Post on 14-Jul-2015
A10 Networks: AX Planning, Deployment and Management Class
AX release 2.4
Course AX-DSC-001.12
1
Table of Contents
Module 1: Course Introduction - 3
Module 2: AX Product Line - 8
Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management - 19
Module 4: FTP, HTTP and HTTPS Protocols - 68
Module 5: AX Acceleration - 118
Module 6: AX Security - 141
Module 7: AX Power and Flexibility - 178
Module 8: AX Management and Troubleshooting - 210
2
Course Introduction
Module 1
3
Module objectives
Understand the course goals
Understand the facilities and materials available
Understand the objective for the students
4
Goal of this course
To present the A10 Networks AX product line
To teach the basic load balancing concepts
To present FTP, HTTP and HTTPS protocols
To teach advanced AX load balancing concepts
To prepare students to install, configure and manage the AX device
5
Facilities and materials
Basics:
Material:
Additional Resources:
6
Course map
Module 2: AX Product Line
Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
Module 4: FTP, HTTP and HTTPS Protocols
Module 5: AX Acceleration Components
Module 6: AX Security Components
Module 7: AX Power and Flexibility
Module 8: AX Management and Troubleshooting
7
AX Product Line
Module 2
8
Module objectives
Understand the AX solution / market
Understand the AX product portfolio
Understand the feature set
Understand the licensing
9
AX solution / market: AX new generation load balancers
New Generation in Design and Performance
ACOS
Designed for multi-core CPUs Hardware Accelerated Symmetrical Multiprocessing (SMP) Flexible Traffic ASIC, SSL ASIC, Switching and Routing ASIC Highest throughput and performance
Single CPU or MultiCPU with instruction blocking Retrofitted Platform Limited scalability Lower throughput Half the performance SSL ASIC only
10
AX solution / market: AX new generation customer benefits
Basic LB benefits
New Generation LB benefits
11
AX 32-bit Series Models
[Chart: Price versus Overall Performance, Small to Large Enterprise. Models shown: AX 3200-11, AX 2200-11, AX 1000-11. Data labels: 7.4 Gbps, 302,000 L4 CPS, 153,000 L4 CPS, 4 Gbps, 8.7 Gbps, 541,000 L4 CPS]
12
AX 64-bit Series Models
[Chart: Price versus Overall Performance, Medium to Large Enterprise and Large Enterprise or Service Provider. Models shown: AX 5200, AX 5100, AX 3000-11*, AX 2600*, AX 2500. Data labels: 40 Gbps, 3 Million L4 CPS, 40 Gbps, 19 Gbps, 11 Gbps, 300,000 L4 CPS, 355,000 L4 CPS, 2 Million L4 CPS, 30 Gbps, 850,000 L4 CPS]
13
AX product line
32-bit: AX Series Family interface and hardware options
Model    Gigabit Copper  Gigabit Fiber SFP Mini GBIC  10 Gigabit Fiber SFP+  Management Interface  Console Port  Storage
AX 1000  6               2                            0                      Yes                   Yes           Single
AX 2000  8               2                            0                      Yes                   Yes           Single
AX 2100  8               4                            0                      Yes                   Yes           Dual
AX 2200  16              4                            0                      Yes                   Yes           Dual
AX 3100  16              4                            2                      Yes                   Yes           Dual
AX 3200  16              4                            2                      Yes                   Yes           Dual
Cooling Fan: Fixed, Hot Swap Smart Fan
Power Supplies: 250 W RPS, Dual 460 W RPS, Dual 460 W RPS, Dual 600 W RPS, Dual 600 W RPS, Dual 600 W RPS
100 to 240 VAC, Frequency 50-60 Hz
Hardware Acceleration, values listed in this order: Linear Decoupled Architecture, Flexible Traffic ASIC, SSL Acceleration ASIC, Switching and Routing ASIC, Hardware Compression ASIC
Yes, No, Yes, No, No
Yes, No, Yes, No, No
Yes, No, Yes, No, Option
Yes, Yes, Yes, Yes, Option
Yes, Yes, Yes, Yes, Option
Yes, Yes, Yes, Yes, Option
14
AX product line
64-bit: AX Series Family interface and hardware options
Model    Model Option Code  Gigabit Copper  Gigabit Fiber SFP Mini GBIC  10 Gigabit Fiber SFP+  Management Interface  Console Port
AX 2500                     8               4                            0                      Yes                   Yes
AX 2600  GC                 24              0                            0                      Yes                   Yes
AX 2600  GF                 0               24                           0
AX 2600  GCF                16              8                            0
AX 3000  GC                 16              0                            4                      Yes                   Yes
AX 3000  GCF                8               8                            4
AX 5100                     0               4                            8                      Yes                   Yes
AX 5200                     0               4                            16                     Yes                   Yes
Storage: SSD
Cooling Fan: Hot Swap Smart Fan
Dual Power Supplies: 400 W RPS, 400 W RPS, 400 W RPS, 900W RPS, 900W RPS
100 to 240 VAC, Frequency 50-60 Hz
Hardware Acceleration, values listed in this order: Linear Decoupled Architecture, Flexible Traffic ASIC, SSL Acceleration ASIC, Multi-ASIC High Performance SSL, Switching and Routing ASIC, Hardware Compression ASIC
Yes, No, Yes, Option, No, Option
Yes, No, Yes, Option, No, Option
Yes, No, Yes, Option, No, Option
Yes, Yes x4, No, Option, Yes, Option
Yes, Yes x4, No, Option, Yes, Option
15
AX feature set
Layer 4 and Layer 7
Application Acceleration
SSL ASIC
RAM caching
HTTP static or dynamic compression
aXAPI
REST-based XML API for custom management
aFleX
L7 TCL scripting for deep packet inspection
Advanced NAT options AX High-Availability Firewall LB GSLB Global Server Load Balancing DNS Application Layer Firewall Operates in Layer 2/Layer 3 simultaneously
Virtualized management
Role-Based and Partition-Based Management
Seamless Management for Multiple Devices
IPv4 and IPv6 load balancing and management
Full web interface or industry standard command line interface
Covered in this Training
16
AX licensing
No extra licenses required for performance or features
Each AX is offered with full scalability and benefits
17
Summary
In this module we discussed:
18
Basic Load Balancing Concepts and Related AX Configuration & Management
Module 3
19
Module objectives
Understand Main Load Balancing Goals and Concepts
Configure AX Basic L4 SLB VIP configuration steps
Understand and Configure two common L4 SLB VIP Options (Source IP Persistence + NAT)
20
Module 3 Lesson1
Main LB Goals and Concepts
21
Main load balancing goals and concepts
Share load among multiple servers (load balancing)
Provide high availability of services
22
Methods of load balancer integration into network
Routed Mode
23
Methods of load balancer integration into network
Routed Mode
Benefits:
No change required on clients and servers
Servers keep the Client IP@ visibility
Points to keep in mind:
SLB has to be the servers' default gateway
Clients can't be in the servers' subnet
24
Methods of load balancer integration into network
One-Arm Mode
25
Methods of load balancer integration into network
One-Arm Mode
Benefits:
No change required on clients and servers
Easy to test
Clients can be in the servers' subnet
Points to keep in mind:
Servers lose the Client IP@ visibility
Requires Source NAT on SLB
26
Methods of load balancer integration into network
Transparent Mode
27
Methods of load balancer integration into network
Transparent Mode
Benefits:
No change required on clients and servers
Servers keep the Client IP@ visibility
Points to keep in mind:
Harder to implement: servers' responses must go through AX
28
Methods of load balancer integration into network
DSR Mode
29
Methods of load balancer integration into network
DSR Mode
Benefits:
Highly scalable (SLB processes only incoming traffic)
Points to keep in mind:
Can't use any AX Layer 7 features
Extra configuration required on every server (IP stack update)
30
Server Load Balancing
AX SLB configuration has three core elements:
31
Servers
Minimum configuration
Server configuration
Server status and statistics
32
Service groups
Minimum configuration
Service group configuration
Service group status and statistics
33
Service groups
Service group load-balancing algorithms
34
Virtual Server (VIP)
Minimum configuration
Virtual server configuration
Virtual server status and statistics
35
Virtual server (VIP) Virtual server port (VIP port)
Minimum configuration
Virtual server port configuration
AX(config-slb vserver)# port N
Virtual server port status and statistics
36
Health monitors
Service availability is checked using health monitors
Health monitors apply to:
37
Health monitors
Health monitors can test server availability
Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)
Health monitor configuration
38
Service group health monitor
Health Monitoring is done on all Service Group members
Service Group HM configuration
AX(config-slb svc group)# health-check
Service Group HM status
39
Server port health monitor
Health Monitoring is done on the Server Port
Server Port HM configuration
AX(config-slb vserver)# port N
AX(config-slb vserver-vport)# health-check
Server Port HM status
40
Server health monitor
Health Monitoring is done on the Server
Server HM configuration
AX(config-real server)# health-check
Server HM status
41
Lab1 - Create basic L4 VIP
In this lab, you will configure one L4 SLB VIP
a. Create a TCP Health Monitor for port 80: "hm-tcp-80"
b. Associate the Health Monitor "hm-tcp-80" with the Service Group "sg-80"
c. Check Virtual Server "vip1" status
42
Module 3 Lesson2
Common SLB VIP Options
43
Source IP persistence
When to use Source IP persistence
44
Source IP persistence
Source IP persistence configuration steps
Name
Type: Port (persistence per VIP:Port) or Server (persistence per VIP) or Service-Group (persistence per URL or Host switching; see Module 4 Lesson 2)
Timeout: How long inactive entries are saved (default = 5 minutes)
Don't Honor Conn Rules: Ignore connection limits defined on Servers and Server Ports and connect new clients' connections to the Server (default = disabled)
Netmask: Granularity of Client IP address hashing (default = 255.255.255.255 for the most granularity)
45
Source IP persistence
Source IP persistence configuration
WebUI: Config > Service > Template > Persistent > Source IP Persistence
CLI: AX(config)# slb template persist source-ip
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N tcp
AX(config-slb vserver-vport)# template persist source-ip
Source IP persistence entries
46
Network Address Translation
AX provides multiple NAT services
47
Network Address Translation SLB source NAT
When to use SLB source NAT
48
Network Address Translation SLB source NAT
SLB source NAT configuration steps
Name: Name of the template
Start IP address: First IP address for the SLB source NAT (can be the AX interface IP address)
End IP address: Last IP address for the SLB source NAT (can be the same as "Start IP address")
Note: If the "Start" and "End IP address" are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows.
Netmask: Specify the netmask of the SLB source IP addresses.
Note: This is used by the "IP Source NAT Group" when servers are in different subnets (see AX Config Guide for more information).
(optional) Gateway: Specify a specific gateway to use to reply to the clients' requests when SLB Source NAT has been used.
(optional) "HA Group": Specify the HA group to tie to the SLB source NAT pool.
49
Network Address Translation SLB source NAT
SLB source NAT configuration
WebUI: Config > Service > IP Source NAT > IPv4 Pool
CLI: AX(config)# ip nat pool
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N
AX(config-slb vserver-vport)# source-nat pool
50
Network Address Translation SLB source NAT
SLB source NAT statistics
51
Network Address Translation Layer3 NAT
When to use Layer3 NAT
52
Network Address Translation Layer3 NAT
Dynamic Layer3 NAT
53
Network Address Translation Layer3 NAT
Dynamic Layer3 NAT configuration steps
54
Network Address Translation Layer3 NAT
Dynamic Layer3 NAT configuration
WebUI: Config > Service > IP Source NAT > IPv4 Pool
CLI: AX(config)# ip nat pool
WebUI: Config > Service > IP Source NAT > Group
CLI: AX(config)# ip nat pool-group
WebUI: Config > Network > ACL
CLI: AX(config)# access-list []
WebUI: Config > Service > IP Source NAT > Binding
CLI: AX(config)# ip nat inside source list [acl#] pool [pool-group-name | pool-name]
55
Network Address Translation Layer3 NAT
Dynamic Layer3 NAT configuration (cont.)
On the inside interfaces
WebUI: Config > Service > IP Source NAT > Interface
CLI: AX(config)# interface ethernet #
AX(config-if:ethernetx)# ip nat inside
On the outside interfaces
WebUI: Config > Service > IP Source NAT > Interface
CLI: AX(config)# interface ethernet #
AX(config-if:ethernetx)# ip nat outside
56
Network Address Translation Layer3 NAT
Dynamic Layer3 NAT statistics
57
Network Address Translation Layer3 NAT
Static Layer3 NAT
58
Network Address Translation Layer3 NAT
Static Layer3 NAT configuration steps
59
Network Address Translation Layer3 NAT
Static Layer3 NAT configuration
WebUI: Config > Service > IP Source NAT > Static NAT
CLI: AX(config)# ip nat inside source static [original-IP@] [NAT-IP@]
WebUI: Config > Service > IP Source NAT > NAT Range
CLI: AX(config)# ip nat range-list []
60
Network Address Translation Layer3 NAT
Static Layer3 NAT configuration (cont.)
On the inside interfaces
WebUI: Config > Service > IP Source NAT > Interface
CLI: AX(config)# interface ethernet #
AX(config-if:ethernetx)# ip nat inside
On the outside interfaces
WebUI: Config > Service > IP Source NAT > Interface
CLI: AX(config)# interface ethernet #
AX(config-if:ethernetx)# ip nat outside
WebUI: Config > Service > IP Source NAT > Global
CLI: AX(config)# ip nat allow-static-host
61
Network Address Translation Layer3 NAT
Static Layer3 NAT statistics
62
Network Address Translation
Virtual Server Port option "Source NAT traffic against VIP"
63
Lab2a - Update basic L4 VIP with source IP persistence
In this lab, you will configure source IP persistence
64
Lab2b - (optional) Update basic L4 VIP with SLB source NAT
In this lab, you will configure SLB source NAT
65
Lab2c - (optional) Create Static NAT to access directly your server S1
In this lab, you will configure static Layer3 NAT
66
Summary
In this module, we discussed:
And also:
67
FTP, HTTP and HTTPS protocols
Module 4
68
Module objectives
Understand protocols
Understand Load Balancing specifics for each
Configure FTP, HTTP and HTTPS VIPs
69
Module 4 Lesson1
FTP protocol
70
FTP protocol
File Transfer Protocol (FTP)
RFC is 959 (http://www.w3.org/Protocols/rfc959/)
FTP is an unencrypted TCP protocol used to transfer files between clients and servers
FTP has 2 connections
71
FTP protocol
FTP Control Session
FTP Data session
Important Notes:
72
FTP protocol
FTP Data session 2 modes
Active mode: In the control session, the client tells the server what IP and TCP port to use to establish the data connection. The server establishes the data connection to the client, and data requested in the control session can be exchanged.
73
FTP protocol
FTP Data session 2 modes (cont.)
Passive mode: In the control session, the server tells the client what IP and TCP port to use to establish the data session. The client establishes the data connection to the server, and data requested in the control session can be exchanged.
74
Load balancer configuration for FTP applications
Control session resets
75
Load balancer configuration for FTP applications
Active Mode - Data session established from the server IP@ (not the VIP IP@)
76
Load balancer configuration for FTP applications
Passive Mode - Data session established to the server IP@ (not the VIP IP@)
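The two data-session cases above, as an added example that is not part of the original course material: a generic RFC 959 illustration (not the AX implementation) of how an FTP-aware load balancer reads the host-port field on the control session so that clients only ever see the VIP. The function names and the sample addresses are assumptions made for this sketch.

```python
import re
from typing import Dict, Optional, Tuple

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

Flow = Tuple[str, int, str, int]  # (vip, vip_port, real_ip, real_port)


def parse_hostport(text: str) -> Tuple[str, int]:
    """Extract (ip, port) from a PORT command or a 227 reply."""
    match = _HOSTPORT.search(text)
    if match is None:
        raise ValueError(f"no host-port field in {text!r}")
    nums = [int(g) for g in match.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range in {text!r}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_hostport(ip: str, port: int) -> str:
    """Inverse of parse_hostport: '192.0.2.80', 50000 -> '192,0,2,80,195,80'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_pasv_reply(reply: str, real_ip: str, vip: str) -> Tuple[str, Optional[Flow]]:
    """Passive mode: the server advertises its own IP in the 227 reply.

    Replace it with the VIP and return the data flow the balancer must
    forward (client connects to vip:port, traffic goes to real_ip:port).
    """
    if not reply.startswith("227"):
        return reply, None  # not a passive-mode reply, pass through
    ip, port = parse_hostport(reply)
    if ip != real_ip:
        raise ValueError(f"server {real_ip} advertised unexpected address {ip}")
    rewritten = _HOSTPORT.sub(format_hostport(vip, port), reply, count=1)
    return rewritten, (vip, port, real_ip, port)


def active_data_flow(port_cmd: str, real_ip: str, vip: str) -> Dict[str, object]:
    """Active mode: the server opens the data session from its own IP.

    The PORT command names the client endpoint; the balancer has to present
    the server's outbound connection to that endpoint as coming from the VIP.
    """
    client_ip, client_port = parse_hostport(port_cmd)
    return {
        "dst": (client_ip, client_port),
        "src_before_nat": real_ip,
        "src_after_nat": vip,
    }


# Constructed sample values (documentation address ranges)
REAL_IP = "10.0.0.11"
VIP = "192.0.2.80"
SAMPLE_227 = "227 Entering Passive Mode (10,0,0,11,195,80)"
SAMPLE_PORT = "PORT 198,51,100,7,4,1"

if __name__ == "__main__":
    print(rewrite_pasv_reply(SAMPLE_227, REAL_IP, VIP))
    print(active_data_flow(SAMPLE_PORT, REAL_IP, VIP))
```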
77
Load balancer configuration for FTP applications
Control session resets
Note: AX default aging time is 120 seconds
78
Load balancer configuration for FTP applications
AX configuration to update default aging timer
1. Create a TCP template with 15,000 seconds Idle Timeout
WebUI: Config > Service > Template > L4 > TCP
CLI: AX(config)# slb template tcp
AX(config-l4 tcp)# idle-timeout 15000
2. Assign the TCP template to the Virtual Server Port
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N tcp
AX(config-slb vserver-vport)# template tcp
Show aging time of SLB entries
79
Load balancer configuration for FTP applications
Active Mode - Data session established from the server IP@ (not VIP IP@)
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N ftp
80
Load balancer configuration for FTP applications
Passive Mode - Data session established to the server IP@ (not the VIP IP@)
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N ftp
81
Lab3a - Create FTP VIP
In this lab, you will configure one FTP VIP
82
Lab3b - (optional) Create FTP health monitor and use least connection algorithm
In this lab, you will configure an FTP VIP health monitor and the least connection algorithm
83
Module 4 Lesson2
HTTP protocol
84
HTTP protocol
HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80)
HTTP is a sequence of network request/response transactions
Request and response options are sent via headers
85
HTTP requests
Main request methods
Main request headers
86
HTTP responses
Main server response codes
Main response headers
87
HTTP example (using HttpFox)
88
Load balancer configuration for HTTP applications
Load Balancers don't need a specific configuration for basic HTTP load balancing - Any L4 SLB VIP works for HTTP services
However, advanced load balancers provide techniques for improving HTTP services
89
Load balancer configuration for HTTP applications greater availability
HTTP Health Monitor
Port: TCP port
Method (GET or HEAD or POST)
URL
User + Password: For web sites that require authentication
Expect: Server Response code or Server text
Maintenance Code: To automatically mark the server in maintenance, rather than down (so users with persistence to that server remain on that server)
90
Load balancer configuration for HTTP applications greater flexibility
AX offers advanced flexibility options for web applications
These options are available via HTTP templates
HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
91
Load balancer configuration for HTTP applications greater flexibility
HTTP template options
Load Balancing of Servers is done based on hash on the URL (beginning or end of the URL). This option is usually used for Web Cache load balancing.
Selection of Servers is done based on Host or URL (beginning or end). This option also is usually used for Web Cache load balancing.
Allows the AX to insert or remove:
client request header (such as "Accept-Encoding")
server response header (such as "Cache-Control")
This option usually is used to centrally change web server behavior without changing the web servers' configuration.
92
Load balancer configuration for HTTP applications greater flexibility
HTTP template options (cont.)
Allows HTTP/HTTPS load balancing per request (instead of per session). This option usually is used when the load among the Servers is unequal.
93
Load balancer configuration for HTTP applications greater security
AX offers advanced security options for web applications
These options are available via HTTP templates
HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
Note: Some of the following options can be considered as availability and flexibility options too.
94
Load balancer configuration for HTTP applications greater security
URL failover
95
Load balancer configuration for HTTP applications greater security
URL redirect / rewrite
96
Load balancer configuration for HTTP applications greater security
Retry HTTP request on HTTP 5xx
"On HTTP 5xx code for each request": The client request is resent to a new server
"On HTTP 5xx code": The client request is resent to a new server + the server that replied with the 5xx is not used for new requests for 30 seconds
"#": Number of servers that can be tried
Logging: Generates logs when this event happens (not available in WebUI in AX 2.4.2)
97
Load balancer configuration for HTTP applications greater security
Client IP header insertion
98
Lab4a - Create HTTP VIP with advanced health monitor
In this lab, you will configure an HTTP VIP with an HTTP health monitor
99
Lab4b - (optional) Use server "s2" for images
In this lab, you will configure an HTTP VIP with URL switching
100
Lab4c - (optional) Hide server type information
In this lab, you will configure an HTTP VIP with response header insertion
101
Lab4d - (optional) Redirect clients to backup site when all servers are down
In this lab, you will configure an HTTP VIP with URL failover
102
Module 4 Lesson3
HTTPS protocol
103
HTTPS protocol
HTTPS (HTTP over TLS)
RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)
HTTPS is the "secured" version of HTTP (usually port 443)
HTTPS offers
104
How does server authentication work?
TLS/SSL is based on public certificates / private keys
Certificates are issued and signed by a Certificate Authority (CA)
HTTPS clients first request the server public certificate and validate it using a list of trusted CAs
When the server certificate is validated (name, date, etc.), the client sends its HTTP requests
105
How does the encryption work?
Once the server is trusted, the client and server negotiate a "session key" to encrypt the traffic
The session key is negotiated via an asymmetric encryption protocol using long keys (usually 2048 bits)
Once the "session key" is negotiated, the HTTPS client requests / server responses are sent encrypted
Note: If the client re-establishes a new TCP session before the session key expires, it will propose to the server to use it (SSL session ID reuse option). The server can accept or refuse it. If refused, a new session key is negotiated.
106
Load balancer configuration for HTTPS applications
Load balancers don't need a specific configuration for HTTPS load balancing - Any L4 SLB VIP works for HTTPS services
However, advanced load balancers provide techniques to improve HTTPS services
107
Load balancer configuration for HTTPS applications
AX offers advanced flexibility/performance/security options for HTTPS applications
These options are available via HTTP templates
HTTP templates are associated with virtual server ports of type "HTTP" or "HTTPS".
108
HTTPS communication with clients
Client SSL templates
Public certificate that will be presented to Clients
Private key (and its passphrase)
SSL cipher supported ("encrypted algorithm")
(optional) Client certificate request
109
HTTPS communication with clients
HTTPS communication with clients configuration
WebUI: Config > Service > SSL Management > Certificate
CLI: AX(config)# import ssl-cert
AX(config)# import ssl-key
WebUI: Config > Service > Template > SSL > Client SSL
CLI: AX(config)# slb template client-ssl []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N https
AX(config-slb vserver-vport)# template client-ssl
110
HTTPS communication with servers
Server SSL templates
SSL cipher supported ("encrypted algorithm")
(optional) CA that will be used to validate the Servers' certificate
111
HTTPS communication with servers
HTTPS communication with servers configuration
WebUI: Config > Service > SSL Management > Certificate
CLI: AX(config)# import ssl-cert
WebUI: Config > Service > Template > SSL > Server SSL
CLI: AX(config)# slb template server-ssl []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N https
AX(config-slb vserver-vport)# template server-ssl
112
HTTPS virtual port options
SSL statistics
113
Lab5a - Create HTTPS VIP using HTTPS servers
In this lab, you will configure an HTTPS VIP using HTTPS servers
114
Lab5b - (optional) Create HTTPS VIP using HTTP servers
In this lab, you will configure an HTTPS VIP using HTTP servers
115
Lab5c - (optional) Transparently convert an HTTP service into HTTPS on AX
In this lab, you will configure an HTTPS VIP and an HTTP VIP that will redirect traffic to HTTPS
116
Summary
In this module, we presented:
And also:
117
AX Acceleration
Module 5
118
Module objectives
Understand the advanced AX options for acceleration
Configure advanced AX options for acceleration
119
Connection reuse
Web servers need to manage:
Note: Web browsers keep their TCP connections open - even when all objects have been loaded
120
Connection reuse
Connection Reuse offloads the server TCP stack
This option provides faster server response time and higher server scalability
Connection reuse
121
Connection reuse
Connection reuse configuration
WebUI: Config > Service > Template > Connection Reuse
CLI: AX(config)# slb template connection-reuse []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N http
AX(config-slb vserver-vport)# template connection-reuse
Note: IP Source NAT also must be configured on the Virtual Server Port
Connection Reuse statistics
122
SSL offload
SSL Offload relieves the server of SSL tasks
This option provides faster server response time and higher server scalability
AX receives HTTPS client traffic and sends HTTP traffic to the servers
123
SSL offload
SSL offload configuration
124
HTTP compression
Compresses HTTP/HTTPS objects
Uses less bandwidth and provides faster client download time
AX HTTP compression
125
HTTP compression
HTTP compression configuration
WebUI: Config > Service > Template > Application > HTTP
CLI: AX(config)# slb template http []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N http
AX(config-slb vserver-vport)# template http
WebUI: Config > Service > SLB > Global
CLI: AX(config)# slb hw-compression
126
HTTP compression
HTTP compression statistics
127
RAM Caching
Caches HTTP/HTTPS static and dynamic content in AX RAM
Delivers cached objects to clients directly from the AX Cache, offloading servers from these requests
Provides faster client download time and higher server scalability
128
RAM Caching
AX RAM Caching
200 OK
203 Non-Authoritative response
300 Multiple Choices
301 Moved Permanently
302 Found (only if Expires header is also present)
410 Gone
129
RAM Caching
AX RAM Caching limitations
130
RAM Caching
RAM Caching configuration
WebUI: Config > Service > Template > Application > RAM Caching
CLI: AX(config)# slb template cache
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N http
AX(config-slb vserver-vport)# template cache
RAM Caching statistics
131
RAM Caching
AX RAM Caching for dynamic objects
What is to be cached?
How long is the cached content valid?
What is the trigger that would cause the response to change?
The URL matches a specific pattern.
Specific query parameters are present.
Specific cookies in the request are present.
Specific HTTP headers in the request are present.
Cacheability rules determine what is cacheable and what is not
Invalidation rules
132
RAM Caching
When not to use dynamic caching
Example: the response to a login page Example: a confirmation number for a transaction that was just executed
Example: the portfolio page of a brokerage account user changes when the user executes transactions.
Example: the response contains personalized settings, such as the user name but no query parameter or cookie directly identifies the user.
133
RAM Caching
Dynamic caching caching policies
policy
Where: is of the form uri is cache, no-cache, or invalidate
Note: More sophisticated conditions will be supported in future using aFleX policies
134
RAM Caching
Dynamic caching example
http://x.y.com/list                   lists all items from database
http://x.y.com/add?a=p1&b=p2          adds item to database
http://x.y.com/del?c=p3               deletes item from database
http://x.y.com/private?user=u1        private info for user
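A small simulation of the cache / no-cache / invalidate actions applied to the four URLs above, and of the "when not to use dynamic caching" case where nothing in the URL identifies the user. This is an added example, not from the course material and not AX code: the policy table (which URL gets which action, the 60 second lifetime), the prefix matching, the default of not caching unmatched URLs and all names are assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

Policy = Tuple[str, str, object]  # (URI prefix, action, argument)

# Constructed policy for the slide's four URLs (assumed mapping)
POLICIES: List[Policy] = [
    ("/list", "cache", 60),           # cacheable for 60 seconds
    ("/add", "invalidate", "/list"),  # a write makes the cached list stale
    ("/del", "invalidate", "/list"),
    ("/private", "no-cache", None),   # per-user content is never stored
]


class DynamicCache:
    def __init__(self, policies: List[Policy],
                 origin: Callable[[str, Dict[str, str]], str],
                 clock: Callable[[], int]) -> None:
        self.policies = policies
        self.origin = origin          # stands in for the real servers
        self.clock = clock
        self.store: Dict[str, Tuple[int, str]] = {}  # key -> (expiry, body)

    def _action(self, path: str) -> Tuple[str, object]:
        for prefix, action, arg in self.policies:
            if path.startswith(prefix):
                return action, arg
        return "no-cache", None       # assumed default for unmatched URLs

    def get(self, url: str, cookies: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
        parts = urlsplit(url)
        # Cache key is path plus query string; cookies are NOT part of the key.
        key = parts.path + ("?" + parts.query if parts.query else "")
        action, arg = self._action(parts.path)
        now = self.clock()
        if action == "cache":
            hit = self.store.get(key)
            if hit is not None and hit[0] > now:
                return hit[1], "HIT"
            body = self.origin(url, cookies or {})
            self.store[key] = (now + int(arg), body)
            return body, "MISS"
        body = self.origin(url, cookies or {})
        if action == "invalidate":
            for stale in [k for k in self.store if k.startswith(str(arg))]:
                del self.store[stale]
        return body, "BYPASS"


def make_origin(db: List[str]) -> Callable[[str, Dict[str, str]], str]:
    """Toy application behind the cache, matching the slide's descriptions."""
    def origin(url: str, cookies: Dict[str, str]) -> str:
        parts = urlsplit(url)
        params = dict(parse_qsl(parts.query))
        if parts.path == "/add":
            db.extend(params.values())
            return "added"
        if parts.path == "/del":
            for value in params.values():
                if value in db:
                    db.remove(value)
            return "deleted"
        if parts.path == "/private":
            return "private info for " + params.get("user", cookies.get("user", "?"))
        return ",".join(db)
    return origin


def demo_slide_policy() -> List[Tuple[str, str]]:
    now = [0]
    cache = DynamicCache(POLICIES, make_origin(["p0"]), lambda: now[0])
    out = [cache.get("http://x.y.com/list"),
           cache.get("http://x.y.com/list"),
           cache.get("http://x.y.com/add?a=p1&b=p2"),
           cache.get("http://x.y.com/list"),
           cache.get("http://x.y.com/private?user=u1")]
    now[0] = 61                       # past the 60 second lifetime
    out.append(cache.get("http://x.y.com/list"))
    return out


def demo_private_cached() -> List[Tuple[str, str]]:
    """Misconfiguration: /private marked cacheable while the user is only in a cookie."""
    cache = DynamicCache([("/private", "cache", 60)], make_origin([]), lambda: 0)
    return [cache.get("http://x.y.com/private", {"user": "u1"}),
            cache.get("http://x.y.com/private", {"user": "u2"})]


if __name__ == "__main__":
    print(demo_slide_policy())
    print(demo_private_cached())
```

In `demo_private_cached` the second user is served the first user's page from cache, which is the reason the private URL carries the no-cache action in the constructed policy.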
135
RAM Caching
WebUI configuration for the example
136
Lab6a - Update HTTP "vip2" port "80" with connection reuse
In this lab, you will update HTTP "vip2" to use connection reuse
137
Lab6b - Update HTTP "vip2" port "80" with HTTP compression
In this lab, you will update HTTP "vip2" to use HTTP compression
138
Lab6c - Update HTTP "vip2" port "80" with RAM Caching
In this lab, you will update HTTP "vip2" to use RAM Caching
139
Summary
In this module, we presented the AX acceleration options:
And also configured them on the AX.
140
AX Security
Module 6
141
Module objectives
Understand the advanced AX options for security
Configure HA on AX devices
142
Points to keep in mind
Some advanced HTTP/HTTPS security options are detailed in Module 4 (HTTP Templates)
This module (Module 6) presents other AX advanced security options
Note: aFleX (covered in Module 7) also can be considered a security option
143
DDoS protection
AX provides enhanced protection against DDoS (Distributed Denial of Service) attacks
DDoS basic filters
DDoS configuration
144
DDoS protection
Advanced DDoS filters are also available with system-wide PBSLB
Advanced DDoS configuration
Basic and advanced DDoS statistics
145
Policy-based SLB
Policy-based SLB (PBSLB) allows "black lists" and "white lists" with individual clients or subnets
PBSLB denies client traffic based on:
146
Policy-based SLB
PBSLB specifics
Up to 8 M IP addresses
Up to 64 K IP subnets
Up to 32 group IDs
B/W lists are stored in hash tables
Can process Gbps of traffic
AX can update its B/W automatically at specific intervals via TFTP
PBSLB components
ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]
147
Policy-based SLB
PBSLB configuration
WebUI (creation or import): Config > Service > PBSLB
CLI (import): AX(config)# import bw-list []
WebUI: Config > Service > Template > PBSLB Policy
CLI (import): AX(config)# slb template policy []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N
AX(config-slb vserver-vport)# template policy
PBSLB statistics
148
Policy-based SLB
PBSLB file example
PBSLB template example
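A pre-import check for a black/white-list file written in the entry format given earlier (ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]). This is an added example, not part of the original course material and not AX code: the sample entries are constructed, the function names are hypothetical, and the most-specific-match lookup is an assumption used to preview which entry would apply to a client.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_GROUP_IDS = 32  # "Up to 32 group IDs" from the PBSLB specifics slide


@dataclass(frozen=True)
class BwEntry:
    network: object            # ipaddress.IPv4Network or IPv6Network
    group_id: Optional[int]
    conn_limit: Optional[int]
    comment: str


def parse_bw_line(line: str) -> Optional[BwEntry]:
    """Parse one entry; return None for blank or comment-only lines."""
    body, _, comment = line.partition(";")
    tokens = body.split()
    if not tokens:
        return None
    addr = tokens.pop(0)
    # The mask may be attached ("198.51.100.0/24") or a separate token ("/255.255.255.0").
    if tokens and tokens[0].startswith("/"):
        addr += tokens.pop(0)
    network = ipaddress.ip_network(addr, strict=False)  # ValueError if malformed
    group_id: Optional[int] = None
    conn_limit: Optional[int] = None
    for tok in tokens:
        digits = tok[1:] if tok.startswith("#") else tok
        if not digits.isdigit():
            raise ValueError(f"not a number: {tok!r}")
        if tok.startswith("#") and conn_limit is None:
            conn_limit = int(digits)
        elif not tok.startswith("#") and group_id is None:
            group_id = int(digits)
        else:
            raise ValueError(f"unexpected extra field {tok!r}")
    return BwEntry(network, group_id, conn_limit, comment.strip())


def lint_bw_list(text: str) -> Tuple[List[BwEntry], List[str]]:
    """Return the valid entries plus one message per rejected line."""
    entries: List[BwEntry] = []
    errors: List[str] = []
    first_seen: Dict[object, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_bw_line(raw)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if entry is None:
            continue
        if entry.network in first_seen:
            errors.append(f"line {lineno}: duplicate of line {first_seen[entry.network]}")
            continue
        first_seen[entry.network] = lineno
        entries.append(entry)
    groups = {e.group_id for e in entries if e.group_id is not None}
    if len(groups) > MAX_GROUP_IDS:
        errors.append(f"{len(groups)} group IDs used, limit is {MAX_GROUP_IDS}")
    return entries, errors


def lookup(entries: List[BwEntry], client_ip: str) -> Optional[BwEntry]:
    """Most specific matching entry for a client (assumed matching rule)."""
    ip = ipaddress.ip_address(client_ip)
    matches = [e for e in entries if ip in e.network]
    return max(matches, key=lambda e: e.network.prefixlen, default=None)


# Constructed sample list (documentation address ranges), with two bad lines
SAMPLE = """\
; constructed sample, not from the course material
192.0.2.10 1 ;single host, group 1
198.51.100.0/24 2 #20 ;subnet limited to 20 connections
198.51.100.77 3 #0 ;more specific entry inside the subnet above
203.0.113.0 /255.255.255.0 2
203.0.113.300 1 ;malformed address
192.0.2.10 4 ;duplicate of line 2
"""

if __name__ == "__main__":
    good, bad = lint_bw_list(SAMPLE)
    print(len(good), "entries accepted")
    print("\n".join(bad))
    print(lookup(good, "198.51.100.77"))
```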
149
Access Control Lists
AX supports standard and extended Access Control Lists (ACLs)
ACL can be applied to data interfaces, management interface, and virtual server ports
Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
IPv4 and IPv6 ACLs are supported
150
Access Control Lists
ACL components
ACL configuration
WebUI: Config > Network > ACL
CLI: AX(config)# access-list []
151
Access Control Lists
ACL configuration
Data Interface:
WebUI: Config > Network > Interfaces > LAN
CLI: AX(config)# interface ethernet 1
AX(config-if:ethernet1)# access-list in
Management:
CLI only: AX(config)# interface management
AX(config-if:ethernet1)# access-list in
Virtual Server Port:
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N
AX(config-slb vserver-vport)# access-list
152
Access Control Lists
ACL statistics
153
Management security
AX provides advanced management security options
Note: See AX Series Configuration Guide for more information
154
High Availability (HA)
High Availability Design Options
155
High Availability (HA)
Active-Standby Mode
156
High Availability (HA)
Active-Standby Failover
157
High Availability (HA)
Active-Active Mode
Note: Don't exceed 50% utilization on each unit for full HA
158
High Availability (HA)
Active-Active Failover
159
High Availability (HA)
L2/3 Hot Standby Mode
Note: Loop elimination protocols such as STP are not required
160
High Availability (HA)
L2/3 Hot Standby Failover
161
High Availability
All AX integration modes support HA
Active-Standby, Active-Active and L3 Hot Standby modes
Active-Standby and Active-Active modes and L3 Hot Standby modes
L2 Hot Standby mode
Active-Standby, Active-Active and L3 Hot Standby modes
162
High Availability
HA Active-Standby Mode configuration steps
All interfaces used with production traffic (+ AX interlink if exists)
Note: We recommend a dedicated direct interlink between the AX so sync traffic is off the production network.
Identifier (AX1 = 1 , AX2 = 2)
HA Status: Enabled
(optional) HA Mirroring IP address: Remote AX Sync interface
(optional) Preempt: to failover to a higher AX when available
Group1 with priority 200 on AX1 (priority 100 on AX2)
Floating VIP for Group1: IP addresses defined on servers' gateway (VRRP-like)
(optional) IP@ and VLAN check
Note: IP@ have to be defined as SLB-Server too
163
High Availability
HA Active-Standby Mode configuration steps (cont.)
In VIP settings, associate HA Group with the VIP
(optional) Enable Dynamic Server Weight: Reduce the AX HA Group priority when a server is down
(optional) Enable HA Connection Mirroring on the VIP ports: To synchronize SLB session table (available for TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
Note: For HTTP/HTTPS VIP types, the client session is terminated on the AX device. HA Connection Mirroring is not available for these VIP types.
In IP Source NAT, associate the HA Group with IPv4 Pools, IPv6 Pools, NAT Ranges, or Static NAT.
164
High Availability
HA Active-Active Mode configuration steps
Step2:
Group1 with priority 200 on AX1 (priority 100 on AX2)
Group2 with priority 100 on AX1 (priority 200 on AX2)
Step3:
Associate Group1 with half of the VIPs and Group2 with the second half
Step4:
Associate Group1 with the NAT Pools used by VIPs in Group1 and Group2 with the NAT Pools used by VIPs in Group2
165
High Availability
HA Layer2/3 Mode configuration steps
2. Configure HA Inline Mode
Enable Preferred port: Port used to sync configuration and sessions
(optional) Restart port list: Add AX interfaces in production
(optional) L3 mode enabled: If AX in Layer3 Inline mode
166
High Availability
HA Active-Standby Mode configuration
WebUI: Config > HA > Setting > HA Global
CLI: AX(config)# ha interface []
Active-Standby or Active-Active Modes:
WebUI: Config > HA > Setting > HA Global
CLI: AX(config)# ha []
Note: If IP@ check is configured, define these IP@ in SLB-Server too.
L2/3 Modes:
WebUI: Config > HA > Setting > HA Inline Mode
CLI: AX(config)# ha [inline-mode | l3inline-mode]
167
High Availability
HA Active-Standby Mode configuration (cont.)
WebUI: Config > Service > SLB > Virtual Server
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# ha-group
WebUI: Config > Service > SLB > IP Source NAT
CLI: AX(config)# ip nat []
168
High Availability
Configuration synchronization
HA Manual failover can also be initiated with the following:
169
High Availability
HA status
170
High Availability
HA statistics
171
Lab7 - Configure HA with your neighbor
In this lab, you will configure HA Active/Standby mode with your neighbor
An interlink has been added on the AXs (on ether3). AX1 is connected to AX2, AX3 to AX4, etc.
Note: The trainer will show you how to configure the ether3 interface.
HA config sync will erase the configuration of the AX Standby. Back up your configuration to be able to do the following labs after this one.
Note: The trainer will show you how to back up your AXs.
Servers' default gateway is changed to the AX floating VIP
172
Lab7 - Configure HA with your neighbor
In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
a. Configure inter-AX connection
   i. Create VLAN 100 called "AX-HA" with interface "e3untagged" and Virtual Ethernet (VE) interface "100"
   ii. Configure VE "100" with IP@ "10.0.3.1/255.255.255.252"
   iii. Enable interface "e3"
b. Enable HA for interfaces "e1" + "e2" + "e3"
c. Enable HA Global Settings
   i. Identifier "1" - Set-ID "group-pair" (AX1=1, AX3=2, AX5=3, etc)
   ii. HA Mirroring IP = "10.0.3.2" (Secondary-AX-e3)
   iii. Group1 with priority 200
   iv. Floating IP = "10.0.2.x" (AX1=10.0.2.10, AX3=10.0.2.30, etc)
d. Configure VIP HA for "vip1" + "vip2" + "snat-pool1"
   i. Associate HA Group "1" with both VIPs and SNAT
   ii. Enable HA Connection Mirroring on "vip1" port "21" + "80"
e. Save your config
173
Lab7 - Configure HA with your neighbor
In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
a. Configure inter-AX connection
   i. Create VLAN 100 called "AX-HA" with interface "e3untagged" and the VE "100"
   ii. Configure VE "100" with IP@ "10.0.3.2/255.255.255.252"
   iii. Enable interface "e3"
b. Enable HA interfaces for "e1" + "e2" + "e3"
c. Enable HA Global Settings
   i. Identifier "2" - Set-ID "group-pair" (AX2=1, AX4=2, AX6=3, etc)
   ii. HA Mirroring IP = "10.0.3.1" (AX2=10.0.2.10, AX4=10.0.2.30, etc)
   iii. Group1 with priority 100
   iv. Floating IP = "10.0.2.x" (Server's default gateway)
d. Save your config
e.
174
Lab7 - Configure HA with your neighbor
In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
a. Be sure you saved your config on both AXs before you start the config sync
b. Sync Configuration Primary-AX "all" to Secondary-AX "startup-config + reload"
Note: Don't close the FTP control session
175
Lab7 - Configure HA with your neighbor
In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
176
Summary
In this module, we presented AX advanced security options:
And also configured HA.
177
AX Power and Flexibility
Module 7
178
Module objectives
Understand the advanced AX options for flexibility
Understand AX Advanced Core Operating System (ACOS)
179
Module 7 Lesson1
AX Flexibility
180
Points to keep in mind
Some advanced HTTP/HTTPS flexibility options have already been detailed in Module 4 (HTTP Templates)
This module (Module 7) presents other advanced AX flexibility options
181
Cookie persistence
When to use cookie persistence
182
Cookie persistence
AX Cookie Persistence configuration
Name
(optional) Expiration
(optional) Cookie Name
(optional) Domain
(optional) Path
(optional) Match type
(optional) Insert Always
(optional) Don't Honor Conn Rules
183
Cookie persistence
AX Cookie Persistence configuration (cont.)
WebUI: Config > Service > Template > Persistent > Cookie Persistence
CLI: AX(config)# slb template persist cookie []
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N tcp
AX(config-slb vserver-vport)# template persist cookie
184
Lab8 - Update HTTP "vip2" port "80" with cookie persistence
In this lab, you will configure cookie persistence
185
aFleX
What is aFleX?
Standard Tcl commands
Special set of extensions provided by the AX
Content inspection (headers / data)
Actions on traffic
   Block traffic
   Redirect traffic to a specific Service Group (pool) or Server (node)
   Modify traffic content
186
aFleX
Elements of an aFleX script
Events
Operators
aFleX commands
aFleX scripts are event-driven, which means that the AX system triggers the aFleX script whenever that event occurs. Examples:
HTTP_REQUEST is triggered when an HTTP request is received.
CLIENT_ACCEPTED is triggered when a client has established a connection.
Standard Tcl operators
Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators: not, and, or
187
aFleX
Elements of an aFleX script (cont.)
Used to query for data, manipulate data, or specify a traffic destination. These may be grouped into three main categories:
Statement commands
   Example: "pool" directs traffic to the named load balancing pool
Commands that query or manipulate data
   Examples: "IP::remote_addr" returns the remote IP address of a connection
   "HTTP::header remove" removes the last occurrence of the named header from a request or response
Utility commands - useful for parsing and manipulating content
   Example: "decode_uri" decodes the named string using HTTP URI encoding and returns the result
188
aFleX
aFleX configuration
Using the CLI
   Use a computer with any text editor to write an aFleX script and save it as a file.
   Use the import aflex command to import the aFleX file from the computer to the AX.
   aFleX CLI syntax check: "aflex check ".
Using the WebUI
   With the AX's web interface, users can directly type in aFleX scripts and save them on the AX under "Config > Service > aFleX".
Using the aFleX Editor
   The aFleX editor can download/upload aFleX scripts from/to the AX. Moreover, it can do syntax checking. As an editor, it also has syntax highlighting, keyword autocompletion, etc.
189
aFleX
aFleX configuration (cont.)
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
AX(config-slb vserver)# port N tcp
AX(config-slb vserver-vport)# aflex
aFleX statistics
190
aFleX
aFleX examples
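# Send connections from client 10.10.10.10 to service group sg2
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool sg2
    }
}

# Redirect requests whose Host header is secure.abc.com
when HTTP_REQUEST {
    if { [HTTP::host] equals "secure.abc.com" } {
        HTTP::redirect
    }
}
191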
aFleX
aFleX examples
# Select the service group from the first path segment of the URI
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/finance" } {
        pool finance_pool
    } elseif { [HTTP::uri] starts_with "/dev" } {
        pool dev_pool
    }
}
192
Lab9a - Block HTTP access to directory /private from your IP address on "vip2" port "80"
In this lab, you will configure an aFleX rule
1. Connect via HTTPS to your AX Management IP@
2. Create aFleX script "aFleX-9a" to block HTTP access to directory /private from your IP address
   Event is "HTTP_REQUEST"
   Tests are:
      [IP::addr [IP::client_addr] equals x.x.x.x]
      [HTTP::uri] starts_with "/private"
   Action is: drop
3. Associate aFleX "aFleX-9a" with Virtual Server "vip2" port "80"
193
Lab9a - Block HTTP access to directory /private from your IP address on "vip2" port "80"
In this lab, you will configure an aFleX rule (cont.)
4. Request the page "http://vip2-IP@/private", validate your IP address is blocked
5. Request the page "http://vip2-IP@/", validate your IP address is not blocked
6. Show aFleX statistics
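One way to assemble the Lab9a rule from the event, tests and action listed for it, as an added example rather than the course's own solution. The client address 192.0.2.10 is a constructed placeholder for x.x.x.x, and comparing the decoded, lower-cased URI (via the decode_uri utility command and standard Tcl string tolower) instead of the raw URI is an addition to the lab's plain starts_with test, so that equivalent spellings of /private fall under the same rule.

```tcl
# aFleX-9a (added example): drop HTTP requests for /private from one client.
when HTTP_REQUEST {
    # Normalize the URI before matching: decode percent-encoding and
    # lower-case it, so the test sees the same path the server resolves.
    set uri [string tolower [decode_uri [HTTP::uri]]]

    # Both lab tests must hold: source address AND protected directory.
    # 192.0.2.10 is a placeholder; use the address the lab assigns to your PC.
    if { [IP::addr [IP::client_addr] equals 192.0.2.10] and ($uri starts_with "/private") } {
        drop
    }
}
```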
194
Lab9b - Transparently convert "intranet.abc.com" from HTTP to HTTPS - Create the HTTP + HTTPS VIP
In this lab, you will create the HTTP + HTTPS VIP
1. Connect via HTTPS to your AX Management IP@
2. Create one Virtual Server: "vip3"
3. Create one Virtual Server port on "vip3": type "HTTP" + port "80" + service group "none"
4. Create one Virtual Server port on "vip3": type "HTTPS" + port "443" + service group "sg-http" + Client-SSL template "client-ssl1"
5. Check Virtual Server "vip3" status
6. Update your PC "hostfile" with "intranet.abc.com" = "vip3IP@"
195
Lab9b - Transparently convert "intranet.abc.com" from HTTP to HTTPS - Redirect HTTP clients
In this lab, you will create the HTTP + HTTPS VIP (cont.)
7. Create aFleX script "aFleX-9b-80" to transparently redirect the HTTP clients to HTTPS (for instance clients that use old bookmarks)
   Event is "HTTP_REQUEST"
   Tests are: No test
   Action is: HTTP::redirect https://[HTTP::host][HTTP::uri]
8. Associate aFleX "aFleX-9b-80" with Virtual Server "vip3" port "80"
196
Lab9b - Transparently convert "intranet.abc.com" from HTTP to HTTPS - Redirect HTTP clients
In this lab, you will create the HTTP + HTTPS VIP (cont.)
9. Request the page "http://intranet.abc.com/", validate you're redirected to "https://intranet.abc.com/"
10. Request the page "http://intranet.abc.com/index.html", validate you're redirected to "https://intranet.abc.com/index.html"
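A variant of the "aFleX-9b-80" redirect that pins the target host, as an added example and not the course's solution. The lab action builds the Location from [HTTP::host], which is whatever Host header the client sent; this version redirects only when that header names intranet.abc.com. Dropping every other request is an assumption about the policy wanted on this VIP.

```tcl
# aFleX-9b-80, host-pinned variant (added example).
when HTTP_REQUEST {
    # The Host header is client-supplied; host names are case-insensitive,
    # so compare the lower-cased value.
    set host [string tolower [HTTP::host]]

    # Accept the bare name and the name with the explicit default HTTP port.
    if { ($host equals "intranet.abc.com") or ($host equals "intranet.abc.com:80") } {
        # Redirect to the literal expected name instead of echoing the header.
        HTTP::redirect https://intranet.abc.com[HTTP::uri]
    } else {
        # Assumption: this VIP serves only intranet.abc.com, so anything else is dropped.
        drop
    }
}
```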
197
Lab9b - Transparently convert "intranet.abc.com" from HTTP to HTTPS - Rewrite server redirect
(optional) In this lab, you will configure an aFleX rule to transparently rewrite the redirects from the server
1. If pages contain redirections, create aFleX script "aFleX-9b-443" to rewrite the server redirects from "http://intranet.abc.com/*" to "https://intranet.abc.com/*"
   Event is "HTTP_RESPONSE"
   Test is: [HTTP::header Location] contains "http://intranet.abc.com"
   Action is:
      regsub "http://intranet.abc.com" [HTTP::header Location] "https://intranet.abc.com" new_location
      HTTP::header replace Location $new_location
2. Associate updated aFleX "aFleX-9b-443" with Virtual Server "vip3" port "443"
3. Request the page https://intranet.abc.com/redirect.html and verify the redirection
198
Lab9b - Transparently convert "intranet.abc.com" from HTTP to HTTPS - Rewrite absolute links
(optional) In this lab, you will configure an aFleX rule to transparently rewrite absolute links
1. If pages contain absolute links, expand aFleX script "aFleX-9b-443" to rename absolute links from "http://intranet.abc.com" to "https://intranet.abc.com"
aFleX rule is
when HTTP_REQUEST {
    # Remove Accept-Encoding so the server answers uncompressed and the payload can be rewritten
    HTTP::header remove Accept-Encoding
}
when HTTP_RESPONSE {
    # Rewrite server redirects that point at the HTTP site
    if { [HTTP::header exists "Location"] } {
        if { ([HTTP::header "Location"] starts_with "http://intranet.abc.com") } {
            regsub "http://intranet.abc.com" [HTTP::header Location] "https://intranet.abc.com" new_location
            HTTP::header replace Location $new_location
        }
    }
    # Collect text responses so HTTP_RESPONSE_DATA can rewrite the body
    if { [HTTP::header "Content-Type"] starts_with "text" } {
        HTTP::collect
    }
}
199
Lab9b - Transparently convert "intranet.abc.com" from HTTP to HTTPS - Rewrite absolute links
(optional) In this lab, you will configure an aFleX rule to transparently rewrite absolute links (cont.)
when HTTP_RESPONSE_DATA {
    if { [HTTP::header "Content-Type"] contains "text" } {
        # Replace every absolute HTTP link in the collected payload
        set payload_length [HTTP::payload length]
        regsub -all "http://intranet.abc.com" [HTTP::payload] "https://intranet.abc.com" new_payload
        HTTP::payload replace 0 $payload_length $new_payload
        HTTP::release
    }
}
2. Associate aFleX "aFleX-9b-443" with Virtual Server "vip3" port "443"
3. Access page https://intranet.abc.com/absolute.html and check the link
200
Module 7 Lesson2
Advanced Core Operating System
201
ACOS Architecture Overview
SSL Acceleration Module SSL Processing
Memory Session Tables, Buffer Memory, Application Data
L4-7 CPUs L4-7 Processing, Security
Kernel CLI, GUI, Management Tasks and Health Checking
Flexible Traffic ASIC (FTA) Distributes Traffic Across L4-7 CPUs, Efficient Network I/O, DDoS
Switching & Routing ASIC L2 & L3 Processing and Security
202
ACOS Design Highlights
ACOS on the data plane
Linux on the control plane
All application delivery traffic handled by ACOS
Efficient use of memory: no duplicate data
203
ACOS = Resource Efficiency
Processing Efficiency
Eliminates unneeded cycles for faster processing
Zero locking, zero buffer copy, zero IPC, zero scheduling, zero interrupt
Physical Memory Efficiency
Data is not replicated, multiple copies of data are not needed, more total memory available
Space saving, non-replication, zero copy, accuracy, real-time data
Input/Output (I/O) Efficiency
Faster overall system processing
Low latency packet processing, optimized drivers, Flexible Traffic ASIC, low overhead
204
Shared Memory Versus Legacy Approach AX Series Shared Memory
Replicate to each cores dedicated m
Legacy approach
205
AX Shared Memory Advantage AX Series Shared Memory
AX Series eliminates IPC and maximizes performance
Data required by all CPUs is processed in the same location without other CPU notification/reliance
Accurate real-time decision criteria, e.g. rate-limiting, connection-limit, max TCP connections, server selection, tracked global variables used for decisions or any shared data set
Maximizes memory: no redundant copies of information per core. More total system memory
206
Shared Memory Efficiency
Shared Memory
One copy of each item kept in memory, for example
PBSLB List uses 64 MB of RAM, Total AX Memory Usage = 64 MB RAM
Cached Objects, 10 x 0.5 MB, Total AX Memory Usage = 5 MB
Total 69 MB of RAM used
Without Shared Memory
Multiple copies of each item kept in each core's memory, for example 32 cores
PBSLB List uses 64 MB of RAM per core, Total Memory Usage = 2048 MB RAM
Cached Objects, 10 x 0.5 MB per core, Total Memory Usage = 160 MB
Total 2208 MB of RAM used
Total system memory is reduced dramatically by the nonshared memory architecture
207
ACOS Versus Legacy OS
ACOS | Legacy OS
Designed for multi-core | Not Designed for multi-core
32-bit or 64-bit OS (With Feature Parity) | 32-bit OS Only
Decoupled CPU Architecture | Coupled CPU Architecture
Shared Memory | Non-shared Memory
No IPC (Inter Process Communication) | IPC (Inter Process Communication)
Optimized Flow Distribution | Software Based Flow Distribution
208
Summary
In this module, we presented the following advanced AX flexibility options:
And also configured them on the AX. We also presented the ACOS architecture.
209
AX Management and Troubleshooting
Module 8
210
Module objectives
Understand the different types of AX management access
Understand the AX configuration components and how to backup/restore AX configuration
Understand the AX software components and how to upgrade/downgrade AX
Understand VLAN on AX
Learn initial AX configuration
Learn troubleshooting techniques and tools
Understand AX Release Process and how to contact AX support
211
AX management access
CLI
Web
Levels of CLI authentication
Login ID/Password
Enable ID/Password
User roles (read-write / read-only)
212
AX configuration components
AX configuration components
213
AX configuration components
AX full configuration backup
WebUI: Configuration > System > Maintenance > Backup > System
CLI: AX(config)# backup config []
AX full configuration restore
WebUI: Configuration > System > Maintenance > Restore > System
CLI: AX(config)# restore []
Note: Supported upload protocols: FTP, SCP, RCP, TFTP, and HTTPS (via WebUI)
214
AX software management
AX software is stored on
Second partition is designed for easy software rollback
CF is designed for emergency recovery
215
AX software management
AX software upgrade recommended steps
Back up your system
   (covered on previous slide)
Check the AX running partition
   WebUI: Monitor > Overview > Summary > System Information
   CLI: AX# show bootimage
Upgrade the AX device's other partition
   WebUI: Configuration > System > Maintenance > Upgrade
   CLI: AX(config)# upgrade []
Copy the running configuration to the other partition
   CLI only: AX# write memory [primary|secondary]
Set the boot source to the other partition
   WebUI: Configuration > System > Settings > Boot
   CLI: AX(config)# bootimage hd [primary|secondary]
Restart from the other partition
   WebUI: Configuration > System > Settings > Action > Reboot
   CLI: AX# reboot
216
VLAN
VLAN allows AX to
217
VLAN
VLAN allows AX to (cont.)
218
VLAN
VLAN configuration steps
VLAN ID
Physical interfaces tagged and untagged
(optional) VLAN Name
(optional) Virtual Interface
IP address
Netmask
(optional) all ethernet options such as ACL, secondary IP@
219
VLAN
VLAN configuration
WebUI: Config > Network > VLAN
CLI: AX(config)# vlan []
WebUI: Config > Network > Interface > Virtual
CLI: AX(config)# interface ve []
220
VLAN
Important Point
221
First Steps configuration
Rollback to Factory configuration
First Step configuration
Default user/password: admin/a10
Configure the management interface, its default gateway
Finish the AX configuration via CLI (ssh) or WebUI (https)
Configure Production interfaces (vlan, ethernet/ve interfaces)
Enable production interfaces
(optional) Configure routing (static/dynamic)
(optional) Configure specific management rights
Configure Servers / Service Groups / Virtual Servers etc
222
First Steps configuration
First Step configuration example
AX login: admin
Password:
[type ? for help]
AX>en
Password:
AX#conf
AX(config)#in
AX(config)#interface m
AX(config)#interface management
AX(config-if:management)#ip address 172.31.31.11 /24
AX(config-if:management)#ip default-gateway 172.31.31.1
AX(config-if:management)#exit
AX(config)#exit
223
Troubleshooting methodology
Layer 2 and 3: Data Link & Network Layers
AX# ping
AX# show interface brief + AX# show interface
AX# show arp + AX# show mac-address-table
AX# show ip fib + AX# show ip route
Check for connection errors
Check for application specific errors
224
Troubleshooting tools
AX log (AX# show log)
Port/Interface up/down messages
L2 loop detection warnings
Unicast/Multicast/Broadcast packet limit warnings
MAC address movement warnings
Duplicate IP warnings
Server & service port up/down messages
Application specific error messages: SLB, PBSLB, HTTP, HA, etc.
225
Troubleshooting tools
Debug
AX's WebUI provides a number of report graphs that can help you identify any potential issues
Example: CPU and server/virtual-server load information can help identify time periods when the system was under stress
SNMP clients can query AX for status information
AX can be configured to send SNMP traps to servers/receivers
226
Troubleshooting tools
Debug (cont.)
Define a set of filters for packet capture
Example: interface, IP address, protocol, port number, etc.
Captures application specific debug information
Use this command after defining a filter to display captured packets on screen
Make sure your filter is specific enough to capture only the packets needed for debugging
The CLI may become temporarily unresponsive if a large number of packets are captured to the screen
227
Troubleshooting tools
AXdebug
Show techsupport
Backup log
228
AX Release Process
AX provides 5 different releases
Major features/enhancements (between 12 - 14 months)
Enhancements (between 6 - 8 months)
Periodic bug fixes and minor enhancements (between 3 - 4 months)
Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)
Emergency patch for a specific customer (2-3 days)
229
AX Release Process
AX releases tests
Test | MAJOR | Enhancement | Minor | PATCH
Unit | New features | New features | Fixes | Fixes
Functional | New features | New features | Fixes | Fixes
Negative | Full | Full | Affected | None
Stress | Full | Affected | None | None
Regression | Manual=full, Automated=full | Manual=affected, Automated=full | Manual=affected, Automated=full | Manual=affected, Automated=full
Sys Integration | Full | Full | Partial | Partial as needed
Performance | Full | Affected | Affected | None
Scalability | Full | Affected | Affected | None
Stability | 2 weeks | 1 week | 3 days | 1 day
Alpha | Full | Affected | Affected | None
Beta | Full | Affected | None | None
230
AX Release Process
QA patch release process
[Flow diagram. Roles: Support, QA, Release Mgr. Steps shown: Test, Functional Test, Alpha Test, Regression Test (Manual, Automated), Sys Integration Test, Performance Test, Scalability Test (as needed), Approve, Release]
231
AX Release Process
Source Tree Branch Diagram
233
Why AX support is better
Qualified support staff Training
Passionate
234
How to contact AX support
AX support can be contacted by 3 methods
From North America: 1 888 822 7210 (1-888-TACSA10)
From International: +1 408 325 8676
24 x 7 x 365 Support
Mon-Fri 6AM-11PM PST + Sat, Sun 9AM - 6PM PST: A10 support engineers
All other hours: Call center
When needed: escalation to standby engineers and standby engineers contact customer immediately
Be ready to provide
   Problem description
   Showtech (almost always required)
   Topology; highly preferred
   Trace
   Backup log
235
How to contact AX support
AX support can be contacted by 3 methods (cont.)
support@a10networks.com
A support ticket is auto-generated
Auto reply email with a ticket number is sent
What information to provide?
Subject with "Priority (if urgent)" + "Customer name" + "Brief description of ticket + Release number"
Example: "P1: abc.com - Certain VIPs fail to pass traffic release 2.4.2"
Additional information:
   Detailed problem description
   Production, eval, POC, etc.
   Expected time of resolution by customer
   Showtech attachment (almost always required)
   Topology; highly preferred
   Trace
   Backup log
236
How to contact AX support
AX support can be contacted by 3 methods (cont.)
http://a10networks.com/support
A support ticket is auto-generated
Auto reply email with a ticket number is sent
What information to provide? Same as by email (see previous slide).
237
How to contact AX support
Security levels
Priority Level | Acknowledgement | Response | Ownership
Priority 1 | < 1 Hour* | < 1 Hour | Support Manager
Priority 2 | < 1 Hour | < 4 Hours | Support Engineer
Priority 3 | < 8 Hour | < 2 Day | Support Engineer
Priority 4 | < 8 Hour | < 4 Day | Support Engineer
* 30 minutes or less
238
How to contact AX support
Escalation metrics
Escalation Priority 1, Critical Priority 2, High Priority 3, 4, Medium Low
Level 1 TAC Engineer/ Manager
Level 2 (after 1 hour) Director, Technical Support TAC Manager TAC Engineer
Level 3 (after 4 hours) VP, Engineering/ Sales
Level 4 (after 24 hours) CEO
Level 5 (after 7 days)
TAC Engineer TAC Engineer
Director, Technical VP, Engineering/ Support Sales TAC Engineer TAC Manager Engineer
CEO Flagged (after 14 days)
239
Lab10a Troubleshooting
Restore the AX configuration provided by your trainer Fix your AX configuration:
240
Lab10b Troubleshooting
Group troubleshooting
241
Summary
In this module, we presented:
242