AppDirector Guide Software Version 2.14.03 Document ID: RDWR-AD-V021403-UG0211 February, 2011
Important Notice

This guide is delivered subject to the following conditions and restrictions: Copyright Radware Ltd. 2008 – 2009. All rights reserved. The copyright and all other intellectual property rights and trade secrets included in this guide are owned by Radware Ltd. The guide is provided to Radware customers for the sole purpose of obtaining information with respect to the installation and use of the AppDirector, and may not be used for any other purpose. The information contained in this guide is proprietary to Radware and must be kept in strict confidence. It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without the prior written consent of Radware.

The OnDemand Switch may use software components licensed under the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of the license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
Copyright Notices

This product contains code developed by the OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.

This product contains the Rijndael cipher. The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:

@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen
@author Antoon Bosselaers
@author Paulo Barreto <[email protected]>

This code is hereby placed in the public domain. THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product contains code developed by the OpenBSD Project.

Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Safety Instructions

CAUTION
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that involve opening panels or changing components must be performed by qualified service personnel only. To reduce the risk of fire and electrical shock, disconnect the device from the power line before removing covers or panels.

SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are qualified to do so. There are no serviceable parts inside the unit.

HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage must be avoided as much as possible and, when inevitable, must be carried out only by a skilled person who is aware of the hazard involved. Capacitors inside the instrument may still be charged even if the instrument has been disconnected from its source of supply.

GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device must be connected to the protective earth in the building installation.

LASER
This equipment is a Class 1 Laser Product in accordance with the IEC 60825-1:1993 + A1:1997 + A2:2001 Standard.

FUSES
Make sure that only fuses with the required rated current and of the specified type are used for replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be made inoperative and be secured against any unintended operation.

LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source matches the requirements of the instrument. Refer to the Specifications for information about the correct power rating for the device.

SPECIFICATION CHANGES
Specifications are subject to change without notice.
Note: This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules, and with EN 55022 Class A, EN 55024, EN 61000-3-2 and EN 61000-3-3 for CE Mark compliance. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user is required to correct the interference at his own expense.

Special Notice for North American Users: For North American power connection, select a power supply cord that is UL Listed and CSA Certified, 3-conductor, [18 AWG], terminated in a molded-on plug cap rated 125 V, [5 A], with a minimum length of 1.5 m [six feet] but no longer than 4.5 m. For European connection, select a power supply cord that is internationally harmonized and marked “ ”, 3-conductor, 0.75 mm² minimum wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded-on plug cap rated 250 V, 3 A.

RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.

INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America, equipment must be installed in accordance with the US National Electrical Code, Articles 110-16, 110-17, and 110-18, and the Canadian Electrical Code, Section 12.

INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet interfaces must be UL certified type DP-1 or DP-2. (Note: when residing in a non-LPS circuit.)

OVERCURRENT PROTECTION
A readily accessible listed branch-circuit overcurrent protective device rated 15 A must be incorporated in the building wiring for each power input.

REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and it is replaced by an incorrect battery type, then an explosion may occur. This is the case for some Lithium batteries and the following is applicable:
• If the battery is placed in an Operator Access Area, there is a marking close to the battery or a statement in both the operating and service instructions.
• If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a statement in the service instructions.
This marking or statement includes the following text warning: CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

Caution – To Reduce the Risk of Electrical Shock and Fire
1. This equipment is designed to permit connection between the earthed conductor of the DC supply circuit and the earthing conductor equipment. See Installation Instructions.
2. All servicing must be undertaken only by qualified service personnel. There are no serviceable parts inside the unit.
3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label adjacent to the power inlet housing the fuse.
6. Do not operate the device in a location where the maximum ambient temperature exceeds 40°C/104°F.
7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove and/or check the main power fuse.

CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS IEC 60825-1:1993 + A1:1997 + A2:2001 AND EN 60825-1:1994 + A1:1996 + A2:2001

AC units for Denmark, Finland, Norway, Sweden (marked on product):
• Denmark - “Unit is class I - unit to be used with an AC cord set suitable with Denmark deviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socket outlet which is connected to a protective earth. Socket outlets which are not connected to earth are not to be used!”
• Finland - (Marking label and in manual) - “Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan” (The appliance must be connected to a socket outlet fitted with protective earth contacts.)
• Norway - (Marking label and in manual) - “Apparatet må tilkoples jordet stikkontakt” (The appliance must be connected to an earthed socket outlet.)
• Unit is intended for connection to IT power systems for Norway only.
• Sweden - (Marking label and in manual) - “Apparaten skall anslutas till jordat uttag.” (The appliance shall be connected to an earthed outlet.)

To connect the power connection:
1. Connect the power cable to the main socket, located on the rear of the device.
2. Connect the power cable to the grounded AC outlet.

CAUTION
Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one power supply module. To isolate the unit completely, disconnect all power supplies.

ACHTUNG (German notice, translated)
Risk of electric shock. Unplugging the power cord of one power supply unit makes only that unit voltage-free. To make all units voltage-free, the power plugs of all power supply units must be removed.

ATTENTION (French notice, translated)
Risk of electric shock and electrical hazard. Disconnecting a single power supply disconnects only one power supply module. To isolate the unit completely, disconnect all power supplies.

Attention: To Reduce the Risks of Electrocution and Fire (French notice, translated)
1. All servicing operations shall be performed ONLY by qualified service personnel. No component can be serviced or replaced by the user.
2. DO NOT connect, power on or attempt to use a visibly defective unit.
3. Make sure that the chassis ventilation openings ARE NOT OBSTRUCTED.
4. Replace a blown fuse ONLY with a fuse of the same type and rating, as indicated on the safety label near the power inlet that houses the fuse.
5. DO NOT USE the equipment in rooms whose maximum temperature exceeds 40°C.
6. Make sure the power cord has been disconnected BEFORE attempting to remove and/or check the main power supply fuse.

Measures for Protection against Electric Shock and Fire (German notice, translated)
• All maintenance work should be carried out exclusively by trained service personnel. No parts inside the device may be serviced by the user.
• Obviously defective or damaged devices must not be connected, switched on or put into operation.
• Make sure that the ventilation slots on the device are not blocked.
• Replace a defective fuse only with fuses as specified on the safety label.
• Do not operate the device in rooms with temperatures above 40°C.
• Disconnect the power cable from the socket before checking or replacing the main fuse.
Document Conventions

This guide uses the following conventions and symbols:

Item                      Description
Note:                     Additional information
Tip:                      A suggestion or workaround
To                        A statement and instructions
Example                   An example scenario
Caution:                  Possible damage to equipment, software, or data
Warning:                  Possible physical harm to the operator
Standard Acceleration     This feature only operates when application acceleration is disabled
Enhanced Acceleration     This feature only operates when application acceleration is enabled
AppDirector Guide Table of Contents
Table of Contents Important Notice ............................................................................................................ 3 Copyright Notices .......................................................................................................... 3 Safety Instructions ......................................................................................................... 5 Document Conventions ................................................................................................. 8
Chapter 1 – Introducing AppDirector .................................................................... 17 AppDirector Modules ........................................................................................................... 18 Management Tools .............................................................................................................. 20 Licenses ............................................................................................................................... 20
Configuration and Workflows for AppDirector ............................................................. 22 Before Installation and Configuration ................................................................................... 22 Configuration for all AppDirectors ........................................................................................ 24 AppDirector Modes Workflow .............................................................................................. 25
Chapter 2 – istering and Monitoring AppDirector..................................... 27 ed Management Interfaces for AppDirector .................................................... 27 Web Based Management .................................................................................................... Web Services ....................................................................................................................... Command Line Interface ..................................................................................................... Configuring Telnet ............................................................................................................... Configuring FTP Server ....................................................................................................... Configuring SNMP ...............................................................................................................
28 29 31 33 35 35
Version and Configuration Management ..................................................................... 46 Upgrades ............................................................................................................................. Software Versions ................................................................................................................ Configuration File Management ........................................................................................... Licensing and Upgrading Licenses ...................................................................................... Managed Devices ................................................................................................................ Resetting Devices ................................................................................................................ Device Shutdown .................................................................................................................
46 47 48 53 56 57 57
Tuning AppDirector ...................................................................................................... 58 Device Tuning ...................................................................................................................... Device Global Parameters ................................................................................................... Main Device Tuning Parameters ......................................................................................... Bandwidth Management Settings Tuning ............................................................................ Client Table Settings Tuning ................................................................................................ DNS Settings Tuning ........................................................................................................... NAT Settings Tuning ............................................................................................................ Security Tuning .................................................................................................................... Session Table Tuning .......................................................................................................... Tuning Memory Check .........................................................................................................
Document ID: RDWR-AD-V021403-UG0211
58 61 62 64 65 65 65 66 67 67
9
AppDirector Guide Table of Contents
Tuning Statistics .................................................................................................................. Bandwidth Management Tuning (ODS Devices Only) ........................................................ Classifier Tuning ................................................................................................................. SYN Protection Tuning ........................................................................................................ Application Security Tuning ................................................................................................. Behavioral DoS Tuning Parameters ....................................................................................
68 68 69 71 72 73
Monitoring AppDirector ............................................................................................... 75 Device Information .............................................................................................................. Device Monitoring ............................................................................................................... Notifications ......................................................................................................................... Configuration Auditing ......................................................................................................... AppDirector Thresholds .......................................................................................................
75 77 77 82 83
Basic Switching (Layer 2 Capability) .......................................................................... 88 AppDirector Physical Interface Configuration ...................................................................... 88 Layer 2 Interface Table ....................................................................................................... 89 Virtual LAN .......................................................................................................................... 91 VLAN Tagging ..................................................................................................................... 96 Spanning Tree Protocol ...................................................................................................... 98 Link Aggregation (Port Trunking) ...................................................................................... 101 Port Mirroring .................................................................................................................... 104
IP Addressing and Routing ....................................................................................... 105 Interface IP Addresses ...................................................................................................... Routing .............................................................................................................................. Routing Table .................................................................................................................... ARP Table ......................................................................................................................... NHRs ................................................................................................................................. VIP NHR ............................................................................................................................ Routing Information Protocol ............................................................................................. Open Shortest Path First (OSPF) ...................................................................................... Border Gateway Protocol ..................................................................................................
106 107 109 110 110 111 112 114 119
Redundancy ............................................................................................................. 123 Network Configurations ..................................................................................................... Configuration Guidelines ................................................................................................... Global Redundancy Configuration .................................................................................... Failover Decision ............................................................................................................... Stateful Failover (Mirroring) ............................................................................................... Physical IP Addresses versus Virtual IP Addresses Redundancy .................................... Virtual Router Redundancy Protocol ................................................................................. Proprietary Redundancy ................................................................................................... Configuration Synchronization ..........................................................................................
125 128 134 136 140 142 142 147 148
Chapter 3 – Traffic Management and Application Acceleration....................... 157 Configuring Farms .................................................................................................... 159 Farm Parameters .............................................................................................................. 159 Additional HTTP Connectivity Checks Parameters ........................................................... 167
10
Document ID: RDWR-AD-V021403-UG0211
AppDirector Guide Table of Contents
No HTTP Service Page .................................................................................................... 168
Configuring Servers .................................................................................................. 170 Physical Servers ............................................................................................................... Application/Farm Servers ................................................................................................. Dispatch Methods ............................................................................................................. Local Triangulation ...........................................................................................................
170 172 177 181
Traffic Management Policies .................................................................................... 183 Layer 4 Policies ................................................................................................................ Layer 4 Policies Lookup Mechanism ................................................................................ Layer 4 Policy Statistics .................................................................................................... HTTP Policies ................................................................................................................... T Policies .....................................................................................................................
183 186 187 188 192
SSL Offloading and Authentication .......................................................................... 194 SSL Policies ...................................................................................................................... Authentication Policies Overview ...................................................................................... Client Authentication Policies ........................................................................................... Trust-service Status List (TSL) Authentication Policies .................................................... Certificate Validation Policies ...........................................................................................
195 199 199 203 211
Application Acceleration ........................................................................................... 217 Benefits of Application Acceleration ................................................................................. 217 Enabling Application Acceleration .................................................................................... 218 Acceleration Policies ......................................................................................................... 219
Layer 7 Traffic Management ..................................................................................... 228 Layer 7 Methods ............................................................................................................... Layer 7 Farm Selection ..................................................................................................... Layer 7 Modification .......................................................................................................... Layer 7 Server Persistency ...............................................................................................
228 234 238 252
Client Table Management ........................................................................................ 264 Types of Client Table Entries ............................................................................................ Static Client Table ............................................................................................................. View Filtered Clients ......................................................................................................... Client Table Views ............................................................................................................ Reset Client on Server Failure .......................................................................................... Close Session At Aging .................................................................................................... Client Table Sessions Modes ...........................................................................................
264 265 266 266 268 268 268
Network Address Translation (NAT) ......................................................................... 274 Client NAT ........................................................................................................................ 275 Server NAT ....................................................................................................................... 279 Outbound NAT .................................................................................................................. 284
Configuring AppDirector Advanced Global Parameters ........................................... 289
Chapter 4 – Configuring Global Load Balancing ............................................... 293 Global Traffic Management ...................................................................................... 293 IP Traffic Management ..................................................................................................... 293
    Global Solution Configuration Guidelines .......... 296
Proximity .......... 297
    Proximity Parameters .......... 298
    Proximity Checks .......... 299
    Proximity Report Protocol (PRP) .......... 300
    Static Proximity Database .......... 301
Configuring Local Report Protocol .......... 303
    Introducing the Load Report Protocol (LRP) .......... 303
    LRP in Multi-Homed Environments .......... 307
    Local Load Report Protocol (Local LRP) .......... 309
Domain Name System (DNS) .......... 311
    Host Names .......... 311
    DNS Server Parameters .......... 315
    DNS Persistency .......... 315
    DNS Statistics .......... 319
Redirection .......... 319
    DNS Redirection .......... 320
    HTTP Redirection .......... 320
    HTTP to HTTPS Protocol Redirection .......... 321
    RTSP Redirection .......... 323
    SIP Redirection .......... 323
    Proxy Redirection .......... 323
    Global Triangulation Redirection .......... 324
    Setting Redirection Parameters .......... 326
    Anycast .......... 328
Chapter 5 – Configuring Health Monitoring .......... 331
    Checked Element .......... 331
    Health Check .......... 331
    Health Monitoring Global Parameters .......... 331
Health Checks .......... 332
    Group Health Checks .......... 333
    Single Health Checks .......... 333
    Health Checks Per Farm .......... 333
    Health Monitoring Check Table .......... 333
    Binding .......... 347
    Packet Sequence Table .......... 348
    Server Table .......... 349
    Diameter Argument List and Additional Method Arguments .......... 350
    Downloading, Uploading and Deleting the Diameter File using Binary File Transfer .......... 352
    User Defined Methods .......... 352
AppDirector Farm Connectivity Checks .......... 353
    Ping Connectivity Method .......... 353
    TCP Port Connectivity Method .......... 354
    UDP Port Connectivity Method .......... 354
    HTTP Page Connectivity Method .......... 354
    Long URL Checks .......... 355
    Disabled Connectivity Method .......... 355
Chapter 6 – Classes and Bandwidth Management .......... 357
Bandwidth Management Introduction .......... 357
    Radware Implementation of Bandwidth Management .......... 358
Bandwidth Management and Classifier Settings .......... 361
    Bandwidth Management Rules .......... 362
Configuring Bandwidth Management .......... 364
    Bandwidth Management and Classes Update Policies .......... 372
    Configuring Networks .......... 372
Services .......... 374
    Basic Filters .......... 376
    Application Port Groups .......... 380
    Physical Port Groups .......... 382
    VLAN Tag Groups .......... 382
    MAC Groups .......... 383
    Protocol Discovery .......... 383
    Interface Classification .......... 384
Chapter 7 – Advanced Capabilities .......... 389
Diameter and LDAP Load Balancing .......... 389
    Application Server TCP Splitting .......... 390
    TCP Splitting Table .......... 391
Multihoming .......... 392
    Default Router Per Virtual IP .......... 393
    Using Redirect to Self in Multi-Homed Environments .......... 396
Segmentation .......... 398
    Segmentation Overview .......... 398
    Implementing Segmentation with AppDirector .......... 400
Session Initiation Protocol (SIP) .......... 404
    SIP Load Balancing with AppDirector .......... 405
    Farm Selection Based on SIP Parameters .......... 405
    Load Balancing SIP Servers .......... 405
    Outbound SIP Sessions .......... 406
Stream Control Transmission Protocol (SCTP) .......... 406
Performance Statistics .......... 408
    Acceleration Engine Statistics .......... 409
    Bandwidth Management Statistics .......... 422
    Element Statistics .......... 424
    IP Interface Statistics .......... 428
    Servers .......... 430
    AppDirector Statistics .......... 432
    TCP Splitting Statistics .......... 433
    Protocol Statistics .......... 435
    Statistics Monitor .......... 437
Utilities .......... 439
    DNS Client .......... 439
    Time Settings .......... 440
    Event Scheduler .......... 442
Chapter 8 – Security .......... 445
AppDirector Device Security .......... 445
    Management Ports (Setting Physical Management Ports Restrictions) .......... 445
    Ports Access .......... 446
    User Table and Authentication .......... 446
Keys and Certificates .......... 450
    Certificates .......... 450
    Keys .......... 450
    Certificates Workflows .......... 450
    Configuration of Keys and Certificates .......... 452
Application Security .......... 456
    SYN Flood Protection .......... 457
    Session Table and Session Table Lookup Mode .......... 462
    Working in Application Acceleration Disabled Mode .......... 465
    Signature Protection .......... 465
    Behavioral DoS .......... 487
    Connection Limit .......... 499
    Global Suspend Table .......... 503
    Security Reporting .......... 504
    Attack Database .......... 509
Appendix A – Radware Technical Glossary .......... 519
Appendix B – Regular Expressions .......... 559
Appendix C – Troubleshooting .......... 561
Diagnostic Tools .......... 561
    Diagnostics Trace-Log .......... 561
    Traffic Capture .......... 564
    Diagnostics Tools Policies .......... 569
    Diagnostics Tools File Management .......... 571
    Diagnostics Tools Tuning .......... 572
    System Diagnostics .......... 572
Acceleration-Engine Logs .......... 576
Downloading the Technical Support File .......... 578
Appendix D – Optimizing AppDirector with AppXcel Application Accelerator .......... 581
Appendix E – SSL Encryption, Certificates and Ciphers .......... 583
SSL Encryption .......... 583
    Encryption Protects Data During Transmission .......... 583
    Credentials Establish Identity Online .......... 584
    Authentication Generates Trust in Credentials .......... 584
Certificates .......... 584
    Online Certificate Status Protocol (OCSP) .......... 587
    Certificate Signing Request (CSR) .......... 588
    Certificate Authority .......... 588
Ciphers and Cipher Suites .......... 590
    Ciphers .......... 590
    Cipher Suites .......... 591
    Cipher Suites Used by AppDirector .......... 592
    Securing a Connection - the SSL Handshake .......... 599
Chapter 1 – Introducing AppDirector

This chapter introduces AppDirector capabilities and provides a brief description of its main characteristics in the following sections:
• AppDirector Modules, page 18
• Configuration and Workflows for AppDirector, page 22
AppDirector by Radware is an Application Delivery Controller (ADC) that provides Layer 4-7 local and global application delivery and acceleration across Web application and database server farms, ensuring application uptime, global redundancy, and user experience optimization. AppDirector provides full availability, high performance, and complete security for mission critical applications.

AppDirector is intended for organizations that conduct their business using networked applications, the Internet, or a private intranet to communicate between geographically dispersed offices, or between business partners and end users, as in e-commerce or online banking. As a result of the reliance on networked/Web applications such as ERP, CRM, or Citrix applications, there has been significant growth in the volume of transactions and in the processing power required to execute them efficiently.

AppDirector relies on a combination of a powerful hardware platform and an application smart service to achieve a high level of availability, performance, and security. AppDirector is based on Radware’s Intelligent Application Switching Architecture, which provides high speed hardware processing power, along with the APSolute OS Application Smart Service.

Throughout this AppDirector Guide, AppDirector’s main capabilities are labeled, where necessary, with one of two non-mutually exclusive options:
Enhanced Acceleration: For application acceleration, including SSL offloading, Web compression, caching and TCP optimization, providing the best Quality of Experience (QoE).
Standard Acceleration: For optimized server utilization and application performance.

Look out for these labels throughout this Guide; they are here to help you get the maximum benefit from AppDirector.

The AppDirector Application Smart Service modules offer these capabilities:
• 24/7 Network Health Monitoring
• Intelligent Load Balancing
• Fault Management
• Traffic Shaping
AppDirector Modules

AppDirector combines several functional modules. AppDirector’s advanced Health Monitoring module verifies the availability of the entire transaction path and its resources. The Traffic Redirection module works closely with the Health Monitoring module and performs Layer 4-7 switching based on resource availability. Traffic Redirection optimizes server usage by applying intelligent dispatch load balancing algorithms. If network elements fail (e.g. routers, switches, or other resources in the path to the servers, or the back-end servers themselves), Traffic Management allows the traffic to bypass the faulty elements.

The network path can be further optimized by utilizing the Bandwidth Management (BWM) features. BWM can be used to enforce business priorities and resource utilization across the network. You can assign a higher priority and guaranteed bandwidth to mission critical applications such as SAP, ORACLE, etc., while assigning a best effort policy with lower priority to bulk traffic such as FTP, e-mail, and any other non-critical applications.

Numerous application level attacks through firewalls expose an organization's network and applications to various threats. If left unchecked, these can result in severe damage, either through theft of intellectual property and/or confidential data, or through disruption of services resulting in lost revenue. The advanced security module is an integral part of the AppDirector intelligent application switching process, providing protection against various attacks, worms, and viruses.
Health Monitoring

The Health Monitoring module constantly checks the health of the entire transaction path. This ensures the availability of all the network elements required for the completion of a successful transaction, including routers, backend servers and applications. This module enables you to create any type of Layer 2 - Layer 7 Health Check on any network element. The wide variety of predefined Health Checks allows you to meet the specific requirements of your network. For more information on Health Monitoring, see Configuring Health Monitoring, page 331.
Traffic Redirection

The Traffic Redirection module provides Layer 4 - Layer 7 switching capability. This module performs server selection in a Farm, based on availability, load, and content considerations. For more information on Traffic Redirection, see Traffic Management and Application Acceleration, page 157.

To select a server within a Farm, AppDirector uses various dispatch algorithms based on the traffic load of the servers and available server resources. You can also define server persistency, where all sessions with the same predefined characteristics are forwarded to the same server. Traffic Redirection can be configured with many dispatch methods and settings, ensuring optimum utilization of server resources while monitoring network conditions.

When content is distributed among multiple sites, AppDirector applies a global Traffic Redirection solution combining advanced load and proximity-based decisions with different redirection methods, optimizing resource usage and providing accelerated content delivery. This enables you to add network elements without service interruption in a geographically dispersed global context.
Global Traffic Redirection

AppDirector-Global provides global and local Internet traffic management services. It redirects the user to the best available site before a server is selected within the local site. AppDirector-Global performs load balancing for distributed sites according to proximity, load and availability considerations.
Acceleration Engine

Enhanced Acceleration: AppDirector assists acceleration with the following attributes:
• Reduces web-application latency across the WAN and decreases application response time.
• Offloads SSL decryption and encryption from the servers.
• Reduces the "chattiness" of the TCP and HTTP protocols.
• Improves response time by offloading TCP connection handling, and accelerates repetitive content fetching by using a cache.
• Using compression, reduces WAN bandwidth consumption and accelerates web pages on low bandwidth (dial-up, wireless) WAN connections.
Secure Socket Layer (SSL) Offload

Enhanced Acceleration: AppDirector can accelerate SSL traffic and offload the servers. AppDirector handles the SSL key negotiation with the client and the encryption and decryption of the communication. AppDirector serves as a proxy, terminating the SSL client sessions and opening a separate session to the backend servers.
Trust-Service Status List (TSL)

Enhanced Acceleration: AppDirector is the only ADC solution that provides full support of the TSL standard, allowing:
• Automatic retrieval and updates of the client authentication configuration according to the TSL standard.
• OCSP caching to minimize the load on the authenticating infrastructure of the Advance Clients Certificates Field.
• Verification capabilities for granular control over the access of allowed certificate holders at the network level.
TCP Optimization

Enhanced Acceleration: AppDirector reorders TCP packets that arrive out of order, offloading this task from the backend server.
Web Compression

Enhanced Acceleration: AppDirector compresses HTTP traffic to reduce the latency for clients that access web applications over the WAN. Compression reduces the size of the objects, so the objects take less time to transfer over the WAN. Latency is high, for instance, when clients are located a large number of network hops away from the server, over satellite links, or when bandwidth (and thus transfer rate) is low. AppDirector supports compression in software by default. An optional Hardware Compression module enables AppDirector to handle higher throughput from the web application server.
Web Caching

Enhanced Acceleration: AppDirector improves response time by caching web objects from the server and serving them itself, saving server resources. AppDirector caches server content according to the cache settings that appear in the HTTP headers.
Management Tools

The following management tools can be used to manage a single AppDirector device:
• Web Based Management (WBM), using HTTP and/or HTTPS.
• Command Line Interface (CLI), using Telnet, SSH, or Serial Console access.
Please consult the latest accompanying Release Notes for this AppDirector version for detailed management tool information.
Licenses

The licensing mechanism is used to provide an easy path for adding product capabilities after the initial product purchase. There are several types of license available.
Note: Please also see the Radware Licensing Model for further information.
Capabilities License

This is available on all platforms and allows you to add product specific capabilities (such as Global Load Balancing) and APSolute OS capabilities (BWM and IPS, DoS). This license is accumulative – it can, for example, enable both a product specific capability and an APSolute OS capability. For more information on AppDirector and AppDirector Global capabilities, see Radware Devices Used in Global Solution, page 295.
Compression Throughput License

Enhanced Acceleration: This defines the HTTP compression capacity level and enables capacity upgrades (compression throughput in Mbps) for AppDirector (version 2.0 and up). An HTTP Compression license upgrade does not require a device reboot.
SSL TPS License

Enhanced Acceleration: AppDirector comes bundled with basic SSL capabilities (a maximum number of transactions per second - TPS) which can be upgraded by license. This license defines the SSL offload capacity level and enables capacity upgrades (SSL TPS) for AppDirector (version 2.0 and up). The SSL TPS license upgrade does not require a device reboot.
TSL License

Enhanced Acceleration: This allows you to handle situations where one organization is responsible for the creation, distribution and management of Digital ID cards (e.g. a government), and other organizations need to authenticate users based on those Digital IDs (e.g. tax administration, health insurance, financial institutions, employers, etc.).
Management Interfaces

The following management interfaces are supported for AppDirector:
• Command Line Interface - over Telnet, SSH or RS232
• Web-based GUI - over HTTP & HTTPS
• SNMP
• Web Services - SOAP API over HTTP & HTTPS
• FTP server
Configuration and Workflows for AppDirector

This section describes the step-by-step configuration for AppDirector. It is common to many scenarios, and you can adjust it to meet your specific needs using your own network's IP addresses.
• Before Installation and Configuration, page 22
• Configuration for all AppDirectors, page 24
• AppDirector Modes Workflow, page 25
Before Installation and Configuration

Before installation, Radware recommends you take into consideration the following:
• Supported Radware Platforms, page 22
• Physical Connectivity Concerns, page 22
• IP Allocation Concerns, page 22
• Management Concerns, page 23
• Technical Support, page 23
Supported Radware Platforms

AppDirector 2.14 supports the following Radware platforms (XL and non-XL models): OnDemand Switch 1, OnDemand Switch 2, OnDemand Switch 3 v2, OnDemand Switch VL. For further information, see the Radware Installation and Maintenance Guide.
Physical Connectivity Concerns

A Radware device acts as a switch. Crossed cables should be used between switches and straight cables should be used for connecting other network hosts. Make sure you use the right type of cable as stated. Some platforms support the Auto sensing feature (MDIX) and can operate with any type of cable; however, this feature is disabled once you disable Auto negotiation. Only GBICs that have been tested and approved by Radware can be used. For an updated list, refer to: http://www.radware.com/content//faq/gigabitethernetandgibc.asp. Auto negotiation is activated by default. In most cases, this is the preferred option. Ensure that it is activated on the other side as well.

Note: Disabling Auto negotiation also disables the cable type Auto sensing feature (MDIX).

Optical cables are not provided by Radware and need to be purchased separately. Some devices use SC connectivity and others LC. Make sure you have the appropriate cable. The copper cables that Radware provides are intended for management only and should not be used for other types of traffic. CAT5 certified copper cables must be used. When connecting to network switches and working with Radware's proprietary redundancy protocol, ensure that you disable Spanning Tree, or at least enable Port Fast on the relevant ports (on the switch). You can also set Spanning Tree to operate in fast learning mode on the relevant ports.
IP Allocation Concerns

Ensure that you have the IP addresses allocated and defined in your network for the AppDirector's interfaces, new servers, NAT IP addresses (if activated on the AppDirector), DNS IP addresses (if activated on the AppDirector), and for the redundant AppDirector as well. Pay particular attention to the Local Triangulation implementation and VLANs (explained in this document), where the IP addresses of the servers should be publicly routable IP addresses.
Management Concerns

Radware management uses SNMP communication running on UDP port 161. Ensure that this communication port is not blocked by your firewall. Configuration upload / download actions use the TFTP protocol. Ensure that TFTP is not blocked by your firewall and that the management station is not NATed toward the Radware device. As TFTP traffic is initiated from the Radware device to the management station, a relevant firewall rule should be configured. UDP ports 162 and 69 are used for TFTP. Radware devices can also use HTTP, HTTPS, Telnet, and SSH for management. If you choose to activate one of the above, ensure that they are not blocked by your firewall. Traffic direction is from the management system to the Radware device. Radware devices have a console port for terminal communication. This uses an RS232 cable (provided by Radware).
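The flows above have a direction (TFTP is opened by the device, everything else by the management station), and the firewall rules that permit them should be scoped to the management station rather than to any source. The following is an added example, not code from the Radware guide: a small audit that parses a constructed, simplified firewall ruleset, checks that every management flow the section names has an allow rule in the right direction, and flags rules that open a management port to more than a single host. The rule syntax, the rule lines and the addresses (10.0.0.5 for the device, 10.0.1.20 for the management station) are assumptions made for the example; the ports and directions are the ones the section states.

```python
"""Audit a firewall ruleset against the AppDirector management flows.

Added example, not part of the Radware guide. The rule syntax and the
addresses (10.0.0.5 for the device, 10.0.1.20 for the management station)
are constructed for illustration. Ports and directions follow the guide:
SNMP on UDP 161 toward the device; TFTP on UDP 69 and 162 initiated by the
device toward the management station; HTTP, HTTPS, Telnet and SSH from the
management station toward the device, required only when activated.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEVICE = "10.0.0.5"          # constructed AppDirector management address
MGMT_STATION = "10.0.1.20"   # constructed management station address

# Flows the guide always needs: (proto, port, source, destination)
BASE_FLOWS = [
    ("udp", 161, MGMT_STATION, DEVICE),  # SNMP
    ("udp", 69, DEVICE, MGMT_STATION),   # TFTP, initiated by the device
    ("udp", 162, DEVICE, MGMT_STATION),  # also listed for TFTP in the guide
]
# Optional management services; required only when activated on the device
OPTIONAL_SERVICES = {
    "http": ("tcp", 80), "https": ("tcp", 443),
    "telnet": ("tcp", 23), "ssh": ("tcp", 22),
}
MGMT_PORTS = {(p, n) for p, n, _, _ in BASE_FLOWS} | set(OPTIONAL_SERVICES.values())


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    src: str      # source CIDR
    dst: str      # destination CIDR


def parse_rules(text):
    """Parse lines of the form: allow udp 161 from 10.0.1.20/32 to 10.0.0.5/32"""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        p = line.split()
        if len(p) != 7 or p[3] != "from" or p[5] != "to" or p[0] not in ("allow", "deny"):
            raise ValueError(f"unparseable rule: {raw!r}")
        rules.append(Rule(p[0], p[1], int(p[2]), p[4], p[6]))
    return rules


def first_match(rules, proto, port, src, dst):
    """First-match semantics: the first rule covering the tuple decides."""
    for r in rules:
        if (r.proto == proto and r.port == port
                and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)):
            return r
    return None


def required_flows(enabled_services):
    flows = list(BASE_FLOWS)
    for name in enabled_services:
        proto, port = OPTIONAL_SERVICES[name]
        flows.append((proto, port, MGMT_STATION, DEVICE))
    return flows


def missing_flows(rules, enabled_services):
    """Required flows with no allow rule (unmatched traffic counts as denied)."""
    missing = []
    for flow in required_flows(enabled_services):
        m = first_match(rules, *flow)
        if m is None or m.action != "allow":
            missing.append(flow)
    return missing


def overly_broad_rules(rules):
    """Allow rules on a management port whose source is wider than one host."""
    return [r for r in rules
            if r.action == "allow" and (r.proto, r.port) in MGMT_PORTS
            and ip_network(r.src).num_addresses > 1]


def audit(text, enabled_services=("https", "ssh")):
    rules = parse_rules(text)
    return {"missing": missing_flows(rules, enabled_services),
            "broad": overly_broad_rules(rules)}


# Constructed ruleset; the HTTP rule is deliberately too broad
SAMPLE_RULESET = """\
allow udp 161 from 10.0.1.20/32 to 10.0.0.5/32   # SNMP
allow udp 69  from 10.0.0.5/32  to 10.0.1.20/32  # TFTP, device to station
allow udp 162 from 10.0.0.5/32  to 10.0.1.20/32
allow tcp 443 from 10.0.1.20/32 to 10.0.0.5/32   # HTTPS
allow tcp 22  from 10.0.1.20/32 to 10.0.0.5/32   # SSH
allow tcp 80  from 0.0.0.0/0    to 10.0.0.5/32   # HTTP open to any source
deny  tcp 23  from 0.0.0.0/0    to 10.0.0.5/32   # Telnet not activated
"""

if __name__ == "__main__":
    report = audit(SAMPLE_RULESET)
    for flow in report["missing"]:
        print("no allow rule for", flow)
    for rule in report["broad"]:
        print("source too broad:", rule)
```

Pass the services you actually activated on the device as `enabled_services`; with the defaults (HTTPS and SSH) the denied Telnet rule is not a finding, while enabling Telnet makes it one. Scoping both ends of each rule to a single host matters most for the TFTP flow, which carries no authentication, and for SNMP, Telnet and HTTP, which are cleartext; HTTPS and SSH are the preferable choices among the optional services.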
Technical Support
Radware offers its Certainty Support Program, a suite of technical support packages at various levels. You can view all programs at: http://www.radware.com/content//default.asp. Once you have purchased the relevant Certainty package, you can either contact Radware via email ([email protected]) or by phone using our worldwide toll-free numbers. An updated list is available at: http://www.radware.com/content// program/.asp. Additional information about the Radware Certainty program is available at: http://www.radware.com/content/document.asp?_v=about&document=2774.
Configuration for all AppDirectors The following general workflow with mappings to appropriate chapters is shown here to help you configure your AppDirector devices.
AppDirector Modes Workflow For AppDirector version 2.14, this diagram helps you to distinguish between Enhanced Application Acceleration and Standard Application Acceleration Modes and their capabilities.
Chapter 2 – Administering and Monitoring AppDirector
This chapter provides information on the AppDirector management and maintenance processes. For information on installing and configuring AppDirector, see the Radware Installation and Maintenance Guide. This chapter includes the following sections:
• Supported Management Interfaces for AppDirector, page 27
• Version and Configuration Management, page 46
• Tuning AppDirector, page 58
• Monitoring AppDirector, page 75
• Basic Switching (Layer 2 Capability), page 88
• IP Addressing and Routing, page 105
• Redundancy, page 123

Supported Management Interfaces for AppDirector
This section discusses the management interfaces supported by AppDirector and includes these topics:
• Web Based Management, page 28
• Web Services, page 29
• Command Line Interface, page 31
• Configuring Telnet, page 33
• Configuring SSH, page 33
• Configuring FTP Server, page 35
• Configuring SNMP, page 35
Web Based Management (WBM) is the main management interface for Radware products. Additionally, you can manage your AppDirector with the Command Line Interface (CLI). You can connect AppDirector devices to management interfaces through network physical interfaces or serial ports. These port types are supported:
• For network connection: SNMP, HTTP, HTTPS, Telnet, SSH.
• For serial port connection: RS-232 up to 115,200 bps (default is 19,200 bps).
This table lists the AppDirector physical interfaces and the corresponding management interfaces:

Port | Web Based Management | Command Line Interface
SNMP v1, v3 | - | - (used by SNMP managers such as APSolute Insite)
HTTP | x |
Secure Web (HTTPS) | x |
Telnet | | x
SSH | | x
RS-232 | | x
Web Based Management
The WBM (Web Based Management) graphical interface (GUI) does not require client installation, and is designed for easy and fast single-device management via HTTP or HTTPS (for secure access). When using WBM, on-line help is available (by clicking the ? icon that appears on every screen) from the Radware corporate website. However, you can specify a custom location for the help files.
Web
Use the Web Server Parameters to enable WBM and to define the port to which it is assigned.
To configure the Web Based Management
1. From the Services menu, select Management Interfaces > Web Server > Web. The Web Server Parameters window appears.
2. Set the parameters.

Parameter | Description
Web Server Port | Port to which the Web Based Management is assigned.
Web Server Status | Enables or disables the web server.
Web Help Location | Location (path) of the web help files.
Web Access Level | Values: Read Write (default) or Read Only. This setting affects both WBM and Secure WBM. When the WBM Access Level is set to Read Only, users of WBM or Secure WBM experience the following limitations: • Cannot change the configuration of the device • Cannot view the Community Table or the User Table • Have no access to the SSH Public Key Table • SSL keys and certificates cannot be viewed • The configuration file cannot be sent to or received from the device • Software update of the device is not allowed • Cannot reset the device. Note: Changing this setting requires restarting the device.

3. Click Set. Your configuration is set.
Secure Web
You can define the parameters for accepting secure (HTTPS) requests.
To define secure web parameters
1. From the Services menu, select Management Interfaces > Web Server > Secure Web. The Secure Web Parameters window appears.
2. Set the parameters.

Parameter | Description
Secure Web Port | Port on which HTTPS requests are accepted.
Secure Web Status | Enables or disables (default) the secure web server.
Secure Web Private Key File | Private key file used by the HTTPS server. Keep this file confidential: whoever holds it can impersonate the device's management interface.
Secure Web Certificate File | Certificate file presented by the HTTPS server. Use a certificate that the management stations' browsers trust, so that administrators are not trained to click through certificate warnings.

3. Click Set. Your configuration is set.
Supported Browsers
WBM is supported with the following Internet browsers:
• Microsoft Internet Explorer version 6 (when using Windows operating systems)
• Microsoft Internet Explorer version 7
• Microsoft Internet Explorer version 8
• Mozilla (when using Linux operating systems)
• Firefox
Web Services
To provide customers with the capability to develop enhanced application monitoring, customized application delivery network management applications, and advanced automation tools, Radware provides a web services interface on AppDirector via APSolute API, an open standards-based SOAP (XML) API. AppDirector Web Services operate via HTTP or HTTPS requests, like a regular web browser, and are disabled by default. They can be enabled via:
• CLI: manage web-services status
• WBM: Services/Web/Web Services window
Note: Web Services can only be enabled if either the web or the secure web management interface is enabled on the device. Changing the Web Services status requires a device reset. Because the API gives full configuration access to the device, enable it over HTTPS only and restrict the port at the firewall to the automation hosts that need it.
To enable Web Services
1. From the Services menu, select Management Interfaces > Web Server > Web Services. The Web Services window appears.
2. Set the parameter.

Parameter | Description
Web Services Status | Enables Web Services.

3. Click Set. Your configuration is set.
APSolute API Overview
APSolute API is an advanced network Application Programming Interface that enables the development of software applications to remotely monitor and control Radware products. This web services interface to all Radware application switches and appliances provides native software access from any external application or development tool environment. Integration with APSolute API gives you a comprehensive view of AppDirector device performance, including historical data analysis and trending, performance diagnostics, availability reports, automation of maintenance operations, and fine-tuning of AppDirector for optimal application delivery based on parameters external to AppDirector. The APSolute API is a SOAP/XML interface providing full access to Radware devices for third-party applications, using common development languages including Java, Visual Basic/C#, and Perl. APSolute API offers two approaches to interact with Radware devices:
1. Issuing CLI commands and receiving output via a generic SOAP method.
Note: This interface does not provide for:
>> Non-configuration commands or monitoring, such as ping, telnet, or trace-route.
>> Asynchronous output commands (e.g. accelerator-related CLI commands).
2. Configuring and monitoring the devices via SOAP commands that mirror Radware's SNMP MIB. Commands include:
a. For a scalar MIB parameter: retrieve (get) the value and change (set) the value.
b. For a MIB table entry: create an entry, delete an entry, update one or more parameters of an entry, retrieve (get) an entry, retrieve (get) the entire table, walk through the table (get the first entry, then get next).

APSolute API Software Development Kit (SDK)
The APSolute API SDK, provided for each AppDirector version, contains components and documentation that enable the development of control and monitoring capabilities in custom-developed applications. This includes:
• WSDL files for all interfaces and modules.
• API Reference.
• Product overview.
• Sample code for basic device configuration/monitoring functions.
The APSolute API SDK requires a SOAP client tool kit (supporting SOAP version 1.1 and above), and the development environment for the tool kit must be installed on the workstation used. The SDK was verified and tested for compatibility with the following:

Development Environments | Languages
Microsoft Visual Studio .NET 2005 | Visual Basic & C#
Axis 1.3 | Java 1.5.0
Active Perl 5.8.8 | Perl
Command Line Interface
The Command Line Interface (CLI) is a built-in, text-based menu system for access via a local terminal or a remote Telnet or SSH session. The main CLI menu is listed in the following table:

CLI Command | Explanation
appDirector | AppDirector parameters
classes | Configures traffic attributes used for classification
device | Device settings
health-monitoring | Advanced health monitoring
help | Displays help for the specified command
login | Login into the device
logout | Logout of the device
manage | Device management configuration
net | Network configuration
nslookup | Queries the DNS server
performance | AD performance
ping | Sends echo requests
reboot | Reboots the device
redundancy | Redundancy settings
security | Security settings
services | General networking services
shutdown | Shuts down the device
ssh | SSH to a remote host
statistics | Device statistics configuration
system | System parameters
telnet | Telnets to a remote host
trace-route | Measures hops and latency to a given destination
CLI Supported Capabilities
Radware's Command Line Interface provides the following capabilities:
• Consistent, logically structured, and intuitive command syntax.
• A system config command to view the current configuration of the device, formatted as CLI command lines.
• Pasting the output of system config, or part of it, into the CLI of another device, using the system config set command. This option can be used for easy configuration replication.
• Help and command completion keys.
• Command line editing keys.
• Command history.
• Configurable prompt.
• Configurable banner for Telnet and SSH.
• Ping: ping other hosts on the network to test their availability.
• Traceroute: use the command trace-route <destination IP addr>. Output format:
    AppDirector#trace-route www.radware.com
    trace-route to host 209.218.228.203:
    1: 50ms 50ms 50ms 212.150.43.130
    2: 50ms 50ms 50ms 80.74.101.129
    3: 50ms 50ms 50ms 192.116.214.2
    4: * * *
    5: 50ms 50ms 50ms 80.74.96.40
• Telnet client: to initiate a Telnet session to a remote host, use the CLI command telnet <host>.
• SSH client: to initiate an SSH session to a remote host, use the CLI command ssh <host>.
• DNS Lookup: uses the configured DNS servers to query the IP addresses of a host name. This requires that the DNS client is enabled and DNS servers are configured. The DNS client also enables using host names rather than IP addresses in commands such as trace-route, ping, telnet, etc. Use the command nslookup <host name>.
CLI Session Time-Out
You can define a period of time during which the connection with the device via the console is kept despite the session's inactivity. This period is defined by the Session Time-Out parameters. If at the end of the predefined time-out the session is still inactive, it is automatically terminated.
To configure the time-outs from the CLI, use the following commands:
• manage terminal session-timeout (configures the console time-out)
• manage ssh session-timeout
• manage telnet session-timeout
• manage ssh auth-timeout
• manage telnet auth-timeout
Configuring Telnet
A Telnet connection offers the convenience of accessing the device from any workstation connected to the network. Telnet carries the user name, password, and the whole session in clear text; use it only on a trusted management network and prefer SSH (see Configuring SSH, page 33) elsewhere. To establish a Telnet connection with the device, run the Telnet program on your workstation and issue the Telnet command followed by the device IP address:
    telnet <device IP address>
To configure Telnet access
1. In the main window of WBM, select Management Interfaces > Telnet. The Telnet window appears.
2. Set the parameters.

Parameter | Description
Telnet Port | The TCP port used by the Telnet server.
Telnet Status | Enables or disables Telnet access to the device.
Telnet Session Timeout | Time-out (in minutes) for which the device maintains the connection during periods of inactivity. Default: 5 minutes. Values: 1 – 120 minutes. Notes: • To avoid affecting device performance, the time-out is checked every 10 seconds, so the actual time-out can be up to 10 seconds longer. • To set your session to never expire, set the timeout to 0 (= unlimited). • When you enter a user name and password, three incorrect attempts lock the terminal for 10 minutes and no further logins are accepted from that IP address.
Telnet Authentication Timeout | Time-out (in seconds) allowed to complete the authentication process. Values: 10 – 60 seconds. Default: 30 seconds.

3. Click Ok. Your configuration is set.
Configuring SSH
Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of the data. SSH uses public-key cryptography to authenticate the remote computer and, if required, to allow the remote computer to authenticate the user. As a secure alternative to using Telnet to manage the device configuration, SSH ensures that all data sent over the network is encrypted.
SSH Public Keys
In addition to password authentication, the device also supports SSH public key authentication. For this method the user has to generate an SSH key pair (public key and private key). Only the public key is imported into the device; the private key stays with the user and must be protected accordingly.
Note: When both a password and a public key are configured for a user, the Authentication Method configured in the client software dictates which authentication is used for this user.
To configure an SSH public key
1. From the Security menu, select Certificates > Import. The Import PKI Components window appears.
2. Import the SSH public key (Entry Type=Key). See Importing Certificates, page 453, for details.
3. From the Security menu, select Users. The Users Table and Authentication window appears.
4. Double-click the existing user, or click Create to add a new user. The User Table Update/Create window appears.
5. In the SSH public key name drop-down, select the key imported in step 2 and click Set. The SSH public key is configured for this user.
Configuring the SSH Connection
There are two versions of SSH: SSH1 and SSH2. AppDirector supports only SSH2.
To set the SSH server connection parameters
1. From the Services menu, select Management Interfaces > SSH > Server. The Secure Shell Parameters window appears.
2. Set the parameters.

Parameter | Description
SSH Port | TCP port on which the SSH server accepts connections.
SSH Status | Enables or disables (default) SSH access to the device.
SSH Session Timeout | Timeout (minutes) for which the device maintains the connection while inactive. Values: 1 – 120 minutes. Default: 5 minutes. Note: To avoid affecting device performance, the time-out is checked every 10 seconds, so the actual time-out can be up to 10 seconds longer.
SSH Authentication Timeout | Timeout (seconds) for completing the authentication process. Available for Telnet and SSH only. When you enter a user name and password, three incorrect attempts lock the terminal for 10 minutes and no further logins are accepted from that IP address. Values: 10 – 60 seconds. Default: 30 seconds.

3. Enter the SSH Port and set the SSH Status to Enable.
4. Click Set. Your configuration is set.
Configuring FTP Server
The FTP Server allows you to connect to the device using FTP and transfer files to and from the device flash memory. FTP sends credentials and file contents in clear text; enable it only for the duration of a transfer on a trusted management network, and disable it afterwards.
To configure the FTP Service
1. From the Services menu, select Management Interfaces > FTP Server. The FTP Server window appears, which contains the following parameters:

Parameter | Description
FTP Server Port | Application port used to access the FTP server on the device.
FTP Server Status | Enables or disables the FTP server on the device.

2. Click Set. Your configuration is set.
Note: To access the device via FTP, the FTP server must be enabled before the access.
Configuring SNMP
The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the exchange of management information between network devices. SNMP is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. Radware devices work with the following versions of SNMP: SNMPv1, SNMPv2, and SNMPv3. Network management systems contain two primary elements: managers and agents. The manager is the console through which the network administrator performs network management functions. Agents are entities that interface with the device being managed, allowing you to change or retrieve objects. These objects are arranged in what is referred to as a Management Information Base (MIB). SNMP is the protocol that allows managers and agents to communicate to access these objects. SNMPv1 and SNMPv2 authenticate requests only by a community string sent in clear text; SNMPv3 adds per-user authentication and encryption and should be used wherever the manager supports it.
SNMPv3
SNMPv3 contains two communication layers between manager and agent:
• User-based Security Model (USM), which provides secure communication, including message integrity and privacy.
• View-Based Access Control Model (VACM), which provides access permissions.
SNMPv3 user parameters:

Parameter | Description
User Name | User name, up to 18 characters.
Use Authentication | Check this box to use authentication.
Authentication Protocol | Authentication protocol for the authentication process. Values: MD5, SHA1, SHA2.
Authentication Password | Password required for authentication.
Use Privacy | Check this box to use privacy (encryption).
Privacy Password | Enter the privacy password.
To set the SNMP Global parameters
1. From the Security menu, select SNMP > Global Parameters. The SNMP Global Parameters window appears.
2. Set the parameters.

Parameter | Description
Supported SNMP Versions | SNMP versions currently supported by the SNMP agent.
Supported SNMP Versions After Reset | SNMP versions supported by the SNMP agent after resetting the device. Check the SNMP versions you wish to support and uncheck the others. Once SNMPv3 users are configured and your manager connects with SNMPv3, uncheck SNMPv1 and SNMPv2 here so that community-string access is no longer possible.
SNMP Port | UDP port on which the agent listens for SNMP requests.
SNMP Status | Status of the SNMP agent. Default: Enable.

3. Click Set. Your configuration is set.
Defining SNMP Users
With SNMPv3 user-based management, each user can have different permissions based on the user name and connection method. You can create a new user by cloning the definitions of an existing user. In the User Based Security Model window, you can define the users that can connect to the device and store the access parameters for each SNMP user.
To define a new user
1. From the Security menu, select SNMP > User Table. The User Table window appears.
2. Click Create. The User Table Create window appears.
3. Set the parameters.

Parameter | Description
User Name | Type the name of the new user, up to 18 characters.
Authentication Protocol | Protocol used during the authentication process. Values: None (default), MD5, SHA1, SHA2. None means the user is not authenticated and its requests are accepted in clear text; do not use it for users with write access.
Authentication Password | Enter an authentication password.
Privacy Protocol | Algorithm to be used for encryption. Default: None, which means that the data is not encrypted. Possible value: DES.
Privacy Password | Enter a privacy password.

4. Click Set. Your configuration is set.
SNMP VACM Edit Security to Group
SNMPv3 permissions are defined for groups of users. The group a user belongs to is selected by the security model and the security name, and the permissions the group receives are selected by the security level of the connection, so the same user can get different permissions depending on how it connects. For example, if user A connects to a Radware device using SNMPv3 with authentication and privacy, the user gets Read-Write permissions; if the same user A connects with authentication and without privacy (data is not encrypted), then the same user gets Read-Only permissions. This is configured by giving the group one Access Table entry per security level; a user can additionally be associated with a different group for each security model (for example SNMPv1 and User Based). You associate users with groups in the VACM Edit Security to Group window. Access rights are defined for groups of users.
VACM MIB View
The View table defines subtrees of the MIB tree. These views are used to grant Read or Write access to parts of the MIB tree. The same Family View name can be used for multiple entries to allow maximum flexibility; each entry can include or exclude parts of the entire MIB tree.
SNMP Access
The Access table binds the groups, views, and security models. It grants permissions to the groups based on the SNMP version. You can define the access rights for each group and security model in the VACM Group Access window. Objects can be accessed for a read, write, or notify action based on the Read View Name, Write View Name, and Notify View Name parameters. These parameters depend on the specified security model. The Read, Write, and Notify permissions are configured for Family View names, which are defined in the VACM MIB View window (see VACM MIB View, page 37).
To configure the SNMP Access Table
1. From the Security menu, select SNMP > Access Table. The SNMP Access Table window appears.
2. Click Create. The SNMP Access Table Create window appears.
3. Set the parameters.

Parameter | Description
Group Name | The name of your group.
Security Model | Select the SNMP version that represents the required Security Model. Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permissions set to be used. Values: Any, SNMPv1 (default), or User Based (SNMPv3).
Security Level | Select one of the relevant Security Levels: • NoAuthNoPriv (default): neither authentication nor privacy is required • AuthNoPriv: authentication is required, but privacy is not • AuthPriv: both authentication and privacy are required. As in standard VACM (RFC 3415), an entry applies to connections at its level or higher, and the matching entry with the highest level is used.
ReadView Name | Name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree are readable by this group.
WriteView Name | Name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree are writable by this group.
NotifyView Name | Name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree can be accessed in notifications (traps) by this group.

4. Click Set. Your configuration is set.
SNMP Target Address
In SNMPv3, this table contains the transport addresses to be used in the generation of traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the range of addresses from which SNMP requests are accepted and to which SNMP traps may be sent. If the Transport Tag of an entry in the Community Table is not empty, it must be included in one or more entries in the Target Address Table. The Target Address Table window allows you to set and update the SNMP target parameters.
To configure the SNMP Target Address Table
1. From the Security menu, select SNMP > Target Address Table. The SNMP Target Address Table window appears.
2. Click Create. The SNMP Target Address Table Create window appears.
3. Set the parameters.

Parameter | Description
Name | Name of this entry.
Address-Port | Target IP address and UDP port, entered as address-port, e.g. 0.0.0.0-162. Port values: 161 for SNMP access, 162 for SNMP traps (default). In the MIB the value is stored as an octet string of 1 to 255 bytes.
Tag List | A list of tags separated by spaces. The tags in the list may be either tags from the Notify Table or Transport Tags from the Community Table.
Parameters | Name of the entry in the Target Parameters Table to be used when sending SNMP traps.
Mask | Mask address of the subnet. Default: 0.0.0.0
Tip: The SNMP Target Address window also allows you to access the SNMP Target parameters window (see SNMP Target, page 39).
SNMP Target
The Target Parameters Table window contains the parameters to be used in generating a message. Entries in this table are referenced from the Target Address Table window.
To configure the SNMP Target Parameters Table
1. From the Security menu, select SNMP > Target Parameters Table. The SNMP Target Parameters Table window appears.
2. Click Create. The SNMP Target Parameters Table Create window appears.
3. Set the parameters.

Parameter | Description
Name | Name of this entry.
Message Processing Model | Select one of the following: • SNMPv1 (default) • SNMPv3
Security Model | Select the SNMP version that represents the required Security Model. Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permissions set to be used. Values: Any, SNMPv1 (default), or User Based (SNMPv3).
Security Name | The name of the user.
Security Level | Select one of the relevant Security Levels: • NoAuthNoPriv (default): neither authentication nor privacy is required • AuthNoPriv: authentication is required, but privacy is not • AuthPriv: both authentication and privacy are required. For SNMPv3 traps use AuthPriv, so that the trap contents (which describe device state) are both authenticated and encrypted.

4. Click Set. Your configuration is set.
SNMP Community Table (SNMPv1 and SNMPv2 Only)
The Community Table provides backwards compatibility with SNMPv1 and SNMPv2 by mapping community strings to users. When a manager connects to the device with SNMPv1 or SNMPv2, the device checks the community string sent in the SNMP packet and maps it to a predefined user, which belongs to a group with certain access rights. Therefore, when working with SNMPv1 or SNMPv2, users, groups, and access must still be defined. You can map community strings to user names and vice versa in the SNMP Community Table window. Together with the Transport Tag, this table restricts the range of addresses from which SNMP requests are accepted and to which traps can be sent. The SNMP Community Table is used only for SNMP versions 1 and 2. The community string travels in clear text and is the only credential for these versions; treat it as a password and remove well-known entries such as "public" once they are no longer needed (see Example SNMPv3 Access to the Device with Authentication and Privacy, page 40).
To configure the SNMP Community Table
1. From the Security menu, select SNMP > Community Table. The SNMP Community Table window appears.
2. Click Create. The SNMP Community Table Create window appears.
3. Set the parameters.

Parameter | Description
Index | A descriptive name for this entry.
Community Name | The community string.
Security Name | User name associated with the community string.
Transport Tag | Specifies a set of target addresses from which the SNMP agent accepts SNMP requests and to which traps can be sent. Target addresses identified by this tag are defined in the Target Address Table. If this string is empty, addresses are not checked when an SNMP request is received or when a trap is sent, so any host that knows the community string can use it. If this string is not empty, the transport tag must be contained in the Tag List of at least one entry in the Target Address Table.

4. Click Set. Your configuration is set.

SNMP Notify Table
Using the SNMP Notify Table, you can select the management targets that receive notifications and the type of notification sent to each selected target. The Tag parameter contains a string used to select entries in the Target Address Table (see SNMP Target Address, page 38). An entry in the Target Address Table whose tag list contains the tag of one or more Notify Table entries is selected for receipt of notifications.
To configure the SNMP Notify Table
1. From the Security menu, select SNMP > Notify Table. The SNMP Notify Table window appears.
2. Click Create. The SNMP Notify Table Create window appears.
3. Set the parameters.

Parameter | Description
Name | A descriptive name for this entry.
Tag | This string selects one or more entries in the Target Address Table. All entries whose tag list contains this tag are selected for reception of notifications.
Example: SNMPv3 Access to the Device with Authentication and Privacy
The following example shows how to configure a Radware device to allow access using only SNMPv3, with MD5 as the authentication protocol and DES as the privacy protocol. Since a user with limited access privileges cannot create a user with unlimited access, the first user must be created via the CLI or via Web Based Management (WBM).
To configure SNMPv3 access with Authentication and Privacy
1. From a browser window, enter the IP address of the AppDirector device. The Web Based Management (WBM) window for the device opens.
2. In WBM, select Security > SNMP > User Table. The User Table window appears.
3. Click Create. The User Table Create window appears. Set the following parameters:

Parameter | Value
User Name | the new user name
Authentication Protocol | MD5
Authentication Password | the authentication password
Privacy Protocol | DES
Privacy Password | the privacy password

4. Click Set. The user is added to the User Table.
5. Open APSolute Insite.
6. From the Device menu, select Add Radware Device > AppDirector. The AppDirector icon appears in Site Explorer and/or on the map.
7. Double-click the AppDirector icon. The Connect AppDirector Device window appears.
8. Enter the Device IP Address and select the SNMPv3 checkbox. The SNMPv3 pane appears.
9. In the User Name field, enter "radware". When connecting using this name, neither authentication nor privacy is required.
10. Click OK. APSolute Insite is connected to the device through SNMPv3.
11. From the Device menu, select Device Permissions. The Device Permissions window appears.
12. Click SNMP. The SNMP pane appears.
13. Click Access. The VACM Group Access window appears.
14. Click Add, then set the following parameters:

Parameter | Value
Group Name | the new group name
Security Model | USM
Security Level | AuthPriv
Read View Name | iso
Write View Name | iso
Notify View Name | iso

15. Click OK twice.
16. To associate the user with the group, in the SNMP pane, click Add. The VACM - Edit Security To Group window appears.
17. Set the following parameters:

Parameter | Value
Security Model | USM
Security Name | the user name from step 3
Group Name | the group name from step 14

18. Click OK twice to close all the windows.
19. Reconnect to the device using SNMPv3 with the user name from step 3 and its password for both the authentication and privacy protocols.
a. To create additional users with the same access rights, open the Users window and add a new user. The new user can be cloned from the currently logged-in user or from a different user (see Defining SNMP Users, page 36).
b. To associate a new user with a group, from the SNMP window, click Add and associate the new user with a group.
c. To restrict SNMPv1 and SNMPv2 access to the device, remove the "public" community entry from the Community window (see page 39). For the same reason, review the "radware" user used in step 9, which connects without authentication or privacy, and restrict it to read-only access or remove it once the new AuthPriv user works.
Example Sending Secured SNMP Traps to Specific s The following example shows how to configure a Radware device to send SNMP traps using a secure channel over SNMPv3. This example is based on the example. See page 40.
To configure sending secure SNMP traps to specific users
1. From the main APSolute Insite window, select Device > Add Radware Device > AppDirector. The AppDirector icon appears in Site Explorer and/or on the map (depending on the view selected).
2. Double-click the AppDirector device icon. The Connect AppDirector Device window appears.
3. Enter the Device IP Address, and select the SNMPv3 checkbox. The SNMPv3 pane appears.
4. In the Name text box, enter "."
5. Click OK. The device is connected using SNMPv3.
6. From the Device menu, select Device Permissions. The Device Permissions window appears.
7. Click SNMP. The SNMP pane appears containing the following configuration options: Targets, Views, Users, Community, Access.
8. Click Target. The Target Address window appears.
9. Click Parameters. The Target Parameters window appears.
10. Click Add. The Edit Target Parameters window appears.
11. Set the parameters.
Parameter                  Description
Name                       Secure Traps
Message Processing Model   SNMP Ver 3
Security Model             User-Based
Security Name
Security Level             Auth Private
12. Click OK twice to return to the Target Address window.
13. Click Add, and set the following parameters according to the values provided:

Parameter        Description
Name             s_NMS
Target Address   10.204.100.18
Target Port      162
Target Mask      A subnet mask of the management station.
Tag List         V3Traps
Parameters       Secure Traps

14. Click OK to apply the setup, and OK again to close all windows.
15. From the Options menu select Events & Traps. The Events & Traps window appears.
SNMP Groups Table
You can associate users with groups in the Groups Table window. Access rights are defined for groups of users, not for individual users.

To configure the SNMP Groups Table
1. From the Security menu, select SNMP > Groups Table. The SNMP Groups Table window appears.
2. Click Create. The SNMP Groups Table Create window appears.
3. Set the parameters.

Parameter        Description
Security Model   Select the SNMP version for association with this group. Values: SNMPv1, User-Based (SNMPv3).
Security Name    Select the relevant security name (the name as defined in the Users Table).
Group Name       Select a name from the list of all available group names.

4. Click Set. Your configuration is set.
SNMP View Table An SNMP view filters objects from the entire MIB and defines a subset of MIB objects. Every SNMP access group has views for read and write access which either allow or limit that group's access to MIB objects. If you want a group to access just a subset of MIB information, you will have to create a new view that describes those MIB object identifiers (OIDs) that should be included or excluded. The View Table window allows you to define these subsets of the MIB tree for use in the Access Table. Different entries may have the same name. The union of all entries with the same name defines the subset of the MIB tree and can be referenced in the Access Table through its name.
To configure the SNMP View Table
1. From the Security menu, select SNMP > View Table. The SNMP View Table window appears.
2. Click Create. The SNMP View Table Create window appears.
3. Set the parameters.

Parameter      Description
View Name      Name of this entry. The MIB view is a subset of the MIB. You can bind a community name or user name with a MIB view when configuring an agent, to control the MIB objects that the NMS can access. You can configure the objects in the MIB view as excluded or included: excluded indicates that not all the nodes on the subtree are included in the current MIB view, and included indicates that the current MIB view includes all the nodes on the subtree.
Subtree        The Object ID of a subtree of the MIB. When combined with the corresponding instance of MASK, it defines a family of view subtrees. The MIB stores data using a tree structure. A node of the tree is a managed object and can be uniquely identified by a path starting from the root node. The managed object system can be uniquely identified by the string of numbers {1.3.6.1.2.1.1}; this string of numbers is the OID of the managed object system. A subtree can be identified by the OID of its root node. For example, the OID of the subtree whose root node is private is the OID of the node private, {1.3.6.1.4}.
Subtree Mask   A subtree OID used with a subtree mask defines a view subtree. A subtree mask is in hexadecimal format. The mask indicates which subidentifiers of the associated subtree OID are significant to a particular MIB view instance. After it is converted to binary bits, each bit corresponds to a node of the OID, where:
               • 1 means full match, that is, the subidentifier of the MIB object to be accessed must be identical to that of the subtree OID.
               • 0 means wildcard match, that is, the subidentifier of the MIB object to be accessed can differ from that of the subtree OID.
               For example, given the subtree mask 0xDB (11011011 in binary) and the subtree OID 1.3.6.1.6.1.2.1, the view determined by them includes all the nodes under the subtree whose OID is 1.3.*.1.6.*.2.1, where * represents any number.
Type           Defines whether the object defined in the entry is included in or excluded from the MIB view. Values: Included (default) or Excluded.

4. Click Set. Your configuration is set.
Notes:
>> If the number of bits in the subtree mask is greater than the number of nodes of the OID, the excess bits of the subtree mask are ignored during subtree mask-OID matching.
>> If the number of bits in the subtree mask is smaller than the number of nodes of the OID, the missing bits of the subtree mask are set to 1 during subtree mask-OID matching.
>> If no subtree mask is specified, the default subtree mask (all ones) is used for mask-OID matching.
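The mask rules above and the included/excluded semantics of the View Table are easy to get wrong when reviewing who can read or write which OIDs. The following Python is an added illustration, not code from the AppDirector guide or from Radware: it implements the subtree/mask matching the guide describes (1 = must match, 0 = wildcard, excess mask bits ignored, short masks padded with ones, missing mask = all ones), reproduces the 0xDB example, and decides whether an OID is visible through a view made of several entries. The precedence rule between overlapping entries (longest subtree wins, ties broken by the lexicographically greater subtree) is taken from RFC 3415, which the guide does not state, so treat that part as an assumption; the sample view (iso included, private excluded) is constructed for the example.

```python
"""VACM view-subtree matching as described in the SNMP View Table section.

Added illustration, not code from the AppDirector guide or from Radware.
Entry precedence (longest subtree, then lexicographically greatest) follows
RFC 3415 and is an assumption on top of what the guide states.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'1.3.6.1.4' or '{1.3.6.1.4}' -> (1, 3, 6, 1, 4)."""
    return tuple(int(p) for p in text.strip("{} .").split("."))


def mask_bits(mask_hex: Optional[str], n_subids: int) -> List[bool]:
    """Expand a hex subtree mask to one flag per subidentifier (True = must match).

    Bits are read most-significant first, one hex digit (4 bits) at a time,
    so an odd-length mask such as '0x8' is still well defined (1000).
    """
    if not mask_hex:
        return [True] * n_subids                      # no mask: default all ones
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    bits: List[bool] = []
    for ch in digits:
        v = int(ch, 16)
        bits.extend(bool((v >> (3 - i)) & 1) for i in range(4))
    bits = bits[:n_subids]                            # excess mask bits ignored
    bits += [True] * (n_subids - len(bits))           # short mask padded with 1s
    return bits


def family_pattern(subtree: OID, mask_hex: Optional[str]) -> str:
    """Render the view subtree family the way the guide does: '*' = wildcard."""
    bits = mask_bits(mask_hex, len(subtree))
    return ".".join(str(s) if must else "*" for s, must in zip(subtree, bits))


@dataclass(frozen=True)
class ViewEntry:
    subtree: OID
    mask: Optional[str]       # hex string such as '0xDB', or None for all ones
    included: bool            # Type column: Included / Excluded


def entry_matches(entry: ViewEntry, oid: OID) -> bool:
    """An OID belongs to the family if it is at least as long as the subtree
    and agrees with it on every subidentifier whose mask bit is 1."""
    if len(oid) < len(entry.subtree):
        return False
    bits = mask_bits(entry.mask, len(entry.subtree))
    return all((not must) or o == s
               for o, s, must in zip(oid, entry.subtree, bits))


def oid_in_view(view: List[ViewEntry], oid: OID) -> bool:
    """Decide whether an OID is visible through a view (all entries sharing
    one View Name). Among matching entries the most specific one decides."""
    hits = [e for e in view if entry_matches(e, oid)]
    if not hits:
        return False
    best = max(hits, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# Constructed sample view: everything under iso, except the private subtree.
SAMPLE_VIEW = [
    ViewEntry(parse_oid("1"), None, included=True),
    ViewEntry(parse_oid("1.3.6.1.4"), None, included=False),
]

if __name__ == "__main__":
    print(family_pattern(parse_oid("1.3.6.1.6.1.2.1"), "0xDB"))      # 1.3.*.1.6.*.2.1
    print(oid_in_view(SAMPLE_VIEW, parse_oid("1.3.6.1.2.1.1.1.0")))  # True: system
    print(oid_in_view(SAMPLE_VIEW, parse_oid("1.3.6.1.4.1.1.0")))    # False: private
```

Feeding a proposed read or write view through oid_in_view with the OIDs an operator actually needs is a quick way to confirm that an "Excluded" entry really carves out what was intended before the group is attached to it in the Access Table.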
Create SNMP User
You can define users that can connect to the device, and store the access parameters for each SNMP user in the User-Based Security Model window.

To define a new user
1. From the Security menu select SNMP > Create SNMP User. The Create SNMP User window appears.
2. Click Create. The User Table Create window appears.
3. Set the parameters.
Parameter               Description
SNMP Version            SNMPv3, SNMPv1, SNMPv2c
User/Community Name     User name or community string name.
Passwords
  Use Authentication    Check this box to use authentication.
  Authentication        Enter an authentication password.
  Use Privacy           Check this box to use privacy.
  Privacy               Enter a privacy password.
Permissions
  Read                  Values: ReadOnlyView/iso (default)
  Write                 Values: ReadOnlyView/iso/none (default)
  Notify                Values: ReadOnlyView/iso/none (default)

4. Click Create. The new SNMP user is created.
Note: A device configuration file that contains SNMPv3 users with authentication can only be used by the specific device on which those users were configured. When exporting the configuration file to another device, the passwords must be re-entered, since the passwords of SNMPv3 users cannot be exported from one device to another. Therefore at least one user must remain in the table (to change the passwords) in case the configuration file is loaded onto another device. This behaviour follows the SNMPv3 RFC.
Version and Configuration Management
This section includes the following topics:
• Upgrades, page 46
• Software Versions, page 47
• Configuration File Management, page 48
• Licensing and Upgrading Licenses, page 53
• Resetting Devices, page 57
• Device Shutdown, page 57
Upgrades
You can upgrade all Radware devices to newer versions with a straightforward FLASH process. Depending on the maintenance contract, you are eligible either for new versions with new features, or for maintenance versions only. Performing an AppDirector device upgrade involves two steps:
• Saving the current device configuration.
• Upgrading the device software.
Radware releases updated versions of AppDirector software that can be downloaded. You can upgrade a device using one of these methods:
• WBM
• CLI
• APSolute Insite
A device upgrade enables new features and functions without altering the existing configuration. New software versions require a password, which can be obtained from the Radware corporate website. You must obtain this password before you load the upgrade file onto the device; if you do not supply the correct password during the upgrade, you cannot proceed. A maintenance-only upgrade does not require a password. The password is based on the software version file and on the Base MAC Address of the AppDirector unit.

Notes:
>> Before upgrading, save the existing configuration file.
>> Before upgrading, refer to the appropriate Release Notes.
>> When downgrading to a software version that does not support the current device license, the license is lost. Contact Radware for more information.
Software Versions

To display a list of software versions loaded on the device
• In WBM, click File > Software List.
• In the Command Line Interface, use the command: system file-system software

To change the active software version
• In WBM, click File > Software List. Select the inactive version (the Active field has the value False), change the Active parameter to True, and click Set to record your preferences. You are prompted to reboot the device.
• In the Command Line Interface, use the command: system file-system config act-appl set X, where X is the application index as previously displayed.

Notes:
>> Each software version has its own configuration file.
>> You can load a new software version using WBM. For versions using the File System, the software file is in TAR format; for previous versions, it is in binary (BIN) format.
Updating Device Software

To upgrade the software version
1. Download the AppDirector software update zip file from Radware's Software Status Matrix (http://www.radware.com/content//software/statusmatrix/default.asp). Write down the software version; you will need it later.
2. Unzip the file. You will see a file named appdirector_[platform]_[major version]_[minor version]_[bugfix version].tar. This is the software update file.
3. If you are upgrading or downgrading to a different major version, use the Password Generator (http://www.radware.com/content//pwordgen/default.asp) to generate a password.
4. In a browser window, enter the IP address of your AppDirector. Web Based Management opens.
5. From the File menu, select Software Upgrade. The Update Device Software window appears.
6. The parameters are as follows:
— Password
— Software version
— File
— Enable New Version checkbox
7. If you are upgrading or downgrading to a different major version, enter your case-sensitive password in the Password field. For instructions on obtaining a password, see step 3 above.
8. In the Software version field, enter the software version that you wrote down in step 1. Note: the software version also appears in the name of the software update file; for example, appdirector-ods1-2_00_01.tar is the file for version 2.00.01.
9. In the File field, click Browse and navigate to the software update file that you downloaded and unzipped. You are looking for a file named appdirector_[platform]_[major version]_[minor version]_[bugfix version].tar.
10. Check Enable New Version to apply the upgrade.
11. Click Set. You are prompted to reset the device.
12. In the Device menu, select Reset Device. The Reset the Device window appears.
13. Click Set to reset AppDirector.
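Steps 1, 3 and 8 of the procedure all hinge on the version string, and the guide shows the update file name in two spellings (underscores in step 2, hyphens in the step 8 example). The following Python is an added check, not Radware's tooling: it derives the version from either file-name form, compares it with the version written down in step 1, and flags the cross-major-version case in which the guide says a Password Generator password is needed. The file names and version numbers passed in are constructed for the example.

```python
"""Check an AppDirector software update file name before the WBM upgrade.

Added illustration, not Radware's tooling. Accepts both spellings shown in
the guide:
  appdirector_[platform]_[major]_[minor]_[bugfix].tar   (step 2)
  appdirector-ods1-2_00_01.tar                          (step 8 example)
"""
import re
from typing import Optional

_NAME_RE = re.compile(
    r"^appdirector[-_](?P<platform>[A-Za-z0-9]+)[-_]"
    r"(?P<major>\d+)_(?P<minor>\d+)_(?P<bugfix>\d+)\.tar$"
)


def version_from_filename(filename: str) -> Optional[str]:
    """Return 'major.minor.bugfix' (zero padding kept, e.g. '2.00.01'),
    or None when the name does not follow the documented pattern
    (for instance the still-zipped download)."""
    m = _NAME_RE.match(filename.rsplit("/", 1)[-1])
    if not m:
        return None
    return f"{m['major']}.{m['minor']}.{m['bugfix']}"


def same_major(version_a: str, version_b: str) -> bool:
    """True when both version strings share the first (major) component."""
    return version_a.split(".")[0] == version_b.split(".")[0]


def check_update_file(filename: str, recorded_version: str,
                      running_version: str) -> dict:
    """Summarise what the Update Device Software form will need."""
    found = version_from_filename(filename)
    return {
        "version_in_filename": found,
        # Step 8: the version typed into WBM must match the file being loaded.
        "matches_recorded": found == recorded_version,
        # Step 3: a different major version requires a generated password.
        "password_required": found is not None
        and not same_major(found, running_version),
    }


if __name__ == "__main__":
    # Constructed sample: file for 2.00.01 loaded on a device running 1.10.02.
    print(check_update_file("appdirector-ods1-2_00_01.tar", "2.00.01", "1.10.02"))
```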
Backup Version Update
To manually update or install the backup application version, use the CLI command system file-system files copy-to-flash x, where x is the index of the new application you want to use (existing applications and their indexes are displayed by the system file-system config act-appl command).
Configuration File Management
The configuration file format is based on the CLI (system config format) and is the default format for all operations. Radware recommends saving the existing configuration of each Radware device: if a configuration change causes problems, users can restore a previous configuration. Files are stored locally on the desktop or laptop.

Caution: Configuration changes cannot be performed until any pending reboot has completed.

The configuration file can be obtained from the device in the following ways:
1. Displayed within the CLI (Console, Telnet, SSH) by entering: system config immediate
2. Copying the output to a text editor.
3. Received from the device using WBM or the terminal command: system config [File] [Server IP].

The configuration file output in the CLI, or the configuration file itself (received from the device), is divided into two sections:

Commands requiring device reboot
Commands which require rebooting the device, including BWM Application Classification Mode, Application Security status, etc. Copying and pasting a command from this section takes effect only after the device is rebooted.
Commands not requiring device reboot
Copying and pasting a command takes effect immediately after the paste.

Within each section, commands are printed in the order of implementation; for example, server-related commands are printed after the farm-related commands. At the end of the file, the device prints the signature of the configuration file. The signature is used to verify the authenticity of the file and that it has not been corrupted. It is validated each time the configuration file is sent to the device; if the validity check fails, the device still accepts the configuration, but a notification is sent to the user that the configuration file has been tampered with and there is no guarantee that it works.

Note: The signature is validated only when sending a complete configuration to the device in Replace mode.
Device Configuration Update
The configuration can be updated using one of the following methods:

1. Append - You can add parts of a configuration to a device. For example, you can add a specific farm and its servers to an AppDirector's configuration. This also allows simple multi-device management, pushing the same BWM Policy to multiple devices at once. It is configured:
a. By pasting the configuration into the terminal using the command system config paste start. Once all the data is pasted, the command system config paste stop must be issued.
b. By sending the file using WBM and selecting the option Append Commands to Configuration File in the Configuration File to Device window.
c. By performing the terminal command system config append.
Using the Append method you can only append commands which do not require rebooting the device for the commands to take effect. If a command which requires a reboot is pasted or sent to the device using the Append method, the command is not implemented. To log the command outputs in the terminal, enter system config append with the option -v. The output to the terminal displays each command and its result.

2. Append and Reboot - You can add parts of a configuration to a device. The difference between this option and the Append option is that it also supports commands that require rebooting the device for the commands to take effect. The flow of commands using the Append and Reboot option is as follows:
— All commands requiring a reboot of the device are implemented first.
— The device is rebooted.
— All commands not requiring a reboot of the device are implemented.
The Append and Reboot method is supported using the following options:
a. By performing the terminal command system config append-reboot.
b. By sending the file using WBM and selecting the option Append Commands to Configuration File with Reboot in the Configuration File to Device window.
To log the command outputs in the terminal, enter system config append-reboot with the option -v. The output to the terminal displays each command and its result.
3. Replace - You can replace the complete configuration file with a new configuration file. This requires rebooting the device. You can send the configuration file to the device as follows:
a. By pasting the configuration into the terminal using the command system config paste-replace. Once all the data is pasted, CTRL+C must be pressed.
b. By performing the terminal command system config replace.
c. By sending the file using WBM and selecting the option Replace Configuration File in the Configuration File to Device window. When using this option, you can send a configuration file to the device in CLI format.

Note: system config replace does not support configuration files from previous versions.
Automatic Rollback to Last Known Good Configuration
The device also supports an automatic rollback to the last known good configuration in case of a fatal error after a configuration is loaded. The rollback is performed automatically if a problem occurs during the reboot and initialization process that follows sending a configuration file to the device in Replace mode. Once the rollback occurs, the device reboots again and loads the configuration which existed prior to the first reboot.
Configuration Management Log File
The Configuration Management log file records every error printout which occurs when configuration text files are loaded. The log file is accessed via the following management options:
1. WBM - The log file is managed via the following menus:
— The user can clear the file via the menu File > Configuration > Log File > Clear.
— The user can retrieve the file via the menu File > Configuration > Log File > .
— The user can display the file via the menu File > Configuration > Log File > Show.
2. CLI - The following command is used to view the Configuration Management log file:
— system config logfile

Notes:
>> If there is no room on the device's compact flash to store the file, the device does not log any information within the log file.
>> Each event is also sent via Email, Syslog, SNMP traps and console trap.
Sending a Configuration File to the Device

To send a configuration file to the device
1. From the File menu, select Configuration File > Send To Device. The Configuration File to Device window appears.
2. Select the mode from one of the following:

Parameter                                            Description
Replace Configuration File                           The existing configuration file is replaced by the one sent, and the device is rebooted.
Append Commands to Configuration File                Used when the new configuration file is a text file containing CLI configuration commands and you want to execute only those commands. The CLI commands are appended to the device's existing configuration file and executed.
Append Commands to Configuration File with Reboot    Similar to the above, except that the device is rebooted after the commands have been appended to the configuration file.

3. Enter the name of the file you want to send. Alternatively, click Browse to search the directory tree for the file.
4. Click Set. The file is sent to the device.
Receiving a Configuration File (Saving and Restoring)
This section discusses saving and restoring configuration files by receiving them from the device.

To receive the configuration file from the device
1. From the File menu, select Configuration > Receive from Device. The Configuration File window appears.
2. Set the parameters.
3. In the Configuration Type field, select one of the following:

Parameter               Description
Regular                 The device's own configuration.
Peer (Active-Active)    A configuration created for peer device synchronization in an Active-Active environment. This configuration must be sent to the peer device. To enable this device to create such a configuration, you need to provide the IP of the same interface on the peer device for each IP Interface that you configured on this device. Note: The configuration file for Active-Active synchronization is supported for proprietary redundancy only.
Backup (Active-Backup)  A configuration created for backup device synchronization in an Active-Backup environment. This configuration must then be sent to the backup device. To enable this device to create such a configuration, you need to provide the IP of the same interface on the peer device for each IP Interface that you configured on this device.

4. Mark the checkbox if you want to include Private Keys.
5. Click Set. The file is received from the device.
Log Files
A server log is a log file (or several files) automatically created and maintained by a server, recording the activity it performs. A typical example is a web server log, which maintains a history of page requests. More recent entries are appended to the end of the file. Information about the request, including client IP address, request date/time, page requested, HTTP code, bytes served, user agent, and referer, is added. This data can be combined into a single file, or separated into distinct logs, such as an access log, error log, or referer log. However, server logs do not collect user-specific information. These files are usually not accessible to general Internet users, only to the administrator or other administrative personnel.
Show Log File
The Configuration Error Log window allows you to view the configuration errors. The report of configuration errors presented in this log file is generated automatically by the device.

To view the Log File
From the File menu, select Configuration > LogFile > Show. The Configuration Error Log window appears, displaying the configuration errors.

Logfile Clear
The Clear Error Log window allows you to clear the data contained in the configuration log file.

To clear the Error Log
1. From the File menu, select Logfile > Clear. The Clear Error Log window appears.
2. Click Set. The log file is cleared.

Retrieving the Logfile
The Error Log window allows you to retrieve the log file that contains configuration errors. Once the file is retrieved, you can view it.
To retrieve the Error Log
1. From the File menu, select Logfile > . The Error Log window appears.
2. To retrieve the latest error log file, click Set. The file is retrieved and you can now view it.
Licensing and Upgrading Licenses
You can upgrade the software capabilities of AppDirector via the licensing procedure; for example, adding BWM and IPS (when the Acceleration Application is disabled). To change licenses, you need to insert a new license code. The license provided to you is a one-time license: once it is changed, the old license code cannot be re-used. For example, if a license that includes BWM and IPS activation keys was given to you on a trial basis but not purchased, Radware will provide you with another license without these activation keys, and the old license cannot be reused. Each license is based on the device's MAC address and on a license ID that changes every time a new license is inserted. To obtain a license upgrade, you need to send the MAC address and the current license ID of the device. To perform a license downgrade, you also have to send the MAC address and the current license ID of the device. Once you receive and insert the new license, a screen capture of the License Upgrade window or the output of the system license get CLI command must be sent to Radware to prove that you are using the new license. Radware ensures that the old license cannot be reused. The following procedures enable you to upgrade your software and throughput licenses using WBM and the Command Line Interface (CLI).

Note: Users of Radware's APSolute Insite can also upgrade the AppDirector device license from there. For further details, see the APSolute Insite Guide.

Upgrading Licenses Using WBM
You can upgrade the software capabilities of AppDirector via the licensing procedure and increase product capacity (throughput). For more information about obtaining licenses, please contact Radware Technical Support. To change licenses, you need to insert a new license code. The license provided to you is a one-time license: once it is changed, the old license code cannot be re-used. Each license is based on the device's MAC address and on a license ID that changes every time a new license is inserted. To obtain a license upgrade, you need to send the MAC address and the current license ID of the device. To perform a license downgrade, you also have to send the MAC address and the current license ID of the device. Once you receive and insert the new license, a screen capture of the License Upgrade window or the output of the system license get CLI command must be sent to Radware to prove that you are using the new license. Radware then ensures that the old license cannot be reused. The following procedure enables you to upgrade your license using WBM.
To upgrade a license
1. From the Device menu, select License Upgrade. The License Upgrade window appears.
2. Set the configurable parameters.

Parameter                                             Description
Base MAC Address                                      The MAC address of the first port on the device.
License ID                                            Reports the device software license ID; it must be provided to the Radware ordering department when a new license is required.
Insert your License Code                              The device software license allows you to activate advanced software functionality.
Throughput License ID                                 Manages the device throughput license ID; it must be provided to the Radware ordering department when a new throughput license is required.
Insert your Throughput License Code                   Manages the device throughput level license.
Enhanced Acceleration SSL S License ID                Sets or displays AppDirector's SSL Connections Per Second license as follows:
                                                      • appdirector-ssl-500
                                                      • appdirector-ssl-2000
                                                      • appdirector-ssl-5000
                                                      • appdirector-ssl-10000
                                                      • appdirector-ssl-20000
                                                      • appdirector-ssl-30000
                                                      • appdirector-ssl-40000
                                                      • appdirector-ssl-50000
                                                      • appdirector-ssl-unlimited
Insert your SSL S License Code                        Manages the device SSL S license ID; it must be provided to the Radware ordering department when a new throughput license is required.
Compression on server's side License ID               Sets or displays AppDirector's Compression on the server's side license as follows:
                                                      • appdirector-compression-100
                                                      • appdirector-compression-250
                                                      • appdirector-compression-500
                                                      • appdirector-compression-750
                                                      • appdirector-compression-1000
                                                      • appdirector-compression-1250
                                                      • appdirector-compression-1500
                                                      • appdirector-compression-unlimited
Insert your Compression on server's side License Code  Manages the device Compression on server's side license ID; it must be provided to the Radware ordering department when a new throughput license is required.

3. Enter your new license code, located on your CD case (or downloaded from www.radware.com), in the License Code field.
Note: The license code is case sensitive.
4. Enter your new License ID in the License ID field.
Note: The license ID is case sensitive.
5. Click Set to perform the reset. The reset may take a few minutes. A success message is displayed on completion.
Upgrading Licenses Using the CLI
You can upgrade your software and hardware licenses using the Command Line Interface (CLI).

To upgrade a software license using the CLI
1. In the CLI, type system license.
2. Press Enter. The current license code is displayed.
3. Type system license set .
4. Press Enter. A license updated message is displayed in the command line.
Note: To implement the upgrade, the device must be reset.
5. Type reboot to reset the device, and then type yes to confirm the reset.
To upgrade a hardware license using the CLI
1. In the CLI, type system hw-license.
2. Press Enter. The current license code is displayed.
3. Type system hw-license.
4. Press Enter. A message is displayed in the command line indicating that the license has been updated.
Note: To upgrade, you must be using Port =10G. The device must be reset.
5. Type reboot to reset the device, and then type yes to confirm the reset.
Managed Devices

Standard Acceleration
When in Acceleration disabled mode, and using AppXcel devices managed by AppDirector with T splitting, the configuration must be entered in the Managed Devices Table. AppDirector opens an SSH/Telnet connection to the management IP of each AppXcel configured in its Managed Devices Table and sends it the relevant information regarding the availability and load of the backend servers.
To configure AppXcels managed by the AppDirector device
1. From the Device menu, select Manage Devices. The Manage Devices Table window appears.
2. Set the parameters.

Parameter                      Description
Device Name                    Name of the managed AppXcel device.
Description                    Description of the managed AppXcel device.
Management IP                  IP address by which the managed device can be accessed.
Management Application         The application used to manage the remote device. • SSH (default) • Telnet
Management Port                The layer 4 destination port of the application used to manage the AppXcel device. Default: 22
Status                         Controls the status of the managed device. • Disable: The connection is closed. • Enable: The connection remains open.
User Name                      User name to be used for authentication during communication with the managed device.
Password                       Password used for authentication during communication with the managed device.
Connection Status (Read Only)  Displays the status of the connection to the managed device as follows: • Connecting - Trying to establish an SSH/Telnet connection with AppXcel. • Open - Connection is established but the managed device is not in sync yet. • In Sync - Managed device is in sync. • Terminating - Connection was closed by AppXcel. • Closed - Connection is closed.
#Sent Messages (Read Only)     Counts the number of messages sent from AppDirector to the managed device since the connection was established. Displays 0 when no connection is present.
#Received Messages (Read Only) Counts the number of messages received by AppDirector from the managed device since the connection was established. Displays 0 when no connection is present.

3. Click Set. Your preferences are recorded.
Resetting Devices
You may have made various changes to configurations and settings that require a device reset to take effect. You can reboot the device at any time.

To reset an AppDirector device
1. In the Device window, select Reset Device.
2. The device is reset.

Device Shutdown
If you need to shut down the device (assuming you have the required privileges), use this procedure.

To shut down the device
1. Click Shutdown. The following dialog message appears.
2. Click OK to confirm; the device begins shutting down.
Tuning AppDirector
This section describes the interfaces and methods for tuning AppDirector. Use Tuning to determine the maximum number of entries allowed in the various tables listed. This section includes:
• Device Tuning, page 58
• Device Global Parameters, page 61
• Main Device Tuning Parameters, page 62
• Client Table Settings Tuning, page 65
• DNS Settings Tuning, page 65
• NAT Settings Tuning, page 65
• Session Table Tuning, page 67
• Tuning Memory Check, page 67
• Tuning Statistics, page 68
• Bandwidth Management Tuning (ODS Devices Only), page 68
• Classifier Tuning, page 69
• SYN Protection Tuning, page 71
• Application Security Tuning, page 72
• Behavioral DoS Tuning Parameters, page 73
Device Tuning The Device Tuning window allows you to tune the AppDirector device. The values in the fields are synchronized and any changes are implemented after the device reset.
To tune the AppDirector device tables 1.
From the Services menu, select Tuning > Device. The Device Tuning window appears.
2.
Set the parameters.
58
Parameter
Description
Bridge Forwarding Table (Read Only)
Limit on number of local station addresses. Read-only parameter.
Bridge Forwarding Table (After Reset)
After reset, the limit on number of local station addresses.
IP Forwarding Table (Read Only)
Displays limit on the number of IP destinations.
IP Forwarding Table (After Reset)
After reset, displays the limit on the number of IP destinations.
ARP Forwarding Table (Read Only)
Contains Destination MAC Address per Destination IP.
ARP Forwarding Table (After Reset)
After reset, the limit on the number of entries in the ARP table.
Client Table (Read Only)
Limit on the number of entries in the Client Table.
Client Table (After Reset)
After reset, the limit on the number of entries in the client table.
Hosts Table (Read Only)
Limit on the number of entries in the Hosts Table.
Hosts Table (After Reset)
After reset, the limit on the number of entries in the Hosts Table.
Request Table (Read Only)
Limit on the number of entries in the Request Table, which is used by all delayed-binding-based mechanisms, for example SSL ID tracking and Layer 4 Policies.
Request Table (After Reset)
After reset, the limit on the number of entries in the Request Table, which is used by all delayed-binding-based mechanisms, for example SSL ID tracking and Layer 4 Policies.
Routing Table (Read Only)
Limit on the number of entries in the Routing Table.
Routing Table (After Reset)
Limit on the number of entries in the Routing Table after reset.
Client NAT Addresses (Read Only)
Specifies the number of IP addresses to be used for NAT. The default is 0, the maximum value is 128.
Client NAT Addresses (After Reset)
After reset, specifies the number of IP addresses to be used for NAT. The default is 0, the maximum value is 128.
Client NAT Ports Per Address (Read Only)
Specifies the number of ports to be used with each IP address; the maximum value is 63K. Note: Before enabling Client NAT, this must be set to a value greater than 0.
Client NAT Ports Per Address (After Reset)
After reset, specifies the number of ports to be used with each IP address; the maximum value is 63K. Note: Before enabling Client NAT, this must be set to a value greater than 0.
Outbound NAT Addresses (Read Only)
Limit on the number of entries in this table.
Outbound NAT Addresses (After Reset)
Limit on the number of entries in this table after reset.
Outbound NAT Ports Per Address (Read Only)
Limit on the number of entries in this table.
Outbound NAT Ports Per Address (After Reset)
Limit on the number of entries in this table after reset.
Outbound NAT Intercept Ranges (Read Only)
Limit on the number of entries in this table.
Outbound NAT Intercept Ranges (After Reset)
Limit on the number of entries in this table after reset.
Proximity Subnets (Read Only)
Limit on the number of entries in this table.
Proximity Subnets (After Reset)
Limit on the number of entries in this table after reset.
Session IDs (Read Only)
Specifies size of table in which association of Session ID values to servers is kept. Default table size is 16,384, maximum is 256,000.
Session IDs (After Reset)
Specifies size of table in which association of Session ID values to servers is kept, after reset. Default table size is 16,384, maximum is 256,000.
Layer3 Client Table (Read Only)
Size of the Layer 3 Client Table, configured as a percentage of the Client Table size. Default: 20%.
Layer3 Client Table After Reset [% of the client table]
Size of the Layer 3 Client Table after reset, configured as a percentage of the Client Table size. Default: 20%.
Network Segments (Read Only)
Displays the number of Network Segments supported when the device uses the segmentation feature.
Network Segments After Reset
Displays the number of Network Segments supported after reset when the device uses the segmentation feature.
Layer 4 Policies (Read Only)
Number of Layer 4 policies that can be defined on the device.
Layer 4 Policies After Reset
Number of Layer 4 policies that can be defined on the device after reset.
Static DNS Persistency Entries (Read Only)
Displays the number of DNS entries used in static DNS persistency.
Static DNS Persistency Entries After Reset
Displays the number of DNS entries used in static DNS persistency after reset.
Dynamic DNS Persistency Entries (Read Only)
Displays the number of DNS entries used in dynamic DNS persistency.
Dynamic DNS Persistency Entries After Reset
Displays the number of DNS entries used in dynamic DNS persistency after reset.
Session Table (Read Only)
Displays the number of entries the session table can hold.
Session Table After Reset
Displays the number of entries the session table can hold after reset.
Session Passive Protocols Table (Read Only)
Displays the number of session passive protocols entered in the table.
Session Passive Protocols Table After Reset
Displays the number of session passive protocols entered in the table after reset.
Session Resets Table (Read Only)
Current number of sessions that the device tracks in order to send a RESET when "Send Reset To Server" is enabled in the Session Table.
Session Resets Table After Reset
Number of sessions after reset that the device tracks in order to send a RESET when "Send Reset To Server" is enabled in the Session Table.
Acceleration Engine RAM Percentage For Cache (Enhanced Acceleration)
Percentage of Accel-engine RAM allocated for cache. Also see Caching Policies, page 220. Default: 20
Acceleration Engine RAM Percentage For Cache After Change
Percentage of Accel-engine RAM allocated for cache after change. Also see Caching Policies, page 220.
3. Click Set. Your configuration is set.
You can determine the maximum number of entries allowed in the various tables in the following Device Tuning Table tabs:
• AppDirector
• BWM
• Security Settings
Note: Most of the parameters in the BWM and Security Settings tabs described above only exist in devices with BWM and IPS activated. You can also define the security parameters for your previously defined security policy. The values in the fields are synchronized, and any changes are implemented after the device is reset.
Caution: Device Tuning should only be performed after consulting Radware Technical Support.
Device Global Parameters
This feature defines the Hardware version of the product.
To view Device Global Parameters
1. In the Device menu, select Device Global Parameters. The Device Global Parameters window appears.
2. Set the parameters.
Parameter
Description
Description (Read Only)
A textual description of the entity. This value includes the full name and version identification of the system's hardware type, software operating-system, and networking software.
Name
Administratively-assigned name for this managed AppDirector device/node. By convention, this is the node's fully-qualified domain name. If the name is unknown, the value is the zero-length string. This value is optional.
Location
Physical location of this AppDirector device/node (e.g., telephone closet, 3rd floor). Setting this value is optional.
System Up Time (Read Only)
Reports the time elapsed since the device's last reboot.
Contact
The information of the person responsible for AppDirector. Setting this value is optional.
Bootp Server Address
Sets the IP address of the BootP server.
Bootp Threshold
Sets the BootP threshold (the number of seconds that the device waits before relaying requests to the BootP server). The device forwards BootP requests to the BootP server and acts as a BootP relay. This delay allows local BootP servers to answer first.
Serial Number (Read Only)
Displays the device serial number.
Software Version (Read Only)
Reports the device's software version, e.g. 2.10.00
Hardware Version (Read Only)
Reports the device's hardware version, e.g. 3.1.
3. Click Set. Your configuration is set.
Main Device Tuning Parameters
Main device tuning parameters are described here:
Parameter
Description
Bridge Forwarding Table (Read Only)
Used when regular VLAN is defined. AppDirector learns the MAC addresses of frames arriving from each physical interface, and maintains a list of MAC addresses per interface. The table that stores this list is the Bridge Forwarding table.
IP Forwarding Table (Read Only)
Contains the destination MAC address and port per destination IP address. A MAC address is searched for in this table before it is searched for in the ARP table. A larger tuning value means that more distinct IP addresses can be recorded in this table, improving performance.
ARP Forwarding Table (Read Only)
Contains Destination MAC Address per Destination IP.
Routing Table (Read Only)
Stores information about destinations and how they can be reached. By default, all networks directly attached to AppDirector are supported in this table. Other entries can be either statically configured or dynamically created through the routing protocol.
Hosts Table (Read Only)
Defines the relationship between host names and Layer 4 Policy entries.
Request Table (Read Only)
Contains Layer 7 information saved during delayed binding.
Client NAT Addresses (Read Only)
Specifies the NAT addresses used to hide the IP addresses of clients accessing this farm. For each farm you can select a single NAT Address range. Note: When no Client NAT Address Range is selected for a farm, AppDirector uses any configured Client NAT Address Ranges when performing Client NAT for servers in this farm.
Client NAT Ports Per Address (Read Only)
Specifies number of ports used with each IP address.
Proximity Subnets (Read Only)
Defines limit on the number of Proximity subnets.
Session IDs (Read Only)
With Session ID Persistency, a server's reply contains a Session ID, which is saved in this table.
Network Segments (Read Only)
Segments supported when the device uses segmentation.
Layer 4 Policies (Read Only)
Maximum number of Layer 4 policies defined on device.
Session Resets Table (Read Only)
Current number of sessions that the device tracks in order to send a RESET when "Send Reset To Server" is enabled in the Session Table.
Note: Before enabling Client NAT, the Client NAT Ports Per Address parameter must be set to a value higher than zero.
Acceleration Engine RAM Percentage For Cache (Read Only)
Percentage of Accel-engine RAM allocated for cache. Also see Caching Policies, page 220.
SNMP Communities
The SNMP community table allows backwards compatibility with SNMPv1 and SNMPv2. The Community Table maps community strings to users. Once a user connects to the Radware device with SNMPv1 or SNMPv2, the device checks the Community String sent in the SNMP packet. Based on the Community String, the device maps it to a pre-defined user, which belongs to a group with certain access rights. Therefore, when working with SNMPv1 or SNMPv2, users, groups, and access rights must be defined as well.
Logical Servers
AppDirector works with server farms rather than with individual servers. An AppDirector farm is a group of networked servers that provide the same service. Utilizing multiple servers organized in a farm accelerates the service response time and improves overall performance. Configurable logical server parameters include:
• maximum number of application server connections
• weight of the server in a farm
• the Response Threshold parameter, which defines the number of milliseconds in which the server may reply to the GET command
• maximum amount of bandwidth in Kbps allowed for this application server
Physical Servers
You can configure the physical servers you have included in your server farm, including:
• maximum number of application server connections
• maximum number of frames per second dispatched to the server since the last reset
• number of currently active users attached to the server
• number of frames per second dispatched to the server
• number of frames sent to the server
Servers per Farm
Average number of servers per farm.
Farms
Default number of farms configurable on one device.
NHRs
A Next Hop Router (NHR) is a network element used for outbound traffic in AppDirector Multi Homing configurations. NAT addresses can be associated with NHRs, similar to the way VIPs are associated with NHRs. This provides a backup NHR for NAT Addresses, or for the simultaneous use of two NHRs with Hashing for the outbound traffic.
VIP NHR
The VIP NHR Table enables you to associate a next hop router that is configured in the NHR Table with a virtual IP address configured on the device, for example for a Server Farm.
Static Proximity Entries
Number of proximity subnets configurable per farm. Static Proximity is configured through the farm parameters.
Bandwidth Management Settings Tuning
You can tune the Bandwidth Management Settings tables according to your needs. The following table describes the Bandwidth Management tables and their tuning parameters.
Parameter
Description
Policy Table
Maximum number of bandwidth management policy entries in the table. A policy classifies traffic passing through the device, enforces bandwidth management, and enables access control.
Network Table
Maximum number of network ranges entered in the table. A network is a logical entity that consists of a group of IP addresses linked together by a network IP and subnet mask or a range of IP addresses (from-to) that is identified by a unique name.
Destination Table
Maximum number of Destination Address entries in the table. A Destination Address can be a specific IP address, a range of IP addresses, or an IP subnet address. Each address in the table contains an optimized list of policies, which improves classification time for the specific destination addresses. The number of entries is the number of concurrent Destinations that the device supports.
Regular Service Table
Maximum number of regular (basic) service entries in the table. A regular service is a set of traffic parameters that define a packet.
Advanced Service Table
Maximum number of advanced service entries in the table. An advanced class is a group of regular classes with a logical AND relation between them.
Grouped Service Table
Maximum number of service group entries in the table. A grouped service is a group of regular services and/or grouped filters with a logical OR relation between them.
Content Table
The device uses content searches in the Layer 7 policies that can be defined for BWM.
Discrete IP Addresses Per Network
Maximum number of individual IP addresses in a single dynamic network. Relevant for CID only.
Subnets Per Network
Maximum number of subnets sharing the same network name in a single network entry.
MAC Groups
Maximum number of MAC group entries in the table. A MAC group classifies applications and protocols present in the traffic, and sent to or from a transparent network device like a firewall or router.
BW Per Traffic Flow
Maximum number of traffic flows for a single policy. Used only for bandwidth management per traffic flow.
Protocol Discovery Reports
Maximum number of ports to be monitored by the Protocol Discovery module.
Application Port Group
Group of Layer 4 ports for UDP and TCP traffic only. Each group is identified by its unique name. Each group name can be associated with a number of entries in the Application Port Groups table.
Client Table Settings Tuning
You can tune the Client Table Settings according to your needs. This table describes the Client Tables and their tuning parameters.
Parameter
Description
Client Table
Keeps track of which clients are connected to which servers for each of the Local Farms.
Layer 3 Client Table
Contains information about the server selected for each client (Source IP address) in each farm, defined as a percent of the Client Table size. While setting Layer 3 Client Table entries, note the number of entries in the Client Table opened for each new session. For example, if for each session there are 5 Client Table entries, set the size of the table to 20%.
DNS Settings Tuning
You can tune the DNS Settings according to your needs. This table describes the DNS Settings tables and their tuning parameters.
Parameter
Description
Static DNS Table
Maximum number of DNS entries used in static DNS Persistency. See Static DNS Persistency, page 317.
Dynamic DNS Table
Maximum number of DNS entries used in dynamic DNS Persistency. See DNS Persistency, page 315.
NAT Settings Tuning
You can tune the NAT Settings according to your needs. This table describes the NAT Settings tables and their tuning parameters.
Parameter
Description
NAT Ports Table
Specifies the number of ports used with each IP address. AppDirector uses a port range that starts at 1024 and ends according to the NAT Ports per Address value.
NAT Addresses Table
Specifies number of IP addresses used for NAT.
Outbound NAT Addresses
Defines the number of IP addresses to be used by Outbound NAT. Note: Before enabling Outbound NAT, this must be set to a value greater than 0.
Outbound NAT Ports per Address
Defines the number of ports used with each NAT IP address. Note: Before enabling Outbound NAT, this parameter must be set to a value higher than zero.
Outbound NAT Intercept Addresses
Defines the number of IP ranges intercepted and NATed by Outbound NAT. Note: Before enabling Outbound NAT, this must be set to a value greater than 0.
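As an added example (not Radware code, and not a model of the device's internals), the following Python encodes the constraints this table and the Client Table Settings Tuning table state for Client NAT, Outbound NAT and the Layer 3 Client Table, and models the per-address port range that starts at 1024; the parameter names mirror the tables, and reading "63K" as 63 * 1024 ports is an assumption.

```python
"""Pre-flight checks for the NAT and Client Table tuning values in this guide.

Added example (not Radware code): it encodes the constraints the guide states
(Client NAT ports > 0 before enabling Client NAT; Outbound NAT addresses, ports
and intercept ranges > 0 before enabling Outbound NAT; at most 128 Client NAT
addresses and 63K ports per address; port range starting at 1024) and models
the resulting NAT pool. "63K" is read as 63 * 1024 ports (assumption).
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Hashable, List, Optional, Tuple

MAX_CLIENT_NAT_ADDRESSES = 128
MAX_NAT_PORTS_PER_ADDRESS = 63 * 1024   # 1024..65535 is exactly this many ports
NAT_PORT_RANGE_START = 1024             # the guide: the port range starts at 1024


@dataclass
class NatTuning:
    client_nat_enabled: bool
    client_nat_addresses: int
    client_nat_ports_per_address: int
    outbound_nat_enabled: bool
    outbound_nat_addresses: int
    outbound_nat_ports_per_address: int
    outbound_nat_intercept_ranges: int


def check_nat_tuning(t: NatTuning) -> List[str]:
    """Return the constraint violations for a planned tuning change (empty = OK)."""
    problems: List[str] = []
    if not 0 <= t.client_nat_addresses <= MAX_CLIENT_NAT_ADDRESSES:
        problems.append(f"Client NAT Addresses must be 0..{MAX_CLIENT_NAT_ADDRESSES}")
    if not 0 <= t.client_nat_ports_per_address <= MAX_NAT_PORTS_PER_ADDRESS:
        problems.append(f"Client NAT Ports Per Address must be 0..{MAX_NAT_PORTS_PER_ADDRESS}")
    if t.client_nat_enabled and t.client_nat_ports_per_address <= 0:
        problems.append("Client NAT is enabled but Client NAT Ports Per Address is 0")
    if t.outbound_nat_enabled:
        for name, value in (("Outbound NAT Addresses", t.outbound_nat_addresses),
                            ("Outbound NAT Ports per Address", t.outbound_nat_ports_per_address),
                            ("Outbound NAT Intercept Addresses", t.outbound_nat_intercept_ranges)):
            if value <= 0:
                problems.append(f"Outbound NAT is enabled but {name} is 0")
    return problems


def nat_port_range(ports_per_address: int) -> Tuple[int, int]:
    """Inclusive port range used with each NAT address: 1024 up to
    1024 + NAT Ports per Address - 1."""
    if not 1 <= ports_per_address <= MAX_NAT_PORTS_PER_ADDRESS:
        raise ValueError("NAT Ports per Address out of range")
    return NAT_PORT_RANGE_START, NAT_PORT_RANGE_START + ports_per_address - 1


class ClientNatPool:
    """Models the Client NAT pool: every configured address offers the same port
    range, so capacity is addresses * ports per address. allocate() returns None
    when the pool is exhausted, which is what an undersized tuning looks like."""

    def __init__(self, addresses: List[str], ports_per_address: int) -> None:
        lo, hi = nat_port_range(ports_per_address)
        self.capacity = len(addresses) * ports_per_address
        self.free: Deque[Tuple[str, int]] = deque(
            (addr, port) for addr in addresses for port in range(lo, hi + 1))
        self.in_use: Dict[Hashable, Tuple[str, int]] = {}

    def allocate(self, flow: Hashable) -> Optional[Tuple[str, int]]:
        """Hand out the next free (address, port) for a client flow, or None."""
        if flow in self.in_use:
            return self.in_use[flow]
        if not self.free:
            return None
        self.in_use[flow] = self.free.popleft()
        return self.in_use[flow]

    def release(self, flow: Hashable) -> None:
        """Return a flow's (address, port) to the pool when the session ends."""
        mapping = self.in_use.pop(flow, None)
        if mapping is not None:
            self.free.append(mapping)


def layer3_client_table_percent(entries_per_session: int) -> int:
    """Layer 3 Client Table size as a percentage of the Client Table, using the
    guide's rule: 5 Client Table entries per session means a 20% Layer 3 table."""
    if entries_per_session <= 0:
        raise ValueError("entries per session must be positive")
    return round(100 / entries_per_session)
```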
Security Tuning
Security tables store information about sessions passing through the device, and their sizes are correlated to the number of sessions. Some of the tables store Layer 3 information for every Source-Destination address pair of traffic going through the device; these pairs require an entry for each combination. Some of the tables keep information about Layer 4 sessions, which means that every combination of Source Address, Source Port, Destination Address and Destination Port requires its own entry in the table.
Note: Layer 4 tables are usually larger than Layer 3 tables. For example, a typical TCP client using HTTP opens several TCP sessions to the same destination address.
Each Security table has its own Free-Up process, which is responsible for clearing old entries that are no longer required from the table and for ensuring that all detected attacks are reported and logged properly. The Free-Up Frequency for each table determines how often the device clears unnecessary entries from the table and stores information about newly detected security events in a dedicated internal alerts buffer. The alerts are then distributed to the log file, SNMP management station, and Syslog server, as required by the configuration. The alerts buffer ensures that the device is not overloaded with alert distribution. You can tune the Security tables according to your needs. Descriptions of the Security tables and their tuning parameters are shown here.
Parameter
Description
Log File Polling Time (ms)
Configures how often alerts are read from the internal alerts buffer and sent to the log file. If the device is busy, change this value to 1,000 ms to ensure that all alerts are logged on time.
Target Table
Contains an attack detection system that is based on the destination addresses of the incoming traffic. If the number of packets sent to the same destination is above the predefined limit, it is identified as an attack. The Target Table tuning parameters define how often per session to check the destination address.
Source Table
Contains attack detection system based on source addresses of the incoming traffic. If the number of packets sent from the same source is above the predefined limit, it is identified as an attack. The Source Table parameters define how often per session to check the source address.
Source & Target Table
Contains an attack detection system that is based on the Source and Destination addresses of the incoming traffic. Each entry in this table contains Source and Destination addresses. If the number of packets sent from the same Source to the same Destination is above the predefined limit, it is identified as an attack. The Source & Target Table tuning parameters define how often per session to check the source address.
Security Tracking Tables Free-Up Frequency (ms)
Determines how often the device clears unnecessary entries from the table and stores information about newly detected security events.
DHCP Discover
Contains an attack detection system based on counting the IP requests for each MAC address. Requests are made using the Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address is above the predefined limit, it is identified as an attack. The DHCP Discover tuning parameter determines how many MAC addresses to check.
IP Reassembly buffers pool size (MB)
Defines memory size allocated for the IP reassembly process. To perform reassembly for more packets, you need to increase the memory size.
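As an added example (not Radware code), this Python models the mechanism the Security Tuning section describes: per-destination (Target), per-source (Source) and per-pair (Source & Target) packet counters that flag a key once its count exceeds a limit, a Free-Up sweep that clears idle entries, and an internal alerts buffer that is drained to the log at the Log File Polling interval. The limits, table sizes, intervals and sample addresses are constructed for the demo.

```python
"""Model of the Security Tracking tables and the alerts buffer described here.

Added example (not Radware code). Limits, table sizes, timing and the sample
traffic are constructed; they are not the device's defaults.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, ...]
Alert = Tuple[int, str, Key]   # (timestamp ms, table name, flagged key)


@dataclass
class Packet:
    ts_ms: int
    src: str
    dst: str


@dataclass
class TrackingTable:
    name: str
    limit: int          # packets above which the key is reported as an attack
    max_entries: int    # the table's tuned size (number of entries)
    counts: Dict[Key, int] = field(default_factory=dict)
    last_seen: Dict[Key, int] = field(default_factory=dict)
    untracked: int = 0  # packets seen while the table was full: a sizing signal

    def observe(self, key: Key, ts_ms: int, alerts: List[Alert]) -> None:
        """Count one packet for key; report once when the limit is crossed."""
        if key not in self.counts and len(self.counts) >= self.max_entries:
            self.untracked += 1
            return
        self.counts[key] = self.counts.get(key, 0) + 1
        self.last_seen[key] = ts_ms
        if self.counts[key] == self.limit + 1:
            alerts.append((ts_ms, self.name, key))

    def free_up(self, now_ms: int, idle_ms: int) -> int:
        """Clear entries not updated for idle_ms; return how many were removed."""
        stale = [k for k, t in self.last_seen.items() if now_ms - t > idle_ms]
        for k in stale:
            del self.counts[k]
            del self.last_seen[k]
        return len(stale)


class SecurityTracker:
    def __init__(self, limit: int, max_entries: int, free_up_ms: int,
                 idle_ms: int, log_poll_ms: int) -> None:
        self.tables = [TrackingTable("Target", limit, max_entries),
                       TrackingTable("Source", limit, max_entries),
                       TrackingTable("Source & Target", limit, max_entries)]
        self.free_up_ms, self.idle_ms, self.log_poll_ms = free_up_ms, idle_ms, log_poll_ms
        self.alerts_buffer: List[Alert] = []   # the dedicated internal alerts buffer
        self.log: List[Alert] = []             # what has reached the log file

    def _drain(self) -> None:
        self.log.extend(self.alerts_buffer)
        self.alerts_buffer.clear()

    def process(self, packets: List[Packet]) -> List[Alert]:
        """Feed packets in time order, running Free-Up and log polling on schedule."""
        next_free_up, next_poll = self.free_up_ms, self.log_poll_ms
        for p in sorted(packets, key=lambda x: x.ts_ms):
            while p.ts_ms >= next_free_up:            # periodic Free-Up sweep
                for t in self.tables:
                    t.free_up(next_free_up, self.idle_ms)
                next_free_up += self.free_up_ms
            while p.ts_ms >= next_poll:               # Log File Polling Time
                self._drain()
                next_poll += self.log_poll_ms
            keys = [(p.dst,), (p.src,), (p.src, p.dst)]
            for table, key in zip(self.tables, keys):
                table.observe(key, p.ts_ms, self.alerts_buffer)
        self._drain()
        return self.log


def sample_packets() -> List[Packet]:
    """Constructed traffic: three clients send 2 packets each to one server,
    and a fourth source sends 8 packets to that server within 900 ms."""
    pkts: List[Packet] = []
    for i, src in enumerate(["192.0.2.11", "192.0.2.12", "192.0.2.13"]):
        pkts += [Packet(10 * i, src, "198.51.100.10"),
                 Packet(10 * i + 400, src, "198.51.100.10")]
    pkts += [Packet(100 + 100 * n, "203.0.113.7", "198.51.100.10") for n in range(8)]
    return pkts


def run_demo() -> List[Alert]:
    """Limit of 5 packets per key: the server is flagged in the Target table,
    and the noisy source in both the Source and Source & Target tables."""
    tracker = SecurityTracker(limit=5, max_entries=1024, free_up_ms=1000,
                              idle_ms=2000, log_poll_ms=500)
    return tracker.process(sample_packets())
```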
Session Table Tuning
This table shows the Session Table tuning parameters.
Parameter
Description
Session Table Size
Keeps track of sessions.
Session Passive Protocol
Records passive protocol port commands, so that all related sessions can be linked together.
Tuning Memory Check
AppDirector pre-checks the feasibility of the values configured for the tables. This eliminates the chance of causing a memory allocation problem. Each time you update a value for a certain table, you can check whether there is enough free memory for the requested value. Following tuning changes, you can also perform a manual check using WBM or CLI.
Caution: Perform tuning only after consulting Radware Technical Support.
Note: In CLI, use the command: system tune test-after-reset-values.
To perform the device tuning memory check
1. Perform Device Tuning.
2. From the Services menu, select Tuning > Memory Check. The Tuning Memory Check window appears, listing all the changes that have been made in the Device Tuning windows.
3. Click Perform Test. The memory check determines whether the device contains sufficient memory to allocate the changes. One of the following messages is displayed:
a. Sufficient memory available for the pending table size updates. Reboot to update the table sizes: Click Reboot to reboot the device and apply the changes.
b. # Kbytes are missing for the pending table size updates. Reduce the size of the tables using dispensable memory to accommodate the required updates: Click tables to access the Device Tuning windows and adjust the tables according to the amount of memory required.
Tuning Statistics
In the Tuning Statistics window you can view and edit the statistics tuning parameters. The changes take effect after the device is reset.
Caution: Perform tuning only after consulting Radware Technical Support.
To tune the Statistics
1. From the Services menu, select Tuning > Statistics. The Statistics Tuning window appears.
2. Set the parameters.
Parameter
Description
Protocol Discovery Policies
Current size of the table for Protocol Discovery Policies entries. Read-only parameter.
Protocol Discovery Policies After Reset
Size of table for Protocol Discovery Policies entries that you define. Settings are applied after reset.
Protocol Discovery Report Entries
Total number of discovered protocols that can be recorded by the device. (Read-only).
Protocol Discovery Report Entries After Reset
Total number of the discovered protocols that can be recorded by the device after reset.
3. Click Set. Your configuration is set.
Bandwidth Management Tuning (ODS Devices Only)
Standard Acceleration
The BWM Tuning window allows you to tune and view the Bandwidth Management tables.
Caution: Perform tuning only after consulting Radware Technical Support.
To tune Bandwidth Management tables
1. From the Services menu, select Tuning > BWM. The BWM Tuning window appears.
2. Set the parameters.
Parameter
Description
Policy Table
Displays number of policy entries in the table.
Policy Table (After Reset)
Displays number of policy entries in the table after reset.
BW per Traffic Flow sessions tracking
Number of traffic flows for which the device can provide bandwidth or limit the number of sessions. Maximum value: 100,000
BW per Traffic Flow sessions tracking (After Reset)
Number of traffic flows for which the device can provide bandwidth or limit the number of sessions after reset.
Destination Table
Displays number of entries in the Destination table.
Destination Table (After Reset)
Displays number of entries in the Destination table after reset.
3. Click Set. Your preferences are recorded.
Classifier Tuning
A packet first flows into the system through the classifier. It is the classifier's duty to decide what to do with the packet. How the classifier treats packets passing through is governed by the Bandwidth Management policy that best matches the packet and by these tuning parameters. From the Classifier Tuning window you can view and edit the Classifier tuning parameters. The changes take effect after the device is reset.
To tune AppDirector Classifier tables
1. From the Services menu, select Tuning > Classifiers. The Classifiers Tuning window appears.
2. Set the parameters.
Parameter
Description
Network Table
Displays number of ranges entered in the table. Default: 32
Network Table After Reset
Displays number of ranges entered in the table after reset. Default: 32
Discrete IP Addresses Per Network
Displays number of entries in the table for IP addresses that are allocated to a network. Default: 32
Discrete IP Addresses Per Network After Reset
Displays number of entries in the table for IP addresses allocated to a network after reset. Default: 32
Subnets Per Network
Displays number of entries in the table for network subnets. Default: 32
Subnets Per Network After Reset
Displays number of entries in the table for network subnets after reset. Default: 32
MAC groups Table
Displays number of MAC groups entries in the table. Default: 2
MAC groups Table After Reset
Displays number of MAC groups entries in the table after reset. Default: 2
Filter Table
Displays number of basic filter entries in the table. Default: 32
Filter Table After Reset
Displays number of basic filter entries in the table after reset. Default: 32
AND Group Table
Displays maximum number of AND group services that can be currently configured. Default: 16
AND Group Table After Reset
Displays maximum number of AND group services that can be currently configured after reset. Default: 16
OR Group Table
Displays maximum number of OR group services that can be currently configured. Default: 16
OR Group Table After Reset
Displays maximum number of OR group services that can be currently configured after reset. Default: 16
Application port groups
Displays number of application port group entries in the table. Default: 32
Application port groups After Reset
Displays number of application port group entries in the table after reset. Default: 32
Content Table
Displays number of content entries in the table. Default: 512
Content Table After Reset
Displays number of content entries in the table after reset. Default: 512
3. Click Set. Your configuration is set.
SYN Protection Tuning
From the SYN Protection Tuning window you can view and edit the SYN protection tuning parameters. The changes take effect after the device is reset.
Caution: Perform tuning only after consulting Radware Technical Support.
To tune Global Security tables
1. From the Services menu, select Tuning > SYN Protection. The Syn Flood Protection Tuning window appears.
2. Set the parameters.
Parameter
Description
SYN Protection Table
Stores data regarding the delayed binding process. An entry in the table exists from the time the client starts the 3-way handshake until the handshake is complete. Displays the current number of entries in the SYN Protection Table.
SYN Protection Table (After Reset)
Number of entries in SYN Protection Table after reset.
SYN Protection Requests Table
Sets the number of entries in the SYN Protection Requests Table.
SYN Protection Requests Table After Reset
Number of entries in the SYN Protection Requests Table after reset.
SYN Protection Triggers Table
Sets number of entries in the SYN Protection triggers table, which holds the destination IP addresses that should be protected.
SYN Protection Triggers Table After Reset
Number of entries in SYN Protection Triggers Table after reset.
SYN Protection Policies Table
Sets number of entries in the SYN Protection policies table.
SYN Protection Policies Table After Reset
Number of entries in the SYN Protection Policies Table after reset.
ACK reflection IPs Table
Sets number of entries in the SYN ACK reflection IPs table.
ACK reflection IPs Table After Reset
Number of entries in the ACK reflection IPs Table after reset.
SYN Protection Attack Detection Entries
Sets the number of entries for counting new TCP sessions, used for detecting SYN attacks and creating triggers.
SYN Protection Attack Detection Entries After Reset
Number of SYN Flood Attack Detection Entries after reset.
SYN Statistics Entries
Sets number of entries in the SYN protection statistics table.
SYN Statistics Entries After Reset
Number of entries in the SYN Flood Statistics Entries after reset.
3. Click Set. Your configuration is set.
Application Security Tuning
From the Application Security Tuning Parameters window you can view and edit the application security tuning parameters. The changes take effect after the device is reset.
Caution: Perform tuning only after consulting Radware Technical Support.
To tune AppDirector Application Security tables
1. From the Services menu, select Tuning > Security > Application Security. The Application Security Tuning window appears.
2. Set the parameters.
Parameter
Description
Source Table
The current number of entries in the Source Table, which contains an attack detection mechanism based on the source addresses of the incoming traffic. If the number of packets sent from the same source is above the predefined limit, this is identified as an attack. The Source Table tuning parameter defines for how many sessions to check the source address.
Source Table After Reset
The number of entries in the Source Table after reset.
Target Table
Represents the current size of the table for destination entries. This table contains an attack detection mechanism based on the destination addresses of the incoming traffic. If the number of packets sent to the same destination is above the predefined limit, this is identified as an attack. The Target Table tuning parameter defines for how many sessions to check the destination address.
Target Table After Reset
The size of the table for destination entries that you define. The settings are applied after reset.
Source & Target Table
Represents the current size of the table for both source and destination entries, which are counted as one.
Source & Target Table After Reset
The size of the table for both source and destination entries that you define. The settings are applied after reset.
DHCP Table
The current number of entries in the DHCP Table, which contains an attack detection mechanism based on counting the IP requests for each MAC address. The requests are made using the Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address is above the predefined limit, an attack is identified. The DHCP Discover tuning parameter determines for how many MAC addresses to check the number of IP requests.
DHCP Table After Reset
The number of entries in the DHCP Table after reset.
Maximal number of groups to be defined by user
Maximum number of groups that can be defined on the device.
Maximal number of groups to be defined by user after reset
Maximum number of groups that can be defined on the device after reset.
Maximal number of attacks to be defined by user
Maximum number of attacks that can be defined on the device.
Maximal number of attacks to be defined by user after reset
Maximum number of attacks that can be defined on the device after reset.
IP Reassembly buffers pool size [MB]
The current allotted memory, in MB, of the IP Reassembly buffers pool.
IP Reassembly buffers pool size after reset [MB]
The allotted memory, in MB, of the IP Reassembly buffers pool after reset.
Maximal number of entries in NPCF table
Maximum number of entries that can be defined in the NPCF table.
Maximal number of entries in NPCF table after reset
Maximum number of entries that can be defined in the NPCF table after reset.
Maximal number of srcIPs in Suspend Table
Maximum number of entries that can be defined in the Suspend table.
Maximal number of srcIPs in Suspend Table after reset
Maximum number of entries that can be defined in the Suspend table after reset.
Maximal number of Anti-Scanning IP pairs Table
Maximum number of entries that can be defined in the Anti-Scanning IP pairs table.
Maximal number of Anti-Scanning IP pairs Table after reset
Maximum number of entries that can be defined in the Anti-Scanning IP pairs table after reset.
3. Click Set. Your preferences are recorded.
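The Source, Target and DHCP table parameters above all describe the same structure: a bounded table of per-address counters, where an address whose count passes a predefined limit is flagged and where the table size decides how many addresses can be tracked at once. The following model is an added example, not AppDirector code; the table size, the per-address limit and the sample traffic are constructed for the illustration and are not device defaults.

```python
# Added example (not AppDirector code): a bounded per-address packet table of the
# kind the Source, Target and DHCP table parameters above describe. The table size
# and per-address limit are constructed values for the example, not device defaults.
from collections import OrderedDict


class AddressTable:
    """Counts packets per key (source IP, destination IP or MAC address).

    max_entries models the table-size tuning parameter; limit models the
    predefined per-address packet limit above which an attack is identified.
    """

    def __init__(self, max_entries, limit):
        self.max_entries = max_entries
        self.limit = limit
        self.counts = OrderedDict()
        self.untracked = 0  # packets from new addresses seen while the table was full

    def observe(self, key):
        """Count one packet for key; return True if key now exceeds the limit."""
        if key not in self.counts:
            if len(self.counts) >= self.max_entries:
                # Table full: a new address cannot be tracked, so an excess of
                # packets from it would go unnoticed. This is the operational
                # reason the table size is tunable.
                self.untracked += 1
                return False
            self.counts[key] = 0
        self.counts[key] += 1
        return self.counts[key] > self.limit

    def utilization_pct(self):
        """Share of the table in use, as the Tunable Tables statistics report it."""
        return 100.0 * len(self.counts) / self.max_entries


def detect(packets, max_entries, limit):
    """Run a packet stream through one table.

    Returns (addresses flagged as attacking, table utilization %, untracked packets).
    """
    table = AddressTable(max_entries, limit)
    flagged = set()
    for key in packets:
        if table.observe(key):
            flagged.add(key)
    return sorted(flagged), table.utilization_pct(), table.untracked


# Constructed sample traffic: one source sends six packets against a limit of five.
SAMPLE_SOURCES = ["10.0.0.5"] * 6 + ["10.0.0.6"] * 2

if __name__ == "__main__":
    print(detect(SAMPLE_SOURCES, max_entries=4, limit=5))
    # The same table keyed by MAC address models the DHCP Discover counter.
    print(detect(["00:11:22:33:44:55"] * 3, max_entries=2, limit=2))
```

The untracked count is the figure to watch when tuning: once the table is full, new addresses are not counted at all, so a table that runs near 100% utilization in the Tunable Tables statistics should be enlarged (the change takes effect after reset).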
Behavioral DoS Tuning Parameters
Behavioral DoS Tuning Parameters enable you to set the maximal number of Behavioral DoS policies. The default number of Behavioral DoS policies is 10. If you wish to configure more, you must change the number of policies allowed.
Note: When you update a Behavioral DoS value, you can check whether there is enough free memory for the requested value.
To set the maximum number of Behavioral DoS policies
1. From the Services menu, select Tuning > Security > Behavioral DoS. The Behavioral DoS Tuning Parameters window appears.
2. Set the parameters.
Parameter
Description
Maximal number of Behavioral DoS policies
Maximum number of Behavioral DoS policies that can be defined on the device.
Maximal number of Behavioral DoS policies after reset
Maximum number of Behavioral DoS policies that can be defined on the device after reset.
3. Click Set. Your preferences are recorded.
Monitoring AppDirector
This section covers notification features and threshold settings. It includes these topics:
• Device Information, page 75
• Device Monitoring, page 77
• Notifications, page 77
• Configuration Auditing, page 82
• AppDirector Thresholds, page 83
Device Information
This feature helps you to understand the fundamentals of your installed Radware device and accompanying software.
Note: Please quote this information when you seek assistance from Radware Technical Support.
To view Device Information
1. In the Device menu, select Device Information. The Device Information window appears.
2. View the parameters.
Parameter
Description
Name
Designated device name.
System Up Time
Reports the time elapsed since the device last reboot.
Base MAC Address
The MAC address of the first port on the device.
Type
Type of Radware device installed, for example, AppDirector with Global with Persistency.
Platform
Type of processor/ platform for this device. For example, OnDemand Switch 1.
Ports
Number of Ports
Quantity of ports on this device.
Ports Config
Type and configuration of ports on this device.
License Information
Throughput
Maximum accelerated throughput in Mbps (Megabits per second).
SSL TPS
Secure Socket Layer connections per second (TPS) where acceleration mode is used. Also listed is Peak usage (TPS).
Compression
Level of compression where acceleration mode is used. Also listed is Peak usage (Mbps).
Version Information
Hardware Version
The hardware version.
Software Version
The software version of AppDirector installed, for example 2.00.
Build
Date and time stamp with the build number of the software.
Version State
State of this software version. Open/Closed.
APSolute OS Version
Versions of Bandwidth Management and Application Security modules for this software, for example, 10.31-03.01:2.06.08.
Network Driver
Version of network driver used.
Platform Information
RAM Size (MB)
Amount of RAM, in megabytes.
Flash Size (MB)
Size of flash (permanent) memory, in megabytes.
Hard Disk(s)
Number of hard disks configured.
Serial Number
Serial number of the device.
Date
Date logged in.
Time
Time logged in.
Active Boot
Time (in days) since active boot commenced.
Secondary Boot
Time (in days) since secondary (redundant) boot commenced.
Power Supply
Single or double and its status.
Enhanced Acceleration
Compression Card Status
Displays the Compression card status. Values: In service, Not in Service.
SSL Card Status
Displays the SSL Card status. Values: In service, Not in Service.
Number of Cores
Number of CPU cores on the device.
Number of CPUs
Number of CPUs on the device.
Device Monitoring
Device Monitoring provides an overview of the device's configuration from a single window. The following information can be viewed and accessed from the Device Monitoring window.
To view the Device Monitoring information
1. From the Device menu, select Device Monitoring. The Device Monitoring window appears.
Parameter
Description
Farms
A table is displayed containing the following columns: Farm: names of the farms configured on this device. Clicking a farm's name displays the Farm Table Update window, which enables you to view and update all the parameters of the selected farm. Users (read only): displays the number of users connected to the configured farms. Servers: displays the number of servers and their status in the form of the following icons:
Each icon is also a link and clicking on a specific icon displays the relevant Application Server Table Update window for the selected server.
Refresh Interval [sec]
This field defines the rate at which the Device Monitoring window is refreshed and updated. Default: 60 seconds.
2. To change the Refresh Rate, enter the required value in the field and click Update.
Notifications
Radware devices provide a choice of event notification methods, including:
• CLI Traps
• Device Log
• SNMP Traps
• Syslog
• Emails
CLI Traps
When connected to any Radware product through a serial cable, the device generates traps when events occur. For example, if a Next Hop Router fails, AppDirector generates the following error:
10-01-2003 08:35:42 WARNING NextHopRouter 10.10.10.10 Is Not Responding to Ping.
You can configure whether traps are sent only to the serial terminal, also to SSH and Telnet clients, or not at all, using the CLI command:
manage terminal traps-outputs set
The available values are:
• normal - traps are only sent to the serial terminal
• on - traps are sent via all CLI access protocols (serial, Telnet, SSH)
• off - no traps are sent
For console only:
manage terminal traps-outputs set normal
Event Log
All events are logged on the device and can be viewed.
To view the event log
1. From the Services menu, select Logging > Event Log. The Event Log window appears, showing an Event Number and an accompanying description.
Parameter
Description
Event Number
Index of this table.
Event Description
This text includes the time and severity.
2. Click an Event Number to select the event that you wish to display.
3. To configure the number of results per page, choose 10, 25, 50 (default) or 100 results per page from the accompanying dropdown.
4. Click Reset Filter to reset the results per page.
To clear the event log
From the Event Log window, in the Clear Event Log field, click Set. The AppDirector Event Log is cleared.
SysLog
Any event traps generated by AppDirector can be mirrored to a specified Syslog server (a device running the syslog service, syslogd). AppDirector supports sending events to up to 5 Syslog servers.
To enable Syslog messages
1. From the Services menu, select Logging > Syslog Reporting. The Syslog Reporting window appears.
2. Set Syslog Operation to Enable.
3. To add a Syslog server, click Create. The Syslog Reporting Create window is displayed.
Parameter
Description
Syslog Server Address Or Hostname
The hostname or IP address of the Syslog server (the device running the syslog service).
Syslog Server Operational Status
Enables or disables syslog message sending to remote station.
Syslog Server Source Port
Source port from which Syslog packets are sent.
Syslog Server Destination Port
Destination port to which Syslog packets are sent.
Syslog Facility
User-defined value used when the device sends Syslog messages. Values include:
• Kernel Messages
• UUCP
• User Level Messages
• Clock Daemon
• Mail System
• Security Messages
• System Daemons
• FTP Daemon
• Authorization Messages
• NTP Daemon
• Syslogd Messages
• Log Audit
• Line Printer Subsystem
• Log Alert
• Network News Subsystem
• Clock Daemon 2
• Local Use 0, 1, 2, 3, 4, 5, 6 (default), 7
4. Click Set. The Syslog server is configured.
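The Syslog Facility value chosen above becomes part of the PRI field of every message the device sends, combined with the event severity, and a collector has to decode the same field to route the message. The following script is an added example, not AppDirector code: it takes the CLI trap line quoted in the CLI Traps section and formats it as an RFC 3164 syslog message with the facility codes listed above. The DD-MM-YYYY reading of the trap date and the mapping of the device's severity words (Info, Warning, Error, Fatal) onto syslog severity numbers are assumptions made for the example.

```python
# Added example (not AppDirector code): turning the CLI trap format shown above
# into RFC 3164 syslog messages, using the facility values listed for the Syslog
# Facility parameter. The trap date is assumed to be DD-MM-YYYY and the mapping
# of the device severity words onto syslog severity numbers is an assumption.
import re
from datetime import datetime

# Facility codes per RFC 3164, in the order the device lists them; Local Use 6
# (local6) is the device's stated default.
FACILITIES = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "cron2": 15,
}
FACILITIES.update({f"local{n}": 16 + n for n in range(8)})

# Assumed mapping of AppDirector severity words to syslog severity numbers.
SEVERITIES = {"INFO": 6, "WARNING": 4, "ERROR": 3, "FATAL": 2}

# Trap line as quoted in the CLI Traps section above.
SAMPLE_TRAP = "10-01-2003 08:35:42 WARNING NextHopRouter 10.10.10.10 Is Not Responding to Ping."

TRAP_RE = re.compile(r"^(\d{2}-\d{2}-\d{4}) (\d{2}:\d{2}:\d{2}) ([A-Za-z]+) (.+)$")


def parse_trap(line):
    """Split a CLI trap line into (timestamp, severity word, message text)."""
    match = TRAP_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised trap line: {line!r}")
    date, time, severity, text = match.groups()
    stamp = datetime.strptime(f"{date} {time}", "%d-%m-%Y %H:%M:%S")  # DD-MM-YYYY assumed
    return stamp, severity.upper(), text


def priority(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_priority(pri):
    """Inverse of priority(): (facility code, severity code), as a collector does it."""
    return divmod(pri, 8)


def to_syslog(line, hostname, facility="local6"):
    """Format one trap line as an RFC 3164 message; local6 is the device default."""
    stamp, severity, text = parse_trap(line)
    # RFC 3164 timestamps pad a single-digit day with a space, not a zero.
    day = f"{stamp.day:2d}"
    timestamp = stamp.strftime("%b") + f" {day} " + stamp.strftime("%H:%M:%S")
    return f"<{priority(facility, severity)}>{timestamp} {hostname} AppDirector: {severity} {text}"


if __name__ == "__main__":
    print(to_syslog(SAMPLE_TRAP, "appdirector-1"))
```

With the default facility, a WARNING trap carries PRI 180 (local6 is facility 22, so 22 * 8 + 4). A collector that filters on facility can therefore separate AppDirector events from other local-use senders only if each device is given a distinct Local Use value.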
SNMP Traps
SNMP trap logging enables you to set the size of the traps log, as a number of entries.
To enable SNMP Traps
1. From the Services menu, select Logging > SNMP Traps. The Traps Logging window appears.
2. Set the parameters.
Parameter
Description
Trap Logging
Enables/Disables Trap Logging.
Minimum Severity for Trap Logging
Sets the minimum severity value for the trap. Values: Info, Error, Warning
Traps Log File Size
Sets the size of the traps log, as a number of entries.
Power supply trap status
Enables/disables the ability to measure power supply trap status.
3. Click Set. Trap Logging is enabled.
E-mail Notification
The device can send notifications on events to users via email. For each user you can configure whether the user receives notifications via email (by defining an email address for the user) and the minimal event severity reported via SNMP traps and email. The user receives traps of the configured severity and higher. The severity levels are: Info, Warning, Error and Fatal. For email address and notification severity configuration per user, see the Users Table.
Note: AppDirector optimizes the mailing process by gathering reports and sending them in a single notification message once the buffer is full or once a timeout of 60 seconds expires.
To configure E-mail Notifications
1. From the Services menu, select Logging > Email Reporting. The Email Error Reporting window appears.
2. Set the parameters.
Parameter
Description
Send Emails on Errors
Whether to send notifications via email or not. Values: Enabled or Disabled (Default).
To Field Text
Text to use in the sent email "To" field.
3. Click Set. Your configuration is set.
Configurable SMTP To Field
Message logging is disabled by default. You must enable logging if you wish to send messages to one or more output locations. When enabled, log messages are sent to a logging process, which writes them to the designated locations asynchronously to the processes that generated them. You must set a logging output location to view any logs.
The SMTP Client window enables AppDirector to send information messages via email to predetermined users. This feature can be used for sending trap information via email. In the Users Table each user is assigned a trap severity level (Info, Warning, Error or Fatal) and receives emails according to that severity level. For example, a user assigned the severity level Error receives emails for events with the severity levels Error and Fatal. To allow AppDirector to send event notifications via email, the SMTP client must be configured on the device.
To configure the SMTP Client
1. From the Services menu, select Logging > SMTP. The SMTP Client window appears.
2. Set the parameters.
Parameter
Description
SMTP Server
IP address of the SMTP Server.
Alternate SMTP Server Address
An IP address of an alternative SMTP server, used when an SMTP connection cannot be established with the main SMTP server or when the main SMTP server closes the connection. The device keeps trying to establish a connection to the main SMTP server and resumes using it when it is available.
Backup Device Email Address
Sets the email address of the backup AppDirector device. This is used when the device is configured as an SMTP client. You can configure AppDirector as an SMTP client, allowing it to send email messages to specified users. This feature can be used for sending trap messages. In the Users Table, each user is assigned a trap severity level (Info, Warning, Error, or Fatal) and receives emails according to that severity level. For example, a user assigned the severity level Error receives emails for events with the severity levels Error and Fatal.
Own Email Address
Mail address of the device, for example [email protected].
SMTP Client Status
Enables/Disables the SMTP client. Status must be set to Enabled to support features related to sending email messages. Default: Disable
3. Click Set. The SMTP Client is configured.
Note: To receive emails about errors, you need to enable the features related to mail sending, such as Send Emails on Errors, and for each user set the email address and severity level in the Users Table.
Configuration Auditing
Configuration Auditing is the process of logging every configuration change and activity. When Configuration Auditing is enabled, the device keeps track of all changes made to the configuration. When a user creates a new configuration object, the device reports the action, e.g. created a new farm or added a server to a farm. The device sends an event in CLI format (if the user created the object via Web Based Management). If the user modifies an existing entry, the device also reports the old and new values of the changed parameter. Deletions of objects are reported in the same CLI format. Where there is no CLI equivalent to a Web Based Management parameter, the device reports the parameter's MIB name. The notification message contains these details:
• Name of the MIB variable that was changed.
• New value of the variable.
• Time of the configuration change.
• Configuration tool that was used (APSolute, Telnet, SSH, WBM).
• User name, when applicable.
Configuration Auditing is enabled or disabled per device and affects all users and all management interfaces. The default is disabled.
To enable configuration auditing
1. Select Services > Auditing. The Auditing Status window appears.
2. Select enable.
3. Click Set. The auditing status is set to enable.
To disable configuration auditing
1. Select Services > Auditing. The Auditing Status window appears.
2. Select disable.
3. Click Set. The auditing status is set to disable.
AppDirector Thresholds
To optimize AppDirector configuration and resource thresholds, AppDirector can indicate and alert on the usage of various tables and other parameters. AppDirector continuously monitors this usage and can notify you when usage thresholds are exceeded. Threshold warnings are available for the following tables and parameters.
To view and set Threshold Settings
1. From the Services menu, select AppDirector Thresholds > Settings. The AppDirector Thresholds Settings window appears.
2. Set the parameters.
Parameter
Description
Send Threshold Warnings
Enables or disables (default) the threshold warning traps mechanism.
Min. Time Between Warnings (sec)
Minimum time, in seconds, between consecutive warnings that AppDirector sends about the same resource. Default: 60. A value of 0 means traps are sent continuously.
Client Table Threshold Level
Defines the percentage of Client Table usage where a trap is sent. Statistics are kept as follows:
• Current number of entries
• Average value for the last 5 seconds
• Average value for the last 60 seconds
Default: 85
Layer 3 Client Table Threshold Level
Defines the percentage of Client Table usage where a trap is sent. Default: 85
Application Servers Connection Limit Threshold Level
Defines the percentage of Application Servers Connection Limit usage where a trap is sent. Default: 85 When the number of sessions to an application server exceeds 85% of the Connection Limit configured for that server, a trap is sent.
Physical Servers Connection Limit Threshold Level
Defines the percentage of Physical Servers Connection Limit usage where a trap is sent. Default: 85 When the number of sessions to a physical server exceeds 85% of the Connection Limit configured for that server, a trap is sent.
Farms Capacity Threshold Level
Defines the percentage of farm capacity used where a trap is sent. Default: 85 When the number of sessions to a farm exceeds 85% of the Capacity Threshold configured for that farm, a trap is sent.
Client NAT Threshold Level
Percentage of Client NAT ports usage above which a trap is sent. Default: 85 When 85% of Client NAT ports for any Client NAT address are used, a trap is sent.
Outbound NAT Threshold Level
Percentage of Outbound NAT ports usage above which a trap is sent. Default: 85 When 85% of Outbound NAT ports of the Outbound NAT addresses are used, a trap is sent.
Session ID Threshold Level
Percentage of the Session ID table usage above which a trap is sent. When 85% of Session ID table is used, a trap is sent. Values: 1 - 99 Default: 85
Requests Threshold Level
Percentage of the Request table usage above which a trap is sent. Default: 85 When 85% of the Request table is used, a trap is sent.
CPU Utilization Threshold Level
High CPU utilization on the device can have many causes. The device should actively report this status when it is suspected to be abnormal. To do this, a trap can be sent if the average CPU utilization over a period of 30 seconds is higher than the specified threshold. Another trap can be sent if the device has had 30 seconds of CPU utilization lower than the specified threshold. The threshold is configurable via CLI, WBM or SNMP. Traps are sent only if threshold warning sending has been enabled (as for the other threshold traps). Default: 95
Throughput Utilization Threshold Level (Mbps)
Supports a configurable overflow alert threshold for licensed throughput utilization. The default for the threshold level is 90%.
SSL TPS Utilization Threshold Level
Supports a configurable overflow alert threshold for licensed SSL TPS utilization. The default for the threshold level is 90%.
Compression Utilization Threshold Level (Mbps)
Supports a configurable overflow alert threshold for licensed compression utilization. The default for the threshold level is 90%.
3. Click Set. Your configuration is set.
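The threshold parameters above combine three behaviours: a per-resource percentage level (85% by default), a minimum interval between warnings about the same resource (60 seconds by default, 0 meaning every time), and a CPU check that traps once when the 30-second average is above the threshold and again when utilization has been below it for 30 seconds. The following model is an added example, not AppDirector code, written to show how those rules interact on sample data. The resource names and the sample values are constructed, and reading "30 seconds of CPU utilization lower than the threshold" as thirty consecutive one-second samples below it is an assumption; the 85%, 60 s and 95% defaults are the page's.

```python
# Added example (not AppDirector code): the threshold-warning behaviour described
# above, modelled as two small monitors. Resource names, sample values and the
# reading of "30 seconds below the threshold" as thirty consecutive samples below it
# are assumptions; the defaults (85%, 60 s, CPU 95%) are the page's.
from collections import deque


class ThresholdMonitor:
    """Per-resource 'usage above threshold' warnings with rate limiting.

    enabled      -> Send Threshold Warnings
    min_interval -> Min. Time Between Warnings (sec); 0 means warn on every sample
    levels       -> {resource: threshold percentage}, default 85 for any resource
    """

    def __init__(self, enabled=True, min_interval=60, levels=None):
        self.enabled = enabled
        self.min_interval = min_interval
        self.levels = dict(levels or {})
        self.last_sent = {}  # resource -> time of the last warning

    def check(self, resource, used, capacity, now):
        """Evaluate one sample; return a warning string or None."""
        if not self.enabled or capacity <= 0:
            return None
        level = self.levels.get(resource, 85)
        pct = 100.0 * used / capacity
        if pct <= level:
            return None
        last = self.last_sent.get(resource)
        if last is not None and now - last < self.min_interval:
            return None  # suppressed: too soon after the previous warning for this resource
        self.last_sent[resource] = now
        return f"{resource}: {pct:.0f}% used exceeds threshold {level}%"


class CpuMonitor:
    """CPU utilization over a 30-sample (one per second) window.

    Sends CPU_HIGH once when the window average goes above the threshold, and
    CPU_NORMAL once when every sample in the window is back below it.
    """

    def __init__(self, threshold=95, window=30):
        self.threshold = threshold
        self.samples = deque(maxlen=window)
        self.high = False

    def sample(self, cpu_pct):
        """Add one per-second sample; return 'CPU_HIGH', 'CPU_NORMAL' or None."""
        self.samples.append(cpu_pct)
        if len(self.samples) < self.samples.maxlen:
            return None  # not yet 30 seconds of data
        average = sum(self.samples) / len(self.samples)
        if not self.high and average > self.threshold:
            self.high = True
            return "CPU_HIGH"
        if self.high and all(s < self.threshold for s in self.samples):
            self.high = False
            return "CPU_NORMAL"
        return None


def run_cpu(samples, threshold=95):
    """Feed a sequence of per-second CPU readings; return the traps emitted in order."""
    monitor = CpuMonitor(threshold)
    return [trap for trap in (monitor.sample(s) for s in samples) if trap]


if __name__ == "__main__":
    # Constructed sample: the Client Table fills to 90% of 1000 entries and stays there.
    m = ThresholdMonitor(levels={"client_table": 85})
    for t in (0, 30, 60):
        print(t, m.check("client_table", 900, 1000, t))
    print(run_cpu([100] * 30 + [90] * 30))
```

Two points the model makes visible: with Min. Time Between Warnings at its default, a table that stays above its level produces one trap per minute rather than a flood, and the CPU trap pair gives a receiver a clear start and end of the high-load period instead of a stream of identical warnings.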
AppDirector Thresholds Statistics
AppDirector Thresholds statistics contain various tables where you can view averages, configured maximums and minimums.
Tunable Tables
The Tunable Tables Usage Statistics window provides information regarding the utilization of various tables in AppDirector.
To view the Tunable Tables Usage Statistics parameters
From the Services menu, select AppDirector Thresholds > Statistics > Tuning Tables. The Tunable Tables Usage Statistics window appears, which contains these read-only parameters:
Parameter
Description
Table Name
The name of the table in the Tunable Table.
Current Entries
The number of entries in the Tunable Table.
5 sec Average
Average resources utilization in the last 5 seconds.
60 sec Average
Average resources utilization in the last 60 seconds.
Max Num of Entries
Maximum configured table size.
Client NAT Level
The Client Table Threshold Level defines the percentage of Client Table usage where a trap is sent. The default is 85. The Client NAT Level window allows you to view the client table's threshold data.
To view the Client NAT Level parameters
From the Services menu, select AppDirector Threshold > Statistics > Client NAT Level. The Client NAT Level window appears, which contains the following read-only parameters:
Parameter
Description
NAT Address
Specifies the IP address to be used for NAT.
Current
Current port usage for the Client NAT address.
Average
Average port usage for the Client NAT address.
Outbound NAT Level
The Outbound NAT Port Threshold Level defines the percentage of Outbound NAT port usage where a trap is sent. The default is 85. When 85% of the Outbound NAT ports for the Outbound NAT addresses are used, a trap is sent. The Outbound NAT Level window allows you to view outbound NAT level information.
To view the Outbound NAT Level parameters
From the Services menu, select AppDirector Threshold > Statistics > Outbound NAT Level. The Outbound NAT Level window appears, which contains these read-only parameters:
Parameter
Description
NAT Address
Specifies the IP address to be used for NAT.
Current
Current port usage for the Outbound NAT address.
Average
Average port usage for the Outbound NAT address.
Application Servers Level
The Application Servers Connection Limit Threshold Level defines the percentage of Application Servers Connection Limit usage where a trap is sent. The default is 85. When the number of sessions to an application server exceeds 85% of the Connection Limit configured for that server, a trap is sent. The Application Servers Connection Limit defines the maximum number of sessions allowed open at any given time on this application server. When the limit is reached, new sessions are no longer forwarded to this application server. The Application Servers Connection Level window allows you to view the application server's connection level information.
To view the Application Servers Connection Level parameters
From the Services menu, select AppDirector Threshold > Statistics > Application Servers Level. The Application Servers Connection Level window appears, containing these read-only parameters:
Parameter
Description
Farm Name
The name of the farm.
Server Address
IP address of the required server.
Current
Number of currently active users attached to this server.
Average
Average number of attached users for the Application Servers address.
Server Port
Displays active connections per server statistics
RTSP Redirect (last second)
Number of RTSP sessions redirected to this Server during the last second.
Physical Servers Level
The Physical Servers Connection Limit defines the maximum number of sessions allowed open at any given time on this physical server, meaning to application servers in any AppDirector farm that share the same name. When the limit is reached, new sessions are no longer forwarded to this physical server. The Physical Servers Connection Limit Threshold Level defines the percentage of Physical Servers Connection Limit usage where a trap is sent. The default is 85. When the number of sessions to a physical server exceeds 85% of the Connection Limit configured for that server, a trap is sent. The Physical Servers Connection Level window allows you to view the physical server's connection level information.
To view the Physical Servers Connection Level parameters
From the Services menu, select AppDirector Threshold > Statistics > Physical Servers Level. The Physical Servers Connection Level window appears, which contains these read-only parameters:
Parameter
Description
Server Name
Defines name of group of farm servers associated with this physical server. Adding a new server to a farm using a Server Name already defined in another farm, implies that it is the same physical server.
Current
Current number of attached users for the Physical Servers address.
Average
Average number of attached users for the Physical Servers address.
Farms Capacity Level
The Farm Capacity Threshold is used for a farm that is part of a distributed environment. When the farm's Capacity Threshold is met, AppDirector reports to remote devices that it is no longer accepting further distributed sessions to this farm. The Farm Capacity Threshold Level is the percentage of farm capacity used above which a trap is sent. The default is 85. When the number of sessions to a farm exceeds 85% of the capacity threshold configured for that farm, a trap is sent. The Farm Capacity Level window lets you view information about the farm's capacity level.
To view the Farm Capacity Level parameters
1. From the Services menu, select AppDirector Threshold > Statistics > Farm Capacity Level. The Farm Capacity Level window appears, which contains these read-only parameters:
Parameter
Description
Farm Name
The address of the server farm.
Current Connections Number
Current number of connections to the farm.
Average Connections Number
Average number of connections to the farm.
2. Select the desired farm name. The Farm Capacity Level Update window appears, which contains the following read-only parameters.
Parameter
Description
Farm Name
User-defined name of the farm.
Attached Users
Number of currently active users attached to this server.
Peak Load
Maximum number of frames per second dispatched to the server since the last reset.
Frame Rate
Number of frames dispatched to server
Frame Rate (bytes)
Number of frames per second dispatched to server.
Backup Server Used
Indicates that the farm used a backup server.
Distribution Threshold Reached
Indicates the number of times this threshold is reached.
Capacity Threshold Reached
Indicates that the farm has reached its full capacity.
DNS Reply Redirect (last second)
Number of DNS queries resolved to other SIPDirectors in the last second.
Redirected HTTP (last second)
Number of HTTP sessions which arrived for this farm and were redirected to remote/distributed servers.
Redirected Triangle (last second)
Indicates the rate at which clients were redirected by triangulation service in the last second.
Redirected RTSP (last second)
Number of RTSP sessions which arrived during the last second for this farm and were redirected to remote/distributed servers.
Current Connections Number
Number of directed attached clients to this farm.
Average Connections Number
Average number of directed attached clients to this farm.
Redirected SIP (last second)
Total number of SIP sessions which arrived for this Farm during the last second.
Local Proxy (last second)
Total number of proxy sessions handled by local servers.
Basic Switching (Layer 2 Capability)
This section discusses how to configure Layer 1-2 switching functions and includes these topics:
• AppDirector Physical Interface Configuration, page 88
• Layer 2 Interface Table, page 89
• Virtual LAN, page 91
• Spanning Tree Protocol, page 98
• VLAN Tagging, page 96
• Link Aggregation (Port Trunking), page 101
• Port Mirroring, page 104
This table summarizes Layer 2 capability for Radware's OnDemand switches.
Layer 2 Feature | ODS1 and ODS1 XL | ODS2 and ODS2XL | ODS3 v2 and ODS3XL | ODS VL and ODS VL XL
Radware Segmentation (physical Port and VLAN) | Yes | Yes | Yes | Yes
Regular VLAN (bridging) | Yes | Yes | Yes | Yes
Switch VLAN | No | Yes | Yes | No
VLAN tagging 802.1q | Yes | Yes | Yes | Yes
Link aggregation 802.3ad | Yes | Yes | Yes | Yes
Port mirroring (Copy port) | No | Yes | Yes | No
STP 802.1d | No | Yes | Yes | No
AppDirector Physical Interface Configuration
AppDirector enables you to change physical attributes of each port, such as speed and duplex mode.
To update the port's physical attributes
1. From the Device menu, select Physical Interface. The Physical Interface window appears.
2. Set the parameters.
Parameter
Description
Port Index
Index number of the port.
Speed
Traffic speed of the port. Values: Ethernet, Fast Ethernet, Giga Ethernet, or XG Ethernet. Note: According to standards, this parameter can be changed only for copper ports. Once this parameter is changed the Auto Negotiate parameter is set to Off.
Duplex
Whether the port allows both inbound and outbound traffic (Full Duplex) or one way only (Half Duplex). Note: According to standards, this parameter can be changed only for copper ports with a speed lower than Giga Ethernet. Once this parameter is changed the Auto Negotiate parameter is set to Off.
Auto Negotiate
Automatically detects and configures the speed and duplex required for the interface.
3. Select the required port. The Physical Interface Table Update window appears.
4. Update the required fields and click Set. Your configuration is set.
Layer 2 Interface Table
Layer 2 takes the bits from higher layers and creates network-specific frames, which are then transmitted to another endpoint on the LAN. It provides an address space on the LAN and addressing modes such as point-to-point (unicast), point-to-multipoint (multicast) and broadcast. In the TCP/IP model, the TCP/IP protocol defines the first step in the abstraction from the physical network. The Address Resolution Protocol (ARP) and its counterpart Reverse ARP (RARP) provide the conversion functions from IP to LAN address and vice versa, respectively. ARP and RARP are usually placed on this level, because each LAN has its own method of addressing the hosts connected to it. Another property of this layer is that it defines capabilities or services for the Internet Layer to use: frame size, addressing capabilities (unicast, multicast, broadcast), Quality of Service (QoS) parameters, etc. A Layer 2 Interface is defined as any interface that has its own MAC address: physical port, trunk or VLAN. You can configure the administrative status of each interface and monitor its status and interface statistics.
To view/edit the Layer 2 Interface Table
1. From the Device menu, select Layer 2 Interface. The Layer 2 Interface Table window appears.
2. Select the Interface Index number to edit. The Layer 2 Interface Table Update window appears with read-only parameters.
3. Set the parameters.
Read Only Parameter
Description
Interface Index
The Interface index number.
Interface Description
A textual string containing information about the interface. This string should include the name of the manufacturer, the product name and the version of the interface hardware/software.
Interface Type
Type of interface. Additional values are assigned by the Internet Assigned Numbers Authority (IANA), through updating the syntax of the textual convention.
Interface Speed
An estimate of the interface's current bandwidth in bits per second.
MAC Address
The MAC Address of the interface.
Interface Status
Controls the interface administrative status. Values: Up/Down.
Operational Status
Specifies the operational status of the router. Values: Up/Down.
4.
Interface Last Change: Value of sysUpTime at the time the interface entered its current operational state. If the current state was entered prior to the last reinitialization of the local network management subsystem, then this object contains a zero value.
ifINOctets: Number of incoming octets (bytes) through the interface, including framing characters.
InUcastPkt: Number of packets delivered by this sub-layer to a higher (sub-)layer which were not addressed to a multicast or broadcast address at this sub-layer.
InNUcastPkt: Number of packets delivered by this sub-layer to a higher (sub-)layer which were addressed to a multicast or broadcast address at this sub-layer.
ifINDiscards: Number of inbound packets chosen to be discarded even though no errors had been detected that would prevent their being delivered to a higher-layer protocol. One possible reason for discarding such a packet is to free up buffer space.
ifINErrors: For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being delivered to a higher-layer protocol.
ifOutOctets: Total number of octets (bytes) transmitted out of the interface, including framing characters.
OutUcastPkt: Total number of packets that higher-level protocols requested be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.
OutNUcastPkt: Total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those discarded or not sent.
ifOutDiscards: Number of outbound packets which were chosen to be discarded even though no errors had been detected that would prevent their being transmitted. One possible reason for discarding such a packet is to free up buffer space.
ifOutErrors: For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors.
4. Click Set. Your configuration is set.
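The counters above are raw, ever-increasing values; to turn them into something you can alert on you need the difference between two polls, corrected for a wrap of the 32-bit counter, and the ratio of errored or discarded packets to the packets that arrived. The following is an added example that is not part of this guide or of the AppDirector software: the two sample polls (SAMPLE_A and SAMPLE_B) are constructed, and the 1% alert threshold is an assumed value.

```python
from dataclasses import dataclass, fields

COUNTER32_WRAP = 2 ** 32   # classic ifTable counters such as ifInOctets are 32-bit


def counter_delta(prev: int, curr: int, wrap: int = COUNTER32_WRAP) -> int:
    """Increase of a monotonically growing counter between two polls,
    allowing for at most one wrap-around in between."""
    if curr >= prev:
        return curr - prev
    return (wrap - prev) + curr


@dataclass(frozen=True)
class IfSample:
    """One poll of the Layer 2 Interface Table counters for a single interface.
    sys_uptime is in hundredths of a second, as sysUpTime is."""
    sys_uptime: int
    in_octets: int
    in_ucast: int
    in_nucast: int
    in_discards: int
    in_errors: int
    out_octets: int
    out_ucast: int
    out_nucast: int
    out_discards: int
    out_errors: int


def _ratio(part: int, whole: int) -> float:
    return part / whole if whole else 0.0


def interface_rates(a: IfSample, b: IfSample) -> dict:
    """Per-second throughput and error/discard ratios between polls a and b."""
    seconds = counter_delta(a.sys_uptime, b.sys_uptime) / 100.0
    if seconds <= 0:
        raise ValueError("the two samples must be taken at different times")
    d = {f.name: counter_delta(getattr(a, f.name), getattr(b, f.name))
         for f in fields(IfSample) if f.name != "sys_uptime"}
    # Everything that arrived: delivered unicast + non-unicast, plus what was
    # discarded or errored before delivery to the higher layer.
    in_pkts = d["in_ucast"] + d["in_nucast"] + d["in_discards"] + d["in_errors"]
    # OutUcastPkt/OutNUcastPkt already include packets that were discarded
    # or not sent, so together they are the outbound total.
    out_pkts = d["out_ucast"] + d["out_nucast"]
    return {
        "in_bps": d["in_octets"] * 8 / seconds,
        "out_bps": d["out_octets"] * 8 / seconds,
        "in_error_ratio": _ratio(d["in_errors"], in_pkts),
        "in_discard_ratio": _ratio(d["in_discards"], in_pkts),
        "out_error_ratio": _ratio(d["out_errors"], out_pkts),
        "out_discard_ratio": _ratio(d["out_discards"], out_pkts),
    }


def health_flags(rates: dict, threshold: float = 0.01) -> list:
    """Names of the ratios that exceed the threshold (1% by default, an assumed value)."""
    keys = ("in_error_ratio", "in_discard_ratio", "out_error_ratio", "out_discard_ratio")
    return [k for k in keys if rates[k] > threshold]


# Constructed sample polls, 10 seconds apart; ifINOctets wraps between them.
SAMPLE_A = IfSample(100_000, 4_294_960_000, 100, 10, 0, 0, 5_000, 50, 5, 0, 0)
SAMPLE_B = IfSample(101_000, 40_000, 1_100, 20, 5, 15, 25_000, 550, 5, 1, 0)

if __name__ == "__main__":
    rates = interface_rates(SAMPLE_A, SAMPLE_B)
    print(rates)
    print("flags:", health_flags(rates))
```

With the constructed samples the inbound octet counter wraps, so a naive subtraction would go negative; counter_delta reports the true 47,296 bytes, and the 15 inbound errors out of 1,030 arriving packets are the only ratio over the threshold.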
Virtual LAN
A Virtual LAN (VLAN) is a group of devices on different physical LAN segments or on a single LAN segment, which can interact with each other as if they were all on the same physical LAN segment. In other words, a VLAN is a group of PCs, servers and other network resources that behave as if they were connected to a single network segment even though they are not, physically. They are able to share resources and bandwidth as if they were connected to the same section. Some switches are configured to support single or multiple VLANs. When a switch supports multiple VLANs, the broadcast domains are not shared between the VLANs.
• The device learns the Layer 2 addresses on every VLAN port.
• Known unicast frames are forwarded to the relevant port.
• Unknown unicast frames and broadcast frames are forwarded to all ports.
AppDirector VLAN Types
AppDirector VLANs provide bridging and switching functionality among ports assigned to the same VLAN. AppDirector supports both Regular VLAN and Switch VLAN.
Note: AppDirector devices support up to 64 regular or switched VLANs and up to 2048 VLAN IDs.
Regular VLAN
A Regular VLAN can be described as an IP Bridge (a software bridge) between multiple ports that incorporates all the traffic redirection of passing traffic at all layers (Layer 2 to Layer 7). Two protocols can be used with Regular VLANs:
• IP Protocol: The VLAN must be assigned an IP address. All of the traffic between ports is intercepted transparently by AppDirector. Packets that need intelligent intervention are checked and modified by AppDirector and then forwarded to the relevant port. Other packets are simply bridged by AppDirector as if they were on the same wire.
• Other Protocol: An Other protocol VLAN cannot be assigned an IP address. This type of VLAN is used to bridge non-IP traffic through AppDirector. To handle both packets that need intelligent intervention and non-IP traffic, you can configure an IP VLAN and an "Other" VLAN on the same ports.
Note: Switch VLAN can be standalone or part of a Regular VLAN.
Switch VLAN
Switch VLAN provides wire-speed VLAN capabilities implemented through the hardware switch fabric of the AppDirector device. Frames are treated according to the protocol defined for the Switch VLAN:
• Switch VLAN Protocol: Frames arriving at the VLAN port are switched according to Layer 2 information. AppDirector does not intercept this traffic.
• IP Protocol: Frames reaching the VLAN port are switched according to Layer 2 information, except those whose Layer 2 destination address is the same as the AppDirector port Layer 2 address. Frames with an AppDirector Layer 2 destination are processed by AppDirector and then forwarded.
VLAN Configuration
A VLAN configuration procedure involves:
1. Creating a VLAN.
2. Adding ports and/or trunks to that VLAN.
In addition you can change the Ethernet type and mask used by all VLANs.
VLAN Parameters
Here you can configure the VLAN Ethernet type and mask for the device.
To configure the VLAN Parameters window
1. From the Device menu, select VLAN Parameters. The VLAN Parameters window appears.
2. Set the parameters.
Parameters:
VLAN Ethernet Type: Defines the Ethernet type for defined VLANs.
VLAN Ethernet Type Mask: Defines the mask on the Ethernet type for defined VLANs.
3. Click Set. Your configuration is set.
Creating and Editing VLANs and VLAN Ports
This section shows you how to create and edit VLANs and VLAN ports.
To view/create a VLAN
1. From the Device menu, select VLAN Table. The Virtual LAN Table window appears.
2. Set the parameters.
Parameters:
Interface Number: Interface number of the VLAN, automatically assigned by the management station.
Type: Required VLAN type. Regular (Default): The VLAN acts as a bridge. Switch: A Switch VLAN can be part of a Regular VLAN.
Protocol: Required VLAN protocol. You can choose IP or Switch VLAN only when the VLAN type is Switch. Otherwise, the protocol is IP or Other (default).
Up Criterion: Defines the conditions under which a VLAN interface is considered Up.
  • Default by Type (Default): For a Regular VLAN, all ports in the VLAN are up. Note: This is true when interface grouping is enabled; otherwise ports behave the same as for a Switch VLAN. For a Switch VLAN, at least one of the ports in the VLAN is up.
  • All Ports: The VLAN is considered down when all the ports participating in the VLAN are down, and it is considered up when all the ports participating in the VLAN are up. Note: After a reboot the VLAN status is "up" even though the port is still down, although the VLAN status should be "down".
  • One Port: The VLAN is considered down when at least one port participating in the VLAN is down, and it is considered up when at least one port participating in the VLAN is up.
Down Criterion: Defines the conditions under which a VLAN interface is considered Down.
  • Default by Type (Default): For a Regular VLAN, at least one of the ports in the VLAN is down. Note: This is true when interface grouping is enabled; otherwise ports behave the same as for a Switch VLAN. For a Switch VLAN, all ports in the VLAN are down.
  • All Ports: The VLAN is considered down when all the ports participating in the VLAN are down, and it is considered up when all the ports participating in the VLAN are up.
  • One Port: The VLAN is considered down when at least one port participating in the VLAN is down, and it is considered up when at least one port participating in the VLAN is up.
3. To create a new VLAN, click Create. The Virtual LAN Table Create window appears.
4. For editing, in the Virtual LAN Table window, select a VLAN to update.
5. Click Edit. The Virtual LAN Update window appears.
6. Set the parameters.
7. Click Set. Your configuration is set.
Adding Physical Ports to a VLAN
This procedure explains how to add physical ports to a VLAN.
To add physical ports to the VLAN
1. In the Virtual LAN Table window, in the VLAN Port Table section, click Create. The VLAN Port Create window appears.
2. Set the parameters.
Parameters:
VLAN Interface Index: Select the VLAN to which you want to add a port.
VLAN Port Index: The Layer 2 interface you want to attach to the VLAN. Can be a port index, a trunk index, or a Switch VLAN.
Port Type: Values: • Static: configured by the administrator. • Dynamic: autoconfigured by the remote server.
Port Interface Grouping State: Defines whether the status of this L2 interface should be taken into consideration when calculating the VLAN status for Interface Grouping (relevant in redundant configurations only; see Redundancy, page 123). Select from: • Included: Allows the interface to initiate Interface Grouping if it is down. • Excluded: Does not allow the interface to initiate Interface Grouping if it is down.
3. Click Set. Your configuration is set.
Bridging
Once a regular VLAN is defined, AppDirector performs bridging among interfaces assigned to the same VLAN. Bridging within a VLAN means that AppDirector learns the MAC addresses of frames arriving from each physical interface, and maintains a list of MAC addresses per interface. AppDirector enables you to statically add MAC addresses to the interface list. When a frame arrives from one interface, AppDirector looks for the frame Destination address within its address list according to the following conditions:
• If the Destination address is listed in the same interface as the Source address, AppDirector discards the frame.
• If the Destination address is listed in another interface, AppDirector forwards the frame to the relevant interface.
• If the Destination address is not listed in any interface, AppDirector broadcasts the frame to all interfaces participating in the VLAN.
Bridge Operating Parameters
To configure Bridge operating parameters, perform the procedure shown here.
To configure Bridge Operating Parameters
1. From the Bridge menu, select Operating Parameters. The Bridge Operating Parameters window appears.
2. Set the parameters.
Parameters:
Bridge Address (Read Only): The MAC Address used by the device.
Bridge Type (Read Only): Types of bridging the device can perform.
Forwarding Table Aging Time: How many seconds learned entries remain in the Forwarding Table. The counter is reset each time the entry is used. After this time, entries are deleted from the table. Minimum: 10 seconds.
3. Change the Forwarding Table Aging Time value.
4. Click Set. Your configuration is set.
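The three forwarding conditions in the Bridging section and the Forwarding Table Aging Time parameter above together define a classic learning bridge. The following added example (not code from this guide or from Radware) models that behaviour for one VLAN, with learned entries that age out and static Mgmt entries that do not. Time is passed in explicitly in seconds so the run is deterministic; that the flooded frame is not sent back out of the port it arrived on, and the port and MAC names, are assumptions of the example.

```python
from typing import Dict, List


class LearningBridge:
    """Transparent learning bridge for one Regular VLAN: learn the source MAC
    per interface, then discard / forward / flood by destination MAC."""

    STATUS_LEARNED = "Learned"   # entry learned from a received frame
    STATUS_MGMT = "Mgmt"         # static entry added by the administrator

    def __init__(self, vlan_ports: List[str], aging_time: int = 300):
        if aging_time < 10:      # Forwarding Table Aging Time minimum is 10 seconds
            raise ValueError("Forwarding Table Aging Time minimum is 10 seconds")
        self.ports = list(vlan_ports)
        self.aging_time = aging_time
        # mac -> [port, last_used_time (None for static entries), status]
        self.table: Dict[str, list] = {}

    def add_static(self, mac: str, port: str) -> None:
        """Statically pin a MAC address to an interface (survives aging)."""
        if port not in self.ports:
            raise ValueError(f"{port} is not a member of this VLAN")
        self.table[mac] = [port, None, self.STATUS_MGMT]

    def _age_out(self, now: float) -> None:
        """Delete learned entries that have been idle for the aging time."""
        expired = [mac for mac, (_, last, status) in self.table.items()
                   if status == self.STATUS_LEARNED and now - last >= self.aging_time]
        for mac in expired:
            del self.table[mac]

    def receive(self, in_port: str, src_mac: str, dst_mac: str, now: float) -> List[str]:
        """Return the list of ports the frame is sent out of ([] means discarded)."""
        if in_port not in self.ports:
            raise ValueError(f"{in_port} is not a member of this VLAN")
        self._age_out(now)
        # Learn (or refresh) the source, unless a static entry already pins it.
        entry = self.table.get(src_mac)
        if entry is None or entry[2] == self.STATUS_LEARNED:
            self.table[src_mac] = [in_port, now, self.STATUS_LEARNED]
        entry = self.table.get(dst_mac)
        if entry is None:
            # Destination not listed on any interface: flood the VLAN
            # (assumption: the ingress port itself is excluded).
            return [p for p in self.ports if p != in_port]
        port, _, status = entry
        if status == self.STATUS_LEARNED:
            entry[1] = now   # the aging counter is reset each time the entry is used
        if port == in_port:
            return []        # destination is on the same interface as the source: discard
        return [port]        # destination listed on another interface: forward there


if __name__ == "__main__":
    bridge = LearningBridge(["p1", "p2", "p3"], aging_time=10)
    print(bridge.receive("p1", "A", "B", now=0))    # B unknown: flooded to p2, p3
    print(bridge.receive("p2", "B", "A", now=1))    # A learned on p1: forwarded to p1
    print(bridge.receive("p1", "C", "A", now=2))    # A is on the ingress port: discarded
    print(bridge.receive("p3", "D", "A", now=13))   # A aged out (idle 11 s): flooded again
```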
Bridge Global Forwarding Table
The Bridge Global Forwarding Table is used to monitor bridge forwarding nodes.
To access the Global Forwarding Table
From the Bridge menu, select Global Forwarding Table. The Global Forwarding Table window appears with these read-only parameters:
MAC Address: The node's MAC address.
Port: Port through which the node has been learned, and through which frames from this entry are received.
Status: Describes how the node entry was added to the list, and indicates its status: • Learned: The entry was automatically learned. • Self: The entry is a device port. • Mgmt: The entry is a static node manually entered using the Edit button. • Other: Node status cannot be described by the above.
Static Forwarding Table
This table is used to monitor, create and edit static bridge forwarding nodes.
To create/edit the Static Forwarding Table
1. From the Bridge menu, select Static Forwarding Table. The Static Forwarding Table window appears.
2. Click Create. The Static Bridge Forwarding Table Create window appears.
3. Set the parameters.
Parameters:
Static MAC Address: The static node's MAC address.
Static Receive Port: Port through which frames are received from this entry.
Status: Describes how the node entry behaves upon device reset: • Permanent: Entry remains after device reset. • DeleteOnReset: Entry is deleted by a device reset.
4. Click Set. Your configuration is set.
VLAN Tagging
VLAN Tagging is an IEEE standard (802.1q) for supporting multiple VLANs associated with the same switch port. Each VLAN is tagged with a unique identifier to allow the identification of different VLAN traffic on the same physical port. This protocol allows individual VLANs to communicate with one another with the use of a Layer 3 router. AppDirector can rewrite VLAN Tags or retain the tags on packets that pass through it. For AppDirector to support VLAN Tags, by either forwarding or overwriting them, support for an 802.1q environment must be enabled. By default VLAN Tags are not supported on AppDirector. When the status of VLAN Tag support is changed, you need to reboot the device.
Note: If you want 802.1q information, you need to capture what is being sent to the AppDirector on the neighboring switch, because 802.1q header information cannot be displayed in the AppDirector packet capture.
Retaining VLAN Tags
AppDirector enables you to preserve existing VLAN Tags on incoming traffic passing through the device.
Rewriting VLAN Tags
VLAN Tagging can be used with AppDirector where AppDirector is connected to multiple VLANs on the same switch, and different servers are assigned to different VLANs. VLAN Tagging is based on the local subnet to which the traffic is sent or on the destination MAC of the packet. Therefore, AppDirector cannot tag packets by the destination subnet if it is not local to the AppDirector. The switch connected to the AppDirector must be configured consistently with the AppDirector tagging configuration.
Each IP interface can have a VLAN tag associated with it. AppDirector recognizes an IP interface as an L2 interface/IP address combination. When using AppDirector with VLAN Tagging, all packets sent to the Destination MAC address of a Next Hop Router (with an IP address on a local subnet that is associated with a tag-configured IP interface) carry the VLAN tag, regardless of the Destination IP address of the packet. In addition, all packets sent to any Destination host on a tag-configured IP interface carry the VLAN tag. This includes:
• All Health Check packets from AppDirector to Next Hop Routers, including Full Path Health Monitoring.
• ARP requests and responses from AppDirector to the Next Hop Routers.
• Unicast ARPs between redundant AppDirectors.
• Gratuitous ARPs, as part of the redundancy feature.
If an IP interface does not have a VLAN tag configured, then the packets are sent without a tag (standard Layer 2 MAC header). Configurable VLAN ID values range from 0 to 4095. AppDirector automatically sets the 802.1p portion of the tag (the first three bits) to 000. If a packet arrives without a VLAN tag at a Destination interface of AppDirector that has a VLAN tag, AppDirector sets a tag on the packet according to the Destination local subnet, even if it is in Retain mode; it then behaves as in Overwrite mode.
Note: 802.1p is a specification for giving Layer 2 switches the ability to prioritize traffic (and perform dynamic multicast filtering).
VLAN Tagging Configuration
The VLAN Tagging window allows you to enable and disable VLAN tagging. AppDirector can rewrite VLAN Tags on packets that pass through it. Configurable VLAN ID values range from 0 to 4095. AppDirector automatically sets the 802.1p portion of the tag (the first three bits) to 000. If a packet arrives without a VLAN tag at a Destination interface of AppDirector that has a VLAN tag, AppDirector sets a tag on the packet according to the Destination local subnet, even if it is in Retain mode; it then behaves as in Overwrite mode.
To enable VLAN Tagging
1. From the Device menu, select VLAN Tagging. The VLAN Tagging window appears.
2. From the 802.1q Environment drop-down box, select Enable.
3. Set the VLAN Tag Handling using these parameters.
Parameters:
Retain: The device preserves existing VLAN tags on the incoming traffic that passes through the device. Traffic generated by the device is tagged according to the IP Interface configuration.
Overwrite (Default): The device performs VLAN Tagging of outgoing traffic in accordance with the IP Interface configurations. AppDirector sets tags for packets according to the following parameters: • Destination IP of the packet, if it is on the same local subnet as AppDirector, OR • MAC address of the firewall that is configured on AppDirector and through which the packet is sent.
4. Click Set. Your configuration is set.
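To make the tag format and the Retain/Overwrite rules concrete, here is an added example that is not part of this guide or of the AppDirector software. It builds and parses 802.1q tags (TPID 0x8100, the three 802.1p bits forced to 000, VID limited to 0-4095), looks up the VLAN ID by the destination's local subnet, and applies the handling rules stated above, including the untagged-arrival case in which Retain behaves as Overwrite. It also shows the VLAN Ethernet Type / Mask comparison from the VLAN Parameters section. The IP interface table, interface names and subnets are constructed for the example, and only the destination-subnet rule is modelled (not the firewall-MAC rule).

```python
import struct
from ipaddress import ip_address, ip_network

TPID_8021Q = 0x8100       # Tag Protocol Identifier announcing an 802.1q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed IP interface table (hypothetical names and subnets). The guide
# treats an IP interface as an L2 interface/IP address pair; a vid of None
# means the interface sends untagged frames.
IP_INTERFACES = (
    {"l2": "vlan-10", "subnet": ip_network("10.1.10.0/24"), "vid": 10},
    {"l2": "vlan-20", "subnet": ip_network("10.1.20.0/24"), "vid": 20},
    {"l2": "port-3", "subnet": ip_network("10.1.30.0/24"), "vid": None},
)


def build_tag(vid: int, pcp: int = 0) -> bytes:
    """TPID followed by the TCI. The 802.1p bits default to 000 as on
    AppDirector; the DEI/CFI bit is left at 0."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must be 0-4095")
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must be 0-7")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    tag, payload_at = None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        tag = {"pcp": tci >> 13, "vid": tci & 0x0FFF}
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload_at = 18
    return {"dst": dst, "src": src, "tag": tag,
            "ethertype": ethertype, "payload": frame[payload_at:]}


def assemble_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                   vid=None) -> bytes:
    """Rebuild a frame, inserting a tag after the source address when vid is set."""
    tag = build_tag(vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def vid_for_destination(dst_ip: str):
    """VLAN ID of the IP interface whose local subnet contains dst_ip, or None:
    a destination that is not local cannot be tagged by its subnet."""
    addr = ip_address(dst_ip)
    for iface in IP_INTERFACES:
        if addr in iface["subnet"]:
            return iface["vid"]
    return None


def egress_frame(frame: bytes, dst_ip: str, handling: str) -> bytes:
    """Apply the VLAN Tag Handling setting to a frame leaving towards dst_ip."""
    if handling not in ("Retain", "Overwrite"):
        raise ValueError("handling must be Retain or Overwrite")
    f = parse_frame(frame)
    if handling == "Retain" and f["tag"] is not None:
        return frame                      # the existing tag is preserved as-is
    # Overwrite mode, or an untagged arrival in Retain mode: the tag comes
    # from the destination's local subnet (Retain then behaves as Overwrite).
    return assemble_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                          vid_for_destination(dst_ip))


def ethertype_matches(ethertype: int, vlan_ethertype: int, mask: int) -> bool:
    """VLAN Ethernet Type / Mask test: only the bits selected by the mask are compared."""
    return (ethertype & mask) == (vlan_ethertype & mask)


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    untagged = assemble_frame(dst, src, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    print(parse_frame(egress_frame(untagged, "10.1.10.5", "Retain"))["tag"])   # vid 10
    print(parse_frame(egress_frame(untagged, "192.0.2.1", "Overwrite"))["tag"])  # None
```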
Spanning Tree Protocol
The Spanning Tree Protocol (STP) is a protocol that prevents loops in networks and environments where there is more than one path that the traffic may pass through. If a packet has numerous links, it can choose which path to use, which may cause loops in the network. The STP algorithm makes a calculation based on various parameters including the preferred path and logically blocks all other paths. AppDirector supports the Rapid Spanning Tree Protocol (backwards compatible with STP), allowing you to configure Spanning Tree on each VLAN of the device. Different VLANs may have different STP settings.
Notes:
>> STP is NOT supported on OnDemand Switch 1 Platforms.
>> Spanning Tree is supported only for IP-Regular and IP-Switch VLANs.
>> When working with STP in a redundant configuration, the VRRP redundancy mechanism must be used and the primary device must have the lowest Bridge ID.
Spanning Tree Global Parameters/Settings
The Spanning Tree Global Parameters/Settings window enables you to configure the global parameters of the Spanning Tree, affecting all the Spanning Tree instances running on the device.
To configure the STP Global Settings
1. From the Bridge menu, select STP > Global Parameters. The STP Global Parameters window appears.
2. Set the parameters.
Parameters:
Spanning Tree Mode: Enables or disables Spanning Tree per VLAN. Values: Disabled (Default) or Per-VLAN (enabled).
Default Bridge Priority: Default priority of the bridge. Values: 0 - 61440 in multiples of 4096. The lower the value, the higher the priority. Default: 32768.
Default Hello Time [sec.]: Interval, in seconds, between two BPDU packets sent by the device. Values: 1 - 10 seconds. Default: 2 seconds.
Default Max Aging Time [sec.]: Maximum time, in seconds, the device waits for a BPDU packet before it tries to re-configure. Values: 6 - 40 seconds. Default: 20 seconds.
Default Forward Delay Time [sec.]: Time that the device waits before changing the port's state. Values: 4 - 30 seconds. Default: 15 seconds.
Default Port Priority: Port priority. When two (or more) ports have the same value, the device uses the port with the lowest MAC address. Values: 0 - 240. Default: 128.
3. Click Set. Your configuration is set.
Note: Default values take effect only after a reboot, or when creating new instances.
Spanning Tree Instances
When there is more than one VLAN on the device, each VLAN can run its own instance of a Spanning Tree with different parameters for each VLAN. When there are multiple VLANs on the device, you can enable and disable the Spanning Tree for each VLAN.
Notes:
>> Spanning Tree per VLAN is supported only when the VLANs do not share any physical ports (each VLAN has its own physical ports).
>> The Regular VLAN default Up/Down criteria are set to Down: 1 Port, Up: All Ports. To work effectively with STP redundancy they should be set to Down: All Ports, Up: 1 Port.
To configure Spanning Tree Instances
1. From the Bridge menu, select STP > Instances. The STP Instances window appears.
2. Select the VLAN ID that you wish to edit. The Spanning Tree Instances Run on this Bridge Update window appears.
3. Set the parameters.
Parameters:
VLAN ID: VLAN to apply these settings to; alternatively you may apply the settings to multiple VLANs.
Bridge Priority: Default priority of the bridge. Values: 0 - 61440 in multiples of 4096. Default: 32768.
Maximum Aging Time [sec.]: Maximum time, in seconds, that the device waits for a BPDU packet before it tries to re-configure. Values: 6 - 40 seconds. Default: 20 seconds.
Hello Time [sec.]: Interval, in seconds, between two BPDU packets sent by the device. Values: 1 - 10 seconds. Default: 2 seconds.
Forward Delay Time [sec.]: Time, in seconds, the device waits before changing the port's state. Values: 4 - 30 seconds. Default: 15 seconds.
STP Status: Allows you to enable and disable STP for this VLAN.
4. Click Set. Your preferences are recorded.
Spanning Tree Ports
Within each VLAN, you can configure individual physical port behavior. Ports connected directly to servers do not need to wait for the forward delay timer to expire before they start forwarding traffic. You can enable ModeFast, enabling the device to forward traffic as quickly as possible. You can also exclude any physical port from participating in the STP algorithm.
To configure Spanning Tree Ports
1. From the Bridge menu, select STP > Ports. The STP Port Information window appears.
2. Select the relevant port from the table. The STP Port Information Update window appears.
3. Set the parameters.
Parameters:
Port ID (Read Only): Number of the selected port from the table.
VLAN ID (Read Only): Specifies the VLAN the physical port belongs to.
Priority: Port priority. When two (or more) ports have the same value, the device uses the port with the lowest MAC address. Values: 0 - 240 in multiples of 16. Default: 128.
Path Cost: Sets the spanning tree path cost for this port. Values: 1 - 65535, defined automatically according to the port speed. You can also change this value. Note: The default path costs of the device ports depend on the port speed. Port Speed versus Path Cost:
• 10Mbps / 100
• 100Mbps / 19
• 1Gbps / 4
• 10Gbps / 2
Mode Fast: When enabled, this port changes its status to the forwarding state without waiting for the forward delay timer. Values: Enabled / Disabled (default).
STP Status: Enables STP on the selected port. When disabled, the physical port does not participate in STP. Values: Enabled (default) / Disabled.
4. Click Set. Your preferences are recorded.
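The STP parameters in the three tables above have tight constraints (bridge priority in multiples of 4096, port priority in multiples of 16, default path cost by port speed), and the redundancy note requires the primary device to hold the lowest Bridge ID. The following added example (not code from this guide or from Radware) validates those values and shows how Bridge ID ordering decides the root and how the lowest-MAC tie-break picks a port. The relation between the three timers checked in validate_timers is taken from IEEE 802.1D, not from this guide, and the MAC addresses used are constructed.

```python
from typing import Iterable, Tuple

# Default path cost by port speed, from the Port Speed versus Path Cost list above.
DEFAULT_PATH_COST = {10: 100, 100: 19, 1_000: 4, 10_000: 2}   # Mbps -> cost


def default_path_cost(speed_mbps: int) -> int:
    if speed_mbps not in DEFAULT_PATH_COST:
        raise ValueError(f"no default path cost listed for {speed_mbps} Mbps")
    return DEFAULT_PATH_COST[speed_mbps]


def validate_bridge_priority(priority: int) -> int:
    """0 - 61440 in multiples of 4096; the lower the value, the higher the priority."""
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError("bridge priority must be 0-61440 in multiples of 4096")
    return priority


def validate_port_priority(priority: int) -> int:
    """0 - 240 in multiples of 16."""
    if not 0 <= priority <= 240 or priority % 16:
        raise ValueError("port priority must be 0-240 in multiples of 16")
    return priority


def validate_path_cost(cost: int) -> int:
    if not 1 <= cost <= 65535:
        raise ValueError("path cost must be 1-65535")
    return cost


def validate_timers(hello: int, max_age: int, forward_delay: int) -> bool:
    """Range checks as in the parameter tables; the returned flag reports whether
    the timers also satisfy the IEEE 802.1D relation (assumption taken from the
    standard, not from the guide): 2*(forward_delay-1) >= max_age >= 2*(hello+1)."""
    if not 1 <= hello <= 10:
        raise ValueError("hello time must be 1-10 seconds")
    if not 6 <= max_age <= 40:
        raise ValueError("max aging time must be 6-40 seconds")
    if not 4 <= forward_delay <= 30:
        raise ValueError("forward delay must be 4-30 seconds")
    return 2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1)


def _mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return raw


def bridge_id(priority: int, mac: str) -> Tuple[int, bytes]:
    """Bridge ID orders by priority first, then by MAC address; the lowest wins."""
    return (validate_bridge_priority(priority), _mac_bytes(mac))


def elect_root(bridges: Iterable[Tuple[int, str]]) -> str:
    """MAC of the bridge that becomes root (lowest Bridge ID). In a VRRP
    redundant pair the guide requires the primary device to hold this ID."""
    return min(bridges, key=lambda b: bridge_id(*b))[1]


def pick_port(ports: Iterable[Tuple[int, str]]) -> str:
    """Lowest port priority wins; among equal priorities the lowest MAC address."""
    return min(ports, key=lambda p: (validate_port_priority(p[0]), _mac_bytes(p[1])))[1]


if __name__ == "__main__":
    pair = [(32768, "00:00:00:00:00:02"), (4096, "00:00:00:00:00:09")]   # constructed MACs
    print("root:", elect_root(pair))                   # the 4096-priority bridge
    print("1G default cost:", default_path_cost(1_000))
    print("defaults consistent:", validate_timers(2, 20, 15))
```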
Link Aggregation (Port Trunking)
Link Aggregation, or Port Trunking, is a method of combining physical network links into a single logical link for increased bandwidth. With Link Aggregation you can increase the capacity and availability of the communications channel between devices (both switches and end stations) using existing Fast Ethernet and Gigabit Ethernet technology. This is performed by using a set of multiple parallel physical links between two devices grouped together to form a single logical link. Link Aggregation includes the following topics:
• Link Aggregation Global Configuration, page 102
• Link Aggregation Trunk Table, page 103
• Link Aggregation Trunk Port Table, page 103
• Trunk Management, page 104
The port trunking feature allows you to define up to seven trunks (on OnDemand Switch 1, 2, 3, VL and XL platforms). Up to eight physical links can be aggregated into one trunk. All trunk configurations are static. To provide optimal distribution for different scenarios, the load sharing algorithm allows decisions based on source or destination (or both) Layer 2 address (MAC), Layer 3 address (IP), and Layer 4 address (TCP/UDP port numbers). These parameters are used as input for a hashing function. Link aggregation also provides load balancing, where the processing and communications activity is distributed across several links in a trunk, ensuring that no single link is overwhelmed. By taking multiple LAN connections and treating them as a unified, aggregated link, you can achieve higher link availability and increased link capacity. Port Trunking is supported according to the IEEE 802.3ad standard for Link Aggregation as follows:
• Link Aggregation is supported only on links using the IEEE 802.3 MAC.
• Link Aggregation is supported only on point-to-point links.
• Link Aggregation is supported only on links operating in full duplex mode.
• Link Aggregation is permitted only among links with the same speed and direction. On the device, bandwidth increments are provided in units of 100Mbps and 1Gbps respectively.
• The failure or replacement of a single link within a Link Aggregation Group will not cause failure from the perspective of a MAC client.
Note: AppDirector does not support the Link Aggregation Control Protocol (LACP), only a static trunk configuration.
MAC Client traffic can be distributed across multiple links. To guarantee the correct ordering of frames at the receiving end station, all frames belonging to one conversation must be transmitted through the same physical link. The algorithm for assigning frames to a conversation depends on the application environment. Radware devices can define conversations upon Layer 2, 3, or 4 information, or on combined layers.
Link Aggregation Global Configuration
To perform port trunking on a global AppDirector configuration, follow this procedure.
To configure Link Aggregation Global Configuration
1. From the Device menu, select Link Aggregation > Global Configuration. The Distribution Method window appears.
2. Set the parameters.
Parameters:
Layer 2: Defines whether the MAC address is used in the traffic distribution algorithm. Select: • Ignore: Do not use the MAC address • Source Address: Use the source MAC address • Destination Address: Use the destination MAC address • Both Addresses (Default): Use the source and destination MAC addresses
Layer 3: Defines whether the IP address is used in the traffic distribution algorithm. Select: • Ignore: Do not use the IP address • Source Address: Use the source IP address • Destination Address: Use the destination IP address • Both Addresses (Default): Use the source and destination IP addresses
Layer 4: Defines whether the application port is used in the traffic distribution algorithm. Select: • Ignore: Do not use the application port • Source Port: Use the source application port • Destination Port: Use the destination application port • Both Ports (Default): Use the source and destination application ports
3. Click Set. Your configuration is set.
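The Distribution Method parameters above select which header fields feed the trunk's hashing function, and the earlier text explains why that matters: every frame of one conversation must hash to the same physical link so that ordering is preserved. The following added example (not code from this guide or from Radware) implements that selection with exactly the four choices per layer from the window. The hash function itself (CRC-32 modulo the number of links) is an assumption, since the guide only says the chosen fields are hashed; the Packet fields and addresses are constructed.

```python
import struct
import zlib
from dataclasses import dataclass
from ipaddress import ip_address

# Distribution Method choices, named as in the Global Configuration window.
LAYER2_CHOICES = ("Ignore", "Source Address", "Destination Address", "Both Addresses")
LAYER3_CHOICES = LAYER2_CHOICES
LAYER4_CHOICES = ("Ignore", "Source Port", "Destination Port", "Both Ports")
DEFAULT_METHOD = {"layer2": "Both Addresses", "layer3": "Both Addresses",
                  "layer4": "Both Ports"}


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def conversation_key(pkt: Packet, method: dict = DEFAULT_METHOD) -> bytes:
    """Concatenate the fields the distribution method selects. Every frame of
    one conversation yields the same key and therefore the same link."""
    l2, l3, l4 = method["layer2"], method["layer3"], method["layer4"]
    if l2 not in LAYER2_CHOICES or l3 not in LAYER3_CHOICES or l4 not in LAYER4_CHOICES:
        raise ValueError(f"unknown distribution method {method}")
    parts = []
    if l2 in ("Source Address", "Both Addresses"):
        parts.append(_mac_bytes(pkt.src_mac))
    if l2 in ("Destination Address", "Both Addresses"):
        parts.append(_mac_bytes(pkt.dst_mac))
    if l3 in ("Source Address", "Both Addresses"):
        parts.append(ip_address(pkt.src_ip).packed)
    if l3 in ("Destination Address", "Both Addresses"):
        parts.append(ip_address(pkt.dst_ip).packed)
    if l4 in ("Source Port", "Both Ports"):
        parts.append(struct.pack("!H", pkt.src_port))
    if l4 in ("Destination Port", "Both Ports"):
        parts.append(struct.pack("!H", pkt.dst_port))
    return b"".join(parts)


def select_link(pkt: Packet, method: dict = DEFAULT_METHOD, n_links: int = 2) -> int:
    """0-based index of the trunk member that carries this frame. CRC-32 is an
    assumed hash; the guide only states that the selected fields are hashed."""
    if not 1 <= n_links <= 8:      # up to eight physical links per trunk
        raise ValueError("a trunk aggregates 1-8 physical links")
    key = conversation_key(pkt, method)
    if not key:                    # all three layers set to Ignore: one link carries all
        return 0
    return zlib.crc32(key) % n_links


if __name__ == "__main__":
    flow = Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                  "10.1.10.5", "10.1.20.7", 51000, 443)   # constructed flow
    l2_only = {"layer2": "Both Addresses", "layer3": "Ignore", "layer4": "Ignore"}
    print("default method, 4 links:", select_link(flow, n_links=4))
    print("MAC-only method, 4 links:", select_link(flow, l2_only, 4))
```

With the MAC-only method every flow between the same two MAC addresses lands on the same link, which is the expected loss of distribution when the trunk faces a single router pair; the Layer 3 and Layer 4 fields are what spread those flows across members. As the notes that follow state, the peer switch must use the same algorithm.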
Link Aggregation Trunk Table
You can define up to seven trunks, with up to eight physical links aggregated into one trunk. All trunk configurations are static. The Trunk Table window allows you to view the Trunk Index settings that were defined in the Port Table.
To view the Link Aggregation Trunk Table
From the Device menu, select Link Aggregation > Trunk Table. The Link Aggregation Trunk Table window appears, which contains the following read-only parameters:
Trunk Index: Displays the trunk index.
Trunk MAC Address: Displays the MAC Address assigned to the trunk.
Trunk Status: Individual (False): No ports are attached to this trunk. Aggregated (True): Ports are attached to this trunk.
Link Aggregation Trunk Port Table
The Trunk Port Table window allows you to attach ports to a trunk. Only connected ports (Link Up) operating in full duplex mode can be attached to a trunk.
To set the Link Aggregation Trunk Port Table parameters
1. From the Device menu, select Link Aggregation > Port Table. The Link Aggregation Port Table window appears.
2. Select the Port Index to edit. The Ports Table Update window appears.
3. Set the parameters.
Parameters:
Port Index (Read only): The physical port index.
Port MAC Address (Read only): The MAC address assigned to the port.
Trunk Index: Trunk to which the port is attached. Select from: • 1-7 • Unattached (Default)
Port Status (Read only): Individual (False): The port is not attached to any trunk. Aggregated (True): The port is attached to a trunk.
4. Select the Trunk to which you wish to attach the port.
5. Click Set. Your configuration is set.
Notes:
>> The same algorithm must be applied on the other switch in the trunk.
>> OnDemand Switch 1 and VL implement link aggregation in software and not at the switch level (these platforms do not include a Layer 2 switch hardware component). Therefore, you cannot define trunks as participants in port mirroring on these platforms.
Trunk Management You can define a management trunk (T-MNG) that only includes the management ports (MNG-1 and MNG-2). The management ports cannot be a part of any other trunk. Using the management trunk provides redundancy at the physical level for connectivity to the management network. One link is active while the other is in backup mode. Failure of the active link seamlessly activates the backup.
Port Mirroring Port Mirroring enables the AppDirector device to duplicate traffic from one physical port on the device to another physical port on the same device. This is useful, for example, when an Intrusion Detection System (IDS) device is connected to one of the ports on the AppDirector device. You can configure port mirroring for received traffic only, for transmitted traffic only, or for both. You can also decide whether to mirror the received broadcast packets.
To set the Port Mirroring parameters
1. From the Device menu select Port Mirroring. The Port Mirroring Table window appears.
2. Click Create. The Port Mirroring Table Create window appears.
3. Set the parameters.
Parameters:
Input Port: The port from which the traffic is mirrored.
Output Port: The port to which traffic is mirrored.
Receive\Transmit: Select the direction of traffic to be mirrored. • Transmit & Receive (default) • Receive Only • Transmit Only
Promiscuous Mode: You can either copy all traffic from the input port to the output port, or copy only traffic destined for the input port. Select either: Enabled (default): All traffic is copied to the Output Port. Disabled: Only traffic destined to the Input port is copied. Note: The difference between the enabled and disabled status is the ARP packet. If you set Promiscuous mode to enabled, you can receive ARP packets with MAC address FF-FF-FF-FF-FF-FF, or you can receive ARP packets without the MAC address FF-FF-FF-FF-FF-FF.
4. Click Set. Your configuration is set.
Notes:
>> Device Port mirroring is not supported with VLAN or OnDemand Switch 1.
>> OnDemand Switch 2 supports port mirroring of up to 4 ports.
>> For OnDemand Switches 2 and 3, the trunk cannot be a port mirroring destination but can be a source. For OnDemand Switches VL and 1, trunks cannot participate at all in port mirroring.
>> When mirroring traffic from a port which is part of a Switch VLAN, traffic between hosts on this VLAN is not mirrored, because it is switched by the ASICs of the device.
>> When mirroring traffic received on a physical port which is part of a Switch VLAN, and the mirrored port is configured to mirror Received Broadcast packets, these packets are mirrored from all ports on the Switch VLAN.
>> Traffic generated by the device itself, such as Connectivity Checks or management traffic, is not mirrored by Port Mirroring.
>> Using a Regular VLAN, traffic with a destination multicast MAC is not always mirrored.
>> You can copy traffic from one Input Port to up to two Output Ports, or from many Input Ports into one Output Port.
IP Addressing and Routing
This section discusses configuration of IP addressing and includes the following topics:
• Interface IP Addresses, page 106
• Routing, page 107
• Routing Table, page 109
• ARP Table, page 110
• NHRs, page 110
• VIP NHR, page 111
• Routing Information Protocol, page 112
• Open Shortest Path First (OSPF), page 114
• Border Gateway Protocol, page 119
Interface IP Addresses
An IPv4 address is a 32-bit binary number made up of two parts: one identifying the network and the other identifying the host on that network, with a boundary between the two. The location of the boundary is determined by the subnet mask, another 32-bit binary number that acts as a filter when applied to the IP address. By comparing the subnet mask with an IP address, systems determine which portion of the address identifies the network and which the host: wherever a mask bit is set to 1, the corresponding bit of the IP address belongs to the network address; wherever the mask bit is 0, the corresponding bit belongs to the host address. AppDirector performs routing between all IP interfaces defined on its Layer 2 interfaces (ports, trunks, VLANs).
IP Interface Parameters The IP Interface Parameters window allows you to configure the Interface and ICMP Interface parameters.
To set the Interface Parameters
1. From the Router menu select IP Router > Interface Parameters. The IP Interface Parameters window appears.
2. Select the IP Address. The IP Interface Parameters Update window appears.
3. Set the parameters.
Parameter
Description
IP Address
IP address of the interface.
IF Number
Interface Number of the interface. If the interface is a VLAN, the included interfaces are listed in the box in the Edit window.
Network Mask
Associated subnet mask.
FWD Broadcast
Forward Broadcast. Determines whether the device forwards incoming broadcasts to this interface.
Broadcast Addr
Fill the host ID in the broadcast address with ones or zeros.
VLAN Tag
When multiple VLANs are associated with the same switch port, the switch needs to identify to which VLAN to direct incoming traffic from that specific port. VLAN tagging provides an indication in the Layer 2 header, which enables the switch to make the correct decision. Enter the Tag to be associated with this IP Interface.
Peer Address
The IP address for the same layer 2 interface on the redundancy peer device. This is mandatory if you want to synchronize configuration between main and backup devices.
4. Click Set. Your configuration is set.
To set the ICMP Interface Parameters 1. From the Router menu select IP Router > Interface Parameters. The IP Interface Parameters window appears. 2. Double-click on an IP address from the ICMP Interface parameters section. The ICMP Interface Parameters Update window appears. 3. Set the parameters.
Parameter
Description
IP Address
IP address of the interface.
Advert Address
IP destination address for multicast Router Advertisements sent from the interface. Values are: • all-systems multicast address, 224.0.0.1 • limited-broadcast address, 255.255.255.255
Max Advert. Interval
Maximum time in seconds between multicast Router Advertisements from the interface. Values are between the Minimum Advert Interval defined below and 1800 seconds.
Min Advert. Interval
Minimum time (seconds) between unsolicited multicast Router Advertisements from the interface. Values are between 3 seconds and the maximum interval defined above. Default: 0.75 of the Maximum Interval.
Advert. Lifetime
Maximum time (seconds) that the advertised addresses are considered valid. This must be no less than the Maximum Interval defined above, and no greater than 9000 seconds. Default: 3 times the Maximum Advert Interval.
Advertise
Enables you to advertise the device IP address using ICMP Router Advertisements.
Preference Level
Preferability of address as default router address, relative to other router addresses on same subnet.
Reset to Defaults
Resets ICMP interface parameters to default values.
4. Click Set. Your configuration is set.
Routing
Routing is the ability to forward IP packets to their destination using an IP Routing Table. This table stores information about destinations and how they can be reached. By default, all networks directly attached to AppDirector are included in the IP Routing Table. Other entries can either be statically configured or dynamically created through a routing protocol.
• When AppDirector forwards an IP packet, the IP Routing Table is used to determine the next-hop IP address and the next-hop interface.
• For direct delivery (the destination is a neighboring node), the next-hop MAC address is the MAC address of the destination itself.
• For indirect delivery (the destination is not a neighboring node), the next-hop MAC address is that of the IP router selected from the IP Routing Table.
• The destination IP address does not change from source to destination. Only the destination MAC address (Layer 2 information) is rewritten to move a packet across networks.
• The MAC address of the destination host is applied once the packet arrives on the destination network.
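The lookup these bullets describe, together with the subnet mask rule from Interface IP Addresses, in an added Python example (not the guide's or Radware's code): a routing table with Local, Remote and Reject entries, longest-prefix matching, the check that a static route's next hop lies on a directly attached subnet, and the direct versus indirect delivery decision that picks the address whose MAC goes into the frame. The topology and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network            # Destination IP Address + Network Mask
    next_hop: Optional[ipaddress.IPv4Address]     # None for Local (directly attached) routes
    if_index: int                                 # Interface Index the next hop is reached through
    metric: int                                   # hop count
    rtype: str                                    # "local", "remote" or "reject"


@dataclass(frozen=True)
class Decision:
    action: str                                   # "direct", "indirect" or "discard"
    if_index: Optional[int]
    arp_target: Optional[ipaddress.IPv4Address]   # address whose MAC becomes the frame's destination MAC


class RoutingTable:
    def __init__(self) -> None:
        self._routes: List[Route] = []

    def add_local(self, subnet: str, if_index: int) -> None:
        """Directly attached network (created automatically for each IP interface)."""
        self._routes.append(Route(ipaddress.ip_network(subnet, strict=False), None, if_index, 0, "local"))

    def add_static(self, dest: str, next_hop: Optional[str], if_index: int,
                   metric: int = 1, reject: bool = False) -> None:
        net = ipaddress.ip_network(dest, strict=False)
        if reject:
            self._routes.append(Route(net, None, if_index, metric, "reject"))
            return
        nh = ipaddress.ip_address(next_hop)
        # The next hop must reside on a subnet local to the device, otherwise it can never be ARP-resolved.
        if not any(r.rtype == "local" and nh in r.destination for r in self._routes):
            raise ValueError(f"next hop {nh} is not on a directly attached subnet")
        self._routes.append(Route(net, nh, if_index, metric, "remote"))

    def lookup(self, dst: str) -> Decision:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self._routes if addr in r.destination]   # mask applied bit by bit
        if not matches:
            return Decision("discard", None, None)
        # Longest prefix wins; among equal prefixes the lowest metric wins.
        best = max(matches, key=lambda r: (r.destination.prefixlen, -r.metric))
        if best.rtype == "reject":
            return Decision("discard", None, None)
        if best.rtype == "local":
            return Decision("direct", best.if_index, addr)          # neighbour: ARP for the destination itself
        return Decision("indirect", best.if_index, best.next_hop)  # ARP for the router; destination IP unchanged


def example_table() -> RoutingTable:
    # Constructed example topology (RFC 5737 documentation ranges; not taken from the guide).
    t = RoutingTable()
    t.add_local("192.0.2.0/24", if_index=1)
    t.add_local("10.1.1.0/24", if_index=2)
    t.add_static("10.0.0.0/8", "10.1.1.1", if_index=2, metric=1)
    t.add_static("10.99.0.0/16", None, if_index=2, reject=True)      # Reject: drop as unreachable
    t.add_static("0.0.0.0/0", "192.0.2.1", if_index=1, metric=1)     # default gateway
    return t


def forward(dst: str) -> tuple:
    """Forwarding decision for one destination: (action, interface index, address to ARP for)."""
    d = example_table().lookup(dst)
    return d.action, d.if_index, (str(d.arp_target) if d.arp_target is not None else None)
```

The same longest-prefix rule is why a Reject entry for 10.99.0.0/16 overrides the broader 10.0.0.0/8 route, and why a static route whose next hop is off-subnet is refused at configuration time rather than silently blackholing traffic.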
IP Router Operating Parameters The IP Router Parameters window allows you to monitor, add and edit router settings.
To access the IP Router Parameters window
1. From the Router menu, select IP Router > Operating Parameters. The Adjusting Operating Parameters window appears.
2. Set the parameters.
Parameter
Description
Inactive ARP Timeout
If an ARP cache entry is not refreshed within a specified period, it is assumed that there is a problem with that address and the cache entry is deleted. Using the Inactive ARP timeout command enables you to set the amount of time an ARP entry can remain in an ARP table before being cleared. You can reset the timeout period to the default. Values: 1 - 9999999 seconds Default: 60000 seconds.
ARP Proxy
Here, a network host answers ARP queries for the network address that it does not have configured on the receiving interface. Proxying ARP requests on behalf of another host effectively directs all LAN traffic destined for that host to the proxying host. The "captured" traffic is then routed to the destination host via another interface. Values: Enable (Default), Disable
ICMP Error Messages
The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite and is used by networked computers' operating systems to send error messages indicating, for instance, that a requested service is not available or that a host or router could not be reached. Values: Enable (Default), Disable
3. Click Set. Your configuration is set.
Routing Table
AppDirector supports IP routing, including dynamic addition and deletion of IP interfaces, while maintaining extremely low latency. The IP router supports the RIP 1, RIP 2 and OSPF routing protocols. OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850, with some limitations. The Routing Table allows you to configure static routing and define the default gateway.
To configure routing 1. From the Router menu, select Routing Table. The Routing Table window appears. 2. Set the parameters.
Parameter
Description
Destination IP Address
Destination network to which the route is defined.
Network Mask
Network mask of the Destination subnet.
Next Hop
IP address of next hop towards Destination subnet. Next hop must reside on subnet local to the device.
Interface Index
Interface Index number for local interface or VLAN through which the next hop of this route is reached.
Metric
Number of hops to the Destination network.
Type
Type of route. Each route type causes a particular forwarding behavior. Values:
• Remote (Forwards packets): A route for which the next hop is not the final destination; packets are forwarded to the next hop.
• Local (Read-only): A route for which the next hop is the final destination, that is, a directly attached network.
• Reject (Discards packets): A route which, if matched, discards the packet as unreachable. This is used in some protocols as a means of correctly aggregating routes.
• Other: Any other route type, such as unicast, broadcast, prohibit, blackhole or throw. Routes that do not result in traffic forwarding or rejection are not displayed even if the implementation stores them internally.
3. Click Set. Your configuration is set.
ARP Table The ARP table contains the IP address and corresponding MAC address (physical address) of each network element connected to the device. Through the ARP Table, you can monitor, set and edit ARP addresses on the local router.
To access the ARP Table from WBM
1. From the Router menu, select ARP Table. The ARP Table window appears.
2. Set the parameters.
Parameter
Description
Interface Index
The interface number where the station resides.
IP Address
The station's IP address.
MAC Address
The station's MAC address.
Type
Entry type: • Other: Not Dynamic or Static • Invalid: Invalidates ARP entry and effectively deletes it. • Dynamic: Entry is learned from ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table. • Static: Entry has been configured by the network management station and is permanent.
3. Click Set. Your configuration is set.
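An added example, not the guide's or Radware's code, of the ARP Table behaviour described above together with the Inactive ARP Timeout from the operating parameters: dynamic entries are refreshed by learned ARP packets and deleted when unrefreshed for the timeout, static entries never age out, and setting an entry to Invalid removes it. It also assumes (the guide only says static entries are "permanent") that a learned ARP packet never overwrites a static entry, which is what makes a static entry for the gateway a defence against ARP spoofing on the segment. The clock, addresses and MAC values are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ArpEntry:
    if_index: int          # Interface Index where the station resides
    mac: str               # station MAC address
    entry_type: str        # "dynamic" (learned) or "static" (configured by management)
    last_refresh: float    # time of the last ARP packet that confirmed this binding


class FakeClock:
    """Constructed clock so the example runs deterministically without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class ArpTable:
    def __init__(self, inactive_timeout: float = 60000,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.inactive_timeout = inactive_timeout   # Inactive ARP Timeout in seconds (guide default 60000)
        self._clock = clock
        self._entries: Dict[str, ArpEntry] = {}

    def set_static(self, if_index: int, ip: str, mac: str) -> None:
        """Type = Static: configured by the management station, never aged out."""
        self._entries[ip] = ArpEntry(if_index, mac.lower(), "static", self._clock())

    def learn(self, if_index: int, ip: str, mac: str) -> bool:
        """Type = Dynamic: binding learned from a received ARP packet. Returns False if ignored."""
        current = self._entries.get(ip)
        if current is not None and current.entry_type == "static":
            # Assumption: a static binding is never replaced by a learned one, so a spoofed
            # reply claiming the gateway's IP with another MAC is ignored.
            return False
        self._entries[ip] = ArpEntry(if_index, mac.lower(), "dynamic", self._clock())
        return True

    def invalidate(self, ip: str) -> bool:
        """Type = Invalid: setting it on an entry effectively deletes the entry."""
        return self._entries.pop(ip, None) is not None

    def expire(self) -> List[str]:
        """Delete dynamic entries not refreshed within the inactive timeout; return the IPs removed."""
        now = self._clock()
        stale = [ip for ip, e in self._entries.items()
                 if e.entry_type == "dynamic" and now - e.last_refresh >= self.inactive_timeout]
        for ip in stale:
            del self._entries[ip]
        return stale

    def resolve(self, ip: str) -> Optional[Tuple[int, str, str]]:
        """Look up (if_index, mac, type) for an IP after ageing, or None if unknown."""
        self.expire()
        e = self._entries.get(ip)
        return None if e is None else (e.if_index, e.mac, e.entry_type)
```

The trade-off a practitioner should keep in mind: a long Inactive ARP Timeout reduces ARP traffic but also keeps a poisoned dynamic binding alive for longer, whereas a static entry pins the binding and leaves only the management path as a way to change it.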
NHRs Each host or router handling a packet examines the Destination Address in the IP header, computes the next hop that will bring the packet one step closer to its destination, and delivers the packet to the next hop, where the process is repeated. A Next Hop Router (NHR) is a network element used for outbound traffic in AppDirector Multi Homing configurations. NAT addresses can be associated with Next Hop Routers (NHRs), similar to the way VIPs are associated with NHRs. The NHR Table window enables you to list the device's next hop routers.
To access the NHR Table from WBM
1. From the Router menu, select NHR Table. The NHR Table window appears.
2. Set the parameters.
Parameter
Description
NHR IP Address
IP address of required NHR (next hop router).
NHR MAC Address
MAC address of the NHR.
Device MAC Address
MAC address of the device.
Status
Administrative status of the NHR, Enable or Disable.
Port Number
Displays the number of the selected management port.
Oper Status
In Service/ Not In Service
Path Health Check IP
IP address of network element to be checked via this NHR to establish the health status of this router.
Check Method
Method the device uses to check the NHR's health via the Health Monitoring Module: Ping or Disable.
Check Interval
Interval, in seconds, between checks.
Check Retries
Number of consecutive checks without a reply before the device declares the router offline.
3. For creating new NHR Table entries, click Create. The NHR Table Create window appears as above without NHR MAC Address, Device MAC Address, Port Number and Oper Status. 4. Click Set. Your configuration is set.
Setting Up Default Router Per VIP
All Next-Hop Routers connected to the AppDirector are defined in the NHR table. NHRs are associated with the Virtual IP addresses of the device using the VIP NHR table. The VIP NHR table is consulted only for packets that would otherwise be sent to the device's default gateway. When a static route matches the packet's destination, the packet is forwarded by that route and the VIP NHR table is not consulted. In other words, the NHR per VIP feature applies only to traffic that matches the device's default gateway. Before defining the VIP NHR table, add the new NHR to the network and set up the general NHR parameters.
VIP NHR The VIP NHR Table window enables you to associate a next hop router, configured in the NHR Table, to a virtual IP address configured on the device.
To access the VIP NHR Table
1. From the Router menu, select VIP NHR Table. The VIP NHR Table window appears.
2. Set the parameters.
Parameter
Description
Virtual IP Address
Required Virtual IP address.
NHR IP Address
IP address of the required next hop router.
No Route Action
Determines action if both primary and backup next hop routers are offline. Values: • Discard: The packets are discarded. • Use Regular Routing: Packets are forwarded using Routing Table.
NHR Weight
Determines relative amount of total traffic forwarded to the primary router when Load Sharing is enabled.
Backup NHR Weight
Determines relative amount of total traffic forwarded to backup router when Load Sharing enabled.
Backup NHR IP Address
IP address of the backup next hop router.
NHR Load Sharing
Enable/disable load sharing between primary and backup next hop routers, based on relative weights. • Layer 3 Hashing: Traffic sent through both configured and backup NHR. Load sharing is based on Layer 3 information (IP address). • Layer 4 Hashing: Traffic sent through both configured and backup NHR. Load sharing is based on Layer 4 information (IP address and port). • Disabled (Default): Traffic sent via configured NHR only.
3. Click Set. The Virtual IP address is associated with the relevant NHR.
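The VIP NHR parameters above combine into a per-packet decision: which NHR carries the packet, when the backup takes over, and what happens when both are down. The Python block below is an added example, not the guide's or Radware's code, that implements that decision for Disabled, Layer 3 and Layer 4 load sharing with the two weights and the No Route Action. The hash function is an assumption (the guide does not document the device's hash; SHA-256 over the flow tuple is used only as a stable, evenly distributed stand-in), and the addresses and flows are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Nhr:
    ip: str
    in_service: bool        # Oper Status from the NHR Table, driven by the Path Health Check


@dataclass
class VipNhrEntry:
    vip: str                            # Virtual IP Address
    primary: Nhr                        # NHR IP Address
    backup: Optional[Nhr] = None        # Backup NHR IP Address
    primary_weight: int = 1             # NHR Weight
    backup_weight: int = 1              # Backup NHR Weight
    load_sharing: str = "disabled"      # NHR Load Sharing: "disabled", "layer3" or "layer4"
    no_route_action: str = "discard"    # No Route Action: "discard" or "regular_routing"


def _flow_hash(entry: VipNhrEntry, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> int:
    # Assumption: the device's hash function is undocumented; SHA-256 over the flow tuple is a stand-in.
    if entry.load_sharing == "layer3":
        key = f"{src_ip}|{dst_ip}"                        # Layer 3 hashing: addresses only
    else:
        key = f"{src_ip}:{src_port}|{dst_ip}:{dst_port}"  # Layer 4 hashing: addresses and ports
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def select_next_hop(entry: VipNhrEntry, src_ip: str, dst_ip: str,
                    src_port: int = 0, dst_port: int = 0) -> Tuple[str, Optional[str]]:
    """Return ("nhr", ip) when an NHR carries the packet, ("route", None) to fall back to the
    Routing Table, or ("discard", None) when the packet is dropped."""
    live = []
    if entry.primary.in_service:
        live.append((entry.primary, entry.primary_weight))
    if entry.backup is not None and entry.backup.in_service:
        live.append((entry.backup, entry.backup_weight))
    if not live:
        # Both primary and backup are offline: apply No Route Action.
        return ("route", None) if entry.no_route_action == "regular_routing" else ("discard", None)
    if entry.load_sharing == "disabled" or len(live) == 1:
        # No load sharing: the primary while it is up, the backup only when the primary is down.
        return ("nhr", live[0][0].ip)
    total = sum(weight for _, weight in live)
    if total <= 0:
        return ("nhr", live[0][0].ip)
    bucket = _flow_hash(entry, src_ip, dst_ip, src_port, dst_port) % total
    for nhr, weight in live:                  # weighted bucket walk: the primary owns the first slots
        if bucket < weight:
            return ("nhr", nhr.ip)
        bucket -= weight
    return ("nhr", live[-1][0].ip)


def distribution(entry: VipNhrEntry, flows: int) -> Dict[str, int]:
    """Count constructed client flows per NHR to see the effect of the weights."""
    counts: Dict[str, int] = {}
    for i in range(flows):
        src_ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        action, ip = select_next_hop(entry, src_ip, entry.vip, 1024 + (i % 60000), 443)
        label = ip if ip is not None else action
        counts[label] = counts.get(label, 0) + 1
    return counts


def port_sensitivity(entry: VipNhrEntry, samples: int) -> int:
    """How many client addresses change NHR when only the source port changes (0 for Layer 3 hashing)."""
    changed = 0
    for i in range(samples):
        src_ip = f"10.0.{(i >> 8) & 255}.{i & 255}"
        a = select_next_hop(entry, src_ip, entry.vip, 1024, 443)
        b = select_next_hop(entry, src_ip, entry.vip, 1025, 443)
        changed += int(a != b)
    return changed
```

Layer 3 hashing keeps every connection between one client and the VIP on the same NHR, which matters when the two routers translate addresses independently; Layer 4 hashing spreads load more evenly at the cost of that affinity. "Use Regular Routing" as the No Route Action hands the packet back to the Routing Table, so a failure of both NHRs silently moves return traffic onto whatever path the default gateway provides.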
Routing Information Protocol
Routing Information Protocol (RIP) is a commonly used protocol for managing router information within a self-contained network, such as a corporate Local Area Network (LAN) or an interconnected group of such LANs. RIP is classified by the Internet Engineering Task Force (IETF) as an Interior Gateway Protocol. RIP is intended for small homogeneous networks. Using RIP, a router sends its entire Routing Table, which lists all the destinations it knows, to its neighbors every 30 seconds. Each neighbor passes the information on to its own neighbors until all routers within the network have the same knowledge of the routing paths; this is known as network convergence. RIP uses a hop count as its measure of network distance. Each router uses the Routing Table information to determine the next hop for a packet to a given destination. AppDirector supports RIP version 1 and RIP version 2. RIP is configured from the RIP Parameters window. VIP Advertising via Dynamic Routing enables you to achieve a redundant solution by using a single AppDirector on each site, or by using a single AppDirector and a remote backup server within the RIP or OSPF environment.
To configure the RIP Parameters
1. From the Router menu, select RIP > Parameters. The RIP Parameters window appears.
2. Set the parameters.
Parameter
Description
Administrative Status
istrative status of RIP in the router. Disabled (default) means the process is not active on any interfaces.
Leak OSPF Routes
This controls leaking (redistribution) of routes from OSPF into RIP. If enabled, all routes learned via OSPF are redistributed into RIP. Default: Enable
RIP Advertisement Interval [seconds]
Interval at which AppDirector sends static route advertisements via RIP. Default: 30 seconds.
Leak Static Routes
Controls redistribution of static routes into RIP. When enabled, all static routes are redistributed into RIP. Default: Disable
3. Click Set. Your configuration is set.
RIP Interface Parameters This table window allows you to set and edit RIP interface parameters.
To Update the RIP Interface 1. From the Router menu, select RIP > Interface Parameters. The RIP Interface Parameters window appears. 2. Set the parameters.
Parameter
Description
IP Address
The IP address of this system on the indicated subnet. (Read only when updating)
Incoming RIP
Define type of RIP to be received. • RIP 1: Accepting RIP 1. • RIP 2: Accepting RIP 2. • Do Not Receive: No RIP updates are accepted.
Status
on/off
Outgoing RIP
Define type of RIP to be sent. • RIP version 1: Sending RIP updates compliant with RFC 1058. • RIP version 2: Multicasting RIP-2 updates. • Do Not Send: No RIP updates are sent.
Default Metric
Metric for default route entry in RIP updates originated on this interface. 0 (Zero) indicates that no default route can be originated; here, a default route through another router is propagated.
Virtual Distance
Virtual number of hops assigned to the interface. This enables finetuning of the RIP routing algorithm.
Auto Send
Enable to minimize traffic when AppDirector is the only router on the network. Note: When enabled, the device sends RIP messages with the default metric only, which allows stations to learn the default router address. If the device detects another RIP message, Auto Send is disabled.
3. Click Set. The changes are reflected in the RIP Interface Table list.
Open Shortest Path First (OSPF)
Open Shortest Path First (OSPF) is an interior gateway routing protocol developed for IP networks and based on the shortest path first (link-state) algorithm. With a link-state algorithm, each router floods the state of its own links to all nodes in the network; each node assembles these link-state advertisements into a topology of the network and computes the shortest path to every destination from that topology. Because only link-state changes need to be sent, rather than the complete routing table, shortest path first algorithms allow more frequent updates. With OSPF you can build a more stable network, as fast convergence prevents routing loops and count-to-infinity (routers continuously incrementing the hop count to a particular network).
OSPF Operating Parameters
To set the OSPF Operating Parameters
1. From the Router menu select OSPF > Operating Parameters. The OSPF Operating Parameters window appears.
2. Set the parameters.
Parameter
Description
Administrative Status
OSPF istrative status in the router. • Enabled: OSPF process is active on at least one interface. • Disabled: OSPF process is not active on any interfaces.
Router ID
ID number of router. To ensure uniqueness the router ID should equal one of the router IP addresses.
Leak RIP Routes
Controls the redistribution of routes from RIP into OSPF. When enabled, all routes learned via RIP are redistributed into OSPF as external routes.
Leak Static Routes
Controls redistribution of static routes into OSPF. When enabled, all static routes (including those inserted into the IP routing table via SNMP) are redistributed into OSPF as external routes.
Leak External Direct Routes
Controls redistribution of direct routes external to OSPF into OSPF. If enabled, all external routes are d into OSPF as external.
3. Click Set. Your configuration is set.
OSPF Interface Parameters The OSPF Interface Parameters window allows you to update the OSPF Parameters and Interface Metrics.
To update the OSPF Interface Parameters 1. From the Router menu select OSPF > Interface Parameters. The OSPF Interface Parameters window appears. 2. Select the IP Interface. The OSPF Interface Table Update window appears. 3. Set the parameters.
Parameter
Description
IP Address
IP Address of this OSPF interface.
Interface Type
OSPF interface type. Broadcast LANs are broadcast type, x.25 and Frame Relay are NBMA type, and point-to-point LANs are Point to Point type.
Administrative Status
istrative status of the OSPF in the router. Enabled means that the OSPF process is active on at least one interface. Disabled means the process is not active on any interfaces.
IfRtrPriority
Priority of this interface. Value 0 means that this router is not eligible to become the designated router on the current network. If more than one router has the same priority then router ID is used.
Hello Interval
Number of seconds between Hello packets. All routers attached to a common network must have the same Hello Interval.
RtrDeadInterval
Number of seconds for which a router's Hello packets have not been seen before its neighbors declare the router down. The value must be a multiple of the Hello Interval. All routers attached to a common network must have the same RtrDeadInterval value.
Interface State
The interface state of the OSPF interface: • Down: OSPF interface is down. • Waiting: OSPF interface is currently waiting. • Point to Point: OSPF interface is in point to point state. • Designated Router: OSPF interface is the designated router. • Backup Designated Router: OSPF interface is the backup designated router.
Designated Route
Address of designated router, if Interface state is Designated Router.
Backup Designated Router
Address of the backup designated router, in case Interface state is Backup Designated Router.
IfAuthKey
Authentication key for the interface.
AuthType
Type of authentication key for the interface.
4. Click Set. Your configuration is set.
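The IfAuthKey and AuthType parameters above decide whether OSPF neighbors can verify that Hello packets and link-state updates really come from a configured router, which is what stops an attacker on the segment from injecting routes or becoming the designated router. The following Python block is an added example, not code from the guide or from Radware, showing the two authentication types RFC 2328 defines in Appendix D (simple password, AuType 1, and cryptographic MD5, AuType 2): how a packet is built and verified, why the simple password is readable by anyone on the segment, and how the cryptographic sequence number rejects replayed older packets. It assumes the device's AuthType values map to those RFC types and that short keys are zero-padded to 16 octets (both assumptions; the guide does not say). The Hello body and addresses are constructed sample data.

```python
import hashlib
import hmac
import socket
import struct

# OSPFv2 header layout and AuType values as defined in RFC 2328 (Appendix D).
OSPF_VERSION = 2
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
HEADER_LEN = 24
HEADER_FMT = "!BBH4s4sHH8s"   # version, type, length, router ID, area ID, checksum, AuType, authentication


def _ip_checksum(data: bytes) -> int:
    """16-bit one's complement checksum; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _key16(key: bytes) -> bytes:
    # Assumption: shorter keys are zero-padded to the 16 octets MD5 authentication uses.
    return key[:16].ljust(16, b"\x00")


def sample_hello_body() -> bytes:
    # Constructed Hello body: mask, hello interval 10, options, priority 1, dead interval 40, DR, BDR.
    return struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10, 0x02, 1, 40, bytes(4), bytes(4))


def build_packet(ptype, router_id, area_id, body, auth_type, key=b"", key_id=1, seq=0):
    """Build an OSPFv2 packet (header + body) authenticated according to auth_type."""
    rid, aid = socket.inet_aton(router_id), socket.inet_aton(area_id)
    length = HEADER_LEN + len(body)
    if auth_type == AUTH_CRYPTO:
        # Checksum is 0; authentication field = reserved(2), Key ID(1), auth data length(1), sequence number(4).
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = struct.pack(HEADER_FMT, OSPF_VERSION, ptype, length, rid, aid, 0, AUTH_CRYPTO, auth) + body
        digest = hashlib.md5(pkt + _key16(key)).digest()   # trails the packet, not counted in length
        return pkt + digest
    # Null or simple password: checksum covers header + body with the 64-bit authentication field excluded.
    auth = key[:8].ljust(8, b"\x00") if auth_type == AUTH_SIMPLE else bytes(8)
    unsummed = struct.pack(HEADER_FMT, OSPF_VERSION, ptype, length, rid, aid, 0, auth_type, bytes(8)) + body
    cksum = _ip_checksum(unsummed)
    return struct.pack(HEADER_FMT, OSPF_VERSION, ptype, length, rid, aid, cksum, auth_type, auth) + body


def verify_packet(packet, key=b"", last_seq=0):
    """Return (accepted, reason). last_seq is the last cryptographic sequence number accepted from this neighbor."""
    if len(packet) < HEADER_LEN:
        return False, "short"
    ver, ptype, length, rid, aid, cksum, auth_type, auth = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ver != OSPF_VERSION or length < HEADER_LEN or length > len(packet):
        return False, "bad header"
    body = packet[HEADER_LEN:length]
    if auth_type == AUTH_CRYPTO:
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        if auth_len != 16 or len(packet) < length + 16:
            return False, "bad auth trailer"
        if seq < last_seq:
            return False, "replay"      # RFC 2328 accepts seq >= last seen; older packets are dropped
        expected = hashlib.md5(packet[:length] + _key16(key)).digest()
        if not hmac.compare_digest(expected, packet[length:length + 16]):
            return False, "bad digest"  # wrong key or modified packet
        return True, "ok"
    # Null / simple password: checksum with the authentication field zeroed, then constant-time password compare.
    if _ip_checksum(packet[:16] + bytes(8) + body) != 0:
        return False, "bad checksum"
    if auth_type == AUTH_SIMPLE and not hmac.compare_digest(auth, key[:8].ljust(8, b"\x00")):
        return False, "bad password"
    return True, "ok"
```

Two caveats for anyone relying on this: the simple password travels in the clear and is captured by anyone who can sniff the segment, so only the cryptographic type gives real protection; and the sequence number only rejects packets older than the last one accepted, so a packet can still be replayed until the sender's sequence advances. MD5 itself is dated, and later specifications (RFC 5709) add HMAC-SHA variants where the platform supports them.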
OSPF Interface Metrics Table Update
Use this feature to update the metrics for the OSPF interface.
To update the OSPF Interface Metrics
1. Select the OSPF interface's IP Interface. The OSPF Interface Metrics Table Update window appears.
2. Set the parameters.
Parameter
Description
IP Address
IP Address of this OSPF interface.
Metric
The metric of using this type of service on this interface. The default value of the TOS 0 Metric is 10.
3. To restore the default, reset the Metric value.
4. Click Set. Your configuration is set.
OSPF Area Parameters An OSPF network is divided into areas, which have 32-bit area identifiers commonly, but not always, written in the dotted decimal format of an IP address. Area identifiers are not IP addresses and may duplicate, without conflict, any IP address. The OSPF Area Parameters window allows you to access, create and update OSPF area parameters.
To access OSPF Area Parameters 1. From the Router menu, select OSPF > Area Parameters. The OSPF Area Parameters Table window appears. 2. Set the parameters.
Parameter
Description
Area ID
Area identifier, a 32-bit value written in dotted-decimal form.
Import AS Extern
Ability to import autonomous system external link-state advertisements into the area. Values: importExternal, importNoExternal
Number of AS Border Routers
Total number of Autonomous System border routers reachable within this area. This is initially 0 and is recalculated in each SPF pass.
Area LSA Count (Update mode only)
Number of link-state advertisements in the area's link-state database.
Area LSA Checksum Sum (Update mode only)
Sum of the LS checksums of the link-state advertisements contained in the link-state database. Use this sum to detect changes in a router's link-state database and to compare the link-state databases of two routers.
3. When updating Area Parameters, in the OSPF Area Parameters Table window, select the Area ID. 4. When creating Area Parameters, in the OSPF Area Parameters Table window, select Create. 5. Click Set. Your changes are recorded.
OSPF Link State Database OSPF uses both unicast and multicast to send Hello packets and link state updates. The OSPF Link State Database window allows you to access, create and update the OSPF Link State Database. OSPF detects changes in the topology, such as link failures, very quickly and converges on a new loop-free routing structure within seconds. For this, each OSPF router collects link-state information to construct the entire network topology of so-called "areas" from which it computes the shortest path tree for each route. The link-state information is maintained on each router as a link-state database (LSDB) which is a tree-image of the network topology. Identical copies of the LSDB are periodically updated through flooding on all routers in each OSPF-aware area.
To access OSPF Link State Database 1.
From the Router menu, select OSPF > Link State Database. The OSPF Link State Database window appears.
2.
Set the parameters.
Parameter
Description
Area ID
Area identifier, written in dotted-decimal form.
Type
Each link-state advertisement has a specific format. The link can be a Router Link, Network Link, External Link, Summary Link or Stub Link.
Link State ID
Identifies the piece of the routing domain described by the advertisement. It can be a router ID or an IP address.
Router ID
Identifies the originating router in autonomous system.
Sequence
Sequence number of the link-state advertisement. Use this to detect old and duplicate link-state advertisements: the larger the sequence number, the more recent the advertisement.
3. When updating the Link State Database, in the OSPF Link State Database window, select the Area ID.
4. When creating a Link State Database entry, in the OSPF Link State Database window, select Create.
5. Click Set. Your configuration is set.
OSPF Neighbor Table As a link state routing protocol, OSPF establishes and maintains neighbor relationships to exchange routing updates with other routers. The neighbor relationship table is called an adjacency database in OSPF. If OSPF is configured correctly, it forms neighbor relationships only with directly connected routers. These routers must be in the same area as the interface to form a neighbor relationship. An interface can only belong to a single area. This table allows you to access, create and update OSPF Neighbor parameters.
To access OSPF Neighbor Table 1. From the Router menu, select OSPF > Neighbor Table. The OSPF Neighbor Table window appears. 2. You can view the following parameters.
Parameter
Description
Neighbor's Address
The IP address that this neighbor is using in its IP Source Address.
Address Less Index
If interface is without an IP address, index appears in this field. If there is an IP address, 0 appears.
Router ID
Unique identifier for neighboring router in the autonomous system.
Options
A bit mask corresponding to the neighbor's options.
Priority
Priority of this neighbor. Priority of 0 means neighbor cannot become designated router on the network.
Note: On addressless links, this will not be 0.0.0.0, but the address of another of the neighbor's interfaces.
3. When updating OSPF Neighbor Table, in the OSPF Neighbor Table window, select the Neighbor’s Address. 4. When creating OSPF Neighbor Table, in the OSPF Neighbor Table window, select Create. 5. Click Set. Your configuration is set.
Border Gateway Protocol
The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It works by maintaining a table of IP networks or 'prefixes' which designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional Interior Gateway Protocol (IGP) metrics, but makes routing decisions based on path, network policies and/or rulesets. Most Internet users do not use BGP directly. However, since most Internet service providers must use BGP to establish routing between one another (especially if they are multihomed), it is one of the most important protocols of the Internet. Very large private IP networks use BGP internally. An example would be the joining of a number of large Open Shortest Path First (OSPF) networks where OSPF by itself would not scale to size. Another reason to use BGP is Multihoming (page 392), connecting a network for better redundancy either to multiple access points of a single ISP or to multiple ISPs.
BGP Router Parameters
Dynamic routing protocols, such as Border Gateway Protocol, announce and distribute routing information between routers. AppDirector provides a redundant solution by using AppDirector and a remote backup server that participate in the BGP environment. AppDirector works as a BGP peer, supporting a single BGP instance (local AS), and does not route traffic based on BGP information. The BGP Router Parameters are set from the BGP Route Injection Parameters window.
To set BGP Router Parameters
1. From the Router menu select BGP Route Injection > Router BGP Parameters. The Router BGP Parameters window appears.
2. Set the parameters.
Parameter
Description
BGP Status
Allows users to enable or disable BGP.
Local Autonomous System Number
Defines AppDirector's Autonomous System number.
Initial Connection Delay Time
Time to wait (in seconds) at device startup before establishing BGP connections. Values: 15 - 120 seconds
3. Click Set. Your configuration is set.
BGP Peer Groups
The major benefit of specifying a BGP peer group is that it reduces the amount of system resources (CPU and memory) needed to generate updates; it also simplifies the BGP configuration. A peer group reduces the load on system resources by allowing the routing table to be checked only once, with the resulting updates replicated to all peer group members instead of being generated individually for each peer. Depending on the number of peer group members, the number of prefixes in the table, and the number of prefixes advertised, this can significantly reduce the load. It is recommended that you group together peers with identical outbound announcement policies. Instead of configuring each neighbor with the same policy individually, a peer group lets you define the policy once and apply it to all members, making update calculation efficient and the configuration simpler. Peer groups have these requirements:
• All members of a peer group must share identical outbound announcement policies (such as distribute-list, filter-list, and route-map), except for default-originate, which is handled on a per-peer basis even for peer group members.
• You can customize the inbound update policy for any member of a peer group.
• A peer group must be either internal (with internal BGP (iBGP) members) or external (with external BGP (eBGP) members). Members of an external peer group have different autonomous system (AS) numbers.
Notes: The total number of BGP peers, the configurable limit, and the maximum number of established BGP peers supported on a router depend on many variables, such as:
>> Total number of routes in the BGP table
>> Level of stability of the routes
>> Number of routes sent to each peer
>> Similarity between routes sent to different neighbors
>> Device's available memory and processor power
Peer Table
BGP neighbors, or peers, are established by manual configuration between routers to create a TCP session on port 179. A BGP speaker periodically sends 19-byte KEEPALIVE messages to maintain the connection (every 60 seconds by default). Among routing protocols, BGP is unique in using TCP as its transport protocol. The BGP Peer Table reflects information about BGP peer connections, such as their status and current activity.
To create or edit a BGP Peer Table entry
1. From the Router menu, select BGP Route Injection > Peer Table. The Peer Table window appears.
2. To update an existing BGP peer, select its Peer IP Address in the Peer Table window.
3. To create a BGP peer, click Create. The BGP Peer Table Create window appears.
4. Set the parameters.

Peer IP Address: IP address of the remote peer.
Status: Enables or disables the peer.
Connect Retry Interval: Interval after which AppDirector tries to re-establish the BGP connection with the remote peer following a TCP failure event.
Hold Time (sec): Hold time offered by AppDirector during BGP connection establishment. Within the hold time, a peer must receive a KEEPALIVE or an UPDATE message from the remote peer to consider the BGP connection active. Zero (0) means that AppDirector neither sends KEEPALIVE messages nor expects them from the remote peer.
Keep Alive Time (sec): Interval at which AppDirector sends KEEPALIVE messages to the remote peer. Zero (0) means that KEEPALIVE messages are not sent.

5. Click Set. Your configuration is set.
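The Hold Time and Keep Alive Time set above are offers, not the values the session ends up using: RFC 4271 makes the session Hold Time the smaller of the two values carried in the OPEN messages, and the peer statistics report the negotiated result next to the configured ones. The following Python is an added example, not Radware code and not the AppDirector implementation. It encodes a BGP OPEN, validates the OPEN received from a peer the way the OpenSent state does, derives the Hold Time and KEEPALIVE interval the session will actually run with, and produces the two-byte (code, subcode) value that the Last Error statistic shows when an OPEN has to be rejected with a NOTIFICATION. The AS numbers, router IDs and timer values are constructed for illustration; the function names are this example's own.

```python
"""Added example (not part of the AppDirector guide or product): BGP OPEN and
NOTIFICATION handling per RFC 4271, with Hold Time / KEEPALIVE negotiation."""
import socket
import struct

MARKER = b"\xff" * 16                     # every BGP message starts with 16 all-ones bytes
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4

# RFC 4271 section 6 error codes and the subcodes most often met on a peer.
# The "Last Error" statistic is exactly these two bytes; 0x0000 means no error.
ERROR_CODES = {
    1: ("Message Header Error", {1: "Connection Not Synchronized",
                                 2: "Bad Message Length", 3: "Bad Message Type"}),
    2: ("OPEN Message Error", {1: "Unsupported Version Number", 2: "Bad Peer AS",
                               3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                               6: "Unacceptable Hold Time"}),
    3: ("UPDATE Message Error", {}),
    4: ("Hold Timer Expired", {}),
    5: ("Finite State Machine Error", {}),
    6: ("Cease", {}),
}


def bgp_message(msg_type, body=b""):
    """Prepend the 19-byte header: marker, total length, type."""
    return MARKER + struct.pack("!HB", 19 + len(body), msg_type) + body


def build_open(local_as, hold_time, router_id):
    """OPEN with version 4, a 2-byte AS, the offered Hold Time and no optional parameters."""
    if hold_time != 0 and hold_time < 3:
        raise ValueError("Hold Time must be 0 or at least 3 seconds")
    body = struct.pack("!BHH4sB", 4, local_as, hold_time, socket.inet_aton(router_id), 0)
    return bgp_message(OPEN, body)


def build_notification(code, subcode):
    return bgp_message(NOTIFICATION, bytes([code, subcode]))


def header_error(msg, expected_type):
    """(code, subcode) for a bad header, or None when the header is acceptable."""
    if len(msg) < 19 or msg[:16] != MARKER:
        return (1, 1)                                   # Connection Not Synchronized
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if length != len(msg):
        return (1, 2)                                   # Bad Message Length
    if msg_type != expected_type:
        return (1, 3)                                   # Bad Message Type
    return None


def parse_open(msg):
    """Fixed OPEN fields; call header_error() first."""
    version, peer_as, hold, rid, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    return {"version": version, "as": peer_as, "hold_time": hold,
            "router_id": socket.inet_ntoa(rid), "opt_len": opt_len}


def decode_last_error(two_bytes):
    """Render a Last Error value as text."""
    code, subcode = two_bytes[0], two_bytes[1]
    if code == 0 and subcode == 0:
        return "no error"
    name, subs = ERROR_CODES.get(code, ("Unknown error code %d" % code, {}))
    if subcode == 0:
        return name
    return "%s / %s" % (name, subs.get(subcode, "subcode %d" % subcode))


def negotiate_timers(hold_configured, keepalive_configured, remote_hold):
    """(hold, keepalive) actually used on the session.

    The Hold Time is the smaller of the two offered values (RFC 4271 4.2). The
    configured Keep Alive Time only fixes the ratio to the configured Hold Time,
    so the real KEEPALIVE interval shrinks with the negotiated Hold Time. A Hold
    Time of 0 on either side disables both timers; a configured Keep Alive Time
    of 0 means no periodic KEEPALIVEs are sent.
    """
    hold = min(hold_configured, remote_hold)
    if hold == 0 or keepalive_configured == 0:
        return hold, 0
    return hold, max(1, hold * keepalive_configured // hold_configured)


def answer_open(local_as, hold_configured, keepalive_configured, router_id,
                expected_remote_as, remote_open):
    """Handle the peer's OPEN as the OpenSent state would.

    Returns ("notify", NOTIFICATION bytes) when the OPEN must be rejected, or
    ("openconfirm", our OPEN bytes, hold, keepalive) when the session proceeds.
    """
    err = header_error(remote_open, OPEN)
    if err is None and len(remote_open) < 29:
        err = (1, 2)
    if err:
        return "notify", build_notification(*err)
    fields = parse_open(remote_open)
    if fields["version"] != 4:
        return "notify", build_notification(2, 1)       # Unsupported Version Number
    if fields["as"] != expected_remote_as:
        return "notify", build_notification(2, 2)       # Bad Peer AS
    if 0 < fields["hold_time"] < 3:
        return "notify", build_notification(2, 6)       # Unacceptable Hold Time
    hold, keepalive = negotiate_timers(hold_configured, keepalive_configured,
                                       fields["hold_time"])
    return "openconfirm", build_open(local_as, hold_configured, router_id), hold, keepalive
```

With the guide's suggested values (Hold Time 90, Keep Alive 30) a peer offering 60 seconds pulls the session down to a 60-second hold and a 20-second KEEPALIVE interval; a peer offering 0 disables both timers entirely, which is worth catching in monitoring because a dead peer is then never detected by the hold timer.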
Peer Statistics
The routing tables managed by a BGP implementation are adjusted continually to reflect changes in the network, such as links breaking and being restored or routers going down and coming back up. In the network as a whole it is normal for these changes to happen almost continuously, but for any particular router or link, changes are supposed to be relatively infrequent. AppDirector users should therefore monitor the BGP statistics from the BGP Peer Table.
To access the Peer Table statistics
1. From the Router menu, select BGP Route Injection > Statistics. The Statistics window appears.
2. Select the Peer IP Address. The BGP Peer Table Statistics Update window appears.
3. Set the parameters.

Peer IP Address: IP address of the remote peer.
Status: Enables or disables the peer.
Connection State:
• Idle: The peer is stopped.
• Connect: AppDirector initiated a TCP connection to the remote peer.
• Active: The peer is waiting during a connect retry interval after failing to establish a TCP connection to the remote peer. In this state, AppDirector also listens on port 179 for potential incoming connections from the remote peer.
• OpenSent: A TCP connection is established with the remote peer. AppDirector sent a BGP OPEN message to the remote peer and expects to receive an OPEN message from it.
• OpenConfirm: AppDirector received an OPEN message from the remote peer. AppDirector responds with a KEEPALIVE message and expects a KEEPALIVE message from the remote peer.
• Established: The BGP connection is established with the remote peer. AppDirector can now exchange UPDATE messages with it.
Remote AS: Remote autonomous system number.
Peer Identifier: IP address that identifies the remote peer for the current BGP connection.
Local Address: AppDirector IP interface address used as the source IP for the BGP connection.
Local Port: TCP source port number used by AppDirector for the BGP connection to the remote peer.
In/Out Updates: The number of BGP UPDATE messages received from / transmitted to the remote peer on this connection. These counters are reset to zero (0) when the connection is established.
In/Out Total Messages: The total number of messages received from / transmitted to the remote peer on this connection. These counters are reset to zero when the connection is established.
Last Error: The last error code and subcode seen by this peer on this connection. If no error has occurred, this field is zero. Otherwise, the first byte of this two-byte OCTET STRING contains the error code, and the second byte contains the subcode.
FSM Established Transitions: The total number of times the BGP FSM transitioned into the Established state.
FSM Established Time: How long (in seconds) this peer has been in the Established state, or how long since this peer was last in the Established state. It is set to zero when a new peer is configured or the router is booted.
Connect Retry Interval (sec): Interval after which AppDirector tries to re-establish the BGP connection with the remote peer following a TCP failure event.
Hold Time (sec): Hold time offered by AppDirector during BGP connection establishment. Within this time, a peer must receive a KEEPALIVE or an UPDATE message from the remote peer to consider the BGP connection active. Zero (0) means that AppDirector neither sends KEEPALIVE messages nor expects them from the remote peer.
Keep Alive Time (sec): Interval at which AppDirector sends KEEPALIVE messages to the remote peer. Zero (0) means that KEEPALIVE messages are not sent.
Hold Time Configured: Hold Time, in seconds, configured for this BGP speaker with this peer. This value is placed in the OPEN message sent to this peer and is compared with the Hold Time field of the OPEN message received from the peer when determining the Hold Time (bgpPeerHoldTime) with the peer. If it is not zero (0), it must be at least three seconds; if it is zero, no Hold Time is established with the peer. The suggested value for this timer is 90 seconds.
Keep Alive Configured: KeepAlive timer, in seconds, configured for this BGP speaker with this peer. This value only determines the frequency of KEEPALIVE messages relative to the value of bgpPeerHoldTimeConfigured; the actual KEEPALIVE interval is indicated by bgpPeerKeepAlive. A reasonable maximum for this timer is one third of bgpPeerHoldTimeConfigured. If it is zero (0), no periodic KEEPALIVE messages are sent to the peer after the BGP connection has been established. The suggested value for this timer is 30 seconds.
In Update Elapsed Time (sec): Elapsed time in seconds since the last BGP UPDATE message was received from the peer. Each time bgpPeerInUpdates is incremented, this value is reset to zero (0).

4. Click Set. Your configuration is set.
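Connection State, FSM Established Transitions, FSM Established Time, In Update Elapsed Time and the message counters above are all outputs of one BGP finite state machine. The following Python is an added example, not the AppDirector implementation: a minimal peer FSM that passes through the six Connection State values listed above and maintains exactly those statistics, including the counter reset on entering Established and the Last Error value left behind by a hold-timer expiry or a received NOTIFICATION. Event names such as tcp_ok and open_rx are this example's own shorthand for what arrives from TCP or from the peer; the clock is injectable so the time-based values can be checked without waiting.

```python
"""Added example (not the AppDirector implementation): a BGP peer state machine
that maintains the statistics shown in the Peer Table Statistics window."""
import time

# "Connection State" values, in the order the FSM normally passes through them
STATES = ("Idle", "Connect", "Active", "OpenSent", "OpenConfirm", "Established")


class PeerFSM:
    """One peer's state plus the counters listed above. Event names are this
    example's own; they stand for what arrives from TCP or from the peer."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable so timers can be tested
        self.state = "Idle"
        self.established_transitions = 0        # FSM Established Transitions
        self.established_change_at = None       # basis for FSM Established Time
        self.in_updates = self.out_updates = 0  # In/Out Updates
        self.in_total = self.out_total = 0      # In/Out Total Messages
        self.last_error = b"\x00\x00"           # Last Error: code byte, subcode byte
        self.last_update_rx_at = None           # basis for In Update Elapsed Time

    def established_time(self):
        """Seconds in Established, or since it was last left; 0 if never established."""
        if self.established_change_at is None:
            return 0
        return int(self.clock() - self.established_change_at)

    def in_update_elapsed(self):
        """Seconds since the last UPDATE was received; None before the first one."""
        if self.last_update_rx_at is None:
            return None
        return int(self.clock() - self.last_update_rx_at)

    def _enter(self, state):
        if state == "Established":
            self.established_transitions += 1
            self.established_change_at = self.clock()
            # the MIB counters restart from zero when the connection is established
            self.in_updates = self.out_updates = self.in_total = self.out_total = 0
        elif self.state == "Established":
            self.established_change_at = self.clock()   # start of "since last established"
        self.state = state

    def event(self, name, code=0, subcode=0):
        """Apply one event and return the new state."""
        s = self.state
        if name == "stop":
            self._enter("Idle")
        elif s == "Idle" and name == "start":
            self._enter("Connect")                  # TCP connect to the peer on port 179
        elif s == "Connect" and name == "tcp_fail":
            self._enter("Active")                   # wait ConnectRetry, listen on port 179
        elif s == "Active" and name == "retry_expired":
            self._enter("Connect")
        elif s in ("Connect", "Active") and name == "tcp_ok":
            self.out_total += 1                     # send OPEN
            self._enter("OpenSent")
        elif s == "OpenSent" and name == "open_rx":
            self.in_total += 1
            self.out_total += 1                     # answer with KEEPALIVE
            self._enter("OpenConfirm")
        elif s == "OpenConfirm" and name == "keepalive_rx":
            self._enter("Established")
        elif s == "Established" and name == "update_rx":
            self.in_updates += 1
            self.in_total += 1
            self.last_update_rx_at = self.clock()
        elif s == "Established" and name == "update_tx":
            self.out_updates += 1
            self.out_total += 1
        elif s == "Established" and name == "keepalive_rx":
            self.in_total += 1
        elif name == "hold_expired" and s in ("OpenSent", "OpenConfirm", "Established"):
            self.last_error = bytes([4, 0])         # Hold Timer Expired, sent as NOTIFICATION
            self.out_total += 1
            self._enter("Idle")
        elif name == "notification_rx":
            self.last_error = bytes([code, subcode])
            self.in_total += 1
            self._enter("Idle")
        else:
            self.last_error = bytes([5, 0])         # Finite State Machine Error
            self._enter("Idle")
        return self.state
```

A peer that keeps cycling through Established is visible as a rising FSM Established Transitions count together with a small FSM Established Time, and a Last Error of 0x0400 after such a cycle points at the hold timer rather than at the remote side closing the session.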
Redundancy
This section introduces AppDirector redundancy capabilities and includes the following topics:
• Network Configurations, page 125.
• Configuration Guidelines, page 128.
• Global Redundancy Configuration, page 134.
• Failover Decision, page 136.
• Stateful Failover (Mirroring), page 140.
• Physical IP Addresses versus Virtual IP Addresses Redundancy, page 142.
• Virtual Router Redundancy Protocol, page 142.
• Proprietary Redundancy, page 147.
• Configuration Synchronization, page 148.

[Figure: a redundant AppDirector pair. The Internet, a router and the users are on Network A; AppDirector 1 (Port 1 MAC A, Port 2 MAC B; IP A 1, IP B 1; virtual IP 1) and AppDirector 2 (Port 1 MAC C, Port 2 MAC D; IP A 2, IP B 2; virtual IP) connect Network A to Network B, where Server 1 and Server 2 reside.]
Radware recommends installing AppDirector devices in pairs to provide fault tolerance in the case of a single device failure. Each pair of AppDirectors can function in an active/backup setup or an active/active setup. To achieve redundancy between pairs of AppDirector devices, the following methods are supported:
• VRRP: Working with the Virtual Router Redundancy Protocol enables dynamic redundancy to be maintained using a logical entity called a virtual router. (VRRP was initially developed to provide high availability for routers, hence the name virtual router. However, this protocol can be supported by a wide range of devices that are not routers, as it is not a routing protocol: it does not advertise IP routes or affect the routing table in any way.) With VRRP, IP addresses are associated with virtual MAC addresses that are owned by the main device and are taken over by the backup device at failover time.
• Proprietary ARP: Working with the Address Resolution Protocol enables monitoring of the other device in a pair and checking its availability. Using Proprietary ARP redundancy, at failover time the IP addresses of the main device are managed by the backup device and are associated with the backup device's MAC address.
Note: Radware recommends using VRRP as described above for AppDirector redundancy.
Network Configurations
The network configuration affects the redundancy configuration. The following network configurations are supported by AppDirector.

Routing
Client side and server side (as shown here) are on different networks.
Figure 1: Routing network configuration
Bridging
Client side and server side (as shown here) are on the same network. The physical port connected to the client side and the physical port connected to the server side must belong to the same Regular VLAN to achieve a bridge configuration.
Figure 2: Bridge network configuration
Fully Redundant Network Configuration
In certain cases, full redundancy of all network elements is required to ensure that the configuration tolerates failures of multiple network elements, and that it can handle failures without needing to fail over between AppDirector devices as long as the primary AppDirector is available.
Notes:
>> This type of configuration is supported only when using the VRRP redundancy mechanism.
>> RSTP (Rapid Spanning Tree Protocol) should be configured on the AppDirector devices to prevent loops. (This type of configuration requires using a Switch VLAN on the AppDirector devices.)
>> These configurations are not supported on the OnDemand Switch VL and OnDemand Switch 1 platforms.
Here, the servers are either directly connected to both AppDirector devices (dual-NIC servers) or to two switches that are connected to both AppDirector devices. On the client side, full redundancy is achieved by either connecting each AppDirector to a different upstream router or connecting each AppDirector to the two upstream routers (or Layer 3 switches) that run STP. For these types of configurations, AppDirector needs the following routing configuration:
• The two AppDirectors must be connected via two separate links.
• One of the physical ports used for inter-AppDirector connectivity and the physical port to which the client side is connected are attached to an IP Switch VLAN (shown in Figure 3 - Fully redundant routing network configuration, page 127). This allows the primary AppDirector to continue to be active and receive client traffic even when its direct connection to the router (or the router itself) fails.
• One of the physical ports used for inter-AppDirector connectivity and the physical port to which the server side is connected are attached to another IP Switch VLAN (blue marking in Figure 3). This allows the primary AppDirector to continue to be active and see the servers even when its direct connection to the servers or their switch (or the switch itself) fails.
Figure 3: Fully redundant routing network configuration
Bridge configuration:
• The two AppDirectors must be connected via one link.
• The physical port used for inter-AppDirector connectivity and the physical port to which the server side is connected are attached to an IP Switch VLAN (blue marking in Figure 4). This allows the primary AppDirector to continue to be active and see the servers even when its direct connection to the servers or their switch (or the switch itself) fails.
• The physical port to which the client side is connected and the server side Switch VLAN are attached to a Regular VLAN (green marking in Figure 4).
Figure 4: Fully redundant Bridge network configuration
Configuration Guidelines
The configuration needed in redundant environments depends on the following factors:
• Redundancy configuration: Active-Backup or Active-Active
• Network configuration: Routing or Bridging
• VRRP Preemption state: enabled or disabled
Note: A fully redundant network environment only affects the required inter-AppDirector connectivity and Layer 2 configuration, as described in the Fully Redundant Network Configuration section. The rest of the redundancy configuration parameters are affected by the factors listed above. This chapter provides configuration guidelines for each of these cases.
Active-Backup Routing Configuration
In an Active/Backup configuration, the primary AppDirector device is configured with the primary Virtual IP addresses. This device performs the regular AppDirector operations, handling all the inbound sessions to the Virtual IP addresses and distributing traffic among the servers in the farm linked to the Virtual IP address (via a Layer 4 Policy). The backup AppDirector device is configured with identical Virtual IP addresses that contain the exact same Layer 4 Policies, servers and farm settings. This device acts as a hot standby and does not perform load balancing as long as the primary device is active. When the backup AppDirector detects that the primary AppDirector has failed, the backup device takes over the IP addresses of its primary partner, informing all devices on the network that the backup device is now responsible for the services of the primary device.
When the primary device is back online, the backup device releases the services if VRRP preemption is enabled (the default) or if the proprietary redundancy protocol is used. If VRRP preemption is disabled, the backup device remains active as long as it is online.
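The parameter tables for the routing and bridging configurations pin the primary to VRRP priority 200 and the secondary to 100 on the same VRID and the same Associated IPs, and the preemption rule above decides which device is master once the primary returns. The following Python is an added example, not Radware code and not the AppDirector implementation. It encodes and verifies an RFC 3768 (VRRPv2) ADVERTISEMENT carrying a VRID, priority and Associated IPs, computes the Master_Down_Interval a backup waits before taking over, applies the RFC 3768 state rules for both preempt settings to the "primary comes back" scenario, and checks a primary/secondary VRID entry pair for the "Same as primary" consistency the tables require. It assumes the standard RFC 3768 wire format (advertisement interval in whole seconds, authentication type 0); AppDirector's own VRRP Interval is configured in milliseconds and nothing here claims to reproduce its wire encoding. The addresses and priorities are the ones the tables use; the function names are this example's own.

```python
"""Added example (not Radware code): VRRPv2 ADVERTISEMENT encoding and the
master election behind the Active/Backup preemption rule described above."""
import struct

VRRP_V2_ADVERTISEMENT = 0x21     # version 2 in the high nibble, type 1 = ADVERTISEMENT


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, adver_int, associated_ips):
    """Encode an RFC 3768 ADVERTISEMENT for one VRID (auth type 0, no authentication)."""
    if not (1 <= vrid <= 255 and 0 <= priority <= 255):
        raise ValueError("VRID must be 1-255 and priority 0-255")
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in associated_ips)
    head = struct.pack("!BBBBBBH", VRRP_V2_ADVERTISEMENT, vrid, priority,
                       len(associated_ips), 0, adver_int, 0)
    pkt = head + addrs + b"\x00" * 8                 # 8 bytes of (unused) auth data
    return pkt[:6] + struct.pack("!H", inet_checksum(pkt)) + pkt[8:]


def parse_advertisement(pkt):
    """Decode and verify an ADVERTISEMENT; raises ValueError on a bad packet."""
    if len(pkt) < 16 or pkt[0] != VRRP_V2_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 ADVERTISEMENT")
    if inet_checksum(pkt) != 0:                      # an intact packet sums to zero
        raise ValueError("checksum mismatch")
    vrid, priority, count, auth_type, adver_int = pkt[1:6]
    if len(pkt) != 16 + 4 * count:
        raise ValueError("length does not match the address count")
    ips = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "ips": ips}


def master_down_interval(adver_int, own_priority):
    """Seconds a backup waits without advertisements before taking over (RFC 3768 6.1)."""
    return 3 * adver_int + (256 - own_priority) / 256.0


def next_state(state, own_priority, adv_priority, preempt):
    """State after receiving an ADVERTISEMENT with adv_priority (RFC 3768 6.4).
    The IP-address tie-break for equal priorities is omitted."""
    if state == "backup":
        if adv_priority == 0:
            return "master"                          # master is shutting down
        if preempt and adv_priority < own_priority:
            return "master"                          # higher-priority router preempts
        return "backup"
    return "backup" if adv_priority > own_priority else "master"


def primary_returns(primary_priority, backup_priority, preempt):
    """Which device is master after the primary comes back online.

    While the primary was down the backup became master; a restarting router
    with priority below 255 starts in the Backup state (RFC 3768 6.4.1).
    """
    primary = next_state("backup", primary_priority, backup_priority, preempt)
    backup = "master"
    if primary == "master":
        backup = next_state("master", backup_priority, primary_priority, preempt)
    return {"primary": primary, "backup": backup}


def check_vrid_pair(primary, secondary):
    """Problems in a primary/secondary VRID entry pair under the 'Same as primary'
    rule of the Active-Backup tables; an empty list means the pair is consistent."""
    problems = []
    for key in ("vrid", "if_index", "primary_ip", "associated_ips", "preempt"):
        if primary[key] != secondary[key]:
            problems.append("%s differs between the two devices" % key)
    if primary["priority"] <= secondary["priority"]:
        problems.append("primary priority must be higher than secondary priority")
    return problems
```

RFC 3768 defines no authentication for VRRPv2, so the checksum only detects corruption: any host on the VLAN that can send to 224.0.0.18 can originate an advertisement, and the segment carrying VRRP between the two AppDirectors has to be a trusted one.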
Figure 5: Active Backup
Parameters (Active-Backup routing)

Global Parameters
Parameter                    Primary              Secondary
Redundancy Status            VRRP                 Same as primary
Interface Grouping           Enable               Same as primary
Backup Interface Grouping    Enable               Same as primary
Backup in VLAN               N/R - use default    Same as primary
Force Port Down              N/R - use default    Same as primary

VRID Internet Side
Parameter         Primary                                                          Secondary
VRID              1                                                                Same as primary
If Index          1                                                                Same as primary
Primary IP        100.1.1.10                                                       Same as primary
Priority          200                                                              100
Preempt Mode      Same for all VRIDs                                               Same as primary
Associated IPs    100.1.1.100, 100.1.1.10, outbound NAT addresses (if relevant)    Same as primary

VRID Server Side
Parameter         Primary                                                          Secondary
VRID              2                                                                Same as primary
If Index          3                                                                Same as primary
Primary IP        20.1.1.10                                                        Same as primary
Priority          200                                                              100
Preempt Mode      Same for all VRIDs                                               Same as primary
Associated IPs    20.1.1.10, client NAT addresses (if relevant)                    Same as primary

Mirroring
Parameter          Primary                                                                     Secondary
Mirroring Status   Disabled (if preemption is enabled); Enabled (if preemption is disabled)    Enabled
Mirror Device IP   1.1.1.12                                                                    Default
Mirrored Tables    Client Table; Session ID Table; Proximity and DNS Persistency               Same as primary
                   (for a geographically distributed solution)
Active-Active Routing Configuration
AppDirector devices can also be configured to function in an Active/Active mode, where each AppDirector is the primary provider of some services and a backup for the services provided by the other AppDirector in the pair. In this case, both devices are set up as the primary AppDirector for one or more Virtual IPs and as the backup AppDirector for the Virtual IPs for which the other unit is primary. When one of the devices fails, the other continues to handle traffic to its own Virtual IPs while also taking over the failed device's Virtual IPs.
Note: In the Active/Active setup, each server can serve only Virtual IPs that are active on one device. A server cannot serve multiple Virtual IPs where one Virtual IP is active on one device while another Virtual IP is active on the other device.
Figure 6: Active-Active Routing Configuration
Parameters (Active-Active routing)

Global Parameters
Parameter                    AppDirector 1        AppDirector 2
Redundancy Status            VRRP                 Same as AppDirector 1
Interface Grouping           Enable               Same as AppDirector 1
Backup Interface Grouping    Enable               Same as AppDirector 1
Backup in VLAN               N/R - use default    Same as AppDirector 1
Force Port Down              N/R - use default    Same as AppDirector 1

VRID Internet Side for VIP active on AppDirector 1
Parameter         AppDirector 1                                                    AppDirector 2
VRID              1                                                                Same as AppDirector 1
If Index          1                                                                Same as AppDirector 1
Primary IP        100.1.1.10                                                       Same as AppDirector 1
Priority          200                                                              100
Preempt Mode      Same for all VRIDs                                               Same as AppDirector 1
Associated IPs    100.1.1.100, 100.1.1.10, outbound NAT addresses (if relevant)    Same as AppDirector 1

VRID Server Side for VIP active on AppDirector 1
Parameter         AppDirector 1                                     AppDirector 2
VRID              3                                                 Same as AppDirector 1
If Index          3                                                 Same as AppDirector 1
Primary IP        20.1.1.10                                         Same as AppDirector 1
Priority          200                                               100
Preempt Mode      Same for all VRIDs                                Same as AppDirector 1
Associated IPs    20.1.1.10, client NAT addresses (if relevant)     Same as AppDirector 1

VRID Server Side for VIP active on AppDirector 2
Parameter         AppDirector 1                                     AppDirector 2
VRID              4                                                 Same as AppDirector 1
If Index          3                                                 Same as AppDirector 1
Primary IP        30.1.1.10                                         Same as AppDirector 1
Priority          100                                               200
Preempt Mode      Same for all VRIDs                                Same as AppDirector 1
Associated IPs    30.1.1.10, client NAT addresses (if relevant)     Same as AppDirector 1

Mirroring
Parameter          AppDirector 1                                                               AppDirector 2
Mirroring Status   Disabled (if preemption is enabled); Enabled (if preemption is disabled)    Enabled
Mirror Device IP   1.1.1.12                                                                    Default
Mirrored Tables    Client Table; Session ID Table; Proximity and DNS Persistency               Same as AppDirector 1
                   (for a geographically distributed solution)
Active-Backup Bridging Configuration
Figure 7: Active-Backup Bridging Configuration
Parameters (Active-Backup bridging)

Global Parameters
Parameter                    Primary              Secondary
Redundancy Status            VRRP                 Same as primary
Interface Grouping           Enable               Same as primary
Backup Interface Grouping    Enable               Same as primary
Backup in VLAN               Block Broadcast      Same as primary
Force Port Down              Enable               Same as primary

VRID
Parameter         Primary                     Secondary
VRID              1                           Same as primary
If Index          1001                        Same as primary
Primary IP        100.1.1.10                  Same as primary
Priority          200                         100
Preempt Mode      Same for all VRIDs          Same as primary
Associated IPs    100.1.1.100, 100.1.1.10     Same as primary

Mirroring
Parameter          Primary                                                                     Secondary
Mirroring Status   Disabled (if preemption is enabled); Enabled (if preemption is disabled)    Enabled
Mirror Device IP   1.1.1.12                                                                    Default
Mirrored Tables    Client Table; Session ID Table                                              Same as primary
Global Redundancy Configuration
You can configure more than one AppDirector device on a network so that they back up one another. If any network interface fails, AppDirector fails the whole device, and the backup device, previously handling its own farms, takes over all activity. The Global Configuration window allows you to enable a backup device. Before starting the redundancy configuration, the role of each AppDirector must be set via a CLI command.

To access AppDirector Global Redundancy
Go to AppDirector > Redundancy > Global Configuration. The Global Redundancy Configuration window appears.
To configure global redundancy parameters
1. From the AppDirector menu, select Redundancy > Global Configuration. The Global Redundancy Configuration window appears.
2. Set the parameters.

IP Redundancy Status: Each pair of AppDirectors can function in an active/backup setup or an active/active setup. To achieve redundancy between pairs of AppDirector devices, these methods are used:
• Disable (default)
• VRRP: Working with the Virtual Router Redundancy Protocol enables dynamic redundancy to be maintained using a logical entity called a virtual router.
• Proprietary [ARP]: Working with ARP enables you to monitor the other device in a pair and check its availability. Using Proprietary ARP redundancy, at failover time the main device's IP addresses are managed by the backup device and are associated with the backup device's MAC address.
Interface Grouping: Ensures that if one port fails, the others are also taken down. When it is enabled, the backup device takes over only when all the interfaces of the main device are down. Default: Disabled.
ARP with Interface Grouping: Defines whether the device can send ARP requests (when it is the backup device) while interface grouping is active. Values: Send (default), Avoid.
Backup Device in VLAN: When AppDirector is installed in a bridge configuration, this defines how the device behaves when its redundancy state is Backup. Values:
• Forward Traffic: Forward all traffic. This is the default value, but it should be used only when the device is in a routing configuration.
• Block Broadcast: When the device is in the Backup state, broadcast traffic is blocked in order to prevent loops.
• Block All: When the device is in the Backup state, all traffic is blocked in order to prevent loops. This cannot be used in a fully redundant network configuration.
Backup Fake ARP: Enables the backup device to perform a fake ARP. Default: Enabled. Note: In networks with Layer 3 switches, the fake ARP confuses the switch during the redundancy process. In this case, disable this option.
Backup Interface Grouping: When enabled, the backup takes over only when all IP interfaces defined in its Redundancy Table fail, and releases those interfaces only when all the main device's interfaces are up.
VRRP Interval [msec.]: Interval at which the main device sends advertisements. Values: 100 - 25,000. Default: 0 msec. Note: Configuring a specific advertisement interval for a VRRP entry is only possible when the global value is set to 0. When the global value is not 0, the specific values of the VRRP entries are discarded and the global value is used. See Virtual Router Redundancy Protocol, page 142.
VRRP Automated Configuration Updates: AppDirector can automatically add a new Virtual IP configured on the device to the VRRP Associated IP Addresses table. When this feature is enabled and a Layer 4 policy is configured that uses a new Virtual IP, this IP is automatically associated with the VRID defined for the AppDirector interface that belongs to the same subnet as the Virtual IP. Messages announcing that a Virtual IP was automatically associated with a specific VRID and interface are written to the device log. Values: Enabled or Disabled (default).
Force Down Ports Time: The period of time for which the port must be down. Values: 0 (the feature is disabled) or 5 - 60 seconds. When enabled, the value depends on how long it takes the switch to clear its MAC tables.
Enhanced Acceleration Failure Action: Defines which proxy-related failures induce failover in an active-backup configuration.
• Accel-engine Fail: Acceleration engine failure.
• SSL or Accel-engine Fail: SSL accelerator or acceleration engine failure.
• Compression or Accel-engine Fail: Hardware compression card or acceleration engine failure.
• SSL or Compression or Accel-engine Fail: SSL accelerator, hardware compression card or acceleration engine failure.
• Ignore (default): Ignore failures and do not perform failover.

3. Ensure that IP Redundancy Status is enabled, unless the network is a one-legged configuration.
4. Ensure that Interface Grouping is disabled.
5. Click Set. Your configuration is set.
Failover Decision
Failover is a backup operational mode in which the functions of a system component (such as a processor, server, network, or database) are assumed by secondary system components when the primary component becomes unavailable through either failure or scheduled downtime. Used to make systems more fault-tolerant, failover is an integral part of mission-critical systems that must be constantly available. The procedure involves automatically offloading tasks to a standby system component so that the switch is as seamless as possible to the end user. A backup AppDirector takes the failover decision when:
• The active device fails.
• One or more interfaces fail on the active device.
• Application Acceleration modules fail on the active device.
Interface Grouping
When AppDirector notices that one of its physical ports is down and Interface Grouping is enabled, it intentionally brings all its other active ports down. When an interface (physical port, trunk or VLAN) on AppDirector goes down, due to a cable failure, switch port failure, hub failure, or other problems, AppDirector performs the following:
1. AppDirector examines the configuration to see if any IP addresses were configured on the interface that went down.
2. If there were IP addresses configured on the interface, AppDirector deactivates all other active interfaces.
3. If no IP addresses were configured on the interface, nothing occurs and normal operation continues.
Notes:
>> You can configure per physical port whether it triggers Interface Grouping or not (Selective Interface Grouping).
>> A trunk or VLAN failure always triggers Interface Grouping, but for each VLAN you can configure per physical port whether it affects the VLAN status for Interface Grouping or not (see Adding Physical Ports to a VLAN).
>> Failure of a dedicated management port does not trigger Interface Grouping.
Backup Interface Grouping
To prevent partial failover, the backup device should take control only if ALL the relevant interfaces of the main device are out of service, and release those interfaces only when all the main device's interfaces are back up. This solves the problem of an active and a backup device, each connected to a switch, where the switches are cross-connected: when the cable that cross-connects the switches fails, the primary device is not affected, so Interface Grouping is not triggered, but the backup device can no longer reach the primary device and therefore takes over. This causes downtime in the service. When the Backup Interface Grouping parameter is enabled, the backup device takes over only when all IP interfaces defined in its Redundancy Table (or VRID Table) fail, and releases those interfaces only when all the primary device's interfaces are back up. When Backup Interface Grouping is not activated, the backup device takes control of each interface of the main device individually when it is out of service, and releases it once the respective interface of the main device is available again.
ARP in Interface Grouping Determines whether the device can send ARP requests (to servers for example) while interface grouping is active; also see the parameter in Global Redundancy Configuration, page 134.
Backup Device and Interface Grouping Behavior in VLAN
When redundancy is used in a bridging environment (Regular VLAN), the backup device must remain completely silent on the network to prevent broadcast storms. This behavior is enabled using the Backup Device in VLAN parameter in Global Redundancy Configuration, page 134. The VLAN status determines the Interface Grouping behavior (a VLAN that goes down triggers Interface Grouping), but the Selective Interface Grouping settings of specific ports within the VLAN are ignored. However, how the VLAN status depends on port status can be controlled via the following configurations:
• Up/Down Criterion: Per VLAN, you can configure when the VLAN is considered up or down based on the number of its ports that are up or down.
• Port Interface Grouping State: For each port attached to a VLAN, you can configure whether its status is included in or excluded from the Up/Down Criterion calculation.
Selective Interface Grouping
In AppDirector redundancy installations, the primary and redundant AppDirectors can have separate interfaces used solely for management and not for handling traffic. When one of these management ports is down and Interface Grouping is enabled, the backup device takes over. To avoid this, you can use Selective Interface Grouping, where you define which interfaces initiate Interface Grouping and which do not. In the Selective Interface Grouping table, you define for each interface whether it initiates Interface Grouping when it goes down. All interfaces for which VRs are defined are included in Selective Interface Grouping. This feature allows you to enable interface grouping on a selected port.

To enable interface grouping on a selected port
1. From the AppDirector menu, select Redundancy > Selective Interface Grouping. The Selective Interface Grouping window appears.
2. Select the desired Port Number. The Selective Interface Grouping Update window appears.
3. Set the parameters.

Port Number: Select the relevant port number.
Port Status: Defines for each interface whether it is included. Included (default): the port status can determine the VLAN status. Excluded: the port status cannot determine the VLAN status. Notes:
• When a port has an IP address and a VRID assigned to it, is set to "Excluded", and is then disconnected, it still initiates a failover.
• When a port has an IP address assigned to it but no VRID, is set to "Included", and is then disconnected, it does not initiate a failover.

4. Click Set. Your configuration is set.
Application Acceleration Module Failover
Enhanced Acceleration
AppDirector can also initiate failover on failure of an Application Acceleration capability: the Application Acceleration Engine, the hardware SSL Acceleration card or the hardware Compression card. When such a failure occurs on the active AppDirector, the device enters the same mode as for Interface Grouping and failover occurs.
Stateful Failover (Mirroring)
Stateful failover allows a backup device to take over when a primary device fails, without dropping existing sessions or breaking persistency. Stateful failover is provided by mirroring the content of the tables that define a session. There are three mirroring procedures that you can perform:
• Active Device Mirroring, page 140
• Backup Device Mirroring, page 141
• Mirroring Device Parameters, page 141
For effective and reliable mirroring you need to:
• Provide a direct connection between the two devices.
• Configure an IP interface on each device for the direct connection port; its address is used as the Mirroring Device Address on the other device.
• Exclude the physical port used for inter-device communication from Interface Grouping.
• Use a trunk (link aggregation) for the direct connection between the two devices.
Notes:
>> Mirroring is not supported when delayed binding is used with "L7 Persistent Switching Mode" configured to either Overwrite or Maintain.
>> Mirroring is supported for the Layer 7 Persistent Switching Mode named "First".
>> RADIUS client entries are the client entries that are not mirrored.
Mirroring can handle long and short sessions and HTTP traffic. The following are mirrored:
• Dynamic Session ID Table
• DNS Persistency Table (AppDirector Global only)
• Proximity Table
Active Device Mirroring
To set up active device mirroring 1. From the AppDirector menu, select Redundancy > Mirroring > Active Device Parameters. The Mirroring: Active Device Parameters window appears. 2. Set the parameters.
Proximity Table Mirroring: Enable or Disable (default) Proximity Table mirroring.
Dynamic DNS Persistency Table Mirroring: Enable or Disable (default) Dynamic DNS Persistency Table mirroring.
Client Table Mirroring: Enable or Disable (default) Client Table mirroring. Note: RADIUS client entries are not mirrored; they are not supposed to be.
Session Id Table Mirroring: Enable or Disable (default) Session Id Table mirroring.
3. Click Set. Your changes are recorded.
Backup Device Mirroring
To set up backup device mirroring 1. From the AppDirector menu, select Redundancy > Mirroring > Backup Device Parameters. The Mirroring: Backup Device Parameters window appears. 2. Set the parameter.
Mirroring Status: Enable or Disable (default).
3. Click Set. Your changes are recorded.
Mirroring Device Parameters
To set up mirror device parameters 1. From the AppDirector menu, select Redundancy > Mirroring > Mirror Device Parameters. The Mirror Device Parameters window appears. 2. Set the parameter.
Active Device IP: IP address of the device to mirror from.
3. Click Set. Your changes are recorded.
Notes: >> When setting up Mirroring, Radware recommends using the same AppDirector software version on the main and backup devices. >> Mirroring affects general device performance. >> Radware recommends using mirroring for Stateful Failover together with the VRRP redundancy mechanism.
To fail over the main AppDirector, use one of the following: in Web Based Management, AppDirector > Redundancy > VRRP > Virtual Routers, using the All VRIDs Up or All VRIDs Down options; or the CLI command redundancy vrrp global--status.
Force Port Down When operating in a VRRP configuration, this capability electrically forces down, for a short period, the physical ports belonging to a VLAN when that VLAN is disabled due to Interface Grouping activation. The link drop makes the switches to which these ports are connected clear their MAC tables, so they stop sending traffic to the wrong AppDirector device. The capability is configured through Web Based Management (AppDirector > Redundancy > Global Configuration) or the CLI (redundancy force-down-ports-time command) with the following parameter.
Force Down Ports Time: The period of time for which the ports are held down. Values: 0 (the feature is disabled) or 2 to 60 seconds. When enabled, choose the value according to how long the connected switch takes to clear its MAC tables.
Notes: >> Upon failover, the printouts displayed for ports going down and up have an extra 2-second delay (in addition to the value set in force-port-down-time). >> This capability is supported for only one VLAN per device. >> This capability does not function when VRRP is not enabled and no VLAN is configured as part of the VRRP interfaces.
Physical IP Addresses versus Virtual IP Addresses Redundancy In redundancy configurations, both the primary and backup AppDirectors must be configured to work with virtual and physical addresses. The primary device ensures that the backup AppDirector supports the virtual addresses; these addresses are defined on the backup AppDirector just as on the primary AppDirector. Different physical IP addresses are used for the primary and backup devices, and often additional configuration is required on the redundant AppDirector to back up the physical IP addresses of the primary device. When a physical interface of the primary AppDirector is set as the default gateway of a server and the backup AppDirector takes over, the server keeps working, using the backup device as its next-hop router; however, the server cannot ping its default gateway IP address because the primary device is down. To avoid this, use Virtual IP addresses as the default gateways of servers and other devices around AppDirector. To use Virtual IP addresses, create a Virtual IP Interface address for each local subnet of AppDirector and use this address in the relevant routing tables for hosts on that subnet. Ensure that the same Virtual IP Interface addresses are set as backup on the redundant device.
Virtual Router Redundancy Protocol The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in a statically routed default-gateway environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP addresses associated with a virtual router is called the Master and forwards packets sent to these IP addresses. The election process provides dynamic failover of the forwarding responsibility should the Master become unavailable. Any of the virtual router's IP addresses on a LAN can then be used as the default first-hop router by end hosts. To achieve redundancy between pairs of devices, Radware recommends using VRRP. VRRP maintains dynamic redundancy using a logical entity called a virtual router (VRRP was initially developed to provide high availability for routers).
A VR (virtual router) has a Virtual Router Identifier (VRID) with one or more associated IP addresses. Each VR has a VRMAC, a MAC address associated with the VR, so neighbors need no MAC address update in case of a failover. The VRMAC address is determined by the VRID and does not need to be configured manually. The same VR must be configured on multiple devices to achieve redundancy between them for that VR. Each device has a priority for a VR, and the primary device for the VR is the device with the highest priority. Using VRRP, the primary device constantly sends advertisements to the other VRRP devices to indicate that it is online. When the advertisements stop, the primary device is assumed to be inactive and a new primary device is selected for this VR: the device with the next highest priority for that VR. VRRP is not a routing protocol: it does not advertise IP routes or affect the routing table in any way, so it can be supported by a wide range of devices that are not routers. With VRRP, IP addresses are associated with virtual MAC addresses that are owned by the primary device and are taken over by the backup device at failover time.
To set up the VRRP Table 1. From the AppDirector menu, select Redundancy > Global Configuration. The Global Redundancy Configuration window appears. 2. Ensure that IP Redundancy Status is VRRP. 3. From the AppDirector menu, select Redundancy > VRRP > Virtual Routers. The Virtual Router Table window appears. 4. Click Create. The Virtual Router Table Create window appears. 5. Set the parameters. 6. Click Set. Your configuration is set.
If Index: Interface number. Default: F-1
VR ID: Virtual router's identification number. Values: 1 - 255
VR MAC: The virtual MAC address of the virtual router. Although this object can be derived from the 'vrrpOperVrId' object, it is defined so that it is easily obtainable by a management application and can be included in VRRP-related SNMP traps.
State: The current state of the virtual router. Values: • Initialize: the virtual router is waiting for a startup event. • Master: the virtual router is forwarding packets for the IP addresses associated with this router. • Backup: the virtual router is monitoring the availability of the master router.
Status: Displays the administrative status, Up or Down. Values: Up, Down (default). This parameter enables or disables the virtual router function. Setting the value to Up transitions the state of the virtual router from Initialize to Backup or Master, depending on the value of Priority. Setting the value to Down transitions the router from Master or Backup to Initialize. State transitions may not be immediate; they sometimes depend on other factors, such as the interface (IF) state.
Priority: The highest priority (255) must be assigned to the VR associated with a device's physical IP address (an IP address that the device owns). Values: 1 - 255. Default: 100. Notes: • When two devices are configured with VRRP and the master device has a priority of 255 set for its virtual routers, shutting down all virtual routers moves the backup to the Master state but causes client connections to cease. This is because downing the virtual routers does NOT down the port. The port continues functioning, and as soon as the virtual router is down the port broadcasts its own MAC as the owner of the device interface IP: it keeps sending health checks with the interface IP as source IP, and ARPs for IPs on the directly connected networks. • These ARPs poison the ARP cache of all machines on the network, which then record the interface MAC of the primary box as the holder of the interface IP that the backup device tried to take over via VRRP. • Therefore, all traffic sent to the primary device interface IP as a gateway (reply traffic from the servers) reaches the primary device and is routed straight to the default gateway of the device. This is not where the traffic should go: it belongs to a VIP that was taken over by the backup device, and the primary device does not fix the IP headers but routes the packet as it stands, which breaks the session. • When you use a VR priority of 255 on the primary device, you must manually add its interface IP to the Associated IP table. • When you do not use a VR priority of 255 on the primary device, you cannot place its interface IP in the Associated IP table. The default gateway is then a different IP, which is not subject to the poisoning caused by the interface activity of the primary device.
Address Count: Number of IP addresses that are associated with this virtual router.
Master IP: The master router's real (primary) IP address. This is the IP address listed as the source in the VRRP advertisement last received by this virtual router.
Primary IP: Used internally only, as the source IP of VRRP messages sent by the device. It is recommended to leave the default; the device adds a default unless the user defines one. When there is more than one IP address for a given If Index, this parameter specifies the IP address that becomes the VRRP Master IP Address should the virtual router transition from Backup to Master. If this object is set to 0.0.0.0, the numerically lowest IP address is selected.
Auth Type: Authentication type used for VRRP protocol exchanges between virtual routers. The value of this parameter is the same for a given If Index. Values: No Authentication (default), Text Authentication.
Auth Key: The authentication key, set according to the value of Auth Type. If the value is shorter than 16 octets, the agent left-adjusts and zero-fills it to 16 octets. The value of this parameter is the same for a given If Index.
Interval: The advertisement interval, in seconds. Default: 1 second. Note: Configuring a specific advertisement interval for a VRRP entry is only possible when the global value is set to 0. When the global value is not 0, the specific values of VRRP entries are discarded and the global value is used. See Global Redundancy Configuration, page 134.
Preempt Mode: Defines the takeover procedure for a VR when a device fails and then resumes functioning. When a device with a certain priority fails, the device with the next highest priority takes control of the VR. When the device with the higher priority for this VR resumes functioning, Preempt Mode decides whether it retakes control of the VR from the lower-priority device. Values: • True (default): the higher-priority device takes over the VR. • False: the lower-priority device keeps control of the VR. This is only applicable when two or more devices share a VR. Note: The router owning the IP address associated with the VR is an exception: it always preempts, independently of this setting.
Up Time: The value of the 'sysUpTime' object when this virtual router (i.e., 'vrrpOperState') transitioned out of Initialize.
Preferred State: The preferred state of the virtual router. This field affects the configuration of the peer device's parallel VRRP entry. Values: • Backup: the peer's VRRP entry should have a higher priority. • Master: the peer's VRRP entry should have a lower priority.
Peer Status: Values: Up / Down (default).
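VRRPv2 advertisement encoding and decoding plus the election rules from the table above, as an added example written for this edit (not Radware code and not the AppDirector implementation). It derives the VRMAC from the VR ID as the VR MAC row describes, builds and checks an advertisement carrying the Priority, Interval, Auth Type and Auth Key fields, and models the Status, Priority and Preempt Mode rules: the address owner at priority 255 starts as Master and always preempts, while a non-owner with Preempt Mode False stays in Backup. The VRID, addresses and key are assumptions, and the state machine is simplified (no skew time or master-down timer). One caveat worth knowing before choosing Text Authentication: it is the RFC 2338 type 1 mechanism, later deprecated by RFC 3768, and it carries the key in clear text in every multicast advertisement, so it guards against misconfiguration rather than against a host on the same LAN.

```python
"""VRRPv2 advertisement encode/decode and the election rules from the Virtual
Router table.  Added illustration for this guide, not Radware code; the VRID,
addresses and key used in the examples are made up."""
import struct
from dataclasses import dataclass
from typing import List, Optional

VERSION, ADVERTISEMENT = 2, 1
AUTH_NONE, AUTH_TEXT = 0, 1      # the two Auth Type values the table offers
OWNER = 255                      # priority of the address owner


def vrmac(vrid: int) -> str:
    """VRMAC is fixed by the VRID (IANA block 00-00-5E-00-01-xx), so a failover
    needs no MAC update and nothing has to be configured by hand."""
    if not 1 <= vrid <= 255:
        raise ValueError("VR ID must be 1-255")
    return "00:00:5e:00:01:%02x" % vrid


def _ones_complement(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int
    addresses: List[str]
    interval: int = 1            # Interval row, seconds
    auth_type: int = AUTH_NONE
    auth_key: bytes = b""        # Auth Key row: zero-filled to 16 octets

    def encode(self) -> bytes:
        ips = b"".join(bytes(int(o) for o in a.split(".")) for a in self.addresses)
        # The MIB keeps 16 octets; RFC 2338 puts only 8 of them on the wire, in clear.
        auth = self.auth_key.ljust(16, b"\x00")[:8]
        head = struct.pack("!BBBBBBH", (VERSION << 4) | ADVERTISEMENT, self.vrid,
                           self.priority, len(self.addresses), self.auth_type,
                           self.interval, 0)
        pkt = head + ips + auth
        return pkt[:6] + struct.pack("!H", _ones_complement(pkt)) + pkt[8:]

    @classmethod
    def decode(cls, pkt: bytes) -> "Advertisement":
        if len(pkt) < 16:
            raise ValueError("short VRRP packet")
        vt, vrid, prio, count, auth_type, interval, _ = struct.unpack("!BBBBBBH", pkt[:8])
        if (vt >> 4, vt & 0x0F) != (VERSION, ADVERTISEMENT):
            raise ValueError("not a VRRPv2 advertisement")
        if len(pkt) != 8 + 4 * count + 8 or _ones_complement(pkt) != 0:
            raise ValueError("truncated or corrupt advertisement")
        addrs = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
        key = pkt[8 + 4 * count:].rstrip(b"\x00")
        return cls(vrid, prio, addrs, interval, auth_type, key)


@dataclass
class VirtualRouter:
    """One device's view of a VR: the Status, Priority, Preempt Mode and State
    rows.  Simplified: no skew time or master-down timer."""
    vrid: int
    priority: int
    preempt: bool = True          # Preempt Mode, default True
    state: str = "initialize"
    master_ip: Optional[str] = None

    def set_status(self, up: bool) -> str:
        """Status Up moves Initialize to Master (owner, 255) or Backup."""
        if not up:
            self.state, self.master_ip = "initialize", None
        else:
            self.state = "master" if self.priority == OWNER else "backup"
        return self.state

    def on_advertisement(self, adv: Advertisement, src_ip: str) -> str:
        if adv.vrid != self.vrid or self.state == "initialize":
            return self.state
        if adv.priority > self.priority:          # outranked (255 beats all)
            self.state, self.master_ip = "backup", src_ip
        elif adv.priority == 0:                   # master is releasing the VR
            self.state, self.master_ip = "master", None
        elif self.state == "backup" and adv.priority < self.priority:
            # A lower-priority master is up: retake the VR only if Preempt Mode
            # is True; the address owner (255) preempts regardless.
            if self.preempt or self.priority == OWNER:
                self.state, self.master_ip = "master", None
            else:
                self.master_ip = src_ip
        elif self.state == "backup":              # equal priority: keep following
            self.master_ip = src_ip
        return self.state

    def on_master_down(self) -> str:
        """Advertisements stopped: the next-highest-priority backup takes over."""
        if self.state == "backup":
            self.state, self.master_ip = "master", None
        return self.state
```

Feeding captured VRRP payloads (IP protocol 112 to 224.0.0.18) through `Advertisement.decode` is a quick way to audit which priorities and Auth Type settings are actually on the wire, rather than what the tables say.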
To activate or shut down the devices 1. In the VRIDs Up/Down drop-down list, set the desired parameter.
VRIDs Up/Down: • All Down: sets Status for all VRIDs to Down. This shuts down the main device. • All Up: sets Status for all VRIDs to Up, so that the main AppDirector is immediately activated and takes control from the backup device. • No Change (default): Status is not changed.
2. Click Set. Your configuration is set.
Associated IP Addresses The VRRP router controlling the IP addresses associated with a virtual router is the Master and forwards packets sent to these addresses; any of them can be used as the default first-hop router by end hosts. You use the Associated IP Addresses window to define which IP addresses belong to each VR.
To set up the Associated IP Addresses 1. From the AppDirector menu, select Redundancy > VRRP > Associated IP Addresses. The Associated IP Addresses window appears. 2. Click Create. The Associated IP Addresses Create window appears. 3. Set the parameters.
If Index: Displays the interface number.
VR ID: Displays the virtual router's identification number. Note: The VR ID must be disabled in the Virtual Routers table before associated IP addresses are added, and enabled again afterwards.
Associated IP: Displays the IP address associated with this VR ID. Note: Up to 255 IP addresses can be associated with a single VR ID.
4. Click Set. Your preferences are recorded.
Proprietary Redundancy The Radware proprietary redundancy mechanism uses ARP (Address Resolution Protocol) to verify that the backup AppDirector is available, that the network connections between the main and backup devices are up, and that failover happens when the primary device fails. The backup device manages the polling process by continuously polling the main device using ARP. If the main device fails, the teaching process takes place: the backup device sends broadcast ARPs informing its network neighbors that the IP addresses of the main device are now associated with its own MAC addresses. This ensures that all traffic destined to the IP addresses of the main device arrives at the backup device.
Backup Fake ARP When the backup device takes over, it sends gratuitous ARPs to all local stations informing them that the main device IP addresses now correspond to the MAC addresses of the backup device. When the main device is operational again, it uses the same technique: it sends gratuitous ARPs to all local stations informing them that the main device IP addresses now correspond to the MAC addresses of the main device. To speed up this process, the backup device also publishes this message. This is a fake ARP, since one device (the backup) publishes the other device (the main). The fake ARP might confuse some Layer 3 switches, which update their ARP tables from the source MAC of the frame rather than from the MAC in the ARP payload. The Backup Fake ARP option is enabled by default and can be disabled if necessary.
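The ARP mechanics behind the proprietary redundancy polling, the Backup Fake ARP, and the priority-255 caution in the Virtual Router table, as an added example written for this edit (not Radware code). It builds the three frame types, parses them, and models two kinds of neighbour: a standard host that learns from the ARP sender fields, and a Layer 3 switch of the kind the text warns about, which learns from the Ethernet source MAC. All MAC and IP values are made up. Scenario 3 reproduces the poisoning the Priority note describes: after the backup takes over the interface IP on the VRMAC, one ordinary ARP request from the still-up primary port flips the host's entry back to the primary's MAC.

```python
"""Ethernet/ARP frames of the kind the proprietary redundancy mechanism uses
for polling and teaching, and a model of how neighbours update their ARP
tables from them.  Added illustration for this guide, not Radware code; the
MAC and IP values below are made up."""
import struct
from typing import Dict, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

# Constructed scenario values (assumptions, not from the guide).
MAIN_MAC, BACKUP_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02"
VRMAC = "00:00:5e:00:01:0a"          # VRMAC for VRID 10 (RFC 3768 block)
MAIN_IP, SERVER_IP = "10.0.0.1", "10.0.0.50"


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def arp_frame(eth_src: str, op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str, eth_dst: str = BROADCAST) -> bytes:
    """Ethernet header followed by an ARP body.  The Ethernet source address and
    the ARP sender hardware address are independent fields; they usually agree,
    and the Backup Fake ARP relies on them not agreeing."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Ordinary who-has request: the backup polling the main device's interface
    IP, or a device ARPing for hosts on a directly connected subnet."""
    return arp_frame(src_mac, ARP_REQUEST, src_mac, src_ip, ZERO_MAC, target_ip)


def gratuitous_arp(mac: str, ip: str) -> bytes:
    """Teaching: 'ip is now at mac', sent by the device that really owns mac."""
    return arp_frame(mac, ARP_REPLY, mac, ip, BROADCAST, ip)


def fake_arp(backup_mac: str, main_mac: str, main_ip: str) -> bytes:
    """Backup Fake ARP: the backup publishes the MAIN device's MAC for the main
    IP, so the frame comes from backup_mac but the ARP payload names main_mac."""
    return arp_frame(backup_mac, ARP_REPLY, main_mac, main_ip, BROADCAST, main_ip)


def parse(frame: bytes) -> Dict[str, object]:
    if len(frame) != 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": fmt_mac(frame[6:12]),
            "op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}


class Neighbour:
    """ARP table of a host or switch on the LAN.  A standard stack updates its
    entry from the ARP sender fields of any request or reply it sees;
    learn_from_frame_source=True models the Layer 3 switches the guide warns
    about, which take the MAC from the Ethernet source address instead."""

    def __init__(self, learn_from_frame_source: bool = False):
        self.table: Dict[str, str] = {}
        self.from_frame_source = learn_from_frame_source

    def receive(self, frame: bytes) -> str:
        p = parse(frame)
        learned = p["eth_src"] if self.from_frame_source else p["sender_mac"]
        self.table[p["sender_ip"]] = learned
        return learned


def scenarios() -> Dict[str, Tuple[str, str]]:
    """The three situations the text describes; returns what each neighbour
    ends up believing about MAIN_IP."""
    host, l3_switch = Neighbour(), Neighbour(learn_from_frame_source=True)
    out = {}
    # 1. Main fails: the backup tells the LAN that MAIN_IP now lives at its MAC.
    for n in (host, l3_switch):
        n.receive(gratuitous_arp(BACKUP_MAC, MAIN_IP))
    out["after_takeover"] = (host.table[MAIN_IP], l3_switch.table[MAIN_IP])
    # 2. Main returns: the backup speeds things up by publishing the main's MAC.
    #    The host follows the payload; the quirky switch follows the frame source.
    for n in (host, l3_switch):
        n.receive(fake_arp(BACKUP_MAC, MAIN_MAC, MAIN_IP))
    out["after_fake_arp"] = (host.table[MAIN_IP], l3_switch.table[MAIN_IP])
    # 3. VRRP owner (priority 255) with its VRs downed: the backup now answers
    #    for MAIN_IP on the VRMAC, but the owner's port is still up and ARPs for
    #    directly connected hosts from its interface IP with its own MAC.
    host.receive(gratuitous_arp(VRMAC, MAIN_IP))
    taken_over_by = host.table[MAIN_IP]
    host.receive(arp_request(MAIN_MAC, MAIN_IP, SERVER_IP))
    out["owner_vrs_down"] = (taken_over_by, host.table[MAIN_IP])
    return out
```

The second scenario is exactly the case that makes the Backup Fake ARP option worth disabling on some Layer 3 switches: the host ends up correct and the switch ends up pointing the main IP at the backup's port.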
IP Redundancy In redundancy configurations both AppDirectors, the main and the backup, must be defined to work with virtual and physical addresses. The virtual IP addresses are defined on the backup AppDirector in the same manner as on the main AppDirector, and the main device makes sure that the backup AppDirector supports the virtual addresses. Different physical IP addresses are used for the main and backup devices, and additional configuration is required on the redundant AppDirector to back up the physical IP addresses of the main device. The IP Redundancy Table window lets you set up IP router redundancy. The IP Redundancy Table is relevant for proprietary redundancy only.
To set up IP router redundancy 1. From the AppDirector menu, select Redundancy > IP Redundancy Table. The IP Redundancy window appears. 2. Click Create. The IP Redundancy Table Create window appears. 3. Set the parameters.
Interface IP Address: The IP address of the IP interface on which the redundancy feature is operational.
Main Router Address: IP address on the main AppDirector interface that this AppDirector is backing up.
Operating Status: The redundancy status. If Active, the main AppDirector is considered inoperative and the IP interface operates as its backup. • Active: the backup AppDirector is now active on this interface. • Inactive: the backup AppDirector is not active.
Poll Interval [sec]: Polling interval for the main AppDirector interfaces, in seconds. If the interval is 0, the main AppDirector is not polled. Default: 3 seconds.
Time Out [sec]: Interval, in seconds, within which the main AppDirector must respond. If the main AppDirector does not respond within this interval, it is considered inoperative. If Time Out is 0, the backup AppDirector ignores the row. Default: 12 seconds.
4. Click Set. Your changes are recorded. This procedure must be repeated for every backed-up interface.
Note: To allow the backup device to poll the main device, it must know which main device IP interfaces its own IP interfaces are backing up.
Configuration Synchronization In a redundant configuration, master and slave devices require consistent configuration. Online configuration synchronization replaces the tedious, error-prone manual process of keeping the configuration of a pair of redundant devices in step. The configuration created on one device is updated automatically and synchronously on its redundancy peer, so the device configurations are always synchronized without manual intervention. The capability operates in a master/slave mode: the master device is the only one that can be configured by the user, and the slave device is configured by the master device only. Automatic configuration synchronization is achieved by an online update of the slave device for every configuration operation performed on the master device.
Notes: >> The redundancy configuration is updated on the slave device according to the recommended configuration in the Configuration Guidelines section. >> This capability is only supported for a pair of devices using VRRP in an Active-Backup scenario.
Master/Slave Roles The roles of the devices are set manually and never change dynamically, in contrast to VRRP active ownership.
• The configuration synchronization roles are independent of the device redundancy operation mode (Active/Backup). You need to set the primary device as the configuration master.
• Configuration synchronization considers the VRRP status when rebooting the slave device (after configuration changes that require a reboot). If the configuration slave is the VRRP active device, the reboot is suppressed to avoid an unnecessary failover that would disrupt connections. The master waits for the VRRP role to switch over and only then issues the reboot.
Activating Configuration Synchronization Pre-requisites For automatic configuration synchronization, the master and slave devices must match on the following: 1. Hardware platform type: master and slave must use the same hardware platform. 2. Memory size. 3. License: license upgrades must be performed manually on both devices, as each license is bound to a specific machine. 4. Software version: any software upgrade is performed manually on each device; during the upgrade, configuration synchronization must be disabled. 5. Network topology: parallel ports connected to the same subnets, with IP addresses matching crosswise. 6. Before the configuration is synchronized for the first time, there must be at least one matching IP interface (same subnet, same interface) on the two devices.
Example
A (Master): IP 1.1.1.1, Subnet mask 255.0.0.0, Port G-1, Peer Address 1.1.1.2
B (Slave): IP 1.1.1.2, Subnet mask 255.0.0.0, Port G-1, Peer Address 1.1.1.1
Notes: >> Verify all of the above before enabling configuration synchronization on your devices. >> The master device checks all of the above conditions (except number 5, which is the user's responsibility) and does not start synchronization if one of them is not satisfied.
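A pre-flight for the six prerequisites and the crosswise match shown in Example A/B, as an added example written for this edit (not Radware code; the checks the master runs are internal to the device and not exposed as an API). The `Device` and `IpInterface` fields, the port names and the sample values are assumptions. It reports the first failing condition in the order the Incompatibility Status monitoring value lists them, confirms that at least one interface pair matches crosswise (master's Peer IP equals the slave's address and vice versa), and lists master interfaces still lacking a Peer IP, skipping MNG-1/MNG-2 when Exclude Management IP is on.

```python
"""Pre-flight for configuration synchronization: the compatibility conditions
the master checks (hardware platform, memory, license, software version,
initial IP interface match) and the crosswise interface match that is left to
the administrator.  Added illustration for this guide, not Radware code; the
field names and the sample devices are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_interface
from typing import List, Optional, Tuple

MANAGEMENT_PORTS = {"MNG-1", "MNG-2"}


@dataclass(frozen=True)
class IpInterface:
    address: str                        # "1.1.1.1/255.0.0.0", as in Example A/B
    port: str                           # "G-1"
    peer_address: Optional[str] = None  # Peer IP: the slave's address on this port


@dataclass
class Device:
    name: str
    platform: str
    memory_mb: int
    license: str        # licensed feature set; the key itself is per machine
    software: str
    interfaces: List[IpInterface] = field(default_factory=list)


def matching_interfaces(master: Device, slave: Device) -> List[Tuple[str, str, str]]:
    """Interfaces on the same port and subnet whose addresses match crosswise:
    the master's Peer IP is the slave's address and vice versa."""
    pairs = []
    for m in master.interfaces:
        mi = ip_interface(m.address)
        for s in slave.interfaces:
            si = ip_interface(s.address)
            if (m.port == s.port and mi.network == si.network
                    and m.peer_address == str(si.ip) and s.peer_address == str(mi.ip)):
                pairs.append((m.port, str(mi.ip), str(si.ip)))
    return pairs


def incompatibility(master: Device, slave: Device) -> Optional[str]:
    """First failing condition, named as the Incompatibility Status value lists
    them; None means the master would start synchronizing."""
    checks = [("Hardware platform", master.platform == slave.platform),
              ("Memory size", master.memory_mb == slave.memory_mb),
              ("License", master.license == slave.license),
              ("Software version", master.software == slave.software),
              ("Initial configuration", bool(matching_interfaces(master, slave)))]
    for reason, ok in checks:
        if not ok:
            return reason
    return None


def interfaces_without_peer(master: Device, exclude_management: bool = True) -> List[str]:
    """Every synchronized master IP interface needs a Peer IP; with Exclude
    Management IP enabled (the default) MNG-1/MNG-2 interfaces are skipped."""
    return [i.address for i in master.interfaces
            if not i.peer_address
            and not (exclude_management and i.port in MANAGEMENT_PORTS)]


def preflight(master: Device, slave: Device) -> Tuple[bool, List[str]]:
    """True when the pair is ready to have Device Role set; otherwise the list
    of problems to fix first."""
    problems = []
    reason = incompatibility(master, slave)
    if reason:
        problems.append("incompatible: " + reason)
    for addr in interfaces_without_peer(master):
        problems.append("no Peer IP for master interface " + addr)
    return (not problems, problems)
```

Because the master treats a missing initial interface match as the Disconnected state rather than a clear error, running `preflight` against the intended configuration before enabling the feature saves a round of guessing at the monitoring screen.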
Starting to Configure
To start configuration synchronization 1. On the master device, set the Device Role to Master and configure the Synchronization Session Password with the same value that you used on the slave device. Within a few seconds the devices start to synchronize with each other. This process triggers a reboot of the slave device. 2. On the slave device, set the Device Role to Slave and configure a new value for the Synchronization Session Password (for security purposes, the initial password is randomly generated). 3. When the slave device comes up from the reboot, the devices finish the synchronization process and their configurations match. From then on, each configuration change made on the master device is synchronized to the slave device.
Notes: >> For each IP interface configured on the master device, a Peer IP address must be configured (to be used as the IP interface on the slave device). >> You can monitor the synchronization state on the master device; it should show In-Sync. See Configuration Synchronization Monitoring, page 153. >> Configurations requiring a reboot only take effect on the slave after you have rebooted the master device (which then automatically reboots the slave). Additional configuration synchronization parameters can be modified; see Configuration Synchronization Settings, page 150. The configuration synchronization status and statistics can be monitored continuously; see Configuration Synchronization Monitoring, page 153.
Slave Device Behavior While online configuration synchronization is enabled, the slave device cannot be configured directly by the user, with the exception of a few parameters that are not synchronized and can therefore be configured directly on the slave device. These parameters are marked on both the master and slave devices. Examples of parameters that are not synchronized: Device Name, VRRP Global Status, OSPF Router ID, Layer 2 Interface parameters. On a slave device you can also perform software and license upgrades, reset statistics and clear tables, run any non-configuration commands (such as ping, telnet, etc.), perform troubleshooting operations (filter the client table view, configure diagnostics and retrieve files), and configure the CLI terminal.
Configuration Synchronization Settings
To configure Configuration Synchronization Settings 1. From the main menu, select Redundancy > Configuration Synchronization > Settings. The Configuration Synchronization Settings window appears. 2. Set the parameters.
Device Role: The role that this device plays in configuration synchronization: • None (default): the device does not participate in configuration synchronization. • Master: only this device is configurable, and it synchronizes the slave device. • Slave: this device receives its configuration from the Master device; on a device in Slave mode, only a change of its synchronization role and a reboot can be performed.
Synchronization Session Password: The password used to establish the SSH session between the devices for configuration synchronization. The same value must be configured on both devices (master and slave) to allow session establishment.
Connection Preference: The IP interface through which configuration synchronization communication with the peer device should be established. Values: • Any: the device tries to establish connectivity via any of its IP interfaces. • Any MNG IP: the device tries to establish connectivity via any of its IP interfaces configured on dedicated MNG ports. • A specific device IP interface. Only IP interfaces for which a Peer IP Address is configured are eligible. Note: If the Connection Preference is changed while the configuration synchronization communication between the devices is active, the Reconnect Slave command must be performed to make the devices connect via the new preferred interface.
Alternate Connection Preference: The IP interface through which configuration synchronization communication with the peer device should be established when the interface defined as the first Connection Preference is not available. Values: • None: no alternate connection. • Any: the device tries to establish connectivity via any of its IP interfaces. • Any MNG IP: the device tries to establish connectivity via any of its IP interfaces configured on dedicated MNG ports. • A specific device IP interface. Only IP interfaces for which a Peer IP Address is configured are eligible.
Allow Active Slave Reboot (Master role): Whether the slave device may be rebooted, because of configuration changes that require a reboot, while it is the active device (redundancy-wise). Default: Disabled.
Peer Connectivity Timers (sec):
Slave Connect Interval (Master role): The interval at which a master device tries to establish connectivity to a disconnected slave. Default: 15 sec.
Keep Alive Interval (Master role): The interval at which a master device sends keep-alive messages to the slave to maintain connectivity. Default: 120 sec.
Slave Response Timeout (Master role): If the slave device does not answer a connection attempt or keep-alive message within this timeout, it is considered disconnected. Default: 20 sec.
Slave Reboot Timeout (Master role): If the slave device does not answer a connection attempt within this timeout after it was rebooted, it is considered disconnected. Default: 240 sec.
Peer Disconnect Alert Delay (Master or Slave role): A trap alerting on a slave disconnection is sent only after the slave has been disconnected for this period (to avert flip-flops). Default: 60 sec.
Master Communication Timeout (Slave role): If the slave device does not receive communication from the master for this period, the master is considered disconnected. Default: 180 sec.
Exclude from Synchronization:
Exclude Management IP (Master role): IP interfaces defined on the management ports MNG-1 and MNG-2. You can decide whether to synchronize the management interfaces. Values: Enabled (default) / Disabled.
Exclude Secured Management Settings (Master role): Whether to synchronize the secure management interface settings and the certificates they use. These include the secure Web Based Management and SSH. Values: Enabled (default) / Disabled.
3. Click Set. Your configuration is set.
Configuration Synchronization Monitoring This feature includes monitoring values related to the configuration synchronization feature. They apply to both master and slave devices
To view Configuration Synchronization Monitoring From the main menu, select Redundancy > Configuration Synchronization > Monitoring. The Configuration Synchronization Monitoring window appears displaying the following states and counters.
Parameter
Description
Synchronization State
The current state of the configuration synchronization. Values for Master devices: • Sync-off - Disabled • Disconnected - indicates that config-sync feature is enabled on your device, but synchronization did not yet occur • Master-connected - Master and slave are In Synchronization, and everything you configure on master will be configured automatically on the slave. • No-master - No master connected. • Synchronizing - both devices are synchronizing for the first time and this state will take a few minutes until they get into In-Sync state, (until all configuration will be sent to the slave, and the slave reboots). • In-Sync - Slave and Master devices are synchronized. • Incompatible - the devices are not compatible. True master-slave matching has not occurred or the slave's device-role is not configured as a slave. To find the problem, first check the monitoring scalar of "incompatibility". It will give you a reason why the devices are not incompatible due to a hardware, software or configuration problem. • Cannot-Sync- this usually indicates a configuration problem. For example, a master device tried to configure the slave, but a command failed. Check the logs and after the fix, you need to set the master's mode to disabled, and then back to "Master". • Pending-VRRP-switch - pending failover • Out-Of-Sync - this state is useful when you have a single farm failure in the In-Sync state. Normally, Full sync triggers immediately, and may result in reconfiguring the device. Out-ofSync allows you to carry on configuring other farms until the timeout expires. Values for Slave devices: • Disabled • Disconnected (for explanation, see above) • Master-Connected (for explanation, see above)
Incompatibility Status
The reason the master and slave are incompatible. Applies only to the master device, and only if the current state is Incompatible or Disconnected.
Values:
• Hardware platform
• Memory size
• License
• Software version
• Initial configuration (applies to the Disconnected state; the slave refuses to connect in this case)
• Slave compatibility is not established
Notes:
• If there is more than one reason, the first reason detected is displayed.
• Slave compatibility is not established when configuration synchronization is not activated.
Synchronization IP Interface
The current IP interface used for communication with the peer device. If the devices are disconnected, the value is null (0.0.0.0).
Peer IP
Displays the synchronization peer IP. • For synchronization master devices, the slave IP is displayed. • For synchronization slave devices, the master IP is displayed.
Peer Base MAC
The base MAC of the configuration synchronized peer device that is currently logged in or has last logged in. Used as the unique identifier of the peer device. Set to null, if the peer was never connected.
Configuration Timestamp
The last time the configuration was successfully propagated from the master to the slave.
Availability Status
Availability for receiving configuration changes. When AppDirector is unavailable and acts as a slave, it refuses to accept configuration changes. Values:
• Available
• axDown (unavailable because the acceleration engine is down)
• Unavailable
Device Should Reboot
Indicates whether changes were made to the configuration that require the device to be rebooted. Values: True/False
For Master Devices Only
Last Configuration Synchronization
The last time that the configuration was successfully propagated from the master to the slave. The configuration synchronization can be either individual or full synchronization. Default: 0
Last Full Configuration Synchronization
The last time that a full synchronization was successfully performed. Default: 0
Discrete Synchronization Attempts
The number of successful individual synchronization operations since last full synchronization. Default: 0
Full Synchronization Operations
The number of successful full synchronization operations since configuration synchronization was last enabled or since the last reboot (whichever is later). Default: 0
Number of Successful Connections
The number of successful individual synchronization operations since the last full configuration synchronization. Default: 0
Synchronization Failures
The number of synchronization operations (individual or full) that failed since the last enablement or reboot (whichever is later). Only operations that failed because the application could not update the slave device are counted; disconnections, connection setup failures, failed compatibility checks and the inability to reboot the slave because it was the VRRP active device are not included. Default: 0
Disconnections
The number of times the peer was disconnected since the last enablement or reboot (whichever is later). Default: 0
Slave Configuration version (Master only)
Version/timestamp of the last time the configuration was modified on the master, which has not necessarily been propagated to the slave yet. If this value is identical to the slave's configuration version, the two devices are in sync. Default: 0
Reset Slave Device
When changes performed on the configuration master require a device reboot to become active, or when a full synchronization is performed, the slave device must be rebooted. To avoid an unnecessary failover and the disruption of forwarded connections, the master device does not reboot the slave device if the slave is the VRRP active device. In that case a full synchronization is still required, and configuration synchronization is suspended until VRRP control returns to the configuration master; only then does the full synchronization occur. This behavior can be overridden by the configuration flag Allow Active Slave Reboot. When this flag is enabled, the configuration master disregards the VRRP status and reboots the slave device whenever configuration synchronization requires it.
For configuration changes that require a reboot (such as table size tuning), the master device updates the slave with the change like any other change, but does not reboot the slave immediately. Instead it waits until it is rebooted itself, because until then the change has not taken effect on either device and the configurations are still in synchronization. When the master device comes online after the reboot, a self-check shows that it has a more up-to-date configuration (because of the reboot) and a full synchronization occurs.
If a configuration change requiring a reboot was performed and the slave device was rebooted for any reason (manually, because of a crash, or because of a full synchronization after a connection loss) before the master device was rebooted, the slave device now has a more up-to-date configuration than the master. This is the only case in which this occurs.
Manually Resetting a Slave Device
From a device with the Master role, the user can reboot a Slave device. This overrides a disabled Allow Active Slave Reboot flag and forces a slave device reboot.
To manually reset a Slave device
1. From the main menu, select Redundancy > Configuration Synchronization > Monitoring > Reset Slave. The Reset Slave Device window appears.
2. Click Set for Reboot Slave (master only). The slave device is reset.
Reconnect
From a device with the Master role, the user can force a reconnect to the slave device. Use this when you have changed the interface through which the config-sync connection should be established.
To reconnect to the slave from the Master device
1. From the main menu, select Redundancy > Configuration Synchronization > Monitoring > Reconnect. The Reconnect window appears.
2. Click Set for Reconnect to Slave (master only). The slave is reconnected.
Chapter 3 – Traffic Management and Application Acceleration
This chapter introduces concepts for load balancing and application acceleration (when enabled) and explains how to configure your data center for traffic management policies. It includes these topics:
• Configuring Farms, page 159
• Configuring Servers, page 170
• Traffic Management Policies, page 183
• SSL Offloading and Authentication, page 194
• Application Acceleration, page 217
• Layer 7 Traffic Management, page 228
• Layer 7 Modification, page 238
• Layer 7 Server Persistency, page 252
• Client Table Management, page 264
• Network Address Translation (NAT), page 274
• Configuring AppDirector Advanced Global Parameters, page 289
The following workflow helps you to understand how to configure traffic management and acceleration for AppDirector and distinguishes between Acceleration enabled and disabled functionalities.
AppDirector load balances traffic to application servers that provide various application services, such as FTP, Web, Mail, ERP, CRM, Streaming, VoIP, etc. To receive the requested service, traffic is directed to a homogeneous and redundant group of servers. This is managed by AppDirector, which decides:
• To which group of servers to direct the request, to provide the service required by the client.
• To which server within that group to direct the traffic, to optimize the service provided and ensure its operation.
The main elements involved in configuring server load balancing on AppDirector are:
1. Farm - A group of application servers that provide the same service. A farm can provide multiple services and a server can be part of multiple farms.
2. Virtual IP (VIP) - A single point of entry through which clients can access a variety of services.
3. Layer 7 Policy - A set of rules that select a farm based on application data (Layer 7).
4. Layer 4 Policy - A set of rules that select a farm based on Layer 4 data and, if required, Layer 7 data (by linking to a Layer 7 Policy), and that activate application acceleration capabilities. The Layer 4 data used to classify traffic via Layer 4 Policies is:
a. Destination IP (VIP)
b. Layer 4 Protocol (TCP, UDP, ICMP, SCTP, Any or Other)
c. Layer 4 Port
d. Source IP Range
When traffic reaches the service's point of entry (the VIP), AppDirector matches the Layer 4 data in the packet against the Layer 4 Policies configured on the device until the best match is found. Once a matching Layer 4 Policy is found, the device processes the traffic according to the services required by that policy. As an example, the following actions are performed when processing HTTPS traffic:
1. SSL processing is performed by AppDirector, if required, to off-load it from the servers.
2. If HTTP caching is enabled and the requested object is in the cache, AppDirector responds from the cache to off-load the servers. In this case steps 3-5 do not apply.
3. If a Layer 7 Policy is attached, the device inspects the application request for the Layer 7 Policy criteria to select the target farm; otherwise the target farm is the one attached directly to the Layer 4 Policy.
4. Traffic is forwarded to the server within the target farm best able to deliver the requested service.
5. If HTTP caching is enabled, objects from the response are cached according to the configuration.
6. The HTTP response is compressed if required.
7. The response is SSL encrypted before being sent to the client.
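The following is an added worked example of the Layer 4 classification described above; it is not AppDirector code. The policy fields are the four listed in the text (destination VIP, Layer 4 protocol, Layer 4 port, source IP range). The guide does not say how AppDirector chooses the best match when several policies apply, so the "most specific policy wins" ranking used here is an assumption, and the VIP, policies and packets are constructed sample data.

```python
"""Layer 4 policy classification at a VIP (added illustration, not AppDirector code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class L4Policy:
    name: str
    vip: str                 # destination IP (the VIP)
    protocol: str            # "TCP", "UDP", "ICMP", "SCTP" or "Any"
    port: Optional[int]      # None means any Layer 4 port
    src_range: str           # CIDR source range; "0.0.0.0/0" means any source
    farm: str                # farm attached directly to this policy


def matches(p: L4Policy, dst_ip: str, proto: str, port: int, src_ip: str) -> bool:
    """True when every constrained field of the policy agrees with the packet."""
    if p.vip != dst_ip:
        return False
    if p.protocol != "Any" and p.protocol != proto:
        return False
    if p.port is not None and p.port != port:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(p.src_range)


def specificity(p: L4Policy) -> tuple:
    """Assumed ranking for "best match": a fixed protocol beats Any, a fixed
    port beats any port, and a narrower source range (longer prefix) beats a
    wider one. Tuples compare element by element, so this is the sort key."""
    return (p.protocol != "Any", p.port is not None,
            ipaddress.ip_network(p.src_range).prefixlen)


def best_match(policies, dst_ip, proto, port, src_ip) -> Optional[L4Policy]:
    candidates = [p for p in policies if matches(p, dst_ip, proto, port, src_ip)]
    return max(candidates, key=specificity) if candidates else None


# Constructed sample policies for one VIP. The catch-all exists so that traffic
# matching no specific policy still lands on a known farm instead of an undefined path.
VIP = "192.0.2.10"
POLICIES = [
    L4Policy("catch-all", VIP, "Any", None, "0.0.0.0/0", "default-farm"),
    L4Policy("https", VIP, "TCP", 443, "0.0.0.0/0", "web-https"),
    L4Policy("https-admin", VIP, "TCP", 443, "10.0.0.0/8", "admin-https"),
    L4Policy("dns", VIP, "UDP", 53, "0.0.0.0/0", "dns-farm"),
]


def classify(proto: str, port: int, src_ip: str) -> str:
    """Return the farm selected for a packet to the sample VIP."""
    p = best_match(POLICIES, VIP, proto, port, src_ip)
    return p.farm if p else "no-policy"


if __name__ == "__main__":
    for packet in [("TCP", 443, "10.1.2.3"), ("TCP", 443, "198.51.100.4"),
                   ("UDP", 53, "198.51.100.4"), ("TCP", 8080, "198.51.100.4")]:
        print(packet, "->", classify(*packet))
```

Note that the same HTTPS packet lands on admin-https or web-https depending only on the source range; when reviewing a policy set, check that a wide catch-all policy does not silently absorb traffic you meant to reject.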
Configuring Farms
This section describes how to configure Farms for AppDirector operations. Topics include:
• Farm Parameters, page 159
• Additional HTTP Connectivity Checks Parameters, page 167
• No HTTP Service Page, page 168
Farm Parameters A server farm is a group of networked servers that provide the same service. Servers contained in a server farm can be placed in different physical locations, belong to different vendors, or have different capacities. Differences between servers within a farm are transparent to clients. If all the servers within a group provide the same service managed by the AppDirector device, this group can be defined as an AppDirector server farm. A server providing multiple services can be used in multiple farms. For example, Server 3 (S3), as shown in this figure, provides Web service in one farm and FTP service in another server farm.
Figure: Web Farm (S1, S2, S3) and FTP Farm (S3, S4, S5, S6); S3 belongs to both farms.
To add or edit a server farm
1. From the AppDirector menu, select Farms > Farm Table. The Farms Table window appears. Select the desired farm name. The Farm Table Update window appears.
2. Set the parameters.
Parameter
Description
Farm Name
Name of the farm (read-only in Edit mode).
Status
Can be one of the following options:
• Enable: Farm is active. All users are balanced between the servers.
• Disable: Farm is inactive. Clients connecting to the farm cannot be served.
Dispatch Method
Method used to determine the server to which traffic is directed:
• Cyclic: Directs traffic to each operational server in turn (round robin).
• Weighted Cyclic: Uses the Weighted Round Robin algorithm. AppDirector distributes client requests for service in round-robin manner, taking the weight of the servers in the farm into consideration: every new session is sent to the current server until that server's weight is reached, then the next server is used. For example, if one server has a weight of 2 and another has a weight of 5, the first two sessions are sent to #1 and the next five to #2. Sessions eight and nine are sent to #1 again, ten to fourteen to #2, and so on.
• Least Amount of Traffic: Directs traffic to the server with the least traffic belonging to this farm (relevant when a server belongs to multiple farms). Server weights are also considered.
• Fewest Number of Users: Directs traffic to the server with the fewest users belonging to this farm (relevant when a server belongs to multiple farms). Server weights are also considered.
• Least Amount of Traffic Local: Directs users to the server with the least traffic. Server weights are also considered.
• Fewest Number of Users Local: Directs users to the server with the fewest users. Server weights are also considered.
• nt-1: AppDirector queries the farm's servers for Windows NT SNMP statistics and directs new sessions to the least busy server according to the reported statistics.
• nt-2: Similar to nt-1, but using the second weights scheme.
• private-1: AppDirector queries the farm's servers for private SNMP parameters, as defined in the first private weights scheme. The ratio of users on the servers is balanced according to the reported statistics.
• private-2: Similar to private-1, but using the second weights scheme.
• Response Time: Enables Response Time load balancing, which directs traffic to the least loaded server in the farm as calculated by the Response Level. Server weights are also considered. Note: For the Response Time dispatch method to work properly, you need to create a health check that also measures response time for each server. See Binding, page 347.
• Hashing: AppDirector selects a server for a session using a static hash function. This lets AppDirector repeatedly direct requests from the same client to the same server within a farm, even after the client entry has aged, as long as the server is still in service. This dispatch method also suits reverse proxy Web farms, avoiding data replication among the proxy servers. The input to the hash function is usually the client IP only; a formula is applied to the address and the output is a numeric value. For SIP traffic the input is either the Call-ID or the Request-URI (configurable); for RADIUS traffic the input is a user-defined RADIUS attribute value. Note: When the hash result points to a server whose status is Not In Service, a second hash is used to select an available server for the session.
Sessions Mode
The method used to handle new sessions:
• Regular: All sessions from the same client IP to the same service (VIP + protocol + port) are forwarded to the same server.
• Entry Per Session: All sessions from the same client IP to the same service (VIP + protocol + port) are forwarded to the same server, but each session is recorded in the client table, providing more accurate minimum-load balancing.
• Server Per Session: Different sessions opened by a client IP are served by different servers, according to the load balancing algorithm. This improves load distribution but may break applications that depend on being served by the same server, and may overload internal tables.
• Remove on Session End - EPS: After a TCP client session ends, the client's entry is removed from the Client Table after 5-6 seconds. This automatically enables Entry Per Session.
• Remove on Session End - SPS: After a TCP client session ends, the client's entry is removed from the Client Table after 5-6 seconds. This automatically enables Server Per Session.
Aging Time [sec]
Amount of time a non-active session is kept in the client table (in seconds). As long as a session is kept in the client table, the client is connected to the same server.
Bandwidth Limit
Maximum amount of bandwidth in Kbps allowed for this farm. If traffic through the farm exceeds the configured limit for any given second, AppDirector drops excess packets. Note: Bandwidth Limit is measured in Kbps, so 1Mbps is represented with a bandwidth limit of 1000. A value of 0 = no bandwidth limit. Default: No Limit.
Connectivity Checks
Connectivity Check Method
The method used to check server availability. Values: No Checks, Ping, TCP Port, UDP Port and HTTP Page. With Ping, AppDirector pings the servers to validate communication. With HTTP Page, AppDirector tries to retrieve the web page configured in the Home Page field from the servers. With TCP Port or UDP Port, AppDirector attempts to connect to the specified application port using that protocol.
Connectivity Check Retries
Number of polling attempts made before a server is considered inactive.
Connectivity Check Interval
How often the device polls the servers (seconds).
Connectivity Check Port
The port on which the connectivity check is performed. Values: FTP, HTTP, SMTP, DNS, NNTP, HTTPS, RTSP, RADIUS, or any port number you enter manually. For example, HTTP automatically checks port 80.
Extended Check Frequency
To avoid unnecessary web page requests, the HTTP Page connectivity check retrieves the page only periodically: once in every number of polls set by this frequency, the web page is requested; otherwise a simple TCP check on port 80 is performed.
Authorized User Name
Used for protected HTTP page checks.
Authorized Password
Used for protected HTTP page checks.
Home Page
With the HTTP Page check method, the default web page retrieved from the servers. If this web page is unavailable, the server is considered down.
Connection Denials (Read-Only)
Number of times a connection to this farm was denied.
Operational Status (Read-Only)
The Farm Operational Status OID is calculated according to these rules:
Active when:
• (Farm Status is Enabled) AND (at least one farm server is Active).
Not In Service when:
• (Farm Status is Disabled) OR (no farm server has Operational Status Active, that is, all are Not In Service or No New Sessions).
Note: When the Farm Operational Status changes, the device sends a trap.
3. Click Set. Your configuration is set.
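The following added example works through two of the Dispatch Methods in the farm table above, Weighted Cyclic and Hashing (with the weighted Fewest Number of Users variant included for comparison). It is illustration code, not AppDirector's implementation: the Server and Farm classes, the use of SHA-256 as the static hash, the "users per weight" reading of "server weights are also considered", and the way the second hash picks a fallback among the operational servers are all assumptions. The two-server farm with weights 2 and 5 is the one from the Weighted Cyclic description; the client IP is constructed.

```python
"""Farm dispatch methods, Weighted Cyclic and Hashing (added illustration, not AppDirector code)."""
import hashlib
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    weight: int = 1
    in_service: bool = True
    users: int = 0          # current users, for Fewest Number of Users


class Farm:
    def __init__(self, servers):
        self.servers = list(servers)
        self._rr_position = 0   # position in the weighted round-robin cycle

    def operational(self):
        return [s for s in self.servers if s.in_service]

    def weighted_cyclic(self) -> Server:
        """Weighted Round Robin: each operational server receives `weight`
        consecutive new sessions before the next server is used."""
        cycle = [s for s in self.operational() for _ in range(max(1, s.weight))]
        if not cycle:
            raise RuntimeError("farm is Not In Service")
        chosen = cycle[self._rr_position % len(cycle)]
        self._rr_position += 1
        return chosen

    def fewest_users(self) -> Server:
        """Fewest Number of Users with weights considered (assumed as users per
        unit of weight): the lowest ratio wins."""
        ops = self.operational()
        if not ops:
            raise RuntimeError("farm is Not In Service")
        return min(ops, key=lambda s: s.users / max(1, s.weight))

    def hashing(self, key: str) -> Server:
        """Static hash of the key (client IP, or SIP Call-ID / RADIUS attribute)
        over the whole farm, so a client maps to the same server even after its
        client table entry has aged. If that server is Not In Service a second
        hash is taken over the operational servers only (assumed fallback)."""
        digest = hashlib.sha256(key.encode()).digest()
        primary = self.servers[int.from_bytes(digest[:4], "big") % len(self.servers)]
        if primary.in_service:
            return primary
        ops = self.operational()
        if not ops:
            raise RuntimeError("farm is Not In Service")
        return ops[int.from_bytes(digest[4:8], "big") % len(ops)]


def weighted_sequence(n: int = 14):
    """Server names chosen for the first n sessions with weights #1=2 and #2=5."""
    farm = Farm([Server("#1", weight=2), Server("#2", weight=5)])
    return [farm.weighted_cyclic().name for _ in range(n)]


def hash_fallback_demo(client_ip: str = "203.0.113.42"):
    """Same client before, while and after its hashed server is out of service."""
    farm = Farm([Server("s1"), Server("s2"), Server("s3")])
    first = farm.hashing(client_ip)
    first.in_service = False
    fallback = farm.hashing(client_ip)
    first.in_service = True
    restored = farm.hashing(client_ip)
    return first.name, fallback.name, restored.name


if __name__ == "__main__":
    print(weighted_sequence())
    print(hash_fallback_demo())
```

Because the primary hash is taken over the full server list rather than only the operational servers, a client returns to its original server once that server is back in service; hashing over the operational list only would reshuffle every client each time a server changed state.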
Additional Farm Parameters You can use the Extended Parameters window to configure additional server farm information.
To configure extended farm parameters
1. From the AppDirector menu, select Farms > Extended Parameters. The Extended Farm Parameters window appears.
2. Select a farm. The Extended Farm Parameters Update window appears.
3. Set the parameters.
Parameter
Description
Farm Name (Read-Only)
Name of the farm.
Connection Management
Close Session At Aging
Specifies whether, when a TCP session ages, the device sends a RESET to the client, the server, or both. Values:
• Server side - Gracefully close the server-side connection when the session ages.
• Client side - Gracefully close the client-side connection when its persistency entry ages out of the client table.
• Client & Server side - When Client Aging expires for a specific session, AppDirector removes the Client Table entry for the session and sends a RESET to the server to close the associated port (applicable to TCP sessions only).
• Disabled
Connection Limit Exception
When enabled, AppDirector allows the Connection Limit configured for a server to be exceeded when an existing client opens new sessions that must be served by the same server, for example under Entry Per Session or Client Grouping Mask. Default: Disabled
Reset Client on Server Failure
When enabled, AppDirector closes the connection with the client by sending it a RESET when the server is detected to be down. Default: Disabled. Note: This cannot be enabled on a Regular farm; it requires one of the EPS or SPS Layer 4 modes, in which every session has its own client table entry.
Client NAT
Client NAT Address Range
Range of NAT addresses, based on the NAT Address Table, to be used for this farm. A client with an IP address within the Client NAT Range, approaching the farm, is NATed according to the selected NAT Address Range. Also see Client NAT Addresses, page 276.
Add X-Forwarded-For to HTTP requests
When Client NAT is used, the source IP address is replaced by the NAT address, so the server cannot know the identity of the original client. To solve this, AppDirector can insert an X-Forwarded-For header carrying the original client address in the traffic forwarded to the server. Because clients can send an X-Forwarded-For header of their own, servers should rely on this header only for requests arriving from the Client NAT addresses. Default: Disabled
HTTP Persistency
Insert Cookie for HTTP Persistency
When enabled, AppDirector supports client-server persistency for HTTP where the server does not insert a cookie into the reply, or where the replies from all servers contain the same cookie. Persistency is maintained using cookies that AppDirector generates automatically and inserts in the replies to the client. The field has three modes:
• Enabled
• Disabled (default)
• Enable and Remove Cookie on Return Path: cookies previously inserted by AppDirector are removed from client requests before they are forwarded to the server.
Select Server Per Transaction
Defines whether a new server is selected for each transaction (Enabled). Default: Enabled.
SSL Persistency
SSL ID Tracking
See SSL Persistency, page 261. When SSL ID Tracking is enabled, AppDirector keeps track of SSL Session IDs to ensure that all sessions with the same SSL ID are served by the same server, even when the Server Per Session client table mode is used.
SSL ID Aging
The amount of time a non-active client is kept in the client table (in seconds). As long as a client is kept in the client table, the client is connected to the same server. You can configure this as part of the farm configuration. The default value is 120 seconds. Allowed values are from 1 second to 65,535 seconds.
RADIUS Persistency
RADIUS Attribute
The RADIUS attribute required to maintain persistency for RADIUS sessions. Remote Authentication Dial-In User Service (RADIUS) attributes define specific authentication, authorization and accounting (AAA) elements in a profile stored on the RADIUS daemon. Values: 0 (default; no RADIUS attribute is learned) to 255
Radius Secret
Used for the RADIUS connectivity check on the farm. When the farm is a RADIUS server farm, the RADIUS secret must be configured to allow access to the farm.
RADIUS Proxy Attribute
When the RADIUS servers that AppDirector manages operate as proxies and forward access/accounting requests to another RADIUS server, the RADIUS Proxy attribute allows AppDirector to ensure that the RADIUS responses are sent to the correct proxy server. The attribute must be inserted by the proxy RADIUS servers before forwarding the request, and its first 4 bytes must be the server IP in hex format. Values: 0 (default; disabled) to 255
SIP Persistency
Hash Parameter for SIP
To maintain client-server persistency in SIP sessions, the device searches for the Call-ID header in the SIP message and selects an available server based on a static hash performed on the Call-ID. If the farm is part of a Layer 4 Policy, the input to the hash function is the requested URL. Default: Call-ID
No Service Page
No Service Page HTTP Code
The HTTP status code used for the "Sorry" page response sent when this farm is unavailable. Values:
• 100 Continue
• 200 OK (default)
• 202 Accepted
• 204 No Content
• 205 Reset Content
• 206 Partial Content
• 300 Multiple Choices
• 301 Moved Permanently
• 302 Moved Temporarily
• 304 Not Modified
• 400 Bad Request
• 401 Unauthorized
• 402 Payment Required
• 403 Forbidden
• 404 Object Not Found
• 503 Service Unavailable
Backend SSL
Backend SSL State
Overrides the back-end SSL settings of the SSL policy and forwards traffic to this farm's back-end servers in clear text. This is needed when SSL offloading is configured on the front-end and the SSL policy specifies back-end SSL encryption, but some of the farms selected by Layer 7 services must receive clear text. Values:
• Override to Clear text
• Respect SSL Policy (default)
Standard Acceleration
Transparent Server
You can enable AppDirector to manage AppXcel devices. Values:
• Disabled
• Enabled
• Front-End AppXcel Farm: The farm is an AppXcel farm used as a front end.
• TCP Splitting: The farm is the back-end farm.
4. Click Set. Your configuration is set.
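The following added example works through two of the extended farm parameters above, Add X-Forwarded-For to HTTP requests (together with Client NAT) and Insert Cookie for HTTP Persistency with its Remove Cookie on Return Path mode. It is illustration code, not AppDirector's implementation: the cookie name ADPERSIST, the HMAC-tagged cookie value, the NAT address, the trusted-proxy set and the sample requests are all constructed assumptions. The server-side helper client_ip_from_xff goes beyond the guide; it shows how the receiving application should read X-Forwarded-For so that a value supplied by the client cannot spoof its address.

```python
"""Client NAT + X-Forwarded-For, and persistency cookie insertion/removal (added illustration)."""
import hashlib
import hmac

COOKIE_NAME = "ADPERSIST"                                   # assumed cookie name
COOKIE_KEY = b"constructed-example-key-rotate-in-production"  # assumed per-device secret


def forward_request(headers: dict, client_ip: str, nat_ip: str, add_xff: bool):
    """Client NAT replaces the source address with nat_ip; when the farm flag is
    enabled the original client address is carried in X-Forwarded-For. The value
    is appended, not overwritten, so an upstream proxy chain stays visible."""
    out = dict(headers)
    if add_xff:
        prior = out.get("X-Forwarded-For")
        out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    return nat_ip, out


def client_ip_from_xff(peer_ip: str, xff: str, trusted_proxies: set) -> str:
    """Server side. Use X-Forwarded-For only when the TCP peer is a trusted proxy
    (the Client NAT address), and then take the rightmost address that is not
    itself a trusted proxy. Anything left of that was supplied by the client."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return peer_ip


def _tag(server_id: str) -> str:
    return hmac.new(COOKIE_KEY, server_id.encode(), hashlib.sha256).hexdigest()[:16]


def insert_cookie(response_headers: dict, server_id: str) -> dict:
    """Insert a persistency cookie only when the server set none itself. The value
    is an opaque farm-local server id plus an HMAC tag, so the cookie neither
    exposes the server's IP nor can be edited to pin a session to a chosen server."""
    out = dict(response_headers)
    if "Set-Cookie" not in out:
        out["Set-Cookie"] = f"{COOKIE_NAME}={server_id}.{_tag(server_id)}; Path=/; HttpOnly"
    return out


def select_server(request_headers: dict, remove_on_return_path: bool):
    """Return (server_id or None, headers to forward). With remove_on_return_path
    the inserted cookie is stripped so the application never sees it."""
    out = dict(request_headers)
    cookies = [c.strip() for c in out.get("Cookie", "").split(";") if c.strip()]
    chosen, kept = None, []
    for c in cookies:
        name, _, value = c.partition("=")
        if name == COOKIE_NAME:
            server_id, _, tag = value.rpartition(".")
            if server_id and tag.isascii() and hmac.compare_digest(tag, _tag(server_id)):
                chosen = server_id          # a forged or tampered tag is ignored
            if remove_on_return_path:
                continue
        kept.append(c)
    if kept:
        out["Cookie"] = "; ".join(kept)
    else:
        out.pop("Cookie", None)
    return chosen, out


NAT_IP = "10.0.0.1"          # constructed Client NAT address
TRUSTED = {NAT_IP}


def demo():
    # A client that tries to spoof its address by sending its own X-Forwarded-For.
    req = {"Host": "www.example.com", "X-Forwarded-For": "1.2.3.4"}
    src, fwd = forward_request(req, client_ip="203.0.113.7", nat_ip=NAT_IP, add_xff=True)
    seen_by_server = client_ip_from_xff(src, fwd["X-Forwarded-For"], TRUSTED)
    # The server answered without a cookie; a persistency cookie for server "s2" is inserted.
    resp = insert_cookie({"Content-Type": "text/html"}, "s2")
    cookie = resp["Set-Cookie"].split(";")[0]
    chosen, stripped = select_server({"Cookie": f"lang=en; {cookie}"}, True)
    return seen_by_server, chosen, stripped.get("Cookie")


if __name__ == "__main__":
    print(demo())
```

The spoofed "1.2.3.4" survives in the header but is never selected, because the server walks the list from the right and stops at the first address that is not one of its trusted proxies; reading the leftmost entry, which many applications do, would hand the attacker control of the logged and access-controlled client address.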
Additional HTTP Connectivity Checks Parameters
When the HTTP Page connectivity check is used, you can configure additional parameters:
• Acceptable HTTP Codes
• Content Checks
Acceptable HTTP Codes This defines up to 10 HTTP codes that when included in server response indicate a healthy server.
To add or edit an Acceptable HTTP Response Code
1. From the AppDirector menu, select Farms > HTTP Codes. The Acceptable HTTP Codes window appears.
2. When adding a new code, click Create. The Acceptable HTTP Codes Create window appears.
3. From the Acceptable HTTP Code drop-down list, select the acceptable code.
4. When editing, select the required farm. The Acceptable HTTP Codes Update window appears.
5. Set the parameters.
Parameter
Description
Farm Name
From the Farm Name drop down list field select a farm name.
Acceptable HTTP Code
Values:
• 100 Continue
• 200 OK
• 202 Accepted
• 204 No Content
• 205 Reset Content
• 206 Partial Content
• 300 Multiple Choices
• 301 Moved Permanently
• 302 Moved Temporarily
• 304 Not Modified
• 400 Bad Request
• 401 Unauthorized
• 402 Payment Required
• 403 Forbidden
• 404 Object Not Found
• 503 Service Unavailable
6. Click Set. The HTTP Code is added to the Acceptable HTTP Code Table
Note: The list must contain at least one code and can hold up to 10.
Content Checks
This defines strings whose presence in, or absence from, the retrieved HTTP page indicates a healthy server. AppDirector examines the HTTP header of the server response and considers responses with a user-defined HTTP status code to indicate a healthy server; you can configure which HTTP status codes are acceptable responses, and by default an HTTP code of 200 indicates service availability. Servers and applications can pass such health checks even when the content is not accurate (for example, corrupt or misplaced files), so AppDirector can also check content accuracy. There are several methods, including:
• An application-level health check using an HTTP GET request for a URL of your choice; the load balancer checks the returned Web page for accuracy.
• Scanning the page for certain keywords (shown here).
• Calculating a checksum and comparing it against a configured value.
For other applications, such as FTP, the load balancer can download a file and compute its checksum to check accuracy.
To configure new dynamic content checks
1. From the AppDirector menu, select Farms > Content Checks. The Content Checks window appears.
2. When creating, click Create. The Content Checks Create window appears.
3. When updating, select the required farm. The Content Checks window appears.
4. Set the parameters.
Parameter
Description
Farm Name
Name of the farm where the extended check is made.
Search String
The string to look for in the HTTP response.
Check Mode
Type of check to perform. Values:
• String Exists (default): Checks that the string is present in the response.
• String is Absent: Checks that the string is absent from the response.
5. Click Set. The string is added to the Content Check Table.
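The following added example ties together the HTTP Page connectivity check parameters from the farm table (Home Page, Connectivity Check Retries, Extended Check Frequency, Authorized User Name and Password) with the Acceptable HTTP Codes and Content Checks described in this section. It is illustration code, not AppDirector's health checker: the probe functions are injected so the code runs offline against constructed responses, HTTP Basic authentication is assumed as the scheme for the authorized user name and password, and the exact way AppDirector schedules the extended page retrieval and counts retries is an assumption (here only a successful page retrieval clears the retry counter, because a reachable TCP port says nothing about the application).

```python
"""HTTP Page connectivity check with acceptable codes and content checks (added illustration)."""
import base64
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple


@dataclass
class HttpPageCheck:
    home_page: str = "/"
    port: int = 80
    acceptable_codes: set = field(default_factory=lambda: {200})
    content_checks: list = field(default_factory=list)  # (search_string, "exists" | "absent")
    retries: int = 3             # failed polls before the server is considered inactive
    extended_frequency: int = 1  # retrieve the page every Nth poll; otherwise TCP check only
    user: Optional[str] = None   # Authorized User Name
    password: Optional[str] = None  # Authorized Password

    def request_headers(self) -> dict:
        """Protected pages: send HTTP Basic credentials (assumed scheme)."""
        if self.user is None:
            return {}
        token = base64.b64encode(f"{self.user}:{self.password or ''}".encode()).decode()
        return {"Authorization": f"Basic {token}"}


@dataclass
class ServerHealth:
    active: bool = True
    failures: int = 0
    polls: int = 0


def response_is_healthy(check: HttpPageCheck, status: int, body: str) -> bool:
    """Status must be on the acceptable list and every content check must hold."""
    if status not in check.acceptable_codes:
        return False
    for needle, mode in check.content_checks:
        present = needle in body
        if (mode == "exists" and not present) or (mode == "absent" and present):
            return False
    return True


def poll(check: HttpPageCheck, health: ServerHealth,
         tcp_probe: Callable[[int], bool],
         http_probe: Callable[[str, dict], Tuple[int, str]]) -> bool:
    """One polling cycle: a TCP check every time, the full page retrieval only on
    every extended_frequency-th poll. Returns this poll's outcome and updates health."""
    health.polls += 1
    full = (health.polls - 1) % check.extended_frequency == 0
    ok = tcp_probe(check.port)
    if ok and full:
        status, body = http_probe(check.home_page, check.request_headers())
        ok = response_is_healthy(check, status, body)
    if not ok:
        health.failures += 1
        if health.failures >= check.retries:
            health.active = False
    elif full:
        # Assumption: only a verified page clears the retry counter and restores the server.
        health.failures = 0
        health.active = True
    return ok


def run_scenario(extended_frequency: int = 1):
    """Constructed server: its port stays open and it answers 200, but the page
    carries an error banner for three polls before recovering. A status-only
    check would call this server healthy throughout; the content checks do not."""
    check = HttpPageCheck(home_page="/health", acceptable_codes={200, 302},
                          content_checks=[("Error", "absent"), ("OK", "exists")],
                          retries=3, extended_frequency=extended_frequency,
                          user="monitor", password="secret")
    bodies = iter(["Error: database down", "Error: database down",
                   "Error: database down", "OK", "OK"])
    health = ServerHealth()
    history = []
    for _ in range(5):
        poll(check, health, lambda port: True, lambda page, hdrs: (200, next(bodies)))
        history.append(health.active)
    return history


if __name__ == "__main__":
    print(run_scenario(1))   # page checked every poll
    print(run_scenario(3))   # page checked on polls 1 and 4 only
```

With the page retrieved on every poll the server goes inactive on the third failure and returns on the first good page; with an Extended Check Frequency of 3 the same failing server is still marked active after five polls, because only two of them looked at the page. That delay is the price of the cheaper TCP checks and should be weighed against the Connectivity Check Interval and Retries when tuning a farm.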
No HTTP Service Page When no servers can be used for a specific session, AppDirector can reply to a Web request (to port 80) with a simple Web page, indicating that the service is currently not available. Servers that cannot be used for a session include those in Not In Service or in No New Sessions mode. The No HTTP Service Page window is configured for each farm. Each Web page is limited to 1K of HTML code. When configuring the No HTTP Service Page, the page text must be entered as one line with no line separators. Sample HTML code for a default Web page is shown here:
<HTML><HEAD><TITLE>Service Unavailable</TITLE></HEAD><BODY>Service is currently unavailable. Please try again later.</BODY></HTML>