ServerIron ADX
Graphical User Interface Guide
Supporting ServerIron ADX 1000, ServerIron ADX 4000, ServerIron ADX 8000, and ServerIron ADX 10000
Copyright 2008-2011 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCS, and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned are or may be trademarks or service marks of their respective owners. Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
European Headquarters
Brocade Communications Switzerland Sàrl
Centre Swissair
Tour B - 4ème étage
29, Route de l'Aéroport
Case Postale 105
CH-1215 Genève 15
Switzerland
Tel: +41 22 799 5640
Fax: +41 22 799 5641
E-mail: emea-info@brocade.com
Document History
Title: ServerIron ADX Graphical User Interface Guide
Publication number: 53-1002074-01
Summary of changes: New document
Date: March 2011
Contents
Chapter 1
Configuring Source IP addresses
  Configuring Source IP, Source NAT IP, and Source Standby IP addresses on switch code
  Configuring Source NAT IP addresses on router code
Displaying the Dashboard
Displaying the Front Panel
Defining global system settings
Displaying and saving the running configuration
Chapter 2
Chapter 3
Enabling or disabling a virtual server port
  Enabling at Summary tab
  Disabling at Summary tab
  Enabling at Port tab
  Disabling at Port tab
Defining advanced virtual server parameters
Chapter 4
Chapter 5
Application Templates
In this chapter
Generic HTTP application template
Chapter 6
Chapter 7
Configuring VLANs
  Configuring a VLAN on switch code
  Configuring a VLAN on router code
Configuring standard Access Control List
Configuring a static route on router code
Chapter 8
Chapter 9
Chapter 10
Displaying Layer 7 Summary of Response Rules, Policies, and associated virtual servers
Using the L7 Switching Request Wizard
  Launching the Wizard
  Wizard 1: Traffic Forwarding based on URL prefix
    Step 1: Creating a rule
    Step 2: Creating a policy
    Step 3: Enabling Layer 7 Switching
  Wizard 2: Traffic Forwarding based on URL suffix
Chapter 11
Maintenance
In this chapter
Software upgrade overview
  Copying system software
  Rebooting the device
Chapter 12
Displaying Statistics
In this chapter
Statistics overview
Viewing system resources
Displaying traffic statistics for a real server
  Current Connection Rate
  Current Connections
  Connection Distribution among Application Ports
  Total Accumulated Connections to Server
  Total Accumulated Connections per Application Port
  Received and Transmitted Packets among Application Ports
Displaying statistics for a real server port
  Current Connections on Ports
  Total Accumulated Connections on Ports
  Received and Transmitted Packets on Ports
Displaying statistics for a virtual server
  Connection Distribution among Application Ports
  Total Accumulated Connections to Server
  Total Accumulated Connections per Port
Displaying statistics for virtual server port
  Current Connections on Ports
  Current Connection Distribution among Real Servers
  Total Accumulated Connections
  Total Accumulated Connection Distribution among Real Servers
Displaying global traffic statistics
Displaying interface statistics
Viewing Syslog entries
In this chapter
Audience
Supported hardware and software
Document conventions
Notice to the reader
Related publications
Getting technical help or reporting errors
Audience
This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network: IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.
ServerIron ADX 1000
ServerIron ADX 4000
ServerIron ADX 8000
ServerIron ADX 10000
Document conventions
This section describes text formatting conventions and important notice formats used in this document.
Text formatting
The narrative-text formatting conventions that are used are as follows:
bold text
  Identifies command names
  Identifies the names of user-manipulated GUI elements
  Identifies keywords
  Identifies text to enter at the GUI or CLI
italic text
  Provides emphasis
  Identifies variables
  Identifies document titles
code text
For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.
NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
CAUTION A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
Corporation
Microsoft Corporation Mozilla Corporation Sun Microsystems
Related publications
The following Foundry Networks documents supplement the information in this guide:
Release Notes for ServerIron Switch and Router Software TrafficWorks 12.0.00
ServerIron ADX TrafficWorks Graphical User Interface
ServerIron ADX TrafficWorks Server Load Balancing Guide
ServerIron ADX TrafficWorks Advanced Server Load Balancing Guide
ServerIron ADX TrafficWorks Global Server Load Balancing Guide
ServerIron ADX TrafficWorks Security Guide
ServerIron ADX TrafficWorks Administration Guide
ServerIron ADX TrafficWorks Switching and Routing Guide
ServerIron ADX Firewall Load Balancing Guide
ServerIron ADX Hardware Installation Guide
IronWare MIB Reference
NOTE
For the latest edition of these documents, which contain the most up-to-date information, see Product Manuals at kp.foundrynet.com.
Web access
The Knowledge Portal (KP) contains the latest version of this guide and other user guides for the product. You can also report errors on the KP. Log in to my.Brocade.com, click the Product Documentation tab, then click on the link to the Knowledge Portal (KP). Then click on Cases > Create a New Ticket to report an error. Make sure you specify the document title in the ticket description.
E-mail access
Go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.
Chapter
In this chapter
The ServerIron ADX GUI
Accessing the GUI through HTTP
Accessing the GUI through HTTPS
Web management using the management port
Configuring IP addresses
Configuring Source IP addresses
Displaying the Dashboard
Displaying the Front Panel
Defining global system settings
Displaying and saving the running configuration
NOTE
The ServerIron ADX GUI has been tested with Internet Explorer and Firefox Web browsers. Also, you must have the latest version of Java Runtime Environment (JRE) installed on your system to be able to view some of the graphics on the GUI. Obtain the latest JRE version from the Sun Microsystems Java Web site.
FIGURE 1
The context bars allow you to access the main functions by clicking the background. The main functions are: Overview, System, Traffic Management, L7 Traffic Management, Security, Network, and Maintenance.
The option tabs allow you to access the detailed functions by clicking the tab on top of the respective content area; for example, Real Server, and Statistics.
The content area allows you to configure, monitor, or troubleshoot the detailed functions; for example, a Real Server.
The Log Out button allows you to log out from any window in the application.
The circular arrow in the right-hand corner of the content window refreshes the screen.
The file save button saves the content you enter.
The "help button" (?) in the right-hand corner of the content window links to the Brocade ADC Community website.
3. Write to memory.
ServerIronADX# write memory
.Write startup-config in progress.
.Write startup-config done.
ServerIronADX#
2. Configure an interface.
ServerIronADX(config)# interface ethernet 1
5. Write to memory.
ServerIronADX(config)# ^Z
ServerIronADX# write memory
.Write startup-config in progress.
.Write startup-config done.
ServerIronADX#
If an IPv6 address is used, type the address into the address bar enclosed by square brackets.
Example http://[fd00:60:69bc::100]
NOTE
The default User name is admin. The default Password is brocade. The password can be edited for greater security.
NOTE
You have three attempts to log in to the web management interface. If all three login attempts fail, you are locked out for 30 minutes. During the lockout period, you cannot log in even if you provide a correct password.
3. Write to memory.
ServerIronADX# write memory
.Write startup-config in progress.
.Write startup-config done.
ServerIronADX#
2. Configure an interface.
ServerIronADX(config)# interface ethernet 1
5. Write to memory.
ServerIronADX(config)# ^Z
ServerIronADX# write memory
.Write startup-config in progress.
.Write startup-config done.
ServerIronADX#
After you have imported the digital certificate, reformat and prepare the SSL certificate for use by HTTPS access by entering the following command.
ServerIronADX(config)# crypto-ssl certificate generate
NOTES:
Imported certificates can be no larger than 2048 bytes.
Encrypted private key files (DES, DES3, or other ciphers) are not supported.
Private key files must be unencrypted; private keys greater than 1024 bits are not supported; and private key files must be either 512 or 1024 bits.
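A pre-import check for the limits listed in the notes above, as an added example that is not part of the original guide or of Brocade's software: it walks the DER structure of a PEM private key to find the RSA modulus size and flags encrypted or out-of-range keys. It assumes the 2048-byte limit applies to the certificate file as supplied; the function names and the sample keys (placeholders with the right layout, not usable keys) are constructed for illustration.

```python
import base64
import re

MAX_CERT_BYTES = 2048            # certificate size limit stated in the notes
ALLOWED_KEY_BITS = (512, 1024)   # private key sizes stated in the notes
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                              # short-form length
        length = first
    else:                                         # long-form length
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def rsa_modulus_bits(der):
    """Modulus size of a PKCS#1 RSAPrivateKey, or of one wrapped in PKCS#8."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, _, pos = read_tlv(der, start)            # version INTEGER
    if tag != 0x02:
        raise ValueError("expected version INTEGER")
    tag, vs, ve = read_tlv(der, pos)
    if tag == 0x30:                               # PKCS#8: AlgorithmIdentifier,
        tag, vs, ve = read_tlv(der, ve)           # then OCTET STRING holding the key
        if tag != 0x04:
            raise ValueError("expected OCTET STRING")
        return rsa_modulus_bits(der[vs:ve])
    if tag != 0x02:
        raise ValueError("expected modulus INTEGER")
    return int.from_bytes(der[vs:ve], "big").bit_length()


def check_key_pem(pem_text):
    """Return the reasons a key file breaks the limits in the notes ([] if none)."""
    m = PEM_RE.search(pem_text)
    if not m or "PRIVATE KEY" not in m.group(1):
        return ["no PEM private key block found"]
    label, body = m.group(1), m.group(2)
    # Encrypted keys: PKCS#8 label, or a traditional Proc-Type header.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in body:
        return ["private key file is encrypted"]
    try:
        bits = rsa_modulus_bits(base64.b64decode("".join(body.split())))
    except (ValueError, IndexError) as exc:
        return [f"cannot parse key: {exc}"]
    if bits not in ALLOWED_KEY_BITS:
        return [f"key is {bits} bits; guide lists 512 or 1024"]
    return []


def check_cert_size(cert_file_bytes):
    """Assumption: the limit is measured on the file as supplied."""
    n = len(cert_file_bytes)
    if n > MAX_CERT_BYTES:
        return [f"certificate file is {n} bytes; limit is {MAX_CERT_BYTES}"]
    return []


def der_encode(tag, content):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content


def sample_key_pem(bits, encrypted=False):
    """Constructed sample: PKCS#1 layout with a placeholder modulus, not a real key."""
    modulus = (1 << (bits - 1)) | 1
    mod_bytes = modulus.to_bytes(bits // 8 + 1, "big")   # leading 0x00 keeps it positive
    der = der_encode(0x30, der_encode(0x02, b"\x00") + der_encode(0x02, mod_bytes))
    header = ""
    if encrypted:                                 # constructed header values
        header = "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n"
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + header
            + base64.encodebytes(der).decode() + "-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    for bits, enc in ((1024, False), (2048, False), (1024, True)):
        print(bits, enc, check_key_pem(sample_key_pem(bits, enc)) or "ok")
```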
If an IPv6 address is used, type the address into the address bar enclosed by square brackets.
Example http://[fd00:60:69bc::100]
4. Click Yes. The system prompts for the user name and password.
NOTE
The default User name is admin. The default Password is brocade. This password can be edited for greater security.
5. Enter the user name and password and click OK.
NOTE
You have three attempts to log in to the web management interface. If all three login attempts fail, you are locked out for 30 minutes. During the lockout period, you cannot log in even if you provide a correct password.
The home page for the ServerIron web interface is displayed. A lock symbol displayed on the top right corner indicates that the current connection is a secure HTTPS connection.
6. To log out, click Log Out in the upper right corner of the window. The message You are successfully logged out is displayed.
3. Configure a static route (the default route cannot point to the management port).
ServerIronADX(config-if-mgmt-1)# ip route 10.54.1.0/24 1.1.1.254
4. Write to memory.
ServerIronADX# write memory
.Write startup-config in progress.
.Write startup-config done.
ServerIronADX#
3. Assign an IP address.
ServerIronADX(config-if-mgmt-1)# ip address 1.1.1.1/24
ServerIronADX(config-if-mgmt-1)# exit
4. Configure a static route (the default route cannot point to the management port).
ServerIronADX(config)# ip route 10.54.1.0/24 1.1.1.254
5. Write to memory.
ServerIronADX# write memory
.Write startup-config in progress.
.Write startup-config done.
ServerIronADX#
2. Press Enter.
You can log in to the web management interface by clicking either HTTP (non-secure) or HTTPS (secure). If you click HTTPS, the system prompts you for certificate verification, and you must click Yes to proceed further. The User name and Password window is displayed. Enter the user name and password and click OK.
Configuring IP addresses
This section describes the procedure to configure an IP address on switch code and router code.
Management IP: Enter the IP address.
Subnet Mask: Enter the subnet mask.
Default Gateway: Enter the default gateway address.
4. Click Apply.
NOTE
You can also configure multiple IP addresses for the management port (mgmt1).
4. Enter the information for the following fields:
IP Address: Enter the management IP address.
Subnet Mask: Enter the subnet mask.
Default Gateway: Enter the default gateway address.
You can configure a secondary IP address for an interface using the GUI.
Configuring Source IP, Source NAT IP, and Source Standby IP addresses on switch code
You can configure the following addresses on a ServerIron running switch code:
IP Address: Enter the IP address.
Subnet Mask: Enter the subnet mask.
Default Gateway: Enter the default gateway address.
Use this IP for SSL Traffic (Optional): Select the check box to use the Source IP address for SSL terminate or proxy traffic.
Allocate Source Port per Real Server (Optional): Select the check box if the source port is to be allocated on the real server.
5. Click Add to add the Source IP address. The new Source IP address is displayed in the summary table.
IP Address: Enter the IP address.
Subnet Mask: Enter the subnet mask.
Default Gateway: Enter the default gateway address.
Source Port Range: Select Lower Port Range or Higher Port Range.
Use this IP for SSL Traffic (Optional): Select the check box to use this Source IP address for SSL terminate or proxy traffic.
Allocate Source Port per Real Server (Optional): Select the check box if the source port is to be allocated on the real server.
5. Click Add to add the Source NAT IP address. The new Source NAT IP address is displayed in the summary table.
IP Address: Enter the IP address.
Subnet Mask: Enter the subnet mask.
Default Gateway: Enter the default gateway address.
5. Click Add to add the Source Standby IP address. The new Source Standby IP address is displayed in the summary table.
IP Address: Enter the IP address.
Subnet Mask: Enter the subnet mask.
Default Gateway: Enter the default gateway address.
Source Port Range: Select Lower Port Range or Higher Port Range.
Allocate Source Port per Real Server (Optional): Select the check box if the source port is to be allocated on the real server.
4. Click Add to add the Source NAT IP address. The new Source NAT IP address is displayed in the summary table.
The Dashboard shows CPU utilization for the management processor, available and used memory in the management processor, CPU utilization by the barrel processors, and the number of used and available sessions in the barrel processors. The Dashboard additionally provides status of fans, power supplies, and system temperature. It also shows software images installed on the system.
Load Balancing Predictor: Select the predictor to be used by the ServerIron from the Load Balancing Predictor list.
TCP Age: Enter the number of minutes for TCP age.
UDP Age: Enter the number of minutes for UDP age.
Sticky Age: Enter the number of minutes for Sticky age.
Clock Scale: Enter a value from 1 to 24 for clock scale.
Max Sessions Per BP: Enter the maximum number of sessions allowed for each BP.
NOTE
If you change the Max Sessions Per BP setting, you must reload the ServerIron from the CLI.
TCP SYN NAK Threshold: Select the Enable check box to edit the TCP NAK threshold value. The default value is 20.
3. Click Apply to save your changes.
Scroll down the display to view the running configuration. To save the configuration to a file, click Download. A file download dialog box displays.
Chapter
In this chapter
Creating a basic real server
Creating a real server port
Enabling or disabling a real server
Enabling or disabling a real server port
Cloning a real server
Defining advanced parameters for real servers
Viewing real server summary information
The configuration details of the real server are displayed in the right panel. The summary table displays the first 20 entries of the real servers. Click Next Page and Previous Page to navigate to the respective pages or select the page number from the Go To list.
2. Click the Basic tab at the top of the window. The basic real server window is displayed.
3. Click New, if New is not already displayed.
4. Enter the following information:
Real Server Name: Enter the real server name; for example, real1.
Server IP: Enter the server IP address. You can configure both IPv4 and IPv6 addresses.
5. Click Enable for Admin Status. Enable is the default option.
6. Click Apply. The message The operation was successful is displayed.

3. In the Applications panel, select HTTP and click Add to enter a new application type.
4. In the Characteristics panel, click Enable for Admin Status (Enable is the default option).
5. Optionally, configure other port level parameters.
6. Click Update. The message The operation was successful is displayed.

3. Find the real server you want in the Real Server Name column. In the example above, "real1" is in the "Disabled" running state.
4. Click the arrow button in the Status column and select Enable.
5. Click Apply in the User Action column. The Running State column now shows Enabled.

3. Select a real server from the list.
4. Click Enable for Admin Status.
5. Click Apply.

3. Find the real server you want in the Real Server Name column. In the above example, "real1" is in the "Enable" running state.
4. Click the arrow in the Port column to view a list of configured ports. The DNS port for real1 is Disabled.
5. Click the arrow button in the DNS row and select Enable.
6. Click Apply. The status should now show Enable.

5. Click the arrow button in the Port row and select Disable.
6. Click Apply. The status should now show Disabled.

3. Select the real server from the Real Server Name list and the port from the Port list.
4. Click Enable for Admin Status.
5. Click Update.

3. Select the real server from the Real Server Name list and the port from the Port list.
4. Click Disable for Admin Status.
5. Click Update.

3. Select a real server from the Real Server Name list.
4. Enter an IP address in the Base IP field and the number of clones you want in the Number of Clones field, and click Preview. The number of clones you specified are displayed. You can edit clone names and IP addresses.
5. Click Create Clones to create the clones. The message The operation was successful is displayed at the top of the window.
Real Server Name: Select a real server from the list.
Description: Enter a description for the real server.
Alias Name: Enter the alias name.
Ping Health Check: Click Disable to disable Layer 3 health check. By default, Layer 3 health check is enabled.
Backup: Select the check box to designate the real server to be a backup server.
Source-NAT: Select the check box to enable Source NAT on the real server.
Source-NAT ACL: Select the check box to enter the Source NAT access list number in the ACL # field.
Max Connections: Enter the maximum number of sessions the ServerIron will maintain in its session table.
Max TCP Connection Rate: Enter the maximum TCP connection rate.
Max UDP Connection Rate: Enter the maximum UDP connection rate.
Port Number: Enter the port number and specify the community name in the Community Name field.
Entry ID: Enter the entry IDs in the respective fields and the SNMP OID value in the SNMP Request OID fields.
Least Connection Weight: Enter the weight of the real server relative to other real servers in terms of the number of connections on the server.
4. Click Apply to accept your entries.
Sorted by IP address
To view real server status sorted by IP address, follow these steps.
1. Click the Summary tab.
2. Click the IP column heading. The real server information sorted by IP address is displayed.
Chapter
In this chapter
Creating a virtual server
Creating a virtual server port
Binding the virtual server port
Enabling or disabling a virtual server
Enabling or disabling a virtual server
Defining advanced virtual server parameters
The content area for configuring the virtual server is displayed in the right panel. The Summary tab displays a list of the virtual servers in the system.
2. Click the Basic tab at the top of the window. The basic virtual server window is displayed.
3. Click New, if New is not already displayed.
4. Enter the following information:
Virtual Server Name: Enter the virtual server name.
Server IP: Enter the server IP address. You can configure both IPv4 and IPv6 addresses.
5. Click Enable for Admin Status (Enable is the default option).
6. Select a predictor in the Predictor list; for example, Least Connection.
7. Click Apply. The message The operation was successful is displayed.

3. In the Applications panel, select a port from the list and click Add to enter a new application type.
4. In the Characteristics panel, select Enable for Admin Status. (Enabled is the default option.) Optionally, specify other port level items.
From the Virtual Server list, select the virtual server name.
From the Port list, select the virtual server port name.
From the Real Server list, select the real server name.
From the Port list, select the real server port name.
4. Click Bind.
5. Repeat the above steps for binding additional real servers.

3. Find the virtual server you want in the Virtual Server Name column.
4. Click the arrow button in the Admin column and select Enable.
5. Click Apply in the User Action column. The Running State column should now show Enabled.

3. Select a virtual server from the list.
4. Click Enable for Admin Status.
5. Click Apply.
3. Find the virtual server you want in the Virtual Server Name column. In the example above, "vip2" is in the "Enabled" running state.
4. Click the arrow in the Port column to view the list of virtual ports. The DNS port for vip2 is Disabled.
5. Click the arrow button in the DNS row and select Enable.
6. Click Apply. The Port status should now show Enable.

5. Click the arrow button in the DNS row and select Disable.
6. Click Apply. The Port status should now show Disable.

3. Select a virtual server in the Virtual Server Name list and a virtual port in the Port list.
4. Click Enable for Admin Status.
5. Click Update.
Description: Enter a description for the virtual server.
Track Group: Select to enable track group.
Track Port: Select to enable track port.
Master Port: Select the master port from the list.
TCP Age: Enter the TCP age.
UDP Age: Enter the UDP age.
Sticky Age: Enter the sticky age.
Rate Limiting, Client Connection Limit: Select the maximum number of client connections allowed for the virtual server.
Rate Limiting, Transaction Rate Limit: Select the maximum number of TCP, UDP, and ICMP transactions allowed for the virtual server.
Click the down arrow next to VIP Route Health Injection (VIP RHI) to display the parameters to be configured. Enter the information for the following fields:
VIP Route: Select the Advertise VIP Route check box to advertise the availability of a VIP address throughout the network. Click Enable to enable VIP RHI for the virtual server or click Disable to disable VIP RHI for the virtual server. Enable is the default option.
Subnet Mask: You can enter the subnet mask of VIP RHI injected route for the virtual server using the prefix length. The default prefix length for IPv4 address is 32 and for IPv6 address is 128. To specify the full subnet mask, select the Specify Full Mask check box and enter the full subnet mask.
Chapter
In this chapter
Configuring health check for a real server
Enabling Layer 2 to Layer 4 health checks
Disabling Layer 2 to Layer 4 health checks
Creating a port profile
Creating a port policy
Configuring element health checks
Configuring a match list policy
2. Click the Summary tab. The Summary tab displays the links to configure global health check settings and individual real server health checks.
3. Follow the links available under Step 1 (Optional): Define global health check settings to create or modify system level health check containers such as port profiles, port policies, element health checks, and match lists, or modify global health check settings.
4. Under Step 2: Configure Health Check, select the real server name from the Select Real Server list.
5. Select the port name from the Select Real Port list.
6. Click Open Port Health Check configuration page. The system opens a new dialog box for displaying the port configurations for the selected real server.
7. Click Enable to enable periodic health check for the real server.
Click L4 Check Only to enable a Layer 4 check.
Enter the Bringup Health Check Interval in the L4 and L7 fields.
Click Update.
8. Close the dialog box and click Finish on the parent window.

3. Click Enable for Periodic ARP to enable Layer 2 ARP check. Enable is the default option.
4. Click Enable for Real Server and Remote Server to enable Layer 3 ping check. Enable is the default option.
5. Click Enable for Layer 4 Health Check and Fast Port Bring-up to enable Layer 4 TCP/UDP check. Enable is the default option.
6. Click Apply.
The content area for configuring the health checks is displayed on the right side of the window. The Summary tab displays links to configure global health check settings and individual real server health checks.
2. Click the Port Profile tab, or click the Summary tab and then click Port Profile. The Port Profile Health Checks window is displayed.
3. Click New, if New is not already displayed.
4. Enter the well-known port name or port number in the Port field.
5. Select the protocol from the Protocol list.
6. Select Enable for Status to enable health check for the port.
7. Select TCP or UDP for Type to globally define the type for this port, and enter the following information:
8. Select Enable or Disable for Periodic HC. (This option is available only for the TCP type.)
Interval: You can edit the default interval value.
Retries: You can edit the default retries value.
NOTE
The ServerIron assumes that ports for which it does not know the type are UDP ports. 9. Select the L4 Check Only check box to enable only Layer 4 checks. This selection disables Layer 7 checks if applicable. 10. Select Enable for Session Sync to enable session synchronization for the port in high availability designs. 11. Click Apply. The port profile is listed in the Summary table. You can click Edit in the table or select the port profile from the list (next to the New button) at the top of the page to modify the port profile. Also click Del to delete the port profile from the Summary table. However, you cannot edit or delete port profiles if they are in use.
57
3. Click New, if New is not already displayed.
4. Enter the name of the port policy in the Name field.
5. Edit the default health check interval value in the HC Interval field.
6. Edit the default health check retries in the HC Retries field.
7. Select the L4 Check Only check box to enable only Layer 4 checks. This selection disables Layer 7 checks if applicable.
8. Optionally, select the port from the Port list.
9. Select the protocol from the HC Protocol list. The port value is displayed in the field next to the HC Protocol list. Depending on the selected HC Protocol, the display changes and the system asks for additional information.
10. Provide the required additional information and click Apply. The port policy is listed in the table at the bottom of the page. You can click Edit in the table or select the port policy from the list (next to the New button) at the top of the page to modify the port policy. Also click Del to delete the port profile from the Summary table. However, you cannot edit or delete port policies if they are in use.
3. Click New, if New is not already displayed.
4. Enter the name for the health check in the Name field.
5. Select TCP or UDP for Type.
6. Enter the following information:
    Destination IP: Enter the destination IP address. You can configure both IPv4 and IPv6 addresses.
    State: Select Enable or Disable.
    HC Interval: You can edit the default interval value.
    HC Retries: You can edit the default retries value.
    Port: Select the port from the Port list. The port value is displayed in the field next to the Port list.
    HC Protocol: Select the protocol from the HC Protocol list. The port value is displayed in the field next to the HC Protocol list. Depending on the selected HC Protocol, the display changes and the system asks for additional information.
    L4 Check: Select Enable or Disable.
    L7 Check: Select Enable or Disable.
7. Click Apply. The details are listed in the table at the bottom of the page. You can click Edit in the table or select the TCP or UDP health check policy from the list (next to the New button) at the top of the page to modify the health check policy. You can also delete the health check policy from the table by clicking Del. However, you cannot edit or delete health check policies if they are in use.
3. Click New, if New is not already displayed.
4. Enter the name for the health check in the Name field.
5. Click ICMP for Type.
6. Enter the destination IP address in the Destination IP field. You can configure both IPv4 and IPv6 addresses.
7. Click Apply. The details are listed in the table at the bottom of the page. You can click Edit in the table or select the ICMP health check policy from the list (next to the New button) at the top of the page to modify the health check policy. You can also delete the ICMP policy from the table by clicking Del. However, you cannot edit or delete ICMP health check policies if they are in use.
3. Click New, if New is not already displayed.
4. Enter the name for the health check in the Name field.
5. Click Boolean for Type.
6. Enter the following information:
    Select an Element health check policy from the Element HC #1 list.
    Select a boolean operator from the Operator list.
    Select an Element health check policy from the Element HC #2 list.
7. Click Apply. The details are listed in the table at the bottom of the page. You can click Edit in the table or select the Boolean health check policy from the list (next to the New button) at the top of the page to modify the health check policy. You can also delete the boolean policy from the table by clicking Del. However, you cannot edit or delete the boolean health check policies if they are in use.
3. Click New, if New is not already displayed.
4. Enter the name of the match list in the Name field.
5. Select Up or Down from the Health State list.
6. Select one of the following conditions from the Match Condition list to define a rule:
    Select String Starts With and enter the string in the String field.
    Select String Ends With and enter the string in the String field.
    Select Simple String Match and enter the following details:
        Enter the string in the String field.
        Select the Log check box.
    Select Compound String Match and enter the following details:
        Enter the string start text in the Starts With field.
        Enter the string end text in the Ends With field.
        Select the Log check box.
7. Click Add. The rule is displayed in the table below the Add button. You can click Edit in the table to modify the rule. Also click Del to delete the rule from the table.
8. Repeat step 5 to step 7 to define additional match conditions.
9. Select Up or Down for Default.
10. Click Apply. The configured match list is listed in the table at the bottom of the page. You can click Edit in the table to modify the match list. Also click Del to delete the match list from the table.
Chapter
Application Templates
In this chapter
Generic HTTP application template
2. Click the HTTP link in the Template page, or click the HTTP tab. The HTTP tab is displayed.
3. Edit the Specify Naming Prefix field to enter any string which will be used as prefix in generating distinguishable virtual server and real server names. The default prefix is app_http_.
4. Provide the following information under Virtual Server Details:
    What is the IP Address: Enter the virtual server IP address.
    What is the Port: By default, the HTTP port value is displayed. You can change this value to specify any other port.
    Load Balancing Method: Select the appropriate load balancing method from the list.
5. Provide the following information under Real Server Details:
    What is the IP Address: Enter the real server IP address.
    Service Port: Select the service port from the list. The selected service port value is displayed in the adjacent field.
6. Click Add. The real server details are displayed in the table below the Add button. You can click Delete to delete a selected real server from the table or click Delete All to delete all the real servers listed in the table.
7. Repeat steps 5 and 6 to add multiple real servers.
8. Enter the server health check URL address in the Health check URL field.
9. Click Apply to save the configuration. The system automatically creates a sample Layer 4 server load balancing configuration in the background. You can verify the changes by viewing the running configuration (refer to Displaying and saving the running configuration on page 23) or using a CLI interface. A sample output is shown as follows.
!
server real app_http_rs_1 10.1.1.1
 port http
 port http url "GET /"
!
server real app_http_rs_2 10.1.1.2
 port http
 port http url "GET /"
!
server real app_http_rs_3 10.1.1.3
 port http
 port http url "GET /"
!
server real app_http_rs_4 10.1.1.4
 port 8080
 port 8080 url "GET /"
!
server real app_http_rs_5 10.1.1.5
 port 8080
 port 8080 url "GET /"
!
!
server virtual app_http_vip_1 100.10.10.1
 predictor least-conn
 port http
 bind http app_http_rs_1 http app_http_rs_2 http app_http_rs_3 http app_http_rs_4 8080
 bind http app_http_rs_5 8080
!
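One way to check the generated configuration offline, as an added example (not part of the original guide and not Brocade tooling): it parses the sample output above and confirms that every bind refers to a defined real server and port, and that the port has a health check URL. The line breaks in the embedded sample and the reading of bind as a virtual port followed by real-server/port pairs are assumptions inferred from the sample.

```python
import re

# The page's sample output, one command per line (the line breaks are an assumption).
SAMPLE = """\
!
server real app_http_rs_1 10.1.1.1
 port http
 port http url "GET /"
!
server real app_http_rs_2 10.1.1.2
 port http
 port http url "GET /"
!
server real app_http_rs_3 10.1.1.3
 port http
 port http url "GET /"
!
server real app_http_rs_4 10.1.1.4
 port 8080
 port 8080 url "GET /"
!
server real app_http_rs_5 10.1.1.5
 port 8080
 port 8080 url "GET /"
!
!
server virtual app_http_vip_1 100.10.10.1
 predictor least-conn
 port http
 bind http app_http_rs_1 http app_http_rs_2 http app_http_rs_3 http app_http_rs_4 8080
 bind http app_http_rs_5 8080
!
"""

URL_RE = re.compile(r'port\s+(\S+)\s+url\s+"(.*)"$')


def parse_config(text):
    """Return (reals, virtuals) dictionaries built from 'server real/virtual' blocks."""
    reals, virtuals, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # "!" closes the current block
            continue
        tok = line.split()
        if tok[:2] == ["server", "real"] and len(tok) >= 4:
            current = reals.setdefault(tok[2], {"ip": tok[3], "ports": set(), "urls": {}})
        elif tok[:2] == ["server", "virtual"] and len(tok) >= 4:
            current = virtuals.setdefault(tok[2], {"ip": tok[3], "ports": set(), "binds": []})
        elif current is None:
            continue
        elif tok[0] == "port" and len(tok) >= 2:
            current["ports"].add(tok[1])
            m = URL_RE.match(line)
            if m and "urls" in current:
                current["urls"][m.group(1)] = m.group(2)
        elif tok[0] == "bind" and "binds" in current and len(tok) >= 4:
            # Assumed form: bind <virtual-port> <real-server> <real-port> [<real-server> <real-port> ...]
            rest = tok[2:]
            for name, rport in zip(rest[0::2], rest[1::2]):
                current["binds"].append((tok[1], name, rport))
    return reals, virtuals


def check_binds(reals, virtuals):
    """List every bind that points at something the configuration does not define."""
    problems = []
    for vname, vip in virtuals.items():
        for vport, rname, rport in vip["binds"]:
            if vport not in vip["ports"]:
                problems.append(f"{vname}: bind uses virtual port {vport}, which is not defined")
            real = reals.get(rname)
            if real is None:
                problems.append(f"{vname}: bound real server {rname} is not defined")
                continue
            if rport not in real["ports"]:
                problems.append(f"{vname}: {rname} has no port {rport}")
            elif rport not in real["urls"]:
                problems.append(f"{vname}: {rname} port {rport} has no health check URL")
    return problems


if __name__ == "__main__":
    reals, virtuals = parse_config(SAMPLE)
    for problem in check_binds(reals, virtuals) or ["all binds resolve"]:
        print(problem)
```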
Chapter
In this chapter
Creating a context
Creating a user
Assigning a user role
Creating a role template
Web server authentication
System log details
Navigation
Creating a context
To create a context, perform the following steps.
1. Click System on the context bar and select User/Role Management. The user/role based window is displayed. The Summary tab displays the list of users.
2. Click the Context tab.
3. In the Name field, enter the context name; for example, Finance.
4. Click Add. The message The operation was successful is displayed and the context name is included in the table.
Creating a user
To create a user, follow these steps.
1. Click the User tab. The user window is displayed.
    User Name: Enter the user name.
    User Type: Select Super User, Role Based, or Read Only as the user type.
NOTE
For more information on the role based user type, refer to Assigning a user role on page 72.
    Password: Enter the password with a minimum of eight characters containing the following combinations:
        At least two uppercase characters
        At least two lowercase characters
        At least two numeric characters
        At least two special characters
3. Click None, Viewer, or Manager for Global (non-Context) Config. The global configuration refers to Layer 2, Layer 3, and other miscellaneous configurations on the system.
NOTE
The global configuration does not include configurations from other contexts.
4. Select a context from the Context list and the respective role from the Role list and then click Add.
5. Repeat step 4 for every context as desired.
6. Select a context from the Default Operational Context list for the user. On logging in, you will find the selected default operational context.
7. Optionally, define a Role Template for the user. The user role is displayed with the message The operation was successful.
8. Click Apply.
2. Click New.
3. Enter the role template name in the Name field.
4. Click None, Viewer, or Manager for Global (non-Context) Config. The global configuration refers to Layer 2, Layer 3, and other miscellaneous configurations on the system.
5. Select a context from the Context list and the respective role from the Role list and then click Add.
6. Select a context from the Default Context list.
7. Click Apply. The role template is displayed with the message The operation was successful.
During the RADIUS authentication process, if a user supplies a valid user name and password, the RADIUS server sends an Access-Accept packet to the ServerIron, authenticating the user. The Access-Accept packet contains three attributes as given below.
Vendor Specific Attribute    Value    Description
foundry-privilege-level      0        Super User level. Allows user to modify configuration through web GUI
                                      Read Only level. Allows user to view configurations only (All Submit buttons are disabled)
                                      If exists, it will be ignored
                                      If exists, it will be ignored
If the EXEC authorization command aaa authorization exec default tacacs+ is not configured, the user will get Super User privilege by default upon successful authentication by the TACACS+ server. Otherwise, the user obtains the privilege through TACACS+ EXEC authorization. During TACACS+ EXEC authorization, the ServerIron expects the TACACS+ server to send a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When the ServerIron receives the response, it extracts an A-V pair configured for the EXEC service and uses it to determine the user's privilege level. To set a user's privilege level, you can configure the "foundry-privlvl" A-V pair for the EXEC service on the TACACS+ server.
Example
user=admin0 {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 0
    }
}
In the previous example, the A-V pair foundry-privlvl=0 grants the user full read-write access.
user=admin5 {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 5
    }
}
In the previous example, the A-V pair foundry-privlvl=5 grants the user read-only access.
The following command configures the device to use the Telnet password to authenticate access to the device through the web management interface.
aaa authentication web-server default line
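The rules above can be checked mechanically. The following is an added example (not part of the original guide and not Brocade code) that reads a device configuration and a TACACS+ user file and reports when EXEC authorization is missing, so that every TACACS+ user ends up as Super User, when the web interface uses the Telnet password, and which users have cleartext passwords. The sample inputs are constructed; the use of tacacs+ as a web-server authentication method and the ops1 user are assumptions.

```python
import re

# Constructed sample inputs (not from a real device or TACACS+ server).
# Assumption: "tacacs+" is accepted in the web-server method list, in the
# same position as "line" in the page's command.
RUNNING_CONFIG = """\
aaa authentication web-server default tacacs+
"""

TAC_USERS = '''\
user=admin0 {
    default service = permit
    member admin
    # Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 0
    }
}
user=admin5 {
    default service = permit
    member admin
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 5
    }
}
user=ops1 {
    member admin
    service = exec {
    }
}
'''

USER_RE = re.compile(r"^\s*user\s*=\s*(\S+)\s*\{", re.M)


def parse_users(text):
    """Parse user stanzas into {name: {"privlvl": int or None, "cleartext": bool}}."""
    # Drop comment lines and blank out quoted strings so braces inside them are ignored.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    flat = re.sub(r'"[^"\n]*"', '""', "\n".join(lines))
    users, pos = {}, 0
    while True:
        m = USER_RE.search(flat, pos)
        if not m:
            return users
        depth, i = 1, m.end()
        while i < len(flat) and depth:          # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(flat[i], 0)
            i += 1
        body = flat[m.end():i - 1]
        exec_svc = re.search(r"service\s*=\s*exec\s*\{([^{}]*)\}", body)
        lvl = re.search(r"foundry-privlvl\s*=\s*(\d+)", exec_svc.group(1)) if exec_svc else None
        users[m.group(1)] = {
            "privlvl": int(lvl.group(1)) if lvl else None,
            "cleartext": bool(re.search(r"=\s*cleartext\b", body)),
        }
        pos = i


def audit(running_config, tac_users_text):
    """Return (findings, effective) where effective maps user -> privilege level."""
    cfg = [l.split() for l in running_config.splitlines() if l.strip()]
    web = next((t[4:] for t in cfg
                if t[:4] == ["aaa", "authentication", "web-server", "default"]), [])
    exec_authz = any(t[:4] == ["aaa", "authorization", "exec", "default"]
                     and "tacacs+" in t[4:] for t in cfg)
    findings, effective = [], {}
    if "line" in web:
        findings.append("web GUI is authenticated with the Telnet password (method 'line')")
    if "tacacs+" not in web:
        return findings, effective              # TACACS+ users do not apply to the web GUI
    if not exec_authz:
        findings.append("'aaa authorization exec default tacacs+' is missing: every user "
                        "authenticated by TACACS+ gets Super User")
    for name, user in parse_users(tac_users_text).items():
        # Per the page, the A-V pair is only consulted during EXEC authorization.
        effective[name] = user["privlvl"] if exec_authz else 0
        if user["cleartext"]:
            findings.append(f"{name}: password is stored as cleartext in the server file")
        if exec_authz and user["privlvl"] is None:
            findings.append(f"{name}: no foundry-privlvl under service = exec; "
                            "the page does not define the resulting level")
    return findings, effective


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, TAC_USERS)[0]:
        print(finding)
```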
User logged in
User logged out
User login failed
User locked out (3 login tries failed)
To display the system log details, click Overview on the context bar and select Statistics and then click the System Log tab.
Navigation
1. Log in as a valid user and create Layer 4-7 objects such as real, virtual, etc.
2. Log out and log in as a different user. You can only view objects that belong to respective user contexts.
Chapter
In this chapter
Configuring VLANs
Configuring standard Access Control List
Configuring a static route on router code
Configuring VLANs
This section describes the procedure to configure a VLAN on switch code and router code.
2. Click the VLAN tab.
3. Click New, if New is not already displayed.
4. Enter the information for the following fields:
    VLAN #: Enter the value between 1 and 4095.
    VLAN Name: Enter the VLAN name.
5. To assign VLAN port membership, do the following:
    Select the Tag check box if the port is expected to be a tagged port and carry multiple VLANs.
    Select the Show All Ports check box if you want to see all ports on the system.
    Use Add Port and Remove to assign ports to the VLAN.
6. Click Apply.
2. Click the VLAN tab.
3. Click New, if New is not already displayed.
4. Enter the information for the following fields:
    VLAN #: Enter the value between 1 and 4095.
    VLAN Name: Enter the VLAN name.
    Router Interface: Define a virtual routing interface, if necessary.
5. To assign VLAN port membership, do the following:
    Select the Tag check box if the port is expected to be a tagged port and carry multiple VLANs.
    Select the Show All Ports check box if you want to see all ports on the system.
    Use Add Port and Remove to assign ports to the VLAN.
6. Click Apply.
2. Select New from the list.
3. Select either ID# or Name and enter the number or name of a standard ACL.
4. Select Permit or Deny for Action.
5. Enter the information for the following fields:
    Source IP Address: Enter the IP address.
    Subnet Mask: Enter the subnet mask.
    Remark (optional): Enter the remark.
    Log (optional): Select or clear the check box.
6. Click Apply.
    IP Version: By default, IPV4 is enabled.
    Destination Network: Enter the IP address.
    Subnet Mask: Enter the subnet mask or select the Specify Prefix Length check box and enter the prefix length.
    Gateway: If you click IP, enter the IP address in the IP field. If you click Interface, select the port from the Interface list.
    Metric: Enter the metric between 1 and 16.
    Distance: Enter the distance between 1 and 255.
3. Click Apply. The message The operation was successful is displayed and the configured static route is listed in the summary table. Click Edit to modify the static route. You can also delete the static route from the summary table by clicking Del.
Chapter
In this chapter
High Availability modes
Configuring Hot Standby mode on switch code
Configuring Symmetric Active-Standby mode
Configuring Symmetric Active-Active mode
Displaying High Availability summary
NOTE
The content area for configuring High Availability is displayed on the right side of the window. The Summary tab displays the configured ServerIron services.
2. Click the Configuration tab.
The Basic panel provides the minimum required configuration for Hot Standby mode.
    Sync VLAN: Click the Sync VLAN list to select a VLAN. If none exists, then click Create VLAN to create one. For creating a VLAN, refer to Configuring a VLAN on switch code on page 79.
    Sync Port: Select the Hot Standby port from the list.
    Shared MAC: Specify the MAC address of one of the ServerIrons. Be sure to use a chassis MAC address from one of the two devices, not the MAC address of one of the backup ports.
    Router Ports: Click Add Port to specify the number of router ports for the ServerIron to become active. Click Remove to remove an added router port.
    Spanning Tree: Select the Disable check box to avoid system conflicts.
4. Optionally, select Advanced to configure advanced settings.
    Backup Preference: Enter the number of minutes for the ServerIron to wait before assuming the active role.
    Failover Delay Time: Enter the number of seconds for the ServerIron to wait before beginning the failover check.
    Track Active VIP Count: Select this check box to include an active VIP count in a failover decision.
    Track Virtual Port Count: Select this check box to include a virtual port count in a failover decision.
    Track Trunk Port Count: Select this check box to include a router port count in a failover decision.
    Backup Timer: Enter a value between 5 and 100 in units of 100 milliseconds to set the timer. The default value is 10.
NOTE
Symmetric Active-Standby mode is supported in both switch code and router code. Use of router code is highly recommended.
To configure the Symmetric Active-Standby mode on a ServerIron, follow these steps.
1. Click System on the context bar and select High Availability.
2. Click the Configuration tab.
3. Click the Symmetric Active-Active / Symmetric Active-Standby down arrow to display the parameters to be configured.
4. Symmetric Active-Standby configuration is a six step process in which step 2 to step 6 are optional.
5. For Step 1: Assign Sym-Priority & Enable Session Synchronization, enter the information for the following fields:
    Sym Priority: Enter the priority value for the ServerIron. The range is 0 through 225.
    Dyn Sym Pri Factor (optional): Specify the value for the dynamic priority.
    Session Sync: Click the image button under this column to enable session synchronization for a specific port. If a port profile is not available, a new port profile will be created.
6. For Step 2: (Optional) Enable Symmetric Active-Active HA, by default Disable is selected. Select Enable if you want to enable Symmetric Active-Active HA mode.
7. For Step 3: (Optional) Define Synchronization (Symmetric) Port, enter the following information:
    Select Sync VLAN from the list or click Create VLAN to create one. To create a VLAN, see Configuring VLANs on page 79.
    VIP Group ID: Enter the VIP group ID.
    Member VIPs: Click Add to include an available VIP as a member of this group. Click Remove to remove an added VIP.
    Select Interface: Select the required interface from the list.
    Associate VRRE-E VRID: Enter the VRRE-E VRID.
    Delay Symmetric: Select the Enable check box and enter the minutes you want the recovered ServerIron to wait before becoming active again.
NOTE
Symmetric Active-Active mode is supported in both switch code and router code. Use of router code is highly recommended.
To configure Symmetric Active-Active mode on a ServerIron, follow these steps.
1. Click System on the context bar and select High Availability.
2. Click the Configuration tab.
3. Click the Symmetric Active-Active / Symmetric Active-Standby down arrow. The window displays the configuration details in a step-by-step process.
4. For Step 1: Assign Sym-Priority & Enable Session Synchronization, enter the information for the following fields:
    Sym Priority: Enter the priority value for the ServerIron. The range is 0 through 225.
    Dyn Sym Pri Factor (optional): Specify the value for the dynamic priority.
    Session Sync: Click the image button under this column to enable session synchronization for a specific port. If a port profile is not available, a new port profile will be created.
5. For Step 2: (Optional) Enable Symmetric Active-Active HA, click Enable.
6. For Step 4: (Optional) Define Active-Active Port, enter the following information:
    Select a VLAN from the Sync VLAN list or click Create VLAN to create one. To create a VLAN, see Configuring VLANs on page 79.
NOTE
You can only enable one of the three HA modes on ServerIron.
If this mode is configured for switch code, then the details will appear as shown in the following image.
NOTE
This mode is not applicable for router code and thus the message Hot Standby High Availability mode is not enabled will be displayed.
Chapter
In this chapter
Generating an SSL key
Uploading an existing SSL Key to ServerIron
Generating a self-signed certificate
Generating a certificate signing request
Uploading certificates
Creating an SSL profile
Defining SSL accelerated services
Displaying SSL summary
3. Click the down arrow next to Key Generation on ServerIron to display the parameters for generating an SSL key.
    Key File Name: Enter the key name.
    Encryption Algorithm: Select RSA.
    Key Length: Select the key length from the list. The default is 1024.
The Summary tab lists the SSL keys available in the ServerIron. When the key entries exceed 20, page mode is automatically displayed. You can navigate through the pages by clicking Next Page and Previous Page, or you can use the Go To list. You can search for a particular key or keys by entering the string in the Search Keys field in one of the following ways:
    * -- Enter to display all keys.
    *<string>* -- Enter to search keys that contain <string>.
    <string>* -- Enter to search keys that start with <string>.
    *<string> -- Enter to search keys that end with <string>.
    Click Delete to delete a key.
    Click Details to view the contents of the key.
    Click Download to save the key. The key is displayed in a separate window. You can then save the key to a file on your local drive.
    Key Format: Select the key format from the list. The default is PEM.
    Encryption Password: (Optional) Enter the password if the key is encrypted; otherwise leave this field blank.
    Save As File Name: (Optional) Enter the file name if you want to save the key file on the ServerIron with a different name. If this field is left blank, the key file is saved with the same name.
    Select Local Key File: Click Browse to find the key file in the local directory.
4. Click Upload. If the key is uploaded successfully, the message The operation was successful is displayed at the top of the page. The newly uploaded key is listed in the Summary tab.
    Certificate File Name: Enter the certificate name.
    Select Key File: You can select the previously generated or uploaded SSL key file in two ways.
        The Select Key File list displays the first 20 entries. To view other entries, use the arrow keys. Select the key you want and it will appear in the Search Key File field.
        Enter the string in the Select Key File field in one of the following ways and then click Find.
            *<string>* -- Enter to search keys that contain <string>.
            <string>* -- Enter to search keys that start with <string>.
            *<string> -- Enter to search keys that end with <string>.
        The keys are displayed in the Select Key File list. Select the key file you want.
    Encryption Password: Enter the password.
    Organization: Enter the organization name.
    Domain Name: Enter the domain name.
    City: Enter the city name.
    State or Province: Enter the state name.
    Country: Enter the country name. Only two characters are allowed.
    Department: Enter the department name.
    Email: Enter the e-mail address.
5. Click Generate to generate the certificate. If the operation is successful, the message The operation was successful is displayed at the top of the page. The certificate will be listed in the Summary tab.
The Summary tab lists the generated SSL certificates available in the ServerIron. When the entries exceed 20, page mode is automatically displayed. You can navigate through the pages by clicking Next Page and Previous Page, or you can use the Go To list. You can search for a particular certificate or certificates by entering the string in the Search Certificates field in one of the following ways:
    *<string>* -- Enter to search certificates that contain <string>.
    <string>* -- Enter to search certificates that start with <string>.
    *<string> -- Enter to search certificates that end with <string>.
After entering the <string>, click Find to display the certificates. The following actions can be performed on the certificates:
    Click Delete to delete the certificate.
    Click Details to view the contents of the certificate.
    Click Download to save the certificate. The certificate is displayed in a separate window. You can then save the certificate to a file on your local drive.
    Select Key File: You can select the previously generated or uploaded SSL key file in two ways.
        The Select Key File list displays the first 20 entries. To view other entries, click the arrow keys. Select the key you want and it will appear in the Search Key File field.
        Enter the string in the Select Key File field in one of the following ways and then click Find.
            *<string>* -- Enter to search keys that contain <string>.
            <string>* -- Enter to search keys that start with <string>.
            *<string> -- Enter to search keys that end with <string>.
        The keys are displayed in the Select Key File list. Select the key file you want.
    Organization: Enter the organization name.
    Domain Name: Enter the domain name.
    City: Enter the city name.
    State or Province: Enter the state name.
    Country: Enter the country name. Only two characters are allowed.
    Department: Enter the department name.
6. Copy the entire certificate request and save it to a file.
7. Send the certificate request to an authorized certificate signing agency. The agency will send you a signed certificate file that you must upload into ServerIron.
Uploading certificates
Once you receive an SSL certificate from the CA, upload it to the ServerIron by performing the following tasks.
1. Click Security in the context bar and select SSL Traffic Management.
2. Click the Certificates tab.
    Save As File Name: (Optional) Enter a name for the certificate if you want to upload the certificate on the ServerIron with a different name. If you leave this field blank, the certificate will be uploaded with the same name.
    Chain CA Certificate: Select the check box to chain (append) the certificate you are uploading to an existing certificate on the ServerIron.
NOTE
The title of the Select Server Certificate changes to Select CA Certificate when you select the Chain CA Certificate check box.
    Select Server Certificate on ServerIron: Select the existing certificate on the ServerIron to which you want to chain the selected CA certificate. The Select Server Certificate on ServerIron list displays the first 20 entries. You can use the arrow keys to view other sets of certificates.
1. Click Security in the context bar and select SSL Traffic Management.
2. Click the SSL Profiles tab.
    Click New or select New from the list.
    SSL Profile Name: Enter the profile name.
    SSL Key: You can select the previously generated or uploaded SSL key file in two ways:
        The SSL Key list displays the first 20 entries. To view other entries, use the arrow keys. Select the key you want and it will appear in the SSL Key field.
        Enter the string in the SSL Key field in one of the following ways and then click Find.
            *<string>* -- Enter to search keys that contain <string>.
            <string>* -- Enter to search keys that start with <string>.
            *<string> -- Enter to search keys that end with <string>.
        The keys are displayed in the SSL Key list. Select the key file you want. If no key is available, click Create New Key to create a new key.
    SSL Certificate: You can select the previously generated or uploaded SSL certificate in two ways:
        The SSL Certificate list displays the first 20 entries. To view other entries, use the arrow keys. Select the certificate you want and it will appear in the SSL Certificate field.
        Enter the string in the SSL Certificate field in one of the following ways and then click Find.
            *<string>* -- Enter to search certificates that contain <string>.
            <string>* -- Enter to search certificates that start with <string>.
            *<string> -- Enter to search certificates that end with <string>.
        The certificates are displayed in the SSL Certificate list. Select the certificate you want. If no certificate is available, click Create New Certificate to create a new certificate.
    Check if Certificate is self-signed: Select the check box to check if the SSL certificate is a self-signed certificate.
    Certificate Chaining: Click Enable if the certificate in use is a chained certificate.
    Cipher Suites: Select the cipher suites you want from the left field and click the right arrow to move them to the right field.
4. Click Apply to accept and create the SSL profile.
5. If you want to specify additional options under the SSL profile, click the down arrow next to Advanced Options to display these options.
    SSL 2.0: Select Enable or Disable. The default is Disable.
    Verify Client Certificate: By default, client certificate verification is disabled. Select this option if you want ServerIron to verify the connecting client. Select the appropriate option:
        Per New Connection: Verify the client certificate with every new connection.
        Per SSL Handshake: Verify the client certificate with every SSL handshake.
        Accept Connection Only if Certificate is present: If selected, the ServerIron rejects any client connection if the client does not present a certificate for verification. If this option is not selected, then the ServerIron will verify the client certificate only if presented.
    Enable CLOSE-NOTIFY Alert: Select to enable sending close notify alert.
    Enable SSL Session Cache: Select to enable SSL session caching. By default, session caching is turned off.
        Client Side: Select to enable session caching for the SSL client only.
        Server Side: Select to enable session caching for the SSL server only.
        Both Side: Select to enable session caching for the SSL client and the SSL server.
        Cache Timeout: Enter the cache timeout between 30 and 86400.
        Maximum Cache Entries: Enter the maximum number of cache entries. The default is 1024.
    Create / Edit TCP Profile: Select to create or edit the TCP profile.
        Select the TCP profile you want to edit from the list or click New to create a new profile.
        Profile Name: Enter the profile name.
        Nagle Algorithm: Select On or Off.
        Delayed ACK Algorithm: Select On or Off.
        PUSH Bit: Select On or Off.
        Click Apply. The message The operation was successful is displayed.
        To delete a TCP profile, select the profile from the list and click Delete.
The Summary tab lists the SSL profiles available in the ServerIron. When the entries exceed 20, page mode is automatically displayed. You can navigate through the pages by clicking Next Page and Previous Page, or you can use the Go To list. You can search for a particular profile by entering the string in the Search Profiles field in one of the following ways:
* -- Enter to display all profiles.
*<string>* -- Enter to search profiles that contain <string>.
<string>* -- Enter to search profiles that start with <string>.
*<string> -- Enter to search profiles that end with <string>.
After entering the <string>, click Find to display the profiles. You can click Edit to modify the profile. You can also delete the profile by clicking Delete. However, you cannot delete a profile if it is in use.
Virtual server: Refer to Creating a virtual server on page 37.
Virtual server port: Refer to Creating a virtual server port on page 38.
SSL (TCP) profile: Refer to Creating an SSL profile on page 108.
1. Click Security in the context bar and select SSL Traffic Management.
2. Click the SSL Services tab.
Virtual Server: Select a virtual server from the list or click Create Virtual Server to create one.
Virtual Server Port: Select a virtual server port from the list or click Add Virtual Server Port to create one.
SSL Mode: Select Terminate or Proxy.
SSL Client Communication: Select the SSL profile from the Server Profile list or click Create SSL Profile to create one. The list displays the first 20 profiles. Use the arrow keys to view other sets of profiles.
Real Server Communication (Cipher-Text): If SSL Proxy mode is enabled, select a profile from the Client Profile list or click Create SSL Profile to create one. The list displays the first 20 profiles. Use the arrow keys to view other sets of profiles.
4. Click Apply to enable SSL acceleration for a service (VIP).
5. If real servers (member servers) are already bound to VIPs, then those members are shown under the member servers summary table. If none are bound, then you can bind them or create new ones and bind them under Member Servers. Click the down arrow next to Member Servers.
Real Server: Select a real server from the list or click Create Real Server to create one.
Real Server Port: Select a real server port from the list or click Add Real Server Port to create one.
Depending on which option you selected, the entries are displayed. When the entries exceed 20, page mode is automatically displayed. You can navigate through the pages by clicking Next Page and Previous Page, or you can use the Go To list. You can search for a particular virtual server by entering the string in the Search Virtual Servers field in one of the following ways:
* -- Enter to display all profiles.
*<string>* -- Enter to search profiles that contain <string>.
<string>* -- Enter to search profiles that start with <string>.
*<string> -- Enter to search profiles that end with <string>.
You can view and download the SSL keys and SSL certificates from ServerIron. For example, if you selected SSL Certificates, the Certificate Name field is displayed with a list of the certificates that have been created in the ServerIron. When you click View, the details for the selected certificate are displayed, as in the following example.
Click Download for the selected entry to save the certificate to a file on your local drive. Likewise, you can download the SSL keys by clicking SSL Keys under the Summary tab.
Chapter 10

In this chapter

Creating a Layer 7 Switching Rule (Request)
Creating a Layer 7 Request Policy
Enabling Layer 7 Switching (HTTP Requests)
Displaying Layer 7 Summary (HTTP Requests)
Creating Layer 7 Rules for HTTP Response
Creating Layer 7 Policies for HTTP Responses
Enabling Layer 7 Switching for HTTP Responses
Displaying Layer 7 Summary of Response Rules, Policies, and associated virtual servers
Name: Enter a name for the rule.
Type: Select the type of rule from the list.
The appropriate parameters are displayed depending on what Type you selected. Fill in the values for the parameters displayed.
Case Insensitive: Select this check box if you want the rule to be case insensitive.
5. Click Apply. The rule is listed in the Rule Summary table. You can click Edit to modify the rule or select it from the list at the top of the page, next to New. You can also delete the rule from the Rule Summary table. However, you cannot edit or delete rules if they are in use.
Click the arrow next to the rule name in the Rule Summary table to display its details.
2. Enter the Name for the nested rule.
3. Identify individual rules and select the appropriate operator (AND, OR) from the list. You can use the NOT operator by placing a check mark in the NOT box. ServerIron starts generating an expression for the Nested Rule, which will be visible in grey color in the Input Expression field.
4. To add brackets to an expression, select the option for the Input Expression field and build your own custom expression.
5. Click Apply when you have finished. The nested rule is created and is listed in the Rule Summary table.
2. Select New from the list.
3. Enter the name of the Layer 7 policy in the Name field.
4. Click Add. The fields to define the policy are displayed.
5. Select a rule from the Rule list. If a rule is not created already, then you can define one by clicking Create New Rule.
6. Select an action from the Action list. Depending on the selected Action, the display changes and the system asks for additional information.
7. Provide the required additional information and click Add Rule to Policy.
8. Repeat step 4 to step 7 if you wish to add more rules to this policy. You can also add a default rule to the policy.
The rule is listed in the policy table. You can delete a rule from the policy table by clicking Del. You can also click the down arrows to display details for a rule.
3. Select a virtual server from the Virtual Server list or click Create Virtual Server to create one.
4. Select a virtual port from the Virtual Port list or click Add Virtual Port to create one.
5. Select Enable to enable Layer 7 switching under the selected VIP and VIP port; select Disable to disable Layer 7 switching.
6. Select a request policy from the Request Policy list or click Create New Policy to create one.
7. Click Apply.
Click Request Rules to display a summary of Layer 7 rules for HTTP requests. Click the down arrow next to the rule name to display details for that rule. Rules that are not in use can be modified or deleted.
Click Request Policies to display a summary of Layer 7 policies for HTTP requests. Click the down arrow next to the policy name to display its details. You can edit or delete policies from the summary.
Click L7 Switching to display the summary of VIPs that are enabled with Layer 7 switching for HTTP requests. Click the down arrow next to the policy name to view its details. You can also click Edit to modify the policy or Unbind to remove the policy from the virtual server.
For example, the following shows a summary of the Layer 7 rules for HTTP requests.
Name: Name of the response rule.
Type: Select the type of the response rule: response status code, response header, or response body from the list. The display changes depending on the selected rule type. Fill in the requested data.
5. Click Apply. The new rule is listed in the Rule Summary table. You can edit or delete rules.
3. Select New from the list.
4. Enter the name of the Layer 7 policy for HTTP response in the Name field.
5. Click Add.
There are two types of Layer 7 HTTP response policies - HTTP header rewrite and HTTP body rewrite:
For HTTP header rewrite policy, click the down arrow next to Response Rewrite on HTTP Header and configure as described in Configuring Response Rewrite on HTTP Header on page 126.
For HTTP body rewrite policy, click the down arrow next to Response Rewrite on HTTP Body and configure as described in Configuring Response Rewrite on HTTP Body on page 127.
3. For Step 2 under the Response Rewrite on HTTP Header, select a rule from the HTTP Response Header Name & String Rule list that identifies an HTTP response header name and the string that needs to be rewritten. If the rule is not present, then click Create New Rule to create a new one.
4. Enter the New String Value. The Offset and Length parameters are automatically filled in.
5. Click Add Rules to Policy. The new Layer 7 Response Policy is added to the Policy table. You can click Del to delete a rule from inside the policy.
2. For Step 1 under the Response Rewrite on HTTP Body, select the HTTP Request Rule with the response packet that needs to be acted upon or select HTTP Response Rule to identify if the response packet needs to be acted upon. If the rule is not present, then click Create New Rule to create a new rule.
3. For Step 2 under Response Rewrite on HTTP Body, select the HTTP Response Body String Rule. If the rule is not present, then click Create New Rule to create a new rule.
4. After selecting the rule, its old value is displayed. If necessary, enter the new value for any of the fields displayed.
5. Click Add Rules to Policy.
The new Layer 7 Response Policy is added to the Policy table. You can click Del to delete a rule from inside the policy.
Virtual Server: Select the virtual server for which you wish to enable Layer 7 switching from the Virtual Server list. If none exists, then click Create Virtual Server to create one.
Virtual Port: Select a port from the Virtual Port list or click Add Virtual Port to create one.
Response Policy: Select a response policy from the Response Policy list or click Create New Policy to create one.
4. Click Apply.
Displaying Layer 7 Summary of Response Rules, Policies, and associated virtual servers
You can display summaries of Layer 7 rules, response policies, and associated virtual servers from the Summary tab. Select L7 Switching (Response) and click the Summary tab.
Click Response Rules to display the summary of response rules. Click the down arrow next to the rule name to display details for that rule. Rules that are not in use can be modified or deleted.
Click Response Policies to display a summary of a response policy. Click the down arrow next to the policy name to display its details. Click Edit if you wish to make changes, or Delete to delete the policy.
Click L7 Switching to display virtual servers that have Layer 7 response policies associated with them. Click the down arrow next to the policy name to view its details. You can also click Edit to modify the policy or Unbind to remove the policy from the virtual server.
You can click the down arrow to the right of Name to display details for a rule.
NOTE
A rule in use cannot be edited or deleted.
4. The Wizard guides you through the steps for creating a Layer 7 switching configuration.
1. Enter a name for the rule in the Name field. The type and operator for this rule are URL and Prefix, respectively. Select Case Insensitive if case sensitivity is not required.
2. Click Create to create the rule. This rule will then be displayed under the Rule summary table.
3. Repeat step 1 and step 2 within this procedure if you wish to create additional rules.
4. Click >> to continue to the next step.
3. Repeat step 1 and step 2 within this procedure if you wish to create additional rules.
4. Click >> to continue to the next step.
Chapter 11
Maintenance

In this chapter

Software upgrade overview
You can perform the following actions using the software upgrade window:
2. Enter the TFTP server IP address in the TFTP Server IP field.
3. Enter the image name in the Software Image Name field.
4. By default, the flash memory is set as Primary. Select Secondary to download the image to secondary memory.
5. Click Copy to start loading the software image. On successful completion, a status message is displayed, TFTP copy completed successfully. If an error occurs, an error message is displayed.
3. The current configured boot location is displayed on the screen. You can change the current boot location by selecting Primary or Secondary.
4. By default, the system is configured to boot from the Primary memory. Select Secondary to configure the boot from the secondary memory.
5. Click Save and Reboot. On successful reboot, a status message is displayed, System reboot complete. Now the system is up.
If any of the embedded system images, such as the boot image or other image files, require an update, an information message with further instructions to be performed using the CLI is displayed on the screen as shown below.
You must perform the following procedure using the CLI.
1. Connect your system to the ServerIron console connector using the serial cable.
2. Press Enter to bring up the command line prompt.
ServerIronADX1000>
ServerIronADX1000>enable
ServerIronADX1000#
3. Enter boot upgrade flash primary/Secondary as specified in the Web GUI boot upgrade message.
ServerIronADX1000#boot upgrade flash primary
The system will start rebooting. Wait until the following prompt comes up.
MP-Appl#
Chapter 12
Displaying Statistics

In this chapter

Statistics overview
Viewing system resources
Displaying traffic statistics for a real server
Displaying statistics for a real server port
Displaying statistics for a virtual server
Displaying statistics for virtual server port
Displaying global traffic statistics
Displaying interface statistics
Viewing Syslog entries
Statistics overview
The ServerIron GUI displays information about system CPU and memory resources; traffic statistics for real servers, virtual server and ports; details on system interfaces, ARP and MAC tables; and system resources. To view system statistics, click Overview on the context bar and select Statistics.
The System Resources page displays CPU and memory utilization of the management processor (MP), and CPU and session utilization of barrel processors (BP).
Select a real server from the list.
Click the left or right arrow to the sides of the list.
3. You can select how often the display is refreshed by selecting a value from the Refresh Interval list on the Live Chart bar. The default refresh interval is 10 seconds and it can be adjusted from 5 seconds to 2 minutes.
4. By default, auto-refresh is enabled. You can stop auto-refresh by clicking Stop. Resume the refresh by clicking Start again, or start over by clicking Reset.
The top portion of the display shows a summary for the real server. The remainder of the page contains several charts that show the statistical information for the real server:
Current Connection Rate on page 142
Current Connections on page 143
Connection Distribution among Application Ports on page 144
Total Accumulated Connections to Server on page 144
Total Accumulated Connections per Application Port on page 145
Received and Transmitted Packets among Application Ports on page 145
The charts show live client connections to the real servers and the number of packets that have been sent or received by the real server.
Current Connections
The Current Connections live chart shows the current connections to a selected real server. The X-axis displays the time interval, based on your selection for Refresh Interval. For example, if you selected 1-minute intervals, one-minute increments are displayed on the X-axis. The Y-axis shows the number of connections.
Select a real server from the Real Server list.
Click the left or right arrow to the sides of the Real Server list.
4. From the Real Port list, select a real port. Use one of the following methods:
Select a real port from the Real Port list.
Click the left or right arrow to the sides of the Real Port list.
The table at the top of the page displays information about the selected real server port.
5. To view statistics on the Live Chart, select the refresh rate from the Refresh Interval list.
6. Click Start to start or resume the data display, Stop to stop it, or Reset to start over again. The following charts are displayed:
Current Connections on Ports on page 147
Total Accumulated Connections on Ports on page 147
Received and Transmitted Packets on Ports on page 148
Select a virtual server from the list.
Click the left or right arrow to the sides of the list.
The top portion of the display shows a summary of the statistics for the virtual server.
4. You can select how often the display is refreshed by selecting a value from the Refresh Interval list on the Live Chart bar.
5. Click Start to begin or resume the statistics display. Click Stop to stop it or Reset to start over. The page displays the following charts:
Connection Distribution among Application Ports on page 149
Total Accumulated Connections to Server on page 150
Total Accumulated Connections per Port on page 150
Select a virtual server from the Virtual Server list.
Click the left or right arrow to the sides of the Virtual Server list.
4. From the Virtual Port list, select a virtual port. Use one of the following methods:
Select a virtual port from the Virtual Port list.
Click the left or right arrow to the sides of the Virtual Port list.
The top portion of the display shows the summary of statistics for the virtual server port.
5. You can select how often the display is refreshed by selecting a value from the Refresh Interval list on the Live Chart bar.
6. Click Start to start or resume the statistics display. Click Stop to stop it or Reset to start over. The page shows the following charts:
Current Connections on Ports on page 152
Current Connection Distribution among Real Servers on page 152
Total Accumulated Connections on page 153
Total Accumulated Connection Distribution among Real Servers on page 153
4. Click I/F Details to view more details for an interface. The Interface Details page provides data for the interface attributes, its utilization, and errors on the interface.
6. Click ARP to display the ARP Statistics and the entries in the ARP Cache. The ARP cache table shows IP to MAC address association.
NOTE
I/F Summary, I/F Details and ARP also display the management port statistics.
7. Click MAC to display Layer 2 MAC table information. The MAC Address table shows the association between a MAC address and a system port.
157
12
158