A10 Networks: Application Delivery Controller: Presentation
ACOS release 2.7
Course A10_ADC-2.7v2.1
Do not distribute/edit/copy without the
written consent of A10 Networks
Table of Contents
Section 0: Course Introduction
Section 1: ACOS Management
Section 2: Load Balancing Concepts
Section 3: HTTP
Section 4: HTTPS
Section 5: ACOS Acceleration
Section 6: ACOS Security
Section 7: High Availability
Section 8: ACOS Troubleshooting
Section 9: aFleX
Introduction
Section 0
Contents
Course goals
Materials
Objective for students
Goal of this course
To learn basic load balancing concepts
To learn load balancing of HTTP and HTTPS protocols on the ACOS device
To learn ACOS troubleshooting tools
To prepare students to install, configure and manage the ACOS device
Facilities and materials
Basics:
Schedule (class time / breaks / lunch)
Break and restroom facilities
Communications (cellphone / internet)
WiFi:
Instructor: Tony Griffen <[email protected]>
Material:
Lecture materials
Lab equipment
Additional Resources:
Support web site for latest releases / User Guides / Release Notes / AppNotes Community – http://www.a10support.com/adc/
Class layout - generalized
[Diagram: generalized class layout. Three networks: Management 1.0.0.0/24, Client Data 100.0.0.0/24 and Server Data 200.0.0.0/24. Addresses shown: 1.0.0.n, 100.0.0.n, 200.0.0.n, 1.0.0.(100+n), 100.0.0.(100+n). Application servers: .201, .202, .203. HA link: 3.0.0.1 / 3.0.0.2. VIP1 100.0.0.(20+n), Source NAT 200.0.0.(20+n). HA ID 1 and HA ID 2, Set ID y.]
Conventions and substitutions
Throughout the labs substitute the following variables
Variable | Substitute with | Student 1 example
<s1-IP> | Server 1 IP address | 200.0.0.201
<s2-IP> | Server 2 IP address | 200.0.0.202
<nat1-IP> | 200.0.0.(20+n) where n is your student ID | 200.0.0.21
<vip1-IP> | 100.0.0.(20+n) where n is your student ID | 100.0.0.21
<ACOS-Mgmt-IP> | A10 device management IP - 1.0.0.n | 1.0.0.1
<ha-sync-pri> | 3.0.0.1 |
<ha-sync-sec> | 3.0.0.2 |
<client-data-IP> | 100.0.0.(100+n) where n is your student ID | 100.0.0.101
<backup-IP> | 1.0.0.(100+n) | 1.0.0.101
<set-ID> | Instructor will assign before the lab |
<ha-ID> | 1 for primary device, 2 for secondary in HA | 1
Introductions
Your name
Role at your company
Location of your home office
Experience with server load balancing
Experience with ACOS devices
ACOS Management
Section 1
Section objectives
Explore ACOS management access
Understand ACOS configuration components
Backup/restore ACOS configuration
Review initial ACOS configuration
ACOS management access
CLI
Console (RS-232 connection / 9600, 8, N, 1)
Telnet (disabled by default)
SSHv2
Web
HTTP (configurable ports - disabled by default)
HTTPS (configurable ports)
Levels of CLI authentication
CLI: Login ID/Password and Enable ID/Password
Web: Admin roles (read-write / read-only)
CLI: Privilege levels
Official name | Common name | Prompt | Purpose
User EXEC Level | user | > | Monitor SLB & CGN, do backups, use simple diagnostic utilities. From this level user cannot affect the functioning of the device or change configuration.
Privileged EXEC Level | enable | # | (same as user) + Manage system but not SLB or CGN configuration. Monitor system.
Privileged EXEC Level - Config Mode | config | (config)# | (same as enable) + Configure SLB or CGN. Actions which could affect SLB or CGN configuration are also accessible only from here, like config restore. Enable-level commands can be executed here by prepending them with "do".
CLI: Additional prompt indicators
Redundancy
ACOS-Active>
ACOS-Standby>
Clustering
ACOS-Active-vMaster[7/1]>
ACOS-Standby-vBlade[7/2]>
Packet capture
ACOS(axdebug)#
Hostname
ACOS(config)#hostname MyThunder1
MyThunder1(config)#
CLI: Help
List options
ACOS>show health monitor ?
WORD<length:1-31>  Name
all-partitions     All partition configurations
partition          Per-partition configurations
|                  Output modifiers
Option disambiguation
ACOS>show ic?
icmp    Display ICMP statistics
icmpv6  Display ICMPv6 statistics
Command completion
ACOS>show rad<tab>
ACOS>show radius-server
CLI: Undo
Commands are undone by prepending “no”
ACOS(config)#ip nat pool nat1 10.0.2.15 10.0.2.16 netmask /24
ACOS(config)#show ip nat pool
Total IP NAT Pools: 1
Pool Name  Start Address  End Address  Mask  Gateway  HA Group  Vrid
nat1       10.0.2.15      10.0.2.16    /24   0.0.0.0  0         default
ACOS(config)#no ip nat pool nat1
ACOS(config)#show ip nat pool
Total IP NAT Pools: 0
CLI: Disabling configuration elements
On configuration elements, "no enable" has the same effect as command "disable"
ACOS#show run | sec slb
slb server s1 10.0.2.18
ACOS(config)#slb server s1
ACOS(config-real server)#no enable
ACOS#show run | sec slb
slb server s1 10.0.2.18
   disable
CLI: Regular expressions
A subset of regular expressions can be used at the command line
. Matches any single character, including white space
* Matches 0 or more sequences of the pattern
+ Matches 1 or more sequences of the pattern
? Matches 0 or 1 occurrences of the pattern
^ Matches the beginning of the string
$ Matches the end of the string
_ Underscore matches a comma ",", left brace "{", right brace "}", left parenthesis "(", right parenthesis ")", the beginning of the string, the end of the string, or a space.
CLI: Filtering output (section & include)
ACOS supports filtering by piping output to section and include
section retrieves configuration elements containing regex
ACOS#show run | sec slb
slb server s1 10.0.2.18
   port 80 tcp
slb service-group http tcp
   member s1:80
include retrieves lines containing regex
ACOS#show run | inc slb
slb server s1 10.0.2.18
slb service-group http tcp
CLI: OR
To use "|" symbol as OR in inc or sec, escape it with "\" with no spaces around it
ACOS#show run | inc tacacs\|radius
tacacs-server host 1.0.0.100 secret (encrypted_secret) port 49 timeout 12
radius-server host 1.0.0.100 secret (encrypted_secret)
CLI: Exiting current level
Exit command takes CLI one level down
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit
ACOS(config)#exit
ACOS#exit
ACOS>
End command exits out of config
ACOS(config-slb vserver-vport)#end
ACOS#exit
ACOS>
Ctrl-C is a keyboard shortcut for exit in config mode, Ctrl-Z is a shortcut for end
CLI: Workflow
With CLI, build your configuration from bottom up
system
redundancy + clustering
servers
nat pools
templates
virtual server
virtual server port
Then apply pre-configured elements on virtual server port (vPort)
To use programming analogy, configuration elements are like functions. Those functions have to be called from vPort before they take effect.
WebUI: Privilege levels
Monitor
Equivalent to CLI User EXEC Level (user)
Config
Equivalent to CLI Privileged EXEC Level - Config Mode (config)
WebUI: Workflow
In WebUI, you can build configuration from top down in one of two ways
Config > SLB > Service > Virtual Server (and then add vPort underneath)
Config > SLB > Service > Virtual Service (all from one place)
Necessary configuration elements’ names are created automatically. Your virtual service is translated at the CLI level into virtual server + virtual port.
ACOS#show run | sec slb
slb server _s_10.0.2.18 10.0.2.18
   port 80 tcp
slb server _s_10.0.2.19 10.0.2.19
   port 80 tcp
slb service-group http tcp
   member _s_10.0.2.18:80
   member _s_10.0.2.19:80
slb virtual-server _10.0.1.12_vserver 10.0.1.12
   port 80 http
      name vip1-http
      service-group http
CLI vs. WebUI
CLI benefits
Structured, enhances understanding
Excellent for troubleshooting – can display multiple configuration items at the same time
Can be very fast with some familiarity
Requires very little bandwidth to operate device
WebUI benefits
Flexible workflow
Easy admin role definition
Familiar interface
Excellent for monitoring – graphical display
ACOS configuration components
ACOS configuration components
Configuration file
(optional) aFleX files
(optional) PBSLB files
(optional) SSL certificates and keys
(optional) Geo-location files (option in GSLB and geo-location-based VIP access)
Named configuration profiles
Benefits of named profiles
Maintain multiple configurations
Link startup configuration per partition to a named profile
Copy and edit profiles without disrupting normal operations
Maintain single configuration for both physical partitions
Create new profile
ACOS#write memory <new_profile>
ACOS(config)#copy <existing_profile> <new_profile>
See all profiles
ACOS#show startup-config all
Link startup config to profile
ACOS(config)#link startup-config <profile_name> [primary|secondary]
ACOS configuration full backup and restore
ACOS full configuration backup
WebUI: Config > System > Maintenance > Backup > System
CLI: ACOS(config)#backup system […]
ACOS full configuration restore
WebUI: Config > System > Maintenance > Restore > System
CLI: ACOS(config)#restore […]
Note: Supported upload protocols: FTP, SFTP, SCP, RCP, TFTP, and HTTPS (via WebUI)
ACOS configuration profile backup and restore
ACOS configuration profile backup
WebUI: Config > System > ConfigFile [open & copy]
CLI: ACOS(config)#copy <local_profile> [use-mgmt-port] <destination>
ACOS configuration profile restore
WebUI: Config > System > ConfigFile > Add [paste]
CLI: ACOS(config)#copy [use-mgmt-port] <remote_profile> <local_profile>
Note: Supported upload protocols: FTP, SFTP, SCP, RCP, TFTP, and HTTPS (via WebUI)
Backing up other configuration elements
ACOS#export ?
running-config   Running Config
ssl-cert         SSL Cert File
ssl-cert-key     SSL Cert/Key File
ssl-crl          SSL Crl File
ssl-key          SSL Key File
aflex            aFleX Script Source File
bw-list          Black/White List File
class-list       Class List File
axdebug          AX Debug Packet File
debug_monitor    Debug Monitor Output
startup-config   Startup Config
syslog           Syslog file
thales-secworld  Thales security world files - in .tgz format
thales-kmdata    Thales Kmdata files - in .tgz format
dnssec-dnskey    DNSSEC DNSKEY(KSK) file for the zone
dnssec-ds        DNSSEC DS file for the zone
ip-map-list      IP Map List File
Erasing configuration
You may erase configuration while preserving access to the device
ACOS(config)#erase ?
preserve-management  Preserve management ip and default gateway
preserve-accounts    Preserve admin accounts
reload               Reload after erase
<cr>
This command also erases profile linked to current startup config (except for “preserve” elements) but does not affect other profiles.
ACOS software location
ACOS software is stored on
Two disk partitions: primary and secondary
Second partition is designed for easy software rollback
Two Compact Flash partitions: primary and secondary
CF is designed for emergency recovery
Note: Each storage location has its own software and AX configuration
ACOS software upgrade options
Check the ACOS running partition
WebUI: Monitor > Overview > Summary > System Information
CLI: ACOS#show bootimage
Upgrade AX device’s other partition
WebUI: Configuration > System > Maintenance > Upgrade
CLI: ACOS(config)#upgrade […]
Copy running configuration to the other partition or link existing profile to it
ACOS# write memory [primary|secondary]
ACOS(config)#link startup-config <profile_name> [primary|secondary]
Set boot source to the other partition
WebUI: Configuration > System > Settings > Boot
CLI: ACOS(config)#bootimage hd [primary|secondary]
ACOS initial configuration
Rollback to Factory configuration
CLI: ACOS(config)#system-reset
ACOS(config)#end
ACOS#reboot
First step configuration
Connect on the ACOS device console (9600 baud - 8 bits – no parity - 1 stop bit)
Default user/password: admin/a10
Configure the management interface and its default gateway
Finish the ACOS configuration via CLI (ssh) or WebUI (https)
ACOS initial configuration example
ACOS login: admin
Password:
ACOS>en
Password:
ACOS#conf
ACOS(config)#interface management
ACOS(config-if:management)#ip address 172.31.31.11 /24
ACOS(config-if:management)#ip default-gateway 172.31.31.1
ACOS(config-if:management)#exit
ACOS(config)#exit
Lab
Backup your ACOS device using FTP server and local drive
Section summary
In this module, we discussed:
AX Management access
Backup and restore procedure
Upgrade and downgrade
AX Layer2 / VLAN
We have performed:
AX configuration back up and restore
Load Balancing Concepts
Section 2
Section objectives
Understand main load balancing goals and concepts
Configure ACOS L4 SLB Virtual Server
Configure two common L4 SLB Virtual Server options (Source IP Persistence + NAT)
Load balancing goals
Provide high availability of services
Share load among multiple servers (load balancing)
Topology: One-armed L2 (switched) mode (p. 1 of 2)
[Diagram: one-armed L2 (switched) mode. Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 and SNAT = 100.0.0.50 on 100.0.0.0/24; servers 100.0.0.[100-200] on 100.0.0.0/24. Packet headers shown: Source IP 200.0.0.1 / Dest IP 100.0.0.10; Source IP 100.0.0.50 / Dest IP 100.0.0.100; Dest IP 200.0.0.1 / Source IP 100.0.0.10; Dest IP 100.0.0.50 / Source IP 100.0.0.100.]
Topology: One-armed L2 (switched) mode (p. 2 of 2)
Benefits:
No change required on clients or servers
Easy to test
Clients can be in servers’ subnet
Points to keep in mind:
Servers lose Client IP visibility (can be partly remedied by IP header insertion in HTTP: X-ClientIP, customizable)
Requires Source NAT on SLB
[Diagram: one-armed L2 (switched) mode. Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 and SNAT = 100.0.0.50 on 100.0.0.0/24; servers 100.0.0.[100-200] on 100.0.0.0/24.]
Topology: L3 (routed) mode with SNAT (p. 1 of 2)
[Diagram: L3 (routed) mode with SNAT. Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 on 100.0.0.0/24 and SNAT = 100.0.1.50; servers 100.0.1.[100-200] on 100.0.1.0/24. Packet headers shown: Source IP 200.0.0.1 / Dest IP 100.0.0.10; Source IP 100.0.1.50 / Dest IP 100.0.1.100; Dest IP 200.0.0.1 / Source IP 100.0.0.10; Dest IP 100.0.1.50 / Source IP 100.0.1.100.]
Topology: L3 (routed) mode with SNAT (p. 2 of 2)
Benefits:
No change required on clients or servers
Easy to test
Points to keep in mind:
Servers lose Client IP visibility (can be partly remedied by IP header insertion in HTTP)
Requires Source NAT on SLB
[Diagram: L3 (routed) mode with SNAT. Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 on 100.0.0.0/24 and SNAT = 100.0.1.50; servers 100.0.1.[100-200] on 100.0.1.0/24.]
Topology: L3 (routed) mode w/o SNAT (p. 1 of 2)
[Diagram: L3 (routed) mode without SNAT. Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 on 100.0.0.0/24; servers 100.0.1.[100-200] on 100.0.1.0/24. Packet headers shown: Source IP 200.0.0.1 / Dest IP 100.0.0.10; Source IP 200.0.0.1 / Dest IP 100.0.1.100; Dest IP 200.0.0.1 / Source IP 100.0.0.10; Dest IP 200.0.0.1 / Source IP 100.0.1.100.]
Topology: L3 (routed) mode w/o SNAT (p. 2 of 2)
Benefits:
No change required on clients or servers
Provides additional layer of security
Points to keep in mind:
Configure SLB as default gateway on servers
[Diagram: L3 (routed) mode without SNAT. Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 on 100.0.0.0/24; servers 100.0.1.[100-200] on 100.0.1.0/24.]
Topology: DSR mode (p. 1 of 2)
[Diagram: DSR mode. Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 on 100.0.0.0/24; servers 100.0.0.[100-200] on 100.0.0.0/24 with Loopback IP = VIP = 100.0.0.10. Packet headers shown: Source IP 200.0.0.1 / Dest IP 100.0.0.10 / SLB MAC; Source IP 200.0.0.1 / Dest IP 100.0.0.10 / Server MAC; Dest IP 200.0.0.1 / Source IP 100.0.0.10.]
Topology: DSR mode (p. 2 of 2)
Benefits:
Highly scalable (SLB processes only incoming traffic)
Points to keep in mind:
Can’t use any ACOS layer 7 features (aFleX can still be applied at virtual port level)
Configure VIP IP as loopback on servers
[Diagram: DSR mode. Internet client 200.0.0.1; AX Series with VIP = 100.0.0.10 on 100.0.0.0/24; servers 100.0.0.[100-200] on 100.0.0.0/24 with Loopback IP = VIP = 100.0.0.10.]
Server Load Balancing (SLB)
ACOS SLB configuration has three core elements:
Servers, Service Groups, Virtual Servers (VIPs)
SLB: Server
Minimum configuration
Name
IP address (can use DNS name)
Ports
Server configuration
WebUI: Config > Service > SLB > Server
CLI: AX(config)# slb server <name> […]
Server status and statistics
WebUI: Monitor > Service > SLB > Server
CLI: ACOS# show slb server […]
SLB: Service Group
Minimum configuration
Name
Type (TCP/UDP)
LB Algorithm
At least one Server/Port
Load balancing algorithms
Service group – load-balancing algorithms
Round-Robin
Least Connection
Service Least Connection
Weighted Round Robin
Weighted Least Connection
Service Weighted Least Connection
Fastest Response time
Least Request
Round Robin Strict
Stateless (new in release 2.4.2; see notes)
Health Monitor
Service availability is checked using health monitors
Health monitors can be applied to:
Server
Server:Port
Service Group
Health monitors can test server availability
On layer 3: ping (icmp)
On layer 4: tcp, udp
On layer 7 (application): http, https, ftp, smtp, pop3, snmp, dns, radius, ldap, rtsp, sip, ntp
Via manually created scripts
Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)
Applying health monitor
Physical server health monitor
If HM fails, that server is considered down and service groups configured with that specific server stop using it for load balancing
Note: Default Server health monitor is icmp.
Physical server port health monitoring
If HM fails, that server port is considered down and service groups configured with that specific server:port stop using it for load balancing
Note: Default TCP Server Port Health Monitor is tcp handshake
Service group health monitor
If HM fails for a specific member, the service group stops using this member for load balancing
Note: By default there is no health monitor configured on Service Group
Source IP persistence
When to use Source IP persistence
Source IP persistence must be used when clients must have their future connections/traffic terminated on the same server
Source IP persistence template
Create Source IP Persistence Template
Name
Type:
Port (persistence per VIP:Port)
Server (persistence per VIP)
Service-Group (persistence per URL or Host)
Timeout: How long inactive entries are saved (default = 5 minutes)
Don't Honor Conn Rules: Ignore connection limits defined on Servers and Server Ports and connect new clients' connections to the Server (default = disabled)
Netmask: Granularity of Client IP address hashing (default = 255.255.255.255 for the most granularity)
Assign the Source IP Persistence Template to the Virtual Server Port
NAT: SLB Source NAT template
Create IP Source NAT Pool:
Name: Name of the template
Start IP address (can be the AX interface IP)
End IP address (can be the same as Start IP)
Note: If the "Start" and "End IP address" are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows
Netmask (used by "IP Source NAT – Group" when servers are on different subnets)
(optional) Gateway: Specify a gateway to use to reply to the clients' requests
(optional) "HA Group": Specify the HA group to tie to the SLB source NAT pool
Assign the SLB Source NAT Pool to the Virtual Server Port
SLB: Virtual Server
Minimum configuration
Name
IP address (accessed by end users)
Virtual Server Ports (usually)
SLB: Virtual Server Port (vPort)
Minimum configuration
Type: (TCP/UDP/HTTP/HTTPS/Fast-HTTP/RTSP/FTP/MMS/SSL-Proxy/SMTP/SIP/SIP-TCP/SIP-TLS/Others)
Port
Service Group (usually)
Pre-configured elements are applied here
SLB processing order: Virtual Server
Virtual Servers are processed from the most specific to the least specific. Example:
slb virtual-server acme 10.0.1.12
   port 80 http
      service-group acme
slb virtual-server emca 10.0.1.14
   port 0 tcp
      service-group emca
slb virtual-server default 0.0.0.0
   port 0 tcp
      service-group default
Virtual Servers are displayed in the order of processing from the CLI
SLB processing order: Virtual Server Port (vPort)
vPorts are displayed under Virtual Server in the order they were added but processed from most specific to least specific. Example:
slb virtual-server default 0.0.0.0
   port 0 tcp
      service-group default
   port 80 tcp
      service-group http
In the above example port 80 will be matched against incoming connection first
SLB processing order: vPort configuration elements
Configuration elements applied on the Virtual Server Port are processed in the following order:
Layer 4:
DNS template
Policy template
All other templates
Service group
Layer 7:
Cookie persistence template
aFleX script
All other templates
Service group
Lab
Configure Layer 4 SLB Virtual Server (VIP)
Physical servers
Service Group
Source NAT
Source IP Persistence
Virtual Server
Verify functionality
Section summary
In this section we discussed:
Load balancing’s main goals: server load sharing and high availability of services
Load balancers network integration modes: routed, one-arm, transparent, and DSR
Two common L4 SLB options and their ACOS configuration
We have configured the following:
ACOS Layer 4 SLB Virtual Server
Source IP Persistence
SLB Source NAT
HTTP
Section 3
Section objectives
Understand HTTP
Understand ACOS HTTP load balancing
Configure HTTP Virtual Server
HTTP protocol
HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80)
Note: HTTPS uses the same protocol with explicit SSL encryption for higher security (usually on port 443)
HTTP is a sequence of network request/response transactions
Note: Browsers open multiple TCP sessions to download multiple objects from 1 web site in parallel (2 sessions with IE5.5/6.0, 6 sessions with IE8, 15 sessions with Firefox 3.x)
Request and response options are sent via headers
HTTP request
Main request methods
"GET url": Request object from server
"POST url": Send data/object to server
Others: HEAD, CONNECT
Note: The Host (such as www.a10networks.com) is not a part of the url but is listed in the "Host" header in the request
Main request headers
"Host": Site name
"Connection: Keep-Alive": Client support for using the same session for multiple request/response transactions
"Accept-Encoding: gzip, deflate": Support for HTTP compression
"Cookie": Text used to keep track of user information
HTTP response codes
Main server response codes
200: OK (object in the response)
301: Redirect permanently
302: Temporary redirect
304: Not Modified
404: Page not found
5xx: Server error
HTTP response headers
Main response headers
"Last-Modified": When object was last modified
"Etag": Entity tag (used to detect object changes)
"Connection: Keep-Alive": Server support for using the same session for multiple request/response transactions
"Set-Cookie": Asks user to save cookie to keep track of user information
"Cache-Control" / "Pragma": Cacheability of the object
SLB configuration for HTTP (p. 1 of 5)
Load Balancers don't need a specific configuration for basic HTTP load balancing - Any L4 SLB VIP works for HTTP services
However, advanced load balancers provide techniques for improving HTTP services
Better Availability
Better Flexibility
Better Performance/Acceleration
Better Security
AX offers advanced flexibility options for web applications via HTTP templates
HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
SLB configuration for HTTP (p. 2 of 5)
HTTP Health Monitor
ACOS provides the ability to test HTTP/HTTPS services using Health Monitors
HTTP/HTTPS Health Monitors have the following required parameters:
Port: TCP port
Method (GET or HEAD or POST)
URL
And the following optional parameters:
User + Password: For web sites that require authentication
Expect: Server Response code or Server text
Maintenance Code: To automatically mark the server in maintenance, rather than down (so users with persistence to that server remain on that server)
SLB configuration for HTTP (p. 3 of 5)
URL failover
When all servers have failed, the ACOS can send an HTTP redirect to a backup site.
ACOS(config)# slb template http <template_name>
ACOS(config-http)# failover-url ?
WORD<length:1-255> Failover URL Name
SLB configuration for HTTP (p. 4 of 5)
Retry HTTP request on HTTP 5xx
When the Server replies with a 5xx error, by default AX forwards it to the client. The retry option tells the ACOS to resend the request to another Server in the Service Group.
The following options are available:
"On HTTP 5xx code for each request": The client request is resent to a new server
"On HTTP 5xx code": The client request is resent to a new server + the server that replied with the 5xx is not used for new requests for 30 seconds
"#": Number of servers that can be tried
Logging: Generates logs when this event happens
SLB configuration for HTTP (p. 5 of 5)
Client IP header insertion
In Web server logs, the client IP address is logged. Web servers retrieve the client IP information from the source IP address.
Some ACOS advanced HTTP options (Connection Reuse or Source NAT) force the ACOS to establish the connection to the server with an ACOS IP address. In such case, the Web server loses the client IP address information.
To allow Web Servers to log Client IP address information, the ACOS can inject the Client IP information in a request header.
ACOS(config-http)#insert-client-ip ?
WORD<length:1-63>  HTTP Header Name for inserting Client IP
replace            Replace the existing header
<cr>
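How a web server behind the ADC can consume the inserted header safely, as an added example (Python written for this page, not A10 or course code): the header is trusted only when the TCP peer is the SLB source NAT address. The header name X-ClientIP, the SNAT address 200.0.0.21 (the Student 1 <nat1-IP> value) and the function name are assumptions.

```python
import ipaddress

# Assumptions for this example, not values from a real deployment:
# the header name configured with insert-client-ip and the SLB source NAT
# address (200.0.0.21 is the "Student 1" <nat1-IP> from the lab conventions).
CLIENT_IP_HEADER = "x-clientip"
TRUSTED_SNAT = (ipaddress.ip_network("200.0.0.21/32"),)


def logged_client_ip(peer_ip, headers):
    """Pick the address a web server should log for one request.

    peer_ip -- source address of the TCP connection as seen by the server
    headers -- list of (name, value) pairs in the order received
    """
    peer = ipaddress.ip_address(peer_ip)

    # A request that did not arrive from the load balancer's NAT address
    # carries a header written by the client itself, so ignore it.
    if not any(peer in net for net in TRUSTED_SNAT):
        return str(peer)

    values = [v.strip() for k, v in headers if k.lower() == CLIENT_IP_HEADER]

    # Zero copies: insertion is not configured. Several copies: a value
    # supplied by the client is mixed in with the inserted one and the
    # server cannot tell which is which. Fall back to the peer address.
    if len(values) != 1:
        return str(peer)

    try:
        return str(ipaddress.ip_address(values[0]))
    except ValueError:
        # Not a single IP address (for example a comma-separated list).
        return str(peer)


# Constructed sample requests: (peer address, headers).
SAMPLES = [
    ("200.0.0.21", [("Host", "vip1"), ("X-ClientIP", "100.0.0.101")]),
    ("100.0.0.101", [("Host", "vip1"), ("X-ClientIP", "10.9.9.9")]),
    ("200.0.0.21", [("X-ClientIP", "10.9.9.9"), ("X-ClientIP", "100.0.0.101")]),
    ("200.0.0.21", [("X-ClientIP", "not-an-ip")]),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, "->", logged_client_ip(peer, hdrs))
```

With the replace option listed above, an existing header is replaced, so the server receives a single value and the fallback branches are not hit for traffic through the ADC.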
Lab
Configure layer 7 HTTP Virtual Server
Physical servers
HTTP Health Monitor
Service Group
Source NAT
Source IP Persistence
Virtual Server
HTTP Templates
Header rewriting/insertion
URL Failover
Verify functionality
Section summary
In this section we discussed HTTP protocol
We have configured the following:
HTTP Virtual Server
HTTP health monitor
URL switching
Response header insertion
HTTPS
Section 4
Section objectives
Understand HTTPS
Understand ACOS HTTPS load balancing and its options
Configure HTTPS Virtual Server
HTTPS protocol
HTTPS (HTTP over TLS) RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)
HTTPS is the "secured" version of HTTP (usually port 443)
HTTPS offers
Server Authentication (with server certificates)
(optional) Client Authentication (with client certificates)
Encryption (with TLS/SSL)
Server authentication
TLS/SSL is based on public certificates and private keys
Certificates are issued and signed by Certificate Authority (CA)
HTTPS clients first request the server public certificate and validate it using list of trusted CAs
When the server certificate is validated (name, date, etc.), the client sends its HTTP request
SYN (TCP Port 443)
SYN/ACK
ACK
CLIENT_HELLO (Highest SSL Version, Ciphers Supported, Data Compression Methods, SessionID, Random Data)
SERVER_HELLO (Selected SSL Version, Selected Cipher, Selected Data Compr. Method, Assigned SessionID, Random Data)
CHANGE_CIPHER_SPEC (contents of subsequent SSL record data sent by the client during the SSL session will be encrypted)
SERVER_DONE
CERTIFICATE_VERIFY (Client informs the server that it has verified the server's certificate)
CERTIFICATE (Public Key, Authentication Signature)
CHANGE_CIPHER_SPEC (subsequent data sent by the server during the SSL session will be encrypted)
FINISHED (digest of all the SSL handshake commands so far for validation)
FINISHED (digest of all the SSL handshake commands so far for validation)
SSL Negotiation
Client sends server symmetric secret key encrypted with server’s public key. From now user data is encrypted.
HTTPS communication with clients
Client SSL templates
To enable HTTPS communication with the Clients
Client SSL template
Public certificate that will be presented to Clients
Private key (and its passphrase)
SSL cipher supported ("encrypted algorithm")
(optional) Client certificate request
HTTPS communication with servers
Server SSL templates
To enable HTTPS communication with the Servers
Server SSL template
SSL cipher supported ("encrypted algorithm")
(optional) CA that will be used to validate the Server’s certificate
Secure redirect with SSL Offload
URL redirect / rewrite
When the Server replies with an HTTP redirect, the AX can rewrite it with a new value.
This option usually is used for transparent "SSL-ization" of HTTP web applications.
ACOS(config)# slb template http <template_name>
ACOS(config-http)# redirect-rewrite secure
Cookie persistence
When to use cookie persistence
Like Source IP Persistence, Cookie Persistence is used when HTTP/HTTPS clients must have their future connections/traffic terminated on the same server.
But Cookie Persistence provides more granularity, since even different users coming from the same Proxy (same IP address) will get different persistence with Cookie Persistence.
Lab
Configure layer 7 HTTPS Virtual Server
Physical servers
Service Group
SSL Certificate
SSL Template
Source NAT
Cookie Persistence
Virtual Server
Transparent redirect
Verify functionality
Section summary
In this section we discussed HTTPS protocol
We have configured the following:
HTTPS Virtual Server using HTTP and HTTPS servers
HTTPS redirect
Cookie persistence
ACOS Acceleration
Section 5
Section objectives
Understand and configure advanced ACOS acceleration options:
Connection Reuse
HTTP compression
RAM Caching
Connection Reuse (p. 1 of 2)
Web servers need to manage:
New clients (open new sessions)
Clients leaving (close sessions)
Maintain all connected clients sessions
Note: Web browsers keep their TCP connections open - even when all objects have been loaded
Connection Reuse (p. 2 of 2)
Connection Reuse offloads the server TCP stack
This option provides faster server response time and higher server scalability
Connection reuse
Terminates all client’s connections to the ACOS device
Maintains persistent connections to the Servers
Sends all client’s requests on the same persistent connections
Note: Connection Reuse requires SLB Source NAT
Note2: HTTP Keep-alive should be enabled on the web servers
SSL Offload
SSL Offload relieves the server of SSL tasks
This option provides faster server response time and higher server scalability
ACOS receives HTTPS client traffic and sends HTTP traffic to the servers
HTTP compression
Compresses HTTP/HTTPS objects
Uses less bandwidth and provides faster client download time
ACOS HTTP compression
Compresses objects sent to the clients (Note: By default, "text" (such as html/css/js) and "application" (such as doc/xls/ppt/pdf))
If HTTP compression is enabled on the servers, ACOS transparently offloads this task from servers
RAM Caching
Caches HTTP/HTTPS static and dynamic content in ACOS RAM
Delivers cached objects to clients directly from the ACOS Cache, offloading servers
Provides faster client download time and higher server scalability
RAM Caching – HTTP response codes
Caches objects unless explicitly denied by the server's response
Caches responses with the following codes:
200 OK
203 Non-Authoritative response
300 Multiple Choices
301 Moved Permanently
302 Found (only if Expires header is also present)
410 Gone
RAM Caching – limitations
Does not support client HTTP range requests (they are sent to the servers)
Does not cache server responses with "Vary" header (except "Vary: Accept-Encoding")
Does not cache server responses with "Warning" header
Does not cache server responses if requests had an "Authorization" header (even if the server specifies "Cache-Control: public")
Does not cache incomplete (partial) responses
RAM Caching – dynamic objects
Allows the ACOS to Cache non-static objects
Need to understand application behavior to determine cacheability
What is to be cached?
How long is the cached content valid?
What is the trigger that would cause the response to change?
Parameterized requests
The URL matches a specific pattern.
Specific query parameters are present.
Specific cookies in the request are present.
Specific HTTP headers in the request are present.
RAM Caching – dynamic objects caveats
When not to use dynamic caching
Response sets cookies specific to that session. Example: response to a login page.
Response contains data specific to a previous action in the session. Example: confirmation number for a transaction that was just executed.
Response contains data that becomes stale based on a future action. Example: portfolio page of a brokerage account user changes when the user executes transactions.
Different versions of the response cannot be distinguished by using the URL, query parameters, or cookies in the request. Example: response contains personalized settings, such as the user name but no query parameter or cookie directly identifies the user.
12
RAM Caching – dynamic objects policies
Cacheability rules determine what is cacheable and what is not
Caching policies can be used to override/augment standard HTTP behavior
Policies are specified as follows:
policy <condition> <action>
Where:
<condition> is of the form uri <pattern>
<action> is cache <seconds>, no-cache, or invalidate <entry>
Note: More sophisticated conditions will be supported in the future using aFleX policies
Policies are evaluated in the order they are specified. The action in the first policy that matches will be applied.
13
RAM Caching – dynamic objects – example
You have a web application with the following URLs:
http://x.y.com/list lists all items from database
http://x.y.com/add?a=p1&b=p2 adds item to database
http://x.y.com/del?c=p3 deletes item from database
http://x.y.com/private?user=u1 private info for user
The “list” URI gets a lot of hits. It makes sense to cache that URI while it remains up to date. However, when the user does an add/delete operation, or one of the other URIs arrives, the database would change and the cached list needs to be refreshed.
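The first-match policy evaluation described above, modelled in Python for the four example URLs (an added example, not ACOS code or A10's implementation). The policy lines follow the slide's "policy uri <pattern> <action>" grammar; the specific patterns, the 3000-second lifetime, substring matching, and sending unmatched URIs straight to the server are assumptions of the model.

```python
# Constructed policy set in the slide's "policy uri <pattern> <action>" grammar.
# The patterns, the 3000 s lifetime and substring matching are assumptions.
POLICIES = """\
policy uri /private no-cache
policy uri /list cache 3000
policy uri /add invalidate /list
policy uri /del invalidate /list
"""

def parse_policies(text):
    """Parse policy lines into (pattern, action, argument) tuples, in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["policy", "uri"]:
            raise ValueError(f"unsupported policy line: {line!r}")
        pattern, action = tok[2], tok[3]
        if action == "cache":
            rules.append((pattern, action, int(tok[4])))
        elif action == "invalidate":
            rules.append((pattern, action, tok[4]))
        elif action == "no-cache":
            rules.append((pattern, action, None))
        else:
            raise ValueError(f"unknown action: {action!r}")
    return rules

def first_match(rules, uri):
    """Policies are evaluated in order; the first matching one decides."""
    for rule in rules:
        if rule[0] in uri:
            return rule
    return None

class RamCacheModel:
    def __init__(self, rules):
        self.rules = rules
        self.store = {}  # uri -> (body, expiry time)

    def handle(self, uri, origin, now):
        """Serve one request; returns (body, 'cache' or 'server')."""
        rule = first_match(self.rules, uri)
        if rule and rule[1] == "cache":
            hit = self.store.get(uri)
            if hit and hit[1] > now:
                return hit[0], "cache"
            body = origin(uri)
            self.store[uri] = (body, now + rule[2])
            return body, "server"
        body = origin(uri)  # no-cache, invalidate and unmatched URIs go to the server
        if rule and rule[1] == "invalidate":
            for key in [k for k in self.store if rule[2] in k]:
                del self.store[key]  # the next /list request is refetched
        return body, "server"

def demo():
    """Replay the slide's scenario against a constructed in-memory 'database'."""
    db = ["item1"]
    def origin(uri):
        if uri.startswith("/add"):
            db.append("item2")
        return ",".join(db)
    cache = RamCacheModel(parse_policies(POLICIES))
    requests = ["/list", "/list", "/add?a=p1&b=p2", "/list", "/private?user=u1"]
    return [(u,) + cache.handle(u, origin, now) for now, u in enumerate(requests)]
```

Because the first match wins, a broad cache rule placed ahead of the /private rule would make per-user responses cacheable, so no-cache rules for private URIs belong at the top of the list.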
14
Lab
Configure layer 7 HTTP Virtual Server
Physical servers
Service Group
Source NAT
Cookie Persistence
Virtual Server
Connection Reuse
Compression template
RAM Caching template
Verify functionality
15
Section summary
In this section, you have configured the following ACOS acceleration options:
Connection Reuse
SSL offload
HTTP compression
RAM Caching
1
ACOS Security
Section 6
2
Section objectives
Understand advanced ACOS security options
DDoS protection
PBSLB
ACL
Management security
3
DDoS protection (p. 1 of 2)
ACOS provides protection against Distributed Denial of Service (DDoS) attacks
Note: AX 2200 / AX 3100 / AX 3200 / AX 5100 / AX 5200 provide DDoS protection in hardware. Other models provide DDoS protection in software.
DDoS basic filters
DDoS configuration
WebUI: Config > SLB > Global
CLI: ACOS(config)# ip anomaly-drop <DDoS-type>
4
DDoS protection (p. 2 of 2)
Advanced DDoS filters are also available with system-wide PBSLB
Invalid HTTP or SSL payload or DNS
Zero-Length TCP Window
Out-of-sequence packet
5
Policy Based Server Load Balancing (PBSLB) (p. 1 of 2)
Using PBSLB list:
Filter users (block and/or forward to specific service groups)
Note: IPv6 addresses are not supported in PBSLB.
6
PBSLB (p. 2 of 2)
Using Class List you can limit users on their:
Layer 4 traffic:
Connection Limit
Connection-Rate Limit per 100 ms
Layer 7 traffic (for HTTP / HTTPS / DNS):
Request Limit
Request-Rate Limit per 100 ms
Note: IPv6 addresses are supported in class lists.
7
PBSLB – Class List details
Large list support
Up to 8 M IP addresses
Up to 64 K IP subnets
Up to 32 group IDs
Highly efficient
Lists are stored in hash tables
Can process Gbps of traffic
(PBSLB list only) Automatic list download
AX device can update its PBSLB list automatically at specific intervals via TFTP
8
Access Control List (ACL)
ACOS supports standard and extended Access Control Lists (ACLs)
ACL can be applied to data interfaces, management interface, and virtual server ports
Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
ACL components
[no] access-list acl-num [seq-num] {permit | deny | remark string} ip {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [log [transparent-session-only]]
9
Management security
ACOS provides advanced management security options
Multiple management accounts with distinct levels of access
Interface level access for individual access types (ICMP / Telnet / SSH / HTTP / HTTPS / SNMP)
Management account lockout in response to excessive invalid password attempts
External authentication support with RADIUS, TACACS+, and LDAP
Private partitions
Note: See ACOS Series Configuration Guide for more information
10
Section summary
In this module, we presented ACOS advanced security options:
DDoS protection
PBSLB
ACL
Management security
1
High Availability (HA)
Section 7
2
Section objectives
Discuss High Availability and its options
Active-Standby mode
Active-Active mode
Configure Active-Standby HA
3
Active-Standby mode
Active ACOS device processes all the production traffic
Standby ACOS device does not process any production traffic
Standby ACOS device optionally mirrors L4 session information from Active
Reliability is scaled but not performance
4
Active-Standby Failover
Peer ACOS device is elected as active
Gratuitous ARPs for virtual, floating and NAT IPs are sent
Existing mirrored sessions are picked up by newly elected active ACOS device
New sessions are served by newly elected active
5
Active-Active mode
Both ACOS devices process the production traffic
Session and state information is mirrored between both ACOS devices
Performance is scaled in addition to reliability
Note: Do not exceed 50% utilization on each unit for full HA
6
Active-Active Failover
Peer ACOS device is elected active for HA group 2 and sends gratuitous ARPs for virtual IPs, floating IPs, and NAT IPs
Existing mirrored sessions are picked up by peer ACOS device
Peer ACOS device serves requests for both HA groups
7
HA support
All ACOS integration modes support HA
Routed mode
Active-Standby, Active-Active
One-Arm mode
Active-Standby, Active-Active
Transparent mode
L2 Active-Standby
DSR mode
Active-Standby, Active-Active
8
Initial selection of Active ACOS device
After initial selection, the ACOS device remains Active unless:
Standby stops receiving HA heartbeat from Active
HA interface status of the Active becomes lower than Standby’s
VLAN-based failover is triggered
Gateway-based failover is triggered
HA pre-emption is enabled, and the configured HA priority is changed to be higher on the Standby
9
Events causing HA Failover
By default, a failover occurs only in the following cases:
Standby stops receiving HA heartbeat from Active
HA interface state changes give the Standby device a better HA state than the Active device
VLAN-based failover is configured and the VLAN becomes inactive.
Gateway-based failover is configured and the gateway becomes unavailable.
VIP-based failover is configured and the unavailability of real servers causes the Standby AX to have the greater HA priority for the VIP’s HA group
By default, failover does not occur due to HA configuration changes to the HA priority.
To enable the ACOS devices to failover in response to changes in priority, enable HA pre-emption.
10
Active-Standby configuration (p. 1 of 2)
Configure HA Global settings
Identifier (A1 = 1, A2 = 2)
HA Status: Enabled
(optional) HA Mirroring IP address: Remote ACOS device Sync interface
(optional) Preempt: to failover to a higher ACOS device when available
Group1 with priority 200 on A1 (priority 100 on A2)
Floating VIP for Group1: IP addresses defined on servers' gateway (VRRP-like)
(optional) IP and VLAN check (Note: IPs have to be defined as SLB-Server too)
Configure HA interfaces
All interfaces used with production traffic (+ ACOS device interlink if exists)
Note: We recommend a dedicated direct interlink between the ACOS devices so sync traffic is off the production network
11
Active-Standby configuration (p. 2 of 2)
Configure NAT pool HA settings
In IP Source NAT, associate the HA Group with IPv4 Pools, IPv6 Pools, NAT Ranges, or Static NAT
Configure VIP HA settings
In VIP settings, associate HA Group with the VIP
(optional) Enable Dynamic Server Weight: Reduce the AX HA Group priority when a server is down
(optional) Enable HA Connection Mirroring on the VIP ports: To synchronize SLB session table (available for TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
Note: For HTTP/HTTPS VIP types, the client session is terminated on the ACOS device. HA Connection Mirroring is not available for these VIP types.
12
Active-Active configuration
Same as Active-Standby with two groups defined
Step2:
Group1 with priority 200 on AX1 (priority 100 on A2)
Group2 with priority 100 on AX1 (priority 200 on A2)
Step3:
Associate Group1 with half of the VIPs and Group2 with the second half
Step4:
Associate Group1 with the NAT Pools used by VIPs in Group1 and Group2 with the NAT Pools used by VIPs in Group2
13
Lab
Configure HA Active/Standby mode with your neighbor
14
Section summary
We discussed High Availability modes
Active-Standby
Active-Active
We have configured Active-Standby HA mode
1
ACOS Troubleshooting
Section 8
2
Section objectives
Learn ACOS troubleshooting tools
Use session-related commands
Perform packet trace in ACOS using axdebug
3
Log
ACOS logs many informational, warning, and error messages. show log is the first place to check when experiencing issues.
Port/Interface up/down messages
L2 loop detection warnings
Unicast/Multicast/Broadcast packet limit warnings
MAC address movement warnings
Duplicate IP warnings
Server & service port up/down messages
Application-specific error messages: SLB, PBSLB, HTTP, HA, AFLEX, […]
Monitoring
WebUI: Monitor > System > Logging > Logging
CLI: ACOS#show log [ | inc <reg_ex> ]
4
Audit log
ACOS logs administrative actions with username, date, and time stamp. It also logs new administrative sessions.
Examples
Sep 30 2013 12:21:04 [admin] web: add Source IP Persistence template [pers1] successfully.
Sep 30 2013 11:41:54 [admin] cli: vcs device-context device 2
Sep 30 2013 12:29:28 A web session[1] opened, username: admin, remote host: 10.254.102.12
Monitoring
WebUI: Monitor > System > Logging > Audit
CLI: ACOS#show audit [ | inc <reg_ex> ]
5
Exporting logs
Set up permanent logging on remote server
WebUI: Config > System > Settings > Log
CLI: ACOS(config)#logging […]
Export existing logs
WebUI: Monitor > System > Logging > [ Logging | Audit ] > Export (save to laptop)
CLI: ACOS#export syslog messages [use-mgmt-port] <remote_destination>
(this exports combined audit and syslog logs plus system messages – it is a lot larger than normal “log” and “audit” output)
6
Correlating log to audit log
Use built-in include and section utilities to find corresponding lines in log, audit log, and running config
ACOS#show log
:45 Warning [ACOS]:Duplicated IP 10.0.1.1 MAC 000c.2976.5904 from Port 1 VLAN 3 detected
ACOS# show audit | inc
Sep 24 2013 09:56:46 [admin] cli: port 80 http
Sep 24 2013 09:56:28 [admin] cli: slb virtual-server vip1 10.0.1.1
ACOS(config)#show run | sec 10.0.1.1
ip route 0.0.0.0 /0 10.0.1.1
slb virtual-server vip1 10.0.1.1
port 80 http
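The correlation on this slide, run offline over exported log text instead of with "| inc" on the device, as an added Python example (not part of the course material). The log and audit lines are constructed from the slide's samples; the full timestamp on the warning, the "s9" server line, the time of the route line, and the 30-minute window are assumptions.

```python
import re
from datetime import datetime

# Constructed exports shaped like the slides' "show log" / "show audit" lines.
# Assumed: the warning's full timestamp, the "s9" server line, the route line's time.
LOG = """\
Sep 24 2013 09:57:45 Warning [ACOS]:Duplicated IP 10.0.1.1 MAC 000c.2976.5904 from Port 1 VLAN 3 detected
"""
AUDIT = """\
Sep 24 2013 08:15:10 [admin] cli: ip route 0.0.0.0 /0 10.0.1.1
Sep 24 2013 09:40:02 A web session[1] opened, username: admin, remote host: 10.254.102.12
Sep 24 2013 09:50:00 [admin] cli: slb server s9 10.0.1.12
Sep 24 2013 09:56:28 [admin] cli: slb virtual-server vip1 10.0.1.1
Sep 24 2013 09:56:46 [admin] cli: port 80 http
"""

TS = r"(?P<ts>\w{3} +\d+ \d{4} \d{2}:\d{2}:\d{2})"
AUDIT_RE = re.compile(TS + r" \[(?P<user>[^\]]+)\] (?P<via>\w+): (?P<action>.*)")
DUP_RE = re.compile(TS + r" Warning \[ACOS\]:Duplicated IP (?P<ip>[\d.]+) ")

def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def parse_audit(text):
    """Return administrative actions; session-open lines have no [user] tag and are skipped."""
    entries = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            entries.append({"time": parse_ts(m["ts"]), "user": m["user"],
                            "via": m["via"], "action": m["action"]})
    return entries

def correlate(log_text, audit_text, window_minutes=30):
    """Map each duplicate-IP warning to the audit actions that name that IP
    as a whole token within the window before the warning."""
    audit = parse_audit(audit_text)
    findings = []
    for line in log_text.splitlines():
        m = DUP_RE.match(line)
        if not m:
            continue
        when, ip = parse_ts(m["ts"]), m["ip"]
        # A plain "inc 10.0.1.1" would also hit 10.0.1.12; anchor both ends.
        token = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
        related = [e for e in audit
                   if token.search(e["action"])
                   and 0 <= (when - e["time"]).total_seconds() <= window_minutes * 60]
        findings.append((ip, sorted(related, key=lambda e: e["time"])))
    return findings
```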
7
Server health check
Display health check statistics
ACOS#show health stat
[long list of statistics]
IP address Port Health monitor Status Cause(Up/Down) Retry PIN
10.0.2.18 default UP 11 /0 @0 0 0 /0 0
10.0.2.19 80 default UP 20 /0 @0 0 0 /0 0
10.0.2.18 80 web UP 10 /0 @0 0 0 /0 0
10.0.2.19 80 web UP 10 /0 @0 0 0 /0 0
see CLI Reference manual for codes
Show running health monitors
ACOS#show health monitor
Idle = Not used by any server
In use = Used by server
Monitor Name Interval Retries Timeout Up-Retries Method Status
ping 5 3 5 1 ICMP In use
web 5 3 5 1 HTTP In use
8
Examining running config
Examine running config with the following tools
ACOS#show run [ | sec ^[0-z] ]
↑ the optional element at the end of this command strips blank lines from the output
ACOS#show run | sec <config_element>
ACOS#show slb […]
↑ statistics for each configuration element
ACOS#show ha [config]
ACOS#show vrrp-a [ config | detail ]
ACOS#show vcs [ summary | message-buffer ]
9
Layers 1-4
Layer 1-2
ACOS#show int […]
Layer 3
ACOS#show arp
ACOS#show ip route
ACOS#show access-list
ACOS#show run | sec router
Layer 4
ACOS#show slb l4
host#telnet <ip> <port>
ACOS#axdebug
10
Layer 7: HTTP
Show enabled L7 features
ACOS#show run | sec slb
Try without the advanced features first (compression, connection reuse, and so on)
Packet trace
ACOS#axdebug
Is server receiving the request sent by the ACOS device?
Any standard HTTP header missing? (host, method, … and so on)
Do all of the HTTP headers have desired values?
Response Code from server’s response?
Size of request / response payload?
Is it taking a long time to process the request?
What are the cookies?
11
Layer 7: HTTPS
Show enabled features
ACOS#show run | sec slb
Are client-ssl and server-ssl templates applied on vport?
Packet trace
ACOS#axdebug
Is client able to finish SSL Handshake with VIP?
Is ACOS device able to finish SSL Handshake with server?
Any issues pertaining to redirect?
Decrypted trace
Are there any absolute links in Javascripts / Links / Images (http://xxx)?
12
ACOS Performance
Show memory utilization
ACOS#show memory [ system ]
System Memory Usage:
Total(KB) Free Shared Buffers Cached Usage
16456546 8224340 0 2420 159084 49.0%
Show cpu utilization
ACOS#show cpu [ interval […] ]
↑ shows utilization per cpu for the past minute. Customizable “interval” triggers continuous updates.
Show resource limits
ACOS#show system resource-usage
↑ shows minimum, maximum, default, and currently set limits for configuration items
13
ShowTech
ShowTech is a comprehensive collection of output from many troubleshooting utilities. When contacting A10 Tech Support you will be asked to generate one.
WebUI: generate new file and save to laptop
Monitor > System > Diagnosis > Show Techsupport
WebUI: view and save previously generated files
Monitor > System > Diagnosis > ShowTech File
CLI: generate and export file to a remote server or view on the screen
AX# show techsupport [export] [use-mgmt-port] [<remote_destination>]
14
axdebug
Captured files are in pcap format (Wireshark / tcpdump)
Able to see every detail of the packets the AX receives & sends
axdebug is session based
If one packet matches the filter, all following packets in the same session are dumped
15
axdebug filters
Build filters to fine tune your capture
Multiple conditions within a filter are ANDed, multiple filters are ORed.
axdebug example
ACOS#axdebug
ACOS(axdebug)#filter 1
ACOS(axdebug-filter:1)#ip 1.2.3.4 /32
ACOS(axdebug)#capture save <file_name>
Stop axdebug trace
ACOS#no axdebug
Export axdebug trace
ACOS#export axdebug <filename> [use-mgmt-port] <destination>
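The filter semantics from the two axdebug slides (conditions ANDed inside a filter, filters ORed, capture per session from the first matching packet onward), modelled in Python as an added example; it is not axdebug itself. The packet list, the "session" field, and the dictionary keys "ip" and "dport" are constructed for the model; the addresses reuse the class lab addressing and the slide's 1.2.3.4.

```python
from ipaddress import ip_address, ip_network

# Constructed packets. "session" is the session the device would associate each
# packet with; session 1 has a client-side leg and a source-NATed server-side leg.
PACKETS = [
    {"n": 1, "session": 2, "src": "100.0.0.50", "dst": "100.0.0.21", "dport": 443},
    {"n": 2, "session": 1, "src": "1.2.3.4", "dst": "100.0.0.21", "dport": 80},
    {"n": 3, "session": 1, "src": "200.0.0.21", "dst": "200.0.0.201", "dport": 80},
    {"n": 4, "session": 2, "src": "100.0.0.21", "dst": "100.0.0.50", "dport": 51000},
    {"n": 5, "session": 1, "src": "200.0.0.201", "dst": "200.0.0.21", "dport": 14075},
    {"n": 6, "session": 3, "src": "100.0.0.60", "dst": "100.0.0.21", "dport": 80},
]

def condition_holds(name, value, pkt):
    """Evaluate one condition of a filter against one packet."""
    if name == "ip":  # either endpoint inside the network
        net = ip_network(value)
        return ip_address(pkt["src"]) in net or ip_address(pkt["dst"]) in net
    if name == "dport":  # model-only condition name
        return pkt["dport"] == value
    raise ValueError(f"unknown condition: {name!r}")

def filter_matches(flt, pkt):
    """Multiple conditions within a filter are ANDed."""
    return all(condition_holds(k, v, pkt) for k, v in flt.items())

def capture(filters, packets):
    """Return the numbers of the packets that end up in the capture file."""
    tracked, saved = set(), []
    for pkt in packets:
        # Multiple filters are ORed; one hit starts tracking the whole session.
        if pkt["session"] not in tracked and any(filter_matches(f, pkt) for f in filters):
            tracked.add(pkt["session"])
        if pkt["session"] in tracked:
            saved.append(pkt["n"])  # later packets are saved even if they match no filter
    return saved
```

With the single filter {"ip": "1.2.3.4/32"} the capture holds packets 2, 3 and 5: the server-side leg is saved although neither of its addresses is 1.2.3.4, which is why a capture file can contain traffic the filter never names.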
16
Session filtering
Fine tune session monitoring by using filters
ACOS(config)#session-filter <filter_name> […]
Example
ACOS(config)#session-filter c1 source-addr 10.0.1.161 dest-addr 10.0.1.12 dest-port 80
ACOS#show session filter c1
Prot Forward Source Forward Dest Reverse Source Reverse Dest Age Hash Flags Type
Tcp 10.0.1.161:36690 10.0.1.12:80 10.0.2.18:80 10.0.2.16:14075 0 1 NSe1 SLB-L7
Tcp 10.0.1.161:36660 10.0.1.12:80 10.0.2.18:80 10.0.2.16:14045 0 1 NSe1 SLB-L7
17
Lab
Use session-control and packet-level CLI tools
1
aFleX
Section 9
2
Section objectives
Understand purpose of aFleX
Import and execute aFleX script
3
aFleX scripting language
aFleX is a powerful and flexible ACOS feature that you can use to manage your traffic and provide enhanced benefits/services
aFleX uses industry-standard Tcl (Tools command language) based syntax
Standard Tcl commands
Special set of extensions provided by ACOS
aFleX allows:
Content inspection (headers / data)
Actions on traffic
Block traffic
Redirect traffic to a specific Service Group (pool) or Server (node)
Modify traffic content
4
aFleX elements (p. 1 of 3)
aFleX scripts are made up of three basic elements:
Events
Tests
Actions
Events
aFleX scripts are event-driven, which means that the AX system triggers the aFleX whenever that event occurs. Examples:
HTTP_REQUEST is triggered when an HTTP request is received.
CLIENT_ACCEPTED is triggered when a client has established a connection.
5
aFleX elements (p. 2 of 3)
Operators
Standard Tcl operators
Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators: not, and, or
aFleX commands
Used to query for data, manipulate data, or specify a traffic destination. These may be grouped into three main categories:
Statement commands
Example: "pool <name>" directs traffic to the named load balancing pool
6
aFleX elements (p. 3 of 3)
Commands that query or manipulate data, examples:
"IP::remote_addr" returns the remote IP address of a connection
"HTTP::header remove <name>" removes the last occurrence of the named header from a request or response
Utility commands - useful for parsing and manipulating content, example:
"decode_uri <string>" decodes the named string using HTTP URI encoding and returns the result
Note: aFleX is extensible. In future releases, additional aFleX events and aFleX commands will be added
7
aFleX configuration
Place aFleX script on the ACOS device
Using CLI
Use a computer with any text editor to write an aFleX script and save it as a file.
Use “import aflex” command to import the aFleX file from a server to ACOS.
aFleX CLI syntax check: "aflex check <name>".
Using WebUI
With ACOS web interface, users can directly type in aFleX scripts and save them on the ACOS device under "Config > Service > aFleX".
Using aFleX Editor
aFleX editor can download/upload aFleX scripts from/to the ACOS device. Moreover, it can do syntax checking. It also has syntax highlighting, keyword auto-completion, etc.
8
aFleX examples (p. 1 of 2)
Redirect a specific client to a specific service group
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool sg2
    }
}
Note: This could also be achieved by PBSLB.
Redirect clients to https for the host secure.abc.com
when HTTP_REQUEST {
    if {[HTTP::host] equals "secure.abc.com"} {
        HTTP::redirect https://[HTTP::host][HTTP::uri]
    }
}
Note: This could NOT be achieved by PBSLB
9
aFleX examples (p. 2 of 2)
Redirect clients to specific pools based on the URL
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/finance" } {
        pool finance_pool
    } elseif { [HTTP::uri] starts_with "/dev" } {
        pool dev_pool
    }
}
10
Lab
Enter and verify aFleX script to block HTTP access to a designated directory
11
Summary
We discussed the purpose of aFleX
We wrote and executed a working aFleX script