Headquarters
www.a10networks.com
© A10 Networks, Inc. 11/3/2010 - All Rights Reserved
Information in this document is subject to change without notice.
Trademarks
A10 Networks, the A10 logo, ACOS, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, VirtualADC, Virtual Chassis, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.
Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789, 20070283429, 20070271598, 20070180101
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc. This information may contain forward looking statements and therefore is subject to change.
Disclaimer
The information presented in this document describes the specific products noted and does not imply nor grant a guarantee of any technical performance nor does it provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the right to make technical and other changes to their products and documents at any time and without prior notification.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks, Inc. location which can be found by visiting www.a10networks.com.
AX Series - Configuration Guide
About This Document
The following terms of this End User License Agreement ("Agreement") govern Customer's access and use of the Software, except to the extent there is a separate signed agreement between Customer and A10 Networks governing Customer's use of the Software.
License. Conditioned upon compliance with the terms and conditions of this Agreement, A10 Networks Inc. or its subsidiary licensing the Software instead of A10 Networks Inc. ("A10 Networks"), grants to Customer a nonexclusive and nontransferable license to use for Customer's business purposes the Software and the Documentation for which Customer has paid all required fees. "Documentation" means written information (whether contained in user or technical manuals, training materials, specifications or otherwise) specifically pertaining to the product or products and made available by A10 Networks in any manner (including on CD-Rom, or on-line).
Unless otherwise expressly provided in the Documentation, Customer shall use the Software solely as embedded in or for execution on A10 Networks equipment owned or leased by Customer and used for Customer's business purposes.
General Limitations. This is a license, not a transfer of title, to the Software and Documentation, and A10 Networks retains ownership of all copies of the Software and Documentation. Customer acknowledges that the Software and Documentation contain trade secrets of A10 Networks, its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and associated interface information. Accordingly, except as otherwise expressly provided under this Agreement, Customer shall have no right, and Customer specifically agrees not to:
a. transfer, assign or sublicense its license rights to any other person or entity, or use the Software on unauthorized or secondhand A10 Networks equipment
b. make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do the same
Performance by Design 3 of 1088
Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010
c. reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction
d. disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of A10 Networks. Customer shall implement reasonable security measures to protect such trade secrets.
Term and Termination. This Agreement and the license granted herein shall remain effective until terminated. All confidentiality obligations of Customer and all limitations of liability and disclaimers and restrictions of warranty shall survive termination of this Agreement.
Trademarks. A10 Networks, the A10 logo, ACOS, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDsentrie, IP-to-ID, SoftAX, Virtual Chassis, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.
Patents Protection. A10 Networks products including all AX Series are protected by one or more of the following US patents and patents pending: 7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789, 20070283429, 20070271598, 20070180101.
Limited Warranty
Customer agrees that the limitations of liability and disclaimers set forth herein will apply regardless of whether Customer has accepted the Software or any other product or service delivered by A10 Networks. Customer acknowledges and agrees that A10 Networks has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the parties.
The Warranty and the End User License shall be governed by and construed in accordance with the laws of the State of California, without reference to or application of choice of law rules or principles. If any portion hereof is found to be void or unenforceable, the remaining provisions of the Agreement shall remain in full force and effect. This Agreement constitutes the entire and sole agreement between the parties with respect to the license of the use of A10 Networks Products unless otherwise superseded by a written signed agreement.
For all customers, partners, resellers, and distributors who hold valid A10 Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and over the phone.
Corporate Headquarters
www.a10networks.com
Note: As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the AX Series CLI Reference.)
This document assumes that you have already performed the basic deployment tasks described in the AX Series Installation Guide.
secures critical business applications, provides the highest performance and reliability, and establishes a new industry-leading price/performance. For more detailed information, see “System Overview” on page 27.
Audience
This document is intended for use by network architects for determining applicability and planning implementation, and for system administrators for provision and maintenance of the A10 Networks AX Series.
Icons used in this document: Layer 2 switch; Layer 3 router.
Contents
End User License Agreement 3
System Overview 27
AX Series Features............................................................................................................................... 27
ACOS Architecture ............................................................................................................................... 29
AX Software Processes .................................................................................................................. 29
Local File Storage ........................................................................................................................... 31
Hardware Interfaces ............................................................................................................................. 32
Software Interfaces............................................................................................................................... 32
Server Load Balancing......................................................................................................................... 33
Intelligent Server Selection ............................................................................................................. 34
Configuration Templates ................................................................................................................. 34
Global Server Load Balancing............................................................................................................. 36
Outbound Link Load Balancing .......................................................................................................... 36
Transparent Cache Switching ............................................................................................................. 36
Firewall Load Balancing....................................................................................................................... 36
Where Do I Start?.................................................................................................................................. 37
Basic Setup 39
Logging On............................................................................................................................................ 39
Logging Onto the CLI ...................................................................................................................... 40
Logging Onto the GUI ..................................................................................................................... 41
Configuring Basic System Parameters .............................................................................................. 43
Setting the Hostname and Other DNS Parameters ........................................................................ 44
Setting the CLI Banners .................................................................................................................. 45
Setting Time/Date Parameters ....................................................................................................... 46
Configuring Syslog Settings ............................................................................................................ 48
Enabling SNMP .............................................................................................................................. 52
SNMP Traps ................................................................................................................................ 53
SNMP Communities and Views .................................................................................................. 55
SNMP Configuration Steps ......................................................................................................... 56
Configuration Examples .......................................................................................................................59
Emailing Log Messages........................................................................................................................66
Network Setup 73
Overview ................................................................................................................................................73
IP Subnet Support .......................................................................................................................... 73
Transparent Mode .................................................................................................................................75
Configuration Example ................................................................................................................... 76
Transparent Mode in Multinetted Environment ..................................................................................82
Configuration Example ................................................................................................................... 84
Route Mode............................................................................................................................................88
Configuration Example ................................................................................................................... 89
Direct Server Return in Transparent Mode .........................................................................................93
Configuration Example ................................................................................................................... 95
Direct Server Return in Route Mode....................................................................................................98
Configuration Example ................................................................................................................... 99
Direct Server Return in Mixed Layer 2/Layer 3 Environment..........................................................101
HTTP Options for SLB 131
Overview.............................................................................................................................................. 131
Summary of HTTP Options ........................................................................................................... 131
HTTP Template Configuration ...................................................................................................... 133
URL Hash Switching........................................................................................................................... 134
URL Hash Switching with Server Load Awareness ...................................................................... 136
Configuring URL Hashing ............................................................................................................. 138
URL / Host Switching ......................................................................................................................... 139
Configuring URL / Host Switching ................................................................................................ 142
Using URL / Host Switching along with Cookie Persistence ........................................................ 143
Using URL / Host Switching along with Source IP Persistence .................................................... 147
URL Failover........................................................................................................................................ 147
Configuring URL Failover ............................................................................................................. 148
5xx Retry and Reassignment............................................................................................................. 149
Content Compression ........................................................................................................................ 150
Hardware-Based Compression ..................................................................................................... 152
How the AX Device Determines Whether to Compress a File ...................................................... 153
Configuring Content Compression ................................................................................................ 154
Client IP Insertion / Replacement...................................................................................................... 157
Configuring Client IP Insertion / Replacement .............................................................................. 159
Header Insertion / Erasure ................................................................................................................. 160
Configuring Header Insertion / Replacement ................................................................................ 161
Configuring Header Erasure ......................................................................................................... 164
URL Redirect Rewrite......................................................................................................................... 165
Configuring URL Redirect Rewrite ................................................................................................ 166
Strict Transaction Switching ............................................................................................................. 167
Enabling Strict Transaction Switching .......................................................................................... 168
Load Balancing for SIP over TCP/TLS ..............................................................................................203
SIP Multiplexing ............................................................................................................................ 203
Client Keepalive and Server Keepalive ........................................................................................ 206
AX Actions if Selection of a Client or SIP Server Fails ................................................................. 207
SLB Network Address Translation for SIP over TCP / TLS .......................................................... 207
Configuring SIP over TCP / TLS for SIP Multiplexing .................................................................. 208
CLI Example ............................................................................................................................. 219
Displaying SIP SLB Statistics .................................................................................................... 221
CLI Example ............................................................................................................................. 221
Disabling Reverse NAT Based on Destination IP Address..............................................................222
IP NAT for SIP ......................................................................................................................................224
Wildcard VIPs 277
Configuring a Wildcard VIP ............................................................................................................... 277
Configuration Examples ............................................................................................................ 281
Maintenance Health Status for Servers in Persistence Configurations ........................................ 415
On-Demand Health Checks................................................................................................................ 416
Enabling Strict Retries ....................................................................................................................... 418
Globally Changing Health Monitor Parameters ............................................................................... 419
Globally Disabling Layer 3 Health Checks .................................................................................... 420
Compound Health Monitors............................................................................................................... 421
Displaying Health Status.................................................................................................................... 425
Using External Health Methods......................................................................................................... 428
Configuration ................................................................................................................................ 428
Script Examples ............................................................................................................................ 430
TCL Script Example .................................................................................................................. 430
Perl Script Example ................................................................................................................... 432
Shell Script Example ................................................................................................................. 433
Configure Sites ............................................................................................................................. 483
Configure a Zone .......................................................................................................................... 484
Enable the GSLB Protocol ........................................................................................................... 485
GSLB Parameters................................................................................................................................487
Policy Parameters ........................................................................................................................ 502
Configuration Examples .....................................................................................................................514
CLI Example ................................................................................................................................. 514
Configuration on the GSLB AX Device (GSLB Controller) ........................................................ 514
Configuration on Site AX Device AX-A ..................................................................................... 515
Configuration on Site AX Device AX-B ..................................................................................... 516
GUI Example ................................................................................................................................ 516
Configuration on the GSLB AX Device (GSLB Controller) ........................................................ 516
Configuration on Site AX Devices ............................................................................................. 526
Optional Failover Triggers ............................................................................................................ 556
VLAN-based Failover ................................................................................................................ 556
Gateway-based Failover ........................................................................................................... 556
Route-based Failover ................................................................................................................ 557
Real Server or Port Health-based Failover ............................................................................... 557
VIP-based Failover .................................................................................................................... 558
How the Active AX Device Is Selected ......................................................................................... 559
HA Pre-Emption ............................................................................................................................ 562
HA Sets ......................................................................................................................................... 563
HA Configuration Parameters ....................................................................................................... 564
HA Status Indicators .......................................................................................................................... 571
In the GUI .................................................................................................................................. 571
In the CLI ................................................................................................................................... 571
Configuring Layer 3 HA...................................................................................................................... 572
Configuring Layer 2 HA (Inline Mode) .............................................................................................. 582
Layer 2 Inline HA Configuration Example ..................................................................................... 582
Configuring Layer 3 HA (Inline Mode) .............................................................................................. 590
Layer 3 Inline HA Configuration Example ..................................................................................... 591
Configuring Optional Failover Triggers............................................................................................ 596
VLAN-Based Failover Example .................................................................................................... 596
Gateway-Based Failover Example ............................................................................................... 597
Route-Based Failover Example .................................................................................................... 599
VIP-Based Failover Example ........................................................................................................ 601
Forcing Active Groups to Change to Standby Status..................................................................... 603
Enabling Session Synchronization................................................................................................... 603
Configuring OSPF-Related HA Parameters...................................................................................... 605
OSPF Awareness of HA ............................................................................................................... 605
OSPF Support on Standby AX in Layer 3 Inline Mode ................................................................. 606
Synchronizing Configuration Information........................................................................................ 606
Configuration Items That Are Backed Up ..................................................................................... 607
Configuration Items That Are Not Backed Up ........................................................................... 608
Performing HA Synchronization .................................................................................................... 610
Tip for Ensuring Fast HA Failover..................................................................................................... 612
Bind the Class List for Use with LSN ........................................................................................... 669
Enable Inside NAT on the Interface Connected to Internal Clients .............................................. 669
Enable Outside NAT on the Interface Connected to the Internet ................................................. 669
Enable New-path Processing ....................................................................................................... 669
Optional Configuration .................................................................................................................. 670
Configuring Static Mappings ..................................................................................................... 670
Enabling Full-Cone Support for Well-Known Ports ................................................................... 670
Configuring External Logging for LSN Traffic Logs ................................................................... 671
Configure the IP Selection Method ............................................................................................ 673
Configuring the LSN SYN Timeout ............................................................................................ 673
Displaying LSN Information............................................................................................................... 674
Clearing LSN Statistics and Sessions .......................................................................................... 674
Configuration Example ...................................................................................................................... 675
Configuring Windows IAS for AX RADIUS Authentication ........................................................... 708
Procedure Overview .................................................................................................................. 709
Configure Access Groups ......................................................................................................... 709
Configure RADIUS Client for AX Device ................................................................................... 710
Configure Remote Access Policies ........................................................................................... 712
Add AD Users to AX Access Groups ........................................................................................ 722
Register the IAS Server in Active Directory .............................................................................. 723
Configure RADIUS in the AX Device ........................................................................................ 724
Test the Configuration ............................................................................................................... 724
Using an ACL to Control Management Access ............................................................................ 758
Using an ACL for NAT .................................................................................................................. 758
Resequencing ACL Rules ............................................................................................................. 758
Policy-Based SLB (PBSLB) ............................................................................................................... 761
Configuring a Black/White List ...................................................................................................... 761
Dynamic Black/White-list Client Entries .................................................................................... 762
Configuring System-Wide PBSLB ................................................................................................ 764
Configuring PBSLB for Individual Virtual Ports ............................................................................. 766
Displaying PBSLB Information .................................................................................................. 774
Configuration Example—Sockstress Attack Protection ................................................................ 776
Geo-location-based Access Control for VIPs .................................................................................. 778
Configuration ............................................................................................................................. 779
Enabling PBSLB Statistics Counter Sharing ............................................................................. 784
Enabling Full-Domain Checking for Connection Limits ............................................................. 785
IP Limiting 787
Overview.............................................................................................................................................. 787
Class Lists .................................................................................................................................... 787
Class List Syntax ....................................................................................................................... 788
IP Address Matching ................................................................................................................. 788
Example Class Lists .................................................................................................................. 789
IP Limiting Rules ........................................................................................................................... 789
Match IP Address ...................................................................................................................... 790
Configuring Source IP Limiting......................................................................................................... 791
Configuring a Class List ................................................................................................................ 791
Configuring the IP Limiting Rules ................................................................................................. 795
Applying Source IP Limits ............................................................................................................. 798
Displaying IP Limiting Information ................................................................................................ 800
CLI Examples—Configuration ...................................................................................................... 801
Configure System-Wide IP Limiting With a Single Class .......................................................... 801
Configure System-Wide IP Limiting With Multiple Classes ....................................................... 801
Configure IP Limiting on a Virtual Server .................................................................................. 802
Configure IP Limiting on a Virtual Port ...................................................................................... 803
CLI Examples—Display ................................................................................................................ 803
Class Lists ................................................................................................................................. 803
IP Limiting Rules ....................................................................................................................... 805
IP Limiting Statistics .................................................................................................................. 806
Global SLB Parameters...................................................................................................................... 868
Real Server Parameters ..................................................................................................................... 874
Real Service Port Parameters............................................................................................................ 877
Service Group Parameters................................................................................................................. 879
Virtual Server Parameters.................................................................................................................. 884
Virtual Service Port Parameters ........................................................................................................ 887
Binding an SSL Template to a VIP ............................................................................................... 936
Converting Certificates and CRLs to PEM Format...........................................................................936
Converting SSL Certificates to PEM Format ................................................................................ 937
Converting CRLs from DER to PEM Format ................................................................................ 938
Using the Management Interface as the Source for Management Traffic 939
Route Tables ........................................................................................................................................939
Management Routing Options ...........................................................................................................940
Enabling Use of the Management Interface as the Source for Automated Management Traffic ........... 941
Using the Management Interface as the Source Interface for Manually Generated Management Traffic ........... 942
Commands at the User EXEC Level ......................................................................................... 942
Commands at the Privileged EXEC Level ................................................................................. 942
Commands at the Global Configuration Level .......................................................................... 942
Show Commands ...................................................................................................................... 943
System Overview
This chapter provides a brief overview of the AX Series system and features. For more information, see the other chapters in this guide.
AX Series Features
Key features of the AX Series include:
• Application Delivery Features
• Comprehensive IPv4/IPv6 Support
• Transparent (Layer 2) and gateway (Layer 3) mode support for
easy deployment into existing infrastructures
• Network Address Translation (NAT) – IPv4-IPv4, IPv4-IPv6,
IPv6-IPv4, IPv6-IPv6, ALG support for PPTP, Large-Scale NAT
(LSN)
• OSPFv2 for IPv4, OSPFv3 for IPv6
• IPv4/IPv6 static routes
• DHCP relay
• Advanced Layer 4/7 Server Load Balancing
• Fast TCP, fast UDP, fast HTTP, and full HTTP Proxy
• Comprehensive protocol support: HTTP, HTTPS, FTP, TCP,
UDP, SSL, SIP, SMTP, and others
• Comprehensive load-balancing methods – weight-based, connection-based, request-based, and response-based methods, as well as simple round robin
• Protocol translation – support for mixed IPv4/IPv6 environments
• Advanced health monitoring
• Customizable configuration templates
• RAM caching of web content
• Firewall Load Balancing (FWLB)
• Global Server Load Balancing (GSLB)
• Transparent Cache Switching (TCS)
• High Availability (HA)
• Active-Active, Active-Standby, and Layer 2/3 inline mode configurations with sub-second failover
• Layer 4 session synchronization
• Configuration synchronization
• Acceleration and Security
• SSL acceleration and offload
• Traffic security
• Management access security – Local admin database and support
for optional remote RADIUS or TACACS+ AAA
• Spam filter support (Policy-Based SLB) – High-speed application of very large black/white lists that filter based on source or destination IP host or subnet address
• DoS attack detection and prevention
• Access Control Lists (ACLs)
• System Management
• Dedicated management interface
• Multiple access methods – SSH, Telnet, HTTPS
• Web-based Graphical User Interface (GUI) with language localization
• Industry-standard Command Line Interface (CLI) support
• On-demand backup of configuration files, logs, and system files
• SNMP, syslog, alerting
• Virtualized Management, provided by Role-Based Administration
(RBA)
• Troubleshooting tools
• Port mirroring
• Debug subsystem for packet capture
ACOS Architecture
AX Series devices use the embedded Advanced Core Operating System (ACOS) architecture. ACOS is built on top of a set of Symmetric Multi-Processing CPUs and uses a shared memory architecture to maximize application data delivery.
AX Software Processes
The AX software performs its many tasks using the following processes:
• a10mon – Parent process of the AX device. This process is executed when the system comes up. The a10mon process is responsible for the following:
• Bringing AX user-space processes up and down
• Monitoring all its child processes, and restarting a process and all dependent processes if any of them die
• syslogd – System logger daemon that logs kernel and system events.
• a10stat – Monitors the status of all the main processes of the AX device,
such as a10switch (on models AX2200 and higher) and a10lb.
The a10stat process probes every thread within these processes to ensure
that they are responsive. If a thread is deemed unhealthy, a10stat kills
the process, after which a10mon restarts the process and other processes
associated with it.
• a10switch – Contains libraries and APIs to program the Switching ASIC
to perform Layer 2 and Layer 3 switching at wire speed.
• a10hm – Performs health-checking for real servers and services. This
process sends pre-configured requests to external servers at pre-defined
intervals. If a server or individual service does not respond, it is marked
down. Once the server or service starts responding again, it is marked
up.
• a10rt – Routing daemon, which maintains the routing table with routes
injected from OSPF, as well as static routes.
• a10rip – Implements RIPv1 and v2 routing protocols.
• a10lb – The heart of the AX device. This process contains all the intelligence to perform Server Load Balancing.
• rimacli – This process is automatically invoked when an admin logs into
the AX device through an interface address. The admin is presented a
Command Line Interface (CLI) that can issue and save commands to
configure the system.
AX devices use local storage for application files and for data objects used for monitoring. The amount of storage used for these types of data depends on the AX model and on how the devices are used. On average, the following amounts of storage are used for these types of data on 64-bit ACOS models:
• AX 2500, AX 2600 – 15 Gigabytes (G) or less
• AX 3000 – 20 G or less
Monitoring data includes objects for CPU, disk, memory, global statistics,
port statistics, and 30-day SLB statistics. The 30-day SLB statistics include
objects for real servers, virtual servers, real ports, virtual ports, server
groups, service groups, and service-group members.
The 30-day SLB statistics use the most storage among the monitoring
objects. For the maximum configuration, the 30-day SLB statistics can use
the following amounts of storage on 64-bit ACOS models:
• AX 2500, AX 2600 – 3 G or less
• AX 3000 – 9 G or less
Hardware Interfaces
• 1000BaseT (GOC) + SFP Mini GBIC Fiber Ports
• On models AX 3100, AX 3200, AX 5100, and AX 5200, 10G XFP-SR (short range) single-mode fiber port or XFP-LR (long range) multi-mode fiber port, depending on order
• Management Ethernet Port
• RJ-45 Console Port
Generally, the fiber ports do not require any configuration other than IP
interface(s). When you plug in a port, the port speed and mode (full-duplex
or half-duplex) are automatically negotiated with the other end of the link.
Software Interfaces
• Graphical User Interface (GUI)
• Command Line Interface (CLI) accessible using console, Telnet, or
Secure Shell (v1 and v2)
• Simple Network Management Protocol (SNMP) v1, v2c, and v3
• XML Application Programming Interface (aXAPI)
Server Load Balancing
You can easily grow server farms in response to changing traffic flow, while protecting the servers behind a common virtual IP address. From the perspective of a client who accesses services, requests go to and arrive from a single IP address. The client is unaware that the server is in fact multiple servers managed by an AX device. The client simply receives faster, more reliable service.
Moreover, you do not need to wait for DNS entries to propagate for new
servers. To add a new server, you simply add it to the AX configuration for
the virtual server, and the new real server becomes accessible immediately.
Configuration Templates
SLB configuration is simplified by templates, which let you configure common settings once and use them in multiple service configurations. The AX device provides templates to control server and port configuration parameters, connectivity parameters, and application parameters.
The AX device provides the following types of server and port configuration templates:
• Server – Controls parameters for real servers
• TCP – Controls the idle timeout for unused sessions and specifies
whether the AX device sends TCP Resets to clients or servers after a
session times out
• UDP – Controls the idle timeout for unused sessions and specifies how
quickly sessions are terminated after a server response is received
• Policy – Uses Policy-based SLB (PBSLB) to permit or deny clients, or
direct them to service groups, based on client black/white lists
• Cache – Caches web content on the AX device to enhance website performance for clients
• Client SSL – Offloads SSL validation tasks from real servers
• “STARTTLS for Secure SMTP” on page 245
For descriptions of all the parameters you can control using templates, see “Server and Port Templates” on page 361 and “Service Template Parameters” on page 829.
Where Do I Start?
• To configure basic system settings, see “Basic Setup” on page 39.
Basic Setup
This chapter describes how to log onto the AX device and how to configure
the following basic system parameters:
• Hostname and other Domain Name Server (DNS) settings
• Date/time settings
After you are through with this chapter, go to “Network Setup” on page 73.
Note: The only basic parameters that you are required to configure are date/time
settings. Configuring the other parameters is optional.
Note: This chapter does not describe how to access the out-of-band management interface. For that information, see the AX Series Advanced Traffic Manager Installation Guide.
Logging On
AX Series devices provide the following management interfaces:
• Command-Line Interface (CLI) – Text-based interface in which you
type commands on a command line. You can access the CLI directly
through the serial console or over the network using either of the
following protocols:
• Secure protocol – Secure Shell (SSH) version 1 or version 2
• Unsecure protocol – Telnet (if enabled)
• Secure protocol – Hypertext Transfer Protocol over Secure Socket
Layer (HTTPS)
• Unsecure protocol – Hypertext Transfer Protocol (HTTP)
Note: By default, Telnet access is disabled on all interfaces, including the management interface. SSH, HTTP, HTTPS, and SNMP access are enabled by default on the management interface only, and disabled by default on all data interfaces.
2. Generally, if this is the first time the SSH client has accessed the AX device, the SSH client displays a security warning. Read the warning carefully, then acknowledge the warning to complete the connection. (Press Enter.)
3. At the login as: prompt, enter the admin username.
Note: The “AX” in the CLI prompt is the hostname configured on the device,
which is “AX” by default. If the hostname has already been changed, the
new hostname appears in the prompt instead of “AX”.
5. To access the Privileged EXEC level of the CLI and allow access to all
configuration levels, enter the enable command.
At the Password: prompt, enter the enable password. (This is not the
same as the admin password, although it is possible to configure the
same value for both passwords.)
If the enable password is correct, the command prompt for the Privileged EXEC level of the CLI appears: AX#
6. To access the global configuration level, enter the config command. The
following command prompt appears: AX(config)#
3. If the browser displays a certificate warning, select the option to continue to the server (the AX device).
A login dialog is displayed. The name and appearance of the dialog
depends on the browser you are using.
Note: The default admin username and password are “admin”, “a10”.
The Summary page appears, showing at-a-glance information for your
AX device.
You can access this page again at any time while using the GUI, by
selecting Monitor > Overview > Summary.
FIGURE 4 Monitor > Overview > Summary
Note: For more information about the GUI, see the AX Series GUI Reference or
the GUI online help.
Note: If you plan to use the GUI, the Basic System page under Config Mode
also provides configuration access to most of the system parameters
described in this chapter. For information, navigate to Config Mode >
Basic System, then click Help.
2. In the Hostname field, edit the name to one that will uniquely identify
this particular AX device (for example, “AX-SLB1”).
3. In the DNS Suffix field, enter the domain name to which the host
(AX Series) belongs.
4. In the Primary DNS field, enter the IP address of the external DNS
server the AX Series should use for resolving DNS queries.
6. Click OK.
3. To set the default domain name (DNS suffix) for hostnames on the AX
device, use the following command:
ip dns suffix string
4. To specify the DNS servers the AX should use for resolving DNS
requests, use the following command:
ip dns {primary | secondary} ipaddr
The primary option specifies the DNS server the AX device should
always try to use first. The secondary option specifies the DNS server
that the AX device should use if the primary DNS server is unavailable.
If you configure a banner message that occupies multiple lines, you must specify the end marker that indicates the end of the last line. The end marker is a simple string up to 2 characters long, each of which must be an ASCII character in the range 0x21-0x7e.
The multi-line banner text starts from the first line and ends at the marker. If
the end marker is on a new line by itself, the last line of the banner text will
be empty. If you do not want the last line to be empty, put the end marker at
the end of the last non-empty line.
3. To configure a banner:
a. Select the banner type, single-line or multi-line.
b. If you selected multi-line, enter the delimiter value in the End
Marker field.
c. Enter the message in the Login Banner or Exec Banner field.
If the message is a multi-line message, press Enter / Return at the end of every line. Do not type the end marker at the end of the message. The GUI automatically places the end marker at the end of the message text in the configuration.
4. If you are configuring both messages, repeat step 3 for the other message.
5. Click OK.
The login option changes the first banner, which is displayed after you enter
the admin username. The exec option changes the second banner, which is
displayed after you enter the admin password.
To use blank spaces within the banner, enclose the entire banner string with
double quotation marks.
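The end-marker rules above have two edge cases that are easy to get wrong when banners are generated by a provisioning script: the marker must be one or two printable ASCII characters, and a marker on its own line yields an empty last banner line whereas a marker appended to the last non-empty line does not. The following Python model is an added example, not code from the A10 guide; it mirrors the stated rules so a script can validate a banner before pushing it. Treating text after the marker as outside the banner is an assumption.

```python
"""Model of the AX multi-line banner end-marker rules.

Added example, not code from the A10 guide. It models the two rules the
text states: the end marker is a 1- or 2-character string of printable
ASCII (0x21-0x7e), and a multi-line banner ends at the line carrying the
marker. A marker alone on a line leaves the last banner line empty; a
marker at the end of the last non-empty line does not. Text typed after
the marker is treated as not part of the banner (an assumption).
"""
from __future__ import annotations


def is_valid_end_marker(marker: str) -> bool:
    """True if the marker is 1-2 characters, each in ASCII 0x21-0x7e."""
    if not 1 <= len(marker) <= 2:
        return False
    return all(0x21 <= ord(ch) <= 0x7E for ch in marker)


def parse_multiline_banner(marker: str, raw: str) -> list[str]:
    """Split the raw text an admin types into banner lines, stopping at the marker.

    Raises ValueError if the marker is invalid or never appears, which is
    the case where the CLI would keep waiting for more input.
    """
    if not is_valid_end_marker(marker):
        raise ValueError(f"invalid end marker {marker!r}: use 1-2 printable ASCII characters")
    lines: list[str] = []
    for line in raw.split("\n"):
        if line == marker:
            # Marker on a line by itself: the last banner line is empty.
            lines.append("")
            return lines
        if line.endswith(marker):
            # Marker terminating the last non-empty line: strip it, keep the text.
            lines.append(line[: -len(marker)])
            return lines
        lines.append(line)
    raise ValueError("end marker not found; the banner would never terminate")


if __name__ == "__main__":
    # Constructed sample banner, typed with the marker "##" on its own line.
    typed = "Authorized use only.\nAll sessions are logged.\n##"
    print(parse_multiline_banner("##", typed))
```

The space character (0x20) is deliberately outside the allowed range, so a marker containing a space is rejected; that is also why the text tells you to quote the whole banner string when it contains blanks.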
• Set the system time and date manually or configure the AX device to use
a Network Time Protocol (NTP) server.
Note: You do not need to configure Daylight Savings Time. The AX device
automatically adjusts the time for Daylight Savings Time based on the
timezone you select.
Note: When you change the AX timezone or system time, the statistical database is cleared. This database contains general system statistics (performance, and CPU, memory, and disk utilization) and SLB statistics. For example, in the GUI, the graphs displayed on the Monitor > Overview page are cleared.
3. Click OK.
Enter the following command at the global configuration level of the CLI:
clock timezone timezone [nodst]
The nodst option disables Daylight Savings Time (DST) for the zone. DST
is enabled by default, if applicable to the timezone.
To configure the AX device to use NTP
1. To specify the NTP server to use, enter the following command at the
global configuration level of the CLI:
ntp server {hostname | ipaddr} [minutes]
The minutes option sets the synchronization interval, which specifies
how often the AX polls the NTP server for updated time information.
You can specify 1-518400 minutes. The default is 1440 minutes.
You can configure a maximum of 4 NTP servers.
2. To enable NTP and synchronize the AX clock with the NTP server,
enter the following command:
ntp enable
2. Enter the following command at the Privileged EXEC level of the CLI:
clock set time day month year
Enter the time and date in the following format:
time – hh:mm:ss
day – 1-31
month – January, February, March, ...
year – 2008, 2009 ...
Note: The clock is based on 24 hours. For example, for 1 p.m., enter the hour as
“13”.
• External Syslog server
• Email address(es)
Logging to the local buffer and to CLI sessions is enabled by default. Logging to other places requires additional configuration. The standard Syslog message severity levels are supported:
• Emergency – 0
• Alert – 1
• Critical – 2
• Error – 3
• Warning – 4
• Notification – 5
• Information – 6
• Debugging – 7
TABLE 2 Configurable System Log Settings (Continued)

Parameter: Facility
Description: Standard Syslog facility to use.
Supported Values: Standard Syslog facilities listed in RFC 3164.

Parameter: Log Buffer Entries
Description: Maximum number of log entries the log buffer can store.
Supported Values: 10000 to 50000 entries. Default: 30000

Parameter: Log Server
Description: IP addresses or fully-qualified domain names of external log servers. Only the message levels for which Syslog is selected in the Disposition list are sent to log servers.
Note: By default, the AX device can reach remote log servers only if they are reachable through the AX device’s data ports, not the management port. To enable the AX device to reach remote log servers through the management port, see “Using the Management Interface as the Source for Management Traffic” on page 939.
Supported Values: Any valid IP address or fully-qualified domain name. Default: None configured

Parameter: Log Server Port
Description: Protocol port to which log messages sent to external log servers are addressed.
Supported Values: Any valid protocol port number. Default: 514

Parameter: Email To
Description: Email addresses to which to send log messages. Only the message levels for which Email is selected in the Disposition list are sent to log servers.
Supported Values: Valid email address. Click the down arrow next to the input field to add another address (up to 10). Each email address can be a maximum of 31 characters long.

Parameter: SMTP Server
Description: IP address or fully-qualified domain name of an email server using Simple Message Transfer Protocol.
Note: By default, the AX device can reach SMTP servers only if they are reachable through the AX device’s data ports, not the management port. To enable the AX device to reach SMTP servers through the management port, see “Using the Management Interface as the Source for Management Traffic” on page 939.
Supported Values: Any valid IP address or fully-qualified domain name. Default: None configured

Parameter: SMTP Server Port
Description: Protocol port to which email messages sent to the SMTP server are addressed.
Supported Values: Any valid protocol port number. Default: 25
The rate limit for external logging is 15,000 messages per second from the
AX device.
The rate limit for internal logging is 32 messages per second from the AX
device.
• If the number of new messages within a one-second interval exceeds 32,
then during the next one-second interval, the AX sends log messages
only to the external log servers.
• If the number of new messages generated within the new one-second
interval is 32 or less, then during the following one-second interval, the
AX will again send messages to the local logging buffer as well as the
external log server. In any case, all messages (up to 15,000 per second)
get sent to the external log servers.
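The practical consequence of the two rate limits is that the local log buffer has blind spots: a burst above 32 messages in one second silences local delivery for the whole following second, even if that second is quiet, while external servers keep receiving everything up to 15,000 per second. The simulation below is an added example written for this guide's description, not A10 code; it replays a constructed sequence of per-second message counts and reports which seconds never reach the local buffer. Two details the guide does not state are assumptions: local delivery starts enabled, and within one interval the caps are applied as a plain cut-off (min(count, limit)).

```python
"""Simulation of the AX internal/external log rate-limit rule.

Added example, not code from the A10 guide. It models the rule stated
in the text: the external syslog path is limited to 15,000 messages per
second and the local buffer to 32 per second; when a one-second interval
produces more than 32 messages, the next interval is delivered only to
external log servers, and local delivery resumes in the interval after
one that produced 32 or fewer. Assumptions not stated by the guide:
local delivery is enabled in the very first interval, and within an
interval each cap is a simple cut-off (min(count, limit)).
"""
from __future__ import annotations

INTERNAL_LIMIT = 32        # messages/second to the local buffer
EXTERNAL_LIMIT = 15_000    # messages/second to external log servers


def simulate_log_delivery(per_second_counts: list[int]) -> list[tuple[int, int, int]]:
    """Return (generated, delivered_locally, delivered_externally) for each interval."""
    local_enabled = True  # assumption: the first interval starts with local logging on
    delivered: list[tuple[int, int, int]] = []
    for count in per_second_counts:
        to_external = min(count, EXTERNAL_LIMIT)
        to_local = min(count, INTERNAL_LIMIT) if local_enabled else 0
        delivered.append((count, to_local, to_external))
        # The verdict for the next interval is based on this interval's count.
        local_enabled = count <= INTERNAL_LIMIT
    return delivered


def local_blind_spots(per_second_counts: list[int]) -> list[int]:
    """Indices of intervals whose messages reached external servers but not the local buffer.

    These are the seconds an operator reading only the on-box log would
    never see, which is why the external syslog record is the one to
    trust when reconstructing a burst.
    """
    return [
        i
        for i, (count, to_local, to_external) in enumerate(simulate_log_delivery(per_second_counts))
        if count > 0 and to_local == 0 and to_external > 0
    ]


if __name__ == "__main__":
    # Constructed sample: a quiet second, a burst, recovery, a second burst,
    # then a flood that also exceeds the external limit.
    sample = [10, 100, 5, 40, 20_000]
    for second, (generated, local, external) in enumerate(simulate_log_delivery(sample)):
        print(f"t={second}s generated={generated:>6} local={local:>3} external={external:>6}")
    print("intervals missing from the local buffer:", local_blind_spots(sample))
```

Note that the second after a burst loses its local copy regardless of how few messages it produces (the 5-message interval in the sample), so an event that happens to follow a noisy second is only recoverable from the external log servers.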
4. Click OK.
2. To change the severity level of messages that are logged in other places,
use the following command:
logging target severity-level
The target can be one of the following:
• console – Serial console
• email – Email
• monitor – Telnet and SSH sessions
• syslog – external Syslog host
• trap – external SNMP trap host
Note: Only severity levels emergency, alert, critical, and notification can be sent by email. Sending log messages by email requires additional configuration. See “Emailing Log Messages” on page 66.
3. To configure the AX device to send log messages to an external Syslog server, use the following command to specify the server:
logging host ipaddr [ipaddr...] [port protocol-port]
You can enter more than one server IP address on the same command line. The default protocol port is 514. You can specify only one protocol port with the command, so all servers must listen for syslog messages on the same port.
Each time you enter the logging host command, it replaces the set of servers and the syslog port configured by the previous logging host command. If you add some log servers and later need to add another one, you must enter all server IP addresses again in the new command.
4. To configure the AX device to send log messages by email, use the following commands to specify the email server and the email addresses:
smtp {hostname | ipaddr} [port protocol-port]
The port option specifies the protocol port to which to send email. The default is 25.
logging email-address address [...]
To enter more than one address, use a space between each address.
Enabling SNMP
AX devices support the following SNMP versions: v1, v2c, v3. SNMP is
disabled by default.
You can configure the AX device to send SNMP traps to the Syslog and to
external trap receivers. You also can configure read (GET) access to SNMP
Management Information Base (MIB) objects on the AX device by external
SNMP managers.
• RFC 2576, Coexistence between Version 1, Version 2, and Version 3 of
the Internet-standard Network Management Framework
• RFC 2790, Host Resources MIB – The following subtrees are supported:
• hrSystem: .1.3.6.1.2.1.25.1
• hrStorage: .1.3.6.1.2.1.25.2
• hrDeviceTable: .1.3.6.1.2.1.25.3.2
• hrProcessorTable: .1.3.6.1.2.1.25.3.3
SNMP Traps
Table 3 lists the SNMP traps supported by the AX device. All traps are disabled by default.
TABLE 3 AX SNMP Traps
Trap Category: System
• Start – Indicates that the AX device has started.
• Shutdown – Indicates that the AX device has shut down.
• Restart – Indicates that the AX device is going to reboot or reload.
• Control CPU utilization – Indicates that the control CPU utilization is higher than 90%.*
• Data CPU utilization – Indicates that data CPU utilization is higher than 90%.*
• High Temperature – Indicates that the temperature inside the AX chassis is too high (68 C or higher).* If you see this trap, check for fan failure traps. Also check the installation location to ensure that the chassis room temperature is not too high (40 C or higher) and that the chassis is receiving adequate air flow.
• Fan Failure – Indicates that a system fan has failed. Contact A10 Networks.
• Power Supply Failure – Indicates that a power supply has failed. Contact A10 Networks.
• Primary Hard Disk – Indicates that the primary Hard Disk has failed or the RAID system has failed. Contact A10 Networks. In dual-disk models, the primary Hard Disk is the one on the left, as you are facing the front of the AX chassis.
• Secondary Hard Disk – Indicates that the secondary Hard Disk has failed or the RAID system has failed. Contact A10 Networks. The secondary Hard Disk is the one on the right, as you are facing the front of the AX chassis. Note: This trap does not apply to the following models: AX 2500, AX 2600, AX 3000, AX 5100, or AX 5200.
• High Disk Usage – Indicates that hard disk usage on the AX device is high (85% or higher).*
• High Memory Usage – Indicates that the memory usage on the AX device is high (95% or higher).*
• Packet Buffer drop – Indicates that the AX device is dropping too many packets (100 or more during a 10-second interval).*
Trap Category: Network
• Trunk Ports Threshold – Indicates that the trunk ports threshold feature has disabled trunk members because the number of up ports in the trunk has fallen below the configured threshold.
Trap Category: High Availability (HA)
• Active – Indicates that the AX device is going from HA Standby mode to Active mode.
• Standby – Indicates that the AX device is going from HA Active mode to Standby mode.
• Active-Active – Indicates that an Active-Active HA configuration has been enabled.
Trap Category: Server Load Balancing (SLB)
• Server Up – Indicates that an SLB server has come up.
• Server Down – Indicates that an SLB server has gone down.
• Service Up – Indicates that an SLB service has come up.
• Service Down – Indicates that an SLB service has gone down.
• Server Connection Limit – Indicates that an SLB server has reached its configured connection limit.
• Server Connection Resume – Indicates that an SLB server has reached its configured connection-resume value.
• Service Connection Limit – Indicates that an SLB service has reached its configured connection limit.
• Service Connection Resume – Indicates that an SLB service has reached its configured connection-resume value.
• Virtual Server Connection Limit – Indicates that the connection limit configured on a virtual server has been exceeded.
• Virtual Port Connection Limit – Indicates that the connection limit configured on a virtual port has been exceeded.
• Virtual Server Connection-Rate Limit – Indicates that the connection rate limit configured on a virtual server has been exceeded.
• Virtual Port Connection-Rate Limit – Indicates that the connection rate limit configured on a virtual port has been exceeded.
• Virtual Port Up – Indicates that an SLB virtual service port has come up. An SLB virtual server’s service port is up when at least one member (real server and real port) in the service group bound to the virtual port is up.
• Virtual Port Down – Indicates that an SLB virtual service port has gone down.
• Application Buffer Threshold – Indicates that the configured SLB application buffer threshold has been exceeded.*
* This threshold is configurable. To use the GUI, navigate to Config > System > Settings > General > Threshold. In the CLI, use the monitor command at the global configuration level.
Community strings are similar to passwords. You can minimize security risk by applying the same principles to selecting a community name as you would to selecting a password. Use a hard-to-guess string and avoid commonly used community names such as “public” or “private”. Because SNMP v1 and v2c send the community string in cleartext and provide no other authentication, also restrict which management hosts can reach the SNMP agent, and use SNMPv3 with authentication and encryption wherever your managers support it.
You also can restrict access to specific Object IDs (OIDs) within the MIB,
on an individual community basis. OIDs indicate the position of a set of
MIB objects in the global MIB tree. The OID for A10 Networks AX Series
objects is 1.3.6.1.4.1.22610.
SNMP Views
An SNMP view is like a filter that permits or denies access to a specific OID
or portions of an OID. You can configure SNMP user groups and individual
SNMP users, and allow or disallow them to read specific portions of the AX
MIBs using different views.
When you configure an SNMP user group or user, you specify the SNMP
version. SNMP v1 and v2c do not support authentication or encryption of
SNMP packets. SNMPv3 does. You can enable authentication, encryption,
or both, on an individual SNMP user-group basis when you configure the
groups. You can specify the authentication method and the password for
individual SNMP users when you configure the users.
You are not required to perform these configuration tasks in precisely this
order. The workflow in the GUI is slightly different from the workflow
shown here.
Note: By default, the AX device can reach remote logging and trap servers only if they are reachable through the AX device’s data ports, not the management port. To enable the AX device to reach remote logging and trap servers through the management port, see “Using the Management Interface as the Source for Management Traffic” on page 939.
USING THE GUI
f. Click Add to add the receiver.
g. Repeat step b through step f for each trap receiver.
6. Click OK.
Note: When there are unsaved configuration changes on the AX device, the
Save button flashes.
4. To configure views, groups, and users, use the following commands:
snmp-server view view-name oid [oid-mask]
{included | excluded}
snmp-server group group-name
{v1 | v2c | v3 {auth | noauth | priv}}
read view-name
snmp-server user username group groupname
{v1 | v2 | v3 [auth {md5 | sha} password
[encrypted]]}
5. To enable the SNMP agent and SNMP traps, use the following command:
snmp-server enable
[
traps [
snmp [trap-name] |
system [trap-name] |
network [trap-name] |
ha [trap-name] |
slb [trap-name]
]
]
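The view/group/user commands in step 4 implement view-based access control: each `snmp-server view` entry names a subtree, an optional mask, and whether the subtree is included or excluded, and a group's read view is the set of OIDs its users may GET. The following Python model is an added example, not A10 code or its MIB implementation. It applies the view rules of RFC 3415 (VACM), where the longest matching subtree entry decides and an OID matched by no entry is denied; the dotted 1/0 mask representation, the `SnmpView` class, and the tie-breaking on equal-length subtrees are this example's own assumptions, since this page does not spell out the AX mask format. Only OIDs that appear on this page (the A10 enterprise tree and the Host Resources subtrees) are used.

```python
"""Added example (not A10 code): view-based SNMP access checks."""
import re

A10_ENTERPRISE_OID = "1.3.6.1.4.1.22610"   # from the guide
HR_PROCESSOR_TABLE = "1.3.6.1.2.1.25.3.3"   # Host Resources, from the guide


def parse_oid(text):
    """'1.3.6.1.2.1.25.2' or '.1.3.6...' -> tuple of ints."""
    text = text.strip().lstrip(".")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"bad OID: {text!r}")
    return tuple(int(p) for p in text.split("."))


def parse_mask(mask, length):
    """'1.1.0.1' -> [True, True, False, True]. A 1 means the sub-identifier
    at that position must match, 0 is a wildcard. Missing trailing
    positions default to 1 (same convention as vacmViewTreeFamilyMask).
    The dotted 1/0 form is this example's own representation."""
    bits = [] if mask is None else [b == "1" for b in mask.split(".")]
    if len(bits) > length:
        raise ValueError("mask longer than subtree")
    return bits + [True] * (length - len(bits))


class SnmpView:
    """A named list of (subtree, mask, included) entries."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, oid, included, mask=None):
        subtree = parse_oid(oid)
        self.entries.append((subtree, parse_mask(mask, len(subtree)), included))
        return self

    def permits(self, oid):
        """True if the view grants access to this OID instance. Among the
        matching entries the longest subtree wins (RFC 3415 rule); the
        lexicographically greatest subtree breaks ties. No match: denied."""
        target = parse_oid(oid)
        best = None   # ((subtree length, subtree), included)
        for subtree, bits, included in self.entries:
            if len(target) < len(subtree):
                continue
            if all((not b) or t == s for t, s, b in zip(target, subtree, bits)):
                key = (len(subtree), subtree)
                if best is None or key > best[0]:
                    best = (key, included)
        return bool(best and best[1])


def build_read_only_view():
    """Least-privilege read view: A10 enterprise objects and Host Resources,
    minus hrProcessorTable. The exclude entry is longer than the include
    entry that contains it, so it wins inside that table."""
    return (SnmpView("ax-ro")
            .add(A10_ENTERPRISE_OID, included=True)
            .add("1.3.6.1.2.1.25", included=True)
            .add(HR_PROCESSOR_TABLE, included=False))


def build_single_row_view():
    """Mask use: every column of hrStorageEntry (1.3.6.1.2.1.25.2.3.1) but
    only the row with index 1. The 11th sub-identifier (the column) is
    wildcarded; the 12th (the row index) must equal 1."""
    return SnmpView("hrstorage-row1").add(
        "1.3.6.1.2.1.25.2.3.1.0.1", included=True,
        mask="1.1.1.1.1.1.1.1.1.1.0.1")


if __name__ == "__main__":
    view = build_read_only_view()
    for oid in ("1.3.6.1.4.1.22610.1.0", "1.3.6.1.2.1.25.1.1.0",
                "1.3.6.1.2.1.25.3.3.1.2.1", "1.3.6.1.2.1.1.1.0"):
        print(f"{view.name}: {oid} -> {'permit' if view.permits(oid) else 'deny'}")
```

When you build a restricted view on the AX device, test it the same way: walk an OID you expect to be denied as well as ones you expect to be permitted, because an exclude entry shorter than a later include entry is silently overridden by the longer match.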
Configuration Examples
The following examples show how to configure the system settings
described in this chapter.
GUI EXAMPLE
The following examples show the GUI screens used for configuration of the
basic system settings described in this chapter.
FIGURE 5 Config > Network > DNS > DNS
FIGURE 6 Config > System > Time > Date/Time
FIGURE 7 Config > System > Settings > Log
FIGURE 8 Config > System > SNMP
FIGURE 9 Config > System > SNMP > Trap List
CLI EXAMPLE
The following commands log onto the CLI, access the global configuration level, set the hostname, and configure the DNS settings:
login as: admin
Welcome to AX
Using keyboard-interactive authentication.
Password:********
Last login: Tue Jan 13 19:51:56 2009 from 192.168.1.144
AX>enable
Password:********
AX#config
AX(config)#hostname AX-SLB2
AX-SLB2(config)#ip dns suffix ourcorp
AX-SLB2(config)#ip dns primary 10.10.20.25
AX-SLB2(config)#ip dns secondary 192.168.1.25
The following examples set the login banner to “welcome to login mode”
and set the EXEC banner to “welcome to exec mode”:
AX-SLB2(config)#banner login “welcome to login mode”
AX-SLB2(config)#banner exec “welcome to exec mode”
The following commands configure the AX device to send system log messages to an external syslog server and to email Emergency messages to the system admins. In this example, the message levels sent to the external server are left at the default, Error (3) and above. By default, the same message levels are sent to the management terminal in CLI sessions. The message level emailed to admins is set to Emergency (0) messages only.
AX-SLB2(config)#logging host 192.168.10.10
AX-SLB2(config)#smtp ourmailsrvr
AX-SLB2(config)#logging email-address admin1@example.com admin2@example.com
AX-SLB2(config)#logging email 0
The following commands enable SNMP and all traps, configure the AX
device to send traps to an external trap receiver, and configure a community
string for use by external SNMP managers to read MIB data from the AX
device.
AX-SLB2(config)#snmp-server location ourcorp-HQ
AX-SLB2(config)#snmp-server contact Me_admin1
AX-SLB2(config)#snmp-server enable trap
AX-SLB2(config)#snmp-server community read ourcorpsnmp
AX-SLB2(config)#snmp-server host 192.168.10.11 ourcorpsnmp
Emailing Log Messages
can be a simple text string or a more complex expression using standard regular expression logic. If you do not specify a regular expression, messages with any text match the filter and can be emailed.
• Operators – Set of Boolean operators (AND, OR, NOT) that specify how the conditions should be compared. (See “Boolean Operators” on page 67.)
• Trigger option – Specifies whether to buffer matching messages or send
them immediately.
Boolean Operators
A logging email filter consists of a set of conditions joined by Boolean
expressions (AND / OR / NOT).
After listing all the conditions, specify the Boolean operator(s). The following operators are supported:
• AND – All conditions must match in order for a log message to be
emailed.
• OR – Any one or more of the conditions must match in order for a log
message to be emailed.
• NOT – A log message is emailed only if it does not match the conditions.
(For more information about Reverse Polish Notation, see the following link: http://en.wikipedia.org/wiki/Reverse_Polish_notation.)
3. In the Logging Email Filter section, click Add. A configuration page for
the filter appears.
6. Construct the rest of the filter by selecting the conditions.
Note: The conditions must be selected in the order described here. Otherwise,
the filter will be invalid. If you accidentally configure an invalid filter,
you can click Clear to remove the filter conditions and start again.
a. Select the message severity level from the Level drop-down list, and
click Add. To add more severity levels, repeat this step for each
severity level.
b. Optionally, select a software module from the Module drop-down
list, and click Add. To add more modules, repeat this step for each
module.
c. Optionally, enter a regular expression in the Pattern field to specify
message text to match on, and click Add.
d. Select the operator from the Operator drop-down list, and click Add.
7. Click OK. The new filter appears in the Logging Email Filter section on
the Log page.
FIGURE 11 Config > System > Settings > Log - Add (Logging Email Filter
section)
FIGURE 12 Config > System > Settings > Log (Logging Email Filter added)
This command configures message buffering. The number option specifies the maximum number of messages to buffer. You can specify 16-256. The default is 50. The time option specifies how long to wait before sending all buffered messages, if the buffer contains fewer than the maximum allowed number of messages. You can specify 10-1440 minutes. The default is 10. Whenever an email is triggered, the email will contain all buffered log messages.
The filter-num option specifies the filter number, and can be 1-8.
The operators are a set of Boolean operators (AND, OR, NOT) that specify
how the conditions should be compared. (See “Filter Syntax” below.)
Considerations
• You can configure up to 8 filters. The filters are used in numerical order,
starting with filter 1. When a message matches a filter, the message will
be emailed based on the buffer settings. No additional filters are used to
examine the message.
• A maximum of 8 conditions are supported in a filter.
• The total number of conditions plus the number of Boolean operators
supported in a filter is 16.
• For backward compatibility, the following syntax from previous releases
is still supported:
logging email severity-level
The severity-level can be one or more of the following: 0, 1, 2, 5, emergency, alert, critical, notification.
The command is treated as a special filter. This filter is placed into effect
only if the command syntax shown above is in the configuration. The
filter has an implicit trigger option for emergency, alert, and critical
messages, to emulate the behavior in previous releases.
CLI Example
The following command configures the AX device to buffer log messages
to be emailed. Messages will be emailed only when the buffer reaches 32
messages, or 30 minutes passes since the previous log message email,
whichever happens first.
AX(config)#logging email buffer number 32 time 30
The following command resets the buffer settings to their default values.
AX(config)#no logging email buffer number time
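The filter and buffer rules spread over this section (conditions listed first, then Boolean operators in Reverse Polish Notation; at most 8 filters, 8 conditions per filter and 16 conditions plus operators; filters tried in numerical order with the first match deciding; buffer number 16-256 and time 10-1440 minutes; the trigger option sending immediately) are easy to get wrong, and the GUI simply reports such a filter as invalid. The following Python model is an added example, not A10 code. It evaluates an explicit postfix token list per filter and rejects filters whose operators do not reduce to a single result; how the AX internally pairs the condition list with the operator list is not spelled out on this page, so the token order, the dummy-message validation, and the assumption that the buffer timer restarts from the last email sent are this example's own. The message fields, filter names and sample log lines are constructed.

```python
"""Added example (not A10 code): logging email filters and buffering."""
import re
from collections import namedtuple

Message = namedtuple("Message", "level module text")   # constructed shape
OPERATORS = {"AND", "OR", "NOT"}


class EmailFilter:
    """Postfix (RPN) token list of ("level", n), ("module", name) and
    ("pattern", regex) conditions plus "AND" / "OR" / "NOT" operators."""

    def __init__(self, number, tokens, trigger=False):
        if not 1 <= number <= 8:
            raise ValueError("filter number must be 1-8")
        self.number, self.trigger, self.tokens = number, trigger, []
        for t in tokens:
            if isinstance(t, tuple) and t[0] in ("level", "module"):
                self.tokens.append(t)
            elif isinstance(t, tuple) and t[0] == "pattern":
                self.tokens.append(("pattern", re.compile(t[1])))
            elif isinstance(t, str) and t.upper() in OPERATORS:
                self.tokens.append(t.upper())
            else:
                raise ValueError(f"bad token {t!r}")
        conditions = sum(isinstance(t, tuple) for t in self.tokens)
        if conditions > 8 or len(self.tokens) > 16:
            raise ValueError("max 8 conditions, 16 conditions + operators")
        try:                              # dry run on a dummy message
            depth = len(self._eval(Message(7, "", "")))
        except IndexError:                # an operator ran out of operands
            depth = 0
        if depth != 1:
            raise ValueError("operators do not reduce to a single result")

    def _eval(self, msg):
        stack = []
        for t in self.tokens:
            if isinstance(t, tuple):
                kind, value = t
                stack.append(msg.level == value if kind == "level" else
                             msg.module == value if kind == "module" else
                             value.search(msg.text) is not None)
            elif t == "NOT":
                stack.append(not stack.pop())
            else:
                b, a = stack.pop(), stack.pop()
                stack.append((a and b) if t == "AND" else (a or b))
        return stack

    def matches(self, msg):
        return self._eval(msg)[0]


def is_valid_filter(tokens):
    try:
        return bool(EmailFilter(1, tokens))
    except ValueError:
        return False


class EmailLogger:
    """Filters apply in numerical order; the first match buffers the message,
    or emails at once when that filter carries the trigger option."""

    def __init__(self, filters, number=50, time=10):
        if not 16 <= number <= 256 or not 10 <= time <= 1440:
            raise ValueError("buffer number 16-256, time 10-1440 minutes")
        if len(filters) > 8:
            raise ValueError("at most 8 filters")
        self.filters = sorted(filters, key=lambda f: f.number)
        self.number, self.time = number, time
        self.buffer, self.deadline = [], None

    def _flush(self, now):
        email, self.buffer = self.buffer, []
        self.deadline = now + self.time   # assumed: timer runs from last email
        return email

    def process(self, msg, now):
        """Offer one message at minute `now`; returns the email sent or None."""
        hit = next((f for f in self.filters if f.matches(msg)), None)
        if hit is None:
            return None
        if self.deadline is None:
            self.deadline = now + self.time
        self.buffer.append(msg)
        if hit.trigger or len(self.buffer) >= self.number:
            return self._flush(now)
        return None

    def tick(self, now):
        """Timer: send whatever is buffered once the window has passed."""
        return self._flush(now) if self.buffer and now >= self.deadline else None


def run_scenario():
    """Constructed messages through two filters; returns the emails sent."""
    urgent = EmailFilter(1, [("level", 0), ("level", 1), "OR",
                             ("level", 2), "OR"], trigger=True)
    slb_down = EmailFilter(2, [("level", 3), ("module", "SLB"), "AND",
                               ("pattern", r"\bdown\b"), "AND"])
    log = EmailLogger([urgent, slb_down], number=16, time=30)
    events = [(0, Message(3, "SLB", "server rs1 port 80 is down")),  # buffered
              (1, Message(6, "SLB", "health check passed")),        # no match
              (2, Message(0, "SYSTEM", "power supply failed")),     # trigger
              (5, Message(3, "SLB", "service sg-web down"))]        # buffered
    emails = [sent for t, m in events if (sent := log.process(m, t))]
    emails += [sent for t in (20, 32) if (sent := log.tick(t))]  # 32 >= 2 + 30
    return emails
```

In the scenario, the Emergency message at minute 2 matches the trigger filter and is emailed immediately together with the Error message already in the buffer; the second SLB message waits in the buffer until the 30-minute window expires at minute 32. That is the behaviour to keep in mind when choosing the trigger option: a buffered-only filter can delay an alert by up to the configured time.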
Network Setup
This chapter describes how to insert the AX device into your network.
After you complete the setup tasks in this chapter that are applicable to your
network, the AX device will be ready to configure for its primary function:
load balancing.
Overview
AX Series devices can be inserted into your network with minimal or no
changes to your existing network. You can insert the AX device into your
network as a Layer 2 switch or a Layer 3 router.
The same Layer 4-7 features are available with either deployment option.
Examples are provided in this chapter for the following types of network
deployment:
• Transparent mode
IP Subnet Support
Each AX device has a management interface and data interfaces. The management interface is a physical Ethernet port. A data interface is a physical Ethernet port, a trunk group, or a Virtual Ethernet (VE) interface.
The management interface can have a single IP address.
Transparent Mode
Figure 13 shows an example of an AX Series device deployed in transparent mode.
The blue arrows show the traffic flow for client-server traffic; in this example, between clients and server 10.10.10.3.
Note: For simplicity, this example and the other examples in this chapter show
the physical links on single Ethernet ports. Everywhere a single Ethernet
connection is shown, you can use a trunk, which is a set of multiple ports
configured as a single logical link.
Similarly, where a single gateway router is shown, a pair of routers in a
Virtual Router Redundancy Protocol (VRRP) configuration could be
used. In this case, the gateway address used by hosts and Layer 2 switches
is the virtual IP address of the pair of routers.
This example does not use Layer 3 Network Address Translation (NAT) but
does use the default SLB NAT settings. (For a description, see “SLB Source
NAT” on page 617.)
HTTP requests from clients for virtual server 10.10.10.99 are routed by the
Layer 3 router to the AX device. SLB on the AX device selects a real server
and sends the request to the server. The server reply passes back through the
AX device to clients.
Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown in Figure 13.
The following figures show the GUI screens used to implement the configuration shown in Figure 13. Here and elsewhere in this guide, the command paths used to access a GUI screen are listed in the figure caption.
Interface Configuration
Note: For reference, Figure 14 shows the entire interface. Subsequent figures
show only the relevant configuration page.
FIGURE 16 Config > Service > SLB > Server
Service group configuration
Virtual server configuration
FIGURE 19 Config > Service > SLB > Virtual Server - Virtual Server Port
USING THE CLI
The following commands configure the global IP address and default gateway:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1
The following commands enable the Ethernet interfaces used in the example:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#exit
The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.)
Transparent Mode in Multinetted Environment
This example is similar to the example in Figure 13, except the real servers
are in separate subnets. Each server uses the router as its default gateway,
but at a different subnet address.
The blue arrows show the traffic flow for client-server traffic; in this example, between clients and server 10.10.10.4.
To enable the AX device to pass traffic for multiple subnets, the device is
configured with multiple VLANs. The interfaces in subnet 10.10.10.x are in
VLAN 1. The interfaces in the 10.10.20.x subnet are in VLAN 2.
Note: In this example, each AX interface is in only one VLAN and can therefore be untagged. The AX device could instead be connected to the router by a single link, in which case the AX link to the router would be in two VLANs and would need to be tagged in at least one of them. (If an interface is in multiple VLANs, the interface can be untagged in only one of those VLANs.)
The default SLB NAT settings allow client traffic to reach the server in the
10.10.20.x subnet, even though this is not the subnet that contains the AX
device’s IP address.
Note: The AX device initiates health checks using the last (highest numbered)
IP address in the pool as the source IP address. In addition, the AX device
will only respond to control traffic (for example, management and ICMP
traffic) from the NATted subnet if the control traffic is sent to the last IP
address in the pool.
Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown in Figure 20.
Note: GUI examples are shown here only for the configuration elements that are
new in this section (VLAN and Source NAT pool). For examples of the
GUI screens for the rest of the configuration, see “Transparent Mode” on
page 75.
FIGURE 22 Config > Service > IP Source NAT > IPv4 Pool
FIGURE 23 Config > Service > SLB > Virtual Server - Virtual Server Port
The following commands configure the global IP address and default gateway:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1
The following commands enable the Ethernet interfaces used in the example:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#enable
AX(config-if:ethernet4)#exit
The following commands add the SLB configuration. The source-nat command enables the IP address pool configured above to be used for NATting health check traffic between the AX device and the real server. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.)
Commands to configure the real servers
AX(config)#slb server rs1 10.10.10.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.20.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
Route Mode
Figure 24 shows an example of an AX device deployed in route mode.
The blue arrows show the traffic flow for client-server traffic; in this example, between clients and server 192.168.4.101. This example shows a database server that is not part of the SLB configuration but that is used by the real servers when fulfilling client requests. Real servers can reach the database server through the AX device just as they would through any other router. Replies to clients still travel from the real servers through the AX device back to the client.
Although this example shows single physical links, you could use trunks as
physical links. You also could use multiple VLANs. In this case, the IP
addresses would be configured on Virtual Ethernet (VE) interfaces, one per
VLAN, instead of being configured on individual Ethernet ports.
Source NAT is not required for this configuration. The AX can send health
checks to the real servers and receive the replies without NAT.
Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown in Figure 24.
Note: GUI examples are shown here only for the configuration elements that are
new in this section (configuration of routing parameters). For examples of
the GUI screens for the SLB configuration, see “Transparent Mode” on
page 75.
Note: In the current release, the GUI does not support configuration of OSPF.
FIGURE 25 Config > Network > Interface > LAN > IPv4
USING THE CLI
The following commands enable the Ethernet interfaces used in the example and configure IP addresses on them:
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#ip address 10.10.10.2 /24
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#ip address 192.168.3.100 /24
AX(config-if:ethernet2)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#ip address 192.168.1.111 /24
AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#enable
AX(config-if:ethernet4)#ip address 192.168.2.100 /24
AX(config-if:ethernet4)#exit
The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.)
Commands to configure the virtual server
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group sg-web
Direct Server Return in Transparent Mode
link can be on a single Ethernet port or a trunk. This example uses a single
Ethernet port.
The blue arrows show the traffic flow for client-server traffic; in this example, between clients and servers 10.10.10.3-4. Client request traffic for the virtual server IP address, 10.10.10.99, is routed to the AX device. However, server reply traffic does not pass back through the AX device.
Note: VIP redistribution is not supported for VIPs that are configured for Direct
Server Return (DSR).
The target of the Layer 3 health checks can be the real IP addresses of the
servers, or the virtual IP address, depending on your preference.
• To send the Layer 3 health checks to the real server IP addresses, you
can use the default Layer 3 health method (ICMP).
• To send the Layer 3 health checks to the virtual IP address instead:
• Configure an ICMP health method with the transparent option
enabled, and with the alias address set to the virtual IP address.
• Globally enable DSR health checking.
Layer 4-7 health checks are sent to the same IP address as the Layer 3 health
checks, and then addressed to the specific protocol port. You can use the
default TCP and UDP health monitors or configure new health monitors.
This example uses the default TCP health monitor.
Requirements
Note: In the current release, for IPv4 VIPs, DSR is supported on virtual port
types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is
supported on virtual port types TCP, UDP, and RTSP.
• Requirements on the real server:
• A loopback interface must be configured with the virtual server IP
address.
• ARP replies from the loopback interfaces must be disabled. (This
applies to the loopback interfaces that have the virtual server IP
address.)
Configuration Example
This section shows how to implement the configuration shown in Figure 27.
Note: This example does not include configuration of the real servers, or configuration of the virtual server other than the steps for enabling DSR.
3. Enter the IP address, network mask or prefix length, and default gateway address. (In this example, use the IPv4 section and enter 10.10.10.2, 255.255.255.0, and 10.10.10.1.)
4. Click OK.
3. Click on the checkbox next to the interface number to enable (for example, “e3”).
4. Click Enable. The icon in the Status column changes to a green checkmark to indicate that the interface is enabled.
3. Select the virtual port and click Edit, or click Add to create a new one.
4. In the Virtual Server Port section, select Enabled next to Direct Server
Return. Configure other settings if needed. (The other settings are not
specific to DSR and depend on the application.)
5. Click OK. The virtual port list for the virtual server reappears.
The following commands configure the global IP address and default gateway:
AX(config)#ip address 10.10.10.2 /24
AX(config)#ip default-gateway 10.10.10.1
The following commands enable the Ethernet interface connected to the clients and server:
AX(config)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#exit
The following commands add the SLB configuration. (For more information about SLB commands, see the SLB configuration chapters in this guide. Also see the AX Series CLI Reference.)
Commands to configure the virtual server
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#service-group sg-web
AX(config-slb virtual server-slb virtua...)#no-dest-nat
For DSR to work, a loopback interface with the IP address of the virtual
server must be configured on each real server, and ARP replies from the
loopback address must be disabled.
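As an added example (not part of the A10 guide), a small Python readiness check for the two real-server requirements just stated. The guide does not name the server OS; the check assumes a Linux real server where the requirements are met with the VIP as a /32 on "lo" plus the arp_ignore/arp_announce sysctls, and it is fed constructed command output so it runs offline.

```python
"""Check a Linux real server against the two DSR requirements:
the VIP on a loopback interface, and no ARP replies for it.

Added example, not from the A10 guide. The Linux specifics (a /32 on
"lo", arp_ignore=1, arp_announce=2) are an assumption about how the
requirements are usually met on that OS.
"""
import re

# Constructed sample of `ip -o -4 addr show` on real server 10.10.10.3,
# carrying the VIP 10.10.10.99 correctly as a /32 on lo.
SAMPLE_IP_ADDR_OK = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever\n"
    "1: lo    inet 10.10.10.99/32 scope global lo\\       valid_lft forever\n"
    "2: eth0    inet 10.10.10.3/24 brd 10.10.10.255 scope global eth0\\       valid_lft forever\n"
)

# Constructed sysctl snapshot (values as `sysctl -n` prints them).
SAMPLE_SYSCTL_OK = {
    "net.ipv4.conf.all.arp_ignore": "1",
    "net.ipv4.conf.all.arp_announce": "2",
    "net.ipv4.conf.lo.arp_ignore": "0",
    "net.ipv4.conf.lo.arp_announce": "0",
}

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+(?:\.\d+){3})/(\d+)", re.M)


def parse_addresses(ip_output):
    """Return [(ifname, address, prefixlen), ...] from `ip -o -4 addr show` output."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in ADDR_RE.finditer(ip_output)]


def effective(sysctls, ifname, key):
    """Linux applies the larger of conf/all/<key> and conf/<if>/<key>."""
    all_val = int(sysctls.get(f"net.ipv4.conf.all.{key}", 0))
    if_val = int(sysctls.get(f"net.ipv4.conf.{ifname}.{key}", 0))
    return max(all_val, if_val)


def check_dsr_real_server(vip, ip_output, sysctls):
    """Return a list of problems; an empty list means both requirements are met."""
    problems = []
    addrs = parse_addresses(ip_output)
    found = False
    for ifname, addr, plen in addrs:
        if addr != vip:
            continue
        found = True
        if ifname != "lo":
            # On a LAN-facing interface the VIP would be announced via ARP and
            # compete with the AX device for the address.
            problems.append(f"VIP {vip} is configured on {ifname}, not on lo")
        elif plen != 32:
            problems.append(f"VIP {vip} on lo is /{plen}; use /32 to avoid a bogus connected route")
    if not found:
        problems.append(f"VIP {vip} is not configured on any interface")

    # Requirement 2 is about the interfaces that receive ARP requests, i.e.
    # every non-loopback interface: arp_ignore=1 answers only for addresses
    # on the receiving interface (never the VIP on lo); arp_announce=2 keeps
    # the VIP out of the sender field of the server's own ARP requests.
    for ifname in sorted({ifn for ifn, _, _ in addrs if ifn != "lo"}):
        ign = effective(sysctls, ifname, "arp_ignore")
        ann = effective(sysctls, ifname, "arp_announce")
        if ign < 1:
            problems.append(f"{ifname}: arp_ignore is {ign}; set 1 so the server does not answer ARP for the VIP")
        if ann < 2:
            problems.append(f"{ifname}: arp_announce is {ann}; set 2 so the VIP is not used as ARP source")
    return problems


if __name__ == "__main__":
    for p in check_dsr_real_server("10.10.10.99", SAMPLE_IP_ADDR_OK, SAMPLE_SYSCTL_OK) or ["OK"]:
        print(p)
```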
Direct Server Return in Route Mode
The configuration is very similar to the one for DSR in transparent mode,
except the AX device uses an IP interface configured on an individual
Ethernet port instead of a global IP address.
The requirements for the AX device and real servers are the same as those
for DSR in transparent mode. (See “Direct Server Return in Transparent
Mode” on page 93.)
Note: VIP redistribution is not supported for VIPs that are configured for Direct
Server Return (DSR).
Configuration Example
This section shows how to implement the configuration shown in Figure 28.
Note: The following examples only show the part of the configuration that differs from deployment of DSR in transparent mode. The only difference is configuration of the IP interface on the Ethernet interface connected to the router, and configuration of a default route.
3. In the Interface column, click on the interface name (for example, “e3”).
6. Click OK.
3. Click Add.
6. Click OK.
The following commands enable the Ethernet interface used in the example
and configure an IP address on it:
AX(config)#interface ethernet 3
AX(config-if:ethernet3)#enable
AX(config-if:ethernet3)#ip address 10.10.10.2 /24
AX(config-if:ethernet3)#exit
The rest of the configuration commands are the same as those shown in
“Direct Server Return in Transparent Mode” on page 93, beginning with
configuration of the real servers.
Direct Server Return in Mixed Layer 2/Layer 3 Environment
Note: The deployment described in this section is useful for deploying backup
servers to use only if primary servers are unavailable.
In this example, two real servers are used as the primary servers for VIP
10.10.10.99:80. They are in the same IP subnet as the AX device. Each of
them is configured for DSR: destination NAT is disabled on the virtual port.
To deploy the backup server:
• In the service group, assign a higher priority to the members for the primary servers, so that the member for the backup server has the lower priority. By default, the AX device will not use the lower-priority server (the backup server) unless all the primary servers are down. Use the same priority for all the primary servers.
• Enable destination NAT on the backup server. By default, destination NAT is unset on real ports, and is set by the virtual port. Normally, destination NAT is disabled on virtual ports used for DSR. However, destination NAT needs to be enabled on the real port on the backup server.
Enabling destination NAT for the backup server allows the server to remain on a different subnet from the AX device, and still be used for the VIP that normally is served by DSR. The backup server does not need to be moved to a Layer 2 connection to the AX device and the server’s IP address does not need to be changed. It can remain on a different subnet from the AX device and the primary servers.
Destination NAT cannot be set directly on an individual real port. To enable destination NAT on a real port, create a real port template and enable destination NAT in the template. You can bind the template to the real port itself, or to the service group member for the port.
• If you bind the template to the port itself, the template applies to the port in all service groups that use the port.
• If you bind the template to the service group member instead, the template applies to the port only within the service group. The template does not apply to the same port when used in other service groups.
Note: VIP redistribution is not supported for VIPs that are configured for Direct
Server Return (DSR).
3. Click Add.
5. Select Disabled next to Direct Server Return.
6. Click OK.
3. Click on the service group name or click Add to create a new one.
Note: If you are modifying a member that is already in the list, click the checkbox in the row containing the member information, select the priority, then click Update.
b. Enter the protocol port number in the Port field.
c. Select 16 from the Priority drop-down list.
d. Click Add.
e. Repeat for the other primary server.
7. Click OK.
FIGURE 30 Config > Service > SLB > Template > Server Port
To set the priority values of the primary servers to a higher value than the
backup server, re-add the members for the primary servers’ ports, and use
the priority option. Set the priority to a value higher than 1 (the default).
Use the same priority value on each of the primary server’s member ports.
To enable destination NAT on a service port within a service group, use the
dest-nat option in a server port template, then bind that template to the
server port in the service group.
CLI Example
The following commands configure a server port template for the backup
server:
AX(config)#slb template port dsrbackup
AX(config-rport)#dest-nat
AX(config-rport)#exit
Support for Multiple OSPFv2 Processes and OSPFv3 Instances
Each IPv6 link can run up to 65535 OSPFv3 instances, on the same link.
Configuration Example
The configuration excerpts in this example configure OSPFv2 and OSPFv3
on an AX device.
Interface Configuration
The following commands configure two physical Ethernet data interfaces.
Each interface is configured with an IPv4 address and an IPv6 address. Each
interface also is added to OSPF area 0 (the backbone area).
The link-state metric (OSPF cost) of Ethernet 2 is set to 30, which is higher than the default, 10. Based on the cost difference, OSPF routes through Ethernet 1 will be favored over OSPF routes through Ethernet 2, because the OSPF cost of Ethernet 1 is lower.
interface ethernet 1
ip address 2.2.10.1 255.255.255.0
ipv6 address 5f00:1:2:10::1/64
ipv6 router ospf area 0 tag 1
!
interface ethernet 2
ip address 3.3.3.1 255.255.255.0
ipv6 address 5f00:1:2:20::1/64
ip ospf cost 25
ipv6 router ospf area 0 tag 1
interface ve 4
ip address 1.1.60.2 255.255.255.0
ipv6 address 5f00:1:1:60::2/64
ip ospf cost 15
OSPF Logging
Router logging is disabled by default. You can enable router logging to one
or more of the following destinations:
• CLI terminal (stdout)
• Local file
Note: Log file settings are retained across reboots but debug settings are not.
Note: Enabling debug settings that produce lots of output, or enabling all debug settings, is not recommended for normal operation.
For additional syntax information, including show and clear commands for
router logging, see the AX Series CLI Reference.
To enable output to the local logging buffer, use the following command at
the global configuration level of the CLI:
router log syslog
To enable output to a local file, use the following command at the global
configuration level of the CLI:
[no] router log file {name string | per-protocol | rotate num | size Mbytes}
To enable output to a remote log server, use the following command at the
global configuration level of the CLI:
logging host ipaddr [ipaddr...] [port protocol-port]
• 1 or alert
• 2 or critical
• 3 or error
• 4 or warning
• 5 or notification
• 6 or information
• 7 or debugging
To change the severity level for messages output to the local logging buffer,
use the following command at the global configuration level of the CLI:
logging buffered severity-level
To change the severity level for messages output to external log servers, use
the following command at the global configuration level of the CLI:
logging syslog severity-level
To change the severity level for messages output to a file, use the following
command at the global configuration level of the CLI:
router log trap severity-level
To change the facility, use the following command at the global configuration level of the CLI:
logging facility facility-name
• local1
• local2
• local3
• local4
• local5
• local6
• local7
The ipv6 option enables debugging for OSPFv3. Without the ipv6 option,
debugging is enabled for OSPFv2.
The type specifies the types of OSPF information to log, and can be one or
more of the following:
• all – Enables debugging for all information types listed below.
• nsm – Enables debugging for the Network Services Module (NSM). The NSM deals with use of ACLs, route maps, interfaces, and other network parameters.
• packet – Enables debugging for OSPF packets.
CLI Example
The following commands configure OSPFv2 logging to a local file.
AX(config)#router log file name ospf-log
AX(config)#router log file per-protocol
AX(config)#router log file size 100
AX(config)#debug a10 ospf all
AX(config)#debug ospf packet
These commands create a router log file named “ospf-log”. The per-protocol option will log messages for each routing protocol separately. The log file will hold a maximum of 100 MB of data, after which the messages will be saved in a backup and the log file will be cleared.
The following command displays the contents of the local router log file:
AX(config)#show router log file ospfd
2010/04/21 09:57:20 OSPF: IFSM[ve 3:1.1.1.2]: Hello timer expire
2010/04/21 09:57:20 OSPF: SEND[Hello]: To 224.0.0.5 via ve 3:1.1.1.2, length 64
2010/04/21 09:57:20 OSPF: -----------------------------------------------------
2010/04/21 09:57:20 OSPF: Header
2010/04/21 09:57:20 OSPF: Version 2
2010/04/21 09:57:20 OSPF: Type 1 (Hello)
2010/04/21 09:57:20 OSPF: Packet Len 48
2010/04/21 09:57:20 OSPF: Router ID 2.2.2.2
2010/04/21 09:57:20 OSPF: Area ID 0.0.0.0
2010/04/21 09:57:20 OSPF: Checksum 0x0
2010/04/21 09:57:20 OSPF: Instance ID 0
2010/04/21 09:57:20 OSPF: AuType 2
2010/04/21 09:57:20 OSPF: Cryptographic Authentication
2010/04/21 09:57:20 OSPF: Key ID 1
2010/04/21 09:57:20 OSPF: Auth Data Len 16
2010/04/21 09:57:20 OSPF: Sequence number 1271830931
2010/04/21 09:57:20 OSPF: Hello
2010/04/21 09:57:20 OSPF: NetworkMask 255.255.255.0
2010/04/21 09:57:20 OSPF: HelloInterval 10
2010/04/21 09:57:20 OSPF: Options 0x2 (-|-|-|-|-|-|E|-)
2010/04/21 09:57:20 OSPF: RtrPriority 1
2010/04/21 09:57:20 OSPF: RtrDeadInterval 40
2010/04/21 09:57:20 OSPF: DRouter 1.1.1.200
2010/04/21 09:57:20 OSPF: BDRouter 1.1.1.2
2010/04/21 09:57:20 OSPF: # Neighbors 1
2010/04/21 09:57:20 OSPF: Neighbor 31.31.31.31
2010/04/21 09:57:20 OSPF: -----------------------------------------------------
2010/04/21 09:57:21 OSPF: IFSM[ethernet 2:3.3.3.1]: Hello timer expire
2010/04/21 09:57:21 OSPF: SEND[Hello]: To 224.0.0.5 via ethernet 2:3.3.3.1, length 48
2010/04/21 09:57:21 OSPF: -----------------------------------------------------
2010/04/21 09:57:21 OSPF: Header
2010/04/21 09:57:21 OSPF: Version 2
2010/04/21 09:57:21 OSPF: Type 1 (Hello)
2010/04/21 09:57:21 OSPF: Packet Len 48
2010/04/21 09:57:21 OSPF: Router ID 2.2.2.2
2010/04/21 09:57:21 OSPF: Area ID 0.0.0.0
2010/04/21 09:57:21 OSPF: Checksum 0x49eb
2010/04/21 09:57:21 OSPF: Instance ID 0
2010/04/21 09:57:21 OSPF: AuType 0
2010/04/21 09:57:21 OSPF: Hello
2010/04/21 09:57:21 OSPF: NetworkMask 255.255.255.0
2010/04/21 09:57:21 OSPF: HelloInterval 10
2010/04/21 09:57:21 OSPF: Options 0x2 (-|-|-|-|-|-|E|-)
2010/04/21 09:57:21 OSPF: RtrPriority 1
2010/04/21 09:57:21 OSPF: RtrDeadInterval 40
2010/04/21 09:57:21 OSPF: DRouter 3.3.3.2
2010/04/21 09:57:21 OSPF: BDRouter 3.3.3.1
2010/04/21 09:57:21 OSPF: # Neighbors 1
2010/04/21 09:57:21 OSPF: Neighbor 81.81.81.81
...
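As an added example (not part of the A10 guide), a Python audit of the router log output shown above. The sample output has one Hello on ve 3 sent with AuType 2 (cryptographic authentication, Key ID 1) and one on ethernet 2 sent with AuType 0 (null authentication); the parser extracts the header fields per SEND record and reports every interface whose Hellos are not cryptographically authenticated. The embedded log is an abbreviated, constructed copy of the output above, and the field names are the ones that output uses.

```python
"""Audit `show router log file` output for OSPF Hellos sent without
cryptographic authentication.

Added example, not from the A10 guide. It assumes only the log layout
shown in the guide: "<date> <time> OSPF: <text>", one header field per
line after each SEND[...] record.
"""
import re

# Constructed sample, abbreviated from the guide's output: ve 3 sends with
# AuType 2 (cryptographic), ethernet 2 sends with AuType 0 (null).
SAMPLE_LOG = """\
2010/04/21 09:57:20 OSPF: IFSM[ve 3:1.1.1.2]: Hello timer expire
2010/04/21 09:57:20 OSPF: SEND[Hello]: To 224.0.0.5 via ve 3:1.1.1.2, length 64
2010/04/21 09:57:20 OSPF: -----------------------------------------------------
2010/04/21 09:57:20 OSPF: Header
2010/04/21 09:57:20 OSPF: Version 2
2010/04/21 09:57:20 OSPF: Type 1 (Hello)
2010/04/21 09:57:20 OSPF: Router ID 2.2.2.2
2010/04/21 09:57:20 OSPF: Area ID 0.0.0.0
2010/04/21 09:57:20 OSPF: Checksum 0x0
2010/04/21 09:57:20 OSPF: AuType 2
2010/04/21 09:57:20 OSPF: Cryptographic Authentication
2010/04/21 09:57:20 OSPF: Key ID 1
2010/04/21 09:57:20 OSPF: Neighbor 31.31.31.31
2010/04/21 09:57:21 OSPF: IFSM[ethernet 2:3.3.3.1]: Hello timer expire
2010/04/21 09:57:21 OSPF: SEND[Hello]: To 224.0.0.5 via ethernet 2:3.3.3.1, length 48
2010/04/21 09:57:21 OSPF: -----------------------------------------------------
2010/04/21 09:57:21 OSPF: Header
2010/04/21 09:57:21 OSPF: Version 2
2010/04/21 09:57:21 OSPF: Type 1 (Hello)
2010/04/21 09:57:21 OSPF: Router ID 2.2.2.2
2010/04/21 09:57:21 OSPF: Area ID 0.0.0.0
2010/04/21 09:57:21 OSPF: Checksum 0x49eb
2010/04/21 09:57:21 OSPF: AuType 0
2010/04/21 09:57:21 OSPF: Neighbor 81.81.81.81
"""

LINE_RE = re.compile(r"^\S+ \S+ OSPF: (.*)$")
SEND_RE = re.compile(r"SEND\[(\w+)\]: To (\S+) via (.+?):([\d.]+), length (\d+)")
FIELD_RE = re.compile(r"^(Router ID|Area ID|Checksum|AuType|Key ID|Neighbor|Type)\s+(\S+)")

AUTYPE_NAMES = {0: "null", 1: "simple password (cleartext)", 2: "cryptographic"}


def parse_packets(text):
    """Return one dict per SEND[...] record with the header fields that follow it."""
    packets, cur = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group(1).strip()
        s = SEND_RE.match(body)
        if s:
            cur = {"kind": s.group(1), "dst": s.group(2), "iface": s.group(3),
                   "src": s.group(4), "length": int(s.group(5)), "neighbors": []}
            packets.append(cur)
            continue
        if cur is None:
            continue
        f = FIELD_RE.match(body)
        if f:
            key, val = f.group(1), f.group(2)
            if key == "Neighbor":
                cur["neighbors"].append(val)
            else:
                cur[key] = val
    return packets


def audit_authentication(packets):
    """Return (iface, area, autype name, neighbors) for each packet that is not
    cryptographically authenticated; an empty list means all of them were."""
    findings = []
    for p in packets:
        au = int(p.get("AuType", 0))
        if au == 2:
            # With AuType 2 the OSPF checksum is not computed and is sent as 0
            # (RFC 2328, D.4.3), so "Checksum 0x0" on the ve 3 packet is expected.
            continue
        findings.append((p["iface"], p.get("Area ID", "?"),
                         AUTYPE_NAMES.get(au, f"unknown ({au})"),
                         ", ".join(p["neighbors"]) or "none"))
    return findings


if __name__ == "__main__":
    for iface, area, au, nbrs in audit_authentication(parse_packets(SAMPLE_LOG)):
        print(f"{iface} (area {area}): {au} authentication, neighbors {nbrs}")
```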
This chapter describes HTTP load balancing and how to configure it.
Overview
HTTP load balancing manages HTTP traffic across a Web server farm.
Figure 32 shows an example of an HTTP load balancing deployment.
Note: The network topologies in application examples such as this one are simplified to focus on the application. For example, the Internet router connecting the clients to the AX device is not shown here. Likewise, a single AX is shown. Your configuration might use an AX pair for High Availability (HA).
FIGURE 32 HTTP Load Balancing
For simplicity in this example, the real servers use the default protocol port
number for HTTP (80). The port numbers on the real and virtual servers are
not required to match.
The client is unaware of the real server’s IP address and does not know that the site actually consists of multiple servers. After selecting a real server, the AX device automatically performs the necessary Network Address Translation (NAT) to send the client request to the server, receive the reply from the server, and send the reply to the client. From the client’s perspective, the Web session is between the client and port 80 on 192.168.10.11.
SERVICE GROUPS
A service group contains a set of real servers from which the AX device can
select to service a client request.
This example uses a single service group that contains all the real servers and the applicable service port (80). During configuration, you bind the service group to the virtual port(s) on the virtual server.
The AX device selects a server based on the load balancing method used by
the service group, and on additional criteria relevant to the load balancing
method.
In this example, the default load balancing method, round robin, is used.
The round robin method selects servers in rotation. For example, the first
client request is sent to server web-2, the next client request is sent to server
web-3, and so on.
VIRTUAL SERVER
The virtual server in this example has IP address 192.168.10.11 and virtual
service port 80. When you configure a virtual service port, you specify the
protocol port number for the port. You also specify the service type. The AX
device supports the following service types for HTTP ports:
• HTTP – Complete TCP stack. Use this service type if you plan to customize any templates. For example, if you plan to use SSL (HTTPS load balancing or SSL offload), or customize the HTTP template to change information in the HTTP headers of server replies, use the HTTP service type. Also use this service type for stream-based applications such as RAM Caching and compression.
• Fast-HTTP – Streamlined hybrid stack for high performance. If you do not plan to offload SSL or customize any templates, use Fast-HTTP.
(For a complete list of the service types, see “Virtual Service Port Parameters” on page 887.)
TEMPLATES
Templates are sets of configuration parameters that apply to specific service
types or to servers and service ports. This example uses the default settings
for each of the templates that are automatically applied to the HTTP service
type and to the real and virtual servers and ports. The rest of the information
in this section is for reference but is not required reading to continue with
this example.
For some types of templates, the AX configuration has a “default” template that is automatically applied to a service port unless you apply another template of the same type instead. (See “Service Template Parameters” on page 829.)
Service Templates
The following types of templates also can be used with HTTP service ports.
However, these types of templates do not have “default” templates that are
applied automatically.
• Cookie Persistence – Inserts a cookie in the HTTP header of a server reply before sending the reply to the client. The cookie ensures that subsequent requests from the client for the same virtual server and virtual port are directed to the same service group, real server, or real service port.
• Source-IP Persistence – Similar to cookie persistence, except the AX device does not insert cookies. Instead, clients are directed to the same resource in the server farm for every request, for the duration of a configurable timer on the AX device. The granularity of the persistence can be set to always use the same real server port, the same real server, or the same service group.
(For an example that uses a source-IP persistence template, see “Layer 4
TCP/UDP Load Balancing” on page 261.)
For more information about server and port templates, see the following:
• “Server and Port Templates” on page 361 in this guide
HEALTH MONITORS
This example uses the following types of health monitors to check the real
servers:
• Ping – A Layer 3 health method that sends an ICMP echo request to the
real server’s IP address. The server passes the health check if the AX
device receives a ping reply.
• TCP – By default, every 30 seconds the AX device sends a connection
request (TCP SYN) to each load balanced TCP port on each server, in
this case ports 80 and 443. A TCP port passes the health check if the
server replies to the AX device by sending a TCP SYN ACK. By
default, the AX device completes the TCP handshake.
In addition to these default health checks, you can configure health monitors
for specific service types. This example uses an HTTP health monitor, with
the following default settings.
• Every 30 seconds, the AX device sends an HTTP GET request for the
default index page.
• The HTTP service port passes the health check if the requested page is
present on the server and the server replies with an OK message (200).
(For more information about health monitors and their configurable options,
see “Health Monitoring” on page 381.)
3. Configure the service group. Add the real servers and service ports to
the group.
3. Click Add.
5. In the Method section, select HTTP from the Type drop-down list.
The other configuration fields change to those that apply to HTTP health
monitors.
6. Optionally, select or enter additional options for the health monitor. (See
“Health Monitoring” on page 381.)
In this example, you can use all the default settings.
7. Click OK. The new monitor appears in the health monitor table.
FIGURE 33 Config > Service > Health Monitor > Health Monitor
3. Click Add.
4. In the General section, enter a name for the server in the Name field.
Note: Enter the server’s real address, not the virtual server IP address.
6. In the Health Monitor drop-down list, select ping or leave the monitor
unset.
Note: If you leave the monitor unset, the Layer 3 health monitor that comes in
the AX configuration by default is used. (See “Default Health Checks” on
page 381.)
7. In the Port section, enter the number of the service port on the real
server in the Port field. In this example, enter “80”.
8. In the Health Monitor drop-down list, select the HTTP health monitor
configured in “To configure an HTTP health method” on page 120.
10. Click OK. The real server appears in the server table.
FIGURE 35 Config > Service > SLB > Server (real servers added)
Note: The AX device begins sending health checks to a real server’s IP address and service ports as soon as you finish configuring the server. The overall health status for the server is shown in the Health column. If the status is Down instead of Up, verify that health monitors are configured for all the service ports. The default Layer 3 health method is automatically used for the Layer 3 health check, unless you selected another health method instead.
3. Click Add.
4. In the Service Group section, select the load-balancing method from the
Algorithm drop-down list.
For this example, you can leave the default selected: Round Robin
5. In the Server section, select a real server from the Server drop-down list.
7. Click Add.
9. Click OK. The new group appears in the service group table.
FIGURE 36 Config > Service > SLB > Service Group
To configure the virtual server
1. Select Config > Service > SLB, if not still selected.
4. In the General section, enter a name for the virtual server in the Name
field.
5. In the IP Address field, enter the IP address that clients will request.
6. In the Port section, click Add. The Virtual Server Port section appears.
7. In the Type drop-down list, select the service type. In this example,
select Fast-HTTP.
8. In the Port field, enter the service port number. In this example, enter
“80”.
10. Click OK. The port appears in the Port list of the Port section.
11. Click OK. The virtual server appears in the virtual server table.
FIGURE 37 Config > Service > SLB > Virtual Server
FIGURE 38 Config > Service > SLB > Virtual Server - Virtual Server Port
section
USING THE CLI
Note: The command syntax shown in this section is simplified for the configuration example in this chapter. For complete syntax information about any command, see the AX Series CLI Reference.
1. To configure HTTP and HTTPS health methods, use the following commands:
health monitor monitor-name
Enter this command at the global configuration level of the CLI, for
each monitor to be configured. The command changes the CLI to the
configuration level for the monitor. At the monitor configuration level,
enter the following command:
method http
Entering this command, without entering additional commands at this
level, configures the monitor to use all the default settings for the HTTP
method.
To customize settings for a health monitor, use additional commands at
the configuration level for the monitor.
member server-name:portnum
The portnum is the protocol port number of the service to be load balanced. In this example, specify “80”.
Repeat the command for each real server.
4. To configure the virtual server and virtual port, use the following commands:
slb virtual-server name ipaddr
This command changes the CLI to the configuration level for the virtual
server, where you can use the following command to add the virtual port
to the server:
port port-num fast-http
or
port port-num http
For this example, use the first command (the one with fast-http as the service type) and specify “80” as the port-num.
The port command changes the CLI to the configuration level for the virtual port, where you can use the following command to bind the virtual port to the service group:
service-group group-name
The group-name is the name of the service group configured in step 3.
CLI EXAMPLE
The following commands configure the HTTP health monitor:
AX(config)#health monitor http-monitor
AX(config-health:monitor)#method http
AX(config-health:monitor)#exit
AX(config-real server)#exit
AX(config)#slb server web-4 10.10.10.4
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#health-check http-monitor
AX(config-real server-node port)#exit
AX(config-real server)#exit
This chapter describes the HTTP options you can configure in HTTP templates, and provides examples of their use.
Overview
HTTP templates provide many SLB options. Some options control selection
of real servers or service groups, while other options modify HTTP header
information or enhance website performance.
HTTP templates can be used with the following service (virtual port) types:
• HTTP
• HTTPS
• Fast-HTTP
• URL / host switching – Selects a service group based on the URL path or domain in the client’s GET request. (See “URL / Host Switching” on page 139.)
• Failover URL – If the URL in the GET request cannot be reached due to server unavailability, the AX device sends a 302 Redirect to the client. (See “URL Failover” on page 147.)
• 5xx retry and reassignment – Retries a server that replies to a request with a 5xx status code instead of sending the status code to the client, and reassigns the request to another server if the first server continues to reply with a 5xx status code. (See “5xx Retry and Reassignment” on page 149.)
• Strict transaction switching – Performs server selection for each request within a client-server session, rather than performing server selection once per session. This option provides a simple method to force rebalancing of server selection. (See “Strict Transaction Switching” on page 167.)
• Fast-HTTP
• HTTPS
5. Select or enter values for the template options you want to use. The remaining sections in this chapter describe the fields for configuring each option.
Note: Some settings are on the other HTTP template sections (App switching, Redirect Rewrite, and Compression).
6. When finished, click OK. The template appears in the HTTP template list.
3. To edit an existing virtual server, select it. To configure a new one, click Add. The General section appears.
5. Select the port or click Add. The Virtual Server Port section appears.
6. Make sure the port type is HTTP, Fast-HTTP, or HTTPS.
9. Click OK. The port appears in the Port list of the Port section.
This command changes the CLI to the configuration level for the template.
The remaining sections in this chapter describe the commands for configur-
ing each option.
When enabled, URL hashing selects a real server for the first request for
given content, and assigns a hash value to the server for the content. The
AX device then sends all subsequent requests for the content to the same
real server.
FIGURE 39 URL Hashing
In this example, a service group contains three real servers. Each of the real servers contains the same set of .html, .pdf, and .jpg files. The AX device is configured to calculate a hash value based on the last 3 bytes of the URL string in the client request, and assign the hash value to a server.
After assigning a hash value to a server, the AX device sends all requests that match the hash value to the same real server. In this example, all requests that end with “pdf” are sent to the same server.
If the real server becomes unavailable, the AX device selects another server, assigns a hash value to it, and uses that server for all subsequent requests for URL strings that have the same hash value.
Hash Options
You can specify the following hash options:
• Bytes – Specifies how many bytes of the URL string to use to calculate the hash value.
• First or last – Specifies which end of the URL string to use to calculate the hash value.
The example in Figure 39 calculates hash values based on the last 3 bytes of the URL strings.
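The selection and failover behaviour described above (hash the first or last N bytes of the URL, pin that hash value to one real server, move it to another server only when that server becomes unavailable), as an added Python simulation that is not A10's code. The guide does not state which hash function ACOS uses, so SHA-256 over the selected bytes is an assumption here, and the server names rs1 to rs3 are constructed.

```python
import hashlib


def url_hash_key(url: str, end: str, nbytes: int) -> bytes:
    """Return the first or last `nbytes` bytes of the URL string
    (the guide's "Bytes" and "First or last" hash options)."""
    if end not in ("first", "last"):
        raise ValueError("end must be 'first' or 'last'")
    data = url.encode("utf-8")
    return data[:nbytes] if end == "first" else data[-nbytes:]


class UrlHashSwitch:
    """Simulates url-hash-persist {first | last} bytes for one service group."""

    def __init__(self, members, end="last", nbytes=3):
        self.members = list(members)      # real servers in the service group
        self.available = set(members)     # members currently passing health checks
        self.end, self.nbytes = end, nbytes
        self.assigned = {}                # hash key -> real server that owns it

    def select(self, url: str) -> str:
        key = url_hash_key(url, self.end, self.nbytes)
        server = self.assigned.get(key)
        if server is not None and server in self.available:
            return server                 # subsequent request: same server as before
        # First request for this key, or the owning server went down:
        # pick another available server and hand the hash value to it.
        candidates = [m for m in self.members if m in self.available]
        if not candidates:
            raise RuntimeError("no available server in service group")
        # Assumed hash function (SHA-256); ACOS's actual function is not on the page.
        digest = hashlib.sha256(key).digest()
        server = candidates[int.from_bytes(digest[:4], "big") % len(candidates)]
        self.assigned[key] = server
        return server

    def mark_down(self, server: str) -> None:
        self.available.discard(server)

    def mark_up(self, server: str) -> None:
        self.available.add(server)
```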
Normally, URL hashing selects a server for the first request for a given URL, then uses the same server for all subsequent requests for the same URL. In cases where a given URL becomes wildly popular (for example, a viral video), the server for that URL can become overwhelmed.
The server load awareness option provides a way to avoid server outage in this type of situation. After some configuration on the server and on the AX device, the AX device can learn a server’s load status from the server.
Server Configuration
This feature requires some custom configuration on the server. The server must be configured to insert an HTTP header named “Server-Status” in the server’s responses. The header has the following format, where N is one of the load values 0, 1, or 2:
Server-Status: load=N
Assume that the first request for URI /article-new1 is hashed to S1. Subsequent requests are load balanced as listed in Table 4.
AX Configuration
On the AX device, URL hash switching with server load awareness does not require configuration of dedicated backup servers in the service group. Instead, any primary server can also act as a backup for other servers, based on server load.
3. Select the URL Hash checkbox. This activates the configuration fields.
5. If you plan to use the server load awareness option, select the Use Server Status checkbox.
6. Click OK.
Enter the following command at the configuration level for the HTTP template:
url-hash-persist {first | last} bytes [use-server-status]
CLI Examples
URL / Host Switching
You can configure an HTTP template with one of the following service-group switching options:
• URL switching – Selects a service group based on the URL path in the GET line of the HTTP request’s header
• Host switching – Selects a service group based on the domain name in the Host field of the HTTP request’s header
Note: If you plan to use URL / host switching along with cookie persistence, you must enable the match-type service-group option in the cookie persistence template. (See “Using URL / Host Switching along with Cookie Persistence” on page 143.)
Requests for URLs that begin with “/abc” are sent to service group sg-abc. Likewise, requests for URLs that begin with “/123” are sent to service group sg-123.
Note: An HTTP template can be configured with only one type of service-group switching, URL switching or host switching. However, if you need to use both types of switching, you can do so with an aFleX script.
Match Options
URL / host switching selects a service group based on rules that map part of the URL string or host (domain name) to the service group. You can use the following match options in URL / host switching rules:
• Starts-with string – matches only if the URL or host name starts with the specified string.
• Contains string – matches if the specified string appears anywhere within the URL or host name.
• Ends-with string – matches only if the URL or host name ends with the specified string.
These match options are always applied in the following order, regardless of the order in which the rules appear in the configuration. The service group for the first match is used.
• Starts-with
• Contains
• Ends-with
If a template has more than one rule with the same option (starts-with, contains, or ends-with) and a URL or host name matches on more than one of them, the most-specific match is always used. For example, if a template has the following rules, requests for host “www.ddeeff.org” will always be directed to service group http-sgf:
host-switching contains d service-group http-sgd
host-switching contains dd service-group http-sge
host-switching contains dde service-group http-sgf
If you use the starts-with option with URL switching, use a slash in front of the URL string. For example:
url-switching starts-with /urlexample service-group http-sg1
6. Click Add.
Enter one of the following commands at the configuration level for the HTTP template:
url-switching {starts-with | contains | ends-with} url-string service-group service-group-name
host-switching {starts-with | contains | ends-with} host-string service-group service-group-name
CLI Example
The following commands bind the HTTP template and service group sg-abc to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlswitch
AX(config-slb virtual server-slb virtua...)#service-group sg-abc
The following commands bind the HTTP template and service group sg-123 to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlswitch
AX(config-slb virtual server-slb virtua...)#service-group sg-123
To continue using URL switching or host switching to select a service group for each request, enable the service-group option in the cookie persistence template. In this case, for each request from the client, the AX device first selects a service group, then uses information in the cookie to select the real server and port within the service group.
In this example, URL switching and cookie persistence are both configured, and the service-group option is enabled in the cookie persistence template. For each client request, URL switching selects a service group first. Then, after a service group is selected, a real server and port are selected within the service group.
• If the client’s request does not have a persistence cookie that includes the selected service group, the AX device uses SLB to select a server, then inserts a persistence cookie into the reply from the server. The cookie includes the service group name.
• If the client’s request already has a persistence cookie containing the name of the selected service group, the AX device uses the information in the cookie to select the same server within the service group.
For example, the first time service group sgabc is selected by URL switching, the AX device inserts a cookie into the server’s reply, to ensure that the same server is used the next time URL switching selects sgabc. The first time service group sg123 is selected by URL switching, the AX device inserts a second cookie into the server’s reply, to ensure that the same server is used the next time URL switching selects sg123. Even though URL switching does not always select the same service group, the same server within the selected service group is always selected.
Note: The port option is shown in parentheses because the CLI does not have a “port” keyword. If you do not set the match type to server (see below), the match type is automatically “port”.
• match-type server – Subsequent requests from the client for the same VIP will be sent to the same real server, provided that all virtual ports of the VIP use the same cookie persistence template with match-type set to server. URL switching or host switching is used only for the first request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename=rserverIP
• match-type (port) service-group – Subsequent requests from the client will be sent to the same real port on the same real server, within the service group selected by URL switching or host switching. URL switching or host switching is still used for every request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport
• match-type server service-group – Subsequent requests from the client for the same VIP will be sent to the same real server, within the service group selected by URL switching or host switching. URL switching or host switching is still used for every request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-servicegroupname=rserverIP
To enable the service-group option, use the following command at the configuration level for the cookie persistence template:
[no] match-type {server [service-group] | service-group}
To use the service-group option with port-level granularity, enter the following command: match-type service-group
To use the service-group option with server-level granularity, enter the following command: match-type server service-group
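The two mechanisms described in the Match Options section and above (starts-with, then contains, then ends-with, with the most-specific string winning among rules of one type; then match-type service-group cookie persistence with one cookie per selected service group, in the cookiename-vport-servicegroupname=rserverIP_rport format), as an added Python model that is not ACOS code. The round-robin pick inside a group, the cookie name ax, virtual port 80 and the member addresses are constructed assumptions; a cookie that names a member not in the group is treated as stale and ignored.

```python
from dataclasses import dataclass
from itertools import cycle

# Fixed evaluation order from the guide: starts-with, then contains, then ends-with.
MATCH_ORDER = ("starts-with", "contains", "ends-with")


@dataclass(frozen=True)
class Rule:
    match: str           # "starts-with" | "contains" | "ends-with"
    string: str          # url-string or host-string
    service_group: str


def rule_hits(rule: Rule, subject: str) -> bool:
    if rule.match == "starts-with":
        return subject.startswith(rule.string)
    if rule.match == "contains":
        return rule.string in subject
    if rule.match == "ends-with":
        return subject.endswith(rule.string)
    raise ValueError(f"unknown match type {rule.match!r}")


def select_service_group(rules, subject: str, default_sg: str) -> str:
    """Apply the match types in MATCH_ORDER regardless of configuration order;
    among several hits of the same type the longest (most specific) string wins."""
    for mtype in MATCH_ORDER:
        hits = [r for r in rules if r.match == mtype and rule_hits(r, subject)]
        if hits:
            return max(hits, key=lambda r: len(r.string)).service_group
    return default_sg


class CookiePersistence:
    """match-type service-group (port granularity): one cookie per selected
    service group, named cookiename-vport-servicegroupname, value rserverIP_rport."""

    def __init__(self, cookie_name: str, vport: int, groups: dict):
        self.cookie_name, self.vport = cookie_name, vport
        self.groups = groups                                   # sg -> [(ip, port), ...]
        self._rr = {sg: cycle(m) for sg, m in groups.items()}  # assumed round-robin SLB

    def cookie_name_for(self, sg: str) -> str:
        return f"{self.cookie_name}-{self.vport}-{sg}"

    def select(self, request_cookies: dict, sg: str):
        """Return ((ip, port), set_cookie_header_or_None) for the chosen group."""
        name = self.cookie_name_for(sg)
        value = request_cookies.get(name, "")
        ip, _, port = value.partition("_")
        if port.isdigit() and (ip, int(port)) in self.groups[sg]:
            return (ip, int(port)), None          # valid cookie: reuse that member
        # No cookie for this group, or a cookie naming a member that is not in
        # the group (stale or altered): fall back to SLB and issue a fresh cookie.
        member = next(self._rr[sg])
        return member, f"Set-Cookie: {name}={member[0]}_{member[1]}"


def route(rules, persist: CookiePersistence, subject: str,
          request_cookies: dict, default_sg: str):
    """Service-group selection first, then server selection inside that group."""
    sg = select_service_group(rules, subject, default_sg)
    member, set_cookie = persist.select(request_cookies, sg)
    return sg, member, set_cookie
```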
CLI Example
For more information, see the description of the slb template persist source-ip command in the “Config Commands: SLB Templates” chapter of the AX Series CLI Reference.
URL Failover
The AX device can send an HTTP 302 Redirect message to a client when the real servers for the URL requested by the client are unavailable.
In this example, a client sends a request for www.example.com (virtual IP address 192.168.10.10). However, this VIP is unavailable because all the real servers are failing their health checks. The AX device is configured to send an HTTP 302 Redirect message if the VIP is down, redirecting clients to www.example2.com.
By default, URL failover is not configured. To configure it, you specify the URL to which to redirect clients. Like the other HTTP options, you can apply this option to a virtual port by configuring the option in an HTTP template, and binding the template to the virtual port.
Note: The URL failover option does not affect redirect messages sent by real servers. To alter redirect messages from real servers, use the URL redirect-rewrite option instead. (See “URL Redirect Rewrite” on page 165.)
2. In the URL Failover field of the HTTP section, enter the URL to which to redirect clients.
Enter the following command at the configuration level for the HTTP template:
failover-url url-string
CLI Example
The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http urlfailover
5xx Retry and Reassignment
HTTP templates have an option to override this behavior. You can configure the AX device to retry sending a client’s request to a service port that replies with an HTTP 5xx status code, and reassign the request to another server if the first server replies with a 5xx status code. The AX device is allowed to reassign the request up to the configured number of retries.
For example, assume that a service group has three members (s1, s2, and s3), and the retry is set to 1. In this case, if s1 replies with a 5xx status code, the AX device reassigns the request to s2. If s2 also responds with a 5xx status code, the AX device will not reassign the request to s3, because the maximum number of retries has already been used.
Depending on the 5xx retry option you configure, either the service port and server remain eligible for more client requests, or the AX device stops sending client requests to the service port and server for 30 seconds.
Note: Use of this HTTP template option also requires the strict-transaction-switch option to be used in the same HTTP template. (See “Strict Transaction Switching” on page 167.)
Note: This option is supported only for virtual port types HTTP and HTTPS. It is not supported for fast-HTTP or any other virtual port type.
The first command continues to use the service port and server for client requests, even after a reassignment has occurred. The second command stops using the service port and server for 30 seconds after a reassignment occurs.
The num option specifies the number of times the AX device will resend the request to the server before assigning the request to another server. You can specify 1-3 retries. The default is 3.
An HTTP template can contain only one of the commands shown above.
CLI Example
The following commands configure an HTTP template to reselect a server if the initially selected server responds 4 times to a client’s request with a 5xx status code. The AX device stops using the service port and server for 30 seconds following reassignment.
AX(config)#slb template http 5xxretry
AX(config-HTTP)#strict-transaction-switch
AX(config-HTTP)#retry-on-5xx
Content Compression
Most types of real servers are able to compress media (content) before sending it to clients. Compression reduces the amount of bandwidth required to send content to clients.
Note: Compression is supported only for HTTP and HTTPS virtual ports. Compression is not supported on fast-HTTP virtual ports.
Accept-Encoding Field
If compression is enabled on the real server, the real server will compress content before sending it to a client, if the client’s request contains the Accept-Encoding field with the “compress” value for the requested content type.
If you still want the server to compress some content, you can configure the AX device to leave the Accept-Encoding field unchanged. In this case, compression is performed by the real server instead of the AX device, if the server is configured to perform the compression. The AX device can still compress content that the real server does not compress.
Compression Level
The AX device supports compression levels 1-9. Each level provides a higher compression ratio, beginning with level 1, which provides the lowest compression ratio. A higher compression ratio results in a smaller file size after compression. However, higher compression levels also require more CPU processing than lower compression levels, so performance can be affected.
The default compression level is 1, which provides the fastest compression speed but with the lowest compression ratio.
Hardware-Based Compression
Hardware-based compression is available using an optional hardware module in the following AX models: AX 2100, AX 2200, AX 3100, AX 3200, and AX 5200.
Note: Installation of the compression module into AX devices in the field is not supported. Contact A10 Networks for information on obtaining an AX device that includes the module.
6. Click OK.
Note: If the Hardware Compression option is not present, your AX device does not contain a compression module.
USING THE CLI
To display compression statistics, use the following command:
Note: If the slb hw-compression and show slb hw-compression commands are not in the CLI, your AX device does not contain a compression module.
CLI Example
Server selection fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 50
Source NAT failure 0
Tot data before compress 1373117
Tot data after compress 404410
Client IP Insertion / Replacement
To add the client’s IP address back to the request, you do not need to change the network configuration or NAT settings. Instead, you can simply enable the AX device to insert the client’s IP address into the header of the client’s GET request before sending the request to a real server.
In this example, SLB source NAT changes the source address of the client’s GET request from 192.168.100.3 to 10.20.20.11. However, the client’s source IP address is preserved within the HTTP header of the request, by inserting the address into the X-ClientIP field.
This option inserts the client’s IP address into the X-ClientIP field by default. However, you can specify another field name instead. For example, you can configure the option to insert the client IP address into the X-Forwarded-For field.
Note: To insert HTTP header fields with other types of values, or to erase fields, see “Header Insertion / Erasure” on page 160.
Replace Option
Without this option, the client IP address is appended to the list of client IP addresses already in the header. For example, if the header already contains “X-Forwarded-For:1.1.1.1”, the field:value pair becomes “X-Forwarded-For:1.1.1.1, 2.2.2.2”.
2. On the HTTP template, select the “Header Name for Inserting Client IP” checkbox. This enables the option and displays the name of the header field to which the client IP address will be added.
3. Optionally, to replace any client addresses that are already in the header, select Replace. Without this option, the client IP address is appended to the list of client IP addresses already in the header.
4. To change the name of the field, edit the name. Otherwise, leave the field name set to the default (X-ClientIP).
Enter the following command at the configuration level for the HTTP template:
The replace option replaces any client addresses that are already in the header.
CLI Example
The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http insertclientip
Header Insertion / Erasure
Note: The header insert, replace, and erase options described in this section are not supported with the fast-http service type. The AX device does not allow an HTTP template with any of these header options to be bound to a fast-http virtual port. Likewise, the AX device does not allow any of the header options to be added to an HTTP template that is already bound to a fast-http virtual port.
Note: To configure the AX device to insert the client’s IP address, see “Client IP Insertion / Replacement” on page 157.
Effect When insert-always Is Used
If you configure an HTTP template to insert “Cookie: c=3”, and you use the insert-always option, the client’s header is changed as follows:
GET / HTTP/1.1
Host: www.example.com
Cookie: a=1
Cookie: b=2
Cookie: c=3
...
ally, to change this behavior, select one of the following options from the drop-down list next to the Name field:
• Insert Always – The AX device always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• Insert if not already present – The AX device inserts the header only if the packet does not already contain a header with the same field name.
c. Click Add.
4. To insert a response header, follow the same steps as those for inserting a request header, but use the Response section.
The field:value pair indicates the header field name and the value to insert.
• By default, if a packet already contains one or more headers with the specified field name, the command replaces the first header.
• If you use the insert-always option, the command always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• If you use the insert-if-not-exist option, the command inserts the header only if the packet does not already contain a header with the same field name.
To insert a field:value pair into response headers, use the following command:
CLI Examples
The following command configures an HTTP template that inserts “Cookie: c=3” into every HTTP request. If the request already contains “Cookie” headers, the first header is replaced.
AX(config)#slb template http replace-cookie
AX(config-HTTP template)#request-header-insert "Cookie: c=3"
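The three insertion modes just described (replace the first existing header by default, insert-always, insert-if-not-exist), together with the client IP insertion append/replace behaviour from the previous section, as an added Python model that is not ACOS code. It works on the guide's own request (Host plus two Cookie headers); the erase helper dropping every header of the given name and the rejection of non-address values in the client IP field are assumptions of this example.

```python
import ipaddress

# Constructed sample request head: the guide's insert-always example before insertion.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: a=1\r\n"
    "Cookie: b=2\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split a request head into (request_line, [(name, value), ...]); order is kept."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def _indexes(headers, field):
    return [i for i, (n, _) in enumerate(headers) if n.lower() == field.lower()]


def insert_header(headers, field, value, mode="replace-first"):
    """request-header-insert semantics from the guide:
    replace-first (default): replace the first existing header of that name;
    insert-always: add after the existing same-name headers, replacing none;
    insert-if-not-exist: add only when no header of that name is present."""
    out = list(headers)
    idx = _indexes(out, field)
    if mode == "insert-if-not-exist":
        if not idx:
            out.append((field, value))
    elif mode == "insert-always":
        out.insert(idx[-1] + 1 if idx else len(out), (field, value))
    elif mode == "replace-first":
        if idx:
            out[idx[0]] = (field, value)
        else:
            out.append((field, value))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return out


def erase_header(headers, field):
    """Header erase (assumed here to drop every header carrying that name)."""
    return [(n, v) for n, v in headers if n.lower() != field.lower()]


def insert_client_ip(headers, client_ip, field="X-ClientIP", replace=False):
    """Client IP insertion: append to an existing list by default; with the replace
    option, discard whatever the client sent and keep only the real source address."""
    ipaddress.ip_address(client_ip)           # assumption: only a valid address is written
    idx = _indexes(headers, field)
    if replace or not idx:
        out = erase_header(headers, field) if replace else list(headers)
        out.append((field, client_ip))
        return out
    out = list(headers)
    first = idx[0]
    out[first] = (field, f"{out[first][1]}, {client_ip}")
    return out


def render(request_line, headers) -> str:
    """Serialise the head back into wire form."""
    return request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"
```

With the replace option the X-Forwarded-For value a client chose to send never reaches the real server, which is the setting to prefer when the server makes access or logging decisions on that header.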
4. To erase a response header, follow the same steps as those for erasing a request header, but use the Response section.
URL Redirect Rewrite
USING THE CLI
CLI Example
slb template http 1
redirect-rewrite match /00 rewrite-to http://66.1.1.202/a
redirect-rewrite match /000.html rewrite-to /001.gif
redirect-rewrite match 66.1.1.222/000.html rewrite-to 66.1.1.202/003.bmp
5. Click OK.
The default SSL port number (tcp-portnum) is 443. If you do not specify a port number, the AX device does not include a port number in the URL. In this case, the client browser adds the SSL port number when sending a request to the redirect URL. If you do specify the port number, the AX device includes the port number in the redirect URL.
CLI Example
The following commands configure the HTTP template. Redirect URLs that begin with “http://” are changed to “https://”. The URLs in the redirect messages are otherwise unchanged.
AX(config)#slb template http secureredirect
AX(config-HTTP template)#redirect-rewrite secure
AX(config-HTTP template)#exit
The following commands bind the HTTP template to virtual port 80:
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template http secureredirect
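The redirect-rewrite secure behaviour described above, applied to the Location header of a server's 3xx response, as an added Python example that is not ACOS code. It assumes that only http:// redirect URLs are rewritten (https://, relative and other values pass through) and that, as the guide states, a port appears in the rewritten URL only when one was configured; the sample response is constructed.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def rewrite_secure_location(location: str, tcp_portnum: Optional[int] = None) -> str:
    """redirect-rewrite secure [tcp-portnum]: a Location value beginning with
    http:// becomes https://; the port is included only when one was configured."""
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location               # https://, relative or other scheme: unchanged
    host = parts.hostname or ""       # lower-cased; any original port is dropped
    if ":" in host:                   # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = f"{host}:{tcp_portnum}" if tcp_portnum is not None else host
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_redirect_response(raw_head: str, tcp_portnum: Optional[int] = None) -> str:
    """Apply the rewrite to the Location header of a 3xx response head."""
    lines = raw_head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].startswith("3"):
        return raw_head               # only redirect responses are touched
    out = [lines[0]]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            line = f"Location: {rewrite_secure_location(value.strip(), tcp_portnum)}"
        out.append(line)
    return "\r\n".join(out)


# Constructed sample: a real server answering with a plain-http redirect.
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.example.com/secure\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
```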
Strict Transaction Switching
If the load among real servers appears to be unbalanced, you can enable strict transaction switching to rebalance the load. The strict transaction switching option forces the AX device to perform server selection for each request within every session.
Note: Use this option only if needed, and disable the option once the server load is rebalanced. This option makes server selection much more granular but also uses more AX system resources.
strict-transaction-switch
Overview
FTP load balancing optimizes the download experience for clients by balancing FTP traffic across servers in a server farm. You can provide clients with a single, published virtual IP address for large files, and serve the files from a set of real servers.
In this example, FTP files are served by three real servers. Each server has the same set of files available for download. One of the servers also provides the HTML pages for the download site.
The AX device supports both the passive and port FTP modes.
The AX Series device sends all HTTP requests to server ftp-2, and balances FTP requests among servers ftp-2, ftp-3, and ftp-4. In this example, the load-balancing method is changed from the default, round robin, to weighted round robin.
Service Groups
This example uses a single service group containing all three servers. To provide weighted load balancing as described above, the load balancing method is changed from the default (round robin) to weighted round robin.
Templates
The default HTTP template is assigned to the virtual HTTP port by default. However, the parameters in the default HTTP template are unset by default. For this configuration, you do not need to configure a different HTTP template or change settings in the default one.
Configuring FTP Load Balancing
For more information about templates, see the following:
• “Service Template Parameters” on page 829
Health Monitors
This example uses the following health monitors to check the real servers:
• Ping – Tests Layer 3 connectivity to the servers. The Ping health monitor is already configured by default, and is enabled by default when you add the real server.
• HTTP – Tests the HTTP port by requesting a Web page from the port. In this example, the default settings are used: Every 30 seconds, the AX device sends an HTTP Get request for the index.html page.
• FTP – Tests the FTP port by sending a login request to the port. In this example, the default settings are used: Every 30 seconds, the AX device sends an anonymous FTP login request to port 21.
The HTTP and FTP monitors must be configured and applied to the real server ports.
The AX device has default Layer 4 health checks it uses to test the TCP and UDP transport layers. This configuration also uses those health checks. (For information, see “Default Health Checks” on page 381.)
c. Assign weight 80 to the HTTP/FTP server. Assign weight 100 to each of the FTP servers that will not also be handling HTTP. These weights will cause the AX device to select the HTTP/FTP server for FTP only 80% as often as each of the other servers.
3. Configure a TCP template and set the idle time in the template to a high value.
4. Configure a service group for HTTP and add the HTTP server to it.
5. Configure another service group for FTP and add the FTP servers to it.
2. Click Add.
3. In the Health Monitor section, enter a name for the monitor in the Name field.
4. Click Method.
5. In the Method section, select HTTP from the Type drop-down list.
6. Click OK. The new health monitor appears in the health monitor table.
FIGURE 46 Config > Service > Health Monitor (for HTTP monitor)
FIGURE 47 Config > Service > Health Monitor - Method section (for FTP monitor)
FIGURE 48 Config > Service > Health Monitor (showing configured health monitors)
3. Click Add.
4. In the General section, enter a name for the server in the Name field.
6. Change the weight by editing the number in the Weight field. In this example, change the weight for the HTTP/FTP server to 80 and change the weights of the two other FTP servers to 100.
7. In the Port section, enter the HTTP (or FTP) port number in the Port field.
9. In the Health Monitor drop-down list, select the HTTP or FTP health monitor you configured in “To configure the health monitors” on page 172. (Select the monitor that matches the port type, HTTP or FTP.)
10. Click Add. The new port appears in the port list.
11. Click OK. The new server appears in the server table.
12. Repeat step 3 through step 11 for each of the other real servers.
FIGURE 49 Config > Service > SLB > Server (ftp-2)
FIGURE 50 Config > Service > SLB > Server (ftp-3)
FIGURE 51 Config > Service > SLB > Server (ftp-4)
FIGURE 52 Config > Service > SLB > Server (showing configured real servers)
Note: The Health Monitor column shows the Layer 3 (ICMP ping) health monitors
for the real servers, not the Layer 4-7 health monitors for individual
server ports.
To configure the TCP template for FTP
1. Select Config > Service > Template.
3. Click Add.
6. Click OK. The new template appears in the TCP template table.
3. Click Add.
6. In the Algorithm field, select the load balancing method. For this
example, select Weighted Round Robin.
9. Click Add. The server and port appear in the member list. Repeat for
each combination of server and port. In this example, add member
10.10.10.2 for port 80 and again for port 21 to service group http-grp.
10. Click OK. The new service group appears in the service group table.
FIGURE 55 Config > Service > Service Group (for FTP)
FIGURE 56 Config > Service > Service Group (service groups added)
To configure the virtual server
1. Select Config > Service > SLB.
3. Click Add.
5. Enter the virtual IP address in the IP Address field. This is the IP address
to which clients will send HTTP and FTP requests.
6. In the Port section, click Add. The Virtual Server Port section appears.
8. Edit the number in the Port field to match the protocol port that clients
will request at the virtual IP address.
10. Click OK. The port and service group appear in the virtual port list.
12. Click OK. The new virtual server appears in the virtual server table.
FIGURE 57 Config > Service > Virtual Server
FIGURE 58 Config > Service > Virtual Server - Virtual Server Port section (for HTTP)
FIGURE 59 Config > Service > Virtual Server - Virtual Server Port section (for FTP)
FIGURE 60 Config > Service > Virtual Server - Port section (ports added)
FIGURE 61 Config > Service > Virtual Server (virtual server added)
3. To configure the TCP template for FTP, use the following commands:
slb template tcp template-name
This command creates the TCP template and changes the CLI to the
configuration level for the template.
idle-timeout seconds
The idle-timeout command specifies the number of seconds a TCP session
can remain idle. For this example, set the idle timeout to 15000 seconds.
The service-group command binds the virtual port to a service group.
The template tcp command binds the virtual port to a TCP template.
The following commands configure the HTTP and FTP health monitors:
AX(config)#health monitor http-monitor
AX(config-health:monitor)#method http
AX(config-health:monitor)#exit
AX(config)#health monitor ftp-monitor
AX(config-health:monitor)#method ftp
AX(config-health:monitor)#exit
The following commands configure the TCP template for use with FTP:
AX(config)#slb template tcp ftp-longidletime
AX(config-L4 TCP LB template)#idle-timeout 15000
AX(config-L4 TCP LB template)#exit
The following commands configure the service group for HTTP:
AX(config)#slb service-group http-grp tcp
AX(config-slb service group)#member ftp-2:8801
AX(config-slb service group)#exit
Load Balancing for SIP over UDP
This chapter describes Session Initiation Protocol (SIP) load balancing and
how to configure it.
You can configure load balancing for SIP over UDP or SIP over TCP/TLS.
FIGURE 62 SIP Load Balancing
2. Configure a real server for each SIP Registrar server, add the SIP port to
the server, and assign the SIP health monitor to the port.
3. Configure a real server as a proxy for each SIP server that will handle
SIP messages other than registration messages. Add the SIP port to each
server. The SIP port can be the same on the Registrar servers and these
proxy servers. The AX selects a service group based on the message
type.
4. Configure a service group for the Registrar servers and add them to the
group.
5. Configure a service group for the other SIP servers and add them to the
group. This is the SIP proxy group.
6. Configure a SIP template to redirect all SIP registration messages to the
SIP Registrar service group.
7. Configure a virtual server containing the SIP port and bind the port to
the SIP proxy group. Add the SIP proxy service group and the SIP template
to the port.
d. In the General section, enter a name for the Registrar server.
e. Enter the IP address of the server.
f. In the Port section, enter the SIP port number in the Port field.
g. In the Protocol drop-down list, select UDP.
h. In the Health Monitor drop-down list, select the health monitor.
i. Click Add. The port appears in the Port list.
j. Click OK. The server appears in the real server table.
4. Use the same steps to configure a real server as a proxy for each SIP
server that will handle SIP messages other than registration messages.
The steps are the same as the steps for adding the Registrar servers. (See
Figure 66.)
5. To configure a service group for the Registrar servers and add them to
the group:
a. Select Service Group on the menu bar.
b. Click Add.
c. In the Service Group section, enter a name for the group.
d. In the Type drop-down list, select UDP.
e. In the Port section, select the real server for the SIP Registrar server
from the Server drop-down list.
f. In the Port field, enter the SIP port number.
g. Click Add.
h. Repeat for each Registrar server.
i. Click OK. The new service group appears in the service group table.
6. Use the same steps to configure a service group for the other SIP servers
and add them to the group. This is the SIP proxy group.
f. In the Registrar Service Group drop-down list, select the service
group.
g. Click OK. The new SIP template appears in the SIP template table.
FIGURE 63 Config > Service > Health Monitor > Health Monitor (example for Registrar servers)
FIGURE 64 Config > Service > Health Monitor > Health Monitor (example for other SIP servers)
FIGURE 65 Config > Service > SLB > Server
FIGURE 66 Config > Service > SLB > Server - Registrar and Proxy servers added
FIGURE 67 Config > Service > Service Group (registrar group)
FIGURE 69 Config > Service > Template > Application > SIP
FIGURE 70 Config > Service > Template > Application > SIP - template added
USING THE CLI
1. To configure a SIP health monitor using the SIP health method, use the
following commands:
health monitor monitor-name
Enter this command at the global Config level.
method sip [register [port port-num]]
Enter this command at the configuration level for the health method.
The SIP health monitor sends an OPTIONS request to port 5060 by default.
To send a REGISTER request instead, use the register option. To send
the request to a port other than 5060, use the port option to specify the
port number.
2. To configure a real server for a SIP Registrar server, add the SIP port to
it, and apply the SIP health monitor to the port, use the following
commands:
slb server server-name ipaddr
Enter this command at the global Config level.
port port-num udp
Enter this command at the configuration level for the real server.
health-check monitor-name
Enter this command at the configuration level for the SIP port.
3. To configure a real server as a proxy for each SIP server that will handle
SIP messages other than registration messages, use the same commands
as in step 2.
4. To configure a service group for the Registrar servers and add them to
the group, use the following commands:
slb service-group group-name udp
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.
5. To configure a service group for the other SIP servers and add them to
the group, use the same commands as in step 4.
Enter this command at the global Config level.
registrar service-group group-name
header-erase string
header-insert string
header-replace string new-string
timeout minutes
pass-real-server-ip-for-acl acl-id
The header-erase, header-insert, and header-replace commands edit
information in the SIP header of each SIP packet before sending it to the
service group. Each command erases, inserts, or replaces a single header
field.
The timeout command specifies how many minutes the AX device
leaves a SIP call session up. You can specify 1-250 minutes. The default
is 30.
The pass-real-server-ip-for-acl command disables reverse NAT, based on
destination IP address, for traffic from the server. This command is useful
in cases where a SIP server needs to reach another server, and the traffic
must pass through the AX device. (See “Disabling Reverse NAT Based
on Destination IP Address” on page 222.)
Enter these commands at the configuration level for the SIP template.
Caution: A10 Networks recommends that you do not set the timeout
to a value lower than 30 minutes. The SIP termination message
(Bye) does not necessarily go through the AX device, thus the AX
device does not know for certain that a conversation has ended.
7. To configure a virtual server for the SIP proxy servers (the servers that
will handle all other SIP traffic except registration messages), use the
following commands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-number sip
Enter this command at the configuration level for the virtual server.
service-group group-name
template sip template-name
Enter these commands at the configuration level for the virtual port.
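The two jobs the SIP template does in this chapter, picking the Registrar service group for REGISTER requests and applying header-erase / header-insert / header-replace to each message, as an added Python model that is not code from the A10 guide. The SIP requests are constructed for the example; the group names Registrar_gp and sip5060 follow the guide's CLI example. The exact semantics of the three header commands are an assumption: here erase removes the named field, insert appends a field, and replace changes the value of a named field. The timeout range check reflects the 1-250 minute range stated above.

```python
# Constructed SIP requests (not from the guide); addresses and names are examples.
REGISTER_REQ = (
    "REGISTER sip:192.168.20.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:alice@example.net>;tag=1\r\n"
    "To: <sip:alice@example.net>\r\n"
    "Call-ID: reg-1@10.0.0.5\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Max-Forwards: 70\r\n"
    "User-Agent: softphone/1.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
INVITE_REQ = (
    "INVITE sip:bob@192.168.20.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-2\r\n"
    "From: <sip:alice@example.net>;tag=2\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: call-2@10.0.0.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "User-Agent: softphone/1.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_message(raw):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return start_line, headers, body


def serialize(start_line, headers, body):
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


class SipTemplate:
    """Model of the SIP template: REGISTER is steered to the Registrar group,
    every other method goes to the proxy group bound to the virtual port, and
    the configured header edits are applied on the way through."""

    def __init__(self, registrar_group, proxy_group, timeout=30):
        if not 1 <= timeout <= 250:
            raise ValueError("timeout must be 1-250 minutes")
        self.registrar_group = registrar_group
        self.proxy_group = proxy_group
        self.timeout = timeout          # minutes a call session is kept up
        self.edits = []                 # (operation, header name, value), in order

    def header_erase(self, name):
        self.edits.append(("erase", name, None))

    def header_insert(self, name, value):
        self.edits.append(("insert", name, value))

    def header_replace(self, name, new_value):
        self.edits.append(("replace", name, new_value))

    def select_group(self, start_line):
        """registrar service-group: only REGISTER is redirected to it."""
        method = start_line.split(" ", 1)[0].upper()
        return self.registrar_group if method == "REGISTER" else self.proxy_group

    def apply(self, raw):
        """Return (service group to use, message after the header edits)."""
        start_line, headers, body = parse_message(raw)
        for op, name, value in self.edits:
            if op == "erase":
                headers = [(n, v) for n, v in headers if n.lower() != name.lower()]
            elif op == "insert":
                headers.append((name, value))
            else:  # replace: change only the value of the named field
                headers = [(n, value if n.lower() == name.lower() else v) for n, v in headers]
        return self.select_group(start_line), serialize(start_line, headers, body)
```

Erasing User-Agent before the message reaches the servers is the kind of edit header-erase is useful for: it keeps client software versions out of server logs without touching the fields that route the dialog (Via, Call-ID, CSeq).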
CLI CONFIGURATION EXAMPLE
The commands in the following example implement the SIP load balancing
configuration shown in Figure 62 on page 190.
The following commands configure the service groups:
AX(config)#slb service-group Registrar_gp udp
AX(config-slb service group)#member Registrar1:5060
AX(config-slb service group)#member Registrar2:5060
AX(config-slb service group)#exit
AX(config)#slb service-group sip5060 udp
AX(config-slb service group)#member Proxy3:5060
AX(config-slb service group)#member Proxy4:5060
AX(config-slb service group)#exit
The following commands configure the VIP for the SIP registrar:
AX(config)#slb virtual-server sip1 192.168.20.1
AX(config-slb virtual server)#port 5060 sip
AX(config-slb virtual server-slb virtua...)#service-group sip5060
AX(config-slb virtual server-slb virtua...)#template sip Registrar_template
Load Balancing for SIP over TCP/TLS
SIP clients send secure SIP requests over TLS. The requests are addressed
to a VIP configured on the AX device. The AX device forwards the requests
to the SIP servers over TCP. Likewise, when the AX device receives SIP
traffic from the SIP servers, the AX device forwards the traffic to the
appropriate clients over TLS.
SIP Multiplexing
You can use the AX device to multiplex SIP connections. This is useful in
cases where the SIP servers do not have enough capacity to maintain
separate connections for each SIP client. Figure 74 shows an example.
FIGURE 74 SIP Multiplexing
In this example, each SIP server can handle a maximum of 256 client
connections. However, there are 1000 SIP clients that use the VIP as their
SIP server.
To enable the SIP servers to be used with this many clients, the
connection-reuse feature is configured on the AX device. The AX device is
allowed to open a maximum of 100 connections to each server, but uses each
connection for multiple clients.
In this example, the AX device sends requests for 3 different clients before
receiving the reply to the first request.
To identify the client to which to forward the reply, the AX device examines
the X-Forwarded-For header in the reply.
Note: The operation of connection reuse for SIP over TCP is different from the
operation of connection reuse for HTTP. For HTTP, the AX device does
not free a connection after sending a client’s request. Instead, the AX
device frees the connection only after receiving a response to the request.
In order for the AX device to be used as a multiplexer for SIP over TCP/
TLS, the clients and SIP servers must meet certain requirements:
• The SIP clients must be able to send SIP pings.
• The SIP server must be able to reply to SIP pings, with SIP pongs.
• The SIP server must be able to include the X-Forwarded-For header, added
to the client’s request by the AX device, in replies to the client.
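The multiplexing mechanism described above, as an added simulation that is not code from the A10 guide: requests from several clients are tagged with X-Forwarded-For and sent on a shared server connection before earlier replies arrive, replies are mapped back to clients by the echoed header, client pings are answered locally, and a connection whose server pong is overdue is closed. No sockets are involved; the connection objects only track state. The CRLF framing used for ping and pong is an assumption (RFC 5626 keepalives), as are the constructed addresses and the small keep-alive-conn value chosen to force reuse.

```python
# Constructed client request (not from the guide); addresses are examples.
CLIENT_INVITE = (
    "INVITE sip:bob@10.1.54.4:5061 SIP/2.0\r\n"
    "Call-ID: call-9@10.0.0.5\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Assumed keepalive framing: a double CRLF ping answered by a single CRLF pong.
SIP_PING = "\r\n\r\n"
SIP_PONG = "\r\n"


class ServerConnection:
    """One reusable AX-to-server TCP connection (simulated state only)."""

    def __init__(self, conn_id, now):
        self.conn_id = conn_id
        self.last_pong = now    # last time the server answered a keepalive ping
        self.in_flight = 0      # requests sent whose replies have not arrived yet


class SipMultiplexer:
    def __init__(self, keep_alive_conn=100, reuse_timeout=2400):
        self.keep_alive_conn = keep_alive_conn   # connections to open before reusing
        self.reuse_timeout = reuse_timeout       # connection-reuse timeout, seconds
        self.connections = {}

    def _pick_connection(self, now):
        # Open fresh connections up to keep-alive-conn, then share the least loaded one.
        if len(self.connections) < self.keep_alive_conn:
            conn = ServerConnection(len(self.connections) + 1, now)
            self.connections[conn.conn_id] = conn
            return conn
        return min(self.connections.values(), key=lambda c: c.in_flight)

    def forward_request(self, client_addr, raw, now):
        """insert-client-ip: tag the request so its reply can be mapped back,
        then send it on a shared connection without waiting for earlier replies."""
        ip, port = client_addr
        head, sep, body = raw.partition("\r\n\r\n")
        tagged = f"{head}\r\nX-Forwarded-For: {ip}:{port}{sep}{body}"
        conn = self._pick_connection(now)
        conn.in_flight += 1
        return conn.conn_id, tagged

    def route_reply(self, conn_id, raw):
        """Identify the client from the X-Forwarded-For header the server echoed.
        Returns None when the server dropped the header: that reply cannot be delivered,
        which is why the server-side requirement above exists."""
        conn = self.connections[conn_id]
        conn.in_flight = max(0, conn.in_flight - 1)
        head = raw.partition("\r\n\r\n")[0]
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "x-forwarded-for":
                ip, _, port = value.strip().rpartition(":")
                return ip, int(port)
        return None

    def record_pong(self, conn_id, now):
        """The server answered a server-keep-alive ping on this connection."""
        self.connections[conn_id].last_pong = now

    def expire(self, now):
        """Close connections with no pong inside the connection-reuse timeout."""
        dead = [cid for cid, c in self.connections.items()
                if now - c.last_pong > self.reuse_timeout]
        for cid in dead:
            del self.connections[cid]
        return dead

    @staticmethod
    def answer_client_ping(raw):
        """client-keep-alive: answer a client's ping locally instead of forwarding it."""
        return SIP_PONG if raw == SIP_PING else None
```

With keep_alive_conn set to 2, the third client's request rides on the first connection while two replies are still outstanding, which is the behaviour the note contrasts with HTTP connection reuse.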
Client keepalive enables the AX device to reply to SIP pings sent by clients
instead of forwarding them to the SIP server. This feature is applicable
regardless of whether you use the AX device to multiplex SIP connections.
Server keepalive enables the AX device to generate SIP pings and send
them to the server. The AX device uses server keepalive to prevent the
reusable connections to the server from aging out. If the AX device does not
receive a pong before the connection-reuse timeout expires, the AX device
closes the connection. Server keepalives apply only to configurations that
include connection reuse, such as a configuration that uses the AX device as
a SIP multiplexer.
When a client sends a SIP request, the request is addressed to the virtual IP
address (VIP) and protocol port number configured on the AX device for
the SIP servers. The AX device translates the destination IP address and
port of the request from the VIP to the real IP address and port of a SIP
server. The AX device does not change the client IP address or source
protocol port number.
Likewise, when the AX device receives a SIP packet from a SIP server, the
AX device translates the source IP address and port from the server’s real IP
address and SIP port to the VIP address and port, then sends the packet to
the client.
By default, the AX device also translates the client IP address and protocol
port number where they are used in some other parts of the SIP packet.
However, the AX device does not translate server addresses or protocol port
numbers in the following headers:
• Call-ID header
• X-Forwarded-For header
You can disable translation in any of the following places in the packet:
• Start line
• Individual headers
• Body
• Configure a real server for each SIP server. Use the SIP protocol port
number on the server (for example, 5060) as the port number.
Use TCP as the protocol type. Use a Layer 4 TCP health monitor. When
you add the TCP port, the default TCP health monitor is automatically
applied to the port and enabled.
• Configure a service group containing the real servers.
USING THE GUI
The GUI items that are new in AX Release 2.2.2 are the additional options
for SIP templates, and the following new service types for virtual ports:
• SIP-TCP
• SIP-TLS
Otherwise, the GUI procedures for creating the configuration items needed
for SIP over TCP/TLS are the same as in previous releases.
The following figures show examples of the GUI configuration pages for
implementing the SIP multiplexing configuration shown in Figure 74 on
page 204.
FIGURE 78 Config > Service > SLB > Service Group
FIGURE 79 Config > Service > Template > Application > SIP
FIGURE 81 Config > Service > SSL Management - import certificate
FIGURE 83 Config > Service > Template > SSL > Client SSL
FIGURE 84 Config > Service > SLB > Virtual Server - Virtual Server Port
FIGURE 85 Config > Service > SLB > Virtual Server - port section contains virtual port configured on Virtual Server Port page (above)
This section shows the CLI commands that are specific to SIP configuration.
To Configure Real Servers
Note: In the current release, the SIP template options described below are valid
only for SIP over TCP/TLS. Other SIP template options, such as
header-insert, header-erase, and so on, are valid only for SIP over UDP.
insert-client-ip
This command inserts an “X-Forwarded-For: IP-address:port” header into
SIP packets from the client to the SIP server. The header contains the client
IP address and source protocol port number. The AX device uses the header
to identify the client when forwarding a server reply. This option is disabled
by default.
client-keep-alive
This command enables the AX device to respond to SIP pings from clients
on behalf of SIP servers. When this option is enabled, the AX device
responds to a SIP ping from a client with a “pong”. This option is disabled
by default.
server-keep-alive seconds
This command specifies how often the AX device sends a SIP ping on each
reusable connection with the SIP server. The AX device silently drops the
server’s pong reply.
If the server does not reply to a SIP ping within the connection-reuse
timeout, the AX device closes the connection. (The connection-reuse timeout
is configured by the timeout command at the configuration level for the
connection-reuse template.)
You can specify 5-300 seconds. The default is 30 seconds.
exclude-translation
{body | header string | start-line}
This command disables translation of the virtual IP address and virtual port
in specific portions of SIP messages:
• body – Does not translate virtual IP addresses and virtual ports in the
body of the message.
• header string – Does not translate virtual IP addresses and virtual ports
in the specified header.
• start-line – Does not translate virtual IP addresses and virtual ports in
the SIP request line or status line.
(For default information, see “SLB Network Address Translation for SIP
over TCP / TLS” on page 207.)
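The address translation and its exclusions, as an added Python model that is not code from the A10 guide: the server's real address and SIP port are rewritten to the VIP address and port in the start line, headers and body of a message, Call-ID and X-Forwarded-For are always left alone (the two headers the guide lists), and exclude-translation entries for body, start-line or a named header switch the rewrite off for that part. The same function translates a client request in the other direction. The constructed reply follows the guide's VIP 10.1.54.4:5061 and server port 5060; the server address 10.1.54.10 and client address are examples. Recomputing Content-Length after a body rewrite is this example's own choice, not something the guide describes.

```python
import re

# Headers the AX device never translates (the two the guide lists).
NEVER_TRANSLATED = {"call-id", "x-forwarded-for"}


def _address_pattern(ip, port):
    """Match ip or ip:port as a whole token (10.1.54.10 must not hit 10.1.54.100)."""
    return re.compile(rf"(?<![\w.]){re.escape(ip)}(?::{port})?(?![\d.])")


def translate_addresses(raw, src, dst, exclude=()):
    """Rewrite src=(ip, port) to dst=(ip, port) throughout a SIP message.

    exclude mirrors exclude-translation: "start-line", "body" or "header NAME"
    entries leave that part of the message untouched.
    """
    src_ip, src_port = src
    dst_ip, dst_port = dst
    pattern = _address_pattern(src_ip, src_port)

    def swap(match):
        # Keep the port only where the original carried one.
        return f"{dst_ip}:{dst_port}" if match.group(0).endswith(f":{src_port}") else dst_ip

    excluded = {e.strip().lower() for e in exclude}
    skip_headers = NEVER_TRANSLATED | {e.split(None, 1)[1] for e in excluded
                                       if e.startswith("header ")}

    head, sep, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    out = [start_line if "start-line" in excluded else pattern.sub(swap, start_line)]
    new_body = body if "body" in excluded else pattern.sub(swap, body)
    for line in header_lines:
        name = line.partition(":")[0].strip().lower()
        if name == "content-length":
            # A rewritten body may change length; keep the framing header honest
            # (this example's choice, not behaviour the guide describes).
            out.append(f"Content-Length: {len(new_body.encode())}")
        elif name in skip_headers:
            out.append(line)
        else:
            out.append(pattern.sub(swap, line))
    return "\r\n".join(out) + sep + new_body


# Constructed server reply with an SDP body (not from the guide).
SDP_BODY = "v=0\r\no=bob 1 1 IN IP4 10.1.54.10\r\nc=IN IP4 10.1.54.10\r\n"
SERVER_REPLY = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK-7\r\n"
    "Contact: <sip:bob@10.1.54.10:5060;transport=tcp>\r\n"
    "Call-ID: 7f1c@10.1.54.10\r\n"
    "X-Forwarded-For: 10.0.0.5:40211\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

if __name__ == "__main__":
    print(translate_addresses(SERVER_REPLY, ("10.1.54.10", 5060), ("10.1.54.4", 5061)))
```

Call-ID keeps the server's real address because it only has to stay unique for the dialog, and X-Forwarded-For must survive untouched for the reply to reach the right client; excluding an Authentication-style header, as the guide's CLI example does, prevents the rewrite from invalidating a digest computed over the original value.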
timeout minutes
This command specifies the number of minutes a SIP session can remain
idle before the AX device terminates it. You can specify 1-250 minutes. The
default is 30 minutes.
limit-per-server number
This command specifies the maximum number of reusable connections per
server port. You can specify 0-65535. 0 means unlimited. The default is
1000.
keep-alive-conn number
This command specifies the number of new reusable connections to open
before beginning to reuse existing connections. You can specify 1-1024
connections. The default is 100.
timeout seconds
This command specifies the maximum number of seconds a connection can
remain idle before it times out. You can specify 1-3600 seconds. The default
is 2400 seconds.
Before configuring the template, use the following command to import the
certificates and keys. Use this command at the global configuration level of
the CLI.
[no] slb ssl-load
{certificate file-name | private-key file-name}
[use-mgmt-port]
url
The use-mgmt-port option uses the AX device’s management route table
and management port to communicate with the remote server. Without this
option, the AX device uses the main route table and a data interface to
communicate with the remote server.
The url specifies the file transfer protocol (tftp:, ftp:, scp:, or rcp:),
username (if required), and directory path. You can enter the entire URL on
the command line or press Enter to display a prompt for each part of the URL.
If you enter the entire URL and a password is required, you will still be
prompted for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
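A parser for the four URL forms just listed, as an added example that is not code from the A10 guide. It accepts a user name only where the form allows one, an explicit port only for ftp, and flags which transports protect the file in transit: of the four, only scp encrypts, so a private key loaded over tftp, ftp or rcp crosses the network in the clear. The default port numbers are standard values the guide does not list, so treat them as assumptions; the host names in the test are examples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The forms the guide lists: tftp://host/file, ftp://[user@]host[:port]/file,
# scp://[user@]host/file, rcp://[user@]host/file.
_URL_RE = re.compile(
    r"^(?P<scheme>tftp|ftp|scp|rcp)://"
    r"(?:(?P<user>[^@/:]+)@)?"
    r"(?P<host>[^/:@]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"/(?P<path>.+)$"
)

# Standard ports (assumed; the guide does not state them).
DEFAULT_PORTS = {"tftp": 69, "ftp": 21, "scp": 22, "rcp": 514}


@dataclass(frozen=True)
class FileUrl:
    scheme: str
    user: Optional[str]
    host: str
    port: int
    path: str

    @property
    def transport_encrypted(self):
        # Only scp protects the certificate or key while it is copied.
        return self.scheme == "scp"


def parse_file_url(url):
    """Parse a tftp/ftp/scp/rcp file URL; raises ValueError on any form the CLI would not take."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a tftp/ftp/scp/rcp file URL: {url!r}")
    scheme, user, port = m["scheme"], m["user"], m["port"]
    if user and scheme == "tftp":
        raise ValueError("tftp URLs take no user name")
    if port and scheme != "ftp":
        raise ValueError("only ftp URLs accept an explicit port")
    port = int(port) if port else DEFAULT_PORTS[scheme]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return FileUrl(scheme, user, m["host"], port, m["path"])


def is_valid_file_url(url):
    try:
        parse_file_url(url)
        return True
    except ValueError:
        return False
```

The guide's own CLI example uses scp:, which is the form to prefer for the private-key loads in particular.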
service-group group-name
This command binds a service group to the virtual port.
CLI Example
The commands in this example implement the SIP multiplexing configuration
shown in Figure 74 on page 204, and show SIP SLB statistics.
The following commands access the configuration level of the CLI and
configure a SIP over TCP health monitor:
AX>enable
AX#config
AX(config)#health monitor sip-over-tcp
AX(config-health:monitor)#method sip tcp
The following commands configure the SIP template:
AX(config)#slb template sip siptls-tmplt
AX(config-SIP LB template)#insert-client-ip
AX(config-SIP LB template)#client-keep-alive
AX(config-SIP LB template)#select-client-fail "480 Temporarily Unavailable"
AX(config-SIP LB template)#select-server-fail "504 Server Time-out"
AX(config-SIP LB template)#exclude-translation header Authentication
AX(config-SIP LB template)#exit
The following commands import the certificates and keys to use for
authenticating SIP clients:
AX(config)#slb ssl-load certificate ca-cert.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
AX(config)#slb ssl-load private-key ca-certkey.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem
AX(config)#slb ssl-load certificate cert.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?cert.pem
AX(config)#slb ssl-load private-key certkey.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?certkey.pem
The following commands configure the virtual server:
AX(config)#slb virtual-server siptls-vip 10.1.54.4
AX(config-slb virtual server)#port 5061 sips
AX(config-slb virtual server-slb virtua...)#service-group siptls-sg
AX(config-slb virtual server-slb virtua...)#template sip siptls-tmplt
AX(config-slb virtual server-slb virtua...)#template connection-reuse siptls-tmplt
AX(config-slb virtual server-slb virtua...)#template client-ssl siptls-tmplt
The detail option shows statistics separately for each CPU. Without this
option, aggregate statistics are shown for all CPUs.
CLI Example
Disabling Reverse NAT Based on Destination IP Address
By default, the AX device performs reverse NAT on all traffic from a SIP
server before forwarding the traffic. Reverse NAT translates the source IP
address of return traffic from servers to clients back into the VIP address
before forwarding the traffic to clients.
However, if the SIP server needs to reach another server, and the traffic
must pass through the AX device, the destination server will receive the
traffic from the VIP address instead of the SIP server address.
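The reverse NAT decision described here, as an added Python model that is not code from the A10 guide: a packet leaving the SIP server's real address and port is source-translated to the VIP, unless a pass-real-server-ip-for-acl style ACL permits the destination, in which case the peer server sees the SIP server's own address. The ACL class implements the usual first-match, implicit-deny semantics, which is an assumption; the server address 10.1.54.10, peer 10.1.54.20 and client address are constructed, while the VIP 192.168.20.1 follows the guide's CLI example.

```python
import ipaddress


class Acl:
    """Minimal standard ACL: ordered permit/deny entries, first match wins,
    implicit deny at the end (usual semantics; an assumption for this example)."""

    def __init__(self, entries):
        self.entries = []
        for entry in entries:
            action, _, target = entry.partition(" ")
            if action not in ("permit", "deny"):
                raise ValueError(f"bad ACL entry: {entry!r}")
            net = ipaddress.ip_network("0.0.0.0/0" if target == "any" else target, strict=False)
            self.entries.append((action, net))

    def permits(self, address):
        addr = ipaddress.ip_address(address)
        for action, net in self.entries:
            if addr in net:
                return action == "permit"
        return False


def reverse_nat(packet, real, vip, bypass_acl=None):
    """Source-translate a packet leaving a SIP server.

    packet: dict with src, sport, dst, dport. real and vip are (ip, port) pairs.
    Packets not from the real server's SIP port pass through unchanged. With a
    bypass ACL (pass-real-server-ip-for-acl), a destination the ACL permits keeps
    the server's own address so the peer server sees who is really talking to it.
    """
    if (packet["src"], packet["sport"]) != real:
        return dict(packet)
    if bypass_acl is not None and bypass_acl.permits(packet["dst"]):
        return dict(packet)
    translated = dict(packet)
    translated["src"], translated["sport"] = vip
    return translated


# Constructed flows (not from the guide).
REAL = ("10.1.54.10", 5060)          # SIP server's real address and SIP port
VIP = ("192.168.20.1", 5060)         # VIP from the guide's CLI example
TO_CLIENT = {"src": "10.1.54.10", "sport": 5060, "dst": "10.0.0.5", "dport": 40211}
TO_PEER = {"src": "10.1.54.10", "sport": 5060, "dst": "10.1.54.20", "dport": 5060}
PEER_ACL = Acl(["permit 10.1.54.0/24", "deny any"])   # server-to-server range

if __name__ == "__main__":
    print(reverse_nat(TO_CLIENT, REAL, VIP, PEER_ACL))   # source becomes the VIP
    print(reverse_nat(TO_PEER, REAL, VIP, PEER_ACL))     # source stays the real server
    print(reverse_nat(TO_PEER, REAL, VIP))               # no ACL: peer sees the VIP
```

Keep the bypass ACL as narrow as the server-to-server range requires: every destination it permits receives the real server address, so a broad "permit any" would expose the backend address to clients as well.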
2. Configure a SIP template that disables reverse NAT based on the ACL.
4. Select the ACL from the Pass Real Server IP for ACL drop-down list.
CLI Example
The commands in this section are applicable to Figure 86.
The following commands bind the SIP template to the SIP virtual port:
AX(config)#slb virtual-server sip-vip 192.168.20.1
AX(config-slb vserver)#port 5060 sip
AX(config-slb vserver-vport)#template sip sip1
IP NAT for SIP
Note: Only the SIP signalling packets are NATted. The media packets are not
NATted.
3. Enable outside NAT on the interface connected to the external SIP servers.
CLI Example
The following configuration excerpt uses dynamic NAT.
access-list 1 permit any
!
interface ethernet 3
ip address 171.1.1.1 255.255.255.0
ip nat inside
!
interface ethernet 5
ip address 2.2.2.1 255.255.255.0
ip nat outside
!
ip nat pool xin 2.2.2.100 2.2.2.100 netmask /32
ip nat inside source list 1 pool xin
Overview
The AX device provides the following types of SSL optimization:
• SSL Offload – The AX device applies Layer 7 features to HTTPS traffic
per your configured HTTP template options, such as those described in
“HTTP Options for SLB” on page 131.
• SSL proxy – The AX device acts as a Layer 4 SSL proxy for TCP services
such as POPS, SMTPS, IMAPS, and LDAPS.
SSL offload uses service type (virtual port type) HTTPS, and supports deep
packet inspection and header manipulation. SSL proxy uses service type
SSL-proxy and provides Layer 4 SLB but does not provide deep packet
inspection or header manipulation.
Configuring Client SSL
Implement SSL proxy if the following are true:
• The traffic will be SSL-secured traffic over TCP, but not necessarily
HTTPS traffic.
• Layer 7 features are not required.
2. Configure a client SSL template and add the certificate and key to it.
– In the URL field, enter the directory path and filename.
– If needed, change the protocol port number in the Port field. By default, the default port number for the selected file transfer protocol is used.
– In the User and Password fields, enter the username and password
required for access to the remote server.
f. Click Open. The path and filename appear in the Source field.
g. If applicable, repeat the steps above for the private key.
h. Click OK. The certificate and key appear in the certificate and key
list.
2. To configure a client SSL template and add the certificate and key to it:
a. Select Configure > Service > Template.
b. Select SSL > Client SSL from the menu bar.
c. Click Add.
d. On the Client SSL tab, enter a name for the template in the Name
field.
e. In the Certificate Name drop-down list, select the certificate you
imported in the previous step.
f. In the Key Name field, select the private key you imported in the
previous step.
g. If the files are secured with a passphrase, enter the passphrase.
h. Click OK. The new template appears in the Client SSL template
table.
FIGURE 87 Configure > Service > SSL Management - Import (for the certificate)
FIGURE 88 Configure > Service > Template > SSL > Client SSL
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
The following commands configure a client SSL template to use the certificate and key:
AX(config)#slb template client-ssl sslcert-tmplt
AX(config-client SSL template)#cert sslcert.crt
AX(config-client SSL template)#key sslcertkey.pem
AX(config-client SSL template)#exit
Configuring HTTPS Offload
3. Configure a service group for the servers and add them to the group.
5. Configure a virtual server and add a virtual port that has the service type https. Bind the service-group to the virtual port and to the HTTP template (if configured) and client-SSL template.
Note: If traffic between the servers and AX device also will be encrypted, you also need to configure a server-SSL template and bind it to the virtual port. In configurations that use both client-SSL and server-SSL, use the HTTPS/SSL port number in the real server configuration.
If only client-SSL is used, use the HTTP port number in the real server configuration. Use the HTTPS/SSL port number in the virtual server configuration.
Beginning in AX Release 2.4.x, server-SSL without client-SSL is supported. However, in this case, the service type of the virtual port must be HTTP, not HTTPS.
g. Select the health monitor, if your configuration will use one.
h. Click Add. The port appears in the Port list.
i. Click OK. The server appears in the server table.
j. Repeat for each real server.
2. To configure a service group for the servers and add them to the group:
a. Select Service Group on the menu bar.
b. Click Add.
c. On the Service Group tab, enter a name for the service group.
d. In the Type drop-down list, select TCP, if not already selected.
e. Select the health monitor, if your configuration will use one.
f. On the Port tab, select a server from the Server drop-down list.
g. Enter the service port in the Port field.
h. Click Add. The port appears in the list.
i. Repeat step f through step h for each server.
j. Click OK. The new service group appears in the service group table.
FIGURE 90 Configure > Service > SLB > Service Group
FIGURE 91 Configure > Service > SLB > Virtual Server
FIGURE 92 Configure > Service > SLB > Virtual Server - Port tab
2. To configure a service group for the servers and add them to the group,
use the following commands:
slb service-group group-name tcp
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.
4. To configure a virtual server and HTTPS virtual port, use the following
commands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-number https
Enter this command at the configuration level for the virtual server.
service-group group-name
template http template-name
template client-ssl template-name
Enter these commands at the configuration level for the virtual port to
bind the port to the service group and the application templates.
The following commands configure a service group for the HTTPS servers:
AX(config)#slb service-group HTTPS_servers tcp
AX(config-slb service group)#member HTTPS1:80
AX(config-slb service group)#member HTTPS2:80
AX(config-slb service group)#exit
Configuring the SSL Proxy Feature
The following commands configure the VIP to which clients will send
HTTPS traffic:
AX(config)#slb virtual-server v1 10.6.6.6
AX(config-slb virtual server)#port 443 https
AX(config-slb virtual server-slb virtua...)#service-group HTTPS_servers
AX(config-slb virtual server-slb virtua...)#template http HTTPS_1
AX(config-slb virtual server-slb virtua...)#template client-ssl sslcert-tmplt
3. Configure a service group for the servers and add them to the group.
4. Configure a virtual server and add a virtual port that has the service type ssl-proxy. Bind the service-group to the virtual port and to the client-SSL template.
2. To configure a service group for the servers and add them to the group:
a. Select Service Group on the menu bar.
b. Click Add.
c. On the Service Group tab, enter a name for the service group.
d. In the Type drop-down list, select TCP, if not already selected.
e. Select the health monitor, if your configuration will use one.
f. On the Port tab, select a server from the Server drop-down list.
g. Enter the service port in the Port field.
h. Click Add. The port appears in the list.
i. Repeat step f through step h for each server.
j. Click OK. The new service group appears in the service group table.
GUI CONFIGURATION EXAMPLE
FIGURE 94 Configure > Service > SLB > Service Group
FIGURE 95 Configure > Service > SLB > Virtual Server
FIGURE 96 Configure > Service > SLB > Virtual Server - Port tab
2. To configure a service group for the servers and add them to the group,
use the following commands:
slb service-group group-name tcp
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.
3. To configure a virtual server and port for the TCP service, use the following commands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-number ssl-proxy
Enter this command at the configuration level for the virtual server.
service-group group-name
template client-ssl template-name
Enter these commands at the configuration level for the virtual port.
CLI CONFIGURATION EXAMPLE
The following commands configure proxy SSL for POPS. The same commands can be used to configure SSL proxy for other TCP services. In each case, the feature is enabled by the ssl-proxy option of the port command at the virtual server configuration level of the CLI.
The following commands configure a service group for the POP servers:
AX(config)#slb service-group POP_servers tcp
AX(config-slb service group)#member POP1:110
AX(config-slb service group)#member POP2:110
AX(config-slb service group)#exit
The following commands configure the VIP to which clients will send
POPS traffic:
AX(config)#slb virtual-server v1 10.6.6.6
AX(config-slb virtual server)#port 110 ssl-proxy
AX(config-slb virtual server-slb virtua...)#service-group POP_servers
AX(config-slb virtual server-slb virtua...)#template client-ssl sslcert-tmplt
Overview
AX Series devices support the STARTTLS feature. STARTTLS is an extension to SMTP that enables you to secure mail traffic to and from your legacy SMTP servers. SMTP itself does not provide any security.
FIGURE 97 STARTTLS
Additional SMTP Security Options
In addition to providing encryption of mail traffic for clients, the AX
STARTTLS feature has additional security options:
• Require STARTTLS – By default, client use of STARTTLS is optional. You can configure the AX to require STARTTLS. In this case, before any mail transactions are allowed, the client must issue the STARTTLS command to establish a secured session.
If the client does not issue the STARTTLS command, the AX sends the following message to the client: “530 - Must issue a STARTTLS command first”
• Disable SMTP commands – By default, the VRFY, EXPN, and TURN commands are allowed. You can disable support of any of these commands. In this case, if the client tries to issue a disabled SMTP command, the AX sends the following message to the client: “502 - Command not implemented”
Domain Switching
By default, SMTP traffic from all client domains is sent to the same service
group. You can configure multiple service groups and send traffic to the
groups based on the client domain. For example, you can send SMTP traffic
from clients in domain "CorpA" to a different service group than SMTP
traffic from clients in domain "CorpB".
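The following Python model, added here as an example and not part of this guide or of A10's code, walks a constructed SMTP command transcript through the two security options and the domain switching described above. Which domain the device keys on (assumed here to be the HELO/EHLO argument) and every reply other than the 530 and 502 texts quoted above are assumptions, not documented product behaviour.

```python
"""SMTP policy model for the AX STARTTLS options (added example, not A10's
code), reconstructed from the guide's text:
  * require STARTTLS: until the client issues STARTTLS, mail transactions
    are refused with "530 - Must issue a STARTTLS command first";
  * disabled commands: VRFY, EXPN and TURN are allowed by default; a
    disabled one is refused with "502 - Command not implemented";
  * domain switching: the service group is chosen by client domain. The
    guide does not say which domain the device keys on; this model assumes
    the HELO/EHLO argument.
Replies other than the 530 and 502 texts are standard SMTP codes and are
not taken from the guide.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

DISABLEABLE = frozenset({"VRFY", "EXPN", "TURN"})
MAIL_TRANSACTION = frozenset({"MAIL", "RCPT", "DATA"})
REQUIRE_STARTTLS_REPLY = "530 - Must issue a STARTTLS command first"
DISABLED_COMMAND_REPLY = "502 - Command not implemented"


@dataclass
class SmtpTemplate:
    """The SMTP template options described in the guide."""
    require_starttls: bool = False
    disabled_commands: FrozenSet[str] = frozenset()
    domain_groups: Dict[str, str] = field(default_factory=dict)
    default_group: str = "SMTP_servers"

    def __post_init__(self) -> None:
        unknown = set(self.disabled_commands) - DISABLEABLE
        if unknown:
            raise ValueError("only %s can be disabled, got %s"
                             % (sorted(DISABLEABLE), sorted(unknown)))


@dataclass
class SmtpSession:
    """One client connection through the SMTP VIP."""
    template: SmtpTemplate
    tls_active: bool = False
    client_domain: Optional[str] = None
    service_group: Optional[str] = None

    def __post_init__(self) -> None:
        # Before the client names a domain, the default group applies.
        self.service_group = self.template.default_group

    def handle(self, line: str) -> Tuple[str, bool]:
        """Apply the template to one client command line.

        Returns (reply, forwarded). forwarded=True means the command is passed
        on to the selected service group and `reply` is only a placeholder for
        the real server's own reply.
        """
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in self.template.disabled_commands:
            return DISABLED_COMMAND_REPLY, False
        if verb == "STARTTLS":
            if self.tls_active:
                return "503 - Bad sequence of commands", False
            self.tls_active = True  # the TLS handshake with the AX follows here
            return "220 Ready to start TLS", False
        if verb in ("EHLO", "HELO"):
            self.client_domain = arg.strip().lower()
            self.service_group = self.template.domain_groups.get(
                self.client_domain, self.template.default_group)
        if (verb in MAIL_TRANSACTION and self.template.require_starttls
                and not self.tls_active):
            return REQUIRE_STARTTLS_REPLY, False
        return "250 OK (forwarded to %s)" % self.service_group, True


def run_transcript(template: SmtpTemplate, lines: List[str]) -> List[str]:
    """Replay client command lines through one session; return the replies."""
    session = SmtpSession(template)
    return [session.handle(line)[0] for line in lines]


if __name__ == "__main__":
    # Constructed template: STARTTLS required, VRFY/EXPN disabled, mail from
    # the CorpA domain sent to its own service group.
    hardened = SmtpTemplate(require_starttls=True,
                            disabled_commands=frozenset({"VRFY", "EXPN"}),
                            domain_groups={"corpa.example": "CorpA_servers"})
    transcript = ["EHLO corpa.example", "MAIL FROM:<alice@corpa.example>",
                  "VRFY postmaster", "STARTTLS",
                  "MAIL FROM:<alice@corpa.example>"]
    for cmd, reply in zip(transcript, run_transcript(hardened, transcript)):
        print("C: %-34s S: %s" % (cmd, reply))
```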
Configuring STARTTLS
To configure STARTTLS:
1. Import a certificate and its key to use for TLS sessions with clients.
2. Configure a client SSL template and add the certificate and its key to it.
3. Configure a real server for each SMTP server and add the SMTP port to
the server.
4. Configure a service group for the SMTP servers and add them to the
group.
6. Configure a virtual server and port for the SMTP address to which clients will send SMTP traffic, and add the SMTP service group and SMTP template to the port.
In the GUI, most of the configuration steps (step 1 through step 4 above) for
STARTTLS are the same as those for SSL proxy support. (See “Configuring
the SSL Proxy Feature” on page 237.)
6. Click OK. The new template appears in the SMTP template table.
To configure a virtual server for STARTTLS (step 6 above):
1. Select Configure > Service > SLB.
3. Click Add.
4. In the General section, enter general settings for the virtual server:
a. Enter a name for the virtual server.
b. In the IP address field, enter the VIP address.
FIGURE 99 Config > Service > Template > Application > SMTP
FIGURE 100 Config > Service > SLB > Virtual Server - Port section
Enter this command at the global Config level.
cert cert-name
Enter this command at the configuration level for the client SSL template.
key key-name [passphrase passphrase-string]
3. To configure a real server for an SMTP server, use the following commands:
slb server server-name ipaddr
Enter this command at the global Config level.
port port-num tcp
Enter this command at the configuration level for the real server.
4. To configure a service group for the SMTP servers and add them to the
group, use the following commands:
slb service-group group-name tcp
Enter this command at the global Config level.
member server-name [priority number]
Enter this command at the configuration level for the service group.
6. To configure a virtual server and port for the SMTP address to which clients will send SMTP traffic, add the SMTP service group, and add the SMTP and client SSL templates to the port, use the following commands:
slb virtual-server name ipaddr
Enter this command at the global Config level.
port port-num smtp
Enter this command at the configuration level for the virtual server.
service-group group-name
template smtp template-name
template client-ssl template-name
Enter these commands at the configuration level for the virtual port.
The following commands configure a client SSL template to use the certificate and key:
AX(config)#slb template client-ssl mailcert-tmplt
AX(config-client SSL template)#cert starttls.crt
AX(config-client SSL template)#key tlscertkey.pem
AX(config-client SSL template)#exit
The following commands configure a service group for the SMTP servers:
AX(config)#slb service-group SMTP_servers tcp
AX(config-slb service group)#member SMTP1:25
AX(config-slb service group)#member SMTP2:25
AX(config-slb service group)#exit
The following commands configure the VIP to which mail clients will send
SMTP traffic:
AX(config)#slb virtual-server v1 10.1.1.1
AX(config-slb virtual server)#port 25 smtp
AX(config-slb virtual server-slb virtua...)#service-group SMTP_servers
AX(config-slb virtual server-slb virtua...)#template client-ssl mailcert-tmplt
AX(config-slb virtual server-slb virtua...)#template smtp starttls-tmplt
Overview
AX Series devices support content-aware load balancing of the following
widely used streaming-media types:
• Real Time Streaming Protocol (RTSP)
Note: The AX Series also supports load balancing of Session Initiation Protocol
(SIP) sessions. For information, see “SIP Load Balancing” on page 189.
FIGURE 101 Streaming-Media Load Balancing
In this example, a server farm provides streaming content in both RTSP and
MMS format. All the servers are allowed to serve HTTP and HTTPS
requests. Two of the servers (stream-rs2 and stream-rs3) are configured to
serve RTSP and MMS requests.
Service Groups
This example uses the following service groups:
• all80-grp – The servers in this service group provide HTTP and HTTPS
service. In this example, all the servers are members of this service
group.
• rtsp554-grp – The servers in this service group provide RTSP content.
Configuring Streaming-Media SLB
Note: Using separate service groups makes it easier to adapt the configuration
when the server farm grows. For example, if RTSP and MMS content is
separated onto different servers, the membership of the RTSP group can
easily be edited to include only the RTSP servers, and so on.
Templates
By default, the default TCP template is applied to RTSP and MMS traffic.
(For information, see “TCP Template Parameters” on page 864.)
Health Monitors
This example uses the default Layer 3 health check (ping) and the default
Layer 4 TCP health check.
3. Configure the virtual server by adding virtual service ports for the
streaming-media services.
Most of the configuration procedures are the same as the configuration pro-
cedures for other types of SLB.
3. Click Add.
6. Click OK.
When configuring the virtual server, select RTSP or MMS as the service
port type.
CLI CONFIGURATION EXAMPLE
The following commands configure the service groups:
AX(config)#slb service-group all80-grp tcp
AX(config-slb service group)#member stream-rs1:80
AX(config-slb service group)#member stream-rs1:443
AX(config-slb service group)#member stream-rs2:80
AX(config-slb service group)#member stream-rs2:443
AX(config-slb service group)#member stream-rs3:80
AX(config-slb service group)#member stream-rs3:443
AX(config-slb service group)#exit
AX(config)#slb service-group rtsp554-grp tcp
AX(config-slb service group)#member stream-rs2:554
AX(config-slb service group)#member stream-rs3:554
AX(config-slb service group)#exit
AX(config)#slb service-group mms1755-grp tcp
AX(config-slb service group)#member stream-rs2:1755
AX(config-slb service group)#member stream-rs3:1755
AX(config-slb service group)#exit
This chapter describes Layer 4 load balancing of TCP and UDP traffic and
how to configure it.
Note: The Layer 4 load balancing described in this chapter requires you to specify the protocol port numbers to be load balanced. To load balance traffic based solely on transport protocol (TCP, UDP, or other), see “IP Protocol Load Balancing” on page 269.
Overview
In addition to load balancing for well-known and widely used types of services such as HTTP, HTTPS, and FTP, AX devices also support Layer 4 load balancing for custom applications. If a service you need to load balance is not one of the well-known service types recognized by the AX device, you still can configure Layer 4 TCP or UDP load balancing for the service.
FIGURE 102 Layer 4 SLB
Layer 4 load balancing balances traffic based on the transport protocol (TCP
or UDP) and the protocol port number. The payload of the UDP or TCP
packets is not examined.
Note: To configure deeper packet inspection for custom applications, you can
use aFleX policies. For example, you can configure an aFleX policy to
examine the byte value at a certain position within each client request
packet and select a server based on the value of the byte. For information
about aFleX policies, see the AX Series aFleX Reference.
SERVICE GROUPS
This example uses a single service group that contains all the real servers.
The service group uses the default load balancing method (round robin).
VIRTUAL SERVER
The custom application on the real servers is accessed at TCP port 1020 by
clients through virtual IP address 192.168.55.55.
TEMPLATES
The AX device has default TCP and UDP templates. You can use the
default template or configure another TCP or UDP template and use that
one instead. If your Layer 4 load balancing configuration is for a TCP application and you do not bind a TCP template to the virtual port, the default TCP template is used. For a UDP application, the default UDP template is used unless you bind another UDP template to the virtual port.
One of the parameters you can configure in TCP and UDP templates is the
idle time. Depending on the requirements of your application, you can
reduce or increase the amount of time the AX device allows a session to
remain idle.
For more information about the parameters controlled by TCP and UDP
templates, see the following sections:
• “TCP Template Parameters” on page 864
Configuring Layer 4 Load Balancing
HEALTH MONITORS
This example uses the default Layer 3 and Layer 4 health monitors. The
Layer 3 monitor (Ping) and the applicable Layer 4 monitor (TCP or UDP)
are enabled by default when you configure the real server and real service
ports.
Note: You can create an external health monitor using a script and import the
monitor onto the AX device. For information, see “Health Monitoring” on
page 381.
2. Configure a service group. Add the real servers, service port, and any
custom templates to the group.
5. Configure the virtual server. Bind the virtual service port on the virtual
server to the service group and custom templates, if configured.
2. To configure the service group:
a. Select Config > Service > SLB, if not already selected.
b. Select Service Group on the menu bar.
c. Click Add.
d. In the Service Group section, enter a name for the service group.
e. In the Type drop-down list, select the transport protocol for the
application, TCP or UDP.
f. In the Server section, select a server from the Server drop-down list.
g. Enter the protocol port number in the Port field.
h. Click Add.
i. Repeat step f through step h for each server and port.
j. Click OK. The service group appears in the Service Group table.
d. Enter a name for the virtual server.
e. In the IP Address field, enter the virtual IP address to which clients
will send requests.
f. Select or enter other general settings as needed.
g. In the Port section, click Add. The Virtual Server Port section
appears.
h. In the Type drop-down list, select the transport protocol for the
application, TCP or UDP.
i. Enter the application port number in the Port field.
j. If you configured any custom templates, select them from the drop-
down lists for each template type.
k. Enter or select other values as needed.
l. Click OK. The port appears in the port section.
m. Click OK again. The virtual server appears in the virtual server list.
3. To configure a custom TCP or UDP template, use the following commands at the global configuration level of the CLI:
slb template tcp template-name
slb template udp template-name
These commands create the template and change the CLI to the configuration level for the template, where additional commands are available. (See “TCP Template Parameters” on page 864 or “UDP Template Parameters” on page 867. Also see the “Config Commands: SLB Templates” chapter in the AX Series CLI Reference.)
CLI EXAMPLE
Overview
IP protocol load balancing enables you to easily load balance traffic based solely on whether the traffic is TCP, UDP, or other (not UDP or TCP), without the need to specify the protocol port numbers to be load balanced.
You can combine IP protocol load balancing with other load balancing configurations. For example, you can use IP protocol load balancing along with HTTP load balancing. In this case, HTTP traffic to the VIP HTTP port number is load balanced separately from traffic to other port numbers.
FIGURE 103 IP Protocol Load Balancing
This example uses separate service groups for each of the following types of
traffic:
• HTTP traffic addressed to TCP port 80 is sent to service group http-grp.
• All TCP traffic addressed to any TCP port except port 80 is sent to service group tcp-grp.
• All UDP traffic, addressed to any UDP port, is sent to service group
udp-grp.
• All other traffic (all non TCP/UDP traffic) is sent to service group others-grp.
Although this example shows separate service groups for each type of traffic, you can use the same service group for multiple traffic types.
Health checking does not apply to the wildcard port. When you configure IP
protocol load balancing, make sure to disable health checking of port 0. If
you leave health checking enabled, the port will be marked down and the
client’s request therefore will not be serviced.
SLB NAT
For client request traffic to which IP protocol load balancing applies, the
AX device translates only the destination IP address, not the protocol port
number. The AX device translates the destination IP address in the request
from the VIP address to a real server’s IP address. The AX device then
sends the request to the same protocol port number as the one requested by
the client. (Likewise, the AX device does not translate the port number to
“0”.)
Template Support
Direct Server Return
2. Configure the service group(s). To add members (real servers) for traffic
to which IP protocol load balancing will apply, specify 0 as the protocol
port for the member.
3. Configure the virtual server. Bind virtual port 0 to the service group(s)
that have members for port 0. Specify one of the following as the service
type:
• TCP
• UDP
• Others
Note: For load balancing of non-TCP/UDP traffic, you can specify TCP or UDP
as the transport protocol, in the configurations of the real server ports and
service groups. If the port number is 0 and the service type on the virtual
port is “others”, the AX device will load balance the traffic as non-TCP/
UDP traffic.
2. In the Service Group section, enter 0 as the port number on the Service
Group page.
3. In the Virtual Server Port section (Config > Service > SLB > Virtual
Server), select TCP, UDP, or Others in the Type drop-down list.
The following commands configure the real servers shown in Figure 103 on
page 270.
For simplicity, the example assumes that only the default TCP health check is used for port 80. Health checking does not apply to the wildcard port number and is therefore disabled. Health checking of other, explicitly specified port numbers is still supported as in previous releases.
AX(config)#slb server rs1 10.10.10.21
AX(config-real server)#port 80 tcp
AX(config-real server)#exit
AX(config)#slb server rs2 10.10.10.22
AX(config-real server)#port 80 tcp
AX(config-real server)#exit
AX(config)#slb server rs3 10.10.20.21
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs4 10.10.20.22
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs5 10.10.30.21
AX(config-real server)#port 0 udp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs6 10.10.30.22
AX(config-real server)#port 0 udp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs7 10.10.40.21
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
AX(config)#slb server rs8 10.10.40.22
AX(config-real server)#port 0 tcp
AX(config-real server)#no health-check
AX(config-real server)#exit
The following commands configure the virtual server.
AX(config)#slb virtual-server vip1 192.168.2.1
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#service-group http-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 0 tcp
AX(config-slb virtual server-slb virtua...)#service-group tcp-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 0 udp
AX(config-slb virtual server-slb virtua...)#service-group udp-grp
AX(config-slb virtual server-slb virtua...)#exit
AX(config-slb virtual server)#port 0 others
AX(config-slb virtual server-slb virtua...)#service-group tcp-others
To display configuration information and statistics, you can use the same
show commands used for other types of SLB:
show slb virtual
show slb server
show slb service-group
show session
Configuring a Wildcard VIP
Wildcard VIPs
You can create SLB configurations that use wildcard VIPs and wildcard virtual ports. A wildcard VIP matches on any destination IP address. Likewise, a wildcard virtual port matches on any port number.
You can use wildcard VIPs for all types of load balancing:
• SLB
• IP load balancing
Note: Use of wildcard VIPs and interface-based SYN cookies is not supported.
IPv4 wildcard VIPs have IP address 0.0.0.0. IPv6 wildcard VIPs have
address :: (double colon). Wildcard protocol ports have port number 0.
You can configure multiple wildcard VIPs and wildcard ports. The AX device allows multiple VIPs to have IP address 0.0.0.0 or ::. Likewise, multiple ports that have port number 0 are allowed.
Note: The ACL acts as a “catch-all”, and treats any IP address permitted by the ACL, and received on the promiscuous VIP interface, as a wildcard VIP. A10 Networks recommends that you use the most restrictive ACL possible, to permit only the IP addresses that should be treated as VIPs and deny all other IP addresses.
If you do not configure a default wildcard VIP, traffic that does not match
any of the ACLs bound to the other wildcard VIPs is forwarded at
Layer 2/3, if applicable.
AX Release 2.0.2 and later supports forwarding of wildcard VIP traffic that is not bound to a service group. The AX device creates a session for the traffic and forwards it at Layer 2/3. This feature is useful in mixed wildcard virtual server environments where Layer 4-7 features apply to certain VIPs and Layer 2/3 forwarding applies to other traffic.
In AX releases prior to 2.0.2, Layer 4 traffic for a wildcard VIP that is not
bound to a service group is dropped.
4. In the General section, enter a name for the virtual server in the Name
field.
5. Select the Wildcard checkbox next to the Name field. Selecting this
checkbox causes the Access List drop-down list to appear in place of the
IP Address field.
7. Select the IP version, IPv4 or IPv6.
2. Click on the interface name to display the configuration sections for the
interface.
5. Click OK.
FIGURE 104 Config > Service > SLB > Virtual Server - wildcard VIP
configuration
FIGURE 105 Config > Network > Interface - VIP section
To configure a wildcard VIP, use the following command at the global configuration level of the CLI:
For an IPv4 wildcard VIP, enter IP address 0.0.0.0. For an IPv6 wildcard
VIP, enter IP address :: (double colon).
If you specify an ACL, the ACL is used to control the clients allowed to
access the VIPs and the VIP addresses managed by the wildcard VIP. The
source address in the ACL filters the clients. The destination address in the
ACL filters the VIPs.
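The following is an added example, not code from the A10 guide: a small Python model of how the ACL bound to a wildcard VIP decides which packets the AX device claims as VIP traffic. It contrasts the permit-anything “catch-all” ACL the note above warns about with a restrictive ACL that names only the intended VIP addresses. The entry format, first-match evaluation, implicit deny, and all addresses below are assumptions of this model, not the device's implementation.

```python
"""Added example, not from the A10 guide: a model of how an ACL bound to a
wildcard VIP decides what gets treated as VIP traffic.  The entry format,
first-match evaluation and implicit deny are assumptions of this model."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # source prefix: filters the clients
    dst: str     # destination prefix: filters the addresses treated as VIPs


def _in(prefix: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def acl_action(entries, src_ip, dst_ip) -> str:
    """First matching entry wins; nothing matching is an implicit deny."""
    for e in entries:
        if _in(e.src, src_ip) and _in(e.dst, dst_ip):
            return e.action
    return "deny"


def vip_addresses_captured(entries, packets):
    """Return the set of destination addresses the wildcard VIP would claim
    for the given (src, dst) packets, i.e. those permitted by the ACL."""
    return {dst for src, dst in packets if acl_action(entries, src, dst) == "permit"}


# Constructed sample traffic: clients in 10.10.10.0/24 talking to two
# intended VIP addresses and to an unrelated admin host on the same subnet.
PACKETS = [
    ("10.10.10.5", "192.168.2.1"),
    ("10.10.10.6", "192.168.2.2"),
    ("10.10.10.7", "192.168.2.250"),   # admin host on the VIP subnet, not a VIP
    ("172.16.0.9", "192.168.2.1"),     # client outside the permitted range
]

# The catch-all ACL turns every destination into a VIP; the restrictive ACL
# permits only the two addresses that are meant to be load balanced.
CATCH_ALL = [AclEntry("permit", "0.0.0.0/0", "0.0.0.0/0")]
RESTRICTIVE = [
    AclEntry("permit", "10.10.10.0/24", "192.168.2.1/32"),
    AclEntry("permit", "10.10.10.0/24", "192.168.2.2/32"),
]

if __name__ == "__main__":
    print("catch-all  :", sorted(vip_addresses_captured(CATCH_ALL, PACKETS)))
    print("restrictive:", sorted(vip_addresses_captured(RESTRICTIVE, PACKETS)))
```

Running the model shows why the note recommends the most restrictive ACL possible: with the catch-all ACL the admin host's address 192.168.2.250 is silently handled as a VIP, while the restrictive ACL claims only 192.168.2.1 and 192.168.2.2 and leaves other addresses to normal Layer 2/3 forwarding.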
To enable promiscuous VIP support, use the following command at the configuration level for each interface connected to clients:
[no] ip allow-promiscuous-vip
Configuration Examples
• TCP
• Fast-HTTP
• HTTP
• HTTPS
• SSL-proxy
• SMTP
In this example, a server farm consisting of IPv6 and IPv4 servers is configured with an IPv6 VIP address. IPv6 clients send requests to the IPv6 VIP. The AX device then selects an IPv6 or IPv4 server and forwards the client’s request to the selected server. If the server is an IPv4 server, the AX device translates the IP protocol of the client’s request from IPv6 to IPv4 before forwarding it to the IPv4 server. Likewise, when the AX device receives the server’s reply, the AX device translates the reply from IPv4 to IPv6, then forwards the reply to the client.
If the deployment also will send IPv4 client requests to IPv6 servers, an
IPv6 pool is also required.
For simplicity, the CLI example below uses a single IPv4 NAT pool. Following the example, the “Examples Using Multiple Source NAT Pools” on page 288 section describes how to use multiple pools.
CLI Example
Note: For simplicity, this example uses only a single pool. If multiple pools are used, ACLs are also required. The ACLs must match on the client IP address(es) as the source address. If the real servers and VIP are in different subnets, the ACLs also must match on the real server IP address(es) as the destination address. (For more information, see “Examples Using Multiple Source NAT Pools” on page 288. Also see the “Network Address Translation” chapter in the AX Series Configuration Guide.)
The following commands configure the IPv4 real servers. For simplicity, all
the IPv4 and IPv6 servers have the same real ports.
AX(config)#slb server v4server-1 192.168.217.10
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 53 udp
AX(config-real server-node port)#exit
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 25 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server v4server-2 192.168.217.11
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 53 udp
AX(config-real server-node port)#exit
AX(config-real server)#port 443 tcp
AX(config-real server-node port)#exit
AX(config-real server)#port 25 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
The following commands import an SSL certificate and key, and configure
a client-SSL template to use them. The AX device will use the certificate
and key to terminate SSL sessions between clients and the VIP.
AX(config)#slb ssl-load certificate sslcert.pem scp:
Address or name of remote host []?10.10.10.2
User name []?axadmin
Password []?*********
File name [/]?sslcert.pem
AX(config)#slb ssl-load private-key certkey.pem scp:
Address or name of remote host []?10.10.10.2
User name []?axadmin
Password []?*********
File name [/]?certkey.pem
AX(config)#slb template client-ssl cssl
AX(config-client SSL template)#cert sslcert.pem
AX(config-client SSL template)#key certkey.pem
AX(config-client SSL template)#exit
The example shown above uses only a single NAT pool, for access to the
IPv4 servers. If multiple pools are used, then different CLI syntax is
required.
First, IPv6 ACLs that match on the client IP address(es) are configured. A
separate ACL is required for each NAT pool.
AX(config)#ipv6 access-list v6acl-1
AX(config-access-list:v6acl-1)#permit ipv6 2001:32::/96 any
AX(config-access-list:v6acl-1)#exit
AX(config)#ipv6 access-list v6acl-2
AX(config-access-list:v6acl-2)#permit ipv6 2001:64::/96 any
AX(config-access-list:v6acl-2)#exit
The following commands access the configuration level for a virtual port on
the VIP and configure the port to use the IPv4 pools:
AX(config)#slb virtual-server v6vip 2001:32::2020:2000
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#access-list name v6acl-1 source-nat-pool v4natpool-1
AX(config-slb virtual server-slb virtua...)#access-list name v6acl-2 source-nat-pool v4natpool-2
Each of the access-list commands binds one of the IPv6 ACLs to the virtual
port. The source-nat-pool option used with each command binds an IPv4
pool to the ACL. When the AX device receives a request for the VIP, the
AX device matches the client address against the source addresses in the
ACLs. The AX device then uses the IPv4 NAT pool bound to the first
matching ACL.
The AX device translates the client’s request from an IPv6 packet into an
IPv4 packet. The AX device replaces the client’s IPv6 address with an IPv4
address from the selected pool. The IPv6 VIP address is replaced with the
server’s IPv4 address.
If the client’s address does not match the source address in any of the ACLs,
the request is dropped.
Note: This is different from the behavior if a single NAT pool is used. If only
one NAT pool is bound to the virtual port, the pool is used if the client’s
IP type (IPv4 or IPv6) is not the same as the IP type of the selected server.
Otherwise, if the IP type of the client and the selected server is the same,
SLB-PT is not required for the request. The request is sent to the server
with the client’s original IP address.
It is not required to use pools of the same IP type as the IP type used by clients. For example, IPv6 pools are not required for IPv6 clients.
Using pools of the same IP type as the client IP type provides a way to control access to the real servers. When multiple pools are bound to a virtual port, the client’s IP address must match the source address in at least one of the ACLs associated with the pools. Otherwise, the client’s traffic is dropped.
Note: In the case of IPv4, IPv4 pools are still required if the VIP and the real
servers are in different IPv4 subnets. For more information, see the
“Source NAT for Servers in Other Subnets” section in the “Network
Address Translation” chapter of the AX Series Configuration Guide.
This example builds on the example in “Multiple IPv4 Pools” on page 288. The virtual port will have 4 pools: 2 IPv4 pools and 2 IPv6 pools. Each of the IPv6 ACLs will be bound to an IPv4 pool and an IPv6 pool. If SLB selects an IPv4 server, the IPv4 pool bound to the ACL that matches the client’s IP address will be used. Likewise, if SLB selects an IPv6 server, the IPv6 pool bound to the ACL will be used.
The following commands bind the IPv6 NAT pools to the virtual port:
AX(config-slb virtual server-slb virtua...)#access-list name v6acl-1 source-nat-pool v6natpool-1
AX(config-slb virtual server-slb virtua...)#access-list name v6acl-2 source-nat-pool v6natpool-2
Stateless Load-Balancing Methods
Stateless SLB
If the AX device is running short on sessions, you can use stateless SLB
where applicable to make more sessions available for traffic that requires
session table entries.
• Other types of traffic that do not require features that use session-table
entries. (See “Limitations” on page 292.)
Limitations
Stateless SLB is not valid for the following features or traffic types:
• Rate limiting
• ACLs
• IP source NAT
• HA session synchronization
• Layer 3 DSR
• SLB-PT
• IPv6
A given real server can be used in only one stateless SLB service group. A
real server that is in a stateless SLB service group can not be used in any
other service groups.
Mega-proxies may interfere with equal balancing of traffic load among the multiple data CPUs. In this case, for DNS traffic only, try using the stateless-per-pkt-round-robin method.
On the service group configuration page, select one of the following from
the Algorithm drop-down list:
• Stateless Source IP+Port Hash
USING THE CLI
To enable stateless SLB for a service group, use one of the following
options with the method command, at the configuration level for the service
group:
• stateless-dst-ip-hash
• stateless-src-dst-ip-hash
• stateless-src-ip-hash
• stateless-per-pkt-round-robin
• stateless-src-ip-only-hash
Configuration of the real servers and virtual server is the same as for stateful
SLB.
CLI Example
The following commands configure a stateless SLB service group for UDP
traffic:
AX(config)#slb service-group dns-stateless udp
AX(config-slb svc group)#member dns1:53
AX(config-slb svc group)#member dns2:53
AX(config-slb svc group)#method stateless-src-dst-ip-hash
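The following is an added example, not code from the A10 guide, illustrating what “stateless” means for the methods listed above: the member is a pure function of packet fields (or of a packet counter), so no session-table entry is consumed and a flow still lands on the same member packet after packet. The hash function (CRC-32), which fields each method hashes, and the member names are assumptions of this toy, not the AX device's algorithm; in particular it reads the GUI label “Source IP+Port Hash” as the meaning of stateless-src-ip-hash.

```python
"""Added example, not from the A10 guide: a toy of the stateless selection
methods.  The hash and the fields hashed per method are assumptions."""
import zlib


class StatelessBalancer:
    def __init__(self, members, method):
        self.members = list(members)   # e.g. ["dns1:53", "dns2:53"]
        self.method = method
        self._rr = 0                   # the only state: per-packet round-robin counter

    @staticmethod
    def _hash(*fields):
        # Deterministic hash of the chosen fields (CRC-32 is an assumption).
        return zlib.crc32("|".join(str(f) for f in fields).encode())

    def select(self, src_ip, src_port, dst_ip, dst_port):
        """Return the member that serves this packet."""
        n = len(self.members)
        if self.method == "stateless-per-pkt-round-robin":
            idx = self._rr % n              # every packet moves to the next member
            self._rr += 1
        elif self.method == "stateless-src-ip-only-hash":
            idx = self._hash(src_ip) % n
        elif self.method == "stateless-src-ip-hash":   # GUI: Source IP+Port Hash
            idx = self._hash(src_ip, src_port) % n
        elif self.method == "stateless-dst-ip-hash":
            idx = self._hash(dst_ip, dst_port) % n
        elif self.method == "stateless-src-dst-ip-hash":
            idx = self._hash(src_ip, dst_ip) % n
        else:
            raise ValueError(f"unknown method {self.method}")
        return self.members[idx]


def is_flow_stable(balancer, packets):
    """True when every packet of one flow lands on the same member, which
    hash-based methods guarantee without storing any session state."""
    return len({balancer.select(*p) for p in packets}) == 1


# Constructed DNS flow: one client repeating queries to the VIP.
FLOW = [("10.1.1.1", 5353, "192.168.2.1", 53)] * 3

if __name__ == "__main__":
    for method in ("stateless-src-dst-ip-hash", "stateless-per-pkt-round-robin"):
        b = StatelessBalancer(["dns1:53", "dns2:53"], method)
        print(method, [b.select(*p) for p in FLOW])
```

The per-packet round-robin method is the one exception: it spreads even a single flow across members, which is why the guide limits it to DNS, where each query is an independent packet. The limitations listed above follow from the same property: anything that needs per-flow state (rate limiting, source NAT, HA session synchronization) has no session entry to attach to.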
When the AX device receives a request from a client, the AX device uses
SLB load balancing to select one of the WAN links. The AX device then
uses source IP NAT to translate the client’s private IP address into a public
IP address, then sends the client’s request to the next-hop router for the
selected WAN link.
When the AX device receives the server’s reply to the client’s request, the
AX device translates the destination IP address from the NAT address back
into the client’s private IP address, then forwards the reply to the client.
The pools do not need to contain more than a few addresses. The AX device
internally uses a separate protocol port number for each client session on a
pool address.
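The following is an added example, not code from the A10 guide, modelling the outbound link load balancing flow just described: a link is selected by SLB, the client's private address is translated to an address from the link's NAT pool with a distinct port per session, and the reply is mapped back from that address and port to the client. Round-robin link selection, the fixed link-to-pool mapping, the port allocation scheme, and the addresses are assumptions of this model (the guide's own example binds the pools through a pool group).

```python
"""Added example, not from the A10 guide: a model of outbound LLB with
source NAT.  Link selection, link-to-pool mapping and port allocation are
this model's assumptions."""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    next_hop: str     # next-hop router for this WAN link
    pool: list        # public addresses in this link's NAT pool


class LinkLoadBalancer:
    FIRST_PORT = 1024  # assumed start of the per-address port range

    def __init__(self, links):
        self.links = links
        self._link_rr = 0
        self._addr_rr = {l.name: 0 for l in links}
        self._next_port = {a: self.FIRST_PORT for l in links for a in l.pool}
        self.sessions = {}   # (client_ip, client_port, dst_ip, dst_port) -> (next_hop, nat_ip, nat_port)
        self.reverse = {}    # (nat_ip, nat_port) -> (client_ip, client_port)

    def outbound(self, client_ip, client_port, dst_ip, dst_port):
        """Select a link for a new session and allocate a NAT address:port;
        packets of an existing session reuse its entry."""
        key = (client_ip, client_port, dst_ip, dst_port)
        if key in self.sessions:
            return self.sessions[key]
        link = self.links[self._link_rr % len(self.links)]   # SLB picks the link
        self._link_rr += 1
        addr = link.pool[self._addr_rr[link.name] % len(link.pool)]
        self._addr_rr[link.name] += 1
        port = self._next_port[addr]     # a separate port per session on that address
        self._next_port[addr] += 1
        entry = (link.next_hop, addr, port)
        self.sessions[key] = entry
        self.reverse[(addr, port)] = (client_ip, client_port)
        return entry

    def inbound(self, nat_ip, nat_port):
        """Translate a reply's destination back to the private client address."""
        return self.reverse.get((nat_ip, nat_port))


# Links and pools shaped like the guide's LLB CLI example.
LLB = LinkLoadBalancer([
    Link("link-101", "192.168.10.1", ["192.168.10.3", "192.168.10.4"]),
    Link("link-201", "192.168.20.1", ["192.168.20.3", "192.168.20.4"]),
])

if __name__ == "__main__":
    print(LLB.outbound("10.10.10.5", 40000, "203.0.113.10", 443))
    print(LLB.outbound("10.10.10.6", 40001, "203.0.113.10", 443))
```

Two pool addresses per link are enough because each session gets its own port on the chosen address, which is the point the paragraph above makes: the address count does not bound the session count, the port range does.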
4. Configure a real server for each link to be load balanced. Add wildcard
ports (TCP 0, UDP 0, or both) to the server.
Note: You can use Layer 3 health checking (ICMP ping) to check the health of the router’s IP interface. However, the configuration requires health checking to be disabled on the wildcard ports added for a router. The router will not respond to these health checks. If you leave health checking enabled on the wildcard ports, the AX device will mark the ports down and LLB will not work.
5. Configure a service group for the links (real servers). If the real server
configurations for the links have both TCP and UDP ports, configure a
service group for TCP and another service group for UDP.
CLI Example
The following commands configure the IP source NAT pools and pool
group:
AX(config)#ip nat pool nat10 192.168.10.3 192.168.10.4 netmask /24
AX(config)#ip nat pool nat20 192.168.20.3 192.168.20.4 netmask /24
AX(config)#ip nat pool-group outbound-nat-group nat10 nat20
Note: For simplicity, this example uses a single Ethernet port for each interface
to the clients and the next-hop routers. You also can use trunk interfaces,
virtual Ethernet (VE) interfaces, or both.
AX(config)#interface ethernet 3
AX(config-if: ethernet3)#ip address 10.10.10.1 255.255.255.0
AX(config-if: ethernet3)#ip allow-promiscuous-vip
AX(config-if: ethernet3)#exit
AX(config)#interface ethernet 4
AX(config-if: ethernet4)#ip address 10.20.20.1 255.255.255.0
AX(config-if: ethernet4)#ip allow-promiscuous-vip
AX(config-if: ethernet4)#exit
The following commands configure a real server for each link to be load
balanced:
AX(config)#slb server link-101 192.168.10.1
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb server link-201 192.168.20.1
AX(config-real server)#port 0 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#port 0 udp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config-real server)#exit
Overview
The AX Series supports Transparent Cache Switching (TCS). TCS enables you to improve server response times by redirecting client requests for content to cache servers containing the content.
In this example, a client sends a request for content that is hosted by the
content server. The AX device redirects the client’s request to the cache
server. If the cache server has the requested content, the cache server sends
the content to the AX device, which sends the content to the client.
If the content is cacheable, but the cache server does not have the requested
content or the content is stale, the cache server requests the content from the
content server, caches the content, then sends the content to the AX device,
which sends the content to the client.
Granularity of TCS
If your network uses multiple cache servers, you can configure destination-
IP persistence, to always select the same cache server for content from a
given destination IP address. This technique reduces cache misses, by
ensuring that requests for a given site IP address always go to the same
cache server.
For even greater control, you can configure the AX device to select from
among multiple cache service groups based on the requested URL. When
combined with destination-IP persistence, this method allows you to control
initial selection of the cache service group, after which the AX device
always sends requests for the same content to the same cache server within
the cache service group.
Application Templates
TCS does not require configuration of any application templates. However, you can use the following types of application templates for advanced features, such as URL-based Layer 7 TCS:
• HTTP template – If you want to selectively redirect client requests
based on URL strings, you can use an HTTP template containing URL
switching rules. When a client request matches the URL string in a URL
switching rule, the AX device selects the service group specified in the
URL switching rule, instead of the service group bound to the virtual
port.
For example, you can configure a URL switching rule that matches on
any URL that contains “.mycorp/”. In this case, requests for any URL
that contains “.mycorp/” are sent to the service group that contains the
cache server. Requests for other URLs are sent to the gateway router
instead.
In a Layer 7 TCS configuration that uses URL switching, a separate real
server is required for the gateway router, and the real server is required
to be placed in its own service group. The gateway router’s service
group is used as the default service group for the virtual port. Client
requests to a URL that does not match a URL switching rule are sent to
the gateway router’s service group instead of the cache server’s service
group.
• Destination-IP persistence template – In deployments that use multiple
cache servers, you can use a destination-IP persistence template to
ensure that the same cache server is used for every request for content
on a given content server. The AX device uses standard SLB to select a
cache server for the first request to a real server IP address, and assigns a
hash value to the server. All subsequent requests for the same real server
are sent to the same cache server.
By always using the same cache server for content from a given server, a
destination-IP persistence template can reduce duplication of content on
multiple cache servers, and can also reduce cache misses.
• RAM caching template – To also cache some content on the AX device
itself, you can use a RAM caching template. In this case, the AX device
directly serves content that is cached on the AX device, and only sends
requests to the cache server for content that is not cached on the AX
device.
• Connection reuse template – You can use a connection reuse template to reuse TCP connections. When a client’s session ends, the TCP connection is not terminated. Instead, the connection is reused for a new client session.
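The following is an added example, not code from the A10 guide, that models the two selection stages described in the HTTP template and destination-IP persistence bullets above: a URL switching rule chooses the service group (with the gateway router's group as the default), and destination-IP persistence then pins each content-server address to the cache server that standard SLB chose for its first request. Substring matching on the URL, round-robin as the “standard SLB” first pick, and the group and server names are assumptions of this model.

```python
"""Added example, not from the A10 guide: a model of Layer 7 TCS selection
with URL switching rules and destination-IP persistence.  Names, the
substring rule match and round-robin first selection are assumptions."""


class Layer7Tcs:
    def __init__(self, default_group, url_rules, groups):
        self.default_group = default_group   # the gateway router's service group
        self.url_rules = url_rules           # [(url substring, service group), ...]
        self.groups = {g: list(m) for g, m in groups.items()}
        self._rr = {g: 0 for g in groups}    # "standard SLB" round-robin per group
        self._sticky = {}                    # (group, content server ip) -> cache server

    def select_group(self, url):
        """URL switching: first rule whose string appears in the URL wins;
        otherwise the default service group bound to the virtual port."""
        for needle, group in self.url_rules:
            if needle in url:
                return group
        return self.default_group

    def select_server(self, group, dest_ip):
        """Destination-IP persistence: the first request for a content server
        address is load balanced normally and the result is remembered."""
        key = (group, dest_ip)
        if key not in self._sticky:
            members = self.groups[group]
            self._sticky[key] = members[self._rr[group] % len(members)]
            self._rr[group] += 1
        return self._sticky[key]

    def route(self, url, dest_ip):
        """Return (service group, member) for one client request."""
        group = self.select_group(url)
        return group, self.select_server(group, dest_ip)


# Constructed deployment: requests for ".mycorp/" go to the cache service
# group, everything else to the gateway router's group.
TCS = Layer7Tcs(
    default_group="sg-router",
    url_rules=[(".mycorp/", "sg-tcs")],
    groups={"sg-tcs": ["cache-1", "cache-2"], "sg-router": ["router"]},
)

if __name__ == "__main__":
    for url, ip in [("http://www.mycorp/index.html", "198.51.100.10"),
                    ("http://www.mycorp/img/logo.png", "198.51.100.11"),
                    ("http://www.mycorp/about.html", "198.51.100.10"),
                    ("http://example.net/", "203.0.113.8")]:
        print(url, "->", TCS.route(url, ip))
```

The third request in the sample shows the persistence effect: it is a different URL, but the same content-server address, so it goes back to cache-1 rather than advancing the round-robin, which is what keeps the two cache servers from both fetching and storing the same site's content.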
Some cache servers can use the client’s IP address instead of the cache server’s IP address as the source address when obtaining content requested by the client. A cache server operating in this mode is a spoofing cache server. Configuration for a spoofing cache server includes a couple of additional steps. (See “Enabling Support for Cache Spoofing” on page 314.)
High Availability Support
You can deploy TCS in High Availability (HA) configurations. For an example of TCS deployed in Layer 3 inline mode of HA, see “Configuring IPv4 TCS in High Availability Layer 3 Inline Mode” on page 315.
Configuring Layer 4 TCS
2. Configure an extended ACL that uses the permit action and that matches
on client addresses as the source address, and on the content server
address as the destination address.
3. Configure a real server for the cache server. Add the TCP or UDP port;
for example, TCP port 80.
If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support.
4. Configure a service group for the cache server and add the cache server
to it.
6. If the cache server will spoof client IP addresses when requesting content from content servers, enable cache spoofing support on the AX interface connected to the cache server, and on the real server (cache server).
CLI Example
The following commands configure the AX interface to the client. Promiscuous VIP is enabled on the interface.
AX(config)#trunk 4
AX(config-trunk:4)#ethernet 3 to 4
AX(config-trunk:4)#exit
AX(config)#vlan 4
AX(config-vlan:4)#tagged ethernet 3 to 4
AX(config-vlan:4)#router-interface ve 4
AX(config-vlan:4)#exit
AX(config)#interface ve 4
AX(config-if:ve4)#ip address 192.168.19.1 255.255.255.0
AX(config-if:ve4)#ip allow-promiscuous-vip
AX(config-if:ve4)#exit
The following commands configure a real server for the cache server. TCP
port 80 is added to the real server.
AX(config)#slb server cache-rs 110.110.110.10
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
The following commands configure a service group for the cache server:
AX(config)#slb service-group sg-tcs tcp
AX(config-slb svc group)#member cache-rs:80
AX(config-slb svc group)#exit
The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 tcp
AX(config-slb vserver-vport)#service-group sg-tcs
AX(config-slb vserver-vport)#no-dest-nat
Configuring Layer 7 TCS
Figure 110 on page 308 shows an example of the first method, which does not use URL switching rules. Figure 111 on page 309 shows an example of the second method, which does use URL switching rules.
FIGURE 110 Layer 7 TCS Without URL Switching Rules
FIGURE 111 Layer 7 TCS Using URL Switching Rules
2. Configure an extended ACL that uses the permit action and that matches
on client addresses as the source address, and on the content server
address as the destination address.
3. Configure a real server for the cache server. Add the TCP port; for
example, TCP port 80.
4. Configure a service group for the cache server and add the cache server
to it.
CLI Example
The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#service-group sg-tcs
AX(config-slb vserver-vport)#no-dest-nat
2. Configure an extended ACL that uses the permit action and that matches
on client addresses as the source address, and on the content server
address as the destination address.
3. Configure a real server for the cache server. Add the TCP or UDP port;
for example, TCP port 80.
4. Configure a real server for the next-hop router through which the AX
device will reach the content servers. Add the same TCP port number as
the one on the cache server (for example, TCP port 80). Disable health
checking on the port.
5. Configure a service group for the cache server and add the cache server
to it.
6. Configure a separate service group for the router, and add the router to
it.
CLI Example
ACL, and the real server and service group for the cache server, are the
same as those used in the Layer 4 TCS example, and are therefore not
shown.
The following commands configure a real server for the gateway router:
AX(config)#slb server router 10.10.10.20
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
The following commands configure a wildcard VIP and bind it to the ACL:
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#service-group sg-router
AX(config-slb vserver-vport)#template http http1
AX(config-slb vserver-vport)#no-dest-nat
CLI Example
shown. The other commands are the same as those shown in the previous
sections.
The following commands configure the VIP. The commands are the same as
those used for Layer 7 TCS, with the addition of a command to bind the
destination-IP persistence template to the virtual port.
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template http http1
AX(config-slb vserver-vport)#service-group sg-router
AX(config-slb vserver-vport)#no-dest-nat
AX(config-slb vserver-vport)#template persist destination-ip d-sticky
AX(config-slb vserver-vport)#exit
AX(config-slb vserver)#exit
2. In the real server configuration for the cache server, enable spoof caching support. In the CLI, enter the following command at the configuration level for the real server:
spoofing-cache
CLI Example
The commands in this section enable cache spoofing support for the TCS
configuration shown in Figure 112.
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#ip address 110.110.110.254 255.255.255.0
AX(config-if:ethernet5)#ip cache-spoofing-port
AX(config-if:ethernet5)#exit
AX(config)#slb server cache-rs 110.110.110.10
AX(config-real server)#spoofing-cache
AX(config-real server)#port 80 tcp
Configuring IPv4 TCS in High Availability Layer 3 Inline Mode
Interface Parameters
HA Parameters
This configuration uses the following HA parameters. The last two in this
list apply specifically to inline mode. The other HA parameters apply to all
types of HA configurations.
• HA ID – AX-1 uses HA ID 1. AX-2 uses HA ID 2.
• Restart port list – Interfaces 1 to 5 and interface 9 are designated as inline-mode restart ports. This includes the AX interfaces with the client, cache servers, and content server. Interface 6 is the dedicated HA link between the AX devices and is not included in the restart list.
SLB Parameters
• Members – Add the real servers configured for the cache servers.
Note: In the current release, client sessions will be reset if an HA failover
occurs. In most cases, the reset will not be noticeable. However, if a client
is downloading a large file, the reset may be noticeable, because the
download progress is not retained after the session is reset.
Templates
For simplicity, the sample configuration in this section does not use any
custom templates. For information about the templates that can be used with
TCS, see “Application Templates” on page 302.
AX-1 Configuration
The following commands configure the links:
AX-1(config)#trunk 1
AX-1(config-trunk:1)#ethernet 1 to 2 ethernet 9
AX-1(config-trunk:1)#trunk 3
AX-1(config-trunk:3)#ethernet 3 to 4
AX-1(config-trunk:3)#vlan 11
AX-1(config-vlan:11)#untagged ethernet 3 to 6
AX-1(config-vlan:11)#tagged ethernet 1 to 2 ethernet 9
AX-1(config-vlan:11)#router-interface ve 1
AX-1(config-vlan:11)#interface ethernet 1
AX-1(config-if:ethernet1)#cpu-process
AX-1(config-if:ethernet1)#interface ethernet 3
AX-1(config-if:ethernet3)#ip allow-promiscuous-vip
AX-1(config-if:ethernet3)#cpu-process
AX-1(config-if:ethernet3)#interface ethernet 5
AX-1(config-if:ethernet5)#ip cache-spoofing-port
AX-1(config-if:ethernet5)#cpu-process
AX-1(config-if:ethernet5)#interface ethernet 6
AX-1(config-if:ethernet6)#cpu-process
AX-1(config-if:ethernet6)#interface ve 1
AX-1(config-if:ve1)#ip address 10.10.10.1 255.255.255.0
AX-1(config-if:ve1)#ip allow-promiscuous-vip
AX-1(config-if:ve1)#exit
The following commands configure static routes. One of the routes goes to
the subnet on the other side of the router that connects the AX device to the
content servers. The other static route goes to the subnet on the other side of
the router that connects the AX device to the client. CPU processing is also
enabled on the routes.
AX-1(config)#ip route 20.20.20.0 /24 10.10.10.20 cpu-process
AX-1(config)#ip route 192.168.19.0 /24 10.10.10.254 cpu-process
The following command configures an extended ACL that uses the permit
action and that matches on client addresses as the source address, and on the
content server address as the destination address:
AX-1(config)#access-list 198 permit ip any host 20.20.20.11 log
The following commands configure real servers for the cache servers:
AX-1(config)#slb server cache1 10.10.10.10
AX-1(config-real server)#spoofing-cache
AX-1(config-real server)#port 80 tcp
AX-1(config-real server-node port)#exit
AX-1(config-real server)#exit
AX-1(config)#slb server cache2 10.10.10.11
AX-1(config-real server)#spoofing-cache
AX-1(config-real server)#port 80 tcp
AX-1(config-real server-node port)#exit
AX-1(config-real server)#exit
The following commands configure a service group for the real servers:
AX-1(config)#slb service-group sg-cache-80 tcp
AX-1(config-slb svc group)#member cache1:80
AX-1(config-slb svc group)#member cache2:80
AX-1(config-slb svc group)#exit
The following commands configure the virtual server:
AX-1(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX-1(config-slb vserver)#ha-group 1
AX-1(config-slb vserver)#port 80 tcp
AX-1(config-slb vserver-vport)#service-group sg-cache-80
AX-1(config-slb vserver-vport)#no-dest-nat
AX-1(config-slb vserver-vport)#ha-conn-mirror
AX-2 Configuration
Most of the commands on AX-2 are the same as the ones on AX-1, with the
following exceptions:
• The ip address command on the VE adds a unique IP address (not the
address of the other AX device).
• The ha id command assigns HA ID 2 instead of HA ID 1.
AX-2(config)#ip route 20.20.20.0 /24 10.10.10.20 cpu-process
AX-2(config)#ip route 192.168.19.0 /24 10.10.10.254 cpu-process
AX-2(config)#access-list 198 permit ip any host 20.20.20.11 log
AX-2(config)#ha id 2
AX-2(config)#ha group 1 priority 180
AX-2(config)#ha interface ethernet 1
AX-2(config)#ha interface ethernet 3
AX-2(config)#ha interface ethernet 6
AX-2(config)#ha conn-mirror ip 10.10.10.1
AX-2(config)#ha preemption-enable
AX-2(config)#floating-ip 10.10.10.250 ha-group 1
AX-2(config)#ha l3-inline-mode
AX-2(config)#ha restart-port-list ethernet 1 to 5 ethernet 9
AX-2(config)#slb server cache1 10.10.10.10
AX-2(config-real server)#spoofing-cache
AX-2(config-real server)#port 80 tcp
AX-2(config-real server-node port)#exit
AX-2(config-real server)#exit
AX-2(config)#slb server cache2 10.10.10.11
AX-2(config-real server)#spoofing-cache
AX-2(config-real server)#port 80 tcp
AX-2(config-real server-node port)#exit
AX-2(config-real server)#exit
AX-2(config)#slb service-group sg-cache-80 tcp
AX-2(config-slb svc group)#member cache1:80
AX-2(config-slb svc group)#member cache2:80
AX-2(config-slb svc group)#exit
AX-2(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX-2(config-slb vserver)#ha-group 1
AX-2(config-slb vserver)#port 80 tcp
AX-2(config-slb vserver-vport)#service-group sg-cache-80
AX-2(config-slb vserver-vport)#no-dest-nat
AX-2(config-slb vserver-vport)#ha-conn-mirror
Configuring IPv6 TCS in High Availability Layer 3 Inline Mode
The configuration requirements and syntax are the same as for IPv4. The
only difference is use of IPv6 addresses instead of IPv4 addresses.
AX-1 Configuration
The following commands configure the links.
AX-1(config)#trunk 1
AX-1(config-trunk:1)#ethernet 5 to 6
AX-1(config-trunk:1)#vlan 21
AX-1(config-vlan:21)#untagged ethernet 1 to 3
AX-1(config-vlan:21)#router-interface ve 1
AX-1(config-vlan:21)#vlan 22
AX-1(config-vlan:22)#untagged ethernet 2
AX-1(config-vlan:22)#router-interface ve 22
AX-1(config-vlan:22)#vlan 56
AX-1(config-vlan:56)#untagged ethernet 5 to 6
AX-1(config-vlan:56)#router-interface ve 56
AX-1(config-vlan:56)#interface ethernet 1
AX-1(config-if:ethernet1)#cpu-process
AX-1(config-if:ethernet1)#interface ethernet 2
AX-1(config-if:ethernet2)#cpu-process
AX-1(config-if:ethernet2)#ip cache-spoofing-port
AX-1(config-if:ethernet2)#interface ethernet 3
AX-1(config-if:ethernet3)#cpu-process
AX-1(config-if:ethernet3)#interface ethernet 5
AX-1(config-if:ethernet5)#cpu-process
AX-1(config-if:ethernet5)#interface ve 1
AX-1(config-if:ve1)#ipv6 address 2309:e90::2/64
AX-1(config-if:ve1)#ip allow-promiscuous-vip
AX-1(config-if:ve1)#interface ve 22
AX-1(config-if:ve22)#ipv6 address 2409:c90::1/64
AX-1(config-if:ve22)#interface ve 56
AX-1(config-if:ve56)#ipv6 address 2509:c90::1/64
AX-1(config-if:ve56)#ip address 3.3.3.2 255.255.255.0
AX-1(config-if:ve56)#exit
On models AX 5100 and AX 5200, when configured in HA inline mode,
all traffic going through the system is examined by the CPU for processing.
Packets are not directly forwarded by the Layer 2/3 ASIC before
examination by the CPU.
The following commands configure static routes. One of the routes goes to
the subnet on the other side of the router that connects the AX device to the
content servers. The other static route goes to the subnet on the other side of
the router that connects the AX device to the client. CPU processing is also
enabled on the routes.
AX-1(config)#ipv6 route 2309:d90::/32 2309:e90::1
AX-1(config)#ipv6 route 2309:f90::/32 2309:e90::3
The following commands configure an IPv6 ACL that uses the permit
action and that matches on client addresses as the source address, and on the
content server address as the destination address:
AX-1(config)#ipv6 access-list ipv6-101
AX-1(config-access-list:ipv6-101)#permit ipv6 any host 2309:f90::10 log
AX-1(config-access-list:ipv6-101)#exit
The following commands configure ICMP health checking for the upstream
and downstream routers. The health checks help ensure rapid HA failover.
(See “Tip for Ensuring Fast HA Failover” on page 612.) The custom ICMP
health monitor configured above is also used.
AX-1(config)#slb server up-router 2309:e90::1
AX-1(config-real server)#health-check icmp
AX-1(config-real server)#exit
AX-1(config)#slb server down-router 2309:e90::3
AX-1(config-real server)#health-check icmp
AX-1(config-real server)#exit
The following commands configure real servers for the cache servers:
AX-1(config)#slb server cache1-ipv6 2409:c90::5
AX-1(config-real server)#spoofing-cache
AX-1(config-real server)#health-check icmp
AX-1(config-real server)#port 80 tcp
AX-1(config-real server-node port)#exit
AX-1(config-real server)#exit
AX-1(config)#slb server cache2-ipv6 2409:c90::6
AX-1(config-real server)#spoofing-cache
AX-1(config-real server)#health-check icmp
AX-1(config-real server)#port 80 tcp
AX-1(config-real server-node port)#exit
AX-1(config-real server)#exit
The following commands configure a service group for the real servers
(cache servers):
AX-1(config)#slb service-group cache-ipv6 tcp
AX-1(config-slb svc group)#member cache1-ipv6:80
AX-1(config-slb svc group)#member cache2-ipv6:80
AX-1(config-slb svc group)#exit
AX-2 Configuration
Here are the configuration commands for AX-2. Most of the commands are
exactly the same as on AX-1. Only the following values differ:
• IP addresses of the VEs
• HA priority
AX-2(config)#trunk 1
AX-2(config-trunk:1)#ethernet 5 to 6
AX-2(config-trunk:1)#vlan 21
AX-2(config-vlan:21)#untagged ethernet 1 to 3
AX-2(config-vlan:21)#router-interface ve 1
AX-2(config-vlan:21)#vlan 22
AX-2(config-vlan:22)#untagged ethernet 2
AX-2(config-vlan:22)#router-interface ve 22
AX-2(config-vlan:22)#vlan 56
AX-2(config-vlan:56)#untagged ethernet 5 to 6
AX-2(config-vlan:56)#router-interface ve 56
AX-2(config-vlan:56)#interface ethernet 1
AX-2(config-if:ethernet1)#cpu-process
AX-2(config-if:ethernet1)#interface ethernet 2
AX-2(config-if:ethernet2)#cpu-process
AX-2(config-if:ethernet2)#ip cache-spoofing-port
AX-2(config-if:ethernet2)#interface ethernet 3
AX-2(config-if:ethernet3)#cpu-process
AX-2(config-if:ethernet3)#interface ethernet 5
AX-2(config-if:ethernet5)#cpu-process
AX-2(config-if:ethernet5)#interface ve 1
AX-2(config-if:ve1)#ipv6 address 2309:e90::4/64
AX-2(config-if:ve1)#ip allow-promiscuous-vip
AX-2(config-if:ve1)#interface ve 22
AX-2(config-if:ve22)#ipv6 address 2409:c90::2/64
AX-2(config-if:ve22)#interface ve 56
AX-2(config-if:ve56)#ipv6 address 2509:c90::2/64
AX-2(config-if:ve56)#ip address 3.3.3.3 255.255.255.0
AX-2(config-if:ve56)#exit
AX-2(config)#ipv6 route 2309:d90::/32 2309:e90::1
AX-2(config)#ipv6 route 2309:f90::/32 2309:e90::3
AX-2(config)#ipv6 access-list ipv6-101
AX-2(config-access-list:ipv6-101)#permit ipv6 any host 2309:f90::10 log
AX-2(config-access-list:ipv6-101)#exit
AX-2(config)#ha id 1 set-id 1
AX-2(config)#ha l3-inline-mode
AX-2(config)#ha group 1 priority 100
AX-2(config)#ha interface ethernet 1 server-interface no-heartbeat
AX-2(config)#ha interface ethernet 3 router-interface no-heartbeat
AX-2(config)#ha interface ethernet 5
AX-2(config)#ha restart-port-list ethernet 1 ethernet 3
AX-2(config)#ha conn-mirror ip 3.3.3.2
AX-2(config)#ha preemption-enable
AX-2(config)#floating-ip 2409:c90::100 ha-group 1
AX-2(config)#floating-ip 2309:e90::100 ha-group 1
AX-2(config)#health monitor icmp interval 1 timeout 1
AX-2(config)#slb server up-router 2309:e90::1
AX-2(config-real server)#health-check icmp
AX-2(config-real server)#exit
AX-2(config)#slb server down-router 2309:e90::3
AX-2(config-real server)#health-check icmp
AX-2(config-real server)#exit
AX-2(config)#slb server cache1-ipv6 2409:c90::5
AX-2(config-real server)#spoofing-cache
AX-2(config-real server)#health-check icmp
AX-2(config-real server)#port 80 tcp
AX-2(config-real server-node port)#exit
AX-2(config-real server)#exit
AX-2(config)#slb server cache2-ipv6 2409:c90::6
AX-2(config-real server)#spoofing-cache
AX-2(config-real server)#health-check icmp
AX-2(config-real server)#port 80 tcp
AX-2(config-real server-node port)#exit
AX-2(config-real server)#exit
AX-2(config)#slb service-group cache-ipv6 tcp
AX-2(config-slb svc group)#member cache1-ipv6:80
AX-2(config-slb svc group)#member cache2-ipv6:80
AX-2(config-slb svc group)#exit
AX-2(config)#slb virtual-server wildcard-ipv6 :: ipv6-acl ipv6-101
AX-2(config-slb vserver)#ha-group 1
AX-2(config-slb vserver)#port 80 tcp
AX-2(config-slb vserver-vport)#service-group cache-ipv6
AX-2(config-slb vserver-vport)#no-dest-nat
AX-2(config-slb vserver-vport)#ha-conn-mirror
Configuring TCS for FTP
When a client sends a request to the FTP server, the AX device intercepts
the request and forwards it to the FTP cache server. The cache server then
forwards the requested content to the AX device, if the content is cached.
The AX device forwards the content to the client.
If the requested content is not already cached, the cache server obtains the
content from the FTP server and caches it. The AX device forwards the
content to the client.
Each cache server in this example has two physical interfaces. One of the
interfaces receives client requests forwarded by the AX device. The other
interface communicates with the FTP server, and forwards cached content
to the AX device. Only the interfaces that receive client requests from the
AX device need to be configured as real servers.
Note: In this example, the content transferred by FTP is cached on the cache
servers. However, this feature also can be used if the device is a firewall
instead of an FTP cache server. In that case, the firewall is used to
examine the traffic that is transferred to or from the FTP server by the client.
Configuration
To configure TCS for FTP:
1. Configure the interfaces connected to the clients, the content servers,
and the cache server.
• Enable promiscuous VIP on the AX interface(s) connected to the
clients.
• Enable cache spoofing on the interface(s) connected to the cache
server.
Unless you are using AX model 1000, 2000, 2100, or 3000, you also
must enable CPU processing on each interface. On these AX models,
CPU processing is automatically used.
2. Configure an extended ACL that uses the permit action and that matches
on client addresses as the source address, and on the content server
address as the destination address.
3. Configure a real server for the cache server. Add an FTP port to the
server.
If the cache server will spoof client IP addresses when requesting
content from content servers, enable cache spoofing support.
If the cache server has multiple interfaces, configure a separate real
server for each one.
4. Configure a real server for the next-hop router through which the AX
device will reach the content servers. Add the same FTP port number as
the one on the cache server (for example, port 21). Disable health
checking on the port.
Note: The configuration requires health checking to be disabled on the router
port. The router will not respond to the health check. If you leave health
checking enabled, the AX device will mark the port down and TCS will
not work.
5. Configure a service group for the cache servers and add them to it.
6. Configure a separate service group for the router, and add the router to
it.
CLI Example
The following commands configure the AX interfaces to the FTP server, the
FTP client, and the cache servers.
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#enable
AX(config-if:ethernet1)#ip address 10.10.10.254 255.255.255.0
AX(config-if:ethernet1)#cpu-process
AX(config-if:ethernet1)#exit
AX(config)#interface ethernet 2
AX(config-if:ethernet2)#enable
AX(config-if:ethernet2)#ip address 192.168.19.254 255.255.255.0
AX(config-if:ethernet2)#ip allow-promiscuous-vip
AX(config-if:ethernet2)#cpu-process
AX(config-if:ethernet2)#exit
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#enable
AX(config-if:ethernet5)#ip address 12.12.12.254 255.255.255.0
AX(config-if:ethernet5)#ip cache-spoofing-port
AX(config-if:ethernet5)#cpu-process
AX(config-if:ethernet5)#exit
AX(config)#interface ethernet 6
AX(config-if:ethernet6)#enable
AX(config-if:ethernet6)#ip address 11.11.11.254 255.255.255.0
AX(config-if:ethernet6)#ip cache-spoofing-port
AX(config-if:ethernet6)#cpu-process
AX(config-if:ethernet6)#exit
The following commands configure real servers for FTP on each of the
cache servers. Cache spoofing is enabled and TCP port 21 is added to each
real server.
AX(config)#slb server ftps1 11.11.11.10
AX(config-real server)#spoofing-cache
AX(config-real server)#port 21 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
AX(config)#slb server ftps2 11.11.11.11
AX(config-real server)#spoofing-cache
AX(config-real server)#port 21 tcp
AX(config-real server-node port)#no health-check
AX(config-real server-node port)#exit
The following commands configure an FTP service group for the cache
servers:
AX(config)#slb service-group sg-ftps tcp
AX(config-slb svc group)#member ftps1:21
AX(config-slb svc group)#member ftps2:21
AX(config-slb svc group)#exit
The following commands configure a wildcard VIP and bind it to the
ACL. The FTP virtual port is bound to the FTP and router service groups.
Also, destination NAT is disabled.
AX(config)#slb virtual-server wildcard 0.0.0.0 acl 198
AX(config-slb vserver)#port 21 ftp
AX(config-slb vserver-vport)#service-group sg-ftps
AX(config-slb vserver-vport)#no-dest-nat
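The procedure and CLI example above describe several decision points the AX device makes for every packet: the wildcard VIP only sees traffic on interfaces with promiscuous VIP enabled, the extended ACL selects client-to-content-server traffic, no-dest-nat keeps the original destination address, interfaces marked as cache-spoofing ports carry requests that a spoofing cache sends with the client's source IP, and a router port with health checking disabled is never marked down. The following Python model is an added example, not code from this guide or from A10 Networks; it reproduces those decision points so that the effect of each setting can be traced. The ACL 198 contents, the content server address 10.10.10.11, the router address 10.10.10.1, and the use of the router service group as the fallback when no cache is up are constructed assumptions of this model, not statements from the guide.

```python
"""Model of the transparent cache switching (TCS) forwarding decision.

Added example, not A10 code. Reproduces the decision points of the FTP TCS
procedure: promiscuous-VIP interfaces, ACL match on a wildcard VIP,
no-dest-nat, cache-spoofing ports, and health checking disabled on the
router port. Addresses for the ACL, content server and router, and the
router-group fallback, are constructed assumptions of this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import hashlib


@dataclass(frozen=True)
class Packet:
    ingress: str   # AX interface the packet arrived on
    src: str
    dst: str
    dport: int


@dataclass
class RealPort:
    server: str
    addr: str
    port: int
    health_check: bool = True   # 'no health-check' sets this to False
    probe_ok: bool = True       # outcome of the last health probe

    def is_up(self) -> bool:
        # With health checking disabled the port is never marked down.
        return self.probe_ok if self.health_check else True


@dataclass
class ServiceGroup:
    name: str
    members: list

    def up_members(self):
        return [m for m in self.members if m.is_up()]


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: str         # "any" or a CIDR
    dst_host: str

    def matches(self, pkt: Packet) -> bool:
        src_ok = self.src == "any" or ip_address(pkt.src) in ip_network(self.src)
        return src_ok and pkt.dst == self.dst_host


@dataclass
class TcsConfig:
    promiscuous_vip_ports: set
    cache_spoofing_ports: set
    acl: list
    vport: int
    cache_group: ServiceGroup
    router_group: ServiceGroup


def select_member(group: ServiceGroup, key: str):
    """Pick an up member; hashing the client address keeps a client on one cache."""
    ups = group.up_members()
    if not ups:
        return None
    digest = hashlib.sha256(key.encode()).digest()
    return ups[int.from_bytes(digest[:4], "big") % len(ups)]


def decide(pkt: Packet, cfg: TcsConfig) -> dict:
    """Return how the AX forwards pkt under the modelled TCS rules."""
    # A spoofing cache requests content with the client's IP as source, so its
    # packets look like client traffic. Arriving on a cache-spoofing port is
    # what stops them from being redirected into the cache a second time.
    if pkt.ingress in cfg.cache_spoofing_ports:
        return {"action": "route", "reason": "cache-spoofing-port"}
    # The wildcard VIP only sees traffic on promiscuous-VIP interfaces, and
    # only traffic the ACL permits toward the configured virtual port.
    if pkt.ingress not in cfg.promiscuous_vip_ports:
        return {"action": "route", "reason": "no promiscuous vip"}
    first = next((e for e in cfg.acl if e.matches(pkt)), None)
    if first is None or first.action != "permit" or pkt.dport != cfg.vport:
        return {"action": "route", "reason": "not matched by acl/vport"}
    member = select_member(cfg.cache_group, pkt.src)
    fallback = False
    if member is None:
        # Model assumption: with no cache up, the router group takes the flow.
        member = select_member(cfg.router_group, pkt.src)
        fallback = True
    if member is None:
        return {"action": "drop", "reason": "no cache or router port up"}
    # no-dest-nat: the destination stays the content server; only the next hop changes.
    return {"action": "redirect", "next_hop": member.addr, "server": member.server,
            "dst": pkt.dst, "dport": pkt.dport, "fallback": fallback}


def build_config(router_health_check: bool = False) -> TcsConfig:
    """Mirror the FTP CLI example; ACL, router and content server values are constructed."""
    caches = ServiceGroup("sg-ftps", [RealPort("ftps1", "11.11.11.10", 21, health_check=False),
                                      RealPort("ftps2", "11.11.11.11", 21, health_check=False)])
    # The router never answers the health probe (probe_ok=False), as the Note warns.
    router = ServiceGroup("sg-router", [RealPort("rtr", "10.10.10.1", 21,
                                                 health_check=router_health_check, probe_ok=False)])
    return TcsConfig(promiscuous_vip_ports={"ethernet2"},
                     cache_spoofing_ports={"ethernet5", "ethernet6"},
                     acl=[AclEntry("permit", "any", "10.10.10.11")],   # constructed ACL 198 entry
                     vport=21, cache_group=caches, router_group=router)


def run_scenarios() -> dict:
    cfg = build_config()
    client = Packet("ethernet2", "192.168.19.5", "10.10.10.11", 21)   # constructed client
    out = {"client_request": decide(client, cfg),
           "cache_refill": decide(Packet("ethernet6", "192.168.19.5", "10.10.10.11", 21), cfg),
           "other_service": decide(Packet("ethernet2", "192.168.19.5", "10.10.10.11", 80), cfg)}
    # All caches down: the router port carries the flow only while its health checking is off.
    for hc in (False, True):
        cfg_down = build_config(router_health_check=hc)
        for m in cfg_down.cache_group.members:
            m.health_check, m.probe_ok = True, False
        out[f"caches_down_router_hc_{hc}"] = decide(client, cfg_down)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The two `caches_down` scenarios show the point of the Note on step 4: the router port only stays usable when health checking is disabled on it, because the router never answers the probe.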
Overview
AX Series devices support Firewall Load Balancing (FWLB). FWLB load
balances server-client sessions across firewalls. Figure 116 shows an
example FWLB topology.
This example shows two pairs of AX devices. One pair is located on the
public (unprotected) side of the network. The other pair is located on the
secured side of the network. Each pair is configured for High Availability
(HA). One member of the pair is the Active AX device and the other is a hot
Standby.
SLB for the real servers is configured on one of the AX pairs. You can
configure SLB for the servers on either AX pair. However, do not add the SLB
configuration to both AX pairs.
• Virtual IP addresses
Firewall Groups
This example uses a single firewall group for both firewall nodes. When
you configure FWLB, make sure to configure a firewall group for the
firewalls rather than an SLB service group.
Templates
Although this example does not use one, you can use a source-IP
persistence template in an FWLB configuration. You can bind a source-IP
persistence template to the virtual firewall or to individual service ports on the
virtual firewall.
• If you apply a source-IP persistence template to the virtual firewall, the
AX device sends all traffic from a given source address through the
same firewall.
• If you apply a source-IP persistence template to an individual service
port on the virtual firewall, the AX device sends all traffic from a given
client for that service port through the same firewall.
Health Monitors
To monitor the health of a firewall, use a Layer 3 monitor with the ICMP
method, and with transparent mode enabled. This type of health monitor
verifies a firewall’s health by verifying the path through the firewall to the
AX device or HA pair on the other side of the firewall.
In this topology, each AX device is directly connected to only two of the
four firewalls, but can reach the other two firewalls at Layer 2 through the
other AX device. In this topology, one AX device is active for SLB and
FWLB and the other AX device is a hot standby for these services. The
standby AX device allows Layer 2 client-server traffic to pass through but
blocks other traffic. The active AX device load balances client-server traffic
across all four firewalls.
For example, assume that External AX1 is the active member of the HA pair
(is the one actively performing SLB and FWLB). External AX1 is directly
connected to the firewalls with interfaces 20.1.1.1 and 20.1.1.2, but can also
reach the other two firewalls by sending the traffic at Layer 2 through
External AX2. External AX2, the standby for SLB and FWLB, allows
client-server traffic to pass through at Layer 2.
Static IP Routes
In the example above, External AX1 has the following static routes:
• Destination: 30.1.1.0 Next hop: 20.1.1.1 – This route reaches the
firewall VE subnet of the internal AX devices, through one of the firewalls.
• Destination: 40.1.1.0 Next hop: 20.1.1.1 – This route reaches the VE
subnet of the real servers, through one of the firewalls.
Notice that on each AX device, both static routes use the same next hop.
This is not required but it is recommended. Using the same hop does not
present a single point of failure. If the route to the specified next hop goes
down, the AX device automatically looks for another path to the route's
destination through another firewall.
FWLB Parameters
Table 6 lists the FWLB parameters.
TABLE 6 FWLB Parameters (Continued)

Parameter: Statistics collection (Optional)
Description and Syntax: Enables or disables collection of statistical data for the firewall service group.
    stats-data-enable
    stats-data-disable
    Note: Statistical data collection for load-balancing resources requires collection for system resources to also be enabled (stats-data-enable).
    Config > Service > Firewall > Firewall Group
Supported Values: Enabled or disabled. Default: enabled

Firewall Virtual Server Parameters

Parameter: Virtual firewall state (Optional)
Description and Syntax: State of the firewall virtual server.
    [no] disable
    [no] enable
    Config > Service > Firewall > Firewall Virtual server
Supported Values: Enabled or disabled. Default: Enabled

Parameter: Service ports (Optional)
Description and Syntax: Specifies the service ports to load balance.
    port port-number {tcp | udp}
    Config > Service > Firewall > Firewall Virtual server - Port
    (See the “Firewall Virtual Service Port Parameters” below for additional port settings.)
Supported Values: Protocol port number, 1-65535. Default: No service ports are specified, which means all traffic is load balanced.

Parameter: Firewall group (Required)
Description and Syntax: Specifies the firewall group to use. You also can specify a firewall group on individual service ports. If you specify a firewall group at each level, the firewall group specified for the individual service port takes precedence.
    [no] service-group group-name
    Config > Service > Firewall > Firewall Virtual server
Supported Values: Name of a configured firewall group. Default: not set

Parameter: High Availability (HA) group (Optional)
Description and Syntax: Specifies the HA group to use for the virtual firewall’s traffic.
    [no] ha-group group-id
    Config > Service > Firewall > Firewall Virtual server
Supported Values: 1-31. Default: not set

Parameter: Session synchronization (Optional)
Description and Syntax: Synchronizes active sessions onto the standby AX in the HA pair, to prevent the sessions from being interrupted if an HA failover occurs.
    [no] ha-conn-mirror
    Config > Service > Firewall > Firewall Virtual server
Supported Values: Enabled or disabled. Default: Disabled

Parameter: Source-IP persistence template (Optional)
Description and Syntax: Sends all traffic from a given source address to the same firewall. You also can specify a source-IP persistence template on individual service ports. If you specify a template at each level, the template specified for the individual service port takes precedence.
    Note: The match-type option is not applicable to FWLB. The match type for FWLB is always server, which sets the granularity of source-IP persistence to individual firewalls, not firewall groups or individual service ports.
    [no] template persist source-ip template-name
    Config > Service > Firewall > Firewall Virtual server
Supported Values: Name of a configured source-IP persistence template. Default: not set

Parameter: TCP idle timeout (Optional)
Description and Syntax: Specifies the number of seconds a TCP session through a firewall can remain idle before the AX device terminates the session.
    [no] tcp-idle-timeout seconds
    Config > Service > Firewall > Firewall Virtual server
    Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall port, or the idle time configured in SLB. See “TCP and UDP Session Aging” on page 342.
Supported Values: 60-15000 seconds. Default: 300 seconds

Parameter: UDP idle timeout (Optional)
Description and Syntax: Specifies the number of seconds a UDP session through a firewall can remain idle before the AX device terminates the session.
    [no] udp-idle-timeout seconds
    Config > Service > Firewall > Firewall Virtual server
    Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall port, or the idle time configured in SLB. See “TCP and UDP Session Aging” on page 342.
Supported Values: 60-15000 seconds. Default: 300 seconds

Parameter: Statistics collection (Optional)
Description and Syntax: Enables or disables collection of statistical data for the virtual firewall.
    stats-data-enable
    stats-data-disable
    Note: Statistical data collection for load-balancing resources requires collection for system resources to also be enabled (stats-data-enable).
    Config > Service > Firewall > Firewall Virtual server
Supported Values: Enabled or disabled. Default: enabled

Firewall Virtual Service Port Parameters

Parameter: Port state (Optional)
Description and Syntax: State of the virtual port.
    [no] disable
    [no] enable
    Config > Service > Firewall > Firewall Virtual server - Port
Supported Values: Enabled or disabled. Default: Enabled

Parameter: Firewall group (Optional)
Description and Syntax: Specifies the firewall group to use. If you specify a firewall group at this level, the firewall group specified here takes precedence over the firewall group specified at the firewall level.
    [no] service-group group-name
    Config > Service > Firewall > Firewall Virtual server - Port
Supported Values: Name of a configured firewall group. Default: not set

Parameter: Session synchronization (Optional)
Description and Syntax: Synchronizes active sessions onto the standby AX in the HA pair, to prevent the sessions from being interrupted if an HA failover occurs.
    [no] ha-conn-mirror
    Config > Service > Firewall > Firewall Virtual server - Port
Supported Values: Enabled or disabled. Default: Disabled

Parameter: Source-IP persistence template (Optional)
Description and Syntax: Sends all traffic from a given source address to the same firewall. If you specify a source-IP persistence template at this level, the template specified here takes precedence over the template specified at the firewall level.
    [no] template persist source-ip template-name
    Config > Service > Firewall > Firewall Virtual server - Port
Supported Values: Name of a configured source-IP persistence template. Default: not set

Parameter: TCP/UDP idle timeout (Optional)
Description and Syntax: Specifies the number of seconds a session through a firewall on this service port can remain idle before the AX device terminates the session.
    [no] idle-timeout seconds
    Config > Service > Firewall > Firewall Virtual server - Port
    Note: The idle timeout applied to a session can come from the idle timeout configured here, the idle timeout configured on the virtual firewall, or the idle time configured in SLB. See “TCP and UDP Session Aging” on page 342.
Supported Values: 60-15000 seconds. Default: 300 seconds

Parameter: Statistics collection (Optional)
Description and Syntax: Enables or disables collection of statistical data for the virtual port.
    stats-data-enable
    stats-data-disable
    Note: Statistical data collection for load-balancing resources requires collection for system resources to also be enabled (stats-data-enable).
    Config > Service > Firewall > Firewall Virtual server - Port
Supported Values: Enabled or disabled. Default: enabled
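Table 6 states three rules that are easy to misread when both the virtual firewall and an individual service port carry settings: the port-level firewall group and source-IP persistence template take precedence over the firewall-level ones; persistence granularity in FWLB is always the individual firewall (match type server); and, as the Overview and Static IP Routes sections explain, a firewall that fails its transparent ICMP path check is bypassed in favour of another firewall. The following Python model is an added example, not code from this guide or from A10 Networks; it resolves the effective settings for a flow and selects a firewall under those rules, so that a flow pinned to a failed firewall visibly moves. The firewall addresses 20.1.1.1 and 20.1.1.2 come from the Overview; 20.1.1.3 and 20.1.1.4, the group name, the template names and the hash-based selection are constructed assumptions of this model.

```python
"""Model of FWLB firewall selection with the Table 6 precedence rules.

Added example, not A10 code. Models: port-level firewall group and
source-IP persistence template override the virtual-firewall level;
persistence is always per individual firewall; a firewall that fails its
transparent ICMP path check is skipped. Firewall addresses 20.1.1.3 and
20.1.1.4, group and template names, and the hash-based pick are
constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib


@dataclass
class Firewall:
    addr: str
    path_ok: bool = True   # result of the transparent ICMP health check


@dataclass
class FirewallGroup:
    name: str
    members: list

    def up(self):
        return [f for f in self.members if f.path_ok]


@dataclass
class VirtualPort:
    port: int
    proto: str
    service_group: Optional[str] = None      # overrides the virtual firewall's group
    persist_template: Optional[str] = None   # overrides the virtual firewall's template


@dataclass
class VirtualFirewall:
    service_group: str                       # required at this level
    persist_template: Optional[str] = None
    ports: dict = field(default_factory=dict)  # (proto, port) -> VirtualPort; empty = all traffic


def effective_settings(vfw: VirtualFirewall, proto: str, port: int):
    """Apply the table's rule: the port-level value wins when both levels set one."""
    vp = vfw.ports.get((proto, port))
    group, template, scope = vfw.service_group, vfw.persist_template, "virtual-firewall"
    if vp is not None:
        if vp.service_group:
            group = vp.service_group
        if vp.persist_template:
            template, scope = vp.persist_template, "port"
    return group, template, scope


class Fwlb:
    def __init__(self, vfw: VirtualFirewall, groups: dict, templates: set):
        self.vfw = vfw
        self.groups = groups        # name -> FirewallGroup
        self.templates = templates  # names of configured source-IP persistence templates
        self.persist = {}           # persistence key -> Firewall

    def select(self, src_ip: str, proto: str, port: int) -> Optional[str]:
        """Return the address of the firewall that carries this flow, or None."""
        if self.vfw.ports and (proto, port) not in self.vfw.ports:
            return None   # with virtual ports configured, only those services are load balanced
        group_name, template, scope = effective_settings(self.vfw, proto, port)
        candidates = self.groups[group_name].up()
        if not candidates:
            return None
        key = None
        if template:
            if template not in self.templates:
                raise ValueError(f"unknown persistence template {template}")
            # Firewall-level template: all traffic from the source shares one firewall.
            # Port-level template: the source is pinned per service port.
            key = (template, src_ip) if scope == "virtual-firewall" else (template, src_ip, proto, port)
            pinned = self.persist.get(key)
            if pinned is not None and pinned.path_ok:
                return pinned.addr
        # Pick among firewalls that pass the path check; a failed firewall is not a
        # candidate, which is how a pinned flow is re-steered through another one.
        digest = hashlib.sha256(src_ip.encode()).digest()
        chosen = candidates[int.from_bytes(digest[:4], "big") % len(candidates)]
        if key is not None:
            self.persist[key] = chosen
        return chosen.addr


def demo() -> dict:
    fws = [Firewall("20.1.1.1"), Firewall("20.1.1.2"),
           Firewall("20.1.1.3"), Firewall("20.1.1.4")]   # last two constructed
    vfw = VirtualFirewall(service_group="fw-group", persist_template="persist-all",
                          ports={("tcp", 80): VirtualPort(80, "tcp", persist_template="persist-web"),
                                 ("udp", 53): VirtualPort(53, "udp")})
    lb = Fwlb(vfw, {"fw-group": FirewallGroup("fw-group", fws)}, {"persist-all", "persist-web"})
    client = "172.16.5.9"   # constructed client address
    out = {"settings_dns": effective_settings(vfw, "udp", 53),
           "settings_web": effective_settings(vfw, "tcp", 80),
           "dns_first": lb.select(client, "udp", 53)}
    out["dns_again"] = lb.select(client, "udp", 53)   # firewall-level template: same firewall
    out["web"] = lb.select(client, "tcp", 80)         # port-level template applies here
    out["smtp"] = lb.select(client, "tcp", 25)        # no virtual port: not load balanced
    for fw in fws:                                    # the pinned firewall fails its path check
        if fw.addr == out["dns_first"]:
            fw.path_ok = False
    out["dns_after_failure"] = lb.select(client, "udp", 53)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the DNS flow staying on one firewall across calls, moving to a different one only after that firewall's path check fails, and SMTP being left alone because a virtual port exists for other services but not for port 25.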
Note: In the current release, the TCP idle-timeout settings in FWLB are never
used. The AX device allows you to configure them but they are not used.
Configuring FWLB
To configure FWLB:
1. Configure High Availability (HA) parameters: HA ID, HA group,
session synchronization, and floating IP address.
To apply FWLB only to traffic for specific services, create a virtual port for
each service, and bind the firewall group to each virtual port. If FWLB will
apply to all traffic types, do not configure any virtual ports on the virtual
firewall.
If the AX device is configured for HA, specify the HA group ID to use for
the virtual port.
Note: The essential steps are described in this section. For the complete list of
FWLB settings you can configure, see Table 6 on page 338.
3. Click Add.
4. In the Health Monitor section, enter a name for the health monitor.
5. In the Method section, select ICMP from the Type drop-down list.
8. Click OK. The new health monitor appears in the Health Monitor table.
To configure a firewall node
1. Select Config > Service > Firewall.
5. Select the health method to use for checking the path through the fire-
wall to the other AX device.
If an HA pair is configured on the other side of the firewall, enter the
floating IP address of the HA pair.
FIGURE 119 Config > Service > Firewall > Firewall Node
3. In the Firewall Group section, enter a name for the service group.
5. Click Add.
7. Click OK. The firewall group appears in the Firewall Group table.
FIGURE 120 Config > Service > Firewall > Firewall Group
2. Click Add.
5. If you want to load balance all types of traffic through the firewalls,
click OK to complete the configuration. Otherwise, to load balance only
specific services, go to step 6.
g. Repeat for each protocol port.
h. Click OK to complete the firewall virtual server configuration.
FIGURE 121 Config > Service > Firewall > Firewall Virtual Server
FIGURE 122 Config > Service > Firewall > Firewall Virtual Server - Port
section
2. To configure a health check for a firewall path, use the following com-
mands:
health monitor monitor-name
[interval seconds | retry number |
timeout seconds]
Enter this command at the global Config level.
method icmp transparent ipaddr
Enter this command at the configuration level for the health monitor.
The transparent option is required and configures the health method to
check the full path through the firewall to the other AX. The ipaddr
specifies the IP address of the AX on the other side of the firewall. In an
HA configuration, the ipaddr is the floating IP address of the HA group
on the other side of the firewall.
3. To configure a firewall and assign a health monitor to it, use the follow-
ing commands:
fwlb node fwall-name ipaddr
Enter this command at the global Config level.
health-check monitor-name
Enter this command at the configuration level for the firewall.
4. To configure a firewall group and add the firewalls to it, use the follow-
ing commands:
fwlb service-group group-name
Enter this command at the global Config level.
member fwall-name [priority num]
method least-connection
The priority option enables you to designate some firewalls as backups
(the lower priority firewalls) to be used only if the higher priority fire-
walls all are unavailable.
The method command is optional and changes the load-balancing
method from round-robin (the default) to least-connections.
Enter these commands at the configuration level for the firewall group.
The following commands configure the firewalls:
AX-Ext-A(config)#fwlb node fw1 10.1.1.1
AX-Ext-A(config-firewall node)#health-check fwpathcheck
AX-Ext-A(config-firewall node)#exit
AX-Ext-A(config)#fwlb node fw2 10.1.1.2
AX-Ext-A(config-firewall node)#health-check fwpathcheck
AX-Ext-A(config-firewall node)#exit
AX-Ext-S(config-fwlb svc group)#exit
AX-Ext-S(config)#fwlb virtual-firewall default
AX-Ext-S(config-fwlb vfw)#ha-group 1
AX-Ext-S(config-fwlb vfw)#port 80 tcp
AX-Ext-S(config-fwlb vfw-vport)#service-group fwsg
AX-Ext-S(config-fwlb vfw-vport)#ha-conn-mirror
CLI Commands on Internal AX (Standby)
AX-Int-S(config)#ha id 2
AX-Int-S(config)#ha group 1 priority 1
AX-Int-S(config)#ha interface ethernet 1
AX-Int-S(config)#ha interface ethernet 2
AX-Int-S(config)#ha conn-mirror ip 10.5.1.5
AX-Int-S(config)#floating-ip 10.5.1.100 ha-group 1
AX-Int-S(config)#floating-ip 10.20.1.100 ha-group 1
AX-Int-S(config)#health monitor fwpathcheck
AX-Int-S(config-health:monitor)#method icmp transparent 10.1.1.100
AX-Int-S(config-health:monitor)#exit
AX-Int-S(config)#fwlb node fw1 10.5.1.1
AX-Int-S(config-firewall node)#health-check fwpathcheck
AX-Int-S(config-firewall node)#exit
AX-Int-S(config)#fwlb node fw2 10.5.1.2
AX-Int-S(config-firewall node)#health-check fwpathcheck
AX-Int-S(config-firewall node)#exit
AX-Int-S(config)#fwlb service-group fwsg
AX-Int-S(config-fwlb svc group)#member fw1
AX-Int-S(config-fwlb svc group)#member fw2
AX-Int-S(config-fwlb svc group)#exit
AX-Int-S(config)#fwlb virtual-firewall default
AX-Int-S(config-fwlb vfw)#ha-group 1
AX-Int-S(config-fwlb vfw)#port 80 tcp
AX-Int-S(config-fwlb vfw-vport)#service-group fwsg
AX-Int-S(config-fwlb vfw-vport)#ha-conn-mirror
The following sections show the CLI commands for configuring interfaces,
FWLB, and HA on each of the AX devices shown in Figure 117 on
page 335. For simplicity, the SLB configuration is not shown.
The following commands configure global HA parameters:
Ext-AX1(config)#ha id 1
Ext-AX1(config)#ha group 1 priority 200
Ext-AX1(config)#ha interface ethernet 1
Ext-AX1(config)#ha interface ethernet 2
Ext-AX1(config)#ha interface ethernet 4
Ext-AX1(config)#ha conn-mirror ip 50.1.1.2
Ext-AX1(config)#ha preemption-enable
Ext-AX1(config)#floating-ip 20.1.1.254 ha-group 1
Ext-AX1(config-fwlb vfw-vport)#service-group fwsg
Ext-AX1(config-fwlb vfw-vport)#ha-conn-mirror
This configuration is like the configuration for External AX1, with the fol-
lowing exceptions:
• The VE IP addresses are different (although they are in the same subnets
as those on the other AX device).
• The HA ID, priority, and connection mirroring IP address are different
from the other AX device.
Ext-AX2(config)#ha interface ethernet 1
Ext-AX2(config)#ha interface ethernet 2
Ext-AX2(config)#ha interface ethernet 4
Ext-AX2(config)#ha conn-mirror ip 50.1.1.1
Ext-AX2(config)#ha preemption-enable
Ext-AX2(config)#floating-ip 20.1.1.254 ha-group 1
This configuration is like the configuration for External AX1, with the fol-
lowing exceptions:
• The VE IP addresses and subnets are different. (The VLAN numbers
and some of the VE numbers also are different, but this is not required.
For simplicity, the VLAN numbers were selected to match the subnet
numbers.)
• The static routes are different.
The following commands configure the VE interface to the servers:
Int-AX1(config)#vlan 40
Int-AX1(config-vlan:40)#untagged ethernet 2
Int-AX1(config-vlan:40)#router-interface ve 2
Int-AX1(config-vlan:40)#exit
Int-AX1(config)#interface ve 2
Int-AX1(config-if:ve2)#ip address 40.1.1.10 255.255.255.0
Int-AX1(config-if:ve2)#exit
This configuration is like the configuration for Internal AX1, with the fol-
lowing exceptions:
• The VE IP addresses are different (although they are in the same subnets
as those on the other AX device).
• The HA ID, priority, and connection mirroring IP address are different
from the other AX device.
The health monitor and FWLB configuration is the same. For brevity, it is
not shown.
Int-AX2(config)#trunk 1
Int-AX2(config-trunk:1)#ethernet 9 to 10
Int-AX2(config-trunk:1)#exit
Int-AX2(config)#vlan 60
Int-AX2(config-vlan:60)#untagged ethernet 9 to 10
Int-AX2(config-vlan:60)#router-interface ve 60
Int-AX2(config-vlan:60)#exit
Int-AX2(config)#interface ve 60
Int-AX2(config-if:ve60)#ip address 60.1.1.2 255.255.255.0
Int-AX2(config-if:ve60)#exit
Int-AX2(config)#vlan 40
Int-AX2(config-vlan:40)#untagged ethernet 2
Int-AX2(config-vlan:40)#router-interface ve 2
Int-AX2(config-vlan:40)#exit
Int-AX2(config)#interface ve 2
Int-AX2(config-if:ve2)#ip address 40.1.1.20 255.255.255.0
Int-AX2(config-if:ve2)#exit
Int-AX2(config)#vlan 30
Int-AX2(config-vlan:30)#untagged ethernet 1 ethernet 3 ethernet 13
Int-AX2(config-vlan:30)#router-interface ve 1
Int-AX2(config-vlan:30)#exit
Int-AX2(config)#interface ve 1
Int-AX2(config-if:ve1)#ip address 30.1.1.20 255.255.255.0
Int-AX2(config-if:ve1)#exit
Int-AX2(config)#ip route 10.1.1.0 /24 30.1.1.1
Int-AX2(config)#ip route 20.1.1.0 /24 30.1.1.1
Int-AX2(config)#ha id 2
Int-AX2(config)#ha group 1 priority 100
Int-AX2(config)#ha interface ethernet 1
Int-AX2(config)#ha interface ethernet 2
Int-AX2(config)#ha interface ethernet 3
Int-AX2(config)#ha conn-mirror ip 60.1.1.1
Int-AX2(config)#ha preemption-enable
Int-AX2(config)#floating-ip 40.1.1.254 ha-group 1
This chapter describes how to configure parameters for multiple servers and
service ports using server and port templates.
Overview
The AX device supports the following types of templates for configuration
of SLB servers and ports:
• Server – Contains configuration parameters for real servers
These template types provide the same benefit as other template types. They
allow you to configure a set of parameter values and apply the set of values
to multiple configuration items. In this case, you can configure sets of
parameters (templates) for SLB assets (servers and service ports) and apply
the parameters to multiple servers or ports.
Some of the parameters that can be set using a template can also be set or
changed on the individual server or port.
• If a parameter is set (or changed from its default) in both a template and
on the individual server or port, the setting on the individual server or
port takes precedence.
• If a parameter is set (or changed from its default) in a template but is not
set or changed from its default on the individual server or port, the set-
ting in the template takes precedence.
TABLE 7 SLB Port and Server Template Parameters (Continued)

Real Server Port template
    Health monitor: Assigns a configured Layer 4-7 health monitor to all service ports that use the template. (See "Configuring and Applying a Health Method" on page 390.)
    In-band health monitor: Provides rapid server status change and reassignment based on client-server traffic. This is an enhanced health check mechanism that works independently of the standard out-of-band health mechanism. See "In-Band Health Monitoring" on page 410.
    Connection limit: Specifies the maximum number of connections allowed on any real port that uses the template. (See "Connection Limiting" on page 370.)
    Connection rate limiting: Limits the rate of new connections the AX is allowed to send to any real port that uses the template. (See "Connection Rate Limiting" on page 372.)
    Destination NAT: Enables destination Network Address Translation (NAT). Destination NAT is enabled by default, but is disabled in Direct Server Return (DSR) configurations. You can re-enable destination NAT on individual ports for deployment of mixed DSR configurations. See "Direct Server Return in Mixed Layer 2/Layer 3 Environment" on page 101.
    DSCP: Sets the differentiated services code point (DSCP) value in the IP header of a client request before sending the request to a server.
    Member priority for dynamically created servers: Sets the initial TTL for dynamically created service-group members. (See "Dynamic Real Server Creation Using DNS" on page 895.)
    Slow start: Provides time for real ports that use the template to ramp up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports. (See "Slow-Start" on page 374.)
    Source NAT: Specifies the IP NAT pool to use for assigning a source IP address to client traffic addressed to the port. For information about NAT, see "Network Address Translation" on page 615.
    Weight: Biases load-balancing selection of this port. A higher weight gives more favor to the server and port relative to the other servers and ports. For an example of weighted SLB, see "FTP Load Balancing" on page 169. (The example configures weights directly on the real service ports rather than using templates, but still illustrates how the weight option works.)
        Note: The weight option applies only to the weighted-least-connection, service-weighted-least-connection, and weighted-round-robin load-balancing methods.

Virtual Server template
    Connection limit: Specifies the maximum number of connections allowed on any VIP that uses the template. (See "Connection Limiting" on page 370.)
    Connection rate limiting: Limits the rate of new connections the AX is allowed to send to any VIP that uses the template. (See "Connection Rate Limiting" on page 372.)
    ICMP rate limiting: Limits the rate at which ICMP packets can be sent to the VIP. (See "ICMP Rate Limiting" on page 734.)
    Gratuitous ARPs for subnet VIPs: Enables gratuitous ARPs for all VIPs in a subnet VIP. (See "Gratuitous ARPs for Subnet VIPs" on page 377.)

Virtual Server Port template
    Connection limit: Specifies the maximum number of connections allowed on any virtual service port that uses the template. (See "Connection Limiting" on page 370.)
    Connection rate limiting: Limits the rate of new connections the AX is allowed to send to any virtual service port that uses the template. (See "Connection Rate Limiting" on page 372.)
    Reset unknown connections: Enables sending of a TCP Reset (RST) in response to a session mismatch. (See "TCP Reset Option for Session Mismatch" on page 378.)
The default server and port templates are each named “default”. The default
settings in the templates are the same as the default settings for the parame-
ters that can be set in the templates.
Configuring Server and Service Port Templates
3. Click Add to create a new one or click on the name of a configured tem-
plate to edit it. The configuration section for the template appears.
5. Enter or edit other settings. (See the descriptions in the sections below
for information.)
6. Click OK.
The template name can be 1-31 characters. These commands change the
CLI to the configuration level for the template. To modify the default tem-
plate, specify the name “default” (without the quotation marks).
show slb template virtual-server template-name
show slb template virtual-port template-name
CLI Example
The following commands configure a new real server template and bind the
template to two real servers:
AX(config)#slb template server rs-tmplt1
AX(config-rserver)#health-check ping2
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
This example includes the commands to bind the template to real servers.
For information about binding the templates, see “Applying a Server or Ser-
vice Port Template” on page 366.
If you create a new server or port template, the template takes effect only
after you bind it to servers or ports.
Table 8 lists the types of bindings that are supported for server and port tem-
plates.
Applying a Server or Service Port Template
The following subsections describe how to bind server and port templates to
servers, ports, and service group members. For configuration examples, see
the feature sections referred to in Table 7 on page 362.
4. Select the template from the Server Template drop-down list. To create
one, click create.
Enter the following command at the configuration level for the real server:
4. In the Port section, select the template from the Server Port Template
drop-down list. To create one, click create.
5. Click Update.
Enter the following command at the configuration level for the real port:
4. Select the template from the Virtual Server Template drop-down list. To
create one, click create.
Enter the following command at the configuration level for the virtual
server:
5. Select the template from the Virtual Server Port Template drop-down
list.
6. Click OK.
Enter the following command at the configuration level for the virtual ser-
vice port:
[no] template virtual-port template-name
3. In the Server section, select the server port template from the Server
Port Template drop-down list.
4. Click OK.
At the configuration level for the service group, use the template tem-
plate-name option with the member command:
[no] member server-name:portnum
[disable | enable]
[priority num]
[template port template-name]
Connection Limiting
By default, the AX device does not limit the number of concurrent connec-
tions on a server or service port. If certain servers or services are becoming
oversaturated, you can set a connection limit. The AX device stops sending
new connection requests to a server or port when that server or port reaches
its maximum allowed number of concurrent connections.
Connection limiting can be set in real server templates, real port templates,
virtual server templates, and virtual port templates.
limiting configuration until the virtual server or port does not have any
active connections.
To set a connection limit in a server or port template, use either of the fol-
lowing methods.
4. (Virtual Server or Virtual Server Port Templates only) Select the action
to take for connections that occur after the limit is reached: Drop or
Reset.
5. Click OK.
CLI Example
The following commands set the connection limit to 500,000 concurrent
connections in a real server template, then bind the template to real servers:
AX(config)#slb template server rs-tmplt1
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
When a server or service port reaches its connection limit, the AX device
stops using the server or service port.
Connection Rate Limiting
USING THE GUI
In the configuration section for the template:
1. Select the Connection Rate Limit checkbox to activate the configuration
fields.
2. Enter the connection rate limit in the field next to the checkbox.
4. Select the action to take for connections that exceed the limit: Drop or
Reset.
5. (Virtual Server or Virtual Server Port Templates only) Select the action
to take for connections that occur after the limit is reached: Drop or
Reset.
6. Click OK.
show slb server [server-name] detail
show slb virtual-server [server-name] detail
CLI Example
The following commands configure connection rate limiting in a real server
template, then bind the template to real servers.
AX(config)#slb template server rs-tmplt1
AX(config-rserver)#conn-rate-limit 50000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
Slow-Start
The slow-start feature allows time for a server or real service port to ramp
up after TCP/UDP service on a server is enabled, by temporarily limiting
the total concurrent connections on the server or port.
You can configure the slow-start parameters described in this section in real
server templates and real port templates.
Ramp-Up Parameters
TABLE 9 Default Slow-Start Ramp-Up (Continued)

Number of seconds after server restart    Total maximum concurrent connections allowed after server restart
40-49                                     2048
50-59                                     4096
60+                                       Slow-start ends; no limit
Note: For the connection increment, you can specify a scale factor or a connec-
tion addition. The ending connection limit must be higher than the starting
connection limit.
If a normal runtime connection limit is also configured on the server or
port (for example, by “Connection Limiting” on page 370), and the nor-
mal connection limit is smaller than the slow-start ending connection
limit, the AX device limits slow-start connections to the maximum
allowed by the normal connection limit.
If you do configure slow-start both on the real server itself and in a real
server template or real port template, the actual slow-start behavior can dif-
fer from the behavior configured in the template.
• If slow start is configured on the real server and in a real server template, the slow-start settings on the real server are used and the settings in the template are ignored. It is recommended to configure slow start only in a real server template or real port template.
• If slow start is configured on the real server and in a real port template, the lower number of connections allowed by either of the configurations at a given interval is used.
In the configuration section for the real server template or real port tem-
plate:
1. Select the Slow Start checkbox to activate the configuration fields.
2. Enter the starting connection limit in the field to the right of “From”.
4. Enter the connection increment in the field next to the increment method
you selected.
7. Click OK.
USING THE CLI
[no] slow-start
[from starting-conn-per-second]
[times scale-factor | add conn-incr]
[every interval]
[till ending-conn-per-second]
CLI Example
The following commands enable slow start in a real server template, using
the default settings, and bind the template to real servers.
AX(config)#slb template server rs-tmplt1
AX(config-rserver)#slow-start
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1
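The following Python model is added here as an example; it is not the AX implementation and not A10 code. It works through how the conn-limit, conn-rate-limit and slow-start parameters from the Connection Limiting, Connection Rate Limiting and Slow-Start sections combine when deciding whether one more new connection may be sent to a real port: the ramp computed from `from`/`times`|`add`/`every`/`till`, the rule that a real-server setting overrides a real server template while the lower value wins against a real port template, and the cap imposed by a normal connection limit smaller than the ramp. The ramp defaults (from 128, times 2, every 10 seconds, till 4096) are an assumption chosen to reproduce the rows of Table 9 visible above; the per-second unit of the rate limit and all class and function names are likewise assumptions.

```python
"""Admission control for one real service port, modelling the AX template
parameters conn-limit, conn-rate-limit and slow-start (example code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SlowStart:
    """Mirrors `slow-start [from N] [times F | add A] [every S] [till M]`.
    The defaults below (from 128, times 2, every 10 s, till 4096) are an
    assumption that reproduces the visible rows of Table 9 (40-49 s: 2048,
    50-59 s: 4096, 60+ s: no limit); the guide does not print them."""
    start: int = 128
    scale: Optional[float] = 2.0   # `times` increment (None when `add` is used)
    add: Optional[int] = None      # `add` increment (None when `times` is used)
    every: int = 10                # seconds between increments
    till: int = 4096               # ending connection limit

    def __post_init__(self) -> None:
        # The guide's Note: the ending limit must be higher than the starting limit.
        if self.till <= self.start:
            raise ValueError("ending limit must be higher than the starting limit")
        if (self.scale is None) == (self.add is None):
            raise ValueError("use exactly one of times/add")

    def limit_at(self, t: int) -> Optional[int]:
        """Concurrent-connection cap at t seconds after the port was enabled.
        None means the ramp has passed `till`: slow-start is over, no limit."""
        step = t // self.every
        if self.scale is not None:
            limit = int(self.start * self.scale ** step)
        else:
            limit = self.start + self.add * step
        return None if limit > self.till else limit


def effective_limit(t: int, conn_limit: Optional[int],
                    server_ss: Optional[SlowStart] = None,
                    server_template_ss: Optional[SlowStart] = None,
                    port_template_ss: Optional[SlowStart] = None) -> Optional[int]:
    """Combine the Slow-Start section's precedence rules at time t:
    - slow-start on the real server itself overrides a real server template;
    - real server vs. real port template: the lower cap at that interval wins;
    - a normal conn-limit smaller than the ramp caps the ramp."""
    ramps: List[SlowStart] = []
    if server_ss is not None:
        ramps.append(server_ss)
    elif server_template_ss is not None:
        ramps.append(server_template_ss)
    if port_template_ss is not None:
        ramps.append(port_template_ss)
    caps = [c for c in (r.limit_at(t) for r in ramps) if c is not None]
    limit = min(caps) if caps else None
    if conn_limit is not None:
        limit = conn_limit if limit is None else min(limit, conn_limit)
    return limit


@dataclass
class PortAdmission:
    """Decides whether the load balancer may send a new connection to the port."""
    conn_limit: Optional[int] = None        # `conn-limit N`; default: no limit
    conn_rate_limit: Optional[int] = None   # `conn-rate-limit N`, new conns per second (unit assumed)
    slow_start: Optional[SlowStart] = None  # treated as the real port template ramp
    active: int = 0                         # concurrent connections on the port
    window: int = -1                        # current one-second rate window
    new_in_window: int = 0

    def admit(self, now: int) -> bool:
        """Return True and count the connection, or False when a limit is hit.
        What happens to a refused connection (drop or reset) is the template's
        configured action and is outside this model."""
        if now != self.window:
            self.window, self.new_in_window = now, 0
        if self.conn_rate_limit is not None and self.new_in_window >= self.conn_rate_limit:
            return False
        cap = effective_limit(now, self.conn_limit, port_template_ss=self.slow_start)
        if cap is not None and self.active >= cap:
            return False
        self.active += 1
        self.new_in_window += 1
        return True

    def close(self) -> None:
        """A connection on the port finished; free its slot."""
        self.active -= 1


if __name__ == "__main__":
    # Print the assumed default ramp in the layout of Table 9.
    ramp = SlowStart()
    for t in range(0, 70, 10):
        print(f"{t:>3}-{t + 9:<3} s: {ramp.limit_at(t) or 'slow-start ends, no limit'}")
```

The order of checks matters: the rate limit is evaluated before the concurrency cap, so a port that is within its slow-start ramp can still be refused connections by the rate limit, and a port that has finished ramping is still bound by conn-limit.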
Gratuitous ARPs for Subnet VIPs
By default, the AX device sends gratuitous ARPs for only the first IP
address in a subnet VIP. You can enable the AX device to send gratuitous
ARPs for all the IP addresses within a subnet VIP.
Note: This option applies only to VIPs that are created using a range of subnet
IP addresses. The option has no effect on VIPs created with a single IP
address.
4. Click OK.
To enable gratuitous ARPs for all VIPs in subnet VIPs, use the following
command at the configuration level for the virtual server template used to
configure the VIPs:
subnet-gratuitous-arp
CLI Example
TCP Reset Option for Session Mismatch
This option is useful in cases where a session ages out or is deleted on the
AX device, but the client does not receive a RST or FIN for the session. In
this case, without a RST, the session could remain open on the client until
the session ages out.
When this option is enabled, TCP RSTs are sent in the cases listed in
Table 10.
The option is disabled by default, which means the AX device does not send
a RST in response to a session mismatch. You can enable the option in indi-
vidual virtual port templates.
Note: This option does not apply to sessions that are in the delete queue. If the
AX device receives a packet for a session that has been moved to the
delete queue, the AX device does not send a TCP RST. Instead, the AX
device reactivates the session and allows it to age out normally.
Health Monitoring
AX Series devices can regularly check the health of real servers and service
ports. Health checks ensure that client requests go only to available servers.
Servers or ports that respond appropriately to health checks remain eligible
to serve client requests. A server or port that does not respond appropriately
to a health check is temporarily removed from service, until the server or
port is healthy again.
Default Health Checks
The default ICMP, TCP, or UDP monitor is not used if you disable it on the
server or port, or you apply a different monitor to the server or port.
Note: For very large deployments (1000 or more servers), A10 Networks rec-
ommends disabling the default Layer 3 health check, and using only
Layer 4-7 health checks. (See “Globally Disabling Layer 3 Health
Checks” on page 420.)
Health Method Timers
Note: The timeout does not apply to externally configured health monitors.
When the server or port does not respond, the AX device begins the next
health check as soon as the previous attempt times out, because the next
interval starts at that point. In the figures, "R" indicates a retry.
Example When Server or Port Is Responsive
Figure 124 shows how health checking operates when the server or port is
responsive. The AX device begins the next health check when the next
interval begins. Using the default interval value, the next interval begins
within 5 seconds.
Health Method Types
Multiple health method instances can be defined using the same method
type and different parameters. Likewise, multiple health monitors can use
the same health method to check different servers.
Note: To configure a health monitor for Direct Server Return (DSR), see “Con-
figuring Health Monitoring of Virtual IP Addresses in DSR Deploy-
ments” on page 394.
TABLE 11 Internal Health Method Types (Continued)

HTTP / HTTPS
    Description: AX Series sends an HTTP GET, HEAD, or POST request to the specified TCP port and URL.
        • GET requests the entire page.
        • HEAD requests only the meta-information in the header.
        • POST attempts to write information to the server. For POST requests, you must specify the target field names and the values to post. (For more information, see "Configuring POST Requests in HTTP/HTTPS Health Monitors" on page 396.)
        If a user name and password are required to access the page, they also must be specified in the health check configuration.
        By default, the real server's IP address is placed in the request header's Host: field. You can configure a different value if needed.
        The following types of authentication are supported: basic, digest and NT LAN Manager (NTLM) authentication. If you specify a username and password, the health monitor will try to use basic authentication first. If this try succeeds, the authentication process is complete. Otherwise, the health monitor will negotiate with the server to select another authentication method, and retry the health check using that authentication method.
    Successful if: Server replies with OK message (200), by default. You can configure the response code(s) and record type required for a successful health check.
        For GET requests, the server also must reply with the requested content or meta-information in the page header. The response must include the string specified in the Expect field on the AX Series.
        For HEAD requests, the AX Series ignores the Expect field and only checks for the server reply message.
        For POST operations, the data must be posted without error.
    Configuration required on target server: Requested page (URL) must be present on the server.
        For GET requests, the string specified as the expected reply must be present.
        For POST operations, the field names specified in the health check must be present on the requested page.
        For HTTPS health checks, SSL support must be enabled on the server. A certificate does not need to be installed on the AX device. The AX device always accepts the server certificate presented by the server.

ICMP
    Description: AX Series sends an ICMP echo request (ping) to the server.
        Note: This is a Layer 3 health check only. Use the other method types to check the health of a specific application.
    Successful if: Server replies with an ICMP echo reply message.
    Configuration required on target server: Server must be configured to reply to ICMP echo requests.
LDAP
Description: AX Series sends an LDAP request to the LDAP port. Optionally, the request can be directed to a specific Distinguished Name. Optionally, SSL can be enabled for the health check. The AX Series also must send a valid password, if one is required by the server.
Successful if: Server sends a reply containing result code 0.
Configuration required on target server: If a Distinguished Name and password are sent in the health check, they must match these values on the LDAP server. A certificate does not need to be installed on the AX Series. The AX Series always accepts the server certificate presented by the server.

NTP
Description: AX Series sends an NTP client message to UDP port 123.
Successful if: Server sends a standard NTP 48-byte reply packet.
Configuration required on target server: NTP service must be running.

POP3
Description: AX Series sends a POP3 user login request with the specified user parameter.
Successful if: Server replies with an OK message. The AX Series then sends the password specified in the health check configuration. The AX Series expects the server to reply with another OK message.
Configuration required on target server: Requested user name and password must be valid on the server.

RADIUS
Description: AX Series sends a Password Authentication Protocol (PAP) request to authenticate the user name and password specified in the health check configuration.
Successful if: Server sends Access Accepted message (reply code 2).
Configuration required on target server: Requested user name and password must be configured in the server’s user database. Likewise, the shared secret sent in the health check must be valid on the server.

RTSP
Description: AX Series sends a request for information about the file specified in the health check configuration.
Successful if: Server replies with information about the specified file.
Configuration required on target server: The file must be present on the RTSP server.

SIP
Description: AX Series sends a SIP OPTION request or REGISTER request.
Successful if: Server replies with 200 - OK.
Configuration required on target server: None.

SMTP
Description: AX Series sends an SMTP Hello message.
Successful if: Server sends an OK message (reply code 250).
Configuration required on target server: Server recognizes and accepts the domain of sender. If SMTP service is running and can reply to Hello messages, the server can pass the health check.

SNMP
Description: AX Series sends an SNMP Get or Get Next request to the specified OID, from the specified community.
Successful if: Server replies with the value of the OID.
Configuration required on target server: Requested OID and the SNMP community must both be valid on the server.
TCP
Description: AX Series sends a connection request (TCP SYN) to the specified TCP port on the server.
Successful if: Server replies with a TCP SYN ACK. By default, the AX device completes the TCP handshake with the server:
AX -> Server
SYN ->
<- SYN-ACK
ACK ->
FIN-ACK ->
<- FIN-ACK
ACK ->
SYN ->
<- SYN-ACK
RST ->
Configuration required on target server: Destination TCP port of the health check must be valid on the server.

UDP
Description: AX Series sends a packet with a valid UDP header and a garbage payload to the specified UDP port on the server.
Successful if: Server does either of the following:
• Replies from the specified UDP port with any type of packet.
• Does not reply at all.
The server fails the health check only if the server replies with an ICMP Error message.
Configuration required on target server: Destination UDP port of the health check must be valid on the server.
Configuring and Applying a Health Method
After you bind the health monitor to a real server port, health checks using
the monitor are addressed to the real server port number instead of the port
number specified in the health monitor’s configuration. In this case, you can
override the IP address or port using the override options described in
“Overriding the Target IP Address or Protocol Port Number” on page 402.
2. Apply the monitor to the real server (for Layer 3 checks) or service port.
You can apply a health monitor to a server or port in either of the following ways:
• Apply the health monitor to a server or port template, then bind the
template to the server or port.
• Apply the health monitor directly to the individual server or port.
3. Click Add.
5. In the Method section, select the monitor type from the Type drop-down list. The rest of the configuration fields change depending on the monitor type. (See “Health Method Types” on page 385.)
7. Click OK. The new monitor appears in the Health Monitor table.
To import an externally configured monitor
1. Create a script for the monitor. (For an example, see “Using External
Health Methods” on page 428.)
2. In the AX management GUI, select Config > Service > Health Monitor.
4. Click Add.
4. Select the health monitor from the Health Monitor drop-down list.
6. Click OK.
4. Select the health monitor from the Health Monitor drop-down list.
5. Configure other settings if needed. (See “Server and Port Templates” on
page 361.)
6. Click OK.
4. To apply a Layer 3 health monitor to the server, select the health monitor
from the Health Monitor drop-down list in the General section.
7. Click OK.
4. Select the health monitor from the Health Monitor drop-down list in the
Service Group section.
6. Click OK.
(For more information about how health monitors are used when applied to
service groups, see “Service Group Health Checks” on page 406.)
USING THE CLI
2. At the configuration level for the monitor, use the following command
to specify the method to use:
[no] method method-name
The method-name can be one of the types listed in “Health Method
Types” on page 385. Also see that section for additional options you can
specify. For syntax information, see the “Config Commands: SLB
Health Monitors” chapter in the AX Series CLI Reference.
2. At the global configuration level of the AX CLI, use the following command to import the monitor script:
health external import [description] url
The url specifies the file transfer protocol, username (if required), and
directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
tftp://host/program-name
ftp://[user@]host[:port]/program-name
scp://[user@]host/program-name
rcp://[user@]host/program-name
3. Create a new health monitor to use the script by entering the following
command at the global config level:
health monitor monitor-name
This command changes the CLI to the configuration level for the new
health monitor.
4. At the configuration level for the monitor, use the following command
to associate the script with the new monitor:
method external [port port-num] program program-name [arguments argument-string]
For port-num, specify the service port number on the real server.
Use the following command at the configuration level for the server template (if applying a monitor that uses the ping method) or at the configuration level for the service port template (for all other method types).
health-check [monitor-name]
Use the following command at the configuration level for the server (if
applying a monitor that uses the ping method) or at the configuration level
for the service port (for all other method types).
health-check [monitor-name]
The target of the Layer 3 health checks can be the real IP addresses of the
servers, or the virtual IP address, depending on your preference.
• To send the Layer 3 health checks to the real server IP addresses, you
can use the default Layer 3 health method (ICMP).
• To send the Layer 3 health checks to the virtual IP address instead:
• Configure an ICMP health method with the transparent option
enabled, and with the alias address set to the virtual IP address.
• Globally enable DSR health checking.
Layer 4-7 health checks are sent to the same IP address as the Layer 3 health
checks, and then addressed to the specific protocol port. You can use the
default TCP and UDP health monitors or configure new health monitors.
This example uses the default TCP health monitor.
Note: The following sections show how to configure Layer 3 health checking of
virtual IP addresses and how to globally enable DSR health checking of
virtual IP addresses. A complete DSR deployment requires additional
configuration. See the examples in “Network Setup” on page 73.
5. Click Method.
3. Click Apply.
Enter this command at the global Config level of the CLI. The CLI changes
to the configuration level for the health method.
Use the following command at the global Config level of the CLI:
slb dsr-health-check-enable
2. Click Add.
3. In the Health Monitor section, enter a name for the monitor in the Name
field.
4. In the Method section, select HTTP or HTTPS from the Type drop-
down list. Configuration fields for HTTP or HTTPS health monitoring
options appear.
c. In the Post Data field, enter the field names and values to be posted. In the postdata string, use “=” between a field name and the value you are posting to it. If you post to multiple fields, use “&” between the fields. For example: fieldname1=value&fieldname2=value. The string can be up to 255 bytes long.
7. Click OK.
This command creates the health monitor, but does not configure the health method used by the monitor. If you enter the monitor-name without entering any other options, the CLI changes to the configuration level for the monitor. If you enter any of the timer options, the timer value is changed instead.
At the configuration level for the health monitor, enter one of the following
commands:
[no] method http
[port port-num]
[url {GET | HEAD} url-path |
POST {url-path postdata string |
/ postfile filename}]
[host {ipv4-addr | ipv6-addr | domain-name}
[:port-num]]
[expect {string | response-code code-list}]
[username name]
or
[no] method https
[port port-num]
[url {GET | HEAD} url-path |
POST {url-path postdata string |
/ postfile filename}]
[host {ipv4-addr | ipv6-addr | domain-name}
[:port-num]]
[expect {string | response-code code-list}]
[username name]
In the postdata string, use “=” between a field name and the value you are posting to it. If you post to multiple fields, use “&” between the fields. For example: postdata fieldname1=value&fieldname2=value. The string can be up to 255 bytes long.
To use POST data longer than 255 bytes, you must import a POST data file and use the POST / postfile filename option. To import a POST data file up to 2 Kbytes long, use the following command at the global configuration level of the CLI:
health postfile import filename
CLI Examples
The following commands configure an HTTP health method that uses a
POST operation to post firstname=abc and lastname=xyz to /postdata.asp
on the tested server:
AX(config)#health monitor http1
AX(config-health:monitor)#method http url POST /postdata.asp postdata firstname=abc&lastname=xyz
The following commands import a file containing a large HTTP POST data
payload (up to 2 Kbytes), and add the payload to an HTTP health monitor:
AX(config)#health postfile import long-post
AX(config)#health monitor http1
AX2000(config-health:monitor)#method http url post / postfile long-post expect def
In this example, health checks that use this health monitor will send a POST
request containing the data in “postfile”, and expect the string “def” in
response.
By default, the AX device expects the DNS server to respond to the
health check with an A record.
2. Click Add.
3. In the Health Monitor section, enter a name for the monitor in the Name field.
4. In the Method section, select DNS from the Type drop-down list. Configuration fields for DNS health monitoring options appear.
5. If the DNS server to be tested does not listen for DNS traffic on the
default DNS port (53), edit the port number in the Port field.
6. To test a specific server, click IP Address and enter the address in the IP
Address field. Otherwise, to test based on a domain name sent in the
health check, leave Domain selected and enter the domain name in the
Domain field.
7. If you left Domain selected, select the record type the server is expected
to send in reply to health checks. Select the record type from the Type
drop-down list.
9. To specify the response codes that are valid for passing a health check, enter the codes in the Expect field. To specify a range, use a dash. Separate the codes (and code ranges) with commas.
FIGURE 126 DNS Health
This command creates the health monitor, but does not configure the health method used by the monitor. If you enter the monitor-name without entering any other options, the CLI changes to the configuration level for the monitor. If you enter any of the timer options, the timer value is changed instead.
At the configuration level for the health monitor, enter the following command:
[no] method dns {ipaddr | domain domain-name}
[
expect response-code code-list |
port port-num |
recurse {enabled | disabled} |
type {A | CNAME | SOA | PTR | MX | TXT | AAAA}
]
CLI Example
The following commands configure a DNS health monitor that sends a
query for www.example.com, and expects an Address record and any of the
following response codes in reply: 0, 1, 2, 3, or 5:
AX(config)#health monitor dnshm1
AX(config-health:monitor)#method dns domain www.example.com expect response-code 0-3,5
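To make the pass/fail rules concrete for both the HTTP/HTTPS expect options (page 398) and the DNS expect response-code option above, here is an added Python model; it is not AX code. The function and type names are hypothetical, the DNS default code-list of "0" is an assumption (the guide states only the A-record default), and the postdata builder applies no URL encoding because the guide specifies only the separators.

```python
"""Added example (not AX code): the pass/fail rules for the HTTP/HTTPS and DNS
health methods described in this chapter, including the code-list syntax
("0-3,5": dash for a range, comma between codes and ranges) shared by the
HTTP expect response-code and DNS expect response-code options."""
from dataclasses import dataclass
from typing import Optional

POSTDATA_MAX_BYTES = 255  # limit for the postdata string; longer data needs postfile


def parse_code_list(code_list: str) -> set[int]:
    """Expand a code-list such as "0-3,5" or "200,301-302" into a set of codes."""
    codes: set[int] = set()
    for item in code_list.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (int(part) for part in item.split("-", 1))
            if low > high:
                raise ValueError(f"bad range in code-list: {item!r}")
            codes.update(range(low, high + 1))
        else:
            codes.add(int(item))
    return codes


@dataclass
class HttpReply:
    """Constructed stand-in for a server reply (hypothetical type)."""
    status: int
    body: str = ""            # page content for GET; empty for HEAD (headers only)
    post_error: bool = False  # True if the server reported an error on POST


def http_health_passes(method: str, reply: HttpReply,
                       expect_string: Optional[str] = None,
                       response_codes: str = "200") -> bool:
    """Rules from Table 11: reply code must be in the code-list (200 by default);
    GET also needs the Expect string in the content; HEAD ignores the Expect
    string and checks only the reply code; POST must post without error."""
    if reply.status not in parse_code_list(response_codes):
        return False
    method = method.upper()
    if method == "GET":
        return expect_string is None or expect_string in reply.body
    if method == "HEAD":
        return True
    if method == "POST":
        return not reply.post_error
    raise ValueError(f"unsupported HTTP health method {method!r}")


def dns_health_passes(rcode: int, answer_types: list[str],
                      expected_type: str = "A",
                      response_codes: str = "0") -> bool:
    """DNS method: response code must be in the code-list and the reply must
    carry the expected record type (A by default). The "0" default code-list
    is an assumption; the guide states only the A-record default."""
    return rcode in parse_code_list(response_codes) and expected_type in answer_types


def build_postdata(fields: dict[str, str]) -> str:
    """Join name=value pairs with "&" as the postdata option expects and
    enforce the 255-byte limit. No URL encoding is applied because the guide
    specifies only the separators."""
    data = "&".join(f"{name}={value}" for name, value in fields.items())
    if len(data.encode("utf-8")) > POSTDATA_MAX_BYTES:
        raise ValueError("postdata exceeds 255 bytes; import a postfile instead")
    return data
```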
FIGURE 127 Example of Health-check Address Override
In this example, the real servers managed by the site AX are configured as service IPs 192.168.100.100-102 on the GSLB AX. The health-check metric is enabled in the GSLB policy, so health checks are needed to verify that the service IPs are healthy. One way to do so is to check the health of the ISP link connected to the site AX device.
the device addresses the health check to 192.168.1.1, the override address,
instead of addressing the health check to the service IP addresses.
Override Parameters
The override is used only if applicable to the method (health check type)
and the target. An IP address override is applicable only if the target has the
same address type (IPv4 or IPv6) as the override address.
2. Click on the health monitor name or click Add to create a new one.
4. For other health methods, select the type, then enter the target protocol
port number in the Override Port field.
Use one of the following commands at the configuration level for the health
monitor:
[no] override-ipv4 ipaddr
[no] override-ipv6 ipv6addr
[no] override-port portnum
The following commands configure a health monitor for the service IPs
shown in Figure 127 on page 403, and apply the monitor to the service IPs.
AX(config)#health monitor site1-hm
AX(config-health:monitor)#method icmp
AX(config-health:monitor)#override-ipv4 192.168.1.1
AX(config-health:monitor)#exit
AX(config)#gslb service-ip gslb-srvc1 192.168.100.100
AX(config-gslb service-ip)#health-check site1-hm
AX(config-gslb service-ip)#exit
AX(config)#gslb service-ip gslb-srvc2 192.168.100.101
AX(config-gslb service-ip)#health-check site1-hm
AX(config-gslb service-ip)#exit
AX(config)#gslb service-ip gslb-srvc3 192.168.100.102
AX(config-gslb service-ip)#health-check site1-hm
Both the real port and the port to use for the real port’s health status must be
the same type, TCP or UDP.
2. In the port configuration section, select the Follow Port radio button.
3. Enter the port number of the TCP or UDP port upon which to base the
health of the real port.
4. Select the Layer 4 protocol of the port to use for health checking, TCP
or UDP.
Use the following command at the configuration level for the real port:
[no] health-check follow-port port-num
Service Group Health Checks
In this example, a single server provides content for the following sites:
• www.media-rts.com
• www.media-tuv.com
• www.media-wxyz.com
All sites can be reached on HTTP port 80 on the server. The health check
configured on the port in the real server configuration results in the same
health status for all three sites. All of them either are up or are down.
In this case, if one of the sites is taken down for maintenance, the health status of that site will still be up, since the real port still responds to the health check configured on the port.
You can configure the AX device to separately test the health of each site,
by assigning each site to a separate service group, and assigning a separate
Layer 7 health monitor to each of the service groups. In this case, if a site is
taken down for maintenance, that site fails its health check while the other
sites still pass their health checks, on the same real port.
Health checks can be applied to the same resource (real server or port) at the
following levels:
• In a service group that contains the server and port as a member
In cases where health checks are applied at multiple levels, they have the
following priority:
1. Health check on real server
2. Health check on real server’s port
3. Health check on service group
If a health check at the real server level (1) fails, the corresponding real server, real server port, and service group members are marked Down. However, if a health check on the service group level (3) fails, only that service group member in that service group is marked Down.
In the Service Group configuration section, select the monitor from the
Health Monitor list or click “create” to create a new one and select it.
Use the following command at the configuration level for the service group:
CLI Example
The commands in this section implement the configuration shown in
Figure 128.
The following commands configure the health monitors for each site on the
server:
AX(config)#health monitor qrs
AX(config-health:monitor)#method http url GET /media-qrs/index.html
AX(config-health:monitor)#exit
AX(config)#health monitor tuv
AX(config-health:monitor)#method http url GET /media-tuv/index.html
AX(config-health:monitor)#exit
AX(config)#health monitor wxyz
AX(config-health:monitor)#method http url GET /media-wxyz/index.html
AX(config-health:monitor)#exit
Disable Following Failed Health Check
The following commands configure the service groups:
AX(config)#slb service-group qrs tcp
AX(config-slb svc group)#member media-rs:80
AX(config-slb svc group)#health-check qrs
AX(config-slb svc group)#exit
AX(config)#slb service-group tuv tcp
AX(config-slb svc group)#member media-rs:80
AX(config-slb svc group)#health-check tuv
AX(config-slb svc group)#exit
AX(config)#slb service-group wxyz tcp
AX(config-slb svc group)#member media-rs:80
AX(config-slb svc group)#health-check wxyz
AX(config-slb svc group)#exit
This option applies to all servers, ports, or service groups that use the health
monitor. When a server, port, or service group is disabled based on this
command, the server, port, or service group’s state is changed to disable in
the running-config. If you save the configuration while the server, port, or
service group is disabled, the state change is written to the startup-config.
In-Band Health Monitoring
The AX device also generates a log message to indicate that the server, port,
or service group is disabled.
The server, port, or service group remains disabled until you explicitly
enable it.
This option is disabled by default. (A server, port, or service group that uses
the health monitor is not disabled if it fails a health check.)
3. Click on the health monitor name or click Add to create a new one.
In the current release, in-band health monitoring is supported for the following service types:
• TCP
• HTTP
• HTTPS
Relationship To Standard Layer 4 Health Monitoring
The in-band health check works independently of and supplements the standard Layer 4 health check. For example, for TCP, the standard health check works as follows by default:
This is the same Layer 4 health check available in previous releases and has
the same defaults.
Note: A10 Networks recommends that you continue to use standard Layer 4
health monitoring even if you enable in-band health monitoring. Without
standard health monitoring, a server port marked down by an in-band
health check remains down.
Logging and Traps
When the AX device marks a server port down, the device generates a log
message and an SNMP trap, if logging or SNMP traps are enabled. The
message and trap are the same as those generated when a server port fails a
standard health check. However, you can discern whether the port was
marked down due to a failed in-band health check or standard health check,
based on the module name listed in the message.
• A10LB – The port was marked down by an in-band health check.
In-band health monitoring does not mark ports up. Only standard health
monitoring marks ports up. So messages and traps for server ports coming
up are generated only by the A10HM module.
2. Bind the port template to real server ports, either directly or in a service
group.
7. Enter other parameters as needed (for example, the template name, if
you are creating a new template).
8. Click OK.
To bind the template to a server port, see “Binding a Server Port Template to
a Real Server Port” on page 368.
[no] inband-health-check
[retry maximum-retries]
[reassign maximum-reassigns]
CLI Example
Consecutive Health Checks Within a Health Check Period
You can configure this parameter on an individual health monitor basis. The setting applies to all health checks that are performed using the health monitor.
4. In the Health Monitor section, enter a name for the monitor (if new).
5. In the Consec Pass Req’d field, enter the number of consecutive times
the target must pass the same periodic health check.
6. If new, in the Method section, select the monitor type from the Type
drop-down list, and enter or select settings for the monitor.
7. Click OK.
Maintenance Health Status for Servers in Persistence Configurations
3. Click on the health monitor name or click Add to create a new one.
4. In the Maintenance Code field, enter the response code to use to trigger
the AX device to change the server’s status to Maintenance.
On-Demand Health Checks
Use the maintenance-code code-list option with one of the following commands at the configuration level for a health method:
http options
https options
CLI Example
In this example, if the server replies with code 601, the server goes into
maintenance mode, and stays there until the server either fails a health
check (Down) or replies with code 200 (Up).
3. Select the health monitor to use from the Health Monitor drop-down list.
4. To test a specific service, enter the protocol port number for the service
in the Port field.
5. Click Start.
The status of the server or service appears in the Status message area.
Note: If an override IP address and protocol port are set in the health monitor
configuration, the AX device will use the override address and port, even
if you specify an address and port when you send the on-demand health
check.
USING THE CLI
To test the health of a server, use the following command at the EXEC,
Privileged EXEC, or global configuration level of the CLI:
health-test {ipaddr | ipv6 ipv6addr} [count num]
[monitorname monitor-name] [port portnum]
The ipaddr | ipv6 ipv6addr option specifies the IPv4 or IPv6 address of the
device to test.
The count num option specifies the number of health checks to send to the
device. You can specify 1-65535. The default is 1.
The monitorname monitor-name option specifies the health monitor to use.
The health monitor must already be configured. By default, the default
Layer 3 health check (ICMP ping) is used.
The port portnum option specifies the protocol port to test, 1-65535. By default, the protocol port number specified in the health monitor configuration is used.
Note: If an override IP address and protocol port are set in the health monitor
configuration, the AX device will use the override address and port, even
if you specify an address and port when you send the on-demand health
check.
CLI Example
The following command tests port 80 on server 192.168.1.66, using configured health monitor hm80:
AX#health-test 192.168.1.66 monitorname hm80
node status UP.
Enabling Strict Retries
For example, this is true for HTTP health monitors that expect a string in the
server reply. If the server’s HTTP port does not reply to the first health
check attempt with the expected string, the AX device immediately marks
the port Down.
To force the AX device to wait until all retries are unsuccessful before
marking a server or port down, enable strict retries. You can enable strict
retries on an individual health monitor basis.
On the configuration page for the health monitor, select the Strictly Retry
checkbox.
[no] strictly-retry-on-server-error-response
CLI Example
The following commands configure an HTTP health monitor that checks for
the presence of “testpage.html”, and enable strict retries for the monitor.
AX(config)#health monitor http-exhaust
AX(config-health:monitor)#method http url GET /testpage.html
AX(config-health:monitor)#strictly-retry-on-server-error-response
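The following is an added Python model, not AX code, of how the retry, consecutive-pass (Consec Pass Req'd, page 414) and strict-retry settings described in these sections turn individual check outcomes into an Up/Down status. The outcome names, the meaning of the retry counter (consecutive failed attempts before Down) and the retry default of 3 are assumptions; only the immediate-Down default for an unexpected reply and the strict-retry behaviour come from the text.

```python
"""Added example (not AX code): a small state machine for how a health
monitor's retry, consecutive-pass (up-retry) and strict-retry settings turn
individual check outcomes into an Up/Down status."""
from dataclasses import dataclass

UP, DOWN = "UP", "DOWN"
# Assumed outcome names for one health check attempt:
PASS = "pass"                  # reply matched the method's success rule
TIMEOUT = "timeout"            # no usable reply within the timeout
SERVER_ERROR = "server-error"  # a reply arrived but failed the check (e.g. Expect string missing)


@dataclass
class HealthMonitorState:
    retry: int = 3              # consecutive failed attempts before Down (default value assumed)
    up_retry: int = 1           # consecutive passes required before Up ("Consec Pass Req'd")
    strict_retry: bool = False  # strictly-retry-on-server-error-response
    status: str = UP
    failures: int = 0           # consecutive failures while Up
    passes: int = 0             # consecutive passes while Down

    def observe(self, outcome: str) -> str:
        """Feed one check outcome and return the resulting status."""
        if outcome not in (PASS, TIMEOUT, SERVER_ERROR):
            raise ValueError(f"unknown outcome {outcome!r}")
        if outcome == PASS:
            self.failures = 0
            if self.status == DOWN:
                self.passes += 1
                if self.passes >= self.up_retry:
                    self.status, self.passes = UP, 0
            return self.status
        self.passes = 0
        if self.status == UP:
            # Default behaviour: a reply that fails the check (not a timeout)
            # marks the target Down at once; strict retries make it consume
            # the retry budget like a timeout instead.
            immediate = outcome == SERVER_ERROR and not self.strict_retry
            self.failures += 1
            if immediate or self.failures >= self.retry:
                self.status, self.failures = DOWN, 0
        return self.status


def run(monitor: HealthMonitorState, outcomes: list[str]) -> list[str]:
    """Apply a sequence of outcomes and return the status after each one."""
    return [monitor.observe(outcome) for outcome in outcomes]
```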
Globally Changing Health Monitor Parameters
Globally changing a health monitor parameter changes the default for that
parameter. For example, if you globally change the interval from 5 seconds
to 10 seconds, the default interval becomes 10 seconds.
Note: Global health monitor parameter changes automatically apply to all new
health monitors configured after the change. To apply a global health
monitor parameter change to health monitors that were configured before
the change, you must reboot the AX device.
health global
{
interval seconds |
retry number |
timeout seconds |
up-retry number
}
You can change one or more parameters on the same command line.
Note: To change a global parameter back to its factory default, use the
health global form of the command and specify the parameter value to
use.
CLI Example
3. Click on the name of the server template used to configure the servers. If
you did not configure a server template, click “default” to edit the
default server template.
4. Select the blank option from the Health Monitor drop-down list. (Do not
leave “default” selected.)
5. Click OK.
At the global configuration level of the CLI, use the following command to
access the configuration level for the server template:
slb template server template-name
Compound Health Monitors
Use the following command to disable Layer 3 health monitoring in the
template:
no health-check
CLI Example
The following commands disable Layer 3 health monitoring in the default
server template:
AX(config)#slb template server default
AX(config-rserver)#no health-check
After listing the health monitors, add the Boolean operator(s). The following operators are supported:
• AND – Both the ANDed health checks must be successful for the health status to be Up. If either of the health checks is unsuccessful, the health status is Down.
• OR – Either of the ORed health checks must be successful for the result to be Up. Even if one of the health checks is unsuccessful, the health status is still Up if the other health check is successful. If both of the health checks are unsuccessful, the health status is Down.
• NOT – The health status is the opposite of the health check result. For example, if a health check is unsuccessful, the resulting health status is Up. Likewise, if the health check is successful, the resulting health status is Down. You can use NOT with a single health method, or with multiple health methods for more complex expressions. (See below.)
For example, to construct a health monitor that ANDs two health monitors,
use the following syntax:
method compound sub hm1 sub hm2 AND
This is logically equivalent to the following expression: hm1 & hm2
Note: In the CLI, you must enter method compound at the beginning, and sub
in front of each health-monitor name. In the GUI, do not enter method
compound. The GUI automatically enters sub in front of each health
monitor name when you select it.
Note: The equivalent expressions are shown for clarity but are not valid syntax
on the AX device.
Similarly, to construct a health monitor that ORs two health monitors, use
the following syntax:
method compound sub hm1 sub hm2 OR
This is logically equivalent to the following expression: hm1 | hm2
Considerations
• A maximum of 8 sub monitors are supported in a compound monitor. To use more sub monitors, you can nest compound monitors. (See below.)
• The total number of sub monitors plus the number of Boolean operators supported in a compound monitor is 16.
• You can nest compound monitors. To nest compound monitors, configure a compound monitor, then use that compound monitor as a sub monitor in another compound monitor. The maximum nesting depth is 8. Nesting loops are not allowed.
• The timeout and interval parameters of a compound monitor must be set to values that allow each of the sub monitors to complete its health check. If any of the sub monitors is unable to complete its health check, the compound monitor’s result will always be Down.
For example, if monitor1 gives a result after 2 seconds, but a compound monitor that uses monitor1 times out in 1 second, the resulting health status will always be Down, regardless of the Boolean expression.
• Compound health monitoring increases the workload of the health monitoring subsystem. For example, using a compound monitor with many sub monitors against a service group with many members can affect system performance.
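As an added illustration that is not A10 code, the following Python evaluates compound-monitor expressions written in the CLI's RPN form, applies the AND/OR/NOT rules and the limits listed in the considerations above, and treats a sub monitor that did not complete as forcing a Down result; the monitor names and results are constructed.

```python
"""Evaluate AX-style compound health monitor expressions.

Added example, not A10 code. Expressions use the CLI's Reverse Polish
Notation, e.g. "sub hm1 sub hm2 AND". A sub monitor result is "Up",
"Down", or None (None = the sub monitor could not complete inside the
compound monitor's timeout, which forces the compound result to Down).
Monitor names and results below are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

MAX_SUB_MONITORS = 8          # documented limit per compound monitor
MAX_SUBS_PLUS_OPERATORS = 16  # documented limit on sub monitors + operators
MAX_NESTING_DEPTH = 8         # documented nesting depth limit
OPERATORS = {"AND": 2, "OR": 2, "NOT": 1}   # operator -> number of operands


def parse_expression(expr: str) -> List[Tuple[str, str]]:
    """Tokenize 'sub hm1 sub hm2 AND' into [('sub','hm1'), ('sub','hm2'), ('op','AND')]."""
    words = expr.split()
    tokens: List[Tuple[str, str]] = []
    i = 0
    while i < len(words):
        if words[i] == "sub":
            if i + 1 >= len(words):
                raise ValueError("'sub' must be followed by a health monitor name")
            tokens.append(("sub", words[i + 1]))
            i += 2
        elif words[i] in OPERATORS:
            tokens.append(("op", words[i]))
            i += 1
        else:
            raise ValueError(f"unexpected token {words[i]!r}")
    subs = sum(1 for kind, _ in tokens if kind == "sub")
    if subs > MAX_SUB_MONITORS:
        raise ValueError(f"{subs} sub monitors; the limit is {MAX_SUB_MONITORS}")
    if len(tokens) > MAX_SUBS_PLUS_OPERATORS:
        raise ValueError(f"{len(tokens)} sub monitors plus operators; the limit is 16")
    return tokens


def evaluate(name: str, compounds: Dict[str, str], results: Dict[str, Optional[str]],
             depth: int = 1, trail: Tuple[str, ...] = ()) -> Optional[str]:
    """Return 'Up' or 'Down' for a compound monitor, or the raw result for a simple one.

    compounds: compound monitor name -> RPN expression
    results:   simple monitor name -> 'Up' | 'Down' | None (did not complete)
    """
    if name in trail:
        raise ValueError(f"nesting loop through {name!r} is not allowed")
    if name not in compounds:                    # simple (non-compound) monitor
        return results.get(name)
    if depth > MAX_NESTING_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_NESTING_DEPTH} levels")
    stack: List[Optional[str]] = []
    for kind, value in parse_expression(compounds[name]):
        if kind == "sub":
            stack.append(evaluate(value, compounds, results, depth + 1, trail + (name,)))
            continue
        arity = OPERATORS[value]
        if len(stack) < arity:
            raise ValueError(f"{value} has too few operands; the expression is not valid RPN")
        args = [stack.pop() for _ in range(arity)]
        if any(a is None for a in args):
            stack.append(None)                   # an incomplete sub check poisons the result
        elif value == "AND":
            stack.append("Up" if all(a == "Up" for a in args) else "Down")
        elif value == "OR":
            stack.append("Up" if any(a == "Up" for a in args) else "Down")
        else:                                    # NOT inverts the check result
            stack.append("Down" if args[0] == "Up" else "Up")
    if len(stack) != 1:
        raise ValueError("expression does not reduce to one result; it is not valid RPN")
    # A sub monitor that never completed makes the compound result Down, whatever the expression.
    return "Down" if stack[0] is None else stack[0]


def is_valid(name: str, compounds: Dict[str, str]) -> bool:
    """True when the compound monitor parses and nests within the documented limits."""
    try:
        evaluate(name, compounds, {})
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    compounds = {
        "hm-compoundAND": "sub hm1 sub hm2 AND",        # hm1 & hm2
        "hm-compoundOR": "sub hm1 sub hm2 OR",          # hm1 | hm2
        "hm-notboth": "sub hm1 sub hm2 AND NOT",        # NOT applied to a compound result
        "hm-nested": "sub hm-compoundAND sub hm3 OR",   # compound used as a sub monitor
    }
    results = {"hm1": "Up", "hm2": "Down", "hm3": "Up"}
    for hm in compounds:
        print(f"{hm:16} -> {evaluate(hm, compounds, results)}")
```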
3. In the Method section, select Compound from the Type drop-down list.
The Boolean Expression configuration controls appear.
Note: Make sure to use Reverse Polish Notation. (See “Compound Health Monitor Syntax” on page 421.) Otherwise, the GUI will display an error message when you click OK to complete the health monitor configuration.
FIGURE 129 Compound Health Monitor Configuration
Note: Make sure to use Reverse Polish Notation. (See “Compound Health Monitor Syntax” on page 421.)
CLI Examples
Displaying Health Status
The following commands apply the health monitor to a service group:
AX(config)#slb service-group sg1 tcp
AX(config-slb svc group)#health-check hm-compoundAND
Virtual server health status is also displayed in the virtual server list displayed by Config > Service > SLB > Virtual Server.
For information about the virtual server health state icons, see the
“Monitor > Overview > Status” section in the “Monitor Mode” chapter of
the AX Series GUI Reference.
To display the health of real servers and service ports:
1. Select Monitor > Service > Server.
Real server health status is also displayed in the real server list displayed by
Config > Service > SLB > Server.
For information about the real server health state icons, see the
“Monitor > Service > Server” section in the “Monitor Mode” chapter of the
AX Series GUI Reference.
Use the following command. The health is shown in the State field. For
descriptions of each health state, see the AX Series CLI Reference.
Here is an example:
AX#show slb virtual-server "vs 1"
Virtual server: vs 1 State: Down IP: 1.1.1.201
Pri Port/State Curr-conn Total-conn Rev-Pkt Fwd-Pkt
------------------------------------------------------------------------
Virtual Port:3 / service: / state:Unkn
port 3 tcp
Template tcp tmpl tcp 1
Use the following command. The health is shown in the State field. For
descriptions of each health state, see the AX Series CLI Reference.
Here is an example:
AX#show slb server
Total Number of Services configured: 5
Current = Current Connections, Total = Total Connections
Fwd-pkt = Forward packets, Rev-pkt = Reverse packets
Service Current Total Fwd-pkt Rev-pkt State
------------------------------------------------------------------------------
s1:80/tcp 0 0 0 0 Down
s1:53/udp 0 0 0 0 Down
s1:85/udp 0 0 0 0 Down
s1: Total 0 0 0 0 Down
...
Here is an example:
AX#show health stat
Health monitor statistics
Total run time: : 2 hours 1345 seconds
Number of burst: : 0
Number of timer adjustment: : 0
Timer offset: : 0
Opened socket: : 1140
Open socket failed: : 0
Close socket: : 1136
Send packet: : 0
Send packet failed: : 259379
Receive packet: : 0
Receive packet failed : 0
Retry times: : 4270
Timeout: : 0
Unexpected error: : 0
• Shell
• Tcl
Utility commands such as ping, ping6, wget, dig, and so on are supported.
Configuration
To use an external health method:
1. Configure a health monitor script.
4. In the server configuration, set the health check to use the method.
Using External Health Methods
USING THE GUI
3. Click Add.
6. Click OK.
2. Click Add.
8. Click OK.
4. If configuring a new server, enter the name and IP address, and other
general parameters as applicable.
5. In the Port section:
a. If adding a new port, enter the port number in the Port field.
b. Select the external health monitor from the Health Monitor field.
6. Click OK.
For program-name, use the same filename you used when you imported the
script.
Script Examples
For Tcl scripts, the health check parameters are passed to the script through the predefined Tcl array ax_env. The array element ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the server port number. Set ax_env(Result) to 0 to report a pass; any other value is treated as a fail.
Tcl script filenames must use the “.tcl” extension.
To use the external method, you must import the program onto the
AX Series device. The script execution result indicates the server status,
which must be stored in ax_env(Result).
# Open a TCP socket to the server being checked; ax_env(Result) 0 = pass, 1 = fail
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
    puts stderr "$ax_env(ServerHost): $sock"
    set ax_env(Result) 1
} else {
    fconfigure $sock -buffering none -eofchar {}
    close $sock
    set ax_env(Result) 0
}
For other external scripts (non-Tcl), environment variables are used to pass
the server IP address (HM_SRV_IPADDR) and the port number
(HM_SRV_PORT). The script returns 0 as pass and returns others as fail.
For Perl scripts, use #! /usr/bin/perl at the beginning of the script.
#! /usr/bin/perl
use strict;
use IO::Socket::INET;
my $host = $ENV{'HM_SRV_IPADDR'};
my $port = 80;
if (defined($ENV{'HM_SRV_PORT'})) {
   $port = $ENV{'HM_SRV_PORT'};
}
# TCP connect check: exit status 0 = pass, any other value = fail
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => 5);
exit($sock ? 0 : 1);
# vim: tw=78:sw=3:tabstop=3:autoindent:expandtab
Shell Script Example
Overview
Global Server Load Balancing (GSLB) extends load balancing to global
geographic scale. AX Series adds intelligence to DNS. GSLB evaluates the
server IP addresses in DNS replies and changes the order of the addresses in
the replies so that the best available host IP address is the preferred choice.
AX Series GSLB provides the following key advantages:
• Protects businesses from down time due to site failures
Figure 130 shows an example of a GSLB configuration.
In this example, the GSLB AX device (the GSLB controller) globally load
balances client requests for “www.a10.com”.
The a10.com services reside on real servers at two sites. At each site, an AX
device provides SLB for the real servers. On the GSLB AX device, the sites
are grouped into a zone for the service.
When the GSLB AX device receives the DNS reply, the device re-orders the
IP addresses in the reply based on the results of site evaluation using the
configured GSLB metrics. The GSLB AX device also makes other changes
to the DNS reply, such as shortening the TTL of the IP Address records, if
specified by the GSLB configuration. The GSLB AX device then sends the
modified DNS reply to the client.
When the client receives the DNS reply, the client then sends the HTTP
request to the IP address that the GSLB AX device placed at the top of the
IP address list in the DNS reply.
Advantages of GSLB
In standard DNS, when a client wants to connect to a host and has the hostname but not the IP address, the client sends a lookup request to its local DNS server. The local DNS server checks its local database.
• If the database contains an Address record for the requested host name,
the DNS server sends the IP address for the host name back to the client.
The client can then access the host.
• If the local DNS server does not have an Address record for the
requested server, the local DNS server makes recursive queries to the
root and intermediate DNS servers, which results in authoritative DNS
server addresses. When a request reaches an authoritative DNS server,
that DNS server sends a reply to the DNS query. The client’s local DNS
server then sends the reply to the client. The client now can access the
requested host.
In today’s redundant data centers and multiple service provider sites, a host name can reside at multiple data centers or sites, with different IP addresses. When this is the case, the authoritative DNS server for the host sends multiple IP addresses in its replies to DNS queries. Standard DNS servers can provide only rudimentary load sharing for the addresses, using a simple round-robin algorithm to rotate the list of addresses for each query. Thus, the address that is listed first in the last reply sent by the DNS server is rotated to be the last address listed in the next reply, and so on.
GSLB Policy
GSLB evaluates the service IP addresses listed in replies from DNS servers
to clients, re-orders the addresses based on that evaluation, and sends the
DNS replies to clients with the re-ordered IP address lists. As a result of this
process, each client receives a DNS reply that has the best service IP
address listed first.
GSLB selects the best site IP address using a GSLB policy. A GSLB policy
consists of one or more of the following metrics:
1. health-check – Services that pass health checks are preferred.
2. weighted-ip – Service IP addresses with higher administratively
assigned weights are used more often than service IP addresses with
lower weights. (See “Weighted-IP and Weighted-Site” on page 440.)
3. weighted-site – Sites with higher administratively assigned weights are
preferred. Sites with higher administratively assigned weights are used
more often than sites with lower weights. (See “Weighted-IP and
Weighted-Site” on page 440.)
4. session capacity – Sites with more available sessions based on respective maximum session capacity are preferred.
5. active-servers – Sites with the most currently active servers are preferred.
6. active-rtt – Sites with faster round-trip-times for DNS queries and replies between a site AX device and the GSLB local DNS are preferred.
7. passive-rtt – Services with faster response times to clients are preferred.
8. geographic – Services located within the client’s geographic region are
preferred.
9. connection-load – Sites that are not exceeding their thresholds for new
connections are preferred.
10. num-session – Sites that are not exceeding available session capacity threshold compared to other sites are treated as having the same preference.
11. admin-preference – The site with the highest administratively set preference is selected.
12. bw-cost – Selects sites based on bandwidth utilization on the site AX
links.
13. least-response – Service IP addresses with the fewest hits are preferred.
14. ordered-ip – Service IP addresses are administratively prioritized. The
prioritized list is sent to the next metric for further evaluation. If
ordered-ip is the last metric, the prioritized list is sent to the client. (See
“Ordered-IP” on page 440.)
15. round-robin – Sites are selected in sequential order. (See “Tie-Breaker”
on page 440.)
16. alias-admin-preference – Selects the DNS CNAME record with the
highest administratively set preference. This metric is similar to the
Admin Preference metric, but applies only to DNS CNAME records.
17. weighted-alias – Prefers CNAME records with higher weight values
over CNAME records with lower weight values. This metric is similar
to Weighted-IP, but applies only to DNS CNAME records.
The GSLB AX device uses each enabled GSLB metric to select or eliminate service IP addresses, then passes the subset of addresses that pass the metric’s criteria to the next metric, and so on, to sort (re-order) the list of addresses. The GSLB AX device then replaces the IP address list in the DNS reply with the re-ordered list before sending the reply to the client.
The metric order and the configuration of each metric are specified in a GSLB policy. Policies can be applied to GSLB zones and to individual services. The GSLB AX device has a default GSLB policy, named “default”, that is automatically applied to a zone or service, unless you configure and assign a different policy to the zone or service.
Note: Metric order does not apply to the alias-admin-preference and weighted-alias metrics. When enabled, alias-admin-preference always has high priority.
Weighted-IP and Weighted-Site
The weighted-ip and weighted-site metrics allow you to bias selection
toward specific sites or IP addresses. GSLB selects higher-weighted sites or
IP addresses more often than lower-weighted sites or IP addresses.
For example, if there are two sites (A and B), and A has weight 2 whereas B
has weight 4, GSLB will select site B twice as often as site A. Specifically,
GSLB will select site B the first 4 times, and will then select site A the next
2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the
next 2 times, then B is chosen the next 4 times, and so on.
Note: If DNS caching is used, the cycle starts over if the cache aging timer
expires.
Ordered-IP
Most metrics select a site or IP address as the best address. However, the ordered-ip metric does not select or eliminate sites or IP addresses. Instead, the ordered-ip metric re-orders the IP addresses based on the metric’s configuration in the GSLB policy.
If there are any more metrics after ordered-ip, the re-ordered list is sent to
the next metric.
If you plan to use the ordered-ip metric, you need to disable the round-robin
metric. Otherwise, round-robin will be used as the tie-breaker and the
ordered IP list will be ignored.
Tie-Breaker
If all the enabled metrics in the policy result in a tie (do not definitively
select a single site as the best site), the AX device uses round-robin to select
a site. This is true even if the round-robin metric is disabled in the GSLB
policy.
Note: If the last metric is ordered-ip, and round-robin is disabled, the prioritized
list of IP addresses is sent to the client. Round-robin is not used.
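To show how the metric pipeline, the weighted-ip cycle, ordered-ip and the round-robin tie-breaker described in this section fit together, here is an added Python simulation (not A10 code); the addresses, weights and the assumption that a candidate list with no Up address is passed on unchanged are constructed for illustration.

```python
"""Simulate how a GSLB policy orders the service IPs in a DNS reply.

Added example, not A10 code. Each enabled metric receives the candidate
list and returns the subset (or re-ordering) handed to the next metric;
the surviving candidates are listed first in the reply. Only the metrics
this section describes in detail are modelled: health-check, weighted-ip,
ordered-ip and round-robin. Addresses and weights are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class GslbPolicy:
    metrics: List[str]                                     # enabled metrics, evaluation order
    health: Dict[str, str] = field(default_factory=dict)   # ip -> "Up" / "Down"
    weights: Dict[str, int] = field(default_factory=dict)  # ip -> administrative weight (>= 1)
    ordered: List[str] = field(default_factory=list)       # ordered-ip priority list
    _rr_index: int = 0      # round-robin position, also used as the tie-breaker
    _weight_slot: int = 0   # position in the weighted selection cycle

    def _health_check(self, ips: List[str]) -> List[str]:
        # Addresses that passed their health check are preferred. Assumption:
        # when none passed, the list is handed on unchanged.
        up = [ip for ip in ips if self.health.get(ip) == "Up"]
        return up or list(ips)

    def _weighted_ip(self, ips: List[str]) -> List[str]:
        # Documented cycle: with weights B=4 and A=2, B is chosen 4 times in a
        # row, then A 2 times, and the cycle repeats (B twice as often as A).
        by_weight = sorted(ips, key=lambda ip: self.weights.get(ip, 1), reverse=True)
        cycle = [ip for ip in by_weight for _ in range(max(self.weights.get(ip, 1), 1))]
        chosen = cycle[self._weight_slot % len(cycle)]
        self._weight_slot += 1
        return [chosen]

    def _ordered_ip(self, ips: List[str]) -> List[str]:
        # Re-orders instead of selecting; unlisted addresses keep their order at the end.
        ranked = [ip for ip in self.ordered if ip in ips]
        return ranked + [ip for ip in ips if ip not in ranked]

    def _round_robin(self, ips: List[str]) -> List[str]:
        chosen = ips[self._rr_index % len(ips)]
        self._rr_index += 1
        return [chosen]

    def resolve(self, ips: List[str]) -> List[str]:
        """Return the IP list as it would appear in the DNS reply, best address first."""
        handlers = {
            "health-check": self._health_check,
            "weighted-ip": self._weighted_ip,
            "ordered-ip": self._ordered_ip,
            "round-robin": self._round_robin,
        }
        candidates = list(ips)
        for metric in self.metrics:
            candidates = handlers[metric](candidates)
        # Tie-breaker: round-robin is applied even when it is not an enabled
        # metric, except when ordered-ip is the last metric and round-robin is
        # disabled, in which case the prioritized list goes out as is.
        keep_order = (bool(self.metrics) and self.metrics[-1] == "ordered-ip"
                      and "round-robin" not in self.metrics)
        if len(candidates) > 1 and not keep_order:
            shift = self._rr_index % len(candidates)
            self._rr_index += 1
            candidates = candidates[shift:] + candidates[:shift]
        # Eliminated addresses still appear in the reply, after the survivors.
        return candidates + [ip for ip in ips if ip not in candidates]


if __name__ == "__main__":
    policy = GslbPolicy(metrics=["health-check", "weighted-ip"],
                        health={"A": "Up", "B": "Up"}, weights={"A": 2, "B": 4})
    print([policy.resolve(["A", "B"])[0] for _ in range(12)])
```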
Health Checks
The health-check metric checks the availability (health) of the real servers
and service ports. Sites whose real servers and service ports respond to the
health checks are preferred over sites in which servers or service ports are
unresponsive to the health checks.
GSLB supports health check methods for the following services:
ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP,
POP3, SNMP, DNS, RADIUS, LDAP, RTSP, SIP
You can use the default health methods or configure new methods for any of
these services.
Note: By default, the GSLB protocol is used for health checking a service, if the
protocol can reach the service. Otherwise, health checking is performed
using standard network traffic instead.
Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geographically closer to the clients. For example, if a domain is served by sites in both the USA and Asia, you can configure GSLB to favor the USA site for USA clients while preferring the Asian site for Asian clients.
To configure geo-location:
• Leave the geographic GSLB metric enabled.
• Load geo-location data. You can load geo-location data from a file or
manually configure individual geo-location mappings.
The AX software includes an Internet Assigned Numbers Authority (IANA)
database. The IANA database contains the geographic locations of the IP
address ranges and subnets assigned by the IANA. The IANA database is
loaded (enabled) by default.
CNAME Support
As an extension to geo-location support, you can configure GSLB to send a
Canonical Name (CNAME) record instead of an Address record in DNS
replies to clients. A CNAME record maps a domain name to an alias for that
domain. For example, you can configure aliases such as the following for
domain “a10.com”, and associate the aliases with different geo-locations:
• www.a10.co.cn
• www.1.a10.com
• ftp.a10.com
• For individual services in the zone, configure the aliases and associate
them with geo-locations.
the CNAME records, GSLB tries to insert DNS A records by CNAME
record.
• DNS server – If applicable, enable the backup-alias option. If there is no
DNS A record to return, GSLB tries to insert all backup DNS CNAME
records. During insertion, if Alias metrics are enabled, GSLB may
remove some CNAME records. No DNS A records are returned.
This option also requires the dns-cname-record as-backup option on the
service.
DNS Options
DNS options provide additional control over the IP addresses listed in DNS
replies to clients. After the GSLB AX device uses the metrics to select and
prioritize the IP addresses for the DNS reply, the AX device applies the
enabled DNS options to the list.
• dns geoloc-policy – Returns the alias name configured for the client’s
geo-location.
• dns ip-replace – Replaces the IP addresses with the set of addresses
administratively assigned to the service in the zone configuration.
• dns ipv6 – Enables support for IPv6 AAAA records.
• dns server – Enables the GSLB AX device to act as a DNS server, for
specific service IPs in the GSLB zone.
• dns sticky – Sends the same service IP address to a client for all requests
from that client for the service address.
• dns ttl – Overrides the TTL set in the DNS reply. (For more information
about this option, see “TTL Override” on page 444.)
The cname-detect and external-ip options are enabled by default. All the
other DNS options are disabled by default.
If more than one of the following options are enabled, GSLB uses them in
the order listed, beginning with sticky:
1. sticky
2. server
3. cache
4. proxy
Note: GSLB does not have a separately configurable “proxy” option. The proxy
option is automatically enabled when you configure the DNS proxy as
part of GSLB configuration.
The site address selected by the first option that is applicable to the client
and requested service is used.
TTL Override
GSLB ensures that DNS replies to clients contain the optimal set of IP
addresses based on current network conditions. However, if the DNS TTL
value assigned to the Address records is long, the local DNS servers used by
clients might cache the replies for a long time, and send those stale replies to
clients. Thus, even though the GSLB AX device has current information,
clients might receive outdated information.
To ensure that the clients’ local DNS servers do not cache the DNS replies
for too long, you can configure the GSLB AX device to override the TTL
values of the Address records in the DNS replies before sending the replies
to clients.
The TTL of the DNS reply can be overridden in two different places in the
GSLB configuration:
1. If a GSLB policy is assigned to the individual service, the TTL set in
that policy is used.
• active-rtt
• passive-rtt
• connection-load
• num-session
• least-response
The GSLB protocol is required in order to collect the site information provided for these metrics.
Note: The GSLB protocol is also required for the health-check metric, if the
default health checks are used. If you modify the health checks, the GSLB
protocol is not required. (See “Health Checks” on page 440.)
Configuration Overview
Configuration is required on the GSLB AX device (GSLB controller) and
the site AX devices.
3. Configure a GSLB policy (unless you plan to use the default policy settings, described in “GSLB Policy” on page 438).
4. Configure services.
5. Configure sites.
6. Configure a zone.
Note: If you plan to run GSLB in server mode, the proxy DNS server does not
require configuration of a real server or service group. Only the VIP is
required. However, if you plan to run GSLB in proxy mode, the real
server and service group are required along with the VIP. (Server and
proxy mode are configured as DNS options. See “DNS Options” on
page 443.)
2. Enable the GSLB protocol for the GSLB site device function.
Configuration takes place at the following levels:
• Zone
• Service IP
• Site
• SLB device
The parameters you can configure at each level are described in “GSLB
Parameters” on page 487.
The following sections describe the GSLB configuration steps in the GUI
and in the CLI. Required commands and commonly used options are listed.
For advanced commands and options, see “GSLB Parameters” on page 487.
Note: Each of the following configuration sections shows the CLI and GUI
methods for configuration. For complete configuration examples, see
“Configuration Examples” on page 514.
Use a DNS health monitor for the local DNS server. You also can use a
Layer 3 health monitor to check the IP reachability of the server.
For the GSLB service, use health monitors for the application types of the
services. For example, for an HTTP service, use an HTTP health monitor. If
the health-check metric is enabled in the GSLB policy, the metric will use
the results of service health checks to select sites.
To monitor the health of the real servers providing the services, configure
health monitors on the site SLB devices.
Configure the health monitors for the proxied DNS server and the GSLB
services on the GSLB AX device. Configure the health monitors for real
servers and their services on the site AX devices.
Configuration of health monitors is the same as for standard SLB. There are no special health monitoring options or requirements for GSLB. For configuration information, see “Health Monitoring” on page 381.
To configure the GSLB DNS proxy, use either of the following methods.
Note: The GUI will not accept the configuration if the IP address you enter here
is the same as the real DNS server IP address you enter when configuring
the service group for this proxy (below).
7. In the Port field, enter the DNS port number, if not already filled in.
8. In the Service Group field, select “create”. The Service Group and
Server sections appear.
11. In the Server section, in the Server drop-down list, enter the IP address
of the DNS server. Enter the real IP address of the DNS server, not the
IP address you are assigning to the DNS proxy.
12. Enter the DNS port number in the Port field and click Add. The server
information appears.
15. Click OK. The DNS proxy appears in the DNS proxy table.
2. To configure a service group and add the DNS proxy (real server) to it, use the following commands:
slb service-group group-name udp
Use this command at the global configuration level of the CLI. The command creates the service group and changes the CLI to the configuration level for it. To add the DNS server to the service group, use the following command:
member server-name:port-num
3. To configure a virtual server for the DNS proxy and bind it to the real server and service group, use the following commands:
slb virtual-server name ipaddr
Use this command at the global configuration level of the CLI. The command creates the virtual server and changes the CLI to the configuration level for it. To add the DNS port, use the following command:
port port-number udp
This command changes the CLI to the configuration level for the DNS port. To bind the DNS port to the DNS proxy service group and enable GSLB on the port, use the following commands:
service-group group-name
gslb-enable
In the “default” GSLB policy, the following metrics are enabled by default:
• health-check
• geographic
• round-robin
The other metrics are disabled. (For detailed information about policy
parameters and their defaults, see “GSLB Parameters” on page 487.)
Note: Although the geographic metric is enabled by default, there are no default geo-location mappings. To use the geographic metric, you must load or manually configure geo-location mappings. (See “Loading or Configuring Geo-Location Mappings” on page 467 later in this section.)
4. If you are configuring a new policy, enter a name in the Name field in
the General section.
5. In the Metrics section, drag-and-drop the metric from one column to the
other. For example, to disable the health-check metric, drag-and-drop it
from the In Use column to the Not In Use column.
If you are enabling a metric, drag it to the position you want it to be used
in the processing order. For example, if you are enabling the Admin
Preference metric and you want this metric to be used first, drag-and-
drop the metric to the top of the In Use column.
6. In the DNS Options section, configure the DNS options, if applicable to
your deployment. (For descriptions, see “DNS Options” on page 443
and Table 13, “GSLB Policy Parameters,” on page 502.)
7. Click OK.
To enable a metric, enter the metric name at the configuration level for the policy. For example, to enable the admin-preference metric, enter the following command:
AX(config gslb-policy)#admin-preference
To disable a GSLB metric, use the “no” form of the command for the metric, at the configuration level for the policy. For example, to disable the health-check metric, enter the following command at the configuration level for the policy:
AX(config gslb-policy)#no health-check
To set DNS options, use the following command at the configuration level
for the policy. (For descriptions, see “DNS Options” on page 443 and
Table 13, “GSLB Policy Parameters,” on page 502.)
[no] dns
{
action |
active-only |
addition-mx |
backup-alias |
best-only [max-answers] |
cache [aging-time {seconds | ttl}] |
cname-detect |
external-ip |
geoloc-action |
geoloc-alias |
geoloc-policy |
ip-replace |
ipv6 options |
logging {both | query | response}
[geo-location name | ip ipaddr] |
server [addition-mx] [authoritative [full-list]]
[mx] [ns [auto-ns]] [ptr [auto-ptr]] [srv] |
sticky [/prefix-length] [aging-time minutes]
[ipv6-mask mask-length] |
ttl num
}
4. If you are configuring a new policy, enter a name in the Name field in
the General section.
6. Click OK.
The metric option specifies a metric and can be one of the following:
• active-rtt
• active-servers
• admin-preference
• bw-cost
• capacity
• connection-load
• geographic
• health-check
• least-response
• num-session
• ordered-ip
• passive-rtt
• weighted-ip
• weighted-site
If you are planning to use the active-RTT or passive-RTT metric, read this
section. Otherwise, you can skip the section. Both these metrics are disabled
by default.
Active RTT
Active RTT measures the round-trip-time for a DNS query and reply
between a site AX device and the GSLB local DNS.
The active RTT metric is disabled by default. You can enable it to take either a single sample (single shot) or periodic samples at regular intervals.
• Sleep – Specifies the number of seconds GSLB stops tracking active-
RTT data for a client after a query fails. You can specify 1-300 seconds.
The default is 3.
• Timeout – Specifies the number of milliseconds GSLB will wait for a
reply before resending a query. You can specify 1-1023 milliseconds
(ms). The default is 1000 ms.
• Track – Specifies the number of seconds during which the AX device
collects samples for a client. The samples collected during the track time
are averaged together, and the averaged value is used as the active RTT
measurement for the client. You can specify 15-3600 seconds. The
default is 60 seconds.
The averaged RTT measurement is used until it ages out. The aging time for averaged RTT measurements is 10 minutes by default and is configurable on individual sites, using the active-rtt aging-time command.
Default Settings
When you enable Active RTT, a site AX device sends 5 DNS requests to the
GSLB domain’s local DNS. The GSLB AX device averages the RTT times
of the 5 samples.
The single-shot option is useful if you do not want to frequently update the
active RTT measurements. For example, if the GSLB domain's clients tend
to remain logged on for long periods of time, using the single-shot option
ensures that clients are not frequently sent to differing sites based on active
RTT measurements.
Multiple Samples
To periodically retake active RTT samples, do not use the single-shot
option. In this case, the AX device uses the averaged RTT based on the
number of samples measured for the intervals.
For example, if you set active RTT to use 3 samples with an interval of 5
seconds, the RTT is the average RTT for the last 3 samples, collected in 5-
second intervals. If you configure single-shot instead, a single sample is
taken.
Store-By
By default, the GSLB AX device stores one active RTT measurement per
site SLB device. Optionally, you can configure the GSLB AX device to
store one measurement per geo-location instead. This option is configurable
on individual GSLB sites. (See “Changing Active RTT Settings for a Site”
on page 457.)
Tolerance
The default measurement tolerance is 10 percent. If the RTT measurements
for more than one site are within 10 percent, the GSLB AX device considers
the sites to be equal in terms of active RTT. You can adjust the tolerance to
any value from 0-100 percent.
Enabling Active RTT
To enable active RTT, use either of the following methods.
4. Drag-and-drop Active RTT from the Not In Use column to the In Use
column.
5. Click the plus sign to display the Active RTT configuration fields.
7. To change settings for single-shot, edit the values in the Timeout and
Skip fields.
8. To change settings for multiple samples, edit the values in the Samples
and Tolerance fields.
9. Click OK.
If you omit all the options, the site AX device sends 5 DNS requests to the GSLB domain’s local DNS. The GSLB AX device averages the RTT times of the 5 samples. The active RTT measurements are regularly updated. You can use the samples option to change the number of samples to 1-8.
To enable single-shot RTT instead, use the single-shot option. For single-shot, you also can use the skip and timeout options. (See the descriptions above, in “Single Sample (Single Shot)” on page 454.)
CLI Examples
The following commands access the configuration level for GSLB policy
“gslbp2” and enable the active RTT metric, using all the default settings:
AX(config)#gslb policy gslbp2
AX(config gslb-policy)#active-rtt
The following commands access the configuration level for GSLB policy
“gslbp3” and enable the active RTT metric, using single-shot settings:
AX(config)#gslb policy gslbp3
AX(config gslb-policy)#active-rtt single-shot
AX(config gslb-policy)#active-rtt skip 3
In this example, each site AX device will send a single DNS query to the GSLB domain’s local DNS, and wait 3 seconds (the default) for a reply. The site AX devices will then send their RTT measurements to the GSLB AX device. However, if more than 3 site AX devices fail to send their RTT measurements to the GSLB AX device, the AX device will not use the active RTT metric.
• mask – Specifies the maximum RTT allowed for the site. If the RTT
measurement for a site exceeds the configured limit, GSLB does not
eliminate the site. Instead, GSLB moves to the next metric in the policy.
You can specify 0-16383 milliseconds (ms). The default is 16383.
• range-factor – Specifies the maximum percentage a new active-RTT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.
For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used.
You can specify 1-1000. The default is 25.
• smooth-factor – Blends the new measurement with the previous one, to smooth the measurements.
For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement.
You can specify 1-100. The default is 10.
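The range-factor, smooth-factor and tolerance rules above, worked through on constructed sample values (an added example, not A10 code; it assumes the lowest site RTT is the reference point for the tolerance comparison):

```python
"""Added example (not A10's code): how the active-RTT range-factor, smooth-factor
and tolerance settings described above combine, using the guide's defaults."""


def accept_sample(previous_ms, new_ms, range_factor=25):
    """range-factor rule: keep the new measurement only if it lies within
    +/- range_factor percent of the previous stored value; otherwise the
    previous value is used again. The first measurement is always kept."""
    if previous_ms is None:
        return new_ms
    low = previous_ms * (100 - range_factor) / 100
    high = previous_ms * (100 + range_factor) / 100
    return new_ms if low <= new_ms <= high else previous_ms


def smooth(previous_ms, accepted_ms, smooth_factor=10):
    """smooth-factor rule: blend smooth_factor percent of the accepted value
    with (100 - smooth_factor) percent of the previously stored value."""
    if previous_ms is None:
        return accepted_ms
    return (smooth_factor * accepted_ms + (100 - smooth_factor) * previous_ms) / 100


def track_rtt(period_averages_ms, range_factor=25, smooth_factor=10):
    """Feed one averaged measurement per track period through both filters and
    return the stored active-RTT value after each period."""
    stored = None
    history = []
    for avg in period_averages_ms:
        accepted = accept_sample(stored, avg, range_factor)
        stored = smooth(stored, accepted, smooth_factor)
        history.append(stored)
    return history


def sites_within_tolerance(site_rtt_ms, tolerance_pct=10):
    """Sites whose stored RTT is within tolerance_pct of the lowest one
    (assumption: the lowest RTT is the reference); GSLB treats these sites as
    equal in terms of active RTT."""
    best = min(site_rtt_ms.values())
    cutoff = best * (100 + tolerance_pct) / 100
    return sorted(name for name, rtt in site_rtt_ms.items() if rtt <= cutoff)


if __name__ == "__main__":
    # Constructed per-period averages: the 200 ms spike is outside 75%-125% of
    # the stored 101 ms and is discarded, so it never reaches the smoothing step.
    print(track_rtt([100, 110, 200, 90]))  # [100, 101.0, 101.0, 99.9]
    print(sites_within_tolerance({"usa": 100.0, "eu": 108.0, "apac": 150.0}))
```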
Use the Options section of the GUI page for the site.
Use the following command at the configuration level for the site:
[no] active-rtt
aging-time minutes |
bind-geoloc |
limit num |
mask {/mask-length | mask-ipaddr} |
range-factor num |
smooth-factor num
USING THE CLI
To configure an IP list using the CLI, use the following command at the
global configuration level of the CLI:
Note: In the current release, IP lists can not be configured using the GUI.
Passive RTT
Passive RTT measures the round-trip-time between when the site AX
device receives a client’s TCP connection (SYN) and the time when the site
AX device receives acknowledgement (ACK) back from the client for the
connection.
3. Click on the policy name or click Add to create a new one.
4. Drag-and-drop Passive RTT from the Not In Use column to the In Use
column.
5. Click the plus sign to display the Passive RTT configuration fields.
6. To change sample settings, edit the values in the Samples and Tolerance
fields. (These parameters work the same as they do for active RTT. See
“Multiple Samples” on page 455 and “Tolerance” on page 455.)
7. Click OK.
Note: In the current release, passive RTT settings for a site cannot be changed
using the GUI.
Use the following command at the configuration level for the site:
[no] passive-rtt
aging-time minutes |
bind-geoloc |
limit num |
mask {/mask-length | mask-ipaddr} |
range-factor num |
smooth-factor num
Configuring BW-Cost Settings
If you are planning to use the bw-cost metric, read this section. Otherwise,
you can skip the section. The bw-cost metric is disabled by default.
The bw-cost metric selects sites based on bandwidth utilization on the site
AX links.
The GSLB AX device sends the SNMP requests at regular intervals. Once a site is ineligible, it can become eligible again at the next interval if the utilization increment is below the configured limit minus the threshold percentage. (See below.)
Configuration Requirements
Configuring Bandwidth Cost
Note: If the object is part of a table, make sure to append the table index to the
end of the OID. Otherwise, the AX device will return an error.
SNMPv1 / v2c Commands:
[no] community community-string
The community command specifies the community string required for
authentication.
SNMPv3 Commands:
[no] username name
This command specifies the SNMPv3 username required for access to the
SNMP agent on the site AX device.
[no] security-level
{no-auth | auth-no-priv | auth-priv}
This command specifies the SNMPv3 security level:
• no-auth – Authentication is not used and encryption (privacy) is not
used. This is the default.
• auth-no-priv – Authentication is used but encryption is not used.
[no] context-engine-id id
[no] context-name id
[no] security-engine-id id
The context-engine-id command specifies the ID of the SNMPv3 protocol engine running on the site AX device. The context-name command specifies an SNMPv3 collection of management information objects accessible by an SNMP entity. The security-engine-id command specifies the ID of
the SNMPv3 security engine running on the site AX device. For each command, the ID is a string 1-127 characters long.
[no] interface id
The interface command specifies the SNMP interface ID.
Additional Commands:
[no] interval seconds
[no] port port-num
The interval command specifies the amount of time between each SNMP
GET to the site AX devices. You can specify 1-999 seconds. The default
is 3.
The port command specifies the protocol port on which the site AX devices
listen for the SNMP requests from the GSLB AX device. You can specify 1-
65535. The default is 161.
The limit specifies the maximum amount the SNMP object queried by the
GSLB AX device can increment since the previous query, in order for the
site to remain eligible for selection as the best site. You can specify 0-
2147483647. There is no default.
If a site becomes ineligible due to being over the limit, the percentage
parameter is used. In order to become eligible for selection again, the site’s
limit value must not increment more than
limit*threshold-percentage.
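The limit and threshold rule just described, applied to a constructed series of counter readings (an added example, not A10 code; it assumes the polled object is a 32-bit octet counter such as ifOutOctets and that the limit and threshold values are those of the CLI example later in this section):

```python
"""Added example (not A10's code): the bw-cost limit/threshold rule described
above, applied to successive readings of the polled SNMP counter."""

COUNTER32_MODULUS = 1 << 32  # ifOutOctets (.1.3.6.1.2.1.2.2.1.16) is a 32-bit counter


def counter_increment(previous, current, modulus=COUNTER32_MODULUS):
    """Increment since the previous poll, tolerating one wrap of the counter."""
    return (current - previous) % modulus


def bw_cost_eligibility(readings, limit, threshold_pct):
    """Walk readings taken once per polling interval. A site stays eligible
    while the increment is at most `limit`; once it has been marked ineligible
    it is readmitted only when an increment is at most
    limit * threshold_pct / 100. Returns (increment, eligible) for each poll
    after the first."""
    if not 0 <= limit <= 2147483647:
        raise ValueError("limit must be 0-2147483647")
    reentry_bar = limit * threshold_pct / 100
    eligible = True
    result = []
    for prev, cur in zip(readings, readings[1:]):
        inc = counter_increment(prev, cur)
        eligible = inc <= (limit if eligible else reentry_bar)
        result.append((inc, eligible))
    return result


if __name__ == "__main__":
    # Constructed octet-counter readings, evaluated with the guide's CLI example
    # "bw-cost limit 100000 threshold 90": re-entry needs an increment <= 90000.
    readings = [0, 50000, 170000, 265000, 350000]
    for inc, ok in bw_cost_eligibility(readings, limit=100000, threshold_pct=90):
        print(f"increment={inc:>7}  eligible={ok}")
```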
To display bw-cost data for a site
Use the following command:
show gslb site [site-name] bw-cost
The following commands apply the SNMP template to a site and set the
bandwidth increment limit and threshold:
AX(config)#gslb site usa
AX(config gslb-site)#template snmp-1
AX(config gslb-site)#bw-cost limit 100000 threshold 90
AX(config gslb-site)#exit
The following commands enable the bw-cost metric in the GSLB policy:
AX(config)#gslb policy pol1
AX(config-gslb policy)#bw-cost
AX(config-gslb policy)#exit
CLI Example – SNMPv3
The following commands configure a GSLB SNMP template for SNMPv3.
In this example, authentication and encryption are both used.
AX(config)#gslb template snmp snmp-2
AX(config-gslb template snmp)#security-level auth-priv
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#priv-proto des
AX(config-gslb template snmp)#auth-key 12345678
AX(config-gslb template snmp)#priv-key 12345678
The other commands are the same as those shown in “CLI Example –
SNMPv2c” on page 465.
The current release does not support this feature in the GUI.
2. To enable the Alias Admin Preference metric, use the following command at the configuration level for the policy:
[no] alias-admin-preference
The current release does not support this feature in the GUI.
2. To enable the Weighted Alias metric, use the following command at the
configuration level for the policy:
[no] weighted-alias
The geo-location configuration options are described in detail below. To
skip the descriptions and go directly to configuration instructions, see one of
the following sections. Each section provides the procedure for one of the
methods to configure geo-location mappings.
• “Creating and Loading a Custom Geo-Location Database” on page 470
You can load the geo-location database from one of the following types of
files:
• Internet Assigned Numbers Authority (IANA) database – The IANA
database contains the geographic locations of the IP address ranges and
subnets assigned by the IANA. The IANA database is loaded by default.
• Custom database in CSV format – You can load a custom geo-location database from a file in comma-separated-values (CSV) format. This option requires configuration of a CSV template on the AX device. When you load the CSV file, the data is formatted based on the template.
Note: You can load more than one geo-location database. When you load a new
database, if the same IP address or IP address range already exists in a
previously loaded database, the address or range is overwritten by the new
database.
Geo-Location Mappings
If more than one geo-location matches a client’s IP address, the most specific match is used. For example, if a client is in the same city as a site AX, that site will be preferred. If the client and site are in the same state but in different cities, the site in that state will be preferred.
Only one database can be active. If you load more than one database, the most-recently loaded one becomes the active one. The older database is no longer used. Data from the older database is not merged into the new database.
The example above shows the file displayed in a text editor. The same file looks like the example in Figure 131 if displayed in a spreadsheet application. However, when the file is saved to CSV format, the file is essentially as shown above.
The database file can contain more types of information (fields) than are required for the GSLB database. When you load the file into the geo-location database, the CSV template on the AX device is used to filter the file to extract the required data. In this example, only the fields shown in bold type will be extracted and placed into the geo-location database:
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"
The IP addresses in this example are in bin4 format. Dotted decimal format
(for example: 69.26.125.0) is also supported. If you use bin4 format, the AX
device automatically converts the addresses into dotted decimal format
when you load the database into GSLB.
If you want to use bin4 format in the CSV file, here is how to convert an IP
address from dotted-decimal format to bin4 format:
1. Convert each node into Hex.
The fields in the CSV file must be separated by a delimiter. By default, the
AX device interprets commas as delimiters. When you configure the CSV
template on the AX device, you can set the delimiter to any valid ASCII
character.
2. Configure a CSV template for the file. The CSV template specifies the
field positions for IP address and location information.
USING THE GUI
4. If the CSV file uses a character other than a comma to delimit fields,
enter the delimiter character in the Delimiter field.
5. In each data field, indicate the field’s position in the CSV file. For example, if the destination IP address or subnet is listed in the CSV file in data field 4, enter “4” in the IP-To field.
6. Click Add.
2. On the menu bar, select Geo-location > Import, if not already selected.
4. Enter the filename and the access parameters required to copy the file
from the remote server.
5. Click Add.
2. On the menu bar, select Geo-location > Import, if not already selected.
4. In the Template field, enter the name of the template to use for formatting the data.
On the AX device, you must configure a CSV template for the database file.
When you load the file into GSLB, the AX device uses the template to
extract the data and load it into the GSLB database.
1. Use the following command at the global configuration level of the
CLI:
[no] gslb template csv template-name
This command creates the template and changes the CLI to the configuration level for it.
2. Use the following command to identify the field positions for the geo-
location data:
[no] field num {ip-from | ip-to-mask |
continent | country | state | city}
The num option specifies the field position within the CSV file. You can
specify 1-64. The following options specify the type of geo-location
data that is located in the field position:
• ip-from – Specifies the beginning IP address in the range or subnet.
• ip-to-mask – Specifies the ending IP address in the range, or the
subnet mask.
• continent – Specifies the continent where the IP address range or
subnet is located.
• country – Specifies the country where the IP address range or subnet
is located.
• state – Specifies the state where the IP address range or subnet is
located.
• city – Specifies the city where the IP address range or subnet is
located.
3. If the CSV file uses a character other than a comma to delimit fields, use
the following command to specify the character used in the file:
[no] delimiter {character | ASCII-code}
You can type the character or enter its decimal ASCII code (0-255).
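What the CSV template does when the file is loaded, for both the database format described earlier (bin4 and dotted-decimal addresses) and the field, delimiter and position commands above (an added example, not A10 code; the field positions in TEMPLATE and the sample line are constructed to match the record shown earlier):

```python
"""Added example (not A10's code): applying a CSV template like the one
configured above to a database line in the format shown earlier, and
converting the bin4 (32-bit integer) address form to dotted decimal."""
import csv
import io
import ipaddress

# Constructed template, mirroring "field num {ip-from | ip-to-mask | ...}"
# commands; positions are 1-based as in the CLI.
TEMPLATE = {"ip-from": 1, "ip-to-mask": 2, "country": 3,
            "continent": 5, "state": 8, "city": 11}

# Constructed sample line in the same layout as the guide's example record.
SAMPLE_CSV = (
    '"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA",'
    '"EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX",'
    '"42.3495","-71.5482"\n'
)


def resolve_delimiter(spec):
    """The delimiter command accepts the character itself or its decimal
    ASCII code (0-255)."""
    if spec.isdigit():
        code = int(spec)
        if not 0 <= code <= 255:
            raise ValueError("ASCII code must be 0-255")
        return chr(code)
    if len(spec) != 1:
        raise ValueError("delimiter must be a single character")
    return spec


def bin4_to_dotted(value):
    """bin4 holds the four octets as one 32-bit integer (each octet is one hex
    byte of that integer). Dotted-decimal input is validated and returned
    unchanged; a /prefix-length, which ip-to-mask may hold, passes through."""
    text = value.strip()
    if text.startswith("/"):
        return text
    if text.isdigit():
        n = int(text)
        if n > 0xFFFFFFFF:
            raise ValueError(f"bin4 value out of range: {text}")
        return str(ipaddress.IPv4Address(n))
    return str(ipaddress.IPv4Address(text))


def dotted_to_bin4(addr):
    """Reverse conversion: 69.26.125.0 -> 0x451A7D00 -> 1159363840."""
    return int(ipaddress.IPv4Address(addr))


def load_geo_csv(text, template, delimiter=","):
    """Keep only the template's fields from every line, as the load step does.
    Field positions must be 1-64 and present on the line; addresses are
    normalized to dotted decimal."""
    entries = []
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue
        entry = {}
        for name, pos in template.items():
            if not 1 <= pos <= 64 or pos > len(row):
                raise ValueError(f"line {lineno}: field {pos} ({name}) not present")
            entry[name] = row[pos - 1].strip()
        for key in ("ip-from", "ip-to-mask"):
            if key in entry:
                entry[key] = bin4_to_dotted(entry[key])
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for entry in load_geo_csv(SAMPLE_CSV, TEMPLATE):
        print(entry)  # 69.26.125.0 - 69.26.125.255, US/NA/MA/MARLBOROUGH
```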
To import the CSV file onto the AX device, use the following command at
the Privileged EXEC or global configuration level of the CLI:
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
(For information about the use-mgmt-port option, see “Using the Management Interface as the Source for Management Traffic” on page 939.)
To load the CSV file, use the following command at the global configuration level of the CLI:
Use the file name you specified when you imported the CSV file, and the
name of the CSV template to be used for extracting data from the file.
Note: The file-name option is available only if you have already imported a geo-
location database file.
To display information about CSV files that have been loaded or are currently being loaded, use the following command:
Note: If you configure geo-locations globally and at the configuration level for individual sites, and a client IP address matches both a globally configured geo-location and a geo-location configured on a site, the globally configured geo-location is used by default. To configure the GSLB AX device to use geo-locations configured on individual sites instead, use the geo-location match-first policy command at the configuration level for the policy.
The geo-location database appears. You can use the find options to display
database entries or statistics for specific geo-locations or IP addresses.
The geo-location-name option displays the database entry for the specified
location.
The ip-range option displays entries for the specified IP address range.
The depth num option filters the display to show only the location entries at
the specified depth or higher. For example, to display only continent and
country entries and hide individual state and city entries, specify depth 2.
CLI Example
The following commands initiate loading the data from the CSV file into
the geo-location database, and display the status of the load operation:
AX(config)#gslb geo-location load test1.csv test1-tmplte
AX(config)#show gslb geo-location file
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename T Template Per Lines Success Error
------------------------------------------------------------------------------
test1 T t1 98% 11 10 0
The following command displays the geo-location database. The data that
was extracted from the CSV file is shown here in bold type.
AX(config)#show gslb geo-location db
Global
Name From To Last Hits Sub T
------------------------------------------------------------------------------
NA (empty) (empty) (empty) 0 1 G
Configure Services
To configure GSLB services, use either of the following methods.
3. Click Add.
5. If needed, assign an external IP address to the service IP. The external IP
address allows a service IP that has an internal IP address to be reached
from outside the internal network.
7. Click OK.
This command changes the CLI to the configuration level for the service.
external-ip ipaddr
health-check monitor-name
To simplify health monitoring of a GSLB site, you can use a gateway health
check. A gateway health check is a Layer 3 health check (ping) sent to the
gateway router for an SLB site. If a site’s gateway router fails a health
check, it is likely that none of the services at the site can be reached. GSLB
stops using the site until it begins to pass gateway health checks again.
In most cases, an ICMP health check is sufficient. You can use the default
ICMP health check or configure a custom one. For more detailed health
analysis, you can use an external health check. For example, you can use a
script to get SNMP information from the gateway, and base the gateway’s
health status on the retrieved information.
2. On the SLB device at the site, create an SLB real server configuration
with the gateway router’s IP address. If you configured a custom health
check, make sure to apply it to the real server.
For a service IP that can be reached on any of multiple links, create a separate SLB-device configuration, without using the gateway option. The gateway health status for this SLB-device will be Down only if all the gateway health checks performed for the other SLB-device configurations for the site fail.
USING THE GUI
Configuration of this feature does not use any new GUI pages or fields not
present in earlier releases.
1. On the site AX device—To create the gateway router, navigate to the
real server configuration page. Enter a name and the gateway IP
address. Do not add any ports.
If you plan to use the default Layer 3 health monitor, no further configuration is needed on the site AX device. If you plan to use a custom ICMP monitor, configure the monitor and select “create” from the Health Monitor drop-down list.
After you enter this command, the SLB device will stop accepting gateway
status information.
After you enter this command, the service will stop using gateway health
checks.
Note: The health status of the individual virtual servers and service ports at the
site is not marked Down.
The following command displays the gateway health status for GSLB sites:
GSLB-AX(config)#show gslb slb-device
Attrs = Attributes, APF = Administrative Preference
Sesn-Num/Uzn = Number/Utilization of Available Sessions
GW = Gateway Status, IPCnt = Count of Service-IPs
P = GSLB Protocol, L = Local Protocol
Device IP Attrs APF Sesn-Num Uzn GW IPCnt
--------------------------------------------------------------------------------
local:self 127.0.0.1 100 0 0% 0
local:self2 127.0.0.1 100 0 0% 0
local:self3 127.0.0.1 100 0 0% 2
remote:site-ax 10.1.1.1 100 0 0% UP 0
CLI Example—Site with Multiple Gateway Links
On the site AX device, the following commands configure real servers for
each of two gateway links. The default ICMP health method is used for each
link.
Site-AX(config)#slb server 2.2.2.1
Site-AX(config-real server)#exit
Site-AX(config)#slb server 3.3.3.1
If the same services can be reached through either link, an additional SLB-
device configuration is required:
GSLB-AX(config)#gslb site remote-link-both
GSLB-AX(config-gslb site)#slb-dev site-ax-lnkboth 20.1.1.1
GSLB supports multiple-port health checking for service IPs. When you use
a multiple-port health check for a service IP, the service IP is marked Up if
any of the ports passes the health check. It is not required for all ports to
pass the health check.
By default, if the GSLB protocol is enabled and can reach the service,
health checking is performed over the GSLB protocol. Otherwise, health
checking is performed using standard network traffic instead. Optionally,
you can disable use of the GSLB protocol for health checking, on individual
service-IPs.
The current release does not support this feature in the GUI.
CLI Example
The following commands apply a custom HTTP health monitor to service
IP “gslb-srvc2”:
AX(config)#gslb service-ip gslb-srvc2 192.168.20.99
AX(config-gslb service-ip)#port 80
AX(config-gslb service-port)#health-check http
AX(config-gslb service-ip)#port 8080
AX(config-gslb service-port)#health-check http
AX(config-gslb service-ip)#port 8081
AX(config-gslb service-port)#health-check http
Note: Applying a health monitor is required only if you do not plan to use the
default health monitors. (See “Default Health Monitors” on page 481.)
The following commands enable a multi-port health check for the HTTP
service “www” on service IP “gslb-srvc2” in GSLB zone “abc.com”:
AX(config)#gslb zone abc.com
AX(config-gslb zone)#service http www
AX(config-gslb service)#health-check port 80 8080 8081
Configure Sites
To configure GSLB sites, use either of the following methods.
3. Click Add.
6. In the IP-Server section, add services to the site. Select a service from
the drop-down list and click Add. Repeat for each service.
This command changes the CLI to the configuration level for the site. To
associate an IP service with this site, use the following command:
ip-server service-ip
The ipaddr is the IP address of a real server load balanced by the site.
To specify the AX device that provides SLB at the site, use the following
command:
To add the GSLB VIP server to the SLB device, use the following command:
Configure a Zone
To configure a GSLB zone, use either of the following methods.
3. Click Add.
5. In the Service section, click Add. (See Figure 140 on page 524.)
The service configuration sections appear.
USING THE CLI
The zone-url is the URL that clients will send in DNS queries.
This command changes the CLI to the configuration level for the zone. To
add a service to the zone, use the following command:
The port is the application port for the server and must be the same port
name or number specified on the service VIP.
4. Click OK.
To enable the GSLB protocol on the GSLB AX device, use the following
command at the global configuration level of the CLI:
To enable the GSLB protocol on a site AX device, use the following command at the global configuration level of the CLI:
GSLB Parameters
Table 12 lists the GSLB parameters.
TABLE 12 GSLB Parameters (Continued)
Columns: Parameter | Description and Syntax | Supported Values

policy (Optional)
  Description and Syntax:
    Configures a GSLB policy. GSLB policies configure the GSLB metrics used to select the best sites and site IP addresses to return in DNS replies to clients.
    [no] gslb policy {default | policy-name}
    Config > Service > GSLB > Policy
  Supported Values:
    Default: The “default” GSLB policy is used, unless you configure another policy and apply it to the zone.

service-ip (Required)
  Description and Syntax:
    Configures a virtual IP address (VIP) for a service. In GSLB, service IP addresses are VIPs that represent services that are provided by servers connected to the site AX devices.
    [no] gslb service-ip vip-name [ipaddr]
    Config > Service > GSLB > Service IP
  Supported Values:
    The vip-name can be up to 31 alphanumeric characters.
    The ipaddr can be an IPv4 or IPv6 address.

site (Required)
  Description and Syntax:
    Configures a site. A GSLB zone can contain one or more sites. Each site has at least one AX device providing load balancing for the site’s services.
    [no] gslb site site-name
    Config > Service > GSLB > Site
    See “Site Parameters” below.
  Supported Values:
    The site-name can be up to 31 alphanumeric characters.
    Default: None

zone (Required)
  Description and Syntax:
    Configures a zone. The zone identifies the top-level URL for the services load balanced by GSLB.
    [no] gslb zone zone-url
    Config > Service > GSLB > Zone
    See “Zone Parameters” below.
  Supported Values:
    The zone-url is the URL of the zone and can be up to 127 alphanumeric characters.
    Default: None
    Note: You can use lower case characters and upper case characters. However, since Internet domain names are case-insensitive, the AX device internally converts all upper case characters in GSLB zone names to lower case.
Active-RTT settings (Optional)
  Description and Syntax:
    Configures the following Active RTT options:
    • Domain – Specifies the query domain. To measure the active round-trip time (RTT) for a client, the site AX device sends queries for the domain name to a client’s local DNS. An RTT sample consists of the time between when the site AX device sends a query and when it receives the response.
      Only one active-RTT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each client’s local DNS.
      The AX device averages multiple active-RTT samples together to calculate the active-RTT measurement for a client. (See the description of Track below.)
    • Interval – Specifies the number of seconds between queries.
    • Retry – Specifies the number of times GSLB will resend a query if there is no response.
    • Sleep – Specifies the number of seconds GSLB stops tracking active-RTT data for a client after a query fails.
    • Timeout – Specifies the number of milliseconds GSLB will wait for a reply before resending a query.
    • Track – Specifies the number of seconds during which the AX device collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the active RTT measurement for the client.
      The averaged RTT measurement is used until it ages out. The aging time for averaged RTT measurements is 10 minutes by default and is configurable on individual sites, using the active-rtt aging-time option.
  Supported Values:
    The following values are supported:
    • Domain – Valid domain name (such as “example.com”)
    • Interval – 1-120 seconds
    • Retry – 0-16
    • Sleep – 1-300 seconds
    • Timeout – 1-1023 milliseconds (ms)
    • Track – 15-3600 seconds
    Defaults:
    • Domain – google.com
    • Interval – 1
    • Retry – 3
    • Sleep – 3
    • Timeout – 1000
    • Track – 60
Handling of DNS queries from the local DNS (Optional)
  Description and Syntax:
    Action to take in response to queries from the local DNS.
    • Drop – Drops DNS queries from the local DNS server that do not match any zone service.
    • Reject – Rejects DNS queries from the local DNS server that do not match any zone service, and returns the “Refused” message in replies.
    [no] gslb dns action {drop | reject}
    Note: The current release does not support configuration of this option using the GUI.
  Supported Values:
    Default: Not set

DNS logging (Optional)
  Description and Syntax:
    Logging of DNS messages.
    [no] gslb dns logging {both | query | response}
    Note: The current release does not support configuration of this option using the GUI.
  Supported Values:
    Default: Not set

ip-list (Optional)
  Description and Syntax:
    List of IP addresses and group IDs to use as input to other GSLB commands.
    [no] gslb ip-list list-name
    Note: The current release does not support configuration of this option using the GUI.
  Supported Values:
    Default: None

Startup delay (Optional)
  Description and Syntax:
    Delays startup of GSLB following startup of the AX device.
    [no] gslb system wait seconds
    Note: The current release does not support configuration of this option using the GUI.
  Supported Values:
    0-16384 seconds
    Default: 0 (no delay)

GSLB protocol timers (Optional)
  Description and Syntax:
    Changes timers used by the SLB protocol.
    [no] gslb protocol limit {artt-query num-msgs | artt-response num-msgs | artt-session num-sessions | prtt-response num-msgs | conn-response num-msgs | response num-msgs | message num-msgs}
    Note: The current release does not support configuration of this option using the GUI.
  Supported Values:
    See the online help.
Service-IP Parameters

service-ip status (Required)
  Description and Syntax:
    Enables or disables the service-ip.
    disable | enable
    Config > Service > GSLB > Service-IP
  Supported Values:
    Default: Enabled

external IP address
  Description and Syntax:
    Assigns an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.
    [no] external-ip ipaddr
    Config > Service > GSLB > Service-IP
  Supported Values:
    Default: None

health check
  Description and Syntax:
    Enables or disables monitoring for the service IP address. You can specify any health monitor (Layer 3, 4 or 7).
    Alternatively, you can use the follow-port option to base the health of the service port on the health of another port. Specify the other port number.
    The protocol option enables or disables use of the GSLB protocol for health checking of the service. By default, the protocol option is enabled. If the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead.
    [no] health-check [monitor-name] | [follow-port portnum] [protocol]
    Config > Service > GSLB > Service-IP
  Supported Values:
    Default: The default Layer 3 health monitor (ICMP ping) is used. The protocol option is enabled by default.

service port
  Description and Syntax:
    Adds a service port to the service IP address. The command also changes the CLI to the configuration level for the specified service port, where the following service port-related commands are available:
    port num {tcp | udp}
    Config > Service > GSLB > Service-IP
  Supported Values:
    Valid protocol port number and service type
    Default: None

IPv6 mapping
  Description and Syntax:
    Maps an IPv6 address to an IPv4 service IP. This option also requires IPv6 DNS AAAA support to be enabled in the GSLB policy.
    [no] ipv6 ipv6-addr
    Note: The current release does not support configuration of this option using the GUI.
  Supported Values:
    Valid IPv6 address
    Default: None
Site Parameters

active-rtt (Optional)
  Description and Syntax:
    Configures options for the Active RTT metric.
    [no] active-rtt aging-time minutes | bind-geoloc | ignore-count num | limit num | mask {/mask-length | mask-ipaddr} | range-factor num | smooth-factor num
    Config > Service > GSLB > Site - Options
  Supported Values:
    aging-time – Specifies the maximum amount of time a stored active-RTT result can be used. You can specify 1-60 minutes. The default is 10 minutes.
    bind-geoloc – Stores the active-RTT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site-SLB device basis.
    ignore-count – Specifies the ignore count if RTT is out of range. You can specify 1-15. The default is 5.
    limit – Specifies the maximum RTT allowed for the site. If the RTT measurement for a site exceeds the configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms). The default is 16383.
    mask – Specifies the client IPv4 subnet mask length, 1-32. The default is 32.
    range-factor – Specifies the maximum percentage a new active-RTT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.
    For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement can not be used.
    You can specify 1-1000. The default is 25.
    smooth-factor – Blends the new measurement with the previous one, to smoothen the measurements. You can specify 1-100. The default is 10.
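As an added example (not code from the guide), the following Python models how the site-level active-rtt options act on a stream of RTT samples for one client: range-factor discards out-of-range samples, smooth-factor blends accepted ones, aging-time expires stored results, limit marks a value as unusable for the metric, and mask groups clients by subnet. The blending formula, the ignore-count handling and the ActiveRttTable class are assumptions, since the guide states what each option does but not the exact arithmetic.

```python
"""Model of the site-level active-rtt options (range-factor, smooth-factor,
ignore-count, limit, aging-time, mask) applied to a stream of RTT samples.
Added example; the blending formula and ignore-count handling are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ActiveRttOptions:
    aging_time_min: int = 10   # aging-time: 1-60 minutes, default 10
    ignore_count: int = 5      # ignore-count: 1-15, default 5
    limit_ms: int = 16383      # limit: 0-16383 ms, default 16383
    mask_len: int = 32         # mask: client IPv4 subnet mask length, default 32
    range_factor: int = 25     # range-factor: 1-1000 percent, default 25
    smooth_factor: int = 10    # smooth-factor: 1-100 percent, default 10


@dataclass
class StoredRtt:
    value_ms: float
    updated_at: float          # seconds; the caller supplies the clock
    out_of_range_streak: int = 0


class ActiveRttTable:
    """Per-client active-RTT store for one site (assumed name, not the device's)."""

    def __init__(self, opts: Optional[ActiveRttOptions] = None) -> None:
        self.opts = opts or ActiveRttOptions()
        self.entries: Dict[str, StoredRtt] = {}

    def client_key(self, client_ip: str) -> str:
        """Measurements are stored per client subnet, as selected by the mask option."""
        net = ipaddress.ip_network(f"{client_ip}/{self.opts.mask_len}", strict=False)
        return str(net.network_address)

    def record(self, client_ip: str, measured_ms: float, now: float) -> float:
        """Apply one RTT sample and return the value now stored for the client."""
        key = self.client_key(client_ip)
        cur = self.entries.get(key)
        if cur is None or self._expired(cur, now):
            # No usable previous measurement: the new sample is taken as-is.
            self.entries[key] = StoredRtt(measured_ms, now)
            return measured_ms

        rf = self.opts.range_factor
        low = cur.value_ms * (100 - rf) / 100     # 75% of previous at the default 25
        high = cur.value_ms * (100 + rf) / 100    # 125% of previous at the default 25
        if not (low <= measured_ms <= high):
            # Out of range: discard the sample and keep using the previous value.
            cur.out_of_range_streak += 1
            if cur.out_of_range_streak < self.opts.ignore_count:
                return cur.value_ms
            # ASSUMPTION: after ignore-count consecutive out-of-range samples the
            # stored value is treated as stale and the new sample replaces it.
            cur.value_ms = measured_ms
            cur.out_of_range_streak = 0
            cur.updated_at = now
            return measured_ms

        # In range: blend with the previous value. ASSUMPTION: exponential
        # smoothing, where smooth-factor is the percentage weight of the new sample.
        cur.out_of_range_streak = 0
        cur.value_ms += (measured_ms - cur.value_ms) * self.opts.smooth_factor / 100
        cur.updated_at = now
        return cur.value_ms

    def metric_value(self, client_ip: str, now: float) -> Optional[float]:
        """Value the active-rtt metric may use, or None when there is no fresh
        measurement or it exceeds limit (the site is then not eliminated; GSLB
        moves on to the next metric in the policy)."""
        cur = self.entries.get(self.client_key(client_ip))
        if cur is None or self._expired(cur, now):
            return None
        if cur.value_ms > self.opts.limit_ms:
            return None
        return cur.value_ms

    def _expired(self, entry: StoredRtt, now: float) -> bool:
        return now - entry.updated_at > self.opts.aging_time_min * 60


if __name__ == "__main__":
    # Constructed samples: two clients in the same /24 share one stored value.
    table = ActiveRttTable(ActiveRttOptions(mask_len=24))
    print(table.record("198.51.100.7", 100.0, now=0.0))   # 100.0 (first sample)
    print(table.record("198.51.100.9", 120.0, now=1.0))   # 102.0 (in range, blended)
    print(table.record("198.51.100.9", 200.0, now=2.0))   # 102.0 (out of range, discarded)
    print(table.metric_value("198.51.100.7", now=700.0))  # None (aged out after 10 min)
```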
bw-cost (Optional)
  Description and Syntax:
    Configures options for the bw-cost metric:
    [no] bw-cost limit limit threshold percentage
    Config > Service > GSLB > Site - Options
  Supported Values:
    limit – Specifies the maximum amount the SNMP object queried by the GSLB AX device can increment since the previous query, in order for the site to remain eligible for selection as the best site. You can specify 0-2147483647. There is no default.
    If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the site’s limit value must not increment more than limit*threshold-percentage. You can specify 0-100. There is no default.
    threshold percentage – For a site to regain eligibility when bw-cost is being compared, the SNMP object’s incremental value must be below the threshold-percentage of the limit value.
    For example, if the limit value is 80000 and the threshold is 90, the limit value must increment by 72000 or less, in order for the site to become eligible again based on bandwidth cost. Once a site again becomes eligible, the SNMP object’s value is again allowed to increment by as much as the bandwidth limit value (80000, in this example).
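The limit/threshold pair above is a hysteresis: a site drops out when one polling interval's increment exceeds limit, and returns only after an interval at or below limit*threshold%. The following Python is an added example (not the device's code) that walks the guide's 80000/90 figures through that state machine; the BwCostState class and the counter values are constructed.

```python
"""Site eligibility under the bw-cost limit and threshold options, modelled as a
two-state hysteresis fed by successive polls of the site's SNMP counter.
Added example with constructed inputs; not the device's own implementation."""
from __future__ import annotations

from typing import Optional


class BwCostState:
    """Tracks whether a site stays eligible based on how much the polled SNMP
    object (for example an interface byte counter) incremented since the previous poll."""

    def __init__(self, limit: int, threshold_pct: int) -> None:
        if not 0 <= limit <= 2147483647 or not 0 <= threshold_pct <= 100:
            raise ValueError("limit must be 0-2147483647 and threshold 0-100")
        self.limit = limit
        self.threshold_pct = threshold_pct
        self.eligible = True
        self.last_value: Optional[int] = None

    @property
    def reentry_limit(self) -> float:
        # An ineligible site must increment by at most limit * threshold% in an
        # interval to regain eligibility: 80000 * 90% = 72000 in the guide's example.
        return self.limit * self.threshold_pct / 100

    def poll(self, counter_value: int) -> bool:
        """Feed the newly polled counter value; return the site's eligibility."""
        if self.last_value is None:
            # First poll only establishes the baseline.
            self.last_value = counter_value
            return self.eligible
        delta = counter_value - self.last_value
        self.last_value = counter_value
        if self.eligible:
            # An eligible site may increment by as much as the full limit.
            if delta > self.limit:
                self.eligible = False
        else:
            # An ineligible site needs a quieter interval before it is reconsidered.
            if delta <= self.reentry_limit:
                self.eligible = True
        return self.eligible


if __name__ == "__main__":
    site = BwCostState(limit=80000, threshold_pct=90)
    # Constructed counter readings: deltas of 80000, 80001, 75000, 72000, 80000.
    for reading in (0, 80000, 160001, 235001, 307001, 387001):
        print(reading, site.poll(reading))   # True True False False True True
```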
geo-location (Optional)
  Description and Syntax:
    Associates the site with a specific geographic location.
    [no] geo-location location-name
    Config > Service > GSLB > Site - Geo-location
    Note: This option is applicable only for manually configuring geo-location mappings. If you plan to load geo-location mappings from a file instead, you do not need to use this option.
  Supported Values:
    The location-name can be up to 127 alphanumeric characters.
    Default: None
ip-server (Optional)
  Description and Syntax:
    Associates a real server with this site.
    [no] ip-server service-name
    Config > Service > GSLB > Site - IP Server
    Note: Generally, virtual servers rather than real servers are associated with a site. To associate a virtual server with a site, use the vip-server option at the SLB device configuration level. (See “SLB device parameters”.)
  Supported Values:
    Default: None

passive-rtt (Optional)
  Description and Syntax:
    Configures options for the passive RTT metric. The options are the same as those for active-rtt. (See above.)
    [no] passive-rtt aging-time minutes | bind-geoloc | limit num | mask {/mask-length | mask-ipaddr} | range-factor num | smooth-factor num
    Config > Service > GSLB > Site - Options
  Supported Values:
    See the description for active-rtt, above.

slb-device (Required)
  Description and Syntax:
    Specifies the AX device that provides SLB for the site.
    [no] slb-dev device-name ipaddr
    Config > Service > GSLB > Site - SLB Device
  Supported Values:
    The device-name can be up to 31 alphanumeric characters. The IP address must be an address that can be reached by the GSLB AX device.
    Default: None

template (Optional)
  Description and Syntax:
    Binds a template to the site. To use the bw-cost metric, use this option to bind a GSLB SNMP template to the site.
    [no] template template-name
    Config > Service > GSLB > Site - Template
  Supported Values:
    Name of configured SNMP template.
    Default: None

weight (Optional)
  Description and Syntax:
    Assigns a weight to the site. If the weighted-site metric is enabled in the policy and all metrics before weighted-site result in a tie, the site with the highest weight is preferred.
    [no] weight num
    Config > Service > GSLB > Site - General
  Supported Values:
    The weight can be from 1 – 100.
    Default: 1
SLB Device Parameters

admin-preference (Optional)
  Description and Syntax:
    Assigns a preference value to the SLB device. If the admin-preference metric is enabled in the policy and all metrics before this one result in a tie, the SLB device with the highest admin-preference value is preferred.
    [no] admin-preference num
    Config > Service > GSLB > Site - SLB-Device
  Supported Values:
    You can specify from 0 – 255.
    Default: 100

gateway (Optional)
  Description and Syntax:
    Specifies the gateway that the SLB device will use to reach the GSLB local DNS for collecting active RTT measurements.
    [no] gateway ipaddr
    Config > Service > GSLB > Site - SLB-Device
  Supported Values:
    Valid IP address.
    Default: Not set

gateway health check (Optional)
  Description and Syntax:
    Allows GSLB to use a Layer 3 health monitor to check the health of the SLB device’s gateway.
    [no] gateway health-check
    Note: The current release does not support configuration of this option using the GUI.
  Supported Values:
    Enabled or disabled
    Default: enabled

max-client (Optional)
  Description and Syntax:
    Specifies the maximum number of clients for which the GSLB AX device (controller) saves data such as active and passive RTT measurements.
    [no] max-client number
    Config > Service > GSLB > Site - SLB-Device
  Supported Values:
    1-2147483647
    Default: 32768

passive-rtt-timer (Optional)
  Description and Syntax:
    For passive RTT, specifies the number of seconds during which samples are collected during each sampling period. You can specify 1-255. The default is 3.
    [no] passive-rtt-timer num
    To prevent samples from being taken for this device, use the no passive-rtt-timer command.
    Config > Service > GSLB > Site - SLB-Device
  Supported Values:
    1-255
    Default: 3

vip-server (Required)
  Description and Syntax:
    Maps this SLB site to a globally configured GSLB service IP address (configured by the service-ip option).
    [no] vip-server name
    Config > Service > GSLB > Site - SLB-Device
  Supported Values:
    The name must be the name of a configured service IP. (To configure the service IP, use the gslb service-ip command.)
    Default: None
Zone Parameters

dns-mx-record (Optional)
  Description and Syntax:
    Configures a DNS Mail Exchange (MX) record for the zone. The name is the fully-qualified domain name of the mail server for the zone.
    If more than one MX record is configured for the same zone, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX with the lowest preference value has the highest priority and is tried first. The priority can be 0-65535. There is no default.
    MX records configured on a zone are used only for services on which MX records are not configured.
    [no] dns-mx-record name priority
    Config > Service > GSLB > Zone - Click Add on the Service section to display the DNS MX Record section.
  Supported Values:
    The name is the fully-qualified domain name of the mail server for the zone.
    The priority can be 0-65535. There is no default preference.
    Default: None

dns-ns-record (Optional)
  Description and Syntax:
    Configures a DNS name server record for the zone.
    [no] dns-ns-record domain-name
    Config > Service > GSLB > Zone - Click Add on the Service section to display the DNS NS Record section.
  Supported Values:
    Fully-qualified domain name.
    Default: None
dns-soa-record (Optional)
  Description and Syntax:
    Configures a DNS start of authority (SOA) record for the GSLB zone. You must specify the DNS server name and mailbox name. The following parameters are optional:
    Refresh – Specifies the number of seconds other DNS servers wait before requesting updated information for the GSLB zone.
    Retry – Specifies how many seconds other DNS servers wait before resending a refresh request, if GSLB does not respond to the previous request.
    Expire – Specifies how many seconds GSLB can remain unresponsive to a refresh request before the other DNS server drops responding to queries for the zone.
    Serial – Specifies the initial serial number of the SOA record. This number is automatically incremented each time a change occurs to any records for the GSLB zone.
    TTL – Specifies the number of seconds GSLB will cache and reuse negative replies (NXDOMAIN messages). A negative reply is an error message indicating that a requested domain does not exist.
  Supported Values:
    Valid DNS server name and mailbox name.
    Defaults: No SOA record is configured by default. If you configure one, its parameters have the following default values:
    Refresh – 3600 seconds
    Retry – 900 seconds
    Expire – 1209600 seconds
    Serial – The default is based on the current system time on the GSLB AX device when you create the SOA record.
    TTL – Value of the zone TTL when you create the SOA record
service (Required)
  Description and Syntax:
    Adds a service to the zone. The GSLB AX Series verifies the availability of the service by sending a health check to the specified service port.
    [no] service port service-name
    Config > Service > GSLB > Zone - Service tab
    The health check must be assigned to the individual service. See “Service Parameters” below.
  Supported Values:
    The port can be a well-known name recognized by the CLI, a port number from 1 to 65535, or * (wildcard matching on any port).
    The service-name can be up to 31 alphanumeric characters. (For the same reason described for zone names, the AX device converts all upper case characters in GSLB service names to lower case.)
    Default: None

ttl (Optional)
  Description and Syntax:
    Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy, for this zone.
    TTL can be set at different levels of the GSLB configuration; however, only one of the TTL settings is used. (See “DNS Options” on page 443.)
    [no] ttl seconds
    Config > Service > GSLB > Zone
  Supported Values:
    You can specify from 0 to 1000000 (1,000,000) seconds.
    Default: 10 seconds
Service Parameters
action (Optional)
  Description and Syntax:
    Specifies the action to perform for DNS traffic.
    Note: Use of the actions configured for services also must be enabled in the GSLB policy, using the DNS action option. See Table 13, “GSLB Policy Parameters,” on page 502.
    [no] action {drop | reject | forward {both | query | response}}
    Config > Service > GSLB > Zone - Click Add in the Service section.
  Supported Values:
    You can specify one of the following:
    • Drop – Drops DNS queries from the local DNS server.
    • Reject – Rejects DNS queries from the local DNS server and returns the “Refused” message in replies.
    • Forward – Forwards requests or queries, as follows:
      • Forward both – Forwards queries to the Authoritative DNS server, and forwards responses to the local DNS server.
      • Forward query – Forwards queries to the Authoritative DNS server, but does not forward responses to the local DNS server.
      • Forward response – Forwards responses to the local DNS server, but does not forward queries to the Authoritative DNS server.
dns-a-record (Optional)
  Description and Syntax:
    Configures a DNS Address (A) record for the service, for use with the DNS replace-ip option in the GSLB policy.
    dns-a-record {service-name | service-ipaddr} {as-replace | no-resp | static | ttl num | weight num}
    Config > Service > GSLB > Zone - Click Add in the Service section to display the DNS Address Record section.
    Note: The no-resp option is not valid with the static or as-replace option. If you use no-resp, you cannot use static or as-replace.
  Supported Values:
    as-replace – This option is used with the ip-replace option in the policy. When both options are set (as-replace here and ip-replace in the policy), the client receives only the IP address set here by service-ip. This option is disabled by default.
    no-resp – Prevents the IP address for this site from being included in DNS replies to clients. This option is disabled by default.
    static – This option is used with the dns server option in the policy. When both options are set (static here and dns server in the policy), the GSLB AX device acts as the DNS server for the IP address set here by service-ip. This option is disabled by default.
    ttl – Assigns a TTL to the service, 0-2147483647. By default, the TTL of the zone is used. This option can be used with the dns server option in the policy, or with DNS proxy mode enabled in the policy.
    weight – Assigns a weight to the service. If the weighted-ip metric is enabled in the policy and all metrics before weighted-ip result in a tie, the service on the site with the highest weight is selected. The weight can be 1-100. By default, the weight is not set.
    Default: None

dns-cname-record (Optional)
  Description and Syntax:
    Configures DNS Canonical Name (CNAME) records for the service.
    The as-backup option specifies that the record is a backup record.
    dns-cname-record alias [as-backup] [alias ...]
    Config > Service > GSLB > Zone - Click Add in the Service section to display the DNS CName Record section.
  Supported Values:
    Default: None
dns-mx-record (Optional)
  Description and Syntax:
    Configures a DNS Mail Exchange (MX) record for the service.
    If more than one MX record is configured for the same service, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX record with the lowest priority number has the highest priority and is tried first.
    dns-mx-record name priority
    Config > Service > GSLB > Zone - Click Add on the Service tab to display the DNS MX Record tab.
    Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure A records for the mail service.
  Supported Values:
    The name is the fully-qualified domain name of the mail server for the service.
    The priority can be 0-65535. There is no default.

dns-ns-record (Optional)
  Description and Syntax:
    Configures a DNS name server record for the service.
    dns-ns-record domain-name [as-backup]
    Config > Service > GSLB > Zone - Click Add on the Service tab to display the DNS NS Record tab.
  Supported Values:
    Fully-qualified domain name
    Not set

dns-ptr-record (Optional)
  Description and Syntax:
    Configures a DNS pointer record for the service.
    dns-ptr-record domain-name
    Config > Service > GSLB > Zone - Click Add on the Service tab to display the DNS PTR Record tab.
  Supported Values:
    Fully-qualified domain name
    Not set

gateway health check (Optional)
  Description and Syntax:
    Allows GSLB to use a Layer 3 health monitor to check the health of the service by sending health checks to the site gateway.
    [no] health-check gateway
    Note: The current release does not support configuration of this option using the GUI.
  Supported Values:
    Enabled or disabled
    Default: enabled

geo-location (Optional)
  Description and Syntax:
    Maps an alias to the specified geographic location for this service.
    [no] geo-location location-name alias url
    Config > Service > GSLB > Zone - Click Add in the Service section to display the Geo-location section.
    This CNAME overrides any CNAME globally configured for the zone.
  Supported Values:
    The location-name is a global GSLB parameter and must already be configured. (See “Global GSLB parameters” and “Site parameters” above.)
    The alias is a service parameter and must already be configured. (See above.)
    Default: None
ip-order (Optional)
  Description and Syntax:
    Specifies the order in which to list the service IP addresses (VIPs) for this service in the DNS replies to clients.
    The ip-order is one of the metrics used to select the best IP address for a service.
    [no] ip-order {service-name | service-ipaddr} [service-ipaddr ...]
    Config > Service > GSLB > Zone - Click Add in the Service section to display the DNS Address Record section.
  Supported Values:
    Each service-ipaddr is a virtual IP address assigned to the service at this site.
    Generally, each service will have a different virtual IP address for each real server that provides the service at the site.

policy (Optional)
  Description and Syntax:
    Applies the specified GSLB policy to the service.
    [no] policy policy-name
    Config > Service > GSLB > Zone - Click Add in the Service section to display the Service section.
  Supported Values:
    The policy-name can be up to 31 alphanumeric characters.
    You must configure the policy before you apply it.
    Default: The GSLB policy applied to the zone is also applied to the services in that zone. If no policy is applied to the zone, the “default” GSLB policy is applied.
Policy Parameters
Table 13 lists the GSLB policy parameters.
TABLE 13 GSLB Policy Parameters (Continued)
Columns: Parameter | Description and Syntax | Supported Values
alias-admin-preference
  Description and Syntax:
    Load balancing metric that selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin Preference metric, but applies only to DNS CNAME records.
    [no] alias-admin-preference
    Note: The current release does not support configuration of this metric in the GUI.
  Supported Values:
    The state is one of the following:
    • Enabled
    • Disabled – This is the default.

bw-cost
  Description and Syntax:
    Load balancing metric that selects sites based on bandwidth utilization on the site AX links.
    The fail-break option enables GSLB to stop if the current bw-cost value is over the limit.
    [no] bw-cost [fail-break]
    Config > Service > GSLB > Policy - Metrics
  Supported Values:
    The state is one of the following:
    • Enabled
    • Disabled – This is the default.

capacity
  Description and Syntax:
    Sites that have not exceeded their thresholds for their respective maximum TCP/UDP sessions are preferred over sites that have exceeded their thresholds.
    Example: Site A’s maximum session capacity is 800,000 and Site B’s maximum session capacity is 500,000. If the session-capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000.
    The fail-break option enables GSLB to stop if the session utilization on all site SLB devices is over the threshold.
    [no] capacity [threshold num] [fail-break]
    Config > Service > GSLB > Policy - Metrics
  Supported Values:
    The state is one of the following:
    • Enabled
    • Disabled – This is the default.
    The threshold can be from 0 to 100 percent. The default is 90.
connection-load
  Description and Syntax:
    Sites that are at or below their thresholds of average new connections per second are preferred over sites that are above their thresholds.
    The fail-break option enables GSLB to stop if the connection load for all sites is over the limit.
    [no] connection-load [limit average-load] | [samples num interval seconds] [fail-break]
    Config > Service > GSLB > Policy - Metrics
  Supported Values:
    The state is one of the following:
    • Enabled
    • Disabled – This is the default.
    The limit can be from 1 to 999999999 (999,999,999). The default is not set (unlimited).
    The samples can be from 1 to 8. The default is 5.
    The interval can be from 1 to 60 seconds. The default is 5 seconds.
least-response
  Description and Syntax:
    Service IP addresses with the fewest hits are preferred over addresses with more hits.
    [no] least-response
    Config > Service > GSLB > Policy - Metrics
  Supported Values:
    The state is one of the following:
    • Enabled
    • Disabled – This is the default.
passive-rtt
  Description and Syntax:
    Sites with faster round-trip times (RTTs) between a client and the site are preferred over sites with slower times. The passive RTT is the time between when the site AX device receives a client’s TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection. Passive RTT measurements are taken for client addresses in each /24 subnet range.
    Passive RTT tolerance is a percentage from 0 to 100. It specifies how much the RTT values of sites must differ in order for GSLB to prefer one site over the other based on RTT.
    Example: Site A’s RTT value is 0.3 seconds and Site B’s RTT value is 0.32 seconds. If the passive RTT tolerance is 10% then the two sites are treated as having the same passive RTT preference.
    The fail-break option enables GSLB to stop if the configured RTT limit in a policy is reached.
    [no] passive-rtt [difference num] [samples num-samples] [tolerance num-percentage] [fail-break]
    Config > Service > GSLB > Policy - Metrics
  Supported Values:
    The state is one of the following:
    • Enabled
    • Disabled – This is the default.
    When you enable the passive-rtt metric, the default number of samples is 5. The default store-by is slb-device. The default tolerance is 10 percent.
weighted-alias
Description and Syntax: Load balancing metric that prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to weighted-ip, but applies only to DNS CNAME records.
[no] weighted-alias
Note: The current release does not support configuration of this metric in the GUI.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

weighted-ip
Description and Syntax: Service IP addresses with higher weight values are used more often than addresses with lower weight values.
As a simple example, assume that the weighted-ip metric is the only enabled metric, or at least always ends up being the tie breaker. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2 has weight 2. During a given session aging period, the first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so on (4 to 10.10.10.1, then 2 to 10.10.10.2).
The total-hits option first sends requests to the service IP addresses that have fewer hits. After all service IP addresses have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.
[no] weighted-ip [total-hits]
Config > Service > GSLB > Policy - Metrics
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

weighted-site
Description and Syntax: Sites with higher weight values are used more often than sites with lower weight values.
As a simple example, assume that the weighted-site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has weight 4 and site B has weight 2. During a given session aging period, the first 4 requests go to site A, the next 2 requests go to site B, and so on (4 to A, then 2 to B).
The total-hits option first sends requests to the sites that have fewer hits. After all service sites have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.
[no] weighted-site [total-hits]
Config > Service > GSLB > Policy - Metrics
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
metric-order
Description and Syntax: Assigns a geographic location to an IP address range. GSLB forwards client requests from addresses within the range to the GSLB site that serves the location.
[no] metric-order metric [metric ...]
Config > Service > GSLB > Policy - Metrics
The first metric you specify becomes the primary metric. If you specify additional parameters, they are used in the priority you specify. All remaining metrics are prioritized to follow the metrics you specify.
For example, if you specify only the ordered-ip metric with the command, and the metric order in the policy has not been changed previously, the ordered-ip metric becomes the first metric. The health-check metric becomes the second metric, the weighted-ip metric becomes the third metric, and so on.
Supported Values: You can specify one or more of the following metrics (listed alphabetically):
• active-rtt
• active-servers
• admin-preference
• bw-cost
• capacity
• connection-load
• geographic
• health-check
• least-response
• num-session
• ordered-ip
• passive-rtt
• weighted-ip
• weighted-site
Default metric order: See “GSLB Policy” on page 438.
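The following is an added illustration, not A10 code, of how a policy walks its metrics in the configured order: the passive-rtt tolerance rule (0.3 s versus 0.32 s at 10% is a tie) followed by the weighted-ip sequence (4 requests to 10.10.10.1, then 2 to 10.10.10.2). It assumes the RTT difference is measured as a percentage of the faster site's RTT and that each metric narrows the candidate list until one address remains; the page does not state either.

```python
"""Added illustration, not A10 code: a simplified model of a GSLB policy
that walks its metrics in the configured order (metric-order), applying the
passive-rtt tolerance rule and then the weighted-ip sequence from Table 13.

Assumptions not stated on the page: the RTT difference is measured as a
percentage of the faster site's RTT, and each metric narrows the candidate
list until one address is left."""
from dataclasses import dataclass


@dataclass
class ServiceIP:
    addr: str
    rtt: float        # passive RTT in seconds (SYN to client ACK at the site AX)
    weight: int = 1   # weighted-ip weight


def passive_rtt_candidates(sites, tolerance_pct):
    """Keep the fastest site plus every site within tolerance_pct of it.
    With the default 10% tolerance, 0.30 s and 0.32 s are treated as equal."""
    fastest = min(s.rtt for s in sites)
    if fastest <= 0:                      # no usable RTT samples yet
        return list(sites)
    return [s for s in sites
            if (s.rtt - fastest) / fastest * 100.0 <= tolerance_pct]


class WeightedIPSelector:
    """weighted-ip: within one session aging period an address of weight W
    receives W consecutive requests (4 to 10.10.10.1, then 2 to 10.10.10.2,
    and so on). The period restarts once every candidate has used its weight."""

    def __init__(self, sites):
        self.period_hits = {s.addr: 0 for s in sites}

    def pick(self, candidates):
        cands = sorted(candidates, key=lambda s: -s.weight)
        if all(self.period_hits[s.addr] >= s.weight for s in cands):
            for s in cands:
                self.period_hits[s.addr] = 0      # new aging period
        chosen = next(s for s in cands if self.period_hits[s.addr] < s.weight)
        self.period_hits[chosen.addr] += 1
        return chosen.addr


def select_service_ip(sites, metric_order, selector, tolerance_pct=10.0):
    """Apply metrics in order; the first metric that leaves a single
    candidate decides. weighted-ip always decides when it is reached."""
    candidates = list(sites)
    for metric in metric_order:
        if metric == "passive-rtt":
            candidates = passive_rtt_candidates(candidates, tolerance_pct)
        elif metric == "weighted-ip":
            return selector.pick(candidates)
        else:
            raise ValueError(f"metric not modelled here: {metric}")
        if len(candidates) == 1:
            return candidates[0].addr
    return candidates[0].addr


if __name__ == "__main__":
    # Constructed sample: the two service IPs from the weighted-ip example.
    sites = [ServiceIP("10.10.10.1", rtt=0.30, weight=4),
             ServiceIP("10.10.10.2", rtt=0.32, weight=2)]
    selector = WeightedIPSelector(sites)
    print([select_service_ip(sites, ["passive-rtt", "weighted-ip"], selector)
           for _ in range(8)])
```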
metric-force-check
Description and Syntax: Forces the GSLB controller to always check all metrics in the policy.
[no] metric-force-check
Config > Service > GSLB > Policy
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

metric-fail-break
Description and Syntax: Enables GSLB to stop if there are no valid service IPs.
[no] metric-fail-break
Note: In the current release, this option cannot be configured using the GUI.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

DNS Parameters

action
Description and Syntax: Enable GSLB to perform the DNS actions specified in the service configurations.
[no] dns action
Config > Service > GSLB > Policy - DNS Options
Note: To configure the DNS action for a service, use the action option at the configuration level for the service. See Table 12, “GSLB Parameters,” on page 487.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
active-only
Description and Syntax: Removes IP addresses from DNS replies when those addresses fail a health check.
Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB AX Series does not use this metric, since it would result in an empty IP address list.
[no] dns active-only
Config > Service > GSLB > Policy - DNS Options
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

addition-mx
Description and Syntax: Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode.
[no] dns addition-mx
Config > Service > GSLB > Policy - DNS Options
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

backup-alias
Description and Syntax: Returns the alias CNAME record configured for the service, if GSLB does not receive an answer to a query for the service and no active DNS server exists.
[no] dns backup-alias
Config > Service > GSLB > Policy - DNS Options
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

best-only
Description and Syntax: Removes all IP addresses from DNS replies except for the address selected as the best address by the GSLB policy metrics.
[no] dns best-only [max-answers]
Config > Service > GSLB > Policy - DNS Options
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

cache
Description and Syntax: Caches DNS replies and uses them when replying to clients, instead of sending a new DNS request for every client query.
[no] dns cache [aging-time seconds | ttl]
Config > Service > GSLB > Policy - DNS Options
For more information on this option, see “Order in Which Sticky, Server, Cache, and Proxy Options Are Used” on page 444.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
The aging time can be 1-1,000,000,000 seconds (nearly 32 years).
Default: TTL set by the DNS server in the reply
Note: If you change the value and later want to restore it to the default, use the ttl option.

cname-detect
Description and Syntax: Applies GSLB to CNAME records.
[no] dns cname-detect
Config > Service > GSLB > Policy - DNS Options
Supported Values: The state is one of the following:
• Enabled – This is the default.
• Disabled
external-ip
Description and Syntax: Returns the external IP address configured for a service IP. If this option is disabled, the internal address is returned instead.
[no] dns external-ip
Config > Service > GSLB > Policy - DNS Options
Note: The external IP address must be configured on the service IP. Use the external-ip option at the configuration level for the service IP. See Table 12, “GSLB Parameters,” on page 487.
Supported Values: The state is one of the following:
• Enabled – This is the default.
• Disabled

geoloc-action
Description and Syntax: Performs the DNS traffic handling action specified for the client’s geo-location. The action is specified as part of service configuration in a zone.
[no] dns geoloc-action
Config > Service > GSLB > Policy - DNS Options
Note: To configure the DNS action for a service, use the geo-location action option at the configuration level for the service. See Table 12, “GSLB Parameters,” on page 487.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

geoloc-alias
Description and Syntax: Returns the alias name configured for the client’s geo-location.
[no] dns geoloc-alias
Config > Service > GSLB > Policy - DNS Options
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

geoloc-policy
Description and Syntax: Uses the GSLB policy assigned to the client’s geo-location.
[no] dns geoloc-policy
Config > Service > GSLB > Policy - DNS Options
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.

ip-replace
Description and Syntax: Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service.
[no] dns ip-replace
Config > Service > GSLB > Policy - DNS Options
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
ipv6
Description and Syntax: Enables support for IPv6 AAAA records.
You can configure the following options:
Mapping – Specifies the actions in response to an IPv6 DNS query. You can enable one or more of these options.
• Addition – Append AAAA records in the DNS Addition section of replies.
• Answer – Append AAAA records in the DNS Answer section of replies.
• Exclusive – Replace A records (IPv4 address records) with AAAA records.
• Replace – Reply with AAAA records only.
Mix – Enables GSLB to return both AAAA and A records in the same answer.
Smart – Enables IPv6 return by query type. For the ipv4-ipv6 mapping records, an A query (IPv4) will return an A record and an AAAA query (IPv6) will return an AAAA record.
Supported Values: All options are disabled by default.
server
Description and Syntax: Directly responds to Address queries for specific service IP addresses in the GSLB zone. (The AX device still forwards other types of queries to the DNS server.)
If you use this option, you do not need to use the cname-detect option. When a client requests a configured alias name, GSLB applies the policy to the CNAME records.
• addition-mx – enables the GSLB AX device to provide the A record containing the mail server’s IP address in the Additional section, when the device is configured for DNS server mode.
• authoritative – makes the AX device the authoritative DNS server for the GSLB zone domain, for the service IPs in which you enable the static option. If you omit the authoritative option, the AX device is a non-authoritative DNS server for the zone domain. The full-list option appends all A records in the Authoritative section of DNS replies.
• mx – Provides the MX record in the Answer section, and the A record for the mail server in the Additional section, when the device is configured for DNS server mode.
• ns [auto-ns] – Provides the NS record.
• ptr [auto-ptr] – Provides the pointer record.
To place the server option into effect, you also must enable the static option on the individual service IP.
[no] dns server addition-mx
[no] dns server authoritative [full-list]
[no] dns server mx
[no] dns server ns [auto-ns]
[no] dns server ptr [auto-ptr]
Config > Service > GSLB > Policy - DNS Options
For more information on this option, see “Order in Which Sticky, Server, Cache, and Proxy Options Are Used” on page 444.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
Other defaults:
• addition-mx – Disabled
• authoritative – The AX device is a non-authoritative DNS server for the zone domain.
• mx – Disabled
sticky
Description and Syntax: Sends the same service IP address to a client for all requests from that client for the service address.
[no] dns sticky [/prefix-length] [aging-time minutes] [ipv6-mask mask-length]
The /prefix-length and ipv6-mask options adjust the granularity of the feature.
Config > Service > GSLB > Policy - DNS Options
The aging-time option specifies how many minutes a DNS reply remains sticky. You can specify 1-65535 minutes.
Note: If you enable the sticky option, the sticky time must be as long or longer than the zone TTL. (Use the ttl command at the configuration level for the zone.)
For more information on this option, see “Order in Which Sticky, Server, Cache, and Proxy Options Are Used” on page 444.
Supported Values: The state is one of the following:
• Enabled
• Disabled – This is the default.
The default prefix is /32, which causes the AX device to maintain separate stickiness information for each local DNS server. For example, if two clients use DNS 10.10.10.25 as their local DNS server, and two other clients use DNS 10.20.20.99 as their local DNS server, the AX maintains separate stickiness information for each set of clients, by maintaining separate stickiness information for each of the local DNS servers.
The aging time can be 1-65535 minutes. Default: 5 minutes
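The following is an added illustration, not A10 code, of the sticky behaviour described above: entries are keyed on the local DNS server address masked to /prefix-length or ipv6-mask, expire after aging-time minutes, and the constructor refuses an aging time shorter than the zone TTL. It assumes the timer starts when the answer is recorded and is not refreshed by later lookups; the page does not say.

```python
"""Added illustration, not A10 code: a model of the dns sticky option in
Table 13. Stickiness is kept per local DNS server address, masked to
/prefix-length (IPv4) or ipv6-mask (IPv6), and expires after aging-time
minutes. Assumption (not on the page): an entry's timer starts when the
answer is recorded and is not refreshed by later lookups."""
import ipaddress


class DnsStickyTable:
    def __init__(self, prefix_length=32, ipv6_mask=128, aging_minutes=5,
                 zone_ttl_seconds=10):
        if not 1 <= aging_minutes <= 65535:
            raise ValueError("aging-time must be 1-65535 minutes")
        # Table 13 note: the sticky time must be as long or longer than the
        # zone TTL, otherwise resolvers re-query before stickiness lapses.
        if aging_minutes * 60 < zone_ttl_seconds:
            raise ValueError("aging-time is shorter than the zone TTL")
        self.prefix_length = prefix_length
        self.ipv6_mask = ipv6_mask
        self.aging_minutes = aging_minutes
        # (service name, masked local DNS network) -> (answer, recorded_at)
        self.table = {}

    def _bucket(self, local_dns_ip):
        """Mask the local DNS server address to the configured granularity.
        With the default /32 every local DNS server gets its own entry."""
        ip = ipaddress.ip_address(local_dns_ip)
        plen = self.prefix_length if ip.version == 4 else self.ipv6_mask
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def lookup(self, service, local_dns_ip, now_minutes):
        """Return the sticky service IP for this resolver, or None once aged out."""
        key = (service, self._bucket(local_dns_ip))
        entry = self.table.get(key)
        if entry is None:
            return None
        answer, recorded_at = entry
        if now_minutes - recorded_at >= self.aging_minutes:
            del self.table[key]          # aged out: next query is re-evaluated
            return None
        return answer

    def record(self, service, local_dns_ip, answer, now_minutes):
        """Store the service IP chosen by the policy metrics for this resolver."""
        self.table[(service, self._bucket(local_dns_ip))] = (answer, now_minutes)


if __name__ == "__main__":
    # Constructed sample: two resolvers from the Table 13 example.
    t = DnsStickyTable()
    t.record("www.example.com", "10.10.10.25", "2.1.1.10", now_minutes=0)
    print(t.lookup("www.example.com", "10.10.10.25", now_minutes=3))   # 2.1.1.10
    print(t.lookup("www.example.com", "10.20.20.99", now_minutes=3))   # None
```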
ttl
Description and Syntax: Specifies the value to which the AX Series changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy.
[no] dns ttl num
Config > Service > GSLB > Policy - DNS Options
Supported Values: You can specify from 0 to 1000000 (1,000,000) seconds.
Default: 10 seconds

Geo-location Parameters

geo-location
Description and Syntax: Assigns a geographic location to an IP address range. GSLB forwards client requests from addresses within the range to the GSLB site that serves the location. This is an alternative to loading a geo-location database.
[no] geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr]
This parameter cannot be configured using the GUI.
[no] geo-location match-first {global | policy}
The match-first parameter specifies whether to match the requested IP address with the global geo-location table or with the geo-location table configured in the policy.
[no] geo-location overlap
The geo-location mapping and overlap cannot be configured using the GUI. To configure the match-first parameter, select Config > Service > GSLB > Policy - Geo-location.
Supported Values: The location-name can be up to 127 alphanumeric characters.
Default location: None
Default match-first: global
Default overlap: disabled
Configuration Examples
These examples implement the GSLB configuration shown in Figure 130
on page 436. The examples assume that the default GSLB policy is used,
without any changes to the policy settings.
CLI Example
The following commands configure a health monitor for the local DNS
server to be proxied:
AX-Controller(config)#health monitor dns-53
AX-Controller(config-health:monitor)#method dns domain example.com
AX-Controller(config-health:monitor)#exit
The following command loads the IANA file into the geo-location database:
AX-Controller(config)#gslb geo-location load iana
The following commands configure the sites. For each site SLB device,
enter the IP address of the AX Series device that provides SLB at the site.
For the VIP server names, enter the service IP name specified above.
AX-Controller(config)#gslb site usa
AX-Controller(config-gslb site)#slb-dev ax-a 2.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip1
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit
AX-Controller(config)#gslb site asia
AX-Controller(config-gslb site)#slb-dev ax-b 3.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip2
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit
Site-AX-A(config-slb virtual server-slb virtua...)#service-group www
Site-AX-A(config-slb virtual server-slb virtua...)#exit
Site-AX-A(config-slb virtual server)#exit
Note: The virtual server IP address must be the same as the GSLB service IP
address configured on the GSLB AX device.
GUI Example
3. Click Add.
5. In the Method section, select DNS from the Type drop-down list.
6. In the Domain field, enter the domain name. (Generally, this is the same
as the GSLB zone name you will configure.)
Note: The GUI will not accept the configuration if the IP address you enter here
is the same as the real DNS server IP address you enter when configuring
the service group for this proxy (below).
f. In the GSLB Port section, click Add. The GSLB Port section
appears.
3. Finish configuration of the proxy:
a. Click OK. The Proxy section reappears. (See Figure 135 on
page 519.)
b. Click OK. The DNS proxy appears in the DNS Proxy table. (See
Figure 136 on page 519.)
FIGURE 132 Configure > Service > GSLB > DNS Proxy
FIGURE 133 Configure > Service > GSLB > DNS Proxy - service group configuration
FIGURE 134 Configure > Service > GSLB > DNS Proxy - service group selected
FIGURE 135 Configure > Service > GSLB > DNS Proxy - GSLB port configured
FIGURE 136 Configure > Service > GSLB > DNS Proxy - DNS proxy configured
Load the IANA Geo-location Database
1. Select Config > Service > GSLB.
3. In the Load/Unload section, enter “iana” in the File field. Leave the
Template field blank.
4. Click Add.
Configure Services
1. Select Config > Service > GSLB.
3. Click Add.
4. Enter the service name and IP address. For this example, enter the following:
• Name – servicevip1
• IP Address – 2.1.1.10 (This is the VIP address of a site. Configure a
separate GSLB service IP for each SLB VIP.)
7. Click OK.
FIGURE 137 Config > Service > GSLB > Service IP
Configure Sites
1. Select Config > Service > GSLB.
3. Click Add.
• GSLB Service – Add a service IP by selecting it from the drop-down list and clicking Add. For this example, add “servicevip1” to site “usa”.
6. In the IP-Server section, add services to the site. Select a service from
the drop-down list and click Add. Repeat for each service.
FIGURE 138 Configure > Service > GSLB > Site - SLB Device
FIGURE 139 Configure > Service > GSLB > Site - site parameters selected
Configure a Zone
1. Select Config > Service > GSLB.
3. Click Add.
5. In the Service section, click Add. (See Figure 140 on page 524.)
The service configuration sections appear.
7. Select the service type from the Port drop-down list.
FIGURE 141 Configure > Service > GSLB > Zone
4. Click OK.
SLB configuration is the same with or without GSLB, and is not described
here.
To enable the AX device to run GSLB as a site AX device, perform the following steps on each site AX device:
1. Select Config > Service > GSLB.
4. Click OK.
RAM Caching
You can use the AX device as a transparent cache server, along with the
device’s many other uses.
Overview
The RAM Cache is a high-performance, in-memory Web cache that by
default caches HTTP responses (RFC 2616 compliant). The RAM Cache
can store a variety of static and dynamic content and serve this content
instantly and efficiently to a large number of users.
• 410 – Gone
However, if there is no Content-Length header, the response will not be
cached.
This header instructs the content server (or cache server) to send the
requested page only if the page has been modified subsequent to the date
and time specified in the IMS header.
• Cache-Control: max-age=0
However, for security, support for these headers is disabled by default. These
headers can make the AX device vulnerable to Denial of Service (DoS)
attacks, because each such request forces a reload from the origin server.
To enforce strict RFC compliance, you can enable support for the headers.
Insertion of Age and Via Headers into Cached Responses
RAM caching supports insertion of Age and Via headers into cached server
replies before they are sent to clients.
• Age header – indicates the age of the cached response, measured in seconds
• Via header – indicates the AX software version, in the following format:
AX-CACHE-software-version(major.minor):last-octet-of-VIP address
• Responses that contain a Pragma header are not cached.
Note: Image files are an exception. RAM caching can cache images that have
cookies.
Dynamic Caching
You can enhance RAM caching performance with dynamic RAM caching.
Dynamic RAM caching is useful in situations where the response to a client
request can be used multiple times before the response expires. Here are
some examples where dynamic RAM caching is beneficial:
• The same response is usable by multiple users within a certain period of
time. In this case, dynamic RAM caching is useful even if the cache
expiration period is very small, if enough users access the response
within that period. For example, dynamic RAM caching is beneficial for
a hierarchical directory that is generated dynamically but presents the
same view to all users that request it.
• The response is usable by only a single user but the user accesses it multiple times. For example, if the response generated in one session can be used unchanged in a second session.
Host Verification
RAM caching has an optional host verification feature. Host verification
supports multiple name-based virtual hosts. Name-based virtual hosts are
host names that share the same IP address. For example, the real server IP
address 192.168.209.34 could be shared by the following virtual hosts:
• www.abc.com
• www.xyz.com
Configuring RAM Caching
By default, host verification is disabled. When the AX device receives the
server response for cacheable content, the AX device caches the content
along with the URI, but not the host name. For example, if a client requests
http://www.abc.com/index.html, the AX device caches the content and
“/index.html” but does not cache “abc.com”. If another request is received,
for http://www.xyz.com/index.html, the AX device serves the same content.
If you enable host verification, the AX device caches the host name along
with the URI. For example, for http://www.abc.com/index.html, the AX
device caches the content, “/index.html”, and “abc.com”. If a new request is
received, for http://www.xyz.com/index.html, the AX device checks the
cache for content indexed by both “/index.html” and “xyz.com”. The AX
device serves the content to the client only if the content was cached for
“xyz.com”.
2. Configure a service group and add the real servers to it, if not already
configured.
3. Configure a cache template with settings for the type and size of content
to be cached. Optionally, configure dynamic caching policies.
4. Configure the virtual server, and bind the service group and cache template to the service ports for which caching will be provided.
4. Enter a name for the template, if you are creating a new one.
5. Enter or change any settings for which you do not want to use the
default settings.
6. To configure dynamic caching policies, use the applicable set of steps below.
To configure a cache policy:
a. In the URI field, enter the portion of the URI string to match on.
b. Select Cache from the Action drop-down list. The Duration field
appears.
c. By default, the content is cached for the number of seconds specified in the Age field of the RAM Caching section. To override the aging period, specify the number of seconds in the Duration field.
d. Click Add.
To configure a no-cache policy:
a. In the URI field, enter the portion of the URI string to match on.
b. Select No Cache from the Action drop-down list.
c. Click Add.
To configure an invalidate policy:
a. In the URI field, enter the portion of the URI string to match on.
b. Select Invalidate from the Action drop-down list. The Pattern field
appears. Enter the portion of the URL string on which to match. For
example, to invalidate “/list” objects when the URL contains “/add”,
enter “/add” (without the quotation marks).
7. Click OK.
• Monitor > Service > Application > RAM Caching > Objects
• Monitor > Service > Application > RAM Caching > Replacement
The Details menu option displays RAM caching statistics. The Objects
option displays cached entries. The Replacement option shows entry
replacement information.
3. Click on the checkbox next to the filename of each log file you want to
export.
4. Click Export.
To delete log archive files, click the checkbox next to each file you want to
delete, and click Delete.
The commands for configuring the real servers, service group, and virtual
server are the same as those used for configuring other types of SLB. These
configuration items have no commands or options specific to RAM caching.
[no] accept-reload-req
This command enables support for the following Cache-Control headers:
• Cache-Control: no-cache
• Cache-Control: max-age=0
When support for these headers is enabled, either header causes the AX
device to reload the cached object from the origin server.
[no] default-policy-nocache
This command changes the default cache policy in the template from cache
to nocache. This option gives you tighter control over content caching.
When you use the default no-cache policy, the only content that is cached is
cacheable content whose URI matches an explicit cache policy.
[no] max-cache-size MB
This command specifies the size of the AX RAM cache.
• On models AX 1000, AX 2000, AX 2100, AX 2200, AX 3100, and
AX 3200, you can specify 1-512 MB.
• On model AX 2500, you can specify 1-1024 MB.
[no] disable-insert-age
Disables insertion of Age headers into cached responses. Insertion of Age
headers is enabled by default.
[no] disable-insert-via
Disables insertion of Via headers into cached responses. Insertion of Via
headers is enabled by default.
[no] remove-cookies
This command enables RAM caching to remove cookies from server replies so the replies can be cached. (See “Caching Server Replies in Cookie Persistence Configurations” on page 530.)
Dynamic Caching Command
Dynamic caching is performed using caching policies. To configure a caching policy, use the following command at the configuration level for a RAM caching template:
[no] policy uri pattern {cache [seconds] | nocache | invalidate inv-pattern}
The pattern option specifies the portion of the URI string to match on. In the current release, matching is performed based on containment. All URIs that contain the pattern string match the rule. For example, the following policy matches all URIs that contain the string “.jpg” and sets the cache timeout for the matching objects to 7200 seconds:
policy uri .jpg cache 7200
The other options specify the action to take for URIs that match the pattern:
• cache [seconds] – Caches the content. By default, the content is cached
for the number of seconds configured in the template (set by the age
command). To override the aging period set in the template, specify the
number of seconds with the cache command.
• nocache – Does not cache the content.
• invalidate inv-pattern – Invalidates the content that has been cached for
inv-pattern.
If a URI matches the pattern in more than one policy command, the policy
command with the most specific match is used.
Note: Wildcard characters (for example: ? and *) are not supported in RAM
Caching policies. For example, if the string pattern contains “*”, it is
interpreted literally, as the “*” character.
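The following is an added model, not A10 code, of the policy rules above (containment matching, literal "*", most specific match wins, default-policy-nocache) combined with the host verification behaviour from the earlier "Host Verification" section. Two readings are assumptions: "most specific" is taken as the longest matching pattern, and an invalidate policy is taken to evict cached entries containing inv-pattern when a request URI contains pattern.

```python
"""Added illustration, not A10 code: RAM caching policy matching from the
'policy uri' command plus host verification. Assumptions not stated on the
page: "most specific" means the longest matching pattern; an invalidate
policy evicts cached entries whose URI contains inv-pattern when a request
URI contains pattern."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    pattern: str
    action: str                     # "cache" | "nocache" | "invalidate"
    seconds: Optional[int] = None   # cache override; template age otherwise
    inv_pattern: Optional[str] = None


def parse_policy(line):
    """Parse one line such as 'policy uri .jpg cache 7200'."""
    parts = line.split()
    if parts[:2] != ["policy", "uri"] or len(parts) < 4:
        raise ValueError(line)
    pattern, action = parts[2], parts[3]
    if action == "cache":
        secs = int(parts[4]) if len(parts) > 4 else None
        return Policy(pattern, "cache", seconds=secs)
    if action == "nocache" and len(parts) == 4:
        return Policy(pattern, "nocache")
    if action == "invalidate" and len(parts) == 5:
        return Policy(pattern, "invalidate", inv_pattern=parts[4])
    raise ValueError(line)


class RamCacheTemplate:
    def __init__(self, age=3600, default_policy_nocache=False,
                 host_verification=False):
        self.age = age                              # template 'age' command
        self.default_nocache = default_policy_nocache
        self.host_verification = host_verification
        self.policies = []
        self.entries = {}                           # key -> (body, expires_at)

    def add_policy(self, line):
        self.policies.append(parse_policy(line))

    def match(self, uri):
        # Containment match on literal characters: '*' is just a character.
        hits = [p for p in self.policies if p.pattern in uri]
        return max(hits, key=lambda p: len(p.pattern)) if hits else None

    def decision(self, uri):
        """('cache', seconds), ('nocache', None) or ('invalidate', inv_pattern)."""
        p = self.match(uri)
        if p is None:   # no explicit policy: template default applies
            return ("nocache", None) if self.default_nocache else ("cache", self.age)
        if p.action == "cache":
            return ("cache", p.seconds if p.seconds is not None else self.age)
        if p.action == "nocache":
            return ("nocache", None)
        return ("invalidate", p.inv_pattern)

    def key(self, host, uri):
        # Without host verification content is indexed by URI only, so
        # www.abc.com/index.html and www.xyz.com/index.html share one entry.
        return (host, uri) if self.host_verification else (None, uri)

    def handle(self, host, uri, now, origin):
        """Serve from cache when fresh; otherwise fetch origin(host, uri) and
        store it per policy. Returns (body, served_from_cache)."""
        action, arg = self.decision(uri)
        if action == "invalidate":
            for k in [k for k in self.entries if arg in k[1]]:
                del self.entries[k]
        k = self.key(host, uri)
        entry = self.entries.get(k)
        if entry is not None and entry[1] > now:
            return entry[0], True
        body = origin(host, uri)
        if action == "cache":
            self.entries[k] = (body, now + arg)
        return body, False
```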
Show Commands
To display client sessions that are using cached content, use the following
command:
show session
show slb cache
Basic Configuration
The commands in this example enable RAM caching for virtual service port
TCP 80 on VIP “cached-vip”.
The following commands configure the service group.
AX(config)#slb service-group cached-group
AX(config-slb service group)#member 192.168.90.34:80
AX(config-slb service group)#member 192.168.90.34:443
AX(config-slb service group)#member 192.168.90.35:80
AX(config-slb service group)#member 192.168.90.35:443
The following commands configure the virtual server and bind the RAM
caching template and the service group to virtual HTTP service port 80.
AX(config)#slb virtual-server cached-vip 10.10.10.101
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group cached-group
AX(config-slb virtual server-slb virtua...)#template cache ramcache
Prot Forward Source Forward Dest Reverse Source Reverse Dest Age
---------------------------------------------------------------------------------------
Tcp 10.10.10.61:25058 10.10.10.10:80 * * 600
Tcp 10.10.10.60:9239 10.10.10.11:80 * * 600
Tcp 10.10.10.61:1838 10.10.10.10:80 * * 600
Tcp 10.10.10.65:47834 10.10.10.11:80 * * 600
Tcp 10.10.10.62:55613 10.10.10.11:80 * * 600
Tcp 10.10.10.57:9233 10.10.10.11:80 * * 600
The following command shows RAM caching statistics.
AX(config-slb virtual server-slb virtua...)#show slb cache
Total
---------------------------------------------------------------
Cache Hits 0
Cache Misses 6
Memory Used 27648
Bytes Served 0
Entries Cached 6
Entries Replaced 0
Entries Aged Out 0
Entries Cleaned 0
Total Requests 0
Cacheable Requests 0
No-cache Requests 0
No-cache Responses 0
IMS Requests 0
304 Responses 0
Revalidation Successes 0
Revalidation Failures 0
Policy URI nocache 0
Policy URI cache 0
Policy URI invalidate 0
Content Too Big 0
Content Too Small 0
Srvr Resp - Cont Len 220
Srvr Resp - Chnk Enc 37
Srvr Resp - 304 Status 0
Srvr Resp - Other 0
Cache Resp - No Comp 383579
Cache Resp - Gzip 0
Cache Resp - Deflate 0
Cache Resp - Other 0
Entry create failures 0
The following command shows cached objects.
AX#show slb cache entries cached-vip 80
cached-vip:80
Host Object URL Bytes Type Status Expires in
---------------------------------------------------------------------------------------
-----------------------------------
10.20.0.130 /16k.html 16744 CL, No FR 165 s
10.20.0.130 /4k.html 4303 CL, No FR 166 s
10.20.0.130 /32k.html 32976 CE, No FR 169 s
10.20.0.130 /1024k.html 108786 CL, Gz FR 162 s
10.20.0.130 /8k.html 8399 CE, No FR 165 s
10.20.0.130 /64k.html 65744 CE, Gz FR 168 s
The Status column indicates the status. In this example, all entries are fresh
(FR). For more information, see the AX Series CLI Reference.
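As an added example (not code from the A10 guide), here is a small Python parser for the two outputs shown above: it turns the show slb cache counters into a dictionary, computes a hit ratio, and flags cached objects that are about to expire. The sample text is copied from the guide's own output; the regular expressions, the function names and the expiry threshold are this example's own assumptions.

```python
"""Parse AX 'show slb cache' and 'show slb cache entries' output.

Added example, not code from the A10 guide.  The two samples below are
copies of the guide's own sample output; the parsing logic is an assumption
about the output layout (one 'Name value' counter per line, one object per
line in the entries listing).
"""
import re

# 'show slb cache' counters, copied from the guide's sample output.
SHOW_SLB_CACHE = """\
Total
---------------------------------------------------------------
Cache Hits 0
Cache Misses 6
Memory Used 27648
Bytes Served 0
Entries Cached 6
Entries Replaced 0
Entries Aged Out 0
Entries Cleaned 0
Total Requests 0
Cacheable Requests 0
No-cache Requests 0
No-cache Responses 0
IMS Requests 0
304 Responses 0
Revalidation Successes 0
Revalidation Failures 0
Policy URI nocache 0
Policy URI cache 0
Policy URI invalidate 0
Content Too Big 0
Content Too Small 0
Srvr Resp - Cont Len 220
Srvr Resp - Chnk Enc 37
Srvr Resp - 304 Status 0
Srvr Resp - Other 0
Cache Resp - No Comp 383579
Cache Resp - Gzip 0
Cache Resp - Deflate 0
Cache Resp - Other 0
Entry create failures 0
"""

# 'show slb cache entries cached-vip 80', copied from the guide's sample output.
SHOW_SLB_CACHE_ENTRIES = """\
cached-vip:80
Host Object URL Bytes Type Status Expires in
---------------------------------------------------------------------------------------
-----------------------------------
10.20.0.130 /16k.html 16744 CL, No FR 165 s
10.20.0.130 /4k.html 4303 CL, No FR 166 s
10.20.0.130 /32k.html 32976 CE, No FR 169 s
10.20.0.130 /1024k.html 108786 CL, Gz FR 162 s
10.20.0.130 /8k.html 8399 CE, No FR 165 s
10.20.0.130 /64k.html 65744 CE, Gz FR 168 s
"""

# A counter line is a name (which may itself contain digits, e.g. '304 Responses')
# followed by a single integer value at the end of the line.
COUNTER_RE = re.compile(r"^(?P<name>.+?)\s+(?P<value>\d+)$")

def parse_cache_stats(text):
    """Return {counter_name: int} for every 'Name value' line of show slb cache."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or line == "Total":
            continue
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats

def hit_ratio(stats):
    """Cache hits as a fraction of hits+misses; 0.0 when no lookup has happened yet."""
    hits = stats.get("Cache Hits", 0)
    misses = stats.get("Cache Misses", 0)
    total = hits + misses
    return hits / total if total else 0.0

# One cached object per line: host, URL, size, 'Type, Compression', status, 'N s'.
ENTRY_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<type>\w+), (?P<comp>\w+)\s+(?P<status>\w+)\s+(?P<expires>\d+) s$"
)

def parse_cache_entries(text):
    """Return a list of dicts, one per cached object; header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            d["expires"] = int(d["expires"])
            entries.append(d)
    return entries

def entries_expiring_within(entries, seconds):
    """Sorted URLs whose remaining freshness is at or below the given number of seconds."""
    return sorted(e["url"] for e in entries if e["expires"] <= seconds)

def total_cached_bytes(entries):
    """Sum of the Bytes column, for comparison with the Memory Used counter."""
    return sum(e["bytes"] for e in entries)
```

A hit ratio of zero with six cached entries, as in the guide's sample, is what a freshly populated cache looks like; a persistently low ratio on a busy VIP is the signal to review the template's age and the policy patterns.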
The /list URI is visited by many users and therefore should be cached, so long as the content is current. However, the /private URI contains private data for a specific user, and should not be cached.
The /add and /del URLs modify the content of the list page. When either
type of URI is observed by the AX device, the currently cached content for
the /list URI should be invalidated, so that new requests for the URI are not
served with a stale page.
The policy that matches on “/list” caches content for 50 minutes. The policy
that matches on “/private” does not cache content. The policies that match
on “/add” and “/del” invalidate the cached “/list” content.
This policy is configured to flush (invalidate) all cached entries that have
“/story” in the URI. The policy is activated when a request is received with
the URI “/flush”.
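The policy behaviour described in this section (the most specific match wins, wildcard characters are taken literally, and the cache, nocache and invalidate actions) and the /list, /private, /add and /del scenario above, modelled in Python as an added example that is not code from the guide or from the AX device. It assumes that "most specific match" means the longest policy pattern that is a prefix of the request URI, and that an invalidate pattern matches any cached URI containing it; the class, function and policy names are the example's own.

```python
"""Model of RAM caching policy resolution.

Added example, not code from the A10 guide.  Assumptions: a policy matches
when its pattern is a literal prefix of the request URI, the longest such
pattern is the 'most specific' one, and an invalidate pattern flushes every
cached URI that contains it.
"""
import time


class PolicyCache:
    def __init__(self, default_age, policies, clock=time.monotonic):
        # policies: list of (uri_pattern, action, argument), for example
        #   ("/list", "cache", 3000)        cache, overriding the template age
        #   ("/private", "nocache", None)   never cache
        #   ("/add", "invalidate", "/list") flush cached entries containing "/list"
        self.default_age = default_age   # the template's age, in seconds
        self.policies = policies
        self.clock = clock
        self.store = {}                  # uri -> (body, expires_at)

    def match(self, uri):
        """Return the policy whose pattern is the longest literal prefix of uri, or None."""
        best = None
        for pattern, action, arg in self.policies:
            # Wildcards are not supported: '*' and '?' are ordinary characters here.
            if uri.startswith(pattern) and (best is None or len(pattern) > len(best[0])):
                best = (pattern, action, arg)
        return best

    def invalidate(self, inv_pattern):
        """Drop every cached entry whose URI contains inv_pattern; return how many."""
        doomed = [u for u in self.store if inv_pattern in u]
        for u in doomed:
            del self.store[u]
        return len(doomed)

    def request(self, uri, origin):
        """Serve uri from cache or from origin (a callable); return (body, source)."""
        now = self.clock()
        policy = self.match(uri)
        action, arg = (policy[1], policy[2]) if policy else ("cache", None)
        if action == "invalidate":
            self.invalidate(arg)            # the request itself is passed to the origin
            return origin(uri), "origin"
        if action == "nocache":
            return origin(uri), "origin"
        hit = self.store.get(uri)
        if hit and hit[1] > now:
            return hit[0], "cache"          # fresh entry
        body = origin(uri)
        age = arg if arg is not None else self.default_age
        self.store[uri] = (body, now + age)
        return body, "origin"


def demo():
    """Replay the /list, /private, /add, /del scenario with a fake clock."""
    t = [0.0]

    def clock():
        return t[0]

    backend_versions = {"/list": 1}         # constructed origin state

    def origin(uri):
        if uri.startswith("/add") or uri.startswith("/del"):
            backend_versions["/list"] += 1  # modifying the list changes the page
            return "ok"
        return "%s v%d" % (uri, backend_versions.get(uri, 0))

    cache = PolicyCache(default_age=600, clock=clock, policies=[
        ("/list", "cache", 50 * 60),        # cache for 50 minutes
        ("/private", "nocache", None),
        ("/add", "invalidate", "/list"),
        ("/del", "invalidate", "/list"),
    ])
    trace = []
    trace.append(cache.request("/list", origin))          # miss, cached for 50 minutes
    trace.append(cache.request("/list", origin))          # hit
    trace.append(cache.request("/private?u=1", origin))   # never cached
    trace.append(cache.request("/add?item=x", origin))    # flushes the cached /list
    trace.append(cache.request("/list", origin))          # miss: fresh copy, v2
    t[0] += 50 * 60 + 1
    trace.append(cache.request("/list", origin))          # aged out after 50 minutes
    return trace
```

The trace shows why the invalidate policies matter: without them the second fetch of /list after the /add request would still be served the stale v1 page for the rest of its 50-minute lifetime.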
High Availability
This chapter describes High Availability (HA) and how to configure it.
Overview
High Availability (HA) is an AX feature that provides AX-level redundancy
to ensure continuity of service to clients. In HA configurations, AX devices
are deployed in pairs. If one AX device in the HA pair becomes unavailable,
the other AX device takes over.
Note: Both AX devices in an HA pair should be the same model and should be running the same software version. Using different AX models or different software versions in an HA pair is not supported.
Layer 3 Active-Standby HA
Figure 142 shows an example of an Active-Standby configuration.
In this example, each AX device provides SLB for two virtual servers, VIP1
and VIP2.
Layer 3 Active-Active HA
Figure 143 shows an example of an Active-Active configuration.
This configuration is similar to the configuration for Active-Standby shown
in Figure 142, with the following exceptions:
• Both HA groups are configured on each of the AX devices. In Active-Standby, only a single HA group is configured.
• The priority values have been set so that each HA group has a higher priority on one AX device than it does on the other AX device. In this example, HA group 1 has a higher priority on AX2, whereas HA group 2 has a higher priority on AX1.
• On each AX device, one of the VIPs is assigned to HA group 1 and the other VIP is assigned to HA group 2.
• On both AX devices, HA pre-emption is enabled. HA pre-emption enables the devices to use the HA group priority values to select the Active and Standby AX device for each VIP. Without HA pre-emption, the AX selection is based on which of the AX devices comes up first.
Each real server is connected to the router pair through a Layer 2 switch. Neither the Layer 2 switches nor the routers are running Spanning Tree Protocol (STP). The network does not have any Layer 2 loops because the Layer 2 switches are not connected directly together, and the routers do not forward Layer 2 traffic.
FIGURE 145 Layer 2 Inline HA Deployment
Restrictions
• Supported for Active-Standby HA deployments only. Not supported for
Active-Active HA.
• Inline mode is designed for one HA group in Hot-Standby mode. Do not
configure more than one HA group on an AX running in inline mode.
• In order to prevent Layer 2 loops in a Layer 2 hot-standby environment, the Standby AX does not forward traffic. In addition, the Active AX in the HA pair is designed to not forward packets destined for the Standby AX. Depending on the network topology, certain traffic to the Standby AX might be dropped if it must first pass through the Active AX.
Preferred HA Port
When you enable inline mode on an AX, the AX uses a preferred HA port for session synchronization and for management traffic between the AX devices in the HA pair. For example, if you use the CLI on one AX to ping the other AX, the ping packets are sent only on the preferred HA port. Likewise, the other AX sends the ping reply only on its preferred HA port.
• SSH
• Ping
Optionally, you can designate the preferred HA port when you enable inline mode. In Figure 145 on page 548, Ethernet interface 5 on each AX has been configured as the preferred HA port.
Note: The preferred port must be added as an HA interface and heartbeat messages must be enabled on the interface.
Port Restart
For example, in Figure 145 on page 548, while AX1 is still Active, the active router (the one on the left) uses the MAC entries it has learned on its link with AX1 to reach downstream devices. If the link with AX1 goes down, the router flushes the MAC entries. The router then relearns the MAC addresses on the link with AX2 when it becomes the Active AX.
This mechanism is applicable when the link with AX1 goes down. However, if the transition from Active to Standby does not involve failure of the router's link with AX1, the router does not flush its learned MAC entries on the link. As a result, the router might continue to send traffic for downstream devices through the router's link with AX1. Since AX1 is now the Standby, it drops the traffic, thereby causing reachability issues.
Note: You must omit at least one port connecting the AX devices from the restart port-list. This is so that heartbeat messages between the AX devices are maintained; otherwise, flapping might occur.
Normally, this topology would introduce a traffic loop. However, the HA
inline mode prevents loops by logically blocking through traffic on the
standby AX device. Spanning Tree Protocol (STP) is not required in order
to prevent loops.
Restrictions
• Supported for Active-Standby HA deployments only. Not supported for
Active-Active HA.
• Inline mode is designed for one HA group in Hot-Standby mode. Do not
configure more than one HA group on an AX running in inline mode.
• In order to prevent Layer 2 loops in a Layer 2 hot-standby environment, the Standby AX does not forward traffic. In addition, the Active AX in the HA pair is designed to not forward packets destined for the Standby AX. Depending on the network topology, certain traffic to the Standby AX might be dropped if it must first pass through the Active AX.
HA Messages
The AX devices in an HA pair communicate their HA status with the following types of messages:
• HA heartbeat messages
HA Heartbeat Messages
The heartbeat interval and retry count are configurable. (See “HA Configuration Parameters” on page 564.)
Gratuitous ARPs
Devices that receive the ARPs learn that the MAC address for the AX HA pair has moved, and update their forwarding tables accordingly.
The Active AX device sends the gratuitous ARPs immediately upon becoming the Active AX device. To make sure ARPs are being received by the target addresses, the AX device re-sends the ARPs 4 additional times, at 500-millisecond intervals.
After this, the AX device sends gratuitous ARPs every 30 seconds to keep its IP information current.
HA Interfaces
When configuring HA, you specify each of the interfaces that are HA interfaces. An HA interface is an interface that is connected to an upstream router, a real server, or the other AX device in the HA pair.
Note: The maximum number of HA interfaces you can configure is the same as the number of Ethernet data ports on the AX device.
Note: If the heartbeat messages from one AX device to the other will pass through a Layer 2 switch, the switch must be able to pass UDP IP multicast packets.
Note: If a tracked interface is a member of a trunk, only the lead port in the trunk is shown in the tracking configuration and in statistics. For example, if a trunk contains ports 1-3 and you configure tracking of port 3, the configuration will show that tracking is enabled on port 1. Likewise, tracking statistics will show port 1, not port 3. Similarly, if port 1 goes down but port 3 is still up, statistics still will show that port 1 is up since it is the lead port for the trunk.
• Down – All router interfaces, or all server interfaces, or both are down. The status also is Down if both router interfaces and server interfaces are not configured and an HA interface goes down.
If both types of interfaces (router interfaces and server interfaces) are configured, the HA interfaces for which a type has not been configured are not included in the HA interface status determination.
During selection of the active AX, the AX with the highest state becomes the active AX and all HA interfaces on that AX become active. For example, if one AX is UP and the other AX is only Partially Up, the AX that is UP becomes the active AX.
Session Synchronization
HA session synchronization sends information about active client sessions to the Standby AX device. If a failover occurs, the client sessions are maintained without interruption. Session synchronization is optional. Without it, a failover causes client sessions to be terminated. Session synchronization can be enabled on individual virtual ports.
Session synchronization is required for config sync. Config sync uses the session synchronization link. (For more information, see “Synchronizing Configuration Information” on page 606.)
VLAN-based Failover
If the AX device does not receive any traffic on the VLAN before the timeout expires, a failover occurs. The timeout can be 2-600 seconds. You must specify the timeout. Although there is no default, A10 recommends trying 30 seconds.
Gateway-based Failover
Likewise, if the gateway becomes available again and all gateways pass
their health checks, the AX device recalculates its HA status according to
the HA interface counts. If the new HA status of the AX device is higher
than the other AX device’s HA status, a failover occurs.
Route-based Failover
You can configure this feature for individual IP routes. When you configure
this feature for a route, you also specify the value to subtract from the HA
priority of all HA groups, if the route is missing from the route table.
You can configure this option for up to 100 IPv4 routes and up to 100 IPv6
routes. This option is valid for all types of IP routes supported in this release
(static and OSPF).
If the priority of an HA group falls below the priority for the same group on
the other AX device in an HA pair, a failover can be triggered.
Notes
• This feature applies only to routes in the data route table. The feature
does not apply to routes in the management route table.
• For failover to occur due to HA priority changes, the HA pre-emption
option must be enabled.
You can configure this feature on individual real servers and ports. The feature is disabled by default. To enable the feature, assign an HA weight to the server or port. If the server or port’s health status changes to Down, the weight value is subtracted from the priority value of the HA group. You can specify a single HA group or allow the priority change to apply to all HA groups.
If the server or port’s status changes back to Up, the weight value is added
back to the HA group’s priority value.
If the HA priority of a group falls below the priority of the same group on
the other AX device, HA failover can be triggered.
Notes
• The lowest HA priority value a server or port can have is 1.
VIP-based Failover
VIP-based failover allows service for a VIP to be transferred from one AX
device in an HA pair to the other AX device based on HA status changes of
the real servers.
When you configure an HA group ID, you also specify its priority. If HA
pre-emption is enabled, the HA group’s priority can be used to determine
which AX device in the HA pair becomes the Active AX for the HA group.
In this case, the AX device that has a higher value for the group’s priority
becomes the Active AX device for the group.
When a real server becomes available again, the weight value that was subtracted from the HA group’s priority is re-added. If this results in the priority value being higher than on the other AX device, the virtual server is failed over again to the AX device with the higher priority value for the group.
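The priority arithmetic described in the route-based, server-based and VIP-based failover sections above, carried through as an added Python example; this is not code from the guide or from the AX device. It models the rules the guide states (a configured priority of 1 to 255 per HA group on each device, a weight subtracted while the tracked server, port or route is Down and added back when it recovers, a floor of 1, and priority-driven failover only when pre-emption is enabled). The class and function names, and the assumption that AX1 is the device that came up first, are the example's own.

```python
"""HA priority arithmetic and Active selection for an AX HA pair.

Added example, not code from the A10 guide.  Rules modelled: configured group
priority 1-255; a priority cost is subtracted while the tracked object is Down
and no longer subtracted once it is Up; the effective priority never drops
below 1; a priority change causes a failover only when pre-emption is enabled,
otherwise the current Active device stays Active.
"""

PRIORITY_MIN, PRIORITY_MAX = 1, 255


class HaDevice:
    def __init__(self, name, group_priorities):
        for p in group_priorities.values():
            if not PRIORITY_MIN <= p <= PRIORITY_MAX:
                raise ValueError("HA group priority must be 1-255")
        self.name = name
        self.configured = dict(group_priorities)  # group id -> configured priority
        self.costs = {}                           # (object, group or None) -> weight

    def object_down(self, obj, weight, group=None):
        """Apply a priority cost while obj (a server, port or route) is Down.
        group=None applies the weight to all HA groups, as the CLI allows."""
        if not PRIORITY_MIN <= weight <= PRIORITY_MAX:
            raise ValueError("weight must be 1-255")
        self.costs[(obj, group)] = weight

    def object_up(self, obj, group=None):
        """The object is Up again: its weight is added back by no longer subtracting it."""
        self.costs.pop((obj, group), None)

    def priority(self, group):
        """Effective priority: configured value minus active costs, floored at 1."""
        total = sum(w for (_, g), w in self.costs.items() if g is None or g == group)
        return max(PRIORITY_MIN, self.configured[group] - total)


def select_active(group, current_active, dev_a, dev_b, preemption):
    """Return the device that should be Active for the group.

    current_active is None at initial selection.  dev_a is assumed to be the
    device that came up first, which decides the outcome when pre-emption is off.
    """
    pa, pb = dev_a.priority(group), dev_b.priority(group)
    if current_active is None:
        if not preemption:
            return dev_a                      # first device up wins
        return dev_a if pa >= pb else dev_b   # higher priority wins
    if not preemption:
        return current_active                 # priority changes alone never fail over
    standby = dev_b if current_active is dev_a else dev_a
    if standby.priority(group) > current_active.priority(group):
        return standby                        # the Standby now has the higher priority
    return current_active


def vip_failover_walkthrough(preemption=True):
    """Replay the VIP-based failover sequence; return the Active device after each step."""
    ax1 = HaDevice("AX1", {1: 200})           # constructed priorities
    ax2 = HaDevice("AX2", {1: 150})
    active = select_active(1, None, ax1, ax2, preemption)
    history = [active.name]
    # A real server bound to the VIP goes Down on AX1 (weight 100 against HA group 1).
    ax1.object_down("web1", 100, group=1)
    active = select_active(1, active, ax1, ax2, preemption)
    history.append(active.name)
    # The server recovers: its weight is added back and the VIP can fail back.
    ax1.object_up("web1", group=1)
    active = select_active(1, active, ax1, ax2, preemption)
    history.append(active.name)
    return history
```

Running the walkthrough with pre-emption enabled gives AX1, AX2, AX1: the VIP moves when the server goes down and moves back when it recovers. With pre-emption disabled the priority drop is computed but AX1 stays Active throughout, which is the behaviour the notes above warn about.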
After initial selection of the Active AX device, that device remains the
Active AX device unless one of the following events occurs:
• The Standby AX device stops receiving HA heartbeat messages from
the Active AX device.
• The HA interface status of the Active AX device becomes lower than
the HA interface status of the Standby AX device.
• VLAN-based failover is configured and the VLAN becomes inactive.
FIGURE 148 HA Failover
HA Pre-Emption
By default, a failover occurs only in the following cases:
• The Standby AX device stops receiving HA heartbeat messages from the other AX device in the HA pair.
• HA interface state changes give the Standby AX device a better HA state than the Active AX device. (See “HA Interfaces” on page 554.)
• VLAN-based failover is configured and the VLAN becomes inactive. (See “VLAN-based Failover” on page 556.)
• Gateway-based failover is configured and the gateway becomes unavailable. (See “Gateway-based Failover” on page 556.)
• VIP-based failover is configured and the unavailability of real servers causes the Standby AX to have the greater HA priority for the VIP’s HA group. (See “VIP-based Failover” on page 558.)
HA Sets
Optionally, you can provide even more redundancy by configuring multiple
sets of HA pairs.
You can configure up to 7 HA sets. This feature is supported for Layer 2 and
Layer 3 HA configurations. The set ID can be specified along with the HA
ID. (For syntax information, see Table 14 on page 564.)
HA Configuration Parameters
Table 14 lists the HA parameters.
TABLE 14 HA Parameters

Global HA Parameters

HA ID and HA set ID
  Description: HA ID of the AX device, and HA set to which the AX device belongs. The HA ID uniquely identifies the AX device within the HA pair. The HA set ID specifies the HA set to which the AX device belongs. This parameter is applicable to configurations that use multiple AX pairs.
  CLI: [no] ha id {1 | 2} [set-id num]
  GUI: Config > HA > Setting > HA Global - General
  Supported values: HA ID: 1 or 2. HA set ID: 1-7. Default: neither parameter is set.

HA group ID
  Description: Uniquely identifies the HA group on an individual AX device. The priority value can be used during selection of the Active AX device. (See “How the Active AX Device Is Selected” on page 559.)
  CLI: [no] ha group group-id priority num
  GUI: Config > HA > Setting > HA Global - Group
  Supported values: HA group ID: 1-31. Priority: 1 (low priority) to 255 (high priority). Default: not set.

Floating IP address
  Description: IP address that downstream devices should use as their default gateway. The same address is shared by both AX devices in the HA pair. Regardless of which device is Active, downstream devices can reach their default gateway at this IP address.
  CLI: [no] floating-ip ipaddr ha-group group-id
  GUI: Config > HA > Setting > HA Global - Floating IP Address
  Supported values: Default: not set.
HA interfaces
  Description: Interfaces used for HA management. HA heartbeat messages are sent on HA interfaces, unless you use the option to disable the messages. At least one HA interface must be specified. If the interface is tagged, then a VLAN ID must be specified if heartbeat messages are enabled on the interface. If you specify the interface type (server, router, or both), changes to the interface state can control failover. (See “HA Interfaces” on page 554 and “How the Active AX Device Is Selected” on page 559.)
  CLI: [no] ha interface ethernet port-num [router-interface | server-interface | both] [no-heartbeat | vlan vlan-id]
  GUI: Config > Network > Interface > LAN - Select the interface and then click HA.
  Supported values: AX Ethernet interfaces. Default: not set.

VLAN-based HA
  Description: Enables the AX device to change its HA status based on the health of a VLAN. When HA checking is enabled for a VLAN, the active AX device in the HA pair monitors traffic activity on the VLAN. If there is no traffic on the VLAN for half the duration of a configurable timeout, the AX device attempts to generate traffic by issuing ping requests to servers if configured, or broadcast ARP requests through the VLAN. If the AX device does not receive any traffic on the VLAN before the timeout expires, a failover occurs.
  CLI: [no] ha check vlan vlan-id timeout seconds
  GUI: Config > HA > Setting > HA Global - Status Check
  Supported values: Valid VLAN ID. Default: not set. The timeout can be 2-600 seconds. Although there is no default timeout, A10 recommends trying 30 seconds.

Gateway-based HA
  Description: Enables the AX device to change its HA status based on the health of a gateway router. If the gateway fails a Layer 3 (ICMP) health check, the AX device changes its HA status to Down. If the HA status of the other AX device is higher than Down, a failover occurs.
  CLI: [no] ha check gateway ipaddr
  GUI: Config > HA > Setting > HA Global - Status Check
  Supported values: IP address of the gateway. Default: not set. Additional configuration is required. (See “Gateway-based Failover” on page 556.)
Session synchronization (also called “connection mirroring”)
  Description: Enables the AX devices to share information about active client sessions. If a failover occurs, client sessions continue uninterrupted. The Standby AX device, when it becomes Active, uses the session information it received from the Active AX device before the failover to continue the sessions without terminating them. To enable session synchronization, specify the IP address of the other AX device in the HA pair. Session synchronization does not apply to DNS sessions. Since these sessions are typically very short lived, there is no benefit to synchronizing them.
  Note: This option also requires session synchronization to be enabled on the individual virtual service ports. (See “HA Parameters for Virtual Service Ports” below.)
  CLI: [no] ha conn-mirror ip ipaddr
  GUI: Config > HA > Setting > HA Global - General
  Supported values: IP address of the other AX device. Default: not set.

Pre-emption
  Description: Controls whether failovers can be caused by configuration changes to HA priority or HA ID.
  CLI: [no] ha preemption-enable
  GUI: Config > HA > Setting > HA Global - General
  Supported values: Enabled or disabled. Default: disabled.

HA heartbeat interval
  Description: Interval at which the AX device sends HA heartbeat messages on its HA interfaces.
  CLI: [no] ha time-interval 100-msec-units
  GUI: Config > HA > Setting > HA Global - General
  Supported values: 1-255 units of 100 milliseconds (ms) each. Default: 200 ms.

Retry count
  Description: Number of HA heartbeat intervals the Standby device will wait for a heartbeat message from the Active AX device before failing over to become the Active AX device.
  CLI: [no] ha timeout-retry-count num
  GUI: Config > HA > Setting > HA Global - General
  Supported values: 2-255. Default: 5.

ARP repeat count
  Description: Number of additional gratuitous ARPs, in addition to the first ones, an AX sends after transitioning from Standby to Active in an HA configuration.
  CLI: [no] ha arp-retry num
  GUI: Config > HA > Setting > HA Global - General
  Supported values: 1-255. Default: 4 additional gratuitous ARPs, for a total of 5.
Forced failover
  Description: Forces HA groups to change from Active to Standby status.
  CLI: [no] ha force-self-standby [group-id]
  Note: This option provides a simple method to force a failover, without the need to change HA group priorities and enable pre-emption. The option is not added to the configuration and does not persist across reboots.
  Note: The current release does not support configuration of this parameter using the GUI.
  Supported values: Valid HA group ID. If you do not specify a group ID, all Active groups are forced to change from Active to Standby status.

Layer 2/3 forwarding of Layer 4 traffic on the Standby AX device
  Description: Enables Layer 2/3 forwarding of Layer 4 traffic on the Standby AX device.
  CLI: [no] ha forward-l4-packet-on-standby
  Note: The current release does not support configuration of this parameter using the GUI.
  Supported values: Enabled or disabled. Default: Disabled. Layer 4 traffic is dropped by the Standby AX device.

Global HA Parameters for Layer 2 Inline Mode

Inline mode state
  Description: Enables Layer 2 inline mode and, optionally, specifies the HA interface to use for session synchronization and for management traffic between the AX devices.
  CLI: [no] ha inline-mode [preferred-port port-num]
  GUI: Config > HA > Setting - HA Inline Mode
  Supported values: Enabled or disabled. Default: disabled. When inline mode is enabled, the preferred port is selected as described in “Preferred HA Port” on page 549.

Restart port list
  Description: List of Ethernet interfaces on the previously Active AX device to toggle (shut down and restart) following HA failover.
  CLI: [no] ha restart-port-list ethernet port-list
  GUI: Config > HA > Setting - HA Inline Mode
  Supported values: AX Ethernet interfaces. Default: not set.

Port restart time
  Description: Amount of time interfaces in the restart port list remain disabled following a failover.
  CLI: [no] ha restart-time 100-msec-units
  GUI: Config > HA > Setting - HA Inline Mode
  Supported values: 1-100 units of 100 milliseconds (ms). Default: 20 units of 100 ms (2 seconds).
Global HA Parameters for Layer 3 Inline Mode

Inline mode state
  Description: Enables Layer 3 inline mode.
  CLI: [no] ha l3-inline-mode
  GUI: Config > HA > Setting - HA Inline Mode
  Supported values: Enabled or disabled. Default: disabled.

OSPF on Standby AX device
  Description: Leaves OSPF enabled on the Standby AX device.
  CLI: [no] ha ospf-inline vlan vlan-id
  Note: This option is not configurable using the GUI.
  Supported values: Enabled or disabled. Default for all HA modes except Layer 3 inline: disabled (OSPF is disabled on the Standby AX device). Default for Layer 3 inline mode: enabled (OSPF is allowed to run on all VLANs by default).

Link event delay
  Description: Change the delay waited by the AX device before changing the HA state (Up, Partially Up, or Down) in response to link-state changes on HA interfaces.
  CLI: [no] ha link-event-delay 100-ms-unit
  GUI: Config > HA > Setting - HA Inline Mode
  Supported values: 100 milliseconds (ms) to 10000 ms, in increments of 100 ms. Default: 3000 ms (3 seconds).

HA Parameters for Virtual Servers

HA group ID
  Description: HA group ID for a virtual server. This is required to enable HA for the VIP.
  CLI: [no] ha-group group-id
  GUI: Config > Service > SLB > Virtual Server
  Supported values: 1-31. Default: not set.

Server weight
  Description: Weight value assigned to real servers bound to the virtual server. The weight is used for VIP-based failover. (See “VIP-based Failover” on page 558.)
  CLI: [no] ha-dynamic server-weight
  GUI: Config > Service > SLB > Virtual Server - Select the HA group, then select the Dynamic Server Weight.
  Supported values: 1-255. Default: not set.
HA Parameters for Virtual Service Ports

Session synchronization (also called “connection mirroring”)
  Description: Enables active client sessions on this virtual port to continue uninterrupted following a failover.
  Note: This option also requires session synchronization to be enabled globally. (See “Global HA Parameters” above.)
  CLI: [no] ha-conn-mirror
  GUI: Config > Service > SLB > Virtual Server - Port
  Supported values: Enabled or disabled. Default: disabled.

HA Parameters for Real Servers

Priority cost
  Description: Decreases the HA priority of an HA group, if the real server’s health status changes to Down.
  CLI: [no] ha-priority-cost weight [ha-group group-id]
  Note: The current release does not support configuration of this option using the GUI.
  Supported values: Weight: 1-255. HA group: 1-31. If no group is specified, the weight applies to all HA groups. Default: not set.

HA Parameters for Real Ports

Priority cost
  Description: Decreases the HA priority of an HA group, if the real port’s health status changes to Down.
  CLI: [no] ha-priority-cost weight [ha-group group-id]
  Note: The current release does not support configuration of this option using the GUI.
  Supported values: Weight: 1-255. HA group: 1-31. If no group is specified, the weight applies to all HA groups. Default: not set.

HA Parameters for Firewall Load Balancing (FWLB)

Note: For an example of an FWLB HA configuration, see “Firewall Load Balancing” on page 333.

HA group ID
  Description: HA group ID for a virtual firewall or virtual firewall port.
  CLI: [no] ha-group group-id
  GUI: Config > Service > Firewall > Firewall Virtual Server (for virtual firewall); Config > Service > Firewall > Firewall Virtual Server - Port (for virtual firewall port)
  Supported values: 1-31. Default: not set.

Session synchronization
  Description: Enables active client sessions on this virtual firewall port to continue uninterrupted following a failover.
  Note: This option also requires session synchronization to be enabled globally. (See “Global HA Parameters” above.)
  CLI: [no] ha-conn-mirror
  GUI: Config > Service > Firewall > Firewall Virtual Server (for virtual firewall); Config > Service > Firewall > Firewall Virtual Server - Port (for virtual firewall port)
  Supported values: Enabled or disabled. Default: disabled.
HA Parameters for IP Network Address Translation (NAT) Pools

HA group ID
  Description: HA group ID for IP NAT.
  CLI: Option with ip nat pool, ipv6 nat pool, or ip nat inside command: ha-group group-id
  GUI: Config > Service > IP Source NAT > IPv4 Pool; Config > Service > IP Source NAT > IPv6 Pool; Config > Service > IP Source NAT > NAT Range
  Supported values: 1-31. Default: not set.

HA Parameters for IP Routes

Priority cost
  Description: Reduces the HA priority of all HA groups on the AX device, if the specified route is missing from the IPv4 or IPv6 route table.
  Supported values: Default: not set.
HA Status Indicators
The HA status of an AX device is displayed in the GUI and CLI. The HA
status indicators provide the following information:
• Current HA status of the AX device: Active or Standby
• Configuration status:
• Most recent configuration update – The system time and date when
the most recent configuration change was made.
• Most recent configuration save – The system time and date when
the configuration was saved to the startup-config.
• Most recent config-sync – The system time and date when the most
recent configuration change was made.
If the AX device is configured with multiple Role-Based Administration
(RBA) partitions, separate configuration status information is shown for
each partition.
In the GUI
The current HA status is shown as one of the following:
• Active
• Standby
• Not Configured
• Not-Sync
The GUI does not indicate when the most recent configuration update or
save occurred. This information is available in the CLI. (See below.)
In the CLI
In the CLI, the HA status is shown in the command prompt. For example:
• AX-Active#
or
• AX-Standby#
Note: If HA is not configured, the prompt is simply the hostname (“AX” by
default).
Configuring Layer 3 HA
To configure Layer 3 HA:
1. Configure the following global HA parameters:
• HA ID
• HA group ID and priority. For an Active-Standby configuration,
configure one group ID. For Active-Active, configure multiple HA
group IDs.
• Floating IP address (optional)
• Session synchronization (optional)
• HA pre-emption (optional)
USING THE GUI
Note: Enter the real IP address of the AX device, not the floating IP address that
downstream devices will use as their default gateway address.
4. Click OK.
Configuring HA Interfaces
1. Select Config > Network > Interface.
2. On the menu bar, select LAN. The list of the AX device’s physical
Ethernet data interfaces appears.
3. Perform the following steps for each HA interface. (For information, see
“HA Interfaces” on page 554.)
a. Click on the interface number.
b. In the HA section, select Enabled next to HA Enabled.
c. To specify the interface type, select one of the following or leave the
setting None:
• Router-Interface
• Server-Interface
• Both
d. To enable HA heartbeat messages, select Enabled next to Heartbeat.
e. To restrict the HA heartbeat messages to a specific VLAN, enter the
VLAN ID in the VLAN field.
f. Click OK.
3. Click on the virtual server name or click Add to add a new one.
Note: The Dynamic Server Weight option is used for VIP-based failover. For
information, see “VIP-based Failover” on page 558.
Note: The GUI does not support enabling connection mirroring on some types
of service ports. However, you can enable connection mirroring for these
service types using the CLI.
HA Configuration of AX1
FIGURE 151 Config > Service > Network > LAN (Ethernet interface 1)
FIGURE 152 Config > Service > SLB > Virtual Server (VIP1)
FIGURE 153 Config > Service > SLB > Virtual Server (VIP2)
HA Configuration of AX2
FIGURE 155 Config > Service > SLB > Virtual Server (VIP1)
FIGURE 156 Config > Service > SLB > Virtual Server (VIP2)
Use the same HA group ID for the same virtual server, on both AX
devices.
4. If IP NAT pools are configured, use the following option with the ip nat
pool or ipv6 nat pool command.
ha-group group-id
(For the complete command syntax, see Table 14 on page 564.)
Commands on AX1
This example shows the CLI commands to implement the Active-Active
configuration shown in Figure 143 on page 544.
Later in the configuration, each virtual server will need to be added to one
or the other of the HA groups.
AX1(config)#ha id 1
AX1(config)#ha group 1 priority 1
AX1(config)#ha group 2 priority 255
Heartbeat messages are disabled on all HA interfaces except the dedicated
HA link between the AX devices.
AX1(config)#ha interface ethernet 1 router-interface no-heartbeat
AX1(config)#ha interface ethernet 2 router-interface no-heartbeat
AX1(config)#ha interface ethernet 3 server-interface no-heartbeat
AX1(config)#ha interface ethernet 4 server-interface no-heartbeat
AX1(config)#ha interface ethernet 5
Commands on AX2
Here are the commands for AX2. The priority values for the groups are dif-
ferent from the values set on AX1, so that group 1 has higher priority on this
AX device than on AX1. Likewise, the priority of group 2 is set so that its
priority is higher on AX1.
AX2(config)#ha id 2
AX2(config)#ha group 1 priority 255
AX2(config)#ha group 2 priority 1
The floating IP addresses must be the same as the ones set on AX1.
AX2(config)#floating-ip 10.10.10.1 ha-group 1
AX2(config)#floating-ip 10.10.10.100 ha-group 2
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface no-heartbeat
AX2(config)#ha interface ethernet 4 server-interface no-heartbeat
AX2(config)#ha interface ethernet 5
The HA configuration for virtual servers and virtual ports is identical to the
configuration on AX1.
AX2(config)#slb virtual-server VIP1
AX2(config-slb virtual server)#ha-group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX2(config-slb virtual server-slb virtua...)#exit
AX2(config-slb virtual server)#exit
AX2(config)#slb virtual-server VIP2
AX2(config-slb virtual server)#ha-group 2
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
AX2(config-slb virtual server-slb virtua...)#exit
AX2(config-slb virtual server)#exit
Configuring Layer 2 HA (Inline Mode)
Note: If source NAT is not configured for the VIP, but real servers send
responses to a gateway IP address other than the AX floating IP address,
CPU processing must be enabled on the AX interfaces connected to the
real servers. This applies to the following AX models: AX 2200,
AX 3100, AX 3200, AX 5100, and AX 5200. On other models, the option
for CPU processing is not valid and is not required.
default gateway after an HA failover, without the need for the gateway
address to be changed to the Standby AX device’s address.
Note: Enter the real IP address of the AX device, not the floating IP address that
downstream devices will use as their default gateway address.
4. Click OK.
2. On the menu bar, select LAN. The list of the AX device’s physical
Ethernet data interfaces appears.
3. Perform the following steps for each HA interface. (For information, see
“HA Interfaces” on page 554.)
a. Click on the interface number.
b. In the HA section, select Enabled next to HA Enabled.
c. To specify the interface type, select one of the following or leave the
setting None:
• Router-Interface
• Server-Interface
• Both
d. To enable HA heartbeat messages, select Enabled next to Heartbeat.
e. To restrict the HA heartbeat messages to a specific VLAN, enter the
VLAN ID in the VLAN field.
f. If source NAT is not configured for the VIP, but real servers send
responses to a gateway IP address other than the AX floating IP
address, select CPU Process in the General section. This require-
ment applies to the following AX models: AX 2200, AX 3100, AX
3200, AX 5100, and AX 5200. On other models, the command for
CPU processing is not valid and is not required.
g. Click OK.
7. Click OK.
FIGURE 157 Config > HA > Setting
FIGURE 158 Config > Service > Network > LAN (Ethernet interface 1)
USING THE CLI
Commands on AX1
The following command enables inline HA mode and specifies the pre-
ferred HA port.
AX1(config)#ha inline-mode preferred-port 5
Note: If source NAT is not configured for the VIP, but real servers send
responses to a gateway IP address other than the AX floating IP address,
enter the cpu-process command at the configuration level for each inter-
face connected to the real servers. This requirement applies to the follow-
ing AX models: AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200.
On other models, the command for CPU processing is not valid and is not
required.
The following command specifies the IP address of the other AX, to use for
session synchronization.
AX1(config)#ha conn-mirror ip 172.168.10.3
The following command configures the floating IP address for the real serv-
ers to use as their default gateway address.
AX1(config)#floating-ip 172.168.10.1 ha-group 1
Commands on AX2
Here are the commands for implementing HA on the standby AX, AX2.
Most of the commands are the same as those on AX1, with the following
exceptions:
• The HA ID is 2.
• The HA priority is 1.
AX2(config)#slb virtual-server v1 172.168.10.80
AX2(config-slb virtual server)#ha-group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#service-group g80
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
Configuring Layer 3 HA (Inline Mode)
Note: The GUI does not support configuration of Layer 3 inline mode in the
current release.
Commands on AX1
AX1(config)#vlan 5
AX1(config-vlan:5)#untagged ethernet 5
AX1(config-vlan:5)#router-interface ve 5
AX1(config-vlan:5)#exit
AX1(config)#interface ve1
AX1(config-if:ve1)#ip address 172.168.10.2 /24
AX1(config-if:ve1)#interface ve5
AX1(config-if:ve5)#ip address 172.168.20.2 /24
AX1(config-if:ve5)#exit
The following command specifies the IP address of the other AX, to use for
session synchronization.
AX1(config)#ha conn-mirror ip 172.168.10.3
The following command configures the floating IP address for the real serv-
ers to use as their default gateway address.
AX1(config)#floating-ip 172.168.10.1 ha-group 1
Commands on AX2
Here are the commands for implementing HA on AX2. Most of the com-
mands are the same as those on AX1, with the following exceptions:
• The IP interfaces are different.
• The HA ID is 2.
• The HA priority is 1.
AX2(config)#interface ethernet 1
AX2(config-if:ethernet1)#enable
AX2(config-if:ethernet1)#interface ethernet 2
AX2(config-if:ethernet2)#enable
AX2(config-if:ethernet2)#interface ethernet 3
AX2(config-if:ethernet3)#enable
AX2(config-if:ethernet3)#cpu-process
AX2(config-if:ethernet3)#interface ethernet 4
AX2(config-if:ethernet4)#enable
AX2(config-if:ethernet4)#cpu-process
AX2(config-if:ethernet4)#interface ethernet 5
AX2(config-if:ethernet5)#enable
AX2(config-if:ethernet5)#exit
AX2(config)#vlan 100
AX2(config-vlan:100)#untagged ethernet 1 to 4
AX2(config-vlan:100)#router-interface ve 1
AX2(config-vlan:100)#exit
AX2(config)#vlan 5
AX2(config-vlan:5)#untagged ethernet 5
AX2(config-vlan:5)#router-interface ve 5
AX2(config-vlan:5)#exit
AX2(config)#interface ve1
AX2(config-if:ve1)#ip address 172.168.10.3 /24
AX2(config-if:ve1)#interface ve5
AX2(config-if:ve5)#ip address 172.168.20.3 /24
AX2(config-if:ve5)#exit
AX2(config)#ha id 2
AX2(config)#ha group 1 priority 1
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface
AX2(config)#ha interface ethernet 4 server-interface
AX2(config)#ha interface ethernet 5
AX2(config)#ha l3-inline-mode
AX2(config)#ha restart-port-list ethernet 1 to 2
AX2(config)#ha preemption-enable
AX2(config)#ha conn-mirror ip 172.168.10.2
AX2(config)#floating-ip 172.168.10.1 ha-group 1
AX2(config)#health monitor myHttp interval 10 retry 2 timeout 3
AX2(config-health:monitor)#method http url HEAD /index.html
AX2(config-health:monitor)#exit
AX2(config)#slb server s1 172.168.10.30
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb server s2 172.168.10.31
AX2(config-real server)#port 80 tcp
AX2(config-real server-node port)#health-check myHttp
AX2(config-real server-node port)#exit
AX2(config-real server)#exit
AX2(config)#slb service-group g80 tcp
AX2(config-slb service group)#member s1:80
AX2(config-slb service group)#member s2:80
AX2(config-slb service group)#exit
AX2(config)#slb virtual-server v1 172.168.10.80
AX2(config-slb virtual server)#ha-group 1
AX2(config-slb virtual server)#port 80 tcp
AX2(config-slb virtual server-slb virtua...)#service-group g80
AX2(config-slb virtual server-slb virtua...)#ha-conn-mirror
Configuring Optional Failover Triggers
• Gateway-based failover
• VIP-based failover
2. In the Status Check section, enter the VLAN ID in the VLAN ID field.
4. Click Add.
5. Repeat step 2 through step 4 for each VLAN to be monitored for HA.
6. Click OK.
USING THE CLI
The timeout can be 2-600 seconds. You must specify the timeout. Although
there is no default, A10 recommends trying 30 seconds.
2. Configure the gateway as an SLB real server and apply the ICMP health
monitor to the server:
a. Select Config > Service > SLB.
b. Select Server on the menu bar.
c. Click Add. The General section appears.
d. In the General section, enter a name for the gateway in the Name
field.
e. In the IP Address field, enter the IP address of the gateway.
f. In the Health Monitor drop-down list, select the ICMP health moni-
tor you configured in step 1.
g. Click OK.
2. To configure the gateway as an SLB real server and apply the health
monitor to the server, use the following command.
[no] slb server server-name ipaddr
[no] health-check monitor-name
3. To enable HA health checking for the gateway, use the following com-
mand at the global configuration level.
[no] ha check gateway ipaddr
CLI Example
The following commands configure a real server for the gateway and apply
the health monitor to it:
AX(config)#slb server gateway1 10.10.10.1
AX(config-real server)#health-check gatewayhm1
AX(config-real server)#exit
Note: The current release does not support this feature in the GUI.
The priority-cost weight option specifies the value to subtract from the HA
priority of each HA group, if the IP route table does not have a route to the
destination subnet.
The gateway addr option specifies the next-hop gateway for the route.
The distance num option specifies the metric value (cost) of the route.
Omitting an optional parameter matches on all routes. For example, if you
do not specify the next-hop gateway, routes that match based on the other
parameters can have any next-hop gateway.
CLI Examples
The following command configures HA route awareness for a default IPv4
route. If this route is not in the IP route table, 255 is subtracted from the HA
priority of all HA groups.
AX(config)#ha check route 0.0.0.0 /0 priority-cost 255
Note: The lowest possible HA priority value is 1. Subtracting 255 sets the HA
priority value to 1, regardless of the original priority value.
If the IPv6 route table does contain a static route to the destination, but the
next-hop gateway is not 2001::1, the AX device subtracts only 5 from the
HA priority of each HA group.
AX(config)#ha check route 3000::/64 priority-cost 100
AX(config)#ha check route 3000::/64 priority-cost 5 protocol static gateway 2001::1
4. Click on the virtual server name or click Add to create a new one.
Note: If the HA Group drop-down list does not have any group IDs, you still
need to configure global HA parameters. See “Configuring Global HA
Parameters” on page 573.
7. Click OK.
Enter this command at the configuration level for a virtual server, to assign
the virtual server to the HA group. The group-id can be 1-31.
[no] ha-dynamic server-weight
Enter this command at the configuration level for the virtual server to
enable VIP-based failover. The server-weight specifies the amount to sub-
tract from the HA group's priority value for each real server that becomes
unavailable. The weight can be 1-255. The default is 1.
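The priority arithmetic described for route awareness (ha check route ... priority-cost) and for VIP-based failover (ha-dynamic server-weight) can be modelled in a few lines. The following Python script is an added illustration written for this page, not A10 code. It reproduces the rules the guide states: each failed route check subtracts its cost from every group, each unavailable real server subtracts the VIP's server weight from that VIP's group, an omitted protocol or gateway in a route check matches any route, and the priority never drops below 1. The route-table representation, the class names, and the tie-break (equal priorities leave the current Active in place) are assumptions of the model.

```python
"""Model of AX-style HA group priority under route-awareness and VIP-based
failover costs.  Added illustration for this page, not A10 code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PRIORITY_MIN = 1      # the guide: the lowest possible HA priority is 1
PRIORITY_MAX = 255


@dataclass
class RouteCheck:
    """One `ha check route <prefix> priority-cost <cost> [protocol ..] [gateway ..]`."""
    prefix: str
    cost: int
    protocol: Optional[str] = None   # None matches any protocol
    gateway: Optional[str] = None    # None matches any next hop


@dataclass
class Vip:
    """Virtual server in an HA group with `ha-dynamic server-weight`."""
    name: str
    ha_group: int
    server_weight: int = 1                                       # default weight is 1
    real_servers: Dict[str, bool] = field(default_factory=dict)  # name -> up?


@dataclass
class AxDevice:
    ha_id: int
    group_priority: Dict[int, int]          # configured priority per HA group
    # route table entries as (prefix, protocol, next-hop gateway): an assumption
    route_table: Set[Tuple[str, str, str]] = field(default_factory=set)
    route_checks: List[RouteCheck] = field(default_factory=list)
    vips: List[Vip] = field(default_factory=list)

    def route_present(self, chk: RouteCheck) -> bool:
        """A check passes if some route matches every parameter it specifies."""
        for prefix, proto, gw in self.route_table:
            if prefix != chk.prefix:
                continue
            if chk.protocol is not None and proto != chk.protocol:
                continue
            if chk.gateway is not None and gw != chk.gateway:
                continue
            return True
        return False

    def effective_priority(self, group: int) -> int:
        """Configured priority minus all applicable costs, floored at 1."""
        cost = sum(c.cost for c in self.route_checks if not self.route_present(c))
        for vip in self.vips:
            if vip.ha_group == group:
                down = sum(1 for up in vip.real_servers.values() if not up)
                cost += down * vip.server_weight
        base = min(PRIORITY_MAX, self.group_priority[group])
        return max(PRIORITY_MIN, base - cost)


def should_fail_over(active: AxDevice, standby: AxDevice, group: int) -> bool:
    """Failover is warranted when the Standby now has strictly higher priority.
    Equal priorities leave the current Active in place (an assumption)."""
    return standby.effective_priority(group) > active.effective_priority(group)


def demo() -> dict:
    """Active-Active pair from the guide: AX1 owns group 2, AX2 owns group 1."""
    ax1 = AxDevice(ha_id=1, group_priority={1: 1, 2: 255})
    ax2 = AxDevice(ha_id=2, group_priority={1: 255, 2: 1})
    # "ha check route 0.0.0.0 /0 priority-cost 255" on AX1; next hop is constructed
    ax1.route_checks.append(RouteCheck("0.0.0.0/0", 255))
    ax1.route_table.add(("0.0.0.0/0", "static", "10.10.10.254"))
    before = ax1.effective_priority(2)
    ax1.route_table.clear()           # the default route disappears
    after = ax1.effective_priority(2)  # 255 - 255 clamps to 1
    return {"before": before, "after": after,
            "failover": should_fail_over(ax1, ax2, 2)}


if __name__ == "__main__":
    print(demo())
```

With the guide's own Active-Active values, losing the default route on AX1 drops group 2 from 255 to the floor of 1, which only ties AX2's priority of 1 for that group; the model therefore reports no failover, which is why the pair's priorities for a group should differ by more than the costs you expect to see in normal operation.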
CLI Example
Forcing Active Groups to Change to Standby Status
If you specify a group ID, only the specified group is forced to change from
Active to Standby. If you do not specify a group ID, all Active groups are
forced to change to Standby status.
CLI Example
The following command forces HA group 1 to change from Active to
Standby status:
AX(config)#ha force-self-standby 1
Enabling Session Synchronization
3. In the Mirror IP Address field, enter the IP address of the other AX
device in the HA pair.
4. Click OK or Apply.
7. Click OK again.
[no] ha-conn-mirror
CLI Example
The following commands access the configuration level for a virtual port
and enable connection mirroring on the port:
AX(config)#slb virtual-server vip1 10.10.10.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#ha-conn-mirror
OSPF Awareness of HA
The AX device uses HA-aware VIPs, floating IPs, IP NAT pools, and IP
range lists with route redistribution to achieve HA-aware dynamic routing.
However, by default, the OSPF protocol on the AX device is not aware of
the HA state (Active or Standby) of the AX device. Consequently, following
HA failover of an AX device, other OSPF routers might continue forward-
ing traffic to the Standby AX device (the former Active AX device), instead
of the new Active AX device.
Note: In Layer 3 inline mode, all VLANs on the AX device participate in OSPF
routing by default. (See “OSPF Support on Standby AX in Layer 3 Inline
Mode” on page 606.)
After an OSPF neighbor receives the LSA update, the neighbor updates its
OSPF link-state database with the increased cost of the links. The increased
cost biases route selection away from paths that use the Standby AX device.
Note: The additional cost for Standby status is removed only if the HA status for
all HA groups on the device is Active. Otherwise, if the status of any of
the groups is Standby, the additional cost remains in effect for all OSPF
interfaces on the device.
To enable OSPF awareness of HA, use the following command at the OSPF
configuration level.
The num option specifies the extra cost to add to the AX device’s OSPF
interfaces, if the HA status of one or more of the device’s HA groups is
Standby. You can specify 1-65535. If the resulting cost value is more than
65535, the cost is set to 65535.
Synchronizing Configuration Information
• Data files:
• SSL certificates and private-key files
• aFleX files
• External health check files
• Black/white-list files
Requirements
SSH management access must be enabled on both ends of the link. (See
“Securing Admin Access by Ethernet” on page 687.)
• Floating IP addresses
• IP NAT configuration
• Health monitors
• SLB
• FWLB
• GSLB
• Data Files:
• aFleX files
• External health check files
• SSL certificate and private-key files
• Black/white-list files
Note: For IP NAT configuration items to be backed up, you must specify an HA
group ID as part of the NAT configuration.
• MAC addresses
• Management IP addresses
• Trunks or VLANs
• Interface settings
• OSPF settings
An admin who is logged on with Root or Read-Write (Super Admin) privi-
leges can synchronize for all Role-Based Administration (RBA) partitions
or for a specific partition.
Caveats
Before synchronizing the Active and Standby AX devices, verify that both
are running the same software version. HA configuration synchronization
between two different software versions is not recommended, since some
configuration commands in the newer version might not be supported in the
older version.
Performing HA Synchronization
To synchronize the AX devices in an HA configuration, use the CLI com-
mands described below.
2. In the User and Password fields, enter the admin username and pass-
word for logging onto the other AX device.
6. To reload the other AX device after synchronization, select With
Reload. Otherwise, the other AX device is not reloaded following the
synchronization.
Note: In some cases, reload of the other AX device either is automatic or is not
allowed. See Table 15 on page 608.
7. Click OK.
The ha sync commands are available at the global configuration level of the
CLI.
To synchronize data files and the running-config, use the following com-
mand:
ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
Note: In some cases, reload of the other AX device either is automatic or is not
allowed. See Table 15 on page 608.
To synchronize the data files by copying the Active AX device’s data files
to the Standby AX device, use the following command:
ha sync data-files
[all-partitions | partition partition-name]
Tip for Ensuring Fast HA Failover
The time it takes for traffic to reconverge following HA failover can vary
based on the network environment, and depends on the following:
• How fast the ARPs (typically, ARPs of the default gateways) are learned
on the newly active AX device
• How fast the MAC tables in the devices along the traffic paths are
updated
To help reconvergence occur faster, you can create a real server configura-
tion for each router, and use an ICMP health monitor for checking the health
of the gateways. The health checks keep the ARP entries for the gateway
routers active, which can help to reduce reconvergence time considerably.
2. Create an SLB real server configuration for each gateway. If you plan to
use a custom ICMP health monitor (previous step), apply the health
monitor to the server.
Note: The AX device also has an HA gateway health checking feature. This fea-
ture also uses ICMP health monitors. However, if you use the HA gate-
way health checking feature, HA failover is triggered if a gateway fails a
health check. If you use real server configurations instead, as shown in the
following examples, HA failover is not triggered by a failed health check.
CLI Example – IPv4
AX(config)#health monitor gatewayhm1
AX(config-health:monitor)#method icmp interval 1 timeout 1
AX(config-health:monitor)#exit
AX(config)#slb server gateway-upstream 192.168.10.1
AX(config-real server)#health-check gatewayhm1
AX(config-real server)#exit
AX(config)#slb server gateway-downstream 10.10.10.1
AX(config-real server)#health-check gatewayhm1
AX(config-real server)#exit
To use the default ICMP health monitor instead, the configuration is even
simpler:
AX(config)#slb server gateway-upstream 192.168.10.1
AX(config-real server)#exit
AX(config)#slb server gateway-downstream 10.10.10.1
AX(config-real server)#exit
This chapter describes Network Address Translation (NAT) and how to con-
figure it. NAT translates the source or destination IP address of a packet
before forwarding the packet.
The AX device uses NAT to perform SLB. The AX device also supports tra-
ditional Layer 3 NAT, which you can configure if required by your network.
Note: This chapter does not include information about Large-Scale NAT (LSN).
For LSN information, see “Large-Scale Network Address Translation” on
page 647.
SLB NAT
AX Series devices can perform source and destination NAT on client-VIP
SLB traffic.
Note: Destination NAT is disabled for virtual ports on which Direct Server
Return (DSR) is enabled.
By default, SLB NAT works as follows.
• Before forwarding a client packet to a real server, the AX device trans-
lates the destination IP address from the virtual server IP address (VIP)
to the IP address of the real server.
• The AX device reverses the translation before sending the server reply
to the client. The source IP address is translated from the real server’s IP
address to the VIP address.
The default SLB NAT behavior does not translate the client’s IP address.
• The VIP and real servers are in different subnets. In cases where real
servers are in a different subnet than the VIP, source NAT ensures that
reply traffic from a server will pass back through the AX device. (See
“Source NAT for Servers in Other Subnets” on page 622.)
Connection Reuse
Connection reuse requires SLB source NAT. Since the TCP connection with
the real server needs to remain established after a client’s session ends, the
client’s IP address cannot be used as the source address for the connection.
Instead, the source address must be an IP address from a NAT pool or pool
group configured on the AX device.
The pool or pool group must have a unique IP address for each reusable
TCP connection you want to establish.
3. If you plan to use policy-based source NAT, to select from among multi-
ple pools based on source IP address, configure an ACL for each of the
client address ranges that will use its own pool.
4. Enable source NAT on the virtual service port and specify the pool or
pool group to use for the source addresses. If you are configuring pol-
icy-based source NAT, bind each ACL to its pool.
USING THE GUI
1. To configure a pool of addresses:
a. Select Config > Service > IP Source NAT.
b. Select IPv4 Pool or IPv6 Pool on the menu bar.
c. Click New. The Pool section appears.
d. Enter a name for the pool.
e. Enter the start and end addresses.
f. Enter the network mask.
g. If the AX device is deployed in transparent mode, enter the default
gateway to use for NATted traffic.
h. To use session synchronization for NAT translations, select the HA
group.
i. Click OK.
h. Do one of the following:
• To use a single pool or pool group for all source addresses, select
the pool from the Source NAT pool drop-down list.
• To use separate pools based on source addresses, use the
ACL-SNAT Binding fields to bind each ACL to its pool.
For each binding, select the ACL from the Access List drop-
down list, select the pool from the Source NAT Pool drop-down
list, and click Add.
i. Do not click OK yet. Go to step 4.
This command creates the template and changes the CLI to configura-
tion level for the template. Use the following commands to configure
the template, or use the default settings:
limit-per-server number
timeout seconds
The limit-per-server command specifies the maximum number of reus-
able connections to establish with each real server. You can specify 0-
65535. For unlimited connections, specify 0. The default is 1000.
The timeout command specifies the maximum number of seconds a
reusable connection can remain idle before it times out. You can specify
1-3600 seconds. The default is 2400 seconds (40 minutes).
Note: If you do not specify a NAT pool with this command, the ACL is used
only to filter the traffic.
4. Add the connection reuse template to the virtual port, use the following
command at the configuration level for the virtual port:
template connection-reuse template-name
CLI Example
The following commands configure standard ACLs that match on different
client addresses:
AX(config)#access-list 30 permit ip 192.168.1.1 /24
AX(config)#access-list 50 permit ip 192.168.20.69 /24
The following commands configure a real server and a service group:
AX(config)#slb server s1 192.168.19.48
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
AX(config)#slb service-group group80 tcp
AX(config-slb service group)#method weighted-rr
AX(config-slb service group)#member s1:80
AX(config-slb service group)#exit
You can enable source NAT on a virtual port in either of the following ways:
• Use the source-nat option to bind a single IP address pool or pool
group to the virtual port. This option is applicable if all the real servers
are in the same subnet.
• Use sets of ACL-pool pairs, one for each real server subnet. You must
use this method if the real servers are in multiple subnets. This section
describes how to use this method.
For the real server to be able to send replies back through the AX device,
use an extended ACL. The source IP address must match on the client
address. The destination IP address must match on the real server address.
The action must be permit.
The ACL should not match on the virtual IP address (unless the virtual IP
address is in the same subnet as the real servers, in which case source NAT
is probably not required). Figure 161 on page 623 shows an example.
FIGURE 161 Multiple NAT Pools Bound to a Virtual Port
In this example, a service group has real servers that are located in two dif-
ferent subnets. The VIP is not in either of the subnets. To ensure that reply
traffic from a server will pass back through the AX device, the AX device
uses IP source NAT.
To implement IP source NAT, two pairs of ACL and IP address pool are
bound to the virtual port. Each ACL-pool pair contains the following:
• An extended ACL whose source IP address matches on client addresses
and whose destination IP address matches on the real server’s subnet.
• An IP address pool or pool group containing translation addresses in the
real server’s subnet.
For example, if SLB selects a real server in the 10.10.10.x subnet, then the
source IP address is translated from the client’s address to an address in
pool 1. When the server replies, it replies to the address from pool 1.
Note: In most cases, destination NAT does not need to be configured for SLB.
The AX device automatically translates the VIP address into a real server
address before forwarding a request to the server.
CLI Example
First, the ACLs are configured. In each ACL, “any” is used to match on all
clients. The destination address is the subnet where the real servers are
located.
AX(config)#access-list 100 permit any 10.10.10.0 /24
AX(config)#access-list 110 permit any 10.10.20.0 /24
The following commands configure the IP address pools. Each pool con-
tains addresses in one of the real server subnets.
AX(config)#ip nat pool pool1 10.10.10.100 10.10.10.101 netmask /24
AX(config)#ip nat pool pool2 10.10.20.100 10.10.20.101 netmask /24
The following commands bind the ACLs and IP address pools to a virtual
port on the VIP:
AX(config)#slb virtual-server vip1 192.168.1.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#access-list 100 source-nat-pool pool1
AX(config-slb virtual server-slb virtua...)#access-list 110 source-nat-pool pool2
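The selection logic the example above configures, as an added Python model (not A10 code): destination NAT from the VIP to the chosen real server always happens, the client address is rewritten only when a bound extended ACL permits the (client, real server) pair, and the pool bound to that ACL supplies the translation address, so the server's reply lands on an address in its own subnet and returns through the device. ACL numbers and pool names mirror the CLI example; the client address, server addresses and the round-robin port allocation are constructed for the example.

```python
"""Added example, not A10 code: how the ACL-pool bindings on a virtual port
choose the source NAT address for a client connection.  Destination NAT
(VIP -> real server) always happens; the client address is rewritten only
when a bound extended ACL permits the (client, real server) pair, and then
the pool bound to that ACL supplies the address.  All addresses are
constructed; ACL numbers and pool names mirror the CLI example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import cycle
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExtendedAcl:
    """'access-list N permit <src> <dst>'; None stands for 'any'."""
    number: int
    src: Optional[IPv4Network]
    dst: Optional[IPv4Network]

    def permits(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.src is None or src in self.src) and (self.dst is None or dst in self.dst)


class NatPool:
    """'ip nat pool NAME START END netmask /LEN': contiguous translation
    addresses, each with its own source-port space."""

    def __init__(self, name: str, start: str, end: str, mask_len: int):
        self.name = name
        self.network = ip_network(f"{start}/{mask_len}", strict=False)
        first, last = int(ip_address(start)), int(ip_address(end))
        if last < first or IPv4Address(last) not in self.network:
            raise ValueError(f"pool {name}: range must lie inside {self.network}")
        self.addresses = [IPv4Address(i) for i in range(first, last + 1)]
        self._rr = cycle(self.addresses)                 # spread load over the pool
        self._next_port = {a: 1024 for a in self.addresses}

    def allocate(self) -> Tuple[IPv4Address, int]:
        addr = next(self._rr)
        port = self._next_port[addr]
        self._next_port[addr] += 1
        return addr, port


class VirtualPort:
    """A VIP:port with ordered 'access-list N source-nat-pool POOL' bindings."""

    def __init__(self, vip: str, port: int):
        self.vip, self.port = ip_address(vip), port
        self.bindings: List[Tuple[ExtendedAcl, NatPool]] = []
        self._reverse: Dict[Tuple[IPv4Address, int], Tuple[IPv4Address, int]] = {}

    def bind(self, acl: ExtendedAcl, pool: NatPool) -> None:
        self.bindings.append((acl, pool))

    def forward(self, client: str, client_port: int, server: str, server_port: int) -> dict:
        """Client -> server.  The first ACL that permits the pair selects the
        pool; with no match the client address is preserved (the default)."""
        c, s = ip_address(client), ip_address(server)
        src, pool_name = (c, client_port), None
        for acl, pool in self.bindings:
            if acl.permits(c, s):
                src, pool_name = pool.allocate(), pool.name
                self._reverse[src] = (c, client_port)
                break
        return {"src": src, "dst": (s, server_port), "pool": pool_name}

    def reply(self, dst: str, dst_port: int) -> dict:
        """Server -> client.  The server answers the pool address; because that
        address is in the server's own subnet the reply comes back here, and
        the client tuple and the VIP are restored."""
        key = (ip_address(dst), dst_port)
        return {"src": (self.vip, self.port), "dst": self._reverse.get(key, key)}


def build_example_vport() -> VirtualPort:
    """The two ACL-pool pairs from the CLI example above."""
    vp = VirtualPort("192.168.1.100", 80)
    vp.bind(ExtendedAcl(100, None, ip_network("10.10.10.0/24")),
            NatPool("pool1", "10.10.10.100", "10.10.10.101", 24))
    vp.bind(ExtendedAcl(110, None, ip_network("10.10.20.0/24")),
            NatPool("pool2", "10.10.20.100", "10.10.20.101", 24))
    return vp


if __name__ == "__main__":
    vp = build_example_vport()
    for server in ("10.10.10.5", "10.10.20.7", "10.10.30.1"):   # last one: no binding
        print(server, vp.forward("172.16.5.10", 40000, server, 80))
```

The third server in the demo sits in a subnet no ACL covers, so its reply would go straight to the client's address and bypass the device; that is the failure the ACL-per-subnet rule above guards against, and the model makes it visible by returning the untranslated client tuple.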
This type of NAT is especially useful for applications that have intensive
payload transfers, such as FTP and streaming media.
When DSR is enabled, only the destination MAC address is translated, from
the VIP’s MAC address to the real server’s MAC address. The destination IP
address is still the VIP.
To use DSR, the AX device and the real servers must be in the same Layer 2
subnet. The VIP address must be configured as a loopback address on the
real servers.
Note: To configure health checking for DSR, see “Configuring Health Monitor-
ing of Virtual IP Addresses in DSR Deployments” on page 394.
Note: For examples of DSR configurations, see “Network Setup” on page 73.
4. If you are adding a new virtual server, enter the general server settings.
5. Click Port.
6. Select the port and click Edit, or click Add. The Virtual Server Port sec-
tion appears.
9. Click OK.
Enter the following CLI command at the configuration level for the virtual
port:
no-dest-nat
Note: The current release does not support this feature for FTP or RTSP traffic.
These methods are used in the order shown above. For example, if IP source
NAT is configured using an ACL on the virtual port, and the slb snat-on-
vip command is also used, then a pool assigned by the ACL is used for traf-
fic that is permitted by the ACL. For traffic that is not permitted by the
ACL, VIP source NAT can be used instead.
Configuration
To configure IP NAT for VIPs:
1. Configure a pool, range list, or static inside source NAT mapping, that
includes the real IP address(es) of the inside clients.
3. Enable outside NAT on the interface connected to the external VIP servers.
To globally configure IP NAT support for VIPs, use the following command
at the global configuration level of the CLI:
[no] slb snat-on-vip
To configure IP NAT support for an individual virtual port, use the com-
mand at the configuration level for the virtual port instead of at the global
level.
When this option is enabled, the AX device checks the configured IP NAT
pools for an IP address range that includes the server IP address (the source
address of the traffic). If the address range in a pool does include the
server’s IP address, and a default gateway is defined for the pool, the AX
device forwards the server traffic through the pool’s default gateway.
This feature is disabled by default. To enable it, use the following command
at the global configuration level of the CLI:
IP Source NAT
Independently of SLB NAT, you can configure traditional, Layer 3 IP
source NAT. IP source NAT translates internal host addresses into routable
addresses before sending the host’s traffic to the Internet. When reply traffic
is received, the AX device then retranslates addresses back into internal
addresses before sending the reply to the client.
• Optionally, pool group – to use non-contiguous address ranges. To use a
non-contiguous range of addresses, you can configure separate pools,
then combine them in a pool group and map the ACL to the pool group.
The addresses within an individual pool still must be contiguous, but
you can have gaps between the ending address in one pool and the start-
ing address in another pool. You also can use pools that are in different
subnets.
A pool group can contain up to 5 pools. Pool group members must
belong to the same protocol family (IPv4 or IPv6) and must use the
same HA ID. A pool can be a member of multiple pool groups. Up to 50
NAT pool groups are supported.
If a pool group contains pools in different subnets, the AX device selects
the pool that matches the outbound subnet. For example, if there are two
routes to a given destination, in different subnets, and the pool group has
a pool for one of those subnets, the AX selects the pool that is in the sub-
net for the outbound route.
The AX device searches the pools beginning with the first one added to
the group, and selects the first match. If none of the pools are in the des-
tination subnet, the AX uses the first pool that has available addresses.
• Inside NAT setting on the interface connected to the inside host.
Note: The AX device enables you to specify the default gateway for an IP
source NAT pool to use. However, the pool’s default gateway can be used
only if the data route table already has either a default route or a direct
route to the destination of the NAT traffic. In this case, the pool’s default
gateway will override the route, for NAT traffic that uses the pool.
If the data route table does not have a default route or a direct route to the
NAT traffic destination, the pool’s default gateway can not be used. In this
case, the NAT traffic can not reach its destination.
• Outside NAT setting on the interface connected to the Internet. Inside
host addresses are translated into external addresses from a static map-
ping or a range list before the host traffic is sent to the Internet.
3. Enable inside source NAT and map the ACL to the pool.
2. To configure a pool of external addresses to use for translation:
a. Select Config > Service > IP Source NAT.
b. Select IPv4 Pool or IPv6 Pool on the menu bar.
c. Click Add.
d. Enter a name for the pool.
e. Enter the start and end addresses.
f. Enter the network mask.
g. If the AX device is deployed in transparent mode, enter the default
gateway to use for NATted traffic.
h. To use session synchronization for NAT translations, select the HA
group.
i. Click OK.
3. To enable inside source NAT and map the ACL to the pool:
a. Select Config > Service > IP Source NAT, if not already selected.
b. Select Binding on the menu bar.
c. Select the ACL number from the ACL drop-down list.
d. Select the pool ID from the NAT Pool drop-down list.
e. Click Add. The new binding appears in the ACL section.
f. Click OK.
d. Repeat for each interface connected to the Internet.
e. Click OK.
FIGURE 162 Configure > Network > ACL > Standard ACL
FIGURE 163 Configure > Service > IP Source NAT > IPv4 Pool
FIGURE 164 Configure > Service > IP Source NAT > Binding
FIGURE 165 Configure > Service > IP Source NAT > Interface
or
access-list acl-num {permit | deny} {tcp | udp}
Note: The ha-use-all-ports option applies only to DNS virtual ports. Using this
option with other virtual port types is not valid. (For information about
this option, see the AX Series CLI Reference.)
3. To enable inside source NAT and map the ACL to the pool, use the fol-
lowing command:
ip nat inside source list acl-name
pool {pool-name | pool-group-name}
4. To enable inside NAT on the interfaces connected to the inside hosts,
use the following commands:
interface [ethernet port-num | ve ve-num]
ip nat inside
The interface command changes the CLI to the configuration level for
the interface connected to the internal hosts. These are the hosts identi-
fied by the ACL configured in step 1 and used by the commands in
step 2 and step 3.
CLI EXAMPLE
The following command enables inside source NAT and associates the ACL
with the pool:
AX(config)#ip nat inside source list 1 pool pool1
The following commands enable inside source NAT on the interface con-
nected to the internal hosts:
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#ip nat inside
Note: The GUI supports configuring a static NAT range but does not support
configuring individual mappings.
1. To configure the static translations of internal host addresses to external
addresses:
a. Select NAT Range on the menu bar.
b. Click Add.
c. Enter a name for the range.
d. Select the address type (IPv4 or IPv6).
e. In the From fields, enter the first (lowest numbered) address and
network mask in the range of inside host addresses to be translated.
f. In the To field, enter the first (lowest numbered) address and net-
work mask in the range of external addresses into which to translate
the inside host addresses.
g. In the Count field, enter the number of addresses to be translated.
h. To apply HA to the addresses, select the HA group.
i. Click OK.
2. To enable inside NAT on the interfaces connected to the inside hosts:
a. Select Interface on the menu bar.
b. Select the interface from the Interface drop-down list.
c. Select Inside in the Direction drop-down list.
d. Click OK.
e. Repeat for each inside interface.
The source-ipaddr specifies the starting address in the range of internal
host addresses. The nat-ipaddr command specifies the first address in
the range of external addresses to use for the translations.
The count option specifies how many mappings to create.
2. If you used the ip nat inside source command, enter the following com-
mand at the global configuration level of the CLI, to enable static NAT
support:
ip nat allow-static-host
Note: This step is not required if you use a static source NAT range list instead.
CLI EXAMPLE
The AX device is deployed between PPTP clients and the VPN server (VPN
Server using PPTP). The AX interface connected to the PPTP clients is
enabled for inside source NAT. The AX interface connected to the VPN
server is enabled for outside source NAT.
Each client runs a PPTP Network Server (PNS). To set up a VPN session,
the PNS sends an Outgoing-Call-Request to the PPTP Access Concentrator
(PAC), which is the VPN server. The destination TCP port is the PPTP port
(1723 by default). The request includes a Call ID that the PNS chooses.
Because multiple clients may share the same NAT address, the AX device
must ensure that clients do not share the same Call ID as well. Therefore,
the AX device assigns to each client a NAT Call ID (analogous to a NAT
source port for TCP) and modifies the Outgoing-Call-Request to use the
NAT Call ID instead.
PAC’s Call ID. The PAC then assigns to the client an IP address belonging
to the VPN subnet.
On the AX device, the GRE session is created after the PNS sends its reply.
In the GRE session, the Call ID is used as the Layer 4 port, instead of a
TCP/UDP port number. (See the example of show session output in “CLI
Example” on page 641.)
In Figure 166 on page 638, client (PNS) 10.1.1.1 wants to connect to a VPN
through the VPN Server (PAC) 10.3.3.2, which is using PPTP. Client
10.1.1.1 establishes a PPTP control session (on port 1723) with 10.3.3.2.
When the client sends the Outgoing-Call-Request over that TCP session
with its desired Call ID, the AX device will translate the Call ID into a
unique Call ID for NAT. Once the VPN server replies with its own Call ID,
the AX device will establish the GRE session.
After the Call IDs are exchanged, the client and server encapsulate VPN
subnet traffic in a GRE tunnel. The GRE tunnel packets are sent under nor-
mal IP between 10.1.1.1 and 10.3.3.2. A GRE packet for PPTP uses a Call
ID in the same way as a TCP or UDP destination port. Therefore, GRE
packets from the server (10.3.3.2) will use the NAT Call ID. The AX device
translates the NAT Call ID back into the client’s original Call ID before
sending the packet to the client.
Note: One GRE session is supported per control session, which means one call
at a time is supported. In practice, PPTP is used only for VPNs, in which
case multiple concurrent calls do not occur.
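The Call ID exchange described above, as an added Python model of the ALG (not A10 code): two PNS clients behind one NAT address choose the same Call ID, the ALG hands each call a distinct NAT Call ID in the Outgoing-Call-Request, restores the original in the PAC's Outgoing-Call-Reply (Peer's Call ID field), and translates the GRE Key's Call ID on data packets from the server. Message layouts follow RFC 2637; the client addresses, Call IDs, the sample PPP payload and the counter names (borrowed from the statistics display shown later in this section) are constructed for the example.

```python
"""Added example, not A10 code: a minimal PPTP NAT ALG that gives each client
call a NAT Call ID, as the text describes, and maps it back on the reply and
on GRE data.  Message layouts follow RFC 2637; addresses and Call IDs are
constructed for the example."""
import struct

PPTP_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1
OUTGOING_CALL_REQUEST = 7   # PNS -> PAC, caller's Call ID at offset 12
OUTGOING_CALL_REPLY = 8     # PAC -> PNS, PAC Call ID at 12, Peer's Call ID at 14
GRE_PPP = 0x880B            # enhanced GRE carrying PPP; recipient's Call ID at offset 6
HEADER = "!HHIHH"           # Length, Message Type, Magic Cookie, Control Type, Reserved0


def build_call_request(call_id, phone=b""):
    """Constructed Outgoing-Call-Request (168 bytes)."""
    body = struct.pack("!HHIIIIHHHH64s64s", call_id, 1, 300, 100_000_000, 1, 1,
                       64, 0, len(phone), 0, phone, b"")
    return struct.pack(HEADER, 12 + len(body), CTRL_MESSAGE, PPTP_COOKIE,
                       OUTGOING_CALL_REQUEST, 0) + body


def build_call_reply(pac_call_id, peer_call_id):
    """Constructed Outgoing-Call-Reply (32 bytes), result code 1 (connected)."""
    body = struct.pack("!HHBBHIHHI", pac_call_id, peer_call_id, 1, 0, 0,
                       100_000_000, 64, 0, 0)
    return struct.pack(HEADER, 12 + len(body), CTRL_MESSAGE, PPTP_COOKIE,
                       OUTGOING_CALL_REPLY, 0) + body


def build_gre(call_id, payload):
    """Constructed enhanced-GRE packet: K bit set, version 1, no sequence numbers."""
    return struct.pack("!HHHH", 0x2001, GRE_PPP, len(payload), call_id) + payload


def call_id_at(msg, offset):
    """Big-endian 16-bit field at the given offset."""
    return struct.unpack_from("!H", msg, offset)[0]


class PptpAlg:
    """One NAT address is shared by many PNS clients, so the Call IDs they
    chose may collide; the ALG allocates a NAT Call ID per (client, Call ID)."""

    def __init__(self):
        self.stats = {"Calls In Progress": 0, "Truncated PNS Message": 0,
                      "Truncated PAC Message": 0, "Mismatched PAC Call ID": 0,
                      "Unknown GRE Packets": 0}
        self._next = 1
        self._by_nat = {}       # nat_call_id -> (client_ip, client_call_id)
        self._by_client = {}    # (client_ip, client_call_id) -> nat_call_id

    @staticmethod
    def _ctrl_type(msg):
        """Control type, or None if the message is short or malformed."""
        if len(msg) < 12:
            return None
        length, mtype, cookie, ctype, _ = struct.unpack_from(HEADER, msg)
        if mtype != CTRL_MESSAGE or cookie != PPTP_COOKIE or len(msg) < length:
            return None
        return ctype

    def from_client(self, client_ip, msg):
        """PNS -> PAC: rewrite the Call ID of an Outgoing-Call-Request."""
        ctype = self._ctrl_type(msg)
        if ctype is None:
            self.stats["Truncated PNS Message"] += 1
            return None                        # dropped
        if ctype != OUTGOING_CALL_REQUEST:
            return msg                         # other control messages pass untouched
        key = (client_ip, call_id_at(msg, 12))
        nat_id = self._by_client.get(key)
        if nat_id is None:
            if self._next > 0xFFFF:
                raise RuntimeError("NAT Call ID space exhausted on this NAT address")
            nat_id, self._next = self._next, self._next + 1
            self._by_client[key] = nat_id
            self._by_nat[nat_id] = key
            self.stats["Calls In Progress"] += 1
        return msg[:12] + struct.pack("!H", nat_id) + msg[14:]

    def from_server(self, msg):
        """PAC -> PNS: Peer's Call ID carries our NAT Call ID; restore the
        client's original and return (client_ip, rewritten message)."""
        ctype = self._ctrl_type(msg)
        if ctype is None:
            self.stats["Truncated PAC Message"] += 1
            return None
        if ctype != OUTGOING_CALL_REPLY:
            return (None, msg)                 # routed by the TCP session, not the ALG
        entry = self._by_nat.get(call_id_at(msg, 14))
        if entry is None:
            self.stats["Mismatched PAC Call ID"] += 1
            return None
        client_ip, orig = entry
        return client_ip, msg[:14] + struct.pack("!H", orig) + msg[16:]

    def gre_from_server(self, pkt):
        """PAC -> PNS data: the GRE Key's Call ID is the recipient's, i.e. the
        NAT Call ID; translate it back so the client recognises its call."""
        if len(pkt) < 8 or call_id_at(pkt, 2) != GRE_PPP:
            self.stats["Unknown GRE Packets"] += 1
            return None
        entry = self._by_nat.get(call_id_at(pkt, 6))
        if entry is None:
            self.stats["Unknown GRE Packets"] += 1
            return None
        client_ip, orig = entry
        return client_ip, pkt[:6] + struct.pack("!H", orig) + pkt[8:]
```

GRE packets from the client to the server carry the PAC's Call ID, which the ALG never changed, so only the server-to-client direction needs a rewrite; the length and cookie checks are what keep a truncated or forged control message from creating a mapping.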
Note: In the current release, NAT ALG support for PPTP is not supported with
static NAT or NAT range lists.
Note: In the current release, NAT ALG support for PPTP can not be disabled or
re-enabled using the GUI.
First, to configure the ACL, use the following command at the global con-
figuration level of the CLI:
access-list acl-num permit
source-ipaddr {filter-mask | /mask-length}
Note: The ACL must permit IP traffic. The syntax above is for a standard ACL.
If you plan to use an extended ACL instead, make sure to use the ip
option, instead of icmp, tcp, or udp.
To configure the IP address pool, use the following command at the global
configuration level of the CLI:
ip nat pool pool-name start-ipaddr end-ipaddr
netmask {subnet-mask | /mask-length}
[gateway ipaddr] [ha-group-id group-id]
To enable or disable NAT ALG support for PPTP, use the following com-
mand at the global configuration level of the CLI:
ip nat alg pptp {enable | disable}
The feature is enabled by default. The default protocol port number is 1723
and can not be changed.
To display GRE sessions, use the following commands:
show session
CLI Example
The commands in this section implement the NAT ALG for PPTP configu-
ration shown in Figure 166 on page 638.
The following commands specify the inside NAT interface and the outside
NAT interface.
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip address 10.2.2.254 255.255.255.0
AX(config-if:ethernet1)#ip nat inside
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#ip address 10.3.3.254 255.255.255.0
AX(config-if:ethernet2)#ip nat outside
This example shows the GRE session and the TCP session over which the
GRE session is transported. For the GRE session, the number following
each IP address is the PPTP Call ID. For the TCP session, the number is the
TCP protocol port.
The following command displays PPTP NAT ALG statistics.
AX(config-if:ethernet2)#show ip nat alg pptp statistics
Statistics for PPTP NAT ALG:
-----------------------------
Calls In Progress: 10
Call Creation Failure: 0
Truncated PNS Message: 0
Truncated PAC Message: 0
Mismatched PNS Call ID: 1
Mismatched PAC Call ID: 0
Retransmitted PAC Message: 3
Truncated GRE Packets: 0
Unknown GRE Packets: 0
No Matching Session Drops: 4
The default timeout for IP NATted ICMP sessions, as well as UDP sessions
on port 53 (DNS), is set to the SLB maximum session life (MSL), which is
2 seconds by default.
Note: Fast aging applies to sessions between internal clients and external
resources, in cases where the AX device performs IP NAT translation of
the client addresses. This type of traffic is not SLB traffic between clients
and a VIP configured on the AX device. For SLB DNS traffic, short aging
based on the MSL time is the default aging mechanism.
Table 16 summarizes the session timeouts and how to configure them.
To display the timeout that will be used for IP NATted sessions, use the fol-
lowing command:
show ip nat timeouts
To change the IP NAT translation timeout for ICMP, use the following com-
mand:
[no] ip nat translation icmp-timeout
{seconds | fast}
To change the IP NAT translation timeout for a UDP port, use the following
command:
[no] ip nat translation service-timeout
udp port-num {seconds | fast}
The port-num option specifies the UDP port number. The fast option sets
the timeout to the SLB MSL timeout, for the specified UDP port.
CLI Example
In this example, the output indicates that fast aging is used for IP NATted
ICMP sessions, and for IP NATted DNS sessions on port 53.
The message at the bottom of the display indicates that the fast aging setting
(SLB MSL timeout) will be used for IP NATted UDP sessions on port 53. If
the message is not shown in the output, then the timeout shown under
“UDP” will be used instead.
AX#show ip
System is running in Transparent Mode
IP address: 172.168.101.4 255.255.255.0
IP Gateway address: 172.168.101.251
SMTP Server address: Not configured
In this configuration, the AX device will initiate health checks using the last
IP address in the pool as the source IP address. In this example, the AX
device will use IP address 173.168.10.25. In addition, the AX device will
only respond to control traffic directed to 173.168.10.25 from the
173.168.10.0/24 subnet.
• The AX device does not have any data interfaces or routes that contain
an address within the subnet of the range list's global address(es).
To work around this issue, configure an IP interface that is within the NAT
range list’s global subnet. You can configure the address on any active data
interface on the AX device.
This issue does not affect NATted traffic other than ICMP or UDP traffic, or
use of an ACL with a NAT pool.
IP NAT in HA Configurations
If you are using IP source NAT or full NAT in an HA configuration, make
sure to add the NAT pool or range list to an HA group. Doing so allows a
newly Active AX device to properly continue management of NAT
resources following a failover.
In the GUI, you can select the HA group from the HA Group drop-down list
on the following configuration tabs:
• Config > Service > IP Source NAT > IPv4 Pool
In the CLI, the ha-group-id option is supported with the following NAT
commands:
Note: LSN is supported only on the 64-bit ACOS models: AX 2500, AX 2600,
AX 3000, AX 5100, and AX 5200.
Note: The current release provides Application Layer Gateway (ALG) support
for FTP only.
Note: LSN requires the new-path processing option. This option was
enabled by default in AX Release 2.5.0 (the Beta release for LSN) but
is disabled by default in the current release. New-path processing is
required for LSN and applies only to LSN. The option does not apply to
any other features. (To enable the option, see step 7 in “Configuring
Large-Scale NAT” on page 666.)
Overview
LSN provides robust NAT support for network carriers (also called “Inter-
net Service Providers” or “ISPs”). Carriers can use LSN to provide NAT
service for multiple enterprises and residential clients. Figure 167 shows an
example of a carrier using LSN to provide NAT to residential clients.
FIGURE 167 Large-Scale NAT
After LSN creates an IP address mapping for a client, LSN uses the same
mapping for all traffic between the client and any external IP address. For
example, if client 192.168.1.1 opens multiple HTTP sessions and an email
session, LSN uses the same external IP address for the client for all the ses-
sions, as shown in Figure 168.
NAT Data Session Aging
The client’s data session remains in effect until the AX device detects that
the session has ended or until the session ages out due to inactivity.
• For a TCP session, the data session is removed when the AX device
observes the FIN or RST messages exchanged by the two end points of
the session. If the AX device does not observe the FIN exchange but the
session is idle, the mapping is removed when the session ages out.
• For a UDP session, the data session is removed when the session ages
out.
• For an ICMP session, the data session ends when the ICMP reply is
received, or when the session ages out.
NAT session aging is individually configurable for TCP, UDP, and ICMP,
using the ip nat translation command.
• tcp-timeout – Configurable to 60-1500 seconds. The default is 300 sec-
onds.
• udp-timeout – Configurable to 60-1500 seconds. The default is 300
seconds.
• icmp-timeout – Configurable to 60-1500 seconds, or fast. The fast
option uses the SLB maximum session life (MSL), which is 2 seconds
by default. The default is fast.
LSN maintains the NAT mapping for a full-cone session for a period of
time, the STUN timeout, after the last data session ends. The STUN timeout
is 2 minutes by default and is configurable. (See “STUN Timeout” on
page 670.)
By default, full-cone behavior for the well-known destination ports
(1-1024) is disabled. Full-cone behavior does not apply to ICMP sessions.
The benefits LSN provides that traditional NAT can not provide are
described in this section and in more detail in “Benefits of LSN” on
page 653.
To provide NAT for these types of applications, LSN is required. Figure 169
shows an example of P2P file sharing among LSN clients and other devices.
FIGURE 169 LSN Clients Using P2P File Sharing
Note: When possible, LSN uses the internal client’s source protocol port number
in the external mapping for the client. However, if the protocol port is
already used by another client on the same external IP address, LSN
selects another protocol port for the new mapping.
Benefits of LSN
LSN provides the following benefits not provided by traditional NAT:
• Sticky NAT
Sticky NAT
Once an internal user uses a NAT IP, the user always uses the same NAT IP
for future connections. If all user sessions are cleared, then a different NAT
IP may be assigned.
Some applications that open multiple sessions to the same or multiple serv-
ers often do not work well without sticky NAT.
Full-Cone NAT
Traditional NAT works well for client-to-server applications, wherein a cli-
ent opens a connection to a server and requests data, and the server responds
back to the client. However, traditional NAT is inadequate to support client-
to-client applications, such as the following:
• Peer-to-peer (P2P) file-sharing applications
• Voice-over-IP (VoIP)
To overcome the shortcomings of traditional NAT, LSN implements full-
cone NAT. Full-cone NAT, also known as one-to-one NAT, has two specific
behaviors:
• Endpoint-Independent Mapping (See Figure 168 on page 649.) – After
LSN maps an internal client’s source IP address and Layer 4 (TCP or
UDP) port to an external IP address and port, the same mapping is used
for all traffic from that internal source IP and port, regardless of the des-
tination. For ping, the ICMP query identifier is treated the same way as a
UDP or TCP port.
• Internal-IP-and-L4-Port = External-IP-and-L4-Port, for all destina-
tions
• Internal-IP-and-ICMP-query-ID = External-IP-and-ICMP-query-
ID, for all destinations
• Endpoint-Independent Filtering (See Figure 169 on page 652.) – For
traffic from any source to a given mapped client, LSN always allows the
traffic to be forwarded to the internal client regardless of the endpoint.
Hairpinning
Hairpinning allows inside clients to communicate with one another using
their outside addresses. This feature is useful for applications that require
global addresses. Figure 170 shows an example.
User Quotas
When an internal user is first mapped by LSN, the user is assigned to a NAT
IP as part of sticky NAT. Before choosing a NAT IP for a particular internal
user, LSN checks to ensure there are enough ports free on that NAT IP for
the user. This guarantees that internal users will be able to use as many ports
as possible.
LSN user quotas limit the number of NAT port mappings allowed for individual internal IP addresses. For example, you can limit each inside IP address to a maximum of 100 TCP NAT ports. Once a client reaches the quota, the client is not allowed to open additional TCP sessions.
You can configure separate quotas for each of the following protocols, on a
global or individual LSN Limit-ID (LID) basis:
• TCP
• UDP
• ICMP
Each NAT IP has 64,000 TCP ports, 64,000 UDP ports, and 64,000 ICMP
ports that can be used for user sessions on the address.
The per-user quota for a protocol specifies the maximum number of ports a given internal user can use at the same time on a NAT IP. For example, if you set the TCP per-user quota to 100 ports, each internal user can have a maximum of 100 TCP sessions on a NAT IP.
In Figure 172, 320 internal users are mapped to a NAT IP. Each of the users
consumes 100 TCP ports, leaving 32,000 ports free for new users. In this
example, there is room for an additional 320 internal users on the NAT IP.
FIGURE 172 Per-User Quota
Port Reserve
In the example above, each internal user immediately consumes 100 of the
NAT IP’s TCP ports, as soon as the user is mapped to the NAT IP.
If typical port consumption per user is expected to be lower than the per-user quota, you can also specify a reserve value. The reserve value is a subset of the per-user quota. Specifying a reserve value allows more internal users to be mapped to the NAT IP.
When you specify a reserve value, each new internal user immediately consumes the number of reserved ports. However, the remaining ports in the user’s quota are not consumed unless the user actually needs them. Any remaining ports that are not consumed by the user are available, if needed, to new users.
In Figure 173, none of the 320 internal users currently mapped to the NAT
IP is using more than their reserve value of 50 TCP ports each. This leaves
the remaining ports in each user’s quota available for new users, if needed.
When new users are mapped to the NAT IP, those users receive ports from the free ports. After all free ports are assigned to users, available (unused) ports within existing users’ quotas are assigned to new users if needed. In Figure 174, the external IP address does not have any more free ports. However, none of the users are actually using all of the ports in their 100-port quota. In fact, in this example, none of the users are using more than the 50 reserved ports within the quota. Although there are no more free ports, 32,000 ports are still unused, and therefore available for mapping to new internal users.
Note: There is a difference between available ports and free ports. It is possible to allocate more than the reserve value. However, it is not possible to allocate more than the user-quota value.
All requirements above must be met for any type of session (TCP, UDP, or ICMP). If the NAT IP address cannot meet all requirements, another available address is selected and evaluated for the same requirements. The process continues until an available NAT IP address that meets all requirements is found.
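The quota and reserve accounting described above can be checked with a small model. The following Python is an added illustration, not A10 code: it applies the rules stated in the text (64,000 ports per protocol per NAT IP, the reserve consumed as soon as a user is mapped, the quota as a hard ceiling, and the distinction between free and available ports) to one NAT IP and reproduces the arithmetic of the per-user quota example. Two points are assumptions of the model rather than statements of the text: ports a user needs beyond its reserve are charged against the free pool, and a new user is admitted only while its reserve fits in the free ports (the model does not hand unused ports inside existing quotas to new users). The inside addresses it generates are constructed.

```python
"""Model of LSN per-user quota and port-reserve accounting on one NAT IP.

Added illustration, not A10 code. Rules taken from the text: a NAT IP has
64,000 ports per protocol; a user consumes its reserve as soon as it is
mapped; a user may never exceed its quota; free ports differ from available
(unused) ports. How ports beyond the reserve are charged, and the admission
rule for new users, are assumptions.
"""
from dataclasses import dataclass, field

PORTS_PER_PROTOCOL = 64_000  # per NAT IP, per protocol (TCP, UDP or ICMP)


@dataclass(frozen=True)
class UserQuota:
    quota: int          # user-quota: hard ceiling on concurrent ports
    reserve: int = -1   # ports charged at mapping time; -1 means "same as quota"

    def __post_init__(self):
        if not 1 <= self.quota <= PORTS_PER_PROTOCOL:
            raise ValueError("quota-num must be 1-64000")
        if self.reserve == -1:
            object.__setattr__(self, "reserve", self.quota)
        if not 0 <= self.reserve <= self.quota:
            raise ValueError("reserve must be between 0 and the quota")


@dataclass
class NatIp:
    address: str
    users: dict = field(default_factory=dict)  # inside_ip -> [UserQuota, ports_used]

    def free(self) -> int:
        """Free ports: not charged to anyone (reserve, plus any use beyond it)."""
        charged = sum(max(q.reserve, used) for q, used in self.users.values())
        return PORTS_PER_PROTOCOL - charged

    def available(self) -> int:
        """Available ports: not actually in use, unused reserve included."""
        return PORTS_PER_PROTOCOL - sum(used for _, used in self.users.values())

    def room_for_new_users(self, q: UserQuota) -> int:
        """How many more users with quota q fit, each charged its reserve up front."""
        return self.free() // q.reserve if q.reserve else PORTS_PER_PROTOCOL

    def map_user(self, inside_ip: str, q: UserQuota) -> bool:
        """Sticky assignment (assumption: admitted only if the reserve fits in the free ports)."""
        if inside_ip in self.users:
            return True
        if self.free() < q.reserve:
            return False
        self.users[inside_ip] = [q, 0]
        return True

    def open_port(self, inside_ip: str) -> bool:
        q, used = self.users[inside_ip]
        if used >= q.quota:
            return False            # the quota is never exceeded
        if used >= q.reserve and self.free() == 0:
            return False            # beyond the reserve a free port is required
        self.users[inside_ip][1] = used + 1
        return True

    def close_port(self, inside_ip: str) -> None:
        if self.users[inside_ip][1] > 0:
            self.users[inside_ip][1] -= 1


def scenario(n_users: int, quota: int, reserve: int, used_each: int) -> tuple:
    """Map n_users with the given quota/reserve, each using used_each ports.
    Returns (free, available, room_for_new_users). Inside addresses are constructed."""
    nat_ip = NatIp("203.0.113.1")
    q = UserQuota(quota, reserve)
    for i in range(n_users):
        inside = f"192.168.{i // 250 + 1}.{i % 250 + 1}"
        assert nat_ip.map_user(inside, q)
        for _ in range(used_each):
            assert nat_ip.open_port(inside)
    return nat_ip.free(), nat_ip.available(), nat_ip.room_for_new_users(q)


if __name__ == "__main__":
    # Per-user quota example: 320 users each consuming all 100 TCP ports.
    print(scenario(320, quota=100, reserve=100, used_each=100))  # (32000, 32000, 320)
    # Same population with a reserve of 50 and each user at or below its reserve.
    print(scenario(320, quota=100, reserve=50, used_each=50))    # (48000, 48000, 960)
```

scenario(320, 100, 100, 100) leaves 32,000 free ports and room for 320 more users, which is the arithmetic of the per-user quota example; with a reserve of 50 and every user at or below that reserve, the same 320 users leave 48,000 ports free. The free() and available() methods diverge only once a user has closed ports inside its reserve, which is the difference the Note above draws.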
Example:
• TCP user quota = 10.
Table 17 shows an example of how ports are used and released with these
quotas.
TABLE 17 Extended-User-Quota Example (Continued)
User Connections | Regular Quota | Extended Quota
TCP 80 (web) | TCP 25 (email) | Available | Available
User opens 5 more connections (total 7) | No more port 25 connections allowed! | 0 | 0
User frees 4 connections | 4 more connections allowed | Still no more port 80 connections allowed! | 0 | 4
User frees remaining 4 connections | 3 | 5
LSN Logging
The AX device generates logs for LSN operational events and for LSN traffic.
This log indicates that a current NAT IP user with an external IP address
from pool1 could not get a new NAT port session, because no ports were
available. The log indicates 4146 occurrences of the same event.
LSN events are logged to the AX device’s local log buffer based on the log
settings for the system.
You can specify the severity level of LSN traffic logs when you configure external logging (described below). The default severity level is debugging.
LSN port mapping logs are enabled by default. LSN session logs are disabled by default. You can enable or disable each type of log when you configure external logging.
Examples
The following logs indicate the creation and deletion of a UDP session.
AX NAT-UDP-C: 192.168.1.1:20001<-->203.0.210.1:80, 203.0.210.1:80<-->203.0.113.1:20001
AX NAT-UDP-D: 192.168.1.1:20001<-->203.0.210.1:80, 203.0.210.1:80<-->203.0.113.1:20001
The following logs indicate the creation and freeing of an LSN port map-
ping for UDP.
AX NAT-UDP-C: 192.168.1.1:20001 -> 203.0.113.1:20001 to 203.0.210.1:80
AX NAT-UDP-F: 192.168.1.1:20001 -> 203.0.113.1:20001 to 203.0.210.1:80
Remote Logging
LSN traffic logs can be sent only to external log servers. LSN traffic logs
are not sent to the AX device’s local log buffer.
You can use a group of external log servers. The AX device uses a hash value based on the client IP address to select an external log server, and always sends logs for that client to the same server. (For configuration information, see “Configuring External Logging for LSN Traffic Logs” on page 671.)
Note: External LSN logging applies only to LSN traffic logs, not to LSN operational event logs.
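The log formats in the Examples above are what an operator has to parse to answer the question an abuse report raises against a shared NAT address: which inside host was behind a given NAT ip:port. The remote-logging rule just described is what keeps a client’s create and free records on one server. The following Python is an added example, not A10 code: it parses the four sample lines (reproduced as constructed input), builds the mapping history for a NAT endpoint, and models source-IP hashing over a log-server group. The hash function is an assumption (CRC32 stands in for the device’s undocumented hash); only the same-client, same-server property is the point.

```python
"""Parser for the LSN traffic-log formats shown above (session create/delete
and port-mapping create/free), plus the remote-logging property that every
client's logs go to one server.

Added example, not A10 code. The record layout is read off the four sample
lines in the text (reproduced here as constructed input). The hash used to
pick a log server is an assumption: the text does not name the device's hash
function, only the property that one client always maps to one server.
"""
import ipaddress
import re
import zlib
from collections import namedtuple

# Constructed input: the four sample lines from the text, in one plausible order.
SAMPLE_LOGS = """\
AX NAT-UDP-C: 192.168.1.1:20001 -> 203.0.113.1:20001 to 203.0.210.1:80
AX NAT-UDP-C: 192.168.1.1:20001<-->203.0.210.1:80, 203.0.210.1:80<-->203.0.113.1:20001
AX NAT-UDP-D: 192.168.1.1:20001<-->203.0.210.1:80, 203.0.210.1:80<-->203.0.113.1:20001
AX NAT-UDP-F: 192.168.1.1:20001 -> 203.0.113.1:20001 to 203.0.210.1:80
"""

LsnEvent = namedtuple("LsnEvent", "kind proto action inside nat dest")

# Port-mapping log: "<inside> -> <nat> [to <dest>]"; the destination part is
# present only when include-destination is configured in the logging template.
_MAPPING = re.compile(
    r"^AX NAT-(?P<proto>TCP|UDP|ICMP)-(?P<action>[CF]): "
    r"(?P<inside>\S+) -> (?P<nat>\S+)(?: to (?P<dest>\S+))?$")
# Session log: "<inside><--><dest>, <dest><--><nat>"
_SESSION = re.compile(
    r"^AX NAT-(?P<proto>TCP|UDP|ICMP)-(?P<action>[CD]): "
    r"(?P<inside>\S+)<-->(?P<dest>\S+), (?P<dest2>\S+)<-->(?P<nat>\S+)$")

_MAPPING_ACTIONS = {"C": "create", "F": "free"}
_SESSION_ACTIONS = {"C": "create", "D": "delete"}


def parse_line(line):
    """Return an LsnEvent for an LSN traffic log line, or None for anything else."""
    line = line.strip()
    m = _MAPPING.match(line)
    if m:
        return LsnEvent("mapping", m["proto"], _MAPPING_ACTIONS[m["action"]],
                        m["inside"], m["nat"], m["dest"])
    m = _SESSION.match(line)
    if m:
        return LsnEvent("session", m["proto"], _SESSION_ACTIONS[m["action"]],
                        m["inside"], m["nat"], m["dest"])
    return None


def parse_logs(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def mapping_history(events, proto, nat_endpoint):
    """Attribution view: every create/free of a NAT ip:port with the inside
    endpoint behind it. This is the lookup an abuse report against a shared
    NAT address needs, which is why port-mapping logs are on by default."""
    return [(ev.action, ev.inside) for ev in events
            if ev.kind == "mapping" and ev.proto == proto and ev.nat == nat_endpoint]


def select_log_server(client_ip, servers):
    """Source-IP hashing over the log-server group: the same client always
    lands on the same server, so its create and free records stay together.
    CRC32 of the packed address stands in for the undocumented device hash."""
    if not 1 <= len(servers) <= 32:            # 32-member limit from the text
        raise ValueError("external LSN logging allows 1-32 log servers")
    key = zlib.crc32(ipaddress.ip_address(client_ip).packed)
    return servers[key % len(servers)]
```

Because a port-mapping create and its later free for one client are hashed to the same server, mapping_history can be rebuilt from that server’s log alone; a session log between them is only present when session logging has been enabled in the logging template.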
Note: This release also has a CLI syntax enhancement for LSN pool-group configuration. (See “CLI Syntax Enhancement for LSN Pool-Group Configuration” on page 198.)
The Current column shows the maximum number of LSN pool addresses
currently allowed on the system. The default column shows the default
maximum allowed. In this example, the maximum has been increased by an
administrator, to the highest allowed amount, 10000.
To change the maximum number of LSN pool addresses allowed on the system, use the following command at the global configuration level of the CLI:
[no] system resource-usage nat-pool-addr-count maximum
The maximum value can be any value in the range between the values in the Minimum and Maximum columns in the show system resource-usage output.
Note: To place a system resource change into effect, you must reload or reboot the AX device.
If you change the maximum number of Layer 4 sessions (l4-session-count), a reboot is required. A reload will not place this change into effect.
Example:
Some data sessions, user-quota sessions, or full-cone sessions are created
for inside user X. Then, the class list is changed in a way that affects X.
The sessions for X will stay alive as long as there is traffic matching them.
LSN IP Selection
The method used for selection of an IP address within an LSN pool does not
apply to pool selection within a pool group.
Selection of a pool from within a pool group is always random. After a pool
is randomly selected, the configured IP selection method is used to select an
IP address from the pool.
Example:
The least-used-strict method is enabled for LSN IP address selection. For a
new NAT session:
1. A pool is randomly chosen from the pool group.
2. The least-used IP address within that pool is chosen for the new NAT
session.
Configuring Large-Scale NAT
2. Configure LSN Limit IDs (LIDs). For each LID, specify the NAT pool
to use. Optionally, set user quotas for the LID.
3. Configure class lists for the user subnets that require LSN. A class list is
a list of internal subnets or hosts. Within a class list, you can bind each
internal subnet to an individual LSN LID.
4. Bind a class-list for use with LSN. The class lists will apply to packets
from the inside NAT interface to the outside NAT interface. There can
be at most 1 class-list for this purpose.
The CLI commands for performing these configuration steps are described
below.
This command configures an LSN NAT pool. The start-ipaddr and end-ipaddr options specify the beginning and ending public IP addresses in the range to be mapped to internal addresses. The netmask option specifies the subnet mask or mask length for the addresses.
Pool Modification
If you need to modify a pool used for LSN, all sessions using that pool must
be cleared first.
1. Remove the pool from any pool groups and LIDs that use the pool.
4. Add the pool back to the pool groups and LIDs that use the pool.
Configure a LID
Use the following commands:
[no] user-quota {tcp | udp | icmp} quota-num [reserve reserve-num]
This command configures the per-user mapping quota for each type of protocol supported for LSN (TCP, UDP, or ICMP). The quota-num option specifies the maximum number of sessions allowed per client and can be 1-64000. There is no default user quota.
The reserve option allows you to specify how many ports to reserve on a
NAT IP for each user, 0-64000. If unspecified, the reserve value is the same
as the user-quota value.
This command changes the CLI to the configuration level for the class list.
The list-name option will add the list to the running-config. If the list will be
large, you might want to use the filename file option to save the list to a file
instead. In this case, the list entries are not displayed in the running-config.
The priv-addr option specifies the internal host or subnet address. Use the
subnet-mask or /mask-length option to specify the subnet mask or mask
length. The lsn-lid num option specifies the LID number.
Each entry consists of the following:
• ipaddr – Specifies the inside subnet that requires LSN. The network-mask specifies the network mask.
To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard
address matches on all addresses that do not match any entry in the class
list.
• lsn-lid num – Specifies the LID.
Note: The AX device discards the comment string when you save the class list.
Optional Configuration
The following sections describe additional configuration options.
STUN Timeout
LSN maintains the NAT mapping for a full-cone session for a period of
time, the STUN timeout, after the session ends. If the client requests a new
session for the same port before the mapping times out, the mapping is used
again, for the new session. If the mapping is not used again before the
STUN timeout expires, the mapping is removed.
The default STUN timeout is 2 minutes. To change the STUN timeout, use
the following command at the global configuration level of the CLI:
[no] ip nat lsn stun-timeout minutes
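Putting the Full-Cone NAT, Hairpinning and STUN Timeout descriptions together, the following Python is an added toy translator, not A10 code: it keeps one external port per inside (IP, port) regardless of destination (endpoint-independent mapping), lets any source reach a mapped port (endpoint-independent filtering), turns traffic addressed to its own external address back inside (hairpinning), and keeps an idle mapping until the STUN timeout expires, reusing it if a new session arrives first. The port allocator, the caller-supplied clock and the peers in demo() are constructed; the inside and external addresses reuse those from the log examples.

```python
"""Toy full-cone (one-to-one) LSN translator: endpoint-independent mapping,
endpoint-independent filtering, hairpinning and a STUN timeout on idle
mappings.

Added example, not A10 code. The external port allocator, the clock (times
in seconds supplied by the caller) and the endpoints in demo() are
constructed; the addresses reuse those from the log examples in the text.
"""
import itertools

STUN_TIMEOUT_SECONDS = 2 * 60  # the document's default of 2 minutes


class FullConeNat:
    def __init__(self, external_ip, stun_timeout=STUN_TIMEOUT_SECONDS, first_port=20001):
        self.external_ip = external_ip
        self.stun_timeout = stun_timeout
        self._ports = itertools.count(first_port)
        self.mappings = {}    # (inside_ip, inside_port) -> external_port
        self.owners = {}      # external_port -> (inside_ip, inside_port)
        self.sessions = {}    # (inside_ip, inside_port) -> live session count
        self.idle_since = {}  # (inside_ip, inside_port) -> time the count hit 0

    def new_session(self, src, dst, now):
        """Outbound session from inside endpoint src to dst, both (ip, port).
        Returns (translated_src, delivered_to)."""
        ext_port = self.mappings.get(src)
        if ext_port is None:                    # first use: allocate the mapping
            ext_port = next(self._ports)
            self.mappings[src] = ext_port
            self.owners[ext_port] = src
        # Endpoint-independent mapping: one external port per inside (ip, port),
        # whatever the destination; an idle mapping still inside its STUN
        # timeout is simply picked up again by the new session.
        self.sessions[src] = self.sessions.get(src, 0) + 1
        self.idle_since.pop(src, None)
        translated = (self.external_ip, ext_port)
        if dst[0] == self.external_ip:          # hairpin: dst is another inside client
            return translated, self.owners.get(dst[1])
        return translated, dst

    def inbound(self, src, ext_port):
        """Endpoint-independent filtering: any src may reach a mapped port.
        Returns the inside endpoint, or None when nothing is mapped there."""
        return self.owners.get(ext_port)

    def end_session(self, src, now):
        self.sessions[src] -= 1
        if self.sessions[src] == 0:
            self.idle_since[src] = now          # mapping survives for stun_timeout

    def expire(self, now):
        """Drop mappings idle for at least the STUN timeout; returns the count."""
        expired = [s for s, t in self.idle_since.items() if now - t >= self.stun_timeout]
        for src in expired:
            del self.owners[self.mappings.pop(src)]
            del self.sessions[src]
            del self.idle_since[src]
        return len(expired)


def demo():
    """Exercise each behaviour once; returns the observations as a dict."""
    nat = FullConeNat("203.0.113.1")
    alice = ("192.168.1.1", 20001)
    bob = ("192.168.2.1", 30001)
    out1, _ = nat.new_session(alice, ("203.0.210.1", 80), now=0)
    out2, _ = nat.new_session(alice, ("203.0.210.2", 443), now=1)   # constructed peer
    unsolicited = nat.inbound(("198.51.100.9", 5000), out1[1])        # constructed peer
    nat.new_session(bob, ("203.0.210.1", 80), now=2)
    _, hairpin_target = nat.new_session(bob, (nat.external_ip, out1[1]), now=3)
    nat.end_session(alice, now=10)
    nat.end_session(alice, now=10)
    early = nat.expire(now=10 + STUN_TIMEOUT_SECONDS - 1)
    reuse, _ = nat.new_session(alice, ("203.0.210.3", 53), now=130)  # constructed peer
    nat.end_session(alice, now=131)
    late = nat.expire(now=131 + STUN_TIMEOUT_SECONDS)
    return {
        "same_port_for_two_destinations": out1 == out2,
        "unsolicited_inbound_reaches_client": unsolicited == alice,
        "hairpin_delivered_to": hairpin_target,
        "expired_before_timeout": early,
        "mapping_reused_after_idle": reuse == out1,
        "expired_after_timeout": late,
    }
```

The unsolicited-inbound observation is the property that makes full-cone NAT work for P2P and VoIP and also the one a defender should keep in mind: once an inside client has a mapping, any outside host can reach that port until the STUN timeout removes it.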
Configuring External Logging for LSN Traffic Logs
LSN traffic logs can be sent only to external log servers. If you configure a
group of external log servers, the AX device load balances the messages
among the servers. Source-IP based hashing is used to select an external log
server. This method ensures that LSN logs for a given source IP address
always go to the same log server.
2. Configure a UDP service group and add the log servers to the group.
The service group can contain a maximum of 32 members for external
LSN logging.
The commands for configuring real servers and service groups are the same as those used for SLB. (See the example in “Configuration of External Logging for LSN Traffic Logs” on page 676.)
[no] severity severity-level
This command specifies the severity level to assign to LSN traffic logs generated using this template. You can enter the name or the number of a severity level. The default is 7 (debugging).
• {0 | emergency}
• {1 | alert}
• {2 | critical}
• {3 | error}
• {4 | warning}
• {5 | notification}
• {6 | information}
• {7 | debugging}
[no] include-destination
This command includes the destination IP addresses and protocol ports in
NAT port mapping logs. This option is disabled by default.
LSN external logging does not take effect until you use this command.
Configure the IP Selection Method
The method used by LSN to select an IP address from an LSN NAT pool is
configurable, on a global basis. You can select one of the following IP
address selection methods:
• random (the default)
• round-robin
• least-used-strict – Selects the address with the fewest NAT ports of any
type (ICMP, TCP, or UDP) used
• least-udp-used-strict – Selects the address with the fewest UDP NAT
ports used
• least-tcp-used-strict – Selects the address with the fewest TCP NAT
ports used
• least-reserved-strict – Selects the address with the fewest NAT ports of
any type (ICMP, TCP, or UDP) reserved
• least-reserved-udp-strict – Selects the address with the fewest UDP NAT
ports reserved
• least-reserved-tcp-strict – Selects the address with the fewest TCP NAT
ports reserved
• least-users – Selects the address with the fewest users
To specify the method for LSN IP address selection within a pool, use the
following command at the global configuration level of the CLI:
[no] ip nat lsn ip-selection method
The method can be one of the options listed above. The method you specify
applies to all LSN pools.
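The following Python is an added model, not A10 code, of the selection described here and under LSN IP Selection: a pool is chosen at random from the pool group, the configured method orders the addresses in that pool, and the first address that meets the session’s requirements is used, moving on to the next address otherwise (the evaluate-and-continue loop described with the quota requirements). The pool contents, the per-pool round-robin cursor and the requirement predicate in demo() are constructed.

```python
"""Model of LSN NAT-IP selection: a pool is picked at random from a pool
group, then the configured ip-selection method orders the addresses in that
pool, and the first address that meets the session's requirements is used.

Added example, not A10 code. The per-address counters are the quantities the
method names refer to; the pool contents, the round-robin cursor and the
requirement predicate in demo() are constructed.
"""
import random
from dataclasses import dataclass


@dataclass
class NatIpStats:
    address: str
    tcp_used: int = 0
    udp_used: int = 0
    icmp_used: int = 0
    tcp_rsvd: int = 0
    udp_rsvd: int = 0
    icmp_rsvd: int = 0
    users: int = 0


# Sort keys for the strict methods: the address with the smallest value wins.
_METRICS = {
    "least-used-strict":         lambda s: s.tcp_used + s.udp_used + s.icmp_used,
    "least-udp-used-strict":     lambda s: s.udp_used,
    "least-tcp-used-strict":     lambda s: s.tcp_used,
    "least-reserved-strict":     lambda s: s.tcp_rsvd + s.udp_rsvd + s.icmp_rsvd,
    "least-reserved-udp-strict": lambda s: s.udp_rsvd,
    "least-reserved-tcp-strict": lambda s: s.tcp_rsvd,
    "least-users":               lambda s: s.users,
}
METHODS = ("random", "round-robin", *_METRICS)


class Pool:
    def __init__(self, name, addrs):
        self.name = name
        self.addrs = list(addrs)
        self._rr = 0  # round-robin cursor (kept per pool: an assumption of the model)

    def ordered(self, method, rng=random):
        """Addresses in the order the method would try them."""
        if not self.addrs:
            raise ValueError(f"pool {self.name} is empty")
        if method == "random":
            order = list(self.addrs)
            rng.shuffle(order)
            return order
        if method == "round-robin":
            start = self._rr % len(self.addrs)
            self._rr += 1
            return self.addrs[start:] + self.addrs[:start]
        if method in _METRICS:
            return sorted(self.addrs, key=_METRICS[method])  # stable: ties keep pool order
        raise ValueError(f"unknown ip-selection method {method!r}")

    def select(self, method, meets=lambda s: True, rng=random):
        """First address in method order whose stats satisfy meets(), else None.
        This is the evaluate-and-move-on loop from the quota requirements."""
        for stats in self.ordered(method, rng):
            if meets(stats):
                return stats.address
        return None


def select_from_group(pools, method, meets=lambda s: True, rng=random):
    """Pool choice inside a group is always random; the method applies within it."""
    pool = rng.choice(pools)
    return pool.name, pool.select(method, meets, rng)


def demo():
    """Constructed pool with three NAT IPs and distinct counters."""
    pool = Pool("pool1", [
        NatIpStats("203.0.113.1", tcp_used=500, udp_used=100, users=40),
        NatIpStats("203.0.113.2", tcp_used=100, udp_used=900, tcp_rsvd=50, users=10),
        NatIpStats("203.0.113.3", tcp_used=300, udp_used=350, tcp_rsvd=10, users=60),
    ])
    return {
        "least-used-strict": pool.select("least-used-strict"),
        "least-tcp-used-strict": pool.select("least-tcp-used-strict"),
        "least-udp-used-strict": pool.select("least-udp-used-strict"),
        "least-reserved-tcp-strict": pool.select("least-reserved-tcp-strict"),
        "least-users": pool.select("least-users"),
        "round-robin": [pool.select("round-robin") for _ in range(4)],
        # Constructed requirement: the first choice (203.0.113.1) fails it, so
        # the next address in least-udp-used order is taken instead.
        "requirement-skips-first-choice":
            pool.select("least-udp-used-strict", meets=lambda s: s.tcp_used < 400),
    }
```

In demo(), least-udp-used-strict alone would pick 203.0.113.1, but when that address fails the constructed requirement the loop continues to 203.0.113.3, the next address in the same order, which is the behaviour the quota section describes for an address that cannot meet all requirements.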
To change the LSN timeout, use the following command at the global configuration level of the CLI:
[no] ip nat lsn syn-timeout seconds
Note: In AX Release 2.5.0 (the Beta release for LSN), the ip nat translation syn-timeout command was used for the LSN timeout. Accordingly, the configurable range was changed from 60-300 seconds to 2-7 seconds. In AX Release 2.4.3, the ip nat translation syn-timeout command is not used for LSN, and the configurable range has been restored to 60-300 seconds. In AX Release 2.4.3, to configure the LSN SYN timeout, use the ip nat lsn syn-timeout command instead of the ip nat translation syn-timeout command.
clear ip nat lsn data-sessions
clear ip nat lsn all-sessions pool pool-name
Note: The last command is required before removing a pool from a pool group.
Configuration Example
The commands in this section implement the LSN configuration shown in
Figure 167 on page 648.
The following commands configure an LSN LID. The LID is bound to pool
“LSN_POOL1”. Per-user quotas are configured for TCP, UDP, and ICMP.
For UDP, this class of users will reserve only 100 UDP ports instead of 300.
An extended quota of sessions per client is allocated for TCP port 25
(SMTP).
AX(config)#lsn-lid 5
AX(config-lsn lid)#source-nat-pool LSN_POOL1
AX(config-lsn lid)#user-quota tcp 100
AX(config-lsn lid)#user-quota udp 300 reserve 100
AX(config-lsn lid)#user-quota icmp 10
AX(config-lsn lid)#extended-user-quota tcp port 25 sessions 3
AX(config-lsn lid)#end
The following commands configure a class list to bind the internal subnet to
the LID:
AX(config)#class-list list1
AX(config-class list)#192.168.0.0 /16 lsn-lid 5
AX(config-class list)#end
The following commands enable outside NAT on the interface connected to
the Internet:
AX(config)#interface ethernet 2
AX(config-if:ethernet2)#ip nat outside
AX(config-if:ethernet2)#exit
Display Commands
The following commands display LSN information:
AX(config)#end
AX#show class-list list1
Name: list1
Total single IP: 0
Total IP subnet: 1
Content:
192.168.0.0 /16 lsn-lid 5
AX#show ip nat lsn user-quota-sessions
LSN User-Quota Sessions:
Inside Address NAT Address ICMP UDP TCP Pool LID
---------------------------------------------------------------------------------------
192.168.1.1:20001 203.0.113.1:20001 0 3 0 pool1 3
192.168.2.1:30001 203.0.113.1:30001 0 3 0 pool1 3
192.168.255.1:50002 203.0.113.1:50001 0 2 0 pool1 3
Table 20 describes the fields in the show ip nat lsn pool-statistics output.
TABLE 20 show ip nat lsn pool-statistics fields (Continued)
Field Description
Rsvd (TCP) Total of all TCP reserve settings for each user that is currently using the NAT IP address. For example, if an LID has the setting “user-quota tcp 100 reserve 60”, and there are 10 users using the LID on the NAT IP address, the Rsvd value is 10*60 = 600.
Configuring Additional Admin Accounts
The following sections describe these features and show how to configure
them.
Note: If you have not already changed the default “admin” password and the
enable password, A10 Networks recommends that you do so now, before
implementing security options described in this chapter.
When logged onto the AX device with the admin account, you can configure additional admin accounts. For each admin account, you can configure the following settings:
• Username and password
Note: You cannot change the privilege level of the “admin” account or disable
it.
5. Enter the password for the new admin account in the Password and Confirm Password fields.
Note: To allow access from any host, leave the Trusted Host IP Address and
Netmask fields blank.
• Partition RS Operator – The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers and their service ports.
Note: The Partition roles apply to Role-Based Administration (RBA). For information about this feature, see “Role-Based Administration” on page 807.
9. Click OK.
CLI EXAMPLES
Note: To delete an admin account, you first must terminate any active sessions
the admin account has open. The account is not deleted if there are any
open sessions for the account.
3. To delete the admin account, use the following command at the global
configuration level:
no admin admin-username
Configuring Admin Lockout
5. Click OK.
3. Click Unlock.
3. Enter the following command to access the configuration level for the
admin account:
admin admin-username
Securing Admin Access by Ethernet
You can enable or disable management access, for individual access types
and interfaces. You also can use an Access Control List (ACL) to permit or
deny management access through the interface by specific hosts or subnets.
To set management access through Ethernet interfaces, use either of the following methods.
For example, if you disable Telnet access to a data interface, but you also enable access to the interface using an ACL with permit rules, the ACL permits Telnet (and all other) access to the interface, for traffic that matches the permit rules in the ACL.
Each ACL has an implicit deny any any rule at the end. If the management
traffic’s source address does not match a permit rule in the ACL, the
implicit deny any any rule is used to deny access.
On data interfaces, you can disable or enable access to specific services and also use an ACL to control access. However, on the management interface, you can disable or enable access to specific services or control access using an ACL, but you cannot do both.
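The interaction between the per-service switches and an ACL is easy to misread, so the following Python is an added evaluator, not A10 code, for the rules just described: with no ACL bound, the service switch decides; with an ACL bound, a source matching a permit rule gets every service, including one whose switch is off, and any other source falls through to the implicit deny any any. The interface table is constructed in the layout of the show management output later in this section, and the contents of ACL 1 are constructed as well, since the page does not list its rules.

```python
"""Evaluator for the management-access rules described above: per-interface
service switches, plus an optional ACL whose permit rules open every service
for matching sources and whose implicit "deny any any" blocks the rest.

Added example, not A10 code. The interface table is constructed in the layout
of the show management output on this page; the contents of ACL 1 are
constructed too (the page does not list its rules).
"""
import ipaddress

SERVICES = ("ping", "ssh", "telnet", "http", "https", "snmp")

# Constructed sample in the layout of the show management output: HTTP
# disabled on the management interface, Telnet enabled on data port 6, and
# ACL 1 applied to data ports 1 and 6.
SHOW_MANAGEMENT = """\
      PING  SSH   Telnet HTTP  HTTPS SNMP  ACL
------------------------------------------------------
mgmt  on    on    off    off   on    on    -
1     on    off   off    off   off   off   1
6     on    off   on     off   off   off   1
ve1   on    off   off    off   off   off   -
"""

# Constructed ACL 1: one permit rule for an admin subnet. Every other source
# is caught by the implicit deny any any at the end.
ACLS = {
    "1": [("permit", ipaddress.ip_network("192.168.1.0/24"))],
}


def parse_show_management(text):
    """Return {interface: {"services": {service: enabled}, "acl": id or None}}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0].upper() == "PING":
            continue                       # header, separator or blank line
        iface, *flags, acl = parts
        table[iface] = {
            "services": {svc: flag == "on" for svc, flag in zip(SERVICES, flags)},
            "acl": None if acl == "-" else acl,
        }
    return table


def acl_decision(rules, src):
    """First matching rule wins; the implicit deny any any catches the rest."""
    for action, network in rules:
        if src in network:
            return action == "permit"
    return False


def management_allowed(table, iface, service, src_ip):
    """Would management traffic for `service` from src_ip be accepted on iface?"""
    entry = table[iface]
    src = ipaddress.ip_address(src_ip)
    if entry["acl"] is not None:
        # With an ACL bound, the ACL decides for all services: a permit match
        # opens even a service whose switch is off, and a non-match is denied.
        # (The text notes that the management interface cannot combine both.)
        return acl_decision(ACLS[entry["acl"]], src)
    return entry["services"][service]


def reachable_services(table, iface, src_ip):
    """Audit helper: the set of management services src_ip can reach on iface."""
    return {svc for svc in SERVICES if management_allowed(table, iface, svc, src_ip)}
```

reachable_services is the check worth running after binding an ACL to a data interface: for a source inside the permit rule it returns every service, whatever the per-service switches say, which is the consequence the text spells out for Telnet.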
2. For each interface (each row), select or de-select the checkboxes for the
access types.
3. To use an ACL to control access, select the ACL from the ACL drop-down list in the row for the interface.
4. After selecting the settings for all the interfaces, click OK.
To reset the access settings to the defaults listed in Table 22, click Reset to
Default.
disable-management service
{all | ssh | telnet | http | https | snmp | ping}
{management | ethernet port-num [to port-num] |
ve ve-num [to ve-num]}
or
• all – Disables access to all the management services listed below.
• ping – Disables ping replies from AX interfaces. This option does not
affect the AX device’s ability to ping other devices.
Note: Disabling ping replies from being sent by the AX device does not affect
the device’s ability to ping other devices.
In the second command, the acl acl-id option specifies an ACL. Management access from any host address that matches the ACL is either permitted or denied, depending on the action (permit or deny) used in the ACL.
CLI Examples:
The following command disables HTTP access to the out-of-band management interface:
AX(config)#disable-management service http management
You may lose connection by disabling the http service.
Continue? [yes/no]:yes
enable-management service
{all | ssh | telnet | http | https | snmp | ping}
{management | ethernet port-num [to port-num] |
ve ve-num [to ve-num]}
or
CLI Example:
The following command enables Telnet access to data interface 6:
AX(config)#enable-management service telnet ethernet 6
CLI EXAMPLES
Here is an example for an AX device that has 10 Ethernet data ports. In this
example, all the access settings are set to their default values.
AX#show management
PING SSH Telnet HTTP HTTPS SNMP ACL
------------------------------------------------------
mgmt on on off on on on -
1 on off off off off off -
2 on off off off off off -
3 on off off off off off -
4 on off off off off off -
5 on off off off off off -
6 on off off off off off -
7 on off off off off off -
9 on off off off off off -
10 on off off off off off -
ve1 on off off off off off -
Here is an example after entering the commands used in the configuration
examples above.
AX#show management
PING SSH Telnet HTTP HTTPS SNMP ACL
------------------------------------------------------
mgmt on on off off on on -
1 on off off off off off 1
2 on off off off off off 1
3 on off off off off off 1
4 on off off off off off 1
5 on off off off off off 1
6 on off on off off off 1
7 on off off off off off 1
9 on off off off off off 1
10 on off off off off off 1
ve1 on off off off off off -
Note: If you disable HTTP or HTTPS access, any sessions on the management
GUI are immediately terminated.
4. Click OK.
Note: The Preference section sets the default IP address type (IPv4 or IPv6) for GUI configuration fields that require an IP address. The Preference section does not affect access to the GUI itself.
Changing Web Access Settings
USING THE CLI
At the global configuration level of the CLI, use the following command:
[no] web-service
{
axapi-timeout-policy idle minutes |
auto-redir |
port protocol-port |
secure-port protocol-port |
server |
secure-server |
timeout-policy idle minutes
}
show web-service
CLI EXAMPLE
The following command disables management access on HTTP and verifies
the change:
AX(config)#no web-service server
AX(config)#show web-service
AX Web server:
Idle time: 10 minutes
Http port: 80
Https port: 443
Auto redirect: Enabled
Https: Enabled
Http: Disabled
Authentication
Authentication grants or denies access based on the credentials presented by
the person who is attempting access. Authentication for management access
to the AX device grants or denies access based on the admin username and
password.
By default, when someone attempts to log into the AX device, the device
checks its local admin database for the username and password entered by
the person attempting to gain access.
You can use TACACS+ or RADIUS for external authentication. Only one
external authentication method can be used.
Authentication Process
You can specify whether to check the local database or the remote server first. Figure 177 and Figure 178 show the authentication processes used if the AX device is configured to check RADIUS or TACACS+ before checking the local database.
Configuring AAA for Admin Access
FIGURE 177 Authentication Process When Remote Authentication Is First
(2 remote servers configured) – Example shown is for RADIUS
If the same username is configured in the local database and on the remote
server but the passwords do not match, the order in which the authentication
sources are used determines whether the admin is granted access.
Figure 179 shows an example.
FIGURE 179 Authentication Process When Username and Password On
Server Do Not Match the Local Database
Note: This authorization process does not apply to admins who log in through
the CLI. (See “Authorization for CLI Access” on page 698.)
The first line grants access to the User EXEC level and Privileged EXEC
level. The admin’s CLI session begins at the User EXEC level. The admin
can access the Privileged EXEC level, without entering an enable password.
Access to the configuration level is not allowed.
login as: admin3
Using keyboard-interactive authentication.
Password: ********
Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140
AX>enable
AX#
The second line grants access to all levels. The admin’s CLI session begins
at the Privileged EXEC level.
login as: admin4
Using keyboard-interactive authentication.
Password: ********
Last login: Fri Mar 26 20:03:39 2010 from 192.168.1.140
AX#
Note: This authorization process does not apply to admins who log in through
the GUI. (See “Authorization for GUI Access” on page 698.)
Access levels 1-15 grant access to the Privileged EXEC level or higher,
without challenging the admin for the enable password. Access level 0
grants access to the User EXEC level only.
Caution: The most secure option is 15(admin). If you select a lower option, for example, 1(priv EXEC), make sure to configure the TACACS+ server to deny any unmatched commands (commands that are not explicitly allowed by the server). Otherwise, unmatched commands, including commands at higher levels, will automatically be authorized to execute.
You can enable the following TACACS+ debug levels for troubleshooting:
• 0x1 – Common system events such as “trying to connect with
TACACS+ servers” and “getting response from TACACS+ servers”.
These events are recorded in the syslog.
• 0x2 – Packet fields sent out and received by the AX Series device, not
including the length fields. These events are written to the terminal.
• 0x4 – Length fields of the TACACS+ packets will also be displayed on
the terminal.
• 0x8 – Information about TACACS+ MD5 encryption will be sent to the
syslog.
• Service-Type=NAS Prompt – Allows access to the Privileged EXEC level of the CLI (AX#), and read-only access to the GUI
• Service-Type=Administrative – Allows access to the configuration level of the CLI [AX(config)#], and read-write access to the GUI
By default, if the Service-Type attribute is not used, or the A10 vendor attribute is not used, successfully authenticated admins are authorized for read-only access. AX Release 2.4.3-P2 allows you to change the default privilege authorized by RADIUS from read-only to read-write. To change the default access level authorized by RADIUS, use the following command at the global configuration level of the CLI:
[no] radius-server default-privilege-read-write
Accounting
You can configure the AX device to use external RADIUS or TACACS+
servers for Accounting.
Accounting keeps track of user activities while the user is logged on. For
AX admins, you can configure Accounting for the following:
• Login/logoff activity (start/stop accounting)
• Commands
The same debug levels that are available for TACACS+ Authorization are
also available for TACACS+ Accounting. (See “TACACS+ Authorization
Debug Options” on page 700.)
3. Configure Authorization:
a. Add the TACACS+ or RADIUS servers, if not already added for
authentication.
b. Specify the access level:
• If using TACACS+, specify the CLI command levels to be
authorized.
• If using RADIUS, specify the GUI access to be authorized.
4. Configure Accounting:
a. Add the TACACS+ or RADIUS servers, if not already added for
Authorization.
b. Specify whether to track logon/logoff activity. You can track both
logons and logoffs, logoffs only, or neither.
c. Optionally, if using TACACS+, specify the command levels to track.
Configuring Authentication
5. In the Secret and Confirm Secret fields, enter the shared secret (password) expected by the server when it receives requests.
6. To add a backup server to use if the primary server cannot be reached, click Server 2 and enter the configuration information for the server.
7. Click OK.
Note: The command syntax shown in this section is simplified to show the required or more frequently used options. For complete syntax information, see the AX Series CLI Reference.
1. Use one of the following commands at the global configuration level of
the CLI to add the primary server:
[no] radius-server host {hostname | ipaddr} secret secret-string
[no] tacacs-server host {hostname | ipaddr} secret secret-string
The secret-string is the shared secret (password) expected by the server
when it receives requests.
2. To add a backup server to use if the primary server cannot be reached, repeat the command, using the backup server’s information.
3. Use one of the following commands to specify the order in which to use
the authentication methods:
[no] authentication type
{
local [radius | tacplus] |
[radius | tacplus] local
}
(For more information, see “Authentication Process” on page 694.)
Configuring Authorization
Note: The command syntax shown in this section is simplified to show the required or more frequently used options. For complete syntax information, see the AX Series CLI Reference.
Note: The configuration options described in this section are available only in
the CLI.
1. Add the RADIUS or TACACS+ server(s), if not already added.
[no] tacacs-server host {hostname | ipaddr} secret secret-string
[no] radius-server host {hostname | ipaddr} secret secret-string
Note: If using RADIUS, you can set the GUI access levels on the RADIUS
server itself. See “Authorization for GUI Access” on page 698.
Configuring Accounting
Note: The command syntax shown in this section is simplified to show the required or more frequently used options. For complete syntax information, see the AX Series CLI Reference.
Note: The configuration options described in this section are available only in
the CLI.
1. Add the RADIUS or TACACS+ server(s), if not already added.
[no] tacacs-server host {hostname | ipaddr} secret secret-string
[no] radius-server host {hostname | ipaddr} secret secret-string
CLI EXAMPLES
RADIUS Authentication
TACACS+ Authorization
TACACS+ Accounting
Configuration on the freeRADIUS Server
client 192.168.1.0/24 {
secret = a10rad
shortname = private-network-1
}
vi /usr/local/share/freeradius/dictionary.a10networks
#
# The FreeRADIUS Vendor-Specific dictionary.
#
# Version: $Id: dictionary.a10networks,v 1.4 2009/05/05 11:03:56 a10user Exp $
#
# For a complete list of Private Enterprise Codes, see:
#
# http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
#
BEGIN-VENDOR A10-Networks
END-VENDOR A10-Networks
vi /usr/local/share/freeradius/dictionary
add
$INCLUDE dictionary.a10networks #new added for a10networks
Procedure Overview
The following sections provide detailed steps for each of these tasks.
2. Open the System Tools and Local Users and Groups items, if they are
not already open.
5. Click Create.
7. Click Create.
8. Click Close.
3. Enter the following information in the Add Client dialog box:
• Friendly name – Useful name for the AX device; for example,
ax2000_slb1
• Protocol – RADIUS
Note: 192.168.1.238 is the IP address of the AX device that will use the IAS
server for external RADIUS authentication.
4. Click Next.
5. Enter the following information in the Add RADIUS Client dialog box:
• Client address – IP address or domain name for the client (AX
device)
• Client-Vendor – RADIUS Standard
• Shared secret – Secret to be shared between IAS and AX. You also
will need to enter this in the RADIUS configuration on the AX
device.
• Confirm shared secret – Same as above
Note: Do not select “Request must contain the Message Authenticator attribute”. AX RADIUS authentication does not support this option.
6. Click Next.
3. Click Next.
7. In the same Add Remote Access Policy dialog box as before, click Add
again.
9. In the Groups dialog box, click Add, then double-click the AX-Admin-Read-Only group. Click OK to add the group, then click OK once more to confirm the groups.
10. In the same Add Remote Access Policy dialog box as before, click Next.
12. Click Edit Profile.
13. In the Edit Dial-in Profile dialog box, select the Authentication tab.
Select the type of authentication you are using: CHAP and PAP.
14. Select the Advanced tab, and click Add.
15. In the RADIUS attributes list, find and double-click the line beginning
with Vendor-Specific.
16. In the Multivalued Attribute Information dialog box, click Add and
enter the following:
• Enter vendor code – 22610 (for A10 Networks)
• Conforms to RADIUS RFC – Yes
17. Click Configure Attribute, and enter the following information:
• Vendor-assigned attribute number – 2
• Attribute format – Decimal
• Attribute value – 1
20. Click OK in the Edit Dial-In Profile dialog box. Optionally, read the
suggested help by clicking OK.
21. Click Finish in the Add Remote Access Policy dialog box.
22. To create the second Remote Access Policy, repeat the above steps with
the following changes:
• Policy Friendly name – AX-Admin-Read-Write-Policy
• Group to add – AX-Admin-Read-Write
• Attribute value – 2
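The following is an added example (not A10 or IAS code) that encodes and decodes the A10 Vendor-Specific attribute built in the steps above (vendor code 22610, vendor-assigned attribute 2, decimal value 1 or 2) and maps an Access-Accept to the CLI and GUI access described under RADIUS authorization earlier in this section. The RADIUS attribute layout and Service-Type values are from RFC 2865; the precedence chosen when both the VSA and Service-Type are present is an assumption of the example.

```python
import struct

# Values from the guide's IAS steps: A10 vendor code, vendor-assigned
# attribute number 2, value 1 (read-only) or 2 (read-write).
A10_VENDOR_ID = 22610
A10_ADMIN_PRIV_ATTR = 2
# RFC 2865 attribute types and Service-Type values.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6
SERVICE_TYPE_NAS_PROMPT = 7


def encode_a10_privilege(value: int) -> bytes:
    """Build the Vendor-Specific attribute carrying the A10 privilege:
    Type 26, Length, 4-byte Vendor-Id, then vendor type, vendor length and
    a 4-byte integer value (the 'Conforms to RADIUS RFC' layout)."""
    if value not in (1, 2):
        raise ValueError("A10 privilege value must be 1 (read-only) or 2 (read-write)")
    sub = struct.pack("!BBI", A10_ADMIN_PRIV_ATTR, 6, value)
    body = struct.pack("!I", A10_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list into (type, value) pairs, rejecting a
    length that would run past the buffer instead of reading garbage."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def a10_privilege_from_vsa(value: bytes):
    """Return the privilege integer if this VSA is vendor 22610, sub-attribute
    2 with a 4-byte value; None for any other vendor or sub-attribute."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != A10_VENDOR_ID:
        return None
    sub = value[4:]
    while len(sub) >= 2:
        vtype, vlen = sub[0], sub[1]
        if vlen < 2 or vlen > len(sub):
            return None
        if vtype == A10_ADMIN_PRIV_ATTR and vlen == 6:
            return struct.unpack("!I", sub[2:6])[0]
        sub = sub[vlen:]
    return None


def authorize(reply_attrs: bytes, default_read_write: bool = False) -> dict:
    """Map an Access-Accept attribute list to the access the guide describes.
    Service-Type NAS-Prompt: Privileged EXEC CLI and read-only GUI;
    Service-Type Administrative: configuration level CLI and read-write GUI;
    A10 VSA value 1 or 2: read-only or read-write GUI; neither attribute:
    read-only unless 'radius-server default-privilege-read-write' is set.
    Letting the VSA decide the GUI level when both attributes are present is
    an assumption of this example."""
    service_type, a10_priv = None, None
    for atype, val in parse_attributes(reply_attrs):
        if atype == ATTR_SERVICE_TYPE and len(val) == 4:
            service_type = struct.unpack("!I", val)[0]
        elif atype == ATTR_VENDOR_SPECIFIC:
            priv = a10_privilege_from_vsa(val)
            if priv is not None:
                a10_priv = priv
    cli = None  # the guide states a CLI level only for Service-Type
    gui = "read-write" if default_read_write else "read-only"
    if service_type == SERVICE_TYPE_ADMINISTRATIVE:
        cli, gui = "config", "read-write"
    elif service_type == SERVICE_TYPE_NAS_PROMPT:
        cli, gui = "priv-exec", "read-only"
    if a10_priv is not None:
        gui = "read-write" if a10_priv == 2 else "read-only"
    return {"cli": cli, "gui": gui}
```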
2. Make sure Remote Access Permission is enabled:
The IAS RADIUS server must be registered with AD. Otherwise, RADIUS
will use compatibility mode instead of AD to authenticate users.
1. Open the IAS main window.
2. Click Action on the menu bar, and click “register server on active directory”.
Add the RADIUS server (IAS server) to the AX device. Make sure the shared secret is the same as the one specified for the RADIUS client configured for the AX device on the IAS server.
AX(config)#radius-server host 192.168.230.10 secret shared-secret
AX(config)#authentication type local radius
4. Press Enter.
• SYN Cookies
• DNS security
The following sections describe these features and show how to configure
them.
Note: IP limiting provides a more robust version of the source-IP based connection rate limiting feature. For information, see “IP Limiting” on page 787.
DDoS Protection
AX Series devices provide enhanced protection against distributed denial-of-service (DDoS) attacks, with IP anomaly filters. The IP anomaly filters drop packets that contain common signatures of DDoS attacks.
You can enable the following DDoS filters. All filters are supported for IPv4. All filters except IP-option are supported for IPv6.
• Frag – Drops all IP fragments, which can be used to attack hosts running IP stacks that have known vulnerabilities in their fragment reassembly code
• IP-option – Drops all packets that contain any IP options
• TCP-SYN-FIN – Drops all TCP packets in which both the SYN and FIN flags are set
• TCP-SYN-frag – Drops incomplete (fragmented) TCP SYN packets, which can be used to launch TCP SYN flood attacks
• Out-of-sequence packet
When these filters are enabled, the AX device checks for these anomalies in
new HTTP or HTTPS connection requests from clients.
Note: In the current release, these filters are supported only for HTTP and
HTTPS traffic.
4. Click OK.
Note: The threshold option is valid only for the new anomaly filters described in
this section. The option does not apply to other IP anomaly filters.
Threshold
Each of these IP anomaly filters has a configurable threshold. The threshold
specifies the number of times the anomaly is allowed to occur in a client’s
connection requests. If a client exceeds the threshold, the AX device applies
the system-wide PBSLB policy’s over-limit action to the client.
The threshold can be set to 1-127 occurrences of the anomaly. The default is
10.
Note: The thresholds are not tracked by PBSLB policies bound to individual
virtual ports.
For system-wide PBSLB, you also can use the following command:
show pbslb client [ipaddr]
In the output of this command, the counters for a dynamic client are reset to
0 when a client’s dynamic entry ages out.
To clear all Layer 4 SLB statistics, including the IP anomaly counters, use
the following command:
clear slb l4
SYN Cookies
AX Series devices provide enhanced protection against TCP SYN flood attacks, with SYN cookies. SYN cookies enable the AX to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to consume system resources.
The AX device supports SYN cookies for Layer 4-7 SLB traffic and for
Layer 2/3 traffic.
• Layer 4-7 SYN cookies protect against TCP SYN flood attacks directed
at SLB service ports.
• Layer 2/3 SYN cookies protect against TCP SYN flood attacks
attempted in traffic passing through the AX device.
Hardware-based SYN cookies are disabled by default. When the feature is
enabled, there are no default settings for the on and off thresholds. If you
omit the on-threshold and off-threshold options, SYN cookies are enabled
and are always on regardless of the number of half-open TCP connections
present on the AX device.
Note: It may take up to 10 milliseconds for the AX device to detect and respond
to crossover of either threshold.
Hardware-Based or Software-Based
Note: If the target VIP is in a different subnet from the client-side router, use of
hardware-based SYN cookies requires some additional configuration. See
“Configuration when Target VIP and Client-side Router Are in Different
Subnets” on page 731.
3. Select Enabled next to SYN Cookie.
6. Click OK.
[no] syn-cookie [on-threshold num off-threshold num]
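An added example (not A10 code) of the on/off threshold behaviour described above: a small state machine that switches SYN cookies on when the half-open TCP connection count reaches on-threshold, off again when it drops to off-threshold, and keeps them always on when no thresholds are configured. Reading "crossover" as reaching the threshold value, and rejecting an off-threshold that is not below the on-threshold, are assumptions of this example; the sample counts are constructed.

```python
class SynCookieThreshold:
    """Tracks whether SYN cookies are in effect on the device.

    With no thresholds configured the feature is always on. With thresholds,
    cookies switch on when the number of half-open TCP connections reaches
    on_threshold and off again when it falls to off_threshold; counts in
    between keep the current state (hysteresis), so a flood hovering near
    the on-threshold does not make the feature flap."""

    def __init__(self, on_threshold=None, off_threshold=None):
        if (on_threshold is None) != (off_threshold is None):
            raise ValueError("on-threshold and off-threshold must be configured together")
        if on_threshold is not None and off_threshold >= on_threshold:
            # Not stated by the guide; an off-threshold at or above the
            # on-threshold would defeat the hysteresis (assumption).
            raise ValueError("off-threshold must be lower than on-threshold")
        self.on_threshold = on_threshold
        self.off_threshold = off_threshold
        self.active = on_threshold is None  # always on when unthresholded

    def update(self, half_open: int) -> bool:
        """Feed the current half-open connection count; return whether SYN
        cookies are active after this sample."""
        if self.on_threshold is None:
            return True
        if not self.active and half_open >= self.on_threshold:
            self.active = True
        elif self.active and half_open <= self.off_threshold:
            self.active = False
        return self.active


def trace(on_threshold, off_threshold, samples):
    """Run a constructed sequence of half-open counts through the state
    machine and return the active flag after each sample."""
    state = SynCookieThreshold(on_threshold, off_threshold)
    return [state.update(n) for n in samples]
```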
Configuration when Target VIP and Client-side Router Are in Different Subnets
Usually, the target VIP in an SLB configuration is in the same subnet as the client-side router. However, if the target VIP is in a different subnet from the client-side router, use of hardware-based SYN cookies requires some additional configuration:
• On the AX device, configure a “dummy” VIP that is in the same subnet
as the client-side router.
• On the client-side router, configure a static route to the VIP, using the
dummy VIP as the next hop.
FIGURE 180 Hardware-based SYN Cookies – Target VIP and Client-side Router in Different Subnets
Note: If HA is configured, add both the target VIP and the dummy VIP to the
same HA group, so they will fail over to the HA peer as a unit.
3. Click on an existing virtual server name or click Add.
5. In the Port section, select the TCP port and click Edit, or click Add.
6. If you are configuring a new port, select TCP in the Type drop-down
list.
9. Click OK.
syn-cookie [sack]
For information about the sack feature, see the AX Series CLI Reference.
CLI Example
The following commands globally enable SYN cookie support, then enable
Layer 2/3 SYN cookies on Ethernet interfaces 4 and 5:
AX(config)#syn-cookie on-threshold 50000 off-threshold 30000
AX(config)#interface ethernet 4
AX(config-if: ethernet4)#ip tcp syn-cookie
AX(config-if: ethernet4)#interface ethernet 5
AX(config-if: ethernet5)#ip tcp syn-cookie
ICMP rate limiting monitors the rate of ICMP traffic and drops ICMP packets when the configured thresholds are exceeded.
You can configure ICMP rate limiting filters globally, on individual Ethernet interfaces, and in virtual server templates. If you configure ICMP rate limiting filters at more than one of these levels, all filters are applicable.
Specifying a maximum rate (lockup rate) and lockup time is optional. If you
do not specify them, lockup does not occur.
Note: The maximum rate must be larger than the normal rate.
USING THE GUI
6. Click OK.
2. Click on the interface name to display the configuration sections for it.
7. Click OK.
4. Select the ICMP Rate Limit Status checkbox to enable the configuration
fields.
6. To configure the lockup time, click Lockup Status.
9. Click OK.
CLI Example
The following commands configure a virtual server template that sets ICMP
rate limiting:
AX(config)#slb template virtual-server vip-tmplt
AX(config-vserver)#icmp-rate-limit 25000 lock 30000 60
Note: IP limiting provides a more robust version of the source-IP based connection rate limiting feature. For information, see “IP Limiting” on page 787.
Source-IP Based Connection Rate Limiting
Parameters
Source-IP based connection rate limiting is configured using the following
parameters:
• TCP or UDP – Layer 4 protocol for the connections.
Log Messages
The AX device generates two log messages per offending client, per client
activity.
The first message is generated the first time a client exceeds the connection
limit. The message indicates the source (client) address and the destination
address of the session. If lockout is configured, the message also indicates
that the client is locked out.
The second message is generated after the client activity for that period. This message indicates the number of times the client exceeded the connection limit. If lockout is enabled, the message also indicates the number of requests that were dropped during lockout.
In this example, the session is between the same client and destination as the
previous example. During this period of activity, 897 of the requests from
the client were sent after a connection limit had been exceeded, and were
dropped. An additional 2342 requests were dropped because they were
received during the lockout.
Deployment Considerations
The AX device internally uses a session to keep track of user activity. Currently, the AX device has a capacity of up to 16 million sessions. Up to 8 million of these sessions are available for tracking user activity.
Recommendation for Logging
If you plan to enable logging for this feature, A10 Networks recommends
using an external log server. Log traffic can be heavy during an attack.
If you plan to use this feature with DNS load balancing, A10 Networks recommends the following:
• Increase the maximum number of Layer 4 sessions. To increase the maximum number of Layer 4 sessions the system can have, use the following CLI command at the global configuration level of the CLI:
system resource-usage l4-session-count num
The num option specifies the number of Layer 4 sessions.
• Use a short UDP aging time. To set a short UDP aging time, use the following command at the configuration level for the UDP template to which you plan to bind the DNS virtual port(s):
aging short [seconds]
The seconds option specifies the number of seconds to wait before terminating UDP sessions. If you omit the seconds option, sessions are terminated after the SLB maximum session life (MSL) time expires, after a request is received and sent out to the server. (The MSL timer is a globally configurable SLB option. For more information, see the AX Series CLI Reference or AX Series GUI Reference.)
Configuration
Note: The current release does not support configuration or monitoring of this
feature using the GUI.
The conn-limit option specifies the connection limit and can be 1-1000000.
The per {100 | 1000} option specifies the limit period, either 100 milliseconds or 1000 milliseconds.
The shared option specifies that the connection limit applies in aggregate to
all virtual ports. If you omit this option, the limit applies separately to each
virtual port.
Configuration Examples
CLI Example 1
CLI Example 2
CLI Example 3
2000 requests within a given limit period, to one or more virtual ports, the
client is locked out for 3 seconds.
AX(config)#slb conn-rate-limit src-ip udp 2000 per 100 shared exceed-action log lock-out 3
Statistics
The following commands display statistics for this feature, then reset the
counters to 0 and verify that they have been reset:
AX(config)#show slb conn-rate-limit src-ip statistics
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000
AX(config)#clear slb conn-rate-limit src-ip statistics
AX(config)#show slb conn-rate-limit src-ip statistics
Threshold check count 0
Honor threshold count 0
Threshold exceeded count 0
Lockout drops 0
Log messages sent 0
DNS requests re-transmitted 0
No DNS response for request
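The following is an added example (not A10 code) that models the source-IP connection rate limit configured above: a per-client limit per 100 or 1000 ms period, counted per virtual port or shared across all ports, the optional lock-out, the two log messages described under "Log Messages", and counters named after the statistics output. How the device maps events to those counters, the exact log wording, and the event stream are this example's own assumptions and constructed data.

```python
from collections import defaultdict


class SrcIpConnRateLimit:
    """Per-client limit of conn_limit new connections per period (100 or
    1000 ms), tracked per virtual port or, with shared=True, across all
    virtual ports, with an optional lock-out in seconds. Counter names follow
    'show slb conn-rate-limit src-ip statistics'; the mapping of events to
    counters is this example's interpretation."""

    def __init__(self, conn_limit, per_ms, shared=False, lock_out=0):
        if not 1 <= conn_limit <= 1000000:
            raise ValueError("conn-limit must be 1-1000000")
        if per_ms not in (100, 1000):
            raise ValueError("period must be 100 or 1000 ms")
        self.conn_limit, self.per_ms = conn_limit, per_ms
        self.shared, self.lock_out = shared, lock_out
        self.counts = {}                     # (client, port) -> (period, count)
        self.locked_until = {}               # client -> lock-out end (ms)
        self.exceeded = defaultdict(int)     # client -> exceed count this activity
        self.lock_drops = defaultdict(int)   # client -> drops during lock-out
        self.logs = []
        self.clear_statistics()

    def clear_statistics(self):
        """Reset counters to 0, as 'clear slb conn-rate-limit src-ip statistics' does."""
        self.stats = {"Threshold check count": 0, "Honor threshold count": 0,
                      "Threshold exceeded count": 0, "Lockout drops": 0,
                      "Log messages sent": 0}

    def _log(self, msg):
        self.logs.append(msg)
        self.stats["Log messages sent"] += 1

    def new_connection(self, t_ms, client, dest, vport) -> bool:
        """Account one new connection request; return True if it is allowed."""
        self.stats["Threshold check count"] += 1
        if t_ms < self.locked_until.get(client, 0):
            self.stats["Lockout drops"] += 1
            self.lock_drops[client] += 1
            return False
        key = (client, None if self.shared else vport)
        period = t_ms // self.per_ms
        last_period, n = self.counts.get(key, (period, 0))
        n = (n if last_period == period else 0) + 1
        self.counts[key] = (period, n)
        if n <= self.conn_limit:
            self.stats["Honor threshold count"] += 1
            return True
        self.stats["Threshold exceeded count"] += 1
        if self.exceeded[client] == 0:
            # First message: the first time the client exceeds the limit.
            self._log(f"client {client} exceeded connection limit to {dest}"
                      + (", client locked out" if self.lock_out else ""))
        self.exceeded[client] += 1
        if self.lock_out:
            self.locked_until[client] = t_ms + self.lock_out * 1000
        return False

    def end_of_activity(self, client, dest):
        """Second message, generated after the client's activity for the period;
        None if the client never exceeded the limit."""
        if self.exceeded[client] == 0 and self.lock_drops[client] == 0:
            return None
        msg = (f"client {client} to {dest}: connection limit exceeded "
               f"{self.exceeded[client]} times")
        if self.lock_out:
            msg += f", {self.lock_drops[client]} requests dropped during lockout"
        self._log(msg)
        self.exceeded[client] = self.lock_drops[client] = 0
        return msg
```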
DNS Security
You can configure security for DNS VIPs. DNS security examines DNS
queries addressed to a VIP to ensure that the queries are formed properly
(not malformed). If a malformed DNS query is detected, the AX device
takes one of the following actions, depending on the action specified in the
DNS security policy:
• Drops the query
This feature parses DNS queries based on the following RFCs:
• “RFC 1034: Domain Names – Concepts and Facilities”
7. Click OK.
To configure DNS security, use the following command at the global configuration level of the CLI:
[no] slb template dns template-name
This command creates the UDP template and changes the CLI to the configuration level for the template. Use the following command to enable DNS security and specify the action to take for malformed DNS queries:
[no] malformed-query {drop | forward service-group-name}
The drop option drops malformed queries. The forward option sends the
queries to the specified service group. With either option, the malformed
queries are not sent to the DNS virtual port.
CLI Example
The following commands configure a DNS template for DNS security and
bind the template to the DNS virtual port on a virtual server:
AX(config)#slb template dns dns-sec
AX(config-dns-policy)#malformed-query drop
AX(config-dns-policy)#exit
AX(config)#slb virtual-server dnsvip1 192.168.1.53
AX(config-slb vserver)#port 53 udp
AX(config-slb vserver-vport)#template dns dns-sec
Since the drop action is specified, malformed DNS queries sent to the virtual DNS server are dropped by the AX device.
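An added example (not A10 code) of the check the malformed-query policy performs: it parses a DNS query's header and question section against the RFC 1034/1035 wire format and returns the drop or forward action for a query that fails. The specific validation rules (QR bit, opcode, label and name lengths, compression pointers, truncation) are the usual wire-format checks chosen for this example, not a statement of what the AX device checks; the sample packets are constructed.

```python
import struct


def _parse_name(msg: bytes, off: int, depth: int = 0):
    """Parse a domain name at msg[off:]; return (name, offset after it).
    Raises ValueError for reserved label types (which is what a length over
    63 looks like on the wire), names over 255 octets, forward or deeply
    nested compression pointers, and names running off the end."""
    labels, total = [], 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0:
            if ln & 0xC0 != 0xC0:
                raise ValueError("reserved label type (label length over 63)")
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or depth >= 4:
                raise ValueError("bad compression pointer")
            tail, _ = _parse_name(msg, ptr, depth + 1)
            labels.append(tail)
            off += 2
            break
        total += ln + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        if off + 1 + ln > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + ln].decode("latin-1"))
        off += 1 + ln
    return ".".join(labels), off


def check_dns_query(msg: bytes):
    """Return None when the query is well formed, otherwise the reason."""
    if len(msg) < 12:
        return "header shorter than 12 octets"
    _ident, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        return "QR bit set (response, not a query)"
    opcode = (flags >> 11) & 0xF
    if opcode > 2:
        return f"opcode {opcode} is not QUERY, IQUERY or STATUS"
    if qd == 0:
        return "no question in query"
    if an or ns:
        return "answer or authority records in a query"  # conservative choice
    off = 12
    try:
        for _ in range(qd):
            _name, off = _parse_name(msg, off)
            if off + 4 > len(msg):
                return "question truncated"
            qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
            off += 4
            if qtype == 0 or qclass == 0:
                return "reserved QTYPE or QCLASS 0"
    except ValueError as exc:
        return str(exc)
    return None


def malformed_query_action(msg: bytes, action: str = "drop", service_group: str = None):
    """Apply 'malformed-query {drop | forward service-group-name}': a
    well-formed query goes on to the DNS virtual port; a malformed one is
    dropped or handed to the named service group, never to the virtual port."""
    reason = check_dns_query(msg)
    if reason is None:
        return ("forward-to-vip", None)
    if action == "drop":
        return ("drop", reason)
    return (f"forward:{service_group}", reason)


def build_query(qname: str, qtype: int = 1, qclass: int = 1, ident: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive query for qname."""
    out = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label must be 1-63 octets")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, qclass)
```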
Access Control Lists (ACLs)
An ACL can contain multiple rules. Each rule contains a single permit or
deny statement. Rules are added to the ACL in the order you configure
them. The first rule you add appears at the top of the ACL.
Rules are applied to the traffic in the order they appear in the ACL (from the
top, which is the first rule, downward). The first rule that matches traffic is
used to permit or deny that traffic. After the first rule match, no additional
rules are compared against the traffic.
3. Click Add.
4. Enter or select the values to filter. (For descriptions, see the CLI syntax
below.)
5. Click OK. The new ACL appears in the Standard ACL table.
USING THE CLI
The seq-num option specifies the sequence number of this rule in the ACL.
(See “Resequencing ACL Rules” on page 758.)
The deny | permit option specifies the action to perform on traffic that
matches the ACL:
• deny – Drops the traffic.
The remark option adds a remark to the ACL. (For more information, see
“Adding a Remark to an ACL” on page 753.)
Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.
The log option configures the AX device to generate log messages when traffic matches the ACL. This option is disabled by default. The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule. (See “Transparent Session Logging” on page 754.)
When ACL logging is enabled, the AX device writes the log messages to
the local logging buffer. If you configure an external log server, the AX
device also sends the messages to the server. For more information, see
“Log Rate Limiting” on page 50.
Note: If you plan to use an external log server, the server must be attached to an
AX data port in order for ACL logging messages to reach the server. They
will not reach the server if the server is attached to the AX management
port.
CLI EXAMPLE
3. Click Add.
4. Enter or select the values to filter. (For descriptions, see the CLI syntax
below.)
5. Click OK. The new ACL appears in the Extended ACL table.
USING THE CLI
[log [transparent-session-only]]
The seq-num option specifies the sequence number of this rule in the ACL.
(See “Resequencing ACL Rules” on page 758.)
The deny | permit option specifies the action to perform on traffic that
matches the ACL:
• deny – Drops the traffic.
The remark option adds a remark to the ACL. (For more information, see
“Adding a Remark to an ACL” on page 753.)
Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify “/24” instead of “0.0.0.255” to filter on a 24-bit subnet.
The options for specifying the destination address are the same as those for specifying the source address.
The log option configures the AX device to generate log messages when traffic matches the ACL. This option is disabled by default. The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule. (See “Transparent Session Logging” on page 754.)
When ACL logging is enabled, the AX device writes the log messages to
the local logging buffer. If you configure an external log server, the AX
device also sends the messages to the server. For more information, see
“Log Rate Limiting” on page 50.
Note: If you plan to use an external log server, the server must be attached to an
AX data port in order for ACL logging messages to reach the server. They
will not reach the server if the server is attached to the AX management
port.
[log [transparent-session-only]]
The type and code options enable you to filter on ICMP traffic.
The type type-option option matches based on the specified ICMP type.
You can specify one of the following. Enter the type name or the type number (for example, dest-unreachable or 3). The type-option can be one of the following:
• any-type – Matches on any ICMP type.
• echo-reply | 0 – Type 0, echo reply
The code code-num option matches based on the specified ICMP code. To
match on any ICMP code, specify any-code. To match on a specific ICMP
code, specify the code, 0-254.
[log [transparent-session-only]]
The tcp and udp options enable you to filter on protocol port numbers. Use
one of the following options to specify the source port(s) on which to filter:
• eq src-port – The ACL matches on traffic from the specified source
port.
• gt src-port – The ACL matches on traffic from any source port with a
higher number than the specified port.
• lt src-port – The ACL matches on traffic from any source port with a
lower number than the specified port.
• range start-src-port end-src-port – The ACL matches on traffic from
any source port within the specified range.
The same options can be used to specify the destination port(s) on which to
filter.
CLI EXAMPLE
3. Click Add.
4. Enter or select the values to filter. (For descriptions, see the CLI syntax
below.)
5. Click OK. The new ACL appears in the IPv6 ACL table.
USING THE CLI
To configure an IPv6 ACL, use the following commands:
Enter the ipv6 access-list acl-id command at the global configuration level of the CLI (the CLI example under “Transparent Session Logging” shows it in use). The acl-id can be a string up to 16 characters long. This command changes the CLI to the configuration level for the ACL, where the following ACL-related commands are available.
[log [transparent-session-only]]
or
[log [transparent-session-only]]
Parameter – Description
• seq-num – Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL.
• deny | permit – Action to take for traffic that matches the ACL. deny drops the traffic; permit allows the traffic.
• ipv6 | icmp – Filters on IPv6 or ICMP packets.
• tcp | udp – Filters on TCP or UDP packets. The tcp and udp options enable you to filter on protocol port numbers.
• any | host host-src-ipv6addr | net-src-ipv6addr/mask-length – Source IP address(es) to filter. any – The ACL matches on all source IP addresses. host host-src-ipv6addr – The ACL matches only on the specified host IPv6 address. net-src-ipv6addr/mask-length – The ACL matches on any host in the specified subnet. The mask-length specifies the portion of the address to filter.
• eq src-port | gt src-port | lt src-port | range start-src-port end-src-port – For tcp or udp, the source protocol ports to filter. eq src-port – The ACL matches on traffic from the specified source port. gt src-port – The ACL matches on traffic from any source port with a higher number than the specified port. lt src-port – The ACL matches on traffic from any source port with a lower number than the specified port. range start-src-port end-src-port – The ACL matches on traffic from any source port within the specified range.
• any | host host-dst-ipv6addr | net-dst-ipv6addr/mask-length – Destination IP address(es) to filter.
• eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port – For tcp or udp, the destination protocol ports to filter.
• log [transparent-session-only] – Configures the AX device to generate log messages when traffic matches the ACL. The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule. (See “Transparent Session Logging” on page 754.)
The remark string can be 1-63 characters. To use blank spaces in the remark, enclose the entire remark string in double quotes.
Here is a CLI example:
AX(config)#access-list 42 permit host 192.168.1.42
AX(config)#access-list 42 deny 192.168.1.0 /24
AX(config)#access-list 42 remark "The meaning of life"
AX(config)#show access-list ipv4 42
Access List 42 "The meaning of life"
access-list 42 10 permit host 192.168.1.42 Hits: 0
access-list 42 20 deny 192.168.1.0 0.0.0.255 Hits: 0
As shown in this example, the remark appears at the top of the ACL, above
the first rule.
To use blank spaces in the remark, enclose the entire remark string in double
quotes, as shown in the example. The ACL must already exist before you
can configure a remark for it.
The following sections show examples of the log messages generated for transparent sessions.
IPv4 Sessions
The following example shows a log message for an IPv4 transparent session (in this case, expiration of the session):
Oct 29 2009 12:00:55 Notice [AX]:[eth 1] TCP 200.200.200.100:32548 > 1.1.1.100:80 ACL rule transparent session expired (ACL 150)
The interface on which the ACL matched traffic is indicated in brackets (in this example, “eth 1”). The addresses are shown as src-ip:port > dst-ip:port. The ACL number or ACL name is shown in parentheses at the end of the message.
IPv6 Sessions
For successfully created TCP or UDP sessions, a separate message is generated when the session is created and when it expires. The following messages are listed newest first:
Feb 24 2010 02:18:27 Notice [AX]:[ve 21] UDP 2001:10::100:50213 > 2001:7::40:53 ACL rule transparent session expired (IPV6_LIST)
Feb 24 2010 02:18:12 Notice [AX]:[ve 21] UDP 2001:10::100:50213 > 2001:7::40:53 ACL rule transparent session created (IPV6_LIST)
Feb 24 2010 02:15:12 Notice [AX]:[ve 21] TCP 2001:10::100:4401 > 2001:7::40:22 ACL rule transparent session expired (IPV6_LIST)
Feb 24 2010 02:15:08 Notice [AX]:[ve 21] TCP 2001:10::100:4401 > 2001:7::40:22 ACL rule transparent session created (IPV6_LIST)
For all other types of transparent IPv6 sessions, a message such as the following is generated:
Feb 24 2010 02:18:07 Notice [AX]:[ve 21] IP 2001:10::100 > 2001:7::40 ACL rule denied this packet (IPV6_LIST)
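The IPv4 and IPv6 messages above, parsed and paired the way a detection script would handle them. This is an added example and not code from the guide or from A10; it assumes only the message shape shown on this page (timestamp, Notice [AX], interface in brackets, protocol, src > dst, event, ACL name or number in parentheses), and the sample lines are the guide's own messages re-joined onto single lines. Pairing a session's created and expired messages gives its lifetime; an expired message with no matching created message is reported separately rather than dropped.

```python
"""Parse AX ACL transparent-session log messages and pair each session's
'created' and 'expired' messages. Added example, not A10 code; the only
assumption is the message shape shown in the guide. SAMPLE_LOG holds the
guide's own example messages re-joined onto single lines."""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) Notice \[AX\]:"
    r"\[(?P<intf>[^\]]+)\] (?P<proto>TCP|UDP|IP) (?P<src>\S+) > (?P<dst>\S+) ACL rule "
    r"(?P<event>transparent session created|transparent session expired|denied this packet) "
    r"\((?P<acl>[^)]*)\)$"
)
EVENTS = {"transparent session created": "created",
          "transparent session expired": "expired",
          "denied this packet": "denied"}

SAMPLE_LOG = [
    "Oct 29 2009 12:00:55 Notice [AX]:[eth 1] TCP 200.200.200.100:32548 > 1.1.1.100:80 ACL rule transparent session expired (ACL 150)",
    "Feb 24 2010 02:18:27 Notice [AX]:[ve 21] UDP 2001:10::100:50213 > 2001:7::40:53 ACL rule transparent session expired (IPV6_LIST)",
    "Feb 24 2010 02:18:12 Notice [AX]:[ve 21] UDP 2001:10::100:50213 > 2001:7::40:53 ACL rule transparent session created (IPV6_LIST)",
    "Feb 24 2010 02:15:12 Notice [AX]:[ve 21] TCP 2001:10::100:4401 > 2001:7::40:22 ACL rule transparent session expired (IPV6_LIST)",
    "Feb 24 2010 02:15:08 Notice [AX]:[ve 21] TCP 2001:10::100:4401 > 2001:7::40:22 ACL rule transparent session created (IPV6_LIST)",
    "Feb 24 2010 02:18:07 Notice [AX]:[ve 21] IP 2001:10::100 > 2001:7::40 ACL rule denied this packet (IPV6_LIST)",
]


def split_endpoint(proto, text):
    """'2001:10::100:50213' -> ('2001:10::100', 50213). TCP/UDP endpoints always end
    in ':port', so splitting on the last colon is safe even for IPv6 addresses;
    plain IP messages carry no port."""
    if proto in ("TCP", "UDP"):
        ip, port = text.rsplit(":", 1)
        return ip, int(port)
    return text, None


def parse_line(line):
    """One log line -> dict, or None if it is not an ACL transparent-session message."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["proto"], m["src"])
    dst_ip, dst_port = split_endpoint(m["proto"], m["dst"])
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "intf": m["intf"], "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
        "event": EVENTS[m["event"]], "acl": m["acl"],
    }


def pair_sessions(records):
    """Match each 'created' message with the later 'expired' message for the same
    5-tuple and ACL. Returns (sessions, unmatched_expiries, still_open)."""
    open_sessions, sessions, unmatched = {}, [], []
    for r in sorted(records, key=lambda r: r["ts"]):   # the device may list newest first
        key = (r["proto"], r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"], r["acl"])
        if r["event"] == "created":
            open_sessions[key] = r
        elif r["event"] == "expired":
            start = open_sessions.pop(key, None)
            if start is None:
                unmatched.append(r)   # expiry without its creation (e.g. log rotated)
            else:
                sessions.append({**start, "ended": r["ts"],
                                 "duration_s": (r["ts"] - start["ts"]).total_seconds()})
    return sessions, unmatched, list(open_sessions.values())


def denied_packets(records):
    """Packets the ACL denied (the non-TCP/UDP IPv6 case in the guide)."""
    return [r for r in records if r["event"] == "denied"]


if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_LOG) if r]
    done, lost, still_open = pair_sessions(recs)
    for s in done:
        print(f"{s['proto']} {s['src_ip']}:{s['src_port']} -> {s['dst_ip']}:{s['dst_port']} "
              f"lasted {s['duration_s']:.0f}s (ACL {s['acl']})")
    print(f"{len(lost)} expiries without a creation, {len(denied_packets(recs))} denied packets")
```

Feed the script a real log export instead of SAMPLE_LOG and the unmatched list is the first thing to look at: an expiry with no creation usually means the earlier message was lost, which the note about the management port versus data ports explains in one common case.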
Configuration
To configure session filtering for transparent IPv6 sessions on an interface:
1. Configure an IPv6 ACL that uses the log transparent-session-only
option.
2. Apply the ACL to the interface that receives incoming traffic for the sessions.
CLI Example
The following commands configure an IPv6 ACL for transparent session
logging, and apply it to an IPv6 interface:
AX(config)#ipv6 access-list tran_sess_log1
AX(config-access-list:tran_sess_log1)#permit tcp any any log transparent-session-only
AX(config-access-list:tran_sess_log1)#exit
AX(config)#interface ve 21
AX(config-if:ve21)#ipv6 access-list tran_sess_log1 in
4. In the IPv4 section, select the ACL from the Access List field.
5. Click OK.
4. Select IPv4.
6. Click OK.
Access the configuration level for the interface and use the following command:
access-list acl-num in
The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on Ethernet interface 4:
AX(config)#access-list 1 deny 10.10.10.0 0.0.0.255
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#access-list 1 in
Because every ACL ends with an implicit deny any rule, an ACL whose only configured rule is a deny drops all inbound traffic on the interface, not just traffic from 10.10.10.x. Add a permit rule for the traffic that should pass before applying such an ACL to a production interface.
To apply a configured ACL to a virtual server port, use either of the following methods.
5. In the Port section, click Add or select a port and click Edit.
6. In the Virtual Server Port section, select the ACL from the Access List
drop-down list.
7. Click OK.
To apply an ACL to a virtual port in the CLI, use the following command at
the configuration level for the virtual port:
access-list acl-id
6. Click OK.
To use a configured ACL in an IPv4 NAT pool, use the following command:
[no] ip nat inside source
{list acl-name
{pool pool-name | pool-group pool-group-name}
static local-ipaddr global-ipaddr}
Rules are applied to the traffic in the order they appear in the ACL (from the
top rule, which is the first, downward). The first rule that matches traffic is
used to permit or deny that traffic. After the first rule match, no additional
rules are compared against the traffic.
Each ACL has an implicit deny any rule at the end of the ACL. This rule is
applied to any traffic that does not match any of the configured rules in the
ACL. The deny any rule at the end of the ACL is not displayed and cannot
be removed.
You can resequence the rules in an ACL. When you create an ACL rule, the
AX device assigns a sequence number to the rule and places the rule at the
bottom of the ACL. Here is an example:
AX(config)#access-list 86 permit host 10.10.10.12 log
AX(config)#access-list 86 deny 10.10.10.0 /24 log
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
In this example, two rules are configured for ACL 86. The default sequence
numbers are used. The first rule has sequence number 10, and each rule
after that has a sequence number that is higher by 10.
The intent of this ACL is to deny all access from the 10.10.10.x subnet,
except for access from specific host addresses. In this example, the permit
rule for the host appears before the deny rule for the subnet the host is in, so
the host will be permitted. However, suppose another permit rule is added
for another host in the same subnet.
AX(config)#access-list 86 permit host 10.10.10.13 log
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
access-list 86 30 permit host 10.10.10.13 log Hits: 0
By default, since no sequence number was specified when the rule was con-
figured, the rule is placed at the end of the ACL. Because the deny rule
comes before the permit rule, host 10.10.10.13 will never be permitted.
To resequence the ACL to work as intended, the deny rule can be deleted,
then re-added. Alternatively, either the deny rule or the second permit rule
can be resequenced to appear in the right place. To change the sequence
number of an ACL rule, delete the rule, then re-add it with the sequence
number.
AX(config)#no access-list 86 30
AX(config)#access-list 86 11 permit host 10.10.10.13 log
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 11 permit host 10.10.10.13 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
In this example, rule 30 is deleted, then re-added with sequence number 11.
The ACL will now work as intended, and permit hosts 10.10.10.12 and
10.10.10.13 while denying all other hosts in the 10.10.10.x subnet. To permit another host, another rule can be added, sequenced to come before the deny rule.
AX(config)#access-list 86 12 permit host 10.10.10.14 log
AX(config)#show access-list ipv4 86
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 11 permit host 10.10.10.13 log Hits: 0
access-list 86 12 permit host 10.10.10.14 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
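The first-match behaviour and the implicit deny any rule described above, as an added example (not A10 code): a small evaluator that reads rule lines in the form printed by show access-list ipv4, converts the 0.0.0.255 wildcard to a prefix, returns the first matching rule, and lists rules that can never match because an earlier rule already covers their whole address range. Run against ACL 86 before and after the resequencing shown above, it reports rule 30 as shadowed in the first version and nothing in the second. The ACL text constants are copies of the output printed in this section.

```python
"""Simulate first-match ACL evaluation with the implicit 'deny any' and flag
rules that can never match. Added example, not A10 code; it reads the
'show access-list ipv4' lines as printed in the guide."""
import ipaddress

# The two states of ACL 86 from the guide: before and after resequencing.
ACL_BROKEN = """\
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
access-list 86 30 permit host 10.10.10.13 log Hits: 0
"""

ACL_FIXED = """\
access-list 86 10 permit host 10.10.10.12 log Hits: 0
access-list 86 11 permit host 10.10.10.13 log Hits: 0
access-list 86 20 deny 10.10.10.0 0.0.0.255 log Hits: 0
"""


def parse_rule(line):
    """'access-list <id> <seq> <permit|deny> <any | host A | A wildcard> ...' -> rule dict.
    The wildcard (0.0.0.255) is a hostmask, which ipaddress accepts in the mask slot."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an ACL rule: {line!r}")
    seq, action, spec = int(t[2]), t[3], t[4]
    if spec == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif spec == "host":
        net = ipaddress.ip_network(t[5] + "/32")
    else:
        net = ipaddress.ip_network(f"{spec}/{t[5]}", strict=False)
    return {"seq": seq, "action": action, "net": net}


def parse_acl(text):
    """All rules of one ACL, ordered by sequence number (the order the device applies them)."""
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r["seq"])


def evaluate(rules, src_ip):
    """First matching rule wins. If nothing matches, the implicit 'deny any' applies
    and the returned sequence number is None."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r["net"]:
            return r["action"], r["seq"]
    return "deny", None


def shadowed(rules):
    """Sequence numbers of rules whose whole address range is already covered by an
    earlier rule, so they can never be the first match (rule 30 in ACL_BROKEN)."""
    return [r["seq"] for i, r in enumerate(rules)
            if any(r["net"].subnet_of(e["net"]) for e in rules[:i])]


if __name__ == "__main__":
    for label, text in (("broken", ACL_BROKEN), ("fixed", ACL_FIXED)):
        rules = parse_acl(text)
        print(label, "10.10.10.13 ->", evaluate(rules, "10.10.10.13"),
              "shadowed rules:", shadowed(rules))
```

The shadow check is the one to run after every resequence: a permit that sits below a broader deny is exactly the state the device reports as Hits: 0 for ever, and the check finds it before the traffic does.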
Each row in the Standard ACL and Extended ACL tables is a separate ACL
rule. You can configure multiple rules in the same ACL. In this case, they
still appear as separate rows, with the same ACL number.
The AX device applies the ACL rules in the order they are listed, starting at
the top of the table. The first rule that matches traffic is used to permit or
deny that traffic. After the first rule match, no additional rules are compared
against the traffic.
If you need to re-order the ACL rules, you can do so by clicking the up or
down arrows at the ends of the rows containing the ACL rules.
Policy-Based SLB (PBSLB)
For traffic that is allowed, you can specify the service group to use. You also
can specify the action to perform (drop or reset) on new connections that
exceed the configured connection threshold for the client address. For
example, you can configure the AX to respond to DDoS attacks from a client by dropping excessive connection attempts from the client.
For each IP address (host or subnet) in a black/white list, add a row using
the following syntax:
• The #conn-limit specifies the maximum number of concurrent connections allowed from the client. By default, there is no connection limit. If you set it, the valid range is from 1 to 32767. On the AX, you can specify whether to reset or drop new connections that exceed this limit. The # is required only if you do not specify a group-id.
Note: The conn-limit is a coarse limit. The larger the number you specify, the coarser the limit will be. For example, if you specify 100, the AX device limits the total connections to exactly 100; however, if you specify 1000, the device limits the connections to not exceed 992.
If the number in the file is larger than the supported maximum (32767), the parser will use the longest set of leading digits in the number you enter that makes a valid value. For example, if the file contains 32768, the parser will use 3276 as the value. As another example, if the file contains 111111, the parser will use 11111 as the value. This truncation is silent and can leave a client with a far smaller limit than intended, so check the list for out-of-range values before loading it.
• The ;comment-string is a comment. Everything to the right of the ; is
ignored by the AX device when it parses the file.
The first row assigns a specific host to group 4. On the AX device, the drop
action will be assigned to this group, thus black listing the client. The second row black lists an entire subnet, by assigning it to the same group (4).
The third row sets the maximum number of concurrent connections for a
specific host to 20. The fourth row assigns a specific host to group 2 and
specifies a maximum of 20 concurrent connections.
Note: The AX device allows up to three parser errors when reading the file. However, after the third parser error, the device stops reading the file. Rows after that point are not loaded, so a few malformed rows can silently leave later entries, including black-list entries, out of the policy.
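Given the silent truncation of out-of-range limits and the three-error cutoff described above, a list is worth linting before it is loaded. The following is an added example, not A10 code. The guide does not print the address-row syntax, so the row form it parses (an address or subnet, an optional group-id, an optional #conn-limit where # is required only when no group-id is given, and a ;comment) is an assumption based on the description above; geo rows follow the documented L "geo-location" group-id #conn-limit form. The sample list is constructed.

```python
"""Lint a PBSLB black/white list before loading it onto the AX device.

Added example, not from the A10 guide. The address-row format is an
assumption based on the guide's prose; the geo-row format is the documented
one. SAMPLE_LIST is constructed for the demonstration.
"""
import ipaddress
import re
import shlex

MAX_CONN_LIMIT = 32767   # documented valid range for #conn-limit is 1-32767
MAX_PARSER_ERRORS = 3    # documented: the device stops reading after the third parser error


def device_conn_limit(text):
    """Value the device keeps for a conn-limit field (documented behaviour): the
    longest run of leading digits that is a valid value, so '32768' -> 3276."""
    m = re.match(r"\d+", text)
    if not m:
        return None
    digits = m.group(0)
    for n in range(len(digits), 0, -1):
        value = int(digits[:n])
        if 1 <= value <= MAX_CONN_LIMIT:
            return value
    return None


def parse_row(line):
    """Parse one row into (entry, problem). entry is None for a blank or
    comment-only row; problem is an error string when the row is malformed."""
    body = line.split(";", 1)[0].strip()   # everything right of ';' is a comment
    if not body:
        return None, None
    try:
        tokens = shlex.split(body)          # handles the quoted "geo-location" token
    except ValueError as exc:
        return None, f"unbalanced quotes: {exc}"
    entry = {"group_id": None, "conn_limit": None, "conn_limit_raw": None}
    if tokens[0] == "L":                    # geo row: L "geo-location" group-id #conn-limit
        if len(tokens) < 2:
            return None, "geo row without a location"
        entry["subject"], rest = ("geo", tokens[1]), tokens[2:]
    else:                                   # assumed: host or subnet, then optional fields
        try:
            net = ipaddress.ip_network(tokens[0], strict=False)
        except ValueError:
            return None, f"not an address or subnet: {tokens[0]!r}"
        entry["subject"], rest = ("net", str(net)), tokens[1:]
    for tok in rest:
        if tok.startswith("#"):
            entry["conn_limit_raw"] = tok[1:]
        elif tok.isdigit() and entry["group_id"] is None:
            entry["group_id"] = int(tok)
        elif tok.isdigit() and entry["conn_limit_raw"] is None:
            entry["conn_limit_raw"] = tok   # '#' is optional once a group-id is present
        else:
            return None, f"unexpected field {tok!r}"
    if entry["conn_limit_raw"] is not None:
        entry["conn_limit"] = device_conn_limit(entry["conn_limit_raw"])
    return entry, None


def lint(text):
    """Return (entries, findings). findings are (line_no, level, message) tuples;
    'error' rows count toward the device's parser-error cutoff."""
    entries, findings, errors = [], [], 0
    for line_no, line in enumerate(text.splitlines(), 1):
        entry, problem = parse_row(line)
        if errors >= MAX_PARSER_ERRORS:
            if entry is not None or problem:
                # Everything from here on is silently absent from the loaded policy.
                findings.append((line_no, "error", "not loaded: device stopped reading the file"))
            continue
        if problem:
            errors += 1
            findings.append((line_no, "error", problem))
        elif entry is not None:
            raw = entry["conn_limit_raw"]
            if raw is not None and (not raw.isdigit() or int(raw) != entry["conn_limit"]):
                findings.append((line_no, "warning", f"conn-limit {raw!r} outside 1-{MAX_CONN_LIMIT}; "
                                                     f"device would use {entry['conn_limit']}"))
            if entry["group_id"] is None and entry["conn_limit"] is None:
                findings.append((line_no, "warning", "row sets neither group-id nor conn-limit"))
            entries.append(entry)
    return entries, findings


SAMPLE_LIST = """\
; constructed sample list (not from the guide)
10.1.1.5 4              ; host -> group 4 (group 4 is mapped to drop = black list)
10.2.0.0/16 4           ; whole subnet -> group 4
10.3.3.3 #20            ; conn-limit only; '#' required because there is no group-id
10.4.4.4 2 20           ; group 2 with a 20-connection limit
10.5.5.5 2 #32768       ; above 32767: the device silently keeps 3276
L "US.CA" 2 #100        ; geo row, documented form
not-an-address 4
10.6.6.6 4 extra junk
300.1.1.1 4
10.7.7.7 4              ; never loaded: three parser errors precede it
"""

if __name__ == "__main__":
    for line_no, level, message in lint(SAMPLE_LIST)[1]:
        print(f"line {line_no}: {level}: {message}")
```

Treat any error finding as a reason not to load the file: the row after the third error is the one an attacker would most like to see missing from a black list.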
• If the list does not already have an entry for the client, the AX device
creates a dynamic entry for the client’s host address.
• If the list already has a dynamic entry for the client, the AX device
resets the timeout value for the entry. (Dynamic entry aging is described
below.)
• If the list contains a static entry for the client’s host or subnet address,
the static entry is used instead.
In this example, all clients who do not match a static entry in the list will be
assigned to group 1, and will be limited to 20 concurrent connections.
You can set the timeout to 1-127 minutes. The default is 5 minutes.
If client-lockup is enabled, the timeout for a locked up client does not begin
decrementing until the lockup expires. (See “Client Lockup” on page 765.)
Wildcard Address Support in PBSLB Policies Bound to Virtual Ports
Dynamic client entries are supported only for system-wide PBSLB policies.
You can add a wildcard address (0.0.0.0/0) to a black/white list that is used
by a virtual port’s PBSLB policy. The group ID and connection limit specified for the wildcard address will be applied to clients that do not match a
static entry in the list. However, there are a few limitations:
• The AX device does not create any dynamic entries in the list.
• The connection limit applies collectively to all clients that do not have a
static entry in the list.
• Client lockup
This command specifies the name of the black/white list to use for the policy.
This command specifies the action to take for clients in a given group configured in the black/white list.
• drop – Drops the connections.
The logging option enables logging. The minutes option specifies how often
messages can be generated.
[no] system pbslb over-limit
[reset]
[lockup minutes]
[logging minutes]
This command specifies the action to take for clients who either exceed the connection limit specified in the black/white list, or exceed the threshold of any of the new IP anomaly filters. You can use one or both of the following options:
• reset – Resets all new connection attempts from the client. If you omit this option, new connection attempts are dropped instead.
• lockup – Continues to apply the over-limit action to all new connection attempts from the client, for the specified number of minutes.
The logging option enables logging. The minutes option specifies how often
messages can be generated.
Note: If the lockup option is used with the system pbslb over-limit command,
aging of the dynamic entry for a locked up client begins only after the
lockup expires.
Client Lockup
The over-limit rule in a system-wide PBSLB policy includes an optional
lockup period. If the lockup period is configured, the AX device continues
to enforce the over-limit action for the duration of the lockup.
For example, if the over-limit action is drop and a client exceeds the connection limit specified in the black/white list, the AX device continues to
drop all connection attempts from the client until the lockup expires.
show pbslb system
show pbslb client [ipaddr]
To configure PBSLB:
1. Configure a black/white list, either remotely or on the AX device itself.
2. If you configure the list remotely, import the list onto the AX device.
3. Optionally, modify the sync interval for the list. The AX regularly synchronizes with the list to make sure the AX version is current.
Note: These steps assume that the real servers, service groups, and virtual serv-
ers have already been configured.
USING THE GUI
3. Click Add.
5. From the drop-down list below the Name field, select the black/white
list or click “create” to create or import one.
• create – This option displays the configuration sections for creating a new service group.
c. Optionally, enable logging. To change the logging interval, edit the
number in the Period field. Logging generates messages to indicate
that traffic matched the group ID.
To generate log messages only when there is a failed attempt to
reach a service group, select Log Failures only.
Note: If the Use default server selection when preferred method fails option
is enabled on the virtual port, log messages will never be generated for
server-selection failures. To ensure that messages are generated to log
server-selection failures, disable the Use default server selection when
preferred method fails option on the virtual port. This limitation does
not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.
d. Click Add. The group settings appear in the PBSLB list.
e. Repeat the steps above for each group.
8. Select the action to take when traffic exceeds the limit: Drop or Reset.
10. Click OK. The new policy appears in the PBSLB policy list.
FIGURE 181 PBSLB Policy section
FIGURE 182 Config > Service > SLB > Virtual Server - Virtual Server Port
section
The url specifies the file transfer protocol, directory path, and filename. The
following URL format is supported:
tftp://host/file
The period seconds option specifies how often the AX device re-imports
the list to ensure that changes to the list are automatically replicated on the
AX. You can specify 60 – 86400 seconds. The default is 300 seconds.
The load option immediately re-imports the list to get the latest changes.
Use this option if you change the list and want to immediately replicate the
changes on the AX device, without waiting for the update period.
Note: A TFTP server is required on the PC, and the TFTP server must be running when you enter the bw-list command. TFTP provides no authentication or integrity protection, so anyone who can modify the file on that server, or intercept the transfer, can change the black/white list the AX device enforces; restrict access to the server and to the path between it and the AX device.
Note: If you use the load option, the CLI cannot accept any new commands
until the load is completely finished. For large black/white lists, loading
can take a while. Do not abort the load process; doing so can also interrupt
periodic black/white-list updates. If you do accidentally abort the load
process, repeat the command with the load option and allow the load to
complete.
Enter this command at the global configuration level of the CLI. The command creates the template and changes the CLI to the configuration for the template, where the following PBSLB-related commands are available.
This command binds a black/white list to the virtual ports that use this template.
[no] bw-list id id
service {service-group-name | drop | reset}
[logging [minutes] [fail]]
This command specifies the action to take for clients in the black/white list:
• id – Group ID in the black/white list.
• logging [minutes] [fail] – Enables logging. The minutes
option specifies how often messages can be generated. This option
reduces overhead caused by frequent recurring messages.
For example, if the logging interval is set to 5 minutes, and the PBSLB
rule is used 100 times within a five-minute period, the AX device generates only a single message. The message indicates the number of times
the rule was applied since the last message. You can specify a logging
interval from 0 to 60 minutes. To send a separate message for each
event, set the interval to 0.
PBSLB rules that use the service service-group-name option also have a
fail option for logging. The fail option configures the AX device to generate log messages only when there is a failed attempt to reach a service group. Messages are not generated for successful connections to the service group. The fail option is disabled by default. The option is available
only for PBSLB rules that use the service service-group-name option,
not for rules with the drop or reset option, since any time a drop or reset
rule affects traffic, this indicates a failure condition.
Logging is disabled by default. If you enable it, the default for minutes
is 3.
The AX device uses the same log rate limiting and load balancing fea-
tures for PBSLB logging as those used for ACL logging. See “Log Rate
Limiting” on page 50.
This command specifies the action to take for traffic that is over the limit.
You can specify one or more of the following options:
• lockup min – Continues to apply the over-limit action to all new connection attempts from the client, for the specified number of minutes (1-127).
• logging min – Generates a log message when traffic goes over the limit. The min option specifies the log interval and can be 1-255 minutes.
• reset – Resets new connections until the number of concurrent con-
nections on the virtual port falls below the connection limit.
[no] bw-list use-destination-ip
This command matches black/white list entries based on the client’s destination IP address. By default, matching is based on the client’s source IP
address. This option is applicable if you are using a wildcard VIP. (See
“Wildcard VIPs” on page 277.)
To bind the template to a virtual port, use the following command at the
configuration level for the port:
To bind a black/white list to a virtual port, use the following command at the
configuration level for the virtual port:
The name is the name you assign to the list when you import it.
pbslb id id
{service service-group-name | drop | reset}
[logging [minutes] [fail]]]
The drop option immediately drops all connections between the clients in
the list and any servers in the service group. The reset option resets the connections between the clients in the list and any servers in the service group.
The logging option enables logging. The minutes option specifies how often messages can be generated. This option reduces overhead caused by frequent recurring messages. For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times within a five-minute period, the AX device generates only a single message. The message indicates the number of times the rule was applied since the last message. You can specify a logging interval from 0 to 60 minutes. To send a separate message for each event, set the interval to 0. The default is 3 minutes.
PBSLB rules that use the service service-group-name option also have a
fail option for logging. The fail option configures the AX device to generate
log messages only when there is a failed attempt to reach a service group.
Messages are not generated for successful connections to the service group.
The fail option is disabled by default. The option is available only for
PBSLB rules that use the service service-group-name option, not for rules
with the drop or reset option, since any time a drop or reset rule affects traffic, this indicates a failure condition.
The AX device uses the same log rate limiting and load balancing features
for PBSLB logging as those used for ACL logging. See “Log Rate Limit-
ing” on page 50.
This command specifies the action to take for traffic that is over the limit.
• drop – Drops new connections until the number of concurrent connections on the virtual port falls below the port’s connection limit. (The connection limit is set in the black/white list.)
• reset – Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit. (The connection threshold is set in the black/white list.)
The name is the name you assign to the list when you import it. The ipaddr
is the client IP address.
To show policy-based SLB statistics, use the following command:
The name option specifies a virtual server name. If you use this option, statistics are displayed only for that virtual server. Otherwise, statistics are
shown for all virtual servers.
The following command shows PBSLB information:
AX(config-slb virtual server-slb virtua...)#show pbslb
Total number of PBSLB configured: 1
Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1 80 sample-bwlist 2 0 0 0
4 0 0 0
PBSLB_VS2 80 sample-bwlist 2 0 0 0
4 0 0 0
In this example, the AX device drops all new connection attempts from a
client if either of the following occurs:
• The client already has 20 active connections and attempts to open a new
HTTP or HTTPS connection.
• The client exceeds any of the IP anomaly thresholds.
Statistics Display
The following command shows system-wide statistics for the new IP anomaly filters:
AX(config)#show slb l4
Total
------------------------------------------------------------------
IP out noroute 20061
TCP out RST 0
TCP out RST no SYN 0
...
Anomaly out of sequence 225408
Anomaly zero window 225361
Anomaly bad content 224639
The following command shows statistics for the system-wide PBSLB policy:
AX(config)#show pbslb system
System B/W list: bwlist-wc
Virtual Server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
--------------------------------------------------------------------------------
System bwlist-wc 1 12 0 0
2 0 0 0
Geo-location-based Access Control for VIPs
The Age column indicates how many seconds are left before a dynamic
entry ages out. For clients who are currently locked out of the system, the
value in the Lockup column indicates how many minutes the lockup will
continue. For locked up clients, the age value is 0 until the lockup expires.
After the lockup expires, the age is set to its full value (120 seconds in this
example).
Note: This feature requires you to load a geo-location database, but does not
require any other configuration of GSLB. The AX system image includes
the Internet Assigned Numbers Authority (IANA) database. By default,
the IANA database is not loaded but you can easily load it, as described in
the configuration procedure later in this section.
Configuration
To configure geo-location-based access control for a VIP:
1. Configure a black/white list. You can configure the list using a text editor on a PC or enter it directly into the GUI. If you configure the list using a text editor, import the list onto the AX device.
4. Apply the policy template to the virtual port for which you want to control access.
With either method, the syntax is the same. The black/white list must be a
text file that contains entries (rows) in the following format:
L "geo-location" group-id #conn-limit
The “L” indicates that the client’s location will be determined using information in the geo-location database.
Here is a simple example of a black/white list for this feature:
L "US" 1
L "US.CA" 2
L "JP" 3
2. Click New.
• To import the list:
• Leave Remote selected.
• Enter a name for the list in the Name field.
• Enter the hostname or IP address in the Host field.
• Enter the file path and name in the Location field.
• To enter the file directly into the GUI:
• Select Local.
• Type the list into the Definition field.
3. Click OK.
3. Click Add.
5. From the drop-down list below the Name field, select the black/white
list.
• service-group-name – Each of the service groups configured on the
AX device is listed.
• create – This option displays the configuration sections for creating
a new service group.
8. Optionally, enable logging. (The AX device uses the same log rate limiting and load balancing features for PBSLB logging as those used for ACL logging. See “Log Rate Limiting” on page 50.)
9. Click Add.
3. In the Load/Unload section, enter “iana” in the File field. Leave the
Template field blank.
4. Click Add.
Note: If preferred, you can import a custom geo-location database instead. For
information, see “Loading or Configuring Geo-Location Mappings” on
page 467.
4. If you are configuring a new VIP, enter the name and IP address for the
server.
5. In the Port section, select the port and click Edit, or click Add to add a
new port. The Virtual Server Port page appears.
6. Select the policy template from the PBSLB Policy Template drop-down
list.
7. Click OK.
8. Click OK again to finish the changes and redisplay the virtual server list.
4. To apply the policy template to a virtual port, use the following command at the configuration level for the virtual port:
[no] template policy template-name
The depth option specifies how many nodes within the geo-location data
tree to display. For example, to display only continent and country entries
and hide individual state and city entries, specify depth 2. By default, the
full tree (all nodes) is displayed.
The id option displays only the geo-locations mapped to the specified black/
white list group ID.
The location option displays information only for the specified geo-location; for example “US.CA”.
CLI Example
The following command imports black/white list “geolist” onto the AX
device.
AX(config)#import bw-list geolist scp://192.168.1.2/root/geolist
You can enable sharing of statistics counters for all virtual servers and virtual ports that use a PBSLB template. This option causes the following counters to be shared by the virtual servers and virtual ports that use the template:
• Permit
• Deny
• Connection number
• Connection limit
The current release does not support this feature in the GUI.
Note: It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.
Using the default behavior, only the connection limit on the client’s closest matching entry is checked. The connection request from the client at US.CA.SanJose is allowed even though US, higher up in the domain tree, has reached its connection limit. Likewise, a connection request from a client at US.CA is allowed. However, a connection request from a client whose location match is simply “US” is denied.
After these three clients are permitted or denied, the connection permit and
deny counters are incremented as follows:
• US – Deny counter is incremented by 1.
Full-Domain Checking
When full-domain checking is enabled, the AX device checks the current
connection count not only for the client’s specific geo-location, but for all
geo-locations higher up in the domain tree.
Based on full-domain checking, all three connection requests from the clients in the example above are denied. This is because the US domain has reached its connection limit. Likewise, the counters for each domain are updated as follows:
• US – Deny counter is incremented by 1.
The current release does not support this feature in the GUI.
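The black/white list format and the two checking modes above, as an added example in Python. This is not code from the AX guide or from A10; it parses entries of the form L "geo-location" group-id [#conn-limit] (the "#" is taken as a literal prefix on the numeric limit, an assumption based on the AX list syntax), resolves a client location to its closest configured entry, and applies the limit check in the default mode and in full-domain-checking mode. The sample list, the current connection counts (US at its limit, US.CA and US.CA.SanJose below theirs) and the choice to keep the permit/deny counters on the matched entry are constructed for illustration. It also goes one step beyond the text by showing that a client at an unconfigured location such as US.WA.Seattle falls back to the nearest configured ancestor, "US".

```python
"""Black/white list parsing and geo-location connection-limit checks.

Added example, not code from the AX guide. Sample list and connection
counts are constructed; the '#' limit prefix and the placement of the
permit/deny counters on the matched entry are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One list entry:  L "geo-location" group-id [#conn-limit]
ENTRY_RE = re.compile(
    r'^L\s+"(?P<loc>[A-Za-z0-9_.-]+)"\s+(?P<gid>\d+)(?:\s+#?(?P<limit>\d+))?$'
)


@dataclass
class GeoEntry:
    location: str              # dotted path in the geo tree, e.g. "US.CA"
    group_id: int              # group ID that the policy template maps to an action
    conn_limit: Optional[int]  # None: no connection limit on this entry
    conns: int = 0             # current connection count (constructed state)
    permit: int = 0            # permit counter
    deny: int = 0              # deny counter


def parse_bw_list(text: str) -> dict[str, GeoEntry]:
    """Parse a black/white list; rejects malformed and duplicate entries."""
    entries: dict[str, GeoEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a geo-location entry: {raw!r}")
        loc = m["loc"]
        if loc in entries:
            raise ValueError(f"line {lineno}: duplicate geo-location {loc}")
        limit = int(m["limit"]) if m["limit"] else None
        entries[loc] = GeoEntry(loc, int(m["gid"]), limit)
    return entries


def configured_chain(entries: dict[str, GeoEntry], client_loc: str) -> list[GeoEntry]:
    """Configured nodes from the most specific match upward.

    For US.CA.SanJose this is [US.CA.SanJose, US.CA, US] when all three
    are in the list; unconfigured nodes are skipped.
    """
    parts = client_loc.split(".")
    chain = []
    for n in range(len(parts), 0, -1):
        entry = entries.get(".".join(parts[:n]))
        if entry is not None:
            chain.append(entry)
    return chain


def check(entries: dict[str, GeoEntry], client_loc: str,
          full_domain: bool = False) -> tuple[str, Optional[str]]:
    """Decide one connection request; returns (decision, matched location).

    Default mode checks only the closest matching entry's limit; full-domain
    mode also checks every configured entry higher in the tree.
    """
    chain = configured_chain(entries, client_loc)
    if not chain:
        return ("no-match", None)
    matched = chain[0]
    checked = chain if full_domain else [matched]
    if any(e.conn_limit is not None and e.conns >= e.conn_limit for e in checked):
        matched.deny += 1
        return ("deny", matched.location)
    matched.permit += 1
    matched.conns += 1
    return ("permit", matched.location)


# Constructed list: US is at its limit, US.CA and US.CA.SanJose are below theirs.
SAMPLE_LIST = """\
L "US" 1 #10
L "US.CA" 2 #5
L "US.CA.SanJose" 3 #2
L "JP" 4
"""
CURRENT_CONNS = {"US": 10, "US.CA": 4, "US.CA.SanJose": 1}


def load_state() -> dict[str, GeoEntry]:
    entries = parse_bw_list(SAMPLE_LIST)
    for loc, n in CURRENT_CONNS.items():
        entries[loc].conns = n
    return entries


if __name__ == "__main__":
    for mode in (False, True):
        state = load_state()
        print("full-domain checking" if mode else "default checking")
        for client in ("US.CA.SanJose", "US.CA", "US", "US.WA.Seattle", "JP"):
            print(f"  {client:14} -> {check(state, client, mode)}")
```

Running the script prints the default-mode decisions (permit, permit, deny, deny, permit) followed by the full-domain decisions, where everything under US is denied and only the JP client, which has no limit and no limited ancestor, is permitted.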
IP Limiting
Overview
IP limiting provides the following benefits:
• Configuration flexibility – You can apply source IP limiting on a system-wide basis, on individual virtual servers, or on individual virtual ports.
• Class lists – You can configure different classes of clients, and apply a separate set of IP limits to each class. You also can exempt specific clients from being limited.
• Separate limits can be configured for each of the following:
• Concurrent connections
• Connection rate
• Concurrent Layer 7 requests
• Layer 7 request rate
Note: In the current release, Layer 7 request limiting applies only to the HTTP,
HTTPS, and fast-HTTP virtual port types.
The following sections describe the IP limiting options and how to configure and apply them.
Class Lists
A class list is a set of IP host or subnet addresses that are mapped to IP limiting rules.
The AX device can support up to 255 class lists. Each class list can contain
up to 8 million host IP addresses and 64,000 subnets.
Note: The AX device discards the comment string when you save the class list.
IP Address Matching
By default, the AX device matches class-list entries based on the source IP address of client traffic. Optionally, you can match based on one of the following instead:
• Destination IP address – Matches based on the destination IP address
instead of the source IP address.
• IP address in HTTP request – Matches based on the IP address in a
header in the HTTP request. You can specify the header when you
enable this option.
Example Class Lists
Here is an example of a very simple class list. This list matches on all clients and uses an IP limiting rule configured at the global configuration level:
0.0.0.0/0 glid 1
Here is an example with more options:
1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2 ; LID 2 applies to every single IP of this subnet
0.0.0.0 /0 lid 10 ; LID 10 applied to every undefined single IP
3.3.3.3 /32 glid 3 ; Use global LID 3
4.4.4.4 /32 ; No LID is applied (exception list)
IP Limiting Rules
IP limiting rules specify connection and request limits for clients.
• Request limit – Maximum number of concurrent Layer 7 requests
allowed for a client. You can specify 1-1048575. There is no default.
• Request-rate limit – Maximum number of Layer 7 requests allowed for a client within the limit period. You can specify 1-4294967295 requests. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. There is no default.
• Over-limit action – Action to take when a client exceeds one or more of
the limits. The action can be one of the following:
• Drop – The AX device drops that traffic. If logging is enabled, the
AX device also generates a log message. This is the default action.
• Forward – The AX device forwards the traffic. If logging is enabled,
the AX device also generates a log message.
• Reset – For TCP, the AX device sends a TCP RST to the client. If
logging is enabled, the AX device also generates a log message.
• Lockout period – Number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit. The lockout period can be 1-1023 minutes. There is no default.
• Logging – Generates log messages when clients exceed a limit. Logging
is disabled by default. When you enable logging, a separate message is
generated for each over-limit occurrence, by default. You can specify a
logging period, in which case the AX device holds onto the repeated
messages for the specified period, then sends one message at the end of
the period for all instances that occurred within the period. The logging
period can be 0-255 minutes. The default is 0 (no wait period).
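The rule options above, modeled as an added Python example. This is not code from the AX guide or from A10: it implements a concurrent-connection limit, a connection-rate limit over a period given in 100 ms units, the over-limit action (drop, forward or reset), the lockout period in minutes and per-occurrence logging. Time is supplied by the caller in milliseconds so that the behaviour is deterministic; class-list matching is left out, so the rule is applied directly per client address. The guide does not say whether rejected attempts count toward the rate, so here every attempt counts (an assumption), and the logging-period aggregation is not modeled. All class and method names are this example's own.

```python
"""Simulation of an AX-style IP limiting rule (LID).

Added example, not code from the AX guide. Clock values are milliseconds
supplied by the caller; every connection attempt counts toward the rate
(assumption); logging aggregation over a logging period is not modeled.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Lid:
    conn_limit: Optional[int] = None                   # max concurrent connections per client
    conn_rate_limit: Optional[tuple[int, int]] = None  # (connections, period in 100 ms units)
    over_limit_action: str = "drop"                    # "drop" (default) | "forward" | "reset"
    lockout_minutes: int = 0                           # 0: no lockout period
    log: bool = False                                  # one log entry per over-limit occurrence


@dataclass
class ClientState:
    open_conns: int = 0
    attempts: deque = field(default_factory=deque)  # timestamps (ms) of recent attempts
    locked_until: int = 0                            # ms; lockout active while now < locked_until


class IpLimiter:
    def __init__(self, lid: Lid) -> None:
        self.lid = lid
        self.clients: dict[str, ClientState] = defaultdict(ClientState)
        self.log_entries: list[tuple[int, str, str, str]] = []  # (time, client, reason, action)

    def _limit_exceeded(self, st: ClientState, now: int) -> Optional[str]:
        """Return the name of the first exceeded limit, or None."""
        lid = self.lid
        if lid.conn_limit is not None and st.open_conns >= lid.conn_limit:
            return "conn-limit"
        if lid.conn_rate_limit is not None:
            count, units = lid.conn_rate_limit
            window_ms = units * 100
            # forget attempts that have fallen out of the sliding period
            while st.attempts and now - st.attempts[0] >= window_ms:
                st.attempts.popleft()
            if len(st.attempts) >= count:
                return "conn-rate-limit"
        return None

    def new_connection(self, client: str, now: int) -> str:
        """Handle a connection attempt; return "accept" or the over-limit action."""
        st = self.clients[client]
        lid = self.lid
        reason = "lockout" if now < st.locked_until else self._limit_exceeded(st, now)
        st.attempts.append(now)
        if reason is None:
            st.open_conns += 1
            return "accept"
        if reason != "lockout" and lid.lockout_minutes:
            # exceeding any limit starts the lockout period
            st.locked_until = now + lid.lockout_minutes * 60_000
        if lid.log:
            self.log_entries.append((now, client, reason, lid.over_limit_action))
        if lid.over_limit_action == "forward":
            st.open_conns += 1  # the connection is still forwarded, so it stays counted
        return lid.over_limit_action

    def close_connection(self, client: str) -> None:
        st = self.clients[client]
        st.open_conns = max(0, st.open_conns - 1)


if __name__ == "__main__":
    # conn-limit 2, conn-rate-limit 3 per 10 (1 s), reset + log, 1 minute lockout
    limiter = IpLimiter(Lid(conn_limit=2, conn_rate_limit=(3, 10),
                            over_limit_action="reset", lockout_minutes=1, log=True))
    for t in (0, 100, 200, 300):
        print(t, limiter.new_connection("10.0.0.1", t))
    print("log:", limiter.log_entries)
```

The third attempt at 200 ms trips the concurrent limit and starts the lockout; the fourth is reset purely because of the lockout even though the client has not opened anything new, which is the behaviour to keep in mind when choosing a lockout period: a single burst from a shared NAT address locks out every client behind it.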
Match IP Address
By default, the AX device matches class-list entries based on the source IP address of client traffic. Optionally, you can match based on one of the following instead:
• Destination IP address – matches based on the destination IP address in
packets from clients.
• IP address in client packet header – matches based on the IP address in
the specified header in packets from clients. If you do not specify a
header name, this option uses the IP address in the X-Forwarded-For
header.
Configuring Source IP Limiting
You can configure multiple PBSLB policy templates with different IP limiting rules. You can use a given class list in one or more PBSLB policy templates.
• For system-wide source IP limiting, apply the PBSLB policy template
globally.
• For source IP limiting on an individual virtual server or virtual port,
apply the PBSLB policy template to the virtual server or virtual port.
Clients must comply with all IP limiting rules that are applicable to the client. For example, if you configure system-wide IP limiting and also configure IP limiting on an individual virtual server, clients must comply with the system-wide IP limits and with the IP limits applied to the individual virtual server accessed by the client.
4. In the Name field, enter the filename to use for the imported class list.
7. Click Open. The path and filename appear in the Source field. Go to
step 13.
8. To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Otherwise, the AX device will attempt to reach the remote server through a data interface.
10. In the Host field, enter the directory path and filename.
11. If needed, change the protocol port number in the Port field. By default, the standard port number for the selected file transfer protocol is used.
12. In the User and Password fields, enter the username and password
required for access to the remote server.
3. Click Create.
5. Select the system location in which to save the class list:
• File – The list is saved in a stand-alone file.
• Config – The list is saved in the startup-config.
Note: If the class list contains 100 or more entries, it is recommended to use the
File option.
A class list can be exported only if you use the File option.
Note: Make sure to use the same number when you configure the IP limiting
rule.
c. Click Add.
d. Repeat for each entry.
7. Click OK.
The file-name specifies the name the class list will have on the AX device.
The url specifies the file transfer protocol, username (if required), and
directory path.
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password. To enter the
entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
Of these, only scp protects the file and the login credentials in transit; tftp, ftp, and rcp send them in the clear.
You also can export class lists to a remote server, using the following command:
export class-list file-name url
The file option saves the class list as a separate file. Without this option, the
class list is instead saved in the startup-config. If the class list contains 100
or more entries, it is recommended to use the file option. The file option is
valid only when you create the class list. After you create the list, the list
remains either in the startup-config or in a separate file, depending on
whether you use the file option when you create the list.
Note: A class list can be exported only if you use the file option.
The class-list command creates the class list if it is not already configured,
and changes the CLI to the configuration level for the list.
[no] ipaddr /network-mask [glid num | lid num]
• To add an entry to the class list, use the command without “no”.
• To modify an entry, use the command without “no”. Use the same
source IP address as the entry to replace. Entries are keyed by source IP
address.
• To delete an entry, use “no” followed by the source IP address.
Applying a Class List to a PBSLB Policy
To apply a class list, use the following command at the configuration level
for the PBSLB policy that contains the IP limiting rules used by the class
list.
[no] class-list name name
After you configure the IP limiting rules and class list, and add the class list
to the PBSLB policy, you can activate the IP limits. See “Applying Source
IP Limits” on page 798.
3. Click Add to create a new template (or click on the name of an existing
template). The PBSLB Policy section appears.
7. Click OK.
Configuring Standalone IP Limiting Rules for System-Wide IP
Limiting
1. Select Config > Service > SLB.
4. Click OK.
The following commands are available at the configuration level for the IP
limiting rule.
[no] request-rate-limit num per num-of-100ms
This command specifies the maximum number of Layer 7 requests allowed
for the client within the specified limit period.
These commands are the same as the ones available at the IP limiting rule configuration level in PBSLB policy templates. (See “Configuring IP Limiting Rules in a PBSLB Policy Template” on page 796.)
To change the match IP address to one of these options, use the following command at the configuration level for the PBSLB policy template:
[no] class-list client-ip
{l3-dest | l7-header [header-name]}
The l3-dest option matches based on the destination IP address in packets
from clients.
3. Click on the virtual server name or click Add if you are configuring a
new virtual server.
4. If you are creating a new virtual server, enter the name, virtual IP
address, and other General settings.
5. Select the PBSLB policy template from the PBSLB Policy Template
drop-down list.
6. If you are creating a new virtual server, configure the virtual port settings as applicable to your deployment.
Applying Source IP Limiting to a Virtual Port
1. Access the configuration page for the virtual server. (For information,
see “Applying Source IP Limiting to a Virtual Server” on page 798.)
2. On the Virtual Server Port configuration page, select the PBSLB policy
template from the PBSLB Policy Template drop-down list.
Note: The AX device does not support using the system template policy command and the system pbslb command in the same configuration.
To display statistics for the feature, use the CLI. (See the following section.)
CLI Examples—Configuration
The examples in this section show how to configure IP limiting.
The following command imports the class list used by the policy:
AX(config)#import class-list global_list ftp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?global_list
The following command applies the policy to the system:
AX(config)#system template policy global_policy
The following command imports the class list used by the policy:
AX(config)#import class-list vs_list ftp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?vs_list
Configure IP Limiting on a Virtual Port
The commands in this example configure IP limiting for a virtual port.
The following command imports the class list used by the policy:
AX(config)#import class-list vp_list ftp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?vp_list
CLI Examples—Display
This section shows example show command output for IP limiting.
Class Lists
The following command displays the class-list files on the AX device:
AX#show class-list
Name IP Subnet Location
test 4 3 file
user-limit 14 4 config
Total: 2
Table 25 describes the fields in the command output.
The following commands show the closest matching entries for specific IP
addresses in class list “test”:
AX#show class-list test 1.1.1.1
1.1.1.1 /32 glid 1
AX#show class-list test 1.1.1.2
0.0.0.0 /0 lid 31
The class list contains an entry for 1.1.1.1, so that entry is shown. However,
since the class list does not contain an entry for 1.1.1.2 but does contain a
wildcard entry (0.0.0.0), the wildcard entry is shown.
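The class-list entry format introduced in the “Example Class Lists” section and the closest-match behaviour of show class-list shown above, as one added Python example. This is not code from the AX guide or from A10. It accepts the entry formats shown in the guide’s examples (ipaddr /mask, an optional lid n or glid n, and a “;” comment, which the AX device discards when it saves the list), keys entries by the address as written so that re-adding an address replaces the entry, and returns the longest matching prefix for a client address, with the 0.0.0.0 /0 wildcard catching everything else. The sample list is constructed from the guide’s examples; function and class names are this example’s own.

```python
"""Parser and closest-match lookup for AX-style class lists.

Added example, not code from the AX guide. The sample list is built from
the entry formats the guide shows; names are this example's own.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# ipaddr /mask [glid num | lid num]   (a ';' comment may follow and is stripped first)
ENTRY_RE = re.compile(
    r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s*/\s*(?P<mask>\d{1,2})"
    r"(?:\s+(?P<kind>glid|lid)\s+(?P<num>\d+))?$"
)


@dataclass(frozen=True)
class ClassEntry:
    network: ipaddress.IPv4Network
    kind: Optional[str]  # "lid" (rule in the PBSLB template), "glid" (global rule) or None
    num: Optional[int]   # rule number; None means the client is exempt from limiting

    def is_exempt(self) -> bool:
        return self.kind is None

    def __str__(self) -> str:
        text = f"{self.network.network_address} /{self.network.prefixlen}"
        return text if self.is_exempt() else f"{text} {self.kind} {self.num}"


def parse_class_list(text: str) -> dict[str, ClassEntry]:
    """Parse a class list; entries are keyed by the address as written."""
    entries: dict[str, ClassEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop the comment, as the AX does on save
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed class-list entry: {raw!r}")
        try:
            net = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        num = int(m["num"]) if m["num"] else None
        entries[m["addr"]] = ClassEntry(net, m["kind"], num)  # same address replaces
    return entries


def closest_match(entries: dict[str, ClassEntry], addr: str) -> Optional[ClassEntry]:
    """Longest-prefix match, like 'show class-list <name> <ip>'."""
    ip = ipaddress.IPv4Address(addr)
    best: Optional[ClassEntry] = None
    for entry in entries.values():
        if ip in entry.network and (best is None or entry.network.prefixlen > best.network.prefixlen):
            best = entry
    return best


# Constructed from the guide's example lists.
SAMPLE_LIST = """\
1.1.1.1 /32 glid 1
2.2.2.0 /24 lid 2 ; LID 2 applies to every single IP of this subnet
3.3.3.3 /32 glid 3
4.4.4.4 /32 ; No LID is applied (exception list)
0.0.0.0 /0 lid 31 ; LID 31 applied to every undefined single IP
"""


if __name__ == "__main__":
    entries = parse_class_list(SAMPLE_LIST)
    for client in ("1.1.1.1", "1.1.1.2", "2.2.2.77", "4.4.4.4"):
        print(f"{client:10} -> {closest_match(entries, client)}")
```

Note that the exception entry (4.4.4.4 /32) wins over the wildcard because it is more specific, which is exactly how an exempt host escapes a global limit; if such an entry is added by mistake with a short mask, it exempts the whole subnet, so review exception entries with the lookup before applying the list.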
IP Limiting Rules
The following command shows the configuration of each standalone IP limiting rule:
AX#show lid
lid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1
lid 2
conn-limit 20000
conn-rate-limit 2000 per 10
request-limit 200
request-rate-limit 200 per 1
over-limit-action reset log 3
lid 30
conn-limit 10000
conn-rate-limit 1000 per 1
over-limit-action forward log
IP Limiting Statistics
The following command shows IP limiting statistics for the entire system:
AX#show pbslb system
System LID statistics (lid 1):
Current connection: 1
Current connection rate: 0/s
Total over connection limit number: 0
Total over connection rate limit number: 0
Role-Based Administration
Overview
Figure 183 shows an example of an AX device with multiple partitions.
Admins assigned to the partition for A.com can add, modify, delete and save
only those resources contained in A.com's partition. Likewise, B.com's
admins can add, modify, delete and save only the resources in B.com's parti-
tion.
Resource Partitions
AX system resources are contained in partitions. The AX device has a single shared partition and can have multiple private partitions.
• Shared partition – The shared partition contains resources that can be configured only by admins with Root or Read Write privileges. By default, all resources are in the shared partition. There is one shared partition for the device and it is the default partition. The shared partition cannot be deleted.
• Private partitions – A private partition can be accessed only by the admins who are assigned to it, and by admins with Root, Read Write, or Read Only privileges. The AX device does not have any private partitions by default.
Private partitions can be created or deleted only by admins who have Root or Read Write privileges. A maximum of 128 partitions are supported.
The following types of SLB resources can be configured in private partitions:
• Virtual servers
• Service groups
• Templates
• Health monitors
• aFleX policies
All other types of resources can reside only in the shared partition and are
not configurable by admins assigned to private partitions.
Resource names must be unique within a partition. However, the same name
can be used for resources in different partitions. For example, partitions
“A.com” and “B.com” can each have a real server named “rs1”. The AX
device is able to distinguish between them.
Use of Shared Resources by Private Resources
SLB resources in private partitions can use SLB resources in the shared partition, but cannot use resources in other private partitions. For example, a virtual service port in a private partition can be configured to bind to a service group in the shared partition, as shown in the following GUI example.
aFleX Policies
By default, aFleX policies act upon resources within the partition that contains the aFleX policy. Some aFleX commands have an option to act upon service groups in the shared partition instead. (For more information, see the AX Series aFleX Reference.)
Partition Logos
Each private partition has a logo file associated with it. The logo appears in
the upper left corner of the Web GUI. By default, the A10 Networks logo is
used. Partition admins can replace the A10 Networks logo with a company
logo. The recommended logo size is 180x60 pixels.
The following examples show Web GUI pages for two private partitions. A
company-specific logo has been uploaded for each partition.
FIGURE 185 Configurable Partition Logos
Administrator Roles
The type of access (read-only or read-write) allowed to an admin, and the
partitions where the access applies, depend on that admin’s privilege level
(role). An admin account can have one of the privilege levels listed in
Table 26 on page 811.
Note: The “Partition” privilege levels apply specifically to admins who are
assigned to private partitions.
TABLE 26 Admin Privilege Levels (Continued)
Privilege Level (Role): Partition Read
  Access to Shared Partition: Read-only
  Access to Private Partition: Read-only, for the partition to which the admin is assigned
  Can configure other admin accounts: No
  Can change own password: No
Privilege Level (Role): Partition Real Server Operator
  Access to Shared Partition: None
  Access to Private Partition: Read-only for real servers, with permission to view service port statistics, and to disable or enable real servers and real server ports. No other read-only or read-write privileges are granted. All access is restricted to the partition to which the admin is assigned.
  Can configure other admin accounts: No
  Can change own password: No
1. Only the admin account named “admin” is allowed to configure other admin accounts, and cannot be deleted. Otherwise, the Root and Read-write privilege levels are the same.
2. The Root privilege level can also change the passwords of other admins.
All admins can view resources in the shared partition. However, the only admins who can add, modify, or delete resources in the shared partition are admins with Root or Read Write privileges. Admins who are assigned to a partition can view but not modify resources in the shared partition. Admins assigned to a partition cannot view the resources in any other private partition.
Only admins with Root or Read Write privileges can select the partition(s)
for which to save changes.
Admins with Real Server Operator privileges can view real servers within
the private partition and can disable or re-enable the real servers and their
individual service ports. These admins have no other privileges.
Configuring Role-Based Administration
3. Configure any SLB shared resources that you want to make available to
multiple private partitions. (For information about configuring SLB
resources, see the SLB configuration chapters in this guide.)
Note: This document shows how to set up partitions and assign admins to them. The partition admins will be able to configure their own SLB resources. However, you will need to configure connectivity resources such as interfaces, VLANs, routing, and so on. You also will need to configure any additional admin accounts for the partition.
Note: To configure admin accounts, you must be logged in with Root privileges.
5. To upload a logo for the partition, click Browse and navigate to the logo
file.
FIGURE 186 Config > System > Admin > Partition
FIGURE 187 Config > System > Admin > Partition - List
The partition-name can be 1-14 characters. (For information about the max-
aflex-file option, see “Changing the Maximum Number of aFleX Policies
Allowed in a Partition” on page 814.)
USING THE GUI
1. Select Config > System > Admin.
3. Select the partition. (Click the checkbox next to the partition name.)
4. Edit the number in the Max aFleX File field. You can specify 1-128.
5. Click OK.
Deleting a Partition
Only an admin with Root or Read Write privileges can delete a partition.
When a partition is deleted, all resources within the partition also are
deleted.
3. Select the partition. (Click the checkbox next to the partition name.)
4. Click Delete.
no partition [partition-name]
If you do not specify a partition name, the CLI displays a prompt to verify
whether you want to delete all partitions and the resources within them.
Enter “y” to confirm or “n” to cancel the request.
6. From the Partition drop-down list, select the partition to which you are
assigning the admin.
7. Click OK. The new admin appears in the admin list with their respective
partition logos.
FIGURE 188 Config > System > Admin > Admin Management
[no] privilege
{partition-write | partition-read |
partition-enable-disable}
partition-name
The admin command creates the admin account and changes the CLI to the configuration level for the account. The command syntax shown here includes the password option. You can specify the password with the admin command, or with the separate password command at the configuration level for the account. The default password is “a10”; set a password explicitly when you create the account rather than leaving this default in place.
The privilege command specifies the privilege level for the account and
assigns the account to a partition. (The partition-enable-disable option
gives Partition Real Server Operator privileges.)
CLI Example
The following commands configure two private partitions, “companyA”
and “companyB”, and verify that they have been created.
AX(config)#partition companyA
AX(config)#partition companyB
AX(config)#show partition
Max Number allowed: 128
Total Number of partitions configured: 2
Partition Name Max. aFleX File Allowed # of Admins
------------------------------------------------------
companyA 32 0
companyB 32 0
Viewing and Saving the Configuration
• P.R – The admin is assigned to a private partition and has Partition-read
(read-only) privileges within that partition.
• P.RS Op – The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers.
Admins with Root or Read Write privileges can save resources in any partition. Admins with Partition-write privileges can save only the resources within their own partition.
show running-config
[all-partitions | partition partition-name]
show startup-config
[all-partitions | partition partition-name]
If you enter the command without either option, the command shows only
the resources that are in the shared partition.
The all-partitions option shows all resources in all partitions. In this case,
the resources in the shared partition are listed first. Then the resources in
each private partition are listed, organized by partition.
If you specify a private partition-name, only the resources in that partition
are listed.
To save the configuration in the GUI, click the Save button on the title bar. The GUI automatically saves only the resources that are in the current partition view. For example, if the partition view is set to the “companyB” private partition, only the resources in that partition are saved.
write memory
[all-partitions | partition partition-name]
If you enter the command without either option, the command saves only
the changes for resources that are in the current partition.
The all-partitions option saves changes for all resources in all partitions.
If you specify a private partition-name, only the changes for the resources
in that partition are saved.
Note: The all-partitions and partition partition-name options are not applicable for admins with Partition-write privileges. Partition admins can only save their respective partitions. For these admins, the command syntax is the same as in previous releases. The options are available only to admins with Root or Read Write privileges.
Switching To Another Partition
To change the view to a private partition, use either of the following methods.
2. Click Yes.
3. Click the Refresh button next to the Partition drop-down list. You must
refresh the page in order for the view change to take effect.
Use the following command at the Privileged EXEC level of the CLI:
The following command changes the view to private partition “companyA”:
AX#active-partition companyA
Currently active partition: companyA
show active-partition

Synchronizing the Configuration
An admin with Root or Read Write privileges can specify any partition(s) to synchronize.
USING THE CLI
The ha sync commands have new options that enable you to specify the
partition. For admins with Root or Read Write privileges, here is the new
syntax for the ha sync commands:
ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ha sync startup-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ha sync running-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ha sync data-files
[all-partitions | partition partition-name]
For admins logged on with Partition Write privileges, the following syntax
is available:
ha sync data-files
Admins with Partition Write privileges are not allowed to synchronize to the
running-config or to reload the other AX device.
Operator Management of Real Servers
Note: Service port statistics are not available in the GUI. To display service port
statistics, use the CLI instead.
2. Select the checkbox next to each server you want to disable or re-enable,
or click Select All to select all of the servers.
Note: Although the GUI displays the Delete and New buttons, these buttons are
not supported for admins with Partition Real Server Operator privileges.
2. Select the checkbox next to each server for which you want to disable or
re-enable service ports, or click Select All to select all of the servers.
3. Click Edit.
5. Select the port numbers you want to disable or re-enable.
A single row appears for each port number. Selecting a row selects the
port number on each of the real servers you selected in step 2.
7. Click OK.
CLI Example
login as:compAoper
Welcome to AX
Using keyboard-interactive authentication.
Password:********
Last login: Wed Aug 20 08:58:45 2008 from 192.168.1.130
Use one of the following commands to change the state of the server:
{disable | enable}
To verify the state change, use the show slb server command.
Service Template Parameters
SLB Parameters
This chapter lists the parameters you can configure for Server Load Balancing (SLB).
Note: For information about server and port configuration templates, see
“Server and Port Templates” on page 361.
Table 29 lists the types of templates that are valid for each service type.
When you configure a virtual port, the AX device automatically adds any
default templates that are applicable to the service type. To override a
default template, you can configure another template of the same type and
bind that template to the virtual port instead.
For example, when you configure a virtual port that has the service type
Fast-HTTP, the following templates are automatically applied to the service
port:
• TCP
• HTTP
For information about the default settings in a template, see the section in
this chapter that describes the template.
A virtual port can have only one of each type of template that is valid for the
port’s service type, so when you add a template to the virtual port, the other
template of the same type is automatically removed from the virtual port.
1. To use a client-SSL template, you must install a valid certificate and key on the AX device, then configure the
template to refer to the certificate and key.
2. Destination-IP persistence templates apply only to wildcard virtual ports.
TABLE 28 Cache Template Parameters (Continued)

Parameter: Maximum object size
Description and Syntax: Maximum object size that can be cached. The AX device will not cache objects larger than this size.
  [no] max-content-size bytes
  Config > Service > Template > Application > RAM Caching
Supported Values: 1-8000000 bytes. Default: 81920 bytes (80 Kbytes)

Parameter: Minimum object size
Description and Syntax: Minimum object size that can be cached. The AX device will not cache objects smaller than this size.
  [no] min-content-size bytes
  Config > Service > Template > Application > RAM Caching
Supported Values: 1-8000000 bytes. Default: 500 bytes (1/2 Kbytes)

Parameter: Dynamic caching policy
Description and Syntax: Configures dynamic caching.
  [no] policy uri pattern {cache [seconds] | nocache | invalidate inv-pattern}
  The pattern option specifies the portion of the URI string to match on. The other options specify the action to take for URIs that match the pattern:
  • cache [seconds] – Caches the content. By default, the content is cached for the number of seconds configured in the template (set by the age command). To override the aging period set in the template, specify the number of seconds with the cache command.
  • nocache – Does not cache the content.
  • invalidate inv-pattern – Invalidates the content that has been cached for inv-pattern.
  Config > Service > Template > Application > RAM Caching
  Note: If a URI matches the pattern in more than one policy rule, the rule with the most specific match is used. Wildcard characters (for example: ? and *) are not supported in RAM Caching policies.
Supported Values: Valid URI pattern. Default: Not set

Parameter: Verify host
Description and Syntax: Enables the AX device to cache the host name in addition to the URI for cached content. Use this option if a real server that contains cacheable content will host more than one host name (for example, www.abc.com and www.xyz.com).
  [no] verify-host
  Config > Service > Template > Application > RAM Caching
Supported Values: Default: Disabled

Parameter: Age header insertion
Description and Syntax: Disables insertion of Age headers into cached responses.
  [no] disable-insert-age
  Config > Service > Template > Application > RAM Caching
Supported Values: Default: Disabled (Age header insertion is enabled.)

Parameter: Via header insertion
Description and Syntax: Enables insertion of Via headers into cached responses.
  [no] disable-insert-via
  Config > Service > Template > Application > RAM Caching
Supported Values: Default: Disabled (Age header insertion is enabled.)

Parameter: Cookie removal
Description and Syntax: Removes cookies from server replies so the replies can be cached. RAM caching does not cache server replies that contain cookies. (Image files are an exception. RAM caching can cache images that have cookies.)
  [no] remove-cookies
  Note: The current release does not support configuration of this option using the GUI.
Supported Values: Default: Disabled

Parameter: Replacement policy
Description and Syntax: Policy used to make room for new objects when the RAM cache is full. When the RAM cache becomes more than 90% full, the AX device discards the least-frequently used objects to ensure there is sufficient room for new objects.
  [no] replacement-policy LFU
  Config > Service > Template > Application > RAM Caching
Supported Values: The policy supported in the current release is Least Frequently Used (LFU). Default: LFU
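The size limits, the cookie rule and the most-specific-match rule in Table 28 combine to decide what a RAM Caching template will actually store. The following Python model is an added example, not A10 code and not the device's implementation. Its assumptions, none of which the table states, are: a policy pattern matches when the request URI starts with it; "most specific" means the longest matching pattern; a reply with no matching policy is cacheable subject to the size and cookie rules; and 3600 seconds stands in for the template's age setting, whose default this page does not give.

```python
"""Decision model for the RAM Caching template parameters in Table 28.
Added example, not A10 code.  Assumptions not stated on the page: a policy
pattern matches when the request URI starts with it; "most specific" means the
longest matching pattern; a reply with no matching policy is cacheable subject
to the size and cookie rules; and 3600 s stands in for the template's age
setting, whose default this page does not give."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CachePolicy:
    pattern: str                        # portion of the URI to match on
    action: str                         # cache | nocache | invalidate
    seconds: Optional[int] = None       # cache [seconds]: overrides the template age
    inv_pattern: Optional[str] = None   # invalidate inv-pattern


@dataclass
class CacheTemplate:
    age: int = 3600                     # assumed stand-in for the age command
    max_content_size: int = 81920       # page default: 80 Kbytes
    min_content_size: int = 500         # page default
    remove_cookies: bool = False        # page default: disabled
    policies: List[CachePolicy] = field(default_factory=list)


def policy_is_valid(pattern: str) -> bool:
    """Wildcard characters (? and *) are not supported in RAM Caching policies."""
    return not any(ch in "?*" for ch in pattern)


def select_policy(uri: str, policies: List[CachePolicy]) -> Optional[CachePolicy]:
    """Return the most specific matching policy rule, or None if no rule matches."""
    best = None
    for p in policies:
        if not policy_is_valid(p.pattern):
            raise ValueError("wildcards are not supported: " + p.pattern)
        if uri.startswith(p.pattern) and (best is None or len(p.pattern) > len(best.pattern)):
            best = p
    return best


def cache_decision(tmpl: CacheTemplate, uri: str, content_length: int,
                   content_type: str, has_set_cookie: bool) -> Tuple[str, int]:
    """Return (action, ttl_seconds): action is 'cache', 'nocache' or 'invalidate:<inv-pattern>'."""
    policy = select_policy(uri, tmpl.policies)
    if policy is not None and policy.action == "nocache":
        return "nocache", 0
    if policy is not None and policy.action == "invalidate":
        return "invalidate:" + (policy.inv_pattern or ""), 0
    # objects outside the configured size window are never cached
    if not tmpl.min_content_size <= content_length <= tmpl.max_content_size:
        return "nocache", 0
    # replies carrying cookies are not cached, except images, unless remove-cookies
    # strips the cookie before the reply is stored
    if has_set_cookie and not content_type.startswith("image/") and not tmpl.remove_cookies:
        return "nocache", 0
    ttl = policy.seconds if policy is not None and policy.seconds is not None else tmpl.age
    return "cache", ttl
```

The order of the checks matters: a nocache or invalidate rule wins before any size or cookie test, so a more specific nocache pattern under a broader cache pattern is the way to keep one subtree of a cacheable path out of the cache.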
TABLE 29 Client SSL Template Parameters (Continued)

Parameter: Certificate Authority (CA) certificate name
Description and Syntax: Name of the Certificate Authority (CA) certificate to use for validating client certificates.
  [no] ca-cert cert-name
  Config > Service > Template > SSL > Client SSL
  Note: To use the certificate, you must import it onto the AX device. (See “Importing SSL Certificates” on page 467.)
Supported Values: Name of a CA certificate imported onto the AX device

Parameter: Certificate name
Description and Syntax: Certificate to use for terminating or initiating SSL connections with clients.
  [no] cert cert-name
  Config > Service > Template > SSL > Client SSL
  Note: To use the certificate, you must import it onto the AX device. (See “Importing SSL Certificates” on page 467.)
Supported Values: Name of a certificate imported onto the AX device

Parameter: Certificate key-chain name
Description and Syntax: Chain of certificates to use for terminating or initiating SSL connections with clients.
  [no] chain-cert chain-cert-name
  Config > Service > Template > SSL > Client SSL
Supported Values: String of 1-31 characters

Parameter: Certificate key
Description and Syntax: Key for the certificate, and the passphrase used to encrypt the key.
  [no] key key-name [passphrase passphrase-string]
  Config > Service > Template > SSL > Client SSL
Supported Values: Key name: string of 1-31 characters. Passphrase: string of 1-16 characters. Default: None configured

Parameter: AX response to connection request from client
Description and Syntax: Action that the AX device takes in response to a client’s connection request.
  [no] client-certificate {ignore | request | require}
  Config > Service > Template > SSL > Client SSL
Supported Values: One of the following:
  • ignore – The AX device does not request the client to send its certificate.
  • request – The AX device requests the client to send its certificate. With this action, the SSL handshake proceeds even if either of the following occurs:
    • The client sends a NULL certificate (one with zero length).
    • The certificate is invalid, causing client verification to fail.
    Use this option if you want the request to trigger an aFleX policy for further processing.
  • require – The AX device requires the client certificate. This action requests the client to send its certificate. However, the SSL handshake does not proceed (it fails) if the client sends a NULL certificate or the certificate is invalid.
  Default: ignore

Parameter: Certificate Revocation List (CRL)
Description and Syntax: CRL to use for verifying that client certificates have not been revoked. When you add a CRL to a client SSL template, the AX device checks the CRL to ensure that the certificates presented by clients have not been revoked by the issuing CA.
  [no] crl filename
  Config > Service > Template > SSL > Client SSL
  Note: If you plan to use a CRL, you must set the Mode to Require.
  Note: To use the CRL, you must import it onto the AX device. (See “Importing SSL Certificates” on page 467.)
Supported Values: Name of a CRL imported onto the AX device

Parameter: Session cache size
Description and Syntax: Maximum number of cached sessions for SSL session ID reuse.
  [no] session-cache-size number
  Config > Service > Template > SSL > Client SSL
Supported Values: 0-131072. Default: 0 (session ID reuse is disabled)

Parameter: Ciphers
Description and Syntax: Cipher suite to support for decrypting certificates from clients.
  [no] cipher
  Config > Service > Template > SSL > Client SSL - Cipher
Supported Values: One or more of the following:
  • SSL3_RSA_DES_192_CBC3_SHA
  • SSL3_RSA_DES_40_CBC_SHA
  • SSL3_RSA_DES_64_CBC_SHA
  • SSL3_RSA_RC4_128_MD5
  • SSL3_RSA_RC4_128_SHA
  • SSL3_RSA_RC4_40_MD5
  • TLS1_RSA_AES_128_SHA
  • TLS1_RSA_AES_256_SHA
  • TLS1_RSA_EXPORT1024_RC4_56_MD5
  • TLS1_RSA_EXPORT1024_RC4_56_SHA
  Default: All the above are enabled.

Parameter: Close notification
Description and Syntax: Closure alerts for SSL sessions. When this option is enabled, the AX device sends a close_notify message when an SSL transaction ends, before sending a FIN. This behavior is required by certain types of client applications, including PHP cgi. For this type of client, if the AX device does not send a close_notify, an error or warning appears on the client.
  [no] close-notify
  Config > Service > Template > SSL > Client SSL - Cipher
Supported Values: Enabled or disabled. Default: disabled
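The client-certificate modes and the CRL note in Table 29 interact: request lets the handshake continue on a NULL or invalid certificate, require fails it, and a CRL is only usable with require. The following Python model is an added example, not A10 code and not the device's handshake logic. The presented certificate is an abstract record with a precomputed verification result, and the CRL is a set of revoked serial numbers standing in for an imported CRL file; both are this example's constructions.

```python
"""Handshake-outcome model for the client-certificate and crl parameters of
Table 29.  Added example, not A10 code: the presented certificate is an abstract
record (constructed fields), and the CRL is a set of revoked serial numbers
standing in for an imported CRL file."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MODES = ("ignore", "request", "require")


@dataclass
class ClientCert:
    serial: str
    verified: bool   # result of chain validation against the ca-cert (assumed precomputed)


@dataclass
class ClientSslTemplate:
    client_certificate: str = "ignore"      # page default
    crl: Optional[Set[str]] = None          # revoked serials; None means no CRL bound


def template_errors(tmpl: ClientSslTemplate) -> List[str]:
    """Configuration checks drawn from the table: a valid mode, and a CRL only with require."""
    errors = []
    if tmpl.client_certificate not in MODES:
        errors.append("client-certificate must be ignore, request or require")
    if tmpl.crl is not None and tmpl.client_certificate != "require":
        errors.append("crl requires client-certificate require")
    return errors


def handshake_outcome(tmpl: ClientSslTemplate,
                      presented: Optional[ClientCert]) -> Tuple[bool, str]:
    """Return (handshake_proceeds, reason).  presented=None models a NULL
    (zero-length) certificate."""
    errs = template_errors(tmpl)
    if errs:
        raise ValueError("; ".join(errs))
    mode = tmpl.client_certificate
    if mode == "ignore":
        # the AX device never asks for a certificate, so none is evaluated
        return True, "certificate not requested"
    # request and require both ask for a certificate; they differ only in
    # whether a NULL or invalid certificate stops the handshake
    tolerant = mode == "request"
    if presented is None:
        return tolerant, "null certificate"
    if not presented.verified:
        return tolerant, "verification failed"
    if tmpl.crl is not None and presented.serial in tmpl.crl:
        return False, "certificate revoked"
    return True, "certificate verified"
```

In request mode the reason string is what an aFleX policy would have to act on, since the handshake itself never fails; template_errors makes the CRL rule checkable before that logic runs. Separately, the cipher list in the same table includes 40-bit DES, RC4 and export-grade suites and all of them are enabled by default, so an operator who needs a restricted set has to configure it explicitly.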
TABLE 30 Connection Reuse Template Parameters (Continued)

Parameter: Connection limit
Description and Syntax: Maximum number of reusable connections per server port.
  The smart flow control option queues HTTP packets from clients when a server port reaches its configured connection limit, instead of dropping the packets.
  [no] limit-per-server number [smart-flow-control queue-depth]
  Config > Service > Template > Connection Reuse
Supported Values: Limit-per-server – 0-65535. For unlimited connections, specify 0. Queue-depth for smart flow control – 1-32000.
  Defaults:
  • Limit-per-server: 1000
  • Smart flow control: disabled. If this option is enabled, the default queue depth is 1000.

Parameter: Connection keepalive
Description and Syntax: Number of new reusable connections to open before beginning to reuse existing connections. You can specify 1-1024 connections.
  [no] keep-alive-conn number
  Config > Service > Template > Connection Reuse
Supported Values: 1-1024 connections. Default: 100

Parameter: Connection idle timeout
Description and Syntax: Maximum number of seconds a connection can remain idle before it times out.
  [no] timeout seconds
  Config > Service > Template > Connection Reuse
Supported Values: 0-3600 seconds. To disable timeout, specify 0. Default: 2400 seconds (40 minutes)
TABLE 31 Cookie Persistence Template Parameters (Continued)

Parameter: Domain
Description and Syntax: Adds the specified domain name to the cookie.
  [no] domain domain-name
  Config > Service > Template > Persistent > Cookie Persistence
Supported Values: Valid domain name. Default: Not set

Parameter: Path
Description and Syntax: Adds path information to the cookie.
  [no] path path-name
  Config > Service > Template > Persistent > Cookie Persistence
Supported Values: 1-31 characters. Default: “/”

Parameter: Insert always
Description and Syntax: Specifies whether to insert a new persistence cookie in every reply, even if the request already had an AX cookie.
  [no] insert-always
  Config > Service > Template > Persistent > Cookie Persistence
Supported Values: Enabled or disabled. Default: Disabled. The AX device inserts a persistence cookie only if the client request does not contain a persistence cookie inserted by the AX device, or if the server referenced by the cookie is unavailable.

Parameter: Match type
Description and Syntax: Changes the granularity of cookie persistence:
  • Port – The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client will be sent to the same real port on the same real server.
  • Server – The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client for the same VIP are sent to the same real server. (This assumes that all virtual ports of the VIP use the same cookie persistence template with match-type set to Server.)
  • Service Group – Enables support for URL switching or host switching along with cookie persistence. Without this option, URL switching or host switching can be used only for the initial request from the client. After the initial request, subsequent requests are always sent to the same service group.
  Note: To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
  [no] match-type {server | service-group}
  Config > Service > Template > Persistent > Cookie Persistence
Supported Values: One of the following:
  • Port (selectable in the GUI but not in the CLI)
  • Server
  • Service-group
  Default: Port

Parameter: Cookie name
Description and Syntax: Specifies the name of the persistence cookie. The format of the cookie depends on the match type.
  [no] name cookie-name
  Config > Service > Template > Persistent > Cookie Persistence
Supported Values: String of 1-63 characters. Default: sto-id

Parameter: Ignore connection limits
Description and Syntax: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent cookie.
  [no] dont-honor-conn-rules
  Config > Service > Template > Persistent > Cookie Persistence
Supported Values: Enabled or Disabled. Default: Disabled. By default, the connection limit set on real servers and real ports is used.
TABLE 32 Destination-IP Persistence Template Parameters (Continued)

Parameter: Match type
Description and Syntax: Granularity of persistence:
  • Port – Traffic from a given client to the same virtual port is always sent to the same real port. This is the most granular setting.
  • Server – Traffic from a given client to the same VIP is always sent to the same real server, for any service port requested by the client.
  • Service-group – This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is performed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected.
  Note: To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
  [no] match-type {server | service-group}
  Config > Service > Template > Persistent > Destination IP Persistence
Supported Values: One of the following:
  • Port (selectable in the GUI but not in the CLI)
  • Server
  • Service-group
  Default: Port

Parameter: Netmask
Description and Syntax: Granularity of IP address hashing for initial server port selection. You can specify an IPv4 network mask in dotted decimal notation.
  • To configure initial server port selection to occur once per destination VIP subnet, configure the network mask to indicate the subnet length. For example, to select a server port once for all requested VIPs within a subnet such as 10.10.10.x, 192.168.1.x, and so on (“class C” subnets), use mask 255.255.255.0. SLB selects a server port for the first request to the given VIP subnet, then sends all other requests for the same VIP subnet to the same port.
  • To configure initial server port selection to occur independently for each requested VIP, use mask 255.255.255.255. (This is the default.)
  [no] netmask ipaddr
  Config > Service > Template > Persistent > Destination IP Persistence
Supported Values: Valid IPv4 network mask. Default: 255.255.255.255

Parameter: Timeout
Description and Syntax: Number of minutes the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server.
  [no] timeout timeout-minutes
  Config > Service > Template > Persistent > Destination IP Persistence
Supported Values: 1-2000 minutes (about 33 hours). Default: 5 minutes

Parameter: Ignore connection limits
Description and Syntax: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent client source IP address.
  [no] dont-honor-conn-rules
  Config > Service > Template > Persistent > Destination IP Persistence
Supported Values: Enabled or Disabled. Default: Disabled. By default, the connection limit set on real servers and real ports is used.
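The Netmask and Timeout rows of Table 32 together describe a persistence table keyed by the masked VIP address and aged by idle time: a /24 mask makes one entry serve every VIP in a class C subnet, and each request refreshes the entry's timer. The following Python class is an added example, not A10 code and not the device's data structure. It assumes a round-robin stand-in for the configured load-balancing method on a table miss, and takes the clock as an explicit argument so the expiry rule can be exercised offline.

```python
"""Persistence-table model for the netmask and timeout parameters of Table 32.
Added example, not A10 code.  Assumptions: the real port chosen on a table miss
comes from a round-robin stand-in for the configured load-balancing method, and
time is passed in explicitly (seconds) so the aging rule can be checked offline."""
import ipaddress
import itertools
from typing import Dict, List, Tuple


class DestIpPersistence:
    def __init__(self, real_ports: List[str], netmask: str = "255.255.255.255",
                 timeout_minutes: int = 5):
        if not 1 <= timeout_minutes <= 2000:          # page range: 1-2000 minutes
            raise ValueError("timeout must be 1-2000 minutes")
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.timeout_s = timeout_minutes * 60
        self._lb = itertools.cycle(real_ports)        # stand-in for the LB method
        self._table: Dict[int, Tuple[str, float]] = {}  # masked VIP -> (real port, last use)

    def key(self, vip: str) -> int:
        """Apply the netmask: /32 gives one entry per VIP, /24 one per class C subnet."""
        return int(ipaddress.IPv4Address(vip)) & self.mask

    def select(self, vip: str, now: float) -> str:
        """Return the real port for this VIP, reusing a live mapping or selecting anew."""
        k = self.key(vip)
        entry = self._table.get(k)
        if entry is not None and now - entry[1] <= self.timeout_s:
            port = entry[0]                 # persistent mapping still valid
        else:
            port = next(self._lb)           # expired or first request: select anew
        self._table[k] = (port, now)        # traffic refreshes the idle timer
        return port

    def active_entries(self, now: float) -> int:
        """Number of mappings that have not yet aged out at time `now`."""
        return sum(1 for _, last in self._table.values() if now - last <= self.timeout_s)
```

Widening the mask trades granularity for table size: with 255.255.255.0 a burst of requests to many VIPs in one subnet still produces a single entry, which is the point of the "once per destination VIP subnet" setting.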
TABLE 34 HTTP Template Parameters (Continued)

Parameter: Retry and reassignment when server replies with 5xx status code
Description and Syntax: Configures the AX device to retry sending a client’s request to a service port that replies with an HTTP 5xx status code, and reassign the request to another server if the first server replies with a 5xx status code.
  The first command shown below stops using a service port for 30 seconds after reassignment. The second command does not.
  [no] retry-on-5xx num
  [no] retry-on-5xx-per-req num
  Config > Service > Template > Application > HTTP
Supported Values: 1-3. Default: Disabled. The AX device sends the 5xx status code to the client. When you enable this option, the default number of retries is 3.
Parameter: Compression
Description and Syntax: Offloads Web servers from CPU-intensive HTTP compression operations.
  [no] compression {enable | content-type content-string | exclude-content-type content-string | exclude-uri uri-string | keep-accept-encoding enable | level number | minimum-content-length number}
  Config > Service > Template > Application > HTTP
  Note: Compression is supported only for HTTP and HTTPS virtual ports. Compression is not supported on fast-HTTP virtual ports.
Supported Values: Any of the following:
  • enable – Enables compression.
  • content-type – Specifies the types of content to compress, based on a string in the content-type header of the HTTP response. The content-string can be 1-31 characters long.
  • exclude-content-type – Specifies the types of content to exclude from compression.
  • exclude-uri – Specifies URI strings (up to 31 characters) to exclude from compression.
  • keep-accept-encoding enable – Leaves the Accept-Encoding header in HTTP requests from clients instead of removing the header.
  • level – Specifies the compression level, 1-9. Each level provides a higher compression ratio, beginning with level 1, which provides the lowest compression ratio. A higher compression ratio results in a smaller file size after compression. However, higher compression levels also require more CPU processing than lower compression levels, so performance can be affected.
  • minimum-content-length – Specifies the minimum length (in bytes) a server response can be in order to be compressed. The length applies to the content only and does not include the headers. You can specify 0-2147483647 bytes.
  Compression is disabled by default. When it is enabled, the compression options have the following defaults:
  • content-type – “text” and “application” included by default
  • exclude-content-type – not set
  • exclude-content – not set
  • keep-accept-encoding – disabled
  • level – 1
  • minimum-content-length – 120 bytes

Parameter: Header insert / replace
Description and Syntax: Inserts the specified header into an HTTP request or reply.
  [no] request-header-insert field:value [insert-always | insert-if-not-exist]
  [no] response-header-insert field:value [insert-always | insert-if-not-exist]
  Config > Service > Template > Application > HTTP
  Note: These options are not supported with the fast-http service type. The AX device does not allow an HTTP template with any of the header erase or header insert options to be bound to a fast-http virtual port. Likewise, the AX device does not allow header options to be added to an HTTP template that is already bound to a fast-http virtual port.
Supported Values: String of 1-256 characters. Default: Not set

Parameter: Header erase
Description and Syntax: Erases the specified header from an HTTP request or reply.
  [no] request-header-erase field
  [no] response-header-erase field
  Config > Service > Template > Application > HTTP
  Note: These options are not supported with the fast-http service type. The AX device does not allow an HTTP template with any of the header erase or header insert options to be bound to a fast-http virtual port. Likewise, the AX device does not allow header options to be added to an HTTP template that is already bound to a fast-http virtual port.
  Note: You can use URL switching or Host switching in an HTTP template, but not both.
Supported Values: String of 1-256 characters. Default: Not set
Parameter: Host switching
Description and Syntax: Selects a service group based on the value in the Host field of the HTTP header. The selection overrides the service group configured on the virtual port.
  If the host-string does not match, the service group configured on the virtual port is used.
  Selection is performed using the following match filters:
  • starts-with host-string – matches only if the hostname or IP address starts with host-string.
  • contains host-string – matches if the host-string appears anywhere within the hostname or host IP address.
  • ends-with host-string – matches only if the hostname or IP address ends with host-string.
  The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used.
  If a host name matches on more than one match filter of the same type, the most specific match is used.
  [no] host-switching {starts-with | contains | ends-with} host-string service-group service-group-name
  Config > Service > Template > Application > HTTP
  Note: You can use URL switching or Host switching in an HTTP template, but not both. However, if you need to use both types of switching, you can do so with an aFleX script.
Supported Values: Each host string can be all or part of an IP address or host name. Default: Not set

Parameter: Client IP insert
Description and Syntax: Inserts the client’s source IP address into HTTP headers.
  [no] insert-client-ip [http-fieldname] [replace]
  Config > Service > Template > Application > HTTP
Supported Values: String of 1-256 characters. Default: Not set. When you enable this option, the client IP address is inserted into the X-ClientIP field by default, without replacing any client IP addresses already in the field.

Parameter: Redirect rewrite
Description and Syntax: Modifies redirects sent by servers by rewriting the matching URL string to the specified value before sending the redirects to clients.
  [no] redirect-rewrite match url-string rewrite-to url-string
  Config > Service > Template > Application > HTTP
Supported Values: Strings of 1-256 characters. Default: Not set
Parameter: Redirect rewrite secure
Description and Syntax: Changes HTTP redirects sent by servers into HTTPS redirects before sending the redirects to clients.
  [no] redirect-rewrite secure {port tcp-portnum}
  Config > Service > Template > Application > HTTP
Supported Values: Strings of 1-256 characters. Default: Not set

Parameter: Strict transaction switching
Description and Syntax: Forces the AX device to perform the server selection process anew for every HTTP request. Without this option, the AX device reselects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options.
  [no] strict-transaction-switch
  Config > Service > Template > Application > HTTP
Supported Values: Enabled or disabled. Default: Disabled

Parameter: URL switching
Description and Syntax: Selects a service group based on the URL string requested by the client. The selection overrides the service group configured on the virtual port.
  [no] url-switching {starts-with | contains | ends-with} url-string service-group service-group-name
  If the URL-string does not match, the service group configured on the virtual port is used.
  Selection is performed using the following match filters:
  • starts-with url-string – matches only if the URL starts with url-string.
  • contains url-string – matches if the url-string appears anywhere within the URL.
  • ends-with url-string – matches only if the URL ends with url-string.
  The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used.
  If a URL matches on more than one match filter of the same type, the most specific match is used.
  Config > Service > Template > Application > HTTP
  Note: You can use URL switching or Host switching in an HTTP template, but not both. However, if you need to use both types of switching, you can do so with an aFleX script.
Supported Values: Strings of 1-256 characters. Default: Not set
P e r f o r m a n c e b y
D e s i g n 847 of 960
Document No.: D-030-01-00-0006 - Ver. 2.4.3 11/3/2010
AX Series - Configuration Guide
Service Template Parameters
TABLE 34 HTTP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Parameter: URL hash persistence (also called URL hash switching)
Description and Syntax:
  Selects a service group based on the hash value of the first or last bytes of the URL string. The bytes option specifies how many bytes to use to calculate the hash value.
  Optionally, you can use URL hashing with either URL switching or host switching. Without URL switching or host switching configured, URL hash switching uses the hash value to choose a server within the default service group. If URL switching or host switching is configured, for each HTTP request, the AX device first selects a service group based on the URL or host switching values, then calculates the hash value and uses it to choose a server within the selected service group.
  The use-server-status option enables server load awareness, which allows servers to act as backups to other servers, based on server load. (This option requires some custom configuration on the server. For information, see “URL Hash Switching with Server Load Awareness” on page 136.)
  [no] url-hash-persist {first | last} bytes [use-server-status]
  Config > Service > Template > Application > HTTP
Supported Values:
  First or last
  4-128 bytes
  Default: Not set
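The two-stage selection described in the URL switching and URL hash persistence rows (fixed filter order, most specific match within a type, then a hash over the first or last bytes to pick a member of the chosen group), as an added model that is not A10 code. It assumes "most specific" means the longest matching url-string and uses CRC-32 modulo the member count as the hash; the guide specifies neither, and the rules and member lists are constructed.

```python
"""Model of HTTP-template URL switching followed by URL hash persistence."""
import zlib
from typing import List, Tuple

# Match filters are applied in this fixed order, regardless of config order.
MATCH_ORDER = ("starts-with", "contains", "ends-with")


def _matches(kind: str, url: str, pattern: str) -> bool:
    if kind == "starts-with":
        return url.startswith(pattern)
    if kind == "contains":
        return pattern in url
    if kind == "ends-with":
        return url.endswith(pattern)
    raise ValueError(f"unknown match type {kind!r}")


def select_service_group(url: str,
                         rules: List[Tuple[str, str, str]],
                         default_group: str) -> str:
    """Return the service group for `url`.

    rules: (match_type, url_string, service_group) tuples in any order, as
    they would appear in the template. Falls back to the virtual port's
    default service group when no filter matches.
    """
    for kind in MATCH_ORDER:
        hits = [(pat, grp) for (k, pat, grp) in rules
                if k == kind and _matches(kind, url, pat)]
        if hits:
            # Most specific match of this type wins (assumed: longest string).
            return max(hits, key=lambda h: len(h[0]))[1]
    return default_group


def url_hash_member(url: str, position: str, nbytes: int,
                    members: List[str]) -> str:
    """Pick a member of a service group from a hash of the URL's first or
    last `nbytes` bytes (url-hash-persist {first | last} bytes)."""
    if position not in ("first", "last"):
        raise ValueError("position must be 'first' or 'last'")
    if not 4 <= nbytes <= 128:
        raise ValueError("bytes must be 4-128")
    data = url.encode()
    chunk = data[:nbytes] if position == "first" else data[-nbytes:]
    # CRC-32 is an assumption; the guide does not name the hash function.
    return members[zlib.crc32(chunk) % len(members)]


def route(url: str, rules, default_group: str, groups: dict,
          hash_position: str, hash_bytes: int) -> Tuple[str, str]:
    """Service-group selection first, then the hash within that group."""
    grp = select_service_group(url, rules, default_group)
    return grp, url_hash_member(url, hash_position, hash_bytes, groups[grp])


# Constructed template: note the config order differs from the match order.
RULES = [
    ("ends-with", ".jpg", "sg-img"),
    ("contains", "/api/", "sg-api"),
    ("starts-with", "/api", "sg-api-legacy"),
    ("starts-with", "/api/v2", "sg-api-v2"),
]
GROUPS = {
    "sg-img": ["img1:80", "img2:80"],
    "sg-api": ["api1:8080"],
    "sg-api-legacy": ["old1:8080"],
    "sg-api-v2": ["v2a:8080", "v2b:8080", "v2c:8080"],
    "sg-default": ["web1:80", "web2:80"],
}

if __name__ == "__main__":
    for u in ("/api/v2/users", "/x/api/list", "/static/pic.jpg", "/index.html"):
        print(u, "->", route(u, RULES, "sg-default", GROUPS, "last", 8))
```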
Parameter: Session termination for non-compliant HTTP 1.1 clients
Description and Syntax:
  Enables the AX device to terminate HTTP 1.1 client connections when the “Connection: close” header exists in the HTTP request. This option is applicable to connection-reuse deployments that have HTTP 1.1 clients that are not compliant with the HTTP 1.1 standard. Without this option, sessions for non-compliant HTTP 1.1 clients are not terminated.
  [no] term-11client-hdr-conn-close
  Note: The current release does not support configuration of this option using the GUI.
Supported Values:
  Enabled or disabled
  Default: disabled
TABLE 35 Policy Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Parameter: Action
Description and Syntax:
  Specifies the action to take for clients in the black/white list.
  [no] bw-list id id {service service-group-name | drop | reset} [logging [minutes] [fail]]
  Config > Service > Template > Application > SLB Policy
  Note: If the option to use default selection if preferred server selection fails is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.
Supported Values:
  The following settings are configurable:
  • List ID – ID of the black/white list.
  • Group ID – Group ID in the black/white list.
  • Service-group name – Name of a service group on the AX Series device.
  • Action:
    • Drop – Drops new connections until the number of concurrent connections on the virtual port falls below the port’s connection limit. (The connection limit is set in the black/white list.)
    • Reset – Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.
  • Logging – Enables logging. You can specify the number of minutes between log messages. This option reduces overhead caused by frequent recurring messages. You can specify a logging interval from 0 to 60 minutes. To send a separate message for each event, set the interval to 0.
  Defaults:
  • List ID – None
  • Group ID – None
  • Action – Not set
  • Logging – Disabled. If you enable logging, the default for minutes is 3.
Parameter: Overlap
Description and Syntax:
  Matches black/white list entries based on the client’s destination IP address.
  [no] overlap
  Config > Service > Template > Application > Policy
Supported Values:
  Enabled or Disabled
  Default: Disabled. Matching is based on the client’s source IP address.
Parameter: Matching based on destination IP address
Description and Syntax:
  Matches black/white list entries based on the client’s destination IP address.
  [no] bw-list use-destination-ip
  Config > Service > Template > Application > Policy
Supported Values:
  Enabled or Disabled
  Default: Disabled. Matching is based on the client’s source IP address.
Parameter: Class list IP address matching
Description and Syntax:
  Specifies the IP address to use for matching entries in an IP class list.
  • Destination IP address – Matches based on the destination IP address instead of the source IP address.
  • IP address in HTTP request – Matches based on the IP address in a header in the HTTP request. You can specify the header when you enable this option.
  [no] class-list client-ip {l3-dest | l7-header [header-name]}
  Config > Service > Template > Application > Policy
Supported Values:
  Client IP address, destination IP address, or request header.
  Default: Matching is based on the client’s source IP address.
Parameter: Class list name
Description and Syntax:
  Applies an IP class list to the template.
  [no] class-list name name
  Config > Service > Template > Application > Policy
Supported Values:
  Name of a configured class list
  Default: not set
Parameter: Class list IP limiting rule
Description and Syntax:
  Configures an IP limiting rule for the IP limiting feature. IP limiting rules have the following parameters:
  • Limit ID (LID) – Number from 1-31 that identifies the rule.
  • Connection limit – Maximum number of concurrent connections allowed for a client.
  • Connection-rate limit – Maximum number of new connections allowed for a client within the limit period.
  • Request limit – Maximum number of concurrent Layer 7 requests allowed for a client.
  • Request-rate limit – Maximum number of Layer 7 requests allowed for a client within the limit period.
  • Over-limit action – Action to take when a client exceeds one or more of the limits. The action can be one of the following:
    • Drop – The AX device drops that traffic. If logging is enabled, the AX device also generates a log message.
    • Forward – The AX device forwards the traffic. If logging is enabled, the AX device also generates a log message.
    • Reset – For TCP, the AX device sends a TCP RST to the client. If logging is enabled, the AX device also generates a log message.
  • Lockout period – Number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit.
  • Logging – Generates log messages when clients exceed a limit. When you enable logging, a separate message is generated for each over-limit occurrence, by default. You can specify a logging period, in which case the AX device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period.
Supported Values:
  Valid values:
  • Limit ID (LID) – 1-31
  • Connection limit – 1-1048575
  • Connection-rate limit – 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
  • Request limit – 1-1048575
  • Request-rate limit – 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
  • Over-limit action – Drop, Forward, or Reset
  • Lockout period – 1-1023 minutes
  • Logging – Enabled or disabled. The logging period can be 0-255 minutes.
  Default:
  • Limit ID (LID) – None
  • Connection limit – None
  • Connection-rate limit – None
  • Request limit – None
  • Request-rate limit – None
  • Over-limit action – Drop
  • Lockout period – None
  • Logging – Disabled. When logging is enabled, the default logging period is 0 (no wait period).
Parameter: Geo-location statistics sharing
Description and Syntax:
  Enables sharing of PBSLB statistics counters for all virtual servers and virtual ports that use the template. This option causes the following counters to be shared:
  • Permit
  • Deny
  • Connection number
  • Connection limit
  [no] geo-location share
  Note: The current release does not support configuration of this option using the GUI.
  Note: It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect.
Supported Values:
  Disabled
TABLE 36 Server SSL Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Parameter: Ciphers
Description and Syntax:
  Cipher suite to support for decrypting certificates from servers.
  [no] cipher
  Config > Service > Template > SSL > Server SSL
Supported Values:
  One or more of the following:
  • SSL3_RSA_DES_192_CBC3_SHA
  • SSL3_RSA_DES_40_CBC_SHA
  • SSL3_RSA_DES_64_CBC_SHA
  • SSL3_RSA_RC4_128_MD5
  • SSL3_RSA_RC4_128_SHA
  • SSL3_RSA_RC4_40_MD5
  • TLS1_RSA_AES_128_SHA
  • TLS1_RSA_AES_256_SHA
  • TLS1_RSA_EXPORT1024_RC4_56_MD5
  • TLS1_RSA_EXPORT1024_RC4_56_SHA
  Default: All the above are enabled.
TABLE 37 SIP Template Parameters for SIP over TCP/TLS (Continued)
Parameter Description and Syntax Supported Values
Parameter: Client Keep-Alive
Description and Syntax:
  Enables the AX device to respond to SIP pings from clients on behalf of SIP servers. When this option is enabled, the AX device responds to a SIP ping from a client with a “pong”. This option is disabled by default.
  Note: If connection reuse is configured, even if client keepalive is disabled, the AX device will respond to a client SIP ping with a pong.
  [no] client-keep-alive
  Config > Service > Template > Application > SIP
Supported Values:
  Enabled or disabled
  Default: Disabled

Parameter: Server Keep-Alive
Description and Syntax:
  For configurations that use a connection-reuse template, this option specifies how often the AX device sends a SIP ping on each persistent connection. The AX device silently drops the server’s reply.
  If the server does not reply to a SIP ping within the connection-reuse timeout, the AX device closes the persistent connection. (The connection-reuse timeout is configured in the connection-reuse template. See “Connection Reuse Template Parameters” on page 836.)
  Note: This option is applicable only if the configuration includes a connection-reuse template.
  [no] server-keep-alive seconds
  Config > Service > Template > Application > SIP
Supported Values:
  5-300 seconds
  Default: 30

Parameter: Insert Client IP
Description and Syntax:
  Inserts an “X-Forwarded-For: IP-address:port” header into SIP packets from the client to the SIP server. The header contains the client IP address and source protocol port number. The AX device uses the header to identify the client when forwarding a server reply. This option is disabled by default.
  [no] insert-client-ip
  Config > Service > Template > Application > SIP
Supported Values:
  Name of an IP header that inserts a client IP address.
  Default: Disabled

Parameter: Select Client Fail Action
Description and Syntax:
  Specifies the AX response when selection of a SIP client fails. You can specify one of the following:
  • String – Message string to send to the server; for example: “480 Temporarily Unavailable”. If the message string contains a blank, use double quotation marks around the string.
  • Drop – Drops the traffic.
  [no] select-client-fail {string | drop}
  Config > Service > Template > Application > SIP
Supported Values:
  The action can be one of the following:
  • Reset
  • Drop
  • Send message
  Default: Reset
Parameter: Select Server Fail Action
Description and Syntax:
  Specifies the AX response when selection of a SIP server fails. You can specify one of the following:
  • String – Message string to send to the client; for example: “504 Server Time-out”. If the message string contains a blank, use double quotation marks around the string.
  • Drop – Drops the traffic.
  [no] select-server-fail {string | drop}
  Config > Service > Template > Application > SIP
Supported Values:
  The action can be one of the following:
  • Reset
  • Drop
  • Send message
  Default: Reset

Parameter: Exclude Translation Body
Description and Syntax:
  Disables translation of the virtual IP address and virtual port in specific portions of SIP messages:
  • Body – Does not translate virtual IP addresses and virtual ports in the body of the message.
  • Header string – Does not translate virtual IP addresses and virtual ports in the specified header.
  • Start line – Does not translate virtual IP addresses and virtual ports in the SIP request line or status line.
  Note: Regardless of the settings for this option, the AX device never translates addresses in “Call-ID” or “X-Forwarded-For” headers.
  [no] exclude-translation {body | header string | start-line}
  Config > Service > Template > Application > SIP
Supported Values:
  Enabled or disabled
  Default: Disabled

Parameter: Call timeout
Description and Syntax:
  Number of minutes a call can remain idle before the AX Series terminates it.
  [no] timeout minutes
  Config > Service > Template > Application > SIP
Supported Values:
  1-250 minutes
  Default: 30 minutes
TABLE 38 SIP Template Parameters for SIP over UDP (Continued)
Parameter Description and Syntax Supported Values
Parameter: Call timeout (cont.)
Description and Syntax:
  Number of minutes a call can remain idle before the AX Series terminates it.
  [no] timeout minutes
  Config > Service > Template > Application > SIP
Supported Values:
  1-250 minutes
  Default: 30 minutes
TABLE 39 SMTP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Parameter: Domain name switching (cont.)
Description and Syntax:
  The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used.
  If a domain name matches on more than one match filter of the same type, the most specific match is used.
  [no] client-domain-switching {starts-with | contains | ends-with} string service-group group-name
  Config > Service > Template > Application > SMTP

Parameter: STARTTLS command disable
Description and Syntax:
  Disables support of certain SMTP commands. If a client tries to issue a disabled SMTP command, the AX sends the following message to the client: “502 - Command not implemented”
  [no] command-disable [vrfy] [expn] [turn]
  Note: To disable all three commands, simply enter the following: command-disable
  Config > Service > Template > Application > SMTP
Supported Values:
  Any of the following: VRFY, EXPN, TURN
  Default: VRFY, EXPN, and TURN are enabled

Parameter: Email server domain
Description and Syntax:
  Email server domain. This is the domain for which the AX Series device provides SMTP load balancing.
  [no] server-domain name
  Config > Service > Template > Application > SMTP
Supported Values:
  String
  Default: “mail-server-domain”

Parameter: Service ready message
Description and Syntax:
  Text of the SMTP service-ready message sent to clients. The complete message sent to the client is constructed as follows:
  200 - smtp-domain service-ready-string
  [no] service-ready-message string
  Config > Service > Template > Application > SMTP
Supported Values:
  String
  Default: “ESMTP mail service ready”
Parameter: STARTTLS requirement
Description and Syntax:
  Specifies whether use of STARTTLS by clients is required.
  starttls {disable | optional | enforced}
  Config > Service > Template > Application > SMTP
Supported Values:
  One of the following:
  • Disabled – Clients cannot use STARTTLS. Use this option if you need to disable STARTTLS support but you do not want to remove the configuration.
  • Optional – Clients can use STARTTLS but are not required to do so.
  • Enforced – Before any mail transactions are allowed, the client must issue the STARTTLS command to establish a secured session. If the client does not issue the STARTTLS command, the AX sends the following message to the client: “530 - Must issue a STARTTLS command first”
  Default: Disabled
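The command gating that the STARTTLS requirement and the command-disable rows describe (502 for a disabled VRFY/EXPN/TURN, 530 for a mail transaction attempted before STARTTLS in enforced mode, all three commands disabled when command-disable is given without keywords), as an added model that is not A10 code. It assumes that MAIL, RCPT and DATA are the "mail transactions", that a STARTTLS attempt in disable mode is answered with the same 502 reply, and that accepted commands get generic 250/220 replies; the guide specifies none of those, and the command sequences are constructed.

```python
"""Model of SMTP-template STARTTLS enforcement and command disabling."""
from typing import Iterable, List, Optional

DISABLEABLE = {"VRFY", "EXPN", "TURN"}
MAIL_TRANSACTION = {"MAIL", "RCPT", "DATA"}          # assumption, see lead-in
REPLY_502 = "502 - Command not implemented"          # quoted from Table 39
REPLY_530 = "530 - Must issue a STARTTLS command first"
REPLY_220_TLS = "220 Ready to start TLS"             # assumed generic reply
REPLY_250 = "250 OK"                                 # assumed generic reply


class SmtpTemplate:
    """starttls {disable | optional | enforced} plus command-disable."""

    def __init__(self, starttls: str = "disable",
                 command_disable: Optional[Iterable[str]] = None):
        if starttls not in ("disable", "optional", "enforced"):
            raise ValueError(f"bad starttls mode {starttls!r}")
        self.starttls = starttls
        if command_disable is None:          # option not configured
            self.disabled = set()
        else:
            wanted = {c.upper() for c in command_disable}
            if not wanted <= DISABLEABLE:
                raise ValueError(f"only {sorted(DISABLEABLE)} can be disabled")
            # `command-disable` with no keywords disables all three commands.
            self.disabled = wanted or set(DISABLEABLE)


class SmtpSession:
    """One client connection passing through the template's checks."""

    def __init__(self, template: SmtpTemplate):
        self.tmpl = template
        self.secured = False

    def handle(self, line: str) -> str:
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in self.tmpl.disabled:
            return REPLY_502
        if verb == "STARTTLS":
            if self.tmpl.starttls == "disable":
                return REPLY_502             # assumption: treated as unsupported
            self.secured = True
            return REPLY_220_TLS
        if (self.tmpl.starttls == "enforced" and not self.secured
                and verb in MAIL_TRANSACTION):
            return REPLY_530
        return REPLY_250


def run_session(template: SmtpTemplate, commands: List[str]) -> List[str]:
    """Replay a constructed command sequence and collect the replies."""
    session = SmtpSession(template)
    return [session.handle(c) for c in commands]


if __name__ == "__main__":
    enforced = SmtpTemplate("enforced", command_disable=[])   # all three off
    for cmd, reply in zip(
            ["EHLO c", "VRFY bob", "MAIL FROM:<a@b>", "STARTTLS", "MAIL FROM:<a@b>"],
            run_session(enforced, ["EHLO c", "VRFY bob", "MAIL FROM:<a@b>",
                                   "STARTTLS", "MAIL FROM:<a@b>"])):
        print(f"{cmd:18} -> {reply}")
```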
TABLE 40 Source-IP Persistence Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Parameter: Match type
Description and Syntax:
  Granularity of persistence:
  • Port – Traffic from a given client to the same virtual port is always sent to the same real port. This is the most granular setting.
  • Server – Traffic from a given client to the same VIP is always sent to the same real server, for any service port requested by the client.
  • Service-group – This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is performed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected.
  The scan all members option scans all members bound to the template. This option is useful in configurations where match-type “server” is used, and where some members have different priorities or are disabled. (See “Scan-All-Members Option in Persistence Templates” on page 911.)
  Note: To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
  [no] match-type {server | service-group}
  Config > Service > Template > Persistent > Source IP Persistence
Supported Values:
  One of the following:
  • Port (selectable in the GUI but not in the CLI)
  • Server
  • Service-group
  Default: Port
Parameter: Netmask
Description and Syntax:
  Granularity of IP address hashing for server port selection.
  You can specify an IPv4 network mask in dotted decimal notation.
  • To configure server port selection to occur on a per subnet basis, configure the network mask to indicate the subnet length. For example, to send all clients within a subnet such as 10.10.10.x, 192.168.1.x, and so on (“class C” subnets) to the same server port, use mask 255.255.255.0. SLB selects a server port for the first client in a given subnet, then sends all other clients in the same subnet to the same port.
  • To configure server port selection to occur on a per client basis, use mask 255.255.255.255. SLB selects a server port for the first request from a given client, then sends all other requests from the same client to the same port. (This is the default.)
  [no] netmask ipaddr
  Config > Service > Template > Persistent > Source IP Persistence
Supported Values:
  Valid IPv4 network mask
  Default: 255.255.255.255
Parameter: Timeout
Description and Syntax:
  Number of minutes the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server.
  Note: The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP persistence template is set to 1 minute. If the timeout is set to 1 minute, sessions will always age out after 1 minute, even if they are active.
  [no] timeout timeout-minutes
  Config > Service > Template > Persistent > Source IP Persistence
Supported Values:
  1-2000 minutes (about 33 hours)
  Default: 5 minutes
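The Netmask and Timeout rows together define a persistence table keyed on the masked client address and aged from the last time the client sent traffic, with the 1-minute special case in which the entry is never refreshed. The model below is an added example, not A10 code; it assumes round-robin for the initial port choice (the guide only says "SLB selects a server port") and takes the clock as an explicit value in minutes, and the client addresses are constructed.

```python
"""Model of source-IP persistence keyed on the template netmask, with aging."""
import ipaddress
from typing import Dict, List, Tuple


class SourceIpPersistence:
    def __init__(self, ports: List[str], netmask: str = "255.255.255.255",
                 timeout_min: int = 5):
        if not 1 <= timeout_min <= 2000:
            raise ValueError("timeout must be 1-2000 minutes")
        if not ports:
            raise ValueError("need at least one real port")
        self.ports = ports
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout_min
        self._rr = 0                                   # round-robin cursor
        # masked client address -> (real port, expiry time in minutes)
        self.table: Dict[int, Tuple[str, float]] = {}

    def _key(self, client_ip: str) -> int:
        """With 255.255.255.0 every host in a /24 shares one key; with
        255.255.255.255 each client has its own key."""
        return int(ipaddress.IPv4Address(client_ip)) & self.mask

    def select(self, client_ip: str, now_min: float) -> str:
        key = self._key(client_ip)
        entry = self.table.get(key)
        if entry is not None and now_min < entry[1]:
            port = entry[0]
            # Activity extends the mapping by the timeout, except that a
            # 1-minute timeout is never reset: the entry ages out 1 minute
            # after it was created even if the client stays active.
            if self.timeout != 1:
                self.table[key] = (port, now_min + self.timeout)
            return port
        # No live mapping: the load balancer picks a port (round-robin assumed).
        port = self.ports[self._rr % len(self.ports)]
        self._rr += 1
        self.table[key] = (port, now_min + self.timeout)
        return port

    def live_entries(self, now_min: float) -> int:
        """Number of mappings that have not yet aged out."""
        return sum(1 for _, exp in self.table.values() if now_min < exp)


if __name__ == "__main__":
    per_subnet = SourceIpPersistence(["srv1:80", "srv2:80"], "255.255.255.0")
    for ip in ("10.10.10.5", "10.10.10.77", "192.168.1.9", "192.168.1.200"):
        print(ip, "->", per_subnet.select(ip, now_min=0))
```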
Parameter: Include source port
Description and Syntax:
  Includes the source port in persistent sessions.
  [no] incl-sport
  Note: The current release does not support configuration of this option using the GUI.
Supported Values:
  Enabled or Disabled
  Default: Disabled.

Parameter: Ignore connection limits
Description and Syntax:
  Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent client source IP address.
  [no] dont-honor-conn-rules
  Config > Service > Template > Persistent > Source IP Persistence
Supported Values:
  Enabled or Disabled
  Default: Disabled. By default, the connection limit set on real servers and real ports is used.
TABLE 43 TCP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Parameter: Aging of half-closed sessions
Description and Syntax:
  Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK.
  [no] half-close-idle-timeout seconds
  Config > Service > Template > L4 > TCP
Supported Values:
  60-15000 seconds
  Default: Not set. The AX device keeps half-closed sessions open indefinitely.

Parameter: Server reset
Description and Syntax:
  Sends a TCP RST to the real server after a session times out.
  [no] reset-fwd
  Config > Service > Template > L4 > TCP
Supported Values:
  Enabled or disabled
  Default: Disabled

Parameter: Client reset
Description and Syntax:
  Sends a TCP RST to the client after a session times out.
  Note: If the server is Down, this option immediately sends the RST to the client and does not wait for the session to time out.
  [no] reset-rev
  Config > Service > Template > L4 > TCP
Supported Values:
  Enabled or disabled
  Default: Disabled

Parameter: Initial window size
Description and Syntax:
  Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK.
  [no] initial-window-size bytes
  Config > Service > Template > L4 > TCP
Supported Values:
  1-65535 bytes
  Default: The AX device uses the TCP window size set by the client or server.
TABLE 44 TCP-Proxy Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Parameter: Aging of half-closed sessions
Description and Syntax:
  Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK.
  [no] half-close-idle-timeout seconds
  Config > Service > Template > L4 > TCP Proxy
Supported Values:
  60-15000 seconds
  Default: Not set. The AX device keeps half-closed sessions open indefinitely.

Parameter: Idle timeout
Description and Syntax:
  Number of seconds that a connection can be idle before the AX Series terminates the connection.
  Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.
  [no] idle-timeout seconds
  Config > Service > Template > TCP Proxy
Supported Values:
  60-120000 seconds (about 33 hours)
  Default: 600 seconds

Parameter: Nagle algorithm
Description and Syntax:
  Enables Nagle congestion compression (described in RFC 896).
  [no] nagle
  Config > Service > Template > TCP Proxy
Supported Values:
  Enabled or disabled
  Default: Disabled

Parameter: Receive buffer size
Description and Syntax:
  Maximum number of bytes addressed to the port that the AX Series will buffer.
  [no] receive-buffer number
  Config > Service > Template > TCP Proxy
Supported Values:
  1-2147483647 bytes
  Default: 87380 bytes

Parameter: Retransmit retries
Description and Syntax:
  Number of times the AX Series can retransmit a data segment for which the AX Series does not receive an ACK.
  [no] retransmit-retries number
  Config > Service > Template > TCP Proxy
Supported Values:
  1-20
  Default: 3

Parameter: SYN retries
Description and Syntax:
  Number of times the AX Series can retransmit a SYN for which the AX Series does not receive an ACK.
  [no] syn-retries number
  Config > Service > Template > TCP Proxy
Supported Values:
  1-20
  Default: 5

Parameter: Time-Wait
Description and Syntax:
  Number of seconds that a connection can be in the TIME-WAIT state before the AX Series transitions it to the CLOSED state.
  [no] timewait number
  Config > Service > Template > TCP Proxy
Supported Values:
  1-60 seconds
  Default: 5 seconds

Parameter: Transmit buffer size
Description and Syntax:
  Number of bytes sent by the port that the AX Series will buffer.
  [no] transmit-buffer number
  Config > Service > Template > TCP Proxy
Supported Values:
  1-2147483647
  Default: 16384 bytes
Parameter: Initial window size
Description and Syntax:
  Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK.
  [no] initial-window-size bytes
  Config > Service > Template > TCP Proxy
Supported Values:
  1-65535 bytes
  Default: The AX device uses the TCP window size set by the client or server.
Global SLB Parameters
TABLE 45 UDP Template Parameters (Continued)
Parameter Description and Syntax Supported Values
Parameter: Idle timeout
Description and Syntax:
  Number of seconds a connection can remain idle before the AX Series terminates it.
  Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.
  [no] idle-timeout number
  Config > Service > Template > L4 > UDP
Supported Values:
  60-120000 seconds (about 33 hours)
  Default: 120 seconds

Parameter: Server reselection
Description and Syntax:
  Configures the AX device to select another real server if the server that is bound to an active connection goes down. Without this option, another server is not selected.
  [no] re-select-if-server-down
  Config > Service > Template > L4 > UDP
Supported Values:
  Enabled or disabled
  Default: Disabled
{disable | enable}
slb virtual-server [server-name]
[port port-num]
TABLE 46 Global SLB Parameters (Continued)
Parameter Description and Syntax Supported Values
Parameter: DSR health check
Description and Syntax:
  Enables Layer 4-7 health checking in Direct Server Return (DSR) configurations.
  [no] slb dsr-health-check-enable
  Config > Service > SLB > Global > Settings
  Note: Additional configuration is required. See “Configuring Health Monitoring of Virtual IP Addresses in DSR Deployments” on page 394.
Supported Values:
  Enabled or disabled
  Default: Disabled

Parameter: Graceful shutdown
Description and Syntax:
  Enables the AX device to wait for the specified grace period before moving active sessions on a deleted or disabled port or server to the delete queue.
  [no] slb graceful-shutdown grace-period [server | virtual-server] [after-disable]
  Config > Service > SLB > Global > Settings
Supported Values:
  1-65535 seconds (about 18 hours)
  Default: Not set. When you delete a real or virtual service port, the AX device places all the port’s sessions in the delete queue, and stops accepting new sessions on the port.

Parameter: Maximum session life
Description and Syntax:
  Maximum session life following completion of a TCP flow.
  [slb] msl-time seconds
  Config > Service > SLB > Global > Settings
Supported Values:
  1-40 seconds
  Default: 2 seconds
Parameter: Hardware-based SYN cookies
Description and Syntax:
  Enables system-wide protection against TCP SYN flood attacks. SYN cookies enable the AX device to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to consume system resources.
  • On-Threshold – Specifies the maximum number of concurrent half-open TCP connections allowed on the AX device, before SYN cookies are enabled. If the number of half-open TCP connections exceeds the on-threshold, the AX device enables SYN cookies. You can specify 0-2147483647 half-open connections.
  • Off-Threshold – Specifies the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. If the number of half-open TCP connections falls below this level, SYN cookies are disabled. You can specify 0-2147483647 half-open connections.
  [no] syn-cookie [on-threshold num off-threshold num]
  Config > Service > SLB > Global > Settings
  Note: This option is supported only on models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200.
Supported Values:
  Disabled or Enabled
  On-Threshold – 0-2147483647 half-open connections
  Off-Threshold – 0-2147483647 half-open connections
  Default: Disabled
  Note: If you leave the On-Threshold and Off-Threshold fields blank, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the AX device.
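The on/off threshold pair above is a hysteresis: cookies switch on when the half-open count exceeds on-threshold, stay on until the count falls below off-threshold, and are always on when both fields are left blank. The model below is an added example, not A10 code, and the half-open counts it is fed are constructed; it implements only the comparisons the text states, so a count exactly equal to a threshold changes nothing.

```python
"""Model of the SYN-cookie on/off threshold behaviour from Table 46."""
from typing import List, Optional

MAX_THRESHOLD = 2147483647


class SynCookieGuard:
    def __init__(self, on_threshold: Optional[int] = None,
                 off_threshold: Optional[int] = None):
        if (on_threshold is None) != (off_threshold is None):
            raise ValueError("set both thresholds or leave both blank")
        for t in (on_threshold, off_threshold):
            if t is not None and not 0 <= t <= MAX_THRESHOLD:
                raise ValueError("thresholds must be 0-2147483647")
        self.on = on_threshold
        self.off = off_threshold
        # Blank thresholds: SYN cookies are always on.
        self.active = on_threshold is None

    def update(self, half_open: int) -> bool:
        """Feed the current half-open connection count; return whether SYN
        cookies are active afterwards."""
        if self.on is None:
            return True                                  # always on
        if not self.active and half_open > self.on:
            self.active = True                           # exceeded on-threshold
        elif self.active and half_open < self.off:
            self.active = False                          # fell below off-threshold
        return self.active


def trace(guard: SynCookieGuard, samples: List[int]) -> List[bool]:
    """Run a constructed series of half-open counts through the guard."""
    return [guard.update(s) for s in samples]


if __name__ == "__main__":
    counts = [500, 1000, 1001, 600, 200, 199, 50, 1500]
    print(list(zip(counts, trace(SynCookieGuard(1000, 200), counts))))
```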
Parameter: Use of IP pool default gateways by real servers
Description and Syntax:
  Enables use of IP pool default gateways to forward traffic from real servers.
  When this option is enabled, the AX device checks the configured IP NAT pools for an IP address range that includes the server IP address (the source address of the traffic). If the address range in a pool does include the server’s IP address, and a default gateway is defined for the pool, the AX device forwards the server traffic through the pool’s default gateway.
  [no] slb snat-gwy-for-l3
  Note: This parameter is not configurable using the GUI.
Supported Values:
  Enabled or disabled
  Default: Disabled
Parameter: Source-IP based connection rate limiting
Description and Syntax:
  Protects the system from excessive connection requests from individual clients.
  [no] slb conn-rate-limit src-ip conn-limit per {100 | 1000} [shared] [exceed-action [log] [lock-out lockout-period]]
  Note: The current release does not support configuration of this feature using the GUI.
  For more information about this feature, see “Source-IP Based Connection Rate Limiting” on page 736.
Supported Values:
  Connection limit – 1-1000000.
  Limit period – One of the following:
  • 100 milliseconds (one tenth of a second)
  • 1000 milliseconds (one second)
  Scope – One of the following:
  • Shared – Connection limit applies as an aggregate to all virtual ports.
  • Not shared – Connection limit applies separately to each virtual port. (This is the default behavior. There is no “Not shared” option.)
  Exceed actions – All connection requests in excess of the connection limit that are received from a client within the limit period are dropped. This action is enabled by default when you enable the feature, and can not be disabled. Optionally, you can enable one or both of the following additional exceed actions:
  • Logging – Generates a log message when a client exceeds the connection limit.
  • Lockout – Locks out the client for a specified number of seconds. During the lockout period, all connection requests from the client are dropped. The lockout period can be 1-3600 seconds (1 hour). There is no default.
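Both the class-list IP limiting rule (Table 35: connection-rate limit per limit period in 100 ms increments, over-limit action of drop/forward/reset, lockout, and a logging period that holds repeated messages and emits one summary) and the global source-IP based connection rate limiting above (per-port or shared scope, drop on exceed, optional log and lockout) are the same mechanism with different knobs. The model below is an added example, not A10 code, and combines those knobs in one limiter; it assumes the limit period is a sliding window over connection timestamps, that requests refused during a lockout are not counted as new over-limit events, and that time is supplied in milliseconds, and the client traffic is constructed.

```python
"""Model of per-client connection-rate limiting with lockout and log holding."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Hashable, List


@dataclass
class RateLimitRule:
    conn_limit: int              # new connections allowed per limit period
    period_ms: int = 1000        # limit period; global feature allows 100 or 1000
    exceed_action: str = "drop"  # drop | forward | reset (class-list rule)
    lockout_ms: int = 0          # 0 = no lockout
    log_period_ms: int = 0       # 0 = one log message per over-limit event
    shared: bool = False         # False = separate count per virtual port (default)

    def __post_init__(self) -> None:
        if self.exceed_action not in ("drop", "forward", "reset"):
            raise ValueError(f"bad exceed action {self.exceed_action!r}")
        if self.conn_limit < 1 or self.period_ms < 100 or self.period_ms % 100:
            raise ValueError("limit >= 1; period in 100 ms increments")


class ConnRateLimiter:
    def __init__(self, rule: RateLimitRule):
        self.rule = rule
        self.windows: Dict[Hashable, Deque[int]] = defaultdict(deque)
        self.locked_until: Dict[Hashable, int] = {}
        self.pending: Dict[Hashable, List[int]] = {}   # key -> [first_ts, count]
        self.log: List[str] = []

    def _key(self, client_ip: str, vport: str) -> Hashable:
        # Shared scope aggregates one client across all virtual ports.
        return client_ip if self.rule.shared else (client_ip, vport)

    def admit(self, client_ip: str, vport: str, now_ms: int) -> str:
        """Return the action applied to one new connection request."""
        r, key = self.rule, self._key(client_ip, vport)
        if now_ms < self.locked_until.get(key, 0):
            return "drop"                      # locked out: everything dropped
        win = self.windows[key]
        while win and now_ms - win[0] >= r.period_ms:
            win.popleft()                      # expire timestamps outside the period
        if len(win) < r.conn_limit:
            win.append(now_ms)
            return "forward"
        if r.lockout_ms:
            self.locked_until[key] = now_ms + r.lockout_ms
        self._log_event(key, now_ms)
        return r.exceed_action

    def _log_event(self, key: Hashable, now_ms: int) -> None:
        r = self.rule
        if r.log_period_ms == 0:               # no wait period: message per event
            self.log.append(f"{now_ms} {key}: over limit, action={r.exceed_action}")
            return
        held = self.pending.get(key)
        if held and now_ms - held[0] < r.log_period_ms:
            held[1] += 1                       # still inside the logging period
        else:
            if held:
                self.flush(key)                # previous period ended: summarise
            self.pending[key] = [now_ms, 1]

    def flush(self, key: Hashable = None) -> None:
        """Emit the held summary message(s) at the end of a logging period."""
        for k in ([key] if key is not None else list(self.pending)):
            first, count = self.pending.pop(k)
            self.log.append(f"{first} {k}: {count} over-limit events "
                            f"within {self.rule.log_period_ms} ms")


if __name__ == "__main__":
    lim = ConnRateLimiter(RateLimitRule(3, 1000, lockout_ms=2000, shared=True))
    for t in (0, 100, 200, 300, 1500, 2400):
        print(t, lim.admit("198.51.100.7", "80", t))
    print(lim.log)
```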
Parameter: Layer 7 request accounting
Description and Syntax: Globally enables Layer 7 request accounting.
Note: Layer 7 request accounting is automatically enabled for service groups that use the least-request load-balancing method.
To display Layer 7 request statistics, view details for the service group, real port, or virtual port.
[no] slb enable-l7-req-acct
Config > Service > SLB > Global > Settings
Supported Values: Enabled or disabled. Default: disabled

Parameter: Hardware-based content compression
Description and Syntax: Enables hardware-based compression. When you enable hardware-based compression, all compression settings configured in HTTP templates, except the compression level, are used. Hardware-based compression always uses the same compression level, regardless of the compression level configured in an HTTP template.
Hardware-based compression is available using an optional hardware module in new AX devices, on certain models. If this option does not appear on your AX device, the device does not contain a compression module.
[no] slb hw-compression
Config > Service > SLB > Global > Settings
Supported Values: Enabled or disabled. Default: Disabled

Parameter: Idle timeout for passthrough TCP sessions
Description and Syntax: Sets the idle timeout for pass-through TCP sessions. A pass-through TCP session is one that is not terminated by the AX device (for example, a session for which the AX device is not serving as a proxy for SLB).
Specify the name of a TCP template. The idle timeout in the TCP template is used. Only the idle timeout setting in the specified TCP template is applicable to pass-through TCP sessions. None of the other options in TCP templates affect pass-through TCP sessions.
[no] slb transparent-tcp-template template-name
Note: This parameter is not configurable using the GUI.
Supported Values: Name of a configured TCP template. To use the default TCP template, specify the name “default”.
Default: The default idle timeout for pass-through TCP sessions is 30 minutes. The default idle timeout in TCP templates is 120 seconds.

Parameter: Trunk load balancing
Description and Syntax: Disables or re-enables trunk load balancing for Layer 2/Layer 3 traffic.
[no] slb l2l3-trunk-lb-disable
Note: This parameter is not configurable using the GUI.
Supported Values: Enabled or disabled. Default: Enabled.
Parameter: Fast-path processing
Description and Syntax: Enables fast-path processing, wherein the AX device does not perform a deep inspection of every field within a packet.
[no] slb fast-path-disable
Config > Service > SLB > Global > Settings
Supported Values: Enabled (slb fast-path-disable) or disabled (no slb fast-path-disable). Default: Enabled. Deep inspection of every packet field is enabled.

Parameter: TCP Maximum Segment Size (MSS)
Description and Syntax: Changes the minimum TCP MSS the AX device allows for client traffic.
[no] slb mss-table num
Note: This parameter is not configurable using the GUI.
Supported Values: 128-750. Default: 538

Parameter: Statistics collection
Description and Syntax: Globally disables or re-enables collection of statistical data for system resources and for load-balancing resources.
stats-data-disable
stats-data-enable
Note: Statistical data collection for load-balancing resources also must be enabled on the individual resources.
Config > Service > SLB > Global > Settings
Supported Values: Enabled or disabled. Default: Statistical data collection for system resources is enabled by default. This also allows collection for those individual load-balancing resources on which collection is enabled. Statistical data collection also is enabled by default on individual load-balancing resources.

Parameter: SLB application buffer threshold
Description and Syntax: Fine-tunes thresholds for SLB buffer queues.
• Hardware buffer – IO buffer threshold. For each CPU, if the number of queued entries in the IO buffer reaches this threshold, fast aging is enabled and no more IO buffer entries are allowed to be queued on the CPU’s IO buffer.
• Relieve threshold – Threshold at which fast aging is disabled, to allow IO buffer entries to be queued again.
• Low buffer threshold – Threshold of queued system buffer entries at which the AX begins refusing new incoming connections.
• High buffer threshold – Threshold of queued system buffer entries at which the AX device drops a connection whenever a packet is received for that connection.
[no] slb buff-thresh hw-buff num relieve-thresh num sys-buff-low num sys-buff-high num
Config > Service > SLB > Global > Settings
Supported Values: The supported values and defaults depend on the AX model. See the CLI online help.

Parameter: Compression block size
Description and Syntax: Changes the default compression block size used for SLB.
[no] compress-block-size bytes
Config > Service > SLB > Global > Rate-Limit Log
Supported Values: 6000-32000 bytes. Default: 16000 bytes
Parameter: DDoS Protection
Description and Syntax: See “DDoS Protection” on page 725.
Supported Values: Default: Not set

Parameter: Log rate limiting
Description and Syntax: Configures rate limiting settings for system logging:
• Max-local-rate – Specifies the maximum number of messages per second that can be sent to the local log buffer.
• Max-remote-rate – Specifies the maximum number of messages per second that can be sent to remote log servers.
• Exclude-destination – Excludes logging to the specified destination.
slb rate-limit-logging [max-local-rate msgs-per-second] [max-remote-rate msgs-per-second] [exclude-destination {local | remote}]
Config > Service > SLB > Global > Rate-Limit Log
Supported Values:
• Max-local-rate – 1-100 messages per second
• Max-remote-rate – 1-100000 messages per second
• Exclude-destination – Local, remote, or both
Defaults:
• Max-local-rate – 32 messages per second
• Max-remote-rate – 15000 messages per second
• Exclude-destination – Logging to both destinations is enabled.
Real Server Parameters
TABLE 47 Real Server Parameters (Continued)
Columns: Parameter | Description and Syntax | Supported Values | Configurable in Real Server Template?
Parameter: Real server template
Description and Syntax: Configuration template of real server parameters.
[no] template server template-name
Config > Service > SLB > Server
Supported Values: Name of a configured real server template. Default: “Default” real server template
Configurable in Real Server Template?: N/A

Parameter: Health check
Description and Syntax: Enables or disables Layer 3 health monitoring and specifies the monitor to use.
[no] health-check [monitor-name]
Config > Service > SLB > Server
Supported Values: Enabled or disabled; name of a configured health monitor. Default: Enabled; ping (ICMP)
Configurable in Real Server Template?: Yes

Parameter: Connection limit
Description and Syntax: Number of concurrent connections allowed on a real server.
[no] conn-limit max-connections
Config > Service > SLB > Server
Supported Values: 1-1000000 (one million) if configured on the real server; 1-1048575 if configured in the server template. Default: 1000000 if configured on the real server; 1048575 if configured in the server template
Configurable in Real Server Template?: Yes

Parameter: Connection resume
Description and Syntax: Maximum number of connections the server can have before the AX device resumes use of the server. Use does not resume until the number of connections reaches the configured maximum or less.
[no] conn-resume connections
Config > Service > SLB > Server
Supported Values: 1-1000000 (one million) connections. Default: Not set. The AX device is allowed to start sending new connection requests to the server as soon as the number of connections on the server falls back below the connection limit.
Configurable in Real Server Template?: Yes, but as additional parameter with conn-lim­it command (CLI) or additional field under Connection Limit Status (GUI)
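To make the interaction of conn-limit and conn-resume concrete, here is an added Python model (written for this page; it is not A10 code and the semantics are an assumption drawn from the two rows above). It tracks one real server's open connections, stops offering the server new connections once the limit is reached, and resumes only when the count has dropped to the conn-resume value, or, when conn-resume is not set, as soon as the count is below the limit again. The server names and counts are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RealServer:
    """Models 'conn-limit <max-connections>' and 'conn-resume <connections>'
    on a real server (assumed semantics for illustration, not AX code)."""
    name: str
    conn_limit: int = 1000000          # default when configured on the real server
    conn_resume: Optional[int] = None  # None = not set
    current: int = 0                   # connections currently open on the server
    suspended: bool = False            # True while the AX sends no new connections here

    def __post_init__(self) -> None:
        if not 1 <= self.conn_limit <= 1000000:
            raise ValueError("conn-limit is 1-1000000 on a real server")
        if self.conn_resume is not None and not 1 <= self.conn_resume <= 1000000:
            raise ValueError("conn-resume is 1-1000000")

    def eligible(self) -> bool:
        """May the AX device send this server a new connection right now?"""
        if self.suspended:
            # With conn-resume: wait until the count is at or below that value.
            # Without it: resume as soon as the count is below the limit again.
            resume_at = self.conn_resume if self.conn_resume is not None else self.conn_limit - 1
            if self.current <= resume_at:
                self.suspended = False
        if self.current >= self.conn_limit:
            self.suspended = True
        return not self.suspended

    def open_connection(self) -> bool:
        """Try to place a new connection; False means the AX must pick another server."""
        if not self.eligible():
            return False
        self.current += 1
        return True

    def close_connection(self) -> None:
        self.current -= 1


def simulate() -> dict:
    """Constructed scenario: limit 5, with and without conn-resume 2."""
    with_resume = RealServer("rs1", conn_limit=5, conn_resume=2)
    filled = [with_resume.open_connection() for _ in range(5)]   # all accepted
    sixth = with_resume.open_connection()                        # limit reached: refused
    with_resume.close_connection()                               # 4 open, still above conn-resume
    at_four = with_resume.open_connection()
    with_resume.close_connection()
    with_resume.close_connection()                               # 2 open: at conn-resume
    at_two = with_resume.open_connection()

    no_resume = RealServer("rs2", conn_limit=5)
    for _ in range(5):
        no_resume.open_connection()
    no_resume_sixth = no_resume.open_connection()                # refused
    no_resume.close_connection()                                 # 4 open: below the limit
    no_resume_at_four = no_resume.open_connection()
    return {
        "filled": filled, "sixth": sixth, "at_four": at_four, "at_two": at_two,
        "no_resume_sixth": no_resume_sixth, "no_resume_at_four": no_resume_at_four,
    }
```

The point of conn-resume is hysteresis: without it a server that hovers at its limit flaps in and out of selection on every closed connection; with it the server stays out until it has drained to the configured level.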
Parameter: Service port
Description and Syntax: TCP or UDP port number.
[no] port port-num {tcp | udp}
Config > Service > SLB > Server - Port
(For parameters you can set on the service port, see “Real Service Port Parameters” on page 877.)
Supported Values: Transport protocol: TCP or UDP. Port number: 0-65534. Default: None configured
Configurable in Real Server Template?: N/A

Parameter: Slow start
Description and Syntax: Allows time for a server to ramp up after the server is enabled or comes online, by temporarily limiting the number of new connections on the server.
[no] slow-start
Config > Service > SLB > Server - Port
Note: It is recommended to configure this feature in the real server template or real port template instead. See “Behavior When Slow Start Is Also Configured on the Real Server Itself” on page 376.
Supported Values: Enabled or disabled. Default: Disabled
Configurable in Real Server Template?: Yes

Parameter: Weight
Description and Syntax: Administrative weight of the server, used for weighted load balancing (weighted-least-connection or weighted-round-robin).
[no] weight num
Config > Service > SLB > Server
Supported Values: 1-100. Default: 1
Configurable in Real Server Template?: No

Parameter: External IP address
Description and Syntax: External IP address, used for reaching a server in a private network from outside the network.
[no] external-ip ipaddr
Config > Service > SLB > Server
Supported Values: Valid IP address. Default: Not set
Configurable in Real Server Template?: No

Parameter: Spoofing cache
Description and Syntax: Enables support for a spoofing cache server. A spoofing cache server uses the client’s IP address instead of its own as the source address when obtaining content requested by the client.
This command applies to the Transparent Cache Switching (TCS) feature. (See “Transparent Cache Switching” on page 301.)
[no] spoofing-cache
Config > Service > SLB > Server
Supported Values: Enabled or disabled. Default: Disabled
Configurable in Real Server Template?: No

Parameter: Statistics collection
Description and Syntax: Enables or disables collection of statistical data for the server.
stats-data-enable
stats-data-disable
Config > Service > SLB > Server
Supported Values: Enabled or disabled. Default: enabled
Configurable in Real Server Template?: No
Parameter: GSLB IPv6 mapping
Description and Syntax: Assigns an IPv6 address to the real server for GSLB.
[no] ipv6 ipv6-addr
Note: The current release does not support configuration of this option using the GUI.
Supported Values: Valid IPv6 address. Default: None
Configurable in Real Server Template?: No
Real Service Port Parameters
TABLE 48 Real Service Port Parameters (Continued)
Columns: Parameter | Description and Syntax | Supported Values | Configurable in Real Port Template?
Parameter: Health check
Description and Syntax: Enables or disables health monitoring and specifies the monitor to use.
To base the port’s health on the health of another port of the same type on the same server, use the follow-port option instead.
[no] health-check [monitor-name | follow-port portnum method-type]
Config > Service > SLB > Server - Port
Note: In the current release, the follow-port option is not supported in the GUI.
Supported Values: Enabled or disabled; name of a configured health monitor. Default: The AX performs the default TCP or UDP check every 5 seconds. (See “Default Health Checks” on page 381.)
Configurable in Real Port Template?: Yes (The follow-port option can not be configured using a template.)

Parameter: Connection limit
Description and Syntax: Number of concurrent connections allowed on the service port.
[no] conn-limit max-connections
Config > Service > SLB > Server - Port
Supported Values: 1-1000000 (one million) if configured on the server port; 1-1048575 if configured in the server port template. Default: 1000000 if configured on the server port; 1048575 if configured in the server port template
Configurable in Real Port Template?: Yes

Parameter: Connection resume
Description and Syntax: Maximum number of connections the port can have before the AX device resumes use of the port. Use does not resume until the number of connections reaches the configured maximum or less.
[no] conn-resume connections
Config > Service > SLB > Server - Port
Supported Values: 1-1000000 (one million) connections. Default: Not set. The AX device is allowed to start sending new connection requests to the port as soon as the number of connections on the port falls back below the connection limit.
Configurable in Real Port Template?: Yes, but as additional parameter with conn-limit command (CLI) or additional field under Connection Limit Status (GUI)

Parameter: Weight
Description and Syntax: Administrative weight of the service port, used for weighted load balancing (service-weighted-least-connection).
[no] weight num
Config > Service > SLB > Server - Port
Supported Values: 1-100. Default: 1
Configurable in Real Port Template?: Yes
Parameter: No-SSL
Description and Syntax: Disables SSL for server-side connections. This option is useful if a server-SSL template is bound to the virtual port that uses this real port, and you want to disable encryption on this real port.
Encryption is disabled by default, but it is enabled for server-side connections when the real port is used by a virtual port that is bound to a server-SSL template.
[no] no-ssl
Config > Service > SLB > Server - Port
Supported Values: Enabled or disabled. Default: Disabled (SSL is enabled)
Configurable in Real Port Template?: No

Parameter: Statistics collection
Description and Syntax: Enables or disables collection of statistical data for the port.
stats-data-enable
stats-data-disable
Config > Service > SLB > Server - Port
Supported Values: Enabled or disabled. Default: enabled
Configurable in Real Port Template?: No
Service Group Parameters
TABLE 49 Service Group Parameters (Continued)
Columns: Parameter | Description and Syntax | Supported Values
Parameter: Member
Description and Syntax: Real servers and service ports managed by the group.
[no] member server-name:portnum [disable | enable] [priority num] [template template-name] [stats-data-enable]
The enable | disable options change the server and port state within the service group only.
The priority option enables you to designate some real servers as backups (the lower priority servers) to be used only if the higher priority servers all are unavailable.
The template option binds a real port template to the port.
Config > Service > SLB > Service Group
Supported Values: Name of a configured real server, and a service port number configured on the server. The priority can be 1-16.
Defaults:
• State – enabled
• Priority – 1
• Template – not set
• Statistical data collection – enabled
Parameter: Load balancing method
Description and Syntax: Algorithm used to select a real server and service port to fulfil a client’s request.
[no] method lb-method
Config > Service > SLB > Service Group
Note: The fastest-response algorithm takes effect only if the traffic rate on the servers is at least 5 connections per second (per server). If the traffic rate is lower, the first server in the service group usually is selected.
Supported Values: One of the following:
• Fastest-response – Selects the server with the fastest SYN-ACK response time.
• Least-connection – Selects the server that currently has the fewest connections.
• Service-least-connection – Selects the server port that currently has the fewest connections. If there is a tie, the port (among those tied) that has the lowest number of request bytes plus response bytes is selected. If there is still a tie, a port is randomly selected from among the ones that are still tied.
• Weighted-least-connection – Selects a server based on a combination of the server’s administratively assigned weight and the number of connections on the server.
• Service-weighted-least-connection – Same as weighted-least-connection, but per service.
• Least-request – Selects the real server port for which the AX device is currently processing the fewest HTTP requests. This method is applicable to HTTP load balancing.
• Weighted-round-robin – Selects servers in rotation, biased by the servers’ administratively assigned weights. If the weight value is the same on each server, this load-balancing method simply selects the servers in rotation.
• Round Robin Strict – Provides a more exact round-robin method. The standard, default round robin method is optimized for high performance. Over time, this optimization can result in a slight imbalance in server selection. Server selection is still basically round robin, but over time some servers may be selected slightly more often than others.
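The following Python is an added, illustrative implementation of the selection rules listed above, written for this page; it is not A10 code and makes no claim about how the AX device computes them. It covers strict round robin, weighted round robin (a smooth weighted scheme, which is an assumption, chosen because it degrades to plain rotation when all weights are equal), least-connection and weighted-least-connection aggregated per server, the service-* variants per port including the bytes tie-break, least-request and fastest-response. The optimized default round-robin method is not modelled. All counters, weights and response times are constructed.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MemberPort:
    """One service-group member (server-name:portnum) with constructed counters."""
    server: str
    port: int
    server_weight: int = 1     # real server 'weight', 1-100
    port_weight: int = 1       # real port 'weight', 1-100
    conns: int = 0             # current connections on this port
    req_bytes: int = 0
    resp_bytes: int = 0
    http_requests: int = 0     # HTTP requests the AX is currently processing for the port
    syn_ack_ms: float = 0.0    # measured SYN-ACK response time

    @property
    def name(self) -> str:
        return f"{self.server}:{self.port}"


class ServiceGroup:
    """Member selection for the lb-method values described above (illustrative model)."""

    def __init__(self, members: List[MemberPort], method: str, seed: int = 1):
        self.members = members
        self.method = method
        self._cursor = 0                                             # strict round-robin position
        self._credit: Dict[str, int] = {m.name: 0 for m in members}  # smooth WRR state
        self._rng = random.Random(seed)                              # final tie-break, seeded for the demo

    def _per_server(self) -> Dict[str, List[int]]:
        """server -> [total connections across its member ports, server weight]"""
        agg: Dict[str, List[int]] = {}
        for m in self.members:
            agg.setdefault(m.server, [0, m.server_weight])[0] += m.conns
        return agg

    def _first_port_of(self, server: str) -> MemberPort:
        return next(m for m in self.members if m.server == server)

    def select(self) -> MemberPort:
        m, method = self.members, self.method
        if method == "round-robin-strict":
            chosen = m[self._cursor % len(m)]
            self._cursor += 1
            return chosen
        if method == "weighted-round-robin":
            # Smooth weighted round-robin: every member earns its weight each round,
            # the member with the most credit is chosen and pays back the total.
            total = sum(x.port_weight for x in m)
            for x in m:
                self._credit[x.name] += x.port_weight
            chosen = max(m, key=lambda x: self._credit[x.name])
            self._credit[chosen.name] -= total
            return chosen
        if method == "least-connection":
            agg = self._per_server()
            return self._first_port_of(min(agg, key=lambda s: agg[s][0]))
        if method == "weighted-least-connection":
            agg = self._per_server()
            return self._first_port_of(min(agg, key=lambda s: agg[s][0] / agg[s][1]))
        if method == "service-least-connection":
            fewest = min(x.conns for x in m)
            tied = [x for x in m if x.conns == fewest]
            if len(tied) > 1:                              # tie: fewest request+response bytes
                least = min(x.req_bytes + x.resp_bytes for x in tied)
                tied = [x for x in tied if x.req_bytes + x.resp_bytes == least]
            return tied[0] if len(tied) == 1 else self._rng.choice(tied)
        if method == "service-weighted-least-connection":
            return min(m, key=lambda x: x.conns / x.port_weight)
        if method == "least-request":
            return min(m, key=lambda x: x.http_requests)
        if method == "fastest-response":
            return min(m, key=lambda x: x.syn_ack_ms)
        raise ValueError(f"unknown lb-method {method!r}")


def sample_members() -> List[MemberPort]:
    # Constructed counters, not measured on a device.
    return [
        MemberPort("rs1", 80, 3, 3, conns=10, req_bytes=1000, resp_bytes=5000, http_requests=7, syn_ack_ms=2.0),
        MemberPort("rs2", 80, 1, 1, conns=4, req_bytes=2000, resp_bytes=4000, http_requests=2, syn_ack_ms=9.0),
        MemberPort("rs3", 80, 2, 2, conns=5, req_bytes=100, resp_bytes=200, http_requests=5, syn_ack_ms=5.0),
    ]


def picks(method: str, n: int = 1, members: Optional[List[MemberPort]] = None) -> List[str]:
    """Run n selections on a fresh service group and return the chosen server names."""
    sg = ServiceGroup(members or sample_members(), method)
    return [sg.select().server for _ in range(n)]
```

With weights 3, 1 and 2 the weighted round-robin model hands out six consecutive picks in the ratio 3:1:2; with equal weights it reduces to plain rotation, matching the note in the table.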
Parameter: Health monitor
Description and Syntax: Assigns a health monitor to all members in the service group.
This option is useful in cases where the same server provides content for multiple, independent sites. When you use this feature, if a site is unavailable (for example, is taken down for maintenance), the server will fail the health check for that site, and clients will not be sent to the site. However, other sites on the same server will pass their health checks, and clients of those sites will be sent to the server.
[no] health-check monitor-name
Config > Service > SLB > Service Group
Supported Values: The default health monitor (IP ping) or the name of a configured health monitor. Default: Not set

Parameter: Minimum active members
Description and Syntax: Uses backup servers even if some primary servers are up. To configure this parameter, specify the number of primary servers that can still be active before the backup servers are used.
The skip-pri-set option specifies whether the remaining primary servers continue to be used. If you use this option, the AX device uses only the backup servers and stops using any of the primary servers.
[no] min-active-member num [skip-pri-set]
Config > Service > SLB > Service Group
Supported Values: 1-63. Default: Not set. Backup servers are used only if all primary servers are unavailable.
When you configure this parameter, the skip-pri-set option is disabled by default, for all load-balancing methods except round-robin. For round-robin (the default), skip-pri-set is always enabled and can not be disabled.
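The member priority option (earlier in this table) and min-active-member with skip-pri-set interact; the following added Python model (written for this page, not A10 code) works through that interaction. It treats the highest priority value present as the primary set and the next lower priority level that still has a member up as the backup set; that cascading reading of multiple priority levels is an assumption. The service group, priorities and health states are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str           # server-name:portnum
    priority: int = 1   # member 'priority', 1-16; the highest value present is the primary set
    up: bool = True     # health-check result


def candidates(members: List[Member], method: str = "round-robin",
               min_active: Optional[int] = None, skip_pri_set: bool = False) -> List[str]:
    """Names of members the load-balancing method may choose from (illustrative model)."""
    if method == "round-robin":
        skip_pri_set = True            # for round-robin, skip-pri-set is always on
    if min_active is not None and not 1 <= min_active <= 63:
        raise ValueError("min-active-member is 1-63")
    levels = sorted({m.priority for m in members}, reverse=True)
    up_at: Dict[int, List[str]] = {
        lvl: [m.name for m in members if m.priority == lvl and m.up] for lvl in levels}
    primaries = up_at[levels[0]]
    # Assumption: the backup set is the next lower priority level with a member up.
    backups = next((up_at[lvl] for lvl in levels[1:] if up_at[lvl]), [])
    if min_active is None:
        return primaries or backups    # default: backups only when every primary is down
    if len(primaries) >= min_active:
        return primaries               # enough primaries are still active
    return backups if skip_pri_set else primaries + backups


def sample(rs1_up: bool = True, primaries_up: bool = True) -> List[Member]:
    # Constructed service group: three primaries (priority 5), two backups (priority 1).
    return [Member("rs1:80", 5, rs1_up and primaries_up), Member("rs2:80", 5, primaries_up),
            Member("rs3:80", 5, primaries_up), Member("rs4:80", 1), Member("rs5:80", 1)]


def scenarios() -> dict:
    return {
        "all_up": candidates(sample()),
        "one_primary_down": candidates(sample(rs1_up=False)),
        "all_primaries_down": candidates(sample(primaries_up=False)),
        "min_active_3_keep_primaries": candidates(sample(rs1_up=False), "least-connection", 3),
        "min_active_3_skip_pri_set": candidates(sample(rs1_up=False), "least-connection", 3, True),
        "min_active_3_round_robin": candidates(sample(rs1_up=False), "round-robin", 3),
        "min_active_2_satisfied": candidates(sample(rs1_up=False), "least-connection", 2),
    }
```

The round-robin case is the one to watch in a change review: because skip-pri-set is forced on, losing one primary below the min-active-member threshold moves all traffic to the backups, even though two primaries are still healthy.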
Parameter: Reset after server selection failure
Description and Syntax: Sends a TCP reset (RST) to clients if server selection fails.
[no] reset-on-server-selection-fail
Config > Service > SLB > Service Group
Note: For more information about this option, see “Sending a Reset After Server Selection Failure” on page 905.
Supported Values: Enabled or disabled. Default: disabled

Parameter: Statistics collection
Description and Syntax: Enables or disables collection of statistical data for the service group.
stats-data-enable
stats-data-disable
Config > Service > SLB > Service Group
Supported Values: Enabled or disabled. Default: enabled
Virtual Server Parameters
TABLE 50 Virtual Server Parameters (Continued)
Columns: Parameter | Description and Syntax | Supported Values | Configurable in Virtual Server Template?
Parameter: Virtual service port number and service type
Description and Syntax: Service port number and service type.
[no] port port-num service-type
Config > Service > SLB > Virtual Server - Port
Service type can be one of the following:
• fast-http – Streamlined Hypertext Transfer Protocol (HTTP) service
• ftp – File Transfer Protocol
• http – HTTP
• https – Secure HTTP (SSL)
• mms – Multimedia Messaging Service
• rtsp – Real Time Streaming Protocol
• sip – Session Initiation Protocol
• smtp – Simple Mail Transfer Protocol
• ssl-proxy – SSL proxy service
• tcp – Transmission Control Protocol
• udp – User Datagram Protocol
• others – Wildcard port used for IP protocol load balancing. (For more information, see “IP Protocol Load Balancing” on page 269.)
(For parameters you can set on the service port, see “Virtual Service Port Parameters” on page 887.)
Note: Fast-HTTP is optimized for very high performance information transfer in comparison to regular HTTP. Due to this optimization, fast-HTTP does not support all the comprehensive capabilities of HTTP such as header insertion and manipulation. It is recommended not to use fast-HTTP for applications that require complete data transfer integrity.
Supported Values: Port number: 0-65535. Service type: fast-http, ftp, http, https, mms, rtsp, sip, smtp, ssl-proxy, tcp, udp, or others. Default: None configured
Configurable in Virtual Server Template?: N/A

Parameter: ARP disable
Description and Syntax: Disables or re-enables ARP replies from a virtual server.
[no] arp-disable
Config > Service > SLB > Virtual Server
Supported Values: Enabled or disabled. Default: Disabled; ARP replies are enabled.
Configurable in Virtual Server Template?: No

Parameter: HA group ID
Description and Syntax: HA group ID to use for session backup.
[no] ha-group group-id
Config > Service > SLB > Virtual Server
Supported Values: 1-31. Default: Not set
Configurable in Virtual Server Template?: No
Parameter: VIP-based High Availability (HA) failover
Description and Syntax: Enables dynamic failover based on server weight. The configured amount is subtracted from the HA group’s priority value for each real server that goes down.
[no] ha-dynamic server-weight
Config > Service > SLB > Virtual Server
Supported Values: 1-255. Default: Not set
Configurable in Virtual Server Template?: No

Parameter: OSPF redistribution
Description and Syntax: Explicitly include or exclude the VIP in OSPF redistribution.
Setting this option enables you to selectively redistribute individual VIPs. Without this option, the VIP is automatically redistributed if VIP redistribution is enabled in OSPF.
• To redistribute a VIP, set this option on the VIP, and enter the following command at the OSPF configuration level: redistribute vip only-flagged
• To exclude this VIP from redistribution, set this option on the VIP, and enter either of the following commands at the OSPF configuration level: redistribute vip only-not-flagged or redistribute vip
[no] redistribution-flagged
Note: The current release does not support configuration of this option using the GUI.
Supported Values: Set or not set. Default: Not set
Configurable in Virtual Server Template?: No

Parameter: Statistics collection
Description and Syntax: Enables or disables collection of statistical data for the virtual server.
stats-data-enable
stats-data-disable
Config > Service > SLB > Virtual Server
Supported Values: Enabled or disabled. Default: enabled
Configurable in Virtual Server Template?: No
Virtual Service Port Parameters
TABLE 51 Virtual Service Port Parameters (Continued)
Columns: Parameter | Description and Syntax | Supported Values | Configurable in Virtual Port Template?
Parameter: Virtual service port state
Description and Syntax: State of the virtual service port.
[no] {disable | enable}
Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: Enabled or disabled. Default: Enabled
Configurable in Virtual Port Template?: No

Parameter: Virtual port template
Description and Syntax: Configuration template of virtual port parameters.
[no] template virtual-port template-name
Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: Name of a configured virtual port template. Default: “Default” virtual port template
Configurable in Virtual Port Template?: N/A

Parameter: Service group
Description and Syntax: Service group bound to the virtual service port. The AX device uses real servers and ports in the service group to fulfill requests for the virtual service port.
[no] service-group group-name
Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: Name of a configured service group. Default: Not set
Configurable in Virtual Port Template?: No

Parameter: Template
Description and Syntax: Connection or application template to use for service port parameters.
[no] template template-type template-name
Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: Template type: One of the types described in “Service Template Parameters” on page 829. Template name: Name of a configured template. Default: Depends on whether the template type has a default and whether the service type uses that template type. (See “Service Template Parameters” on page 829.)
Configurable in Virtual Port Template?: N/A
Parameter: Access Control List (ACL)
Description and Syntax: ID of an ACL.
If you do not also specify a NAT pool name, the ACL is used to deny or permit inbound traffic on the service port.
If you do specify a NAT pool name, the ACL does not permit or deny traffic. Instead, it binds the source addresses in the ACL to the NAT pool. The NAT pool is used only for the client addresses in the ACL.
[no] access-list acl-num [source-nat-pool pool-name]
Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: Valid standard or extended ACL ID. Default: None
Configurable in Virtual Port Template?: No

Parameter: aFleX policy
Description and Syntax: aFleX policy to use for custom SLB processing.
[no] aflex aflex-name
Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: Name of a configured aFleX policy. Default: None
Configurable in Virtual Port Template?: No

Parameter: Connection limit
Description and Syntax: Number of concurrent connections allowed on the virtual service port.
By default, after the connection limit is exceeded, new connections are silently dropped and no reset is sent to the client. You can use the reset option to send a connection reset to the client instead.
[no] conn-limit number [reset] [no-logging]
Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: 0-8000000 (8 million). 0 means no limit. Default: Not set. When the feature is enabled, the reset option is disabled and logging is enabled.
Configurable in Virtual Port Template?: Yes, but the range is 1-1048575

Parameter: Session synchronization (connection mirroring)
Description and Syntax: Backs up session information on the Standby AX device in an HA configuration. When this option is enabled, sessions remain up even following a failover.
[no] ha-conn-mirror
Config > Service > SLB > Virtual Server - Virtual Server Port
Note: In HA deployments, HA session synchronization is required for persistent sessions (source-IP persistence, and so on), and is therefore automatically enabled for these sessions by the AX device. Persistent sessions are synchronized even if session synchronization is disabled in the configuration.
Supported Values: Enabled or disabled. Default: Disabled
Configurable in Virtual Port Template?: No
Parameter: Direct Server Return (DSR)
Description and Syntax: Disables destination NAT, so that server responses go directly to clients.
[no] no-dest-nat
Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: Enabled or disabled. Default: Disabled; destination NAT is enabled.
Configurable in Virtual Port Template?: No

Parameter: Policy-based SLB (PBSLB)
Description and Syntax: Uses a black/white list to allow or deny clients who request the service port, select service groups for allowed clients, and drop or reset connections if the connection limit is reached.
[no] pbslb bw-list name
[no] pbslb id id {service service-group-name | drop | reset} [logging [minutes [fail]]]
[no] pbslb over-limit {drop | reset}
Note: In the GUI, PBSLB can only be configured and applied using PBSLB policy templates.
Note: If the option to use default selection if preferred server selection fails is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.
(For information about PBSLB, see “Policy-Based SLB (PBSLB)” on page 761.)
Supported Values: Name of a configured black/white list. The list must be imported onto the AX device. Default: Not set
Configurable in Virtual Port Template?: No

Parameter: Source NAT
Description and Syntax: Name of a pool of IP addresses to use for Network Address Translation (NAT).
[no] source-nat pool pool-name
Config > Service > SLB > Virtual Server - Virtual Server Port
Note: This option is not applicable to the mms or rtsp service types.
Supported Values: Name of a configured source NAT pool. Default: Not set
Configurable in Virtual Port Template?: No
Parameter: VIP Source NAT
Description and Syntax: Enables IP NAT support for the VIP.
Source IP NAT can be configured on a virtual port in the following ways:
• ACL-Source NAT binding at the virtual port level
• VIP source NAT at the global configuration level
• aFleX policy bound to the virtual port
• Source NAT pool at the virtual port level
These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and the VIP source NAT is also enabled globally, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, the globally configured VIP source NAT can be used instead.
[no] snat-on-vip
Config > Service > SLB > Virtual Server - Virtual Server Port
Note: The current release does not support source IP NAT on FTP or RTSP virtual ports.
Supported Values: Enabled or disabled. Default: Disabled
Configurable in Virtual Port Template?: No

Parameter: Software-based protection against TCP SYN flood attacks
Description and Syntax: Protects against TCP SYN floods.
[no] syn-cookie [sack]
Config > Service > SLB > Virtual Server - Virtual Server Port
Note: If hardware-based SYN cookies are supported on the AX model you are configuring, use that version of the feature instead. (See “SYN Cookies” on page 728.)
Supported Values: Enabled or disabled. Default: Disabled
Configurable in Virtual Port Template?: No
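The syn-cookie row only names the feature. As an added illustration of what a SYN cookie is (example code written for this page; it is not A10's implementation, whose cookie format is not described here), the following Python builds the server's initial sequence number for the SYN-ACK from a keyed hash of the connection 4-tuple plus a coarse time counter and an encoded MSS, so the device keeps no state for half-open connections and can validate the client's final ACK from the cookie alone. The secret, addresses, ports and times are constructed, and the MSS table, 64-second time unit and 2-unit maximum age are assumptions of this example; the sack option of the AX command is not modelled.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

# MSS values that fit the 3-bit field of the cookie (constructed table for this example).
MSS_TABLE = (536, 1024, 1220, 1440, 1460)
TIME_UNIT_S = 64           # the 5-bit counter advances once per 64 seconds
MAX_AGE_UNITS = 2          # cookies older than this are rejected


def _mac24(secret: bytes, saddr: str, daddr: str, sport: int, dport: int, t: int) -> int:
    """24-bit keyed hash of the 4-tuple and the time counter (HMAC-SHA256, truncated)."""
    msg = struct.pack("!4s4sHHB", ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed, sport, dport, t)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                client_mss: int, now_s: int) -> int:
    """Server ISN for the SYN-ACK: 5 bits time, 3 bits MSS index, 24 bits MAC."""
    t = (now_s // TIME_UNIT_S) & 0x1F
    idx = 0
    for i, mss in enumerate(MSS_TABLE):     # largest table value the client accepts
        if mss <= client_mss:
            idx = i
    return (t << 27) | (idx << 24) | _mac24(secret, saddr, daddr, sport, dport, t)


def check_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                 ack: int, now_s: int) -> Optional[int]:
    """Validate the client's ACK; return the negotiated MSS, or None to drop the ACK."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the ACK acknowledges our ISN + 1
    t = cookie >> 27
    age = (((now_s // TIME_UNIT_S) & 0x1F) - t) & 0x1F
    if age > MAX_AGE_UNITS:
        return None                          # stale (or forged) timestamp
    if _mac24(secret, saddr, daddr, sport, dport, t) != (cookie & 0xFFFFFF):
        return None                          # MAC mismatch: not a cookie we issued
    return MSS_TABLE[(cookie >> 24) & 0x7]


def demo() -> dict:
    """Constructed handshake: SYN from 203.0.113.5 to the VIP 198.51.100.10:80."""
    secret = b"constructed-secret-for-the-example"
    src, vip, sport, dport, now = "203.0.113.5", "198.51.100.10", 40000, 80, 1_000_000
    syn_ack_seq = make_cookie(secret, src, vip, sport, dport, 1460, now)   # nothing stored
    ack = (syn_ack_seq + 1) & 0xFFFFFFFF                                   # client's 3rd packet
    return {
        "valid": check_cookie(secret, src, vip, sport, dport, ack, now + 30),
        "wrong_port": check_cookie(secret, src, vip, sport + 1, dport, ack, now + 30),
        "forged_bit": check_cookie(secret, src, vip, sport, dport, ack ^ 0x10, now + 30),
        "stale": check_cookie(secret, src, vip, sport, dport, ack, now + 5 * TIME_UNIT_S),
        "small_mss": check_cookie(secret, src, vip, sport, dport,
                                  make_cookie(secret, src, vip, sport, dport, 1200, now) + 1, now),
    }
```

The trade-off this shows is why the table recommends the hardware version where available: every SYN still costs a keyed hash, and because the cookie only has room for a coarse MSS choice and no other TCP options, connections completed from a cookie lose option information unless extra encoding (such as the sack option's timestamp trick) is used.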
Parameter: Use receive hop for responses
Description and Syntax: Sends replies to clients back through the last hop on which the request for the virtual port's service was received.
[no] use-rcv-hop-for-resp
Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: Enabled or disabled. Default: Disabled
Configurable in Virtual Port Template?: No
Parameter: Reset after server selection failure
Description and Syntax: Sends a TCP reset (RST) to clients if server selection fails.
  [no] reset-on-server-selection-fail
  Config > Service > SLB > Virtual Server - Virtual Server Port
  Note: For more information about this option, see “Sending a Reset After Server Selection Failure” on page 905.
Supported Values: Enabled or disabled. Default: disabled
Configurable in Virtual Port Template? No

Parameter: Default forwarding after server selection failure
Description and Syntax: Forwards client traffic at Layer 3, if SLB server selection fails.
  Note: This option applies only to wildcard VIPs (VIP address 0.0.0.0).
  [no] use-default-if-no-server
  Config > Service > SLB > Virtual Server - Virtual Server Port
Supported Values: Enabled or disabled. Default: disabled. If SLB server selection fails, the traffic is dropped.
Configurable in Virtual Port Template? No

Parameter: Default selection if preferred server selection fails
Description and Syntax: Continues checking for an available server in other service groups if all of the servers are down in the first service group selected by SLB.
  During SLB selection of the preferred server to use for a client request, SLB checks the following configuration areas, in the order listed:
  (cont.)
Supported Values: Enabled or disabled. Default: Enabled
Configurable in Virtual Port Template? No
Parameter: Default selection if preferred server selection fails (cont.)
Description and Syntax:
  3. Default service group. If none of the items above results in selection of a server, the default service group is used.
     • If the configuration uses only one service group, this is the default service group.
     • If the configuration uses multiple service groups, the default service group is the one that is used if none of the templates used by the configuration selects another service group instead.
You can use DNS to simplify real server creation, by specifying a DNS
hostname instead of an IP address. In this case, the AX device periodically
sends a DNS query for the hostname’s IP address, and dynamically creates a
real server with the IP address returned by DNS. The AX device also creates
a service-group member for the server, in each service group that contains
the server.
To create and maintain dynamic real servers, the AX device sends a DNS
query for each hostname real server, at a configurable interval.
• If the DNS server replies with an Address (A) record for a hostname real
server, the AX device creates the server or, if the server is already
created, the AX device refreshes its TTL. The AX device also creates
service-group members for the server and its ports.
• If the DNS server replies with a CNAME record, the AX device also
sends a DNS query for the CNAME.
The AX device supports multiple servers with the same hostname. For
example, if the DNS server replies with a different IP address for a
hostname real server that has already been created, the AX device creates a
second real server with the same hostname and the new IP address.
The AX device sets a server’s initial TTL when the server is created. The
initial TTL value is the greater of the following:
• TTL value in the DNS reply
Template Options for Dynamically Created Real Servers
If the TTL reaches 0, the dynamically created server is removed. If the DNS
server replies with the IP address after this, the server is dynamically
created again.
Note: When a dynamically created real server ages out, only that instance of the
server (its port and service group member) is removed. Other instances
(other IP addresses) for the same server (hostname) are not removed,
unless they also age out. The real server configuration that you entered,
used by the AX device to dynamically create servers, is not removed.
Note: These template options take effect when you apply a template to a
dynamic server configuration. After this, any dynamic real servers that
are created using the dynamic server configuration use the template
values that were set when the template was applied to the dynamic server
configuration, even if the values are later changed in the template.
• max-dynamic-server – Specifies the maximum number of real servers
that can be dynamically created for a given hostname. You can specify
1-1023. The default is 255. After the maximum number of servers is
created, the AX device deletes the oldest servers, as determined by the time
they were created, to make room for new ones.
• min-ttl-ratio – Specifies the minimum initial value for the TTL of
dynamic real servers. This option prevents dynamic real servers from
aging out too quickly due to a small TTL value from the DNS server.
To calculate the minimum TTL value for a dynamic real server, the AX
device multiplies the dns-query-interval by the min-ttl-ratio. For
example, if the min-ttl-ratio is 2 and the dns-query-interval is 10 minutes (600
seconds), then the minimum TTL for dynamic real servers is 1200 seconds.
The min-ttl-ratio can be 2-15. The default is 2.
Note: Settings that also apply to static servers and ports, such as connection and
rate limits, apply individually to each dynamically created server or port.
For example, the connection-rate limit configured in a server template
applies individually to each dynamically created server for a given
hostname. The limit is not applied collectively to all dynamically created
servers for the hostname.
Configuring Dynamic Real Server Creation
3. Enter a name for the dynamic real server in the Name field.
5. Configure additional options for the real server and add ports, as
applicable to your deployment.
To configure server options for dynamic real servers, use the following
commands at the configuration level for a server template:
dns-query-interval minutes
This command specifies how often the AX device sends DNS queries for
the IP addresses of dynamic real servers. You can specify 1-1440 minutes
(one day). The default is 10 minutes.
dynamic-server-prefix string
Changes the prefix added to the front of dynamically created servers. You
can specify a string of 1-3 characters. The default is “DRS”, for Dynamic
Real Servers.
max-dynamic-server num
This command specifies the maximum number of dynamic real servers that
can be created for a given hostname. You can specify 1-1023. The default is
255.
min-ttl-ratio num
This command specifies the minimum initial value for the TTL of dynamic
real servers. The AX device multiplies this value by the TTL in the DNS
reply to calculate the minimum TTL value to assign to the dynamically
created server. The min-ttl-ratio can be 2-15. The default is 2.
To configure server port options for dynamic real servers, use the following
command at the configuration level for a server port template:
dynamic-member-priority num decrement delta
The num option sets the initial TTL for dynamically created service-group
members, and can be 1-16. The delta option specifies how much to
decrement the TTL if the IP address is not included in the DNS reply, and can be
0-7. When configuring the service group, add the port template to the
member. The default priority value is 16 and the default delta is 0.
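The dynamic real server lifecycle that the template options and commands above describe, as an added Python example that is not A10 code: it applies only the rules stated in the text (initial TTL is the greater of the DNS reply TTL and dns-query-interval multiplied by min-ttl-ratio, aging to 0 removes an instance, oldest servers are evicted at max-dynamic-server) and the DRS-ip-hostname naming seen in the show output later in this section; the class and function names are assumptions.

```python
"""Simulation of the dynamic real server lifecycle (added example, not A10 code).
Rules modelled: initial TTL = max(DNS reply TTL, dns-query-interval x min-ttl-ratio),
one dynamic server per (hostname, IP), removal when the TTL reaches 0, and
oldest-first eviction once max-dynamic-server is reached."""
from dataclasses import dataclass, field


@dataclass
class DynamicServerConfig:
    """Server template values; ranges and defaults are those given in the text."""
    dns_query_interval_min: int = 10   # dns-query-interval, 1-1440 minutes
    min_ttl_ratio: int = 2             # min-ttl-ratio, 2-15
    max_dynamic_server: int = 255      # max-dynamic-server, 1-1023
    prefix: str = "DRS"                # dynamic-server-prefix, 1-3 characters

    def __post_init__(self):
        if not 1 <= self.dns_query_interval_min <= 1440:
            raise ValueError("dns-query-interval must be 1-1440 minutes")
        if not 2 <= self.min_ttl_ratio <= 15:
            raise ValueError("min-ttl-ratio must be 2-15")
        if not 1 <= self.max_dynamic_server <= 1023:
            raise ValueError("max-dynamic-server must be 1-1023")
        if not 1 <= len(self.prefix) <= 3:
            raise ValueError("dynamic-server-prefix must be 1-3 characters")

    @property
    def interval_sec(self) -> int:
        return self.dns_query_interval_min * 60

    def min_ttl(self) -> int:
        """Floor for the initial TTL: interval x ratio (2 x 600 s = 1200 s in the text)."""
        return self.interval_sec * self.min_ttl_ratio


@dataclass
class DynamicServer:
    name: str
    ip: str
    ttl: int            # seconds remaining before this instance ages out
    created_at: int     # simulated clock value, used for oldest-first eviction


@dataclass
class HostnameServer:
    """One 'slb server <name> <hostname>' entry and its dynamically created instances."""
    hostname: str
    cfg: DynamicServerConfig
    servers: dict = field(default_factory=dict)   # ip -> DynamicServer
    clock: int = 0                                # simulated seconds elapsed

    def poll(self, a_records: list, reply_ttl: int) -> list:
        """Apply one DNS query cycle. a_records are the IPs in the A-record reply
        (empty if the name did not resolve). Returns the names created this cycle."""
        self.clock += self.cfg.interval_sec
        # Age every instance by one query interval; an instance whose TTL reaches 0
        # is removed. Other IPs (instances) for the same hostname are untouched.
        for ip in list(self.servers):
            srv = self.servers[ip]
            srv.ttl = max(0, srv.ttl - self.cfg.interval_sec)
            if srv.ttl == 0:
                del self.servers[ip]
        initial_ttl = max(reply_ttl, self.cfg.min_ttl())
        created = []
        for ip in a_records:
            if ip in self.servers:
                self.servers[ip].ttl = initial_ttl       # already created: refresh its TTL
                continue
            if len(self.servers) >= self.cfg.max_dynamic_server:
                oldest = min(self.servers.values(), key=lambda s: s.created_at)
                del self.servers[oldest.ip]             # make room, oldest first
            name = f"{self.cfg.prefix}-{ip}-{self.hostname}"
            self.servers[ip] = DynamicServer(name, ip, initial_ttl, self.clock)
            created.append(name)
        return created

    def names(self) -> list:
        """Names of the current dynamic instances, sorted for stable output."""
        return sorted(s.name for s in self.servers.values())


if __name__ == "__main__":
    # Values from the CLI example in this section: interval 5 min, ratio 3, max 16.
    host = HostnameServer("s1.test.com", DynamicServerConfig(5, 3, 16))
    print(host.poll(["10.4.2.5"], reply_ttl=300), host.servers["10.4.2.5"].ttl)
```

With the values in the show output below (interval 5 minutes, ratio 15) the floor is 300 x 15 = 4500, which is the TTL that output reports.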
To display information about dynamically created real servers, use the
following commands:
• show slb server server-name detail
CLI Example
The following commands configure hostname server parameters in a server
port template and a server template:
AX(config)#slb template port temp-port
AX(config-rport)#dynamic-member-priority 12
AX(config-rport)#exit
AX(config)#slb template server temp-server
AX(config-rserver)#dns-query-interval 5
AX(config-rserver)#min-ttl-ratio 3
AX(config-rserver)#max-dynamic-server 16
AX(config-rserver)#exit
The following commands configure a hostname server, add a port to it, and
bind the server template to it:
AX(config)#slb server s-test1 s1.test.com
AX(config-real server)#template server temp-server
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit
The following commands configure a service group and add the hostname
server and static server to it. The port template is bound to the member for
the hostname server and port.
AX(config)#slb service-group sg-test tcp
AX(config-slb svc group)#member s-test1:80 template temp-port
AX(config-slb svc group)#member s-test2:80
AX(config-slb svc group)#exit
The following command adds the DNS server to use for resolving the real
server hostname into server IP addresses:
AX(config)#ip dns primary 10.10.10.10
Total request: 1919
Total request success: 1877
Total forward bytes: 546650
Total forward packets: 5715
Total reverse bytes: 919730
Total reverse packets: 5631
Dynamic server name: DRS-10.4.2.5-s1.test.com
Last DNS reply: Tue Nov 17 03:41:59 2009
TTL: 4500
State: Up
Server template: test
DNS query interval: 5
Minimum TTL ratio: 15
Maximum dynamic server: 1023
Health check: none
Current connection: 0
Current request: 0
Total connection: 1919
Total request: 1919
Total request success: 1877
Total forward bytes: 546650
Total forward packets: 5715
Total reverse bytes: 919730
Total reverse packets: 5631
The following command displays detailed statistics for the dynamically
created service-group members:
AX#show slb service-group sg-test
Service group name: sg-test State: All Up
Service selection fail drop: 0
Service selection fail reset: 0
Service: DRS-10.4.2.6-s2.test.com:80 UP
Forward packets: 0 Reverse packets: 0
Forward bytes: 0 Reverse bytes: 0
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 0 Response time: 0.00 msec
Total requests succ: 0
Service: DRS-10.4.2.5-s1.test.com:80 UP
Forward packets: 5715 Reverse packets: 5631
Forward bytes: 546650 Reverse bytes: 919730
Current connections: 10 Persistent connections: 0
Current requests: 10 Total requests: 1919
Total connections: 1919 Response time: 0.00 msec
Total requests succ: 1877
Service: s-test1:80 UP
Forward packets: 450 Reverse packets: 360
Forward bytes: 31500 Reverse bytes: 44820
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 90 Response time: 0.00 msec
Total requests succ: 1877
Notes
• The largest supported subnet length is /20.
• Statistics are aggregated for all VIPs in the subnet virtual server.
• The current release supports this feature only for DNS ports on the
default DNS port number (TCP port 53 or UDP port 53).
4. In the IP Address or CIDR Subnet field, enter the subnet address and
network mask, in the following format:
ipaddr/mask-length
Do not use a space before or after the forward slash.
The ipaddr is the starting host address in the range and must be a valid
host address. (For example, entering 192.168.1.0/24 is not valid.)
6. When finished, click OK at the bottom of the VIP creation page. The
VIP appears in the VIP table.
The starting-ip option specifies the beginning IP address in the range. The
subnet-mask | /mask-length option specifies the size of the range.
Note: If you do not specify a network mask, the virtual server is a standard VIP
that has the IP address you specify as the starting-ip address.
CLI Example
The following command configures a set of VIPs for IP addresses 1.1.1.5-
1.1.1.255:
AX(config)#slb virtual-server vs1 1.1.1.5 /24
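The subnet virtual server rules above (starting host address, /mask-length with no surrounding spaces, /20 as the largest supported length, and the 1.1.1.5 /24 example) worked through in an added Python example that is not part of the guide; the function names are assumptions.

```python
"""Subnet VIP range check (added example, not A10 code). Encodes the rules the
text states: 'starting-ip [/mask-length]' covers the VIPs from the starting host
address to the last address of the subnet, the starting address must be a valid
host address, and the largest supported subnet length is /20."""
import ipaddress

LONGEST_SUPPORTED_PREFIX = 20   # "The largest supported subnet length is /20."


def parse_cidr_field(text: str):
    """Parse the GUI field format ipaddr/mask-length (no space around the slash)."""
    if " " in text:
        raise ValueError("do not use a space before or after the forward slash")
    if "/" not in text:
        return text, None              # no mask: a standard single-address VIP
    ip, mask = text.split("/", 1)
    return ip, int(mask)


def subnet_vip_range(starting_ip: str, mask_length=None) -> list:
    """VIP addresses that 'slb virtual-server <name> starting-ip [/mask]' creates."""
    start = ipaddress.IPv4Address(starting_ip)
    if mask_length is None:
        return [start]                 # no mask: the virtual server is a standard VIP
    if not LONGEST_SUPPORTED_PREFIX <= mask_length <= 32:
        raise ValueError(f"/{mask_length}: largest supported subnet length is /20")
    network = ipaddress.IPv4Network(f"{start}/{mask_length}", strict=False)
    if start == network.network_address:
        # The text's example: 192.168.1.0/24 is rejected, .0 is not a host address.
        raise ValueError(f"{start}/{mask_length}: starting address must be a valid host address")
    # The text's example 1.1.1.5 /24 yields 1.1.1.5 through 1.1.1.255, so the
    # range runs to the last address of the subnet, inclusive.
    return [ip for ip in network if ip >= start]


if __name__ == "__main__":
    ip, mask = parse_cidr_field("1.1.1.5/24")
    vips = subnet_vip_range(ip, mask)
    print(f"{vips[0]} - {vips[-1]} ({len(vips)} VIPs)")
```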
• Virtual port
Note: The TCP template reset-rev option also can be used to send a RST to
clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST
in response to a server selection failure. In AX Release 2.2.2 and later, the
new reset-on-server-selection-fail option must be used instead.
• Grey-list clients
• Black-list clients
The virtual port to which clients will send mail traffic is bound to all three
service groups. In addition, the def-selection-if-pref-failed option is
disabled. This option must be disabled so that the AX device does not attempt
to use other configuration areas of the system to select a server, if SLB is
unable to select a server.
A policy template is used to identify the black/white list and the service
group assignments, and is bound to the virtual port.
Note: This example uses a separate server for each client category. However,
traffic for all clients could be sent to the same server. The essential parts
of this solution are use of a separate service group for each client
category, enabling of the reset-on-server-selection-fail option in the white-list
service group, and disabling of the def-selection-if-pref-failed option on
the virtual port.
To enable the option in a service group, use the following command at the
configuration level for the group:
[no] reset-on-server-selection-fail
To enable the option on a virtual port, use the following command at the
configuration level for the port:
[no] reset-on-server-selection-fail
CLI Example
The commands below implement the solution shown in Figure 192 on
page 906.
The match-type server option is useful in cases where the same service is
available on multiple service ports on the server. With this option, if the
server port that a client is using for a persistent session goes down, another
service port of the same service type on the same server can be used.
Figure 193 shows an example.
VIP 192.168.10.11 uses 3 real servers to provide HTTP service. Two of the
servers have a single protocol port for HTTP. However, one of the servers
has HTTP service on multiple service ports.
For a new session, the SLB load-balancing method enabled on the service
group is used to select a server and port for the client (source IP address).
Because source-IP persistence is enabled, subsequent requests from the
same client are always sent to the same server.
In this case, it is possible that a different server will be selected for the next
request. For example, if an admin needs to perform some maintenance on
port 80, and disables that port in order to prevent it from being used for
further requests, persistent sessions on the port and server may not remain
persistent to the same server.
CLI Example
The commands in this section configure the source-IP persistence template
and service group in Figure 193 on page 912.
Overview
This chapter describes how to install SSL keys, certificates, and Certificate
Revocation Lists (CRLs) on the AX device. Installing these SSL resources
on the AX device enables the AX device to provide SSL services on behalf
of real servers.
You can use the AX device to offload SSL processing from servers or, for
some types of traffic, you can use the AX device as an SSL proxy. (For
more information about SSL offload and SSL proxy, see “SSL Offload and
SSL Proxy” on page 225.)
Overview
Some types of client-server traffic need to be encrypted for security. For
example, traffic for online shopping must be encrypted to secure sensitive
account information from being stolen.
Commonly, clients and servers use Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) to secure traffic. For example, a client that is
using a shopping application on a server will encrypt data before sending it
to the server. The server will decrypt the client’s data, then send an
encrypted reply to the client. The client will decrypt the server reply, and so
on.
Note: SSL is an older version of TLS. The AX device supports SSL version 3.0
and TLS version 1.0. The AX device also supports RFC 3268: “AES
Ciphersuites for TLS”. For simplicity, elsewhere this document and other
AX user documents use the term “SSL” to mean both SSL and TLS.
Note: The AX device supports Privacy Enhanced Mail (PEM) format for
certificate files and CRLs. AX SSL processing supports PEM format and RSA
encryption.
SSL Process
SSL works using certificates and keys. Typically, a client will begin a secure
session by sending an HTTPS request to a VIP. The request begins an SSL
handshake. The AX device will respond with a digital certificate, to provide
verification of the content server’s identity. From the client’s perspective,
this certificate comes from the server. Once the SSL handshake is complete,
the client begins an encrypted client-server session with the AX device.
Figure 194 shows a simplified example of an SSL handshake. In this
example, the AX device is acting as an SSL proxy for backend servers.
To begin, the client sends an HTTPS request. The request includes some
encryption details such as the cipher suites supported by the client.
The client browser checks its certificate store (sometimes called the
certificate list) for a copy of the server certificate. If the client does not have a
copy of the server certificate, the client will check for a certificate from the
Certificate Authority (CA) that signed the server certificate.
Certificate Chain
Ultimately, a certificate must be validated by a root CA. Certificates from
root CAs are the most trusted. They do not need to be signed by a higher
(more trusted) CA.
If the CA that signed the certificate is a root CA, the client browser needs a
copy of the root CA’s certificate. If the CA that signed the server certificate
is not a root CA, the client browser should have another certificate or a
certificate chain that includes the CA that signed the CA’s certificate.
A certificate chain contains the “chain” of signed certificates that leads from
the CA to the signature authority that signed the certificate for the server.
Typically, the certificate authority that signs the server certificate also will
provide the certificate chain. Figure 195 shows an example of a certificate
chain containing three certificates:
-----BEGIN CERTIFICATE-----
(base64-encoded root CA certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(base64-encoded intermediary certificate signed by the root CA)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(base64-encoded certificate signed by the intermediate signature authority)
-----END CERTIFICATE-----
The certificate chain file and the server certificate files are text files. Each
certificate must begin with the “-----BEGIN CERTIFICATE-----” line and
end with the “-----END CERTIFICATE-----” line.
The certificate at the top of the certificate chain file is the root CA’s
certificate. The next certificate is an intermediary certificate signed by the root
CA. The next certificate is signed by the intermediate signature authority
that was signed by the root CA.
On the AX device, a client-SSL template can have one certificate chain file.
The certificate chain must begin at the top with the root CA’s certificate,
followed in order by the intermediary certificates. If the certificate authority
that signs the server certificate does not provide the certificate chain in a
single file, you can use a text editor to chain the certificates together in a
single file as shown in Figure 195.
If the client cannot validate the server certificate or the certificate is out of
date, the client’s browser may display a certificate warning. Figure 196
shows an example of a certificate warning displayed by Internet Explorer.
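Assembling and checking a chain file in the layout just described, as an added Python example that is not A10 code: it writes the root CA certificate first and each intermediate in order, every block framed by the BEGIN/END CERTIFICATE lines, and rejects a paste that lost a framing line or part of a body. The certificate bodies it constructs are placeholder bytes, not real certificates; only the file layout is exercised.

```python
"""Certificate chain file builder and checker (added example, not A10 code).
Layout modelled: root CA certificate first, then the intermediates in signing
order, each block framed by the BEGIN/END CERTIFICATE lines in one text file."""
import base64
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem_certificates(text: str) -> list:
    """Return the base64 body of each certificate block, in file order.
    Raises ValueError for a missing END line, text outside a block, or a body
    that is empty or not valid base64 (typical of a paste that lost lines)."""
    bodies, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if current is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an unterminated block")
            current = []
        elif line == END:
            if current is None:
                raise ValueError(f"line {lineno}: END without a matching BEGIN")
            body = "".join(current)
            if not body:
                raise ValueError(f"line {lineno}: empty certificate block")
            try:
                base64.b64decode(body, validate=True)
            except ValueError:   # binascii.Error is a ValueError subclass
                raise ValueError(f"line {lineno}: certificate body is not valid base64")
            bodies.append(body)
            current = None
        elif current is not None:
            current.append(line)
        elif line:
            raise ValueError(f"line {lineno}: text outside a certificate block: {line!r}")
    if current is not None:
        raise ValueError("file ends inside a certificate block (missing END line)")
    return bodies


def build_chain_file(root_pem: str, intermediate_pems: list) -> str:
    """Concatenate the root CA certificate and then each intermediate, in the
    order given, into the single text file a client-SSL template accepts."""
    blocks = []
    for pem in [root_pem, *intermediate_pems]:
        bodies = split_pem_certificates(pem)
        if len(bodies) != 1:
            raise ValueError("each input file must contain exactly one certificate")
        # Re-wrap the body at 64 columns so every block has the standard PEM shape.
        blocks.append("\n".join([BEGIN, *textwrap.wrap(bodies[0], 64), END]))
    return "\n".join(blocks) + "\n"


def constructed_pem(seed: bytes) -> str:
    """Constructed PEM-shaped block from placeholder bytes (NOT a real certificate)."""
    body = base64.b64encode(seed * 12).decode()
    return "\n".join([BEGIN, *textwrap.wrap(body, 64), END]) + "\n"


if __name__ == "__main__":
    chain = build_chain_file(constructed_pem(b"root-ca"),
                             [constructed_pem(b"intermediate-1"),
                              constructed_pem(b"intermediate-2")])
    print(chain)
    print(len(split_pem_certificates(chain)), "certificates, root first")
```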
CA-Signed and Self-Signed Certificates
SSL Templates
You can install more than one key-certificate pair on the AX device. The
AX device selects the certificate(s) to send a client or server based on the
SSL template bound to the VIP. You can bind the following types of SSL
templates to VIPs:
• Client-SSL template – Contains keys and certificates for SSL-encrypted
traffic between clients and the AX device. A client-SSL template can
also contain a certificate chain.
• Server-SSL template – Contains CA certificates for SSL-encrypted
traffic between servers and the AX device.
For the simple deployment example in Figure 194 on page 916, only the
first option (Certificate) needs to be configured. You may also need to
configure the Certificate chain option.
• Certificate – Specifies a server certificate that the AX device will send
to a client, so that the client can validate the server’s identity. The
certificate can be generated on the AX device (self-signed) or can be signed
by another entity and imported onto the AX device.
• Key – Specifies a public key for a server certificate. If the CSR used to
request the server certificate is generated on the AX device, the key is
automatically generated. Otherwise, the key must be imported.
• Certificate chain – Specifies a named set of server certificates beginning
with a root CA certificate, and containing all the intermediary
certificates in the authority chain that ends with the authority that signed the
server certificate. (See “Certificate Chain” on page 917.)
• CA certificate – Specifies a CA certificate that the AX device can use to
validate the identity of a client. A CA certificate is needed only if the
AX device will be required to validate the identities of clients. If CA
certificates are required for this purpose, they must be imported onto the
AX device. The AX device is not configured at the factory to contain a
certificate store.
• Certificate Revocation List (CRL) – Specifies a list of client certificates
that have been revoked by the CAs that signed them. This option is
applicable only if the AX device will be required to validate the
identities of clients.
Note: The CRL should be signed by the same issuer as the CA certificate.
Otherwise, the client and AX device will not be able to establish a
connection.
• Connection-request response – Specifies the AX response to connection
requests from clients. This option is applicable only if the AX device
will be required to validate the identities of clients. The response can be
one of the following:
• ignore (default) – The AX device does not request the client to send
its certificate.
• request – The AX device requests the client to send its certificate.
With this action, the SSL handshake proceeds even if either of the
following occurs:
• The client sends a NULL certificate (one with zero length).
• The certificate is invalid, causing client verification to fail.
Use this option if you want the request to trigger an aFleX policy
for further processing.
• require – The AX device requires the client certificate. This action
requests the client to send its certificate. However, the SSL
handshake does not proceed (it fails) if the client sends a NULL
certificate or the certificate is invalid.
• Cipher list – Specifies the cipher suites supported by the AX device.
When the client sends its connection request, it also sends a list of the
cipher suites it can support. The AX device selects the strongest cipher
suite supported by the client that is also enabled in the template, and
uses that cipher suite for traffic with the client. By default, all the
following are enabled:
• SSL3_RSA_DES_192_CBC3_SHA
• SSL3_RSA_DES_40_CBC_SHA
• SSL3_RSA_DES_64_CBC_SHA
• SSL3_RSA_RC4_128_MD5
• SSL3_RSA_RC4_128_SHA
• SSL3_RSA_RC4_40_MD5
• TLS1_RSA_AES_128_SHA
• TLS1_RSA_AES_256_SHA
• TLS1_RSA_EXPORT1024_RC4_56_MD5
• TLS1_RSA_EXPORT1024_RC4_56_SHA
• Session cache size – Specifies the maximum number of cached sessions for
SSL session ID reuse.
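The cipher-list selection rule and the default-enabled list above as an added Python example that is not A10 code: it picks the strongest suite present in both the client's offer and the template, and shows which default suites a hardened template would leave disabled. The strength ranking is an assumption derived from the key sizes in the suite names, since the guide does not give the device's own ordering.

```python
"""Cipher suite selection against a client-SSL template (added example, not A10 code).
The AX rule modelled: use the strongest suite the client offers that is also enabled
in the template. STRENGTH_ORDER is an assumed ranking by key size in the suite name."""
import re
from typing import Optional

# The ten suites the text lists as enabled by default.
DEFAULT_ENABLED = [
    "SSL3_RSA_DES_192_CBC3_SHA",
    "SSL3_RSA_DES_40_CBC_SHA",
    "SSL3_RSA_DES_64_CBC_SHA",
    "SSL3_RSA_RC4_128_MD5",
    "SSL3_RSA_RC4_128_SHA",
    "SSL3_RSA_RC4_40_MD5",
    "TLS1_RSA_AES_128_SHA",
    "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5",
    "TLS1_RSA_EXPORT1024_RC4_56_SHA",
]

# Assumed strength order, strongest first: key size from the name, then AES over
# 3DES over RC4, then SHA over MD5. Not the device's own table.
STRENGTH_ORDER = [
    "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_AES_128_SHA",
    "SSL3_RSA_DES_192_CBC3_SHA",
    "SSL3_RSA_RC4_128_SHA",
    "SSL3_RSA_RC4_128_MD5",
    "SSL3_RSA_DES_64_CBC_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5",
    "SSL3_RSA_DES_40_CBC_SHA",
    "SSL3_RSA_RC4_40_MD5",
]
RANK = {suite: i for i, suite in enumerate(STRENGTH_ORDER)}


def key_bits(suite: str) -> int:
    """Key size embedded in the suite name (the _NNN_ field, e.g. RC4_128 -> 128)."""
    match = re.search(r"_(\d+)_", suite)
    return int(match.group(1)) if match else 0


def select_cipher(client_offered: list, template_enabled: list) -> Optional[str]:
    """Strongest suite in both lists, or None when they share none (handshake fails)."""
    common = [s for s in client_offered if s in template_enabled]
    if not common:
        return None
    return min(common, key=lambda s: RANK.get(s, len(RANK)))   # unknown suites rank last


def weak_suites(enabled: list) -> list:
    """Suites whose key size is below 128 bits (40-bit, 56-bit export and single DES)."""
    return [s for s in enabled if key_bits(s) < 128]


def hardened_cipher_list(enabled: list) -> list:
    """The enabled list with the weak suites removed: what a template would keep."""
    return [s for s in enabled if key_bits(s) >= 128]


if __name__ == "__main__":
    # Constructed client offer: a browser that only proposes a 40-bit suite.
    offer = ["SSL3_RSA_RC4_40_MD5"]
    print("default template:", select_cipher(offer, DEFAULT_ENABLED))
    print("hardened template:", select_cipher(offer, hardened_cipher_list(DEFAULT_ENABLED)))
    print("disabled by hardening:", weak_suites(DEFAULT_ENABLED))
```

With the default list a client that offers only a 40-bit suite still completes the handshake at 40 bits; with the hardened list the same offer yields no common suite.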
Server-SSL Template Options
This section gives an overview of the process for each type of certificate.
Detailed procedures are provided later in this chapter.
3. Submit the CSR to the CA.
If the CSR was created on the AX device, do one of the following:
• Copy and paste the CSR from the AX CLI or GUI onto the CSR
submission page of the CA server.
• Export the CSR to another device, such as the PC from which you
access the AX CLI or GUI. Email the CSR to the CA, or
copy-and-paste it onto the CSR submission page of the CA server.
If the CSR was created on another device, email the CSR to the CA, or
copy-and-paste it onto the CSR submission page of the CA server.
4. After receiving the signed certificate and the CA’s public key from the
CA, import them onto the AX device.
• If the key and certificate are provided by the CA in separate files
(PKCS #7 format), import the certificate. You do not need to import
the key if the CSR was created on the AX device. In this case, the
key is already on the AX device. If the certificate is not in PEM
format, specify the certificate format (type) when you import it.
If the CSR was not created on the AX device, you do need to import
the key also.
• If the key and certificate are provided by the CA in a single file
(PKCS #12 format), specify the certificate format (type) when you
import it. If the CSR was not created on the AX device, you need to
import the key also.
See “Converting SSL Certificates to PEM Format” on page 937.
5. If applicable, import the certificate chain onto the AX device. The
certificate chain must be a single text file, beginning with a root CA’s
certificate at the top, followed in order by each intermediate signing
authority’s certificate. (See “Certificate Chain” on page 917.)
Figure 197 shows the most common way to obtain and install a CA-signed
certificate onto the AX device. You also may need to install a certificate
chain file.
FIGURE 197 Obtaining and Installing Signed Certificate from CA
Generating a Key and CSR for a CA-Signed Certificate
3. Click Create.
6. Enter the rest of the certificate information in the remaining fields of the
Certificate section.
Note: If you need to create a request for a wildcard certificate, use an asterisk as
the first part of the common name. For example, to request a wildcard
certificate for domain example.com and its sub-domains, enter the following
common name: *.example.com
7. Enter a passphrase.
8. From the Key drop-down list, select the length (bits) for the key.
9. Click OK. The AX device generates the certificate key and the
certificate signing request (CSR), and displays the CSR. The CSR is displayed
in the Request Text field.
Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in Internet Explorer, hold the Ctrl
key while clicking Download.
b. Click Save.
c. Navigate to the save location.
d. Click Save again.
Note: If you prefer to copy-and-paste the CSR, make sure to include everything,
including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END
CERTIFICATE REQUEST-----”.
11. When you receive the certificate from the CA, import it onto the AX
device. (See “Importing a Certificate and Key” on page 928.)
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file
• Country, 2 characters
Note: If you need to create a request for a wildcard certificate, use an asterisk as
the first part of the common name. For example, to request a wildcard
certificate for domain example.com and its sub-domains, enter the following
common name: *.example.com
After the CSR is generated, send the CSR to the CA. After you receive the
signed certificate from the CA, use the import command to import the
signed certificate onto the AX device. The key does not need to be imported. The key is
generated along with the CSR.
The following commands generate and export a CSR, then import the
signed certificate.
AX(config)#slb ssl-create csr slbcsr1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?slbcsr1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcsr1
input Division, 0~31:div1
input Organization, 0~63:org2
input Locality, 0~31:westcoast
input State or Province, 0~31:ca
input Country, 2 characters:us
input email address, 0~64:axadmin@example.com
input Pass Phrase, 0~31:csrpword
Confirm Pass Phrase:csrpword
AX(config)#import ssl-cert ca-signedcert1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?ca-signedcert1
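The same workflow can be rehearsed on a workstation with openssl, which makes it possible to inspect the request before it goes to the CA and to check the returned certificate against the key before importing it. The following is an added example, not code from the AX guide; it assumes openssl is in PATH, and the file names, the 2048-bit key size and the wildcard CN are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the AX guide): generate a key and CSR with openssl,
# inspect the CSR, and verify a CA-signed certificate matches the key.
# Assumes openssl in PATH; file names and the CN are assumptions.
set -eu

# gen_csr KEYFILE CSRFILE CN : 2048-bit RSA key plus a CSR with the given CN
# (use "*.example.com" for a wildcard request, as the guide describes).
gen_csr() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  chmod 600 "$1"                        # unencrypted key: protect the file
  openssl req -new -key "$1" -out "$2" \
    -subj "/C=US/ST=CA/L=WestCoast/O=Org2/OU=Div1/CN=$3"
}

# csr_cn CSRFILE : print the CN the CA will place in the certificate.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_bits CSRFILE : print the RSA modulus size; reject anything under 2048.
csr_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_matches_key CERTFILE KEYFILE : succeed only if the certificate's public
# key has the same modulus as the private key. A mismatch means the CA signed a
# different CSR (or the wrong file was returned); importing it would leave the
# VIP with a certificate that cannot complete a TLS handshake.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -modulus)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Run cert_matches_key on the file the CA returns and on the key you generated; only import the pair when it succeeds.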
Importing a Certificate and Key
Note: If you are importing a CA-signed certificate for which you used the AX
device to generate the CSR, you do not need to import the key. The key is
automatically generated on the AX device when you generate the CSR.
f. Click Open. The path and filename appear in the Source field.
g. If applicable, repeat the steps above for the private key.
h. Click OK. The certificate and key appear in the certificate and key
list.
To import a certificate and its key, or a certificate chain, use the following
command at the global Config level of the CLI:
[no] slb ssl-load
{certificate cert-name [type {der | pem | pfx}] |
private-key key-name} url
The url specifies the file transfer protocol, username (if required), directory
path, and filename.
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password. To enter the
entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file
Only scp (and, for certificates, https) protects the transfer. tftp, ftp, rcp
and http send the file in cleartext, so use scp when importing a private key.
Alternatively, you can use the following commands at the Privileged EXEC
or global Config level of the CLI:
import ssl-cert file-name url
import ssl-key file-name url
Generating a Self-Signed Certificate
3. Click Create.
6. Enter the rest of the certificate information in the remaining fields of the
Certificate section.
Note: If you need to create a wildcard certificate, use an asterisk as the first
label of the common name. For example, to create a wildcard certificate for
domain example.com and its subdomains, enter the following common
name: *.example.com
7. From the Key drop-down list, select the length (bits) for the key.
8. Click OK. The AX device generates the self-signed certificate and its
key. The new certificate and key appear in the certificate list. The certif-
icate is ready to be used in client-SSL and server-SSL templates.
The Country field must be exactly 2 characters (for example, US).
Note: If you need to create a wildcard certificate, use an asterisk as the first
label of the common name. For example, to create a wildcard certificate for
domain example.com and its subdomains, enter the following common
name: *.example.com
The key length, common name, and number of days the certificate is valid
are required. The other information is optional. The default key length is
1024 bits. The default number of days the certificate is valid is 730.
Choose 2048 bits: 512-bit and 1024-bit RSA keys are no longer considered
secure, and public CAs no longer sign certificates for them.
The following commands create a self-signed certificate named “slbcert1”
and verify the configuration:
AX(config)#slb ssl-create certificate slbcert1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcert1
input Division, 0~31:Div1
input Organization, 0~63:Org2
input Locality, 0~31:WestCoast
input State or Province, 0~31:CA
input Country, 2 characters:US
input email address, 0~64:axadmin@example.com
input valid days, 30~3650, default 730:<Enter>
AX(config)#show slb ssl cert
name: slbcert1
type: certificate/key
Common Name: slbcert1
Organization: Org2
Expiration: Apr 10 00:34:34 2010 GMT
Issuer: Self
key size: 1024
Importing a CRL
To import a CRL, place it on the PC that is running the GUI or CLI session,
or onto a PC or file server that can be locally reached over the network.
3. Click Import.
5. Click Open. The path and filename appear in the Source field.
6. Click OK.
The url specifies the file transfer protocol, username (if required), directory
path, and filename.
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password. To enter the
entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
Exporting Certificates, Keys, and CRLs
3. To export a certificate:
a. Select the certificate. (Click the checkbox next to the certificate
name.)
b. Click Export.
Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in Internet Explorer, hold the Ctrl
key while clicking Export.
c. Click Save.
d. Navigate to the save location.
e. Click Save again.
4. To export a key:
a. Select the key.
b. Click Export.
c. Click Save.
d. Navigate to the save location.
e. Click Save again.
To export a certificate and its key, use the following commands at the Privi-
leged EXEC or global Config level of the CLI:
export ssl-cert file-name url
export ssl-key file-name url
The url specifies the file transfer protocol, username (if required), directory
path, and filename. An exported key is the private key of the VIP's certificate;
tftp, ftp, rcp and http send it in cleartext across the network, so use scp for
keys and restrict access to the exported file.
You can enter the entire URL on the command line or press Enter to display
a prompt for each part of the URL. If you enter the entire URL and a pass-
word is required, you will still be prompted for the password. To enter the
entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
Exporting a CRL
3. Select the CRL. (Click the checkbox next to the CRL name.)
4. Click Export.
Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in IE, hold the Ctrl key while click-
ing Export.
5. Click Save.
Creating a Client-SSL or Server-SSL Template and Binding it to a VIP
3. Click Add.
Use one of the following commands at the global configuration level of the
CLI:
[no] slb template client-ssl template-name
[no] slb template server-ssl template-name
The command creates the template and changes the CLI to the configuration
level for it. Use the commands at the template configuration level to config-
ure template parameters. (For information, see “SSL Templates” on
page 920 or the AX Series CLI Reference.)
3. Click on the virtual server name or click Add to create a new one.
5. In the Port section, select a port and click Edit, or click Add to add a new
port. The Virtual Server Port page appears.
7. Click OK.
8. Click OK again.
Use one of the following commands at the configuration level for the virtual
port on the VIP:
[no] template client-ssl template-name
[no] template server-ssl template-name
Use the same command on each port for which SSL will be used.
Converting Certificates and CRLs to PEM Format
If a certificate or CRL you plan to import onto the AX device is not in PEM
format, it must be converted to PEM format first, before you import it onto
the AX device.
Note: Beginning in AX Release 2.4.1, you do not need to convert the certificate
into PEM format before importing it. You can specify the format when
you import the certificate. The AX device automatically converts the
imported certificate into PEM format. (See “Importing a Certificate and
Key” on page 928.)
3. Expand the Certificate folders and navigate to the certificate you want to
convert.
Steps to perform on the Unix/Linux workstation:
5. Copy the PFX-format file that was created by the Export wizard to a
UNIX machine.
7. Use the vi editor to divide the PKCS12 file into two files, one for the
certificate (.crt) and the other for the private key.
8. To remove the passphrase from the key, use the following command:
$ openssl rsa -in encrypted.key -out unencrypted.key
To convert a DER-format CRL to PEM format, use the following command:
$ openssl crl -in filename.der -inform der -outform pem -out filename.pem
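The workstation steps above can be scripted so that the PKCS12 file is split by openssl rather than by hand in an editor. The following is an added example, not code from the AX guide; it assumes openssl is in PATH, and the file names and the password are assumptions.

```shell
#!/bin/sh
# Added example (not from the AX guide): split a PFX export into PEM
# certificate and key, strip the key passphrase, convert a DER CRL to PEM.
# Assumes openssl in PATH; file names and passwords are assumptions.
set -eu

# pfx_to_pem PFX PASS CERTOUT KEYOUT : write the certificate and the still
# passphrase-protected key as separate PEM files. PFX files from old Windows
# exports use RC2-40; on OpenSSL 3 add "-legacy" to the pkcs12 commands if
# they fail with an "unsupported" error.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3.tmp"
  openssl x509 -in "$3.tmp" -out "$3"      # drop the "Bag Attributes" header
  rm -f "$3.tmp"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout "pass:$2" -out "$4"
  chmod 600 "$4"
}

# key_strip_passphrase ENCKEY PASS PLAINKEY : the guide's step 8. The AX device
# needs the key without a passphrase, so file permissions are its only protection.
key_strip_passphrase() {
  openssl rsa -in "$1" -passin "pass:$2" -out "$3"
  chmod 600 "$3"
}

# crl_der_to_pem DERFILE PEMFILE : the CRL conversion shown in the guide.
crl_der_to_pem() {
  openssl crl -in "$1" -inform der -outform pem -out "$2"
}

# pem_type FILE : print the label of the first PEM block ("CERTIFICATE",
# "ENCRYPTED PRIVATE KEY", ...) so a script can refuse to import the wrong object.
pem_type() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}
```

Check pem_type on each output before importing: a key file whose label still reads ENCRYPTED PRIVATE KEY has not had its passphrase removed.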
Route Tables
By default, the AX device attempts to use a route from the main route table
for management connections originated on the AX device. You can enable
the AX device to use the management route table to initiate management
connections instead.
This chapter describes the AX device’s two route tables, for data and man-
agement traffic, and how to configure the device to use the management
route table.
Route Tables
The AX device uses separate route tables for management traffic and data
traffic.
• Management route table – Contains all static routes whose next hops are
connected to the management interface. The management route table
also contains the route to the device configured as the management
default gateway.
• Main route table – Contains all routes whose next hop is connected to a
data interface. These routes are sometimes referred to as data plane
routes. Entries in this table are used for load balancing and for Layer 3
forwarding on data ports.
This route table also contains copies of all static routes in the manage-
ment route table, excluding the management default gateway route.
The AX device automatically uses the management route table for reply
traffic on connections that a remote host initiates to the AX device on the
management port. For example, this occurs for SSH or HTTP connections
from remote hosts to the AX device.
Note: In AX Release 1.2.4 and earlier, all static routes are stored in the main
route table, even if the next hop is connected to the management interface.
The management route table contains only the route to the subnet directly
connected to the management interface, and the IP default gateway con-
figured on the management interface. When you upgrade to an AX release
later than 1.2.4, static routes whose next hop is the management interface
are duplicated in the management route table.
Management Routing Options
You can configure the AX device to use the management interface as the
source interface for the control traffic it originates to the following types of
servers:
• Syslog
• SNMPD
• NTP
• RADIUS
• TACACS+
• SMTP
For example, when use of the management interface as the source interface
for control traffic is enabled, all log messages sent to remote log servers are
sent through the management interface. Likewise, the management route
table is used to find a route to the log server. The AX device does not
attempt to use any routes from the main route table to reach the server, even
if a route in the main route table could be used.
In addition, on a case-by-case basis, you can enable use of the management
interface and management route table for individual management connec-
tions to remote devices, such as:
• Upgrade of the AX software
• Backups
Caution: If you enable this feature, then downgrade to AX Release 1.2.4 or ear-
lier, it is possible to lose access to the AX device after you downgrade.
This can occur if you configure an external AAA server (TACACS+
server) to authorize CLI commands entered on the AX device, and
the TACACS+ server is connected to the AX device through the man-
agement default gateway.
If this is the case, before you downgrade, remove the TACACS+ con-
figuration from the AX device. After you downgrade, you can re-add
the configuration, but make sure the TACACS+ server can be
reached using a route other than through the management default
gateway.
To enable use of the management interface as the source interface for control
traffic, use the following command at the configuration level for the
management interface:
[no] ip control-apps-use-mgmt-port
Here is an example:
AX(config-if:management)#ip control-apps-use-mgmt-port
The following commands accept the use-mgmt-port option, which makes that
one operation use the management interface and management route table:
[no] slb ssl-load {certificate file-name | private-key file-name} [use-mgmt-port] url
upgrade {cf | hd} {pri | sec} [use-mgmt-port] url
Show Commands
show techsupport [[use-mgmt-port] export url] [page]
Configuration Management
By default, when you click the Save button in the GUI or enter the write
memory command in the CLI, all unsaved configuration changes are saved
to the startup-config. The next time the AX device is rebooted, the configu-
ration is reloaded from this file.
Note: For upgrade instructions, see the release notes for the AX release to which
you plan to upgrade.
Backing Up System Information
USING THE CLI
At the Privileged EXEC level of the CLI, use the following command:
The config option backs up the startup-config file, aFleX scripts, and SSL
certificates and keys.
The log option backs up the log entries in the AX device’s syslog buffer.
The url option specifies the file transfer protocol, username, and directory
path. You can enter the entire URL on the command line or press Enter to
display a prompt for each part of the URL. If you enter the entire URL and a
password is required, you will still be prompted for the password. To enter
the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
Because a config backup contains the SSL private keys, transfer it with scp
rather than tftp, ftp or rcp, which send it in cleartext, and store the backup
with the same protection as the keys themselves.
Saving Multiple Configuration Files Locally
Note: Unless you plan to locally store multiple configurations, you do not need
to use any of the advanced commands or options described in this section.
Just click Save in the GUI or enter the write memory command in the
CLI to save configuration changes. These simple options replace the com-
mands in the startup-config stored in the image area the AX device booted
from with the commands in the running-config.
Configuration Profiles
Configuration files are managed as configuration profiles. A configuration
profile is simply a configuration file. You can locally save multiple configu-
ration profiles on the AX device. The configuration management commands
described in this section enable you to do the following:
• Save the startup-config or running-config to a configuration profile.
Note: Although the enable and admin passwords are loaded as part of the sys-
tem configuration, they are not saved in the configuration profiles.
Changes to the enable password or to the admin username or password
take effect globally, regardless of the values that were in effect when a
given configuration profile was saved.
write {memory [primary | secondary | profile-name] [cf] | terminal}
If you enter write memory primary, the command replaces the configura-
tion profile stored in the primary image area with the running-config. Like-
wise, if you enter write memory secondary, the command replaces the
configuration profile stored in the secondary image area with the running-
config.
The cf option replaces the configuration profile in the specified image area
(primary or secondary) on the compact flash rather than the hard disk. If you
omit this option, the configuration profile in the specified area on the hard
disk is replaced.
When the show startup-config command is entered without the all or
profile-name option, it displays the contents of the configuration profile
that is currently linked to "startup-config". To display the contents of a
different configuration profile, use the profile-name option. To display a list
of the locally stored configuration profiles, use the all option.
The cf option displays the configuration profile in the specified image area
(primary or secondary) on the compact flash rather than the hard disk. If you
omit this option, the configuration profile in the specified area on the hard
disk is displayed. If the all option is also used, the cf option displays all the
configuration profiles stored on the compact flash.
The cf option copies the profile to the compact flash instead of the hard
disk.
Note: Copying a profile from the compact flash to the hard disk is not sup-
ported.
(The url option backs up the configuration to a remote device. See “Backing
Up System Information” on page 945.)
To compare any two configuration profiles, enter their profile names instead
of startup-config or running-config.
In the CLI output, the commands in the first profile name you specify are
listed on the left side of the terminal screen. The commands in the other pro-
file that differ from the commands in the first profile are listed on the right
side of the screen, across from the commands they differ from. The follow-
ing flags indicate how the two profiles differ:
• | – This command has different settings in the two profiles.
• > – This command is in the second profile but not in the first one.
• < – This command is in the first profile but not in the second one.
This command enables you to easily test new configurations without replac-
ing the configuration stored in the image area.
The primary | secondary option specifies the image area. If you omit this
option, the image area last used to boot is selected.
The cf option links the profile to the specified image area in compact flash
instead of the hard disk.
The profile you link to must be stored on the boot device you select. For
example, if you use the default boot device selection (hard disk), the profile
you link to must be stored on the hard disk. If you specify cf, the profile
must be stored on the compact flash. (To display the profiles stored on the
boot devices, use the show startup-config all and show startup-config all
cf commands.)
Likewise, the next time the AX device is rebooted, the linked configuration
profile is loaded instead of the configuration that is in the image area.
Note: Although the command uses the startup-config option, the command
only deletes the configuration profile linked to “startup-config” if you
enter that profile’s name. The command deletes only the profile you spec-
ify.
CLI EXAMPLES
file that is currently linked to “startup-config”. If the profile name is
“default”, then “startup-config” is linked to the configuration profile stored
in the image area from which the AX device most recently rebooted.
AX(config)#show startup-config all
Current Startup-config Profile: slb-v6
Profile-Name Size Time
------------------------------------------------------------
1210test 1957 Jan 28 18:39
ipnat 1221 Jan 25 10:43
ipnat-l3 1305 Jan 24 18:22
ipnat-phy 1072 Jan 25 19:39
ipv6 2722 Jan 22 15:05
local-bwlist-123 3277 Jan 23 14:41
mgmt 1318 Jan 28 10:51
slb 1354 Jan 23 18:12
slb-v4 12944 Jan 23 19:32
slb-v6 13414 Jan 23 19:19
AX(config)#diff startup-config testcfg1
!Current configuration: 13378 bytes (
!Configuration last updated at 19:18:57 PST Wed Jan 23 2008 (
!Configuration last saved at 19:19:37 PST Wed Jan 23 2008 (
!version 1.2.1 (
! (
hostname AX (
! (
clock timezone America/Tijuana (
! (
ntp server 10.1.11.100 1440 (
! (
...
! (
interface ve 30 (
ip address 30.30.31.1 255.255.255.0 | ip address
10.10.20.1 255.255.255.0
ipv6 address 2001:144:121:3::5/64 | ipv6 address
fc00:300::5/64
! (
! (
> ip nat range-
list v6-1 fc00:300::300/64 2001:144:121:1::900/6
! (
ipv6 nat pool p1 2001:144:121:3::996 2001:144:121:3::999 netm <
! <
slb server ss100 2001:144:121:1::100 <
port 22 tcp <
--MORE--
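The same comparison is useful off the device: profiles backed up to a workstation can be checked against a known-good baseline to detect changes nobody reviewed. The following is an added example, not code from the AX guide. It ignores the volatile "!Current configuration" and "!Configuration last ..." header lines so that a profile which was merely re-saved does not register as drift. It assumes a POSIX shell with diff(1); the sample profiles are constructed, loosely modeled on the excerpt above.

```shell
#!/bin/sh
# Added example (not from the AX guide): compare two exported configuration
# profiles, ignoring the timestamp/size header lines the device rewrites on
# every save, so only real configuration changes are reported.
# Assumes a POSIX shell and diff(1); sample profiles below are constructed.
set -eu

# write_samples DIR : three constructed profiles: a baseline, a copy with a
# changed address and an added SSL template, and a copy that differs only in
# the header lines (re-saved, nothing changed).
write_samples() {
  printf '%s\n' '!Current configuration: 310 bytes' \
    '!Configuration last saved at 19:19:37 PST Wed Jan 23 2008' \
    '!version 1.2.1' 'hostname AX' 'interface ve 30' \
    '  ip address 30.30.31.1 255.255.255.0' \
    'slb server ss100 192.0.2.100' '  port 22 tcp' > "$1/baseline.cfg"
  sed -e 's/30\.30\.31\.1/10.10.20.1/' -e 's/19:19:37/19:25:12/' \
    "$1/baseline.cfg" > "$1/changed.cfg"
  printf '%s\n' 'slb template client-ssl tls-front' >> "$1/changed.cfg"
  sed -e 's/19:19:37/20:01:00/' -e 's/310 bytes/311 bytes/' \
    "$1/baseline.cfg" > "$1/resaved.cfg"
}

# normalize FILE : drop the volatile header lines and trailing whitespace.
normalize() {
  grep -v -e '^!Current configuration:' -e '^!Configuration last ' "$1" |
    sed 's/[[:space:]]*$//'
}

# config_drift OLD NEW : return 0 if the profiles are equivalent, 1 if they
# differ. Differing commands are printed as "<" (only in OLD) and ">" (only
# in NEW), the same convention as diff(1).
config_drift() {
  old=$(mktemp); new=$(mktemp)
  normalize "$1" > "$old"
  normalize "$2" > "$new"
  rc=0
  diff "$old" "$new" | grep -e '^<' -e '^>' && rc=1
  rm -f "$old" "$new"
  return $rc
}
```

Run config_drift with the baseline first; a non-zero exit means the saved profile no longer matches the reviewed one, and the printed lines are the commands to examine.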
VLAN-to-VLAN Bridging
You can configure a bridge VLAN group to forward one of the following
types of traffic:
• IP traffic only (the default) – This option includes typical traffic
between end hosts, such as ARP requests and responses.
This option does not forward multicast packets.
• All traffic – This option forwards all types of traffic.
Configuration Notes
VLAN-to-VLAN bridging is supported on AX devices deployed in trans-
parent mode (Layer 2) or in gateway mode (Layer 3).
Each bridge VLAN group can have a maximum of 8 member VLANs. Traf-
fic from any VLAN in the group is bridged to all other VLANs in the group.
Up to 64 bridge VLAN groups are supported.
forward-all-traffic
This command configures the AX device to forward all types of traffic
between the VLANs in the group. By default, only IP traffic is forwarded. If
you change the traffic type but later want to change it back to the default,
you can use the following command: forward-ip-traffic
Corporate Headquarters
www.a10networks.com
This document is for informational purposes only. A10 Networks MAKES NO WARRANTIES,
EXPRESSED OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limit-
ing the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of A10 Networks Corporation.
A10 Networks may have patents, patent applications, trademarks, copyrights, or other intel-
lectual property rights covering subject matter in this document. Except as expressly pro-
vided in any written license agreement from A10 Networks, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.
The names of actual companies and products mentioned herein may be the trademarks of
their respective owners.