manualshive.com logo in svg

Radware Alteon, Application Manual

Share
Download
Radware Alteon Application Manual Download Page 618

Alteon Application Switch Operating System Application Guide

 

Advanced Denial of Service Protection

618

 Document 

ID: 

RDWR-ALOS-V2900_AG1302

To configure UDP blast protection

1. Configure the UDP port numbers or ranges of UDP ports that you want to protect against UDP 

attacks.
For example, configure UDP ports 1001-2000 @ 1000pps, UDP ports 2001-4000 @2000pps, and 
UDP ports 4001-6000 @5000pps.

Alteon supports up to 5000 UDP port numbers, using any integer from 1 to 65535. For the entire 
port range, the difference between the highest port number and the lowest port number must 
be less than or equal to 5000.

2. Enable UDP blast protection on the ports that are connected to unsafe networks.

3. Apply and save the configuration.

TCP or UDP Pattern Matching

This feature provides the capability to scan ingressing packets for patterns contained in some well-
known TCP or UDP attacks on back-end servers. Alteon can be configured with one or more filters 
that scan the first IP packet, and drop if it finds one or all of the configured patterns. If no match is 
found, the packets are allowed through.
Pattern matching is constructed much in the same way as any other filter configured to examine 
Layer 7 content.

Note:

The ability to match and perform filter action on a pattern or group of patterns is available 

only when you enable the Security Pack software.

Pattern Criteria

Many TCP or UDP attacks contain common signatures or patterns in the IP packet data. Alteon can 
be configured to examine an IP packet from either the beginning, from a specific offset value 
(starting point) within the IP packet, and/or from a specified depth (number of characters) into the 
IP packet. It then performs a matching operation.

Figure 100 -  IP Packet Format, page 619

 illustrates an IP packet format. Alteon is able to track from 

the beginning of the IP packet (at the IP version number), through an IP packet payload of 1500 
bytes. Each row in an IP packet is four bytes.

>> /cfg/security/udpblast

>> UDP Blast Protection# add

Enter UDP port number (1 to 65535) or range (first-last): 1001-2000

Enter max packet rate per second (1 to 20000000):         1000

>> UDP Blast Protection# add

Enter UDP port number (1 to 65535) or range (first-last): 2001-4000

Enter max packet rate per second (1 to 20000000):         2000

>> UDP Blast Protection# add

Enter UDP port number (1 to 65535) or range (first-last): 4001-6000

Enter max packet rate per second (1 to 20000000):         5000

>> /cfg/security/port 1/udpblast ena

Summary of Contents for Alteon

Page 1: ...Alteon Application Switch Operating System Application Guide Software Version 29 0 0 0 Document ID RDWR ALOS V2900_AG1302 February 2013 ...

Page 2: ...Alteon Application Switch Operating System Application Guide 2 Document ID RDWR ALOS V2900_AG1302 ...

Page 3: ...guide or any part thereof without the prior written consent of Radware Notice importante Ce guide est sujet aux conditions et restrictions suivantes Les applications AppShape Script Files fournies par Radware Ltd sont soumises aux termes de la Licence Spéciale Special License Terms incluse dans chaque fichier électronique AppShape Script Files mais aussi au Contrat de Licence d Utilisateur Final d...

Page 4: ...raulich behandelt werden Es ist streng verboten dieses Handbuch oder Teile daraus ohne vorherige schriftliche Zustimmung von Radware zu kopieren vervielfältigen reproduzieren oder offen zu legen Copyright Notices The following copyright notices are presented in English French and German Copyright Notices The programs included in this product are subject to a restricted use license and can only be ...

Page 5: ...binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials ...

Page 6: ... membres du conseil de l Université de Californie Tous droits réservés La distribution et l usage sous une forme source et binaire avec ou sans modifications est autorisée pour autant que les conditions suivantes soient remplies 1 La distribution d un code source doit inclure la notice de copyright mentionnée ci dessus cette liste de conditions et l avis de non responsabilité suivant 2 La distribu...

Page 7: ...tzt werden Dieses Produkt enthält einen vom OpenSSL Projekt entwickelten Code Dieses Produkt enthält vom OpenSSL Projekt entwickelte Software Zur Verwendung im OpenSSL Toolkit http www openssl org Copyright c 1998 2005 The OpenSSL Project Alle Rechte vorbehalten Dieses Produkt enthält die Rijndael cipher Die Rijndael Implementierung von Vincent Rijndael Anton Bosselaers und Paulo Barreto ist öffen...

Page 8: ...n Bedingungen und den folgenden Haftungsausschluss in der Dokumentation und oder andere Materialien die mit verteilt werden reproduzieren SÄMTLICHE VORGENANNTE SOFTWARE WIRD VOM AUTOR IM IST ZUSTAND AS IS BEREITGESTELLT JEGLICHE AUSDRÜCKLICHEN ODER IMPLIZITEN GARANTIEN EINSCHLIESSLICH DOCH NICHT BESCHRÄNKT AUF DIE IMPLIZIERTEN GARANTIEN DER MARKTGÄNGIGKEIT UND DER ANWENDBARKEIT FÜR EINEN BESTIMMTE...

Page 9: ...H VOLTAGE Any adjustment maintenance and repair of the opened instrument under voltage must be avoided as much as possible and when inevitable must be carried out only by a skilled person who is aware of the hazard involved Capacitors inside the instrument may still be charged even if the instrument has been disconnected from its source of supply GROUNDING Before connecting this device to the powe...

Page 10: ...ot installed and used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case the user is required to correct the interference at his own expense VCCI ELECTROMAGNETIC INTERFERENCE STATEMENTS Figure 3 Statement for Class A VCCI certified Equipment Translat...

Page 11: ... 250 V 3 A RESTRICT AREA ACCESS The DC powered equipment should only be installed in a Restricted Access Area INSTALLATION CODES This device must be installed according to country national electrical codes For North America equipment must be installed in accordance with the US National Electrical Code Articles 110 16 110 17 and 110 18 and the Canadian Electrical Code Section 12 INTERCONNECTION OF ...

Page 12: ...nland Norway Sweden marked on product Denmark Unit is class I unit to be used with an AC cord set suitable with Denmark deviations The cord includes an earthing conductor The Unit is to be plugged into a wall socket outlet which is connected to a protective earth Socket outlets which are not connected to earth are not to be used Finland Marking label and in manual Laite on liitettävä suojamaadoitu...

Page 13: ...rce d alimentation électrique Déconnectez toutes les sources d alimentation électrique avant d entretenir l appareil ceci pour éviter tout choc électrique ENTRETIEN N effectuez aucun entretien autre que ceux répertoriés dans le manuel d instructions à moins d être qualifié en la matière Aucune pièce à l intérieur de l unité ne peut être remplacée ou réparée HAUTE TENSION Tout réglage opération d e...

Page 14: ...interférences nuisibles lorsque l équipement est utilisé dans un environnement commercial Cet équipement génère utilise et peut émettre des fréquences radio et s il n est pas installé et utilisé conformément au manuel d instructions peut entraîner des interférences nuisibles aux communications radio Le fonctionnement de cet équipement dans une zone résidentielle est susceptible de provoquer des in...

Page 15: ...0 V 3 A ZONE A ACCÈS RESTREINT L équipement alimenté en CC ne pourra être installé que dans une zone à accès restreint CODES D INSTALLATION Ce dispositif doit être installé en conformité avec les codes électriques nationaux En Amérique du Nord l équipement sera installé en conformité avec le code électrique national américain articles 110 16 110 17 et 110 18 et le code électrique canadien Section ...

Page 16: ...de classe 1 qui doit être utilisée avec un cordon CA compatible avec les déviations du Danemark Le cordon inclut un conducteur de mise à la terre L unité sera branchée à une prise murale mise à la terre Les prises non mises à la terre ne seront pas utilisées Finlande Étiquette et inscription dans le manuel Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan Norvège Étiquette ...

Page 17: ...ßlich von qualifiziertem Servicepersonal durchgeführt werden Zur Reduzierung der Feuer und Stromschlaggefahr muss das Gerät vor der Entfernung der Abdeckung oder der Paneele von der Stromversorgung getrennt werden Folgende Abbildung zeigt das VORSICHT Etikett das auf die Radware Plattformen mit Doppelspeisung angebracht ist Figure 13 Warnetikett Stromschlaggefahr SICHERHEITSHINWEIS IN CHINESISCHER...

Page 18: ...Beachten Sie die technischen Angaben bezüglich der korrekten elektrischen Werte des Gerätes Plattformen mit 48 V DC verfügen über eine Eingangstoleranz von 36 72 V DC ÄNDERUNGEN DER TECHNISCHEN ANGABEN Änderungen der technischen Spezifikationen bleiben vorbehalten Hinweis Dieses Gerät wurde geprüft und entspricht den Beschränkungen von digitalen Geräten der Klasse 1 gemäß Teil 15B FCC Vorschriften...

Page 19: ... elektromagnetische Wellen geeignete Geräten angehört und dass diese Geräte nicht für den heimischen Gebrauch bestimmt sind BESONDERER HINWEIS FÜR BENUTZER IN NORDAMERIKA Wählen Sie für den Netzstromanschluss in Nordamerika ein Stromkabel das in der UL aufgeführt und CSA zertifiziert ist 3 Leiter 18 AWG endend in einem gegossenen Stecker für 125 V 10 A mit einer Mindestlänge von 1 5 m sechs Fuß do...

Page 20: ...im Handbuch Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan Norway Markierungsetikett und im Handbuch Apparatet må tilkoples jordet stikkontakt Ausschließlich für Anschluss an IT Netzstromsysteme in Norwegen vorgesehen Sweden Markierungsetikett und im Handbuch Apparaten skall anslutas till jordat uttag Anschluss des Stromkabels 1 Schließen Sie das Stromkabel an den Haupta...

Page 21: ...设备而言 Tma 为制造商规范允许的最大环境温度 或者为 25 C 采用两 者中的较大者 2 关于在海拔不超过 2000m 或者在非热带气候地区使用的设备 附加警告要求如下 关于在海拔不超过 2000m 的地区使用的设备 必须在随时可见的位置处粘贴包含如下内容或者类似用语的警告标 记 或者附件 DD 中的符号 只可在海拔不超过 2000m 的位置使用 关于在非热带气候地区使用的设备 必须在随时可见的位置处粘贴包含如下内容的警告标记 只可在非热带气候地区使用 附件 DD 有关新安全警告标记的说明 DD 1 海拔警告标记 标记含义 设备的评估仅基于 2000m 以下的海拔高度 因此设备只适用于该运行条件 如果在海拔超过 2000m 的 位置使用设备 可能会存在某些安全隐患 DD 2 气候警告标记 标记含义 设备的评估仅基于温带气候条件 因此设备只适用于该运行条件 如果在热带气候地区使用设备 可...

Page 22: ...ossible damage to equipment software or data Endommagement possible de l équipement des données ou du logiciel Mögliche Schäden an Gerät Software oder Daten Note Additional information Informations complémentaires Zusätzliche Informationen To A statement and instructions Références et instructions Eine Erklärung und Anweisungen Tip A suggestion or workaround Une suggestion ou solution Ein Vorschla...

Page 23: ...teon 43 Using the CLI 43 Using SNMP 44 SNMP v1 0 44 SNMP v3 0 44 Using the Browser Based Interface 51 Configuring BBI Access via HTTP 51 Configuring BBI Access via HTTPS 51 Generating a Certificate for BBI Access via HTTPS 52 Using the Management Port 52 Setting Up the Management Port 53 Limiting Management Access 54 File Transfers 55 Time Configuration 55 Time Zone Configuration 55 Network Time P...

Page 24: ...nt Commands 73 SSH and SCP Encryption of Management Messages 74 Generating RSA Host and Server Keys for SSH Access 74 SSH SCP Integration with RADIUS Authentication 75 SSH SCP Integration With SecurID 75 End User Access Control 76 Considerations for Configuring End User Accounts 76 User Access Control Menu 76 Setting up User IDs 77 Defining User Names and Passwords 77 Changing Passwords 77 Definin...

Page 25: ...p Configuration Guidelines 100 Adding a VLAN to a Spanning Tree Group 101 Creating a VLAN 101 Rules for VLAN Tagged Ports 101 Adding and Removing Ports to and from STGs 101 Spanning Tree Implementations in Trunk Groups 102 Multiple Spanning Trees 102 Purpose of Multiple Spanning Trees 103 Four Alteon Topology with a Single Spanning Tree 103 Four Alteon Topology with Multiple Spanning Trees 104 Rap...

Page 26: ...Version 1 122 RIP Version 2 122 RIP Version 2 in RIP Version 1 Compatibility Mode 122 RIP Features 123 Poison 123 Triggered Updates 123 Multicast 123 Default 123 Metric 123 Authentication 123 RIP Configuration Example 124 Chapter 10 Border Gateway Protocol 125 Internal Routing Versus External Routing 125 Forming BGP Peer Routers 126 Route Maps 126 Incoming and Outgoing Route Maps 127 Precedence 12...

Page 27: ...amples 150 Configuring OSPF for a Virtual Link on Alteon 1 153 Configuring OSPF for a Virtual Link on Alteon 2 154 Configuring Host Routes on Alteon 1 159 Configuring Host Routes on Alteon 2 162 Verifying OSPF Configuration 164 Chapter 12 Server Load Balancing 165 Understanding Server Load Balancing 165 Identifying Your Network Needs 165 How Server Load Balancing Works 166 Implementing Server Load...

Page 28: ...teway 208 IPv6 to IPv4 Server Load Balancing 209 IPv6 to IPv6 Server Load Balancing 212 IPv6 Layer 4 SLB Information 214 IPv6 Real Server Health Checks 214 Source Network Based Server Load Balancing 214 Configuring Network Classes 214 Configuring Source Network Based Server Load Balancing 216 HTTP HTTPS Server Load Balancing 217 Implementing HTTP HTTPS Server Load Balancing 218 Content Intelligent...

Page 29: ...Content Intelligent RTSP Load Balancing 295 Secure Socket Layer SSL SLB 299 Associating an SSL Policy to a Virtual Service 299 Associating a Server Certificate to a Virtual Service 300 Wireless Application Protocol WAP SLB 300 WAP SLB with RADIUS Static Session Entries 301 WAP SLB with RADIUS Snooping 304 WAP SLB with RADIUS WAP Persistence 306 Intrusion Detection System IDS SLB 309 How Intrusion ...

Page 30: ...ts 356 Filtering Classification Criteria 356 Filtering Actions 357 Stacking Filters 358 Overlapping Filters 358 Default Filter 359 Optimizing Filter Performance 359 Filtering with Network Classes 360 IP Address Ranges 360 Filter Logs 361 Cached Versus Non Cached Filters 362 Logging Non Cached Filter Hits 362 Filtering Enhancements 363 Reverse Session 363 Return to Proxy 363 Layer 7 Invert Filter 3...

Page 31: ...agement 410 Resource Dashboard 411 Accessing the Dashboard 412 Dashboard Charts 413 Settings Menu 417 Basic ADC VX Procedures 419 Creating a New vADC 419 Resizing vADC Resources 427 Assigning a VLAN Shared Interface to a vADC 428 Importing the Active ADC Configuration 429 Restoring the Active Configuration of an Existing vADC 429 Performing a Complete System Recovery 430 Importing vADC Configurati...

Page 32: ...ion 466 HTTP Header Based Cache Redirection 472 Browser Based Cache Redirection 474 URL Hashing for Cache Redirection 475 RTSP Streaming Cache Redirection 477 Peer to Peer Cache Load Balancing 480 Chapter 18 Health Checking 481 Understanding Health Check Monitoring 482 Pre defined Health Checks 483 Basic Health Checks 483 Advanced Server Health Checks 484 Supported Health Check Types 484 Link Heal...

Page 33: ...Components 508 VRRP Priority 509 Alteon Extensions to VRRP 510 IPv6 VRRP Support 518 IPv6 VRRP Support Overview 518 IPv6 VRRP Packets 519 IPv6 VRRP Configuration 519 IPv6 VRRP Information 520 Failover Methods and Configurations 521 Active Standby Redundancy 521 Active Active Redundancy 527 Hot Standby Redundancy 535 Tracking Virtual Routers 542 Service Based Virtual Router Groups 543 IPv6 VRRP Con...

Page 34: ...n Client IP 584 Cookie Based Persistence 585 Permanent and Temporary Cookies 586 Cookie Formats 587 Cookie Properties 587 Client Browsers that Do Not Accept Cookies 587 Cookie Modes of Operation 588 Configuring Cookie Based Persistence 591 Cookie Based Persistence Examples 593 Server Side Multi Response Cookie Search 595 Proxy Support for Insert Cookie 596 SSL Session ID Based Persistence 596 How ...

Page 35: ...ing Groups of Patterns 620 FlexiRules for SIP over UDP Traffic 626 Chapter 22 WAN Link Load Balancing 631 Multi homing 631 Benefits of WAN Link Load Balancing 632 Identifying Your Network Needs 632 What is Load Balancing 633 How WAN Link Load Balancing Works 633 Outbound Traffic 633 Inbound Traffic 634 Configuring WAN Link Load Balancing 637 Before You Begin 637 Configuration Summary 638 WAN Link ...

Page 36: ...n 724 Master Slave DNS Configuration 730 Configuring GSLB with Rules 730 Configuring Time Based Rules 731 Using the Availability Metric in a Rule 732 Configuring GSLB Network Preference 733 Configuring GSLB with Client Proximity 734 Configuring Static Client Proximity 735 Configuring Dynamic Client Proximity 742 Configuring GSLB with DNSSEC 743 Basic DNSSEC Configuration 743 DNSSEC Key Rollover 74...

Page 37: ...1 Statistics and Management Information Bases 772 Synchronizing BWM Configurations in VRRP 772 Packet Coloring TOS bits for Burst Limit 772 Contract Based Packet Mirroring 773 Configuring Bandwidth Management 773 Additional BWM Configuration Examples 776 Chapter 27 XML Configuration API 795 Software Components 795 XML Configuration File 796 XML File Transmission 796 XML Configuration 797 Additiona...

Page 38: ...7 Con tent Switching Rules 809 URL Based Server Load Balancing 809 Virtual Hosting 813 Cookie Based Preferential Load Balancing 815 Browser Smart Load Balancing 817 Configure SLB Strings for HTTP Redirection 818 Appendix C IPv6 835 IPv4 versus IPv6 835 IPv6 Address Format 836 Compressing Long Sequences of Zeros 836 Prefix Length for a Network Identifier 836 IPv6 Address Types 837 Unicast 837 Multi...

Page 39: ... system from attacks unauthorized access and discusses different methods to manage Alteon for remote administrators using specific IP addresses RADIUS authentication Secure Shell SSH and Secure Copy SCP VLANs describes how to configure Virtual Local Area Networks VLANs for creating separate network segments including how to use VLAN tagging for Alteons that use multiple VLANs Port Trunking describ...

Page 40: ... load balancing and application redirection features High Availability describes how to use the Virtual Router Redundancy Protocol VRRP to ensure that network resources remain available if one Alteon is removed for service Part 4 Advanced Load Balancing Persistence describes how to ensure that all connections from a specific client session reach the same server Persistence can be based on cookies ...

Page 41: ...ntation Alteon Application Switch Operating System Release Notes Radware Alteon Maintenance and Installation Guide Alteon Application Switch Operating System Command Reference Alteon Application Switch Operating System Browser Based Interface BBI Quick Guide Alteon Application Switch Operating System Troubleshooting Guide ...

Page 42: ...Alteon Application Switch Operating System Application Guide Preface 42 Document ID RDWR ALOS V2900_AG1302 ...

Page 43: ...n software Using the management port The management port is a Gigabit Ethernet port that is used exclusively for managing Alteon For more information on the management port see Using the Management Port page 52 Using a Telnet connection over the network A Telnet connection offers the convenience of accessing Alteon from any workstation connected to the network Telnet access provides the same optio...

Page 44: ...y strings enabled on Alteon presents a security risk You can change the community strings as follows Read community string cfg sys ssnmp rcomm string Write community string cfg sys ssnmp wcomm string The SNMP manager should reach the management interface management port or any one of the Alteon IP interfaces SNMP v3 0 SNMPv3 is an enhanced version of SNMP approved by the Internet Engineering Steer...

Page 45: ...cify the access level for this user along with the views to which the user is allowed access This is specified in the access table 3 Link the user to a particular access group If you want to allow the user to access only certain MIBs see View Based Configurations page 46 cfg sys ssnmp snmpv3 usm x cfg sys ssnmp snmpv3 usm 5 SNMPv3 usmUser 5 name test SNMPv3 usmUser 5 auth md5 SNMPv3 usmUser 5 auth...

Page 46: ... view 7 name usr tree 1 3 6 1 4 1 1872 2 5 1 3 cfg sys ssnmp snmpv3 view 8 name usr tree 1 3 6 1 4 1 1872 2 5 2 2 cfg sys ssnmp snmpv3 view 9 name usr tree 1 3 6 1 4 1 1872 2 5 2 3 cfg sys ssnmp snmpv3 view 10 name usr tree 1 3 6 1 4 1 1872 2 5 3 2 cfg sys ssnmp snmpv3 view 11 name usr tree 1 3 6 1 4 1 1872 2 5 3 3 cfg sys ssnmp snmpv3 view 12 name usr tree 1 3 6 1 4 1 1872 2 5 4 2 cfg sys ssnmp s...

Page 47: ...ee 1 3 6 1 4 1 1872 2 5 1 3 cfg sys ssnmp snmpv3 view 22 name slboper tree 1 3 6 1 4 1 1872 2 5 2 2 cfg sys ssnmp snmpv3 view 23 name slboper tree 1 3 6 1 4 1 1872 2 5 2 3 cfg sys ssnmp snmpv3 view 24 name slboper tree 1 3 6 1 4 1 1872 2 5 3 2 cfg sys ssnmp snmpv3 view 25 name slboper tree 1 3 6 1 4 1 1872 2 5 3 3 cfg sys ssnmp snmpv3 view 26 name slboper tree 1 3 6 1 4 1 1872 2 5 4 cfg sys ssnmp ...

Page 48: ...user name used with this targetParam table cfg sys ssnmp snmpv3 usm 10 name v1trap cfg sys ssnmp snmpv3 access 10 SNMPv3 vacmAccess 10 name v1trap SNMPv3 vacmAccess 10 model snmpv1 SNMPv3 vacmAccess 10 nview iso cfg sys ssnmp snmpv3 group 10 SNMPv3 vacmSecurityToGroup 10 model snmpv1 SNMPv3 vacmSecurityToGroup 10 uname v1trap SNMPv3 vacmSecurityToGroup 10 gname v1trap cfg sys ssnmp snmpv3 notify 1...

Page 49: ...nmpv3 comm 10 Select the community table SNMPv3 snmpCommunityTable 10 index v1trap SNMPv3 snmpCommunityTable 10 name public SNMPv3 snmpCommunityTable 10 uname v1trap cfg sys ssnmp snmpv3 usm 10 name v2trap cfg sys ssnmp snmpv3 access 10 name v2trap model snmpv2 nview iso cfg sys ssnmp snmpv3 group 10 model snmpv2 uname v2trap gname v2trap cfg sys ssnmp snmpv3 taddr 10 name v2trap addr 50 81 25 66 ...

Page 50: ... example illustrates how to configure an SNMPv3 user v3trap with authentication only cfg sys ssnmp snmpv3 usm usmUser number 1 16 cfg sys ssnmp snmpv3 usm 11 name v3trap auth md5 authpw v3trap cfg sys ssnmp snmpv3 access 11 name v3trap level authNoPriv nview iso cfg sys ssnmp snmpv3 group 11 uname v3trap gname v3trap cfg sys ssnmp snmpv3 taddr 11 name v3trap addr 50 81 25 66 taglist v3trap pname v...

Page 51: ...teon via HTTP To change the HTTP web server port from the default port 80 To access your Alteon via the Browser Based Interface 1 Open a Web browser window 2 Type the Alteon hostname or the IP address Configuring BBI Access via HTTPS You can access the BBI via a secure HTTPS connection over management and data ports To enable BBI access on Alteon via HTTPS To change the HTTPS Web server port numbe...

Page 52: ...uld otherwise be used for processing requests You can use the management port to access Alteon using Telnet CLI SSH or HTTP BBI The management port does not participate in the switching and routing protocols that run on the data ports but it can be used to perform management functions such as Accessing the NTP server Sending out SNMP traps Sending out syslog messages Accessing the RADIUS server Ac...

Page 53: ... command boot mgmt ena then use the command cfg sys mmgmt ena to enable the management port For more information see the section on configuring management ports in the Radware Alteon Installation and Maintenance Guide To set up the management port 1 Configure a default gateway address Both IPv4 and IPv6 addresses can be configured on the management port each one with its own gateway 2 Configure a ...

Page 54: ...t access through VLANs Unlike standalone appliances a vADC does not necessarily own the entire physical port and can share it with other applications or services To accommodate such a design the data port management access for vADCs is supported by VLAN IDs and not by physical ports Table 2 lists the commands that can be used to limit management services from VLANs Management Port ena Enable the m...

Page 55: ...gure Alteon with the appropriate time zone configuration This enables Alteon to provide proper time offsets and to adjust for Daylight Savings Time Example Set the Time Zone Set the time zone to Atlantic Time for an Alteon that is physically located in Atlantic Canada 1 Access time zone configuration 2 Select the general geographic zone in which Alteon is located Table 2 Commands to Limit vADC Man...

Page 56: ...ble timezone setting Enter the number of your choice 2 Please select a country 1 Anguilla 18 Ecuador 35 Paraguay 2 Antigua Barbuda 19 El Salvador 36 Peru 3 Argentina 20 French Guiana 37 Puerto Rico 4 Aruba 21 Greenland 38 St Kitts Nevis 5 Bahamas 22 Grenada 39 St Lucia 6 Barbados 23 Guadeloupe 40 St Pierre Miquelon 7 Belize 24 Guatemala 41 St Vincent 8 Bolivia 25 Guyana 42 Suriname 9 Brazil 26 Hai...

Page 57: ...cotia most places NB W Labrador E Que bec PEI 3 Atlantic Time E Labrador 4 Eastern Time Ontario Quebec most locations 5 Eastern Time Thunder Bay Ontario 6 Eastern Standard Time Pangnirtung Nunavut 7 Eastern Standard Time east Nunavut 8 Eastern Standard Time central Nunavut 9 Central Time Manitoba west Ontario 10 Central Time Rainy River Fort Frances Ontario 11 Central Time west Nunavut 12 Central ...

Page 58: ...P time zone offset from Greenwich Mean Time defaults to the setting configured when the Alteon time zone was set If this has not been done or you want to override the current value do the following 6 Enable NTP functionality Note To disable NTP functionality use the off command NTP Server prisrv Current NTP server address 0 0 0 0 Enter new NTP server address 192 168 249 13 NTP Server secsrv Curren...

Page 59: ...setting the maximum rate at which packets can enter Alteon After the configured limit has been reached packets are dropped The maximum rate packets per second can be configured differently for each of the supported protocols How Different Protocols Attack Alteon Without the system wide rate limiting commands enabled the following protocol packets destined for an Alteon owned management interface c...

Page 60: ...access rlimit Enter protocol arp icmp tcp udp arp Current max rate 0 Enter new max rate 1000 Set the rate to 1000 packets per second Main stats sp maint Enter SP number 1 4 2 Maintenanc e statistics for SP 2 Receive Letter success from MP 6487510 Receive Letter success from SP 1 0 Receive Letter success from SP 3 0 Receive Letter success from SP 4 0 Receive Letter errors from MP 0 Receive Letter e...

Page 61: ... is discarded You can configure both IPv4 and IPv6 IP ranges with up to 128 management IP addresses and mask prefix pairs Example Definition of a range of allowed source IP addresses between 192 192 192 1 to 192 192 192 127 continued Sp Application Services Engine Statistics Client frames sent Success 0 Client frames sent Failed 0 Server frames sent Success 0 Server frames sent Failed 0 Packets re...

Page 62: ... of the following components A protocol with a frame format that uses UDP over IP based on RFC 2138 and RFC 2866 A centralized server that stores all the user authorization information A client in this case Alteon RADIUS Authentication Features Alteon supports the following RADIUS authentication features Supports RADIUS client in Alteon based on the protocol definitions in RFC 2138 and RFC 2866 Al...

Page 63: ...llowing is an example RADIUS authentication configuration 1 Turn RADIUS authentication on then configure the primary and secondary RADIUS servers You can configure IPv4 or IPv6 addresses for the RADIUS servers 2 Configure the RADIUS secret Caution If you configure the RADIUS secret using any method other than a direct console connection the secret may be transmitted over the network as clear text ...

Page 64: ...d Access Levels User Account Description and Tasks Performed Password User The User has no direct responsibility for Alteon management The User can view all Alteon status information and statistics but cannot make any configuration changes to Alteon user SLB Viewer The SLB Viewer can view Alteon information Server Load Balancing SLB statistics and information but cannot make any configuration chan...

Page 65: ... exception of configuring filters or bandwidth management Available to the vADC administrator only slbadmin Layer 3 Administrator The Layer 3 Administrator manages Layer 3 features Available to the vADC administrator only l3admin Layer 4 Administrator The Layer 4 Administrator configures and manages traffic on the lines leading to the shared Internet services In addition to SLB Administrator funct...

Page 66: ...DIUS Dictionary All user privileges other than those assigned to the administrator have to be defined in the RADIUS dictionary RADIUS attribute 6 which is built into all RADIUS servers defines the administrator The filename of the dictionary is RADIUS vendor dependent The following RADIUS attributes are defined for Alteon user privileges levels Main cfg sys access user uid 9 backdoor e Main cfg sy...

Page 67: ...ion as described on How RADIUS Authentication Works page 63 1 The remote administrator connects to Alteon and provides the user name and password 2 Using the authentication or authorization protocol Alteon sends the request to the authentication server 3 The authentication server checks the request against the user ID database 4 Using the TACACS protocol the authentication server instructs Alteon ...

Page 68: ...p dis Table 6 displays TACACS levels with enabled privilege level mapping cfg sys tacacs cmap ena Table 5 Alteon Proprietary with Disabled Privilege Level Mapping for TACACS Alteon User Access Level TACACS level user 0 slboper 1 l4oper 2 oper 3 slbadmin 4 l4admin 5 admin 6 slbview 7 crtadmin 7 slbadmin crtmng 8 l4admin crtmng 9 l1oper 10 l2oper 11 l3oper 12 l3admin 13 Table 6 Alteon Proprietary wi...

Page 69: ...te Other than these attributes the cmd and cmd arg accounting attributes are also supported for command logging Configuring TACACS Authentication To configure TACACS authentication 1 Turn TACACS authentication on then configure the primary and secondary TACACS servers You can configure IPv4 or IPv6 addresses for TACACS servers 2 Configure the TACACS secret l2oper 24 l3oper 25 l3admin 26 Main cfg s...

Page 70: ...nto another computer over a network to execute management commands SCP is typically used to copy files securely from one computer to another SCP uses SSH for encryption of data on the network Alteon uses SCP to download and upload the Alteon configuration via secure channels The Alteon implementation of SSH supports both versions 1 5 and 2 0 and supports SSH clients version 1 5 to 2 x The followin...

Page 71: ...SSH commands you must turn on SSH and SCP To enable or disable SSH 1 To enable SSH 2 To disable SSH To enable or disable SCP putcg_apply and putcg_apply_save 1 To enable SCP putcfg_apply and putfg_apply_save Main cfg sys access sshd on Current status OFF New status ON Main cfg sys access sshd off Current status ON New status OFF cfg sys access sshd ena Enable SCP apply and save SSH Server apply Ap...

Page 72: ...client that is running the SCP application getcfg Used to download the configuration to the remote host via SCP putcfg Used to upload the configuration from a remote host to Alteon The diff command is executed at the end of putcfg to notify the remote client of the difference between the new and the current configurations putcfg_apply Runs the apply command after the putcfg is done putcfg_apply_sa...

Page 73: ...onfiguration using SCP Example Downloading Alteon Configuration Using SCP Uploading the Configuration to Alteon The following is the syntax for uploading the configuration to Alteon Example Uploading the Configuration to Alteon The apply and save commands are still needed after the last command scp appldevice cfg 192 168 249 13 putcfg Alternately you can use the following commands ssh Alteon IP ad...

Page 74: ...and server keys and is stored in the flash memory To configure RSA host and server keys 1 Connect to Alteon via the console port the commands for this procedure are not available via Telnet connection 2 Enter the following commands to generate the keys manually These two commands take effect immediately without the need of an apply command When Alteon reboots it retrieves the host and server keys ...

Page 75: ...cation requests to the specified RADIUS servers for authentication This redirection is transparent to the SSH clients SSH SCP Integration With SecurID SSH SCP can also work with SecurID a token card based authentication method Using SecurID requires the interactive mode during login which is not provided by the SSH connection Note There is no SNMP or BBI support for SecurID because the SecurID ser...

Page 76: ...ir own real servers via the CLI commands Once end user accounts are configured and enabled Alteon requires username and password authentication For example an administrator can assign a user to manage real servers 1 and 2 only The user can then log into Alteon and perform operational commands effective only until the next reboot to enable or disable the real servers or change passwords on the real...

Page 77: ... class of service or CoS The CoS for all user accounts has global access to all resources except for User CoS which has access to view resources that only the user owns For more information see Table 3 Alteon User Accounts and Access Levels page 64 To change the user s level Enter the class of service cos command and select one of the following options cfg sys access user uid 1 User ID 1 name jane...

Page 78: ...number 1 1023 23 User ID 2 cur name jane dis cos user password valid offline real servers 23 0 0 0 0 disabled name weight 1 timeout 20 mins max con 200000 24 0 0 0 0 disabled name weight 1 timeout 20 mins max con 200000 cfg sys access user cur Usernames user Enabled slbview Disabled slboper Disabled l4oper Disabled oper Disabled l3admin Disabled slbadmin Disabled l4admin Disabled admin Always Enab...

Page 79: ...pty To disable a user account The following is an example for disabling user accounts Deny Routes A deny route or black hole route can be configured to deny Layer 3 routable packets to destinations covered by a static route A deny route is created by setting the gateway address in a static route to 0 If the longest prefix match route which is obtained via route lookup is a deny route the packet is...

Page 80: ...erface as well as the subnet is denied which is not the desired result Viewing a Deny Route The following is an example view or dump of a deny route To view a deny route Enter the info l3 dump command A deny route appears in the routing table in bold cfg l3 route Select the IP Static Route menu IP Static Route add Add a static route Enter destination IP address 62 62 0 0 Of this IP network address...

Page 81: ...can be done from the CLI For more information see VLAN Configuration as well as Port Configuration in the Alteon Application Switch Operating System Command Reference VLAN ID Numbers Alteon supports up to 2048 VLANs per Alteon Even though the maximum number of VLANs supported at any given time is 2048 each can be identified with any number between 1 and 4090 VLANs are defined on a per port basis E...

Page 82: ...ingle VLAN configured on every port This configuration groups all ports into the same broadcast domain The VLAN has an 802 1Q VLAN PVID of 1 VLAN tagging is turned off because by default only a single VLAN is configured per port Since VLANs are most commonly used to create individual broadcast domains and or separate IP subnets host systems should be present on more than one VLAN simultaneously Al...

Page 83: ...d only for VLAN 3 so VLAN tagging is off Server 2 This high use server needs to be accessed from all VLANs and IP subnets The server has a VLAN tagging adapter installed with VLAN tagging turned on The adapter is attached to one of Alteon s Gigabit Ethernet ports that is configured for VLANs 1 2 and 3 Tagging is turned on Because of the VLAN tagging capabilities of both the adapter and Alteon the ...

Page 84: ...To prevent broadcast loops port 25 is on VLAN 10 and port 26 is on VLAN 109 Both Alteon to Alteon links are on different VLANs and therefore are separated into their own broadcast domains Figure 3 Parallel Links with VLANs Example Note In this example the Gig ports are on different VLANs and the Spanning Tree Protocol STP is disabled For information on STP see Spanning Tree Protocol page 99 PC 4 A...

Page 85: ...nfiguration page 85 illustrates a configuration where VLANs 2 and 3 have different routing requirements VLAN 2 is required to route traffic through default gateway 5 and VLAN 3 is required to route traffic through default gateway 6 Figure 4 Example Segregation of VLAN Traffic Configuration You can configure up to 255 gateways with one gateway per VLAN with values starting from 5 through 259 If the...

Page 86: ...y to client based traffic Rather defining a VLAN based gateway configures Alteon to use a predetermined gateway for the real server response The following configuration has three VLANs The real servers reside on VLAN 1 By specifying a VLAN based gateway Alteon controls which external link these real servers will use to respond to client requests The external link used is not dependent on whether t...

Page 87: ...ample Gateway Configuration for a VLAN 1 Assign an IP address for each router and client workstation 2 Assign an IP interface for each subnet attached to Alteon cfg l3 if 1 Select IP interface 1 for gateway 5 and 6 subnet IP Interface 1 addr 10 10 1 1 Assign IP address for interface 1 IP Interface 1 mask 255 255 255 0 Assign mask for IF 1 IP Interface 1 vlan 4 Assign VLAN 4 to IF 1 IP Interface 1 ...

Page 88: ...eway 5 Default gateway 5 addr 10 10 1 20 Assign IP address for gateway 5 Default gateway 5 cfg l3 gw 6 Select default gateway 6 Default gateway 6 addr 10 10 1 30 Assign IP address for gateway 6 Default gateway 6 cfg l3 gw 1 Select default gateway 1 Default gateway 1 addr 10 10 4 1 Assign IP address for gateway 1 cfg l3 gw 5 Select gateway 5 Default gateway 5 vlan 2 Add VLAN 2 for default gateway 5...

Page 89: ...ng page 91 Link Aggregation Control Protocol Trunking page 93 Overview When using port trunk groups between two Alteons as shown in Figure 5 Example Port Trunk Group Between Alteons page 89 you can create a virtual link between Alteons operating up to 4 gigabits per second depending on how many physical ports are combined Alteon supports up to 12 static trunk groups per Alteon each with two to eig...

Page 90: ... with just a few routers feeding the trunk the normal source and destination IP address combinations even within a single LAN can be widely varied This results in a wider statistical load distribution and maximizes the use of the combined bandwidth available to trunked ports The Trunk Hash Algorithm In order to distribute the load across all active ports in a trunk group the following algorithm is...

Page 91: ...nnect to the appropriate CLI as the administrator Note For details about accessing and using any of the menu commands described in this example see the Alteon Application Switch Operating System Command Reference In this example two Alteons are used If a third party device supporting link aggregation is used such as Cisco routers and switches with EtherChannel technology or Sun s Quad Fast Etherne...

Page 92: ... group Best performance is achieved when all ports in any given trunk group are configured for the same speed Trunking from non Alteon devices must comply with Cisco EtherChannel technology cfg l2 trunk 1 Select trunk group 1 Trunk group 1 add 2 Add port 2 to trunk group 1 Trunk group 1 add 12 Add port 12 to trunk group 1 Trunk group 1 add 15 Add port 15 to trunk group 1 Trunk group 1 ena Enable t...

Page 93: ...namically replaces it with the standby port Alteon can form trunk groups with any device which supports the IEEE 802 3ad standard Each LACP port has a parameter called admin key An LACP trunk group is formed with the ports with the same admin key The value of admin key can be any integer between 1 and 65535 Example Actor Versus Partner LACP Configuration In this example actor device ports 1 throug...

Page 94: ...rticipate in link aggregation Perform a similar configuration on the partner device with admin key 50 1 Set the LACP mode on port 1 2 Define the admin key on port 1 Only ports with the same admin key can form a LACP trunk group 3 Set the LACP mode on ports 2 to 4 4 Define the admin key on ports 2 to 4 5 Apply and verify the configuration cfg l2 lacp port 1 mode Select port 1 for LACP mode of opera...

Page 95: ...Alteon Application Switch Operating System Application Guide Port Trunking Document ID RDWR ALOS V2900_AG1302 95 6 Save your new configuration changes LACP port 4 save Save for restore after reboot ...

Page 96: ...Alteon Application Switch Operating System Application Guide Port Trunking 96 Document ID RDWR ALOS V2900_AG1302 ...

Page 97: ...mple two trunk team 1 Create a new port team 2 Add trunks to the new team 3 Enable port team In both of these examples the teams are placed in passive mode with either the ports or trunks operational The team is in passive mode when all ports or trunks are operational and the team is waiting for any one of the ports or trunks to become disabled When one of the ports or trunks is disabled the team ...

Page 98: ...perationally enabled some of the other ports or trunks in the team are not operational either because of a link going down or because they were operationally disabled or were set as disabled If this happens the team goes into off mode In this mode the team waits until all ports or trunks are operational before going back to passive mode to repeat the cycle ...

Page 99: ...e to STP s sequence of listening learning and forwarding or blocking lengthy delays may occur For more information on using STP in cross redundant topologies see Eliminating Loops with STP and VLANs page 568 Bridge Protocol Data Units BPDUs To create a spanning tree Alteon generates a configuration Bridge Protocol Data Unit BPDU which it then forwards out of its ports All devices in the Layer 2 ne...

Page 100: ... parameter controls which bridge on the network is the STP root bridge To make one Alteon the root bridge configure the bridge priority lower than all other switches and bridges on your network The lower the value the higher the bridge priority The bridge priority is configured using the cfg l2 stg brg prior command Port Priority The port priority helps determine which bridge port becomes the desi...

Page 101: ...ts Tagged ports can belong to more than one STG but untagged ports can belong to only one STG When a tagged port belongs to more than one STG the egress BPDUs are tagged to distinguish the BPDUs of one STG from those of another STG An untagged port cannot span multiple STGs Adding and Removing Ports to and from STGs This section includes the following sub sections Adding a Port page 101 Removing a...

Page 102: ...t are within a trunk group should be configured to have the same spanning tree and VLAN parameters Spanning tree parameters should not be changed on individual ports that belong to a trunk group To change spanning tree parameters on one or more ports belonging to a trunk group first remove individual members from the trunk group Multiple Spanning Trees Alteon supports the Multiple Spanning Tree Pr...

Page 103: ...rming a loop Both VLANs can forward packets between the Alteons without losing connectivity Figure 7 Example Multiple Spanning Tree Configuration Four Alteon Topology with a Single Spanning Tree In a four Alteon topology see Figure 8 Four Alteon Topology with a Single Spanning Tree page 104 and assuming Alteon A has a higher priority you can have at least three loops on the network Data flowing fr...

Page 104: ...ee elimination of logical loops will not isolate any VLAN Figure 9 Four Alteon Topology with a Multiple Spanning Tree page 104 shows the same four Alteon topology as in Figure 8 Four Alteon Topology with a Single Spanning Tree page 104 but with multiple spanning trees enabled The VLANs are identified on each of the three shaded areas connecting the Alteons The port numbers are shown next to each A...

Page 105: ...ds it out from port 8 Alteon B receives this BPDU on its port 1 Port 1 on Alteon B is on VLAN 2 STG1 Because Alteon B has no additional ports participating in STG1 this BPDU is not be forwarded to any additional ports and Alteon A remains the designated root VLAN 3 Participation For VLAN 3 you can have Alteon B or C to be the root bridge If Alteon B is the root bridge for VLAN 3 STG2 then Alteon B...

Page 106: ...rt Edge ports are generally connected to a server Edge ports can start forwarding as soon as the link is up Edge ports do not take part in a spanning tree configuration and should not receive BPDUs If a port with edge enabled does receive a BPDU it begins STP processing only if it is connected to a spanning tree bridge If it is connected to a host the edge port ignores BPDUs Link Type The link typ...

Page 107: ...ow separate paths each path based on an independent spanning tree instance This approach provides multiple forwarding paths for data traffic enabling load balancing and reducing the number of spanning tree instances required to support a large number of VLANs By default the spanning tree on the management ports is turned off in both STP PVST mode and in MSTP RSTP mode Main cfg l2 vlan 2 If the VLA...

Page 108: ...ct with them CIST port configuration includes Hello time edge port enable disable and link type These parameters do not affect STGs 1 through 16 They apply only when the CIST is used MSTP Configuration Guidelines Follow these guidelines when configuring MSTP When MSTP is turned on Alteon moves management VLAN 4095 to the CIST When MSTP is turned off Alteon moves VLAN 4095 from the CIST to STG16 Wh...

Page 109: ...ers 4 Assign VLANs to STGs 5 Turn off Layer 3 forwarding Main cfg l2 mrst Select Multiple Spanning Tree menu Multiple Spanning Tree mode mstp Set mode to Multiple Spanning Trees Multiple Spanning Tree on Turn Multiple Spanning Trees on Multiple Spanning Tree name xxxxxx Define the region name Main cfg l2 stg 2 Spanning Tree Group 2 add 2 Main cfg l3 frwd off IP Forwarding apply IP Forwarding save ...

Page 110: ...Alteon Application Switch Operating System Application Guide Spanning Tree Protocol 110 Document ID RDWR ALOS V2900_AG1302 ...

Page 111: ...es provide the following benefits Connects the server IP subnets to the rest of the backbone network Performs Server Load Balancing using both Layer 3 and Layer 4 in combination to server subnets that are separate from backbone subnets Routing IP traffic between multiple Virtual Local Area Networks VLANs configured on Alteon Routing Between IP Subnets The physical layout of most corporate networks...

Page 112: ...oss subnet communication This compromises efficiency in two ways Routers can be slower than switches The cross subnet side trip from the switch to the router and back again adds two hops for the data slowing throughput considerably Traffic to the router increases increasing congestion Even if every end station could be moved to better logical subnets competition for access to common server pools o...

Page 113: ...r for the next level of routing intelligence The router fills in the necessary address information and sends the data back to Alteon which then relays the packet to the proper destination subnet using Layer 2 switching With Layer 3 IP routing in place routing between different IP subnets can be accomplished entirely within Alteon This leaves the routers free to handle inbound and outbound traffic ...

Page 114: ...mon Servers 206 30 15 2 254 Table 15 Subnet Routing Example IP Interface Assignments Interface Devices IP Interface Address IF 1 Primary and Secondary Default Routers 205 21 17 3 IF 2 First Floor Client Workstations 100 20 10 1 IF 3 Second Floor Client Workstations 131 15 15 1 IF 4 Common Servers 206 30 15 1 cfg l3 if 1 Select IP interface 1 IP Interface 1 addr 205 21 17 3 Assign IP address for th...

Page 115: ... segregate broadcast domains using VLANs Note This procedure uses the configuration in Figure 10 Example Topology Migration page 112 as its baseline 1 Determine which ports and IP interfaces belong to which VLANs Table 16 includes port and VLAN information used in this example Default gateway 2 addr 205 21 17 2 Assign address for secondary router Default gateway 2 ena Enable secondary default gate...

Page 116: ...d port for second floor to VLAN 1 VLAN 1 ena Enable VLAN 1 VLAN 1 cfg l2 vlan 2 Select VLAN 2 VLAN 2 add port 3 Add port for default router 1 VLAN 2 add port 4 Add port for default router 2 VLAN 2 ena Enable VLAN 2 VLAN 2 cfg l2 vlan 3 Add port for default router 3 VLAN 3 add port 5 Select VLAN 3 VLAN 3 add port 6 Select port for common server 1 VLAN 3 ena Enable VLAN 3 Port 4 is an untagged port ...

Page 117: ...locating reusable network addresses and configuration parameters for client operation Built on the client server model DHCP allows hosts or clients on an IP network to obtain their configurations from a DHCP server thereby reducing the network administration effort The most significant configuration the client receives from the server is its required IP address Other optional parameters include th...

Page 118: ... configure the command IP interface closest to the client so that the DHCP server knows from which IP subnet the newly allocated IP address should come Figure 12 Example Basic DHCP Network page 118 illustrates a basic DHCP network example Figure 12 Example Basic DHCP Network In this Alteon implementation there is no need for primary or secondary servers The client request is forwarded to the BOOTP...

Page 119: ...t user intervention and therefore do not adequately represent the ever changing reality of an enterprise network It is because of this that static routes have an important but limited role in the enterprise network Typically static routes are used in situations when a protocol like RIP or OSPF cannot provide the information necessary to create connectivity between two nodes For example a node in a...

Page 120: ...ly differ in the addressing format used For information about IPv6 concepts and addressing formats see IPv6 page 835 IPv6 static routes are added using the cfg l3 route ip6 add command using the following syntax IPv6 static routes are removed from the switch using the cfg l3 route ip6 rem command using the following syntax The IPv6 static routes that are currently part of the switch configuration ...

Page 121: ...ntry it adds 1 to the metric value indicated in the update and enters the network in the routing table The IP address of the sender is used as the next hop Stability RIP includes a number of stability features that are common to many routing protocols For example RIP implements the split horizon and hold down mechanisms to prevent incorrect routing information RIP prevents routing loops from conti...

Page 122: ...RIP Version 2 RIP version 2 RIPv2 is the most popular and preferred configuration for most networks RIPv2 expands the amount of useful information carried in RIP messages and provides a measure of security RIPv2 improves efficiency by using multicast UDP address 224 0 0 9 data packets for regular routing updates Subnet mask information is provided in the routing updates A security option is added ...

Page 123: ...s 224 0 0 9 for periodic broadcasts Multicast RIPv2 announcements are not processed by RIPv1 routers To configure RIPv2 in RIPv1 compatibility mode set multicast to disable Default The RIP router can listen and supply a default route usually represented as 0 0 0 0 in the routing table When a router does not have an explicit route to a destination network in its routing table it uses the default ro...

Page 124: ...t of the routing table with metric 16 use the info l3 route dump command Locally configured static routes do not appear in the RIP routing table Main cfg l2 vlan 2 ena Enable VLAN 2 VLAN 2 add 2 Add port 2 to VLAN 2 Port 2 is an UNTAGGED port and its current PVID is 1 Confirm changing PVID from 1 to 2 y n y VLAN 2 cfg l2 vlan 3 ena Enable VLAN 3 VLAN 3 add 3 Add port EXT3 to VLAN 3 Port 3 is an UN...

Page 125: ...e 758 Internal Routing Versus External Routing To ensure effective processing of network traffic every router on your network needs to be configured to correctly send a packet directly or indirectly to any other location or destination in your network This is referred to as internal routing and can be done with static routes or using active internal dynamic routing protocols such as the Routing In...

Page 126: ... and the new route is static an update message is sent to that peer containing the new route For each route removed from the routing table if the route has already been sent to a peer an update message containing the route to withdraw is sent to that peer For each Internet host your system must send a packet to that host and that host must have a path back to your system Whatever system provides I...

Page 127: ...lustrates the relationship between route maps access lists and network filters Figure 14 Relationship Between Route Maps Access Lists and Network Filters Incoming and Outgoing Route Maps You can have two types of route maps incoming and outgoing A BGP peer router can be configured to support up to eight route maps in the incoming route map list and outgoing route map list If a route map is not con...

Page 128: ... to match In this step the network filter number is used to match the subnets defined in the network filter In step 3 the autonomous system number is used to match the subnets Alternately you can use both step 2 and step 3 criteria access list network filter and access path AS filter to configure the route maps 3 Optionally configure the attributes in the AS filter menu cfg l3 rmap x pre Specify a...

Page 129: ...the routing table You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table When a subnet is redistributed from an Interior Gateway Protocol IGP into BGP only the network route is injected into the BGP table By default this automatic summarization is disabled To define the route to aggregate For an exam...

Page 130: ...e routes are learned from another routing protocol enable that protocol for redistribution None BGP Attributes The following two BGP attributes are discussed in this section Local Preference Attribute page 130 Metric Multi Exit Discriminator Attribute page 130 Local Preference Attribute When there are multiple paths to the same destination the local preference attribute indicates the preferred pat...

Page 131: ...ath weight 128 x AS path length number of autonomous systems transversed 4 In the case of equal weight and routes learned from peers that reside in the same AS the lower metric is selected A route with a metric is preferred over a route without a metric 5 The lower cost to the next hop of routes is selected 6 In the case of equal cost the eBGP route is preferred over iBGP 7 If all routes are from ...

Page 132: ...on to be three router hops away Example 1 Configure Alteon as you normally would for Server Load Balancing SLB Assign an IP address to each of the real servers in the server pool Define each real server Define a real server group Define a virtual server Define the port configuration For more information about SLB configuration see Server Load Balancing page 165 2 Define the VLANs For simplicity bo...

Page 133: ...Alteon should never use it unless peer 1 goes down cfg l3 arp rearp 10 Set the re ARP period for interface to 10 IP cfg l3 metric strict Set metric for default gateway IP if 1 Select default gateway interface 1 IP Interface 1 ena Enable Interface 1 IP Interface 1 addr 200 200 200 1 Configure IP address of Interface 1 IP Interface 1 mask 255 255 255 0 Configure IP subnet address mask IP Interface 1...

Page 134: ...134 there are two peer routers an internal and an external peer router Alteon is configured to redistribute the default routes from AS 200 to AS 135 At the same time route aggregation condenses the number of routes traversing from AS 135 to AS 200 Figure 16 Default Redistribution and Route Aggregation Example Example 1 Configure the IP interface 2 Configure the AS number AS 135 and router ID numbe...

Page 135: ...eer 1 addr 10 1 1 4 Set IP address for peer router 1 BGP Peer 1 ras 135 Set remote AS number BGP Peer 1 cfg l3 bgp peer 2 Select external peer router 2 BGP Peer 2 ena Enable this peer configuration BGP Peer 2 addr 20 20 20 2 Set IP address for peer router 2 BGP Peer 2 ras 200 Set remote AS number cfg l3 bgp peer 1 redist Select redistribute BGP Peer 1 default redistribute Set default to redistribu...

Page 136: ...Alteon Application Switch Operating System Application Guide Border Gateway Protocol 136 Document ID RDWR ALOS V2900_AG1302 ...

Page 137: ...mple OSPF Domain page 151 Example 2 Virtual Links page 152 Example 3 Summarizing Routes page 156 Example 4 Host Routes page 158 Note CLI command paths in this chapter reflect OSPF version 2 For OSPF version 3 paths it is sufficient in most cases to replace the ospf parameter with ospfv3 For example OSPF version 2 CLI path Corresponding OSPF version 3 CLI path OSPF Overview OSPF is designed for rou...

Page 138: ...as in the AS must be connected to the backbone Areas inject summary routing information into the backbone which then distributes it to other areas as needed As shown in Figure 17 OSPF Areas page 138 OSPF defines the following types of areas Stub Area An area that is connected to only one other area External route information is not distributed into stub areas Not So Stubby Area NSSA An area simila...

Page 139: ...routing devices neighbors and adjacencies are formed Neighbors are routing devices that maintain information about each others health To establish neighbor relationships routing devices periodically send hello packets on each of their interfaces All routing devices that share a common network segment appear in the same area and have the same health parameters hello and dead intervals and authentic...

Page 140: ...ute has already been sent to an adjacency an update message containing the route to withdraw is sent The Shortest Path First Tree The routing devices use a link state algorithm Dijkstra s algorithm to calculate the shortest path to all known destinations based on the cumulative cost required to reach the destination The cost of an individual interface in OSPF is an indication of the overhead requi...

Page 141: ... separate OSPF networks parts of the AS will be unreachable and you will need to configure virtual links to reconnect the partitioned areas see Virtual Links page 145 Up to three OSPF areas can be connected to Alteon To configure an area the OSPF number must be defined and then attached to a network interface on Alteon The full process is explained in this section An OSPF area is defined by assign...

Page 142: ...ghout an area Attaching an Area to a Network Once an OSPF area has been defined it must be associated with a network To attach the area to a network you must assign the OSPF area index to an IP interface that participates in the area The format for the command is as follows Example The following commands could be used to configure IP interface 14 for a presence on the 10 10 10 1 24 network to defi...

Page 143: ...uting devices can reduce some sets of routes to a single advertisement reducing both the load on the routing device and the perceived complexity of the network The importance of route summarization increases with network size Summary routes can be defined for up to 16 IP address ranges using the following command range number is a number 1 to 16 IP address is the base IP address for the range mask...

Page 144: ...er configuration To resolve the situation and select one default route among multiple choices in an area you can manually configure a metric value on each ABR The metric assigns a priority to the ABR for its selection as the priority default route in an area To set the metric value metric value sets the priority for choosing this device for the default route The value none sets no default The valu...

Page 145: ... area index is the OSPF area index of the transit area router ID is the IP address of the virtual neighbor nbr the routing device at the target end point Another router ID is needed when configuring a virtual link in the other direction To provide Alteon with a router ID see Router ID page 145 For a detailed configuration example on Virtual Links see Example 2 Virtual Links page 152 Router ID Rout...

Page 146: ...on supports simple password type 1 plain text passwords and MD5 cryptographic authentication for OSPF version 2 This type of authentication allows a password to be configured per area Figure 20 Authentication Example page 146 shows authentication configured for area 0 with the password test Simple authentication is also configured for the virtual link between area 2 and area 0 Area 1 is not config...

Page 147: ...ey ID for Area 0 on Alteons 1 2 and 3 3 Assign MD5 key ID to OSPF interfaces on Alteons 1 2 and 3 4 Enable OSPF MD5 authentication for Area 2 on Alteon 4 5 Configure MD5 key for the virtual link between Area 2 and Area 0 on Alteons 2 and 4 6 Assign MD5 key ID to OSPF virtual link on Alteons 2 and 4 cfg l3 ospf if 1 OSPF Interface 1 key test OSPF Interface 1 cfg l3 ospf if 2 OSPF Interface 2 key te...

Page 148: ...ferred route for each virtual server and the others are available as backups for failover purposes If redundant routes via multiple routing processes such as OSPF RIP BGP or static routes exist on your network Alteon defaults to the OSPF derived route For a configuration example see 4 Host Routes page 158 Redistributing Routes into OSPF Alteon lets you emulate an ASBR by redistributing information...

Page 149: ... that protocol match any of the routes in the access lists and if action is set to permit then those routes are redistributed into OSPF using the metric and metric type assigned for that route map Metric sets the priority for choosing this device for the default route 3 Enable the access list 4 Set the action to permit for the access list To redistribute routes matched by the route map the action ...

Page 150: ...ure OSPF to export all routes of the protocol using the export command as described in Exporting All Routes page 149 2 Use route maps to configure routes to be denied by setting the action in the access list of the route map to deny The configuration of the route map is similar to that described in the second method except that the action is set to deny OSPF Configuration Examples Each of the conf...

Page 151: ...en into the backbone Figure 21 Simple OSPF Domain Example 1 Configure IP interfaces on each network that is attached to OSPF areas Two IP interfaces are needed one for the backbone network on 10 10 7 0 24 and one for the stub area network on 10 10 12 0 24 2 Enable OSPF 3 Define the backbone Always configure the backbone as a transit area using areaid 0 0 0 0 cfg l3 if 1 Select menu for IP interfac...

Page 152: ... index 0 areaid 0 0 0 0 Set the ID for backbone area 0 Open Area index 0 type transit Define backbone as transit type OSPF Area index 0 enable Enable the area OSPF Area index 0 cfg l3 ospf aindex 1 Select menu for area index 1 OSPF Area index 1 areaid 0 0 0 1 Set the area ID for OSPF area 1 OSPF Area index 1 type stub Define area as stub type OSPF Area index 1 enable Enable the area OSPF Area 1 cf...

Page 153: ...ess 3 Enable OSPF 4 Define the backbone cfg l3 if 1 Select menu for IP interface 1 IP Interface 1 addr 10 107 1 Set IP address on backbone network IP Interface 1 mask 255 255 255 0 Set IP mask on backbone network IP Interface 1 enabled Enable IP interface 1 IP Interface 1 cfg l3 if 2 Select menu for IP interface 2 IP Interface 2 addr 10 10 12 1 Set IP address on transit area network IP Interface 2...

Page 154: ...as transit type OSPF Area index 1 enable Enable the area OSPF Area index 1 cfg l3 ospf if 1 Select OSPF menu for IP interface 1 OSPF Interface 1 aindex 0 Attach network to backbone index OSPF Interface 1 enable Enable the backbone interface OSPF Interface 1 cfg l3 ospf if 2 Select OSPF menu for IP interface 2 OSPF Interface 2 aindex 1 Attach network to transit area index OSPF Interface 2 enable En...

Page 155: ...d 10 10 14 1 IP cfg 13 ospf on Open Shortest Path First aindex 0 Select the menu for area index 0 OSPF Area index 0 areaid 0 0 0 0 Set the area ID for OSPF area 0 OSPF Area index 0 enable Enable the area OSPF Area index 0 cfg l3 ospf aindex 1 Select menu for area index 1 OSPF Area index 1 areaid 0 0 0 1 Set the area ID for OSPF area 1 OSPF Area index 1 type transit Define area as transit type OSPF...

Page 156: ...ork If the network IP addresses in an area are assigned to a contiguous subnet range you can configure the ABR to advertise a single summary route that includes all the individual IP addresses within the area Figure 23 Summarizing Routes Example page 157 illustrates one summary route from area 1 stub area injected into area 0 the backbone The summary route consists of all IP addresses from 36 128 ...

Page 157: ...ress on backbone network IP Interface 1 mask 255 255 255 0 Set IP mask on backbone network IP Interface 1 ena Enable IP interface 1 IP Interface 1 cfg l3 if 2 Select menu for IP interface 2 IP Interface 2 addr 36 128 192 1 Set IP address on stub area network IP Interface 2 mask 255 255 192 0 Set IP mask on stub area network IP Interface 2 ena Enable IP interface 2 IP Interface 2 cfg l3 ospf on Ena...

Page 158: ... hosts but with the costs reversed one host route has a high cost for virtual server 10 10 10 1 and another has a low cost for virtual server 10 10 10 2 OSPF Area index 1 type stub Define area as stub type OSPF Area index 1 enable Enable the area OSPF Area index 1 cfg l3 ospf if 1 Select OSPF menu for IP interface 1 OSPF Interface 1 aindex 0 Attach network to backbone index OSPF Interface 1 enable...

Page 159: ...stribute traffic among available real servers In addition if one of Alteons were to fail the upstream routing device would forward the traffic to the ABR whose host route has the next lowest cost The remaining device assumes the entire load for both virtual servers Figure 24 Host Routes Example Configuring Host Routes on Alteon 1 1 Configure IP interfaces for each network that is attached to OSPF ...

Page 160: ...Add real server 1 to group Real server group 1 add 2 Add real server 2 to group Real server group 1 enable Enable the group Real server group 1 cfg slb on Turn SLB on Layer 4 cfg slb port 4 Select port 4 SLB Port 4 client ena Enable client processing on port 4 SLB Port 4 cfg slb port 5 Select port 5 SLB Port 5 server ena Enable server processing on port 5 Layer 4 Port 5 cfg slb adv Select the SLB ...

Page 161: ...P Interface 2 cfg l3 ospf on Enable OSPF on Alteon 1 Open Shortest Path First aindex 0 Select menu for area index 0 OSPF Area index 0 areaid 0 0 0 0 Set the ID for backbone area 0 OSPF Area index 0 type transit Define backbone as transit type OSPF Area index 0 enable Enable the area OSPF Area index 0 cfg l3 ospf aindex 1 Select menu for area index 1 OSPF Area index 1 areaid 0 0 0 1 Set the ID for ...

Page 162: ... Host Entry 2 addr 10 10 10 2 Set IP address same as virtual server 2 OSPF Host Entry 2 aindex 0 Inject host route into backbone area OSPF Host Entry 2 cost 100 Set high cost for use as backup path OSPF Host Entry 2 enable Enable the host route OSPF Host Entry 2 apply Global command to apply all changes OSPF Host Entry 2 save Global command to save all changes cfg slb real 1 Select menu for real s...

Page 163: ...r http service Virtual server 1 cfg l3 if 1 Select menu for IP Interface 1 IP Interface 1 addr 10 10 10 6 Set IP address on backbone network IP Interface 1 enable Enable IP interface 1 IP Interface 1 cfg l3 if 2 Select menu for IP Interface 2 IP Interface 2 addr 100 100 100 41 Set IP address on stub area network IP Interface 2 enable Enable IP interface 2 IP Interface 2 cfg l3 ospf on Enable OSPF ...

Page 164: ...ence for information on these commands OSPF Interface 1 cfg l3 ospf if 2 Select OSPF menu for IP interface 2 OSPF Interface 2 aindex 1 Attach network to stub area index OSPF Interface 2 enable Enable the stub area interface OSPF Interface 2 cfg l3 ospf host 1 Select menu for host route 1 OSPF Interface 1 addr 10 10 10 1 Set IP address same as virtual server 1 OSPF Host Entry 1 aindex 0 Inject host...

Page 165: ...perating System Command Reference Understanding Server Load Balancing SLB benefits your network in the following ways Increased efficiency for server utilization and network bandwidth With SLB Alteon is aware of the shared services provided by your server pool and can then balance user session traffic among the available servers Important session traffic gets through more easily reducing user comp...

Page 166: ... the entire network as user requests are rejected by the server and then resubmitted by the user stations Ironically overuse of key servers often happens in networks where other servers are actually available The solution to getting the most from your servers is SLB With this software feature Alteon is aware of the services provided by each server Alteon can direct user session traffic to an appro...

Page 167: ... address protocol or Layer 4 port criteria In filter based load balancing a filter is used to redirect traffic to a real server group If the group is configured with more than one real server entry redirected traffic is load balanced among the available real servers in the group Firewalls WAP with RADIUS snooping IDS and WAN links use redirection filters to load balance traffic Content based load ...

Page 168: ...omer Web sites are hosted by a popular Web hosting company and or Internet Service Provider ISP The Web content is relatively static and is kept on a single NFS server for easy administration As the customer base increases the number of simultaneous Web connection requests also increases Figure 26 Web Hosting Configuration Without SLB Such a company has three primary needs Increased server availab...

Page 169: ...alancing the Web request load across multiple servers More servers can be added at any time to increase processing power For ease of maintenance servers can be added or removed dynamically without interrupting shared services Network Topology Requirements When deploying SLB there are a few key aspects to consider In standard SLB all client requests to a virtual server IP address and all responses ...

Page 170: ...se types of services must be configured as persistent see Persistence page 583 or must use the minmisses hash phash metrics see Metrics for Real Server Groups page 180 Clients and servers can be connected through the same Alteon port Each port in use can be configured to process client requests server traffic or both You can enable or disable processing on a port independently for each type of Lay...

Page 171: ...ing you must be connected to the CLI as the administrator Note For details about any of the menu commands described in this example refer to the Alteon Application Switch Operating System Command Reference 1 Assign an IP address to each of the real servers in the server pool The real servers in any given real server group must have an IP route to Alteon that performs the SLB functions This IP rout...

Page 172: ...ist of other well known services and ports see Table 20 To configure multiple services see Multiple Services per Real Server page 177 cfg l3 if 1 Select IP Interface 1 IP Interface 1 addr 200 200 200 100 Assign IP address for the interface IP Interface 1 ena Enable IP Interface 1 IP Interface 1 cfg slb real 1 Server A is Real Server 1 Real server 1 rip 200 200 200 2 Assign Server A IP address Real...

Page 173: ...FS server provides centralized content for all three real servers This port does not require switching features None 5 Client router A connects Alteon to the Internet where client requests originate Client 6 Client router B connects Alteon to the Internet where client requests originate Client Virtual server 1 cfg slb port 1 Select physical port 1 SLB port 1 server ena Enable server processing on ...

Page 174: ... is configured on a separate real server with its own ports all with the same IP address The real servers are associated with groups each dedicated to a Layer 7 content switching rule on the virtual service Health check Lets you configure scripted health checks for a server with multiple ports Maximum connections Physical server If you need to limit the maximum number of connections per physical s...

Page 175: ...Multiple real servers with the same IP address with no addport configured must be associated to different server groups Supported Services and Applications Each virtual server can be configured to support up to eight services limited to a total of 1023 services per Alteon Using the cfg slb virt virtual server number service option the following TCP UDP applications can be specified Note The servic...

Page 176: ... slb dis commands The grace option is enabled only if the real server is in failed state and not in disabled state failed by health check For example consider HTTP service when the grace option is enabled After handling client requests for some time the real server is marked failed by the health check but the remaining sessions to the real server are still kept to maintain previous connections fro...

Page 177: ...ces If you are configuring two dependent services such as HTTP and HTTPS where the real server failure on one service blocks the real server for other services then configure a single group with multiple services If a real server configured for both HTTP and HTTPS fails for the HTTP service then the server is blocked from supporting any HTTPS requests Alteon blocks HTTPS requests even though HTTPS...

Page 178: ...uddy Server Health Check Configuration To add a real server as a buddy server for another real server To remove a real server as a buddy server Main cfg slb real real server number adv buddyhc addbd real server number real server group service Main cfg slb real real server number adv buddyhc delbd real server number real server group service ...

Page 179: ...d enable HTTP service Main cfg slb real real server number adv buddyhc cur Main cfg l3 if 1 addr 10 1 11 1 mask 255 255 255 0 ena Main cfg slb on Main cfg slb port 2 server en Main cfg slb port 3 server en Main cfg slb port 4 server en Main cfg slb port 5 server en Main cfg slb port 6 server en Main cfg slb real 1 rip 10 1 11 30 ena Main cfg slb real 2 rip 10 1 11 31 ena Main cfg slb real 3 rip 10...

Page 180: ...2 Weighted Hash page 182 Least Connections page 182 Least Connections Per Service page 182 Round Robin page 182 Response Time page 183 Bandwidth page 183 Changing the Real Server Group Metric The default metric is least connections leastconns You can change the metric using the metric command as shown in the following example Main cfg slb virt 1 vip 120 10 10 10 ena Main cfg slb virt 1 service htt...

Page 181: ...cfg slb group x mhash 32 This 32 bit hash is most useful in the wireless world The minmisses metric cannot be used for Firewall Load Balancing FWLB since the real server IP addresses used in calculating the score for this metric are different on each side of the firewall Hash The hash metric uses IP address information in the client request to select a server The specific IP address information us...

Page 182: ...n hashing is chosen as the load balancing metric Weighted Hash Weighted hash allows real server weighting to be used in conjunction with the hash load balancing algorithm If the configured real server weight is greater than 1 the real server weight is taken into account during the load balancing calculation There are no CLI commands to configure or change the weighted hash state Least Connections ...

Page 183: ... more octets are considered to have less available bandwidth than servers that have processed fewer octets For example the server that processes half the amount of octets over the last interval receives twice the weight of the other servers The higher the bandwidth used the smaller the weight assigned to the server Based on this weighting the subsequent requests go to the server with the highest a...

Page 184: ...width metered real servers are also used in other real server groups that use the leastconns or roundrobin metrics the bandwidth weights are applied on top of the leastconns or roundrobin calculations for the affected real servers Since the bandwidth weight changes dynamically this can produce fluctuations in traffic distribution for the real server groups that use the leastconns or roundrobin met...

Page 185: ...r real servers can handle When a server reaches its maxcon limit Alteon no longer sends new connections to the server When the server drops back below the maxcon limit new sessions are again allowed You can also set the max connections mode to physical default or logical Real servers with the same IP address must be set to the same maxcon connection mode Real servers with the same IP address set t...

Page 186: ...ackup server must be assigned to each real server that it will back up Example Define Real Server 4 as a backup overflow for Real Servers 1 and 2 Example Assign a backup overflow server to a real server group Similarly a backup overflow server can be assigned to a real server group If all real servers in a real server group fail or overflow the backup comes online Main cfg slb Real Server 700 maxc...

Page 187: ... Assign a backup overflow server to a real server group Similarly a backup overflow server can be assigned to a real server group If all real servers in a real server group fail the backup comes online cfg slb group real server group number Select Real Server group Real server group backup r4 Assign Real Server 4 as backup cfg slb group real server group number Select Real Server group Real server...

Page 188: ...is to avoid sending a high rate of new connections to a new server When the slow start begins traffic is throttled and increased gradually until server initialization is complete Server slow start is controlled by setting a time limit that determines the length of the slow start period Server slow start begins when any of the following occur Server comes online A new real server is added and comes...

Page 189: ...tecture VMA is a hybrid architecture that takes full advantage of the distributed processing capability in Alteon With VMA Alteon makes optimal use of system resources by distributing the workload to multiple processors thereby improving performance and increasing session capacity VMA also removes the topology constraints introduced by using Direct Access Mode DAM By default VMA is enabled cfg slb...

Page 190: ...address space subnet By using NAT on the the client IP address traffic returning from the server is forced to pass via Alteon Support for non transparent proxy functionality Alteon works as a non transparent proxy in the following cases When performing connection management multiplexing When performing as an IPv4 IPv6 gateway Note Client IP address translation is mandatory for non transparent prox...

Page 191: ... the proxy IP mode per virtual service and determine whether to perform client NAT using the proxy addresses configured on the ingress interface port or VLAN or on the egress interface By default ingress interface addresses are used You must define whether Alteon uses port based or VLAN based proxy IP addresses they cannot both be active on the same Alteon When multiple addresses are configured pe...

Page 192: ...ific proxy IP addresses or as part of proxy IP network class Host Preservation You can choose to translate only the network prefix portion of the client IP address and to preserve the host portion For example if the proxy IP address is set to 20 12 32 0 255 255 255 0 client IP 133 14 15 29 is translated to 20 12 32 29 client IP 145 11 23 67 is translated to 20 12 32 67 and so on This capability re...

Page 193: ...a virtual service 2 Configure a network class 3 Configure a proxy IP address for the virtual service Enter new IPv6 PIP address or none Enter new IPv6 PIP prefix 128 Virtual Server 1 80 http Service pip mode Select PIP Mode Address Subnet Current pip mode ingress Enter new pip mode disable ingress egress address nwclss address Proxy IP addr Define proxy IP subnet Current PIP addresses v4 none v6 n...

Page 194: ...rnal servers initiate requests to the external network they require a public IP address for their source IP address When the real servers initiate traffic flows Alteon can mask real IP addresses of the servers in the server farm with a virtual server IP address configured in Alteon Using a virtual server IP address as the PIP address enables conservation of public IP addresses This behavior can be...

Page 195: ...red to map a single virtual port to multiple real ports This lets site managers for example differentiate users of a service by using multiple service ports to process client requests Alteon supports up to 64 real ports per server when multiple rports are enabled This feature allows the network administrator to configure up to 64 real ports for a single service port It is supported in Layer 4 and ...

Page 196: ...etric to choose a real port to receive the incoming connection If the algorithm is leastconns Alteon sends the incoming connections to the logical real server real server IP address port combination with the least number of connections The cfg slb virt command defines the real server TCP or UDP port assigned to a service By default this is the same as the virtual port service virtual port If rport...

Page 197: ...ent providers or portal sites that typically have asymmetric traffic patterns DSR and content intelligent Layer 7 load balancing cannot be performed at the same time because content intelligent load balancing requires that all frames go back to Alteon for connection splicing cfg slb real 1 rip 192 168 2 1 ena cfg slb real 2 rip 192 168 2 2 ena cfg slb real 3 rip 192 168 2 3 ena cfg slb real 4 rip ...

Page 198: ...ient bypassing Alteon and using the virtual server IP address as the source IP address To set up DSR One Arm Topology Application Source MAC Address Substitution By default in packets destined for servers in an SLB environment the source MAC address is not modified and the client request is forwarded to the server with the MAC address of the client You can substitute the client source MAC address ...

Page 199: ...return though Alteon without making changes on the server In this configuration everything works properly on the server side The server receives packets with the client s source MAC address and because it has a different IP range than the client the server correctly returns the traffic to the client However the packets fail to reach the client because both Alteon and the Layer 2 switch are located...

Page 200: ...adv direct is enabled any client can communicate with any real server s load balanced service Also any number of virtual services can be configured to load balance a real service With DAM traffic that is sent directly to real server IP addresses instead of the virtual server IP address is excluded from load balancing decisions The same clients may also communicate to the virtual server IP address ...

Page 201: ...re cannot be recorded in a session entry in the session table To block use of DAM for the UDP protocol service port 9200 Notes The cfg slb virt x service y direct command requires that DAM be enabled globally on Alteon If DAM is not enabled globally on Alteon the direct disable command has no effect When DAM is enabled on Alteon and disabled on a virtual server virtual port pair direct access to o...

Page 202: ...ing the virtual server IP address Mapping Ports for Multiple IP Addresses When SLB is used without PIP addresses and without DAM Alteon must process the server to client responses If a client were to access the real server IP address and port directly bypassing client processing the server to client response could be mishandled by SLB processing as it returns through Alteon with the real server IP...

Page 203: ...on about the client connection on which a load balancing decision is performed Delayed binding consists of the following statuses Enabled Performs SYN SYN denial of service Protection and enables some Alteon Layer 7 capabilities and SYN protection Disabled No delayed binding is performed Force Proxy Uses the Application Service Engine and enables TCP Optimization Delayed Binding Using Denial of se...

Page 204: ...pped and Non Mapped Server Access Using delayed binding Alteon intercepts the client SYN request before it reaches the server Alteon responds to the client with a SYN ACK that contains embedded client information Alteon does not allocate a session until a valid SYN ACK is received from the client or the three way handshake is complete ...

Page 205: ...s for the server to respond with a SYN ACK and then forwards the clients DATA REQ to the server This means that Alteon delays binding the client session to the server until the proper handshakes are complete As a result two independent TCP connections span a session one from the client to Alteon and the second from Alteon to the selected server Alteon temporarily terminates each TCP connection unt...

Page 206: ... track of the number of new half open sessions for a set period If the value exceeds the threshold then a syslog message and an SNMP trap are generated You can change the default parameters for detecting SYN attacks in the cfg slb adv synatk menu You can specify how frequently you want to check for SYN attacks from two seconds to one minute and modify the default threshold representing the number ...

Page 207: ...6 30 1 are assigned to service the virtual server The imask is set to 255 255 255 0 If the client request is set to virtual server IP address 172 16 10 45 the unmasked portion of the address 0 0 0 45 gets mapped directly to whichever real server IP address is selected by the SLB algorithm This results in the request being sent to either 172 16 20 45 or 172 16 30 45 Session Timeout Per Service This...

Page 208: ...rsion of the server is different from the IP version of the client Alteon converts the client packet to a packet of the server IP version before it is forwarded to the server In this environment Alteon supports Layer 4 and Layer 7 traffic processing for HTTP and HTTPS including application acceleration Layer 4 SLB and SSL offloading for SSL Basic Layer 4 SLB for UDP and TCP Note Since IPv6 does no...

Page 209: ...coming packet IPv6 to IPv4 Server Load Balancing Figure 37 IPv6 to IPv4 Layer 4 SLB Example page 209 illustrates SLB between IPv6 clients and IPv4 servers Figure 37 IPv6 to IPv4 Layer 4 SLB Example To configure IPv6 support for load balancing IPv4 real servers This procedure references Figure 37 IPv6 to IPv4 Layer 4 SLB Example page 209 1 Configure the IPv6 network interface Main cfg l3 if 1 IP In...

Page 210: ...N 3 add 14Port 14 is an UNTAGGED port and its current PVID is 1 Confirm changing PVID from 1 to 3 y n y VLAN 3 add 15Port 15 is an UNTAGGED port and its current PVID is 1 Confirm changing PVID from 1 to 3 y n y Main cfg l3 if 3 Interface 3 ena Interface 3 ipver v4 Interface 3 addr 30 1 1 1 Interface 3 mask 255 255 255 0 Interface 3 broad 30 1 1 255 Interface 3 vlan 3 Main cfg l3 gw 5 Default gatew...

Page 211: ... type port 11 Apply and save the configuration Main cfg slb real 1 Real Server 1 ena Real Server 1 rip 30 1 1 13 Main cfg slb real 2 Real Server 2 ena Real Server 2 rip 30 1 1 14 Main cfg slb real 3 Real Server 3 ena Real Server 3 rip 30 1 1 15 Main cfg slb group 1 Real Server Group 1 ena Real Server Group 1 health http Real Server Group 1 add 1 Real Server Group 1 add 2 Real Server Group 1 add 3 ...

Page 212: ...e page 212 illustrates SLB between IPv6 clients and IPv6 servers Figure 38 IPv6 to IPv6 Layer 4 SLB Example To configure IPv6 support for load balancing IPv6 real servers This procedure references Figure 38 IPv6 to IPv6 Layer 4 SLB Example page 212 1 Configure the IPv6 network interface Main cfg l3 if 1 Interface 1 ena Interface 1 ipver v6 Interface 1 addr abcd 0 0 0 0 0 0 253 Interface 1 mask 64 ...

Page 213: ...fg slb real 1 Real Server 1 ena Real Server 1 ipver v6 Real Server 1 rip abcd 0 0 0 0 0 0 11 Main cfg slb real 2 Real Server 2 ena Real Server 2 ipver v6 Real Server 2 rip abcd 0 0 0 0 0 0 12 Main cfg slb group 1 Real Server Group 1 ipver v6 Real Server Group 1 add 1 Real Server Group 1 add 2 Main cfg slb port 1 SLB Port 1 client ena Main cfg slb port 2 SLB Port 2 client ena Main cfg slb port 21 S...

Page 214: ...evels of service and different service access rights This can be achieved by adding source IP classification to a virtual server or filter using network classes A network class is a configuration object that can include multiple IP ranges and or IP subnets and can be used for traffic classification Configuring Network Classes page 214 Configuring Source Network Based Server Load Balancing page 216...

Page 215: ...a range of IP addresses and the network match type Enter subnet to define an IP address a subnet mask and the network match type For a description of all of the cfg slb nwclss commands refer to the Alteon Application Switch Operating System Command Reference cfg slb nwclss Network Class NWC1 Menu name Set network class name network Network Element Menu ipver Set IP version copy Copy network class ...

Page 216: ...able client processing on the port connected to the clients For information on how to configure your network for SLB see Server Load Balancing page 165 2 Define network classes for the type of differentiated services you want to configure 3 Define virtual servers for internal and external customers and assign the network classes you defined for each virtual server accordingly Define an HTTP servic...

Page 217: ...ee Supported Services and Applications page 175 This section describes the following topics Implementing HTTP HTTPS Server Load Balancing page 218 Content Intelligent Server Load Balancing page 219 Content Intelligent Application Services page 237 Advanced Content Modifications page 244 Content Intelligent Caching and Compression Overview FastView page 267 Content Intelligent Caching page 268 Cach...

Page 218: ... To configure Alteon for HTTPS load balancing on its well known port 443 Access the virtual server and set the HTTPS virtual service To configure HTTP or HTTPS on a non standard port Use the same command with the requested port number Alteon prompts you for the application for which you want to use this port assuming it is not the well known port of another application To configure Alteon for HTTP...

Page 219: ...ation or discarding the HTTP request altogether Similarly the default action configured at the service level can be any available action The content class is a matching object used for Layer 7 content switching rules You can define a set of matching criteria that are based on the application type For example with an HTTP class you can define matching criteria based on HTTP protocol elements such a...

Page 220: ... any modifications and is based on the original requests The following sample use cases illustrate the feature range of Layer 7 content switching URL Based Server Load Balancing page 220 Virtual Hosting page 226 Cookie Based Preferential Load Balancing page 227 Browser Smart Load Balancing page 231 XML SOAP Based Server Load Balancing page 234 URL Hashing for Server Load Balancing page 236 URL Bas...

Page 221: ...erver pool Define an IP interface Define each real server Define a real server group containing all servers 1 through 4 and set up health checks for the group Define a virtual server with a virtual service on port 80 HTTP and assign the real server group to service it This will be the group servicing all other requests not cgi or images containing Real Servers 1 through 4 Enable SLB Enable client ...

Page 222: ...d balance Resource cfg slb layer7 slb Server Load balance Resource cntclss Enter Class id cgi HTTP Content Class cgi Menu name Set the Descriptive HTTP content class name hostname URL Hostname lookup Menu path URL Path lookup Menu filename URL File Name lookup Menu filetype URL File Type lookup Menu header Header lookup Menu cookie Cookie lookup Menu text Text lookup Menu xmltag XML tag lookup Men...

Page 223: ...rect Set application redirection location rport Set real port hname Set hostname cont Set BW contract for this virtual service pbind Set persistent binding type thash Set hash parameter tmout Set minutes inactive connection remains open ptmout Set in minutes for inactive persistent connection dbind Enable disable forceproxy delayed binding nonat Enable disable only substituting MAC addresses direc...

Page 224: ...nal rule ID Virtual Server 10 80 http Service cntrules Enter Content Based Services Rule number 1 12800 5 HTTP Content Rule 5 Menu name Set descriptive content rule name cntclss Set content class for this rule action Set action type for this rule group Set real server group number for this rule redirect Set application redirection location for this rule copy Copy rule ena Enable rule dis Disable r...

Page 225: ...e action Set action type for this rule group Set real server group number for this rule redirect Set application redirection location for this rule copy Copy rule ena Enable rule dis Disable rule del Delete rule cur Display current rule configuration HTTP Content Rule 15 name Current descriptive content rule name Enter new descriptive content rule name redirect secure request HTTP Content Rule 15 ...

Page 226: ... retrieve the URL www radware com products Alteon would look like this GET products Alteon HTTP 1 1 Host www radware com User agent Mozilla 3 0 Accept text html image gif image jpeg The Host header carries the hostname used to generate the IP address of the site Based on the Host header Alteon forwards the request to servers representing different customer Web sites The network administrator needs...

Page 227: ... to scarce resources on a Web site Provide better services to repeat customers based on access count Clients that receive preferential service can be distinguished from other users by one of the following methods Individual User A specific individual user can be distinguished by IP address login authentication or permanent HTTP cookie User Communities A set of users such as Premium Users for servi...

Page 228: ...ass cookie gold Menu name Set the Descriptive HTTP content class name hostname URL Hostname lookup Menu path URL Path lookup Menu filename URL File Name lookup Menu filetype URL File Type lookup Menu header Header lookup Menu cookie Cookie lookup Menu text Text lookup Menu xmltag XML tag lookup Menu logexp Set logical expression between classes copy Copy HTTP content class del Delete HTTP content ...

Page 229: ...disable direct access mode mirror Enable disable session mirroring epip Enable disable pip selection based on egress port vlan winsize0 Enable disable using window size zero in SYN ACK ckrebind Enable disable server rebalancing when cookie is absent del Delete virtual service cur Display current virtual service configuration Virtual Server 10 80 http Service cntrules Enter Content Based Services R...

Page 230: ...http Virtual Server 10 80 http Service Menu name Set descriptive virtual service name http HTTP Load Balancing Menu cntrules Content Based Services Rules Menu action Set action type of this service group Set real server group number redirect Set application redirection location rport Set real port hname Set hostname cont Set BW contract for this virtual service pbind Set persistent binding type th...

Page 231: ...P Class1 Includes a list of user agents to match laptops and desktops HTTP Class2 Includes a list of user agents to match mobile phones HTTP Class3 Matched with URL my site com AND class1 and performs SLB using Server Group 1 providing regular web site content HTTP Class4 Matched with URL my site com and class2 and redirects request to the mobile phone specific version of the Web site located at m...

Page 232: ... Set match type case Enable disable case sensitive for string matching copy Copy header del Delete header cur Display current header configuration Header internet explorer match Current matching type for Header name include value include Enter new matching type for Header name eq incl regex regex eq Enter new matching type for Header value eq incl regex regex regex Header internet explorer header ...

Page 233: ...TTP virtual service to match Class3 with URL my site com and desktop browsers and perform load balancing using Server Group 1 Server Load balance Resource cntclss Enter Class id class3 HTTP Content Class class3 Menu name Set the Descriptive HTTP content class name hostname URL Hostname lookup Menu path URL Path lookup Menu filename URL File Name lookup Menu filetype URL File Type lookup Menu heade...

Page 234: ...tent switching based on a tag attribute such as the tag GetStockPrice with the attribute StockEx which has the value NASDAQ Alternatively Alteon can perform content switching based on a tag value like the tag StockName with the value IBM To configure XML based load balancing 1 Before you can configure XML based load balancing ensure that Alteon is configured for basic SLB with the following tasks ...

Page 235: ...nformation on how to configure content switching rules see URL Based Server Load Balancing page 220 Main cfg slb layer7 slb cntclss Enter Class id StockName IBM HTTP Content Class StockName IBM Menu name Set the Descriptive HTTP content class name hostname URL Hostname lookup Menu path URL Path lookup Menu filename URL File Name lookup Menu filetype URL File Type lookup Menu header Header lookup M...

Page 236: ...s for the same origin server to the same proxy cache server For example requests made from a client to http radwarealteon com from different clients may get sent to different caches Figure 40 Load Balancing Non transparent Caches Configuring URL Hashing You can direct the same URL request to the same cache or proxy server by using a virtual server IP address to load balance proxy requests By confi...

Page 237: ... Codes Changing URLs in Server Responses page 239 Enhancing Server Security by Hiding Server Identity page 241 Enhancing Security by Hiding Page Locations page 241 Replacing Free Text in Server Responses page 243 Sending Original Client IPs to Servers Alteon can insert the inclusion of the X Forwarded For header in client HTTP requests in order to preserve client IP information This feature is use...

Page 238: ...all the relevant codes To configure multiple error codes type the codes separated with a comma For example 403 504 Make sure that you define whether the new values are added to or replace the existing values For example if the current configuration is for X and you update the code to Y then X is removed To configure both X and Y type both ports separated with a comma For example X Y When editing t...

Page 239: ...hen editing the existing configuration the current configuration is displayed in square brackets to facilitate the update To clear the existing configuration of the page name and page type enter None By default URL path change modification is disabled Note Using these commands results in path modifications only The protocol HTTP or HTTPS and the port when specified are not modified To change URLs ...

Page 240: ...l any any eq Enter hostname to match www a com Enter path match type sufx prefx eq incl any any eq Enter path to match www path com Enter page name to match or none test Enter page type to match or none html Enter path action type insert replace remove none Table 24 URL In Server Responses Action Parameters Action Action Parameters None No action is taken Continue to the next step Remove The match...

Page 241: ...hen hiding path locations specified URLs within the server responses are removed and added back to the client requests For example if the user wants to hide a path with newsite all links such as www site com newsite page htm appear to the user as www site com page htm Therefore newsite will be added at the beginning of the path to all requests to www site com You can enable disable or clear the pa...

Page 242: ...n servers to real server groups Define virtual servers and services 2 Access and then enable URL path change 3 Enter the hostname type and path type to be matched Example In all URLs in the server responses that use www site com test test should be removed from the path For example when www site com test a page html appears in the response it is translated to www site com a page html Client reques...

Page 243: ...he action type enter the required parameters Example To remove the text this is a dummy line from server responses use the following configuration HTTP Load Balancing pathhide Note The match condition applies to the response Current path hide obfuscate configuration disabled Enter enabled disabled or clear e d c c e Enter hostname match type sufx prefx eq incl any any eq Enter hostname to match ww...

Page 244: ...P headers or the entire message body See Configuring HTTP Modification for Text Elements page 265 Depending on the element type these modifications are applied to the header only or both header and body of the HTTP responses or requests About Rule Lists You can configure lists of HTTP modification rules rule lists and then associate a rule list to services The same HTTP modification rule list can ...

Page 245: ...y the changes for the modifications to take effect For information on how to associate rules to a virtual service see Associating HTTP Modification Rules to a Service page 267 The following is a list of all HTTP elements and their supported actions Table 26 HTTP Elements and Their Supported Actions Element Action Header Configuring the Replace Action for HTTP Headers page 246 To configure the remo...

Page 246: ...t configuration via the Layer 7 menu enter a rule list ID and enable the rule list 2 Enter rule the rule ID number and then enter the desired element type 3 Enter action to access the Rule Action menu and then enter replace to set the new rule replace action Note To replace only the content of the header field the value and not the header field name enter the same header field name in new header f...

Page 247: ...e is removed A value match means a complete word within the value of the header Note The numbers and names in this procedure are examples only 1 Access HTTP Modification rule list configuration via the Layer 7 menu enter a rule list ID and enable the rule list 2 Enter rule the rule ID number and then enter the desired element type header Modification http mod list Rule 5 directn Enter new rule dir...

Page 248: ...e The numbers and names in this procedure are examples only 1 Access HTTP Modification rule list configuration via the Layer 7 menu enter a rule list ID and enable the rule list 2 Enter rule the rule ID number and then enter the desired element type header Modification http mod list Rule 5 action Current rule action Enter new rule action insert replace remove remove Enter header field to remove En...

Page 249: ...he Cookies HTTP header is updated When using cookies for responses the Set Cookie header is updated When creating a rule for a cookie element the following actions can be defined To configure the replace action for cookies page 250 To configure the remove action for cookies page 251 To configure the insert action for cookies page 252 Note When both cookie based pbind is used and HTTP modifications...

Page 250: ...ce action 4 Enter directn to set the rule direction and then enter the rule direction request or response Example To change the value of the cookie User Type from Gold to Premium in all client requests use the following configuration Main cfg slb layer7 httpmod Enter HTTP Modification rule list id alphanumeric http mod list HTTP Modification rule list http mod list ena HTTP Modification rule list ...

Page 251: ...enter remove to set the new rule remove action 4 Enter directn to set the rule direction and then enter the rule direction request or response HTTP Modification rule list mylist cur Current rule list mylist enabled 10 enabled action replace cookie from KEY User Type VALUE Gold to KEY User Type VALUE Premium direction request Main cfg slb layer7 httpmod Enter HTTP Modification rule list id alphanum...

Page 252: ...on is set to response the Set Cookie header is modified Note The numbers and names in this procedure are examples only 1 Access HTTP Modification rule list configuration via the Layer 7 menu enter a rule list ID and enable the rule list 2 Enter rule the rule ID number and then enter the desired element type URL Modification rule list mylist cur Current rule list mylist enabled 10 enabled action re...

Page 253: ...To insert the Set Cookie for a cookie named Device ID with the value Alteon123 to all server responses use the following configuration cookie Modification http mod list Rule 5 action Current rule action Enter new rule action insert replace remove insert Enter cookie key to insert Enter cookie value to insert Enter cookie path or none Enter cookie domain name or none Enter insert cookie expiration ...

Page 254: ...nt to modify these headers use HTTP modification for headers and specify header name as Location or Content Type accordingly Links that appear in the HTML within the server response If you want to modify all file types of other objects referenced in the server s response for example links in the HTML then use URL modification and select Header and Body To configure HTTP modification for the HTTP f...

Page 255: ...re the replace action for the HTTP status line Note The numbers and names in this procedure are examples only 1 Access HTTP Modification rule list configuration via the Layer 7 menu enter a rule list ID and enable the rule list 2 Enter rule the rule ID number and then enter the desired element type filetype Modification http mod list Rule 5 action Current rule action filetype supports only action ...

Page 256: ...ml the following results The protocol is HTTP The port is 80 default for HTTP The host is www site com The path is a b c The page name is index The page type is html All the components within this URL can be modified using a single HTTP Modification URL rule The following topics are discussed in this section Configuring Modification for HTTP URL Elements page 257 Example 1 Update the Path page 259...

Page 257: ... the response so that the same path is added to the subsequent request 4 Enter body to enable URL modification in the body By default only headers are modified body exclude To modify both header and body set to body include 5 Enter match to access the Match menu and define the match criteria Set the match parameters according to the configured rule direction request or response When the direction ...

Page 258: ...as abc a abc and so on Page Name Used for an exact match Page Type Used for an exact match Note An AND operation is used between the configured match criteria Therefore only when all the configured match criteria are met in the request or response the action is performed 6 Enter action to access the Rule Action menu and define the action criteria You can set actions for the following parameters Pr...

Page 259: ...ew page type Leave this action empty to remove the matched page type When both match and action are empty no operation is performed Example 1 Update the Path The web site links should be updated as follows Every link that ends with cars should now be updated to end with new cars For example the URL HTTP www site com vehicles offer cars details html should now be HTTP www site com vehicles offer ne...

Page 260: ... URL Modification add new Rule 10 match URL Match path Current path match configuration Enter path match type sufx prefx eq incl any any sufx Enter path to match cars URL Modification add new Rule 10 action URL Match path Current path action configuration none Enter path action type insert replace remove none none insert Enter path to insert new Insert the specified path before or after the matche...

Page 261: ...ple Rule 10 is added 4 It is required to modify URLs in the body of the response so set the body to include 5 Set the match criteria HTTP Load Balancing Menu httpmod Current HTTP modifications rule list Enter new HTTP modifications rule list or none force https For HTTP Modification rule list configuration use cfg slb layer7 httpmod Main cfg slb layer7 httpmod Enter HTTP Modification rule list id ...

Page 262: ...le 10 action URL Match protocol https URL Match path Current path action configuration none Enter path action type insert replace remove none none replace Enter new path to replace the matched section sensitive URL Modification force https Rule 10 ena URL Modification force https Rule 10 URL Modification rule list force https ena URL Modification rule list force https apply URL Modification rule l...

Page 263: ...ody exclude Enter new rule body include exclude exclude include URL Modification move site2 Rule 20 URL Modification move site2 Rule 20 match URL Match host Current host match configuration Enter host match type sufx prefx eq incl any any eq Enter host to match www site2 com URL Modification move site2 Rule 20 action URL Match host Current host action configuration none Enter host action type inse...

Page 264: ... rule list move site2 save URL Modification rule list move site2 cur Current rule list move site2 enabled 20 enabled element url match protocol http port 80 host eq www site2 com path any action protocol http port 80 host replace www site1 com path insert site2 before URL Modification rule list move site2 cur Current rule list move site2 enabled 20 enabled element url match protocol http port 80 h...

Page 265: ...Enter rule the rule ID number and then enter the desired element type 3 Enter action to access the Rule Action menu and then enter replace to set the new rule replace action 4 Enter directn to set the rule direction and then enter the desired rule direction 5 Enter body to enable text modification in the body Main cfg slb layer7 httpmod Enter HTTP Modification rule list id alphanumeric http mod li...

Page 266: ...set the new rule remove action 4 Enter directn to set the rule direction and then enter the desired rule direction URL Modification rule list mylist cur Current rule list mylist enabled 10 enabled action replace text from TEXT Copyright 2013 to TEXT All rights reserved direction response body include Main cfg slb layer7 httpmod Enter HTTP Modification rule list id alphanumeric http mod list HTTP M...

Page 267: ...he amount of network capacity available to applications using the following techniques Content caching This technique stores data that is likely to be used again and is unlikely to change instead of requiring servers to retrieve or generate it every time For more details see Content Intelligent Caching page 268 Compression This technique reduces the amount of data crossing the link squeezing it in...

Page 268: ...e fewer the number of concurrent connections that can be handled by Alteon Caching occurs at the client side of the flow This means that when a request comes it is considered higher priority for serving from cache before all other application services for example HTTP modifications On the other hand when a server response arrives at the Application Services Engine it goes through all required trea...

Page 269: ...d Reference Cache Content Management You can manage the content of the cache using Alteon configuration or Alteon operations Alteon configuration Use Caching rule lists see Caching Rule Lists page 270 to define which objects do not go into the cache Alteon operations Use a cache purge see Purging Cached Content page 270 to specify services and virtual service and URLs including a wildcard The cahe...

Page 270: ...s a page name and or page suffix and then an asterisk for example http mycompany com path page type only various instances of the specific page with different query parameters specified after the question mark sign are removed Purging Cached Content In some cases you may want to purge the cached content of HTTP responses The cache is purged for the specified virtual server and virtual service For ...

Page 271: ...interface Enable SLB Assign an IP address to each of the real servers in the server pool Define each real server Assign servers to real server groups Define server port and client port Define virtual server For more information on how to configure your network for SLB see Server Load Balancing page 165 2 Define the FastView policy which will govern the caching behavior as follows For details on de...

Page 272: ...res compatibility with virtually all popular Web browsers without requiring any special software installation on the end user computer Alteon HTTP compression includes options to control compression behavior These include the ability to define whether objects should be compressed for browser content type or URL specific behavior as well as a set of predefined exceptions of the default compression ...

Page 273: ...he same compression configuration Compression parameters include Policy name Compression algorithm Compression level Minimum file size to be compressed Maximum file size to be compressed Compression URL exceptions rule list Compression browser exceptions rule list Predefined browser exceptions rule list Compression by real server For details on configuring the compression policy parameters see the...

Page 274: ...e general than the URL exceptions For example the following rules result in all files in images folder being compressed except for image1 jpg rule1 images image1 jpg do not compress rule2 images compress Predefined Browser Exceptions Rule List This is a list of compression browser exception rules that address known issues in commonly used browsers which cause them to mishandle specific types of co...

Page 275: ...ver groups Enable SLB Define server port and client port Define virtual server For more information on how to configure your network for SLB see Server Load Balancing page 165 2 Define the compression policy which will govern the compression behavior For details on defining additional compression policy parameters see the section on the cfg slb accel compress comppol menu in the Alteon Application...

Page 276: ...licy which will govern the compression behavior For details on defining additional compression policy parameters see the section on the cfg slb accel compress comppol menu in the Alteon Application Switch Operating System Command Reference 3 Define a compression browser exception rule list Main cfg slb accel compress urllist myurllist Define an alphanumeric ID to identify the URL exception rule li...

Page 277: ... sessions The SSL session reuse attempts are usually successful because the back end server recognizes Alteon as a client that connects repeatedly SSL session re use between Alteon and the back end servers helps lower the overhead involved in performing a full SSL handshake In a connection managed environment a pool of server connections is maintained for servicing client connections When a client...

Page 278: ...g egress PIP to ensure PIP is used only to the required servers and service When using ingress PIP all traffic coming via the specified port uses PIP including traffic to other services Main cfg slb virt 1 service 80 http connmgt Current Connection management configuration disabled Enter new Connection management configuration enabled disabled pooling d ena Enter server side connection idle timeou...

Page 279: ...IDS SLB page 309 Session Initiation Protocol SIP Server Load Balancing page 323 SoftGrid Load Balancing page 330 Workload Manager WLM Support page 332 For additional information on SLB commands refer to the Alteon Application Switch Operating System Command Reference IP Server Load Balancing IP SLB lets you perform server load balancing based on a client s IP address only Typically the client IP a...

Page 280: ...nection In Passive FTP the FTP client initiates the data connection Because the client also initiates the connection to the control channel passive FTP mode does not pose a problem with firewalls and is the most common mode of operation Alteon supports both active and passive FTP operation modes You can switch from active to passive or vice versa in the same FTP session Active FTP Configuration To...

Page 281: ...s with a request to read or write a file which also serves to request a connection If the server grants the request the connection is opened and the file is sent in fixed length blocks of 512 bytes Each data packet contains one block of data and must be acknowledged by an acknowledgment packet before the next packet can be sent A data packet of less than 512 bytes signals termination of a transfer...

Page 282: ...rver There are two types of LDAP servers read and write servers Read servers only conduct read operations and write servers perform both read and write operations How LDAP SLB Works An LDAP connection is set up via Layer 4 load balancing and is bound to a read server After that operation frames received by Alteon are checked at Layer 7 to determine if there are any write operations The bind and wr...

Page 283: ...ueries Figure 41 LDAP Load Balancing Configuring LDAP SLB This procedure references Figure 41 LDAP Load Balancing page 283 To configure LDAP SLB 1 Enable SLB 2 Configure the four real LDAP servers and their real IP addresses cfg slb virt 1 service ldap reset enable cfg slb on cfg slb real 20 Real server 20 ena Enable Real Server 20 Real server 20 rip 10 10 10 20 Specify the IP address Real server ...

Page 284: ... Server 21 cfg slb real 26 ena rip 10 10 10 26 layer7 ldapwr e Configure and enable LDAP Write Server 21 cfg slb group 1 Select real server Group 1 Real server group 1 metric roundrobin Specify the load balancing metric for Group 1 Real server group 1 add 20 Add Real Server 20 Real server group 1 add 21 Add Real Server 21 Real server group 1 add 22 Add Real Server 22 Real server group 1 add 26 Add...

Page 285: ...P DNS queries to another group of real servers The requests are then load balanced among the real servers in that group Figure 42 Layer 4 DNS Load Balancing page 285 shows four real servers load balancing UDP and TCP queries between two groups Figure 42 Layer 4 DNS Load Balancing Note You can configure both UDP and TCP DNS queries for the same virtual server IP address Pre configuration Tasks This...

Page 286: ... 21 Real server 21 ena Enable Real Server 21 Real server 21 rip 10 10 10 21 Specify the IP address Real server 20 cfg slb real 22 Real server 22 ena Enable Real Server 22 Real server 22 rip 10 10 10 22 Specify the IP address Real server 20 cfg slb real 26 Real server 26 ena Enable Real Server 26 Real server 26 rip 10 10 10 26 Specify the IP address Main cfg slb group 1 Select Real Server Group 1 R...

Page 287: ...nfiguration for TCP Based DNS SLB To configure TCP based DNS load balancing 1 Configure and enable the virtual server IP address 2 on Alteon 2 Set up the DNS service for virtual server and select Real Server Group 2 3 As this is TCP based load balancing ensure that you enable TCP DNS queries cfg slb virt 1 vip 20 20 20 20 Specify the virt server IP address Virtual Server 1 ena Enable the virtual s...

Page 288: ...S and UDP DNS stateful in a pure IPv4 environment IPv4 clients and servers and UDP DNS stateful in a pure IPv6 environment IPv6 clients and servers For UDP stateful DNS load balancing Alteon creates session entries in its session table and removes them when a response is sent from the server to the client For example as illustrated in Figure 43 Load Balancing DNS Queries page 289 a DNS server farm...

Page 289: ...nterface on Alteon Define each real server DNS server address Assign servers to real server groups Define virtual servers and services Enable SLB Define server port and client port For information on how to configure your network for SLB see Server Load Balancing page 165 2 Enable DNS load balancing For servers 1 through 3 configure and enable a virtual server that supports only DNS load balancing...

Page 290: ...dnstype both Support DNS queries of type DNS only Virtual Server 1 DNS Service protocol tcp Virtual Server 1 DNS Service dbind ena cfg slb layer7 slb addstr DNSQ any TP dns HN abcdefg com cfg slb layer7 slb addstr DNSQ any TP dns HN hijklm com cfg slb layer7 slb addstr DNSQ any TP dns HN nopqrst com cfg slb layer7 slb addstr DNSQ any TP dns HN uvwxyz com Server Load balance Resource cfg slb layer7...

Page 291: ...udio video text multimedia streams In this section the term RTSP server refers to any multimedia server that implements the RTSP protocol for multimedia presentations Note RTSP SLB cannot be set to None for the RTSP service 554 How RTSP Server Load Balancing Works The objective of RTSP SLB is to intelligently switch an RTSP request and the other media streams associated with a presentation to a su...

Page 292: ... files have the extension mov Alteon can also support other RTSP compliant applications such as Microsoft Windows Media Server 9 RTSP Port Configuration You can also configure RTSP to use a port other than the default of 554 To configure an RTSP port 1 Select a non standard port to use for RTSP 2 Configure RTSP load balancing on the selected port Configuring RTSP Load Balancing In the example conf...

Page 293: ...Alteon Configure the IP interfaces on Alteon Enable Direct Access Mode DAM Disable Bandwidth Management Disable proxy IP addressing 2 Enable SLB 3 Configure IP addresses for the real servers cfg slb on cfg slb real 1 rip 30 30 30 10 ena Define IP address for Real Server 1 cfg slb real 2 rip 30 30 30 20 ena Define IP address for Real Server 2 cfg slb real 3 rip 30 30 30 30 ena Define IP address for...

Page 294: ...al Server 4 Real Server Group 200 add 5 Add Real Server 5 Real Server Group 200 add 6 Add Real Server 6 cfg slb virt 1 Select the virtual server Virtual Server 1 vip 30 30 30 100 Set IP address for the virtual server Virtual Server 1 service 554 Add the RTSP service for the virtual server Virtual Server 1 rtsp Service group 100 Set the real server group Virtual Server 1 rtsp Service cfg slb virt 1...

Page 295: ...vers 1 2 3 and 4 The domain name GlobalNews com associated with the virtual IP address 120 10 10 10 is configured for URL hash The first request for http Globalnews com saleswebcast rm hashes to media server 1 Subsequent requests for http Globalnews com saleswebcast rm from other clients or from client 1 hashes to the same Server 1 Similarly another request for http Globalnews com marketingwebcast...

Page 296: ...on for standard server load balancing as described in Server Load Balancing Configuration Basics page 171 Connect each Media server to Alteon Configure the IP addresses on all devices connected to Alteon Configure the IP interfaces on Alteon Enable SLB cfg slb on Enable client processing at the client port cfg slb port 1 client ena Enable server processing at the Server Ports 2 and 7 for example c...

Page 297: ... 5 rip 10 10 10 5 ena Define IP address for Real Server 5 cfg slb real 6 rip 10 10 10 6 ena Define IP address for Real Server 6 cfg slb real 7 rip 10 10 10 7 ena Define IP address for Real Server 7 cfg slb real 8 rip 10 10 10 8 ena Define IP address for Real Server 8 cfg slb group 100 Define a group Real Server Group 100 add 1 Add Real Server 1 Real Server Group 100 add 2 Add Real Server 2 Real Se...

Page 298: ...t the virtual server Virtual Server 2 vip 120 10 10 20 Set IP address for the virtual server Virtual Server 2 service 554 Add the RTSP service for the virtual server Virtual Server 2 rtsp Service group 200 Set the real server group Virtual Server 2 rtsp Service cfg slb virt 2 ena Enable virtual server Virtual Server 2 rtsp Service rtspslb pattern cfg slb layer7 slb addstr radware1 mov Server Loadb...

Page 299: ... you must define an SSL virtual service and associate both a server certificate and an SSL policy to it As with other Alteon features the virtual service is assigned to an application in this case either HTTPS or another protocol encrypted by SSL For details on defining SSL policies see SSL Policies page 338 For details on defining server certificates see Certificate Repository page 338 The follow...

Page 300: ...nfigure to the server certificate see the section on the cfg slb ssl certs srvrcert menu in the Alteon Application Switch Operating System Command Reference Notes You can associate only a single server certificate to a virtual service When the virtual service is enabled and you associate an SSL policy with a virtual service without a certificate and try to apply the changes with the apply command ...

Page 301: ... can configure Alteon to select a WAP gateway for each client request based on one of the following three methods WAP SLB with RADIUS Static Session Entries page 301 WAP SLB with RADIUS Snooping page 304 WAP SLB with RADIUS WAP Persistence page 306 WAP SLB with RADIUS Static Session Entries RADIUS a proposed IETF standard is a client server protocol that enables remote access servers to communicat...

Page 302: ...t a request The WAP gateway detects this situation when it receives WAP traffic that does not belong to that WAP gateway If a Delete Session request is lost it is overwritten by another Add Session request How WAP SLB Works with Static Session Entries 1 On dialing the user is first authenticated by the Remote Access Server RAS 2 The RAS sends a RADIUS authentication request to one of the RADIUS se...

Page 303: ... and delete session requests if you are using static session via TPCP 6 Enable TPCP for adding and deleting WAP sessions 7 Apply and save your configuration cfg slb virt number service name number protocol udp cfg slb on cfg slb real 1 rip 1 1 1 100 Define address for WAP Gateway1 Real server 1 ena Enable Real Server 1 cfg slb real 2 rip 2 2 2 100 Define address for WAP Gateway 2 Real server 2 ena...

Page 304: ... following steps occur when using RADIUS snooping 1 The user is authenticated on dialing 2 The RAS establishes a session with the client and sends a RADIUS Accounting Start message with the client IP address to the RADIUS server 3 Alteon snoops on the RADIUS accounting packet and adds a session entry if it finds enough information in the packet 4 Alteon load balances the WAP traffic to a specific ...

Page 305: ...r the RADIUS WAP gateways 4 Create a group to load balance the WAP gateways 5 Enable the external notification from WAP gateway to add and delete session requests if you are using static session via TPCP cfg slb virt number layr3 ena cfg slb virt number service name number protocol udp cfg slb virt number service name number protocol udp cfg slb on cfg slb real 1 rip 1 1 1 100 Define address for W...

Page 306: ...accept or reject frame Alteon forwards this reply to the RAS After the RAS receives the RADIUS accept packet it sends a RADIUS accounting start packet on UDP port 1813 to the bound server Alteon snoops on the RADIUS accounting start packet for the framed IP address attribute The framed IP address attribute is used to rebind the RADIUS accounting session to a new server cfg slb wap tpcp ena cfg slb...

Page 307: ...dress to select a real server for the RADIUS accounting session If the framed IP address is not found in the RADIUS accounting packet then persistence is not maintained for the RADIUS WAP session The load balancing metric of the real server group has to be hash for RADIUS WAP Persistence 5 When the client begins to send WAP requests to the WAP gateways on ports 9200 through 9203 a new session is a...

Page 308: ...fg slb virt 1 service 1813 Virtual Server 1 radius acc service protocol udp Virtual Server 1 radius auth service cfg slb virt 1 service 9200 Virtual Server 1 9200 service protocol udp Virtual Server 1 radius auth service cfg slb virt 1 service 9201 Virtual Server 1 9201 service protocol udp Virtual Server 1 radius auth service cfg slb virt 1 service 9202 Virtual Server 1 9202 service protocol udp ...

Page 309: ...ttacks Analyzing abnormal activity patterns Tracking user policy violations Intrusion detection devices inspect every packet before it enters a network looking for any signs of an attack The attacks are recorded and logged in an attempt to guard against future attacks and to record the information about the intruders IDS SLB helps scale intrusion detection systems since it is not possible for an i...

Page 310: ...IDS rport value Default any If multiple groups are configured for the same rport then only one of the groups is used for SLB 3 Enable IDS on the incoming ports both client and server ports Enabling IDS at the port level enables Alteon to make a copy of the frames ingressing the port and forward the copy to the IDS server group 4 Configure filter processing on the incoming ports with the IDS hash m...

Page 311: ...them with different VLANs and tag the packets accordingly Because unmodified frames are sent to the IDS servers Alteon does not use the L2 destination field of the packet to direct it to the correct IDS server The port or the VLAN tag is used to identify the destination IDS server However if the ingress packet is already tagged you must use different ports for different IDS servers Stealth mode wi...

Page 312: ...Single Group page 312 illustrates a basic configuration for load balancing client and server traffic to the IDS servers Alteon 1 performs IDS load balancing and Alteon 2 performs standard server load balancing IDS is enabled on the client port port 25 and both the firewall ports ports 26 and 27 Figure 47 Server Load Balancing and IDS Load Balancing to a Single Group When the client request enters ...

Page 313: ... group must be numbered between 1 and 63 4 Define the group metric for the IDS server group IDS SLB supports the hash metric only 5 Define the health check for the group Configure link health check which is specifically developed for IDS servers set up in stealth mode without IP addresses 6 Define the group for IDS SLB 7 Select the rport for the IDS group 8 Enable IDS on the client and server port...

Page 314: ...er list to ensure that all traffic matches a filter A deny all filter can also be used as the final filter instead of an allow all filter 11 Apply and save your changes 12 Configure Alteon 2 to load balance the real servers as described in Server Load Balancing Configuration Basics page 171 Configure the IP interfaces on Alteon Configure the SLB real servers and add the real servers to the group C...

Page 315: ... and IDS servers filter processing is not required on the client processing port port 25 To maintain session persistency if you add the filter to the client port Alteon can be configured to hash on both the client IP and virtual server IP This ensures that both client and server traffic belonging to the same session is sent to the same IDS server If you do not add the filter on port 25 then Alteon...

Page 316: ... Specify IP address for IDS Server 7 cfg slb real 8 rip 10 20 20 3 ena Specify IP address for IDS Server 8 cfg slb group 51 Define a group Real Server Group 51 add 6 Add IDS Server 6 Real Server Group 51 add 7 Add IDS Server 7 Real Server Group 51 cfg slb group 52 Define another group Real Server Group 52 add 8 Add IDS Server 8 Real Server Group 51 metric hash Set the metric to hash Real Server Gr...

Page 317: ...is ensures that both client and server traffic belonging to the same session is sent to the same IDS server If you do not add the allow filter on port 25 Alteon hashes on the client IP only for client frames and hashes on the client IP and virtual server IP addresses for server frames cfg slb port 25 idslb ena Enable IDS SLB for port 25 SLB port 25 cfg slb port 2 idslb ena Enable IDS SLB for port ...

Page 318: ...igh availability configuration By allowing the administrator to disable learning of client and server source MAC addresses over the interswitch link client request packets are able to reach the real servers when failover occurs As illustrated in Figure 49 Server Load Balancing and IDS Load Balancing Across Multiple Alteons page 319 the Alteons are connected to each other via a trunked interswitch ...

Page 319: ... are learned via the interswitch link port the request packets from clients are forwarded to the interswitch link port on the new master Alteon and are received by the new standby Alteon Because the standby Alteon does not forward traffic the request packets do not normally reach the real servers Alteon remedies this situation by allowing the administrator to disable learning of client and server ...

Page 320: ...on Alteon 2 that are connected to the IDS servers cfg port 25 tag ena pvid 1000 cfg port 26 tag ena pvid 1000 cfg l2 trunk 1 ena add 25 add 26 cfg l2 trunk 2 ena add 27 add 28 Add ports 25 26 to Trunk Group 1 Add ports 27 28 to Trunk Group 2 cfg l3 if 3 addr 11 11 11 1 mask 255 255 255 255 vlan 1000 Main cfg l2 vlan 1001 ena VLAN 1001 learn dis VLAN 1001 add 25 add 26 Disable source MAC learning o...

Page 321: ...1 100 ena Set the IP interface for Alteon 2 Real server 3 ids idsvlan 1003 Real Server 3 IDS idsport 25 Real Server 3 IDS oid 1 3 6 1 2 1 2 2 1 8 259 Set OID to health check port 3 on Alteon 2 cfg slb real 4 rip 11 11 11 100 ena Real server 4 ids idsvlan 1004 Real Server 4 IDS idsport 25 Real Server 4 IDS oid 1 3 6 1 2 1 2 2 1 8 260 Set OID to health check port 4 on Alteon 2 cfg slb group 53 Defin...

Page 322: ... processing on all ports that have IDS enabled If you add the allow filter to the client port 4 Alteon hashes on the client IP and virtual server IP address for both the client and server frames This ensures that both client and server traffic belonging to the same session is sent to the same IDS server If you do not add the allow filter on port 5 then Alteon hashes on the client IP only for clien...

Page 323: ... and instant messaging The protocol initiates call setup routing authentication and other feature messages to end points within an IP domain The SIP protocol is used to locate users where the caller and called parties are located determine user capability what type of protocol TCP or UDP and other capabilities the user can support determine user availability call setup how to create the call deter...

Page 324: ...ates an Alteon performing TCP based SIP SLB In this example three SIP proxy servers are configured in a Real Server Group 100 Alteon is configured for SIP service port 5060 for virtual server 40 40 40 100 Figure 50 SIP Load Balancing To configure SIP load balancing 1 Before you start configuring SIP load balancing Connect each SIP proxy server to Alteon Configure the IP addresses on all devices co...

Page 325: ...n Call distribution can be improved by increasing the number of Call ID bytes that are used as input to the hash function For example Virtual Server 1 sip Service sip hashlen 16 Real server 2 ena Enable Real Server 2 cfg slb real 3 rip 10 10 10 3 Define address for MCS 3 Real server 3 ena Enable Real Server 3 cfg slb group 100 Define a group Real Server Group 100 add 1 Add Real Server 1 Real Serve...

Page 326: ...eding the content Like HTTP the first header line has the method specification followed by the other header lines that specify other parameters like Call ID and so on Configuring SIP Server Load Balancing Figure 51 SIP Load Balancing Configuration Example page 327 illustrates an Alteon performing UDP based SIP SLB In this example three SIP proxy servers are configured in a Real Server Group 100 Al...

Page 327: ...DAM Disable proxy IP addressing 2 Enable server load balancing 3 Configure IP addresses for the SIP proxy servers 4 Create a group to load balance the SIP proxy servers cfg slb on cfg slb real 1 rip 10 10 10 1 Define address for MCS 1 Real server 1 ena Enable Real Server 1 cfg slb real 2 rip 10 10 10 2 Define address for MCS 2 Real server 2 ena Enable Real Server 2 cfg slb real 3 rip 10 10 10 3 De...

Page 328: ...al server session timeout value to 30 minutes Default 10 minutes When the call terminates with a BYE command Alteon releases the session entry immediately 13 Enable server and client processing at the port level Real Server Group 100 metric minmiss Real Server Group 100 health sip cfg slb virt 1 Select Virtual Server 1 Virtual Server 1 vip 40 40 40 100 Set IP address for the virtual server Virtual...

Page 329: ...he real server specified in the session entry is used if that real server is up Otherwise the normal minmiss method is used to select the real server Supports standard health check options Alteon supports the standard method to health check SIP servers The options method like HTTP and RTSP is supported by all RFC 3261 compliant proxies Alteon sends an options request to the SIP server when configu...

Page 330: ...dia portal address Create static NAT filters to operate in both directions one to translate the public address to the private address and one to translate the private address to the public address For more information on static NAT filters see Network Address Translation page 384 SoftGrid Load Balancing The Softricity SoftGrid platform is used to provide sequenced applications from a SoftGrid Serv...

Page 331: ...used to transport the application data between the server and the client 3 Real Time Control Protocol RTCP RTCP is used to control the streaming of the application data that is transported by RTP The SoftGrid platform uses three channels to complete the application delivery process Initially the SoftGrid Client uses the RTSP channel to create a connection with the SoftGrid Server The SoftGrid Serv...

Page 332: ...lication State Protocol SASP used by the Enterprise Workload Management WLM tool This section includes the following topics How Alteon Works with the DM page 333 Configuring WLM Support page 333 Verifying WLM Configurations page 334 Limitations for WLM Support page 336 This feature is used to monitor server resources and provide additional input on load balancing decisions WLM takes into account a...

Page 333: ...stered groups When a real server is disabled or enabled operationally Alteon sends a request to temporarily remove the server from the weight calculation Configuring WLM Support Before you start configuring for WLM support ensure you have configured the following for all the groups and real servers participating in dynamic weights with WorkLoad Managers WLM Alteon name cfg sys ssnmp name group nam...

Page 334: ...3 245 3860 Not Connected Main stats slb wlm 11 Workload Manager 11 Statistics Registration Requests 1 Registration Replies 1 Registration Reply Errors 0 Deregisteration Requests 1 Deregisteration Replies 1 Deregisteration Reply Errors 0 Set LB State Requests 1 Set LB State Replies 1 Set LB State Reply Errors 0 Set Member State Requests 0 Set Member State Replies 0 Set Member State Reply Errors 0 S...

Page 335: ...ic weight Main stats slb group 2 Real server group 2 stats Total weight updates from WorkLoad Manager 10 Current Total Highest Real IP address Sessions Sessions Sessions Octets 1 1 1 1 1 0 0 0 0 2 2 2 2 2 0 0 0 0 3 3 3 3 3 0 0 0 0 4 4 4 4 4 0 0 0 0 group 2 0 0 0 0 Main info slb Server Load Balancing Information virt 1 1 10 10 7 1 00 01 81 2e a0 8e virtual ports http rport http group 1 backup none ...

Page 336: ...s the weight of real server for all other services Workload manager de registration after a Layer2 or Layer 3 change If you make any changes to the VLAN or IP Interface as the eWLM environment then WLM de registration updates are sent to all the DMs Workload manager de registration after an SLB change WLM de registration is sent to all DMs after an SLB update Main info slb Server Load Balancing In...

Page 337: ...Common SSL Offloading Service Use Cases page 343 SSL Offloading Implementation For Alteon to provide SSL offloading you must configure enable and apply the following components SSL Virtual Service As discussed in SSL Offloading Implementation page 337 you must define an HTTPS or SSL virtual service and associate to it both an SSL server certificate and an SSL policy that governs the behavior of th...

Page 338: ...use Which SSL information to pass to the back end servers When and if to use HTTP protocol based location redirection conversion from HTTP to HTTPS Whether to use back end encryption Whether and how to use client authentication Whether to use SSL TLS on the front end connection An single SSL policy can be associated to multiple virtual services if they share the same SSL configuration For details ...

Page 339: ...g with the server certificate The resulting server certificate is a self signed server certificate meaning it was issued by the server for itself This kind of a certificate is good for testing purposes as real users will experience various warning messages if used for the real SSL service In order to be used in the real life SSL environment the server certificate must be issued signed by a Certifi...

Page 340: ...rmation on exporting and importing certificate repository components see the section on the cfg slb ssl certs menu in the Alteon Application Switch Operating System Command Reference Table 28 Import and Export of Certificate Repository Components Component Export Import Description Key pair Export Import Key pairs include a private key and public key The private key is used to decrypt and encrypt ...

Page 341: ...s are not created in Alteon you must first import them from the CA Trusted CA certificates are usually exported for backup purposes Note The maximum file size for importing SSL components excluding 2424 SSL configuration is 200 KB 2424 SSL configuration Import If you are migrating your SSL configuration from an Alteon 2424 SSL platform to an Alteon platform running Alteon version 27 0 0 0 or later...

Page 342: ...lidation period in days 1 3650 365 4 Enter the new validation period 5 Enter Apply and Save To renew a real server certificate signed by a third party trusted CA 1 Log in over a secure management interface SSH HTTPS 2 Enter the certificate repository cfg slb ssl certs 3 If the original server certificate was generated on this Alteon platform then a corresponding Certificate Signing Request CSR wil...

Page 343: ...lteon enables you to perform ad hoc certificate validation using Online Certificate Status Protocol OCSP Note Certificate validation is using the SSL handshake process which means the TCP handshake was already completed This implies that Alteon will open the connection to the back end server even if the OCSP validation failed For details on configuring client authentication policies see the sectio...

Page 344: ...vely generate a self signed server certificate as shown in the following example 4 Globally enable SSL 5 Set the HTTPS virtual service to be used in the defined virtual server Main cfg slb ssl sslpol myPol Define an ID to identify the SSL Policy The ID may be alphanumeric or numeric SSL Policy myPol cipher high Select the cipher suite to use during SSL handshake By default the RSA cipher suite is ...

Page 345: ...n is configured for basic SLB Assign an IP address to each of the real servers in the server pool Define an IP interface Define each real server Assign servers to real server groups Enable SLB Define server port and client port Define virtual server For more information on how to configure Alteon for SLB see Server Load Balancing page 165 2 Define the SSL Policy which will govern the SSL offloadin...

Page 346: ...le SSL Main cfg slb ssl sslpol myPol Define an ID to identify the SSL Policy The ID may be alphanumeric or numeric SSL Policy myPol cipher high Select the cipher suite to be used during SSL handshake By default the RSA cipher suite is selected Radware recommends using the PCI DSS pre configured cipher suite for best SSL security SSL Policy myPol ena Enable the policy Main cfg slb ssl certs srvrcer...

Page 347: ... basic SLB Assign an IP address to each of the real servers in the server pool Define an IP interface Define each real server Assign servers to real server groups Enable SLB Define server port and client port Define virtual server For more information on how to configure Alteon for SLB see Server Load Balancing page 165 Main cfg slb virt 1 service 12345 Application usage http https ssl dns rtsp wt...

Page 348: ...myPol Define an ID to identify the SSL Policy The ID may be alphanumeric or numeric SSL Policy myPol cipher rsa Select the cipher suite to use during SSL handshake By default the RSA cipher suite is selected Radware recommends using the PCI DSS pre configured cipher suite for enhanced SSL security SSL Policy myPol bessl enabled Enable back end SSL SSL Policy myPol becipher low Set the cipher to be...

Page 349: ...kes For more details on multiplexing see Content Intelligent Connection Management page 277 Example 4 Configuring an SSL Offloading Service for Multiple Domains on the Same Virtual IP Using Server Name Indication SNI To configure SSL offloading for multiple domains behind a single virtual IP SSL handshake server name indication SNI is used 1 Before you can configure an SSL offloading service ensur...

Page 350: ... with the following change cfg slb ssl certs Certificate Repository group Enter group id 1 Enter the Group menu 4416 2 Group 1 type Current certificate group type intermca Enter new certificate group type srvrcert trustca intermca srvrcert Select the Group type of the Server Certificate Group 4416 2 Group 1 add Enter certificate ID servercert1 Certificate servercert1 is added to group 1 4416 2 Gro...

Page 351: ...he matched server certificate to the client b Match the client SNI content to the server s certificate with wildcards looking for a match in the domain name and ignoring the hostname If there is a domain name match ignoring the hostname send the matched wildcard server certificate to the client c Match the client SNI content to the server s certificate with Subject Alternative Names SAN appearing ...

Page 352: ...SSL offloading behavior For basic SSL offloading see Example 1 Configuring a Basic SSL Offloading Service page 343 For SSL offloading with back end encryption enabled see Example 3 Configuring an SSL Offloading Service with Back End Encryption page 347 HTTP Content Class 1 cfg slb layer7 slb cntclss 1 hostname 1 Hostname 1 hostname Current hostname to match Enter new hostname to match mydomain com...

Page 353: ... configure proxy IP addresses and enable proxy on the client port Example 6 Configuring a Clear text HTTP Service with Back end Encryption 1 Before you can configure an SSL offloading service ensure that Alteon is configured for basic SLB as follows Assign an IP address to each of the real servers in the server pool Define an IP interface Define each real server Assign servers to real server group...

Page 354: ...Radware recommends using multiplexing to minimize the server load of performing new SSL handshakes For more details on multiplexing see Content Intelligent Connection Management page 277 Main cfg slb ssl sslpol myPol Define an ID to identify the SSL Policy The ID may be alphanumeric or numeric SSL Policy myPol fessl disable Disable front end SSL SSL Policy myPol bessl enable Enable back end SSL SS...

Page 355: ...tments to the client s packet Transparent load balancing Alteon performs traffic inspection and classification of all layers load balancing traffic with one or more service farms while forwarding it to the original destination without any change to the original packet The following topics are discussed in this chapter Basic Filtering Features page 356 Describes the benefits and filtering criteria ...

Page 356: ... server networks Filtering gives you control over the types of traffic permitted through Alteon Filters can be configured to allow or deny traffic from Layer 2 through Layer 7 including MAC address IP address protocol Layer 4 port Layer 7 string or pattern content Layer 2 only filters as described in MAC Based Filters for Layer 2 Traffic page 373 can be configured to allow or deny non IP traffic M...

Page 357: ...ition Layer 4 processing must be activated using the cfg slb on command nat Performs generic Network Address Translation NAT This can be used to map the source or destination IP address and port information of a private network scheme to and from the advertised network IP address and ports This is used in conjunction with the nat option and can also be combined with proxies goto Allows the user to...

Page 358: ...he following filter As long as the filters do not overlap you can improve filter performance by making sure that the most heavily used filters are applied first For example consider a filter system where the Internet is divided according to destination IP address Example Stacking Filters Assuming that traffic is distributed evenly across the Internet the largest area would be the most used and is ...

Page 359: ...ing failures as shown in the Server Load Balancing Maintenance statistics stats slb maint you may want to remove some of the default filters Optimizing Filter Performance Filter efficiency can be increased by placing filters that are used most often near the beginning of the filtering list Note Radware recommends numbering filters in small increments 5 10 15 20 and so on to make it easier to inser...

Page 360: ...stination IP address for traffic When a range of IP addresses is needed the source IP sip address or destination IP dip address defines the base IP address in the desired range The source mask smask or destination mask dmask is the mask that is applied to produce the range For example to determine if a client request s destination IP address should be redirected to the cache servers attached to a ...

Page 361: ...er When applied to one or more ports this simple filter rule produces log messages that show when the filter is triggered and what the IP source and destination addresses were for the ICMP frames traversing those ports Note After port filtering is enabled or disabled and you apply the change session entries are deleted immediately The following is a filter log message output displaying the filter ...

Page 362: ...abled filters Otherwise the cache disabled filters could potentially be bypassed for frames matching the cache enabled criteria Logging Non Cached Filter Hits A non cached filter hit occurs when a session entry is not cached Cache disabled filters are used when a session is either very short lived or contains minimal data In order to log cache disabled filters without generating an excess amount o...

Page 363: ...affic is redirected to the original session table and forwarded to the client with the original parameters Reverse session is defined per filter At Layer 4 if DAM is activated it takes precedence over reverse session and overrides it At Layer 7 reverse session takes precedence over DAM That is if reverse session is enabled DAM is automatically overridden To view an example using reverse session se...

Page 364: ...here the network and or client traffic is not interrupted That is Alteon redirects the traffic and returns it to the client without changing any of its parameters Transparent load balancing can be performed in various ways The following are examples of supported transparent load balancing scenarios Redirecting Traffic with a Transparent Server page 364 Redirecting Traffic with a NAT Filter page 36...

Page 365: ...ination address Filter 10 dmask 0 0 0 0 For any subnet range Filter 10 proto tcp For TCP protocol traffic Filter 10 sport any From any source port Filter 10 dport http To any HTTP destination port Filter 10 action redirect Redirect matching traffic Filter 10 group 10 Redirect to Real Server Group 10 Filter 10 vlan any To any VLAN Filter 10 ena Enable the filter cfg slb filt 20 Select the menu for ...

Page 366: ...e client Figure 54 Redirecting Traffic with a NAT Server To redirect traffic with a NAT filter 1 Configure Filter 10 to redirect traffic to Real Server Group 10 VAS server cfg slb filt 10 Select the menu for Filter 10 Filter 10 sip 1 1 0 0 From a specific source IP address Filter 10 smask 255 255 0 0 From a specific source IP mask Filter 10 dip any To any network destination address Filter 10 dmas...

Page 367: ... Server and Return to Proxy page 368 Redirecting Traffic with a Semi Transparent Server page 370 Filter 10 vlan any To any VLAN Filter 10 ena Enable the filter cfg slb filt 20 Select the menu for Filter 20 Filter 20 sip 1 1 0 0 From a specific source IP address Filter 20 smask 255 255 0 0 From a specific source IP mask Filter 20 dip any To any network destination address Filter 20 dmask 0 0 0 0 Fo...

Page 368: ... its source IP and source port are translated back to the original before returning to the client Figure 55 Redirecting Traffic with a Semi Transparent Server and Return to Proxy To redirect traffic with a semi transparent server and return to proxy 1 Configure Filter 10 to redirect traffic to Real Server Group 10 VAS server cfg slb filt 10 Select the menu for Filter 10 Filter 10 sip 1 1 0 0 From ...

Page 369: ...ble the filter cfg slb filt 10 adv Select the Advanced menu for Filter 10 Filter 10 Advanced redir Select the Redirection Advanced menu for Filter 10 Filter 10 Advanced rtproxy ena Enable redirect to proxy server cfg slb filt 20 Select the menu for Filter 20 Filter 20 sip 1 1 0 0 From the proxy IP address Filter 20 smask 255 255 0 0 From the proxy IP mask Filter 20 dip any To any network destinati...

Page 370: ...slated back to the original before returning to the client Figure 56 Redirecting Traffic with a Semi Transparent Server To redirect traffic with a semi transparent server 1 Configure Filter 10 to redirect traffic to Real Server Group 10 VAS server cfg slb filt 10 Select the menu for Filter 10 Filter 10 sip 1 1 0 0 From a specific source IP address Filter 10 smask 255 255 0 0 From a specific source...

Page 371: ...traffic with a non transparent server the client traffic is redirected to a VAS server group The VAS server changes the destination IP and destination port to that of the VAS server and sends the traffic to the internet The return traffic is then redirected back to the VAS server and the server translates its source IP and source port back to the original before returning to the client Filter 10 v...

Page 372: ...ilter 10 sip 1 1 0 0 From a specific source IP address Filter 10 smask 255 255 0 0 From a specific source IP mask Filter 10 dip any To any network destination address Filter 10 dmask 0 0 0 0 For any subnet range Filter 10 proto tcp For TCP protocol traffic Filter 10 rport 8080 To real server port 8080 Filter 10 dport http To any destination port Filter 10 ipver v4 Set filter IP version to IP Versi...

Page 373: ...ering on 802 1p Priority Bit in a VLAN Header page 376 Example MAC Based Filters for Layer 2 Traffic VLAN Based Filtering Filters are applied per Alteon per port or per VLAN VLAN based filtering allows a single Alteon to provide differentiated services for multiple customers groups or departments For example you can define separate filters for Customers A and B on the same Alteon on two different ...

Page 374: ... of sip and dip 1 Configure Filter 2 to allow local clients to browse the Web and then assign VLAN 20 to the filter The filter must recognize and allow TCP traffic from VLAN 20 to reach the local client destination IP addresses if originating from any HTTP source port cfg slb filt 2 Select the menu for Filter 2 Filter 2 sip any From any source IP address Filter 2 dip 205 177 15 0 To base local net...

Page 375: ...dress Filter 3 dip 205 177 15 0 To base local network destination address Filter 3 dmask 255 255 255 0 For entire subnet range Filter 3 proto tcp For TCP protocol traffic Filter 3 sport telnet From a Telnet port Filter 3 dport any To any destination port Filter 3 action allow Allow matching traffic to pass Filter 3 name allow clients to telnet Provide a descriptive name for the filter Filter 3 vla...

Page 376: ...s already present in the packets It does not assign or overwrite the 802 1p values in the packet Classifying Packets Based on 802 1p Priority Bits Traffic is easily classified based on its 802 1p priority by applying a filter based on the priority bit value The Filtering Advanced menu provides the option to filter based on the priority bit value The filter matches if it finds the corresponding 802...

Page 377: ...servers at the site Persistence binding per filter is similar to client IP based persistence for virtual services where the cip dip rport and dport values force sessions with values that match the filter to be redirected to the same server in the group Notes When either Layer 3 4 or Layer 7 persistence is required the group metric must be set to hash or minmiss HTTP Layer 7 persistence when config...

Page 378: ...roup for either of the two metrics cfg slb group 1 Select the group of real servers Real server group 1 metric minmiss Set the metric to minmiss or hash cfg slb filt 10 ena Enable the filter Filter 10 action redir Specify the redirection action Filter 10 proto 80 Specify the protocol Filter 10 group 1 Specify the group of real servers Filter 10 vlan any Specify the VLAN Filter 10 adv Select the Ad...

Page 379: ... and a connection to the Internet All the local devices are on the same subnet The administrator wants to install basic security filters to allow only the following traffic External HTTP access to the local Web server External SMTP mail access to the local mail server Local clients browsing the World Wide Web Local clients using Telnet to access sites outside the intranet DNS traffic All other tra...

Page 380: ...lter must recognize and allow TCP traffic with the Web server s destination IP address and HTTP destination port Table 31 Web Cache Example Real Server IP Addresses Network Device IP address Local Subnet 205 177 15 0 205 177 15 255 Web Server 205 177 15 2 Mail Server 205 177 15 3 Domain Name Server 205 177 15 4 cfg slb filt 2048 Select the default filter Filter 2048 sip any From any source IP addr...

Page 381: ...affic Filter 2 sport any From any source port Filter 2 dport smtp To a SMTP destination port Filter 2 action allow Allow matching traffic to pass Filter 2 ena Enable the filter Filter 2 cfg slb filt 3 Select the menu for Filter 3 Filter 3 sip 205 177 15 3 From mail server source IP address Filter 3 smask 255 255 255 255 Set mask for exact source address Filter 3 dip any To any destination IP addre...

Page 382: ...5 dport any To any destination port Filter 5 action allow Allow matching traffic to pass Filter 5 ena Enable the filter Filter 5 cfg slb filt 6 Select the menu for Filter 6 Filter 6 sip any From any source IP address Filter 6 dip 205 177 15 4 To local DNS Server Filter 6 dmask 255 255 255 255 Set mask for exact destination address Filter 6 proto udp For UDP protocol traffic Filter 6 sport any From...

Page 383: ...affic Filter 8 sport any From any source port Filter 8 dport domain To any DNS destination port Filter 8 action allow Allow matching traffic to pass Filter 8 ena Enable the filter Filter 8 cfg slb filt 9 Select the menu for Filter 9 Filter 9 sip 205 177 15 4 From local DNS Server Filter 9 smask 255 255 255 255 Set mask for exact source address Filter 9 dip any To any destination IP address Filter ...

Page 384: ...n a company has configured its internal network with private IP addresses A private network is one that is isolated from the global Internet and is therefore free from the usual restrictions requiring the use of registered globally unique IP addresses With NAT private networks are not required to remain isolated Alteon NAT capabilities allow internal private network IP addresses to be translated t...

Page 385: ... Filter 10 adv proxyadv proxy disable Override any proxy IP settings Static NAT is used for this filter Enter new NAT IP address Set the NAT Address Filter 10 Advanced cfg slb filt 11 Select the menu for inbound filter Filter 11 action nat Use the same settings as outbound Filter 11 nat dest Reverse the translation direction Filter 11 sip 10 10 10 0 Use the same settings as outbound Filter 11 smas...

Page 386: ...tries are deleted immediately Dynamic NAT Dynamic NAT is a many to one solution Multiple clients on the private subnet take advantage of a single external IP address thus conserving valid IP addresses In the example in Figure 61 Dynamic NAT Example page 386 clients on the internal private network require TCP UDP access to the Internet Figure 61 Dynamic NAT Example You may directly connect the clie...

Page 387: ...s not a requirement for dynamic NAT Filters for dynamic NAT should be given a higher numbers than any static NAT filters see Static NAT page 384 After port filtering is enabled or disabled and you apply the change session entries are deleted immediately cfg slb filt 14 Select the menu for client filter Filter 14 invert ena Invert the filter logic Filter 14 dip 10 10 10 0 If the destination is not ...

Page 388: ... IP address defined on Alteon When a client in active FTP mode sends a port command to a remote FTP server Alteon analyzes the data part of the frame and modifies the port command as follows The real server client IP address is replaced by a public proxy IP address The real server client port is replaced with a proxy port Figure 62 FTP Client NAT Example You may directly connect the real servers t...

Page 389: ...he VLAN must be configured for this to function properly When there is an overlapping NAT Alteon does not use the routing table to route the packet back to the sender in Layer 3 mode due to the overlapping source address Instead Alteon uses the VLAN gateway to forward the packet back to the sender While VLAN gateway configuration is necessary to make this feature function properly Layer 2 mode is ...

Page 390: ... results in a one way path Therefore Alteon allows you to translate the address using NAT for the Session Description Protocol SDP and create sessions for the media communication How SIP NAT Works All occurrences of the internal client s private IP address and port in the outgoing SIP message is replaced with the translated address This procedure is reversed when the SIP messages come from an exte...

Page 391: ...up fails with MCS proxy authentication enabled as Alteon does not regenerate these message digests with the public address Matching TCP Flags This section describes the ACK filter criteria which provides greater filtering flexibility Alteon supports packet filtering based on any of the following TCP flags Main cfg slb filt 14 Filter 14 action nat Filter 14 nat source Main cfg slb filt 14 Filter 14...

Page 392: ...tion Example In this network the Web servers inside the LAN must be able to transfer mail to any SMTP based mail server out on the Internet At the same time you want to prevent access to the LAN from the Internet except for HTTP SMTP traffic uses well known TCP port 25 The Web servers originates TCP sessions to the SMTP server using TCP destination port 25 and the SMTP server acknowledges each TCP...

Page 393: ...subnet range Filter 10 sport any From any source port Filter 10 proto tcp For TCP traffic Filter 10 dip any To any destination IP address Filter 10 dport smtp To well known destination SMTP port Filter 10 action allow Allow matching traffic to pass Filter 10 ena Enable the filter Filter 10 cfg slb filt 15 Select a filter for Internet SMTP ACKs Filter 15 sip any From any source IP address Filter 15...

Page 394: ...rt http From well known source HTTP port Filter 17 proto tcp For TCP traffic Filter 17 dip 203 122 186 0 To the Web servers IP address Filter 17 dmask 255 255 255 0 To the entire subnet range Filter 17 dport http To well known destination HTTP port Filter 17 action allow Allow matching traffic to pass Filter 17 ena Enable the filter Filter 17 cfg slb filt 18 Select a filter for outgoing HTTP traff...

Page 395: ...SLB port 1 add 15 Add the SMTP ACK filter to the port SLB port 1 add 16 Add the incoming HTTP filter SLB port 1 add 17 Add the incoming HTTP filter SLB port 1 add 2048 Add the default filter to the port SLB port 1 filt ena Enable filtering on the port SLB port 1 cfg slb port 2 Select the first Web server port SLB port 2 add 10 Add the outgoing SMTP filter to the port SLB port 2 add 18 Add the outg...

Page 396: ...s Since the destination MAC address and destination IP address need to be in same cast category the redirected multicast or broadcast packets should keep the multicast type destination MAC address In redirection filter processing Alteon checks cast type of destination MAC address in the received packet If the received packet is a unicast packet the destination MAC address is substituted to the spe...

Page 397: ...l ALLOW filter for these multicast packets so that link neighbors can be learnt If this is not done no packets are allowed because link neighbors cannot be learnt Filter inversion also must take these NSol packets into consideration Not all Advanced menu commands that are available for configuring IPv4 filters are available for configuring IPv6 filters You can use the following Advanced menu comma...

Page 398: ...direction menu commands cfg slb filt filter Number adv security ratelim All Rate Limiting menu commands Main cfg slb on Main cfg slb filt 1 ena Enable Filter 1 Filter 1 action allow Specify an ALLOW filter Filter 1 ipver v6 Specify an IPv6 filter Filter 1 sip 2001 0 0 0 0 0 0 0 Specify source IP Filter 1 smask 64 Specify IPv6 source prefix Filter 1 dip ff00 0 0 0 0 0 0 0 Specify destination IP Fil...

Page 399: ...ses B C and D need to match specific URLs for all the mobile phones from Class A To configure this Class A is defined as a logical expression matching the criteria of Classes B C and D When you need to add additional mobile phone browsers to the list you add them to Class A and they are then propagated to Classes B C and D For more information see Content Intelligent Server Load Balancing page 219...

Page 400: ...RL file name URL file type header cookie general text XML tag Main cfg slb layer7 slb cntclss vADC 1 Server Load balance Resource cntclss Enter Class id myclass HTTP Content Class myclass Menu name Set the Descriptive HTTP content class name hostname URL Hostname lookup Menu path URL Path lookup Menu filename URL File Name lookup Menu filetype URL File Type lookup Menu header Header lookup Menu co...

Page 401: ... with the MAC address of the WAN router This ensures that the returning traffic takes the same ISP path as the incoming traffic RTS is enabled on the incoming WAN ports port 2 and 7 to maintain persistence for the returning traffic Data leaves Alteon from the same WAN link that it used to enter thus maintaining persistency Note As of version 29 0 the RTS method has been superseded by Transparent L...

Page 402: ...Alteon Application Switch Operating System Application Guide Filtering and Traffic Manipulation 402 Document ID RDWR ALOS V2900_AG1302 ...

Page 403: ...ysical ADC Each virtual ADC instance contains a complete and separated environment of resources configurations and management ADC Form Factors ADC VX supports three different ADC form factors Dedicated ADC The traditional Alteon hardware ADC vADC A virtualized instance of the Alteon operating system AlteonOS Alteon VA A software based ADC supporting AlteonOS functionality and running on the VMware...

Page 404: ...n addition one of the main tasks of the Global Administrator is to dynamically allocate CPU and throughput resources by assigning capacity units and adjusting throughput limits to a vADC For more details on capacity units and throughput see Allocating and Removing Processing Power Capacity Units and Throughput Resources page 406 For more details on the Global Administrator s tasks see Global Admin...

Page 405: ...he basic tasks and responsibilities of the Global Administrator include the following Managing vADCs page 405 Monitoring Health and Resource Usage page 406 Allocating and Removing Processing Power Capacity Units and Throughput Resources page 406 The following are additional tasks the Global Administrator performs Assigning Initial User Access page 406 Configuring and Maintaining Management Ports p...

Page 406: ...essing power without having to adjust the allocated throughput You can assign multiple capacity units to a vADC from the available capacity units in the pool of global capacity units After initially assigning a capacity unit you can add or remove throughput in 100 Mb increments up until the amount of available throughput based on the total amount of your installed throughput license To adjust the ...

Page 407: ...bution A Global Administrator managing the system is required to define a vADC only once while the system synchronizes all the settings to one of the peers The system is aware of the location of all vADCs and their peers at all times and performs the configuration synchronization based on the location of the target vADC Therefore there is no need to keep track of or make modifications in multiple ...

Page 408: ...DCs into existing environments and avoid risky and invasive changes to the existing infrastructure Shared interfaces are dedicated tagged or untagged ports that can be assigned to one or more vADCs as a new interface type A shared interface consolidates multiple private vADC communications links with a shared physical network Even though each vADC instance is virtualized they appear and perform in...

Page 409: ...obal Administrator is responsible for the initial vADC settings including user access methods Additionally the Global Administrator can control the access method in which a vADC is accessed such as limiting access through SSH and or HTTPS These settings can be changed by the vADC Administrator if the Global Administrator allows for this For more details on configuring and maintaining management po...

Page 410: ... by the vADC administrator and synchronizes elements such as filters SLB groups virtual IPs and all the vADC SLB settings If the vADC Administrator needs to synchronize vADC configurations the synchronization is done in the same manner as traditional ADCs using the oper slb sync command For more details see the Alteon Application Switch Operating System Command Reference Resource Management ADC VX...

Page 411: ...ocated resources The dashboard provides a centralized view of this data so the Global Administrator can preemptively identify potential application and user issues and needs by verifying the health resource usage and activity of the vADC Note The dashboard is only accessible through the BBI The dashboard displays data on throughput and CPU usage enabling the Global Administrator to identify alloca...

Page 412: ...e Dashboard The following is the procedure for accessing the resource dashboard To access the dashboard From the Monitor tab select Dashboard The following is an example dashboard display of multiple vADCs as set for viewing through the Settings menu see Settings Menu page 417 Figure 65 Example Dashboard Display for Multiple vADCs ...

Page 413: ...each dashboard Bar chart Line chart Chart Filters You can select one of the following filters based on operating capacity Customize default view vADCs operating at 90 capacity vADCs operating at 80 capacity vADCs operating at 70 capacity Time real time 1 hour 24 hours Tool Tips All charts include tool tips which provide more detailed information for a given vADC For example the tool tip for the Th...

Page 414: ...ble 36 Chart Views Chart View Chart Type Behavior Resource Utilization Chart Bar When using filters The real time filter displays real time data The hour displays the maximum value of the last hour The day filter displays the maximum value within the last 24 hours The following is a sample resource utilization bar chart ...

Page 415: ...ement Document ID RDWR ALOS V2900_AG1302 415 Line This displays the CPU utilization Multiple lines in different colors are used to represent the different vADCs The following is a sample resource utilization line chart Table 36 Chart Views cont Chart View Chart Type Behavior ...

Page 416: ...he limit set by the Global Administrator The Comp Throughput tab displays the amount of data going through the compression engine in relation to the limit set by the Global Administrator When using filters The real time filter displays real time data The hour displays the maximum value of the last hour The day filter displays the maximum value of the last 24 hours To provide context the tool tip d...

Page 417: ...rd settings Sampling interval Default chart type vADC chart selection To configure the dashboard settings 1 Expand the Dashboard option to display the Settings menu The following panel displays Service Utilization Chart continued Line The tool tip displays detailed data per vADC The following is a sample resource throughput line chart Table 36 Chart Views cont Chart View Chart Type Behavior ...

Page 418: ... Chart displays the top 10 vADCs in the resource utilization category and the top 10 vADCs in the throughput category Throughput Services is the selection key The Top 10 chart displays the top 10 vADCs that consume the most throughput relative to their throughput limit Util Resource utilization is the selection key The Top 10 chart displays the top 10 vADCs that consume the most resources relative...

Page 419: ...s the following configuration The new vADC is set with four VLANs Only one VLAN is limited for a specific subnet in the example 100 while VLANs 101 102 and 200 can use any IP subnet as required by the vADC Administrator For more details on the vADC Creation Dialog and the vADC Configuration menu see the section on the cfg vadc menu in the Alteon Application Switch Operating System Command Referenc...

Page 420: ...llocation 2 Capacity Unit is Assigned Enter VLAN Number to be added 100 102 200 Do you want to configure Allowed Networks y n y Enter VLAN Number 100 Enter allowed IP version v4 v6 v4 Enter allowed IP network 192 168 20 0 Enter subnet 255 255 255 0 Do you want to assign additional IP network to the allowed list y n n Enter vADC management IP address v4 or v6 10 1 1 1 Enter vADC management subnet m...

Page 421: ...ock certain delegated services so that the vADC Administrator is not able to reconfigure them 1 In the following steps the syslog and RADIUS servers are enabled cfg vadc 2 sys vADC 2 sys vADC system services Menu mmgmt Management Port Menu peer Sync Peer Management Port Menu sync Assign target appliance for configuration sync haid Set HA ID value syslog System Syslog Servers radius System RADIUS S...

Page 422: ...sys RADIUS Menu delegate Enable Disable service delegation from global to vADC lock Lock access for vADC Administrator unlock Unlock access for vADC Administrator cur Display current settings Global vADC sys RADIUS delegate Current Settings disabled Enter new Settings d e e Global vADC sys RADIUS apply Global System syslog cur Current syslog configuration hst1 212 150 48 1 severity 7 facility 7 hs...

Page 423: ...nu vADC 1 Syslog cur Current syslog configuration Current Syslog Status Enabled vADC 1 sys radius cur Current RADIUS status Enabled Global Main cfg Configuration Menu sys System wide Parameter Menu port Port Menu vadc vADC Management Menu dashboard Dashboard Menu l2 Layer 2 Menu dump Dump current configuration to script file ptcfg Backup current configuration to FTP TFTP server gtcfg Restore curre...

Page 424: ...ink and such links can be associated with a vADC trunk dedicated link VLAN tag on a dot1q trunk team shared interface and so on For an example of assigning a VLAN shared interface to a vADC see Assigning a VLAN Shared Interface to a vADC page 428 Global vADC 4 sys mmgmt addr 10 203 114 54 Current vADC IP address 0 0 0 0 New pending vADC 4 IP address 10 203 114 53 Global vADC 4 sys mmgmt mask 255 2...

Page 425: ...interfaces Pending new vADC 4 Layer2 interfaces 101 104 Global vADC allowed IP networks add Enter allowed network number 1 Current VLAN Number 0 Pending new VLAN Number 100 Enter new VLAN Number 1 4090 100 Enter new IP version v4 v6 v4 Current Network IP address 0 0 0 0 Enter new Network IP address 192 168 1 0 Current Network Mask 0 0 0 0 Enter new Network Mask 255 255 255 0 Current Settings vADC ...

Page 426: ...shown in the following example To enable a newly created vADC Global Configuration vadc 4 vADC 1 Menu sys Enable system services add Add Vlan rem Remove Vlan name vADC Name cu Update Capacity Units limit Maximum throughput allowed allow Allocate allowed IP networks users vADC Users Menu swf Enable Disable software features ena Enable vADC dis Disable vADC del Delete vADC cur Display current vADC c...

Page 427: ...vADC resources vADC 1 dis Current status enabled New status disabled vADC 1 apply Apply complete don t forget to save updated configuration vADC 1 cu 5 Current Settings vADC 1 Assigned Capacity Units 3 New Settings vADC 1 Assigned Capacity Units 5 vADC 1 apply vADC 1 ena Current status disabled New status enabled vADC 1 apply Apply complete don t forget to save updated configuration vADC 1 In orde...

Page 428: ...e disable VLAN tagging for port iponly Enable disable allowing only IP related frames ena Enable port dis Disable port cur Display current port configuration Port 15 ena Current status enabled New status enabled Global Configuration cfg l2 vlan 300 VLAN number 300 with name VLAN 300 created VLAN 300 Menu name Set VLAN name stg Assign VLAN to a Spanning Tree Group add Add port to VLAN rem Remove po...

Page 429: ...r both administrators the file can contain a full ADC configuration or a partial ADC configuration Restoring the Active Configuration of an Existing vADC The vADC Administrator can restore the active configuration of an existing vADC To restore the active configuration of an existing vADC Access the Active Switch Configuration Restoration menu and configure the following parameters VLAN 300 shared...

Page 430: ...lace an existing one vadmin Creates a vADC Administrator level backup file containing the configuration information available to the vADC administrator This option requires a vADC to exist in the system padc Creates a new vADC from the configuration files of a physical standalone ADC or to replace one or all existing vADCs with the configuration files of a physical standalone ADC This section incl...

Page 431: ...t return for TFTP server Global Configuration c gtcfg Select Import option all vadc padc vadc Select vADC recovery type all vadmin all Enter vADC number 1 28 1 Enter hostname or IP address of FTP TFTP SCP server 192 168 1 1 Enter name of file on FTP TFTP SCP server OCS Service vADC Enter username for FTP SCP server or hit return for TFTP server radware Enter password for username on FTP SCP server...

Page 432: ...following message displays 5 Enter y to create a new vADC 6 When prompted configure the following parameters cfg gtcfg Select import option all vadc padc padc Enter hostname or IP address of FTP TFTP SCP server Enter name of file on FTP TFTP SCP server Enter username for FTP SCP server or hit return for TFTP server Enter password for username on FTP SCP server Enter scp or hit return for FTP serve...

Page 433: ...configurations of one or all existing vADCs to a destination on the file server This section includes the following topics Backing Up the vADC Administrator Level Configuration page 434 Backing Up the Complete System page 434 Backing Up vADC Configuration Files from an Existing vADC page 434 Backing Up the Entire Administrator Environment page 435 cfg gtcfg Select import option all vadc padc padc ...

Page 434: ... following parameters Backing Up vADC Configuration Files from an Existing vADC The Global Administrator can back up vADC configuration files from an existing vADC and define the type of file to back up To backup all vADC configuration files from an existing vADC 1 Access the Active Switch Configuration Restoration menu Choosing this option backs up the entire vADC including both the Global and vA...

Page 435: ... the entire Administrator environment 1 Access the Active Switch Configuration Restoration menu 2 When prompted configure the following parameters Enter vADC number 1 28 all Enter hostname or IP address of FTP TFTP SCP server Enter name of file on FTP TFTP SCP server Enter username for FTP SCP server or hit return for TFTP server cfg ptcfg vadc Select backup option all global vadc vadc Enter vADC ...

Page 436: ...stem The image is pre loaded to the system supporting both ADC VX and standalone ADC deployment without the need to change software images For downloading procedures see the Radware Alteon Installation and Maintenance Guide The following are the available image types Table 37 Image Formats Image Format File Name Description AlteonOS AlteonOS version platform img For example AlteonOS 29 0 0 0 4408 ...

Page 437: ...DC VX infrastructure Note This image can only be installed when an image is first installed and set as the default image USB Recovery System Image Recovery AlteonOS version platform zip For example Recovery AlteonOS 29 0 0 0 4416 zip This image is a USB recovery image for the system image It is used for the entire system not for only one element standalone mode vADC mode or ADC VX infrastructure A...

Page 438: ...gnments and up to four ADC VX infrastructure images Global administrators can view and manage ADC VX and standalone deployment images Image Bank The image bank can store up to 10 ADC application images and ADC VX infrastructure images When booting the system or loading an image the image bank displays all available images and their statuses You can only load one image of each AlteonOS version Load...

Page 439: ...es ID Version Downloaded Image status 1 28 1 0 5 17 41 28 Sun Jan 13 2013 Idle 2 28 1 0 0 12 45 39 Wed Mar 31 2013 Idle 3 28 1 0 1 17 41 28 Sun Jan 13 2013 Idle 4 28 1 0 2 12 45 39 Wed Mar 31 2013 Idle Enter Image ID to be replaced 1 4 2 ADC Application Images ID Version Downloaded Image status vADC IDs 1 17 41 28 Sun Jan 13 2013 Incompatible 2 28 1 0 0 12 45 39 Wed Mar 31 2013 Active 6 3 28 1 0 2...

Page 440: ...RNING Restarts Spanning Tree cur Display current boot options Standalone ADC Boot Options gtimg Enter image type all vx adc adc ADC Application Images ID Version Downloaded Image status vADC IDs 1 17 41 28 Sun Jan 13 2013 Incompatible 2 28 1 0 0 12 45 39 Wed Mar 31 2013 Active 6 3 28 1 0 2 17 41 28 Sun Jan 13 2013 Active 7 4 28 1 0 3 12 45 39 Wed Mar 31 2013 Active 10 12 5 28 1 0 4 17 41 28 Sun Ja...

Page 441: ...ge Standalone ADC Main boot Boot Options Menu virtual Switch mode from Standalone to ADC VX image Select software image to use on next boot conf Select config block to use on next boot gtimg Download new software image via FTP TFTP SCP reset Reset switch WARNING Restarts Spanning Tree cur Display current boot options Standalone ADC Boot Options gtimg Enter image type all vx adc vx ADC VX Infrastru...

Page 442: ...t affecting certified image versions or existing configurations Loading Images Only the Global Administrator can load images Because the system only holds one image for each ADC VX at a time you do not need to load the same image more than once The same image can be used by multiple vADCs You can only replace an active image after the Global Administrator authorizes the switch In the ADC VX mode y...

Page 443: ... default image image Select software image to use on next boot conf Select config block to use on next boot gtimg Download new software image via FTP TFTP SCP reset Reset switch cur Display current boot options logen Enable Disable Enhanced Log Size Global Boot Options gtimg Enter image type all vx adc adc Enter image ID to be replaced 1 10 Global Main boot Boot Options Menu single Switch between ...

Page 444: ... 2013 Active 10 12 5 28 1 0 4 17 41 28 Sun Jan 13 2013 Active 15 20 6 28 1 0 5 12 45 39 Wed Mar 31 2013 Idle 28 7 28 1 0 6 17 41 28 Sun Jan 13 2013 Idle 1 5 8 9 28 3 0 0 17 41 28 Sun Jan 13 2013 Active 22 10 28 4 0 0 12 45 39 Wed Mar 31 2013 Idle Enter image ID to be replaced 1 10 8 Enter hostname or IP address of FTP TFTP SCP server 10 210 31 39 Enter name of file on FTP TFTP SCP server AAS 28 1 ...

Page 445: ...C vADCs can use any of the 10 ADC application images loaded on the system To upgrade a single vADC 1 Access the Active Switch Configuration Boot menu 2 Enter image and select the image type used for the upgrade Global Boot Options gtimg Enter image type all vx adc vx ADC VX Infrastructure Images ID Version Downloaded Image status 1 28 1 0 3 17 41 28 Sun Jan 13 2013 Idle 2 28 1 0 0 12 45 39 Wed Mar...

Page 446: ...2013 Active 7 4 28 1 0 3 12 45 39 Wed Mar 31 2013 Active 10 12 5 28 1 0 4 17 41 28 Sun Jan 13 2013 Active 15 20 6 28 1 0 5 12 45 39 Wed Mar 31 2013 Idle 28 7 28 1 0 6 17 41 28 Sun Jan 13 2013 Idle 1 5 8 9 28 3 0 0 17 41 28 Sun Jan 13 2013 Active 22 10 28 4 0 0 12 45 39 Wed Mar 31 2013 Idle Enter vADC ID 1 28 1 Enter image ID 1 10 10 Image 10 instead of image 7 will be used by vADC next vADC restar...

Page 447: ...Application Images ID Version Downloaded Image status vADC IDs 1 17 41 28 Sun Jan 13 2013 Incompatible 2 28 1 0 0 12 45 39 Wed Mar 31 2013 Active 6 3 28 1 0 2 17 41 28 Sun Jan 13 2013 Active 7 4 28 1 0 3 12 45 39 Wed Mar 31 2013 Active 10 12 5 28 1 0 4 17 41 28 Sun Jan 13 2013 Active 15 20 6 28 1 0 5 12 45 39 Wed Mar 31 2013 Idle 28 7 28 1 0 6 17 41 28 Sun Jan 13 2013 Idle 1 5 8 9 28 3 0 0 17 41 2...

Page 448: ...age status vADC IDs 1 17 41 28 Sun Jan 13 2013 Incompatible 2 28 1 0 0 12 45 39 Wed Mar 31 2013 Active 6 3 28 1 0 2 17 41 28 Sun Jan 13 2013 Active 7 4 28 1 0 3 12 45 39 Wed Mar 31 2013 Active 10 12 5 28 1 0 4 17 41 28 Sun Jan 13 2013 Active 15 20 6 28 1 0 5 12 45 39 Wed Mar 31 2013 Idle 28 7 28 1 0 6 17 41 28 Sun Jan 13 2013 Idle 1 5 8 9 28 3 0 0 17 41 28 Sun Jan 13 2013 Active 22 10 28 4 0 0 12 ...

Page 449: ... the image type used for the upgrade Note If you select no you must restart the system manually ADC Application Image Status Options The image status options display the current ADC VX setup Caution You should not remove images that are currently being used by vADCs Global Boot Options image Enter image type vx adc vx ADC VX Infrastructure Images ID Version Downloaded Image status 1 28 1 0 3 17 41...

Page 450: ... old configuration files Caution If you remove all infrastructure images the image switching process cannot be initiated Switching from Standalone to ADC VX Mode Switching from standalone to ADC VX mode includes both the software and the configuration files The following boot options are available Boot with factory defaults Boot with the last known configuration When booting with the last known co...

Page 451: ... mode ADC VX images and ADC VX configuration files are not deleted from their respective banks as a result of the switch This option imports the vADC Administrator level settings and the related network settings available to the Global Administrator VLANs and port association Note Always use the settings available to the vADC including the management address management access mode syslog service a...

Page 452: ...nk between up to 64 vADCs Global Main boot Boot Options Menu single Switch between ADC VX and Standalone vadc Restart selected vADC process dimage Select default image image Select software image to use on next boot conf Select config block to use on next boot gtimg Download new software image via FTP TFTP SCP reset Reset switch cur Display current boot options logen Enable Disable Enhanced Log Si...

Page 453: ...on By default they are identical to the vADC ID and can be modified by the Global Administrator Table 40 describes the HA ID settings Modifying HA IDs The Global Administrator can modify the HA ID of vADCs To modify an HA ID 1 Access the Active Switch Configuration vADC System Services menu 2 Enter haid to set the HA ID value Table 40 HA ID Settings HA ID Description 0 This HA ID is required when ...

Page 454: ...pplication Switch Operating System Application Guide ADC VX Management 454 Document ID RDWR ALOS V2900_AG1302 Global vADC 3 system services haid Enter HA ID value 0 63 1 Current HA ID value 3 New HA ID value 1 ...

Page 455: ... Peer Cache Load Balancing page 480 Discusses the pattern matching filter redirection for load balancing peer to peer caches Note To access application redirection functionality the optional Layer 4 software must be enabled For more information see the section on Filtering and Layer 4 in the Alteon Application Switch Operating System Command Reference Overview Most of the information downloaded fr...

Page 456: ...egularly overload the Internet router Figure 67 Network without Application Redirection This network needs a solution that addresses the following key concerns The solution must be readily scalable The administrator should not need to reconfigure all the clients browsers to use proxy servers If you have more clients than ports then connect the clients to a Layer 2 switch as shown in Figure 68 Netw...

Page 457: ... described in this example see the Alteon Application Switch Operating System Command Reference In this example Alteon is placed between the clients and the border gateway to the Internet Alteon is configured to intercept all Internet bound HTTP requests on default TCP port 80 and redirect them to the cache servers Alteon distributes HTTP requests equally to the cache servers based on the destinat...

Page 458: ...real server For example 5 Define a real server group This places the three cache real servers into one service group Table 41 Cache Redirection Example Real Server IP Addresses Cache Server IP address Server A 200 200 200 2 Server B 200 200 200 3 Server C 200 200 200 4 cfg l3 if 1 Select IP interface 1 IP Interface 1 addr 200 200 200 100 Assign IP address for the interface IP Interface 1 ena Enabl...

Page 459: ...eter defines the real server TCP or UDP port to which redirected traffic is sent The port defined by the rport parameter is used when performing Layer 4 health checks of TCP services Also if NAT and proxy addresses are used on Alteon see step 3 the rport parameter must be configured for all application redirection filters Make sure to use the proper port designation with rport If the transparent p...

Page 460: ... Save your new configuration changes 14 Check the SLB information Filter 2 cfg slb filt 2048 Select the default filter Filter 2048 sip any From any source IP addresses Filter 2048 dip any To any destination IP addresses Filter 2048 proto any For any protocols Filter 2048 action allow Set the action to allow traffic Filter 2048 ena Enable the default filter Filter 2048 cfg slb port 5 Select the Cli...

Page 461: ...e delivery of the data To ensure the high quality of multimedia presentations several caching servers are needed to cache the multimedia data locally This data is then made available quickly from the cache memory as required RTSP cache redirection redirects cached data transparently and balances the load among the cache servers If there is no cache server the request is directed to the origin serv...

Page 462: ...ache servers cfg slb real 1 Real server 1 rip 1 1 1 1 Configure RTSP Cache Server 1 Real server 1 ena Enable RTSP Cache Server 1 Real server 1 cfg slb real 2 Real server 2 rip 1 1 1 2 Configure RTSP Cache Server 2 Real server 2 ena Enable RTSP Cache Server 2 Real server 2 cfg slb real 3 Real server 3 rip 1 1 1 3 Configure RTSP Cache Server 3 Real server 3 ena Enable RTSP Cache Server 3 Real server...

Page 463: ...b filt 1 Select the menu for Filter 1 Filter 1 action redir Set the action for redirection Filter 1 proto tcp Enter TCP protocol Filter 1 dport rtsp Enter service port for RTSP Filter 1 rport rtsp Enter redirection port for RTSP Filter 1 group 1 Select RTSP cache server Group 1 Filter 1 adv proxyadv Select advanced menu for Filter 1 Filter 1 Advanced proxy disable Disable proxy cfg slb filt 2048 S...

Page 464: ...orts Each of the ports using redirection filters require proxy IP addresses For more information on proxy IP addresses see Client Network Address Translation Proxy IP page 190 2 In this example proxy IP addresses are configured SLB port 3 cfg slb pip Select proxy IP address menu Proxy IP address type port Use port based proxy IP Proxy IP Address add 200 200 200 68 Set proxy IP address Proxy IP Add...

Page 465: ...p real time session information or authenticate by client IP address To prevent such sites from being redirected to cache servers create a filter that allows this specific traffic to pass normally through Alteon This filter must have a higher precedence a lower filter number than the application redirection filter For example if you want to prevent a popular Web based game site on subnet 200 10 10...

Page 466: ...he following types of cache redirection URL Based Cache Redirection page 466 HTTP Header Based Cache Redirection page 472 Browser Based Cache Redirection page 474 URL Hashing for Cache Redirection page 475 RTSP Streaming Cache Redirection page 477 URL Based Cache Redirection URL parsing for cache redirection operates in a manner similar to URL based server load balancing except that in cache redir...

Page 467: ...onfigure to add delete or modify are Dynamic content files Common gateway interface files cgi Cold fusion files cfm ASP files asp BIN directory CGI BIN directory SHTML scripted html Microsoft HTML extension files htx Executable files exe Dynamic URL parameters As shown in Figure 70 URL Based Cache Redirection page 467 requests matching the URL are load balanced among the multiple servers depending...

Page 468: ...figure URL based cache redirection 1 Before you can configure URL based cache redirection configure Alteon for basic SLB with the following tasks Assign an IP address to each of the real servers in the server pool Define an IP interface Define each real server For information on how to configure your network for SLB see Server Load Balancing page 165 2 Configure Alteon to support basic cache redir...

Page 469: ...er to the following examples Example 1 String Starting with the Forward Slash A string that starts with a forward slash such as images indicates that the server will process requests that start with the images string only With the images string the server will handle these requests images product b gif images company a gif images testing c jpg The server will not handle these requests company imag...

Page 470: ...ing The server can have multiple defined strings For example images sales gif With these defined strings the server can handle requests that begin with images or sales and any requests that contain gif 8 Define a real server group and add real servers to the group The following configuration combines three real servers into a group 9 Configure a filter to support basic cache redirection The filter...

Page 471: ...rce port Filter filter number dport http To an HTTP destination port Filter filter number action redir Set the action for redirection Filter filter number rport http Set the redirection port Filter filter number group 1 Select real server group 1 Filter filter number ena Enable the filter cfg slb filt filter number adv layer7 l7lkup ena cfg slb filter filter number adv proxyadv proxy dis cfg slb f...

Page 472: ... Before you can configure header based cache redirection ensure that Alteon is configured for basic SLB see Server Load Balancing page 165 Assign an IP address to each of the real servers in the server pool Filter filter number ena Enable the default filter Filter filter number port port number Assign the default filter to a port SLB port number filt ena SLB port number add filter number SLB port ...

Page 473: ...ers with this command Each defined string has an associated ID number 7 Configure the real servers to handle the appropriate load balance strings 8 Add the defined string IDs to the real servers where ID is the identification number of the defined string Note If you do not add a defined string or add ID 1 the server will handle any request cfg slb filt 1 adv layer7 l7lkup ena cfg slb layer7 redir ...

Page 474: ...le header load balancing for User Agent header 4 Define the hostnames 5 Apply and save your configuration changes 6 Identify the string ID numbers with this command Each defined string has an ID number Number of entries four 7 Add the defined string IDs to configure the real servers to handle the appropriate load balance strings where ID is the identification number of the defined string If you do...

Page 475: ...he redirection based on a hash key 1 Configure basic SLB Before you can configure header based cache redirection ensure that Alteon is configured for basic SLB see Server Load Balancing page 165 Assign an IP address to each of the real servers in the server pool Define an IP interface Define each real server Assign servers to real server groups Define virtual servers and services Configure the loa...

Page 476: ...ex htm is directed to cache server 1 Figure 71 URL Hashing for Application Redirection B Hashing on the Host Header Field Only In this example URL hashing is disabled If you use the host header field to calculate the hash key the same URL request goes to the same cache server Client 1 request http www radware com is directed to cache server 1 Client 2 request http www radware com is directed to ca...

Page 477: ...switched to the same cache server to facilitate caching of entire presentations This section explains Layer 7 support for RTSP Streaming Cache Redirection For more information on RTSP Streaming Cache Redirection see RTSP Cache Redirection page 461 For detailed information on two prominent commercial RTSP servers Real Player and QuickTime see Real Time Streaming Protocol SLB page 291 As shown in Fi...

Page 478: ...b real 4 Real server 4 rip 1 1 1 4 Configure RTSP Cache Server 4 Real server 4 ena Enable RTSP Cache Server 4 cfg slb group 1 Real Server Group 1 add 1 Add RTSP Cache Server 1 to Group 1 Real Server Group 1 add 2 Add RTSP Cache Server 2 to Group 1 Real Server Group 1 add 3 Add RTSP Cache Server 3 to Group 1 Real Server Group 1 add 4 Add RTSP Cache Server 4 to Group 1 cfg slb filter 100 Select the ...

Page 479: ... Define the RTSP file extensions to load balance among the cache servers 11 Apply and save your configuration changes 12 Identify the associated ID number for each of the defined RTSP file extension 13 Assign the URL string ID to the cache servers Filter 2048 ena Enable a default allow filter Filter 2048 action allow Set the action to allow normal traffic cfg slb port 25 Select the menu for port 2...

Page 480: ...tance subsequent packets after the initial match are not subjected to pattern matching Packet redirection is accomplished by substituting the original destination MAC address with the real server MAC address Some applications however require that all of the Layer 2 information remain unmodified in the redirected packet To support instances where this is the case you can disable destination MAC add...

Page 481: ... Checks page 489 Describes how the File Transfer Protocol FTP server is used to perform health checks and explains how to configure Alteon to perform FTP health checks POP3 Server Health Checks page 489 Explains how to use Post Office Protocol Version 3 POP3 mail server to perform health checks between a client system and a mail server and how to configure Alteon for POP3 health checks SMTP Server...

Page 482: ...Health Check page 506 Describes how to disable fast link health checks Understanding Health Check Monitoring Monitoring the availability of real servers and groups is an important component in any Application Delivery Controller Detection of real server failure is critical in ensuring continuous service Alteon allows to accurately monitor the health and performance response time of real servers an...

Page 483: ...tion address set to real server IP When assigned to a real server a run time instance is created with the destination address set to real server IP When a destination address is specified the health check is always sent to that destination regardless of its assigned elements This option is useful to determine real server availability based on the availability of an external element non real server...

Page 484: ...checks can monitor different applications and different targets For example to determine whether application servers are available you must test that the application is running on the server and back end processing servers or databases are available Multiple basic health checks can be bound to the monitored real server by means of an advanced logical expression LOGEXP health check Supported Health...

Page 485: ...sible to configure a user defined Link health check TCP Health Checks TCP health checks are useful in verifying that a specific TCP application port is up Session devices monitor the health of servers and applications by sending Layer 4 connection requests TCP SYN packets When a connection request succeeds the session device quickly closes the connection by sending a TCP FIN packet The pre defined...

Page 486: ...ce hname parameter and virtual server dname parameter hname dname See Example HTTP Health Checks page 487 Path Specifies the request path up to 256 characters If empty the request is sent to the Web service root An Inherit value can be configured to allow the path configuration using the group content See Example HTTP Health Checks page 487 Method Specifies the HTTP method used in the request The ...

Page 487: ...irtual server dname parameter only C Host header not specified D Request path using group content hname everest dname example com content index html Health check is performed using GET index html HTTP 1 1 Host everest example com hname none dname raleighduram cityguru com content page gen _template alteon Health check is performed using GET page gen _template alteon HTTP 1 1 Host raleighduram city...

Page 488: ... the RRQ The health check fails if Alteon receives an error packet from the real server The following TFTP specific argument is available Path Filename Specifies the file name requested up to 256 characters Depending on the implementation of the TFTP daemon on the real servers being health checked you may have to specify the full pathname of the file tftpboot filename on some systems On others a f...

Page 489: ... the login user name to the FTP server up to 32 characters Default anonymous Password Specifies the login password for the configured username up to 32 characters Path Filename Specifies the name of the file to be downloaded up to 256 characters An Inherit value can be configured to allow path filename definition using the group content parameter If no filename is specified the FTP health check on...

Page 490: ...rmed for that group is TCP A pre defined imap health check is available for simple IMAP service monitoring The health check has the Username and Password parameters set to Inherit allowing definition using the group content and the destination port set to standard IMAP port 143 NNTP Server Health Checks Net News Transfer Protocol NNTP specifies a protocol for the distribution inquiry retrieval and...

Page 491: ... based on the server port rport configured on the service If the server port is not a standard RADIUS port 1812 or 1813 a TCP health check is performed For this health check the username password and shared secret are set to Inherit SSL HELLO Health Checks Alteon can query the health of the SSL servers by sending an SSL client Hello packet and then verifying that the response is a valid Server Hel...

Page 492: ...pted WSP and WTP WAP health checks if the mandatory content arguments are empty the health check performed for that group is TCP The following WAP pre defined health checks are available wsp wtp wtls wsp and wtls wtp Unlike other pre defined health checks available on Alteon these health checks are editable For WSP and WTP health checks if the content parameters are not configured the health check...

Page 493: ...allows a user to access applications and data on a remote computer over a network using the Remote Desktop Protocol RDP The WTS health check attempts to open a connection to the TS server You can define a user name to be used in the TS cookie By default the user name Administrator is used An Inherit value can be configured to allow the user name configuration via group content A pre defined wts he...

Page 494: ...group content Response codes Specifies a list of up to 10 response codes that represent health check success The default is 200 A pre defined rtsp health check is available for simple RTSP service monitoring The health check has the parameters set to Inherit allowing definition using the group content and destination port set to standard RTSP port 554 SIP Health Checks The Session Initiation Proto...

Page 495: ... a specific TCP or UDP port send a request to the server expect an ASCII string or binary pattern and for TCP based health checks only to close a connection The string or pattern configured with an expect or in the case of binary bexpect command is searched for in each response packet If it is not seen anywhere in any response packet before the real server health check interval expires the server ...

Page 496: ...strings or binary patterns The close command is not required for a health check on UDP protocol Notes TCP based Health Checks for HTTP Protocol If you are performing HTTP 1 1 pipelining you need to individually open and close each response in the script open application_port protocol name for example 80 TCP send request 1 ascii string expect response 1 send request 2 expect response 2 send request...

Page 497: ...rsus Scripting Commands Listed below are the currently available commands for building a script based health check OPEN Specify which destination real server UDP port to be used For example OPEN 9201 You can also use Inherit to allow a script to inherit the destination port from the service server port This enables the reuse of a script for multiple services After entering the destination port you...

Page 498: ... an EXPECT command in the script or the OFFSET command if one exists after an EXPECT command The wait window is in units of milliseconds Wildcard character Trigger a match as long as a response is received from the server The wildcard character is allowed with the BEXPECT command as in BEXPECT Any NEXPECT OFFSET or DEPTH commands that follow a wildcard character will be ignored Scripting Guideline...

Page 499: ... real server on the remote device that was up If all real servers on the remote device were down the remote real server a virtual server of a remote device responded with an HTTP redirect message to the health check Using the scriptable health check feature you can set up health check statements to check all the substrings involved in all the real servers The following is an example GSLB URL healt...

Page 500: ...ver IP addresses are down Real Server 7 the virtual server IP address of the remote site responds with an HTTP redirect respond code 302 to the health check As a result the health check fails as the expected response code is 200 ensuring that the HTTP redirect messages will not cause a loop Figure 73 Example Health Checking Script Example 3 A UDP Based Health Check using Binary Content Health chec...

Page 501: ...f a script fails the expect line in the script that is failing is displayed using the info slb real real server number command In this case the server is not responding to the get with the expect string When the script succeeds in determining the health of a real server the following information displays cfg slb group x health script3 content none cfg slb advhc script 3 open 53 udp bsend 53 53 01 ...

Page 502: ...se code dhcp Sends a DHCP request determined by the health check content configuration in the monitored group dns Sends a DNS query for domain name configured in the group health check content to standard TCP DNS port 53 udpdns Sends a DNS query for domain name configured in the group health check content to standard UDP DNS port 53 ftp Attempts an anonymous login to the FTP server and retrieval o...

Page 503: ...nt value sip Sends an SIP ping proprietary Nortel request to the real server sipoptions Sends an SIP OPTIONS request to the real server smtp Attempts to access the SMTP server on the standard port 25 and verify the validity of the username configured in the group health check content sslh Sends an SSL Hello version 2 to the real server sslh3 Sends an SSL Hello version 3 to the real server tftp Att...

Page 504: ... associated with existing sessions continues to be sent to the server All load balanced services on a server must fail before Alteon places the server in the server failed state The server is brought back into service as soon as the first service is proven to be healthy Additional services are brought online as they are subsequently proven to be healthy Preventing a Flood of Server Connections Alt...

Page 505: ...e enabled the health check will fail if the real server is not properly configured with the virtual server IP address Note The DSR VIP health check cfg slb group viphlth is enabled by default This has no effect on the health check unless the real server is configured with DSR Advanced Group Health Check Alteon lets you configure an expression to fine tune the selected health check for a real serve...

Page 506: ...ionally down as soon as the physical connection to it is down without waiting for the health check to fail This behavior may not be advantageous in certain configurations in which a link may go down and then be quickly restored such as in VPN load balancing By disabling this fast health check behavior the real server will be marked as down only after the configured health check interval thus allow...

Page 507: ...pology no device should be a single point of failure for the network or cause a single point of failure in any other part of the network This means that a network remains in service despite the failure of any single device To achieve this usually requires redundancy for all vital network components Each participating VRRP capable routing device is configured with the same virtual router IP address...

Page 508: ...ss for ICMP pings TCP connections and so on Only one of the VRRP routers in a virtual interface router may be configured as the IP address owner There is no requirement for any VRRP router to be the IP address owner Most VRRP installations choose not to implement an IP address owner If the owner is not available the backup becomes the master and takes responsibility for packet forwarding and respo...

Page 509: ... the master and the backup can be down If the master has failed it is clearly desirable for the backup or one of the backups if there is more than one to become the master Note If communication links between the master and the backup are down but the master is healthy Alteon may select a second master within the virtual router To prevent this configure redundant links between the VRRP devices with...

Page 510: ...which extend the benefits of VRRP to virtual server IP addresses that are used to perform SLB Virtual server routers operate for virtual server IP vip addresses in much the same manner as virtual interface routers operate for IP interfaces A master is negotiated via a bidding process during which information about each VRRP router s priority is exchanged Only the master can process packets that ar...

Page 511: ...Alteon 2 is a virtual router backup Its real interface is configured with an IP address that is on the same subnet as the virtual interface router but is not the IP address of the virtual interface router The virtual interface router is assigned a VRID of 1 Both of the VRRP routers have a virtual router MAC address of 00 00 5E 00 01 01 Sharing Interfaces for Active Active Failover Alteon supports ...

Page 512: ...Service based virtual router groups allow for efficient tracking and failover based on each group s tracking parameters while leaving other groups unaffected Virtual routers in one vrgroup cfg l3 vrrp vrgroup 1 will not necessarily all have the same status master backup or init By contrast virtual routers in the global vrrp group cfg l3 vrrp group will always have the same status The priority trac...

Page 513: ...oups Physical Alteon based VRRP groups must be disabled cfg l3 vrrp group dis Up to 16 vrgroups can be configured on a single Alteon Each vrgroup can contain up to 64 virtual routers assigned with a virtual router number from 1 through 1024 Each virtual router can be configured as a virtual interface router or a virtual service router Virtual routers that become members of a vrgroup assume the pri...

Page 514: ...ce the switch based VRRP group is enabled assume the group s tracking and priority When one member of a switch based VRRP group fails the priority of the group decreases and the state of the entire Alteon changes from master to backup If an Alteon is in the backup state Layer 4 processing is still enabled If a virtual server is not a virtual router the backup can still process traffic addressed to...

Page 515: ...rtual routers in master mode on Alteon To enable tracking on VRs cfg l3 vrrp vr track vrs ena To change the virtual router increment cfg l3 vrrp track vrs 0 254 Useful for ensuring that traffic for any particular client server pair is handled by the same Alteon increasing routing and load balancing efficiency This parameter influences the VRRP router s priority in both virtual interface routers an...

Page 516: ... then the entire vrgroup will fail over Tracking can be configured for each vrgroup with the same resources tracked on individual virtual routers see Table 48 VRRP Tracking Parameters page 515 The only resource that cannot be tracked on a vrgroup basis is the number of virtual routers Number of physical ports that have active Layer 4 processing To enable tracking on Layer 4 ports cfg l3 vrrp vr tr...

Page 517: ...eways or real servers are operational Alteon may create empty session entries for the coming data packets and the traffic cannot be forwarded to any gateway or real server Alteon supports a VRRP holdoff timer which pauses VRRP instances from starting or changing to master state during the initialization The VRRP holdoff timer can be set from 0 to 255 seconds The VRRP master waits the specified num...

Page 518: ...with path dependencies That is the service paths are related and affect one another You can set the OSPF cost increment for the VR single interface VR group multiple interface and group multiple interface For more information on configuring the OSPF cost refer to the Alteon Application Switch Operating System Command Reference IPv6 VRRP Support Alteon supports using IPv6 with VRRP For background i...

Page 519: ...0 second This is an 8 bit field in IPv4 that specifies this interval in seconds Note Radware recommends setting the default to 100 1 second or greater to avoid a high load on the management CPU The Hop Limit field is used to track how many nodes have forwarded the packet The field value is decremented by one for each node that forwards the packet VRRP routers are instructed to discard IPv6 VRRP pa...

Page 520: ... the cfg l3 vrrp group ipver v6 command IPv6 VRRP Information The following are sample informational and statistical displays for IPv6 VRRP support To view IPv6 VRRP information To view IPv6 VRRP statistics Main info l3 vrrp VRRP information 9 vrid 9 2005 0 0 0 0 0 10 9 if 9 renter prio 101 master 10 vrid 10 10 10 10 50 if 1 renter prio 101 master 20 vrid 20 2005 0 0 0 0 0 20 20 if 20 renter prio ...

Page 521: ...ion are valid without session synchronization Active Standby Redundancy This section describes the following topics Active Standby Environments page 521 Configuring Active Standby Redundancy page 522 Active Standby Environments In an active standby configuration the active switch supports all traffic or services The backup switch acts as a standby for services on the active master switch If the ma...

Page 522: ...n does not require dedicated interswitch links ISL or hotstandby settings on ports 2 Enable IP forwarding For more information see To enable IP forwarding page 523 3 Configure two interfaces one for each VLAN For more information see To configure Layer 3 physical interface settings page 523 4 Configure virtual routers one for each interface and one for each service For more information see To conf...

Page 523: ...e Layer 3 physical interface settings 1 On the active Alteon configure two interfaces and associate a different VLAN with each interface Each interface has a unique IP address Main cfg l2 stg 1 Select the STP Group number Main cfg l2 stg 1 off Disable STP Main cfg l2 stg 1 apply Make your changes active Main cfg l3 frwd on Main cfg l3 if 1 Name the device interface Main cfg l3 if 1 ena Enable the ...

Page 524: ...nterface Main cfg l3 if 1 vlan 10 Set the VLAN number for the interface Main cfg l3 if 2 Name the device interface Main cfg l3 if 2 ena Enable the interface Main cfg l3 if 2 addr 10 10 20 252 Set the IP address for the interface Main cfg l3 if 2 mask 255 255 255 0 Set the subnet mask for the interface Main cfg l3 if 2 vlan 20 Set the VLAN number for the interface Main cfg l3 vrrp on Enable VRRP Ma...

Page 525: ...vrrp vr 1 Specify the virtual router number for VLAN 10 at interface 1 Main cfg l3 vrrp vr 1 ena Enable the virtual router Main cfg l3 vrrp vr 1 vrid 25 Set the virtual router ID Main cfg l3 vrrp vr 1 if 1 Select a device IP interface Main cfg l3 vrrp vr 1 prio 100 Set the priority bias for the virtual router Main cfg l3 vrrp vr 1 addr 10 10 10 254 Set the virtual router IP address Main cfg l3 vrr...

Page 526: ...the service Main cfg l3 vrrp on Enable VRRP Main cfg l3 vrrp vr 4 Specify the virtual router number for the service Main cfg l3 vrrp vr 4 ena Enable the virtual router Main cfg l3 vrrp vr 4 vrid 55 Set the virtual router ID Main cfg l3 vrrp vr 4 if 1 Select a device IP interface Main cfg l3 vrrp vr 4 prio 101 Set the priority bias for the virtual router Main cfg l3 vrrp vr 4 addr 10 10 10 200 Set ...

Page 527: ...lancing virtual server VIP This configuration is often used to allow two different data centers located at different locations to have different Internet access paths Main cfg l3 vrrp group en Enable VRRP grouping Main cfg l3 vrrp group vrid 60 Specify the virtual router ID for the VRRP group Main cfg l3 vrrp group if 1 Set the IP interface to which VRRP group advertisements will be sent Main cfg ...

Page 528: ...akes over processing for all services The backup may forward Layer 2 and Layer 3 traffic as appropriate In a non shared or switch based environment two Alteon devices are used as VRRP routers implementing a virtual server router VSR The active switch supports all traffic or services The backup switch acts as a standby for services on the active master switch If the master switch fails the backup s...

Page 529: ...ers may be configured on one device and synchronized with the settings on the other device see step 5 3 Configure all required SLB parameters on one of the devices For the purposes of this example assume that Alteon 1 is configured in this step Configure a VIP set to 205 178 13 226 and one real server group with two real servers RIP 10 10 10 103 should be configured as a backup server to RIP 10 10...

Page 530: ...ice and is activated simultaneously as a backup by the other device the total number of possible connections to that server is the sum of the maximum connection limits defined for it on both devices To configure background configuration In this procedure you perform the following Define IP interfaces Define VLANs Disable the Spanning Tree protocol Verify that IP forwarding is enabled 1 Define the ...

Page 531: ...to communicate through the device If you are not sure whether to enable IP forwarding enable it In this example the virtual server IP addresses and real server IP addresses are on different subnets so it should be enabled To configure SLB In this procedure you perform the following Define real servers Define real server groups Define virtual servers Define client and server port states 1 Define th...

Page 532: ...alances HTTPS Port 443 to Group 2 VIP 3 200 200 200 102 load balances POP SMTP Ports 110 25 to Group 3 VIP 4 200 200 200 104 load balances FTP Ports 20 21 to Group 4 4 Define the client and server port states The defined client port state results in the port watching for any frames destined for the VIP and to load balance them if they are destined for a load balanced service as well as remapping N...

Page 533: ...hop or default gateways they are called virtual interface routers VIRs Configure each virtual router VR 1 VRID 1 IF 1 associate with IP interface 1 Address 10 10 10 1 VR 3 VRID 3 IF 2 associate with IP interface 2 Address 20 10 10 1 VR 5 VRID 5 IF 3 associate with IP interface 3 Address 30 10 10 1 VR 7 VRID 7 IF 4 associate with IP interface 4 Address 40 10 10 1 3 Set the renter priority for each ...

Page 534: ...COM port on your computer to the console port on Alteon 1 c Open HyperTerminal or the terminal program of your choice and connect to the device using the following parameters Baud 115200 Data Bits 8 Parity None Stop Bits 1 Flow Control None HyperTerminal a Only the Baud Rate and Flow Control options need to be changed from the default settings b Once you connect to the device start logging your se...

Page 535: ...Type apply then save When you can type characters in the terminal session again reboot the device boot reset Hot Standby Redundancy This configuration is based on proprietary Alteon extensions to VRRP In a hot standby configuration the Spanning Tree Protocol STP is not needed to eliminate bridge loops This speeds up failover when an Alteon fails The standby Alteon blocks all ports configured as st...

Page 536: ...al Each VRRP advertisement can include up to 1024 addresses and is therefore is not limited to a single virtual router IP address A VRRP advertisement packet that contains all virtual routers are advertised in the same packet thus conserving processing and buffering resources Hot Standby and Interswitch Port States The hot standby configuration includes two Layer 4 port states hotstan hot standby ...

Page 537: ... ports on both Alteons should be able to process or forward traffic to the master The interswitch port state is only a place holder It forces you to configure an interswitch link when hot standby is globally enabled and prohibits the interswitch link from also being a hot standby link for VRRP advertisements These advertisements must be able to reach the backup Alteon Hot Standby Configuration A h...

Page 538: ...meters from Alteon 1 to Alteon 2 page 542 To configure Layer 2 and Layer 3 parameters on Alteon 1 This procedure assumes you have already configured SLB parameters 1 On Alteon 1 configure the external ports into their respective VLANs as shown in Figure 80 Hot Standby Configuration page 537 2 Trunk the ports you configured for the client VLAN Main cfg port 3 tag ena Enable VLAN tagging for Port 3 ...

Page 539: ...erface 2 addr 192 168 1 251 IP Interface 2 vlan 192 IP Interface 2 client traffic IP Interface 2 cfg l3 if 3 IP Interface 3 ena IP Interface 3 addr 172 16 2 251 IP Interface 3 vlan 172 IP Interface 3 interswitch link and servers Main cfg l3 vrrp vr 2 VRRP Virtual Router 2 ena VRRP Virtual Router 2 vrid 2 VRRP Virtual Router 2 if 2 VRRP Virtual Router 2 addr 192 168 1 250 Virtual router for client ...

Page 540: ... 6 Apply and save changes to the configuration To prepare a configuration script for Alteon 2 This procedure dumps the configuration script text dump from Alteon 1 This configuration will be modified and loaded onto Alteon 2 1 Dump Alteon configuration using the following command A script is dumped out Main cfg l3 vrrp VRRP Virtual Router Group vrid 254 VRRP Virtual Router Group prio 101 Set prior...

Page 541: ...to 101 This indicates that Alteon 2 is the backup for now 4 Save the changes to the text file as Customer Name_backup_config and load it onto a TFTP server 5 Begin a Telnet session for the second Alteon Delete any existing configuration on it by resetting it to factory settings using the following command A confirmation message displays Do one of the following Enter y to save changes and restart E...

Page 542: ...remains the master This behavior is preferred because running one server down is less disruptive than bringing a new master online and severing all active connections in the process If Alteon 1 is the master and it has two or more active servers fewer than Alteon 2 then Alteon 2 becomes the master If Alteon 2 is the master it remains the master even if servers are restored on Alteon 1 such that it...

Page 543: ...vers multiplied by 6 per healthy server resulting in 124 Because 124 is less than 125 Alteon 2 remains the master If at this point a server fails on Alteon 2 its priority falls by 6 resulting in 119 Because 119 is less than 124 Alteon 1 becomes the master Its priority results in 129 since it is now the master while the priority for Alteon 2 drops by 5 more resulting in 114 Tip There is no shortcut...

Page 544: ...the others To implement this active standby example with tracking of service based virtual router groups do the following 1 Define the IP interfaces Alteon needs an IP interface for each subnet to which it is connected so it can communicate with devices attached to it To configure the IP interfaces for this example enter the following commands from the CLI Repeat the commands for the following int...

Page 545: ...al server Virtual server 1 service http Select the HTTP Service Port menu Virtual server 1 http Service group 1 Associate the virtual port to real group Main cfg slb group 2 Real server group 1 add 3 Add Real Server 1 to Group 1 Real server group 1 add 4 Add Real Server 2 to Group 1 Main cfg slb virt 1 vip 205 178 13 300 Virtual server 1 ena Enable the virtual server Virtual server 1 service http ...

Page 546: ...ce VRRP Virtual Router 2 share dis Disable sharing of interfaces VRRP Virtual Router 2 ena Enable Virtual Router 2 Main cfg l3 vrrp vr 4 Select Virtual Router 4 VRRP Virtual Router 4 vrid 4 Set virtual router ID VRRP Virtual Router 4 addr 205 178 13 300 Assign VR IP address VRRP Virtual Router 4 if 4 Assign virtual router interface VRRP Virtual Router 4 share dis Disable sharing of interfaces VRRP...

Page 547: ...n example illustrates a hot standby configuration between two Alteons The following are considerations for a IPv6 hot standby configuration For Layer 2 port and VLAN configurations Each VLAN must be configured per interface Client side and server side VLANs must also be members in an interswitch link ISL port or have the ISL interface as the VRRP group interface In a one arm setup the VR group can...

Page 548: ...ication Guide High Availability 548 Document ID RDWR ALOS V2900_AG1302 Figure 82 Example IPv6 Hot Standby Configuration To configure an IPv6 hot standby configuration 1 Alteon A configuration Layer 2 port and VLAN and Layer 3 interface configuration ...

Page 549: ...on Interface configuration cfg port 1 pvid 3 cfg port 2 pvid 2 cfg port 3 tagged ena pvid 911 cfg port 4 tagged ena pvid 911 cfg l2 vlan 2 ena name server learn ena def 2 3 4 cfg l2 vlan 3 ena name client learn ena def 1 3 4 cfg l2 vlan 911 ena name intersw learn ena def 3 4 cfg l2 trunk 1 ena add 3 add 4 cfg l2 stg 1 off cfg l2 stg 1 add 1 2 3 911 ...

Page 550: ... if 3 ena ipver v6 addr 3000 3 3 0 0 0 0 a mask 96 vlan 3 cfg l3 if 254 ena ipver v4 addr 192 168 0 1 mask 255 255 255 0 broad 192 168 0 255 vlan 911 cfg l3 gw 1 ena ipver v6 addr 3000 3 3 0 0 0 0 c cfg l3 vrrp on cfg l3 vrrp vr 2 ena ipver v6 vrid 2 if 2 addr 2000 2 2 0 0 0 0 fff0 share dis cfg l3 vrrp vr 3 ena ipver v6 vrid 3 if 3 addr 3000 3 3 0 0 0 0 ffff share dis cfg l3 vrrp group ena ipver ...

Page 551: ...Layer 4 port configuration cfg slb on cfg slb adv direct ena cfg slb real 1 ena ipver v6 rip 2000 2 2 0 0 0 0 1001 cfg slb real 2 ena ipver v6 rip 2000 2 2 0 0 0 0 1002 cfg slb group 1 ipver v6 add 1 add 2 cfg slb virt 1 ena ipver v6 vip 3000 3 3 0 0 0 0 ffff vname v6http cfg slb virt 1 service http group 1 cfg slb port 1 client ena hotstan en cfg slb port 2 server ena hotstan en cfg slb port 3 in...

Page 552: ...ration Spanning tree group configuration cfg slb sync prios d cfg slb sync peer 1 ena addr 192 168 0 2 cfg port 1 pvid 3 cfg port 2 pvid 2 cfg port 3 tagged ena pvid 911 cfg port 4 tagged ena pvid 911 cfg l2 vlan 2 ena name server learn ena def 2 3 4 cfg l2 vlan 3 ena name client learn ena def 1 3 4 cfg l2 vlan 911 ena name intersw learn ena def 3 4 cfg l2 trunk 1 ena add 3 add 4 cfg l2 stg 1 off ...

Page 553: ...lan 2 cfg l3 if 3 ena ipver v6 addr 3000 3 3 0 0 0 0 b mask 96 vlan 3 cfg l3 if 255 ena ipver v4 addr 192 168 0 2 mask 255 255 255 0 broad 192 168 0 255 vlan 911 cfg l3 gw 1 ena ipver v6 addr 3000 3 3 0 0 0 0 c cfg l3 vrrp on cfg l3 vrrp vr 2 ena ipver v6 vrid 2 if 2 addr 2000 2 2 0 0 0 0 fff0 share dis cfg l3 vrrp vr 3 ena ipver v6 vrid 3 if 3 addr 3000 3 3 0 0 0 0 ffff share dis cfg l3 vrrp grou...

Page 554: ...ayer 4 ports configuration cfg slb on cfg slb adv direct ena cfg slb real 1 ena ipver v6 rip 2000 2 2 0 0 0 0 1001 cfg slb real 2 ena ipver v6 rip 2000 2 2 0 0 0 0 1002 cfg slb group 1 ipver v6 add 1 add 2 cfg slb virt 1 ena ipver v6 vip 3000 3 3 0 0 0 0 ffff vname v6http cfg slb virt 1 service http group 1 cfg slb port 1 client ena hotstan en cfg slb port 2 server ena hotstan en cfg slb port 3 in...

Page 555: ... two Alteon units The following are considerations for a IPv6 active standby configuration Layer 2 port and VLAN configuration Each VLAN must be configured per interface Layer 3 interface and VRRP configuration In this example tracking is performed by Layer 4 ports so that the two virtual routers fail over when one of the master virtual routers declares itself as the backup Figure 83 Active Standb...

Page 556: ...ation Interface configuration cfg port 1 pvid 3 cfg port 2 pvid 2 cfg port 3 pvid 911 cfg l2 vlan 2 ena name server learn ena def 2 cfg l2 vlan 3 ena name client learn ena def 1 cfg l2 vlan 911 ena name intersw learn ena def 3 cfg l3 if 2 ena ipver v6 addr 2000 2 2 0 0 0 0 a mask 96 vlan 2 cfg l3 if 3 ena ipver v6 addr 3000 3 3 0 0 0 0 a mask 96 vlan 3 cfg l3 if 254 ena ipver v4 addr 192 168 0 1 m...

Page 557: ...1 configuration cfg l3 gw 1 ena ipver v6 addr 3000 3 3 0 0 0 0 c cfg l3 vrrp on cfg l3 vrrp vr 2 ena ipver v6 vrid 2 if 2 addr 2000 2 2 0 0 0 0 fff0 share dis track l4pts ena cfg l3 vrrp vr 3 ena ipver v6 vrid 3 if 3 addr 3000 3 3 0 0 0 0 ffff share dis track l4pts ena cfg slb on cfg slb adv direct ena cfg slb real 1 ena ipver v6 rip 2000 2 2 0 0 0 0 1001 cfg slb real 2 ena ipver v6 rip 2000 2 2 0...

Page 558: ...d VLAN and Layer 3 interface configuration cfg slb virt 1 ena ipver v6 vip 3000 3 3 0 0 0 0 ffff vname v6http cfg slb virt 1 service http group 1 cfg slb port 1 client ena cfg slb port 2 server ena cfg slb sync prios d cfg slb sync peer 1 ena addr 192 168 0 2 cfg port 1 pvid 3 cfg port 2 pvid 2 cfg port 3 pvid 911 cfg l2 vlan 2 ena name server learn ena def 2 cfg l2 vlan 3 ena name client learn en...

Page 559: ... 0 0 0 b mask 96 vlan 2 cfg l3 if 3 ena ipver v6 addr 3000 3 3 0 0 0 0 b mask 96 vlan 3 cfg l3 if 255 ena ipver v4 addr 192 168 0 2 mask 255 255 255 0 broad 192 168 0 255 vlan 911 cfg l3 gw 1 ena ipver v6 addr 3000 3 3 0 0 0 0 c cfg l3 vrrp on cfg l3 vrrp vr 2 ena ipver v6 vrid 2 if 2 addr 2000 2 2 0 0 0 0 fff0 share dis track l4pts ena cfg l3 vrrp vr 3 ena ipver v6 vrid 3 if 3 addr 3000 3 3 0 0 0...

Page 560: ...Layer 4 ports configuration Synchronization configuration cfg slb on cfg slb adv direct ena cfg slb real 1 ena ipver v6 rip 2000 2 2 0 0 0 0 1001 cfg slb real 2 ena ipver v6 rip 2000 2 2 0 0 0 0 1002 cfg slb group 1 ipver v6 add 1 add 2 cfg slb virt 1 ena ipver v6 vip 3000 3 3 0 0 0 0 ffff vname v6http cfg slb virt 1 service http group 1 cfg slb port 1 client ena cfg slb port 2 server ena cfg slb ...

Page 561: ...iguration between two Alteons The following are considerations for a IPv6 active active configuration 1 Layer 2 port and VLAN configuration Each VLAN must be configured per interface 2 Layer 3 interface and VRRP configuration In this example tracking is performed by Layer 4 ports so that the two virtual routers fail over when one of the master virtual routers declare itself as the backup Figure 84...

Page 562: ...ation Interface configuration cfg port 1 pvid 3 cfg port 2 pvid 2 cfg port 3 pvid 911 cfg l2 vlan 2 ena name server learn ena def 2 cfg l2 vlan 3 ena name client learn ena def 1 cfg l2 vlan 911 ena name intersw learn ena def 3 cfg l3 if 2 ena ipver v6 addr 2000 2 2 0 0 0 0 a mask 96 vlan 2 cfg l3 if 3 ena ipver v6 addr 3000 3 3 0 0 0 0 a mask 96 vlan 3 cfg l3 if 254 ena ipver v4 addr 192 168 0 1 m...

Page 563: ...Server Group 1 configuration cfg l3 gw 1 ena ipver v6 addr 3000 3 3 0 0 0 0 c cfg l3 vrrp on cfg l3 vrrp vr 2 ena ipver v6 vrid 2 if 2 addr 2000 2 2 0 0 0 0 fff0 share en track l4pts ena cfg l3 vrrp vr 3 ena ipver v6 vrid 3 if 3 addr 3000 3 3 0 0 0 0 ffff share en track l4pts ena cfg slb on cfg slb real 1 ena ipver v6 rip 2000 2 2 0 0 0 0 1001 cfg slb real 2 ena ipver v6 rip 2000 2 2 0 0 0 0 1002 ...

Page 564: ... 4 ports configuration Synchronization configuration cfg slb virt 1 ena ipver v6 vip 3000 3 3 0 0 0 0 ffff vname v6http cfg slb virt 1 service http group 1 cfg slb port 1 client ena hotstan en cfg slb port 2 server ena hotstan en cfg slb port 3 intersw ena vlan 400 cfg slb port 4 intersw ena vlan 400 cfg slb sync prios d cfg slb sync peer 1 ena addr 192 168 0 2 ...

Page 565: ...port 1 pvid 3 cfg port 2 pvid 2 cfg port 3 pvid 911 cfg l2 vlan 2 ena name server learn ena def 2 cfg l2 vlan 3 ena name client learn ena def 1 cfg l2 vlan 911 ena name intersw learn ena def 3 cfg l3 if 2 ena ipver v6 addr 2000 2 2 0 0 0 0 b mask 96 vlan 2 cfg l3 if 3 ena ipver v6 addr 3000 3 3 0 0 0 0 b mask 96 vlan 3 cfg l3 if 255 ena ipver v4 addr 192 168 0 2 mask 255 255 255 0 broad 192 168 0 ...

Page 566: ...ation cfg l3 vrrp on cfg l3 vrrp vr 2 ena ipver v6 vrid 2 if 2 addr 2000 2 2 0 0 0 0 fff0 share en track l4pts en cfg l3 vrrp vr 3 ena ipver v6 vrid 3 if 3 addr 3000 3 3 0 0 0 0 ffff share en track sl4pts en cfg slb on cfg slb real 1 ena ipver v6 rip 2000 2 2 0 0 0 0 1001 cfg slb real 2 ena ipver v6 rip 2000 2 2 0 0 0 0 1002 cfg slb group 1 ipver v6 add 1 add 2 cfg slb virt 1 ena ipver v6 vip 3000...

Page 567: ...9 Configuring VRRP Peers for Synchronization page 569 Synchronizing Active Active Failover page 570 Mixing Active Standby and Active Active Virtual Routers If your network environment can support sharing enable it for all virtual routers in the LAN If not use active standby for all virtual routers Do not mix active active and active standby virtual routers in a LAN Mixed configurations may result ...

Page 568: ...anning Tree Protocol to Eliminate Loops VRRP generally requires Spanning Tree Protocol STP to be enabled in order to resolve bridge loops that usually occur in cross redundant topologies In Figure 86 STP Resolving Cross Redundancy Loops page 568 a number of loops are wired into the topology STP resolves loops by blocking ports where looping is detected Figure 86 STP Resolving Cross Redundancy Loop...

Page 569: ...nd 255 Configuring VRRP Peers for Synchronization The final step in configuring a high availability solution includes the addition of synchronization options to simplify the manual configuration Synchronization configuration options refine what is synchronized to what and to disable synchronizing certain configurations These options include proxy IP addresses Layer 4 port configuration filter conf...

Page 570: ... By default this option is disabled When certificate repository synchronization is enabled you are required to set a passphrase to be used during the configuration synchronization for the encryption of private keys cfg slb sync passphrs The same passphrase should be set manually by the administrator in all VRRP members for private key decryption To encrypt or decrypt certificate private keys durin...

Page 571: ...supported persistence types see Persistence page 583 Stateful failover lets you mirror Layer 7 and Layer 4 persistent transactional states on the Alteon peers Note Stateful failover is not supported in active active mode Also stateful failover does not synchronize all sessions except persistent sessions SSL session ID persistence and cookie based persistence If a service fails in the middle of a c...

Page 572: ...ing sequence of events occurs 1 The backup becomes active 2 The incoming request is redirected to the backup 3 When the user clicks Submit again the request is forwarded to the correct server Even though the master has failed the stateful failover feature prevents the client from having to re establish a secure session The server that stores the secure session now returns a response to the client ...

Page 573: ...e backup use the info l3 vrrp command The column on the far right displays Alteon status If Alteon is a master If Alteon is a backup Main cfg slb sync Config Synchronization peer 1 Select a peer Peer Switch 1 addr 10 1 1 2 Assign backup Alteon IP address Peer Switch 1 enable Enable peer Alteon Main cfg slb sync state ena Main cfg slb sync update 10 Main cfg slb sync Config Synchronization peer 2 S...

Page 574: ...ed as the communication mechanism between the master and backup Since NAAP is a Layer 2 protocol the Alteons need to be connected directly over the interswitch link You must also enable the Spanning Tree protocol in hot standby configurations In ADC VX enabling and disabling the interswitch link for session mirroring is available per vADC As vADCs are completely independent instances they are neit...

Page 575: ... the session is updated or deleted on the master the session on the backup is also updated or deleted When the master becomes a backup due to reboot or link failure it sends a session sync message to the new master The new master mirrors all the sessions that need to be mirrored to the backup To avoid performance impact all sessions are not sent at the same time A timer routine is used to mirror t...

Page 576: ...dby VRRP configurations The following filters and protocols are supported SIP FTP when ftpp is disabled under cfg slb virt service Layer 4 SLB with delayed binding NAT filters The following filters and protocols are not supported Active active VRRP RTSP Layer 7 SLB Allow deny redir filters Recommendations Ensure a direct interswitch link between the master and backup as NAAP packets cannot be rout...

Page 577: ...ur minute date month year and frequency is specified as daily weekly or monthly Based on this configuration mirroring is done at every configured period For example if the frequency is configured as weekly w mirroring is performed on the date it is configured once a week If frequency is configured as monthly m mirroring is done on the date it is configured once a month To set time and frequency fo...

Page 578: ...is required to avoid network loops The interswitch link does not require IP interfaces in the VLAN You do not need to enable the Spanning Tree protocol in active standby configurations To enable session failover for active standby configurations 1 Connect an interswitch link 2 Enable interswitch on connected ports 3 Enable service based session failover Figure 90 Session Failover for Active Standb...

Page 579: ...Alteon Application Switch Operating System Application Guide High Availability Document ID RDWR ALOS V2900_AG1302 579 Figure 90 Session Failover for Active Standby Configurations ...

Page 580: ...ernal organizational priorities For more information on vADCs see ADC VX Management page 403 Figure 91 Example Peer Synchronization Topology page 580is an example topology for a set of Alteons that use peer synchronization Figure 91 Example Peer Synchronization Topology Configuring Peer Synchronization To configure peer synchronization you must 1 Configure peer switches Alteons for your Alteon see...

Page 581: ...r switches to that vADC see Creating a Basic vADC with the Creation Dialog page 420 After creating the vADC you can also separately associate and configure peers switches to it 1 Access the Peer Switch Addresses prompt 2 Enter the peer switch number you want to associate to the selected vADC 3 Apply and save After setting peer switch addresses vADC configuration is synchronized to the assigned pee...

Page 582: ...Alteon Application Switch Operating System Application Guide High Availability 582 Document ID RDWR ALOS V2900_AG1302 ...

Page 583: ...Windows Terminal Server Load Balancing and Persistence page 598 Explains how to configure load balancing and persistence for Windows Terminal Services Overview of Persistence In a typical SLB environment traffic comes from various client networks across the Internet to the virtual server IP address on Alteon Alteon then load balances this traffic among the available real servers In any authenticat...

Page 584: ...kies Cookies are strings passed via HTTP from servers to browsers Based on the mode of operation cookies are inserted by either Alteon or the server After a client receives a cookie a server can poll that cookie with a GET command which allows the querying server to positively identify the client as the one that received the cookie earlier Cookie based persistence solves the proxy server problem a...

Page 585: ...configure your network for SLB see Server Load Balancing page 165 2 If a proxy IP address is not configured on the client port enable DAM for real servers 3 Select Client IP based persistence as the persistent binding option for the virtual port If multiple real server ports are configured for this service you may choose whether to maintain persistence to the rport on the real server 4 Enable clie...

Page 586: ...e The following topics discussing cookie based persistence are discussed in this section Permanent and Temporary Cookies page 586 Cookie Formats page 587 Cookie Properties page 587 Client Browsers that Do Not Accept Cookies page 587 Cookie Modes of Operation page 588 Configuring Cookie Based Persistence page 591 Note When both cookie based pbind is used and HTTP modifications on the same cookie he...

Page 587: ...ing The offset directs Alteon to the starting point of the real cookie value within the longer cookie string Length of the cookie value This defines the number of bytes to extract for the cookie value within a longer cookie string Whether to find the cookie value in the HTTP header the default or the URL Cookie values of up to 64 bytes for hashing Hashing on cookie values is used only with the pas...

Page 588: ... byte random client ID value In this mode the client sends a request to visit the Web site Alteon performs load balancing and selects a real server The real server responds without a cookie Alteon inserts a cookie and forwards the new request with the cookie to the client Figure 93 Insert Cookie Mode page 588 illustrates insert cookie mode Figure 93 Insert Cookie Mode Insert Cookie Mode Enhancemen...

Page 589: ...C 1036 and RFC 1123 with the variations that the only legal time zone is GMT Once the expiration date is met the cookie is not stored or given out For example Relative timer This timer defines the elapsed time from when the cookie was created The syntax for the relative timer is days hours minutes For example Alteon adds or subtracts hours according to the time zone settings using the cfg sys ntp ...

Page 590: ... same cookie value are sent to the same real server RIP 1 in this example When passive cookie persistence mode is enabled Alteon creates persistent entries for server returned responses with new cookie values within the same TCP connection Rewrite Cookie Mode In rewrite cookie mode Alteon generates the cookie value on behalf of the server eliminating the need for the server to generate cookies for...

Page 591: ...nfiguring Cookie Based Persistence The following is an example procedure for configuring cookie based persistence To configure cookie based persistence 1 Before you can configure cookie based persistence configure Alteon for basic SLB Assign an IP address to each of the real servers in the server pool Define an IP interface Configure each real server with its IP address name weight and so on Assig...

Page 592: ...okie based persistence is enabled for service 80 HTTP After you specify cookie as the persistence mode you are prompted for the following parameters Cookie based persistence mode insert passive or rewrite Cookie name Starting point of the cookie value Number of bytes to be extracted Look for cookie in the URI e d If you want to look for a cookie name value pair in the URI enter e to enable this op...

Page 593: ...appears in the URI GET product switch UID 12345678 ck 1234 Host www radware com Cookie UID 87654321 A Look for the Cookie in the HTTP Header The last parameter in this command answers the Look for cookie in URI prompt If you set this parameter to disable Alteon uses UID 87654321 as the cookie Virtual Server 10 http Service c sl vi 10 ser http pbind Current persistent binding mode disabled New pers...

Page 594: ...irects Alteon to use the sid cookie starting with the eighth byte in the value and using only four bytes This uses 789a as a hashing key C Using wildcards for selecting cookie names With this configuration Alteon looks for a cookie name that starts with ASPSESSIONID ASPSESSIONID123 ASPSESSIONID456 and ASPSESSIONID789 are seen as the same cookie name If more than one cookie matches only the first o...

Page 595: ...f0a All subsequent traffic from a specific client to the particular virtual server IP address with this cookie is directed to the same real server Server Side Multi Response Cookie Search Cookie based persistence requires Alteon to search the HTTP response packet from the server and if a persistence cookie is found set up a persistence connection between the server and the client Alteon looks thro...

Page 596: ...chanism even when the client IP address changes to send all sessions to the same real server Notes The SSL session ID can only be read after the TCP three way handshake In order to make a forwarding decision Alteon must terminate the TCP connection to examine the request SSL session ID persistence is not supported when SSL offloading is enabled and other more advanced persistency features such as ...

Page 597: ...ame source IP address as Client 1 because they share the same proxy firewall However Alteon does not direct Client 2 traffic to Server 1 based on the source IP address Instead an SSL session ID for the new traffic is assigned Based on SLB settings the connection from Client 2 is spliced to Server 3 As a result subsequent connections from Client 2 with the same SSL session ID are directed to Server...

Page 598: ...servers to coordinate the reconnection of disconnected sessions The session director is updated and queried by the terminal servers whenever users log on log off or disconnect their sessions while leaving their applications active The client can be reconnected to the terminal server where the user s disconnected session resides using the routing token information The session director passes the ro...

Page 599: ...Alteon Application Switch Operating System Application Guide Persistence Document ID RDWR ALOS V2900_AG1302 599 Figure 97 Windows Terminal Server Load Balancing Network Topology ...

Page 600: ...ss has been configured To configure Windows Terminal Server load balancing and persistence 1 Access the Windows Terminal Server menu 2 Enable the Windows Terminal Server feature 3 Optionally enable the WTS userhash Note If the dedicated session director does not exist to relate users to disconnected sessions Radware recommends enabling the userhash functionality to perform this task Main cfg slb v...

Page 601: ...ackets and combine them into pattern groups which can be applied to a filter to deny traffic containing those patterns Background The Advanced DoS feature set extends the Alteon functionality to act as an application intelligent firewall You can use these features to perform deep inspection and blocking of malicious content For example many newer viruses worms malicious code applications with secu...

Page 602: ...resses that are to be denied access to Alteon When traffic ingresses Alteon the client source or destination IP address is checked against this pool of addresses If a match is found then the client traffic is blocked ACLs versus Filters ACLs are used to control which IP addresses are allowed access to a network Unlike a filter the IP ACL feature can only perform a deny action The decision about wh...

Page 603: ...nd save the configuration Viewing IP ACL Statistics You can view the accumulated blocked packets for each IP address mask pair by entering the following command Main cfg security ipacl IP ACL add 192 168 40 0 Enter IP subnet mask default is 255 255 255 255 255 255 255 0 Select the IP ACL menu Enter a network address Enter the appropriate mask Main cfg security ipacl IP ACL dadd 192 180 11 0 Enter ...

Page 604: ...ction on the ports 2 Add a DoS attack type to guard against Note To determine which DoS attack types a port is guarding against view the current settings by using the command cfg security port port number cur 3 Optionally remove a DoS attack type from a port 4 Repeat step 1 and step 2 to apply DoS protection to any other ports 5 Apply and save the configuration Viewing DoS Statistics You can view ...

Page 605: ...omaly and DoS attack prevention statistics for port 1 Protocol anomaly and DoS attack prevention statistics for port 8 broadcast 1 loopback 8 land 1 ipptl 1 ipprot 1 fragmoredont 1 fragdata 2 fragboundary 2 fraglast 1 fragdontoff 1 fragoff 1 fragoversize 1 tcplen 4 tcpportzero 2 blat 1 nullscan 1 fullxmasscan 1 finscan 1 vecnascan 5 xmasscan 1 synfinscan 1 synfrag 1 ftpport 1 dnsport 1 seqzero 1 a...

Page 606: ... less than the IP header length or an actual packet length less than the IP total length and drops any matching packets IPVersion An IPv4 packet is sent with an invalid IP version Alteon checks for IPv4 packets marked with a version other than version 4 and drops any matching packets Broadcast An IPv4 packet with a broadcast source or destination IP address Alteon checks for IPv4 packets with a br...

Page 607: ...eon checks for IPv4 packets with a non zero fragment offset and the don t fragment bits set and drops any matching packets FragOpt An IPv4 packet with a non zero fragment offset and IP options bits set Alteon checks for IPv4 packets with a non zero fragment offset and the IP options bits set and drops any matching packets FragOff An IPv4 packet with a small non zero fragment offset Alteon checks f...

Page 608: ...ts with the SYN and more fragments bits set and drops any matching packets FTPPort A TCP packet with a source port of 20 a destination port of less than 1024 and the SYN bit set Alteon checks for TCP packets with a source port of 20 a destination port of less than 1024 and the SYN bit set and drops any matching packets DNSPort A TCP packet with a source port of 53 a destination port of less than 1...

Page 609: ...source IP of the victim Alteon checks every packet for destination IP set to a broadcast address in a filter and drops any matching packet ICMPData An ICMP packet with a zero fragment offset and a large payload Alteon checks for ICMP packets with a zero fragment offset and a large payload and drops any matching packets ICMPOff An ICMP packet with a large fragment offset Alteon checks for ICMP pack...

Page 610: ...ination IP Alteon checks for ARP request or reply packets with the same source and destination IP and drops any matching packets IP6Len An IPv6 packet with an improper header length Alteon checks for IPv6 packets with an improper header length and drops any matching packets IP6Version An IPv6 packet with the IP version set to a value other than 6 Alteon checks for IPv6 packets with the IP version ...

Page 611: ...e Filtering Advanced menu TCP Rate Limiting Limits new TCP connection requests or SYN packets Alteon monitors the rate of incoming TCP connection requests to a virtual IP address and limits the client requests with a known set of IP addresses For more information see TCP Rate Limiting page 613 Main cfg security dos cur Main info security dos Main cfg security dos help Table 52 DoS Attack Preventio...

Page 612: ...it is decremented by one second until the value is zero 0 When the value is zero the session time limit value resets to the next total time window value When the holddown is triggered the session time limit starts with holddown time and it is decremented after every x minutes where x 2 2 slowage Holddown Calculation hold_down holddur X slowage_time where holddur the value entered using cfg slb fil...

Page 613: ...ter increment the TCP rate session counter If the counter reaches the threshold value before the TCP rate session ages out then a holddown period is reached During the holddown period no new TCP sessions from this client that match this filter are allowed After the holddown period ends the next SYN packet is allowed and a new TCP rate session is created Figure 98 Configuring Clients with Different...

Page 614: ...w to configure rate limiting for Filter 10 1 Set the protocol used for the rate limiting filter Only UDP ICMP and TCP protocols are supported for rate limiting 2 Enable rate limiting for the filter 3 Configure maximum number of connections The value of 1 indicates a total of 10 TCP connections or sessions 4 Set the time window in seconds Note The rate limit defined in step 3 and step 4 as the maxi...

Page 615: ...utes Example 3 A Rate Limiting Filter Based on Virtual Server IP Address This example defines a filter that limits clients to 100 TCP connections per second or 100 UDP or ICMP sessions per second to a specific destination VIP 10 10 10 100 Once a client exceeds that limit the client is not allowed to initiate new TCP connection requests or send UDP or ICMP traffic to that destination for 40 minutes...

Page 616: ...s this rate then the client is not allowed to transmit sessions or connections to the virtual server for 40 minutes 2 Add the filter to the ingress port 3 Apply and save the configuration cfg slb filt 100 ena Enable the filter Filter 100 dip 10 10 10 100 Filter 100 dmask 255 255 255 255 Filter 100 proto any number name Specify TCP UDP or ICMP protocol Filter 100 adv security Select the Security me...

Page 617: ...servers Alteon can be configured to restrict the amount of traffic allowed on any UDP port thus ensuring that back end servers are not flooded with data In the CLI you specify a series of UDP port ranges and the allowed packet limit for that range When the maximum number of packets per second is reached UDP traffic is shut down on those ports cfg slb filt 30 ena Filter 30 proto icmp Specify ICMP p...

Page 618: ... constructed much in the same way as any other filter configured to examine Layer 7 content Note The ability to match and perform filter action on a pattern or group of patterns is available only when you enable the Security Pack software Pattern Criteria Many TCP or UDP attacks contain common signatures or patterns in the IP packet data Alteon can be configured to examine an IP packet from either...

Page 619: ...ing regular expressions to match pattern data see Regular Expression Matching page 803 If the pattern is binary specify the binary pattern in hexadecimal notation For example to specify the binary pattern 1111 1100 0010 1101 enter FC2D Offset An offset value is the byte count from the start of the IP header from which a search or compare operation is performed An offset value is always required wh...

Page 620: ...for pattern 1 Once pattern 1 of the chain is matched subsequent packets of the session are searched for pattern 2 and if matched pattern 3 is searched for and so on until all the patterns in the chain are matched The filter action is taken after patterns 1 through 4 are matched Note A reset frame is sent to the destination device when a Layer 7 deny filter is matched instead of waiting for a serve...

Page 621: ...nary Add the first pattern Select binary matching Enter HEX string 014F For this binary pattern Enter offset in bytes from start of IP frame 0 1500 2 Enter depth in bytes to search from offset 0 1500 0 Starting from third byte Search length of the pattern Enter operation eq gt lt eq For values equal to this binary pattern Server Loadbalance Resource add Enter type of string l7lkup pattern pattern ...

Page 622: ... on the filter This command enables Layer 7 lookup on the filter 10 Apply the filter to the client port If the incoming client requests enter Alteon on port 3 then add this filter to port 3 11 Apply and save the configuration cfg security pggroup 1 name Name Pattern Group 1 cfg security pggroup 1 name cfg security pggroup 1 name Name the group Pattern Match Group 1 add 8 Add the first binary patte...

Page 623: ...ng of Death Example A ping of death attack sends fragmented ICMP echo request packets When these packets are reassembled they are larger than the 65536 byte packets allowed by the IP protocol Oversized packets cause overflows in the server s input buffer and can cause a system to crash hang or reboot Large ICMP packets such as in an ICMP ping of death attack can be blocked using a deny filter comb...

Page 624: ...pattern type ascii binary binary Add the pattern Select binary matching Enter HEX string 0000 non zero IP offset Enter offset in bytes from start of IP frame 0 1500 6 Enter depth in bytes to search from offset 0 1500 0 Search from seventh byte Through end of pattern Enter operation eq gt lt gt For values greater than 0000 Server Loadbalance Resource add Enter type of string l7lkup pattern pattern ...

Page 625: ... to the filter 11 Enable pattern matching on the filter 8 BINMATCH 014F offset 2 depth 0 op eq cont 256 9 STRMATCH default htm offset 44 depth 30 op eq cont 256 10 BINMATCH 0000 offset 6 depth 0 op gt cont 256 11 BINMATCH 4000 offset 6 depth 0 op lt cont 256 cfg security pgroup 2 name Current pattern group name Enter new pattern group name pingofdeath Pattern Match Group 2 add 10 Pattern Match Gro...

Page 626: ...ontent match Rate limit based on content match Monitor SIP Uniform Resource Identifiers URI FlexiRules for SIP over UDP are advanced pattern match filters Multiple rules can be configured The severity level can be set from 1 to 5 where 1 is the highest severity Selection is based on severity when multiple rules are hit The following inputs define FlexiRules for SIP over UDP Header field name and c...

Page 627: ...endent rules Alteon takes the action of the highest severity rule only when all its dependent rules are matched Configuring the FlexiRules The following is an example configuration FlexiRules To configure FlexiRules 1 Create the rule 2 Define the rule 3 Define the content of the header field name 4 Define the severity 1 to 5 5 Assign contract for this rule 1 to 1024 For information about creating ...

Page 628: ... filt adv layer7 sip sips ena cfg slb filt adv security pmatch ena cfg slb port port number filt ena add filter number cfg bwm Select BWM on Enable BWM cfg bwm cont 1 Select the contract ena Enable the contract pol 1 Set contract policy cfg bwm pol 1 Select the policy hard 0k Set the hard limit soft 0k Set the soft limit resv 0k Set the reservation limit userlim 0k Set the user limit cfg slb layer...

Page 629: ...eon rate limits the traffic according to Rule 99 The following is an example of the logs cfg slb layer7 rule 99 Select Rule 99 ena Enable Rule 99 hdrfld to Enter the header field name content Sam Enter the content of the header field message to_is_sam Enter the alert message severity 5 Select the severity cfg slb layer7 rule 100 Select Rule 100 ena Enable Rule 100 hdrfld sdpcontent Enter the heade...

Page 630: ...Alteon Application Switch Operating System Application Guide Advanced Denial of Service Protection 630 Document ID RDWR ALOS V2900_AG1302 ...

Page 631: ... be supported in typical implementations IPv6 related protocols IP within IP Encapsulation Protocol IPIP Generic Routing Encapsulation GRE Encap Security Payload Authentication Header ESP AH WAN link load balancing supports the following metrics Response time Bandwidth Least connections Round robin When the response time or bandwidth metrics are used Alteon calculates weights and uses the round ro...

Page 632: ... Alteon and by accessing a pool of WAN links If one WAN link fails the others can take up the additional load Increased scalability of services As traffic increases and the WAN link pool s capabilities are saturated new WAN links can be added to the pool transparently Ease of maintenance WAN links can be added or removed dynamically without interrupting traffic Identifying Your Network Needs WAN l...

Page 633: ...ch frame from virtual addresses to real address This method of load balancing is used to load balance inbound traffic For more information see Inbound Traffic page 634 How WAN Link Load Balancing Works To effectively use multiple ISP links Radware recommends that both outbound and inbound traffic is load balanced using Alteon Alteon can be configured to load balance up to eight ISP links Alteon re...

Page 634: ...om an external client on the Internet that enters Alteon to access an internal service such as corporate Web servers or FTP servers Alteon lets you load balance the inbound traffic by providing access to the external client with the best available WAN link Note For load balancing inbound traffic you must have the Inbound Link Load Balancing license installed For more information on installing lice...

Page 635: ... in each of the ISP s address ranges Once Alteon responds with the best virtual server IP address all subsequent traffic from the clients to this domain is sent to the same virtual server IP address thereby passing through the same ISP External client request can be one of the following ways External Client Accessing Data from a Non SLB Group page 635 External Client Accessing Data from an SLB Gro...

Page 636: ...he provided virtual IP address 5 The server responds to the content request An allow filter at port 5 processes the data for the services configured on the server For example if the client sends an HTTP request to server 3 then the allow filter should be configured for source port 80 Similarly if the client sends an SMTP request to server 3 then the allow filter should be configured for source por...

Page 637: ...r the SLB servers on Alteon are configured as a real server IP address Real 7 IP 30 30 30 2 Real 7 is added to a group 7 The returning data from the SLB server reaches port 1 which is enabled for server processing For information on server processing see Network Topology Requirements page 169 The transparent load balancing feature on the WAN ports maintains persistency so that the traffic returns ...

Page 638: ...onfigure the load balancing parameters for the ISP WAN links a Configure the ISP routers as real servers b Optionally assign weight to real servers c Add it to a group d Define the metric and health e Enable SLB 3 Configure the WAN link ports a Configure a proxy IP address 3 Configure the WAN link ports a Enable client processing b Enable transparent load balancing c Enable DAM 4 Configure the out...

Page 639: ...er options Figure 104 Simple WAN Link Load Balancing Example page 639 illustrates a simple topology with two WAN links Two ISPs a server and a client are directly connected to Alteon Alteon load balances traffic between the two WAN links for both inbound and outbound traffic The server hosting www radware com is directly connected to a port on Alteon To illustrate outbound traffic a client is dire...

Page 640: ...nd Traffic For Inbound Traffic Step 1 Configure Basic Parameters page 640 Step 2 Configure the Load Balancing Parameters for ISP Routers page 641 Step 3a Outbound Traffic Configure the WAN Link Ports page 642 Step 3b Inbound Traffic Configure the WAN Link Ports page 642 Step 4a Outbound Traffic Configure the Client Ports page 643 Step 4b Inbound Traffic Configure Server Ports page 643 Step 5 Confi...

Page 641: ...e 2 Main cfg l3 if 7 Define interface 7 for ISP 2 IP Interface 7 ena Enable interface 7 IP Interface 7 addr 80 1 1 2 Define the IP address for interface 7 IP Interface 7 mask 255 255 255 0 Define the mask for interface 7 IP Interface 7 broad 80 1 1 255 Define the broadcast for interface 7 IP Interface 7 vlan 7 Specify the VLAN for interface 7 Main cfg l3 if 1 Define interface 1 for Real server 3 I...

Page 642: ...r ports 25 and 26 This enables inbound traffic to access the virtual server IP address 2 Enable transparent load balancing for ports 25 and 26 Enable transparent load balancing to ensure the returning traffic from all servers to go back to the same ISP router Real server 2 adv Select the advance menu Real server 2 Advanced proxy dis Disable proxy cfg slb group 100 Define a group Real Server Group ...

Page 643: ...g for outbound traffic only then go to Step 7 Apply and Save Your Changes page 645 The remaining steps in this procedure are used for load balancing of inbound traffic only Step 4b Inbound Traffic Configure Server Ports For each real server connected to Alteon assign a real server number specify its IP address and enable the real server Define a real server group and add the real server to the gro...

Page 644: ...or each ISP Step 5a Configure the Virtual Server IP Address and the Services for ISP 1 Define a virtual server and add the services and real server group for ISP 1 1 Configure a virtual server for ISP 1 2 Add HTTP and FTP services for the virtual server Step 5b Configure the Virtual Server IP Address and the Services for ISP 2 Define a virtual server and add the services and real server group for ...

Page 645: ...ou want them to remain in effect after reboot 1 Apply and verify the configuration Examine the resulting information If any settings are incorrect make the appropriate changes 2 Save your new configuration changes cfg slb virt 2 Select the virtual server Virtual Server 2 service 80 Add the HTTP service Virtual Server 2 HTTP Service ena Enable the service Virtual Server 2 HTTP Service group 3 Add r...

Page 646: ...Link Load Balancing with Server Load Balancing In this example Alteon is configured for standard server load balancing Alteon is configured to load balance the WAN links for both outbound and inbound traffic and perform server load balancing for inbound traffic The configuration is similar to Example 1 Simple WAN Link Load Balancing page 639 except that the virtual server IP addresses are configur...

Page 647: ...he traffic Alteon uses this path to determine the level of TCP IP reach of the WAN links 3 On Alteon configure VLANs Table 58 Configuring WAN Link Load Balancing with SLB For outbound traffic For inbound traffic Step 1 Configure Basic Parameters page 647 Step 2 Configure the Load Balancing Parameters for ISP Routers page 648 Step 3a Outbound Traffic Configure the WAN Link Ports page 649 Step 3b In...

Page 648: ...nterface 1 IP Interface 1 broad 1 1 1 255 Define the broadcast for interface 1 IP Interface 1 vlan 1 Specify the VLAN for interface 1 cfg if 2 Define interface 2 IP Interface 2 ena Enable interface 2 IP Interface 2 addr 50 1 1 2 Define the IP address for interface 2 IP Interface 2 mask 255 255 255 0 Define the mask for interface 2 IP Interface 2 broad 50 1 1 255 Define the broadcast for interface ...

Page 649: ...al server IP address 2 Enable transparent load balancing for ports 25 and 26 Enable transparent load balancing to ensure the returning traffic from all servers to go back to the same ISP router 3 Enable WAN link load balancing cfg slb group 100 Define a group Real Server Group 100 add 1 Add real server 1 Real Server Group 100 add 2 Add real server 2 Real Server Group 100 metric response Real Serve...

Page 650: ...ng steps in this procedure are for load balancing inbound traffic only Step 4b Inbound Traffic Configure the Internal Network Configure the virtual server IP addresses on Alteon as real server IP addresses In this example you will configure two real server IP addresses for each of the two virtual server IP addresses Then define a real server group and add the real servers to the group 1 Configure ...

Page 651: ...the WAN links For more information on health checking see Health Checks for Real Servers page 176 6 Add the allow filter 50 to port 1 Note If you are using two Alteons for redundancy then must add allow filters for VRRP before the redirection filter For more information on VRRP see High Availability page 507 cfg slb real 8 rip 1 1 1 200 Define IP address for xyz com Real server 8 ena Enable real s...

Page 652: ...1 Define a virtual server and add the services and real server group for ISP 1 1 Configure a virtual server for ISP 1 2 Add HTTP and FTP services for the virtual server Step 5b Configure the VIrtual Server IP Address and the Services for ISP 2 Define a virtual server and add the services and real server group for ISP 2 1 Configure a virtual server for ISP 2 cfg slb virt 1 Select the virtual server...

Page 653: ...s a virtual IP address and a real server IP address The virtual IP address is used to respond to the DNS query for the radware com domain The real server IP address is used to measure the ISP load and ISP health These commands map the two parameters to the ISP link 1 Configure the domain record for abc com cfg slb virt 2 Select the virtual server Virtual 1 Server 2 service 80 Add the HTTP service ...

Page 654: ...g as expected If necessary make any appropriate configuration changes and then check the information again Domain record 1 entry 1 ena Define entry for ISP 1 Virt Real Mapping virt 1 Select virtual server 1 for ISP 1 Virt Real Mapping real 1 Select real server for ISP 1 Domain record 1 entry 2 ena Define entry for ISP 2 Virt Real Mapping virt 2 Select virtual server 2 for ISP 2 Virt Real Mapping r...

Page 655: ...ction to the second service provider This is a by product of the tendency of any routing protocol to re route a packet to an active link To overcome this problem two filters can be used to on the two load balanced ports to suppress the ICMP echo reply which makes the health check fail if the link fails Example This example applies filter 10 to the link to the first service provider After the filte...

Page 656: ...Alteon Application Switch Operating System Application Guide WAN Link Load Balancing 656 Document ID RDWR ALOS V2900_AG1302 ...

Page 657: ...xample configuration for FWLB in a large scale high availability network with redundant firewalls and Alteons This method combines redirection filters static routing and Virtual Router Redundancy Protocol VRRP Advanced FWLB Concepts page 683 Free Metric FWLB page 683 Using other load balancing metrics besides hash by enabling the transparent load balancing rtsrcmac option Adding a Demilitarized Zo...

Page 658: ...side resources FWLB provides a variety of options that enhance firewall performance and resolve typical firewall problems Alteon supports the following FWLB methods Basic FWLB for simple networks This method uses a combination of static routes and redirection filters and is usually employed in smaller networks An Alteon filter on the dirty side splits incoming traffic into streams headed for diffe...

Page 659: ...ctions for a connection Although basic FWLB techniques can support more firewalls as well as multiple devices on the clean and dirty sides for redundancy the configuration complexity increases dramatically The four subnet FWLB solution is usually preferred in larger scale high availability topologies see Four Subnet FWLB page 668 Basic FWLB Implementation As shown in Figure 108 Basic FWLB Process ...

Page 660: ...he real server responds to the client request 7 Redirection filters on the clean side Alteon balance responses among different IP addresses Redirection filters are needed on all ports on the clean side Alteon that attach to real servers or internal clients on the clean side of the network Filters on these ports redirect the Internet bound traffic to a real server group that consists of a number of...

Page 661: ...d you do not want to configure VLANs you must enable the Spanning Tree Protocol STP to prevent broadcast loops 2 Define the dirty side IP interface In addition to one IP interface for general Alteon management there must be one dirty side IP interface for each firewall path being load balanced Each must be on a different subnet cfg l3 if 1 Select IP Interface IF 1 IP Interface 1 addr 192 16 12 1 S...

Page 662: ...ean side server group then the Real Server 1 IF on the dirty side should be connected to Firewall 1 Selecting the same real server ensures that the traffic travels through the same firewall Note Each of the four interfaces used for FWLB two on each Alteon in this example must be configured for a different IP subnet 4 Place the IP interface real servers into a real server group 5 Set the health che...

Page 663: ... 9 Create the FWLB redirection filter This filter redirects inbound traffic load balancing it among the defined real servers in the group In this network the real servers represent IP interfaces on the clean side Alteon 10 Enable FWLB Real server group 1 cfg slb on Layer 4 cfg slb filt 10 Select Filter 10 Filter 10 sip any From any source IP address Filter 10 dip 192 16 12 0 Specify destination IP...

Page 664: ... the clean side IP interfaces Create one clean side IP interface on a different subnet for each firewall being load balanced Note An extra IP interface IF 1 prevents server to server traffic from being redirected 2 Configure the dirty side IP interfaces as if they were real servers on the clean side SLB Port 5 cfg l3 route ip4 IP Static Route add 10 1 3 1 255 255 255 255 10 1 1 10 IP Static Route ...

Page 665: ...the four IP interfaces two on each Alteon in this example must be configured for a different IP subnet 3 Place the real servers into a real server group 4 Set the health check type for the real server group to ICMP 5 Set the load balancing metric for the real server group to hash Note The clean side Alteon must use the same metric as defined on the dirty side 6 Enable SLB IP Interface 3 cfg slb re...

Page 666: ...SLB port 3 save Save the configuration SLB port 3 cfg slb virt 100 Configure Virtual Server 100 Virtual Server 100 vip 20 1 1 10 Assign Virtual Server 100 an IP address Virtual Server 100 ena Enable the virtual server Real server group 1 cfg slb real 3 Select Real Server 3 Real server 2 rip 20 1 12 Assign Real Server 2 an IP address Real server 2 ena Enable Real Server 2 Real server 2 cfg slb real...

Page 667: ...its gateway Note Configuring static routes for FWLB does not require IP forwarding to be turned on Note When adding an IPv4 static route if you are using FWLB and you define two IP interfaces on the same subnet where one IP interface has a subnet of the host which is also included in the subnet of the second interface you must specify the interface Filter 10 action allow Allow traffic Filter 10 en...

Page 668: ...hat use internal hubs or diagonal cross connections between Alteons and simple switches are also possible While such topologies may resolve networking issues in special circumstances they can make configuration more complex and can cause restrictions when using advanced features such as active active VRRP free metric FWLB or content intelligent switching In the example topology in Figure 110 Four ...

Page 669: ...s Just as with basic FWLB filters on the ingress ports of the dirty side Alteon redirect traffic to a real server group composed of multiple IP addresses This configuration splits incoming traffic into multiple streams Each stream is then routed toward the primary clean side Alteon through a different firewall Although other load balancing metrics can be used in some configurations see Free Metric...

Page 670: ...Configure routers and firewalls and test them for proper operation as explained in Configure the Routers page 671 and Configure the Firewalls page 671 Configure VLANs IP interfaces and static routes on all Alteons and test them as explained in Configure the Primary Dirty Side Alteon page 672 Configure FWLB groups and redirection filters on the primary dirty side Alteon Configure the Secondary Dirt...

Page 671: ...figured with a static route to the clean side virtual server using the VIR in its clean side subnet as the next hop For outbound traffic each firewall must use the VIR in its dirty side subnet as the default gateway As shown in Table 60 in this example the firewalls are configured with the following IP addresses The firewalls must also be configured with rules that determine which types of traffic...

Page 672: ...on Subnet 1 IF 2 is used for routing traffic through the top firewall IF 3 is used for routing traffic through the lower firewall To avoid confusion IF 2 and IF 3 are used in the same way on all Alteons Note By configuring the IP interface mask prior to the IP address the broadcast address is calculated Also only the first IP interface in a given subnet is given the full subnet range mask Subseque...

Page 673: ...urce IP interface numbers 5 When dynamic routing protocols are not used configure a gateway to the external routers 6 Apply and save the configuration and reboot Alteon Configure the Secondary Dirty Side Alteon The following is an example configuration for a secondary dirty side Alteon To configure the secondary dirty side Alteon Except for the IP interfaces this configuration is identical to the ...

Page 674: ...ay to the external routers on the secondary dirty side Alteon 6 Apply and save the configuration and reboot Alteon cfg l3 if 1 mask 255 255 255 0 addr 195 1 1 11 ena cfg l3 if 2 mask 255 255 255 0 addr 10 10 2 11 vlan 2 ena cfg l3 if 3 mask 255 255 255 255 addr 10 10 2 12 vlan 2 ena cfg l2 stg off cfg l3 frwd route add 10 10 3 1 255 255 255 255 10 10 2 3 2 add 10 10 3 2 255 255 255 255 10 10 2 4 3...

Page 675: ...Spanning Tree Protocol is disabled because VLANs prevent broadcast loops 4 Configure static routes on the primary clean side Alteon Four static routes are needed To primary dirty side IF 2 via Firewall 1 using clean side IF 2 To primary dirty side IF 3 via Firewall 2 using clean side IF 3 To secondary dirty side IF 2 via Firewall 1 using clean side IF 2 To secondary dirty side IF 3 via Firewall 2 ...

Page 676: ... Alteon 2 Configure IP interfaces on the secondary clean side Alteon 3 Turn STP off for the secondary clean side Alteon Spanning Tree Protocol is disabled because VLANs prevent broadcast loops cfg l3 frwd route add 10 10 2 1 255 255 255 255 10 10 3 3 2 add 10 10 2 2 255 255 255 255 10 10 3 4 3 add 10 10 2 11 255 255 255 255 10 10 3 3 2 add 10 10 2 12 255 255 255 255 10 10 3 4 3 apply save boot res...

Page 677: ...econdary Dirty Side Alteon The secondary dirty side Alteon must be configured with the primary as its peer Once this is done the secondary Alteon receives the remainder of its configuration from the primary when synchronized in a later step In this example the secondary Alteon is configured to use primary dirty side Interface 1 as its peer cfg l3 frwd route add 10 10 2 1 255 255 255 255 10 10 3 3 ...

Page 678: ...F 2 on all Alteons whenever routing through the top firewall and IF 3 on all Alteons whenever routing through the lower firewall Therefore the first address represents the primary clean side IF 2 and the second represents the primary clean side IF 3 Using the hash metric all traffic between specific IP source destination address pairs flows through the same firewall ensuring that sessions establis...

Page 679: ... one for the subnet attached to the routers and one for the subnet attached to the firewalls cfg slb filt 10 dip 195 1 1 0 dmask 255 255 255 0 ena cfg slb filt 20 dip 224 0 0 0 dmask 255 255 255 0 ena cfg slb filt 2048 action redir group 1 ena cfg slb port 1 filt ena add 10 add 20 add 2048 cfg l3 vrrp 2 on vr 1 vrid 1 addr 195 1 1 9 Configure Virtual Router 1 For the subnet attached to the routers...

Page 680: ... real server group is used as the target for the FWLB redirection filter Each IP address assigned to the group represents a return path through a different firewall In this case since two firewalls are used two addresses are added to the group The two addresses are the interfaces of the dirty side Alteon and are configured as if they are real servers Note IF 2 is used on all Alteons whenever routi...

Page 681: ... later step cfg slb Select the SLB menu real 20 Select Real Server 20 rip 10 10 4 20 Set IP address of Real Server 20 ena Enable cfg slb real 21 Select Real Server 21 rip 10 10 4 21 Set IP address of Real Server 21 ena Enable cfg slb real 22 Select Real Server 22 rip 10 10 4 22 Set IP address of Real Server 22 ena Enable cfg slb group 2 Select Real Server group 2 add 20 Add the Real Servers to the...

Page 682: ... firewall group 4 Configure VRRP on the primary clean side Alteon VRRP in this example requires two virtual routers to be configured one for the subnet attached to the real servers and one for the subnet attached to the firewalls cfg slb filt 10 dip 10 10 4 0 dmask 255 255 255 0 ena cfg slb filt 20 dip 224 0 0 0 dmask 255 255 255 0 ena cfg slb filt 2048 action redir group 1 ena cfg slb port 4 filt...

Page 683: ...epts This section includes the following topics Free Metric FWLB page 683 Adding a Demilitarized Zone DMZ page 686 Firewall Health Checks page 687 Free Metric FWLB Free metric FWLB lets you use load balancing metrics other than hash such as leastconns roundrobin minmiss response and bandwidth for more versatility The free metric method uses the transparent load balancing option which can be used w...

Page 684: ... looked up in the session table 2 On the clean side Alteon remove the redirection filter from the ports attached to the real servers Ports 4 and 5 but ensure that filter processing is enabled The redirection filter is removed so that the return packet traverses through the same firewall If the firewalls synchronize their states then it is not required to remove the redirection filter Filter proces...

Page 685: ...r subnet FWLB network as illustrated in Figure 114 Four Subnet Network page 685 Figure 114 Four Subnet Network To use free metric FWLB in a four subnet FWLB network 1 On the clean side Alteons enable RTS on the ports attached to the firewalls Port 3 and on the interswitch port port 9 Enable filter and server processing on Ports 3 and 9 so that the responses from the real server are looked up in th...

Page 686: ... traffic filtering off loading this task from the firewall A DMZ is created by configuring FWLB with another real server group and a redirection filter towards the DMZ subnets The DMZ servers can be connected to Alteon on the dirty side of the firewall A typical firewall load balancing configuration with a DMZ is shown in Figure 115 FWLB with a Demilitarized Done DMZ page 686 Figure 115 FWLB with ...

Page 687: ...d send packets only to healthy firewalls There are two methods of firewall service monitoring ICMP and HTTP Each Alteon monitors the health of the firewalls on a regular basis by pinging the IP interfaces configured on its partner Alteon on the other side of the firewall cfg slb filt 80 Filter 80 sip any Filter 80 dip 205 178 29 0 Filter 80 dmask 255 255 255 0 Filter 80 proto tcp Filter 80 sport a...

Page 688: ...he physical link status of ports connected to firewalls If the physical link to a firewall goes down that firewall is placed immediately in the Server Failed state When Alteon detects that a failed physical link to a firewall has been restored it brings the firewall back into service Using HTTP Health Checks For those firewalls that do not permit ICMP pings to pass through Alteon can be configured...

Page 689: ...In addition to HTTP Alteon lets you configure up to five 5 different TCP services to listen for health checks For example you can configure FTP and SMTP ports to perform health checks For a list of other well known application ports see Table 20 Well Known Application Ports page 175 cfg slb port add 2048 Add the dummy filter ...

Page 690: ...Alteon Application Switch Operating System Application Guide Firewall Load Balancing 690 Document ID RDWR ALOS V2900_AG1302 ...

Page 691: ...st of the data sent between VPN initiators and terminators is encrypted network devices cannot use information inside the packet to make intelligent routing decisions How VPN Load Balancing Works VPN load balancing requires that all ingress traffic passing through a particular VPN must traverse the same VPN as it egresses back to the client Traffic ingressing from the Internet is usually addressed...

Page 692: ...nes which VPN device processed the frame by performing a lookup with the source MAC address of the frame If the MAC address matches a MAC address of a VPN device Alteon adds an entry to the session table so that reverse traffic is redirected to the same VPN device VPN Load Balancing Persistence VPN load balancing persistence ensures that VPN sessions that exist in a load balanced environment retai...

Page 693: ...N load balancing do the following Configure Alteon with firewall load balancing FWLB Configure a filter to enable the transparent load balancing Return to Source MAC address option This adds an opposite entry in the session table so that the return traffic matches its source MAC address Figure 117 Example VPN Load Balancing Configuration page 693 illustrates VPN load balancing with two VPN devices...

Page 694: ... Interface 1 IP Interface 1 addr 30 9 0 10 Set IP address for Interface 1 IP Interface 1 vlan 1 For VLAN 1 IP Interface 1 cfg 13 if 2 ena Select IP Interface 2 and enable IP Interface 2 mask 255 255 255 0 Set subnet mask for Interface 2 IP Interface 2 addr 20 0 0 10 Set IP address for Interface 2 IP Interface 2 vlan 2 For VLAN 2 IP Interface 2 cgf 13 if 3 ena Select IP Interface 3 and enable IP In...

Page 695: ...er 1 VRRP Virtual Router 1 prio 101 Set the renter priority VRRP Virtual Router 1 addr 30 0 0 50 Set IP address of virtual router VRRP Virtual Router 1 share dis Disable sharing VRRP Virtual Router 1 track Select Virtual Router Tracking menu VRRP VR 1 Priority Tracking vrs ena Enable tracking of virtual routers VRRP VR 1 Priority Tracking apply Apply the configuration VRRP VR 1 Priority Tracking s...

Page 696: ...re the clean side Alteon CB 1 Turn off BOOTP cfg slb real 1 ena Enable SLB for Real Server 1 Real server 1 rip 10 0 0 10 Assign IP address for Real Server 1 Real server 1 cfg slb real 2 ena Enable SLB for Real Server 2 Real server 2 rip 10 0 0 11 Assign IP address for Real Server 2 Real server 2 cfg slb real 3 ena Enable SLB for Real Server 3 Real server 3 rip 10 0 0 20 Assign IP address for Real ...

Page 697: ...ena mask 255 255 255 0 addr 20 0 0 20 vl 2 cfg l3 if 3 ena mask 255 255 255 255 addr 20 0 0 21 vl 2 cfg l3 route add 10 0 0 10 255 255 255 255 20 0 0 101 2 add 10 0 0 11 255 255 255 255 20 0 0 102 3 add 10 0 0 20 255 255 255 255 20 0 0 101 2 add 10 0 0 21 255 255 255 255 20 0 0 102 3 cfg l3 vrrp on Virtual Router Redundancy Protocol vr VRRP Virtual Router 1 ena VRRP Virtual Router 1 vrid VRRP Virt...

Page 698: ...LAN 2 for ports 25 and 26 3 Turn off the Spanning Tree Protocol STP 4 Configure IP interfaces 1 2 and 3 5 Define static routes for each of the IP interfaces you configured in step 4 using the VPN devices as gateways One static route is required for each VPN device being load balanced Real server 4 cfg slb group Real server group 1 metric hash Real server group 1 add 1 add 2 add 3 add 4 cfg slb fil...

Page 699: ...ter 1 if 1 VRRP Virtual Router 1 prio 101 VRRP Virtual Router 1 addr 192 168 10 50 VRRP Virtual Router 1 share dis VRRP Virtual Router 1 track VRRP Virtual Router 1 Priority Tracking vrs ena VRRP Virtual Router 1 Priority Tracking ports ena VRRP Virtual Router 1 Priority Tracking cfg l3 vrrp vr 2 VRRP Virtual Router 2 ena VRRP Virtual Router 2 vrid 2 VRRP Virtual Router 2 if 2 VRRP Virtual Router ...

Page 700: ...ort 14 Apply and save the configuration and reboot Alteon To configure the dirty side Alteon DB 1 Turn off BOOTP 2 Define and enable VLAN 2 for ports 25 and 26 cfg slb filt 100 ena sip any dip 192 168 10 0 dmask 255 255 255 0 action allow cfg slb filt 110 ena sip any dip 224 0 0 0 dmask 255 0 0 0 action allow cfg slb filt 2048 ena sip any dip any action redir cfg slb filt 2048 adv redir fwlb ena c...

Page 701: ...up cfg l2 stg off cfg l3 if 1 ena mask 255 255 255 0 addr 192 168 10 11 cfg l3 if 2 ena mask 255 255 255 0 addr 10 0 0 20 vl 2 cfg l3 if 3 ena mask 255 255 255 255 addr 10 0 0 21 vl 2 cfg l3 route add 20 0 0 10 255 255 255 255 10 0 0 101 2 add 20 0 0 11 255 255 255 255 10 0 0 102 3 add 20 0 0 20 255 255 255 255 10 0 0 101 2 add 20 0 0 21 255 255 255 255 10 0 0 102 3 cfg l3 vrrp on cfg l3 vrrp vr 1...

Page 702: ...group 12 Add filters to the ingress port 13 Apply and save the configuration and reboot Alteon To test the configurations and general topology Alteons should be able to perform health checks to each other and all devices should see four real servers cfg slb group 1 metric hash add 1 add 2 add 3 add 4 cfg slb filt 100 ena sip any dip 192 168 10 0 dmask 255 255 255 0 cfg slb filt 110 ena sip any dip...

Page 703: ...ct the cables cause failures to change the available servers that are up This should change the VRRP preferences You can view VRRP preferences using the command info l3 vrrp 2 Watch for accepted and dropped traffic In the toolbar go to Window Log Viewer Note To help simplify the logs the health checks are not logged To test the VPN 1 Launch the SecuRemote client on the dirty side of the network 2 ...

Page 704: ...eing used by looking at the Log Viewer You should also see the client authentication as well as the decrypted traffic 7 To verify that the FWLB and hash metric is working correctly on the dirty side Alteons that is hashed on client IP address destination IP address do one of the following Configure your current client with an IP address one higher or lower in the last octet and try to re establish...

Page 705: ...rlier versions of the Alteon are maintained after upgrading When you upgrade the software image to the new version the configuration is migrated Once you have obtained the proper password key to enable GSLB do the following 1 Connect to the CLI via Telnet or the console port and log in as the administrator following the directions in the Command Line Interface chapter of the Alteon Application Swi...

Page 706: ... the DSSP version GSLB Overview GSLB enables balancing server traffic load across multiple physical sites The Alteon GSLB implementation takes into account an individual site s health response time and geographic location to smoothly integrate the resources of the dispersed server sites for complete global performance Benefits GSLB meets the following demands for distributed network services High ...

Page 707: ...a Web browser to view the Web site for the Example Corporation at www example com The Example Corporation has two Web sites one in San Jose and one in Denver each with identical content and available services Both Web sites have an Alteon configured for GSLB with domain name set to www gslb example com These devices are also configured as the Authoritative Name Servers for www example com On the c...

Page 708: ...er site The end result is that the client gets quick reliable service with no latency and no special client side configuration GSLB Metrics This section describes all GSLB metrics as governed by DSSP All metrics can be prioritized for selection order and can be weighted on a per site basis This section includes the following sub sections Metric Preferences page 710 Rules page 710 GSLB Availability...

Page 709: ...his metric selects the next server based on a ranking of the local virtual server and remote real server in a list from the highest 48 to the lowest 1 ranking Multiple servers can have the same priority This metric allows servers to be grouped based on priorities or into primary and secondary groups This metric requires SLB health checks and remote site updates This is discussed in further detail ...

Page 710: ...d starts with the first metric in the metric preference list of the rule For more information on rules see Configuring GSLB with Rules page 730 GSLB Availability Persistence The GSLB availability metric is used in GSLB rules to select a server exclusively when that server is available Should that server become unavailable the next available server in a list is selected to service requests Availabi...

Page 711: ...oth sites are reporting their configured availability turn the feature back on by enabling availability persistence on Alteon with the backup server You can use the following command to enable or disable availability persistence on the backup Alteon GSLB Client Proximity Metric The GSLB client proximity metric measures the proximity between each data center and the client It is limited to HTTP and...

Page 712: ...ature of the DNS resource record set answer The digital signature can be verified by locating the correct public key found in a DNSKEY record The DNS record is used in the authentication of DNSKEYs in the lookup procedure using the chain of trust To enable the use of replacement keys a key rollover procedure is used New keys are rolled out in new DNSKEY records in addition to the existing old keys...

Page 713: ...es Configure the Alteon IP interface Configure the default gateways 4 Configure Alteon at each site to act as the DNS server for each service that is hosted on its virtual servers Also configure the master DNS server to recognize Alteon as the authoritative DNS server for the hosted services 5 Configure Alteon at each site for local SLB Define each local real server Group local real servers into r...

Page 714: ...ics at the San Jose Site 1 Optionally on the San Jose Alteon configure management access and the management gateway address and then enable the management port 2 If you are using the BBI for managing the San Jose Alteon change its service port By default GSLB listens on service port 80 for HTTP redirection By default the BBI also uses port 80 Both services cannot use the same port If the BBI is en...

Page 715: ...201 name servers VLAN 201 add 4 ena VLAN 201 for local servers Add Port 4 to VLAN 201 Port 4 is an UNTAGGED port and its current PVID is 1 Confirm changing PVID from 1 to 201 y n y Current ports for VLAN 201 empty Pending new ports for VLAN 201 10 Current status disabled New status enabled VLAN 201 add 3 ena Add Port 3 to VLAN 201 Port 3 is an UNTAGGED port and its current PVID is 1 Confirm changi...

Page 716: ...n the same IP subnet although advanced routing techniques can be used as long as they do not violate the topology rules For this example the host real servers have IP addresses on the same IP subnet 2 Define each local real server For each local real server you must assign a real server number specify its actual IP address and enable the real server For example 3 On the San Jose Alteon define a re...

Page 717: ...e Site for GSLB 1 On the San Jose Alteon turn on GSLB 2 Enable DSSP version 2 to send out remote site updates Note Unless you are in the middle of network migration from an Alteon version prior to 22 0 you should always enable DSSP version 2 or later Real server group 1 health http Use HTTP for health checks Real server group 1 content index html Set URL content for health checks Real server group...

Page 718: ... parameter is enabled and the real server entry is added to the real server group under the local virtual server for the intended service Finally since the real server health checks are performed across the Internet the health checking interval should be increased to 30 or 60 seconds to avoid generating excess traffic The health check interval should also depend on the number of remote sites The m...

Page 719: ... for managing the San Jose Alteon change its service port By default GSLB listens on service port 80 for HTTP redirection By default the BBI also uses port 80 Both services cannot use the same port If the BBI is enabled configure it to use a different port Note Use the cfg sys access http command to enable BBI For example enter the following command to change the BBI port to 8080 3 Configure a VLA...

Page 720: ... y n y Current ports for VLAN 202 empty Pending new ports for VLAN 202 11 Current status disabled New status enabled VLAN 202 add 12 ena Add Port 12 to VLAN 201 Port 11 is an UNTAGGED port and its current PVID is 1 Confirm changing PVID from 1 to 202 y n y Current ports for VLAN 202 empty Pending new ports for VLAN 202 11 12 cfg l3 if 202 Select IP Interface 202 IP Interface 202 addr 174 40 7 202 ...

Page 721: ...al server 3 On the Denver Alteon define a real server group 4 On the Denver Alteon define a virtual server apply save Table 61 Denver Real Server IP Addresses Real Server IP address Server 11 174 14 7 11 Server 21 174 14 7 21 Default gateway 1 cfg slb real 11 Server C is Real Server 1 Real server 11 rip 174 14 7 11 Assign IP address for Server 11 Real server 11 ena Enable Real Server 11 Real serve...

Page 722: ...n s IP address interface In this example there is only one remote site San Jose with an IP interface address of 200 200 200 1 Use the following commands Each additional remote site would be configured in the same manner You can enable up to 64 remote sites 4 On the Denver Alteon assign each remote distributed service to a local virtual server Virtual server 1 http service group 1 Associate virtual...

Page 723: ...le Note You should note where each configured value originates or this step can result in improper configuration 5 On the Denver Alteon define the domain name and hostname for each service hosted on each virtual server These are the same as for the San Jose Alteon the domain name is gslb example com and the hostname for the HTTP service is www Configure these values as follows 6 Apply and verify t...

Page 724: ...ng only SLB or even a site that uses another vendor s load balancers An Alteon running GSLB can operate in standalone mode as long as it uses site selection metrics that do not require remote site updates Example GSLB Topology with a Standalone GSLB Site The procedures to implement the example GSLB topology illustrated in Figure 121 GSLB Topology with a Standalone GSLB Site Example page 725 are de...

Page 725: ...13 configure a third site Tokyo in standalone mode Remember that in standalone mode Alteon does not require SLB configuration of local real servers 1 Optionally on the Tokyo Alteon configure management access and management gateway address 2 Configure a VLAN for the Internet traffic cfg sys mmgmt addr 43 100 80 20 Management port IP address Management Port mask 255 255 255 0 Management port mask M...

Page 726: ...te for GSLB page 717 configure the Tokyo site as follows 1 On the Tokyo Alteon turn on SLB and GSLB cfg l2 vlan 103 name internet VLAN 103 add 3 VLAN 102 for Internet Add Port 3 to VLAN 103 Port 3 is an UNTAGGED port and its current PVID is 1 Confirm changing PVID from 1 to 103 y n y Current ports for VLAN 103 empty Pending new ports for VLAN 103 3 Current status disabled New status enabled cfg l3...

Page 727: ...5 Apply and verify the configuration cfg slb real 1 Create an entry for San Jose Real server 1 ena Enable the real server entry Real server 1 name San_Jose Set a name for the real server entry Real server 1 rip 200 200 200 100 Set remote VIP address of San Jose Real server 1 adv remote enable Define the real server as remote cfg slb real 2 Create an entry for Denver Real server 2 ena Enable the re...

Page 728: ... After that Alteon2 is alive and DNS server continues to use NS1 If Alteon2 is alive NS2 is used Alteon1 was down After that Alteon1 is alive and DNS server continues to use NS2 The round robin algorithm for DNS server can be disabled To configure a Microsoft Windows 2003 DNS Server The DNS server is configured to resolve domain name e g geored com into active Alteon virtual IP address which repre...

Page 729: ...Figure 122 DNS Console 6 Set TTL equal to 10 seconds for records of zone com 7 Disable the round robin algorithm for the server as shown in Figure 123 ZDEDIC 5 Properties Window page 729 Figure 123 ZDEDIC 5 Properties Window Note If the DNS server is down the clients PCC Sigma phone that supports DNS and AudioCodes GW do not work ...

Page 730: ...rule The site selection metric sequence in the default Rule 1 is as follows 1 Network Preference The first metric in Rule 1 is set to Network Preference which selects the server based on the preferred network of the source IP address for a given domain If preferred networks are not configured this metric is not used in the default rule For more information on configuring preferred networks see Con...

Page 731: ...a site if a server is not selected at first Since network metric is the first metric make sure to add the configured networks to metric 1 6 Specify the other preferred GSLB metrics To configure the second time based rule Using the steps in configure the first time based rule page 731 configure another rule with the following parameters cfg slb gslb rule 1 dis cfg slb gslb net 43 sip 43 0 0 0 mask ...

Page 732: ... metric for metric 2 in Rule 1 2 Set the availability values for the real virt servers For example 3 Apply and save the configuration cfg slb gslb net 48 sip 48 0 0 0 mask 240 0 0 0 addreal 2 en cfg slb gslb rule 4 start 18 00 end 7 00 ena cfg slb gslb rule 4 metric 1 gmetric network addnet 48 cfg slb gslb rule 4 metric 2 gmetric geographical cfg slb gslb rule 4 metric 3 gmetric random cfg slb vir...

Page 733: ...ks A and B are configured in the network preference rule on the master Alteon at Site 4 Client A with a subnet address of 205 178 13 0 is configured with a network preference rule for preferred Sites 1 and 3 Client B with a subnet address of 204 165 0 0 is configured a network preference rule for preferred Sites 2 and 4 Client A with a source IP address of 205 178 13 10 initiates a request that is...

Page 734: ... enabled If dbind is disabled traffic goes to the MP and not the SP impacting performance Carefully analyze your network mask requirements Increasing the client IP mask reduces computation time for client proximity as the clients with the same subnet IP can reuse the client proximity that is already calculated Client proximity entries can be generated statically or dynamically Configuring Static C...

Page 735: ...ow for GSLB Client Proximity Site with HTTPS Service The following is the workflow for the example as shown Figure 125 GSLB Client Proximity Site with HTTPS Service page 735 1 The Client X DNS requests the local DNS server to send the www radware com IP address 2 The local DNS server queries the upstream DNS server on Alteon 3 The Site A Alteon receives a DNS request and acts as the authoritative ...

Page 736: ...rver For example the real server IP address is 10 10 10 12 4 Set up remote real servers for Site B and Site C 5 Configure SLB Group 1 with content based health check cfg slb on cfg slb adv direct ena cfg slb gslb on Enable SLB Enable DAM Enable GSLB cfg slb gslb version 4 cfg slb real 1 ena ipver v4 rip 10 10 10 12 Assign local real server IP Set the DSSP version to 4 cfg slb real 2 ena ipver v4 r...

Page 737: ...erver ena Enable server processing cfg slb port 8 client ena Enable client processing server ena Enable server processing for health packet in this port cfg slb virt 1 ena ipver v4 Configure virtual server vip 210 10 10 100 Assign virtual IP address dname radware com Assign domain name cfg slb virt 1 service http group 1 dbind ena Enable delayed binding for HTTP service cfg slb virt 1 service http...

Page 738: ...10 Least preferred site Most preferred site cfg slb on cfg slb adv direct ena cfg slb gslb on Enable SLB Enable DAM Enable GSLB cfg slb gslb version 4 cfg slb real 1 ena ipver v4 rip 174 168 10 100 Set the DSSP version to 4 Assign local real server IP cfg slb real 2 ena ipver v4 rip 201 2 2 100 cfg slb real 2 adv remote ena cfg slb real 3 ena ipver v4 rip 201 2 2 100 Assign real server to Site A E...

Page 739: ...a server ena Enable server processing Enable client processing Enable server processing for health packet in this port cfg slb virt 1 ena ipver v4 vip 174 14 70 100 dname radware com Configure virtual server Local VIP Site B Assign domain name cfg slb virt 1 service http group 1 dbind ena cfg slb virt 1 service http http clntprox http Enable delayed binding for HTTP service Enable Client proximity...

Page 740: ...30 Most preferred site Least preferred site cfg slb on cfg slb adv direct ena cfg slb gslb on Enable SLB Enable DAM Enable GSLB cfg slb gslb version 4 cfg slb real 1 ena ipver v4 rip 174 168 10 100 Set the DSSP version to 4 Assign local real server IP cfg slb real 2 ena ipver v4 rip 174 14 70 200 cfg slb real 2 adv remote ena cfg slb real 3 ena ipver v4 rip 201 2 2 100 Assign real server to Site A...

Page 741: ...g cfg slb port 8 client ena Enable client processing server ena Enable server processing for health packet in this port cfg slb virt 1 ena ipver v4 Configure virtual server vip 201 2 2 100 Local VIP Site C dname radware com Assign domain name cfg slb virt 1 service http group 1 dbind ena Enable delayed binding for HTTP service cfg slb virt 1 service http http clntprox http Enable client proximity ...

Page 742: ...ording to the DNS GSLB configured metric 4 The client opens an HTTP application session with Alteon at Site A 5 Site A receives the HTTP request and checks the client proximity entry If a client proximity entry does not exist computation begins for this client network 6 Alteon at Site A responds with three URL links The Site A Alteon computes multi trip time RTT with the client from current connec...

Page 743: ...correctly in the GSLB configuration for all Alteons Radware recommends that you manually configure the time date using NTP This section includes the following topics Basic DNSSEC Configuration page 743 DNSSEC Key Rollover page 746 Importing and Exporting Keys page 749 Deleting Keys page 752 NSEC and NSEC3 Records page 752 Basic DNSSEC Configuration For DNSSEC to work with GSLB you must perform the...

Page 744: ...d in seconds 0 2147483647 604800 Enter key signature publication period in seconds 0 2147483647 302400 Generating key Please wait Key examplekey added Main cfg slb gslb dnssec key Enter key id examplekey Key examplekey generate Enter key type zsk ksk zsk Should the key be enabled yes no yes no yes Enter key size 1024 2048 4096 2048 Enter key algorithm RSA SHA1 RSA SHA256 RSA SHA512 1 256 512 1 Ent...

Page 745: ...dentical Remote Sites with GSLB and DNSSEC There are 3 sites Site A Denver Site B New York Site C London Although the configuration is asymmetric Site A holds www denver com and www london com Site B holds www newyork com www denver com and www london com Site C holds www London com and www newyork com In the site DSSP configuration each site contains the configuration of the other sites remote IP...

Page 746: ...m for preventing expiration The following information is relevant when the ZSK and the KSK are assigned to the same zone The goal of an automatic rollover process is that the created key is published and RRs are signed before the old key is revoked During key rollovers automatic emergency KSK or ZSK the KSK must finalize before the ZSK rollover begins To prevent overload on the CPU when creating k...

Page 747: ...including all RRSIGs still existing in cache 7 The old RRSIGs are removed from storage The old ZSK remains in storage and is publicly available using DNSKEY 8 A timeout of 12 hours in addition to the TTL of the highest signed RRSIG starts 9 The old ZSK is revoked and is removed from storage Automated KSK Rollover The expiration period is the period for which the key is valid for example one month ...

Page 748: ... does not ensure that the DS was signed a warning is issued that the DNSSEC service might be disturbed To initiate a ZSK emergency rollover 1 Initiate the emergency rollover The system administrator is warned through SNMP console or e mail that an emergency ZSK rollover has been initiated which can disrupt services 2 The system administrator must confirm the emergency rollover The system administr...

Page 749: ...s can be exported publicly either a DS or DNSKEY where only the public key is exported When a private key is exported it is encrypted with a one time passphrase supplied at the time of export This same passphrase is supplied during import for decrypting of the keys When exporting keys the digital properties of the keys are exported regardless of the zone assignments During a DNSSEC private key exp...

Page 750: ...48 4096 1024 Enter key hash algorithm encryption is always RSA RSA SHA1 RSA SHA256 RSA SHA512 RSA SHA1 Enter key ttl in seconds 0 86400 86400 Enter key expiration in seconds 0 2147483647 2419200 Enter key rollover period in seconds 0 2147483647 1814400 Enter key signature validity period in seconds 0 2147483647 604800 Enter key signature publication period in seconds 0 2147483647 302400 At Import ...

Page 751: ...8Ieujs 7HYUxGgdv SSuf ciRhNoxWXHVm 027ZuN84QsxW4KI3NmjTYI4jDkeUARznDeal TcXkXCH u18u9NUCvlo04djnzvs3uB Ryw qLtMIupFFJiOHu4Ckx d3WPI5k9Sz XEsSYhnSfnmGNT7oR4U3SVUkUdmD72wYQzxteWuFaTu4psM4Gi0oXfFmbYKj09AA CYZ73ElFF0Ce dpU2o2JYp4h8JTbRc 7KiO3yzzlS27 9WFxOkAR99tYxcII33g2 Q8 zpJr3BEkUClQbQv7II y3BKZHm1VvObP6BZCfj2awZ 1lbuKBFoRWs6y6vOkr dY59fCJfIJMVkVyMWm6pTUtNEO0FjCKT lW6bdZZfSBWDtFgoIrZlSSqa01Itvga 7Os...

Page 752: ... Automatic NSEC and NSEC3 Record Creation The following procedure occurs 1 Alteon receives a DNS query 2 One of the following occurs If the domain name and a matching record exists the regular GSLB DNSSEC procedure is followed If the domain name exists but no matching record exists Alteon returns the NSEC or NSEC3 record of the requested name If neither the domain name nor a matching record exists...

Page 753: ...virtual server IP addresses in other Alteons Figure 126 HTTP and Non HTTP Redirects page 754 illustrates the packet flow of HTTP and non HTTP redirects in a GSLB environment The following table explains the HTTP or non HTTP request from the client when it reaches Site 2 but Site 2 has no available services Table 64 HTTP versus Non HTTP Redirects Application Type Site 2 Alteon Site 1 Alteon HTTP ap...

Page 754: ...Alteon Application Switch Operating System Application Guide Global Server Load Balancing 754 Document ID RDWR ALOS V2900_AG1302 Figure 126 HTTP and Non HTTP Redirects ...

Page 755: ...urces to handle the request 2 The Site 2 Alteon rewrites the request such that it now contains a client proxy IP address as the source IP address and the virtual server IP address at Site 1 as the destination IP address 3 Alteon at Site 1 receives the POP3 TCP SYN request to its virtual server The request looks like a normal SYN frame so it performs normal local load balancing 4 Internally at Site...

Page 756: ...00 200 4 Set unique proxy IP address cfg slb port 6 proxy enable Enable proxy on the port Proxy IP address cfg slb real 1 adv proxy dis Disable local real server proxy Real server 1 cfg slb real 2 adv proxy dis Disable proxy for the local server Real server 2 cfg slb real 3 adv proxy ena Enable proxy for the remote server Real server 3 apply Apply configuration changes Real server 3 save Save conf...

Page 757: ... be configured using public NAT addresses Figure 128 Network with GSLB Configuration Behind NAT Devices page 757 illustrates a configuration where Alteons at Sites A and B are located behind NAT devices and Alteon at Site C is not Figure 128 Network with GSLB Configuration Behind NAT Devices Table 65 summarizes the network configuration Table 65 GSLB Configuration Behind NAT Devices IP Address Typ...

Page 758: ...e Internet Because of the way IP routing works BGP based GSLB allows routing protocols to route DNS requests to the closest location which then return IP addresses of that particular site locking in the requests to that site In effect the Internet is making the decision of the best location for you avoiding the need for advanced GSLB Remote servers 173 121 34 5 site B service public IP 155 23 112 ...

Page 759: ... received via any given feed but are funneled to the same server on the local network In BGP based GSLB the DNS server with the IP address 1 1 1 1 is duplicated and placed local to the peering point instead of having a local network direct traffic to one server When a particular DNS server receives a request for a record in this case Alteon it returns with the IP address of a virtual server at the...

Page 760: ...Alteon Application Switch Operating System Application Guide Global Server Load Balancing 760 Document ID RDWR ALOS V2900_AG1302 ...

Page 761: ...d These license strings may only be enabled if Layer 4 services have been enabled Once you have obtained the proper license string to enable BWM do the following 1 Connect to the CLI via Telnet or the console port and log in as the administrator following the directions in the Command Line Interface chapter of the Alteon Application Switch Operating System Command Reference 2 From the CLI enter th...

Page 762: ...x Architecture VMA is enabled traffic classification is performed on the ingress port the port on which the frame is received and not the client port or the server port If the traffic classification is performed on Layer 4 through Layer 7 traffic filter based or SLB traffic then the classification occurs on the designated port Figure 129 How Bandwidth Management Works Classification Rules In a cla...

Page 763: ...e URL HTTP headers cookies and so on If a frame falls into all of classifications 1 through 5 and if the precedence is same for all the applicable contracts then the Layer 7 applications contract classification precedence level 5 is assigned because it comes last and has the highest precedence Application Bandwidth Control Classification policies allow bandwidth limitations to be applied to partic...

Page 764: ...nd and recalculating the bandwidth allocation Table 66 Bandwidth Reallocation in Grouped Contracts page 765 illustrates how the hard limits of individual contracts self adjust when placed into a contract group The hard limit indicates the actual hard limits set for each individual contract Since contracts 1 through 4 are part of a contract group the total hard limit allowed for the group in this e...

Page 765: ... classified into different contracts and can have different user limits applied according to the class of traffic Because user limiting for a contract is optional it can be set for contracts where fair sharing of bandwidth is important and not set for the contracts where fair sharing of bandwidth is not important or desirable The following are examples that further explain how user limits work Exa...

Page 766: ... kbps egressing out on port 20 For an example see Configuring an IP User Level Rate Limiting Contract page 780 Policies Bandwidth policies are bandwidth limitations defined for any set of frames that specify the maximum best effort and minimum guaranteed bandwidth rates A bandwidth policy is assigned to one or more contracts You can define up to 64 bandwidth policies A bandwidth policy is often ba...

Page 767: ...miting contract is controlled by metering the traffic that egresses from Alteon If the egress rate is below the configured rate limit hard limit for the port the traffic is transmitted immediately without any buffering If the egress rate is above the configured rate limit the traffic above the rate limit is dropped This is illustrated in Figure 130 Bandwidth Rate Limits page 767 Figure 130 Bandwid...

Page 768: ...dwidth is available a bandwidth class is allowed to send data at this rate No exceptional condition is reported when the data rate does not exceed this limit For rate limiting contracts the soft limit is ignored Hard limit This is a never exceed rate A bandwidth class is never allowed to transmit above this rate Typically traffic bursts between the soft limit and the hard limit are charged a premi...

Page 769: ...econd The timeslot traffic limit is the traffic that is sent for a particular contract for every timeslot corresponding to the contract s rate limit or the hard limit as initially calculated For any contract there is one timeslot traffic limit for each egress port The timeslot traffic limit is calculated from the hard limit The timeslot traffic limit is the amount of traffic that corresponds to th...

Page 770: ...Real time Clocks and Theoretical Departure Times page 770 illustrates how data may be paced in a traffic shaping contract Six arriving frames are processed differently depending on rate of the queue Queue 1 processes each packet evenly Queue 2 processes per 1500 bytes and inserts some delay as it processes the first three 500 byte frames and then the next three frames Queue 3 processes at 3000 byt...

Page 771: ...the contracts for which the history option is enabled using the cfg bwm cont x hist command Sending BWM History The MP maintains global statistics such as total octets and a window of historical statistics When the history buffer of 128K is ready to over flow it can be sent from Alteon using either an e mail or direct socket transfer mechanism To configure sending Bandwidth Management statistics 1...

Page 772: ... are not synchronized For more information on VRRP and synchronized configurations see Configuring VRRP Peers for Synchronization page 569 Packet Coloring TOS bits for Burst Limit Whenever the soft limit is exceeded optional packet coloring can be done to allow downstream routers to use diff serv mechanisms that is writing the Type Of Service TOS byte of the IP header to delay or discard these out...

Page 773: ... Note This feature is available in maintenance mode only To set a mirroring port for a contract To disable a mirroring port on a contract Note Mirroring occurs before the application of the limiting contract Packets that would have been otherwise discarded by the contract are also copied to the mirroring port Configuring Bandwidth Management The following procedure provides general instructions fo...

Page 774: ... underlimit and overlimit There are two parameters for specifying the TOS bits underlimit utos and overlimit otos These TOS values are used to overwrite the TOS values of IP packets if the traffic for a contract is under or over the soft limit respectively These values only have significance to a contract if TOS overwrite is enabled in the Bandwidth Management Contract menu cfg bwm cont x wtos ena...

Page 775: ...licy 11 Optionally enable traffic shaping Rate limiting is enabled by default Enabling traffic shaping disables rate limiting For more information see Traffic Shaping page 769 12 Enable the BWM contract 13 Classify the frames for this contract and assign the BWM contract to the filter or virtual IP address Each BWM contract must be assigned a classification rule The classification can be based on ...

Page 776: ...ment page 789 Configuring Time and Day Policies page 791 Egress Bandwidth Tuning for Lower Speed Networks page 792 Overwriting the TCP Window Size page 793 Note Ensure BWM is enabled on Alteon cfg bwm on Example Configuring User Application Fairness Bandwidth Management can be applied to prevent heavy bandwidth bursters from locking out other users such as the following Customers using broadband a...

Page 777: ...6 Select the second bandwidth policy for broadband customers 7 Set the hard soft and reserved rate limits for this policy in Mbps 8 On Alteon select the second BWM contract and name the contract 9 Set the bandwidth policy for this contract Each BWM contract must be assigned a bandwidth policy 10 Enable this BWM contract 11 On Alteon apply and verify the configuration cfg bwm pol 1 Policy 1 hard 5 ...

Page 778: ...group the hard limits of each contract are readjusted every few seconds in proportion to each contract s share in the group In effect the contract with only 10 Mbps may be allowed at times to share any unused resources in the group and burst up to a higher hard limit If that contract is removed from the group the contract reverts to its individual hard limits and any traffic above its configured h...

Page 779: ...ct 13 Configure Policy 4 with hard soft and reserved limits of 40 35 and 30 Mbps respectively Then create Contract 4 and apply Policy 4 to this contract 14 Configure BWM Contract Group 1 and add all four contracts to this group cfg bwm pol 1 Policy 1 hard 10M Policy 1 soft 5M Policy 1 resv 1M Select BWM Policy 1 Set never exceed rate Set desired bandwidth rate Set committed information rate Policy...

Page 780: ...contract 10 Mbps excess octets are dropped If the number of octets is below the value of the contract 10 Mbps a session is created on Alteon that records the student s IP address the egress port number and the contract number as well as the number of octets transferred for that second The session updates the number of octets being transferred every second thus maintaining traffic within the config...

Page 781: ...tial Services BWM can be used to provide preferential treatment to certain traffic based on source IP blocks applications URL paths or cookies You may find it useful to configure higher policy rate limits for specific sites for example those used for e commerce In this example there are two Web sites A com and B com BWM is configured to give preference to traffic sent to Web site B com 1 Configure...

Page 782: ...bandwidth policy 6 Enable this BWM contract 7 Select Bandwidth Policy 2 8 Set the hard soft and reserved rate limits for this policy in Mbps 9 Select the second BWM contract and name the contract 10 Assign the bandwidth policy to this contract Each BWM contract must be assigned a bandwidth policy 11 Enable this BWM contract cfg bwm pol 1 Policy 1 hard 10 Policy 1 soft 8 Policy 1 resv 5 Set never e...

Page 783: ...ample Configuring Content Intelligent Bandwidth Management Content intelligent BWM allows the network administrator or Web site manager to control bandwidth based on Layer 7 content such as URLs HTTP headers or cookies All three types of Bandwidth Management are accomplished by following the configuration guidelines on content load balancing described in Content Intelligent Server Load Balancing p...

Page 784: ...ement page 784 users are able to allocate a certain percentage of bandwidth for Web cache requests by using the URL parsing and bandwidth management feature Figure 132 URL Based SLB with Bandwidth Management This example assumes you have configured URL based SLB and the layer 7 strings as described in Content Intelligent Server Load Balancing page 219 For URL based SLB a user has to first define s...

Page 785: ...strings and contracts are assigned properly 7 Configure a real server to handle the URL request Main cfg bwm pol 1 hard 3M soft 2M res 1M Policy 1 cfg bwm pol 2 hard 4M soft 3M res 2M Policy 2 cfg bwm pol 3 hard 1M soft 500k res 250k Policy 3 cfg bwm pol 4 hard 2M soft 1M res 500k Main cfg bwm cont 1 policy 1 BW Contract 1 cfg bwm cont 2 policy 2 BW Contract 2 cfg bwm cont 3 policy 3 BW Contract 3...

Page 786: ... allocate a certain percentage of bandwidth to this URL string for this service on the virtual server then define a rule using the urlcont command This contract is tied to service 1 The urlcont command overrides the contract assigned to the URL string ID 10 Enable SLB 11 Apply and save the configuration Example Configuring Cookie Based Bandwidth Management Cookie based BWM enables Web site manager...

Page 787: ...cenario the Web site has a single virtual server IP address and supports multiple classes of users Turn on cookie parsing for the service on the virtual server 1 Define one or more load balancing strings For example cfg slb virt 1 service 80 Virtual Server 1 http Service http httpslb Application urlslb host cookie browser urlhash headerhash version others none Select Application cookie Operation a...

Page 788: ...n or alternatively disabling DAM and configuring a proxy on the client port port mapping for URL based load balancing can be performed 5 Enable SLB B In this scenario the Web site has multiple virtual server IP addresses and the same user classification or multiple sites use the same string name There are two virtual IP VIP addresses 172 17 1 1 and 172 17 1 2 Both the virtual servers and sites hav...

Page 789: ...act 1 and cfg slb layer7 lb cont Contract 2 to the same URL urlcont will override Contract 2 even if Contract 2 has higher precedence Example Configuring Security Management BWM can be used to prevent Denial of Service DoS attacks that generate a flooding of necessary evil packets BWM limits the rate of TCP SYN ping and other disruptive packets BWM can alert the network manager when soft limits ar...

Page 790: ...BWM contract must be assigned a bandwidth policy 7 Enable the BWM contract 8 Create a filter that will be used to classify the frames for this contract and assign the BWM contract to the filter The classification rule for this BWM contract is based on a filter configured to match ICMP traffic The contract will be applied to any frames that match this filter cfg bwm pol 1 Policy 1 hard 250k Policy ...

Page 791: ...h as on evenings or weekends Up to two time policies can be applied to each contract The default settings for each time policy are Day everyday From Hour 12am To Hour 12am Policy 512 time policy disabled If both Time Policy 1 and Time Policy 2 are enabled on a contract and both policies match the current time set in Alteon s system clock Time Policy 1 will take effect Note When configuring time po...

Page 792: ...to a Wide Area Network WAN using a T1 line 1 544 Mbps or a T3 line 44 736 Mbps Any packets that exceed the capacity of the WAN are dropped Egress bandwidth tuning is only available on 10 100 1000Base T ports To tune down the egress bandwidth to T3 speeds enter the following commands cfg bwm cont 1 timepol 1 BW Contract 1 Time Policy 1 day weekday Current Time Policy Day everyday Pending new Time P...

Page 793: ...nd traffic usually exceeds the configured BWM soft limit in a BWM contract the TCP window size may be overwritten to better accommodate the prevailing traffic rates It would be beneficial if the TCP traffic was slowed down by modifying the TCP window size rather than by dropping TCP packets which would cause retransmissions By default the TCP window size is overwritten only when traffic exceeds th...

Page 794: ...Alteon Application Switch Operating System Application Guide Bandwidth Management 794 Document ID RDWR ALOS V2900_AG1302 ...

Page 795: ...ument The schema document is the roadmap that enables Alteon to interpret the XML documents that are sent to it This schema document defines the markup tags that appear in the XML document and what each means The following is an example schema document used by the XML Configuration API XML Parser An XML parser is embedded in the software This parser is used to interpret an XML file into usable CLI...

Page 796: ...er application After authentication takes place the file can be sent securely Notes Certificates used for authentication purposes must be in PEM format Self signed certificates are supported for this purpose A certificate can be either obtained via TFTP FTP or by simply pasting the certificate directly through the CLI FTC1 ADC VX Main cfg sys access xml gtcert Import from text or file in PEM forma...

Page 797: ...les is the SSL port by default You can change the default by using the following command Note Since both HTTPS and XML use SSL as a transport layer the two are closely tied together Both HTTPS and XML must use the same port if both are enabled 3 Import client certificate Certificate authentication is required to send an XML configuration file to Alteon To import a client certificate do the followi...

Page 798: ...perations Enabling XML debug operations results in all commands in the XML file to be displayed on the console with one of the following prefaces running XML cmd Invalid XML cmd All responses to these commands are also displayed on the console To display the current XML API configuration Main cfg sys access xml dispcert Main cfg sys access xml debug enabled Main cfg sys access xml cur ...

Page 799: ...hout additional equipment investment AppShape provides specific API extension to the Tool Command Language Tcl to query and manipulate data and take actions such as server selection For more informaton on Tcl see www tcl tk The AppShape scripts can be attached to virtual service thus allowing to perform protocol content switching decisions and modification on any TCP UDP protocol AppShape Script R...

Page 800: ...oad Balancing page 165 2 Write the AppShape script which will complete the virtual service behavior Radware recommends using a Tcl enabled editor 3 Import the script to Alteon the switch 4 Enable the script 5 Attach the script to the virtual service Main cfg slb appshape script myscript AppShape script myscript import Import script from text or file in PEM format text file text file Enter hostname...

Page 801: ...t Matches URLs that starts with product product Matches URLs that have the string product anywhere in the URL You can assign one or more strings to each real server When more than one URL string is assigned to a real server requests matching any string are redirected to that real server There is also a special string known as any that matches all content Alteon also supports exclusionary string ma...

Page 802: ... Enable SLB Enable URL based HTTP SLB For information on how to configure your network for SLB see Server Load Balancing page 165 2 Add the load balancing strings for example test images and product to the real server 3 Apply and save the configuration 4 Identify the IDs of the defined strings 5 Assign the URL string ID to the real server 6 Enable the exclusionary string matching option If you con...

Page 803: ...ser input string must be 40 characters or less The size of the regular expression structure after compilation cannot exceed 43 bytes for load balancing strings and 23 bytes for cache redirection The size of regular expressions after compilation varies based on the regular expression characters used in the user input string Use at the beginning of the regular expression Otherwise a regular expressi...

Page 804: ...t to examine the order in which they are examined and a logical operator and or for their evaluation The following Layer 7 content types can be specified URL SLB HTTP Host Cookie Browsers user agent URL hash Header hash Using these content types with the and and or operators Alteon is configured to refine HTTP based server load balancing multiple times on a single client HTTP request in order to b...

Page 805: ...AM is disabled Enable delayed binding Using the or and Operators Figure 135 Content Precedence Lookup Protectors Example page 805 illustrates a network with Real Servers 1 and 3 configured for URL SLB and Real Servers 2 and 3 configured for HTTP Host SLB Figure 135 Content Precedence Lookup Protectors Example If you have configured Content Precedence Lookup with the or and and operators the reques...

Page 806: ...conservative basis As a result the company implements virtual hosting by advertising a single virtual server IP address that includes both customers Web sites Additionally the hosting company assigns only one service HTTP port 80 to support the virtual server The virtual hosting company wants to maintain the flexibility to allow different types of content to be placed on different servers To make ...

Page 807: ...d not bind to string 1 because of the capitalized D in Default asp String case sensitivity may be disabled so that any incoming request containing GET Default asp GET DEFAULT ASP and other case combinations all map to string 1 Configurable HTTP Methods Various types of HTTP methods to be processed by the Layer 7 engine are configurable To view the currently supported HTTP methods Server 3 Customer...

Page 808: ...cument ID RDWR ALOS V2900_AG1302 To add an HTTP method type Select the method by its index number from the list in To view the currently supported HTTP methods page 807 The list of supported HTTP methods is updated regularly in Alteon as the HTTP protocol evolves cfg slb layer7 slb addmeth 2 ...

Page 809: ...ptimize resource access and server performance Content dispersion can be optimized by making load balancing decisions on the entire path and filename of each URL Note Both HTTP 1 0 and HTTP 1 1 requests are supported For URL matching you can configure up to 1024 strings comprised of 40 bytes each Each URL request is then examined against the URL strings defined for each real server URL requests ar...

Page 810: ... the following tasks Note When URL based SLB is used in an active active redundant setup use a proxy IP address instead of Direct Access Mode DAM to enable the URL parsing feature Assign an IP address to each of the real servers in the server pool Define an IP interface Define each real server Define a real server group and set up health checks for the group Define a virtual server on virtual port...

Page 811: ...ng only The images string allows the server to process these requests images product b gif images company a gif images testing c jpg This string would not allow the server to process these requests however company images b gif product images c gif testing images a gif Example 2 String without the Forward Slash A string that does not start with a forward slash indicates that the server will process...

Page 812: ...fined string Note If you do not add a defined string or add the defined string any the server handles any request A server can have multiple defined strings such as images sales gif With these defined strings this particular server can handle requests that start with images or sales and any requests that contain gif 6 Enable SLB 7 Enable DAM or configure proxy IP addresses and enable proxy on the ...

Page 813: ...IP addresses by dedicating an individual IP address for each home page they host By supporting an extension in HTTP 1 1 to include the host header Alteon enables service providers to create a single virtual server IP address to host multiple Web sites per customer each with their own host name Note For SLB one HTTP header is supported per virtual server The following list provides more details on ...

Page 814: ...es a domain name as part of the 128 supported URL strings Both domain names www company a com and www company b com resolve to the same IP address In this example the IP address is for a virtual server on Alteon 2 www company a com and www company b com are defined as URL strings 3 Server Group 1 is configured with Servers 1 through 8 Servers 1 through 4 belong to www company a com and Servers 5 t...

Page 815: ...sed persistent load balancing is described in Persistence page 583 Cookie based preferential services enable the following support Redirect higher priority users to a larger server or server group Identify a user group and redirect them to a particular server Serve content based on user identity Prioritize access to scarce resources on a Web site Provide better services to repeat customers based o...

Page 816: ...o real server groups Define virtual servers and services For information on how to configure your network for SLB see Server Load Balancing page 165 2 Turn on URL parsing for the virtual server In this example sid is the cookie name 1 is the offset the starting position of the value to be used for hashing 6 is the length the number of bytes in the cookie value d looks for the cookie in the cookie ...

Page 817: ...lancing strings Add a defined string where ID is the identification number of the string Note If you do not add a defined string or add the defined string any the server handles any request 5 Enable DAM on Alteon or configure proxy IP addresses and enable proxy on the client port To use cookie based preferential load balancing without DAM you must configure proxy IP addresses Enable proxy load bal...

Page 818: ... handles any request Use the following command to add a defined string where ID is the identification number of the defined string Configure SLB Strings for HTTP Redirection All of the following HTTP filtering redirection examples require configuring the SLB strings listed in Table 70 Each defined string has an associated ID number A filter is then configured to redirect from one configured string...

Page 819: ... Host mobile example com 4g w url HOST_URL 11 HTTPHDR Host any 12 HTTPHDR Host any 90 13 HTTPHDR Host any 8080 14 HTTPHDR X Foo ipaddress 10 168 100 15 HTTPHDR Host www abc com cont 256 16 HTTPHDR Host any 443 cont 256 17 HTTPHDR Host mobile example com 4g w url HOST nava toggle jad nre cont 1024 18 HTTPHDR Host mobile example com 4g w url dev example com URL nre cont 1024 cfg slb layer7 slb Serve...

Page 820: ...e following is the client phone configuration used for the example Enter HTTP header name Host Define HTTP header name Host Enter SLB header value string wap yahoo com cfg slb layer7 slb cur Number of entries 1 41 any cont 256 2 HTTPHDR Host wap example com cont 256 3 HTTPHDR Host wap yahoo com cont 256 4 HTTPHDR Host wap google com cont 256 5 HTTPHDR Host wap p example com cont 256 6 HTTPHDR Host...

Page 821: ...e defined strings The strings in bold in the filters defined above are used in this example 2 Configure Filter 1 Device Gateway IP address 10 168 107 101 Home page http wap example com WAP port 9001 CSD number as 18881234567 username john cfg slb layer7 slb cur Number of entries 14 1 any cont 256 2 HTTPHDR Host wap example com cont 256 3 HTTPHDR Host wap yahoo com cont 256 4 HTTPHDR Host wap googl...

Page 822: ...d Layer 7 menu Layer 7 Advanced addrd Enter filtering string ID 1 1024 to redirect from 2 Redirect string 2 Enter filtering string ID 2 1024 to redirect to 3 to string 3 cfg slb filt 2 Filter 2 sip 10 46 6 0 0 Current source address any New pending source address 10 46 6 0 0 Filter 2 smask 255 255 255 0 Current source mask 0 0 0 0 New pending source mask 255 255 255 0 Filter 2 proto tcp Enter prot...

Page 823: ...ort 80 and redirect that URL to TCP service port 90 Filter 5 Configure a filter that intercepts all traffic entering on TCP service port 80 and send it to 10 168 120 129 on TCP service port 8080 cfg slb filt 3 Filter 3 sip 10 23 43 0 Current source address any New pending source address 10 23 43 0 Filter 3 smask 255 255 255 0 Current source mask 0 0 0 0 New pending source mask 255 255 255 0 Filter...

Page 824: ...ont 256 12 HTTPHDR Host any 90 cont 256 13 HTTPHDR Host any 8080 cont 256 14 HTTPHDR X Foo ipaddress 10 168 100 cont 256 15 HTTPHDR Host www abc com cont 256 16 HTTPHDR Host any 443 cont 256 17 HTTPHDR Host mobile example com 4g w url HOST nava toggle jad nre cont 1024 18 HTTPHDR Host mobile example com 4g w url dev example com URL nre cont 1024 cfg slb filt 4 Filter 4 dip 10 46 6 231 Current dest...

Page 825: ...example com java toggle jad If the MIME type is text vnd foo j2me app descriptor or if the URL contains jad or jar as an extension it will replace the URL with http mobile example com 4g w url dev example com nava toggle jad cfg slb filt 5 Filter 5 dip 10 46 6 231 Current destination address any New pending destination address 10 46 6 231 Filter 5 smask 255 255 255 255 Current source mask 0 0 0 0 ...

Page 826: ... HTTPHDR Host any cont 256 12 HTTPHDR Host any 90 cont 256 13 HTTPHDR Host any 8080 cont 256 14 HTTPHDR X Foo ipaddress 10 168 100 cont 256 15 HTTPHDR Host www abc com cont 256 16 HTTPHDR Host any 443 cont 256 17 HTTPHDR Host mobile example com 4g w url HOST nava toggle jad nre cont 1024 18 HTTPHDR Host mobile example com 4g w url dev example com URL nre cont 1024 cfg slb filt 6 Filter 6 dip 10 46...

Page 827: ...ur Number of entries 14 1 any cont 256 2 HTTPHDR Host wap example com cont 256 3 HTTPHDR Host wap yahoo com cont 256 4 HTTPHDR Host wap google com cont 256 5 HTTPHDR Host wap p example com cont 256 6 HTTPHDR Host 10 168 224 227 top cont 256 7 jad cont 256 8 jar cont 256 9 HTTPHDR Accept text vnd foo j2me app descriptor cont 256 10 HTTPHDR Host mobile example com 4g w url HOST_URL cont 256 11 HTTPH...

Page 828: ...ddress any New pending destination address 10 46 6 231 Filter 7 smask 255 255 255 255 Current source mask 0 0 0 0 New pending source mask 255 255 255 255 Filter 7 proto tcp Enter protocol or any udp Pending new protocol tcp Filter 7 dport httpCurrent destination port or range any Pending new destination port or range http Filter 7 action redirCurrent action allow Pending new action redir Filter 7 ...

Page 829: ... Number of entries 14 1 any cont 256 2 HTTPHDR Host wap example com cont 256 3 HTTPHDR Host wap yahoo com cont 256 4 HTTPHDR Host wap google com cont 256 5 HTTPHDR Host wap p example com cont 256 6 HTTPHDR Host 10 168 224 227 top cont 256 7 jad cont 256 8 jar cont 256 9 HTTPHDR Accept text vnd foo j2me app descriptor cont 256 10 HTTPHDR Host mobile example com 4g w url HOST_URL cont 256 11 HTTPHDR...

Page 830: ... Layer 7 strings and identify their ID numbers The strings in bold in the filters defined above are used in this example cfg slb filt 8 Filter 8 sip 10 46 6 231 Current source address any New pending source address 10 46 6 231 Filter 8 smask 255 255 255 255 Current source mask 0 0 0 0 New pending source mask 255 255 255 255 Filter 8 proto tcp Enter protocol or any udp Pending new protocol tcp Filt...

Page 831: ...r 10 3 Apply and save the configuration Example IPv6 Redirection Filter Figure 138 TCP Service Port Based HTTP Redirection page 832 illustrates an IPv6 redirection filter c slb filt 9 ena action redir ipver v4 proto tcp dport http c slb filt 9 adv layer7 l7lkup ena addrd 3 4 c slb filt 10 ena action redir ipver v4 dip 205 10 10 10 proto tcp dport http c slb filt 10 adv layer7 l7lkup ena addrd 2 4 ...

Page 832: ...Configure the cache server VLAN 4 Configure the cache server interface 5 Configure the original server VLAN VLAN to Internet 6 Configure the interface to the Internet 7 Enable SLB Main cfg l2 vlan 2 en name Client_VLAN add 1 Main cfg l3 if 2 en vlan 2 ipv v6 add 2001 1 mask 64 Main cfg l2 vlan 3 en name Cache_VLAN add 10 add 20 Main cfg l3 if 3 en vlan 3 ipv v6 add 2002 1 mask 64 Main cfg l2 vlan ...

Page 833: ...affic to the cache servers 12 Configure IPv6 default filter to allow other traffic 13 Enable filter processing on client ports and add the two filters to the client ports 14 Apply the configuration Main cfg slb re 1 en ipv v6 rip 2002 11 Main cfg slb re 2 en ipv v6 rip 2002 12 Main cfg slb gr 1 ipv v6 add 11 add 12 Main cfg slb fi 1 en name IPv6_HTTP_Redir_Filter ipv v6 act redir proto tcp dport h...

Page 834: ...Alteon Application Switch Operating System Application Guide Content Intelligent Server Load Balancing Not Using Layer 7 Content Switching Rules 834 Document ID RDWR ALOS V2900_AG1302 ...

Page 835: ...imately 5 1028 addresses for each of the roughly 6 5 billion people alive today Table 71 includes a summary of the key differences between IPv4 and IPv6 protocols Table 71 Differences Between IPv4 and IPv6 Protocols IPv4 IPv6 Source and destination addresses are 32 bits 4 bytes in length Source and destination addresses are 128 bits 16 bytes in length IPSec support is optional IPSec support is req...

Page 836: ...e network prefix 21DA D300 0000 2F3C 64 ICMP Router Discovery is used to determine the IPv4 address of the best default gateway and is optional ICMPv4 Router Discovery is replaced with ICMPv6 Router Solicitation Discovery and Router Advertisement messages and is required Broadcast addresses are used to send traffic to all nodes on the subnet There are no IPv6 broadcast addresses Instead a link loc...

Page 837: ...municate with a neighbor on the same link Link local addresses use the high order bit range from FE80 to FEBF Link local unicast addresses are configured on the interface by using the link local prefix FE80 10 and the interface identifier in EUI 64 format for its low order 64 bit Link local packets are not routed between subnets Multicast A multicast address FF00 to FFFF is an identifier for a gro...

Page 838: ... IPv6 configuration General IPv6 information IPv6 routing table IPv6 neighbor discovery protocol table Verifying IPv6 Statistics The following is the command to display and verify IPv6 statistics To display IPv6 statistics Main info l3 nbrcache IP6 Neighbor Discovery Protocol ping6 fe80 20d 56ff fe22 df09 Enter interface number 1 256 200 fe80 0 0 0 20d 56ff fe22 df09 is alive Main info l3 ip Main ...

Page 839: ... APPLICABLE THE SOFTWARE IS LICENSED NOT SOLD BY OPENING THE PACKAGE CONTAINING RADWARE S PRODUCT OR BY DOWNLOADING INSTALLING COPYING OR USING THE SOFTWARE AS APPLICABLE YOU CONFIRM THAT YOU HAVE READ AND UNDERSTAND THIS LICENSE AGREEMENT AND YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT FURTHERMORE YOU HEREBY WAIVE ANY CLAIM OR RIGHT THAT YOU MAY HAVE TO ASSERT THAT YOUR ACCEPTANC...

Page 840: ...sing the Software until the end of your extended subscription period If you do not extend your subscription after the expiration of your subscription you are legally obligated to discontinue your use of the Software and completely remove the Software from your system 4 Feedback Any feedback concerning the Software including without limitation identifying potential errors and improvements recommend...

Page 841: ... shall have been subject to misuse neglect accident or improper installation or if repairs or modifications were made by persons other than by Radware s authorized service personnel 8 Limitation of Liability Except to the extent expressly prohibited by applicable statutes in no event shall Radware or its principals shareholders officers employees affiliates licensors contractors subsidiaries or pa...

Page 842: ... therefor 12 Governing Law This License Agreement shall be construed and governed in accordance with the laws of the State of Israel 13 Miscellaneous If a judicial determination is made that any of the provisions contained in this License Agreement is unreasonable illegal or otherwise unenforceable such provision or provisions shall be rendered void or invalid only to the extent that such judicial...

Reviews:

No comments

Brands by name

Popular brands

Load more brands