Professional Documents
Culture Documents
A10 Thunder AX 271-P2 Admin-2013.07.22
A10 Thunder AX 271-P2 Admin-2013.07.22
A10 Thunder AX 271-P2 Admin-2013.07.22
Configuration and Administration Guide
Trademarks
A10 Networks, A10 Thunder, vThunder, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGalaxy,
aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, Thunder, Unified Service
Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All
other trademarks are property of their respective owners.
Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and pat-
ents pending: 20120216266, 20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522,
20100235880, 20100217819, 20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429,
20070282855, 20070271598, 20070195792, 20070180101, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235,
8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services,
including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to
verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All infor-
mation is provided "as-is." The product specifications and features described in this publication are based on the latest
information available; however, specifications are subject to change without notice, and certain features may not be avail-
able upon initial product release. Contact A10 Networks for current information regarding its products or services. A10
Networks’ products and services are subject to A10 Networks’ standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper dis-
posal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.
A10 Thunder Series and AX Series—System Guide
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid A10
Networks Regular and Technical Support service contracts, the A10 Net-
works Technical Assistance Center provides support services online and
over the phone.
Corporate Headquarters
www.a10networks.com
Note: As an alternative to saving the output in a log file captured by your termi-
nal emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the CLI Reference for the software version
you are running.)
FIGURE 2 AX 5630
For details about feature support on specific models, see the release notes.
User Documentation
Information is available for ACOS products in the following documents.
These documents are included on the documentation CD shipped with your
product, and also are available on the A10 Networks support site.
Basic Setup
• Installation Guides
Security Guides
• Management Access Security Guide
References
• LOM Reference
• GUI Reference
• CLI Reference
• aFleX Reference
• MIB Reference
• aXAPI Reference
Make sure to use the basic deployment instructions in the Installation Guide
for your Thunder or AX model, and in the System Configuration and
Administration Guide. Also make sure to set up your device’s Lights Out
Management (LOM) interface, if applicable.
Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and for system administrators
for provision and maintenance of A10 Networks products.
Documentation Updates
Updates to these documents are published periodically to the A10 Networks
support site, on an updated documentation CD (posted as a zip archive). To
access the latest version, please log onto your A10 support account.
http://www.a10networks.com
http://www.a10networks.com/adc/
System Overview 23
A10 Thunder Series and AX Series Features..................................................................................... 23
ACOS Architecture ............................................................................................................................... 26
ACOS Software Processes ............................................................................................................. 27
Memory Pre-allocation .................................................................................................................... 28
Hardware Interfaces ............................................................................................................................. 28
Software Interfaces............................................................................................................................... 28
Server Load Balancing Features......................................................................................................... 29
Intelligent Server Selection ............................................................................................................. 30
SLB Configuration Templates ......................................................................................................... 30
Outbound Link Load Balancing ....................................................................................................... 32
Transparent Cache Switching ......................................................................................................... 32
Firewall Load Balancing .................................................................................................................. 32
Where Do I Start?.................................................................................................................................. 33
SoftAX 35
SoftAX for Multiple Hypervisors.......................................................................................................... 35
Standardized Parameter Limits for SoftAX Models ........................................................................ 38
SoftAX for Citrix XenServer 5.6........................................................................................................... 39
Application Delivery Partition Support............................................................................................... 39
Single-interface Mode for SoftAX (VMware only) .............................................................................. 39
AX-V 41
Installation Overview ....................................................................................................................... 42
Basic Setup 43
Logging On ............................................................................................................................................43
Logging Onto the CLI ..................................................................................................................... 45
Logging Onto the GUI .................................................................................................................... 46
Configuring Basic System Parameters ...............................................................................................49
Setting the Hostname and Other DNS Parameters ........................................................................ 49
Setting the CLI Banners ................................................................................................................. 50
Setting Time/Date Parameters ....................................................................................................... 52
Setting the NTP Server Authentication ....................................................................................... 54
CLI Example ............................................................................................................................... 56
Setting the NTP Server Preference ............................................................................................. 56
CLI Example ............................................................................................................................... 57
Configuring Syslog Settings ........................................................................................................... 58
Single-priority Logging ................................................................................................................ 60
Log Rate Limiting ........................................................................................................................ 61
Enabling SNMP .............................................................................................................................. 63
SNMP Traps ................................................................................................................................ 65
SNMP Communities and Views .................................................................................................. 67
SNMP Configuration Steps ......................................................................................................... 68
SNMP Source Interface for Notifications ..................................................................................... 71
Console Restart .............................................................................................................................. 72
Configuration Examples .......................................................................................................................73
Replacing the Web Certificate..............................................................................................................78
Emailing Log Messages........................................................................................................................80
Increased I/O Buffer Support ...............................................................................................................85
Network Setup 87
Overview ................................................................................................................................................87
Trunk Support ................................................................................................................................. 87
Virtual LAN Support ........................................................................................................................ 88
IP Subnet Support .......................................................................................................................... 89
Routing Support ............................................................................................................................. 90
Gateway Health Monitoring ............................................................................................................ 90
Partitioning with ADPs .................................................................................................................... 90
High Availability .............................................................................................................................. 91
System Overview
This chapter provides a brief overview of the A10 Thunder Series and
AX Series system and features. For more information, see the other chapters
in this guide.
Note: Support for some features depends on ACOS device model or software
version. The specific models and software versions required are listed in
the detailed sections for the features.
• Application Delivery Features
• SSL Acceleration
• Hardware-based SSL Offload
• Support for all TCP Protocols – SSL Termination, SSL Bridging
(SSL Initiation)
• TLS 1.2 and 4096-bit SSL key support
• SSL Intercept
• IPv6-->IPv6 NAPT
• Management
• Port Mirroring
• Virtualization
• AC or DC Power Supplies
• 40 Gb and 10 Gb Ports
• Tamper Detection
ACOS Architecture
A10 Thunder Series and AX Series devices use embedded Advanced Core
Operating System (ACOS) architecture. ACOS is built on top of a set of
Symmetric Multi-Processing CPUs and uses shared memory architecture to
maximize application data delivery.
• Monitors all its child processes and restarts a process and all depen-
dent processes if any of them die.
• syslogd – System logger daemon that logs kernel and system events.
• a10logd – Fetches all the logs from the ACOS Log database.
• a10stat – Monitors the status of all the main processes of the ACOS
device, such as a10switch (on models AX 2200 and higher) and a10lb.
The a10stat process probes every thread within these processes to ensure
that they are responsive. If a thread is deemed unhealthy, a10stat kills
the process, after which a10mon restarts the process and other processes
associated with it.
• a10switch – Contains libraries and APIs to program the Switching ASIC
to perform Layer 2 and Layer 3 switching at wire speed.
• a10hm – Performs health-checking for real servers and services. This
process sends pre-configured requests to external servers at pre-defined
intervals. If a server or individual service does not respond, it is marked
down. Once the server or service starts responding again, it is marked
up.
• a10rt – Routing daemon, which maintains the routing table with routes
injected from OSPF, as well as static routes.
• a10rip – Implements RIPv1 and v2 routing protocols.
• a10wa – Embedded Web Server residing on the ACOS device. This pro-
cess serves the Web-based management Graphical User Interface (GUI).
• a10gmpd – Global SLB (GSLB) daemon.
• a10lb – The heart of the ACOS device. This process contains all the
intelligence to perform Server Load Balancing.
Memory Pre-allocation
As part of normal operation, ACOS pre-allocates memory. For this reason,
memory utilization can be high even when the device first boots up. The
system allocates more memory if needed for burst conditions. In this case,
the additional memory is freed only slowly, in case further burst conditions
occur.
Hardware Interfaces
See the Installation Guide for your A10 Thunder or ACOS model.
Software Interfaces
The ACOS device supports the following management interfaces:
• Graphical User Interface (GUI)
• CLI Reference
• MIB Reference
• aXAPI Reference
You can easily grow server farms in response to changing traffic flow, while
protecting the servers behind a common virtual IP address. From the per-
spective of a client who accesses services, requests go to and arrive from a
single IP address. The client is unaware that the server is in fact multiple
servers managed by an ACOS device. The client simply receives faster,
more reliable service.
Moreover, you do not need to wait for DNS entries to propagate for new
servers. To add a new server, you simply add it to the configuration for the
virtual server, and the new real server becomes accessible immediately.
The ACOS device provides a robust set of configurable health monitors for
checking the health (availability) of servers and individual services.
Connectivity Templates
The ACOS device provides the following types of connectivity templates:
• TCP-Proxy – Controls TCP/IP stack parameters
• TCP – Controls TCP connection settings such as the idle timeout for
unused sessions, and specifies whether the ACOS device sends TCP
Resets to clients or servers after a session times out
• UDP – Controls UDP connection settings such as the idle timeout for
unused sessions, and specifies how quickly sessions are terminated after
a server response is received
• SSL session-ID persistence – Directs all client requests for a given vir-
tual port, and that have a given SSL session ID, to the same real server
and real port
Where Do I Start?
• To configure basic system settings, see “Basic Setup” on page 43.
SoftAX
ACOS release 2.6.1 first introduced support for SoftAX for VMware ESX/
ESXi. Support for additional hypervisors was added in subsequent releases,
with the current release supporting SoftAX on the following hypervisors:
• VMware (ESX 4.0 or higher, or ESXi 4.0 or higher).
Installation of SoftAX
The SoftAX software can be downloaded as an ISO image. Multiple
SoftAX instances can be installed in a single hardware platform, such as a
PC, with each instance running independently from the others.
• VMware—SoftAX for VMware is available as a virtual machine image
in Open Virtualization Format (OVF). You can install SoftAX for
System Requirements
The virtualized hardware upon which the SoftAX instance is installed must
meet the following requirements:
• 1 virtual CPU
• At least 2 GB RAM
• At least 8 GB storage
Management of SoftAX
SoftAX can be managed from the ACOS CLI or GUI, which is the same as
any standard hardware-based ACOS device.
Feature Support
SoftAX supports most of the same features that are supported on the hard-
ware-based ACOS devices.
• Port mirroring
• SSL Intercept and SSL Forward Proxy (features require SSL ASIC)
For more information on which features are supported and which are not,
please refer to the SoftAX Advanced Traffic Manager Installation Guide(s).
• High-performance Editions:
• 4 Gbps
• 8 Gbps
In prior ACOS releases, the maximum limits for the various system parame-
ters varied from one edition to the next for system parameters such as Max-
imum SSL VIPs, or the maximum number of Layer 4 sessions supported.
However, as of ACOS release 2.7.0, these parameters have been standard-
ized such that the maximum limits for the SoftAX system parameters are
the same for the Entry Level edition (with 200-Mbps throughput) as for the
High-performance edition (with 8-Gbps throughput).
The set of features supported in SoftAX for XenServer 5.6 is the same as
those supported in version 6.0. The requirements for the virtualized hard-
ware upon which the SoftAX instance is installed remain unchanged from
those associated with XenServer 6.0.
Prerequisites:
• This functionality is only supported for SoftAX running on the VMware
hypervisor, and it is not supported on any of the other hypervisors.
• The SoftAX interface type must be set to “vmxnet3” for single-interface
mode.
AX-V
This release introduces the A10 Thunder Series and AX Series AX-V
Advanced Traffic Manager / Server Load Balancer. The AX-V appliance
combines A10 Networks high-performance, purpose-built hardware with
the flexibility of SoftAX.
AX-V enables you to respond to changing traffic volume by provisioning or
de-provisioning multiple high performance SoftAX appliances as required.
You can configure multiple SoftAX appliances on the AX-V appliance for
High Availability (HA), thus providing complete software failover capabil-
ity on a single platform.
System Specifications
The AX-V is a 1-rack unit (1 RU) appliance with the following hardware
features:
• 20 Ethernet data interfaces: 4 10-Gig Fiber and 16 1-Gig Copper
• USB and VGA ports for console access to the AX-V management sub-
system
• Solid State Drive (SSD)
Installation Overview
To install the AX-V appliance:
• Install the AX-V chassis.
• Set the enable password for secure access to the operational and
configuration levels of the CLI.
You do not need to install the SoftAX virtual appliances on VMware. They
are already installed at the factory.
Basic Setup
This chapter describes how to log onto the ACOS device and how to config-
ure the following basic system parameters:
• Hostname and other Domain Name Server (DNS) settings
• Date/time settings
After you are through with this chapter, go to “Network Setup” on page 87.
Note: The only basic parameters that you are required to configure are date/time
settings. Configuring the other parameters is optional.
Note: This chapter does not describe how to access the serial console interface.
For that information, see the installation guide for your A10 Thunder
Series or AX Series model.
Logging On
A10 Thunder Series and AX Series devices provide the following manage-
ment interfaces:
• Command-Line Interface (CLI) – Text-based interface in which you
type commands on a command line. You can access the CLI directly
through the serial console or over the network using either of the
following protocols:
• Secure protocol – Secure Shell (SSH) version 2
• Unsecure protocol – Telnet (if enabled)
Note: By default, Telnet access is disabled on all interfaces, including the man-
agement interface. SSH, HTTP, HTTPS, and SNMP access are enabled by
default on the management interface only, and disabled by default on all
data interfaces.
2. Generally, if this the first time the SSH client has accessed the ACOS
device, the SSH client displays a security warning. Read the warning
carefully, then acknowledge the warning to complete the connection.
(Press Enter.)
Note: The “ACOS” in the CLI prompt is the hostname configured on the device,
which is “ACOS” by default. If the hostname has already been changed,
the new hostname appears in the prompt instead of “ACOS”.
5. To access the Privileged EXEC level of the CLI and allow access to all
configuration levels, enter the enable command.
At the Password: prompt, enter the enable password. (This is not the
same as the admin password, although it is possible to configure the
same value for both passwords.)
If the enable password is correct, the command prompt for the Privi-
leged EXEC level of the CLI appears: ACOS#
6. To access the global configuration level, enter the config command. The
following command prompt appears: ACOS(config)#
2. In the URL field, enter the IP address of the ACOS device’s manage-
ment interface.
Note: To prevent the certificate warning from appearing in the future, you can
install a certificate signed by a Certificate Authority. See “Replacing the
Web Certificate” on page 78.
A login dialog is displayed. The name and appearance of the dialog
depends on the browser you are using.
Note: The default admin username and password are “admin”, “a10”.
The Summary page appears, showing at-a-glance information for your
ACOS device.
You can access this page again at any time while using the GUI, by
selecting Monitor Mode > Overview > Summary.
Note: GUI management sessions are not automatically terminated when you
close the browser window. The session remains in effect until it times out.
To immediately terminate a GUI session, click Logout.
Note: For more information about the GUI, see the A10 Thunder Series and
AX Series GUI Reference or the GUI online help.
Note: If you plan to use the GUI, the Basic System page under Config Mode
also provides configuration access to most of the system parameters
described in this chapter. For information, navigate to Config Mode > Get
Started > Basic System, then click Help.
Note: Do not use a period ( . ) in the hostname. If you do use a period, the
ACOS device will use the text after the period as the DNS suffix instead
of the DNS suffix you configure.
2. In the Hostname field, edit the name to one that will uniquely identify
this particular ACOS device (for example, “ACOS-SLB1”).
3. In the DNS Suffix field, enter the domain name to which the host
(A10 Thunder Series and AX Series) belongs.
4. In the Primary DNS field, enter the IP address of the external DNS
server the A10 Thunder Series and AX Series should use for resolving
DNS queries.
6. Click OK.
3. To set the default domain name (DNS suffix) for hostnames on the
ACOS device, use the following command:
ip dns suffix string
4. To specify the DNS servers the ACOS device should use for resolving
DNS requests, use the following command:
ip dns {primary | secondary} ipaddr
The primary option specifies the DNS server the ACOS device should
always try to use first. The secondary option specifies the DNS server
that the ACOS device should use if the primary DNS server is unavail-
able.
The multi-line banner text starts from the first line and ends at the marker. If
the end marker is on a new line by itself, the last line of the banner text will
be empty. If you do not want the last line to be empty, put the end marker at
the end of the last non-empty line.
2. To configure a banner:
a. Select the banner type, single-line or multi-line.
b. If you selected multi-line, enter the delimiter value in the End
Marker field.
c. Enter the message in the Login Banner or Exec Banner field.
If the message is a multi-line message, press Enter / Return at the
end of every line. Do not type the end marker at the end of the mes-
sage. The GUI automatically places the end marker at the end of the
message text in the configuration.
3. If you are configuring both messages, repeat step 2 for the other mes-
sage.
4. Click OK.
The login option changes the first banner, which is displayed after you enter
the admin username. The exec option changes the second banner, which is
displayed after you enter the admin password.
To use blank spaces within the banner, enclose the entire banner string with
double quotation marks.
• Set the system time and date manually or configure the device to use a
Network Time Protocol (NTP) server. You can specify a preferred NTP
server and authenticate NTP servers with encrypted keys.
Note: You do not need to configure Daylight Savings Time. The ACOS device
automatically adjusts the time for Daylight Savings Time based on the
timezone you select. The UTC time standard does not observe daylight
savings time.
Note: When you change the ACOS timezone, the statistical database is cleared.
This database contains general system statistics (performance, CPU,
memory, and disk utilization) and SLB statistics.
3. Click OK.
Enter the following command at the global configuration level of the CLI:
clock timezone timezone [nodst]
Enter UTC for the timezone option to apply the UTC time standard to the
system. Enter timezone ? to display additional timezone options.
The nodst option disables Daylight Savings Time (DST) for the zone. DST
is enabled by default, if applicable to the timezone.
Note: The UTC time standard does not observe daylight savings time.
Use the following command to show the timezone selected for the device:
show clock
2. To enable NTP and synchronize the ACOS device clock with the NTP
server, enter the following command:
ntp enable
Note: The clock is based on 24 hours. For example, for 1 p.m., enter the hour as
“13”.
Note: The NTP server and NTP client must reference the same authentication
key ID number. If the NTP server and NTP client are configured with dif-
In the current release, this enhancement is not supported from the GUI.
For num, enter a value between 1-65535. This value applies an identifica-
tion number to the authentication key, which is referred to when adding the
key to the trusted key list or NTP server.
For string, enter a series of 1-31 alphanumeric characters for the key. This
value is stored in the system using the A10 encryption algorithm.
Use the no form of the command to remove one or more authentication keys
from the trusted key list.
For key num, enter the identification number of an authentication key that is
included in the trusted key list.
CLI Example
The following example creates 3 authentication keys (1337, 1001, and
1012) and adds these keys to the list of trusted keys. The NTP server located
at 10.10.3.18 is configured to use a trusted key (1337) for authentication:
ACOS(config)#ntp auth-key 1337 M XxEnc192
ACOS(config)#ntp auth-key 1001 M Vke1324as
ACOS(config)#ntp auth-key 1012 M 28fj039
ACOS(config)#ntp trusted-key 1337 1001 1012
ACOS(config)#ntp server 10.10.3.18 key 1337
You can verify the NTP server and authentication key configuration with
the show run command. The following example includes an output modi-
fier to display only NTP-related configuration:
ACOS(config)#show run | include ntp
ntp auth-key 1001 M encrypted
FSNiuf10Dtzc4aY0tk2J4DwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp auth-key 1012 M encrypted
NEMuh8GgapM8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp auth-key 1337 M encrypted zIJptJHuaQaw/
5o10esBTDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp trusted-key 1001 1012 1337
ntp server 10.10.3.18 key 1337
Note: A10 Networks recommends enabling the preference option for a single
NTP server only. If preference is selected for more than one NTP server,
the prioritized NTP server is determined by an internal calculation.
In the current release, you cannot set a preferred NTP server from the GUI.
For ip-addr, enter the IPv4 or IPv6 address of the NTP server. If an NTP
server at the specified IP address does not currently exist, this command
will configure a new NTP server with preference applied. You can configure
a maximum of 4 NTP servers, regardless of preference settings.
Enter the prefer option to direct the ACOS to use this NTP server by
default. Additional NTP servers are used as backup servers if the preferred
NTP server is unavailable.
CLI Example
The following commands create an NTP server at 11.12.13.14 with pre-
ferred priority and verifies this configuration with the show run command:
ACOS(config)#ntp server 11.12.13.14 prefer
ACOS(config)#show run | begin ntp server
ntp server 11.12.13.14 prefer
!
...
• Email address(es)
Logging to the local buffer and to CLI sessions is enabled by default. Log-
ging to other places requires additional configuration. The standard Syslog
message severity levels are supported:
• Emergency – 0
• Alert – 1
• Critical – 2
• Error – 3
• Warning – 4
• Notification – 5
• Information – 6
• Debugging – 7
Single-priority Logging
Single-priority logging allows you to identify one specific severity level to
be logged from among the standard syslog message severity levels 0–7:
• 0 – emergency
• 1 – alert
• 2 – critical
• 3 – error
• 4 – warning
• 5 – notification
• 6 – information
Single-priority logging allows you to remove excess data so that you can
see a desired subset of log messages at your target severity level.
Prior releases did not offer a way for you to single out a particular subset of
log messages at a singular severity level. There was no way to only display
log message of the 5 (notification) level without also see levels 4–0.
The rate limit for external logging is 15,000 messages per second from the
device.
The rate limit for internal logging is 32 messages per second from the
device.
• If the number of new messages within a one-second interval exceeds 32,
then during the next one-second interval, the ACOS device sends log
messages only to the external log servers.
• If the number of new messages generated within the new one-second
interval is 32 or less, then during the following one-second interval, the
ACOS device will again send messages to the local logging buffer as
well as the external log server. In any case, all messages (up to 15,000
per second) get sent to the external log servers.
3. Click OK.
2. To change the severity level of messages that are logged in other places,
use the following command:
logging target severity-level
The target can be one of the following:
• console – Serial console
• email – Email
• monitor – Telnet and SSH sessions
• syslog – external Syslog host
• trap – external SNMP trap host
Note: Only severity levels emergency, alert, critical, and notification can be
sent by email. Sending log messages by email requires additional configu-
ration. See “Emailing Log Messages” on page 80.
4. To configure the ACOS device to send log messages by email, use the
following commands to specify the email server and the email
addresses:
smtp {hostname | ipaddr} [port protocol-port]
The port option specifies the protocol port to which to send email. The
default is 25.
logging email-address address [...]
To enter more than one address, use a space between each address.
The severity-level specifies the severity level to log. You can enter the name
of the severity level or the number that corresponds to the severity level.
Enabling SNMP
ACOS devices support the following SNMP versions: v1, v2c, v3. SNMP is
disabled by default.
You can configure the ACOS device to send SNMP traps to the Syslog and
to external trap receivers. You also can configure read (GET) access to
SNMP Management Information Base (MIB) objects on the ACOS device
by external SNMP managers.
Note: SNMP access to the ACOS device is read-only. SET operations (write
access) are not supported.
The ACOS device supports the following SNMP-related RFCs:
• RFC 1157, A Simple Network Management Protocol (SNMP)
Table 3 lists the SNMP traps supported by the ACOS device. All traps are
disabled by default.
You also can restrict access to specific Object IDs (OIDs) within the MIB,
on an individual community basis. OIDs indicate the position of a set of
MIB objects in the global MIB tree. The OID for A10 Networks
A10 Thunder Series and AX Series objects is 1.3.6.1.4.1.22610.
SNMP Views
An SNMP view is like a filter that permits or denies access to a specific OID
or portions of an OID. You can configure SNMP user groups and individual
SNMP users, and allow or disallow them to read specific portions of the
ACOS MIBs using different views.
When you configure an SNMP user group or user, you specify the SNMP
version. SNMP v1 and v2c do not support authentication or encryption of
SNMP packets. SNMPv3 does. You can enable authentication, encryption,
or both, on an individual SNMP user-group basis when you configure the
groups. You can specify the authentication method and the password for
individual SNMP users when you configure the users.
To configure SNMP:
1. Optionally, configure location and contact information.
You are not required to perform these configuration tasks in precisely this
order. The workflow in the GUI is slightly different from the workflow
shown here.
Note: By default, the ACOS device can reach remote logging and trap servers
only if they are reachable through the ACOS device’s data ports, not the
management port. To enable the ACOS device to reach remote logging
6. Click OK.
Note: When there are unsaved configuration changes on the ACOS device, the
Save button flashes.
5. To enable the SNMP agent and SNMP traps, use the following com-
mand:
snmp-server enable
[
traps [
snmp [trap-name] |
system [trap-name] |
network [trap-name] |
ha [trap-name] |
slb [trap-name]
]
]
While previous releases sent SNMP traps from the management port of the
ACOS device, the SNMP Trap Source feature allows you to select a data
interfaces from which to send the traps.
Details:
• This feature does not support IPv6.
• VLAN / VE
• Loopback
When the ACOS device sends an SNMP trap from the data interface you
specify, the “agent-address” in the SNMP trap is the data interface’s IP
address.
CLI Example
The following command attempts to set a loopback interface as the SNMP
trap source. However, the feature has already been enabled on Ethernet port
1, and only one interface can be enabled for SNMP traps, so this example
shows that the existing trap source will be overwritten with the new one:
ACOS(config)#interface loopback 1
ACOS(config-if:loopback1)#snmp-server trap-source
The trap source already exists for interface eth1. Do you want to overwrite?
[yes/no]:yes
ACOS(config-if:loopback1)#
Console Restart
The current release provides the following new command that enables you
to terminate the current login process and start a new one:
To resolve the issue of the hung console, due to an underlying hung rimacli
process, use the clear console command. After the hung login process is
terminated, the console will revert to the login prompt.
CLI Example
For the current session, the following command helps kill the console login
process that is causing the window to hang:
ACOS(config)#clear console
Configuration Examples
The following examples show how to configure the system settings
described in this chapter.
GUI EXAMPLE
The following examples show the GUI screens used for configuration of the
basic system settings described in this chapter.
The following commands log onto the CLI, access the global configuration
level, and set the hostname and configure the other DNS settings:
login as: admin
Welcome to ACOS
Using keyboard-interactive authentication.
Password:********
Last login: Tue Jan 13 19:51:56 2009 from 192.168.1.144
ACOS>enable
Password:********
ACOS#config
ACOS(config)#hostname ACOS-SLB2
ACOS-SLB2(config)#ip dns suffix ourcorp
ACOS-SLB2(config)#ip dns primary 10.10.20.25
ACOS-SLB2(config)#ip dns secondary 192.168.1.25
The following examples set the login banner to “welcome to login mode”
and set the EXEC banner to “welcome to exec mode”:
ACOS-SLB2(config)#banner login “welcome to login mode”
ACOS-SLB2(config)#banner exec “welcome to exec mode”
The following commands configure the ACOS device to send system log
messages to an external syslog server and to email Emergency messages to
the system admins. In this example, the message levels sent to the external
server are left at the default, Error (3) and above. By default, the same mes-
The following commands enable SNMP and all traps, configure the ACOS
device to send traps to an external trap receiver, and configure a community
string for use by external SNMP managers to read MIB data from the
ACOS device.
ACOS-SLB2(config)#snmp-server location ourcorp-HQ
ACOS-SLB2(config)#snmp-server contact Me_admin1
ACOS-SLB2(config)#snmp-server enable trap
ACOS-SLB2(config)#snmp-server community read ourcorpsnmp
ACOS-SLB2(config)#snmp-server host 192.168.10.11 ourcorpsnmp
5. To use the management interface as the source interface for the connec-
tion to the remote device, select Use Management Port. Otherwise, the
ACOS device will attempt to reach the remote server through a data
interface.
6. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.
9. If needed, change the protocol port number n the port field. By default,
the default port number for the selected file transfer protocol is used.
10. In the User and Password fields, enter the username and password
required for access to the remote server.
Use the following command at the global configuration level of the CLI:
certificate-reset
Boolean Operators
A logging email filter consists of a set of conditions joined by Boolean
expressions (AND / OR / NOT).
After listing all the conditions, specify the Boolean operator(s). The follow-
ing operators are supported:
• AND – All conditions must match in order for a log message to be
emailed.
• OR – Any one or more of the conditions must match in order for a log
message to be emailed.
(For more information about Reverse Polish Notation, see the following
link: http://en.wikipedia.org/wiki/Reverse_Polish_notation.)
2. In the Logging Email Filter section, click Add. A configuration page for
the filter appears.
Note: The conditions must be selected in the order described here. Otherwise,
the filter will be invalid. If you accidentally configure an invalid filter,
you can click Clear to remove the filter conditions and start again.
a. Select the message severity level from the Level drop-down list, and
click Add. To add more severity levels, repeat this step for each
severity level.
b. Optionally, select a software module from the Module drop-down
list, and click Add. To add more modules, repeat this step for each
module.
c. Optionally, enter a regular expression in the Pattern field to specify
message text to match on, and click Add.
d. Select the operator from the Operator drop-down list, and click Add.
6. Click OK. The new filter appears in the Logging Email Filter section on
the Log page.
e. When the log is full, the oldest entries are removed to make room
for new entries. The typical size is between 1000-30000 entries. The
default is 20000.
11. From the Log Status section, enter the following information:
FIGURE 13 Config Mode > System > Settings > Log - Status
a. Configure the log levels that will be displayed on the Monitor Mode
> Overview > Status page. You also can change the display color for
each message level. By default, all levels are enabled
b. Configure how often the Status page is automatically refreshed. The
time range can be 5-60 seconds. The default is 10 seconds.
c. Configure how many log entries can be views on the Status page.
The range of entries can be from 10-1000 messages. The default is
100 most recent messages.
The filter-num option specifies the filter number, and can be 1-8.
The operators are a set of Boolean operators (AND, OR, NOT) that specify
how the conditions should be compared.
Considerations
• You can configure up to 8 filters. The filters are used in numerical order,
starting with filter 1. When a message matches a filter, the message will
be emailed based on the buffer settings. No additional filters are used to
examine the message.
• A maximum of 8 conditions are supported in a filter.
CLI Example
The following command configures the ACOS device to buffer log mes-
sages to be emailed. Messages will be emailed only when the buffer reaches
32 messages, or 30 minutes passes since the previous log message email,
whichever happens first.
ACOS(config)#logging email buffer number 32 time 30
The following command resets the buffer settings to their default values.
ACOS(config)#no logging email buffer number time
In the current release, enabling this feature is not supported from the GUI.
Enter the following command to enable more I/O buffers for the system:
[no] big-buff-pool
Use the no version of the command to remove a larger buffer for the system.
Example:
AX5630(config)#no big-buff-pool
This will modify your boot profile to disable big I/O buffer pool.
It will take effect starting from the next reboot.
Please confirm: You want to disable the big I/O buffer pool(N/Y)?:
Y
Use the following command to view statistics for the I/O buffer pool:
Example:
AX5630(config)#show system platform buffer-stats
Buffers available in various states/threads...
-------------------------------------------
Thread Cache App APPQ Misc
-------------------------------------------
Q0 0001ec70 00000000 00000000 00000000
.
.
.
-------------------------------------------
Total=> 003fed27 00000000 00000000 00000000
-------------------------------------------
Approximate # buffers in App_cp 0
Approximate # buffers in Cache_cp 1024
Approximate # buffers in dfree 0
Approximate # buffers free 4199129
Approximate # buffers avail in HW 4183985
Network Setup
This chapter describes how to add the ACOS device to your network.
Overview
A10 Thunder Series and AX Series devices can be inserted into your net-
work with minimal or no changes to your existing network. You can insert
the ACOS device into your network as a Layer 2 switch (transparent mode)
or a Layer 3 router (route mode).
In either deployment mode, the ACOS device has a dedicated Ethernet man-
agement interface, separate from the Ethernet data interfaces. You can
assign an IPv4 address and an IPv6 address to the management interface.
Trunk Support
The ACOS device supports aggregation of multiple Ethernet data ports into
logical links, called “trunks”. Trunks can enhance performance by provid-
ing higher throughput and greater link reliability.
Although this chapter does not show trunking examples, the following
chapter does: “Link Trunking” on page 107
You can segment the ACOS device into multiple VLANs. Each Ethernet
data port can be a member of one or more VLANs, depending on whether
the port is tagged or untagged:
• Tagged – Tagged ports can be members of multiple VLANs. The port
can recognize the VLAN to which a packet belongs based on the VLAN
tag included in the packet.
• Untagged – Untagged ports can belong to only a single VLAN. By
default, all Ethernet data ports are untagged members of VLAN 1.
Note: A port actually can be an untagged member of a single VLAN, and also a
tagged member of one or more other VLANs. For example, to add a port
to a new VLAN, it is not required either to remove the port from VLAN 1,
or to change its status in VLAN 1 from untagged to tagged.
Each VLAN can have one VE. The VE ID must be the same as the VLAN
ID. For example, VLAN 2 can have VE 2, VLAN 3 can have VE 3, and so
on.
• For private partitions enabled for Layer 2/3 virtualization (both FPGA
and non-FPGA models): 32 VEs on a single port
IP Subnet Support
The ACOS device has a management interface and data interfaces. The
management interface is a physical Ethernet port. A data interface is a phys-
ical Ethernet port, a trunk group, or a Virtual Ethernet (VE) interface.
The management interface can have a single IPv4 address and a single IPv6
address.
*.
An exception is model AX 5200, which supports 384.
Routing Support
The ACOS device supports the following dynamic routing protocols:
• Open Shortest Path First (OSPF) version 2 for IPv4 and OSPFv3 for
IPv6
• Intermediate System to Intermediate System (IS-IS) for IPv4 and IPv6
• CLI Reference
For IS-IS, BGP, and RIP information, see the CLI Reference.
Note: It is recommended to set a fixed router-ID for all dynamic routing proto-
cols you plan to use on the ACOS device, to prevent router-ID changes
caused by HA or VRRP-A failover.
RBA partitions provide Layer 4-7 support and no direct access to system
and networking resources. RBA partitions are dependent on the shared par-
tition’s network resources. For details on RBA partitions, refer to “Role
Based Administration Private Partition” on page 219.
L3V partitions allow for the ACOS device to be partitioned into multiple
virtual devices, each with their own administrators. From a partition admin-
istrator’s point of view, they have management control of a complete, anton-
ymous device, separate from the other virtual devices (partitions).
High Availability
You can deploy the ACOS device as a single unit or as a High Availability
(HA) pair. Deploying a pair of ACOS devices in an HA configuration pro-
vides an extra level of redundancy to help ensure your site remains available
to clients. For simplicity, the examples in this chapter show deployment of a
single ACOS device. For information about HA, see the following chapters:
• “VRRP-A High Availability” on page 355
By default, the ACOS device attempts to use a route from the main route
table for management connections originated on the ACOS device. You can
enable the ACOS device to use the management route table to initiate man-
agement connections instead. (For information, see “Specifying the Source
Interface for Management Traffic” on page 537.)
Note: The ACOS device allows the same IP address to be configured as the
ACOS device’s global IP address, and as a NAT pool address. However,
in Layer 2 (transparent) deployments, if you do configure the same
address in both places, and later delete one of the addresses, you must
reload the ACOS device to place the change into effect.
Configuration Example
This section shows the GUI screens and CLI commands needed to config-
ure the management interface as shown in Figure 14.
2. Select Config Mode > Network > Interface > Management. (See
Figure 15.)
Figure 15 shows the GUI screen used to configure the management IP
addresses shown in Figure 14. Here and elsewhere in this guide, the
command paths used to access a GUI screen are listed in the figure cap-
tion.
4. In the IPv6 section, enter the IPv6 address, prefix length, and default
gateway address.
5. Click OK.
The following commands access the global configuration level of the CLI:
login as: admin
Welcome to AOCS
Using keyboard-interactive authentication.
Password:***
[type ? for help]
AOCS>enable
Password:(just press Enter on a new system)
AOCS#
AOCS#config
AOCS(config)#
Note: For simplicity, this example and the other examples in this chapter show
the physical links on single Ethernet ports. Everywhere a single Ethernet
connection is shown, you can use a trunk, which is a set of multiple ports
configured as a single logical link.
Configuration Example
This section shows the GUI screens and CLI commands needed to deploy
the ACOS device as shown in Figure 16.
3. Click OK.
4. On the menu bar, click LAN. The data interface table appears. (See
Figure 18.)
6. Click Enable.
The following commands enable the Ethernet interfaces used in the exam-
ple:
AOCS(config)#interface ethernet 1
AOCS(config-if:ethernet1)#enable
AOCS(config-if:ethernet1)#interface ethernet 2
Although this example shows single physical links, you could use trunks as
physical links. You also could use multiple VLANs. In this case, the IP
addresses would be configured on Virtual Ethernet (VE) interfaces, one per
VLAN, instead of being configured on individual Ethernet ports.
Configuration Example
This section shows the GUI screens and CLI commands needed to imple-
ment the configuration shown in Figure 19.
2. Click on the interface name (for example, “e1”). The configuration page
for the port appears. (See Figure 20.)
5. Click OK.
2. Enter the route information. (For an IPv4 example, see Figure 21.)
3. Click OK.
FIGURE 21 Config Mode > Network > Route > IPv4 Static
The following commands enable the Ethernet interfaces used in the exam-
ple and configure IP addresses on them:
AOCS(config)#interface ethernet 1
AOCS(config-if:ethernet1)#enable
AOCS(config-if:ethernet1)#ip address 10.10.10.2 /24
AOCS(config-if:ethernet1)#interface ethernet 2
AOCS(config-if:ethernet2)#enable
AOCS(config-if:ethernet2)#ip address 192.168.3.100 /24
AOCS(config-if:ethernet2)#interface ethernet 3
AOCS(config-if:ethernet3)#enable
AOCS(config-if:ethernet3)#ip address 192.168.1.111 /24
AOCS(config-if:ethernet3)#exit
AOCS(config-if:ethernet3)#interface ethernet 4
AOCS(config-if:ethernet4)#enable
AOCS(config-if:ethernet4)#ip address 192.168.2.100 /24
AOCS(config-if:ethernet4)#exit
Jumbo Frames
The current release adds support for jumbo frames. A jumbo frame is an
Ethernet frame that is more than 1522 bytes long.
You can enable jumbo support on a global basis. In this case, the MTU is
not automatically changed on any interfaces, but you can increase the MTU
on individual interfaces.
• On FPGA models, you can increase the MTU on individual Ethernet
interfaces up to 12000 bytes.
• On non-FPGA models, you can increase the MTU on individual Ether-
net interfaces up to 9216 bytes.
Notes:
• If your configuration uses VEs, you must enable jumbo on the individ-
ual Ethernet ports first, then enable it on the VEs that use the ports. If
the VE uses more than port, the MTU on the VE should be the same or
smaller than the MTU on each port.
• Enabling jumbo support does not automatically change the MTU on any
interfaces. You must explicitly increase the MTU on those interfaces
you plan to use for jumbo packets.
• Jumbo support is not recommended on 10/100 Mbps ports.
• On FPGA models only, for any incoming jumbo frame, if the outgoing
MTU is less than the incoming frame size, the ACOS device fragments
the frame into 1500-byte fragments, regardless of the MTU set on the
outbound interface. If it is less than 1500 bytes, it will be fragmented
into the configured MTU.
• Setting the MTU on an interface indirectly sets the frame size of incom-
ing packets to the same value. (This is the maximum receive unit
[MRU]).
• In previous releases, the default MTU is 1500 and can not be set to a
higher value.
• Jumbo frames are not supported on models AX 1030, AX 2500,
AX 2600, SoftAX, or AX-V 3000-11-GCF.
Caution: On non-FPGA models, after you enable (or disable) jumbo frame
support, you must save the configuration and reboot to place the
change into effect.
If jumbo support is enabled on a non-FPGA model and you erase the
startup-config, the device is rebooted after the configuration is
erased.
3. Click OK.
3. Click OK.
4. Click Save at the top of the GUI window to save the configuration
change.
5. Select Config Mode > System > Settings > Action > Reboot.
4. Click OK.
4. Click OK.
5. Repeat for each interface on which the MTU is greater than 1500 bytes.
8. Click OK.
4. Click OK.
5. Repeat for each interface on which the MTU is greater than 1500 bytes.
8. Click OK.
9. Click Save at the top of the GUI window to save the configuration
change.
10. Select Config Mode > System > Settings > Action > Reboot.
Caution: On non-FPGA models, you must save the configuration and reboot
after entering the “no enable-jumbo” command. If you reload or
reboot without first saving the configuration, the feature can not be
re-enabled until you first repeat the procedure above to disable it.
Then, you can re-enable the feature.
2. Use the following command at the global configuration level of the CLI:
no enable-jumbo
2. Use the following command at the global configuration level of the CLI:
no enable-jumbo
Caution: On non-FPGA models, you must save the configuration and reboot
after entering the “no enable-jumbo” command. If you reload or
reboot without first saving the configuration, the feature can not be
re-enabled until you first repeat the procedure above to disable it.
Then, you can re-enable the feature.
CLI Example
The following commands change the MTU on some Ethernet ports, then
change the MTU to the same value on the VE that uses the ports:
AX3400(config)#interface ethernet 15
AX3400(config-if:ethernet15)#mtu 6000
AX3400(config-if:ethernet15)#interface ethernet 16
AX3400(config-if:ethernet16)#mtu 6000
AX3400(config-if:ethernet16)#vlan 300
AX3400(config-vlan:300)#tagged ethernet 15 to 16
AX3400(config-vlan:300)#router-interface ve 300
AX3400(config-vlan:300)#interface ve 300
AX3400(config-if:ve300)#ip address 10.30.30.30 /24
AX3400(config-if:ve300)#mtu 6000
Configured Speed auto, Actual unknown Configured Duplex auto, Actual unknown
Member of L2 Vlan 300, Port is Tagged
Flow Control is disabled, IP MTU is 6000 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 input errors, 0 CRC 0 frame
0 runts 0 giants
0 packets output 0 bytes
Transmitted 0 broadcasts 0 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 0 bits/sec, 0 packets/sec, 0% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0% utilization
Link Trunking
This chapter describes how to configure trunk links on the ACOS device.
Overview
The ACOS device supports aggregation of multiple Ethernet data ports into
logical links, called “trunks”. Trunks can enhance performance by provid-
ing higher throughput and greater link reliability.
4. In the Interface section, click on the interface you want to associate with
the trunk and move the interface from the Available column using the
greater than redirect arrows (>>). If you want to move them back to the
Available column, select the interface, and move it back using the less
6. Click on OK.
Your static trunk will be added:
• Interface
At the trunk configuration level, you can enable or disable the trunk, add or
remove trunk members, and set port-threshold parameters. Using the dis-
able command at the trunk configuration level completely disables all ports
in the trunk.
At the interface configuration level for a trunk, you can configure interface-
related parameters such as IP, IPv6, and routing settings. You also can dis-
able or re-enable Layer 3 forwarding on the trunk.
Using the disable command at the interface configuration level for a trunk
disables Layer 3 forwarding on the trunk but does not completely disable
the trunk.
To add Ethernet data ports to the trunk, use the following command:
If the number of up ports falls below the configured threshold, the ACOS
device automatically disables the trunk’s member ports. The ports are dis-
abled in the running-config. The ACOS device also generates a log message
and an SNMP trap, if these services are enabled.
Note: After the feature has disabled the members of the trunk group, the ports
are not automatically re-enabled. The ports must be re-enabled manually
after the issue that caused the ports to go down has been resolved.
• The port threshold for the trunk is configured during runtime. (If the
threshold is set in the startup-config, the timer is not used.)
If the number of up ports falls below the configured threshold, the ACOS
device automatically disables the trunk’s member ports. The ports are dis-
abled in the running-config. The ACOS device also generates a log message
and an SNMP trap, if these services are enabled.
Enter this command at the global configuration level of the CLI. This com-
mand changes the CLI to the interface configuration level for the specified
trunk, where the following commands are available:
[no] access-list acl-num in
bfd
clear
disable
do
enable
end
exit
[no] icmp-rate-limit options
[no] icmpv6-rate-limit options
[no] interface options
[no] ip options
[no] ipv6 options
[no] isis options
[no] l3-vlan-fwd-disable
[no] mtu options
Note: The disable and enable commands at the interface configuration level for
the trunk control Layer 3 forwarding on the trunk but do not completely
disable the trunk. To control all forwarding on the trunk, use the disable
or enable command at the trunk configuration level instead.
For more information about these commands, see the “Config Commands:
Interface” chapter of the CLI Reference.
The following commands access the interface configuration level for the
trunk and assign an IPv6 address to the trunk interface:
ACOS(config)#interface trunk 7
ACOS(config-if:trunk7)#ipv6 address 2001:db8::7/32
LACP Parameters
The following LACP parameters are configurable.
UDLD
When UDLD is enabled, the UDLD uses LACP protocol packets as heart-
beat messages. If an LACP link on the ACOS device does not receive an
LACP protocol packet within a specified timeout, LACP blocks traffic on
the port. This corrects the problem by forcing the devices connected by the
non-operational link to use other, fully operational links.
A link that is blocked by LACP can still receive LACP protocol packets but
blocks all other traffic.
UDLD is disabled by default on LACP trunk links. You can enable UDLD
on individual LACP trunk interfaces.
Heartbeat Timeout
The local port waits for a configurable timeout to receive an LACP protocol
packet from the remote port. If an LACP protocol packet does not arrive
before the timeout expires, LACP disables the local port. You can set the
timeout to 1-60 seconds (slow timeout) or 100-1000 milliseconds (fast time-
out). The default is 1 second.
If the remote port begins sending LACP protocol packets again, LACP on
the local port re-enables the port.
Requirements
To operate properly, UDLD must be supported and enabled on both devices
that are using LACP trunk links.
Configuration
3. Click OK.
Note: If you administratively disable the LACP feature from members of the
trunk group, the links are not automatically re-enabled. The links must be
re-enabled manually after the issue that caused the links to go down has
been resolved.
• The port threshold for the trunk is configured during runtime. (If the
threshold is set in the “startup-config” file, the timer is not used.)
To configure the port threshold parameters for LACP trunks, do the follow-
ing.
Note: These steps assume that you have already created an LACP dynamic
trunk using Config Mode > Interface > LAN (from the LACP tab). For
details, refer to the System and Administration Guide.
1. Go to Config Mode > Network > Trunk.
The following window will appear:
4. Click on OK.
To verify your LACP configuration of the Port Threshold and the Port
Threshold Timer, do the following:
You can monitor LACP from Monitoring Mode. View the following LACP
information:
• Display LACP system IDs.
2. Assign the interface to the LACP trunk, using the following command:
[no] lacp trunk lacp-trunk-id [admin-key num]
mode {active | passive}
[unidirectional-detection]
The interface becomes a candidate member of the trunk.
3. (Optional) Specify the LACP priority of the interface, using the follow-
ing command:
[no] lacp port-priority num
You can specify 1-65535. The default is 32768.
4. (Optional) Specify the aging timeout for LACP data units from the other
end of the LACP link, using the following command:
[no] lacp timeout {short | long}
You can specify short (3 seconds) or long (90 seconds). The default
is long.
Configuring LACP
1. (Optional) Set the LACP system priority, using the following command
at the global configuration level of the CLI:
[no] lacp system-priority num
You can specify 1-65535. The default is 32768.
Enter this command at the global configuration level of the CLI. This com-
mand changes the CLI to the interface configuration level for the specified
trunk, where the following commands are available:
[no] access-list acl-num in
bfd
no
[no] ospf options
show
write
Note: The disable and enable commands at the interface configuration level for
the trunk control Layer 3 forwarding on the trunk but do not completely
disable the trunk. To control all forwarding on the trunk, use the disable
or enable command at the trunk configuration level instead.
For more information about these commands, see the “Config Commands:
Interface” chapter of the CLI Reference.
LACP Passthrough
LACP passthrough allows the ACOS device to forward traffic on one trunk
that originated on another trunk that is down. With this feature, if an LACP
trunk goes down, the other trunk is used to continue connectivity for the
traffic.
This feature can be useful in topologies that use LACP and where multiple
ACOS devices connect to the server farm. In this type of topology, if the
ACOS device acts as a proxy for client-server traffic, LACP passthrough
can help prevent sessions from being dropped following failover from one
LACP trunk to another.
In this example, two ACOS devices are connected through redundant device
pairs to clients and servers. Two VLANs are used, 210 and 220. Each
ACOS device has trunk interfaces in both VLANs:
Notes
• The current release supports LACP passthrough only on untagged
VLAN ports. Tagged ports are not supported in this release.
• Each LACP passthrough tunnel can contain two Ethernet data ports.
These ports must be in the same VLAN and use the same Virtual Ether-
net (VE) interface. On of the ports must be connected to the clients. The
other port must be connected to the servers.
• This feature requires use of the link monitoring and automatic disable
feature to bring all of a trunk’s ports down if any of its ports goes down.
(See “Link Monitoring with Automated Link Disable or Session Clear”
on page 135.)
• Similarly, the nexthop devices that connect the ACOS device to the cli-
ents and servers must be configured to bring a trunk down when any of
its member ports goes down.
• The current release has been tested only with virtual port type HTTP.
Configuration
To configure LACP passthrough:
1. Configure LACP trunk parameters. (See the System Configuration and
Administration Guide.)
2. Configure link monitoring so that the ACOS device brings all trunk
interfaces down when any of its interfaces goes down. (See “Link Mon-
itoring with Automated Link Disable or Session Clear” on page 135.)
The current release does not support this feature in the GUI.
The client-if is the Ethernet data port connected to clients. The server-if is
the Ethernet data port connected to servers.
On ACOS devices, the system MAC address is the lowest numbered MAC
address on the device.
Configuration Example
This example enables LACP on physical Ethernet data ports 1-3 and 6.
In this example, LACP has dynamically created two trunks, 5 and 10.
Trunk 5 contains ports 1 and 2. Trunk 10 contains port 6.
The following command shows details about the LACP admin keys:
ACOS#show lacp trunk admin-key-list-details
% Admin Key: 1
bandwidth: 0
mtu: 1500
duplex mode: 0
hardware type: 2
type: 0
additional parameter: 10001
ref count: 2
% Admin Key: 2
bandwidth: 1
mtu: 1500
duplex mode: 0
hardware type: 2
type: 0
additional parameter: 0
ref count: 451
% Admin Key: 3
bandwidth: 1
mtu: 16436
duplex mode: 0
The following command shows detailed information for all LACP trunks:
ACOS#show lacp trunk detail
Aggregator po5 1000000
Mac address: 00:1f:a0:02:1e:48
Admin Key: 0005 - Oper Key 0005
Receive link count: 1 - Transmit link count: 0
Individual: 0 - Ready: 1
Partner LAG- 0x0064,00-1f-a0-01-dc-60
Link: ethernet 1 (3) sync: 1
Link: ethernet 2 (4) sync: 1
The following command shows LACP information for Ethernet data port 1:
ACOS#show lacp trunk port ethernet 1
LACP link info: ethernet 1 - 3
LAG ID: 0x8000,00-1f-a0-02-1e-48
Partner oper LAG ID: 0x8000,00-1f-a0-01-dc-60
Actor priority: 0x8000 (32768)
Admin key: 0x0005 (5) Oper key: 0x0005 (5)
Physical admin key:(1)
Receive machine state : Current
Periodic Transmission machine state : Slow periodic
Mux machine state : Collecting/Distributing
Oper state: ACT:1 TIM:0 AGG:1 SYN:1 COL:1 DIS:1 DEF:0 EXP:0
Partner oper state: ACT:1 TIM:0 AGG:1 SYN:1 COL:1 DIS:1 DEF:0 EXP:0
Partner link info: admin port 0
Partner oper port: 3
Partner admin LAG ID: 0x0000-00:00:00:00:0000
Admin state: ACT:1 TIM:0 AGG:1 SYN:0 COL:0 DIS:0 DEF:1 EXP:0
Partner admin state: ACT:0 TIM:0 AGG:1 SYN:0 COL:0 DIS:0 DEF:1 EXP:0
Partner system priority - admin:0x8000 - oper:0x0064
Aggregator ID: 1000000
The ACOS device supports link monitoring with automated link disable or
session clear.
This feature monitors the link state of Ethernet data interfaces. You can
monitor Ethernet data interfaces for the following types of events:
• Link up
• Link down
The feature monitors the link state on a set of Ethernet data interfaces. If the
monitored event is detected, the ACOS device applies the specified action
to another set of interfaces.
This feature is especially useful in cases where you want to disable both
ACOS interfaces used by traffic flows through the ACOS device, if the link
on either interface goes down. (For an example, see “LACP Passthrough”
on page 126.)
Note: You can configure the feature for individual Ethernet data ports. Configu-
ration of the feature for logical interfaces such as Virtual Ethernet (VE)
interfaces is not supported.
The clear session option removes sessions from the session table. You can
configure the feature either to clear data sessions only, or to clear sessions of
all types.
Sequence Numbers
Each monitor template can contain the following types of entries:
• Monitoring entries – A monitoring entry monitors for a specific event
type (link up or link down) on a specific Ethernet data interface.
• Action entries – An action entry specifies the action to take when moni-
tored events are detected.
When you configure an entry of either type, you must specify a sequence
number, 1-16. The sequence numbers assigned to monitoring entries specify
the order in which to check the monitored ports for the specified event type.
Likewise, the sequence number assigned to action entries specify the order
in which to apply the actions.
The monitor with the lowest sequence number is performed first, then the
monitor with the next lowest sequence number is performed, and so on. For
example, monitor 1 is performed first, monitor 2 is performed second, and
so on. Likewise, if the monitored events are detected, action 1 is performed
first, then action 2, and so on.
OR and AND
Each monitor template uses one of the following logical operators:
• AND – The actions are performed only if all the monitored events are
detected. (This is the default).
• OR – The actions are performed if any of the monitored events is
detected.
The logical operator applies only to monitor entries, not to action entries.
For example, if the logical operator is OR, and at least one of the monitored
events occurs, all the actions configured in the template are applied.
You can configure the entries in any order. In the configuration, the entries
of each type are ordered based on sequence number.
Configuration
To configure link monitoring with automated link disable or session clear:
1. Configure a monitoring template. Within the template, specify the fol-
lowing parameters:
• Links (Ethernet data ports) to monitor
• Actions to perform on other links, if the monitored event is
detected:
• Clear sessions
• Disable links
• Enable links
• (Optional) Set the comparison operator for the monitoring entries:
• AND – The actions are performed only if all the monitored
events are detected.
• OR – The actions are performed if any of the monitored events is
detected.
This command creates the link monitor and changes the CLI to the configu-
ration level for it, where the following commands are available.
Monitor Configuration
Use the following command to configure a monitor entry:
[no] monitor
{
link-down eth portnum [eth portnum ...]
sequence num |
link-up eth portnum [eth portnum ...]
sequence num
}
This command specifies the links (Ethernet data ports) to monitor, and the
event type for which to monitor. The sequence number can be 1-16.
Note: The ports within a given monitor entry are always ANDed. If you specify
more than one port (eth portnum option) in the same monitor entry, the
specified event must occur on all the ports in the entry. For example, if
you specify link-down eth 9 eth 11, the link must go down on ports 9 and
11, for the link-state changes to count as a monitored event.
Action Configuration
Use the following command to configure an action entry:
[no] action
{
clear sessions [all] sequence num |
link-disable eth portnum sequence num |
link-enable eth portnum sequence num
}
Note: The clear session command clears only data sessions. To clear all ses-
sions, use clear sessions all.
Overview
LLDP allows A10 devices to discover directly-connected LAN neighbors
and allows these neighbors to discover the A10 devices. Configure LLDP
only in the shared partition.
The Link Layer Discovery Protocol Data Unit (LLDPDU) contains several
elements of variable lengths that comprise the LLCP frame. They carry
information on the type, length, and value fields (TLVs), where type identi-
fies the kind of information that is transmitted, length contains the string of
octets, and value is the actual content that is being transmitted. The manda-
tory information that is transmitted identifies the TLV for the chassis ID, the
port ID, the Time to Live, and the end of the LLDP data packet. It can also
contain zero or more optional TLVs. For the duration of an operational port,
the chassis ID and the port ID information will remain the same.
A Time to Live TLV or a non-zero TLV informs the receiving LLDP agent
to discard the LLDP data packet after the indicated time expires. A zero
TLV directs the receiving LLDP agent to discard the LLDP packet immedi-
ately. As the name suggests, the End of LLDP data packet indicates that
completion of the LLDP packet.
Configuration
This section describes how to configure LLDP.
Note: If you do not enable LLDP from the global level, but only enable it from
the interface level, LLDP will not work as designed.
BFD provides a faster failure detection mechanism than the timeout values
used by routing protocols. Routing protocol timers are multiple seconds
long, whereas BFD provides sub-second failover.
• Multihop
• Authentication
BFD Parameters
BFD is disabled by default. You can enable it on a global basis.
BFD Echo
BFD echo enables a device to test data path to the neighbor and back. When
a device generates a BFD echo packet, the packet uses the routing link to the
neighbor device to reach the device. The neighbor device is expected to
send the packet back over the same link.
BFD Timers
• Interface
BGP Support
If you run BGP on the ACOS device, you can enable BFD-based fallover
for individual BGP neighbors.
In the following example, you will see that the static routes experience a
flap when BFD is enabled. The fields to note are flagged in bold:
ACOS(config)#show ipv6 route
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
i - IS-IS, B - BGP
Timers: Uptime
The current release does not support BFD configuration using the GUI.
To enable BFD echo, use the following command at the global configura-
tion level of the CLI:
[no] bfd echo
The interval value can be 48-1000 ms, and is 800 ms by default. The min-
rx value can be 48-1000 ms, and is 800 ms by default. The multiplier value
can be 3-50 and is 4 by default.
To display BFD information for BGP neighbors, use the following com-
mand:
show ip bgp neighbor
Disable BFD
To enable BFD for all OSPF-enabled interfaces, enter the following com-
mands:
ACOS(config)#router ospf 1
ACOS(config-router)# bfd all-interfaces
Sample Configuration
Your running configuration will display your current BFD with OSPF con-
figuration:
!
interface ethernet 1
ipv6 router ospf area 0 tag 1
ip address 20.0.0.1 255.255.255.0
ip ospf bfd
!
interface ethernet 2
ipv6 router ospf area 0 tag 1
ip address 30.0.0.1 255.255.255.0
!
!
router ospf 1
bfd all-interfaces
network 20.0.0.0/24 area 0
network 30.0.0.0/24 area 0
area 1 virtual-link 40.0.0.1 fall-over bfd
!
!
bfd enable
!
To enable BFD for all OSPFv3-enabled interfaces, enter the following com-
mands:
ACOS(config)#router ipv6 ospf 1
ACOS(config-router)#bfd all-interfaces
Sample Configuration
Your running configuration will display your current BFD with OSPF for
IPv6 configuration:
!
interface ethernet 1
ipv6 address 2001::1/64
ipv6 router ospf area 0 tag 1
ipv6 ospf bfd
!
interface ethernet 2
ipv6 router ospf area 0 tag 1
ipv6 address 3001::1/64
!
!
router ipv6 ospf 1
router-id 1.1.1.1
bfd all-interfaces
area 1 virtual-link 2.2.2.2 fall-over bfd
!
!
bfd enable
!
To enable BFD for all IS-IS-enabled interfaces, enter the following com-
mands:
ACOS(config)#router isis
ACOS(config-router)#bfd all-interfaces
ACOS(config-router)#net 49.0001.0000.0000.0001.00
Sample Configuration
Your running configuration will display your current BFD with ISIS config-
uration:
!
interface ethernet 1
ip address 20.0.0.1 255.255.255.0
ip router isis
isis bfd
!
interface ethernet 2
ip address 30.0.0.1 255.255.255.0
ip router isis
isis bfd
!
!
router isis
bfd all-interfaces
net 49.0001.0000.0000.0001.00
!
!
bfd enable
!
To enable BFD for all IS-IS-enabled interfaces, enter the following com-
mands:
ACOS(config)#router isis
ACOS(config-router)#bfd all-interfaces
ACOS(config-router)#net 49.0001.0000.0000.0002.00
Sample Configuration
Your running configuration will display your current BFD with ISIS (for
IPv6 support) configuration:
!
interface ve 100
ipv6 address 2ffe:123::1/64
ipv6 router isis
isis bfd
!
router isis
bfd all-interfaces
net 49.0001.0000.0000.0002.00
!
bfd enable
Sample Configuration
Your running configuration will display your current BFD with BGP con-
figuration:
!
router bgp 1
neighbor 1.2.3.4 remote-as 2
neighbor 1.2.3.4 fall-over bfd multihop
!
!
bfd enable
!
From the global configuration mode, use the following command to add a
static BFD entry for the specified IPv4 nexthop:
ACOS(config)# ip route static bfd 20.0.0.1 20.0.0.2
In the above command, the first parameter is the IPv4 address of the local
interface. You can only use the IP addresses for interfaces to setup the BFD
session. The second parameter is the IPv4 address of the remote interface
that serves as the gateway for the static route.
From the global configuration mode, use the following command to add a
static BFD entry for the specified IPv6 nexthop:
ACOS(config)# ipv6 route static bfd 2001::1 2001::2
In the above command, the first parameter is the IPv6 address of the local
interface. You can only use the IP addresses for interfaces to setup the BFD
session. The second parameter is the IPv6 address of the remote interface
that serves as the gateway for the static route.
From the global configuration mode, use the following command to add a
static BFD entry for the specified link-local IPv6 nexthop:
ACOS(config)# ipv6 route static bfd ve 100 fe80::1
In the above command, the first parameter is the local interface name
(Ethernet, VE, or a specified trunk), and the second parameter is the remote
link-local IPv6 address that serves as the gateway.
From the global configuration mode, use the following command to modify
the global interval timer values:
ACOS(config)# bfd interval 500 min-rx 500 multi-
plier 4
This command will help configure the interval for any one of the following
three parameters and will be applied to all BFD sessions:
• DesiredMinTxInterval
• RequiredMinRxInterval
• Multiplier
From the interface configuration mode, use the following command to mod-
ify the interface interval timer values:
ACOS(config)# interface ve 10
ACOS(config-if)# bfd interval 500 min-rx 500 multi-
plier 4
Note: For a BFD session for BGP using a loopback address, for an OSPFv2 vir-
tual link, and for an OSPFv3 virtual link, the ACOS device will always
use the global timer configuration, immaterial of the timer that is config-
ured at the interface level.
Authentication
Authentication Per interface
• Keyed MD5
• Keyed SHA1
The following command is configured under the BGP (router bgp) con-
figuration mode:
ACOS(config-router)# neighbor 1.2.3.4 fall-over bfd authentication 1 md5
password-string
After you configure the global BFD echo, from the interface configuration
mode, you can enable BFD echo on a per interface basis using the following
command:
ACOS(config-if)# bfd echo
From the interface configuration mode, you can enable the demand mode to
work in conjunction with the echo function using the following command:
ACOS(config-if)# bfd echo demand
Asynchronous Mode
The Asynchronous mode is the default mode of operation for BFD. In this
mode, systems establish connectivity and know of each other’s existence by
periodically exchanging BFD Control packets. A session between two con-
nected systems is only declared down after several packets in a row are not
received by the other system. BFD will operate in this mode if you do not
configure or enable echo or demand.
To check the BFD neighbor status, from the EXEC mode, execute the show
bdf neighbors command:
ACOS# show bfd neighbors
Our Address Neighbor Address State Holddown txint mult diag
219.0.0.1 219.0.0.2 Up 150 50 3 3/0
219.0.1.1 219.0.1.2 Up 150 50 3 3/0
219.0.2.1 219.0.2.2 Up 150 50 3 0/0
219.0.3.1 219.0.3.2 Up 150 50 3 0/0
219.0.4.1 219.0.4.2 Up 150 50 3 3/0
219.0.5.1 219.0.5.2 Up 150 50 3 3/0
219.0.6.1 219.0.6.2 Up 150 50 3 0/0
219.0.7.1 219.0.7.2 Up 150 50 3 3/0
To check the BFD neighbor detailed status, from the EXEC mode, execute
the show BDF neighbors detail command:
ACOS# show bfd neighbors detail
Our Address 219.0.0.1
Neighbor Address 219.0.0.2
Clients OSPFv2, IS-IS
Singlehop, Echo disabled, Demand disabled, UDP source port 53214
Asynchronous mode, Authentication None
CPU ID 2, Interface index 93
Local State Up, Remote State Up, 2h:29m:45s up
Local discriminator 0x00000fdf, Remote discriminator 0x0000006f
Config DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milli-
seconds
Local DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 millisec-
onds
Remote DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milli-
seconds
Local Multiplier 3, Remote Multiplier 3
Hold Down Time 150 milliseconds, Transmit Interval 50 milliseconds
Local Diagnostic: Neighbor Signalled Session Down(3)
Remote Diagnostic: No Diagnostic(0)
Last sent echo sequence number 0x00000000
Control Packet sent 215226, received 215195
Echo Packet sent 0, received 0
This chapter describes gateway health monitoring and how to configure it.
Notes
• Gateway health monitoring is useful in cases where there is more than
one route to a destination. In this case, the ACOS device can discard the
routes that use unresponsive gateways. If there is only one gateway, this
feature is not useful.
• Gateway health monitoring and SLB server health monitoring are inde-
pendent features. If a gateway fails its health check, a server reached
through the gateway is not immediately marked down. The status of the
server still depends on the result of the SLB server health check.
• If you plan to use gateway health as a failover trigger for High Avail-
ability (HA), a different configuration option is required. See “Gateway-
based Failover” on page 285 (for the older implementation of HA) or
“Dynamic Priority Reduction” on page 365 (for VRRP-A).
Overview
Gateway health monitoring uses ARP to test the availability of nexthop
gateways. When the ACOS device needs to send a packet through a gate-
way, the ACOS device begins sending ARP requests to the gateway.
• If the gateway replies to any ARP request within a configurable timeout,
the ACOS device forwards the packet to the gateway.
• The ARP requests are sent at a configurable interval. The ACOS device
waits for a configurable timeout for a reply to any request. If the gate-
way does not respond to any request before the timeout expires, the
ACOS device selects another gateway and begins the health monitoring
process again.
Note: It is recommended not to use a timeout value smaller than 3 times the
interval value. This is especially true for short interval values.
Configuration
Gateway health monitoring is disabled by default. To enable it, use either of
the following methods.
slb gateway-health-check
[interval seconds [timeout seconds]]
CLI Example
The following command enables gateway health monitoring with the
default settings:
ACOS(config)#slb gateway-health-check
Each IPv6 link can run up to 65535 OSPFv3 processes, on the same link.
Interface Configuration
The following commands configure two physical Ethernet data interfaces.
Each interface is configured with an IPv4 address and an IPv6 address. Each
interface also is added to OSPF area 0 (the backbone area).
The link-state metric (OSPF cost) of Ethernet 2 is set to 30, which is higher
than the default, 10. Based on the cost difference, OSPF routes through
Ethernet 1 will be favored over OSPF route through Ethernet 2, because the
OSPF cost of Ethernet 1 is lower.
interface ethernet 1
ip address 2.2.10.1 255.255.255.0
ipv6 address 5f00:1:2:10::1/64
ipv6 router ospf area 0 tag 1
!
interface ethernet 2
ip address 3.3.3.1 255.255.255.0
ipv6 address 5f00:1:2:20::1/64
ip ospf cost 25
ipv6 router ospf area 0 tag 1
Configuration Examples
The following command clears all OSPFv2 neighbors:
ACOS(config)#clear ip ospf neighbor all
OSPF Logging
Router logging is disabled by default. You can enable router logging to one
or more of the following destinations:
• CLI terminal (stdout)
• Local file
Note: Log file settings are retained across reboots but debug settings are not.
Note: Enabling debug settings that produce lots of output, or enabling all debug
settings, is not recommend for normal operation.
For additional syntax information, including show and clear commands for
router logging, see the CLI Reference.
To enable output to the local logging buffer, use the following command at
the global configuration level of the CLI:
router log syslog
To enable output to a local file, use the following command at the global
configuration level of the CLI:
[no] router log file
{
name string |
per-protocol |
rotate num |
size Mbytes
}
To enable output to a remote log server, use the following command at the
global configuration level of the CLI:
logging host ipaddr [ipaddr...]
[port protocol-port]
• 1 or alert
• 2 or critical
• 3 or error
• 4 or warning
• 5 or notification
• 7 or debugging
To change the severity level for messages output to the local logging buffer,
use the following command at the global configuration level of the CLI:
logging buffered severity-level
To change the severity level for messages output to external log servers, use
the following command at the global configuration level of the CLI:
logging syslog severity-level
To change the severity level for messages output to a file, use the following
command at the global configuration level of the CLI:
router log trap severity-level
To change the facility, use the following command at the global configura-
tion level of the CLI:
logging facility facility-name
• local1
• local2
• local3
• local4
• local5
• local6
• local7
The ipv6 option enables debugging for OSPFv3. Without the ipv6 option,
debugging is enabled for OSPFv2.
CLI Example
The following commands configure OSPFv2 logging to a local file.
ACOS(config)#router log file name ospf-log
ACOS(config)#router log file per-protocol
ACOS(config)#router log file size 100
ACOS(config)#debug a10 ospf all
ACOS(config)#debug ospf packet
These commands create a router log file named “ospf-log”. The per-proto-
col option will log messages for each routing protocol separately. The log
file will hold a maximum 100 MB of data, after which the messages will be
saved in a backup and the log file will be cleared.
The following command displays the contents of the local router log file:
ACOS(config)#show router log file ospfd
2010/04/21 09:57:20 OSPF: IFSM[ve 3:1.1.1.2]: Hello timer expire
2010/04/21 09:57:20 OSPF: SEND[Hello]: To 224.0.0.5 via ve
3:1.1.1.2,
length
64
2010/04/21 09:57:20 OSPF:
-----------------------------------------------------
DHCP Overview
Dynamic Host Configuration Protocol (DHCP) is a mechanism commonly
used by clients to auto-discover their addressing and other configuration
information when connected to a network. You can enable use of DHCP to
dynamically configure IP addresses on the following types of interfaces:
• Management interface – A single IP address can be assigned.
Likewise, a new configuration option for VIPs and IP NAT pools enables
the VIP or pool to use the DHCP-assigned address of a given data interface.
If this option is enabled, ACOS updates the VIP or pool address any time
the specified data interface’s IP address is changed by DHCP.
Notes
• DHCP can be enabled on an interface only if that interface does not
already have any statically assigned IP addresses.
• On ACOS devices deployed in gateway (Layer 3) mode, Ethernet data
interfaces can have multiple IP addresses. An interface can have a com-
bination of dynamically assigned addresses (by DHCP) and statically
configured addresses. However, if you plan to use both methods of
address configuration, static addresses can be configured only after you
finish using DHCP to dynamically configure addresses. To use DHCP in
this case, you must first delete all the statically configured IP addresses
from the interface.
• On SoftAX models, if single-IP mode is used, DHCP can be enabled
only at the physical interface level.
• On devices deployed in Transparent (Layer 2) mode:
• you can enable DHCP on the management interface and at the
global level.
• The VIP address and pool NAT address (if used) should match the
global data IP address of the device. Make sure to enable this option
when configuring the VIP or pool.
Configuring DHCP
You can configure the ACOS device to relay DHCP traffic between DHCP
clients and DHCP servers located in different VLANs or subnets.
DHCP relay is supported only for the standard DHCP protocol ports:
• Boot protocol server (BOOTPS) – UDP port 67
The ACOS device then places the receiving interface’s IP address (not the
helper address) in the relay gateway address field, and forwards the DHCP
packet to the server. When the DHCP server replies, the ACOS device for-
wards the response to the client.
Notes
• In the current release, the helper-address feature provides service for
DHCP packets only.
• The interface on which the helper address is configured must have an IP
address.
• The helper address can not be the same as the IP address on any inter-
face or an IP address used for SLB.
The current release does not support this feature in the GUI.
Note: ACOS 2.7.1 provides support for 2 IP helper addresses per Ethernet inter-
face. Previous releases supported only one. The configuration syntax is
unchanged.
To clear statistics counters for DHCP relay, use the following command:
clear ip helper-address statistics
CLI Example
The following commands configure two helper addresses. The helper
address for DHCP server 100.100.100.1 is configured on Ethernet interface
1 and on Virtual Ethernet (VE) interfaces 5 and 7. The helper address for
DHCP server 20.20.20.102 is configured on VE 9.
ACOS(config)#interface ethernet 1
IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:
RX: 16
BootRequest Packets : 16
BootReply Packets : 0
TX: 14
BootRequest Packets : 0
BootReply Packets : 14
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14
BootRequest Packets : 0
BootReply Packets : 14
TX: 14
BootRequest Packets : 14
BootReply Packets : 0
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 0
Dest Processing Err : 0
Note: The ACOS software does not support the complete IGMP protocol or the
generation of generic membership queries for IGMPv3 or Multicast Lis-
tener Discovery (MLDv2).
Previous releases of the ACOS software did not provide support for the
IGMPv2 protocol at all, hence it did not provide IGMP membership query
support.
• The devices will not process any responses for this query request.
• Uses the default values for membership query request wherever possi-
ble.
• Provides the ability to configure the time interval for generation of these
membership queries per interface using the CLI.
• Provides support for this feature with Layer 3 Virtualization (L3V).
IGMP membership queries are supported in routed mode only and will not
be supported in non-routed mode.
In Routed Mode
In Figure 26, the interface for devices 1 and 2 are acting in routed mode,
that is, the IP address has been configured on the interface. When the inter-
In Non-Routed Mode
In Figure 26, the Device 2 device is acting as a switch and both Eth 11 and
Eth12 on the Device 2 device are in non-routed mode. Eth1 on the Device 1
device and Eth2 on the Device 2 device are configured in routed mode.
Hence Eth1 interface on the Device 1 device and Eth2 on the Device 3
device can be configured to generate IGMP Membership Queries.
In this case, when the Device 2 device receives IGMP Membership Queries
on Eth11 (generated by the Device 1 device) and Eth 12 (generated by the
Device 3 device) it will accept these packets and just switch them as it
would any other packet. More importantly, it will not drop these packets
since Eth11 and Eth12 on Device 2 are acting in non-routed (switched)
mode.
The query-timer represents the time interval (1-255 seconds) after which
your device (using the interface under which you are configuring this fea-
ture) will initiate an IGMP membership query request. Since this timer is
valid only per interface and it must be configured per interface. The default
query timer is 125 seconds. This means that IGMP membership queries will
be sent every 125 seconds from the configured interface.
The response-timer represents the time interval (in 1/10 of a second) before
which receiving devices will send an ICMP query message response to indi-
cate intention to join the IGMP group or not. Since this timer is valid only
for a particular interface, it must be configured per interface. The default
response timer is 100. This means that receiving devices have 10 seconds in
which to indicate if they will join the IGMP membership group or not.
Configuration Examples
To configure IGMP membership request queries on a physical interface, do
the following:
AX(config-if)#interface ethernet 2
AX(config-if:ethernet2)#ip address 192.168.1.1 /24
AX(config-if:ethernet2)#ip igmp generate-membership-query 10 max-resp-time
50
Overview
Application Delivery Partitions (ADPs) provide aggregated services that
include networking, system, and application resources. In addition, they also
provide a mechanism to administer any given partition.
Root admins can modify any partition, regardless of the partition being a
shared, RBA, or L3V partition.
If you do not wish to logically segment the shared partition, you do not need
to do so. You can configure the shared partition and do not need to create or
administer either an RBA or an L3V user-created private partition. In other
words, creation of user-partitions are completely optional.
Partition Benefits
Understanding the benefits of partitioning will help you determine whether
or not partitioning is meaningful or necessary in your environment. Parti-
tioning allows the ACOS device to be logically segmented to support sepa-
rate configurations for different customers. For example, separate
companies or separate departments within an enterprise may prefer to have
their content isolated from other departments.
Within each ADP partition, you can have several different types of
resources:
Admins assigned to the partition for A.com can add, modify, delete and save
only those resources contained in A.com's partition. Likewise, B.com's
admins can add, modify, delete and save only the resources in B.com's parti-
tion. For a better understanding of administrative roles, refer to “Adminis-
trative Roles” on page 200.
Types of Partitions
The ACOS device has a single shared partition and can have multiple pri-
vate partitions. By default, the ACOS device does not have any private par-
titions. An ACOS device can contain the following types of resource
partitions:
• Shared partition – The shared partition contains system and network-
ing resources. There is one shared partition for an ACOS device and it is
the default partition. The shared partition cannot be deleted.
• Private RBA partitions – Partitions that provide Layer 4-7 support are
referred to as RBA partitions. The RBA partition contains application
(SLB) resources only. System or networking resources reside in the
shared partition and not in the individual RBA private partitions. Creat-
ing an RBA partition is optional, not mandatory. An RBA partition can
be created, configured and deleted by a root admin and configured by
the partition administrator. The partition admin has access to configure
all applications within the partition. For system and network resources,
the partition admin will depend on the root admin for configuration
help. For details on RBA partitions and supported resources, refer to
“Role Based Administration Private Partition” on page 219.
• Private L3V partitions – Partitions that provide Layer 2-7 support are
referred to as L3V partitions. An L3V private partition contains applica-
tion (SLB) resources, networking resources, and the system resources.
In essence, each L3V partition can operate as an independent ACOS
device. Creating an L3V partition is optional, not mandatory. An L3V
partition can be created, configured and deleted by a root admin and
configured by the partition administrator. The partition admin has access
to configure all applications, network, and system resources within the
partition. For system and network resources, the partition admin will
depend on the root admin for configuration help. For details on L3V
partitions and supported resources, refer to “Layer 3 Virtualization of
Private Partitions” on page 227.
Table 9 lists the A10 Thunder and AX models that support RBA and L3V
partitions. The following table displays the maximum number of private
partitions that can run RBA or L3V.
Partition Logos
Each private partition has a logo file associated with it. The logo appears in
the upper left corner of the Web GUI. By default, the A10 Networks logo is
used. Partition admins can replace the A10 Networks logo with a company
logo. The recommended logo size is 180x60 pixels.
The following examples show Web GUI pages for two private partitions. A
company-specific logo has been uploaded for each partition.
Partition-Based Logging
Note: You can configure either dedicated logging within private partition or use
the partition shared to use shared partition logging capabilities.
On ACOS devices that do not support Layer 2/3 virtualization, the output of
the log command in aFleX scripts is written into the log of the shared par-
tition, even if the aFleX script is active in a private partition.
Admins with the proper privilege level can configure local and remote log-
ging for the partition. Partition-based logging applies to the following types
of log messages:
• Admin session open/close
Note: If the private partition is running from compact flash instead of the hard
drive, the default is 600 logs. The configurable range is 200-1000 logs.
Partition-Based Banners
Admins with the “write” or “write partition” access privilege level can con-
figure the banner message displayed when the Privileged EXEC level of the
CLI is accessed by a partition admin.
You may configure the default as a single or multiple lines. For details on
configuring banners using the CLI or GUI, refer to the “Basic Setup” on
page 43.
Once within a private partition, access GUI pages based on your privilege
level. If you only have read access, you will not be able to enter the config
mode. You can use show commands only. For example:
AX2500>enable
Password:
AX2500#
AX2500#config
You cannot configure neither the shared nor any other private partition apart
from your own.
Administrative Roles
Admins with Read Write privileges (also known as root admins) can config-
ure other admin accounts, including partition admin accounts. Each account
includes a GUI access role, a CLI privilege level, or both.
The following GUI access roles and privilege levels are supported:
• GUI access roles for private partition admins:
• PartitionReadWrite
Each private partition admin can have one GUI access role and one CLI
privilege level.
Table 10 describes the GUI access roles and CLI privilege levels.
Table 11 describes the GUI access roles and CLI privilege levels for shared
partition administrators.
TABLE 11 Shared and Private Partition Root Admin Privilege Level
GUI Access Role CLI Privilege Level Access to Shared Access to Private
Partition Partition
Note: For the PartitionSlbServiceOperator role under the Access to Private Par-
tition section, it says: “All access is restricted to the partition to which the
admin is assigned”. This applies to all partition roles.
2. Click Add.
4. Enter the password for the new admin account in the Password and Con-
firm Password fields.
Note: To allow access from any host, leave the Trusted Host IP Address and
Netmask fields blank.
6. Select the role from the Role drop-down list. The role defines the read or
write access allowed to the admin for each GUI page. (See “GUI Access
Roles” on page 462.)
10. Click OK. The new admin appears in the Admin table.
Note: For information about the SSH Key File section, see “SSH Public Key
Authentication for SSH Management Access” on page 476.
11. Click OK. The new admin appears in the admin list.
[no] privilege
{partition-write | partition-read |
partition-enable-disable}
partition-name
The default login is “admin” and the password “a10” (this is what it is
shipped with). An admin can be created without specifying a password. In
this case, the ACOS will give that admin the default password of “a10”.
For example, to create an admin called “xyz,” enter the following com-
mands:
AX2500(config)#admin xyz
AX2500(config-admin:xyz)#exit
To specify password:
The privilege command specifies the privilege level for the account and
assigns the account to a partition.
Note: The option takes affect immediately, even for private partition admins
who have active sessions. However, if a private partition admin is already
in the shared partition, this option does not force the admin to leave the
partition.
The current release does not support configuration of this option in the GUI.
To disable all private partitions admins from accessing the shared partition,
use the following command at the global configuration level of the CLI:
[no] partition no-sharing
Deleting a Partition
Only an admin with Read Write privileges can delete a partition. When a
partition is deleted, all resources within the partition also are deleted.
Note: When you delete a partition, resources associated with the partition are
permanently deleted. This includes SSL certificates and keys, and aFleX
scripts. These resources are deleted even if you reload or reboot without
saving the configuration. In this case, the partition configuration is
restored but the resources are still gone.
3. Select the partition. (Click the checkbox next to the partition name.)
4. Click Delete.
no partition [partition-name]
If you do not specify a partition name, the CLI displays a prompt to verify
whether you want to delete all partitions and the resources within them.
Enter “y” to confirm or “n” to cancel the request.
Admins with Read Write privileges can save resources in any partition.
Admins with Partition-write privileges can save only the resources within
their own partition.
show running-config
[all-partitions | partition partition-name]
show startup-config
[all-partitions | partition partition-name]
If you enter the command without either option, the command shows only
the resources that are in the shared partition.
The all-partitions option shows all resources in all partitions. In this case,
the resources in the shared partition are listed first. Then the resources in
each private partition are listed, organized by partition.
To save the configuration in the GUI, click the Save button on the title bar.
The GUI automatically saves only the resources that are in the current parti-
tion view. For example, if the partition view is set to the “companyB” pri-
vate partition, only the resources in that partition are saved.
write memory
[all-partitions | partition partition-name]
If you enter the command without either option, the command saves only
the changes for resources that are in the current partition.
The all-partitions option saves changes for all resources in all partitions.
If you specify a private partition-name, only the changes for the resources
in that partition are saved.
Note: The all-partitions and partition partition-name options are not applica-
ble for admins with Partition-write privileges. Partition admins can only
save their respective partitions. For these admins, the command syntax is
the same as in previous releases. The options are available only to admins
with Read Write privileges.
To change the view to a private partition, use either of the following meth-
ods.
2. Click Yes.
3. Click the Refresh button next to the Partition drop-down list. You must
refresh the page in order for the view change to take effect.
Use the following command at the Privileged EXEC level of the CLI:
If the ACOS device uses the ACOS Virtual Chassis System (aVCS) feature,
configuration synchronization is automatic. (See “Automated Configuration
Synchronization” on page 463.) Otherwise, the configuration must be syn-
chronized manually.
Manual Synchronization
When an admin assigned to a private partition manually synchronizes the
configuration to the other ACOS device in a High-Availability (HA) pair,
the resources in the private partition are synchronized for that partition. No
other resources are synchronized.
An admin with Read Write privileges can specify any partitions(s) to syn-
chronize.
The ha sync commands enable you to specify the partition and the IP
address of the target device. For admins with Read Write privileges, here is
the syntax for the ha sync commands:
ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name] ipaddr
ha sync startup-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name] ipaddr
ha sync running-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name] ipaddr
ha sync data-files
[all-partitions | partition partition-name] ipaddr
For admins logged on with Partition Write privileges, the following syntax
is available:
ha sync all to-startup-config ipaddr
ha sync startup-config to-startup-config ipaddr
ha sync running-config to-startup-config ipaddr
ha sync data-files ipaddr
Admins with Partition Write privileges are not allowed to synchronize to the
running-config or to reload the other ACOS device.
Note: Service port statistics are not available in the GUI. To display service port
statistics, use the CLI instead.
2. Select the checkbox next to each server you want to disable or re-enable,
or click Select All to select all of the servers.
Note: Although the GUI displays the Delete and New buttons, these buttons are
not supported for admins with Partition Real Server Operator privileges.
2. Select the checkbox next to each server for which you want to disable or
re-enable service ports, or click Select All to select all of the servers.
3. Click Edit.
7. Click OK.
CLI Example
The following commands access the configuration level and disable real
server “compArs1” and verify the change:
ACOS[companyA]>enable
Password:********
ACOS[companyA]#config
ACOS[companyA](config)#slb server compArs1
ACOS[companyA](config-real server)#disable
ACOS[companyA](config)#show slb server compArs1
Total Number of Services configured on Server compArs1: 1
Current = Current Connections, Total = Total Connections
Fwd-pkt = Forward packets, Rev-pkt = Reverse packets
Service Current Total Fwd-pkt Rev-pkt Peak-conn State
---------------------------------------------------------------------------------
compArs1:80/tcp 0 0 0 0 0 Down
compArs1: Total 0 0 0 0 0 Disabled
ACOS[companyA](config)#show slb server compArs1 config
Total Number of Services configured on Server compArs1: 1
H-check = Health check Max conn = Max. Connection Wgt = Weight
Service Address H-check Status Max conn Wgt
------------------------------------------------------------------------------
compArs1:80/tcp 7.7.7.7 Default Enable 1000000 1
compArs1 7.7.7.7 Default Disable 1000000 1
Overview
Role Based Administration (RBA) partitions provide Layer 4-7 support and
no direct access to system and networking resources. RBA partitions are
dependent on the shared partition’s network resources. If an administrator
has read and write privileges to all partitions, the admin can add VLANs,
VEs, and assign IP addresses to the RBA partition. However, the configura-
tion will be visible as part of the shared partition, and not the RBA partition.
The following graphic represents how an ACOS device can be carved into
separate RBA partitions.
Resource names must be unique within a partition. However, the same name
can be used for resources in different partitions. For example, partitions
“A.com” and “B.com” can each have a real server named “rs1”. The ACOS
device is able to distinguish between them.
All RBA partitions depend on the shared partition for the following net-
working and system resources. The resources in the shared partition are not
configurable by admins assigned to the RBA private partitions. However, as
the “root admin” who has read and write privileges, you can configure net-
working and system resources in the shared partition (that may be tweaked
by a root or an ‘all partition’ admin).
The ACOS device will automatically assign an ID when you create a parti-
tion. This ID will be chronological in order. For example, when you create
two partitions, the first RBA partition will be called “rba1” and the second
one will be called “rba2.”
• Layer 2 (System) resources:
• VLANs
• Virtual Ethernet (VE) interfaces
• Static MAC entries
3. Configure any SLB shared resources that you want to make available to
multiple private partitions. (For information about configuring SLB
resources, see the SLB configuration chapters in this guide.)
Note: This document shows how to set up partitions and assign admins to them.
The partition admins will be able to configure their own SLB resources.
However, you will need to configure connectivity resources such as inter-
faces, VLANs, routing, and so on. You also will need to configure any
additional admin accounts for the partition.
3. Click Add.
The Partition section appears.
4. Enter a name for the partition. This is similar to using the partition
name command.
6. To upload a logo for the partition, click Browse and navigate to the logo
file.
FIGURE 33 Config Mode > System > Admin > Partition - List
Note: In show partition output, the ID is listed in the Index column. The Index
column also lists potential IDs for partitions to which IDs have not been
assigned. However, these potential IDs do not appear in the configuration
(running-config or startup-config). Information on all user-created private
RBA or L3V partitions will also be displayed.
The above command denotes that the rba admin created will have read and
write access for axapi, webui, and cli.
AX3400(config-admin:admin-rba1)#exit
5. Display your RBA partition configuration using the show running com-
mand. RBA partitions will only show Layer 4-7 configuration such as
configuration of servers, service-groups, and VIPs. It will not display
any network resources, such as VLANs, VEs, or interfaces, since RBA
partitions do not provide configurable network resources.
AX3400[rba1](config)#show running
!Current configuration: 543 bytes
!
The show admin command shows privilege information for CLI access as
follows:
• R/W – The admin has Read-Write privileges.
Overview
The A10 Thunder Series and AX Series provide Virtualized Management
through Layer 3 Virtualization (L3V). L3V allows administrators
(“admins”) to configure and view network and SLB resources based on
administrative domains (“partitions”). In addition to providing separate par-
titions for these types of resources, L3V partitions support direct access to
networking resources per partition. Layer 2/3 virtualization can be enabled
on individual partitions, allowing partitions to own their own network
resources.
L3V partitions are part of the Application Delivery Partitions (ADP) feature
providing aggregated services that include networking, system, and applica-
tion resources. In addition, they also provide a mechanism to administer any
given partition. For details on partitioning, refer to “Application Delivery
Partitions” on page 193. L3V partitions provide a mechanism to segment a
single ACOS device into multiple instances that behave independent of
each other.
The following graphic represents how an ACOS device can be carved into
separate L3Vpartitions (network-enabled partition).
Layer 3 Virtualization (L3V) allows the ACOS device to split layer 2, 3, and
4-7 resources in multi-instance architecture enabling virtual segmentation
for multi-client organizations. Specifically, in a corporation or at a service
provider where many clients use the same load balancer, an administrator
can create multiple private partitions and then control access to each organi-
zation’s configuration or space. Each organization then can authenticate
their own partition and configure their own devices as if they were a com-
pletely, separate organization.
Every configured device has one shared partition. By default, all partitions
will have access to the shared partition unless the administrator restricts
access to the shared partition. For example, when a user logs into a device,
the user will also have access, although limited, to the shared partition. For
instance, the limited access will include access to templates.
The administrator may create partitions using CLI or GUI. For details on
configuring partitions, refer to “L3V Partition Configuration” on page 236.
L3V Advantages
Content Isolation—A partition administrator will be able to create
servers, service-groups, VIPs, templates, and aFleX scripts per parti-
tion. However, everything will be in a network that is totally indepen-
dent from that of a shared or any other L3V partition.
Without these capabilities, each partition will not have direct access to net-
working resources. For details on L3V, refer to “Layer 2/3 Virtualization”
on page 230.
For example, the administrator, as a root user, can access partition 1, assign
a particular interface, configure the interface, tag a VLAN, assign a VLAN
to that interface, and control access to the VLAN against unauthorized use.
All other types of resources can reside only in the shared partition and are
not configurable by admins assigned to private partitions but can be
tweaked by a root or ‘all partition’ admin.
After creating and assigning users to a partition, the administrator may then
configure all resources to the partition.
Each partition has its own MAC table and ARP table, and its own IPv4 and
IPv6 route tables. They are completely separate from the MAC, ARP, and IP
route tables in other partitions.
After a network resource belongs to a partition, the resource does not appear
in show command output except for the L3V partition and the partition to
which the interface belongs. Likewise, statistics for the resource are not
included in the statistics counters for other private partitions.
The current release adds support for jumbo frames. A jumbo frame is an
Ethernet frame that is more than 1522 bytes long. For details, refer to
“Jumbo Frames” on page 101.
Requirements
Layer 2/3 resources must be unique within a given partition. However, some
types of Layer 2/3 resources can be the same in multiple partitions, as long
as they remain unique within a given partition:
• VE number
Note: VE numbers must be unique and must match the VLAN ID in an L3V
partition. If a VLAN ID already belongs to a shared or another L3V parti-
tion, do not re-use it.
• NAT pool
• Interface IP addresses
For example, multiple partitions can use a real server that has IP address
10.10.10.10, but a given partition can have only one instance of the server.
TABLE 12 Operational Comparison Between Layer 2/3 Virtualization Enabled and Disabled
Layer 2/3 Virtualization Enabled Layer 2/3 Virtualization Disabled
Resource Private Partition Shared Partition Private Partition Shared Partition
Port state Enabling and Enabling and Enabling and Enabling and
disabling allowed disabling of any disabling allowed disabling allowed
port allowed from
shared partition
Untagged VLAN Visible only in the Visible in the shared Visible in all the Visible in the shared
ports partition they partition private partitions partitions
belong to Cannot be config- Can be configured, Can be configured,
Cannot be config- ured if it belongs to disabled, enabled disabled, enabled
ured from a some partition other from all the from the shared par-
partition which they than shared partitions tition
do not belong to
Tagged VLAN ports Visible in all the Visible in all the Visible in all the Visible in all the
partitions partitions partitions partitions
Disabling or Disabling or Disabling or Disabling or
enabling a tagged enabling a tagged enabling a tagged enabling a tagged
port within a parti- port within the port within a parti- port in the shared
tion does not dis- shared partition also tion also disables or partition also dis-
able the port in disables the port in enables the port in ables or enables the
other partitions all other partitions other partitions port in all private
partitions
Trunks Allowed Allowed Allowed Allowed
Note: The trunk can
be configured only
in the shared parti-
tion.
VLANs Same VLAN ID Same VLAN ID Same VLAN ID Same VLAN ID
cannot be config- cannot be config- cannot be config- cannot be config-
ured in different ured in shared parti- ured in different ured in shared parti-
partitions tion partitions tion
VEs Same VE numbers Same VE numbers Same VE numbers Same VE numbers
are not allowed in are not allowed in not allowed in dif- not allowed in dif-
different partitions. the shared partition. ferent partitions ferent partitions
The VE must match The VE must match
the VLAN ID, so the VLAN ID, so
cannot be re-used. cannot be re-used.
The CLI and GUI syntax for configuring and monitoring these features is
the same as in previous releases. Configuration of these features takes effect
in the partition where the configuration is performed.
Note: This enhancement applies only to partitions in which Layer 2/3 virtualiza-
tion is enabled. If Layer 2/3 virtualization is disabled, these features can
not be configured within the partition.
• DNS caching
• Session filtering
• Real port
• Virtual server
• Virtual port
Note: This behavior applies only to partitions on which Layer 2/3 virtualization
is enabled. This behavior does not apply to feature templates such as
HTTP, TCP, or source-IP persistence templates.
This behavior is available only if access to the shared partition by private
partition admins is disabled. This access is enabled by default. (See “Con-
figuration Examples” on page 239.)
Limitations
3. Configure any SLB shared resources that you want to make available to
multiple private partitions. (For information about configuring SLB
resources, see the SLB configuration chapters in this guide.)
Note: This document shows how to set up partitions and assign admins to them.
The partition admins will be able to configure their own SLB, network,
and system resources.
4. Enter a name for the network partition. (This is similar to the partition
name network-partition ID CLI command).
6. To upload a logo for the partition, click Browse and navigate to the logo
file.
FIGURE 35 Config Mode > System > Admin > Partition - List
Note: In show partition output, the ID is listed in the Index column. The Index
column also lists potential IDs for partitions to which IDs have not been
assigned. However, these potential IDs do not appear in the configuration
(running-config or startup-config). Information on user-created private
RBA or L3V partitions will also be displayed.
3. Assign privileges for that role and identify if the admin can write to the
axapi, web, or CLI:
privilege partition-write partition-name
access axapi web cli
4. Now that the admin has been successfully created, login to the partition
using the admin account:
login as: admin-partition-name
6. View your running configuration using the show running. Since you
have created an L3V partition, you can see and configure Layer 3 net-
work resources, such as VLANs, VEs, and IP Addresses.
Configuration Examples
Example 1: Simple L3V Partition Configuration
AX3400-Active[l3v1]>enable
Password:
AX3400-Active[l3v1]#config
AX3400-Active[l3v1](config)#
5. View your running configuration. Since you have created an L3V parti-
tion, you can see and configure Layer 3 network resources, such as
VLANs, VEs, and IP Addresses:
AX3400-Active[l3v1](config)#show running
!Current configuration: 596 bytes
!
!Configuration last updated at 20:03:00 PDT Thu Aug 30 2012
!
active-partition l3v1
vlan 50
tagged ethernet 1
router-interface ve 50
!
vlan 60
tagged ethernet 1
router-interface ve 60
!
!
interface ethernet 1
mtu 9216
!
interface ve 50
ip address 50.50.50.1 255.255.255.0
!
interface ve 60
ip address 60.60.60.1 255.255.255.0
!
slb server s1-l3v 60.60.60.20
port 80 tcp
!
slb service-group s1-80 tcp
service-group s1-80
The following commands log onto the CLI and access partition dmz2:
login as: admin-dmz2
Welcome to ACOS
Using keyboard-interactive authentication.
Password:***
[type ? for help]
ACOS[dmz2]>enable
ACOS[dmz2]#configure
ACOS[dmz2](config)#
The following command displays the list of Ethernet interfaces. The inter-
faces that belong exclusively to partition dmz1 are not included. Interface 1
is listed, since it is a tagged member of dmz1’s VLAN. However, interface 2
is not listed, since it is an untagged member of dmz1’s VLAN. Likewise,
dmz1’s VE is not listed.
ACOS[dmz2]#show interfaces brief
Port Link Dupl Speed Trunk Vlan MAC IP Address IPs Name
------------------------------------------------------------------------------------
mgmt Up Full 100 N/A N/A 001f.a001.d020 192.168.20.10/24 1
1 Up Full 1000 N/A Tag 001f.a002.0870 0.0.0.0/0 0
3 Disb None None None 1 001f.a002.0872 0.0.0.0/0 0
4 Disb None None None 1 001f.a002.0873 0.0.0.0/0 0
5 Disb None None None 1 001f.a002.0874 0.0.0.0/0 0
6 Disb None None None 1 001f.a002.0875 0.0.0.0/0 0
7 Disb None None None 1 001f.a002.0876 0.0.0.0/0 0
8 Disb None None None 1 001f.a002.0877 0.0.0.0/0 0
9 Disb None None None 1 001f.a002.78ec 0.0.0.0/0 0
The following commands configure Layer 2/3 resources for partition dmz2,
and list the interfaces:
ACOS[dmz2](config)#vlan 200
ACOS[dmz2](config-vlan:200)#tagged ethernet 1
ACOS[dmz2](config-vlan:200)#untagged ethernet 3
ACOS[dmz2](config-vlan:200)#router-interface ve 200
ACOS[dmz2](config-vlan:200)#exit
ACOS[dmz2](config)#interface ve 200
ACOS[dmz2](config-if:ve200)#ip address 20.20.2.1 255.255.255.0
ACOS[dmz2](config-if:ve200)#exit
ACOS[dmz2](config)#ip route 0.0.0.0 /0 20.20.102.50
ACOS[dmz2]#show interfaces brief
Port Link Dupl Speed Trunk Vlan MAC IP Address IPs Name
------------------------------------------------------------------------------------
mgmt Up Full 100 N/A N/A 001f.a001.d020 192.168.20.10/24 1
1 Up Full 1000 N/A Tag 001f.a002.0870 0.0.0.0/0 0
3 Up Full 1000 None 200 001f.a002.0871 0.0.0.0/0 0
4 Disb None None None 1 001f.a002.0873 0.0.0.0/0 0
5 Disb None None None 1 001f.a002.0874 0.0.0.0/0 0
6 Disb None None None 1 001f.a002.0875 0.0.0.0/0 0
7 Disb None None None 1 001f.a002.0876 0.0.0.0/0 0
8 Disb None None None 1 001f.a002.0877 0.0.0.0/0 0
9 Disb None None None 1 001f.a002.78ec 0.0.0.0/0 0
10 Disb None None None 1 001f.a002.78ed 0.0.0.0/0 0
11 Disb None None None 1 001f.a002.78ee 0.0.0.0/0 0
12 Disb None None None 1 001f.a002.78ef 0.0.0.0/0 0
ve1 Up N/A N/A N/A 200 001f.a002.0870 20.20.2.1/24 1
The following commands again log onto the CLI and access partition dmz1,
and display the list of Ethernet interfaces. Ethernet 3 is not listed since it
now belongs exclusively to partition dmz2.
login as: admin-dmz1
Welcome to ACOS
Using keyboard-interactive authentication.
Password:***
The following commands log onto the CLI with Read Write admin access,
and display the list of Ethernet interfaces in the shared partition. All physi-
cal Ethernet interfaces are listed, including those belonging to individual
partitions. The VEs belonging to other partitions are not listed.
login as: admin
Welcome to ACOS
Using keyboard-interactive authentication.
Password:***
[type ? for help]
ACOS>enable
ACOS#show interfaces brief
Port Link Dupl Speed Trunk Vlan MAC IP Address IPs Name
------------------------------------------------------------------------------------
mgmt Up Full 100 N/A N/A 001f.a001.d020 192.168.20.10/24 1
1 Up Full 1000 None Tag 001f.a002.0870 0.0.0.0/0 0
2 Up Full 1000 None 100 001f.a002.0871 0.0.0.0/0 0
3 Up Full 1000 None 200 001f.a002.0872 0.0.0.0/0 0
4 Disb None None None 1 001f.a002.0872 0.0.0.0/0 0
5 Disb None None None 1 001f.a002.0874 0.0.0.0/0 0
6 Disb None None None 1 001f.a002.0875 0.0.0.0/0 0
7 Disb None None None 1 001f.a002.0876 0.0.0.0/0 0
8 Disb None None None 1 001f.a002.0877 0.0.0.0/0 0
9 Disb None None None 1 001f.a002.78ec 0.0.0.0/0 0
10 Disb None None None 1 001f.a002.78ed 0.0.0.0/0 0
11 Disb None None None 1 001f.a002.78ee 0.0.0.0/0 0
12 Disb None None None 1 001f.a002.78ef 0.0.0.0/0 0
Overview
Resource templates help you to define limits for application, network, and
system resources in partitions enabled for Layer 2/3 virtualization. Once
defined, you can bind or unbind a resource template to a particular partition.
You can also apply a sample template to multiple partitions. By default,
Layer 2/3 partitions have the same resource limits as the shared partition.
Note: If the maximum number of real servers you specify is configured (no
additional real servers can be configured), the ACOS device does not
allow any additional GSLB service-IPs to be configured.
The current release allows you to ration resources to Layer 2/3 partitions.
For example, you can specify the number of real servers a partition can
access.
By configuring resource limits for individual Layer 2/3 partitions, you can
ensure that no partition starves another partition of resources by monopoliz-
ing the available system resource quotas.
*.
GSLB parameters are configurable on a per-partition basis hard-coded (and thus non-con-
figurable) at the system level.
2. Click Add.
Note: You may also access this page from Config Mode > System >
Admin > Partition. Select the System Resource Template checkbox, and
click ‘create ...’ from the drop-down menu.
3. In the name field, specify the name that will uniquely identify the tem-
plate.
5. Click OK.
2. Select Config Mode > System > Settings > General > Resource Usage >
Template.
4. Click Delete.
The system resource limits that you configure in a default template are
applied to all partitions, unless you explicitly apply a custom template
(where you may choose to change some default values) to a partition. Create
a custom template to modify the limits for any application, network, or sys-
tem resources from their default values.
Note: Though partitions need to bound to a template one at a time, several parti-
tions may be bound to the same custom template.
4. Unbind a template to revert to the default values for resources per parti-
tion. This step assumes that you have created a default template.
Configuration Example
From the template configuration mode, you can modify any application,
network, or system resource limits.
Application Resources
Use the following command to enter the application resource limit
configuration mode:
app-resources
Configuration Example
The following example shows you how to enter the application resources
configuration mode. From this location, you can set values for the available
application resources:
AX(config-resource template)#app-resources
AX(config-resource template-node app)#gslb-zone-count 10
AX(config-resource template-node app)#health-monitor-count 50
AX(config-resource template-node app)#real-server-count 100
AX(config-resource template-node app)#service-group-count 150
AX(config-resource template-node app)#virtual-server-count 250
Configuration Example
The following example shows you how to enter the network resources
configuration mode. From this location, you can set values for the available
network resources:
AX(config-resource template)#network-resources
AX(config-resource template-node network)#static-arp-count 100
AX(config-resource template-node network)#static-ipv4-route-count 1000
AX(config-resource template-node network)#static-ipv6-route-count 2000
AX(config-resource template-node network)#static-mac-count 200
AX(config-resource template-node network)#static-neighbor-count 128
Use the show running command to verify the configured network resource
values:
AX(config-resource template-node network)#show running
...
system resource-usage template ru-tmplt
network-resources
static-mac-count 200
static-arp-count 100
static-ipv4-route-count 1000
static-ipv6-route-count 2000
static-neighbor-count 128
System Resources
Use the following command to enter the system resource limit configuration
mode:
system-resources
Configuring system resource parameters allows you to assign values for
parameters listed in Table 15 on page 249:
Use the show running command to verify the configured network resource
values:
AX(config-resource template-node system)#show running
...
system resource-usage template ru-tmplt
system-resources
bw-limit 500
ssl-throughput-limit 1000
l4cps-limit 2000
natcps-limit 100000
l7cps-limit 4000
sslcps-limit 10000
concurrent-session-limit 3200
Note: The values from the default resource template will be automatically
applied to any partition that is not bound to a custom system template.
Though partitions need to bound to a template one at a time, several parti-
tions may be bound to the same custom template.
2. The table of this page displays existing network partitions. From here,
click the name of a partition to access the configuration page.
5. Click OK.
Enter the following command at the configuration level for the partition:
CLI Example
Use the following commands to apply a template to a partition. In this
example, the template called “ru-tmplt” is being applied to a partition called
“p55”:
AX(config)#partition p55 network-partition
AX(config-partition)#template ru-tmplt
CLI Example
When the custom template is removed from a partition, the default template
values (from the default template that you have created) will be applied to
the partition.
Inter-Partition Routing
In ACOS 2.7.1, you can configure static routes directly between a private
partition and the shared partition. This capability is meaningful in case you
use Advanced Delivery Partitions (ADPs) to lease different partitions to
various customers. Traffic can now be routed from the shared partition to
the VIP configured in a private partition and vice versa.
Prior to ACOS 2.7.1, to route traffic from one partition to another traffic,
traffic had to be sent out of the device to an external router, which then for-
warded the traffic to the destination partition of the devices. In addition, par-
tition-awareness was accomplished by using VLAN tags only.
Note: Inter-partition routing is only provided for IPv4 addresses. Also, hair pin-
ning across private partitions is not supported.
• To allow the shared partition to route traffic downstream to the real serv-
ers via the private partitions.
• To allow incoming traffic destined for a private partition with SLB
information to bypass the shared partition (since it does not contain SLB
configuration) and to be redirected to the private partition that is speci-
fied.
• To provide multiple private partitions, containing independent routing
tables, with the ability to look up routing entries in the shared partition’s
routing table (by treating the shared partition as the next hop within the
device.)
• To operate in conjunction with VRRP-A for route lookups in the For-
warding Information Base (FIB) tables.
This feature can be enabled successfully to route traffic between the shared
and private partitions provided the following requirements are met:
• Inter-partition routing is only provided for IPv4 addresses. Currently, no
IPv6 address support is provided.
• Private partitions do not have duplicate IP Addresses across all parti-
tions. If duplicate addresses are discovered, they will not be logged.
• If there are any overlapping real servers across partitions, NAT must be
configured.
• Traffic must be received on the physical ingress port in the shared parti-
tion only.
• Static routes can forward traffic from the shared partition to VIP in a pri-
vate partition.
Configuration
The current release supports use of the CLI to configure this feature.
3. Change to the CLI session to the private partition, and configure a static
default route back to the shared partition:
active-partition partition-name
Configuration Example
ACOS(config)#interface ethernet 4
ACOS(config-if:ethernet4)#ip slb-partition-redirect
ACOS(config-if:ethernet4)#exit
ACOS(config)#ip route 10.2.4.0 /24 partition p69
ACOS(config)#active-partition p69
ACOS(config)#ip route 0.0.0.0 /24 partition shared
To enable inter-partition routing capabilities, there are two tasks that must
be configured in the shared partition:
• Configure the specific route to the downstream real server via a private
partition or to the VIPs in the private partition.
• Optionally, If you wish to enable forwarding of pass through (non-SLB)
traffic, configure the ability to redirect traffic arriving on an incoming
interface to be redirected to a private partition, bypassing the shared par-
tition.
Packets destined for the downstream real server will be forwarded using this
route:
To verify that your configuration is valid, use either the show ip route
or the show ip fib command.
Configuration Example
In the following example, the default route to reach the real server
(10.15.0.0) from the shared partition will traverse via a partition (in this
example, partition a). Packets destined for the downstream real server will
be directed using this route:
AX(config)#ip route 10.15.0.0 /24 partition a
Verify your configuration using the show ip route command. In this output,
you can see that the real server 10.15.0.0/24 is accessible via partition a:
ax1(config)#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
You can also verify your configuration using the show ip fib command. In
this command, you see that partition a is the nexthop to the network
address to which the VIP belongs, 10.15.0.0.
ax1(config)#show ip fib
Prefix Next Hop Interface Distance
------------------------------------------------------------------------
1.1.1.1 /32 0.0.0.0 loopback1 0
10.15.0.0 /24 partition a loopback1 0
219.247.8.0 /24 0.0.0.0 ethernet8 0
Total Routes = 3
[no] ip slb-partition-redirect
Configuration Example
In the following example, the ip slb-partition-redirect command will
apply to the virtual interface (ve 21) in the shared partition. The IP Address
10.11.0.1 /24 indicates the IP Address of the incoming virtual interface.
ax1(config)#interface ve 21
ax1(config-if:ve21)#ip address 10.11.0.1 /24
ax1(config-if:ve21)#ip slb-partition-redirect
Note: The current release does not provide support for outbound source NAT for
pass through traffic.
Change the CLI session to the private partition, and configure a static
default route back to the shared partition:
active-partition partition-name
Configuration Example
Ensure that you have SLB running and VIPs configured in your private par-
tition before you configure a static route to the VIP. Configure the default
route to the shared partition from the private partition:
ax1[a](config)#ip route 0.0.0.0 /0 partition shared
Verify your configuration using the show ip route command. Look at the
route that shows that 0.0.0.0/0 is accessible via partition shared:
ax1[a](config)#show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Verify your private partition SLB configuration using the show running
command and display the SLB configuration section:
ax1[a](config)#show run | sec slb
slb server abc 10.15.0.15
port 80 tcp
slb service-group abc tcp
member abc:80
slb virtual-server v1 10.15.0.101
port 80 http
service-group abc
slb virtual-server v2 10.15.0.102
port 80 tcp
service-group abc
Having configured the static route in the private partition and the shared
partition, and having configured SLB redirect capabilities on the shared
partition, the inter-partition routing feature is now functional.
High Availability
This chapter describes High Availability (HA) and how to configure it.
Note: The version of HA described in this chapter is the version that is also sup-
ported in previous releases. For information about the new HA, VRRP-A,
see “VRRP-A High Availability” on page 355.
Note: If you use source NAT, only half the protocol ports on each NAT IP
address are available at a given time. This is because the ACOS device
allocates half the ports to one of the ACOS devices in the HA pair and the
other half to the other ACOS device. This does not occur with VRRP-A.
If you use VRRP-A, all the protocol ports on NAT addresses are avail-
able.
Overview
High Availability (HA) is an ACOS feature that provides ACOS-level
redundancy to ensure continuity of service to clients. In HA configurations,
ACOS devices are deployed in pairs. If one ACOS device in the HA pair
becomes unavailable, the other ACOS device takes over.
Note: In High Availability (HA) deployments, the ACOS devices must be the
same model and must be running the same software version. For example,
if one of the ACOS devices in an HA deployment is model AX 3200-11
running 2.6.1, the other device also must be model AX 3200-11 running
2.6.1. The other device in this example can not be AX 3200 or any other
model except AX 3200-11.
Layer 3 Active-Standby HA
Figure 36 shows an example of an Active-Standby configuration.
FIGURE 36 Active-Standby HA
• For private partitions enabled for Layer 2/3 virtualization (both FPGA
and non-FPGA models): 64 floating IPs
Layer 3 Active-Active HA
Figure 37 shows an example of an Active-Active configuration.
FIGURE 37 Active-Active HA
Restrictions
• Supported for Active-Standby HA deployments only. Not supported for
Active-Active HA.
• Inline mode is designed for one HA group in Hot-Standby mode. Do not
configure more than one HA group on a device running in inline mode.
• In order to prevent Layer 2 loops in a Layer 2 host-standby environ-
ment, the Standby ACOS device does not forward traffic. In addition,
the Active ACOS device in the HA pair is designed to not forward pack-
ets destined for the Standby ACOS device. Depending on the network
topology, certain traffic to the Standby ACOS device might be dropped
if it must first pass through the Active ACOS device.
Preferred HA Port
When you enable inline mode on an ACOS device, the ACOS device uses a
preferred HA port for session synchronization and for management traffic
between the ACOS devices in the HA pair. For example, if you use the CLI
on one ACOS device to ping the other ACOS device, the ping packets are
sent only on the preferred HA port. Likewise, the other ACOS device sends
the ping reply only on its preferred HA port.
• Ping
Optionally, you can designate the preferred HA port when you enable inline
mode. In Figure 39 on page 274, Ethernet interface 5 on each ACOS device
has been configured as the preferred HA port.
The ACOS device selects the Active ACOS device’s preferred HA port as
follows:
1. Is a preferred port specified with the inline configuration, and is the port
up? If so, use the port.
Note: The preferred port must be added as an HA interface and heartbeat mes-
sages must be enabled on the interface.
Port Restart
For example, in Figure 39 on page 274, while AX1 is still Active, the active
router (the one on the left) uses the MAC entries it has learned on its link
with AX1 to reach downstream devices. If the link with AX1 goes down,
the router flushes the MAC entries. The router then relearns the MAC
addresses on the link with AX2 when it becomes the Active ACOS device.
This mechanism is applicable when the link with AX1 goes down. How-
ever, if the transition from Active to Standby does not involve failure of the
router's link with AX1, the router does not flush its learned MAC entries on
the link. As a result, the router might continue to send traffic for down-
To ensure that devices connected to the formerly Active ACOS device flush
their learned MAC entries on their links with AX1, you can enable HA port
restart.
Note: You must omit at least one port connecting the ACOS devices from the
restart port-list. This is so that heartbeat messages between the ACOS
devices are maintained; otherwise, flapping might occur.
In this example, each ACOS device has multiple Ethernet ports connected
to the clients, and multiple Ethernet ports connected to the servers. On each
ACOS device, all these Ethernet interfaces are configured as a single Virtual
Ethernet (VE) interface with a single IP address. The routers, both ACOS
devices, and the servers are all in the same subnet.
Restrictions
• Supported for Active-Standby HA deployments only. Not supported for
Active-Active HA.
• Inline mode is designed for one HA group in Hot-Standby mode. Do not
configure more than one HA group on an ACOS device running in
inline mode.
• In order to prevent Layer 2 loops in a Layer 2 host-standby environ-
ment, the Standby ACOS device does not forward traffic. In addition,
the Active ACOS device in the HA pair is designed to not forward pack-
ets destined for the Standby ACOS device. Depending on the network
topology, certain traffic to the Standby ACOS device might be dropped
if it must first pass through the Active ACOS device.
HA Messages
The ACOS devices in an HA pair communicate their HA status with the fol-
lowing types of messages:
• HA heartbeat messages
HA Heartbeat Messages
Each of the ACOS devices regularly sends HA heartbeat messages out its
HA interfaces. The Standby ACOS device listens for the heartbeat mes-
sages. If the Standby ACOS device stops receiving heartbeat messages from
the Active ACOS device, the Standby ACOS device transitions to Active
and takes over networking and SLB operations from the other ACOS
device.
The heartbeat interval and retry count are configurable. (See “HA Configu-
ration Parameters” on page 292.)
If the heartbeat messages from one ACOS device to the other will pass
through a Layer 2 switch, the switch must be able to pass UDP IP multicast
packets. (This requirement does not apply to Layer 2 inline HA because it
uses unicast to transmit the heartbeat.)
For IPv4, when an ACOS device transitions from Standby to Active, the
newly Active ACOS device sends gratuitous ARP requests and replies
(ARPs) for the IPv4 address under HA control.
Gratuitous ARPs or ICMPv6 neighbor advertisements are sent for the fol-
lowing types of addresses:
• Virtual server IP addresses, for the VIPs that are assigned to an HA
group.
• Floating IP address, if configured
After this, the ACOS device sends gratuitous ARPs or ICMPv6 neighbor
advertisements every 30 seconds to keep its IP information current.
HA Interfaces
When configuring HA, you specify each of the interfaces that are HA inter-
faces. An HA interface is an interface that is connected to an upstream
router, a real server, or the other ACOS device in the HA pair.
If you specify the HA interface type, the HA status of the ACOS device is
based on the status of the link with the real server and/or upstream router.
The HA status can be one of the following:
• Up – All configured HA router and server interfaces are up.
During selection of the active ACOS device, the ACOS device with the
highest state becomes the active ACOS device and all HA interfaces on that
ACOS device become active. For example, if one ACOS device is UP and
the other ACOS device is only Partially Up, the ACOS device that is UP
becomes the active ACOS device.
If each ACOS device has the same state, the active ACOS device is selected
as follows:
• If HA pre-emption is disabled (the default), the first ACOS device to
come up is the active ACOS device.
• If HA pre-emption is enabled, the ACOS device with the higher HA
group priority becomes active for that group. If the group priorities on
the two ACOS devices are also the same, the ACOS device that has the
lowest HA ID (1 or 2) becomes active.
Notes
• The maximum number of HA interfaces you can configure is the same
as the number of Ethernet data ports on the ACOS device.
• If the heartbeat messages from one ACOS device to the other will pass
through a Layer 2 switch, the switch must be able to pass UDP IP multi-
cast packets. (This requirement does not apply to Layer 2 inline HA
because it uses unicast to transmit the heartbeat.)
• If a tracked interface is a member of a trunk, only the lead port in the
trunk is shown in the tracking configuration and in statistics. For exam-
ple, if a trunk contains ports 1-3 and you configure tracking of port 3,
the configuration will show that tracking is enabled on port 1. Likewise,
tracking statistics will show port 1, not port 3. Similarly, if port 1 goes
down but port 3 is still up, statistics still will show that port 1 is up since
it is the lead port for the trunk.
• In non-Layer 2 inline deployments, if the heartbeat messages from one
ACOS device to the other will pass though a Layer 2 switch, the switch
must be able to pass UDP IP multicast packets. Layer 2 inline mode
does not have this requirement.
If the VLAN ID is not specified, the ACOS device does not transmit any
heartbeat packets on the interface. This is an invalid configuration. Previous
releases incorrectly allowed the invalid configuration but current releases
do not.
Session Synchronization
HA session synchronization sends information about active client sessions
to the Standby ACOS device. If a failover occurs, the client sessions are
maintained without interruption. Session synchronization is optional. With-
out it, a failover causes client sessions to be terminated. Session synchroni-
zation can be enabled on individual virtual ports.
Session synchronization is required for config sync. Config sync uses the
session synchronization link. (For more information, “Manually Synchro-
nizing Configuration Information” on page 335.)
VLAN-based Failover
If the ACOS device does not receive any traffic on the VLAN before the
timeout expires, a failover occurs. The timeout can be 2-600 seconds. You
must specify the timeout. Although there is no default, A10 recommends
trying 30 seconds.
Likewise, if the gateway becomes available again and all gateways pass
their health checks, the ACOS device recalculates its HA status according to
the HA interface counts. If the new HA status of the ACOS device is higher
than the other ACOS device’s HA status, a failover occurs.
Route-based Failover
Route-based failover reduces the HA priority of all HA groups on the
ACOS device, if a specific route is missing from the IPv4 or IPv6 route
table.
You can configure this feature for individual IP routes. When you configure
this feature for a route, you also specify the value to subtract from the HA
priority of all HA groups, if the route is missing from the route table.
You can configure this option for up to 100 IPv4 routes and up to 100 IPv6
routes. This option is valid for all types of IP routes supported in this release
(static and OSPF).
If the priority of an HA group falls below the priority for the same group on
the other ACOS device in an HA pair, a failover can be triggered.
Notes
• This feature applies only to routes in the data route table. The feature
does not apply to routes in the management route table.
• For failover to occur due to HA priority changes, the HA pre-emption
option must be enabled.
You can configure this feature on individual real servers and ports. The fea-
ture is disabled by default. To enable the feature, assign an HA weight to the
server or port. If the server or port’s health status changes to Down, the
weight value is subtracted from the priority value of the HA group. You can
specify a single HA group or allow the priority change to apply to all HA
groups.
If the server or port’s status changes back to Up, the weight value is added
back to the HA group’s priority value.
If the HA priority of a group falls below the priority of the same group on
the other ACOS device, HA failover can be triggered.
Notes
• The lowest HA priority value a server or port can have is 1.
VIP-based Failover
When you configure an HA group ID, you also specify its priority. If HA
pre-emption is enabled, the HA group’s priority can be used to determine
which ACOS device in the HA pair becomes the Active ACOS device for
the HA group. In this case, the ACOS device that has a higher value for the
group’s priority becomes the Active ACOS device for the group.
When a real server becomes available again, the weight value that was sub-
tracted from the HA group’s priority is re-added. If this results in the prior-
ity value being higher than on the other ACOS device, the virtual server is
failed over again to the ACOS device with the higher priority value for the
group.
After initial selection of the Active ACOS device, that device remains the
Active ACOS device unless one of the following events occurs:
• The Standby ACOS device stops receiving HA heartbeat messages from
the Active ACOS device.
• The HA interface status of the Active ACOS device becomes lower than
the HA interface status of the Standby ACOS device.
• VLAN-based failover is configured and the VLAN becomes inactive.
FIGURE 42 HA Failover
HA Pre-Emption
By default, a failover occurs only in the following cases:
• The Standby ACOS device stops receiving HA heartbeat messages form
the other ACOS device in the HA pair.
• HA interface state changes give the Standby ACOS device a better HA
state than the Active ACOS device. (See “HA Interfaces” on page 281.)
• VLAN-based failover is configured and the VLAN becomes inactive.
(See “VLAN-based Failover” on page 284.)
• Gateway-based failover is configured and the gateway becomes unavail-
able. (See “Gateway-based Failover” on page 285.)
• VIP-based failover is configured and the unavailability of real servers
causes the Standby ACOS device to have the greater HA priority for the
VIP’s HA group. (See “VIP-based Failover” on page 286.)
HA Sets
Optionally, you can provide even more redundancy by configuring multiple
sets of HA pairs.
You can configure up to 7 HA sets. This feature is supported for Layer 2 and
Layer 3 HA configurations. The set ID can be specified along with the HA
ID. (For syntax information, see Table 16 on page 292.)
HA Configuration Parameters
Table 16 lists the HA parameters.
TABLE 16 HA Parameters
Parameter Description and Syntax Supported Values
Global HA Parameters
HA ID HA ID of the ACOS device, and HA set to which HA ID: 1 or 2
and the ACOS device belongs. HA set ID: 1-7
HA set ID The HA ID uniquely identifies the ACOS device Default: Neither parameter is set
within the HA pair.
The HA set ID specifies the HA set to which the
ACOS device belongs. This parameter is applicable
to configurations that use multiple ACOS device
pairs.
[no] ha id {1 | 2} [set-id num]
Config Mode > System > HA > HA Global - Gen-
eral
HA group ID Uniquely identifies the HA group on an individual HA group ID: 1-31
ACOS device. Priority: 1 (low priority) to 255 (high
The priority value can be used during selection of priority
the Active ACOS device. (See“How the Active Default: not set
ACOS Device Is Selected” on page 288.)
[no] ha group group-id priority num
Config Mode > System > HA > HA Global - Group
Floating IP IP address that downstream devices should use as Default: not set
address their default gateway. The same address is shared by
both ACOS devices in the HA pair. Regardless of
which device is Active, downstream devices can
reach their default gateway at this IP address.
Note: A floating IP address can not be the same as
an address that already belongs to a device. For
example, the IP address of an interface can not be a
floating IP address.
[no] floating-ip ipaddr
ha-group group-id
Config Mode > System > HA > HA Global - Float-
ing IP Address
Session Enables active client sessions on this port to con- Enabled or disabled
synchronization tinue uninterrupted following a failover. Default: disabled
Note: This option also requires session synchroni-
zation to be enabled globally. (See “Global HA
Parameters” above.)
[no] ha-conn-mirror
HA Status Indicators
The HA status of an ACOS device is displayed in the GUI and CLI. The HA
status indicators provide the following information:
• Current HA status of the ACOS device: Active or Standby
• Configuration status:
• Most recent configuration update – The system time and date when
the most recent configuration change was made.
• Most recent configuration save – The system time and date when
the configuration was saved to the startup-config.
• Most recent config-sync – The system time and date when the most
recent configuration change was made.
If the ACOS device is configured with multiple Role-Based Administra-
tion (RBA) partitions, separate configuration status information is
shown for each partition.
In the GUI
The current HA status is shown as one of the following:
• Active
• Standby
• Not Configured
• Not-Sync
The GUI does not indicate when the most recent configuration update or
save occurred. This information is available in the CLI. (See below.)
ACOS 2.7.1 provides the user with the ability to configure the prompt. It
allows you to add or remove the device hostname, the aVCS chassis device
ID, the aVCS status, the VRRP-A status, or the HA status. Configuring a
prompt is optional. If all the five options are configured, an example of a
prompt may say AX1030-vMaster[7/1](config)#.
If your device is running aVCS and HA, you can configure the following
commands. With each configuration entry, see how the terminal prompt
changes. The prompt additions appear in bold font:
ACOS(config)#terminal prompt hostname vcs-status
AX1030-vMaster(config)#show run | sec prompt
terminal prompt hostname vcs-status
If the device is in a forced standby state, you will see the following prompt:
AX1030(config)#terminal prompt ha-status
ForcedStandby(config)#
Use the show terminal command to view the terminal prompt format.
By default, all prompts are displayed. So, if you revert from a configured
prompt to a default prompt, you will see the following results:
AX1030-vMaster(config)#no terminal prompt
AX1030-Active-vMaster[1/1](config)#show terminal
For details on all configurable prompts and how they work in conjunction
with one another, refer to “Configurable aVCS Prompts” on page 501.
Configuring Layer 3 HA
To configure Layer 3 HA:
1. Configure the following global HA parameters:
• HA ID
• HA group ID and priority. For an Active-Standby configuration,
configure one group ID. For Active-Active, configure multiple HA
group IDs.
• Floating IP address (optional)
• Session synchronization (optional)
• HA pre-emption (optional)
Note: Enter the real IP address of the ACOS device, not the floating IP address
that downstream devices will use as their default gateway address.
4. Click OK.
Configuring HA Interfaces
1. Select Config Mode > Network > Interface.
2. On the menu bar, select LAN. The list of the ACOS device’s physical
Ethernet data interfaces appears.
3. Perform the following steps for each HA interface. (For information, see
“HA Interfaces” on page 281.)
a. Click on the interface number.
b. In the HA section, select Enabled next to HA Enabled.
c. To specify the interface type, select one of the following or leave the
setting None:
• Router-Interface
• Server-Interface
• Both
d. To enable HA heartbeat messages, select Enabled next to Heartbeat.
e. To restrict the HA heartbeat messages to a specific VLAN, enter the
VLAN ID in the VLAN field.
f. Click OK.
2. Click on the virtual server name or click Add to add a new one.
Note: The GUI does not support enabling connection mirroring on some types
of service ports. However, you can enable connection mirroring for these
service types using the CLI.
FIGURE 46 Config Mode > SLB > Service > Virtual Server (VIP1)
HA Configuration of AX2
FIGURE 50 Config Mode > SLB > Service > Virtual Server (VIP2)
4. If IP NAT will be used, use the following option with the ip nat pool or
ipv6 nat pool command when configuring the pool.
ha-group group-id
(For the complete command syntax, see Table 16 on page 292.)
Commands on AX1
This examples shows the CLI commands to implement the Active-Active
configuration shown in Figure 37 on page 271.
Later in the configuration, each virtual server will need to be added to one
or the other of the HA groups.
AX1(config)#ha id 1
AX1(config)#ha group 1 priority 1
AX1(config)#ha group 2 priority 255
Commands on AX2
Here are the commands for AX2. The priority values for the groups are dif-
ferent from the values set on AX1, so that group 1 has higher priority on this
ACOS device than on AX1. Likewise, the priority of group 2 is set so that
its priority is higher on AX1.
AX2(config)#ha id 2
AX2(config)#ha group 1 priority 255
AX2(config)#ha group 2 priority 1
The floating IP addresses must be the same as the ones set on AX1.
AX2(config)#floating-ip 10.10.10.1 ha-group 1
AX2(config)#floating-ip 10.10.10.100 ha-group 2
AX2(config)#ha interface ethernet 1 router-interface no-heartbeat
AX2(config)#ha interface ethernet 2 router-interface no-heartbeat
AX2(config)#ha interface ethernet 3 server-interface no-heartbeat
AX2(config)#ha interface ethernet 4 server-interface no-heartbeat
AX2(config)#ha interface ethernet 5
Note: If source NAT is not configured for the VIP, but real servers send
responses to a gateway IP address other than the floating IP address, CPU
processing must be enabled on the interfaces connected to the real servers.
This applies to the following ACOS device models: AX 2200, AX 2200-
11, AX 3100, AX 3200, AX 3200-11, AX 3200-12, AX 3400, AX 5100,
Note: Enter the real IP address of the ACOS device, not the floating IP address
that downstream devices will use as their default gateway address.
4. Click OK.
2. On the menu bar, select LAN. The list of the ACOS device’s physical
Ethernet data interfaces appears.
3. Perform the following steps for each HA interface. (For information, see
“HA Interfaces” on page 281.)
a. Click on the interface number.
b. In the HA section, select Enabled next to HA Enabled.
c. To specify the interface type, select one of the following or leave the
setting None:
• Router-Interface
• Server-Interface
• Both
d. To enable HA heartbeat messages, select Enabled next to Heartbeat.
e. To restrict the HA heartbeat messages to a specific VLAN, enter the
VLAN ID in the VLAN field.
f. If source NAT is not configured for the VIP, but real servers send
responses to a gateway IP address other than the floating IP address,
select CPU Process in the General section.
This requirement applies to the following ACOS devices models:
AX 2200, AX 2200-11, AX 3100, AX 3200, AX 3200-11,
AX 3200-12, AX 3400, AX 5100, AX 5200, and AX 5200-11. On
other models, the option for CPU processing is not valid and is not
required.
g. Click OK.
6. Click OK.
Commands on AX1
The following commands configure the HA ID and set the HA priority. HA
priority is associated with an HA group. Since inline mode is supported only
in Active-Standby configurations, only one HA group is used. Later in the
configuration, the VIP is assigned to this HA group.
AX1(config)#ha id 1
AX1(config)#ha group 1 priority 255
The following command enables inline HA mode and specifies the pre-
ferred HA port.
AX1(config)#ha inline-mode preferred-port 5
Note: If source NAT is not configured for the VIP, but real servers send
responses to a gateway IP address other than the floating IP address, enter
the cpu-process command at the configuration level for each interface
connected to the real servers. This requirement applies to the following
AX models: AX 2200, AX 2200-11, AX 3100, AX 3200, AX 3200-11,
AX 3200-12, AX 3400, AX 5100, AX 5200, and AX 5200-11. On other
models, the option for CPU processing is not valid and is not required.
The following command configures the floating IP address for the real serv-
ers to use as their default gateway address.
AX1(config)#floating-ip 172.168.10.1 ha-group 1
• The HA priority is 1.
Note: The GUI does not support configuration of Layer 3 inline mode in the
current release.
Commands on AX1
The following command specifies the IP address of the other ACOS device,
to use for session synchronization.
AX1(config)#ha conn-mirror ip 172.168.10.3
Commands on AX2
Here are the commands for implementing HA on AX2. Most of the com-
mands are the same as those on AX1, with the following exceptions:
• The IP interfaces are different.
• The HA ID is 2.
• The HA priority is 1.
• Gateway-based failover
• VIP-based failover
2. In the Status Check section, enter the VLAN ID in the VLAN ID field.
4. Click Add.
5. Repeat step 2 through step 4 for each VLAN to be monitored for HA.
6. Click OK.
The timeout can be 2-600 seconds. You must specify the timeout. Although
there is no default, A10 recommends trying 30 seconds.
2. Configure the gateway as an SLB real server and apply the ICMP health
monitor to the server:
a. Select Config Mode > SLB > Service > Server on the menu bar.
b. Click Add. The General section appears.
c. In the General section, enter a name for the gateway in the Name
field.
d. In the IP Address field, enter the IP address of the gateway.
e. In the Health Monitor drop-down list, select the ICMP health moni-
tor you configured in step 1.
f. Click OK.
2. To configure the gateway as an SLB real server and apply the health
monitor to the server, use the following command.
[no] slb server server-name ipaddr
[no] health-check monitor-name
3. To enable HA health checking for the gateway, use the following com-
mand at the global configuration level.
[no] ha check gateway ipaddr
CLI Example
The following commands configure a real server for the gateway and apply
the health monitor to it:
ACOS(config)#slb server gateway1 10.10.10.1
ACOS(config-real server)#health-check gatewayhm1
ACOS(config-real server)#exit
Note: The current release does not support this feature in the GUI.
The priority-cost weight option specifies the value to subtract from the HA
priority of each HA group, if the IP route table does not have a route to the
destination subnet.
The gateway addr option specifies the next-hop gateway for the route.
The distance num option specifies the metric value (cost) of the route.
CLI Examples
The following command configures HA route awareness for a default IPv4
route. If this route is not in the IP route table, 255 is subtracted from the HA
priority of all HA groups.
ACOS(config)#ha check route 0.0.0.0 /0 priority-cost 255
If the IPv6 route table does contain a static route to the destination, but the
next-hop gateway is not 2001::1, the ACOS device subtracts only 5 from the
HA priority of each HA group.
ACOS(config)#ha check route 3000::/64 priority-cost 100
ACOS(config)#ha check route 3000::/64 priority-cost 5 protocol static gateway
2001::1
3. Click on the virtual server name or click Add to create a new one.
Note: If the HA Group drop-down list does not have any group IDs, you still
need to configure global HA parameters. See “Configuring Global HA
Parameters” on page 301.
6. Click OK.
Enter this command at the configuration level for a virtual server, to assign
the virtual server to the HA group. The group-id can be 1-31.
[no] ha-dynamic server-weight
Enter this command at the configuration level for the virtual server to
enable VIP-based failover. The server-weight specifies the amount to sub-
tract from the HA group's priority value for each real server that becomes
unavailable. The weight can be 1-255. The default is 1.
CLI Example
If you specify a group ID, only the specified group is forced to change from
Active to Standby. If you do not specify a group ID, all Active groups are
forced to change to Standby status.
CLI Example
The following command forces HA group 1 to change from Active to
Standby status:
ACOS(config)#ha force-self-standby 1
3. Click OK or Apply.
7. Click OK again.
[no] ha-conn-mirror
CLI Example
The following commands access the configuration level for a virtual port
and enable connection mirroring on the port:
ACOS(config)#slb virtual-server vip1 10.10.10.100
ACOS(config-slb virtual server)#port 80 tcp
ACOS(config-slb virtual server-slb virtua...)#ha-conn-mirror
OSPF Awareness of HA
The ACOS device uses HA-aware VIPs, floating IPs, IP NAT pools, and IP
range lists with route redistribution to achieve HA-aware dynamic routing.
However, by default, the OSPF protocol on the ACOS device is not aware
of the HA state (Active or Standby) of the ACOS device. Consequently, fol-
lowing HA failover of an ACOS device, other OSPF routers might continue
Note: In Layer 3 inline mode, all VLANs on the ACOS device participate in
OSPF routing by default. (See “OSPF Support on Standby ACOS Device
in Layer 3 Inline Mode” on page 335.)
After an OSPF neighbor receives the LSA update, the neighbor updates its
OSPF link-state database with the increased cost of the links. The increased
cost biases route selection away from paths that use the Standby ACOS
device.
Note: The additional cost for Standby status is removed only if the HA status for
all HA groups on the device is Active. Otherwise, if the status of any of
the groups is Standby, the additional cost remains in effect for all OSPF
interfaces on the device.
The num option specifies the extra cost to add to the ACOS device’s OSPF
interfaces, if the HA status of one or more of the device’s HA groups is
Standby. You can specify 1-65535. If the resulting cost value is more than
65535, the cost is set to 65535.
You can use config-sync options to manually synchronize some or all of the
following:
• Startup-config, to the other ACOS device’s startup-config or running-
config
• Running-config, to the other ACOS device’s running-config or startup-
config)
• Data files:
• SSL certificates and private-key files
• aFleX files
• External health check files
• Black/white-list files
Note: Manual config-sync is not required if the ACOS device is running aVCS.
Requirements
Session synchronization (connection mirroring) is required for manual con-
fig sync. Config sync uses the session synchronization link. To enable ses-
sion synchronization, see “Enabling Session Synchronization” on page 332.
SSH management access must be enabled on both ends of the link. (See
“Securing Admin Access by Ethernet” on page 471.)
• AAA settings
• Floating IP addresses
• ACLs
• Health monitors
• IP limiting settings
• PBSLB settings
• SLB
• RAM caching
• FWLB
• GSLB
• Data Files:
• aFleX files
• External health check files
• SSL certificates, private-key files, and CRLs
• Class-list files
• Black/white-list files
Note: For IP NAT configuration items to be backed up, you must specify an HA
group ID as part of the NAT configuration.
• MAC addresses
• Management IP addresses
• LACP settings
• Interface settings
Caveats
Before synchronizing the Active and Standby ACOS devices, verify that
both are running the same software version. HA configuration synchroniza-
tion between two different software versions is not recommended, since
some configuration commands in the newer version might not be supported
in the older version.
Performing HA Synchronization
To synchronize the ACOS devices in an HA configuration, use the CLI
commands described below.
3. In the User and Password fields, enter the admin username and pass-
word for logging onto the other ACOS device.
Note: In some cases, reload of the other ACOS device either is automatic or is
not allowed. See Table 17 on page 337.
To synchronize data files and the running-config, use the following com-
mand:
ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ipaddr
Note: The ipaddr option specifies the IP address of the other ACOS device.
In some cases, reload of the other ACOS device either is automatic or is
not allowed. See Table 17 on page 337.
To synchronize the data files by copying the Active ACOS device’s data
files to the Standby ACOS device, use the following command:
ha sync data-files
[all-partitions | partition partition-name]
ipaddr
The time it takes for traffic to reconverge following HA failover can vary
based on the network environment, and depends on the following:
• How fast the ARPs (typically, ARPs of the default gateways) are learned
on the newly active ACOS device
• How fast the MAC tables in the devices along the traffic paths are
updated
To help reconvergence occur faster, you can create a real server configura-
tion for each router, and use an ICMP health monitor for checking the health
of the gateways. The health checks keep the ARP entries for the gateway
routers active, which can help to reduce reconvergence time considerably.
Note: The ACOS device also has an HA gateway health checking feature. This
feature also uses ICMP health monitors. However, if you use the HA gate-
way health checking feature, HA failover is triggered if a gateway fails a
health check. If you use real server configurations instead, as shown in the
following examples, HA failover is not triggered by a failed health check.
To use the default ICMP health monitor instead, the configuration is even
simpler:
ACOS(config)#slb server gateway-upstream 192.168.10.1
ACOS(config-real server)#exit
ACOS(config)#slb server gateway-downstream 10.10.10.1
ACOS(config-real server)#exit
HA To VRRP-A Migration
Migration Exceptions
During the migration process, some conditions will cause the migration
command to fail. An HA configuration that does not contain any of the
following HA configuration exceptions will result in a successful
conversion to VRRP-A. Issue the migration command only after you have
removed or manually upgraded the following HA configuration statements.
Note: When you launch the migration script, it will pre-check your HA configu-
ration to ensure that no HA configuration exceptions exist. If it encounters
exceptions, the script will quit automatically without conversion to
VRRP-A.
• Forward-L4-Packet-on-Standby is detected.
Note: If one of the seven exceptions defined above occur, a warning message
will be displayed on your screen and you will be asked to manually
migrate your configuration.
vrrp-a ha-migration
In case the migration script encounters any configuration scenarios that
it cannot handle, it will quit.
Note: Make sure that you do not issue the write-memory command. Before the
ACOS device commences the reload, be sure to say no to the question:
System configuration has been modified. Save?
[yes/no]:
Configuration Example
The following example shows successful completion of the migration
command on an Active ACOS device:
ACOS-Active(config)#vrrp-a ha-migration
ACOS boots from hard disk primary. VRRP-A migration only effects on hard disk
primary.
Migrate from HA to VRRP-A therein? (y/n) y
HA Migration Starts...
89 lines of configuration are processed
Replacing old config file with new config file.
Configure file has been replaced!
HA configuration has been replaced by VRRP-A configuration! Please reload the
system to finalize the migration!
Warning: After reloading, all vrids in all partitions will be forced standby!
Please manually remove forced-standby setting with command: no vrrp-a force-
self-standby all-partitions
Before you reload the ACOS device, check your running configuration to see that
no VRRP-A configuration exists:
ACOS-Active(config)#show running | sec vrrp-a
ACOS-Active(config)#
After you reload, view your running configuration to see that VRRP-A has
been configured on your ACOS device
ACOS#show running | sec vrrp-a
vrrp-a device-id 2
vrrp-a set-id 1
vrrp-a enable
vrrp-a vrid default
tracking-options
interface ethernet 3 priority-cost 15
interface ethernet 2 priority-cost 15
interface ethernet 1 priority-cost 15
vrrp-a vrid 1
priority 100
tracking-options
interface ethernet 3 priority-cost 15
interface ethernet 2 priority-cost 15
interface ethernet 1 priority-cost 15
vrrp-a interface ethernet 1 router-interface
vrrp-a interface ethernet 2 server-interface no-heartbeat
vrrp-a interface ethernet 3 vlan 100
CLI Example
The following example displays how the vrrp-a ha-migration-restore
command will restore your HA configuration:
ACOS-Active(config)# vrrp-a ha-migration-restore
ACOS boots from hard disk primary. Migration restore only effects on hard disk
primary.
Trying to find backup config file to replace current config file.
The backup files is found.
Proceed to replace current config file? (y/n) y
System has been successfully restored! Please reload system!
Overview
VRRP-A can provide redundancy for the following IP resources:
• Virtual server IP addresses (VIPs)
• IPv4 static range lists and individual mappings for inside source NAT
Virtual Router ID
Each IP resource can be associated with a virtual router ID (VRID). At any
given time, the VRID is active on one of the devices in the VRRP-A set.
The VRID is in standby state on the other devices. If network conditions
change (the active device becomes unavailable or a link goes down), a
standby device can assume the active role for the VRID.
In this example, a pair of ACOS devices are configured with private parti-
tions. The VIPs and other IP resources in each partition are backed up by the
partition’s VRID. (Partition support and VRIDs are described in more detail
below.)
At any given time, one of the devices is the active device for a VRID and
the other device is the standby for the VRID, as shown in Figure 55.
In this example, device 1 is the active device for the shared partition and for
private partition CorpB. Device 2 is the standby device for these partitions.
Likewise, device 2 is the active device for private partitions CorpA and
CorpC, and device 1 is the standby for these partitions.
Partition Support
VRRP-A is supported on ACOS devices configured with Role-Based
Administration (RBA) partitions, as long as Layer 2/3 virtualization is
enabled in each partition. Layer 2/3 virtualization allows each private parti-
tion to have its own VRID, independent from the VRIDs belonging to other
partitions.
Note: Use of VRRP-A on an ACOS device that has RBA partitions that are not
enabled for Layer 2/3 virtualization has not been tested and is not sup-
ported.
Default VRID
Admins with write privileges for the partition can assign a floating IP
address to the partition’s VRID. Generally, the floating IP address provides
redundancy for the default gateway IP address used by downstream devices.
Parameters related to selection of the active device and to failover also can
be configured. (See “Active / Standby Device Selection” on page 361.)
Non-Default VRID
Private partitions support non-default VRIDs in addition to the default
VRID. Previously, private partitions only supported the default VRID,
VRID 0. Now, private partitions support VRIDs 1-7 and continue to support
the default VRID 0.
ACOS 2.7.1 supports a maximum of 512 VRIDs on one device. Any time
this number is exceeded, VRIDs are automatically configured as follower
VRIDs or can be explicitly configured to be added as a follower VRID. To
configure a leader or a follower VRID. refer to “Configuring a Leader and
Follower VRID” on page 392.
021f.a000.nnnn
The last 2 bytes (nnnn portion) of the address indicate the partition ID,
VRRP-A set ID, and VRID.
Floating IP Addresses
VRRP-A supports use of floating IP addresses. Floating IP addresses can
reside on any device in the VRRP-A set, and always reside on the device
that is currently active. Because floating IP addresses are always reachable
regardless of the VRRP-A states of individual devices, the floating IP
addresses provide network stability.
Note: A floating IP address can not be the same as an address that already
belongs to a device. For example, the IP address of an ACOS device inter-
face can not be a floating IP address.
Configuration Synchronization
VRRP-A supports the following methods of configuration synchronization:
• Automated – Uses A10 Virtual Chassis System (aVCS) to automatically
synchronize the configuration. See “Automated Configuration Synchro-
nization” on page 463.
• Manual – See “Manually Synchronizing the Configuration” on
page 379.
Session Synchronization
VRRP-A uses one active device and one standby device for a given VRID.
If session synchronization (also called connection mirroring) is enabled, the
active device backs up active sessions on the standby device.
In this example, the priority of VRID 0 has been changed to 255 for the
shared partition and private partition CorpB on device 1, and for partitions
CorpA and CorpC on device 2. The active/standby state of each VRID on
each device is based on these priority settings.
If more than one device has the highest priority value, the device with the
lowest device ID becomes the active device. For example, if the VRID pri-
ority is left set to the default value on all devices, device 1 becomes the
active device for the VRID.
VRRP-A selects the device that has the second-highest priority for a VRID
as the standby device for the VRID. In VRRP-A deployments on more than
2 devices, if more than one device has the second-highest priority value, the
device with the lowest device ID becomes the standby device. Figure 58
shows an example.
The priority for VRID 0 in partition CorpB is set to 255 on device 1 but is
left to its default value on the other devices. Since device 2 is has the lowest
device ID among the remaining devices, device 2 becomes the standby for
the VRID. The other devices are backups. If session synchronization is
enabled, sessions are copied from device 1 to device 2. If a failover occurs,
device 2 becomes the active device and device 1 becomes the standby
device. Sessions are not synchronized to the backups.
Failover
Failover of a VRID from the active ACOS device to the standby ACOS
device can be triggered by any of the following events:
• The standby ACOS device stops receiving VRRP-A hello messages
from the active ACOS device.
• The VRRP-A priority on the active device is dynamically reduced
below the priority on the standby device. The priority can be dynami-
cally reduced when a tracked default gateway, data port, or VLAN goes
down, a tracked route is not in the data route table, or a VIP’s real server
fails its health check.
Policy-based Failover
If the standby device stops receiving hello messages from the active device,
operation for the VRID fails over to the standby device. The device to
which operation fails over becomes the new active device for the VRID.
The hello interval and maximum wait time (dead time) are configurable, on
a device basis. Configuration of the VRRP-A timers requires write access to
the shared partition. The timers can not be configured by partition admins.
In this example, link tracking is enabled for Ethernet port 6, and configured
to reduce the VRID priority by 155 if the link goes down. Device 1 has the
higher configured priority value for VRID 0 in partition CorpB, and is the
active device. However, if the link on Ethernet port 6 goes down, the prior-
ity is dynamically reduced below the priority value on device 2. Device 2
therefore becomes the active device for the VRID.
By default, none of the dynamic failover triggers are configured. They can
be configured on an individual partition basis.
Note: If a tracked interface is a member of a trunk, only the lead port in the
trunk is shown in the tracking configuration and in statistics. For example,
if a trunk contains ports 1-3 and you configure tracking of port 3, the con-
figuration will show that tracking is enabled on port 1. Likewise, tracking
statistics will show port 1, not port 3. Similarly, if port 1 goes down but
port 3 is still up, statistics still will show that port 1 is up since it is the
lead port for the trunk.
Note: If you track a trunk that does not exist, VRRP-A will not reduce the
device priority.
To track a trunk port within a private partition, you must verify that the
tracked port is actually being used within that private partition (for exam-
ple, verify that the port is used in a VLAN of that private partition).
If the tracked trunk is down, VRRP-A reduces the device priority based
on the trunk value and ignores the status of the ports within the trunk.
If the tracked trunk is up, VRRP-A checks the ports within the trunk, and
if any of them are down, VRRP-A reduces the device priority (1x config-
ured port priority). If two ports are down, VRRP-A reduces the device
priority by twice the priority assigned to the ports within the trunk (2x
configured port priority).
To calculate the priority, VRRP-A subtracts the priority values for all
optional failover trigger events that have occurred from the configured pri-
ority value. The lowest value to which the priority can be reduced is 1.
Once the link or server health is restored, the failover trigger event is no lon-
ger occurring and the priority value is not subtracted during the next priority
calculation.
For example, if the track event delay is 5 seconds, and a tracked link goes
down for 3 seconds, then comes back up, no failover is triggered. Failover is
triggered only if the link stays down for at least 5 seconds.
The track event delay can be from 1-tenth second to 10 seconds. The default
is 3 seconds.
Pre-emption
Pre-emption allows failover to be triggered by manually changing the prior-
ity on one or more devices so that the active device no longer has the high-
est priority for the VRID.
Pre-emption Delay
Force-self-standby
The force-self-standby option provides a simple method to force a failover,
without the need to change VRID priorities and use pre-emption.
The option can be entered by shared partition admins and private partition
admins. If entered in the shared partition, the option applies to all VRIDs on
the device. If entered in a private partition, the option applies to all VRIDs
within that partition but does not affect VRIDs in other partitions.
The option remains in effect until one of the other failover triggers occurs or
the device is reloaded or rebooted. The option is not added to the configura-
tion and does not persist across reloads or reboots.
VRRP-A Interfaces
VRRP-A sends hello messages and session synchronization messages on
the device’s VRRP-A interfaces.
Each ACOS device providing VRRP-A for a VRID must have at least one
Up Ethernet interface that can reach the other ACOS devices. If an ACOS
device can not receive hello messages from the other devices for the VRID,
the ACOS device's VRRP-A state becomes Active. In this case, there is
more than one active VRRP-A device for the same VRID, which is invalid.
One of the active VRRP-A devices is the ACOS device that does not have a
connection to the other devices. The other active VRRP-A device is the
ACOS device that can still reach the other ACOS devices (standby VRRP-
A devices).
If a data interface has both IPv4 and IPv6 addresses, the primary IPv4
address is used.
Admins with write privileges for the shared partition can explicitly specify
the ACOS device interfaces to use as VRRP-A interfaces. In this case, the
specified interfaces are used as VRRP-A interfaces by the shared partition
and by all private partitions in which Layer 2/3 virtualization is enabled.
Note: In the current release, the interface type is informational only. This setting
does not affect VRRP-A operation or interface tracking.
2. Click below the Preferred Session Sync Port to display the configuration
area for the feature.
4. If the interface belongs to more than one VLAN, enter the applicable
VLAN ID in the VLAN ID field.
6. Click Add.
7. Click OK.
VRRP-A Parameters
Table 20 lists the VRRP-A parameters you can configure.
Note: In the current release, VRRP-A is supported in the GUI. For details, refer
to “VRRP-A Configuration and Monitoring Using the GUI” on page 397
Deploying VRRP-A
Basic VRRP-A deployment requires only the following steps on each
ACOS device:
1. Specify the device ID.
3. Enable VRRP-A.
Use the following command at the global configuration level of the CLI:
[no] vrrp-a device-id num
Note: If aVCS is configured, use the same number as the device’s aVCS device
ID.
Enter the command at the global configuration level of the CLI. The com-
mand accesses the configuration level for the VRID, where the following
command is available:
Enable VRRP-A
Use the following command at the global configuration level of the CLI:
[no] vrrp-a enable
[no] ha force-self-standby
[ha-group-id group-num [persistent]] | [persistent]
Command Example
To place VRRP-A VRID 2 into a forced-self-standby state, issue the follow-
ing command. Since you are not using the persistence keyword, when the
device completes a restart or software reload, it will not place VRID 2 in a
self-standby state:
AX(config)#vrrp-a force-self-standby vrid 2
Note: Parameters that are set at their default values are not shown.
Notes:
• Before synchronizing the configuration, save the configuration for all
partitions (write memory all-partitions).
• Do not reload the ACOS device before synchronizing the configuration.
• vrrp-a hello-interval
• vrrp-a dead-timer
• vrrp-a track-event-delay
• vrrp-a enable
• vrrp-a disable-default-vrid
• vrrp-a set-id
• vrrp-a vrid
• floating-ip
• preempt-mode
SSH Requirement
Configuration synchronization requires SSH to be enabled on the source
and destination interfaces. SSH is enabled by default on the management
interface but disabled by default on the data interfaces.
Note: In the current release, VRRP-A is supported in the GUI. For details, refer
to “VRRP-A Configuration and Monitoring Using the GUI” on page 397
3. Click OK.
2. Enter the admin username and password required for read-write access
to the peer ACOS device.
Note: In some cases, reload either is automatic or is not allowed. See “Manually
Synchronizing Configuration Information” on page 335.
8. Click OK.
Use this command on the local ACOS device and on the peer ACOS device.
ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ipaddr |
[auto-authentication]
ha sync running-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ipaddr |
[auto-authentication]
ha sync data-files
[all-partitions | partition partition-name]
ipaddr |
[auto-authentication]
2. Edit the value in the Preemption Delay field, to a value from 1-255. The
default VRRP-A preemption delay is 6 seconds (60 units of 100 ms).
You can globally set the delay to a value from 100 ms (1 unit of 100 ms)
to 25.5 seconds (255 units of 100 ms).
Click OK.
The default VRRP-A preemption delay is 6 seconds (60 units of 100 ms).
You can globally set the delay to a value from 100 ms (1 unit of 100 ms) to
25.5 seconds (255 units of 100 ms).
Configuration Examples
The following sections show configuration examples for VRRP-A. The first
example shows a very basic deployment using the minimum required com-
mands. The second example includes priority configuration changes and
tracking.
Simple Deployment
The following commands deploy VRRP-A on a set of 4 ACOS devices.
Commands on AX-1
AX-1(config)#vrrp-a device-id 1
AX-1(config)#vrrp-a enable
Commands on AX-2
AX-2(config)#vrrp-a device-id 2
AX-2(config)#vrrp-a enable
Commands on AX-3
AX-3(config)#vrrp-a device-id 3
AX-3(config)#vrrp-a enable
Commands on AX-4
AX-4(config)#vrrp-a device-id 4
AX-4(config)#vrrp-a enable
Commands on AX-1
AX-1(config)#vrrp-a device-id 1
AX-1(config)#vrrp-a enable
AX-1(config)#vrrp-a vrid default
AX-1(config-vrid)#priority 255
AX-1(config-vrid)#floating-ip 10.10.10.2
AX-1(config-vrid)#end
AX-1#active-partition CorpB
Currently active partition: CorpB
AX-1[CorpB]#config
AX-1[CorpB](config)#vrrp-a vrid default
AX-1[CorpB](config-vrid-default)#priority 255
AX-1[CorpB](config-vrid-default)#floating-ip 30.30.30.2
Commands on AX-2
AX-2(config)#vrrp-a device-id 2
AX-2(config)#vrrp-a enable
AX-2#active-partition CorpA
Currently active partition: CorpA
AX-2[CorpA]#config
AX-2[CorpA](config)#vrrp-a vrid default
AX-2[CorpA](config-vrid-default)#priority 255
AX-2[CorpA](config-vrid-default)#floating-ip 20.20.20.2
AX-2[CorpA](config-vrid-default)#end
AX-2(config)#vrrp-a enable
AX-2#active-partition CorpC
Currently active partition: CorpC
AX-2[CorpC]#config
AX-2[CorpC](config)#vrrp-a vrid default
AX-2[CorpC](config-vrid-default)#priority 255
AX-2[CorpC](config-vrid-default)#floating-ip 40.40.40.2
Trunk Tracking
The following commands configure the ACOS device to track the status of
a trunk (but not ports within the trunk). The VRRP-A protocol will reduce
the priority of the device by 100 if the trunk goes down.
AX2500(config)#vrrp-a vrid 1
AX2500(config-vrid)#tracking-options
AX2500(config-vrid-tracking)#trunk 1 priority-cost 100
The following commands configure the ACOS device to track the status of
a trunk, as well as the status of ports within the trunk. If trunk 2 goes down,
the priority of the associated VRID is reduced by 150. If a port within the
trunk goes down, the priority of the associated VRID is reduced by 40.
AX2500(config)#vrrp-a vrid 2
AX2500(config-vrid)#tracking-options
AX2500(config-vrid-tracking)#trunk 2 priority-cost 150 per-port-pri 40
VLAN Tracking
The following command configures tracking of VLAN 69. If the VLAN is
quiet for more than 30 seconds, 50 is subtracted from the VRID priority.
AX2500(config-vrid-tracking)#vlan 69 timeout 30 priority-cost 50
Route Tracking
The following command configures tracking of routes to destination net-
work 3000::/64. If the IPv6 route table does not contain any routes to the
destination, 105 is subtracted from the VRID priority.
AX2500(config-vrid-tracking)#route 3000::/64 priority-cost 105
If more than one server fails its health check, 10 is subtracted for each
server. For example, if 3 servers fail their health checks, a total of 30 is sub-
tracted from the VRID’s priority.
Preemption Delay
The following command will allow you to configure the desired preemption
delay value of 200 milliseconds:
AX2500(config)#vrrp-a preemption-delay 200
ACOS 2.7.1 provides support for an increased number of VLANs that can
be tracked as part of the VRRP-A failover tracking feature. The weight (as
assigned using failover policy templates—for details refer to “VRRP-A Pol-
icy-Based Failover Template” on page 429) or priority assigned to the
VLAN tracked event will be used in calculations that will impact VRRP-A
failover decisions. In previous releases, only tracking of 5 VLANs per parti-
tion was possible. Currently, 64 VLANs can be tracked per partition. For
each L3V partition, you can track 64 different VLANs
• Configure all 64 VLANs that can be tracked using a single failover pol-
icy template or split over multiple templates.
• Configure a mix of both options mentioned above. That is configure 32
VLANS using the tracking option and configure the remaining 32
VLANs using a failover policy template.
Note: Tracking options and the failover policy template can track the same
VLANs. For example, you configure 64 VLANs using the tracking
option. You can also configure tracking of 64 of the same VLANs using a
fail-over-policy template. In essence, you are still only tracking 64
VLANs.
To view your configuration, use the show vrrp-a conf command. This will
display the VLANs that are being tracked.
After you have enabled VRRP-A on the devices, set the VRRP-A VRID,
and then to set VLAN tracking-options for 64 VLANs based on their prior-
ity cost:
vrrp-a vrid 31
tracking-options
vlan 1000 timeout 30 priority-cost 1
vlan 1001 timeout 30 priority-cost 1
vlan 1002 timeout 30 priority-cost 1
vlan 1003 timeout 30 priority-cost 1
vlan 1004 timeout 30 priority-cost 1
vlan 1005 timeout 30 priority-cost 1
vlan 1006 timeout 30 priority-cost 1
vlan 1007 timeout 30 priority-cost 1
vlan 1008 timeout 30 priority-cost 1
vlan 1009 timeout 30 priority-cost 1
vlan 1010 timeout 30 priority-cost 1
vlan 1011 timeout 30 priority-cost 1
vlan 1012 timeout 30 priority-cost 1
vlan 1013 timeout 30 priority-cost 1
vlan 1014 timeout 30 priority-cost 1
vlan 1015 timeout 30 priority-cost 1
vlan 1016 timeout 30 priority-cost 1
vlan 1017 timeout 30 priority-cost 1
vlan 1018 timeout 30 priority-cost 1
vlan 1019 timeout 30 priority-cost 1
vlan 1020 timeout 30 priority-cost 1
vlan 1021 timeout 30 priority-cost 1
vlan 1022 timeout 30 priority-cost 1
vlan 1023 timeout 30 priority-cost 1
vlan 1024 timeout 30 priority-cost 1
vlan 1025 timeout 30 priority-cost 1
vlan 1026 timeout 30 priority-cost 1
vlan 1027 timeout 30 priority-cost 1
vlan 1028 timeout 30 priority-cost 1
vlan 1029 timeout 30 priority-cost 1
vlan 1030 timeout 30 priority-cost 1
vlan 1031 timeout 30 priority-cost 1
vlan 1032 timeout 30 priority-cost 1
vlan 1033 timeout 30 priority-cost 1
2. In the private L3V partition, configure the VRID you wish to designate
as the follower.
a. To do so, enter the partition:
AX#active-partition p1
b. In the currently active partition, p1, enter the following command:
AX[p1](config)#vrrp-a vrid 1 follow vrid-lead lead1
c. Use the show vrrp-a command to view your configuration:
AX[p1](config-vrid-follow)#show vrrp-a
vrid default
Unit State Weight Priority
1 (Local) Active 65534 150
became Active at: May 20 12:04:05 2013
for 0 Day,22 Hour,54 min
2 (Peer) Standby 65534 150 *
vrid 1 (follow vrid-lead lead1)
Unit State Weight Priority
1 (Local) Active 65534 150
became Active at: May 20 12:04:05 2013
for 0 Day,22 Hour,54 min
2 (Peer) Standby 65534 150 *
vrid that is running: default 1
2. Use the following show command to display your VRID leader configu-
ration:
AX(config)#show vrrp-a vrid-lead
vrrp-a vrid-lead default-vrid-lead
partition shared vrid default
vrrp-a vrid-lead myname
partition p1 vrid default
3. In the private partition, configure the VRID to follow the lead VRID:
AX[p1](config)#vrrp-a vrid 3 follow vrid-lead myname
5. As the Admin, if you want to change the VRID’s role from being a fol-
lower to standalone VRID again, issue the following command:
AX[p1](config)#vrrp-a vrid 3
Change the role of vrid 3 from follower to standalone? (y/n)y
If you try to remove a VRID that is configured as a lead VRID and that has
other VRIDs that follow it, you will not be allowed to remove it. You must
This user-configurable prompt allows you to add or remove the device host-
name, the aVCS chassis device ID, the aVCS status, the VRRP-A status, or
the HA status. Configuring a prompt is optional. If all the five options are
configured, an example of a prompt may say AX1030-vMaster[7/1](con-
fig)#.
If the device is in a forced standby state, you will see the following prompt:
AX1030(config)#terminal prompt ha-status
ForcedStandby(config)#
If your device is running aVCS and HA, you can configure the following
commands. With each configuration entry, see how the terminal prompt
changes. The prompt additions appear in bold font:
AX(config)#terminal prompt hostname vcs-status
AX1030-vMaster(config)#show run | sec prompt
terminal prompt hostname vcs-status
For details on all configurable prompts and how they work in conjunction
with one another, refer to “Configurable aVCS Prompts” on page 501.
The current release provides configuration support for VRRP-A using the
GUI.
Configure and view information for VRRP-A at the global and at the
interface level.
Configuration
This section describes how to configure VRRP-A using the GUI.
2. Click on the down arrow next to VRID to expand the VRID section:
Floating IP Address
VRRP-A uses one active device and one standby device for a given VRID.
If session synchronization (also called connection mirroring) is enabled, the
active device backs up active sessions on the standby device. Session syn-
chronization is disabled by default and can be enabled on individual virtual
ports.
To configure the VRRP-A Preferred Session Sync Port for receiving ses-
sions, do the following:
1. Select Config Mode > VRRP-A > Setting > VRRP-A Global to display
Preferred Session Sync Port tab.
2. Click on the down arrow next to expand the Preferred Session Sync Port
section.
3. From the Interface drop down menu, select the interface attached to the
port that you wish to use to sync information.
4. Indicate the VLAN ID in the text box. The valid range for your ID can
be from 1-4094.
5. Click on Add.
Your entry will be added to the Preferred Session Sync Port table:
VRID Leader
With an increase in the number of configurable VRIDs to 512, you may
configure a VRID as a “leader” VRID and some others as “follower”
VRIDs. The benefit of configuring the leader VRID is that when you are run
the risk of consuming all your resources, one VRID can serve as the leader
and others can be configured to operate as followers. This means that only
on one VRID will you be able to configure all capabilities, such as configur-
ing the failover policy template, the preempt mode, priority, and tracking
options, while in the follower VRID, you can only configure Floating IP
Addresses.
ACOS 2.7.1 supports a maximum of 512 VRIDs on one device. Any time
this number is exceeded, VRIDs are automatically configured as follower
VRIDs or can be explicitly configured to be added as a follower VRID.
1. Indicate the VRID Leader Name. This can be any alphanumeric string
of 1-63 characters.
4. Click on Add.
If you have private partitions configured, to configure followers for this lead
VRID, you must enter the appropriate information in this window:
2. Select the VRID lead name from the drop down list.
Force Self Standby provides a simple method to force a failover, without the
need to change VRID priorities and use preemption. Follow these steps to
configure this option:
1. Select Config Mode > VRRP-A > Setting > VRRP-A Global to display
Force Self Standby tab.
3. Click on either the All Partitions or the VRID radio button if you want
the force self standby operation to impact all partitions or specific
VRIDs. All Partitions will impact both shared partition and private
partitions. If entered in the shared partition, the option applies to all
VRIDs on the device. If entered in a private partition, the option applies
to all VRIDs within that partition but does not affect VRIDs in other
partitions.
4. Click on Enable or Disable to execute the force self standby operation.
Note: The Force Self Standby option remains in effect until one of the
other failover triggers occurs or the device is reloaded or rebooted. The
option is not added to the configuration and does not persist across
reloads or reboots.
3. The Port Number and the interface Type fields are automatically filled
in.
a. Click on Enabled in the Status field to enable the interface.
b. Click on Enabled to enable the VRRP-A Status for the particular
interface.
c. Click on the radio button to indicate if the interface Type is a Router
Interface (an upstream router reachable through the interface), a
Server Interface (a real server that is reachable through the inter-
face), or Both (the upstream router and the real server are accessible
through the interface). None is selected by default.
Note: In the current release, the interface type specified by this
parameter is informational only. This setting does not affect VRRP-
A operation or interface tracking.
d. Click on Enabled or Disabled to initiate an interface Heartbeat to
trace the health of the interface. By default, all up interfaces config-
ured with their IP Addresses in a partition are VRRP-A interfaces
for that partition.
e. Enter a VLAN ID from 1-4094.
4. Click on OK (at the bottom of the screen) to save your changes to your
running configuration or Save (from the top navigation bar) to perma-
nently register your changes.
Configuration on AX-1
5. Click on OK (at the bottom of the screen) to save your changes to your
running configuration or Save (from the top navigation bar) to perma-
nently register your changes.
Configuration on AX-2
5. Configure the Host ID. The Host ID helps to identify the peer devices
that are learned through heartbeat messages. The Host ID indicates
which devices are configured as VRRP-A peers.
6. Click on OK (at the bottom of the screen) to save your changes to your
running configuration or Save (from the top navigation bar) to perma-
nently register your changes.
Note: This example shows how to configure a partition for CorpB, but assumes
that each device has a shared partition and three private partitions for
CorpA, Corp B, and CorpC:
• On ACOS device AX-1, the priority value is set to 255 on the shared
partition’s default VRID and partition CorpB’s default VRID. The prior-
ity value is left set to its default (150) for CorpA and CorpC. The prior-
ity does not need to be set since this is the default value.
• On ACOS device AX-2, the priority value is set to 255 on the default
VRIDs in partitions CorpA and CorpC. The priority value is left set to
its default (150) for the shared partition and for CorpB. The priority
does not need to be set since this is the default value.
• Enable VRRP-A
Configuration on AX-1
2. Click on the down arrow next to VRID to expand the VRID section.
3. To configure the default VRID with a priority of 255, do the following:
a. Retain the default setting for the VRID from the drop down menu.
b. Enter 255 in the Priority field in lieu of the default value of 150.
c. Click on Add. The VRID table will be updated with your new VRID
entry.
4. Select Config Mode > VRRP-A > Setting > VRRP-A Global to display
the Floating IP Address option.
5. Click on the down arrow next to the Floating IP Address to expand the
Floating IP Address section.
6. Choose the VRID from the drop down list.
7. Click on the IPv4 radio button to specify Floating IP Address of
10.10.10.2. This IP addresses will be used by downstream devices as
their default IPv4 gateway. Regardless of which device is active for the
VRID, downstream devices can reach their default IPv4 gateway using
this Floating IP Address.
8. Click on Add.
9. Click on OK (at the bottom of the screen) to save your changes to your
running configuration or Save (from the top navigation bar) to perma-
nently register your changes.
10. On device 1, from Config Mode > System > Admin > Partition, do the
following:
a. Click on Add to create a partition for CorpB.
b. Create a partition for CorpB.
c. Click on Enabled to enable the Network Partition. When you click
on Enabled, you will have the option to specify a System Resource
Template.
d. Click OK:
13. Configure the CorpA partition for the default VRID with a Priority of
255 and a Floating IP Address of 20.20.20.2:
15. Configure an additional CorpC partition for the default VRID with a
Priority of 255 and a Floating IP Address of 40.40.40.2:
18. From Monitor Mode > VRRP-A > VRID for ACOS device 2, view the
Standby status of VRRP-A with a peer in Active mode:
19. When device 1 fails, it will cause a failover from the Active device to
the Standby device. At any given time, from Monitor Mode > VRRP-A
> VRID, view the Active or Standby status of your devices or your par-
titions:
Gateway Tracking
The following steps configure tracking of gateway 10.10.10.1. If the gate-
way stops responding to pings, 100 is subtracted from the VRID’s priority
value.
1. From Config Mode > SLB > Health Monitor > Health Monitor, click on
Add to create a Health Monitor.
2. In the Health Monitor section, enter gatewayhm1 as the Name for the
Health Monitor.
3. In the Method section, accept ICMP as the Type of the Health Monitor.
5. Go to Config Mode > SLB > Service > Server to view a list of available
servers.
8. Select Config Mode > System > VRRP-A > VRRP-A Global to display
the VRRP-A Tracking option.
10. From the Gateway section, choose the default VRID from the drop
down list.
11. Choose the IPv4 radio button and enter 10.10.10.1 as the IP Address.
Click on OK (at the bottom of the screen) to save your changes to your run-
ning configuration or Save (from the top navigation bar) to permanently reg-
ister your changes.
VLAN Tracking
The following steps help configure tracking of VLAN 69. If the VLAN is
quiet for more than 30 seconds, 50 is subtracted from the VRID priority:
1. Select Config Mode > System > VRRP-A > VRRP-A Global to display
the VRRP-A Tracking option.
5. Click on OK (at the bottom of the screen) to save your changes to your
running configuration or Save (from the top navigation bar) to perma-
nently register your changes.
Trunk Tracking
To configure the ACOS device to track the status of a trunk (but not ports
within the trunk), follow these steps. The VRRP-A protocol will reduce the
priority of the device by 100 if the trunk goes down.
1. Select Config Mode > System > VRRP-A > VRRP-A Global to display
the VRRP-A Tracking.
2. Click on the down arrow next to VRRP-A Tracking to expand the
VRRP-A Tracking section. In the Trunk section, enter the trunk track-
ing fields.
3. Choose VRID 1 from the drop down list.
4. Specify the Trunk ID value of 1.
Note: The ID must refer to an existing trunk.
5. Indicate the Priority Cost of 100.
6. Click on Add. The VRID table will include your table entry.
The following steps configure the ACOS device to track the status of a
trunk, as well as the status of ports within the trunk. If trunk 2 goes down,
the priority of the associated VRID is reduced by 150. If a port within the
trunk goes down, the priority of the associated VRID is reduced by 40.
8. Click on OK (at the bottom of the screen) to save your changes to your
running configuration or Save (from the top navigation bar) to perma-
nently register your changes.
Interface Tracking
To configure tracking of Ethernet port 1 follow these steps. If the port’s link
goes down, 100 is subtracted from the VRID’s priority value.
1. Select Config Mode > System > VRRP-A > VRRP-A Global to display
the VRRP-A Tracking.
6. Click on OK (at the bottom of the screen) to save your changes to your
running configuration or Save (from the top navigation bar) to perma-
nently register your changes.
Route Tracking
The following steps configure tracking of routes to destination network
3000::/64. If the IPv6 route table does not contain any routes to the destina-
tion, 100 is subtracted from the VRID priority.
1. Select Config Mode > System > VRRP-A > VRRP-A Global to display
the VRRP-A Tracking option.
3. From the Route section, choose the default VRID from the drop down
list.
4.Choose the IPv6 radio button and enter 3000::/64 as the IPv6 Address.
6. Click on Add.
3. From the Route section, choose 1 from the VRID drop down list.
4. Choose the IPv6 radio button and enter 5000::/64 as the IP Address.
6. Click on Add. Both routes are added to the VRID table for route track-
ing:
7. Click on OK (at the bottom of the screen) to save your changes to your
running configuration or Save (from the top navigation bar) to perma-
nently register your changes.
For instance, this window displays VRRP-A as enabled on one Active and
one Standby device, shows that the Standby device has been configured
with two peers, and that its peer is currently the Active device. It also dis-
plays the peer priority and whether or not the device is in a Forced Standby
state.
Each VRID is now allocated a fixed, total weight of 65534 and each event is
allocated a corresponding, configurable weight of 1-255. When the event
occurs, the configured weight for the event is deducted from the total weight
assigned to the VRID. Some events (for example, when an interface goes
down) are considered to be critical for a VRID and will reduce the VRID’s
weight. ACOS devices that are part of the same set, periodically exchange
their weight information with peer ACOS devices.
The VRRP-A state machine determines the Active or Standby status based
on received weight information. Based on the newly computed weight, a
failover will occur from an ACOS device of a lower weight to another
ACOS device of a higher weight.
When an ACOS device has a higher priority, it would assume the role of an
Active device in a group of ACOS devices, the others would automatically
be placed in a Standby state. If preemption is disabled, no failover will
occur. That is, when a Standby device assumes the Active role and preemp-
tion is disabled, the newly elected Active device will not give up its Active
even when another device with a higher priority becomes available.
When you configure VRRP-A using the GUI or command line at the
VRRP-A configuration level, you can specify the priority assigned to each
event. When the event occurs, the value you assign to the event will be
deducted from the priority you configure from 1-255 for the VRID of a
given ACOS device.
However, if you specify a value for a failed event using a VRRP-A failover
template, you are configuring the weight assigned to an event that will be
deducted from a fixed total weight of 65534 assigned to every VRID for an
ACOS device.
The fixed total weight for a VRID is not user configurable, unlike the prior-
ity assigned the VRID for an ACOS device which is configurable. A failed
event will result in a deduction of the weight assigned to the event from the
fixed total weight for the VRID. Since the weight of each VRID is tallied to
figure out the weight and/or priority of an ACOS device, when multiple
devices are configured with VRRP-A, this value is used to gauge the device
that will serve as the Active or the Standby device. When the weight for all
VRRP-A enabled devices are unequal, the device with the highest weight
will serve as the Active device, the rest will be placed in a Standby state.
• You can associate the same template to multiple VRIDs. For example,
VRID1 and VRID23 can both be attached to template1.
When creating templates in a private partition, adhere to the following
rules:
• You may create multiple templates, however only one template can be
associated with a particular VRID. For example, if you create two tem-
plates called “template1” and “template2,” you can only associate either
template1 or template2 with VRID1. Assuming template1 and
template2 have different events configured and you want template1 (that
tracks for VLANs and gateways) to also address the events that
template2 tracks (for interfaces and routes), edit template1 to include the
events covered by template2. You cannot associate both templates to
VRID1 to have it track all four events (VLANs, gateways, interfaces,
and routes).
• Create templates with unique names, however, the second time you try
to create a template with the same name, you will enter the template
module and can edit the events listed in the template.
• To associate a template to a private partition, you must switch to an
active-partition.
• Associate the template to the default VRID. Private partitions only con-
tain a default VRID. That is, only one template can be associated to the
default VRID.
• Since each private partition can have its own template, and templates
cannot be shared across multiple partitions, template names do not need
to be unique. For example, template1 can be the template for private
partition1 and template1 can be the template for private partition2. They
can be named the same, but can track different events for different
VRIDs.
• You can create a maximum of 32 templates in the private partition.
place it in Active state and the remaining ACOS devices in Standby state.
Level 1 weight assignments for events will result in the deduction of that
weight from the VRID when an event occurs. When the weight is reduced
for a particular VRID, it may result in a failover to another device if its total
weight is lower than that of its peer devices. Since preemption works at the
VRID level, any VRID with a higher weight can take over for another
VRID in a different ACOS device of a lower weight. When the original
Active device is operational again, its weight is subject to change, and if it
has the highest weight amongst its peers, it will resume its role and take
over as the Active device.
Use the show vrrp-a command to view the Active/Standby status of the
ACOS devices: Note that Unit 1 is the Active device and its weight is
“65534” for VRID1:
AX(config)#show vrrp-a
vrid default
Unit State Weight Priority
2 (Local) Standby 65534 150 *
became Standby at: May 20 12:10:05 2013
for 0 Day,22 Hour,54 min
1 (Peer) Active 65534 150
vrid 1
Unit State Weight Priority
2 (Local) Standby 65534 150 *
became Standby at: May 20 12:20:05 2013
for 0 Day,22 Hour,54 min
1 (Peer) Active 65534 200
After an event results in a reduction of the weight, Unit 1 now has a weight
of “65334” for VRID1, and a failover was triggered that placed Unit 1 in a
Standby state:
AX(config)#show vrrp-a
vrid default
Unit State Weight Priority
2 (Local) Standby 65534 150 *
became Standby at: May 20 12:10:05 2013
for 0 Day,22 Hour,54 min
1 (Peer) Active 65534 150
vrid 1
Unit State Weight Priority
2 (Local) Active 65534 150 *
became Active at: May 20 12:10:05 2013
for 0 Day,22 Hour,54 min
1 (Peer) Standby 65334 200
After an event results in a reduction of the priority, Unit 1 now has a priority
of “1” for VRID1, and a failover was triggered that placed Unit 1 in a
Standby state:
AX(config)#show vrrp-a
vrid default
Unit State Weight Priority
2 (Local) Standby 65534 150 *
became Standby at: May 20 12:15:05 2013
for 0 Day,22 Hour,54 min
1 (Peer) Active 65534 150
vrid 1
Unit State Weight Priority
2 (Local) Active 65534 150
became Active at: May 20 12:15:05 2013
for 0 Day,22 Hour,54 min
1 (Peer) Standby 65534 1 *
After an event results in an increase in weight, Unit 1 and Unit 2 both have
an equal weight and priority, yet a failover is triggered based on the device
ID. For VRID1, Unit 1 is lower than Unit 2, it is now is in Active state
instead of the Standby state:
AX(config)#show vrrp-a
vrid default
Unit State Weight Priority
2 (Local) Standby 65534 150 *
became Standby at: May 20 12:10:05 2013
for 0 Day,22 Hour,54 min
1 (Peer) Active 65534 150
vrid 1
Unit State Weight Priority
2 (Local) Standby 65534 150 *
became Standby at: May 20 12:20:05 2013
for 0 Day,22 Hour,54 min
1 (Peer) Active 65534 150
The following graphic visually represents where tracking can be enabled for
an ACOS device:
To configure the policy-based failover feature using the GUI, follow these
steps:
1. Go to Config Mode > System > VRRP-A > Failover Policy Template.
The Failover Policy Template window appears.
2. Indicate the Name of the template you would like to create. You may
also assign a name for the template using the General sub-window.
3. Enter the events-based tracking options that will allow you to assign a
weight to every event. When the event occurs, the weight will reduce the
weight of the VRID and may cause a failover. Enter tracking events in
the Gateway, VLAN, Trunk, Interface, or Route tracking tabs:
a. In the General tab, enter the name you wish to assign to the template
that you are creating. If you have already created a template with a
name, it will be displayed here:
c. In the VLAN Tracking window, select the VLAN ID from the drop-
down list, assign a timeout value (indicating the duration to wait
before a VLAN is declared dead), and the weight for the VLAN that
will be reduced from the VRID when VRRP-A stops detecting traf-
fic on the VLAN. Click on Add:
d. In the Trunk Tracking window, enter a Trunk ID and the weight for
the trunk or for the individual physical ports. The weight you assign
will be reduced from the VRID in the event of a failure of the trunk
or any port that is being tracked. Click on Add:
f. In the Route Tracking window, select the IPv4 or IPv6 route in the
data route table that you wish to track. Indicate the Gateway (IPv4
or IPv6 address of the real server, distance to get to this route, proto-
col, and weight for that route that will be reduced from the VRID in
the event of a failure. Click on Add:
4. Click on OK. Your failover template will be listed in the main failover
template window.
2. Go to Monitor Mode > System > VRRP-A > Status to see information
on your VRRP-A configuration.
Failover Policy Templates can be configured using the CLI in either the
shared or the private partition.
Note: Only one template can be assigned to a VRID in either the shared or pri-
vate partition.
8. You can delete a template using the “no” form of the command when
you specify the name of the template you created:
[no] vrrp-a policy-template template name
This error message will occur when you try to delete a failover template.
The following example shows you how to attach the template called “tem-
plate 1” to VRID 1 in the shared partition:
AX(config)#vrrp-a vrid 1
AX(config-vrid)#fail-over-policy-template template1
To view a failover policy template for VRID1, look at the running configu-
ration. In the following example, see that VRID 1 is now associated with the
template called “interface.”
AX(config)#show run | section vrid 1
vrrp-a vrid 1
fail-over-policy-template interface
AX(config)#show vrrp-a
vrid default
Unit State Weight Priority
1 (Local) Active 65534 150
became Active at: May 20 12:04:05 2013
for 0 Day,22 Hour,54 min
2 (Peer) Standby 65534 150 *
vrid 1
Unit State Weight Priority
1 (Local) Standby 65334 150 *
became Standby at: May 20 12:04:05 2013
for 0 Day,22 Hour,54 min
2 (Peer) Active 65534 150
Detected local policy based fail over events:
interface ethernet 1 weight 200
If you specify the name of the template, the show vrrp-a fail-over-policy-
template command will display the contents of that template:
AX(config)#show vrrp-a fail-over-policy-template template1
vrrp-a fail-over-policy-template template1
interface ethernet 1 weight 200
gateway 20.20.20.20 weight 200
vlan 10 timeout 2 weight 200
trunk 1 priority-weight 200
route 20.20.20.0 255.255.255.0 weight 200
...
VRRP-A stats
Peer: 1, vrid default
Port 1: received 25685 missed 3
...
...
To view specific information on a particular VRID, you can use the show
vrrp-a config command and specify the name of the VRID:
AX(config)#show vrrp-a conf | section vrid 1
vrrp-a vrid 1
fail-over-policy-template template1
To view information on all the fail-over policy templates, you can use the
show vrrp-a fail-over-policy-template:
AX(config)#show vrrp-a fail-over-policy-template
vrrp-a fail-over-policy-template interface
interface ethernet 1 weight 200
vrrp-a fail-over-policy-template trunk
trunk 1 priority-weight 200
vrrp-a fail-over-policy-template gateway
gateway 41.41.41.20 weight 200
gateway 20.20.20.20 weight 50
vrrp-a fail-over-policy-template route
route 4.4.4.0 255.255.255.0 weight 200
vrrp-a fail-over-policy-template vlan
vlan 10 timeout 2 weight 200
vrrp-a fail-over-policy-template template1
interface ethernet 1 weight 200
gateway 20.20.20.20 weight 200
vlan 10 timeout 2 weight 200
trunk 1 priority-weight 200
route 20.20.20.0 255.255.255.0 weight 200
Depending on the ACOS series model, with the help of VRRP-A, aVCS can
support a maximum 7 additional blades. aVCS requires that all devices in
the same virtual switch have the same number of CPUs and are the same
ACOS device model.
Caution: If you use the system-reset command to restore an ACOS device to its
factory default state, the command affects all ACOS devices in the
virtual chassis. The command erases any saved configuration profiles
(including startup-config), as well as system files such as SSL certifi-
cates and keys, aFleX policies, black/white lists, and system logs. The
management IP address and admin-configured admin and enable
passwords are also removed. The only workaround is to reload the
system from a saved configuration or configure the device once again.
Overview
An aVCS virtual chassis contains multiple ACOS devices (Figure 61). The
vMaster acts as a controller for the other devices (vBlades), which function
as blades in the virtual chassis. Apart from individual device management
and VCS configurations, the vMaster can take care of the following opera-
tions:
• Synchronize configurations
• Synchronize certificates
• Synchronize keys
Configuration Management
When you make a configuration change on the vMaster, the vMaster sends
the configuration change to the running-config on each vBlade. For exam-
ple, if you create a new SLB server, the vMaster sends the server to the run-
ning-configs on each of the vBlades. When you save the configuration on
the vMaster, the vMaster writes the contents of its running-config to its
startup-config. Likewise, each vBlade’s running-config is saved to that
vBlade’s startup-config.
Once the virtual chassis is fully operational, all devices in the virtual chassis
have exactly the same set of configuration profiles. This includes the
startup-config and any custom configuration profiles.
Likewise, aVCS checks to ensure that the vBlade has the latest configura-
tion. If the vBlade’s configuration is not up-to-date, the vMaster updates the
vBlade’s configuration.
High Availability
High Availability (HA) is an ACOS feature that provides ACOS
device-level redundancy to ensure continuity of service to clients. In HA
configurations, ACOS devices are deployed in pairs. If one ACOS device in
the HA pair becomes unavailable, the other ACOS device takes over. For
more information on HA, refer to “High Availability” on page 267.
This release supports the same High Availability (HA) features supported in
previous releases. You can use either HA or VRRP-A with aVCS. If you use
HA, an aVCS virtual chassis can contain a maximum of only 2 devices. If
you use VRRP-A, an aVCS virtual chassis can contain a maximum of 8
devices.
Configuration Preferences
VRRP-A
The current release supports VRRP-A, providing device redundancy.
VRRP-A is the A10 Thunder Series and AX Series implementation of the
High Availability protocol that is completely different from the industry-
standard implementation of Virtual Router Redundancy Protocol (VRRP).
For purposes of operational familiarity, it borrows concepts from VRRP, but
is significantly different from VRRP. VRRP-A will not inter-operate with
VRRP.
In this release, VRRP-A, a High Availability (HA) implementation, is mutu-
ally exclusive of the HA feature and is configured separately and not as part
of the HA functionality.
vMaster Election
Each aVCS virtual chassis has a single vMaster that acts as a controller
module for the other devices (the vBlades). The devices in a virtual chassis
use a vMaster election process to elect the vMaster for the virtual chassis.
To understand when a vMaster will take over as the Active device, it is nec-
essary to understand different configuration scenarios that impact vMaster
selection for aVCS, for HA, for VRRP-A, and for aVCS with HA or VRRP-
A:
• aVCS First Time Deployment—With aVCS, when a vMaster and mul-
tiple vBlades are configured, for the first time deployment, set the VCS
device id and the VCS priority for each ACOS device. An ACOS device
will become the vMaster if the configured VCS priority among all the
other ACOS devices in the aVCS configuration is highest. If all the
ACOS devices in the aVCS configuration have the same VCS priority,
then the ACOS device with the lowest device ID will become the vMas-
ter. Each ACOS device in this case will be a stand-alone device, without
any active or standby pairs. The ACOS devices will function as 7 inde-
pendent ACOS devices. To avoid having to configure each individual
ACOS device separately, configure only one ACOS device that will
serve as the vMaster and automatically configure the remaining 7 ACOS
devices.
• HA Active/Standby Device Selection—Just like the previous scenario,
with two ACOS devices, one device configures the other device, how-
ever, the devices are no longer stand-alone devices. Instead, the HA con-
figuration will place one device as the Active device and the other as the
Standby device. In this case, the device with the higher priority will be
the designated as the vMaster.
• VRRP-A Active/Standby Device Selection—When VRRP-A is con-
figured, the Active device selection is based on two factors, weight and
priority, before electing an Active device that will have several Standby
devices ready to take over that role. An ACOS device will become an
Active or Standby device depending on the weight or priority of that
device. The weight of an ACOS device will always take precedence
over the priority. If we have a higher weight but a lower priority, the
ACOS device with the higher weight will be the Active. If the weight of
In summary, aVCS has its own configured priority and dynamic priority
for electing the vMaster not for electing the Active or Standby device.
Use the show vcs statistics command to display the configured and
dynamic priority.
VRRP-A has its own weight and priority algorithm to determine which
ACOS device is the Active or the Standby device, however, it does not
elect the vMaster. Use the show vrrp-a command to display the weight
and priority for the devices running VRRP-A. For details on how a
failover occurs based on weight or priority using a template, refer to
“Event Tracking for Weight and Priority” on page 430. You can force a
device to serve as a vMaster without dynamic election by temporarily
assigning it a higher priority.
First-Time Deployment
The first time you deploy a virtual chassis, the vMaster is elected based on
one of the following parameters:
• Priority – The device with the highest configured aVCS priority is
elected to be the vMaster. If you boot one of the devices first and allow
it to become the vMaster, the device remains the vMaster when the other
devices join the virtual chassis, even if the configured priority is higher
on another device. This is due to the dynamic priority value assigned by
aVCS. Figure 66 shows an example.
Dynamic Priority
The configurable aVCS priority is a static value in each device’s configura-
tion. After a virtual chassis becomes active, another priority value, the
dynamic priority, becomes the most important parameter when electing the
vMaster The device with the highest dynamic priority always becomes the
vMaster
The dynamic priority is not configurable. However, you can force a vBlade
to become the vMaster. (See “Forced vMaster Takeover” on page 463.)
At regular intervals (the heartbeat time interval), the vMaster sends heart-
beat messages to each of the vBlades, to inform them that the vMaster is
still up, as shown in Figure 67.
The default heartbeat time is 3 seconds. The default heartbeat dead interval
is 10 seconds. Both parameters are configurable.
After the links among the disconnected devices are restored, the devices
again use the vMaster election process to elect a vMaster Generally, the
vMaster that was in effect before the virtual chassis divided continues to be
the vMaster after the virtual chassis is rejoined, based on the device’s
dynamic priority value. (See “Dynamic Priority” on page 460.)
Note: For brevity, some commands are omitted from the illustration. For exam-
ple, in a working configuration, the vcs enable command normally would
appear in the configuration for each device, under the vrrp-a commands,
and the enable command would appear among the aVCS commands for
each device.
When a vBlade upgrades in this way, the new image replaces the older
image, in the same image area. For example, if the vBlade boots the older
image from the primary image area on the hard drive, the upgrade image
downloaded from the vMaster replaces the image in the primary image area.
When you connect to the virtual chassis’ management IP address, the con-
nection goes to the vMaster You can make configuration changes only on
the vMaster The vMaster automatically sends the changes to the vBlades.
The management session will change from the vMaster to the specified
vBlade. For additional information, refer to “aVCS CLI-session Manage-
ment Enhancements” on page 484.
Requirements
aVCS has the following requirements.
Layer 2 Connectivity
aVCS uses IP multicast. All ACOS devices in an aVCS virtual chassis must
be in the same Layer 2 broadcast domain.
This is especially important if you need to set the time ahead on the vBlade.
In this case, if you set the time ahead directly on a vBlade, that device
leaves, then rejoins the virtual chassis, and the change does not take effect.
aVCS Parameters
Table 23 lists the aVCS parameters you can configure using either the CLI
or the GUI. The current release adds support for aVCS configuration using
the GUI. For details, refer to in the “Using the GUI” section in “Deploying a
Virtual Chassis (first-time deployment only)” on page 471. The screens
show the parameters that are described in Table 23.
Caution: Use this procedure only for first-time deployment of aVCS. If you are
upgrading ACOS devices on which aVCS is already configured, see
“Upgrading a Virtual Chassis” on page 493.
1. On the ACOS device to be used as the vMaster, configure aVCS. (See
“Details for step 1” on page 472.)
Note: If you plan to use Layer 2/3 virtualization, do not configure it yet.
For first-time aVCS deployment only, perform the following steps on each
device.
1. Configure basic system settings:
• Management interface and default gateway
• Hostname
• Ethernet interfaces
• VLANs
• Routing
3. Enable aVCS.
Before you install aVCS, you must define the chassis-id and set-id. This can
be done using VRRP-A:
1. Go to Config Mode > System > VRRP-A -> Setting.
A partial view of the window that appears is shown below:
4. Click OK.
a. When the local device has been set, enable aVCS by clicking on the
aVCS Enabled check box. When you click on Enabled, an addi-
tional option to specify a vmaster-take-over value will appear.
Note: Note: If you receive a message indicating that there is currently an active
admin configuration session, you must clear the session before you can
continue with the configuration tasks described below.
2. Go to Config Mode > System > aVCS > Settings. A window will appear
that shows three major configuration sections: Chassis, Device, and
aVCS Action.
a. Enter the Floating IPv4 or IPv6 Address, the subnet Mask or Prefix
Length.
b. Click on Add. Your configuration will be added to the table below
your configuration fields.
c. Enter the Multicast IP address.
d. Enter the Multicast Port.
e. Enter the Time Interval.
f. Enter the Dead Interval.
g. Enter the Failure Retry Count. During the aVCS start up process,
the aVCS process may encounter some errors. Indicate the number
of times aVCS will retry before it gives up trying to enable aVCS.
h. Click on the SSL Enable checkbox to enable Secure Socket Layer
encryption.
i. Click on the vMaster-message-buffer checkbox to activate a buffer
for vMaster messages.
Note: You must enter the multicast IP address and the multicast port.
Note: You must enter a Device ID, allocate a Priority, and specify a Unicast Port
for that device.
a. Specify the Device ID.
b. Enter the Priority.
c. Enter the Unicast Port number.
d. Drag and drop interfaces from the Unselected window to the Elec-
tion Interface window. These are the interfaces on which you want
to enable VCS.
e. Click on Enabled.
f. Click on Add. Your configuration will be added to the table listed in
this section.
Selecting this checkbox will reload the ACOS device after configuration
is complete.
7. Click on OK.
In monitoring mode, from Monitor Mode > System > aVCS display aVCS
Summary, Statistics (similar to the output for the show vcs statistics CLI
command), or Images (similar to the output for the show vcs images CLI
command). Access the following aVCS Monitor pages to view the existing
aVCS configuration:
1. Go to Monitor Mode > System > aVCS > Summary. The following win-
dow will appear:
2. Go to Monitor Mode > System > aVCS > Statistics window to view the
different statistics displayed for the ACOS devices configured in an
aVCS setup.
3. Go to Monitor Mode > System > aVCS > Images. View the existing
software primary or secondary images that are available on the hard
disk or on the compact flash:
2. To specify the chassis ID and device ID, use the following VRRP-A
commands or HA command at the global configuration level of the CLI.
If using VRRP-A:
• vrrp-a set-id num
• vrrp-a device-id num
If using HA:
ha id {1 | 2} [set-id num]
4. To specify the floating interface for virtual chassis management, use the
following command at the global configuration level of the CLI:
[no] vcs floating-ip ipaddr
{subnet-mask | /mask-length}
The address must be in the same subnet as an IP interface configured on
the device. Make sure the address is not already assigned to another
device on the network.
Note: This command is required only if you want to make a specific device the
vMaster instead of allowing aVCS to select the device with the lowest
device ID as the vMaster. This value is important when dynamic priority
does not apply.
Commands on Device 1
To begin, the following commands configure the high availability set ID
and device ID:
AX-1#configure
AX-1(config)#vrrp-a set-id 1
AX-1(config)#vrrp-a device-id 1
The following command enables aVCS:
AX-1#vcs enable
The following command configures the management address for the virtual
chassis:
AX-1(config)#vcs floating-ip 192.168.100.169 /24
The following commands configure the aVCS profile for the device:
AX-1(config)#vcs device 1
AX-1(config-vcs-dev)#enable
AX-1(config-vcs-dev)#interfaces management
AX-1(config-vcs-dev)#priority 125
AX-1(config-vcs-dev)#exit
AX-1(config)#vcs reload
Commands on Device 2
AX-2#configure
AX-2(config)#vrrp-a set-id 1
AX-2(config)#vrrp-a device-id 2
AX-2#vcs enable
AX-2(config)#vcs floating-ip 192.168.100.169 /24
AX-2(config)#vcs device 2
AX-2(config-vcs-dev)#enable
AX-2(config-vcs-dev)#interfaces management
AX-2(config-vcs-dev)#priority 120
AX-2(config-vcs-dev)#exit
AX-2(config)#vcs reload
2. Use the following command at the global configuration level of the CLI:
[no] vcs vmaster-take-over temp-priority
The temp-priority value can be 1-255.
Unless you use this command on more than one vBlade, it does not mat-
ter which value within the range 1-255 you specify. (See “Temp-priority
Value” on page 482.)
Temp-priority Value
This command does not change the configured aVCS priority on the
vBlade. The command only temporarily overrides the configured priority.
If you enter this command on only one vBlade, you can specify any value
within the valid range (1-255). The takeover occurs regardless of priority
settings on the current vMaster
If you enter the vcs vmaster-take-over command on more than one vBlade,
the device on which you enter the highest temp-priority value becomes the
vMaster
If you enter the same temp-priority value on more than one vBlade, the
same parameters used for initial vMaster election are used to select the new
vMaster:
• The device with the highest configured aVCS priority is selected. (This
is the priority configured by the priority command at the configuration
level for the aVCS device.)
• If there is a tie (more than one of the devices has the same highest con-
figured aVCS priority), then the device with the lowest device ID is
selected.
In either case, the new vMaster is selected from among only the vBlades on
which you enter the vcs vmaster-take-over command.
To determine a device’s aVCS ID, use the show vcs summary command.
The device you are logged onto is indicated with an asterisk in the State col-
umn of the Members section.
• If you are logged directly onto a device through its management inter-
face or a data interface, the asterisk indicates the device.
• If you are logged onto the floating IP address of the virtual chassis, the
asterisk indicates the vMaster
(This is true unless you changed the device context of the management
session. In this case, you are logged onto the vBlade to which you
changed the device context. See “Virtual Chassis Management Inter-
face” on page 467.)
You also can determine the device ID by entering the following command:
show running-config | include local-device
For example, the following command indicates that the device you are
logged onto is aVCS device 2:
ACOS#show running-config | include local-device
vcs local-device 2
CLI Message for Commands That Affect Only the Local Device
This release provides an option that displays a message when you enter a
configuration command that applies to only the local device. When this
option is enabled, a message is displayed if you enter a configuration com-
mand that affects only the local device, and the command does not explic-
itly indicate the device.
Local Device
The “local device” is the device your CLI session is on.
• If you log directly onto one of the devices in the virtual chassis, that
device is the local device. For example, if you log on through the man-
agement IP address of a vBlade, that vBlade is the local device.
• If you change the device context or router content to another ACOS
device, that device becomes the local device.
• If you log onto the virtual chassis’ floating IP address, the vMaster is the
local device.
Message Example
The following command configures a static MAC address:
ACOS(config)#mac-age-time 444
This operation applied to device 1
The message is not necessary if you explicitly specify the device, and there-
fore is not displayed:
ACOS(config)#mac-age-time 444 device 2
ACOS 2.7.1 allows the device designated as the aVCS master (vMaster) in
a cluster to failover when the device serving as the Active device running
VRRP-A fails over to the Standby device. When the Standby device
assumes the role as the Active device, it will also automatically serve as the
vMaster for the aVCS cluster. This ensures that the device that assumes
master configuration also serves as the active data path. Configuring the
VRID affinity will cause the aVCS master to stay with a selected VRID.
This capability provides deterministic behavior on the location of the aVCS
master and the unit processing traffic for a particular VRRP-A VRID. It also
provides better control to effectively utilize available bandwidth and facili-
tates troubleshooting efforts.
The GUI does not allow you to configure a master affinity to the Active
device running VRRP-A.
On each device that is part of the aVCS cluster, including the Active device,
issue the following command:
[no] affinity-vrrp-vrid vrid-group
Where vrid-group stands for the VRRP-A VRID status that you want this
mastership affinity to follow. The default VRID is 0. You can specify a
group of 1-31.
Command Example
ACOS-Active-vMaster[1/1](config)#vcs
ACOS-Active-vMaster[1/1](config)#vcs device 1
ACOS-Active-vMaster[1/1](config-vcs-dev)#?
affinity-vrrp-vrid vmaster affinity to vrid active
clear Clear or Reset Functions
do To run exec commands in config mode
enable Enable device
end Exit from configure mode
exit Exit from configure mode or sub mode
interfaces Interfaces over which election protocol runs
To verify your configuration, use the show running command. The follow-
ing excerpt of a running configuration displays your aVCS VRID affinity
configuration:
AX3200-12-1-Active-vMaster[1/1]#show running
...
vrrp-a device-id 1
vrrp-a set-id 1
vcs enable
vcs vMaster-id 1
vcs config-info 8872749ff5b45e57 1790
vcs chassis-id 1
vcs floating-ip 192.168.19.254 /24
vcs multicast-ip 224.0.0.210
vcs failure-retry-count -1
vcs device 1
priority 127
interfaces ve 19
enable
This release provides a new show command option, active-vrid, that dis-
plays information for the active VRRP-A device. This option is useful in
aVCS deployments that also use VRRP-A.
In some cases, the information can differ depending on whether the vMaster
is also the active VRRP-A device.
Note: The active-vrid option is displayed in the CLI help only if aVCS and
VRRP-A both are enabled. Otherwise, the option is inapplicable and is
not displayed.
Examples
The following examples show how the output can differ depending on
whether the vMaster is also the active VRRP-A device. They also show use
of the active-vrid option.
All of the commands are entered in the CLI session on the virtual chassis’s
floating IP address.
Since neither the device nor the active-vrid option is used, by default the
ARP table of the vMaster is displayed. In the following example, a failover
has occurred. The vMaster is a standby VRRP-A device instead of the
active device.
ACOS-Standby-vMaster[1/1]#show arp
Total arp entries: 2 Age time: 300 secs
IP Address MAC Address Type Age Interface Vlan
---------------------------------------------------------------------------
192.168.18.1 aaaa.aaaa.aaaa Dynamic 11 Management 1
192.168.18.120 bbbb.bbbb.bbbb Dynamic 253 Management 1
Notice that the ARP entries are the same. The information is still from the
vMaster.
In the current release and previous releases, you can use show commands to
determine which device is the active VRRP-A device for a VRID, then use
the device option with the show command to display the information from
the active VRRP-A device. The active-vrid option provides a simpler way
to access the information, as shown in the following example:
ACOS-Standby-vMaster[1/1]#show arp active-vrid default
Total arp entries: 2 Age time: 300 secs
IP Address MAC Address Type Age Interface Vlan
---------------------------------------------------------------------------
192.168.20.11 cccc.cccc.cccc Dynamic 15 Management 1
192.168.20.13 dddd.dddd.dddd Dynamic 257 Management 1
This output shows the ARP table on the active VRRP-A device for the
default VRID. The CLI prompt does not change, because the CLI session is
still on the virtual chassis’ floating IP address, which is managed by the
vMaster. The information, however, comes from the active device for the
VRID.
In both sets of output, the counters for request packets and response packets
are the same, indicating that the statistics come from the same ACOS
device, which is the vMaster.
Note: After configuring this option for an ACOS device, if you disable aVCS on
that device, the running-config is automatically updated to continue using
the same syscontact value you specified for the device. You do not need to
reconfigure the syscontact on the device after disabling aVCS.
The current release does not support this option in the GUI.
Use the following command at the global configuration level of the CLI:
This release provides a new aVCS option that allows the vMaster to briefly
be placed into maintenance, without triggering failover of the vMaster role
to a vBlade. During the maintenance window, the vBlades continue to oper-
ate, without attempting to failover to the vMaster role.
The default length of the maintenance window is 60 seconds. You can set it
to 0-3600 seconds.
To change the length of the vMaster maintenance window, use the following
command at the global configuration level of the CLI:
Without message buffering, in case there is a short period of time that vMas-
ter and vBlade lose communication, and during that period of time there is
configuration done on vMaster, after vBlade comes back and finds out the
configuration is out of date, the vBlade asks for the whole configuration
from the vMaster, and reloads itself.
With message buffering, when the vBlade comes back, instead of getting
the whole configuration from the vMaster, the vBlade gets only the incre-
mental changes, which are buffered on the vMaster. In this case, the vBlade
does not need to reload.
Message buffering is disabled by default. When you enable it, you can spec-
ify the following settings:
• Maximum number of seconds a configuration change message can be
buffered – This can be 0-900 seconds. The default is 90 seconds.
• Maximum number of messages that can be buffered – This can be
15-180 messages, and is 30 by default.
no vcs vMaster-message-buffer
Note: If a device has already been a member of a virtual chassis, the device can
not be added to a new virtual chassis.
3. Connect the configured ACOS device to the Layer 2 network that con-
tains the other virtual chassis members.
4. Configure aVCS settings on the new device and reload aVCS. (See
“CLI Example” below.)
Note: Do not use the disable-merge option when you reload aVCS. This option
is used only when replacing an existing virtual chassis member with a
new device. (See “Replacing a Device in a Virtual Chassis” on page 500.)
For detailed information on how to perform a staggered upgrade for VCS,
refer to “Staggered Upgrade (with VRRP-A)” and “Staggered Upgrade
with no VRRP-A)” in the Release 2.7.0 Release Notes. Staggered upgrade
allows you to perform an upgrade without impacting service.
Overview
Figure 73 shows the process that occurs when you add an ACOS device that
is already configured to a virtual chassis.
The following process occurs when you add a previously configured ACOS
device to a virtual chassis:
1. The previously configured ACOS device (labelled “Configured Device”
in the figure) is connected to the virtual chassis network at Layer 2.
An admin then configures aVCS settings on the previously configured
device and reloads aVCS.
The aVCS reload causes the device to send its aVCS configuration and
its device-specific configuration to the vMaster.
Procedure
CLI Example
The following commands configure aVCS settings on a configured ACOS
device to be added to a virtual chassis, and reload aVCS to activate the
aVCS configuration:
AX-3#configure
AX-3(config)#vrrp-a set-id 1
AX-3(config)#vrrp-a device-id 3
AX-3#vcs enable
AX-3(config)#vcs floating-ip 192.168.100.169 /24
AX-3(config)#vcs device 3
AX-3(config-vcs-dev)#enable
AX-3(config-vcs-dev)#interfaces management
AX-3(config-vcs-dev)#priority 197
AX-3(config-vcs-dev)#exit
AX-3(config)#vcs reload
Following the reload of aVCS, the ACOS device joins the virtual chassis as
a vBlade, and its configuration information is migrated to the virtual chas-
sis’ vMaster
Following the reload of aVCS, the ACOS device joins the virtual chassis as
a vBlade, and receives its configuration information from the virtual chas-
sis’ vMaster.
This user-configurable prompt allows you to add or remove the device host-
name, the aVCS chassis device ID, the aVCS status, the VRRP-A status, or
the HA status. Configuring a prompt is optional. If all the five options are
configured, an example of a prompt may say AX1030-vMaster[7/1](con-
fig)#.
In the above command, you may configure one or more options. The man-
datory keywords represent one of the following:
• hostname—Display the device serial number of the device in the
prompt. This can be AX 2600 or ACOS 6430.
Note: The aVCS Chassis ID and the aVCS Device ID are configurable as part of
the prompt if aVCS is running. The prompt that you specify will be syn-
chronized and reflected on all the other devices in the aVCS set.
Use the show vcs summary or show ha detail commands to view the ter-
minal prompts that will be displayed.
If your device is running aVCS and HA, you can configure the following
commands. With each configuration entry, see how the terminal prompt
changes. The prompt additions appear in bold font:
ACOS(config)#terminal prompt hostname vcs-status
AX1030-vMaster(config)#show run | sec prompt
terminal prompt hostname vcs-status
To view the aVCS status and chassis device ID, use the following com-
mand:
ACOS(config)#terminal prompt vcs-status chassis-device-id
vMaster[1/1](config)#
To view the aVCS status, chassis device ID, VRRP-A or HA status, and the
hostname, use the following command:
ACOS(config)#terminal prompt vcs-status chassis-device-id ha-status
hostname
AX1030-Active-vMaster[7/1](config)#
If the device is in a forced standby state, you will see the following prompt:
AX1030(config)#terminal prompt ha-status
ForcedStandby(config)#
Use the show terminal command to view the terminal prompt format.
By default, all prompts are displayed. So, if you revert from a configured
prompt to a default prompt, you will see the following results:
AX1030-vMaster(config)#no terminal prompt
AX1030-Active-vMaster[1/1](config)#show terminal
Terminal prompt format: hostname ha-status vcs-status chassis-device-id
You can use the ACOS Virtual Chassis System (aVCS) feature to provide
automated configuration synchronization in HA or VRRP-A deployments,
even if you do not plan to use any other aVCS features. Use of aVCS for
configuration synchronization provides the following benefits over using
the manual HA configuration synchronization options:
• aVCS configuration synchronization is automatic and occurs in real
time. Each configuration change is synchronized to the other ACOS
device(s) as soon as the change occurs.
• Reload is not required.
Note: The solution described in this chapter is supported only for two-device
HA deployments.
Commands on Device 1
To begin, the following command enables aVCS:
AX-1#vcs enable
The following commands configure the high availability set ID and device
ID:
AX-1#configure
AX-1(config)#vrrp-a set-id 1
AX-1(config)#vrrp-a device-id 1
The following commands configure the aVCS profile for the device.
AX-1(config)#vcs device 1
AX-1(config-vcs-dev)#priority 110
AX-1(config-vcs-dev)#interfaces management
AX-1(config-vcs-dev)#interfaces ethernet 1
AX-1(config-vcs-dev)#enable
AX-1(config-vcs-dev)#exit
The priority command helps identify this ACOS device as the preferred
vMaster. Use a higher priority value on this device than on the second
device.
The following commands save the changes and activate the aVCS configu-
ration.
AX-1(config)#write memory
AX-1(config)#vcs reload
Commands on Device 2
AX-2#vcs enable
AX-2#configure
AX-2(config)#vrrp-a set-id 1
AX-2(config)#vrrp-a device-id 2
AX-2(config)#vcs floating-ip 192.168.209.23 /24
AX-2(config)#vcs device 2
AX-2(config-vcs-dev)#priority 100
AX-2(config-vcs-dev)#interfaces management
AX-2(config-vcs-dev)#interfaces ethernet 1
AX-2(config-vcs-dev)#enable
AX-2(config-vcs-dev)#exit
AX-2(config)#write memory
AX-2(config)#vcs reload
Note: When you enter the vcs reload command on the second device, it receives
non-device-specific configuration information from the first device. This
occurs if the first device already has become the vMaster for the aVCS
virtual chassis.
Commands on Device 1
AX-1#vcs enable
AX-1#configure
AX-1(config)#ha id 1 set-id 1
AX-1(config)#vcs floating-ip 192.168.209.23 /24
AX-1(config)#vcs device 1
AX-1(config-vcs-dev)#priority 110
AX-1(config-vcs-dev)#interfaces management
AX-1(config-vcs-dev)#interfaces ethernet 1
AX-1(config-vcs-dev)#enable
AX-1(config-vcs-dev)#exit
AX-1(config)#write memory
AX-1(config)#vcs reload
Commands on Device 2
AX-2#vcs enable
AX-2#configure
AX-2(config)#ha id 2 set-id 1
AX-2(config)#vcs floating-ip 192.168.209.23 /24
AX-2(config)#vcs device 2
AX-2(config-vcs-dev)#priority 100
AX-2(config-vcs-dev)#interfaces management
AX-2(config-vcs-dev)#interfaces ethernet 1
AX-2(config-vcs-dev)#enable
AX-2(config-vcs-dev)#exit
AX-2(config)#write memory
AX-2(config)#vcs reload
This chapter describes Network Address Translation (NAT) and how to con-
figure it. NAT translates the source or destination IP address of a packet
before forwarding the packet.
Note: This chapter does not include information about NAT features for Server
Load Balancing (SLB) or for IPv6 migration.
Note: If you use the older implementation of High Availability (HA), only half
the protocol ports on each NAT IP address are available at a given time.
This is because the ACOS device allocates half the ports to one of the
ACOS devices in the HA pair and the other half to the other ACOS
device. This does not occur with VRRP-A. If you use VRRP-A, all the
protocol ports on NAT addresses are available.
Overview
The ACOS device supports traditional, Layer 3 IP source NAT. IP source
NAT translates internal host addresses into routable addresses before send-
ing the host’s traffic to the Internet. When reply traffic is received, the
ACOS device then retranslates addresses back into internal addresses before
sending the reply to the client.
Note: The ACOS device enables you to specify the default gateway for an IP
source NAT pool to use. However, the pool’s default gateway can be used
only if the data route table already has either a default route or a direct
route to the destination of the NAT traffic. In this case, the pool’s default
gateway will override the route, for NAT traffic that uses the pool.
If the data route table does not have a default route or a direct route to the
NAT traffic destination, the pool’s default gateway can not be used. In this
case, the NAT traffic can not reach its destination.
3. Enable inside source NAT and map the ACL to the pool.
3. To enable inside source NAT and map the ACL to the pool:
a. Select Config Mode > IP Source NAT, if not already selected.
b. Select Binding on the menu bar.
c. Select the ACL number from the ACL drop-down list.
d. Select the pool ID from the NAT Pool drop-down list.
e. Click Add. The new binding appears in the ACL section.
f. Click OK.
or
Note: The ha-use-all-ports option applies only to DNS virtual ports. Using this
option with other virtual port types is not valid. (For information about
this option, see the CLI Reference.)
3. To enable inside source NAT and map the ACL to the pool, use the fol-
lowing command:
ip nat inside source list acl-name
pool {pool-name | pool-group-name}
CLI EXAMPLE
The following command enables inside source NAT and associates the ACL
with the pool:
ACOS(config)#ip nat inside source list 1 pool pool1
The following commands enable inside source NAT on the interface con-
nected to the internal hosts:
ACOS(config)#interface ethernet 4
ACOS(config-if:ethernet4)#ip nat inside
Note: The GUI supports configuring a static NAT range but does not support
configuring individual mappings.
1. To configure the static translations of internal host addresses to external
addresses:
a. Select NAT Range on the menu bar.
b. Click Add.
c. Enter a name for the range.
d. Select the address type (IPv4 or IPv6)
e. In the From fields, enter the first (lowest numbered) address and
network mask in the range of inside host addresses to be translated.
f. In the To field, enter the first (lowest numbered) address and net-
work mask in the range of external addresses into which to translate
the inside host addresses.
g. In the Count field, enter the number of addresses to be translated.
h. To apply HA to the addresses, select the HA group.
i. Click OK.
2. If you used the ip nat inside source command, enter the following com-
mand at the global configuration level of the CLI, to enable static NAT
support:
ip nat allow-static-host
Note: This step is not required if you use a static source NAT range list instead.
CLI EXAMPLE
The ACOS device is deployed between PPTP clients and the VPN server
(VPN Server using PPTP). The ACOS device interface connected to the
PPTP clients is enabled for inside source NAT. The ACOS device interface
connected to the VPN server is enabled for outside source NAT.
Each client runs a PPTP Network Server (PNS). To set up a VPN session,
the PNS sends an Outgoing-Call-Request to the PPTP Access Concentrator
(PAC), which is the VPN server. The destination TCP port is the PPTP port
(1723 by default). The request includes a Call ID that the PNS chooses.
Because multiple clients may share the same NAT address, the ACOS
device must ensure that clients do not share the same Call ID as well. There-
fore, the ACOS device assigns to each client a NAT Call ID (analogous to a
NAT source port for TCP) and modifies the Outgoing-Call-Request to use
the NAT Call ID instead.
On the ACOS device, the GRE session is created after the PNS sends its
reply. In the GRE session, the Call ID is used as the Layer 4 port, instead of
a TCP/UDP port number. (See the example of show session output in “CLI
Example” on page 523.)
After the Call IDs are exchanged, the client and server encapsulate VPN
subnet traffic in a GRE tunnel. The GRE tunnel packets are sent under nor-
mal IP between 10.1.1.1 and 10.3.3.2. A GRE packet for PPTP uses a Call
ID in the same way as a TCP or UDP destination port. Therefore, GRE
packets from the server (10.3.3.2) will use the NAT Call ID. The ACOS
device translates the NAT Call ID back into the client’s original Call ID
before sending the packet to the client.
Note: One GRE session is supported per control session, which means one call
at a time is supported. In practice, PPTP is used only for VPNs, in which
case multiple concurrent calls do not occur.
Note: In the current release, NAT ALG support for PPTP can not be disabled or
re-enabled using the GUI.
First, to configure the ACL, use the following command at the global con-
figuration level of the CLI:
access-list acl-num permit
source-ipaddr {filter-mask | /mask-length}
Note: The ACL must permit IP traffic. The syntax above is for a standard ACL.
If you plan to use an extended ACL instead, make sure to use the ip
option, instead of icmp, tcp, or udp.
To configure the IP address pool, use the following command at the global
configuration level of the CLI:
ip nat pool pool-name start-ipaddr end-ipaddr
netmask {subnet-mask | /mask-length}
[gateway ipaddr] [ha-group-id group-id]
To enable or disable NAT ALG support for PPTP, use the following com-
mand at the global configuration level of the CLI:
ip nat alg pptp {enable | disable}
The feature is enabled by default. The default protocol port number is 1723
and can not be changed.
CLI Example
The commands in this section implement the NAT ALG for PPTP configu-
ration shown in Figure 82 on page 520.
The following commands specify the inside NAT interface and the outside
NAT interface.
ACOS(config)#interface ethernet 1
ACOS(config-if:ethernet1)#ip address 10.2.2.254 255.255.255.0
ACOS(config-if:ethernet1)#ip nat inside
ACOS(config-if:ethernet1)#interface ethernet 2
ACOS(config-if:ethernet2)#ip address 10.3.3.254 255.255.255.0
ACOS(config-if:ethernet2)#ip nat outside
---------------------------------------------------------------------------------------
--------------------
This example shows the GRE session and the TCP session over which the
GRE session is transported. For the GRE session, the number following
each IP address is the PPTP Call ID. For the TCP session, the number is the
TCP protocol port.
There are no GUI or CLI changes for this enhancement. The only change is
in the supported ranges.
Optionally, you can change the allocation method to IP round robin. The IP
round robin allocation method provides a more even distribution of address
selection, by selecting pool IP addresses in round robin fashion.
On the configuration page for the pool, select the IP-RR option.
The default timeout for IP NATted ICMP sessions, as well as UDP sessions
on port 53 (DNS), is set to the SLB maximum session life (MSL), which is
2 seconds by default.
Note: Fast aging applies to sessions between internal clients and external
resources, in cases where the ACOS device performs IP NAT translation
of the client addresses. This type of traffic is not SLB traffic between cli-
ents and a VIP configured on the ACOS device. For SLB DNS traffic,
short aging based on the MSL time is the default aging mechanism.
To display the timeout that will be used for IP NATted sessions, use the fol-
lowing command:
show ip nat timeouts
To change the IP NAT translation timeout for ICMP, use the following com-
mand:
[no] ip nat translation icmp-timeout
{seconds | fast}
To change the IP NAT translation timeout for a UDP port, use the following
command:
[no] ip nat translation service-timeout
udp port-num {seconds | fast}
The fast option sets the timeout to the SLB MSL timeout, for the specified
UDP port.
You can set the timeout for UDP sessions to a value in one of the following
ranges:
• 2-31 seconds – The timeout takes place very rapidly, as close to the con-
figured timeout as possible.
• 32-12000 seconds – The timeout value must be divisible by 60, and can
be a minimum of 1 minute. If the timeout is set to a value in the range
32-59, the timeout value is rounded up to 60. Values in the range
61-11999 are rounded down to the nearest multiple of 60.
CLI Example
The message at the bottom of the display indicates that the fast aging setting
(SLB MSL timeout) will be used for IP NATted UDP sessions on port 53. If
the message is not shown in the output, then the timeout shown under
“UDP” will be used instead.
The TIME-WAIT state lasts up to twice the MSL. On some older TCP/IP
stacks, this can result in a wait of up to 240 seconds (4 minutes) after a FIN
before the endpoint can enter a new connection.
To help reduce the time between connections for these endpoints, you can
set the MSL on individual source NAT pools. You can set the MSL to 1-
1800 seconds.
Note: The current release supports this feature for IPv4 source NAT pools, and
for virtual ports on IPv4 or IPv6 VIPs. The current release does not sup-
port this feature for IPv6 source NAT pools. For information about con-
figuring this feature for virtual ports, see the “Network Address
Translation for SLB” chapter in the Application Delivery and Server Load
Balancing Guide.
CLI Example
The following commands configure custom MSL values for system-level
source NAT:
ACOS(config)#access-list 123 permit tcp host 192.168.20.102 any eq 22
ACOS(config)#access-list 124 permit tcp host 192.168.20.102 any eq 80
ACOS(config)#ip nat pool ronpool 192.168.20.105 192.168.20.105 netmask /24
ACOS(config)#ip nat inside source list 123 pool ronpool msl 23
ACOS(config)#ip nat inside source list 124 pool ronpool msl 48
In this configuration, the ACOS device will initiate health checks using the
last IP address in the pool as the source IP address. In this example, the
ACOS device will use IP address 173.168.10.25. In addition, the ACOS
device will only respond to control traffic directed to 173.168.10.25 from
the 173.168.10.0/24 subnet.
• The ACOS device does not have any data interfaces or routes that con-
tain an address within the subnet of the range list's global address(es).
To work around this issue, configure an IP interface that is within the NAT
range list’s global subnet. You can configure the address on any active data
interface on the ACOS device.
This issue does not affect NATted traffic other than ICMP or UDP traffic, or
use of an ACL with a NAT pool.
IP NAT in HA Configurations
If you are using IP source NAT or full NAT in an HA configuration, make
sure to add the NAT pool or range list to an HA group. Doing so allows a
newly Active ACOS device to properly continue management of NAT
resources following a failover.
In the GUI, you can select the HA group from the HA Group drop-down list
on the following configuration tabs:
• Config Mode > IP Source NAT > IPv4 Pool
In the CLI, the ha-group-id option is supported with the following NAT
commands:
2. For each pool, configure a Limit ID (LID) and add the pool to the LID.
The start-ipaddr and end-ipaddr options specify the beginning and ending
public IP addresses in the range to be mapped to internal addresses. The
netmask option specifies the subnet mask or mask length for the addresses.
Configure LIDs
A Limit ID (LID) assigns a numeric ID to a NAT pool. To configure a LID,
use the following commands:
After the class list is configured, import it onto the ACOS device, using the
following command at the Privileged EXEC or global configuration level of
the CLI:.
import class-list file-name url
The file-name specifies the name the class list will have on the ACOS
device. The url specifies the file transfer protocol, username (if required),
and directory path.
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
The file option saves the class list as a separate file. Without this option, the
class list is instead saved in the startup-config. The file option is valid only
when you create the class list. After you create the list, the list remains
either in the startup-config or in a separate file, depending on whether you
use the file option when you create the list.
Note: If the class list contains 100 or more entries, as is likely with this feature,
it is recommended to use the file option.
A class list can be exported from the ACOS device only if you use the file
option.
The class-list command creates the class list if it is not already configured,
and changes the CLI to the configuration level for the list.
[no] ipaddr /network-mask glid num
• To add an entry to the class list, use the command without “no”.
• To modify an entry, use the command without “no”. Use the same
source IP address as the entry to replace. Entries are keyed by source IP
address.
• To delete an entry, use “no” followed by the source IP address.
Configuration Example
The commands in this example configure dynamic NAT with more than 100
pools.
Class List
This example uses the following class list:
10.10.10.1 /32 glid 1
10.10.10.2 /32 glid 2
10.10.10.3 /32 glid 3
10.10.10.4 /32 glid 4
10.10.10.5 /32 glid 5
10.10.10.6 /32 glid 6
...
10.10.10.254 /32 glid 254
For brevity, this example and the CLI example do not show LIDs or pools
7-253.
This example uses mask length /32 for each entry, which uses a separate
LID (and therefore, a separate pool) for each individual host. The entries are
not required to be for individual hosts. For example, the following entry
assigns all hosts in subnet 10.10.20.x to LID 10:
10.10.10.0 /24 glid 10
By default, the ACOS device uses data interfaces as the source for manage-
ment traffic. Optionally, you can configure the device to use only the fol-
lowing types of interfaces as the source for management traffic:
• Management interface
• Loopback interface
Route Tables
The ACOS device uses separate route tables for management traffic and
data traffic.
• Management route table – Contains all static routes whose next hops are
connected to the management interface. The management route table
also contains the route to the device configured as the management
default gateway.
• Main route table – Contains all routes whose next hop is connected to a
data interface. These routes are sometimes referred to as data plane
routes. Entries in this table are used for load balancing and for Layer 3
forwarding on data ports.
This route table also contains copies of all static routes in the manage-
ment route table, excluding the management default gateway route.
The ACOS device automatically will use the management route table for
reply traffic on connections initiated by a remote host that reaches the
ACOS device on the management port. For example, this occurs for SSH or
HTTP connections from remote hosts to the ACOS device.
Note: Static routes whose next hop is the management interface are duplicated
in the management route table.
• SNMPD
• NTP
• RADIUS
• TACACS+
• SMTP
For example, when use of the management interface as the source interface
for control traffic is enabled, all log messages sent to remote log servers are
• Backups
Caution: If you enable this feature, then downgrade to AX Release 1.2.4 or ear-
lier, it is possible to lose access to the ACOS device after you down-
grade. This can occur if you configure an external AAA server
(TACACS+ server) to authorize CLI commands entered on the
ACOS device, and the TACACS+ server is connected to the ACOS
device through the management default gateway.
If this is the case, before you downgrade, remove the TACACS+ con-
figuration from the ACOS device. After you downgrade, you can re-
add the configuration, but make sure the TACACS+ server can be
reached using a route other than through the management default
gateway.
By default, use of the management interface as the source interface for auto-
mated management traffic is disabled.
To enable it, use the following command at the configuration level for the
management interface:
[no] ip control-apps-use-mgmt-port
Here is an example:
ACOS(config-if:management)#ip control-apps-use-mgmt-port
To use the management interface as the source interface for manually gener-
ated management traffic, use the use-mgmt-port option.
Show Commands
show techsupport [[use-mgmt-port] export url]
[page]
You can enable use of a specific loopback interface as the source for one or
more of the following management traffic types:
• FTP
• NTP
• RCP
• SNMP
• SSH
• SYSLOG
• Telnet
• TFTP
• Web
FTP, RCP, and TFTP apply to file export and import, such as image
upgrades and system backups.
Telnet and SSH apply to remote login from the ACOS device to another
device. They also apply to RADIUS and TACACS+ traffic. SSH also
applies to file import and export using SCP.
Limitations
The current release has the following limitations related to this feature:
• Floating loopback interfaces are not supported.
The current release does not support configuration of this feature using the
GUI.
To apply the command only to a specific type of traffic (SNMP, NTP, and so
on), use the option for that traffic type. To apply the command to all man-
agement traffic types, use the all option.
CLI Example
The following commands configure an IP address on loopback interface 2:
ACOS(config)#interface loopback 2
ACOS(config-if:loopback2)#ip address 10.10.10.66 /24
ACOS(config-if:loopback2)#exit
The following command configures the ACOS device to use loopback inter-
face 2 as the source interface for management traffic of all types listed
above:
ACOS(config)#ip mgmt-traffic all loopback 2
Boot Options
This chapter describes how to display or change the storage area from
which the ACOS device boots.
Note: This chapter does not describe how to upgrade the system image. For
upgrade instructions, see the release notes for the release to which you
plan to upgrade.
Storage Areas
The ACOS device has four storage areas (also called “image areas”) that
can contain software images and configuration files:
• Primary storage on the Solid State Drive (SSD) or disk
The SSD or disk storage areas are used for normal operation. The compact
flash storage areas are used only for system recovery.
Note: In this document, references to SSD can refer to the hard disk in some
older ACOS devices.
Unless you change the storage area selection or interrupt the boot sequence
to specify a different storage area, the ACOS device always uses the same
storage area each time the device is rebooted.
Note: The ACOS device always tries to boot using the SSD or disk first. The
compact flash is used only if the SSD or hard disk is unavailable. If you
need to boot from compact flash for system recovery, contact A10 Net-
works.
The first page that is displayed when you log onto the GUI is the Summary
page (see Figure 85). The following graphic lists the software image ver-
sions installed in each of the storage areas (that is part of the Summary
page).
System
Images
Above the highlighted fields, the Startup Mode field lists the storage area
used for the most recent reboot. The Software Version field lists the cur-
rently running software version.
The show version command shows storage area information. The command
also lists other information, including the currently running software ver-
sion.
ACOS#show version
AX Series Advanced Traffic Manager AX2500
Copyright 2007-2013 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
Note: The ACOS device always tries to boot using the SSD or disk first. The
compact flash is used only if the SSD or hard disk is unavailable. If you
need to boot from compact flash for system recovery, contact A10 Net-
works.
In the following example, the ACOS device is configured to boot from the
primary storage area on the SSD or disk:
ACOS#show bootimage
(* = Default)
Version
-----------------------------------------------
Hard Disk primary 2.7.1-P2.29 (*)
Hard Disk secondary 2.6.6-GR1.50
Compact Flash primary 2.4.3-P8-SP3.2 (*)
Compact Flash secondary 2.4.3-P8-SP3.2
To reboot from a different image within the same storage device (SSD or
CF), do one of the following:
• Interrupt the boot sequence and use the bootloader menu to temporarily
select the other storage area.
• Configure the ACOS device to use the other storage area for all future
reboots, then reboot.
When the bootloader menu appears, use the Up and Down arrow keys to
select the image area from which to boot, and press Enter. The menu does
not automatically time out. You must press Enter to reboot using the
selected image.
Caution: Each storage area has its own version of the startup-config. When
you save configuration changes, they are saved only to the startup-
config in the storage area from which the ACOS device was booted.
If you plan to reboot from a different storage area, but you want to
use the same configuration, first save the configuration to the other
storage area. (The procedures in “Permanently Changing the Storage
Location for Future Reboots” on page 552 include steps for this.)
Note: The bootloader menu is available on new ACOS devices that are shipped
with AX Release 2.6.1 or later. However, the bootloader menu is not auto-
matically installed when you upgrade from a release earlier than 2.6.1. To
install the bootloader menu on upgraded devices, see the AX Release
# # ### # #
# # ## # # ## # ###### ##### # # #### ##### # # ####
# # # # # # # # # # # # # # # # # # # #
# # # # # # # # ##### # # # # # # # #### ####
####### # # # # # # # # # ## # # # ##### # # #
# # # # # # ## # # ## ## # # # # # # # #
# # ##### ### # # ###### # # # #### # # # # ####
Copyright 2005-2011 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
-------------------------------------------------------------------
0: ACOS (Primary Image)
1: ACOS (Secondary Image)
-------------------------------------------------------------------
Use the Up and Down arrow keys to select the image from which to boot.
Press enter to boot the selected image.
Highlighted entry is 1:
Booting........................[OK]
ACOS login:
Note: The procedures in this section change the storage area selection for all
future reboots (unless you later change the selection again). If you only
need to temporarily override the storage area selection for a single reboot,
see “Temporarily Changing the Boot Image for the Next Reboot” on
page 550.
Caution: Each storage area has its own version of the startup-config. When
you save configuration changes, they are saved only to the startup-
config in the storage area from which the ACOS device was booted.
If you plan to reboot from a different storage area, but you want to
use the same configuration, first save the configuration to the other
storage area. The procedures in this section include a step for this.
2. Copy the startup-config to the storage area you plan to use for the next
reboot:
a. Select Config Mode > System > Config.
b. Click one of the following:
• Primary Startup – This option selects the startup-config in the
primary storage area of the SSD or hard drive. Click this link if
you plan to use the primary storage area for the next reboot.
• Secondary Startup – This option selects the startup-config in the
secondary storage area of the SSD or hard drive. Click this link
if you plan to use the secondary storage area for the next reboot.
Note: You can select the storage area for the SSD or hard disk and for the com-
pact flash. However, the ACOS device always tries to boot using the SSD
or hard disk first. The compact flash is used only if the SSD or hard disk
is unavailable.
2. Copy the startup-config to the storage area you plan to use for the next
reboot. Use the following command:
write memory {primary | secondary}
• primary – Select this option if the secondary storage area is the one
the ACOS device was booted from, and you plan to boot from the
primary storage area next time.
• secondary – Select this option if the primary storage area is the one
the ACOS device was booted from, and you plan to boot from the
secondary storage area next time.
Note: This command is available at the global configuration level of the CLI.
• The hd | cf option specifies whether you are selecting a storage area
on the SSD or hard drive, or the compact flash.
• The pri | sec option specifies whether the ACOS device first tries to
boot using the image in the primary image area or the secondary
image area.
CLI Example
In this example, the ACOS device was booted from the primary storage
area, and will be configured to use the secondary image area for future
reboots.
The following command displays the current setting for the storage area to
use for reboots:
ACOS#show bootimage
(* = Default)
Version
-----------------------------------------------
Hard Disk primary 2.7.1-P2.29 (*)
Hard Disk secondary 2.6.6-GR1.50
Compact Flash primary 2.4.3-P8-SP3.2 (*)
Compact Flash secondary 2.4.3-P8-SP3.2
The following commands save the configuration and copy it to the other
storage area:
ACOS(config)#write memory
Building configuration...
[OK]
ACOS(config)#write memory secondary
Building configuration...
[OK]
Configuration Management
By default, when you click the Save button in the GUI or enter the write
memory command in the CLI, all unsaved configuration changes are saved
to the startup-config. The next time the ACOS device is rebooted, the con-
figuration is reloaded from this file.
Note: For upgrade instructions, see the release notes for the ACOS release to
which you plan to upgrade.
At the Privileged EXCE level of the CLI, use the following command:
The system option backs up the startup-config file, aFleX scripts, and SSL
certificates and keys.
The log option backs up the log entries in the ACOS device’s syslog buffer.
The use-mgmt-port option allows you to indicate the use of the management
interface as the source interface for the connection to the remote device.
The url option specifies the file transfer protocol, username, and directory
path. You can enter the entire URL on the command line or press Enter to
display a prompt for each part of the URL. If you enter the entire URL and a
password is required, you will still be prompted for the password. To enter
the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• sftp://[user@]host/file
Note: Unless you plan to locally store multiple configurations, you do not need
to use any of the advanced commands or options described in this section.
Just click Save in the GUI or enter the write memory command in the
CLI to save configuration changes. These simple options replace the com-
mands in the startup-config stored in the image area the ACOS device
booted from with the commands in the running-config.
Configuration Profiles
Configuration files are managed as configuration profiles. A configuration
profile is simply a configuration file. You can locally save multiple configu-
ration profiles on the ACOS device. The configuration management com-
mands described in this section enable you to do the following:
• Save the startup-config or running-config to a configuration profile.
Note: Although the enable and admin passwords are loaded as part of the sys-
tem configuration, they are not saved in the configuration profiles.
Changes to the enable password or to the admin username or password
take effect globally, regardless of the values that were in effect when a
given configuration profile was saved.
4. To use another configuration file as a template, select the file from the
Copy drop-down list.
6. Click OK.
4. Click OK.
3. Click Delete.
3. Click Diff.
If you enter write force, the command forces the ACOS device to save the
configuration regardless of whether the system is ready.
If you enter write memory primary, the command replaces the configura-
tion profile stored in the primary image area with the running-config. Like-
wise, if you enter write memory secondary, the command replaces the
configuration profile stored in the secondary image area with the running-
config.
show startup-config
[
all [cf]|
all-partitions |
partition {shared | partition-name} |
profile profile-name] [cf] |
all-partitions |
partition {shared | partition-name}]
]
To display a list of the locally stored configuration profiles, use the all
option. The cf option displays all the configuration pro- files stored on the
compact flash.
The cf option displays the configuration profile on the compact flash rather
than the hard disk. If you omit this option, the configuration profile on the
hard disk is displayed.
The partitions option shows only the resources in the specified partition.
The cf option copies the profile to the compact flash instead of the hard
disk.
Note: You cannot use the profile name “default”. This name is reserved and
always refers to the configuration profile that is stored in the image area
from which the ACOS device most recently rebooted.
(The url option backs up the configuration to a remote device. See “Backing
Up System Information” on page 557.)
To compare any two configuration profiles, enter their profile names instead
of startup-config or running-config.
In the CLI output, the commands in the first profile name you specify are
listed on the left side of the terminal screen. The commands in the other pro-
file that differ from the commands in the first profile are listed on the right
side of the screen, across from the commands they differ from. The
following flags indicate how the two profiles differ:
• >_ This command is in the second profile but not in the first one.
• <_ This command is in the first profile but not in the second one.
This command enables you to easily test new configurations without replac-
ing the configuration stored in the image area.
The primary | secondary option specifies the image area. If you omit this
option, the image area last used to boot is selected.
The cf option links the profile to the specified image area in compact flash
instead of the hard disk.
The profile you link to must be stored on the boot device you select. For
example, if you use the default boot device selection (hard disk), the profile
you link to must be stored on the hard disk. If you specify cf, the profile
must be stored on the compact flash. (To display the profiles stored on the
boot devices, use the show startup-config all and show startup-config all
cf commands.)
Likewise, the next time the ACOS device is rebooted, the linked configura-
tion profile is loaded instead of the configuration that is in the image area.
CLI EXAMPLES
The ACOS Power On Auto Provisioning (POAP) feature automates the pro-
cess of upgrading software images across many ACOS devices that are
being deployed in the network. POAP can be used to upgrade software on
existing devices or to roll out a configuration file to many ACOS devices.
POAP offers an efficient way to upgrade the software image or config file
across many devices at the same time.
Use of this feature requires a DHCP server and a TFTP server that has been
pre-configured with the proper ACOS software image and config file. The
ACOS device must have access to the management port on a DHCP server
and access to the TFTP server.
1. The ACOS device boots and sends a broadcast request to the DHCP
server.
2. The DHCP server sends a response that includes an IP address for the
ACOS device, and an IP address where the TFTP server can be reached.
3. The ACOS device attempts to locate the TFTP server at the IP address it
just received from the DHCP server by sending a request to that address.
4. The TFTP server responds to the request from the ACOS device by
sending the “ACOS_upg.tgz” file.
Once the ACOS device receives the “ACOS_upg.tgz” file, it performs
the following operations:
Configuration
Prerequisites before using POAP
• Create an upgrade package named “ACOS_upg.tgz”.
The package may contain one or both of the following optional files:
• Image file: “sto.tar.gz”
• Config file: “poap_startup”
• Save this upgrade package on a TFTP server that can be accessed by the
ACOS device. This package should be stored in the working directory
of the TFTP server, (for example, “tftpboot”).
• To enter POAP mode, the current startup-config file on the ACOS
device must be empty; if the startup-config file is not completely empty
then the POAP install will fail.
• At the end of the installation process, POAP links to the new
startup-config file, which is a text file named “poap_startup”.
Note: The POAP installation process does not erase an existing startup-config
file, but as a precaution, you can save an existing startup-config file by
creating a backup prior to enabling POAP.
POAP mode is enabled by default on SoftAX virtual appliances, but the fea-
ture is disabled by default on all physical devices. To enable POAP mode on
a physical device, use the following CLI command at the global config
level:
[no] poap
Using the “no” form of the command will disable the feature.
You can use the following CLI command to show the status (enabled or dis-
abled) of POAP mode:
show poap
This release introduces a management pack that allows the ACOS device to
be integrated with Microsoft’s System Center Operations Manager
(SCOM). SCOM is a data center management tool that provides administra-
tors with centralized management and the ability to monitor large numbers
of network devices. The tool displays device status, health, and performance
information for the devices on the network, and it can be configured to send
alerts for certain types of events.
Benefits of SCOM
Benefits of offering SCOM support on the ACOS device include the follow-
ing:
• Near real-time performance monitoring
The PowerShell “cmdlet” pulls updates from the ACOS device and displays
critical metrics within the SCOM Dashboard.
Configuration
The ACOS device SCOM management pack is installed as a snap-in. When
performing this installation, please observe the following system require-
ments.
• RAM: 4GB
The ACOS software provides support for multiple mirror ports for each
traffic direction (inbound, outbound) in addition to support for a single mir-
ror port for each traffic direction.
When configuring a mirror port, you can specify the traffic directions to be
mirrored to the port: input or output. If you do not specify a traffic direction,
both directions are mirrored to port.
When you enable monitoring on a port, you can specify the mirror port to
use. You also can specify the traffic direction. A monitored port can use
multiple mirror ports.
To configure mirror ports, use the following command at the global config-
uration level:
The portnum can be a valid Ethernet port number. (The range depends on
how many Ethernet data ports your ACOS device model has.)
At this point, monitoring is not yet enabled on any ports. The following
commands access the configuration level for Ethernet interface 1 and enable
monitoring of its traffic.
ACOS(config)#interface ethernet 1
ACOS(config-if:ethernet1)#monitor ?
both Both incoming and outgoing packets
input Incoming packets
output Outgoing packets
ACOS(config-if:ethernet1)#monitor input ?
<1-4> Mirror index
ACOS(config-if:ethernet1)#monitor input 1
The output now lists the monitoring configuration on port 1, which uses
mirror 1.
For brevity, this example does not show configuration of monitoring using
mirror 3. Likewise, the example does not show that a mirror can accept
monitored traffic from more than one interface, but this is supported.
In the monitoring mode, you can specify the device to which the Ethernet
belongs:
AX5200-11-Active-vMaster[1/1][p1]#show mirror ?
active-vrid VRRP-A vrid
device Device
| Output modifiers
VLAN-to-VLAN Bridging
Overview
VLAN-to-VLAN bridging allows an ACOS device to selectively bridge
traffic among multiple VLANs. The ACOS device selectively forwards
packets from one VLAN to another based on the VLAN-to-VLAN bridging
configuration on the ACOS device. This feature allows the traffic flow
between VLANs to be tightly controlled through the ACOS device without
the need to reconfigure the hosts in the separate VLANs.
You can configure a bridge VLAN group to forward one of the following
types of traffic:
• IP traffic only (the default) – This option includes typical traffic
between end hosts, such as ARP requests and responses.
This option does not forward multicast packets.
• All traffic – This option forwards all types of traffic.
Configuration Notes
VLAN-to-VLAN bridging is supported on ACOS devices deployed in
transparent mode (Layer 2) or in gateway mode (Layer 3).
Configuration
To configure VLAN-to-VLAN bridging:
1. Configure each of the VLANs to be bridged. In each VLAN, add the
ACOS device’s interfaces to the VLAN.
forward-all-traffic
This command configures the ACOS device to forward all types of traffic
between the VLANs in the group. By default, only IP traffic is forwarded. If
you change the traffic type but later want to change it back to the default,
you can use the following command: forward-ip-traffic
FIPS Support
The A10 Thunder Series and the AX Series support Federal Information
Processing Standards (FIPS).
The following sections describe the FIPS support added in this release.
• “FIPS-Compliant and FIPS-Certified ACOS Devices” on page 585
• AX 2600-GCF
• AX 3000-GCF
Note: The FIPS models listed above must be ordered and shipped directly from
A10 Networks. Converting or upgrading a standard ACOS unit to a FIPS
unit (through the field upgrade process) is not supported.
SSL Modules
FIPS-compliant ACOS devices do not offer the option to add SSL modules
(“cards”) in the expansion slots, because this would require a chassis that
could be opened at the customer premises (which would violate the FIPS
requirements).
Tamper-Proof Seals
To enhance security, one or more tamper-evident labels* with a serial num-
ber and company ID are affixed to the ACOS device chassis. (See
Figure 89, “A10 FIPS-approved Tamper-proof Labels,” on page 587.)
Tamper-evident seals are delicate and clearly indicate when the packaging
has been deliberately altered or adulterated. Seals are affixed to the ACOS
device chassis in several places to make it apparent when someone has
opened the box or otherwise disturbed any of the removable components.
*.
Novavision A1579 labels
Ports
While the USB ports have not been physically removed from the hardware,
they have been disabled at the software level to enhance security.
RMAs
In the event that a customer must return the ACOS device to A10 Networks
using the standard Return Merchandise Authorization (RMA) process, the
customer first must use the security-reset system command to destroy all
encryption keys.
Per FIPS requirements, the ACOS device can not be shipped back to the
manufacturer with the software encryption keys intact. This security-reset
system command destroys the keys prior to shipping the device.
Lost Passwords
Normally, if a customer loses their password, they can simply perform a
password reset by entering the serial number on their ACOS device using
the management or console port. However, due to FIPS requirements, this
“backdoor” password-reset behavior is not allowed, so if the password is
lost, customers must follow the standard RMA process to return the ACOS
device to A10 Networks so a factory reset of the password can be done.
Hardware Errors
When fail-safe monitoring is enabled for hardware errors, the following
types of errors are detected:
• SSL processor stops working – Fail-safe is triggered if an SSL processor
stops working.
• Compression processor stops working – Fail-safe is triggered if an
HTTP compression processor stops.
• FPGA stops working – Fail-safe is triggered if either of these internal
queues stops working.
If any of these types of errors occurs, the ACOS device captures diagnostic
information, then reboots.
Note: Fail-safe recovery also can be triggered by a “PCI not ready” condition.
This fail-safe recovery option is enabled by default and can not be dis-
abled.
Software Errors
When fail-safe monitoring is enabled for software errors, the following
types of errors are detected:
• FPGA I/O buffer shortage – The number of free (available) packet buf-
fers is below the configured threshold. By default, at least 512 packet
buffers must be free for new data. (Monitoring for this type of FPGA
error is applicable to all ACOS device models.)
On ACOS device models that use FPGAs hardware, the FPGA is logi-
cally divided into 2 domains, which each have their own buffers. If an
FPGA buffer shortage triggers fail-safe, recovery occurs only after both
domains have enough free buffers.
• Session memory shortage – The amount of system memory that must be
free for new sessions is below the configured threshold. By default, at
least 30 percent of the ACOS device’s session memory must be free for
new sessions.
Recovery Timeout
The recovery timeout is the number of minutes the ACOS device waits after
detecting one of the hardware or software errors above before recovering
the system.
• Recovery timeout for hardware errors – By default, the ACOS device
reboots as soon as it has gathered diagnostic information. Typically, this
occurs within 1 minute of detection of the error (no timeout). You can
change the recovery timeout for hardware errors to 1-1440 minutes.
• Recovery timeout for software errors – Fail-safe waits for the system to
recover through normal operation, before triggering a recovery. The
default recovery timeout for software errors is 3 minutes. You can
change it to 1-1440 minutes.
Configuration
This section describes how to configure the fail-safe feature.
[no] fail-safe
{
fpga-buff-recovery-threshold 256-buffer-units |
hw-error-monitor-enable |
hw-error-recovery-timeout minutes |
session-memory-recovery-threshold percentage |
sw-error-monitor-enable |
sw-error-recovery-timeout minutes
}
Parameter Description
fpga-buff-
recovery-
threshold
256-buffer-
units Minimum required number of free (available)
FPGA buffers. If the number of free buffers
remains below this value until the recovery time-
out, fail-safe software recovery is triggered.
You can specify 1-10 units. Each unit contains
256 buffers. The default is 2 units (512 buffers).
hw-error-
monitor-enable Enables fail-safe monitoring and recovery for
hardware errors. This is disabled by default.
hw-error-
recovery-
timeout minutes Number of minutes fail-safe waits after a hard-
ware error occurs to reboot the ACOS device.
You can specify 1-1440 minutes. The default is 0
(not set).
The information option displays fail-safe settings and statistics. The output
differs between models that use FPGAs in hardware and models that do not.
(See “CLI Example” on page 597.)
Note: The config option displays the CLI commands only the for settings you
configure. A fail-safe command that is still set to its default value does not
appear in the output.
Corporate Headquarters
www.a10networks.com
602