Server Iron 1230 GUI

53-1002074-0125 March 2011

®

ServerIron ADXGraphical User Interface Guide

Supporting ServerIron ADX 1000, ServerIron ADX 4000, ServerIron ADX 8000, and ServerIron ADX 10000

Copyright © 2008-2011 Brocade Communications Systems, Inc. All Rights Reserved.

Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCS, and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

Brocade Communications Systems, Incorporated

Document History

Corporate and Latin American HeadquartersBrocade Communications Systems, Inc.130 Holger waySan Jose, CA 95134Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: [email protected]

Asia-Pacific HeadquartersBrocade Communications Systems China HK, Ltd.No. 1 Guanghua RoadChao Yang DistrictUnits 2718 and 2818Beijing 100020, ChinaTel: +8610 6588 8888Fax: +8610 6588 9999E-mail: [email protected]

European HeadquartersBrocade Communications Switzerland SàrlCentre SwissairTour B - 4ème étage29, Route de l'AéroportCase Postale 105CH-1215 Genève 15Switzerland Tel: +41 22 799 5640Fax: +41 22 799 5641E-mail: [email protected]

Asia-Pacific HeadquartersBrocade Communications Systems Co., Ltd. (Shenzhen WFOE)Citic PlazaNo. 233 Tian He Road NorthUnit 1308 – 13th FloorGuangzhou, ChinaTel: +8620 3891 2000Fax: +8620 3891 2111E-mail: [email protected]

Title Publication number Summary of changes Date

ServerIron ADX Graphical User Interface Guide

53-1002074-01 New document March 2011

ServerIron ADX Graphical User Interface Guide v53-1002074-01

Contents

About This Document

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiText formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiiNotes, cautions, and danger notices . . . . . . . . . . . . . . . . . . . . . xii

Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Getting technical help or reporting errors . . . . . . . . . . . . . . . . . . . . . xiiiWeb access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiiiE-mail access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Chapter 1 Getting Started with the GUI

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

The ServerIron ADX GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Accessing the GUI through HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Step 1: Connecting to the switch . . . . . . . . . . . . . . . . . . . . . . . . . 3Step 2a: Logging in with switch code . . . . . . . . . . . . . . . . . . . . . . 3Step 2b: Logging in with router code . . . . . . . . . . . . . . . . . . . . . . 3Step 3: Connecting ServerIron to the network. . . . . . . . . . . . . . . 4Step 4: Opening a browser (Internet Explorer or Firefox) . . . . . . 4

Accessing the GUI through HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Step 1: Connecting to the switch . . . . . . . . . . . . . . . . . . . . . . . . . 6Step 2 : Logging commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Step 3: SSL configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Step 4: Enabling HTTPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Step 5: Connecting ServerIron to the network. . . . . . . . . . . . . . . 9Step 6: Opening a browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Web management using the management port . . . . . . . . . . . . . . . .13Step 1: Connecting to the switch . . . . . . . . . . . . . . . . . . . . . . . .13Step 2a: Logging in with switch code . . . . . . . . . . . . . . . . . . . . .13Step 2b: Logging in with router code . . . . . . . . . . . . . . . . . . . . . 14Step 3: Connecting ServerIron to the network. . . . . . . . . . . . . . 14Step 4: Opening a browser (Internet Explorer or Firefox) . . . . . 14

Configuring IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15Configuring an IP address on switch code . . . . . . . . . . . . . . . . .15Configuring an IP address on router code . . . . . . . . . . . . . . . . . 16

vi ServerIron ADX Graphical User Interface Guide53-1002074-01

Configuring Source IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Configuring Source IP, Source NAT IP, and Source Standby IP addresses on switch code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Configuring Source NAT IP addresses on router code. . . . . . . .19

Displaying the Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Displaying the Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

Defining global system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

Displaying and saving the running configuration . . . . . . . . . . . . . . .23

Chapter 2 Configuring a Real Server and a Real Server Port

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Creating a basic real server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Creating a real server port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

Enabling or disabling a real server . . . . . . . . . . . . . . . . . . . . . . . . . . 27Enabling at Summary tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Disabling at Summary tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28Enabling at Basic tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28Disabling at Basic tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

Enabling or disabling a real server port. . . . . . . . . . . . . . . . . . . . . . .29Enabling at Summary tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29Disabling at Summary tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30Enabling at Port tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Disabling at Port tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Cloning a real server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

Defining advanced parameters for real servers . . . . . . . . . . . . . . . .33

Viewing real server summary information. . . . . . . . . . . . . . . . . . . . .35Real server status indicators . . . . . . . . . . . . . . . . . . . . . . . . . . .35Real server port status indicators . . . . . . . . . . . . . . . . . . . . . . .35Viewing real server summary information . . . . . . . . . . . . . . . . .35

Chapter 3 Configuring a Virtual Server and a Virtual Server Port

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Creating a virtual server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Creating a virtual server port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

Binding the virtual server port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40

Enabling or disabling a virtual server . . . . . . . . . . . . . . . . . . . . . . . . 41Enabling at Summary tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Disabling at Summary tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42Enabling at Basic tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42Disabling at Basic tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

ServerIron ADX Graphical User Interface Guide vii53-1002074-01

Enabling or disabling a virtual server port . . . . . . . . . . . . . . . . . . . .43Enabling at Summary tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43Disabling at Summary tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44Enabling at Port tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45Disabling at Port tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46

Defining advanced virtual server parameters. . . . . . . . . . . . . . . . . .46

Chapter 4 Configuring Health Checks

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

Configuring health check for a real server . . . . . . . . . . . . . . . . . . . .49

Enabling Layer 2 to Layer 4 health checks . . . . . . . . . . . . . . . . . . . .52

Disabling Layer 2 to Layer 4 health checks. . . . . . . . . . . . . . . . . . . .53

Creating a port profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

Creating a port policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Configuring element health checks . . . . . . . . . . . . . . . . . . . . . . . . . .59Configuring TCP or UDP health check policy . . . . . . . . . . . . . . .59Configuring ICMP health check policy . . . . . . . . . . . . . . . . . . . .60Configuring Boolean health check policy . . . . . . . . . . . . . . . . . . 61

Configuring a match list policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

Chapter 5 Application Templates

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

Generic HTTP application template . . . . . . . . . . . . . . . . . . . . . . . . . .65

Chapter 6 Configuring Role Based Management

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

Creating a context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

Creating a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Assigning a user role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72

Creating a role template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

Web server authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76AAA web server authentication with the RADIUS method. . . . . 76AAA web server authentication with the TACACS+ method. . . . 76AAA web server authentication with the enable or line method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77AAA web server authentication failover to alternative method. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

System log details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

Chapter 7 Configuring VLANs, ACLs, and Routes

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

viii ServerIron ADX Graphical User Interface Guide53-1002074-01

Configuring VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79Configuring a VLAN on switch code . . . . . . . . . . . . . . . . . . . . . .79Configuring a VLAN on router code. . . . . . . . . . . . . . . . . . . . . . .80

Configuring standard Access Control List . . . . . . . . . . . . . . . . . . . . . 81

Configuring a static route on router code . . . . . . . . . . . . . . . . . . . . .82

Chapter 8 Configuring High Availability

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

High Availability modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Configuring Hot Standby mode on switch code . . . . . . . . . . . . . . . .85

Configuring Symmetric Active-Standby mode . . . . . . . . . . . . . . . . . .88

Configuring Symmetric Active-Active mode . . . . . . . . . . . . . . . . . . . . 91

Displaying High Availability summary . . . . . . . . . . . . . . . . . . . . . . . .93Hot Standby summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93Symmetric Active-Standby and Symmetric Active-Active summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94

Chapter 9 SSL Acceleration and Certificate Management

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Generating an SSL key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Uploading an existing SSL Key to ServerIron . . . . . . . . . . . . . . . . .101

Generating a self-signed certificate. . . . . . . . . . . . . . . . . . . . . . . . .102

Generating a certificate signing request . . . . . . . . . . . . . . . . . . . . .105

Uploading certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

Creating an SSL profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108

Defining SSL accelerated services . . . . . . . . . . . . . . . . . . . . . . . . .114

Displaying SSL summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116

Chapter 10 Configuring Layer 7 Switching

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119

Creating a Layer 7 Switching Rule (Request) . . . . . . . . . . . . . . . . .119Creating a nested rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121

Creating a Layer 7 Request Policy . . . . . . . . . . . . . . . . . . . . . . . . . .122

Enabling Layer 7 Switching (HTTP Requests) . . . . . . . . . . . . . . . . .123

Displaying Layer 7 Summary (HTTP Requests) . . . . . . . . . . . . . . . .124

Creating Layer 7 Rules for HTTP Response. . . . . . . . . . . . . . . . . . .124

Creating Layer 7 Policies for HTTP Responses . . . . . . . . . . . . . . . .125Configuring Response Rewrite on HTTP Header . . . . . . . . . . .126Configuring Response Rewrite on HTTP Body . . . . . . . . . . . . .127

Enabling Layer 7 Switching for HTTP Responses . . . . . . . . . . . . . .128

ServerIron ADX Graphical User Interface Guide ix53-1002074-01

Displaying Layer 7 Summary of Response Rules, Policies, and associated virtual servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129

Using the L7 Switching Request Wizard . . . . . . . . . . . . . . . . . . . . .130Launching the Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130Wizard 1: Traffic Forwarding based on URL prefix. . . . . . . . . .131Step 1: Creating a rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132Step 2: Creating a policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132Step 3: Enabling Layer 7 Switching . . . . . . . . . . . . . . . . . . . . .133Wizard 2: Traffic Forwarding based on URL suffix . . . . . . . . . .134

Chapter 11 Maintenance

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

Software upgrade overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135Copying system software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136Rebooting the device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136

Chapter 12 Displaying Statistics

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139

Statistics overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139

Viewing system resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140

Displaying traffic statistics for a real server . . . . . . . . . . . . . . . . . .141Current Connection Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142Current Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143Connection Distribution among Application Ports. . . . . . . . . .144Total Accumulated Connections to Server . . . . . . . . . . . . . . . .144Total Accumulated Connections per Application Port . . . . . . .145Received and Transmitted Packets among ApplicationPorts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145

Displaying statistics for a real server port . . . . . . . . . . . . . . . . . . . .146Current Connections on Ports. . . . . . . . . . . . . . . . . . . . . . . . . .147Total Accumulated Connections on Ports. . . . . . . . . . . . . . . . .147Received and Transmitted Packets on Ports . . . . . . . . . . . . . .148

Displaying statistics for a virtual server. . . . . . . . . . . . . . . . . . . . . .148Connection Distribution among Application Ports. . . . . . . . . .149Total Accumulated Connections to Server . . . . . . . . . . . . . . . .150Total Accumulated Connections per Port . . . . . . . . . . . . . . . . .150

Displaying statistics for virtual server port . . . . . . . . . . . . . . . . . . .151Current Connections on Ports. . . . . . . . . . . . . . . . . . . . . . . . . .152Current Connection Distribution among Real Servers . . . . . .152Total Accumulated Connections . . . . . . . . . . . . . . . . . . . . . . . .153Total Accumulated Connection Distribution among Real Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153

Displaying global traffic statistics . . . . . . . . . . . . . . . . . . . . . . . . . .154

Displaying interface statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154

Viewing Syslog entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158

x ServerIron ADX Graphical User Interface Guide53-1002074-01

ServerIron ADX Graphical User Interface Guide xi53-1002074-01

About This Document

In this chapter•Audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

•Supported hardware and software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

•Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

•Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

•Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

•Getting technical help or reporting errors . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Audience

This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing.

If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network: IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.

Supported hardware and software

Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for 12.3, documenting all possible configurations and scenarios is beyond the scope of this document.

The following hardware platforms are supported by this release of this guide:

• ServerIron ADX 1000




Document conventions

This section describes text formatting conventions and important notice formats used in this document.

xii ServerIron ADX Graphical User Interface Guide53-1002074-01

In this chapter

Text formattingThe narrative-text formatting conventions that are used are as follows:

For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.

Notes, cautions, and danger noticesThe following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.

NOTEA note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.

CAUTION

A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

DANGER

A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Notice to the reader

This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations.

These references are made for informational purposes only.

bold text Identifies command names

Identifies the names of user-manipulated GUI elements

Identifies keywords

Identifies text to enter at the GUI or CLI

italic text Provides emphasis

Identifies variables

Identifies document titles

code text Identifies CLI output

ServerIron ADX Graphical User Interface Guide xiii53-1002074-01

In this chapter

Related publications

The following Foundry Networks documents supplement the information in this guide:

• Release Notes for ServerIron Switch and Router Software TrafficWorks 12.0.00

• ServerIron ADX TrafficWorks Graphical User Interface

• ServerIron ADX TrafficWorks Server Load Balancing Guide

• ServerIron ADX TrafficWorks Advanced Server Load Balancing Guide

• ServerIron ADX TrafficWorks Global Server Load Balancing Guide

• ServerIron ADX TrafficWorks Security Guide

• ServerIron ADX TrafficWorks Administration Guide

• ServerIron ADX TrafficWorks Switching and Routing Guide

• ServerIron ADX Firewall Load Balancing Guide

• ServerIron ADX Hardware Installation Guide

• IronWare MIB Reference

NOTEFor the latest edition of these documents, which contain the most up-to-date information, see Product Manuals at kp.foundrynet.com.

Getting technical help or reporting errors

Brocade is committed to ensuring that your investment in our products remains cost-effective. If you need assistance, or find errors in the manuals, contact Brocade using one of the following options:

Web accessThe Knowledge Portal (KP) contains the latest version of this guide and other user guides for the product. You can also report errors on the KP.

Log in to my.Brocade.com, click the Product Documentation tab, then click on the link to the Knowledge Portal (KP). Then click on Cases > Create a New Ticket to report an error. Make sure you specify the document title in the ticket description.

Corporation Referenced Trademarks and Products

Microsoft Corporation Internet Explorer

Mozilla Corporation Mozilla Firefox

Sun Microsystems Java Runtime Environment

xiv ServerIron ADX Graphical User Interface Guide53-1002074-01

In this chapter

E-mail accessGo to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.

ServerIron ADX Graphical User Interface Guide 153-1002074-01

Chapter

1Getting Started with the GUI

In this chapter•The ServerIron ADX GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

•Accessing the GUI through HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

•Accessing the GUI through HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

•Web management using the management port . . . . . . . . . . . . . . . . . . . . . . 13

•Configuring IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

•Configuring Source IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

•Displaying the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

•Displaying the Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

•Defining global system settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

•Displaying and saving the running configuration . . . . . . . . . . . . . . . . . . . . . 23

The ServerIron ADX GUIThis guide describes the Graphical User Interface (GUI) of the Brocade ServerIron ADX devices.

NOTEFeatures or options not documented in this guide are not supported through GUI.

This section describes the basic components that you need to know to navigate through the ServerIron ADX GUI and how to access the ServerIron ADX using both non-secure (HTTP) and secure (HTTPS) communication methods.

NOTEThe ServerIron ADX GUI has been tested with Internet Explorer and Firefox Web browsers. Also, you must have the latest version of Java Runtime Environment (JRE) installed on your system to be able to view some of the graphics on the GUI. Obtain the latest JRE version from the Sun Microsystems Java Web site.

2 ServerIron ADX Graphical User Interface Guide53-1002074-01

The ServerIron ADX GUI1

FIGURE 1 ServerIron web interface home page

32 41

1 The context bars allow you to access the main functions by clicking the background. The main functions are: Overview, System, Traffic Management, L7 Traffic Management, Security, Network, and Maintenance.

2 The option tabs allow you to access the detailed functions by clicking the tab on top of the respective content area; for example, Real Server, and Statistics.

3 The content area allows you to configure, monitor, or troubleshoot the detailed functions; for example, a Real Server.

4 The Log Out button allows you to log out from any window in the application.


Accessing the GUI through HTTP 1

NOTEThe circular arrow in the right hand corner of the content window refreshes the screen. The file save button saves the content you enter. The "help button" (?) in the right hand corner of the content window links to the Brocade ADC Community website.

Accessing the GUI through HTTPThe steps below vary depending on whether you are running switch code or router code.

Step 1: Connecting to the switch1. Connect your PC to the ServerIron console connector using the serial cable.

2. Press Enter to bring up the command line prompt.

3. If you are using switch code, go to Step 2a; for router code, go to Step 2b.

Step 2a: Logging in with switch codeIf you are using switch code, enter the following commands.

1. Enable configuration mode.

ServerIronADX>ServerIronADX> enableNo password has been assigned yet...ServerIronADX#ServerIronADX# config term

2. Assign an IPv4 address and default gateway.

ServerIronADX(config)# ip address 1.1.1.1 255.255.255.0ServerIronADX(config)# ip default-gateway 1.1.1.254

Or assign an IPv6 address and default gateway.

ServerIronADX(config)# ipv6 address fd00:60:69bc::100/64 ServerIronADX(config)# ipv6 default-gateway fd00:60:69bc::1

3. Write to memory.

ServerIronADX# write memory.Write startup-config in progress..Write startup-config done.ServerIronADX#

Step 2b: Logging in with router codeIf you are using router code, enter the following commands.


Accessing the GUI through HTTP1



2. Configure an interface.

ServerIronADX(config)# interface ethernet 1

3. Assign an IPv4 address.

ServerIronADX(config-if-e1000-1)# ip address 1.1.1.1/24ServerIronADX(config-if-e1000-1)# exitOr assign an IPv6 address.

ServerIronADX(config)# ipv6 address fd00:60:69bc::100/64

4. Configure an IPv4 default route.

ServerIronADX(config)# ip route 0.0.0.0/0 1.1.1.254

Or configure an IPv6 default route.

ServerIronADX(config)# ipv6 route 0::0/0 fd00:60:69bc::1

5. Write to memory.

ServerIronADX(config)# ^ZServerIronADX# write memory.Write startup-config in progress..Write startup-config done.ServerIronADX#

Step 3: Connecting ServerIron to the network1. Connect ServerIron ADX to your network infrastructure.

2. Check to see if ping access to the ServerIron IP address is working.

Step 4: Opening a browser (Internet Explorer or Firefox)1. If an IPv4 address is used, type the address into the address bar of the browser.

Example http://1.1.1.1

If an IPv6 address is used, type the address into the address bar enclosed by square brackets.

Example http://[fd00:60:69bc::100]

2. Press Enter.

The Login window displays.


Accessing the GUI through HTTP 1

3. Click HTTP.

The User name and Password window displays.

NOTEThe default User name is admin. The default Password is brocade. The password can be edited for greater security.

4. Enter the user name and password and click OK.

NOTEYou have three attempts to log in to the web management. If all three log in tries fail, you will be locked out for 30 minutes. During the locked out period, you cannot log in even if you provide a correct password.


Accessing the GUI through HTTPS1

The home page for the ServerIron web interface is displayed.

Accessing the GUI through HTTPSThe steps below vary depending on whether you are running switch code or router code.

Step 1: Connecting to the switch1. Connect your PC to the ServeIron console connector using the serial cable.


Step 2 : Logging commandsThe logging commands vary depending on whether you are running switch code or router code. Follow Step 2a if you are logging in with switch code, or Step 2b if you are logging in with router code.


Accessing the GUI through HTTPS 1

Step 2a: Logging in with switch code

If you are using switch code, enter the following commands.



2. Assign an IPv4 address and default gateway.

ServerIronADX(config)# ip address 1.1.1.1 255.255.255.0ServerIronADX(config)# ip default-gateway 1.1.1.254

Or assign an IPv6 address and default gateway.

ServerIronADX(config)# ipv6 address fd00:60:69bc::100/64 ServerIronADX(config)# ipv6 default-gateway fd00:60:69bc::1

3. Write to memory.


Step 2b: Logging in with router code

If you are using router code, enter the following commands.



2. Configure an interface.

ServerIronADX(config)# interface ethernet 1

3. Assign an IPv4 address.

ServerIronADX(config-if-e1000-1)# ip address 1.1.1.1/24ServerIronADX(config-if-e1000-1)# exit

Or assign an IPv6 address.

ServerIronADX(config)# ipv6 address fd00:60:69bc::100/64

4. Configure an IPv4 default route.


Or configure an IPv6 default route.

ServerIronADX(config)# ipv6 route 0::0/0 fd00:60:69bc::1



5. Write to memory.

ServerIronADX(config)#^ZServerIronADX# write memory.Write startup-config in progress..Write startup-config done.ServerIronADX#

Step 3: SSL configurationThe ServerIron ADX supports Secure Socket Layer (SSL) for enabling HTTPS access. When enabled, SSL protocol uses a digital certificate and public-private keypair to establish a secure connection to ServerIron. A digital certificate serves to prove the identity of participating entities, and a public-private key pair provides the means to encrypt data that is sent between two entities.

The SSL digital certificate and private key for HTTPS access to ServerIron either can be imported from an external device or self-generated by ServerIron.

Follow Step 3a if you are importing the digital certificate and private key file, or Step 3b if you are generating a default certificate on ServerIron.

Step 3a: Importing digital certificates and private key files

To import a digital certificate using TFTP, enter the following command.

ServerIronADX(config)# ip ssl certificate-data-file tftp <ip address> <certificate file-name>

To import a private key using TFTP, enter the following command.

ServerIronADX(config)# ip ssl private-key-file tftp <ip address> <key file-name>

After you have imported the digital certificate, reformat and prepare the SSL certificate for use by HTTPS access by entering the following command.

ServerIronADX(config)# crypto-ssl certificate generate

NOTES:

• Imported certificates can be no larger than 2048 bytes.

• Encrypted private key files (DES, DES3, or other ciphers) are not supported. Private key files must be unencrypted; private keys greater than 1024 bits are not supported; and private key files must be either 512 or 1024 bits.



Step 3b: Generating a default SSL certificate

To generate a default SSL certificate, enter the following command.

ServerIronADX(config)# crypto-ssl certificate generate default_cert

Step 4: Enabling HTTPS To enable HTTPS access, use the following command.

ServerIronADX(config)#web-management httpsServerIronADX(config)# exit ServerIronADX# write memory.Write startup-config in progress..Write startup-config done.ServerIronADX#

Syntax: [no] web-management https

Step 5: Connecting ServerIron to the network1. Connect ServerIron to your network infrastructure.


Step 6: Opening a browser This procedure applies to the Internet Explorer or Firefox browsers.

1. If an IPv4 address is used, type the address into the address bar of the browser.




If an IPv6 address is used, type the address into the address bar enclosed by square brackets.

Example http://[fd00:60:69bc::100]

2. Press Enter.


3. Click HTTPS.

The system prompts you for certificate verification.

4. Click Yes.

The system prompts for the user name and password.



NOTEThe default User name is admin. The default Password is brocade. This password can be edited for greater security.

5. Enter the user name and password and click OK.

NOTEYou have three attempts to log in to the web management. If all three log in tries fail, you will be locked out for 30 minutes. During the locked out period, you cannot log in even if you provide a correct password.



The home page for the ServerIron web interface is displayed. A lock symbol displayed on the top right corner indicates that the current connection is a secure HTTPS connection.

6. To log out, click Log Out in the upper right corner of the window.

The message You are successfully logged out is displayed.


Web management using the management port 1

Web management using the management port

NOTEThe management port supports IPv4 addresses only. The IP address configuration procedure is the same for both HTTP and HTTPS.

The steps below vary depending on whether you are running switch code or router code.

Step 1: Connecting to the switch1. Connect your PC to the ServerIron console connector using the serial cable.


3. If you are using switch code, go to Step 2a; for router code, go to Step 2b.

Step 2a: Logging in with switch codeIf you are using switch code, enter the following commands.



2. Assign an IP address to the management port.

ServerIronADX(config)# interface management 1ServerIronADX(config-if-mgmt-1)# ip address 1.1.1.1 255.255.255.0


Web management using the management port1

3. Configure a static route (the default route cannot point to the management port).

ServerIronADX(config-if-mgmt-1)# ip route 10.54.1.0/24 1.1.1.254

4. Write to memory.


Step 2b: Logging in with router codeIf you are using router code, enter the following commands.



2. Configure the management interface.

ServerIronADX(config)# interface management 1

3. Assign an IP address.

ServerIronADX(config-if-mgmt-1)# ip address 1.1.1.1/24ServerIronADX(config-if-mgmt-1)# exit

4. Configure a static route (the default route cannot point to the management port).


5. Write to memory.


Step 3: Connecting ServerIron to the network1. Connect the ServerIron ADX management port to your network infrastructure.


Step 4: Opening a browser (Internet Explorer or Firefox)1. Type the IP address into the address bar of the browser.


2. Press Enter.


Configuring IP addresses 1


You can log in to the web management by clicking either HTTP (non secure) or HTTPS (secure). If you click HTTPS, the system prompts you for certificate verification, and you must click Yes to proceed further. The User name and Password window displays. Enter the user name and password and click OK.

Configuring IP addressesThis section describes the procedure to configure an IP address on switch code and router code.

Configuring an IP address on switch codeTo configure an IP address on a ServerIron that runs switch code, follow these steps.

1. Click System on the context bar and select IP/VLAN/Source IP.

2. Click the IP Address tab.


Configuring IP addresses1

3. Enter the information for the following fields:

• Management IP: Enter the IP address.

• Subnet Mask: Enter the subnet mask.

• Default Gateway: Enter the default gateway address.

4. Click Apply.

Configuring an IP address on router codeTo configure an IP address on a ServerIron that runs router code, follow these steps.


2. Click the IP Address tab.

3. Select a router interface from the Interface list.


Configuring Source IP addresses 1

NOTEYou can also configure multiple IP addresses for the management port (mgmt1).


• IP Address: Enter the management IP address.



NOTEYou can configure a secondary IP address for an interface using the GUI.

Configuring Source IP addressesYou can configure Source IP, Source NAT IP, and Source Standby IP addresses using the GUI.

Configuring Source IP, Source NAT IP, and Source Standby IP addresses on switch codeYou can configure the following addresses on a ServerIron running switch code:

• Source IP

• Source NAT IP

• Source Standby IP

Defining Source IP addresses

To define Source IP addresses, follow these steps.


2. Click the Source IP tab.

3. Click Source IP for Type.


Configuring Source IP addresses1

4. Provide the following information:

• IP Address: Enter the IP address.



• Use this IP for SSL Traffic (Optional): Select the check box to use the Source IP address for SSL terminate or proxy traffic.

• Allocate Source Port per Real Server (Optional): Select the check box if the source port is to be allocated on the real server.

5. Click Add to add the Source IP address.

The new Source IP address is displayed in the summary table.

Defining Source NAT IP address

To define Source NAT IP address, follow these steps.



3. Click Source NAT IP for Type.





• Source Port Range: Select Lower Port Range or Higher Port Range.


Configuring Source IP addresses 1

• Use this IP for SSL Traffic (Optional): Select the check box to use this Source IP address for SSL terminate or proxy traffic.


5. Click Add to add the Source NAT IP address.

The new Source NAT IP address is displayed in the summary table.

Defining Source Standby IP address

To define Source Standby IP address, follow these steps.



3. Click Source Standby IP for Type.





5. Click Add to add the Source Standby IP address.

The new Source Standby IP address is displayed in the summary table.

Configuring Source NAT IP addresses on router codeYou can configure only Source NAT IP addresses on a ServerIron running router code.




Configuring Source IP addresses1





• Source Port Range: Select Lower Port Range or Higher Port Range.


4. Click Add to add the Source NAT IP address.

The new Source NAT IP address is displayed in the summary table.


Displaying the Dashboard 1

Displaying the DashboardBy default, the Dashboard is displayed when you log in to the ServerIron GUI. To view the Dashboard, click Overview on the context bar and select Dashboard.

The Dashboard shows CPU utilization for the management processor, available and used memory in the management processor, CPU utilization by the barrel processors, and the number of used and available sessions in the barrel processors.

The Dashboard additionally provides status of fans, power supplies, and system temperature. It also shows software images installed on the system.


Displaying the Front Panel1

Displaying the Front Panel To dynamically display the front view of the ServerIron hardware, click Overview on the context bar and select Front Panel. An example is shown below.

Defining global system settingsYou can modify global settings from the Global Settings page.

1. Click System on the context bar and select Global Settings.

2. You can change one or more of the following parameters:

• Load Balancing Predictor: Select the predictor to be used by the ServerIron from the Load Balancing Predictor list.

• TCP Age: Enter the number of minutes for TCP age.

• UDP Age: Enter the number of minutes for UDP age.

• Sticky Age: Enter the number of minutes for Sticky age.

• Clock Scale: Enter a value from 1 to 24 for clock scale.

• Max Sessions Per BP: Enter the maximum number of sessions allowed for each BP.

NOTEIf you change the Max Session Per BP setting, you must reload the ServerIron from the CLI.

• Source NAT: Select to globally enable source NAT on the system.


Displaying and saving the running configuration 1

• TCP SYN NAK Threshold: Select the Enable check box to edit the TCP NAK threshold value. The default value is 20.

3. Click Apply to save your changes.

Displaying and saving the running configurationTo display the running configuration of the ServerIron ADX, click Overview on the context bar and select Running Configuration.

Scroll down the display to view the running configuration.

To save the configuration to a file, click Download. A file download dialog box displays.


Displaying and saving the running configuration1

Click Save to save the configuration file.


Chapter

2Configuring a Real Server and a Real Server Port

In this chapter•Creating a basic real server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

•Creating a real server port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

•Enabling or disabling a real server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

•Enabling or disabling a real server port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

•Cloning a real server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

•Defining advanced parameters for real servers . . . . . . . . . . . . . . . . . . . . . . 33

•Viewing real server summary information . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Creating a basic real serverTo configure a basic real server, follow these steps.

1. Click Traffic Management on the context bar and select Real Server.

The real server window is displayed.


Creating a real server port2

The configuration details of the real server are displayed in the right panel. The summary table displays the first 20 entries of the real servers. Click Next Page and Previous Page to navigate to the respective pages or select the page number from the Go To list.

2. Click the Basic tab at the top of the window.

The basic real server window is displayed.

3. Click New, if New is not already displayed.

4. Enter the following information:

• Real Server Name: Enter the real server name; for example, real1.

• Server IP: Enter the server IP address. You can configure both IPv4 and IPv6 addresses.

5. Click Enable for Admin Status. Enable is the default option.

6. Click Apply.

The message The operation was successful is displayed.

Creating a real server port To configure a real server port, follow these steps.


2. Click the Port tab.


Enabling or disabling a real server 2

3. In the Applications panel, select HTTP and click Add to enter a new application type.

4. In the Characteristics panel, click Enable for Admin Status (Enable is the default option).

5. Optionally, configure other port level parameters.

6. Click Update.


Enabling or disabling a real serverYou can enable or disable a real server using the Summary or Basic tab.

Enabling at Summary tabTo enable a real server at the Summary tab, follow these steps.


2. Click the Summary tab.


Enabling or disabling a real server2

The list of real servers in the system is displayed.

3. Find the real server you want in the Real Server Name column.

In the example above, "real1" is in the "Disabled" running state.

4. Click the arrow button in the Status column and select Enable.

5. Click Apply in the User Action column.

The Running State column now shows Enabled.

Disabling at Summary tabTo disable a real server at the Summary tab, follow these steps.



The list of the real servers in the system is displayed.


4. Click the arrow button in the Status column for your device and select Disable.


Enabling at Basic tabTo enable a real server at the Basic tab, follow these steps.


2. Click the Basic tab.


Enabling or disabling a real server port 2

The basic real server window is displayed.

3. Select a real server from the list.

4. Click Enable for Admin Status.

5. Click Apply.

Disabling at Basic tabTo disable a real server at the Basic tab, follow these steps.



3. Select a real server from the list.

4. Click Disable for Admin Status.

5. Click Apply.

Enabling or disabling a real server portYou can enable or disable a real server port using the Summary or Port tab.

Enabling at Summary tabTo enable a real server port at the Summary tab, follow these steps.




Enabling or disabling a real server port2

The list of real servers in the system is displayed.


In the above example, "real1" is in the "Enable" running state.

4. Click the arrow in the Port column to view a list of configured ports.

The DNS port for “real1” is Disabled.

5. Click the arrow button in the DNS row and select Enable.

6. Click Apply.

The status should now show Enable.

Disabling at Summary tabTo disable a real server port at the Summary tab, follow these steps.



The list of the real servers in the system is displayed.


4. Click the arrow in the Port column to view a list of configured ports.


Enabling or disabling a real server port 2

5. Click the arrow button in the Port row and select Disable.

6. Click Apply.

The status should now show Disabled.

Enabling at Port tabTo enable a real server port at the Port tab, follow these steps.



The Port window is displayed.

3. Select the real server from the Real Server Name list and the port from the Port list.


5. Click Update.

Disabling at Port tabTo disable a real server port at the Port tab, follow these steps.




Cloning a real server2

3. Select the real server from the Real Server Name list and the port from the Port list.


5. Click Update.

Cloning a real serverTo clone a real server, follow these steps.


2. Click the Cloning tab.

The clone real server window is displayed.

3. Select a real server from the Real Server Name list.

4. Enter an IP address in the Base IP field and the number of clones you want in the Number of Clones field, and click Preview.

The number of clones you specified are displayed. You can edit clone names and IP addresses.


Defining advanced parameters for real servers 2

5. Click Create Clones to create the clones.

The message The operation was successful is displayed at the top of the window.

Defining advanced parameters for real serversTo define additional optional parameters for real servers, follow these steps.


2. Click the Advanced tab.


Defining advanced parameters for real servers2


• Real Server Name: Select a real server from the list.

• Description: Enter a description for the real server.

• Alias Name: Enter the alias name.

• Ping Health Check: Click Disable to disable Layer 3 health check. By default, Layer 3 health check is enabled.

• Backup: Select the check box to designate the real server to be a backup server.

• Source-NAT: Select the check box to enable Source NAT on the real server.

• Source-NAT ACL: Select the check box to enter the Source NAT access list number in the ACL # field.

• Max Connections: Enter the maximum number of sessions the ServerIron will maintain in its session table.

• Max TCP Connection Rate: Enter the maximum TCP connection rate.

• Max UDP Connection Rate: Enter the maximum UDP connection rate.


Viewing real server summary information 2

• Port Number: Enter the port number and specify the community name in the Community Name field.

• Entry ID: Enter the entry IDs in the respective fields and the SNMP OID value in the SNMP Request OID fields.

• Least Connection Weight: Enter the weight of the real server relative to other real servers in terms of the number of connections on the server.

4. Click Apply to accept your entries.

Viewing real server summary informationThis section describes the status indicators for real servers and real server ports.

Real server status indicatorsReal servers display their status by using different colors.

Real server port status indicatorsReal server ports display their status by using different colors.

Viewing real server summary informationYou can view the real server summary information sorted by IP address, running state, or real server name.

Sorted by IP address

To view real server status sorted by IP address, follow these steps.


2. Click the IP column heading.

The real server information sorted by IP address is displayed.

Enabled Amber Light

Disabled Red Light

Failed Red Light

Testing Amber Light

Suspect Amber Light

Shutting-down Amber Light

Active Green Light

Enabled Green Light

Disabled Red Light


Viewing real server summary information2

Sorted by running state

To view real server status sorted by running state, follow these steps.


2. Click the Running State column heading.

The real server information sorted by running state is displayed.

Sorted by real server name

To view real server status sorted by real server name, follow these steps.


2. Click the Real Server Name column heading.

The real server information sorted by real server name is displayed.


Chapter

3Configuring a Virtual Server and a Virtual Server Port

In this chapter•Creating a virtual server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

•Creating a virtual server port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

•Binding the virtual server port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

•Enabling or disabling a virtual server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

•Enabling or disabling a virtual server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

•Defining advanced virtual server parameters . . . . . . . . . . . . . . . . . . . . . . . . 46

Creating a virtual serverTo configure a basic virtual server, follow these steps.

1. Click Traffic Management on the context bar and select Virtual Server.

The virtual server window is displayed.


Creating a virtual server port3

The content area for configuring the virtual server is displayed in the right panel. The Summary tab displays a list of the virtual servers in the system.

2. Click the Basic tab at the top of the window.

The basic virtual server window is displayed.



• Virtual Server Name: Enter the virtual server name.

• Server IP: Enter the server IP address. You can configure both IPv4 and IPv6 addresses.

5. Click Enable for Admin Status (Enable is the default option).

6. Select a predictor in the Predictor list; for example, Least Connection.

7. Click Apply.


Creating a virtual server port To configure a virtual server port, follow these steps.




Creating a virtual server port 3


3. In the Applications panel, select a port from the list and click Add to enter a new application type.

4. In the Characteristics panel, select Enable for Admin Status. (Enabled is the default option.)

Optionally, specify other port level items.


Binding the virtual server port3

5. Click Update.


Binding the virtual server port To bind a virtual server port to a real port, follow these steps.


2. Click the Bind tab.


Enabling or disabling a virtual server 3

The virtual server bind window is displayed.


• From the Virtual Server list, select the virtual server name.

• From the Port list, select the virtual server port name.

• From the Real Server list, select the real server name.

• From the Port list, select the real server port name.

4. Click Bind.

5. Repeat the above steps for binding additional real servers.

Enabling or disabling a virtual serverYou can enable or disable a virtual server using the Summary or Basic tab.

Enabling at Summary tabTo enable a virtual server at the Summary tab, follow these steps.



The list of the virtual servers in the system is displayed.


Enabling or disabling a virtual server3

3. Find the virtual server you want in the Virtual Server Name column.

4. Click the arrow button in the Admin column and select Enable.


The Running State column should now show Enabled.

Disabling at Summary tabTo disable a virtual server at the Summary tab, follow these steps.





4. Click the arrow button in the Admin column and select Disable.


The Running State column should now show Disabled.

Enabling at Basic tabTo enable a virtual server at the Basic tab, follow these steps.



The basic virtual server window is displayed.

3. Select a virtual server from the list.


5. Click Apply.


Enabling or disabling a virtual server port 3

Disabling at Basic tabTo disable a virtual server at the Basic tab, follow these steps.



3. Select a virtual server from the list


5. Click Apply.

Enabling or disabling a virtual server portYou can enable or disable a virtual server port using the Summary or Port tab.

Enabling at Summary tabTo enable a virtual server port at the Summary tab, follow these steps.





In the example above, "vip2" is in the "Enabled" running state.

4. Click the arrow in the Port column to view the list of virtual ports.

The DNS port for “vip2” is Disabled.


Enabling or disabling a virtual server port3

5. Click the arrow button in the DNS row and select Enable.

6. Click Apply.

The Port status should now show Enable.

Disabling at Summary tabTo disable a virtual server port at the Summary tab, follow these steps.





4. Click the arrow in the Port column to view a list of virtual ports.

The DNS port for vip2 is Enabled.

5. Click the arrow button in the DNS row and select Disable.

6. Click Apply.

The Port status should now show Disable.


Enabling or disabling a virtual server port 3

Enabling at Port tabTo enable a virtual server port at the Port tab, follow these steps.




3. Select a virtual server in the Virtual Server Name list and a virtual port in the Port list.


5. Click Update.


Defining advanced virtual server parameters3

Disabling at Port tabTo disable a virtual server port at the Port tab, follow these steps.



3. Select a virtual server in the Virtual Server Name list and a virtual port in the Port list.


5. Click Update.

Defining advanced virtual server parametersTo define additional optional parameters for a virtual server, follow these steps.


2. Click the Advanced tab.


• Virtual Server Name: Select a virtual server from the list.


Defining advanced virtual server parameters 3

• Description: Enter a description for the virtual server.

• Track Group: Select to enable track group.

• Track Port: Select to enable track port.

• Master Port: Select the master port from the list.

• TCP Age: Enter the TCP age.

• UDP Age: Enter the UDP age.

• Sticky Age: Enter the sticky age.

• Rate Limiting, Client Connection Limit: Select the maximum number of client connections allowed for the virtual server.

• Rate Limiting, Transaction Rate Limit: Select the maximum number of TCP, UDP, and ICMP transactions allowed for the virtual server.

• Click the down arrow next to VIP Route Health Injection (VIP RHI) to display the parameters to be configured. Enter the information for the following fields:

VIP Route: Select the Advertise VIP Route check box to advertise the availability of a VIP address throughout the network. Click Enable to enable VIP RHI for the virtual server or click Disable to disable VIP RHI for the virtual server. Enable is the default option.

Subnet Mask: You can enter the subnet mask of VIP RHI injected route for the virtual server using the prefix length. The default prefix length for IPv4 address is 32 and for IPv6 address is 128. To specify the full subnet mask, select the Specify Full Mask check box and enter the full subnet mask.

4. Click Apply to accept your entries.


Defining advanced virtual server parameters3


Chapter

4Configuring Health Checks

In this chapter•Configuring health check for a real server. . . . . . . . . . . . . . . . . . . . . . . . . . . 49

•Enabling Layer 2 to Layer 4 health checks . . . . . . . . . . . . . . . . . . . . . . . . . . 52

•Disabling Layer 2 to Layer 4 health checks . . . . . . . . . . . . . . . . . . . . . . . . . . 53

•Creating a port profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

•Creating a port policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

•Configuring element health checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

•Configuring a match list policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Configuring health check for a real serverTo configure health check for an individual real server, follow these steps.

1. Click Traffic Management on the context bar and select Health Checks.

The health check window is displayed.


Configuring health check for a real server4


The Summary tab displays the links to configure global health check settings and individual real server health checks.

3. Follow the links available under Step 1 (Optional): Define global health check settings to create or modify system level health check containers such as port profiles, port policies, element health checks, and match lists, or modify global health check settings.

4. Under Step 2: Configure Health Check, select the real server name from the Select Real Server list.

5. Select the port name from the Select Real Port list.

6. Click Open Port Health Check configuration page.

The system opens a new dialog box for displaying the port configurations for the selected real server.


Configuring health check for a real server 4

7. Under Health Check, enter the following information:

• Click Enable to enable periodic health check for the real server.

• Click L4 Check Only to enable a Layer 4 check.

• Enter the Bringup Health Check Interval in the L4 and L7 fields.

• Click Update.

8. Close the dialog box and click Finish on the parent window.


Enabling Layer 2 to Layer 4 health checks4

Enabling Layer 2 to Layer 4 health checksTo globally enable Layer 2, Layer 3, and Layer 4 health checks, follow these steps.


2. Click the Generic tab.

or

Click the Summary tab and then click Generic.

The Generic Health Checks window is displayed.

3. Click Enable for Periodic ARP to enable Layer 2 ARP check. Enable is the default option.

4. Click Enable for Real Server and Remote Server to enable Layer 3 ping check. Enable is the default option.

5. Click Enable for Layer 4 Health Check and Fast Port Bring-up to enable Layer 4 TCP/UDP check. Enable is the default option.

6. Click Apply.


Disabling Layer 2 to Layer 4 health checks 4

Disabling Layer 2 to Layer 4 health checksTo globally disable Layer 2, Layer 3, and Layer 4 health checks, follow these steps.


2. Click the Generic tab.

or

Click the Summary tab and then click Generic.

3. Click Disable for Periodic ARP to disable Layer 2 ARP check.

4. Click Disable for Real Server and Remote Server to disable Layer 3 ping check.

5. Click Disable for Layer 4 Health Check and Fast Port Bring-up to disable Layer 4 TCP/UDP check.

6. Click Apply.

Creating a port profileDefine a port profile to globally configure the port’s parameters and configure the keepalive health check.

To create a port profile, follow these steps.

1. Click Traffic Management. on the context bar and select Health Checks.

The health check window is displayed.


Creating a port profile4

The content area for configuring the health checks is displayed on the right side of the window. The Summary tab displays links to configure global health check settings and individual real server health checks.


Creating a port profile 4

2. Click the Port Profile tab.

or

Click the Summary tab and then click Port Profile.

The Port Profile Health Checks window is displayed.


Creating a port profile4


4. Enter the well-known port name or port number in the Port field.

5. Select the protocol from the Protocol list.

6. Select Enable for Status to enable health check for the port.

7. Select TCP or UDP for Type to globally define the type for this port, and enter the following information:

• Age: You can edit the default age value.


Creating a port policy 4

8. Select Enable or Disable for Periodic HC. (This option is available only for the TCP type).

• Interval: You can edit the default interval value.

• Retries: You can edit the default retries value.

NOTEThe ServerIron assumes that ports for which it does not know the type are UDP ports.

9. Select the L4 Check Only check box to enable only Layer 4 checks. This selection disables Layer 7 checks if applicable.

10. Select Enable for Session Sync to enable session synchronization for the port in high availability designs.

11. Click Apply.

The port profile is listed in the Summary table. You can click Edit in the table or select the port profile from the list (next to the New button) at the top of the page to modify the port profile. Also click Del to delete the port profile from the Summary table. However, you cannot edit or delete port profiles if they are in use.

Creating a port policyTo create a port policy, follow these steps.


2. Click the Port Policy tab.

or

Click the Summary tab and then click Port Policy.

The Port Policy Health Checks window is displayed.


Creating a port policy4


4. Enter the name of the port policy in the Name field.

5. Edit the default health check interval value in the HC Interval field.

6. Edit the default health check retries in the HC Retries field.

7. Select the L4 Check Only check box to enable only Layer 4 checks. This selection disables Layer 7 checks if applicable.

8. Optionally, select the port from the Port list.

9. Select the protocol from the HC Protocol list. The port value is displayed in the field next to the HC Protocol list.

Depending on the selected HC Protocol, the display changes and the system asks for additional information.

10. Provide the required additional information and click Apply.

The port policy is listed in the table at the bottom of the page. You can click Edit in the table or select the port policy from the list (next to the New button) at the top of the page to modify the port policy. Also click Del to delete the port profile from the Summary table. However, you cannot edit or delete port policies if they are in use.


Configuring element health checks 4

Configuring element health checksYou can configure health check of an individual server or group several health checks together from the Element HC tab.

You can create Element health checks for the following types:

• TCP

• UDP

• ICMP

• Boolean

Configuring TCP or UDP health check policyTo configure a TCP or UDP health check policy, follow these steps.


2. Click the Element HC tab.

The Element HC window is displayed.


Configuring element health checks4


4. Enter the name for the health check in the Name field.

5. Select TCP or UDP for Type.


• Destination IP: Enter the destination IP address. You can configure both IPv4 and IPv6 addresses.

• State: Select Enable or Disable.

• HC Interval: You can edit the default interval value.

• HC Retries: You can edit the default retries value.

• Port: Select the port from the Port list. The port value is displayed in the field next to the Port list.

• HC Protocol: Select the protocol from the HC Protocol list. The port value is displayed in the field next to the HC Protocol list. Depending on the selected HC Protocol, the display changes and the system asks for additional information.

• L4 Check: Select Enable or Disable.

• L7 Check: Select Enable or Disable.

7. Click Apply.

The details are listed in the table at the bottom of the page. You can click Edit in the table or select the TCP or UDP health check policy from the list (next to the New button) at the top of the page to modify the health check policy. You can also delete the health check policy from the table by clicking Del. However, you cannot edit or delete health check policies if they are in use.

Configuring ICMP health check policyTo configure an ICMP health check policy, follow these steps.




Configuring element health checks 4

The Element HC window is displayed..



5. Click ICMP for Type.

6. Enter the destination IP address in the Destination IP field. You can configure both IPv4 and IPv6 addresses.

7. Click Apply.

The details are listed in the table at the bottom of the page.You can click Edit in the table or select the ICMP health check policy from the list (next to the New button) at the top of the page to modify the health check policy. You can also delete the ICMP policy from the table by clicking Del. However, you cannot edit or delete ICMP health check policies if they are in use.

Configuring Boolean health check policyTo configure a Boolean health check policy, follow these steps.




Configuring a match list policy4

The Element HC window is displayed.



5. Click Boolean for Type.


• Select an Element health check policy from the Element HC #1 list.

• Select a boolean operator from the Operator list.

• Select an Element health check policy from the Element HC #2 list.

7. Click Apply.

The details are listed in the table at the bottom of the page. You can click Edit in the table or select the Boolean health check policy from the list (next to the New button) at the top of the page to modify the health check policy. You can also delete the boolean policy from the table by clicking Del. However, you cannot edit or delete the boolean health check policies if they are in use.

Configuring a match list policyYou can configure a match list policy to mark the server port up or down when the rule defined in the match list is met.

To create a match list, follow these steps.

1. Click Traffic Management on the context bar and select Health Check.

2. Click the Match List tab.


Configuring a match list policy 4

The Match List Health Check window is displayed.


4. Enter the name of the match list in the Name field.

5. Select Up or Down from the Health State list.

6. Select one of the following conditions from the Match Condition list to define a rule:

• Select String Starts With and enter the string in the String field.

• Select String Ends With and enter the string in the String field.

• Select Simple String Match and enter the following details:

Enter the string in the String field. Select the Log check box.

• Select Compound String Match and enter the following details:

Enter the string start text in the Starts With field. Enter the string end text in the Ends With field. Select the Log check box.

7. Click Add.

The rule is displayed in the table below the Add button. You can click Edit in the table to modify the rule. Also click Del to delete the rule from the table.


Configuring a match list policy4

8. Repeat step 5 to step 7 to define additional match conditions.

9. Select Up or Down for Default.

10. Click Apply.

The configured match list is listed in the table at the bottom of the page. You can click Edit in the table to modify the match list. Also click Del to delete the match list from the table.


Chapter

5Application Templates

In this chapter•Generic HTTP application template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Generic HTTP application templateYou can use the built-in generic HTTP application template for configuring the HTTP load balancing service. The same template can also be used for configuring simple Layer 4 load balancing for any other TCP or UDP based application.

1. Click Traffic Management on the context bar and select Application Templates.

The template window is displayed.

2. Click the HTTP link in the Template page.

or

Click the HTTP tab.

The HTTP tab is displayed.


Generic HTTP application template5

3. Edit the Specify Naming Prefix field to enter any string which will be used as prefix in generating distinguishable virtual server and real server names. The default prefix is app_http_.

4. Provide the following information under Virtual Server Details:

• What is the IP Address: Enter the virtual server IP address.

• What is the Port: By default, the HTTP port value is displayed. You can change this value to specify any other port.

• Load Balancing Method: Select the appropriate load balancing method from the list.

5. Provide the following information under Real Server Details:

• What is the IP Address: Enter the real server IP address.

• Service Port: Select the service port from the list.

The selected service port value is displayed in the adjacent field.

6. Click Add.

The real server details are displayed in the table below the Add button. You can click Delete to delete a selected real server from the table or click Delete All to delete all the real servers listed in the table.

7. Repeat steps 5 and 6 to add multiple real servers.

8. Enter the server health check URL address in the Health check URL field.


Generic HTTP application template 5

9. Click Apply to save the configuration.

The system automatically creates a sample Layer 4 server load balancing configuration in the background. You can verify the changes by viewing the running configuration (refer to “Displaying and saving the running configuration” on page 23) or using a CLI interface. A sample output is shown as follows.

!server real app_http_rs_1 10.1.1.1 port http port http url "GET /"!server real app_http_rs_2 10.1.1.2 port http port http url "GET /"!server real app_http_rs_3 10.1.1.3 port http port http url "GET /"!server real app_http_rs_4 10.1.1.4 port 8080 port 8080 url "GET /"!server real app_http_rs_5 10.1.1.5 port 8080 port 8080 url "GET /"!!server virtual app_http_vip_1 100.10.10.1 predictor least-conn port http bind http app_http_rs_1 http app_http_rs_2 http app_http_rs_3 http app_http_rs_4 8080 bind http app_http_rs_5 8080!


Generic HTTP application template5


Chapter

6Configuring Role Based Management

In this chapter•Creating a context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

•Creating a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

•Assigning a user role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

•Creating a role template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

•Web server authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

•System log details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

•Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Creating a contextTo create a context, perform the following steps.

1. Click System on the context bar and select User/Role Management.

The user/role based window is displayed.

The Summary tab displays the list of users.

2. Click the Context tab.


Creating a context6

The context window is displayed.

3. In the Name field, enter the context name; for example, Finance.

4. Click Add.

The message The operation was successful is displayed and the context name is included in the table.


Creating a user 6

Creating a userTo create a user, follow these steps.

1. Click the User tab.

The user window is displayed.

2. Click New.


• User Name: Enter the user name.

• User Type: Select Super User, Role Based, or Read Only as the user type.

NOTEFor more information on the role based user type, refer to “Assigning a user role” on page 72.

• Password: Enter the password with a minimum of eight characters containing the following combinations:

At least two uppercase characters At least two lowercase characters At least two numeric characters At least two special characters


Assigning a user role6

The password is always masked to ensure security.

• Confirm Password: Enter the password again for confirmation.

4. Click Apply.

If the user is created successfully, the message The operation was successful is displayed.

Assigning a user roleTo assign role to a role based user, perform the following steps.

1. Click the User tab.

2. Select a user from the list.


Assigning a user role 6

3. Click None, Viewer, or Manager for Global (non-Context) Config. The global configuration refers to Layer 2, Layer 3, and other miscellaneous configurations on the system.

NOTEThe global configuration does not include configurations from other contexts.

4. Select a context from the Context list and the respective role from the Role list and then click Add.

5. Repeat step 4 for every context as desired.

6. Select a context from the Default Operational Context list for the user.

On logging in, you will find the selected default operational context.

7. Optionally, define a Role Template for the user.

8. Click Apply.

The user role is displayed with the message The operation was successful.


Assigning a user role6


Creating a role template 6

Creating a role templateTo create a role template, follow these steps.

1. Click the Role Template tab.

The role template window is displayed.

2. Click New.

3. Enter the role template name in the Name field.

4. Click None, Viewer, or Manager for Global (non-Context) Config. The global configuration refers to Layer 2, Layer 3, and other miscellaneous configurations on the system.

5. Select a context from the Context list and the respective role from the Role list and then click Add.

6. Select a context from the Default Context list.

7. Click Apply.

The role template is displayed with the message The operation was successful.


Web server authentication6

Web server authenticationThis section explains how to configure ServerIron to use different methods for authentication.

AAA web server authentication with the RADIUS methodTo configure the ServerIron to use the RADIUS method for authentication, enter the following command in the CLI.

ServerIronADX(config)# aaa authentication web-server default radius

During the RADIUS authentication process, if a user supplies a valid user name and password, the RADIUS server sends an Access-Accept packet to the ServerIron, authenticating the user. The Access-Accept packet contains three attributes as given below.

AAA web server authentication with the TACACS+ methodTo configure the ServerIron to use the TACACS+ method for authentication, enter the following commands in the CLI.

ServerIronADX(config)# aaa authentication web-server default tacacs+ServerIronADX(config)# aaa authorization exec default tacacs+

If the EXEC authorization command aaa authorization exec default tacacs+ is not configured, the user will get Super User privilege by default upon successful authentication by the TACACS+ server. Otherwise, the user obtains the privilege through TACACS+ EXEC authorization.

During TACACS+ EXEC authorization, the ServerIron expects the TACACS+ server to send a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When the ServerIron receives the response, it extracts an A-V pair configured for the EXEC service and uses it to determine the user's privilege level.

To set a user's privilege level, you can configure the "foundry-privlvl" A-V pair for the EXEC service on the TACACS+ server.

Example

user=admin0 {default service = permitmember admin# Global passwordglobal = cleartext "cat"service = exec {foundry-privlvl = 0}}

Vendor Specific Attribute Value Description

foundry-privilege-level 0

5

Super User level. Allows user to modify configuration through web GUI

Read Only level. Allows user to view configurations only (All Submit buttons are disabled)

foundry-command-string <string> If exists, it will be ignored

foundry-command-exception-flag <int> If exists, it will be ignored


System log details 6

In the previous example, the A-V pair foundry-privlvl=0 grants the user full read-write access.

user=admin5 {default service = permitmember admin# Global passwordglobal = cleartext "cat"service = exec {foundry-privlvl = 5}}

In the previous example, the A-V pair foundry-privlvl=5 grants the user read-only access.

AAA web server authentication with the enable or line methodThe following command configures the device to use the Super User accounts to authenticate access to the device through the web management interface.

aaa authentication web-server default enable

The following command configures the device to use the Telnet password to authenticate access to the device through the web management interface.

aaa authentication web-server default line

AAA web server authentication failover to alternative methodTo configure the device to consult a RADIUS server first for web server access, then consult the local user accounts if the RADIUS server is unavailable, enter the following command in the CLI.

aaa authentication web-server default radius local

System log detailsThe web server logs important user events in the system log. The following events will be logged with the user name, IP address, and time:

• User logged in

• User logged out

• User login failed

• User locked out (3 login tries failed)


Navigation6

To display the system log details, click Overview on the context bar and select Statistics and then click the System Log tab.

Navigation1. Log in as a valid user and create Layer 4-7 objects such as real, virtual, etc.

2. Log out and log in as a different user. You can only view objects that belong to respective user contexts.


Chapter

7Configuring VLANs, ACLs, and Routes

In this chapter•Configuring VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

•Configuring standard Access Control List . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

•Configuring a static route on router code . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Configuring VLANsThis section describes the procedure to configure a VLAN on switch code and router code.

Configuring a VLAN on switch codeTo configure a VLAN on a ServerIron that runs switch code, follow these steps.



Configuring VLANs7

2. Click the VLAN tab.



• VLAN #: Enter the value between 1 and 4095.

• VLAN Name: Enter the VLAN name.

5. To assign VLAN port membership, do the following:

• Select the Tag check box if the port is expected to be a tagged port and carry multiple VLANs.

• Select the Show All Ports check box if you want to see all ports on the system.

• Use Add Port and Remove to assign ports to the VLAN.

6. Click Apply.

Configuring a VLAN on router codeTo configure an IP address on a ServerIron that runs router code, follow these steps.



Configuring standard Access Control List 7

2. Click the VLAN tab.



• VLAN #: Enter the value between 1 and 4095.

• VLAN Name: Enter the VLAN name.

• Router Interface: Define a virtual routing interface, if necessary.

5. To assign VLAN port membership, do the following:

• Select the Tag check box if the port is expected to be a tagged port and carry multiple VLANs.

• Select the Show All Ports check box if you want to see all ports on the system.

• Use Add Port and Remove to assign ports to the VLAN.

6. Click Apply.

Configuring standard Access Control List To configure a standard ACL on a ServerIron that runs switch code, follow these steps.

1. Click Security on the context bar and select ACL.

The Standard ACL window is displayed.

2. Select New from the list.

3. Select either ID# or Name and enter the number or name of a standard ACL.


Configuring a static route on router code7

4. Select Permit or Deny for Action.


• Source IP Address: Enter the IP address.


• Remark (optional): Enter the remark.

• Log (optional): Select or clear the check box.

6. Click Apply.

Configuring a static route on router codeTo configure a static route on a ServerIron that runs router code, follow these steps.

1. Click Network on the context bar and select Static Route.


• IP Version: By default, IPV4 is enabled.

• Destination Network: Enter the IP address.

• Subnet Mask: Enter the subnet mask or select the Specify Prefix Length check box and enter the prefix length.

• Gateway: If you click IP, enter the IP address in the IP field. If you click Interface, select the port from the Interface list.


Configuring a static route on router code 7

• Metric: Enter the metric between 1 and 16.

• Distance: Enter the distance between 1 and 255.

3. Click Apply.

The message The operation was successful is displayed and the configured static route is listed in the summary table.

Click Edit to modify the static route. You can also delete the static route from the summary table by clicking Del.


Configuring a static route on router code7


Chapter

8Configuring High Availability

In this chapter•High Availability modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

•Configuring Hot Standby mode on switch code. . . . . . . . . . . . . . . . . . . . . . . 85

•Configuring Symmetric Active-Standby mode . . . . . . . . . . . . . . . . . . . . . . . . 88

•Configuring Symmetric Active-Active mode . . . . . . . . . . . . . . . . . . . . . . . . . . 91

•Displaying High Availability summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

High Availability modesThe web GUI allows configuration of the three high availability modes:

• Hot Standby

• Symmetric Active-Standby

• Symmetric Active-Active

Configuring Hot Standby mode on switch codeHot Standby allows you to configure two ServerIrons to serve as a redundant pair. One ServerIron is always active while the other ServerIron is always standby. If the active ServerIron fails, the idle standby ServerIron assumes the active duties and becomes the new active device.

NOTEHot standby is supported only in switch code and not in router code.

To configure the Hot Standby feature on a ServerIron that runs switch code, follow these steps.

1. Click System on the context bar and select High Availability.


Configuring Hot Standby mode on switch code8

The high availability window is displayed.

The content area for configuring High Availability is displayed on the right side of the window. The Summary tab displays the configured ServerIron services.

2. Click the Configuration tab.


Configuring Hot Standby mode on switch code 8

The Basic panel provides the minimum required configuration for Hot Standby mode.

3. Provide the following information under the Basic panel:

• Sync VLAN: Click the Sync VLAN list to select a VLAN. If none exists, then click Create VLAN to create one. For creating a VLAN, refer to “Configuring a VLAN on switch code” on page 79.

• Sync Port: Select the Hot Standby port from the list.

• Shared MAC: Specify the MAC address of one of the ServerIrons. Be sure to use a chassis MAC address from one of the two devices, not the MAC address of one of the backup ports.

• Router Ports: Click Add Port to specify the number of router ports for the ServerIron to become active. Click Remove to remove an added router port.

• Spanning Tree: Select the Disable check box to avoid system conflicts.

4. Optionally, select Advanced to configure advanced settings.


Configuring Symmetric Active-Standby mode8

Provide the following information under the Advanced panel:

• Backup Preference: Enter the number of minutes for the ServerIron to wait before assuming the active role.

• Failover Delay Time: Enter the number of seconds for the ServerIron to wait before beginning the failover check.

• Track Active VIP Count: Select this check box to include an active VIP count in a failover decision.

• Track Virtual Port Count: Select this check box to include a virtual port count in a failover decision.

• Track Trunk Port Count: Select this check box to include a router port count in a failover decision.

• Backup Timer: Enter a value between 5 and 100 in units of 100 milliseconds to set the timer. The default value is 10.

• Backup Group: Enter the backup group value.

5. Click Apply.


Configuring Symmetric Active-Standby modeSymmetric Active-Standby service is an active-standby VIP. Both ServerIrons handle traffic, but the active VIP handles the Layer 4 to Layer 7 and the standby VIP serves only as a standby. Each ServerIron is the active ServerIron for a specific set of VIPs, while the other ServerIron is the backup for the same set of VIPs.

NOTESymmetric Active-Standby mode is supported in both switch code and router code. Use of router code is highly recommended.


Configuring Symmetric Active-Standby mode 8

To configure the Symmetric Active-Standby mode on a ServerIron, follow these steps.



3. Click the Symmetric Active-Active / Symmetric Active-Standby down arrow to display the parameters to be configured.

4. Symmetric Active-Standby configuration is a six step process in which step 2 to step 6 are optional.

5. For Step 1: Assign Sym-Priority & Enable Session Synchronization, enter the information for the following fields:


Configuring Symmetric Active-Standby mode8

• Sym Priority: Enter the priority value for the ServerIron. The range is 0 through 225.

• Dyn Sym Pri Factor (optional): Specify the value for the dynamic priority.

• Session Sync: Click the image button under this column to enable session synchronization for a specific port. If a port profile is not available, a new port profile will be created.

6. For Step 2: (Optional) Enable Symmetric Active-Active HA, by default Disable is selected. Select Enable if you want to enable Symmetric Active-Active HA mode.

7. For Step 3: (Optional) Define Synchronization (Symmetric) Port, enter the following information:

• Select Sync VLAN from the list or click Create VLAN to create one. To create a VLAN, see “Configuring VLANs” on page 79.

• Select the port from the Sync Port list.

8. For Step 5: (Optional) Create VIP group & associate with VRRP / VRRPE, select New from the list to create a VIP group.

Enter the information in the following fields:

• VIP Group ID: Enter the VIP group ID.

• Member VIPs: Click Add to include an available VIP as a member of this group. Click Remove to remove an added VIP.

• Select Interface: Select the required interface from the list.

• Associate VRRE-E VRID: Enter the VRRE-E VRID.


Configuring Symmetric Active-Active mode 8

9. For Step 6: (Optional) Advanced Settings, enter the following information:

• Symmetric PDU Rate

In the Discover Multiplier field, enter the multiplier for the SSLB send and wait interval. You can specify a multiplier from 1 through 60. The default is 1.

In the Wait Time Multiplier field, enter how many multiples of the wait interval the ServerIron will wait for an SSLB discovery packet. You can specify a multiplier from 1 through 60. The default is 20.

• Delay Symmetric: Select the Enable check box and enter the minutes you want the recovered ServerIron to wait before becoming active again.

• Group ID: Enter the group ID.

10. Click Apply.


Configuring Symmetric Active-Active modeIn Symmetric Active-Active mode, both the ServerIrons handle traffic (active-active), and both ServerIrons are active for the same VIP on both ServerIrons.

NOTESymmetric Active-Active mode is supported in both switch code and router code. Use of router code is highly recommended.

To configure Symmetric Active-Active mode on a ServerIron follow these steps.



3. Click the Symmetric Active-Active / Symmetric Active-Standby down arrow. The window displays the configuration details in a step-by-step process.


Configuring Symmetric Active-Active mode8

4. For Step 1: Assign Sym-Priority & Enable Session Synchronization, enter the information for the following fields:

• Sym Priority: Enter the priority value for the ServerIron. The range is 0 through 225.

• Dyn Sym Pri Factor (optional): Specify the value for the dynamic priority.


Displaying High Availability summary 8

• Session Sync: Click the image button under this column to enable session synchronization for a specific port. If a port profile is not available, a new port profile will be created.

5. For Step 2: (Optional) Enable Symmetric Active-Active HA, click Enable.

6. For Step 4: (Optional) Define Active-Active Port, enter the following information:

• Select a VLAN from the Sync VLAN list or click Create VLAN to create one. To create a VLAN, see “Configuring VLANs” on page 79.

• Select the required port from the Active-Active Port list.

7. Optionally, configure other parameters.

8. Click Apply.


NOTEYou can only enable one of the three HA modes on ServerIron.

Displaying High Availability summaryYou can view the details of the following options from the Summary tab:

• Hot Standby summary

• Symmetric Active-Standby and Symmetric Active-Active summary

Hot Standby summaryTo view the Hot Standby summary, follow these steps.



3. Click the Hot Standby down arrow to display the configuration details for the Hot Standby mode configured on a ServerIron.


Displaying High Availability summary8

If this mode is configured for switch code, then the details will appear as shown in the following image.

NOTEThis mode is not applicable for router code and thus the message Hot Standby High Availability mode is not enabled will be displayed.

Symmetric Active-Standby and Symmetric Active-Active summaryTo view the Symmetric Active-Standby and Symmetric Active-Active summary, follow these steps.



3. Click the Symmetric Active-Standby / Active-Active down arrow to display the configuration details for the Symmetric Active-Standby and Symmetric Active-Active modes configured on a ServerIron.


Displaying High Availability summary 8

The Summary window is displayed.


Displaying High Availability summary8


Chapter

9SSL Acceleration and Certificate Management

In this chapter•Generating an SSL key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

•Uploading an existing SSL Key to ServerIron. . . . . . . . . . . . . . . . . . . . . . . . 101

•Generating a self-signed certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

•Generating a certificate signing request . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

•Uploading certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

•Creating an SSL profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

•Defining SSL accelerated services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

•Displaying SSL summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Generating an SSL keyThe SSL Traffic Management selection on the context bar allows you to manage SSL certificates, SSL keys, SSL profiles, and to configure SSL acceleration for service VIPs.

To generate a Secure Sockets Layer (SSL) key, follow these steps.

1. Click Security on the context bar and select SSL Traffic Management.


Generating an SSL key9

The SSL traffic management window is displayed.

2. Click the SSL Keys tab.


Generating an SSL key 9

3. Click the down arrow next to Key Generation on ServerIron to display the parameters for generating an SSL key.


• Key File Name: Enter the key name.

• Encryption Algorithm: Select RSA.

• Key Length: Select the key length from the list. The default is 1024.


Generating an SSL key9

• Encryption Password: Enter the password.

5. Click Generate.

If the key is generated successfully, the message The operation was successful is displayed at the top of the page and the SSL key is displayed in the Summary tab.

The Summary tab lists the SSL keys available in the ServerIron. When the key entries exceed 20, page mode is automatically displayed. You can navigate through the pages by clicking Next Page and Previous Page, or you can use the Go To list.

You can search for a particular key or keys by entering the string in the Search Keys field in one of the following ways:

• * -- Enter to display all keys.

• *<string>* -- Enter to search keys that contain <string>.

• <string>* -- Enter to search keys that start with <string>.

• *<string> -- Enter to search keys that end with <string>.

After entering the <string>, click Find to display the keys.


Uploading an existing SSL Key to ServerIron 9

The following actions can be performed on the keys:

• Click Delete to delete a key.

• Click Details to view the contents of the key.

• Click Download to save the key. The key is displayed in a separate window. You can then save the key to a file on your local drive.

Uploading an existing SSL Key to ServerIronTo upload an existing SSL key to ServerIron, follow these steps.


2. Click the SSL Keys tab.

3. Under Key Upload to ServerIron, enter the following information:

• Key Format: Select the key format from the list. The default is PEM.

• Encryption Password: (Optional) Enter the password if the key is encrypted; otherwise leave this field blank.


Generating a self-signed certificate9

• Save As File Name: (Optional) Enter the file name if you want to save the key file on the ServerIron with a different name. If this field is left blank, the key file is saved with the same name.

• Select Local Key File: Click Browse to find the key file in the local directory.

4. Click Upload.

If the key is uploaded successfully, the message The operation was successful is displayed at the top of the page. The newly uploaded key is listed in the Summary tab.

Generating a self-signed certificateTo generate a self-signed certificate, follow these steps.


2. Click the Certificates tab.


Generating a self-signed certificate 9

3. Click the down arrow next to Self-Signed Certificate Generation.


• Certificate File Name: Enter the certificate name.

• Select Key File: You can select the previously generated or uploaded SSL key file in two ways.

The Select Key File list displays the first 20 entries. To view other entries, use the arrow keys. Select the key you want and it will appear in the Search Key File field.

Enter the string in the Select Key File field in one of the following ways and then click Find.*<string>* Enter to search keys that contain <string><string>* Enter to search keys that start with <string>*<string> Enter to search keys that end with <string>

The keys are displayed in the Select Key File list. Select the key file you want.

• Encryption Password: Enter the password.

• Organization: Enter the organization name.

• Domain Name: Enter the domain name.

• City: Enter the city name.

• State or Province: Enter the state name.

• Country: Enter the country name. Only two characters are allowed.

• Department: Enter the department name.

• Email: Enter the e-mail address.


Generating a self-signed certificate9

5. Click Generate to generate the certificate.

If the operation is successful, the message The operation was successful is displayed at the top of the page. The certificate will be listed in the Summary tab.

The Summary tab lists the generated SSL certificates available in the ServerIron. When the entries exceed 20, page mode is automatically displayed. You can navigate through the pages by clicking Next Page and Previous Page, or you can use the Go To list.

You can search for a particular certificate or certificates by entering the string in the Search Certificates field in one of the following ways:

• * -- Enter to display all certificates.


Generating a certificate signing request 9

• *<string>* -- Enter to search certificates that contain <string>.

• <string>* -- Enter to search certificates that start with <string>.

• *<string> -- Enter to search certificates that end with <string>.

After entering the <string>, click Find to display the certificates.

The following actions can be performed on the certificates:

• Click Delete to delete the certificate.

• Click Details to view the contents of the certificate.

• Click Download to save the certificate. The certificate is displayed in a separate window. You can then save the certificate to a file on your local drive.

Generating a certificate signing requestTo generate a request for a certificate that will be sent to a CA to be digitally signed, perform the following tasks.

1. Click Security in the context bar and select SSL Traffic Management.


3. Click the down arrow next to Certificate Signing Request (CSR) Generation.


Generating a certificate signing request9


• Select Key File: You can select the previously generated or uploaded SSL key file in two ways.

The Select Key File list displays the first 20 entries. To view other entries, click the arrow keys. Select the key you want and it will appear in the Search Key File field.

Enter the string in the Select Key File field in one of the following ways and then click Find.*<string>* Enter to search keys that contain <string><string>* Enter to search keys that start with <string>*<string> Enter to search keys that end with <string>

The keys are displayed in the Select Key File list. Select the key file you want.

• Organization: Enter the organization name.

• Domain Name: Enter the domain name.

• City: Enter the city name.

• State or Province: Enter the state name.

• Country: Enter the country name. Only two characters are allowed.

• Department: Enter the department name.


Uploading certificates 9

• Email: Enter the e-mail address.

5. Click Generate to generate the certificate signing request (CSR).

If the operation is successful, the message The operation was successful is displayed at the top of the page. The certificate request is displayed in the field at the bottom of the page.

6. Copy the entire certificate request and save it to a file.

7. Send the certificate request to an authorized certificate signing agency. The agency will send you a signed certificate file that you must upload into ServerIron.

Uploading certificatesOnce you receive an SSL certificate from the CA, upload it to the ServerIron by performing the following tasks.




Creating an SSL profile9

3. Click the down arrow next to Certificate Upload to ServerIron.


• Certificate Format: Select PEM.

NOTEIf your certificate type is PKCS12, both the SSL key and certificate are included inside a single file. In this situation, you must upload the certificate and key file through the key upload procedure, which is under the SSL keys tab.

• Save As File Name: (Optional) Enter a name for the certificate if you want to upload the certificate on the ServerIron with a different name. If you leave this field blank, the certificate will be uploaded with the same name.

• Chain CA Certificate: Select the check box to chain (append) the certificate you are uploading to an existing certificate on the ServerIron.

NOTEThe title of the Select Server Certificate changes to Select CA Certificate when you select the Chain CA Certificate check box.

• Select Server Certificate on ServerIron: Select the existing certificate on the ServerIron to which you want to chain the selected CA certificate. The Select Server Certificate on ServerIron list displays the first 20 entries. You can use the arrow keys to view other sets of certificates.

• Select Server Certificate or Select CA Certificate: Select the server certificate or CA certificate from your local directory.

5. Click Upload.

If the operation is successful, the message The operation was successful is displayed at the top of the page. The certificate is listed in the Summary tab.

Creating an SSL profileTo create an SSL profile, ensure that the SSL key and SSL certificate have been created or uploaded to the ServerIron. Follow the steps below to define an SSL profile.


Creating an SSL profile 9


2. Click the SSL Profiles tab.


• Click New or select New from the list.

• SSL Profile Name: Enter the profile name.

• SSL Key: You can select the previously generated or uploaded SSL key file in two ways:

The SSL Key list displays the first 20 entries. To view other entries, use the arrow keys. Select the key you want and it will appear in the SSL Key field.

Enter the string in the SSL Key field in one of the following ways and then click Find.*<string>* Enter to search keys that contains <string><string>* Enter to search keys that start with <string>*<string> Enter to search keys that end with <string>

The keys are displayed in the SSL Key list. Select the key file you want.

If no key is available, click Create New Key to create a new key.

• SSL Certificate: You can select the previously generated or uploaded SSL certificate in two ways:

The SSL Certificate list displays the first 20 entries. To view other entries, use the arrow keys. Select the certificate you want and it will appear in the SSL Certificate field.

Enter the string in the SSL Certificate field in one of the following ways and then click Find.



*<string>* Enter to search certificates that contain <string><string>* Enter to search certificates that start with <string>*<string> Enter to search certificates that end with <string>

The certificates are displayed in the SSL Certificate list. Select the certificate you want.

If no certificate is available, click Create New Certificate to create a new certificate.

• Check if Certificate is self-signed: Select the check box to check if the SSL certificate is a self-signed certificate.

• Certificate Chaining: Click Enable if the certificate in use is a chained certificate.

• Cipher Suites: Select the cipher suites you want from the left field and click the right arrow to move them to the right field.

4. Click Apply to accept and create the SSL profile.

5. If you want to specify additional options under the SSL profile, click the down arrow next to Advanced Options to display these options.




• SSL 2.0: Select Enable or Disable. The default is Disable.

• Verify Client Certificate: By default, client certificate verification is disabled. Select this option if you want ServerIron to verify the connecting client.

Select the appropriate option:

Per New Connection: Verify the client certificate with every new connection. Per SSL Handshake: Verify the client certificate with every SSL handshake. Accept Connection Only if Certificate is present: If selected, the ServerIron rejects any

client connection if the client does not present a certificate for verification. If this option is not selected, then the ServerIron will verify the client certificate only if presented.



• Select CA Certificates: This selection is applicable if ServerIron is configured in SSL proxy mode, where it acts as an SSL client to a server-side SSL certificate. You can specify up to four CA certificates.

• Enable CLOSE-NOTIFY Alert: Select to enable sending close notify alert.

• Enable SSL Session Cache: Select to enable SSL session cashing. By default, session caching is turned off.

Client Side: Select to enable session caching for the SSL client only. Server Side: Select to enable session caching for the SSL server only. Both Side: Select to enable session caching for the SSL client and the SSL server. Cache Timeout: Enter the cache timeout between 30 and 86400. Maximum Cache Entries: Enter the maximum number of cache entries. The default is

1024.• Create / Edit TCP Profile: Select to create or edit the TCP profile.

Select the TCP profile you want to edit from the list or click New to create a new profile. Profile Name: Enter the profile name. Nagle Algorithm: Select On or Off. Delayed ACK Algorithm: Select On or Off. PUSH Bit: Select On or Off. Click Apply. The message The operation was successful is displayed. To delete a TCP profile, select the profile from the list and click Delete.

• Associate TCP Profile: Select a TCP profile from the list.

7. Click Update.

If the operation is successful, the message The operation was successful is displayed at the top of the page. The profile will be listed under the Summary table.



The Summary tab lists the SSL profiles available in the ServerIron. When the entries exceed 20, page mode is automatically displayed. You can navigate through the pages by clicking Next Page and Previous Page, or you can use the Go To list.

You can search for a particular profile by entering the string in the Search Profiles field in one of the following ways:

• * -- Enter to display all profiles.

• *<string>* -- Enter to search profiles that contain <string>.

• <string>* -- Enter to search profiles that start with <string>.

• *<string> -- Enter to search profiles that end with <string>.

After entering the <string>, click Find to display the profiles. You can click Edit to modify the profile. You can also delete the profile by clicking Delete. However, you cannot delete a profile if it is in use.


Defining SSL accelerated services9

Defining SSL accelerated servicesBefore enabling SSL acceleration, make sure the following have been created:

• Virtual server: Refer to “Creating a virtual server” on page 37.

• Virtual server port: Refer to “Creating a virtual server port” on page 38.

• SSL (TCP) profile: Refer to “Creating an SSL profile” on page 108.


2. Click the SSL Services tab.


• Virtual Server: Select a virtual server from the list or click Create Virtual Server to create one.

• Virtual Server Port: Select a virtual server port from the list or click Add Virtual Server Port to create one.

• SSL Mode: Select Terminate or Proxy.

• SSL Client Communication: Select the SSL profile from the Server Profile list or click Create SSL Profile to create one. The list displays the first 20 profiles. Use the arrow keys to view other sets of profiles.


Defining SSL accelerated services 9

• Real Server Communication: (Plain-Text): If SSL Terminate mode is enabled, select a profile from the TCP Profile list or click Create TCP Profile to create a new one. The list displays the first 20 profiles. Use the arrow keys to view other sets of profiles.

• Real Server Communication: (Cipher-Text): If SSL Proxy mode is enabled, select a profile from the Client Profile list or click Create SSL Profile to create one. The list displays the first 20 profiles. Use the arrow keys to view other sets of profiles.

4. Click Apply to enable SSL acceleration for a service (VIP).

5. If real servers (member servers) are already bound to VIPs, then those members are shown under the member servers summary table. If none are bound, then you can bind them or create new ones and bind them under Member Servers. Click the down arrow next to Member Servers.


• Real Server: Select a real server from the list or click Create Real Server to create one.

• Real Server Port: Select a real server port from the list or click Add Real Server Port to create one.

• Real Port: (Optional) Specify the real port.

7. Click Add to bind the selected real server to an SSL accelerated virtual server.

The summary table shows the real server member that is bound to a virtual server.


Displaying SSL summary9

Displaying SSL summaryYou can display details of SSL keys, SSL certificates, and SSL services from the Summary tab or from the tab where they are configured.

From the Summary tab, click SSL Keys, SSL Services, or SSL Certificate.


Displaying SSL summary 9

Depending on which option you selected, the entries are displayed. When the entries exceed 20, page mode is automatically displayed. You can navigate through the pages by clicking Next Page and Previous Page, or you can use the Go To list. You can search for a particular virtual server by entering the string in the Search Virtual Servers field in one of the following ways:

• * -- Enter to display all profiles.

• *<string>* -- Enter to search profiles that contain <string>.

• <string>* -- Enter to search profiles that start with <string>.

• *<string> -- Enter to search profiles that end with <string>.

You can view and download the SSL keys and SSL certificates from ServerIron. For example, if you selected SSL Certificates, the Certificate Name field is displayed with a list of the certificates that have been created in the ServerIron. When you click View, the details for the selected certificate are displayed, as in the following example.

Click Download for the selected entry to save the certificate to a file on your local drive. Likewise, you can download the SSL keys by clicking SSL Keys under the Summary tab.


Displaying SSL summary9


Chapter

10Configuring Layer 7 Switching

In this chapter•Creating a Layer 7 Switching Rule (Request). . . . . . . . . . . . . . . . . . . . . . . . 119

•Creating a Layer 7 Request Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

•Enabling Layer 7 Switching (HTTP Requests) . . . . . . . . . . . . . . . . . . . . . . . 123

•Displaying Layer 7 Summary (HTTP Requests) . . . . . . . . . . . . . . . . . . . . . . 124

•Creating Layer 7 Rules for HTTP Response . . . . . . . . . . . . . . . . . . . . . . . . . 124

•Creating Layer 7 Policies for HTTP Responses . . . . . . . . . . . . . . . . . . . . . . 125

•Enabling Layer 7 Switching for HTTP Responses . . . . . . . . . . . . . . . . . . . . 128

•Displaying Layer 7 Summary of Response Rules, Policies, and associated virtual servers 129

•Using the L7 Switching Request Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Creating a Layer 7 Switching Rule (Request)1. Click L7 Traffic Management on the context bar and select L7 Switching (Request).

The L7 Switching (Request) window is displayed.

2. Click the Req. Rule tab.


Creating a Layer 7 Switching Rule (Request)10



• Name: Enter a name for the rule.

• Type: Select the type of rule from the list.

The appropriate parameters are displayed depending on what Type you selected. Fill in the values for the parameters displayed.

• Case Insensitive: Select this check box if you want the rule to be case insensitive.

5. Click Apply.

The rule is listed in the Rule Summary table. You can click Edit to modify the rule or select it from the list at the top of the page, next to New. You can also delete the rule from the Rule Summary table. However, you cannot edit or delete rules if they are in use.

Click the arrow next to rule name in Rule Summary table to display its details.


Creating a Layer 7 Switching Rule (Request) 10

Creating a nested ruleThe following steps describe how to create a nested rule.

1. Click the down arrow next to Nested Rules to display the parameters for nested rules.

2. Enter the Name for the nested rule.

3. Identify individual rules and select the appropriate operator (AND, OR) from the list.

You can use the NOT operator by placing a check mark in the NOT box.

ServerIron starts generating an expression for the Nested Rule, which will be visible in grey color in the Input Expression field.

4. To add brackets to an expression, select the option for the Input Expression field and build your own custom expression.

5. Click Apply when you have finished.

The nested rule is created and is listed in the Rule Summary table.


Creating a Layer 7 Request Policy10

Creating a Layer 7 Request Policy1. With the L7 Switching (Request) selected from L7 Traffic Management, click the Req. Policy

tab.


3. Enter the name of the Layer 7 policy in the Name field.

4. Click Add.

The fields to define the policy are displayed.

5. Select a rule from the Rule list. If a rule is not created already, then you can define one by clicking Create New Rule.


Enabling Layer 7 Switching (HTTP Requests) 10

6. Select an action from the Action list.

Depending on the selected Action, the display changes and the system asks for additional information.

7. Provide the required additional information and click Add Rule to Policy.

8. Repeat step 4 to step 7 if you wish to add more rules to this policy. You can also add a default rule to the policy.

The rule is listed in the policy table. You can delete a rule from the policy table by clicking Del. You can also click the down arrows to display details for a rule.

Enabling Layer 7 Switching (HTTP Requests)1. Click L7 Traffic Management on the context bar and select L7 Switching (Request).

2. Click the L7 Switching tab.

3. Select a virtual server from the Virtual Server list or click Create Virtual Server to create one.

4. Select a virtual port from the Virtual Port list or click Add Virtual Port to create one.

5. Select Enable to enable Layer 7 switching under the selected VIP and VIP port; select Disable to disable Layer 7 switching.

6. Select a request policy from the Request Policy list or click Create New Policy to create one.

7. Click Apply.


Displaying Layer 7 Summary (HTTP Requests)10

Displaying Layer 7 Summary (HTTP Requests) To display a summary of L7 request rules, policies and switching definitions, click the Summary tab on L7 Switching (Request).

Click Request Rules to display summary of Layer 7 rules for HTTP requests. Click the down arrow next to the rule name to display details for that rule. Rules that are not in use can be modified or deleted.

Click Request Policies to display a summary Layer 7 policies for HTTP requests. Click the down arrow next to the policy name to display its details. You can edit or delete polices from the summary.

Click L7 Switching to display the summary of VIPs that are enabled with Layer 7 switching for HTTP requests. Click the down arrow next to the policy name to view its details. You can also click Edit to modify the policy or Unbind to remove the policy from the virtual server.

For example, the following shows a summary of the Layer 7 rules for HTTP requests.

Creating Layer 7 Rules for HTTP Response1. Click L7 Traffic Management on the context bar and select L7 Switching (Response).

2. Click the Resp. Rule tab.


Creating Layer 7 Policies for HTTP Responses 10

3. Click New from the list.


• Name: Name of the response rule.

• Type: Select the type of the response rule: response status code, response header, or response body from the list.

The display changes depending on the selected rule type. Fill in the requested data.

5. Click Apply.

The new rule is listed in the Rule Summary table. You can edit or delete rules.

Creating Layer 7 Policies for HTTP Responses1. Click L7 Traffic Management on the context bar and select L7 Switching (Response).

2. Click the Resp. Policy tab.


4. Enter the name of the Layer 7 policy for HTTP response in the Name field.

5. Click Add.


Creating Layer 7 Policies for HTTP Responses10

There are two types of Layer 7 HTTP response policies - HTTP header rewrite and HTTP body rewrite:

• For HTTP header rewrite policy, click the down arrow next to Response Rewrite on HTTP Header and configure as described in “Configuring Response Rewrite on HTTP Header” on page 126.

• For HTTP body rewrite policy, click the down arrow next to Response Rewrite on HTTP Body and configure as described in “Configuring Response Rewrite on HTTP Body” on page 127.

Configuring Response Rewrite on HTTP HeaderLayer 7 policy creation for HTTP header rewrite is a two-step process. In the first step, select the Layer 7 response rule that identifies the status code in the response packets on which the Layer 7 response policy should act upon. In the second step, select the rule and action for the header rewrite.

1. For Step 1 under the Response Rewrite on HTTP Header, select the HTTP Response Status Code Rule that identifies the response packets on which Layer 7 policy should act upon. If the rule is not present, then click Create New Rule to create a new rule.

2. Click Add to add the rule.


Creating Layer 7 Policies for HTTP Responses 10

3. For Step 2 under the Response Rewrite on HTTP Header, select a rule from the HTTP Response Header Name & String Rule list that identifies an HTTP response header name and the string that needs to be rewritten. If the rule is not present, then click the Create New Rule to create a new one.

4. Enter the New String Value. The Offset and Length parameters are automatically filled in.

5. Click Add Rules to Policy.

The new Layer 7 Response Policy is added to the Policy table. You can click Del to delete a rules from inside the policy.

Configuring Response Rewrite on HTTP Body1. To create HTTP body rewrite policy then click the down arrow next to Response Rewrite on HTTP

Body and follow the steps below.

Layer 7 policy creation for HTTP body rewrite is a two-step process. In the first step, select the Layer 7 request rule that identifies the flow with the response that needs Layer 7 rewrite. In the second step, select the rule and action for the body rewrite.

2. For Step 1 under the Response Rewrite on HTTP Body, select the HTTP Request Rule with the response packet that needs to be acted upon or select HTTP Response Rule to identify if the response packet needs to be acted upon. If rule is not present, then click Create New Rule to create a new rule.

3. For Step 2 under Response Rewrite on HTTP Body, select the HTTP Response Body String Rule. If the rule is not present, then click Create New Rule to create a new rule.

4. After selecting the rule, its old value is displayed. If necessary, enter the new value for any of the fields displayed.

5. Click Add Rules to Policy.


Enabling Layer 7 Switching for HTTP Responses10

The new Layer 7 Response Policy is added to the Policy table. You can click Del to delete a rule from inside the policy.

Enabling Layer 7 Switching for HTTP ResponsesBefore enabling Layer 7 Switching for HTTP Responses, you need to define the following in the ServerIron:

• Virtual server

• Virtual server port

• Layer 7 response policy

If these objects are not defined, then links are provided from the Layer 7 Switching tab to create new ones.

To enable Layer 7 switching for HTTP responses, perform the following steps.

1. Click L7 Traffic Management on the context bar and select L7 Switching (Response).

The Layer 7 Switching (Response) window is displayed.

2. Click the L7 Switching tab.


Displaying Layer 7 Summary of Response Rules, Policies, and associated virtual servers 10


• Virtual Server: Select the virtual server for which you wish to enable Layer 7 switching from the Virtual Server list. If none exists, then click Create Virtual Server to create one.

• Virtual Port: Select a port from the Virtual Port list or click Add Virtual Port to create one.

• Response Policy: Select a response policy from the Response Policy list or click Create New Policy to create one.

4. Click Apply.

Displaying Layer 7 Summary of Response Rules, Policies, and associated virtual servers

You can display summaries of Layer 7 rules, response policies, and associated virtual servers from the Summary tab. Select L7 Switching (Response) and click the Summary tab.

Click Response Rules to display the summary of response rules. Click the down arrow next to the rule name to display details for that rule. Rules that are not in use can be modified or deleted.

Click Response Policies to display a summary of a response policy. Click the down arrow next to the policy name to display its details. Click Edit if you wish to make changes, or Delete to delete the policy.

Click L7 Switching to display virtual servers that have Layer 7 response policies associated with them. Click the down arrow next to the policy name to view its details. You can also click Edit to modify the policy or Unbind to remove the policy from the virtual server.


Using the L7 Switching Request Wizard10

For example, the following shows a summary for Response Rules.

You can click the down arrow to the right of Name to display details for a rule.

NOTEA rule in use cannot be edited or deleted.

Using the L7 Switching Request WizardThe Layer 7 Switching Wizard page provides simple, step-by-step instructions for creating a sample Layer 7 switching configuration. You can choose from one of the predesigned sample scenarios and the GUI will navigate you through rule creation, policy creation, and policy association pages.

Launching the WizardTo launch the Wizard, do the following.

1. Click L7 Switching (Request) to display the configuration tabs.

2. Click the Wizard tab.

3. When the start page for the Wizard displays, select a scenario from the Select Scenario list and click Start.


Using the L7 Switching Request Wizard 10

4. The Wizard guides you through the steps for creating a Layer 7 switching configuration.

Wizard 1: Traffic Forwarding based on URL prefixThe following steps describe how to configure Traffic Forwarding Based on a URL Prefix by following these steps.

Step 1: Creating a rule – In this step, the rule is named and the Type, Operator, and Value are defined.

Step 2: Creating a policy – In this step, the policy is named and defined.

Step 3: Enabling Layer 7 switching – In this step, the Virtual Server and Virtual Port are enabled for Layer 7 Switching and the Layer 7 Policy is applied.



Step 1: Creating a ruleSelecting the Traffic Forwarding based on URL Prefix scenario displays the Create Rule page as shown in the following.

1. Enter a name for the rule in the Name field. The type and the operator with this rule would be URL and Prefix respectively. Select Case Insensitive if case sensitivity is not required.

2. Click Create to create the rule. This rule will then be displayed under the Rule summary table.

3. Repeat step 1 and step 2 within this procedure if you wish to create additional rules.

4. Click >> to continue to the next step.

Step 2: Creating a policyThe second step is to create a policy for the rule.

1. On the Create Policy page, enter a name for the policy, select the rule to which the policy will be applied, select an action, and provide any information required for the policy.

2. Click Add Rule to Policy. The new policy is listed in the Policy Summary table.


Using the L7 Switching Request Wizard 10

3. Repeat step 1 and step 2 within this procedure if you wish to create additional rules.

4. Click >> to continue to the next step.

Step 3: Enabling Layer 7 SwitchingThe last step is to enable the rule.

When the Enable Switching page is displayed, the virtual server to which the rule will be enabled, the virtual server port, and the selected request policy are displayed.

1. Select the Virtual Server and Virtual Port for which you want to enable Layer 7 switching.

2. Click Enable to enable the rule.

3. Select the L7 policy from Request Policy list.

4. Click Apply. The Layer 7 switching details are now displayed in the Summary table.



5. Click Finish to complete the procedure.

Wizard 2: Traffic Forwarding based on URL suffixTraffic Forwarding based on URL suffix is configured using the same procedure as Traffic Forwarding based on URL prefix, as described in “Wizard 1: Traffic Forwarding based on URL prefix” on page 131.


Chapter

11Maintenance

In this chapter•Software upgrade overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Software upgrade overviewYou can upgrade the application images from a TFTP server that is connected to the ServerIron ADX. While upgrading the image, make sure that there are no power failures.

To access the software upgrade window, click Maintenance on the context bar and select Software Upgrade.


Software upgrade overview11

You can perform the following actions using the software upgrade window:

• Copy the system software

• Reboot the device

Copying system softwareTo copy system software from the TFTP server, follow these steps.

1. Click Maintenance on the context bar and select Software Upgrade.

The copy window is displayed.

2. Enter the TFTP server IP address in the TFTP Server IP field.

3. Enter the image name in the Software Image Name field.

4. By default, the flash memory is set as Primary. Select Secondary to download the image to secondary memory.

5. Click Copy to start loading the software image.

On successful completion, a status message is displayed, “TFTP copy completed successfully”. If an error occurs, an error message is displayed.

Rebooting the deviceTo reboot the device, follow these steps.

1. Click Maintenance on the context bar and select Software Upgrade.

2. Click Reboot.

The reboot window is displayed.


Software upgrade overview 11

3. The current configured boot location is displayed on the screen. You can change the current boot location by selecting Primary or Secondary.

4. By default, the system is configured to boot from the Primary memory. Select Secondary to configure the boot from the secondary memory.

5. Click Save and Reboot.

On successful reboot, a status message is displayed, “System reboot complete. Now the system is up.”

If any of the embedded system images such as boot image or other image files require update, an information message with further instructions to be performed using CLI are displayed on the screen as shown below.


Software upgrade overview11

You must perform the following procedure using the CLI.

1. Connect your system to the ServerIron console connector using the serial cable.


ServerIronADX1000>ServerIronADX1000>enableServerIronADX1000#

3. Enter boot upgrade flash primary/Secondary as specified in the Web GUI boot upgrade message.

ServerIronADX1000#boot upgrade flash primary

The system will start rebooting. Wait until the following prompt comes up.

MP-Appl#

4. Enter the upgrade all command.

MP-Appl# upgrade all

5. After the MP-Appl# prompt reappears, enter the reset command.

MP-Appl# reset

The boot code upgrading process is complete.


Chapter

12Displaying Statistics

In this chapter•Statistics overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

•Viewing system resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

•Displaying traffic statistics for a real server . . . . . . . . . . . . . . . . . . . . . . . . 141

•Displaying statistics for a real server port . . . . . . . . . . . . . . . . . . . . . . . . . . 146

•Displaying statistics for a virtual server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

•Displaying statistics for virtual server port . . . . . . . . . . . . . . . . . . . . . . . . . 151

•Displaying global traffic statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

•Displaying interface statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

•Viewing Syslog entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Statistics overviewThe ServerIron GUI displays information about system CPU and memory resources; traffic statistics for real servers, virtual server and ports; details on system interfaces, ARP and MAC tables; and system resources.

To view system statistics, click Overview on the context bar and select Statistics.


Viewing system resources12

By default, real server statistics is displayed.

Viewing system resourcesInformation about the available system resources can be viewed from Dashboard on Overview or from the System Resources tab of the Statistics page.

To view system resources from the Statistics page, click Overview on the context bar and select Statistics, then click the System Resources tab.


Displaying traffic statistics for a real server 12

The System Resources page displays CPU and memory utilization of the management processor (MP), and CPU and session utilization of barrel processors (BP).

Displaying traffic statistics for a real serverTo display traffic statistics for a real server, follow these steps.

1. Click the Traffic Statistics tab.

By default, traffic statistics for the first real server is displayed.

2. Select the real server by using one of the following methods:

• Select a real server from the list.

• Click the left or right arrow to the sides of the list.


Displaying traffic statistics for a real server12

3. You can select how often the display is refreshed by selecting a value from the Refresh Interval list on the Live Chart bar. The default refresh interval is 10 seconds and it can be adjusted from 5 seconds to 2 minutes.

4. By default, auto-refresh is enabled. You can stop auto-refresh by clicking Stop. Resume the refresh by clicking Start again, or start over by clicking Reset.

The top portion of the display shows a summary for the real server. The remainder of the page contains several charts that shows the statistical information for the real server:

• “Current Connection Rate” on page 142

• “Current Connections” on page 143

• “Connection Distribution among Application Ports” on page 144

• “Total Accumulated Connections to Server” on page 144

• “Total Accumulated Connections per Application Port” on page 145

• “Received and Transmitted Packets among Application Ports” on page 145

The charts show live client connections to the real servers and the number of packets that have been sent or received by the real server.

Current Connection RateThe Current Connection Rate live chart shows the rate at which the current connections are made to a selected real server.

The X-axis displays the time interval, based on your selection for Refresh Interval. For example, if you select 1-minute interval, one-minute increments are displayed on the X-axis.

The Y-axis shows the connection rate.



Current Connections The Current Connections live chart shows the current connections to a selected real server.

The X-axis displays the time interval, based on your selection for Refresh Interval. For example, if you selected 1-minute intervals, one-minute increments are displayed on the X-axis.

The Y-axis shows the number of connections.


Displaying traffic statistics for a real server12

Connection Distribution among Application PortsThe Connection Distribution among Application Ports chart shows the number of current connections for each application port and also displays the peak number of connections for each of these application ports..

Total Accumulated Connections to ServerThe Total Accumulated Connections to Server chart shows the total number of connections that are serviced by a given real server over a period of time.



Total Accumulated Connections per Application PortThe Total Accumulated Connections per Port chart shows the total number of connections serviced by a given real server over a period of time for a given application port since the last time the statistics were cleared using the CLI.

Received and Transmitted Packets among ApplicationPortsThe RX & TX Packets among Application Ports chart shows the number of packets received and transmitted by a real server for a given application port since the last time statistics were cleared using the CLI.


Displaying statistics for a real server port12

Displaying statistics for a real server port1. Click the Traffic Statistics tab.

2. Click Real Port.

3. From the Real Server list, select a real server. Use one of the following methods:

• Select a real server from the Real Server list.

• Click the left or right arrow to the sides of the Real Server list.

4. From the Real Port list, select a real port. Use one of the following methods:

• Select a real port from the Real Port list.

• Click the left or right arrow to the sides of the Real Port list.

The table at the top of the page displays information about the selected real server port.

5. To view statistics on the Live Chart, select the refresh rate from the Refresh Interval list.

6. Click Start to start or resume the data display, Stop to stop it, or Reset to start over again.

The following charts are displayed:

• “Current Connections on Ports” on page 147

• “Total Accumulated Connections on Ports” on page 147

• “Received and Transmitted Packets on Ports” on page 148


Displaying statistics for a real server port 12

Current Connections on PortsThe Current Connections on Port <port> chart shows the current connection count of a given port on a given real server.

Total Accumulated Connections on PortsThe Total Accumulated Connections on Port <port> chart shows the total number of connections serviced over a period of time by given a real server on a given application port.


Displaying statistics for a virtual server12

Received and Transmitted Packets on PortsThe Rx and Tx Packets on Port <port> chart shows the total number of received and transmitted packets for a given port on a given real server.

Displaying statistics for a virtual server1. Click the Traffic Statistics tab.

2. Click Virtual Server.

3. Select the virtual server by using one of the following methods:

• Select a virtual server from the list.

• Click the left or right arrow to the sides of the list.

The top portion of the display shows a summary of the statistics for the virtual server.


Displaying statistics for a virtual server 12

4. You can select how often the display is refreshed by selecting a value from the Refresh Interval list on the Live Chart bar.

5. Click Start to begin or resume the statistics display. Click Stop to stop it or Reset to start over.

The page displays the following charts:

• “Connection Distribution among Application Ports” on page 149

• “Total Accumulated Connections to Server” on page 150

• “Total Accumulated Connections per Port” on page 150

Connection Distribution among Application PortsThe Connection Distribution among Application Ports chart shows the number of current connections to the virtual server for each application port at a given point of time.


Displaying statistics for a virtual server12

Total Accumulated Connections to Server The Total Accumulated Connections to Server chart shows the total number of connections that are serviced by the virtual server over a given period of time since the last reboot.

Total Accumulated Connections per PortThe Total Accumulated Connections per Port shows the total number of connections serviced by a given virtual server on a given application port over a period of time.


Displaying statistics for virtual server port 12

Displaying statistics for virtual server port1. Click the Traffic Statistics tab.

2. Click the Virtual Port.

3. From the Virtual Server list, select a virtual server. Use one of the following methods:

• Select a virtual server from the Virtual Server list.

• Click the left or right arrow to the sides of the Virtual Server list.

4. From the Virtual Port list, select a virtual port. Use one of the following methods:

• Select a virtual port from the Virtual Port list.

• Click the left or right arrow to the sides of the Virtual Port list.

The top portion of the display shows the summary of statistics for the virtual server port.

5. You can select how often the display is refreshed by selecting a value from the Refresh Interval list on the Live Chart bar.

6. Click Start to start or resume the statistics display. Click Stop to stop it or Reset to start over.

The page shows the following charts:

• “Current Connections on Ports” on page 152

• “Current Connection Distribution among Real Servers” on page 152

• “Total Accumulated Connections” on page 153

• “Total Accumulated Connection Distribution among Real Servers” on page 153


Displaying statistics for virtual server port12

Current Connections on PortsThe Current Connections on Port <port> shows the number of current connections being serviced on a given virtual server at a given point of time.

Current Connection Distribution among Real ServersThe Current Connection Distribution among Real Servers shows the distribution of connections among backend real servers that are bound to a given virtual server on a given virtual port.


Displaying statistics for virtual server port 12

Total Accumulated ConnectionsThe Total Accumulated Connections on Port <port> shows the total number of connections serviced on a given virtual port by a given virtual server over a period of time since the last system reboot.

Total Accumulated Connection Distribution among Real Servers The Total Accumulated Connection Distribution Among Real Servers shows the distribution among real servers for the total number of connections that are serviced on a given virtual port by a given virtual server over a period of time since last system reboot. Each column or bar indicates the total number of connections serviced by the associated real server on it corresponding real port.


Displaying global traffic statistics12

Displaying global traffic statistics1. Click the Traffic Statistics tab.

2. Click Traffic.

Global traffic statistics for the device are displayed.

Displaying interface statisticsTo display statistics for an interface, perform the following steps..

1. Click Overview on the context bar and select Statistics.

2. Click the Interface / IP tab.

3. Click I/F Summary to display a quick summary of all the interfaces on the ServerIron.


Displaying interface statistics 12

4. Click I/F Details to view more details for an interface.

The Interface Details page provides data for the interface attributes, its utilization, and errors on the interface.


Displaying interface statistics12

5. Click IP to display ICMP, IP, TCP, and UDP protocol statistics.

6. Click ARP to display the ARP Statistics and the entries in the ARP Cache.

The ARP cache table shows IP to MAC address association.

NOTEI/F Summary, I/F Details and ARP also display the management port statistics.


Displaying interface statistics 12

7. Click MAC to display Layer 2 MAC table information. The MAC Address table shows the association between a MAC address and a system port.


Viewing Syslog entries12

Viewing Syslog entriesClick the System Log tab to view the entries in the Syslog. The System Log page shows the date and time when the entry was generated, the severity of the entry, and the generated message.

Server Iron 1230 GUI

Documents

Transcript of Server Iron 1230 GUI