Radware Alteon Application Manual

Application switch operating system

Alteon Application Switch Operating System
Application Guide
Software Version 29.0.0.0
Document ID: RDWR-ALOS-V2900_AG1302
February, 2013

Summary of Contents for Radware Alteon

  • Page 1 Alteon Application Switch Operating System Application Guide Software Version 29.0.0.0 Document ID: RDWR-ALOS-V2900_AG1302 February, 2013...
  • Page 3: Important Notices

    This information guide is provided to our customers as part of the installation and use of the Radware products described in this document and may not be used for any purpose other than the one for which it was designed.
  • Page 4: Copyright Notices

    The OnDemand Switch may use software components licensed under the GNU General Public License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html...
  • Page 5 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 6 GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of the license is listed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html This code is also placed...
  • Page 7 The OnDemand Switch may use software licensed under the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of this license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html...
  • Page 8: Safety Instructions

    3. Neither the name of the University nor the names of the contributors may be used to endorse or promote products derived from this software without specific prior written permission. This product includes software developed by Markus Friedl. This product includes software developed by Theo de Raadt. This product includes software developed by Niels Provos. This...
  • Page 9 The following figure shows the caution label that is attached to Radware platforms with dual power supplies. Figure 1: Electrical Shock Hazard Label DUAL-POWER-SUPPLY-SYSTEM SAFETY WARNING IN CHINESE The following figure is the warning for Radware platforms with dual power supplies.
  • Page 10: Main# /Cfg/Slb/Group 1/Slowstr

    LINE VOLTAGE Before connecting this instrument to the power line, make sure the voltage of the power source matches the requirements of the instrument. Refer to the Specifications for information about the correct power rating for the device.
  • Page 11 KCC KOREA Figure 5: KCC—Korea Communications Commission Certificate of Broadcasting and Communication Equipment Figure 6: Statement For Class A KCC-certified Equipment in Korean Translation of Statement For Class A KCC-certified Equipment in Korean: This equipment is Industrial (Class A) electromagnetic wave suitability equipment and seller or user should take notice of it, and this equipment is to be used in the places except for home.
  • Page 12 This marking or statement includes the following text warning: CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Caution – To Reduce the Risk of Electrical Shock and Fire 1.
  • Page 13 The following figure shows the warning label affixed to Radware platforms equipped with more than one power supply. Figure 7: Electrical Shock Hazard Warning Label SAFETY WARNING FOR SYSTEMS WITH TWO POWER SUPPLIES (IN CHINESE)
  • Page 14 FUSES Make sure that only fuses with the required rated current and of the specified type are used as replacements. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. Whenever it is practically certain that the protection offered by the fuses has been impaired, the instrument must be made inoperative...
  • Page 15 KCC Korea Figure 11: KCC—Korea Communications Commission Certificate for Broadcasting and Communication Equipment. Figure 12: Statement for Class A KCC-certified Equipment in Korean Translation of the Statement for Class A KCC-certified Equipment...
  • Page 16 This marking or statement includes the following text warning: WARNING RISK OF EXPLOSION IF THE BATTERY IS REPLACED BY AN INCORRECT MODEL. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. Caution - To Reduce the Risk of Electrical Shock and Fire 1.
  • Page 17 ...be performed by service personnel. To reduce the risk of fire and electric shock, the device must be disconnected from the power supply before the cover or panels are removed. The following figure shows the CAUTION label that is attached to Radware platforms with dual power supplies. Figure 13: Electrical Shock Hazard Warning Label SAFETY WARNING IN CHINESE FOR SYSTEMS WITH DUAL POWER SUPPLIES...
  • Page 18 HIGH VOLTAGE Any adjustment, maintenance and repair work on the opened device while it is under voltage must be avoided as far as possible. Where this is unavoidable, such work may only be carried out by qualified persons who are aware of the hazard.
  • Page 19 Figure 16: Statement for VCCI-certified Class B Equipment Translation of the Statement for VCCI-certified Class B Equipment: This is a Class B product according to the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI).
  • Page 20 INTERCONNECTION OF DEVICES Cables for connecting the device to RS232 and Ethernet must be UL-certified and of type DP-1 or DP-2. (Note: when located in a non-LPS circuit) OVERCURRENT PROTECTION A readily accessible, listed branch-circuit overcurrent protection device rated 15 A must be integrated into the building wiring for each power input.
  • Page 21: Altitude And Climate Warning

    Altitude and Climate Warning Note: This warning only applies to The People's Republic of China. For equipment operating under non-tropical climate conditions, Tma is the maximum ambient temperature permitted by the manufacturer's specification, or 25°C, whichever is greater. For equipment used at altitudes not exceeding 2000 m or in non-tropical climate regions, the additional warning requirements are as follows: For equipment used in regions at altitudes not exceeding 2000 m, a warning mark containing the following or similar wording, or the symbol in Annex DD, must be affixed in a readily visible location. "Use only at altitudes not exceeding 2000 m." For equipment used in non-tropical climate regions, a warning mark containing the following must be affixed in a readily visible location:...
  • Page 22: Document Conventions

    Document Conventions The following describes the conventions and symbols that this guide uses, with each description given in English, French, and German: Item: Example. Description: An example scenario (English, French, German). Item: (name truncated). Description: Possible damage to equipment, software, or...
  • Page 23: Table Of Contents

    Part 2—IP Routing; Part 3—Application Load Balancing Fundamentals; Part 4—Advanced Load Balancing; Appendices; Related Documentation; Chapter 2 – Accessing Alteon; Using the CLI; Using SNMP; SNMP v1.0; SNMP v3.0; Using the Browser-Based Interface; ...
  • Page 24 Table of Contents: RADIUS Authentication and Authorization; RADIUS Authentication Features; How RADIUS Authentication Works; Configuring RADIUS Authentication in Alteon; User Accounts; RADIUS Attributes for User Privileges; TACACS+ Authentication; ...
  • Page 25 Spanning Tree Implementations in Trunk Groups; Multiple Spanning Trees; Purpose of Multiple Spanning Trees; Four-Alteon Topology with a Single Spanning Tree; Four-Alteon Topology with Multiple Spanning Trees; Rapid Spanning Tree Protocol; Port State Changes; ...
  • Page 26 Defining IP Address Ranges for the Local Route Cache; Dynamic Host Configuration Protocol; DHCP Relay Agent; DHCP Relay Agent Configuration; Gratuitous ARP (GARP) Command; Static Routes; ...
  • Page 27 Host Routes for Load Balancing; Redistributing Routes into OSPF; OSPF Configuration Examples; Configuring OSPF for a Virtual Link on Alteon 1; Configuring OSPF for a Virtual Link on Alteon 2; Configuring Host Routes on Alteon 1; ...
  • Page 28 Maximum Connections for Real Servers; Unlimited Connections to Real Servers; Backup/Overflow Servers; Backup Only Server; Backup Preemption; Server Slow Start; Extending Server Load Balancing Topologies; ...
  • Page 29 Configuring FTP Server Load Balancing; TFTP Server Load Balancing; Requirements; Configuring TFTP Server Load Balancing; Lightweight Directory Access Server SLB; LDAP Operations and Server Types; ...
  • Page 30 Limitations for WLM Support; Chapter 14 – Offloading SSL Encryption and Authentication; SSL Offloading Implementation; SSL Policies; Certificate Repository; Certificate Types in the Certificate Repository; ...
  • Page 31 Dynamic NAT; FTP Client NAT; Overlapping NAT; SIP NAT and Gleaning Support; Matching TCP Flags; Matching ICMP Message Types; Multicast Filter Redirection; IPv6 Filtering; ...
  • Page 32 Switching Between System Modes; HA ID Management; What is an HA ID?; HA ID Settings; Modifying HA IDs; Chapter 17 – Application Redirection; Overview; ...
  • Page 33 WAP Gateway Health Checks; LDAP/LDAPS Health Checks; Windows Terminal Server Health Checks; ARP Health Checks; DHCP Health Checks; RTSP Health Checks; SIP Health Checks; ...
  • Page 34 What Happens When Alteon Fails; Viewing Statistics on Persistent Port Sessions; Service-Based Session Failover; Session Failover for Hot Standby Configurations; Operations During Session Mirroring on Reboot; ...
  • Page 35 Viewing DoS Statistics; Viewing DoS Statistics Per Port; Understanding the Types of DoS Attacks; DoS Attack Prevention Configuration; Preventing Other Types of DoS Attacks; Protocol-Based Rate Limiting; ...
  • Page 36 Chapter 24 – Virtual Private Network Load Balancing; Overview; How VPN Load Balancing Works; VPN Load-Balancing Persistence; VPN Load Balancing Configuration; Chapter 25 – Global Server Load Balancing; ...
  • Page 37 Classification Rules; Grouped Bandwidth Contracts; IP User Level Contracts for Individual Sessions; Policies; Bandwidth Policy Index; Bandwidth Queue Size; Time Policy; Enforcing Policies; ...
  • Page 38 Content Precedence Lookup; Requirements; Using the or / and Operators; Assigning Multiple Strings; String Case Insensitivity; Configurable HTTP Methods; Appendix B – Content-Intelligent Server Load Balancing Not Using Layer 7 Content Switching Rules; ...
  • Page 39: Chapter 1 - Preface

    (AlteonOS) software on the Alteon Application Switches. Throughout this guide, in most cases the AlteonOS and the Alteon platform are referred to as Alteon. For documentation on installation and initial configuration of Alteon, see the Radware Alteon Installation and Maintenance Guide.
  • Page 40: Part 4-Advanced Load Balancing

    AlteonOS that behaves in the same manner as a traditional standalone Alteon ADC, with the exception that while it is bound to a specific hardware resource, the amount of resources allocated to the vADC may vary based on the user’s or application's resource needs.
  • Page 41: Related Documentation

    Alteon Application Switch Operating System Release Notes • Radware Alteon Maintenance and Installation Guide • Alteon Application Switch Operating System Command Reference • Alteon Application Switch Operating System Browser-Based Interface (BBI) Quick Guide • Alteon Application Switch Operating System Troubleshooting Guide
  • Page 43: Chapter 2 - Accessing Alteon

    Chapter 2 – Accessing Alteon The AlteonOS lets you access, configure, and view information and statistics about Alteon. The following topics are discussed in this chapter: • Using the CLI, page 43 • Using SNMP, page 44 • Using the Browser-Based Interface, page 51 •...
  • Page 44: Using Snmp

    To access the SNMP agent, the read and write community strings on the SNMP manager should be configured to match those on Alteon. The default read community string on Alteon is set to public, and the default write community string is set to private.
  • Page 45 To configure an SNMP username >> # /cfg/sys/ssnmp/snmpv3/usm <x> User Configuration Configure users to use the authentication and privacy options. Alteon supports two authentication algorithms: MD5 and SHA. To configure authentication and privacy options This example procedure configures a user with the name test, authentication type MD5, authentication password test, privacy option DES, and with privacy password test.
  • Page 46 View-Based Configurations To configure an SNMP user equivalent to the user CLI access level /cfg/sys/ssnmp/snmpv3/usm 4 name "usr" /cfg/sys/ssnmp/snmpv3/access 3 name "usrgrp" rview "usr" wview "usr" nview "usr" /cfg/sys/ssnmp/snmpv3/group 4 uname usr...
  • Page 47 To configure an SNMP user equivalent to the oper CLI access level /cfg/sys/ssnmp/snmpv3/usm 5 name "slboper" /cfg/sys/ssnmp/snmpv3/access 4 name "slbopergrp" rview "slboper" wview "slboper" nview "slboper" /cfg/sys/ssnmp/snmpv3/group 4 uname slboper gname slbopergrp /cfg/sys/ssnmp/snmpv3/view 20 name "slboper"...
  • Page 48 Configuring SNMP Trap Hosts This section describes how to configure the following SNMP trap hosts: • SNMPv1 Trap Host, page 48 • SNMPv2 Trap Host, page 49 • SNMPv3 Trap Host, page 49...
  • Page 49 5. Specify the community string used in the traps using the community table. (Select the community table) >> # /cfg/sys/ssnmp/snmpv3/comm 10 >> SNMPv3 snmpCommunityTable 10 # index v1trap >> SNMPv3 snmpCommunityTable 10 # name public >>...
  • Page 50 2. Configure the user in the user table from the SNMPv3 usmUser 1 menu: >> /cfg/sys/ssnmp/snmpv3/usm <usmUser number: (1-16)> Note: It is not necessary to configure the community table for SNMPv3 traps because the community string is not used by SNMPv3.
  • Page 51: Using The Browser-Based Interface

    Using the Browser-Based Interface The Browser-Based Interface (BBI) is a Web-based management interface for interactive Alteon access through your Web browser. Configuring BBI Access via HTTP To enable BBI access on Alteon via HTTP...
  • Page 52: Generating A Certificate For Bbi Access Via Https

    ...Self-signed server certificate, certificate signing request and key added. You can save the certificate to flash for use if you reboot Alteon by using the apply and save commands. When a client (for example, a Web browser) connects to Alteon, the client is asked to accept the certificate and verify that the fields are what are expected.
  • Page 53: Setting Up The Management Port

    Running the ping, telnet, and traceroute commands Note: BOOTP is not supported over the management port. For more information on using the commands to perform these functions, see the Alteon Application Switch Operating System Command Reference. Setting Up the Management Port This section describes how to set up the management port.
  • Page 54: Limiting Management Access

    (Enable the management port) >> Management Port# ena Note: There are a maximum of four concurrent Telnet sessions over the management and data ports combined. 4. Configure the default port type for each management function.
  • Page 55: File Transfers

    Alteon to provide proper time offsets and to adjust for Daylight Savings Time. Example Set the Time Zone Set the time zone to Atlantic Time for an Alteon that is physically located in Atlantic Canada. 1. Access time zone configuration. >> Main# /cfg/sys/timezone 2.
  • Page 56 31) Montserrat 15) Cuba 32) Netherlands Antilles 49) Virgin Islands(US) 16) Dominica 33) Nicaragua 17) Dominican Republic 34) Panama Enter the number of your choice: 4. Select the time zone appropriate to the specific geographic location of Alteon.
  • Page 57: Network Time Protocol

    1. Access the NTP menu. You can configure an IPv4 or IPv6 address for the NTP server. >> Main# /cfg/sys/ntp 2. Set the IP address of the primary NTP server. This is the NTP server that Alteon would regularly synchronize with to adjust its time.
  • Page 58 Enter new NTP server address: 192.168.249.13 3. Set the IP address of the secondary NTP server. This is the NTP server that Alteon would synchronize with in instances where the primary server is not available. You can configure an IPv4 or IPv6 address for the NTP server.
  • Page 59: Chapter 3 - Securing Alteon

    Denial of Service (DoS) attacks can be targeted not only at real servers, but at any IP address that is owned by an Alteon. A DoS attack can potentially overwhelm Alteon resources. You can use the system-wide rlimit (rate limiting) command to prevent DoS attacks over Address Resolution Protocol (ARP), ICMP, TCP, and UDP traffic by setting the maximum rate at which packets can enter Alteon.
  • Page 60: Configuring Denial Of Service Protection

    Use the /stats/sp/maint command to view the number of dropped packets for each protocol that is configured for system-wide rate limiting. The information is available on a per-Alteon processor (SP) basis. Note: This is available only in the vADC Administrator environment.
  • Page 61: Setting Source Ip Address Ranges For Management

    Setting Source IP Address Ranges for Management To limit access to Alteon without having to configure filters for each Alteon port, you can set a source IP address or range that is allowed to connect to the Alteon IP interface through Telnet, SSH, SNMP, or the Browser-Based Interface (BBI).
  • Page 62: Radius Authentication And Authorization

    Time-out value: 1 to 10 seconds — Retries: 1 to 3 Alteon times out if it does not receive a response from the RADIUS server within 1 to 3 retries. Alteon also retries connecting to the RADIUS server before it declares the server down. •...
  • Page 63: How Radius Authentication Works

    Figure 1 - RADIUS Authentication Process, page 63 illustrates the RADIUS Authentication process. In the figure, Alteon acts as the RADIUS client, and communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and RFC 2866.
  • Page 64: User Accounts

    The User can view all Alteon status information and statistics but cannot make any configuration changes to Alteon. SLB Viewer (slbview) The SLB Viewer can view Alteon information and Server Load Balancing (SLB) statistics and information but cannot make any configuration changes to Alteon.
  • Page 65: Radius Attributes For User Privileges

    RADIUS Attributes for User Privileges When a user logs in, Alteon authenticates the user’s access level by sending the RADIUS access request (the client authentication request) to the RADIUS authentication server. If the remote user is successfully authenticated by the authentication server, Alteon verifies the privileges of the remote user and authorizes the appropriate access.
  • Page 66 Note: If a user cannot establish a connection to the RADIUS server, failover to the local backdoor users is not permitted. This is done to avoid a DoS attack on RADIUS or Alteon allowing access. Examples The following command enables backdoor access for user 9: >>...
  • Page 67: Tacacs+ Authentication

    TACACS+ Authentication Features Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log into Alteon or gain access to its services. Alteon supports ASCII inbound logins. The following are not supported: •...
  • Page 68: Authorization

    Authorization Authorization is the action of determining a user's privileges on Alteon, and usually takes place after authentication. The mapping between TACACS+ authorization levels and Alteon management access levels is described in...
  • Page 69: Accounting

    Accounting Accounting is the act of recording a user's activities on Alteon for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization actions are not performed through TACACS+, no TACACS+ accounting messages are sent out.
  • Page 70: Secure Shell And Secure Copy

    SCP is typically used to copy files securely from one computer to another. SCP uses SSH for encryption of data on the network. Alteon uses SCP to download and upload the Alteon configuration via secure channels.
  • Page 71: Configuring Ssh And Scp Features

    TFTP getcfg can also change the SSH and SCP configurations. When you enable SSH, SCP is also enabled. The Alteon SSH daemon uses TCP port 22 only and is not configurable. Before you can use SSH commands, you must turn on SSH and SCP.
  • Page 72: Configuring The Scp Administrator Password

    SCP. • putcfg—Used to upload the configuration from a remote host to Alteon. The diff command is executed at the end of putcfg to notify the remote client of the difference between the new and the current configurations.
  • Page 73: Using Ssh And Scp Client Commands

    192.168.249.13 as the IP address of a sample Alteon. Logging into Alteon The following is the syntax for logging into Alteon: ssh <Alteon IP address> or ssh -l <login-name> <Alteon IP address> Example Logging into Alteon >> # ssh 192.168.249.13 (Log into Alteon) >>...
  • Page 74: Ssh And Scp Encryption Of Management Messages

    To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify Alteon. The server key is 768 bits and is used to make it impossible to decipher a captured session by breaking into Alteon at a later time.
  • Page 75: Ssh/Scp Integration With Radius Authentication

    Alteon performs only one key/cipher generation session at a time. As a result, an SSH/SCP client cannot log in if Alteon is performing key generation at the same time, or if another client has just logged in. Also, key generation fails if an SSH/SCP client is logging in at the same time.
  • Page 76: End User Access Control

    If the two passwords are the same, the administrator using that password is not allowed to log in as an SSH user because Alteon recognizes him as the SCP-only administrator, and only allows the administrator access to SCP commands.
  • Page 77: Setting Up User Ids

    Setting up User IDs To set up a user ID You can configure up to 10 user IDs. For example: /cfg/sys/access/user/uid 1 Defining User Names and Passwords To define user names and passwords The following is an example for defining a user name and password: >>...
  • Page 78: Assigning One Or More Real Servers To The End User

    Assigning One or More Real Servers to the End User A single end user may be assigned up to 1023 real servers. Once assigned, the real server cannot be assigned to any other user.
  • Page 79: Enabling Or Disabling A User

    >> # /cfg/sys/access/user/uid <#> /dis Logging into an End User Account After you have configured and enabled an end-user account, the user can log into Alteon with a username and password combination. The CoS established for the end user account determines the level of access.
  • Page 80: Configuring A Deny Route

    In this example, IP addresses in the network 62.62.0.0 are under attack from an unknown source. You temporarily configure Alteon with a deny route so that any traffic destined to this network is dropped. In the meantime, the attack pattern and source can be detected.
  • Page 81: Chapter 4 - Vlans

    2048, each can be identified with any number between 1 and 4090. VLANs are defined on a per-port basis. Each port on Alteon can belong to one or more VLANs, and each VLAN can have any number of ports in its membership. Any port that belongs to multiple...
  • Page 82: Vlans And The Ip Interfaces

    You can access Alteon for remote configuration, trap messages, and other management functions only from stations on VLANs that include an IP interface to Alteon. For more information, see the IP Interface Menu section in the Alteon Application Switch Operating System Command Reference.
  • Page 83 These PCs are attached to a shared media hub that is then connected to Alteon. They belong to VLAN 2 and are logically in the same IP subnet as Server 2 and PC 5. Tagging is not enabled on their ports.
  • Page 84 Gigabit Ethernet links. Without VLANs, this configuration would create a broadcast loop. To prevent broadcast loops, port 25 is on VLAN 10 and port 26 is on VLAN 109. Both Alteon-to-Alteon links are on different VLANs and therefore are separated into their own broadcast domains.
  • Page 85: Vlans And Default Gateways

    VLANs and Default Gateways Alteon lets you assign different gateways for each VLAN. You can effectively map multiple customers to specific gateways on a single Alteon. The benefits of segregating customers to different default gateways are: •...
  • Page 86 Gateway 6, because 192.168.20.200 in the route cache is mapped to Gateway 5. If the requested route is not in the route cache, then Alteon reads the routing table. If the requested route is not in the routing table, then Alteon looks at the configured default Gateway.
  • Page 87: Configuring The Local Network

    VLAN 2 is forwarded to Gateway 5 and all traffic from VLAN 3 is forwarded to Gateway 6. Typically, Alteon routes traffic based on the routes in the routing table. The routing table contains an entry of the configured local network with the default gateway. The route cache will not contain the route entry.
  • Page 88 3. Configure the default gateways. Configure gateways 5 and 6 for VLANs 2 and 3, respectively. Configure default gateway 1 for load-balancing session requests and as backup when gateways 5 and 6 fail.
  • Page 89: Chapter 5 - Port Trunking

    89, you can create a virtual link between Alteons operating up to 4 gigabits per second, depending on how many physical ports are combined. Alteon supports up to 12 static trunk groups per Alteon, each with two to eight ports per group.
  • Page 90: Statistical Load Distribution

    Port Trunking Statistical Load Distribution Network traffic is statistically load balanced between the ports in a trunk group. Alteon uses both the Layer 2 MAC address and Layer 3 IP address information present in each transmitted frame for determining load distribution.
  • Page 91: Built-In Fault Tolerance

    In the following example, three ports are trunked between two Alteons: Figure 6: Static Port Trunking Example Prior to configuring each Alteon, you must connect to the appropriate CLI as the administrator. Note: For details about accessing and using any of the menu commands described in this example, see the Alteon Application Switch Operating System Command Reference.
  • Page 92 >> Trunk group 3# cur (Save for restore after reboot) >> Trunk group 3# save Trunk group 1 (on Alteon 1) is now connected to trunk group 3 (on Alteon 2). 7. Examine the trunking information on each Alteon. >> /info/l2/trunk Information about each port in each configured trunk group is displayed.
  • Page 93: Link Aggregation Control Protocol Trunking

    (LACP trunk group). Standby ports in LACP are created only when there are more than eight LACP ports configured in a trunk. Alteon assigns any non-trunked LACP-configured ports as standby ports for the LACP trunk. If any of the eight primary LACP ports fails, Alteon dynamically replaces it with the standby port.
  • Page 94: Configuring LACP

    When the system is initialized, all ports by default are in LACP off mode and are assigned unique admin keys. To make a group of ports eligible for aggregation, you assign all of them the same admin key.
  • Page 95 6. Save your new configuration changes. (Save for restore after reboot) >> LACP port 4# save
  • Page 97: Chapter 6 - Port Teaming

    High Availability, page 507. If an uplink connection fails, then Alteon notifies uplink routers and switches of the failure instead of waiting for the routers and switches to time out. This feature is also used to team ports or trunks so that when one port or trunk in the team is down, all others in the team are operationally disabled.
  • Page 98 In some cases when the ports and trunks are operationally enabled, some of the other ports or trunks in the team are not operational either because of a link going down, or because they were operationally disabled or were set as disabled.
  • Page 99: Chapter 7 - Spanning Tree Protocol

    (blocked) state. When multiple paths exist, STP configures the network so that an Alteon uses only the most efficient path. If that path fails, STP sets up another active path on the network to sustain network operations.
  • Page 100: Determining The Path For Forwarding BPDUs

    Spanning Tree Protocol The generic action of an Alteon on receiving a BPDU is to compare the received BPDU to its own BPDU that it transmits. If the received BPDU is better than its own BPDU, it will replace its BPDU with the received BPDU.
  • Page 101: Adding A VLAN To A Spanning Tree Group

    VLAN1 belongs to STG1. You add an untagged port, port 1, that does not belong to any STG to VLAN1, and port 1 becomes part of STG1. If you add untagged port 5 (which is a member to STG2) to STG1, Alteon prompts you to change the PVID from 2 to 1: "Port 5 is an UNTAGGED port and its current PVID is 2.
  • Page 102: Spanning Tree Implementations In Trunk Groups

    Before the 802.1S standard, MSTP was implemented through a variety of proprietary protocols such as Alteon MSTP and Cisco PVST+. Each one of these proprietary protocols had advantages and disadvantages but they were never interoperable. The 802.1S standard solves this by creating standards-based MSTP.
  • Page 103: Purpose Of Multiple Spanning Trees

    In a four-Alteon topology (see Figure 8 - Four-Alteon Topology with a Single Spanning Tree, page 104), and assuming Alteon A has a higher priority, you can have at least three loops on the network: • Data flowing from Alteons A to B to C and back to Alteon A.
  • Page 104: Four-Alteon Topology With Multiple Spanning Trees

    104, but with multiple spanning trees enabled. The VLANs are identified on each of the three shaded areas connecting the Alteons. The port numbers are shown next to each Alteon. The STG number for each VLAN is shown at each Alteon.
  • Page 105: Rapid Spanning Tree Protocol

    VLAN 2 Participation—Alteon A, the root bridge, generates another BPDU for STG2 and forwards it out from port 8. Alteon B receives this BPDU on its port 1. Port 1 on Alteon B is on VLAN 2, STG1. Because Alteon B has no additional ports participating in STG1, this BPDU is not forwarded to any additional ports and Alteon A remains the designated root.
  • Page 106: Port State Changes

    RSTP is compatible with devices that run 802.1d Spanning Tree Protocol. If Alteon detects 802.1d BPDUs, it responds with 802.1d-compatible data units. RSTP is not compatible with the Per VLAN Spanning Tree (PVST+) protocol.
  • Page 107: Multiple Spanning Tree Protocol

    Example RSTP Configuration 1. Create VLAN and add ports. Once ports have been readied for VLAN membership, VLAN 3 can be created and the ports added to the VLAN. >> Main# /cfg/l2/vlan 2 <If the VLAN was not already created, it would be created with this command.>...
  • Page 108: MSTP Region

    The Common Internal Spanning Tree (CIST) provides a common form of STP, with one spanning tree instance that can be used throughout the MSTP region. CIST allows Alteon to operate with legacy equipment, including devices that run IEEE 802.1d (STP).
  • Page 109 3. Set the mode to Multiple Spanning Tree, and configure MSTP region parameters. (Select Multiple Spanning Tree menu) >> Main# /cfg/l2/mrst (Set mode to Multiple Spanning Trees) >> Multiple Spanning Tree# mode mstp (Turn Multiple Spanning Trees on) >>...
  • Page 111: Chapter 8 - Basic IP Routing

    • Static Routes, page 119 IP Routing Benefits Alteon uses a combination of configurable IP interfaces and IP routing options. The IP routing capabilities provide the following benefits: • Connects the server IP subnets to the rest of the backbone network.
  • Page 112 This problem is solved by using Alteon with built-in IP routing capabilities. Cross-subnet LAN traffic can now be routed within Alteon with wire speed Layer 2 switching performance. This not only eases the load on the router but saves the network administrators from reconfiguring each and every end-station with new IP addresses.
  • Page 113: Subnet Routing Example

    Layer 2 switching. With Layer 3 IP routing in place, routing between different IP subnets can be accomplished entirely within Alteon. This leaves the routers free to handle inbound and outbound traffic for this group of subnets.
  • Page 114 Second Floor Client Workstations 131.15.15.2-254 Common Servers 206.30.15.2-254 2. Assign an IP interface for each subnet attached to Alteon. Since there are four IP subnets connected to Alteon, four IP interfaces are needed: Table 15: Subnet Routing Example: IP Interface Assignments Interface...
  • Page 115: Using VLANs To Segregate Broadcast Domains

    (Assign address for secondary router) >> Default gateway 2# addr 205.21.17.2 (Enable secondary default gateway) >> Default gateway 2# 5. Enable, apply, and verify the configuration. (Select the IP Forwarding Menu) >>...
  • Page 116 2. Add the ports to their respective VLANs. The VLANs are configured as follows: (Select VLAN 1) >> # /cfg/l2/vlan 1 (Add port for 1st floor to VLAN 1) >> VLAN 1#...
  • Page 117: Defining IP Address Ranges For The Local Route Cache

    /cfg/l3/frwd/local/add range of addresses that are cached on Alteon. The local network address is used to define the base IP address in the range that will be cached. The local network mask is applied to produce the range.
  • Page 118: DHCP Relay Agent Configuration

    When Alteon receives a UDP broadcast on port 67 from a DHCP client requesting an IP address, Alteon acts as a proxy for the client, replacing the client source IP (SIP) and destination IP (DIP) addresses. The request is then forwarded as a UDP Unicast MAC layer message to two BOOTP servers with configured IP addresses.
  • Page 119: Gratuitous ARP (GARP) Command

    OSPF. OSPF would not provide information about either network to its counterpart. In this situation, a static route should be used to provide connectivity. Alteon supports both IPv4 and IPv6 static routes through the Layer 3 Configuration menu. Up to 128 IPv4 and 128 IPv6 static routes are supported.
  • Page 120: IPv6 Static Routes

    To remove an IPv4 static route >> Main#/cfg/l3/route/ip4/rem <destination> <mask> The IPv4 static routes that are currently part of the configuration can be displayed using the /cfg/l3/route/ip4/cur command. IPv6 Static Routes IPv6 static routes support static connectivity to an IPv6 network.
  • Page 121: Chapter 9 - Routing Information Protocol

    One hop is considered to be the distance from one Alteon to the next, which is typically 1. This cost or hop count is known as the metric. When Alteon receives a routing update that contains a new or changed destination network entry, it adds 1 to the metric value indicated in the update and enters the network in the routing table.
  • Page 122: RIP Versions

    RIP Version 2 in RIP Version 1 Compatibility Mode Alteon allows for RIP version 2 (RIPv2) configuration and RIP version 1 (RIPv1) compatibility mode to use both RIPv2 and RIPv1 routers within a network. In this mode, the regular routing updates use broadcast UDP data packets to allow RIPv1 routers to receive those packets.
  • Page 123: RIP Features

    That is the most common configuration used in RIP network topology. Split horizon with poisoned reverse includes such routes in updates, but sets their metrics to 16. The disadvantage of using this feature is the increase of size in the routing updates. Therefore, Radware recommends disabling split horizon with poisoned reverse.
  • Page 124: RIP Configuration Example

    For maximum security, RIPv1 messages are ignored when authentication is enabled. If not, the routing information from authenticated messages is propagated by RIPv1 routers in an unauthenticated manner. RIP Configuration Example...
  • Page 125: Chapter 10 - Border Gateway Protocol

    BGP is defined in RFC 1771. Alteon can advertise its IP interfaces and virtual server IP addresses using BGP and take BGP feeds from as many as 16 BGP router peers. This allows more resilience and flexibility in balancing traffic from the Internet.
  • Page 126: Forming BGP Peer Routers

    IP space represented in the route being advertised. For example, if Alteon advertises 192.204.4.0/24, it is declaring that if another router sends it data destined for any address in 192.204.4.0/24, Alteon knows how to carry that data to its destination.
  • Page 127: Incoming And Outgoing Route Maps

    BGP Failover Configuration, page 131. Alteon lets you configure up to 32 route maps. Each route map can have up to eight access lists. Each access list consists of a network filter. A network filter defines an IP address and subnet mask of the network that you want to include in the filter.
  • Page 128: Precedence

    Precedence You can set a priority to a route map by specifying a precedence value with the following command: (Specify a precedence) >> /cfg/l3/rmap <x> /pre The lower the value, the higher the precedence. If two route maps have the same precedence value, the lower number has higher precedence.
  • Page 129: Aggregating Routes

    4. Set up the BGP attributes. If you want to overwrite the attributes that the peer router is sending, define the following BGP attributes: — Specify the AS numbers that you want to prepend to a matched route and the local preference for the matched route.
  • Page 130: Redistributing Routes

    In addition to running multiple routing protocols simultaneously, Alteon can redistribute information from one routing protocol to another. For example, you can instruct Alteon to use BGP to readvertise static routes. This applies to all of the IP-based routing protocols.
  • Page 131: Selecting Route Paths In BGP

    Figure 15 - Example BGP Failover Configuration, page 132, Alteon is connected to ISP 1 and ISP 2. The customer negotiates with both ISPs to allow Alteon to use the ISPs’ peer routers as default gateways. The ISP peer routers announce themselves as default gateways to Alteon.
  • Page 132 On Alteon, one peer router (the secondary one) is configured with a longer AS path than the other, so that the peer with the shorter AS path will be seen by Alteon as the primary default gateway. ISP 2, the secondary peer, is configured with a metric of 3, appearing to Alteon to be three router hops away.
  • Page 133 4. IP forwarding is enabled by default and is used for VLAN-to-VLAN (non-BGP) routing. Make sure IP forwarding is enabled if the default gateways are on different subnets or if Alteon is connected to different subnets and those subnets need to communicate through Alteon.
  • Page 134: Default Redistribution And Route Aggregation Example

    The metric command in the Peer menu causes Alteon to create an AS path of 3 when advertising via BGP. 7. Apply and save your configuration changes. (Make your changes active) >>...
  • Page 135 3. Configure internal peer router 1 and external peer router 2. (Select internal peer router 1) >> # /cfg/l3/bgp/peer 1 (Enable this peer configuration) >> BGP Peer 1# ena (Set IP address for peer router 1) >>...
  • Page 137: Chapter 11 - Open Shortest Path First (OSPF)

    Chapter 11 – Open Shortest Path First (OSPF) Alteon supports versions 2 and 3 of the Open Shortest Path First (OSPF) routing protocol. The Alteon OSPF version 2 implementation conforms to the specifications detailed in Internet RFC 1583. The Alteon OSPF version 3 implementation conforms to the specifications detailed in Internet RFC 2740.
  • Page 138: Equal Cost Multipath Routing Support

    Internal versus External Routing, page 140 Equal Cost Multipath Routing Support Alteon supports equal-cost multipath (ECMP), which is a routing technique for routing packets along multiple paths of equal cost. The routing table contains multiple next hops for any given destination.
  • Page 139: Types Of OSPF Routing Devices

    Types of OSPF Routing Devices As shown in Figure 18 - OSPF Routing Device Types, page 139, OSPF uses the following types of routing devices: • Internal Router (IR)—A router that has all of its interfaces within the same area. IRs maintain LSDBs identical to those of other routing devices within the local area.
  • Page 140: The Link-State Database

    Note: The Alteon IPv6 component runs OSPFv3 adjacency per VLAN and not per Layer 3 interface. This is because OSPFv3 requires a link local address, which is available with a VLAN, but not with a Layer 3 interface.
  • Page 141: OSPF Implementation

    Virtual Links, page 145). Up to three OSPF areas can be connected to Alteon. To configure an area, the OSPF number must be defined and then attached to a network interface on Alteon. The full process is explained in this section.
  • Page 142 (Use index 0 to set area 0 in ID octet format) /cfg/l3/ospf/aindex 0/areaid 0.0.0.0 (Use index 1 to set area 1 in ID octet format) /cfg/l3/ospf/aindex 1/areaid 0.0.0.1 •...
  • Page 143: Interface Cost

    Each Alteon acting as an ABR inserts a default route into each attached area. In simple OSPF stub areas or NSSAs with only one ABR leading upstream (see Area 1 in...
  • Page 144 Figure 19: Default Routes Example In more complex OSPF areas with multiple ABRs or ASBRs (such as area 0 and area 2 in Figure 19 - Default Routes Example, page 144), there are multiple routes leading from the area.
  • Page 145: Virtual Links

    ID is the IP address of the virtual neighbor (nbr), the routing device at the target end-point. Another router ID is needed when configuring a virtual link in the other direction. To provide Alteon with a router ID, see Router ID, page 145.
  • Page 146: Authentication

    This ensures less processing on routing devices that are not listening to OSPF packets. OSPF allows packet authentication and uses IP multicast when sending and receiving packets. Routers participate in routing domains based on predefined passwords. Alteon supports simple password (type 1 plain text passwords) and MD5 cryptographic authentication for OSPF version 2.
  • Page 147 >> OSPF Interface 1 # /cfg/l3/ospf/if 3 >> OSPF Interface 3 # mdkey 1 4. Enable OSPF MD5 authentication for Area 2 on Alteon 4. >> # /cfg/l3/ospf/aindex 2/autn md5 5. Configure MD5 key for the virtual link between Area 2 and Area 0 on Alteons 2 and 4.
  • Page 148: Host Routes For Load Balancing

    Exporting all routes of the protocol except a few selected routes Each of these methods is discussed in detail in the following sections. Note: Alteon does not redistribute Layer 3 interface IPv6 addresses when the address has a prefix length of 128.
  • Page 149 Exporting All Routes Use the following command to redistribute all routes of a protocol: >> /cfg/l3/ospf/redist <protocol name> /export <metric> <metric type> • metric sets the OSPF cost for the route •...
  • Page 150: OSPF Configuration Examples

    Each of the configuration examples in this section is constructed using the following basic steps: 1. Configure IP interfaces—One IP interface is required for each desired network (range of IP addresses) being assigned to an OSPF area on Alteon. 2. Optionally configure the router ID—The router ID is required only when configuring virtual links on Alteon.
  • Page 151 6. Optionally configure route summarization between OSPF areas. 7. Optionally configure virtual links. 8. Optionally configure host routes. Example 1: Simple OSPF Domain In this example, two OSPF areas are defined: the backbone and the stub area. A stub area does not allow advertisements of external routes, thus reducing the size of the database.
  • Page 152 (Select menu for area index 0) >> Open Shortest Path First # aindex 0 (Set the ID for backbone area 0) >> Open Area (index) 0 # areaid 0.0.0.0 (Define backbone as transit type) >>...
  • Page 153: Configuring OSPF For A Virtual Link On Alteon 1

    2. Configure the router ID. A router ID is required when configuring virtual links. Later, when configuring the other end of the virtual link on Alteon 2, the router ID specified here is used as the target virtual neighbor (nbr) address.
  • Page 154: Configuring OSPF For A Virtual Link On Alteon 2

    Configuring OSPF for a Virtual Link on Alteon 2 1. Configure IP interfaces on each network that is attached to OSPF areas. Two IP interfaces are needed on Alteon 2: the transit area network on 10.10.12.0/24, and the stub area network on 10.10.24.0/24.
  • Page 155 (Set IP mask on stub area network) >> IP Interface 2 # mask 255.255.255.0 (Enable IP interface 2) >> IP Interface 2 # enable 2. Configure the router ID. A router ID is required when configuring virtual links. This router ID...
  • Page 156 (Specify a virtual link number) >> OSPF Interface 2 # /cfg/l3/ospf/virt 1 (Specify the transit area for the virtual link) >> OSPF Virtual Link 1 # aindex 1 (Specify the router ID of the recipient) >>...
  • Page 157 Figure 23: Summarizing Routes Example Note: You can specify a range of addresses to prevent advertising by using the hide option. In this example, routes in the range 36.128.200.0 through 36.128.200.255 are kept private.
  • Page 158 IP addresses: 10.10.10.1 and 10.10.10.2. Alteon 1 is given a host route with a low cost for virtual server 10.10.10.1, and another host route with a high cost for virtual server 10.10.10.2. Alteon 2 is configured with the same hosts but with the costs reversed;...
  • Page 159: Configuring Host Routes On Alteon 1

    Traffic for 10.10.10.1 goes to Alteon 1 because its host route has the lowest cost for that address. Traffic for 10.10.10.2 goes to Alteon 2 because its host route has the lowest cost. This effectively shares the load among ABRs.
  • Page 160 >> Virtual server 1 http service # group 1 6. Configure the backup virtual server. Alteon 1 acts as a backup for virtual server 10.10.10.2. Both virtual servers in this example are configured with the same real server group and provide identical services.
  • Page 161 >> OSPF Interface 2 # enable 1 12. Configure host routes. One host route is needed for each virtual server on Alteon 1. Since virtual server 10.10.10.1 is preferred for Alteon 1, its host route has a low cost. Because virtual server 10.10.10.2 is used as a backup in case Alteon 2 fails, its host route has a high cost.
  • Page 162: Configuring Host Routes On Alteon 2

    >> OSPF Host Entry 2 # save Configuring Host Routes on Alteon 2 1. Configure basic SLB parameters. Alteon 2 is connected to two real servers. Each real server is given an IP address and is placed in the same real server group.
  • Page 163 (Select menu for service on virtual server) >> Virtual server 1 # service http (Use real server group 1 for http >> Virtual server 1 http service # group 1...
  • Page 164: Verifying OSPF Configuration

    Since virtual server 10.10.10.2 is preferred for Alteon 2, its host route has been given a low cost. Because virtual server 10.10.10.1 is used as a backup in case Alteon 1 fails, its host route has been given a high cost.
  • Page 165: Chapter 12 - Server Load Balancing

    Chapter 12 – Server Load Balancing Server Load Balancing (SLB) lets you configure Alteon to balance user session traffic among a pool of available servers that provide shared services. This chapter includes the following sections: • Understanding Server Load Balancing, page 165—Discusses the benefits of SLB and its...
  • Page 166: How Server Load Balancing Works

    Ironically, overuse of key servers often happens in networks where other servers are actually available. The solution to getting the most from your servers is SLB. With this software feature, Alteon is aware of the services provided by each server. Alteon can direct user session traffic to an appropriate server, based on a variety of load-balancing algorithms.
  • Page 167: Implementing Server Load Balancing

    IP address (or range of addresses) for each collection of services it distributes. Depending on your Alteon platform, there can be as many as 1023 virtual servers on Alteon, each distributing up to eight different services.
  • Page 168: Basic Server Load Balancing Topology

    • Backup/Overflow Servers, page 186 • Backup Only Server, page 187 • Backup Preemption, page 188 • Server Slow Start, page 188 Basic Server Load Balancing Topology Consider a situation where customer Web sites are hosted by a popular Web hosting company and/or Internet Service Provider (ISP).
  • Page 169: Network Topology Requirements

    All of these issues can be addressed by adding an Alteon with SLB software, as shown in Figure 27 - Web Hosting with SLB Solutions, page 169: Figure 27: Web Hosting with SLB Solutions SLB accomplishes the following: •...
  • Page 170 180). • Clients and servers can be connected through the same Alteon port. Each port in use can be configured to process client requests, server traffic, or both. You can enable or disable processing on a port independently for each type of Layer 4 traffic: —...
  • Page 171: Server Load Balancing Configuration Basics

    Figure 29: Example Network for Client/Server Port Configuration Alteon load balances traffic to a Web server pool and to a Domain Name System (DNS) server pool. The port connected to the Web server pool (port 11) is instructed to perform both server and client processing.
  • Page 172 5. Define a virtual server. All client requests are addressed to a virtual server IP address on a virtual server defined on Alteon. Clients acquire the virtual server IP address through normal DNS resolution. In this example, HTTP is configured as the only service running on this virtual server, and this service is associated with the real server group.
  • Page 173 6. Define the port settings. In this example, the following ports are being used on Alteon: Table 19: Web Host Example: Port Usage Port Host L4 Processing Server A serves SLB requests.
  • Page 174: Physical And Logical Real Server Modes

    Physical and Logical Real Server Modes Alteon supports multiple real servers having the same IP address. To do this, you can define numerous "physical" or "logical" real servers, all with the same IP address associated with the same real, physical server.
  • Page 175: Supported Services And Applications

    Alteon. Using the /cfg/slb/virt <virtual server number>/service option, the following TCP/UDP applications can be specified: Note: The service number specified on Alteon must match the service specified on the server. Table 20: Well-Known Application Ports Number TCP/UDP Number...
  • Page 176: Disabling And Enabling Real Servers

    Health Checks for Real Servers Determining the health for each real server is a basic function for SLB. By default, Alteon checks the health of a real server using ICMP. Once servers are attached to groups which, in turn, are attached to services, Alteon checks the availability of the services running on the server using the health checks configured for the group.
  • Page 177: Multiple Services Per Real Server

    Buddy Server Health Checks Alteon enables the administrator to tie the health of a real server to another real server. This real server can be in the same real server group, but also can be in a separate group. In this configuration, a real server is only considered healthy if the buddy it is associated with is also healthy.
  • Page 178 Figure 30: Example Buddy Server Health Check Configuration To add a real server as a buddy server for another real server >> Main# /cfg/slb/real <real server number> /adv/buddyhc/addbd <real server number>...
  • Page 179 To view the current buddy server settings for a real server >> Main# /cfg/slb/real <real server number> /adv/buddyhc/cur To configure buddy server health checking 1. Configure an interface. >>Main# /cfg/l3/if 1/addr 10.1.11.1/mask 255.255.255.0/ena 2.
  • Page 180: Metrics For Real Server Groups

    >> Main # /cfg/slb/virt 1/vip 120.10.10.10/ena >> Main # /cfg/slb/virt 1/service http >> Main # /cfg/slb/virt 1/service http/group 1 >> Main # /cfg/slb/virt 2/vip 120.10.10.11/ena >> Main # /cfg/slb/virt 2/service http >>...
  • Page 181 The minmisses metric is optimized for cache redirection. It uses IP address information in the client request to select a server. When selecting a server, Alteon calculates a value for each available real server based on the relevant IP address information. The server with the highest value is assigned the connection.
  • Page 182 The svcleast (least connections per service) metric is an extension of the leastconns metric. When using this metric, Alteon selects the real server based only on the number of active connections for the service which is load balanced, and not the total number of connections active on the server. For...
  • Page 183: Group Availability Threshold

    The bandwidth metric uses real server octet counts to assign sessions to a server. Alteon monitors the number of octets sent between the server and Alteon. The real server weights are then adjusted so they are inversely proportional to the number of octets that the real server processes during the last interval.
  • Page 184: Weights For Real Servers

    Readjusting Server Weights Based on SNMP Health Check Response Alteon can be configured to dynamically change weights of real servers based on a health check response using the Simple Network Management Protocol (SNMP). To enable dynamic assignment of weights based on the response to an SNMP health check, enter the following commands: >>...
  • Page 185: Maximum Connections For Real Servers

    When a server reaches its maxcon limit, Alteon no longer sends new connections to the server. When the server drops back below the maxcon limit, new sessions are again allowed.
  • Page 186: Unlimited Connections To Real Servers

    This feature allows for an unlimited number of connections to be allocated to traffic accessing a real server. Alteon allows for a range of 0 to 200000 connections per real server. A maxcon value of 0 allows the specified real server to handle up to its (or Alteon’s) maximum number of connections.
  • Page 187: Backup Only Server

    (Select Real Server group) >> # /cfg/slb/group <real server group number> (Assign Real Server 4 as backup) >> Real server group# backup r4 Example Real server groups using another real server group for...
  • Page 188: Backup Preemption

    When preempt is disabled, the backup server continues processing requests sent by Alteon even if the primary server becomes active. During this process, the primary server is operationally disabled and becomes active only if the backup server goes down.
  • Page 189: Extending Server Load Balancing Topologies

    For standard SLB, all client-to-server requests to a particular virtual server and all related server-to-client responses must pass through the same Alteon. In complex network topologies, routers and other devices can create alternate paths around Alteon managing SLB functions. Under such conditions, the Alteon provides the following solutions: •...
  • Page 190: Client Network Address Translation (Proxy Ip)

    NAT mechanism must modify higher-level information such as TCP or UDP ports in outgoing communications. Alteon uses the many-to-one NAT mechanism to translate client IP address and port information. Client NAT can serve several purposes, including: •...
  • Page 191 Use an egress port or a VLAN-based proxy IP address for Web Cache Redirection (WCR) filtering. You can configure up to 1024 port or VLAN-based proxy IP addresses (IPv4 or IPv6) per Alteon, and up to 32 per single port or VLAN interface.
  • Page 192 For a virtual service, you can configure an IPv4 and/or an IPv6 proxy IP address (both could be needed in a mixed IPv4/IPv6 environment). You can configure up to 1024 IPv4 subnets, and up to 1024 IPv6 addresses per Alteon, as specific proxy IP addresses or as part of proxy IP network class.
  • Page 193 For a virtual service, you can configure an IPv4 and/or an IPv6 network class (both could be needed in a mixed IPv4/IPv6 environment). You can configure up to 1024 IPv4 subnets, and up to 1024 IPv6 addresses per Alteon, as specific proxy IP addresses or as part of proxy IP network class.
  • Page 194: Mapping Ports

    Traffic Manipulation. Mapping Ports For security, Alteon lets you hide the identity of a port by mapping a virtual server port to a different real server port. This section includes the following topics: • Mapping a Virtual Server Port to a Real Server Port, page 195 •...
  • Page 195 Layer 4 and Layer 7 and in cookie-based and SSL persistence switching environments. When multiple real ports on each real server are mapped to a virtual port, Alteon treats the real server IP address/port mapping combination as a distinct real server.
  • Page 196 Alteon uses the roundrobin metric to choose a real port to receive the incoming connection. If the algorithm is leastconns, Alteon sends the incoming connections to the logical real server (real server IP address/port combination) with the least number of connections.
  • Page 197: Direct Server Return

    DSR and content-intelligent Layer 7 load balancing cannot be performed at the same time because content-intelligent load balancing requires that all frames go back to Alteon for connection splicing. Document ID: RDWR-ALOS-V2900_AG1302...
  • Page 198: One Arm Topology Application

    MAC address of the client. You can substitute the client source MAC address for the packets going to the server with the Alteon MAC address using source MAC address substitution.
  • Page 199 However, the packets fail to reach the client because both Alteon and the Layer 2 switch are located on the same broadcast domain. This results in Alteon forwarding packets from the client on a different port on the Layer 2 switch, with the MAC address acting like a floating address, meaning that first the Layer 2 switch reads the client MAC address on the client's physical port, and then it reads it on the Alteon physical port.
  • Page 200: Direct Access Mode

    Blocking Direct Access Mode on Selected Services, page 201 • Direct Access Mode Limitations, page 201 Configuring Global Direct Access Mode To configure Direct Access Mode globally on Alteon >> Main# /cfg/slb/adv/direct e Current Direct Access Mode: disabled New Direct Access Mode: enabled...
  • Page 201 IP address is configured, or URL parsing is enabled on any port. Blocking Direct Access Mode on Selected Services When Direct Access Mode (DAM) is enabled globally on Alteon, it can also be disabled on selected virtual servers and virtual services.
  • Page 202: Assigning Multiple Ip Addresses

    If Alteon is configured with proxy IP addresses and the client port is enabled for proxy, the client can access each real server directly using the real server's IP address. To directly access a real server, the port connected to the real server must have server processing disabled.
  • Page 203: Delayed Binding

    The delayed binding feature protects servers against SYN denial-of-service (DoS) attacks. A DoS condition occurs when the server or Alteon cannot service legitimate clients because it is saturated with invalid traffic. Typically, a three-way handshake occurs before a client connects to a server. The client sends out a synchronization (SYN) request to the server.
  • Page 204 Using delayed binding, Alteon intercepts the client SYN request before it reaches the server. Alteon responds to the client with a SYN ACK that contains embedded client information. Alteon does not allocate a session until a valid ACK is received from the client, that is, until the three-way handshake is complete.
  • Page 205 Figure 36: Normal Request with Delayed Binding After Alteon receives a valid ACK or DATA REQ from the client, Alteon sends a SYN request to the server on behalf of the client, waits for the server to respond with a SYN ACK, and then forwards the clients DATA REQ to the server.
  • Page 206 /stat/slb/layer7/maint To detect SYN attacks, Alteon keeps track of the number of new half-open sessions for a set period. If the value exceeds the threshold, then a syslog message and an SNMP trap are generated. You can change the default parameters for detecting SYN attacks in the /cfg/slb/adv/synatk menu.
  • Page 207: Ip Address Ranges Using Imask

    (which is performed when the delayed binding mode is set to enabled), function as a full TCP proxy, reorder TCP packets, and so on. The Application Service Engine can work in both Alteon delayed binding modes. In enabled delayed binding mode, the Application Service Engine only provides SYN attack protection. In force proxy mode, it only provides TCP optimizations.
  • Page 208: Ipv6 And Server Load Balancing

    IPv6 real servers. Real server groups can contain mixed IPv4 and IPv6 servers. When the IP version of the server is different from the IP version of the client, Alteon converts the client packet to a packet of the server IP version before it is forwarded to the server. In this environment, Alteon supports •...
  • Page 209: Ipv6 To Ipv4 Server Load Balancing

    PIP addresses can be in either IPv4 or IPv6 format. Ports and VLANs can be assigned either one type or both. The appropriate PIP is used in load-balancing operations based on the IP version of the incoming packet.
  • Page 210 2. Configure VLAN for Interface 3. >> Main# /cfg/l2/vlan 3 >> VLAN 3# ena >> VLAN 3# add 13 Port 13 is an UNTAGGED port and its current PVID is 1.
  • Page 211 8. Configure real servers and a real server group. >> Main# /cfg/slb/real 1 >> Real Server 1# ena >> Real Server 1# rip 30.1.1.13 >> Main# /cfg/slb/real 2 >> Real Server 2# ena >>...
  • Page 212: Ipv6 To Ipv6 Server Load Balancing

    IPv6 to IPv6 Server Load Balancing. Figure 38 - IPv6 to IPv6 Layer 4 SLB Example, page 212 illustrates SLB between IPv6 clients and IPv6 servers: Figure 38: IPv6 to IPv6 Layer 4 SLB Example...
  • Page 213 2. Globally enable load balancing. >> Main# /cfg/slb >> Layer 4# on 3. Configure the IPv6 real servers. >> Main# /cfg/slb/real 1 >> Real Server 1# ena >> Real Server 1# ipver v6 >>...
  • Page 214: Ipv6 Layer 4 Slb Information

    481. Source Network-Based Server Load Balancing Alteon lets you provide differentiated services for specific client groups, including different types of services, different levels of service, and different service access rights. This can be achieved by adding source IP classification to a virtual server or filter using network classes.
  • Page 215 Alteon Application Switch Operating System Application Guide Server Load Balancing To configure a network class 1. Access the Network Class menu. >> # /cfg/slb/nwclss 2. At the prompt, enter the network class ID you want to configure. The Network Class menu displays.
  • Page 216: Configuring Source Network-Based Server Load Balancing

    • Regular application delivery for internal service customers. To configure source network-based SLB 1. Before you can configure SLB string-based load balancing, ensure that Alteon is configured for basic SLB with the following tasks: — Assign an IP address to each of the real servers in the server pool.
  • Page 217: Http/Https Server Load Balancing

    HTTPS uses port 443 by default, but it can also be configured on other, non-standard ports. Alteon enables you to load balance HTTP/HTTPS traffic. Note: For a list of well-known ports identified by Alteon, see Supported Services and Applications, page 175.
  • Page 218: Implementing Http/Https Server Load Balancing

    To configure HTTP or HTTPS on a non-standard port Use the same command with the requested port number. Alteon prompts you for the application for which you want to use this port (assuming it is not the well-known port of another application).
  • Page 219: Content-Intelligent Server Load Balancing

    These rules consist of a protocol-specific matching content class and an action, and are evaluated in priority order based on their ID number. When a rule matches, Alteon performs the defined action and stops searching for further matches. If no rule matches, Alteon performs the default service action configured at the service level itself.
  • Page 220 Alteon supports both HTTP1.0 and HTTP1.1 for Layer7 content switching. Note: Alteon performs HTTP Layer 7 content switching before applying any modifications and is based on the original requests. The following sample use cases illustrate the feature range of Layer 7 content switching: •...
  • Page 221 Alteon Application Switch Operating System Application Guide Server Load Balancing To configure URL-based SLB 1. Before you can configure SLB string-based load balancing, ensure that Alteon is configured for basic SLB with the following tasks: — Assign an IP address to each of the real servers in the server pool.
  • Page 222 Alteon Application Switch Operating System Application Guide Server Load Balancing 2. Define the HTTP classes to be used for URL load balancing. do the following: — For an HTTP class to match a path that includes "cgi", >> Server Load balance Resource# /cfg/slb/layer7/slb >>...
  • Page 223 Alteon Application Switch Operating System Application Guide Server Load Balancing — The following rule defines matching the "cgi" class and redirecting traffic to the group of Real Servers 1 and 2 for load balancing: >> HTTP Load Balancing# /cfg/slb/virt 10/service http...
  • Page 224 Real Servers 3 and 4. Tip: Because the content switching rule ID serves as rule matching priority, Radware recommends that you leave a gap between rule numbers that you create so you can easily place future rules within the current hierarchy. For example, create rules 1, 5, and 10 in the event that new rule 3 should be placed between rules 1 and 5, or new rule 7 should be placed between rules 5 and 10.
  • Page 225 Alteon Application Switch Operating System Application Guide Server Load Balancing — The following rule defines matching the "secure" class and redirecting traffic to a secure site: >> Virtual Server 10 80 http Service# /cfg/slb/virt/service >> Virtual Server 10 80 http Service# cntrules...
  • Page 226 Server Load Balancing Virtual Hosting Alteon enables individuals and companies to have a presence on the Internet in the form of a dedicated Web site address. For example, you can have a "www.site-a.com" and "www.site-b.com" instead of "www.hostsite.com/site-a" and "www.hostsite.com/site-b."...
  • Page 227 Based on one or more of these criteria you can load balance requests to different server groups. To configure cookie-based preferential load balancing 1. Before you can configure header-based load balancing, ensure that Alteon is configured for basic SLB with the following tasks: —...
  • Page 228 Alteon Application Switch Operating System Application Guide Server Load Balancing For example, to configure the cookie name session-id with the value gold: >> Main# /cfg/slb/layer7/slb/cntclss/ Enter Class id: cookie-gold ------------------------------------------------------------ [HTTP Content Class cookie-gold Menu] name - Set the Descriptive HTTP content class name...
  • Page 229 Alteon Application Switch Operating System Application Guide Server Load Balancing 5. Define Layer 7 content switching rules in the HTTP virtual service to match each cookie value and redirect to the respective server group: >> Main# /cfg/slb/virt 10/service http ------------------------------------------------------------...
  • Page 230 Alteon Application Switch Operating System Application Guide Server Load Balancing >> HTTP Content Rule 10# group Current real server group: 1 Enter new real server group [1-1024]: 10 6. Because a session cookie does not exist in the first request of an HTTP session, a default server group is needed to assign cookies to a None cookie HTTP request.
  • Page 231 This procedure is based on Example Browser-Smart Load Balancing, page 231. 1. Before you can configure browser-based load balancing, ensure that Alteon is configured for basic SLB with the following tasks: — Assign an IP address to each of the real servers in the server pool.
  • Page 232 Alteon Application Switch Operating System Application Guide Server Load Balancing >> Main# /cfg/slb/layer7/slb/cntclss/ Enter Class id: desktop-browsers ------------------------------------------------------------ [HTTP Content Class desktop-browsers Menu] name - Set the Descriptive HTTP content class name hostname - URL Hostname lookup Menu path - URL Path lookup Menu...
  • Page 233 Alteon Application Switch Operating System Application Guide Server Load Balancing Regular expressions (regex) can be used to match multiple browser user agents with a single value. Additional desktop or laptop browser user agents can be added to this class. 3. Configure Class2 to match mobile browsers user-agent header values using the same procedure...
  • Page 234 </soap:Body> </soap:Envelope> In this message, Alteon performs content switching based on a tag attribute such as the tag GetStockPrice with the attribute StockEx, which has the value NASDAQ. Alternatively, Alteon can perform content switching based on a tag value like the tag StockName with the value IBM.
  • Page 235 Alteon Application Switch Operating System Application Guide Server Load Balancing 2. Configure the Layer 7 content classes to match the XML tags values you need to load balance by. For example, configuring the XML tag StockName from Example XML/SOAP-Based Message,...
  • Page 236 By configuring hash or minmisses as the metric, Alteon uses the number of bytes in the URI to calculate the hash key. If the host field exists and Alteon is configured to look into the Host: header, Alteon uses the Host: header field to calculate the hash key.
  • Page 237: Content-Intelligent Application Services

    Replacing Free Text in Server Responses, page 243 Sending Original Client IPs to Servers Alteon can insert an X-Forwarded-For header into client HTTP requests in order to preserve the original client IP address. This feature is useful in proxy mode, where the client source IP address is replaced with the proxy IP address. Because any client can send an X-Forwarded-For header of its own, back-end servers should trust the value only on connections that arrive from the proxy.
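    The X-Forwarded-For handling above has a trap on the server side: the header is plain text that any client can send. The following Python is an added example (not Alteon code) of both halves: what the proxy does when it appends the client address, and what a back-end application should do to recover it without trusting forged values. The trusted range 10.0.0.0/24, standing in for the Alteon proxy IP addresses, and the append-rather-than-overwrite behavior are assumptions made for the example.

```python
"""Trusting X-Forwarded-For only from the proxy that inserted it (added example)."""
import ipaddress

# Assumption: the proxy IP (PIP) addresses the load balancer uses toward the servers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def proxy_add_xff(headers, client_ip):
    """Proxy side: record the real client address in X-Forwarded-For.

    Appending (rather than overwriting) is assumed here; it keeps any upstream
    chain visible so the server can still decide how much of it to believe.
    """
    headers = dict(headers)
    existing = headers.get("X-Forwarded-For")
    headers["X-Forwarded-For"] = f"{existing}, {client_ip}" if existing else client_ip
    return headers


def server_client_ip(peer_ip, headers):
    """Server side: recover the client address defensively.

    Returns (address, from_header). The chain is walked right to left, skipping
    our own proxies; the first non-proxy hop is the client. Anything left of it
    was supplied by an untrusted party and may be forged. If the TCP peer is not
    one of our proxies at all, the header is ignored completely.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_proxy(peer):
        return str(peer), False
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break   # malformed entry: do not guess, fall back to the peer address
        if not is_trusted_proxy(addr):
            return str(addr), True
    return str(peer), False
```

    A client that pre-loads "X-Forwarded-For: 1.2.3.4" before the proxy appends its real address still resolves to its real address, because the walk stops at the first untrusted hop from the right; a client that connects to the server directly, bypassing the proxy, gets no benefit from the header at all.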
  • Page 238 >> # save Controlling Server Response Codes Alteon can intercept server responses and update the HTTP error messages sent to the user by the server. You can change the error code generated by the server, edit the error reason, or redirect to a different HTTP location.
  • Page 239 Enter URL for redirection []: http://www.alternatesite.com/trythis Changing URLs in Server Responses Alteon lets you update the links within the server responses that do not match the actual object location on the servers. By changing the URL, the server responses are updated with the correct URLs.
  • Page 240 Alteon Application Switch Operating System Application Guide Server Load Balancing 2. Access and then enable URL path change. >> Main# /cfg/slb/virt 1/service 80/http/urlchang >> Enter enabled/disabled or clear [e|d|c] [d]: e >> Enter hostname match type [sufx|prefx|eq|incl|any] [any]: eq >> Enter hostname to match: www.a.com >>...
  • Page 241 >>Main# /cfg/slb/virt 1/service 80/http/cloaksrv ena Enhancing Security by Hiding Page Locations Alteon enables you to hide links within the server responses to avoid exposing the internal data structure on the server. When hiding path locations, specified URLs within the server responses are removed and added back to the client requests.
  • Page 242 Using these commands results in path modifications only. The protocol (HTTP or HTTPS) and the port (when specified) are not modified. To hide page locations 1. Ensure that Alteon is configured for basic SLB: — Assign an IP address to each of the real servers in the server pool.
  • Page 243 Enter path to remove []: test Replacing Free Text in Server Responses Alteon lets you remove or replace free text in server responses. To replace free text in server responses 1. Ensure that Alteon is been configured for basic SLB: —...
  • Page 244: Advanced Content Modifications

    Web application. This can include modifying URLs of objects, modifying cookies or other HTTP headers or modifying any text in the HTTP or HTML. Alteon lets you modify different types of HTTP elements. Following are the HTTP elements that can be modified: •...
  • Page 245 Rules are displayed in numerical order. Tip: Radware recommends that you leave a gap between rule numbers that you create so you can easily place future rules within the current hierarchy. For example, create rules 1, 5, and 10 in the event that new rule 3 should be placed between rules 1 and 5, or new rule 7 should be placed between rules 5 and 10.
  • Page 246: Configuring The Replace Action For Http Headers

    Configuring HTTP Modification for HTTP Headers When creating a rule for an HTTP header element, the following actions can be defined: • Configuring the Replace Action for HTTP Headers, page 246 •...
  • Page 247: To Configure The Remove Action For Http Headers

    >>header Modification http-mod-list Rule 5 # directn >>Enter new rule direction [req|resp] [req]: Example To replace the value of the HTTP Header "My-Header" in all client requests, so that the first match of the string "ABC"...
  • Page 248: To Configure The Insert Action For Http Headers

    3. Enter action to access the Rule Action menu, and then enter remove to set the new rule remove action. >>header Modification http-mod-list Rule 5 # action >>Current rule action: >>Enter new rule action [insert|replace|remove]: remove...
  • Page 249 To configure the insert action for cookies, page 252 Note: When both cookie-based pbind is used and HTTP modifications on the same cookie header are defined, Alteon performs both. This may lead to various application behaviors and should be done with caution. Document ID: RDWR-ALOS-V2900_AG1302...
  • Page 250: To Configure The Replace Action For Cookies

    To configure the replace action for cookies This action replaces the matched cookie key and value with the new specified key and value. When the direction is set to request, the cookie header is modified. When the direction is set to response, the Set-Cookie header is modified.
  • Page 251: To Configure The Remove Action For Cookies

    >>HTTP Modification rule-list mylist# cur Current rule-list: mylist enabled enabled action replace cookie from: KEY=User-Type, VALUE=Gold to: KEY=User-Type, VALUE=Premium direction request To configure the remove action for cookies With this action, the entire key=value pair is removed from the header. The value specified is used to decide whether the header should be removed.
  • Page 252: To Configure The Insert Action For Cookies

    Example To remove the Set-Cookie for a cookie named "Old-Cookie" from all server responses, use the following configuration: >>URL Modification rule-list mylist# cur Current rule-list: mylist enabled enabled action remove cookie...
  • Page 253 4. For the insert action, you can define a match criteria. If you define a match criteria, the insertion is performed only if the match is met. Enter the element to be matched for insertion. For more information, see the Alteon Application Switch Operating System Command Reference.
  • Page 254: To Configure Http Modification For The Http File Type

    To insert the Set-Cookie for a cookie named "Device-ID" with the value "Alteon123" to server responses where a cookie named "GSLB" with the value "On" exists, use the following configuration: >>...
  • Page 255: To Configure The Replace Action For The Http Status Line

    3. Enter action to access the Rule Action menu, and then enter replace to set the new rule replace action. >>filetype Modification http-mod-list Rule 5 # action >>Current rule action: >>filetype supports only action replace...
  • Page 256 3. Enter action to access the Rule Action menu, and then enter replace to set the new rule replace action. >>statusline Modification http-mod-list Rule 5 # action >>Current rule action: >>Enter status code to replace: 333...
  • Page 257: Configuring Modification For Http Url Elements

    Configuring Modification for HTTP URL Elements The following procedure provides general background and parameter-level explanation for modifying HTTP URL elements. To use HTTP content modifications for URL elements Note: The numbers and names in this procedure are examples only.
  • Page 258 — Port—The port used in the URL. The default value is 0, implying a match for cases when the port is not explicitly specified in the URL. This means the default port for the specified protocol (80 for HTTP, 443 for HTTPS) is used.
  • Page 259 — Path—Path Action Type can be set to Insert, Replace, or Remove. • Insert—Lets you insert additional text to the path, either before or after the matched text. • Replace—Lets you replace the matched text in the path with another text.
  • Page 260 4. It is required to modify URLs in the body of the response, so set the body to include. >>URL Modification add-new Rule 10#body Current rule body: exclude Enter new rule body [include|exclude] [exclude]:include >>URL Modification add-new Rule 10#...
  • Page 261 A Web site includes sensitive information. However, the links in the Web site were not designed to use HTTPS for the sensitive information, and so some links refer to HTTP. Alteon needs to modify URLs that appear in the response, where the path includes "/sensitive/", to use HTTPS rather than HTTP.
  • Page 262 Alteon Application Switch Operating System Application Guide Server Load Balancing 6. Set the required action. Since a path match was set, an action also must be specified. To leave the path unchanged, use replace with the same path string. >>URL Modification force-https Rule 10#action >>URL Match#protocol https...
  • Page 263 Alteon Application Switch Operating System Application Guide Server Load Balancing 3. One rule is required. In this example, Rule 20 is added: >>URL Modification rule-list move-site2# >>Enter HTTP Modification rule number (1-128): 20 >>Element can be one of: url, header, cookie, filetype, statusline, text >>Enter element to be modified: URL...
  • Page 264 Alteon Application Switch Operating System Application Guide Server Load Balancing 8. Apply and save. In addition, you can use cur to see the complete rule list configuration: >>URL Modification rule-list move-site2# apply >>URL Modification rule-list move-site2# save >>URL Modification rule-list move-site2# cur...
  • Page 265: To Configure The Replace Action For An Http Text Element

    Configuring HTTP Modification for Text Elements When configuring actions for text elements, these modifications are applied to the header only (default), or to both the header and body, of the HTTP responses or requests.
  • Page 266: To Configure The Remove Action For The Http Text Element

    Example To replace the text "Copyright 2013" with "All rights reserved" in responses, use the following configuration: >>URL Modification rule-list mylist# cur Current rule-list: mylist enabled enabled action replace text...
  • Page 267: Content-Intelligent Caching And Compression Overview (Fastview™)

    5. Enter body to enable text modification in the body. >>text Modification http-mod-list Rule 5 # body >>Current rule body: exclude >>Enter new rule body [include|exclude] [exclude]: Example To remove the text "test test test" wherever it appears in the response, use the following configuration: >>URL Modification rule-list mylist# cur...
  • Page 268: Content-Intelligent Caching

    For Alteon to perform caching, you must define an HTTP virtual service and associate a FastView policy to it. As with other Alteon capabilities, the virtual service is assigned to an application, in this case HTTP, or HTTPS with SSL offloading.
  • Page 269: Cache Content Management

    The object is removed immediately from the cache, but it may be cached again later. Alteon automatically removes from its cache objects that have been changed by users. HTTP POST, PUT, or DELETE requests for an object clear that object from the cache, in accordance with RFC 2616.
  • Page 270 Application Switch Operating System Command Reference. Common FastView Policy Use Cases Example 1: Configuring a Basic FastView Service 1. Before you can configure a caching service, ensure that Alteon is configured for basic SLB: — Define an IP interface. —...
  • Page 271 5. Enable DAM or configure proxy IP addresses and enable proxy on the client port. Example 2: Configuring a FastView Service with a Caching Exception Rule List 1. Before you can configure a FastView service, ensure that Alteon is configured for basic SLB: — Define an IP interface.
  • Page 272: Content-Intelligent Compression

    For Alteon to perform compression, you must define an HTTP virtual service and associate a compression policy to it. As with other Alteon capabilities, the virtual service is assigned to an application, in this case HTTP or HTTPS. HTTP is the only supported application type and is the only protocol that supports compression inherently.
  • Page 273 3. To configure the compression policy, see the section on the menu /cfg/slb/accel/compress in the Alteon Application Switch Operating System Command Reference. Compression Policy The compression policy defines the compression behavior required for the virtual service. A single compression policy can be associated to multiple virtual services if they share the same compression configuration.
  • Page 274 Common Compression Policy Use Cases Example 1: Configuring a Basic Compression Service 1. Before you can configure a compression service, ensure that Alteon is configured for basic SLB: — Define an IP interface. —...
  • Page 275 2: Configuring a Compression Service with a Compression URL Exception Rule List 1. Before you can configure a compression service, ensure that Alteon is configured for basic SLB: — Assign an IP address to each of the real servers in the server pool.
  • Page 276 3: Configuring a Compression Service with a Compression Browser Exception Rule List 1. Before you can configure a compression service, ensure that Alteon is configured for basic SLB: — Assign an IP address to each of the real servers in the server pool.
  • Page 277: Tcp Congestion Avoidance

    SLB. It also helps the real server lower the need of establishing and tearing down TCP connections. Since Alteon acts as a client for the back-end servers, Alteon always tries to reuse previously established SSL sessions. The SSL session reuse attempts are usually successful because the back-end server recognizes Alteon as a client that connects repeatedly.
  • Page 278 You must configure the Proxy IP (PIP) addresses to be used as source IP addresses for the server-side connections. Radware recommends using egress PIP, to ensure PIP is used only to the required servers and service. When using ingress PIP, all traffic coming via the specified port uses PIP, including traffic to other services.
  • Page 279: Chapter 13 - Load Balancing Special Services

    IP SLB lets you perform server load balancing based on a client's IP address only. Typically, the client IP address is used with the client port number to produce a session identifier. When the Layer 3 option is enabled, Alteon uses only the client IP address as the session identifier. To configure Alteon for IP load balancing >>...
  • Page 280: Ftp Server Load Balancing

    FTP mode does not pose a problem with firewalls and is the most common mode of operation. Alteon supports both active and passive FTP operation modes. You can switch from active to passive, or vice versa, in the same FTP session.
  • Page 281: Configuring Ftp Server Load Balancing

    Configuring FTP Server Load Balancing The following procedure is an example configuration for FTP SLB. To configure FTP SLB 1. Ensure that a proxy IP address is enabled on the client ports, or DAM is enabled.
  • Page 282: Configuring Tftp Server Load Balancing

    LDAP connection is closed. Alteon may then create another session to accept the same connection data. To prevent this, Alteon can be configured to send a reset to a real server whose session has timed out before the LDAP connection is closed.
  • Page 283: Configuring Ldap Slb

    To enable a session reset for a virtual server that is running the LDAP service >> # /cfg/slb/virt 1/service ldap/reset enable Figure 41 - LDAP Load Balancing, page 283...
  • Page 284 >> Real server group 1 # add 22 (Add Real Server 26) >> Real server group 1 # add 26 4. Configure and enable a virtual server IP address 1 on Alteon. (Specify the virtual server IP address) >> # /cfg/slb/virt 1/vip 20.20.20.20 (Enable the virtual server) >>...
  • Page 285: Domain Name Server (Dns) Slb

    In Alteon, DNS load balancing lets you choose the service based on the two forms of DNS queries: UDP and TCP. This enables Alteon to send TCP DNS queries to one group of real servers and UDP DNS queries to another group of real servers. The requests are then load balanced among the real servers in that group.
  • Page 286 Alteon Application Switch Operating System Application Guide Load Balancing Special Services 2. Configure the four real servers and their real IP addresses. >> # /cfg/slb/real 20 (Enable Real Server 20) >> Real server 20 # ena (Specify the IP address) >>...
  • Page 287: Configuring Udp-Based Dns Load Balancing

    The following procedure is an example configuration for UDP-Based DNS SLB. To configure UDP-based DNS Load Balancing 1. Configure and enable a virtual server IP address 1 on Alteon. (Specify the virt server IP address) >> # /cfg/slb/virt 1/vip 20.20.20.20 (Enable the virtual server) >>...
  • Page 288: Layer 7 Dns Load Balancing

    This is resolved by splitting the registry and saving it on different servers. If you have large DNS server farms, Alteon lets you load balance traffic based on DNS names, DNS query types and DNS versus DNSSEC queries. To load balance DNS queries, the DNS protocol elements are extracted from the query, processed by Alteon DNS Layer 7 processing engine, and the request is sent to the appropriate real server.
  • Page 289 Figure 43: Load Balancing DNS Queries To configure Alteon for DNS load balancing 1. Before you can configure DNS load balancing, ensure that Alteon is configured for basic SLB: — Assign an IP address to each of the real servers in the server pool.
  • Page 290 (Enable DNS SLB) >> Virtual Server 1 DNS Service # dnsslb ena (Support DNS queries of type DNS only) >> Virtual Server 1 DNS Service # dnstype both 3. In addition to the TCP settings, for the virtual server, if using a TCP-based DNS server, enable delayed binding (if using a UDP-based DNS server, do not enable delayed binding).
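    The Layer 7 DNS load balancing described on pages 285 to 290 keys the real-server group off the transport (UDP or TCP), the query name, the query type and whether the query is DNSSEC-aware. The following is an added example, not code from the manual or from Radware: it decodes those fields from a wire-format DNS query (the EDNS0 OPT record's DO bit is what marks a DNSSEC-aware query) and applies a first-match policy table. The policy rules, group numbers and sample queries are constructed for the demo and do not reproduce any Alteon configuration.

```python
"""DNS query classification for Layer 7 DNS load balancing.

Added example (not Alteon code): parses the wire-format query fields a
Layer 7 DNS engine inspects (query name, query type, and the EDNS0 DO bit
that marks a DNSSEC-aware query) and maps the query to a real-server
group. The policy table, group numbers and sample queries are constructed
for this demo.
"""
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 28: "AAAA", 48: "DNSKEY", 252: "AXFR"}


def _read_name(pkt, off):
    """Decode a DNS name (RFC 1035 labels, with compression pointers) starting at off."""
    labels, end, jumped = [], off, False
    while True:
        ln = pkt[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                     # compression pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    if not jumped:
        end = off
    return ".".join(labels).lower(), end


def parse_query(pkt, transport="udp"):
    """Return the Layer 7 fields of one DNS query; TCP carries a 2-byte length prefix."""
    if transport == "tcp":
        (length,) = struct.unpack("!H", pkt[:2])
        pkt = pkt[2:2 + length]
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    qname, off = _read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    dnssec = False
    for _ in range(an + ns + ar):                  # walk the remaining RRs to find OPT
        _, off = _read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                            # OPT: the DO bit is bit 15 of the TTL field
            dnssec = bool(ttl & 0x8000)
    return {"transport": transport, "qname": qname,
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "dnssec": dnssec}


# Constructed policy: (transport, name suffix, qtype, dnssec, group); first match wins.
POLICY = [
    ("tcp", "", "any", None, 2),            # TCP queries (zone transfers, truncated retries) -> group 2
    ("any", "", "any", True, 3),            # DNSSEC-aware queries -> signed-zone servers, group 3
    ("any", "example.com", "MX", None, 4),  # MX lookups under example.com -> group 4
    ("any", "", "any", None, 1),            # everything else -> group 1
]


def choose_group(query, policy=POLICY, default=None):
    for transport, suffix, qtype, dnssec, group in policy:
        if transport != "any" and transport != query["transport"]:
            continue
        if suffix and query["qname"] != suffix and not query["qname"].endswith("." + suffix):
            continue
        if qtype != "any" and qtype != query["qtype"]:
            continue
        if dnssec is not None and dnssec != query["dnssec"]:
            continue
        return group
    return default


def build_query(name, qtype, dnssec=False, transport="udp", txid=0x1234):
    """Constructed sample query (not a capture) so the example runs offline."""
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    body += struct.pack("!HH", qtype, 1)
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec else 0) + body
    if dnssec:                                     # OPT RR: root name, type 41, 4096 payload, DO set
        pkt += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)
    if transport == "tcp":
        pkt = struct.pack("!H", len(pkt)) + pkt
    return pkt


if __name__ == "__main__":
    for name, qt, dn, tr in [("www.example.com", 1, False, "udp"),
                             ("example.com", 15, False, "udp"),
                             ("www.example.com", 1, True, "udp"),
                             ("example.com", 252, False, "tcp")]:
        q = parse_query(build_query(name, qt, dn, tr), tr)
        print(q, "-> group", choose_group(q))
```

    The parser deliberately refuses responses and multi-question packets, and it walks every record with explicit bounds so that a truncated datagram raises instead of being classified; a load balancer that silently forwards malformed queries to a "default" group hands an attacker a way to steer traffic. Note that the DO bit only says the client can handle DNSSEC records, so routing on it separates resolvers that validate from those that do not, not signed zones from unsigned ones.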
  • Page 291: Real Time Streaming Protocol Slb

    554 and the data flows over UDP or TCP. This port can be changed, however. Alteon supports two Layer 7 metrics, URL hashing and URL pattern matching, and all Layer 4 load-balancing metrics. This section discusses load balancing RTSP servers for Layer 4. For information...
  • Page 292: Supported Rtsp Servers

    There are several variations to this procedure, depending upon the RTSP client and the server involved. For example, there are two prominent RTSP server and client implementations. The RTSP stream setup sequence is different for these two servers, and Alteon handles each differently: •...
  • Page 293 Figure 44: Load Balancing RTSP Servers To configure RTSP load balancing 1. On Alteon, before you start configuring RTSP load balancing: — Connect each QuickTime server to the Layer 2 switch —...
  • Page 294 4. Create a group to support RealNetworks servers. (Define a group) >> # /cfg/slb/group 100 (Add Real Server 1) >>Real Server Group 100# add 1 (Add Real Server 2) >>Real Server Group 100# add 2...
  • Page 295: Content-Intelligent Rtsp Load Balancing

    Content-Intelligent RTSP Load Balancing Alteon supports RTSP load balancing based on URL hash metric or string matching to load balance media servers that contain multimedia presentations. Because multimedia presentations consume a large amount of Internet bandwidth, and their correct presentation depends upon the real time delivery of the data over the Internet, several media servers contain the same multimedia data.
  • Page 296 Figure 45: RTSP Load Balancing To configure content-intelligent RTSP load balancing 1. Before you start configuring RTSP load balancing, configure Alteon for standard server load balancing, as described in Server Load Balancing Configuration Basics, page 171: —...
  • Page 297 2. Configure IP addresses for the real servers. (Define IP address for Real Server 1) >> # /cfg/slb/real 1/rip 10.10.10.1/ena (Define IP address for Real Server 2) >> # /cfg/slb/real 2/rip 10.10.10.2/ena (Define IP address for Real Server 3) >>...
  • Page 298 7. Create another virtual server for Group 2 media servers. Configure a virtual server and select rtsp, or port 554, as a service for the virtual server. (Select the virtual server) >>...
  • Page 299: Secure Socket Layer (Ssl) Slb

    Applications that require special SSL support and are not supported by Alteon include FTPS, POPS, SMTPS. For Alteon to perform SSL offloading, you must define an SSL virtual service and associate both a server certificate and an SSL policy to it. As with other Alteon features, the virtual service is assigned to an application, in this case either HTTPS or another protocol encrypted by SSL.
  • Page 300: Associating A Server Certificate To A Virtual Service

    Associating a Server Certificate to a Virtual Service When configuring an SSL virtual service, you must associate a server certificate to it. Alteon requires the server certificate and private key in order to perform SSL handshaking and be able to decrypt and encrypt traffic related to the virtual service.
  • Page 301: Wap Slb With Radius Static Session Entries

    In this example, the RADIUS servers are integrated with the WAP gateways: Figure 46: Load Balancing WAP Gateways You can configure Alteon to select a WAP gateway for each client request based on one of the following three methods: •...
  • Page 302 (destination) IP address, and virtual (destination) port number. A static session entry added via TPCP to Alteon does not age out. The entry is only deleted by another TPCP Delete Session request. If the user adds session entries using the traditional server load balancing methods, the entries will continue to age out.
  • Page 303 If the application is not recognized by the port, set the application to basic-slb. >> # /cfg/slb/virt <number> /service <name|number> /protocol udp Note: The RADIUS service number specified on Alteon must match with the service specified on the server. 2. Configure Alteon for basic SLB.
  • Page 304: Wap Slb With Radius Snooping

    RADIUS snooping is similar to the static session entry method in that a static session entry is added to, or removed from, Alteon for a user's WAP traffic. It differs in that Alteon itself snoops the RADIUS accounting packets, instead of the RADIUS server adding and deleting the entries through TPCP.
  • Page 305 Configure for RADIUS services 1812, 1813, and 1645. >> # /cfg/slb/virt <number> /service <name|number> /protocol udp Note: The RADIUS service number specified on Alteon must match the service specified on the server. 2. Configure Alteon for basic SLB. >> # /cfg/slb/on 3.
  • Page 306: Wap Slb With Radius/Wap Persistence

    A WAP client is first authenticated by the RADIUS server on UDP port 1812. The server replies with a RADIUS accept or reject frame. Alteon forwards this reply to the RAS. After the RAS receives the RADIUS accept packet, it sends a RADIUS accounting start packet on UDP port 1813 to the bound server.
  • Page 307 The following steps occur when using RADIUS/WAP persistence: 1. The user is authenticated on dialing. The RAS sends a RADIUS authentication request on UDP port 1812 to one of the servers. Alteon receives the authentication request. If there is no session corresponding to this request, a new session is allocated and the client is bound to a server.
  • Page 308 5. Configure the services for Virtual Server 1. Notes • The RADIUS service number specified on Alteon must match with the service specified on the server. • If the application is not recognized by the port, set the application as basic-slb.
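    Pages 301 to 308 describe three ways of binding a WAP subscriber to a gateway, two of which react to RADIUS accounting traffic: a static session entry is added when an accounting Start arrives for the subscriber's Framed-IP-Address, removed on Stop, and never ages out in between. The following is an added example, not manual or Radware code, of the snooping side of that mechanism: it decodes RADIUS Accounting-Request packets (RFC 2866 framing, attributes User-Name 1, Framed-IP-Address 8, Acct-Status-Type 40) and maintains the session table. The gateway list, the hash used to pick a gateway and the sample packets are constructed for the demo; the 1813/1646 port check is an assumption about where accounting traffic is seen.

```python
"""RADIUS accounting snooping for WAP static session entries.

Added example, not Alteon code: decodes RADIUS Accounting-Request packets
(RFC 2866) the way a snooping load balancer would and adds or removes a
static session entry binding the subscriber's Framed-IP-Address to a WAP
gateway. Gateways, gateway selection and sample packets are constructed.
"""
import hashlib
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40
ACCT_START, ACCT_STOP = 1, 2


def parse_radius(pkt):
    """Return (code, identifier, {attribute type: value bytes}); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, off = {}, 20                      # 16-byte authenticator precedes the AVPs
    while off + 2 <= length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad AVP length")
        attrs[atype] = pkt[off + 2:off + alen]
        off += alen
    return code, ident, attrs


class WapSessionTable:
    """Static entries keyed by subscriber IP: no age-out, only an accounting Stop removes one."""

    def __init__(self, gateways):
        self.gateways = list(gateways)
        self.entries = {}                    # subscriber ip -> gateway ip

    def select_gateway(self, client_ip):
        h = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
        return self.gateways[h % len(self.gateways)]

    def snoop(self, pkt, dst_port):
        """Feed one UDP datagram; only accounting traffic is consulted."""
        if dst_port not in (1813, 1646):     # accounting ports (assumption for the demo)
            return None
        code, _, attrs = parse_radius(pkt)
        if code != ACCOUNTING_REQUEST or FRAMED_IP_ADDRESS not in attrs:
            return None
        client_ip = ".".join(str(b) for b in attrs[FRAMED_IP_ADDRESS])
        (status,) = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])
        if status == ACCT_START:
            self.entries.setdefault(client_ip, self.select_gateway(client_ip))
            return ("add", client_ip, self.entries[client_ip])
        if status == ACCT_STOP:
            return ("delete", client_ip, self.entries.pop(client_ip, None))
        return None                          # Interim-Update and others leave the table alone


def build_acct_request(user, framed_ip, status, ident=7):
    """Constructed Accounting-Request (not a capture); the authenticator is zeroed."""
    avps = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    avps += bytes([FRAMED_IP_ADDRESS, 6]) + bytes(int(o) for o in framed_ip.split("."))
    avps += bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(avps))
    return header + b"\x00" * 16 + avps


if __name__ == "__main__":
    table = WapSessionTable(["10.10.10.1", "10.10.10.2"])
    print(table.snoop(build_acct_request("alice", "192.0.2.10", ACCT_START), 1813))
    print(table.snoop(build_acct_request("alice", "192.0.2.10", ACCT_STOP), 1813))
```

    The check a practitioner should add before relying on this is authenticity: the snooper above cannot verify the Request Authenticator because that needs the RADIUS shared secret, so a forged Accounting-Request from anywhere the snooping port sees could delete a live subscriber's entry or pin it to a gateway of the attacker's choosing. Restrict snooping to traffic between the RAS and the RADIUS servers, and keep the accounting ports on their own VLAN.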
  • Page 309: Intrusion Detection System (Ids) Slb

    How Intrusion Detection Server Load Balancing Works Alteon can forward a copy of the IP packets to an Intrusion Detection server. IDS SLB must be enabled on the incoming ports and enabled for the groups containing the IDS real servers. The IDS SLB-enabled device copies packets entering IDS-enabled ports.
  • Page 310 SLB. 3. Enable IDS on the incoming ports (both client and server ports). Enabling IDS at the port level enables Alteon to make a copy of the frames ingressing the port and forward the copy to the IDS server group.
  • Page 311: Setting Up Ids Servers

    • Example 1: Load Balancing to a Single IDS Group, page 312—One Alteon is dedicated to load balancing two IDS servers in a single group, and a second Alteon performs standard server load balancing. • Example 2: Load Balancing to Multiple IDS Groups, page 315—A single Alteon performs both...
  • Page 312 The client request is processed and returned to Alteon 1 via the firewall. An allow filter on ports 26 and 27 causes Alteon to make a copy of the request and directs the copy to the IDS server group.
  • Page 313 To load balance to a single IDS group 1. Set up the IDS servers. To configure the IDS servers as real servers you must consider the setup of the IDS servers and the selection of the health check.
  • Page 314 IP address ensures that the returning traffic goes to the same IDS server. If the port is configured for client processing only, then Alteon hashes on the source IP address. By default, the IDS hash metric hashes on the source IP address only.
  • Page 315 This ensures that both client and server traffic belonging to the same session is sent to the same IDS server. If you do not add the filter on port 25, then Alteon hashes on the client IP address only. To load balance to multiple IDS groups 1.
  • Page 316 2. Configure the IDS servers as real servers. In Figure 49 - Server Load Balancing and IDS Load Balancing Across Multiple Alteons, page 319, the IDS servers are set up with non-routable IP addresses. The real servers must be numbered 1 to 63.
  • Page 317 10. Apply the filter to ports 2, 3, 4 and 25 only. Enable filter processing on all ports that have IDS enabled. If you add the allow filter to the client port 25, Alteon hashes on the client IP and virtual server IP addresses for both client and server frames. This ensures that both client and server traffic belonging to the same session is sent to the same IDS server.
  • Page 318 319, the Alteons are connected to each other via a trunked interswitch link (ports 25 and 26) that is associated with all VLANs configured on Alteon. Each Alteon is connected to IDS servers that are each on different VLANs but belong to the same IDS group. For VLAN-based IDS load balancing, the ingress packets are copied by the master Alteon and flooded to the IDS servers for monitoring through the path associated with an IDS VLAN.
  • Page 319 The standby Alteon also learns the source MAC address of the server when the server response packets enter the master Alteon and are flooded to the IDS VLAN over the interswitch link.
  • Page 320 2. On the master Alteon, configure the interswitch link ports/VLANs for the IDS VLAN. /cfg/port 25/tag ena/pvid 1000 /cfg/port 26/tag ena/pvid 1000 3. Configure trunk groups. (Add ports 25, 26 to Trunk Group 1)
  • Page 321 >> # /cfg/slb/real 3/rip 11.11.11.100/ena >> Real server 3 # ids/idsvlan 1003 >> Real Server 3 IDS# idsport 25 (Set OID to health check port 3 on Alteon 2) >> Real Server 3 IDS# oid 1.3.6.1.2.1.2.2.1.8.259 >> # /cfg/slb/real 4/rip 11.11.11.100/ena >>...
  • Page 322 15. Apply the allow filter to ports 4, 7, 8, 27, and 28 to enable filter processing on all ports that have IDS enabled. If you add the allow filter to the client port 4, Alteon hashes on the client IP and virtual server IP address for both the client and server frames. This ensures that both client and server traffic belonging to the same session is sent to the same IDS server.
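    Pages 314 to 322 make the same point three times: the default IDS metric hashes on the source IP only, so a request (source = client) and its reply (source = the virtual server) can be copied to different sensors and neither sees the whole session; adding the allow filter on the client port makes Alteon hash on the client IP and virtual server IP for frames in both directions. The following is an added example, not manual or Radware code, that models both behaviours so the split can be seen. The hash is a simple modular function of the address integers, chosen so that the outcome can be checked by hand; Alteon's real hash is not given in the excerpt. Sensor and client addresses are constructed.

```python
"""Why IDS load balancing must hash symmetrically.

Added example, not Alteon code: compares hashing on the source IP only
with hashing on the (client IP, VIP) pair regardless of direction. The
hash is a deliberately simple modular function so the result is easy to
follow; sensor addresses, VIP and clients are constructed for the demo.
"""
import ipaddress


def _ip(addr):
    return int(ipaddress.ip_address(addr))


def pick_srcip_only(frame, sensors, vips=None):
    """Default IDS metric: hash on the frame's source IP only."""
    return sensors[_ip(frame["src"]) % len(sensors)]


def pick_session(frame, sensors, vips):
    """Hash on (client IP, VIP) whichever way the frame travels, so both directions agree."""
    if frame["dst"] in vips:                     # client -> virtual server
        client, vip = frame["src"], frame["dst"]
    elif frame["src"] in vips:                   # virtual server -> client
        client, vip = frame["dst"], frame["src"]
    else:
        raise ValueError("frame does not involve a load-balanced VIP")
    return sensors[(_ip(client) ^ _ip(vip)) % len(sensors)]   # XOR is symmetric in its operands


def split_sessions(clients, vip, sensors, picker):
    """Return the clients whose request and reply would be copied to different sensors."""
    split = []
    for client in clients:
        request = {"src": client, "dst": vip}
        reply = {"src": vip, "dst": client}
        if picker(request, sensors, {vip}) != picker(reply, sensors, {vip}):
            split.append(client)
    return split


if __name__ == "__main__":
    sensors = ["10.10.10.1", "10.10.10.2"]
    clients = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    print("source-IP hash splits:", split_sessions(clients, "20.20.20.20", sensors, pick_srcip_only))
    print("session hash splits:  ", split_sessions(clients, "20.20.20.20", sensors, pick_session))
```

    With the source-only metric every reply lands on whichever sensor the VIP hashes to, so one sensor sees all server-side traffic and the others see only client-side halves; signatures that need both directions (for example, matching a request to the response that carried the payload) never fire. The symmetric hash keeps each session whole, which is the property to verify after changing the filter or port configuration.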
  • Page 323: Session Initiation Protocol (Sip) Server Load Balancing

    16. Apply and save your changes. >> SLB Port 26# apply >> SLB Port 26# save 17. Configure Alteon 2 to load balance the real servers as described in Server Load Balancing Configuration Basics, page 171. —...
  • Page 324: Tcp-Based Sip Servers

    Figure 50 - SIP Load Balancing, page 324 illustrates an Alteon performing TCP-based SIP SLB. In this example, three SIP proxy servers are configured in a Real Server Group 100. Alteon is configured for SIP service (port 5060) for virtual server 40.40.40.100.
  • Page 325 (Enable Real Server 2) >> Real server 2# ena (Define address for MCS 3) >> # /cfg/slb/real 3/rip 10.10.10.3 (Enable Real Server 3) >> Real server 3# ena 4. Create a group to load balance the SIP proxy servers.
  • Page 326: Udp-Based Sip Servers

    Note: SIP sessions are quite long and data may be flowing while the signaling path is idle. Because Alteon resides in the signaling path, Radware recommends increasing the real server session timeout value to 30 minutes (Default: 10 minutes). (Increase Real 1 session timeout) >>...
  • Page 327 1. Before you start configuring SIP load balancing: — Connect each SIP proxy server to Alteon — Configure the IP addresses on all devices connected to Alteon — Configure the IP interfaces on Alteon — Enable Direct Access Mode (DAM) —...
  • Page 328 Because Alteon resides in the signaling path, Radware recommends increasing the real server session timeout value to 30 minutes (Default: 10 minutes). When the call terminates with a BYE command, Alteon releases the session entry immediately. (Increase Real 1 session timeout) >>...
  • Page 329: Enhancements To Sip Server Load Balancing

    Alteon creates a persistent session. When creating a session for a new request, Alteon looks up the session table and selects the correct real server. If there is a persistent session, then the real server specified in the session entry is used if that real server is up.
  • Page 330: Softgrid Load Balancing

    Support for RTP (SDP) Media Portal NAT—This feature is useful if you have several media portal servers with private IP addresses. When the proxy servers respond to an INVITE request, the private IP address of the media portal is embedded in the SDP. Alteon translates this private IP address to a public IP address.
  • Page 331 Figure 52: SoftGrid Load Balancing Network Topology The SoftGrid platform supports TCP unicast connections using the following protocols: 1. Real Time Streaming Protocol (RTSP)—RTSP is an application-level protocol that is responsible for controlling the transport of multimedia content, session announcements, and tear downs.
  • Page 332: Configuring Softgrid Load Balancing

    Domain Manager (DM). The DM recommends a weight for each application or server in the group. This weight recommendation is based on the business importance, topology, and ability of the system to meet its business goals. This recommended weight helps Alteon make intelligent SLB decisions.
  • Page 333: How Alteon Works With The Dm

    Generic Window Manager (GWM) to propose new group members to Alteon How Alteon Works with the DM Alteon initiates a TCP connection with the GWM for all the configured IP address and port numbers. After establishing the connection, Alteon registers various WLM-configured groups of real servers with the GWM.
  • Page 334: Verifying Wlm Configurations

    4. Apply and save the configuration. >> Management Port# apply >> Management Port# save Verifying WLM Configurations The following are example commands to display and verify WLM configurations. To display WLM information >>...
  • Page 335 To display weight updates for the WLM-configured group >> Main# /stats/slb/group 2 Real server group 2 stats: Total weight updates from WorkLoad Manager : 10 Current Total Highest Real IP address Sessions Sessions Sessions...
  • Page 336: Limitations For Wlm Support

    To display the current weight for the real server for application redirection >> Main# /info/slb >> Server Load Balancing Information# filt 224 224: action allow group 1, health 3, backup none, vlan any, content web.gif...
  • Page 337: Chapter 14 - Offloading Ssl Encryption And Authentication

    Client Authentication Policies, page 343 • Common SSL Offloading Service Use Cases, page 343 SSL Offloading Implementation For Alteon to provide SSL offloading, you must configure, enable, and apply the following components: • SSL Virtual Service—As discussed in SSL Offloading Implementation, page...
  • Page 338: Ssl Policies

    /cfg/slb/ssl/sslpol menu in the Alteon Application Switch Operating System Command Reference. Note: Alteon lets you explicitly select or deselect supported SSL and TLS protocol versions for the front-end and back-end connections. Certificate Repository A certificate is a digitally signed statement that binds a public key to the identity of a server or a user. It is usually supplied as an encoded file containing the key material and identity data.
  • Page 339: Certificate Types In The Certificate Repository

    The certificate repository is a secured stronghold of all PKI-related components such as encryption keys, certificates of different types, and Certificate Signing Requests (CSRs). Certificate components are required for Alteon to supply SSL offloading services and client authentication. Alteon supports the X.509 standard for PKIs.
  • Page 340: Importing And Exporting Certificate Components To And From The Repository

    CA certificate or group of trusted client CA certificates to allow Alteon to know which client certificates to accept. Trusted CA certificates are not created in Alteon—you must first import them. You select the trusted CA certificates from those you have imported.
  • Page 341 The maximum file size for importing SSL components (excluding 2424-SSL configuration) is 200 KB. Trusted CA certificate Export, Import Trusted CA certificates are not created in Alteon— you must first import them from the CA. Trusted CA certificates are usually exported for backup purposes. Note:...
  • Page 342: Ssl Server Certificate Renewal Procedure

    In both cases, in order to facilitate a timely renewal process, you can track Alteon SNMP alerts. Alteon generates SNMP alerts 30, 15, 10, 5, 4, 3, 2, and 1 day before certificate expiration. Once a certificate has expired a daily alert is issued.
  • Page 343: Client Authentication Policies

    To authenticate the client's identity, you import a CA certificate into Alteon. When Alteon receives a client certificate, it validates it against this CA certificate by checking that the client certificate was issued and signed by this trusted CA. Additionally, you can configure Alteon to ensure that the client certificates were not revoked by checking their statuses using OCSP (Online Certificate Status Protocol).
  • Page 344 — Define server port and client port. — Define virtual server For more information on how to configure Alteon for SLB, see Server Load Balancing, page 165. 2. Define the SSL Policy which will govern the SSL offloading behavior. (Define an ID to identify the SSL >>...
  • Page 345 7. Enable DAM or configure proxy IP addresses and enable proxy on the client port. Example 2: Configuring a Basic SSL Offloading Service for a Non-HTTP Protocol 1. Before you can configure an SSL offloading service, ensure that Alteon is configured for basic SLB: —...
  • Page 346 (Enable the policy) >> SSL Policy myPol# ena For details on defining additional SSL policy parameters, see the section on the /cfg/slb/ssl/sslpol menu in the Alteon Application Switch Operating System Command Reference. 3. Define a server certificate for this service: —...
  • Page 347 7. Enable DAM or configure proxy IP addresses and enable proxy on the client port. Example 3: Configuring an SSL Offloading Service with Back-End Encryption 1. Before you can configure an SSL offloading service, ensure that Alteon is configured for basic SLB: —...
  • Page 348 (Enable the policy) >> SSL Policy myPol# ena For details on defining additional SSL policy parameters, see the section on the /cfg/slb/ssl/sslpol menu in the Alteon Application Switch Operating System Command Reference. 3. Define a server certificate for this service: —...
  • Page 349 Same Virtual IP Using Server Name Indication (SNI) To configure SSL offloading for multiple domains behind a single virtual IP, SSL handshake server name indication (SNI) is used. 1. Before you can configure an SSL offloading service, ensure that Alteon is configured for basic SLB: —...
  • Page 350 — Define virtual server. For more information on how to configure Alteon for SLB, see Server Load Balancing, page 165. 2. Create or import SSL server certificates of all the servers that are SSL offloaded according to Example 1: Configuring a Basic SSL Offloading Service, page 343.
  • Page 351 (Associate an SSL policy) >> SSL Load Balancing# sslpol myPol Alteon supports SSL offloading both with and without SNI, and there are various ways to indicate domain names in certificates (common name, wildcards, subject alternative name extension). The following is the order in which certificates are used in various scenarios (SSL offloading certificate matching logic).
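    The certificate matching logic itself is cut off in the excerpt above, so the following added example (not manual or Radware code, and not Alteon's documented order) shows one defensible way to select a server certificate for a ClientHello when several certificates with common names, wildcards and subject alternative names sit behind one virtual IP. The precedence used here follows RFC 6125 name-matching practice: exact SAN match, then a wildcard SAN covering exactly one leftmost label, then the common name only for certificates that carry no SAN, and the service's default certificate when there is no SNI or nothing matches. The certificate descriptors are constructed for the demo.

```python
"""Server certificate selection by SNI behind one virtual IP.

Added example, not Alteon code: the precedence implemented here (exact SAN,
wildcard SAN for one label, CN only when the certificate has no SAN, then
the service default) follows RFC 6125 practice and is an assumption for
the demo, not the manual's own ordering. Certificates are constructed.
"""


def _name_matches(pattern, host):
    """RFC 6125-style comparison: exact match, or a wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return prefix != "" and "." not in prefix  # "*.example.com" != "example.com", != "a.b.example.com"
    return False


def select_certificate(certs, default, sni):
    """Return the certificate to present for a ClientHello carrying sni (None when absent)."""
    if not sni:
        return default                             # no SNI: the virtual service's default certificate
    for cert in certs:                             # 1. exact subjectAltName dNSName
        if any(name.lower() == sni.lower() for name in cert["san"]):
            return cert
    for cert in certs:                             # 2. wildcard subjectAltName
        if any(name.startswith("*.") and _name_matches(name, sni) for name in cert["san"]):
            return cert
    for cert in certs:                             # 3. common name, only if the certificate has no SAN
        if not cert["san"] and _name_matches(cert["cn"], sni):
            return cert
    return default                                 # 4. nothing matched


# Constructed certificate descriptors for the demo (no real key material).
CERTS = [
    {"name": "shop", "cn": "shop.example.com", "san": ["shop.example.com", "www.shop.example.com"]},
    {"name": "wild", "cn": "*.example.com", "san": ["*.example.com"]},
    {"name": "legacy", "cn": "legacy.example.net", "san": []},
    {"name": "default", "cn": "default.example.com", "san": ["default.example.com"]},
]
DEFAULT = CERTS[3]


if __name__ == "__main__":
    for sni in ["shop.example.com", "blog.example.com", "a.b.example.com", "legacy.example.net", None]:
        print(sni, "->", select_certificate(CERTS, DEFAULT, sni)["name"])
```

    The cases worth checking after deploying SNI-based offloading are the ones this code rejects: a wildcard does not cover the bare domain or a second label level, and a client that sends no SNI (older libraries, some monitoring probes) gets the default certificate, so the default should be the one whose name mismatch is least harmful.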
  • Page 352 7. Apply and save your configuration. Example 5: Configuring an SSL Offloading Service with Client Authentication 1. Before you can configure an SSL offloading service, ensure that Alteon is configured for basic SLB: — Assign an IP address to each of the real servers in the server pool.
  • Page 353 6. Enable DAM or configure proxy IP addresses and enable proxy on the client port. Example 6: Configuring a Clear-text HTTP Service with Back-end Encryption 1. Before you can configure an SSL offloading service, ensure that Alteon is configured for basic SLB, as follows: —...
  • Page 354 5. Enable DAM or configure proxy IP addresses, and enable proxy on the client port. 6. When using back-end encryption, Radware recommends using multiplexing to minimize the server load of performing new SSL handshakes. For more details on multiplexing, see...
  • Page 355: Chapter 15 - Filtering And Traffic Manipulation

    Filters are policies that enable classification, manipulation and redirection of traffic for load balancing purposes, network security, Network Address Translation (NAT) and more. Starting with version 28.1.50, Alteon includes additional filtering features, such as reverse session and redirection to proxy, to support the different load balancing modes. For more information, see Filtering Enhancements, page 363.
  • Page 356: Basic Filtering Features

    Basic Filtering Features Alteon includes extensive filtering capabilities at the Layer 2 (MAC), Layer 3 (IP), Layer 4 (TCP/UDP), and Layer 7 (content-based) levels. This section includes an overview of the following topics: •...
  • Page 357: Filtering Actions

    Starting with version 28.1.50, it is possible to reverse the filter logic at Layer 7 using an advanced filter option. For more information, see Layer 7 Invert Filter, page 363. In addition, Alteon supports advanced filtering options, such as TCP flags (Matching TCP Flags, page 391), ICMP message types...
  • Page 358: Stacking Filters

    If the filter criteria do not match, Alteon tries to match the criteria of the following filter. As long as the filters do not overlap, you can improve filter performance by making sure that the most heavily used filters are applied first.
  • Page 359: Default Filter

    Note: Radware recommends numbering filters in small increments (5, 10, 15, 20, and so on) to make it easier to insert filters into the list at a later time. However, as the number of filters increases, you can improve performance by minimizing the increment between filters. For example, filters numbered 2, 4, 6, and 8 are more efficient than filters numbered 20, 40, 60, and 80.
  • Page 360: Filtering With Network Classes

    IP address. Example IP Address Ranges Alteon can be configured with two filters so that each would handle traffic filtering for one half of the Internet. To do this, you could define the following parameters: Table 30: Filtering IP Address Ranges...
  • Page 361: Filter Logs

    Filter Logs To provide enhanced troubleshooting and session inspection capabilities, packet source and destination IP addresses are included in filter log messages. Filter log messages are generated when a Layer 3 or Layer 4 filter is triggered and has logging enabled. The messages are output to the console port, system host log (syslog), and the Web-based interface message window.
  • Page 362: Cached Versus Non-Cached Filters

    Cached Versus Non-Cached Filters To improve efficiency, Alteon by default performs filter processing only on the first frame in each session. Subsequent frames in a session are assumed to match the same criteria and are treated in the same way as the initial frame.
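    Pages 358 to 362 describe the filter stack as a set of rules walked in ascending number until one matches, with filter 2048 as the catch-all default, optional logging that records source and destination addresses, and a cache that classifies only the first frame of a session. The following is an added example, not manual or Radware code, that models that behaviour so the ordering and caching effects can be seen on sample frames. The filter numbers, the two source ranges that split the address space into halves (0.0.0.0/1 and 128.0.0.0/1, my reading of the "one half of the Internet" example on page 360), the server address and the frames are constructed for the demo.

```python
"""Ordered filter processing with a per-session cache.

Added example, not Alteon code: filters are tried in ascending number, the
first match wins, filter 2048 is the catch-all default, a log record with
source and destination addresses is emitted when a filter with logging
enabled fires, and the decision is cached per session so only the first
frame of a session is classified. All numbers, addresses and frames are
constructed for this demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Filter:
    num: int
    action: str                      # allow | deny | nat | redir
    sip: str = "any"                 # source network in CIDR, or "any"
    dip: str = "any"                 # destination network in CIDR, or "any"
    proto: str = "any"               # tcp | udp | icmp | any
    dport: Optional[int] = None
    log: bool = False

    def matches(self, frame):
        for want, have in ((self.sip, frame["sip"]), (self.dip, frame["dip"])):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        if self.proto != "any" and self.proto != frame["proto"]:
            return False
        if self.dport is not None and self.dport != frame.get("dport"):
            return False
        return True


class FilterPort:
    """Filters applied to one port; cached=False re-evaluates every frame."""

    def __init__(self, filters, cached=True):
        self.filters = sorted(filters, key=lambda f: f.num)   # lowest number is tried first
        self.cached = cached
        self.sessions = {}                                     # 5-tuple -> (filter number, action)
        self.log = []

    def classify(self, frame):
        key = (frame["proto"], frame["sip"], frame.get("sport"), frame["dip"], frame.get("dport"))
        if self.cached and key in self.sessions:
            return self.sessions[key]                          # later frames skip the filter walk
        for f in self.filters:
            if f.matches(frame):
                if f.log:
                    self.log.append(f"filter {f.num} {f.action} {frame['sip']} -> {frame['dip']}")
                if self.cached:
                    self.sessions[key] = (f.num, f.action)
                return (f.num, f.action)
        raise RuntimeError("no default filter configured on this port")


def demo_port():
    """Two allow filters split the source address space into halves, a logged deny for
    telnet to the web server, and the default deny filter 2048 (all constructed)."""
    return FilterPort([
        Filter(10, "allow", sip="0.0.0.0/1", dip="10.10.10.10/32", proto="tcp", dport=80),
        Filter(20, "allow", sip="128.0.0.0/1", dip="10.10.10.10/32", proto="tcp", dport=80),
        Filter(30, "deny", dip="10.10.10.10/32", proto="tcp", dport=23, log=True),
        Filter(2048, "deny", log=True),
    ])


if __name__ == "__main__":
    port = demo_port()
    frames = [
        {"proto": "tcp", "sip": "100.1.1.1", "sport": 40000, "dip": "10.10.10.10", "dport": 80},
        {"proto": "tcp", "sip": "200.1.1.1", "sport": 40001, "dip": "10.10.10.10", "dport": 80},
        {"proto": "tcp", "sip": "100.1.1.1", "sport": 40002, "dip": "10.10.10.10", "dport": 23},
        {"proto": "udp", "sip": "100.1.1.1", "sport": 5000, "dip": "10.10.10.10", "dport": 53},
    ]
    for fr in frames:
        print(fr["sip"], fr["proto"], fr.get("dport"), "->", port.classify(fr))
    print("\n".join(port.log))
```

    Two practical consequences fall out of the model. Because the walk stops at the first match, a broad allow placed below a narrow deny is never reached for the traffic the deny covers, so ordering is a security control, not just a performance one. And because the decision is cached per session, a filter change applied while sessions are open does not touch them until they age out; when a deny is added to stop an active abuse, the offending sessions must be cleared as well.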
  • Page 363: Filtering Enhancements

    Direct Access Mode (DAM) or a reverse session must be defined. When using DAM, Alteon changes the source port of the session and identifies the return session by its changed source port. Alteon then reverts the session parameters to the original parameters of the client session.
  • Page 364: Load Balancing Modes

    Transparent load balancing is the deployment of a server load balancer where the network and/or client traffic is not interrupted. That is, Alteon redirects the traffic and returns it to the client without changing any of its parameters. Transparent load balancing can be performed in various ways.
  • Page 365 To redirect traffic with a transparent server 1. Configure Filter 10 to redirect traffic to Real Server Group 10 (VAS server). (Select the menu for Filter 10) >> # /cfg/slb/filt 10 (From a specific source IP address) >>...
  • Page 366 When redirecting traffic with a NAT filter, the client traffic is first redirected to a VAS server group. Traffic is returned to Alteon transparently through a NAT filter, which changes the client address to CNAT before sending it to the HTTP port. The NAT filter translates the CNAT of the return traffic back to its original state before returning it to the client.
  • Page 367: Semi-Transparent Load Balancing

    >> Proxy Advanced# proxy enable Semi-Transparent Load Balancing When employing semi-transparent load balancing, Alteon redirects the traffic and returns it to the client and changes one or more source parameters in the process. The following are examples of supported semi-transparent load balancing scenarios: •...
  • Page 368 Redirecting Traffic with a Semi-Transparent Server and Return to Proxy When redirecting traffic with a semi-transparent server, the client traffic is redirected to a VAS server group through a proxy server, changing the destination IP and destination port. By using reverse session, an opposite entry is added to the session table so that the return traffic matches its source MAC address and is redirected to the VAS server group.
  • Page 369 (Redirect to Real Server Group 10) >> Filter 10# group 10 (To any VLAN) >> Filter 10# vlan any (Enable the filter) >> Filter 10# ena 2. Configure Filter 10 to enable the Redirect to Proxy option.
  • Page 370 Redirecting Traffic with a Semi-Transparent Server When redirecting traffic with a semi-transparent server, the client traffic is redirected to a VAS server group, which changes the server source port. By using reverse session, an opposite entry is added to the session table so that the return traffic matches its source MAC address and is redirected to the VAS server group.
  • Page 371: Non-Transparent Load Balancing

    Non-Transparent Load Balancing Alteon continues to support non-transparent load balancing. When employing non-transparent load balancing, Alteon redirects the traffic and returns it to the client and changes one or more source or destination parameters in the process. The following is an example of a supported non-transparent load balancing scenario.
  • Page 372 Figure 57: Redirecting Traffic with a Non-Transparent Server To redirect traffic with a non-transparent server 1. Configure Filter 10 to redirect traffic to Real Server Group 10 (VAS server).
  • Page 373: Mac-Based Filters For Layer 2 Traffic

    For example, you can define separate filters for Customers A and B on the same Alteon on two different VLANs. If VLANs are assigned based on data traffic, for example, ingress traffic on VLAN 1, egress traffic on VLAN 2, and management traffic on VLAN 3, filters can be applied accordingly to the different VLANs.
  • Page 374 Figure 58: Example VLAN-Based Filtering Configuration To configure VLAN-based filtering This procedure is based on Figure 58 - Example VLAN-Based Filtering Configuration, page 374. Note: While this example is based on IP traffic, VLAN-based filtering can also be used for non-IP traffic by specifying smac and dmac criteria instead of sip and dip.
  • Page 375 >> Filter 3# ena 3. Configure Filter 2048 to deny traffic and then assign VLAN 70 to the filter. As a result, ingress traffic from VLAN 70 is denied entry to Alteon. (Select the menu for Filter 2048) >> # /cfg/slb/filt 2048 (From any source IP address) >>...
  • Page 376: Filtering On 802.1P Priority Bit In A Vlan Header

    Filtering on 802.1p Priority Bit in a VLAN Header Alteon lets you filter based on the priority bits in a packet's VLAN header. The priority bits are defined by the 802.1p standard within the IEEE 802.1Q VLAN header. The 802.1p bits, if present in the packet, specify the priority that should be given to packets during forwarding.
  • Page 377: Persistence For Filter Redirection

    Persistence for Filter Redirection The persistence feature ensures that all connections from a specific client session reach the same real server. Alteon provides the following options for persistence when using filter redirection: • Layer 3/4 persistence—The hash is based on Layer 3/4 session parameters. You can choose...
  • Page 378 2. Set the metric for the real server group to minmiss or hash. The source IP address is passed to the real server group for either of the two metrics.
  • Page 379: Filter-Based Security

    Figure 59: Filter-Based Security Configuration Example In this example, the network is made of local clients on a collector Alteon, a Web server, a mail server, a domain name server, and a connection to the Internet. All the local devices are on the same subnet.
  • Page 380 • Filtering is not limited to the few protocols and TCP or UDP applications shown in this example. See Well-Known Application Ports, page 175 for a list of well-known application ports.
  • Page 381 (Provide a descriptive name for the matching traffic filter) >> Filter 1# name allow (Enable the filter) >> Filter 1# ena 5. Create a pair of filters to allow incoming and outgoing mail to and from the mail server.
  • Page 382 7. Create a filter that allows local clients to telnet anywhere outside the local intranet. The filter must recognize and allow TCP traffic to reach the local client destination IP addresses if...
  • Page 383 >> SLB Port 5# add 2048 (Enable filtering for port 5) >> SLB Port 5# filt enable Alteon lets you add and remove a contiguous block of filters with a single command. 10. Apply and verify the configuration. >> SLB Port 5# apply >>...
  • Page 384: Network Address Translation

    Operating System Command Reference). Network Address Translation Network Address Translation (NAT) is an Internet standard that enables Alteon to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. Alteon uses filters to implement NAT.
  • Page 385 Figure 60: Static NAT Example To configure static NAT (Select the menu for outbound filter) >> # /cfg/slb/filt 10 (Perform NAT on matching traffic) >> Filter 10# action nat (Translate source information) >>...
  • Page 386: Dynamic Nat

    386, clients on the internal private network require TCP/UDP access to the Internet: Figure 61: Dynamic NAT Example You may directly connect the clients to Alteon if the total number of clients is less than or equal to the number of ports. Note: Dynamic NAT can also be used to support ICMP traffic for PING.
  • Page 387 IP address on Alteon. In addition, the public IP address must be configured as a proxy IP address on the Alteon port that is connected to the internal clients. The proxy performs the reverse translation, restoring the private network addresses on inbound packets.
  • Page 388: Ftp Client Nat

    Alteon can monitor the control channel and replace the client's private IP address with a proxy IP address defined on Alteon. When a client in active FTP mode sends a port command to a remote FTP server, Alteon analyzes the data part of the frame and modifies the port command as follows: •...
  • Page 389: Overlapping Nat

    A proxy IP address for the VLAN must be configured for this to function properly. When there is an overlapping NAT, Alteon does not use the routing table to route the packet back to the sender in Layer 3 mode, due to the overlapping source address. Instead, Alteon uses the VLAN gateway to forward the packet back to the sender.
  • Page 390: Sip Nat And Gleaning Support

    The voice media which gets directed to the private IP address identified in the signaling message cannot be routed and results in a one-way path. Therefore, Alteon allows you to translate the address (using NAT) for the Session Description Protocol (SDP) and create sessions for the media communication.
  • Page 391: Matching Tcp Flags

    Alteon does not regenerate these message digests with the public address. Matching TCP Flags This section describes the ACK filter criteria, which provides greater filtering flexibility. Alteon supports packet filtering based on any of the following TCP flags. Table 32: Supported TCP Flags...
  • Page 392 A filter with the ACK flag enabled prevents external devices from beginning a TCP connection (with a TCP SYN) from TCP source port 25. Alteon drops any frames that have the ACK flag turned off.
  • Page 393 (Enable the filter) >> Filter 10# ena 2. Configure a filter that allows SMTP traffic from the Internet to pass through Alteon only if the destination is one of the Web servers, and the frame is an acknowledgment (SYN-ACK) of a TCP session.
  • Page 394 >> Filter 16 Advanced# ack ena (Match acknowledgments only) >> Filter 16 Advanced# psh ena 4. Configure a filter that allows trusted HTTP traffic from the Internet to pass through Alteon to the Web servers. (Select a filter for incoming HTTP traffic) >>...
  • Page 395: Matching Icmp Message Types

    Table 33 - ICMP Supported Message Types, page 395. Although ICMP packets can be filtered using the proto icmp option, by default, Alteon ignores the ICMP message type when matching a packet to a filter. To perform filtering based on specific ICMP message types, ICMP message type filtering must be enabled.
  • Page 396: Multicast Filter Redirection

    MAC address. In redirection filter processing, Alteon checks the cast type of the destination MAC address in the received packet. If the received packet is a unicast packet, the destination MAC address is replaced with the specified server's MAC address.
  • Page 397: Ipv6 Filtering

    IPv6 Filtering Alteon IPv6 support includes support for filter classification and action up to Layer 4. Layer 7 classification and actions are not supported on IPv6 filters. IPv6 filtering operates in a similar fashion to IPv4 filtering.
  • Page 398 Table 34: IPv6 Filter Configuration Commands Command Menu Supported Commands All 802.1p menu commands. /cfg/slb/filt <filter Number> /adv/ 8021p All Proxy menu commands. /cfg/slb/filt <filter Number> /adv/ proxyadv All Redirection menu commands.
  • Page 399: Content Class Filters For Layer 7 Traffic

    System Command Reference. In earlier versions of Alteon, filters are tied to content rules. The content rules act as a link to virtual services. Alteon version 29 lets you assign content classes to Layer 7 filtering, freeing content rules for use in a classification library.
  • Page 400: Defining A Content Class

    Defining a Content Class This section describes how to define a new content class. To configure a content class 1. Select the cntclss option. >> Main# /cfg/slb/layer7/slb/cntclss 2. Set an ID and class type for the content class.
  • Page 401: Assigning A Content Class To Filters

    WAN router. This ensures that the returning traffic takes the same ISP path as the incoming traffic. RTS is enabled on the incoming WAN ports (port 2 and 7) to maintain persistence for the returning traffic. Data leaves Alteon from the same WAN link that it used to enter, thus maintaining persistency.
  • Page 403: Chapter 16 - Adc-Vx Management

    A vADC is a virtualized instance of the AlteonOS that behaves in the same manner as a traditional Alteon hardware ADC, with the exception that while it is bound to a specific hardware resource, the amount of resources allocated to the vADC may vary based on the user’s or application's resource needs.
  • Page 404 Each vADC comprises a vSP (Virtualized Switch Processor) and a vMP (Virtualized Management Processor), providing the vADCs with their own set of resources, network infrastructure, and services that are completely independent of neighboring vADCs. This enables multiple users to run vADCs and allocate resources to these vADCs without introducing any risk to the other vADCs within the shared physical environment.
  • Page 405: Vadc Management

    The Global Administrator is a superuser that works at a management level above and separate from a vADC Administrator. The Global Administrator manages the physical Alteon resources and uses the physical devices in a data center, is responsible for creating vADC instances, and manages and monitors both system and vADC resource allocation and utilization.
  • Page 406 System Command Reference. For an example procedure, see step Assigning Initial User Access The Global Administrator assigns initial access to vADCs, including the vADC Administrator, using the /cfg/vadc/users/uid menu. For more information, see the Alteon Application Switch Operating System Command Reference. Configuring and Maintaining Management Ports The Global Administrator is responsible for the initial vADC settings, including user access methods.
  • Page 407 Operating System Command Reference. Synchronizing vADCs Environments using ADC-VX usually take advantage of at least one additional Alteon for redundancy purposes. ADC-VX supports solution designs constructed with up to six peers for redundancy and risk distribution. A Global Administrator managing the system is required to define a vADC only once, while the system synchronizes all the settings to one of the peers.
  • Page 408 Backing Up and Restoring vADCs ADC-VX supports multiple backup and restore mechanisms for quick and efficient disaster recovery. vADCs are entities that can be exported and imported in their entirety, similar to virtual machines.
  • Page 409: Vadc Administrator

    Administrator if the Global Administrator allows for this. For more details on configuring and maintaining management ports in the vADC environment, see the section on the /cfg/sys/mmgmt menu in the Alteon Application Switch Operating System Command Reference. Delegating System Services When vADCs are first created by the Global Administrator, all vADCs inherit the system services settings as defined by the Global Administrator.
  • Page 410: Resource Management

    Limiting Resource Consumption of vADCs, page 411. • Disabled (default for Alteon 5412)—Enables sharing of any extra available resources between vADCs. See Sharing Idle Resource Consumption with Other vADCs, page 410. The Global Administrator can switch between these two modes. When changing modes, all vADCs remain active and operational.
  • Page 411: Resource Dashboard

    To share resource consumption of vADCs Access the System menu and disable the limitcu command. >> /cfg/sys/limitcu/disable Limiting Resource Consumption of vADCs Limit (enabled) mode is a resource management mode for handling idle resources. Unlike share mode, in which idle resources can be used by any active vADC, in limit mode idle resources remain unused and vADCs can use only resources assigned specifically to them.
  • Page 412: Accessing The Dashboard

    Accessing the Dashboard The following is the procedure for accessing the resource dashboard. To access the dashboard From the Monitor tab, select Dashboard. The following is an example dashboard display of multiple vADCs, as set for viewing through the...
  • Page 413: Dashboard Charts

    Dashboard Charts The dashboard displays two charts: • Resource utilization (CPU and memory)—This chart consists of two metrics: CPU and memory consumption per vADC. • Service usage of the set limit (in percent)—This chart displays throughput, SSL, and compression consumption per vADC.
  • Page 414 Table 36: Chart Views Chart View Chart Type Behavior Resource Utilization When using filters: Chart • The real-time filter displays real time data. • The hour displays the maximum value of the last hour.
  • Page 415 Table 36: Chart Views (cont.) Chart View Chart Type Behavior Line This displays the CPU utilization. Multiple lines in different colors are used to represent the different vADCs. The following is a sample resource utilization line chart:...
  • Page 416 Table 36: Chart Views (cont.) Chart View Chart Type Behavior Service Utilization Chart Bar When using the tabs: • The System Throughput tab displays the amount of throughput that is used in relation to the limit set by the Global Administrator.
  • Page 417: Settings Menu

    Table 36: Chart Views (cont.) Chart View Chart Type Behavior Service Utilization Chart Line The tool tip displays detailed data per vADC. The following is a sample resource throughput line chart:...
  • Page 418 Figure 66: Dashboard Settings Example 2. Change the following settings as required: Parameter Description Time Value This sets the display increments of the real-time chart. Range: 15—3600 seconds Default: 15 seconds Chart View The chart view affects the way information is selected.
  • Page 419: Basic Adc-Vx Procedures

    200 can use any IP subnet as required by the vADC Administrator. For more details on the vADC Creation Dialog and the vADC Configuration menu, see the section on the /cfg/vadc menu in the Alteon Application Switch Operating System Command Reference.
  • Page 420 Creating a Basic vADC with the Creation Dialog This example creates a basic vADC through the vADC Creation Dialog. The Creation Dialog is invoked whenever you create a new vADC using the...
  • Page 421 To enable delegated services After creating a basic vADC with the Creation Dialog, the Global Administrator can configure additional settings using the vADC menu system. Under the /cfg/vadc/sys menu, for example, the Global Administrator can enable or disable certain system delegated services in order to set the global usage policy, such as centralized logging and SMTP.
  • Page 422 (continued) >> Global - vADC sys/syslog# .. ------------------------------------------------------------ [vADC system services Menu] mmgmt - Management Port Menu peer - Sync Peer Management Port Menu sync - Assign target appliance for configuration sync...
  • Page 423 — Display for the vADC Administrator >> vADC 1 - Syslog# cur Current syslog configuration: Current Syslog Status: Enabled >> vADC 1# sys/radius/cur Current RADIUS status: Enabled Creating a vADC Using the vADC Menu The following is an example procedure for creating a vADC using the vADC menu.
  • Page 424 6. Each vADC requires at least one VLAN assigned to it. A vADC supports any type of interface represented by a VLAN ID. Alteon uses VLAN IDs to represent any type of link, and such links can be associated with a vADC (trunk, dedicated link, VLAN tag on a dot1q trunk, team, shared interface, and so on).
  • Page 425 You can add VLANs using one of the following syntaxes: — vlan1 vlan2 vlan3 (one by one) — vlan1-vlan3 vlan4 (range and list) >> vADC 4# add 101-102 104 Current vADC 4 Layer2 interfaces:...
  • Page 426 Enabling a Newly Created vADC After creating a new vADC either through the Creation Dialog or the vADC menu, you must enable it for it to be functional, as shown in the following example: To enable a newly created vADC >>...
  • Page 427: Resizing Vadc Resources

    The following example displays all vADCs: Resizing vADC Resources You can resize vADC resources by changing the number of capacity units, as shown in the following example. To resize vADC resources (In order to resize >>...
  • Page 428: Assigning A Vlan Shared Interface To A Vadc

    Assigning a VLAN Shared Interface to a vADC When assigning a VLAN that is a shared interface to a vADC, the shared interface must be a dedicated port. For more information on shared interfaces, see...
  • Page 429: Importing The Active Adc Configuration

    >> VLAN 300# shared Current Enabled VLAN sharing: disabled Enter new Enabled VLAN sharing [d/e]: e >> VLAN 300# ena Current status: disabled >> vADC 1# add 300 Current vADC 1 Layer2 interfaces: 100 Pending new vADC 1 Layer2 interfaces: >>...
  • Page 430: Performing A Complete System Recovery

    Performing a Complete System Recovery The Global Administrator can perform a complete system recovery (administrator configuration and vADC files) and restore all current settings. To perform a complete system recovery 1. Access the Active Switch Configuration Restoration menu.
  • Page 431 Enter hostname or IP address of FTP/TFTP/SCP server: 192.168.1.1 Enter name of file on FTP/TFTP/SCP server: OCS Service vADC Enter username for FTP/SCP server or hit return for TFTP server: radware Enter password for username on FTP/SCP server: Enter "scp" or hit return for FTP server:...
  • Page 432: Creating A New Vadc From Configuration Files Of A Physical Adc

    Creating a New vADC from Configuration Files of a Physical ADC The Global Administrator can create a new vADC from the configuration files of a physical, standalone ADC, or replace one or all existing vADCs with the configuration files of a physical, standalone ADC.
  • Page 433: Backing Up The Active Vadc Configuration

    To replace an existing vADC with the configuration files of a physical, standalone ADC 1. Access the Active Switch Configuration Restoration menu. >> /cfg/gtcfg 2. When prompted, configure the following parameters:...
  • Page 434: Backing Up The Vadc Administrator Level Configuration

    Backing Up the vADC Administrator Level Configuration The vADC Administrator can upload the vADC Administrator level configuration of an existing vADC. To upload the vADC Administrator level configuration of an existing vADC 1.
  • Page 435: Backing Up The Entire Administrator Environment

    2. When prompted, configure the following parameters: Enter vADC number: [1-28, all]: Enter hostname or IP address of FTP/TFTP/SCP server: Enter name of file on FTP/TFTP/SCP server: Enter username for FTP/SCP server or hit return for TFTP server:...
  • Page 436: Image Management

    Image Management Alteon can support completely separate and unrelated ADC virtual instances ranging from 10 to 28, whose images and configurations are managed by the Global Administrator. ADC management also includes image management, enabling the Global Administrator to manage both standalone and virtual modes.
  • Page 437 Table 37: Image Formats (Image Format / File Name / Description) ADC-VX Infrastructure Update / AlteonOS-<version>-<platform>-VX.img / This image is an upgrade image for the ADC-VX infrastructure. It is only issued when an update is...
  • Page 438: Image Management In A Standalone Adc

    2. Enter dimage to select the new default image from a list of existing images. >> ADC-VX - Boot Options# dimage ADC Application Images: Version Downloaded Image status vADC IDs -------...
  • Page 439 To load an AlteonOS image This procedure upgrades both ADC-VX and ADC application images with a single operation, whether the system is in standalone or ADC-VX mode. 1. Access the Active Switch Configuration Boot menu.
  • Page 440 To load an ADC application image This procedure uploads an ADC application image for the active standalone ADC, or as an image for one or more vADCs in ADC-VX mode. 1. Access the Active Switch Configuration Boot menu.
  • Page 441 Managing Images for ADC-VX You can add ADC-VX images to the image bank while in standalone mode. In standalone mode, the Global Administrator can prepare the system for the switch to ADC-VX mode by loading the desired ADC-VX infrastructure image.
  • Page 442: Adc-Vx Image Management

    Image Statuses The image status displays the current ADC-VX setup. The following are the image statuses: Caution: You should not remove images that are currently being used by vADCs. Table 38: Image Statuses...
  • Page 443 To load an AlteonOS image 1. Access the Active Switch Configuration Boot menu. >> Global - Main# /boot ------------------------------------------------------------ [Boot Options Menu] single - Switch between ADC-VX and Standalone vadc - Restart selected vADC process...
  • Page 444 >> Global - Boot Options#gtimg Enter image type [all|vx|adc]: adc ADC Application Images: Version Downloaded Image status vADC IDs ------- ---------- ------------ -------- 17:41:28 Sun Jan 13, 2013 Incompatible 28.1.0.0 12:45:39 Wed Mar 31, 2013 Active 28.1.0.2...
  • Page 445 >> Global - Boot Options# gtimg Enter image type [all|vx|adc]: vx ADC-VX Infrastructure Images: Version Downloaded Image status ------- ---------- ------------ 28.1.0.3 17:41:28 Sun Jan 13, 2013 Idle 28.1.0.0 12:45:39 Wed Mar 31, 2013 Active 28.1.0.1...
  • Page 446 >> Global - Boot Options# image Enter image type [vx|adc]: adc ADC Application Images: Version Downloaded Image status vADC IDs ------- ---------- ------------ -------- 17:41:28 Sun Jan 13, 2013 Incompatible 28.1.0.0...
  • Page 447 Upgrading a Group of vADCs You can upgrade a group of vADCs by entering their ID numbers separated by a comma, or entering a range of vADCs. For example, enter 1-10, 25 to upgrade vADCs 1 to 10 and vADC 25. After upgrading, restart all relevant vADCs for the changes to apply.
  • Page 448 Upgrading All vADCs You can upgrade all vADCs by entering the entire range of existing vADCs. For example, enter 1-28. After upgrading, restart all vADCs for the changes to apply. To upgrade all vADCs 1.
  • Page 449 Upgrading the ADC-VX Infrastructure ADC-VX infrastructure is backward- and forward-compatible with AlteonOS. Because of this, when upgrading the ADC-VX infrastructure software, you are not required to re-certify the AlteonOS for multiple applications.
  • Page 450: Switching Between System Modes

    Images inherited from a standalone ADC that are not compatible with ADC-VX display in the ADC application repository as incompatible. Switching Between System Modes The factory-installed Alteon image supports both ADC-VX and standalone modes. You can switch between these two modes using a single command. There are two options for switching between modes: —...
  • Page 451 To switch from standalone to ADC-VX mode 1. Access the Active Switch Configuration Boot menu. >> Standalone ADC - Main# boot [Boot Options Menu] virtual - Switch mode from Standalone to ADC-VX...
  • Page 452: Ha Id Management

    To switch a vADC to a standalone ADC 1. Access the Active Switch Configuration Boot menu. >> Global - Main# /boot ------------------------------------------------------------ [Boot Options Menu] single - Switch between ADC-VX and Standalone...
  • Page 453: What Is An Ha Id

    What is an HA ID? An HA ID is a unique identifier that you use to assign vADC MAC addresses. You use HA IDs for vADCs with different IDs, establishing relationships, and for when an overlapping MAC address is...
  • Page 454 >> Global - vADC 3 system services# haid Enter HA-ID value [0-63]: 1 Current HA-ID value: 3 New HA-ID value: 1
  • Page 455: Chapter 17 - Application Redirection

    Note: To access application redirection functionality, the optional Layer 4 software must be enabled. For more information, see the section on Filtering and Layer 4 in the Alteon Application Switch Operating System Command Reference. Overview Most of the information downloaded from the Internet is not unique, as clients will often access a Web page many times for additional information or to explore other links.
  • Page 456: Cache Redirection Environment

    Cache Redirection Environment Consider the network illustrated in Figure 67 - Network without Application Redirection, page 456, where client HTTP requests begin to regularly overload the Internet router. Figure 67: Network without Application Redirection This network needs a solution that addresses the following key concerns: •...
  • Page 457: Additional Application Redirection Options

    Similar to SLB, the cache real servers are assigned an IP address and placed into a real server group. The real servers must be in the same VLAN and must have an IP route to Alteon that will perform the cache redirection. In addition, the path from Alteon to the real servers must not contain a router.
  • Page 458 2. Install transparent cache software on all three cache servers. 3. Define an IP interface on Alteon. Alteon must have an IP interface on the same subnet as the three cache servers because, by default, Alteon only remaps destination MAC addresses.
  • Page 459 If the transparent proxy operation resides on the host, the well-known port 80 (or HTTP) is probably required. If the transparent proxy occurs in Alteon, make sure to use the service port required by the specific software package.
  • Page 460 9. Create a default filter. In this case, the default filter will allow all non-cached traffic to proceed normally. (Select the default filter) >> Filter 2# /cfg/slb/filt 2048 (From any source IP addresses) >>...
  • Page 461: Delayed Binding For Cache Redirection

    RTSP servers (Real Player and QuickTime), see Real Time Streaming Protocol SLB, page 291. You can also configure Alteon to redirect client requests based on URL content. For information on Layer 7 RTSP Streaming Cache Redirection, see RTSP Streaming Cache Redirection, page 477.
  • Page 462 Configure the IP addresses on all devices connected to Alteon — Configure the IP interfaces on Alteon 2. Configure RTSP cache servers and the IP addresses on Alteon. >> # /cfg/slb/real 1 (Configure RTSP Cache Server 1) >> Real server 1# rip 1.1.1.1 (Enable RTSP Cache Server 1) >>...
  • Page 463 (Add RTSP Cache Server 3 to Group 1) >> Real Server Group 1# add 3 (Add RTSP Cache Server 4 to Group 1) >> Real Server Group 1# add 4 4. Define the group metric for the RTSP cache servers. RTSP supports all the standard load-balancing metrics.
  • Page 464: Ip Proxy Addresses For Nat

    Application redirection is enabled when a filter with the redir action is applied on a port. • With proxy IP addresses configured on ports that use redirection filters, Alteon can redirect client requests to servers located on any subnet. •...
  • Page 465: Excluding Non-Cacheable Sites

    IP address. To prevent such sites from being redirected to cache servers, create a filter that allows this specific traffic to pass normally through Alteon. This filter must have a higher precedence (a lower filter number) than the application redirection filter.
  • Page 466: Content-Intelligent Cache Redirection

    The HTTP 1.0 Pragma: no-cache header is equivalent to the HTTP 1.1 Cache-Control header. By enabling the Pragma: no-cache header, requests are forwarded to the origin server. For cache redirection, at any given time one HTTP header is supported globally on Alteon. This section discusses the following types of cache redirection: •...
  • Page 467 • /product—Any URL that starts with "/product," including any information in the "/product" directory. • product—Any URL that has the string "product". Some of the common noncacheable items that you can configure to add, delete, or modify are: •...
  • Page 468 Configuring URL-Based Cache Redirection This procedure is an example configuration for URL-based cache redirection. To configure URL-based cache redirection 1. Before you can configure URL-based cache redirection, configure Alteon for basic SLB with the following tasks: — Assign an IP address to each of the real servers in the server pool.
  • Page 469 HTTP 1.1 header or the string "Pragma:no cache" in the HTTP 1.0 header to the origin server. >> # /cfg/slb/layer7/redir/nocache {ena|dis} • ena—Alteon redirects all requests that contain the string “Cache-control: no cache” in the HTTP 1.1 header or the string “Pragma:no cache” in the HTTP 1.0 header to the origin server. •...
  • Page 470 The server will handle any files in the ROOT directory: //index.htm /default.asp /index.shtm 5. Apply and save your configuration changes. 6. Identify the defined string IDs. >> # /cfg/slb/layer7/slb/cur For easy configuration and identification, each defined string has an ID attached, as shown in Table 42 - SLB Strings, page 470.
  • Page 471 (Select the menu for Filter #) >> # /cfg/slb/filt <filter number> (From any source IP addresses) >> Filter <filter number> # sip any (To any destination IP addresses) >> Filter <filter number> # dip any (For TCP protocol traffic) >>...
  • Page 472: Http Header-Based Cache Redirection

    This procedure is an example configuration for HTTP header-based cache redirection. To configure Alteon for cache redirection based on the "Host:" header 1. Before you can configure header-based cache redirection, ensure that Alteon is configured for basic SLB (see Server Load Balancing, page 165): —...
  • Page 473 — Define an IP interface. — Define each real server. — Assign servers to real server groups. — Define virtual servers and services. 2. Turn on Layer 7 lookup for the filter.
  • Page 474: Browser-Based Cache Redirection

    Browser-Based Cache Redirection Browser-based cache redirection uses the User-agent: header. To configure browser-based cache redirection 1. Before you can configure browser-based cache redirection, ensure that Alteon is configured for basic SLB: — Assign an IP address to each of the real servers in the server pool.
  • Page 475: Url Hashing For Cache Redirection

    URL. Instead, Alteon uses the Host header field to calculate the hash key. If the Host header field is not present in the HTTP request, Alteon uses the source IP address as the hash key.
  • Page 476 — Client 2 request http://www.radware.com/sales/index.htm is directed to cache server 1. — Client 3 request http://www.radware.com/sales/index.htm is directed to cache server 1. Figure 71: URL Hashing for Application Redirection Hashing on the Host Header Field Only In this example, URL hashing is disabled. When the Host header field alone is used to calculate the hash key, every request for the same host goes to the same cache server, whatever the URL path: —...
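
The two rules above, the nocache handling on page 469 and the hash-key selection on pages 475 and 476, together decide where a request goes. The following added Python example, which is not Alteon's code, models that decision on raw HTTP requests: a request carrying Cache-Control: no-cache or Pragma: no-cache bypasses the caches; otherwise the key is the full URL when URL hashing is enabled, else the Host header, else the client's source IP. The cache server names, the request bytes and the use of CRC32 as the hash are constructed assumptions; Alteon's internal hash function is not documented here, and any stable hash gives the property that matters, that the same key always maps to the same cache server.

```python
"""Added example (not Alteon's code): cache-redirection decision modelled
on raw HTTP requests.  Assumed: CRC32 as the hash, constructed inputs."""
import zlib
from dataclasses import dataclass

ORIGIN = "origin"   # marker for "bypass the caches, go to the origin server"


@dataclass
class Request:
    src_ip: str
    method: str
    url: str            # absolute URL when a Host header was present
    headers: dict       # lower-cased header names -> values


def parse_request(raw: bytes, src_ip: str) -> Request:
    """Minimal parser for the request line and headers of a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if not target.lower().startswith("http") and host:
        target = f"http://{host}{target}"
    return Request(src_ip, method, target, headers)


def bypasses_cache(req: Request) -> bool:
    """The nocache rule: HTTP/1.1 'Cache-Control: no-cache' or HTTP/1.0
    'Pragma: no-cache' means the client insists on a fresh copy from the origin."""
    directives = [d.strip().lower() for d in req.headers.get("cache-control", "").split(",")]
    pragma = req.headers.get("pragma", "").strip().lower()
    return "no-cache" in directives or pragma == "no-cache"


def hash_key(req: Request, urlhash: bool) -> str:
    """Key selection: full URL with URL hashing on; otherwise the Host header;
    otherwise (no Host header at all) the client's source IP address."""
    if urlhash:
        return req.url
    return req.headers.get("host") or req.src_ip


def pick_target(req: Request, caches: list, urlhash: bool, nocache: bool = True) -> str:
    """Return the cache server that should get this request, or ORIGIN."""
    if nocache and bypasses_cache(req):
        return ORIGIN
    key = hash_key(req, urlhash)
    # CRC32 is an assumption standing in for Alteon's hash; what matters is that
    # the same key always maps to the same server.
    return caches[zlib.crc32(key.encode("utf-8")) % len(caches)]


# Constructed sample traffic (not captured from a real Alteon deployment).
CACHES = ["cache1", "cache2", "cache3"]
REQ_SALES = b"GET /sales/index.htm HTTP/1.1\r\nHost: www.radware.com\r\n\r\n"
REQ_SALES_FRESH = (b"GET /sales/index.htm HTTP/1.1\r\nHost: www.radware.com\r\n"
                   b"Cache-Control: max-age=0, no-cache\r\n\r\n")
REQ_LEGACY = b"GET /index.htm HTTP/1.0\r\nPragma: no-cache\r\n\r\n"
REQ_SUPPORT = b"GET /support/index.htm HTTP/1.1\r\nHost: www.radware.com\r\n\r\n"

if __name__ == "__main__":
    for raw, ip in [(REQ_SALES, "10.1.1.2"), (REQ_SALES, "10.1.1.3"),
                    (REQ_SALES_FRESH, "10.1.1.4"), (REQ_LEGACY, "10.1.1.5")]:
        req = parse_request(raw, ip)
        print(ip, req.url, "->", pick_target(req, CACHES, urlhash=True))
```

Two clients asking for the same URL land on the same cache, a no-cache request from either HTTP version goes to the origin, and a request with no Host header falls back to hashing the client address; switching `nocache` off sends even the no-cache request to a cache, which is the behaviour the `dis` setting selects.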
  • Page 477: Rtsp Streaming Cache Redirection

    Figure 72 - RTSP Streaming Cache Redirection, page 477. 1. Before you start configuring this feature, do the following: — Connect each cache server to the Alteon appliance. — Configure the IP addresses on all devices connected to Alteon. — Configure the IP interfaces. Document ID: RDWR-ALOS-V2900_AG1302
  • Page 478 2. Configure RTSP cache servers and the IP addresses. >> # /cfg/slb/real 1 (Configure RTSP Cache Server 1) >> Real server 1# rip 1.1.1.1 (Enable RTSP Cache Server 1) >> Real server 1# ena >>...
  • Page 479 (Enable a default allow filter) >> Filter 2048# ena (Set the action to allow normal traffic) >> Filter 2048# action allow 7. Add and enable the redirection filter to the port.
  • Page 480: Peer-To-Peer Cache Load Balancing

    (Select the Real Server 1) >> # /cfg/slb/real 1 (Add the URL string ID 3) >> Real Server 1# Layer 7/addlb 3 >> Real Server 1 Layer 7 Commands# cfg/slb/real 2 (Add the URL string ID 3) >>...
  • Page 481: Chapter 18 - Health Checking

    — FTP Server Health Checks, page 489—Describes how the File Transfer Protocol (FTP) server is used to perform health checks and explains how to configure Alteon to perform FTP health checks. 489—Explains how to use Post Office Protocol Version 3 —...
  • Page 482: Understanding Health Check Monitoring

    Delivery Controller. Detection of real server failure is critical in ensuring continuous service. Alteon lets you accurately monitor the health and performance (response time) of real servers, and of the applications running on them, using a wide range of health check types.
  • Page 483: Pre-Defined Health Checks

    Health Checking Pre-defined Health Checks Alteon provides out-of-the-box health checks for most popular applications. Pre-defined health checks save time by letting you quickly assign a group health check without first configuring a health check object. Pre-defined health checks cannot be edited (with the exception of WAP health checks) and are meant to be used as is.
  • Page 484: Advanced Server Health Checks

    Advanced Server Health Checks Alteon lets you determine real server availability based on multiple health checks. These checks can monitor different applications and different targets. For example, to determine whether an application server is available, you must test both that the application is running on the server and that the back-end processing servers or databases it depends on are available.
  • Page 485: Link Health Checks

    • SIP Health Checks, page 494 • Script-Based Health Checks, page 495 Link Health Checks Link health checks are performed at Layer 1 (physical link state) and are relevant only for Intrusion Detection System (IDS) servers.
  • Page 486: Icmp Health Checks

    ICMP Health Checks The ICMP health check monitors real server availability by sending an ICMP echo request and waiting for an echo reply with the correct sequence number. A pre-defined ICMP health check is available. User-defined ICMP health checks are only necessary when you want to select non-default timer values or monitor a specific network element.
  • Page 487 Example HTTP Health Checks The following examples show the health checks sent when using HTTP health check configuration inherited from virtual service and group. Note: If content is not specified, the health check is performed using the character.
  • Page 488: Tcp And Udp-Based Dns Health Checks

    Alteon supports the Trivial File Transfer Protocol (TFTP) health check, which uses the TFTP protocol to request a file from the server. At regular intervals, Alteon transmits TFTP read requests (RRQ) to all the servers in the group. The health check is successful if the server successfully responds to the RRQ.
  • Page 489: Ftp Server Health Checks

    • Minimum and maximum value—Specifies the minimum and/or maximum value that a received response may have for the check to be considered successful. Use this when the OID value is of a numeric type (integer, counter, and so on). •...
  • Page 490: Smtp Server Health Checks

    NNTP port (119). RADIUS Server Health Checks Alteon lets you use the Remote Authentication Dial-In User Service (RADIUS) protocol to health check the RADIUS accounting and authentication services on RADIUS servers. RADIUS is stateless and uses UDP as its transport protocol.
  • Page 491: Ssl Hello Health Checks

    Inherit. SSL HELLO Health Checks Alteon can query the health of the SSL servers by sending an SSL client “Hello” packet and then verifying that the response is a valid Server Hello response.
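
What "a valid Server Hello response" means can be stated precisely. The following added Python example, which is not Alteon's implementation, builds the minimal TLS ClientHello such a probe sends and applies the acceptance test on the reply: the first record must be a Handshake record whose first message is a well-formed ServerHello; an Alert record (for example a fatal handshake_failure), an HTTP error banner from a plaintext listener, or a truncated record all fail the check. The single offered cipher suite and the constructed reply bytes are assumptions that keep the example offline; `probe()` is the live form of the same check.

```python
"""Added example (not Alteon's code): TLS ClientHello probe and the ServerHello
acceptance test behind an 'SSL Hello' style health check."""
import os
import socket
import struct

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
TLS1_0, TLS1_2 = b"\x03\x01", b"\x03\x03"


def build_client_hello(client_random: bytes = None) -> bytes:
    """Record header + ClientHello body.  One cipher suite is offered
    (0x002f, TLS_RSA_WITH_AES_128_CBC_SHA, an assumption; the probe only needs
    the server to answer with a ServerHello, not to finish the handshake)."""
    rnd = os.urandom(32) if client_random is None else client_random
    if len(rnd) != 32:
        raise ValueError("client random must be 32 bytes")
    body = (TLS1_2 + rnd
            + b"\x00"                     # session ID length 0
            + b"\x00\x02" + b"\x00\x2f"   # cipher suites: 2 bytes, one suite
            + b"\x01\x00")                # compression methods: 1 byte, null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version TLS 1.0 for compatibility with old server stacks.
    return bytes([HANDSHAKE]) + TLS1_0 + struct.pack("!H", len(handshake)) + handshake


def is_valid_server_hello(data: bytes) -> bool:
    """Accept only a Handshake record whose first message is a complete,
    well-formed ServerHello.  Later messages coalesced into the same record
    (Certificate, ServerHelloDone) are allowed and ignored."""
    if len(data) < 5:
        return False
    ctype, major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE or major != 3:
        return False                       # 0x15 alert, or not TLS at all
    record = data[5:]
    if len(record) < 4:
        return False
    hs_type, hs_len = record[0], int.from_bytes(record[1:4], "big")
    if hs_type != SERVER_HELLO or hs_len > rec_len - 4:
        return False
    body = record[4:4 + hs_len]
    if len(body) != hs_len:                # first message did not arrive in full
        return False
    # ServerHello: version(2) random(32) sid_len(1) sid cipher(2) compression(1) [ext]
    if len(body) < 38 or body[0] != 3:
        return False
    sid_len = body[34]
    return hs_len >= 35 + sid_len + 3


def probe(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Live check: send the ClientHello and judge the first bytes that come back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return is_valid_server_hello(s.recv(4096))


# Constructed replies for offline testing (not captured traffic).
def fake_server_hello(cipher: bytes = b"\x00\x2f", version: bytes = TLS1_2) -> bytes:
    body = version + bytes(32) + b"\x00" + cipher + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


def fake_alert(level: int = 2, description: int = 40) -> bytes:
    """Fatal handshake_failure alert, what a server sends when no suite matches."""
    return bytes([ALERT]) + TLS1_2 + b"\x00\x02" + bytes([level, description])
```

Note that the probe deliberately stops at the ServerHello: it proves the TLS stack on the real server is up and willing to negotiate, not that the certificate is valid, so it should be paired with a content check on the service if certificate expiry is a failure mode you care about.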
  • Page 492: Ldap/Ldaps Health Checks

    2 – Wireless Transport Layer Security Note: In Alteon, all four WAP services are grouped together. If a health check to one of the services fails on a specific real server, then all four WAP services (ports 9200, 9201, 9202, and 9203) are disabled on that real server.
  • Page 493: Windows Terminal Server Health Checks

    The health checks have all the parameters set to Inherit, allowing definition using the group content. The Alteon LDAP health check is supported for LDAP version 2 and 3. The LDAP version used is defined per Alteon by the global flag...
  • Page 494: Rtsp Health Checks

    The protocol initiates call setup, routing, authentication and other feature messages to end-points within an IP domain. Alteon can monitor SIP service using standard SIP OPTIONS health check or Nortel proprietary SIP Ping.
  • Page 495: Script-Based Health Checks

    Script Configuration Examples, page 498 Configuring Script-Based Health Checks You can configure Alteon to send a series of health check requests to real servers or real server groups and monitor the responses. Both ASCII and binary-based scripts, for TCP and UDP protocols, can be used to verify application and content availability.
  • Page 496 ASCII-Based Health Check The following is the general format for ASCII-based health-check: open application_port, protocol-name #(for example: 80, TCP) send request 1 (ascii string) expect response 1 send request 2 expect response 2...
  • Page 497 ” prompt, which is one Enter key stroke. When using the send command, note what happens when you type the send command with the command string. When you type send, press the Enter key and allow Alteon to format the command string (that is, versus...
  • Page 498 Example 4: A TCP-Based Health Check using Binary Content, page 501 Example 1: A Basic ASCII TCP-Based Health Check Configure Alteon to check a series of Web pages (HTML or dynamic CGI scripts) before it declares a real server is available to receive requests.
  • Page 499 Load Balancing (GSLB) site's virtual server IP address was required to be a real server of the local Alteon. Each Alteon sent a health check request to the other virtual servers that were configured on the local device. The health check was successful if there was at least one real server on the remote device that was up.
  • Page 500 Script-based health checking only sends the appropriate requests to the relevant servers. Using the script as shown in Figure 73 - Example Health Checking Script, page 500, the first GET statement is sent only to Real Server 1 and Real Server 2.
  • Page 501 >> /cfg/slb/group <x> /health script3/content none >> /cfg/slb/advhc/script 3 open "53,udp" bsend "53 53 01 00 00 01 00 00" nsend "00 00 00 00 03 77 77 77" nsend "04 74 65 73 74 03 63 6f"...
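
The bsend/nsend strings above are a DNS query written out byte by byte: ID 0x5353, flags 0x0100 (standard query, recursion desired), one question, and a name starting with the labels "www" and "test". This added Python example, which is not Alteon's code, builds that wire format from a name so the hex in the script can be read back, and implements the check an expect step needs on the reply: matching transaction ID, the QR bit set, RCODE zero and at least one answer. The page truncates the queried name after the "test" label, so the example queries a constructed name, www.test.example; the reply bytes are constructed as well, so it runs offline.

```python
"""Added example (not Alteon's code): the DNS query behind a binary UDP
health-check script, and the response check an 'expect' step must apply."""
import struct

TYPE_A, CLASS_IN = 1, 1
FLAG_QR, FLAG_RD = 0x8000, 0x0100


def encode_name(name: str) -> bytes:
    """Wire-format name: a length byte per label, then a terminating zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels are 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = TYPE_A) -> bytes:
    """Header (ID, flags=RD, QDCOUNT=1, AN/NS/AR=0) followed by one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def hexdump(data: bytes) -> str:
    """Same spacing the manual's bsend/nsend strings use."""
    return " ".join(f"{b:02x}" for b in data)


def check_response(query: bytes, response: bytes) -> bool:
    """Success criteria for the probe.  Anything else (no reply, a reply to a
    different ID, SERVFAIL/NXDOMAIN, an echoed query) marks the server down."""
    if len(response) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    (qid,) = struct.unpack("!H", query[:2])
    if rid != qid:                # not the answer to our question
        return False
    if not flags & FLAG_QR:       # QR clear: that is a query, not a response
        return False
    if flags & 0x000F:            # RCODE != 0 (3 = NXDOMAIN, 2 = SERVFAIL, ...)
        return False
    return ancount >= 1


def fake_answer(query: bytes, ip: str, rcode: int = 0) -> bytes:
    """Constructed reply for offline use: echo the question section and add one
    A record whose name is a compression pointer to offset 12."""
    flags = FLAG_QR | FLAG_RD | 0x0080 | rcode        # 0x0080 = recursion available
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query(0x5353, "www.test.example")
    print(hexdump(q))
    print("healthy:", check_response(q, fake_answer(q, "192.0.2.10")))
    print("nxdomain:", check_response(q, fake_answer(q, "192.0.2.10", rcode=3)))
```

Matching the transaction ID is what keeps a late or spoofed reply from marking a dead resolver healthy; using a fixed ID such as 0x5353 in a script is convenient but means the expect string should cover more than the ID alone.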
  • Page 502: Pre-Defined Health Check Summary

    >> # /info/slb/real 1 1: 205.178.13.223, 00:00:5e:00:01:24, vlan 1, port 2, health 4, up real ports: script 2, up, current Pre-defined Health Check Summary The following table details all available out-of-the-box health check objects:
  • Page 503: Failure Types

    Server Failure, page 504 Service Failure If a certain number of connection requests for a particular service fail, Alteon puts the service into the service failed state. While in this state, no new connection requests are sent to the server for this service.
  • Page 504: Server Failure

    When a service on a server is in the service failed state, Alteon continues to send Layer 4 connection requests for the failed service to that server. When Alteon has successfully established a connection to the failed service, the service is restored to the load-balancing algorithm.
  • Page 505: Dsr Health Checks

    IP address. When DSR health checks are selected, the specified health check is sent originating from one of Alteon's configured IP interfaces, and is destined to the virtual server IP address with the MAC address that was acquired from the real server IP address's Address Resolution Protocol (ARP) entry.
  • Page 506: Disabling The Fast Link Health Check

    Disabling the Fast Link Health Check By default, Alteon sets the real server as operationally down as soon as the physical connection to it is down, without waiting for the health check to fail. This behavior may not be advantageous in certain configurations in which a link may go down and then be quickly restored, such as in VPN load balancing.
  • Page 507: Chapter 19 - High Availability

    Chapter 19 – High Availability Alteon supports high availability network topologies through an enhanced implementation of the Virtual Router Redundancy Protocol (VRRP). This chapter describes the following topics: • Virtual Router Redundancy Protocol, page 507 • IPv6 VRRP Support, page 518 •...
  • Page 508: Standard Vrrp Components

    If the owner is not available, the backup becomes the master and takes responsibility for packet forwarding and responding to Address Resolution Protocol (ARP) requests. However, because this Alteon is not the owner, it does not have a real interface configured with the virtual interface router's IP address.
  • Page 509: Vrrp Priority

    To ensure that a decrease in priority causes failover from the current master to the backup virtual router, set the priority of the master Alteon one point higher than the backup. For example, priority 101 for the master, and 100 for the backup. If the master and backup Alteons are set to priorities 110 and 100 respectively, a single port failure only decreases the master's priority to 108.
  • Page 510: Alteon Extensions To Vrrp

    LAN, VRIDs must be unique among all virtual routers, whether virtual interface routers or virtual server routers. Alteon VSRs with a virtual router ID (VRID) greater than 255 use a new packet format, which differs from the standard one in the size and location of the VRID field. When sending advertisements using a VSR with a VRID greater than 255, set the type to 15.
  • Page 511 IP address owner. As the IP address owner, it receives a priority of 255, and is the virtual router master. Alteon 2 is a virtual router backup. Its real interface is configured with an IP address that is on the same subnet as the virtual interface router, but is not the IP address of the virtual interface router.
  • Page 512 00-00-5E-00-01-02 00-00-5E-00-01-04 00-00-5E-00-01-06 When sharing is used, incoming packets are processed by the Alteon on which they enter the virtual router. The ingress Alteon is determined by external factors, such as routing and Spanning Tree configuration. Sharing cannot be used in configurations where incoming packets have more than one entry point into the virtual router.
  • Page 513 /cfg/l3/vrrp/group dis • Up to 16 vrgroups can be configured on a single Alteon. Each vrgroup can contain up to 64 virtual routers assigned with a virtual router number from 1 through 1024. Each virtual router can be configured as a virtual interface router or a virtual service router.
  • Page 514 Alteon changes from master to backup. • If an Alteon is in the backup state, Layer 4 processing is still enabled. If a virtual server is not a virtual router, the backup can still process traffic addressed to that virtual server IP address.
  • Page 515 537. Tracking VRRP Router Parameters Alteon supports a tracking function that dynamically modifies the priority of a VRRP router based on its current state. The objective of tracking is to have, whenever possible, the master bidding processes for various virtual routers in a LAN converge on the same Alteon. Tracking ensures that the selected Alteon is the one that offers optimal network performance.
  • Page 516 VRRP router’s tracking. Alteon allows for the independent failover of individual virtual router groups on the same Alteon. When Web hosting is shared between two or more customers on a single VRRP device, several virtual routers can be grouped to serve the high availability needs of a specific customer.
  • Page 517 543. VRRP Holdoff Timer When an Alteon becomes the VRRP master at power up or after a failover operation, it may begin to forward data traffic before the connected gateways or real servers are operational. Alteon may create empty session entries for the coming data packets and the traffic cannot be forwarded to any gateway or real server.
  • Page 518: Ipv6 Vrrp Support

    3. Alteon intercepts and redirects the traffic based on the HTTP policy of the 10.10.11.x network. 4. The 10.10.10.x network does not appear in the OSPF routing and is accessed only by Alteon. 5. If the link between the first Alteon and the 10.10.11.x network fails, OSPF is not affected because the interface of the 10.10.10.X network is not bound to OSPF.
  • Page 519: Ipv6 Vrrp Packets

    The Advertisement Interval field is a 12-bit field that indicates the advertisement interval in centiseconds (1/100 second). In IPv4 VRRP this is an 8-bit field that specifies the interval in seconds. Note: Radware recommends an interval of 100 (1 second) or greater to avoid a high load on the management CPU. •...
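
The difference in the interval field is easiest to see on the wire. This added Python example, which is not Alteon's code, packs and parses the two advertisement headers: VRRPv2 (RFC 3768, used for IPv4) with its 8-bit interval in seconds, and VRRPv3 (RFC 5798, used for IPv6) with its 12-bit interval in centiseconds, so that a value of 100 in the v3 field parses back as 1 second. The checksum is left zero and not verified, the addresses are constructed, and the Alteon-specific format for VRIDs above 255 described on page 510 is not modelled. `should_preempt` is the backup-state comparison from the RFCs, included because it is the rule the priority values feed into.

```python
"""Added example (not Alteon's code): VRRPv2 and VRRPv3 advertisement headers.
Checksums are left as zero (assumption: keeps the example offline)."""
import ipaddress
import struct

TYPE_ADVERTISEMENT = 1
PRIO_OWNER, PRIO_RELEASE = 255, 0


def pack_vrrp2(vrid: int, priority: int, interval_s: int, addrs: list) -> bytes:
    """RFC 3768 header: ver/type, VRID, priority, count, auth type, adver int (s),
    checksum, IPv4 addresses, 8 bytes of (unused) authentication data."""
    if not 1 <= interval_s <= 255:
        raise ValueError("v2 advertisement interval is 8 bits, in seconds")
    if not 1 <= vrid <= 255 or not 0 <= priority <= 255:
        raise ValueError("VRID and priority are 8-bit fields")
    hdr = struct.pack("!BBBBBBH", (2 << 4) | TYPE_ADVERTISEMENT, vrid, priority,
                      len(addrs), 0, interval_s, 0)
    return hdr + b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + bytes(8)


def pack_vrrp3(vrid: int, priority: int, interval_cs: int, addrs: list) -> bytes:
    """RFC 5798 header: ver/type, VRID, priority, count, rsvd(4)|max adver int(12)
    in centiseconds, checksum, then IPv4 or IPv6 addresses (one family only)."""
    if not 1 <= interval_cs <= 4095:
        raise ValueError("v3 advertisement interval is 12 bits, in centiseconds")
    if not 1 <= vrid <= 255 or not 0 <= priority <= 255:
        raise ValueError("VRID and priority are 8-bit fields")
    packed = [ipaddress.ip_address(a).packed for a in addrs]
    if len({len(p) for p in packed}) > 1:
        raise ValueError("mixed address families in one advertisement")
    hdr = struct.pack("!BBBBHH", (3 << 4) | TYPE_ADVERTISEMENT, vrid, priority,
                      len(addrs), interval_cs & 0x0FFF, 0)
    return hdr + b"".join(packed)


def parse_vrrp(data: bytes, family: int = 4) -> dict:
    """Decode either version; the interval is returned in seconds so the two
    encodings compare directly.  `family` (4 or 6) sizes the v3 address list."""
    if len(data) < 8:
        raise ValueError("short VRRP header")
    version, vtype = data[0] >> 4, data[0] & 0x0F
    vrid, priority, count = data[1], data[2], data[3]
    if vtype != TYPE_ADVERTISEMENT:
        raise ValueError("unknown VRRP message type")
    if version == 2:
        alen, interval_s = 4, float(data[5])
    elif version == 3:
        alen = 4 if family == 4 else 16
        interval_s = (struct.unpack("!H", data[4:6])[0] & 0x0FFF) / 100
    else:
        raise ValueError("unsupported VRRP version")
    raw = data[8:8 + alen * count]
    if len(raw) != alen * count:
        raise ValueError("truncated address list")
    addrs = [str(ipaddress.ip_address(raw[i:i + alen])) for i in range(0, len(raw), alen)]
    return {"version": version, "vrid": vrid, "priority": priority,
            "interval_s": interval_s, "addrs": addrs}


def should_preempt(my_priority: int, my_ip: str, adv: dict, adv_src_ip: str) -> bool:
    """Backup-state rule from both RFCs (with preemption enabled): take over only
    if the advertised priority is lower, or equal with a lower sender address.
    Priority 0 means the master is releasing the role; 255 marks the owner."""
    if adv["priority"] == PRIO_RELEASE:
        return True
    if adv["priority"] == PRIO_OWNER:
        return False
    if my_priority != adv["priority"]:
        return my_priority > adv["priority"]
    return ipaddress.ip_address(my_ip) > ipaddress.ip_address(adv_src_ip)
```

Because a v2 listener reads byte 5 as whole seconds while a v3 sender puts the low byte of a centisecond count there, a v2/v3 mismatch on one LAN silently produces different timer expectations on each side; checking the version nibble first, as the parser does, is the check to keep.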
  • Page 520: Ipv6 Vrrp Information

    2. Assign an IPv6 address to the virtual router. Use the address <IPv6_address> command to assign an IPv6 address to the virtual router. To enable IPv6 support on the virtual router group After IPv6 support has been enabled on the virtual router, enable it on the virtual router group using the command.
  • Page 521: Failover Methods And Configurations

    Radware recommends that you do not allow sharing between the Alteon devices. Without sharing, only the active Alteon performs load balancing. This is a very robust configuration that does not require dedicated interswitch links (ISL), or hotstandby settings on ports.
  • Page 522 1. Disable the Spanning Tree protocol. For more information, see To disable the Spanning Tree protocol, page 523. Using the Spanning Tree protocol or VLANs prevents Layer 2 loops. Radware recommends that you use VLANs. Note: The configuration does not require dedicated interswitch links (ISL), or hotstandby settings on ports.
  • Page 523 (Make your changes active) >> Main# /cfg/l2/stg 1/apply 2. Repeat for other Spanning Tree groups. Alteon supports up to 16 Spanning Tree groups. To enable IP forwarding IP forwarding is enabled by default. Make sure IP forwarding is enabled if the virtual server IP addresses and real server IP addresses are on different subnets, or if the device is connected to different subnets and those subnets need to communicate through the device.
  • Page 524 (Set the VLAN number for the >> Main # /cfg/l3/if 2/vlan 20 interface) 2. On the standby Alteon, configure two more interfaces and associate a different VLAN with each interface. Each interface has a unique IP address. (Name the device interface) >>...
  • Page 525 >> Main # /cfg/l3/vrrp/vr 2/prio 101 router) (Set the virtual router IP address) >> Main # /cfg/l3/vrrp/vr 2/addr 10.10.20.254 2. On the standby Alteon, copy these active Alteon settings, but lower the priority of each virtual router. (Enable VRRP) >> Main # /cfg/l3/vrrp/on (Specify the virtual router number for >>...
  • Page 526 >> Main # /cfg/l3/vrrp/vr 4/prio 101 router) (Set the virtual server IP address) >> Main # /cfg/l3/vrrp/vr 4/addr 10.10.10.200 3. On the standby Alteon, copy these active Alteon settings, but lower the priority of each virtual router. (Enable VRRP) >> Main # /cfg/l3/vrrp/on (Specify the virtual router number for >>...
  • Page 527: Active-Active Redundancy

    (Set tracking to IP interfaces) >> Main # /cfg/l3/vrrp/group/track/if e 2. On the standby Alteon, define the same VRRP group with a lower base priority. (Enable VRRP grouping) >> Main # /cfg/l3/vrrp/group en (Specify the virtual router ID for the >>...
  • Page 528 Each Alteon is active for its own set of services, such as IP routing interfaces or load balancing virtual server IP addresses, and acts as a standby for other services on the other Alteon. If either Alteon fails, the remaining Alteon takes over processing for all services.
  • Page 529 The Alteon device on which a frame enters the virtual server router is the one that processes that frame. The ingress device is determined by external factors, such as routing and STP settings.
  • Page 530 Verify that IP forwarding is enabled 1. Define the IP interfaces. Alteon needs an IP interface for each subnet to which it will be connected so it can communicate with devices attached to it. Each interface needs to be placed in the appropriate VLAN.
  • Page 531 2. Define the VLANs. In this configuration, set up two VLANs: — One for the outside world—the ports connected to the upstream devices, toward the routers (VLAN 3 in Figure 78 - Active-Standby Configuration, page 522).
  • Page 532 Repeat this sequence of commands for the following real servers: — RIP 2—10.10.10.6/24 — RIP 3—20.10.10.5/24 — RIP 4—20.10.10.6/24 — RIP 5—30.10.10.5/24 — RIP 6—30.10.10.6/24 — RIP 7—200.1.1.5/24 — RIP 8—200.1.1.6/24 2.
  • Page 533 Since you want Alteon 1 to be the master router, you need to raise the default virtual router priority (100) to 101 on virtual routers 1 through 4 to force Alteon 1 to be the master for these virtual routers: (Select Virtual Router 1) >>...
  • Page 534 You need a serial cable that is a DB-9 male to DB-9 female, straight-through (not a null modem) cable. b. Connect the cable from a COM port on your computer to the console port on Alteon 1. Open HyperTerminal (or the terminal program of your choice) and connect to the device using the following parameters: Baud: 115200, Data Bits: 8, Parity: None, Stop Bits:1, Flow Control: None.
  • Page 535: Hot Standby Redundancy

    Alteon considers a trunk port failed and changes its priority only when all the ports in the trunk are down. Note: When a hot standby port is not part of a VLAN assigned to a vADC, Alteon does track the port for VRRP priority. This section describes the following topics: •...
  • Page 536 Switch-Centric Virtual Router Group Hot standby requires all virtual routers on an Alteon to fail over together as a group. For more information about the switch-based virtual router groups, see Switch-Based VRRP Groups, page 514.
  • Page 537 (hotstan) approach. Enabling hot standby on a port allows the hot standby algorithm to control the forwarding state of the port. If an Alteon is the master, the forwarding states of the hot standby ports are enabled. If an Alteon is a backup, the hot standby ports are blocked from forwarding or receiving traffic.
  • Page 538 To configure Layer 2 and Layer 3 parameters on Alteon 1 This procedure assumes you have already configured SLB parameters. 1. On Alteon 1, configure the external ports into their respective VLANs as shown in Figure 80 - Hot Standby Configuration, page 537.
  • Page 539 3. Turn off spanning tree. (Disable STG group) >> Main # /cfg/l2/stg 1/off (Make your changes active) >> Spanning Tree Group 1# apply (Save for restore after reboot) >> Spanning Tree Group 1# save 4.
  • Page 540 3. Set VRRP tracking for the ports. If a link on any of the connected ports goes down, the VRRP priority of Alteon decreases and the backup takes over as the master. >> Main # /cfg/l3/vrrp >>...
  • Page 541 .252 (denoting Alteon 2), to .251 (Alteon 1). /c/slb/sync/peer 1 addr 172.16.2.251 — Change the virtual router priority from 100 to 101. This indicates that Alteon 2 is the backup for now. /c/l3/vrrp/group prio 101 4.
  • Page 542: Tracking Virtual Routers

    This behavior is preferred because running one server down is less disruptive than bringing a new master online and severing all active connections in the process. • If Alteon 1 is the master and it has two or more active servers fewer than Alteon 2, then Alteon 2 becomes the master. •...
  • Page 543: Service-Based Virtual Router Groups

    If, at this point, a server fails on Alteon 2, its priority falls by 6, resulting in 119. Because 119 is less than 124, Alteon 1 becomes the master. Its priority results in 129, since it is now the master, while the priority for Alteon 2 drops by 5 more, resulting in 114.
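
The arithmetic in this passage and in the VRRP Priority discussion on page 509 (master at 110 against a backup at 100, where one port failure takes the master only to 108 and no failover occurs; master at 101, where the same failure hands the role to the backup) follows one rule: each router's effective priority is its base priority adjusted by the tracking decrements and increments, and the router with the highest effective priority is master. The following added Python model, which is not Alteon's code, reproduces both passages. The increments it uses (2 per failed tracked port, 6 per failed real server, and 5 for the router currently holding the master role, standing in for what the Tracking Virtual Routers section describes) are assumptions chosen to match the numbers on the page; on Alteon the tracking increments are configurable, and the base priorities below are the page's own.

```python
"""Added example (not Alteon's code): a model of VRRP priority tracking that
reproduces the two worked cases in the text.  Increments are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tracking:
    port: int = 0      # decrement per failed tracked port
    server: int = 0    # decrement per failed tracked real server
    master: int = 0    # increment for the router currently holding the master role


@dataclass
class Router:
    name: str
    base: int
    failed_ports: int = 0
    failed_servers: int = 0
    is_master: bool = False

    def priority(self, t: Tracking) -> int:
        p = self.base - t.port * self.failed_ports - t.server * self.failed_servers
        if self.is_master:
            p += t.master
        return max(1, min(254, p))   # 0 and 255 have reserved meanings in VRRP


def elect(routers: list, t: Tracking) -> "Router":
    """Highest effective priority wins.  The sitting master keeps the role unless
    someone is strictly higher (no preemption on ties); returns the new master."""
    sitting = next((r for r in routers if r.is_master), None)
    best = max(routers, key=lambda r: r.priority(t))
    if sitting is not None and sitting.priority(t) >= best.priority(t):
        best = sitting
    for r in routers:
        r.is_master = r is best
    return best


def port_failure_case(master_base: int, backup_base: int) -> tuple:
    """Page 509: one tracked port fails on the master.  Returns
    (master after the failure, master's priority, backup's priority)."""
    t = Tracking(port=2)
    a = Router("master", master_base, is_master=True)
    b = Router("backup", backup_base)
    elect([a, b], t)
    a.failed_ports = 1
    winner = elect([a, b], t)
    return winner.name, a.priority(t), b.priority(t)


def server_failure_case() -> tuple:
    """This page: Alteon 2 is master at 125 (base 120 plus 5 for holding the
    role) against Alteon 1 at 124; then one real server fails on Alteon 2."""
    t = Tracking(server=6, master=5)
    a1 = Router("Alteon 1", 124)
    a2 = Router("Alteon 2", 120, is_master=True)
    before = (a1.priority(t), a2.priority(t))
    a2.failed_servers = 1
    winner = elect([a1, a2], t)
    return winner.name, before, (a1.priority(t), a2.priority(t))


if __name__ == "__main__":
    print(port_failure_case(110, 100))   # master stays, at 108
    print(port_failure_case(101, 100))   # backup takes over
    print(server_failure_case())         # Alteon 1 at 129, Alteon 2 at 114
```

The model makes the design trade-off on page 509 explicit: a one-point gap between master and backup means any single tracked failure causes a failover, while a ten-point gap absorbs several failures before one occurs; choose the gap against the tracking increments you configure, not in isolation.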
  • Page 544 Service-Based Virtual Router Groups Configuration In this example, if the interface or link to the real server fails for the vrgroup 1 on Alteon 1, then all the virtual routers in vrgroup 1 change to the backup state. At the same time, all virtual routers in vrgroup 1 on Alteon 2 change to the master state.
  • Page 545 These virtual routers are assigned the same IP address as the IP interfaces configured in step resulting in Alteon recognizing these as virtual interface routers (VIRs). In this example, Layer 3 bindings are left in their default configuration (disabled). For an active-standby configuration, sharing is disabled.
  • Page 546 5. Configure virtual server routers 2 and 4. These virtual routers have the same IP addresses as the virtual server IP address. This is how Alteon recognizes that these are virtual service routers (VSRs). For an active-standby configuration, sharing is disabled.
  • Page 547: Ipv6 Vrrp Configuration Examples

    • Server Load Balancing — Ports connected to the Alteon peer directly, or via a Layer 2 device, must have hot standby (/cfg/slb/port hot) enabled. ISL and other ports should not have hot standby enabled.
  • Page 548 Figure 82: Example IPv6 Hot Standby Configuration To configure an IPv6 hot standby configuration 1. Alteon A configuration: — Layer 2 (port and VLAN) and Layer 3 (interface) configuration:
  • Page 549 /cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3 tagged ena pvid 911 /cfg/port 4 tagged ena pvid 911 /cfg/l2/vlan 2 name "server" learn ena 2,3,4 /cfg/l2/vlan 3 name "client"...
  • Page 550 /cfg/l3/if 2 ipver v6 addr 2000:2:2:0:0:0:0:a mask 96 vlan 2 /cfg/l3/if 3 ipver v6 addr 3000:3:3:0:0:0:0:a mask 96 vlan 3 /cfg/l3/if 254 ipver v4 addr 192.168.0.1 mask 255.255.255.0 broad 192.168.0.255 vlan 911 —...
  • Page 551 — General SLB configuration: /cfg/slb /cfg/slb/adv direct ena — IPv6 real server configuration: /cfg/slb/real 1 ena ipver v6 rip 2000:2:2:0:0:0:0:1001 /cfg/slb/real 2 ipver v6 rip 2000:2:2:0:0:0:0:1002 — IPv6 Real Server Group 1 configuration:...
  • Page 552 — Synchronization configuration: /cfg/slb/sync prios d /cfg/slb/sync/peer 1 addr 192.168.0.2 2. Alteon B configuration: — Layer 2 (port and VLAN) and Layer 3 (interface) configuration: /cfg/port 1 pvid 3 /cfg/port 2...
  • Page 553 — Interface configuration: /cfg/l3/if 2 ipver v6 addr 2000:2:2:0:0:0:0:b mask 96 vlan 2 /cfg/l3/if 3 ipver v6 addr 3000:3:3:0:0:0:0:b mask 96 vlan 3 /cfg/l3/if 255 ipver v4 addr 192.168.0.2 mask 255.255.255.0 broad 192.168.0.255...
  • Page 554 — General SLB configuration: /cfg/slb /cfg/slb/adv direct ena — IPv6 real server configuration: /cfg/slb/real 1 ipver v6 rip 2000:2:2:0:0:0:0:1001 /cfg/slb/real 2 ipver v6 rip 2000:2:2:0:0:0:0:1002 — IPv6 Real Server Group 1 configuration:...
  • Page 555: Active-Standby Configuration

    /cfg/slb/sync/peer 1 addr 192.168.0.1 Active-Standby Configuration Figure 83 - Active-Standby Configuration Example, page 555 illustrates an active-standby configuration between two Alteon units. The following are considerations for an IPv6 active-standby configuration: • Layer 2 (port and VLAN) configuration: — Each VLAN must be configured per interface.
  • Page 556 To configure an IPv6 active-standby configuration 1. Alteon A configuration: — Layer 2 (port and VLAN) and Layer 3 (Interface) configuration: /cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3...
  • Page 557 — Default gateway configuration: /cfg/l3/gw 1 ipver v6 addr 3000:3:3:0:0:0:0:c — VRRP configuration: /cfg/l3/vrrp/on /cfg/l3/vrrp/vr 2 ipver v6 vrid 2 if 2 addr 2000:2:2:0:0:0:0:fff0 share dis track l4pts ena /cfg/l3/vrrp/vr 3...
  • Page 558 — IPv6 VIP 1 HTTP Service configuration: /cfg/slb/virt 1 ipver v6 vip 3000:3:3:0:0:0:0:ffff vname "v6http" /cfg/slb/virt 1/service http group 1 — Layer 4 ports configuration: /cfg/slb/port 1 client ena /cfg/slb/port 2 server ena —...
  • Page 559 — Interface configuration: /cfg/l3/if 2 ipver v6 addr 2000:2:2:0:0:0:0:b mask 96 vlan 2 /cfg/l3/if 3 ipver v6 addr 3000:3:3:0:0:0:0:b mask 96 vlan 3 /cfg/l3/if 255 ipver v4 addr 192.168.0.2 mask 255.255.255.0 broad 192.168.0.255...
  • Page 560 — General SLB configuration: /cfg/slb /cfg/slb/adv direct ena — IPv6 real server configuration: /cfg/slb/real 1 ipver v6 rip 2000:2:2:0:0:0:0:1001 /cfg/slb/real 2 ipver v6 rip 2000:2:2:0:0:0:0:1002 — IPv6 Real Server Group 1 configuration:...
  • Page 561: Active-Active Configuration

    Active-Active Configuration Figure 84 - Active-Active Configuration Example, page 561 illustrates an active-active configuration between two Alteons. The following are considerations for an IPv6 active-active configuration: 1. Layer 2 (port and VLAN) configuration: —...
  • Page 562 To configure an IPv6 active-active configuration 1. Alteon A configuration: — Layer 2 (port and VLAN) and Layer 3 (interface) configuration. /cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3...
  • Page 563 — Default gateway configuration: /cfg/l3/gw 1 ipver v6 addr 3000:3:3:0:0:0:0:c — VRRP configuration: /cfg/l3/vrrp/on /cfg/l3/vrrp/vr 2 ipver v6 vrid 2 if 2 addr 2000:2:2:0:0:0:0:fff0 share en track l4pts ena /cfg/l3/vrrp/vr 3...
  • Page 564 — IPv6 VIP 1 HTTP service configuration: /cfg/slb/virt 1 ipver v6 vip 3000:3:3:0:0:0:0:ffff vname "v6http" /cfg/slb/virt 1/service http group 1 — Layer 4 ports configuration: /cfg/slb/port 1 client ena hotstan en...
  • Page 565 2. Alteon B configuration: — Layer 2 (port and VLAN) and Layer 3 (interface) configuration: /cfg/port 1 pvid 3 /cfg/port 2 pvid 2 /cfg/port 3 pvid 911 /cfg/l2/vlan 2 name "server"...
  • Page 566 — VRRP configuration: /cfg/l3/vrrp/on /cfg/l3/vrrp/vr 2 ipver v6 vrid 2 if 2 addr 2000:2:2:0:0:0:0:fff0 share en track l4pts en /cfg/l3/vrrp/vr 3 ipver v6 vrid 3 if 3 addr 3000:3:3:0:0:0:0:ffff share en...
  • Page 567: Virtual Router Deployment Considerations

    — Layer 4 ports configuration: /cfg/slb/port 1 client ena hotstan en /cfg/slb/port 2 server ena hotstan en /cfg/slb/port 3 intersw ena vlan 400 /cfg/slb/port 4 intersw ena vlan 400 — Synchronization configuration:...
  • Page 568: Eliminating Loops With Stp And Vlans

    Figure 86: STP Resolving Cross-Redundancy Loops One drawback to using STP with VRRP is the failover response time. STP could take as long as 45 seconds to re-establish alternate routes after an Alteon or link failure.
  • Page 569: Assigning Vrrp Virtual Router Id

    This provides added synchronization validation but does not require users to enter the IP address of the redundant Alteon for each synchronization. Each VRRP-capable device is autonomous. Alteons in a virtual router need not be identically configured.
  • Page 570: Synchronizing Active/Active Failover

    Radware recommends that the hardware configurations and network sync connections of all Alteons in the virtual router be identical. This means that each Alteon should be the same model, have the same line cards in the same slots (if modular), and have the same ports connected to the same external network devices.
  • Page 571: Stateful Failover Of Persistent Sessions

    For more information about the supported persistence types, see Persistence, page 583. Stateful failover lets you mirror Layer 7 and Layer 4 persistent transactional states on the Alteon peers. Note: Stateful failover is not supported in active-active mode. Also, stateful failover does not synchronize all sessions; it synchronizes only persistent sessions (SSL session ID persistence and cookie-based persistence).
  • Page 572: What Happens When Alteon Fails

    Figure 88 - Stateful Failover Example when the Master Alteon Fails, page 572. The user then clicks Submit to purchase the items. At this time, the active Alteon fails. With stateful failover, the following sequence of events occurs: 1. The backup becomes active.
  • Page 573: Viewing Statistics On Persistent Port Sessions

    Viewing Statistics on Persistent Port Sessions You can view statistics on persistent port sessions using the /stats/slb/ssl command. To determine which Alteon is the master and which is the backup, use the /info/l3/vrrp command. The column on the far right displays Alteon status.
  • Page 574: Service-Based Session Failover

    Current inter-switch processing: disabled Enter new inter-switch processing [d/e]: e Enter new ISL VLAN: 200 Similar to a standalone Alteon, the vADCs must share a broadcast domain in order to send the session updates to the neighboring vADC.
  • Page 575: Operations During Session Mirroring On Reboot

    Figure 89 - Service-Based Session Failover for Hot Standby Configurations, page 575 illustrates a service-based session failover network topology: Figure 89: Service-Based Session Failover for Hot Standby Configurations When a new session is created on the master, the session entry is sent to the backup using NAAP.
  • Page 576: Service-Based Session Failover (Session Mirroring) Limitations And Recommendations

    After the request is sent, the timer routine is disabled with reset flag sfo_sync_req_flg. • On the receipt of the sync message, the master invokes a response timer routine with one second time interval.
  • Page 577: Automate Session Mirroring

    Note: Due to the difference in the amount of physical memory and session capacity between different Alteon models, not all sessions can be synchronized. Session synchronization works correctly if the same model Alteons are used in VRRP HA topologies. Automate Session Mirroring Session mirroring can be automated to synchronize sessions from master to backup at the configured time and frequency.
  • Page 578: Session Failover For Active-Standby Configurations

    Session Failover for Active-Standby Configurations Although group-based VRRP is supported for active-standby configurations, it is not required in order to enable session failover for active-standby configurations. However, group-based VRRP is required in order to enable session failover for hot standby configurations.
  • Page 579 Figure 90: Session Failover for Active-Standby Configurations
  • Page 580: Peer Synchronization

    Alteons that use peer synchronization: Figure 91: Example Peer Synchronization Topology Configuring Peer Synchronization To configure peer synchronization, you must: 1. Configure peer switches (Alteons) for your Alteon (see To configure peers, page 581) 2. Associate the peer switches to vADCs (see...
  • Page 581 You can associate vADCs with the range option. You can enter a combination of single vADCs and ranges of vADCs. For example: 1, 3-5, 8 Note: For a description of these menu options, see the Alteon Application Switch Operating System Command Reference. >> # /cfg/sys/sync/peer...
  • Page 583: Chapter 20 - Persistence

    Overview of Persistence In a typical SLB environment, traffic comes from various client networks across the Internet to the virtual server IP address on Alteon. Alteon then load balances this traffic among the available real servers. In any authenticated Web-based application, it is necessary to provide a persistent connection between a client and the content server to which it is connected.
  • Page 584: Using Source Ip Address

    Cookies are strings passed via HTTP from servers to browsers. Based on the mode of operation, cookies are inserted by either Alteon or the server. After a client receives a cookie, a server can poll that cookie with a GET command, which allows the querying server to positively identify the client as the one that received the cookie earlier.
  • Page 585: Cookie-Based Persistence

    HTTPS traffic only) from the same client to map to the same server, as long as the same group is configured for both services. In Alteon, when the metric configured is hash, phash, or minmisses, persistence may also be maintained to the real server port (rport), in addition to the real server.
  • Page 586: Permanent And Temporary Cookies

    Configuring Cookie-Based Persistence, page 591 Note: When both cookie-based pbind is used and HTTP modifications on the same cookie header are defined, Alteon performs both. This may lead to various application behaviors and should be done with caution. Permanent and Temporary Cookies Cookies can either be permanent or temporary.
  • Page 587: Cookie Formats

    The offset of the cookie value within the cookie string. For security, the real cookie value can be embedded somewhere within a longer string. The offset directs Alteon to the starting point of the real cookie value within the longer cookie string. •...
  • Page 588: Cookie Modes Of Operation

    IP (CIP) value, a 4-byte real server port (RPORT) value, and an 8-byte random client ID value. In this mode, the client sends a request to visit the Web site. Alteon performs load balancing and selects a real server. The real server responds without a cookie. Alteon inserts a cookie and forwards the new request with the cookie to the client.
  • Page 589 New persistent binding for http: cookie New cookie persistence mode: insert Inserted cookie expires after 33 days 2 hours 1 minutes Alteon adds or subtracts hours according to the time zone settings using the /cfg/sys/ntp/ command. When the relative expiration timer is used, ensure the...
  • Page 590 Persistence Passive Cookie Mode In passive cookie mode, when the client first makes a request, Alteon selects the server based on the configured load-balancing metric. The real server embeds a cookie in its response to the client. Alteon records the cookie value and matches it in subsequent requests from the same client.
  • Page 591: Configuring Cookie-Based Persistence

    Figure 95: Rewrite Cookie Mode Note: When Alteon rewrites the value of the cookie, the rewritten value represents the responding server. This means that the value can be used for hashing into a real server ID or it can be the real server IP address.
  • Page 592 — Disable DAM and specify proxy IP addresses on the client ports. (Disable DAM) >> # /cfg/slb/adv/direct disable (Select network Port 1) >> # /cfg/slb/port 1 (Set proxy IP address for Port 1) >>...
  • Page 593: Cookie-Based Persistence Examples

    CLI Capture When you issue the command /cfg/slb/virt <virtual#>/service <service#>/pbind, additional inputs taken from the user are listed in the output: >> Virtual Server 10 http Service# /c/sl/vi 10/ser http/pbind Current persistent binding mode: disabled...
  • Page 594 Select the entire value of the sid cookie as a hashing key for selecting the real server >> # /cfg/slb/virt 1/service 80/pbind cookie passive sid 1 16 dis This command directs Alteon to use the sid cookie, starting with the first byte in the value, and using the full 28 bytes.
  • Page 595: Server-Side Multi-Response Cookie Search

    Rewrite server cookie with the encrypted real server IP address and virtual server IP address If the cookie length is configured to be 28 bytes, Alteon rewrites the cookie value with the encrypted real server IP address and virtual server IP address: >>...
  • Page 596: Proxy Support For Insert Cookie

    • If no session ID is presented by the client, Alteon picks a real server based on the metric for the real server group and waits until a connection is established with the real server and a session ID is received.
  • Page 597: Configuring Ssl Session Id-Based Persistence

    • Session IDs are kept on Alteon until an idle time equal to the configured server timeout (a default of 10 minutes) for the selected real server has expired. Figure 96 - SSL Session ID-Based Persistence, page 597...
  • Page 598: Windows Terminal Server Load Balancing And Persistence

    Windows Terminal Services refers to a set of technologies that allow Windows users to run Windows-based applications remotely on a computer running as the Windows Terminal Server. Alteon includes load balancing and persistence options designed specifically for Windows Terminal Services.
  • Page 599 Figure 97: Windows Terminal Server Load Balancing Network Topology
  • Page 600: Configuring Windows Terminal Server Load Balancing And Persistence

    3. Optionally, enable the WTS userhash. Note: If the dedicated session director does not exist to relate users to disconnected sessions, Radware recommends enabling the userhash functionality to perform this task. >> WTS Load Balancing# userhash enable
  • Page 601: Chapter 21 - Advanced Denial Of Service Protection

    A virus pattern often is a combination of multiple patterns within the IP payload. Alteon can be configured to inspect multiple patterns and locate them at different offsets within the payload.
  • Page 602: Other Types Of Security Inspection

    4. When an attack pattern is matched, Alteon drops this packet, and creates a session so that subsequent packets of the same session (if it is TCP) are also dropped without going through additional rule inspection.
  • Page 603: Configuring Blocking With Ip Access Control Lists

    Configuring Blocking with IP Access Control Lists The following is an example procedure for configuring blocking with IP access control lists. To configure blocking with IP ACLs 1. Add the IP addresses that you want to block.
  • Page 604: Protection Against Common Denial Of Service Attacks

    5. Apply and save the configuration. Viewing DoS Statistics You can view the number of times packets are dropped when a DoS attack is detected on Alteon or on a specific port. When an attack is detected, Alteon generates a message similar to the following: >>...
  • Page 605 To show DoS statistics on all ports where DoS protection is enabled >> /stats/security/dos/dump --------------------------------------------------------------------------- Protocol anomaly and DoS attack prevention statistics for port 1: Protocol anomaly and DoS attack prevention statistics for port 8...
  • Page 606: Viewing Dos Statistics Per Port

    To obtain a brief explanation of each type of detected DoS attack >> /stats/security/dos/help Once DoS protection is enabled on the appropriate ports, Alteon performs checks on incoming packets, as described in Table 50. Table 50: DoS Attacks Detected by Alteon...
  • Page 607 IP options length set, and drops any matching packets. FragMoreDont: An IPv4 packet with the “more” fragments and “don't” fragment bits set. Action: Alteon checks for IPv4 packets with both the “more” fragments and “don't” fragments bits set, and drops any matching packets.
  • Page 608 Table 50: DoS Attacks Detected by Alteon (columns: DoS Attack, Description, Action) FullXmasScan: A TCP packet with all control bits set. Action: Alteon checks for TCP packets with all of the control bits set, and drops any matching packets. FinScan: A TCP packet with only the FIN bit set. Action: Alteon checks for TCP packets with only the...
  • Page 609 (columns: DoS Attack, Description, Action) UDPPortZero: A UDP packet with a source or destination port of zero. Action: Alteon checks for UDP packets with a source or destination port of zero, and drops any matching packets. Fraggle: Similar to a smurf attack, attacks...
  • Page 610: Dos Attack Prevention Configuration

    DoS Attack Prevention Configuration Many of the DoS attacks that Alteon guards against have configurable values associated with them. These values allow Alteon to determine if the packets under inspection are DoS attacks based on additional administrator input. Table 51 outlines these DoS attacks and their associated commands.
  • Page 611: Preventing Other Types Of Dos Attacks

    Use one of the following commands: >> Main# /cfg/security/dos/cur >> Main# /info/security/dos To display a brief explanation of any of the DoS attacks that Alteon guards against >> Main# /cfg/security/dos/help Preventing Other Types of DoS Attacks Table 52 describes how to prevent other types of DoS attacks.
  • Page 612: Time Windows And Rate Limits

    By default, the fastage value is 0. Holddown Periods Alteon monitors the number of new TCP connections (for TCP rate limiting) or UDP/ICMP packets received (for UDP/ICMP rate limiting). When the number of new connections or packets exceeds the configured limit, any new TCP connection requests or UDP/ICMP packets from the client are blocked.
  • Page 613: Udp And Icmp Rate Limiting

    UDP and ICMP Rate Limiting Alteon filters can be configured to perform rate limiting on UDP and ICMP traffic. Because UDP and ICMP are stateless protocols, the maximum threshold (the maxcon command) should be interpreted as the maximum number of packets received from a particular client IP address.
  • Page 614: Configuring Protocol-Based Rate Limiting Filters

    Configuring Protocol-Based Rate Limiting Filters Rate limiting filters are supported on TCP, UDP, or ICMP protocols only. Protocol-based rate limiting can be configured for all filter types (allow, deny, redir, sip, and dip) and parameters. Specify the source IP address and mask options in the Filter Configuration menu to monitor a client or a group of clients.
  • Page 615 Example 2: A Rate Limiting Filter Based on Source IP Address This example illustrates how to define a filter that limits clients with IP address 30.30.30.x to a maximum of 150 TCP connections or 150 UDP or ICMP packets per second.
  • Page 616 Figure 99: Limiting User Service to a Server 1. Configure the following: (Enable the filter) >> # /cfg/slb/filt 100/ena >> Filter 100 # dip 10.10.10.100 >> Filter 100 # dmask 255.255.255.255 (Specify TCP, UDP or ICMP protocol) >>...
  • Page 617: Protection Against Udp Blast Attacks

    3. Apply and save the configuration. Protection Against UDP Blast Attacks Malicious attacks over UDP protocol ports are a common way to bring down real servers. Alteon can be configured to restrict the amount of traffic allowed on any UDP port, thus ensuring that back-end servers are not flooded with data.
  • Page 618: Tcp Or Udp Pattern Matching

    Enter max packet rate per second (1 to 20000000): 5000 Alteon supports up to 5000 UDP port numbers, using any integer from 1 to 65535. For the entire port range, the difference between the highest port number and the lowest port number must be less than or equal to 5000.
  • Page 619 (0). For example, if an offset of 12 is specified, Alteon starts examining the hexadecimal representation of a binary string from the 13th byte. In the IP packet, the 13th byte starts at the source IP address portion of the IP payload.
  • Page 620: Matching Groups Of Patterns

    When a pattern group is applied to a deny filter, Alteon matches any of the strings or patterns within that group before denying and dropping the packet. Up to five (5) patterns can be combined into a single pattern group. Configure the binary or ASCII pattern strings, group them into a pattern group, name the pattern group, and then apply the group to a filter.
  • Page 621 Matching and Denying a UDP Pattern Group The following is an example configuration for matching and denying a UDP pattern group. To match and deny a UDP pattern group 1.
  • Page 622 Current Pattern Match: disabled New Pattern Match: enabled 10. Apply the filter to the client port. If the incoming client requests enter Alteon on port 3, then add this filter to port 3. (Select the client port) >> # /cfg/slb/port 3 (Enable filtering on the client port) >>...
  • Page 623 Matching All Patterns in a Group Alteon is capable of matching on all patterns in a pattern group before the filter denies a packet. Use the matchall command to instruct the filter to match all patterns in the group before performing the deny action.
  • Page 624 To match and deny large packets This configuration is similar to the examples in Matching and Denying a UDP Pattern Group, page 621 and Matching All Patterns in a Group, page 623.
  • Page 625 SLB String BINMATCH=014F, offset=2, depth=0, op=eq, cont 256 STRMATCH=/default.htm offset=44, depth=30, op=eq, cont 256 BINMATCH=0000, offset=6, depth=0, op=gt, cont 256 BINMATCH=4000, offset=6, depth=0, op=lt, cont 256 5. In the Security menu, configure a pattern group and name it something relevant and easy to remember.
  • Page 626: Flexirules For Sip Over Udp Traffic

    14. Apply and save the configuration. FlexiRules for SIP over UDP Traffic FlexiRules control the SIP over UDP traffic going through Alteon and enhance the SIP security in the network. They enable administrators to customize the security policies and set rules. These rules monitor the SIP calls and give the SIP engine the ability to dynamically filter SIP traffic.
  • Page 627 It checks only the dependent rules for a match. Alteon is in the inspection path until it finds a match. When multiple rules are matched, Alteon takes the action of the highest severity rule. If the highest severity rule contains dependent rules, and if the dependent rules are not matched, Alteon takes the action of the next highest severity rule that does not contain dependent rules.
  • Page 628 7. Enable the rule. /cfg/slb/layer7/rule 1/ena 8. Enable SIPs in the filter. /cfg/slb/filt/adv/layer7/sip/sips ena 9. Enable pattern matching in the filter. /cfg/slb/filt/adv/security/pmatch ena 10. Add the filter on the port. Enable the filter on the server port if a reverse lookup for the SIP UDP rule is configured.
  • Page 629 After creating the rules, when Bob calls Sam, Rule 1 and Rule 99 are matched and Alteon takes the action of Rule 99. Alteon takes the action of Rule 1 only when Rule 100 is also matched. Until rule 100 is matched in the return traffic, Alteon rate limits the traffic according to Rule 99.
  • Page 631: Chapter 22 - Wan Link Load Balancing

    Chapter 22 – WAN Link Load Balancing WAN link load balancing lets you configure Alteon to balance user session traffic among a pool of available WAN links. The following sections in this chapter provide conceptual information on WAN link load balancing: •...
  • Page 632: Benefits Of Wan Link Load Balancing

    • Increased reliability—Reliability is increased by providing multiple paths from the clients to Alteon and by accessing a pool of WAN links. If one WAN link fails, the others can take up the additional load. •...
  • Page 633: What Is Load Balancing

    The design of outbound WAN link load balancing is identical to standard redirection, except that Alteon substitutes the source IP address of each frame with the proxy IP address of the port to which the WAN link is connected. This substitution ensures that the returning response traverses the same link.
  • Page 634: Inbound Traffic

    5. The returning request from the Internet uses the same WAN link because the destination IP address responds to the proxy IP address, thereby maintaining persistence. The selected ISP processes the packet. 6. Alteon converts the proxy IP address to the client IP address and the request is returned to the client. Inbound Traffic Inbound traffic is data from an external client on the Internet that enters Alteon to access an internal service, such as corporate Web servers or FTP servers.
  • Page 635 635, the client request enters Alteon via ISP A or ISP B. ISP A is configured as real server 1 and ISP B is configured as real server 2. A virtual server IP address is configured for each ISP and each domain. The virtual server IP addresses for each ISP must be configured in the ISP's address range.
  • Page 636 2. The client query does not exist in the local DNS database. Local DNS queries the Domain Name Server on Alteon. 3. Alteon monitors WAN links and responds with the virtual IP address of the optimal ISP. Note: Radware recommends default gateways for each ISP VLAN to avoid asymmetric routing.
  • Page 637: Configuring Wan Link Load Balancing

    6. The session request egresses from port 1 and port 11 of Alteon where it is then load balanced between the SLB servers. The virtual server IP address for the SLB servers on Alteon is configured as a real server IP address (Real 7 IP: 30.30.30.2).
  • Page 638: Configuration Summary

    ISP. For each ISP link, configure a virtual server IP address per domain. 6. Configure Alteon to behave like a Domain Name Server. This involves defining the domain record name and mapping the virtual server and real server addresses (ISP router) for each WAN link.
  • Page 639: Wan Link Load Balancing Examples

    Figure 104 - Simple WAN Link Load Balancing Example, page 639 illustrates a simple topology with two WAN links. Two ISPs, a server, and a client are directly connected to Alteon. Alteon load balances traffic between the two WAN links for both inbound and outbound traffic.
  • Page 640 1. Assign an IP address to each of the ISP links. The WAN links in any given real server group must have an IP route to Alteon that performs the load balancing functions. For this example, the two ISP links are the following IP addresses on different IP subnets:...
  • Page 641 >> # /cfg/l2/stg 1/port 1257 3. Configure the IP interfaces on Alteon. Alteon must have an IP route to all of the real servers that receive switching services. For load balancing the traffic, Alteon uses this path to determine the level of TCP/IP reach of the WAN links.
  • Page 642 (Select the advanced menu) >> Real server 2 # adv (Disable proxy) >> Real server 2 Advanced# proxy dis 2. Create a group to load balance the WAN link routers.
  • Page 643 Step 4b (Inbound Traffic)—Configure Server Ports For each real server connected to Alteon, assign a real server number, specify its IP address, and enable the real server. Define a real server group and add the real server to the group.
  • Page 644 2. Enable server processing. >> # /cfg/slb/port 1/server ena 3. Enable filtering on server port 1. Filtering is enabled on port 1, because you want Alteon to look up the session table for the transparent load balancing entry. (Select port 1) >>...
  • Page 645 IP address and a real server IP address. The virtual IP address is used to respond to the DNS query for the radware.com domain. The real server IP address is used to measure the ISP load and ISP health. These commands map the two parameters to the ISP link.
  • Page 646 2: WAN Link Load Balancing with Server Load Balancing In this example, Alteon is configured for standard server load balancing. Alteon is configured to load balance the WAN links for both outbound and inbound traffic and perform server load balancing for inbound traffic.
  • Page 647 ISP 2 30.1.1.1 2. Configure the IP interfaces on Alteon. Alteon must have an IP route to all of the real servers that receive switching services. For load balancing the traffic, Alteon uses this path to determine the level of TCP/IP reach of the WAN links.
  • Page 648 >> IP Interface 7# vlan 7 Step 2—Configure the Load Balancing Parameters for ISP Routers On Alteon, configure the ISP routers as if they were real servers, with SLB parameters: real servers, group, metric, and health. 1. Configure IP addresses for WAN link routers.
  • Page 649 2. Create a group to load balance the WAN link routers. (Define a group) >> # /cfg/slb/group 100 (Add real server 1) >> Real Server Group 100# add 1 (Add real server 2) >>...
  • Page 650 Step 4b (Inbound Traffic)—Configure the Internal Network Configure the virtual server IP addresses on Alteon as real server IP addresses. In this example, you will configure two real server IP addresses for each of the two virtual server IP addresses. Then, define a real server group and add the real servers to the group.
  • Page 651 (Add real server 8) >> Real server Group 4# add 4 3. Enable filtering on server port 1. Filtering is enabled on port 1, because you want Alteon to look up the session table for the transparent load balancing entry. (Select port 1) >>...
  • Page 652 Step 5—Configure the Virtual Server IP Address and the Services for Each ISP All client requests are addressed to a virtual server IP address on a virtual server defined on Alteon. Clients acquire the virtual server IP address through normal DNS resolution. In this example, HTTP and FTP are configured as the services running on this virtual server, and this service is associated with the real server group.
  • Page 653 IP address and a real server IP address. The virtual IP address is used to respond to the DNS query for the radware.com domain. The real server IP address is used to measure the ISP load and ISP health. These commands map the two parameters to the ISP link.
  • Page 654 2. Configure an entry for each ISP and specify the virtual and real server (ISP router). (Define entry for ISP 1) >> Domain record 1# entry 1/ena (Select virtual server 1 for ISP 1) >>...
  • Page 655: Health Checking And Multi-Homing

    This is because of how health checking interacts with a load balanced WAN environment. Consider an Alteon that is multi-homed to two service providers. Alteon has WAN link load balancing configured for incoming and outgoing traffic. If the link to the first service provider is removed, the health check for this link does not fail even though the corresponding interface is down.
  • Page 657: Chapter 23 - Firewall Load Balancing

    Chapter 23 – Firewall Load Balancing Firewall Load Balancing (FWLB) with Alteon allows multiple active firewalls to operate in parallel. Parallel operation enables users to maximize firewall productivity, scale firewall performance without forklift upgrades, and eliminate the firewall as a single point-of-failure.
  • Page 658: Basic Fwlb

    Basic FWLB for simple networks—This method uses a combination of static routes and redirection filters and is usually employed in smaller networks. An Alteon filter on the dirty-side splits incoming traffic into streams headed for different firewalls. To ensure persistence of session traffic through the same firewall, distribution is based on a mathematical hash of the IP source and destination addresses.
  • Page 659: Basic Fwlb Implementation

    2. A redirection filter balances incoming requests among different IP addresses. When the client request arrives at the dirty-side Alteon, a filter redirects it to a real server group that consists of a number of different IP addresses. This redirection filter splits the traffic into balanced streams: one for each IP address in the real server group.
  • Page 660 On the dirty-side Alteon, one static route is needed for each traffic stream. For instance, the first static route leads to an IP interface on the clean-side Alteon using the first firewall as the next hop. A second static route leads to a second clean-side IP interface using the second firewall as the next hop, and so on.
  • Page 661: Configuring Basic Fwlb

    VLANs, you must enable the Spanning Tree Protocol (STP) to prevent broadcast loops. 2. Define the dirty-side IP interface. In addition to one IP interface for general Alteon management, there must be one dirty-side IP interface for each firewall path being load balanced. Each must be on a different subnet.
  • Page 662 Real servers in the server groups must be ordered the same on both the clean-side and dirty-side Alteons. For example, if the Real Server 1 IF connects to Firewall 1 for the clean-side server group, then the Real Server 1 IF on the dirty side should be connected to Firewall 1. Selecting the same real server ensures that the traffic travels through the same firewall.
  • Page 663 9. Create the FWLB redirection filter. This filter redirects inbound traffic, load-balancing it among the defined real servers in the group. In this network, the real servers represent IP interfaces on the clean-side Alteon. (Select Filter 15) >> Filter 10# /cfg/slb/filt 15 (From any source IP address) >>...
  • Page 664 11. Add filters to the ingress port. >> SLB Port 5# /cfg/l3/route/ip4 >> IP Static Route# add 10.1.3.1 255.255.255.255 10.1.1.10 >> IP Static Route# add 10.1.4.1 255.255.255.255 10.1.2.10 Note: When adding an IPv4 static route, if you are using FWLB and you define two IP interfaces on the same subnet, where one IP interface has a subnet of the host which is also included in the subnet of the second interface, you must specify the interface.
  • Page 665 You should already have configured a dirty-side IP interface on a different subnet for each firewall path being load balanced. Create two real servers on the clean-side Alteon using the IP address of each dirty-side IP interface.
  • Page 666 7. Configure ports 2 and 3, which are connected to the clean-side of the firewalls, for client processing. (Enable client processing on Port 2) >> Real server group 1# /cfg/slb/port 2/client (Enable client processing on Port 3) >>...
  • Page 667 15. Add the filters to the ingress ports for the outbound packets. Redirection filters are needed on all the ingress ports on the clean-side Alteon. Ingress ports are any that attach to real servers or internal clients on the clean-side of the network. In this case, two real servers are attached to the clean-side Alteon on ports 4 and 5.
  • Page 668: Four-Subnet Fwlb

    In this network, external traffic arrives through both routers. Since VRRP is enabled, one of the dirty-side Alteons acts as the primary and receives all traffic. The dirty-side primary Alteon performs FWLB similar to basic FWLB—a redirection filter splits traffic into multiple streams which are routed through the available firewalls to the primary clean-side Alteon.
  • Page 669: Four-Subnet Fwlb Implementation

    2. FWLB is performed between primary Alteons. Just as with basic FWLB, filters on the ingress ports of the dirty-side Alteon redirect traffic to a real server group composed of multiple IP addresses. This configuration splits incoming traffic into multiple streams.
  • Page 670: Configuring Four-Subnet Fwlb

    Alteon. — Configure the Primary Clean-Side Alteon, page 675—Configure FWLB and SLB groups, and add FWLB redirection filters on the primary clean-side Alteon. — Configure the Secondary Clean-Side Alteon, page 676—Configure VRRP on the primary clean-side Alteon and synchronize the secondary.
  • Page 671 Alteon using normal SLB settings, the routers require a static route to the virtual server IP address. The next hop for this static route is the Alteon Virtual Interface Router (VIR), which is in the same subnet as the routers: Route Added: 10.10.4.100 (to clean-side virtual server) via 195.1.1.9 (Subnet 1...
  • Page 672 The following is an example configuration for a primary dirty-side Alteon. To configure the primary dirty-side Alteon 1. Configure VLANs on the primary dirty-side Alteon. Two VLANs are required. VLAN 1 includes port 25 for the Internet connection. VLAN 2 includes port 26 for the firewall connection, and port 28 for the interswitch connection.
  • Page 673 >> # /boot/reset Configure the Secondary Dirty-Side Alteon The following is an example configuration for a secondary dirty-side Alteon. To configure the secondary dirty-side Alteon Except for the IP interfaces, this configuration is identical to the configuration of the primary dirty-side Alteon.
  • Page 674 2. Configure IP interfaces on the secondary dirty-side Alteon. >> /cfg/l3/if 1 >> mask 255.255.255.0 >> addr 195.1.1.11 >> ena >> /cfg/l3/if 2 >> mask 255.255.255.0 >> addr 10.10.2.11 >> vlan 2 >>...
  • Page 675 Configure the Primary Clean-Side Alteon The following is an example configuration for a primary clean-side Alteon. To configure the primary clean-side Alteon 1. Configure VLANs on the primary clean-side Alteon.
  • Page 676 >> # apply >> # save >> # /boot/reset Configure the Secondary Clean-Side Alteon The following is an example configuration for a secondary clean-side Alteon. To configure the secondary clean-side Alteon 1. Configure VLANs on the secondary clean-side Alteon. >> /cfg/l2/vlan 3 >>...
  • Page 677 Response; 10.10.2.12: #1 OK, RTT 1 msec. Configure VRRP on the Secondary Dirty-Side Alteon The secondary dirty-side Alteon must be configured with the primary as its peer. Once this is done, the secondary Alteon receives the remainder of its configuration from the primary when synchronized in a later step.
  • Page 678 Configure VRRP on the Secondary Clean-Side Alteon In this example, the secondary Alteon uses primary clean-side Interface 1 as its peer. >> # /cfg/l3/vrrp/on >> # /cfg/slb >> # on >>...
  • Page 679 >> # add 20 >> # add 2048 3. Configure VRRP on the primary dirty-side Alteon. VRRP in this example requires two virtual routers: one for the subnet attached to the routers and one for the subnet attached to the firewalls.
  • Page 680 In this case, since two firewalls are used, two addresses are added to the group. The two addresses are the interfaces of the dirty-side Alteon, and are configured as if they are real servers. Note: IF 2 is used on all Alteons whenever routing through the top firewall, and IF 3 is used on all Alteons whenever routing through the lower firewall.
  • Page 681 Free-Metric FWLB, page 683. 2. Create an SLB real server group on the primary clean-side Alteon to which traffic will be load balanced. The external clients are configured to connect to HTTP services at a publicly advertised IP address.
  • Page 682 3. Create the FWLB filters on the primary clean-side Alteon. Three filters are required on the port attaching to the real servers: — Filter 10 prevents local traffic from being redirected.
  • Page 683: Advanced Fwlb Concepts

    >> # share dis >> # ena >> # track >> # ifs ena >> # ports ena 5. Configure the peer on the primary clean-side Alteon. >> # /cfg/slb/sync >> # prios d >> # peer 1 >> # ena >>...
  • Page 684 To configure free-metric FWLB in a basic network 1. On the clean-side Alteon, enable RTS on the ports attached to the firewalls (Ports 2 and 3). Enable filter and server processing on ports 2 and 3 so that the responses from the real server are looked up in the session table.
  • Page 685 Any of the following load-balancing metrics can be used: hash, leastconns, roundrobin, minmiss, response, or bandwidth. See Metrics for Real Server Groups, page 180 for details on using each metric.
  • Page 686: Adding A Demilitarized Zone (Dmz)

    A DMZ is created by configuring FWLB with another real server group and a redirection filter towards the DMZ subnets. The DMZ servers can be connected to Alteon on the dirty side of the firewall. A typical firewall load-balancing configuration with a DMZ is shown in...
  • Page 687: Firewall Health Checks

    To add the filters required for the DMZ (to each Alteon) 1. On the dirty-side Alteon, create the filter to allow HTTP traffic to reach the DMZ Web servers. In this example, the DMZ Web servers use IP addresses 205.178.29.0/24.
  • Page 688 If an Alteon IP interface fails to respond to a user-specified number of pings, it (and, by implication, the associated firewall) is placed in a Server Failed state. When this happens, the partner Alteon stops routing traffic to that IP interface, and instead distributes it across the remaining healthy Alteon IP interfaces and firewalls.
  • Page 689 >> # /cfg/slb/port #/add 2048 In addition to HTTP, Alteon lets you configure up to five (5) different TCP services to listen for health checks. For example, you can configure FTP and SMTP ports to perform health checks. For a list of...
  • Page 691: Chapter 24 - Virtual Private Network Load Balancing

    The Virtual Private Network (VPN) load balancing feature allows Alteon to simultaneously load balance up to 255 VPN devices. Alteon records from which VPN server a session was initiated and ensures that traffic returns back to the same VPN server from which the session started.
  • Page 692: Vpn Load-Balancing Persistence

    VPN device processed the frame by performing a lookup with the source MAC address of the frame. If the MAC address matches a MAC address of a VPN device, Alteon adds an entry to the session table so that reverse traffic is redirected to the same VPN device.
  • Page 693: Vpn Load Balancing Configuration

    IPSec session is bound to a VPN server according to the previously configured load-balancing metrics. VPN Load Balancing Configuration Before you start configuring Alteon for VPN load balancing, do the following: • Configure Alteon with firewall load balancing (FWLB).
  • Page 694 To configure the clean-side Alteon CA 1. Turn off BOOTP. >> # /cfg/sys/bootp dis 2. Define and enable VLAN 2 for ports 25 and 26. >> # /cfg/l2/vlan 2/ena/def 25 26 3.
  • Page 695 >> VRRP VR 2 Priority Tracking# ports ena (Apply the configuration) >> VRRP VR 2 Priority Tracking# apply (Save the configuration) >> VRRP VR 2 Priority Tracking# save 7. Enable SLB on the clean Alteon CA. >> # /cfg/slb/on
  • Page 696 >> # /cfg/slb/port 1/filt ena 12. When dynamic routing protocols are not used, configure a gateway to the external router. >> # /cfg/l3/gw 1/addr 192.168.10.50 13. Apply and save the configuration, and reboot Alteon. >> # apply >> # save >>...
  • Page 697 2. Define and enable VLAN 2 for ports 25 and 26. >> # /cfg/l2/vlan 2/ena/def 25 26 3. Turn off the Spanning Tree Protocol (STP). >> # /cfg/l2/stg #/off 4.
  • Page 698 11. Enable filter processing on the server ports so that the response from the real server will be looked up in VPN session table. >> SLB port 25# /cfg/slb/port 1 /filt ena 12. Apply and save the configuration, and reboot Alteon. >> SLB port 25# apply >> SLB port 25# save >>...
  • Page 699 >> # /cfg/l3/route >> # add 20.0.0.10 255.255.255.255 10.0.0.101 2 >> # add 20.0.0.11 255.255.255.255 10.0.0.102 3 >> # add 20.0.0.20 255.255.255.255 10.0.0.101 2 >> # add 20.0.0.21 255.255.255.255 10.0.0.102 3 6.
  • Page 700 13. Add filters to the ingress port. >> # /cfg/slb/port 1 >> # filt ena >> # add 100/add 110/add 2048 14. Apply and save the configuration, and reboot Alteon. >> # apply >> # save >> # /boot/reset To configure the dirty-side Alteon DB 1.
  • Page 701 3. Turn off Spanning Tree Protocol (STP). >> # /cfg/l2/stg/off 4. Configure IP interfaces 1, 2, and 3. >> # /cfg/l3/if 1/ena/mask 255.255.255.0/addr 192.168.10.11 >> # /cfg/l3/if 2/ena/mask 255.255.255.0/addr 10.0.0.20/vl 2 >>...
  • Page 702 12. Add filters to the ingress port. >> # /cfg/slb/port 1 >> # filt ena >> # add 100/add 110/add 2048 13. Apply and save the configuration and reboot Alteon. >> # apply >> # save >> # /boot/reset To test the configurations and general topology Alteons should be able to perform health checks to each other and all devices should see four real servers.
  • Page 703 Figure 118: Checkpoint Rules for both VPN Devices as seen in the Policy Editor 1. Disconnect the cables (cause failures) to change the available servers that are up >>...
  • Page 704 3. Enter the policy server IP address: 192.168.10.120. You have the option of adding a nickname. 4. Launch a browser (such as Netscape or Internet Explorer) and go to http://30.0.0.100. 5. Enter vpnuser for user name and alteon for the password. A message displays verifying that you were authenticated.
  • Page 705: Chapter 25 - Global Server Load Balancing

    2. From the CLI, enter the command. /oper/swkey You are prompted to enter the license string. If it is correct for this MAC address, Alteon accepts the password, permanently records it in non-volatile RAM (NVRAM), and then enables the feature.
  • Page 706: Dssp Versions

    DSSP Versions By default, DSSP version 1 is enabled. Alteon supports the following DSSP versions: • DSSP version 1—The initial release of DSSP. • DSSP version 2—DSSP version 2 adds support for server response time, CPU use, session availability, and session utilization in the remote site updates.
  • Page 707: How Gslb Works

    • GSLB is easy to deploy, manage, and scale. Alteon configuration is straightforward. There are no complex system topologies involving routers, protocols, and so on. • Flexible design options are provided.
  • Page 708: Gslb Metrics

    3. The Example Inc.'s San Jose DNS tells the local DNS to query the Alteon with GSLB software as the authoritative name server for "www.example.com." 4. The San Jose Alteon responds to the DNS request, listing the IP address with the current best service.
  • Page 709 • Geographical preference—Causes the GSLB-enabled Alteon to select the server based on the same IANA region of the source IP address and the server IP address. This metric does not require remote site updates.
  • Page 710 Metric Preferences Setting metric preferences enables the GSLB selection mechanism to use multiple metrics from a metric preference list. GSLB selection starts with the first metric in the list. It then goes to the next metric when no server is selected, or when more than the required number of servers are selected.
  • Page 711 2. The availability metric must be the first metric configured in the first GSLB rule. For information on rule creation, see Rules, page 710. 3. Enable availability persistence on the backup Alteon (the Alteon that will take over from the primary Alteon) using the following command: /oper/slb/gslb/avpersis <virtual server number> enable Note: This is an operational command that does not survive an Alteon reboot.
  • Page 712: Gslb And Dnssec

    IP address and subnet mask. If Alteon finds the client IP address and mask, it executes the rule. If Alteon does not find the client IP address and mask, it returns a saved GSLB load-balancing decision from the persistence table and stops the process.
  • Page 713: Configuring Basic Gslb

    — Configure the default gateways. 4. Configure Alteon at each site to act as the DNS server for each service that is hosted on its virtual servers. Also, configure the master DNS server to recognize Alteon as the authoritative DNS server for the hosted services.
  • Page 714 (Enable the management port) >> Management Port# ena 2. If you are using the BBI for managing the San Jose Alteon, change its service port. By default, GSLB listens on service port 80 for HTTP redirection. By default, the BBI also uses port 80.
  • Page 715 For example, enter the following command to change the BBI port to 8080: >> # /cfg/sys/access/wport 8080 3. Configure a VLAN for the Internet traffic. (VLAN 101 for Internet) >>...
  • Page 716 1. Assign an IP address to each of the real servers in the local San Jose server pool. The real servers in any real server group must have an IP route to Alteon that will perform the SLB functions. This is most easily accomplished by placing Alteons and servers on the same IP subnet, although advanced routing techniques can be used as long as they do not violate the topology rules.
  • Page 717 Well-Known Application Ports, page 175. 5. On the San Jose Alteon, define the type of Layer 4 traffic processing each port must support. The ports are configured as follows: (Select physical Port 4) >> Virtual server 1# /cfg/slb/port 4 (Enable server processing on Port 4) >>...
  • Page 718 Configure the local San Jose site to recognize the services offered at the remote Denver site. To do this, configure one real server entry on the San Jose Alteon for each virtual server located at each remote site. Since there is only one remote site (Denver) with only one virtual server, only one more local real server entry is needed at the San Jose site.
  • Page 719 (Enable the management port) >> Management Port# ena 2. If you are using the BBI for managing the San Jose Alteon, change its service port. By default, GSLB listens on service port 80 for HTTP redirection. By default, the BBI also uses port 80.
  • Page 720 (VLAN 102 for Internet) >> # /cfg/l2/vlan 102/name internet (Add port 2 to VLAN 102 and enable) >> VLAN 102# add 2/ena Port 2 is an UNTAGGED port and its current PVID is 1.
  • Page 721 >> # apply >> # save 9. Configure the local DNS server to recognize the local GSLB Alteon as the authoritative name server for the hosted services. Determine the domain name that will be distributed to both sites and the hostname for each distributed service.
  • Page 722 (Enable the virtual server) >> Virtual server 1 http service# /cfg/slb/virt 1/ena 5. On the Denver Alteon, define the type of Layer 4 processing each port must support, as follows: (Select physical Port 11) >> # /cfg/slb/port 11 (Enable server processing on Port 11) >>...
  • Page 723 In this step, the local Denver site is configured to recognize the services offered at the remote San Jose site. As before, configure one real server entry on the Denver Alteon for each virtual server located at each remote site. Since there is only one remote site (San Jose) with only one virtual server, only one more local real server entry is needed at the Denver site.
  • Page 724: Configuring A Standalone Gslb Domain

    The remote sites can be other sites configured with an Alteon running GSLB, an Alteon running only SLB, or even a site that uses another vendor's load balancers. An Alteon running GSLB can operate in standalone mode as long as it uses site selection metrics that do not require remote site updates.
  • Page 725 Configuring Basic GSLB, page 713, configure a third site—Tokyo—in standalone mode. Remember that in standalone mode, Alteon does not require SLB configuration of local real servers. 1. Optionally, on the Tokyo Alteon, configure management access and management gateway address. (Management port IP address) >>...
  • Page 726 Following the similar procedure described for San Jose (see To configure the San Jose Site for GSLB, page 717), configure the Tokyo site as follows: 1. On the Tokyo Alteon, turn on SLB and GSLB. (Select the SLB Menu) >> # /cfg/slb (Activate SLB for Alteon) >>...
  • Page 727 In this step, the local site, Tokyo, is configured to recognize the services offered at the remote San Jose and Denver sites. As before, configure one real server entry on the Tokyo Alteon for each virtual server located at each remote site.
  • Page 728 The round-robin algorithm for the DNS server can be disabled. To configure a Microsoft Windows 2003 DNS Server The DNS server is configured to resolve a domain name (e.g., “geored.com”) into the active Alteon virtual IP address, which represents the active MCS system (Alteon1 VIP1, Alteon1 VIP2, or Alteon2 VIP1, Alteon2 VIP2).
  • Page 729 Figure 122: DNS Console 6. Set TTL equal to 10 seconds for records of zone “com”. 7. Disable the round-robin algorithm for the server as shown in Figure 123 - ZDEDIC-5 Properties Window, page 729.
  • Page 730: Master/Slave Dns Configuration

    Master/Slave DNS Configuration The following is the DNS configuration for a GSLB setup where each site contains a master and slave: 1. Add the first resource record, FQDN—Alteon1 (site1 master) interface IP address (set by the command ), where IP address is the Alteon1 interface IP address.
  • Page 731: Configuring Time-Based Rules

    Configuring Time-Based Rules This section explains how to configure time-based rules. To configure the first time-based rule Using the base configuration Configuring Basic GSLB, page 713, you can define a new time-based rule for certain networks, as follows: 1.
  • Page 732: Using The Availability Metric In A Rule

    >> # /cfg/slb/gslb/net 48/sip 48.0.0.0/mask 240.0.0.0/addreal 2/en >> # /cfg/slb/gslb/rule 4/start 18 00/end 7 00/ena >> # /cfg/slb/gslb/rule 4/metric 1/gmetric network/addnet 48 >> # /cfg/slb/gslb/rule 4/metric 2/gmetric geographical >> # /cfg/slb/gslb/rule 4/metric 3/gmetric random 1.
  • Page 733: Configuring Gslb Network Preference

    Client A, with a source IP address of 205.178.13.10, initiates a request that is sent to the local DNS server. The local DNS server is configured to forward requests to the DNS server at Site 4. Alteon at Site 4 looks up its network preference and finds that Client A prefers to connect to Sites 1 or 3.
  • Page 734: Configuring Gslb With Client Proximity

    DNS response with only the virtual server IP address of Site 1, if Site 1 has less load than Site 3. Configuring GSLB with Client Proximity Using GSLB with the client proximity metric, Alteon selects the optimal site for the end-client. This is based on calculated shortest response time from site to site in GSLB mode. The GSLB client proximity metric calculates the response time between each data center site and end-client in Layer 7.
  • Page 735: Configuring Static Client Proximity

    2. The local DNS server queries the upstream DNS server on Alteon. 3. The Site A Alteon receives a DNS request and acts as the authoritative DNS. Site A responds to the DNS request with a Site A VIP address according to the DNS GSLB configured metric.
  • Page 736 In the client proximity table, the static client proximity entries are set to Site C as the closest. Note: When the closest site is down, the client is redirected to the next closest site. In...
  • Page 737 (Add remote Real Server 2—Site B) add 2 (Add remote Real Server 3—Site C) add 3 6. Enable client and server processing. (Enable server processing) >> # /cfg/slb/port 1...
  • Page 738 11. Configure a static entry for client network 20.0.0.0. >> # /cfg/slb/gslb/network 3 sip 20.1.1.10 mask 255.0.0.0 addvirt 1 30 (Least preferred site) addreal 2 20 (Most preferred site)
  • Page 739 6. Enable client and server processing. (Enable server processing) >> # /cfg/slb/port 1 server ena (Enable client processing) >> # /cfg/slb/port 8 (Enable server processing for health client ena...
  • Page 740 11. Configure a static entry for client network 20.0.0.0. >> # /cfg/slb/gslb/network 3 ena sip 20.1.1.10 mask 255.0.0.0 addvirt 1 20 (Most preferred site) addreal 2 10 (Least preferred site)
  • Page 741 6. Enable client and server processing. (Enable server processing) >> # /cfg/slb/port 1 server ena (Enable client processing) >> # /cfg/slb/port 8 client ena (Enable server processing for health...
  • Page 742: Configuring Dynamic Client Proximity

    2. The local DNS server queries the upstream DNS server on Alteon. 3. The Site A Alteon receives a DNS request and acts as the authoritative DNS. Site A responds to the DNS request with a Site A VIP address according to the DNS GSLB configured metric.
  • Page 743: Configuring Gslb With Dnssec

    3. Associate the ZSK and KSK with a DNS zone. 4. Export the KSK Delegation Signer (DS) to the parent of the zone. For example, if you have a domain called mywebhosting.radware.com, the parent of the domain resides in radware.com.
  • Page 744 2. Create a Key Signing Key (KSK) and define its parameters. >> Main# /cfg/slb/gslb/dnssec/key Enter key id: examplekey >> Key examplekey# generate Enter key type [zsk | ksk]: ksk...
  • Page 745 5. Export the KSK as text using the DS option. >> Main# /cfg/slb/gslb/dnssec/export Select key ID to export: examplekey Enter component type to export [Key|DNSKEY|ds-record]: ds-record Exporting [ZSK | KSK] examplekey in PEM format.
  • Page 746: Dnssec Key Rollover

    Preventing Expiration of KSK or ZSK in Rollover Situations Alteon includes a DNS key rollover mechanism for preventing expiration. The following information is relevant when the ZSK and the KSK are assigned to the same zone. The goal of an automatic rollover process is that the created key is published and RRs are signed before the old key is revoked.
  • Page 747 The expiration period is the period for which the key is valid (for example, one month). The rollover period is defined in Alteon as the period during which the rollover will be finished before the key expiration period starts. When entering the value, ensure that it is valid and does not overlap with the expiration date.
  • Page 748 Emergency Rollovers Emergency rollover is an administrator action. When an emergency KSK rollover is enabled, Alteon waits for the DS record to be signed by the parent. The timer waits a pre-defined period (KSK Rollover Phase timer). If the administrator does not ensure that the DS was signed, a warning is issued that the DNSSEC service might be disturbed.
  • Page 749: Importing And Exporting Keys

    4. The system administrator is notified through SNMP, console, or e-mail that a new emergency KSK has been created. 5. The KSK rollover is counted to zero. 6. The RR of the Parent must point to the new DNSKEY.
  • Page 750 3. The following is an example set of parameters to enter at each prompt: Select key id: 12 Enter key type (KSK or ZSK) [KSK|ZSK] [ZSK]: zsk Enter key passphrase:...
  • Page 751 3. The following is an example set of parameters to enter at each prompt: Note: The export type DS format is for KSK export only. For more information on DNSSEC export types, see the Alteon Application Switch Operating System Command Reference. Enter key id: 45 Enter component type to export...
  • Page 752: Deleting Keys

    DNSSEC authenticates denial of existence by using NSEC and NSEC3 records. An NSEC is used to prove that a name does not exist. When a record does not exist, the DNS server (Alteon) answers with an NSEC DNS signature using the closest lexicographic name of the request.
  • Page 753: Configuring Gslb With Proxy Ip For Non-Http Redirects

    Configuring GSLB with Proxy IP for Non-HTTP Redirects Typically, client requests for HTTP applications are redirected to the location with the best response and least load for the requested content. The HTTP protocol has a built-in redirection function that allows requests to be redirected to an alternate site.
  • Page 754 Figure 126: HTTP and Non-HTTP Redirects
  • Page 755: How Proxy Ip Works

    2. The Site 2 Alteon rewrites the request such that it now contains a client proxy IP address as the source IP address, and the virtual server IP address at Site 1 as the destination IP address.
  • Page 756: Configuring Proxy Ip Addresses

    Configuring Proxy IP Addresses Alteon at Site 1 in San Jose is configured with port 6 connecting to the default gateway and Real Server 3 represents the remote server in Denver. To configure the proxy address at Site 1 in San Jose for the remote server in Denver 1.
  • Page 757: Configuring Gslb Behind A Nat Device

    Figure 128 - Network with GSLB Configuration Behind NAT Devices, page 757 illustrates a configuration where Alteons at Sites A and B are located behind NAT devices, and Alteon at Site C is not. Figure 128: Network with GSLB Configuration Behind NAT Devices Table 65 summarizes the network configuration.
  • Page 758: Using Border Gateway Protocol For Gslb

    To add a NAT device IPv4 address to an Alteon server 1. Set the network preference to IPv4. >> # /cfg/slb/virt 1/ipver v4 2. Add the service public IP address (NAT) of the device to the Alteon server. >> # /cfg/slb/virt 1/nat >> Virtual Server 1# nat Current NAT IP address: 0.0.0.0...
  • Page 759: Verifying Gslb Operation

    When a particular DNS server receives a request for a record (in this case, Alteon), it returns with the IP address of a virtual server at the same site. This can be done using the...
  • Page 761: Chapter 26 - Bandwidth Management

    2. From the CLI, enter the command. /oper/swkey You are prompted to enter the license string. If it is correct for this MAC address, Alteon accepts the password, permanently records it in non-volatile RAM (NVRAM), and then enables the feature.
  • Page 762: Classification Rules

    • /cfg/slb/virt—Used to configure classifications based on virtual servers. • /cfg/port—Used to configure classifications based on physical ports. Note: For trunking, use /cfg/l2/trunk. • —Used to configure classifications based on VLANs.
  • Page 763 • IP Source Address—All frames have a specified IP source address or range of addresses defined with a subnet mask. • IP Destination Address—All frames have a specified IP destination address or range of addresses defined with a subnet mask.
  • Page 764: Grouped Bandwidth Contracts

    40 Mbps each. Together, the total rate limit of the member contracts is 100 Mbps. If a particular contract is not using its full bandwidth allocation, Alteon reallocates the bandwidth to the other members of the contract group by polling bandwidth statistics every second, and recalculating the bandwidth allocation.
  • Page 765: Ip User Level Contracts For Individual Sessions

    The user limit policy monitors the amount of bandwidth used per second, and drops any traffic that exceeds the configured limit. To monitor a user's bandwidth, Alteon creates an IP user entry that records the source or destination IP address, and the amount of bandwidth used.
  • Page 766: Policies

    The user limit configured for a contract is the limit for one egress Switch Processor (SP) rather than the entire Alteon. For example, if a contract is configured for a user limit of 64 kbps, and traffic for a user (IP address) is egressing port 1 (SP 1) and port 20 (SP 2), that user (IP address) is restricted to 64 kbps egressing on port 1 and 64 kbps egressing out on port 20.
  • Page 767: Enforcing Policies

    Rate Limiting A rate limiting contract is controlled by metering the traffic that egresses from Alteon. If the egress rate is below the configured rate limit (hard limit) for the port, the traffic is transmitted immediately without any buffering. If the egress rate is above the configured rate limit the traffic above the rate limit is dropped.
  • Page 768: Application Session Capping

    (CIR) or reserved limit information rates never exceeds the link speeds associated with ports on which the traffic is transmitted. If the total CIRs exceed the outbound port bandwidth, Alteon performs a graceful degradation of all traffic on the associated ports. Soft limit For traffic shaping contracts, this is the desired bandwidth rate—that is, the...
  • Page 769: Rate Limiting Timeslots

    Application session capping is especially relevant in today's world of peer-to-peer applications that require a large amount of network bandwidth. It enables the administrator to cap the number of sessions of an application assigned to each user. In this way, peer-to-peer (and other such non-business applications) can be limited or completely eliminated on the network.
  • Page 770: Data Pacing For Traffic Shaping Contracts

    CIR is hit. If the CIR is overcommitted among all the contracts configured for Alteon, graceful degradation reduces each CIR until the total bandwidth allocated fits within the total bandwidth available.
  • Page 771: Bandwidth Management Information

    The MP maintains global statistics, such as total octets, and a window of historical statistics. When the history buffer of 128K is about to overflow, it can be sent from Alteon using either an e-mail or a direct socket transfer mechanism.
  • Page 772: Statistics And Management Information Bases

    /cfg/bwm/cont <x>/wtos enables or disables overwriting of the IP TOS. The actual values used by Alteon for overwriting TOS values (depending on whether traffic is over or under the soft TOS limit) are set in the bandwidth policy menu (/cfg/bwm/pol <x>) with the...
  • Page 773: Contract-Based Packet Mirroring

    Additional BWM Configuration Examples, page 776. To configure Bandwidth Management 1. Configure Alteon as you normally would for SLB. Configuration includes the following tasks: — Assign an IP address to each of the real servers in the server pool. —...
  • Page 774 For more information about SLB configuration, see Server Load Balancing, page 165. 2. Enable BWM. >># /cfg/bwm/on Note: If you purchased the Bandwidth Management option, be sure to enable it by typing and entering the license string.
  • Page 775 7. On Alteon, select a BWM contract and, optionally, a name for the contract. Each contract must have a unique number from 1 to 256. >> Policy 1# /cfg/bwm/cont 1 >> BWM Contract 1# name BigCorp 8.
  • Page 776: Additional Bwm Configuration Examples

    15. On Alteon, save your new configuration changes. >> Bandwidth Management# save 16. On Alteon, check the BWM information. (View BWM information) >> Bandwidth Management# /info/bwm <contract number> (View BWM statistics) >>...
  • Page 777 >> Policy 1# soft 4 (Set committed information rate) >> Policy 1# resv 3 3. On Alteon, select a BWM contract and name the contract. Each contract must have a unique number from 1 to 1024. >> Policy 1# /cfg/bwm/cont 1 >>...
  • Page 778 1. Ensure BWM is enabled on Alteon. >> /cfg/bwm/on 2. Configure Alteon as you normally would for SLB. Configuration includes the following tasks: — Assign an IP address to each of the real servers in the server pool.
  • Page 779 (Select BWM Policy 1) >> # /cfg/bwm/pol 1 (Set "never exceed" rate) >> Policy 1# hard 10M (Set desired bandwidth rate) >> Policy 1# soft 5M (Set committed information rate) >> Policy 1# resv 1M 4.
  • Page 780 If the number of octets is below the value of the contract (10 Mbps), a session is created on Alteon that records the student's IP address, the egress port number, and the contract number, as well as the number of octets transferred for that second. The session updates the number of octets being transferred every second, thus maintaining traffic within the configured user limit of 64 kbps.
  • Page 781 In this example, there are two Web sites, "A.com" and "B.com." BWM is configured to give preference to traffic sent to Web site "B.com:" 1. Configure Alteon as you normally would for SLB. Configuration includes the following tasks: — Assign an IP address to each of the real servers in the server pool.
  • Page 782 For more information about SLB configuration, refer to Server Load Balancing, page 165. Note: Ensure BWM is enabled on Alteon (/cfg/bwm/on). 2. Select bandwidth Policy 1. Each policy must have a number from 1 to 512.
  • Page 783 >> BWM Contract 2# ena 12. Create a virtual server that is used to classify the frames for Contract 1 and assign the virtual server IP address for this server. Assign the BWM contract to the virtual server. Repeat this procedure for a second virtual server.
  • Page 784 • Alteon allocates bandwidth based on certain strings in the incoming URL request. For example, if a Web site has 10 Mbps of bandwidth, the site manager can allocate 1 Mbps of bandwidth for static HTML content, 3 Mbps of bandwidth for graphic content and 4 Mbps of bandwidth for dynamic transactions, such as URLs with cgi-bin requests and .asp requests.
  • Page 785 >> Main# /cfg/bwm/pol 1/hard 3M/soft 2M/res 1M >> Policy 1# /cfg/bwm/pol 2/hard 4M/soft 3M/res 2M >> Policy 2# /cfg/bwm/pol 3/hard 1M/soft 500k/res 250k >> Policy 3# /cfg/bwm/pol 4/hard 2M/soft 1M/res 500k 3.
  • Page 786 SLB string ID is the identification number of the defined string as displayed when you enter the command. For example: /cfg/slb/real 2/layer7/addlb 3 8. Either enable Direct Access Mode (DAM) on Alteon or configure a proxy IP address on the client port. To turn on DAM. >> # /cfg/slb/adv/direct ena To turn off DAM and configure a proxy IP address on the client port.
  • Page 787 Figure 133: Cookie-Based Bandwidth Management Note: Cookie-based BWM does not apply to cookie-based persistency or cookie passive/active mode applications. In this example, you assign bandwidth based on cookies. First, configure cookie-based SLB, which is very similar to URL-based load balancing.
  • Page 788 For example: >> # /cfg/slb/real 2/layer7/addlb 4. Either enable DAM on Alteon or configure a proxy IP address on the client port. To turn on DAM: >> # /cfg/slb/adv/direct ena To turn off DAM and configure a Proxy IP address on the client port: >>...
  • Page 789 In this example, a filter is configured to match ping packets, and BWM is configured to prevent DoS attacks by limiting the bandwidth policy rate of those packets: 1. Configure Alteon as usual for SLB (see Server Load Balancing, page 165): —...
  • Page 790 >> Policy 1# buffer 8192 5. On Alteon, select a BWM contract and name the contract. Each contract must have a unique number from 1 to 1024. >> Bandwidth Management# /cfg/bwm/cont 1 >>...
  • Page 791 Note: When configuring time policies, the "To" hour cannot be earlier than the "From" hour, as in a time policy set from 7PM to 7AM. Alteon does not calculate time policies that cross the 24-hour day boundary. 1. Configure three BWM policies for high, low, and default bandwidth. These policies will be applied...
  • Page 792 For example, an Alteon may be connected to a router with high bandwidth of 1 Gbps. However, that router may be connected into a Wide Area Network (WAN) using a T1 line (1.544 Mbps) or a T3 line (44.736 Mbps).
  • Page 793 Example Overwriting the TCP Window Size The TCP window size set in the packet indicates how many bytes of data the receiver of that TCP packet can send without waiting for acknowledgement. In network environments where congestion is a common problem and traffic usually exceeds the configured BWM soft limit in a BWM contract, the TCP window size may be overwritten to better accommodate the prevailing traffic rates.
  • Page 795: Chapter 27 - Xml Configuration Api

    Alteon supports an Extensible Markup Language (XML) configuration application programming interface (API). This support provides a common interface for applications to operate with an Alteon. XML was chosen for its wide adoption and usage. XML is also supported by the Alteon Threat Protection System.
  • Page 796: Xml Configuration File

    Import from text or file in PEM format [text|file] [text]: • Running "gtcert" is allowed only when you access Alteon over SSH; if you are using telnet, you get the following error: FTC1 - ADC-VX - Main# /cfg/sys/access/xml/gtcert Access Denied: This operation can only be performed over a secure connection such as HTTPS “...
  • Page 797: Xml Configuration

    2. Optionally, set the XML transport port number. Since SSL is the transport mechanism for the XML configuration file, the port used by Alteon to receive these files is the SSL port by default. You can change the default by using the following command: >>...
  • Page 798 To display the current client certificate >> Main# /cfg/sys/access/xml/dispcert To enable XML debug operations >> Main# /cfg/sys/access/xml/debug/ enabled Enabling XML debug operations results in all commands in the XML file being displayed on the console with one of the following prefaces: —...
  • Page 799: Chapter 28 - Appshape++ Scripting

    TCP/UDP protocol. AppShape++ Script Repository AppShape++ scripts need to be uploaded to the Alteon repository before they can be used. Up to 1024 scripts are supported. When the Apply command is invoked, all new or edited scripts are validated.
  • Page 800 For more information on how to configure your network for SLB, see Server Load Balancing, page 165. 2. Write the AppShape++ script which will complete the virtual service behavior. Radware recommends using a Tcl-enabled editor. 3. Import the script to Alteon. >> Main # /cfg/slb/appshape/script myscript >>...
  • Page 801: Appendix A - Layer 7 String Handling

    There is also a special string known as any that matches all content. Alteon also supports exclusionary string matching. Using this option, you can define a server to accept any requests regardless of the URL, except requests with a specific string.
  • Page 802: Configuring Exclusionary Url String Matching

    This configuration example illustrates how to configure a server to handle any requests except requests that contain the string "test", or requests that start with "/images" or "/product". To configure exclusionary URL string matching 1. Before you can configure URL string matching, ensure that Alteon has already been configured for basic SLB: —...
  • Page 803: Regular Expression Matching

    Regular expressions are used to describe patterns for string matching. They enable you to match the exact string, such as URLs, hostnames, or IP addresses. It is a powerful and effective way to express complex rules for Layer 7 string matching.
  • Page 804: Configuring Regular Expressions

    • Header hash Using these content types with the "and" and "or" operators, Alteon is configured to refine HTTP-based server load balancing multiple times on a single client HTTP request in order to bind it to an appropriate server. Typically, when you combine two content types with an operator (and/or), URL hash and header hash are used in combination with host, cookie, or browser content types.
  • Page 805: Requirements

    The following are example scenarios for which to use the Content Precedence Lookup feature: • If the client request is sent without a cookie and if no HTTP SLB is configured, then Alteon binds the request to the real server using normal SLB.
  • Page 806: Assigning Multiple Strings

    • HTTP Host and URL SLB—The HTTP Host header takes precedence because it is specified first. Because and is the operator, both a Host Header and URL string are required. If either is not available, the request is dropped.
  • Page 807: String Case Insensitivity

    (a Host Header string and a URL string) for each real server. By default, Alteon supports case-sensitive matching when performing lookup of Layer 7 string content. For example, if the following strings were configured for a real server, any incoming request containing "...
  • Page 808 Select the method by its index number from the list in To view the currently supported HTTP methods, page 807. >> # /cfg/slb/layer7/slb/addmeth 2 The list of supported HTTP methods is updated regularly in Alteon as the HTTP protocol evolves.
  • Page 809: Appendix B - Content-Intelligent Server Load Balancing Not Using Layer 7 Content Switching Rules

    Alteon lets you load balance HTTP requests based on different HTTP header information, such as the "Cookie:" header for persistent load balancing, the "Host:" header for virtual hosting, or the "User-Agent:" header for browser-smart load balancing.
  • Page 810 Figure 137: Requests with ".cgi" in the URL Configuring URL-Based Server Load Balancing To configure URL-based SLB 1. Before you can configure SLB string-based load balancing, ensure that Alteon has already been configured for basic SLB with the following tasks: Note: When URL-based SLB is used in an active/active redundant setup, use a proxy IP address instead of Direct Access Mode (DAM) to enable the URL parsing feature.
  • Page 811 2. Define the strings to be used for URL load balancing. >> # /cfg/slb/layer7/slb/addstr | remstr <l7lkup | pattern> — addstr—Add string or a pattern.
  • Page 812 • /index.shtm 3. Apply and save your configuration changes. 4. Identify the defined string IDs. >> # /cfg/slb/layer7/slb/cur For easy configuration and identification, each defined string is assigned an ID number, as...
  • Page 813: Virtual Hosting

    /manual .jpg Alteon allows individuals and companies to have a presence on the Internet in the form of a dedicated Web site address. For example, you can have a "www.site-a.com" and "www.site-b.com", instead of "www.hostsite.com/site-a" and "www.hostsite.com/site-b." Service providers, on the other hand, do not want to deplete the pool of unique IP addresses by dedicating an individual IP address for each home page they host.
  • Page 814 "www.company-b.com" to Servers 5 through 8. 5. Alteon inspects the HTTP host header in requests received from the client. — If the host header is "www.company-a.com," Alteon directs requests to one of the Servers 1 through 4. — If the host header is "www.company-b.com," Alteon directs requests to one of the Servers 5 through 8.
  • Page 815: Cookie-Based Preferential Load Balancing

    2. Turn on URL parsing for the virtual server for virtual hosting. (Select the virtual IP for host header-based SLB) >> # /cfg/slb/virt 1 (Select the HTTP service) >>...
  • Page 816 Based on one or more of these criteria, you can load balance requests to different server groups. Configuring Cookie-Based Preferential Load Balancing To configure cookie-based preferential load balancing 1. Before you can configure header-based load balancing, ensure that Alteon has already been configured for basic SLB with the following tasks: —...
  • Page 817: Browser-Smart Load Balancing

    If you do not add a defined string (or add the defined string any), the server handles any request. 5. Enable DAM on Alteon or configure proxy IP addresses and enable proxy on the client port. To use cookie-based preferential load balancing without DAM, you must configure proxy IP addresses.
  • Page 818: Configure Slb Strings For Http Redirection

    — Define virtual servers and services. 2. Turn on URL parsing for the virtual server for the "User-Agent:" header. >> # /cfg/slb/virt 1/service 80/http/httpslb browser 3.
  • Page 819 HTTPHDR=Host:www.abc.com, cont 256 HTTPHDR=Host:any:443, cont 256 HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST/nava/toggle.jad, nre, cont 1024 HTTPHDR=Host:mobile.example.com=/4g/w?url=dev.example.com/$URL, nre, cont 1024 1. Configure Alteon with the basic SLB requirements as described in Server Load Balancing Configuration Basics, page 171. 2. Configure the filter strings. >> # /cfg/slb/layer7/slb/ (Add the first SLB string) >>...
  • Page 820 17: HTTPHDR=Host:mobile.example.com=/4g/w?url=$HOST/nava/toggle.jad, nre, cont 1024 18: HTTPHDR=Host:mobile.example.com=/4g/w?url=dev.example.com/$URL, nre, cont 1024 5. Configure a port for client traffic. This configuration assumes client traffic enters Alteon on port 1. Enable filtering on the client port. (Select the SLB Port 1 menu) >> /cfg/slb/port 1 (Enable filtering on the port) >>...
  • Page 821 /wap.p-example.com, then redirect the client request to http://10.168.224.227/top. Assuming that each client is in a different subnet, configure Alteon with three filters to redirect client requests from each subnet, to the URLs specified above. Use the string index numbers in...
  • Page 822 (For TCP protocol traffic) >> Filter 1 # proto tcp Enter protocol or any: udp Pending new protocol: (To destination port HTTP) >>...
  • Page 823 Example TCP Service Port Based HTTP Redirection In this example, Alteon redirects traffic entering Alteon on one TCP service port, and redirects it through another service port. Use the provided string index numbers to configure a redirection map for each filter.
  • Page 824 1. Identify the ID numbers of the defined strings. The strings in bold in the filters defined above are used in this example.
  • Page 825 In this example, Alteon receives a URL request from a mobile client and examines the Multipurpose Internet Mail Extensions (MIME) type header in the URL. If the URL contains a pre-defined MIME type, text, or URL, Alteon replaces the URL. Use the string index numbers to configure a redirection map for the filter.
  • Page 826 1. Identify the ID numbers of the defined strings. The strings in bold are used in this example. >> # /cfg/slb/layer7/slb/cur Number of entries: 14 1: any, cont 256 2: HTTPHDR=Host:wap.example.com, cont 256...
  • Page 827 Apply and save the configuration. >> Layer 7 Advanced# apply >> Layer 7 Advanced# save Example URL-Based Redirection A request for a URL can be redirected to another URL as follows: —...
  • Page 828 2. Configure Filter 7 to redirect the URL as described above. By default, filter protocol is any. Change it to udp. >> /cfg/slb/filt 7 >>...
  • Page 829 Example Source IP from HTTP Header and Host Header-Based Redirection In this example, a filter is configured as follows: — Filter 8—If X-Foo-ipaddress: 10.168.100.* and the request is to http://wap.example.com, then redirect the request to wap.yahoo.com.
  • Page 830 2. Configure Filter 8 redirect URL as described above. By default, filter protocol is any. Change it to udp. >> /cfg/slb/filt 8 >>...
  • Page 831 2. Configure Filter 9 and Filter 10. /c/slb/filt 9 action redir ipver v4 proto tcp dport http /c/slb/filt 9/adv/layer7 l7lkup ena addrd 3>4 /c/slb/filt 10...
  • Page 832 Figure 138: TCP Service Port Based HTTP Redirection 1. Configure the client VLAN. >> Main# /cfg/l2/vlan 2/en/name "Client_VLAN"/add 1 2. Configure the client interface.
  • Page 833 8. Configure Cache Server 1. >> Main# /cfg/slb/re 1/en/ipv v6/rip 2002::11 9. Configure Cache Server 2. >> Main# /cfg/slb/re 2/en/ipv v6/rip 2002::12 10. Add the two cache servers to the real group.
  • Page 835: Appendix C - Ipv6

    This appendix describes the basic configuration and management of IPv6. For IPv6 implementation with specific Alteon features, refer to the appropriate chapters for details on the level of support. This appendix includes the following topics: •...
  • Page 836: Ipv6 Address Format

    Table 71: Differences Between IPv4 and IPv6 Protocols (cont.) IPv4: ICMP Router Discovery is used to determine the IPv4 address of the best default gateway and is optional. IPv6: ICMPv4 Router Discovery is replaced with ICMPv6 Router Solicitation (Discovery) and Router...
  • Page 837: Ipv6 Address Types

    2000 to 3FFF. If the last 64 bits of the address are not configured, Alteon defaults to the EUI-64 (Extended Unique Identifier 64-bit) address format. RFC 3513 defines the expanding of the Ethernet MAC address based on a 48-bit format into a 64-bit EUI-64 format.
  • Page 838: Verifying An Ipv6 Configuration

    To specify the interface number when pinging an IPv6 link-local unicast address >> Main# /info/l3/nbrcache >> IP6 Neighbor Discovery Protocol# ping6 fe80::20d:56ff:fe22:df09 Enter interface number: (1-256) 200 fe80:0:0:0:20d:56ff:fe22:df09 is alive The following are commands used to display and verify an IPv6 configuration.
  • Page 839: Radware Ltd. End User License Agreement

    EMPLOYEES AND THIRD PARTY CONTRACTORS TO COMPLY WITH THE TERMS OF THIS LICENSE AGREEMENT. 1. License Grant. Subject to the terms of this Agreement, Radware hereby grants to you, and you accept, a limited, nonexclusive, nontransferable license to install and use the Software in machine-readable, object code form only and solely for your internal business purposes (“Commercial License”).
  • Page 840 You may use the Software only for internal evaluation purposes (“Evaluation Use”) for a maximum of 30 days or such other duration as may be specified by Radware in writing at its sole discretion (the “Evaluation Period”). The evaluation copy of the Software contains a feature that will automatically disable it after expiration of the Evaluation Period.
  • Page 841 If any Radware Party is found to be liable to You or to any third- party under any applicable law despite the explicit disclaimers and limitations under these terms, then any liability of such Radware Party, will be limited exclusively to refund of any license or registration or subscription fees paid by you to Radware.
  • Page 842 intellectual property associated therewith. In addition to the use limitations applicable to Third Party Software pursuant to Section 5 above, you agree and undertake not to use the Third Party Software as a general SQL server, as a stand-alone application or with applications other than the Software under this License Agreement.