AX Training v1.12


A10 Networks: AX Planning, Deployment and Management Class
AX release 2.4

Course AX-DSC-001.12

1

Table of Contents

Module 1: Course Introduction - 3
Module 2: AX Product Line - 8
Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management - 19
Module 4: FTP, HTTP and HTTPS Protocols - 68
Module 5: AX Acceleration - 118
Module 6: AX Security - 141
Module 7: AX Power and Flexibility - 178
Module 8: AX Management and Troubleshooting - 210

2

Course Introduction
Module 1

3

Module objectives

Understand the course goals
Understand the facilities and materials available
Understand the objective for the students

4

Goal of this course

To present the A10 Networks AX product line
To teach the basic load balancing concepts
To present FTP, HTTP and HTTPS protocols
To teach advanced AX load balancing concepts
To prepare students to install, configure and manage the AX device

5

Facilities and materials

Basics:

Material:

Additional Resources:

6

Course map

Module 2: AX Product Line
Module 3: Basic Load Balancing Concepts and Related AX Configuration & Management
Module 4: FTP, HTTP and HTTPS Protocols
Module 5: AX Acceleration Components
Module 6: AX Security Components
Module 7: AX Power and Flexibility
Module 8: AX Management and Troubleshooting

7

AX Product Line
Module 2

8

Module objectives

Understand the AX solution / market
Understand the AX product portfolio
Understand the feature set
Understand the licensing

9

AX solution / market: AX new generation load balancers

New Generation in Design and Performance

ACOS

Designed for multi-core CPUs Hardware Accelerated Symmetrical Multiprocessing (SMP) Flexible Traffic ASIC, SSL ASIC, Switching and Routing ASIC Highest throughput and performance

Single CPU or MultiCPU with instruction blocking Retrofitted Platform Limited scalability Lower throughput Half the performance SSL ASIC only

10

AX solution / market: AX new generation customer benefits

Basic LB benefits

New Generation LB benefits

11

789

AX 32-bit Series Models

AX 3200-11 AX 2200-117.4 Gbps302,000 L4 CPS

153,000 L4 CPS

Small to Large Enterprise

PriceAX 1000-114 Gbps

8.7 Gbps541,000 L4 CPS

Overall Performance

12

789

AX 64-bit Series ModelsAX 5200 AX 510040 Gbps3 Million L4 CPS

40 Gbps

AX 3000-11* AX 2600* AX 250019 Gbps 11 Gbps300,000 L4 CPS 355,000 L4 CPS

2 Million L4 CPS

Medium to Large Enterprise

Price

30 Gbps850,000 L4 CPS

Large Enterprise or Service Provider

Overall Performance

13

AX product line 32-bit:

AX Series Family Interface and hardware optionsAX 1000 AX 20008 2 0 Yes Yes Single

AX 21008 4 0 Yes Yes Dual

AX 220016 4 0 Yes Yes Dual

AX 310016 4 2 Yes Yes Dual

AX 320016 4 2 Yes Yes Dual

Ethernet Interfaces: Gigabit Copper Gigabit Fiber SFP Mini GBIC 10 Gigabit Fiber SFP+ Management Interface Console Port Storage Cooling Fan Power Supplies

6 2 0 Yes Yes Single Fixed 250 W RPS

Hot Swap Smart Fan Dual 600 W RPS Dual 600 W RPS Dual 600 W RPS

Dual 460 W Dual 460 W RPS RPS 100 to 240 VAC, Frequency 50-60 Hz Yes No Yes No No Yes No Yes No No Yes No Yes No Option

Hardware Acceleration Linear Decoupled Architecture Flexible Traffic ASIC SSL Acceleration ASIC Switching and Routing ASIC Hardware Compression ASIC

Yes Yes Yes Yes Option

Yes Yes Yes Yes Option

Yes Yes Yes Yes Option

14

AX product line 64-bit:

AX Series Family Interface and hardware optionsAX 2500 AX 2600GC 24 0 0 Yes Yes GF 0 24 0 GCF 16 8 0

AX 3000GC 16 0 4 Yes Yes GCF 8 8 4

AX 51000 4 8 Yes Yes

AX 52000 4 16 Yes Yes

Model Option Code Ethernet Interfaces: Gigabit Copper Gigabit Fiber SFP Mini GBIC 10 Gigabit Fiber SFP+ Management Interface Console Port Storage Cooling Fan Dual Power Supplies

8 4 0 Yes Yes SSD

Hot Swap Smart Fan 400 W RPS 400 W RPS 400 W RPS 900W RPS 900W RPS

100 to 240 VAC, Frequency 50-60 Hz Hardware Acceleration Linear Decoupled Architecture Flexible Traffic ASIC SSL Acceleration ASIC Multi-ASIC High Performance SSL Switching and Routing ASIC Hardware Compression ASIC Yes No Yes Option No Option Yes No Yes Option No Option Yes No Yes Option No Option Yes Yes x4 No Option Yes Option Yes Yes x4 No Option Yes Option

15

AX feature set

Layer 4 and Layer 7
Application Acceleration: SSL ASIC, RAM caching static or dynamic, HTTP compression
aFleX: L7 TCL scripting for deep packet inspection
Advanced NAT options
AX High-Availability
Firewall LB
GSLB Global Server Load Balancing
DNS Application Layer Firewall
Operates in Layer 2/Layer 3 simultaneously
aXAPI: REST-based XML API for custom management
Virtualized management: Role-Based and Partition-Based Management
Seamless Management for Multiple Devices
IPv4 and IPv6 load balancing and management
Full web interface or industry standard command line interface

Covered in this Training

16

AX licensing

No extra licenses required for performance or features
Each AX is offered with full scalability and benefits

17

Summary

In this module we discussed:

18

Basic Load Balancing Concepts and Related AX Configuration & Management
Module 3

19

Module objectives

Understand Main Load Balancing Goals and Concepts
Configure AX Basic L4 SLB VIP configuration steps
Understand and Configure two common L4 SLB VIP Options (Source IP Persistence + NAT)

20

Module 3 Lesson1

Main LB Goals and Concepts

21

Main load balancing goals and concepts

Share load among multiple servers (load balancing)

Provide high availability of services

22

Methods of load balancer integration into network

Routed Mode

23

Methods of load balancer integration into network

Routed Mode

Benefits:
No change required on clients and servers
Servers keep the Client IP@ visibility

Points to keep in mind:
SLB has to be the servers' dgw
Clients can't be in the servers' subnet

24

Methods of load balancer integration into network

One-Arm Mode

25

Methods of load balancer integration into network

One-Arm Mode

Benefits:
No change required on clients and servers
Easy to test
Clients can be in the servers' subnet

Points to keep in mind:
Servers lose the Client IP@ visibility
Requires Source NAT on SLB

26

Methods of load balancer integration into network

Transparent Mode

27

Methods of load balancer integration into network

Transparent Mode

Benefits:
No change required on clients and servers
Servers keep the Client IP@ visibility

Points to keep in mind:
Harder to implement: servers' responses must go through AX

28

Methods of load balancer integration into network

DSR Mode

29

Methods of load balancer integration into network

DSR Mode

Benefits:
Highly scalable (SLB processes only incoming traffic)

Points to keep in mind:
Can't use any AX layer 7 features
Extra configuration required on every server (IP Stack update)

30

Server Load Balancing

AX SLB configuration has three core elements:

31

Servers

Minimum configuration

Server configuration

Server status and statistics

32

Service groups

Minimum configuration

Service group configuration

Service group status and statistics

33

Service groups

Service group load-balancing algorithms

34

Virtual Server (VIP)

Minimum configuration

Virtual server configuration

Virtual server status and statistics

35

Virtual server (VIP) Virtual server port (VIP port)

Minimum configuration

Virtual server port configuration

AX(config-slb vserver)# port N

Virtual server port status and statistics

36

Health monitors

Service availability is checked using health monitors
Health monitors apply to:

37

Health monitors

Health monitors can test server availability

Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)

Health monitor configuration

38

Service group health monitor

Health Monitoring is done on all Service Group members

Service Group HM configuration

AX(config-slb svc group)# health-check

Service Group HM status

39

Server port health monitor

Health Monitoring is done on the Server Port

Server Port HM configuration

AX(config-slb vserver)# port N
AX(config-slb vserver-vport)# health-check

Server Port HM status

40

Server health monitor

Health Monitoring is done on the Server

Server HM configuration

AX(config-real server)# health-check

Server HM status

41

Lab1 - Create basic L4 VIP

In this lab, you will configure one L4 SLB VIP

a. Create a TCP Health Monitor for port 80: "hm-tcp-80"
b. Associate the Health Monitor "hm-tcp-80" with the Service Group "sg-80"
c. Check Virtual Server "vip1" status

42

Module 3 Lesson2

Common SLB VIP Options

43

Source IP persistence

When to use Source IP persistence

44

Source IP persistence

Source IP persistence configuration steps

Name
Type: Port (persistence per VIP:Port) or Server (persistence per VIP) or Service-Group (persistence per URL or Host switching, see Module 4 lesson 2)
Timeout: How long inactive entries are saved (default = 5 minutes)
Don't Honor Conn Rules: Ignore connection limits defined on Servers and Server Ports and connect new clients' connections to the Server (default = disabled)
Netmask: Granularity of Client IP address hashing (default = 255.255.255.255 for the most granularity)

45

Source IP persistence

Source IP persistence configuration

WebUI: Config > Service > Template > Persistent > Source IP Persistence
CLI: AX(config)# slb template persist source-ip

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N tcp
     AX(config-slb vserver-vport)# template persist source-ip

Source IP persistence entries

46

Network Address Translation

AX provides multiple NAT services

47

Network Address Translation SLB source NAT

When to use SLB source NAT

48

Network Address Translation SLB source NAT

SLB source NAT configuration steps

Name: Name of the template
Start IP address: First IP address for the SLB source NAT (can be the AX interface IP address)
End IP address: Last IP address for the SLB source NAT (can be the same as "Start IP address")
Note: If the "Start" and "End IP address" are the same, the AX will NAT with one unique IP address and can NAT up to 64k flows.
Netmask: Specify the netmask of the SLB source IP addresses.
Note: This is used by the "IP Source NAT Group" when servers are in different subnets (see AX Config Guide for more information).
(optional) Gateway: Specify a specific gateway to use to reply to the clients' requests when SLB Source NAT has been used.
(optional) "HA Group": Specify the HA group to tie to the SLB source NAT pool.

49

Network Address Translation SLB source NAT

SLB source NAT configuration

WebUI: Config > Service > IP Source NAT > IPv4 Pool
CLI: AX(config)# ip nat pool

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N
     AX(config-slb vserver-vport)# source-nat pool

50

Network Address Translation SLB source NAT

SLB source NAT statistics

51

Network Address Translation Layer3 NAT

When to use Layer3 NAT

52

Network Address Translation Layer3 NAT

Dynamic Layer3 NAT

53

Network Address Translation Layer3 NAT

Dynamic Layer3 NAT configuration steps

54

Network Address Translation Layer3 NAT

Dynamic Layer3 NAT configuration

WebUI: Config > Service > IP Source NAT > IPv4 Pool
CLI: AX(config)# ip nat pool
WebUI: Config > Service > IP Source NAT > Group
CLI: AX(config)# ip nat pool-group
WebUI: Config > Network > ACL
CLI: AX(config)# access-list []
WebUI: Config > Service > IP Source NAT > Binding
CLI: AX(config)# ip nat inside source list [acl#] pool [pool-group-name | pool-name]

55

Network Address Translation Layer3 NAT

Dynamic Layer3 NAT configuration (cont.)

On the inside interfaces
WebUI: Config > Service > IP Source NAT > Interface
CLI: AX(config)# interface ethernet #
     AX(config-if:ethernetx)# ip nat inside
On the outside interfaces
WebUI: Config > Service > IP Source NAT > Interface
CLI: AX(config)# interface ethernet #
     AX(config-if:ethernetx)# ip nat outside

56

Network Address Translation Layer3 NAT

Dynamic Layer3 NAT statistics

57

Network Address Translation Layer3 NAT

Static Layer3 NAT

58

Network Address Translation Layer3 NAT

Static Layer3 NAT configuration steps

4.

59

Network Address Translation Layer3 NAT

Static Layer3 NAT configuration

WebUI: Config > Service > IP Source NAT > Static NAT
CLI: AX(config)# ip nat inside source static [original-IP@] [NAT-IP@]
WebUI: Config > Service > IP Source NAT > NAT Range
CLI: AX(config)# ip nat range-list []

60

Network Address Translation Layer3 NAT

Static Layer3 NAT configuration (cont.)

On the inside interfaces
WebUI: Config > Service > IP Source NAT > Interface
CLI: AX(config)# interface ethernet #
     AX(config-if:ethernetx)# ip nat inside
On the outside interfaces
WebUI: Config > Service > IP Source NAT > Interface
CLI: AX(config)# interface ethernet #
     AX(config-if:ethernetx)# ip nat outside
WebUI: Config > Service > IP Source NAT > Global
CLI: AX(config)# ip nat allow-static-host

61

Network Address Translation Layer3 NAT

Static Layer3 NAT statistics

62

Network Address Translation

Virtual Server Port option "Source NAT traffic against VIP"

63

Lab2a - Update basic L4 VIP with source IP persistence

In this lab, you will configure source IP persistence

64

Lab2b - (optional) Update basic L4 VIP with SLB source NAT

In this lab, you will configure SLB source NAT

65

Lab2c - (optional) Create Static NAT to access directly your server S1

In this lab, you will configure static Layer3 NAT

66

Summary

In this module, we discussed:

And also:

67

FTP, HTTP and HTTPS protocols
Module 4

68

Module objectives

Understand protocols

Understand Load Balancing specifics for each
Configure FTP, HTTP and HTTPS VIPs

69

Module 4 Lesson1

FTP protocol

70

FTP protocol

File Transfer Protocol (FTP) RFC is 959 (http://www.w3.org/Protocols/rfc959/)
FTP is an unencrypted TCP protocol used to transfer files between clients and servers
FTP has 2 connections

71

FTP protocol

FTP Control Session

FTP Data session

Important Notes:

72

FTP protocol

FTP Data session 2 modes

In the control session, the client tells the server what IP and TCP port to use to establish the data connection. The server establishes the data connection to the client, and data requested in the control session can be exchanged.

73

FTP protocol

FTP Data session 2 modes (cont.)

In the control session, the server tells the client what IP and TCP port to use to establish the data session. The client establishes the data connection to the server, and data requested in the control session can be exchanged.

74

Load balancer configuration for FTP applications

Control session resets

75

Load balancer configuration for FTP applications

Active Mode - Data session established from the server IP@ (not the VIP IP@)

76

Load balancer configuration for FTP applications

Passive Mode - Data session established to the server IP@ (not the VIP IP@)
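The two data-session modes and the address problem they create for a load balancer, as an added example (not part of the original course material): the code decodes the address/port field carried in the control session and rewrites a passive-mode reply so that it advertises the VIP instead of the real server. The field layout follows RFC 959; the function names, addresses and sample control lines are constructed for illustration.

```python
import re

# RFC 959 writes a data-session endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def decode_hostport(text):
    """Return (ip, port, match) for the h1,h2,h3,h4,p1,p2 field of a control line."""
    m = HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host-port field in %r" % text)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("host-port byte out of range in %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port, m


def encode_hostport(ip, port):
    """Encode an IPv4 address and TCP port back into h1,h2,h3,h4,p1,p2."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("bad endpoint %s:%s" % (ip, port))
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def announced_data_session(control_line):
    """Describe the data session a control-session line announces, or None."""
    parts = control_line.split(None, 1)
    if not parts:
        return None
    verb = parts[0].upper()
    if verb == "PORT":   # active mode: the client names its own IP and port
        ip, port, _ = decode_hostport(control_line)
        return {"mode": "active", "initiator": "server",
                "dst_ip": ip, "dst_port": port}
    if verb == "227":    # passive mode: the server names its own IP and port
        ip, port, _ = decode_hostport(control_line)
        return {"mode": "passive", "initiator": "client",
                "dst_ip": ip, "dst_port": port}
    return None


def rewrite_pasv_reply(reply, real_servers, vip):
    """If a 227 reply advertises a real server address, advertise the VIP instead."""
    if not reply.startswith("227"):
        return reply
    ip, port, m = decode_hostport(reply)
    if ip not in real_servers:
        return reply
    return reply[:m.start()] + encode_hostport(vip, port) + reply[m.end():]


# Constructed sample lines (documentation and private address ranges)
SAMPLE_PORT = "PORT 192,0,2,10,195,80"
SAMPLE_PASV = "227 Entering Passive Mode (10,0,0,11,78,32)"

if __name__ == "__main__":
    print(announced_data_session(SAMPLE_PORT))
    print(rewrite_pasv_reply(SAMPLE_PASV, {"10.0.0.11"}, "203.0.113.5"))
```

Without the rewrite, a client behind the VIP would be told to connect to 10.0.0.11, an address it normally cannot reach; in active mode the mirror-image problem is that the server's outbound data connection arrives from the server IP rather than the VIP.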

77

Load balancer configuration for FTP applications

Control session resets

Note: AX default aging time is 120 seconds

78

Load balancer configuration for FTP applications

AX configuration to update default aging timer

1. Create a TCP template with 15,000 seconds Idle Timeout
WebUI: Config > Service > Template > L4 > TCP
CLI: AX(config)# slb template tcp
     AX(config-l4 tcp)# idle-timeout 15000
2. Assign the TCP template to the Virtual Server Port
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N tcp
     AX(config-slb vserver-vport)# template tcp

Show aging time of SLB entries

79

Load balancer configuration for FTP applications

Active Mode - Data session established from the server IP@ (not VIP IP@)

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N ftp

80

Load balancer configuration for FTP applications

Passive Mode - Data session established to the server IP@ (not the VIP IP@)

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N ftp

81

Lab3a - Create FTP VIP

In this lab, you will configure one FTP VIP

82

Lab3b - (optional) Create FTP health monitor and use least connection algorithm

In this lab, you will configure an FTP VIP health monitor and the least connection algorithm

83

Module 4 Lesson2

HTTP protocol

84

HTTP protocol

HTTP RFC is 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616.html)
HTTP (Hypertext Transfer Protocol) is an unencrypted TCP protocol used to access web content (usually on port 80)

HTTP is a sequence of network request/response transactions

Request and response options are sent via headers

85

HTTP requests

Main request methods

Main request headers

86

HTTP responses

Main server response codes

Main response headers

87

HTTP example (using HttpFox)

88

Load balancer configuration for HTTP applications

Load Balancers don't need a specific configuration for basic HTTP load balancing - Any L4 SLB VIP works for HTTP services
However, advanced load balancers provide techniques for improving HTTP services

89

Load balancer configuration for HTTP applications greater availability

HTTP Health Monitor

Port: TCP port
Method (GET or HEAD or POST)
URL
User + Password: For web sites that require authentication
Expect: Server Response code or Server text
Maintenance Code: To automatically mark the server in maintenance, rather than down (so users with persistence to that server remain on that server)

90

Load balancer configuration for HTTP applications greater flexibility

AX offers advanced flexibility options for web applications
These options are available via HTTP templates

HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"

91

Load balancer configuration for HTTP applications greater flexibility

HTTP template options

Load Balancing of Servers is done based on hash on the URL (beginning or end of the URL). This option is usually used for Web Cache load balancing.
Selection of Servers is done based on Host or URL (beginning or end). This option also is usually used for Web Cache load balancing.
Allows the AX to insert or remove:
client request header (such as "Accept-Encoding")
server response header (such as "Cache-Control")
This option usually is used to centrally change web server behavior without changing the web servers' configuration.

92

Load balancer configuration for HTTP applications greater flexibility

HTTP template options (cont.)

Allows HTTP/HTTPS load balancing per request (instead of per session). This option usually is used when the load among the Servers is unequal.

93

Load balancer configuration for HTTP applications greater security

AX offers advanced security options for web applications
These options are available via HTTP templates

HTTP templates are associated with virtual server ports of service type "HTTP" or "HTTPS"
Note: Some of the following options can be considered as availability and flexibility options too.

94

Load balancer configuration for HTTP applications greater security

URL failover

95

Load balancer configuration for HTTP applications greater security

URL redirect / rewrite

96

Load balancer configuration for HTTP applications greater security

Retry HTTP request on HTTP 5xx

"On HTTP 5xx code for each request": The client request is resent to a new server
"On HTTP 5xx code": The client request is resent to a new server + the server that replied with the 5xx is not used for new requests for 30 seconds
"#": Number of servers that can be tried
Logging: Generates logs when this event happens (not available in WebUI in AX 2.4.2)

97

Load balancer configuration for HTTP applications greater security

Client IP header insertion

98

Lab4a - Create HTTP VIP with advanced health monitor

In this lab, you will configure an HTTP VIP with an HTTP health monitor

99

Lab4b - (optional) Use server "s2" for images

In this lab, you will configure an HTTP VIP with URL switching

100

Lab4c - (optional) Hide server type information

In this lab, you will configure an HTTP VIP with response header insertion

101

Lab4d - (optional) Redirect clients to backup site when all servers are down

In this lab, you will configure an HTTP VIP with URL failover

102

Module 4 Lesson3

HTTPS protocol

103

HTTPS protocol

HTTPS (HTTP over TLS) RFC is 2818 (http://www.ietf.org/rfc/rfc2818.txt)
HTTPS is the "secured" version of HTTP (usually port 443)
HTTPS offers

104

How does server authentication work?

TLS/SSL is based on public certificates / private keys
Certificates are issued and signed by a Certificate Authority (CA)
HTTPS clients first request the server public certificate and validate it using a list of trusted CAs
When the server certificate is validated (name, date, etc.), the client sends its HTTP requests

105

How does the encryption work?

Once the server is trusted, the client and server negotiate a "session key" to encrypt the traffic
The session key is negotiated via an asymmetric encryption protocol using long keys (usually 2048 bits)
Once the "session key" is negotiated, the HTTPS client requests / server responses are sent encrypted
Note: If the client re-establishes a new TCP session before the session key expires, it will propose to the server to use it (SSL session ID reuse option). The server can accept or refuse it. If refused, a new session key is negotiated.

106

Load balancer configuration for HTTPS applications

Load balancers don't need a specific configuration for HTTPS load balancing - Any L4 SLB VIP works for HTTPS services
However, advanced load balancers provide techniques to improve HTTPS services

107

Load balancer configuration for HTTPS applications

AX offers advanced flexibility/performance/security options for HTTPS applications
These options are available via HTTP templates

HTTP templates are associated with virtual server ports of type "HTTP" or "HTTPS".

108

HTTPS communication with clients

Client SSL templates

Public certificate that will be presented to Clients
Private key (and its passphrase)
SSL cipher supported ("encrypted algorithm")
(optional) Client certificate request

109

HTTPS communication with clients

HTTPS communication with clients configuration

WebUI: Config > Service > SSL Management > Certificate
CLI: AX(config)# import ssl-cert
     AX(config)# import ssl-key
WebUI: Config > Service > Template > SSL > Client SSL
CLI: AX(config)# slb template client-ssl []

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N https
     AX(config-slb vserver-vport)# template client-ssl

110

HTTPS communication with servers

Server SSL templates

SSL cipher supported ("encrypted algorithm")
(optional) CA that will be used to validate the Servers' certificate

111

HTTPS communication with servers

HTTPS communication with servers configuration

WebUI: Config > Service > SSL Management > Certificate
CLI: AX(config)# import ssl-cert
WebUI: Config > Service > Template > SSL > Server SSL
CLI: AX(config)# slb template server-ssl []

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N https
     AX(config-slb vserver-vport)# template server-ssl

112

HTTPS virtual port options

SSL statistics

113

Lab5a - Create HTTPS VIP using HTTPS servers

In this lab, you will configure an HTTPS VIP using HTTPS servers

114

Lab5b - (optional) Create HTTPS VIP using HTTP servers

In this lab, you will configure an HTTPS VIP using HTTP servers

115

Lab5c - (optional) Transparently convert an HTTP service into HTTPS on AX

In this lab, you will configure an HTTPS VIP and an HTTP VIP that will redirect traffic to HTTPS

116

Summary

In this module, we presented:

And also:

117

AX Acceleration
Module 5

118

Module objectives

Understand the advanced AX options for acceleration

Configure advanced AX options for acceleration

119

Connection reuse

Web servers need to manage:

Note: Web browsers keep their TCP connections open - even when all objects have been loaded

120

Connection reuse

Connection Reuse offloads the server TCP stack
This option provides faster server response time and higher server scalability
Connection reuse

121

Connection reuse

Connection reuse configuration

WebUI: Config > Service > Template > Connection Reuse
CLI: AX(config)# slb template connection-reuse []

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N http
     AX(config-slb vserver-vport)# template connection-reuse
Note: IP Source NAT also must be configured on the Virtual Server Port

Connection Reuse statistics

122

SSL offload

SSL Offload relieves the server of SSL tasks
This option provides faster server response time and higher server scalability
AX receives HTTPS client traffic and sends HTTP traffic to the servers

123

SSL offload

SSL offload configuration

124

HTTP compression

Compresses HTTP/HTTPS objects
Uses less bandwidth and provides faster client download time
AX HTTP compression

125

HTTP compression

HTTP compression configuration

WebUI: Config > Service > Template > Application > HTTP
CLI: AX(config)# slb template http []

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N http
     AX(config-slb vserver-vport)# template http

WebUI: Config > Service > SLB > Global
CLI: AX(config)# slb hw-compression

126

HTTP compression

HTTP compression statistics

127

RAM Caching

Caches HTTP/HTTPS static and dynamic content in AX RAM
Delivers cached objects to clients directly from the AX Cache, offloading servers from these requests
Provides faster client download time and higher server scalability

128

RAM Caching

AX RAM Caching

200 OK
203 Non-Authoritative response
300 Multiple Choices
301 Moved Permanently
302 Found (only if Expires header is also present)
410 Gone

129

RAM Caching

AX RAM Caching limitations

130

RAM Caching

RAM Caching configuration

WebUI: Config > Service > Template > Application > RAM Caching
CLI: AX(config)# slb template cache

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N http
     AX(config-slb vserver-vport)# template cache

RAM Caching statistics

131

RAM Caching

AX RAM Caching for dynamic objects

What is to be cached?
How long is the cached content valid?
What is the trigger that would cause the response to change?
The URL matches a specific pattern.
Specific query parameters are present.
Specific cookies in the request are present.
Specific HTTP headers in the request are present.
Cacheability rules determine what is cacheable and what is not
Invalidation rules

132

RAM Caching

When not to use dynamic caching

Example: the response to a login page

Example: a confirmation number for a transaction that was just executed

Example: the portfolio page of a brokerage account user changes when the user executes transactions.

Example: the response contains personalized settings, such as the user name but no query parameter or cookie directly identifies the user.

133

RAM Caching

Dynamic caching caching policies

policy
Where:
is of the form uri
is cache, no-cache, or invalidate
Note: More sophisticated conditions will be supported in future using aFleX policies

134

RAM Caching

Dynamic caching example

http://x.y.com/list - lists all items from database
http://x.y.com/add?a=p1&b=p2 - adds item to database
http://x.y.com/del?c=p3 - deletes item from database
http://x.y.com/private?user=u1 - private info for user
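A simplified model of the three policy actions applied to the four example URLs above, added here as an illustration and not AX code. Prefix matching, the 60-second lifetime, the choice of `/list` as the invalidation target, the bypass default for unmatched URIs and the in-memory origin server are all assumptions of this sketch.

```python
import time
from urllib.parse import urlsplit, parse_qs

# Constructed policy table for the page's four example URLs.
# Each entry: (URI prefix, action, argument).
POLICIES = [
    ("/list", "cache", 60),            # cache the item list for 60 seconds
    ("/add", "invalidate", "/list"),   # adding an item makes the list stale
    ("/del", "invalidate", "/list"),   # so does deleting one
    ("/private", "no-cache", None),    # per-user data is never stored
]


class DynamicCache:
    def __init__(self, policies, clock=time.monotonic):
        self.policies = policies
        self.clock = clock
        self.store = {}  # URI (path + query) -> (expiry time, body)

    def _match(self, uri):
        for prefix, action, arg in self.policies:
            if uri.startswith(prefix):
                return action, arg
        return "no-cache", None  # assumption: unmatched URIs are not stored

    def handle(self, url, origin):
        """Return (body, status) where status is HIT, MISS, INVALIDATE or BYPASS."""
        parts = urlsplit(url)
        uri = parts.path + ("?" + parts.query if parts.query else "")
        action, arg = self._match(uri)
        if action == "cache":
            entry = self.store.get(uri)
            if entry and entry[0] > self.clock():
                return entry[1], "HIT"
            body = origin(url)
            self.store[uri] = (self.clock() + arg, body)
            return body, "MISS"
        body = origin(url)  # everything else always reaches the server
        if action == "invalidate":
            for key in [k for k in self.store if k.startswith(arg)]:
                del self.store[key]
            return body, "INVALIDATE"
        return body, "BYPASS"


def make_origin():
    """Constructed stand-in for the web application behind the VIP."""
    items = ["item0"]

    def origin(url):
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if parts.path == "/list":
            return ",".join(items)
        if parts.path == "/add":
            items.append(query["a"][0])
            return "added"
        if parts.path == "/del":
            items.remove(query["c"][0])
            return "deleted"
        if parts.path == "/private":
            return "private info for " + query["user"][0]
        return "not found"

    return origin


def replay(urls):
    """Send the URLs through a fresh cache; return the results and the cache."""
    cache, origin = DynamicCache(POLICIES), make_origin()
    return [cache.handle(u, origin) for u in urls], cache


if __name__ == "__main__":
    demo = ["http://x.y.com/list", "http://x.y.com/list",
            "http://x.y.com/add?a=p1&b=p2", "http://x.y.com/list",
            "http://x.y.com/private?user=u1", "http://x.y.com/private?user=u2"]
    for url, (body, status) in zip(demo, replay(demo)[0]):
        print(status, url, "->", body)
```

Removing the `/private` policy line and caching that prefix instead would serve user u1's response to any later request with the same URI, which is the failure the "When not to use dynamic caching" slide warns about.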

135

RAM Caching

WebUI configuration for the example

136

Lab6a - Update HTTP "vip2" port "80" with connection reuse

In this lab, you will update HTTP "vip2" to use connection reuse

137

Lab6b - Update HTTP "vip2" port "80" with HTTP compression

In this lab, you will update HTTP "vip2" to use HTTP compression

138

Lab6c - Update HTTP "vip2" port "80" with RAM Caching

In this lab, you will update HTTP "vip2" to use RAM Caching

139

Summary

In this module, we presented the AX acceleration options:

And also configured them on the AX.

140

AX Security
Module 6

141

Module objectives

Understand the advanced AX options for security

Configure HA on AX devices

142

Points to keep in mind

Some advanced HTTP/HTTPS security options are detailed in Module 4 (HTTP Templates)
This module (Module 6) presents other AX advanced security options
Note: aFleX (covered in Module 7) also can be considered a security option

143

DDoS protection

AX provides enhanced protection against DDoS (Distributed Denial of Service) attacks

DDoS basic filters

DDoS configuration

144

DDoS protection

Advanced DDoS filters are also available with system-wide PBSLB

Advanced DDoS configuration Basic and advanced DDoS statistics

145

Policy-based SLB

Policy-based SLB (PBSLB) allows "black lists" and "white lists" with individual clients or subnets
PBSLB denies client traffic based on:

146

Policy-based SLB

PBSLB specifics

Up to 8 M IP addresses
Up to 64 K IP subnets
Up to 32 group IDs
B/W lists are stored in hash tables
Can process Gbps of traffic
AX can update its B/W lists automatically at specific intervals via TFTP

PBSLB components

ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]

147

Policy-based SLB

PBSLB configuration

WebUI (creation or import): Config > Service > PBSLB
CLI (import): AX(config)# import bw-list []
WebUI: Config > Service > Template > PBSLB Policy
CLI (import): AX(config)# slb template policy []

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N
     AX(config-slb vserver-vport)# template policy

PBSLB statistics

148

Policy-based SLB

PBSLB file example
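A parser and pre-import check for the black/white list line format given under "PBSLB components", as an added example rather than A10 code or the course's own file. The sample list is constructed from documentation address ranges; choosing the most specific matching entry in `lookup` is an assumption of this sketch, and the only limit checked is the "Up to 32 group IDs" figure stated above.

```python
import ipaddress

MAX_GROUP_IDS = 32  # "Up to 32 group IDs" as stated on the page


def parse_bw_line(line, lineno=0):
    """Parse: ipaddr [/network-mask] [group-id] [#conn-limit] [;comment-string]"""
    body, _, comment = line.partition(";")
    tokens = body.split()
    if not tokens:
        return None  # blank or comment-only line
    addr = tokens.pop(0)
    if tokens and tokens[0].startswith("/"):  # mask written as a separate token
        addr += tokens.pop(0)
    try:
        network = ipaddress.ip_network(addr, strict=False)
    except ValueError as exc:
        raise ValueError("line %d: bad address %r" % (lineno, addr)) from exc
    group_id = conn_limit = None
    for tok in tokens:
        if tok.startswith("#") and conn_limit is None and tok[1:].isdigit():
            conn_limit = int(tok[1:])
        elif tok.isdigit() and group_id is None and conn_limit is None:
            group_id = int(tok)  # group-id must come before #conn-limit
        else:
            raise ValueError("line %d: unexpected field %r" % (lineno, tok))
    return {"network": network, "group_id": group_id,
            "conn_limit": conn_limit, "comment": comment.strip(),
            "line": lineno}


def parse_bw_list(text):
    """Parse a whole list, skipping blank and comment-only lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_bw_line(line, lineno)
        if entry is not None:
            entries.append(entry)
    return entries


def lint(entries):
    """Return warnings worth fixing before the list is imported."""
    warnings, first_seen = [], {}
    for e in entries:
        first = first_seen.setdefault(e["network"], e["line"])
        if first != e["line"]:
            warnings.append("line %d: %s already defined on line %d"
                            % (e["line"], e["network"], first))
    groups = {e["group_id"] for e in entries if e["group_id"] is not None}
    if len(groups) > MAX_GROUP_IDS:
        warnings.append("%d distinct group IDs, limit is %d"
                        % (len(groups), MAX_GROUP_IDS))
    return warnings


def lookup(entries, client_ip):
    """Return the most specific entry covering client_ip, or None (assumed rule)."""
    ip = ipaddress.ip_address(client_ip)
    hits = [e for e in entries
            if e["network"].version == ip.version and ip in e["network"]]
    return max(hits, key=lambda e: e["network"].prefixlen, default=None)


# Constructed sample list (documentation address ranges only)
SAMPLE_LIST = """\
; constructed sample list
192.0.2.15 1 ; single host in group 1
198.51.100.0/24 2 #20 ; subnet in group 2 with connection limit 20
198.51.100.77 1 ; host inside that subnet, placed in group 1
203.0.113.0 /255.255.255.0 3
198.51.100.0/24 4 ; duplicate of line 3 with a different group
"""

if __name__ == "__main__":
    parsed = parse_bw_list(SAMPLE_LIST)
    print(lint(parsed))
    for client in ("198.51.100.77", "198.51.100.5", "192.0.2.200"):
        print(client, "->", lookup(parsed, client))
```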

PBSLB template example

149

Access Control Lists

AX supports standard and extended Access Control Lists (ACLs)
ACL can be applied to data interfaces, management interface, and virtual server ports
Remark, re-sequencing and logging options are supported (Cisco/Foundry format)
IPv4 and IPv6 ACLs are supported

150

Access Control Lists

ACL components

ACL configuration

WebUI: Config > Network > ACL
CLI: AX(config)# access-list []

151

Access Control Lists

ACL configuration

Data Interface:
WebUI: Config > Network > Interfaces > LAN
CLI: AX(config)# interface ethernet 1
     AX(config-if:ethernet1)# access-list in
Management:
CLI only: AX(config)# interface management
          AX(config-if:ethernet1)# access-list in
Virtual Server Port:
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N
     AX(config-slb vserver-vport)# access-list

152

Access Control Lists

ACL statistics

153

Management security

AX provides advanced management security options

Note: See AX Series Configuration Guide for more information

154

High Availability (HA)

High Availability Design Options

155

High Availability (HA)

Active-Standby Mode

156

High Availability (HA)

Active-Standby Failover

157

High Availability (HA)

Active-Active Mode

Note: Don't exceed 50% utilization on each unit for full HA

158

High Availability (HA)

Active-Active Failover

159

High Availability (HA)

L2/3 Hot Standby Mode

Note: Loop elimination protocols such as STP are not required

160

High Availability (HA)

L2/3 Hot Standby Failover

161

High Availability

All AX integration modes support HA

Active-Standby, Active-Active and L3 Hot Standby modes
Active-Standby and Active-Active modes and L3 Hot Standby modes
L2 Hot Standby mode
Active-Standby, Active-Active and L3 Hot Standby modes

162

High Availability

HA Active-Standby Mode configuration steps

All interfaces used with production traffic (+ AX interlink if exists)
Note: We recommend a dedicated direct interlink between the AX so sync traffic is off the production network.

Identifier (AX1 = 1, AX2 = 2)
HA Status: Enabled
(optional) HA Mirroring IP address: Remote AX Sync interface
(optional) Preempt: to failover to a higher AX when available
Group1 with priority 200 on AX1 (priority 100 on AX2)
Floating VIP for Group1: IP addresses defined on servers' gateway (VRRP-like)
(optional) IP@ and VLAN check
Note: IP@ have to be defined as SLB-Server too

163

High Availability

HA Active-Standby Mode configuration steps (cont.)
In VIP settings, associate HA Group with the VIP
(optional) Enable Dynamic Server Weight: Reduce the AX HA Group priority when a server is down
(optional) Enable HA Connection Mirroring on the VIP ports: To synchronize SLB session table (available for TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
Note: For HTTP/HTTPS VIP types, the client session is terminated on the AX device. HA Connection Mirroring is not available for these VIP types.

In IP Source NAT, associate the HA Group with IPv4 Pools, IPv6 Pools, NAT Ranges, or Static NAT.

164

High Availability

HA Active-Active Mode configuration steps

Step2:

Group1 with priority 200 on AX1 (priority 100 on AX2)
Group2 with priority 100 on AX1 (priority 200 on AX2)
Associate Group1 with half of the VIPs and Group2 with the second half
Associate Group1 with the NAT Pools used by VIPs in Group1 and Group2 with the NAT Pools used by VIPs in Group2

Step3:

Step4:

165

High Availability

HA Layer2/3 Mode configuration steps
2. Configure HA Inline Mode
Enable Preferred port: Port used to sync configuration and sessions
(optional) Restart port list: Add AX interfaces in production
(optional) L3 mode enabled: If AX in Layer3 Inline mode

166

High Availability

HA Active-Standby Mode configuration

WebUI: Config > HA > Setting > HA Global
CLI: AX(config)# ha interface []

Active-Standby or Active-Active Modes:
  WebUI: Config > HA > Setting > HA Global
  CLI: AX(config)# ha []
  Note: If IP@ check is configured, define these IP@ in SLB-Server too.
L2/3 Modes:
  WebUI: Config > HA > Setting > HA Inline Mode
  CLI: AX(config)# ha [inline-mode | l3inline-mode]

167

High Availability

HA Active-Standby Mode configuration (cont.)

WebUI: Config > Service > SLB > Virtual Server
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# ha-group
WebUI: Config > Service > SLB > IP Source NAT
CLI: AX(config)# ip nat []

168

High Availability

Configuration synchronization

HA Manual failover can also be initiated with the following:

169

High Availability

HA status

170

High Availability

HA statistics

171

Lab7 - Configure HA with your neighbor

In this lab, you will configure HA Active/Standby mode with your neighbor
An interlink has been added on the AXs (on ether3). AX1 is connected to AX2, AX3 to AX4, etc.
Note: The trainer will show you how to configure the ether3 interface.
HA config sync will erase the configuration of the AX Standby. Back up your configuration to be able to do the following labs after this one.
Note: The trainer will show you how to back up your AXs.
Servers' default gateway is changed to the AX floating VIP

172

Lab7 - Configure HA with your neighbor

In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
a. Configure inter-AX connection
   i. Create VLAN 100 called "AX-HA" with interface "e3" untagged and Virtual Ethernet (VE) interface "100"
   ii. Configure VE "100" with IP@ "10.0.3.1/255.255.255.252"
   iii. Enable interface "e3"
b. Enable HA for interfaces "e1" + "e2" + "e3"
c. Enable HA Global Settings
   i. Identifier "1" - Set-ID "group-pair" (AX1=1, AX3=2, AX5=3, etc)
   ii. HA Mirroring IP = "10.0.3.2" (Secondary-AX-e3)
   iii. Group1 with priority 200
   iv. Floating IP = "10.0.2.x" (AX1=10.0.2.10, AX3=10.0.2.30, etc)
d. Configure VIP HA for "vip1" + "vip2" + "snat-pool1"
   i. Associate HA Group "1" with both VIPs and SNAT
   ii. Enable HA Connection Mirroring on "vip1" port "21" + "80"
e. Save your config

173

Lab7 - Configure HA with your neighbor

In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)
a. Configure inter-AX connection
   i. Create VLAN 100 called "AX-HA" with interface "e3" untagged and the VE "100"
   ii. Configure VE "100" with IP@ "10.0.3.2/255.255.255.252"
   iii. Enable interface "e3"
b. Enable HA interfaces for "e1" + "e2" + "e3"
c. Enable HA Global Settings
   i. Identifier "2" - Set-ID "group-pair" (AX2=1, AX4=2, AX6=3, etc)
   ii. HA Mirroring IP = "10.0.3.1" (AX2=10.0.2.10, AX4=10.0.2.30, etc)
   iii. Group1 with priority 100
   iv. Floating IP = "10.0.2.x" (Server's default gateway)
d. Save your config
e.

174

Lab7 - Configure HA with your neighbor

In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)

a. Be sure you saved your config on both AXs before you start the config sync
b. Sync Configuration Primary-AX "all" to Secondary-AX "startup-config + reload"

Note: Don't close the FTP control session

175

Lab7 - Configure HA with your neighbor

In this lab, you will configure HA Active/Standby mode with your neighbor (cont.)

176

Summary

In this module, we presented AX advanced security options:

And also configured HA.

177

AX Power and Flexibility
Module 7

178

Module objectives

Understand the advanced AX options for flexibility

Understand AX Advanced Core Operating System (ACOS)

179

Module 7 Lesson1

AX Flexibility

180

Points to keep in mind

Some advanced HTTP/HTTPS flexibility options have already been detailed in Module 4 (HTTP Templates)
This module (Module 7) presents other advanced AX flexibility options

181

Cookie persistence

When to use cookie persistence

182

Cookie persistence

AX Cookie Persistence configuration

Name
(optional) Expiration
(optional) Cookie Name
(optional) Domain
(optional) Path
(optional) Match type
(optional) Insert Always
(optional) Don't Honor Conn Rules

183

Cookie persistence

AX Cookie Persistence configuration (cont.)

WebUI: Config > Service > Template > Persistent > Cookie Persistence
CLI: AX(config)# slb template persist cookie []

WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N tcp
     AX(config-slb vserver-vport)# template persist cookie

184

Lab8 - Update HTTP "vip2" port "80" with cookie persistence

In this lab, you will configure cookie persistence

185

aFleX

What is aFleX?

Standard Tcl commands
Special set of extensions provided by the AX
Content inspection (headers / data)
Actions on traffic
  Block traffic
  Redirect traffic to a specific Service Group (pool) or Server (node)
  Modify traffic content

186

aFleX

Elements of an aFleX script

Events
Operators
aFleX commands

aFleX scripts are event-driven, which means that the AX system triggers the aFleX script whenever its event occurs.
Examples:
  HTTP_REQUEST is triggered when an HTTP request is received.
  CLIENT_ACCEPTED is triggered when a client has established a connection.

Standard Tcl operators
Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators: not, and, or

187

aFleX

Elements of an aFleX script (cont.)

Used to query for data, manipulate data, or specify a traffic destination. These may be grouped into three main categories:
Statement commands
  Example: "pool" directs traffic to the named load balancing pool
Commands that query or manipulate data
  Examples: "IP::remote_addr" returns the remote IP address of a connection
            "HTTP::header remove" removes the last occurrence of the named header from a request or response
Utility commands - useful for parsing and manipulating content
  Example: "decode_uri" decodes the named string using HTTP URI encoding and returns the result

188

aFleX

aFleX configuration

Using the CLI
  Use a computer with any text editor to write an aFleX script and save it as a file.
  Use the import aflex command to import the aFleX file from the computer to the AX.
  aFleX CLI syntax check: "aflex check ".
Using the WebUI
  With the AX's web interface, users can directly type in aFleX scripts and save them on the AX under "Config > Service > aFleX".
Using the aFleX Editor
  The aFleX editor can download/upload aFleX scripts from/to the AX. Moreover, it can do syntax checking. As an editor, it also has syntax highlighting, keyword autocompletion, etc.

189

aFleX

aFleX configuration (cont.)
WebUI: Config > Service > SLB > Virtual Server > Port
CLI: AX(config)# slb virtual-server
     AX(config-slb vserver)# port N tcp
     AX(config-slb vserver-vport)# aflex

aFleX statistics

190

aFleX

aFleX examples

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool sg2
    }
}

when HTTP_REQUEST {
    if { [HTTP::host] equals "secure.abc.com" } {
        HTTP::redirect
    }
}

191

aFleX

aFleX examples

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/finance" } {
        pool finance_pool
    } elseif { [HTTP::uri] starts_with "/dev" } {
        pool dev_pool
    }
}

192

Lab9a - Block HTTP access to directory /private from your IP address on "vip2" port "80"

In this lab, you will configure an aFleX rule
1. Connect via HTTPS to your AX Management IP@
2. Create aFleX script "aFleX-9a" to block HTTP access to directory /private from your IP address
   Event is "HTTP_REQUEST"
   Tests are:
     [IP::addr [IP::client_addr] equals x.x.x.x]
     [HTTP::uri] starts_with "/private"
   Action is: drop
3. Associate aFleX "aFleX-9a" with Virtual Server "vip2" port "80"

193

Lab9a - Block HTTP access to directory /private from your IP address on "vip2" port "80"

In this lab, you will configure an aFleX rule (cont.)
4. Request the page "http://vip2-IP@/private", validate your IP address is blocked
5. Request the page "http://vip2-IP@/", validate your IP address is not blocked
6. Show aFleX statistics

194

Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Create the HTTP + HTTPS VIP

In this lab, you will create the HTTP + HTTPS VIP
1. Connect via HTTPS to your AX Management IP@
2. Create one Virtual Server: "vip3"
3. Create one Virtual Server port on "vip3": type "HTTP" + port "80" + service group "none"
4. Create one Virtual Server port on "vip3": type "HTTPS" + port "443" + service group "sg-http" + Client-SSL template "client-ssl1"
5. Check Virtual Server "vip3" status
6. Update your PC "hostfile" with "intranet.abc.com" = "vip3IP@"

195

Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Redirect HTTP clients

In this lab, you will create the HTTP + HTTPS VIP (cont.)
7. Create aFleX script "aFleX-9b-80" to transparently redirect the HTTP clients to HTTPS (for instance clients that use old bookmarks)
   Event is "HTTP_REQUEST"
   Tests are: No test
   Action is: HTTP::redirect https://[HTTP::host][HTTP::uri]
8. Associate aFleX "aFleX-9b-80" with Virtual Server "vip3" port "80"

196

Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Redirect HTTP clients

In this lab, you will create the HTTP + HTTPS VIP (cont.)
9. Request the page "http://intranet.abc.com/", validate you're redirected to "https://intranet.abc.com/"
10. Request the page "http://intranet.abc.com/index.html", validate you're redirected to "https://intranet.abc.com/index.html"
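Worked scripts for Lab9a and for the Lab9b port 80 redirect, as an added example that is not part of the original course material. The address 192.0.2.10 is a constructed placeholder for x.x.x.x. The URI normalisation in the first script and the Host test in the second are additions to the lab text: the Host header is supplied by the client and is copied into the redirect, so the second script only redirects for the lab's host name.

```tcl
# Script "aFleX-9a" (bind to "vip2" port 80).
# Drops requests for /private that come from one client address.
# 192.0.2.10 is a placeholder: replace it with your own PC's IP address.
when HTTP_REQUEST {
    if { [IP::addr [IP::client_addr] equals 192.0.2.10] } {
        # Added normalisation (not in the lab text): decode URI encoding
        # and lowercase the result before the prefix test, so the rule
        # compares against the path the server will actually resolve.
        set uri [string tolower [decode_uri [HTTP::uri]]]
        if { $uri starts_with "/private" } {
            drop
        }
    }
}

# Script "aFleX-9b-80" (a separate script, bind to "vip3" port 80).
# Redirects HTTP clients to HTTPS. The lab uses "No test"; this variant
# only redirects when the Host header is the expected lab name and
# drops anything else, so a client-chosen Host value is never echoed
# back in the Location header.
when HTTP_REQUEST {
    set host [string tolower [HTTP::host]]
    if { $host equals "intranet.abc.com" } {
        HTTP::redirect https://$host[HTTP::uri]
    } else {
        drop
    }
}
```

Save each `when HTTP_REQUEST` block as its own aFleX script; they are bound to different virtual server ports.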

197

Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Rewrite server redirect

(optional) In this lab, you will configure an aFleX rule to transparently rewrite the redirects from the server
1. If pages contain redirections, create aFleX script "aFleX-9b-443" to rewrite the server redirects from "http://intranet.abc.com/*" to "https://intranet.abc.com/*"
   Event is "HTTP_RESPONSE"
   Test is: [HTTP::header Location] contains "http://intranet.abc.com"
   Action is:
     regsub "http://intranet.abc.com" [HTTP::header Location] "https://intranet.abc.com" new_location
     HTTP::header replace Location $new_location
2. Associate updated aFleX "aFleX-9b-443" with Virtual Server "vip3" port "443"
3. Request the page https://intranet.abc.com/redirect.html and verify the redirection

198

Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Rewrite absolute links

(optional) In this lab, you will configure an aFleX rule to transparently rewrite absolute links
1. If pages contain absolute links, expand aFleX script "aFleX-9b-443" to rename absolute links from "http://intranet.abc.com" to "https://intranet.abc.com"

aFleX rule is

# Remove Accept-Encoding so the server returns an uncompressed body
# that the response rule can rewrite.
when HTTP_REQUEST {
    HTTP::header remove Accept-Encoding
}

when HTTP_RESPONSE {
    # Rewrite server redirects that point back to the HTTP site.
    if { [HTTP::header exists "Location"] } {
        if { ([HTTP::header "Location"] starts_with "http://intranet.abc.com") } {
            regsub "http://intranet.abc.com" [HTTP::header Location] "https://intranet.abc.com" new_location
            HTTP::header replace Location $new_location
        }
    }
    # Collect text responses so HTTP_RESPONSE_DATA can rewrite the body.
    if { [HTTP::header "Content-Type"] starts_with "text" } {
        HTTP::collect
    }
}

199

Lab9b Transparently convert "intranet.abc.com" from HTTP to HTTPS Rewrite absolute links

(optional) In this lab, you will configure an aFleX rule to transparently rewrite absolute links (cont)

when HTTP_RESPONSE_DATA {
    if { [HTTP::header "Content-Type"] contains "text" } {
        set payload_length [HTTP::payload length]
        regsub -all "http://intranet.abc.com" [HTTP::payload] "https://intranet.abc.com" new_payload
        HTTP::payload replace 0 $payload_length $new_payload
        HTTP::release
    }
}

2. Associate aFleX "aFleX-9b-443" with Virtual Server "vip3" port "443"
3. Access page https://intranet.abc.com/absolute.html and check the link

200

Module 7 Lesson2

Advanced Core Operating System

201

ACOS Architecture Overview

SSL Acceleration Module SSL Processing

Memory Session Tables, Buffer Memory, Application Data

L4-7 CPUs L4-7 Processing, Security

Kernel CLI, GUI, Management Tasks and Health Checking

Flexible Traffic ASIC (FTA) Distributes Traffic Across L4-7 CPUs, Efficient Network I/O, DDoS

Switching & Routing ASIC L2 & L3 Processing and Security

202

ACOS Design Highlights

ACOS on the data plane

Linux on the control plane
All application delivery traffic handled by ACOS
Efficient use of memory: no duplicate data

203

ACOS = Resource Efficiency

Processing Efficiency

Eliminates unneeded cycles for faster processing

Zero locking, zero buffer copy, zero IPC, zero scheduling, zero interrupt

Physical Memory Efficiency

Data is not replicated, multiple copies of data are not needed, more total memory available

Space saving, non-replication, zero copy, accuracy, real-time data

Input/Output (I/O) Efficiency

Faster overall system processing

Low latency packet processing, optimized drivers, Flexible Traffic ASIC, low overhead

204

Shared Memory Versus Legacy Approach AX Series Shared Memory

Replicate to each cores dedicated m

Legacy approach

205

AX Shared Memory Advantage AX Series Shared Memory

AX Series eliminates IPC and maximizes performance
Data required by all CPUs is processed in the same location without other CPU notification/reliance
Accurate real-time decision criteria, e.g. rate-limiting, connection-limit, max TCP connections, server selection, tracked global variables used for decisions or any shared data set
Maximizes memory: no redundant copies of information per core. More total system memory

206

Shared Memory Efficiency

Shared Memory

One copy of each item kept in memory, for example

PBSLB List uses 64 MB of RAM, Total AX Memory Usage = 64 MB
RAM Cached Objects, 10 x 0.5 MB, Total AX Memory Usage = 5 MB
Total 69 MB of RAM used

Without Shared Memory

Multiple copies of each item kept in each core's memory, for example with 32 cores

PBSLB List uses 64 MB of RAM per core, Total Memory Usage = 2048 MB
RAM Cached Objects, 10 x 0.5 MB per core, Total Memory Usage = 160 MB
Total 2208 MB of RAM used

Total system memory is reduced dramatically by the nonshared memory architecture

207

ACOS Versus Legacy OS

ACOS | Legacy OS
Designed for multi-core | Not designed for multi-core
32-bit or 64-bit OS (with feature parity) | 32-bit OS only
Decoupled CPU architecture | Coupled CPU architecture
Shared memory | Non-shared memory
No IPC (Inter Process Communication) | IPC (Inter Process Communication)
Optimized flow distribution | Software based flow distribution

208

Summary

In this module, we presented the following advanced AX flexibility options:

And also configured them on the AX. We also presented the ACOS architecture.

209

AX Management and Troubleshooting
Module 8

210

Module objectives

Understand the different types of AX management access
Understand the AX configuration components and how to backup/restore AX configuration
Understand the AX software components and how to upgrade/downgrade AX
Understand VLAN on AX
Learn initial AX configuration
Learn troubleshooting techniques and tools
Understand AX Release Process and how to contact AX support

211

AX management access

CLI

Web

Levels of CLI authentication

Login ID/Password Enable ID/Password User roles (read-write / read-only)

212

AX configuration components

AX configuration components

213

AX configuration components

AX full configuration backup

WebUI: Configuration > System > Maintenance > Backup > System CLI: AX(config)# backup config []

AX full configuration restore

WebUI: Configuration > System > Maintenance > Restore > System CLI: AX(config)# restore []

Note: Supported upload protocols: FTP, SCP, RCP, TFTP, and HTTPS (via WebUI)

214

AX software management

AX software is stored on

Second partition is designed for easy software rollback CF is designed for emergency recovery

215

AX software management

AX software upgrade recommended steps

Back up your system
  (covered on previous slide)

Check the AX running partition
  WebUI: Monitor > Overview > Summary > System Information
  CLI: AX# show bootimage

Upgrade the AX device's other partition
  WebUI: Configuration > System > Maintenance > Upgrade
  CLI: AX(config)# upgrade []

Copy the running configuration to the other partition
  CLI only: AX# write memory [primary|secondary]

Set the boot source to the other partition
  WebUI: Configuration > System > Settings > Boot
  CLI: AX(config)# bootimage hd [primary|secondary]

Restart from the other partition
  WebUI: Configuration > System > Settings > Action > Reboot
  CLI: AX# reboot

216

VLAN

VLAN allows AX to

217

VLAN

VLAN allows AX to (cont.)

218

VLAN

VLAN configuration steps

VLAN ID
Physical interfaces tagged and untagged
(optional) VLAN Name
(optional) Virtual Interface
IP address
Netmask
(optional) all ethernet options such as ACL, secondary IP@

219

VLAN

VLAN configuration

WebUI: Config > Network > VLAN
CLI: AX(config)# vlan []
WebUI: Config > Network > Interface > Virtual
CLI: AX(config)# interface ve []

220

VLAN

Important Point

221

First Steps configuration

Rollback to Factory configuration

First Step configuration

Default user/password: admin/a10
Configure the management interface, its default gateway
Finish the AX configuration via CLI (ssh) or WebUI (https)
Configure Production interfaces (vlan, ethernet/ve interfaces)
Enable production interfaces
(optional) Configure routing (static/dynamic)
(optional) Configure specific management rights
Configure Servers / Service Groups / Virtual Servers etc

222

First Steps configuration

First Step configuration example

AX login: admin
Password:
[type ? for help]
AX>en
Password:
AX#conf
AX(config)#in
AX(config)#interface m
AX(config)#interface management
AX(config-if:management)#ip address 172.31.31.11 /24
AX(config-if:management)#ip default-gateway 172.31.31.1
AX(config-if:management)#exit
AX(config)#exit

223

Troubleshooting methodology

Layer 2 and 3: Data Link & Network Layers

AX# ping
AX# show interface brief + AX# show interface

AX# show arp + AX# show mac-address-table
AX# show ip fib + AX# show ip route
Check for connection errors
Check for application specific errors

224

Troubleshooting tools

AX log (AX# show log)

Port/Interface up/down messages
L2 loop detection warnings
Unicast/Multicast/Broadcast packet limit warnings
MAC address movement warnings
Duplicate IP warnings
Server & service port up/down messages
Application specific error messages: SLB, PBSLB, HTTP, HA, etc.

225

Troubleshooting tools

Debug

AX's WebUI provides a number of report graphs that can help you identify any potential issues
Example: CPU and server/virtual-server load information can help identify time periods when the system was under stress
SNMP clients can query AX for status information
AX can be configured to send SNMP traps to servers/receivers

226

Troubleshooting tools

Debug (cont.)

Define a set of filters for packet capture
Example: interface, IP address, protocol, port number, etc.
Captures application specific debug information
Use this command after defining a filter to display captured packets on screen
Make sure your filter is specific enough to capture only the packets needed for debugging
The CLI may become temporarily unresponsive if a large number of packets are captured to the screen

227

Troubleshooting tools

AXdebug

Show techsupport

Backup log

228

AX Release Process

AX provides 5 different releases

Major features/enhancements (between 12 - 14 months)
Enhancements (between 6 - 8 months)
Periodic bug fixes and minor enhancements (between 3 - 4 months)
Collection of P1/P2 fixes and previous patch fixes (between 4-5 weeks)
Emergency patch for a specific customer (2-3 days)

229

AX Release Process

AX releases tests

Test | MAJOR | Enhancement | Minor | PATCH
Unit | New features | New features | Fixes | Fixes
Functional | New features | New features | Fixes | Fixes
Negative | Full | Full | Affected | None
Stress | Full | Affected | None | None
Regression | Manual=full, Automated=full | Manual=affected, Automated=full | Manual=affected, Automated=full | Manual=affected, Automated=full
Sys Integration | Full | Full | Partial | Partial as needed
Performance | Full | Affected | Affected | None
Scalability | Full | Affected | Affected | None
Stability | 2 weeks | 1 week | 3 days | 1 day
Alpha | Full | Affected | Affected | None
Beta | Full | Affected | None | None

230

AX Release Process

QA patch release process

[Flow diagram. Lanes: Support, QA, Release Mgr. Steps shown: Approve, Release, Functional Test, Alpha Test, Regression Test (Manual, Automated), Test, Sys Integration Test, Performance Test, Scalability Test (as needed)]

231

AX Release Process

Source Tree Branch Diagram

233

Why AX support is better

Qualified support staff Training

Passionate

234

How to contact AX support

AX support can be contacted by 3 methods

From North America: 1 888 822 7210 (1-888-TACSA10)
From International: +1 408 325 8676
24 x 7 x 365 Support
Mon-Fri 6AM-11PM PST + Sat, Sun 9AM-6PM PST: A10 support engineers
All other hours: Call center
When needed: escalation to standby engineers, and standby engineers contact customer immediately
Be ready to provide:
  Problem description
  Showtech (almost always required)
  Topology; highly preferred
  Trace
  Backup log

235

How to contact AX support

AX support can be contacted by 3 methods (cont.)
[email protected]
A support ticket is auto generated
Auto reply email with a ticket number is sent
What information to provide?
Subject with "Priority (if urgent)" + "Customer name" + "Brief description of ticket" + "Release number"
Example: "P1: abc.com - Certain VIPs fail to pass traffic release 2.4.2"
Additional information:
  Detailed problem description
  Production, eval, POC, etc.
  Expected time of resolution by customer
  Showtech attachment (almost always required)
  Topology; highly preferred
  Trace
  Backup log

236

How to contact AX support

AX support can be contacted by 3 methods (cont.)

http://a10networks.com/support
A support ticket is auto generated
Auto reply email with a ticket number is sent
What information to provide? Same as by email (see previous slide).

237

How to contact AX support

Security levels

Priority Level | Acknowledgement | Response | Ownership
Priority 1 | < 1 Hour* | < 1 Hour | Support Manager
Priority 2 | < 1 Hour | < 4 Hours | Support Engineer
Priority 3 | < 8 Hours | < 2 Days | Support Engineer
Priority 4 | < 8 Hours | < 4 Days | Support Engineer

* 30 minutes or less

238

How to contact AX support

Escalation metrics

Escalation Priority 1, Critical Priority 2, High Priority 3, 4, Medium Low

Level 1 TAC Engineer/ Manager

Level 2 (after 1 hour) Director, Technical Support TAC Manager TAC Engineer

Level 3 (after 4 hours) VP, Engineering/ Sales

Level 4 (after 24 hours) CEO

Level 5 (after 7 days)

TAC Engineer TAC Engineer

Director, Technical VP, Engineering/ Support Sales TAC Engineer TAC Manager Engineer

CEO Flagged (after 14 days)

239

Lab10a Troubleshooting

Restore the AX configuration provided by your trainer Fix your AX configuration:

240

Lab10b Troubleshooting

Group troubleshooting

241

Summary

In this module, we presented:

242