A10 Lab
Course A10_ADC-2.7v2.2
Section 1
Conventions
Reference
Labs Load Balancing Concepts
Conventions and variable substitution in labs
Substitutions
<string> indicates a variable that should be substituted with a value. Here is a list of
common required substitutions throughout the lab book:
Configuration steps
Initial setup of the ACOS device
1. To perform initial setup of the ACOS device, we will connect to the console port
and configure the management port. The rest of the initial configuration will be
performed remotely via ssh.
2. Connect to the console port of your ACOS device. At the terminal window
prompt execute the following command and log in with username admin and
password a10:
console n (where “n” is your student number)
3. First reset the device to factory state in case someone used it before the class:
enable
config
system-reset (and answer yes to the following two questions)
4. Wait for the device to reboot. Log in, configure the management port for remote
connectivity, and save the initial setup in a named configuration profile:
enable [Enter] for password
config
interface management
ip address <ACOS-Mgmt-IP> /24
enable
write mem <ConfigProfile>
y
end
exit
exit
y
5. Note that you did not provide a default gateway for the management port. This is
because in our classroom layout the management port is on the same network as
your remote desktop. In real life you would add a default gateway.
6. Exit out of console port by hitting Ctrl-] and typing quit.
7. Close the terminal window and open a new one.
8. Connect to the management port through ssh. At the terminal prompt execute
the following command and log in with password a10:
Can you see the two new profiles? Now delete them:
delete startup-config Profile2
delete startup-config Profile3
end
show startup all
17. In your remote desktop open “srv” folder on the left of the screen, then “ftproot”,
then “ConfigBackup”. You will be able to watch backup progress there.
18. From your ACOS device execute command:
backup system use-mgmt-port ftp://ftp@<backup-IP>/ConfigBackup/
WebUI
Configuration steps
Local backup
24. Click on Chrome browser in your remote desktop taskbar. Click on the
bookmark corresponding to the device you just configured and log in.
25. Go to Config > System > Maintenance > Backup > System. Select “Local” (should
be selected by default). Click “OK” and save file to your local drive.
Configuration steps
Server
1. Open a browser in your remote desktop and connect via HTTPS to
<ACOS-Mgmt-IP> and log in with username: admin password: a10
2. Go to Config Mode > SLB > Service > Server. You should see this screen:
3. Click on the Add button. You should see two sections, upper, entitled General,
and lower, entitled Port.
4. In the General section enter “s1” as name of the server and <s1-IP> as IP
Address.
5. In the Port section enter “80” as port, click on “Add” in the same section on the
right (you should see the port show up in the table), and then click “OK” at the
bottom of the page. You should now see this screen:
6. Repeat the steps to add server 2 (“s2”) with IP address <s2-IP> and port “80”.
7. Go to Monitor Mode > SLB > Service > Server.
8. Click once on the name/IP of the newly configured server. A row with the port
number should open below. Here you can monitor per-physical server/port
statistics during later exercises. In the column to the left green arrows should
point up. That indicates that our default health monitor was able to ping the
server and performed a successful TCP handshake on port 80. In future labs you
will build even more sophisticated, layer 7 health monitors.
Verifying functionality
26. In your browser open a connection to http://<vip1-IP>/
27. You should see a web page containing three images.
28. All three images should be coming from the same server. You can recognize that
by having the same image repeated three times. Server1 only serves cherries,
Server2 only serves lemons. Refresh page several times.
29. Your source IP address shown at the top of the page should be from the NAT
pool.
30. Go to Monitor Mode > IP Source NAT > Pool. You should see how many times
your NAT pool was used.
31. Go to Monitor Mode > SLB > Application > Persistent. In the table you can find
statistics for successful Source IP Persistent connections broken down by CPU.
32. Go to Monitor Mode > SLB > Service > Virtual Server. Click on the name of your
virtual server, then on port, and watch connection statistics per server. All of
them should be on one server.
33. Now we will see what happens when you remove Source IP Persistence
template from the virtual server. Go to Config Mode, Service, SLB, and click on
Virtual Server.
34. In the Port section select the port and click “Edit”. Remove Source IP Persistence
and click OK, then again OK to apply the new configuration for the virtual
server.
35. Open terminal window (icon with black “C” on green background in quick
launch toolbar at the bottom of the screen), type “ssh <ACOS-Mgmt-IP>”, and log
in as username admin, password a10. After you see “An>” prompt, type
“enable” and hit Enter, and again Enter for password. At the “#” prompt type
“clear sessions all” and hit Enter. For testing purposes in the lab this
ensures that none of the old sessions remains alive.
36. In your browser open a connection to http://<vip1-IP>/
CLI
Configuration steps
Server
43. Open ssh connection to <ACOS-Mgmt-IP> and log in as username admin,
password a10. After you see “An>” prompt, type “enable” and hit Enter, and
again Enter for password. At the “#” prompt type “config” and hit Enter. You
should now see “An(config)#” prompt. That indicates you are in config mode,
just as you are in config mode in the Config tab in WebUI. You will notice many
more similarities in the workflow as we go through the exercise.
44. At the prompt type “?” and watch the list of commands available. Press space
bar if needed to move to the next page. On one of the pages you can find
command “slb”, just like in WebUI. If you still see “—MORE—” at the bottom of
the screen, you can break out of it by pressing “q”.
45. At the prompt type “slb”, press space, and type “?” to see the list of submenus.
One of them is “server”. Extend your command so it now says “slb server”,
press space, and then “?” again. You need to provide name of the server, just like
in WebUI. Use “s1”, then space and “?”. ACOS asks for one of three alternative
means of addressing the server. We will use IP Address. Append <s1-IP> to the
end of the command, press space, and then “?”. ACOS indicates it is ready to
accept the command. Press Enter. Your prompt should now look like this:
“An(config-real server)#”. That means you are within the physical server
Two IP addresses listed indicate start and end of the pool. Press Enter.
54. Verify using command:
show ip nat pool
55. We will apply this NAT pool when configuring Virtual Server.
Source IP Persistence
70. This shows entire running configuration. You may have to move from page to
page by pressing space bar. Watch for all the components you have configured.
71. To look at just one element from the running configuration, pipe the output of
“show running” through the command “section” and provide a string to match
(regular expressions are also allowed). Try this command:
Verifying functionality
72. In your browser open a connection to http://<vip1-IP>/
73. You should see a web page that contains three images.
74. All three images should be coming from the same server. Refresh page several
times.
75. Your source IP address shown at the top of the page should be from the NAT
pool.
76. At the user-level prompt (An>) execute command:
show ip nat pool statistics
77. As you can see, from the command line you can watch usage statistics per
individual address. Notice that you can watch most of the statistics from the
user-level prompt, without switching to enable mode (admin).
78. At the user-level prompt (An>) execute these two commands:
show slb persist
show slb persist detail
79. Now try:
show slb server
80. Watch connection statistics per server. All of them should be on one server.
81. Now we will see what happens when you remove Source IP Persistence
template from the virtual server.
82. Go to config mode (type “config” and press Enter). Execute commands:
slb virtual-server vip1
port 80 tcp
83. You are now in the same virtual server port where you applied source IP
persistence template. Verify the configuration using command:
show slb virtual-server config
84. If you remember, to apply the template we used command “template persist
source-ip persist1”. Now to remove it, use the same command but prepend “no”
in front of it. Your full command should look like this:
no template persist source-ip persist1
85. Execute it and verify the effects using previous command:
show slb virtual-server config
88. For testing purposes in the lab this ensures that none of the old sessions
remains alive.
89. In your browser open a connection to http://<vip1-IP>/
90. The images should now be coming from two servers. Reload the page a few
times.
91. Use command:
show slb server
92. Watch connection statistics per server. They should be distributed between two
servers.
93. If you are not certain about any of the steps performed so far or the results, ask
the instructor now. In the subsequent steps we will clear the existing
configuration and will perform the same configuration from the command line.
94. Go to Addendum A “Restore Configuration” and perform steps in section “CLI”.
Configuration steps
Server
1. Follow steps in Load Balancing Concepts Lab, WebUI, Server, to configure s1 and
s2 servers, port 80.
HTTP Health Monitor and Service Group
2. Go to Config > SLB > Health Monitor > Health Monitor.
3. Click Add, Name “http”, in section “Method” select HTTP as Type, in URL second
field enter “/”, in Expect enter “bluesky” (that string does not exist in the root
page, we are using it for testing only), then click “OK” at the bottom to apply.
4. Go to Config > SLB > Service, then click on Service Group. Specify “http” as name,
select “http” as Health Monitor, then in the server section add s1 and s2 as
members with port 80, and click “OK” at the bottom to apply.
5. Go to Monitor > SLB > Service, and click on Service Group. Service Group status
should be down. Click on service group name to verify status of member servers.
6. Go to Config > SLB > Health Monitor > Health Monitor, open http by clicking on
it, change “bluesky” in the Expect field to “Temporibus” (that string does exist in
root page), and apply.
7. Go to Monitor > SLB > Service > Service Group. Service Group status should be
up. Click on service group name to verify status of member servers.
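The Expect-string behaviour from steps 3 to 7, as an added Python example (not part of the lab book and not ACOS code): a member passes only when the response body contains the Expect string, which is why a server that answers on port 80 can still be marked down. The function names, the 2xx status requirement, the case-sensitive match and the rule that the group is up while at least one member is up are assumptions of this sketch; the response bodies are constructed.

```python
"""Model of an HTTP health monitor with an Expect string (added example)."""
import http.client
from dataclasses import dataclass


@dataclass
class Monitor:
    name: str
    url: str      # path requested from each member, "/" in the lab
    expect: str   # string that must appear in the response body


def evaluate(status: int, body: bytes, monitor: Monitor) -> bool:
    """Return True when a response satisfies the monitor.

    Assumptions of this sketch: a 2xx status is required and the
    Expect string is matched case-sensitively against the raw body.
    """
    if not 200 <= status < 300:
        return False
    return monitor.expect.encode() in body


def probe(host: str, port: int, monitor: Monitor, timeout: float = 3.0) -> bool:
    """Run the monitor against a live member; any network error counts as down."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", monitor.url)
        resp = conn.getresponse()
        ok = evaluate(resp.status, resp.read(), monitor)
        conn.close()
        return ok
    except (OSError, http.client.HTTPException):
        return False


def group_status(member_results: dict) -> str:
    """Assumption: the service group is up while at least one member is up."""
    return "up" if any(member_results.values()) else "down"


# Constructed sample responses standing in for s1 and s2 on port 80.
SAMPLE = {
    "s1": (200, b"<html><body><p>Temporibus autem quibusdam</p></body></html>"),
    "s2": (200, b"<html><body><p>Temporibus autem quibusdam</p></body></html>"),
}


def run(expect: str, responses: dict = SAMPLE) -> tuple:
    """Evaluate every member against the monitor and derive the group state."""
    monitor = Monitor(name="http", url="/", expect=expect)
    results = {name: evaluate(status, body, monitor)
               for name, (status, body) in responses.items()}
    return results, group_status(results)


if __name__ == "__main__":
    print(run("bluesky"))     # string absent from the page: members fail
    print(run("Temporibus"))  # string present in the page: members pass
```

Against real members, call `probe("<s1-IP>", 80, Monitor("http", "/", "Temporibus"))` with the lab address substituted.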
Source Network Address Translation (Source NAT)
8. Go to Config > IP Source NAT > IPv4 Pool.
9. Click Add.
10. Enter “nat1” as name, <nat1-IP> as start and end addresses, “255.255.255.0” as
netmask, and click OK.
11. You have created a NAT pool that will be applied in a Virtual Server section.
Source IP Persistence
23. In this part of the lab we will change the name of the responding HTTP server
header. First we will check the existing response headers.
24. In your browser clear your cache, press Ctrl-Shift-I (as in capital letter i), request page
from your vip1, then check the response headers and find the server header by
29. In this part of the lab we will create HTTP failover in case your servers become
non-responsive.
30. Go to Config > SLB > Template > Application > HTTP.
31. Click Add, enter “failover” as Name, enter http://1.0.0.201/failover/ below in
Failover URL, then click “OK” at the bottom to save.
32. Go to Config > SLB > Service > Virtual Server, edit port, select “failover” as HTTP
Template, then click “OK” and “OK” again to apply.
33. Go to Config > SLB > Service > Server. Select both servers, and click Disable at the
bottom.
34. Open ssh session to your ACOS device, go to enable prompt, type “clear
sessions all” and press Enter.
35. In your browser request page from your vip1. You should be redirected.
36. Re-enable your servers and request page from your vip1 again. You should be
able to reach the servers.
37. If you have any questions, ask instructor for assistance.
HTTP Templates in CLI
38. Go to your virtual server port and remove http template from it.
39. Go to Config > SLB > Template > Application > HTTP, select both templates and
delete them.
40. Open ssh session to your AX. Go to config mode (refer to Section 1 Load
Balancing Concepts Lab, CLI in case you have doubts how to do it), type “slb
template http header-rewrite” and press Enter. You should now be at
“An(config-http)#” prompt.
41. Execute command:
response-header-insert "Server: nginx"
45. In your Chrome browser clear your cache, press Ctrl-Shift-I, request page from
your vip1, then check the response headers and find the server header. You
should see header “Server: nginx”.
46. Execute command:
no template http header-rewrite
47. Repeat step above to verify incoming headers. “Server: nginx” should now be
gone.
48. At your ACOS CLI prompt type “end”, Enter, then “config” and Enter.
49. Execute commands:
slb template http failover
failover-url http://1.0.0.201/failover/
50. You can check the existence of both templates by executing command:
show slb template http
51. Apply this template to vip1 port 80 as you have done for the previous template.
52. Type “end”, Enter, then “config”, Enter, “slb server s1”, and Enter. Type
“disable” and press Enter. Repeat steps for server 2.
53. Attempt to reach your vip1 via your web browser. You should be redirected.
54. Re-enable your servers and verify that you can connect to your vip1 through the
browser.
55. If you have any questions, ask instructor for assistance.
56. Go to Addendum A “Restore Configuration” and perform steps in section “CLI”.
Configuration steps
Server
1. Follow steps in Load Balancing Concepts Lab, WebUI, Server, to configure s1
and s2 servers, with port 80 for both servers.
Service Group
2. Go to Config > SLB > Service > Service Group. Specify “http” as name, then in the
server section select s1 and s2 as members with port 80, and click “OK” at the
bottom to save.
SSL Certificate
3. Go to Config > SLB > SSL Management > Certificate. Click Create. Enter “ss1” as
File Name, “a10networks.com” as Common Name, “Training class” as
“Organization”, and click “OK” to save.
SSL Template
4. Go to Config > SLB > Template > SSL > Client SSL. Click Add, enter “cssl” as
Name, select “ss1” as Certificate Name and Key Name, and then click “OK” to
save.
Source Network Address Translation (Source NAT)
5. Go to Config > IP Source NAT > IPv4 Pool.
6. Click Add.
7. Enter “nat1” as name, <nat1-IP> as start and end addresses, “255.255.255.0” as
netmask, and click OK.
8. You have created a NAT pool that will be applied in a Virtual Server section.
Cookie Persistence
9. In this section you will build a template that will ensure that client’s browser,
once the HTTPS connection is established, forwards subsequent requests to the
same server.
10. Go to Config > SLB > Template > Persistent > Cookie Persistence.
Verifying functionality
18. In your browser open a connection to https://<vip1-IP>/
19. Accept self-signed certificate. You should see a web page that starts with “It
works!” and contains three images. Reload page a few times. All images should
be coming from the same server.
20. Verify the certificate sent from the ACOS device: right click on the “It works!”
web page, select “View Page Info”, then click on “Security”, and “View
Certificate”. You should find the information you entered earlier in the lab.
21. Verify the cookie sent from the ACOS device: right click on the “It works!” web
page, select “View Page Info”, then click on “Security”, and “View Cookies”. You
should recognize the cookie.
22. We will now see what happens when someone tries to connect to your virtual
server via http instead of https.
23. In your browser open a connection to http://<vip1-IP>/
Configuration steps
Transparent redirect
25. Import aflex script to redirect request from port 80 to 443. From the ACOS
enable prompt execute command:
import aflex redirect1 ftp://ftp@<backup-IP>/BaseConfig/redirect1.tcl
26. Go to Config > SLB > Service > Virtual Server. Open your virtual server and add a
new port – port 80, type HTTP, leave Service Group blank, select “redirect1” as
aFleX, click “OK” and again “OK” to save.
27. Go to Config > SLB > aFleX and open “redirect1”. This is the script you applied
on port 80. What does it do?
28. Click on Logout(admin).
Verifying functionality
29. To verify new functionality, in your browser open a connection to
http://<vip1-IP>/
30. You should be automatically redirected to https://<vip1-IP>/
31. If you have any questions, ask instructor for assistance.
32. This time instead of reloading clean configuration after WebUI operations, we
will remove selected configuration items in CLI and rebuild them.
CLI
Configuration steps
SSL certificate and key
48. Make sure you are in a config mode. Execute command:
slb ssl-create certificate ss1
You will have to answer several questions. Provide the same values we used
earlier in this lab.
49. Verify the certificate has been created using:
show slb ssl cert ss1
SSL Template
50. Execute command:
slb template client-ssl cssl
Verifying functionality
60. In your browser open a connection to https://<vip1-IP>/
61. Accept self-signed certificate. You should see a web page that starts with “It
works!” and contains three images. Reload page a few times. All images should
be coming from the same server.
62. Verify the certificate sent from the ACOS device: right click on the “It works!”
web page, select “View Page Info”, then click on “Security”, and “View
Certificate”. You should find the information you entered earlier in the lab.
Configuration steps
Server
1. Follow steps in Load Balancing Concepts Lab, WebUI, Server to configure s1 and
s2 servers using port 80 for this lab.
Service Group
2. Follow steps in Load Balancing Concepts Lab, WebUI, Service Group to
configure HTTP service group for this lab.
Source Network Address Translation (Source NAT)
3. Follow steps in Load Balancing Concepts Lab, WebUI, Source NAT to configure
source NAT for this lab.
Virtual Server (VIP)
4. Follow steps in Load Balancing Concepts Lab, WebUI, Virtual Server to
configure virtual server for this lab, but specify Virtual Server port type “HTTP”
(instead of TCP), and skip source IP persistence.
Verifying functionality
5. Verify that your configuration is working before proceeding. Continuing this lab
we will add connection reuse, compression, and RAM caching capabilities to our
virtual server.
Configuration steps
Connection Reuse template
6. Go to Config > SLB > Template > Connection Reuse.
7. Click Add, enter “creuse” as Name, enter “5” in “Limit Per Server” field, and click
“OK” to save. Please note that a limit of 5 connections is unrealistic, and we are
only using it in the classroom. Minimum number of reusable connections is
equal to the number of data CPUs. Please also note that the "Keep Alive
Connections" option is applicable only to SIP-over-TCP sessions.
Verifying functionality
Connection Reuse
11. Open terminal window and execute command:
connreuse <vip1-IP>
12. From another terminal window ssh to <ACOS-Mgmt-IP>, go to enable prompt
and execute command:
show slb connection-reuse detail
13. Repeat the command a few times (arrow key up). You should see a total of ~10
persistent connections with an even spread per data CPU.
14. Go back to the terminal window with “connreuse <vip1-IP>” command
running and terminate it with Ctrl-C.
Configuration steps
Applying templates to Virtual Server port
15. Go to Config > SLB > Service > Virtual Server, open vip1, Edit port and apply the
compression template you have just configured.
Verifying functionality
Compression
16. Point your browser to <vip1-IP> to generate some data traffic (script in the
previous exercise does not create cacheable or compressible content).
17. Go to Monitor > SLB > Application > Proxy > HTTP. See compression statistics
toward the bottom of the table.
CLI
Configuration steps
Connection Reuse template
29. Go to Config mode, execute commands:
slb template connection-reuse creuse
Preparation
1. In this lab we will configure high availability. For this we need to work in teams
of two. Odd numbers will be Primary ACOS device, even numbers will be
Secondary. For example, in a team of A1 and A2, A1 will be primary, A2 will be
secondary. Steps below will be separated into those that need to be performed
on the primary, and those that need to be performed on the secondary. Make
sure you coordinate those steps within your team.
Source IP Persistence
Virtual Server
25. Go to Config > SLB > Service > Virtual Server, and click Add. Enter “vip1” as
Name, <vip1-IP> as IP address, select “1” for HA Group. Enter “150” as Dynamic
Server Weight. This field serves to subtract the weight of the virtual server from
the priority value in case of virtual server becoming unavailable, thus leading to
a potential failover. Since we specified “200” as priority, a failure of vip1 should
trigger a failover.
26. Add port 80, Service Group “http”, select “nat1” as Source NAT Pool, select
“Source IP Persistence” as Persistence Template Type, and select “persist1” as
Source IP Persistence Template, Click “OK” and “OK” to save.
27. Verify using commands:
show slb virtual-server config
show run | sec vip1
28. This ends configuration steps on the Primary ACOS device.
Enabling HA Interfaces
32. Go to Config > System > HA > HA Interface. You should see a list of all physical
interfaces and their status. If you knew that they were configured properly, you
could check appropriate interfaces and enable them from here. In this exercise
we will go one by one and make sure everything is done right.
Synchronizing configuration
40. Before starting synchronization “Save” config on both devices and then back up
the Secondary ACOS device to a local drive.
41. On the Primary ACOS device go to Config > System > HA > Config Sync, enter
“admin” as User, “a10” as Password, enter <ha-sync-sec>, and click “OK”. After
you see message “HA config-sync operation successful” go to the Secondary
ACOS device (it takes a moment to load) and verify that its configuration has
been synchronized.
CLI
Preparation
64. In this lab we will configure high availability. For this we need to work in teams
of two. Odd numbers will be Primary ACOS devices, even numbers will be
Secondary. For example, in a team of A1 and A2, A1 will be primary, A2 will be
secondary. Steps below will be separated into those that need to be performed
on the primary, and those that need to be performed on the secondary. Make
sure you coordinate those steps within your team.
Synchronizing configuration
88. Before starting synchronization save config on both devices and then back up
the Secondary ACOS device to a local drive.
89. On the Secondary ACOS device type “show run | sec slb” to verify server
load balancing is not configured.
90. On the Primary ACOS device save your configuration using command “write
mem” from the enable prompt.
91. On the Primary ACOS device execute the following command from the config
prompt to force configuration sync:
ha sync all to-startup-config <ha-sync-sec> with-reload [all-partitions]
92. Once you see the message “Sync to 10.0.3.2 succeeded!” and the Secondary
ACOS device reloads, log in to it and from the enable prompt verify successful
synchronization using command “show run | sec slb”.
100. Wait for a moment, hit Enter. Your prompt should change to “An-Active”.
101. On the Primary ACOS device at the CLI type “show ha” and press Enter to
show HA state. You should see this:
A1-Standby>show ha
Local Unit: UP Peer Unit: UP
HA Group Unit State Priority
1 Local Active 200
Peer Standby 100
102. From the config prompt on the Primary ACOS device execute commands:
interface ethernet 1
disable
show ha
103. You should see this:
A1-Active(config-if:ethernet1)#show ha
Local Unit: DOWN Peer Unit: UP
HA Group Unit State Priority
1 Local Standby 200
Peer Active 100
104. Re-enable e1 interface and check the status of the primary ACOS device. After
a while it should change to Active. Why?
105. From the config prompt disable pre-emption on both ACOS devices
using command:
no ha preemption-enable
106. Verify using command:
Overview
In previous labs we demonstrated most common configuration and monitoring
tools. In this lab we will use session and packet-level CLI tools. Throughout this lab
you will need to access your virtual server from your browser as needed to maintain
open sessions. Use commands shown in this lab and study their output.
Notes:
1. A <tab> followed by “#” denotes a comment. Do not type it as part of the
command.
2. “disable” commands must be executed from the config prompt. To undo
“disable”, use command “enable” with the same syntax.
Preparation
3. Build HTTP-type Virtual Server with the following elements:
a. Two physical servers
b. Service Group http
c. Source IP Persistence with 10 minute timeout
d. Source NAT
4. When finished, verify functionality before proceeding.
Session-level commands
5. Total
show session
clear session filter # terminates selected sessions – more
# on session filters on next page
clear session all # terminates all sessions
6. Per Virtual Server
show slb virtual-server vip1 detail # show statistics
clear slb virtual-server vip1 # clear statistics
disable slb virtual-server vip1 # disable vip1
7. Per Virtual Server port (per virtual port)
show slb virtual-server vip1 80 detail
show slb virtual-server vip1 80 http detail
disable slb virtual-server vip1 port 80 # disable/drain port 80
Packet trace
Packet trace is done on ACOS devices using axdebug command. You can set up
multiple filters with multiple conditions in each filter. Conditions within each filter
are subject to logical AND, filters are subject to logical OR. Example:
(filter_1::cond_1 && filter_1::cond_2) || (filter_2::cond_1 && filter_2::cond_2)
14. Perform the following commands:
axdebug
show axdebug filter # no filters should be configured
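The AND-within-a-filter, OR-across-filters rule described above, modelled as an added Python example (not from the lab book, and not axdebug syntax). The field names, the filter layout and the packet records are constructed for illustration and use documentation address ranges.

```python
"""Model of multi-filter packet selection: AND inside a filter, OR across filters."""
import ipaddress

# Each filter is a set of conditions; every condition must hold (logical AND).
# Constructed filters: 1 = TCP traffic to one virtual server address on port 80,
#                      2 = any TCP traffic sourced from one server subnet.
FILTERS = {
    1: {"dst": "192.0.2.100/32", "dport": 80, "proto": "tcp"},
    2: {"src": "198.51.100.0/24", "proto": "tcp"},
}

# Constructed packet records.
PACKETS = [
    {"src": "203.0.113.7", "dst": "192.0.2.100", "dport": 80, "proto": "tcp"},
    {"src": "198.51.100.11", "dst": "203.0.113.7", "dport": 51514, "proto": "tcp"},
    {"src": "203.0.113.7", "dst": "192.0.2.100", "dport": 443, "proto": "tcp"},
    {"src": "198.51.100.12", "dst": "192.0.2.100", "dport": 80, "proto": "tcp"},
    {"src": "198.51.100.11", "dst": "192.0.2.100", "dport": 53, "proto": "udp"},
]


def condition_holds(field: str, want, packet: dict) -> bool:
    """Check one condition; address fields are matched as prefixes."""
    have = packet.get(field)
    if have is None:
        return False
    if field in ("src", "dst"):
        return ipaddress.ip_address(have) in ipaddress.ip_network(want)
    return have == want


def matching_filters(packet: dict, filters: dict) -> list:
    """Return the ids of all filters whose conditions ALL hold for the packet."""
    return sorted(
        fid for fid, conds in filters.items()
        if all(condition_holds(f, v, packet) for f, v in conds.items())
    )


def captured(packet: dict, filters: dict) -> bool:
    """A packet is selected when ANY filter matches (logical OR).

    What the device does when no filter is configured is not modelled here.
    """
    return bool(matching_filters(packet, filters))


def trace(packets: list, filters: dict) -> list:
    """Per-packet list of matching filter ids, in input order."""
    return [matching_filters(p, filters) for p in packets]


if __name__ == "__main__":
    for pkt, hits in zip(PACKETS, trace(PACKETS, FILTERS)):
        print(pkt, "->", hits if hits else "not selected")
```

The third packet shows the AND rule: it satisfies two of filter 1's three conditions and is still not selected.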
Techsupport file
19. Techsupport file is an amalgamation of the output of various troubleshooting
tools. Any time you call tech support at A10 Networks, you will likely be asked
to provide it. It can be generated from the CLI or the WebUI.
20. In CLI execute the following command at the enable prompt:
show techsupport page
21. If you used “export” instead of “page”, you could upload the file to a remote
server.
22. In WebUI go to Monitor, System, Diagnostics, click on Show Techsupport, and
save it to your local drive. Open it in a text editor.
23. If you have any questions, ask instructor for assistance.
24. Leave your configuration intact (do not reload base config). We will use it in the
next exercise.
10. If you have any questions, ask instructor for assistance. In the next step you will
reload base configuration.
11. Reload base configuration on your AX.
Configuration steps
1. Position mouse pointer over Config tab, move down to System, Maintenance,
Restore, and click on System. You should see this screen:
2. In “Restore from” field select remote, check “Use Management Port”, in Host field
enter <backup-IP>, in Location field type “/ConfigBackup/<tarball>” – READ
THIS: please make sure you specify proper number, otherwise you will make
your ACOS device unreachable. If in doubt, ask instructor for assistance. Enter
“ftp” as Username, and leave Password blank – our classroom server is
configured for anonymous login. In real life you will need to use valid username
and password. Verify again that all information is correct and then click “OK”.
You should be disconnected while the ACOS reloads the configuration.
3. Log in to your ACOS device, and in the opening screen verify “Feature
Configuration” section on the right side. It should show 0 service groups, servers,
or virtual servers. If that is correct, you are ready to proceed to the next section
of the lab. If not, ask instructor for assistance.
CLI
Configuration steps
4. Open ssh connection to your ACOS management port and log in as username
admin, password a10. After you see “An>” prompt, type “enable” and hit Enter,
and again Enter for password. At the “#” prompt type “config” and hit Enter. You
should now see “An(config)#” prompt. That indicates you are in config mode,
just as you were in config mode when you moused over Config tab in WebUI.
5. Execute command:
restore use-mgmt-port ftp://ftp@<backup-IP>/ConfigBackup/<tarball>