.1.1.2 255.255.255.0 Ext - AX2( conf i g- i f : ve5) #exit Ext - AX2( conf i g) #vlan 10 Ext - AX2( conf i g- vl an: 10) #untagged ethernet 1 Ext - AX2( conf i g- vl an: 10) #router-interface ve 1 Ext - AX2( conf i g- vl an: 10) #exit Ext - AX2( conf i g) #interface ve 1 Ext - AX2( conf i g- i f : ve1) #ip address 10.1.1.20 255.255.255.0 Ext - AX2( conf i g- i f : ve1) #exit Ext - AX2( conf i g) #vlan 20 Ext - AX2( conf i g- vl an: 20) #untagged ethernet 2 ethernet 4 ethernet 13 Ext - AX2( conf i g- vl an: 20) #router-interface ve 2 Ext - AX2( conf i g- vl an: 20) #exit Ext - AX2( conf i g) #interface ve 2 Ext - AX2( conf i g- i f : ve2) #ip address 20.1.1.20 255.255.255.0 Ext - AX2( conf i g- i f : ve2) #exit Ext - AX2( conf i g) #ip route 40.1.1.0 /24 20.1.1.1 Ext - AX2( conf i g) #ip route 30.1.1.0 /24 20.1.1.1 Ext - AX2( conf i g) #ha id 2 Ext - AX2( conf i g) #ha group 1 priority 100 P e r f o r m a n c e b y D e s i g n 357 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB Ext - AX2( conf i g) #ha interface ethernet 1 Ext - AX2( conf i g) #ha interface ethernet 2 Ext - AX2( conf i g) #ha interface ethernet 4 Ext - AX2( conf i g) #ha conn-mirror ip 50.1.1.1 Ext - AX2( conf i g) #ha preemption-enable Ext - AX2( conf i g) #floating-ip 20.1.1.254 ha-group 1 Configuration of Internal AX1 This configuration is like the configuration for External AX1, with the fol- lowing exceptions: The VE IP addresses and subnets are different. (The VLAN numbers and some of the VE numbers also are different, but this is not required. For simplicity, the VLAN numbers were selected to match the subnet numbers.) The static routes are different. The floating IP address and connection mirroring IP address are differ- ent. The target IP address of the transparent Layer 3 health check is the float- ing IP address of the external AX pair. The IP addresses of the firewall nodes are different. The following commands configure the HA management and session syn- chronization interface to the other AX device. I nt - AX1( conf i g) #trunk 1 I nt - AX1( conf i g- t r unk: 1) #ethernet 9 to 10 I nt - AX1( conf i g- t r unk: 1) #exit I nt - AX1( conf i g) #vlan 60 I nt - AX1( conf i g- vl an: 60) #untagged ethernet 9 to 10 I nt - AX1( conf i g- vl an: 60) #router-interface ve 60 I nt - AX1( conf i g- vl an: 60) #exit I nt - AX1( conf i g) #interface ve 60 I nt - AX1( conf i g- i f : ve60) #ip address 60.1.1.1 255.255.255.0 I nt - AX1( conf i g- i f : ve60) #exit 358 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB The following commands configure the VE interface to the servers: I nt - AX1( conf i g) #vlan 40 I nt - AX1( conf i g- vl an: 40) #untagged ethernet 2 I nt - AX1( conf i g- vl an: 40) #router-interface ve 2 I nt - AX1( conf i g- vl an: 40) #exit I nt - AX1( conf i g) #interface ve 2 I nt - AX1( conf i g- i f : ve2) #ip address 40.1.1.10 255.255.255.0 I nt - AX1( conf i g- i f : ve2) #exit The following commands configure the VE interface to the firewalls: I nt - AX1( conf i g) #vlan 30 I nt - AX1( conf i g- vl an: 30) #untagged ethernet 1 ethernet 3 ethernet 13 I nt - AX1( conf i g- vl an: 30) #router-interface ve 1 I nt - AX1( conf i g- vl an: 30) #exit I nt - AX1( conf i g) #interface ve 1 I nt - AX1( conf i g- i f : ve1) #ip address 30.1.1.10 255.255.255.0 I nt - AX1( conf i g- i f : ve1) #exit The following commands configure the static routes: I nt - AX1( conf i g) #ip route 10.1.1.0 /24 30.1.1.1 I nt - AX1( conf i g) #ip route 20.1.1.0 /24 30.1.1.1 The following commands configure global HA parameters: I nt - AX1( conf i g) #ha id 1 I nt - AX1( conf i g) #ha group 1 priority 200 I nt - AX1( conf i g) #ha interface ethernet 1 I nt - AX1( conf i g) #ha interface ethernet 2 I nt - AX1( conf i g) #ha interface ethernet 3 I nt - AX1( conf i g) #ha conn-mirror ip 60.1.1.2 I nt - AX1( conf i g) #ha preemption-enable I nt - AX1( conf i g) #floating-ip 40.1.1.254 ha-group 1 Configuration of Internal AX2 This configuration is like the configuration for Internal AX1, with the fol- lowing exceptions: The VE IP addresses are different (although they are in the same subnets as those on the other AX device). The HA ID, priority, and connection mirroring IP address are different from the other AX device. P e r f o r m a n c e b y D e s i g n 359 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB The health monitor and FWLB configuration is the same. For brevity, it is not shown. I nt - AX2( conf i g) #trunk 1 I nt - AX2( conf i g- t r unk: 1) #ethernet 9 to 10 I nt - AX2( conf i g- t r unk: 1) #exit I nt - AX2( conf i g) #vlan 60 I nt - AX2( conf i g- vl an: 60) #untagged ethernet 9 to 10 I nt - AX2( conf i g- vl an: 60) #router-interface ve 60 I nt - AX2( conf i g- vl an: 60) #exit I nt - AX2( conf i g) #interface ve 60 I nt - AX2( conf i g- i f : ve60) #ip address 60.1.1.2 255.255.255.0 I nt - AX2( conf i g- i f : ve60) #exit I nt - AX2( conf i g) #vlan 40 I nt - AX2( conf i g- vl an: 40) #untagged ethernet 2 I nt - AX2( conf i g- vl an: 40) #router-interface ve 2 I nt - AX2( conf i g- vl an: 40) #exit I nt - AX2( conf i g) #interface ve 2 I nt - AX2( conf i g- i f : ve2) #ip address 40.1.1.20 255.255.255.0 I nt - AX2( conf i g- i f : ve2) #exit I nt - AX2( conf i g) #vlan 30 I nt - AX2( conf i g- vl an: 30) #untagged ethernet 1 ethernet 3 ethernet 13 I nt - AX2( conf i g- vl an: 30) #router-interface ve 1 I nt - AX2( conf i g- vl an: 30) #exit I nt - AX2( conf i g) #interface ve 1 I nt - AX2( conf i g- i f : ve1) #ip address 30.1.1.20 255.255.255.0 I nt - AX2( conf i g- i f : ve1) #exit I nt - AX2( conf i g) #ip route 10.1.1.0 /24 30.1.1.1 I nt - AX2( conf i g) #ip route 20.1.1.0 /24 30.1.1.1 I nt - AX2( conf i g) #ha id 2 I nt - AX2( conf i g) #ha group 1 priority 100 I nt - AX2( conf i g) #ha interface ethernet 1 I nt - AX2( conf i g) #ha interface ethernet 2 I nt - AX2( conf i g) #ha interface ethernet 3 I nt - AX2( conf i g) #ha conn-mirror ip 60.1.1.1 I nt - AX2( conf i g) #ha preemption-enable I nt - AX2( conf i g) #floating-ip 40.1.1.254 ha-group 1 360 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring FWLB P e r f o r m a n c e b y D e s i g n 361 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Server and Port Templates This chapter describes how to configure parameters for multiple servers and service ports using server and port templates. Overview The AX device supports the following types of templates for configuration of SLB servers and ports: Server Contains configuration parameters for real servers Port Contains configuration parameters for real service ports Virtual-server Contains configuration parameters for virtual servers Virtual-port Contains configuration parameters for virtual service ports These template types provide the same benefit as other template types. They allow you to configure a set of parameter values and apply the set of values to multiple configuration items. In this case, you can configure sets of parameters (templates) for SLB assets (servers and service ports) and apply the parameters to multiple servers or ports. Some of the parameters that can be set using a template can also be set or changed on the individual server or port. If a parameter is set (or changed from its default) in both a template and on the individual server or port, the setting on the individual server or port takes precedence. If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual server or port, the set- ting in the template takes precedence. 362 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Parameters That Can Be Configured Using Server and Port Templates Table7 describes the server and port parameters you can configure using templates. TABLE 7 SLB Port and Server Template Parameters Template Type Parameter Description Real Server Health monitor Assigns a configured Layer 3 health monitor to all servers that use the template. (See Configuring and Applying a Health Method on page390.) Connection limit Specifies the maximum number of connections allowed on any server that uses the template. (See Connection Limit- ing on page370.) Connection rate limit- ing Limits the rate of new connections the AX is allowed to send to any server that uses the template. (See Connection Rate Limiting on page372.) Slow start Provides time for servers that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the server. (See Slow- Start on page374.) Dynamic server creation using DNS The following parameters apply to dynamic server creation using DNS. (For more information about this feature, see Dynamic Real Server Creation Using DNS on page895.) DNS query interval Specifies how often the AX device sends DNS queries for the IP addresses of dynamic real servers. Dynamic server prefix Changes the prefix added to the front of dynamically cre- ated servers. Minimum TTL ratio Specifies the minimum initial value for the TTL of dynamic real servers. Maximum dynamic servers Specifies the maximum number of dynamic real servers that can be created for a given hostname. P e r f o r m a n c e b y D e s i g n 363 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Real Server Port Health monitor Assigns a configured Layer 4-7 health monitor to all service ports that use the template. (See Configuring and Applying a Health Method on page390.) In-band health monitor Provides rapid server status change and reassignment based on client-server traffic. This is an enhanced health check mechanism that works independently of the standard out-of-band health mecha- nism. See In-Band Health Monitoring on page410. Connection limit Specifies the maximum number of connections allowed on any real port that uses the template. (See Connection Lim- iting on page370.) Connection rate limit- ing Limits the rate of new connections the AX is allowed to send to any real port that uses the template. (See Connec- tion Rate Limiting on page372.) Destination NAT Enables destination Network Address Translation (NAT). Destination NAT is enabled by default, but is disabled in Direct Server Return (DSR) configurations. You can re-enable destination NAT on individual ports for deployment of mixed DSR configurations. See Direct Server Return in Mixed Layer 2/Layer 3 Environment on page101. DSCP Sets the differentiated services code point (DSCP) value in the IP header of a client request before sending the request to a server. Member priority for dynamically created servers Sets the initial TTL for dynamically created service-group members. (See Dynamic Real Server Creation Using DNS on page895.) Slow start Provides time for real ports that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports. (See Slow- Start on page374.) Source NAT Specifies the IP NAT pool to use for assigning a source IP address to client traffic addressed to the port. For informa- tion about NAT, see Network Address Translation on page615 Weight Biases load-balancing selection of this port. A higher weight gives more favor to the server and port relative to the other servers and ports. For an example of weighted SLB, see FTP Load Balanc- ing on page169. (The example configures weights directly on the real service ports rather than using templates, but still illustrates how the weight option works.) Note: The weight option applies only to the weighted-least- connection, service-weighted-least-connection, and weighted-round-robin load-balancing methods. TABLE 7 SLB Port and Server Template Parameters (Continued) Template Type Parameter Description 364 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Default Server and Service Port Templates The AX device has a default template for each of these template types. If you do not explicitly bind a server or service port template to a server or ser- vice port, the default template is automatically applied. For example, when you create a real server, the parameter settings in the default real server tem- plate are automatically applied to the new server, unless you bind a different real server template to the server. The default server and port templates are each named default. The default settings in the templates are the same as the default settings for the parame- ters that can be set in the templates. If you are upgrading an AX device that has a configuration saved under a previous release, the default server and port templates are automatically bound (applied to) the servers and ports in the configuration. This does not change the configuration or operation of the servers and ports themselves, since the default server and port templates use the default settings for all parameters, unless overridden by parameter settings on the individual serv- ers and ports. Virtual Server Connection limit Specifies the maximum number of connections allowed on any VIP that uses the template. (See Connection Limiting on page370.) Connection rate limit- ing Limits the rate of new connections the AX is allowed to send to any VIP that uses the template. (See Connection Rate Limiting on page372.) ICMP rate limiting Limits the rate at which ICMP packets can be sent to the VIP. (See ICMP Rate Limiting on page734.) Gratuitous ARPs for subnet VIPs Enables gratuitous ARPs for all VIPs in a subnet VIP. (See Gratuitous ARPs for Subnet VIPs on page377.) Virtual Server Port Connection limit Specifies the maximum number of connections allowed on any virtual service port that uses the template. (See Con- nection Limiting on page370.) Connection rate limit- ing Limits the rate of new connections the AX is allowed to send to any virtual service port that uses the template. (See Connection Rate Limiting on page372.) Reset unknown connec- tions Enables sending of a TCP Reset (RST) in response to a ses- sion mismatch. (See TCP Reset Option for Session Mis- match on page378.) TABLE 7 SLB Port and Server Template Parameters (Continued) Template Type Parameter Description P e r f o r m a n c e b y D e s i g n 365 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Server and Service Port Templates Configuring Server and Service Port Templates To configure a server or port template, use either of the following methods. USING THE GUI 1. Select Config >Service >SLB. 2. On the menu bar, select one of the following: Template >Server Template >Server Port Template >Virtual Server Template >Virtual Server Port The list of configured templates of the selected type appears. 3. Click Add to create a new one or click on the name of a configured tem- plate to edit it. The configuration section for the template appears. 4. Enter a name for the template (if the template is new). 5. Enter or edit other settings. (See the descriptions in the sections below for information.) 6. Click OK. USING THE CLI To configure server and service-port templates, use the following com- mands at the global configuration level of the CLI: [ no] slb template server template-name [ no] slb template port template-name [ no] slb template virtual-server template-name [ no] slb template virtual-port template-name The template name can be 1-31 characters. These commands change the CLI to the configuration level for the template. To modify the default tem- plate, specify the name default (without the quotation marks). To display the settings in a template, use one of the following commands: show slb template server template-name show slb template port template-name 366 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Applying a Server or Service Port Template show slb template virtual-server template-name show slb template virtual-port template-name CLI Example The following commands configure a new real server template and bind the template to two real servers: AX( conf i g) #slb template server rs-tmplt1 AX( conf i g- r ser ver ) #health-check ping2 AX( conf i g- r ser ver ) #conn-limit 500000 AX( conf i g- r ser ver ) #exit AX( conf i g) #slb server rs1 10.1.1.99 AX( conf i g- r eal ser ver ) #template server rs-tmplt1 AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 10.1.1.100 AX( conf i g- r eal ser ver ) #template server rs-tmplt1 This example includes the commands to bind the template to real servers. For information about binding the templates, see Applying a Server or Ser- vice Port Template on page366. Applying a Server or Service Port Template If you modify a default server or port template, the changes are automati- cally applied to any servers or ports that are not bound to another server or port template. If you create a new server or port template, the template takes effect only after you bind it to servers or ports. Table8 lists the types of bindings that are supported for server and port tem- plates. P e r f o r m a n c e b y D e s i g n 367 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Applying a Server or Service Port Template The following subsections describe how to bind server and port templates to servers, ports, and service group members. For configuration examples, see the feature sections referred to in Table7 on page362. Binding a Server Template to a Real Server USING THE GUI 1. Select Config >Service >SLB. 2. Click Server on the menu bar. 3. Click on the server name. 4. Select the template from the Server Template drop-down list. To create one, click create. 5. When finished, click OK. USING THE CLI Enter the following command at the configuration level for the real server: [ no] template server template-name TABLE 8 Server and Port Template Bindings Template Type Can Be Bound To... Server Real servers Port Real server ports You can apply them to real server ports directly or in a service group. Note: Binding a server port template to a service port within a service group provides a finer level of control than binding the template directly to a port. When the template is bound to the port only within a service group, and not bound to the port directly, the template settings apply to the port only when the port is used by the service group. The settings do not apply to the same port if used in other ser- vice groups. Virtual Server Virtual servers Virtual Server Port Virtual server ports 368 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Applying a Server or Service Port Template Binding a Server Port Template to a Real Server Port USING THE GUI 1. Select Config >Service >SLB. 2. Click Server on the menu bar. 3. Click on the server name. 4. In the Port section, select the template from the Server Port Template drop-down list. To create one, click create. 5. Click Update. 6. When finished, click OK. USING THE CLI Enter the following command at the configuration level for the real port: [ no] template port template-name Binding a Virtual Server Template to a Virtual Server USING THE GUI 1. Select Config >Service >SLB. 2. Click Virtual Server on the menu bar. 3. Click on the virtual server name. 4. Select the template from the Virtual Server Template drop-down list. To create one, click create. 5. When finished, click OK. USING THE CLI Enter the following command at the configuration level for the virtual server: [ no] template virtual-server template-name P e r f o r m a n c e b y D e s i g n 369 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Applying a Server or Service Port Template Binding a Virtual Server Port Template to a Virtual Service Port USING THE GUI 1. Select Config >Service >SLB. 2. Click Virtual Server on the menu bar. 3. Click on the virtual server name. 4. In the Port section, select the port and click Edit. 5. Select the template from the Virtual Server Port Template drop-down list. 6. Click OK. 7. When finished, click OK. USING THE CLI Enter the following command at the configuration level for the virtual ser- vice port: [ no] template virtual-port template-name Binding a Server Port Template to a Service Group USING THE GUI 1. Select Config >Service >SLB. 2. Click Service Group on the menu bar. 3. In the Server section, select the server port template from the Server Port Template drop-down list. 4. Click OK. 370 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Connection Limiting USING THE CLI At the configuration level for the service group, use the template tem- plate-name option with the member command: [ no] member server-name:portnum [ disable | enable] [ priority num] [ template port template-name] Connection Limiting By default, the AX device does not limit the number of concurrent connec- tions on a server or service port. If certain servers or services are becoming oversaturated, you can set a connection limit. The AX device stops sending new connection requests to a server or port when that server or port reaches its maximum allowed number of concurrent connections. Connection Limit Parameters To configure connection limits, you can set the following parameters : Connection limit Specifies the maximum number of concurrent con- nections allowed on a server or port. You can specify 0-8000000 (8 mil- lion). By default, the connection limit is 8000000 (8 million). Connection resume threshold (real servers or ports only) Specifies the maximum number of connections the server or port can have before the AX device resumes use of the server or port. You can specify 1-1048575 (1 million) connections. Reset or Drop (virtual servers or virtual server ports only) Specifies the action to take for connections after the connection limit is reached on the virtual server or virtual server port. By default, excess connections are dropped. If you change the action to reset, the connections are reset instead. Logging By default, the AX device generates a log message when the connection limit is exceeded. Connection limiting can be set in real server templates, real port templates, virtual server templates, and virtual port templates. Note: If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection P e r f o r m a n c e b y D e s i g n 371 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Connection Limiting limiting configuration until the virtual server or port does not have any active connections. Setting a Connection Limit To set a connection limit in a server or port template, use either of the fol- lowing methods. USING THE GUI In the configuration section for the template: 1. Select the Connection Limit Status checkbox to display the configura- tion fields. 2. In the Connection Limit field, enter the maximum number of concurrent connections to allow on the server or port. 3. (Server or Server Port Templates only) In the Connection Resume, enter the maximum number of connections the server or port can have before the AX device resumes use of the server or port. 4. (Virtual Server or Virtual Server Port Templates only) Select the action to take for connections that occur after the limit is reached: Drop or Reset. 5. Click OK. USING THE CLI To set a connection limit using a server or server port template, use the fol- lowing command at the configuration level for the template: [ no] conn-limit max-connections [ resume connections] [ no-logging] To set a connection limit using a virtual server or virtual server port tem- plate, use the following command at the configuration level for the tem- plate: [ no] conn-limit max-connections [ reset] [ no-logging] 372 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Connection Rate Limiting CLI Example The following commands set the connection limit to 500,000 concurrent connections in a real server template, then bind the template to real servers: AX( conf i g) #slb template server rs-tmplt1 AX( conf i g- r ser ver ) #conn-limit 500000 AX( conf i g- r ser ver ) #exit AX( conf i g) #slb server rs1 10.1.1.99 AX( conf i g- r eal ser ver ) #template server rs-tmplt1 AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 10.1.1.100 AX( conf i g- r eal ser ver ) #template server rs-tmplt1 Connection Rate Limiting You can limit the rate at which the AX device is allowed to send new con- nections to servers or service ports. Note: Connection rate limiting is different from slow-start, which temporarily limits the number of new connections per second when TCP/UDP service comes up on a service port. See Slow-Start on page374. Connection Rate Limiting Parameters When you configure connection rate limiting, you can set the following parameters: Connection rate limit The connection rate limit specifies the maximum of new connections allowed on a server or service port. You can specify 1-1048575 connections. By default, the connection rate limit is not set. Interval The interval specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one- second intervals. Action for excess connections (virtual servers or virtual server ports only) The action specifies how the AX device responds to connection requests after the connection rate has been exceeded. The action can be to silently drop excess connections or to send a reset (RST) to client requesting the connection. The default action is to silently drop the excess connection requests. Logging By default, the AX device generates a log message when the connection rate limit is exceeded. When a server or service port reaches its connection limit, the AX device stops using the server or service port. P e r f o r m a n c e b y D e s i g n 373 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Connection Rate Limiting USING THE GUI In the configuration section for the template: 1. Select the Connection Rate Limit checkbox to activate the configuration fields. 2. Enter the connection rate limit in the field next to the checkbox. 3. Select the sampling interval: 100ms or 1 second. 4. Select the action to take for connections that exceed the limit: Drop or Reset. 5. (Virtual Server or Virtual Server Port Templates only) Select the action to take for connections that occur after the limit is reached: Drop or Reset. 6. Click OK. USING THE CLI To configure connection rate limiting for a real server or service port, use the following command at the configuration level for a server or server port template, and apply the template to the server or port: [ no] conn-rate-limit connections [ per {100ms | 1sec}] [ no-logging] The connections option specifies the maximum number of new connections allowed per interval. The per {100ms | 1sec} option specifies the interval. If you configure a limit for a server and also for an individual port, the AX device uses the lower limit. For example, if you limit new TCP connections to a real server to 5000 per second and also limit new HTTP connections to 1200 per second, the AX device limits connections to TCP port HTTP to 1200 per second. To configure connection rate limiting for a virtual server or service port, use the following command at the configuration level for a virtual server or vir- tual server port template, and apply the template to the virtual server or vir- tual server port: [ no] conn-rate-limit connections [ per {100ms | 1sec}] [ reset] [ no-logging] The reset option resets connections that occur after the limit is reached. By default, excess connections are dropped. To display connection rate limiting information, use the following com- mands: 374 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Slow-Start show slb server [ server-name] detail show slb virtual-server [ server-name] detail CLI Example The following commands configure connection rate limiting in a real server template, then bind the template to real servers. AX( conf i g) #slb template server rs-tmplt1 AX( conf i g- r ser ver ) #conn-rate-limit 50000 AX( conf i g- r ser ver ) #exit AX( conf i g) #slb server rs1 10.1.1.99 AX( conf i g- r eal ser ver ) #template server rs-tmplt1 AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 10.1.1.100 AX( conf i g- r eal ser ver ) #template server rs-tmplt1 Slow-Start The slow-start feature allows time for a server or real service port to ramp up after TCP/UDP service on a server is enabled, by temporarily limiting the total concurrent connections on the server or port. You can configure the slow-start parameters described in this section in real server templates and real port templates. Ramp-Up Parameters By default, slow-start allows a maximum of 128 new connections during the first 10 seconds. During each subsequent 10-second interval, the total num- ber of concurrent connections allowed to the server is doubled. Thus, during the first 20 seconds, the server is allowed to have a total of 256 concurrent connections. After 59 seconds, slow-start ends the ramp-up and no longer limits the number of concurrent connections. Table8 shows the default ramp-up. TABLE 9 Default Slow-Start Ramp-Up Number of Seconds After Server Restart Total Maximum Concurrent Connections Allowed After Server Restart 0-9 128 10-19 256 20-29 512 30-39 1024 P e r f o r m a n c e b y D e s i g n 375 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Slow-Start You can configure the following ramp-up parameters: Starting connection limit The starting connection limit is the maxi- mum number of concurrent connections to allow on the server or service port after it first comes up. You can specify from 1-4095 concurrent con- nections. The default is 128. Connection increment The connection increment specifies the amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the incre- ment: Scale factor (This is the default.) The scale factor is the number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the AX device increases the connection limit to 256 after the first ramp-up interval. The scale factor can be 2-10. The default is 2. Connection addition As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow. You can specify 1-4095 new connections. Ramp-up interval The ramp-up interval specifies the number of sec- onds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds. The default is 10 seconds. Ending connection limit The ending connection limit is the maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections. The default is 4096. Note: For the connection increment, you can specify a scale factor or a connec- tion addition. The ending connection limit must be higher than the starting connection limit. If a normal runtime connection limit is also configured on the server or port (for example, by Connection Limiting on page370), and the nor- mal connection limit is smaller than the slow-start ending connection 40-49 2048 50-59 4096 60+ Slow-start ends No limit TABLE 9 Default Slow-Start Ramp-Up (Continued) Number of Seconds After Server Restart Total Maximum Concurrent Connections Allowed After Server Restart 376 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Slow-Start limit, the AX device limits slow-start connections to the maximum allowed by the normal connection limit. Behavior When Slow Start Is Also Configured on the Real Server Itself Alternatively, you can enable slow-start on individual real servers. How- ever, the ramp-up settings on individual servers are not configurable. The settings are the same as the default ramp-up settings in server and port tem- plates. It is recommended to configure slow start only in a server template or port template, not on the real server. If you do configure slow-start both on the real server itself and in a real server template or real port template, the actual slow-start behavior can dif- fer from the behavior configured in the template. If slow start is configured on the real server and in a real server tem- plate, the slow-start settings on the real server are used and the settings in the template are ignored. It is recommended to configure slow start only in a real server template or real port template. If slow start is configured on the real server and in a real port template, the lower number of connections allowed by either of the configurations at a given interval is used. USING THE GUI In the configuration section for the real server template or real port tem- plate: 1. Select the Slow Start checkbox to activate the configuration fields. 2. Enter the starting connection limit in the field to the right of From. 3. Enter the connection increment method: Multiplying or Adding. 4. Enter the connection increment in the field next to the increment method you selected. 5. Enter the ramp-up interval in the Every field. 6. Enter the ending connection limit in the Till field. 7. Click OK. P e r f o r m a n c e b y D e s i g n 377 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Gratuitous ARPs for Subnet VIPs USING THE CLI To configure slow-start, use the following command at the configuration level for a real server or real service port: [ no] slow-start [ from starting-conn-per-second] [ times scale-factor | add conn-incr] [ every interval] [ till ending-conn-per-second] CLI Example The following commands enable slow start in a real server template, using the default settings, and bind the template to real servers. AX( conf i g) #slb template server rs-tmplt1 AX( conf i g- r ser ver ) #slow-start AX( conf i g- r ser ver ) #exit AX( conf i g) #slb server rs1 10.1.1.99 AX( conf i g- r eal ser ver ) #template server rs-tmplt1 AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 10.1.1.100 AX( conf i g- r eal ser ver ) #template server rs-tmplt1 Gratuitous ARPs for Subnet VIPs Virtual server templates have an option to enable gratuitous ARPs for all VIPs in a subnet VIP. (A subnet VIP is a range of VIPs created from a range of IP addresses within a subnet.) By default, the AX device sends gratuitous ARPs for only the first IP address in a subnet VIP. You can enable the AX device to send gratuitous ARPs for all the IP addresses within a subnet VIP. Note: This option applies only to VIPs that are created using a range of subnet IP addresses. The option has no effect on VIPs created with a single IP address. 378 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide TCP Reset Option for Session Mismatch USING THE GUI 1. Select Config >Service >SLB. 2. On the menu bar, select Template >Virtual Server. 3. Select the Subnet Gratuitous ARP checkbox. 4. Click OK. USING THE CLI To enable gratuitous ARPs for all VIPs in subnet VIPs, use the following command at the configuration level for the virtual server template used to configure the VIPs: subnet-gratuitous-arp CLI Example The following commands modify the default virtual server template to enable gratuitous ARPs for subnet VIPs. The change applies to all subnet VIPs that use the default template for virtual server configuration. AX( conf i g) #slb template virtual-server default AX( conf i g- vser ver ) #subnet-gratuitous-arp TCP Reset Option for Session Mismatch Virtual port templates have an option that enables sending of a TCP Reset (RST) in response to a session mismatch. A session mismatch occurs when the AX device receives a TCP packet for a TCP session that is not in the active session table on the AX device. This option is useful in cases where a session ages out or is deleted on the AX device, but the client does not receive a RST or FIN for the session. In this case, without a RST, the session could remain open on the client until the session ages out. P e r f o r m a n c e b y D e s i g n 379 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide TCP Reset Option for Session Mismatch When this option is enabled, TCP RSTs are sent in the cases listed in Table10. The option is disabled by default, which means the AX device does not send a RST in response to a session mismatch. You can enable the option in indi- vidual virtual port templates. Note: This option does not apply to sessions that are in the delete queue. If the AX device receives a packet for a session that has been moved to the delete queue, the AX device does not send a TCP RST. Instead, the AX device reactivates the session and allows it to age out normally. USING THE GUI To enable sending of TCP RSTs in response to a session mismatch, select the following option on the configuration page for the virtual port template: Reset Unknown Connection USING THE CLI To enable sending of TCP RSTs in response to a session mismatch, use the following command at the configuration level for a virtual port template: [ no] reset-unknown-conn TABLE 10 Processing When Session Is To Be Deleted Session Termination Method Packet Type Sent by Client or Server After Session Termination AX Response Session is terminated by FINs from client and server Any packet type other than SYN Maintain connection as long as there is traffic. When there is no traffic, remove the connection one second later. Session ages out Any packet type other than SYN Move session from delete queue back into active session table. 380 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide TCP Reset Option for Session Mismatch P e r f o r m a n c e b y D e s i g n 381 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Default Health Checks Health Monitoring AX Series devices can regularly check the health of real servers and service ports. Health checks ensure that client requests go only to available servers. Servers or ports that respond appropriately to health checks remain eligible to serve client requests. A server or port that does not respond appropriately to a health check is temporarily removed from service, until the server or port is healthy again. You can configure health methods on the AX device by configuring settings for the type of service you are monitoring. You also can configure health monitors externally using scripts and import the monitors for use by the AX device. Default Health Checks The AX device performs the following types of health checks by default: Layer 3 ping Every 5 seconds, the AX device sends an ICMP echo request (ping) addressed to the real servers IP address. The server passes the health check if it sends an echo reply to the AX device. If the server does not reply after the fourth attempt (the first attempt followed by 3 retries), the AX device sets the server state to DOWN. Layer 4 TCP Every 5 seconds, the AX device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if it replies to the AX device by sending a TCP SYN ACK. If the port does not reply after the fourth attempt, the AX device sets the port state to DOWN. Layer 4 UDP Every 5 seconds, the AX device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if it either does not reply, or replies with any type of packet except an ICMP Error message. If the port replies with an ICMP Error message, the AX device sets the port state to DOWN. The default ICMP, TCP, or UDP monitor is not used if you disable it on the server or port, or you apply a different monitor to the server or port. Note: For very large deployments (1000 or more servers), A10 Networks rec- ommends disabling the default Layer 3 health check, and using only Layer 4-7 health checks. (See Globally Disabling Layer 3 Health Checks on page420.) 382 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Health Method Timers Health Method Timers Health methods operate based on the following timers: Interval Number of seconds between health check attempts. Determination of the server or ports health is not made within the inter- val. Instead, determination of health is made after the server or port passes or fails one of the attempts (intervals), or the number of retries is exhausted. The default interval is 5 seconds. If you need to fine-tune this interval, you can change it to a value from 1-180 seconds. Timeout Number of seconds the AX device waits for a reply to a health check. If the AX device does not receive the expected reply by the end of the timeout, the AX device either sends the health check again (if there are retries left) or marks the server or service down. You can specify 1-12 seconds. The default is 5 seconds. The type of reply expected by the AX device depends on the monitor type. (See Health Method Types on page385.) Retries Maximum number of times the AX device will send the same health check to an unresponsive server or service before marking that server or service as down. You can specify 1-5. The default is 3. Up-Retry Number of consecutive times the device must pass the same periodic health check, in order to be marked Up. You can specify 1-10. The default is 1. (See Consecutive Health Checks Within a Health Check Period on page414.) Note: The timeout does not apply to externally configured health monitors. P e r f o r m a n c e b y D e s i g n 383 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Health Method Timers Health Check Operation The figures in this section show how health checking operates. Example When Server or Port Is Unresponsive Figure123 shows how health checking operates when the server or port is unresponsive. After each interval, the AX device immediately begins the next health check, because the next interval begins immediately after the previous attempt times out. In the figures, R indicates a retry. FIGURE 123 Health Checks Using Default Settings Server or Port Is Unresponsive 384 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Health Method Timers Example When Server or Port Is Responsive Figure124 shows how health checking operates when the server or port is responsive. The AX device begins the next health check when the next interval begins. Using the default interval value, the next interval begins within 5 seconds. FIGURE 124 Health Checks Using Default Settings Server or Port Responds P e r f o r m a n c e b y D e s i g n 385 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Health Method Types Health Method Types Table11 lists the internal health method types supported by the AX device. The health methods use the well-known port numbers for each application by default. You can change the port numbers and other options when you define the health methods. Multiple health method instances can be defined using the same method type and different parameters. Likewise, multiple health monitors can use the same health method to check different servers. When a health monitor is in use by a server, the monitor cannot be removed. Note: To configure a health monitor for Direct Server Return (DSR), see Con- figuring Health Monitoring of Virtual IP Addresses in DSR Deploy- ments on page394. 386 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Health Method Types TABLE 11 Internal Health Method Types Type Description Successful If... Configuration Required on Target Server DNS AX Series sends a lookup request for the specified domain name or server IP address. By default, recursion is allowed. The tested DNS server is allowed to send the health checks request to another DNS server if the tested server can not fulfill the request using its own database. Optionally, you can disable recursion. Server sends a reply with the expected status code (0 by default) and record type (A by default). You can configure the response code(s) and record type required for a successful health check. You can require the server to reply with specific status codes within the range 0-15. For health checks sent to a domain name, you can require the server to reply with one of the following record types: A IPv4 address record (the default) CNAME Canonical name record for a DNS alias SOA Start of authority record PTR Pointer record for a domain name MX Mail Exchanger record TXT Text string AAAA IPv6 address record (For more information, see Customizing DNS Health Mon- itors on page399.) Domain name in the lookup request must be in the servers database. FTP AX Series sends an FTP login request to the specified port. If anonymous login is not used, the username also must be speci- fied in the health check configu- ration. Server replies with FTP OK message or Password message. If the server sends the Password message, the AX Series sends the password specified in the health check configuration. In this case, the AX Series expects the server to reply with another OK message. Requested user name and password must be valid on the server. P e r f o r m a n c e b y D e s i g n 387 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Health Method Types HTTP / HTTPS AX Series sends an HTTP GET, HEAD, or POST request to the specified TCP port and URL. GET requests the entire page. HEAD requests only the meta-information in the header. POST attempts to write infor- mation to the server. For POST requests, you must specify the target field names and the values to post. (For more information, see Con- figuring POST Requests in HTTP/HTTPS Health Moni- tors on page396.) If a user name and password are required to access the page, they also must be specified in the health check configuration. By default, the real servers IP address is placed in the request headers Host: field. You can configure a different value if needed. The following types of authenti- cation are supported: basic, digest and NT LAN Manager (NTLM) authentication. If you specify a username and pass- word, the health monitor will try to use basic authentication first. If this try succeeds, the authenti- cation process is complete. Oth- erwise, the health monitor will negotiate with the server to select another authentication method, and retry the health check using that authentication method. Server replies with OK message (200), by default. You can con- figure the response code(s) and record type required for a suc- cessful health check. For GET requests, the server also must reply with the requested content or meta-infor- mation in the page header. The response must include the string specified in the Expect field on the AX Series. For HEAD requests, the AX Series ignores the Expect field and only checks for the server reply message. For POST operations, the data must be posted without error. Requested page (URL) must be present on the server. For GET requests, the string specified as the expected reply must be present. For POST operations, the field names specified in the health check must be present on the requested page. For HTTPS health checks, SSL support must be enabled on the server. A certificate does not need to be installed on the AX device. The AX device always accepts the server certificate presented by the server. ICMP AX Series sends an ICMP echo request (ping) to the server. Note: This is a Layer 3 health check only. Use the other method types to check the health of a specific application. Server replies with an ICMP echo reply message. Server must be configured to reply to ICMP echo requests. TABLE 11 Internal Health Method Types (Continued) Type Description Successful If... Configuration Required on Target Server 388 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Health Method Types LDAP AX Series sends an LDAP request to the LDAP port. Optionally, the request can be directed to a specific Distin- guished Name. Optionally, SSL can be enabled for the health check. The AX Series also must send a valid password, if one is required by the server. Server sends a reply containing result code 0. If a Distinguished Name and password are sent in the health check, they must match these values on the LDAP server. A certificate does not need to be installed on the AX Series. The AX Series always accepts the server certificate pre- sented by the server. NTP AX Series sends an NTP client message to UDP port 123. Server sends a standard NTP 48-byte reply packet. NTP service must be running. POP3 AX Series sends a POP3 user login request with the specified user parameter. Server replies with an OK mes- sage. The AX Series then sends the password specified in the health check configuration. The AX Series expects the server to reply with another OK message. Requested user name and password must be valid on the server. RADIUS AX Series sends a Password Authentication Protocol (PAP) request to authenticate the user name and password specified in the health check configuration. Server sends Access Accepted message (reply code 2). Requested user name and password must be configured in the servers user database. Likewise, the shared secret sent in the health check must be valid on the server. RTSP AX Series sends a request for information about the file speci- fied in the health check configu- ration. Server replies with information about the specified file. The file must be present on the RTSP server. SIP AX Series sends a SIP OPTION request or REGISTER request. Server replies with 200 - OK. None. SMTP AX Series sends an SMTP Hello message. Server sends an OK message (reply code 250). Server recognizes and accepts the domain of sender. If SMTP service is running and can reply to Hello messages, the server can pass the health check. SNMP AX Series sends an SNMP Get or Get Next request to the speci- fied OID, from the specified community. Server replies with the value of the OID. Requested OID and the SNMP community must both be valid on the server. TABLE 11 Internal Health Method Types (Continued) Type Description Successful If... Configuration Required on Target Server P e r f o r m a n c e b y D e s i g n 389 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Health Method Types TCP AX Series sends a connection request (TCP SYN) to the speci- fied TCP port on the server. Server replies with a TCP SYN ACK. By default, the AX device com- pletes the TCP handshake with the server: AX -> Server SYN -> <- SYN-ACK ACK -> FIN-ACK -> <- FIN-ACK ACK -> To configure the AX device to send a RST (Reset) instead of sending the first ACK, enable the Halfopen option. In this case, the health check is performed as follows: SYN -> <- SYN-ACK RST -> Destination TCP port of the health check must be valid on the server. UDP AX Series sends a packet with a valid UDP header and a garbage payload to the specified UDP port on the server. Server does either of the follow- ing: Replies from the specified UDP port with any type of packet. Does not reply at all. The server fails the health check only if the server replies with an ICMP Error message. Destination UDP port of the health check must be valid on the server. TABLE 11 Internal Health Method Types (Continued) Type Description Successful If... Configuration Required on Target Server 390 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method Protocol Port Numbers Tested by Health Checks If you specify the protocol port number to test in a health monitor, the proto- col port number configured in the health monitor is used if you send an on- demand health check to a server without specifying the protocol port. (See On-Demand Health Checks on page416.) After you bind the health monitor to a real server port, health checks using the monitor are addressed to the real server port number instead of the port number specified in the health monitors configuration. In this case, you can override the IP address or port using the override options described in Overriding the Target IP Address or Protocol Port Number on page402. Configuring and Applying a Health Method 1. Create a new health monitor and configure its settings for the type of service you are monitoring. If you created the monitor externally with a script, import the script. 2. Apply the monitor to the real server (for Layer 3 checks) or service port. You can apply a health monitor to a server or port in either of the follow- ing ways: Apply the health monitor to a server or port template, then bind the template to the server or port. Apply the health monitor directly to the individual server or port. USING THE GUI To configure an internal monitor 1. Select Config >Service >Health Monitor. 2. Select Health Monitor on the menu bar. 3. Click Add. 4. In the Health Monitor section, enter a name for the monitor. 5. In the Method section, select the monitor type from the Type drop-down list. The rest of the configuration fields change depending on the moni- tor type. (See Health Method Types on page385.) 6. Enter or select settings for the monitor. 7. Click OK. The new monitor appears in the Health Monitor table. P e r f o r m a n c e b y D e s i g n 391 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method To import an externally configured monitor 1. Create a script for the monitor. (For an example, see Using External Health Methods on page428.) 2. In the AX management GUI, select Config >Service >Health Monitor. 3. Select External Program on the menu bar. 4. Click Add. 5. Enter a name and description for the external health method. 6. Copy and paste the script into the Definition field. 7. Click OK. The method appears in the External Program table. To apply a Layer 3 health monitor to a real server template 1. Select Config >Service >SLB. 2. On the menu bar, select Template >Server. 3. To edit an existing template, click on the template name. To create a new template, click Add. The Server Template section appears. 4. Select the health monitor from the Health Monitor drop-down list. 5. Configure other settings if needed. (See Server and Port Templates on page361.) 6. Click OK. To apply a health monitor to a real service port template 1. Select Config >Service >SLB. 2. On the menu bar, select Template >Server Port. 3. To edit an existing template, click on the template name. To create a new template, click Add. The Server Port Template section appears. 4. Select the health monitor from the Health Monitor drop-down list. 392 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method 5. Configure other settings if needed. (See Server and Port Templates on page361.) 6. Click OK. To apply the monitor to an individual real server or service port 1. Select Config >Service >SLB. 2. On the menu bar, select Server. 3. Select the server or click Add to create a new one. 4. To apply a Layer 3 health monitor to the server, select the health monitor from the Health Monitor drop-down list in the General section. 5. To apply a health monitor to a service port: a. In the Port section, click the checkbox next to the service port to select it. b. Select the health monitor from the Health Monitor drop-down list in the Port section. c. Click Update. 6. Enter or change other settings if needed. 7. Click OK. To apply a Layer 3 health monitor to a service group 1. Select Config >Service >SLB. 2. On the menu bar, select Service Group. 3. Select the service group or click Add to create a new one. 4. Select the health monitor from the Health Monitor drop-down list in the Service Group section. 5. Enter or change other settings if needed. 6. Click OK. (For more information about how health monitors are used when applied to service groups, see Service Group Health Checks on page406.) P e r f o r m a n c e b y D e s i g n 393 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method USING THE CLI To configure an internal monitor 1. Use the following command at the global configuration level of the CLI: health monitor monitor-name [ interval seconds | retry number | timeout seconds] If you enter the monitor-name without any of the timer options, the CLI changes to the configuration level for the monitor. If you enter any of the timer options, the timer value is changed instead. 2. At the configuration level for the monitor, use the following command to specify the method to use: [ no] method method-name The method-name can be one of the types listed in Health Method Types on page385. Also see that section for additional options you can specify. For syntax information, see the Config Commands: SLB Health Monitors chapter in the AX Series CLI Reference. To import an externally configured monitor 1. Create a Tcl script for the monitor. (For an example, see Using Exter- nal Health Methods on page428.) 2. At the global configuration level of the AX CLI, use the following com- mand to import the monitor script: health external import [ description] url The url specifies the file transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to dis- play a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL: tftp://host/program-name ftp://[ user@] host[ :port] /program-name scp://[ user@] host/program-name rcp://[ user@] host/program-name 394 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method 3. Create a new health monitor to use the script by entering the following command at the global config level: health monitor monitor-name This command changes the CLI to the configuration level for the new health monitor. 4. At the configuration level for the monitor, use the following command to associate the script with the new monitor: method external [ port port-num] program program- name [ arguments argument-string] For port-num, specify the service port number on the real server. To apply the health monitor to a real server template or real ser- vice port template Use the following command at the configuration level for the server tem- plate (if applying a monitor that uses the ping method) or at the configura- tion level for the service port template (for all other method types). health-check [ monitor-name] To apply the monitor to an individual real server or service port Use the following command at the configuration level for the server (if applying a monitor that uses the ping method) or at the configuration level for the service port (for all other method types). health-check [ monitor-name] Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments Layer 3 and Layer 4-7 health checks are supported in DSR configurations. The target of the Layer 3 health checks can be the real IP addresses of the servers, or the virtual IP address, depending on your preference. To send the Layer 3 health checks to the real server IP addresses, you can use the default Layer 3 health method (ICMP). To send the Layer 3 health checks to the virtual IP address instead: Configure an ICMP health method with the transparent option enabled, and with the alias address set to the virtual IP address. Globally enable DSR health checking. P e r f o r m a n c e b y D e s i g n 395 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method Layer 4-7 health checks are sent to the same IP address as the Layer 3 health checks, and then addressed to the specific protocol port. You can use the default TCP and UDP health monitors or configure new health monitors. This example uses the default TCP health monitor. Note: The following sections show how to configure Layer 3 health checking of virtual IP addresses and how to globally enable DSR health checking of virtual IP addresses. A complete DSR deployment requires additional configuration. See the examples in Network Setup on page73. USING THE GUI To configure a Layer 3 health method targeted to a virtual IP address: 1. Select Config >Service >Health Monitor. 2. Select Health Monitor on the menu bar. 3. Click New. The Health Monitor section appears. 4. Enter a name for the monitor. 5. Click Method. 6. In the Type drop-down list, select ICMP. 7. In the Mode drop-down list, select Transparent. 8. In the Alias Address field, enter the loopback address. 9. Click Apply or OK. To globally enable DSR health checking of virtual IP addresses: 1. Select Config >Service >Server >Global >Settings. 2. Select Enabled next to DSR Health Check. 3. Click Apply. 396 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method USING THE CLI To configure a Layer 3 health method targeted to a virtual IP address: Use the following commands: health monitor monitor-name [interval seconds | retry number | timeout seconds] Enter this command at the global Config level of the CLI. The CLI changes to the configuration level for the health method. method icmp transparent ipaddr For ipaddr, enter the virtual IP address. To globally enable DSR health checking of virtual IP addresses: Use the following command at the global Config level of the CLI: slb dsr-health-check-enable Configuring POST Requests in HTTP/HTTPS Health Monitors You can specify a POST operation in an HTTP or HTTPS health monitor. A POST operation attempts to post data into fields on the requested page. USING THE GUI 1. Select Config >Service >Health Monitor. 2. Click Add. 3. In the Health Monitor section, enter a name for the monitor in the Name field. 4. In the Method section, select HTTP or HTTPS from the Type drop- down list. Configuration fields for HTTP or HTTPS health monitoring options appear. 5. To configure an HTTP POST operation: a. Next to URL, select POST from the drop-down list. b. In the field next to the drop-down list, enter the URL path. P e r f o r m a n c e b y D e s i g n 397 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method c. In the Post Data field, enter the field names and values to be posted. In the postdata string, use = between a field name and the value you are posting to it. If you post to multiple fields, use & between the fields. For example: fieldname1=value&fieldname1=value. The string can be up to 255 bytes long. 6. Configure other settings as needed. 7. Click OK. FIGURE 125 HTTP Health Monitor with POST Operation USING THE CLI To configure an HTTP or HTTPS health monitor, use the following com- mands: [ no] health monitor monitor-name [ interval seconds] [ retry number] [ timeout seconds] [ up-retry num] 398 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method This command creates the health monitor, but does not configure the health method used by the monitor. If you enter the monitor-name without entering any other options, the CLI changes to the configuration level for the moni- tor. If you enter any of the timer options, the timer value is changed instead. At the configuration level for the health monitor, enter one of the following commands: [ no] method http [ port port-num] [ url {GET | HEAD} url-path | POST {url-path postdata string | / postfile filename}] [ host {ipv4-addr | ipv6-addr | domain-name} [ :port-num] ] [ expect {string | response-code code-list}] [ username name] or [ no] method https [ port port-num] [ url {GET | HEAD} url-path | POST {url-path postdata string | / postfile filename}] [ host {ipv4-addr | ipv6-addr | domain-name} [ :port-num] ] [ expect {string | response-code code-list}] [ username name] In the postdata string, use = between a field name and the value you are posting to it. If you post to multiple fields, use & between the fields. For example: postdata fieldname1=value&fieldname1=value. The string can be up to 255 bytes long. To use POST data longer than 255 bytes, you must import a POST data file and use the POST / postfile filename option. To import POST data file up to 2Kbytes long, use the following command at the global configuration level of the CLI: health postfile import filename P e r f o r m a n c e b y D e s i g n 399 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method CLI Examples The following commands configure an HTTP health method that uses a POST operation to post firstname=abc and lastname=xyz to /postdata.asp on the tested server: AX( conf i g) #health monitor http1 AX( conf i g- heal t h: moni t or ) #method http url POST /postdata.asp postdata first- name=abc&lastname=xyz The following commands import a file containing a large HTTP POST data payload (up to 2 Kbytes), and add the payload to an HTTP health monitor: AX( conf i g) #health postfile import long-post AX( conf i g) #health monitor http1 AX2000( conf i g- heal t h: moni t or ) #method http url post / postfile long-post expect def In this example, health checks that use this health monitor will send a POST request containing the data in postfile, and expect the string def in response. Customizing DNS Health Monitors The AX Series provides the following configurable options for DNS health monitors Expected response codes You can specify a list of response codes, in the range 0-15, that are valid responses to a health check. If the tested DNS server responds with any of the expected response codes, the server passes the health check. By default, the expect list is empty, in which case the AX device expects status code 0 (No error condition). Recursion setting (enabled or disabled) Recursion specifies whether the tested DNS server is allowed to send the health checks request to another DNS server if the tested server can not fulfill the request using its own database. Recursion is enabled by default. Record type expected from the server You can specify one of the fol- lowing record types: A IPv4 address record CNAME Canonical name record for a DNS alias SOA Start of authority record PTR Pointer record for a domain name MX Mail Exchanger record TXT Text string AAAA IPv6 address record 400 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method By default, the AX device expects the DNS server to respond to the health check with an A record. USING THE GUI 1. Select Config >Service >Health Monitor. 2. Click Add. 3. In the Health Monitor section, enter a name for the monitor in the NAme field. 4. In the Method section, select DNS from the Type drop-down list. Con- figuration fields for DNS health monitoring options appear. 5. If the DNS server to be tested does not listen for DNS traffic on the default DNS port (53), edit the port number in the Port field. 6. To test a specific server, click IP Address and enter the address in the IP Address field. Otherwise, to test based on a domain name sent in the health check, leave Domain selected and enter the domain name in the Domain field. 7. If you left Domain selected, select the record type the server is expected to send in reply to health checks. Select the record type from the Type drop-down list. 8. If you do not want to allows recursion, select Disabled next to Recur- sion. 9. To specify the response codes that are valid for passing a health check, enter the codes in the Expect field. To specify a range, use a dash. Sepa- rate the codes (and code ranges) with commas. 10. Click OK. P e r f o r m a n c e b y D e s i g n 401 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method FIGURE 126 DNS Health USING THE CLI To configure a DNS health monitor, use the following commands: [ no] health monitor monitor-name [ interval seconds] [ retry number] [ timeout seconds] [ up-retry num] This command creates the health monitor, but does not configure the health method used by the monitor. If you enter the monitor-name without entering any other options, the CLI changes to the configuration level for the moni- tor. If you enter any of the timer options, the timer value is changed instead. At the configuration level for the health monitor, enter the following com- mand: 402 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method [ no] method dns {ipaddr | domain domain-name} [ expect response-code code-list | port port-num | recurse {enabled | disabled} | type {A | CNAME | SOA | PTR | MX | TXT | AAAA} ] CLI Example The following commands configure a DNS health monitor that sends a query for www.example.com, and expects an Address record and any of the following response codes in reply: 0, 1, 2, 3, or 5: AX( conf i g) #health monitor dnshm1 AX( conf i g- heal t h: moni t or ) #method dns domain www.example.com expect response- code 0-3,5 Overriding the Target IP Address or Protocol Port Number The AX device provides options to override the real server IP address or protocol port number to which health checks are addressed. By default, the AX device sends a Layer 3 health check to the IP address used in the real server configuration. Likewise, the AX device sends Layer 4-7 health checks to the real port number in the real servers configuration. For GSLB service IPs, the AX device sends the health check to the service IP address. For example, if the configuration has a Layer 3 health monitor used by service IPs 192.168.100.100-102, the AX device addresses the health checks those IP addresses. You can specify an override IP address or protocol port number in the health monitor. In this case, the AX device always addresses the health check to the override address or port. This option is particularly useful for testing the health of a remote link, as in the following example. P e r f o r m a n c e b y D e s i g n 403 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method FIGURE 127 Example of Health-check Address Override In this example, the real servers managed by the site AX are configured as service IPs 192.168.100.100-102 on the GSLB AX. The health-check met- ric is enabled in the GSLB policy, so health checks are needed to verify that the service IPs are healthy. One way to do so is to check the health of the ISP link connected to the site AX device. Because the GSLB AX device is deployed in route mode instead of trans- parent mode, the transparent option for ICMP health monitors can not be used to check the remote end of the path. In this case, the health monitor can be configured with an override IP address, 192.168.1.1, to check the health of the ISP link to the site where the servers are located. When the AX device in this example uses the health monitor to check the health of a service IP, 404 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method the device addresses the health check to 192.168.1.1, the override address, instead of addressing the health check to the service IP addresses. Override Parameters You can independently configure any of the following override parameters for a health monitor: Target IPv4 address Target IPv6 address Target Layer 4 protocol port number The override is used only if applicable to the method (health check type) and the target. An IP address override is applicable only if the target has the same address type (IPv4 or IPv6) as the override address. A protocol port override is applicable to all health methods except ICMP. If the protocol port number is explicitly configured for the method, the over- ride port number is still used instead. USING THE GUI 1. Select Config >Service >Health Monitor. 2. Click on the health monitor name or click Add to create a new one. 3. For an ICMP health monitor: a. Leave ICMP selected in the Type drop-down list. b. Enter the target IP address of the health monitor, in the Override IPv4 or Override IPv6 field. 4. For other health methods, select the type, then enter the target protocol port number in the Override Port field. 5. Click OK. The health monitor list re-appears. USING THE CLI Use one of the following commands at the configuration level for the health monitor: [ no] override-ipv4 ipaddr [ no] override-ipv6 ipv6addr [ no] override-port portnum P e r f o r m a n c e b y D e s i g n 405 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring and Applying a Health Method The following commands configure a health monitor for the service IPs shown in Figure127 on page403, and apply the monitor to the service IPs. AX( conf i g) #health monitor site1-hm AX( conf i g- heal t h: moni t or ) #method icmp AX( conf i g- heal t h: moni t or ) #override-ipv4 192.168.1.1 AX( conf i g- heal t h: moni t or ) #exit AX( conf i g) #gslb service-ip gslb-srvc1 192.168.100.100 AX( conf i g- gsl b ser vi ce- i p) #health-check site1-hm AX( conf i g- gsl b ser vi ce- i p) #exit AX( conf i g) #gslb service-ip gslb-srvc2 192.168.100.101 AX( conf i g- gsl b ser vi ce- i p) #health-check site1-hm AX( conf i g- gsl b ser vi ce- i p) #exit AX( conf i g) #gslb service-ip gslb-srvc3 192.168.100.102 AX( conf i g- gsl b ser vi ce- i p) #health-check site1-hm Basing a Ports Health Status on Another Ports Health Status You can configure the AX device to base a real ports health status on the health status of another port number. Both the real port and the port to use for the real ports health status must be the same type, TCP or UDP. USING THE GUI 1. Navigate to the configuration page for the real server. 2. In the port configuration section, select the Follow Port radio button. 3. Enter the port number of the TCP or UDP port upon which to base the health of the real port. 4. Select the Layer 4 protocol of the port to use for health checking, TCP or UDP. USING THE CLI Use the following command at the configuration level for the real port: [ no] health-check follow-port port-num 406 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Group Health Checks Service Group Health Checks You can assign a health monitor to a service group. This feature is useful in cases where the same server provides content for multiple, independent sites. When you use this feature, if a site is unavailable (for example, is taken down for maintenance), the server will fail the health check for that site, and clients will not be sent to the site. However, other sites on the same server will pass their health checks, and clients of those sites will be sent to the server. Figure128 shows an example. FIGURE 128 Service Group Health Checks In this example, a single server provides content for the following sites: www.media-rts.com www.media-tuv.com www.media-wxyz.com All sites can be reached on HTTP port 80 on the server. The health check configured on the port in the real server configuration results in the same health status for all three sites. All of them either are up or are down. P e r f o r m a n c e b y D e s i g n 407 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Group Health Checks In this case, if one of the sites is taken down for maintenance, the health sta- tus of that site will still be up, since the real port still responds to the health check configured on the port. You can configure the AX device to separately test the health of each site, by assigning each site to a separate service group, and assigning a separate Layer 7 health monitor to each of the service groups. In this case, if a site is taken down for maintenance, that site fails its health check while the other sites still pass their health checks, on the same real port. In this example, a separate HTTP health method is configured for each of the services. The health monitors test the health of a site by sending an HTTP request to a URL specific to the site. In this way, even though the servers HTTP port is up, a site will fail its health check if the URL requested by its health check is unavailable. Priority of Health Checks Service group health status applies only within the context of the service group. For example, a health check of the same port from another service group can result in a different health status, depending on the resource requested by the health check. Health checks can be applied to the same resource (real server or port) at the following levels: In a service group that contains the server and port as a member In a server or server port configuration template that is bound to the server or port Directly on the individual server or port In cases where health checks are applied at multiple levels, they have the following priority: 1. Health check on real server 2. Health check on real servers port 3. Health check on service group If a health check at the real server level (1) fails, the corresponding real server, real server port, and service group members are marked Down. However, if a health check on the service group level (3) fails, only that ser- vice group member in that service group is marked Down. To assign a health monitor to a service group, use either of the following methods. 408 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Group Health Checks USING THE GUI In the Service Group configuration section, select the monitor from the Health Monitor list or click create to create a new one and select it. USING THE CLI Use the following command at the configuration level for the service group: [ no] health-check monitor-name CLI Example The commands in this section implement the configuration shown in Figure128. The following commands configure the health monitors for each site on the server: AX( conf i g) #health monitor qrs AX( conf i g- heal t h: moni t or ) #method http url GET /media-qrs/index.html AX( conf i g- heal t h: moni t or ) #exit AX( conf i g) #health monitor tuv AX( conf i g- heal t h: moni t or ) #method http url GET /media-tuv/index.html AX( conf i g- heal t h: moni t or ) #exit AX( conf i g) #health monitor wxyz AX( conf i g- heal t h: moni t or ) #method http url GET /media-wxyz/index.html AX( conf i g- heal t h: moni t or ) #exit The following commands configure the real server: AX( conf i g) #slb server media-rs 10.10.10.88 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit P e r f o r m a n c e b y D e s i g n 409 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Disable Following Failed Health Check The following commands configure the service groups: AX( conf i g) #slb service-group qrs tcp AX( conf i g- sl b svc gr oup) #member media-rs:80 AX( conf i g- sl b svc gr oup) #health-check qrs AX( conf i g- sl b svc gr oup) #exit AX( conf i g) #slb service-group tuv tcp AX( conf i g- sl b svc gr oup) #member media-rs:80 AX( conf i g- sl b svc gr oup) #health-check tuv AX( conf i g- sl b svc gr oup) #exit AX( conf i g) #slb service-group wxyz tcp AX( conf i g- sl b svc gr oup) #member media-rs:80 AX( conf i g- sl b svc gr oup) #health-check wxyz AX( conf i g- sl b svc gr oup) #exit The following commands configure the virtual servers: AX( conf i g) #slb virtual-server media-qrs 192.168.1.10 AX( conf i g- sl b vser ver ) #port 80 http AX( conf i g- sl b vser ver - vpor t ) #service-group qrs AX( conf i g- sl b vser ver - vpor t ) #exit AX( conf i g- sl b vser ver ) #exit AX( conf i g) #slb virtual-server media-tuv 192.168.1.11 AX( conf i g- sl b vser ver ) #port 80 http AX( conf i g- sl b vser ver - vpor t ) #service-group tuv AX( conf i g- sl b vser ver - vpor t ) #exit AX( conf i g- sl b vser ver ) #exit AX( conf i g) #slb virtual-server media-wxyz 192.168.1.12 AX( conf i g- sl b vser ver ) #port 80 http AX( conf i g- sl b vser ver - vpor t ) #service-group wxyz AX( conf i g- sl b vser ver - vpor t ) #exit AX( conf i g- sl b vser ver ) #exit Disable Following Failed Health Check You can configure the AX device to disable a server, port, or service group if the server, port, or service group fails a health check. This option applies to all servers, ports, or service groups that use the health monitor. When a server, port, or service group is disabled based on this command, the server, port, or service groups state is changed to disable in the running-config. If you save the configuration while the server, port, or service group is disabled, the state change is written to the startup-config. 410 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide In-Band Health Monitoring The AX device also generates a log message to indicate that the server, port, or service group is disabled. The server, port, or service group remains disabled until you explicitly enable it. This option is disabled by default. (A server, port, or service group that uses the health monitor is not disabled if it fails a health check.) USING THE GUI 1. Select Config >Service >Health Monitor. 2. On the menu bar, select Health Monitor, if not already selected. 3. Click on the health monitor name or click Add to create a new one. 4. Select the Disable After Down checkbox. 5. When finished configuring the health monitor, click OK. USING THE CLI Use the following command at the configuration level for the health moni- tor: [ no] disable-after-down In-Band Health Monitoring In-band health checks are an optional supplement to the standard Layer 4 health checks. In-band health checks assess service port health based on cli- ent-server traffic, and can very quickly send a clients traffic to another server and port if necessary. An in-band health check can also mark a port down. In the current release, in-band health monitoring is supported for the follow- ing service types: TCP HTTP HTTPS P e r f o r m a n c e b y D e s i g n 411 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide In-Band Health Monitoring Relationship To Standard Layer 4 Health Monitoring The in-band health check works independently of and supplements the stan- dard Layer 4 health check. For example, for TCP, the standard health check works as follows by default: Every 30 seconds, the AX device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the AX device by sending a TCP SYN ACK. This is the same Layer 4 health check available in previous releases and has the same defaults. In-band health monitoring works as described below. Note: A10 Networks recommends that you continue to use standard Layer 4 health monitoring even if you enable in-band health monitoring. Without standard health monitoring, a server port marked down by an in-band health check remains down. How In-Band Layer 4 Health Monitoring Works In-band health monitoring for services on TCP watches client-server SYN handshake traffic, and increments the following counters if the server does not send a SYN ACK in reply to a SYN: Retry counter Each client-server session has its own retry counter. The AX device increments a sessions retry counter each time a SYN ACK is late. If the retry counter exceeds the configured maximum number of retries allowed, the AX device sends the next SYN for the session to a different server. The AX device also resets the retry counter to 0. You can set the retry counter to 0-7 retries. The default is 2 retries. Reassign counter Each real port has its own reassign counter. Each time the retry counter for any session is exceeded, the AX device incre- ments the reassign counter for the server port. If the reassign counter exceeds the configured maximum number of reassignments allowed, the AX device marks the port DOWN. In this case, the port remains DOWN until the next time the port suc- cessfully passes a standard health check. Once the port passes a standard health check, the AX device starts using the port again and resets the reassign counter to 0. You can set the reassign counter to 0-255 reassignments. The default is 25 reassignments. In-band health monitoring is disabled by default. 412 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide In-Band Health Monitoring Logging and Traps When the AX device marks a server port down, the device generates a log message and an SNMP trap, if logging or SNMP traps are enabled. The message and trap are the same as those generated when a server port fails a standard health check. However, you can discern whether the port was marked down due to a failed in-band health check or standard health check, based on the module name listed in the message. A10LB The port was marked down by an in-band health check. A10HM The port was marked down by a standard health check. Here is an example of a log message generated from each module: Sep 08 2008 17: 15: 04 I nf o A10LB SLB ser ver s- 3- 2- 1 ( 10. 3. 2. 1) por t 80 i s down. Sep 08 2008 17: 15: 04 I nf o A10HM SLB ser ver s- 3- 2- 1 ( 10. 3. 2. 1) por t 80 i s down. In-band health monitoring does not mark ports up. Only standard health monitoring marks ports up. So messages and traps for server ports coming up are generated only by the A10HM module. Configuring In-Band Health Monitoring To configure in-band health monitoring: 1. Enable the feature in a server port template. 2. Bind the port template to real server ports, either directly or in a service group. USING THE GUI To configure in-band health monitoring in server port template: 1. Select Config >Service >SLB. 2. On the menu bar, select Template >Server Port. 3. Click on the template name or click Add to create a new one. 4. Select Inband Health Check in the Server Port section. 5. In the Retry field, enter the number of retries allowed. 6. In the Reassign field, enter the number of reassignments allowed. P e r f o r m a n c e b y D e s i g n 413 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide In-Band Health Monitoring 7. Enter other parameters as needed (for example, the template name, if you are creating a new template). 8. Click OK. To bind the template to a server port, see Binding a Server Port Template to a Real Server Port on page368. USING THE CLI To configure in-band health monitoring, use the following command at the configuration level for the server port template: [ no] inband-health-check [ retry maximum-retries] [ reassign maximum-reassigns] CLI Example The following commands enable in-band health monitoring in a server port template and bind the template to real ports on two real servers: AX( conf i g) #slb template port rp-tmplt2 AX( conf i g- r por t ) #inband-health-check AX( conf i g- r por t ) #exit AX( conf i g) #slb server rs1 10.1.1.99 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #template port rp-tmplt2 AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server rs2 10.1.1.100 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #template port rp-tmplt2 AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit 414 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Consecutive Health Checks Within a Health Check Period Consecutive Health Checks Within a Health Check Period You can configure the number of times the target device must consecutively reply to the same periodic health check in order to pass the health check. By default, a server or port needs to successfully reply to a given health check only one time in order to pass the health check. The server or port is then considered to be up until the next periodic health check. You can set the required number of consecutive passes to 1-10. You can configure this parameter on an individual health monitor basis. The setting applies to all health checks that are performed using the health mon- itor. USING THE GUI 1. Select Config >Service >Health Monitor. 2. Select Health Monitor on the menu bar. 3. Click on the monitor name or click Add to add a new one. 4. In the Health Monitor section, enter a name for the monitor (if new). 5. In the Consec Pass Reqd field, enter the number of consecutive times the target must pass the same periodic health check. 6. If new, in the Method section, select the monitor type from the Type drop-down list, and enter or select settings for the monitor. 7. Click OK. USING THE CLI Use the up-retry number option with the health-monitor command. P e r f o r m a n c e b y D e s i g n 415 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Maintenance Health Status for Servers in Persistence Configurations Maintenance Health Status for Servers in Persistence Configurations You can use the response to an HTTP or HTTPS health check to set a servers health status to Maintenance. When a servers health status is Maintenance, the server will accept new requests on existing cookie-persis- tent or source-IP persistent connections, but will not accept any other requests. To place a server into maintenance mode, configure an HTTP or HTTPS health method that includes a maintenance code. If the server replies to a health check with the code, the AX device changes the servers health status to Maintenance. To leave maintenance mode, the server must do one of the following: Successfully reply to a health check, but without including the mainte- nance code. In this case, the servers health status changes to Up. Fail a health check. In this case, the servers status changes to Down. The Maintenance health status applies to server ports and service-group members. When a ports status changes to Maintenance, this change applies to all service-group members that use the port. Note: This feature applies only to servers in cookie-persistence or source-IP persistence configurations, and can be used only for HTTP and HTTPS ports. USING THE GUI 1. Select Config >Service >Health Monitor. 2. On the menu bar, select Health Monitor, if not already selected. 3. Click on the health monitor name or click Add to create a new one. 4. In the Maintenance Code field, enter the response code to use to trigger the AX device to change the servers status to Maintenance. 5. When finished configuring the health monitor, click OK. 416 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide On-Demand Health Checks USING THE CLI Use the maintenance-code code-list option with one of the following com- mands at the configuration level for a health method: http options https options CLI Example The following commands configure a health monitor that places a server into maintenance mode if the server replies to a health check with code 601: AX( conf i g) #health monitor hm2 AX( conf i g- heal t h: moni t or ) #method http url GET / maintenance-code 601 expect 200 In this example, if the server replies with code 601, the server goes into maintenance mode, and stays there until the server either fails a health check (Down) or replies with code 200 (Up). On-Demand Health Checks You can easily test the health of a server or individual service at any time, using the default Layer 3 health monitor (ICMP ping) or a configured health monitor. USING THE GUI 1. Select Monitor >Service >Health Monitor. 2. Enter the IP address of the server to be tested in the IP Address field. 3. Select the health monitor to use from the Health Monitor drop-down list. 4. To test a specific service, enter the protocol port number for the service in the Port field. 5. Click Start. The status of the server or service appears in the Status message area. Note: If an override IP address and protocol port are set in the health monitor configuration, the AX device will use the override address and port, even if you specify an address and port when you send the on-demand health check. P e r f o r m a n c e b y D e s i g n 417 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide On-Demand Health Checks USING THE CLI To test the health of a server, use the following command at the EXEC, Privileged EXEC, or global configuration level of the CLI: health-test {ipaddr | ipv6 ipv6addr} [ count num] [ monitorname monitor-name] [ port portnum] The ipaddr | ipv6 ipv6addr option specifies the IPv4 or IPv6 address of the device to test. The count num option specifies the number of health checks to send to the device. You can specify 1-65535. The default is 1. The monitorname monitor-name option specifies the health monitor to use. The health monitor must already be configured. By default, the default Layer 3 health check (ICMP ping) is used. The port portnum option specifies the protocol port to test, 1-65535. By default, the protocol port number specified in the health monitor configura- tion is used. Note: If an override IP address and protocol port are set in the health monitor configuration, the AX device will use the override address and port, even if you specify an address and port when you send the on-demand health check. CLI Example The following command tests port 80 on server 192.168.1.66, using config- ured health monitor hm80: AX#health-test 192.168.1.66 monitorname hm80 node st at us UP. 418 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Enabling Strict Retries Enabling Strict Retries Some types of health monitors do not use the retry parameter by default. For these health monitors, the AX device marks the server or port Down after the first failed health check attempt, even if the retries option for the health monitor is set to higher than 0. For example, this is true for HTTP health monitors that expect a string in the server reply. If the servers HTTP port does not reply to the first health check attempt with the expected string, the AX device immediately marks the port Down. To force the AX device to wait until all retries are unsuccessful before marking a server or port down, enable strict retries. You can enable strict retries on an individual health monitor basis. USING THE GUI On the configuration page for the health monitor, select the Strictly Retry checkbox. USING THE CLI Use the following command at the configuration level for the health moni- tor: [ no] strictly-retry-on-server-error-response CLI Example The following commands configure an HTTP health monitor that checks for the presence of testpage.html, and enable strict retries for the monitor. AX( conf i g) #health monitor http-exhaust AX( conf i g- heal t h: moni t or ) #method http url GET /testpage.html AX( conf i g- heal t h: moni t or ) #strictly-retry-on-server-error-response P e r f o r m a n c e b y D e s i g n 419 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Globally Changing Health Monitor Parameters Globally Changing Health Monitor Parameters You can globally change the following health monitor parameters: Interval Number of seconds between health check attempts. Timeout Number of seconds the AX device waits for a reply to a health check. Retries Maximum number of times the AX device will send the same health check to an unresponsive server or service before marking that server or service as down. Up-Retry Number of consecutive times the device must pass the same periodic health check, in order to be marked Up. Globally changing a health monitor parameter changes the default for that parameter. For example, if you globally change the interval from 5 seconds to 10 seconds, the default interval becomes 10 seconds. If a parameter is explicitly set on a health monitor, globally changing the parameter does not affect the health monitor. For example, if the interval on health monitor hm1 is explicitly set to 20 seconds, the interval remains 20 seconds on hm1 regardless of the global setting. Note: Global health monitor parameter changes automatically apply to all new health monitors configured after the change. To apply a global health monitor parameter change to health monitors that were configured before the change, you must reboot the AX device. To globally change health monitor parameters, use the following command at the global configuration level of the CLI: health global { interval seconds | retry number | timeout seconds | up-retry number } You can change one or more parameters on the same command line. Note: To change a global parameter back to its factory default, use the health global form of the command and specify the parameter value to use. 420 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Globally Changing Health Monitor Parameters CLI Example The following command globally changes the default number of retries to 5: AX( conf i g) #health global retry 5 The following command globally changes the timeout to 10 seconds and default number of retries to 4: AX( conf i g) #health global timeout 10 retry 4 Globally Disabling Layer 3 Health Checks Layer 3 health checks (ICMP pings) are enabled by default. For very large deployments (1000 or more servers), A10 Networks recommends disabling the default Layer 3 health check, and using only Layer 4-7 health checks. To globally disable Layer 3 health checks, disable health monitoring in the server templates used to configure the servers. If you did not configure a customized server template, the default server template is used. Note: If a custom Layer 3 health monitor is enabled on an individual server, the health monitor is still used. USING THE GUI 1. Select Config >Service >SLB. 2. On the menu bar, select Template >Server. 3. Click on the name of the server template used to configure the servers. If you did not configure a server template, click default to edit the default server template. 4. Select the blank option from the Health Monitor drop-down list. (Do not leave default selected.) 5. Click OK. USING THE CLI At the global configuration level of the CLI, use the following command to access the configuration level for the server template: slb template server template-name P e r f o r m a n c e b y D e s i g n 421 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Compound Health Monitors Use the following command to disable Layer 3 health monitoring in the template: no health-check CLI Example The following commands disable Layer 3 health monitoring in the default server template: AX( conf i g) #slb template server default AX( conf i g- r ser ver ) #no health-check Compound Health Monitors Compound health monitors enable you to combine multiple health monitors into a compound health monitor. The AX device uses the combined results of the individual health monitors in the compound health monitor to deter- mine the health of the real server, port, or service group to which the com- pound health monitor is applied. Compound Health Monitor Syntax A compound health monitor consists of a set of health monitors joined in a Boolean expression (AND / OR / NOT). The CLI Boolean expression syntax is based on Reverse Polish Notation (also called Postfix Notation), a notation method that places an operator (AND, OR, NOT) after all of its operands (in this case, health monitors). After listing the health monitors, add the Boolean operator(s). The follow- ing operators are supported: AND Both the ANDed health checks must be successful for the health status to be Up. If either of the health checks is unsuccessful, the health status is Down. OR Either of the ORed health checks must be successful for the result to be Up. Even if one of the health checks is unsuccessful, the health sta- tus is still Up if the other health check is successful. If both of the health checks are unsuccessful, the health status is Down. NOT The health status is the opposite of the health check result. For example, if a health check is unsuccessful, the resulting health status is Up. Likewise, if the health check is successful, the resulting health sta- tus is Down. You can use NOT with a single health method, or with multiple health methods for more complex expressions. (See below.) 422 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Compound Health Monitors For example, to construct a health monitor that ANDs two health monitors, use the following syntax: method compound sub hm1 sub hm2 AND This is logically equivalent to the following expression: hm1 & hm2 Note: In the CLI, you must enter method compound at the beginning, and sub in front of each health-monitor name. In the GUI, do not enter method compound. The GUI automatically enters sub in front of each health monitor name when you select it. Note: The equivalent expressions are shown for clarity but are not valid syntax on the AX device. Similarly, to construct a health monitor that ORs two health monitors, use the following syntax: method compound sub hm1 sub hm2 OR This is logically equivalent to the following expression: hm1 | hm2 To construct a health monitor that results in an Up health status if the health check is unsuccessful, use the following syntax: method compound sub hm1 NOT This is logically equivalent to the following expression: ! hm1 To construct more complex expressions, you can enter multiple sets of health monitors and operators. Here is a quite complex expression: ( ! ( hm1 | ( hm2 & ( hm3 | ( ! hm4) ) ) ) ) | hm5 To configure this expression, use the following syntax: method compound sub hm1 sub hm2 sub hm3 sub hm4 NOT OR AND OR NOT sub hm5 OR Considerations A maximum of 8 sub monitors are supported in a compound monitor. To use more sub monitors, you can nest compound monitors. (See below.) The total number of sub monitors plus the number of Boolean operators supported in a compound monitor is 16. You can nest compound monitors. To nest compound monitors, config- ure a compound monitor, then use that compound monitor as a sub mon- itor in another compound monitor. The maximum nesting depth is 8. Nesting loops are not allowed. P e r f o r m a n c e b y D e s i g n 423 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Compound Health Monitors The timeout and interval parameters of a compound monitor must be set to values that allow each of the sub monitors to complete their health checks. If any of the sub modules is unable to complete its health check, the compound monitors result will always be Down. For example, if monitor1 gives a result after 2 seconds, but a compound monitor that uses monitor1 times out in 1 second, the resulting health status will always be Down, regardless of the Boolean expression. Compound health monitoring increases the workload of the health mon- itoring subsystem. For example, using a compound monitor with many submonitors against a service group with many members can affect sys- tem performance. USING THE GUI 1. Configure the sub monitors first. 2. Click Add on the health monitor list to begin configuration of a new monitor. 3. In the Method section, select Compound from the Type drop-down list. The Boolean Expression configuration controls appear. 4. Construct the Boolean expression: To enter a health monitor, click the radio button next to the list of health monitors, select the monitor, then click Add. To enter an operator, click the radio button next to the list of opera- tors, select the operator, then click Add. Note: Make sure to use Reverse Polish Notation. (See Compound Health Mon- itor Syntax on page421.) Otherwise, the GUI will display an error mes- sage when you click OK to complete the health monitor configuration. 5. Click OK to complete the configuration of the compound monitor. 424 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Compound Health Monitors FIGURE 129 Compound Health Monitor Configuration USING THE CLI To configure a compound health monitor, use the following command to add a Boolean expression at the configuration level for the monitor: [ no] method compound sub monitor-name [ sub monitor-name . . . ] Boolean-operators Note: Make sure to use Reverse Polish Notation. (See Compound Health Mon- itor Syntax on page421.) CLI Examples The following commands configure a compound health monitor in which both health checks must be successful in order for the resulting health status to be Up: AX( conf i g) #health monitor hm-compoundAND AX( conf i g- heal t h: moni t or ) #method compound sub hm1 sub hm2 AND AX( conf i g- heal t h: moni t or ) #exit P e r f o r m a n c e b y D e s i g n 425 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Displaying Health Status The following commands apply the health monitor to a service group: AX( conf i g) #slb service-group sg1 tcp AX( conf i g- sl b svc gr oup) #health-check hm-compoundAND The following commands configure a compound health monitor in which the resulting health status is Up if any one ore more of the health checks is successful: AX( conf i g) #health monitor hm-compoundOR AX( conf i g- heal t h: moni t or ) #method compound sub hm1 sub hm2 sub hm3 OR OR The following commands apply the health monitor to a service group: AX( conf i g) #slb service-group sg2 tcp AX( conf i g- sl b svc gr oup) #health-check hm-compoundOR Displaying Health Status The AX device begins sending health checks to a real servers IP address and service ports as soon as you finish configuring the server. You can dis- play health status for virtual servers and service ports, and for the real serv- ers and service ports used by the virtual server. To display health status, use either of the following methods. USING THE GUI To display the health of virtual servers and service ports: 1. Select Monitor >Overview >Status. The virtual servers are listed at the top of the page. The state of health of each virtual server is shown by an icon next to the virtual server name. 2. To display more specific health information for a virtual servers service ports, click on the virtual server name. Virtual server health status is also displayed in the virtual server list dis- played by Config >Service >SLB >Virtual Server. For information about the virtual server health state icons, see the Monitor >Overview>Status section in the Monitor Mode chapter of the AX Series GUI Reference. 426 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Displaying Health Status To display the health of real servers and service ports: 1. Select Monitor >Service >Server. 2. On the menu bar, select Server. The state of health of each real server is shown by an icon next to the server name. 3. To display more specific health information for a real servers service ports, click on the server name. Real server health status is also displayed in the real server list displayed by Config >Service >SLB >Server. For information about the real server health state icons, see the Monitor >Service>Server section in the Monitor Mode chapter of the AX Series GUI Reference. USING THE CLI To display the health of virtual servers and service ports: Use the following command. The health is shown in the State field. For descriptions of each health state, see the AX Series CLI Reference. show slb virtual-server virtual-server-name [ virtual-port-num service-type [ group-name] ] Here is an example: AX#show slb virtual-server "vs 1" Vi r t ual ser ver : vs 1 St at e: Down I P: 1. 1. 1. 201 Pr i Por t / St at e Cur r - conn Tot al - conn Rev- Pkt Fwd- Pkt - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Vi r t ual Por t : 80 / ser vi ce: svcgr p 1 / st at e: Down por t 80 t cp 1 ser ver 1: 80/ Down 0 0 0 0 Vi r t ual Por t : 1 / ser vi ce: / st at e: Unkn por t 1 t cp Per si st Sour ce I P: t mpl per si st sr ci p 1 Vi r t ual Por t : 2 / ser vi ce: / st at e: Unkn por t 2 t cp Per si st SSL sessi on I D: t mpl per si st ssl i d 1 P e r f o r m a n c e b y D e s i g n 427 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Displaying Health Status Vi r t ual Por t : 3 / ser vi ce: / st at e: Unkn por t 3 t cp Templ at e t cp t mpl t cp 1 Vi r t ual Por t : 4 / ser vi ce: / st at e: Unkn . . . To display the health of real servers and service ports: Use the following command. The health is shown in the State field. For descriptions of each health state, see the AX Series CLI Reference. show slb server [ server-name [ port-num] ] Here is an example: AX#show slb server Tot al Number of Ser vi ces conf i gur ed: 5 Cur r ent = Cur r ent Connect i ons, Tot al = Tot al Connect i ons Fwd- pkt = For war d packet s, Rev- pkt = Rever se packet s Ser vi ce Cur r ent Tot al Fwd- pkt Rev- pkt St at e - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - s1: 80/ t cp 0 0 0 0 Down s1: 53/ udp 0 0 0 0 Down s1: 85/ udp 0 0 0 0 Down s1: Tot al 0 0 0 0 Down . . . To display health monitoring statistics: Use the following command: show health stat Here is an example: AX#show health stat Heal t h moni t or st at i st i cs Tot al r un t i me: : 2 hour s 1345 seconds Number of bur st : : 0 Number of t i mer adj ust ment : : 0 Ti mer of f set : : 0 Opened socket : : 1140 Open socket f ai l ed: : 0 Cl ose socket : : 1136 Send packet : : 0 Send packet f ai l ed: : 259379 Recei ve packet : : 0 Recei ve packet f ai l ed : 0 428 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Using External Health Methods Ret r y t i mes: : 4270 Ti meout : : 0 Unexpect ed er r or : : 0 I P addr ess Por t Heal t h moni t or St at us Cause( Up/ Down/ Ret r y) PI N - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10. 10. 10. 99 def aul t Down 0 / 48 / 854 2 / 0 4. 4. 4. 4 def aul t Down 0 / 48 / 854 2 / 0 8. 4. 3. 2 def aul t Down 0 / 48 / 854 2 / 0 99. 99. 99. 99 def aul t Down 0 / 48 / 854 2 / 0 10. 10. 10. 88 def aul t Down 0 / 48 / 854 2 / 0 10. 10. 10. 88 80 qr s Down 0 / 34 / 0 2 / 0 For more information, see the AX Series CLI Reference. Using External Health Methods Besides internal health checks, which use a predefined health check method, you can use external health checks with scripts. The following types of scripts are supported: Perl Shell Tcl Utility commands such as ping, ping6, wget, dig, and so on are supported. Configuration To use an external health method: 1. Configure a health monitor script. 2. Import the script onto the AX device. 3. Configure a health monitor that uses external as the method. 4. In the server configuration, set the health check to use the method. P e r f o r m a n c e b y D e s i g n 429 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Using External Health Methods USING THE GUI To import an external health-check script onto the AX device: 1. Select Config >Service >Health Monitor. 2. On the menu bar, select External Program. 3. Click Add. 4. Enter a name and description for the script. 5. Copy-and-paste the script into the Definition field. 6. Click OK. To configure an external health monitor: 1. On the menu bar, select Health Monitor. 2. Click Add. 3. Enter a name for the monitor. 4. In the Method section, click External next to Method. 5. Select the script from the Program Name drop-down list. 6. Enter any arguments in the Arguments field. 7. In the Port field, enter the protocol port number. 8. Click OK. To configure a server to use the external health method: 1. Select Config >Service >SLB. 2. On the menu bar, select Server. 3. Click on the server name or click Add to create a new one. 4. If configuring a new server, enter the name and IP address, and other general parameters as applicable. 430 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Using External Health Methods 5. In the Port section: a. If adding a new port, enter the port number in the Port field. b. Select the external health monitor from the Health Monitor field. 6. Click OK. USING THE CLI To import an external health-check script onto the AX device: Use the following command at the global configuration level: health external import [use-mgmt-port] [ description] url To configure an external health monitor: Use the following command at the global configuration level: health monitor monitor-name This command changes the CLI to the configuration level for the monitor. At this level, use the following command: method method-name external [ port port-num] program program-name [ arguments argument-string] For program-name, use the same filename you used when you imported the script. To configure a server to use the external health method: Use the following command at the configuration level for the server: health-check monitor-name Script Examples TCL Script Example For Tcl scripts, the health check parameters are transmitted to the script through the predefined TCL array ax_env. The array variable ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the server port number. Set ax_env(Result) 0 as pass and set the others as fail. TCL script filenames must use the .tcl extension. P e r f o r m a n c e b y D e s i g n 431 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Using External Health Methods To use the external method, you must import the program onto the AX Series device. The script execution result indicates the server status, which must be stored in ax_env(Result). The following commands import external program ext.tcl from FTP server 192.168.0.1, and configure external health method hm3 to use the imported program to check the health of port 80 on the real server: AX( conf i g) #health external import "checking HTTP server" ftp://192.168.0.1/ ext.tcl AX( conf i g) #health monitor hm3 AX( conf i g- heal t h: moni t or ) #method external port 80 program ext.tcl Here is the ext.tcl file: # I ni t ser ver st at us t o "DOWN" set ax_env( Resul t ) 1 # Open a socket i f {[ cat ch {socket $ax_env( Ser ver Host ) $ax_env( Ser ver Por t ) } sock] } { put s st der r " $ax_env( Ser ver Host ) : $sock" } el se { f conf i gur e $sock - buf f er i ng none - eof char {} # Send t he r equest put s $sock " GET / 1. ht ml HTTP/ 1. 0\ n" # Wai t f or t he r esponse f r omht t p ser ver set l i ne [ r ead $sock] i f { [ r egexp "HTTP/ 1. . ( \ [ 0- 9\ ] +) " $l i ne mat ch st at us] } { put s " ser ver $ax_env( Ser ver Host ) r esponse : $st at us" # Check exi t code i f { $st at us == 200 } { # Set ser ver t o be " UP" set ax_env( Resul t ) 0 } } cl ose $sock } 432 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Using External Health Methods Perl Script Example For other external scripts (non-Tcl), environment variables are used to pass the server IP address (HM_SRV_IPADDR) and the port number (HM_SRV_PORT). The script returns 0 as pass and returns others as fail. For Perl scripts, use #! / usr / bi n/ per l at the beginning of the script. Here is an example using the Perl scripting language: #! / usr / bi n/ per l - w # Sampl e scr i pt f or checki ng Web ser ver my $host = $ENV{' HM_SRV_I PADDR' }; my $por t = 80; i f ( def i ned( $ENV{' HM_SRV_PORT' }) ) { $por t = $ENV{' HM_SRV_PORT' }; } # Use wget , exi t code i s zer o i f wget was successf ul . my @ar gs = qw( - O / dev/ nul l - o / dev/ nul l ) ; exec " wget " , " ht t p: / / $host : $por t " , @ar gs; # vi m: t w=78: sw=3: t abst op=3: aut oi ndent : expandt ab P e r f o r m a n c e b y D e s i g n 433 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Using External Health Methods Shell Script Example For Shell scripts, use #! / bi n/ bash at the beginning of the script. Here is an example using the Shell scripting language: #! / bi n/ bash i f t est " $HM_SRV_I PADDR" == " " ; t hen echo " Pl ease check ENV Var ' HM_SRV_I PADDR' " exi t 1 f i
echo - n " Test $HM_SRV_I PADDR . . . . " wget $HM_SRV_I PADDR - - del et e- af t er - - t i meout =2 - - t r i es=1 > / dev/ nul l 2>&1 r et =$? i f t est $r et == 0 ; t hen echo " OK" exi t 0 el se echo " Fai l " exi t 1 f i 434 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Using External Health Methods P e r f o r m a n c e b y D e s i g n 435 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Global Server Load Balancing This chapter describes Global Server Load Balancing (GSLB). Overview Global Server Load Balancing (GSLB) extends load balancing to global geographic scale. AX Series adds intelligence to DNS. GSLB evaluates the server IP addresses in DNS replies and changes the order of the addresses in the replies so that the best available host IP address is the preferred choice. AX Series GSLB provides the following key advantages: Protects businesses from down time due to site failures Ensures business continuity and applications availability Provides faster performance and improved user experience by directing users to the nearest site Increases data center efficiency and better return on investment by dis- tributing load to multiple sites Provides flexible policies for selecting fairness and distribution to multi- ple sites You can deploy GSLB in proxy mode or server mode. Proxy mode The AX device acts as a proxy for an external DNS server. Server mode The AX device directly responds to queries for specific service IP addresses in the GSLB zone. (The AX device still forwards other types of queries to the DNS server.) 436 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Figure130 shows an example of a GSLB configuration. FIGURE 130 GSLB Example (proxy mode) In this example, the GSLB AX device (the GSLB controller) globally load balances client requests for www.a10.com. The a10.com services reside on real servers at two sites. At each site, an AX device provides SLB for the real servers. On the GSLB AX device, the sites are grouped into a zone for the service. When a client sends a DNS lookup request for the IP address of www.a10.com, the GSLB AX device intercepts the request and sends the same request to the DNS server on behalf of the client. When the GSLB AX device receives the DNS reply, the device re-orders the IP addresses in the reply based on the results of site evaluation using the configured GSLB metrics. The GSLB AX device also makes other changes P e r f o r m a n c e b y D e s i g n 437 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview to the DNS reply, such as shortening the TTL of the IP Address records, if specified by the GSLB configuration. The GSLB AX device then sends the modified DNS reply to the client. When the client receives the DNS reply, the client then sends the HTTP request to the IP address that the GSLB AX device placed at the top of the IP address list in the DNS reply. Note: Here and elsewhere in A10 Networks user documentation, the IP addresses shown in figures and configuration examples are for illustration purposes only. When you configure a feature for your network, you will need to use the IP addresses that apply to your network. Note: An AX device becomes a GSLB AX device when you configure GSLB on the device and enable the GSLB protocol, for the controller function. The A10 Networks GSLB protocol uses port 4149. The protocol is regis- tered on this port for both TCP and UDP. Advantages of GSLB In standard DNS, when a client wants to connect to a host and has the host- name but not the IP address, the client sends a lookup request to its local DNS server. The local DNS server checks its local database. If the database contains an Address record for the requested host name, the DNS server sends the IP address for the host name back to the client. The client can then access the host. If the local DNS server does not have an Address record for the requested server, the local DNS server makes recursive queries to the root and intermediate DNS servers, which results in authoritative DNS server addresses. When a request reaches an authoritative DNS server, that DNS server sends a reply to the DNS query. The clients local DNS server then sends the reply to the client. The client now can access the requested host. In todays redundant data centers and multiple service provider sites, a host name can reside at multiple data centers or sites, with different IP addresses. When this is the case, the authoritative DNS server for the host sends multi- ple IP addresses in its replies to DNS queries. Standard DNS servers can provide only rudimentary load sharing for the addresses, using a simple round-robin algorithm to rotate the list of addresses for each query. Thus, the address that is listed first in the last reply sent by the DNS server is rotated to be the last address listed in the next reply, and so on. 438 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Zones, Services, and Sites GSLB operates on zones, services, and sites. Zones A zone is a DNS domain for GSLB and is called as GSLB zone. An AX device can be configured with one or more GSLB zones. Each zone can contain one or more GSLB sites. For example, mydomain.com is a domain. Services A service is an application; for example, HTTP or FTP. Each zone can be configured with one or more services. For example: www.mydomain.com is a service where www is the http service or an application. Sites A site is a server farm that is locally managed by an AX device that performs Server Load Balancing (SLB) for the site. GSLB Policy GSLB evaluates the service IP addresses listed in replies from DNS servers to clients, re-orders the addresses based on that evaluation, and sends the DNS replies to clients with the re-ordered IP address lists. As a result of this process, each client receives a DNS reply that has the best service IP address listed first. GSLB selects the best site IP address using a GSLB policy. A GSLB policy consists of one or more of the following metrics: 1. health-check Services that pass health checks are preferred. 2. weighted-ip Service IP addresses with higher administratively assigned weights are used more often than service IP addresses with lower weights. (See Weighted-IP and Weighted-Site on page440.) 3. weighted-site Sites with higher administratively assigned weights are preferred. Sites with higher administratively assigned weights are used more often than sites with lower weights. (See Weighted-IP and Weighted-Site on page440.) 4. session capacity Sites with more available sessions based on respec- tive maximum session capacity are preferred. 5. active-servers Sites with the most currently active servers are pre- ferred. 6. active-rtt Sites with faster round-trip-times for DNS queries and replies between a site AX device and the GSLB local DNS are pre- ferred. 7. passive-rtt Services with faster response times to clients are preferred. P e r f o r m a n c e b y D e s i g n 439 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview 8. geographic Services located within the clients geographic region are preferred. 9. connection-load Sites that are not exceeding their thresholds for new connections are preferred. 10. num-session Sites that are not exceeding available session capacity threshold compared to other sites are treated as having the same prefer- ence. 11. admin-preference The site with the highest administratively set prefer- ence is selected. 12. bw-cost Selects sites based on bandwidth utilization on the site AX links. 13. least-response Service IP addresses with the fewest hits are preferred. 14. ordered-ip Service IP addresses are administratively prioritized. The prioritized list is sent to the next metric for further evaluation. If ordered-ip is the last metric, the prioritized list is sent to the client. (See Ordered-IP on page440.) 15. round-robin Sites are selected in sequential order. (See Tie-Breaker on page440.) 16. alias-admin-preference Selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin Preference metric, but applies only to DNS CNAME records. 17. weighted-alias Prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to Weighted-IP, but applies only to DNS CNAME records. The health-check, geographic, and round-robin metrics are enabled by default. All other metrics are disabled by default. The GSLB AX device uses each enabled GSLB metric to select or eliminate service IP addresses, then passes the subset of addresses that pass the met- rics criteria to the next metric, and so on, to sort (re-order) the list of addresses. The GSLB AX device then replaces the IP address list in the DNS reply with the re-ordered list before sending the reply to the client. The metric order and the configuration of each metric are specified in a GSLB policy. Policies can be applied to GSLB zones and to individual ser- vices. The GSLB AX device has a default GSLB policy, named default, that is automatically applied to a zone or service, unless you configure and assign a different policy to the zone or service. Note: Metric order does not apply to the alias-admin-preference and weighted- alias metrics. When enabled, alias-admin-preference always has high pri- ority. 440 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Weighted-IP and Weighted-Site The weighted-ip and weighted-site metrics allow you to bias selection toward specific sites or IP addresses. GSLB selects higher-weighted sites or IP addresses more often than lower-weighted sites or IP addresses. For example, if there are two sites (A and B), and A has weight 2 whereas B has weight 4, GSLB will select site B twice as often as site A. Specifically, GSLB will select site B the first 4 times, and will then select site A the next 2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the next 2 times, then B is chosen the next 4 times, and so on. Note: If DNS caching is used, the cycle starts over if the cache aging timer expires. Ordered-IP Most metrics select a site or IP address as the best address. However, the ordered-ip metric does not select or eliminate sites or IP addresses. Instead, the ordered-ip metric re-orders the IP addresses based on the metrics con- figuration in the GSLB policy. If there are any more metrics after ordered-ip, the re-ordered list is sent to the next metric. If you plan to use the ordered-ip metric, you need to disable the round-robin metric. Otherwise, round-robin will be used as the tie-breaker and the ordered IP list will be ignored. Tie-Breaker If all the enabled metrics in the policy result in a tie (do not definitively select a single site as the best site), the AX device uses round-robin to select a site. This is true even if the round-robin metric is disabled in the GSLB policy. Note: If the last metric is ordered-ip, and round-robin is disabled, the prioritized list of IP addresses is sent to the client. Round-robin is not used. Health Checks The health-check metric checks the availability (health) of the real servers and service ports. Sites whose real servers and service ports respond to the health checks are preferred over sites in which servers or service ports are unresponsive to the health checks. P e r f o r m a n c e b y D e s i g n 441 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview GSLB supports health check methods for the following services: ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP, POP3, SNMP, DNS, RADIUS, LDAP, RTSP, SIP You can use the default health methods or configure new methods for any of these services. Note: By default, the GSLB protocol is used for health checking a service, if the protocol can reach the service. Otherwise, health checking is performed using standard network traffic instead. Health Check Precedence Health monitoring for a GSLB service can be performed at the following levels. 1. Gateway health check 2. Port health check 3. IP health check (Layer 3 health check of service IP) If the gateway health check is unsuccessful, the service IP is marked Down. If the gateway health check is successful, the port health check is used if ports are configured on the service IP. Otherwise, if no service ports are configured on the service IP, the Layer 3 health check is used. (For more information about health monitoring, see Health Monitoring on page381.) Geo-Location You can configure GSLB to prefer site VIPs for DNS replies that are geo- graphically closer to the clients. For example, if a domain is served by sites in both the USA and Asia, you can configure GSLB to favor the USA site for USA clients while preferring the Asian site for Asian clients. To configure geo-location: Leave the geographic GSLB metric enabled. Load geo-location data. You can load geo-location data from a file or manually configure individual geo-location mappings. Loading geo-location data from a file is simpler than manually configuring geo-location mappings, especially if you have more than a few GSLB sites. For more information, see Loading or Configuring Geo-Location Map- pings on page467. 442 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview The AX software includes an Internet Assigned Numbers Authority (IANA) database. The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is loaded (enabled) by default. CNAME Support As an extension to geo-location support, you can configure GSLB to send a Canonical Name (CNAME) record instead of an Address record in DNS replies to clients. A CNAME record maps a domain name to an alias for that domain. For example, you can configure aliases such as the following for domain a10.com, and associate the aliases with different geo-locations: www.a10.co.cn www.1.a10.com ftp.a10.com If a clients IP address is within a geo-location associated with www.1.a10.com, GSLB places a CNAME record for www.1.a10.com in the DNS reply to the client. To configure CNAME support: Configure geo-location as described above. In the GSLB policy, enable the following DNS options: dns cname-detect (enabled by default) dns geoloc-alias For individual services in the zone, configure the aliases and associate them with geo-locations. Alias-Admin-preference and Weighted-alias The Alias Admin Preference and Weighted Alias metrics can be used in DNS Proxy or DNS Server mode. Some additional policy options are required in either mode. DNS proxy Enable the geoloc-alias option. After GSLB retrieves the DNS response from the DNS answer, GSLB selects a DNS A record using IP metrics, then tries to insert the DNS CNAME record into the answer based on geo-location settings. While inserting the CNAME record, if the Alias metrics are enabled, GSLB may remove some CNAME records and related service IPs. DNS server Enable the geoloc-alias option. After receiving a DNS query, GSLB tries to insert a DNS CNAME record into the answer based on the geo-location settings. During insertion, if the Alias metrics are enabled, GSLB may remove some CNAME records. After finishing P e r f o r m a n c e b y D e s i g n 443 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview the CNAME records, GSLB tries to insert DNS A records by CNAME record. DNS server If applicable, enable the backup-alias option. If there is no DNS A record to return, GSLB tries to insert all backup DNS CNAME records. During insertion, if Alias metrics are enabled, GSLB may remove some CNAME records. No DNS A records are returned. This option also requires the dns-cname-record as-backup option on the service. DNS Options DNS options provide additional control over the IP addresses listed in DNS replies to clients. After the GSLB AX device uses the metrics to select and prioritize the IP addresses for the DNS reply, the AX device applies the enabled DNS options to the list. The following DNS options can be set in GSLB policies: dns action Enable GSLB to perform DNS actions specified in the serv- ice configurations. dns active-only Removes IP addresses for services that did not pass their health checks. dns addition-mx Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode. dns best-only Removes all IP addresses from DNS replies except for the address selected as the best address by the GSLB policy metrics. dns cache Caches DNS replies and uses them when replying to clients, instead of sending a new DNS request for every client query. dns cname-detect For IP addresses that have Canonical Name (CNAME) records, applies the GSLB policy to the CNAME record instead of the Address record. (This applies only if the CNAME records are for the zone and application requested by the DNS proxy on the GSLB AX device.) dns external-ip Returns the external IP address configured for a ser- vice IP. If this option is disabled, the internal address is returned instead. dns geoloc-action Performs the DNS traffic handling action specified for the clients geo-location. The action is specified as part of service configuration in a zone. dns geoloc-alias Replaces the IP address with its alias configured on the GSLB AX Series. 444 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview dns geoloc-policy Returns the alias name configured for the clients geo-location. dns ip-replace Replaces the IP addresses with the set of addresses administratively assigned to the service in the zone configuration. dns ipv6 Enables support for IPv6 AAAA records. dns logging Configures DNS logging. dns server Enables the GSLB AX device to act as a DNS server, for specific service IPs in the GSLB zone. dns sticky Sends the same service IP address to a client for all requests from that client for the service address. dns ttl Overrides the TTL set in the DNS reply. (For more information about this option, see TTL Override on page444.) The cname-detect and external-ip options are enabled by default. All the other DNS options are disabled by default. Order in Which Sticky, Server, Cache, and Proxy Options Are Used If more than one of the following options are enabled, GSLB uses them in the order listed, beginning with sticky: 1. sticky 2. server 3. cache 4. proxy Note: GSLB does not have a separately configurable proxy option. The proxy option is automatically enabled when you configure the DNS proxy as part of GSLB configuration. The site address selected by the first option that is applicable to the client and requested service is used. TTL Override GSLB ensures that DNS replies to clients contain the optimal set of IP addresses based on current network conditions. However, if the DNS TTL value assigned to the Address records is long, the local DNS servers used by clients might cache the replies for a long time, and send those stale replies to clients. Thus, even though the GSLB AX device has current information, clients might receive outdated information. P e r f o r m a n c e b y D e s i g n 445 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview To ensure that the clients local DNS servers do not cache the DNS replies for too long, you can configure the GSLB AX device to override the TTL values of the Address records in the DNS replies before sending the replies to clients. The TTL of the DNS reply can be overridden in two different places in the GSLB configuration: 1. If a GSLB policy is assigned to the individual service, the TTL set in that policy is used. 2. If no policy is assigned to the individual service, but the TTL is set in the zone, then the zones TTL setting is used. By default, the TTL override is not set in either of these places. Metrics That Require the GSLB Protocol on Site AX Devices AX devices use the GSLB protocol for GSLB management traffic. The pro- tocol is required to be enabled on the GSLB controller. The protocol is rec- ommended on site AX devices but is not required. However, some GSLB policy metrics require the protocol to be enabled on the site AX devices as well as the GSLB controller: session-capacity active-rtt passive-rtt connection-load num-session least-response The GSLB protocol is required in order to collect the site information pro- vided for these metrics. Note: The GSLB protocol is also required for the health-check metric, if the default health checks are used. If you modify the health checks, the GSLB protocol is not required. (See Health Checks on page440.) 446 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Configuration Overview Configuration is required on the GSLB AX device (GSLB controller) and the site AX devices. Configuration on GSLB Controller To configure GSLB on the GSLB AX device: 1. Configure health monitors for the DNS server to be proxied and for the GSLB services to be load balanced. 2. Configure a DNS proxy. 3. Configure a GSLB policy (unless you plan to use the default policy set- tings, described in GSLB Policy on page438). 4. Configure services. 5. Configure sites. 6. Configure a zone. 7. Enable the GSLB protocol for the GSLB controller function. Note: If you plan to run GSLB in server mode, the proxy DNS server does not require configuration of a real server or service group. Only the VIP is required. However, if you plan to run GSLB in proxy mode, the real server and service group are required along with the VIP. (Server and proxy mode are configured as DNS options. See DNS Options on page443.) Configuration on Site AX Device To configure GSLB on the site AX devices: 1. Configure SLB, if not already configured. 2. Enable the GSLB protocol for the GSLB site device function. P e r f o r m a n c e b y D e s i g n 447 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Configuration takes place at the following levels: The parameters you can configure at each level are described in GSLB Parameters on page487. The following sections describe the GSLB configuration steps in the GUI and in the CLI. Required commands and commonly used options are listed. For advanced commands and options, see GSLB Parameters on page487. Note: Each of the following configuration sections shows the CLI and GUI methods for configuration. For complete configuration examples, see Configuration Examples on page514. Configure Health Monitors A10 Networks recommends that you configure health monitors for the local DNS server to be proxied, and also for the GSLB services to be load bal- anced. Use a DNS health monitor for the local DNS server. You also can use a Layer 3 health monitor to check the IP reachability of the server. For the GSLB service, use health monitors for the application types of the services. For example, for an HTTP service, use an HTTP health monitor. If the health-check metric is enabled in the GSLB policy, the metric will use the results of service health checks to select sites. To monitor the health of the real servers providing the services, configure health monitors on the site SLB devices. Configure the health monitors for the proxied DNS server and the GSLB services on the GSLB AX device. Configure the health monitors for real servers and their services on the site AX devices. Global (system-wide on the GSLB AX device) Zone SLB device Site Service IP 448 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Configuration of health monitors is the same as for standard SLB. There are no special health monitoring options or requirements for GSLB. For config- uration information, see Health Monitoring on page381. Configure the DNS Proxy The DNS proxy is a DNS virtual service, and its configuration is therefore similar to the configuration of an SLB service. To configure the GSLB DNS proxy, use either of the following methods. USING THE GUI 1. Select Config >Service >GSLB. 2. Click DNS Proxy, then click Add. 3. Enter a name for the DNS proxy. 4. Enter the IP address that will be advertised as the authoritative DNS server for the GSLB zone. Note: The GUI will not accept the configuration if the IP address you enter here is the same as the real DNS server IP address you enter when configuring the service group for this proxy (below). 5. (Optional) To add this proxy configuration of the DNS server to a High Availability (HA) group, select the group. 6. In the GSLB Port section, click Add. 7. In the Port field, enter the DNS port number, if not already filled in. 8. In the Service Group field, select create. The Service Group and Server sections appear. 9. In the Name field, enter a name for the service group. 10. In the Type drop-down list, select UDP. 11. In the Server section, in the Server drop-down list, enter the IP address of the DNS server. Enter the real IP address of the DNS server, not the IP address you are assigning to the DNS proxy. 12. Enter the DNS port number in the Port field and click Add. The server information appears. 13. Click OK. The GSLB Port section re-appears. P e r f o r m a n c e b y D e s i g n 449 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview 14. Click OK. The Proxy section re-appears. 15. Click OK. The DNS proxy appears in the DNS proxy table. USING THE CLI 1. To configure a real server for the DNS server to be proxied, use the fol- lowing commands: slb server server-name ipaddr Use this command at the global configuration level of the CLI. The command creates the proxy and changes the CLI to the configuration level for it. To configure the DNS port on the server, use the following command to change the CLI to the configuration level for the port: port port-num udp To enable health monitoring of the DNS service, use the following com- mand: health-check monitor-name (Layer 3 health monitoring using the default Layer 3 health monitor is already enabled by default.) 2. To configure a service group and add the DNS proxy (real server) to it, use the following commands: slb service-group group-name udp Use this command at the global configuration level of the CLI. The command creates the service group and changes the CLI to the configu- ration level for it. To add the DNS server to the service group, use the following command: member server-name:port-num 3. To configure a virtual server for the DNS proxy and bind it to the real server and service group, use the following commands: slb virtual-server name ipaddr Use this command at the global configuration level of the CLI. The command creates the virtual server changes the CLI to the configuration level for it. To add the DNS port, use the following command: port port-number udp This command changes the CLI to the configuration level for the DNS port. To bind the DNS port to the DNS proxy service group and enable GSLB on the port, use the following commands: service-group group-name gslb-enable 450 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Configure a GSLB Policy The GSLB policy contains the metrics used to evaluate each site and select the best site for a client request. Configuring a GSLB policy is optional. By default, the default policy is used unless you configure and apply a different policy. In the default GSLB policy, the following metrics are enabled by default: health-check geographic round-robin The other metrics are disabled. (For detailed information about policy parameters and their defaults, see GSLB Parameters on page487.) Note: Although the geographic metric is enabled by default, there are no default geo-location mappings. To use the geographic metric, you must load or manually configure geo-location mappings. (See Loading or Configur- ing Geo-Location Mappings on page467 later in this section.) Enabling / Disabling Metrics To enable or disable a metric, use either of the following methods. Using the GUI 1. Select Config >Service >GSLB. 2. On the menu bar, select Policy. 3. Click on the policy name or click Add to create a new policy. 4. If you are configuring a new policy, enter a name in the Name field in the General section. 5. In the Metrics section, drag-and-drop the metric from one column to the other. For example, to disable the health-check metric, drag-and-drop it from the In Use column to the Not In Use column. If you are enabling a metric, drag it to the position you want it to be used in the processing order. For example, if you are enabling the Admin Preference metric and you want this metric to be used first, drag-and- drop the metric to the top of the In Use column. P e r f o r m a n c e b y D e s i g n 451 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview 6. In the DNS Options section, configure the DNS options, if applicable to your deployment. (For descriptions, see DNS Options on page443 and Table13, GSLB Policy Parameters, on page502.) 7. Click OK. Using the CLI To enable a metric, enter the metric name at the configuration level for the policy. For example, to enable the admin-preference metric, enter the fol- lowing command: AX( conf i g gsl b- pol i cy) #admin-preference To disable a GSLB metric, use the no form of the command for the met- ric, at the configuration level for the policy. For example, to disable the health-check metric, enter the following command at the configuration level for the policy: AX( conf i g gsl b- pol i cy) #no health-check To set DNS options, use the following command at the configuration level for the policy. (For descriptions, see DNS Options on page443 and Table13, GSLB Policy Parameters, on page502.) [ no] dns { action | active-only | addition-mx | backup-alias | best-only [ max-answers] | cache [ aging-time {seconds | ttl}] | cname-detect | external-ip | geoloc-action | geoloc-alias | geoloc-policy | ip-replace | ipv6 options | logging {both | query | response} [ geo-location name | ip ipaddr] | server [ addition-mx] [ authoritative [ full-list] ] [ mx] [ ns [ auto-ns] ] [ ptr [ auto-ptr] ] [ srv] | sticky [ /prefix-length] [ aging-time minutes] [ ipv6-mask mask-length] | ttl num } 452 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Changing the Metric Order To change the metric order, use either of the following methods. Using the GUI 1. Select Config >Service >GSLB. 2. On the menu bar, select Policy. 3. Click on the policy name or click Add to create a new policy. 4. If you are configuring a new policy, enter a name in the Name field in the General section. 5. In the Parameters section, drag-and-drop the metric to the position in which you want it to be used in the processing order. For example, if you want the admin-preference metric to be used first, drop the metric to the top of the In Use column. 6. Click OK. Using the CLI To change the positions of metrics in a GSLB policy, use the following command at the configuration level for the policy: [ no] metric-order metric [ metric . . . ] The metric option specifies a metric and can be one of the following: active-rtt active-servers admin-preference bw-cost capacity connection-load geographic health-check least-response num-session ordered-ip P e r f o r m a n c e b y D e s i g n 453 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview passive-rtt weighted-ip weighted-site Note: Metric order does not apply to the alias-admin-preference or weighted- alias metrics. Configuring RTT Settings If you are planning to use the active-RTT or passive-RTT metric, read this section. Otherwise, you can skip the section. Both these metrics are disabled by default. Active RTT Active RTT measures the round-trip-time for a DNS query and reply between a site AX device and the GSLB local DNS. The active RTT metric is disabled by default. You can enable it to take either a single sample (single shot) or multiple samples at regular intervals. You can configure active RTT to take a single sample or periodic samples. Global Active RTT Parameters The Active RTT metric uses the following options, which are configurable on a global basis: Domain Specifies the query domain. To measure the active round-trip time (RTT) for a client, the site AX device sends queries for the domain name to a clients local DNS. An RTT sample consists of the time between when the site AX device sends a query and when it receives the response. Only one active-RTT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each clients local DNS. The default domain name is google.com. The AX device averages multiple active-RTT samples together to calcu- late the active-RTT measurement for a client. (See the description of Track below.) Interval Specifies the number of seconds between queries. You can specify 1-120 seconds. The default is 1. Retry Specifies the number of times GSLB will resend a query if there is no response. You can specify 0-16. The default is 3. 454 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Sleep Specifies the number of seconds GSLB stops tracking active- RTT data for a client after a query fails. You can specify 1-300 seconds. The default is 3. Timeout Specifies the number of milliseconds GSLB will wait for a reply before resending a query. You can specify 1-1023 milliseconds (ms). The default is 1000 ms. Track Specifies the number of seconds during which the AX device collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the active RTT measurement for the client. You can specify 15-3600 seconds. The default is 60 seconds. The averaged RTT measurement is used until it ages out. The aging time for averaged RTT measurements is 10 minutes by default and is config- urable on individual sites, using the active-rtt aging-time command. To configure global active-RTT options, use the following command at the global configuration level of the CLI: [ no] gslb active-rtt { domain domain-name | interval seconds | retry num | sleep seconds | timeout ms | track seconds } Default Settings When you enable Active RTT, a site AX device sends 5 DNS requests to the GSLB domains local DNS. The GSLB AX device averages the RTT times of the 5 samples. Single Sample (Single Shot) To take a single sample and use that sample indefinitely, use the single-shot option. This option instructs each site AX device to send a single DNS query to the GSLB local DNS. The single-shot option is useful if you do not want to frequently update the active RTT measurements. For example, if the GSLB domain's clients tend to remain logged on for long periods of time, using the single-shot option ensures that clients are not frequently sent to differing sites based on active RTT measurements. P e r f o r m a n c e b y D e s i g n 455 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview The single-shot has the following additional options: timeout Specifies the number of seconds each site AX device should wait for the DNS reply. If the reply does not arrive within the specified timeout, the site becomes ineligible for selection, in cases where selec- tion is based on the active RTT metric. You can specify 1-255 seconds. The default is 3 seconds. skip Specifies the number of site AX devices that can exceed their sin- gle-shot timeouts, without the active RTT metric itself being skipped by the GSLB AX device during site selection. You can skip from 1-31 sites. The default is 3. Multiple Samples To periodically retake active RTT samples, do not use the single-shot option. In this case, the AX device uses the averaged RTT based on the number of samples measured for the intervals. For example, if you set active RTT to use 3 samples with an interval of 5 seconds, the RTT is the average RTT for the last 3 samples, collected in 5- second intervals. If you configure single-shot instead, a single sample is taken. The number of samples can be 1-8. The default is 5 samples. Store-By By default, the GSLB AX device stores one active RTT measurement per site SLB device. Optionally, you can configure the GSLB AX device to store one measurement per geo-location instead. This option is configurable on individual GSLB sites. (See Changing Active RTT Settings for a Site on page457.) Tolerance The default measurement tolerance is 10 percent. If the RTT measurements for more than one site are within 10 percent, the GSLB AX device considers the sites to be equal in terms of active RTT. You can adjust the tolerance to any value from 0-100 percent. 456 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Enabling Active RTT To enable active RTT, use either of the following methods. USING THE GUI 1. Select Config >Service >GSLB. 2. On the menu bar, select Policy. 3. Click on the policy name or click Add to create a new one. 4. Drag-and-drop Active RTT from the Not In Use column to the In Use column. 5. Click the plus sign to display the Active RTT configuration fields. 6. To use single-shot RTT, select the Single-shot checkbox. To collect mul- tiple samples, do not select the Single-shot checkbox. 7. To change settings for single-shot, edit the values in the Timeout and Skip fields. 8. To change settings for multiple samples, edit the values in the Samples and Tolerance fields. 9. Click OK. USING THE CLI Enter the following command at the configuration level for the GSLB pol- icy: [ no] active-rtt [ difference num] [ fail-break] [ ignore-id group-id] [ keep-tracking] [ limit ms] [ samples num-samples] [ single-shot] [ skip count] [ timeout seconds] [ tolerance num-percentage] If you omit all the options, the site AX device send 5 DNS requests to the GSLB domains local DNS. The GSLB AX device averages the RTT times of the 5 samples. The active RTT measurements are regularly updated. You can use the samples option to change the number of samples to 1-8. P e r f o r m a n c e b y D e s i g n 457 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview To enable single-shot RTT instead, use the single-shot option. For singe- shot, you also can use the skip and timeout options. (See the descriptions above, in Single Sample (Single Shot) on page454) CLI Examples The following commands access the configuration level for GSLB policy gslbp2 and enable the active RTT metric, using all the default settings: AX( conf i g) #gslb policy gslbp2 AX( conf i g gsl b- pol i cy) #active-rtt The following commands access the configuration level for GSLB policy gslbp3 and enable the active RTT metric, using single-shot settings: AX( conf i g) #gslb policy gslbp3 AX( conf i g gsl b- pol i cy) #active-rtt single-shot AX( conf i g gsl b- pol i cy) #active-rtt skip 3 In this example, each site AX device will send a single DNS query to the GSLB domains local DNS, and wait 3 seconds (the default) for a reply. The site AX devices will then send their RTT measurements to the GSLB AX device. However, if more than 3 site AX devices fail to send their RTT mea- surements to the GSLB AX device, the AX device will not use the active RTT metric. Changing Active RTT Settings for a Site You can adjust the following Active RTT settings on individual sites: aging-time Specifies the maximum amount of time a stored active- RTT result can be used. You can specify 1-60 minutes. The default is 10 minutes. bind-geoloc Stores the active-RTT measurements on a per geo-loca- tion basis. Without this option, the measurements are stored on a per site-SLB device basis. ignore-count Specifies the ignore count if RTT is out of range. You can specify 1-15. The default is 5. ipv6-mask Specifies the client IPv6 mask length, 1-128. The default is 128. limit Specifies the limit. You can specify 1-1023. The default is 1023. mask Specifies the maximum RTT allowed for the site. If the RTT measurement for a site exceeds the configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms). The default is 16383. 458 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview range-factor Specifies the maximum percentage a new active-RTT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again. For example, if the range-factor is set to 25 (the default), a new mea- surement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement can not be used. You can specify 1-1000. The default is 25. smooth-factor Blends the new measurement with the previous one, to smoothen the measurements. For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measure- ment. Similarly, if the smooth-factor is set to 50, 50% of the new mea- surement is used, along with 50% of the previous measurement. You can specify 1-100. The default is 10. USING THE GUI Use the Options section of the GUI page for the site. USING THE CLI Use the following command at the configuration level for the site: [no] active-rtt aging-time minutes | bind-geoloc | limit num | mask {/mask-length | mask-ipaddr} | range-factor num | smooth-factor num Excluding a Set of IP Addresses from Active-RTT Polling You can use an IP list to exclude a set of IP addresses from active-RTT poll- ing. You can configure an IP list in either of the following ways: Use a text editor on a PC or use the AX GUI to configure a black/white list, then load the entries from the black/white list into an IP list. Use this command to configure individual IP list entries. P e r f o r m a n c e b y D e s i g n 459 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview USING THE CLI To configure an IP list using the CLI, use the following command at the global configuration level of the CLI: [ no] gslb ip-list list-name The command changes the CLI to the configuration level for the list, where the following IP-list-related commands are available: [ no] ip ipaddr {subnet-mask | /mask-length} id group-id This command creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31. [ no] load bwlist-name This command loads the entries from a black/white list into the IP list. For information on configuring a black/white list, see Configuring a Black/ White List on page761. To use the IP list to specify the IP addresses to exclude from active-RTT data collection, use the following command at the configuration level for the GSLB policy: [ no] active-rtt ignore-id group-id USING THE GUI Note: In the current release, IP lists can not be configured using the GUI. Passive RTT Passive RTT measures the round-trip-time between when the site AX device receives a clients TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection. Enabling Passive RTT To enable passive RTT, use either of the following methods. USING THE GUI 1. Select Config >Service >GSLB. 2. On the menu bar, select Policy. 460 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview 3. Click on the policy name or click Add to create a new one. 4. Drag-and-drop Passive RTT from the Not In Use column to the In Use column. 5. Click the plus sign to display the Passive RTT configuration fields. 6. To change sample settings, edit the values in the Samples and Tolerance fields. (These parameters work the same as they do for active RTT. See Multiple Samples on page455 and Tolerance on page455.) 7. Click OK. USING THE CLI Enter the following command at the configuration level for the GSLB pol- icy: [ no] passive-rtt [ difference num] [ samples num-samples] [ tolerance num-percentage] [ fail-break] Changing Passive RTT Settings for a Site You can adjust Passive RTT settings on individual sites. The types of set- tings used by Passive RTT settings are the same as those used for Active RTT. See Changing Active RTT Settings for a Site on page457. USING THE GUI Note: In the current release, passive RTT settings for a site cannot be changed using the GUI. USING THE CLI Use the following command at the configuration level for the site: [ no] passive-rtt aging-time minutes | bind-geoloc | limit num | mask {/mask-length | mask-ipaddr} | range-factor num | smooth-factor num P e r f o r m a n c e b y D e s i g n 461 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Configuring BW-Cost Settings If you are planning to use the bw-cost metric, read this section. Otherwise, you can skip the section. The bw-cost metric is disabled by default. The bw-cost metric selects sites based on bandwidth utilization on the site AX links. How Bandwidth Cost Is Measured To compare sites based on bandwidth utilization, the GSLB AX device sends SNMP GET requests for a specified MIB interface object, such as ifInOctets, to each site. If the SNMP object value has incremented less than or equal to the bandwidth limit configured for the site, the site is eligible to be selected as the best site. If the SNMP object value has incremented more than the bandwidth limit configured for the site, the site is ineligible. The GSLB AX device sends the SNMP requests at regular intervals. Once a site is ineligible, the site can become eligible again at the next interval if the utilization incrementation is below the configured limit minus the threshold percentage. (See below.) Configuration Requirements To use the bw-cost metric, an SNMP template must be configured and bound to each site. The GSLB SNMP template specifies the SNMP version and other information necessary to access the SNMP agent on the site AX device, and the Object Identifier (OID) of the MIB object to request. In addition, the following bw-cost parameters must be configured on each site: Bandwidth limit The bandwidth limit specifies the maximum value by which the requested MIB object can increment, for the site to be eligible for selection as the best site. Bandwidth threshold For a site to regain eligibility when bw-cost is being compared, the SNMP objects incremental value must be below the threshold-percentage of the limit value. For example, if the limit value is 80000 and the threshold is 90, the limit value must increment by 72000 or less, in order for the site to become eligible again based on bandwidth cost. Once a site again becomes eligi- ble, the SNMP objects value is again allowed to increment by as much as the bandwidth limit value (80000, in this example). 462 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Configuring Bandwidth Cost To use the bw-cost metric: 1. On the site AX devices, configure and enable SNMP. 2. On the GSLB AX device: a. Configure a GSLB SNMP template. b. Add the template to the GSLB site configuration. c. Optionally, set the bandwidth limit and threshold on the site. By default, the bandwidth limit is not set (unlimited). d. Enable the bw-cost metric in the GSLB policy. By default, the bw- cost metric is disabled. USING THE GUI Note: SNMP template configuration is not supported in the GUI. Use the CLI to configure the template, then use the following GUI procedures. USING THE CLI To Configure a GSLB SNMP Template Use the following commands: [ no] gslb template snmp template-name This command adds the template and changes the CLI to the configuration level for the template, where the following template-related commands are available: [ no] version {v1 | v2c | v3} The version command specifies the SNMP version running on the site AX device. [ no] host ipaddr [ no] oid oid-value The host command specifies the IP address of the site AX device. The oid command specifies the interface MIB object to query on the site AX device. Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error. P e r f o r m a n c e b y D e s i g n 463 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview SNMPv1 / v2c Commands: [ no] community community-string The community command specifies the community string required for authentication. SNMPv3 Commands: [ no] username name This command specifies the SNMPv3 username required for access to the SNMP agent on the site AX device. [ no] security-level {no-auth | auth-no-priv | auth-priv} This command specifies the SNMPv3 security level: no-auth Authentication is not used and encryption (privacy) is not used. This is the default. auth-no-priv Authentication is used but encryption is not used. auth-priv Both authentication and encryption are used. [ no] auth-proto {sha | md5} [ no] auth-key string These commands are applicable if the security level is auth-no-priv or auth-priv. The auth-proto command specifies the authentication protocol. The auth-key command specifies the authentication key. The key string can be 1-127 characters long. [ no] priv-proto {aes | des} [ no] priv-key string These commands are applicable only if the security level is auth-priv. The priv-proto command specifies the privacy protocol used for encryption. The priv-key command specifies the encryption key. The key string can be 1-127 characters long. [ no] context-engine-id id [ no] context-name id [ no] security-engine-id id The context-engine-id command specifies the ID of the SNMPv3 protocol engine running on the site AX device. The context-name command speci- fies an SNMPv3 collection of management information objects accessible by an SNMP entity. The security-engine-id command specifies the ID of 464 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview the SNMPv3 security engine running on the site AX device. For each com- mand, the ID is a string 1-127 characters long. [ no] interface id The interface command specifies the SNMP interface ID. Additional Commands: [ no] interval seconds [ no] port port-num The interval command specifies the amount of time between each SNMP GET to the site AX devices. You can specify 1-999 seconds. The default is3. The port command specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device. You can specify 1- 65535. The default is 161. To Apply a GSLB SNMP Template to a GSLB Site Use the following command at the configuration level for the site: [ no] template template-name To Configure the Bandwidth Limit and Threshold on a Site Use the following command at the configuration level for the site: [ no] bw-cost limit limit threshold percentage The limit specifies the maximum amount the SNMP object queried by the GSLB AX device can increment since the previous query, in order for the site to remain eligible for selection as the best site. You can specify 0- 2147483647. There is no default. If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the sites limit value must not increment more than l i mi t *t hr eshol d- per cent age. You can specify 0-100. There is no default. To Enable the Bandwidth Cost Metric in a GSLB Policy Use the following command at the configuration level for the policy: [ no] bw-cost P e r f o r m a n c e b y D e s i g n 465 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview To display bw-cost data for a site Use the following command: show gslb site [ site-name] bw-cost CLI Example SNMPv2c The following commands configure a GSLB SNMP template for SNMPv2c: AX( conf i g) #gslb template snmp snmp-1 AX( conf i g- gsl b t empl at e snmp) #version v2c AX( conf i g- gsl b t empl at e snmp) #host 192.168.214.124 AX( conf i g- gsl b t empl at e snmp) #oid .1.3.6.1.2.1.2.2.1.16.12 AX( conf i g- gsl b t empl at e snmp) #community public AX( conf i g- gsl b t empl at e snmp) #exit The following commands apply the SNMP template to a site and set the bandwidth increment limit and threshold: AX( conf i g) #gslb site usa AX( conf i g gsl b- si t e) #template snmp-1 AX( conf i g gsl b- si t e) #bw-cost limit 100000 threshold 90 AX( conf i g gsl b- si t e) #exit The following commands enable the bw-cost metric in the GSLB policy: AX( conf i g) #gslb policy pol1 AX( conf i g- gsl b pol i cy) #bw-cost AX( conf i g- gsl b pol i cy) #exit The following command displays bw-cost data for the site: AX- 1( conf i g) #show gslb site usa bw-cost U = Usabl e, TI = Ti me I nt er val USGN = Unsi gned, SN64 = Unsi gned 64 CNTR = Count er , CT64 = Count er 64 Si t e Templ at e Cur r ent Hi ghest Li mi t U Type Len Val ue TI - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - usa snmp- 1 31091 142596 100000 Y CNTR 4 3355957308 3 466 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview CLI Example SNMPv3 The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and encryption are both used. AX( conf i g) #gslb template snmp snmp-2 AX( conf i g- gsl b t empl at e snmp) #security-level auth-priv AX( conf i g- gsl b t empl at e snmp) #host 192.168.214.124 AX( conf i g- gsl b t empl at e snmp) #username read AX( conf i g- gsl b t empl at e snmp) #oid .1.3.6.1.2.1.2.2.1.16.12 AX( conf i g- gsl b t empl at e snmp) #priv-proto des AX( conf i g- gsl b t empl at e snmp) #auth-key 12345678 AX( conf i g- gsl b t empl at e snmp) #priv-key 12345678 The other commands are the same as those shown in CLI Example SNMPv2c on page465. Configuring Alias Admin Preference To configure the Alias Admin Preference metric: 1. At the configuration level for the GSLB service, assign an administra- tive preference to the DNS CNAME record for the service. 2. At the configuration level for the GSLB policy: Enable the Alias Admin Preference metric. Enable one or both of the following DNS options, as applicable to your deployment: DNS backup-alias DNS geoloc-alias 3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. USING THE GUI The current release does not support this feature in the GUI. USING THE CLI 1. To assign an administrative preference to the DNS CNAME record for a service, use the following command at the configuration level for the service: [ no] admin-preference preference The preference can be 0-255. A higher value is preferred over a lower value. The default is 0 (not set). P e r f o r m a n c e b y D e s i g n 467 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview 2. To enable the Alias Admin Preference metric, use the following com- mand at the configuration level for the policy: [ no] alias-admin-preference Configuring Weighted Alias To configure the Weighted Alias metric: 1. At the configuration level for the GSLB service, assign a weight to the DNS CNAME record for the service. 2. At the configuration level for the GSLB policy: Enable the Weighted Alias metric. Enable one or both of the following DNS options, as applicable to your deployment: DNS backup-alias DNS geoloc-alias 3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. USING THE GUI The current release does not support this feature in the GUI. USING THE CLI 1. To assign a weight to the DNS CNAME record for a service, use the fol- lowing command at the configuration level for the service: [ no] weight num The num can be 1-255. A higher value is preferred over a lower value. The default is 1. 2. To enable the Weighted Alias metric, use the following command at the configuration level for the policy: [ no] weighted-alias Loading or Configuring Geo-Location Mappings You can configure geo-location mappings manually or by loading the map- pings from a file. Unless you have only a few sites, configuring the geo- location mappings manually might not be practical. A10 Networks recom- mends that you load the mappings from a file. 468 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview The geo-location configuration options are described in detail below. To skip the descriptions and go directly to configuration instructions, see one of the following sections. Each section provides the procedure for one of the methods to configure geo-location mappings. Creating and Loading a Custom Geo-Location Database on page470 Manually Configuring Geo-Location Mappings on page473 Geo-Location Database Files You can load the geo-location database from one of the following types of files: Internet Assigned Numbers Authority (IANA) database The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is loaded by default. Custom database in CSV format You can load a custom geo-location database from a file in comma-separated-values (CSV) format. This option requires configuration of a CSV template on the AX device. When you load the CSV file, the data is formatted based on the tem- plate. Note: You can load more than one geo-location database. When you load a new database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new database. Geo-Location Mappings A geo-location mapping consists of a geo-location name and an IP address or IP range. If you manually map a geo-location to an GSLB site, GSLB uses the mapping. If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-location in the loaded geo-location data- base. If a service-ip cannot be mapped to a geo-location, GSLB maps the site AX device to a geo-location. If more than one geo-location matches a clients IP address, the most spe- cific match is used. For example, if a client is in the same city as a site AX, that site will be preferred. If the client and site are in the same state but in different cities, the site in that state will be preferred. P e r f o r m a n c e b y D e s i g n 469 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Only one database can be active. If you load more than one database, the most-recently loaded one becomes the active one. The older database is no longer used. Data from the older database is not merged into the new data- base. Example Database File An example of a database file is shown below. Each paragraph is actually a single line in the file, but they are displayed here in multiple lines due to the limited width of the page. " 1159363840" , " 1159364095" , " US" , " UNI TED STATES" , " NA" , " NORTH AMERI CA" , " EST" , " MA" , " MASSA- CHUSETTS" , " COMMRAI L I NC" , " MARLBOROUGH" , " MI DDLESEX" , " 42. 3495" , " - 71. 5482" " 1159364096" , " 1159364351" , " US" , " UNI TED STATES" , " NA" , " NORTH AMERI CA" , " " , " " , " " , " ENVI RON- MENTAL COMPLI ANCE SERVI CE" , "SI LVER" , " " , " 32. 0708" , " - 100. 682" " 1159364352" , " 1159364607" , " US" , " UNI TED STATES" , " NA" , " NORTH AMERI CA" , " EST" , " MA" , " MASSA- CHUSETTS" , " MLS PROPERTY I NFORMATI ON NETWORK" , " SHREWSBURY" , "WORCESTER" , " 42. 2959" , " - 71. 7134" . . . The example above shows the file displayed in a text editor. The same file looks like the example in Figure131 if displayed in a spreadsheet applica- tion. However, when the file is saved to CSV format, the file is essentially as shown above. FIGURE 131 CSV File in Spreadsheet Application The database file can contain more types of information (fields) than are required for the GSLB database. When you load the file into the geo-loca- tion database, the CSV template on the AX device is used to filter the file to extract the required data. In this example, only the fields shown in bold type will be extracted and placed into the geo-location database: " 1159363840" , " 1159364095" , " US" , " UNI TED STATES" , " NA" , " NORTH AMERI CA" , " EST" , " MA" , " MASSA- CHUSETTS" , "COMMRAI L I NC" , " MARLBOROUGH" , " MI DDLESEX" , " 42. 3495" , " - 71. 5482" These fields contain the following information: From IP address (starting IP address in range), To IP address (ending IP address in range, or subnet mask), Continent, Country The IP addresses in this example are in bin4 format. Dotted decimal format (for example: 69.26.125.0) is also supported. If you use bin4 format, the AX 470 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview device automatically converts the addresses into dotted decimal format when you load the database into GSLB. Converting IP Addresses into bin4 Format If you want to use bin4 format in the CSV file, here is how to convert an IP address from dotted-decimal format to bin4 format: 1. Convert each node into Hex. 2. Convert the resulting Hex number into decimal. 3. Enter the decimal number into the database file. Here is an example for IP address 69.26.125.0, the first IP address in the example CSV file: CSV File Field Delimiters The fields in the CSV file must be separated by a delimiter. By default, the AX device interprets commas as delimiters. When you configure the CSV template on the AX device, you can set the delimiter to any valid ASCII character. Creating and Loading a Custom Geo-Location Database To create and load a custom geo-location database: 1. Prepare the database file. (This step requires an application that can save to text for CSV format, and can not be performed on the AX device.) 2. Configure a CSV template for the file. The CSV template specifies the field positions for IP address and location information. 3. Import the CSV file onto the AX device. 4. Load the CSV file. 5. Display the geo-location database. Dotted Decimal Hex of Each Node Combined Hex Number Decimal 69.26.125.0 45.1a.7d.00 451a7d00 1159363840 P e r f o r m a n c e b y D e s i g n 471 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview USING THE GUI Configuring the CSV Template 1. Select Config >Service >GSLB. 2. On the menu bar, select Geo-location >Import. 3. In the Template section, enter name for the template. 4. If the CSV file uses a character other than a comma to delimit fields, enter the delimiter character in the Delimiter field. 5. In each data field, indicate the fields position in the CSV file. For exam- ple, if the destination IP address or subnet is listed in the CSV file in data field 4, enter 4 in the IP-To field. 6. Click Add. Importing the CSV File 1. Select Config >Service >GSLB, if not already selected. 2. On the menu bar, select Geo-location >Import, if not already selected.. 3. In the File section, select the file transfer protocol. 4. Enter the filename and the access parameters required to copy the file from the remote server. 5. Click Add. Loading the CSV File Data into the Geo-Location Database 1. Select Config >Service >GSLB, if not already selected. 2. On the menu bar, select Geo-location >Import, if not already selected.. 3. In the Load/Unload section, enter the name of the geo-location database in the file field. 4. In the Template field, enter the name of the template to use for format- ting the data. 472 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview USING THE CLI Configuring the CSV Template On the AX device, you must configure a CSV template for the database file. When you load the file into GSLB, the AX device uses the template to extract the data and load it into the GSLB database. 1. Use the following command at the global configuration level of the CLI: [ no] gslb template csv template-name This command creates the template and changes the CLI to the configu- ration level for it. 2. Use the following command to identify the field positions for the geo- location data: [ no] field num {ip-from | ip-to-mask | continent | country | state | city} The num option specifies the field position within the CSV file. You can specify 1-64. The following options specify the type of geo-location data that is located in the field position: ip-from Specifies the beginning IP address in the range or subnet. ip-to-mask Specifies the ending IP address in the range, or the subnet mask. continent Specifies the continent where the IP address range or subnet is located. country Specifies the country where the IP address range or subnet is located. state Specifies the state where the IP address range or subnet is located. city Specifies the city where the IP address range or subnet is located. 3. If the CSV file uses a character other than a comma to delimit fields, use the following command to specify the character used in the file: [ no] delimiter {character | ASCII-code} You can type the character or enter its decimal ASCII code (0-255). Importing the CSV File To import the CSV file onto the AX device, use the following command at the Privileged EXEC or global configuration level of the CLI: import geo-location file-name [ use-mgmt-port] url P e r f o r m a n c e b y D e s i g n 473 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a pass- word is required, you will still be prompted for the password. To enter the entire URL: tftp://host /f i l e ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file (For information about the use-mgmt-port option, see Using the Manage- ment Interface as the Source for Management Traffic on page939.) Loading the CSV File Data into the Geo-Location Database To load the CSV file, use the following command at the global configura- tion level of the CLI: [ no] gslb geo-location load file-name csv-template-name Use the file name you specified when you imported the CSV file, and the name of the CSV template to be used for extracting data from the file. Note: The file-name option is available only if you have already imported a geo- location database file. To display information about CSV files that have been loaded are currently being loaded, use the following command: show gslb geo-location file [ file-name] Manually Configuring Geo-Location Mappings USING THE GUI In the GUI, this is part of site configuration. See Configure Sites on page483. 474 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview USING THE CLI To manually configure a geo-location mapping: 1. Configure each geographic location (geo-location) as a named range of client IP addresses. You can configure geo-locations globally and within individual GSLB policies. To configure a geo-location, use the following command at the global configuration level or at the configuration level for the GSLB policy: [ no] gslb geo-location location-name start-ip-addr [ mask ip-mask] [ end-ip-addr] 2. Associate a site with a geo-location name, using the following command at the configuration level for the site: [no] geo-location location-name Note: If you configure geo-locations globally and at the configuration level for individual sites, and a client IP address matches both a globally config- ured geo-location and a geo-location configured on a site, the globally configured geo-location is used by default. To configure the GSLB AX device to use geo-locations configured on individual sites instead, use the geo-location match-first policy command at the configuration level for the policy. Displaying the Geo-Location Database USING THE GUI 1. Select Config >Service >GSLB. 2. On the menu bar, select Geo-location >Find. The geo-location database appears. You can use the find options to display database entries or statistics for specific geo-locations or IP addresses. USING THE CLI To display the geo-location database, use the following command: show gslb geo-location db [ geo-location-name] [ [ statistics] ip-range range-start range-end] [ [ statistics] depth num] [ statistics] ] The geo-location-name option displays the database entry for the specified location. P e r f o r m a n c e b y D e s i g n 475 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview The ip-range option displays entries for the specified IP address range. The depth num option filters the display to show only the location entries at the specified depth or higher. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. To search for an entry in the geo-location database based on client IP address, use the following command: show gslb geo-location ip ipaddr CLI Example The commands in this example load a custom geo-location database from a CSV file called test.csv, and display the database. The test.csv file is shown in Example Database File on page469. First, the following commands configure the CSV template: AX( conf i g) #gslb template csv test1-tmplte AX( conf i g- gsl b t empl at e csv) #field 1 ip-from AX( conf i g- gsl b t empl at e csv) #field 2 ip-to-mask AX( conf i g- gsl b t empl at e csv) #field 5 continent AX( conf i g- gsl b t empl at e csv) #field 3 country AX( conf i g- gsl b t empl at e csv) #exit The following command imports the file onto the AX device: AX( conf i g) #import geo-location test1.csv ftp: Addr ess or name of r emot e host [ ] ?192.168.1.100 User name [ ] ?admin2 Passwor d [ ] ?********* Fi l e name [ / ] ?test1.csv The following commands initiate loading the data from the CSV file into the geo-location database, and display the status of the load operation: AX( conf i g) #gslb geo-location load test1.csv test1-tmplte AX( conf i g) #show gslb geo-location file T = T( Templ at e) / B( Bui l t - i n) , Per = Per cent age of l oadi ng Fi l ename T Templ at e Per Li nes Success Er r or - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - t est 1 T t 1 98% 11 10 0 476 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview The following command displays the geo-location database. The data that was extracted from the CSV file is shown here in bold type. AX( conf i g) #show gslb geo-location db Last = Last Mat ched Cl i ent , Hi t s = Count of Cl i ent mat ched T = Type, Sub = Count of Sub Geo- l ocat i on G( gl obal ) / P( pol i cy) , S( sub) / R( sub r ange) M( manual l y conf i g) Gl obal Name Fr om To Last Hi t s Sub T - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NA ( empt y) ( empt y) ( empt y) 0 1 G Geo- l ocat i on: NA, Gl obal Name Fr om To Last Hi t s Sub T - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - US ( empt y) ( empt y) ( empt y) 0 10 GS Geo- l ocat i on: NA. US, Gl obal Name Fr om To Last Hi t s Sub T - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 69. 26. 125. 0 69. 26. 125. 255 ( empt y) 0 0 GR 69. 26. 126. 0 69. 26. 126. 255 ( empt y) 0 0 GR 69. 26. 127. 0 69. 26. 127. 255 ( empt y) 0 0 GR 69. 26. 128. 0 69. 26. 136. 135 ( empt y) 0 0 GR 69. 26. 136. 136 69. 26. 136. 143 ( empt y) 0 0 GR 69. 26. 136. 144 69. 26. 140. 255 ( empt y) 0 0 GR 69. 26. 141. 0 69. 26. 141. 255 ( empt y) 0 0 GR 69. 26. 142. 0 69. 26. 159. 255 ( empt y) 0 0 GR 69. 26. 160. 0 69. 26. 160. 255 ( empt y) 0 0 GR 69. 26. 161. 0 69. 26. 161. 7 ( empt y) 0 0 GR Configure Services To configure GSLB services, use either of the following methods. USING THE GUI 1. Select Config >Service >GSLB. 2. On the menu bar, select Service IP. 3. Click Add. 4. Enter the service name and IP address. P e r f o r m a n c e b y D e s i g n 477 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview 5. If needed, assign an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network. 6. Add the service port(s): a. Enter the port number and select the protocol (TCP or UDP). b. Optionally, select a health monitor. c. Click Add. The service port appears in the service port list. 7. Click OK. 8. Repeat for each service IP. USING THE CLI To configure service VIPs, use the following command at the global config- uration level of the CLI: gslb vip-name ipaddr This command changes the CLI to the configuration level for the service. To assign an external IP address to the service, use the following command. An external IP address is needed if the service IP address is an internal IP address that can not be reached from outside the internal network. external-ip ipaddr To configure a service port on the service, use the following command to change the CLI to the configuration level for the port: port port-num {tcp | udp} To enable health monitoring of the service, use the following command: health-check monitor-name Gateway Health Monitoring To simplify health monitoring of a GSLB site, you can use a gateway health check. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. If a sites gateway router fails a health check, it is likely that none of the services at the site can be reached. GSLB stops using the site until it begins to pass gateway health checks again. 478 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview In most cases, an ICMP health check is sufficient. You can use the default ICMP health check or configure a custom one. For more detailed health analysis, you can use an external health check. For example, you can use a script to get SNMP information from the gateway, and base the gateways health status on the retrieved information. Health Check Precedence Health checking for a GSLB service can be performed at the following lev- els. 1. Gateway health check 2. Port health check 3. IP health check (Layer 3 health check of service IP) If the gateway health check is unsuccessful, the service IP is marked Down. If the gateway health check is successful, the port health check is used if ports are configured on the service IP. Otherwise, if no service ports are configured on the service IP, the Layer 3 health check is used. Configuring Gateway Health Checking for GSLB Sites To configure gateway health checking for a GSLB site: 1. Configure the health monitor, unless you plan to use the default ICMP health monitor. 2. On the SLB device at the site, create an SLB real server configuration with the gateway routers IP address. If you configured a custom health check, make sure to apply it to the real server. 3. On the GSLB controller, specify the sites gateway IP address in the SLB-device configuration for the site. Sites with Multiple Gateway Links If a site has multiple gateways, create a separate real server for each gate- way on the site AX device. On the GSLB controller, create a separate SLB- device configuration for each gateway (real server). In each SLB-device configuration, specify only the service IPs that can be reached by the gate- way specified in that SLB-device configuration. For a service IP that can be reached on any of multiple links, create a sepa- rate SLB-device configuration, without using the gateway option. The gate- way health status for this SLB-device will be Down only if all the gateway health checks performed for the other SLB-device configurations for the site fail. P e r f o r m a n c e b y D e s i g n 479 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview USING THE GUI Configuration of this feature does not use any new GUI pages or fields not present in earlier releases. 1. On the site AX deviceTo create the gateway router, navigate to the real server configuration page. Enter a name and the gateway IP address. Do not add any ports. If you plan to use the default Layer 3 health monitor, no further configu- ration is needed on the site AX device. If you plan to use a custom ICMP monitor, configure the monitor, select create from the Health Monitor drop-down list. 2. On the GSLB controllerTo specify the sites gateway IP address, nav- igate to the site configuration page. From this page, navigate to the SLB-Device configuration page and enter the gateway IP address in the Gateway field. USING THE CLI Configuration of this feature does not use any new CLI commands or options not present in earlier releases. 1. On the site AX deviceTo create the gateway router, use the following command at the global configuration level of the CLI on the site AX device: [ no] slb server gateway-name gateway-ipaddr If you plan to use the default Layer 3 health monitor, no further configu- ration is needed on the site AX device. If you plan to use a custom ICMP monitor, configure the monitor, then use the following command at the configuration level for the real server (gateway): [ no] health-check icmp-monitor-name 2. On the GSLB controllerTo specify the sites gateway IP address, use the following command at the configuration level for the SLB device, within the site configuration: [ no] gateway gateway-ipaddr Disabling a Gateway Health Check On the GSLB controller, you can disable gateway health checking at the SLB-device configuration level or the service configuration level. To disable gateway health checking at the SLB-device configuration level, use the following command: no gateway health-check 480 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview After you enter this command, the SLB device will stop accepting gateway status information. To disable gateway health checking at the service configuration level, use the following command: no health-check gateway After you enter this command, the service will stop using gateway health checks. Displaying the Health Status of a Site Gateway To display the health status for a site gateway, use the following command: show gslb slb-device Note: The health status of the individual virtual servers and service ports at the site is not marked Down. CLI ExampleSite with Single Gateway Link On the site AX device, the following command configures a real server for the gateway. The default ICMP health method is used. Si t e- AX( conf i g) #slb server 1.1.1.1 On the GSLB controller, the following commands enable gateway health checking for site device site-ax: GSLB- AX( conf i g) #gslb site remote GSLB- AX( conf i g- gsl b si t e) #slb-dev site-ax 10.1.1.1 GSLB- AX( conf i g- sl b dev) #gateway 1.1.1.1 The following command displays the gateway health status for GSLB sites: GSLB- AX( conf i g) #show gslb slb-device At t r s = At t r i but es, APF = Admi ni st r at i ve Pr ef er ence Sesn- Num/ Uzn = Number / Ut i l i zat i on of Avai l abl e Sessi ons GW= Gat eway St at us, I PCnt = Count of Ser vi ce- I Ps P = GSLB Pr ot ocol , L = Local Pr ot ocol Devi ce I P At t r s APF Sesn- Num Uzn GW I PCnt - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - l ocal : sel f 127. 0. 0. 1 100 0 0% 0 l ocal : sel f 2 127. 0. 0. 1 100 0 0% 0 l ocal : sel f 3 127. 0. 0. 1 100 0 0% 2 remote:site-ax 10. 1. 1. 1 100 0 0% UP 0 In this example, the gateway health status for SLB-device configuration site-ax on the remote site is Up. P e r f o r m a n c e b y D e s i g n 481 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview CLI ExampleSite with Multiple Gateway Links On the site AX device, the following commands configure real servers for each of two gateway links. The default ICMP health method is used for each link. Si t e- AX( conf i g) #slb server 2.2.2.1 Si t e- AX( conf i g- r eal ser ver ) #exit Si t e- AX( conf i g) #slb server 3.3.3.1 On the GSLB controller, the following commands enable gateway health checking for each of the sites links. A unique SLB-device name is used for each link, even though both links are for the same SLB device (20.1.1.1). GSLB- AX( conf i g) #gslb site remote-link1 GSLB- AX( conf i g- gsl b si t e) #slb-dev site-ax-lnk1 20.1.1.1 GSLB- AX( conf i g- sl b dev) #gateway 2.2.2.1 GSLB- AX( conf i g- sl b dev) #exit GSLB- AX( conf i g- gsl b si t e) #exit GSLB- AX( conf i g) #gslb site remote-link2 GSLB- AX( conf i g- gsl b si t e) #slb-dev site-ax-lnk2 20.1.1.1 GSLB- AX( conf i g- sl b dev) #gateway 3.3.3.1 If the same services can be reached through either link, an additional SLB- device configuration is required: GSLB- AX( conf i g) #gslb site remote-link-both GSLB- AX( conf i g- gsl b si t e) #slb-dev site-ax-lnkboth 20.1.1.1 No gateway is specified in the SLB-device configuration. The gateway health status will be Up unless the health checks for 2.2.2.1 and 3.3.3.1 both fail. Multiple-Port Health Monitoring GSLB supports multiple-port health checking for service IPs. When you use a multiple-port health check for a service IP, the service IP is marked Up if any of the ports passes the health check. It is not required for all ports to pass the health check. Default Health Monitors The default health monitor for a service is the default Layer 3 health moni- tor (ICMP ping). The default health monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol. By default, if the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB protocol. Otherwise, health 482 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview checking is performed using standard network traffic instead. Optionally, you can disable use of the GSLB protocol for health checking, on individual service-IPs. USING THE GUI The current release does not support this feature in the GUI. USING THE CLI To configure a multiple-port health check, use the following command at the configuration level for the service IP: [ no] health-check port port-num port-num [ . . . ] You can specify up to 64 ports. CLI Example The following commands apply a custom HTTP health monitor to service IP gslb-srvc2: AX( conf i g) #gslb service-ip gslb-srvc2 192.168.20.99 AX( conf i g- gsl b ser vi ce- i p) #port 80 AX( conf i g- gsl b ser vi ce- por t ) #health-check http AX( conf i g- gsl b ser vi ce- i p) #port 8080 AX( conf i g- gsl b ser vi ce- por t ) #health-check http AX( conf i g- gsl b ser vi ce- i p) #port 8081 AX( conf i g- gsl b ser vi ce- por t ) #health-check http Note: Applying a health monitor is required only if you do not plan to use the default health monitors. (See Default Health Monitors on page481.) The following commands enable a multi-port health check for the HTTP service www on service IP gslb-srvc2 in GSLB zone abc.com: AX( conf i g) #gslb zone abc.com AX( conf i g- gsl b zone) #service http www AX( conf i g- gsl b ser vi ce) #health-check port 80 8080 8081 P e r f o r m a n c e b y D e s i g n 483 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview Configure Sites To configure GSLB sites, use either of the following methods. USING THE GUI 1. Select Config >Service >GSLB. 2. On the menu bar, select Site. 3. Click Add. 4. Enter the site name. 5. In the SLB-Device section, enter information about the AX devices that provide SLB for the site: a. Click Add. b. Enter a name for the device. c. Enter the IP address at which the GSLB AX device will be able to reach the site AX device. d. To add a service to this SLB device, select it from the drop-down list in the VIP server section and click Add. Repeat for each service. 6. In the IP-Server section, add services to the site. Select a service from the drop-down list and click Add. Repeat for each service. 7. To manually map a geo-location name to the site, enter the geo-location name in the Geo-location section and click Add. 8. Click OK. The site appears in the Site table. USING THE CLI To configure the GSLB sites, use the following commands: gslb site site-name This command changes the CLI to the configuration level for the site. To associate an IP service with this site, use the following command: ip-server service-ip The ipaddr is the IP address of a real server load balanced by the site. 484 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview To specify the AX device that provides SLB at the site, use the following command: slb-dev device-name ip-addr To add the GSLB VIP server to the SLB device, use the following com- mand: vip-server gslb service-name The service-name is the GSLB service specified by the gslb vip-name ipaddr command in Configure Services on page476. Configure a Zone To configure a GSLB zone, use either of the following methods. USING THE GUI 1. Select Config >Service >GSLB. 2. On the menu bar, select Zone. 3. Click Add. 4. Enter the zone name in the Name field. 5. In the Service section, click Add. (See Figure140 on page524.) The service configuration sections appear. 6. In the Service field, enter the service name. 7. Select the service type from the Port drop-down list. 8. Add the services: a. In the Service section, click Add. b. Enter name for the service (for example, www). c. Select the service type from the Port drop-down list. d. Configure additional options, if applicable to your deployment. (See Table12, GSLB Parameters, on page487.) e. Click OK. f. Repeat for each service. 9. Click OK. The zone appears in the GSLB zone list. P e r f o r m a n c e b y D e s i g n 485 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview USING THE CLI To configure the GSLB zone, use the following commands: gslb zone zone-url The zone-url is the URL that clients will send in DNS queries. This command changes the CLI to the configuration level for the zone. To add a service to the zone, use the following command: service port service-name The port is the application port for the server and must be the same port name or number specified on the service VIP. Enable the GSLB Protocol To enable the GSLB protocol, use either of the following methods. USING THE GUI 1. Select Config >Service >GSLB. 2. On the menu bar, select Global. The Global section appears. 3. Select Enabled next to one of the following options, depending on the AX devices function in the GSLB configuration: Run GSLB as Controller Run GSLB as Site SLB Device If you are planning to use the Passive RTT metric, select the Passive RTT checkbox to enable collection of passive RTT data on this site AX device. 4. Click OK. USING THE CLI To enable the GSLB protocol on the GSLB AX device, use the following command at the global configuration level of the CLI: gslb protocol enable controller 486 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Overview To enable the GSLB protocol on a site AX device, use the following com- mand at the global configuration level of the CLI: gslb protocol enable device [ no-passive-rtt] The no-passive-rtt option disables collection of passive RTT data on this site AX device. If you are planning to use the Passive RTT metric, do not use this option. P e r f o r m a n c e b y D e s i g n 487 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters GSLB Parameters Table12 lists the GSLB parameters. TABLE 12 GSLB Parameters Parameter Description and Syntax Supported Values Global GSLB Parameters protocol enable (Required) Enables the GSLB protocol. The protocol must be enabled on the GSLB AX device and on the site AX devices. [ no] gslb protocol {enable {controller | device [ no-passive-rtt] } | status-interval seconds} On the GSLB AX device, use the controller option. On the site AX devices, use the device option. The status-interval option sets the number of sec- onds between GSLB status messages. Config >Service >GSLB >Global Controller or device. Default: Disabled When you enable the GSLB protocol, the default status interval is 30 sec- onds. geo-location (Optional) Maps geographic locations to IP address ranges. GSLB forwards client requests from addresses within the range to the GSLB site that serves the location. To load the IANA database: [ no] gslb geo-location load iana Config >Service >GSLB >Geo-location >Import To load a custom database: [ no] gslb template csv template- name [ no] gslb geo-location load file-name csv-template-name Config >Service >GSLB >Geo-location >Import To configure individual mappings: [ no] gslb geo-location location-name start-ip-addr [ mask ip-mask] [ end-ip-addr] Config >Service >GSLB >Site - Geo-location For geo-location mappings loaded from a database, the mappings must be in the AX devices IANA database or in a comma-separated values (CSV) file. For individual mappings, the location- name can be up to 127 alphanumeric characters. Specify either the begin- ning and ending addresses of the range, or the beginning address and the network mask. Default: The IANA database is loaded by default. 488 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters policy (Optional) Configures a GSLB policy. GSLB policies config- ure the GSLB metrics used to select the best sites and site IP addresses to return in DNS replies to cli- ents. [ no] gslb policy {default | policy-name} Config >Service >GSLB >Policy Default: The default GSLB policy is used, unless you configure another policy and apply it to the zone. service-ip (Required) Configures a virtual IP address (VIP) for a service. In GSLB, service IP addresses are VIPs that repre- sent services that are provided by servers connected to the site AX devices. [ no] gslb service-ip vip-name [ ipaddr] Config >Service >GSLB >Service IP The vip-name can be up to 31 alphanu- meric characters. The ipaddr can be an IPv4 or IPv6 address. site (Required) Configures a site. A GSLB zone can contain one or more sites. Each site has at least one AX device pro- viding load balancing for the sites services. [ no] gslb site site-name Config >Service >GSLB >Site See Site Parameters below. The site-name can be up to 31 alpha- numeric characters. Default: None zone (Required) Configures a zone. The zone identifies the top-level URL for the services load balanced by GSLB. [ no] gslb zone zone-url Config >Service >GSLB >Zone See Zone Parameters below. The zone-url is the URL of the zone and can be up to 127 alphanumeric characters. Default: None Note: You can use lower case charac- ters and upper case characters. How- ever, since Internet domain names are case-insensitive, the AX device inter- nally converts all upper case characters in GSLB zone names to lower case. TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 489 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters Active-RTT set- tings (Optional) Configures the following Active RTT options: Domain Specifies the query domain. To mea- sure the active round-trip time (RTT) for a client, the site AX device sends queries for the domain name to a clients local DNS. An RTT sample consists of the time between when the site AX device sends a query and when it receives the response. Only one active-RTT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each clients local DNS. The AX device averages multiple active-RTT samples together to calculate the active-RTT measurement for a client. (See the description of Track below.) Interval Specifies the number of seconds between queries. Retry Specifies the number of times GSLB will resend a query if there is no response. Sleep Specifies the number of seconds GSLB stops tracking active-RTT data for a client after a query fails. Timeout Specifies the number of milliseconds GSLB will wait for a reply before resending a query. Track Specifies the number of seconds during which the AX device collects samples for a cli- ent. The samples collected during the track time are averaged together, and the averaged value is used as the active RTT measurement for the cli- ent. The averaged RTT measurement is used until it ages out. The aging time for averaged RTT mea- surements is 10 minutes by default and is config- urable on individual sites, using the active-rtt aging-time option. The following values are supported: Domain Valid domain name (such as example.com) Interval 1-120 seconds Retry 0-16 Sleep 1-300 seconds Timeout 1-1023 milliseconds (ms) Track 15-3600 seconds Defaults: Domain google.com Interval 1 Retry 3 Sleep 3 Timeout 1000 Track 60 TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values 490 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters Handling of DNS queries from the local DNS (Optional) Action to take in response to queries from the local DNS. Drop Drops DNS queries from the local DNS server that do not match any zone service. Reject Rejects DNS queries from the local DNS server that do not match any zone service, and returns the Refused message in replies. [ no] gslb dns action {drop | reject} Note: The current release does not support configu- ration of this option using the GUI. Default: Not set DNS logging (Optional) Logging of DNS messages. [ no] gslb dns logging {both | query | response} Note: The current release does not support configu- ration of this option using the GUI. Default: Not set ip-list (Optional) List of IP addresses and group IDs to use as input to other GLSB commands. [ no] gslb ip-list list-name Note: The current release does not support configu- ration of this option using the GUI. Default: None Startup delay (Optional) Delays startup of GSLB following startup of the AX device. [ no] gslb system wait seconds Note: The current release does not support configu- ration of this option using the GUI. 0-16384 seconds Default: 0 (no delay) GSLB protocol timers (Optional) Changes timers used by the SLB protocol. [ no] gslb protocol limit { artt-query num-msgs | artt-response num-msgs | artt-session num-sessions | prtt-response num-msgs | conn-response num-msgs | response num-msgs | message num-msgs } Note: The current release does not support configu- ration of this option using the GUI. See the online help. TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 491 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters Service-IP Parameters service-ip status (Required) Enables or disables the service-ip. disable | enable Config >Service >GSLB >Service-IP Default: Enabled external IP address Assigns an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network. [ no] external-ip ipaddr Config >Service >GSLB >Service-IP Default: None health check Enables or disables monitoring for the service IP address. You can specify any health monitor (Layer 3, 4 or 7). Alternatively, you can use the follow-port option to base the health of the service port on the health of another port. Specify the other port number. The protocol option enables or disables use of the GSLB protocol for health checking of the service. By default, the protocol option is enabled. If the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB proto- col. Otherwise, health checking is performed using standard network traffic instead. [ no] health-check [ monitor-name] | [ follow-port portnum] [ protocol] Config >Service >GSLB >Service-IP Default: The default Layer 3 health monitor (ICMP ping) is used. The pro- tocol option is enabled by default. service port Adds a service port to the service IP address. The command also changes the CLI to the configuration level for the specified service port, where the fol- lowing service port-related commands are available: port num {tcp | udp} Config >Service >GSLB >Service-IP Valid protocol port number and service type Default: None IPv6 mapping Maps an IPv6 address to an IPv4 service IP. This option also requires IPv6 DNS AAAA support to be enabled in the GSLB policy. [ no] ipv6 ipv6-addr Note: The current release does not support configu- ration of this option using the GUI. Valid IPv6 address Default: None TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values 492 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters Site Parameters active-rtt (Optional) Configures options for the Active RTT metric. [ no] active-rtt aging-time minutes | bind-geoloc | ignore-count num | limit num | mask {/mask-length | mask-ipaddr} | range-factor num | smooth-factor num Config >Service >GSLB >Site - Options aging-time Specifies the maximum amount of time a stored active-RTT result can be used. You can specify 1- 60 minutes. The default is 10 minutes. bind-geoloc Stores the active-RTT measurements on a per geo-location basis. Without this option, the mea- surements are stored on a per site-SLB device basis. ignore-count Specifies the ignore count if RTT is out of range. You can specify 1-15. The default is 5. limit Specifies the maximum RTT allowed for the site. If the RTT mea- surement for a site exceeds the config- ured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms). The default is 16383. mask Specifies the client IPv4 subnet mask length, 1-32. The default is 32. mask Specifies the client IPv4 subnet mask length, 1-32. The default is 32. range-factor Specifies the maximum percentage a new active-RTT measure- ment can differ from the previous mea- surement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again. For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A mea- surement that is less than 75% or more than 125% of the previous measure- ment can not be used. (cont.) TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 493 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters active-rtt (Optional) (cont.) You can specify 1-1000. The default is 25. smooth-factor Blends the new mea- surement with the previous one, to smoothen the measurements. You can specify 1-100. The default is 10. bw-cost (Optional) Configures options for the bw-cost metric: [ no] bw-cost limit limit threshold percentage Config >Service >GSLB >Site - Options limit Specifies the maximum amount the SNMP object queried by the GSLB AX device can increment since the previous query, in order for the site to remain eligible for selection as the best site. You can specify 0-2147483647. There is no default. If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the sites limit value must not increment more than l i mi t *t hr eshol d- per - cent age. You can specify 0-100. There is no default. threshold percentage For a site to regain eligibility when bw-cost is being compared, the SNMP objects incremental value must be below the threshold-percentage of the limit value. For example, if the limit value is 80000 and the threshold is 90, the limit value must increment by 72000 or less, in order for the site to become eligible again based on bandwidth cost. Once a site again becomes eligible, the SNMP objects value is again allowed to increment by as much as the band- width limit value (80000, in this exam- ple). geo-location (Optional) Associates the site with a specific geographic loca- tion. [ no] geo-location location-name Config >Service >GSLB >Site - Geo-location Note: This option is applicable only for manually configuring geo-location mappings. If you plan to load geo-location mappings from a file instead, you do not need to use this option. The location-name can be up to 127 alphanumeric characters. Default: None TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values 494 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters ip-server (Optional) Associates a real server with this site. [ no] ip-server service-name Config >Service >GSLB >Site - IP Server Note: Generally, virtual servers rather than real servers are associated with a site. To associate a vir- tual server with a site, use the vip-server option at the SLB device configuration level. (See SLB device parameters.) Default: None passive-rtt (Optional) Configures options for the passive RTT metric. The options are the same as those for active-rtt. (See above.) [ no] passive-rtt aging-time minutes | bind-geoloc | limit num | mask {/mask-length | mask-ipaddr} | range-factor num | smooth-factor num Config >Service >GSLB >Site - Options See the description for active-rtt, above. slb-device (Required) Specifies the AX device that provides SLB for the site. [ no] slb-dev device-name ipaddr Config >Service >GSLB >Site - SLB Device The device-name can be up to 31 alphanumeric characters. The IP address must be an address that can be reached by the GSLB AX device. Default: None template (Optional) Binds a template to the site. To use the bw-cost met- ric, use this option to bind a GSLB SNMP template to the site. [ no] template template-name Config >Service >GSLB >Site - Template Name of configured SNMP template. Default: None weight (Optional) Assigns a weight to the site. If the weighted-site metric is enabled in the policy and all metrics before weighted-site result in a tie, the site with the highest weight is preferred. [ no] weight num Config >Service >GSLB >Site - General The weight can be from 1 100. Default: 1 TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 495 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters SLB Device Parameters admin-prefer- ence (Optional) Assigns a preference value to the SLB device. If the admin-preference metric is enabled in the policy and all metrics before this one result in a tie, the SLB device with the highest admin-preference value is preferred. [ no] admin-preference num Config >Service >GSLB >Site - SLB-Device You can specify from 0 255. Default: 100 gateway (Optional) Specifies the gateway that the SLB device will use to reach the GLSB local DNS for collecting active RTT measurements. [ no] gateway ipaddr Config >Service >GSLB >Site - SLB-Device Valid IP address. Default: Not set gateway health check (Optional) Allows GSLB to use a Layer 3 health monitor to check the health of the SLB devices gateway. [ no] gateway health-check Note: The current release does not support configu- ration of this option using the GUI. Enabled or disabled Default: enabled max-client (Optional) Specifies the maximum number of clients for which the GSLB AX device (controller) saves data such as active and passive RTT measurements. [ no] max-client number Config >Service >GSLB >Site - SLB-Device 1-2147483647 Default: 32768 passive-rtt-timer (Optional) For passive RTT, specifies the number of seconds during which samples are collected during each sampling period. You can specify 1-255. The default is 3. [ no] passive-rtt-timer num To prevent samples from being taken for this device, use the no passive-rtt-timer command. Config >Service >GSLB >Site - SLB-Device 1-255 Default: 3 vip-server (Required) Maps this SLB site to a globally configured GSLB service IP address (configured by the service-ip option). [ no] vip-server name Config >Service >GSLB >Site - SLB-Device The name must be the name of a con- figured service IP. (To configure the service IP, use the gslb service-ip command.) Default: None TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values 496 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters Zone Parameters dns-mx-record (Optional) Configures a DNS Mail Exchange (MX) record for the zone. The name is the fully-qualified domain name of the mail server for the zone. If more than MX record is configured for the same zone, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX with the lowest preference value has the highest priority and is tried first. The priority can be 0-65535. There is no default. MX records configured on a zone are used only for services on which MX records are not configured. [ no] dns-mx-record name priority Config >Service >GSLB >Zone - Click Add on the Service section to display the DNS MX Record section. The name is the fully-qualified domain name of the mail server for the zone. The priority can be 0-65535. There is no default preference. Default: None dns-ns-record (Optional) Configures a DNS name server record for the zone. [ no] dns-ns-record domain- name Config >Service >GSLB >Zone - Click Add on the Service section to display the DNS NS Record section. Fully-qualified domain name. Default: None TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 497 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters dns-soa-record (Optional) Configures a DNS start of authority (SOA) record for the GSLB zone. You must specify the DNS server name and mailbox name. The following parameters are optional: Refresh Specifies the number of seconds other DNS servers wait before requesting updated infor- mation for the GSLB zone. Retry Specifies how many seconds other DNS servers wait before resending a refresh request, if GSLB does not respond to the previous request. Expire Specifies how many seconds GSLB can remain unresponsive to a refresh request before the other DNS server drops responding to queries for the zone. Serial Specifies the initial serial number of the SOA record. This number is automatically incre- mented each time a change occurs to any records for the GSLB zone. TTL Specifies the number of seconds GSLB will cache and reuse negative replies (NXDOMAIN messages). A negative reply is an error message indicating that a requested domain does not exist. [ no] dns-soa-record dns-server- name mailbox-name [ expire seconds] [ refresh seconds] [ retry seconds] [ serial num] [ ttl seconds] Note: The current release does not support configu- ration of this option using the GUI. Valid DNS server name and mailbox name. Defaults: No SOA record is configured by default. If you configure one, its parameters have the following default values: Refresh 3600 seconds Retry 900 seconds Expire 1209600 seconds Serial The default is based on the current system time on the GSLB AX device when you create the SOA record. TTL Value of the zone TTL when you create the SOA record policy (Optional) Applies a GSLB policy to the zone. [ no] policy policy-name Config >Service >GSLB >Zone See Policy Parameters on page502. The policy-name can be up to 31 alphanumeric characters. Default: The default GSLB policy is used, unless you configure another policy and apply it to the zone. TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values 498 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters service (Required) Adds a service to the zone. The GSLB AX Series verifies the availability of the service by sending a health check to the specified service port. [ no] service port service-name Config >Service >GSLB >Zone - Service tab The health check must be assigned to the individual service. See Service Parameters below. The port can be a well-known name recognized by the CLI, a port number from 1 to 65535, or * (wildcard match- ing on any port). The service-name can be up to 31 alphanumeric characters. (For the same reason described for zone names, the AX device converts all upper case characters in GSLB service names to lower case.) Default: None ttl (Optional) Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy, for this zone. TTL can be set at different levels of the GSLB con- figuration; however, only one of the TTL settings is used. (See DNS Options on page443.) ttl seconds [ no] Config >Service >GSLB >Zone The health check must be assigned to the individual service. See Service Parameters below. You can specify from 0 to 1000000 (1,000,000) seconds. Default: 10 seconds Service Parameters action (Optional) Specifies the action to perform for DNS traffic. Note: Use of the actions configured for services also must be enabled in the GSLB policy, using the DNS action option. See Table13, GSLB Policy Parameters, on page502. [ no] action {drop | reject | forward {both | query | response}} Config >Service >GSLB >Zone - Click Add in the Service section. You can specify one of the following: Drop Drops DNS queries from the local DNS server. Reject Rejects DNS queries from the local DNS server and returns the Refused message in replies. Forward Forwards requests or queries, as follows: Forward both Forwards queries to the Authoritative DNS server, and forwards responses to the local DNS server. Forward query Forwards que- ries to the Authoritative DNS server, but does not forward responses to the local DNS server. Forward response Forwards responses to the local DNS server, but does not forward que- ries to the Authoritative DNS server. TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 499 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters dns-a-record (Optional) Configures a DNS Address (A) record for the ser- vice, for use with the DNS replace-ip option in the GSLB policy. dns-a-record {service-name | service-ipaddr} {as-replace | no-resp | static | ttl num | weight num} Config >Service >GSLB >Zone - Click Add in the Service section to display the DNS Address Record section. Note: The no-resp option is not valid with the static or as-replace option. If you use no-resp, you cannot use static or as-replace. as-replace This option is used with the ip-replace option in the policy. When both options are set (as-replace here and ip-replace in the policy), the client receives only the IP address set here by service-ip. This option is dis- abled by default. no-resp Prevents the IP address for this site from being included in DNS replies to clients. This option is dis- abled by default. static This option is used with the dns server option in the policy. When both options are set (static here and dns server in the policy), the GSLB AX device acts as the DNS server for the IP address set here by service-ip. This option is disabled by default. ttl Assigns a TTL to the service, 0- 2147483647. By default, the TTL of the zone is used. This option can be used with the dns server option in the policy, or with DNS proxy mode enabled in the policy. weight Assigns a weight to the ser- vice. If the weighted-ip metric is enabled in the policy and all metrics before weighted-ip result in a tie, the service on the site with the highest weight is selected. The weight can be 1-100. By default, the weight is not set. Default: None dns-cname- record (Optional) Configures DNS Canonical Name (CNAME) records for the service. The as-backup option specifies that the record is a backup record. dns-cname-record alias [ as-backup] [ alias ...] Config >Service >GSLB >Zone - Click Add in the Service section to display the DNS CName Record section. Default: None TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values 500 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters dns-mx-record (Optional) Configures a DNS Mail Exchange (MX) record for the service. If more than MX record is configured for the same service, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX record with the lowest priority num- ber has the highest priority and is tried first. dns-mx-record name priority Config >Service >GSLB >Zone - Click Add on the Service tab to display the DNS MX Record tab. Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure A records for the mail service. The name is the fully-qualified domain name of the mail server for the service. The priority can be 0-65535. There is no default. dns-ns-record (Optional) Configures a DNS name server record for the ser- vice. dns-ns-record domain-name [ as-backup] Config >Service >GSLB >Zone - Click Add on the Service tab to display the DNS NS Record tab. Fully-qualified domain name Not set dns-ptr-record (Optional) Configures a DNS pointer record for the service. dns-ptr-record domain-name Config >Service >GSLB >Zone - Click Add on the Service tab to display the DNS PTR Record tab. Fully-qualified domain name Not set gateway health check (Optional) Allows GSLB to use a Layer 3 health monitor to check the health of the service by sending health checks to the site gateway. [ no] health-check gateway Note: The current release does not support configu- ration of this option using the GUI. Enabled or disabled Default: enabled geo-location (Optional) Maps an alias to the specified geographic location for this service. [ no] geo-location location-name alias url Config >Service >GSLB >Zone - Click Add in the Service section to display the Geo-location section. This CNAME overrides any CNAME globally con- figured for the zone. The location-name is a global GSLB parameter and must already be config- ured. (See Global GSLB parameters and Site parameters above.) The alias is a service parameter and must already be configured. (See above.) Default: None TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 501 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters ip-order (Optional) Specifies the order in which to list the service IP addresses (VIPs) for this service in the DNS replies to clients. The ip-order is one of the metrics used to select the best IP address for a service. [ no] ip-order {service-name | service-ipaddr} [ service-ipaddr . . . ] Config >Service >GSLB >Zone - Click Add in the Service section to display the DNS Address Record section. Each service-ipaddr is a virtual IP address assigned to the service at this site. Generally, each service will have a dif- ferent virtual IP address for each real server that provides the service at the site. policy (Optional) Applies the specified GSLB policy to the service. [ no] policy policy-name Config >Service >GSLB >Zone - Click Add in the Service section to display the Service section. The policy-name can be up to 31 alphanumeric characters. You must configure the policy before you apply it. Default: The GSLB policy applied to the zone is also applied to the services in that zone. If no policy is applied to the zone, the default GSLB policy is applied. TABLE 12 GSLB Parameters (Continued) Parameter Description and Syntax Supported Values 502 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters Policy Parameters Table13 lists the GSLB policy parameters. TABLE 13 GSLB Policy Parameters Parameter Description and Syntax Supported Values Load Balancing Metrics active-rtt Load balancing metric that selects the site with the fastest round-trip-time for a DNS query and reply between a site AX device and the GSLB local DNS. The active RTT metric is disabled by default. You can enable it to take either a single sample (single shot) or multiple samples at regular intervals. [ no] active-rtt [ difference num] [ fail-break] [ ignore-id num] [ keep-tracking] [ limit ms] [ samples num-samples] [ single-shot] [ skip count] [ timeout seconds] [ tolerance num-percentage] Config >Service >GSLB >Policy - Metrics Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See Metrics That Require the GSLB Protocol on Site AX Devices on page445.) The state is one of the following: Enabled Disabled This is the default. When you enable the active-rtt metric, the default number of samples is 5. The default store-by is slb-device. The default tolerance is 10 percent. active-servers Load balancing metric that selects the site that has the most active servers for the requested service. The fail-break option enables GSLB to stop if the number of active servers for all services is 0. [ no] active-servers [ fail-break] Config >Service >GSLB >Policy - Metrics The state is one of the following: Enabled Disabled This is the default. admin-prefer- ence Load balancing metric that selects the service with the highest administratively set preference. [ no] admin-preference Config >Service >GSLB >Policy - Metrics The state is one of the following: Enabled Disabled This is the default. The preference can be from 0 to 255. The default is 100 for each site. P e r f o r m a n c e b y D e s i g n 503 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters alias-admin-pref- erence Load balancing metric that selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin Preference metric, but applies only to DNS CNAME records. [ no] alias-admin-preference Note: The current release does not support configu- ration of this metric in the GUI. The state is one of the following: Enabled Disabled This is the default. bw-cost Load balancing metric that selects sites based on bandwidth utilization on the site AX links. The fail-break option enables GSLB to stop if the current bw-cost value is over the limit. [ no] bw-cost [ fail-break] Config >Service >GSLB >Policy - Metrics The state is one of the following: Enabled Disabled This is the default. capacity Sites that have not exceeded their thresholds for their respective maximum TCP/UDP sessions are preferred over sites that have exceeded their thresh- olds. Example: Site As maximum session capacity is 800,000 and Site Bs maximum session capacity is 500,000. If the session-capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000. The fail-break option enables GSLB to stop if the session utilization on all site SLB devices is over the threshold. [ no] capacity [ threshold num] [ fail-break] Config >Service >GSLB >Policy - Metrics Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See Metrics That Require the GSLB Protocol on Site AX Devices on page445.) The state is one of the following: Enabled Disabled This is the default. The threshold can be from 0 to 100 percent. The default is 90. TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values 504 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters connection-load Sites that are at or below their thresholds of average new connections per second are preferred over sites that are above their thresholds. The fail-break option enables GSLB to stop if the connection load for all sites is over the limit. [ no] connection-load [ limit average-load] | [ samples num interval seconds] [ fail-break] Config >Service >GSLB >Policy - Metrics Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See Metrics That Require the GSLB Protocol on Site AX Devices on page445.) The state is one of the following: Enabled Disabled This is the default. The limit can be from 1 to 999999999 (999,999,999). The default is not set (unlimited). The samples can be from 1 to 8. The default is 5. The interval can be from 1 to 60 sec- onds. The default is 5 seconds. geographic Service IP addresses for the geographic region where the client is located are preferred over addresses from other regions. The GSLB AX Series selects the geographic region by matching the clients IP address with the GSLB address ranges configured using geo-location options. [ no] geographic Config >Service >GSLB >Policy - Metrics The state is one of the following: Enabled This is the default. Disabled health-check Service IP addresses that pass their health checks are preferred over addresses that do not pass their health checks. An IP address that fails its health check is not auto- matically ineligible to be included in the DNS reply to a client. [ no] health-check Config >Service >GSLB >Policy - Metrics Note: This metric requires the GSLB protocol to be enabled on the site AX devices, if the default health checks are used on the service IPs. (See Health Checks on page440.) The state is one of the following: Enabled This is the default. Disabled TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 505 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters least-response Service IP addresses with the fewest hits are pre- ferred over addresses with more hits. [ no] least-response Config >Service >GSLB >Policy - Metrics Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See Metrics That Require the GSLB Protocol on Site AX Devices on page445.) The state is one of the following: Enabled Disabled This is the default. num-session Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds. The tolerance specifies the percentage by which the number of available sessions on site SLB devices can differ without causing the num-session metric to select one SLB device over another. Thus, minor differences among SLB devices do not cause fre- quent, unnecessary changes in site preference. Example: Site A has 800,000 sessions available and Site B has 600,000 sessions available. The difference between the two sites is 200,000 available sessions. If num- session is set to 10, then Site A is preferred because 200,000 is larger than 10% of 800,000, which is 80,000. [ no] num-session [ tolerance num] Config >Service >GSLB >Policy - Metrics Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See Metrics That Require the GSLB Protocol on Site AX Devices on page445.) The state is one of the following: Enabled Disabled This is the default. When you enable the num-session metric, the default tolerance is 10 per- cent. ordered-ip Service IP addresses are re-ordered in DNS replies to match the order administratively configured for the service. The prioritized list is sent to the next metric for fur- ther evaluation. If ordered-ip is the last metric, the prioritized list is sent to the client. The ordered list of IP addresses must be configured for the service. To send only the first (top) IP address in the IP list, use the top-only option. [ no] ordered-ip [ top-only] Config >Service >GSLB >Policy - Metrics The state is one of the following: Enabled Disabled This is the default. TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values 506 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters passive-rtt Sites with faster round-trip times (RTTs) between a client and the site are preferred over sites with slower times. The passive RTT is the time between when the site AX device receives a clients TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection. Passive RTT measurements are taken for client addresses in each /24 subnet range. Passive RTT tolerance is a percentage from 0 to 100. It specifies how much the RTT values of sites must differ in order for GSLB to prefer one site over the other based on RTT. Example: Site As RTT value is 0.3 seconds and Site Bs RTT value is 0.32 seconds. If the passive RTT tolerance is 10% then the two sites are treated as having the same passive RTT preference. The fail-break option enables GSLB to stop if the configured RTT limit in a policy is reached. [ no] passive-rtt [ difference num] [ samples num-samples] [ tolerance num-percentage] [ fail-break] Config >Service >GSLB >Policy - Metrics Note: This metric requires the GSLB protocol to be enabled on the site AX devices. (See Metrics That Require the GSLB Protocol on Site AX Devices on page445.) The state is one of the following: Enabled Disabled This is the default. When you enable the passive-rtt met- ric, the default number of samples is 5. The default store-by is slb-device. The default tolerance is 10 percent. round-robin Each service IP address is used sequentially, in rota- tion. The first service IP address is selected for the first new connection, the second address is selected for the second new connection, and so on until all service IP addresses have been selected. Then selec- tion starts over again with the first service IP address. [ no] round-robin Config >Service >GSLB >Policy - Metrics The state is one of the following: Enabled This is the default. Disabled TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 507 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters weighted-alias Load balancing metric that prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to weighted-ip, but applies only to DNS CNAME records. [ no] weighted-alias Note: The current release does not support configu- ration of this metric in the GUI. The state is one of the following: Enabled Disabled This is the default. weighted-ip Service IP addresses with higher weight values are used more often than addresses with lower weight values. As a simple example, assume that the weighted-ip metric is the only enabled metric, or at least always ends up being the tie breaker. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2 has weight 2. During a given session aging period, the first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so on, (4 to 10.10.10.1, then 2 to 10.10.10.2). The total-hits option first sends requests to the serv- ice IP addresses that have fewer hits. After all serv- ice IP addresses have the same number of hits, GSLB sends requests based on weight. This option is disabled by default. [ no] weighted-ip [ total-hits] Config >Service >GSLB >Policy - Metrics The state is one of the following: Enabled Disabled This is the default. weighted-site Sites with higher weight values are used more often than sites with lower weight values. As a simple example, assume that the weighted-site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has weight 4 and site B has weight 2. During a given session aging period, the first 4 requests go to site A, the next 2 requests go to site B, and so on, (4 to A, then 2 to B). The total-hits option first sends requests to the sites that have fewer hits. After all service sites have the same number of hits, GSLB sends requests based on weight. This option is disabled by default. [ no] weighted-site [ total-hits] Config >Service >GSLB >Policy - Metrics The state is one of the following: Enabled Disabled This is the default. TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values 508 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters metric-order Assigns a geographic location to an IP address range. GSLB forwards client requests from addresses within the range to the GSLB site that serves the location. [ no] metric-order metric [ metric . . . ] Config >Service >GSLB >Policy - Metrics The first metric you specify becomes the primary metric. If you specify additional parameters, they are used in the priority you specify. All remaining metrics are prioritized to follow the metrics you specify. For example, if you specify only the ordered-ip met- ric with the command, and the metric order in the policy has not been changed previously, the ordered-ip metric becomes the first metric. The health-check metric becomes the second metric, the weighted-ip metric becomes the third metric, and so on. You can specify one or more of the fol- lowing metrics (listed alphabetically): active-rtt active-servers admin-preference bw-cost capacity connection-load geographic health-check least-response num-session ordered-ip passive-rtt weighted-ip weighted-site Default metric order: See GSLB Pol- icy on page438. metric-force- check Forces the GSLB controller to always check all met- rics in the policy. [ no] metric-force-check Config >Service >GSLB >Policy The state is one of the following: Enabled Disabled This is the default. metric-fail-break Enables GSLB to stop if there are no valid service IPs. [ no] metric-fail-break Note: In the current release, this option can not be configured using the GUI. The state is one of the following: Enabled Disabled This is the default. DNS Parameters action Enable GSLB to perform the DNS actions specified in the service configurations. [ no] dns action Config >Service >GSLB >Policy - DNS Options Note: To configure the DNS action for a service, use the act i on option at the configuration level for the service. See Table12, GSLB Parameters, on page487. The state is one of the following: Enabled Disabled This is the default. TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 509 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters active-only Removes IP addresses from DNS replies when those addresses fail a health check. Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB AX Series does not use this metric, since it would result in an empty IP address list. [ no] dns active-only Config >Service >GSLB >Policy - DNS Options The state is one of the following: Enabled Disabled This is the default. addition-mx Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode. [ no] dns addition-mx Config >Service >GSLB >Policy - DNS Options The state is one of the following: Enabled Disabled This is the default. backup-alias Returns the alias CNAME record configured for the service, if GSLB does not receive an answer to a query for the service and no active DNS server exists. [ no] dns backup-alias Config >Service >GSLB >Policy - DNS Options The state is one of the following: Enabled Disabled This is the default. best-only Removes all IP addresses from DNS replies except for the address selected as the best address by the GSLB policy metrics. [ no] dns best-only [ max-answers] Config >Service >GSLB >Policy - DNS Options The state is one of the following: Enabled Disabled This is the default. cache Caches DNS replies and uses them when replying to clients, instead of sending a new DNS request for every client query. [ no] dns cache [ aging-time seconds | ttl] Config >Service >GSLB >Policy - DNS Options For more information on this option, see Order in Which Sticky, Server, Cache, and Proxy Options Are Used on page444. The state is one of the following: Enabled Disabled This is the default. The aging time can be 1-1,000,000,000 seconds (nearly 32 years). Default: TTL set by the DNS server in the reply Note: If you change the value and later want to restore it to the default, use the ttl option. cname-detect Applies GSLB to CNAME records. [ no] dns cname-detect Config >Service >GSLB >Policy - DNS Options The state is one of the following: Enabled This is the default. Disabled TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values 510 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters external-ip Returns the external IP address configured for a ser- vice IP. If this option is disabled, the internal address is returned instead. [ no] dns external-ip Config >Service >GSLB >Policy - DNS Options Note: The external IP address must be configured on the service IP. Use the external-ip option at the configuration level for the service IP. See Table12, GSLB Parameters, on page487. The state is one of the following: Enabled This is the default. Disabled geoloc-action Performs the DNS traffic handling action specified for the clients geo-location. The action is specified as part of service configuration in a zone. [ no] dns geoloc-action Config >Service >GSLB >Policy - DNS Options Note: To configure the DNS action for a service, use the geo-location action option at the configura- tion level for the service. See Table12, GSLB Parameters, on page487. The state is one of the following: Enabled Disabled This is the default. geoloc-alias Returns the alias name configured for the clients geo-location. [ no] dns geoloc-alias Config >Service >GSLB >Policy - DNS Options The state is one of the following: Enabled Disabled This is the default. geoloc-policy Uses the GSLB policy assigned to the clients geo- location. [ no] dns geoloc-policy Config >Service >GSLB >Policy - DNS Options The state is one of the following: Enabled Disabled This is the default. ip-replace Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service. [ no] dns ip-replace Config >Service >GSLB >Policy - DNS Options The state is one of the following: Enabled Disabled This is the default. TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 511 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters ipv6 Enables support for IPv6 AAAA records. You can configure the following options: Mapping Specifies the actions in response to an IPv6 DNS query. You can enable one or more of these options. Addition Append AAAA records in the DNS Addition section of replies. Answer Append AAAA records in the DNS Answer section of replies. Exclusive Replace A records (IPv4 address records) with AAAA records. Replace Reply with AAAA records only. Mix Enables GSLB to return both AAAA and A records in the same answer. Smart Enables IPv6 return by query type. For the ipv4-ipv6 mapping records, an A query (IPv4) will return an A record and an AAAA query (IPv6) will return an AAAA record. Note: The current release has the following limita- tions: Health checks and the GSLB protocol use IPv4 only. IP address-related metrics such as RTT are always based on IPv4. Virtual servers for GSLB service IPs are required to have both an IPv4 and an IPv6 address. [ no] dns ipv6 options Note: The current release does not support configu- ration of these options using the GUI. All options are disabled by default. logging Configures DNS logging. [ no] dns logging {both | query | response} [ geo-location name | ip ipaddr] Note: The current release does not support configu- ration of these options using the GUI. Disabled by default TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values 512 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters server Directly responds to Address queries for specific service IP addresses in the GSLB zone. (The AX device still forwards other types of queries to the DNS server.) If you use this option, you do not need to use the cname-detect option. When a client requests a con- figured alias name, GSLB applies the policy to the CNAME records. addition-mx enables the GSLB AX device to provide the A record containing the mail servers IP address in the Additional section, when the device is configured for DNS server mode. authoritative makes the AX device the authori- tative DNS server for the GSLB zone domain, for the service IPs in which you enable the static option. If you omit the authoritative option, the AX device is a non-authoritative DNS server for the zone domain. The full-list option appends all A records in the Authoritative section of DNS replies. mx Provides the MX record in the Answer sec- tion, and the A record for the mail server in the Additional section, when the device is configured for DNS server mode. ns [auto-ns] Provides the NS record. ptr [auto-ptr] Provides the pointer record. To place the server option into effect, you also must enable the static option on the individual service IP. [ no] dns server addition-mx [ no] dns server authoritative [ full-list] [ no] dns server mx [ no] dns server ns [auto-ns] [ no] dns server ptr [auto-ptr] Config >Service >GSLB >Policy - DNS Options For more information on this option, see Order in Which Sticky, Server, Cache, and Proxy Options Are Used on page444. The state is one of the following: Enabled Disabled This is the default. Other defaults: addition-mx Disabled authoritative The AX device is a non-authoritative DNS server for the zone domain. mx Disabled TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 513 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide GSLB Parameters sticky Sends the same service IP address to a client for all requests from that client for the service address. [ no] dns sticky [ /prefix-length] [ aging-time minutes] [ ipv6-mask mask-length] The /prefix-length and ipv6-mask options adjust the granularity of the feature. Config >Service >GSLB >Policy - DNS Options The aging-time option specifies how many minutes a DNS reply remains sticky. You can specify 1- 65535 minutes. Note: If you enable the sticky option, the sticky time must be as long or longer than the zone TTL. (Use the ttl command at the configuration level for the zone.) For more information on this option, see Order in Which Sticky, Server, Cache, and Proxy Options Are Used on page444. The state is one of the following: Enabled Disabled This is the default. The default prefix is /32, which causes the AX device to maintain separate stickiness information for each local DNS server. For example, if two cli- ents use DNS 10.10.10.25 as their local DNS server, and two other clients use DNS 10.20.20.99 as their local DNS server, the AX maintains sepa- rate stickiness information for each set of clients, by maintaining separate stickiness information for each of the local DNS servers. The aging time can be 1-65535 min- utes. Default: 5 minutes ttl Specifies the value to which the AX Series changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy. [ no] dns ttl num Config >Service >GSLB >Policy - DNS Options You can specify from 0 to 1000000 (1,000,000) seconds. Default: 10 seconds Geo-location Parameters geo-location Assigns a geographic location to an IP address range. GSLB forwards client requests from addresses within the range to the GSLB site that serves the location. This is an alternative to loading a geo-location database. [ no] geo-location location-name start-ip-addr [ mask ip-mask] [ end-ip-addr] This parameter cannot be configured using the GUI. [ no] geo-location match-first {global | policy} The match-first parameter specifies whether to match the requested IP address with the global geo- location table or with the geo-location table config- ured in the policy. [ no] geo-location overlap The geo-location mapping and overlap cannot be configured using the GUI. To configure the match- first parameter, select Config >Service >GSLB > Policy - Geo-location The location-name can be up to 127 alphanumeric characters. Default location: None Default match-first: global Default overlap: disabled TABLE 13 GSLB Policy Parameters (Continued) Parameter Description and Syntax Supported Values 514 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples Configuration Examples These examples implement the GSLB configuration shown in Figure130 on page436. The examples assume that the default GSLB policy is used, without any changes to the policy settings. CLI Example Configuration on the GSLB AX Device (GSLB Controller) The following commands configure a health monitor for the local DNS server to be proxied: AX- Cont r ol l er ( conf i g) #health monitor dns-53 AX- Cont r ol l er ( conf i g- heal t h: moni t or ) #method dns domain example.com AX- Cont r ol l er ( conf i g- r eal ser ver ) #exit The following commands configure the DNS proxy: AX- Cont r ol l er ( conf i g) #slb server dns-1 10.10.10.53 AX- Cont r ol l er ( conf i g- r eal ser ver ) #port 53 udp AX- Cont r ol l er ( conf i g- r eal ser ver - node por t ) #health-check dns-53 AX- Cont r ol l er ( conf i g- r eal ser ver - node por t ) #exit AX- Cont r ol l er ( conf i g- r eal ser ver ) #exit AX- Cont r ol l er ( conf i g) #slb service-group sg-1 udp AX- Cont r ol l er ( conf i g- sl b ser vi ce gr oup) #member dns-1:53 AX- Cont r ol l er ( conf i g- sl b ser vi ce gr oup) #exit AX- Cont r ol l er ( conf i g) #slb virtual-server DNS_SrvA 10.10.10.100 AX- Cont r ol l er ( conf i g- sl b vi r t ual - ser ver ) #port 53 udp AX- Cont r ol l er ( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #gslb-enable AX- Cont r ol l er ( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group sg-1 AX- Cont r ol l er ( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX- Cont r ol l er ( conf i g- sl b vi r t ual ser ver ) #exit The following commands configure the service IP addresses. The VIP address and virtual port number of the virtual server in the site AX Series devices SLB configuration are used as the service IP address and port num- ber on the GSLB AX Series device. AX- Cont r ol l er ( conf i g) #gslb service-ip servicevip1 2.1.1.10 AX- Cont r ol l er ( conf i g- gsl b ser vi ce i p) #port 80 tcp AX- Cont r ol l er ( conf i g- gsl b ser vi ce i p) #exit AX- Cont r ol l er ( conf i g) #gslb service-ip servicevip2 3.1.1.10 AX- Cont r ol l er ( conf i g- gsl b ser vi ce i p) #port 80 tcp AX- Cont r ol l er ( conf i g- gsl b ser vi ce i p) #exit The following command loads the IANA file into the geo-location database: AX- Cont r ol l er ( conf i g) #gslb geo-location load iana P e r f o r m a n c e b y D e s i g n 515 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples The following commands configure the sites. For each site SLB device, enter the IP address of the AX Series device that provides SLB at the site. For the VIP server names, enter the service IP name specified above. AX- Cont r ol l er ( conf i g) #gslb site usa AX- Cont r ol l er ( conf i g- gsl b si t e) #slb-dev ax-a 2.1.1.1 AX- Cont r ol l er ( conf i g- gsl b si t e- sl b dev) #vip-server servicevip1 AX- Cont r ol l er ( conf i g- gsl b si t e- sl b dev) #exit AX- Cont r ol l er ( conf i g- gsl b si t e) #exit AX- Cont r ol l er ( conf i g) #gslb site asia AX- Cont r ol l er ( conf i g- gsl b si t e) #slb-dev ax-b 3.1.1.1 AX- Cont r ol l er ( conf i g- gsl b si t e- sl b dev) #vip-server servicevip2 AX- Cont r ol l er ( conf i g- gsl b si t e- sl b dev) #exit AX- Cont r ol l er ( conf i g- gsl b si t e) #exit The following commands configure the GSLB zone: AX- Cont r ol l er ( conf i g) #gslb zone a10.com AX- Cont r ol l er ( conf i g- gsl b zone) #service http www AX- Cont r ol l er ( conf i g- gsl b zone- gsl b ser vi ce) #dns-cname-record www.a10.co.cn AX- Cont r ol l er ( conf i g- gsl b zone- gsl b ser vi ce) #geo-location China www.a10.co.cn AX- Cont r ol l er ( conf i g- gsl b zone- gsl b ser vi ce) #exit AX- Cont r ol l er ( conf i g- gsl b zone) #exit At the configuration level for the service (www), the CNAME www.a10.co.cn is configured, and the CNAME is associated with geo-loca- tion China. If a clients IP address is in the range for the China geo-location, GSLB sends the CNAME www.a10.co.cn in the DNS reply. The following command enables the GSLB protocol: AX- Cont r ol l er ( conf i g) #gslb protocol enable controller Configuration on Site AX Device AX-A The following commands configure SLB on site AX device AX-A in Figure130 on page436: Si t e- AX- A( conf i g) #slb server www 2.1.1.2 Si t e- AX- A( conf i g- r eal ser ver ) #port 80 tcp Si t e- AX- A( conf i g- r eal ser ver - node por t ) #exit Si t e- AX- A( conf i g- r eal ser ver ) #exit Si t e- AX- A( conf i g) #slb server www2 2.1.1.3 Si t e- AX- A( conf i g- r eal ser ver ) #port 80 tcp Si t e- AX- A( conf i g- r eal ser ver - node por t ) #exit Si t e- AX- A( conf i g- r eal ser ver ) #exit Si t e- AX- A( conf i g) #slb service-group www tcp Si t e- AX- A( conf i g- sl b ser vi ce gr oup) #member www:80 Si t e- AX- A( conf i g- sl b ser vi ce gr oup) #member www2:80 Si t e- AX- A( conf i g- sl b ser vi ce gr oup) #exit Si t e- AX- A( conf i g) #slb virtual-server www 2.1.1.10 Si t e- AX- A( conf i g- sl b vi r t ual ser ver ) #port 80 http 516 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples Si t e- AX- A( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group www Si t e- AX- A( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit Si t e- AX- A( conf i g- sl b vi r t ual ser ver ) #exit Note: The virtual server IP address must be the same as the GSLB service IP address configured on the GSLB AX device. The following command enables the GSLB protocol: Si t e- AX- A( conf i g) #gslb protocol enable device Configuration on Site AX Device AX-B The following commands configure SLB and enable the GSLB protocol on site AX device AX-B: Si t e- AX- B( conf i g) #slb server www 3.1.1.2 Si t e- AX- B( conf i g- r eal ser ver ) #port 80 tcp Si t e- AX- B( conf i g- r eal ser ver - node por t ) #exit Si t e- AX- B( conf i g- r eal ser ver ) #exit Si t e- AX- B( conf i g) #slb server www2 3.1.1.3 Si t e- AX- B( conf i g- r eal ser ver ) #port 80 tcp Si t e- AX- B( conf i g- r eal ser ver - node por t ) #exit Si t e- AX- B( conf i g- r eal ser ver ) #exit Si t e- AX- B( conf i g) #slb service-group www tcp Si t e- AX- B( conf i g- sl b ser vi ce gr oup) #member www:80 Si t e- AX- B( conf i g- sl b ser vi ce gr oup) #member www2:80 Si t e- AX- B( conf i g- sl b ser vi ce gr oup) #exit Si t e- AX- B( conf i g) #slb virtual-server www 3.1.1.10 Si t e- AX- B( conf i g- sl b vi r t ual ser ver ) #port 80 http Si t e- AX- B( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group www Si t e- AX- B( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit Si t e- AX- B( conf i g- sl b vi r t ual ser ver ) #exit Si t e- AX- B( conf i g) #gslb protocol enable device GUI Example Configuration on the GSLB AX Device (GSLB Controller) Configure a Health Monitor for the DNS Proxy 1. Select Config >Service >Health Monitor. 2. On the menu bar, select Health Monitor. 3. Click Add. 4. Enter a name for the monitor in the Name field. P e r f o r m a n c e b y D e s i g n 517 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples 5. In the Method section, select DNS from the Type drop-down list. 6. In the Domain field, enter the domain name. (Generally, this is the same as the GSLB zone name you will configure.) Configure the DNS Proxy 1. Begin configuring the proxy: a. Select Config >Service >GSLB. b. On the menu bar, select DNS Proxy. c. Click Add. d. Enter a name for the proxy in the Name field. e. In the IP Address field, enter the IP address that will be advertised as the authoritative DNS server for GSLB zone. Note: The GUI will not accept the configuration if the IP address you enter here is the same as the real DNS server IP address you enter when configuring the service group for this proxy. (below). f. In the GSLB Port section, click Add. The GSLB Port section appears. 2. Configure the service group: a. In the Service Group drop-down list, select create to create a ser- vice group. (See Figure132 on page518.) The Service Group section appears. b. Enter the service group information. For this example, enter the fol- lowing: Name gslb-proxy-sg-1 Port type UDP Load-balancing metric (algorithm) Round-Robin Health Monitor default c. In the Server section, enter the DNS servers real IP address in the Server field, and enter the DNS port number in the port field. d. Click Add. The DNS port appears in the list. (See Figure133 on page518.) e. Click OK. The GSLB Port section reappears. In the service drop- down list, the service group you just configured is selected. (See Figure134 on page519.) 518 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples 3. Finish configuration of the proxy: a. Click OK. The Proxy section reappears. (See Figure135 on page519.) b. Click OK. The DNS proxy appears in the DNS Proxy table. (See Figure136 on page519.) FIGURE 132 Configure >Service >GSLB >DNS Proxy FIGURE 133 Configure >Service >GSLB >DNS Proxy - service group configuration P e r f o r m a n c e b y D e s i g n 519 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples FIGURE 134 Configure >Service >GSLB >DNS Proxy - service group selected FIGURE 135 Configure >Service >GSLB >DNS Proxy - GSLB port configured FIGURE 136 Configure >Service >GSLB >DNS Proxy - DNS proxy configured 520 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples Load the IANA Geo-location Database 1. Select Config >Service >GSLB. 2. On the menu bar. select Geo-location >Import. 3. In the Load/Unload section, enter iana in the File field. Leave the Template field blank. 4. Click Add. Configure Services 1. Select Config >Service >GSLB. 2. On the menu bar, select Service IP. 3. Click Add. 4. Enter the service name and IP address. For this example, enter the fol- lowing: Name servicevip1 IP Address 2.1.1.10 (This is the VIP address of a site. Configure a separate GSLB service IP for each SLB VIP.) 5. If needed, assign an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network. 6. Add the service port(s): a. Enter the port number and select the protocol (TCP or UDP). b. Optionally, select a health monitor. c. Click Add. The service port appears in the service port list. For this example, add TCP port 80 and leave the health monitor unselected. (See Figure137 on page521.) 7. Click OK. 8. Repeat for each service IP. P e r f o r m a n c e b y D e s i g n 521 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples FIGURE 137 Config >Service >GSLB >Service IP Configure Sites 1. Select Config >Service >GSLB. 2. On the menu bar, select Site. 3. Click Add. 4. Enter the site name. 5. In the SLB-Device section, enter information about the AX devices that provide SLB for the site: a. Click Add. b. Enter a name for the device. c. Enter the IP address at which the GSLB AX device will be able to reach the site AX device. d. To add a service to this SLB device, select it from the drop-down list in the VIP server section and click Add. Repeat for each service. For this example, enter the following: Name AX-A IP Address 2.1.1.1 (This is the IP address of the site AX device that provides SLB for the site.) 522 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples GSLB Service Add a service IP by selecting it from the drop- down list and clicking Add. For this example, add servicevip1 to site usa. 6. In the IP-Server section, add services to the site. Select a service from the drop-down list and click Add. Repeat for each service. 7. To manually map a geo-location name to the site, enter the geo-location name in the Geo-location section and click Add. 8. Click OK. The site appears in the Site table. FIGURE 138 Configure >Service >GSLB >Site - SLB Device P e r f o r m a n c e b y D e s i g n 523 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples FIGURE 139 Configure >Service >GSLB >Site - site parameters selected Configure a Zone 1. Select Config >Service >GSLB. 2. On the menu bar, select Zone. 3. Click Add. 4. Enter the zone name in the Name field. 5. In the Service section, click Add. (See Figure140 on page524.) The service configuration sections appear. 6. In the Service field, enter the service name. 524 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples 7. Select the service type from the Port drop-down list. 8. Add the services: a. In the Service section, click Add. b. Enter name for the service (for example, www). c. Select the service type from the Port drop-down list. d. Configure additional options, if applicable to your deployment. (See Table12, GSLB Parameters, on page487.) e. Click OK. f. Repeat for each service. 9. Click OK. The zone appears in the GSLB zone list. FIGURE 140 Configure >Service >GSLB >Zone P e r f o r m a n c e b y D e s i g n 525 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples FIGURE 141 Configure >Service >GSLB >Zone Enable the GSLB Protocol 1. Select Config >Service >GSLB. 2. On the menu bar, select Global. 3. Select Enabled next to Run GSLB as Controller. 4. Click OK. 526 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Examples Configuration on Site AX Devices SLB configuration is the same with or without GSLB, and is not described here. To enable the AX device to run GSLB as a site AX device, perform the fol- lowing steps on each site AX device: 1. Select Config >Service >GSLB. 2. On the menu bar, select Global. 3. Select Enabled next to Run GSLB as Site SLB Device. 4. Click OK. P e r f o r m a n c e b y D e s i g n 527 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview RAMCaching You can use the AX device as a transparent cache server, along with the devices many other uses. Overview The RAM Cache is a high-performance, in-memory Web cache that by default caches HTTP responses (RFC 2616 compliant). The RAM Cache can store a variety of static and dynamic content and serve this content instantly and efficiently to a large number of users. Caching of HTTP content reduces the number of Web server transactions and hence the load on the servers. Caching of dynamic content reduces the latency and the computation cost of generating dynamic pages by applica- tion servers and database servers. Caching can also result in significant reduction in page download time and in bandwidth utilization. RAM caching is especially useful for high-demand objects on a website, for static content such as images, and when used in conjunction with compres- sion to store compressed responses, eliminating unnecessary overhead. RFC 2616 Support In general, AX RAM caching conforms with the cache requirements described in RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1, in sec- tions 13 and 14. AX RAM caching considers HTTP responses with the following status codes to be cacheable: 200 OK 203 Non-Authoritative Response 300 Multiple Choices 301 Moved Permanently 302 Found (only if Expires header is also present) 410 Gone 528 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview However, if there is no Content-Length header, the response will not be cached. Warning headers are not supported. If-Modified-Since Header Support The AX device supports If-Modified-Since (IMS) headers in GET requests from clients. Optionally, a client can include the following header in a GET request: I f - Modi f i ed- Si nce: date-time This header instructs the content server (or cache server) to send the requested page only if the page has been modified subsequent to the date and time specified in the IMS header. The AX device responds as follows: If the requested content is in the cache and is still fresh, but the content was cached before the date and time in the IMS header, the AX device sends a 304 Not Modified response to the client. If the requested content is in the cache and is still fresh, and the content was cached after the date and time in the IMS header, the AX device sends a 200 OK response, along with the requested page, to the client. If the requested content is not in the cache, or is in the cache but is stale, the AX device deletes the IMS header from the request. This forces the server to send a 200 OK response, which is then immediately cached. Support for no-cache and max-age=0 Cache-Control Headers According to RFC 2616, either of the following Cache-Control headers in a request should make the cache (the AX device) reload the cached object from the origin server: Cache-Control: no-cache Cache-Control: max-age=0 However, for security, support for these headers is disabled by default. Thee headers can make the AX device vulnerable to Denial of Service (DoS) attacks. To enforce strict RFC compliance, you can enable support for the headers. P e r f o r m a n c e b y D e s i g n 529 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Insertion of Age and Via Headers into Cached Responses RAM caching supports insertion of Age and Via headers into cached server replies before they are sent to clients. Age header indicates the age of the cached response, measured in sec- onds Via header indicates the AX software version, in the following format: AX- CACHE- software-version( major. minor) : last-octet-of-VIP address Here is an excerpt of a cached server reply containing these headers: HTTP/ 1. 1 200 OK Ser ver : AX- 3200 Dat e: Thu, 04 Mar 2010 20: 46: 23 GMT Cont ent - Type: t ext / pl ai n Cont ent - Lengt h: 4096 Last - Modi f i ed: Fr i , 29 J an 2010 00: 37: 46 GMT Age: 230 Via: AX-CACHE-2.4:130 Insertion of these headers is enabled by default. You can disable insertion of the Age and Via headers, in individual RAM caching templates. Cacheability Behavior of AX RAMCache A response for a request that uses any method other than GET is not cached. A response for a GET request that contains a body is not cached. A request that contains an Authorization or a Proxy-Authorization header is not cacheable. The authorization header contains security- related information and should not be cached. A response for a request that contains an If-Match header or an If- Unmodified-Since header is not cached. An HTTP response which has a Vary header with a value of anything other than Accept-Encoding is not cached. (The compression module inserts the Vary: Accept-Encoding header.) A response with a Cache-Control header that has one of the following values: No-Cache, No-Store, Private is not cached. If the Cache-Control header has one of the following values: Public, Must-Revalidate, Proxy-Revalidate, Max-Age, S-Maxage it is cached. 530 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Responses that contain a Pragma header are not cached. Responses that contain a Set-Cookie or a Set-Cookie2 header are not cached. (Responses with Cookie headers often contain information that is specific to the user and so should not be cached.) If the response type is FIN terminated, or the response does not have one of the following attributes: Content-Length, or Transfer-Encoding: Chunked, it is not cached. Caching Server Replies in Cookie Persistence Configurations AX RAM caching does not cache responses that contain cookies. In config- urations that also use cookie persistence, this behavior prevents server responses from being cached. You can enable the AX device to remove cookies from server replies, so that the replies can be cached. Note: Image files are an exception. RAM caching can cache images that have cookies. Dynamic Caching You can enhance RAM caching performance with dynamic RAM caching. Dynamic RAM caching is useful in situations where the response to a client request can be used multiple times before the response expires. Here are some examples where dynamic RAM caching is beneficial: The same response is usable by multiple users within a certain period of time. In this case, dynamic RAM caching is useful even if the cache expiration period is very small, if enough users access the response within that period. For example, dynamic RAM caching is beneficial for a hierarchical directory that is generated dynamically but presents the same view to all users that request it. The response is usable by only a single user but the user accesses it mul- tiple times. For example, if the response generated in one session can be used unchanged in a second session. Host Verification RAM caching has an optional host verification feature. Host verification supports multiple name-based virtual hosts. Name-based virtual hosts are host names that share the same IP address. For example, the real server IP address 192.168.209.34 could be shared by the following virtual hosts: www.abc.com www.xyz.com P e r f o r m a n c e b y D e s i g n 531 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching By default, host verification is disabled. When the AX device receives the server response for cacheable content, the AX device caches the content along with the URI, but not the host name. For example, if a client requests http://www.abc.com/index.html, the AX device caches the content and /index.html but does not cache abc.com. If another request is received, for http://www.xyz.com/index.html, the AX device serves the same content. If you enable host verification, the AX device caches the host name along with the URI. For example, for http://www.abc.com/index.html, the AX device caches the content, /index.html, and abc.com. If a new request is received, for http://www.xyz.com/index.html, the AX device checks the cache for content indexed by both /index.html and xyz.com. The AX device serves the content to the client only if the content was cached for xyz.com. Configuring RAMCaching To configure RAM caching: 1. Add the real servers that serve the content to be cached, if not already configured. 2. Configure a service group and add the real servers to it, if not already configured. 3. Configure a cache template with settings for the type and size of content to be cached. Optionally, configure dynamic caching policies. 4. Configure the virtual server, and bind the service group and cache tem- plate to the service ports for which caching will be provided. USING THE GUI To Configure RAM Caching 1. Select Config >Service >Template. 2. On the menu bar, select Application >RAM Caching. 3. Click on the template name or click Add to create a new one. 4. Enter a name for the template, if you are creating a new one. 5. Enter or change any settings for which you do not want to use the default settings. 532 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching 6. To configure dynamic caching polices, use the applicable set of steps below. To configure a cache policy: a. In the URI field, enter the portion of the URI string to match on. b. Select Cache from the Action drop-down list. The Duration field appears. c. By default, the content is cached for the number of seconds speci- fied in the Age field of the RAM Caching section. To override the aging period, specify the number of seconds in the Duration field. d. Click Add. To configure a no-cache policy: a. In the URI field, enter the portion of the URI string to match on. b. Select No Cache from the Action drop-down list. c. Click Add. To configure an invalidate policy: a. In the URI field, enter the portion of the URI string to match on. b. Select Invalidate from the Action drop-down list. The Pattern field appears. Enter the portion of the URL string on which to match. For example, to invalidate /list objects when the URL contains /add, enter /add (without the quotation marks). 7. Click OK. To Monitor RAM Caching Use the following options: Monitor >Service >Application >RAM Caching >Details Monitor >Service >Application >RAM Caching >Objects Monitor >Service >Application >RAM Caching >Replacement The Details menu option displays RAM caching statistics. The Objects option displays cached entries. The Replacement option shows entry replacement information. To Export Web Log Archives 1. Select Monitor >Service >Application. 2. On the menu bar, select RAM Caching >Logs. The list of log archive files appears. P e r f o r m a n c e b y D e s i g n 533 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching 3. Click on the checkbox next to the filename of each log file you want to export. 4. Click Export. To delete log archive files, click the checkbox next to each file you want to delete, and click Delete. USING THE CLI The commands for configuring the real servers, service group, and virtual server are the same as those used for configuring other types of SLB. These configuration items have no commands or options specific to RAM caching. To configure a RAM caching template, use the following commands: [ no] slb template cache template-name Enter this command at the global configuration level of the CLI. The com- mand changes the CLI to the configuration level for the template, where the following commands specific to RAM caching are available: [ no] accept-reload-req This command enables support for the following Cache-Control headers: Cache-Control: no-cache Cache-Control: max-age=0 When support for these headers is enabled, either header causes the AX device to reload the cached object from the origin server. [ no] age seconds This command specifies how long a cached object can remain in the AX RAM cache without being requested. You can specify 1-999999 seconds (about 11-1/2 days). The default is 3600 seconds (1 hour). [ no] default-policy-nocache This command changes the default cache policy in the template from cache to nocache. This option gives you tighter control over content caching. When you use the default no-cache policy, the only content that is cached is cacheable content whose URI matches an explicit cache policy. [ no] max-cache-size MB This command specifies the size of the AX RAM cache. 534 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching On models AX 1000, AX 2000, AX 2100, AX 2200, AX 3100, and AX 3200, you can specify 1-512 MB. On model AX 2500, you can specify 1-1024MB. On models AX 2600 and AX 3000, you can specify 1-2048MB. On models AX 5100 and AX 5200, you can specify 1-4096MB. The default is 80 MB. [ no] max-content-size bytes This command specifies the maximum object size that can be cached. The AX device will not cache objects larger than this size. You can specify 0-4194303 bytes (4 MB). If you specify 0, no objects can be cached. The default is 81920 bytes (80 KB). [ no] disable-insert-age Disables insertion of Age headers into cached responses. Insertion of Age headers is enabled by default. [ no] disable-insert-via Disables insertion of Via headers into cached responses. Insertion of Via headers is enabled by default. [ no] min-content-size bytes This command specifies the minimum object size that can be cached. The AX device will not cache objects smaller than this size. You can specify 0-4194303 bytes (4 MB). If you specify 0, all objects smaller than or equal to the maximum content size can be cached. The default is 512 bytes. [ no] remove-cookies This command enables RAM caching to remove cookies from server replies so the replies can be cached. (See Caching Server Replies in Cookie Per- sistence Configurations on page530.) [ no] replacement-policy LFU This command specifies the policy used to make room for new objects when the RAM cache is full. The policy supported in the current release is Least Frequently Used (LFU). When the RAM cache becomes more than 90% full, the AX device discards the least-frequently used objects to ensure there is sufficient room for new objects. This is the default behavior and is the only supported option in the current release. P e r f o r m a n c e b y D e s i g n 535 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching Dynamic Caching Command Dynamic caching is performed using caching policies. To configure a cach- ing policy, use the following command at the configuration level for a RAM caching template: [ no] policy uri pattern {cache [ seconds] | nocache | invalidate inv-pattern} The pattern option specifies the portion of the URI string to match on. In the current release, matching is performed based on containment. All URIs that contain the pattern string match the rule. For example, the following policy matches all URIs that contain the string .jpg and sets the cache timeout for the matching objects to 7200 seconds: policy uri .jpg cache 7200 The other options specify the action to take for URIs that match the pattern: cache [seconds] Caches the content. By default, the content is cached for the number of seconds configured in the template (set by the age command). To override the aging period set in the template, specify the number of seconds with the cache command. nocache Does not cache the content. invalidate inv-pattern Invalidates the content that has been cached for inv-pattern. If a URI matches the pattern in more than one policy command, the policy command with the most specific match is used. Note: Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. For example, if the string pattern contains *, it is interpreted literally, as the * character. Host Verification Command [ no] verify-host This command enables the AX device to cache the host name in addition to the URI for cached content. Use this command if a real server that contains cacheable content will host more than one host name (for example, www.abc.com and www.xyz.com). Show Commands To display client sessions that are using cached content, use the following command: show session To display RAM caching statistics, use the following command: 536 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching show slb cache To display cached objects, use the following command: show slb cache entries vip-name port-num To clear RAM caching statistics counters, use the following command: clear slb cache stats [ vip-name port-num] To clear cached objects, use the following command: clear slb cache entries vip-name port-num [ uri-pattern] To clear individual objects based on URI pattern, use the uri-pattern option. To display RAM caching memory usage, use the following command: show slb cache memory-usage CLI CONFIGURATION EXAMPLES Basic Configuration The commands in this example enable RAM caching for virtual service port TCP 80 on VIP cached-vip. The following commands add a RAM caching template. In this example, the default template settings are used. AX( conf i g) #slb template cache ramcache AX( conf i g- RAM cachi ng t empl at e) #exit The following commands configure the real servers. AX( conf i g) #slb server 192.168.90.34 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 443 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server 192.168.90.35 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #port 443 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit P e r f o r m a n c e b y D e s i g n 537 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching The following commands configure the service group. AX( conf i g) #slb service-group cached-group AX( conf i g- sl b ser vi ce gr oup) #member 192.168.90.34:80 AX( conf i g- sl b ser vi ce gr oup) #member 192.168.90.34:443 AX( conf i g- sl b ser vi ce gr oup) #member 192.168.90.35:80 AX( conf i g- sl b ser vi ce gr oup) #member 192.168.90.35:443 The following commands configure the virtual server and bind the RAM caching template and the service group to virtual HTTP service port 80. AX( conf i g) #slb virtual-server cached-vip 10.10.10.101 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group cached-group AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template cache ramcache The following command shows client sessions. Asterisks ( * ) in the Reverse Source and Reverse Dest fields indicate that the AX device directly served the requested content to the client from the AX RAM cache. In this case, the session is actually between the client and the AX device rather than the real server. AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #show session Tr af f i c Type Tot al - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - TCP Est abl i shed 4328 TCP Hal f Open 39026 UDP 0 Non TCP/ UDP I P sessi ons 0 Ot her 0 Rever se NAT TCP 0 Rever se NAT UDP 0 Fr ee Buf f Count 0 Cur r Fr ee Conn 1923655 Conn Count 5287134 Conn Fr eed 5113720 t cp syn hal f open 0
Pr ot For war d Sour ce For war d Dest Rever se Sour ce Rever se Dest Age - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Tcp 10. 10. 10. 61: 25058 10. 10. 10. 10: 80 * * 600 Tcp 10. 10. 10. 60: 9239 10. 10. 10. 11: 80 * * 600 Tcp 10. 10. 10. 61: 1838 10. 10. 10. 10: 80 * * 600 Tcp 10. 10. 10. 65: 47834 10. 10. 10. 11: 80 * * 600 Tcp 10. 10. 10. 62: 55613 10. 10. 10. 11: 80 * * 600 Tcp 10. 10. 10. 57: 9233 10. 10. 10. 11: 80 * * 600 538 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching The following command shows RAM caching statistics. AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #show slb cache Tot al - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cache Hi t s 0 Cache Mi sses 6 Memor y Used 27648 Byt es Ser ved 0 Ent r i es Cached 6 Ent r i es Repl aced 0 Ent r i es Aged Out 0 Ent r i es Cl eaned 0 Tot al Request s 0 Cacheabl e Request s 0 No- cache Request s 0 No- cache Responses 0 I MS Request s 0 304 Responses 0 Reval i dat i on Successes 0 Reval i dat i on Fai l ur es 0 Pol i cy URI nocache 0 Pol i cy URI cache 0 Pol i cy URI i nval i dat e 0 Cont ent Too Bi g 0 Cont ent Too Smal l 0 Sr vr Resp - Cont Len 220 Sr vr Resp - Chnk Enc 37 Sr vr Resp - 304 St at us 0 Sr vr Resp - Ot her 0 Cache Resp - No Comp 383579 Cache Resp - Gzi p 0 Cache Resp - Def l at e 0 Cache Resp - Ot her 0 Ent r y cr eat e f ai l ur es 0 P e r f o r m a n c e b y D e s i g n 539 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching The following command shows cached objects. AX#show slb cache entries cached-vip 80 cached- vi p: 80 Host Obj ect URL Byt es Type St at us Expi r es i n - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10. 20. 0. 130 / 16k. ht ml 16744 CL, No FR 165 s 10. 20. 0. 130 / 4k. ht ml 4303 CL, No FR 166 s 10. 20. 0. 130 / 32k. ht ml 32976 CE, No FR 169 s 10. 20. 0. 130 / 1024k. ht ml 108786 CL, Gz FR 162 s 10. 20. 0. 130 / 8k. ht ml 8399 CE, No FR 165 s 10. 20. 0. 130 / 64k. ht ml 65744 CE, Gz FR 168 s The Status column indicates the status. In this example, all entries are fresh (FR). For more information, see the AX Series CLI Reference. Dynamic Caching Configuration Here is an example application of dynamic RAM caching. Web site x.y.com displays a frequently requested list page, and also serves private pages to individual clients based on additional requests from clients. Clients also can add or delete content on the list page. ht t p: / / x. y. com/ l i st ht t p: / / x. y. com/ pr i vat e?user =u1 ht t p: / / x. y. com/ add?a=p1&b=p2 ht t p: / / x. y. com/ del ?c=p3 Dynamic RAM caching policies can be used to effectively manage caching for this site. The /list URI is visited by many users and therefore should be cached, so long as the content is current. However, the /private URI contain private data for a specific user, and should not be cached. The /add and /del URLs modify the content of the list page. When either type of URI is observed by the AX device, the currently cached content for the /list URI should be invalidated, so that new requests for the URI are not served with a stale page. The following commands implement the dynamic RAM caching configura- tion described above. AX( conf i g) #slb template cache ram-cache AX( conf i g- RAM cachi ng t empl at e) #policy uri /list cache 3000 AX( conf i g- RAM cachi ng t empl at e) #policy uri /private nocache AX( conf i g- RAM cachi ng t empl at e) #policy uri /add invalidate /list AX( conf i g- RAM cachi ng t empl at e) #policy uri /del invalidate /list 540 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring RAM Caching The policy that matches on /list caches content for 50 minutes. The policy that matches on /private does not cache content. The policies that match on /add and /del invalidate the cached /list content. Configuration To Flush Specific Cache Entries If you need to flush specific entries from the RAM cache, you can do so using an invalidate policy. Here is an example: AX( conf i g) #slb template cache ram-cache AX( conf i g- RAM cachi ng t empl at e) #policy uri /story cache 3600 AX( conf i g- RAM cachi ng t empl at e) #policy uri /flush invalidate /story This policy is configured to flush (invalidate) all cached entries that have /story in the URI. The policy is activated when a request is received with the URI /flush. P e r f o r m a n c e b y D e s i g n 541 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview High Availability This chapter describes High Availability (HA) and how to configure it. Overview High Availability (HA) is an AX feature that provides AX-level redundancy to ensure continuity of service to clients. In HA configurations, AX devices are deployed in pairs. If one AX device in the HA pair becomes unavailable, the other AX device takes over. You can configure either of the following types of HA: Active-Standby One AX device is the primary SLB device for all vir- tual services on which HA is enabled. The other AX device is a hot Standby for the virtual services. Active-Active Each AX device is the primary SLB device for some of the configured virtual services, and is a hot Standby for the other config- ured virtual services. Active-Active is supported only on AX devices that are deployed in route mode. Active-Standby is supported on AX devices deployed in transparent mode or route mode. Note: Both AX devices in an HA pair should be the same model and should be running the same software version. Using different AX models or differ- ent software versions in an HA pair is not supported. 542 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Layer 3 Active-Standby HA Figure142 shows an example of an Active-Standby configuration. FIGURE 142 Active-Standby HA P e r f o r m a n c e b y D e s i g n 543 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview In this example, each AX device provides SLB for two virtual servers, VIP1 and VIP2. Each AX device has the following HA configuration elements: HA ID The HA ID of AX1 is 1 and the AX ID of AX2 is 2. An AX device must have an HA ID, which can be 1 or 2. The ID must be differ- ent on each AX device. The ID can be used as a tie breaker to select the Active AX device. (See How the Active AX Device Is Selected on page559.) HA group HA group 1 is configured on each AX device. An AX device can have up to 31 HA groups. Both VIPs on each AX device are members of the HA group. Each HA group must be configured with a priority. The priority can be used as a tie breaker to select the Active AX device for a VIP. Each HA group has a shared MAC address, 021f.a0000.00xx. The xx portion of the address is unique to the HA group. The shared MAC address is used for all IP addresses for which HA is provided (SLB VIPs, source NAT addresses, the floating IP address, and so on). Session synchronization Also called connection mirroring, session synchronization sends information about active client sessions to the Standby AX device. If a failover occurs, the client sessions are main- tained without interruption. (For a complete list of configurable HA parameters, see HA Configuration Parameters on page564.) 544 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Layer 3 Active-Active HA Figure143 shows an example of an Active-Active configuration. FIGURE 143 Active-Active HA In the Active-Active configuration, as in the Active-standby configuration. only one AX is active for a given VIP. But unlike the Active-Standby con- figuration, the same AX device does not need to be the Active AX device for all the VIPs. Instead, each of the AX devices can be the Active AX device for some VIPs. In this example, AX1 is Active for VIP2 and AX2 is Active for VIP1. P e r f o r m a n c e b y D e s i g n 545 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview This configuration is similar to the configuration for Active-Standby shown in Figure142, with the following exceptions: Both HA groups are configured on each of the AX devices. In Active- Standby, only a single HA group is configured. The priority values have been set so that each HA group has a higher priority on one AX device than it does on the other AX device. In this example, HA group 1 has a higher priority on AX2, whereas HA group 2 has a higher priority on AX1. On each AX device, one of the VIPs is assigned to HA group 1 and the other VIP is assigned to HA group 2. On both AX devices, HA pre-emption is enabled. HA pre-emption enables the devices to use the HA group priority values to select the Active and Standby AX device for each VIP. Without HA pre-emption, the AX selection is based on which of the AX devices comes up first. 546 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Layer 2 Active-Standby HA (Inline Deployment) AX devices support Layer 2 hot standby inline deployment. Inline deploy- ment allows you to insert a pair of AX devices into an existing network without the need to reconfigure other devices in the network. Inline support applies specifically to network topologies where inserting a pair of AX switches would cause a Layer 2 loop, as shown in this example. FIGURE 144 Topology Supported for Layer 2 Inline HA Deployment In this example, a pair of routers configured as a redundant pair route traffic between clients and servers. The redundant router pair can be implemented using Virtual Router Redundancy Protocol (VRRP), Extreme Standby Router Protocol (ESRP), or another equivalent router redundancy protocol. P e r f o r m a n c e b y D e s i g n 547 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Each real server is connected to the router pair through a Layer 2 switch. Neither the Layer 2 switches nor the routers are running Spanning Tree Pro- tocol (STP). The network does not have any Layer 2 loops because the Layer 2 switches are not connected directly together, and the routers do not forward Layer 2 traffic. If a pair of AX switches in transparent mode are added, the AX switches can add redundant Layer 2 paths, which cause Layer 2 loops. To prevent loops in this deployment, without making any configuration changes on the other devices in the network, you can enable HA inline mode on the AX devices. Inline mode automatically blocks redundant paths through the Standby AX device, without the need to enable STP on any devices. 548 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 145 Layer 2 Inline HA Deployment Restrictions Supported for Active-Standby HA deployments only. Not supported for Active-Active HA. Inline mode is designed for one HA group in Hot-Standby mode. Do not configure more than one HA group on an AX running in inline mode. P e r f o r m a n c e b y D e s i g n 549 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview In order to prevent Layer 2 loops in a Layer 2 host-standby environ- ment, the Standby AX does not forward traffic. In addition, the Active AX in the HA pair is designed to not forward packets destined for the Standby AX. Depending on the network topology, certain traffic to the Standby AX might be dropped if it must first pass through the Active AX. Preferred HA Port When you enable inline mode on an AX, the AX uses a preferred HA port for session synchronization and for management traffic between the AX devices in the HA pair. For example, if you use the CLI on one AX to ping the other AX, the ping packets are sent only on the preferred HA port. Like- wise, the other AX sends the ping reply only on its preferred HA port. Management traffic between AX devices includes any of the following types of traffic: Telnet SSH Ping Optionally, you can designate the preferred HA port when you enable inline mode. In Figure145 on page548, Ethernet interface 5 on each AX has been configured as the preferred HA port. The AX selects the Active AX devices preferred HA port as follows: 1. Is a preferred port specified with the inline configuration, and is the port up? If so, use the port. 2. If no preferred HA port is specified in the configuration or that port is down, the first HA interface that comes up on the AX is used as the pre- ferred HA port. 3. If the preferred HA port selected by 1. or 2. above goes down, the HA interface with the lowest port number is used. If that port also goes down, the HA interface with the next-lowest port number is used, and so on. HA heartbeat messages are not restricted to the preferred HA port. Heart- beat messages are sent out all HA interfaces unless you disable the mes- sages on specific interfaces. Note: The preferred port must be added as an HA interface and heartbeat mes- sages must be enabled on the interface. 550 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Port Restart When a transition from Standby to Active occurs because the formerly Active AX device becomes unavailable, the other devices that are directly connected to the unavailable AX detect that their links to the AX have gone down. The devices then flush their cached MAC entries on the down links. For example, in Figure145 on page548, while AX1 is still Active, the active router (the one on the left) uses the MAC entries it has learned on its link with AX1 to reach downstream devices. If the link with AX1 goes down, the router flushes the MAC entries. The router then relearns the MAC addresses on the link with AX2 when it becomes the Active AX. This mechanism is applicable when the link with AX1 goes down. How- ever, if the transition from Active to Standby does not involve failure of the router's link with AX1, the router does not flush its learned MAC entries on the link. As a result, the router might continue to send traffic for down- stream devices through the router's link with AX1. Since AX1 is now the Standby, it drops the traffic, thereby causing reachability issues. For example, if you administratively force a failover by changing the HA configurations of the AX devices and enabling HA pre-emption, the link between the router and AX1 remains up. In this case, the router continues to have MAC addresses through this link. To ensure that devices connected to the formerly Active AX flush their learned MAC entries on their links with AX1, you can enable HA port restart. HA port restart toggles a specified set of ports on the formerly Active AX by disabling the ports, waiting for a specified number of milliseconds, then re-enabling the ports. Toggling the ports causes the links to go down, which in turn causes the devices on the other ends of the links to flush their learned MAC entries on the links. The devices then can relearn MACs through links with the newly Active AX. Note: You must omit at least one port connecting the AX devices from the restart port-list. This is so that heartbeat messages between the AX devices are maintained; otherwise, flapping might occur. Note: On model AX 2000 or AX 2100, A10 recommends that you do not include Fiber ports in the restart port list. P e r f o r m a n c e b y D e s i g n 551 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Layer 3 Active-Standby HA (Inline Deployment) Inline mode HA is also supported for AX devices deployed in route mode (Layer 3). Layer 3 HA for inline mode is beneficial in network topologies where the AX interfaces with the clients and real servers are in the same subnet. Figure146 shows an example. FIGURE 146 Inline Mode for Layer 3 HA In this example, each AX device has multiple Ethernet ports connected to the clients, and multiple Ethernet ports connected to the servers. On each AX device, all these Ethernet interfaces are configured as a single Virtual Ethernet (VE) interface with a single IP address. The routers, both AX devices, and the servers are all in the same subnet. 552 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Normally, this topology would introduce a traffic loop. However, the HA inline mode prevents loops by logically blocking through traffic on the standby AX device. Spanning Tree Protocol (STP) is not required in order to prevent loops. A dedicated link between the AX devices is used for HA management traf- fic. In this example, the dedicated link is in another subnet. Comparison to Layer 2 Inline Mode Layer 3 inline configuration is similar to Layer 2 inline mode configuration, with the following exceptions: Layer 3 inline mode does not require designation of a preferred port or configuration of port restart. CPU processing must be enabled on the Ethernet interfaces that will receive server replies to client requests. CPU processing is required on these interfaces in order to change the source IP address from the servers real IP address back into the VIP address. Restrictions Supported for Active-Standby HA deployments only. Not supported for Active-Active HA. Inline mode is designed for one HA group in Hot-Standby mode. Do not configure more than one HA group on an AX running in inline mode. In order to prevent Layer 2 loops in a Layer 2 host-standby environ- ment, the Standby AX does not forward traffic. In addition, the Active AX in the HA pair is designed to not forward packets destined for the Standby AX. Depending on the network topology, certain traffic to the Standby AX might be dropped if it must first pass through the Active AX. HA Messages The AX devices in an HA pair communicate their HA status with the fol- lowing types of messages: HA heartbeat messages Gratuitous ARP requests and replies P e r f o r m a n c e b y D e s i g n 553 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HA Heartbeat Messages Each of the AX devices regularly sends HA heartbeat messages out its HA interfaces. The Standby AX device listens for the heartbeat messages. If the Standby AX device stops receiving heartbeat messages from the Active AX device, the Standby AX device transitions to Active and takes over net- working and SLB operations from the other AX device. By default, heartbeat messages are sent every 200 milliseconds. If the Standby AX device does not receive a heartbeat message for 1 second (5times the heartbeat interval), the Standby AX device transitions to Active. The heartbeat interval and retry count are configurable. (See HA Configu- ration Parameters on page564.) Gratuitous ARPs When an AX transitions from Standby to Active, the newly Active AX device sends gratuitous ARP requests and replies (ARPs) for the IP address under HA control. Gratuitous ARPs are sent for the following types of addresses: Virtual server IP addresses, for the VIPs that are assigned to an HA group. Floating IP address, if configured NAT pool IP addresses, for NAT pools assigned to an HA group Devices that receive the ARPs learn that the MAC address for the AX HA pair has moved, and update their forwarding tables accordingly. The Active AX device sends the gratuitous ARPs immediately upon becom- ing the Active AX device. To make sure ARPs are being received by the tar- get addresses, the AX device re-sends the ARPs 4 additional times, at 500- millisecond intervals. After this, the AX device sends gratuitous ARPs every 30 seconds to keep its IP information current. The ARP retry count is configurable. (See HA Configuration Parameters on page564.) 554 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HA Interfaces When configuring HA, you specify each of the interfaces that are HA inter- faces. An HA interface is an interface that is connected to an upstream router, a real server, or the other AX device in the HA pair. HA heartbeat messages can be sent only on HA interfaces. Optionally, you can disable the messages on individual interfaces. When you configure an HA interface that is a tagged member of one or more VLANs, you must specify the VLAN on which to send the heartbeat messages. Note: The maximum number of HA interfaces you can configure is the same as the number of Ethernet data ports on the AX device. Note: If the heartbeat messages from one AX device to the other will pass though a Layer 2 switch, the switch must be able to pass UDP IP multi- cast packets. Note: If a tracked interface is a member of a trunk, only the lead port in the trunk is shown in the tracking configuration and in statistics. For example, if a trunk contains ports 1-3 and you configure tracking of port 3, the con- figuration will show that tracking is enabled on port 1. Likewise, tracking statistics will show port 1, not port 3. Similarly, if port 1 goes down but port 3 is still up, statistics still will show that port 1 is up since it is the lead port for the trunk. Changes to the state of an HA interface can trigger a failover. By default, the HA state of an interface can be Up or Down. Optionally, you can specify the HA interface type as one of the following: Server interface A real server can be reached through the interface. Router interface An upstream router (and ultimately, clients) can be reached through the interface. Both Both a server and upstream router can be reached through the interface. If you specify the HA interface type, the HA status of the AX device is based on the status of the AX link with the real server and/or upstream router. The HA status can be one of the following: Up All configured HA router and server interfaces are up. Partially Up Some HA router or server interfaces are down but at least one server link and one router link are up. P e r f o r m a n c e b y D e s i g n 555 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Down All router interfaces, or all server interfaces, or both are down. The status also is Down if both router interfaces and server interfaces are not configured and an HA interface goes down. If both types of interfaces (router interfaces and server interfaces) are con- figured, the HA interfaces for which a type has not been configured are not included in the HA interface status determination. During selection of the active AX, the AX with the highest state becomes the active AX and all HA interfaces on that AX become active. For exam- ple, if one AX is UP and the other AX is only Partially Up, the AX that is UP becomes the active AX. If each AX has the same state, the active AX is selected as follows: If HA pre-emption is disabled (the default), the first AX to come up is the active AX. If HA pre-emption is enabled, the AX with the higher HA group priority becomes active for that group. If the group priorities on the two AX devices are also the same, the AX that has the lowest HA ID (1 or 2) becomes active. Note: You can configure up to 31 HA groups on an AX, and assign a separate HA priority to each. For Active-Standby configurations, use only one group ID. For Active-Active configurations, use multiple groups IDs and assign VIPs to different groups. Session Synchronization HA session synchronization sends information about active client sessions to the Standby AX device. If a failover occurs, the client sessions are main- tained without interruption. Session synchronization is optional. Without it, a failover causes client sessions to be terminated. Session synchronization can be enabled on individual virtual ports. Session synchronization applies primarily to Layer 4 sessions. Session syn- chronization does not apply to DNS sessions. Since these sessions are typi- cally very short lived, there is no benefit to synchronizing them. Likewise, session synchronization does not apply to NATted ICMP sessions or to any static NAT sessions. Synchronization of these sessions is not needed since the newly Active AX device will create a new flow for the session follow- ing failover. To enable session synchronization, see Enabling Session Synchronization on page603. 556 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Session synchronization is required for config sync. Config sync uses the session synchronization link. (For more information, Synchronizing Con- figuration Information on page606.) Note: Session synchronization is also called connection mirroring. Optional Failover Triggers In addition to HA interface-based failover, you can configure failover based one any of the following: Inactive VLAN (VLAN-based failover) Unresponsive gateway router (gateway-based failover) Unresponsive real servers (VIP-based failover) VLAN-based Failover You can enable HA checking for individual VLANs. When HA checking is enabled for a VLAN, the active AX device in the HA pair monitors traffic activity on the VLAN. If there is no traffic on the VLAN for half the dura- tion of a configurable timeout, the AX device attempts to generate traffic by issuing ping requests to servers if configured, or broadcast ARP requests through the VLAN. If the AX device does not receive any traffic on the VLAN before the time- out expires, a failover occurs. The timeout can be 2-600 seconds. You must specify the timeout. Although there is no default, A10 recommends trying 30 seconds. This HA checking method provides a passive means to detect network health, whereas heartbeat messages are an active mechanism. You can use either or both methods to check VLAN health. If you use both methods on a VLAN, A10 recommends that you specify an HA checking interval (time- out) that is much longer than the heartbeat interval. For a configuration example, see VLAN-Based Failover Example on page596. Gateway-based Failover Gateway-based failover uses ICMP health monitors to check the availability of the gateways. If any of the active AX devices gateways fails a health check, the AX device changes its HA status to Down. If the HA status of the other AX device is higher than Down, a failover occurs. P e r f o r m a n c e b y D e s i g n 557 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Likewise, if the gateway becomes available again and all gateways pass their health checks, the AX device recalculates its HA status according to the HA interface counts. If the new HA status of the AX device is higher than the other AX devices HA status, a failover occurs. Configuration of gateway-based failover requires the following steps: 1. Configure a health monitor that uses the ICMP method. 2. Configure the gateway as an SLB real server and apply the ICMP health monitor to the server. 3. Enable HA checking for the gateway. For a configuration example, see Gateway-Based Failover Example on page597. Route-based Failover Route-based failover reduces the HA priority of all HA groups on the AX device, if a specific route is missing from the IPv4 or IPv6 route table. You can configure this feature for individual IP routes. When you configure this feature for a route, you also specify the value to subtract from the HA priority of all HA groups, if the route is missing from the route table. You can configure this option for up to 100 IPv4 routes and up to 100 IPv6 routes. This option is valid for all types of IP routes supported in this release (static and OSPF). If the priority of an HA group falls below the priority for the same group on the other AX device in an HA pair, a failover can be triggered. Notes This feature applies only to routes in the data route table. The feature does not apply to routes in the management route table. For failover to occur due to HA priority changes, the HA pre-emption option must be enabled. For a configuration example, see Route-Based Failover Example on page599. Real Server or Port Health-based Failover You can configure the AX device to decrease the HA priority of an HA group, if a real server or ports health status changes to Down. 558 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview You can configure this feature on individual real servers and ports. The fea- ture is disabled by default. To enable the feature, assign an HA weight to the server or port. If the server or ports health status changes to Down, the weight value is subtracted from the priority value of the HA group. You can specify a single HA group or allow the priority change to apply to all HA groups. If the server or ports status changes back to Up, the weight value is added back to the HA groups priority value. If the HA priority of a group falls below the priority of the same group on the other AX device, HA failover can be triggered. Notes The lowest HA priority value a server or port can have is 1. If HA weights for an HA group are assigned to both the server and an individual port, and both health checks are unsuccessful, only the server weight is subtracted from the HA groups priority. For failover to occur due to HA priority changes, the HA pre-emption option must be enabled. VIP-based Failover VIP-based failover allows service for a VIP to be transferred from one AX device in an HA pair to the other AX device based on HA status changes of the real servers. When you configure an HA group ID, you also specify its priority. If HA pre-emption is enabled, the HA groups priority can be used to determine which AX device in the HA pair becomes the Active AX for the HA group. In this case, the AX device that has a higher value for the groups priority becomes the Active AX device for the group. If you enable the dynamic HA option on a virtual server, the AX device reduces the HA priority of the group assigned to the virtual server, if a real server becomes unavailable. (A real server is unavailable if it is marked Down by the AX device because the server failed its health check.) If the priority value is reduced to a value that is lower than the groups priority value on the other AX device in the HA pair, and HA pre-emption is enabled, service of the virtual serve is failed over to the other AX device. When a real server becomes available again, the weight value that was sub- tracted from the HA groups priority is re-added. If this results in the prior- ity value being higher than on the other AX device, the virtual server is P e r f o r m a n c e b y D e s i g n 559 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview failed over again to the AX device with the higher priority value for the group. Note: Configure the same HA group ID on any floating IP addresses or Source IP NAT pools used by the virtual server. For example, if you assign a vir- tual server to HA group 31, also assign any floating IP addresses and IP Source NAT pools used by the virtual server to HA group 31. For a configuration example, see VIP-Based Failover Example on page601. How the Active AX Device Is Selected In Active-Standby configurations, only one AX device is Active and the other is the Standby. After you configure HA, the Active AX device is selected using the process shown in Figure147. FIGURE 147 Initial Selection of Active AX Device 560 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview After initial selection of the Active AX device, that device remains the Active AX device unless one of the following events occurs: The Standby AX device stops receiving HA heartbeat messages from the Active AX device. The HA interface status of the Active AX device becomes lower than the HA interface status of the Standby AX device. VLAN-based failover is configured and the VLAN becomes inactive. Gateway-based failover is configured and the gateway becomes unavail- able. HA pre-emption is enabled, and the configured HA priority is changed to be higher on the Standby AX device. Figure148 shows the events that can cause an HA failover. P e r f o r m a n c e b y D e s i g n 561 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 148 HA Failover 562 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HA Pre-Emption By default, a failover occurs only in the following cases: The Standby AX device stops receiving HA heartbeat messages form the other AX device in the HA pair. HA interface state changes give the Standby AX device a better HA state than the Active AX device. (See HA Interfaces on page554.) VLAN-based failover is configured and the VLAN becomes inactive. (See VLAN-based Failover on page556.) Gateway-based failover is configured and the gateway becomes unavail- able. (See Gateway-based Failover on page556.) VIP-based failover is configured and the unavailability of real servers causes the Standby AX to have the greater HA priority for the VIPs HA group. (See VIP-based Failover on page558.) By default, failover does not occur due to HA configuration changes to the HA priority. To enable the AX devices to failover in response to changes in priority, enable HA pre-emption. When pre-emption is enabled, the AX device with the higher HA priority becomes the Active AX device. If the HA priority is equal on both AX devices, then the AX device with the lower HA ID (1) becomes the Active AX device. Note: To force Active groups to change to Standby status, without changing HA group priorities and enabling pre-emption, see Forcing Active Groups to Change to Standby Status on page603. P e r f o r m a n c e b y D e s i g n 563 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HA Sets Optionally, you can provide even more redundancy by configuring multiple sets of HA pairs. FIGURE 149 Multiple HA Pairs In this example, two HA pairs are configured. Each pair is distinguished by an HA set ID. Each HA pair can be used to handle a different set of real servers. You can configure up to 7 HA sets. This feature is supported for Layer 2 and Layer 3 HA configurations. The set ID can be specified along with the HA ID. (For syntax information, see Table14 on page564.) 564 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HA Configuration Parameters Table14 lists the HA parameters. TABLE 14 HA Parameters Parameter Description and Syntax Supported Values Global HA Parameters HA ID and HA set ID HA ID of the AX device, and HA set to which the AX device belongs. The HA ID uniquely identifies the AX device within the HA pair. The HA set ID specifies the HA set to which the AX device belongs. This parameter is applicable to con- figurations that use multiple AX pairs. [ no] ha id {1 | 2} [ set-id num] Config >HA >Setting >HA Global - General HA ID: 1 or 2 HA set ID: 1-7 Default: Neither parameter is set HA group ID Uniquely identifies the HA group on an individual AX device. The priority value can be used during selection of the Active AX device. (SeeHow the Active AX Device Is Selected on page559.) [ no] ha group group-id priority num Config >HA >Setting >HA Global - Group HA group ID: 1-31 Priority: 1 (low priority) to 255 (high priority Default: not set Floating IP address IP address that downstream devices should use as their default gateway. The same address is shared by both AX devices in the HA pair. Regardless of which device is Active, downstream devices can reach their default gateway at this IP address. [ no] floating-ip ipaddr ha-group group-id Config >HA >Setting >HA Global - Floating IP Address Default: not set P e r f o r m a n c e b y D e s i g n 565 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HA interfaces Interfaces used for HA management. HA heartbeat messages are sent on HA interfaces, unless you use the option to disable the messages. At least one HA interface must be specified. If the interface is tagged, then a VLAN ID must be speci- fied if heartbeat messages are enabled on the inter- face. If you specify the interface type (server, router, or both), changes to the interface state can control failover. (See HA Interfaces on page554 and How the Active AX Device Is Selected on page559.) [ no] ha interface ethernet port-num [ router-interface | server-interface | both] [ no-heartbeat | vlan vlan-id] Config >Network >Interface >LAN - Select the interface and then click HA. AX Ethernet interfaces Default: not set VLAN-based HA Enables the AX device to change its HA status based on the health of a VLAN. When HA checking is enabled for a VLAN, the active AX device in the HA pair monitors traffic activity on the VLAN. If there is no traffic on the VLAN for half the duration of a configurable time- out, the AX device attempts to generate traffic by issuing ping requests to servers if configured, or broadcast ARP requests through the VLAN. If the AX device does not receive any traffic on the VLAN before the timeout expires, a failover occurs. [ no] ha check vlan vlan-id timeout seconds Config >HA >Setting >HA Global - Status Check Valid VLAN ID Default: not set The timeout can be 2-600 seconds. Although there is no default timeout, A10 recommends trying 30 seconds. Gateway-based HA Enables the AX device to change its HA status based on the health of a gateway router. If the gateway fails a Layer 3 (ICMP) health check, the AX device changes its HA status to Down. If the HA status of the other AX device is higher than Down, a failover occurs. [ no] ha check gateway ipaddr Config >HA >Setting >HA Global - Status Check IP address of the gateway Default: not set Additional configuration is required. (See Gateway-based Failover on page556.) TABLE 14 HA Parameters (Continued) Parameter Description and Syntax Supported Values 566 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Session synchro- nization (Also called connection mir- roring) Enables the AX devices to share information about active client sessions. If a failover occurs, client ses- sions continue uninterrupted. The Standby AX device, when it becomes Active, uses the session information it received from the Active AX device before the failover to continue the sessions without terminating them. To enable session synchronization, specify the IP address of the other AX device in the HA pair. Session synchronization does not apply to DNS ses- sions. Since these sessions are typically very short lived, there is no benefit to synchronizing them. Note: This option also requires session synchroni- zation to be enabled on the individual virtual service ports. (See HA Parameters for Virtual Service Ports below.) [ no] ha conn-mirror ip ipaddr Config >HA >Setting >HA Global - General IP address of the other AX device Default: not set Pre-emption Controls whether failovers can be caused by config- uration changes to HA priority or HA ID. [ no] ha preemption-enable Config >HA >Setting >HA Global - General Enabled or disabled Default: disabled HA heartbeat interval Interval at which the AX device sends HA heartbeat messages on its HA interfaces. [ no] ha time-interval 100-msec-units Config >HA >Setting >HA Global - General 1-255 units of 100 milliseconds (ms) each Default: 200 ms Retry count Number of HA heartbeat intervals the Standby device will wait for a heartbeat message from the Active AX device before failing over to become the Active AX device. [ no] ha timeout-retry-count num Config >HA >Setting >HA Global - General 2-255 Default: 5 ARP repeat count Number of additional gratuitous ARPs, in addition to the first ones, an AX sends after transitioning from Standby to Active in an HA configuration. [ no] ha arp-retry num Config >HA >Setting >HA Global - General 1-255 Default: 4 additional gratuitous ARPs, for a total of 5 TABLE 14 HA Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 567 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Forced failover Forces HA groups to change from Active to Standby status. [ no] ha force-self-standby [ group-id] Note: This option provides a simple method to force a failover, without the need to change HA group pri- orities and enable pre-emption. The option is not added to the configuration and does not persist across reboots. Note: The current release does not support configu- ration of this parameter using the GUI. Valid HA group ID. If you do not specify a group ID, all Active groups are forced to change from Active to Standby status. Layer 2/3 forwarding of Layer 4 traffic on the Standby AX device Enables Layer 2/3 forwarding of Layer 4 traffic on the Standby AX device. [ no] ha forward-l4-packet-on- standby Note: The current release does not support configu- ration of this parameter using the GUI. Enabled or disabled Default: Disabled. Layer 4 traffic is dropped by the Standby AX device. Global HA Parameters for Layer 2 Inline Mode Inline mode state Enables Layer 2 inline mode and, optionally, speci- fies the HA interface to use for session synchroniza- tion and for management traffic between the AX devices. [ no] ha inline-mode [ preferred-port port-num] Config >HA >Setting - HA Inline Mode Enabled or disabled Default: disabled When inline mode is enabled, the pre- ferred port is selected as described in Preferred HA Port on page549. Restart port list List of Ethernet interfaces on the previously Active AX device to toggle (shut down and restart) follow- ing HA failover. [ no] ha restart-port-list ethernet port-list Config >HA >Setting - HA Inline Mode AX Ethernet interfaces Default: not set Port restart time Amount of time interfaces in the restart port list remain disabled following a failover. [ no] ha restart-time 100-msec-units Config >HA >Setting - HA Inline Mode 1-100 units of 100 milliseconds (ms) Default: 20 units of 100 ms (2 sec- onds) TABLE 14 HA Parameters (Continued) Parameter Description and Syntax Supported Values 568 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Global HA Parameters for Layer 3 Inline Mode Inline mode state Enables Layer 3 inline mode. [ no] ha l3-inline-mode Config >HA >Setting - HA Inline Mode Enabled or disabled Default: disabled OSPF on Standby AX device Leaves OSPF enabled on the Standby AX device. [ no] ha ospf-inline vlan vlan-id Note: This option is not configurable using the GUI. Enabled or disabled Default for all HA modes except Layer 3 inline: disabled. OSPF is dis- abled on the Standby AX device. Default for Layer 3 inline mode: enabled. OSPF is allowed to run on all VLANs by default. Link event delay Change the delay waited by the AX device before changing the HA state (Up, Partially Up, or Down) in response to link-state changes on HA interfaces. [ no] ha link-event-delay 100-ms-unit Config >HA >Setting - HA Inline Mode 100 milliseconds (ms) to 10000 ms, in increments of 100 ms Default: 3000 ms (3 seconds) HA Parameters for Virtual Servers HA group ID HA group ID for a virtual server. This is required to enable HA for the VIP. [ no] ha-group group-id Config >Service >SLB >Virtual Server 1-31 Default: not set Server weight Weight value assigned to real servers bound to the virtual server. The weight is used for VIP-based failover. (See VIP-based Failover on page558.) [ no] ha-dynamic server-weight Config >Service >SLB >Virtual Server - Select the HA group, then select the Dynamic Server Weight. 1-255 Not set Link event delay Change the delay waited by the AX device before changing the HA state (Up, Partially Up, or Down) in response to link-state changes on HA interfaces. [ no] ha link-event-delay 100-ms-unit Config >HA >Setting - HA Inline Mode 100 milliseconds (ms) to 10000 ms, in increments of 100 ms Default: 3000 ms (3 seconds) TABLE 14 HA Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 569 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HA Parameters for Virtual Service Ports Session synchronization (Also called connection mir- roring) Enables active client sessions on this virtual port to continue uninterrupted following a failover. Note: This option also requires session synchroni- zation to be enabled globally. (See Global HA Parameters above.) [no] ha-conn-mirror Config >Service >SLB >Virtual Server - Port Enabled or disabled Default: disabled HA Parameters for Real Servers Priority cost Decreases the HA priority of an HA group, if the real servers health status changes to Down. [ no] ha-priority-cost weight [ ha-group group-id] Note: The current release does not support configu- ration of this option using the GUI. Weight: 1-255 HA group: 1-31. If no group is speci- fied, the weight applies to all HA groups. Default: not set HA Parameters for Real Ports Priority cost Decreases the HA priority of an HA group, if the real ports health status changes to Down. [ no] ha-priority-cost weight [ ha-group group-id] Note: The current release does not support configu- ration of this option using the GUI. Weight: 1-255 HA group: 1-31. If no group is speci- fied, the weight applies to all HA groups. Default: not set HA Parameters for Firewall Load Balancing (FWLB) Note: For an example of an FWLB HA configuration, see Firewall Load Balancing on page333. HA group ID HA group ID for a virtual firewall or virtual firewall port. [ no] ha-group group-id Config >Service >Firewall >Firewall Virtual Server (for virtual firewall) Config >Service >Firewall >Firewall Virtual Server - Port (for virtual firewall port) 1-31 Default: not set Session synchronization Enables active client sessions on this virtual firewall port to continue uninterrupted following a failover. Note: This option also requires session synchroni- zation to be enabled globally. (See Global HA Parameters above.) [no] ha-conn-mirror Config >Service >Firewall >Firewall Virtual Server (for virtual firewall) Config >Service >Firewall >Firewall Virtual Server - Port (for virtual firewall port) Enabled or disabled Default: disabled TABLE 14 HA Parameters (Continued) Parameter Description and Syntax Supported Values 570 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview HA Parameters for IP Network Address Translation (NAT) Pools HA group ID HA group ID for IP NAT. Option with ip nat pool, ipv6 nat pool, or ip nat inside command: ha-group group-id Config >Service >IP Source NAT >IPv4 Pool Config >Service >IP Source NAT >IPv6 Pool Config >Service >IP Source NAT >NAT Range 1-31 Default: not set HA Parameters for IP Routes Priority cost Reduces the HA priority of all HA groups on the AX device, if the specified route is missing from the IPv4 or IPv6 route table. For IPv4 routes: [ no] ha check route destination-ipaddr / mask-length priority-cost weight [ gateway ipaddr] [ protocol {static | dynamic}] [ distance num] For IPv6 routes: [ no] ha check route destination-ipv6addr/ mask-length priority-cost weight [ gateway ipv6addr] [ protocol {static | dynamic}] [ distance num] Note: The current release does not support configu- ration of this option using the GUI. Default: not set TABLE 14 HA Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 571 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide HA Status Indicators HA Status Indicators The HA status of an AX device is displayed in the GUI and CLI. The HA status indicators provide the following information: Current HA status of the AX device: Active or Standby Configuration status: Most recent configuration update The system time and date when the most recent configuration change was made. Most recent configuration save The system time and date when the configuration was saved to the startup-config. Most recent config-sync The system time and date when the most recent configuration change was made. If the AX device is configured with multiple Role-Based Administration (RBA) partitions, separate configuration status information is shown for each partition. In the GUI The current HA status is shown as one of the following: Active Standby Not Configured The config-sync status is shown as one of the following: Sync Not-Sync The GUI does not indicate when the most recent configuration update or save occurred. This information is available in the CLI. (See below.) In the CLI In the CLI, the HA the status is shown in the command prompt. For exam- ple: AX- Act i ve# or AX- St andby# 572 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA Note: If HA is not configured, the prompt is simply the hostname (AX by default). Configuration status is displayed in show running-config output. Here is an example: AX- Act i ve#show running-config ! Cur r ent conf i gur at i on: 8134 byt es par t i t i on par t i t i on- 1 ! ! Conf i gur at i on l ast updat ed at 08: 11: 05 I ST Mon May 17 2010 ! Conf i gur at i on l ast saved at 15: 16: 49 I ST Sat May 15 2010 ! Conf i gur at i on l ast synchr oni zed at 08: 15: 02 I ST Mon May 17 2010 Disabling HA Status Display in the CLI Prompt Display of the HA status in the CLI prompt is enabled by default. To disable it, use the following command at the global configuration level of the CLI: [ no] terminal no-ha-prompt Configuring Layer 3 HA To configure Layer 3 HA: 1. Configure the following global HA parameters: HA ID HA group ID and priority. For an Active-Standby configuration, configure one group ID. For Active-Active, configure multiple HA group IDs. Floating IP address (optional) Session synchronization (optional) HA pre-emption (optional) 2. Configure the HA interfaces. 3. Add each virtual server to an HA group. 4. If session synchronization is globally enabled, enable it on the individ- ual virtual ports whose client sessions you want to synchronize. 5. If IP NAT pools are configured, add each pool to an HA group. P e r f o r m a n c e b y D e s i g n 573 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA USING THE GUI Configuring Global HA Parameters 1. Select Config >HA >Setting. a. In the Identifier drop-down list, select the HA ID for the AX device. b. Select Enabled next to HA Status. c. To enable pre-emption, select Enabled next to Preempt Status. d. To enable connection mirroring, enter the IP address of the other AX device in the HA Mirroring IP Address field. Note: Enter the real IP address of the AX device, not the floating IP address that downstream devices will use as their default gateway address. 2. In the Group section, configure HA group parameters: a. Select HA group 1 from the Group Name drop-down list. b. In the Priority field, enter the priority for HA group 1 and click Add. c. If you are configuring Active-Active, select the next HA group from the Group Name drop-down list, enter its priority in the Priority field, and click Add. Repeat for each additional group used in the configuration. 3. In the Floating IP Address section, configure the floating IP addresses for the HA groups. a. Select an HA group from the Group Name drop-down list. b. Select the address type (IPv4 or IPv6). c. Enter the floating IP address for the group. d. Click Add. e. If you are configuring Active-Active, select the next HA group from the Group Name drop-down list, and repeat the previous steps. 4. Click OK. 574 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA Configuring HA Interfaces 1. Select Config >Network >Interface. 2. On the menu bar, select LAN. The list of the AX devices physical Ethernet data interfaces appears. 3. Perform the following steps for each HA interface. (For information, see HA Interfaces on page554.) a. Click on the interface number. b. In the HA section, select Enabled next to HA Enabled. c. To specify the interface type, select one of the following or leave the setting None: Router-Interface Server-Interface Both d. To enable HA heartbeat messages, select Enabled next to Heartbeat. e. To restrict the HA heartbeat messages to a specific VLAN, enter the VLAN ID in the VLAN field. f. Click OK. Configuring HA Parameters on a Virtual Server 1. Select Config >Service >SLB. 2. On the menu bar, select Virtual Server. 3. Click on the virtual server name or click Add to add a new one. 4. In the General section, select the HA group ID from the HA Group drop-down list. Note: The Dynamic Server Weight option is used for VIP-based failover. For information, see VIP-based Failover on page558. 5. Configure other general settings, not related to HA, if needed. 6. If you plan to use session synchronization (connection mirroring) for a service port: a. In the Port section, click Add to add a new virtual service port or select an existing port and click Edit. The Virtual Server Port sec- tion appears. b. Select enabled next to HA Connection Mirror. c. Click OK. The service port list re-appears. P e r f o r m a n c e b y D e s i g n 575 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA Note: The GUI does not support enabling connection mirroring on some types of service ports. However, you can enable connection mirroring for these service types using the CLI. 7. Click OK to complete configuration of the virtual server. HA Configuration of AX1 FIGURE 150 Config >HA >Setting >HA Global 576 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA FIGURE 151 Config >Service >Network >LAN (Ethernet interface 1) Note: This example shows HA configuration of a single interface. Make sure to configure HA settings on the other HA interfaces too. FIGURE 152 Config >Service >SLB >Virtual Server (VIP1) P e r f o r m a n c e b y D e s i g n 577 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA FIGURE 153 Config >Service >SLB >Virtual Server (VIP2) HA Configuration of AX2 FIGURE 154 Config >HA >Setting 578 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA FIGURE 155 Config >Service >SLB >Virtual Server (VIP1) FIGURE 156 Config >Service >SLB >Virtual Server (VIP2) USING THE CLI 1. To configure the global HA parameters, use the following commands at the global configuration level of the CLI: ha id {1 | 2} [ set-id num] ha group group-id priority num floating-ip ipaddr ha-group group-id ha interface ethernet port-num [ router-interface | server-interface | both] [ no-heartbeat | vlan vlan-id] ha conn-mirror ip ipaddr ha preemption-enable 2. To add a virtual server to an HA group, use the following command at the configuration level for the virtual server: ha-group group-id P e r f o r m a n c e b y D e s i g n 579 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA Use the same HA group ID for the same virtual server, on both AX devices. 3. If session synchronization is globally enabled, use the following com- mand at the configuration level for the virtual port to enable session syn- chronization for the port: ha-conn-mirror 4. If IP NAT pools are configured, use the following option with the ip nat pool or ipv6 nat pool command. ha-group group-id (For the complete command syntax, see Table14 on page564.) Commands on AX1 This examples shows the CLI commands to implement the Active-Active configuration shown in Figure143 on page544. The following commands configure the HA ID and HA groups. Since this is an Active-Active configuration, both HA groups are configured. The prior- ity for group 1 is set to a low value. The same group will be set to a higher priority value on the other AX device. Likewise, the priority of group 2 is set to a high value on this AX device but will be set to a lower value on the other AX device. Later in the configuration, each virtual server will need to be added to one or the other of the HA groups. AX1( conf i g) #ha id 1 AX1( conf i g) #ha group 1 priority 1 AX1( conf i g) #ha group 2 priority 255 The following commands configure the floating IP addresses for each HA group. The real servers and the Layer 2 switches connected to them will need to be configured to use the floating IP addresses as their default gate- ways. AX1( conf i g) #floating-ip 10.10.10.1 ha-group 1 AX1( conf i g) #floating-ip 10.10.10.100 ha-group 2 The following commands configure the HA interfaces. The interface types are specified, so that the HA state of the AX device can be more precisely calculated based on HA interface state. (See HA Interfaces on page554.) 580 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA Heartbeat messages are disabled on all HA interfaces except the dedicated HA link between the AX devices. AX1( conf i g) #ha interface ethernet 1 router-interface no-heartbeat AX1( conf i g) #ha interface ethernet 2 router-interface no-heartbeat AX1( conf i g) #ha interface ethernet 3 server-interface no-heartbeat AX1( conf i g) #ha interface ethernet 4 server-interface no-heartbeat AX1( conf i g) #ha interface ethernet 5 The following command enables session synchronization (connection mir- roring). The feature also will need to be enabled on individual virtual ports, later in the configuration. The IP address is the real address of the other AX device. AX1( conf i g) #ha conn-mirror ip 10.10.30.2 The following command enables HA pre-emption, to ensure that the Active and Standby for each virtual server are chosen based on the configuration. By default, when HA is first configured, Active and Standby are selected based on which AX device comes up first. AX1( conf i g) #ha preemption-enable The following commands add each of the virtual servers to an HA group, and enables session synchronization on the virtual ports. (For brevity, this example does not show the complete SLB configuration, only the HA part of the SLB configuration.) AX1( conf i g) #slb virtual-server VIP1 AX( conf i g- sl b vi r t ual ser ver ) #ha-group 1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #ha-conn-mirror AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX( conf i g- sl b vi r t ual ser ver ) #exit AX1( conf i g) #slb virtual-server VIP2 AX1( conf i g- sl b vi r t ual ser ver ) #ha-group 2 AX1( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX1( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #ha-conn-mirror AX1( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX1( conf i g- sl b vi r t ual ser ver ) #exit P e r f o r m a n c e b y D e s i g n 581 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA Commands on AX2 Here are the commands for AX2. The priority values for the groups are dif- ferent from the values set on AX1, so that group 1 has higher priority on this AX device than on AX1. Likewise, the priority of group 2 is set so that its priority is higher on AX1. AX2( conf i g) #ha id 2 AX2( conf i g) #ha group 1 priority 255 AX2( conf i g) #ha group 2 priority 1 The floating IP addresses must be the same as the ones set on AX1. AX2( conf i g) #floating-ip 10.10.10.1 ha-group 1 AX2( conf i g) #floating-ip 10.10.10.100 ha-group 2 AX2( conf i g) #ha interface ethernet 1 router-interface no-heartbeat AX2( conf i g) #ha interface ethernet 2 router-interface no-heartbeat AX2( conf i g) #ha interface ethernet 3 server-interface no-heartbeat AX2( conf i g) #ha interface ethernet 4 server-interface no-heartbeat AX2( conf i g) #ha interface ethernet 5 The IP address for session synchronization is the address of AX1. AX2( conf i g) #ha conn-mirror ip 10.10.30.1 AX2( conf i g) #ha preemption-enable The HA configuration for virtual servers and virtual ports is identical to the configuration on AX1. AX2( conf i g) #slb virtual-server VIP1 AX2( conf i g- sl b vi r t ual ser ver ) #ha-group 1 AX2( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX2( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #ha-conn-mirror AX2( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX2( conf i g- sl b vi r t ual ser ver ) #exit AX2( conf i g) #slb virtual-server VIP2 AX2( conf i g- sl b vi r t ual ser ver ) #ha-group 2 AX2( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX2( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #ha-conn-mirror AX2( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #exit AX2( conf i g- sl b vi r t ual ser ver ) #exit 582 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 2 HA (Inline Mode) Configuring Layer 2 HA (Inline Mode) To configure Layer 2 HA: 1. Configure the following global HA parameters: HA ID HA group ID and priority. Configure only one group ID. Configure the same ID on both AX devices. Floating IP address (optional) Inline mode and optional preferred port Restart port list and time (optional) HA interfaces Session synchronization (optional) HA pre-emption (optional) 2. Add each virtual server to the HA group. 3. If session synchronization is globally enabled, enable it on the individ- ual virtual ports whose client sessions you want to synchronize. 4. If IP NAT pools are configured, add each pool to the HA group. Note: If source NAT is not configured for the VIP, but real servers send responses to a gateway IP address other than the AX floating IP address, CPU processing must be enabled on the AX interfaces connected to the real servers. This applies to the following AX models: AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. On other models, the option for CPU processing is not valid and is not required. Layer 2 Inline HA Configuration Example The following configuration examples implement the deployment shown in Figure145 on page548. In addition to the inline features described in this section, the sample configuration also uses the following HA features: Identification of HA interface type: server or router The interface types affect the AX devices summary link state for HA. (See HA Interfaces on page554.) Session synchronization (also called connection mirroring) Existing client sessions remain up during a failover. Floating IP The default gateway IP address used by the real servers is a floating IP address shared by the AX devices, rather than the IP address of the Active AX. Servers can still reach clients through their P e r f o r m a n c e b y D e s i g n 583 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 2 HA (Inline Mode) default gateway after an HA failover, without the need for the gateway address to be changed to the Standby AX devices address. USING THE GUI Configuring Global HA Parameters 1. Select Config >HA >Setting. a. In the General section, select the HA ID for the AX device from the Identifier drop-down list. b. Select Yes next to HA Status. c. To enable pre-emption, select Yes next to Preempt Status. d. To enable connection mirroring, enter the IP address of the other AX device in the HA Mirroring IP Address field. Note: Enter the real IP address of the AX device, not the floating IP address that downstream devices will use as their default gateway address. 2. In the Group section, configure HA group parameters: a. Select HA group 1 from the Group Name drop-down list. b. In the Priority field, enter the priority for HA group 1 and click Add. 3. In the Floating IP Address section, configure the floating IP address for the HA group. a. Select an HA group 1 from the Group Name drop-down list. b. Select the address type (IPv4 or IPv6). c. Enter the floating IP address for the group. d. Click Add. 4. Click OK. Configuring HA Interface Parameters 1. Select Config >Network >Interface. 2. On the menu bar, select LAN. The list of the AX devices physical Ethernet data interfaces appears. 3. Perform the following steps for each HA interface. (For information, see HA Interfaces on page554.) a. Click on the interface number. b. In the HA section, select Enabled next to HA Enabled. 584 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 2 HA (Inline Mode) c. To specify the interface type, select one of the following or leave the setting None: Router-Interface Server-Interface Both d. To enable HA heartbeat messages, select Enabled next to Heartbeat. e. To restrict the HA heartbeat messages to a specific VLAN, enter the VLAN ID in the VLAN field. f. If source NAT is not configured for the VIP, but real servers send responses to a gateway IP address other than the AX floating IP address, select CPU Process in the General section. This require- ment applies to the following AX models: AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. On other models, the command for CPU processing is not valid and is not required. g. Click OK. Configuring Inline Parameters 1. Select Config >HA >Setting. 2. Select HA Inline Mode on the menu bar. 3. Select Enabled next to Inline Mode Status. 4. Select the preferred port. 5. In Restart Port List section, select the HA interfaces. 6. Click >>to move them to the Selected list. 7. Click OK. The following GUI screens configure HA on AX1 in Figure145 on page548. P e r f o r m a n c e b y D e s i g n 585 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 2 HA (Inline Mode) FIGURE 157 Config >HA >Setting 586 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 2 HA (Inline Mode) FIGURE 158 Config >Service >Network >LAN (Ethernet interface 1) Note: This example shows HA configuration of a single interface. Make sure to configure HA settings on the other HA interfaces too. FIGURE 159 Config >HA >Setting >HA Inline Mode P e r f o r m a n c e b y D e s i g n 587 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 2 HA (Inline Mode) USING THE CLI Commands on AX1 The following commands configure the HA ID and set the HA priority. HA priority is associated with an HA group. Since inline mode is supported only in Active-Standby configurations, only one HA group is used. Later in the configuration, the VIP is assigned to this HA group. AX1( conf i g) #ha id 1 AX1( conf i g) #ha group 1 priority 255 The following command enables inline HA mode and specifies the pre- ferred HA port. AX1( conf i g) #ha inline-mode preferred-port 5 The following commands configure the HA interfaces. Each interface that is connected to a server, a router, or the other AX can be configured as an HA interface. Make sure to add the preferred HA port as one of the HA inter- faces. AX1( conf i g) #ha interface ethernet 1 router-interface no-heartbeat AX1( conf i g) #ha interface ethernet 2 router-interface no-heartbeat AX1( conf i g) #ha interface ethernet 3 server-interface AX1( conf i g) #ha interface ethernet 4 server-interface AX1( conf i g) #ha interface ethernet 5 The following command enables restart of the HA ports connected to the routers, to occur if the AX transitions to Standby. AX1( conf i g) #ha restart-port-list ethernet 1 to 2 Note: If source NAT is not configured for the VIP, but real servers send responses to a gateway IP address other than the AX floating IP address, enter the cpu-process command at the configuration level for each inter- face connected to the real servers. This requirement applies to the follow- ing AX models: AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. On other models, the command for CPU processing is not valid and is not required. The following command enables HA pre-emption mode, which causes failover to occur in response to administrative changes to the HA configura- tion. (For example, if you change the HA priority so that the other AX has higher priority, this will trigger a failover, but only if pre-emption mode is enabled.) AX1( conf i g) #ha preemption-enable 588 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 2 HA (Inline Mode) The following command specifies the IP address of the other AX, to use for session synchronization. AX1( conf i g) #ha conn-mirror ip 172.168.10.3 The following command configures the floating IP address for the real serv- ers to use as their default gateway address. AX1( conf i g) #floating-ip 172.168.10.1 ha-group 1 The following commands configure a health method, real servers, a server group, and a VIP for an HTTP service. AX1( conf i g) #health monitor myHttp interval 10 retry 2 timeout 3 AX1( conf i g- heal t h: moni t or ) #method http url HEAD /index.html AX1( conf i g- heal t h: moni t or ) #exit AX1( conf i g) #slb server s1 172.168.10.30 AX1( conf i g- r eal ser ver ) #port 80 tcp AX1( conf i g- r eal ser ver - node por t ) #health-check myHttp AX1( conf i g- r eal ser ver - node por t ) #exit AX1( conf i g- r eal ser ver ) #exit AX1( conf i g) #slb server s2 172.168.10.31 AX1( conf i g- r eal ser ver ) #port 80 tcp AX1( conf i g- r eal ser ver - node por t ) #health-check myHttp AX1( conf i g- r eal ser ver - node por t ) #exit AX1( conf i g- r eal ser ver ) #exit AX1( conf i g) #slb service-group g80 tcp AX1( conf i g- sl b ser vi ce gr oup) #member s1:80 AX1( conf i g- sl b ser vi ce gr oup) #member s2:80 AX1( conf i g- sl b ser vi ce gr oup) #exit AX1( conf i g) #slb virtual-server v1 172.168.10.80 AX1( conf i g- sl b vi r t ual ser ver ) #ha-group 1 AX1( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX1( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group g80 AX1( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #ha-conn-mirror P e r f o r m a n c e b y D e s i g n 589 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 2 HA (Inline Mode) Commands on AX2 Here are the commands for implementing HA on the standby AX, AX2. Most of the commands are the same as those on AX1, with the following exceptions: The HA ID is 2. The HA priority is 1. The session synchronization (conn-mirror) IP address is the address of the Active AX. (On the Active AX, the session synchronization IP address is the address of the Standby AX.) AX2( conf i g) #ha id 2 AX2( conf i g) #ha group 1 priority 1 AX2( conf i g) #ha interface ethernet 1 router-interface no-heartbeat AX2( conf i g) #ha interface ethernet 2 router-interface no-heartbeat AX2( conf i g) #ha interface ethernet 3 server-interface AX2( conf i g) #ha interface ethernet 4 server-interface AX2( conf i g) #ha interface ethernet 5 AX2( conf i g) #ha inline-mode preferred-port 5 AX2( conf i g) #ha restart-port-list ethernet 1 to 2 AX2( conf i g) #ha preemption-enable AX2( conf i g) #ha conn-mirror ip 172.168.10.2 AX2( conf i g) #floating-ip 172.168.10.1 ha-group 1 AX2( conf i g) #health monitor myHttp interval 10 retry 2 timeout 3 AX2( conf i g- heal t h: moni t or ) #method http url HEAD /index.html AX2( conf i g- heal t h: moni t or ) #exit AX2( conf i g) #slb server s1 172.168.10.30 AX2( conf i g- r eal ser ver ) #port 80 tcp AX2( conf i g- r eal ser ver - node por t ) #health-check myHttp AX2( conf i g- r eal ser ver - node por t ) #exit AX2( conf i g- r eal ser ver ) #exit AX2( conf i g) #slb server s2 172.168.10.31 AX2( conf i g- r eal ser ver ) #port 80 tcp AX2( conf i g- r eal ser ver - node por t ) #health-check myHttp AX2( conf i g- r eal ser ver - node por t ) #exit AX2( conf i g- r eal ser ver ) #exit AX2( conf i g) #slb service-group g80 tcp AX2( conf i g- sl b ser vi ce gr oup) #member s1:80 AX2( conf i g- sl b ser vi ce gr oup) #member s2:80 AX2( conf i g- sl b ser vi ce gr oup) #exit 590 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA (Inline Mode) AX2( conf i g) #slb virtual-server v1 172.168.10.80 AX2( conf i g- sl b vi r t ual ser ver ) #ha-group 1 AX2( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX2( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group g80 AX2( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #ha-conn-mirror Configuring Layer 3 HA (Inline Mode) To configure Layer 3 HA: 1. Configure the following global HA parameters: HA ID HA group ID and priority. Configure only one group ID. Configure the same ID on both AX devices. Floating IP address (optional) Inline mode HA interfaces Session synchronization (optional) HA pre-emption (optional) 2. Enable CPU processing on the Ethernet interfaces that will receive server replies to client requests. 3. Add each virtual server to the HA group. 4. If session synchronization is globally enabled, enable it on the individ- ual virtual ports whose client sessions you want to synchronize. 5. If IP NAT pools are configured, add each pool to the HA group. P e r f o r m a n c e b y D e s i g n 591 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA (Inline Mode) Layer 3 Inline HA Configuration Example The following configuration example implements the deployment shown in Figure146 on page551. Note: The GUI does not support configuration of Layer 3 inline mode in the current release. USING THE CLI 1. To enable Layer 3 inline mode, use the following command at the glo- bal configuration level of the CLI: ha l3-inline-mode 2. To enable CPU processing on an interface, use the following command at the configuration level for the interface: cpu-process If the interface is part of a trunk, use the command on the lead interface of the trunk. (The lead interface of a trunk is the lowest-numbered inter- face in the trunk.) Commands on AX1 The following commands configure the interfaces. Since Ethernet interfaces 3 and 4 will receive server replies to client requests, CPU processing is enabled on those interfaces. AX1( conf i g) #interface ethernet 1 AX1( conf i g- i f : et her net 1) #enable AX1( conf i g- i f : et her net 1) #interface ethernet 2 AX1( conf i g- i f : et her net 2) #enable AX1( conf i g- i f : et her net 2) #interface ethernet 3 AX1( conf i g- i f : et her net 3) #enable AX1( conf i g- i f : et her net 3) #cpu-process AX1( conf i g- i f : et her net 3) #interface ethernet 4 AX1( conf i g- i f : et her net 4) #enable AX1( conf i g- i f : et her net 4) #cpu-process AX1( conf i g- i f : et her net 4) #interface ethernet 5 AX1( conf i g- i f : et her net 5) #enable AX1( conf i g- i f : et her net 5) #exit AX1( conf i g) #vlan 100 AX1( conf i g- vl an: 100) #untagged ethernet 1 to 4 AX1( conf i g- vl an: 100) #router-interface ve 1 AX1( conf i g- vl an: 100) #exit 592 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA (Inline Mode) AX1( conf i g) #vlan 5 AX1( conf i g- vl an: 5) #untagged ethernet 5 AX1( conf i g- vl an: 5) #router-interface ve 5 AX1( conf i g- vl an: 5) #exit AX1( conf i g) #interface ve1 AX1( conf i g- i f : ve1) #ip address 172.168.10.2 /24 AX1( conf i g- i f : ve1) #interface ve5 AX1( conf i g- i f : ve5) #ip address 172.168.20.2 /24 AX1( conf i g- i f : ve5) #exit The following commands configure the HA ID and set the HA priority. HA priority is associated with an HA group. Later in the configuration, the VIP is assigned to this HA group. AX1( conf i g) #ha id 1 AX1( conf i g) #ha group 1 priority 255 The following command enables Layer 3 inline HA mode. AX1( conf i g) #ha l3-inline-mode The following commands configure the HA interfaces. Each interface that is connected to a server, a router, or the other AX can be configured as an HA interface. (Make sure to add the dedicated HA link between the AX devices as one of the HA interfaces.) AX1( conf i g) #ha interface ethernet 1 router-interface no-heartbeat AX1( conf i g) #ha interface ethernet 2 router-interface no-heartbeat AX1( conf i g) #ha interface ethernet 3 server-interface AX1( conf i g) #ha interface ethernet 4 server-interface AX1( conf i g) #ha interface ethernet 5 The following command enables restart of the HA ports connected to the routers, to occur if the AX transitions to Standby. AX1( conf i g) #ha restart-port-list ethernet 1 to 2 The following command enables HA pre-emption mode, which causes failover to occur in response to administrative changes to the HA configura- tion. (For example, if you change the HA priority so that the other AX has higher priority, this will trigger a failover, but only if pre-emption mode is enabled.) AX1( conf i g) #ha preemption-enable The following command specifies the IP address of the other AX, to use for session synchronization. AX1( conf i g) #ha conn-mirror ip 172.168.10.3 P e r f o r m a n c e b y D e s i g n 593 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA (Inline Mode) The following command configures the floating IP address for the real serv- ers to use as their default gateway address. AX1( conf i g) #floating-ip 172.168.10.1 ha-group 1 The following commands configure a health method, real servers, a server group, and a VIP for an HTTP service. AX1( conf i g) #health monitor myHttp interval 10 retry 2 timeout 3 AX1( conf i g- heal t h: moni t or ) #method http url HEAD /index.html AX1( conf i g- heal t h: moni t or ) #exit AX1( conf i g) #slb server s1 172.168.10.30 AX1( conf i g- r eal ser ver ) #port 80 tcp AX1( conf i g- r eal ser ver - node por t ) #health-check myHttp AX1( conf i g- r eal ser ver - node por t ) #exit AX1( conf i g- r eal ser ver ) #exit AX1( conf i g) #slb server s2 172.168.10.31 AX1( conf i g- r eal ser ver ) #port 80 tcp AX1( conf i g- r eal ser ver - node por t ) #health-check myHttp AX1( conf i g- r eal ser ver - node por t ) #exit AX1( conf i g- r eal ser ver ) #exit AX1( conf i g) #slb service-group g80 tcp AX1( conf i g- sl b ser vi ce gr oup) #member s1:80 AX1( conf i g- sl b ser vi ce gr oup) #member s2:80 AX1( conf i g- sl b ser vi ce gr oup) #exit AX1( conf i g) #slb virtual-server v1 172.168.10.80 AX1( conf i g- sl b vi r t ual ser ver ) #ha-group 1 AX1( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX1( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group g80 AX1( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #ha-conn-mirror Commands on AX2 Here are the commands for implementing HA on AX2. Most of the com- mands are the same as those on AX1, with the following exceptions: The IP interfaces are different. The HA ID is 2. The HA priority is 1. The session synchronization (conn-mirror) IP address is the address of AX1. (On AX1, the session synchronization IP address is the address of AX2.) 594 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA (Inline Mode) AX2( conf i g) #interface ethernet 1 AX2( conf i g- i f : et her net 1) #enable AX2( conf i g- i f : et her net 1) #interface ethernet 2 AX2( conf i g- i f : et her net 2) #enable AX2( conf i g- i f : et her net 2) #interface ethernet 3 AX2( conf i g- i f : et her net 3) #enable AX1( conf i g- i f : et her net 3) #cpu-process AX2( conf i g- i f : et her net 3) #interface ethernet 4 AX2( conf i g- i f : et her net 4) #enable AX1( conf i g- i f : et her net 4) #cpu-process AX2( conf i g- i f : et her net 4) #interface ethernet 5 AX2( conf i g- i f : et her net 5) #enable AX2( conf i g- i f : et her net 5) #exit AX2( conf i g) #vlan 100 AX2( conf i g- vl an: 100) #untagged ethernet 1 to 4 AX2( conf i g- vl an: 100) #router-interface ve 1 AX2( conf i g- vl an: 100) #exit AX2( conf i g) #vlan 5 AX2( conf i g- vl an: 5) #untagged ethernet 5 AX2( conf i g- vl an: 5) #router-interface ve 5 AX2( conf i g- vl an: 5) #exit AX2( conf i g) #interface ve1 AX2( conf i g- i f : ve1) #ip address 172.168.10.23 /24 AX2( conf i g- i f : ve1) #interface ve5 AX2( conf i g- i f : ve5) #ip address 172.168.20.3 /24 AX2( conf i g- i f : ve5) #exit AX2( conf i g) #ha id 2 AX2( conf i g) #ha group 1 priority 1 AX2( conf i g) #ha interface ethernet 1 router-interface no-heartbeat AX2( conf i g) #ha interface ethernet 2 router-interface no-heartbeat AX2( conf i g) #ha interface ethernet 3 server-interface AX2( conf i g) #ha interface ethernet 4 server-interface AX2( conf i g) #ha interface ethernet 5 AX2( conf i g) #ha l3-inline-mode AX2( conf i g) #ha restart-port-list ethernet 1 to 2 AX2( conf i g) #ha preemption-enable AX2( conf i g) #ha conn-mirror ip 172.168.10.2 AX2( conf i g) #floating-ip 172.168.10.1 ha-group 1 AX2( conf i g) #health monitor myHttp interval 10 retry 2 timeout 3 AX2( conf i g- heal t h: moni t or ) #method http url HEAD /index.html AX2( conf i g- heal t h: moni t or ) #exit P e r f o r m a n c e b y D e s i g n 595 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Layer 3 HA (Inline Mode) AX2( conf i g) #slb server s1 172.168.10.30 AX2( conf i g- r eal ser ver ) #port 80 tcp AX2( conf i g- r eal ser ver - node por t ) #health-check myHttp AX2( conf i g- r eal ser ver - node por t ) #exit AX2( conf i g- r eal ser ver ) #exit AX2( conf i g) #slb server s2 172.168.10.31 AX2( conf i g- r eal ser ver ) #port 80 tcp AX2( conf i g- r eal ser ver - node por t ) #health-check myHttp AX2( conf i g- r eal ser ver - node por t ) #exit AX2( conf i g- r eal ser ver ) #exit AX2( conf i g) #slb service-group g80 tcp AX2( conf i g- sl b ser vi ce gr oup) #member s1:80 AX2( conf i g- sl b ser vi ce gr oup) #member s2:80 AX2( conf i g- sl b ser vi ce gr oup) #exit AX2( conf i g) #slb virtual-server v1 172.168.10.80 AX2( conf i g- sl b vi r t ual ser ver ) #ha-group 1 AX2( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX2( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group g80 AX2( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #ha-conn-mirror 596 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Optional Failover Triggers Configuring Optional Failover Triggers The following sections show how to configure the following optional failover triggers: VLAN-based failover Gateway-based failover VIP-based failover Only the configuration relevant to the triggers is shown. A complete HA configuration also includes the configuration items described in the previ- ous sections. Note: Failover based on HA interface state is also optional, and is described in other sections in this chapter. VLAN-Based Failover Example To configure VLAN-based failover, use either of the following methods. (For a description of the feature, see VLAN-based Failover on page556.) USING THE GUI 1. Select Config >HA >Setting >HA Global. 2. In the Status Check section, enter the VLAN ID in the VLAN ID field. 3. Enter the timeout in the Timeout field. The timeout can be 2-600 seconds. You must specify the timeout. Although there is no default, A10 recommends trying 30 seconds. 4. Click Add. 5. Repeat step2 through step4 for each VLAN to be monitored for HA. 6. Click OK. P e r f o r m a n c e b y D e s i g n 597 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Optional Failover Triggers USING THE CLI To enable HA checking for a VLAN, use the following command at the global configuration level of the CLI: [ no] ha check vlan vlan-id timeout seconds The timeout can be 2-600 seconds. You must specify the timeout. Although there is no default, A10 recommends trying 30 seconds. The following command enables VLAN-based failover for VLAN 10 and sets the timeout to 30 seconds: AX( conf i g) #ha check vlan 10 timeout 30 Gateway-Based Failover Example To configure gateway-based failover, use either of the following methods. (For a description of the feature, see Gateway-based Failover on page556.) USING THE GUI 1. Configure a health monitor that uses the ICMP method: a. Select Config >Service >Health Monitor. b. Select Health Monitor on the menu bar. c. Click Add. d. In the Health Monitor section, enter a name for the monitor. e. In the Method section, select ICMP from the Type drop-down list. f. Click OK. 2. Configure the gateway as an SLB real server and apply the ICMP health monitor to the server: a. Select Config >Service >SLB. b. Select Server on the menu bar. c. Click Add. The General section appears. d. In the General section, enter a name for the gateway in the Name field. e. In the IP Address field, enter the IP address of the gateway. 598 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Optional Failover Triggers f. In the Health Monitor drop-down list, select the ICMP health moni- tor you configured in step1. g. Click OK. 3. Enable gateway-based failover: a. Select Config >HA >Setting >HA Global. b. In the Status Check section, enter the IP address of the gateway in the IP Address field. c. Click Add. d. Repeat stepb and stepc for each gateway to be monitored for HA. e. Click OK. USING THE CLI 1. To configure a health monitor for a gateway, use the following com- mands. [ no] health monitor monitor-name Enter this command at the global Config level. [ no] method icmp Enter this command at the configuration level for the health monitor. 2. To configure the gateway as an SLB real server and apply the health monitor to the server, use the following command. [ no] slb server server-name ipaddr [ no] health-check monitor-name 3. To enable HA health checking for the gateway, use the following com- mand at the global configuration level. [ no] ha check gateway ipaddr CLI Example The following commands configure an ICMP health method: AX( conf i g) #health monitor gatewayhm1 AX( conf i g- heal t h: moni t or ) #method icmp AX( conf i g- heal t h: moni t or ) #exit P e r f o r m a n c e b y D e s i g n 599 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Optional Failover Triggers The following commands configure a real server for the gateway and apply the health monitor to it: AX( conf i g) #slb server gateway1 10.10.10.1 AX( conf i g- r eal ser ver ) #health-check gatewayhm1 AX( conf i g- r eal ser ver ) #exit The following command enables HA health checking for the gateway: AX( conf i g) #ha check gateway 10.10.10.1 Route-Based Failover Example You can configure HA route awareness for IPv4 routes and IPv6 routes. Note: The current release does not support this feature in the GUI. HA Route Awareness for IPv4 Routes To configure HA route awareness for an IPv4 route, use the following com- mand at the global configuration level of the CLI: [ no] ha check route destination-ipaddr / mask-length priority-cost weight [ gateway ipaddr] [ protocol {static | dynamic}] [ distance num] The destination-ipaddr /mask-length option specifies the destination IPv4 subnet of the route. The priority-cost weight option specifies the value to subtract from the HA priority of each HA group, if the IP route table does not have a route to the destination subnet. The gateway addr option specifies the next-hop gateway for the route. The protocol option specifies the source of the route: static The route was added by an administrator. dynamic The route was added by a routing protocol. (This includes redistributed routes.) The distance num option specifies the metric value (cost) of the route. 600 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Optional Failover Triggers Omitting an optional parameter matches on all routes. For example, if you do not specify the next-hop gateway, routes that match based on the other parameters can have any next-hop gateway. HA Route Awareness for IPv6 Routes To configure HA route awareness for an IPv6 route, use the following com- mand at the global configuration level of the CLI: [ no] ha check route destination-ipv6addr/ mask-length priority-cost weight [ gateway ipv6addr] [ protocol {static | dynamic}] [ distance num] The destination-ipv6addr/mask-length option specifies the destination IPv6 address. The other options are the same as those for IPv4 routes. (See above.) CLI Examples The following command configures HA route awareness for a default IPv4 route. If this route is not in the IP route table, 255 is subtracted from the HA priority of all HA groups. AX( conf i g) #ha check route 0.0.0.0 /0 priority-cost 255 Note: The lowest possible HA priority value is 1. Deleting 255 sets the HA pri- ority value to 1, regardless of the original priority value. The following command configures HA route awareness for a dynamic route to subnet 10.10.10.x with route cost 10. If the IP route table does not have a dynamic route to this destination with the specified cost, 10 is sub- tracted from the HA priority value for each HA group. AX( conf i g) #ha check route 10.10.10.0 /24 priority-cost 10 protocol dynamic dis- tance 10 The following commands configure HA route awareness for an IPv6 route to 3000::/64. Based on the combination of these commands, if the IPv6 route table does not contain any routes to the destination, 105 is subtracted from the HA priority of each HA group. If the IPv6 route table does contain a static route to the destination, but the next-hop gateway is not 2001::1, the AX device subtracts only 5 from the HA priority of each HA group. AX( conf i g) #ha check route 3000::/64 priority-cost 100 AX( conf i g) #ha check route 3000::/64 priority-cost 5 protocol static gateway 2001::1 P e r f o r m a n c e b y D e s i g n 601 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Optional Failover Triggers VIP-Based Failover Example To configure VIP-based failover, use either of the following methods. These procedures apply specifically to the VIP-based failover parameters. You also need to configure HA global and interface parameters. See Con- figuring Global HA Parameters on page573 and Configuring HA Inter- faces on page574. (For a description of the feature, see VIP-based Failover on page558.) USING THE GUI To configure VIP-based failover on a virtual server: 1. Configure HA global and interface parameters, if you have not already done so. 2. Select Config >Service >SLB. 3. On the menu bar, select Virtual Server. 4. Click on the virtual server name or click Add to create a new one. 5. Select the HA group from the HA Group drop-down list. The Dynamic Server Weight field appears. Note: If the HA Group drop-down list does not have any group IDs, you still need to configure global HA parameters. See Configuring Global HA Parameters on page573. 6. Enter other parameters if needed (for example, the name, IP address, and virtual service ports). 7. Click OK. USING THE CLI To configure VIP-based failover, use the following commands: [ no] ha-group group-id Enter this command at the configuration level for a virtual server, to assign the virtual server to the HA group. The group-id can be 1-31. [ no] ha-dynamic server-weight 602 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Optional Failover Triggers Enter this command at the configuration level for the virtual server to enable VIP-based failover. The server-weight specifies the amount to sub- tract from the HA group's priority value for each real server that becomes unavailable. The weight can be 1-255. The default is 1. CLI Example The following command configures HA group 6 on AX-1 and assigns prior- ity 100 to the group: AX- 1( conf i g) #ha group 6 priority 100 The following command enables HA pre-emption. HA pre-emption must be enabled in order for failover to occur based on HA group priority changes. AX- 1( conf i g) #ha preemption-enable The following command configures a floating IP address and assigns it to HA group 6: AX- 1( conf i g) #floating-ip 192.168.10.1 ha-group 6 The following commands assign virtual server VIP2 to HA group 6 and enable VIP-based failover for the virtual server. (For simplicity, this exam- ple does not show configuration of the real servers or non-HA virtual server options.) AX- 1( conf i g) #slb virtual VIP2 192.168.10.22 AX- 1( conf i g- sl b vi r t ual ser ver ) #ha-group 6 AX- 1( conf i g- sl b vi r t ual ser ver ) #ha-dynamic 10 The following commands configure the HA settings on AX-2. The priority for HA group 6 is set to 80. The server weight for HA group 6 on VIP2 is set to 10, the same weight value set on AX-1. Up to 2 real servers bound to VIP2 can become unavailable on AX-1 without triggering a failover. How- ever, if a third real server becomes unavailable, the priority of HA group 6 is reduced to 70, which is lower than the priority value set on AX-2 for the group. In this case, a failover does occur for VIP2. AX- 2( conf i g) #ha group 6 priority 80 AX- 2( conf i g) #ha preemption-enable AX- 2( conf i g) #floating-ip 192.168.10.1 ha-group 6 AX- 2( conf i g) #slb virtual VIP2 192.168.10.22 AX- 2( conf i g- sl b vi r t ual ser ver ) #ha-group 6 AX- 2( conf i g- sl b vi r t ual ser ver ) #ha-dynamic 10 P e r f o r m a n c e b y D e s i g n 603 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Forcing Active Groups to Change to Standby Status Forcing Active Groups to Change to Standby Status To force HA groups to change from Active to Standby status, use the fol- lowing command at the global configuration level of the CLI: [ no] ha force-self-standby [ group-id] If you specify a group ID, only the specified group is forced to change from Active to Standby. If you do not specify a group ID, all Active groups are forced to change to Standby status. CLI Example The following command forces HA group 1 to change from Active to Standby status: AX( conf i g) #ha force-self-standby 1 Enabling Session Synchronization Session synchronization backs up live client sessions on the Backup AX device. To enable session synchronization: Globally enable the feature, specifying the IP address of the other AX device in the HA pair. Enable the feature on individual virtual ports. Session synchronization is supported for Layer 4 sessions. Note: HA session synchronization is required for persistent sessions (source-IP persistence, and so on), and is therefore automatically enabled for these sessions by the AX device. Persistent sessions are synchronized even if session synchronization is disabled in the configuration. USING THE GUI To globally enable the feature: 1. Select Config >HA >Setting. 2. On the menu bar, select HA Global. 604 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Enabling Session Synchronization 3. In the Mirror IP Address field, enter the IP address of the other AX device in the HA pair. 4. Click OK or Apply. To enable the feature on individual virtual ports: 1. Select Config >Service >Server. 2. On the menu bar, select Virtual Server. 3. Click on the virtual server name. 4. On the Port tab, select the port and click Edit. 5. Select Enabled next to HA Connection Mirror. Note: If the HA Connection Mirror option is not displayed, session synchroniza- tion is not supported for this service type. 6. Click OK to redisplay the Port tab. 7. Click OK again. USING THE CLI To globally enable session synchronization, use the following command at the global configuration level of the CLI: [no] ha conn-mirror ip ipaddr The ipaddr must be an IP address on the other AX device. To enable session synchronization on a virtual port, use the following com- mand at the configuration level for the port: [no] ha-conn-mirror CLI Example The following command sets the session synchronization address to 10.10.10.66, the IP address of the other AX in this HA pair: AX( conf i g) #ha conn-mirror ip 10.10.10.66 The following commands access the configuration level for a virtual port and enable connection mirroring on the port: P e r f o r m a n c e b y D e s i g n 605 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring OSPF-Related HA Parameters AX( conf i g) #slb virtual-server vip1 10.10.10.100 AX( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #ha-conn-mirror Configuring OSPF-Related HA Parameters The following sections describe how to configure OSPF-related HA param- eters. OSPF Awareness of HA The AX device uses HA-aware VIPs, floating IPs, IP NAT pools, and IP range lists with route redistribution to achieve HA-aware dynamic routing. However, by default, the OSPF protocol on the AX device is not aware of the HA state (Active or Standby) of the AX device. Consequently, following HA failover of an AX device, other OSPF routers might continue forward- ing traffic to the Standby AX device (the former Active AX device), instead of the new Active AX device. Note: In Layer 3 inline mode, all VLANs on the AX device participate in OSPF routing by default. (See OSPF Support on Standby AX in Layer 3 Inline Mode on page606.) You can assign an additional cost to an AX devices OSPF interfaces when the HA status for any group on the device is Standby. If failover of one or more HA groups from Active to Standby occurs, the AX device does the following: Updates the cost of all its OSPF interfaces Sends Link-State Advertisement (LSA) updates to its OSPF neighbors advertising the interface cost change After an OSPF neighbor receives the LSA update, the neighbor updates its OSPF link-state database with the increased cost of the links. The increased cost biases route selection away from paths that use the Standby AX device. Similarly, if a failover results in HA status Active for all HA groups on an AX device, the device removes the additional cost added for Standby status from all its OSPF interfaces and sends LSA updates to advertise the change. The reduced cost biases route selection toward paths that use the Active AX device and away from paths that use the Standby AX device. 606 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Synchronizing Configuration Information Note: The additional cost for Standby status is removed only if the HA status for all HA groups on the device is Active. Otherwise, if the status of any of the groups is Standby, the additional cost remains in effect for all OSPF interfaces on the device. Enabling OSPF Awareness of HA To enable OSPF awareness of HA, use the following command at the OSPF configuration level. [ no] ha-standby-extra-cost num The num option specifies the extra cost to add to the AX devices OSPF interfaces, if the HA status of one or more of the devices HA groups is Standby. You can specify 1-65535. If the resulting cost value is more than 65535, the cost is set to 65535. Enter the command on each of the AX devices in the HA pair. OSPF Support on Standby AX in Layer 3 Inline Mode In HA Layer 3 inline mode deployments, OSPF adjacencies are automati- cally formed between the Active and Standby AX devices and all OSPF routers on all VLANs. To limit OSPF adjacency formation to a specific VLAN only, explicitly configure adjacency formation for that VLAN. In this case, OSPF adja- cency formation does not occur for any other VLANs. Use the following command at the global configuration level of the CLI: ha ospf-inline vlan vlan-id Synchronizing Configuration Information You can use config-sync options to synchronize some or all of the follow- ing: Startup-config, to the other AX devices startup-config or running-con- fig Running-config, to the other AX devices running-config or startup-con- fig) P e r f o r m a n c e b y D e s i g n 607 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Synchronizing Configuration Information Data files: SSL certificates and private-key files aFleX files External health check files Black/white-list files Requirements Session synchronization (connection mirroring) is required for config sync. Config sync uses the session synchronization link. To enable session syn- chronization, see Enabling Session Synchronization on page603. SSH management access must be enabled on both ends of the link. (See Securing Admin Access by Ethernet on page687.) Configuration Items That Are Backed Up The following configuration items are backed up during HA configuration synchronization: Admin accounts and settings Floating IP addresses IP NAT configuration Access control lists (ACLs) Health monitors Policy-based SLB (black/white lists) SLB FWLB GSLB Data Files: aFleX files External health check files SSL certificate and private-key files Black/white-list files Note: For IP NAT configuration items to be backed up, you must specify an HA group ID as part of the NAT configuration. 608 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Synchronizing Configuration Information Configuration Items That Are Not Backed Up The following configuration items are not backed up during HA configura- tion synchronization: Management access settings (the ones described in Securing Admin Access by Ethernet on page687) AX Hostname MAC addresses Management IP addresses Trunks or VLANs Interface settings OSPF settings ARP entries or settings Reload of the Target AX Device In certain cases, the target AX device is automatically reloaded, but in other cases, reload is either optional or is not allowed. Table15 lists the cases in which reload is automatic, optional, or not allowed. TABLE 15 Reload of Target AX Device After Config-Sync Admin Role Status of Target AX 1 Target Config Reload? Root or Super User (Read-Write) Standby startup-config Automatic running-config Automatic Active startup-config Optional 2
Not reloaded by default running-config Automatic Partition Write Standby startup-config Not Allowed running-config Not Allowed Active startup-config Not Allowed running-config Not Allowed 1. Active means the AX device is currently the active device for at least one HA group. 2. If the target AX device is not reloaded, the GUI Save button on the Standby AX device does not blink to indicate unsaved changes. It is recommended to save the configuration if required to keep the running-config before the next reboot. P e r f o r m a n c e b y D e s i g n 609 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Synchronizing Configuration Information An admin who is logged on with Root or Read-Write (Super Admin) privi- leges can synchronize for all Role-Based Administration (RBA) partitions or for a specific partition. An admin who is logged on with Partition Write privileges can synchronize only for the partition to which the admin is assigned, and can only synchro- nize to the startup-config on the other device. The with-reload and to-run- ning-config options are not available to Partition Write admins. Caveats Before synchronizing the Active and Standby AX devices, verify that both are running the same software version. HA configuration synchronization between two different software versions is not recommended, since some configuration commands in the newer version might not be supported in the older version. The HA configuration synchronization process does not check user privi- leges on the Standby AX device and will synchronize to it using read-only privileges. However, you must be logged onto the Active AX with configu- ration (read-write) access. If the configuration includes Policy-based SLB (black/white lists), the time it takes for synchronization depends on the size of the black/white-list file. This is because the synchronization process is blocked until the files are transferred from active to standby. Do not make other configuration changes to the Active or Standby AX device during synchronization. Data that is synchronized from a Standby AX device to an Active AX device is not available on the Active AX device until that device is rebooted or the software is reloaded. 610 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Synchronizing Configuration Information Performing HA Synchronization To synchronize the AX devices in an HA configuration, use the CLI com- mands described below. USING THE GUI 1. Select Config >HA >Config Sync. 2. In the User and Password fields, enter the admin username and pass- word for logging onto the other AX device. 3. If Role-Based Administration (RBA) is configured on the AX device, select whether to synchronize all partitions or only the currently selected partition. (For information, see Synchronizing the Configuration on page822.) 4. Next to Operation, select the information to be copied to the other AX device: All Copies all the following to the other AX device: Floating IP addresses IP NAT configuration Access control lists (ACLs) Health monitors Policy-based SLB (black/white lists) SLB FWLB GSLB Data files (see below) The items listed above that appear in the configuration file are cop- ied to the other AX devices running-config. Data Files Copies only the SSL certificates and private-key files, aFleX files, External health check files, and black/white-list files to the other AX device Running-config Copies everything listed for the All option, except the data files, from this AX devices running-config Startup-config Copies everything listed for the All option, except the data files, from this AX devices startup-config 5. Next to Peer Option, select the target for the synchronization: To Running-config Copies the items selected in step4 to the other AX devices running-config To Startup-config Copies the items selected in step4 to the other AX devices startup-config P e r f o r m a n c e b y D e s i g n 611 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Synchronizing Configuration Information 6. To reload the other AX device after synchronization, select With Reload. Otherwise, the other AX device is not reloaded following the synchronization. Note: In some cases, reload of the other AX device either is automatic or is not allowed. See Table15 on page608. 7. Click OK. USING THE CLI The ha sync commands are available at the global configuration level of the CLI. Note: The all-partitions and partition partition-name options are applicable on AX devices that are configured for Role-Based Administration (RBA). For information, see Role-Based Administration on page807. To synchronize data files and the running-config, use the following com- mand: ha sync all {to-startup-config [ with-reload] | to-running-config} [ all-partitions | partition partition-name] Note: In some cases, reload of the other AX device either is automatic or is not allowed. See Table15 on page608. To synchronize the Active AX devices startup-config to the Standby AX devices startup-config or running-config, without also synchronizing the data files, use the following command: ha sync startup-config {to-startup-config [ with-reload] | to-running-config} [ all-partitions | partition partition-name] To synchronize the Active AX devices running-config to the Standby AX devices running-config or startup-config, without also synchronizing the data files, use the following command: ha sync running-config {to-startup-config [ with-reload] | to-running-config} [ all-partitions | partition partition-name] To synchronize the data files by copying the Active AX devices data files to the Standby AX device, use the following command: 612 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Tip for Ensuring Fast HA Failover ha sync data-files [ all-partitions | partition partition-name] Tip for Ensuring Fast HA Failover You can use health checking of the upstream and downstream routers to help ensure rapid HA failover. The time it takes for traffic to reconverge following HA failover can vary based on the network environment, and depends on the following: How fast the ARPs (typically, ARPs of the default gateways) are learned on the newly active AX device How fast the MAC tables in the devices along the traffic paths are updated To help reconvergence occur faster, you can create a real server configura- tion for each router, and use an ICMP health monitor for checking the health of the gateways. The health checks keep the ARP entries for the gateway routers active, which can help to reduce reconvergence time considerably. In a typical SLB configuration that includes a client-side router and a server-side router, configure a real server for each router. To configure health checking of the gateway routers: 1. (Optional) Configure an ICMP health monitor. For Layer 3 inline deployments, it is recommended to use very short values (1 second) for the interval and timeout. (For examples of Layer 3 inline HA deployments for TCS, see Transparent Cache Switching on page301.) 2. Create an SLB real server configuration for each gateway. If you plan to use a custom ICMP health monitor (previous step), apply the health monitor to the server. Perform these steps on both AX devices in the HA pair. Note: The AX device also has an HA gateway health checking feature. This fea- ture also uses ICMP health monitors. However, if you use the HA gate- way health checking feature, HA failover is triggered if a gateway fails a health check. If you use real server configurations instead, as shown in the following examples, HA failover is not triggered by a failed health check. P e r f o r m a n c e b y D e s i g n 613 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Tip for Ensuring Fast HA Failover CLI Example IPv4 AX( conf i g) #health monitor gatewayhm1 AX( conf i g- heal t h: moni t or ) #method icmp interval 1 timeout 1 AX( conf i g- heal t h: moni t or ) #exit AX( conf i g) #slb server gateway-upstream 192.168.10.1 AX( conf i g- r eal ser ver ) #health-check gatewayhm1 AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server gateway-downstream 10.10.10.1 AX( conf i g- r eal ser ver ) #health-check gatewayhm1 AX( conf i g- r eal ser ver ) #exit To use the default ICMP health monitor instead, the configuration is even simpler: AX( conf i g) #slb server gateway-upstream 192.168.10.1 AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server gateway-downstream 10.10.10.1 AX( conf i g- r eal ser ver ) #exit CLI Example IPv6 AX( conf i g) #health monitor gatewayhm1 AX( conf i g- heal t h: moni t or ) #method icmp interval 1 timeout 1 AX( conf i g- heal t h: moni t or ) #exit AX( conf i g) #slb server up-router 2309:e90::1 AX( conf i g- r eal ser ver ) #health-check gatewayhm1 AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server down-router 2309:e90::3 AX( conf i g- r eal ser ver ) #health-check gatewayhm1 AX( conf i g- r eal ser ver ) #exit To use the default ICMP health monitor: AX( conf i g) #slb server up-router 2309:e90::1 AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server down-router 2309:e90::3 AX( conf i g- r eal ser ver ) #exit 614 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Tip for Ensuring Fast HA Failover P e r f o r m a n c e b y D e s i g n 615 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Network Address Translation This chapter describes Network Address Translation (NAT) and how to con- figure it. NAT translates the source or destination IP address of a packet before forwarding the packet. The AX device uses NAT to perform SLB. The AX device also supports tra- ditional Layer 3 NAT, which you can configure if required by your network. Note: This chapter does not include information about Large-Scale NAT (LSN). For LSN information, see Large-Scale Network Address Translation on page647. 616 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT SLB NAT AX Series devices can perform source and destination NAT on client-VIP SLB traffic. SLB Destination NAT AX Series devices automatically perform destination NAT for client-VIP SLB traffic. Figure160 shows an example. Note: Destination NAT is disabled for virtual ports on which Direct Server Return (DSR) is enabled. FIGURE 160 SLB NAT P e r f o r m a n c e b y D e s i g n 617 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT By default, SLB NAT works as follows. Before forwarding a client packet to a real server, the AX device trans- lates the destination IP address from the virtual server IP address (VIP) to the IP address of the real server. The AX device reverses the translation before sending the server reply to the client. The source IP address is translated from the real servers IP address to the VIP address. The default SLB NAT behavior does not translate the clients IP address. SLB Source NAT SLB source NAT is disabled by default. There are some cases where SLB Source NAT is applicable: Connection reuse. (See Connection Reuse on page617.) The VIP and real servers are in different subnets. In cases where real servers are in a different subnet than the VIP, source NAT ensures that reply traffic from a server will pass back through the AX device. (See Source NAT for Servers in Other Subnets on page622.) IP Source NAT Configuration Limits The AX device supports the following: NAT pool addresses Maximum of 500 NAT pool addresses supported, in all NAT pools. For example, you can configure 1 NAT pool contain- ing 500 NAT addresses, or 100 NAT pools containing 5 addresses each, and so on. NAT pools Maximum of 100 NAT pools supported. NAT pool groups Maximum of 50 NAT pool groups supported. Each NAT pool group can contain up to 5 NAT pools. Connection Reuse Connection reuse enables you to reuse TCP connections between the AX device and real servers for multiple client sessions. When you enable this feature, the AX device does not tear down a TCP connection with the real server each time a client ends its session. Instead, the AX device leaves the TCP connection established, and reuses the connection for the next client that uses the real server. 618 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT Connection reuse requires SLB source NAT. Since the TCP connection with the real server needs to remain established after a clients session ends, the clients IP address cannot be used as the source address for the connection, Instead, the source address must be an IP address from a NAT pool or pool group configured on the AX device. The pool or pool group must have a unique IP address for each reusable TCP connection you want to establish. To configure connection reuse: 1. Configure a NAT pool or set of pools to specify the IP addresses to use as source addresses for the reusable connections with the real servers. To use a single, contiguous range of addresses, only one pool is needed. To use a non-contiguous range of addresses, configure a separate pool for each contiguous portion of the range, then configure a pool group that contains the pools. The addresses within an individual pool still must be contiguous, but you can have gaps between the ending address in one pool and the starting address in another pool. You also can use pools that are in different subnets. A pool group can contain up to 5 pools. Pool group members must belong to the same protocol family (IPv4 or IPv6) and must use the same HA ID. A pool can be a member of multiple pool groups. Up to 50 NAT pool groups are supported. 2. Configure a connection reuse template. 3. If you plan to use policy-based source NAT, to select from among multi- ple pools based on source IP address, configure an ACL for each of the client address ranges that will use its own pool. 4. Enable source NAT on the virtual service port and specify the pool or pool group to use for the source addresses. If you are configuring pol- icy-based source NAT, bind each ACL to its pool. 5. Add the connection reuse template to the service port. Note: These steps apply specifically to configuration of connection reuse. A complete SLB configuration also requires the standard SLB configuration steps, including configuration of the real servers and service group, and so on. P e r f o r m a n c e b y D e s i g n 619 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT USING THE GUI 1. To configure a pool of addresses: a. Select Config >Service >IP Source NAT. b. Select IPv4 Pool or IPv6 Pool on the menu bar. c. Click New. The Pool section appears. d. Enter a name for the pool. e. Enter the start and end addresses. f. Enter the network mask. g. If the AX device is deployed in transparent mode, enter the default gateway to use for NATted traffic. h. To use session synchronization for NAT translations, select the HA group. i. Click OK. 2. To configure a connection reuse template: a. Select Config >Service >Template. b. Select Connection Reuse on the menu bar. c. Click New. The Connection Reuse section appears. d. Enter a name for the template. e. Edit the other parameters or leave them at their default settings. f. Click OK. The template appears in the connection reuse template table. 3. To enable source NAT on the virtual port: a. Select Config >Service >Server. b. Select Virtual Server on the menu bar. c. Select the virtual server name or click New. d. If you are adding a new virtual server, enter the general server set- tings. e. Click Port. f. Select the port and click Edit, or click New. The Virtual Server Port section appears. g. Enter or select the port settings, if the port is new. 620 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT h. Do one of the following: To use a single pool or pool group for all source addresses, select the pool from the Source NAT pool drop-down list. To use separate pools based on source addresses, use the ACL-SNAT Binding fields to bind each ACL to its pool. For each binding, select the ACL from the Access List drop- down list, select the pool from the Source NAT Pool drop-down list, and click Add. i. Do not click OK yet. Go to step4. 4. To add the connection reuse template to the virtual port: a. In the Connection Reuse Template drop-down list, select the tem- plate. b. Click OK. c. Click OK again. USING THE CLI 1. To configure an IP address pool, use one of the following commands at the global configuration level of the CLI. To configure an IPv4 pool: ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} [ gateway ipaddr] [ ha-group-id group-id] To configure an IPv6 pool: ipv6 nat pool pool-name start-ipv6-addr end-ipv6-addr netmask mask-length [ gateway ipaddr] [ ha-group-id group-id] To configure a pool group, configure a separate IP pool for each contig- uous set of addresses, then use the following command to add the pools to a pool group: ip nat pool-group pool-group-name {pool-name ...} 2. To configure a connection reuse template, enter the following command at the global configuration level to create the template: slb template connection-reuse template-name P e r f o r m a n c e b y D e s i g n 621 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT This command creates the template and changes the CLI to configura- tion level for the template. Use the following commands to configure the template, or use the default settings: limit-per-server number timeout seconds Thelimit-per-server command specifies the maximum number of reus- able connections to establish with each real server. You can specify 0- 65535. For unlimited connections, specify 0. The default is 1000. The timeout command specifies the maximum number of seconds a reusable connection can remain idle before it times out. You can specify 1-3600 seconds. The default is 2400 seconds (40 minutes). 3. To enable source NAT, do one of the following: To enable source NAT on the virtual port and use a single pool or pool group for all source addresses, use the following command at the configuration level for the virtual port: source-nat pool {pool-name | pool-group-name} To enable policy-based source NAT and use separate pools based on source IP address, use the following command at the configuration level for the port. This command binds an ACL to its pool: access-list acl-num source-nat-pool pool-name Note: If you do not specify a NAT pool with this command, the ACL is used only to filter the traffic. 4. Add the connection reuse template to the virtual port, use the following command at the configuration level for the virtual port: template connection-reuse template-name CLI Example The following commands configure standard ACLs that match on different client addresses: AX( conf i g) #access-list 30 permit ip 192.168.1.1 /24 AX( conf i g) #access-list 50 permit ip 192.168.20.69 /24 The following commands configure source NAT pools: AX( conf i g) #ip nat pool pool1 10.10.10.200 10.10.10.100 netmask /16 ha-group-id 1 AX( conf i g) #ip nat pool pool2 10.10.10.200 10.10.10.200 netmask /16 ha-group-id 1 622 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT The following commands configure a real server and a service group: AX( conf i g) #slb server s1 192.168.19.48 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb service-group group80 tcp AX( conf i g- sl b ser vi ce gr oup) #method weighted-rr AX( conf i g- sl b ser vi ce gr oup) #member s1:80 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure policy-based source NAT, by binding ACLs to NAT pools on the virtual port. AX( conf i g) #slb virtual-server vs1 10.10.10.100 AX( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #access-list 30 source-nat-pool pool1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #access-list 50 source-nat-pool pool2 Source NAT for Servers in Other Subnets The AX device allows source NAT to be enabled on a virtual port. In cases where real servers are in a different subnet than the VIP, source NAT ensures that reply traffic from a server will pass back through the AX device. You can enable source NAT on a virtual port in either of the following ways: Use the the source-nat option to bind a single IP address pool or pool group to the virtual port. This option is applicable if all the real servers are in the same subnet. Use sets of ACL-pool pairs, one for each real server subnet. You must use this method if the real servers are in multiple subnets. This section describes how to use this method. For the real server to be able to send replies back through the AX device, use an extended ACL. The source IP address must match on the client address. The destination IP address must match on the real server address. The action must be permit. The ACL should not match on the virtual IP address (unless the virtual IP address is in the same subnet as the real servers, in which case source NAT is probably not required). Figure161 on page623 shows an example. P e r f o r m a n c e b y D e s i g n 623 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT FIGURE 161 Multiple NAT Pools Bound to a Virtual Port In this example, a service group has real servers that are located in two dif- ferent subnets. The VIP is not in either of the subnets. To ensure that reply traffic from a server will pass back through the AX device, the AX device uses IP source NAT. To implement IP source NAT, two pairs of ACL and IP address pool are bound to the virtual port. Each ACL-pool pair contains the following: An extended ACL whose source IP address matches on client addresses and whose destination IP address matches on the real servers subnet. An IP address pool or pool group containing translation addresses in the real servers subnet. 624 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT For example, if SLB selects a real server in the 10.10.10.x subnet, then the source IP address is translated from the clients address to an address in pool 1. When the server replies, it replies to the address from pool 1. Note: In most cases, destination NAT does not need to be configured for SLB. The AX device automatically translates the VIP address into a real server address before forwarding a request to the server. CLI Example The following commands implement the source NAT configuration shown in Figure161 on page623. First, the ACLs are configured. In each ACL, any is used to match on all clients. The destination address is the subnet where the real servers are located. AX( conf i g) #access-list 100 permit any 10.10.10.0 /24 AX( conf i g) #access-list 110 permit any 10.10.20.0 /24 The following commands configure the IP address pools. Each pool con- tains addresses in one of the real server subnets. AX( conf i g) #ip nat pool pool1 10.10.10.100 10.10.10.101 netmask /24 AX( conf i g) #ip nat pool pool2 10.10.20.100 10.10.20.101 netmask /24 The following commands bind the ACLs and IP address pools to a virtual port on the VIP: AX( conf i g) #slb virtual-server vip1 192.168.1.100 AX( conf i g- sl b vi r t ual ser ver ) #port 80 tcp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #access-list 100 source-nat-pool pool1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #access-list 110 source-nat-pool pool2 Direct Server Return You can disable destination NAT on a virtual port, to enable Direct Server Return (DSR). DSR enables a real server to respond to clients directly instead of going through the AX device. The AX is not required to return the servers response traffic to clients, so there is no need to un-NAT traffic. This type of NAT is especially useful for applications that have intensive payload transfers, such as FTP and streaming media. P e r f o r m a n c e b y D e s i g n 625 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT When DSR is enabled, only the destination MAC address is translated from the VIPs MAC address to the real servers IP address. The destination IP address is still the VIP. To use DSR, the AX device and the real servers must be in the same Layer 2 subnet. The VIP address must be configured as a loopback address on the real servers. To enable DSR on a virtual port, use either of the following methods. Note: To configure health checking for DSR, see Configuring Health Monitor- ing of Virtual IP Addresses in DSR Deployments on page394. Note: For examples of DSR configurations, see Network Setup on page73. USING THE GUI 1. Select Config >Service >SLB. 2. Select Virtual Server on the menu bar. 3. Select the virtual server name or Click Add. 4. If you are adding a new virtual server, enter the general server settings. 5. Click Port. 6. Select the port and click Edit, or click Add. The Virtual Server Port sec- tion appears. 7. Enter or select the port settings, if the port is new. 8. Select Enabled next to Direct Server Return. 9. Click OK. 10. Click OK again. USING THE CLI Enter the following CLI command at the configuration level for the virtual port: no-dest-nat 626 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SLB NAT IP NAT Support for VIPs The AX device supports IP NAT for VIPs. This feature allows clients in a private network to connect to outside VIP servers, without revealing the IP addresses of the clients to the servers. Dynamic NAT and static NAT are both supported. Note: The current release does not support this feature for FTP or RTSP traffic. Priority for Source IP NAT Configurations on Individual Virtual Ports Source IP NAT can be configured on a virtual port in the following ways: 1. ACL-based source NAT (access-list command at virtual port level) 2. VIP source NAT (slb snat-on-vip command at global configuration level) 3. aFleX policy (aflex command at virtual port level) 4. Non-ACL source NAT (source-nat command at virtual port level) These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and the slb snat-on- vip command is also used, then a pool assigned by the ACL is used for traf- fic that is permitted by the ACL. For traffic that is not permitted by the ACL, VIP source NAT can be used instead. Configuration To configure IP NAT for VIPs: 1. Configure a pool, range list, or static inside source NAT mapping, that includes the real IP address(es) of the inside clients. 2. Enable inside NAT on the interface connected to the inside clients. 3. Enable outside NAT on the interface connected to the external VIP serv- ers You can enable this feature globally or on individual virtual ports: To globally configure IP NAT support for VIPs, use the following command at the global configuration level of the CLI: [ no] slb snat-on-vip P e r f o r m a n c e b y D e s i g n 627 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT To configure IP NAT support for an individual virtual port, use the com- mand at the configuration level for the virtual port instead of at the global level. Using IP Pool Default Gateways To Forward Traffic fromReal Servers The AX device provides an option to use the default gateway of an IP source NAT pool to forward traffic from a real server. When this option is enabled, the AX device checks the configured IP NAT pools for an IP address range that includes the server IP address (the source address of the traffic). If the address range in a pool does include the servers IP address, and a default gateway is defined for the pool, the AX device forwards the server traffic through the pools default gateway. This feature is disabled by default. To enable it, use the following command at the global configuration level of the CLI: [ no] slb snat-gwy-for-l3 IP Source NAT Independently of SLB NAT, you can configure traditional, Layer 3 IP source NAT. IP source NAT translates internal host addresses into routable addresses before sending the hosts traffic to the Internet. When reply traffic is received, the AX device then retranslates addresses back into internal addresses before sending the reply to the client. You can configure dynamic or static IP source NAT: Dynamic source IP NAT Internal addresses are dynamically translated into external addresses from a pool. Static source IP NAT Internal addresses are explicitly mapped to external addresses. Configuration Elements for Dynamic NAT Dynamic NAT uses the following configuration elements: Access Control List (ACL) to identify the inside host addresses to be translated Pool to identify a contiguous range of external addresses into which to translate inside addresses 628 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT Optionally, pool group to use non-contiguous address ranges. To use a non-contiguous range of addresses, you can configure separate pools, then combine them in a pool group and map the ACL to the pool group. The addresses within an individual pool still must be contiguous, but you can have gaps between the ending address in one pool and the start- ing address in another pool. You also can use pools that are in different subnets. A pool group can contain up to 5 pools. Pool group members must belong to the same protocol family (IPv4 or IPv6) and must use the same HA ID. A pool can be a member of multiple pool groups. Up to 50 NAT pool groups are supported. If a pool group contains pools in different subnets, the AX device selects the pool that matches the outbound subnet. For example, if there are two routes to a given destination, in different subnets, and the pool group has a pool for one of those subnets, the AX selects the pool that is in the sub- net for the outbound route. The AX device searches the pools beginning with the first one added to the group, and selects the first match. If none of the pools are in the des- tination subnet, the AX uses the first pool that has available addresses. Inside NAT setting on the interface connected to the inside host. Outside NAT setting on the interface connected to the Internet. Inside host addresses are translated into external addresses from a pool before the host traffic is sent to the Internet. Note: The AX device enables you to specify the default gateway for an IP source NAT pool to use. However, the pools default gateway can be used only if the data route table already has either a default route or a direct route to the destination of the NAT traffic. In this case, the pools default gateway will override the route, for NAT traffic that uses the pool. If the data route table does not have a default route or a direct route to the NAT traffic destination, the pools default gateway can not be used. In this case, the NAT traffic can not reach its destination. Configuration Elements for Static NAT Static NAT uses the following configuration elements: Static mappings or an address range list A static mapping is a one-to- one mapping of an inside address to an external address. An address range list is a contiguous range of inside addresses and external addresses to translate them into. Inside NAT setting on the interface connected to the inside host. P e r f o r m a n c e b y D e s i g n 629 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT Outside NAT setting on the interface connected to the Internet. Inside host addresses are translated into external addresses from a static map- ping or a range list before the host traffic is sent to the Internet. Configuring Dynamic IP Source NAT To configure dynamic source NAT: 1. Configure an Access Control List (ACL) to identify the inside addresses that need to be translated. 2. Configure a pool of external addresses to use for translation. To use non- contiguous ranges of addresses, configure multiple pools and add them to a pool group. 3. Enable inside source NAT and map the ACL to the pool. 4. Enable inside NAT on the interfaces connected to the inside hosts. 5. Enable outside NAT on the interfaces connected to the Internet. Note: In addition, on some AX models, if Layer 2 IP NAT is required, you also must enable CPU processing on the NAT interfaces. This applies to mod- els AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. This addi- tional step is performed at the configuration level for each NAT interface. The procedures below do not include this additional step. USING THE GUI Note: In step3, the GUI supports binding IPv4 pools to ACLs but not IPv6 pools. To bind an IPv6 pool to an ACL, use the CLI instead. 1. To configure an ACL to identify the inside addresses that need to be translated: a. Select Config >Network >ACL. b. Select the ACL type, Standard or Extended, on the menu bar. c. Click Add. d. Enter or select the values to filter. e. Click OK. The new ACL appears in the Standard ACL table or Extended ACL table. f. Click OK to commit the ACL change. 630 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT 2. To configure a pool of external addresses to use for translation: a. Select Config >Service >IP Source NAT. b. Select IPv4 Pool or IPv6 Pool on the menu bar. c. Click Add. d. Enter a name for the pool. e. Enter the start and end addresses. f. Enter the network mask. g. If the AX device is deployed in transparent mode, enter the default gateway to use for NATted traffic. h. To use session synchronization for NAT translations, select the HA group. i. Click OK. 3. To enable inside source NAT and map the ACL to the pool: a. Select Config >Service >IP Source NAT, if not already selected. b. Select Binding on the menu bar. c. Select the ACL number from the ACL drop-down list. d. Select the pool ID from the NAT Pool drop-down list. e. Click Add. The new binding appears in the ACL section. f. Click OK. 4. To enable inside NAT on the interfaces connected to the inside hosts: a. Select Config >Service >IP Source NAT, if not already selected. b. Select Interface on the menu bar. c. Select the interface connected to the internal hosts. d. In the Direction drop-down list, select Inside. e. Click Add. f. Repeat for each interface connected to the internal hosts. g. Do not click OK yet. Instead, go to the next step. 5. To enable outside NAT on the interfaces connected to the Internet: a. Select the interface connected to the Internet. b. In the Direction drop-down list, select Outside. c. Click Add. P e r f o r m a n c e b y D e s i g n 631 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT d. Repeat for each interface connected to the Internet. e. Click OK. FIGURE 162 Configure >Network >ACL >Standard ACL FIGURE 163 Configure >Service >IP Source NAT >IPv4 Pool FIGURE 164 Configure >Service >IP Source NAT >Binding 632 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT FIGURE 165 Configure >Service >IP Source NAT >Interface USING THE CLI 1. To configure an ACL to identify the inside addresses that need to be translated, use either of the following commands at the global configu- ration level of the CLI. Use a standard ACL to specify the host IP addresses to translate. All host addresses that are permitted by the ACL are translated before traffic is sent to the Internet. To also specify other information including destination addresses and source and destination protocol ports, use an extended ACL. Standard ACL Syntax access-list acl-num {permit | deny} source-ipaddr {filter-mask | /mask-length} Extended ACL Syntax access-list acl-num {permit | deny} {ip | icmp} {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} P e r f o r m a n c e b y D e s i g n 633 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT or access-list acl-num {permit | deny} {tcp | udp} {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} [ eq src-port | gt src-port | lt src-port | range start-src-port end-src-port] {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [ eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port] 2. To configure a pool of external addresses to use for translation, use one of the following commands at the global configuration level of the CLI. To configure an IPv4 pool: ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} [ gateway ipaddr] [ ha-group-id group-id [ ha-use-all-ports] ] Note: The ha-use-all-ports option applies only to DNS virtual ports. Using this option with other virtual port types is not valid. (For information about this option, see the AX Series CLI Reference.) To configure an IPv6 pool: ipv6 nat pool pool-name start-ipv6-addr end-ipv6-addr netmask mask-length [ gateway ipaddr] [ ha-group-id group-id] To configure a pool group: ip nat pool-group pool-group-name {pool-name ...} 3. To enable inside source NAT and map the ACL to the pool, use the fol- lowing command: ip nat inside source list acl-name pool {pool-name | pool-group-name} 634 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT 4. To enable inside NAT on the interfaces connected to the inside hosts, use the following commands: interface [ ethernet port-num | ve ve-num] ip nat inside The interface command changes the CLI to the configuration level for the interface connected to the internal hosts. These are the hosts identi- fied by the ACL configured in step1 and used by the commands in step2 and step3. 5. To enable outside NAT on the interfaces connected to the Internet, use the following commands: interface [ ethernet port-num | ve ve-num] ip nat outside CLI EXAMPLE The following commands configure an ACL to specify the internal hosts to be NATted. In this example, all hosts in the 10.10.10.x subnet are to receive NAT service for traffic to the Internet. AX( conf i g) #access-list 1 permit 10.10.10.0 0.0.0.255 The following command configures an IPv4 pool of external addresses to use for the NAT translations. In this example, 10.10.10.x addresses will be translated into 192.168.1.1 or 192.168.1.2: AX( conf i g) #ip nat pool pool1 192.168.1.1 192.168.1.2 netmask /24 The following command enables inside source NAT and associates the ACL with the pool: AX( conf i g) #ip nat inside source list 1 pool pool1 The following commands enable inside source NAT on the interface con- nected to the internal hosts: AX( conf i g) #interface ethernet 4 AX( conf i g- i f : et her net 4) #ip nat inside The following commands enable source NAT on the interface connected to the external hosts: AX( conf i g- i f : et her net 4) #interface ethernet 6 AX( conf i g- i f : et her net 6) #ip nat outside P e r f o r m a n c e b y D e s i g n 635 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT Configuring Static IP Source NAT You can configure individual static source NAT mappings or configure a range of static mappings. After configuring the static source NAT mappings, do the following: Enable inside NAT on the interfaces connected to the inside hosts. Enable outside NAT on the interfaces connected to the Internet. Limitations for Static NAT Mappings Application Layer Gateway (ALG) services other than FTP are not sup- ported when the server is on the inside. HA session synchronization is not supported. However, sessions will not be interrupted by HA failovers. Syn-cookies are not supported. USING THE GUI Note: The GUI supports configuring a static NAT range but does not support configuring individual mappings. 1. To configure the static translations of internal host addresses to external addresses: a. Select NAT Range on the menu bar. b. Click Add. c. Enter a name for the range. d. Select the address type (IPv4 or IPv6) e. In the From fields, enter the first (lowest numbered) address and network mask in the range of inside host addresses to be translated. f. In the To field, enter the first (lowest numbered) address and net- work mask in the range of external addresses into which to translate the inside host addresses. g. In the Count field, enter the number of addresses to be translated. h. To apply HA to the addresses, select the HA group. i. Click OK. 636 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT 2. To enable inside NAT on the interfaces connected to the inside hosts: a. Select Interface on the menu bar. b. Select the interface from the Interface drop-down list. c. Select Inside in the Direction drop-down list. d. Click OK. e. Repeat for each inside interface. 3. To enable outside NAT on the interfaces connected to the Internet: a. Select Interface on the menu bar. b. Select the interface from the Interface drop-down list. c. Select Outside in the Direction drop-down list. d. Click OK. e. Repeat for each outside interface. USING THE CLI 1. To configure the external addresses to use for translation, use one of the following commands. To configure individual address mappings, use the following command to configure each mapping: ip nat inside source static source-ipaddr nat-ipaddr [ ha-group-id group-id] The source-ipaddr is the internal host that will send requests. The nat- ipaddr is the address into which the AX device will translate the source- ipaddr before forwarding the requests. Similarly, for inbound static NAT, the following syntax is supported: [ no] ip nat inside source static destination- ipaddr nat-ipaddr The destination-ipaddr is the internal host to which external hosts send requests. The nat-ipaddr is the address into which the AX device will translate the destination-ipaddr before forwarding the requests. To configure a range list to use for static mappings: ip nat range-list list-name source-ipaddr /mask-length nat-ipaddr /mask-length count number [ ha-group-id group-id] P e r f o r m a n c e b y D e s i g n 637 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT The source-ipaddr specifies the starting address in the range of internal host addresses. The nat-ipaddr command specifies the first address in the range of external addresses to use for the translations. The count option specifies how many mappings to create. 2. If you used the ip nat inside source command, enter the following com- mand at the global configuration level of the CLI, to enable static NAT support: ip nat allow-static-host Note: This step is not required if you use a static source NAT range list instead. 3. To enable inside NAT on the interfaces connected to the inside hosts, use the following commands: interface [ ethernet port-num | ve ve-num] ip nat inside The interface command changes the CLI to the configuration level for the interface connected to the internal hosts. 4. To enable outside NAT on the interfaces connected to the Internet, use the following commands: interface [ ethernet port-num | ve ve-num] ip nat outside CLI EXAMPLE The following commands enable static NAT, configure an IP address range named nat-list-1 that maps up to 100 local addresses starting from 10.10.10.97 to Internet addresses starting from 192.168.22.50, set Ethernet interface 2 as the inside NAT interface, and set Ethernet interface 4 as the outside NAT interface. AX( conf i g) #ip nat range-list nat-list-1 10.10.10.97 /16 192.168.22.50 /16 count 100 AX( conf i g) #interface ethernet 2 AX( conf i g- i f : et her net 2) #i p nat inside AX( conf i g- i f : et her net 2) #exit AX( conf i g) #interface ethernet 4 AX( conf i g- i f : et her net 4) #ip nat outside 638 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT NAT ALG Support for PPTP NAT Application Layer Gateway (ALG) support for the Point-to-Point Tun- neling Protocol (PPTP) enables clients and servers to exchange Point-to- Point (PPP) traffic through the AX device over a Generic Routing Encapsu- lation (GRE) tunnel. PPTP is used to connect Microsoft Virtual Private Network (VPN) clients and VPN hosts. Figure166 shows an example. FIGURE 166 NAT ALG for PPTP The AX device is deployed between PPTP clients and the VPN server (VPN Server using PPTP). The AX interface connected to the PPTP clients is enabled for inside source NAT. The AX interface connected to the VPN server is enabled for outside source NAT. Each client runs a PPTP Network Server (PNS). To set up a VPN session, the PNS sends an Outgoing-Call-Request to the PPTP Access Concentrator (PAC), which is the VPN server. The destination TCP port is the PPTP port (1723 by default). The request includes a Call ID that the PNS chooses. Because multiple clients may share the same NAT address, the AX device must ensure that clients do not share the same Call ID as well. Therefore, the AX device assigns to each client a NAT Call ID (analogous to a NAT source port for TCP) and modifies the Outgoing-Call-Request to use the NAT Call ID instead. The PAC replies to the Outgoing-Call-Request with a Call ID of its own. This is like a TCP destination port. The AX device does not change the P e r f o r m a n c e b y D e s i g n 639 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT PACs Call ID. The PAC then assigns to the client an IP address belonging to the VPN subnet. On the AX device, the GRE session is created after the PNS sends its reply. In the GRE session, the Call ID is used as the Layer 4 port, instead of a TCP/UDP port number. (See the example of show session output in CLI Example on page641.) In Figure166 on page638, client (PNS) 10.1.1.1 wants to connect to a VPN through the VPN Server (PAC) 10.3.3.2, which is using PPTP. Client 10.1.1.1 establishes a PPTP control session (on port 1723) with 10.3.3.2. When the client sends the Outgoing-Call-Request over that TCP session with its desired Call ID, the AX device will translate the Call ID into a unique Call ID for NAT. Once the VPN server replies with its own Call ID, the AX device will establish the GRE session. After the Call IDs are exchanged, the client and server encapsulate VPN subnet traffic in a GRE tunnel. The GRE tunnel packets are sent under nor- mal IP between 10.1.1.1 and 10.3.3.2. A GRE packet for PPTP uses a Call ID in the same way as a TCP or UDP destination port. Therefore, GRE packets from the server (10.3.3.2) will use the NAT Call ID. The AX device translates the NAT Call ID back into the clients original Call ID before sending the packet to the client. Note: One GRE session is supported per control session, which means one call at a time is supported. In practice, PPTP is used only for VPNs, in which case multiple concurrent calls do not occur. Configuring NAT ALG for PPTP To configure an AX device to support NAT ALG for PPTP: Configure dynamic IP source NAT: Configure an ACL that matches on the PPTP client subnet(s). Configure an IP source NAT pool that contains the range of IP addresses into which to translate client addresses. Configure an inside source NAT list, using the ACL and pool. Enable inside IP source NAT on the AX interface connected to the VPN clients. Enable outside IP source NAT on the AX interface connected to the VPN server. If NAT ALG support for PPTP is disabled, enable it. (The feature is enabled by default.) 640 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT Note: In the current release, NAT ALG support for PPTP is not supported with static NAT or NAT range lists. Note: In the current release, NAT ALG support for PPTP can not be disabled or re-enabled using the GUI. USING THE CLI To configure dynamic IP source NAT, use the following commands. First, to configure the ACL, use the following command at the global con- figuration level of the CLI: access-list acl-num permit source-ipaddr {filter-mask | /mask-length} Note: The ACL must permit IP traffic. The syntax above is for a standard ACL. If you plan to use an extended ACL instead, make sure to use the ip option, instead of icmp, tcp, or udp. To configure the IP address pool, use the following command at the global configuration level of the CLI: ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} [ gateway ipaddr] [ ha-group-id group-id] To configure an IP source NAT list, use the following command at the global configuration level of the CLI: ip nat inside source list acl-name pool {pool-name | pool-group-name} To enable inside source NAT on an interface, use the following command at the configuration level for the interface: [ no] ip nat inside To enable outside source NAT on an interface, use the following command at the configuration level for the interface: [ no] ip nat outside To enable or disable NAT ALG support for PPTP, use the following com- mand at the global configuration level of the CLI: ip nat alg pptp {enable | disable} The feature is enabled by default. The default protocol port number is 1723 and can not be changed. P e r f o r m a n c e b y D e s i g n 641 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT To display GRE sessions, use the following commands: show session To display or clear statistics, use the following commands: show ip nat alg pptp statistics clear ip nat alg pptp statistics CLI Example The commands in this section implement the NAT ALG for PPTP configu- ration shown in Figure166 on page638. The following commands configure dynamic inside source NAT. AX( conf i g) #access-list 1 permit 10.1.1.0 0.0.0.255 AX( conf i g) #ip nat pool pptp-pool 192.168.1.100 192.168.1.110 netmask /24 AX( conf i g) #ip nat inside source list 1 pool pptp-pool The following commands specify the inside NAT interface and the outside NAT interface. AX( conf i g) #interface ethernet 1 AX( conf i g- i f : et her net 1) #ip address 10.2.2.254 255.255.255.0 AX( conf i g- i f : et her net 1) #ip nat inside AX( conf i g- i f : et her net 1) #interface ethernet 2 AX( conf i g- i f : et her net 2) #ip address 10.3.3.254 255.255.255.0 AX( conf i g- i f : et her net 2) #ip nat outside The following command displays session information: AX( conf i g- i f : et her net 2) #show session Pr ot For war d Sour ce For war d Dest Rever se Sour ce Rever se Dest Age Hash - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gr e 10. 1. 1. 1: 49152 10. 3. 3. 2: 32799 10. 3. 3. 2: 32799 192. 168. 1. 100: 2109 240 1 Tcp 10. 1. 1. 1: 2301 10. 3. 3. 2: 1723 10. 3. 3. 2: 1723 192. 168. 1. 100: 2109 240 2 This example shows the GRE session and the TCP session over which the GRE session is transported. For the GRE session, the number following each IP address is the PPTP Call ID. For the TCP session, the number is the TCP protocol port. 642 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT The following command displays PPTP NAT ALG statistics. AX( conf i g- i f : et her net 2) #show ip nat alg pptp statistics St at i st i cs f or PPTP NAT ALG: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cal l s I n Pr ogr ess: 10 Cal l Cr eat i on Fai l ur e: 0 Tr uncat ed PNS Message: 0 Tr uncat ed PAC Message: 0 Mi smat ched PNS Cal l I D: 1 Mi smat ched PAC Cal l I D: 0 Ret r ansmi t t ed PAC Message: 3 Tr uncat ed GRE Packet s: 0 Unknown GRE Packet s: 0 No Mat chi ng Sessi on Dr ops: 4 Fast Aging for IP NATted ICMP and DNS Sessions The AX device uses application-aware aging for IP NATted sessions, in cases where the AX device performs IP NAT translation of the internal cli- ent IP addresses. The default timeout for IP NATted ICMP sessions, as well as UDP sessions on port 53 (DNS), is set to the SLB maximum session life (MSL), which is 2 seconds by default. Note: Fast aging applies to sessions between internal clients and external resources, in cases where the AX device performs IP NAT translation of the client addresses. This type of traffic is not SLB traffic between clients and a VIP configured on the AX device. For SLB DNS traffic, short aging based on the MSL time is the default aging mechanism. P e r f o r m a n c e b y D e s i g n 643 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT Table16 summarizes the session timeouts and how to configure them. USING THE CLI To display the timeout that will be used for IP NATted sessions, use the fol- lowing command: show ip nat timeouts To change the IP NAT translation timeout for ICMP, use the following com- mand: [ no] ip nat translation icmp-timeout {seconds | fast} To change the IP NAT translation timeout for a UDP port, use the following command: [ no] ip nat translation service-timeout udp port-num {seconds | fast} The port-num option specifies the UDP port number. The fast option sets the timeout to the SLB MSL timeout, for the specified UDP port. CLI Example The following command displays the current IP NAT translation timeouts: AX#show ip nat timeouts NAT Ti meout val ues i n seconds: SYN TCP UDP I CMP - - - - - - - - - - - - - - - - - - - - - - - - 60 300 300 f ast Ser vi ce 53/ udp has f ast - agi ng conf i gur ed TABLE 16 Session Timeout for IP NATted ICMP and UDP Sessions Default Timeout for IP NATted ICMP DNS Sessions Method To Change Timeout SLB MSL timeout (2 seconds by default) Note: For DNS, this is the default only for the default DNS port (53). You can use either of the following methods: Change the SLB MSL timeout. Change the IP NAT translation timeout: ICMP Change the IP NAT translation ICMP timeout, by specifying the number of seconds for the timeout, instead of fast. DNS Change the IP NAT translation UDP time- out for the DNS port, by specifying the number of seconds for the timeout, instead of fast. The timeout is configurable for individual UDP ports. 644 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT In this example, the output indicates that fast aging is used for IP NATted ICMP sessions, and for IP NATted DNS sessions on port 53. The message at the bottom of the display indicates that the fast aging setting (SLB MSL timeout) will be used for IP NATted UDP sessions on port 53. If the message is not shown in the output, then the timeout shown under UDP will be used instead. Client and Server TCP Resets for NATted TCP Sessions By default, the AX device does not send TCP Resets to the client and server when a NATted TCP session becomes idle. To enable this option, use the following command at the global configuration level of the CLI: ip nat reset-idle-tcp-conn Requirements for Translation of DNS Traffic If you plan to use IP NAT for DNS traffic, make sure the configuration includes the following: Both the DNS request from the inside client, and the response from the external DNS server, must pass through the IP NAT outside interface. If an ACL is configured on the interface that will receive the DNS responses (the IP NAT outside interface), the ACL must include a per- mit rule that allows traffic from the DNS server. Otherwise, the traffic will be denied by the implicit (non-visible) deny any any rule at the end of the ACL. IP NAT Use in Transparent Mode in Multi-Netted Environment If the AX device is deployed in transparent mode, the device uses NAT IP addresses to perform health monitoring on servers that are outside the IP subnet or VLAN of the AX device. If there are multiple IP addresses in the NAT pool, the AX device uses only the last IP address in the pool for the health checks. Also, the AX device only responds to control traffic (for example, management and ICMP traffic) on the last IP address in the pool. In the following example, the AX devices IP address is on the 172.168.101.0/24 subnet. A NAT pool has been configured to reach servers outside of that subnet/VLAN. P e r f o r m a n c e b y D e s i g n 645 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT AX#show ip Syst emi s r unni ng i n Tr anspar ent Mode I P addr ess: 172. 168. 101. 4 255. 255. 255. 0 I P Gat eway addr ess: 172. 168. 101. 251 SMTP Ser ver addr ess: Not conf i gur ed AX#show ip nat pool Tot al I P NAT Pool s: 4 Pool Name St ar t Addr ess End Addr ess Mask Gat eway HA Gr oup - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Pool - A 173. 168. 10. 20 173. 168. 10. 25 / 24 173. 168. 10. 250 0 In this configuration, the AX device will initiate health checks using the last IP address in the pool as the source IP address. In this example, the AX device will use IP address 173.168.10.25. In addition, the AX device will only respond to control traffic directed to 173.168.10.25 from the 173.168.10.0/24 subnet. NAT Range List Requires AX Interface or Route Within the Global Subnet In an IP source NAT configuration, return UDP or ICMP traffic may not be able to reach the AX device. This can occur under the following circum- stances: IP source NAT is configured using a NAT range list. The AX device does not have any data interfaces or routes that contain an address within the subnet of the range list's global address(es). To work around this issue, configure an IP interface that is within the NAT range lists global subnet. You can configure the address on any active data interface on the AX device. This issue does not affect NATted traffic other than ICMP or UDP traffic, or use of an ACL with a NAT pool. IP NAT in HA Configurations If you are using IP source NAT or full NAT in an HA configuration, make sure to add the NAT pool or range list to an HA group. Doing so allows a newly Active AX device to properly continue management of NAT resources following a failover. 646 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide IP Source NAT USING THE GUI In the GUI, you can select the HA group from the HA Group drop-down list on the following configuration tabs: Config >Service >IP Source NAT >IPv4 Pool Config >Service >IP Source NAT >IPv6 Pool Config >Service >IP Source NAT >NAT Range USING THE CLI In the CLI, the ha-group-id option is supported with the following NAT commands: [ no] ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} [ gateway ipaddr] [ ha-group-id group-id] [ no] ipv6 nat pool pool-name start-ipv6-addr end-ipv6-addr netmask mask-length [ gateway ipaddr] [ ha-group-id group-id] [ no] ip nat range-list list-name source-ipaddr /mask-length nat-ipaddr /mask-length count number [ ha-group-id group-id] P e r f o r m a n c e b y D e s i g n 647 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Large-Scale Network Address Translation This chapter describes Large-scale Network Address Translation (LSN) and how to configure it. The A10 Networks implementation of LSN conforms to the following RFCs: draft-nishitani-cgn-02 This is the main RFC for LSN. RFC 4787 Network Address Translation (NAT) Behavioral Require- ments for Unicast UDP RFC 5382 NAT Behavioral Requirements for TCP RFC 5508 NAT Behavioral Requirements for ICMP Note: LSN is supported only on the 64-bit ACOS models: AX 2500, AX 2600, AX 3000, AX 5100, and AX 5200. Note: The current release provides Application Layer Gateway (ALG) support for FTP only. Note: LSN requires the new-path processing option. This option was enabled by default in AX Release 2.5.0 (the Beta release for LSN) but is disabled by default in the current release. New-path processing is required for LSN and applies only to LSN. The option does not apply to any other features. (To enable the option, see step7 in Configuring Large-Scale NAT on page666.) Overview LSN provides robust NAT support for network carriers (also called Inter- net Service Providers or ISPs). Carriers can use LSN to provide NAT service for multiple enterprises and residential clients. Figure167 shows an example of a carrier using LSN to provide NAT to residential clients. 648 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 167 Large-Scale NAT The carriers clients are on an internal subnet, 192.168.1.x/24, in the car- riers network. When a client sends a request, the AX device running LSN creates a mapping of the clients internal address and protocol port to a pub- lic address and protocol port. In this example, LSN creates the following mapping: Client Internal Address Client Public Address 192.168.1.1:10000 203.0.113.1:10000 P e r f o r m a n c e b y D e s i g n 649 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview After LSN creates an IP address mapping for a client, LSN uses the same mapping for all traffic between the client and any external IP address. For example, if client 192.168.1.1 opens multiple HTTP sessions and an email session, LSN uses the same external IP address for the client for all the ses- sions, as shown in Figure168. FIGURE 168 LSN Address Mapping 650 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview NAT Data Session Aging The clients data session remains in effect until the AX device detects that the session has ended or until the session ages out due to inactivity. For a TCP session, the data session is removed when the AX device observes the FIN or RST messages exchanged by the two end points of the session. If the AX device does not observe the FIN exchange but the session is idle, the mapping is removed when the session ages out. For a UDP session, the data session is removed when the session ages out. For an ICMP session, the data session ends when the ICMP reply is received, or when the session ages out. NAT session aging is individually configurable for TCP, UDP, and ICMP, using the ip nat translation command. tcp-timeout Configurable to 60-1500 seconds. The default is 300 sec- onds. udp-timeout Configurable to 60-1500 seconds. The default is 300 seconds. icmp-timeout Configurable to 60-1500 seconds, or fast. The fast option uses the SLB maximum session life (MSL), which is 2 seconds by default. The default is fast. Optionally, static mappings can be configured. A static mapping never ages out. NAT Mapping Removal and Full-Cone Behavior When a NAT data session is removed, removal of the NAT mapping used by the data session depends on whether full-cone behavior is present: If full-cone behavior is not present, the NAT mapping is removed when the data session is removed. If full-cone behavior is present, the NAT mapping remains in effect until all the data session that use the mapping a removed. For example, if a client uses source port 50000 to connect to two different destinations, the same NAT mapping is used for both data sessions. (This is endpoint- independent mapping.) The NAT mapping is not removed until the data sessions with both destinations have been removed. LSN maintains the NAT mapping for a full-cone session for a period of time, the STUN timeout, after the last data session ends. The STUN timeout is 2 minutes by default and is configurable. (See STUN Timeout on page670.) P e r f o r m a n c e b y D e s i g n 651 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview By default, full-cone behavior for the well-known destination ports (1-1024) is disabled. Full-cone behavior does not apply to ICMP sessions. How LSN Differs fromTraditional NAT LSN fulfills the following requirements that traditional NAT is unable to fulfill: High transparency Existing user applications continue to work with minimal to no impact on customers. Well defined NAT behavior LSNs consistent, deterministic behavior allows for easy development of new user applications. Traditional NAT implementations vary considerably, and may not work for all applica- tions. Fairness in resource sharing LSN provides user guarantees and protec- tion. LSN works for both client-server (traditional) and client-client (P2P) applications. The benefits LSN provides that traditional NAT can not provide are described in this section and in more detail in Benefits of LSN on page653. Traditional NAT works for client-to-server applications, wherein a client opens a connection to a server and requests data, and the server responds back to the client. However, traditional NAT is often inadequate for contem- porary applications such as peer-to-peer (P2P) file-sharing, instant messen- gers (IM), and Voice-over-IP (VoIP). To provide NAT for these types of applications, LSN is required. Figure169 shows an example of P2P file sharing among LSN clients and other devices. 652 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 169 LSN Clients Using P2P File Sharing In this example, multiple clients are registered with a P2P file-sharing tracker as sharers of file example.torrent. All clients are registered on the file-sharing tracker by their public IP addresses. LSN allows each of the internal clients to use the same public IP address, with different Layer 4 source port numbers. LSN also allows the clients in the internal subnet to share the file among themselves, as well as with other clients who are out- side the internal network. Note: When possible, LSN uses the internal clients source protocol port num- ber in the external mapping for the client. However, if the protocol port is P e r f o r m a n c e b y D e s i g n 653 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview already used by another client on the same external IP address, LSN selects another protocol port for the new mapping. Benefits of LSN LSN provides the following benefits not provided by traditional NAT: Sticky NAT Application transparency through full-cone NAT to support peer-to-peer (P2P) applications Hairpinning support Configurable user quotas to ensure fair allocation of NAT mappings Static port reservation Sticky NAT Once an internal user uses a NAT IP, the user always uses the same NAT IP for future connections. If all user sessions are cleared, then a different NAT IP may be assigned. Some applications that open multiple sessions to the same or multiple serv- ers often do not work well without sticky NAT. Full-Cone NAT Traditional NAT works well for client-to-server applications, wherein a cli- ent opens a connection to a server and requests data, and the server responds back to the client. However, traditional NAT is inadequate to support client- to-client applications, such as the following: Peer-to-peer (P2P) file-sharing applications Instant messengers (IM) Voice-over-IP (VoIP) To overcome the shortcomings of traditional NAT, LSN implements full- cone NAT. Full-cone NAT, also known as one-to-one NAT, has two specific behaviors: 654 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Endpoint-Independent Mapping (See Figure168 on page649.) After LSN maps an internal clients source IP address and Layer 4 (TCP or UDP) port to an external IP address and port, the same mapping is used for all traffic from that internal source IP and port, regardless of the des- tination. For ping, the ICMP query identifier is treated the same way as a UDP or TCP port. Internal-IP-and-L4-Port =External-IP-and-L4-Port, for all destina- tions Internal-IP-and-ICMP-query-ID =External-IP-and-ICMP-query- ID, for all destinations Endpoint-Independent Filtering (See Figure169 on page652.) For traffic from any source to a given mapped client, LSN always allows the traffic to be forwarded to the internal client regardless of the endpoint. These techniques provide consistent NAT mapping behavior, enabling cli- ent-to-client applications such as P2P, client-to-server applications, and NAT traversal techniques such as STUN, to work correctly. Note: Endpoint-Independent Filtering is different from security filtering such as provided by ACLs, black/white lists, and so on. Endpoint-Independent Filtering simply means that LSN does not cause an internal client to be unreachable by certain sources, by using different mappings based on des- tination. The AX devices security features can still be used to control access to clients. P e r f o r m a n c e b y D e s i g n 655 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Hairpinning Hairpinning allows inside clients to communicate with one another using their outside addresses. This feature is useful for applications that require global addresses. Figure170 shows an example. FIGURE 170 LSN NAT Hairpinning User Quotas When an internal user is first mapped by LSN, the user is assigned to a NAT IP as part of sticky NAT. Before choosing a NAT IP for a particular internal user, LSN checks to ensure there are enough ports free on that NAT IP for the user. This guarantees that internal users will be able to use as many ports as possible. LSN user quotas limit the number of NAT port mappings allowed for indi- vidual internal IP addresses. For example, you can limit each inside IP address to a maximum of 100 TCP NAT ports. Once a client reaches the quota, the client is not allowed to open additional TCP sessions. 656 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview You can configure separate quotas for each of the following protocols, on a global or individual LSN Limit-ID (LID) basis: TCP UDP ICMP Each NAT IP has 64,000 TCP ports, 64,000 UDP ports, and 64,000 ICMP ports that can be used for user sessions on the address. FIGURE 171 Protocol Ports Available for Per-User Quota The per-user quota for a protocol specifies the maximum number of ports a given internal user can use at the same time on a NAT IP. For example, if you set the TCP per -user quota to 100 ports, each internal user can have a maximum of 100 TCP sessions on a NAT IP. In Figure172, 320 internal users are mapped to a NAT IP. Each of the users consumes 100 TCP ports, leaving 32,000 ports free for new users. In this example, there is room for an additional 320 internal users on the NAT IP. P e r f o r m a n c e b y D e s i g n 657 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 172 Per-User Quota Port Reserve In the example above, each internal user immediately consumes 100 of the NAT IPs TCP ports, as soon as the user is mapped to the NAT IP. If typical port consumption per user is expected to be lower than the per- user quota, you can also specify a reserve value. The reserve value is a sub- set of the per-user quota. Specifying a reserve value allows more internal users to be mapped to the NAT IP. When you specify a reserve value, each new internal user immediately con- sumes the number of reserved ports. However, the remaining ports in the users quota are not consumed unless the user actually needs them. Any remaining ports that are not consumed by the user are available, if needed, to new users. FIGURE 173 Per-User Quota with Reserve 658 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview In Figure173, none of the 320 internal users currently mapped to the NAT IP is using more than their reserve value of 50 TCP ports each. This leaves the remaining ports in each users quota available for new users, if needed. When new users are mapped to the NAT IP, those users receive ports from the free ports. After all free ports are assigned to users, available (unused) ports within existing users quotas are assigned to new users if needed. In Figure174, the external IP address does not have any more free ports. How- ever, none of the users are actually using all of the ports in their 100-port quota. In fact, in this example, none of the users are using more than the 50 reserved ports within the quota. Although there are no more free ports, 32,000 ports are still unused, and therefore available for mapping to new internal users. FIGURE 174 Per-User Quota with Reserve - no free ports How the Reserve Value Affects NAT IP Selection If the inside client is not yet assigned to a NAT IP address, LSN selects an available NAT IP address. The NAT IP address must meet the following requirements in order to be used for the client: The address must have enough free or available TCP ports to fulfill the configured per-user TCP reserve. The configured per-user TCP reserve must not exceed the number of free or available ports on the NAT IP address. The address must have enough free or available UDP ports to fulfill the configured per-user UDP reserve. The configured per-user UDP reserve must not exceed the number of free or available ports on the NAT IP address. P e r f o r m a n c e b y D e s i g n 659 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Note: There is a difference between available ports and free ports. It is possible to allocate more than the reserve value. However, it is not possible to allo- cate more than the user-quota value. All requirements above must be met for any type of session (TCP, UDP, or ICMP). If the NAT IP address can not meet all requirements, another avail- able address is selected and evaluated for the same requirements. The pro- cess continues until an available NAT IP address that meets all requirements is found. Extended User Quota for Always-Available Services By default, once a client reaches their quota for a protocol, no new transla- tions for that protocol are allowed. To ensure that ports are available for essential services, you can configure an extended quota for the protocol ports used by those essential services. For example, to ensure that email ser- vice remains available, you can configure an extended quota for TCP port 25, the standard port used by Simple Mail Transfer Protocol (SMTP). Extended quotas can be configured on individual LSN LIDs, for individual destination ports. For user quotas, the regular quota is used first, for all applications. The extended quota is used only if all regular quota ports are in use, and only for the specified application. The extended quota is always released before the regular quota. Example: TCP user quota =10. Extended user quota for TCP port 25 (email) =5. Table17 shows an example of how ports are used and released with these quotas. TABLE 17 Extended-User-Quota Example User Connections Regular Quota Available Extended Quota Available TCP 80 (web) TCP 25 (email) No connections No connections 10 5 No connections User opens 1 connection 9 5 User opens 4 connections 5 5 User opens 1 more connection 4 5 User opens 4 more connections (total 8) No more port 80 connections allowed! 0 5 660 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Maximum User Per IP By default, there is no limit to the number of internal addresses that can be mapped to a single public address at the same time. You can specify 1-65535 as the limit. Static Port Reservation A common issue with NAT occurs when an inside user wants to advertise a service on a port. For example, an HTTP server will need to advertise port 80. However, since the NAT IP is shared, only one user per NAT IP will be able to have port 80. You can allow an inside user to reserve a specific NAT port. In this example, the NAT port 80 would be statically assigned to the particular user. Note: This concept of port reservation is sometimes called port forwarding. User opens 5 more connections (total 7) No more port 25 connections allowed! 0 0 User frees 4 connections Still no more port 80 connections allowed! 4 more connections allowed 0 4 User frees remaining 4 connections 3 5 TABLE 17 Extended-User-Quota Example (Continued) User Connections Regular Quota Available Extended Quota Available TCP 80 (web) TCP 25 (email) P e r f o r m a n c e b y D e s i g n 661 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview LSN Logging The AX device generates logs for LSN operational events and for LSN traf- fic. LSN Operational Logging Table18 lists the types of LSN operational events that are logged. Here is an example of the full string for a log: May 13 2010 15: 15: 43 War ni ng [ AX] : LSN: NAT por t usage exceeded on pool pool 1 ( 4146 t i mes) This log indicates that a current NAT IP user with an external IP address from pool1 could not get a new NAT port session, because no ports were available. The log indicates 4146 occurrences of the same event. LSN events are logged to the AX devices local log buffer based on the log settings for the system. TABLE 18 LSN Operational Logs Severity Level Event Message String Critical User-quota creation failure LSN: User - quot a cr eat i on f ai l ed ( out of memor y) f or pool . . . Full-cone session creation failure LSN: Ful l - cone sessi on cr eat i on f ai l ed ( out - of - memor y) f or pool . . . Warning New inside user unable to get NAT IP LSN: New user coul d not get a NAT I P on pool . . Current inside user on NAT IP can not get new NAT port LSN: NAT por t usage exceeded on pool . . . Notice User quota exceeded LSN: I CMP user - quot a exceeded on pool . . . LSN: UDP user - quot a exceeded on pool . . . LSN: TCP user - quot a exceeded on pool . . . Extended user quota exceeded LSN: UDP ext ended user - quot a exceeded on pool . . . LSN: TCP ext ended user - quot a exceeded on pool . . . 662 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview LSN Traffic Logging LSN traffic logs are sent only to external log servers. There are two basic types of LSN traffic logs: Session logs, to indicate creation or deletion of ICMP, TCP, and UDP sessions NAT port mapping logs, to indicate creation or freeing of NAT port mappings for ICMP, TCP, and UDP Table19 lists the LSN traffic logs that can be generated. TABLE 19 LSN Traffic Logs Event Message String Format ICMP data session created AX_hostname NAT- I CMP- N: fwd_src_ip: fwd_src_port<- - >fwd_dest_ip:fwd_dest_port, rev_src_ip:rev_src_port<- - >rev_dest_ip: rev_dest_port TCP data session created AX_hostname NAT- TCP- N: fwd_src_ip: fwd_src_port<- - >fwd_dest_ip:fwd_dest_port, rev_src_ip:rev_src_port<- - >rev_dest_ip: rev_dest_port UDP data session created AX_hostname NAT- UDP- N: fwd_src_ip: fwd_src_port<- - >fwd_dest_ip:fwd_dest_port, rev_src_ip:rev_src_port<- - >rev_dest_ip: rev_dest_port ICMP data session deleted AX_hostname NAT- I CMP- D: fwd_src_ip: fwd_src_port<- - >fwd_dest_ip:fwd_dest_port, rev_src_ip:rev_src_port<- - >rev_dest_ip: rev_dest_port TCP data session deleted AX_hostname NAT- TCP- D: fwd_src_ip: fwd_src_port<- - >fwd_dest_ip:fwd_dest_port, rev_src_ip:rev_src_port<- - >rev_dest_ip: rev_dest_port UDP data session deleted AX_hostname NAT- UDP- D: fwd_src_ip: fwd_src_port<- - >fwd_dest_ip:fwd_dest_port, rev_src_ip:rev_src_port<- - >rev_dest_ip: rev_dest_port LSN port mapping created for ICMP AX_hostname NAT- I CMP- C: inside_ip: inside_port<- - >nat_ip: nat_port t o dest_ip: dest_port Note: In this message and the other port mapping creation messages, the destination (t o dest_ip: dest_port) is not included in the message by default. You can enable the destination to be included when you configure LSN external logging. LSN port mapping created for TCP AX_hostname NAT- TCP- C: inside_ip: inside_port<- - >nat_ip: nat_port t o dest_ip: dest_port LSN port mapping created for UDP AX_hostname NAT- UDP- C: inside_ip: inside_port<- - >nat_ip: nat_port t o dest_ip: dest_port LSN port mapping for ICMP freed AX_hostname NAT- I CMP- F: inside_ip: inside_port<- - >nat_ip: nat_port t o dest_ip: dest_port LSN port mapping for TCP freed AX_hostname NAT- TCP- F: inside_ip: inside_port<- - >nat_ip: nat_port t o dest_ip: dest_port LSN port mapping for UDP freed AX_hostname NAT- UDP- F: inside_ip: inside_port<- - >nat_ip: nat_port t o dest_ip: dest_port P e r f o r m a n c e b y D e s i g n 663 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview You can specify the severity level of LSN traffic logs when you configure external logging (described below). The default severity level is debugging. LSN port mapping logs are enabled by default. LSN session logs are dis- abled by default. You can enable or disable each type of log when you con- figure external logging. Examples The following logs indicate the creation and deletion of a UDP session. AX NAT- UDP- C: 192. 168. 1. 1: 20001<- - >203. 0. 210. 1: 80, 203. 0. 210. 1: 80<- - >203. 0. 113. 1: 20001 AX NAT- UDP- D: 192. 168. 1. 1: 20001<- - >203. 0. 210. 1: 80, 203. 0. 210. 1: 80<- - >203. 0. 113. 1: 20001 The following logs indicate the creation and freeing of an LSN port map- ping for UDP. AX NAT- UDP- C: 192. 168. 1. 1: 20001 - > 203. 0. 113. 1: 20001 t o 203. 0. 210. 1: 80 AX NAT- UDP- F: 192. 168. 1. 1: 20001 - > 203. 0. 113. 1: 20001 t o 203. 0. 210. 1: 80 Remote Logging LSN traffic logs can be sent only to external log servers. LSN traffic logs are not sent to the AX devices local log buffer. You can use a group of external log servers. The AX device uses a hash value based on the client IP address to select an external log server, and always sends logs for that client to the same server. (For configuration infor- mation, see Configuring External Logging for LSN Traffic Logs on page671.) Note: External LSN logging applies only to LSN traffic logs, not to LSN opera- tional event logs. LSN NAT Capacities Pools and Pool Groups AX Release 2.4.3 increases the capacity for LSN NAT resources that can be configured on an AX device. These increases apply only to LSN. Up to 500 LSN pools can be configured. In previous releases, up to 100 LSN pools can be configured. Up to 200 LSN pool groups can be configured. In previous releases, up to 50 LSN pool groups can be configured. Each pool group can contain up to 25 pools. In previous releases, each pool group can contain up to 5 pools. 664 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Note: This release also has a CLI syntax enhancement for LSN pool-group con- figuration. (See CLI Syntax Enhancement for LSN Pool-Group Configu- ration on page198.) Maximum LSN Pool IP Addresses By default, the AX models that support LSN can support up to the following maximum numbers of LSN pool addresses (outside addresses) per system: AX 5200 10,000 outside IPs AX 5100 10,000 outside IPs AX 3000 4000 outside IPs AX 2600 2000 outside IPs AX 2500 2000 outside IPs This limit is configurable. To display the current and configurable values, use the show system resource-usage command. Here is an example on model AX 5200: AX5200( conf i g) #show system resource-usage Resour ce Cur r ent Def aul t Mi ni mum Maxi mum - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - l 4- sessi on- count 33554432 33554432 8388608 134217728 nat-pool-addr-count 10000 2000 500 10000 r eal - ser ver - count 1024 1024 512 16384 r eal - por t - count 2048 2048 512 32768 . . . The Current column shows the maximum number of LSN pool addresses currently allowed on the system. The default column shows the default maximum allowed. In this example, the maximum has been increased by an administrator, to the highest allowed amount, 10000. To change the maximum number of LSN pool addresses allowed on the sys- tem, use the following command at the global configuration level of the CLI: [ no] system resource-usage nat-pool-addr-count maximum The maximum value can be any value in the range between the values in the Minimum and Maximum columns in the show system resource-usage out- put. P e r f o r m a n c e b y D e s i g n 665 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Note: To place a system resource change into effect, you must reload or reboot the AX device. If you change the maximum number of Layer 4 sessions (l4-session- count), a reboot is required. A reload will not place this change into effect. Notes and Limitations Dynamic Class-List Changes Class-list changes do not affect LSN sessions that are already in effect when the class list changes occur. Example: Some data sessions, user-quota sessions, or full-cone sessions are created for inside user X. Then, the class list is changed in a way that affects X. The sessions for X will stay alive as long as there is traffic matching them. LSN IP Selection The method used for selection of an IP address within an LSN pool does not apply to pool selection within a pool group. Selection of a pool from within a pool group is always random. After a pool is randomly selected, the configured IP selection method is used to select an IP address from the pool. Example: The least-used-strict method is enabled for LSN IP address selection. For a new NAT session: 1. A pool is randomly chosen from the pool group. 2. The least-used IP address within that pool is chosen for the new NAT session. 666 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Large-Scale NAT Configuring Large-Scale NAT To configure LSN: 1. Configure NAT pools (and optionally, pool groups). Use the LSN option to indicate the pools are for use by LSN. 2. Configure LSN Limit IDs (LIDs). For each LID, specify the NAT pool to use. Optionally, set user quotas for the LID. 3. Configure class lists for the user subnets that require LSN. A class list is a list of internal subnets or hosts. Within a class list, you can bind each internal subnet to an individual LSN LID. 4. Bind a class-list for use with LSN. The class lists will apply to packets from the inside NAT interface to the outside NAT interface. There can be at most 1 class-list for this purpose. 5. Enable inside NAT on the interface connected to the internal clients. 6. Enable outside NAT on the interface connected to the Internet. 7. Enable new-path processing. Note: New-path processing was enabled by default in AX Release 2.5.0 but is disabled by default in the current release. New-path processing is required for LSN and applies only to LSN. The option does not apply to any other features. The CLI commands for performing these configuration steps are described below. For information about additional options, see the following sections: Configuring Static Mappings on page670 Enabling Full-Cone Support for Well-Known Ports on page670 Configuring External Logging for LSN Traffic Logs on page671 Configure the IP Selection Method on page673 Configuring the LSN SYN Timeout on page673 P e r f o r m a n c e b y D e s i g n 667 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Large-Scale NAT Configure an LSN NAT Pool Use the following command at the global configuration level of the CLI: [ no] ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} lsn [ max-users-per-ip num] This command configures an LSN NAT pool. The start-ipaddr and end- ipaddr options specify the beginning and ending public IP addresses in the range to be mapped to internal addresses. The netmask option specifies the subnet mask or mask length for the addresses. The lsn option enables the pool for use by LSN. The max-user-per-ip option specifies the maximum number of internal addresses that can be mapped to a single public address at the same time. You can specify 1-65535. By default, there is no limit. Note: LSN pools can not be used for SLB. Pool Modification If you need to modify a pool used for LSN, all sessions using that pool must be cleared first. 1. Remove the pool from any pool groups and LIDs that use the pool. 2. Clear the sessions (clear ip nat lsn all-sessions pool pool-name). 3. Reconfigure the pool. 4. Add the pool back to the pool groups and LIDs that use the pool. Configure a LID Use the following commands: [ no] lsn-lid num Enter this command at the global configuration level of the CLI. The num specifies the LID number and can be 1-31, for a maximum of 31 LIDs. This command changes the CLI to the configuration level for the LID, where the following LID-related commands are available: [ no] source-nat-pool pool-name This command binds an LSN NAT pool to the LID. 668 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Large-Scale NAT [ no] user-quota {tcp | udp | icmp} quota-num [ reserve reserve-num] This command configures the per-user mapping quota for each type of pro- tocol supported for LSN (TCP, UDP, or ICMP). The quota-num option spec- ifies the maximum number of sessions allowed per client and can be 1-64000. There is no default user quota. The reserve option allows you to specify how many ports to reserve on a NAT IP for each user, 0-64000. If unspecified, the reserve value is the same as the user-quota value. [ no] extended-user-quota {tcp | udp | icmp} service-port portnum sessions num This command configures a per-user extended quota for essential services. The port option specifies the Layer 4 protocol port of the service, and can be 1-65535. The sessions option specifies how many extended sessions are allowed for the protocol port, and can be 1-255. There is no default extended user quota. Configure a Class List Use the following command at the global configuration level of the CLI: [ no] class-list {list-name | filename file} This command changes the CLI to the configuration level for the class list. The list-name option will add the list to the running-config. If the list will be large, you might want to use the filename file option to save the list to a file instead. In this case, the list entries are not displayed in the running-config. The following class-list-related command is available: [ no] priv-addr {subnet-mask | /mask-length} lsn-lid num Thepriv-addr option specifies the internal host or subnet address. Use the subnet-mask or /mask-length option to specify the subnet mask or mask length. The lsn-lid num option specifies the LID number. Class List Syntax Each entry (row) in the class list defines a client class, and has the following format: ipaddr /network-mask lsn-lid num [ ; comment-string] P e r f o r m a n c e b y D e s i g n 669 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Large-Scale NAT Each entry consists of the following: ipaddr Specifies the inside subnet that requires LSN. The network- mask specifies the network mask. To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard address matches on all addresses that do not match any entry in the class list. lsn-lid num Specifies the LID. ; comment-string Contains a comment. Use a semi-colon ( ; ) in front of the comment string. Note: The AX device discards the comment string when you save the class list. Example Class Lists Here is an example of a class list for inside subnet 192.168.1.x/24 using LID2. 192. 168. 0. 0 / 16 l sn- l i d 2 Bind the CLass List for Use with LSN Use the following command at the global configuration level of the CLI: [ no] ip nat inside source class-list list-name Enable Inside NAT on the Interface Connected to Internal Clients Use the following command at the configuration level for the interface: [ no] ip nat inside Enable Outside NAT on the Interface Connected to the Internet Use the following command at the configuration level for the interface: [ no] ip nat outside Enable New-path Processing Use the following command at the global configuration level: [ no] slb new-path-enable 670 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Large-Scale NAT Optional Configuration The following sections describe additional configuration options. Configuring Static Mappings Optionally, to configure static mappings for a range of protocol ports for an internal address, use the following command at the global configuration level of the CLI: [ no] ip nat lsn port-reservation inside priv-ipaddr start-priv-portnum end-priv-portnum nat public-ipaddr start-public-portnum end-public-portnum The priv-ipaddr option specifies the internal IP address. The start-priv-port- num and end-priv-portnum options specify the range of internal protocol port numbers. Likewise, the public-ipaddr option specifies the public IP address to map to the internal IP address. The start-public-portnum and end- public-portnum options specify the range of public protocol port numbers to map to the range of internal protocol port numbers. Enabling Full-Cone Support for Well-Known Ports By default, LSN does not provide full-cone support for user sessions initi- ated from an internal IP address to a well-known TCP or UDP port (0-1023) on an external address. To enable full-cone support for these sessions, use the following command at the global configuration level of the CLI: [ no] ip nat lsn enable-full-cone-for-well-known STUN Timeout LSN maintains the NAT mapping for a full-cone session for a period of time, the STUN timeout, after the session ends. If the client requests a new session for the same port before the mapping times out, the mapping is used again, for the new session. If the mapping is not used again before the STUN timeout expires, the mapping is removed. The default STUN timeout is 2 minutes. To change the STUN timeout, use the following command at the global configuration level of the CLI: [ no] ip nat lsn stun-timeout minutes You can specify 0-60 minutes. P e r f o r m a n c e b y D e s i g n 671 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Large-Scale NAT Configuring External Logging for LSN Traffic Logs LSN traffic logs can be sent only to external log servers. If you configure a group of external log servers, the AX device load balances the messages among the servers. Source-IP based hashing is used to select an external log server. This method ensures that LSN logs for a given source IP address always go to the same log server. To configure LSN logging to external servers: 1. Create an SLB real server configuration for each log server. 2. Configure a UDP service group and add the log servers to the group. The service group can contain a maximum of 32 members for external LSN logging. 3. Configure an LSN logging template. Within the template, specify the service group and the types of events to log. The commands for configuring real servers and service groups are the same as those used for SLB. (See the example in Configuration of External Log- ging for LSN Traffic Logs on page676.) To configure an LSN external logging template, use the following com- mands: [ no] ip nat template logging template-name This command changes the CLI to the configuration level for the template, where the following configuration commands are available: [ no] service-group group-name This command adds the service group of external log servers to the tem- plate. [ no] log port-mappings [ no] log sessions These commands enable or disable LSN traffic logs. The port-mappings option is enabled by default. The sessions option is disabled by default. (For more information about each type of LSN traffic log, see LSN Logging on page661.) [ no] source-port port-num This command specifies the UDP port number from which the AX device will send the log messages. The default is 514. 672 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Large-Scale NAT [ no] severity severity-level This command specifies the severity level to assign to LSN traffic logs gen- erated using this template. You can enter the name or the number of a sever- ity level. The default is 7 (debugging). {0 | emergency} {1 | alert} {2 | critical} {3 | error} {4 | warning} {5 | notification} {6 | information} {7 | debugging} [ no] facility facility-name This command specifies the logging facility to use. The default is local0. For a list of available facilities, enter the following command: facility ? [ no] include-destination This command includes the destination IP addresses and protocol ports in NAT port mapping logs. This option is disabled by default. Activating the LSN Logging Template To activate the LSN external logging template, use the following command at the global configuration level of the CLI: [ no] ip nat lsn logging default-template template-name LSN external logging does not take effect until you use this command. Using a Different LSN Logging Template for Individual Pools The default LSN logging template is used for all LSN pools. To use a differ- ent LSN logging template for an individual pool, configure the template, then use the following command at the global configuration level of the CLI: [ no] ip nat lsn logging pool pool-name template template-name P e r f o r m a n c e b y D e s i g n 673 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Large-Scale NAT Configure the IP Selection Method The method used by LSN to select an IP address from an LSN NAT pool is configurable, on a global basis. You can select one of the following IP address selection methods: random (the default) round-robin least-used-strict Selects the address with the fewest NAT ports of any type (ICMP, TCP, or UDP) used least-udp-used-strict Selects the address with the fewest UDP NAT ports used least-tcp-used-strict Selects the address with the fewest TCP NAT ports used least-reserved-strict Selects the address with the fewest NAT ports of any type (ICMP, TCP, or UDP) reserved least-reserved-udp-strict Selects the address with the fewest UDP NAT ports reserved least-reserved-tcp-strict Selects the address with the fewest TCP NAT ports reserved least-users Selects the address with the fewest users The IP address selection method applies only to the IP addresses within individual pools. The method does not apply to selection of pools within a pool group. LSN randomly selects a pool from within a pool group, then uses the configured IP address selection method to select an address from within the pool. To specify the method for LSN IP address selection within a pool, use the following command at the global configuration level of the CLI: [ no] ip nat lsn ip-selection method The method can be one of the options listed above. The method you specify applies to all LSN pools. Configuring the LSN SYN Timeout LSN has its own SYN timeout, separate from the IP NAT translation time- out. The LSN timeout can be 2-7 seconds, and is 4 seconds by default. To change the LSN timeout, use the following command at the global con- figuration level of the CLI: 674 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Displaying LSN Information [ no] ip nat lsn syn-timeout seconds Note: In AX Release 2.5.0 (the Beta release for LSN), the ip nat translation syn-timeout command was used for the LSN timeout. Accordingly, the configurable range was changed from 60-300 seconds to 2-7 seconds. In AX Release 2.4.3, the ip nat translation syn-timeout command is not used for LSN, and the configurable range has been restored to 60-300 sec- onds. In AX Release 2.4.3, to configure the LSN SYN timeout, use the ip nat lsn syn-timeout command instead of the ip nat translation syn- timeout command. Displaying LSN Information Use the following commands to display LSN information. show class-list [ list-name] This command shows configured class lists. show ip nat lsn full-cone-sessions This command shows currently active full-cone sessions. show ip nat lsn pool-statistics This command shows statistics related to IP address pools used for LSN. show ip nat lsn user-quota-sessions This command shows currently active user quota sessions. show ip nat lsn port-reservations This command shows configured LSN static port reservations. show ip nat lsn statistics This command shows global statistics related to LSN. Clearing LSN Statistics and Sessions Use the following command to clear LSN statistics: clear ip nat lsn statistics Use the following commands to clear LSN sessions: clear ip nat lsn full-cone-sessions P e r f o r m a n c e b y D e s i g n 675 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example clear ip nat lsn data-sessions clear ip nat lsn all-sessions pool pool-name Note: The last command is required before removing a pool from a pool group. Configuration Example The commands in this section implement the LSN configuration shown in Figure167 on page648. The following command configures an LSN NAT pool: AX( conf i g) #ip nat pool LSN_POOL1 203.0.113.1 203.0.113.254 netmask /24 lsn The following commands configure an LSN LID. The LID is bound to pool LSN_POOL1. Per-user quotas are configured for TCP, UDP, and ICMP. For UDP, this class of users will reserve only 100 UDP ports instead of 300. An extended quota of sessions per client is allocated for TCP port 25 (SMTP). AX( conf i g) #lsn-lid 5 AX( conf i g- l sn l i d) #source-nat-pool LSN_POOL1 AX( conf i g- l sn l i d) #user-quota tcp 100 AX( conf i g- l sn l i d) #user-quota udp 300 reserve 100 AX( conf i g- l sn l i d) #user-quota icmp 10 AX( conf i g- l sn l i d) #extended-user-quota tcp port 25 sessions 3 AX( conf i g- l sn l i d) #end The following commands configure a class list to bind the internal subnet to the LID: AX( conf i g) #class-list list1 AX( conf i g- cl ass l i st ) #192.168.0.0 /16 lsn-lid 5 AX( conf i g- cl ass l i st ) #end The following command enables LSN for the class list: AX( conf i g) #ip nat inside source class-list list1 The following commands enable inside NAT on the interface connected to the internal clients: AX( conf i g) #interface ethernet 1 AX( conf i g- i f : et her net 1) #ip nat inside 676 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example The following commands enable outside NAT on the interface connected to the Internet: AX( conf i g) #interface ethernet 2 AX( conf i g- i f : et her net 2) #ip nat outside AX( conf i g- i f : et her net 2) #exit The following command enables new-path processing, which is required for LSN: AX( conf i g) #slb new-path-enable Configuration of External Logging for LSN Traffic Logs The following commands configure external logging for LSN traffic logs: AX5200( conf i g) #slb server syslog1 203.0.118.1 AX5200( conf i g- r eal ser ver ) #port 514 udp AX5200( conf i g- r eal ser ver ) #exit AX5200( conf i g) #slb service-group syslog udp AX5200( conf i g- sl b svc gr oup) #member syslog1:514 AX5200( conf i g- sl b svc gr oup) #exit AX5200( conf i g) #ip nat template logging lsn_logging AX5200( conf i g- nat l oggi ng) #log port-mappings AX5200( conf i g- nat l oggi ng) #service-group syslog AX5200( conf i g- nat l oggi ng) #exit AX5200( conf i g) #ip nat lsn logging default-template lsn_logging Display Commands The following commands display LSN information: AX( conf i g) #end AX#show class-list list1 Name: l i st 1 Tot al si ngl e I P: 0 Tot al I P subnet : 1 Cont ent : 192. 168. 0. 0 / 16 l sn- l i d 5 AX#show ip nat lsn full-cone-sessions LSN Ful l Cone Sessi ons: Pr ot I nsi de Addr ess NAT Addr ess Conns Pool CPU Age - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - TCP 192. 168. 1. 1: 20001 203. 0. 113. 1: 20001 1 pool 1 1 0 TCP 192. 168. 2. 1: 30001 203. 0. 113. 1: 30001 1 pool 1 4 0 TCP 192. 168. 255. 1: 50001 203. 0. 113. 1: 50001 1 pool 1 13 0 P e r f o r m a n c e b y D e s i g n 677 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example AX#show ip nat lsn user-quota-sessions LSN User - Quot a Sessi ons: I nsi de Addr ess NAT Addr ess I CMP UDP TCP Pool LI D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 192. 168. 1. 1: 20001 203. 0. 113. 1: 20001 0 3 0 pool 1 3 192. 168. 2. 1: 30001 203. 0. 113. 1: 30001 0 3 0 pool 1 3 192. 168. 255. 1: 50002 203. 0. 113. 1: 50001 0 2 0 pool 1 3 AX#show ip nat lsn port-reservations LSN Por t Reser vat i ons I nsi de Addr ess St ar t End NAT Addr ess St ar t End - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 192. 168. 1. 1 80 1024 203. 0. 113. 1 80 1024 AX#show ip nat lsn pool-statistics LSN Addr ess Pool St at i st i cs: - - - - - - - - - - - - - - - - - - - - - - - - - - - - pool 1 Addr ess User s I CMP Fr eed Tot al UDP Fr eed Tot al Rsvd TCP Fr eed Tot al Rsvd - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 203. 0. 113. 1 0 0 0 0 0 0 0 0 0 0 0 0 203. 0. 113. 2 0 0 0 0 0 0 0 0 0 0 0 0 203. 0. 113. 3 0 0 0 0 0 0 0 0 0 0 0 0 Table20 describes the fields in the show ip nat lsn pool-statistics output. TABLE 20 show ip nat lsn pool-statistics fields Field Description Address NAT (global) IP address. Users Number of inside IP addresses currently using the NAT IP address. ICMP Number of ICMP identifiers currently in use. Freed (ICMP) Total number of ICMP identifiers freed. Total (ICMP) Total number of ICMP identifiers allocated. ICMP column +Freed column =Total column. UDP Number of UDP ports currently in use. Freed (UDP) Total number of UDP ports freed. Total (UDP) Total number of UDP ports allocated. UDP column +Freed column =Total column. Rsvd (UDP) Total of all UDP reserve settings for each user that is cur- rently using the NAT IP address. For example, if an LID has the setting user-quota udp 100 reserve 50, and there are 50 users using the LID d on the NAT IP address, the Rsvd value is 50*50 =2500. TCP Number of TCP ports currently in use. Freed (TCP) Total number of TCP ports freed. Total (TCP) Total number of TCP ports allocated. TCP column +Freed column =Total column. 678 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuration Example Rsvd (TCP) Total of all TCP reserve settings for each user that is cur- rently using the NAT IP address. For example, if an LID has the setting user-quota tcp 100 reserve 60, and there are 10 users using the LID d on the NAT IP address, the Rsvd value is 10*60 =600. TABLE 20 show ip nat lsn pool-statistics fields (Continued) Field Description P e r f o r m a n c e b y D e s i g n 679 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Additional Admin Accounts Management Security Features In addition to basic security provided by login and enable passwords, AX Series devices support the following advanced management access security features: Multiple admin accounts with distinct levels of access Admin account lockout in response to excessive invalid passwords Interface-level access control for individual management access types (Telnet, SSH, and so on) Web access features for securing access through the GUI Authentication, Authorization, and Accounting (AAA) for remotely managed access security The following sections describe these features and show how to configure them. Note: If you have not already changed the default admin password and the enable password, A10 Networks recommends that you do so now, before implementing security options described in this chapter. Configuring Additional Admin Accounts The AX device comes with one admin account, admin, by default. The admin account has Root privileges and cannot be deleted. When logged onto the AX device with the admin account, you can config- ure additional admin accounts. For each admin account, you can configure the following settings: Username and password Privilege level (read or read-write) IP host or subnet address from which the admin is allowed to log on Account state (enabled or disabled) Note: You cannot change the privilege level of the admin account or disable it. 680 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring an Admin Account To configure an admin account, use either of the following methods. USING THE GUI 1. Select Config >System >Admin. 2. Click Add. The Administrator section appears. 3. Enter the name in the Name field. 4. Leave Change Administrator Password selected. (If you do not change the password, the default is used: a10.) 5. Enter the password for the new admin account in the Password and Con- firm Password fields. 6. To restrict login access by the admin to a specific host or subnet: a. Enter the address in the Trusted Host IP Address field. b. To restrict access to just a single host, edit the value in the Netmask field to 255.255.255.255. c. To restrict access to a subnet, edit the value in the Netmask field to the subnet mask for the subnet. Note: To allow access from any host, leave the Trusted Host IP Address and Netmask fields blank. 7. From the Privilege drop-down list, select the access level: Super Admin Allows access to all levels of the system. This account is not the Root account and can be deleted. This account cannot configure other admin accounts. (Only the admin account that has Root privileges can configure other admin accounts.) Read Only Admin Allows monitoring access to the system but not configuration access. In the CLI, this account can only access the User EXEC and Privileged EXEC levels, not the configuration lev- els. In the GUI, this account cannot modify configuration informa- tion. Partition Write Admin The admin has read-write privileges within the private partition to which the admin is assigned. The admin has read-only privileges for the shared partition. Partition Read Admin The admin has read-only privileges within the private partition to which the admin is assigned, and read-only privileges for the shared partition. P e r f o r m a n c e b y D e s i g n 681 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Additional Admin Accounts Partition RS Operator The admin is assigned to a private partition but has permission only to view service port statistics for real serv- ers in the partition, and to disable or re-enable the real servers and their service ports. Note: The Partition roles apply to Role-Based Administration (RBA). For infor- mation about this feature, see Role-Based Administration on page807. 8. Leave the Status enabled. 9. Click OK. 10. The new admin appears in the Admin table. FIGURE 175 Config >Admin >Admin FIGURE 176 Config >Admin - new admin added 682 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide USING THE CLI 1. Log on through the CLI and access the global configuration level. 2. Enter the following command to create the new admin account: [ no] admin admin-username This command changes the CLI to the configuration level for the new account. 3. Use the following commands to complete the configuration: password string trusted-host ipaddr {subnet-mask | /mask-length} privilege priv-level [ partition-name] The password command assigns the password, which can be 1-63 char- acters. The default is a10. The trusted-host command specifies the host or subnet from which the admin is allowed to log in. The default is 0.0.0.0 /0 (any host or subnet). The privilege command specifies the privileges granted to the admin account: read The admin can access the User EXEC and Privileged EXEC levels of the CLI only. This is the default. write The admin can access all levels of the CLI but cannot con- figure other admin accounts. partition-read The admin has read-only privileges within the pri- vate partition to which the admin is assigned, and read-only privi- leges for the shared partition. partition-write The admin has read-write privileges within the private partition to which the admin is assigned. The admin has read-only privileges for the shared partition. partition-enable-disable The admin has read-only privileges for real servers, with permission to view service port statistics and to disable or re-enable the servers and their service ports. No other read-only or read-write privileges are granted. The partition-name specifies the name of the private partition to which the admin is assigned. This option applies only to admins that have priv- ilege level partition-read, partition-write, or partition-enable-dis- able. Note: To restrict write access to specific configuration areas, see Configuring AAA for Admin Access on page694. 4. To verify the new admin account, enter the following command: show admin P e r f o r m a n c e b y D e s i g n 683 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Additional Admin Accounts CLI EXAMPLES The following commands add admin adminuser2 with password 12345678 and read-write privilege: AX( conf i g) #admin adminuser2 AX( conf i g- admi n: admi nuser 2) #password 12345678 AX( conf i g- admi n: admi nuser 2) #privilege write AX( conf i g- admi n: admi nuser 2) #show admin User Name St at us Pr i vi l ege Par t i t i on - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - admi n Enabl ed Root admi nuser 2 Enabl ed Read/ Wr i t e The following commands add admin adminuser3 with password abcde- fgh and read-write privilege, and restrict login access to the 10.10.10.x subnet only: AX( conf i g) #admin adminuser3 AX( conf i g- admi n: admi nuser 3) #password abcdefgh AX( conf i g- admi n: admi nuser 3) #privilege write AX( conf i g- admi n: admi nuser 3) #trusted-host 10.10.10.0 /24 AX( conf i g- admi n: admi nuser 3) #show admin User Name St at us Pr i vi l ege Par t i t i on - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - admi n Enabl ed Root admi nuser 2 Enabl ed Read/ Wr i t e admi nuser 3 Enabl ed Read/ Wr i t e AX( conf i g- admi n: admi nuser 3) #show admin adminuser3 detail User Name . . . . . . admi nuser 3 St at us . . . . . . Enabl ed Pr i vi l ege . . . . . . Read/ Wr i t e Par t i t i on . . . . . . Tr ust ed Host ( Net mask) . . . . . . 10. 10. 10. 0( 255. 255. 255. 0) Lock St at us . . . . . . No Lock Ti me . . . . . . Unl ock Ti me . . . . . . Passwor d Type . . . . . . Encr ypt ed Passwor d . . . . . . $1$6334ba07$CKbWL/ LuSNdY12kcE. KdS0 684 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Deleting an Admin Account An admin with Root privileges can delete other admin accounts. If you need to delete an admin account: 1. Display the admin session table to determine whether the admin has any active admin sessions. 2. Clear any sessions the admin has open. 3. Delete the admin account. Note: To delete an admin account, you first must terminate any active sessions the admin account has open. The account is not deleted if there are any open sessions for the account. USING THE GUI 1. To display the admin session table, select Monitor >System >Admin. 2. To clear an admin session, click on the checkbox next to the session to select it, then click Delete. 3. To delete the admin account: a. Select Config >System >Admin. b. Click on the checkbox next to the admin name. c. Click Delete. USING THE CLI 1. To display the admin session table, use the following command at the Privileged EXEC level or any configuration level: show admin session 2. To clear an admin session, use the following command at the Privileged EXEC level or any configuration level: clear admin session session-id The session-id is the ID listed in the ID column of the show admin ses- sion output. 3. To delete the admin account, use the following command at the global configuration level: no admin admin-username P e r f o r m a n c e b y D e s i g n 685 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Admin Lockout Configuring Admin Lockout By default, there is no limit to the number of times an incorrect password can be entered with an admin account to attempt access. You can enable the AX device to lock admin accounts for a specific period of time following a specific number of invalid passwords entered for the account. Table21 lists the admin lockout parameters you can configure. To configure admin lockout, use either of the following methods. USING THE GUI To enable the lockout feature: 1. Select Config >System >Admin. 2. Select Lockout Policy on the menu bar. 3. Select Enable Administrator lockout Feature. 4. Optionally, change lockout settings. (For descriptions, see Table21 on page685.) 5. Click OK. TABLE 21 Admin Lockout Parameters Parameter Description Default Feature state Controls whether admin accounts can be locked. Disabled Threshold Number of failed login attempts allowed for an admin account before it is locked. 5 Reset time Number of minutes the AX device remembers a failed login attempt. For an account to be locked, greater than the number of failed login attempts specified by the threshold must occur within the reset time. 10 minutes Duration Number of minutes a locked account remains locked. To keep accounts locked until you or another authorized administrator unlocks them, set the value to 0. 10 minutes 686 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide To view lockout status or manually unlock a locked account: 1. Select Monitor >System >Admin. 2. Select the admin account. 3. Click Unlock. USING THE CLI 1. Log on through the CLI and access the global configuration level. 2. Optionally, enter the following commands to change lockout settings: admin lockout threshold number admin lockout duration minutes admin lockout reset-time minutes (For descriptions, see Table21 on page685.) 3. Use the following command to enable admin lockout: admin lockout enable To view lockout status or manually unlock a locked account: 1. Log on through the CLI and access the global configuration level. 2. Enter the following command to view the lockout status of an admin account: show admin admin-username detail 3. Enter the following command to access the configuration level for the admin account: admin admin-username 4. Use the following command to unlock the account: unlock P e r f o r m a n c e b y D e s i g n 687 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Securing Admin Access by Ethernet Securing Admin Access by Ethernet By default, certain types of management access through the AX devices Ethernet interfaces are blocked. Table22 lists the default settings for each management service. You can enable or disable management access, for individual access types and interfaces. You also can use an Access Control List (ACL) to permit or deny management access through the interface by specific hosts or subnets. To set management access through Ethernet interfaces, use either of the fol- lowing methods. Notes Regarding Use of ACLs If you use an ACL to secure management access, the action in the ACL rule that matches the management traffics source address is used to permit or deny access, regardless of other management access settings. For example, if you disable Telnet access to a data interface, but you also enable access to the interface using an ACL with permit rules, the ACL per- mits Telnet (and all other) access to the interface, for traffic that matches the permit rules in the ACL. If you want certain types of management access to be disabled on an inter- face, do not use a permit ACL to control management access to the inter- face. Each ACL has an implicit deny any any rule at the end. If the management traffics source address does not match a permit rule in the ACL, the implicit deny any any rule is used to deny access. On data interfaces, you can disable or enable access to specific services and also use an ACL to control access. However, on the management interface, TABLE 22 Default Management Access Management Service Ethernet Management Interface Ethernet and VE Data Interfaces SSH Enabled Disabled Telnet Disabled Disabled HTTP Enabled Disabled HTTPS Enabled Disabled SNMP Enabled Disabled Ping Enabled Enabled 688 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide you can disable or enable access to specific services or control access using an ACL, but you can not do both. USING THE GUI To change management access settings for interfaces: 1. Select Config >System >Access Control. 2. For each interface (each row), select or de-select the checkboxes for the access types. 3. To use an ACL to control access, select the ACL from the ACL drop- down list in the row for the interface. 4. After selecting the settings for all the interfaces, click OK. To reset the access settings to the defaults listed in Table22, click Reset to Default. USING THE CLI Disabling Management Access To disable management access, use either of the following commands at the global configuration level of the CLI: disable-management service {all | ssh | telnet | http | https | snmp | ping} {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]} or disable-management service acl acl-num {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]} In both commands, the following options specify the interfaces to protect: management The out-of-band Ethernet management interface (MGMT) ve ve-num [to ve-num] A VE data interface or range of VE data inter- faces ethernet port-num [to port-num] An Ethernet data interface or range of Ethernet data interfaces In the first command, the following options specify the type of management access you are configuring: P e r f o r m a n c e b y D e s i g n 689 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Securing Admin Access by Ethernet all Disables access to all the management services listed below. ssh Disables SSH access to the CLI. telnet Disables Telnet access to the CLI. http Disables HTTP access to the management GUI. https Disables HTTPS access to the management GUI. snmp Disables SNMP access to the AX devices SNMP agent. ping Disables ping replies from AX interfaces. This option does not affect the AX devices ability to ping other devices. Note: Disabling ping replies from being sent by the AX device does not affect the devices ability to ping other devices. In the second command, the acl acl-id option specifies an ACL. Manage- ment access from any host address that matches the ACL is either permitted or denied, depending on the action (permit or deny) used in the ACL. CLI Examples: The following command disables HTTP access to the out-of-band manage- ment interface: AX( conf i g) #disable-management service http management You may l ose connect i on by di sabl i ng t he ht t p ser vi ce. Cont i nue? [ yes/ no] : yes Enabling Management Access To enable management access, use either of the following commands at the global configuration level of the CLI: enable-management service {all | ssh | telnet | http | https | snmp | ping} {management | ethernet port-num [ to port-num] | ve ve-num [ to ve-num] } or enable-management service acl acl-num {management | ethernet port-num [ to port-num] | ve ve-num [ to ve-num] } The options are the same as those for the disable-management command. 690 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide CLI Example: The following command enables Telnet access to data interface 6: AX( conf i g) #enable-management service telnet ethernet 6 Displaying the Current Management Access Settings To display the management access settings that are currently in effect, enter the following command at any level of the CLI: show management CLI EXAMPLES Here is an example for an AX device that has 10 Ethernet data ports. In this example, all the access settings are set to their default values. AX#show management PI NG SSH Tel net HTTP HTTPS SNMP ACL - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - mgmt on on of f on on on - 1 on of f of f of f of f of f - 2 on of f of f of f of f of f - 3 on of f of f of f of f of f - 4 on of f of f of f of f of f - 5 on of f of f of f of f of f - 6 on of f of f of f of f of f - 7 on of f of f of f of f of f - 9 on of f of f of f of f of f - 10 on of f of f of f of f of f - ve1 on of f of f of f of f of f - P e r f o r m a n c e b y D e s i g n 691 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Changing Web Access Settings Here is an example after entering the commands used in the configuration examples above. AX#show management PI NG SSH Tel net HTTP HTTPS SNMP ACL - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - mgmt on on of f of f on on - 1 on of f of f of f of f of f 1 2 on of f of f of f of f of f 1 3 on of f of f of f of f of f 1 4 on of f of f of f of f of f 1 5 on of f of f of f of f of f 1 6 on of f on of f of f of f 1 7 on of f of f of f of f of f 1 9 on of f of f of f of f of f 1 10 on of f of f of f of f of f 1 ve1 on of f of f of f of f of f - Regaining Access if You Accidentally Block All Access If you disable the type of access you are using on the interface you are using at the time you enter a disable-management command, your management session will end. If you accidentally lock yourself out of the device alto- gether (for example, if you use the all option for all interfaces), you can still access the CLI by connecting a PC to the AX devices serial port. Changing Web Access Settings By default, access to the AX management GUI is enabled and is secure. A valid admin username and password are required to log in. Table23 lists the default settings for Web access. TABLE 23 Default Web Access Settings Parameter Description Default Auto-redirect Automatically redirects requests for the unse- cured port (HTTP) to the secure port (HTTPS). Enabled HTTP server HTTP server on the AX device. Enabled HTTP port Protocol port number for the unsecured (HTTP) port. 80 HTTPS server HTTPS server on the AX device. Enabled 692 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Note: If you disable HTTP or HTTPS access, any sessions on the management GUI are immediately terminated. USING THE GUI 1. Select Config >System >Settings. 2. On the menu bar, select Web. 3. Edit the settings you want to change. 4. Click OK. Note: The Preference section sets the default IP address type (IPv4 or IPv6) for GUI configuration fields that require an IP address. The Preference sec- tion does not affect access to the GUI itself. HTTPS port Protocol port number for the secure (HTTPS) port. 443 Timeout Number of minutes a Web management ses- sion can remain idle before it times out and is terminated by the AX device. Range: 0-60 minutes To disable the timeout, specify 0. Default: 10 minutes aXAPI Timeout Number of minutes an aXAPI session can remain idle before being terminated. Once the aXAPI session is terminated, the session ID generated by the AX device for the session is no longer valid. Note: For information about aXAPI, see the AX Series aXAPI Reference. 0-60 min- utes. f you specify 0, sessions never time out. Default: 10 minutes TABLE 23 Default Web Access Settings (Continued) Parameter Description Default P e r f o r m a n c e b y D e s i g n 693 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Changing Web Access Settings USING THE CLI At the global configuration level of the CLI, use the following command: [ no] web-service { axapi-timeout-policy idle minutes | auto-redir | port protocol-port | secure-port protocol-port | server | secure-server | timeout-policy idle minutes } To view Web access settings, use the following command: show web-service CLI EXAMPLE The following command disables management access on HTTP and verifies the change: AX( conf i g) #no web-service server AX( conf i g) #show web-service AX Web ser ver : I dl e t i me: 10 mi nut es Ht t p por t : 80 Ht t ps por t : 443 Aut o r edi r ect : Enabl ed Ht t ps: Enabl ed Ht t p: Di sabl ed 694 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access You can configure the AX device to use remote servers for Authentication, Authorization, and Accounting (AAA) for admin sessions. The AX device supports RADIUS and TACACS+servers. Authentication Authentication grants or denies access based on the credentials presented by the person who is attempting access. Authentication for management access to the AX device grants or denies access based on the admin username and password. By default, when someone attempts to log into the AX device, the device checks its local admin database for the username and password entered by the person attempting to gain access. Without additional configuration, the authentication process stops at this point. If the admin username and password are in the local database, the person is granted access. Otherwise, they are denied. You can configure the AX device to also use external RADIUS or TACACS+servers for authentication. You can use TACACS+or RADIUS for external authentication. Only one external authentication method can be used. Authentication Process You can specify whether to check the local database or the remote server first. Figure177 and Figure178 show the authentication processes used if the AX device is configured to check RADIUS or TACACS+before check- ing the local database. P e r f o r m a n c e b y D e s i g n 695 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access FIGURE 177 Authentication Process When Remote Authentication Is First (2 remote servers configured) Example shown is for RADIUS 696 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide FIGURE 178 Authentication Process When Remote Authentication Is First (1 remote server configured) Example shown is for TACACS+ Local Authentication Type Always Required The local database must be included as one of the authentication sources, regardless of the order is which the sources are used. Authentication using only a remote server is not supported. If the same username is configured in the local database and on the remote server but the passwords do not match, the order in which the authentication sources are used determines whether the admin is granted access. Figure179 shows an example. P e r f o r m a n c e b y D e s i g n 697 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access FIGURE 179 Authentication Process When Username and Password On Server Do Not Match the Local Database Username admin Always Authenticated Locally Unlike other admin accounts, the username admin has Root privileges. To ensure against accidental lockout from the AX device, admin is always authenticated using the local database only, regardless of the authentication order used for other admin usernames. 698 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Authorization for GUI Access Admins who log in through the GUI and who are authenticated by a RADIUS or TACACS+server, can be authorized for either read-only or read-write access in the GUI: If authorization is set on the RADIUS server, that setting is used. The setting can be read-only or read-write. If authorization is set on the TACACS+server, the command level set on the server determines whether the admin is granted read-only or read- write access: If the command level is 14 or 15, the admin is granted read-write access in the GUI. If the command level is 0-13, the admin is granted read-only access in the GUI. Note: Also see RADIUS Authorization Based on Service-Type on page700. Note: This authorization process does not apply to admins who log in through the CLI. (See Authorization for CLI Access on page698.) Authorization for CLI Access You can configure the AX device to use external RADIUS or TACACS+ servers to authorize commands entered by admins who log in using the CLI. Following successful Authentication, the authenticated party is granted access to specific system resources by Authorization. For an AX admin, authorization specifies the CLI levels they can access. RADIUS CLI Authorization To configure RADIUS CLI Authorization, use the following settings on the RADIUS server: VALUE A10- Admi n- Pr i vi l ege Read- onl y- Admi n 1 VALUE A10- Admi n- Pr i vi l ege Read- wr i t e- Admi n 2 The first line grants access to the User EXEC level and Privileged EXEC level. The admins CLI session begins at the User EXEC level. The admin can access the Privileged EXEC level, without entering an enable password. Access to the configuration level is not allowed. P e r f o r m a n c e b y D e s i g n 699 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access l ogi n as: admin3 Usi ng keyboar d- i nt er act i ve aut hent i cat i on. Passwor d: ******** Last l ogi n: Fr i Mar 26 20: 03: 39 2010 f r om192. 168. 1. 140 [ t ype ? f or hel p] AX>enable AX# The second line grants access to all levels. The admins CLI session begins at the Privileged EXEC level. l ogi n as: admin4 Usi ng keyboar d- i nt er act i ve aut hent i cat i on. Passwor d: ******** Last l ogi n: Fr i Mar 26 20: 03: 39 2010 f r om192. 168. 1. 140 [ t ype ? f or hel p] AX# Note: Also see RADIUS Authorization Based on Service-Type on page700. TACACS+CLI Authorization To configure TACACS+CLI Authorization: Configure the TACACS+server to authorize or deny execution of spe- cific commands or command groups. Configure the AX device to send commands to the TACACS+server for authorization before executing those commands. Note: This authorization process does not apply to admins who log in through the GUI. (See Authorization for GUI Access on page698.) CLI Access Levels You can use TACACS+to authorize an admin to execute commands at one of the following CLI access levels: 15(admin) This is the most extensive level of authorization. Com- mands at all CLI levels, including those used to configure admin accounts, are sent to TACACS+for authorization. 700 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide 14(config) Commands at all CLI levels except those used to configure admin accounts are sent to TACACS+for authorization. Commands for configuring admin accounts are automatically allowed. 1(priv EXEC) Commands at the Privileged EXEC and User EXEC levels are sent to TACACS+for authorization. Commands at other lev- els are automatically allowed. 0 (user EXEC) Commands at the User EXEC level are sent to TACACS+for authorization. Commands at other levels are automati- cally allowed. Access levels 1-15 grant access to the Privileged EXEC level or higher, without challenging the admin for the enable password. Access level 0 grants access to the User EXEC level only. Note: Command levels 2-13 are equivalent to command level 1. Caution: The most secure option is 15(admin). If you select a lower option, for example, 1(priv EXEC), make sure to configure the TACACS+ server to deny any unmatched commands (commands that are not explicitly allowed by the server). Otherwise, unmatched commands, including commands at higher levels, will automatically be authorized to exe- cute. TACACS+ Authorization Debug Options You can enable the following TACACS+debug levels for troubleshooting: 0x1 Common system events such as trying to connect with TACACS+servers and getting response from TACACS+servers. These events are recorded in the syslog. 0x2 Packet fields sent out and received by the AX Series device, not including the length fields. These events are written to the terminal. 0x4 Length fields of the TACACS+packets will also be displayed on the terminal. 0x8 Information about TACACS+MD5 encryption will be sent to the syslog. RADIUS Authorization Based on Service-Type AX Release 2.4.3-P2 provides support for the RADIUS Service-Type attri- bute. The following values are supported: Ser vi ce- Type=Logi n Allows access to the EXEC level of the CLI (AX>), and read-only access to the GUI P e r f o r m a n c e b y D e s i g n 701 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access Ser vi ce- Type=NAS Pr ompt Allows access to the Privileged EXEC level of the CLI (AX#), and read-only access to the GUI Ser vi ce- Type=Admi ni st r at i ve Allows access to the con- figuration level of the CLI [AX( conf i g) #], and read-write access to the GUI By default, if the Service-Type attribute is not used, or the A10 vendor attri- bute is not used, successfully authenticated admins are authorized for read- only access. AX Release 2.4.3-P2 allows you to change the default privilege authorized by RADIUS from read-only to read-write. To change the default access level authorized by RADIUS, use the following command at the global configuration level of the CLI: [ no] radius-server default-privilege-read-write Accounting You can configure the AX device to use external RADIUS or TACACS+ servers for Accounting. Accounting keeps track of user activities while the user is logged on. For AX admins, you can configure Accounting for the following: Login/logoff activity (start/stop accounting) Commands Command Accounting (TACACS+only) You can use TACACS+servers to track attempts to execute commands at one of the following CLI access levels: 15(admin) This is the most extensive level of accounting. Commands at all CLI levels, including those used to configure admin accounts, are tracked. 14(config) Commands at all CLI levels except those used to configure admin accounts are tracked. Commands for configuring admin accounts are not tracked. 1(priv EXEC) Commands at the Privileged EXEC and User EXEC levels are tracked. Commands at other levels are not tracked. 0 (user EXEC) Commands at the User EXEC level are tracked. Com- mands at other levels are not tracked. Note: Command levels 2-13 are equivalent to command level 1. 702 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide TACACS+Accounting Debug Options The same debug levels that are available for TACACS+Authorization are also available for TACACS+Accounting. (See TACACS+Authorization Debug Options on page700.) Configuring AAA for Admin Access To configure AAA for admin access: 1. Prepare the AAA servers: Add admin accounts (usernames and passwords). Add the AX device as a client. For the client IP address, specify the AX IP address. For authorization, configure the following settings for the admin accounts: If using TACACS+, specify the CLI commands or command groups that are to be allowed or denied execution. If using RADIUS, specify the access level for the GUI (read- write or read-only). 2. To use RADIUS or TACACS+for Authentication: a. Add the RADIUS or TACACS+server(s) to the AX device. b. Add RADIUS or TACACS+as an authentication method to use along with the local database. 3. Configure Authorization: a. Add the TACACS+or RADIUS servers, if not already added for authentication. b. Specify the access level: If using TACACS+, specify the CLI command levels to be authorized. If using RADIUS, specify the GUI access to be authorized. 4. Configure Accounting: a. Add the TACACS+or RADIUS servers, if not already added for Authorization. b. Specify whether to track logon/logoff activity. You can track both logons and logoffs, logoffs only, or neither. c. Optionally, is using TACACS+, specify the command levels to track. P e r f o r m a n c e b y D e s i g n 703 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access Configuring Authentication To configure remote authentication, use either of the following methods. USING THE GUI 1. Select Config >System >Admin. 2. On the menu bar, select one of the following options: External Authentication >RADIUS External Authentication >TACACS+ 3. To add the primary server, click Server 1 to display the configuration fields for the server. 4. Enter the hostname or IP address of the server in the Hostname field. 5. In the Secret and Confirm Secret fields, enter the shared secret (pass- word) expected by the server when it receives requests. 6. To add a backup server to use if the primary server can not be reached, click Server 2 and enter the configuration information for the server. 7. Click OK. USING THE CLI Note: The command syntax shown in this section is simplified to show the required or more frequently used options. For complete syntax informa- tion, see the AX Series CLI Reference. 1. Use one of the following commands at the global configuration level of the CLI to add the primary server: [ no] radius-server host {hostname | ipaddr} secret secret-string [ no] tacacs-server host {hostname | ipaddr} secret secret-string The secret-string is the shared secret (password) expected by the server when it receives requests. 2. To add a backup server to use if the primary server can not be reached, repeat the command, using the backup servers information. 704 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide 3. Use one of the following commands to specify the order in which to use the authentication methods: [ no] authentication type { local [ radius | tacplus] | [ radius | tacplus] local } (For more information, see Authentication Process on page694.) Configuring Authorization Note: The command syntax shown in this section is simplified to show the required or more frequently used options. For complete syntax informa- tion, see the AX Series CLI Reference. Note: The configuration options described in this section are available only in the CLI. 1. Add the RADIUS or TACACS+server(s), if not already added. [ no] tacacs-server host {hostname | ipaddr} secret secret-string [ no] radius-server host {hostname | ipaddr} secret secret-string 2. Optionally, if using TACACS+, specify the command levels the TACACS+server will be used to authorize: authorization commands cmd-level method tacplus [ none] The cmd-level can be one of the following: 15, 14, 1, or 0. The none option allows a command to execute if Authorization cannot be performed (for example, if all TACACS+servers are down). (For descriptions, see Authorization for CLI Access on page698.) Note: If using RADIUS, you can set the GUI access levels on the RADIUS server itself. See Authorization for GUI Access on page698. 3. Optionally, if using TACACS+, enable Authorization debugging: authorization debug debug-level The debug-level can be one of the following: 0x1, 0x2, 0x4, or 0x8. (See TACACS+Authorization Debug Options on page700.) P e r f o r m a n c e b y D e s i g n 705 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access Configuring Accounting Note: The command syntax shown in this section is simplified to show the required or more frequently used options. For complete syntax informa- tion, see the AX Series CLI Reference. Note: The configuration options described in this section are available only in the CLI. 1. Add the RADIUS or TACACS+server(s), if not already added. [ no] tacacs-server host {hostname | ipaddr} secret secret-string [ no] radius-server host {hostname | ipaddr} secret secret-string 2. To configure Accounting for logon/logoff activity, use the following command: [ no] accounting exec {start-stop | stop-only} {radius | tacplus} 3. Optionally, if using TACACS+, configure accounting for command exe- cution: accounting commands cmd-level stop-only tacplus 4. Optionally, if using TACACS+, enable Accounting debugging: accounting debug debug-level CLI EXAMPLES RADIUS Authentication The following commands configure a pair of RADIUS servers and config- ure the AX device to use them first, before using the local database. Since 10.10.10.12 is added first, this server will be used as the primary server. Server 10.10.10.13 will be used only if the primary server is unavailable. AX( conf i g) #radius-server host 10.10.10.12 secret radp1 AX( conf i g) #radius-server host 10.10.10.13 secret radp2 AX( conf i g) #authentication type radius local TACACS+ Authorization The following commands configure the AX device to use TACACS+server 10.10.10.13 to authorize commands at all CLI levels. In this example, the none option is not used. As a result, if TACACS+authorization cannot be 706 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide performed (for example, due to server unavailability), the command is denied. AX( conf i g) #tacacs-server host 10.10.10.13 secret SharedSecret AX( conf i g) #authorization commands 15 method tacplus TACACS+ Accounting The following commands configure the AX device to use the same TACACS+server for accounting of logon/logoff activity and of all com- mand activity: AX( conf i g) #accounting exec start-stop tacplus AX( conf i g) #accounting commands 15 stop-only tacplus EXAMPLE INCLUDING RADIUS SERVER SETUP This example shows the AX commands to configure an AX device to use a RADIUS server, and also shows the changes to make on the RADIUS server itself. The RADIUS server in this example is freeRADIUS. The IP address is 192.168.1.157, and the shared secret is a10rad. To implement the solution, the following steps are required: 1. On the AX device: a. Add the RADIUS server. b. Enable RADIUS authentication. 2. On the freeRADIUS server: a. In the clients.conf file, add the AX device as a client. b. Add a dictionary file for vendor a10networks, and add the file to the dictionary. c. In the users file, add each AX admin as a user. Configuration on the AX Device Enter the following commands at the global configuration level of the CLI: AX( conf i g) #radius-server host 192.168.1.157 secret a10rad AX( conf i g) #authentication type local radius P e r f o r m a n c e b y D e s i g n 707 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access Configuration on the freeRADIUS Server Changes in clients.conf File The AX device is added to the clients.conf file as a RADIUS client: vi /usr/local/etc/raddb/clients.conf cl i ent 192. 168. 1. 0/ 24 { secr et = a10r ad shor t name = pr i vat e- net wor k- 1 } Note: In this example, the AX devices subnet is added as the client. Creation of dictionary.a10networks File In the dictionary file, specify the following: Vendor name A10-Networks Vendor code 22610 After authenticating an admin, the RADIUS server must return the A10-Admin-Privilege attribute, with one of the following values: Read-only-Admin The admin can access User EXEC and Privileged EXEC commands only. These are commands at the >and #prompts. Read-write-Admin The admin can access User EXEC, Privileged EXEC, and configuration commands. These are commands at the >, #, (config)#and sub-config prompts. vi /usr/local/share/freeradius/dictionary.a10networks # # The Fr eeRADI US Vendor - Speci f i c di ct i onar y. # # Ver si on: $I d: di ct i onar y. a10net wor ks, v 1. 4 2009/ 05/ 05 11: 03: 56 a10user Exp $ # # For a compl et e l i st of Pr i vat e Ent er pr i se Codes, see: # # ht t p: / / www. i si . edu/ i n- not es/ i ana/ assi gnment s/ ent er pr i se- number s # VENDOR A10- Net wor ks 22610 708 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide BEGI N- VENDOR A10- Net wor ks ATTRI BUTE A10- App- Name 1 St r i ng ATTRI BUTE A10- Admi n- Pr i vi l ege 2 i nt eger VALUE A10- Admi n- Pr i vi l ege Read- onl y- Admi n 1 VALUE A10- Admi n- Pr i vi l ege Read- wr i t e- Admi n 2 ATTRI BUTE A10- Si ngl e- 1 51 St r i ng ATTRI BUTE A10- Si ngl e- 2 52 St r i ng ATTRI BUTE A10- Si ngl e- 3 53 St r i ng ATTRI BUTE A10- Si ngl e- 4 54 St r i ng ATTRI BUTE A10- Si ngl e- 5 55 St r i ng ATTRI BUTE A10- Mul t i - 1 56 St r i ng ATTRI BUTE A10- Mul t i - 2 57 St r i ng ATTRI BUTE A10- Mul t i - 3 58 St r i ng ATTRI BUTE A10- Mul t i - 4 59 St r i ng ATTRI BUTE A10- Mul t i - 5 60 St r i ng END- VENDOR A10- Net wor ks vi /usr/local/share/freeradius/dictionary add $I NCLUDE di ct i onar y. a10net wor ks #new added f or a10net wor ks Changes in users File vi /usr/local/etc/raddb/users r ead Aut h- Type : = Local , User - Passwor d == " t est " A10- Admi n- Pr i vi l ege = 1 wr i t e Aut h- Type : = Local , User - Passwor d == " t est " A10- Admi n- Pr i vi l ege = 2 Configuring Windows IAS for AX RADIUS Authentication This section describes how to configure Windows Server 2003 Internet Authentication Service (IAS) for use with AX RADIUS authentication. These steps assume that IAS and Active Directory (AD) are already installed on the Windows 2003 server. P e r f o r m a n c e b y D e s i g n 709 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access Procedure Overview To configure Windows IAS for AX RADIUS authentication: 1. On the IAS server, create the following access groups: AX-Admin-Read-Only AX-Admin-Read-Write 2. On the IAS server, configure a RADIUS client for the AX device. 3. On the IAS server, configure the following remote access policies: AX-Admin-Read-Only-Policy AX-Admin-Read-Write-Policy). 4. On the IAS server, add AD users to appropriate AX device access groups, either AX-Admin-Read-Only or AX-Admin-Read-Write. 5. Register the IAS server in AD. 6. On the AX device, configure RADIUS. 7. Test the configuration by attempting to log onto the AX device with AD users added in step4. The following sections provide detailed steps for each of these tasks. Configure Access Groups 1. Select Start >All programs >Administrator tools >Active directory user and computers. If Active Directory Is Not Installed If AD is not installed on the IAS server, you can use the following steps to add the users and groups. However, the rest of this section assumes that AD will be used. 1. Open the Computer Management tool by selecting Start >Programs > Administrative Tools >Computer Management. 2. Open the System Tools and Local Users and Groups items, if they are not already open. 3. Right click on Group and select New Group. 4. Enter the following information for the first group: Group Name AX-Admin-Read-Only 710 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Group Description Read-Only Access to AX devices Members Add the members using the Add button. 5. Click Create. 6. Enter the following information for the second group: Group Name AX-Admin-Read-Write Group Description Read-Write to AX devices Members Add members as desired using the Add button 7. Click Create. 8. Click Close. Configure RADIUS Client for AX Device 1. Open Internet Authentication Service, by selecting Start >Programs > Administrative Tools >Internet Authentication Service. 2. Right-click on Client and select New Client. P e r f o r m a n c e b y D e s i g n 711 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access 3. Enter the following information in the Add Client dialog box: Friendly name Useful name for the AX device; for example, ax2000_slb1 Protocol RADIUS Note: 192.168.1.238 is the IP address of the AX device that will use the IAS server for external RADIUS authentication. 4. Click Next. 5. Enter the following information in the Add RADIUS Client dialog box: Client address IP address or domain name for the client (AX device) Client-Vendor RADIUS Standard Shared secret Secret to be shared between IAS and AX. You also will need to enter this in the RADIUS configuration on the AX device. Confirm shared secret Same as above Note: Do not select Request must contain the Message Authenticator attri- bute. AX RADIUS authentication does not support this option. 712 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide 6. Click Next. Configure Remote Access Policies 1. Open the Internet Authentication Service, if not already open. 2. To create the first remote access policy, right-click on Remote Access Policies, select New Remote Access Policy, and enter the following information: Policy Friendly name AX-Admin-Read-Only-Policy P e r f o r m a n c e b y D e s i g n 713 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access 3. Click Next. 4. In the Add Remote Access Policy dialog box, click Add. 5. In the Select Attribute dialog box, double-click Client Friendly Name. 6. In the Client-Friendly-Name dialog box, enter the friendly name used to define the AX device (for example, AX-Admin-Read-Only-Policy) and click OK. 7. In the same Add Remote Access Policy dialog box as before, click Add again. 714 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide 8. In the Select Attribute dialog box, double-click Windows-Groups. P e r f o r m a n c e b y D e s i g n 715 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access 9. In the Groups dialog box, click Add, then double-click AX-Admin- Read-Only group, Click OK to add the group, then click OK once more to confirm the groups. 716 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide 10. In the same Add Remote Access Policy dialog box as before, click Next. 11. Select Grant remote access permission, and click Next. P e r f o r m a n c e b y D e s i g n 717 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access 12. Click Edit Profile. 718 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide 13. In the Edit Dial-in Profile dialog box, select the Authentication tab. Select the type of authentication you are using: CHAP and PAP. P e r f o r m a n c e b y D e s i g n 719 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access 14. Select the Advanced tab, and click Add. 15. In the RADIUS attributes list, find and double-click the line beginning with Vendor-Specific. 720 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide 16. In the Multivalued Attribute Information dialog box, click Add and enter the following: Enter vendor code 22610 (for A10 Networks) Conforms to RADIUS RFC Yes P e r f o r m a n c e b y D e s i g n 721 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access 17. Click Configure Attribute, and enter the following information: Vendor-assigned attribute number 2 Attribute format Decimal Attribute value 1 Note: Attribute value 1 is read-only. Attribute value 2 is read-write. 18. Click OK for the Configure VSA, Vendor-Specific Attribute Informa- tion, and Multivalued Attribute Information dialog boxes. 19. Click Close in the Add Attributes dialog box. 20. Click OK in the Edit Dial-In Profile dialog box. Optionally, read the suggested help by clicking OK. 21. Click Finish in the Add Remote Access Policy dialog box. 22. To create the second Remote Access Policy, repeat the above steps with the following changes: Policy Friendly name AX-Admin-Read-Write-Policy Group to add AX-Admin-Read-Write Attribute value 2 722 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Add AD Users to AX Access Groups 1. In the Active Directory management console, add the AX access group to the user, tester1: P e r f o r m a n c e b y D e s i g n 723 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring AAA for Admin Access 2. Make sure Remote Access Permission is enabled: Register the IAS Server in Active Directory The IAS RADIUS server must be registered with AD. Otherwise, RADIUS will use compatibility mode instead of AD to authenticate users. 1. Open the IAS main window. 2. Click Action on the menu bar, and click register server on active direc- tory. 724 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configure RADIUS in the AX Device Add the RADIUS server (IAS server) to the AX device. Make sure the shared secret is the same as the one specified for the RADIUS client config- ured for the AX server on the IAS server. AX( conf i g) #radius server 192.168.230.10 secret shared-secret AX( conf i g) #authentication type local radius Note: 192.168.230.10 is the IP address of w2003-10.com, and shared-secret is the secret entered in the step5 in Configure RADIUS Client for AX Device on page710. Test the Configuration 1. Access the AX CLI command prompt. 2. Enter the login name, in the following format: user-name@AD-domain-name In this example, use tester1@w2003-10.com. 3. Enter the password. 4. Press Enter. P e r f o r m a n c e b y D e s i g n 725 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide DDoS Protection Traffic Security Features AX Series devices support the following advanced security features: DDoS protection SYN Cookies ICMP rate limiting Source-IP based connection rate limiting DNS security Access Control Lists (ACLs) Policy-based SLB (PBSLB) Geo-location-based access control for virtual IPs (VIPs) The following sections describe these features and show how to configure them. Note: IP limiting provides a more robust version of the source-IP based connec- tion rate limiting feature. For information, see IP Limiting on page787. DDoS Protection AX Series devices provide enhanced protection against distributed denial- of-service (DDoS) attacks, with IP anomaly filters. The IP anomaly filters drop packets that contain common signatures of DDoS attacks. Note: On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, DDoS protection is hardware-based. On other models, DDoS protection is software-based. DDoS detection applies only to Layer 3, Layer 4, and Layer 7 traffic. Layer 2 traffic is not affected by the feature. All IP anomaly filters except IP-option apply to IPv4 and IPv6. The IP-option filter applies only to IPv4. You can enable the following DDoS filters. All filters are supported for IPv4. All filters except IP-option are supported for IPv6. 726 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide DDoS Protection Frag Drops all IP fragments, which can be used to attack hosts running IP stacks that have known vulnerabilities in their fragment reassembly code IP-option Drops all packets that contain any IP options Land-attack Drops spoofed SYN packets containing the same IP address as the source and destination, which can be used to launch an IP land attack Ping-of-death Drops all jumbo IP packets, known as ping of death packets Note: On models AX 1000, AX 2000, AX 2100, AX 2500, AX 2600, and AX 3000, the ping-of-death option drops all IP packets longer than 32000 bytes. On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, the option drops IP packets longer than 65535 bytes. TCP-no-flag Drops all TCP packets that do not have any TCP flags set TCP-SYN-FIN Drops all TCP packets in which both the SYN and FIN flags are set TCP-SYN-frag Drops incomplete (fragmented) TCP Syn packets, which can be used to launch TCP Syn flood attacks IP Anomaly Filters for System-Wide PBSLB The following IP anomaly filters are supported specifically for system-wide PBSLB: Invalid HTTP or SSL payload Zero-length TCP window Out-of-sequence packet When these filters are enabled, the AX device checks for these anomalies in new HTTP or HTTPS connection requests from clients. Filtering for these anomalies is disabled by default. However, if you config- ure a system-wide PBSLB policy, the filters are automatically enabled. You also can configure the filters on an individual basis. Note: In the current release, these filters are supported only for HTTP and HTTPS traffic. (For information about system-wide PBSLB, see Configuring System- Wide PBSLB on page764.) P e r f o r m a n c e b y D e s i g n 727 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide DDoS Protection Enabling DDoS Protection To enable DDoS protection, use either of the following methods. USING THE GUI 1. Select Config >Service >SLB. 2. On the menu bar, select Global >DDoS Protection. 3. Select each type of DDoS protection filter to enable. To enable all of them, select Drop All. 4. Click OK. USING THE CLI Use the following command at the global Config level of the CLI: ip anomaly-drop {drop-all | frag | ip-option | land-attack | ping-of-death | tcp-no-flag | tcp- syn-fin | tcp-syn-frag} You can enable the following options individually or specify drop-all to enable all the options: As an example, the following command enables DDoS protection against ping-of-death attacks: AX( conf i g) #ip anomaly-drop ping-of-death Configuring IP Anomaly Filters for System-Wide PBSLB To configure the IP anomaly filters for system-wide PBSLB, use the follow- ing commands at the global configuration level of the CLI: [ no] ip anomaly-drop out-of-sequence [ threshold] [ no] ip anomaly-drop zero-window [ threshold] [ no] ip anomaly-drop bad-content [ threshold] Note: The threshold option is valid only for the new anomaly filters described in this section. The option does not apply to other IP anomaly filters. Threshold Each of these IP anomaly filters has a configurable threshold. The threshold specifies the number of times the anomaly is allowed to occur in a clients 728 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SYN Cookies connection requests. If a client exceeds the threshold, the AX device applies the system-wide PBSLB policys over-limit action to the client. The threshold can be set to 1-127 occurrences of the anomaly. The default is 10. Note: The thresholds are not tracked by PBSLB policies bound to individual virtual ports. SOCKSTRESS_CHECK Session State While the AX device is checking a data packet against the new IP anomaly filters, the clients session is in the SOCKSTRESS_CHECK state. You might see this state if you are viewing debug output for the clients session. Displaying and Clearing IP Anomaly Statistics USING THE CLI\ Select Monitor >Service >Application >Switch. USING THE CLI To display IP anomaly statistics, use the following command: show slb l4 For system-wide PBSLB, you also can use the following command: show pbslb client [ ipaddr] In the output of this command, the counters for a dynamic client are reset to 0 when a clients dynamic entry ages out. To clear all Layer 4 SLB statistics, including the IP anomaly counters, use the following command: clear slb l4 SYN Cookies AX Series devices provide enhanced protection against TCP SYN flood attacks, with SYN cookies. SYN cookies enable the AX to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegiti- mate traffic to consume system resources. P e r f o r m a n c e b y D e s i g n 729 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SYN Cookies The AX device supports SYN cookies for Layer 4-7 SLB traffic and for Layer 2/3 traffic. Layer 4-7 SYN cookies protect against TCP SYN flood attacks directed at SLB service ports. Layer 2/3 SYN cookies protect against TCP SYN flood attacks attempted in traffic passing through the AX device. The Service Provided By SYN Cookies SYN cookies enable the AX device to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to con- sume system resources. During a TCP SYN flood attack, an attacker sends a large series of TCP SYN Requests but does not acknowledge the SYN ACKs that the AX sends in reply. Normally, these half-completed connections can eventually cause the AX device's TCP connection queue to become full, which prevents the AX from establishing new connections for legitimate clients. When SYN cookies are enabled, the feature prevents the AX devices TCP connection queue from filling up during TCP SYN flood attacks. Instead of leaving a half-completed TCP connection in the queue, the AX replies to each SYN Request with a SYN cookie, which is a special type of SYN ACK, and does not leave a connection in the queue. If the SYN Request is from a legitimate client, the client sends an ACK in response to the SYN cookie. The AX reconstructs the clients connection information based on information in the SYN ACK, and establishes a connection for the client. However, if the SYN Request is part of an attack, the attacker does not send an ACK, and the AX therefore does not establish a connection. Dynamic SYN Cookies You can configure the on and off thresholds for SYN cookie use by the AX device. The benefit of this feature is that when there is no TCP SYN attack, TCP options are preserved. You can configure the following dynamic SYN cookie options: On-threshold specifies the maximum number of concurrent half- open TCP connections allowed on the AX device, before SYN cookies are enabled. If the number of half-open TCP connections exceeds the on-threshold, the AX device enables SYN cookies. You can specify 0-2147483647 half-open connections. Off-threshold option specifies the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. If the number of half-open TCP connections falls below this level, SYN cookies are disabled. You can specify 0-2147483647 half- open connections. 730 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SYN Cookies Hardware-based SYN cookies are disabled by default. When the feature is enabled, there are no default settings for the on and off thresholds. If you omit the on-threshold and off-threshold options, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the AX device. Note: It may take up to 10 milliseconds for the AX device to detect and respond to crossover of either threshold. Hardware-Based or Software-Based Depending on the AX model, you can use hardware-based SYN cookies or software-based SYN cookies: Hardware-based SYN cookies can be globally enabled and apply to all virtual server ports configured on the device. Hardware-based SYN cookies are available on the AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. Software-based SYN cookies can be enabled on individual virtual ports. This version of the feature is available on all AX models. Note: Hardware-based SYN cookies are a faster, easier-to-configure alternative to the software-based SYN cookie feature available on all AX platforms. If your AX model supports hardware-based SYN cookies, A10 Networks recommends that you use the hardware-based version of the feature instead of the software-based version of the feature. If both hardware-based and software-based SYN cookies are enabled, only hardware-based SYN cookies are used. You can leave software- based SYN cookies enabled but they are not used. Note: If the target VIP is in a different subnet from the client-side router, use of hardware-based SYN cookies requires some additional configuration. See Configuration when Target VIP and Client-side Router Are in Different Subnets on page731. Enabling Hardware-Based SYN Cookies To enable hardware-based SYN cookies, use following CLI method. USING THE GUI 1. Select Config >Service >SLB. 2. On the menu bar, select Global >Settings. P e r f o r m a n c e b y D e s i g n 731 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SYN Cookies 3. Select Enabled next to SYN Cookie. 4. In the On Threshold field, enter the maximum number of concurrent half-open TCP connections allowed on the AX device, before SYN cookies are enabled. 5. In the Off Threshold field, enter the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. 6. Click OK. USING THE CLI To enable hardware-based SYN cookies, use the following command at the global Config level of the CLI: [ no] syn-cookie [ on-threshold num off-threshold num] The command in the following example enables dynamic-based SYN cook- ies when the number of concurrent half-open TCP connections exceeds 50000, and disables SYN cookies when the number falls below 30000: AX( conf i g) #syn-cookie on-threshold 50000 off-threshold 30000 Configuration when Target VIP and Client-side Router Are in Different Subnets Usually, the target VIP in an SLB configuration is in the same subnet as the client-side router. However, if the target VIP is in a different subnet from the client-side router, use of hardware-based SYN cookies requires some addi- tional configuration: On the AX device, configure a dummy VIP that is in the same subnet as the client-side router. On the client-side router, configure a static route to the VIP, using the dummy VIP as the next hop. Figure180 shows an example. 732 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SYN Cookies FIGURE 180 Hardware-based SYN Cookies Target VIP and Client-side Router in Different Subnets The following commands configure hardware-based SYN cookies on the AX device in this example: AX( conf i g) #slb virtual-server dummyvip 10.10.10.154 AX( conf i g- sl b vi r t ual ser ver ) #exit AX( conf i g) #syn-cookie Note: If HA is configured, add both the target VIP and the dummy VIP to the same HA group, so they will fail over to the HA peer as a unit. Enabling Software-Based SYN Cookies If you are using an AX model that does not support hardware-based SYN cookies, you can still enable the software-based version of the feature, for individual virtual ports. USING THE GUI 1. Select Config>Service >Server. 2. Select Virtual Server on the menu bar. P e r f o r m a n c e b y D e s i g n 733 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide SYN Cookies 3. Click on an existing virtual server name or click Add. 4. Enter or edit the information in the General section. 5. In the Port section, select the TCP port and click Edit, or click Add. 6. If you are configuring a new port, select TCP in the Type drop-down list. 7. Select Enabled next to SYN Cookie. 8. Enter or edit other values as needed for your configuration. 9. Click OK. 10. Click OK again to save the new or changed virtual server. USING THE CLI To enable software-based SYN cookies, use the following command at the configuration level for the virtual port on the virtual server: syn-cookie [ sack] For information about the sack feature, see the AX Series CLI Reference. Configuring Layer 2/3 SYN Cookie Support To configure Layer 2/3 SYN cookie support: 1. Enable Layer 2/3 SYN cookies on individual interfaces. 2. Optionally, modify the threshold for TCP handshake completion. USING THE CLI 1. To enable Layer 2/3 SYN cookies on an interface, use the following command at the configuration level for the interface: [ no] ip tcp syn-cookie The feature is disabled by default. 2. Optionally, to modify the threshold for TCP handshake completion, use the following command at the global configuration level of the CLI: [ no] ip tcp syn-cookie threshold seconds You can specify 1-100 seconds. The default is 4 seconds. 734 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide ICMP Rate Limiting CLI Example The following commands globally enable SYN cookie support, then enable Layer 2/3 SYN cookies on Ethernet interfaces 4 and 5: AX( conf i g) #syn-cookie on-threshold 50000 off-threshold 30000 AX( conf i g) #interface ethernet 4 AX( conf i g- i f : et her net 4) #ip tcp syn-cookie AX( conf i g- i f : et her net 4) #interface ethernet 5 AX( conf i g- i f : et her net 5) #ip tcp syn-cookie ICMP Rate Limiting ICMP rate limiting protects the AX device against denial-of-service (DoS) attacks such as Smurf attacks, which consist of floods of spoofed broadcast ping messages. ICMP rate limiting monitors the rate of ICMP traffic and drops ICMP pack- ets when the configured thresholds are exceeded. You can configure ICMP rate limiting filters globally, on individual Ether- net interfaces, and in virtual server templates. If you configure ICMP rate limiting filters at more than one of these levels, all filters are applicable. ICMP Rate Limiting Parameters IMCP rate limiting filters consist of the following parameters: Normal rate The ICMP normal rate is the maximum number of ICMP packets allowed per second. If the AX device receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins. The normal rate can be 1-65535 pack- ets per second. Maximum rate The IMCP maximum rate is the maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second. Lockup time The lockup time is the number of seconds for which the AX device drops all ICMP traffic, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds. Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur. Note: The maximum rate must be larger than the normal rate. P e r f o r m a n c e b y D e s i g n 735 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide ICMP Rate Limiting USING THE GUI To globally configure ICMP rate limiting: 1. Select Config >Network >ICMP Rate Limiting. 2. Select the ICMP Rate Limiting checkbox to activate the configuration fields. 3. Enter the normal rate in the Normal Rate field. 4. Enter the maximum rate in the Lockup Rate field. 5. Enter the lockup time in the Lockup Period field. 6. Click OK. To configure ICMP rate limiting on an individual Ethernet inter- face: 1. Select Config >Network >Interface. 2. Click on the interface name to display the configuration sections for it. 3. Select the ICMP Rate Limiting checkbox to activate the configuration fields. 4. Enter the normal rate in the Normal Rate field. 5. Enter the maximum rate in the Lockup Rate field. 6. Enter the lockup time in the Lockup Period field. 7. Click OK. To configure ICMP rate limiting in a virtual server template: 1. Select Config >Service >SLB. 2. On the menu bar, select Template >Virtual Server. 3. To edit an existing template, click on the template name. To create a new template, click Add. The Virtual Server section appears. 4. Select the ICMP Rate Limit Status checkbox to enable the configuration fields. 5. Enter the normal rate in the Normal Rate field. 736 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Source-IP Based Connection Rate Limiting 6. To configure the lockup time, click Lockup Status. 7. Enter the maximum rate in the Lockup Rate field. 8. Enter the lockup time in the Lockup Period field. 9. Click OK. USING THE CLI To configure an ICMP rate-limiting filter, use the following command. You can enter this command at the global configuration level, the configuration level for a physical or virtual Ethernet interface, or the configuration level for a virtual server template. [ no] icmp-rate-limit normal-rate lockup max-rate lockup-time For descriptions of the parameters, see ICMP Rate Limiting Parameters on page734. To display ICMP rate limiting information, use the following commands: show icmp show interfaces show slb virtual-server server-name detail CLI Example The following commands configure a virtual server template that sets ICMP rate limiting: AX( conf i g) #slb template virtual-server vip-tmplt AX( conf i g- vser ver ) #icmp-rate-limit 25000 lock 30000 60 Source-IP Based Connection Rate Limiting Source-IP based connection rate limiting protects the system from excessive connection requests from individual clients. This feature can be enabled on a global basis. The feature applies only to SLB virtual ports. Note: IP limiting provides a more robust version of the source-IP based connec- tion rate limiting feature. For information, see IP Limiting on page787. P e r f o r m a n c e b y D e s i g n 737 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Source-IP Based Connection Rate Limiting Parameters Source-IP based connection rate limiting is configured using the following parameters: TCP or UDP Layer 4 protocol for the connections. Connection limit Maximum number of connection requests allowed from a client, within the limit period. The connection limit can be 1-1000000. Limit period Interval to which the connection limit is applied. A client is conforming to the rate limit if the number of new connection requests within the limit period does not exceed the connection limit. The limit period can be one of the following: 100 milliseconds (one tenth of a second) 1000 milliseconds (one second) Scope Specifies whether the connection limit applies separately to each virtual port, or is applied as an aggregate to all virtual ports. By default, the connection limit applies separately to each individual virtual port. (See Deployment Considerations on page738 for more informa- tion.) Exceed actions Actions to take when the connection limit is exceeded. All connection requests in excess of the connection limit that are received from a client within the limit period are dropped. This action is enabled by default when you enable the feature, and can not be disabled. You can enable one or both of the following additional exceed actions: Logging Generates a log message when a client exceeds the con- nection limit. Lockout Locks out the client for a specified number of seconds. During the lockout period, all connection requests from the client are dropped. The lockout period can be 1-3600 seconds (1 hour). There is no default. By default, logging and lockout are both disabled. Log Messages The AX device generates two log messages per offending client, per client activity. The first message is generated the first time a client exceeds the connection limit. The message indicates the source (client) address and the destination address of the session. If lockout is configured, the message also indicates that the client is locked out. 738 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Source-IP Based Connection Rate Limiting The second message is generated after the client activity for that period. This message indicates the number of times the client exceeded the connec- tion limit. If lockout is enabled, the message also indicates the number of requests that were dropped during lockout. Message Examples No Lockout Configured Here is an example of the pair of log messages generated by this feature for an offending client, if lockout is not configured. Mar 05 2009 14: 55: 59 Not i ce [ AX] : UDP 53. 12. 3. 82 > 51. 1. 1. 2: 53 Sour ce I P Con- nect i on r at e l i mi t dr opped t hi s packet Mar 05 2009 14: 37: 00 Not i ce [ AX] : UDP 51. 2. 1. 81 > 51. 1. 1. 2: 53 Sour ce I P exceeded Connect i on r at e l i mi t i n al l ( 8654 t i mes) In this example, the session is between client 53.12.3.82 and destination 51.1.1.2:53. During this period of activity, 8654 of the requests from the cli- ent were sent after a connection limit had been exceeded, and were dropped. Message Examples With Lockout Configured Here is an example of how the messages look if lockout is configured. Mar 05 2009 14: 34: 57 Not i ce [ AX] : UDP 53. 12. 3. 82 > 51. 1. 1. 2: 53 Sour ce I P Con- nect i on r at e l i mi t dr opped t hi s packet ( l ocked out ) Mar 05 2009 14: 37: 00 Not i ce [ AX] : UDP 51. 2. 1. 81 > 51. 1. 1. 2: 53 Sour ce I P exceeded Connect i on r at e l i mi t i n al l ( 897 t i mes, 2342 t i mes i n l ockout ) In this example, the session is between the same client and destination as the previous example. During this period of activity, 897 of the requests from the client were sent after a connection limit had been exceeded, and were dropped. An additional 2342 requests were dropped because they were received during the lockout. Deployment Considerations The AX device internally uses a session to keep track of user activity. Cur- rently, the AX device has a capacity of up to 16 million sessions. Up to 8 million of these sessions are available for tracking user activity. Depending on client profile and activity, as well as the number of virtual ports configured on the device, you might need to use the shared option to apply the connection limit to all virtual ports, instead of each individual port. The default is to apply the connection limit to each individual virtual port, which uses proportionally more sessions than the shared option. P e r f o r m a n c e b y D e s i g n 739 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Source-IP Based Connection Rate Limiting Recommendation for Logging If you plan to enable logging for this feature, A10 Networks recommends using an external log server. Log traffic can be heavy during an attack. Recommendations for DNS Load Balancing If you plan to use this feature with DNS load balancing, A10 Networks rec- ommends the following: Increase the maximum number of Layer 4 sessions. To increase the maximum number of Layer 4 sessions the system can have, use the fol- lowing CLI command at the global configuration level of the CLI: system resource-usage l4-session-count num The num option specifies the number of Layer 4 sessions. Use a short UDP aging time. To set a short UDP aging time, use the fol- lowing command at the configuration level for the UDP template to which you plan to bind the DNS virtual port(s): aging short [ seconds] The seconds option specifies the number of seconds to wait before ter- minating UDP sessions. If you omit the seconds option, sessions are ter- minated after the SLB maximum session life (MSL) time expires, after a request is received and sent out to the server. (The MSL timer is a glo- bally configurable SLB option. For more information, see the AX Series CLI Reference or AX Series GUI Reference.) Configuration Note: The current release does not support configuration or monitoring of this feature using the GUI. To configure source-IP based connection rate limiting, use the following command at the global configuration level of the CLI: slb conn-rate-limit src-ip {tcp | udp} conn-limit per {100 | 1000} [ shared] [ exceed-action [ log] [ lock-out lockout-period] ] The tcp | udp option specifies the Layer 4 protocol. The conn-limit option specifies the connection limit and can be 1-1000000. 740 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Source-IP Based Connection Rate Limiting The per {100 | 1000} option specifies the limit period, either 100 millisec- onds or 1000 milliseconds. The shared option specifies that the connection limit applies in aggregate to all virtual ports. If you omit this option, the limit applies separately to each virtual port. The exceed-action options enable optional exceed actions: The log option enables logging. The lock-out lockout-period option enables lockout. The lockout period can be 1-3600 seconds (1 hour). To display statistics for this feature, use the following command: show slb conn-rate-limit src-ip statistics To clear statistics for this feature, use the following command: clear slb conn-rate-limit src-ip statistics Configuration Examples CLI Example 1 The following command allows up to 1000 TCP connection requests per one-second interval from any individual client. If a client sends more than 1000 requests within a given limit period, the client is locked out for 3 sec- onds. The limit applies separately to each individual virtual port. Logging is not enabled. AX( conf i g) #slb conn-rate-limit src-ip tcp 1000 per 1000 exceed-action lock-out 3 CLI Example 2 The following command allows up to 2000 UDP connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Log- ging is enabled but lockout is not enabled. AX( conf i g) #slb conn-rate-limit src-ip udp 2000 per 100 shared exceed-action log CLI Example 3 The following command allows up to 2000 UDP connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Log- ging is enabled and lockout is enabled. If a client sends a total of more than P e r f o r m a n c e b y D e s i g n 741 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide DNS Security 2000 requests within a given limit period, to one or more virtual ports, the client is locked out for 3 seconds. AX( conf i g) #slb conn-rate-limit src-ip udp 2000 per 100 shared exceed-action log lock-out 3 Statistics The following commands display statistics for this feature, then reset the counters to 0 and verify that they have been reset: AX( conf i g) #show slb conn-rate-limit src-ip statistics Thr eshol d check count 1022000 Honor t hr eshol d count 20532 Thr eshol d exceeded count 1001408 Lockout dr ops 60 Log messages sent 20532 DNS r equest s r e- t r ansmi t t ed 1000 No DNS r esponse f or r equest 1021000 AX( conf i g) #clear slb conn-rate-limit src-ip statistics AX( conf i g) #show slb conn-rate-limit src-ip statistics Thr eshol d check count 0 Honor t hr eshol d count 0 Thr eshol d exceeded count 0 Lockout dr ops 0 Log messages sent 0 DNS r equest s r e- t r ansmi t t ed 0 No DNS r esponse f or r equest DNS Security You can configure security for DNS VIPs. DNS security examines DNS queries addressed to a VIP to ensure that the queries are formed properly (not malformed). If a malformed DNS query is detected, the AX device takes one of the following actions, depending on the action specified in the DNS security policy: Drops the query Forwards the query to another service group This option is useful if you want to quarantine and examine the malformed queries, while still keeping them away from the DNS server. 742 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide DNS Security This feature parses DNS queries based on following RFCs: RFC 1034: Domain Names Concepts and Facilities RFC 1035: Domain Names Implementation and Specification RFC 2671 Extension Mechanisms for DNS (EDNS0) To configure DNS security for a DNS virtual port: 1. Create a DNS template and specify the DNS security action in the tem- plate. 2. Bind the DNS template to the DNS virtual port. Note: DNS templates are a new type of template in AX Release 2.4. USING THE GUI 1. Select Config >Service >Template. 2. On the menu bar, select Application >DNS. 3. Click on the template name or click Add to create a new one. 4. If creating a new template, enter the name. 5. Select Malformed Query. 6. Select the action to take for malformed queries: Drop Forward to Service group. To use this option, select the service group from the drop-down list. 7. Click OK. USING THE CLI To configure DNS security, use the following command at the global con- figuration level of the CLI: [ no] slb template dns template-name This command creates the UDP template and changes the CLI to the config- uration level for the template. Use the following command to enable DNS security and specify the action to take for malformed DNS queries: [ no] malformed-query {drop | forward service-group-name} P e r f o r m a n c e b y D e s i g n 743 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) The drop option drops malformed queries. The forward option sends the queries to the specified service group. With either option, the malformed queries are not sent to the DNS virtual port. CLI Example The following commands configure a DNS template for DNS security and bind the template to the DNS virtual port on a virtual server: AX( conf i g) #slb template dns dns-sec AX( conf i g- dns- pol i cy) #malformed-query drop AX( conf i g- dns- pol i cy) #exit AX( conf i g) #slb virtual-server dnsvip1 192.168.1.53 AX( conf i g- sl b vser ver ) #port 53 udp AX( conf i g- sl b vser ver - vpor t ) #template dns dns-sec Since the drop action is specified, malformed DNS queries sent to the vir- tual DNS server are dropped by the AX device. Access Control Lists (ACLs) You can use Access Control Lists (ACLs) to permit or deny packets based on address and protocol information in the packets. AX devices support the following types of ACLs: Standard IPv4 ACL Standard IPv4 ACLs filter based on source IPv4 address. Extended IPv4 ACL Extended IPv4 ACLs filter based on source and destination IPv4 addresses, IP protocol, and TCP/UDP port numbers. Extended IPv6 ACL Extended IPv6 ACLs filter based on source and destination IPv6 addresses, IP protocol, and TCP/UDP port numbers. How ACLs Are Used You can use ACLs for the following tasks: Permit or block through traffic. Permit or block management access. Specify the internal host or subnet addresses to which to provide Net- work Address Translation (NAT). 744 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) An ACL can contain multiple rules. Each rule contains a single permit or deny statement. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL. Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the first rule, downward). The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic. Access lists do not take effect until you apply them. To permit or block through traffic on an interface, apply the ACL to the interface. (See Applying an ACL to an Interface on page756.) To permit or block through traffic on a virtual server port, apply the ACL to the virtual port. (See Applying an ACL to a Virtual Server Port on page757.) To permit or block management access, use the ACL with the enable- management command. (See Securing Admin Access by Ethernet on page687.) To specify the internal host or subnet addresses to which to provide NAT, use the ACL when configuring the pool. (See Network Address Translation on page615.) Configuring Standard IPv4 ACLs To configure a standard IPv4 ACL, use either of the following methods. USING THE GUI 1. Select Config >Network >ACL. 2. Select Standard on the menu bar. 3. Click Add. 4. Enter or select the values to filter. (For descriptions, see the CLI syntax below.) 5. Click OK. The new ACL appears in the Standard ACL table. 6. Click OK to commit the change. P e r f o r m a n c e b y D e s i g n 745 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) USING THE CLI To configure a standard ACL, use the following command: access-list acl-num [ seq-num] {permit | deny | remark string} source-ipaddr {filter-mask | /mask-length} [ log [ transparent-session-only] ] The acl-num specifies the ACL number, from 1-99. The seq-num option specifies the sequence number of this rule in the ACL. (See Resequencing ACL Rules on page758.) The deny | permit option specifies the action to perform on traffic that matches the ACL: deny Drops the traffic. permit Allows the traffic. The remark option adds a remark to the ACL. (For more information, see Adding a Remark to an ACL on page753.) The source address to match on is specified by one of the following: any The ACL matches on all source IP addresses. host host-src-ipaddr The ACL matches only on the specified host IP address. net-src-ipaddr {filter-mask | /mask-length} The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter: Use 0 to match. Use 255 to ignore. For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255 Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify /24 instead 0.0.0.255 to filter on a 24-bit subnet. The log option configures the AX device to generate log messages when traffic matches the ACL. This option is disabled by default. The transpar- ent-session-only option limits logging for an ACL rule to creation and dele- tion of transparent sessions for traffic that matches the ACL rule. (See Transparent Session Logging on page754.) 746 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) When ACL logging is enabled, the AX device writes the log messages to the local logging buffer. If you configure an external log server, the AX device also sends the messages to the server. For more information, see Log Rate Limiting on page50. Note: If you plan to use an external log server, the server must be attached to an AX data port in order for ACL logging messages to reach the server. They will not reach the server if the server is attached to the AX management port. CLI EXAMPLE The following commands configure a standard ACL to deny traffic sent from subnet 10.10.10.x, and apply the ACL to inbound traffic received on Ethernet interface 4: AX( conf i g) #access-list 1 deny 10.10.10.0 0.0.0.255 AX( conf i g) #interface ethernet 4 AX( conf i g- i f : et her net 4) #access-list 1 in Configuring Extended IPv4 ACLs To configure an extended IPv4 ACL, use either of the following methods. USING THE GUI 1. Select Config >Network >ACL. 2. Select Extended on the menu bar. 3. Click Add. 4. Enter or select the values to filter. (For descriptions, see the CLI syntax below.) 5. Click OK. The new ACL appears in the Extended ACL table. 6. Click OK to commit the change. P e r f o r m a n c e b y D e s i g n 747 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) USING THE CLI To configure an extended ACL, use the following commands. Syntax for Filtering on Source and Destination IP Addresses [ no] access-list acl-num [ seq-num] {permit | deny | remark string} ip {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [ log [ transparent-session-only] ] The acl-num specifies the ACL number, from 100-199. The seq-num option specifies the sequence number of this rule in the ACL. (See Resequencing ACL Rules on page758.) The deny | permit option specifies the action to perform on traffic that matches the ACL: deny Drops the traffic. permit Allows the traffic. The remark option adds a remark to the ACL. (For more information, see Adding a Remark to an ACL on page753.) The source address to match on is specified by one of the following: any The ACL matches on all source IP addresses. host host-src-ipaddr The ACL matches only on the specified host IP address. net-src-ipaddr {filter-mask | /mask-length} The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter: Use 0 to match. Use 255 to ignore. For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255 748 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify /24 instead 0.0.0.255 to filter on a 24-bit subnet. The options for specifying the destination address are the same as those for specifying the source address. The log option configures the AX device to generate log messages when traffic matches the ACL. This option is disabled by default. The transpar- ent-session-only option limits logging for an ACL rule to creation and dele- tion of transparent sessions for traffic that matches the ACL rule. (See Transparent Session Logging on page754.) When ACL logging is enabled, the AX device writes the log messages to the local logging buffer. If you configure an external log server, the AX device also sends the messages to the server. For more information, see Log Rate Limiting on page50. Note: If you plan to use an external log server, the server must be attached to an AX data port in order for ACL logging messages to reach the server. They will not reach the server if the server is attached to the AX management port. Syntax for Filtering on ICMP Traffic [ no] access-list acl-num [ seq-num] {permit | deny | remark string} icmp [ type icmp-type [ code icmp-code] ] {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [ log [ transparent-session-only] ] The type and code options enable you to filter on ICMP traffic. The type type-option option matches based on the specified ICMP type. You can specify one of the following. Enter the type name or the type num- ber (for example, dest-unreachable or 3). The type-option can be one of the following: any-type Matches on any ICMP type. dest-unreachable | 3 Type 3, destination unreachable P e r f o r m a n c e b y D e s i g n 749 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) echo-reply | 0 Type 0, echo reply echo-request | 8 Type 8, echo request info-reply | 16 Type 16, information reply info-request | 15 Type 15, information request mask-reply | 18 Type 18, address mask reply mask-request | 17 Type 17, address mask request parameter-problem | 12 Type 12, parameter problem redirect | 5 Type 5, redirect message source-quench | 4 Type 4, source quench time-exceeded | 11 Type 11, time exceeded timestamp | 13 Type 13, timestamp timestamp-reply | 14 Type 14, timestamp reply type-num ICMP type number, 0-254 The code code-num option matches based on the specified ICMP code. To match on any ICMP code, specify any-code. To match on a specific ICMP code, specify the code, 0-254. Syntax for Filtering on Source and Destination IP Addresses and on TCP or UDP Protocol Port Numbers [ no] access-list acl-num [ seq-num] {permit | deny | remark string} {tcp | udp} {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} [ eq src-port | gt src-port | lt src-port | range start-src-port end-src-port] {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [ eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port] [ log [ transparent-session-only] ] 750 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) The tcp and udp options enable you to filter on protocol port numbers. Use one of the following options to specify the source port(s) on which to filter: eq src-port The ACL matches on traffic from the specified source port. gt src-port The ACL matches on traffic from any source port with a higher number than the specified port. lt src-port The ACL matches on traffic from any source port with a lower number than the specified port. range start-src-port end-src-port The ACL matches on traffic from any source port within the specified range. The same options can be used to specify the destination port(s) on which to filter. CLI EXAMPLE The following commands configure an extended IPv4 ACL to deny traffic sent from subnet 10.10.10.x to 10.10.20.5:80, and apply the ACL to inbound traffic received on Ethernet interface 7: AX( conf i g) #access-list 100 deny tcp 10.10.10.0 0.0.0.255 10.10.20.5 /32 eq 80 AX( conf i g) #interface ethernet 7 AX( conf i g- i f : et her net 7) #access-list 100 in Configuring Extended IPv6 ACLs To configure an extended IPv4 ACL, use either of the following methods. USING THE GUI 1. Select Config >Network >ACL. 2. Select IPv6 on the menu bar. 3. Click Add. 4. Enter or select the values to filter. (For descriptions, see the CLI syntax below.) 5. Click OK. The new ACL appears in the IPv6 ACL table. 6. Click OK to commit the change. P e r f o r m a n c e b y D e s i g n 751 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) USING THE CLI To configure an IPv6 ACL, use the following commands: [ no] ipv6 access-list acl-id Enter this command at the global configuration level of the CLI. The acl-id can be a string up to 16 characters long. This command changes the CLI to the configuration level for the ACL, where the following ACL-related com- mands are available. The permit | deny Command This command specifies the action to take for traffic that matches the ACL, specifies the source and destination addresses upon which to perform the action, and optionally, enables logging. [ no] [ seq-num] {permit | deny} {ipv6 | icmp} {any | host host-src-ipv6addr | net-src-ipv6addr /mask-length} {any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length} [ log [ transparent-session-only] ] or [ no] {permit | deny} {tcp | udp} {any | host host-src-ipv6addr | net-src-ipv6addr /mask-length} [ eq src-port | gt src-port | lt src-port | range start-src-port end-src-port] {any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length} [ eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port] [ log [ transparent-session-only] ] 752 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) Parameter Description seq-num Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL. deny | permit Action to take for traffic that matches the ACL. deny Drops the traffic. permit Allows the traffic. ipv6 | icmp Filters on IPv6 or ICMP packets. tcp | udp Filters on TCP or UDP packets. The tcp and udp options enable you to filter on protocol port num- bers. any | host host-src- ipv6addr | net-src- ipv6addr /mask- length Source IP address(es) to filter. any The ACL matches on all source IP addresses. host host-src-ipv6addr The ACL matches only on the specified host IPv6 address. net-src-ipv6addr /mask-length The ACL matches on any host in the specified subnet. The mask-length specifies the portion of the address to filter. eq src-port | gt src-port | lt src-port | range start- src-port end-src-port For tcp or udp, the source protocol ports to filter. eq src-port The ACL matches on traffic from the specified source port. gt src-port The ACL matches on traffic from any source port with a higher number than the specified port. lt src-port The ACL matches on traffic from any source port with a lower number than the specified port. P e r f o r m a n c e b y D e s i g n 753 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) range start-src-port end-src-port The ACL matches on traffic from any source port within the specified range. any | host host-dst- ipv6addr | net-dst- ipv6addr /mask- length Destination IP address(es) to filter. eq dst-port | gt dst-port | lt dst-port | range start- dst-port end-dst-port For tcp or udp, the destination protocol ports to filter. log [ transparent- session-only] Configures the AX device to generate log mes- sages when traffic matches the ACL. The transparent-session-only option limits log- ging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule. (See Transparent Session Logging on page754.) The remark Command The remark command adds a remark to the ACL. The remark appears at the top of the ACL when you display it in the CLI. Here is the syntax: [ no] remark string The string can be 1-63 characters. To use blank spaces in the remark, enclose the entire remark string in double quotes. Adding a Remark to an ACL You can add a remark to an ACL. The remark appears at the top of the ACL when you display it in the CLI, or next to the ACL in the ACL tables dis- played in the GUI. 754 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) Here is a CLI example: AX( conf i g) #access-list 42 permit host 192.168.1.42 AX( conf i g) #access-list 42 deny 192.168.1.0 /24 AX( conf i g) #access-list 42 remark "The meaning of life" AX( conf i g) #show access-list ipv4 42 Access Li st 42 "The meani ng of l i f e" access- l i st 42 10 per mi t host 192. 168. 1. 42 Hi t s: 0 access- l i st 42 20 deny 192. 168. 1. 0 0. 0. 0. 255 Hi t s: 0 As shown in this example, the remark appears at the top of the ACL, above the first rule. To use blank spaces in the remark, enclose the entire remark string in double quotes, as shown in the example. The ACL must already exist before you can configure a remark for it. Transparent Session Logging The transparent-session-only option limits logging for an ACL rule to cre- ation and deletion of transparent sessions for traffic that matches the ACL rule. A transparent session is a non-SLB Layer 2 or Layer 3 session that the AX device sets up for traffic that is transiting through the AX device, but is not initiated or terminated on the device. Sample Log Messages for Transparent Sessions The following sections show examples of the log messages generated for transparent sessions. IPv4 Sessions The following example shows the log messages for creation and deletion of an IPv4 transparent session: Oct 29 2009 12: 00: 55 Not i ce [ AX] : [ et h 1] TCP 200. 200. 200. 100: 32548 > 1. 1. 1. 100: 80 ACL r ul e t r anspar ent sessi on expi r ed ( ACL 150) Oct 29 2009 12: 00: 55 Not i ce [ AX] : [ et h 1] TCP 200. 200. 200. 100: 32548 > 1. 1. 1. 100: 80 ACL r ul e t r anspar ent sessi on cr eat ed ( ACL 150) The interface on which the ACL matched traffic is indicated in brackets (in this example, eth 1). The addresses are shown as src-ip:port > dst-ip:port. The ACL number or ACL name is shown at the end of the message. P e r f o r m a n c e b y D e s i g n 755 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) IPv6 Sessions For successfully created TCP or UDP sessions, a separate message is gener- ated when the session is created and when it expires: Feb 24 2010 02: 18: 27 Not i ce [ AX] : [ ve 21] UDP 2001: 10: : 100: 50213 > 2001: 7: : 40: 53 ACL r ul e t r anspar ent sessi on expi r ed ( I PV6_LI ST) Feb 24 2010 02: 18: 12 Not i ce [ AX] : [ ve 21] UDP 2001: 10: : 100: 50213 > 2001: 7: : 40: 53 ACL r ul e t r anspar ent sessi on cr eat ed ( I PV6_LI ST) Feb 24 2010 02: 15: 12 Not i ce [ AX] : [ ve 21] TCP 2001: 10: : 100: 4401 >2001: 7: : 40: 22 ACL r ul e t r anspar ent sessi on expi r ed ( I PV6_LI ST) Feb 24 2010 02: 15: 08 Not i ce [ AX] : [ ve 21] TCP 2001: 10: : 100: 4401 >2001: 7: : 40: 22 ACL r ul e t r anspar ent sessi on cr eat ed ( I PV6_LI ST) For all other types of transparent IPv6 sessions, a message is generated if the packet is forwarded: Feb 24 2010 02: 18: 07 Not i ce [ AX] : [ ve 21] I P 2001: 10: : 100 > 2001: 7: : 40 ACL r ul e per mi t t ed t hi s packet ( I PV6_LI ST) If a TCP or UDP packet is denied, a message such as the following is gener- ated: Feb 24 2010 02: 18: 07 Not i ce [ AX] : [ ve 21] TCP 2001: 10: : 100: 57373 > 2001: 7: : 40: 80 ACL r ul e t r anspar ent sessi on deni ed ( I PV6_LI ST) For all other types of transparent IPv6 sessions, a message such as the fol- lowing is generated: Feb 24 2010 02: 18: 07 Not i ce [ AX] : [ ve 21] I P 2001: 10: : 100 > 2001: 7: : 40 ACL r ul e deni ed t hi s packet ( I PV6_LI ST) Configuration To configure session filtering for transparent IPv6 sessions on an interface: 1. Configure an IPv6 ACL that uses the log transparent-session-only option. 2. Apply the ACL to the interface that receives incoming traffic for the ses- sions. 3. For the following AX models only, enable the cpu-process option on the interface that receives incoming traffic for the sessions: AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. CLI Example The following commands configure an IPv6 ACL for transparent session logging, and apply it to an IPv6 interface: 756 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) AX( conf i g) #ipv6 access-list tran_sess_log1 AX( conf i g- access- l i st : t r ans_sess_l og1) #permit tcp any any log transparent-session-only AX( conf i g- access- l i st : t r ans_sess_l og1) #exit AX( conf i g) #interface ve 21 AX( conf i g- i f : ve21) #ipv6 access-list tran_sess_log1 in Applying an ACL to an Interface To apply a configured ACL to an interface, use either of the following meth- ods. USING THE GUI To apply an ACL to an Ethernet port: 1. Select Config >Network >Interface. 2. Select LAN on the menu bar. 3. Click on the port number. 4. In the IPv4 section, select the ACL from the Access List field. 5. Click OK. To apply an ACL to a Virtual Ethernet (VE) interface: 1. Select Config >Network >Interface. 2. Select Virtual on the menu bar. 3. Click on the VE name. 4. Select IPv4. 5. Select the ACL from the Access List field. 6. Click OK. USING THE CLI Access the configuration level for the interface and use the following com- mand: access-list acl-num in P e r f o r m a n c e b y D e s i g n 757 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on Ethernet interface 4: AX( conf i g) #access-list 1 deny 10.10.10.0 0.0.0.255 AX( conf i g) #interface ethernet 4 AX( conf i g- i f : et her net 4) #access-list 1 in Applying an ACL to a Virtual Server Port You can apply an ACL to a virtual server port. An ACL applied to a virtual server port permits or denies traffic just as an ACL applied to a physical port or Virtual Ethernet (VE) interface does. To apply a configured ACL to a virtual server port, use either of the follow- ing methods. USING THE GUI 1. Select Config >Service >SLB. 2. Select Virtual Server on the menu bar. 3. Click Add or click on the name of a configured virtual server. 4. Enter or change information in the General section, if you are configur- ing a new virtual server. 5. In the Port section, click Add or select a port and click Edit. 6. In the Virtual Server Port section, select the ACL from the Access List drop-down list. 7. Click OK. 8. Click OK again to return to the virtual server table. USING THE CLI To apply an ACL to a virtual port in the CLI, use the following command at the configuration level for the virtual port: access-list acl-id The acl-id specifies the ACL number. 758 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) Using an ACL to Control Management Access To use an ACL to control management access, see Securing Admin Access by Ethernet on page687. Using an ACL for NAT To use an ACL for NAT, configure the ACL, then use either of the following methods to bind the ACL to a NAT pool. USING THE GUI To bind an ACL to an IP source NAT pool: 1. Select Config >Service >IP Source NAT. 2. Select Binding on the menu bar. 3. Select the ACL number from the ACL drop-down list. 4. Select the pool ID from the NAT Pool drop-down list. 5. Click Add. The new binding appears in the ACL section. 6. Click OK. USING THE CLI To use a configured ACL in an IPv4 NAT pool, use the following command: [ no] ip nat inside source {list acl-name {pool pool-name | pool-group pool-group-name} static local-ipaddr global-ipaddr} The list acl-name option specifies the ACL. Resequencing ACL Rules An ACL can contain multiple rules. Each access-list command configures one rule. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL. P e r f o r m a n c e b y D e s i g n 759 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) Rules are applied to the traffic in the order they appear in the ACL (from the top rule, which is the first, downward). The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic. Each ACL has an implicit deny any rule at the end of the ACL. This rule is applied to any traffic that does not match any of the configured rules in the ACL. The deny any rule at the end of the ACL is not displayed and cannot be removed. You can resequence the rules in an ACL. When you create an ACL rule, the AX device assigns a sequence number to the rule and places the rule at the bottom of the ACL. Here is an example: AX( conf i g) #access-list 86 permit host 10.10.10.12 AX( conf i g) #access-list 86 deny 10.10.10.0 /24 AX( conf i g) #show access-list ipv4 86 access- l i st 86 10 per mi t host 10. 10. 10. 12 l og Hi t s: 0 access- l i st 86 20 deny 10. 10. 10. 0 0. 0. 0. 255 l og Hi t s: 0 In this example, two rules are configured for ACL 86. The default sequence numbers are used. The first rule has sequence number 10, and each rule after that has a sequence number that is higher by 10. The intent of this ACL is to deny all access from the 10.10.10.x subnet, except for access from specific host addresses. In this example, the permit rule for the host appears before the deny rule for the subnet the host is in, so the host will be permitted. However, suppose another permit rule is added for another host in the same subnet. AX( conf i g) #access-list 86 permit host 10.10.10.13 AX( conf i g) #show access-list ipv4 86 access- l i st 86 10 per mi t host 10. 10. 10. 12 l og Hi t s: 0 access- l i st 86 20 deny 10. 10. 10. 0 0. 0. 0. 255 l og Hi t s: 0 access- l i st 86 30 per mi t host 10. 10. 10. 13 l og Hi t s: 0 By default, since no sequence number was specified when the rule was con- figured, the rule is placed at the end of the ACL. Because the deny rule comes before the permit rule, host 10.10.10.13 will never be permitted. To resequence the ACL to work as intended, the deny rule can be deleted, then re-added. Alternatively, either the deny rule or the second permit rule can be resequenced to appear in the right place. To change the sequence number of an ACL rule, delete the rule, then re-add it with the sequence number. 760 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Access Control Lists (ACLs) AX( conf i g) #no access-list 86 30 AX( conf i g) #access-list 86 11 permit host 10.10.10.13 log AX( conf i g) #show access-list ipv4 86 access- l i st 86 10 per mi t host 10. 10. 10. 12 l og Hi t s: 0 access- l i st 86 11 per mi t host 10. 10. 10. 13 l og Hi t s: 0 access- l i st 86 20 deny 10. 10. 10. 0 0. 0. 0. 255 l og Hi t s: 0 In this example, rule 30 is deleted, then re-added with sequence number 11. The ACL will now work as intended, and permit hosts 10.10.10.12 and 10.10.10.13 while denying all other hosts in the 10.10.10.x subnet. To per- mit another host, another rule can be added, sequenced to come before the deny rule. AX( conf i g) #access-list 86 12 permit host 10.10.10.14 log AX( conf i g) #show access-list ipv4 86 access- l i st 86 10 per mi t host 10. 10. 10. 12 l og Hi t s: 0 access- l i st 86 11 per mi t host 10. 10. 10. 13 l og Hi t s: 0 access- l i st 86 12 per mi t host 10. 10. 10. 14 l og Hi t s: 0 access- l i st 86 20 deny 10. 10. 10. 0 0. 0. 0. 255 l og Hi t s: 0 USING THE GUI Each row in the Standard ACL and Extended ACL tables is a separate ACL rule. You can configure multiple rules in the same ACL. In this case, they still appear as separate rows, with the same ACL number. The AX device applies the ACL rules in the order they are listed, starting at the top of the table. The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic. If you need to re-order the ACL rules, you can do so by clicking the up or down arrows at the ends of the rows containing the ACL rules. Click OK to commit the changes. USING THE CLI See the description above. P e r f o r m a n c e b y D e s i g n 761 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) Policy-Based SLB (PBSLB) AX Series devices allow you to black list or white list individual clients or client subnets. Based on actions you specify on the AX device, the AX will allow (white list) or drop (black list) traffic from specific client hosts or subnets in the list. Note: IPv6 addresses are not supported in black/white lists. For traffic that is allowed, you can specify the service group to use. You also can specify the action to perform (drop or reset) on new connections that exceed the configured connection threshold for the client address. For example, you can configure the AX to respond to DDoS attacks from a cli- ent by dropping excessive connection attempts from the client. You can apply PBSLB on a system-wide basis or on individual virtual ports. Configuring a Black/White List Client IP lists (black/white lists) can be configured on an external device and imported onto the AX device, or can be entered directly into the GUI. The actions to take on the addresses in the list are specified on the AX device. A black/white list can contain up to 8 million individual host addresses and up to 32,000 subnet addresses. For each IP address (host or subnet) in a black/white list, add a row using the following syntax: ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string] The ipaddr is the host or subnet address of the client. The network-mask is optional. The default is 32, which means the address is a host address. The group-id is a number from 1 to 31 in a black/white list that identi- fies a group of IP host or subnet addresses contained in the list. In a PBSLB policy template on the AX device, you can map the group to one of the following actions: Drop the traffic Reset the connection Send the traffic to a specific service group The default group ID is 0, which means no group is assigned. 762 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) The #conn-limit specifies the maximum number of concurrent connec- tions allowed from the client. By default, there is no connection limit. If you set it, the valid range is from 1 to 32767. On the AX, you can spec- ify whether to reset or drop new connections that exceed this limit. The # is required only if you do not specify a group-id. Note: The conn-limit is a coarse limit. The larger the number you specify, the coarser the limit will be. For example, if you specify 100, the AX device limits the total connections to exactly 100; however, if you specify 1000, the device limits the connections to not exceed 992. If the number in the file is larger than the supported maximum (32767), the parser will use the longest set of digits in the number you enter that makes a valid value. For example, if the file contains 32768, the parser will use 3276 as the value. As another example, if the file contains 111111, the parser will use 11111 as the value. The ;comment-string is a comment. Everything to the right of the ; is ignored by the AX device when it parses the file. Example Black/White List Here is an example black/white list: 10. 10. 1. 3 4; bl ocki ng a si ngl e host . 4 i s t he dr op gr oup 10. 10. 2. 0/ 24 4; bl ocki ng t he ent i r e 10. 10. 2. x subnet 192. 168. 1. 1/ 32 #20 ; 20 concur r ent connect i ons max, any gr oup ok 192. 168. 4. 69 2 20 ; assi gn t o gr oup 2, and al l ow 20 max The first row assigns a specific host to group 4. On the AX device, the drop action will be assigned to this group, thus black listing the client. The sec- ond row black lists an entire subnet, by assigning it to the same group (4). The third row sets the maximum number of concurrent connections for a specific host to 20. The fourth row assigns a specific host to group 2 and specifies a maximum of 20 concurrent connections. Note: The AX device allows up to three parser errors when reading the file. However, after the third parser error, the device stops reading the file. Dynamic Black/White-list Client Entries AX Release 2.4.1 supports dynamic client entries. To configure this feature, add client address 0.0.0.0/0 (wildcard address) to the black/white list used by the system-wide PBSLB policy. When a client sends an HTTP or HTTPS connection request, the AX device checks the system-wide PBSLB policys black/white list for the clients IP address. P e r f o r m a n c e b y D e s i g n 763 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) If the list does not already have an entry for the client, the AX device creates a dynamic entry for the clients host address. If the list already has a dynamic entry for the client, the AX device resets the timeout value for the entry. (Dynamic entry aging is described below.) If the list contains a static entry for the clients host or subnet address, the static entry is used instead. Here is an example of a wildcard address in a black/white list: 0. 0. 0. 0/ 0 1 #20 In this example, all clients who do not match a static entry in the list will be assigned to group 1, and will be limited to 20 concurrent connections. The AX device supports up to 8 million dynamic client entries for system- wide PBSLB. Once this limit is reached, the AX device does not track con- nections or anomaly counters for additional clients. Connection Limit for Dynamic Entries For dynamic entries in a system-wide PBSLB policys black/white list, the connection limit in the list applies to each individual client. In the example above, each client that has a dynamic entry in the black/white list will be allowed to have a maximum of 20 concurrent connections. Aging of Dynamic Entries When the AX device creates a dynamic black/white list entry for a client, the device also sets the timeout for the entry. The timeout value for the dynamic entry decrements until the timeout reaches 0 or the client sends a new HTTP or HTTPS connection request. If the client sends a new HTTP or HTTPS connection request, the time- out is reset to its full value. If the timeout reaches 0 and the client does not have any active connec- tions, the dynamic entry is removed. However, if the client has an active connection, the dynamic entry is not removed until the clients connec- tion ends. You can set the timeout to 1-127 minutes. The default is 5 minutes. If client-lockup is enabled, the timeout for a locked up client does not begin decrementing until the lockup expires. (See Client Lockup on page765.) 764 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) Wildcard Address Support in PBSLB Policies Bound to Virtual Ports Dynamic client entries are supported only for system-wide PBSLB policies. You can add a wildcard address (0.0.0.0/0) to a black/white list that is used by a virtual ports PBSLB policy. The group ID and connection limit speci- fied for the wildcard address will be applied to clients that do not match a static entry in the list. However, there are a few limitations: The AX device does not create any dynamic entries in the list. The connection limit applies collectively to all clients that do not have a static entry in the list. Configuring System-Wide PBSLB System-wide PBSLB policies provide options that are not available in poli- cies applied to individual virtual ports: Dynamic black/white-list client entries Client lockup IP anomaly checking and tracking, using IP anomaly filters To configure a system-wide PBLSB policy, use the following commands at the global configuration level of the CLI: [ no] system pbslb bw-list name This command specifies the name of the black/white list to use for the pol- icy. [ no] system pbslb id id {drop | reset} [ logging minutes] This command specifies the action to take for clients in a given group con- figured in the black/white list. drop Drops the connections. reset Resets the connections. The logging option enables logging. The minutes option specifies how often messages can be generated. P e r f o r m a n c e b y D e s i g n 765 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) [ no] system pbslb over-limit [ reset] [ lockup minutes] [ logging minutes] This command specifies the action to take for clients who either exceed the connection limit specified in the black/white list, or exceed the threshold of any of the new IP anomaly filters. You can use one or both of the following options: reset Resets all new connection attempts from the client. If you omit this option, new connection attempts are dropped instead. lockup Continues to apply the over-limit action to all new connection attempts from the client, for the specified number of minutes. The logging option enables logging. The minutes option specifies how often messages can be generated. [ no] system pbslb timeout minutes This command sets the timeout for dynamic black/white-list entries. You can specify 1-127 minutes. The default is 5 minutes. Note: If the lockup option is used with the system pbslb over-limit command, aging of the dynamic entry for a locked up client begins only after the lockup expires. Client Lockup The over-limit rule in a system-wide PBSLB policy includes an optional lockup period. If the lockup period is configured, the AX device continues to enforce the over-limit action for the duration of the lockup. For example, if the over-limit action is drop and a client exceeds the con- nection limit specified in the black/white list, the AX device continues to drop all connection attempts from the client until the lockup expires. The lockup option is disabled by default. You can enable it by specifying a lockup period of 1-127 minutes. The dynamic black/white-list entry for a client does not age while the client is locked up. After the lockup ends, the timeout for the entry is reset to its full value and begins decrementing normally as described in Aging of Dynamic Entries on page763. Displaying and Clearing System-Wide PBSLB Information To display information for system-wide PBSLB, use the following com- mands: 766 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) show pbslb system show pbslb client [ ipaddr] To clear PBSLB information, use the following commands: clear pbslb system clear pbslb client [ entry] If you omit the entry option, the statistics counters are cleared but the client entries themselves are not cleared. To also clear the client entries, use the entry option. Configuring PBSLB for Individual Virtual Ports You can configure PBSLB parameters for virtual ports by configuring the settings directly on individual ports, or by configuring a PBSLB policy tem- plate and binding the template to individual virtual ports. To configure PBSLB: 1. Configure a black/white list, either remotely or on the AX device itself. 2. If you configure the list remotely, import the list onto the AX device. 3. Optionally, modify the sync interval for the list. The AX regularly syn- chronizes with the list to make sure the AX version is current. 4. Configure PBSLB settings. You can configure the following settings directly on individual virtual ports, or configure a policy template and bind the template to virtual ports. Specify the black/white list. Optionally, map each group ID used in the list to one of the follow- ing actions: Send the traffic to a specific service group. Reset the traffic. Drop the traffic. Optionally, change the action (drop or reset) the AX will perform on connections that exceed the limit specified in the list. Optionally, if needed for your configuration, change client address matching from source IP matching to destination IP matching. Note: These steps assume that the real servers, service groups, and virtual serv- ers have already been configured. P e r f o r m a n c e b y D e s i g n 767 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) USING THE GUI To Configure PBSLB Settings Using a Policy Template: 1. Select Config >Service >Template. 2. On the menu bar, select Application >PBSLB Policy. 3. Click Add. 4. In the Name field, enter a name for the template. 5. From the drop-down list below the Name field, select the black/white list or click create to create or import one. 6. If you clicked create, the PBSLB section appears. a. Enter or select the following information in the fields of the PBSLB section: Name that will be used for the imported black/white list. Location of the black/white list (Local or Remote). b. To create the list using a text entry field in the GUI, click Local. The Definition field appears. Copy-and-paste or type the black/white list. c. To import a list from a remote server, select Remote. Enter values for the following parameters: Interval at which the AX device re-imports the list. This option ensures that changes to the list are automatically replicated on the AX device. File transfer protocol to use. IP address or hostname of the device where the list is located. Path and filename of the list on the remote device. d. Click OK. The Policy section reappears. 7. To configure group options: a. Select the group from the Group ID drop-down list. b. Select one of the following from the Action drop-down list. Drop Drops new connections until the number of concurrent connections on the virtual port falls below the ports connection limit. (The connection limit is set in the black/white list.) Reset Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit. service group name Each of the service groups configured on the AX device is listed. 768 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) create This option displays the configuration sections for creat- ing a new service group. c. Optionally, enable logging. To change the logging interval, edit the number in the Period field. Logging generates messages to indicate that traffic matched the group ID. To generate log messages only when there is a failed attempt to reach a service group, select Log Failures only. Note: If the Use default server selection when preferred method fails option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the Use default server selection when preferred method fails option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connec- tion limit. These failures are still logged. d. Click Add. The group settings appear in the PBSLB list. e. Repeat the steps above for each group. 8. Select the action to take when traffic exceeds the limit: Drop or Reset. 9. Optionally, to match destination traffic against the black/white list, instead of source traffic, select Use Destination IP. 10. Click OK. The new policy appears in the PBSLB policy list. 11. To bind the PBSLB policy template to a virtual port: a. Select Config >Service >SLB. b. On the menu bar, select Virtual Server. c. Click on the virtual server name or click Add to create a new one. d. In the Port section, click Add, or select a virtual port and click Edit. e. In the Virtual Server Port section, select the PBSLB template from the Policy Template drop-down list. f. Click OK. g. Click OK again. P e r f o r m a n c e b y D e s i g n 769 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) FIGURE 181 PBSLB Policy section 770 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) FIGURE 182 Config >Service >SLB >Virtual Server - Virtual Server Port section USING THE CLI To Import a Black/White List: Use the following command at the global configuration level of the CLI: bw-list name url [ period seconds] [ load] The name can be up to 31 alphanumeric characters long. The url specifies the file transfer protocol, directory path, and filename. The following URL format is supported: tftp://host/file P e r f o r m a n c e b y D e s i g n 771 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) The period seconds option specifies how often the AX device re-imports the list to ensure that changes to the list are automatically replicated on the AX. You can specify 60 86400 seconds. The default is 300 seconds. The load option immediately re-imports the list to get the latest changes. Use this option if you change the list and want to immediately replicate the changes on the AX device, without waiting for the update period. Note: A TFTP server is required on the PC and the TFTP server must be run- ning when you enter the bw-list command. Note: If you use the load option, the CLI cannot accept any new commands until the load is completely finished. For large black/white lists, loading can take a while. Do not abort the load process; doing so can also interrupt periodic black/white-list updates. If you do accidentally abort the load process, repeat the command with the load option and allow the load to complete. To Configure PBSLB Settings Using a Policy Template: To configure a PBSLB template, use the following commands: [ no] slb template policy template-name Enter this command at the global configuration level of the CLI. The com- mand creates the template and changes the CLI to the configuration for the template, where the following PBSLB-related commands are available. [ no] bw-list name file-name This command binds a black/white list to the virtual ports that use this tem- plate. [ no] bw-list id id service {service-group-name | drop | reset} [ logging [ minutes] [ fail] ] This command specifies the action to take for clients in the black/white list: id Group ID in the black/white list. service-group-name Sends clients to the SLB service group associated with this group ID on the AX device. drop Drops connections for IP addresses that are in the specified group. reset Resets connections for IP addresses that are in the specified group. 772 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) logging [ minutes] [ fail] Enables logging. The minutes option specifies how often messages can be generated. This option reduces overhead caused by frequent recurring messages. For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times within a five-minute period, the AX device gener- ates only a single message. The message indicates the number of times the rule was applied since the last message. You can specify a logging interval from 0 to 60 minutes. To send a separate message for each event, set the interval to 0. PBSLB rules that use the service service-group-name option also have a fail option for logging. The fail option configures the AX device to gen- erate log messages only when there is a failed attempt to reach a service group. Messages are not generated for successful connections to the ser- vice group. The fail option is disabled by default. The option is available only for PBSLB rules that use the service service-group-name option, not for rules with the drop or reset option, since any time a drop or reset rule affects traffic, this indicates a failure condition. Logging is disabled by default. If you enable it, the default for minutes is3. The AX device uses the same log rate limiting and load balancing fea- tures for PBSLB logging as those used for ACL logging. See Log Rate Limiting on page50. Note: If the def-selection-if-pref-failed option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the def-selection-if-pref-failed option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connec- tion limit. These failures are still logged. [ no] bw-list over-limit {lockup min | logging min | reset} This command specifies the action to take for traffic that is over the limit. You can specify one or more of the following options: lockup min Continues to apply the over-limit action to all new con- nection attempts from the client, for the specified number of minutes (1-127). logging min Generates a log message when traffic goes over the limit. The min option specifies the log interval and can be 1-255 min- utes. reset Resets new connections until the number of concurrent con- nections on the virtual port falls below the connection limit. P e r f o r m a n c e b y D e s i g n 773 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) [ no] bw-list use-destination-ip This command matches black/white list entries based on the clients desti- nation IP address. By default, matching is based on the clients source IP address. This option is applicable if you are using a wildcard VIP. (See Wildcard VIPs on page277.) To bind the template to a virtual port, use the following command at the configuration level for the port: [ no] template policy template-name To Configure PBSLB Settings Directly on a Virtual Port: To bind a black/white list to a virtual port, use the following command at the configuration level for the virtual port: pbslb bw-list name The name is the name you assign to the list when you import it. To map client IP addresses in a black/white list to specific service groups, use the following command at the configuration level for the virtual port: pbslb id id {service service-group-name | drop | reset} [ logging [ minutes] [ fail] ] ] The id is a group ID in the black/white list and can be from 1 to 31. The service-group-name is the name of an SLB service group on the AX. The drop option immediately drops all connections between the clients in the list and any servers in the service group. The reset option resets the con- nections between the clients in the list and any servers in the service group. The logging option enables logging. The minutes option specifies how often messages can be generated. This option reduces overhead caused by fre- quent recurring messages. For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times within a five-minute period, the AX device generates only a single message. The message indicates the number of times the rule was applied since the last message. You can spec- ify a logging interval from 0 to 60 minutes. To send a separate message for each event, set the interval to 0. The default is 3 minutes. PBSLB rules that use the service service-group-name option also have a fail option for logging. The fail option configures the AX device to generate 774 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) log messages only when there is a failed attempt to reach a service group. Messages are not generated for successful connections to the service group. The fail option is disabled by default. The option is available only for PBSLB rules that use the service service-group-name option, not for rules with the drop or reset option, since any time a drop or reset rule affects traf- fic, this indicates a failure condition. The AX device uses the same log rate limiting and load balancing features for PBSLB logging as those used for ACL logging. See Log Rate Limit- ing on page50. Note: If the def-selection-if-pref-failed option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the def-selection-if-pref-failed option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connec- tion limit. These failures are still logged. To specify the action to take if the virtual ports connection threshold is exceeded, use the following command at the configuration level for the vir- tual port: [ no] bw-list over-limit {drop | reset} This command specifies the action to take for traffic that is over the limit. drop Drops new connections until the number of concurrent connec- tions on the virtual port falls below the ports connection limit. (The connection limit is set in the black/white list.) reset Resets new connections until the number of concurrent connec- tions on the virtual port falls below the connection limit.The connection threshold is set in the black/white list. Displaying PBSLB Information To show the configuration of a PBSLB policy template, use the following command: show slb template policy template-name To show client IP addresses contained in a black/white list, use the follow- ing command: show bw-list [ name [ detail | ipaddr] ] The name is the name you assign to the list when you import it. The ipaddr is the client IP address. P e r f o r m a n c e b y D e s i g n 775 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) To show policy-based SLB statistics, use the following command: show pbslb [ name] The name option specifies a virtual server name. If you use this option, sta- tistics are displayed only for that virtual server. Otherwise, statistics are shown for all virtual servers. CLI CONFIGURATION EXAMPLES The following commands import black/white list sample-bwlist.txt onto the AX device: AX( conf i g) #bw-list sample-bwlist tftp://myhost/TFTP-Root/AX_bwlists/sample- bwlist.txt AX( conf i g) #show bw-list Name Ur l Si ze( Byt e) Dat e - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - sampl e- bwl i st t f t p: / / myhost / TFTP- Root / AX_ N/ A N/ A bwl i st s/ sampl e- bwl i st . t xt Tot al : 1 The following commands configure a PBSLB template and bind it to a vir- tual port: AX( conf i g) #slb template policy bw1 AX( conf i g- pol i cy) #bw-list name bw1 AX( conf i g- pol i cy) #bw-list id 2 service srvcgroup2 AX( conf i g- pol i cy) #bw-list id 4 drop AX( conf i g- pol i cy) #exit AX( conf i g) #slb virtual-server PBSLB_VS1 10.10.10.69 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template policy bw1 The following commands configure the same PBSLB settings directly on a virtual port: AX( conf i g) #slb virtual-server PBSLB_VS2 10.10.10.70 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #pbslb bw-list sample-bwlist AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #pbslb id 4 drop AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #pbslb id 2 service srvcgroup2 776 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) The following commands shows PBSLB information: AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #show pbslb Tot al number of PBSLB conf i gur ed: 1 Vi r t ual Ser ver Por t Bl ackl i st / whi t el i st GI D Connect i on # ( Est abl i sh Reset Dr op) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - PBSLB_VS1 80 sampl e- bwl i st 2 0 0 0 4 0 0 0 PBSLB_VS2 80 sampl e- bwl i st 2 0 0 0 4 0 0 0 Configuration ExampleSockstress Attack Protection You can use system-wide PBSLB in combination with IP anomaly filters to protect against Sockstress attacks, a type of DDoS attack. In this example, the AX device drops all new connection attempts from a client if either of the following occurs: The client already has 20 active connections and attempts to open a new HTTP or HTTPS connection. The client exceeds any of the IP anomaly thresholds. The lockup period is set to 5 minutes, to continue enforcing the over-limit action for 5 minutes after the over-limit action is triggered. The timeout for dynamic black/white list entries is set to 2 minutes. This example uses the following black/white list: 0. 0. 0. 0/ 0 1 #20 System-wide PBSLB Policy Configuration The following commands configure the system-wide PBSLB policy: AX( conf i g) #system pbslb bw-list bwlist-wc AX( conf i g) #system pbslb over-limit lockup 5 AX( conf i g) #system pbslb timeout 2 Configuring the system-wide PBSLB policy also automatically enables the new IP anomaly filters. Statistics Display The following command shows system-wide statistics for the new IP anom- aly filters: P e r f o r m a n c e b y D e s i g n 777 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Policy-Based SLB (PBSLB) AX( conf i g) #show slb l4 Tot al - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - I P out nor out e 20061 TCP out RST 0 TCP out RST no SYN 0 . . . Anomaly out of sequence 225408 Anomaly zero window 225361 Anomaly bad content 224639 The following command shows statistics for the system-wide PBSLB pol- icy: AX( conf i g) #show pbslb system Syst em B/ Wl i st : bwl i st - wc Vi r t ual Ser ver Por t Bl ackl i st / whi t el i st GI D Connect i on # ( Est abl i sh Reset Dr op) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Syst em bwl i st - wc 1 12 0 0 2 0 0 0 The following command shows summary statistics for individual black/ white-list clients: AX#show pbslb client GI D = Gr oup I D, S/ D = St at i c or dynami c ent r y Out - s = Out of sequence, Zer o- w = Zer o wi ndow, Bad- c = Bad cont ent I P S/ D GI D Conn- l i mi t Cur r - conn Age Lockup Out - s Zer o- w Bad- c - - - - - - - - - - - - - - - - - - +- - - +- - - +- - - - - - - - - - +- - - - - - - - - +- - - - - +- - - - - - +- - - - - +- - - - - - +- - - - 40. 40. 40. 168 / 32 D 1 20 5 120 0 0 5 5 40. 40. 40. 169 / 32 D 1 20 6 0 5 0 6 6 40. 40. 40. 170 / 32 D 1 20 6 0 5 0 6 6 40. 40. 40. 171 / 32 D 1 20 6 0 5 0 6 6 40. 40. 40. 172 / 32 D 1 20 6 0 5 0 6 6 40. 40. 40. 173 / 32 D 1 20 2 120 0 0 2 2 40. 40. 40. 174 / 32 D 1 20 5 120 0 0 5 5 40. 40. 40. 175 / 32 D 1 20 5 120 0 0 5 5 40. 40. 40. 160 / 32 D 1 20 5 120 0 0 5 5 40. 40. 40. 161 / 32 D 1 20 6 120 0 0 6 6 40. 40. 40. 162 / 32 D 1 20 6 0 5 0 6 6 40. 40. 40. 163 / 32 D 1 20 6 0 5 0 6 6 40. 40. 40. 164 / 32 D 1 20 6 0 5 0 6 6 40. 40. 40. 165 / 32 D 1 20 5 120 0 0 5 5 778 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Geo-location-based Access Control for VIPs The Age column indicates how many seconds are left before a dynamic entry ages out. For clients who are currently locked out of the system, the value in the Lockup column indicates how many minutes the lockup will continue. For locked up clients, the age value is 0 until the lockup expires. After the lockup expires, the age is set to its full value (120 seconds in this example). The following command shows detailed statistics for a specific black/white- list client: AX#show pbslb client 40.40.40.168 I P addr ess: 40. 40. 40. 168 Net mask l engt h: 32 Type: Dynami c Gr oup I D: 1 Connect i on l i mi t ( 0 = no l i mi t ) : 1984 Cur r ent connect i on: 6 Age: 0 second Lockup t i me: 5 mi nut e Out of sequence: 0 Zer o wi ndow: 6 Bad cont ent : 6 Geo-location-based Access Control for VIPs You can control access to a VIP based on the geo-location of the client. Using Policy-based SLB (PBSLB), you can configure the AX device to per- form one of the following actions for traffic from a client, depending on the location of the client: Drop the traffic Reset the connection Send the traffic to a specific service group The AX device determines a clients location by looking up the clients sub- net in the geo-location database used by Global Server Load Balancing (GSLB). Note: This feature requires you to load a geo-location database, but does not require any other configuration of GSLB. The AX system image includes the Internet Assigned Numbers Authority (IANA) database. By default, the IANA database is not loaded but you can easily load it, as described in the configuration procedure later in this section. P e r f o r m a n c e b y D e s i g n 779 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Geo-location-based Access Control for VIPs Configuration To configure geo-location-based access control for a VIP: 1. Configure a black/white list. You can configure the list using a text edi- tor on a PC or enter it directly into the GUI. If you configure the list using a text editor, import the list onto the AX device. 2. Configure an SLB policy (PBSLB) template. In the template, specify the black/white list name, and the actions to perform for the group IDs in the list. 3. Load a geo-location database, if one is not already loaded. 4. Apply the policy template to the virtual port for which you want to con- trol access. Configuring the Black/White List You can configure black/white lists in either of the following ways: Remote option Use a text editor on a PC, then import the list onto the AX device. Local option Enter the black/white list directly into a management GUI window. With either method, the syntax is the same. The black/white list must be a text file that contains entries (rows) in the following format: L " geo-location" group-id #conn-limit The L indicates that the clients location will be determined using infor- mation in the geo-location database. The geo-location is the string in the geo-location database that is mapped to the clients IP address; for example, US, US.CA, or US.CA.SanJ ose. The group-id is a number from 1 to 31 that identifies a group of clients (geo- locations) in the list. The default group ID is 0, which means no group is assigned. On the AX device, the group ID specifies the action to perform on client traffic. The #conn-limit specifies the maximum number of concurrent connections allowed from a client. The # is required only if you do not specify a group ID. The connection limit is optional. For simplicity, the examples in this section do not specify a connection limit. 780 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Geo-location-based Access Control for VIPs Here is a simple example of a black/white list for this feature: L " US" 1 L " US. CA" 2 L " J P" 3 USING THE GUI To configure or import a black/white list using the GUI: 1. Select Config >Service >PBSLB. 2. Click New. To import the list: Leave Remote selected. Enter a name for the list in the Name field. Enter the hostname or IP address in the Host field. Enter the file path and name in the Location field. To enter the file directly into the GUI: Select Local. Type the list into the Definition field. 3. Click OK. To configure an SLB policy (PBSLB) template: 1. Select Config >Service >Template. 2. On the menu bar, select Application >PBSLB Policy. 3. Click Add. 4. In the Name field, enter a name for the template. 5. From the drop-down list below the Name field, select the black/white list. 6. Select a group ID from the Group ID drop-down list. 7. Select one of the following from the Action drop-down list. Drop Drops new connections until the number of concurrent con- nections on the virtual port falls below the ports connection limit. (The connection limit is set in the black/white list.) Reset Resets new connections until the number of concurrent con- nections on the virtual port falls below the connection limit. P e r f o r m a n c e b y D e s i g n 781 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Geo-location-based Access Control for VIPs service-group-name Each of the service groups configured on the AX device is listed. create This option displays the configuration sections for creating a new service group. 8. Optionally, enable logging. (The AX device uses the same log rate limit- ing and load balancing features for PBSLB logging as those used for ACL logging. See Log Rate Limiting on page50.) 9. Click Add. 10. Repeat step6 through step9 for each group ID. 11. Click OK. To load the IANA geo-location database: 1. Select Config >Service >GSLB. 2. On the menu bar, select Geo-location >Import. 3. In the Load/Unload section, enter iana in the File field. Leave the Template field blank. 4. Click Add. Note: If preferred, you can import a custom geo-location database instead. For information, see Loading or Configuring Geo-Location Mappings on page467. To apply the policy template to a virtual port: 1. Select Config >Service >SLB. 2. On the menu bar, select Virtual Server. 3. Select the virtual server or click Add to configure a new one. 4. If you are configuring a new VIP, enter the name and IP address for the server. 5. In the Port section, select the port and click Edit, or click Add to add a new port. The Virtual Server Port page appears. 6. Select the policy template from the PBSLB Policy Template drop-down list. 782 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Geo-location-based Access Control for VIPs 7. Click OK. 8. Click OK again to finish the changes and redisplay the virtual server list. USING THE CLI 1. To import a black/white list onto the AX device, use the following com- mand at the global configuration level of the CLI: bw-list name url [ period seconds] [ load] The name can be up to 31 alphanumeric characters long. The url speci- fies the file transfer protocol, directory path, and filename. The follow- ing URL format is supported: tftp://host/file 2. To configure a PBSLB template, use the following commands: [ no] slb template policy template-name Enter this command at the global configuration level of the CLI. The command creates the template and changes the CLI to the configuration for the template, where the following PBSLB-related commands are available. [ no] bw-list name file-name This command binds a black/white list to the virtual ports that use this template. [ no] bw-list id id service {service-group-name | drop | reset} [ logging [ minutes] [ fail] ] This command specifies the action to take for clients in the black/white list: id Group ID in the black/white list. service-group-name Sends clients to the SLB service group asso- ciated with this group ID on the AX device. drop Drops connections for IP addresses that are in the specified group. reset Resets connections for IP addresses that are in the specified group. 3. To load a geo-location database, use the following command at the glo- bal configuration level of the CLI: [ no] gslb geo-location load {iana | file-name csv-template-name} P e r f o r m a n c e b y D e s i g n 783 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Geo-location-based Access Control for VIPs 4. To apply the policy template to a virtual port, use the following com- mand at the configuration level for the virtual port: [ no] template policy template-name Displaying SLB Geo-Location Information To display SLB geo-location information, use the following command: show slb geo-location [ virtual-server-name | virtual-port-num | bad-only | [ depth num] [ id num] [ location string] [ statistics] ] The bad-only option displays only invalid or mismatched geo-location con- tent. The depth option specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed. The id option displays only the geo-locations mapped to the specified black/ white list group ID. The location option displays information only for the specified geo-loca- tion; for example US.CA. Clearing SLB Geo-Location Statistics To clear SLB geo-location statistics, use the following command at the Priv- ileged EXEC level of the CLI: clear slb geo-location [ virtual-server name [ ...] virtual-port-num | location {all | string} ] 784 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Geo-location-based Access Control for VIPs CLI Example The following command imports black/white list geolist onto the AX device. AX( conf i g) #import bw-list geolist scp://192.168.1.2/root/geolist The following commands configure a policy template named geoloc and add the black/white list to it. The template is configured to drop traffic from clients in the geo-location mapped to group 1 in the list. AX( conf i g) #slb template policy geoloc AX( conf i g- pol i cy) #bw-list name geolist AX( conf i g- pol i cy) #bw-list id 1 drop AX( conf i g- pol i cy) #exit The following commands apply the policy template to port 80 on virtual server vip1: AX( conf i g) #slb virtual-server vip1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vser ver - vpor t ) #template policy geoloc AX( conf i g- sl b vser ver - vpor t ) #show slb geo-location Enabling PBSLB Statistics Counter Sharing You can enable sharing of statistics counters for all virtual servers and vir- tual ports that use a PBSLB template. This option causes the following counters to be shared by the virtual servers and virtual ports that use the template: Permit Deny Connection number Connection limit USING THE GUI The current release does not support this feature in the GUI. USING THE CLI To enable the share option, use the following command at the configuration level for the PBSLB policy template: geo-location share P e r f o r m a n c e b y D e s i g n 785 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Geo-location-based Access Control for VIPs Note: It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect. Enabling Full-Domain Checking for Connection Limits By default, when a client requests a connection, the AX device checks the connection count only for the specific geo-location level of the client. If the connection limit for that specific geo-location level has not been reached, the clients connection is permitted. Likewise, the permit counter is incre- mented only for that specific geo-location level. Table24 shows an example set of geo-location connection limits and cur- rent connections. Using the default behavior, the connection request from the client at US.CA.SanJ ose ia allowed even though CA has reached its connection limit. Likewise, a connection request from a client at US.CA is allowed. However, a connection request from a client whose location match is simply US is denied. After these three clients are permitted or denied, the connection permit and deny counters are incremented as follows: US Deny counter is incremented by 1. US.CA Permit counter is incremented by 1. US.CA.SanJ ose Permit counter is incremented by 1. Full-Domain Checking When full-domain checking is enabled, the AX device checks the current connection count not only for the clients specific geo-location, but for all geo-locations higher up in the domain tree. Based on full-domain checking, all three connection requests from the cli- ents in the example above are denied. This is because the US domain has reached its connection limit. Likewise, the counters for each domain are updated as follows: TABLE 24 Geo-location connection limit example Geo-location Connection Limit Current Connections US 100 100 US.CA 50 37 US.CA.SanJ ose 20 19 786 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Geo-location-based Access Control for VIPs US Deny counter is incremented by 1. US.CA Deny counter is incremented by 1. USING THE GUI The current release does not support this feature in the GUI. USING THE CLI To enable full-domain checking for geo-location-based connection limiting, use the following command at the configuration level for the PBSLB tem- plate: geo-location full-domain-tree Note: It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect. P e r f o r m a n c e b y D e s i g n 787 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview IP Limiting IP limiting provides a greatly enhanced implementation of the source IP connection limiting and connection-rate limiting feature available in previ- ous releases. This chapter describes the IP limiting options and how to con- figure and apply them. Overview IP limiting provides the following benefits: Configuration flexibility You can apply source IP limiting on a sys- tem-wide basis, on individual virtual servers, or on individual virtual ports. Class lists You can configure different classes of clients, and apply a separate set of IP limits to each class. You also can exempt specific cli- ents from being limited. Separate limits can be configured for each of the following: Concurrent connections Connection rate Concurrent Layer 7 requests Layer 7 request rate Note: In the current release, Layer 7 request limiting applies only to the HTTP, HTTPS, and fast-HTTP virtual port types. The following sections describe the IP limiting options and how to config- ure and apply them. Class Lists A class list is a set of IP host or subnet addresses that are mapped to IP lim- iting rules. The AX device can support up to 255 class lists. Each class list can contain up to 8 million host IP addresses and 64,000 subnets. 788 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Class List Syntax Each entry (row) in the class list defines a client class, and has the following format: ipaddr /network-mask [ glid num | lid num] [ ; comment-string] Each entry consists of the following: ipaddr Specifies the host or subnet address of the client. The network- mask specifies the network mask. To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard address matches on all addresses that do not match any entry in the class list. glid num | lid num Specifies the ID of the IP limiting rule to use for matching clients. You can use a system-wide (global) IP limiting rule or an IP limiting rule configured in a PBSLB policy template. To use an IP limiting rule configured at the global configuration level, use the glid num option. To use an IP limiting rule configured at the same level (in the same PBSLB policy template) as the class list, use the lid num option. To exclude a host or subnet from being limited, do not specify an IP lim- iting rule. ; comment-string Contains a comment. Use a semi-colon ( ; ) in front of the comment string. Note: The AX device discards the comment string when you save the class list. IP Address Matching By default, the AX device matches class-list entries based on the source IP address of client traffic. Optionally, you can match based on one of the fol- lowing instead: Destination IP address Matches based on the destination IP address instead of the source IP address. IP address in HTTP request Matches based on the IP address in a header in the HTTP request. You can specify the header when you enable this option. P e r f o r m a n c e b y D e s i g n 789 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Example Class Lists Here is an example of a very simple class list. This list matches on all cli- ents and uses an IP limiting rule configured at the global configuration level: 0. 0. 0. 0/ 0 gl i d 1 Here is an example with more options: 1. 1. 1. 1 / 32 l i d 1 2. 2. 2. 0 / 24 l i d 2 ; LI D 2 appl i es t o ever y si ngl e I P of t hi s subnet 0. 0. 0. 0 / 0 l i d 10 ; LI D 10 appl i ed t o ever y undef i ned si ngl e I P 3. 3. 3. 3 / 32 gl i d 3 ; Use gl obal LI D 3 4. 4. 4. 4 / 32 ; No LI D i s appl i ed ( except i on l i st ) The rows in the list specify the following: For individual host 1.1.1.1, use IP limiting rule 1, which is configured in a PBSLB policy template. (A PBSLB policy template can be applied globally for system-wide IP limiting, or to an individual virtual server or virtual port. This is described in more detail in a later section.) For all hosts in subnet 2.2.2.0/24, use IP limiting rule 2, which is config- ured in a PBSLB policy template. For all hosts that do not match another entry in the class list, use IP lim- iting rule 10, which is configured in a PBSLB policy template. For individual host 3.3.3.3, use IP limiting rule 3, which is configured at the global configuration level. For individual host 4.4.4.4, do not use an IP limiting rule. IP Limiting Rules IP limiting rules specify connection and request limits for clients. Each IP limiting rule has the following parameters: Limit ID Number from 1-31 that identifies the rule. Connection limit Maximum number of concurrent connections allowed for a client. You can specify 1-1048575. There is no default. Connection-rate limit Maximum number of new connections allowed for a client within the limit period. You can specify 1-4294967295 con- nections. The limit period can be 100-6553500 milliseconds (ms), spec- ified in increments of 100 ms. There is no default. 790 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Request limit Maximum number of concurrent Layer 7 requests allowed for a client. You can specify 1-1048575. There is no default. Request-rate limit Maximum number of Layer 7 requests allowed for a client within the limit period. You can specify 1-4294967295 connec- tions. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. There is no default. Over-limit action Action to take when a client exceeds one or more of the limits. The action can be one of the following: Drop The AX device drops that traffic. If logging is enabled, the AX device also generates a log message. This is the default action. Forward The AX device forwards the traffic. If logging is enabled, the AX device also generates a log message. Reset For TCP, the AX device sends a TCP RST to the client. If logging is enabled, the AX device also generates a log message. Lockout period Number of minutes during which to apply the over- limit action after the client exceeds a limit. The lockout period is acti- vated when a client exceeds any limit. The lockout period can be 1-1023 minutes. There is no default. Logging Generates log messages when clients exceed a limit. Logging is disabled by default. When you enable logging, a separate message is generated for each over-limit occurrence, by default. You can specify a logging period, in which case the AX device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period. The logging period can be 0-255 minutes. The default is 0 (no wait period). Match IP Address By default, the AX device matches class-list entries based on the source IP address of client traffic. Optionally, you can match based on one of the fol- lowing instead: Destination IP address matches based on the destination IP address in packets from clients. IP address in client packet header matches based on the IP address in the specified header in packets from clients. If you do not specify a header name, this option uses the IP address in the X-Forwarded-For header. P e r f o r m a n c e b y D e s i g n 791 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting Configuring Source IP Limiting To configure source IP limiting: 1. Configure a class list either on the AX device or another device. If you configure the class list on another device, import it onto the AX device. 2. Configure the IP limiting rules. For system-wide IP limiting, you can configure the rules in a PBSLB policy template or in standalone IP limiting rules. For IP limiting on an individual virtual server or virtual port, config- ure the rules in a PBSLB policy template. 3. Apply the IP limiting rules. You can configure multiple PBSLB policy templates with different IP limit- ing rules. You can use a given class list in one or more PBSLB policy tem- plates. For system-wide source IP limiting, apply the PBSLB policy template globally. For source IP limiting on an individual virtual server or virtual port, apply the PBSLB policy template to the virtual server or virtual port. Clients must comply with all IP limiting rules that are applicable to the cli- ent. For example, if you configure system-wide IP limiting and also config- ure IP limiting on an individual virtual server, clients must comply with the system-wide IP limits and with the IP limits applied to the individual virtual server accessed by the client. Configuring a Class List You can configure a class list in either of the following ways: Use a text editor on a PC or other device to create the list, then import it onto the AX device. Use CLI commands to create the list entries. For class-list syntax information, see Class Lists on page787. 792 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting USING THE GUI Importing a Class List onto the AX Device 1. Select Config >Service >SLB. 2. On the menu bar, select Class List. 3. Click Import. The Import page appears. 4. In the Name field, enter the filename to use for the imported class list. 5. Select the location of the file to be imported: Local The file is on the PC you are using to run the GUI, or is on another PC or server in the local network. Go to step6. Remote The file is on a remote server. Go to step8. 6. Click Browse and navigate to the location of the class list. 7. Click Open. The path and filename appear in the Source field. Go to step13. 8. To use the management interface as the source interface for the connec- tion to the remote device, select Use Management Port. Otherwise, the AX device will attempt to reach the remote server through a data inter- face. 9. Select the file transfer protocol: FTP, TFTP, RCP, or SCP. 10. In the Host field, enter the directory path and filename. 11. If needed, change the protocol port number n the port field. By default, the default port number for the selected file transfer protocol is used. 12. In the User and Password fields, enter the username and password required for access to the remote server. 13. Click OK. Configuring a Class List in the GUI 1. Select Config >Service >SLB. 2. On the menu bar, select Class List. 3. Click Create. 4. In the Name field, enter a name for the class list. P e r f o r m a n c e b y D e s i g n 793 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting 5. Select the system location in which to save the class list: File The list is saved in a stand-alone file. Config The list is saved in the startup-config. Note: If the class list contains 100 or more entries, it is recommended to use the File option. A class list can be exported only if you use the File option. 6. Configure the class list entries: a. Enter the IP address and subnet mask. For a host entry, use mask 255.255.255.255. For a wildcard entry, enter IP address 0.0.0.0 and network mask 0.0.0.0. b. Specify the IP limiting rule to apply to the host or subnet address. Select the system location of the IP limiting rule: Local The IP limiting rule is configured in a PBSLB policy template to be applied to a virtual server or virtual port. Global The IP limiting rule is configured at the system (global) level, and can be shared by all policy templates. LSN This option applies only to the Large-Scale NAT feature. Do not use this option with IP limiting. Enter the rule number, 1-31. Note: Make sure to use the same number when you configure the IP limiting rule. c. Click Add. d. Repeat for each entry. 7. Click OK. USING THE CLI Importing a Class List onto the AX Device After the class list is configured, import it onto the AX device, using the fol- lowing command at the Privileged EXEC or global configuration level of the CLI:. import class-list file- name url 794 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting Thefile-name specifies the name the class list will have on the AX device. The url specifies the file transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a pass- word is required, you will still be prompted for the password. To enter the entire URL: tftp://host/file ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file You also can export class lists to a remote server, using the following com- mand: export class-list file- name url Configuring a Class List in the CLI To configure a class list in the CLI, use the following commands: [ no] class-list name [ file] Enter this command at the global configuration level of the CLI. The file option saves the class list as a separate file. Without this option, the class list is instead saved in the startup-config. If the class list contains 100 or more entries, it is recommended to use the file option. The file option is valid only when you create the class list. After you create the list, the list remains either in the startup-config or in a separate file, depending on whether you use the file option when you create the list. Note: A class list can be exported only if you use the file option. The class-list command creates the class list if it is not already configured, and changes the CLI to the configuration level for the list. [ no] ipaddr /network-mask [ glid num | lid num] To add an entry to the class list, use the command without no. To modify an entry, use the command without no. Use the same source IP address as the entry to replace. Entries are keyed by source IP address. To delete an entry, use no followed by the source IP address. P e r f o r m a n c e b y D e s i g n 795 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting Applying a Class List to a PBSLB Policy To apply a class list, use the following command at the configuration level for the PBSLB policy that contains the IP limiting rules used by the class list. [ no] class-list name name After you configure the IP limiting rules and class list, and add the class list to the PBSLB policy, you can activate the IP limits. See Applying Source IP Limits on page798. Configuring the IP Limiting Rules You can configure IP limiting rules in PBSLB policy templates (applied to individual clients) or in system-wide IP limiting rules (applied to all cli- ents). If you plan to apply IP limits to individual virtual servers or virtual ports, you must configure the IP limiting rules in a PBSLB policy tem- plate, then apply the template to the virtual server or virtual port. If you plan to apply IP limits on a system-wide basis, you can configure the IP limiting rules in a PBSLB template or in standalone IP limiting rules. USING THE GUI Configuring IP Limiting Rules in a PBSLB Policy Template 1. Select Config >Service >Template. 2. On the menu bar, select Application >PBSLB Policy. 3. Click Add to create a new template (or click on the name of an existing template). The PBSLB Policy section appears. 4. Enter a name for the template, if creating a new one. 5. In the IP Limiting section, configure IP limiting. a. Select the class list from the Class List drop-down list. b. Configure the limiting rules to apply to the selected class list. (For parameter information, see IP Limiting Rules on page789.) 6. Leave the Destination IP and Overlap options disabled. 7. Click OK. 796 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting Configuring Standalone IP Limiting Rules for System-Wide IP Limiting 1. Select Config >Service >SLB. 2. On the menu bar, select LID. 3. Configure the IP limiting rules. (For parameter information, see IP Limiting Rules on page789.) 4. Click OK. USING THE CLI Configuring IP Limiting Rules in a PBSLB Policy Template To configure IP limiting rules in a PBSLB policy template, use the follow- ing commands: [ no] slb template policy template-name Enter this command at the global configuration level of the CLI. The com- mand creates the template and changes the CLI to the configuration level for the template, where the following commands are available. For informa- tion about the valid values and defaults, see IP Limiting Rules on page789. [ no] class-list lid num This command creates an IP limiting rule and changes the CLI to the con- figuration level for the rule. The num option specifies the rule ID, and can be 1-31. The following commands are available at the configuration level for the IP limiting rule. [ no] conn-limit num This command specifies the maximum number of concurrent connections allowed for a client. [ no] conn-rate-limit num per num-of-100ms This command specifies the maximum number of new connections allowed for a client within the specified limit period. [ no] request-limit num This command specifies the maximum number of concurrent Layer 7 requests allowed for a client. P e r f o r m a n c e b y D e s i g n 797 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting [ no] request-rate-limit num per num-of-100ms This command specifies the maximum number of Layer 7 requests allowed for the client within the specified limit period. [ no] over-limit-action [ forward | reset] [ lockout minutes] [ log minutes] This command specifies the action to take when a client exceeds one or more of the limits. The command also configures lockout and enables log- ging. Configuring IP Limiting Rules for System-Wide IP Limiting (without a class list) To configure an IP limiting rule for system-wide IP limiting, use the follow- ing commands. [ no] lid num This command creates the rule and changes the CLI to the configuration level for it. The following commands are available at this level: [ no] conn-limit num [ no] conn-rate-limit num per num-of-100ms [ no] request-limit num [ no] request-rate-limit num per num-of-100ms [ no] over-limit-action [ forward | reset] [ lockout minutes] [ log minutes] These commands are the same as the ones available at the IP limiting rule configuration level in PBSLB policy templates. (See Configuring IP Limit- ing Rules in a PBSLB Policy Template on page796.) Specifying the Match IP Address By default, the AX device matches class-list entries based on the source IP address of client traffic. Optionally, you can match based on one of the fol- lowing instead: Destination IP address IP address in client packet header To change the match IP address to one of these options, use the following command at the configuration level for the PBSPB policy template: [ no] class-list client-ip {l3-dest | l7-header [ header-name] } 798 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting The l3-dest option matches based on the destination IP address in packets from clients. The l7-header [header-name] option matches based on the IP address in the specified header in packets from clients. The header-name specifies the name of the header to use. If you do not specify a header name, the X-Forwarded-For header is used. Note: The destination-ip option applies only to black/white lists. Applying Source IP Limits The following subsections describe how to apply IP limiting rules to the system or to individual virtual servers or virtual ports. USING THE GUI Applying System-Wide Source IP Limiting For system-wide source IP limiting, no additional configuration is required. After you configure one or more stand-alone IP limiting rules, and apply them to classes (if using more than one class), the feature is implemented. See the following sections: Configuring a Class List in the GUI on page792 Configuring Standalone IP Limiting Rules for System-Wide IP Limit- ing on page796 Applying Source IP Limiting to a Virtual Server 1. Select Config >Service >SLB. 2. On the menu bar, select Virtual Server. 3. Click on the virtual server name or click Add if you are configuring a new virtual server. 4. If you are creating a new virtual server, enter the name, virtual IP address, and other General settings. 5. Select the PBSLB policy template from the PBSLB Policy Template drop-down list. 6. If you are creating a new virtual server, configure the virtual port set- tings as applicable to your deployment. 7. When the virtual server configuration is complete, click OK. P e r f o r m a n c e b y D e s i g n 799 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting Applying Source IP Limiting to a Virtual Port 1. Access the configuration page for the virtual server. (For information, see Applying Source IP Limiting to a Virtual Server on page798.) 2. On the Virtual Server Port configuration page, select the PBSLB policy template from the PBSLB Policy Template drop-down list. 3. Click OK to return to the configuration page for the virtual server. 4. When the virtual server configuration is complete, click OK. USING THE CLI Applying System-Wide Source IP Limiting To apply source IP limits to the whole system, use one of the following commands at the global configuration level of the CLI: [ no] system lid num Use this command if you plan to apply a combined set of limits to the whole system. [ no] system template policy template-name Use this command if you plan to apply per-client IP limiting at the system level. Note: The AX device does not support using the system template policy com- mand and the system pbslb command in the same configuration. Applying Source IP Limiting to a Virtual Server To apply source IP limiting to a virtual server, use the following command at the global configuration level for the virtual server: [ no] template policy template-name Applying Source IP Limiting to a Virtual Port To apply source IP limiting to a virtual port, use the following command at the global configuration level for the virtual port: [ no] template policy template-name 800 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting Displaying IP Limiting Information USING THE GUI To view configuration information for the feature, navigate to the configura- tion pages described in the previous sections. To display statistics for the feature, use the CLI. (See the following section.) USING THE CLI To display configuration information for IP limiting, use the following com- mands: show class-list [ name [ ipaddr] ] show lid [ num] show system policy To display statistics for IP limiting, use the following commands: show pbslb show pbslb system show pbslb client ipaddr show pbslb virtual-server virtual-server-name [ port port-num service-type] To reset statistics counters for IP limiting, use the following commands: clear pbslb clear pbslb system clear pbslb client ipaddr entry clear pbslb virtual-server virtual-server-name [ port port-num service-type [ group-id group-id] ] P e r f o r m a n c e b y D e s i g n 801 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting CLI ExamplesConfiguration The examples in this section show how to configure IP limiting. Configure System-Wide IP Limiting With a Single Class The following commands configure a standalone IP limiting rule to be applied globally to all IP clients (the clients that match class list global): AX( conf i g) #lid 1 AX( conf i g- gl obal l i d) #conn-rate-limit 10000 per 1 AX( conf i g- gl obal l i d) #conn-limit 2000000 AX( conf i g- gl obal l i d) #over-limit forward logging AX( conf i g- gl obal l i d) #exit AX( conf i g) #system lid 1 The following commands configure class list global, which matches on all clients, and uses IP limiting rule 1: AX( conf i g) #class-list global AX( conf i g- cl ass l i st ) #0.0.0.0/0 glid 1 AX( conf i g- cl ass l i st ) #exit Configure System-Wide IP Limiting With Multiple Classes The commands in this example configure system-wide IP limiting using a PBSLB policy template. AX( conf i g) #slb template policy global_policy AX( conf i g- pol i cy) #class-list name global_list AX( conf i g- pol i cy) #class-list lid 1 AX( conf i g- pol i cy- pol i cy l i d) #conn-rate-limit 20000 per 1 AX( conf i g- pol i cy- pol i cy l i d) #conn-limit 5000000 AX( conf i g- pol i cy- pol i cy l i d) #over-limit reset logging AX( conf i g- pol i cy- pol i cy l i d) #exit AX( conf i g- pol i cy) #exit The following command imports the class list used by the policy: AX( conf i g) #import class-list global_list ftp: Addr ess or name of r emot e host [ ] ?1.1.1.2 User name [ ] ?axadmin Passwor d [ ] ?********* Fi l e name [ / ] ?global_list 802 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting The following command applies the policy to the system: AX( conf i g) #system template policy global_policy Configure IP Limiting on a Virtual Server The commands in this example configure IP limiting for a virtual server. The following commands configure a PBSLB policy template: AX( conf i g) #slb template policy vs_policy AX( conf i g- pol i cy) #class-list name vs_list AX( conf i g- pol i cy) #class-list lid 1 AX( conf i g- pol i cy- pol i cy l i d) #conn-rate-limit 200 per 1 AX( conf i g- pol i cy- pol i cy l i d) #conn-limit 50000 AX( conf i g- pol i cy- pol i cy l i d) #over-limit lockout 10 logging AX( conf i g- pol i cy- pol i cy l i d) #exit AX( conf i g- pol i cy) #exit The following command imports the class list used by the policy: AX( conf i g) #import class-list vs_list ftp: Addr ess or name of r emot e host [ ] ?1.1.1.2 User name [ ] ?axadmin Passwor d [ ] ?********* Fi l e name [ / ] ?vs_list The following commands apply the policy to a virtual server: AX( conf i g) #slb virtual server vs1 AX( conf i g- sl b vi r t ual ser ver ) #template policy vs_policy P e r f o r m a n c e b y D e s i g n 803 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting Configure IP Limiting on a Virtual Port The commands in this example configure IP limiting for a virtual port. Note: In this example, IP limiting is applied to a virtual port on a virtual server that also has IP limiting. Clients must conform to both sets of limits. The following commands configure a PBSLB policy template: AX( conf i g) #slb template policy vp_policy AX( conf i g- pol i cy) #class-list name vp_list AX( conf i g- pol i cy) #class-list lid 1 AX( conf i g- pol i cy- pol i cy l i d) #request-rate-limit 50 per 1 AX( conf i g- pol i cy- pol i cy l i d) #request-limit 60000 AX( conf i g- pol i cy- pol i cy l i d) #over-limit reset logging AX( conf i g- pol i cy- pol i cy l i d) #exit AX( conf i g- pol i cy) #exit The following command imports the class list used by the policy: AX( conf i g) #import class-list vp_list ftp: Addr ess or name of r emot e host [ ] ?1.1.1.2 User name [ ] ?axadmin Passwor d [ ] ?********* Fi l e name [ / ] ?vp_list The following commands apply the policy to a virtual port: AX( conf i g) #slb virtual server vs1 AX( conf i g- sl b vi r t ual ser ver ) #port 80 http AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template policy vp_policy CLI ExamplesDisplay This section shows example show command output for IP limiting. Class Lists The following command displays the class-list files on the AX device: AX#show class-list Name I P Subnet Locat i on t est 4 3 f i l e user - l i mi t 14 4 conf i g Tot al : 2 804 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting Table25 describes the fields in the command output. The following command shows details for a class list: AX#show class-list test Name: t est Tot al si ngl e I P: 4 Tot al I P subnet : 3 Cont ent : 1. 1. 1. 1 / 32 gl i d 1 2. 2. 2. 2 / 32 gl i d 2 10. 1. 2. 1 / 32 l i d 1 10. 1. 2. 2 / 32 l i d 2 20. 1. 1. 0 / 24 l i d 1 20. 1. 2. 0 / 24 l i d 2 0. 0. 0. 0 / 0 l i d 31 The following commands show the closest matching entries for specific IP addresses in class list test: AX#show class-list test 1.1.1.1 1. 1. 1. 1 / 32 gl i d 1 AX#show class-list test 1.1.1.2 0. 0. 0. 0 / 0 l i d 31 The class list contains an entry for 1.1.1.1, so that entry is shown. However, since the class list does not contain an entry for 1.1.1.2 but does contain a wildcard entry (0.0.0.0), the wildcard entry is shown. TABLE 25 show class-list fields Field Description Name Name of the class list. IP Number of host IP addresses in the class list. Subnet Number of subnets in the class list. Location Indicates whether the class list is in the startup-config or in a standalone file: config Class list is located in the startup-config. file Class list is located in a standalone file. Total Total number of class lists on the AX device. P e r f o r m a n c e b y D e s i g n 805 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting IP Limiting Rules The following command the configuration of each standalone IP limiting rule: AX#show lid l i d 1 conn- l i mi t 100 conn- r at e- l i mi t 100 per 10 r equest - l i mi t 1 r equest - r at e- l i mi t 10 per 10 over - l i mi t - act i on r eset l og 1 l i d 2 conn- l i mi t 20000 conn- r at e- l i mi t 2000 per 10 r equest - l i mi t 200 r equest - r at e- l i mi t 200 per 1 over - l i mi t - act i on r eset l og 3 l i d 30 conn- l i mi t 10000 conn- r at e- l i mi t 1000 per 1 over - l i mi t - act i on f or war d l og The following command shows the configuration of IP limiting rule 1: AX#show lid 1 l i d 1 conn- l i mi t 100 conn- r at e- l i mi t 100 per 10 r equest - l i mi t 1 r equest - r at e- l i mi t 10 per 10 over - l i mi t - act i on r eset l og 1 806 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Source IP Limiting IP Limiting Statistics The following command shows IP limiting statistics for the entire system: AX#show pbslb system Syst emLI D st at i st i cs ( l i d 1) : Cur r ent connect i on: 1 Cur r ent connect i on r at e: 0/ s Tot al over connect i on l i mi t number : 0 Tot al over connect i on r at e l i mi t number : 0 Syst emcl ass l i st st at i st i cs: F = Fl ag ( C- Connect i on, R- Request ) , Over - RL = Over r at e l i mi t Sour ce Dest i nat i on F Cur r ent Rat e Over - l i mi t Over - RL - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - +- +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - 20. 1. 2. 1 * C 0 0 0 0 Tot al : 1 The following command shows IP limiting statistics for virtual servers: AX#show pbslb virtual-server Vi r t ual ser ver cl ass l i st st at i st i cs: F = Fl ag ( C- Connect i on, R- Request ) , Over - RL = Over r at e l i mi t Sour ce Dest i nat i on F Cur r ent Rat e Over - l i mi t Over - RL - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - +- +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - 1. 1. 1. 1 20. 1. 11. 1: 80 R 0 0 0 2 20. 1. 2. 1 20. 1. 11. 1 C 0 0 0 0 20. 1. 2. 1 20. 1. 11. 1: 80 C 0 0 0 0 Tot al : 3 The following command shows IP limiting statistics for clients: AX#show pbslb client Cl i ent cl ass l i st st at i st i cs: F = Fl ag ( C- Connect i on, R- Request ) , Over - RL = Over r at e l i mi t Sour ce Dest i nat i on F Cur r ent Rat e Over - l i mi t Over - RL - - - - - - - - - - - - - - - +- - - - - - - - - - - - - - - - - - - - - +- +- - - - - - - - - +- - - - - - - - - +- - - - - - - - - - +- - - - - - - - - - 1. 1. 1. 1 20. 1. 11. 1: 80 R 0 0 0 2 20. 1. 2. 1 * C 0 0 0 0 20. 1. 2. 1 20. 1. 11. 1 C 0 0 0 0 20. 1. 2. 1 20. 1. 11. 1: 80 C 0 0 0 0 Tot al : 4 P e r f o r m a n c e b y D e s i g n 807 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Role-Based Administration The AX Series provides Virtualized Management, through Role-Based Administration (RBA). RBA allows administrators (admins) to configure and view SLB resources based on administrative domains (partitions). RBA supports separate partitions for these types of resources. Partitioning allows the AX device to be logically segmented to support separate configu- rations for different customers; for example, separate companies or separate departments within an enterprise. Admins assigned to a partition can man- age only the resources inside that partition. Note: RBA is backwards compatible with configurations saved under earlier AX releases. All resources are automatically migrated to a single, shared partition. 808 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Overview Figure183 shows an example of an AX device with multiple partitions. FIGURE 183 Role-Based Administration In this example, a service provider hosts an AX device shared by two com- panies: A.com and B.com. Each company has its own dedicated servers that they want to manage in entirety. The partition for A.com contains A.com's SLB resources. Likewise, the partition for B.com contains B.com's SLB resources. Admins assigned to the partition for A.com can add, modify, delete and save only those resources contained in A.com's partition. Likewise, B.com's admins can add, modify, delete and save only the resources in B.com's parti- tion. The following sections describe RBA in more detail. P e r f o r m a n c e b y D e s i g n 809 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Resource Partitions AX system resources are contained in partitions. The AX device has a sin- gle shared partition and can have multiple private partitions. Shared partition The shared partition contains resources that can be configured only by admins with Root or Read Write privileges. By default, all resources are in the shared partition. There is one shared par- tition for the device and it is the default partition. The shared partition cannot be deleted. Private partitions A private partition can be accessed only by the admins who are assigned to it, and by admins with Root, Read Write, or Read Only privileges. The AX device does not have any private parti- tions by default. Private partitions can be created or deleted only by admins who have Root or Read Write privileges. A maximum of 128 partitions are supported. (For descriptions of admin privileges, see Table26 on page811.) Types of Resources That Can Be Contained in Private Partitions Only certain types of resources can be contained in private partitions. In the current release, a private partition can contain SLB resources only: Real servers Virtual servers Service groups Templates Health monitors Certificates and keys aFleX policies All other types of resources can reside only in the shared partition and are not configurable by admins assigned to private partitions. Resource names must be unique within a partition. However, the same name can be used for resources in different partitions. For example, partitions A.com and B.com can each have a real server named rs1. The AX device is able to distinguish between them. 810 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Use of Shared Resources by Private Resources SLB resources in private partitions can use SLB resources in the shared par- tition, but cannot use resources in other private partitions. For example, a virtual service port in a private partition can be configured to bind to a ser- vice group in the shared partition, as shown in the following GUI example. FIGURE 184 Shared SLB Resource Used by Private SLB Resource Resources in a private partition cannot be used by resources in any other partition, whether private or shared. aFleX Policies By default, aFleX policies act upon resources within the partition that con- tains the aFleX policy. Some aFleX commands have an option to act upon service groups in the shared partition instead. (For more information, see the AX Series aFleX Reference.) Partition Logos Each private partition has a logo file associated with it. The logo appears in the upper left corner of the Web GUI. By default, the A10 Networks logo is used. Partition admins can replace the A10 Networks logo with a company logo. The recommended logo size is 180x60 pixels. The following examples show Web GUI pages for two private partitions. A company-specific logo has been uploaded for each partition. P e r f o r m a n c e b y D e s i g n 811 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 185 Configurable Partition Logos Administrator Roles The type of access (read-only or read-write) allowed to an admin, and the partitions where the access applies, depend on that admins privilege level (role). An admin account can have one of the privilege levels listed in Table26 on page811. Note: The Partition privilege levels apply specifically to admins who are assigned to private partitions. Table26 describes the admin roles. TABLE 26 Admin Privilege Levels Privilege Level (Role) Access to Shared Partition Access to Private Partition Can configure other admin accounts Can Change Own Password? Root Read-write Read-write Yes 1 Yes 2 Read Write Read-write Read-write No Yes Read Only Read-only Read-only No No Partition Write Read-only Read-write, for the partition to which the admin is assigned No Yes 812 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Types of Resources That Can Be Viewed and Saved By Private Partition Admins All admins can view resources in the shared partition. However, the only admins who can add, modify, or delete resources in the shared partition are admins with Root or Read Write privileges. Admins who are assigned to a partition can view but not modify resources in the shared partition. Admins assigned to a partition cannot view the resources in any other private parti- tion. Each partition has its own running-config and startup-config. When an admin assigned to a partition displays the running-config or startup-config, only the resources within the partition are listed. Likewise, when an admin assigned to a private partition saves the configu- ration, only the startup-config for that partition is modified. The configura- tion changes in the partitions running-config are copied to the partitions startup-config. Only admins with Root or Read Write privileges can select the partition(s) for which to save changes. Admins with Real Server Operator privileges can view real servers within the private partition and can disable or re-enable the real servers and their individual service ports. These admins have no other privileges. Partition Read Read-only Read-only, for the partition to which the admin is assigned No No Partition Real Server Opera- tor None Read-only for real servers, with permis- sion to view service port statistics, and to disable or enable real servers and real server ports. No other read-only or read-write privi- leges are granted. All access is restricted to the partition to which the admin is assigned. No No 1. Only the admin account named admin is allowed to configure other admin accounts, and cannot be deleted. Otherwise, the Root and Read-write privilege levels are the same. 2. The Root privilege level can also change the passwords of other admins. TABLE 26 Admin Privilege Levels (Continued) Privilege Level (Role) Access to Shared Partition Access to Private Partition Can configure other admin accounts Can Change Own Password? P e r f o r m a n c e b y D e s i g n 813 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Role-Based Administration Configuring Role-Based Administration To configure role-based administration, log in using an admin account with Root privileges, and perform the following steps: 1. Configure partitions. 2. Configure admin accounts and assign them to partitions. 3. Configure any SLB shared resources that you want to make available to multiple private partitions. (For information about configuring SLB resources, see the SLB configuration chapters in this guide.) Configuration of SLB resources within a private partition can be performed by an admin with Partition-write privileges who is assigned to the partition. Note: This document shows how to set up partitions and assign admins to them. The partition admins will be able to configure their own SLB resources. However, you will need to configure connectivity resources such as inter- faces, VLANs, routing, and so on. You also will need to configure any additional admin accounts for the partition. Note: To configure admin accounts, you must be logged in with Root privileges. Configuring Private Partitions To configure a private partition, use either of the following methods. USING THE GUI 1. Select Config >System >Admin. 2. On the menu bar, select Partition. 3. Click New. The Partition section appears. 4. Enter a name for the partition. 5. To upload a logo for the partition, click Browse and navigate to the logo file. 6. If a partition logo is not uploaded, the A10 Networks logo is used by default. 7. Click OK. The new partition appears in the partition list. 814 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Role-Based Administration FIGURE 186 Config >System>Admin >Partition FIGURE 187 Config >System>Admin >Partition - List USING THE CLI To configure a private partition, use the following command at the global configuration level of the CLI: partition partition-name [ max-aflex-file num] The partition-name can be 1-14 characters. (For information about the max- aflex-file option, see Changing the Maximum Number of aFleX Policies Allowed in a Partition on page814.) Changing the MaximumNumber of aFleX Policies Allowed in a Partition By default, each partition is allowed to have a maximum of 32 aFleX poli- cies. If a partition admin attempts to add more aFleX policies than are allowed for the partition, an error message is displayed to the admin. You can specify a maximum of 1-128 aFleX policies, on an individual parti- tion basis. P e r f o r m a n c e b y D e s i g n 815 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Role-Based Administration USING THE GUI 1. Select Config >System >Admin. 2. On the menu bar, select Partition. 3. Select the partition. (Click the checkbox next to the partition name.) 4. Edit the number in the Max aFleX File field. You can specify 1-128. 5. Click OK. USING THE CLI The max-aflex-file option of the partition command specifies the maxi- mum number of aFleX policies that can belong to the partition. You can specify 1-128. The default is 32. Migrating Resources Between Partitions Resources cannot be moved directly from one partition to another. To move resources, an admin must delete the resources from the partition they are in, then recreate the resources in the new partition. Deleting a Partition Only an admin with Root or Read Write privileges can delete a partition. When a partition is deleted, all resources within the partition also are deleted. USING THE GUI 1. Select Config >System >Admin. 2. On the menu bar, select Partition. 3. Select the partition. (Click the checkbox next to the partition name.) 4. Click Delete. USING THE CLI To delete a partition, use the following command at the global configuration level of the CLI: no partition [ partition-name] 816 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Role-Based Administration If you do not specify a partition name, the CLI displays a prompt to verify whether you want to delete all partitions and the resources within them. Enter y to confirm or n to cancel the request. Configuring Partition Admin Accounts To configure admin accounts and assign them to partitions, use either of the following methods. Note: To delete an admin account, see Deleting an Admin Account on page684. USING THE GUI To configure an admin account for a private partition: 1. Select Config >System >Admin (if not already selected). 2. On the menu bar, select Admin Management. 3. Click New. The Admin section appears. 4. Enter a name and password for the admin. 5. From the Role drop-down list, select one of the following: Partition Write Admin Gives read-write privileges within the par- tition you select below. Partition Read Admin Gives read-only privileges within the parti- tion you select below. Partition RS Operator Allows the admin to view, disable, or re- enable real servers and service ports in the partition. No other read or write privileges are granted. 6. From the Partition drop-down list, select the partition to which you are assigning the admin. 7. Click OK. The new admin appears in the admin list with their respective partition logos. P e r f o r m a n c e b y D e s i g n 817 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Role-Based Administration FIGURE 188 Config >System>Admin >Admin Management USING THE CLI To configure an admin account for a private partition, use the following commands: [ no] admin admin-username password string [ no] privilege {partition-write | partition-read | partition-enable-disable} partition-name The admin command creates the admin account and changes the CLI to the configuration level for the account. The command syntax shown here includes the password option. You can specify the password with the admin command, or with the separate password command at the configu- ration level for the account. The default password is a10. The privilege command specifies the privilege level for the account and assigns the account to a partition. (The partition-enable-disable option gives Partition Real Server Operator privileges.) Note: The other admin configuration commands do not apply specifically to role-based administration. For information about these other commands, see Configuring Additional Admin Accounts on page679. 818 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Role-Based Administration CLI Example The following commands configure two private partitions, companyA and companyB, and verify that they have been created. AX( conf i g) #partition companyA AX( conf i g) #partition companyB AX( conf i g) #show partition Max Number al l owed: 128 Tot al Number of par t i t i ons conf i gur ed: 2 Par t i t i on Name Max. aFl eX Fi l e Al l owed # of Admi ns - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - companyA 32 0 companyB 32 0 The following commands configure an admin account for each partition: AX( conf i g) #admin compAadmin password compApwd AX( conf i g- admi n: compAadmi n) #privilege partition-write companyA Modi f y Admi n User successf ul ! AX( conf i g- admi n: compAadmi n) #exit AX( conf i g) #admin compBadmin password compBpwd AX( conf i g- admi n: compBadmi n) #privilege partition-write companyB Modi f y Admi n User successf ul ! AX( conf i g- admi n: compBadmi n) #exit The following command displays the admin accounts: AX( conf i g) #show admin User Name St at us Pr i vi l ege Par t i t i on - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - admi n Enabl ed Root compAadmi n Enabl ed P. R/ W companyA compBadmi n Enabl ed P. R/ W companyB The show admin command shows privilege information as follows: Root The admin has Root privileges. R/W The admin has Read Write privileges. R The admin has Read Only privileges. P.R/W The admin is assigned to a private partition and has Partition- write (read-write) privileges within that partition. P e r f o r m a n c e b y D e s i g n 819 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Viewing and Saving the Configuration P.R The admin is assigned to a private partition and has Partition-read (read-only) privileges within that partition. P.RS Op The admin is assigned to a private partition but has permis- sion only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers. Viewing and Saving the Configuration Admins with Root, Read Write, or Read Only privileges can view resources in any partition. Admins assigned to a partition can view the resources in the shared partition and in their own private partition but not in any other pri- vate partition. Admins with Root or Read Write privileges can save resources in any parti- tion. Admins with Partition-write privileges can save only the resources within their own partition. Viewing the Configuration To view configuration information on an AX device configured with private partitions, use either of the following methods. USING THE GUI See Switching To Another Partition on page821. USING THE CLI To view the configuration, use the following commands: show running-config [ all-partitions | partition partition-name] show startup-config [ all-partitions | partition partition-name] If you enter the command without either option, the command shows only the resources that are in the shared partition. The all-partitions option shows all resources in all partitions. In this case, the resources in the shared partition are listed first. Then the resources in each private partition are listed, organized by partition. 820 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Viewing and Saving the Configuration If you specify a private partition-name, only the resources in that partition are listed. Note: If an admin assigned to a private partition uses the all-partitions option, the option does not list resources in any other private partitions. Similarly, if a partition admin enters the name of another private partition for parti- tion-name, an Insufficient privilege warning message appears. The resources of the other partition are not displayed. Saving the Configuration To save the configuration on an AX device configured with private parti- tions, use either of the following methods. USING THE GUI To save the configuration in the GUI, click the Save button on the title bar. The GUI automatically saves only the resources that are in the current parti- tion view. For example, if the partition view is set to the companyB pri- vate partition, only the resources in that partition are saved. USING THE CLI To save the configuration, use the following command: write memory [ all-partitions | partition partition-name] If you enter the command without either option, the command saves only the changes for resources that are in the current partition. The all-partitions option saves changes for all resources in all partitions. If you specify a private partition-name, only the changes for the resources in that partition are saved. Caution: Before saving all partitions or before a reload, reboot, or shutdown operation, a Root or Read Write admin should notify all partition admins to save their configurations if they wish to. Saving all parti- tions without consent from the partition admins is not recommended. Note: The all-partitions and partition partition-name options are not applica- ble for admins with Partition-write privileges. Partition admins can only save their respective partitions. For these admins, the command syntax is P e r f o r m a n c e b y D e s i g n 821 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Switching To Another Partition the same as in previous releases. The options are available only to admins with Root or Read Write privileges. Note: A configuration can be saved to a different configuration profile name (rather than being written to startup-config), as supported in previous releases. In this case, the resources that are saved depend on the parti- tion(s) to which the write memory command is applied. Unless the resources in the shared partition are being saved, the configuration profile name used with the write memory command must already exist. The command does not create new configuration profiles for private parti- tions. Switching To Another Partition Admins with Root, Read Write, or Read Only privileges can select the parti- tion to view. When an admin with one of these privilege levels logs in, the view is set to the shared partition by default, which means all resources are visible. To change the view to a private partition, use either of the following meth- ods. USING THE GUI 1. On the title bar, select the partition from the Partition drop-down list. A dialog appears, asking you to confirm your partition selection. 2. Click Yes. 3. Click the Refresh button next to the Partition drop-down list. You must refresh the page in order for the view change to take effect. USING THE CLI Use the following command at the Privileged EXEC level of the CLI: active-partition {partition-name | shared} To change the view to a private partition, specify the partition name. To change the view to the shared partition, specify shared. 822 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Synchronizing the Configuration The following command changes the view to private partition companyA: AX#active-partition companyA Cur r ent l y act i ve par t i t i on: companyA To display the currently active partition, use the following command: show active-partition Synchronizing the Configuration When an admin assigned to a private partition synchronizes the configura- tion to the other AX device in a High-Availability (HA) pair, the resources in the private partition are synchronized for that partition. No other resources are synchronized. An admin with Root or Read Write privileges can specify any partitions(s) to synchronize. Note: If you plan to synchronize the Active AX devices running-config to the Standby AX devices running-config, make sure to use one of the follow- ing synchronization options. Performing any one of these options ensures that new private partitions appear correctly in the Standby AX devices configuration. Synchronize all partitions Synchronize the shared partition to the startup-config first, then syn- chronize the private partition to the running-config. On the Active AX device, synchronize the shared partition to the run- ning-config first. Log onto the Standby AX device and save the shared partition (write memory partition shared). Then, on the Active AX device, synchronize the private partition to the running-config. Note: In the current release, HA config-sync to a partition is supported only for Active-Standby HA configurations. USING THE GUI In the GUI, the synchronization applies only to the current partition. P e r f o r m a n c e b y D e s i g n 823 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Synchronizing the Configuration USING THE CLI The ha sync commands have new options that enable you to specify the partition. For admins with Root or Read Write privileges, here is the new syntax for the ha sync commands: ha sync all {to-startup-config [ with-reload] | to-running-config} [ all-partitions | partition partition-name] ha sync startup-config {to-startup-config [ with-reload] | to-running-config} [ all-partitions | partition partition-name] ha sync running-config {to-startup-config [ with-reload] | to-running-config} [ all-partitions | partition partition-name] ha sync data-files [ all-partitions | partition partition-name] To synchronize the configuration for all partitions, use the all-partitions option. To synchronize only a specific private partition, use the partition partition-name option. By default, the synchronization applies only to the current partition. If you plan to use the ha sync running-config to-running-config com- mand, see the note at the beginning of this section first. For admins logged on with Partition Write privileges, the following syntax is available: ha sync all to-startup-config ha sync startup-config to-startup-config ha sync running-config to-startup-config ha sync data-files Admins with Partition Write privileges are not allowed to synchronize to the running-config or to reload the other AX device. 824 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Operator Management of Real Servers Operator Management of Real Servers This section is for admins with Partition Real Server Operator privileges. The procedures in this section explain how to view service port statistics, and how to disable or re-enable real servers and individual service ports on the servers. Note: Service port statistics are not available in the GUI. To display service port statistics, use the CLI instead. USING THE GUI This section describes how to enable or disable real servers and service ports using the GUI. To Disable or Re-Enable Servers 1. Log in with your Partition-enable-disable account. 2. Select the checkbox next to each server you want to disable or re-enable, or click Select All to select all of the servers. 3. Click Disable or Enable. FIGURE 189 Real Server Management in Operator Mode Note: Although the GUI displays the Delete and New buttons, these buttons are not supported for admins with Partition Real Server Operator privileges. To Disable or Re-Enable Individual Real Server Ports 1. Log in with your Partition Real Server Operator account. 2. Select the checkbox next to each server for which you want to disable or re-enable service ports, or click Select All to select all of the servers. 3. Click Edit. 4. A list of all the service ports on the selected servers is displayed. P e r f o r m a n c e b y D e s i g n 825 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Operator Management of Real Servers 5. Select the port numbers you want to disable or re-enable. A single row appears for each port number. Selecting a row selects the port number on each of the real servers you selected in step 2. 6. Click Disable or Enable. 7. Click OK. FIGURE 190 Disabling Service Ports Selecting the Servers FIGURE 191 Disabling Service Ports Selecting the Ports USING THE CLI To View Service Statistics To view configuration information and statistics for real servers used by the partition, log in with your Partition-enable-disable account and use the fol- lowing command: show slb server [ server-name] [ config] 826 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Operator Management of Real Servers CLI Example l ogi n as: compAoper Wel come t o AX Usi ng keyboar d- i nt er act i ve aut hent i cat i on. Passwor d: ******** Last l ogi n: Wed Aug 20 08: 58: 45 2008 f r om192. 168. 1. 130 [ t ype ? f or hel p] AX>show slb server Tot al Number of Ser vi ces conf i gur ed: 2 Cur r ent = Cur r ent Connect i ons, Tot al = Tot al Connect i ons Fwd- pkt = For war d packet s, Rev- pkt = Rever se packet s Ser vi ce Cur r ent Tot al Fwd- pkt Rev- pkt St at e - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - compAr s1: 80/ t cp 23 320543 1732383 1263164 Up / 60 ms compAr s1: Tot al 23 321024 1732383 1263164 Up AX>show slb server config Tot al Number of Ser vi ces conf i gur ed: 2 H- check = Heal t h check Max conn = Max. Connect i on Wgt = Wei ght Ser vi ce Addr ess H- check St at us Max conn Wgt - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - compAr s1: 80/ t cp 7. 7. 7. 7 Def aul t Enabl e 1000000 1 compAr s1 7. 7. 7. 7 Def aul t Di sabl e 1000000 1 compAr s2: 80/ t cp 8. 8. 8. 8 Def aul t Enabl e 1000000 1 compAr s2 8. 8. 8. 8 Def aul t Enabl e 1000000 1 To Disable or Re-Enable Servers Use the following commands to access the configuration level of the CLI: enable config The enable command accesses the Privileged EXEC level. The end of the command prompt changes from >to #. If you are prompted for a password, enter the enable password assigned by the root administrator. The config command accesses the configuration level. At the configuration level, use the following command to access the opera- tion level for the real server: slb server server-name [ ipaddr] P e r f o r m a n c e b y D e s i g n 827 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Operator Management of Real Servers Use one of the following commands to change the state of the server: {disable | enable} To verify the state change, use the show slb server command. To Disable or Re-Enable Real Service Ports Access the configuration level, then use the following command to access the operation level for the server: slb server server-name [ ipaddr] Use the following command to access the operation level for the service port: port port-num {tcp | udp} Use one of the following commands to change the state of the service port: {disable | enable} To verify the state change, use the show slb server command. CLI Example The following commands access the configuration level and disable real server compArs1 and verify the change: AX>enable Passwor d: ******** AX#config AX( conf i g) #slb server compArs1 AX( conf i g- r eal ser ver ) #disable AX( conf i g) #show slb server compArs1 Tot al Number of Ser vi ces conf i gur ed on Ser ver compAr s1: 1 Cur r ent = Cur r ent Connect i ons, Tot al = Tot al Connect i ons Fwd- pkt = For war d packet s, Rev- pkt = Rever se packet s Ser vi ce Cur r ent Tot al Req- pkt Rev- pkt St at e/ Rsp Ti me - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - compAr s1: 80/ t cp 0 0 0 0 Down 0. 00 ms compAr s1: Tot al 0 0 0 0 Di sabl ed AX( conf i g) #show slb server compArs1 config Tot al Number of Ser vi ces conf i gur ed on Ser ver compAr s1: 1 H- check = Heal t h check Max conn = Max. Connect i on Wgt = Wei ght Ser vi ce Addr ess H- check St at us Max conn Wgt - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - compAr s1: 80/ t cp 7. 7. 7. 7 Def aul t Enabl e 1000000 1 compAr s1 7. 7. 7. 7 Def aul t Di sabl e 1000000 1 828 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Operator Management of Real Servers P e r f o r m a n c e b y D e s i g n 829 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters SLB Parameters This chapter lists the parameters you can configure for Server Load Balanc- ing (SLB). Note: This chapter is intended only as a reference. Not every configurable parameter will apply to a given SLB application. For information about specific applications, see the individual SLB configuration chapters in this guide. For information about health monitoring parameters, see Health Moni- toring on page381. For information about GSLB parameters, see Global Server Load Bal- ancing on page435. For information about FWLB parameters, see Firewall Load Balancing on page333. Service Template Parameters The tables in this section list the template types that are valid for each ser- vice type, and the configurable settings in each type of template. Note: For information about server and port configuration templates, see Server and Port Templates on page361. Table29 lists the types of templates that are valid for each service type. When you configure a virtual port, the AX device automatically adds any default templates that are applicable to the service type. To override a default template, you can configure another template of the same type and bind that template to the virtual port instead. For example, when you configure a virtual port that has the service type Fast-HTTP, the following templates are automatically applied to the service port: TCP HTTP Connection Reuse (The parameters in this default template are all unset.) 830 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters For information about the default settings in a template, see the section in this chapter that describes the template. To override the settings in a default template, you must configure another template of the same type and apply that template to the service port instead. For example, to override the settings that will be applied from the HTTP template, configure another HTTP template and assign that one to the vir- tual port instead. A virtual port can have only one of each type of template that is valid for the ports service type, so when you add a template to the virtual port, the other template of the same type is automatically removed from the virtual port. TABLE 27 Template Types Valid for Service Types Service Type Template Type Fast- HTTP H T T P H T T P S F T P M M S R T S P S I P SIP- TCP S I P S S M T P SSL- Proxy T C P U D P Others Cache V V Client SSL 1 V V V V Connection Reuse V V V V V Cookie Persistence V V V DNS V V Destination-IP Persistence 2 V HTTP V V V Policy V V V V V V V V V V V V V V Server SSL V V V V V Source-IP Persistence V V V V V V V V V V V V SIP V V V SMTP V SSL Session-ID Persistence V Streaming- media V TCP V V V V V V TCP-Proxy V V V V V V UDP V V V 1. To use a client-SSL template, you must install a valid certificate and key on the AX device, then configure the template to refer to the certificate and key. 2. Destination-IP persistence templates apply only to wildcard virtual ports. P e r f o r m a n c e b y D e s i g n 831 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Cache Template Parameters Table28 lists the parameters you can configure in RAM caching templates. TABLE 28 Cache Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template cache template-name Config >Service >Template >Application > RAM Caching String of 1-31 characters Default: default. The default tem- plate has the default values listed below. Age time Number of seconds a cached object can remain in the AX RAM cache without being requested. [ no] age seconds Config >Service >Template >Application > RAM Caching 1-999999 seconds (about 11-1/2 days) Default: 3600 seconds (1 hour) Default cache action Controls whether the default action is to cache cacheable objects, or not cache them. If you change the default action to nocache, the AX device can cache only those objects that match a dynamic pol- icy rule that has the cache action. [ no] default-policy-nocache Config >Service >Template >Application > RAM Caching Enabled or disabled Default: disabled (Cacheable objects are cached by default.) Reload header support Enables support for the following Cache-Control headers: Cache-Control: no-cache Cache-Control: max-age=0 When support for these headers is enabled, either header causes the AX device to reload the cached object from the origin server. [ no] accept-reload-req Config >Service >Template >Application > RAM Caching Enabled or disabled Default: disabled Cache size Size of the AX RAM cache. The total size of all RAM caches combined can be 512 Mbytes on systems with 2 GBytes of memory and 1024 Mbytes on systems with 4GBytes of memory. (To display the amount of memory your system has, enter the show version command.) [ no] max-cache-size Mbyt es Config >Service >Template >Application > RAM Caching 1-512 Mbytes Default: 80 Mbytes 832 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Maximum object size Maximum object size that can be cached. The AX device will not cache objects larger than this size. [ no] max-content-size bytes Config >Service >Template >Application > RAM Caching 1-8000000 bytes Default: 81920 bytes (80 Kbytes) Minimum object size minimum object size that can be cached. The AX device will not cache objects smaller than this size. [ no] min-content-size bytes Config >Service >Template >Application > RAM Caching 1-8000000 bytes Default: 500 bytes (1/2 Kbytes) Dynamic caching policy Configures dynamic caching. [ no] policy uri pattern {cache [ seconds] | nocache | invalidate inv-pattern} The pattern option specifies the portion of the URI string to match on. The other options specify the action to take for URIs that match the pattern: cache [seconds] Caches the content. By default, the content is cached for the number of seconds configured in the template (set by the age com- mand). To override the aging period set in the template, specify the number of seconds with the cache command. nocache Does not cache the content. invalidate inv-pattern Invalidates the content that has been cached for inv-pattern. Config >Service >Template >Application > RAM Caching Note: If a URI matches the pattern in more than one policy rule, the rule with the most specific match is used. Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. Valid URI pattern. Default: Not set Verify host Enables the AX device to cache the host name in addition to the URI for cached content. Use this option if a real server that contains cacheable con- tent will host more than one host name (for exam- ple, www.abc.com and www.xyz.com). [ no] verify-host Config >Service >Template >Application > RAM Caching Default: Disabled TABLE 28 Cache Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 833 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Client SSL Template Parameters Table29 lists the parameters you can configure in client SSL templates. Age header insertion Disables insertion of Age headers into cached responses. [ no] disable-insert-age Config >Service >Template >Application > RAM Caching Default: Disabled (Age header inser- tion is enabled.) Via header insertion Enables insertion of Via headers into cached responses. [ no] disable-insert-via Config >Service >Template >Application > RAM Caching Default: Disabled (Age header inser- tion is enabled.) Cookie removal Removes cookies from server replies so the replies can be cached. RAM caching does not cache server replies that contain cookies. (Image files are an exception. RAM caching can cache images that have cookies.) [ no] remove-cookies Note: The current release does not support configu- ration of this option using the GUI. Default: Disabled Replacement policy Policy used to make room for new objects when the RAM cache is full. When the RAM cache becomes more than 90% full, the AX device discards the least-frequently used objects to ensure there is sufficient room for new objects. [ no] replacement-policy LFU Config >Service >Template >Application > RAM Caching The policy supported in the current release is Least Frequently Used (LFU). Default: LFU TABLE 28 Cache Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 29 Client SSL Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template client-ssl template-name Config >Service >Template >SSL >Client SSL String of 1-31 characters Default: default. The default tem- plate has the default values listed below. 834 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Certificate Authority (CA) certificate name Name of the Certificate Authority (CA) certificate to use for validating client certificates. [ no] ca-cert cert-name Config >Service >Template >SSL >Client SSL Note: To use the certificate, you must import it onto the AX device. (See Importing SSL Certificates on page467.) Name of a CA certificate imported onto the AX device Certificate name Certificate to use for terminating or initiating SSL connections with clients. [ no] cert cert-name Config >Service >Template >SSL >Client SSL Note: To use the certificate, you must import it onto the AX device. (See Importing SSL Certificates on page467.) Name of a certificate imported onto the AX device Certificate key-chain name Chain of certificates to use for terminating or initiat- ing SSL connections with clients. [ no] chain-cert chain-cert-name Config >Service >Template >SSL >Client SSL String of 1-31 characters Certificate key Key for the certificate, and the passphrase used to encrypt the key. [ no] key key-name [ passphrase passphrase-string] Config >Service >Template >SSL >Client SSL Key name: string of 1-31 characters Passphrase: string of 1-16 characters Default: None configured TABLE 29 Client SSL Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 835 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters AX response to connection request from cli- ent Action that the AX device takes in response to a cli- ents connection request. [ no] client-certificate {ignore | request | require} Config >Service >Template >SSL >Client SSL One of the following: ignore The AX device does not request the client to send its certifi- cate. request The AX device requests the client to send its certificate. With this action, the SSL handshake pro- ceeds even if either of the following occurs: The client sends a NULL certifi- cate (one with zero length). The certificate is invalid, causing client verification to fail. Use this option if you want to the request to trigger an aFleX policy for further processing. require The AX device requires the client certificate. This action requests the client to send its certifi- cate. However, the SSL handshake does not proceed (it fails) if the cli- ent sends a NULL certificate or the certificate is invalid. Default: ignore Certificate Revocation List (CRL) CRL to use for verifying that client certificates have not been revoked. When you add a CRL to a client SSL template, the AX device checks the CRL to ensure that the certif- icates presented by clients have not been revoked by the issuing CA. [ no] crl filename Config >Service >Template >SSL >Client SSL Note: If you plan to use a CRL, you must set the Mode to Require. Note: To use the CRL, you must import it onto the AX device. (See Importing SSL Certificates on page467.) Name of a CRL imported onto the AX device Session cache size Maximum number of cached sessions for SSL ses- sion ID reuse. [ no] session-cache-size number Config >Service >Template >SSL >Client SSL 0-131072 Default: 0 (session ID reuse is dis- abled) TABLE 29 Client SSL Template Parameters (Continued) Parameter Description and Syntax Supported Values 836 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Connection Reuse Template Parameters Table30 lists the parameters you can configure in connection reuse tem- plates. Ciphers Cipher suite to support for decrypting certificates from clients. [ no] cipher Config >Service >Template >SSL >Client SSL - Cipher One or more of the following: SSL3_RSA_DES_192_CBC3_SHA SSL3_RSA_DES_40_CBC_SHA SSL3_RSA_DES_64_CBC_SHA SSL3_RSA_RC4_128_MD5 SSL3_RSA_RC4_128_SHA SSL3_RSA_RC4_40_MD5 TLS1_RSA_AES_128_SHA TLS1_RSA_AES_256_SHA TLS1_RSA_EXPORT1024_RC4_56 _MD5 TLS1_RSA_EXPORT1024_RC4_56 _SHA Default: All the above are enabled. Close notification Closure alerts for SSL sessions. When this option is enabled, the AX device sends a close_notify mes- sage when an SSL transaction ends, before sending a FIN. This behavior is required by certain types of client applications, including PHP cgi. For this type of client, if the AX device does not send a close_notify, an error or warning appears on the cli- ent. [ no] close-notify Config >Service >Template >SSL >Client SSL - Cipher Enabled or disabled Default: disabled TABLE 29 Client SSL Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 30 Connection Reuse Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template connection-reuse template-name Config >Service >Template >Connection Reuse String of 1-31 characters Default: default. The default tem- plate has the default values listed below. P e r f o r m a n c e b y D e s i g n 837 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Cookie Persistence Template Parameters Table31 lists the parameters you can configure in cookie persistence tem- plates. Connection limit Maximum number of reusable connections per server port. The smart flow control option queues HTTP packets from clients when a server port reaches its config- ured connection limit, instead of dropping the pack- ets. [ no] limit-per-server number [ smart-flow-control queue-depth] Config >Service >Template >Connection Reuse Limit-per-server 0-65535. For unlimited connections, specify 0. Queue-depth for smart flow control 1-32000 Defaults: Limit-per-server: 1000 Smart flow control: disabled. If this option is enabled, the default queue depth is 1000. Connection keepalive Number of new reusable connections to open before beginning to reuse existing connections. You can specify 1-1024 connections. [ no] keep-alive-conn number Config >Service >Template >Connection Reuse 1-1024 connections Default: 100 Connection idle timeout Maximum number of seconds a connection can remain idle before it times out. [ no] timeout seconds Config >Service >Template >Connection Reuse 0-3600 seconds To disable timeout, specify 0. Default: 2400 seconds (40 minutes) TABLE 30 Connection Reuse Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 31 Cookie Persistence Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template persist cookie template-name Config >Service >Template >Persistent >Cookie Persistence String of 1-31 characters Default: default. The default tem- plate has the default values listed below. Cookie expiration Number of seconds a cookie persists on a clients PC before being deleted by the clients browser. [ no] expire expire-seconds Config >Service >Template >Persistent >Cookie Persistence 0 to 31,536,000 seconds (one year) If you specify 0, cookies persist only for the current session. Default: 10 years Note: Although the default is 10 years (essentially, unlimited), the maximum configurable expiration is one year. 838 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Domain Adds the specified domain name to the cookie. [ no] domain domain-name Config >Service >Template >Persistent >Cookie Persistence Valid domain name Default: Not set Path Adds path information to the cookie. [ no] path path-name Config >Service >Template >Persistent >Cookie Persistence 1-31 characters Default: / Insert always Specifies whether to insert a new persistence cookie in every reply, even if the request already had an AX cookie. [ no] insert-always Config >Service >Template >Persistent >Cookie Persistence Enabled or disabled Default: Disabled. The AX device inserts a persistence cookie only if the client request does not contain a per- sistence cookie inserted by the AX device, or if the server referenced by the cookie is unavailable. Match type Changes the granularity of cookie persistence: Port The cookie inserted into the HTTP header of the server reply to a client ensures that subse- quent requests from the client will be sent to the same real port on the same real server. Server The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client for the same VIP are sent to the same real server. (This assumes that all virtual ports of the VIP use the same cookie persistence template with match- type set to Server.) Service Group Enables support for URL switching or host switching along with cookie persistence. Without this option, URL switch- ing or host switching can be used only for the initial request from the client. After the ini- tial request, subsequent requests are always sent to the same service group. Note: To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option. [ no] match-type {server | service-group} Config >Service >Template >Persistent >Cookie Persistence One of the following: Port (selectable in the GUI but not in the CLI) Server Service-group Default: Port TABLE 31 Cookie Persistence Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 839 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Destination-IP Persistence Template Parameters Table32 lists the parameters you can configure in destination-IP persistence templates. Cookie name Specifies the name of the persistence cookie. The format of the cookie depends on the match type. [ no] name cookie-name Config >Service >Template >Persistent >Cookie Persistence String of 1-63 characters Default: sto-id Ignore connection limits Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connec- tions) are likely to be used for the same persistent cookie. [ no] dont-honor-conn-rules Config >Service >Template >Persistent >Cookie Persistence Enabled or Disabled Default: Disabled. By default, the con- nection limit set on real servers and real ports is used. TABLE 31 Cookie Persistence Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 32 Destination-IP Persistence Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template persist destination-ip template-name Config >Service >Template >Persistent > Destination IP Persistence String of 1-31 characters Default: default. The default tem- plate has the default values listed below. 840 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Match type Granularity of persistence: Port Traffic from a given client to the same vir- tual port is always sent to the same real port. This is the most granular setting. Server Traffic from a given client to the same VIP is always sent to the same real server, for any service port requested by the client. Service-group This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a ser- vice group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the ser- vice group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is per- formed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected. Note: To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option. [ no] match-type {server | service-group} Config >Service >Template >Persistent > Destination IP Persistence One of the following: Port (selectable in the GUI but not in the CLI) Server Service-group Default: Port TABLE 32 Destination-IP Persistence Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 841 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Netmask Granularity of IP address hashing for initial server port selection. You can specify an IPv4 network mask in dotted decimal notation. To configure initial server port selection to occur once per destination VIP subnet, configure the network mask to indicate the subnet length. For example, to select a server port once for all requested VIPs within a subnet such as 10.10.10.x, 192.168.1.x, and so on (class C subnets), use mask 255.255.255.0. SLB selects a server port for the first request to the given VIP subnet, the sends all other requests for the same VIP subnet to the same port. To configure initial server port selection to occur independently for each requested VIP, use mask 255.255.255.255. (This is the default.) [ no] netmask ipaddr Config >Service >Template >Persistent > Destination IP Persistence Valid IPv4 network mask Default: 255.255.255.255 Timeout Number of minutes the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server. [ no] timeout timeout-minutes Config >Service >Template >Persistent > Destination IP Persistence 1-2000 minutes (about 33 hours) Default: 5 minutes Ignore connection limits Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connec- tions) are likely to be used for the same persistent client source IP address. [ no] dont-honor-conn-rules Config >Service >Template >Persistent > Destination IP Persistence Enabled or Disabled Default: Disabled. By default, the con- nection limit set on real servers and real ports is used. TABLE 32 Destination-IP Persistence Template Parameters (Continued) Parameter Description and Syntax Supported Values 842 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters DNS Template Parameters Table33 lists the parameters you can configure in DNS templates. HTTP Template Parameters Table34 lists the parameters you can configure in HTTP templates. TABLE 33 DNS Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template dns template-name Config >Service >Template >Application >DNS String of 1-31 characters Default: None. Action for malformed DNS queries (DNS security) Action to take if the AX device detects a malformed DNS query: Drop Drops the query Forward to service group Forwards the query to another service group. This option is useful if you want to quarantine and examine the malformed queries, while still keeping them away from the DNS server. You must specify the service group. [ no] slb template dns template-name Config >Service >Template >Application >DNS Drop or forward To use the forward option, you also must specify the service group name. Default: drop TABLE 34 HTTP Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template http template- name Config >Service >Template >Application >HTTP String of 1-31 characters Default: default. The default tem- plate has the default values listed below. Failover URL Fallback URL to send in an HTTP 302 response when all real servers are down. [ no] failover-url url-string Config >Service >Template >Application >HTTP Valid URL Default: Not set P e r f o r m a n c e b y D e s i g n 843 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Retry and reassignment when server replies with 5xx status code Configures the AX device to retry sending a clients request to a service port that replies with an HTTP 5xx status code, and reassign the request to another server if the first server replies with a 5xx status code. The first command shown below stops using a ser- vice port for 30 seconds after reassignment. The second command does not. [ no] retry-on-5xx num [ no] retry-on-5xx-per-req num Config >Service >Template >Application >HTTP By default, logging of HTTP retries is disabled by default. To enable logging of HTTP retries, use the following command at the configuration level for the HTTP template: [ no] log-retry Note: The current release does not support configu- ration of the log-retry option using the GUI. Note: This option is supported only for virtual port types HTTP and HTTPS. It is not supported for fast- HTTP or any other virtual port type. 1-3 Default: Disabled. The AX device sends the 5xx status code to the client. When you enable this option, the default number of retries is 3. Logging of retries Logs HTTP retries. An HTTP retry occurs when the AX device resends a clients HTTP request to a server because the server did not reply to the first request. (HTTP retries are enabled using the retry-on-5xx or retry-on-5xx-per-req option in the HTTP template.) [ no] log-retry Note: The current release does not support configu- ration of this option using the GUI. Enabled or disabled Default: disabled TABLE 34 HTTP Template Parameters (Continued) Parameter Description and Syntax Supported Values 844 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Compression Offloads Web servers from CPU-intensive HTTP compression operations. [ no] compression {enable | content-type content-string | exclude-content-type content- string | exclude-uri uri-string | keep-accept-encoding enable | level number | minimum-content-length number} Config >Service >Template >Application >HTTP Note: Compression is supported only for HTTP and HTTPS virtual ports. Compression is not supported of fast-HTTP virtual ports. Any of the following: enable Enables compression. content-type Specifies the types of content to compress, based on a string in the content-type header of the HTTP response. The content- string can be 1-31 characters long. exclude-content-type Specifies the types of content to exclude from compression. exclude-uri Specifies URI strings (up to 31 characters) to exclude from compression. keep-accept-encoding enable Leaves the Accept-Encoding header in HTTP requests from clients instead of removing the header. level Specifies the compression level, 1-9. Each level provides a higher compression ratio, begin- ning with level 1, which provides the lowest compression ratio. A higher compression ratio results in a smaller file size after compression. However, higher compression levels also require more CPU processing than lower compression levels, so performance can be affected. minimum-content-length Speci- fies the minimum length (in bytes) a server response can be in order to be compressed. The length applies to the content only and does not include the headers. You can specify 0-2147483647 bytes. TABLE 34 HTTP Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 845 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Compression (cont.) Compression is disabled by default. When it is enabled, the compression options have the following defaults: content-type text and applica- tion included by default exclude-content-type not set exclude-content not set keep-accept-encoding disabled level 1 minimum-content-length 120 bytes Header insert / replace Inserts the specified header into an HTTP request or reply. [ no] request-header-insert field:value [ insert-always | insert-if-not-exist] [ no] response-header-insert field:value [ insert-always | insert-if-not-exist] Config >Service >Template >Application >HTTP Note: These options are not supported with the fast- http service type. The AX device does not allow an HTTP template with any of the header erase or header insert options to be bound to a fast-http vir- tual port. Likewise, the AX device does not allow header options to be added to an HTTP template that is already bound to a fast-http virtual port. String of 1-256 characters Default: Not set Header erase Erases the specified header from an HTTP request or reply. [ no] request-header-erase field [ no] response-header-erase field Config >Service >Template >Application >HTTP Note: These options are not supported with the fast- http service type. The AX device does not allow an HTTP template with any of the header erase or header insert options to be bound to a fast-http vir- tual port. Likewise, the AX device does not allow header options to be added to an HTTP template that is already bound to a fast-http virtual port. Note: You can use URL switching or Host switch- ing in an HTTP template, but not both. String of 1-256 characters Default: Not set TABLE 34 HTTP Template Parameters (Continued) Parameter Description and Syntax Supported Values 846 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Host switching Selects a service group based on the value in the Host field of the HTTP header. The selection over- rides the service group configured on the virtual port. If the host-string does not match, the service group configured on the virtual port is used. Selection is performed using the following match filters: starts-with host-string matches only if the hostname or IP address starts with host-string. contains host-string matches if the host-string appears anywhere within the hostname or host IP address. ends-with host-string matches only if the host- name or IP address ends with host-string. The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used. If a host name matches on more than one match fil- ter of the same type, the most specific match is used. [ no] host-switching {starts-with | contains | ends-with} host-string service-group service- group-name Config >Service >Template >Application >HTTP Note: You can use URL switching or Host switch- ing in an HTTP template, but not both. However, if you need to use both types of switching, you can do so with an aFleX script. Each host string can be all or part of an IP address or host name. Default: Not set Client IP insert Inserts the clients source IP address into HTTP headers. [ no] insert-client-ip [ http-fieldname] [ replace] Config >Service >Template >Application >HTTP String of 1-256 characters Default: Not set When you enable this option, the client IP address is inserted into the X-ClientIP field by default, without replacing any client IP addresses already in the field. Redirect rewrite Modifies redirects sent by servers by rewriting the matching URL string to the specified value before sending the redirects to clients. [ no] redirect-rewrite match url-string rewrite-to url-string Config >Service >Template >Application >HTTP Strings of 1-256 characters Default: Not set TABLE 34 HTTP Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 847 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Redirect rewrite secure Changes HTTP redirects sent by servers into HTTPS redirects before sending the redirects to cli- ents. [ no] redirect-rewrite secure {port tcp-portnum} Config >Service >Template >Application >HTTP Strings of 1-256 characters Default: Not set Strict transaction switching Forces the AX device to perform the server selec- tion process anew for every HTTP request. Without this option, the AX device reselects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options. [ no] strict-transaction-switch Config >Service >Template >Application >HTTP Enabled or disabled Default: Disabled URL switching Selects a service group based on the URL string requested by the client. The selection overrides the service group configured on the virtual port. [ no] url-switching {starts-with | contains | ends-with} url-string service-group service-group-name If the URL-string does not match, the service group configured on the virtual port is used. Selection is performed using the following match filters: starts-with url-string matches only if the URL starts with url-string. contains url-string matches if the url-string appears anywhere within the URL. ends-with url-string matches only if the URL ends with url-string. The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used. If a URL matches on more than one match filter of the same type, the most specific match is used. Config >Service >Template >Application >HTTP Note: You can use URL switching or Host switch- ing in an HTTP template, but not both. However, if you need to use both types of switching, you can do so with an aFleX script. Strings of 1-256 characters Default: Not set TABLE 34 HTTP Template Parameters (Continued) Parameter Description and Syntax Supported Values 848 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters URL hash persistence (also called URL hash switching) Selects a service group based on the hash value of the first or last bytes of the URL string. The bytes option specifies how many bytes to use to calculate the hash value. Optionally, you can use URL hashing with either URL switching or host switching. Without URL switching or host switching configured, URL hash switching uses the hash value to choose a server within the default service group. If URL switching or host switching is configured, for each HTTP request, the AX device first selects a service group based on the URL or host switching values, then calculates the hash value and uses it to choose a server within the selected service group. The use-server-status option enables server load awareness, which allows servers to act as backups to other servers, based on server load. (This option requires some custom configuration on the server. For information, see URL Hash Switching with Server Load Awareness on page136.) [no] url-hash-persist {first | last} bytes [use-server-status} Config >Service >Template >Application >HTTP First or last 4-128 bytes Default: Not set Session termination for non-compliant HTTP 1.1 clients Enables the AX device to terminate HTTP 1.1 client connections when the Connection: close header exists in the HTTP request. This option is applicable to connection-reuse deployments that have HTTP 1.1 clients that are not compliant with the HTTP 1.1 standard. Without this option, sessions for non-com- pliant HTTP 1.1. clients are not terminated. [ no] term-11client-hdr-conn-close Note: The current release does not support configu- ration of this option using the GUI. Enabled or disabled Default: disabled TABLE 34 HTTP Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 849 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Policy Template Parameters Table35 lists the parameters you can configure in Policy-Based SLB (PBSLB) templates. TABLE 35 Policy Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template policy template- name Config >Service >Template >Application > Policy String of 1-31 characters Default: None. Black/white list name Binds a black/white list to the virtual ports that use this template. [ no] bw-list name file-name Config >Service >Template >Application > Policy Name of a configured black/white list. Default: None. Action for over- limit traffic Specifies the action to take for traffic that is over the limit. You can specify one or more of the following options: Lockup Stops accepting new connection requests for the specified number of minutes, 1-127. Logging Generates a log message when traffic goes over the limit. The min option specifies the log interval and can be 1-255 minutes. Reset Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit. [ no] bw-list over-limit {lockup min | logging min | reset} Config >Service >Template >Application > Policy You can specify the following: Over-limit action reset Lockup 1-127 minutes Logging 1-255 minutes Default: Over-limit action drop Lockup not set Logging not set Timeout for dynamic clients Specifies the number of minutes dynamic black/ white-list client entries can remain idle before aging out. [ no] bw-list timeout minutes Note: The current release does not support configu- ration of this option using the GUI. 1-127 minutes Default: 5 850 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Action Specifies the action to take for clients in the black/ white list. [ no] bw-list id id {service service-group-name | drop | reset} [ logging [ minutes] [ fail] ] Config >Service >Template >Application > Policy Note: If the option to use default selection if pre- ferred server selection fails is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, dis- able the option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged. The following settings are configu- rable: List ID ID of the black/white list. Group ID Group ID in the black/ white list. Service-group name Name of an SLB service group on the AX Series device. Action: Drop Drops new connections until the number of concurrent connections on the virtual port falls below the ports connection limit. (The connection limit is set in the black/white list.) Reset Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit. Logging Enables logging. You can specify the number of minutes between log messages. This option reduces overhead caused by fre- quent recurring messages. You can specify a logging interval from 0 to 60 minutes. To send a separate mes- sage for each event, set the interval to 0. Defaults: List ID None Group ID None Action Not set Logging Disabled. If you enable logging, the default for minutes is3. Overlap Matches black/white list entries based on the cli- ents destination IP address. [ no] overlap Config >Service >Template >Application > Policy Enabled or Disabled Default: Disabled. Matching is based on the clients source IP address. TABLE 35 Policy Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 851 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Matching based on destination IP address Matches black/white list entries based on the cli- ents destination IP address. [ no] bw-list use-destination-ip Config >Service >Template >Application > Policy Enabled or Disabled Default: Disabled. Matching is based on the clients source IP address. Class list IP address matching Specifies the IP address to use for matching entries in an IP class list. Destination IP address Matches based on the destination IP address instead of the source IP address. IP address in HTTP request Matches based on the IP address in a header in the HTTP request. You can specify the header when you enable this option. [ no] class-list client-ip {l3-dest | l7-header [ header-name] } Config >Service >Template >Application > Policy Client IP address, destination IP address, or request header. Default: Matching is based on the cli- ents source IP address. Class list name Applies an IP class list to the template. [ no] class-list name name Config >Service >Template >Application > Policy Name of a configured class list Default: not set TABLE 35 Policy Template Parameters (Continued) Parameter Description and Syntax Supported Values 852 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Class list IP limiting rule Configures an IP limiting rule for the IP limiting feature. IP limiting rules have the following param- eters: Limit ID (LID) Number from 1-31 that identi- fies the rule. Connection limit Maximum number of concur- rent connections allowed for a client. Connection-rate limit Maximum number of new connections allowed for a client within the limit period. Request limit Maximum number of concurrent Layer 7 requests allowed for a client. Request-rate limit Maximum number of Layer 7 requests allowed for a client within the limit period. Over-limit action Action to take when a client exceeds one or more of the limits. The action can be one of the following: Drop The AX device drops that traffic. If logging is enabled, the AX device also gener- ates a log message. Forward The AX device forwards the traffic. If logging is enabled, the AX device also gen- erates a log message. Reset For TCP, the AX device sends a TCP RST to the client. If logging is enabled, the AX device also generates a log message. Lockout period Number of minutes during which to apply the over-limit action after the cli- ent exceeds a limit. The lockout period is acti- vated when a client exceeds any limit. Logging Generates log messages when clients exceed a limit. When you enable logging, a sepa- rate message is generated for each over-limit occurrence, by default. You can specify a logging period, in which case the AX device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period. [ no] class-list lid num Config >Service >Template >Application > Policy Valid values: Limit ID (LID) 1-31 Connection limit 1-1048575 Connection-rate limit 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. Request limit 1-1048575 Request-rate limit 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. Over-limit action Drop, Forward, or Reset Lockout period 1-1023 minutes Logging Enabled or disabled. The logging period can be 0-255 min- utes. Default: Limit ID (LID) None Connection limit None Connection-rate limit None Request limit None Request-rate limit None Over-limit action Drop Lockout period None Logging Disabled. When logging is enabled, the default logging period is 0 (no wait period). TABLE 35 Policy Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 853 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Server SSL Template Parameters Table40 lists the parameters you can configure in Server SSL templates. Geo-location statistics sharing Enables sharing of PBLSB statistics counters for all virtual servers and virtual ports that use the tem- plate. This option causes the following counters to be shared: Permit Deny Connection number Connection limit [ no] geo-location share Note: The current release does not support configu- ration of this option using the GUI. Note: It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect. Disabled TABLE 35 Policy Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 36 Server SSL Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template server-ssl template-name Config >Service >Template >SSL >Server SSL String of 1-31 characters Default: default. The default tem- plate has the default values listed below. Certificate Authority (CA) certificate name Name of the Certificate Authority (CA) certificate to use for validating server certificates. [ no] ca-cert cert-name Config >Service >Template >SSL >Server SSL Note: To use the certificate, you must import it onto the AX device. (See Importing SSL Certificates on page467.) Name of a CA certificate imported onto the AX device Default: None 854 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Note: If you add, remove, or replace a certificate in a server-SSL template that is already bound to a VIP, the AX device does not use the changes. To change the certificates in a server-SSL template, unbind the template from the VIP and delete the template. Configure a new template with the changed certificates and bind the new template to the VIP. SIP Template Parameters (SIP over TCP/TLS) Table37 lists the parameters you can configure in SIP templates for SIP over TCP/TLS. Ciphers Cipher suite to support for decrypting certificates from servers. [ no] cipher Config >Service >Template >SSL >Server SSL One or more of the following: SSL3_RSA_DES_192_CBC3_SHA SSL3_RSA_DES_40_CBC_SHA SSL3_RSA_DES_64_CBC_SHA SSL3_RSA_RC4_128_MD5 SSL3_RSA_RC4_128_SHA SSL3_RSA_RC4_40_MD5 TLS1_RSA_AES_128_SHA TLS1_RSA_AES_256_SHA TLS1_RSA_EXPORT1024_RC4_56 _MD5 TLS1_RSA_EXPORT1024_RC4_56 _SHA Default: All the above are enabled. TABLE 36 Server SSL Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 37 SIP Template Parameters for SIP over TCP/TLS Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template sip template-name Config >Service >Template >Application >SIP String of 1-31 characters Default: None. P e r f o r m a n c e b y D e s i g n 855 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Client Keep-Alive Enables the AX device to respond to SIP pings from clients on behalf of SIP servers. When this option is enabled, the AX device responds to a SIP ping from a client with a pong. This option is disabled by default. Note: If connection reuse is configured, even if cli- ent keepalive is disabled, the AX device will respond to a client SIP ping with a pong. [ no] client-keep-alive Config >Service >Template >Application >SIP Enabled or disabled Default: Disabled Server Keep-Alive For configurations that use a connection-reuse tem- plate, this option specifies how often the AX device sends a SIP ping on each persistent connection. The AX device silently drops the servers reply. If the server does not reply to a SIP ping within the connection-reuse timeout, the AX device closes the persistent connection. (The connection-reuse time- out is configured in the connection-reuse template. See Connection Reuse Template Parameters on page836.) Note: This option is applicable only if the configu- ration includes a connection-reuse template. [ no] server-keep-alive seconds Config >Service >Template >Application >SIP 5-300 seconds Default: 30 Insert Client IP Inserts an X-Forwarded-For: IP-address:port header into SIP packets from the client to the SIP server. The header contains the client IP address and source protocol port number. The AX device uses the header to identify the client when forwarding a server reply. This option is disabled by default. [ no] insert-client-ip Config >Service >Template >Application >SIP Name of an IP header that inserts a cli- ent IP address. Default: Disabled Select Client Fail Action Specifies the AX response when selection of a SIP client fails. You can specify one of the following: String Message string to send to the server; for example: 480 Temporarily Unavailable. If the message string contains a blank, use double quo- tation marks around the string. Drop Drops the traffic. [ no] select-client-fail {string | drop} Config >Service >Template >Application >SIP The action can be one of the following: Reset Drop Send message Default: Reset TABLE 37 SIP Template Parameters for SIP over TCP/TLS (Continued) Parameter Description and Syntax Supported Values 856 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Select Server Fail Action Specifies the AX response when selection of a SIP server fails. You can specify one of the following: String Message string to send to the client; for example: 504 Server Time-out. If the message string contains a blank, use double quotation marks around the string. Drop Drops the traffic. [ no] select-server-fail {string | drop} Config >Service >Template >Application >SIP The action can be one of the following: Reset Drop Send message Default: Reset Exclude Translation Body Disables translation of the virtual IP address and virtual port in specific portions of SIP messages: Body Does not translate virtual IP addresses and virtual ports in the body of the message. Header string Does not translate virtual IP addresses and virtual ports in the specified header. Start line Does not translate virtual IP addresses and virtual ports in the SIP request line or status line. Note: Regardless of the settings for this option, the AX device never translates addresses in Call-ID or X-Forwarded-For headers. [ no] exclude-translation {body | header string | start-line} Config >Service >Template >Application >SIP Enabled or disabled Default: Disabled Call timeout Number of minutes a call can remain idle before the AX Series terminates it. [ no] timeout minutes Config >Service >Template >Application >SIP 1-250 minutes Default: 30 minutes TABLE 37 SIP Template Parameters for SIP over TCP/TLS (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 857 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters SIP Template Parameters (SIP over UDP) Table38 lists the parameters you can configure in SIP templates for SIP over UDP. TABLE 38 SIP Template Parameters for SIP over UDP Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template sip template-name Config >Service >Template >Application >SIP String of 1-31 characters Default: None. Registrar service group Name of a configured service group of SIP Regis- trar servers. [ no] registrar service-group group-name Config >Service >Template >Application >SIP Name of a configured service group Header erase Erases the specified SIP header from the SIP request before sending it to a SIP Registrar. [ no] header-erase string Config >Service >Template >Application >SIP String of 1-256 characters Default: None Header insert Inserts the specified SIP header into the SIP request before sending it to a SIP Registrar. [ no] header-insert string Config >Service >Template >Application >SIP String of 1-256 characters Default: None Header replace Replaces the specified SIP header in the SIP request before sending it to a SIP Registrar. [ no] header-replace string new-string Config >Service >Template >Application >SIP String of 1-256 characters Default: None Reverse NAT disable Disables reverse NAT based on the IP addresses in an extended ACL. This option is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the AX device. Configure the extended ACL to match on the SIP server IP address or subnet as the source address, and matches on the destination servers IP address or subnet as the destination address. [ no] pass-real-server-ip-for-acl acl-id Config >Service >Template >Application >SIP ID of a configured extended ACL. Default: Not set. Reverse NAT is enabled for all traffic from the server. 858 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters SMTP Template Parameters Table39 lists the parameters you can configure in SMTP templates. Call timeout Number of minutes a call can remain idle before the AX Series terminates it. [ no] timeout minutes Config >Service >Template >Application >SIP 1-250 minutes Default: 30 minutes TABLE 38 SIP Template Parameters for SIP over UDP (Continued) Parameter Description and Syntax Supported Values TABLE 39 SMTP Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template smtp template-name Config >Service >Template >Application > SMTP String of 1-31 characters Default: default. The default tem- plate has the default values listed below. Domain name switching Selects a service group based on the domain of the client. You can specify all or part of the client domain name. This option is applicable when you have multiple SMTP service groups. If the client domain does not match, the service group configured on the virtual port is used. Selection is performed using the following match filters: starts-with string matches only if the domain name starts with string. contains string matches if the string appears anywhere within the domain name. ends-with string matches only if the domain name ends with string. (cont.) Strings Default: Not set. All client domains match, and any service group can be used. P e r f o r m a n c e b y D e s i g n 859 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Domain name switching (cont.) The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used. If a domain name matches on more than one match filter of the same type, the most specific match is used. [ no] client-domain-switching {starts-with | contains | ends- with} string service-group group-name Config >Service >Template >Application > SMTP STARTTLS command dis- able Disables support of certain SMTP commands. If a client tries to issue a disabled SMTP command, the AX sends the following message to the client: 502 - Command not implemented [ no] command-disable [ vrfy] [ expn] [ turn] Note: To disable all three commands, simply enter the following: command-disable Config >Service >Template >Application > SMTP Any of the following: VRFY, EXPN, TURN Default: VRFY, EXPN, and TURN are enabled Email server domain Email server domain. This is the domain for which the AX Series device provides SMTP load balanc- ing. [ no] server-domain name Config >Service >Template >Application > SMTP String Default: mail-server-domain Service ready message Text of the SMTP service-ready message sent to cli- ents. The complete message sent to the client is con- structed as follows: 200 - smtp-domain service-ready-string [ no] service-ready-message string Config >Service >Template >Application > SMTP String Default: ESMTP mail service ready TABLE 39 SMTP Template Parameters (Continued) Parameter Description and Syntax Supported Values 860 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Source-IP Persistence Template Parameters Table40 lists the parameters you can configure in source-IP persistence templates. STARTTLS requirement Specifies whether use of STARTTLS by clients is required. starttls {disable | optional | enforced} Config >Service >Template >Application > SMTP One of the following: Disabled Clients cannot use STARTTLS. Use this option if you need to disable STARTTLS support but you do not want to remove the configuration. Optional Clients can use START- TLS but are not required to do so. Enforced Before any mail transac- tions are allowed, the client must issue the STARTTLS command to establish a secured session. If the client does not issue the STARTTLS command, the AX sends the follow- ing message to the client: "530 - Must issue a STARTTLS command first Default: Disabled TABLE 39 SMTP Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 40 Source-IP Persistence Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template persist source-ip template-name Config >Service >Template >Persistent >Source IP Persistence String of 1-31 characters Default: default. The default tem- plate has the default values listed below. P e r f o r m a n c e b y D e s i g n 861 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Match type Granularity of persistence: Port Traffic from a given client to the same vir- tual port is always sent to the same real port. This is the most granular setting. Server Traffic from a given client to the same VIP is always sent to the same real server, for any service port requested by the client. Service-group This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a ser- vice group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the ser- vice group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is per- formed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected. The scan all members option scans all members bound to the template. This option is useful in configurations where match-type server is used, and where some members have different priorities or are disabled. (See Scan-All-Mem- bers Option in Persistence Templates on page911.) Note: To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option. [ no] match-type {server | service-group} Config >Service >Template >Persistent >Source IP Persistence One of the following: Port (selectable in the GUI but not in the CLI) Server Service-group Default: Port TABLE 40 Source-IP Persistence Template Parameters (Continued) Parameter Description and Syntax Supported Values 862 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Netmask Granularity of IP address hashing for server port selection. You can specify an IPv4 network mask in dotted decimal notation. To configure server port selection to occur on a per subnet basis, configure the network mask to indicate the subnet length. For example, to send all clients within a subnet such as 10.10.10.x, 192.168.1.x, and so on (class C subnets) to the same server port, use mask 255.255.255.0. SLB selects a server port for the first client in a given subnet, the sends all other clients in the same sub- net to the same port. To configure server port selection to occur on a per client basis, use mask 255.255.255.255. SLB selects a server port for the first request from a given client, the sends all other requests from the same client to the same port. (This is the default.) [ no] netmask ipaddr Config >Service >Template >Persistent >Source IP Persistence Valid IPv4 network mask Default: 255.255.255.255 Timeout Number of minutes the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server. Note: The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP per- sistence template is set to 1 minute. If the timeout is set to 1 minute, sessions will always age out after 1 minute, even if they are active. [ no] timeout timeout-minutes Config >Service >Template >Persistent >Source IP Persistence 1-2000 minutes (about 33 hours) Default: 5 minutes Include source port Includes the source port in persistent sessions. [ no] incl-sport Note: The current release does not support configu- ration of this option using the GUI. Enabled or Disabled Default: Disabled. Ignore connection limits Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connec- tions) are likely to be used for the same persistent client source IP address. [ no] dont-honor-conn-rules Config >Service >Template >Persistent >Source IP Persistence Enabled or Disabled Default: Disabled. By default, the con- nection limit set on real servers and real ports is used. TABLE 40 Source-IP Persistence Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 863 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters SSL Session-ID Persistence Template Parameters Table41 lists the parameters you can configure in SSL session-ID persis- tence templates. TABLE 41 SSL Session-ID Persistence Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template persist ssl-sid template-name Config >Service >Template >Persistent > SSL Session ID Persistence String of 1-31 characters Default: default. The default tem- plate has the default values listed below. Timeout Number of minutes the mapping of an SSL session ID to a real server and real server port persists after the last time traffic using the session ID is sent to the server. [ no] timeout timeout-minutes Config >Service >Template >Persistent > SSL Session ID Persistence 1-250 minutes Default: 5 minutes Ignore connection limits Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connec- tions) are likely to be used for the same persistent SSL session ID. [ no] dont-honor-conn-rules Config >Service >Template >Persistent > SSL Session ID Persistence Enabled or Disabled Default: Disabled. By default, the con- nection limit set on real servers and real ports is used. 864 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Streaming-Media Template Parameters Table42 lists the parameters you can configure in streaming-media tem- plates. TCP Template Parameters Table43 lists the parameters you can configure in TCP templates. TABLE 42 Streaming-media Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template streaming-media template-name Config >Service >Template >Application >RTSP String of 1-31 characters Default: default. The default tem- plate has the default values listed below. URI switching Service group to which to send requests for a spe- cific URI. [ no] uri-switching stream uri-string service-group group-name Config >Service >Template >Application >RTSP Note: This option is supported only for Windows Media Server. Name of a configured service group Default: Requests are sent to the ser- vice group that is bound to the virtual port. TABLE 43 TCP Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template tcp template-name Config >Service >Template >L4 >TCP String of 1-31 characters Default: default. The default tem- plate has the default values listed below. Idle timeout Number of seconds a connection can remain idle before the AX Series device terminates it. Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual time- out is 60 seconds. [ no] idle-timeout seconds Config >Service >Template >L4 >TCP 60-120000 seconds (about 33 hours) Default: 120 seconds P e r f o r m a n c e b y D e s i g n 865 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters TCP-Proxy Template Parameters Table43 lists the parameters you can configure in TCP-proxy templates. Aging of half- closed sessions Enables aging of half-closed TCP sessions. A half- closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK. [ no] half-close-idle-timeout seconds Config >Service >Template >L4 >TCP 60-15000 seconds Default: Not set. The AX device keeps half-closed sessions open indefinitely. Server reset Sends a TCP RST to the real server after a session times out. [ no] reset-fwd Config >Service >Template >L4 >TCP Enabled or disabled Default: Disabled Client reset Sends a TCP RST to the client after a session times out. Note: If the server is Down, this option immediately sends the RST to the client and does not wait for the session to time out. [ no] reset-rev Config >Service >Template >L4 >TCP Enabled or disabled Default: Disabled Initial window size Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK. [ no] initial-window-size bytes Config >Service >Template >L4 >TCP 1-65535 bytes Default: The AX device uses the TCP window size set by the client or server. TABLE 43 TCP Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 44 TCP-Proxy Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template tcp-proxy template-name Config >Service >Template >TCP Proxy String of 1-31 characters Default: default. The default tem- plate has the default values listed below. FIN timeout Number of seconds that a connection can be in the FIN-WAIT or CLOSING state before the AX Series terminates the connection. [ no] fin-timeout seconds Config >Service >Template >TCP Proxy 1-60 seconds Default: 5 seconds 866 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters Aging of half- closed sessions Enables aging of half-closed TCP sessions. A half- closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK. [ no] half-close-idle-timeout seconds Config >Service >Template >L4 >TCP Proxy 60-15000 seconds Default: Not set. The AX device keeps half-closed sessions open indefinitely. Idle timeout Number of seconds that a connection can be idle before the AX Series terminates the connection. Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual time- out is 60 seconds. [ no] idle-timeout seconds Config >Service >Template >TCP Proxy 60-120000 seconds (about 33 hours) Default: 600 seconds Nagle algorithm Enables Nagle congestion compression (described in RFC 896). [ no] nagle Config >Service >Template >TCP Proxy Enabled or disabled Default: Disabled Receive buffer size Maximum number of bytes addressed to the port that the AX Series will buffer. [ no] receive-buffer number Config >Service >Template >TCP Proxy 1-2147483647bytes Default: 87380 bytes Retransmit retries Number of times the AX Series can retransmit a data segment for which the AX Series does not receive an ACK. [ no] retransmit-retries number Config >Service >Template >TCP Proxy 1-20 Default: 3 SYN retries Number of times the AX Series can retransmit a SYN for which the AX Series does not receive an ACK. [ no] syn-retries number Config >Service >Template >TCP Proxy 1-20 Default: 5 Time-Wait Number of seconds that a connection can be in the TIME-WAIT state before the AX Series transitions it to the CLOSED state. [ no] timewait number Config >Service >Template >TCP Proxy 1-60 seconds Default: 5 seconds Transmit buffer size Number of bytes sent by the port that the AX Series will buffer. [ no] transmit-buffer number Config >Service >Template >TCP Proxy 1-2147483647 Default: 16384 bytes TABLE 44 TCP-Proxy Template Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 867 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Template Parameters UDP Template Parameters Table45 lists the parameters you can configure in UDP templates. Initial window size Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK. [ no] initial-window-size bytes Config >Service >Template >TCP Proxy 1-65535 bytes Default: The AX device uses the TCP window size set by the client or server. TABLE 44 TCP-Proxy Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 45 UDP Template Parameters Parameter Description and Syntax Supported Values Template name Name of the template. [ no] slb template udp template-name Config >Service >Template >L4 >UDP String of 1-31 characters Default: default. The default tem- plate has the default values listed below. Aging Specifies how quickly sessions are terminated when the request is received. aging {immediate | short [ seconds] } Config >Service >Template >L4 >UDP Immediate aging: Response Received Session is terminated within 1 second. No Response Idle timeout value in UDP tem- plate is used. Short aging: Response Received Session is terminated within 1 second. No Response Session is terminated after con- figured short aging period. Note: If you are configuring DNS load balancing, A10 Networks recommends using the immediate option. One of the following: Immediate Short, with an aging period of 1-6 seconds Default: Not set. Theidle timeout value in the template is used instead. If you enable short aging, the default aging period is 3 seconds. 868 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Global SLB Parameters Global SLB Parameters Table47 lists the SLB parameters you can configure globally. Idle timeout Number of seconds a connection can remain idle before the AX Series terminates it. Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual time- out is 60 seconds. [ no] idle-timeout number Config >Service >Template >L4 >UDP 60-120000 seconds (about 33 hours) Default: 120 seconds Server reselection Configures the AX device to select another real server if the server that is bound to an active con- nection goes down. Without this option, another server is not selected. [ no] re-select-if-server-down Config >Service >Template >L4 >UDP Enabled or disabled Default: Disabled TABLE 45 UDP Template Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 46 Global SLB Parameters Parameter Description and Syntax Supported Values Server state Globally disables or re-enables a real or virtual server. {disable | enable} slb server [ server-name] [ port port-num] {disable | enable} slb virtual-server [ server-name] [ port port-num] Config >Service >SLB >Server Config >Service >SLB >Virtual Server Enabled or disabled Default: Enabled P e r f o r m a n c e b y D e s i g n 869 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Global SLB Parameters DSR health check Enables Layer 4-7 health checking in Direct Server Return (DSR) configurations. [ no] slb dsr-health-check-enable Config >Service >SLB >Global >Settings Note: Additional configuration is required. See Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments on page394. Enabled or disabled Default: Disabled Graceful shutdown Enables the AX device to wait for the specified grace period before moving active sessions on a deleted or disabled port or server to the delete queue. [ no] slb graceful-shutdown grace-period [ server | virtual-server] [ after-disable] Config >Service >SLB >Global >Settings 1-65535 seconds (about 18 hours) Default: Not set. When you delete a real or virtual service port, the AX device places all the ports sessions in the delete queue, and stops accepting new sessions on the port. Maximum session life Maximum session life following completion of a TCP flow. [ slb] msl-time seconds Config >Service >SLB >Global >Settings 1-40 seconds Default: 2 seconds Hardware-based SYN cookies Enables system-wide protection against TCP SYN flood attacks. SYN cookies enable the AX device to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to consume system resources. On-Threshold Specifies the maximum number of concurrent half-open TCP connections allowed on the AX device, before SYN cookies are enabled. If the number of halfopen TCP con- nections exceeds the on-threshold, the AX device enables SYN cookies. You can specify 0- 2147483647 half-open connections. Off-Threshold - Specifies the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. If the num- ber of half-open TCP connections falls below this level, SYN cookies are disabled. You can specify 0-2147483647 halfopen connections. [ no] syn-cookie [ on-threshold num off-threshold num] Config >Service >SLB >Global >Settings Note: This option is supported only on models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. Disabled or Enabled On-Threshold 0-2147483647 half- open connections Off-Threshold 0-2147483647 half- open connections Default: Disabled Note: If you leave the On-Threshold and Off-Threshold fields blank, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the AX device. TABLE 46 Global SLB Parameters (Continued) Parameter Description and Syntax Supported Values 870 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Global SLB Parameters Use of IP pool default gateways by real servers Enables use of IP pool default gateways to forward traffic from real servers. When this option is enabled, the AX device checks the configured IP NAT pools for an IP address range that includes the server IP address (the source address of the traffic). If the address range in a pool does include the servers IP address, and a default gateway is defined for the pool, the AX device for- wards the server traffic through the pools default gateway. [ no] slb snat-gwy-for-l3 Note: This parameter is not configurable using the GUI. Enabled or disabled Default: Disabled Source-IP based connection rate limiting Protects the system from excessive connection requests from individual clients. [ no] slb conn-rate-limit src-ip conn-limit per {100 | 1000} [ shared] [ exceed-action [ log] [ lock-out lockout-period] ] Note: The current release does not support configu- ration of this feature using the GUI. For more information about this feature, see Source-IP Based Connection Rate Limiting on page736. Connection limit 1-1000000. Limit period One of the following: 100 milliseconds (one tenth of a second) 1000 milliseconds (one second) Scope One of the following: Shared Connection limit applies as an aggregate to all virtual ports. Not shared Connection limit applies separately to each virtual port. (This is the default behavior. There is no Not shared option.) Exceed actions All connection requests in excess of the connection limit that are received from a client within the limit period are dropped. This action is enabled by default when you enable the feature, and can not be disabled. Optionally, you can enable one or both of the following additional exceed actions: (cont.) TABLE 46 Global SLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 871 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Global SLB Parameters Source-IP based connection rate limiting (cont.) Logging Generates a log message when a client exceeds the connec- tion limit. Lockout Locks out the client for a specified number of seconds. Dur- ing the lockout period, all connec- tion requests from the client are dropped. The lockout period can be 1-3600 seconds (1 hour). There is no default. Default: Not configured DNS caching Configures the AX device to locally cache DNS responses to client requests. Note: A DNS reply begins aging as soon as it is cached and continues aging even if the cached reply is used after aging starts. Use of a cached reply does not reset the age of that reply. [ no] dns-cache-enable [ no] dns-cache-age seconds Config >Service >SLB >Global >Settings Enabled or disabled The cache aging timeout can be 1-1000000 seconds. Default: disabled. When you enable DNS caching, the default cache aging timeout is 300 seconds. Source NAT on VIP Globally enables IP NAT support for VIPs. Source IP NAT can be configured on a virtual port in the following ways: ACL-SNAT Binding at the virtual port level VIP source NAT at the global configuration level aFleX policy bound to the virtual port Source NAT Pool at the virtual port level These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and VIP source NAT is also enabled globally, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, the globally configured VIP source NAT can be used instead. Note: The current release does not support source IP NAT on FTP or RTSP virtual ports. [ no] slb snat-on-vip Config >Service >SLB >Global >Settings Enabled or disabled Default: disabled TABLE 46 Global SLB Parameters (Continued) Parameter Description and Syntax Supported Values 872 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Global SLB Parameters Layer 7 request accounting Globally enables Layer 7 request accounting. Note: Layer 7 request accounting is automatically enabled for service groups that use the least-request load-balancing method. To display Layer 7 request statistics, view details for the service group, real port, or virtual port. [ no] slb enable-l7-req-acct Config >Service >SLB >Global >Settings Enabled or disabled Default: disabled Hardware-based content compression Enables hardware-based compression. When you enable hardware-based compression, all compression settings configured in HTTP tem- plates, except the compression level, are used. Hardware-based compression always uses the same compression level, regardless of the compression level configured in an HTTP template. Hardware-based compression is available using an optional hardware module in new AX devices, on certain models. If this option does not appear on your AX device, the device does not contain a com- pression module. [ no] slb hw-compression Config >Service >SLB >Global >Settings Enabled or disabled Default: Disabled Idle timeout for passthrough TCP sessions Sets the idle timeout for pass-through TCP sessions. A pass-through TCP session is one that is not termi- nated by the AX device (for example, a session for which the AX device is not serving as a proxy for SLB). Specify the name of a TCP template. The idle time- out in the TCP template is used. Only the idle timeout setting in the specified TCP template is applicable to pass-through TCP ses- sions. None of the other options in TCP templates affect pass-through TCP sessions. [ no] slb transparent-tcp-template template-name Note: This parameter is not configurable using the GUI. Name of a configured TCP template. To use the default TCP template, spec- ify the name default. Default: The default idle timeout for pass-through TCP sessions is 30 min- utes. The default idle timeout in TCP templates is 120 seconds. Trunk load balancing Disables or re-enables trunk load balancing or Layer2/Layer 3 traffic. [ no] slb l2l3-trunk-lb-disable Note: This parameter is not configurable using the GUI. Enabled or disabled Default: Enabled. TABLE 46 Global SLB Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 873 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Global SLB Parameters Fast-path processing Enables fast-path processing, wherein the AX device does not perform a deep inspection of every field within a packet. [ no] slb fast-path-disable Config >Service >SLB >Global >Settings Enabled (slb fast-path-dis- able) or disabled (no slb fast- path-disable) Default: Enabled. Deep inspection of every packet field is enabled. TCP Maximum Segment Size (MSS) Changes the minimum TCP MSS the AX device allows for client traffic. [ no] slb mss-table num Note: This parameter is not configurable using the GUI. 128-750 Default: 538 Statistics collection Globally disables or re-enables collection of statisti- cal data for system resources and for load-balancing resources. stats-data-disable stats-data-enable Note: Statistical data collection for load-balancing resources also must be enabled on the individual resources. Config >Service >SLB >Global >Settings Enabled or disabled Default: Statistical data collection for system resources is enabled by default. This also allows collection for those individual load-balancing resources on which collection is enabled. Statistical data collection also is ena- bled by default on individual load-bal- ancing resources. SLB application buffer threshold Fine-tunes thresholds for SLB buffer queues. Hardware buffer IO buffer threshold. For each CPU, if the number of queued entries in the IO buffer reaches this threshold, fast aging is ena- bled and no more IO buffer entries are allowed to be queued on the CPUs IO buffer. Relieve threshold Threshold at which fast aging is disabled, to allow IO buffer entries to be queued again. Low buffer threshold Threshold of queued sys- tem buffer entries at which the AX begins refus- ing new incoming connections. High buffer threshold Threshold of queued sys- tem buffer entries at which the AX device drops a connection whenever a packet is received for that connection. [ no] slb buff-thresh hw-buff num relieve-thresh num sys-buff-low num sys-buff-high num Config >Service >SLB >Global >Settings The supported values and defaults depend on the AX model. See the CLI online help. Compression block size Changes the default compression block size used for SLB. [ no] compress-block-size bytes Config >Service >SLB >Global >Rate-Limit Log 6000-32000 bytes Default: 16000 bytes TABLE 46 Global SLB Parameters (Continued) Parameter Description and Syntax Supported Values 874 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Real Server Parameters Real Server Parameters Table47 lists the parameters you can configure on real servers. DDoS Protection See DDoS Protection on page725. Default: Not set Log rate limiting Configures rate limiting settings for system logging: Max-local-rate Specifies the maximum number of messages per second that can be sent to the local log buffer. Max-remote-rate Specifies the maximum num- ber of messages per second that can be sent to remote log servers. Exclude-destination Excludes logging to the specified destination. slb rate-limit-logging [ max-local-rate msgs-per-second] [ max-remote-rate msgs-per-second] [ exclude-destination {local | remote}] Config >Service >SLB >Global >Rate-Limit Log Max-local-rate 1-100 messages per second Max-remote-rate 1-100000 mes- sages per second Exclude-destination Local, remote, or both Defaults: Max-local-rate 32 messages per second Max-remote-rate 15000 messages per second Exclude-destination Logging to both destinations is enabled. TABLE 46 Global SLB Parameters (Continued) Parameter Description and Syntax Supported Values TABLE 47 Real Server Parameters Parameter Description and Syntax Supported Values Configurable in Real Server Template? Server name and IP address Name and IP address of the real server. [ no] slb server server-name ipaddr Config >Service >SLB >Server Note: The name does not need to match the host- name configured on the server. String of 1-31 characters IPv4 or IPv6 address Default: None con- figured N/A Server state State of the real server. [ no] {disable | enable} Config >Service >SLB >Server Enabled or disa- bled Default: Enabled No P e r f o r m a n c e b y D e s i g n 875 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Real Server Parameters Real server template Configuration template of real server parameters. [ no] template server template-name Config >Service >SLB >Server Name of a config- ured real server template Default: Default real server tem- plate N/A Health check Enables or disables Layer 3 health monitoring and species the monitor to use. [ no] health-check [ monitor-name] Config >Service >SLB >Server Enabled or disa- bled Name of a config- ured health moni- tor Default: Enabled; ping (ICMP) Yes Connection limit Number of concurrent connections allowed on a real server. [ no] conn-limit max-connections Config >Service >SLB >Server 1-1000000 (one million) if config- ured on the real server; 1-1048575 if configured in the server template Default: 1000000 if configured on the real server; 1048575 if config- ured in the server template Yes Connection resume Maximum number of connections the server can have before the AX device resumes use of the server. Use does not resume until the number of connections reaches the configured maximum or less. [ no] conn-resume connections Config >Service >SLB >Server 1-1000000 (one million) connec- tions Default: Not set. The AX device is allowed to start sending new con- nection requests to the server as soon as the number of connections on the server falls back below the connec- tion limit. Yes, but as addi- tional parameter with conn-limit command (CLI) or additional field under Connection Limit Status (GUI) TABLE 47 Real Server Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Real Server Template? 876 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Real Server Parameters Service port TCP or UDP port number. [ no] port port-num {tcp | udp} Config >Service >SLB >Server - Port (For parameters you can set on the service port, see Real Service Port Parameters on page877.) Transport protocol: TCP or UDP Port number: 0-65534 Default: None con- figured N/A Slow start Allows time for a server to ramp up after the server is enabled or comes online, by temporarily limiting the number of new connections on the server. [ no] slow-start Config >Service >SLB >Server - Port Note: It is recommended to configure this feature in the real server template or real port template instead. See Behavior When Slow Start Is Also Configured on the Real Server Itself on page376. Enabled or dis- abled Default: Disabled Yes Weight Administrative weight of the server, used for weighted load balancing (weighted-least-connection or weighted-round-robin). [ no] weight num Config >Service >SLB >Server 1-100 Default: 1 No External IP address External IP address, used for reaching a server in a private network from outside the network. [ no] external-ip ipaddr Config >Service >SLB >Server Valid IP address Default: Not set No Spoofing cache Enables support for a spoofing cache server. A spoofing cache server uses the clients IP address instead of its own as the source address when obtaining content requested by the client. This command applies to the Transparent Cache Switching (TCS) feature. (See Transparent Cache Switching on page301.) [ no] spoofing-cache Config >Service >SLB >Server Enabled or disa- bled Default: Disabled No Statistics collection Enables or disables collection of statistical data for the server. stats-data-enable stats-data-disable Config >Service >SLB >Server Enabled or disabled Default: enabled No TABLE 47 Real Server Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Real Server Template? P e r f o r m a n c e b y D e s i g n 877 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Real Service Port Parameters Real Service Port Parameters Table48 lists the parameters you can configure on individual service ports on real servers. GSLB IPv6 mapping Assigns an IPv6 address to the real server for GSLB. [ no] ipv6 ipv6-addr Note: The current release does not support configu- ration of this option using the GUI. Valid IPv6 address Default: None No TABLE 47 Real Server Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Real Server Template? TABLE 48 Real Service Port Parameters Parameter Description and Syntax Supported Values Configurable in Real Port Template? Service port number and transport pro- tocol TCP or UDP port number. [ no] port port-num {tcp | udp} Config >Service >SLB >Server - Port In the CLI, this is set at the real server configuration level. In the GUI, this is set in the Port section of the Server page. TCP or UDP 0-65534 Default: Not set Note: Port number 0 is a wildcard port used for IP proto- col load balanc- ing. (For more information, see IP Protocol Load Balancing on page269.) N/A Service port state State of the service port. [ no] {disable | enable} Config >Service >SLB >Server - Port Enabled or disa- bled Default: Enabled No Real server port template Configuration template of real port parameters. [ no] template port template-name Config >Service >SLB >Server - Port Name of a config- ured real port tem- plate Default: Default real port template N/A 878 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Real Service Port Parameters Health check Enables or disables health monitoring and species the monitor to use. To base the ports health on the health of another port of the same type on the same server, use the fol- low-port option instead. [ no] health-check [ monitor-name | follow-port portnum method-type] Config >Service >SLB >Server - Port Note: In the current release, the follow-port option is not supported in the GUI. Enabled or disa- bled Name of a config- ured health moni- tor Default: The AX performs the default TCP or UDP check every 5 seconds. (See Default Health Checks on page381.) Yes (The follow-port option can not be configured using a template.) Connection limit Number of concurrent connections allowed on the service port. [ no] conn-limit max-connections Config >Service >SLB >Server - Port 1-1000000 (one million) if config- ured on the server port; 1-1048575 if configured in the server port tem- plate Default: 1000000 if configured on the server port; 1048575 if config- ured in the server port template Yes Connection resume Maximum number of connections the port can have before the AX device resumes use of the port. Use does not resume until the number of connections reaches the configured maximum or less. [ no] conn-resume connections Config >Service >SLB >Server - Port 1-1000000 (one million) connec- tions Default: Not set. The AX device is allowed to start sending new con- nection requests to the port as soon as the number of con- nections on the port falls back below the connec- tion limit. Yes, but as addi- tional parameter with conn-limit command (CLI) or additional field under Connection Limit Status (GUI) Weight Administrative weight of the service port, used for weighted load balancing (service-weighted-least- connection). [ no] weight num Config >Service >SLB >Server - Port 1-100 Default: 1 Yes TABLE 48 Real Service Port Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Real Port Template? P e r f o r m a n c e b y D e s i g n 879 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Group Parameters Service Group Parameters Table48 lists the parameters you can configure in service groups. No-SSL Disables SSL for server-side connections. This option is useful if a server-SSL template is bound to the virtual port that uses this real port, and you want to disable encryption on this real port. Encryption is disabled by default, but it is enabled for server-side connections when the real port is used by a virtual port that is bound to a server-SSL template. [ no] no-ssl Config >Service >SLB >Server - Port Enabled or disabled Default: Disabled (SSL is enabled) No Statistics collection Enables or disables collection of statistical data for the port. stats-data-enable stats-data-disable Config >Service >SLB >Server - Port Enabled or disabled Default: enabled No TABLE 48 Real Service Port Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Real Port Template? TABLE 49 Service Group Parameters Parameter Description and Syntax Supported Values Service group name and type Name of a service group and the transport protocol used by service ports in the group. [ no] slb service-group group-name {tcp | udp} Config >Service >SLB >Service Group String of 1-31 characters TCP or UDP Default: None configured 880 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Group Parameters Member Real servers and service ports managed by the group. [ no] member server-name:portnum [ disable | enable] [ priority num] [ template template-name] [ stats-data-enable] The enable | disable options change the server and port state within the service group only. The priority option enables you to designate some real servers as backups (the lower priority servers) to be used only if the higher priority servers all are unavailable. The template option binds a real port template to the port. Config >Service >SLB >Service Group Name of a configured real server, and a service port number configured on the server The priority can be 1-16. Defaults: State enabled Priority 1 Template not set Statistical data collection enabled TABLE 49 Service Group Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 881 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Group Parameters Load balancing method Algorithm used to select a real server and service port to fulfil a clients request. [ no] method lb-method Config >Service >SLB >Service Group Note: The fastest-response algorithm takes effect only if the traffic rate on the servers is at least 5 con- nections per second (per server). If the traffic rate is lower, the first server in the service group usually is selected. One of the following: Fastest-response Selects the server with the fastest SYN-ACK response time. Least-connection Selects the server that currently has the fewest connec- tions. Service-least-connection Selects the server port that currently has the fewest connections. If there is a tie, the port (among those tied) that has the lowest number of request bytes plus response bytes is selected. If there is still a tie, a port is randomly selected from among the ones that are still tied. Weighted-least-connection Selects a server based on a combination of the servers administratively assigned weight and the number of connections on the server. Service-weighted-least-connection Same as weighted-least-connec- tion, but per service. Least-request Selects the real server port for which the AX device is currently processing the fewest HTTP requests. This method is applicable to HTTP load balancing. Weighted-round-robin Selects servers in rotation, biased by the servers administratively assigned weights. If the weight value is the same on each server, this load-balancing method simply selects the servers in rotation. (cont.) TABLE 49 Service Group Parameters (Continued) Parameter Description and Syntax Supported Values 882 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Group Parameters Load balancing method (cont.) Round Robin Strict Provides a more exact round-robin method. The standard, default round robin method is optimized for high perfor- mance. Over time, this optimization can result in a slight imbalance in server selection. Server selection is still basically round robin, but over time some servers may be selected slightly more often than others. The following methods apply only to stateless SLB. (For more information, see Stateless SLB on page291.) Stateless-src-ip-hash Balances server load based on a hash value calculated using the source IP address and source TCP or UDP port. Stateless-src-dst-ip-hash Balances server load based on a hash value calculated using both the source and destination IP addresses and TCP or UDP ports. Stateless-dst-ip-hash Balances server load based on a hash value calculated using the destination IP address and destination TCP or UDP port. Stateless-per-pkt-round-robin Bal- ances server load by sending each packet to a different server, in rota- tion. This method is applicable only for UDP DNS traffic. Stateless-src-ip-only-hash Bal- ances server load based on a hash value calculated using the source IP address only. Default: Round robin (simple rotation without weighting) TABLE 49 Service Group Parameters (Continued) Parameter Description and Syntax Supported Values P e r f o r m a n c e b y D e s i g n 883 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Service Group Parameters Health monitor Assigns a health monitor to all members in the ser- vice group. This option is useful in cases where the same server provides content for multiple, independent sites. When you use this feature, if a site is unavailable (for example, is taken down for maintenance), the server will fail the health check for that site, and cli- ents will not be sent to the site. However, other sites on the same server will pass their health checks, and clients of those sites will be sent to the server. [ no] health-check monitor-name Config >Service >SLB >Service Group The default health monitor (IP ping) or the name of a configured health moni- tor Default: Not set Minimum active members Uses backup servers even if some primary servers are up. To configure this parameter, specify the number of primary servers that can still be active before the backup servers are used. The skip-pri-set option specifies whether the remaining primary servers continue to be used. If you use this option, the AX device uses only the backup servers and stops using any of the primary servers. [ no] min-active-member num [ skip-pri-set] Config >Service >SLB >Service Group 1-63 Default: Not set. Backup servers are used only if all primary servers are unavailable. When you configure this parameter, the skip-pri-set option is disabled by default, for all load-balancing methods except round-robin. For round-robin (the default), skip-pri-set is always enabled and can not be disabled. Reset after server selection failure Sends a TCP reset (RST) to clients if server selec- tion fails. [ no] reset-on-server-selection- fail Config >Service >SLB >Service Group Note: For more information about this option, see Sending a Reset After Server Selection Failure on page905. Enabled or disabled Default: disabled Statistics collection Enables or disables collection of statistical data for the service group. stats-data-enable stats-data-disable Config >Service >SLB >Service Group Enabled or disabled Default: enabled TABLE 49 Service Group Parameters (Continued) Parameter Description and Syntax Supported Values 884 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Server Parameters Virtual Server Parameters Table50 lists the parameters you can configure on virtual servers. TABLE 50 Virtual Server Parameters Parameter Description and Syntax Supported Values Configurable in Virtual Server Template? Virtual server name and vir- tual IP address Name to identify the virtual server on the AX device, and the virtual IP address that clients will request. To configure a single VIP, enter the IP address. To configure a contiguous range of VIPs, enter a subnet, in Classless Interdomain Routing (CIDR) format. [ no] slb virtual-server name ipaddr or [ no] slb virtual-server server-name starting-ip {subnet-mask | / mask-length} Config >Service >SLB >Virtual Server String of 1-31 characters IPv4 or IPv6 address Default: None con- figured N/A Virtual server state State of the virtual server. [ no] {disable [ when-all-ports-down] | enable} The when-all-ports-down option automatically dis- ables the virtual server if all its service ports are down. If OSPF redistribution of the VIP is enabled, the AX device also withdraws the route to the VIP in addition to disabling the virtual server. Config >Service >Server >Virtual Server Note: The when-all-ports-down option is not con- figurable using the GUI. Enabled or disa- bled Default: Virtual servers are enabled by default. The when-all-ports- down option is dis- abled by default. No Virtual server template Configuration template of virtual server parameters. [ no] template virtual-server template-name Config >Service >Server >Virtual Server Name of a config- ured virtual server template Default: Default virtual server tem- plate N/A P e r f o r m a n c e b y D e s i g n 885 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Server Parameters Virtual service port number and service type Service port number and service type. [ no] port port-num service-type Config >Service >SLB >Virtual Server - Port Service type can be one of the following: fast-http Streamlined Hypertext Transfer Proto- col (HTTP) service ftp File Transfer Protocol http HTTP https Secure HTTP (SSL) mms Multimedia Messaging Service rtsp Real Time Streaming Protocol sip Session Initiation Protocol smtp Simple Mail Transfer Protocol ssl-proxy SSL proxy service tcp Transmission Control Protocol udp User Datagram Protocol others Wildcard port used for IP protocol load balancing. (For more information, see IP Protocol Load Balancing on page269.) (For parameters you can set on the service port, see Virtual Service Port Parameters on page887.) Note: Fast-HTTP is optimized for very high per- formance information transfer in comparison to regular HTTP. Due to this optimization, fast- HTTP does not support all the comprehensive capabilities of HTTP such as header insertion and manipulation. It is recommended not to use fast-HTTP for applications that require compete data transfer integrity. Port number: 0-65535 Service type: fast-http ftp http https mms rtsp sip smtp ssl-proxy tcp udp others Default: None con- figured N/A ARP disable Disables or re-enables ARP replies from a virtual server. [ no] arp-disable Config >Service >SLB >Virtual Server Enabled or dis- abled Default: Disabled; ARP replies are enabled. No HA group ID HA group ID to use for session backup. [ no] ha-group group-id Config >Service >SLB >Virtual Server 1-31 Default: Not set No TABLE 50 Virtual Server Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Virtual Server Template? 886 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Server Parameters VIP-based High Avail- ability (HA) failover Enables dynamic failover based on server weight. The configured amount is subtracted from the HA groups priority value for each real server that goes down. [ no] ha-dynamic server-weight Config >Service >SLB >Virtual Server 1-255 Default: Not set No OSPF redistribution Explicitly include or exclude the VIP in OSPF redistribution. Setting this option enables you to selectively redis- tribute individual VIPs. Without this option, the VIP is automatically redistributed if VIP redistribution is enabled in OSPF. To redistribute a VIP, set this option on the VIP, and enter the following command at the OSPF configuration level: redistribute vip only-flagged To exclude this VIP from redistribution, set this option on the VIP, and enter either of the follow- ing commands at the OSPF configuration level: redistribute vip only-not-flagged or redistrib- ute vip [ no] redistribution-flagged Note: The current release does not support configu- ration of this option using the GUI. Set or not set Default: Not set No Statistics collection Enables or disables collection of statistical data for the virtual server. stats-data-enable stats-data-disable Config >Service >SLB >Virtual Server Enabled or disabled Default: enabled No TABLE 50 Virtual Server Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Virtual Server Template? P e r f o r m a n c e b y D e s i g n 887 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Service Port Parameters Virtual Service Port Parameters Table51 lists the parameters you can configure on individual service ports on virtual servers. TABLE 51 Virtual Service Port Parameters Parameter Description and Syntax Supported Values Configurable in Virtual Port Template? Virtual service port number and service type Service port number and service type. [ no] port port-num service-type Config >Service >SLB >Virtual Server - Virtual Server Port In the CLI, this is set at the virtual server configura- tion level. In the GUI, this is set on the Virtual Server Port page. Service type can be one of the following: fast-http Streamlined HTTP service ftp File Transfer Protocol http HTTP https Secure HTTP (SSL) mms Multimedia Messaging Service rtsp Real Time Streaming Protocol sip Session Initiation Protocol over UDP sip-tcp SIP over TCP sips Secure SIP over TLS smtp Simple Mail Transfer Protocol ssl-proxy SSL proxy service tcp Transmission Control Protocol udp User Datagram Protocol Note: Fast-HTTP is optimized for very high per- formance information transfer in comparison to regular HTTP. Due to this optimization, fast- HTTP does not support all the comprehensive capabilities of HTTP such as header insertion and manipulation. It is recommended not to use fast-HTTP for applications that require compete data transfer integrity. Note: The AX device allocates processing resources to HTTPS virtual ports when you bind them to an SSL template. This results in increased CPU utiliza- tion, regardless of whether traffic is active on the virtual port. Port number: 0-65535 Service type: fast-http ftp http https mms rtsp sip sip-tls sips smtp ssl-proxy tcp udp Default: None con- figured N/A 888 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Service Port Parameters Virtual service port state State of the virtual service port. [ no] {disable | enable} Config >Service >SLB >Virtual Server - Virtual Server Port Enabled or disa- bled Default: Enabled No Virtual port template Configuration template of virtual port parameters. [ no] template virtual-port template-name Config >Service >SLB >Virtual Server - Virtual Server Port Name of a config- ured virtual port template Default: Default virtual port tem- plate N/A Service group Service group bound to the virtual service port. The AX device uses real servers and ports in the service group to fulfill requests for the virtual service port. [ no] service-group group-name Config >Service >SLB >Virtual Server - Virtual Server Port Name of a config- ured service group Default: Not set No Template Connection or application template to use for ser- vice port parameters. [ no] template template-type template-name Config >Service >SLB >Virtual Server - Virtual Server Port Template type: One of the types described in Ser- vice Template Parameters on page829. Template name: Name of a config- ured template. Default: Depends on whether the template type has a default and whether the ser- vice type uses that template type. (See Service Template Parameters on page829.) N/A TABLE 51 Virtual Service Port Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Virtual Port Template? P e r f o r m a n c e b y D e s i g n 889 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Service Port Parameters Access Control List (ACL) ID of an ACL. If you do not also specify a NAT pool name, the ACL is used to deny or permit inbound traffic on the service port. If you do specify a NAT pool name, the ACL does not permit or deny traffic. Instead, it binds the source addresses in the ACL to the NAT pool. The NAT pool is used only for the client addresses in the ACL. [ no] access-list acl-num [ source-nat-pool pool-name] Config >Service >SLB >Virtual Server - Virtual Server Port Valid standard or extended ACL ID Default: None No aFleX policy aFleX policy to use for custom SLB processing. [ no] aflex aflex-name Config >Service >SLB >Virtual Server - Virtual Server Port Name of a config- ured aFleX policy. Default: None No Connection limit Number of concurrent connections allowed on the virtual service port. By default, after the connection limit is exceeded, new connections are silently dropped and no reset is sent to the client. You can use the reset option to send a connection reset to the client instead. [ no] conn-limit number [ reset] [ no-logging] Config >Service >SLB >Virtual Server - Virtual Server Port 0-8000000 (8 mil- lion) 0 means no limit. Default: Not set. When the feature is enabled, the reset option is dis- abled and logging is enabled. Yes, but the range is 1-1048575 Session synchroniza- tion (connection mirroring) Backs up session information on the Standby AX device in an HA configuration. When this option is enabled, sessions remain up even following a failover. [ no] ha-conn-mirror Config >Service >SLB >Virtual Server - Virtual Server Port Note: In HA deployments, HA session synchroniza- tion is required for persistent sessions (source-IP persistence, and so on), and is therefore automati- cally enabled for these sessions by the AX device. Persistent sessions are synchronized even if session synchronization is disabled in the configuration. Enabled or dis- abled Default: Disabled No TABLE 51 Virtual Service Port Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Virtual Port Template? 890 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Service Port Parameters Direct Server Return (DSR) Disables destination NAT, so that server responses go directly to clients. [ no] no-dest-nat Config >Service >SLB >Virtual Server - Virtual Server Port Enabled or dis- abled Disabled: Destina- tion NAT is enabled. No Policy-based SLB (PBSLB) Uses a black/white list to allow or deny clients who request the service port, select service groups for allowed clients, and drop or reset connections if the connection limit is reached. [ no] pbslb bw-list name [ no] pbslb id id {service service-group-name | drop | reset} [ logging [ minutes [ fail] ] ] [ no] pbslb over-limit {drop | reset} Note: In the GUI, PBSLB can only be configured and applied using PBSLB policy templates. Note: If the option to use default selection if pre- ferred server selection fails is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, dis- able the option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged. (For information about PBSLB, see Policy-Based SLB (PBSLB) on page761.) Name of a config- ured black/white list. The list must be imported onto the AX device. Default: Not set No Source NAT Name of a pool of IP addresses to use for Network Address Translation (NAT). [ no] source-nat pool pool-name Config >Service >SLB >Virtual Server - Virtual Server Port Note: This option is not applicable to the mms or rtsp service types. Name of a config- ured source NAT pool. Default: Not set No TABLE 51 Virtual Service Port Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Virtual Port Template? P e r f o r m a n c e b y D e s i g n 891 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Service Port Parameters VIP Source NAT Enables IP NAT support for the VIP. Source IP NAT can be configured on a virtual port in the following ways: ACL-Source NAT binding at the virtual port level VIP source NAT at the global configuration level aFleX policy bound to the virtual port Source NAT pool at the virtual port level These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and the VIP source NAT is also enabled globally, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, the globally configured VIP source NAT can be used instead. [ no] snat-on-vip Config >Service >SLB >Virtual Server - Virtual Server Port Note: The current release does not support source IP NAT on FTP or RTSP virtual ports. Enabled or dis- abled Default: Disabled No Software- based protection against TCP SYN flood attacks Protects against TCP SYN floods. [ no] syn-cookie [ sack] Config >Service >SLB >Virtual Server - Virtual Server Port Note: If hardware-based SYN cookies are sup- ported on the AX model you are configuring, use that version of the feature instead. (See SYN Cookies on page728.) Enabled or dis- abled Default: Disabled No Use receive hop for responses Sends replies to clients back through the last hop on which the request for the virtual port's service was received. [ no] use-rcv-hop-for-resp Config >Service >SLB >Virtual Server - Virtual Server Port Enabled or dis- abled Default: Disabled No TABLE 51 Virtual Service Port Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Virtual Port Template? 892 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Service Port Parameters Reset after server selection failure Sends a TCP reset (RST) to clients if server selec- tion fails. [ no] reset-on-server-selection- fail Config >Service >SLB >Virtual Server - Virtual Server Port Note: For more information about this option, see Sending a Reset After Server Selection Failure on page905. Enabled or disa- bled Default: disabled No Default forwarding after server selection failure Forwards client traffic at Layer 3, if SLB server selection fails. Note: This option applies only to wildcard VIPs (VIP address 0.0.0.0). [ no] use-default-if-no-server Config >Service >SLB >Virtual Server - Virtual Server Port Enabled or disabled Default: disabled. If SLB server selection fails, the traffic is dropped. No Default selection if preferred server selection fails Continues checking for an available server in other service groups if all of the servers are down in the first service group selected by SLB. During SLB selection of the preferred server to use for a client request, SLB checks the following con- figuration areas, in the order listed: 1. Layer 3-4 configuration items: a. aFleX policies triggered by Layer 4 events b. Policy-based SLB (black/white lists). PBSLB is a Layer 3 configuration item because it matches on IP addresses in black/white lists. 2. Layer 7 configuration items: a. Cookie switching b. aFleX policies triggered by Layer 7 events c. URL switching d. Host switching (cont.) Enabled or disa- bled Default: Enabled No TABLE 51 Virtual Service Port Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Virtual Port Template? P e r f o r m a n c e b y D e s i g n 893 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Service Port Parameters Default selection if preferred server selection fails (cont.) 3. Default service group. If none of the items above results in selection of a server, the default service group is used. If the configuration uses only one service group, this is the default service group. If the configuration uses multiple service groups, the default service group is the one that is used if none of the templates used by the configuration selects another service group instead. The first configuration area that matches the client or VIP (as applicable) is used, and the client request is sent to a server in the service group that is appli- cable to that configuration area. For example, if the clients IP address in a black/white list, the service group specified by the list is used for the client request. [ no] def-selection-if-pref-failed Config >Service >SLB >Virtual Server - Virtual Server Port GSLB enable (DNS proxy ports only) Enables a DNS port to function as a proxy for Glo- bal Server Load Balancing (GSLB) for this virtual port. [ no] gslb-enable Config >Service >SLB >Virtual Server - Virtual Server Port Note: This option applies only to DNS ports and only for a virtual service port on a virtual server that will be used as a DNS proxy on the GSLB AX device. Enabled or dis- abled Default: Disabled No Statistics collection Enables or disables collection of statistical data for the virtual port. stats-data-enable stats-data-disable Config >Service >SLB >Virtual Server - Virtual Server Port Enabled or disabled Default: enabled No TABLE 51 Virtual Service Port Parameters (Continued) Parameter Description and Syntax Supported Values Configurable in Virtual Port Template? 894 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Virtual Service Port Parameters P e r f o r m a n c e b y D e s i g n 895 of 732 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Dynamic Real Server Creation Using DNS You can use DNS to simplify real server creation, by specifying a DNS hostname instead of an IP address. In this case, the AX device periodically sends a DNS query for the hostnames IP address, and dynamically creates a real server with the IP address returned by DNS. The AX device also creates a service-group member for the server, in each service group that contains the server. To create and maintain dynamic real servers, the AX device sends a DNS query for each hostname real server, at a configurable interval. If the DNS server replies with an Address (A) record for a hostname real server, the AX device creates the server or, if the server is already cre- ated, the AX device refreshes its TTL. The AX device also creates ser- vice-group members for the server and its ports. If the DNS server replies with a CNAME record, the AX device also sends a DNS query for the CNAME. The AX device supports multiple servers with the same hostname. For example, if the DNS server replies with a different IP address for a host- name real server that has already been created, the AX device creates a sec- ond real server with the same hostname and the new IP address. If the IP address returned by the DNS server matches the IP address of a statically configured real server, the server is not created. Service groups can contain both static and hostname servers. Dynamic Server Aging Dynamically created real servers do not persist indefinitely. Instead, they age out based on the TTL values returned by the DNS server. The AX device sets a servers initial TTL when the server is created. The initial TTL value is the greater of the following: TTL value in the DNS reply DNS query interval multiplied by the min-ttl-ratio (described in Tem- plate Options for Dynamically Created Real Servers on page896) The servers TTL is decremented by 60 every minute. The TTL is refreshed each time the DNS server replies with the address. 896 of 732 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Template Options for Dynamically Created Real Servers If the TTL reaches 0, the dynamically created server is removed. If the DNS server replies with the IP address after this, the server is dynamically cre- ated again. Note: When a dynamically created real server ages out, only that instance of the server (its port and service group member) is removed. Other instances (other IP addresses) for the same server (hostname) are not removed, unless they also age out. The real server configuration that you entered, used by the AX device to dynamically create servers, is not removed. Template Options for Dynamically Created Real Servers The options that can be configured for static servers and ports also apply to dynamic servers and ports. In addition, server and server port templates have some new options, specif- ically for dynamic real servers. Note: These template options take effect when you apply a template to a dynamic server configuration. After this, any dynamic real servers that are created using the dynamic server configuration use the template val- ues that were set when the template was applied to the dynamic server configuration, even if the values are later changed in the template. Server template options for hostname real servers: dynamic-server-prefix Specifies a short string to add to the front of the name for each dynamically created real server. Dynamically created servers are named using the following format: prefix-ipaddr-hostname The prefix is the string added by the AX device. You can specify a string of 1-3 characters. The default is DRS, for Dynamic Real Servers. The ipaddr is the IP address returned in the DNS reply. The hostname is the hostname you specify when you create the server configuration. The maximum total length of a dynamic server name is 32 bytes. If the name becomes longer than 32 characters, the AX device truncates the name to 32 bytes. dns-query-interval Specifies the interval at which the AX device sends DNS queries for the IP addresses of the dynamic real servers. You can specify 1-1440 minutes (one day). The default is 10 minutes. P e r f o r m a n c e b y D e s i g n 897 of 732 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Template Options for Dynamically Created Real Servers max-dynamic-server Specifies the maximum number of real servers that can be dynamically created for a given hostname. You can specify 1-1023. The default is 255. After the maximum number of servers is cre- ated, the AX device deletes the oldest servers, as determined by the time it was created, to make room for new ones. min-ttl-ratio Specifies the minimum initial value for the TTL of dynamic real servers. This option prevents dynamic real servers from aging out too quickly due to a small TTL value from the DNS server. To calculate the minimum TTL value for a dynamic real server, the AX device multiplies the dns-query-interval by the min-ttl-ratio. For exam- ple, if the min-ttl-ratio is 2 and the dns-query-interval is 10 minutes (600 seconds), then the minimum TTL for dynamic real servers is 1200. The min-ttl-ratio can be 2-15. The default is 2. Server port template options for dynamic service-group members: dynamic-member-priority and decrement-delta Sets the initial priority of dynamic service-group members, and specifies how much to decre- ment from the priority after each DNS query. Within a service group, the priorities of the members determine which of those members can be used to service client requests. Normally, only the highest priority members can be used. Decrementing the priorities of dynamic members provides a way to ensure that the service group uses newer dynamically created members instead of older ones. The initial priority can be 1-16, and the default is 16. The delta can be 0-8, and the default is 0. The priority value decrements only when the IP address is not refreshed after a DNS query. For example, assume a DNS query returns IP address 1.1.1.1, and the AX device creates a dynamic server with priority 16. However, the latest DNS query returns IP address 2.2.2.2 only. In this case, the priority of 1.1.1.1 is decremented by the delta value. If a later DNS query returns 1.1.1.1 again, the priority of server 1.1.1.1 is reset to 16. If you leave the delta set to its default (0), service-group member priori- ties are not decremented. Note: Settings that also apply to static servers and ports, such as connection and rate limits, apply individually to each dynamically created server or port. For example, the connection-rate limit configured in a server template applies individually to each dynamically created server for a given host- name. The limit is not applied collectively to all dynamically created serv- ers for the hostname. 898 of 732 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Dynamic Real Server Creation Configuring Dynamic Real Server Creation You can configure dynamic real servers using the GUI or CLI. Note: In the current release, configuration of template options for dynamic server creation is not supported in the GUI. USING THE GUI 1. Select Config >Service >SLB. 2. On the menu bar, select Server. 3. Enter a name for the dynamic real server in the Name field. 4. In the IP Address/Host, enter the hostname known to DNS. 5. Configure additional options for the real server and add ports, as appli- cable to your deployment. 6. When finished, click OK. USING THE CLI To configure a dynamic real server, use the following command at the global configuration level of the CLI: slb server server-name hostname This command does not in itself create functioning dynamic servers. Instead, the command enables the AX device to create dynamic servers for the hostname, based on DNS replies. To configure server options for dynamic real servers, use the following commands at the configuration level for a server template: dns-query-interval minutes This command specifies how often the AX device sends DNS queries for the IP addresses of dynamic real servers. You can specify 1-1440 minutes (one day). The default is 10 minutes. dynamic-server-prefix string Changes the prefix added to the front of dynamically created servers. You can specify a string of 1-3 characters. The default is DRS, for Dynamic Real Servers. P e r f o r m a n c e b y D e s i g n 899 of 732 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Dynamic Real Server Creation max-dynamic-server num This command specifies the maximum number of dynamic real servers that can be created for a given hostname. You can specify 1-1023. The default is 255. min-ttl-ratio num This command specifies the minimum initial value for the TTL of dynamic real servers. The AX device multiplies this value by the TTL in the DNS reply to calculate the minimum TTL value to assign to the dynamically cre- ated server. The min-ttl-ratio can be 2-15. The default is 2. To configure server port options for dynamic real servers, use the following command at the configuration level for a server port template: dynamic-member-priority num decrement delta The num option sets the initial TTL for dynamically created service-group members, and can be 1-16. The delta option specifies how much to decre- ment the TTL if the IP address is not included in the DNS reply, and can be 0-7. When configuring the service group, add the port template to the mem- ber. The default priority value is 16 and the default delta is 0. To display information about dynamically created real servers, use the fol- lowing commands: show slb server server-name detail show slb service-group CLI Example The following commands configure hostname server parameters in a server port template and a server template: AX( conf i g) #slb template port temp-port AX( conf i g- r por t ) #dynamic-member-priority 12 AX( conf i g- r por t ) #exit AX( conf i g) #slb template server temp-server AX( conf i g- r ser ver ) #dns-query-interval 5 AX( conf i g- r ser ver ) #min-ttl-ratio 3 AX( conf i g- r ser ver ) #max-dynamic-server 16 AX( conf i g- r ser ver ) #exit 900 of 732 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Dynamic Real Server Creation The following commands configure a hostname server, add a port to it, and bind the server template to it: AX( conf i g) #slb server s-test1 s1.test.com AX( conf i g- r eal ser ver ) #template server temp-server AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure a static real server: AX( conf i g) #slb server s-test2 10.4.2.1 AX( conf i g- r eal ser ver ) #port 80 tcp AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure a service group and add the hostname server and static server to it. The port template is bound to the member for the hostname server and port. AX( conf i g) #slb service-group sg-test tcp AX( conf i g- sl b svc gr oup) #member s-test1:80 template temp-port AX( conf i g- sl b svc gr oup) #member s-test2:80 AX( conf i g- sl b svc gr oup) #exit The following commands adds the DNS server to use for resolving the real server hostname into server IP addresses: AX( conf i g) #ip dns primary 10.10.10.10 The following command displays detailed information for the hostname server. The configuration details are shown first, followed by details for the dynamically created servers. AX#show slb server s-test1 detail Server name: s-test1 Hostname: s1.test.com Last DNS reply: Tue Nov 17 03:41:59 2009 State: Up Server template: temp-server DNS query interval: 5 Minimum TTL ratio: 3 Maximum dynamic server: 16 Health check: none Cur r ent connect i on: 0 Cur r ent r equest : 0 Tot al connect i on: 1919 P e r f o r m a n c e b y D e s i g n 901 of 732 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Dynamic Real Server Creation Tot al r equest : 1919 Tot al r equest success: 1877 Tot al f or war d byt es: 546650 Tot al f or war d packet s: 5715 Tot al r ever se byt es: 919730 Tot al r ever se packet s: 5631 Dynamic server name: DRS-10.4.2.5-s1.test.com Last DNS reply: Tue Nov 17 03:41:59 2009 TTL: 4500 State: Up Server template: test DNS query interval: 5 Minimum TTL ratio: 15 Maximum dynamic server: 1023 Health check: none Cur r ent connect i on: 0 Cur r ent r equest : 0 Tot al connect i on: 1919 Tot al r equest : 1919 Tot al r equest success: 1877 Tot al f or war d byt es: 546650 Tot al f or war d packet s: 5715 Tot al r ever se byt es: 919730 Tot al r ever se packet s: 5631 The following command displays service-group information. A separate row of information appears for each dynamically created member. AX#show slb service-group Tot al Number of Ser vi ce Gr oups conf i gur ed: 40 Cur r ent = Cur r ent Connect i ons, Tot al = Tot al Connect i ons Fwd- p = For war d packet s, Rev- p = Rever se packet s Ser vi ce Gr oup Name Ser vi ce Cur r ent Tot al Fwd- p Rev- p - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *sg- t est St at e: Al l Up DRS- 10. 4. 2. 6- s2. t est . com: 80 0 0 0 0 DRS- 10. 4. 2. 5- s1. t est . com: 80 36 1919 5714 5631 s- t est 2: 80 0 53 265 212 902 of 732 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring Dynamic Real Server Creation The following command displays detailed statistics for the dynamically cre- ated service-group members: AX#show slb service-group sg-test Ser vi ce gr oup name: sg- t est St at e: Al l Up Ser vi ce sel ect i on f ai l dr op: 0 Ser vi ce sel ect i on f ai l r eset : 0 Ser vi ce: DRS- 10. 4. 2. 6- s2. t est . com: 80 UP For war d packet s: 0 Rever se packet s: 0 For war d byt es: 0 Rever se byt es: 0 Cur r ent connect i ons: 0 Per si st ent connect i ons: 0 Cur r ent r equest s: 0 Tot al r equest s: 0 Tot al connect i ons: 0 Response t i me: 0. 00 msec Tot al r equest s succ: 0 Ser vi ce: DRS- 10. 4. 2. 5- s1. t est . com: 80 UP For war d packet s: 5715 Rever se packet s: 5631 For war d byt es: 546650 Rever se byt es: 919730 Cur r ent connect i ons: 10 Per si st ent connect i ons: 0 Cur r ent r equest s: 10 Tot al r equest s: 1919 Tot al connect i ons: 1919 Response t i me: 0. 00 msec Tot al r equest s succ: 1877 Ser vi ce: s- t est 1: 80 UP For war d packet s: 450 Rever se packet s: 360 For war d byt es: 31500 Rever se byt es: 44820 Cur r ent connect i ons: 0 Per si st ent connect i ons: 0 Cur r ent r equest s: 0 Tot al r equest s: 0 Tot al connect i ons: 90 Response t i me: 0. 00 msec Tot al r equest s succ: 1877 The following command displays configuration information for the service group. In this example, the service group has dynamic members and a static member. AX#show slb service-group sg-test config Ser vi ce gr oup name: sg- t est Type: t cp Di st r i but i on: Round Robi n Heal t h Check: None Member Count : 4 Member 4: DRS- 10. 4. 2. 6- s2. t est . com: 80 Pr i or i t y: 1 Member 3: DRS- 10. 4. 2. 5- s1. t est . com: 80 Pr i or i t y: 16 Member 1: DRS- 10. 4. 2. 5- s- t est 2: 80 Pr i or i t y: 1 Member 2: s- t est 1: 80 Pr i or i t y: 1 P e r f o r m a n c e b y D e s i g n 903 of 732 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide VIP Creation Based on Subnet The AX device provides a simple method to configure a range of VIPs, based on IP subnet. Using this method, you can create a set of virtual serv- ers that have contiguous IP addresses, simply by specifying the beginning and ending IP addresses in the range. The IP addresses in the specified range can not belong to an IP interface, real server, or other virtual server configured on the AX device. Notes The largest supported subnet length is /20. Statistics are aggregated for all VIPs in the subnet virtual server. In the GUI, only the first VIP in the range is visible. The current release supports this feature only for DNS ports on the default DNS port number (TCP port 53 or UDP port 53). USING THE GUI 1. Select Config >Service >SLB. 2. On the menu bar, select Virtual Server, if not already selected. 3. Enter a name for the VIP range in the name field. 4. In the IP Address or CIDR Subnet field, enter the subnet address and network mask, in the following format: ipaddr/mask-length Do not use a space before or after the forward slash. The ipaddr is the starting host address in the range and must be a valid host address. (For example, entering 192.168.1.0/24 is not valid.) 5. Configure additional VIP options as required for your deployment. 6. When finished, click OK at the bottom of the VIP creation page. The VIP appears in the VIP table. 904 of 732 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide USING THE CLI To configure a set of virtual servers based on subnet, use the following com- mand at the global configuration level of the CLI: [ no] slb virtual-server server-name starting-ip {subnet-mask | / mask-length} The starting-ip option specifies the beginning IP address in the range. The subnet-mask | /mask-length option specifies the size of the range. Note: If you do not specify a network mask, the virtual server is a standard VIP that has the IP address you specify as the starting-ip address. CLI Example The following command configures a set of VIPs for IP addresses 1.1.1.5- 1.1.1.255: AX( conf i g) #slb virtual-server vs1 1.1.1.5 /24 P e r f o r m a n c e b y D e s i g n 905 of 732 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Sending a Reset After Server Selection Failure The AX device provides an option or send a TCP reset (RST) to clients if server selection fails. Server selection failure can occur as the result of any of the following conditions: Server or port connection limit is reached Server or port connection rate limit is reached Client in a PBSLB black/white list reaches its connection limit The def-selection-if-pref-failed option is disabled and SLB is unable to select a server for any reason All servers are down The reset-on-server-selection-fail option can be enabled at either of the fol- lowing levels: Service group Virtual port Enabling the reset-on-server-selection-fail option at the service-group level allows selective use of the option based on service group. Figure192 on page906 shows an example of a Policy-Based SLB (PBSLB) solution that uses the reset-on-server-selection-fail option. Note: The TCP template reset-rev option also can be used to send a RST to cli- ents. In AX releases prior to 2.2.2, the reset-rev option would send a RST in response to a server selection failure. In AX Release 2.2.2 and later, the new reset-on-server-selection-fail option must be used instead. 906 of 732 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide FIGURE 192 PBSLB Used With reset-on-server-selection-fail Option P e r f o r m a n c e b y D e s i g n 907 of 732 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide This deployment categorizes clients as follows: White-list clients Grey-list clients Black-list clients In this solution, if a white-list client exceeds the connection limit specified in the black/white list, the AX device sends a RST to the client. However, if a grey-list or black-list client exceeds its connection limit, the AX device drops the connection, instead of sending a RST. To implement this solution, a separate service group is configured for each client category. In the black/white list, each client is assigned to one of the service groups, according to the clients category. For example, client 192.168.1.1 is a white-list client, and is therefore assigned to the white-list service group. To configure the AX device to send a RST to white-list clients upon server selection failure, but not to grey-list or black-list clients, the reset-on-server- selection-fail option is used in the white-list service group only. The default PBSLB action, drop, is used for the other service groups. The virtual port to which clients will send mail traffic is bound to all three service groups. In addition, the def-selection-if-pref-failed option is dis- abled. This option must be disabled so that the AX device does not attempt to use other configuration areas of the system to select a server, if SLB is unable to select a server. A policy template is used to identify the black/white list and the service group assignments, and is bound to the virtual port. Note: This example uses a separate server for each client category. However, traffic for all clients could be sent to the same server. The essential parts of this solution are use of a separate service group for each client cate- gory, enabling of the reset-on-server-selection-fail option in the white-list service group, and disabling of the def-selection-if-pref-failed option on the virtual port. USING THE CLI The reset-on-server-selection-fail option is disabled by default. To enable the option in a service group, use the following command at the configuration level for the group: [ no] reset-on-server-selection-fail 908 of 732 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide To enable the option on a virtual port, use the following command at the configuration level for the port: [ no] reset-on-server-selection-fail CLI Example The commands below implement the solution shown in Figure192 on page906. The following commands configure the real servers: AX( conf i g) #slb server ms1 10.10.10.11 AX( conf i g- r eal ser ver ) #port 25 AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server ms2 10.10.10.12 AX( conf i g- r eal ser ver ) #port 25 AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit AX( conf i g) #slb server ms3 10.10.10.13 AX( conf i g- r eal ser ver ) #port 25 AX( conf i g- r eal ser ver - node por t ) #exit AX( conf i g- r eal ser ver ) #exit The following commands configure the service groups: AX( conf i g) #slb service-group white-list AX( conf i g- sl b ser vi ce gr oup) #member ms1:25 AX( conf i g- sl b ser vi ce gr oup) #reset-on-server-selection-fail AX( conf i g- sl b ser vi ce gr oup) #exit AX( conf i g) #slb service-group grey-list AX( conf i g- sl b ser vi ce gr oup) #member ms2:25 AX( conf i g- sl b ser vi ce gr oup) #exit AX( conf i g) #slb service-group black-list AX( conf i g- sl b ser vi ce gr oup) #member ms3:25 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure the policy template: AX( conf i g) #slb template policy pbslb1 AX( conf i g- pol i cy) #bw-list name bw-list-1 AX( conf i g- pol i cy) #bw-list id 1 service-group white-list AX( conf i g- pol i cy) #bw-list id 2 service-group grey-list AX( conf i g- pol i cy) #bw-list id 3 service-group black-list AX( conf i g- pol i cy) #exit P e r f o r m a n c e b y D e s i g n 909 of 732 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide The following commands import black/white list bw-list-1.txt onto the AX device: AX( conf i g) #bw-list bw-list-1.txt tftp://myhost/TFTP-Root/AX_bwlists/bw-list-1.txt AX( conf i g) #show bw-list Name Ur l Si ze( Byt e) Dat e - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - bw- l i st - 1. t xt t f t p: / / myhost / TFTP- Root / AX_ N/ A N/ A bwl i st s/ bw- l i st - 1. t xt Tot al : 1 The following commands configure the VIP: AX( conf i g) #slb virtual-server mail-vip 10.10.10.10 AX( conf i g- sl b vi r t ual - ser ver ) #port 25 tcp AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group white-list AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group grey-list AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #service-group black-list AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #template policy pbslb1 AX( conf i g- sl b vi r t ual ser ver - sl b vi r t ua. . . ) #no def-selection-if-pref-failed 910 of 732 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide P e r f o r m a n c e b y D e s i g n 911 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Scan-All-Members Option in Persistence Templates In cookie, source-IP, and destination-IP persistence templates, the match-type server option has a suboption called scan-all-members. The scan-all-members option allows a persistent session to continue even when the real server port the session is on becomes unavailable. This chapter describes the scan-all-members option in detail. The match-type server option changes the granularity of persistence, from server+port, to simply server. If the match-type is set to server+port (the default), a persistent session is always sent to the same real port on the same real server. However, if the match-type is set to server, a persistent session is always sent to the same real server, but not necessarily to the same real port. The match-type server option is useful in cases where the same service is available on multiple service ports on the server. With this option, if the server port that a client is using for a persistent session goes down, another service port of the same service type on the same server can be used. Figure193 shows an example. 912 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide FIGURE 193 Scan-all-members VIP 192.168.10.11 uses 3 real servers to provide HTTP service. Two of the servers have a single protocol port for HTTP. However, one of the servers has HTTP service on multiple service ports. For a new session, the SLB load-balancing method enabled on the service group is used to select a server and port for the client (source IP address). Because source-IP persistence is enabled, subsequent requests from the same client are always sent to the same server. By default, when the match-type is changed to match-type server, the AX device uses the service groups load-balancing method for the first request to select a service-group member (server+port). For subsequent connections from the same client, the AX device uses fast-path processing to select the first service-group member that has the same IP address as the server that was initially selected by the service groups load-balancing method for the first request. P e r f o r m a n c e b y D e s i g n 913 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide In this example, if the load-balancing method happens to choose port 80 on server s3 for the first request, subsequent connections also are sent to port 80 on s3, since port 80 is in the first member (server+port) for s3 listed in the service-group configuration. Because the match-type is set to match- type server, if port 80 goes down, the next request for the persistent session is still sent to s3, but to a different port on s3. If the load-balancing method happens to choose port 8080 on server s3 for the first request, subsequent requests are sent to port 80 on s3, since port 80 is in the first member (server+port) for s3 listed in the service-group config- uration. However, if the member (port 80 on s3) is set to a lower priority or is administratively disabled, the AX device again will use the load-balancing method to select a server and port for the next request. Any of the available service-group members can be selected, even if they are different servers. In this case, it is possible that a different server will be selected for the next request. For example, if an admin needs to perform some maintenance on port 80, and disables that port in order to prevent it from being used for fur- ther requests, persistent sessions on the port and server may not remain per- sistent to the same server. In a match-type server configuration, to ensure that sessions do remain persistent on the same server if a member is administratively disabled or is set to a lower priority, use the scan-all-members option. In this case, the AX device selects the first available service-group member on the same server as the member that is out of service. In this example, if s3:80 is disabled or is set to a lower priority, the AX device selects the next member on the same server, s3:8080. When s3:80 is available again, it is selected for any new connections. However, connec- tions that are already in existence when s3:80 comes back up continue to go to s3:8080. CLI Example The commands in this section configure the source-IP persistence template and service group in Figure193 on page912. The following commands configure the source-IP persistence template: AX( conf i g) #slb template persist source-ip persist-source AX( conf i g- sour ce i p per si st ence t empl at e) #match-type server scan-all-members AX( conf i g- sour ce i p per si st ence t empl at e) #exit 914 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide The following commands configure the service group: AX( conf i g) #slb service-group sg-1 AX( conf i g- sl b ser vi ce gr oup) #member s1:80 AX( conf i g- sl b ser vi ce gr oup) #member s2:80 AX( conf i g- sl b ser vi ce gr oup) #member s3:80 AX( conf i g- sl b ser vi ce gr oup) #member s3:8080 AX( conf i g- sl b ser vi ce gr oup) #member s3:8081 AX( conf i g- sl b ser vi ce gr oup) #exit The following commands configure the virtual server: AX( conf i g) #slb virtual-server vip1 192.168.10.11 AX( conf i g- sl b vser ver - vpor t ) #service-group sg-1 AX( conf i g- sl b vser ver - vpor t ) #template persist source-ip persist-source P e r f o r m a n c e b y D e s i g n 915 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview SSL Certificate Management This chapter describes how to install SSL keys, certificates, and Certificate Revocation Lists (CRLs) on the AX device. Installing these SSL resources on the AX device enables the AX device to provide SSL services on behalf of real servers. You can use the AX device to offload SSL processing from servers or, for some types of traffic, you can use the AX device as an SSL proxy. (For more information about SSL offload and SSL proxy, see SSL Offload and SSL Proxy on page225.) Overview Some types of client-server traffic need to be encrypted for security. For example, traffic for online shopping must be encrypted to secure sensitive account information from being stolen. Commonly, clients and servers use Secure Sockets Layer (SSL) or Trans- port Layer Security (TLS) to secure traffic. For example, a client that is using a shopping application on a server will encrypt data before sending it to the server. The server will decrypt the clients data, then send an encrypted reply to the client. The client will decrypt the server reply, and so on. Note: SSL is an older version of TLS. The AX device supports SSL version 3.0 and TLS version 1.0. The AX device also supports RFC 3268: AES Ciphersuites for TLS. For simplicity, elsewhere this document and other AX user documents use the term SSL to mean both SSL and TLS. Note: The AX device supports Privacy Enhanced Mail (PEM) format for certif- icate files and CRLs. AX SSL processing supports PEM format and RSA encryption. SSL Process SSL works using certificates and keys. Typically, a client will begin a secure session by sending an HTTPS request to a VIP. The request begins an SSL handshake. The AX device will respond with a digital certificate, to provide verification of the content servers identity. From the clients perspective, this certificate comes from the server. Once the SSL handshake is complete, the client begins an encrypted client-server session with the AX device. 916 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Figure194 shows a simplified example of an SSL handshake. In this exam- ple, the AX device is acting as an SSL proxy for backend servers. FIGURE 194 Typical SSL Handshake (simplified) To begin, the client sends an HTTPS request. The request includes some encryption details such as the cipher suites supported by the client. The AX device, on behalf of the server, checks for a client-SSL template bound to the VIP. If a client-SSL template is bound to the VIP, the AX device sends all the digital certificates contained in the template to the cli- ent. The client browser checks its certificate store (sometimes called the certifi- cate list) for a copy of the server certificate. If the client does not have a P e r f o r m a n c e b y D e s i g n 917 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview copy of the server certificate, the client will check for a certificate from the Certificate Authority (CA) that signed the server certificate. Certificate Chain Ultimately, a certificate must be validated by a root CA. Certificates from root CAs are the most trusted. They do not need to be signed by a higher (more trusted) CA. If the CA that signed the certificate is a root CA, the client browser needs a copy of the root CAs certificate. If the CA that signed the server certificate is not a root CA, the client browser should have another certificate or a cer- tificate chain that includes the CA that signed the CAs certificate. A certificate chain contains the chain of signed certificates that leads from the CA to the signature authority that signed the certificate for the server. Typically, the certificate authority that signs the server certificate also will provide the certificate chain. Figure195 shows an example of a certificate chain containing three certificates: FIGURE 195 SSL Certificate Chain Example - - - - - BEGI N CERTI FI CATE- - - - - ZS9naWYwI TAf MAcGBSsOAwI aBBRLa7kol gYMu9BSOJ spr EsHi yEFGDAmFi RodHRw Oi 8vbG9nby52ZXJ pc2l nbi 5j b20vdnNsb2dvMS5naWYwDQYJ KoZI hvcNAQEFBQAD gYEAheI VEe8vAr UOZxKkUI Gj aYymzJ Ah8Ty0uUPr i kLpQ0I GezByVdbDUJ +HQLGp 2er uTPZpBNADaEf ymst I PI xr suCRhyr 3Ymsa2r gzwy9kSXeG83H7E7HxRnpxDNZ8 l +uzpU/ r k4j 3bO/ J VxPZMnwzMWr i PSYgL1EKYcOSKyReaxQ= - - - - - END CERTI FI CATE- - - - - - - - - - BEGI N CERTI FI CATE- - - - - ZS9naWYwI TAf MAcGBSsOAwI aBBRLa7kol gYMu9BSOJ spr EsHi yEFGDAmFi RodHRw Oi 8vbG9nby52ZXJ pc2l nbi 5j b20vdnNsb2dvMS5naWYwDQYJ KoZI hvcNAQEFBQAD gYEAheI VEe8vAr UOZxKkUI Gj aYymzJ Ah8Ty0uUPr i kLpQ0I GezByVdbDUJ +HQLGp 2er uTPZpBNADaEf ymst I PI xr suCRhyr 3Ymsa2r gzwy9kSXeG83H7E7HxRnpxDNZ8 l +uzpU/ r k4j 3bO/ J VxPZMnwzMWr i PSYgL1EKYcOSKyReaxQ= - - - - - END CERTI FI CATE- - - - - - - - - - BEGI N CERTI FI CATE- - - - - ZS9naWYwI TAf MAcGBSsOAwI aBBRLa7kol gYMu9BSOJ spr EsHi yEFGDAmFi RodHRw Oi 8vbG9nby52ZXJ pc2l nbi 5j b20vdnNsb2dvMS5naWYwDQYJ KoZI hvcNAQEFBQAD gYEAheI VEe8vAr UOZxKkUI Gj aYymzJ Ah8Ty0uUPr i kLpQ0I GezByVdbDUJ +HQLGp 2er uTPZpBNADaEf ymst I PI xr suCRhyr 3Ymsa2r gzwy9kSXeG83H7E7HxRnpxDNZ8 l +uzpU/ r k4j 3bO/ J VxPZMnwzMWr i PSYgL1EKYcOSKyReaxQ= - - - - - END CERTI FI CATE- - - - - 918 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview The certificate chain file and the server certificate files are text files. Each certificate must begin with the -----BEGIN CERTIFICATE----- line and end with the -----END CERTIFICATE----- line. The certificate at the top of the certificate chain file is the root CAs certifi- cate. The next certificate is an intermediary certificate signed by the root CA. The next certificate is signed by the intermediate signature authority that was signed the root CA. On the AX device, a client-SSL template can have one certificate chain file. The certificate chain must begin at the top with the root CAs certificate, fol- lowed in order by the intermediary certificates. If the certificate authority that signs the server certificate does not provide the certificate chain in a single file, you can use a text editor to chain the certificates together in a single file as shown in Figure195. Certificate Warning fromClient Browser After the client browser validates the server certificate, the client accepts the certificate and begins an encrypted session with the AX device. If the client can not validate the server certificate or the certificate is out of date, the clients browser may display a certificate warning. Figure196 shows an example of a certificate warning displayed by Internet Explorer. FIGURE 196 Example of Certificate Warning Note: It is normal for the AX device to display a certificate warning when an admin accesses the AX management GUI. Certificates used for SLB are not used by the management GUI. P e r f o r m a n c e b y D e s i g n 919 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview CA-Signed and Self-Signed Certificates Typically, clients have a certificate store that includes certificates signed by the various root CAs. The certificate store may also have some non-CA cer- tificates that can be validated by a root CA certificate, either directly or through a chain of certificates that end with a root certificate. Each certificate is digitally signed to validate its authenticity. Certificates can be CA-signed or self-signed: CA-signed A CA-signed certificate is a certificate that is created and signed by a recognized Certificate Authority (CA). To obtain a CA- signed certificate, an admin creates a key and a Certificate Signing Request (CSR), and sends the CSR to the CA.The CSR includes the key. The CA then creates and signs a certificate. The admin installs the cer- tificate on the AX device. When a client sends an HTTPS request, the AX device sends a copy of the certificate to the client, to verify the iden- tity of the server (AX device). To ensure that clients receive the required chain of certificates, you also can send clients a certificate chain in addition to the server certificate. (See Certificate Chain on page917.) The example in Figure194 on page916 uses a CA-signed certificate. Self-signed A self-signed certificate is a certificate that is created and signed by the AX device. A CA is not used to create or sign the certifi- cate. CA-signed certificates are considered to be more secure than self-signed certificates. Likewise, clients are more likely to be able to validate a CA- signed certificate than a self-signed certificate. If you configure the AX device to present a self-signed certificate to clients, the clients browser may display a certificate warning. This can be alarming or confusing to end users. Users can select the option to trust a self-signed certificate, in which case the warning will not re-appear. 920 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview SSL Templates You can install more than one key-certificate pair on the AX device. The AX device selects the certificate(s) to send a client or server based on the SSL template bound to the VIP. You can bind the following types of SSL templates to VIPs: Client-SSL template Contains keys and certificates for SSL-encrypted traffic between clients and the AX device. A client-SLS template can also contain a certificate chain. Server-SSL template Contains CA certificates for SSL-encrypted traf- fic between servers and the AX device. Client-SSL Template Options Use client-SSL templates for deployments in which traffic between clients and the AX device will be SSL-encrypted. Client-SSL templates have the following options. For the simple deployment example in Figure194 on page916, only the first option (Certificate) needs to be configured. You may also need to con- figure the Certificate chain option. Certificate Specifies a server certificate that the AX device will send to a client, so that the client can validate the servers identity. The certif- icate can be generated on the AX device (self-signed) or can be signed by another entity and imported onto the AX device. Key Specifies a public key for a server certificate. If the CSR used to request the server certificate is generated on the AX device, the key is automatically generated. Otherwise, the key must be imported. Certificate chain Specifies a named set of server certificates beginning with a root CA certificate, and containing all the intermediary certifi- cates in the authority chain that ends with the authority that signed the server certificate. (See Certificate Chain on page917.) CA certificate Specifies a CA certificate that the AX device can use to validate the identity of a client. A CA certificate is needed only if the AX device will be required to validate the identities of clients. If CA certificates are required for this purpose, they must be imported onto the AX device. The AX device is not configured at the factory to contain a certificate store. Certificate Revocation List (CRL) Specifies a list of client certificates that have been revoked by the CAs that signed them. This option is applicable only if the AX device will be required to validate the identi- ties of clients. P e r f o r m a n c e b y D e s i g n 921 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Note: The CRL should be signed by the same issuer as the CA certificate. Oth- erwise, the client and AX device will not be able to establish a connec- tion. Connection-request response Specifies the AX response to connection requests from clients. This option is applicable only if the AX device will be required to validate the identities of clients. The response can be one of the following: ignore (default) The AX device does not request the client to send its certificate. request The AX device requests the client to send its certificate. With this action, the SSL handshake proceeds even if either of the following occurs: The client sends a NULL certificate (one with zero length). The certificate is invalid, causing client verification to fail. Use this option if you want to the request to trigger an aFleX policy for further processing. require The AX device requires the client certificate. This action requests the client to send its certificate. However, the SSL hand- shake does not proceed (it fails) if the client sends a NULL certifi- cate or the certificate is invalid. Cipher list Specifies the cipher suites supported by the AX device. When the client sends its connection request, it also sends a list of the cipher suites it can support. The AX device selects the strongest cipher suite supported by the client that is also enabled in the template, and uses that cipher suite for traffic with the client. By default, all the fol- lowing are enabled: SSL3_RSA_DES_192_CBC3_SHA SSL3_RSA_DES_40_CBC_SHA SSL3_RSA_DES_64_CBC_SHA SSL3_RSA_RC4_128_MD5 SSL3_RSA_RC4_128_SHA SSL3_RSA_RC4_40_MD5 TLS1_RSA_AES_128_SHA TLS1_RSA_AES_256_SHA TLS1_RSA_EXPORT1024_RC4_56_MD5 TLS1_RSA_EXPORT1024_RC4_56_SHA Session cache size Specifies the maximum number of cached sessions for SSL session ID reuse. 922 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview Server-SSL Template Options A server-SSL template is needed only if traffic between the AX device and real servers will be encrypted using SSL. In this case, the AX device will be required to validate the identities of the servers. CA certificate Specifies a CA certificate that the AX device can use to validate the identity of a server. Cipher list Specifies the cipher suites supported by the AX device. When the server sends its connection request, it also sends a list of the cipher suites it can support. The AX device selects the strongest cipher suite supported by the server that is also enabled in the template and uses that cipher suite for traffic with the server. The same cipher suites supported in client-SSL templates are supported in server-SSL tem- plates. Support for all of them is enabled by default. Certificate Installation Process To configure an AX device to perform SSL processing on behalf of real servers, you must install a certificate on the AX device. This certificate is the one that the AX device will present to clients during the SSL handshake. You also must configure a client-SSL template, add the key and certificate to the template, and bind the template to the VIP that will be requested by clients. You can install a CA-signed certificate or a self-signed certificate (described in CA-Signed and Self-Signed Certificates on page919). This section gives an overview of the process for each type of certificate. Detailed procedures are provided later in this chapter. Requesting and Installing a CA-Signed Certificate To request and install a CA-signed certificate, use the following process. For detailed steps, see Generating a Key and CSR for a CA-Signed Certifi- cate on page925 and Importing a Certificate and Key on page928. 1. Create an encryption key. 2. Create a Certificate Signing Request (CSR). The CSR will include the public portion of the key, as well as informa- tion that you enter when you create the CSR. You can create the key and CSR on the AX device or on a server that is running openssl or a similar application. P e r f o r m a n c e b y D e s i g n 923 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview 3. Submit the CSR to the CA. If the CSR was created on the AX device, do one of the following: Copy and paste the CSR from the AX CLI or GUI onto the CSR submission page of the CA server. Export the CSR to another device, such as the PC from which you access the AX CLI or GUI. Email the CSR to the CA, or copy-and- paste it onto the CSR submission page of the CA server. If the CSR was created on another device, email the CSR to the CA, or copy-and-paste it onto the CSR submission page of the CA server. 4. After receiving the signed certificate and the CAs public key from the CA, import them onto the AX device. If the key and certificate are provided by the CA in separate files (PKCS #7 format), import the certificate. You do not need to import the key if the CSR was created on the AX device. In this case, the key is already on the AX device. If the certificate is not in PEM for- mat, specify the certificate format (type) when you import it. If the CSR was not created on the AX device, you do need to import the key also. If the key and certificate are provided by the CA in a single file (PKCS #12 format), specify the certificate format (type) when you import it. If the CSR was not created on the AX device, you need to import the key also. See Converting SSL Certificates to PEM Format on page937. 5. If applicable, import the certificate chain onto the AX device. The certif- icate chain must be a single text file, beginning with a root CAs certifi- cate at the top, followed in order by each intermediate signing authoritys certificate. (See Certificate Chain on page917.) Figure197 shows the most common way to obtain and install a CA-signed certificate onto the AX device. You also may need to install a certificate chain file. 924 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Overview FIGURE 197 Obtaining and Installing Signed Certificate fromCA Note: As an alternative to using a CA, you can use an application such as openssl to create a certificate, then use that certificate as a CA-signed cer- tificate to sign another certificate. However, in this case, a clients browser is still likely to display a certificate warning to the end user. Installing a Self-Signed Certificate To install a self-signed certificate instead of a CA-signed certificate: 1. Create an encryption key. 2. Create the certificate. See Generating a Self-Signed Certificate on page930. P e r f o r m a n c e b y D e s i g n 925 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Generating a Key and CSR for a CA-Signed Certificate Generating a Key and CSR for a CA-Signed Certificate USING THE GUI 1. Select Config >Service >SSL Management, if not already selected. 2. On the menu bar, select Certificate. 3. Click Create. 4. Enter a name for the certificate. 5. In the Issuer drop-down list, select Certificate Authority, if not already selected. This option displays the Pass Phrase and Confirm Pass Phrase fields. 6. Enter the rest of the certificate information in the remaining fields of the Certificate section. Note: If you need to create a request for a wildcard certificate, use an asterisk as the first part of the common name. For example, to request a wildcard cer- tificate for domain example.com and it sub-domains, enter the following common name: *.example.com 7. Enter a passphrase. 8. From the Key drop-down list, select the length (bits) for the key. 9. Click OK. The AX device generates the certificate key and the certifi- cate signing request (CSR), and displays the CSR. The CSR is displayed in the Request Text field. 10. To save the CSR to your PC: a. Click Download. Note: If the browser security settings normally block downloads, you may need to override the setting. For example, in Internet Explorer, hold the Ctrl key while clicking Download. b. Click Save. c. Navigate to the save location. d. Click Save again. Note: If you prefer to copy-and-paste the CSR, make sure to include everything, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----. 926 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Generating a Key and CSR for a CA-Signed Certificate 11. When you receive the certificate from the CA, import it onto the AX device. (See Importing a Certificate and Key on page928.) USING THE CLI To generate a key and a CSR, use the following command at the global con- figuration level of the CLI: slb ssl-create csr csr-name url The csr-name can be 1-31 characters. The url specifies the file transfer pro- tocol, username (if required), directory path, and filename. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL: tftp://host/file ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file http://[ user@] host/file https://[ user@] host/file This command displays a series of prompts, for the following information: IP address of the server to which to export the CSR Username for write access to the server Password for write access to the server Path and filename Key length, which can be 512, 1024, or 2048 bits Common name, 1-64 characters Division, 0-31 characters Organization, 0-63 characters Locality, 0-31 characters State or Province, 0-31 characters Country, 2 characters Email address, 0-64 characters Passphrase to use for the key, 0-31 characters P e r f o r m a n c e b y D e s i g n 927 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Generating a Key and CSR for a CA-Signed Certificate Note: If you need to create a request for a wildcard certificate, use an asterisk as the first part of the common name. For example, to request a wildcard cer- tificate for domain example.com and it sub-domains, enter the following common name: *.example.com After the CSR is generated, send the CSR to the CA. After you receive the signed certificate from the CA, use the import command to import the CA onto the AX device. The key does not need to be imported. The key is gen- erated along with the CSR. The following commands generate and export a CSR, then import the signed certificate. AX( conf i g) #slb ssl-create csr slbcsr1 ftp: Addr ess or name of r emot e host [ ] ?192.168.1.10 User name [ ] ?axadmin Passwor d [ ] ?******** Fi l e name [ / ] ?slbcsr1 i nput key bi t s( 512, 1024, 2048) def aul t 1024: <Enter> i nput Common Name, 1~64: slbcsr1 i nput Di vi si on, 0~31: div1 i nput Or gani zat i on, 0~63: org2 i nput Local i t y, 0~31: westcoast i nput St at e or Pr ovi nce, 0~31: ca i nput Count r y, 2 char act er s: us i nput emai l addr ess, 0~64: axadmin@example.com i nput Pass Phr ase, 0~31: csrpword Conf i r mPass Phr ase: csrpword AX( conf i g) #import ca-signedcert1 ftp: Addr ess or name of r emot e host [ ] ?192.168.1.10 User name [ ] ?axadmin Passwor d [ ] ?******** Fi l e name [ / ] ?ca-signedcert1 928 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Importing a Certificate and Key Importing a Certificate and Key To import certificate and key files, place them on the PC that is running the GUI or CLI session, or onto a PC or file server that can be locally reached over the network. Note: If you are importing a CA-signed certificate for which you used the AX device to generate the CSR, you do not need to import the key. The key is automatically generated on the AX device when you generate the CSR. USING THE GUI 1. Select Config >Service >SSL Management, if not already selected. 2. On the menu bar, select Certificate. 3. To import a certificate or certificate chain: a. Click Import. b. In the Name field, enter a name for the certificate. This is the name you will refer to when adding the certificate to a client-SSL or server-SSL template. c. Select the certificate location: Local The file is on the PC you are using to run the GUI, or is on a PC or server in the local network. Remote The file is on a remote server. d. Select the format of the certificate from the Certificate Format drop- down list. e. If you selected Local, click Browse next to the Certificate Source field and navigate to the location of the certificate. If you selected Remote: To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Oth- erwise, the AX device will attempt to reach the remote server through a data interface. Select the file transfer protocol: HTTP, HTTPS, FTP, TFTP, RCP, or SCP. In the URL field, enter the directory path and filename. If needed, change the protocol port number n the port field. By default, the default port number for the selected file transfer proto- col is used. In the User and Password fields, enter the username and password required for access to the remote server. P e r f o r m a n c e b y D e s i g n 929 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Importing a Certificate and Key f. Click Open. The path and filename appear in the Source field. g. If applicable, repeat the steps above for the private key. h. Click OK. The certificate and key appear in the certificate and key list. USING THE CLI To import a certificate and its key, or a certificate chain, use the following command at the global Config level of the CLI: [ no] slb ssl-load {certificate cert-name [ type {der | pem | pfx}] | private-key-string} url The type option specifies the format of the certificate. The url specifies the file transfer protocol, username (if required), directory path, and filename. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a pass- word is required, you will still be prompted for the password. To enter the entire URL: tftp://host/file ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file http://[ user@] host/file https://[ user@] host/file Alternatively, you can use the following commands at the Privileged EXEC or global Config level of the CLI: import ssl-cert file-name url import ssl-key file-name url 930 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Generating a Self-Signed Certificate Generating a Self-Signed Certificate USING THE GUI 1. Select Config >Service >SSL Management, if not already selected. 2. On the menu bar, select Certificate. 3. Click Create. 4. Enter a name for the certificate. 5. In the Issuer drop-down list, select Self, if not already selected. 6. Enter the rest of the certificate information in the remaining fields of the Certificate section. Note: If you need to create a wildcard certificate, use an asterisk as the first part of the common name. For example, to create a wildcard certificate for domain example.com and it sub-domains, enter the following common name: *.example.com 7. From the Key drop-down list, select the length (bits) for the key. 8. Click OK. The AX device generates the self-signed certificate and its key. The new certificate and key appear in the certificate list. The certif- icate is ready to be used in client-SSL and server-SSL templates. USING THE CLI To generate a self-signed certificate, use the following command at the global configuration level of the CLI: slb ssl-create certificate certificate-name The certificate-name can be 1-31 characters. This command enters configuration mode for the certificate. The CLI prompts you for the following information: Key length, which can be 512, 1024, or 2048 bits Common name, 1-64 characters Division, 0-31 characters Organization, 0-63 characters Locality, 0-31 characters State or Province, 0-31 characters P e r f o r m a n c e b y D e s i g n 931 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Generating a Self-Signed Certificate Country, 2 characters Email address, 0-64 characters Number of days the certificate is valid, 30-3650 days Note: If you need to create a wildcard certificate, use an asterisk as the first part of the common name. For example, to create a wildcard certificate for domain example.com and it sub-domains, enter the following common name: *.example.com The key length, common name, and number of days the certificate is valid are required. The other information is optional. The default key length is 1024 bits. The default number of days the certificate is valid is 730. The following commands create a self-signed certificate named slbcert1 and verify the configuration: AX( conf i g) #slb ssl-create certificate slbcert1 i nput key bi t s( 512, 1024, 2048) def aul t 1024: <Enter> i nput Common Name, 1~64: slbcert1 i nput Di vi si on, 0~31: Div1 i nput Or gani zat i on, 0~63: Org2 i nput Local i t y, 0~31: WestCoast i nput St at e or Pr ovi nce, 0~31: CA i nput Count r y, 2 char act er s: US i nput emai l addr ess, 0~64: axadmin@example.com i nput val i d days, 30~3650, def aul t 730: <Enter> AX( conf i g) #show slb ssl cert name: sl bcer t 1 t ype: cer t i f i cat e/ key Common Name: sl bcer t 1 Or gani zat i on: Or g2 Expi r at i on: Apr 10 00: 34: 34 2010 GMT I ssuer : Sel f key si ze: 1024 932 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Importing a CRL Importing a CRL To import a CRL, place it on the PC that is running the GUI or CLI session, or onto a PC or file server that can be locally reached over the network. USING THE GUI 1. Select Config >Service >SSL Management, if not already selected. 2. On the menu bar, select Cert Revocation List. 3. Click Import. 4. Click Browse and navigate to the location of the CRL. 5. Click Open. The path and filename appear in the Source field. 6. Click OK. USING THE CLI To import a CRL, use the following command at the Privileged EXEC or global Config level of the CLI: import ssl-crl file-name url The url specifies the file transfer protocol, username (if required), directory path, and filename. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a pass- word is required, you will still be prompted for the password. To enter the entire URL: tftp://host/file ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file P e r f o r m a n c e b y D e s i g n 933 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Exporting Certificates, Keys, and CRLs Exporting Certificates, Keys, and CRLs Exporting a Certificate and Key USING THE GUI 1. Select Config >Service >SSL Management, if not already selected. 2. On the menu bar, select Certificate. 3. To export a certificate: a. Select the certificate. (Click the checkbox next to the certificate name.) b. Click Export. Note: If the browser security settings normally block downloads, you may need to override the setting. For example, in Internet Explorer, hold the Ctrl key while clicking Export. c. Click Save. d. Navigate to the save location. e. Click Save again. 4. To export a key: a. Select the key. b. Click Export. c. Click Save. d. Navigate to the save location. e. Click Save again. USING THE CLI To export a certificate and its key, use the following commands at the Privi- leged EXEC or global Config level of the CLI: export ssl-cert file-name url export ssl-key file-name url The url specifies the file transfer protocol, username (if required), directory path, and filename. 934 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Exporting Certificates, Keys, and CRLs You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a pass- word is required, you will still be prompted for the password. To enter the entire URL: tftp://host/file ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file Exporting a CRL USING THE CLI To export a CRL, use the following command at the Privileged EXEC or global Config level of the CLI: export ssl-crl file-name url USING THE GUI 1. Select Config >Service >SSL Management, if not already selected. 2. On the menu bar, select Cert Revocation List. 3. Select the CRL. (Click the checkbox next to the CRL name.) 4. Click Export. Note: If the browser security settings normally block downloads, you may need to override the setting. For example, in IE, hold the Ctrl key while click- ing Export. 5. Click Save. 6. Navigate to the save location. 7. Click Save again. Note: The CLI does not support export of CRLs. P e r f o r m a n c e b y D e s i g n 935 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Creating a Client-SSL or Server-SSL Template and Binding it to a VIP Creating a Client-SSL or Server-SSL Template and Binding it to a VIP After creating or importing certificates and keys on the AX device, you must add them to an SSL template, then bind the template to a VIP, in order for them to take effect. Creating an SSL Template USING THE GUI 1. Select Config >Service >Template. 2. On the menu bar, select one of the following: SSL >Client SSL to create a template for SSL traffic between the AX device (VIP) and clients. SSL >Server SSL to create a template for SSL traffic between the AX device and servers. 3. Click Add. 4. Enter or select the configuration options. (For information, see SSL Templates on page920, the AX Series GUI Reference, or the online help.) 5. When finished, click OK. USING THE CLI Use one of the following commands at the global configuration level of the CLI: [ no] slb template client-ssl template-name [ no] slb template server-ssl template-name The command creates the template and changes the CLI to the configuration level for it. Use the commands at the template configuration level to config- ure template parameters. (For information, see SSL Templates on page920 or the AX Series CLI Reference.) 936 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Converting Certificates and CRLs to PEM Format Binding an SSL Template to a VIP USING THE GUI 1. Select Config >Service >SLB. 2. On the menu bar, select Virtual Server. 3. Click on the virtual server name or click Add to create a new one. 4. Enter the VIP name and IP address, if creating a new VIP. 5. In the Port section, select a port and click Edit, or click Add to add a new port. The Virtual Server Port page appears. 6. Select the template from the Client-SSL Template or Server-SSL Tem- plate drop-down list. 7. Click OK. 8. Click OK again. USING THE CLI Use one of the following commands at the configuration level for the virtual port on the VIP: [ no] template client-ssl template-name [ no] template server-ssl template-name Use the same command on each port for which SSL will be used. Converting Certificates and CRLs to PEMFormat The AX device supports Privacy Enhanced Mail (PEM) format for certifi- cate files and CRLs. If a certificate or CRL you plan to import onto the AX device is not in PEM format, it must be converted to PEM format first, before you import it onto the AX device. Note: Beginning in AX Release 2.4.1, you do not need to convert the certificate into PEM format before importing it. You can specify the format when you import the certificate. The AX device automatically converts the P e r f o r m a n c e b y D e s i g n 937 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Converting Certificates and CRLs to PEM Format imported certificate into PEM format. (See Importing a Certificate and Key on page928.) Converting SSL Certificates to PEMFormat If you have certificates that are in Windows format, use the procedure in this section to convert them to PEM format. For example, you can use this procedure to export SSL certificates that were created under a Windows IIS environment, for use on servers that are running Apache. This procedure requires a Windows PC and a Unix/Linux workstation. Per- form step1 through step4 on the Windows PC. Perform step5 through step8 on the Unix/Linux workstation. Steps to perform on the Windows PC: 1. Start the Microsoft Management Console (mmc.exe). 2. Add the Certificates snap-in: a. Select File Add/Remove Snap-In. The Add/Remove Snap-In dialog appears. b. Click Add. A list of available snap-ins appears. c. Select Certificates. d. Click Add. A dialog appears with the following choices: My user account, Ser- vice account, and Computer account. e. Select Computer Account and click Next. The Select Computer dia- log appears. f. Select Local Computer and click Finish. g. Click Close. h. Click OK. The Certificates snap-in appears in the Console Root list. 3. Expand the Certificate folders and navigate to the certificate you want to convert. 4. Select Action >All Tasks >Export. The Export wizard guides you with instructions. Make sure to export the private key too. The wizard will ask you to enter a passphrase to use to encrypt the key. 938 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Converting Certificates and CRLs to PEM Format Steps to perform on the Unix/Linux workstation: 5. Copy the PFX-format file that was created by the Export wizard to a UNIX machine. 6. Use OpenSSL to convert the PFX file into a PKCS12 format: $ openssl pkcs12 -in filename.pfx -out pfxoutput.txt This command creates a PKCS12 output file, which contains a concate- nation of the private key and the certificate. 7. Use the vi editor to divide the PKCS12 file into two files, one for the certificate (.crt) and the other for the private key. 8. To remove the passphrase from the key, use the following command: $ openssl rsa -in encrypted.key -out unencrypted.key Note: Although removing the passphrase is optional, A10 Networks recom- mends that you remove the passphrase for production environments where Apache must start unattended. Converting CRLs fromDER to PEMFormat If you plan to use a Certificate Revocation List (CRL), the CRL must be in PEM format. To convert Distinguished Encoding Rules (DER) format to PEM format, use the following command on a Unix/Linux machine where the file is located: openssl crl -in filename.der inform der -outform pem -out file- name.pem P e r f o r m a n c e b y D e s i g n 939 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Route Tables Using the Management Interface as the Source for Management Traffic By default, the AX device attempts to use a route from the main route table for management connections originated on the AX device. You can enable the AX device to use the management route table to initiate management connections instead. This chapter describes the AX devices two route tables, for data and man- agement traffic, and how to configure the device to use the management route table. Route Tables The AX device uses separate route tables for management traffic and data traffic. Management route table Contains all static routes whose next hops are connected to the management interface. The management route table also contains the route to the device configured as the management default gateway. Main route table Contains all routes whose next hop is connected to a data interface. These routes are sometimes referred to as data plane routes. Entries in this table are used for load balancing and for Layer 3 forwarding on data ports. This route table also contains copies of all static routes in the manage- ment route table, excluding the management default gateway route. You can configure the AX device to use the management interface as the source interface for automated management traffic. In addition, on a case- by-case basis, you can enable use of the management interface and manage- ment route table for various types of management connections to remote devices: The AX device automatically will use the management route table for reply traffic on connections initiated by a remote host that reaches the AX device on the management port. For example, this occurs for SSH or HTTP con- nections from remote hosts to the AX device. Note: In AX Release 1.2.4 and earlier, all static routes are stored in the main route table, even if the next hop is connected to the management interface. The management route table contains only the route to the subnet directly 940 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Management Routing Options connected to the management interface, and the IP default gateway con- figured on the management interface. When you upgrade to an AX release later than 1.2.4, static routes whose next hop is the management interface are duplicated in the management route table. Keep the Management and Data Interfaces in Separate Networks It is recommended to keep the management interface and the data interfaces in separate networks. If both tables have routes to the same destination sub- net, some operations such as pinging may have unexpected results. An exception is the default route (0.0.0.0/0), which can be in both tables. To display the routes in each table, use the following commands: show ip route mgmt This command displays the routes in the man- agement route table. show ip route or show ip fib These commands display data plane routes. Management Routing Options You can configure the AX device to use the management interface as the source interface for the following management protocols, used for auto- mated management traffic: SYSLOG SNMPD NTP RADIUS TACACS+ SMTP For example, when use of the management interface as the source interface for control traffic is enabled, all log messages sent to remote log servers are sent through the management interface. Likewise, the management route table is used to find a route to the log server. The AX device does not attempt to use any routes from the main route table to reach the server, even if a route in the main route table could be used. In addition, on a case-by-case basis, you can enable use of the management interface and management route table for the following types of manage- ment connections to remote devices: P e r f o r m a n c e b y D e s i g n 941 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Management Routing Options Upgrade of the AX software SSH or Telnet connection to a remote host Import or export of files Export of show techsupport output Reload of black/white lists SSL loads (keys, certificates, and Certificate Revocation Lists) Copy or restore of configurations Backups Caution: If you enable this feature, then downgrade to AX Release 1.2.4 or ear- lier, it is possible to lose access to the AX device after you downgrade. This can occur if you configure an external AAA server (TACACS+ server) to authorize CLI commands entered on the AX device, and the TACACS+ server is connected to the AX device through the man- agement default gateway. If this is the case, before you downgrade, remove the TACACS+ con- figuration from the AX device. After you downgrade, you can re-add the configuration, but make sure the TACACS+ server can be reached using a route other than through the management default gateway. Enabling Use of the Management Interface as the Source for Automated Management Traffic By default, use of the management interface as the source interface for auto- mated management traffic is disabled. To enable it, use the following command at the configuration level for the management interface: [ no] ip control-apps-use-mgmt-port Here is an example: AX( conf i g- i f : management ) #ip control-apps-use-mgmt-port 942 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Management Routing Options Using the Management Interface as the Source Interface for Manually Generated Management Traffic To use the management interface as the source interface for manually gener- ated management traffic, use the use-mgmt-port option. In the GUI, this option is provided as a Use Management Port checkbox on the applicable pages. In the CLI, this option is supported with the following commands. Commands at the User EXEC Level ssh [ use-mgmt-port] {host-name | ipaddr) login-name [ protocol-port] telnet [ use-mgmt-port] {host-name | ipaddr) [ protocol-port] Commands at the Privileged EXEC Level export {aflex | ssl-cert | ssl-key | axdebug} file-name [use-mgmt-port] url ssh [ use-mgmt-port] {host-name | ipaddr) login-name [ protocol-port] telnet [ use-mgmt-port] {host-name | ipaddr) [ protocol-port] Commands at the Global Configuration Level backup {config | log} [ use-mgmt-port] url [ no] bw-list name [ use-mgmt-port] url [ period seconds] [ load] copy {running-config | startup-config | from-profile-name} [ use-mgmt-port] {url | to-profile-name [ cf] } health external {delete program-name | import [ use-mgmt-port] [ description] url | export [ use-mgmt-port] program-name url} [ no] restore [ use-mgmt-port] url P e r f o r m a n c e b y D e s i g n 943 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Management Routing Options [ no] slb ssl-load {certificate file-name | private-key file-name} [ use-mgmt-port] url upgrade {cf | hd} {pri | sec} [ use-mgmt-port] url ShowCommands show techsupport [ [ use-mgmt-port] export url] [ page] 944 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.2 11/3/2010 AX Series - Configuration Guide Management Routing Options P e r f o r m a n c e b y D e s i g n 945 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Backing Up System Information Configuration Management By default, when you click the Save button in the GUI or enter the write memory command in the CLI, all unsaved configuration changes are saved to the startup-config. The next time the AX device is rebooted, the configu- ration is reloaded from this file. In addition to these simple configuration management options, the AX device has advanced configuration management options that allow you to save multiple configuration files. You can save configuration files remotely on a server and locally on the AX device itself. Note: For information about managing configurations for separate partitions on an AX device configured for Role-Based Administration (RBA), see Role-Based Administration on page701. Note: For information about synchronizing configuration information between AX devices in a High Availability (HA) pair, see Synchronizing Config- uration Information on page556. Note: For upgrade instructions, see the release notes for the AX release to which you plan to upgrade. Backing Up SystemInformation The AX device allows you to back up the system, individual configuration files, and even log entries onto remote servers. You can use any of the fol- lowing file transfer protocols: Trivial File Transfer Protocol (TFTP) File Transfer Protocol (FTP) Secure Copy Protocol (SCP) Unix Remote Copy (RCP) 946 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Backing Up System Information USING THE GUI 1. Select Config >System >Maintenance. 2. Select one of the following from the menu bar: Backup >System This option backs up the configuration file(s), aFleX policies, and SSL certificates and keys. Backup >Config This option backs up only the specified configu- ration file. Backup >Syslog This option backs up the log entries in the AX devices syslog buffer. (If there are any core files on the system, this option backs them up as well.) 3. Select the backup location: Local Saves the backup on the PC or workstation where you are using the AX GUI. Remote Saves the backup onto another PC or workstation. 4. If you selected Local: a. Click OK. b. Click Save and navigate to the save location. Optionally, you can edit the filename. c. Click Save. 5. If you selected Remote: a. In the Protocol drop-down list, select the file transfer protocol: FTP, TFTP, RCP, or SCP. b. If using FTP and the remote device does not use the default FTP port, change the port. c. In the Host field, enter the hostname or IP address of the remote device. d. In the Location field, enter the pathname. To change the system backup file from the default name (backup_system.tar), specify the new name at the end of the path. e. In the User and Password fields, enter the username and password required for write access to the remote device. f. Click OK. P e r f o r m a n c e b y D e s i g n 947 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Saving Multiple Configuration Files Locally USING THE CLI At the Privileged EXEC level of the CLI, use the following command: backup {config | log} url The config option backs up the startup-config file, aFleX scripts, and SSL certificates and keys. The log option backs up the log entries in the AX devices syslog buffer. The url option specifies the file transfer protocol, username, and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL: tftp://host/file ftp://[ user@] host[ :port] /file scp://[ user@] host/file rcp://[ user@] host/file Saving Multiple Configuration Files Locally The AX device has CLI commands that enable you to store and manage multiple configurations on the AX device. Note: Unless you plan to locally store multiple configurations, you do not need to use any of the advanced commands or options described in this section. J ust click Save in the GUI or enter the write memory command in the CLI to save configuration changes. These simple options replace the com- mands in the startup-config stored in the image area the AX device booted from with the commands in the running-config. Note: Management of multiple locally stored configuration files is not sup- ported in the GUI. 948 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Saving Multiple Configuration Files Locally Configuration Profiles Configuration files are managed as configuration profiles. A configuration profile is simply a configuration file. You can locally save multiple configu- ration profiles on the AX device. The configuration management commands described in this section enable you to do the following: Save the startup-config or running-config to a configuration profile. Copy locally saved configuration profiles. Delete locally saved configuration profiles. Compare two configuration profiles side by side to see the differences between the configurations. Link the command option startup-config to a configuration profile other than the one stored in the image area used for the most recent reboot. (This is the profile that startup-config refers to by default.) This option makes it easier to test a configuration without altering the configuration stored in the image area. Note: Although the enable and admin passwords are loaded as part of the sys- tem configuration, they are not saved in the configuration profiles. Changes to the enable password or to the admin username or password take effect globally, regardless of the values that were in effect when a given configuration profile was saved. Commands for Local Configuration Management To manage multiple locally stored configurations, use the following com- mands. All commands are available at the global configuration level of the CLI. write memory [ primary | secondary | profile-name] [ cf] | terminal This command replaces the configuration commands in the specified con- figuration profile with the commands in the running-config. If you enter write memory without additional options, the command replaces the configuration profile that is currently linked to by startup-con- fig with the commands in the running-config. If startup-config is set to its default (linked to the configuration profile stored in the image area that was used for the last reboot), then write memory replaces the configuration pro- file in the image area with the running-config. P e r f o r m a n c e b y D e s i g n 949 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Saving Multiple Configuration Files Locally If you enter write memory primary, the command replaces the configura- tion profile stored in the primary image area with the running-config. Like- wise, if you enter write memory secondary, the command replaces the configuration profile stored in the secondary image area with the running- config. If you enter write memory profile-name, where profile-name is the name of a configuration profile, the AX device replaces the commands in the speci- fied profile with the running-config. The cf option replaces the configuration profile in the specified image area (primary or secondary) on the compact flash rather than the hard disk. If you omit this option, the configuration profile in the specified area on the hard disk is replaced. The terminal option displays the running-config on the management termi- nal. show startup-config [ all | profile-name] [ cf] When entered without the all or profile-name option, this command dis- plays the contents of the configuration profile that is currently linked to "startup-config". To display the contents of a different configuration profile, use the profile-name option. To display a list of the locally stored configura- tion profiles, use the all option. The cf option displays the configuration profile in the specified image area (primary or secondary) on the compact flash rather than the hard disk. If you omit this option, the configuration profile in the specified area on the hard disk is displayed. If the all option is also used, the cf option displays all the configuration profiles stored on the compact flash. copy {running-config | startup-config | from-profile-name} {url | to-profile-name [ cf] } The copy startup-config to-profile-name command copies the configura- tion profile that is currently linked to startup-config and saves the copy under the specified profile name. The copy running-config to-profile-name command copies the running- config and saves the copy under the specified profile name. The cf option copies the profile to the compact flash instead of the hard disk. Note: Copying a profile from the compact flash to the hard disk is not sup- ported. 950 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Saving Multiple Configuration Files Locally (The url option backs up the configuration to a remote device. See Backing Up System Information on page945.) diff {startup-config | profile-name} {running-config | profile-name} Displays a side-by-side comparison of the commands in a pair of configura- tions. The diff startup-config running-config command compares the configura- tion profile that is currently linked to "startup-config" with the running-con- fig. Similarly, the diff startup-config profile-name command compares the configuration profile that is currently linked to "startup-config" with the specified configuration profile. To compare a configuration profile other than the startup-config to the run- ning-config, enter the configuration profile name instead of startup-config. To compare any two configuration profiles, enter their profile names instead of startup-config or running-config. In the CLI output, the commands in the first profile name you specify are listed on the left side of the terminal screen. The commands in the other pro- file that differ from the commands in the first profile are listed on the right side of the screen, across from the commands they differ from. The follow- ing flags indicate how the two profiles differ: This command has different settings in the two profiles. This command is in the second profile but not in the first one. This command is in the first profile but not in the second one. link startup-config {default | profile-name} [ primary | secondary] [ cf] This command links the "startup-config" token to the specified configura- tion profile. By default, "startup-config" is linked to "default", which means the configuration profile stored in the image area from which the AX device most recently rebooted. This command enables you to easily test new configurations without replac- ing the configuration stored in the image area. The primary | secondary option specifies the image area. If you omit this option, the image area last used to boot is selected. P e r f o r m a n c e b y D e s i g n 951 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Saving Multiple Configuration Files Locally The cf option links the profile to the specified image area in compact flash instead of the hard disk. The profile you link to must be stored on the boot device you select. For example, if you use the default boot device selection (hard disk), the profile you link to must be stored on the hard disk. If you specify cf, the profile must be stored on the compact flash. (To display the profiles stored on the boot devices, use the show startup-config all and show startup-config all cf commands.) After you link "startup-config" to a different configuration profile, configu- ration management commands that affect "startup-config" affect the linked profile instead of affecting the configuration stored in the image area. For example, if you enter the write memory command without specifying a profile name, the command saves the running-config to the linked profile instead of saving it to the configuration stored in the image area. Likewise, the next time the AX device is rebooted, the linked configuration profile is loaded instead of the configuration that is in the image area. To relink startup-config to the configuration profile stored in the image area, use the default option (link startup-config default). delete startup-config profile-name [ cf] This command deletes the specified configuration profile. The cf option deletes the profile from compact flash instead of the hard disk. Note: Although the command uses the startup-config option, the command only deletes the configuration profile linked to startup-config if you enter that profiles name. The command deletes only the profile you spec- ify. Note: If the configuration profile you specify is linked to startup-config, startup-config is automatically relinked to the default. (The default is the configuration profile stored in the image area from which the AX device most recently rebooted). CLI EXAMPLES The following command saves the running-config to a configuration profile named slbconfig2: AX( conf i g) #write memory slbconfig2 The following command shows a list of the configuration profiles locally saved on the AX device. The first line of output lists the configuration pro- 952 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Saving Multiple Configuration Files Locally file that is currently linked to startup-config. If the profile name is default, then startup-config is linked to the configuration profile stored in the image area from which the AX device most recently rebooted. AX( conf i g) #show startup-config all Cur r ent St ar t up- conf i g Pr of i l e: sl b- v6 Pr of i l e- Name Si ze Ti me - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1210t est 1957 J an 28 18: 39 i pnat 1221 J an 25 10: 43 i pnat - l 3 1305 J an 24 18: 22 i pnat - phy 1072 J an 25 19: 39 i pv6 2722 J an 22 15: 05 l ocal - bwl i st - 123 3277 J an 23 14: 41 mgmt 1318 J an 28 10: 51 sl b 1354 J an 23 18: 12 sl b- v4 12944 J an 23 19: 32 sl b- v6 13414 J an 23 19: 19 The following command copies the configuration profile currently linked to startup-config to a profile named slbconfig3: AX( conf i g) #copy startup-config slbconfig3 The following command compares the configuration profile currently linked to startup-config with configuration profile testcfg1. This exam- ple is abbreviated for clarity. The differences between the profiles are shown in this example in bold type. P e r f o r m a n c e b y D e s i g n 953 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Saving Multiple Configuration Files Locally AX( conf i g) #diff startup-config testcfg1 ! Cur r ent conf i gur at i on: 13378 byt es ( ! Conf i gur at i on l ast updat ed at 19: 18: 57 PST Wed J an 23 2008 ( ! Conf i gur at i on l ast saved at 19: 19: 37 PST Wed J an 23 2008 ( ! ver si on 1. 2. 1 ( ! ( host name AX ( ! ( cl ock t i mezone Amer i ca/ Ti j uana ( ! ( nt p ser ver 10. 1. 11. 100 1440 ( ! ( . . . ! ( i nt er f ace ve 30 ( ip address 30.30.31.1 255.255.255.0 | ip address 10.10.20.1 255.255.255.0 ipv6 address 2001:144:121:3::5/64 | ipv6 address fc00:300::5/64 ! ( ! ( > ip nat range- list v6-1 fc00:300::300/64 2001:144:121:1::900/6 ! ( ipv6 nat pool p1 2001:144:121:3::996 2001:144:121:3::999 netm < ! < slb server ss100 2001:144:121:1::100 < port 22 tcp < - - MORE- - The following command links configuration profile slbconfig3 with startup-config: AX( conf i g) #link startup-config slbconfig3 The following command deletes configuration profile slbconfig2: AX( conf i g) #delete startup-config slbconfig2 954 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Saving Multiple Configuration Files Locally P e r f o r m a n c e b y D e s i g n 955 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide VLAN-to-VLAN Bridging VLAN-to-VLAN bridging allows an AX device to selectively bridge traffic among multiple VLANs. The AX device selectively forwards packets from one VLAN to another based on the VLAN-to-VLAN bridging configuration on the AX device. This feature allows the traffic flow between VLANs to be tightly controlled through the AX device without the need to reconfigure the hosts in the separate VLANs. VLAN-to-VLAN bridging is useful in cases where reconfiguring the hosts on the network either into the same VLAN, or into different IP subnets, is not desired or is impractical. You can configure a bridge VLAN group to forward one of the following types of traffic: IP traffic only (the default) This option includes typical traffic between end hosts, such as ARP requests and responses. This option does not forward multicast packets. All traffic This option forwards all types of traffic. Configuration Notes VLAN-to-VLAN bridging is supported on AX devices deployed in trans- parent mode (Layer 2) or in gateway mode (Layer 3). Each VLAN to be bridged must be configured on the AX device. The nor- mal rules for tagging apply: If an interface belongs to only one VLAN, the interface can be untagged. If the interface belongs to more than one VLAN, the interface must be tagged. Each VLAN can belong to only a single bridge VLAN group. Each bridge VLAN group can have a maximum of 8 member VLANs. Traf- fic from any VLAN in the group is bridged to all other VLANs in the group. Up to 64 bridge VLAN groups are supported. If the AX device is deployed in gateway mode, a Virtual Ethernet (VE) interface is required in the bridge VLAN group. 956 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Configuring VLAN-to-VLAN Bridging To configure VLAN-to-VLAN bridging: 1. Configure each of the VLANs to be bridged. In each VLAN, add the AX devices interfaces to the VLAN. 2. Configure a bridge VLAN group. Add the VLANs to the group. If the AX device is deployed in gateway mode, add a Virtual Ethernet (VE) interface to the group. Optionally, you can assign a name to the group. You also can change the types of traffic to be bridged between VLANs in the group. 3. If the AX device is deployed in gateway mode, configure an IP address on the VE to place the AX device in the same subnet as the bridged VLANs. USING THE CLI To configure a bridge VLAN group, use the following commands. [ no] bridge-vlan-group group-num Use this command at the global configuration level of the CLI to create the bridge VLAN group and enter the configuration mode for it, where the fol- lowing commands are available. The group-num can be 1-64. [ no] name string This command configures a name for the group. The string can be 1-63 characters long. If the string contains blank spaces, use double quotation marks around the entire string. [ no] vlan vlan-id [ vlan vlan-id . . . | to vlan vlan-id] This command adds the VLANs to the group. [ no] router-interface ve num On an AX device deployed in gateway mode, this command adds the VE to the group. forward-all-traffic This command configures the AX device to forward all types of traffic between the VLANs in the group. By default, only IP traffic is forwarded. If you change the traffic type but later want to change it back to the default, you can use the following command: forward-ip-traffic P e r f o r m a n c e b y D e s i g n 957 of 960 Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide Group Information and Statistics To display information for a bridge VLAN group, use the following com- mand: show bridge-vlan-group [ group-id] CLI Example Transparent Mode The commands in this section configure an AX device deployed in transpar- ent mode to forward IP traffic between VLANs 2 and 3. The following commands configure the VLANs: AX( conf i g) #vlan 2 AX( conf i g- vl an: 2) #tagged ethernet 2 AX( conf i g- vl an: 2) #exit AX( conf i g) #vlan 3 AX( conf i g- vl an: 3) #tagged ethernet 3 AX( conf i g- vl an: 3) #exit The following commands configure the bridge VLAN group: AX( conf i g) #bridge-vlan-group 1 AX( conf i g- br i dge- vl an- gr oup: 1) #vlan 2 to 3 AX( conf i g- br i dge- vl an- gr oup: 1) #exit CLI Example Gateway Mode The commands in this section configure an AX device deployed in gateway mode to forward IP traffic between VLANs 2 and 3 on IP subnet 192.168.1.x. The following commands configure the VLANs: AX( conf i g) #vlan 2 AX( conf i g- vl an: 2) #tagged ethernet 2 AX( conf i g- vl an: 2) #exit AX( conf i g) #vlan 3 AX( conf i g- vl an: 3) #tagged ethernet 3 AX( conf i g- vl an: 3) #exit The following commands configure the bridge VLAN group, which includes a VE: AX( conf i g) #bridge-vlan-group 1 AX( conf i g- br i dge- vl an- gr oup: 1) #vlan 2 to 3 AX( conf i g- br i dge- vl an- gr oup: 1) #router-interface ve 1 AX( conf i g- br i dge- vl an- gr oup: 1) #exit 958 of 960 P e r f o r m a n c e b y D e s i g n Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010 AX Series - Configuration Guide The following commands assign an IP address to the VE: AX( conf i g) #interface ve 1 AX( conf i g- i f : ve1) #ip address 192.168.1.100 /24 AX( conf i g- i f : ve1) #exit 960 P e r f o r m a n c e b y D e s i g n 960 P e r f o r m a n c e b y D e s i g n Corporate Headquarters A10 Networks, Inc. 2309 Bering Dr. San J ose, CA 95131-1125 USA Tel: +1-408-325-8668 (main) Tel: +1-888-822-7210 (support toll-free in USA) Tel: +1-408-325-8676 (support direct dial) Fax: +1-408-325-8666 www.a10networks.com This document is for informational purposes only. A10 Networks MAKES NO WARRANTIES, EXPRESSED OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limit- ing the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of A10 Networks Corporation. A10 Networks may have patents, patent applications, trademarks, copyrights, or other intel- lectual property rights covering subject matter in this document. Except as expressly pro- vided in any written license agreement from A10 Networks, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2010 A10 Networks Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.