A10 ACOS ADC 2.7v2.1

A10 Networks
Application Delivery Controller: Labs
ACOS release 2.7
Course A10_ADC-2.7v2.2
Section 1
Conventions
Reference
Labs
Load Balancing Concepts
Page 2 of 4
Conventions and variable substitution in labs
Substitutions
<string> indicates variable which should be substituted with a value. Here is a list of
common required substitutions throughout the lab book:
Variable
<An>
<ConfigProfile>
<ACOS-Mgmt-IP>
<vip1-IP>
<tarball>
<s1-IP>
<s2-IP>
<ACOS-ClientData-IP>
<ACOS-ServerData-IP>
<nat1-IP>
<ACOS-HALink-IP>
<ha-sync-pri>
<ha-sync-sec>
<client-data-IP>
<backup-IP>
<set-ID>
<ha-ID>
Labs
Substitute with
ACOS device name. Substitute n with
your device number
AnClass. Substitute n with your device
number
Management IP of your ACOS device:
1.0.0.n where n is your student ID
Virtual server IP 100.0.0.(20+n) where
n is your student ID
Name of the system backup file of your
ACOS device in the form of An.tar.gz
where n is your student ID
Server 1 IP address
Student 1
Server 2 IP address
IP address of the client-side ACOS
device data interface 100.0.0.n
IP address of the server-side ACOS
device data interface 200.0.0.n
Network Address Translation Pool
200.0.0.(20+n) where n is your student
ID
<ha-sync-pri> if your device is odd
numbered, and <ha-sync-sec> if your
device is even numbered
3.0.0.1
200.0.0.202
A1
A1Class
1.0.0.1
100.0.0.21
A1.tar.gz
200.0.0.201
100.0.0.1
200.0.0.1
200.0.0.21
3.0.0.1
3.0.0.2
100.0.0.(100+n) where nn is your
student ID
1.0.0.(100+n)
100.0.0.101
Instructor will assign before the lab
1 for primary device, 2 for secondary in
HA
1
Load Balancing Concepts
1.0.0.101
Page 3 of 4
Labs
Load Balancing Concepts
Page 4 of 4
Section 1
ACOS Management
Lab
Labs
AX Management
Page 2 of 8
Initial configuration and backup
CLI
Configuration steps
Initial setup of the ACOS device
1. To perform initial setup of the ACOS device, we will connect to the console port
and configure management port. The rest of the initial configuration will be
performed remotely via ssh.
2. Connect to the console port of your ACOS device. At the terminal window
prompt execute the following command and log in with username admin
password a10 :
console n
(where “n” is your student number)
3. First reset the device to factory state in case someone used it before the class:
enable
config
system-reset
(and answer yes to the following two questions)
4. Wait for the device to reboot. Log in and configure management port for remote
connectivity and save the initial setup in a named configuration profile:
enable
[Enter] for password
config
interface management
ip address <ACOS-Mgmt-IP> /24
enable
write mem <ConfigProfile>
y
end
exit
exit
y
5. Note that you did not provide default gateway for the management port. This is
because in our classroom layout management port is on the same network as
your remote desktop. In real life you would add default gateway.
6. Exit out of console port by hitting Ctrl-] and typing quit.
7. Close the terminal window and open a new one.
8. Connect to the management port through ssh. At the terminal prompt execute
the following command and log in with password a10:
Labs
AX Management
Page 3 of 8
ssh admin@<ACOS-Mgmt-IP>
9. If you get an error message “WARNING: REMOTE HOST IDENTIFICATION HAS
CHANGED”, remove known_hosts from your remote desktop with the following
command and continue with login:
rm /home/student/.ssh/known_hosts
10. Now we will configure the following items:
a. host name
b. time zone
c. vlans for data interfaces (client side, server side, and ha link)
d. virtual Ethernet (ve) interfaces
e. assign ip addresses to those interfaces
f. enable physical interfaces associated with ve interfaces
g. change default terminal timeout to 60 minutes – useful in class exercises
h. enable multi-config mode (allows multiple admins to work at the config
prompt at the same time – it is useful in class, you need to determine if
you want to use this feature in a production environment)
enable
[Enter] for password
config
hostname <An>
clock timezone America/Los_Angeles
vlan 100
untagged ethernet 1
(We are using untagged in our simplified lab
setup. In real life you would most likely tag)
router-interface ve 100
vlan 200
untagged ethernet 2
router-interface ve 200
vlan 300
tagged ethernet 3
(Here our lab setup allows us to tag)
router-interface ve 300
interface ve 100
ip address <ACOS-ClientData-IP> /24
interface ve 200
ip address <ACOS-ServerData-IP> /24
interface ve 300
ip address <ACOS-HALink-IP> /24
interface ethernet 1
enable
interface ethernet 2
enable
Labs
AX Management
Page 4 of 8
interface ethernet 3
enable
exit
terminal idle-timeout 60
multi-config enable
end
write mem
11. Verify state of the interfaces:
show interface brief
12. Verify connectivity (let instructor know if you are unsuccessful):
ping <client-data-IP>
ping <s1-IP>
ping <s2-IP>
13. In the next steps you will learn how to create new profiles and back up the
configuration you just created.
Remote backup to an FTP server
14. Open ssh connection to your ACOS management port and log in as username
admin, password a10. After you see “An>” prompt, type “enable” and hit Enter,
and again Enter for password.
15. Execute commands:
show startup-config all
16. Go to config prompt and execute commands:
write mem Profile2
(answer “no” to the question whether you want
to create a link to default startup)
config
copy <ConfigProfile> Profile3
show startup-config all
Can you see the two new profiles? Now delete them:
delete startup-config Profile2
delete startup-config Profile3
end
show startup all
17. In your remote desktop open “srv” folder on the left of the screen, then “ftproot”,
then “ConfigBackup”. You will be able to watch backup progress there.
18. From your ACOS device execute command:
backup system use-mgmt-port ftp://ftp@<backup-IP>/ConfigBackup/
Labs
AX Management
Page 5 of 8
When asked for password, hit Enter. Accept default filename format. Answer
“no” to the question “Do you want to save the remote host information to a
profile for later use?[yes/no]no”. You should see a response indicating success.
19. Now create a backup with an explicitly stated file name:
backup system use-mgmt-port ftp://ftp@<backupIP>/ConfigBackup/<tarball>
You will restore this backup to your ACOS device before starting each lab, so
please follow naming conventions for convenience.
20. To back up just the configuration profile, execute command (all in one line,
replace “n” in destination filename with the number of your ACOS device) from
the config prompt:
copy <ConfigProfile> use-mgmt-port
ftp://ftp@<backup-IP>/ConfigBackup/<ConfigProfile>.txt
21. To back up running configuration, execute command (all in one line, replace “n”
in destination filename with the number of your ACOS device):
copy running-config use-mgmt-port ftp://ftp@<backup-IP>/
ConfigBackup/Anrunning.txt
Verifying backed up config files
22. Explore contents of the system backup tar.gz file. Go to folder srv > ftproot >
ConfigBackup. Find the files you backed up. Right click on text files, open them in
Notepad++ and compare them visually. You config profile and running config
should be identical.
23. Right click on the system back up tar.gz file, choose 7-zip Open Archive. Enter
a10data directory. You should see all configuration elements from your ACOS
device. Go to config folder. You should find the config profile you created earlier.
WebUI
Configuration steps
Local backup
24. Click on Chrome browser in your remote desktop taskbar. Click on the
bookmark corresponding to the device you just configured and log in.
25. Go to Config > System > Maintenance > Backup > System. Select “Local” (should
be selected by default). Click “OK” and save file to your local drive.
Labs
AX Management
Page 6 of 8
26. Go to Config > System > Config File. Click “Add”, name “NewProfile”, copy from
<ConfigProfile>, then underneath the line “clock timezone
America/Los_Angeles” add line “ip dns primary 8.8.8.8” and click “OK”.
27. Select <ConfigProfile> and “NewProfile” and click “Diff”. Find the difference in
the two profiles.
28. Dismiss the diff window and delete NewProfile (select and click on Delete –
make sure <ConfigProfile> is not also selected).
Labs
AX Management
Page 7 of 8
Labs
AX Management
Page 8 of 8
Section 2
Load Balancing Concepts
Lab
Labs
Load Balancing Concepts
Page 2 of 10
Objective: Configure layer 4 SLB Virtual Server
WebUI
Configuration steps
Server
1.
2.
3.
4.
5.
6.
7.
8.
Labs
Open a browser in your remote desktop and connect via HTTPS to
<ACOS-Mgmt-IP> and log in with username: admin password: a10
Go to Config Mode > SLB > Service > Server. You should see this screen:
Click on the Add button. You should see two sections, upper, entitled General,
and lower, entitled Port.
In the General section enter “s1” as name of the server and <s1-IP> as IP
Address.
In the Port section enter “80” as port, click on “Add” in the same section on the
right (you should see the port show up in the table), and then click “OK” at the
bottom of the page. You should now see this screen:
Repeat the steps to add server 2 (“s2”) with IP address <s2-IP> and port “80”.
Go to Monitor Mode > SLB > Service > Server.
Click once on the name/IP of the newly configured server. A row with the port
number should open below. Here you can monitor per-physical server/port
statistics during later exercises. In the column to the left green arrows should
point up. That indicates that our default health monitor was able to ping the
server and performed a successful TCP handshake on port 80. In future labs you
will build even more sophisticated, layer 7 health monitors.
Load Balancing Concepts
Page 3 of 10
Service Group
9. Go to Config Mode > SLB > Service > Service Group.
10. Click on the Add button. You should see two sections, upper, entitled Service
Group, and lower, entitled Server.
11. In the Service Group section enter “http” as name of the group. In the Server
section click on the drop-down list next to “Server”, select s1, type “80” in the
Port field, and then click on the “Add” button. You should see your physical
server s1 show up in the table as a member of this service group.
12. Repeat step above to add server s2.
13. Click on the “OK” button at the bottom of the page.
14. Go to Monitor Mode > SLB > Service > Service Group, and click on the http
service group. You should see the service group and both server members with
green arrows to the left of them. Here you can monitor per-service group
statistics during later exercises.
Source Network Address Translation (Source NAT)
15. Go to Config Mode > IP Source NAT > IPv4 Pool.
16. Click Add.
17. Enter “nat1” as name, <nat1-IP> as start and end addresses, “255.255.255.0” as
netmask, and click OK. You have created a NAT pool that will be applied in a
Virtual Server section.
Source IP Persistence
18. In this section you will build a template that will ensure that ACOS, once the
HTTP connection is established, forwards subsequent requests to the same
server.
19. Go to Config Mode > SLB > Template > Persistent > Source IP Persistence.
20. Click Add, type “pers1” as name, and click OK to save the template. It will be
applied in the Virtual Server section.
Virtual Server (VIP)
21. Go to Config Mode > SLB > Service > Virtual Server.
22. Click Add. You should see two sections, upper, entitled General, and lower,
entitled Port.
23. In the General section enter “vip1” as name of the server, and <vip1-IP> as IP
Address.
24. In the Port section click on Add. A new screen should open up. Leave “TCP” as
type, enter “80” as port, select “http” as service group, select “nat1” as Source
NAT Pool, select Source IP Persistence Template in Persistence Template Type,
then “pers1” in the dropdown list below, click on “OK” at the bottom of the page,
Labs
Load Balancing Concepts
Page 4 of 10
and click on “OK” again at the bottom of the Virtual Server page. You should
now see this screen:
25. You have configured layer 4 SLB Virtual Server.
Verifying functionality
26. In your browser open a connection to http://<vip1-IP>/
27. You should see a web page containing three images.
28. All three images should be coming from the same server. You can recognize that
by having the same image repeated three times. Server1 only serves cherries,
Server2 only serves lemons. Refresh page several times.
29. Your source IP address shown at the top of the page should be from the NAT
pool.
30. Go to Monitor Mode > IP Source NAT > Pool. You should see how many times
your NAT pool was used.
31. Go to Monitor Mode > SLB > Application > Persistent. In the table you can find
statistics for successful Source IP Persistent connections broken down by CPU.
32. Go to Monitor Mode > SLB > Service > Virtual Server. Click on the name of your
virtual server, then on port, and watch connection statistics per server. All of
them should be on one server.
33. Now we will see what happens when you remove Source IP Persistence
template from the virtual server. Go to Config Mode, Service, SLB, and click on
Virtual Server.
34. In the Port section select the port and click “Edit”. Remove Source IP Persistence
and click OK, then again OK to apply the new configuration for the virtual
server.
35. Open terminal window (icon with black “C” on green background in quick
launch toolbar at the bottom of the screen), type “ssh <ACOS-Mgmt-IP>”, and log
in as username admin, password a10. After you see “An>” prompt, type
“enable” and hit Enter, and again Enter for password. At the “#” prompt type
“clear sessions all” and hit Enter. For testing purposes in the lab this
ensures that none of the old sessions remains alive.
36. In your browser open a connection to http://<vip1-IP>/
Labs
Load Balancing Concepts
Page 5 of 10
37. The images should now be coming from two servers. Reload the page a few
times.
38. In your browser connect via HTTPS to <ACOS-Mgmt-IP> and log in with
username: admin password: a10
39. Go to Monitor Mode > SLB > Service > Virtual Server. Then click on the name of
your virtual server, then on port, and watch connection statistics per server.
They should be distributed between two servers.
40. When you are happy that your configuration worked, click on “Save” at the top
right of the ACOS WebUI. This ensures that your configuration would be
reloaded should you reboot your device. The configuration you have done so far
remains in ACOS memory only.
41. If you are not certain about any of the steps performed so far or the results, ask
the instructor now. In the subsequent steps we will clear the existing
configuration and will perform the same configuration from the command line.
42. Go to Addendum A “Restore Configuration” and perform steps in section
“WebUI”.
CLI
Configuration steps
Server
43. Open ssh connection to <ACOS-Mgmt-IP> and log in as username admin,
password a10. After you see “An>” prompt, type “enable” and hit Enter, and
again Enter for password. At the “#” prompt type “config” and hit Enter. You
should now see “An(config)#” prompt. That indicates you are in config mode,
just as you are in config mode in the Config tab in WebUI. You will notice many
more similarities in the workflow as we go through the exercise.
44. At the prompt type “?” and watch the list of commands available. Press space
bar if needed to move to the next page. On one of the pages you can find
command “slb”, just like in WebUI. If you still see “—MORE—“at the bottom of
the screen, you can break out of it by pressing “q”.
45. At the prompt type “slb”, press space, and type “?” to see the list of submenus.
One of them is “server”. Extend your command so it now says “slb server”,
press space, and then “?” again. You need to provide name of the server, just like
in WebUI. Use “s1”, then space and “?”. ACOS asks for one of three alternative
means of addressing the server. We will use IP Address. Append <s1-IP> to the
end of the command, press space, and then “?”. ACOS indicates it is ready to
accept the command. Press Enter. Your prompt should now look like this:
“An(config-real server)#”. That means you are within the physical server
Labs
Load Balancing Concepts
Page 6 of 10
configuration section. Press “?”. Choose command “port” and provide options
“80” and “tcp”. Press Enter. Your prompt should change to “An(config-real
server-node port)#” indicating you can configure further options on that port.
For now you will stop and configure the second server. Type “exit” at the
prompt and press Enter. Notice that you have backed off one menu level. You
need to type “exit” again and press Enter to find yourself at the plain config
prompt.
46. Using steps above configure server s2 with address <s2-IP>, and add port 80
tcp. When you are done, type “end” and press Enter. Notice that by typing “end”
you exited from the config menu. You should now be at the “An#” prompt.
47. To verify what you have just configured type “show slb server config” and
press Enter. You should see two configured servers and their ports. Command
“show” is the CLI’s equivalent of the WebUI “Monitor” tab. Press arrow key UP
and execute “show slb server” command again, but first backspace and erase
“config” from the end of the command. Notice that by itself this command shows
traffic statistics per physical server/port.
Service Group
48. Enter config mode again by typing “config” and pressing Enter.
49. To create service group type “slb service-group http tcp” and press Enter.
Your prompt should now change to “An(config-slb svc group)#”.
50. To add servers as group members type “member s1:80 enable” and press
Enter. Repeat this command for server 2 (s2), then type “end” to exit.
51. To verify your configuration type “show slb service-group http config” and
press Enter. Try the same command without “config” at the end, and then again
without “http config” at the end. The first one gives you detailed statistics for
service group http, the second gives summary statistics for all configured
service groups.
Source NAT
52. Enter config mode.
53. Build IP NAT pool using command:
ip nat pool nat1 <nat1-IP> <nat1-IP> netmask /24
Two IP addresses listed indicate start and end of the pool. Press Enter.
54. Verifying using command:
show ip nat pool
55. We will apply this NAT pool when configuring Virtual Server.
Source IP Persistence
Labs
Load Balancing Concepts
Page 7 of 10
56. In config mode execute command:
slb template persist source-ip persist1
57. Verify using command
show slb template persist source-ip
58. Type “exit” and press Enter.
Virtual Server (VIP)
59. In config mode execute command
slb virtual-server vip1 <vip1-IP>
60. You should now be at prompt “An(config-slb vserver)#”. We will proceed to
configure remaining parameters.
61. Execute command:
port 80 tcp
62. You should see prompt “An(config-slb vserver-vport)#”.
63. To apply source IP persistence template you have created earlier use command:
template persist source-ip persist1
64. Apply source NAT pool you have created earlier with command:
source-nat pool nat1
65. Apply service group you have created earlier with command
service-group http
66. After a while this should also change the state of the port to “All Up”. Wait for a
moment, then execute command:
show slb virtual-server vip1
67. Type “end” and press Enter.
68. To see physical servers bound to your virtual server, use command:
show slb virtual-server bind
69. Verify your completed configuration using command
show running
70. This shows entire running configuration. You may have to move from page to
page by pressing space bar. Watch for all the components you have configured.
71. To look at just one element from the running configuration, pipe output of
“show running” through command “section” and providing a string to match
(regular expressions are also allowed). Try this command:
Labs
Load Balancing Concepts
Page 8 of 10
show run | sec vip1
(you can abbreviate commands as long as they are unambiguous).
Verifying functionality
72. In your browser open a connection to http://<vip1-IP>/
73. You should see a web page that contains three images.
74. All three images should be coming from the same server. Refresh page several
times.
75. Your source IP address shown at the top of the page should be from the NAT
pool.
76. At the user-level prompt (An>) execute command:
show ip nat pool statistics
77. As you can see, from the command line you can watch usage statistics per
individual address. Notice that you can watch most of the statistics from the
user-level prompt, without switching to enable mode (admin).
78. At the user-level prompt (An>) execute these two commands:
show slb persist
show slb persist detail
79. Now try:
show slb server
80. Watch connection statistics per server. All of them should be on one server.
81. Now we will see what happens when you remove Source IP Persistence
template from the virtual server.
82. Go to config mode (type “config” and press Enter). Execute commands:
slb virtual-server vip1
port 80 tcp
83. You are now in the same virtual server port where you applied source IP
persistence template. Verify the configuration using command:
show slb virtual-server config
84. If you remember, to apply the template we used command “template persist
source-ip persist1”. Now to remove it, use the same command but prepend “no”
in front of it. Your full command should look like this:
no template persist source-ip persist1
85. Execute it and verify the effects using previous command:
show slb virtual-server config
Labs
Load Balancing Concepts
Page 9 of 10
86. Your template should be detached from virtual server vip1. Type “end” and
press Enter to exit config mode.
87. At the “#” prompt execute command:
clear sessions all
88. For testing purposes in the lab this ensures that none of the old sessions
remains alive.
89. In your browser open a connection to http://<vip1-IP>/
90. The images should now be coming from two servers. Reload the page a few
times.
91. Use command:
show slb server
92. Watch connection statistics per server. They should be distributed between two
servers.
93. If you are not certain about any of the steps performed so far or the results, ask
the instructor now. In the subsequent steps we will clear the existing
configuration and will perform the same configuration from the command line.
94. Go to Addendum A “Restore Configuration” and perform steps in section “CLI”.
Labs
Load Balancing Concepts
Page 10 of 10
Section 3
HTTP
Lab
Labs
HTTP
Page 2 of 6
Objective: Configure layer 7 HTTP SLB Virtual Server
with HTTP health monitor, header insertion, and URL
failover
WebUI
Configuration steps
Server
1. Follow steps in Load Balancing Concepts Lab, WebUI, Server, to configure s1 and
s2 servers, port 80.
HTTP Health Monitor and Service Group
2. Go to Config > SLB > Health Monitor > Health Monitor.
3. Click Add, Name “http”, in section “Method” select HTTP as Type, in URL second
field enter “/”, in Expect enter “bluesky” (that string does not exist in the root
page, we are using it for testing only), then click “OK” at the bottom to apply.
4. Go to Config > SLB > Service, then click on Service Group. Specify “http” as name,
select “http” as Health Monitor, then in the server section as s1 and s2 as
members with port 80, and click “OK” at the bottom to apply.
5. Go to Monitor > SLB > Service, and click on Service Group. Service Group status
should be down. Click on service group name to verify status of member servers.
6. Go to Config > SLB > Health Monitor > Health Monitor, open http by clicking on
it, change “bluesky” in the Expect field to “Temporibus” (that string does exist in
root page), and apply.
7. Go to Monitor > SLB > Service > Service Group. Service Group status should be
up. Click on service group name to verify status of member servers.
Source Network Address Translation (Source NAT)
8. Go to Config > IP Source NAT > IPv4 Pool.
9. Click Add.
10. Enter “nat1” as name, <nat1-IP> as start and end addresses, “255.255.255.0” as
netmask, and click OK.
11. You have created a NAT pool that will be applied in a Virtual Server section.
Source IP Persistence
Labs
HTTP
Page 3 of 6
12. In this section you will build a template that will ensure that ACOS, once the
HTTP connection is established, forwards subsequent requests to the same
server.
13. Go to Config > SLB > Template > Persistent, and click on Source IP Persistence.
14. Click Add, type “pers1” as name, and click OK to save the template. It will be
applied in the Virtual Server section.
Virtual Server (VIP)
15. Go to Config > SLB > Service > Virtual Server.
16. Click Add. You should see two sections, upper, entitled General, and lower,
entitled Port.
17. In the General section enter “vip1” as name of the server, and <vip1- IP> as IP
Address. When you see that reference, please substitute the address you have
just entered.
18. In the Port section click on Add. A new screen should open up. Select “HTTP” as
type, enter “80” as port, select “http” as service group, select “nat1” as Source
NAT Pool, select Source IP Persistence Template in Persistence Template Type,
then “pers1” in the dropdown list below, click on “OK” at the bottom of the page,
and click on “OK” again at the bottom of the Virtual Server page. You should now
see this screen:
19. You have configured layer 7 SLB Virtual Server.
20. In your browser open a connection to http://<vip1-IP>/
21. You should see a web page that starts with “It works!” and contains three
images.
22. Refer to Section 3 Load Balancing Concepts Lab, WebUI, Verifying functionality
for additional verification steps should you like to perform them again.
HTTP templates
Header rewriting/insertion
23. In this part of the lab we will change the name of the responding HTTP server
header. First we will find check existing response headers.
24. In your browser clear your cache, Ctrl-Shift-I (as in capital letter i), request page
from your vip1, then check the response headers and find the server header by
Labs
HTTP
Page 4 of 6
clicking on “Network” menu item, then clicking on the IP address of your VIP,
and then on “Headers” tab. Scroll down through headers to Response Headers
section. This verification step may also be done using Wireshark or other packet
trace on your workstation.
25. Go to Config > SLB > Template > Application > HTTP.
26. Click Add, enter “header-rewrite” as Name, open section Header Insert below, in
Response part enter “Server: nginx” as Name, and make sure the next field is
blank (that means “rewrite existing header”).
27. Go to Config > SLB > Service > Virtual Server, edit port, select “header-rewrite”
as HTTP Template, then click “OK” and “OK” again to apply.
28. In your browser clear your cache, hit Ctrl-Shift-I, request page from your vip1,
then check the response headers and find the server header.
URL Failover
29. In this part of the lab we will create HTTP failover in case your servers become
non-responsive.
30. Go to Config > SLB > Template > Application > HTTP.
31. Click Add, enter “failover” as Name, enter http://1.0.0.201/failover/ below in
Failover URL, then click “OK” at the bottom to save.
32. Go to Config > SLB > Service > Virtual Server, edit port, select “failover” as HTTP
Template, then click “OK” and “OK” again to apply.
33. Go to Config > SLB > Service > Server. Select both servers, and click Disable at the
bottom.
34. Open ssh session to your ACOS device, go to enable prompt, type “clear
sessions all” and press Enter.
35. In your browser request page from your vip1. You should be redirected.
36. Re-enable your servers and request page from your vip1 again. You should be
able to reach the servers.
37. If you have any questions, ask instructor for assistance.
HTTP Templates in CLI
38. Go to your virtual server port and remove http template from it.
39. Go to Config > SLB > Template > Application > HTTP, select both templates and
delete them.
40. Open ssh session to your AX. Go to config mode (refer to Section 1 Load
Balancing Concepts Lab, CLI in case you have doubts how to do it), type “slb
template http header-rewrite” and press Enter. You should now be at
“An(config-http)#” prompt.
41. Execute command:
response-header-insert "Server: nginx"
Labs
HTTP
Page 5 of 6
42. Type “exit”, press Enter, execute commands:
slb virtual-server vip1
port 80 http
43. Your prompt should now say “An(config-slb vserver-vport)#”.
44. Execute command:
template http header-rewrite
45. In your Chrome browser clear your cache, press Ctrl-Shift-I, request page from
your vip1, then check the response headers and find the server header. You
should see header “Server: nginx”.
46. Execute command:
no template http header-rewrite
47. Repeat step above to verify incoming headers. “Server: nginx” should now be
gone.
48. At your ACOS CLI prompt type “end”, Enter, then “config” and Enter.
49. Execute commands:
slb template http failover
failover-url http://1.0.0.201/failover/
50. You can check the existence of both templates by executing command:
show slb template http
51. Apply this template to vip1 port 80 as you have done for the previous template.
52. Type “end”, Enter, then “config”, Enter, “slb server s1”, and Enter. Type
“disable” and press Enter. Repeat steps for server 2.
53. Attempt to reach your vip1 via your web browser. You should be redirected.
54. Re-enable your servers and verify that you can connect to your vip1 through the
browser.
55. If you have any questions, ask instructor for assistance.
56. Go to Addendum A “Restore Configuration” and perform steps in section “CLI”.
Labs
HTTP
Page 6 of 6
Section 4
HTTPS
Lab
Labs
HTTPS
Page 2 of 8
Objective: Configure layer 7 HTTPS SLB Virtual Server
with SSL, Cookie Persistence, HTTP-to-HTTPS
transparent redirect templates, and SSL Offload
WebUI
Configuration steps
Server
1.
Follows steps in Load Balancing Concepts Lab, WebUI, Server, to configure s1
and s2 servers, with port 80 for both servers.
Service Group
2.
Go to Config > SLB > Service > Service Group. Specify “http” as name, then in the
server section select s1 and s2 as members with port 80, and click “OK” at the
bottom to save.
SSL Certificate
3.
Go to Config > SLB > SSL Management > Certificate. Click Create. Enter “ss1” as
File Name, “a10networks.com” as Common Name, “Training class” as
“Organization”, and click “OK” to save.
SSL Template
4.
Go to Config > SLB > Template > SSL > Client SSL. Click Add, enter “cssl” as
Name, select “ss1” as Certificate Name and Key Name, and then click “OK” to
save.
Source Network Address Translation (Source NAT)
5.
6.
7.
8.
Go to Config > IP Source NAT > IPv4 Pool.
Click Add.
Enter “nat1” as name, <nat1-IP> as start and end addresses, “255.255.255.0” as
netmask, and click OK.
You have created a NAT pool that will be applied in a Virtual Server section.
Cookie Persistence
9.
In this section you will build a template that will ensure that client’s browser,
once the HTTPS connection is established, forwards subsequent requests to the
same server.
10. Go to Config > SLB > Template > Persistent > Cookie Persistence.
Labs
HTTPS
Page 3 of 8
11. Click Add, type “cpers” as name, enter “ElvisLives” as Cookie Name, and click OK
to save the template. It will be applied in the Virtual Server section.
Virtual Server (VIP)
12. Go to Config > SLB > Service > Virtual Server.
13. Click Add. You should see two sections, upper, entitled General, and lower,
entitled Port.
14. In the General section enter “vip1” as name of the server, and <vip1-IP> as IP
Address.
15. In the Port section click on Add. A new screen should open up. Select “HTTPS” as
type, enter “443” as port, select “http” as service group, select “nat1” as Source
NAT Pool, select Cookie Persistence Template in Persistence Template Type,
then “cpers” in the dropdown list below, select appropriate client-ssl template,
click on “OK” at the bottom of the page, and click on “OK” again at the bottom of
the Virtual Server page. You should now see this screen:
16. You have configured layer 7 HTTPS SLB Virtual Server.
17. Go to Monitor > SLB > Service > Virtual Server, click on vip1 and make sure all
elements are green and healthy.
Verifying functionality
18. In your browser open a connection to https://<vip1-IP>/
19. Accept self-signed certificate. You should see a web page that starts with “It
works!” and contains three images. Reload page a few times. All images should
be coming from the same server.
20. Verify the certificate sent from the ACOS device: right click on the “It works!”
web page, select “View Page Info”, then click on “Security”, and “View
Certificate”. You should find the information you entered earlier in the lab.
21. Verify the cookie sent from the ACOS device: right click on the “It works!” web
page, select “View Page Info”, then click on “Security”, and “View Cookies”. You
should recognize the cookie.
22. We will now see what happens when someone tries to connect to your virtual
server via http instead of https.
23. In your browser open a connection to http://<vip1-IP>/
Labs
HTTPS
Page 4 of 8
24. It should not work. In the following section we will solve that problem
transparently.
Configuration steps
Transparent redirect
25. Import aflex script to redirect request from port 80 to 443. From the ACOS
enable prompt execute command:
import aflex redirect1 ftp://ftp@<backup-IP>/BaseConfig/redirect1.tcl
26. Go to Config > SLB > Service > Virtual Server. Open your virtual server and add a
new port – port 80, type HTTP, leave Service Group blank, select “redirect1” as
aFleX, click “OK” and again “OK” to save.
27. Go to Config > SLB > aFleX and open “redirect1”. This is the script you applied
on port 80. What does it do?
28. Click on Logout(admin).
Verifying functionality
29. To verify new functionality, in your browser open a connection to
http://<vip1-IP>/
30. You should be automatically redirected to https://<vip1-IP>/
31. If you have any questions, ask instructor for assistance.
32. This time instead of reloading clean configuration after WebUI operations, we
will remove selected configuration items in CLI and rebuild them.
CLI
Deleting configuration elements
33. Connect to ACOS device via ssh, log in, go to enable mode.
34. Check existing templates using command:
show slb template
35. Check Virtual Server configuration using command:
show slb virtual-server config
36. Notice template attached to port 443.
37. Go to config mode. Execute command:
no slb template client-ssl cssl
38. Check existing templates again using command:
show slb template
Labs
HTTPS
Page 5 of 8
39. Execute command:
no slb template persist cookie cpers
40. Verify it has been deleted.
41. Check Virtual Server configuration using command:
show slb virtual-server config
42. As you can see templates you deleted have automatically been removed from
the virtual server configuration.
43. Show existing SSL certificates using command:
show slb ssl cert
44. Delete SSL certificate using command
slb ssl-delete certificate ss1
and verify it has been deleted. You can see that while the certificate has been
deleted, the key still exists.
45. Delete it using command:
slb ssl-delete private-key ss1
and verify it has been removed.
46. Now we will rebuild those elements from the CLI and restore full functionality.
47. Before we start, verify that remaining SLB configuration elements are intact
using command:
show run | sec slb
Configuration steps
SSL certificate and key
48. Make sure you are in a config mode. Execute command:
slb ssl-create certificate ss1
You will have to answer several questions. Provide the same values we used
earlier in this lab.
49. Verify the certificate has been created using:
show slb ssl cert ss1
SSL Template
50. Execute command:
slb template client-ssl cssl
Labs
HTTPS
Page 6 of 8
51. You should be at the “An(config-client ssl)#” prompt. To add the certificate and
key you created, type “cert ss1”, press Enter, then “key ss1” and press Enter.
Verify using command:
show slb template client-ssl cssl
52. Type “exit” and press Enter.
Cookie Persistence
53. Execute command:
slb template persist cookie cpers
54. You should be at the “An(config-cookie persist)#” prompt. Type “name
ElvisLives” and press Enter. Verify using command:
show slb template persist cookie
55. Type “exit” and press Enter.
Applying Templates to Virtual Server port
56. Go to configuration of your virtual server using command:
slb virtual-server vip1
57. Proceed to port configuration using command:
port 443 https
58. Apply templates you have created with commands:
template client-ssl cssl
template persist cookie cpers
59. Verify configuration using commands:
show slb virtual-server config
show run | sec slb
Verifying functionality
60. In your browser open a connection to https://<vip1-IP>/
61. Accept self-signed certificate. You should see a web page that starts with “It
works!” and contains three images. Reload page a few times. All images should
be coming from the same server.
62. Verify the certificate sent from the ACOS device: right click on the “It works!”
web page, select “View Page Info”, then click on “Security”, and “View
Certificate”. You should find the information you entered earlier in the lab.
Labs
HTTPS
Page 7 of 8
63. Verify the cookie sent from the AX: right click on the “It works!” web page, select
“View Page Info”, then click on “Security”, and “View Cookies”. You should
recognize the cookie.
64. We will now see what happens when someone tries to connect to your virtual
server via http instead of https.
65. In your browser open a connection to http://<vip1-IP>/
66. It should automatically redirect you to https://<vip1-IP>/
67. If you have any questions, ask instructor for assistance.
68. Go to Addendum A “Restore Configuration” and perform steps in section “CLI”.
Labs
HTTPS
Page 8 of 8
Section 5
ACOS Acceleration
Lab
Labs
AX Acceleration
Page 2 of 6
Objective: Configure layer 7 HTTP SLB Virtual Server
with Connection Reuse, Compression, and RAM
Caching templates
WebUI
Configuration steps
Server
1.
Follow steps in Load Balancing Concepts Lab, WebUI, Server to configure s1 and
s2 servers using port 80 for this lab.
Service Group
2.
Follow steps in Load Balancing Concepts Lab, WebUI, Service Group to
configure HTTP service group for this lab.
Source Network Address Translation (Source NAT)
3.
Follow steps in Load Balancing Concepts Lab, WebUI, Source NAT to configure
source NAT for this lab.
Virtual Server (VIP)
4.
Follow steps in Load Balancing Concepts Lab, WebUI, Virtual Server to
configure virtual server for this lab, but specify Virtual Server port type “HTTP”
(instead of TCP), and skip source IP persistence.
Verifying functionality
5.
Verify that your configuration is working before proceeding. Continuing this lab
we will add connection reuse, compression, and RAM caching capabilities to our
virtual server.
Configuration steps
Connection Reuse template
6.
7.
Labs
Go to Config > SLB > Template > Connection Reuse.
Click Add, enter “creuse” as Name, enter “5” in “Limit Per Server” field, and click
“OK” to save. Please note that a limit of 5 connections is unrealistic, and we are
only using it in the classroom. Minimum number of reusable connections is
equal to the number of data CPUs. Please also note that the "Keep Alive
Connections" option is applicable only to SIP-over-TCP sessions.
AX Acceleration
Page 3 of 6
Compression template
8.
Go to Config > SLB > Template > Application > HTTP. Click Add, enter
“compression” as Name, open section “Compression” below, check “Enabled” for
Compression and click “OK” to save.
RAM Caching template
9.
Go to Config > SLB > Template > Application > RAM Caching. Click Add, enter
“caching” as Name and click “OK” to save.
Applying templates to Virtual Server port
10. Go to Config > SLB > Service > Virtual Server, open vip1, Edit port and apply the
connection reuse template you have just configured. Do not apply caching and
compression templates yet. Save the port and virtual server.
Verifying functionality
Connection Reuse
11. Open terminal window and execute command:
connreuse <vip1-IP>
12. From another terminal window ssh to <ACOS-Mgmt-IP>, go to enable prompt
and execute command:
show slb connection-reuse detail
13. Repeat the command a few times (arrow key up). You should see a total of ~10
persistent connections with an even spread per data CPU.
14. Go back to the terminal window with “connreuse <vip1-IP>” command
running and terminate it with Ctrl-C.
Configuration steps
Applying templates to Virtual Server port
15. Go to Config > SLB > Service > Virtual Server, open vip1, Edit port and apply the
compression template you have just configured.
Verifying functionality
Compression
16. Point your browser to <vip1-IP> to generate some data traffic (script in the
previous exercise does not create cacheable or compressible content).
17. Go to Monitor > SLB > Application > Proxy > HTTP. See compression statistics
toward the bottom of the table.
Labs
AX Acceleration
Page 4 of 6
18. In CLI execute command:
show slb http-proxy | inc compress
19. Note that in the command above “sec” instead of “inc” would also work. “sec”
(short for “section”) displays sections, or records, whereas “inc” (short for
“include”) displays lines. In the output above a record happens to be a line, so
both work the same.
RAM Caching
20. Go to Config > SLB > Service > Virtual Server, open vip1, Edit port and apply the
RAM caching template you have configured.
21. Point your browser to <vip1-IP> to generate some data traffic.
22. Go to Monitor > SLB > Application > RAM Caching > Objects. You should see
contents of the RAM cache.
23. In CLI execute the following commands:
show
show
show
show
slb
slb
slb
slb
cache entries vip1 80
cache memory-usage
cache stats vip1 80
cache
Removing configuration elements in WebUI
24. If you have any questions, ask for instructor’s assistance. In the next step we
will remove some of the configuration elements and then recreate them from
the CLI.
25. In WebUI, go to Config > SLB > Template > Connection Reuse, check “creuse”
template and delete it.
26. In WebUI, go to Config > SLB > Template > Application > HTTP, check
“compression” template and delete it.
27. In WebUI, go to Config > SLB > Template > Application > RAM Caching, check
“caching” template and delete it.
28. Verify in CLI by going to enable mode, then executing command:
show run | sec slb
CLI
Configuration steps
Connection Reuse template
29. Go to Config mode, execute commands:
slb template connection-reuse creuse
Labs
AX Acceleration
Page 5 of 6
limit-per-server 5
30. Verify with command:
show slb template connection-reuse
31. Type “exit” and press Enter.
Compression template
32. At the config prompt execute commands:
slb template http compression
compression enable
33. Verify with command:
show slb template http compression
34. Type “exit” and press Enter.
RAM Caching template
35. At the config prompt execute command:
slb template cache caching
36. Verify with command:
show slb template cache
37. Type “exit” and press Enter.
Applying Templates to Virtual Server port
38. Go to configuration of your virtual server using commands:
slb virtual-server vip1
port 80 http
39. Apply templates one by one, verifying functionality after adding each template.
40. If anything does not work as expected, ask instructor for assistance.
41. Go to Addendum A “Restore Configuration” and perform steps in section “CLI”.
Labs
AX Acceleration
Page 6 of 6
Section 7
High Availability
Lab
Labs
High Availability
Page 2 of 14
Objective: Configure AX High Availability
WebUI
Preparation
1.
In this lab we will configure high availability. For this we need to work in teams
of two. Odd numbers will be Primary ACOS device, even numbers will be
Secondary. For example, in a team of A1 and A2, A1 will be primary, A2 will be
secondary. Steps below will be separated into those that need to be performed
on the primary, and those that need to be performed on the secondary. Make
sure you coordinate those steps within your team.
Overview of the HA configuration workflow
2.
3.
4.
5.
6.
7.
Configure global HA parameters:
a. HA ID
b. HA group ID and priority
c. Floating IP address
d. Session synchronization
e. HA pre-emption
Configure HA interfaces.
Build SLB configuration with HA parameters (Primary ACOS device)
If session synchronization is globally enabled, enable it on the individual virtual
ports whose client sessions you want to synchronize.
Run sync.
Verify HA functionality, and if successful, "Save", then back up configuration to a
server.
Configuration steps on the Primary ACOS device
Configuring global HA parameters
8.
9.
Go to Config > System > HA > HA Global.
Check “Enabled” for HA Status, select “1” for HA ID (this is a unique identifier for
this ACOS device in an HA pair), enter <set-ID> as Set ID, check “Enabled” for
Preemption Status, enter <ha-sync-sec> as HA Mirroring IP Address (this is the
address of your partner’s Interlink interface), in the Group section enter “200”
as Priority and click Add, and then click “OK” at the bottom to save.
10. Verify configuration at the enable prompt:
show ha config
show run | sec ha
Labs
High Availability
Page 3 of 14
Enabling HA Interfaces
11. Go to Config > System > HA > HA Interface. You should see a list of all physical
interfaces and their status. If you knew that they were configured properly, you
could check appropriate interfaces and enable them from here. In this exercise
we will go one by one and make sure everything is done right.
12. Click on “e1”. Change HA Status to “Enabled”. Since this is a client-facing
interface, select “Router-interface” as Type. Depending on the topology you may
want to have Heartbeat enabled, in our topology you should disable it. Click
“OK” to save.
13. Repeat operation for “e2” but select Type “Server-interface” as e2 faces the
server farm. Depending on the topology you may want to have Heartbeat
enabled, in our topology you should disable it. Save.
14. Repeat operation for “e3” but select Type “None”. Enable Heartbeat, specify vlan
300, and save.
15. The status of all three interfaces in the “HA Status” column should now be green.
16. Verify configuration in WebUI by going to Monitor > System > HA > Status. Note
at the bottom of the page is a table monitoring heartbeats. You should be seeing
sent heartbeats on HA Port 3. Click “Refresh” in the upper right corner of the
page. Counters should be increasing.
17. Verify configuration in CLI by executing the following commands:
show ha config
show ha detail
Building SLB with HA parameters: Server
18. Go to Config > SLB > Service > Server, and click Add. Enter “s1” as name, <s1-IP>
as IP Address, in Port section add port 80, then click “OK” to save. Repeat steps
for server “s2” with IP address <s2-IP>.
Service Group
19. Go to Config > SLB > Service > Service Group, and click Add. Enter “http” as
Name, then in Server section add s1 and s2, both port 80, and click “OK” to save.
Source NAT
20. Go to Config > IP Source NAT > IPv4 Pool. Specify “nat1” as Name, <nat1-IP> as
start and end IP addresses, “255.255.255.0” as Netmask, select “1” as HA Group,
and click “OK” to save.
21. Verify using command:
show ip nat pool
Source IP Persistence
Labs
High Availability
Page 4 of 14
22. Go to Config > SLB > Template > Persistent > Source IP Persistence.
23. Click Add, enter “persist1” as Name and click “OK” to save.
24. Verify using command:
show slb template
Virtual Server
25. Go to Config > SLB > Service > Virtual Server, and click Add. Enter “vip1” as
Name, <vip1-IP> as IP address, select “1” for HA Group. Enter “150” as Dynamic
Server Weight. This field serves to subtract the weight of the virtual server from
the priority value in case of virtual server becoming unavailable, thus leading to
a potential failover. Since we specified “200” as priority, a failure of vip1 should
trigger a failover.
26. Add port 80, Service Group “http”, select “nat1” as Source NAT Pool, select
“Source IP Persistence” as Persistence Template Type, and select “persist1” as
Source IP Persistence Template, Click “OK” and “OK” to save.
27. Verify using commands:
show slb virtual-server config
show run | sec vip1
28. This ends configuration steps on the Primary ACOS device.
Configuration steps on the Secondary ACOS device
Configuring global HA parameters
29. Go to Config > System > HA > HA Global.
30. Check “Enabled” for HA Status, select “2” for HA ID (this is a unique identifier for
this ACOS device in an HA pair), enter <set-ID> in Set ID, check “Enabled” for
Preemption Status, enter “<ha-sync-pri>” as HA Mirroring IP Address (this is
the address of your partner’s Interlink interface), in the Group section enter
“100” as Priority and click Add, and then click “OK” at the bottom to save.
31. Verify configuration by executing the following commands at the enable
prompt:
show ha config
show run | sec ha
Enabling HA Interfaces
32. Go to Config > System > HA > HA Interface. You should see a list of all physical
interfaces and their status. If you knew that they were configured properly, you
could check appropriate interfaces and enable them from here. In this exercise
we will go one by one and make sure everything is done right.
Labs
High Availability
Page 5 of 14
33. Click on “e1”. Change HA Status to “Enabled”. Since this is a client-facing
interface, select “Router-interface” as Type. Depending on the topology you may
want to have Heartbeat enabled, in our topology you should disable it. Click
“OK” to save.
34. Repeat operation for “e2” but select Type “Server-interface” as e2 faces the
server farm. Depending on the topology you may want to have Heartbeat
enabled, in our topology you should disable it. Save.
35. Repeat operation for “e3” but select Type “None”. Enable Heartbeat and Save.
36. The status of all three interfaces in the “HA Status” column should now be green.
37. Verify configuration in WebUI by going to Monitor, HA, and clicking on Status.
Note at the bottom of the page is a table monitoring heartbeats. You should be
seeing sent and received heartbeats on HA Port 3. Click “Refresh” in the upper
right corner of the page. Counters should be increasing.
38. Verify configuration in CLI by executing the following commands:
show ha config
show ha detail
39. This ends configuration steps on the Secondary ACOS device.
Synchronizing configuration
40. Before starting synchronization “Save” config on both devices and then back up
the Secondary ACOS device to a local drive.
41. On the Primary ACOS device go to Config > System > HA > Config Sync, enter
“admin” as User, “a10” as Password, enter <ha-sync-sec>, and click “OK”. After
you see message “HA config-sync operation successful” go to the Secondary
ACOS device (it takes a moment to load) and verify that its configuration has
been synchronized.
Verifying functionality (from the Primary ACOS device)
42. From your browser open HTTP connection to your vip1. You should see the “It
works!” web page.
43. On the Primary ACOS device at the CLI type “show ha” and press Enter to show
HA state. You should see this:
A1-Active>show ha
Local Unit:
UP
HA Group
Unit
1
Local
Peer
Peer Unit:
State
Active
Standby
UP
Priority
200
100
44. In the WebUI go to Config > SLB > Service > Server, check both servers and click
“Disable”.
Labs
High Availability
Page 6 of 14
45. On the Primary ACOS device at the CLI type “show ha” and press Enter to show
HA state. You should see this:
A1-Active>show ha
Local Unit:
UP
HA Group
Unit
1
Local
Peer
Peer Unit:
State
Standby
Active
UP
Priority
1
100
46. Your prompt should change to “An-Standby>”.
47. Clear cache in your browser and open HTTP connection to your vip1. You
should still see the “It works!” web page. Your connection is now routed
through the Secondary ACOS device.
48. In the WebUI go to Config > SLB > Service > Server, check one server and click
“Enable”.
49. On the Primary ACOS device at the CLI type “show ha” and press Enter to show
HA state. You should see this:
A1-Standby>show
Local Unit:
HA Group
1
ha
UP
Unit
Local
Peer
Peer Unit:
State
Standby
Active
UP
Priority
50
100
50. Notice how the weight of the servers corresponds to priority.
51. In the WebUI go to Config > SLB > Service > Server and enable both servers.
52. On the Primary ACOS device at the CLI type “show ha” and press Enter to show
HA state. You should see this:
A1-Standby>show
Local Unit:
HA Group
1
ha
UP
Unit
Local
Peer
Peer Unit:
State
Active
Standby
UP
Priority
200
100
53. On the Primary ACOS device go to Config > Network > Interface and disable
interface e1. Its status should turn red.
54. On the Primary ACOS device at the CLI type “show ha” and press Enter. You
should see this:
A1-Standby#show
Local Unit:
HA Group
1
Labs
ha
DOWN
Unit
Local
Peer
Peer Unit:
State
Standby
Active
High Availability
UP
Priority
200
100
Page 7 of 14
55. Re-enable interface e1 and check the Primary ACOS device status. After a
moment it should change to Active. Why?
56. Disable pre-emption on both AX devices.
57. On the Primary ACOS device go to Config > Network > Interface and disable
interface e1. Its status should turn red.
58. On the Primary ACOS device at the CLI type “show ha” and press Enter. You
should see this:
A1-Standby#show
Local Unit:
HA Group
1
ha
DOWN
Unit
Local
Peer
Peer Unit:
State
Standby
Active
UP
Priority
200
100
59. Re-enable interface e1 and check the Primary ACOS device status. It should
remain in Standby. Why?
60. On the Secondary ACOS device disable e1 interface, verify that failover occurred,
and re-enable e1. Verify that Primary AX is now active.
61. Now we will examine the behavior of Dynamic Server Weight in the absence of
pre-emption. Disable one of the physical servers on the Primary ACOS device
and check the status of the ACOS device from the CLI. It should display
diminished priority, but it should remain Active. Failover trigger due to
diminished priority works only with pre-emption enabled. Re-enable the
physical server.
62. Ask instructor if you need assistance. In the next step we will restore clean
configurations and prepare for HA setup from CLI.
63. Go to Addendum A “Restore Configuration” and perform steps in section
“WebUI”.
CLI
Preparation
64. In this lab we will configure high availability. For this we need to work in teams
of two. Odd numbers will be Primary ACOS devices, even numbers will be
Secondary. For example, in a team of A1 and A2, A1 will be primary, A2 will be
secondary. Steps below will be separated into those that need to be performed
on the primary, and those that need to be performed on the secondary. Make
sure you coordinate those steps within your team.
Overview of the HA configuration workflow
65. Configure global HA parameters:
Labs
High Availability
Page 8 of 14
66.
67.
68.
69.
70.
a. HA ID
b. HA group ID and priority
c. Floating IP address
d. Session synchronization
e. HA pre-emption
Configure HA interfaces.
Build SLB configuration with HA parameters (Primary ACOS device)
If session synchronization is globally enabled, enable it on the individual virtual
ports whose client sessions you want to synchronize.
Run sync.
Verify HA functionality, and if successful, "Save", then back up configuration to a
server.
Configuration steps on the Primary ACOS device
Configuring global HA parameters
71. From the config prompt execute the following commands (substitute your
student # for “n” and instructor assigned Set ID for “x”):
ha id 1 set-id <set-ID>
ha group 1 priority 200
ha preemption-enable
ha conn-mirror ip <ha-sync-sec>
Assign AX device unique ID within the HA
group and instructor assigned unique Set ID
Specify AX device priority within the HA
group
Use assigned weighs as a tiebreaker to
determine active device
Send mirrored connections to IP …
72. Verify configuration by executing the following commands at the AX enable
prompt:
show ha config
show run | sec ha
Enabling HA Interfaces
73. Add router-side (facing clients), server-side, and HA Interlink interfaces to the
list of HA interfaces:
ha interface ethernet 1 router-interface no-heartbeat
ha interface ethernet 2 server-interface no-heartbeat
ha interface ethernet 3 vlan 300
74. Verify configuration in CLI by executing the following commands:
show ha config
show ha detail
Labs
High Availability
Page 9 of 14
You should see heartbeat being sent on HA Port 3.
Building SLB configuration with HA parameters
75. With the HA framework established, we will now build SLB configuration
including HA parameters. If you need more help with the commands used here,
see Load Balancing Concepts Lab.
Server
76. Go to config prompt and use the following commands to configure physical
servers (substitute your student # for “n”):
slb server s1 <s1-IP>
Start configuring server s1
port 80 tcp
Add port 80 tcp to to the server s1
slb server s2 <s2-IP>
Start configuring server s2
port 80 tcp
Add port 80 tcp to the server s2
show slb server config
Verify completed configuration
Service Group
77. From the config prompt execute the following commands:
slb service-group http tcp
Start configuring Service Group “http”
member s1:80 enable
Add physical server 1 with port 80 as
member
Add physical server 2 with port 80 as
member
Verify completed configuration
member s2:80 enable
show slb service-group http config
Source NAT
78. From the config prompt execute the following commands:
ip nat pool nat1 <nat-IP> <nat-IP> netmask /24 ha-group-id 1
show ip nat pool
Create
NAT
pool
Verify
Source IP Persistence
79. From the config prompt execute the following commands:
slb template persist source-ip persist1
show slb template persist source-ip
Create Source IP Persistence
template
Verify
Virtual Server
80. From the config prompt execute the following commands:
Labs
High Availability
Page 10 of 14
Start configuring Virtual Server
“vip1”
Join this Virtual Server to HA Group
1
This field serves to subtract the
weight of the server from the
priority value in case of virtual
server becoming unavailable, thus
leading to a potential failover. Since
we specified “200” as priority for
Primary AX in HA global
configuration and will specify “100”
as priority for Secondary AX, a
failure of vip1 should trigger a
failover.
Add port 80 HTTP
slb virtual-server vip1 <vip1-IP>
ha-group 1
ha-dynamic 150
port 80 http
template persist source-ip persist1
source-nat pool nat1
To port 80 apply Source IP
Persistence template
To port 80 apply source NAT nat1
show slb virtual-server config
To port 80 apply Service Group
“http”
Verify
show run | sec slb
Verify
service-group http
81. This ends configuration on the Primary ACOS device.
Configuration steps on the Secondary ACOS device
Configuring global HA parameters
82. From the config prompt execute the following commands (substitute your
Primary AX student’s # for “n” in command “floating-IP”):
ha id 2 set-id x
ha group 1 priority 100
ha preemption-enable
ha conn-mirror ip <ha-sync-pri>
Assign AX device unique ID within the HA
group
Specify AX device priority within the HA
group
Use assigned weighs as a tiebreaker to
determine active device
Send mirrored connections to IP …
83. Verify configuration by executing the following commands at the AX enable
prompt:
show ha config
show run | sec ha
Labs
High Availability
Page 11 of 14
Enabling HA Interfaces
84. We will now add router-side (facing clients), server-side, and HA Interlink
interfaces to the list of HA interfaces:
ha interface ethernet 1 router-interface no-heartbeat
ha interface ethernet 2 server-interface no-heartbeat
ha interface ethernet 3
85. Verify configuration in CLI by executing the following commands:
show ha config
show ha detail
86. You should see heartbeat being sent on HA Port 3.
87. This ends configuration on the Secondary ACOS device.
Synchronizing configuration
88.
89.
90.
91.
Before starting synchronization save config on both devices and then back up
the Secondary ACOS device to a local drive.
On the Secondary ACOS device type “show run | sec slb” to verify server
load balancing is not configured.
On the Primary ACOS device save your configuration using command “write
mem” from the enable prompt.
On the Primary ACOS device execute the following command from the config
prompt to force configuration sync:
ha sync all to-startup-config <ha-sync-sec> with-reload [all-partitions]
92.
Once you see the message “Sync to 10.0.3.2 succeeded!” and the Secondary
ACOS device reloads, log in to it and from the enable prompt verify successful
synchronization using command “show run | sec slb”.
Verifying functionality (from the Primary ACOS device)
93.
94.
From your browser open HTTP connection to your vip1. You should see the
“It works!” web page.
On the Primary ACOS device at the CLI type “show ha” and press Enter to
show HA state. You should see this:
A1-Active>show ha
Local Unit:
UP
HA Group
Unit
1
Local
Peer
Peer Unit:
State
Active
Standby
UP
Priority
200
100
95. From the config prompt on the Primary ACOS device execute command:
Labs
High Availability
Page 12 of 14
disable slb server s1
96. Wait for a moment, hit Enter. Your prompt should change at “An-Standby”.
97.
From your browser open HTTP connection to your vip1. You should see the
“It works!” web page.
98.
On the Primary ACOS device at the CLI type “show ha” and press Enter to
show HA state. You should see this:
A1-Standby>show
Local Unit:
HA Group
1
ha
UP
Unit
Local
Peer
Peer Unit:
State
Standby
Active
UP
Priority
50
100
99. From the config prompt on the Primary ACOS device execute command:
enable slb server s1
100.
101.
Wait for a moment, hit Enter. Your prompt should change at “An-Active”.
On the Primary ACOS device at the CLI type “show ha” and press Enter to
show HA state. You should see this:
A1-Standby>show
Local Unit:
HA Group
1
102.
ha
UP
Unit
Local
Peer
Peer Unit:
State
Active
Standby
UP
Priority
200
100
From the config prompt on the Primary ACOS device execute commands:
interface ethernet 1
disable
show ha
103.
You should see this:
A1-Active(config-if:ethernet1)#show ha
Local Unit:
DOWN
Peer Unit:
HA Group
Unit
State
1
Local
Standby
Peer
Active
104.
105.
UP
Priority
200
100
Re-enable e1 interface and check the status of the primary ACOS device. After
a while it should change to Active. Why?
From the config prompt disable pre-emption on both ACOS device devices
using command:
no ha preemption-enable
106.
Labs
Verify using command:
High Availability
Page 13 of 14
show ha config
107.
From the config prompt on the Primary ACOS device execute commands:
interface ethernet 1
disable
108.
109.
110.
111.
112.
113.
Labs
After a moment verify using “show ha”. Primary ACOS device should be in
Standby.
Re-enable interface e1, wait and check status of the Primary ACOS device
using “show ha”. Your Primary ACOS device should remain in Standby even
though Local Unit status should be UP. Why does it remain in Standby?
On the Secondary ACOS device disable e1 interface, verify that failover
occurred, and re-enable e1. Verify that Primary ACOS device is now Active.
Now we will examine the behavior of Dynamic Server Weight in the absence
of pre-emption. Disable one of the physical servers on the Primary ACOS
device and check the status of the ACOS device from the CLI. It should display
diminished priority, but it should remain Active. Failover trigger due to
diminished priority works only with pre-emption enabled. Re-enable the
physical server.
Ask instructor if you need assistance. In the next step we will restore clean
configurations and prepare for HA setup from CLI.
Go to Addendum A “Restore Configuration” and perform steps in section
“CLI”.
High Availability
Page 14 of 14
Section 8
ACOS Troubleshooting
Lab
Labs
AX Troubleshooting
Page 2 of 6
Objective: Troubleshoot sessions and flows
WebUI
Overview
In previous labs we demonstrated most common configuration and monitoring
tools. In this lab we will use session and packet-level CLI tools. Throughout this lab
you will need to access your virtual server from your browser as needed to maintain
open sessions. Use commands shown in this lab and study their output.
Notes:
1.
2.
A <tab> followed by “#” denotes a comment. Do not type it as part of the
command.
“disable” commands must be executed from the config prompt. To undo
“disable”, use command “enable” with the same syntax
Preparation
3.
4.
Build HTTP-type Virtual Server with the following elements:
a. Two physical servers
b. Service Group http
c. Source IP Persistence with 10 minute timeout
d. Source NAT
When finished, verify functionality before proceeding.
Session-level commands
5.
Total
show session
clear session filter
clear session all
6.
# terminates selected sessions – more
# on session filters on next page
# terminates all sessions
Per Virtual Server
show slb virtual-server vip1 detail
clear slb virtual-server vip1
disable slb virtual-server vip1
7.
# show statistics
# clear statistics
# disable vip1
Per Virtual Server port (per virtual port)
show slb virtual-server vip1 80 detail
show slb virtual-server vip1 80 http detail
disable slb virtual-server vip1 port 80 # disable/drain port 80
Labs
AX Troubleshooting
Page 3 of 6
8.
Per Physical Server
show slb server
show slb server s1 detail
disable slb server s1
# disable/drain server s1
Undo the effects of the above command.
9.
Per physical server port
show slb server s1 80 detail
disable slb server s1 port 80 # disable/drain port 80 on server s1
10. Per Service Group
show slb service-group
show slb service-group http
11.
Per IP Address
show session ipv4 source-v4-addr your_IP_address
clear session ipv4 source-v4-addr IP
# terminate this session
show session ipv4 dest-addr your_VIP_address dest-port 80
clear session ipv4 dest-addr IP dest-port 80
# terminate
Explore more options with commands above.
12. Per layer
show slb l4
show slb http-proxy
13. Configuring session monitoring and termination filters
config
session-filter s1:80 dest-addr your_VIP_address dest-port 80
show session filter s1:80
clear session filter s1:80
# terminate sessions according to
# pre-configured filter
no session-filter s1:80
# deletes filter s1:80
Packet trace
Packet trace is done on ACOS devices using axdebug command. You can set up
multiple filters with multiple conditions in each filter. Conditions within each filter
are subject to logical AND, filters are subject to logical OR. Example:
(filter_1::cond_1 && filter_1::con_2) || (filter_2::cond_1 && filter_2::cond_2)
14. Perform the following commands::
axdebug
show axdebug filter
Labs
# no filters should be configured
AX Troubleshooting
Page 4 of 6
filter 1
src ip <client-data-IP>
dst ip <vip1-IP>
exit
show axdebug filter
capture brief
15. Connect to your Virtual Server from your browser and watch axdebug output.
Press Ctrl-C to stop output. Notice that capture shows your traffic end-to-end,
from client to physical server, and shows you how ACOS is handling this traffic.
16. Now try this:
capture detail save mytraffic
17. Interrupt with Ctrl-C when done, and execute following commands:
no filter 1
exit
18. In your browser log in to your ACOS device, go to Monitor, System, Diagnosis,
and click on AXDebug File. Select your capture and press Export. Save to your
remote desktop, unpack, and open in Wireshark or other packet debugger.
Techsupport file
19. Techsupport file is an amalgamation of the output of various troubleshooting
tools. Any time you call tech support at A10 Networks, you will likely be asked
to provide it. It can be generated from the CLI or the WebUI.
20. In CLI execute the following command at the enable prompt:
show techsupport page
21. If you used “export” instead of “page”, you could upload the file to a remote
server.
22. In WebUI go to Monitor, System, Diagnostics, click on Show Techsupport, and
save it to your local drive. Open it in a text editor.
23. If you have any questions, ask instructor for assistance.
24. Leave your configuration intact (do not reload base config). We will use it in the
next exercise.
Labs
AX Troubleshooting
Page 5 of 6
Labs
AX Troubleshooting
Page 6 of 6
Section 9
aFleX
Lab
Labs
aFleX
Page 2 of 4
Objective: Install an aFleX script
Preparation
1.
2.
Build HTTP-type Virtual Server with the following elements:
a. Two physical servers
b. Service Group http
c. Source IP Persistence with 10 minute timeout, Match Type “Port”
d. Source NAT
When finished, verify functionality before proceeding:
a. Open browser to http://<vip1-IP>/private (should work)
b. Open browser to http://<vip1-IP>/
(should work)
Installing aFleX script
3.
4.
In this exercise you will import an aFleX script from the server, modify it, install
it, and verify its functionality.
Here are script’s parameters:
a. Event:
HTTP_REQUEST
b. Tests:
[IP::addr [IP::client_addr] equals <your-data-IP>]
[HTTP::uri] starts_with "/private"
c. Action:
reject
log
5.
At the CLI config prompt execute (this is all one line):
import aflex no_private use-mgmt-port ftp://ftp@<backup-IP>/
BaseConfig/aFleX-no_private.tcl
6.
Verify the script contains your IP address:
show aflex no_private
7.
8.
Associate the script with Virtual Server vip1 port 80.
From the command line execute command:
clear session all
9.
Labs
Test functionality:
a. Open browser to http://<vip1-IP>/
b. Open browser to http://<vip1-IP>/private
aFleX
(should work)
(should fail – reset packet)
Page 3 of 4
c. Open log to view aFlex reject event
10. If you have any questions, ask instructor for assistance. In the next step you will
reload base configuration.
11. Reload base configuration on your AX.
Labs
aFleX
Page 4 of 4
Addendum A
Restore Configuration
Lab
Loading clean configuration
WebUI
Configuration steps
1. Position mouse pointer over Config tab, move down to System, Maintenance,
Restore, and click on System. You should see this screen:
2. In “Restore from” field select remote, check “Use Management Port”, in Host field
enter <backup-IP>, in Location field type “/ConfigBackup/<tarball>” – READ
THIS: please make sure you specify proper number, otherwise you will make
your ACOS device unreachable. If in doubt, ask instructor for assistance. Enter
“ftp” as Username, and leave Password blank – our classroom server is
configured for anonymous login. In real life you will need to use valid username
and password. Verify again that all information is correct and then click “OK”.
You should be disconnected while the ACOS reloads the configuration.
3. Log in to your ACOS device, and in the opening screen verify “Feature
Configuration” section on the right side. It should show 0 service groups, servers,
or virtual servers. If that is correct, you are ready to proceed to the next section
of the lab. If not, ask instructor for assistance.
CLI
Configuration steps
4. Open ssh connection to your ACOS management port and log in as username
admin, password a10. After you see “An>” prompt, type “enable” and hit Enter,
and again Enter for password. At the “#” prompt type “config” and hit Enter. You
should now see “An(config)#” prompt. That indicates you are in config mode,
just as you were in config mode when you moused over Config tab in WebUI.
5. Execute command:
restore use-mgmt-port ftp://ftp@<backup-IP>/ConfigBackup/<tarball>
Labs
Addendum A: Restore Configuration
Page 2 of 4
When asked for password, hit Enter (we are using anonymous ftp in the
classroom). You should see a response indicating success. That means your
config file was stored on your ACOS device. Type “end” and press Enter. Now
type “reload” and press Enter. You should be disconnected while the ACOS
reloads the configuration.
6. Wait for a while, then log in to your ACOS device again, go to enable mode and
execute command “show run”. Page through it and verify you are running clean
configuration.
Labs
Addendum A: Restore Configuration
Page 3 of 4
Labs
Addendum A: Restore Configuration
Page 4 of 4
Download PDF
Similar pages