A10 Lab

A10 Networks
Application Delivery Controller: Labs
ACOS release 2.7
Course A10_ADC-2.7v2.2
Section 1
Conventions
Reference
Labs Load Balancing Concepts Page 2 of 4
Conventions and variable substitution in labs
Substitutions
<string> indicates variable which should be substituted with a value. Here is a list of
common required substitutions throughout the lab book:
Variable Substitute with Student 1

ACOS device name. Substitute n with A1
<An>
your device number
AnClass. Substitute n with your device A1Class
<ConfigProfile>
number
Management IP of your ACOS device: 1.0.0.1
<ACOS-Mgmt-IP>
1.0.0.n where n is your student ID
Virtual server IP 100.0.0.(20+n) where 100.0.0.21
<vip1-IP>
n is your student ID
Name of the system backup file of your
<tarball> ACOS device in the form of An.tar.gz A1.tar.gz
where n is your student ID
<s1-IP> Server 1 IP address 200.0.0.201
<s2-IP> Server 2 IP address 200.0.0.202
IP address of the client-side ACOS 100.0.0.1
<ACOS-ClientData-IP>
device data interface 100.0.0.n
IP address of the server-side ACOS 200.0.0.1
<ACOS-ServerData-IP>
device data interface 200.0.0.n
Network Address Translation Pool
<nat1-IP> 200.0.0.(20+n) where n is your student 200.0.0.21
ID
<ha-sync-pri> if your device is odd
<ACOS-HALink-IP> numbered, and <ha-sync-sec> if your 3.0.0.1
device is even numbered
<ha-sync-pri> 3.0.0.1
<ha-sync-sec> 3.0.0.2
100.0.0.(100+n) where nn is your 100.0.0.101
<client-data-IP>
student ID
<backup-IP> 1.0.0.(100+n) 1.0.0.101
<set-ID> Instructor will assign before the lab
1 for primary device, 2 for secondary in 1
<ha-ID>
HA

Section 1
ACOS Management
Lab
Labs AX Management Page 2 of 8
Initial configuration and backup
CLI
Configuration steps
Initial setup of the ACOS device
1. To perform initial setup of the ACOS device, we will connect to the console port
and configure management port. The rest of the initial configuration will be
performed remotely via ssh.
2. Connect to the console port of your ACOS device. At the terminal window
prompt execute the following command and log in with username admin
password a10 :
console n (where “n” is your student number)
3. First reset the device to factory state in case someone used it before the class:
enable
config
system-reset (and answer yes to the following two questions)
4. Wait for the device to reboot. Log in and configure management port for remote
connectivity and save the initial setup in a named configuration profile:
enable [Enter] for password
config
interface management
ip address <ACOS-Mgmt-IP> /24
enable
write mem <ConfigProfile>
y
end
exit
exit
y
5. Note that you did not provide default gateway for the management port. This is
because in our classroom layout management port is on the same network as
your remote desktop. In real life you would add default gateway.
6. Exit out of console port by hitting Ctrl-] and typing quit.
7. Close the terminal window and open a new one.
8. Connect to the management port through ssh. At the terminal prompt execute
the following command and log in with password a10:

ssh admin@<ACOS-Mgmt-IP>
9. If you get an error message “WARNING: REMOTE HOST IDENTIFICATION HAS
CHANGED”, remove known_hosts from your remote desktop with the following
command and continue with login:
rm /home/student/.ssh/known_hosts
10. Now we will configure the following items:
a. host name
b. time zone
c. vlans for data interfaces (client side, server side, and ha link)
d. virtual Ethernet (ve) interfaces
e. assign ip addresses to those interfaces
f. enable physical interfaces associated with ve interfaces
g. change default terminal timeout to 60 minutes – useful in class exercises
h. enable multi-config mode (allows multiple admins to work at the config
prompt at the same time – it is useful in class, you need to determine if
you want to use this feature in a production environment)
enable [Enter] for password
config
hostname <An>
clock timezone America/Los_Angeles
vlan 100
untagged ethernet 1 (We are using untagged in our simplified lab
setup. In real life you would most likely tag)
router-interface ve 100
vlan 200
untagged ethernet 2
vlan 300
tagged ethernet 3 (Here our lab setup allows us to tag)
interface ve 100
ip address <ACOS-ClientData-IP> /24
interface ve 200
ip address <ACOS-ServerData-IP> /24
interface ve 300
ip address <ACOS-HALink-IP> /24
interface ethernet 1
enable
enable

enable
exit
terminal idle-timeout 60
multi-config enable
end
write mem
11. Verify state of the interfaces:
show interface brief
12. Verify connectivity (let instructor know if you are unsuccessful):
ping <client-data-IP>
ping <s1-IP>
ping <s2-IP>
13. In the next steps you will learn how to create new profiles and back up the
configuration you just created.
Remote backup to an FTP server
14. Open ssh connection to your ACOS management port and log in as username
admin, password a10. After you see “An>” prompt, type “enable” and hit Enter,
and again Enter for password.
15. Execute commands:
show startup-config all
16. Go to config prompt and execute commands:

write mem Profile2 (answer “no” to the question whether you want
to create a link to default startup)
config
copy <ConfigProfile> Profile3
show startup-config all
Can you see the two new profiles? Now delete them:
delete startup-config Profile2
delete startup-config Profile3
end
show startup all
17. In your remote desktop open “srv” folder on the left of the screen, then “ftproot”,
then “ConfigBackup”. You will be able to watch backup progress there.
18. From your ACOS device execute command:
backup system use-mgmt-port ftp://ftp@<backup-IP>/ConfigBackup/

When asked for password, hit Enter. Accept default filename format. Answer
“no” to the question “Do you want to save the remote host information to a
profile for later use?[yes/no]no”. You should see a response indicating success.
19. Now create a backup with an explicitly stated file name:
backup system use-mgmt-port ftp://ftp@<backup-
IP>/ConfigBackup/<tarball>
You will restore this backup to your ACOS device before starting each lab, so
please follow naming conventions for convenience.
20. To back up just the configuration profile, execute command (all in one line,
replace “n” in destination filename with the number of your ACOS device) from
the config prompt:
copy <ConfigProfile> use-mgmt-port
ftp://ftp@<backup-IP>/ConfigBackup/<ConfigProfile>.txt
21. To back up running configuration, execute command (all in one line, replace “n”
in destination filename with the number of your ACOS device):
copy running-config use-mgmt-port ftp://ftp@<backup-IP>/
ConfigBackup/Anrunning.txt
Verifying backed up config files

22. Explore contents of the system backup tar.gz file. Go to folder srv > ftproot >
ConfigBackup. Find the files you backed up. Right click on text files, open them in
Notepad++ and compare them visually. You config profile and running config
should be identical.
23. Right click on the system back up tar.gz file, choose 7-zip Open Archive. Enter
a10data directory. You should see all configuration elements from your ACOS
device. Go to config folder. You should find the config profile you created earlier.
WebUI
Configuration steps
Local backup
24. Click on Chrome browser in your remote desktop taskbar. Click on the
bookmark corresponding to the device you just configured and log in.
25. Go to Config > System > Maintenance > Backup > System. Select “Local” (should
be selected by default). Click “OK” and save file to your local drive.

26. Go to Config > System > Config File. Click “Add”, name “NewProfile”, copy from
<ConfigProfile>, then underneath the line “clock timezone
America/Los_Angeles” add line “ip dns primary 8.8.8.8” and click “OK”.
27. Select <ConfigProfile> and “NewProfile” and click “Diff”. Find the difference in
the two profiles.
28. Dismiss the diff window and delete NewProfile (select and click on Delete –
make sure <ConfigProfile> is not also selected).

Section 2
Load Balancing Concepts
Lab
Objective: Configure layer 4 SLB Virtual Server
WebUI
Configuration steps
Server
1. Open a browser in your remote desktop and connect via HTTPS to
<ACOS-Mgmt-IP> and log in with username: admin password: a10
2. Go to Config Mode > SLB > Service > Server. You should see this screen:
3. Click on the Add button. You should see two sections, upper, entitled General,
and lower, entitled Port.
4. In the General section enter “s1” as name of the server and <s1-IP> as IP
Address.
5. In the Port section enter “80” as port, click on “Add” in the same section on the
right (you should see the port show up in the table), and then click “OK” at the
bottom of the page. You should now see this screen:
6. Repeat the steps to add server 2 (“s2”) with IP address <s2-IP> and port “80”.
7. Go to Monitor Mode > SLB > Service > Server.
8. Click once on the name/IP of the newly configured server. A row with the port
number should open below. Here you can monitor per-physical server/port
statistics during later exercises. In the column to the left green arrows should
point up. That indicates that our default health monitor was able to ping the
server and performed a successful TCP handshake on port 80. In future labs you
will build even more sophisticated, layer 7 health monitors.

Service Group
9. Go to Config Mode > SLB > Service > Service Group.
10. Click on the Add button. You should see two sections, upper, entitled Service
Group, and lower, entitled Server.
11. In the Service Group section enter “http” as name of the group. In the Server
section click on the drop-down list next to “Server”, select s1, type “80” in the
Port field, and then click on the “Add” button. You should see your physical
server s1 show up in the table as a member of this service group.
12. Repeat step above to add server s2.
13. Click on the “OK” button at the bottom of the page.
14. Go to Monitor Mode > SLB > Service > Service Group, and click on the http
service group. You should see the service group and both server members with
green arrows to the left of them. Here you can monitor per-service group
statistics during later exercises.
Source Network Address Translation (Source NAT)
15. Go to Config Mode > IP Source NAT > IPv4 Pool.
16. Click Add.
17. Enter “nat1” as name, <nat1-IP> as start and end addresses, “255.255.255.0” as
netmask, and click OK. You have created a NAT pool that will be applied in a
Virtual Server section.
Source IP Persistence
18. In this section you will build a template that will ensure that ACOS, once the
HTTP connection is established, forwards subsequent requests to the same
server.
19. Go to Config Mode > SLB > Template > Persistent > Source IP Persistence.
20. Click Add, type “pers1” as name, and click OK to save the template. It will be
applied in the Virtual Server section.
Virtual Server (VIP)
21. Go to Config Mode > SLB > Service > Virtual Server.
22. Click Add. You should see two sections, upper, entitled General, and lower,
entitled Port.
23. In the General section enter “vip1” as name of the server, and <vip1-IP> as IP
Address.
24. In the Port section click on Add. A new screen should open up. Leave “TCP” as
type, enter “80” as port, select “http” as service group, select “nat1” as Source
NAT Pool, select Source IP Persistence Template in Persistence Template Type,
then “pers1” in the dropdown list below, click on “OK” at the bottom of the page,

and click on “OK” again at the bottom of the Virtual Server page. You should
now see this screen:
25. You have configured layer 4 SLB Virtual Server.
Verifying functionality
26. In your browser open a connection to http://<vip1-IP>/
27. You should see a web page containing three images.
28. All three images should be coming from the same server. You can recognize that
by having the same image repeated three times. Server1 only serves cherries,
Server2 only serves lemons. Refresh page several times.
29. Your source IP address shown at the top of the page should be from the NAT
pool.
30. Go to Monitor Mode > IP Source NAT > Pool. You should see how many times
your NAT pool was used.
31. Go to Monitor Mode > SLB > Application > Persistent. In the table you can find
statistics for successful Source IP Persistent connections broken down by CPU.
32. Go to Monitor Mode > SLB > Service > Virtual Server. Click on the name of your
virtual server, then on port, and watch connection statistics per server. All of
them should be on one server.
33. Now we will see what happens when you remove Source IP Persistence
template from the virtual server. Go to Config Mode, Service, SLB, and click on
Virtual Server.
34. In the Port section select the port and click “Edit”. Remove Source IP Persistence
and click OK, then again OK to apply the new configuration for the virtual
server.
35. Open terminal window (icon with black “C” on green background in quick
launch toolbar at the bottom of the screen), type “ssh <ACOS-Mgmt-IP>”, and log
in as username admin, password a10. After you see “An>” prompt, type
“enable” and hit Enter, and again Enter for password. At the “#” prompt type
“clear sessions all” and hit Enter. For testing purposes in the lab this
ensures that none of the old sessions remains alive.

37. The images should now be coming from two servers. Reload the page a few
times.
38. In your browser connect via HTTPS to <ACOS-Mgmt-IP> and log in with
username: admin password: a10
39. Go to Monitor Mode > SLB > Service > Virtual Server. Then click on the name of
your virtual server, then on port, and watch connection statistics per server.
They should be distributed between two servers.
40. When you are happy that your configuration worked, click on “Save” at the top
right of the ACOS WebUI. This ensures that your configuration would be
reloaded should you reboot your device. The configuration you have done so far
remains in ACOS memory only.
41. If you are not certain about any of the steps performed so far or the results, ask
the instructor now. In the subsequent steps we will clear the existing
configuration and will perform the same configuration from the command line.
42. Go to Addendum A “Restore Configuration” and perform steps in section
“WebUI”.
CLI
Configuration steps
Server
43. Open ssh connection to <ACOS-Mgmt-IP> and log in as username admin,
password a10. After you see “An>” prompt, type “enable” and hit Enter, and
again Enter for password. At the “#” prompt type “config” and hit Enter. You
should now see “An(config)#” prompt. That indicates you are in config mode,
just as you are in config mode in the Config tab in WebUI. You will notice many
more similarities in the workflow as we go through the exercise.
44. At the prompt type “?” and watch the list of commands available. Press space
bar if needed to move to the next page. On one of the pages you can find
command “slb”, just like in WebUI. If you still see “—MORE—“at the bottom of
the screen, you can break out of it by pressing “q”.
45. At the prompt type “slb”, press space, and type “?” to see the list of submenus.
One of them is “server”. Extend your command so it now says “slb server”,
press space, and then “?” again. You need to provide name of the server, just like
in WebUI. Use “s1”, then space and “?”. ACOS asks for one of three alternative
means of addressing the server. We will use IP Address. Append <s1-IP> to the
end of the command, press space, and then “?”. ACOS indicates it is ready to
accept the command. Press Enter. Your prompt should now look like this:
“An(config-real server)#”. That means you are within the physical server

configuration section. Press “?”. Choose command “port” and provide options
“80” and “tcp”. Press Enter. Your prompt should change to “An(config-real
server-node port)#” indicating you can configure further options on that port.
For now you will stop and configure the second server. Type “exit” at the
prompt and press Enter. Notice that you have backed off one menu level. You
need to type “exit” again and press Enter to find yourself at the plain config
prompt.
46. Using steps above configure server s2 with address <s2-IP>, and add port 80
tcp. When you are done, type “end” and press Enter. Notice that by typing “end”
you exited from the config menu. You should now be at the “An#” prompt.
47. To verify what you have just configured type “show slb server config” and
press Enter. You should see two configured servers and their ports. Command
“show” is the CLI’s equivalent of the WebUI “Monitor” tab. Press arrow key UP
and execute “show slb server” command again, but first backspace and erase
“config” from the end of the command. Notice that by itself this command shows
traffic statistics per physical server/port.
Service Group
48. Enter config mode again by typing “config” and pressing Enter.
49. To create service group type “slb service-group http tcp” and press Enter.
Your prompt should now change to “An(config-slb svc group)#”.
50. To add servers as group members type “member s1:80 enable” and press
Enter. Repeat this command for server 2 (s2), then type “end” to exit.
51. To verify your configuration type “show slb service-group http config” and
press Enter. Try the same command without “config” at the end, and then again
without “http config” at the end. The first one gives you detailed statistics for
service group http, the second gives summary statistics for all configured
service groups.
Source NAT
52. Enter config mode.
53. Build IP NAT pool using command:
ip nat pool nat1 <nat1-IP> <nat1-IP> netmask /24
Two IP addresses listed indicate start and end of the pool. Press Enter.
54. Verifying using command:
show ip nat pool
55. We will apply this NAT pool when configuring Virtual Server.

56. In config mode execute command:
slb template persist source-ip persist1
57. Verify using command
show slb template persist source-ip
58. Type “exit” and press Enter.

59. In config mode execute command
slb virtual-server vip1 <vip1-IP>
60. You should now be at prompt “An(config-slb vserver)#”. We will proceed to
configure remaining parameters.
61. Execute command:
port 80 tcp
62. You should see prompt “An(config-slb vserver-vport)#”.
63. To apply source IP persistence template you have created earlier use command:
template persist source-ip persist1
64. Apply source NAT pool you have created earlier with command:
source-nat pool nat1
65. Apply service group you have created earlier with command
service-group http
66. After a while this should also change the state of the port to “All Up”. Wait for a
moment, then execute command:
show slb virtual-server vip1
67. Type “end” and press Enter.
68. To see physical servers bound to your virtual server, use command:
show slb virtual-server bind
69. Verify your completed configuration using command

show running
70. This shows entire running configuration. You may have to move from page to
page by pressing space bar. Watch for all the components you have configured.
71. To look at just one element from the running configuration, pipe output of
“show running” through command “section” and providing a string to match
(regular expressions are also allowed). Try this command:

show run | sec vip1
(you can abbreviate commands as long as they are unambiguous).
73. You should see a web page that contains three images.
74. All three images should be coming from the same server. Refresh page several
times.
75. Your source IP address shown at the top of the page should be from the NAT
pool.
76. At the user-level prompt (An>) execute command:
show ip nat pool statistics
77. As you can see, from the command line you can watch usage statistics per
individual address. Notice that you can watch most of the statistics from the
user-level prompt, without switching to enable mode (admin).
78. At the user-level prompt (An>) execute these two commands:
show slb persist
show slb persist detail
79. Now try:
show slb server
80. Watch connection statistics per server. All of them should be on one server.
81. Now we will see what happens when you remove Source IP Persistence
template from the virtual server.
82. Go to config mode (type “config” and press Enter). Execute commands:
slb virtual-server vip1
port 80 tcp
83. You are now in the same virtual server port where you applied source IP
persistence template. Verify the configuration using command:
show slb virtual-server config
84. If you remember, to apply the template we used command “template persist
source-ip persist1”. Now to remove it, use the same command but prepend “no”
in front of it. Your full command should look like this:
no template persist source-ip persist1
85. Execute it and verify the effects using previous command:

86. Your template should be detached from virtual server vip1. Type “end” and
press Enter to exit config mode.
87. At the “#” prompt execute command:
clear sessions all
88. For testing purposes in the lab this ensures that none of the old sessions
remains alive.
90. The images should now be coming from two servers. Reload the page a few
times.
91. Use command:
show slb server
92. Watch connection statistics per server. They should be distributed between two
servers.
93. If you are not certain about any of the steps performed so far or the results, ask
the instructor now. In the subsequent steps we will clear the existing
configuration and will perform the same configuration from the command line.
94. Go to Addendum A “Restore Configuration” and perform steps in section “CLI”.

Section 3
HTTP
Lab
Labs HTTP Page 2 of 6
Objective: Configure layer 7 HTTP SLB Virtual Server
with HTTP health monitor, header insertion, and URL
failover
WebUI
Configuration steps
Server
1. Follow steps in Load Balancing Concepts Lab, WebUI, Server, to configure s1 and
s2 servers, port 80.
HTTP Health Monitor and Service Group
2. Go to Config > SLB > Health Monitor > Health Monitor.
3. Click Add, Name “http”, in section “Method” select HTTP as Type, in URL second
field enter “/”, in Expect enter “bluesky” (that string does not exist in the root
page, we are using it for testing only), then click “OK” at the bottom to apply.
4. Go to Config > SLB > Service, then click on Service Group. Specify “http” as name,
select “http” as Health Monitor, then in the server section as s1 and s2 as
members with port 80, and click “OK” at the bottom to apply.
5. Go to Monitor > SLB > Service, and click on Service Group. Service Group status
should be down. Click on service group name to verify status of member servers.
6. Go to Config > SLB > Health Monitor > Health Monitor, open http by clicking on
it, change “bluesky” in the Expect field to “Temporibus” (that string does exist in
root page), and apply.
7. Go to Monitor > SLB > Service > Service Group. Service Group status should be
up. Click on service group name to verify status of member servers.
8. Go to Config > IP Source NAT > IPv4 Pool.
9. Click Add.
netmask, and click OK.
11. You have created a NAT pool that will be applied in a Virtual Server section.

12. In this section you will build a template that will ensure that ACOS, once the
HTTP connection is established, forwards subsequent requests to the same
server.
13. Go to Config > SLB > Template > Persistent, and click on Source IP Persistence.
14. Click Add, type “pers1” as name, and click OK to save the template. It will be
applied in the Virtual Server section.
15. Go to Config > SLB > Service > Virtual Server.
entitled Port.
17. In the General section enter “vip1” as name of the server, and <vip1- IP> as IP
Address. When you see that reference, please substitute the address you have
just entered.
18. In the Port section click on Add. A new screen should open up. Select “HTTP” as
NAT Pool, select Source IP Persistence Template in Persistence Template Type,
then “pers1” in the dropdown list below, click on “OK” at the bottom of the page,
and click on “OK” again at the bottom of the Virtual Server page. You should now
see this screen:
19. You have configured layer 7 SLB Virtual Server.

21. You should see a web page that starts with “It works!” and contains three
images.
22. Refer to Section 3 Load Balancing Concepts Lab, WebUI, Verifying functionality
for additional verification steps should you like to perform them again.
HTTP templates
Header rewriting/insertion
23. In this part of the lab we will change the name of the responding HTTP server
header. First we will find check existing response headers.
24. In your browser clear your cache, Ctrl-Shift-I (as in capital letter i), request page
from your vip1, then check the response headers and find the server header by

clicking on “Network” menu item, then clicking on the IP address of your VIP,
and then on “Headers” tab. Scroll down through headers to Response Headers
section. This verification step may also be done using Wireshark or other packet
trace on your workstation.
25. Go to Config > SLB > Template > Application > HTTP.
26. Click Add, enter “header-rewrite” as Name, open section Header Insert below, in
Response part enter “Server: nginx” as Name, and make sure the next field is
blank (that means “rewrite existing header”).
27. Go to Config > SLB > Service > Virtual Server, edit port, select “header-rewrite”
as HTTP Template, then click “OK” and “OK” again to apply.
28. In your browser clear your cache, hit Ctrl-Shift-I, request page from your vip1,
then check the response headers and find the server header.
URL Failover
29. In this part of the lab we will create HTTP failover in case your servers become
non-responsive.
30. Go to Config > SLB > Template > Application > HTTP.
31. Click Add, enter “failover” as Name, enter http://1.0.0.201/failover/ below in
Failover URL, then click “OK” at the bottom to save.
32. Go to Config > SLB > Service > Virtual Server, edit port, select “failover” as HTTP
Template, then click “OK” and “OK” again to apply.
33. Go to Config > SLB > Service > Server. Select both servers, and click Disable at the
bottom.
34. Open ssh session to your ACOS device, go to enable prompt, type “clear
sessions all” and press Enter.
35. In your browser request page from your vip1. You should be redirected.
36. Re-enable your servers and request page from your vip1 again. You should be
able to reach the servers.
37. If you have any questions, ask instructor for assistance.
HTTP Templates in CLI
38. Go to your virtual server port and remove http template from it.
39. Go to Config > SLB > Template > Application > HTTP, select both templates and
delete them.
40. Open ssh session to your AX. Go to config mode (refer to Section 1 Load
Balancing Concepts Lab, CLI in case you have doubts how to do it), type “slb
template http header-rewrite” and press Enter. You should now be at
“An(config-http)#” prompt.
response-header-insert "Server: nginx"

42. Type “exit”, press Enter, execute commands:
port 80 http
43. Your prompt should now say “An(config-slb vserver-vport)#”.

template http header-rewrite
45. In your Chrome browser clear your cache, press Ctrl-Shift-I, request page from
your vip1, then check the response headers and find the server header. You
should see header “Server: nginx”.
no template http header-rewrite
47. Repeat step above to verify incoming headers. “Server: nginx” should now be
gone.
48. At your ACOS CLI prompt type “end”, Enter, then “config” and Enter.
49. Execute commands:
slb template http failover
failover-url http://1.0.0.201/failover/
50. You can check the existence of both templates by executing command:
show slb template http
51. Apply this template to vip1 port 80 as you have done for the previous template.
52. Type “end”, Enter, then “config”, Enter, “slb server s1”, and Enter. Type
“disable” and press Enter. Repeat steps for server 2.
53. Attempt to reach your vip1 via your web browser. You should be redirected.
54. Re-enable your servers and verify that you can connect to your vip1 through the
browser.

Section 4
HTTPS
Lab
Labs HTTPS Page 2 of 8
Objective: Configure layer 7 HTTPS SLB Virtual Server
with SSL, Cookie Persistence, HTTP-to-HTTPS
transparent redirect templates, and SSL Offload
WebUI
Configuration steps
Server
1. Follows steps in Load Balancing Concepts Lab, WebUI, Server, to configure s1
and s2 servers, with port 80 for both servers.
Service Group
2. Go to Config > SLB > Service > Service Group. Specify “http” as name, then in the
server section select s1 and s2 as members with port 80, and click “OK” at the
bottom to save.
SSL Certificate
3. Go to Config > SLB > SSL Management > Certificate. Click Create. Enter “ss1” as
File Name, “a10networks.com” as Common Name, “Training class” as
“Organization”, and click “OK” to save.
SSL Template
4. Go to Config > SLB > Template > SSL > Client SSL. Click Add, enter “cssl” as
Name, select “ss1” as Certificate Name and Key Name, and then click “OK” to
save.
5. Go to Config > IP Source NAT > IPv4 Pool.
6. Click Add.
netmask, and click OK.
8. You have created a NAT pool that will be applied in a Virtual Server section.
Cookie Persistence
9. In this section you will build a template that will ensure that client’s browser,
once the HTTPS connection is established, forwards subsequent requests to the
same server.
10. Go to Config > SLB > Template > Persistent > Cookie Persistence.

11. Click Add, type “cpers” as name, enter “ElvisLives” as Cookie Name, and click OK
to save the template. It will be applied in the Virtual Server section.
12. Go to Config > SLB > Service > Virtual Server.
entitled Port.
14. In the General section enter “vip1” as name of the server, and <vip1-IP> as IP
Address.
15. In the Port section click on Add. A new screen should open up. Select “HTTPS” as
NAT Pool, select Cookie Persistence Template in Persistence Template Type,
then “cpers” in the dropdown list below, select appropriate client-ssl template,
click on “OK” at the bottom of the page, and click on “OK” again at the bottom of
the Virtual Server page. You should now see this screen:
16. You have configured layer 7 HTTPS SLB Virtual Server.

17. Go to Monitor > SLB > Service > Virtual Server, click on vip1 and make sure all
elements are green and healthy.
18. In your browser open a connection to https://<vip1-IP>/
19. Accept self-signed certificate. You should see a web page that starts with “It
works!” and contains three images. Reload page a few times. All images should
be coming from the same server.
20. Verify the certificate sent from the ACOS device: right click on the “It works!”
web page, select “View Page Info”, then click on “Security”, and “View
Certificate”. You should find the information you entered earlier in the lab.
21. Verify the cookie sent from the ACOS device: right click on the “It works!” web
page, select “View Page Info”, then click on “Security”, and “View Cookies”. You
should recognize the cookie.
22. We will now see what happens when someone tries to connect to your virtual
server via http instead of https.

24. It should not work. In the following section we will solve that problem
transparently.
Configuration steps
Transparent redirect
25. Import aflex script to redirect request from port 80 to 443. From the ACOS
enable prompt execute command:
import aflex redirect1 ftp://ftp@<backup-IP>/BaseConfig/redirect1.tcl
26. Go to Config > SLB > Service > Virtual Server. Open your virtual server and add a
new port – port 80, type HTTP, leave Service Group blank, select “redirect1” as
aFleX, click “OK” and again “OK” to save.
27. Go to Config > SLB > aFleX and open “redirect1”. This is the script you applied
on port 80. What does it do?
28. Click on Logout(admin).
29. To verify new functionality, in your browser open a connection to
http://<vip1-IP>/
30. You should be automatically redirected to https://<vip1-IP>/
32. This time instead of reloading clean configuration after WebUI operations, we
will remove selected configuration items in CLI and rebuild them.
CLI
Deleting configuration elements

33. Connect to ACOS device via ssh, log in, go to enable mode.
34. Check existing templates using command:
show slb template
35. Check Virtual Server configuration using command:
36. Notice template attached to port 443.

37. Go to config mode. Execute command:
no slb template client-ssl cssl
38. Check existing templates again using command:

show slb template

no slb template persist cookie cpers
40. Verify it has been deleted.
41. Check Virtual Server configuration using command:
42. As you can see templates you deleted have automatically been removed from
the virtual server configuration.
43. Show existing SSL certificates using command:
show slb ssl cert
44. Delete SSL certificate using command
slb ssl-delete certificate ss1
and verify it has been deleted. You can see that while the certificate has been
deleted, the key still exists.
45. Delete it using command:
slb ssl-delete private-key ss1
and verify it has been removed.
46. Now we will rebuild those elements from the CLI and restore full functionality.
47. Before we start, verify that remaining SLB configuration elements are intact
using command:
show run | sec slb
Configuration steps
SSL certificate and key
48. Make sure you are in a config mode. Execute command:
slb ssl-create certificate ss1
You will have to answer several questions. Provide the same values we used
earlier in this lab.
49. Verify the certificate has been created using:
show slb ssl cert ss1
SSL Template
slb template client-ssl cssl

51. You should be at the “An(config-client ssl)#” prompt. To add the certificate and
key you created, type “cert ss1”, press Enter, then “key ss1” and press Enter.
Verify using command:
show slb template client-ssl cssl
Cookie Persistence
slb template persist cookie cpers
54. You should be at the “An(config-cookie persist)#” prompt. Type “name
ElvisLives” and press Enter. Verify using command:
show slb template persist cookie
Applying Templates to Virtual Server port
56. Go to configuration of your virtual server using command:
57. Proceed to port configuration using command:
port 443 https
58. Apply templates you have created with commands:
template client-ssl cssl
template persist cookie cpers
59. Verify configuration using commands:
show run | sec slb
60. In your browser open a connection to https://<vip1-IP>/
61. Accept self-signed certificate. You should see a web page that starts with “It
works!” and contains three images. Reload page a few times. All images should
be coming from the same server.
62. Verify the certificate sent from the ACOS device: right click on the “It works!”
web page, select “View Page Info”, then click on “Security”, and “View
Certificate”. You should find the information you entered earlier in the lab.

63. Verify the cookie sent from the AX: right click on the “It works!” web page, select
“View Page Info”, then click on “Security”, and “View Cookies”. You should
recognize the cookie.
64. We will now see what happens when someone tries to connect to your virtual
server via http instead of https.
66. It should automatically redirect you to https://<vip1-IP>/

Section 5
ACOS Acceleration
Lab
Labs AX Acceleration Page 2 of 6
Objective: Configure layer 7 HTTP SLB Virtual Server
with Connection Reuse, Compression, and RAM
Caching templates
WebUI
Configuration steps
Server
1. Follow steps in Load Balancing Concepts Lab, WebUI, Server to configure s1 and
s2 servers using port 80 for this lab.
Service Group
2. Follow steps in Load Balancing Concepts Lab, WebUI, Service Group to
configure HTTP service group for this lab.
3. Follow steps in Load Balancing Concepts Lab, WebUI, Source NAT to configure
source NAT for this lab.
4. Follow steps in Load Balancing Concepts Lab, WebUI, Virtual Server to
configure virtual server for this lab, but specify Virtual Server port type “HTTP”
(instead of TCP), and skip source IP persistence.
5. Verify that your configuration is working before proceeding. Continuing this lab
we will add connection reuse, compression, and RAM caching capabilities to our
virtual server.
Configuration steps
Connection Reuse template
6. Go to Config > SLB > Template > Connection Reuse.
7. Click Add, enter “creuse” as Name, enter “5” in “Limit Per Server” field, and click
“OK” to save. Please note that a limit of 5 connections is unrealistic, and we are
only using it in the classroom. Minimum number of reusable connections is
equal to the number of data CPUs. Please also note that the "Keep Alive
Connections" option is applicable only to SIP-over-TCP sessions.

Compression template
8. Go to Config > SLB > Template > Application > HTTP. Click Add, enter
“compression” as Name, open section “Compression” below, check “Enabled” for
Compression and click “OK” to save.
RAM Caching template
9. Go to Config > SLB > Template > Application > RAM Caching. Click Add, enter
“caching” as Name and click “OK” to save.
Applying templates to Virtual Server port
10. Go to Config > SLB > Service > Virtual Server, open vip1, Edit port and apply the
connection reuse template you have just configured. Do not apply caching and
compression templates yet. Save the port and virtual server.
Connection Reuse
11. Open terminal window and execute command:
connreuse <vip1-IP>
12. From another terminal window ssh to <ACOS-Mgmt-IP>, go to enable prompt
and execute command:
show slb connection-reuse detail
13. Repeat the command a few times (arrow key up). You should see a total of ~10
persistent connections with an even spread per data CPU.
14. Go back to the terminal window with “connreuse <vip1-IP>” command
running and terminate it with Ctrl-C.
Configuration steps
Applying templates to Virtual Server port
compression template you have just configured.
Compression
16. Point your browser to <vip1-IP> to generate some data traffic (script in the
previous exercise does not create cacheable or compressible content).
17. Go to Monitor > SLB > Application > Proxy > HTTP. See compression statistics
toward the bottom of the table.

18. In CLI execute command:
show slb http-proxy | inc compress
19. Note that in the command above “sec” instead of “inc” would also work. “sec”
(short for “section”) displays sections, or records, whereas “inc” (short for
“include”) displays lines. In the output above a record happens to be a line, so
both work the same.
RAM Caching
RAM caching template you have configured.
21. Point your browser to <vip1-IP> to generate some data traffic.
22. Go to Monitor > SLB > Application > RAM Caching > Objects. You should see
contents of the RAM cache.
23. In CLI execute the following commands:
show slb cache entries vip1 80
show slb cache memory-usage
show slb cache stats vip1 80
show slb cache
Removing configuration elements in WebUI

24. If you have any questions, ask for instructor’s assistance. In the next step we
will remove some of the configuration elements and then recreate them from
the CLI.
25. In WebUI, go to Config > SLB > Template > Connection Reuse, check “creuse”
template and delete it.
26. In WebUI, go to Config > SLB > Template > Application > HTTP, check
“compression” template and delete it.
27. In WebUI, go to Config > SLB > Template > Application > RAM Caching, check
“caching” template and delete it.
28. Verify in CLI by going to enable mode, then executing command:
show run | sec slb
CLI
Configuration steps
Connection Reuse template
29. Go to Config mode, execute commands:
slb template connection-reuse creuse

limit-per-server 5
30. Verify with command:
show slb template connection-reuse

Compression template
32. At the config prompt execute commands:
slb template http compression
compression enable
show slb template http compression

RAM Caching template
35. At the config prompt execute command:
slb template cache caching
show slb template cache
Applying Templates to Virtual Server port
38. Go to configuration of your virtual server using commands:
port 80 http
39. Apply templates one by one, verifying functionality after adding each template.
40. If anything does not work as expected, ask instructor for assistance.

Section 7
High Availability
Lab
Labs High Availability Page 2 of 14
Objective: Configure AX High Availability
WebUI
Preparation
1. In this lab we will configure high availability. For this we need to work in teams
of two. Odd numbers will be Primary ACOS device, even numbers will be
Secondary. For example, in a team of A1 and A2, A1 will be primary, A2 will be
secondary. Steps below will be separated into those that need to be performed
on the primary, and those that need to be performed on the secondary. Make
sure you coordinate those steps within your team.
Overview of the HA configuration workflow

2. Configure global HA parameters:
a. HA ID
b. HA group ID and priority
c. Floating IP address
d. Session synchronization
e. HA pre-emption
3. Configure HA interfaces.
4. Build SLB configuration with HA parameters (Primary ACOS device)
5. If session synchronization is globally enabled, enable it on the individual virtual
ports whose client sessions you want to synchronize.
6. Run sync.
7. Verify HA functionality, and if successful, "Save", then back up configuration to a
server.
Configuration steps on the Primary ACOS device

Configuring global HA parameters
8. Go to Config > System > HA > HA Global.
9. Check “Enabled” for HA Status, select “1” for HA ID (this is a unique identifier for
this ACOS device in an HA pair), enter <set-ID> as Set ID, check “Enabled” for
Preemption Status, enter <ha-sync-sec> as HA Mirroring IP Address (this is the
address of your partner’s Interlink interface), in the Group section enter “200”
as Priority and click Add, and then click “OK” at the bottom to save.
10. Verify configuration at the enable prompt:
show ha config
show run | sec ha

Enabling HA Interfaces
11. Go to Config > System > HA > HA Interface. You should see a list of all physical
interfaces and their status. If you knew that they were configured properly, you
could check appropriate interfaces and enable them from here. In this exercise
we will go one by one and make sure everything is done right.
12. Click on “e1”. Change HA Status to “Enabled”. Since this is a client-facing
interface, select “Router-interface” as Type. Depending on the topology you may
want to have Heartbeat enabled, in our topology you should disable it. Click
“OK” to save.
13. Repeat operation for “e2” but select Type “Server-interface” as e2 faces the
server farm. Depending on the topology you may want to have Heartbeat
enabled, in our topology you should disable it. Save.
14. Repeat operation for “e3” but select Type “None”. Enable Heartbeat, specify vlan
300, and save.
15. The status of all three interfaces in the “HA Status” column should now be green.
16. Verify configuration in WebUI by going to Monitor > System > HA > Status. Note
at the bottom of the page is a table monitoring heartbeats. You should be seeing
sent heartbeats on HA Port 3. Click “Refresh” in the upper right corner of the
page. Counters should be increasing.
17. Verify configuration in CLI by executing the following commands:
show ha config
show ha detail
Building SLB with HA parameters: Server

18. Go to Config > SLB > Service > Server, and click Add. Enter “s1” as name, <s1-IP>
as IP Address, in Port section add port 80, then click “OK” to save. Repeat steps
for server “s2” with IP address <s2-IP>.
Service Group
19. Go to Config > SLB > Service > Service Group, and click Add. Enter “http” as
Name, then in Server section add s1 and s2, both port 80, and click “OK” to save.
Source NAT
20. Go to Config > IP Source NAT > IPv4 Pool. Specify “nat1” as Name, <nat1-IP> as
start and end IP addresses, “255.255.255.0” as Netmask, select “1” as HA Group,
and click “OK” to save.
21. Verify using command:
show ip nat pool

22. Go to Config > SLB > Template > Persistent > Source IP Persistence.
23. Click Add, enter “persist1” as Name and click “OK” to save.
show slb template
Virtual Server
25. Go to Config > SLB > Service > Virtual Server, and click Add. Enter “vip1” as
Name, <vip1-IP> as IP address, select “1” for HA Group. Enter “150” as Dynamic
Server Weight. This field serves to subtract the weight of the virtual server from
the priority value in case of virtual server becoming unavailable, thus leading to
a potential failover. Since we specified “200” as priority, a failure of vip1 should
trigger a failover.
26. Add port 80, Service Group “http”, select “nat1” as Source NAT Pool, select
“Source IP Persistence” as Persistence Template Type, and select “persist1” as
Source IP Persistence Template, Click “OK” and “OK” to save.
27. Verify using commands:
show run | sec vip1
28. This ends configuration steps on the Primary ACOS device.
Configuration steps on the Secondary ACOS device

29. Go to Config > System > HA > HA Global.
30. Check “Enabled” for HA Status, select “2” for HA ID (this is a unique identifier for
this ACOS device in an HA pair), enter <set-ID> in Set ID, check “Enabled” for
Preemption Status, enter “<ha-sync-pri>” as HA Mirroring IP Address (this is
the address of your partner’s Interlink interface), in the Group section enter
“100” as Priority and click Add, and then click “OK” at the bottom to save.
31. Verify configuration by executing the following commands at the enable
prompt:
show ha config
show run | sec ha
32. Go to Config > System > HA > HA Interface. You should see a list of all physical
interfaces and their status. If you knew that they were configured properly, you
could check appropriate interfaces and enable them from here. In this exercise
we will go one by one and make sure everything is done right.

33. Click on “e1”. Change HA Status to “Enabled”. Since this is a client-facing
interface, select “Router-interface” as Type. Depending on the topology you may
want to have Heartbeat enabled, in our topology you should disable it. Click
“OK” to save.
34. Repeat operation for “e2” but select Type “Server-interface” as e2 faces the
server farm. Depending on the topology you may want to have Heartbeat
enabled, in our topology you should disable it. Save.
35. Repeat operation for “e3” but select Type “None”. Enable Heartbeat and Save.
36. The status of all three interfaces in the “HA Status” column should now be green.
37. Verify configuration in WebUI by going to Monitor, HA, and clicking on Status.
Note at the bottom of the page is a table monitoring heartbeats. You should be
seeing sent and received heartbeats on HA Port 3. Click “Refresh” in the upper
right corner of the page. Counters should be increasing.
show ha config
show ha detail
39. This ends configuration steps on the Secondary ACOS device.
Synchronizing configuration
40. Before starting synchronization “Save” config on both devices and then back up
the Secondary ACOS device to a local drive.
41. On the Primary ACOS device go to Config > System > HA > Config Sync, enter
“admin” as User, “a10” as Password, enter <ha-sync-sec>, and click “OK”. After
you see message “HA config-sync operation successful” go to the Secondary
ACOS device (it takes a moment to load) and verify that its configuration has
been synchronized.
Verifying functionality (from the Primary ACOS device)

42. From your browser open HTTP connection to your vip1. You should see the “It
works!” web page.
43. On the Primary ACOS device at the CLI type “show ha” and press Enter to show
HA state. You should see this:
A1-Active>show ha
Local Unit: UP Peer Unit: UP
HA Group Unit State Priority
1 Local Active 200
Peer Standby 100
44. In the WebUI go to Config > SLB > Service > Server, check both servers and click
“Disable”.

A1-Active>show ha
1 Local Standby 1
Peer Active 100
46. Your prompt should change to “An-Standby>”.
47. Clear cache in your browser and open HTTP connection to your vip1. You
should still see the “It works!” web page. Your connection is now routed
through the Secondary ACOS device.
48. In the WebUI go to Config > SLB > Service > Server, check one server and click
“Enable”.
A1-Standby>show ha
1 Local Standby 50
Peer Active 100
50. Notice how the weight of the servers corresponds to priority.
51. In the WebUI go to Config > SLB > Service > Server and enable both servers.
A1-Standby>show ha
1 Local Active 200
Peer Standby 100
53. On the Primary ACOS device go to Config > Network > Interface and disable
interface e1. Its status should turn red.
54. On the Primary ACOS device at the CLI type “show ha” and press Enter. You
should see this:
A1-Standby#show ha
Local Unit: DOWN Peer Unit: UP
1 Local Standby 200
Peer Active 100

55. Re-enable interface e1 and check the Primary ACOS device status. After a
moment it should change to Active. Why?
56. Disable pre-emption on both AX devices.
57. On the Primary ACOS device go to Config > Network > Interface and disable
interface e1. Its status should turn red.
58. On the Primary ACOS device at the CLI type “show ha” and press Enter. You
should see this:
A1-Standby#show ha
1 Local Standby 200
Peer Active 100
59. Re-enable interface e1 and check the Primary ACOS device status. It should
remain in Standby. Why?
60. On the Secondary ACOS device disable e1 interface, verify that failover occurred,
and re-enable e1. Verify that Primary AX is now active.
61. Now we will examine the behavior of Dynamic Server Weight in the absence of
pre-emption. Disable one of the physical servers on the Primary ACOS device
and check the status of the ACOS device from the CLI. It should display
diminished priority, but it should remain Active. Failover trigger due to
diminished priority works only with pre-emption enabled. Re-enable the
physical server.
62. Ask instructor if you need assistance. In the next step we will restore clean
configurations and prepare for HA setup from CLI.
“WebUI”.
CLI
Preparation
64. In this lab we will configure high availability. For this we need to work in teams
of two. Odd numbers will be Primary ACOS devices, even numbers will be
Secondary. For example, in a team of A1 and A2, A1 will be primary, A2 will be
secondary. Steps below will be separated into those that need to be performed
on the primary, and those that need to be performed on the secondary. Make
sure you coordinate those steps within your team.
Overview of the HA configuration workflow

65. Configure global HA parameters:

a. HA ID
b. HA group ID and priority
c. Floating IP address
d. Session synchronization
e. HA pre-emption
66. Configure HA interfaces.
67. Build SLB configuration with HA parameters (Primary ACOS device)
68. If session synchronization is globally enabled, enable it on the individual virtual
ports whose client sessions you want to synchronize.
69. Run sync.
70. Verify HA functionality, and if successful, "Save", then back up configuration to a
server.
Configuration steps on the Primary ACOS device

71. From the config prompt execute the following commands (substitute your
student # for “n” and instructor assigned Set ID for “x”):
ha id 1 set-id <set-ID> Assign AX device unique ID within the HA
group and instructor assigned unique Set ID
ha group 1 priority 200 Specify AX device priority within the HA
group
ha preemption-enable Use assigned weighs as a tiebreaker to
determine active device
ha conn-mirror ip <ha-sync-sec> Send mirrored connections to IP …
72. Verify configuration by executing the following commands at the AX enable
prompt:
show ha config
show run | sec ha
73. Add router-side (facing clients), server-side, and HA Interlink interfaces to the
list of HA interfaces:
ha interface ethernet 1 router-interface no-heartbeat
ha interface ethernet 2 server-interface no-heartbeat
ha interface ethernet 3 vlan 300
show ha config
show ha detail

You should see heartbeat being sent on HA Port 3.
Building SLB configuration with HA parameters
75. With the HA framework established, we will now build SLB configuration
including HA parameters. If you need more help with the commands used here,
see Load Balancing Concepts Lab.
Server
76. Go to config prompt and use the following commands to configure physical
servers (substitute your student # for “n”):
slb server s1 <s1-IP> Start configuring server s1
port 80 tcp Add port 80 tcp to to the server s1
slb server s2 <s2-IP> Start configuring server s2
port 80 tcp Add port 80 tcp to the server s2
show slb server config Verify completed configuration
Service Group
77. From the config prompt execute the following commands:
slb service-group http tcp Start configuring Service Group “http”
member s1:80 enable Add physical server 1 with port 80 as
member
member s2:80 enable Add physical server 2 with port 80 as
member
show slb service-group http config Verify completed configuration
Source NAT
ip nat pool nat1 <nat-IP> <nat-IP> netmask /24 ha-group-id 1 Create
NAT
pool
show ip nat pool Verify
slb template persist source-ip persist1 Create Source IP Persistence
template
show slb template persist source-ip Verify
Virtual Server

slb virtual-server vip1 <vip1-IP> Start configuring Virtual Server
“vip1”
ha-group 1 Join this Virtual Server to HA Group
1
ha-dynamic 150 This field serves to subtract the
weight of the server from the
priority value in case of virtual
server becoming unavailable, thus
leading to a potential failover. Since
we specified “200” as priority for
Primary AX in HA global
configuration and will specify “100”
as priority for Secondary AX, a
failure of vip1 should trigger a
failover.
port 80 http Add port 80 HTTP
template persist source-ip persist1 To port 80 apply Source IP
Persistence template
source-nat pool nat1 To port 80 apply source NAT nat1
service-group http To port 80 apply Service Group
“http”
show slb virtual-server config Verify
show run | sec slb Verify
81. This ends configuration on the Primary ACOS device.
Configuration steps on the Secondary ACOS device

82. From the config prompt execute the following commands (substitute your
Primary AX student’s # for “n” in command “floating-IP”):
ha id 2 set-id x Assign AX device unique ID within the HA
group
ha group 1 priority 100 Specify AX device priority within the HA
group
ha preemption-enable Use assigned weighs as a tiebreaker to
determine active device
ha conn-mirror ip <ha-sync-pri> Send mirrored connections to IP …
83. Verify configuration by executing the following commands at the AX enable
prompt:
show ha config
show run | sec ha

84. We will now add router-side (facing clients), server-side, and HA Interlink
interfaces to the list of HA interfaces:
ha interface ethernet 1 router-interface no-heartbeat
ha interface ethernet 2 server-interface no-heartbeat
ha interface ethernet 3
show ha config
show ha detail
86. You should see heartbeat being sent on HA Port 3.
87. This ends configuration on the Secondary ACOS device.
Synchronizing configuration
88. Before starting synchronization save config on both devices and then back up
the Secondary ACOS device to a local drive.
89. On the Secondary ACOS device type “show run | sec slb” to verify server
load balancing is not configured.
90. On the Primary ACOS device save your configuration using command “write
mem” from the enable prompt.
91. On the Primary ACOS device execute the following command from the config
prompt to force configuration sync:
ha sync all to-startup-config <ha-sync-sec> with-reload [all-partitions]
92. Once you see the message “Sync to 10.0.3.2 succeeded!” and the Secondary
ACOS device reloads, log in to it and from the enable prompt verify successful
synchronization using command “show run | sec slb”.
Verifying functionality (from the Primary ACOS device)

93. From your browser open HTTP connection to your vip1. You should see the
“It works!” web page.
94. On the Primary ACOS device at the CLI type “show ha” and press Enter to
show HA state. You should see this:
A1-Active>show ha
1 Local Active 200
Peer Standby 100
95. From the config prompt on the Primary ACOS device execute command:

disable slb server s1
96. Wait for a moment, hit Enter. Your prompt should change at “An-Standby”.
97. From your browser open HTTP connection to your vip1. You should see the
“It works!” web page.
A1-Standby>show ha
1 Local Standby 50
Peer Active 100
99. From the config prompt on the Primary ACOS device execute command:
enable slb server s1
100. Wait for a moment, hit Enter. Your prompt should change at “An-Active”.
A1-Standby>show ha
1 Local Active 200
Peer Standby 100
102. From the config prompt on the Primary ACOS device execute commands:
disable
show ha
103. You should see this:
A1-Active(config-if:ethernet1)#show ha
1 Local Standby 200
Peer Active 100
104. Re-enable e1 interface and check the status of the primary ACOS device. After
a while it should change to Active. Why?
105. From the config prompt disable pre-emption on both ACOS device devices
using command:
no ha preemption-enable

show ha config
107. From the config prompt on the Primary ACOS device execute commands:
disable
108. After a moment verify using “show ha”. Primary ACOS device should be in
Standby.
109. Re-enable interface e1, wait and check status of the Primary ACOS device
using “show ha”. Your Primary ACOS device should remain in Standby even
though Local Unit status should be UP. Why does it remain in Standby?
110. On the Secondary ACOS device disable e1 interface, verify that failover
occurred, and re-enable e1. Verify that Primary ACOS device is now Active.
111. Now we will examine the behavior of Dynamic Server Weight in the absence
of pre-emption. Disable one of the physical servers on the Primary ACOS
device and check the status of the ACOS device from the CLI. It should display
diminished priority, but it should remain Active. Failover trigger due to
diminished priority works only with pre-emption enabled. Re-enable the
physical server.
112. Ask instructor if you need assistance. In the next step we will restore clean
configurations and prepare for HA setup from CLI.
“CLI”.

Section 8
ACOS Troubleshooting
Lab
Labs AX Troubleshooting Page 2 of 6
Objective: Troubleshoot sessions and flows
WebUI
Overview
In previous labs we demonstrated most common configuration and monitoring
tools. In this lab we will use session and packet-level CLI tools. Throughout this lab
you will need to access your virtual server from your browser as needed to maintain
open sessions. Use commands shown in this lab and study their output.
Notes:
1. A <tab> followed by “#” denotes a comment. Do not type it as part of the
command.
2. “disable” commands must be executed from the config prompt. To undo
“disable”, use command “enable” with the same syntax
Preparation
3. Build HTTP-type Virtual Server with the following elements:
a. Two physical servers
b. Service Group http
c. Source IP Persistence with 10 minute timeout
d. Source NAT
4. When finished, verify functionality before proceeding.
Session-level commands
5. Total
show session
clear session filter # terminates selected sessions – more
# on session filters on next page
clear session all # terminates all sessions
6. Per Virtual Server
show slb virtual-server vip1 detail # show statistics
clear slb virtual-server vip1 # clear statistics
disable slb virtual-server vip1 # disable vip1
7. Per Virtual Server port (per virtual port)
show slb virtual-server vip1 80 detail
show slb virtual-server vip1 80 http detail
disable slb virtual-server vip1 port 80 # disable/drain port 80

8. Per Physical Server
show slb server
show slb server s1 detail
disable slb server s1 # disable/drain server s1
Undo the effects of the above command.
9. Per physical server port
show slb server s1 80 detail
disable slb server s1 port 80 # disable/drain port 80 on server s1
10. Per Service Group

show slb service-group
show slb service-group http
11. Per IP Address
show session ipv4 source-v4-addr your_IP_address
clear session ipv4 source-v4-addr IP # terminate this session
show session ipv4 dest-addr your_VIP_address dest-port 80
clear session ipv4 dest-addr IP dest-port 80 # terminate
Explore more options with commands above.
12. Per layer
show slb l4
show slb http-proxy
13. Configuring session monitoring and termination filters
config
session-filter s1:80 dest-addr your_VIP_address dest-port 80
show session filter s1:80
clear session filter s1:80 # terminate sessions according to
# pre-configured filter
no session-filter s1:80 # deletes filter s1:80
Packet trace
Packet trace is done on ACOS devices using axdebug command. You can set up
multiple filters with multiple conditions in each filter. Conditions within each filter
are subject to logical AND, filters are subject to logical OR. Example:
(filter_1::cond_1 && filter_1::con_2) || (filter_2::cond_1 && filter_2::cond_2)
14. Perform the following commands::
axdebug
show axdebug filter # no filters should be configured

filter 1
src ip <client-data-IP>
dst ip <vip1-IP>
exit
show axdebug filter
capture brief
15. Connect to your Virtual Server from your browser and watch axdebug output.
Press Ctrl-C to stop output. Notice that capture shows your traffic end-to-end,
from client to physical server, and shows you how ACOS is handling this traffic.
16. Now try this:
capture detail save mytraffic
17. Interrupt with Ctrl-C when done, and execute following commands:
no filter 1
exit
18. In your browser log in to your ACOS device, go to Monitor, System, Diagnosis,
and click on AXDebug File. Select your capture and press Export. Save to your
remote desktop, unpack, and open in Wireshark or other packet debugger.
Techsupport file
19. Techsupport file is an amalgamation of the output of various troubleshooting
tools. Any time you call tech support at A10 Networks, you will likely be asked
to provide it. It can be generated from the CLI or the WebUI.
20. In CLI execute the following command at the enable prompt:
show techsupport page
21. If you used “export” instead of “page”, you could upload the file to a remote
server.
22. In WebUI go to Monitor, System, Diagnostics, click on Show Techsupport, and
save it to your local drive. Open it in a text editor.
24. Leave your configuration intact (do not reload base config). We will use it in the
next exercise.

Section 9
aFleX
Lab
Labs aFleX Page 2 of 4
Objective: Install an aFleX script
Preparation
1. Build HTTP-type Virtual Server with the following elements:
a. Two physical servers
b. Service Group http
c. Source IP Persistence with 10 minute timeout, Match Type “Port”
d. Source NAT
2. When finished, verify functionality before proceeding:
a. Open browser to http://<vip1-IP>/private (should work)
b. Open browser to http://<vip1-IP>/ (should work)
Installing aFleX script

3. In this exercise you will import an aFleX script from the server, modify it, install
it, and verify its functionality.
4. Here are script’s parameters:
a. Event:
HTTP_REQUEST
b. Tests:
[IP::addr [IP::client_addr] equals <your-data-IP>]
[HTTP::uri] starts_with "/private"
c. Action:
reject
log
5. At the CLI config prompt execute (this is all one line):
import aflex no_private use-mgmt-port ftp://ftp@<backup-IP>/
BaseConfig/aFleX-no_private.tcl
6. Verify the script contains your IP address:

show aflex no_private
7. Associate the script with Virtual Server vip1 port 80.
8. From the command line execute command:
clear session all
9. Test functionality:
a. Open browser to http://<vip1-IP>/ (should work)
b. Open browser to http://<vip1-IP>/private (should fail – reset packet)

c. Open log to view aFlex reject event
10. If you have any questions, ask instructor for assistance. In the next step you will
reload base configuration.
11. Reload base configuration on your AX.

Addendum A
Restore Configuration
Lab
Loading clean configuration
WebUI
Configuration steps
1. Position mouse pointer over Config tab, move down to System, Maintenance,
Restore, and click on System. You should see this screen:
2. In “Restore from” field select remote, check “Use Management Port”, in Host field
enter <backup-IP>, in Location field type “/ConfigBackup/<tarball>” – READ
THIS: please make sure you specify proper number, otherwise you will make
your ACOS device unreachable. If in doubt, ask instructor for assistance. Enter
“ftp” as Username, and leave Password blank – our classroom server is
configured for anonymous login. In real life you will need to use valid username
and password. Verify again that all information is correct and then click “OK”.
You should be disconnected while the ACOS reloads the configuration.
3. Log in to your ACOS device, and in the opening screen verify “Feature
Configuration” section on the right side. It should show 0 service groups, servers,
or virtual servers. If that is correct, you are ready to proceed to the next section
of the lab. If not, ask instructor for assistance.
CLI
Configuration steps
4. Open ssh connection to your ACOS management port and log in as username
admin, password a10. After you see “An>” prompt, type “enable” and hit Enter,
and again Enter for password. At the “#” prompt type “config” and hit Enter. You
should now see “An(config)#” prompt. That indicates you are in config mode,
just as you were in config mode when you moused over Config tab in WebUI.
5. Execute command:
restore use-mgmt-port ftp://ftp@<backup-IP>/ConfigBackup/<tarball>
Labs Addendum A: Restore Configuration Page 2 of 4

When asked for password, hit Enter (we are using anonymous ftp in the
classroom). You should see a response indicating success. That means your
config file was stored on your ACOS device. Type “end” and press Enter. Now
type “reload” and press Enter. You should be disconnected while the ACOS
reloads the configuration.
6. Wait for a while, then log in to your ACOS device again, go to enable mode and
execute command “show run”. Page through it and verify you are running clean
configuration.


A10 Lab

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A10 Lab

Uploaded by

Copyright:

Available Formats

A10 Networks

Application Delivery Controller: Labs

ACOS release 2.7

Variable Substitute with Student 1

Labs Load Balancing Concepts Page 3 of 4

Labs AX Management Page 3 of 8

Labs AX Management Page 4 of 8

16. Go to config prompt and execute commands:

Labs AX Management Page 5 of 8

Verifying backed up config files

Labs AX Management Page 6 of 8

Labs AX Management Page 7 of 8

Labs Load Balancing Concepts Page 3 of 10

Labs Load Balancing Concepts Page 4 of 10

25. You have configured layer 4 SLB Virtual Server.

Labs Load Balancing Concepts Page 5 of 10

Labs Load Balancing Concepts Page 6 of 10

Labs Load Balancing Concepts Page 7 of 10

58. Type “exit” and press Enter.

69. Verify your completed configuration using command

Labs Load Balancing Concepts Page 8 of 10

Labs Load Balancing Concepts Page 9 of 10

Labs Load Balancing Concepts Page 10 of 10

Labs HTTP Page 3 of 6

19. You have configured layer 7 SLB Virtual Server.

Labs HTTP Page 4 of 6

Labs HTTP Page 5 of 6

43. Your prompt should now say “An(config-slb vserver-vport)#”.

Labs HTTP Page 6 of 6

Labs HTTPS Page 3 of 8

16. You have configured layer 7 HTTPS SLB Virtual Server.

Labs HTTPS Page 4 of 8

Deleting configuration elements

36. Notice template attached to port 443.

38. Check existing templates again using command:

Labs HTTPS Page 5 of 8

Labs HTTPS Page 6 of 8

Labs HTTPS Page 7 of 8

Labs HTTPS Page 8 of 8

Labs AX Acceleration Page 3 of 6

Labs AX Acceleration Page 4 of 6

Removing configuration elements in WebUI

Labs AX Acceleration Page 5 of 6

31. Type “exit” and press Enter.

34. Type “exit” and press Enter.

Labs AX Acceleration Page 6 of 6

Overview of the HA configuration workflow

Configuration steps on the Primary ACOS device

Labs High Availability Page 3 of 14

Building SLB with HA parameters: Server

Labs High Availability Page 4 of 14

Configuration steps on the Secondary ACOS device

Labs High Availability Page 5 of 14

Verifying functionality (from the Primary ACOS device)

Labs High Availability Page 6 of 14

Labs High Availability Page 7 of 14

Overview of the HA configuration workflow

Labs High Availability Page 8 of 14

Configuration steps on the Primary ACOS device

Labs High Availability Page 9 of 14

Labs High Availability Page 10 of 14

Configuration steps on the Secondary ACOS device