Friday, February 20, 2015

Alteon AppShape++ persistency and multiple scripts per service

Lab goal

Create a new VIP on 10.136.6.17.

Use an AppShape++ script to choose the preconfigured group/pool "10".

Once the load balancer chooses a server, all requests from the client's source IP should go to the same server. This is called persistence or stickiness.

Setup

I'll use my Loadbalancer Lab Setup.

The load balancer is Radware's Alteon VA version 29.5.1.0.

The initial Alteon VA configuration can be found here.

Notice the group and hosts are preconfigured:

/c/slb/real 1
        ena
        ipver v4
        rip 10.136.85.1
/c/slb/real 2
        ena
        ipver v4
        rip 10.136.85.2
/c/slb/real 3
        ena
        ipver v4
        rip 10.136.85.3
/c/slb/group 10
        ipver v4
        add 1
        add 2
        add 3

 

Alteon configuration

First the AppShape++ script:

/cfg/slb/appshape/script take_10/en/import


attach group 10

when HTTP_REQUEST {
    group select 10
}

-----END

Line 1 - Lets you copy and paste the whole text into Alteon's CLI. It defines the script if it does not exist, enables it and imports it.
Line 7 - Selects group 10 (group select 10).

Next, let's configure the VIP/virt with its services:

/c/slb/virt 6_17
       ena
       ipver v4
       vip 10.136.6.17
/c/slb/virt 6_17/service 80 http
       group 1
       rport 80
       pbind clientip norport
       dbind forceproxy
/c/slb/virt 6_17/service 80 http/appshape
       add 10 take_10

Line 8 - Adds the stickiness/persistence part (pbind clientip norport), based on the client's IP address.
Line 11 - Adds the AppShape++ script.

 

Test


This didn't go well. We still see that all servers were used and not just one.

The reason for that is that once we select a group/pool using AppShape++, Alteon will ignore pbind settings.

 

Another try

AppShape++ has the following command: persist

This command can be used to create persistence/stickiness.

One way to use this command is to fix our script. Another way is to create a second script and add it to the service. Using a separate script allows us to reuse it on more than one service/VIP.


/cfg/slb/appshape/script persist/en/import

when HTTP_REQUEST {
    persist source_addr 255.255.255.255
}

-----END

Line 4 - Creates persistence/stickiness by using the source IP address with a /32 mask.

Now let's add it to the service:

/c/slb/virt 6_17/service 80 http/appshape
       add 16 persist

Line 2 - We have added the new AppShape++ script to the service. We use priority 16, which means it will run after priority 10, which was the take_10 script.

 

Another Test 

It works! SRV3 was selected for all HTTP requests.

We can also have a look at the persistence table:


>> LB1 - Persistency Information# /i/slb/persist/dump 

 Printing Data Table Entries for SP 1
key-10.136.3.1,vs:10.136.6.17,80,g:10,value-g:10 rs:3 80, age 178
Total number of session IDs: 1

Line 1 - The command that shows all persistence objects (/i/slb/persist/dump).
Line 4 - My client (key-10.136.3.1) is using SRV3 (rs:3), and the idle timeout is 178 seconds (age 178).
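
To check stickiness from the dump rather than by eye, the sketch below parses /i/slb/persist/dump output and reports any client bound to more than one real server or to a group other than the one the script selected. This is an added example, not code from the original post or from Radware; the sample dump is constructed in the format of the entry shown above (its SP 2 block is invented to exercise the check), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the dump entry shown in the post (not real
# output). The SP 2 entry deliberately conflicts with SP 1 to exercise the check.
SAMPLE_DUMP = """\
 Printing Data Table Entries for SP 1
key-10.136.3.1,vs:10.136.6.17,80,g:10,value-g:10 rs:3 80, age 178
key-10.136.3.7,vs:10.136.6.17,80,g:10,value-g:10 rs:1 80, age 42
Total number of session IDs: 2
 Printing Data Table Entries for SP 2
key-10.136.3.7,vs:10.136.6.17,80,g:10,value-g:10 rs:2 80, age 12
Total number of session IDs: 1
"""

# Field meaning follows the post: key = client source IP, rs = real server, age = seconds.
ENTRY = re.compile(
    r"key-(?P<client>[\d.]+),vs:(?P<vip>[\d.]+),(?P<vport>\d+),g:(?P<group>\d+),"
    r"value-g:(?P<vgroup>\d+) rs:(?P<rs>\d+) (?P<rport>\d+), age (?P<age>\d+)"
)
SP_HEADER = re.compile(r"Printing Data Table Entries for SP (\d+)")
TOTAL = re.compile(r"Total number of session IDs: (\d+)")

def parse_dump(text):
    """Return (entries, problems); problems lists SP tables whose stated total
    differs from the number of entries parsed, i.e. lines the regex missed."""
    entries, problems, sp, count = [], [], None, 0
    for line in text.splitlines():
        if m := SP_HEADER.search(line):
            sp, count = int(m.group(1)), 0
        elif m := ENTRY.search(line):
            fields = {k: v if k in ("client", "vip") else int(v)
                      for k, v in m.groupdict().items()}
            entries.append({"sp": sp, **fields})
            count += 1
        elif (m := TOTAL.search(line)) and int(m.group(1)) != count:
            problems.append(f"SP {sp}: parsed {count}, table reports {m.group(1)}")
    return entries, problems

def stickiness_violations(entries, expected_group):
    """Clients bound to more than one real server, or to an unexpected group."""
    servers, bad = defaultdict(set), []
    for e in entries:
        servers[(e["client"], e["vip"], e["vport"])].add(e["rs"])
        if e["vgroup"] != expected_group:
            bad.append(f"{e['client']}: group {e['vgroup']}, expected {expected_group}")
    bad += [f"{k[0]}: real servers {sorted(v)}"
            for k, v in sorted(servers.items()) if len(v) > 1]
    return bad
```

Run parse_dump on the captured CLI output, then stickiness_violations(entries, 10); an empty list means every client in the table is pinned to one server in group 10.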

 

Summary

So we learned that not everything we configure on the VIP/virt service applies when we use AppShape++.

We also learned how and why to use more than one script per service.

Enjoy...

Monday, February 2, 2015

ACS 5.X REST API

For a typical network engineer, reading Cisco's REST API documentation looks really simple. All you need to do is to issue the following CLI command:
acs config-web-interface rest enable
But now what? Where are the examples? That's easy: all you need to do is download example code directly from the ACS administration UI. But that code is in Java, and several pages long for each example.
So let me do you a favor and show you how to extract a list of all ACS users without writing a single line of code:
wget -O user-list.xml --auth-no-challenge --http-user=acs_admin_user --http-password=admin_pass --no-check-certificate https://acs.ip.address.x/Rest/Identity/User 
A few things to notice:
  • It's a one-line UNIX command. A Windows version can be found here.
  • The output is an XML file called user-list.xml.
  • --no-check-certificate is needed because ACS has its own self-generated SSL certificate, and wget will fail to authenticate that certificate. This can be changed, but how many are actually using anything else?
  • --auth-no-challenge is used because ACS expects to use preemptive authentication.
Enjoy!