A10_CompactTrainingv5.pdf (1).pdf
1. 1
Customer Driven Innovation
Do not distribute/edit/copy without the
written consent of A10 Networks
Compact Training – A10 Thunder Fundamentals
José Luis Serrano
Sr. Systems Engineer, Spain & Portugal
2. 2
Agenda
„ Thunder ADC Series Overview
„ Device Management
„ Basic Device Setup
„ Basic SLB Configuration
„ VRRP-A High Availability
„ aVCS Clustering
„ Troubleshooting
„ Tech Support Procedure
„ Additional Online Resources
„ Q & A
5. 5
ACOS Scalable Symmetrical Multi-Processing
Shared Memory Architecture
[Diagram labels]
1 2 3 N
Flexible Traffic Accelerator
Switching and Routing
64-Bit Multi-Core Optimized
Optimized Flow Distribution
Shared Memory Architecture
Application Acceleration
Application Security
Application Availability
Efficient & Accurate Memory Architecture
6. 6
ACOS: FTA Models
[Diagram labels]
Mgmt. CPU: CPU 0
Data CPUs: CPU 1, CPU 2, CPU 3, CPU 12
Compression
SSL
Shared Memory Architecture
Flexible Traffic Accelerator (FPGA Matrix)
Switching and Routing ASIC (Broadcom)
Efficient & Accurate Memory Architecture
Hardware Assisted Flow Distribution
Broadcom ASIC Chip for High Performance Switching
64-Bit Multi-Core Optimized L4-7 Processing & Security
7. 7
ACOS: Non FTA Models
[Diagram labels]
Mgmt. CPU: CPU 0
Data CPUs: CPU 1, CPU 4, CPU 5, CPU 11
High Performance Driver (HPD)
Compression
SSL
Shared Memory Architecture
Flexible Traffic Acceleration by HPD (non-ASIC)
Switching and Routing by HPD (non-ASIC)
Efficient & Accurate Memory Architecture
Software Optimized Flow Distribution
Intel 82599 Chip for High Performance Switching
64-Bit Multi-Core Optimized L4-7 Processing & Security
12. 12
Blade Front View
• Management Interfaces:
• 1 x Console Port
• 1 x Ethernet Port
• 1 x USB Port
• 6 x 1GE Copper
• 2 x 1GE Fiber (SFP)
• 2 x 10GE Fiber (SFP+)
13. 13
Blade Rear view
• 4 x Hot-Swap Smart Fans
• 2 x Hot-Swap PSU
• 76W Max Consumption
• 80Plus Platinum Efficiency (90% Efficiency min)
• Power Switch
14. 14
A10 Feature Set
† Application Delivery & Acceleration
¿ Comprehensive IPv4/IPv6 Support
¿ Advanced Layer 4/Layer 7 Server Load Balancing
¿ HTTP Acceleration & Optimization
¿ aFleX – for customizable, application-aware switching
¿ Advanced Health Monitoring
¿ Spam Filter Support
¿ FWLB, GSLB, TCS, Link Load Balancing (LLB), Diameter AAA
Load Balancing, Database Load Balancing
† Security
¿ Web Application Firewall (WAF)
¿ Next-generation DDoS protection
¿ Application Access Management (AAM)
¿ DNS Application Firewall (DAF)
¿ SSL: SSL Intercept (SI), SSL Acceleration, SSL Session ID Reuse
¿ Connection Rate Limiting/Connection Limiting
† High Performance, Scalable Platform
† Management
¿ Industry-standard Command Line Interface
¿ Web-based Graphical User Interface (GUI) with Language
Localization
¿ REST-style XML API (aXAPI)
† Networking
¿ Integrated Layer 2/Layer 3
¿ Routing – Static Routes, IS-IS (v4/v6), OSPF v2/v3, BGP4+
¿ VLAN (802.1Q), Trunking (802.1AX), LACP
¿ Access Control Lists (ACLs)
¿ IPv4-->IPv4 NAT/NAPT & IPv6-->IPv6 NAPT
† IPv6 Migration/IPv4 Preservation
¿ Full native IPv6 management and feature support
¿ SLB-PT (Protocol Translation), SLB-64 (IPv4<->IPv6, IPv6<->IPv4)
† Virtualization
¿ aVCS (Virtual Chassis System)
¿ Multi-tenancy with Application Delivery Partitions (ADPs)
¿ NVGRE
¿ VXLAN
† Carrier-grade Hardware
¿ Advanced hardware architecture
¿ Smart Fans (hot swap)
¿ Hot swap Redundant Power Supplies (AC and DC)
¿ Solid-state drive (SSD)
¿ High Port Density
15. 15
A10 Licensing
† No extra licenses required for performance or features
† Each A10 is offered with full scalability and benefits
17. 17
ACOS Management Access
† CLI
¿ Console (RS-232 connection / 9600, 8, N, 1)
¿ Telnet (disabled by default)
¿ SSHv2
† Web
¿ HTTP (configurable ports - disabled by default)
¿ HTTPS (configurable ports)
† API
¿ aXAPI: a REST like API
† User Authentication
¿ CLI: Login ID/Password and Enable ID/Password
¿ Web: Admin roles (read-write / read-only)
¿ Modes: Local (default)/RADIUS/TACACS+/LDAP
18. 18
CLI: Privilege Levels
Official name: User EXEC Level
Common name: user
Prompt: >
Purpose:
• Monitor SLB & CGN, do backups, use simple diagnostic utilities
• From this level user cannot affect the functioning of the device or change configuration
Official name: Privileged EXEC Level
Common name: enable
Prompt: #
Purpose:
• (same as user) + Manage system but not SLB or CGN configuration
• Monitor system
Official name: Privileged EXEC Level - Config Mode
Common name: config
Prompt: (config)#
Purpose:
• (same as enable) + Configure SLB or CGN. Actions which could affect SLB or CGN configuration are also accessible only from here, like config restore
• Enable-level commands can be executed here by prepending them with “do”
20. 20
CLI: Help
† List options
¿ ACOS>show health monitor ?
WORD<length:1-31> Name
all-partitions All partition configurations
partition Per-partition configurations
| Output modifiers
† Option disambiguation
¿ ACOS>show ic?
icmp Display ICMP statistics
icmpv6 Display ICMPv6 statistics
† Tab completion
¿ ACOS>show rad<tab>
ACOS>show radius-server
21. 21
CLI: Usability
† Commands can be abbreviated
¿ #show run
° instead of:
¿ #show running-config
† Commands are case insensitive
¿ #show run
° equals:
¿ #SHOW RUN
† Defined Items are case sensitive
¿ #show slb server s1
° is not the same as:
¿ #show slb server S1
† Commands typed take effect immediately
† Show commands can be run within configuration mode as well
22. 22
CLI: Undo
† Commands are undone by prepending ‘no’
¿ ACOS(config)#ip nat pool nat1 10.0.2.15 10.0.2.16 netmask /24
ACOS(config)#show ip nat pool
Total IP NAT Pools: 1
Pool Name Start Address End Address Mask Gateway HA Group Vrid
nat1 10.0.2.15 10.0.2.16 /24 0.0.0.0 0 default
¿ ACOS(config)#no ip nat pool nat1
ACOS(config)#show ip nat pool
Total IP NAT Pools: 0
23. 23
CLI: Disabling Configuration Elements
† On configuration elements, ‘no enable’ has the same effect as command ‘disable’
¿ ACOS# show run | sec slb
slb server s1 10.0.2.18
¿ ACOS(config)#slb server s1
ACOS(config-real server)#no enable
¿ ACOS# show run | sec slb
slb server s1 10.0.2.18
disable
24. 24
CLI: Filtering Output (section & include)
† ACOS supports filtering by piping output to section and include
¿ section retrieves configuration elements containing regex
° ACOS#show run | sec slb
° slb server s1 10.0.2.18
port 80 tcp
slb service-group http tcp
member s1:80
¿ include retrieves lines containing regex
° ACOS#show run | inc slb
° slb server s1 10.0.2.18
slb service-group http tcp
25. 25
CLI: OR
† To use ‘|’ symbol as OR in inc or sec, escape it with ‘\’ with no spaces around it
° ACOS#show run | inc tacacs\|radius
° tacacs-server host 1.0.0.100 secret (encrypted_secret) port 49 timeout 12
radius-server host 1.0.0.100 secret (encrypted_secret)
26. 26
CLI: Exiting Current Level
† Exit command takes CLI one level down
¿ ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit
ACOS(config)#exit
ACOS#exit
ACOS>
† End command exits out of config
¿ ACOS(config-slb vserver-vport)#end
ACOS#exit
ACOS>
† Ctrl-C is a keyboard shortcut for exit in config mode, Ctrl-Z is a
shortcut for end
27. 27
CLI: Workflow
† With CLI, build your configuration from bottom up
¿ System (IP/VLAN/…etc.)
¿ Redundancy + clustering (VRRP-A/aVCS)
¿ Servers
¿ Service Groups
¿ NAT pools
¿ Templates
¿ Virtual server
¿ Virtual server port
† Then apply pre-configured elements on virtual server port (vPort)
¿ To use programming analogy, configuration elements are like functions. Those
functions have to be called from vPort before they take effect.
30. 30
CLI vs. WebUI
† CLI benefits
¿ Structured, enhances understanding
¿ Excellent for troubleshooting – can display multiple configuration items at the same
time
¿ Can be very fast with some familiarity
† WebUI benefits
¿ Flexible workflow
¿ Easy admin role definition
¿ Familiar interface
¿ Excellent for monitoring – graphical display
31. 31
aXAPI Architecture
Admin Authentication
The aXAPI uses the same admin authentication resources as those
configured for CLI and GUI access. For example, if the A10 device is
configured to use RADIUS first to authenticate admins, RADIUS will be
used first when authenticating an admin for an aXAPI session.
Session ID
The first request from the third-party application sends the authentication
method along with a valid A10 admin username and password. If the
username and password are valid, the A10 device replies with a session
ID. The third-party application must present the session ID with all future
requests during that session. The session ID is valid until the third-party
application sends a session close request or the session times out.
Encoding
The aXAPI expects all data to be UTF-8 encoded, and it checks for valid
UTF-8 sequences. If an invalid sequence is found, the aXAPI assumes
that the data is ISO-8859-1 encoded and converts it to UTF-8. The aXAPI
discards data that is sent in any other format.
† aXAPI uses a REST like request/response model to exchange data over HTTPS
32. 32
aXAPI Request Format – Header
The request header is a URL in the following format:
https://<AX-IPaddr:port>/services/rest/<aXAPI Version>/?session_id=<session ID>&method=<aXAPI method name>&format=<data format>
Example:
https://192.168.2.2/services/rest/V2/?session_id=308528f465597c7be6631533c4c315&method=system.time.get
† <AX-IPaddr:port>: Host name or IP address of the A10 device (IPv4 or IPv6), & the HTTPS service port on A10 device. By default, the port number is 443 for HTTPS, and can be omitted.
† <aXAPI Version>: The aXAPI version to be used.
† <session ID>: The string returned by the authentication method. For the authentication method, omit the following parameter (&session_id=<session id>), since you may not have the session ID at that time.
† <aXAPI method name>: The aXAPI method to be invoked. The aXAPI is organized according to a series of methods and their corresponding data structure.
† <data format>: The data format you wish to use in the aXAPI request and response. aXAPI has the following formats:
• url: (default) url-based data for requests and XML-based data for responses
• json*: json-based data for both requests and responses
• xml: (not currently supported) XML-based data for both requests and responses
You can leave the data format field empty when using the ‘default’ data format (xml)
• A properly formatted request to the aXAPI is a URI
request header and a request body.
• The request body can be a URI-based or JSON*-based
data structure.
• The request can be sent as an HTTP or HTTPS GET or
POST action.
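The request format, session ID handling and encoding rule from the two aXAPI slides above, as an added Python example (not A10 code and not part of the original slides). The `authenticate` method name with `username`/`password` parameters, the `REDACTED` marker and all function names are assumptions; the slides themselves show only `system.time.get`.

```python
# Added example, not A10 code. Models three rules stated on the aXAPI slides:
# the request URL layout, the session ID carried in the query string, and
# the UTF-8 / ISO-8859-1 handling of request data.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_PARAMS = {"session_id", "password"}  # values that must not reach logs


def build_request_url(host, method, session_id=None, fmt=None,
                      version="V2", port=443, **params):
    """Build a request URL in the layout shown on the slide.

    session_id is left out when None (the authentication call), format is
    left out when empty (default data format), and port 443 is omitted.
    """
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"                    # IPv6 literals need brackets
    netloc = host if port == 443 else f"{host}:{port}"
    query = []
    if session_id is not None:
        query.append(("session_id", session_id))
    query.append(("method", method))
    if fmt:
        query.append(("format", fmt))
    query.extend(params.items())
    # urlencode percent-encodes every value from its UTF-8 bytes
    return (f"https://{netloc}/services/rest/{version}/?"
            + urlencode(query, encoding="utf-8"))


def redact_url(url):
    """Mask session IDs and passwords before a request URL is written to a log.

    The session ID travels in the query string, so proxy logs, shell history
    and client debug output would otherwise hold a usable session token.
    """
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def normalize_to_utf8(data: bytes) -> bytes:
    """Model of the slide's encoding rule (the device's validator may differ).

    Valid UTF-8 passes through; anything else is treated as ISO-8859-1 and
    converted. ISO-8859-1 input that happens to be valid UTF-8 is therefore
    read as UTF-8, so a client should always send UTF-8.
    """
    try:
        data.decode("utf-8")
        return data
    except UnicodeDecodeError:
        return data.decode("iso-8859-1").encode("utf-8")


if __name__ == "__main__":
    url = build_request_url("192.168.2.2", "system.time.get",
                            session_id="308528f465597c7be6631533c4c315")
    print(redact_url(url))
    print(normalize_to_utf8(b"caf\xe9"))      # ISO-8859-1 input, converted
```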
33. 33
Named configuration profiles
† Benefits of named profiles
¿ Maintain multiple configurations
¿ Link startup configuration per partition to a named profile
¿ Copy and edit profiles without disrupting normal operations
¿ Maintain single configuration for both physical partitions
† Create new profile
¿ ACOS#write memory <new_profile>
ACOS(config)#copy <existing_profile> <new_profile>
† See all profiles
¿ ACOS#show startup-config all
† Link startup config to profile
¿ ACOS(config)#link startup-config <profile_name> [primary|secondary]
34. 34
ACOS System Backup & Restore
† ACOS full system backup
¿ WebUI: Config > System > Maintenance > Backup > System
¿ CLI: ACOS(config)#backup system […]
† ACOS full system restore
¿ WebUI: Config > System > Maintenance > Restore > System
¿ CLI: ACOS(config)#restore […]
† Note: Supported upload protocols: FTP, SFTP, SCP, RCP, TFTP, and
HTTPS (via WebUI)
35. 35
ACOS Software Location
† ACOS software is stored on
¿ Two disk partitions: primary and secondary
° Second partition is designed for easy software rollback
¿ Two Compact Flash partitions: primary and secondary
° CF is designed for emergency recovery
† Note: Each storage location has its own software and A10
configuration
36. 36
ACOS Software Upgrade Options
† Check the ACOS running partition
¿ WebUI: Monitor > Overview > Summary > System Information
¿ CLI: ACOS# show bootimage
† Upgrade A10 device’s other partition
¿ WebUI: Configuration > System > Maintenance > Upgrade
¿ CLI: ACOS(config)# upgrade […]
† Copy running configuration to the other partition or link existing profile to it
¿ ACOS# write memory [primary|secondary]
¿ ACOS(config)# link startup-config <profile_name> [primary|secondary]
† Set boot source to the other partition
¿ WebUI: Configuration > System > Settings > Boot
¿ CLI: ACOS(config)# bootimage hd [primary|secondary]
37. 37
A10 Initial Deployment & Configuration
1) Initial Configuration
• Rack
• Power
• Cooling
• Cabling
• Connect Console
• Assign Management IP Address
• Software Update
• Management Tasks
• Users
• Syslog
• SNMP
• VLANS
• VE Interfaces
• IP Addresses
• Routing
• Static
• Protocols
2) Application Load Balancing
• Servers
• Server Ports
• Health Checks
• Match Application
• Service Groups
• TCP/UDP
• LB Algorithm
• Server Members
• Health Checks
• Virtual IP (VIP)
• Application Ports
• Service Groups
• NAT (Optional)
• SSL
• Templates
3) Advanced Load Balancing
• Scripts
• Customer Health checks
• Content Inspection
• Modify traffic Content
• GSLB Configuration
• Rate Limiting
• Security Features
• HTTP Compression
• RAM Caching
• API Programming
38. 38
ACOS Initial Configuration
† First Step configuration
¿ Connect to the A10 console (9600 baud - 8 bits – no parity - 1 stop bit)
° Default user/password: admin/a10
° Management IP address: 172.31.31.31 /24
° SSH Enabled (telnet disabled)
° HTTP redirected to HTTPS
° All Data Ports Disabled
¿ Configure the management interface and its default gateway
° Finish the A10 configuration via CLI (SSH) or WebUI (HTTPS)
² Configure Production interfaces (vlan, Ethernet/ve interfaces)
² Enable production interfaces
² (optional) Configure routing (static/dynamic)
² (optional) Configure specific management rights
² Configure Servers / Service Groups / Virtual Servers / etc.
39. 39
ACOS Initial Configuration - Example
AX#
AX#conf t
AX(config)#interface management
AX(config-if:management)#ip address 192.168.2.2 /24
AX(config-if:management)#ip default-gateway 192.168.2.1
AX(config-if:management)#end
AX#wr mem
Building configuration...
Write configuration to default startup-config
[OK]
AX#
40. 40
Sample ACOS L2/3 Configuration
vlan 11
tagged ethernet 1
router-interface ve 11
vlan 12
tagged ethernet 1
router-interface ve 12
interface ethernet 1
enable
interface ve 11
ip address 100.0.1.11 255.255.255.0
interface ve 12
ip address 100.0.0.11 255.255.255.0
42. 42
Server Load Balancing (SLB)
† Share load among multiple servers (load balancing)
† Provide high availability of services
43. 43
Server Load Balancing
† ACOS SLB configuration has three core elements
¿ Servers
¿ Service Groups
¿ Virtual Servers (VIPs)
[Diagram: two servers, each offering Web, DNS and SMTP; VIP; Service Group - Web]
44. 44
SLB: Server
† Minimum configuration
¿ Name
¿ IP address (can use DNS name)
¿ Ports
† Server configuration
¿ WebUI: Config > SLB > Service > Server
¿ CLI: Thunder(config)# slb server <name> […]
† Server status and statistics
¿ WebUI: Monitor > Service > SLB > Server
¿ CLI: Thunder# show slb server […]
Sample Configuration
slb server S1 100.0.0.201
port 80 tcp
slb server S2 100.0.0.202
port 80 tcp
45. 45
SLB: Service Group
† Minimum configuration
¿ Name
¿ Type (TCP/UDP)
¿ LB Algorithm
¿ At least one Server/Port
† Service Group status and statistics
¿ WebUI: Monitor > SLB > Service > Service Group
¿ CLI: Thunder# show slb service-group […]
Sample Configuration
slb service-group http1 tcp
member S1:80
member S2:80
46. 46
Load Balancing Algorithms
† Service group – load balancing algorithms
¿ Round Robin
¿ Least Connection
¿ Service Least Connection
¿ Weighted Round Robin
¿ Weighted Least Connection
¿ Service Weighted Least
Connection
¿ Fastest Response Time
¿ Least Request
¿ Round Robin Strict
¿ Stateless
¿ And more…..
47. 47
SLB: Virtual Server
† Minimum configuration
¿ Name
¿ IP address (accessed by end users)
¿ Virtual server ports (usually)
¿ Service Groups
† Virtual Server status and statistics
¿ WebUI: Monitor > SLB > Service > Virtual Server
¿ CLI: Thunder# show slb virtual-server […]
Sample Configuration
slb virtual-server "VIP1" 100.0.0.10
port 80 http
service-group http1
48. 48
Source IP Persistence
† When to use Source IP Persistence?
¿ Source IP persistence must be used when clients must have their future
connections/traffic terminated on the same server
Connection 1
Connection 2
49. 49
Source IP Persistence Template
† Create Source IP Persistence Template
¿ Name Type
° Port (persistence per VIP:Port)
° Server (persistence per VIP)
° Service-Group (persistence per URL or Host)
¿ Timeout: How long inactive entries are saved (default = 5 minutes)
¿ Don't Honor Conn Rules: Ignore connection limits defined on Servers and Server Ports
and connect new clients' connections to the Server (default = disabled)
¿ Netmask: Granularity of Client IP address hashing (default = 255.255.255.255 for the
most granularity)
† Assign the Source IP Persistence Template to the Virtual Server
Port
Sample Configuration
slb template persist source-ip srcip
50. 50
SLB Source NAT
† Create IP Source NAT Pool
¿ Name
° Name of the template
° Start IP address (can be the ACOS interface IP)
° End IP address (can be the same as Start IP)
Note: If the "Start" and "End IP address" are the same, the ACOS will NAT with one unique IP address
and can NAT up to 64k flows
¿ Netmask (used by "IP Source NAT – Group" when servers are on different subnets)
¿ (optional) Gateway: Specify a gateway to use to reply to the clients' requests
¿ (optional) "HA Group": Specify the HA group to tie to the SLB source NAT pool
† Assign the SLB Source NAT Pool to the Virtual Server Port
Sample Configuration
ip nat pool sNAT1 100.0.0.50 100.0.0.50 netmask /24
51. 51
Health-checks
† Service availability is checked using health monitors (HMs)
† Health monitors can be applied to
¿ Server
¿ Server:Port
¿ Service Group
† Health monitors can test server availability
¿ On Layer 3: ping (ICMP)
¿ On Layer 4: TCP, UDP
¿ On Layer 7 (application):
HTTP, HTTPS, FTP, SMTP, POP3, DNS, RADIUS, LDAP, RTSP, NTP, SIP
¿ Via manually created scripts
† Multiple L3/L4/L7 tests can also be combined in a Boolean expression (and/or/not)
Sample Configuration
health monitor http-hm
method http
52. 52
Applying a Health Monitor
† Physical server health monitor
¿ If HM fails, that server is considered down and service groups configured with that specific
server stop using it for load balancing
Note: Default Server HM type is ICMP
† Physical server port health monitoring
¿ If HM fails, that server port is considered down and service groups configured with that
specific Server:Port stop using it for load balancing
Note: Default TCP server port HM type is TCP handshake
† Service group health monitor
¿ If HM fails for a specific member, the service group stops using this member for load
balancing
Note: By default, no HM is configured on Service Group
53. 53
Sample ACOS SLB Configuration
ip nat pool sNAT1 100.0.0.50 100.0.0.50 netmask /24
health monitor http-hm
method http
slb server S1 100.0.0.201
port 80 tcp
slb server S2 100.0.0.202
port 80 tcp
slb service-group http1 tcp
health-check http-hm
member S1:80
member S2:80
slb template persist source-ip srcip
slb virtual-server "VIP1" 100.0.0.10
port 80 http
service-group http1
source-nat pool sNAT1
template persist source-ip srcip
54. 54
Topology: One-Armed L2 (Switched) Mode
100.0.0.0/24
200.0.0.1
VIP = 100.0.0.10
SNAT = 100.0.0.50
100.0.0.0/24
100.0.0.[100-200]
Source IP Dest IP
200.0.0.1 100.0.0.10
Source IP Dest IP
100.0.0.50 100.0.0.101
Source IP Dest IP
100.0.0.10 200.0.0.1
Source IP Dest IP
100.0.0.101 100.0.0.50
55. 55
Topology: One-Armed L2 (Switched) Mode
† Benefits:
¿ No change required on clients
or servers
¿ Easy to test
¿ Clients can be in servers’
subnet
† Points to keep in mind:
¿ Servers lose Client IP visibility (can
be partly remedied by IP header
insertion in HTTP/TCP)
¿ Requires Source NAT on SLB if the
servers don’t point to the A10 for
their default gateway.
100.0.0.0/24
200.0.0.1
VIP = 100.0.0.10
SNAT = 100.0.0.50
100.0.0.0/24
100.0.0.[100-200]
56. 56
Topology: L3 (Routed) Mode with SNAT
Source IP Dest IP
200.0.0.1 100.0.0.10
Source IP Dest IP
100.0.1.50 100.0.1.101
Source IP Dest IP
100.0.0.10 200.0.0.1
Source IP Dest IP
100.0.1.101 100.0.1.50
100.0.0.0/24
200.0.0.1
VIP = 100.0.0.10
SNAT = 100.0.1.50
100.0.1.0/24
100.0.1.[100-200]
57. 57
Topology: L3 (Routed) Mode with SNAT
100.0.0.0/24
200.0.0.1
VIP = 100.0.0.10
SNAT = 100.0.1.50
100.0.1.0/24
100.0.1.[100-200]
† Benefits:
¿ No change required on clients or
servers
¿ Easy to test
† Points to keep in mind:
¿ Servers lose Client IP visibility
(can be partly remedied by IP
header insertion in HTTP/TCP)
¿ Requires Source NAT (SNAT) on
SLB
58. 58
Topology: L3 (Routed) Mode without SNAT
Source IP Dest IP
200.0.0.1 100.0.0.10
Source IP Dest IP
200.0.0.1 100.0.1.101
Source IP Dest IP
100.0.0.10 200.0.0.1
Source IP Dest IP
100.0.1.101 200.0.0.1
100.0.0.0/24
200.0.0.1
VIP = 100.0.0.10
100.0.1.0/24
100.0.1.[100-200]
59. 59
Topology: L3 (Routed) Mode without SNAT
† Benefits:
¿ No change required on clients
¿ Provides additional layer of security
† Points to keep in mind:
¿ Configure SLB as default gateway
on servers
100.0.0.0/24
200.0.0.1
VIP = 100.0.0.10
100.0.1.0/24
100.0.1.[100-200]
60. 60
Topology: Direct Server Return (DSR) Mode
Source IP Dest IP
200.0.0.1 100.0.0.10
Source IP Dest IP
200.0.0.1 100.0.0.10
Source IP Dest IP
100.0.0.10 200.0.0.1
100.0.0.0/24
200.0.0.1
VIP = 100.0.0.10
Loopback IP = VIP = 100.0.0.10
100.0.0.0/24
100.0.0.[100-200]
61. 61
Topology: Direct Server Return (DSR) Mode
† Benefits:
¿ Highly scalable (SLB processes
only incoming traffic)
† Points to keep in mind:
¿ Can’t use any Layer 7 features
(aFleX can still be applied at virtual
port level)
¿ Configure VIP IP as loopback on
servers
100.0.0.0/24
200.0.0.1
VIP = 100.0.0.10
Loopback IP = VIP = 100.0.0.10
100.0.0.0/24
100.0.0.[100-200]
63. 63
VRRP-A
† VRRP-A (Virtual Router Redundancy Protocol) provides redundancy for up to
8 devices or L3V partitions
† Assigns Virtual MAC address for each VRID
¿ VRRP-A assigns a virtual MAC address to each VRID with the format 021f.a000.nnnn. The last 2
bytes of the address (nnnn) indicate the partition ID, set-id, and VRID.
† While server/application failure is covered by Health Monitors, VRRP-A
covers A10 device or network Element or Link failures
† VRRP-A supports arbitrary N+M deployments where N is the number of
active, and M is the number of standby devices
† VRRP-A was introduced in release 2.6 to replace Legacy HA
¿ Legacy HA is still supported for backwards compatibility but can't run in parallel with VRRP-A
64. 64
VRRP-A: Selection of Active VRRP-A device
[Flowchart: node and branch labels, in extracted order]
Devices boot
Preemption disabled OR priorities equal?
Device with lowest ID is elected active
Device with highest priority is elected active
Yes / No
Weights equal?
Yes / No
Device with highest weight is elected active
65. 65
VRRP-A: Design Options
† Active-Standby mode
¿ 1 Active A10 and 2 or more Passive AXs
AX1
AX2
AX3
AX1: Standby#1 for all VIPs
AX2: Active for all VIPs
AX3: Standby#2 for all VIPs
66. 66
VRRP-A: Design Options (cont.)
N+1 deployment N+M deployment
Note: N+M deployments means M boxes standby for higher availability
† Active-Active mode: All AXs are active for some services (VIPs)
AX1: Active for VIPs-Group1
AX2: Active for VIPs-Group2
AX3: Standby#1 for VIPs-Group1
Standby#1 for VIPs-Group2
AX1
AX2
AX3
AX1: Active for VIPs-Group1
Standby#1 for VIPs-Group2
Standby#1 for VIPs-Group3
AX2: Active for VIPs-Group2
Standby#1 for VIPs-Group1
Standby#1 for VIPs-Group3
AX3: Active for VIPs-Group3
Standby#1 for VIPs-Group1
Standby#1 for VIPs-Group2
AX1
AX2
AX3
67. 67
VRRP-A: Active–Standby Mode
† Active-Standby Mode
¿ Active A10 processes all production traffic
¿ Standby A10 does not process any production traffic
¿ Standby A10 mirrors all session information from Active AX
° In case of "N Standby" deployments, only the primary
standby mirrors the sessions
¿ One VRID (default) is sufficient to implement Active-Standby
¿ Reliability is scaled but not performance
Active Standby
VIPs
Floating IP
SNAT IP
VIPs
Floating IP
SNAT IP
68. 68
VRRP-A: Active–Standby Failover
† Active-Standby Failover
¿ Peer A10 elected as active
¿ Gratuitous ARPs for virtual, floating and NAT IPs are
sent
¿ Existing mirrored sessions are picked up by newly
elected active AX
¿ New sessions are served by newly elected active AX
¿ In case of "N Standby" deployments, the secondary
standby becomes primary standby and mirrors the active
sessions from the new Active AX
Failed New Active
VIPs
Floating IP
SNAT IP
VIPs
Floating IP
SNAT IP
69. 69
VRRP-A: Active–Standby Configuration
† VRRP-A Active–Standby Mode – configuration steps
1. Configure VRRP-A Set ID
¿ The Set ID is a unique identifier for all participating devices. All devices must be in
the same layer 2 broadcast domain
¿ AX(config)# vrrp-a set-id 1
Note: Each VRRP-A/aVCS cluster in an L2 domain must have a unique set-id
2. Configure VRRP-A Device ID
¿ The Device ID is a unique device identifier within the VRRP-A set
¿ AX(config)# vrrp-a device-id (AX1 = 1, AX2 = 2, etc)
3. Enable VRRP-A
¿ AX(config)# vrrp-a enable
70. 70
VRRP-A: Active–Standby Configuration (cont.)
4. Configure VRRP-A group options (called VRID)
¿ All functional resources not explicitly assigned to user-created VRIDs are
automatically assigned to default VRID
¿ Default VRID number is 0. That number cannot be used to create a custom VRID
¿ Recommended settings:
° Floating IP (VRRP IP Address used as gateway by servers/routers)
¿ Optional settings: (Recommended values in "italic")
° Preempt ("enabled", default = enabled)
° Preempt Delay ("vrrp-a preemption-delay 60")
° Priority ("AX-Active=200 / AX-Standby=199", default = 150)
° Tracking
² Gateway ("default gateway IP Address", no default)
² Interface ("production interfaces", no default)
¿ Deployment scenarios with more than one active device require at least as many
VRIDs as active devices (including default)
¿ AX(config)# vrrp-a vrid default
AX(config-vrid-default)# …
71. 71
VRRP-A: Active–Standby Configuration (cont.)
5. Configure VRRP-A settings for VIPs
¿ No Configuration is required if using VRID default
¿ Optional settings
° Enable HA Connection Mirroring on the VIP ports: To synchronize SLB session table (available for
TCP, UDP, RTSP, FTP, MMS and SIP VIP types)
Note: For HTTP/HTTPS VIP types, the client session is terminated on the A10 device. HA Connection
Mirroring is not available for these VIP types.
° AX(config)# slb virtual-server <name>
AX(config-slb vserver)# port <#> tcp
AX(config-slb vserver-vport)# ha-conn-mirror
¿ Optional settings – Not recommended
° Enable Dynamic Server Weight: Reduce the A10 VRRP-A priority when a server is down
73. 73
VRRP-A: Active–Active Mode
† Active-Active Mode
¿ All A10 units process the production traffic
¿ Sessions and state information are
mirrored between Active & peer units for
each Group-ID
¿ Performance is scaled in addition to reliability
Active Active
VIPs – Group1
Floating IP – Group1
SNAT IP – Group1
VIPs – Group1
Floating IP – Group1
SNAT IP – Group1
VIPs – Group2
Floating IP – Group2
SNAT IP – Group2
VIPs – Group2
Floating IP – Group2
SNAT IP – Group2
74. 74
VRRP-A: Active–Active Failover
† Active-Active Failover
¿ Peer A10 is elected active for VIPs-group 2 and sends
gratuitous ARPs for virtual IPs, floating IPs, and NAT
IPs
¿ Existing mirrored sessions are picked up by peer AX
¿ Peer A10 serves requests for both VIPs groups
¿ In case of "N Standby" deployments, the secondary
standby becomes primary standby and mirrors the
active sessions from the new Active AX
Failed Active
VIPs – Group1+2
Floating IP – Group1+2
SNAT IP – Group1+2
VIPs – Group1+2
Floating IP – Group1+2
SNAT IP – Group1+2
75. 75
VRRP-A: Active–Active Configuration
† VRRP-A Active-Active Mode – configuration steps
1. Configure VRRP-A
° Same as Active/Standby
2. Configure VRRP-A group options (called VRID)
° Same as Active/Standby (configured for each VRRP-A VRID)
° Requires a unique VRID for each Group-ID
3. Configure VRRP VRID for SLB-VIPs + NAT
° Associate the SLB-VIPs + NAT with a VRID
Note: By default the SLB-VIPs + NAT are in the default VRID
79. 79
aVCS
† aVCS (Virtual Chassis System) is a centralized configuration management layer
† aVCS can be combined with VRRP-A or legacy HA
† Combined with redundancy, aVCS facilitates clustering of ACOS devices
[Diagram labels]
vMaster
vBlade
vBlade
vBlade
aVCS
VRRP-A
Virtual Chassis
80. 80
aVCS: Benefits
† Centralized point (single IP) for management of all aVCS devices
¿ L4/7 configuration changes are automatically propagated to all devices
¿ L2/3 device configuration can be performed using device-specific ID
° A1-Active-vMaster[1/1](config)#vlan 2/300
A1-Active-vMaster[1/1](config-vlan:2/300)#tagged ethernet 3
OR
° A1-Active-vMaster[1/1](config)#router device-context 2
All the following router configuration will go to device 2
A1-Active-vMaster[1/1](config)#router ospf 1
† Adding new devices to aVCS chassis is largely automated
¿ vMaster checks and upgrades vBlade if necessary
¿ vMaster pushes configuration to vBlade
81. 81
aVCS: Requirements
† Topology
¿ aVCS uses Link Local UDP multicast for heartbeat messages
¿ Heartbeat messages are sent via multicast to all vBlades
° Multicast IP: 224.0.0.210
° UDP Port: 41217
¿ vMaster transfers data to vBlades (configuration, status, image files) via Unicast TCP
¿ Interfaces selected for aVCS need to be in the same layer 2 broadcast domain
† Software and hardware
¿ Devices should be the same model number and hardware and capable of running the
same version of ACOS
82. 82
aVCS: vMaster and vBlade
† vMaster
¿ All configuration is performed from here
¿ vMaster uses floating IP, so admin always logs in to the same management IP -- even
after failover
† vBlade
¿ Device which acts as a blade in a virtual chassis
¿ Config privilege level is disabled
¿ vBlade can become vMaster when the device hosting the latter loses connectivity or
admin forces vMaster takeover
83. 83
aVCS: Device ID and Chassis ID
† Device ID
¿ Unique device identifier within the virtual chassis. It can be set using vrrp-a command
° A1(config)#vrrp-a device-id 1
† Chassis ID
¿ Unique chassis identifier. It can be set using vrrp-a command
° A1(config)#vrrp-a set-id 1
86. 86
aVCS: Configuration
† Device 1
¿ vrrp-a device-id 1
vrrp-a set-id 1
vcs enable
vcs floating-ip <ip_add> /<netmask>
vcs device 1
interface <interface_id>
interface <interface_id>
enable
vcs reload
Note: You must issue a ‘vcs reload’ after each aVCS configuration change.
Note: Use ‘vcs reload disable-merge’ for un-configured device (RMA)
Note: You should configure more than one aVCS interface for redundancy
† Device n
¿ vrrp-a device-id n
vrrp-a set-id 1
vcs enable
vcs device n
interface <interface_id>
interface <interface_id>
enable
vcs reload
87. 87
aVCS: Troubleshooting
† aVCS summary and status
¿ A1-Active-vMaster[1/1]#show vcs summary
† aVCS statistics
¿ A1-Active-vMaster[1/1]#show vcs stat
° (over 100 lines of output per device in the chassis)
† Check vcs running config
¿ A1-Active-vMaster[1/1]#show run | sec vcs
† Check ACOS versions
¿ A1#show bootimage
¿ A1#show version
88. 88
aVCS: Best practices
† Configure aVCS before VRRP-A
† Set up redundant aVCS paths (data ports/trunk and management
port)
† Use vcs vMaster-maintenance <seconds> mode when making config changes on production networks in order to preserve integrity of the original configuration during maintenance
† Set vcs failure-retry-count -1 to prevent aVCS timeouts
† Use staggered upgrade to install new ACOS on devices in an aVCS
chassis
90. 90
A10 Troubleshooting – Bottom Up Approach
† Basic Network – L1 / L2 / L3
¿ L1; power, cabling, system core, logs
¿ L2/3: ping / traceroute / interface status / routing
† Server Status
¿ Health Checks,
¿ Server/Service-group status
† TCP / UDP - L4
¿ SYN/SYN ACKs
¿ Ports Available / NAT
† HTTP ( HTTPS ) - L7
¿ aFleX ?
¿ Rewrite Rules / Redirection / Response Codes
¿ Compression / Caching?
† Sessions / Persistence L4/7
¿ Cookies / Source IP / Ports / LB Metric?
† Performance
¿ CPS / L4-7 / SSL
¿ Total Connections established
91. 91
Log
† ACOS logs many informational, warning, and error messages. show log is the first place to check when experiencing issues.
¿ Port/Interface up/down messages
¿ L2 loop detection warnings
¿ Unicast/Multicast/Broadcast packet limit warnings
¿ MAC address movement warnings
¿ Duplicate IP warnings
¿ Server & service port up/down messages
¿ Application-specific error messages: SLB, PBSLB, HTTP, HA, AFLEX, […]
† Monitoring
¿ WebUI: Monitor > System > Logging > Logging
¿ CLI: ACOS# show log [ | inc <reg_ex> ]
92. 92
Audit Log
† ACOS logs administrative actions with username, date, and time
stamp. It also logs new administrative sessions.
¿ Example
Sep 30 2013 12:21:04 [admin] web: add Source IP Persistence template [pers1] successfully.
Sep 30 2013 11:41:54 [admin] cli: vcs device-context device 2
Sep 30 2013 12:29:28 A web session[1] opened, username: admin, remote host: 10.254.102.12
† Monitoring
¿ WebUI: Monitor > System > Logging > Audit
¿ CLI: ACOS# show audit [ | inc <reg_ex> ]
93. 93
Examining running config
† Examine running config with the following tools
¿ ACOS# show run [ | sec ^[0-z] ]
↑ the optional element at the end of this command strips blank lines from the output
¿ ACOS# show run | sec <config_element>
¿ ACOS# show run slb […]
↑ statistics for each configuration element
¿ ACOS# show ha [config]
¿ ACOS# show vrrp-a [ config | detail ]
¿ ACOS# show vcs [ summary | message-buffer ]
94. 94
Correlating log to audit log
† Use built-in include and section utilities to find corresponding lines
in log, audit log, and running config
¿ Thunder# show log
:45 Warning [ACOS]:Duplicated IP 10.0.1.1 MAC 000c.2976.5904 from Port 1 VLAN 3 detected
¿ ThunderX# show audit | inc
° Sep 24 2013 09:56:46 [admin] cli: port 80 http
Sep 24 2013 09:56:28 [admin] cli: slb virtual-server vip1 10.0.1.1
¿ ThunderX(config)# show run | sec 10.0.1.1
° ip route 0.0.0.0 /0 10.0.1.1
slb virtual-server vip1 10.0.1.1
port 80 http
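The correlation on this slide, done offline on exported log and audit text: this is an added example, not part of the original deck or A10's tooling. The sample lines are constructed in the formats shown on the slides, and the 60-second follow-up window and the `oper` user are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed samples in the line formats shown on the slides ("oper" and the
# 10.0.1.10 server are invented; ":45" is the page's truncated log timestamp).
LOG = ":45 Warning [ACOS]:Duplicated IP 10.0.1.1 MAC 000c.2976.5904 from Port 1 VLAN 3 detected"
AUDIT = """\
Sep 24 2013 09:20:11 A web session[1] opened, username: admin, remote host: 10.254.102.12
Sep 24 2013 09:30:00 [admin] cli: slb server s1 10.0.1.10
Sep 24 2013 09:56:28 [admin] cli: slb virtual-server vip1 10.0.1.1
Sep 24 2013 09:56:46 [admin] cli: port 80 http
Sep 24 2013 10:30:00 [oper] cli: ip route 0.0.0.0 /0 10.0.1.1
"""

DUP_IP = re.compile(r"Duplicated IP (\S+) MAC (\S+) from Port (\d+) VLAN (\d+)")
ACTION = re.compile(r"^(\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) \[([^\]]+)\] (\w+): (.*)$")


def parse_audit(text):
    """Return sorted (time, user, channel, command) tuples for admin actions.
    Session open lines carry no [user] field and are skipped."""
    actions = []
    for line in text.splitlines():
        m = ACTION.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
            actions.append((when, m.group(2), m.group(3), m.group(4)))
    return sorted(actions)


def correlate(log_line, audit_text, window=timedelta(seconds=60)):
    """Return (ip, hits): audit actions naming the duplicated IP ("direct") and
    commands the same admin typed within `window` afterwards ("follow-up")."""
    m = DUP_IP.search(log_line)
    if not m:
        return None, []
    ip = m.group(1)
    # Anchor the match: an unescaped "10.0.1.1" pattern also hits 10.0.1.10.
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    actions = parse_audit(audit_text)
    hits = []
    for i, (when, user, chan, cmd) in enumerate(actions):
        if not ip_re.search(cmd):
            continue
        hits.append((when, user, cmd, "direct"))
        for when2, user2, _, cmd2 in actions[i + 1:]:
            if when2 - when > window:
                break
            if user2 == user and not ip_re.search(cmd2):
                hits.append((when2, user2, cmd2, "follow-up"))
    return ip, hits
```

The follow-up pass recovers sub-mode commands such as `port 80 http`, which do not repeat the IP address and so are missed by a plain `| inc` on the address.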
95. 95
Server Health Check
† Display health check statistics
ACOS# show health stat
[long list of statistics]
IP address   Port  Health monitor  Status  Cause(Up/Down)  Retry  PIN
10.0.2.18          default         UP      11 /0 @0        0      0 /0 0
10.0.2.19    80    default         UP      20 /0 @0        0      0 /0 0
10.0.2.18    80    web             UP      10 /0 @0        0      0 /0 0
10.0.2.19    80    web             UP      10 /0 @0        0      0 /0 0
(see CLI Reference manual for codes)
† Show running health monitors
ACOS#show health monitor
Idle = Not used by any server
In use = Used by server
Monitor Name  Interval  Retries  Timeout  Up-Retries  Method  Status
ping          5         3        5        1           ICMP    In use
web           5         3        5        1           HTTP    In use
96. 96
† axdebug
¿ Captured files are in pcap format (Wireshark / tcpdump)
¿ Able to see every detail of the packets the A10 receives & sends
† axdebug is session based
¿ If one packet matches filter, dump all the following packets in the same session
[Figure: axdebug capture point with Packet 1 and Packet 2]
Src: 200.0.0.1 Dst: 100.0.0.10
Src Port: 35525 Dst Port: 80
Src: 100.0.0.100 Dst: 100.0.0.201
Src Port: 35525 Dst Port: 80
Client: 200.0.0.1
AX-VIP: 100.0.0.10
NAT Pool: 100.0.0.100
Server: 100.0.0.201
97. 97
axdebug filters
† Build filters to fine tune your capture
¿ Multiple conditions within a filter are ANDed, multiple filters are ORed.
† axdebug example
¿ ACOS# axdebug
ACOS(axdebug)# count 3000
ACOS(axdebug)# filter 1
ACOS(axdebug-filter:1)# ip 1.2.3.4 /32
ACOS(axdebug-filter:1)# exit
ACOS(axdebug)# capture save <file_name>
¿ NOTE: Use caution when printing output to the screen on a production system. Limiting the count number is good practice.
† Stop axdebug trace
¿ ACOS# no axdebug
† Export axdebug trace
¿ ACOS# export axdebug <filename> [use-mgmt-port] <destination>
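A small model of the capture semantics described on the two axdebug slides (conditions ANDed inside a filter, filters ORed, session-based dumping, packet count limit): this is an added example, not A10 code. The packet list is constructed from the addresses on the axdebug slide, and the `sess` field, the condition names `ip` and `port`, and the destination-port-only match are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed packets: the client side (client -> VIP) and the server side
# (NAT pool -> server) of a connection share one session id ("sess").
PACKETS = [
    {"sess": 1, "src": "200.0.0.1",   "dst": "100.0.0.10",  "dport": 80},
    {"sess": 1, "src": "100.0.0.100", "dst": "100.0.0.201", "dport": 80},
    {"sess": 2, "src": "200.0.0.7",   "dst": "100.0.0.10",  "dport": 443},
    {"sess": 2, "src": "100.0.0.100", "dst": "100.0.0.202", "dport": 443},
    {"sess": 1, "src": "100.0.0.201", "dst": "100.0.0.100", "dport": 35525},
]


def cond_ok(name, want, pkt):
    """Evaluate one filter condition against one packet."""
    if name == "ip":      # either endpoint inside the prefix
        net = ip_network(want)
        return ip_address(pkt["src"]) in net or ip_address(pkt["dst"]) in net
    if name == "port":    # simplified: destination port only
        return pkt["dport"] == want
    raise ValueError(f"unknown condition: {name}")


def capture(packets, filters, count):
    """filters is a list of dicts. Conditions inside one dict are ANDed and the
    dicts are ORed. Once a packet matches, every later packet of that session
    is captured too, until `count` packets have been saved."""
    tracked, saved = set(), []
    for pkt in packets:
        if len(saved) >= count:
            break
        if any(all(cond_ok(k, v, pkt) for k, v in f.items()) for f in filters):
            tracked.add(pkt["sess"])
        if pkt["sess"] in tracked:
            saved.append(pkt)
    return saved
```

A filter on the client address alone also saves the source-NATed server-side packets of that session, so the exported pcap holds backend addresses and payloads and should be handled accordingly.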
98. 98
Session Filtering
† Fine-tune session monitoring by using filters
¿ ACOS(config)# session-filter <filter_name> […]
† Example
ACOS(config)# session-filter c1 source-addr 10.0.1.161 dest-addr 10.0.1.12 dest-port 80
ACOS# show session filter c1
Prot  Forward Source    Forward Dest  Reverse Source  Reverse Dest     Age  Hash  Flags  Type
Tcp   10.0.1.161:36690  10.0.1.12:80  10.0.2.18:80    10.0.2.16:14075  0    1     NSe1   SLB-L7
Tcp   10.0.1.161:36660  10.0.1.12:80  10.0.2.18:80    10.0.2.16:14045  0    1     NSe1   SLB-L7
99. 99
Layers 1-4
† Layer 1-2
¿ ACOS# show int […]
† Layer 3
¿ ACOS# show arp
¿ ACOS# show ip route
¿ ACOS# show access-list
¿ ACOS# show run | sec router
† Layer 4
¿ ACOS# show slb l4
¿ host# telnet <ip> <port>
¿ ACOS# axdebug
100. 100
Layer 7: HTTP Troubleshooting
† Show enabled L7 features
¿ ACOS# show run | sec slb
¿ Try without the advanced features first (compression, connection reuse, and so on)
† Packet trace
¿ ACOS# axdebug
° Is server receiving the request sent by the ACOS device?
° Any standard HTTP header missing? (host, method, … and so on)
° Do all of the HTTP headers have desired values?
° Response Code from server’s response?
° Size of request / response payload?
° Is it taking a long time to process the request?
° What are the cookies?
103. 103
Layer 7: HTTP (cont.)
ACOS# show slb http-proxy
Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 63
HTTP requests 63
HTTP requests(succ) 63
HTTP req (cache succ) 0
No proxy error 0
Client RST 3
Server RST 0
No tuple error 0
Parse req fail 0
Server selection fail 0
Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 63
Source NAT failure 0
Tot data before compress 0
Tot data after compress 0
Request over limit 0
Request rate over limit 0
104. 104
Layer 7: HTTPS/SSL Troubleshooting
† Show enabled features
¿ ACOS# show run | sec slb
° Are client-ssl and server-ssl templates applied on vport?
† Show SSL stats
° show slb ssl stat
° show slb ssl cert
† Packet trace
¿ ACOS# axdebug
° Is client able to finish SSL Handshake with VIP?
° Is ACOS device able to finish SSL Handshake with server?
° Analyze packet pcap in protocol analyzer tool.
° Any issues pertaining to redirect?
† Decrypted trace
¿ Are there any absolute links in Javascripts / Links / Images (http://xxx)?
105. 105
Session details
#show session
Traffic Type Total
-------------------------------------------------
TCP Established 1
TCP Half Open 10
UDP 0
Non TCP/UDP IP sessions 0
Other 0
Reverse NAT TCP 0
Reverse NAT UDP 0
Curr Free Conn 2031556
Conn Count 1387
Conn Freed 1354
TCP SYN Half Open 0
Conn SMP Alloc 0
Conn SMP Free 0
Conn SMP Aged 0
Conn Type 0 Available 3866622
Conn Type 1 Available 1933300
Conn Type 2 Available 966644
Conn Type 3 Available 483305
Prot Forward Source Forward Dest Reverse Source Reverse Dest Age Hash Flags
----------------------------------------------------------------------------------------------------------------------------------------------------------
Tcp 192.168.4.1:60456 192.168.4.200:80 192.168.3.100:80 192.168.4.50:2344 0 1 NSe1
Tcp 192.168.4.1:60447 192.168.4.200:80 0.0.0.0 0.0.0.0 0 1 NSe1
…..
Total Sessions: 11
Forward Source: Client IP address when connecting to a VIP.
• For DNS sessions, the client’s DNS transaction ID is shown instead of a protocol port
number.
• The output for connection-reuse sessions shows 0.0.0.0 for the forward source and forward
destination addresses.
Forward Dest: VIP to which the client is connected.
Reverse Source: Real server’s IP address.
Reverse Dest: IP address to which the real server responds.
• If source NAT is used for the virtual port, this address is the source NAT address used by
A10 device when connecting to the real server.
• If source IP NAT is not used for the virtual port, this address is the client IP address.
Age: Number of seconds since the session started.
Hash: CPU ID.
Flags: This value is used by A10 Technical Support.
If the reverse source and reverse destination show 0.0.0.0 (as in the second session above), the connection has not been established yet (half-open).
106. 106
ACOS Performance
† Show memory utilization
¿ ACOS# show memory [ system ]
System Memory Usage:
Total(KB)  Free     Shared  Buffers  Cached  Usage
16456546   8224340  0       2420     159084  49.0%
↑ Memory is pre-allocated based on system resource configuration.
† Show cpu utilization / Slb usage
¿ ACOS# show cpu [ interval […] ]
¿ ACOS# show slb performance [ interval […] ]
↑ shows utilization per cpu for the past minute. Customizable “interval” triggers continuous updates.
† Show resource limits
¿ ACOS# show system resource-usage
↑ shows minimum, maximum, default, and currently set limits for configuration items
107. 107
ShowTech
† ShowTech is a comprehensive collection of output from many
troubleshooting utilities
¿ When contacting A10 Tech Support you will be asked to generate one
† WebUI: generate new file and save to laptop
¿ Monitor > System > Diagnosis > Show Techsupport
† WebUI: view and save previously generated files
¿ Monitor > System > Diagnosis > ShowTech File
† CLI: generate and export file to a remote server or view on the screen
¿ ACOS# show techsupport [export] [use-mgmt-port] [<remote_destination>]
108. 108
The Power of Show Tech and Backup Logs
† What is ‘show tech’ and why do you need it?
¿ Configuration, logging, crash, version, uptime, memory, and real-time snapshot of various L2-L7 statistics of the system.
¿ Getting a diff of two show tech snapshots while a problem is happening can help identify underlying problems in the platform.
¿ Can greatly aid in offline debugging.
¿ CLI : (ACOS# sh tech export)
¿ GUI : Monitor > System > Diagnosis > ShowTech File
† Backup logs may also contain valuable information about the cause of the problem.
¿ Could be extremely helpful in post-network outage troubleshooting.
¿ CLI : (‘ACOS# export log’)
¿ GUI : Config > System > Maintenance > Backup
109. 109
Useful Troubleshooting Commands – from Bottom-Up
L7
¿ HTTP
° show slb http debug
° show slb http-proxy
° debug http-proxy
¿ SSL/HTTPS
° show slb ssl stat
° show slb ssl cert
° debug ssl
° x.509 aFlex logging
¿ Capture tools (Axdebug, Debug Monitor)
¿ aFlex:
° debug aflex,
° show aflex debug
° show aflex <aflex name> debug
° (aflex TCL logging)
Healthcheck
° show health stat
° show health monitor
° debug hm
L1/System
¿ show interface eth <number>, show int stat
¿ show stat interface eth <number>
¿ show core, show version, show log, show tech
¿ show cpu, show hardware, show slb performance
¿ show mem, show mem system
L2
¿ show arp, show mac, show ipv6 neigh
¿ show switch mac (FPGA units)
L3
¿ show slb switch
¿ show ip route, sh ip fib (sh ipv6 route, sh ipv6 fib)
¿ debug packet l3-protocol <ip/ipv6> <ip address>
¿ capture tools (Axdebug, Debug Monitor)
L4
¿ show session, show session persist
¿ show slb server, show slb virtual, show slb service
¿ show slb l4 <det>
¿ show ip nat pool stat
¿ show ip nat trans
¿ show slb persist
¿ debug tcp stack, show slb tcp stack
¿ debug packet l4-protocol <tcp/udp> <port>
¿ capture tools (Axdebug, Debug Monitor)
111. 111
Experienced & Focused Organization
† Qualified Support Staff
¿ Engineering Background with industry experience
† Support Organization
¿ Japan and China Support
° Local language support available in Japan and China
¿ Tier 2 and Tier 3 Support Engineers
° Case manager -> Support engineers
¿ Support QA Engineers
° Patch and Maintenance testing
° Recreating CFD (Customer Found Defects)
° Verifying CFD fixes using customer profile
¿ Sustaining Engineers
° Integrated into Support
112. 112
2014 Global Support and RMA Depots
§ 4 Technical Support Centers providing 24 x 7 x 365 support.
§ 60 Support Resources
§ Toll free numbers and local language support
§ 35 RMA depots worldwide and growing (99% OTD)
Map labels: Support Center; San Jose, USA; Netherlands; Tokyo, Japan; China; Dubai
113. 113
Hardware RMA Centers
† RMA Depots
¿ 4 hour Advance RMA
° US & Canada
¿ Next Business Day Advance Replacements
° US & Canada
° Japan
° Taiwan
° Hong Kong
° EU Countries
° Australia
¿ By Q4 2014
° Colombia, Chile, New Zealand, China, South Korea, Singapore, Turkey, Saudi Arabia, Dubai,
Switzerland
114. 114
A10 Support Contact Guidelines
† If there is a network emergency or time-critical issue – Call the
A10 Networks TAC:
¿ +1-888-TACS-A10 (888-822-7210)
¿ +1 (408) 325-8676
¿ 900 804 766 (Spain Toll Free)
† If you have a critical question on “How do I….” Contact A10 TAC via:
Phone: 1-888-TACS-A10 (888-822-7210)
Email: support@a10networks.com
Support Web: http://a10networks.com/support
† You may refer to the following document for A10 TAC procedures:
¿ <https://www.a10networks.com/resources/files/A10-BR-Support.pdf>
115. 115
Information Gathering
† When requesting A10 TAC assistance, be prepared to provide the
following:
¿ Product Serial number
¿ Customer contact information
¿ Partner/Reseller name
¿ Description of the problem in detail
¿ Priority level and impact of the problem
¿ Indication of the activity that was being performed when the problem occurred
¿ Software version
¿ Configuration and/or network topology information
¿ Show techsupport (output that provides the whole configuration and statistics)
° WebUI: Monitor > System > Logging > Show Techsupport
° CLI: AX# show techsupport
116. 116
Additional Information required for RMA request
† For RMA requests, include the shipping information.
¿ Company
¿ Ship-to Address
¿ City, State, ZIP code
¿ Country (if outside of US)
¿ Contact person
¿ Contact phone number
117. 117
Online Tech Support
† A10 TAC offers two online resources
¿ Support Web Portal: <https://www.a10networks.com/support-axseries/index.php>
¿ A10 User Community Forum: <https://www.a10networks.com/vadc/>
118. 118
Severity Level
Priority 1 and 2 issues should be reported via 1-888-TACS-A10
Priority 1: Network Down
Priority 2: Serious Performance Degradation
Priority 3: Performance Impact, Installation Issue
Priority 4: Information request
126. 126
Engineering Release Type
† Architecture Release : 1.x , 2.x, 3.x
¿ Architectural Change
¿ Scheduled roughly every 2 years on average
† Major Release: x.1.y to x.2.y
¿ Release for customer features and internal enhancements.
¿ Scheduled on average between 12-14 months.
† Minor Release: x.y.1 to x.y.2
¿ Periodic bug fix release, with some minor feature enhancement.
¿ Scheduled on average every 4 – 6 months.
127. 127
Support Release Type
† Patch Release: x.y.z-P1
¿ Release for bug fixes (mostly customer reported bugs)
¿ May include minor changes for supportability and reliability
¿ Scheduled between 2 – 6 Months
¿ Include previous patch releases’ bug fixes
¿ Signed off by Sustaining, QA, and Support
† Special Patch Release: x.y.z-P1-SP1
¿ Emergency release targeted for a specific customer.
¿ Full automation regression testing 2-3 days
¿ Limited manual functional testing
¿ Signed off by Engineering, Sustaining, QA, and Support
128. 128
Software Release Type
† Gold Releases
¿ 2.6.1-GR1 as the First SLB Gold Release
° Released in February, 2012
¿ 2.6.6-GR1 as the First LSN/IPv6 Gold Release
° To be released in 2Q2013
¿ Supported for a minimum of 4 years
¿ Additional QA resources for extended test cases
¿ Thorough code reviews on all code check-in
¿ Based on proven released branch with field exposure
¿ No major enhancement added
° Supportability, Compliance, and MIB changes may be added