Dan's Network: Technical blog about network engineering<br />
Dan Shechter Gelles<br />
<br />
<h2>
PTT - Push To Talk</h2>
Posted 2017-11-01, updated 2017-11-08<br />
<br />
When was the last time you were looking for the unmute button in Webex and it took you more than two seconds to find it?<br />
<br />
When was the last time you thought you were on mute but actually everyone could hear you snore?<br />
<br />
I spend a lot of time in conference calls. This mute thing happens to me a lot.<br />
<br />
PTT stands for Push To Talk, as on a walkie-talkie. The computer mic is normally muted, and it is unmuted only for as long as I hold down the PTT button.<br />
<br />
I couldn't find any such off-the-shelf device, so I decided to create one on my own.<br />
<br />
To do so I had to integrate a few components. Here is the flow of things:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvFtBiKQuUciOIeStMRS6zsPKKzQqNUCzTZdbIGCjUL5GPnN4mrl_G36gGxbBLJDkw663ChZBT6YkhUw6dm7MdqCG-MPDV5GfpJd0yjDYjgqGyqsQtMgjG7r1sqR9cKqlc8aGoKlnVDbs/s1600/Blank+Diagram+-+Page+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="280" data-original-width="940" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvFtBiKQuUciOIeStMRS6zsPKKzQqNUCzTZdbIGCjUL5GPnN4mrl_G36gGxbBLJDkw663ChZBT6YkhUw6dm7MdqCG-MPDV5GfpJd0yjDYjgqGyqsQtMgjG7r1sqR9cKqlc8aGoKlnVDbs/s640/Blank+Diagram+-+Page+1.png" width="640" /></a></div>
<br />
When I press a button on my special device, it sends the key combination "PrintScreen+F11". A program called <a href="https://www.autohotkey.com/">AutoHotKey</a> then intercepts that key combination and runs an application I wrote that controls the computer mic.<br />
<br />
<h3>
The PTT button</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcriNyp3Gr4wTnK5cKv0K9Uzw8A-7luQkBIgp7Y37pXyj0lKVxuDM1WwIAgaV_BGNAjLnCwt40t4LcHTMLx-fqEdK0x65CnQiqpsNKmcW9ixq9rt6mnjxamr6TWMwPCFtT5H-cdoR_enAH/s1600/IMG_20171101_160636.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcriNyp3Gr4wTnK5cKv0K9Uzw8A-7luQkBIgp7Y37pXyj0lKVxuDM1WwIAgaV_BGNAjLnCwt40t4LcHTMLx-fqEdK0x65CnQiqpsNKmcW9ixq9rt6mnjxamr6TWMwPCFtT5H-cdoR_enAH/s320/IMG_20171101_160636.jpg" width="240" /></a></div>
<div>
<br /></div>
<div>
I am using an <a href="https://arduino.cc/">Arduino</a>-like microcontroller called <a href="https://www.pjrc.com/store/teensylc.html">Teensy LC</a>. I value my time and my money, and there is nothing better than the <a href="https://www.pjrc.com/teensy/">Teensy</a> line of microcontrollers, which are very powerful and Arduino IDE based, with excellent support and superb software quality.</div>
<div>
<br /></div>
<div>
I decided to use two buttons, as sometimes I am the star of the meeting and I don't want to keep pressing the PTT button all the time. The "toggle button" will flip the default mic state.</div>
<div>
<br /></div>
<div>
I also added an LED to show red when unmuted and green when muted.</div>
<div>
<br /></div>
<div>
<iframe src="https://pastebin.com/embed_iframe/cV6W648J" style="border: none; height: 300px; width: 100%;"></iframe>
<br />
<h3>
AutoHotKey</h3>
<div>
<a href="https://www.autohotkey.com/">AutoHotKey </a>is a program that can run macros when a key is pressed. I use it to capture the keyboard signals from the button device and run the MuteMe.exe program.</div>
<div>
<br /></div>
<div>
Here is the code:<br />
<br />
<br /></div>
</div>
<iframe src="https://pastebin.com/embed_iframe/yqMpt5mT" style="border: none; width: 100%;"></iframe><br />
<br />
<h3>
MuteMe.exe</h3>
<div>
<br /></div>
<div>
I don't know how to write a program to mute, but <a href="http://www.computercabal.com/2010/11/mute-microphone-from-c-on-windows.html">Computer Cabal</a> knows, and I shamelessly used his code.</div>
<div>
<br /></div>
<div>
I had to do some modifications:</div>
<div>
<ol>
<li>I found no need to mute and unmute before actually muting or unmuting each and every time I run the program. I think he/she had a specific problem with their setup. It works on my laptop without it.</li>
<li>I added a method to detect what the current mic status is.</li>
<li>I changed the main program to accept a parameter. If it is "0" then mute, if it is "1" then unmute.</li>
</ol>
<div>
Here is the code</div>
<div>
<br /></div>
<div>
<br />
CoreAudioMicMute.cs:</div>
<br />
<iframe src="https://pastebin.com/embed_iframe/McpR75M7" style="border: none; width: 100%;"></iframe>
<br />
<br />
WindowsMicMute.cs:<br />
<iframe src="https://pastebin.com/embed_iframe/1LXcnwtk" style="border: none; width: 100%;"></iframe>
<br />
<br />
MuteMe.cs:<br />
<iframe src="https://pastebin.com/embed_iframe/WrCiVVV7" style="border: none; width: 100%;"></iframe>
</div>
<br />
<h2>
dt_aclcheck - Find a match in extended access list.</h2>
Posted 2016-03-10<br />
<br />
Some ACLs are short, some ACLs are really long!<br />
<br />
<textarea cols="80" rows="20" style="font-family: "courier new" , "courier" , monospace; font-size: small;">access-list 100 permit gre host 4.2.4.66 host 4.55.3.1
access-list 100 permit ip any host 8.7.110.3
access-list 100 permit icmp any host 4.1.72.186
access-list 100 permit tcp any any eq 22 established
access-list 100 permit ip host 64.251.10.175 host 8.7.108.94
access-list 100 permit tcp host 2.201.145.67 any eq telnet
access-list 100 deny tcp host 202.156.182.196 host 8.7.109.70 log
access-list 100 deny tcp host 202.156.2.18 host 8.7.109.70 log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.0.0.0 0.31.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 8.7.108.0 0.0.0.252 any log
access-list 100 permit tcp host 75.149.49.36 any
access-list 100 permit ip any host 8.7.111.32
access-list 100 permit ip any host 8.7.111.33
access-list 100 permit tcp host 64.251.10.175 any
access-list 100 permit icmp any host 8.7.108.180
access-list 100 permit icmp any host 8.7.108.181
access-list 100 permit tcp any host 8.7.108.180 eq 443
access-list 100 permit udp any host 8.7.108.180 eq 3544
access-list 100 permit tcp any host 8.7.108.181 eq 443
access-list 100 permit udp any host 8.7.108.181 eq 3544
access-list 100 permit tcp any host 8.7.109.186 eq ftp-data
access-list 100 permit tcp any host 8.7.109.186 eq ftp
access-list 100 permit tcp any host 8.7.109.186 gt 1023
access-list 100 permit tcp any host 8.7.109.61 eq www
access-list 100 permit icmp any host 8.7.109.61
access-list 100 permit tcp any host 8.7.109.62 eq www
access-list 100 permit icmp any host 8.7.109.62
access-list 100 permit tcp any host 8.7.109.63 eq www
access-list 100 permit icmp any host 8.7.109.63
access-list 100 permit tcp any host 8.7.109.64 eq www
access-list 100 permit icmp any host 8.7.109.64
access-list 100 permit tcp any host 8.7.109.67 eq www
access-list 100 permit icmp any host 8.7.109.67
access-list 100 permit tcp any host 8.7.109.68 eq www
access-list 100 permit icmp any host 8.7.109.68
access-list 100 permit tcp any host 8.7.109.30 eq www
access-list 100 permit icmp any host 8.7.109.30
access-list 100 permit tcp any host 8.7.109.21 eq www
access-list 100 permit icmp any host 8.7.109.21
access-list 100 permit tcp any host 8.7.109.22 eq www
access-list 100 permit icmp any host 8.7.109.22
access-list 100 permit tcp any host 8.7.109.23 eq www
access-list 100 permit icmp any host 8.7.109.23
access-list 100 permit tcp any host 8.7.109.24 eq www
access-list 100 permit icmp any host 8.7.109.24
access-list 100 permit tcp any host 8.7.110.21 eq www
access-list 100 permit icmp any host 8.7.110.21
access-list 100 permit tcp any host 8.7.110.22 eq www
access-list 100 permit icmp any host 8.7.110.22
access-list 100 permit tcp any host 8.7.110.23 eq www
access-list 100 permit icmp any host 8.7.110.23
access-list 100 permit tcp any host 8.7.110.24 eq www
access-list 100 permit icmp any host 8.7.110.24
access-list 100 permit tcp any host 8.7.111.106 eq 443
access-list 100 permit tcp host 69.60.116.220 host 8.7.109.179 eq www
access-list 100 permit tcp host 69.60.116.221 host 8.7.109.179 eq www
access-list 100 permit tcp host 69.60.116.222 host 8.7.109.179 eq www
access-list 100 permit tcp host 69.60.116.223 host 8.7.109.179 eq www
access-list 100 permit tcp host 69.60.116.224 host 8.7.109.179 eq www
access-list 100 permit tcp host 65.111.170.190 host 8.7.109.179 eq www
access-list 100 permit tcp host 65.111.170.191 host 8.7.109.179 eq www
access-list 100 permit tcp host 65.111.170.192 host 8.7.109.179 eq www
access-list 100 permit tcp host 65.111.170.179 host 8.7.109.179 eq www
access-list 100 permit tcp host 64.251.26.117 host 8.7.109.179 eq www
access-list 100 permit tcp host 64.251.26.118 host 8.7.109.179 eq www
access-list 100 permit tcp host 65.111.166.64 host 8.7.109.179 eq www
access-list 100 permit tcp host 65.111.166.65 host 8.7.109.179 eq www
access-list 100 permit tcp host 85.13.210.66 host 8.7.109.179 eq www
access-list 100 permit tcp host 85.13.208.154 host 8.7.109.179 eq www
access-list 100 permit tcp host 85.13.209.34 host 8.7.109.179 eq www
access-list 100 permit tcp host 85.13.205.139 host 8.7.109.179 eq www
access-list 100 permit tcp host 85.13.205.140 host 8.7.109.179 eq www
access-list 100 permit tcp host 85.13.205.141 host 8.7.109.179 eq www
access-list 100 permit tcp host 85.13.205.142 host 8.7.109.179 eq www
access-list 100 permit tcp host 203.92.34.25 host 8.7.109.179 eq www
access-list 100 permit tcp host 203.92.34.26 host 8.7.109.179 eq www
access-list 100 permit tcp host 64.130.221.146 host 8.7.109.179 eq www
access-list 100 permit tcp host 64.130.221.147 host 8.7.109.179 eq www
access-list 100 permit tcp host 111.125.163.134 host 8.7.109.179 eq www
access-list 100 permit tcp host 111.125.163.135 host 8.7.109.179 eq www
access-list 100 permit tcp any any eq domain
access-list 100 permit udp any any eq domain
access-list 100 permit icmp any host 8.7.109.93
access-list 100 permit icmp any host 8.7.109.92
access-list 100 permit icmp any host 8.7.108.11
access-list 100 permit icmp any host 8.7.108.12
access-list 100 permit tcp any host 8.7.109.73 eq www
access-list 100 permit tcp any host 8.7.109.73 eq 443
access-list 100 permit icmp any host 8.7.109.73
access-list 100 permit tcp any host 8.7.109.176 eq www
access-list 100 permit tcp any host 8.7.109.176 eq 443
access-list 100 permit icmp any host 8.7.109.176
access-list 100 permit tcp any host 8.7.109.29 eq www
access-list 100 permit icmp any host 8.7.109.29
access-list 100 permit tcp any host 8.7.109.74 eq www
access-list 100 permit icmp any host 8.7.109.74
access-list 100 permit tcp any host 8.7.109.175 eq www
access-list 100 permit icmp any host 8.7.109.175
access-list 100 permit tcp any host 8.7.109.88 eq www
access-list 100 permit tcp any host 8.7.109.154 eq www
access-list 100 permit icmp any host 8.7.109.154
access-list 100 permit tcp any host 8.7.109.78 eq www
access-list 100 permit icmp any host 8.7.109.78
access-list 100 permit tcp any host 8.7.109.155 eq www
access-list 100 permit tcp any host 8.7.109.155 eq 443
access-list 100 permit icmp any host 8.7.109.155
access-list 100 permit tcp any host 8.7.109.168 eq www
access-list 100 permit icmp any host 8.7.109.168
access-list 100 permit tcp any host 8.7.109.137 eq www
access-list 100 permit icmp any host 8.7.109.137
access-list 100 permit tcp any host 8.7.109.138 eq www
access-list 100 permit tcp any host 8.7.109.138 eq 443
access-list 100 permit tcp any host 8.7.111.108 eq www
access-list 100 permit icmp any host 8.7.109.138
access-list 100 permit tcp any host 8.7.109.139 eq www
access-list 100 permit tcp any host 8.7.109.139 eq 443
access-list 100 permit icmp any host 8.7.109.139
access-list 100 permit tcp 63.81.16.64 0.0.0.63 host 8.7.109.85 eq www
access-list 100 permit tcp any host 8.7.109.85 eq 443
access-list 100 permit icmp any host 8.7.109.85
access-list 100 permit tcp any host 8.7.109.150 eq 443
access-list 100 permit icmp any host 8.7.109.150
access-list 100 permit tcp any host 8.7.109.86 eq 443
access-list 100 permit icmp any host 8.7.109.86
access-list 100 permit tcp any host 8.7.109.151 eq 443
access-list 100 permit icmp any host 8.7.109.151
access-list 100 permit tcp any host 8.7.109.87 eq www
access-list 100 permit icmp any host 8.7.109.87
access-list 100 permit tcp any host 8.7.109.152 eq www
access-list 100 permit icmp any host 8.7.109.152
access-list 100 permit icmp any host 8.7.109.88
access-list 100 permit tcp any host 8.7.109.153 eq www
access-list 100 permit icmp any host 8.7.109.153
access-list 100 permit tcp any host 8.7.109.169 eq www
access-list 100 permit icmp any host 8.7.109.169
access-list 100 permit tcp any host 8.7.109.170 eq www
access-list 100 permit icmp any host 8.7.109.170
access-list 100 permit tcp any host 8.7.109.171 eq www
access-list 100 permit icmp any host 8.7.109.171
access-list 100 permit tcp any host 8.7.109.172 eq www
access-list 100 permit icmp any host 8.7.109.172
access-list 100 permit tcp any host 8.7.109.173 eq www
access-list 100 permit icmp any host 8.7.109.173
access-list 100 permit tcp any host 8.7.109.174 eq www
access-list 100 permit icmp any host 8.7.109.174
access-list 100 permit tcp any host 8.7.109.178 eq 443
access-list 100 permit tcp any host 8.7.109.156 eq www
access-list 100 permit tcp any host 8.7.109.156 eq 443
access-list 100 permit icmp any host 8.7.109.156
access-list 100 permit tcp any host 8.7.109.162 eq www
access-list 100 permit icmp any host 8.7.109.162
access-list 100 permit tcp any host 8.7.109.76 eq www
access-list 100 permit icmp any host 8.7.109.76
access-list 100 permit tcp any host 8.7.109.157 eq 443
access-list 100 permit tcp any host 8.7.109.157 eq www
access-list 100 permit icmp any host 8.7.109.157
access-list 100 permit tcp any host 8.7.109.163 eq www
access-list 100 permit icmp any host 8.7.109.163
access-list 100 permit tcp any host 8.7.109.164 eq www
access-list 100 permit icmp any host 8.7.109.164
access-list 100 permit tcp any host 8.7.109.166 eq www
access-list 100 permit icmp any host 8.7.109.166
access-list 100 permit tcp any host 8.7.109.165 eq www
access-list 100 permit icmp any host 8.7.109.165
access-list 100 permit tcp any host 8.7.109.190 eq 443
access-list 100 permit icmp any host 8.7.109.190
access-list 100 permit tcp any host 8.7.109.158 eq www
access-list 100 permit icmp any host 8.7.109.158
access-list 100 permit tcp any host 8.7.109.159 eq www
access-list 100 permit icmp any host 8.7.109.159
access-list 100 permit tcp any host 8.7.109.160 eq www
access-list 100 permit icmp any host 8.7.109.160
access-list 100 permit tcp any host 8.7.109.161 eq 443
access-list 100 permit icmp any host 8.7.109.161
access-list 100 permit tcp any host 8.7.109.161 eq www
access-list 100 permit tcp any host 8.7.109.70 eq www
access-list 100 permit tcp any host 8.7.109.70 eq 443
access-list 100 permit tcp any host 8.7.109.70 eq 1164
access-list 100 permit tcp any host 8.7.109.70 eq 1165
access-list 100 permit icmp any host 8.7.109.70
access-list 100 permit tcp any host 8.7.109.133 eq www
access-list 100 permit tcp any host 8.7.109.133 eq 443
access-list 100 permit icmp any host 8.7.109.133
access-list 100 permit tcp any host 8.7.109.71 eq www
access-list 100 permit icmp any host 8.7.109.71
access-list 100 permit tcp any host 8.7.109.140 eq www
access-list 100 permit icmp any host 8.7.109.140
access-list 100 permit tcp any host 8.7.109.142 eq www
access-list 100 permit tcp any host 8.7.109.142 eq 443
access-list 100 permit icmp any host 8.7.109.142
access-list 100 permit tcp any host 8.7.109.141 eq www
access-list 100 permit icmp any host 8.7.109.141
access-list 100 permit tcp any host 8.7.109.72 eq 443
access-list 100 permit icmp any host 8.7.109.72
access-list 100 permit tcp any host 8.7.109.31 eq 443
access-list 100 permit icmp any host 8.7.109.31
access-list 100 permit tcp any host 8.7.109.82 eq www
access-list 100 permit icmp any host 8.7.109.82
access-list 100 permit tcp any host 8.7.109.134 eq www
access-list 100 permit icmp any host 8.7.109.134
access-list 100 permit tcp any host 8.7.109.83 eq www
access-list 100 permit icmp any host 8.7.109.83
access-list 100 permit tcp any host 8.7.109.135 eq www
access-list 100 permit icmp any host 8.7.109.135
access-list 100 permit tcp any host 8.7.109.84 eq www
access-list 100 permit icmp any host 8.7.109.84
access-list 100 permit tcp any host 8.7.109.136 eq 443
access-list 100 permit tcp any host 8.7.109.136 eq www
access-list 100 permit icmp any host 8.7.109.136
access-list 100 permit tcp any host 8.7.109.26 eq www
access-list 100 permit tcp any host 8.7.109.26 eq 443
access-list 100 permit icmp any host 8.7.109.26
access-list 100 permit tcp any host 8.7.109.167 eq www
access-list 100 permit tcp any host 8.7.109.167 eq 443
access-list 100 permit icmp any host 8.7.109.167
access-list 100 permit tcp any host 8.7.109.184 eq www
access-list 100 permit icmp any host 8.7.109.184
access-list 100 permit tcp any host 8.7.109.188 eq www
access-list 100 permit icmp any host 8.7.109.188
access-list 100 permit tcp any host 8.7.109.189 eq www
access-list 100 permit tcp any host 8.7.109.189 eq 443
access-list 100 permit icmp any host 8.7.109.189
access-list 100 permit tcp any host 8.7.109.185 eq 443
access-list 100 permit esp any host 8.7.108.68
access-list 100 permit ahp any host 8.7.108.68
access-list 100 permit icmp any host 8.7.108.68
access-list 100 permit udp any host 8.7.108.68 eq isakmp
access-list 100 permit gre host 8.7.110.1 host 8.7.108.98
access-list 100 permit gre host 8.7.108.98 host 8.7.110.1
access-list 100 permit gre host 8.7.110.1 host 144.223.249.94
access-list 100 permit gre host 144.223.249.94 host 8.7.110.1
access-list 100 permit ip host 144.223.246.46 host 144.223.246.45
access-list 100 permit ip host 144.223.246.45 host 144.223.246.46
access-list 100 permit ip host 65.173.2.226 host 65.173.2.225
access-list 100 permit ip host 65.173.2.225 host 65.173.2.226
access-list 100 permit ip host 144.223.249.94 host 144.223.249.93
access-list 100 permit ip host 144.223.249.93 host 144.223.249.94
access-list 100 permit ip host 4.79.40.157 host 4.79.40.158
access-list 100 permit ip host 4.79.40.158 host 4.79.40.157
access-list 100 permit ip host 206.223.117.60 host 206.223.117.126
access-list 100 permit ip host 206.223.117.126 host 206.223.117.60
access-list 100 permit ip host 206.223.117.60 host 206.223.117.116
access-list 100 permit ip host 206.223.117.116 host 206.223.117.60
access-list 100 permit ip host 206.51.39.254 host 206.51.39.53
access-list 100 permit ip host 206.51.38.254 host 206.51.38.53
access-list 100 permit tcp 144.223.249.92 0.0.0.3 144.223.249.92 0.0.0.3 eq bgp
access-list 100 permit icmp 144.223.249.92 0.0.0.3 144.223.249.92 0.0.0.3
access-list 100 permit tcp 206.223.116.0 0.0.0.255 host 206.223.116.113 eq bgp
access-list 100 permit tcp host 206.223.116.113 206.223.116.0 0.0.0.255 eq bgp
access-list 100 permit icmp 206.223.116.0 0.0.0.255 host 206.223.116.113
access-list 100 permit tcp 198.32.176.0 0.0.0.255 host 198.32.176.204 eq bgp
access-list 100 permit tcp host 198.32.176.204 198.32.176.0 0.0.0.255 eq bgp
access-list 100 permit icmp 198.32.176.0 0.0.0.255 host 198.32.176.204
access-list 100 permit tcp 206.223.115.0 0.0.0.255 host 206.223.115.11 eq bgp
access-list 100 permit tcp 206.126.236.0 0.0.3.255 host 206.126.236.11 eq bgp
access-list 100 permit icmp 206.223.115.0 0.0.0.255 host 206.223.115.11
access-list 100 permit icmp 206.126.236.0 0.0.3.255 host 206.126.236.11
access-list 100 permit ip host 4.71.112.65 host 4.71.112.66
access-list 100 permit tcp host 4.31.72.185 host 4.31.72.186 eq bgp
access-list 100 permit icmp host 4.31.72.185 host 4.31.72.186 echo
access-list 100 permit icmp host 4.31.72.185 host 4.31.72.186 echo-reply
access-list 100 permit ip host 206.51.37.254 host 206.51.37.96
access-list 100 permit ip host 206.51.36.254 host 206.51.36.96
access-list 100 permit ip host 63.80.145.231 host 137.39.2.25
access-list 100 permit ip host 137.39.2.25 host 63.80.145.231
access-list 100 permit icmp host 137.39.2.25 host 63.80.145.231
access-list 100 permit icmp host 63.80.145.231 host 137.39.2.25
access-list 100 permit tcp 206.197.187.0 0.0.0.255 host 206.197.187.7 eq bgp
access-list 100 permit tcp host 206.197.187.7 206.197.187.0 0.0.0.255 eq bgp
access-list 100 permit icmp 206.197.187.0 0.0.0.255 host 206.197.187.7
access-list 100 permit tcp any host 8.7.111.125 eq 443
access-list 100 permit icmp any host 8.7.111.125
access-list 100 permit tcp any host 8.7.111.91 eq 443
access-list 100 permit icmp any host 8.7.111.91
access-list 100 permit tcp host 125.19.31.142 host 8.7.111.92 eq 443
access-list 100 permit icmp host 125.19.31.142 host 8.7.111.92
access-list 100 permit tcp any host 8.7.111.56 eq 443
access-list 100 permit icmp any host 8.7.111.56
access-list 100 permit tcp any host 8.7.111.61 eq smtp
access-list 100 permit icmp any host 8.7.111.61
access-list 100 permit tcp any host 8.7.111.50 eq smtp
access-list 100 permit icmp any host 8.7.111.50
access-list 100 permit tcp any host 8.7.111.60 eq smtp
access-list 100 permit icmp any host 8.7.111.60
access-list 100 permit tcp any host 8.7.111.52 eq smtp
access-list 100 permit tcp any host 8.7.111.52 eq 8100
access-list 100 permit tcp any host 8.7.111.52 eq 143
access-list 100 permit icmp any host 8.7.111.52
access-list 100 permit tcp any host 8.7.111.51 eq 443
access-list 100 permit icmp any host 8.7.111.51
access-list 100 permit tcp any host 8.7.111.53 eq 443
access-list 100 permit icmp any host 8.7.111.53
access-list 100 permit tcp host 68.165.105.15 host 8.7.111.249 eq pop3
access-list 100 permit tcp any host 8.7.111.30 eq 443
access-list 100 permit esp any host 8.7.111.30
access-list 100 permit ahp any host 8.7.111.30
access-list 100 permit icmp any host 8.7.111.30
access-list 100 permit udp any host 8.7.111.30 eq isakmp
access-list 100 permit tcp any host 8.7.111.30 eq 10000
access-list 100 permit esp any host 8.7.111.29
access-list 100 permit ahp any host 8.7.111.29
access-list 100 permit icmp any host 8.7.111.29
access-list 100 permit udp any host 8.7.111.29 eq isakmp
access-list 100 permit tcp any host 8.7.111.29 eq 10000
access-list 100 permit ip any host 8.7.111.21
access-list 100 permit ip any host 8.7.111.70
access-list 100 permit tcp any host 8.7.111.49 eq 22
access-list 100 permit tcp host 216.131.127.209 host 8.7.111.49 eq 443
access-list 100 permit tcp any host 8.7.111.53 eq 444
access-list 100 permit tcp any host 8.7.111.55 eq 443
access-list 100 permit tcp any host 8.7.111.54 eq 443
access-list 100 permit tcp any host 8.7.111.54 eq 446
access-list 100 permit tcp any host 8.7.111.109 eq www
access-list 100 permit tcp any host 8.7.111.109 eq 1182
access-list 100 permit tcp any host 8.7.111.109 eq 1183
access-list 100 permit tcp any host 8.7.111.109 eq 443
access-list 100 permit icmp any host 8.7.111.109
access-list 100 permit tcp any host 8.7.111.71 eq 3061
access-list 100 permit tcp any host 8.7.111.253 eq www
access-list 100 permit icmp any host 8.7.111.253
access-list 100 permit ip any host 8.7.111.118
access-list 100 permit ip any host 8.7.111.119
access-list 100 permit ip any host 8.7.111.120
access-list 100 permit tcp any host 8.7.111.120 eq www
access-list 100 permit tcp any host 8.7.111.120 eq 443
access-list 100 permit tcp any host 8.7.111.120 eq 5901
access-list 100 permit icmp any host 8.7.111.120
access-list 100 permit tcp any host 8.7.111.122 eq 443
access-list 100 permit tcp any host 8.7.111.122 eq 444
access-list 100 permit tcp any host 8.7.111.122 eq 446
access-list 100 permit icmp any host 8.7.111.122
access-list 100 permit tcp any host 8.7.111.121 eq www
access-list 100 permit tcp any host 8.7.111.121 eq 443
access-list 100 permit icmp any host 8.7.111.121
access-list 100 permit tcp host 8.7.108.94 host 8.7.108.97 eq bgp
access-list 100 permit tcp host 8.7.108.94 host 8.7.108.98 eq bgp
access-list 100 permit icmp any host 8.7.108.97
access-list 100 permit icmp any host 8.7.108.98
access-list 100 permit icmp any host 8.7.108.123
access-list 100 permit icmp any host 8.7.108.124
access-list 100 permit icmp any host 8.7.108.125
access-list 100 permit tcp any host 8.7.111.101 eq 5061
access-list 100 permit tcp any host 8.7.111.101 eq 443
access-list 100 permit tcp any host 8.7.111.101 eq 5269
access-list 100 permit tcp any host 8.7.111.102 eq 443
access-list 100 permit tcp any host 8.7.111.103 eq 443
access-list 100 permit udp any host 8.7.111.103 eq 3478
access-list 100 permit tcp any host 8.7.111.104 eq 443
access-list 100 permit tcp any host 8.7.111.105 eq 105
access-list 100 permit tcp any host 8.7.111.105 eq 443
access-list 100 permit icmp any host 8.7.108.126
access-list 100 permit icmp any host 8.7.108.129
access-list 100 permit tcp 125.19.41.0 0.0.0.240 host 8.7.111.16 eq www
access-list 100 permit tcp 69.63.0.0 0.0.240.255 host 8.7.111.16 eq www
access-list 100 permit tcp 204.15.20.0 0.0.3.255 host 8.7.111.16 eq www
access-list 100 permit tcp any host 8.7.111.68 eq 22
access-list 100 permit tcp 80.67.69.0 0.0.0.255 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp 80.67.82.0 0.0.0.255 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp 72.246.199.0 0.0.0.255 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp 72.246.4.0 0.0.3.255 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp host 80.67.64.20 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp host 72.246.199.231 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp 72.247.245.0 0.0.0.255 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp 96.17.65.0 0.0.0.255 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp 96.17.66.0 0.0.0.255 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp 96.17.12.0 0.0.0.255 host 8.7.111.68 range ftp-data ftp
access-list 100 permit gre host 8.7.108.95 host 144.223.246.46
access-list 100 permit tcp 96.17.67.0 0.0.0.255 host 8.7.111.68 range ftp-data ftp
access-list 100 permit tcp any host 8.7.111.68 range ftp-data ftp
access-list 100 permit icmp host 199.171.54.34 host 157.130.193.226
access-list 100 permit icmp host 199.171.54.42 host 157.130.193.226
access-list 100 permit icmp host 153.39.16.40 host 157.130.193.226
access-list 100 permit icmp host 153.39.16.42 host 157.130.193.226
access-list 100 permit icmp host 147.225.26.91 host 157.130.193.226
access-list 100 permit icmp host 147.225.26.93 host 157.130.193.226
access-list 100 permit icmp host 153.39.50.6 host 63.65.129.138
access-list 100 permit icmp host 199.171.54.34 host 63.65.129.138
access-list 100 permit icmp host 199.171.54.42 host 63.65.129.138
access-list 100 permit icmp host 153.39.16.40 host 63.65.129.138
access-list 100 permit icmp host 153.39.16.42 host 63.65.129.138
access-list 100 permit icmp host 147.225.26.91 host 63.65.129.138
access-list 100 permit icmp host 147.225.26.93 host 63.65.129.138
access-list 100 permit icmp host 153.39.50.6 host 63.65.129.142
access-list 100 permit icmp host 199.171.54.34 host 63.65.129.142
access-list 100 permit icmp host 199.171.54.42 host 63.65.129.142
access-list 100 permit icmp host 153.39.16.40 host 63.65.129.142
access-list 100 permit icmp host 153.39.16.42 host 63.65.129.142
access-list 100 permit icmp host 147.225.26.91 host 63.65.129.142
access-list 100 permit icmp host 147.225.26.93 host 63.65.129.142
access-list 100 permit icmp host 153.39.50.6 host 63.80.145.231
access-list 100 permit icmp host 199.171.54.34 host 63.80.145.231
access-list 100 permit icmp host 199.171.54.42 host 63.80.145.231
access-list 100 permit icmp host 153.39.16.40 host 63.80.145.231
access-list 100 permit icmp host 153.39.16.42 host 63.80.145.231
access-list 100 permit icmp host 147.225.26.91 host 63.80.145.231
access-list 100 permit icmp host 147.225.26.93 host 63.80.145.231
access-list 100 deny icmp any any echo
access-list 100 deny icmp any any traceroute log
access-list 100 permit icmp any any
access-list 100 permit tcp any any established
access-list 100 permit tcp any any gt 1023 established
access-list 100 permit udp any any gt 1023
access-list 100 permit tcp any host 8.7.108.92 eq 123
access-list 100 permit udp any host 8.7.108.92 eq ntp
access-list 100 permit tcp any host 8.7.108.93 eq 123
access-list 100 permit udp any host 8.7.108.93 eq ntp
access-list 100 permit tcp any host 8.7.108.94 eq 22
access-list 100 permit gre host 144.228.44.94 host 8.7.110.1
access-list 100 permit ip 8.7.108.0 0.0.3.255 any
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any any eq 137
access-list 100 deny ip any any </textarea><br />
<br />
Here is a question: would TCP traffic from any source to 8.7.109.176 port 443 match any of the ACEs?<br />
<br />
With dt_aclcheck.tcl, it is easy:<br />
<br />
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;">IOU1#<b>tclsh unix:dt_aclcheck.tcl 100 tcp <span style="font-family: "courier new" , "courier" , monospace;">any</span> 8.7.109.176 1234 443</b><br />01<br /> 950 permit tcp any host 8.7.109.176 eq 443<br /> 4040 permit tcp any any established</span></span><br />
<br />
<br />
How about icmp?<br />
<br />
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;">IOU1#<b>tclsh unix:dt_aclcheck.tcl 100 icmp any any</b><br />01<br /> 4010 deny icmp any any echo<br /> 4020 deny icmp any any traceroute log<br /> 4030 permit icmp any any<br /> 4160 deny ip any any</span></span> <br />
<br />
Here is the syntax for the command:<br />
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;"><br /></span></span><span style="font-size: small;">
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;">IOU1#<b>tclsh unix:dt_aclcheck.tcl</b> <br />Usage - dt_aclMatch.tcl <acl_name> <protocol> <source IP> <destination IP> [source port] [destination port]</span></span></span><br />
<br />
Grab the <a href="http://dans-net.com/tcl/dt_aclcheck.tcl">file HERE</a>, and upload it to the router. Enjoy!<br />
<br />
And let me know if you need any help with this. <br />
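The kind of lookup shown above, modelled offline as an added example; this is not the dt_aclcheck.tcl script and does not reproduce its output rules. It evaluates a concrete packet (not an "any" query) against a constructed excerpt of access-list 100, so sequence numbers restart at 10; the function names, the packet fields and the 198.51.100.7 source are assumptions.<br />

```python
import ipaddress

# Constructed excerpt: ACEs copied from access-list 100 above, same relative order.
# Sequence numbers restart at 10 here, so they differ from the router output.
ACL_TEXT = """\
access-list 100 permit tcp any any eq 22 established
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 8.7.108.0 0.0.0.252 any log
access-list 100 permit tcp any host 8.7.109.176 eq www
access-list 100 permit tcp any host 8.7.109.176 eq 443
access-list 100 permit tcp 80.67.69.0 0.0.0.255 host 8.7.111.68 range ftp-data ftp
access-list 100 deny icmp any any echo
access-list 100 permit icmp any any
access-list 100 permit tcp any any established
access-list 100 permit udp any any gt 1023
access-list 100 deny ip any any
"""

PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
         "www": 80, "pop3": 110, "ntp": 123, "bgp": 179, "isakmp": 500}
ICMP_TYPES = {"echo-reply": 0, "echo": 8}
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> operand count

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(toks):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (base, wildcard)."""
    tok = toks.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(toks.pop(0)), 0
    return _ip(tok), _ip(toks.pop(0))

def _take_port(toks):
    """Consume an optional port operator; return (op, [ports]) or None."""
    if not toks or toks[0] not in PORT_OPS:
        return None
    op, ports = toks.pop(0), []
    for _ in range(PORT_OPS[op]):
        tok = toks.pop(0)
        ports.append(PORTS[tok] if tok in PORTS else int(tok))
    return op, ports

def parse_acl(text):
    """Parse numbered extended ACL lines into dicts, numbering ACEs 10, 20, ..."""
    acl = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list":
            raise ValueError("not an extended access-list line: " + line)
        rest = toks[4:]
        ace = {"seq": 10 * (len(acl) + 1), "text": " ".join(toks[2:]),
               "action": toks[2], "proto": toks[3]}
        ace["src"] = _take_addr(rest)
        ace["sport"] = _take_port(rest)
        ace["dst"] = _take_addr(rest)
        ace["dport"] = _take_port(rest)
        ace["established"] = "established" in rest
        ace["icmp_type"] = next((ICMP_TYPES[t] for t in rest if t in ICMP_TYPES), None)
        acl.append(ace)
    return acl

def _addr_match(ip, spec):
    # Wildcard bits set to 1 are ignored. This also covers non-contiguous
    # wildcards: 0.0.0.252 matches last octets 0, 4, 8, ... and nothing else.
    base, wild = spec
    return ((ip ^ base) & ~wild & 0xFFFFFFFF) == 0

def _port_match(port, spec):
    if spec is None or port is None:
        return spec is None  # an ACE without a port test matches; a test needs a port
    op, p = spec
    return {"eq": port == p[0], "neq": port != p[0], "gt": port > p[0],
            "lt": port < p[0], "range": p[0] <= port <= p[-1]}[op]

def ace_matches(ace, pkt):
    """True when every condition of the ACE holds for this concrete packet."""
    return (ace["proto"] in ("ip", pkt["proto"])
            and _addr_match(_ip(pkt["src"]), ace["src"])
            and _addr_match(_ip(pkt["dst"]), ace["dst"])
            and _port_match(pkt.get("sport"), ace["sport"])
            and _port_match(pkt.get("dport"), ace["dport"])
            and (not ace["established"] or pkt.get("established", False))
            and (ace["icmp_type"] is None or pkt.get("icmp_type") == ace["icmp_type"]))

def check(acl, pkt):
    """Return (verdict, hits): first-match verdict and every matching ACE as (seq, text)."""
    hits = [a for a in acl if ace_matches(a, pkt)]
    verdict = hits[0]["action"] if hits else "deny"  # implicit deny ends every ACL
    return verdict, [(a["seq"], a["text"]) for a in hits]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    web = {"proto": "tcp", "src": "198.51.100.7", "dst": "8.7.109.176",
           "sport": 1234, "dport": 443}  # constructed packet, documentation source IP
    for pkt in (web, dict(web, established=True), dict(web, src="8.7.108.4")):
        print(check(acl, pkt))
```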
<br />
<br />
<h2>
Embedded packet capture and interface ACLs and Zone Based Firewall</h2>
Posted 2015-09-24<br />
<br />
Cisco IOS <a href="https://supportforums.cisco.com/document/139686/configuration-example-embedded-packet-capture-cisco-ios-and-ios-xe" target="_blank">Embedded packet capture</a> is a great tool for troubleshooting. Very similar to the <a href="http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html" target="_blank">ASA capture command</a>.<br />
<br />
It could be better, as it won't parse the packets as well as tcpdump, but it is way better than nothing.<br />
<br />
However, I couldn't figure out the order of operation with regard to ACLs and ZBF.<br />
<br />
So I labbed it up, with IOU 15.4, and here are the results:<br />
<br />
<ul>
<li>For incoming ACL, packets are captured before ACL is evaluated</li>
<li>For incoming ZBF policy, packets are captured before the policy is checked.</li>
</ul>
<br />
So it looks like the embedded packet capture is placed at the right place, right before the incoming ACL/ZBF check. However, more testing needs to be done: NAT, outgoing ACL/ZBF, IPS drops, encryption, sanity checks.<br />
<br />
I wish Cisco had published an official and full "order of operation". <a href="http://etherealmind.com/cisco-ios-order-of-operation/" target="_blank">Here is the best </a>I have found so far.<br />
<br />
FYI.... Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-29336354401266141082015-07-31T17:03:00.000-07:002015-07-31T17:03:51.970-07:00FirePower management interfaceWhile installing <a href="http://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html" target="_blank">Cisco FirePOWER</a> on 5545-X, I was following the "<a href="http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html" target="_blank">Install and Configure a FirePOWER Services Module on an ASA Platform</a>" guide.<br />
<br />
One of the steps was to <a href="http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc10" target="_blank">configure an IP address</a> on the FirePower management interface. However, nowhere in the document was it mentioned how that interface would connect to the outside world.<br />
<br />
So I tried to google it, and it looks like no one was asking that question: How would an internal module connect to the outside world? Not a single blog post about it. It just worked for everyone, no questions asked!<br />
<br />
After digging around I found this document: "<a href="http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html" target="_blank">Cisco ASA FirePOWER Module Quick Start Guide</a>"<br />
<br />
And there I have found my answers:<br />
<ol>
<li>For 5585-X, FirePOWER is installed on a dedicated slot with its own mgmt0 interface.</li>
<li>For 5545-X, the FirePOWER module (SFR) uses the 5545-X's management0/0 interface, which means that we cannot use that interface for management: it must be dedicated to FirePOWER!</li>
<li>For the rest, it will use the "inside" interface.</li>
</ol>
I would have expected a command to allow me to set up a bridge between the SFR management interface and some ifname on the ASA. But no, it is hard wired! Why?Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-34058250966869282012015-02-20T17:29:00.000-08:002015-02-20T17:31:03.855-08:00Alteon AppShape++ persistency and multiple scripts per service<h3>
Lab goal</h3>
<div>
Create a new VIP on 10.136.6.17.<br />
<br />
Use an AppShape++ script to choose the preconfigured group/pool "10".<br />
<br />
Once the loadbalancer chooses a server, all requests from the client's source IP should go to the same server. This is called persistence or stickiness.</div>
<div>
<br /></div>
<h3>
Setup</h3>
<div>
I'll use my <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Loadbalancer Lab Setup</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
</div>
<div>
<br /></div>
<div>
The loadbalancer is Radware's Alteon VA version 29.5.1.0</div>
<div>
<br /></div>
<div>
The initial Alteon VA configuration can be found <a href="http://dans-net.blogspot.com/2014/09/basic-alteon-setup.html">here</a>.<br />
<br />
Notice the group and hosts are preconfigured:<br />
<br />
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">/c/slb/real 1
ena
ipver v4
rip 10.136.85.1
/c/slb/real 2
ena
ipver v4
rip 10.136.85.2
/c/slb/real 3
ena
ipver v4
rip 10.136.85.3
/c/slb/group 10
ipver v4
add 1
add 2
add 3
</pre>
</td></tr>
</tbody></table>
</div>
<h3>
Alteon configuration</h3>
<div>
First, the AppShape++ script:<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10</pre>
</td><td><pre style="line-height: 125%; margin: 0;">/<span style="color: #aa0000;">cfg</span>/slb/appshape/script take_10/en/import
<span style="color: #aa0000;">attach</span> group <span style="color: #009999;">10</span>
<span style="color: #aa0000;">when</span> HTTP_REQUEST <span style="color: #0000aa;">{</span>
<span style="color: #aa0000;">group</span> select <span style="color: #009999;">10</span>
<span style="color: #0000aa;">}</span>
<span style="color: #aa0000;">-----END</span>
</pre>
</td></tr>
</tbody></table>
</div>
<br />
Line 1 - This lets us copy and paste the whole text into Alteon's CLI. It defines the script if it does not exist yet, enables it, and imports it.<br />
The <i>group select 10</i> line - Selects group 10.<br />
<br />
Next, let's configure the VIP/virt with its services:<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11</pre>
</td><td><pre style="line-height: 125%; margin: 0;">/<span style="color: #aa0000;">c</span>/slb/virt <span style="color: #009999;">6</span>_17
<span style="color: #aa0000;">ena</span>
<span style="color: #aa0000;">ipver</span> v4
<span style="color: #aa0000;">vip</span> <span style="color: #009999;">10.136</span>.6.17
/<span style="color: #aa0000;">c</span>/slb/virt <span style="color: #009999;">6</span>_17/service <span style="color: #009999;">80</span> http
<span style="color: #aa0000;">group</span> <span style="color: #009999;">1</span>
<span style="color: #aa0000;">rport</span> <span style="color: #009999;">80</span>
<span style="color: #aa0000;">pbind</span> clientip norport
<span style="color: #aa0000;">dbind</span> forceproxy
/<span style="color: #aa0000;">c</span>/slb/virt <span style="color: #009999;">6</span>_17/service <span style="color: #009999;">80</span> http/appshape
<span style="color: #aa0000;">add</span> <span style="color: #009999;">10</span> take_10
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<br />
Line 8 - Adds the stickiness/persistence part, based on the client's IP address.<br />
Line 11 - Adds the AppShape++ script.<br />
<h3>
Test</h3>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil7Bb9Hcbf4ZEUx0SfS4ykTh1aU3fhuZGZyCHTy7_P2g1jyjPU-GuRqhhuBYKwEl4VZWahJL2J9WO0_Lq_kwZGtW0vnRSG2kI-lNyi8WWW-mczWTmUqe1j_udZ3Q_FBUllBEGG9HqLDjk/s1600/alteon_stickiness_no_working.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil7Bb9Hcbf4ZEUx0SfS4ykTh1aU3fhuZGZyCHTy7_P2g1jyjPU-GuRqhhuBYKwEl4VZWahJL2J9WO0_Lq_kwZGtW0vnRSG2kI-lNyi8WWW-mczWTmUqe1j_udZ3Q_FBUllBEGG9HqLDjk/s1600/alteon_stickiness_no_working.PNG" height="640" width="561" /></a></div>
<br />
This didn't go well. We still see that all servers were used and not just one.<br />
<br />
The reason for that is that once we select a group/pool using AppShape++, Alteon will ignore <i>pbind</i> settings.<br />
<br />
<h3>
Another try</h3>
AppShape++ has the following command: <i>persist</i><br />
<br />
This command can be used to create persistence/stickiness.<br />
<br />
One way to use this command is to fix our script. Another way is to create a separate script and add it to the service. Using a separate script allows us to reuse it on more than one service/VIP.<br />
<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2
3
4
5
6
7</pre>
</td><td><pre style="line-height: 125%; margin: 0;">/<span style="color: #aa0000;">cfg</span>/slb/appshape/script persist/en/import
<span style="color: #aa0000;">when</span> HTTP_REQUEST <span style="color: #0000aa;">{</span>
<span style="color: #aa0000;">persist</span> source_addr <span style="color: #009999;">255.255</span>.255.255
<span style="color: #0000aa;">}</span>
<span style="color: #aa0000;">-----END</span>
</pre>
</td></tr>
</tbody></table>
</div>
<br />
The <i>persist</i> line - Creates persistence/stickiness using the source IP address with a /32 mask.<br />
<br />
Now let's add it to the service:<br />
<br />
<h3>
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2</pre>
</td><td><pre style="line-height: 125%; margin: 0;">/<span style="color: #aa0000;">c</span>/slb/virt <span style="color: #009999;">6</span>_17/service <span style="color: #009999;">80</span> http/appshape
<span style="color: #aa0000;">add</span> <span style="color: #009999;">16</span> persist
</pre>
</td></tr>
</tbody></table>
</h3>
</div>
Line 2 - We have added the new AppShape++ script to the service. We use priority 16, which means it runs after priority 10, the <i>take_10</i> script.<br />
<h3>
Another Test </h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXh6j1lCg-vGLq9njjggGcfGiuGa9n1840yRUQBF7fv9Ume-ZJHZ_upYYOrErFag2umEstbtuqOdMu0xiAnrB5TEhBdkyMWfPevD2f65eVVQuirOlPA9TPgteOrjEOiar_AV3GMD4orFE/s1600/alteon_stickiness_works.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXh6j1lCg-vGLq9njjggGcfGiuGa9n1840yRUQBF7fv9Ume-ZJHZ_upYYOrErFag2umEstbtuqOdMu0xiAnrB5TEhBdkyMWfPevD2f65eVVQuirOlPA9TPgteOrjEOiar_AV3GMD4orFE/s1600/alteon_stickiness_works.PNG" height="640" width="506" /></a></div>
It works! SRV3 was selected for all HTTP requests.<br />
<br />
We can also have a look at the persistence table:<br />
<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2
3
4
5</pre>
</td><td><pre style="line-height: 125%; margin: 0;">>> LB1 - Persistency Information# <span style="background-color: #fff2cc;"><b>/i/slb/persist/dump</b></span>
Printing Data Table Entries for SP 1
key-<span style="background-color: #ea9999;">10.136.3.1</span>,vs:10.136.6.17,80,g:10,value-g:10 <span style="background-color: #b6d7a8;">rs:3</span> 80, <span style="background-color: #6fa8dc;">age 178</span>
Total number of session IDs: 1
</pre>
</td></tr>
</tbody></table>
</div>
<br />
Line 1 - The command that shows all persistence objects, in yellow.<br />
The <i>key-</i> entry - Me in red, using SRV3 in green, and the idle timeout is 178 seconds in blue. <br />
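<br />
To check stickiness from the dump rather than by eye, the sketch below parses the persistence table and compares it with the servers a test client actually reached. It is an added example, not part of the original post or of Radware's tooling: the entry format is assumed from the single line shown above, and the second sample entry and the observed (client, real server) pairs are constructed.<br />

```python
import re
from collections import defaultdict

# Constructed sample: the first entry is the one shown in the post,
# the second entry is made up for illustration.
SAMPLE_DUMP = """\
Printing Data Table Entries for SP 1
key-10.136.3.1,vs:10.136.6.17,80,g:10,value-g:10 rs:3 80, age 178
key-10.136.3.7,vs:10.136.6.17,80,g:10,value-g:10 rs:1 80, age 12
Total number of session IDs: 2
"""

# Assumed layout of one table entry (derived from the line in the post).
ENTRY_RE = re.compile(
    r"^key-(?P<client>[^,]+),vs:(?P<vip>[^,]+),(?P<vport>\d+),g:(?P<group>\d+),"
    r"value-g:(?P<value_group>\d+)\s+rs:(?P<real>\d+)\s+(?P<rport>\d+),"
    r"\s*age\s+(?P<age>\d+)$"
)
TOTAL_RE = re.compile(r"^Total number of session IDs:\s*(\d+)$")
INT_FIELDS = ("vport", "group", "value_group", "real", "rport", "age")


def parse_persist_dump(text):
    """Return (entries, reported_total) from /i/slb/persist/dump output."""
    entries, total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            entry = match.groupdict()
            for field in INT_FIELDS:
                entry[field] = int(entry[field])
            entries.append(entry)
            continue
        total_match = TOTAL_RE.match(line)
        if total_match:
            total = int(total_match.group(1))
    return entries, total


def servers_per_client(observed):
    """Map client IP -> sorted real-server ids seen across its requests."""
    seen = defaultdict(set)
    for client, real in observed:
        seen[client].add(real)
    return {client: sorted(reals) for client, reals in seen.items()}


def audit_stickiness(dump_text, vip, vport, observed):
    """List every disagreement between the table and the observed requests."""
    entries, total = parse_persist_dump(dump_text)
    findings = []
    if total is not None and total != len(entries):
        # Some entries did not match the assumed format.
        findings.append(f"table reports {total} entries, parsed {len(entries)}")
    pinned = {e["client"]: e["real"] for e in entries
              if e["vip"] == vip and e["vport"] == vport}
    for client, reals in sorted(servers_per_client(observed).items()):
        if len(reals) > 1:
            findings.append(f"{client}: not sticky, served by real servers {reals}")
        elif client not in pinned:
            findings.append(f"{client}: no persistence entry for {vip}:{vport}")
        elif pinned[client] != reals[0]:
            findings.append(
                f"{client}: table says rs:{pinned[client]}, request hit rs:{reals[0]}")
    return findings


if __name__ == "__main__":
    # Constructed observations: the failing first test (all servers used).
    hits = [("10.136.3.1", 1), ("10.136.3.1", 2), ("10.136.3.1", 3)]
    for finding in audit_stickiness(SAMPLE_DUMP, "10.136.6.17", 80, hits):
        print(finding)
```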
<h3>
Summary</h3>
<div>
So we learned that not everything we configure on the VIP/virt service applies when we use AppShape++.<br />
<br />
We also learned how and why to use more than one script per service.<br />
<br />
Enjoy...</div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-83965946154709773032015-02-02T15:06:00.000-08:002015-02-02T15:06:01.493-08:00ACS 5.X REST APIFor a typical network engineer, reading Cisco's <a href="http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/sdk/acs_sdk/rest.html" target="_blank">REST API documentation</a> looks really simple. All you need to do is to issue the following CLI command <br />
<div class="pEx1_Example1">
<a href="https://www.blogger.com/null" name="pgfId-1055975"></a><b class="cBold">acs config-web-interface rest enable.</b></div>
<div class="pEx1_Example1">
</div>
<div class="pEx1_Example1">
<span class="cBold">But now what? Where are the examples? That's easy: all you need to do is download example code directly from the ACS administration UI. But that code is in Java, and several pages long for each example.</span></div>
<div class="pEx1_Example1">
</div>
<div class="pEx1_Example1">
<span class="cBold">So let me do you a favor and show you how to extract a list of all ACS users without even writing a single line of code:</span></div>
<div class="pEx1_Example1">
</div>
<div class="pEx1_Example1">
<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"><span class="cBold">wget -O user-list.xml --auth-no-challenge --http-user=acs_admin_user --http-password=admin_pass --no-check-certificate https://acs.ip.address.x/Rest/Identity/User </span></span></span><b class="cBold"><span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> </span></span></b></div>
<div class="pEx1_Example1">
</div>
<div class="pEx1_Example1">
<b class="cBold">A few things to notice: </b></div>
<div class="pEx1_Example1">
<ul>
<li><span class="cBold">It's a one-line UNIX command. A Windows version can be found <a href="http://gnuwin32.sourceforge.net/packages/wget.htm" target="_blank">here</a>.</span></li>
<li><span class="cBold">The output is an XML file called <span style="font-family: "Courier New",Courier,monospace;">user-list.xml</span>.</span></li>
<li><span class="cBold"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"><span class="cBold">--</span></span></span></span></span><span class="cBold"><span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"><span class="cBold"><span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"><span class="cBold">no-check-certificate</span></span></span> <span style="font-size: small;"><span style="font-family: inherit;"><span style="font-family: Georgia,"Times New Roman",serif;">is needed because ACS has its own self generated SSL certificate, and <i>wget</i> will fail to authenticate that certificate. This can be changed, but how many are actually using anything else?</span></span></span></span></span></span><span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"><span class="cBold"><span style="font-size: small;"><span style="font-family: inherit;"><span style="font-family: Georgia,"Times New Roman",serif;"></span></span></span></span></span></span> </span></span></li>
<li><span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"><span class="cBold">--auth-no-challenge <span style="font-size: small;"><span style="font-family: inherit;"><span style="font-family: Georgia,"Times New Roman",serif;">is used because ACS expects to use </span></span></span></span></span></span><span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"><span class="cBold"><span style="font-size: small;"><span style="font-family: inherit;"><span style="font-family: Georgia,"Times New Roman",serif;"><a href="http://hc.apache.org/httpclient-3.x/authentication.html#Preemptive_Authentication" target="_blank">preemptive authentication</a>.</span></span></span></span></span></span><br />
<span style="font-size: small;"><span style="font-family: "Courier New",Courier,monospace;"><span class="cBold"></span></span></span></li>
</ul>
</div>
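With --no-check-certificate the admin password is sent over a TLS session whose peer is never authenticated, and it is also visible on the command line. The sketch below is an added example, not from the original post or Cisco's SDK: it requests the same /Rest/Identity/User resource with the same preemptive Basic authentication, but pins the ACS self-signed certificate by SHA-256 fingerprint before any credential is sent. The function names are hypothetical, and the pinned fingerprint is assumed to have been recorded out of band.

```python
import base64
import getpass
import hashlib
import hmac
import http.client
import ssl
import sys


def basic_auth_header(user, password):
    """Preemptive Basic auth: the header is sent with the first request."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def normalize_fingerprint(fingerprint):
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex."""
    return fingerprint.replace(":", "").replace(" ", "").lower()


def certificate_is_pinned(der_cert, pinned_sha256):
    """True if the DER certificate hashes to the pinned SHA-256 value."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned_sha256))


def fetch_acs_users(host, user, password, pinned_sha256, timeout=10):
    """Return the XML body of /Rest/Identity/User from a pinned ACS server."""
    # A self-signed certificate cannot pass chain validation, so trust is
    # established by comparing the certificate itself with the pinned value.
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=context)
    try:
        conn.connect()  # TLS handshake only, no HTTP data sent yet
        der_cert = conn.sock.getpeercert(binary_form=True)
        if not der_cert or not certificate_is_pinned(der_cert, pinned_sha256):
            raise ssl.SSLError("ACS certificate does not match the pinned fingerprint")
        conn.request("GET", "/Rest/Identity/User",
                     headers={"Authorization": basic_auth_header(user, password)})
        response = conn.getresponse()
        body = response.read()
        if response.status != 200:
            raise RuntimeError(f"ACS returned HTTP {response.status}")
        return body
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: script.py <acs-host> <admin-user> <pinned-sha256-fingerprint>
    # The fingerprint of a saved certificate can be printed with:
    #   openssl x509 -noout -fingerprint -sha256 -in acs.pem
    acs_host, admin_user, pinned = sys.argv[1:4]
    secret = getpass.getpass("ACS password: ")  # keeps it out of the process list
    with open("user-list.xml", "wb") as out:
        out.write(fetch_acs_users(acs_host, admin_user, secret, pinned))
```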
<div class="pEx1_Example1">
</div>
<div class="pEx1_Example1">
<span class="cBold">Enjoy! </span></div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-3180867921061068972015-01-29T13:03:00.001-08:002015-01-29T13:03:22.099-08:00CCIE Lab or dual CCIE written preferred
I got this sent from a friend of mine who is looking for a job. The job description asked for "CCIE Lab or dual CCIE written".<br />
<br />
I wonder who wrote this stuff?<br />
<br />
CCIE written is easy. It is not a certification exam.<br />
<br />
The exam is not intended to mean anything other than a ticket for the lab or to recert an existing CCIE certification, so Cisco is not putting too much effort into it. For example, there are no simulations, everything is multiple choice, so it is easy to eliminate absurd answers.<br />
<br />
Most if not all CCIE candidates, who are already CCNPs, are surprised how easy it is. Many are fooled into believing that the lab is anywhere close to being at the same level of difficulty and depth.<br />
<br />
If I was a CCNP, I would have preferred to take CCIE written to recert over the CCNP exams.<br />
<br />
If I was hiring, I would prefer a dual CCNP over dual CCIE written anytime. In fact, I would prefer a humble CCNP over someone who passed the written and brags about it.
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-15629818010369654302015-01-26T18:14:00.003-08:002015-01-26T18:15:34.326-08:00VIRL - A slow greatness
I had a migration project from 6500 to ASRs. I have decided to check out <a href="http://virl.cisco.com/" target="_blank">VIRL</a>.<br />
<br />
My migration setup requires 14 routers and a test server. Reading the system requirements for such a setup made me decide not to install it on my laptop.<br />
<br />
I went ahead and installed it on a not so small ESX server: A new UCS machine (24 cores, 380G memory, running 4 VMs, including VIRL), ESX 5.1.<br />
<br />
I have allocated VIRL 4vCPU, 16GB memory.<br />
<br />
The installation was not that short, but not that hard either. After the installation was over, I installed VM Maestro and started building my lab. Working with VM Maestro, which is VIRL's GUI, was really easy. The only annoying thing was <u>my</u> inability to set the interface numbers for the connections between routers.<br />
<br />
Here is what my final setup looks like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdnuRSKehEE9XDqyAA5JOr0CuMPIbXovM65ugGPz0qU0vpbOv3bGVahVQAk_jKwFKed-7KrB6fYRXprnEW0Q_oQWFqSeOLHlR3wkvlu6yVXHvJD__FJBQ-Wz9yQC4zPBbt2FQmN-QlWDU/s1600/virl_asr_migration.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdnuRSKehEE9XDqyAA5JOr0CuMPIbXovM65ugGPz0qU0vpbOv3bGVahVQAk_jKwFKed-7KrB6fYRXprnEW0Q_oQWFqSeOLHlR3wkvlu6yVXHvJD__FJBQ-Wz9yQC4zPBbt2FQmN-QlWDU/s1600/virl_asr_migration.PNG" height="320" width="640" /></a></div>
<br />
The setup is running 12 vIOS, 2 CSR1K, and one Ubuntu server, from where I ran my automated tests.<br />
<br />
I pressed on "Start simulation" and that is when trouble started. It took about 40 minutes for all the routers to load. Then the CLI felt like 2400 baud. It was crawling!<br />
<br />
Notice that each time you start the simulation, for example after adding or removing a link, all the routers are rebuilt from scratch. They are not just powered on. They are cloned from a template and go through a lengthy installation process. Especially the ASRs, which take forever to install themselves.<br />
<br />
So I tried to run just 4 routers. That was working well and everything was snappy. <br />
<br />
Then I tried to upgrade the VM to 6 vCPUs. Now it took just 3 minutes to load all the routers. The CLI felt much better at 9600 baud.<br />
<br />
Then I tried to upgrade the VM to 8 vCPUs. Now everything works <b>almost as fast as GNS3 with IOU</b>! <br />
<br />
After setting up the lab foundation, it was time to actually start configuring the lab. I have configured OSPF and BGP. Everything worked, but the response time was slower. Even so, the lab was very usable.<br />
<br />
To run the test, I am using some VRF magic and bash scripting on the Linux machine. I think it is worth a blog entry of its own. Then after 30 minutes of stepping away from the lab, I noticed that most OSPF and BGP sessions were lost. I had to press "enter" several times on <a href="http://www.vandyke.com/support/tips/chatsendcom.html" target="_blank">each router's prompt</a> to wake everything up:<br />
<br />
Just after waking the routers:<br />
<br />
<pre><span style="background-color: #eeeeee;"><span style="font-family: "Courier New",Courier,monospace;"><code>16:54:20 +++++-+---+-+---+--++++--++--+-+++++++++
16:54:33 +++++++++++++++++++++++--+++++++++++++++
16:54:36 +++++++++++++++++++++++--+++++++++++++++
16:54:40 ++++++++++++++++++++++++++++++++++++++++
16:54:42 ++++++++++++++++++++++++++++++++++++++++
16:54:43 ++++++++++++++++++++++++++++++++++++++++
16:54:45 ++++++++++++++++++++++++++++++++++++++++</code></span></span></pre>
<br />
After 30 minutes:<br />
<pre><span style="background-color: #eeeeee;"><code>17:21:53 ++++++++++++++++++++++++++++++++++++++++
17:21:55 ++++++++++++++++++++++++++++++++++++++++
17:21:56 ++++++++++++++++++++++++++++++++++++++++
17:21:58 ++++++++++++++++++++++++++++++++++++++++
17:22:00 ++++++++++++++++++++++++++++++++++++++++
17:22:01 ++++++++++++++--+------++++--+--+-++++++
time 111112222222333333444445555666677788899B
%H:%M:%S 589BC34679BC4679BC679BC89BC79BC9BC9BCBCC
17:22:17 +++++-----+-----+------++++--+--+-++++++
17:22:40 +++++-----+-----+------++++--+--+-++++++
17:23:02 +++++-----+-----+------++++--+--+-++++++
17:23:24 +++++-----+-----+------++++--+--+-++++++</code></span></pre>
<br />
<br />
<section class="ember-view post-menu-area clearfix" id="ember1576"><nav class="post-controls"><br /></nav><nav class="post-controls">In the beginning, I was very annoyed by this, but then I realized that it is just another test case: "Everything is broken. Can my network recover?"</nav><nav class="post-controls"><br /></nav><nav class="post-controls">To sum up my experience:</nav><nav class="post-controls"> </nav><nav class="post-controls">VIRL is a splendid product. Very polished for an early release. It takes too many resources to get the job done. I prefer GNS3 with IOU as I can run it on my laptop. No need for a monster server.</nav></section>
Dan Shechter Gelles, http://www.blogger.com/profile/18175247280485392482, noreply@blogger.com<br />
tag:blogger.com,1999:blog-5204377812712096078.post-6582476628469287039<br />
2014-12-28T14:20:00.000-08:00 2014-12-28T14:20:08.833-08:00<br />
Docker for network engineers. Part 1 - What is Docker?<br />
<br />
Forget OpenStack, forget VMWare, <a href="https://www.docker.com/" target="_blank">Docker</a> is the new kid on the block.<br />
<br />
<h3>
TL;DR</h3>
Docker and Linux containers result in denser packing of VMs per physical server, which increases the network load per physical server, and developers use them to run more VMs than ever before.<br />
<br />
Also, there is no vSwitch (that is the most important piece of information). <br />
<h2>
What is Docker?</h2>
<br />
Docker is an ecosystem built on top of Linux containers. To tell the tale, we need to start with hypervisors.<br />
<br />
<h3>
Hypervisors</h3>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD6pi5wSoToc3KCiXUInBJnZETP3D6_Shk8-4U-TtGEPdZLER0MbMlpi-71sx6qYm04aum6T4PGkUZ9csn7cNSRjaSHMbXtMPTpcAu8pW_GtZYJc_Pi2ouSDO7IgctS4EREdSw2y8KkOA/s1600/virtualization_before_docker.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD6pi5wSoToc3KCiXUInBJnZETP3D6_Shk8-4U-TtGEPdZLER0MbMlpi-71sx6qYm04aum6T4PGkUZ9csn7cNSRjaSHMbXtMPTpcAu8pW_GtZYJc_Pi2ouSDO7IgctS4EREdSw2y8KkOA/s1600/virtualization_before_docker.png" height="268" width="320" /></a></div>
<br />
The "regular" virtualization is hardware virtualization. That means that a hypervisor such as ESX, or even your laptop running vmware/vbox, emulates several virtualized physical servers running side by side on a single physical machine.<br />
<br />
Notice that each virtual machine is running its own OS. That is wasteful, especially because it is very rare to find two applications running inside a single server, so for each application, we run the OS too.<br />
<br />
The plus side is that you can run any mix of OSes side by side on the same physical server. You can run Windows, Linux, Solaris, IOSv, ASAv, CSR1000v, vMX, Alteon VA, F5, Vyatta, etc. concurrently on one physical server.<br />
<br />
<br />
<h3>
Linux Containers</h3>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmweEPgyR3Q2_HJ5bdJzOopClR35ErydmbG5RQzZoHebp72qr8Mde6wOD5sBUtZk-eX_nRJ49q_4wpVCkdYLNZULzRgbEClEc7RcPb7r47RYmvIfPTkSwZ_LsLtIazH1CxEogEdzbHCe4/s1600/linux_containers_after_docker.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmweEPgyR3Q2_HJ5bdJzOopClR35ErydmbG5RQzZoHebp72qr8Mde6wOD5sBUtZk-eX_nRJ49q_4wpVCkdYLNZULzRgbEClEc7RcPb7r47RYmvIfPTkSwZ_LsLtIazH1CxEogEdzbHCe4/s1600/linux_containers_after_docker.png" height="265" width="320" /></a></div>
<br />
It looks very similar to the previous diagram, doesn't it? I just changed the text inside the blocks :)<br />
<br />
Now everything is running on a single Linux kernel. The applications run on top of LXCs. And here comes the big difference. LXCs are part of the Linux kernel. LXCs provide lightweight VMs, all sharing the same OS. <b>Only one OS is running for all containers.</b><br />
<br />
<a href="http://en.wikipedia.org/wiki/LXC" target="_blank">LXC</a> is to Linux containers/namespaces/layered filesystem as VMWare is to ESXi, vmtools, etc. LXC is an umbrella term for everything it takes to run Linux containers. <br />
<br />
Notice the "all sharing the same OS". There is only one LXC per kernel. Each "VM" is called a container. Each container has its files, its users, and its networking.<br />
<br />
It should ring a bell to us, networking engineers. <b>It is just like VRFs</b>. We do not need to run a full-blown IOS for each VRF. The same goes for LXC. We do not run a full-blown OS (Linux) for each VM; LXC just creates isolation, the same as VRFs.<br />
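The isolation described above is visible under /proc: every process has one link per namespace kind, and two processes are isolated for a kind only when the link targets differ. The following is an added example, not code from the original post; it compares a process against the host's PID 1, and the sample tree, its PIDs (4242, 4343) and the inode numbers are constructed so the check runs without a container runtime.<br />

```python
import os
import re
import tempfile

# Namespace kinds behind what the post lists per container: files (mnt),
# users (user) and networking (net). pid and uts are included because
# container runtimes normally isolate them too.
KINDS = ("mnt", "user", "net", "pid", "uts")
_LINK = re.compile(r"^([a-z_]+):\[(\d+)\]$")


def read_namespaces(pid, proc_root="/proc"):
    """Return {kind: inode} for a process, read from <proc_root>/<pid>/ns/*."""
    found = {}
    for kind in KINDS:
        try:
            target = os.readlink(os.path.join(proc_root, str(pid), "ns", kind))
        except OSError:
            continue  # kind unknown to this kernel, process gone, or no permission
        match = _LINK.match(target)
        if match and match.group(1) == kind:
            found[kind] = int(match.group(2))
    return found


def compare(reference, candidate):
    """Split the kinds both processes report into shared and isolated."""
    shared, isolated = [], []
    for kind in KINDS:
        if kind in reference and kind in candidate:
            same = reference[kind] == candidate[kind]
            (shared if same else isolated).append(kind)
    return {"shared": shared, "isolated": isolated}


def audit(pid, host_pid=1, proc_root="/proc"):
    """Compare a process with the host's init process (readable only as root on a real host)."""
    return compare(read_namespaces(host_pid, proc_root),
                   read_namespaces(pid, proc_root))


def build_sample_proc(root):
    """Write a constructed /proc-like tree: PID 1 is the host, 4242 a container
    with its own mnt/net/pid/uts namespaces, 4343 a container started on the
    host's network namespace. All inode numbers are made up for the example."""
    host = {"mnt": 4026531840, "user": 4026531837, "net": 4026531992,
            "pid": 4026531836, "uts": 4026531838}
    isolated = dict(host, mnt=4026532201, net=4026532204,
                    pid=4026532202, uts=4026532203)
    host_net = dict(isolated, net=host["net"])
    for pid, table in ((1, host), (4242, isolated), (4343, host_net)):
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        for kind, inode in table.items():
            # Dangling symlinks whose targets look like the kernel's "net:[inode]".
            os.symlink("%s:[%d]" % (kind, inode), os.path.join(ns_dir, kind))
    return root


if __name__ == "__main__":
    sample = build_sample_proc(tempfile.mkdtemp())
    for pid in (4242, 4343):
        print(pid, audit(pid, proc_root=sample))
```

In the constructed data the second container shares `net` with the host, which is the case where the VRF analogy stops holding: that container sees the host's interfaces and listening sockets.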
<br />
Compared to hypervisors, LXCs mean not only that we can <a href="http://www.socallinuxexpo.org/sites/default/files/presentations/Jerome-Scale11x%20LXC%20Talk.pdf" target="_blank">cram 10 times more "VMs" on the same hardware</a>, not only that <a href="http://blogs.vmware.com/performance/2014/10/docker-containers-performance-vmware-vsphere.html" target="_blank">networking is much faster per CPU cycle</a>, not only that containers save a lot of disk space, not only that containers save memory (one OS), but also that it takes less than 200ms to create and run a new container.<br />
<br />
<br />
<h3>
Docker</h3>
Docker is a set of tools, utilities and repositories for:<br />
<ul>
<li>Deploying and running Linux containers in a very easy way.</li>
<li>Easing the life of developers, QA, and Ops teams. It allows all of them to use the same execution environment. </li>
</ul>
If you are a little more interested in what Docker is, here is a <a href="https://www.youtube.com/watch?v=ddhU3NMrhX4&list=WL&index=1" target="_blank">short video to watch</a>. It is highly recommended!<br />
<br />
<h2>
What does Docker/LXC mean for networking engineers?</h2>
<h3>
A lot more VMs</h3>
If hypervisors brought us virtualization sprawl, imagine what LXC/Docker will do! <br />
<br />
VMWare made it much cheaper and easier to create new servers, compared to physical servers. Docker/LXC make it even cheaper and easier.<br />
<br />
That means more endpoints in the data centre.<br />
<br />
<h3>
More VMs per physical server</h3>
Being able to run more VMs per server means that we will see more bandwidth consumed per physical server. <br />
<br />
<h3>
Dynamic DC</h3>
If it is so easy and fast to spawn a new VM/container, we might start seeing more VMs created and destroyed on the fly.<br />
<h3>
No vSwitch</h3>
The default networking model for Docker is anything but standard.<br />
<br />
For network engineers, with VMWare nothing changed compared to the physical world. Servers (VMs) are connected to switches (vSwitches). The servers' switches (vSwitches) are connected to other switches (real switches) using Dot1Q uplinks.<br />
<br />
With Docker there is no such concept as a vSwitch (at least not by default, nor even built in as an integrated option).<br />
<br />
In part II of Docker networking, I'll explain the default Docker networking model.<br />
<br />
<br />
Dan Shechter Gelles, http://www.blogger.com/profile/18175247280485392482, noreply@blogger.com<br />
tag:blogger.com,1999:blog-5204377812712096078.post-7275984736837800708<br />
2014-12-05T13:53:00.001-08:00 2014-12-05T13:55:26.797-08:00<br />
Alteon's REST API<br />
<br />
AlteonOS has a rich REST API for monitoring, operation, and configuration.<br />
<br />
REST can be used/called with a variety of programming languages, or even just using wget. However, since this blog was already using TCL for AppShape++ scripting, we may as well keep using TCL for REST too. However, RESTing with TCL is a bit of a pain in the ..., so this time I'll use Python instead.<br />
<br />
I almost forgot to explain what REST is. It's a way to run remote procedure calls using HTTP. Example calls:<br />
<ol>
<li>Read interface counters</li>
<li>Update real's weight</li>
<li>Bring down a real inside a group</li>
</ol>
I strongly recommend using a browser plugin for testing out REST calls. I use <a href="https://addons.mozilla.org/en-us/firefox/addon/httprequester/" target="_blank">HttpRequest for firefox</a>.<br />
<br />
Here are two screenshots. The first is how I get the current status of real 1, and the second is how I disable real 1.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMTRityLcZfB8NXKyRqAiuaY_3PKmVIHlU-6xpHfvPNBjAKEYesOdVp0RxlGZO2J_aYMNzihzqahkOEyqlkMM-sUOmfmdDkhcb7SfGWssZNgk4Y5NYZ7OVJRejm0HE5E-GyqFAlVZn-Vc/s1600/httprequest_get.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMTRityLcZfB8NXKyRqAiuaY_3PKmVIHlU-6xpHfvPNBjAKEYesOdVp0RxlGZO2J_aYMNzihzqahkOEyqlkMM-sUOmfmdDkhcb7SfGWssZNgk4Y5NYZ7OVJRejm0HE5E-GyqFAlVZn-Vc/s1600/httprequest_get.PNG" height="416" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2pIPfZaxi-V_a4rja16OBfSBNwg5ZldBM16S8LJ4KJ5g5PI3BoKFea2orrrXG0mVXn-ZrdmA9mPoYoXlZTPOwBpBD5D4-64rMpJChSzkqk2j1kNY8jEQ4YsR-8YTFPZaqvhvqUq0gNB8/s1600/httprequest_put.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2pIPfZaxi-V_a4rja16OBfSBNwg5ZldBM16S8LJ4KJ5g5PI3BoKFea2orrrXG0mVXn-ZrdmA9mPoYoXlZTPOwBpBD5D4-64rMpJChSzkqk2j1kNY8jEQ4YsR-8YTFPZaqvhvqUq0gNB8/s1600/httprequest_put.PNG" height="414" width="640" /></a></div>
<br />
<h3>
Lab goal</h3>
<div>
<br />
Using the base setup, create a Python script to toggle the status of <i>real 1</i> from enabled to disabled and from disabled to enabled.</div>
<div>
<br /></div>
<h3>
Setup</h3>
<div>
<br />
I'll use my <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Loadbalancer Lab Setup</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
</div>
<div>
<br /></div>
<div>
The loadbalancer is Radware's Alteon VA version 29.5.1.0</div>
<div>
<br /></div>
<div>
The initial Alteon VA configuration can be found <a href="http://dans-net.blogspot.com/2014/09/basic-alteon-setup.html">here</a>.<br />
<br />
Notice the group and hosts are preconfigured:<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"><span style="color: #666666;">/</span><span style="color: #19177c;">c</span><span style="color: #666666;">/</span>slb<span style="color: #666666;">/</span>real <span style="color: #666666;">1</span>
<span style="color: #19177c;">ena</span>
<span style="color: #19177c;">ipver</span> v4
<span style="color: #19177c;">rip</span> <span style="color: #666666;">10.136</span>.85.1
<span style="color: #666666;">/</span><span style="color: #19177c;">c</span><span style="color: #666666;">/</span>slb<span style="color: #666666;">/</span>real <span style="color: #666666;">2</span>
<span style="color: #19177c;">ena</span>
<span style="color: #19177c;">ipver</span> v4
<span style="color: #19177c;">rip</span> <span style="color: #666666;">10.136</span>.85.2
<span style="color: #666666;">/</span><span style="color: #19177c;">c</span><span style="color: #666666;">/</span>slb<span style="color: #666666;">/</span>real <span style="color: #666666;">3</span>
<span style="color: #19177c;">ena</span>
<span style="color: #19177c;">ipver</span> v4
<span style="color: #19177c;">rip</span> <span style="color: #666666;">10.136</span>.85.3
<span style="color: #666666;">/</span><span style="color: #19177c;">c</span><span style="color: #666666;">/</span>slb<span style="color: #666666;">/</span>group <span style="color: #666666;">10</span>
<span style="color: #19177c;">ipver</span> v4
<span style="color: #19177c;">add</span> <span style="color: #666666;">1</span>
<span style="color: #19177c;">add</span> <span style="color: #666666;">2</span>
<span style="color: #19177c;">add</span> <span style="color: #666666;">3</span>
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<h3>
Python script</h3>
<div>
<br />
I have used python 2.7 and the following modules: <a href="https://docs.python.org/2/library/json.html" target="_blank">json </a>and <a href="http://docs.python-requests.org/en/latest/" target="_blank">requests </a><br />
<br />
Alteon's REST API uses JSON as its data format. Python's built-in json module converts a <a href="https://docs.python.org/2/library/stdtypes.html" target="_blank">python dict</a> to <a href="http://en.wikipedia.org/wiki/JSON#Data_types.2C_syntax_and_example" target="_blank">json format </a>and vice versa.<br />
<br />
requests is a very easy python module to use for REST API.<br />
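A hardened variant of the status query made by the script below, as an added example that is not the author's code: it passes a CA bundle to requests instead of verify=False, reads the credentials from the hypothetical environment variables ALTEON_USER and ALTEON_PASSWORD instead of hard-coding admin/admin, and validates the reply before using it. It is written for Python 3, and the sample reply is constructed from the structure the script's comments describe.<br />

```python
import json
import os

TABLE = "SlbOperEnhRealServerTable"  # table name used by the post's script
ENABLED, DISABLED = 1, 2             # Status values the post's script tests for

# Constructed sample reply: one-item dict, one-item list, 'Index' and 'Status'.
SAMPLE_REPLY = '{"SlbOperEnhRealServerTable": [{"Index": "1", "Status": 1}]}'


def status_url(host, real):
    """Build the URL the post's script queries, refusing a non-numeric index."""
    real = str(real)
    if not (real.isascii() and real.isdigit()):
        raise ValueError("real server index must be numeric: %r" % real)
    return "https://%s/config/%s/%s" % (host, TABLE, real)


def parse_status(body):
    """Return the integer Status from a reply, rejecting any other shape."""
    doc = json.loads(body)  # raises ValueError on malformed JSON
    rows = doc.get(TABLE) if isinstance(doc, dict) else None
    if not isinstance(rows, list) or len(rows) != 1 or not isinstance(rows[0], dict):
        raise ValueError("unexpected reply shape")
    status = rows[0].get("Status")
    if type(status) is not int:
        raise ValueError("Status missing or not an integer: %r" % (status,))
    return status


def next_status(status):
    """Toggle between the two states this example handles. The post's script
    has a further branch for Status 3, which is not modelled here."""
    if status == ENABLED:
        return DISABLED
    if status == DISABLED:
        return ENABLED
    raise ValueError("unhandled Status value: %r" % (status,))


def get_status(host, real, ca_bundle):
    """Query the device with certificate verification left on.

    ca_bundle is the path to a PEM file holding the CA (or the self-signed
    certificate) that the Alteon's management certificate chains to.
    """
    import requests  # third-party; imported here so the helpers above work without it

    user = os.environ["ALTEON_USER"]          # hypothetical variable names
    password = os.environ["ALTEON_PASSWORD"]
    reply = requests.get(status_url(host, real), auth=(user, password),
                         verify=ca_bundle, timeout=10)
    reply.raise_for_status()                  # a 401 or 500 is an error, not a JSON body
    return parse_status(reply.text)


if __name__ == "__main__":
    current = parse_status(SAMPLE_REPLY)
    print("current:", current, "new:", next_status(current))
```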
<br />
Here is the source code for the python script. See the comments inside for explanations:<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"><span style="color: green; font-weight: bold;">import</span> <span style="color: blue; font-weight: bold;">requests</span>
<span style="color: green; font-weight: bold;">import</span> <span style="color: blue; font-weight: bold;">json</span>
<span style="color: green; font-weight: bold;">import</span> <span style="color: blue; font-weight: bold;">sys</span>
<span style="color: #408080; font-style: italic;"># set Alteon and real parameters</span>
ALTEON <span style="color: #666666;">=</span> <span style="color: #ba2121;">"10.136.1.100"</span>
REAL <span style="color: #666666;">=</span> <span style="color: #ba2121;">"1"</span>
USER <span style="color: #666666;">=</span> <span style="color: #ba2121;">"admin"</span>
PASSWORD <span style="color: #666666;">=</span> <span style="color: #ba2121;">"admin"</span>
<span style="color: #408080; font-style: italic;"># get the current status of real server</span>
<span style="color: #408080; font-style: italic;"># ============================================================</span>
<span style="color: #408080; font-style: italic;"># set authentication object</span>
myAuth<span style="color: #666666;">=</span>requests<span style="color: #666666;">.</span>auth<span style="color: #666666;">.</span>HTTPBasicAuth(USER, PASSWORD)
<span style="color: #408080; font-style: italic;"># set request string with the ALTEON name/ip address and the 'real' we want to toggle</span>
reqSTR <span style="color: #666666;">=</span> <span style="color: #ba2121;">"https://"</span><span style="color: #666666;">+</span>ALTEON<span style="color: #666666;">+</span><span style="color: #ba2121;">"/config/SlbOperEnhRealServerTable/"</span> <span style="color: #666666;">+</span> REAL
<span style="color: #408080; font-style: italic;"># turn off SSL warning. Don't do this in production!</span>
<span style="color: #408080; font-style: italic;"># see here how to deal with it http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification</span>
requests<span style="color: #666666;">.</span>packages<span style="color: #666666;">.</span>urllib3<span style="color: #666666;">.</span>disable_warnings()
<span style="color: #408080; font-style: italic;"># send the request, use the auth object, don't verify the certificate and return a python dict out of the json string</span>
<span style="color: #408080; font-style: italic;"># The return is a one item dict with 'SlbOperEnhRealServerTable' as key. </span>
<span style="color: #408080; font-style: italic;"># That item contains one item list, hence the [0]</span>
<span style="color: #408080; font-style: italic;"># That list item is another dict with two entries: 'Status' and 'Index' we need the Status</span>
r <span style="color: #666666;">=</span> requests<span style="color: #666666;">.</span>get(reqSTR, auth<span style="color: #666666;">=</span>myAuth, verify<span style="color: #666666;">=</span><span style="color: green;">False</span>)<span style="color: #666666;">.</span>json()[<span style="color: #ba2121;">'SlbOperEnhRealServerTable'</span>][<span style="color: #666666;">0</span>]
state <span style="color: #666666;">=</span> r[<span style="color: #ba2121;">'Status'</span>]
<span style="color: #408080; font-style: italic;"># print current state and set the new required state</span>
<span style="color: green; font-weight: bold;">if</span> state <span style="color: #666666;">==</span> <span style="color: #666666;">1</span>:
    <span style="color: green; font-weight: bold;">print</span>(<span style="color: #ba2121;">"Real is enabled. Changing status to disabled"</span>)
    newStatus <span style="color: #666666;">=</span> <span style="color: #ba2121;">"2"</span> <span style="color: #408080; font-style: italic;"># disabled</span>
<span style="color: green; font-weight: bold;">elif</span> state <span style="color: #666666;">==</span> <span style="color: #666666;">2</span>:
    <span style="color: green; font-weight: bold;">print</span>(<span style="color: #ba2121;">"Real is disabled. Changing status to enabled"</span>)
    newStatus <span style="color: #666666;">=</span> <span style="color: #ba2121;">"1"</span> <span style="color: #408080; font-style: italic;"># enabled</span>
<span style="color: green; font-weight: bold;">elif</span> state <span style="color: #666666;">==</span> <span style="color: #666666;">3</span>:
    <span style="color: green; font-weight: bold;">print</span>(<span style="color: #ba2121;">"Real is disabled but waiting for cookies to timeout. Changing status to enabled"</span>)
    newStatus <span style="color: #666666;">=</span> <span style="color: #ba2121;">"1"</span> <span style="color: #408080; font-style: italic;"># enabled</span>
<span style="color: green; font-weight: bold;">elif</span> state <span style="color: #666666;">==</span> <span style="color: #666666;">4</span>:
    <span style="color: green; font-weight: bold;">print</span>(<span style="color: #ba2121;">"Real is disabled but waiting for sessions to timeout. Changing status to enabled"</span>)
    newStatus <span style="color: #666666;">=</span> <span style="color: #ba2121;">"1"</span> <span style="color: #408080; font-style: italic;"># enabled</span>
<span style="color: green; font-weight: bold;">elif</span> state <span style="color: #666666;">==</span> <span style="color: #666666;">5</span>:
    <span style="color: green; font-weight: bold;">print</span>(<span style="color: #ba2121;">"Real is disabled but waiting for sessions to timeout and for cookies to timeout. Changing status to enabled"</span>)
    newStatus <span style="color: #666666;">=</span> <span style="color: #ba2121;">"1"</span> <span style="color: #408080; font-style: italic;"># enabled</span>
<span style="color: green; font-weight: bold;">else</span>:
    <span style="color: #408080; font-style: italic;"># we should never get here; exit with a non-zero status so callers see the failure</span>
    <span style="color: green; font-weight: bold;">print</span>(<span style="color: #ba2121;">"error retrieving real status. return object:"</span>)
    <span style="color: green; font-weight: bold;">print</span>(r)
    sys<span style="color: #666666;">.</span>exit(<span style="color: #666666;">1</span>)
<span style="color: #408080; font-style: italic;"># set the new real status</span>
<span style="color: #408080; font-style: italic;"># ============================================================</span>
<span style="color: #408080; font-style: italic;"># create JSON data to be passed</span>
myData <span style="color: #666666;">=</span> json<span style="color: #666666;">.</span>dumps({<span style="color: #ba2121;">'Status'</span> : newStatus})
<span style="color: #408080; font-style: italic;"># send the oper command to change the status. Notice that this time the method is PUT</span>
r <span style="color: #666666;">=</span> requests<span style="color: #666666;">.</span>put(reqSTR, auth<span style="color: #666666;">=</span>myAuth, verify<span style="color: #666666;">=</span><span style="color: green;">False</span>, data<span style="color: #666666;">=</span>myData)<span style="color: #666666;">.</span>json()[<span style="color: #ba2121;">'status'</span>]
<span style="color: #408080; font-style: italic;"># print the return status of the command</span>
<span style="color: green; font-weight: bold;">print</span>(r)
</pre>
</td></tr>
</tbody></table>
</div>
<br /></div>
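The same toggle with the two lab shortcuts removed (hard-coded admin/admin and verify=False), as an added example that is not part of the original post: certificate verification stays on and the credentials come from the environment. The ALTEON_* variable names, the CA file option and the Content-Type header are assumptions, and it uses only the standard library instead of requests.

```python
"""Toggle an Alteon real server over REST without disabling TLS verification.

Added example. Assumptions: the ALTEON_* environment variable names, the
optional CA bundle path and the JSON Content-Type header. The URL path and
the status codes are the ones used in the post.
"""
import base64
import json
import os
import ssl
import sys
import urllib.parse
import urllib.request

TABLE = "SlbOperEnhRealServerTable"
ENABLED, DISABLED = 1, 2
DRAINING = {3, 4, 5}  # disabled, still waiting for cookies and/or sessions


def next_status(state):
    """Map the current status to the status that should be written."""
    if state == ENABLED:
        return DISABLED
    if state == DISABLED or state in DRAINING:
        return ENABLED
    raise ValueError("unexpected real server status: %r" % (state,))


def make_tls_context(ca_file=None):
    """Verifying TLS context; ca_file is the CA that signed the Alteon certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # explicit, so nobody "fixes" errors by flipping it
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def load_credentials(env=None):
    """Read credentials from the environment instead of the script source."""
    env = os.environ if env is None else env
    user, password = env.get("ALTEON_USER"), env.get("ALTEON_PASSWORD")
    if not user or not password:
        raise RuntimeError("ALTEON_USER and ALTEON_PASSWORD must be set")
    return user, password


def build_request(host, real, user, password, new_status=None):
    """GET the real's row, or PUT a new status when new_status is given."""
    # quote() keeps a crafted real id from changing the request path
    url = "https://%s/config/%s/%s" % (host, TABLE, urllib.parse.quote(str(real), safe=""))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    headers = {"Authorization": "Basic " + token}
    data, method = None, "GET"
    if new_status is not None:
        data = json.dumps({"Status": str(new_status)}).encode()
        headers["Content-Type"] = "application/json"  # assumption
        method = "PUT"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def toggle(host, real, ca_file=None):
    """Read the current status, flip it, and return the device's reply status."""
    user, password = load_credentials()
    ctx = make_tls_context(ca_file)
    get_req = build_request(host, real, user, password)
    with urllib.request.urlopen(get_req, context=ctx, timeout=10) as resp:
        row = json.load(resp)[TABLE][0]
    put_req = build_request(host, real, user, password, next_status(row["Status"]))
    with urllib.request.urlopen(put_req, context=ctx, timeout=10) as resp:
        return json.load(resp)["status"]


if __name__ == "__main__":
    try:
        print(toggle(os.environ["ALTEON_HOST"],
                     os.environ.get("ALTEON_REAL", "1"),
                     os.environ.get("ALTEON_CA_FILE")))
    except Exception as exc:  # certificate errors land here and abort the change
        print("toggle failed: %s" % exc, file=sys.stderr)
        sys.exit(1)
```

A certificate that does not validate now stops the script before any credentials are sent, instead of being silently accepted.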
<h3>
Test</h3>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8grVkJnM335v-pA6S38UJsFb8Q8C_AAp1STjYn7_2B9ivrUb78O3OUhdfOUp4oJSj8em7hPJ5-v1cJLmQEsCR8NB9VPr1GW_Z-8qY3UAM8sbuq3aOz7sOaZyk7_2CZwBLhFLvvxrTtkg/s1600/python_rest_alteon.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8grVkJnM335v-pA6S38UJsFb8Q8C_AAp1STjYn7_2B9ivrUb78O3OUhdfOUp4oJSj8em7hPJ5-v1cJLmQEsCR8NB9VPr1GW_Z-8qY3UAM8sbuq3aOz7sOaZyk7_2CZwBLhFLvvxrTtkg/s1600/python_rest_alteon.PNG" height="280" width="640" /></a></div>
<br />
<br />
Notice how the status is changing from one run to the other.</div>
<h3>
</h3>
<h3>
Summary</h3>
<br />
Alteon's REST API is easy to use and straightforward. It is way better than using <a href="http://en.wikipedia.org/wiki/Expect" target="_blank">expect scripts </a>for automation.<br />
<h3>
</h3>
<div>
<br /></div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-45055152784529110732014-11-14T15:00:00.002-08:002014-11-14T15:12:25.335-08:00GNS3 - ASAv and XRv and IOU and XEv
I am able to run ASAv and XRv and IOU and XEv on my laptop, forming OSPF neighbor relationships between them.<br />
<br />
I then pinged each loopback from the ASA and also pinged each loopback from IOU. This test shows:<br />
<ul>
<li>One way broadcast and one way unicast are working - ARP </li>
<li>Unicast is working - ICMP</li>
<li>Multicast is working - OSPF</li>
</ul>
<br />
All thanks to GNS3 v1.1. Isn't it great?<br />
<br />
Here is the topology:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOO68MqY_PZiTo6F7jjRNtBNodOEuadeMcdm7ArK-Y6jBKYbcr8jXzTqb_jxiY5voqYj9JNO5GZzeWEyw7fOFKiTh3PVoTSpmgzU-aKnU13iqh7_HiJxzOlvX81oAWZZhYXJsbZdtrrLU/s1600/gns3_all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOO68MqY_PZiTo6F7jjRNtBNodOEuadeMcdm7ArK-Y6jBKYbcr8jXzTqb_jxiY5voqYj9JNO5GZzeWEyw7fOFKiTh3PVoTSpmgzU-aKnU13iqh7_HiJxzOlvX81oAWZZhYXJsbZdtrrLU/s1600/gns3_all.png" height="328" width="640" /></a></div>
<br />
And here are some show commands from the ASA:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPp38jTvaw8un0y-UXuUBkIott_M9vFfveQ9gjjzqViqsiZOaa64WRnqjGrslEQF0A-WPni5C7DhH4nH_QTZD93rk1YAPrU3z1_cNIREsuhE6Z_I_seFm1T0B4MpswYWDIPvwsN7Gvuf4/s1600/asav.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPp38jTvaw8un0y-UXuUBkIott_M9vFfveQ9gjjzqViqsiZOaa64WRnqjGrslEQF0A-WPni5C7DhH4nH_QTZD93rk1YAPrU3z1_cNIREsuhE6Z_I_seFm1T0B4MpswYWDIPvwsN7Gvuf4/s1600/asav.png" height="378" width="640" /></a></div>
<br />
GNS3 integration with VirtualBox is very useful. Whatever you can run inside VirtualBox, you can connect to each other with endless possibilities.<br />
<br />
My system76 laptop is running Ubuntu 14.04, 16GB, i7 and SSDs.<br />
<br />
I was using the following resources:<br />
<br />
<ul>
<li>Install these items from <a href="https://github.com/GNS3/">https://github.com/GNS3/</a></li>
<ul>
<li>gns3-gui</li>
<li>gns3-server</li>
<li>iouyap</li>
<li>dynamips (this is needed even if not using dynamips for IOS)</li>
<li>vboxwrapper</li>
<li>vpcs (optional, but very handy to test connectivity)</li>
</ul>
<li>Virtualbox integration with GNS3 won't work without virtualbox SDK: <a href="http://forum.gns3.net/topic6145.html">http://forum.gns3.net/topic6145.html</a></li>
<li>Set permissions for dynamips and iouyap:<span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"><br />cd /usr/local/bin<br />sudo setcap cap_dac_override,cap_net_admin,cap_net_raw+eip dynamips<br />sudo setcap cap_net_raw,cap_net_admin+eip iouyap </span></span></li>
<li>CSR1K install: <a href="http://herdingpackets.net/2014/02/06/using-the-cisco-csr1000v-in-gns3-with-virtualbox/">http://herdingpackets.net/2014/02/06/using-the-cisco-csr1000v-in-gns3-with-virtualbox/</a></li>
<li>XRv install: <a href="http://www.noshutdown.ma/ios-xrv-step-step-install-gns3-integration/">http://www.noshutdown.ma/ios-xrv-step-step-install-gns3-integration/</a><br />Notice the NIC type. It should be MT server.<br />Remember to set the NIC type in GNS3 as well. GNS3 will override the vbox configuration.</li>
<li>XR tutorial for IOS users: <a href="http://networkgeekstuff.com/networking/cisco-ios-xr-complete-getting-started-examples-guide/">http://networkgeekstuff.com/networking/cisco-ios-xr-complete-getting-started-examples-guide/</a></li>
<li>How to install ASAv on VMWare workstation: <a href="http://brezular.com/2014/07/04/cisco-asav-virtual-appliance-on-vmware-workstation/">http://brezular.com/2014/07/04/cisco-asav-virtual-appliance-on-vmware-workstation/</a> </li>
<li>I encountered the following issues:</li>
<ul>
<li>IOU console connection gets lost: <a href="https://community.gns3.com/message/4635?sr=search&searchId=4578100e-e5c1-4653-8be8-83f6c7dcc7b9&searchIndex=1#4635">https://community.gns3.com/message/4635?sr=search&searchId=4578100e-e5c1-4653-8be8-83f6c7dcc7b9&searchIndex=1#4635</a><br />Should be fixed in the next version</li>
<li>GNS telnet server and XRv not working. Don't enable "remote console": <a href="http://forum.gns3.net/post38696.html#p38696" target="_blank">http://forum.gns3.net/post38696.html#p38696</a> <br />Should be fixed in the next version</li>
<li>Sometimes I need to disconnect and reconnect the XRv from the switch: <a href="http://www.noshutdown.ma/ios-xrv-step-step-install-gns3-integration/">http://www.noshutdown.ma/ios-xrv-step-step-install-gns3-integration/</a><br />Search for "know issue" in that link.</li>
</ul>
</ul>
<br />
<br />
<br />
<br />Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-40681769549316058412014-11-06T16:54:00.000-08:002014-11-06T16:55:08.265-08:00Alteon - each server is different<h3>
Lab goal</h3>
<div>
Create VIP 10.136.6.16 with the following servers/reals:<br />
<ul>
<li>"r8080" - 10.136.85.1 port 8080</li>
<li>"r8081" - 10.136.85.2 port 8081</li>
<li>"r8082" - 10.136.85.3 port 8082</li>
</ul>
The group name should be "gMulti". </div>
<div>
<br /></div>
<h3>
Setup</h3>
<div>
I'll use my <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Loadbalancer Lab Setup</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
</div>
<div>
<br /></div>
<div>
The loadbalancer is Radware's Alteon VA version 29.5.1.0</div>
<div>
<br /></div>
<div>
The initial Alteon VA configuration can be found <a href="http://dans-net.blogspot.com/2014/09/basic-alteon-setup.html">here</a>.</div>
<h3>
Alteon configuration</h3>
<div>
First let's add the reals.<br />
<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27</pre>
</td><td><pre style="line-height: 125%; margin: 0;">/c/slb/real r8080
ena
ipver v4
rip 10.136.85.1
addport 8080
/c/slb/real r8081
ena
ipver v4
rip 10.136.85.2
addport 8081
/c/slb/real r8082
ena
ipver v4
rip 10.136.85.3
addport 8082
/c/slb/group gMulti
ipver v4
add r8080
add r8081
add r8082
/c/slb/virt 6_16
ena
ipver v4
vip 10.136.6.16
/c/slb/virt 6_16/service 80 http
group gMulti
rport 0
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<br />
<ul>
<li>Lines 1-15 : Configure the real servers</li>
<ul>
<li>Notice the<i> addport</i> command, which sets the port being used by the server.</li>
</ul>
<li>Lines 16-20: Create a new group and add the previously defined servers</li>
<li>Lines 21-27: Create the VIP</li>
<ul>
<li>Notice line 27, which states that the Alteon should use the rport configured on a real server's configuration.</li>
</ul>
</ul>
<h3>
Test</h3>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi03NnGS8Pqa4Mwa-NLkFqL9tqJ44SkrPNWgACopADIwcX64Ep_m8xh2DzK6Mnp_g7kE2AljILm7Y4-8X7wCYaAq4SrCzglsrJ7v2pebNq3kMpMTs9M0dApJSWqfL1dao_PpeCXFJClMCU/s1600/alteon_multi_port.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi03NnGS8Pqa4Mwa-NLkFqL9tqJ44SkrPNWgACopADIwcX64Ep_m8xh2DzK6Mnp_g7kE2AljILm7Y4-8X7wCYaAq4SrCzglsrJ7v2pebNq3kMpMTs9M0dApJSWqfL1dao_PpeCXFJClMCU/s1600/alteon_multi_port.PNG" height="640" width="518" /></a></div>
<br />
Notice the SRV_PORT and SRV_ADDR, which show that the 808X port is being used.<br />
<br />
But a better way to see that is to see the sessions in the session table:<br />
<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">>> LB1 - Session Table Information# /i/slb/sess/cip 10.136.3.1
Printing Sessions for SP 1
1,01: 10.136.3.1 50040, 10.136.6.16 http -> 2094 10.136.85.3 <span style="background-color: #fff2cc;">8082</span> tcp age 10 v:1 E
1,01: 10.136.3.1 50041, 10.136.6.16 http -> 2095 10.136.85.2 <span style="background-color: #fff2cc;">8081 </span>tcp age 10 v:1 E
1,01: 10.136.3.1 50042, 10.136.6.16 http -> 2096 10.136.85.1 <span style="background-color: #fff2cc;">8080 </span>tcp age 10 v:1 E
1,01: 10.136.3.1 50043, 10.136.6.16 http -> 2097 10.136.85.3 8082 tcp age 10 v:1 E
1,01: 10.136.3.1 50044, 10.136.6.16 http -> 2098 10.136.85.2 8081 tcp age 10 v:1 E
1,01: 10.136.3.1 50046, 10.136.6.16 http -> 2100 10.136.85.3 8082 tcp age 10 v:1 E
</pre>
</td></tr>
</tbody></table>
</div>
</div>
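To turn the session table into a repeatable check, the added example below (not part of the original post) parses the dump shown above and flags any session whose real server port differs from the port configured with addport. The regular expression is an assumption derived from the sample lines only, and the number after "->" is skipped because the post does not say what it is.

```python
import re
from collections import Counter

# Real server IP -> port, as configured with "rip" and "addport" in the post
EXPECTED = {"10.136.85.1": 8080, "10.136.85.2": 8081, "10.136.85.3": 8082}

# Session dump copied from the post
SAMPLE = """\
>> LB1 - Session Table Information# /i/slb/sess/cip 10.136.3.1
Printing Sessions for SP 1
1,01: 10.136.3.1 50040, 10.136.6.16 http -> 2094 10.136.85.3 8082 tcp age 10 v:1 E
1,01: 10.136.3.1 50041, 10.136.6.16 http -> 2095 10.136.85.2 8081 tcp age 10 v:1 E
1,01: 10.136.3.1 50042, 10.136.6.16 http -> 2096 10.136.85.1 8080 tcp age 10 v:1 E
1,01: 10.136.3.1 50043, 10.136.6.16 http -> 2097 10.136.85.3 8082 tcp age 10 v:1 E
1,01: 10.136.3.1 50044, 10.136.6.16 http -> 2098 10.136.85.2 8081 tcp age 10 v:1 E
1,01: 10.136.3.1 50046, 10.136.6.16 http -> 2100 10.136.85.3 8082 tcp age 10 v:1 E
"""

# Layout inferred from the sample lines (assumption, not a documented format)
SESSION = re.compile(
    r"^\s*\S+:\s+(?P<cip>\S+)\s+(?P<cport>\d+),\s+"
    r"(?P<vip>\S+)\s+(?P<svc>\S+)\s+->\s+(?:\d+\s+)?"
    r"(?P<rip>\d+\.\d+\.\d+\.\d+)\s+(?P<rport>\d+)\s+(?P<proto>\w+)"
)


def parse_sessions(text):
    """Yield one dict per session line; banner and prompt lines are skipped."""
    for line in text.splitlines():
        match = SESSION.match(line)
        if match:
            row = match.groupdict()
            row["cport"] = int(row["cport"])
            row["rport"] = int(row["rport"])
            yield row


def check_sessions(text, expected=EXPECTED):
    """Return (sessions per real ip/port, sessions that break the mapping)."""
    counts = Counter()
    violations = []
    for row in parse_sessions(text):
        counts[(row["rip"], row["rport"])] += 1
        if expected.get(row["rip"]) != row["rport"]:
            violations.append(row)
    return counts, violations


if __name__ == "__main__":
    counts, violations = check_sessions(SAMPLE)
    for (rip, rport), n in sorted(counts.items()):
        print("%s:%d  %d session(s)" % (rip, rport, n))
    print("violations: %d" % len(violations))
```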
<h3>
Summary</h3>
<div>
As usual, the configurations are simple and straightforward.</div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-7578420931037657572014-11-04T22:03:00.000-08:002014-11-04T22:06:18.393-08:00Alteon SSL key import wows
I was trying to import a new certificate with an SSL key, but without success.<br />
<br />
But as usual, before trying that on production, I tried that on <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html" target="_blank">my lab setup</a>. It was done without any problems.<br />
<br />
But when trying with the production Alteon, running the same 29.5.1 version, I got this message:<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">> -----END RSA PRIVATE KEY-----<br />Enter key passphrase: <br />Error: The private key is not a valid RSA key<br /><br />Error: Failed to extract key XXXXX</span><br />
<br />
After trying it several times and comparing some random strings inside the key, I noticed a lag when I pasted the key to the production Alteon. The reason for the lag was SecureCRT, which was configured to <a href="http://www.vandyke.com/support/tips/echoflowctrl.html" target="_blank">insert delays between keys</a>. This feature is extremely useful when pasting large text into NX-OS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzyQFzam-fk39FzhRdJchnP4Nr_orDSsqXCkuop_5ahE8AkEfnjmVEFc2Jc1YeIhQB4qrfLvIWuiixrQlcjHu6Pl9Y9M1O8RHjDfhxQp08TjnVrZ1ZFYH8Rc1DEJI3JRn6udFBTFdyHew/s1600/securecrt_delay.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzyQFzam-fk39FzhRdJchnP4Nr_orDSsqXCkuop_5ahE8AkEfnjmVEFc2Jc1YeIhQB4qrfLvIWuiixrQlcjHu6Pl9Y9M1O8RHjDfhxQp08TjnVrZ1ZFYH8Rc1DEJI3JRn6udFBTFdyHew/s1600/securecrt_delay.PNG" height="561" width="640" /></a></div>
My lab setup is with the default Line Send delay of 5ms and Character send delay of 0ms.<br />
<br />
So I tried to use the lab SecureCRT delay setup on my production Alteon, and to my surprise it worked!<br />
<br />
So to sum up: when pasting to Alteon 29.5.1, you'd better use the default SecureCRT delay settings.<br />
<br />
One more thing and this will save you precious time digging through the command reference:<br />
<br />
<span style="font-size: large;">"key" and "srvrcert" names must be identical</span> Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-72988392685182199812014-10-28T12:46:00.000-07:002014-10-28T12:46:11.773-07:00GNS3 1.1<br />
I was never a big fan of GUI tools, so I used dynagen and dynamips for my network designs. But since 15.2 was the last version released for 7200, dynamips is no longer useful (especially for IKEv2 and OSPFv3 stuff).<br />
<br />
I was hoping that Cisco would release <a href="https://learningnetwork.cisco.com/thread/74945" target="_blank">VIRL</a>, and they promised to do so for the past year and a half, but it looks like it will never come. Shelling out $10K for <a href="http://www.cisco.com/c/en/us/products/cloud-systems-management/modeling-labs/index.html" target="_blank">CML </a>(the paid version of VIRL) is a bit too much for most of us. But there is a good alternative:<br />
<br />
Not long ago <a href="http://www.gns3.com/" target="_blank">GNS3 </a>version 1.0 was released, and soon after version 1.1 was released too. And after a long time of being a backer for their <a href="https://gns3.crowdhoster.com/become-an-early-release-member" target="_blank">funding campaign </a>I have decided to try GNS3 with IOU.<br />
<br />
After installing GNS3 on both Linux and Windows (VMware required), I found that GNS3 is really easy to use, and that IOU is AMAZING. IOU is sooooo fast, and everything just works(tm). I wish I had it years ago!<br />
<br />
Goodbye dynamips and dynagen, and thank you so much.<br />
<br />
Hello IOU and GNS3. I know it will be the start of a wonderful friendship :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4kRzbohjUKV6jdOVPQ6avxLfogj5p-pMpaXORPQZIxsFd-yVIIYjF2LQwKBzLJSbPabVz7bgc_cxnkVcUVdPo6jhjmCLrSozR0rL_As74ZghNJHwyyQwjllarqsRRR685TcATDuta2LI/s1600/gns3_iou.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4kRzbohjUKV6jdOVPQ6avxLfogj5p-pMpaXORPQZIxsFd-yVIIYjF2LQwKBzLJSbPabVz7bgc_cxnkVcUVdPo6jhjmCLrSozR0rL_As74ZghNJHwyyQwjllarqsRRR685TcATDuta2LI/s1600/gns3_iou.PNG" height="251" width="400" /></a></div>
<br />Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-23309236338322641522014-10-15T17:42:00.002-07:002014-10-16T09:32:52.260-07:00IPv6 to IPv4 basic setup<h3>
Lab goal</h3>
<div>
Configure Alteon to serve IPv6 clients. The servers should use IPv4.<br />
<br />
The IPv6 VIP should be fc00:85::10.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWiKWvtiDaP9iz-XKXI7AVGPNq_AiEXDoRVqHuCz-VFriVZaShbkqsnRdRF_K2m-G_g6B0F87_4i02TpehcpRzMWK0VRTMZiN-Ry4TaCVcsfwEcBIDXk-4mrmgyjHoix6HPBOew9pfYPQ/s1600/IPv6+Gateway+-+New+Page.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWiKWvtiDaP9iz-XKXI7AVGPNq_AiEXDoRVqHuCz-VFriVZaShbkqsnRdRF_K2m-G_g6B0F87_4i02TpehcpRzMWK0VRTMZiN-Ry4TaCVcsfwEcBIDXk-4mrmgyjHoix6HPBOew9pfYPQ/s1600/IPv6+Gateway+-+New+Page.png" height="370" width="400" /></a></div>
<br /></div>
<div>
<br /></div>
<h3>
Setup</h3>
<div>
I'll use my <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Loadbalancer Lab Setup</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
</div>
<div>
<br /></div>
<div>
The loadbalancer is Radware's Alteon VA version 29.5.1.0</div>
<div>
<br /></div>
<div>
The initial Alteon VA configuration can be found <a href="http://dans-net.blogspot.com/2014/09/basic-alteon-setup.html">here</a>.<br />
<br />
Below is the IPv4 real servers configuration which we will use as a base config. <br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">/c/slb/real 1
ena
ipver v4
rip 10.136.85.1
/c/slb/real 2
ena
ipver v4
rip 10.136.85.2
/c/slb/real 3
ena
ipver v4
rip 10.136.85.3
/c/slb/group 10
ipver v4
add 1
add 2
add 3
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<h3>
Alteon configuration</h3>
<div>
All we need to do is create a new virt/VIP and assign it an IPv6 address.<br />
<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> /c/slb/virt v6_85_10
ena
ipver v6
vip fc00:85:0:0:0:0:0:10
/c/slb/virt v6_85_10/service 80 http
group 10
rport 80
dbind forceproxy
/c/slb/virt v6_85_10/service 80 http/pip
mode address
addr v4 10.136.85.200 255.255.255.255 persist disable
</pre>
</td></tr>
</tbody></table>
</div>
<br />
Notice that we need the <i>pip</i>, which is the Proxy IP, a.k.a. SNAT. Since we are translating from IPv6 to IPv4, we need the Alteon to act as a proxy, and for that it needs an IPv4 address to communicate with the real servers.<br />
<br /></div>
<h3>
Test</h3>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWevfCpU4eEQEIOlWQJl5UwIwl7eWeGOM2X5PRhCuohzBKLhb4KanA-Kx4lSy0B03Ii1c222-IHjRtzIwtFUWuheRWbHEpyHRtznN89FYv3VmBSjTVjBb_uX6s1e36ojwsEPKsOU1Bo58/s1600/alteon_ipv6_basic.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWevfCpU4eEQEIOlWQJl5UwIwl7eWeGOM2X5PRhCuohzBKLhb4KanA-Kx4lSy0B03Ii1c222-IHjRtzIwtFUWuheRWbHEpyHRtznN89FYv3VmBSjTVjBb_uX6s1e36ojwsEPKsOU1Bo58/s1600/alteon_ipv6_basic.PNG" height="640" width="516" /></a></div>
<br /></div>
<h3>
Summary</h3>
<div>
That was really simple, wasn't it? Just change the <i>virt/</i>VIP to be IPv6 and we have an IPv6 to IPv4 gateway.</div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-1603419355282881342014-09-26T14:09:00.000-07:002014-09-26T14:09:05.247-07:00Change HTTP reply content with AppShape++<h3>
Lab goal</h3>
<div>
When a client asks for beta/a2.html, return "Hello" instead.<br />
<br />
Use VIP 10.136.85.14</div>
<div>
<br /></div>
<h3>
Setup</h3>
<div>
I'll use my <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Loadbalancer Lab Setup</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
The loadbalancer is Radware's Alteon VA version 29.5.1.0</div>
<div>
<br /></div>
<div>
The initial Alteon VA configuration can be found <a href="http://dans-net.blogspot.com/2014/09/basic-alteon-setup.html">here</a>.<br />
<br /></div>
Notice the group and hosts are preconfigured:<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">/c/slb/real 1
ena
ipver v4
rip 10.136.85.1
/c/slb/real 2
ena
ipver v4
rip 10.136.85.2
/c/slb/real 3
ena
ipver v4
rip 10.136.85.3
/c/slb/group 10
ipver v4
add 1
add 2
add 3
</pre>
</td></tr>
</tbody></table>
</div>
<h3>
Alteon configuration</h3>
<div>
First, let's configure the VIP/virt.<br />
<br />
Remember routing! The returning traffic needs to go through the Alteon, otherwise TCP will break. So we also need to configure Proxy IP/SNAT so return traffic will go through the Alteon.<br />
<br />
<br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> /c/slb/virt 85_14
ena
vip 10.136.85.14
/c/slb/virt 85_14/service 80 http
group 10
/c/slb/virt 85_14/service 80 http/pip
mode address
addr v4 10.136.85.200
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<br />
Next we need to write the AppShape++ script:<br />
<br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre>
</td><td><pre style="line-height: 125%; margin: 0;"><span style="color: #19177c;">when</span> HTTP_REQUEST <span style="color: green; font-weight: bold;">{</span>
<span style="color: #408080; font-style: italic;"># retrieve URL from the request</span>
<span style="color: green; font-weight: bold;">set</span> url <span style="color: green; font-weight: bold;">[</span><span style="color: #19177c;">HTTP</span><span style="color: #666666;">::</span>uri<span style="color: green; font-weight: bold;">]</span>
<span style="color: green; font-weight: bold;">set</span> reply <span style="color: green; font-weight: bold;">{</span>
<span style="color: #666666;">&lt;</span><span style="color: #19177c;">html</span><span style="color: #666666;">&gt;</span>
<span style="color: #666666;">&lt;</span><span style="color: #19177c;">body</span><span style="color: #666666;">&gt;</span>
<span style="color: #666666;">&lt;</span><span style="color: #19177c;">h1</span><span style="color: #666666;">&gt;</span>Hello<span style="color: #666666;">!&lt;/</span>h1<span style="color: #666666;">&gt;</span>
<span style="color: #666666;">&lt;/</span><span style="color: #19177c;">body</span><span style="color: #666666;">&gt;</span>
<span style="color: #666666;">&lt;/</span><span style="color: #19177c;">html</span><span style="color: #666666;">&gt;</span>
<span style="color: green; font-weight: bold;">}</span>
<span style="color: #408080; font-style: italic;"># check if URL is /beta/a2.html</span>
<span style="color: green; font-weight: bold;">if</span> <span style="color: green; font-weight: bold;">{[</span><span style="color: green;">string</span> match <span style="color: #ba2121;">"/beta/a2.html"</span> <span style="color: #19177c;">$url</span><span style="color: green; font-weight: bold;">]</span> <span style="color: #666666;">==</span> <span style="color: #19177c;">1</span><span style="color: green; font-weight: bold;">}</span> <span style="color: green; font-weight: bold;">{</span>
<span style="color: #408080; font-style: italic;"># reply directly with the prepared content</span>
<span style="color: #19177c;">HTTP</span><span style="color: #666666;">::</span>respond <span style="color: #666666;">200</span> content <span style="color: #19177c;">$reply</span>
<span style="color: green; font-weight: bold;">}</span>
<span style="color: green; font-weight: bold;">}</span>
<span style="color: #19177c;">-----END</span>
</pre>
</td></tr>
</tbody></table>
</div>
<br />
<br />
<ul>
<li>Line 1-17 - When a request comes in do:</li>
<ul>
<li>Line 3 - Extract the URL</li>
<li>Line 4-10 - Set a response content.</li>
<li>Lines 13-16 - If the URL is "beta/a2.html" then:</li>
<ul>
<li>Line 15 - Respond with code 200 and the content we set earlier.</li>
</ul>
</ul>
<li>Line 19 - The end of the script.</li>
</ul>
<div>
Now let's import the script and apply it to the VIP/virt:</div>
<div>
<br /></div>
<br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> /c/slb/appshape/script respond
ena
import text
when HTTP_REQUEST {
# retrieve URL from the request
set url [HTTP::uri]
set reply {
<html>
<body>
<h1>Hello!</h1>
</body>
</html>
}
# check if URL is /beta/a2.html
if {[string match "/beta/a2.html" $url] == 1} {
# respond with code 200 and the content set above
HTTP::respond 200 content $reply
}
}
-----END
/c/slb/virt 85_14/service 80 http/appshape
add 10 respond
</pre>
</td></tr>
</tbody></table>
</div>
<h3>
Test</h3>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWeHtBkA4HhCxZ6jknr_jjQNrzDv21IdwBKsc_Gc95tU5PtXEMG6WrUaUopXXYS_si95bCqdRkUm8CizAWtRK73hhpxEw0q8r5MDwOaYmC2z-g87TGlcib14Dc0FProefR3vBEtbBvDg4/s1600/appshape_respond.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWeHtBkA4HhCxZ6jknr_jjQNrzDv21IdwBKsc_Gc95tU5PtXEMG6WrUaUopXXYS_si95bCqdRkUm8CizAWtRK73hhpxEw0q8r5MDwOaYmC2z-g87TGlcib14Dc0FProefR3vBEtbBvDg4/s1600/appshape_respond.PNG" height="640" width="476" /></a></div>
<br />
Notice the "Hello!". Success!</div>
<h3>
Summary</h3>
<div>
After writing a few AppShape++ scripts, a pattern emerges: it's really easy :)</div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-74027884040867592352014-09-18T15:06:00.001-07:002014-09-18T17:31:50.838-07:00Using AppShape++ to change a request's URL<h3>
Lab goal</h3>
<div>
<ul>
<li>When a client asks for /cgi-bin/* change that to /alpha/a1.html, and serve it from SRV1</li>
<li>Fix the 404 page not found.</li>
</ul>
<br />
Use VIP 10.136.6.13.</div>
<h3>
Setup</h3>
<div>
I'll use my <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Loadbalancer Lab Setup</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQqL25A98lAHg9Qh3mY63rHDSdFbi31lJzdsqM-Lb3B0kDQR_cZ6Qci7NyVhbCqbrAJ8XrYef9iNQpembo920T1cVXtJ9AWsB8Lmw8vM8LD7_V_mipUHdhn6sPwDQGm2qD3C8IvYs8c8/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
The loadbalancer is Radware's Alteon VA version 29.5.1.0</div>
<div>
<br /></div>
<div>
The initial Alteon VA configuration can be found <a href="http://dans-net.blogspot.com/2014/09/basic-alteon-setup.html">here</a>.<br />
<br />
Notice the group and hosts are preconfigured:<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17</pre>
</td><td><pre style="line-height: 125%; margin: 0;">/c/slb/real 1
ena
ipver v4
rip 10.136.85.1
/c/slb/real 2
ena
ipver v4
rip 10.136.85.2
/c/slb/real 3
ena
ipver v4
rip 10.136.85.3
/c/slb/group 10
ipver v4
add 1
add 2
add 3
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<h3>
Alteon configuration</h3>
<div>
Let's first create the VIP/virt and test it out.<br />
<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2
3
4
5</pre>
</td><td><pre style="line-height: 125%; margin: 0;"> /c/slb/virt 6_13
ena
vip 10.136.6.13
/c/slb/virt 6_13/service 80 http
group 10
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<br />
To fix the 404 at the bottom of the webpage, we need to change the request URL from /not_here to /here.html.<br />
<br />
So let's write the AppShape++ script:<br />
<br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19</pre>
</td><td><pre style="line-height: 125%; margin: 0;"><span style="color: #19177c;">attach</span> group <span style="color: #666666;">10</span>
<span style="color: #19177c;">when</span> HTTP_REQUEST <span style="color: green; font-weight: bold;">{</span>
<span style="color: #408080; font-style: italic;"># retrieve URL from the request</span>
<span style="color: green; font-weight: bold;">set</span> url <span style="color: green; font-weight: bold;">[</span><span style="color: #19177c;">HTTP</span><span style="color: #666666;">::</span>uri<span style="color: green; font-weight: bold;">]</span>
<span style="color: #408080; font-style: italic;"># check if URL begins with /cgi-bin/</span>
<span style="color: green; font-weight: bold;">if</span> <span style="color: green; font-weight: bold;">{[</span><span style="color: green;">string</span> match <span style="color: #ba2121;">"/cgi-bin/*"</span> <span style="color: #19177c;">$url</span><span style="color: green; font-weight: bold;">]</span> <span style="color: #666666;">==</span> <span style="color: #19177c;">1</span><span style="color: green; font-weight: bold;">}</span> <span style="color: green; font-weight: bold;">{</span>
<span style="color: #408080; font-style: italic;"># change the URL and select SRV1</span>
<span style="color: #19177c;">HTTP</span><span style="color: #666666;">::</span>uri <span style="color: #ba2121;">"/alpha/a1.html"</span>
<span style="color: #19177c;">group</span> select <span style="color: #666666;">10</span> server <span style="color: #666666;">1</span>
<span style="color: #408080; font-style: italic;"># check if the request is for /not_here</span>
<span style="color: green; font-weight: bold;">}</span> <span style="color: green; font-weight: bold;">elseif</span> <span style="color: green; font-weight: bold;">{[</span><span style="color: green;">string</span> match <span style="color: #ba2121;">"/not_here"</span> <span style="color: #19177c;">$url</span><span style="color: green; font-weight: bold;">]</span> <span style="color: #666666;">==</span> <span style="color: #19177c;">1</span><span style="color: green; font-weight: bold;">}</span> <span style="color: green; font-weight: bold;">{</span>
<span style="color: #408080; font-style: italic;"># change the URL to here.html</span>
<span style="color: #19177c;">HTTP</span><span style="color: #666666;">::</span>uri <span style="color: #ba2121;">"/here.html"</span>
<span style="color: green; font-weight: bold;">}</span>
<span style="color: green; font-weight: bold;">}</span>
<span style="color: #19177c;">-----END</span>
</pre>
</td></tr>
</tbody></table>
</div>
<br />
<br />
<ul>
<li>Line 1 - declare that we are about to use group 10.</li>
<li>Lines 3 - 17 - When HTTP_REQUEST comes from the client to the VIP do this:</li>
<ul>
<li>Line 5 - Retrieve the URL</li>
<li>Lines 8-13 - Check if the URL begins with <i>/cgi-bin/</i> if so:</li>
<ul>
<li>Lines 10-11 - Send the request to the web server as <i>"/alpha/a1.html"</i> and select SRV1.</li>
</ul>
<li>Lines 13-16 - Check if the URL is <i>not_here</i> if so:</li>
<ul>
<li>Line 15 - Send the request to the web server as <i>"here.html"</i></li>
</ul>
</ul>
</ul>
<div>
Now let's apply this script to the Alteon:</div>
<div>
<br /></div>
<div>
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22</pre>
</td><td><pre style="line-height: 125%; margin: 0;"> /c/slb/appshape/script set_url
ena
import text
attach group 10
when HTTP_REQUEST {
# retrieve URL from the request
set url [HTTP::uri]
# check if URL begins with /cgi-bin/
if {[string match "/cgi-bin/*" $url] == 1} {
# change the URL and select SRV1
HTTP::uri "/alpha/a1.html"
group select 10 server 1
# check if the request is for /not_here
} elseif {[string match "/not_here" $url] == 1} {
# change the URL to here.html
HTTP::uri "/here.html"
}
}
-----END
/c/slb/virt 6_13/service 80 http/appshape
add 10 set_url
</pre>
</td></tr>
</tbody></table>
</div>
<br /></div>
<br />
<ul>
<li>Lines 1-19 - importing the script</li>
<li>Lines 21-22 - applying the script to the VIP</li>
</ul>
<br />
<h3>
Test</h3>
<div>
<br /></div>
<div>
Before:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoLmXA2-7HyvBtghNXHw-bvanlZ6ErghXOhbQWbyCGHhLqaQ0kMuPxHyULDyiyOyOMmwpMSyQ1T61fFZdvxRYnbeM__pMyMvVBgap3DPlNu12UtgDNqTEjhAsNEcUVvTyFHa1wa-DPdXg/s1600/before_set_url.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoLmXA2-7HyvBtghNXHw-bvanlZ6ErghXOhbQWbyCGHhLqaQ0kMuPxHyULDyiyOyOMmwpMSyQ1T61fFZdvxRYnbeM__pMyMvVBgap3DPlNu12UtgDNqTEjhAsNEcUVvTyFHa1wa-DPdXg/s1600/before_set_url.PNG" height="640" width="498" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
After:</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAI9wvpM4CcISWxsbF0IRoFtl4wyL7xKoBgG0_0_NubzTppNTW87MJn55NiGc2wkm19LLkcEN9JQPXNEhUBVNJyUaw27nAtIqewMXVk6v54CeD9SrtqvUHlZxuRYpCX3xjIdGYq7y6r8k/s1600/set_url.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAI9wvpM4CcISWxsbF0IRoFtl4wyL7xKoBgG0_0_NubzTppNTW87MJn55NiGc2wkm19LLkcEN9JQPXNEhUBVNJyUaw27nAtIqewMXVk6v54CeD9SrtqvUHlZxuRYpCX3xjIdGYq7y6r8k/s1600/set_url.PNG" height="640" width="476" /></a></div>
<br /></div>
<br />
Success!<br />
<br />
Notice how the CGI script, which shows connection data (it just prints ENV vars), changed to show a static page from SRV1 and also notice that the 404 is fixed.<br />
<div>
</div>
<br />
<h3>
Summary</h3>
<div>
Setting the URL is really easy, once you know how.... :)</div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-82413445056603951002014-09-12T12:58:00.000-07:002014-09-12T12:58:08.478-07:00HTTP to HTTPs redirect with a twist<h3>
Lab goal</h3>
<div>
Create a new VIP/virt - 10.136.85.13.<br />
<br />
The main page should be using HTTP but all the other elements should be using SSL.<br />
<br />
<br /></div>
<h3>
Setup</h3>
<div>
I'll use my <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Loadbalancer Lab Setup</a>.</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
<br />
<br /></div>
<div>
The loadbalancer is Radware's Alteon VA version 29.5.1.0</div>
<div>
<br /></div>
<div>
The initial Alteon VA configuration can be found <a href="http://dans-net.blogspot.com/2014/09/basic-alteon-setup.html">here</a>.</div>
<h3>
Alteon configuration</h3>
<div>
We will reuse group 10 which includes all web servers.<br />
<br />
So all that is left is to create a VIP/<i>virt</i> with HTTP and HTTPS services:<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16</pre>
</td><td><pre style="line-height: 125%; margin: 0;"> /c/slb/virt 86_13
ena
ipver v4
vip 10.136.85.13
/c/slb/virt 86_13/service 80 http
group 10
rport 80
/c/slb/virt 86_13/service 80 http/pip
mode address
addr v4 10.136.85.200
/c/slb/virt 86_13/service 443 https
group 10
rport 443
/c/slb/virt 86_13/service 443 https/pip
mode address
addr v4 10.136.85.200
</pre>
</td></tr>
</tbody></table>
</div>
<br />
Lines 8-10 - Source NAT. Without it, traffic from the server would go directly to the client without first going through the Alteon.<br />
<br />
Now for the AppShape script:<br />
<br />
<br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12</pre>
</td><td><pre style="line-height: 125%; margin: 0;"><span style="color: #19177c;">when</span> HTTP_REQUEST <span style="color: green; font-weight: bold;">{</span>
<span style="color: #408080; font-style: italic;"># extract the fields from the HTTP headers</span>
<span style="color: green; font-weight: bold;">set</span> url <span style="color: green; font-weight: bold;">[</span><span style="color: #19177c;">HTTP</span><span style="color: #666666;">::</span>uri<span style="color: green; font-weight: bold;">]</span>
<span style="color: green; font-weight: bold;">set</span> host <span style="color: green; font-weight: bold;">[</span><span style="color: #19177c;">HTTP</span><span style="color: #666666;">::</span>host<span style="color: green; font-weight: bold;">]</span>
<span style="color: green; font-weight: bold;">if</span> <span style="color: green; font-weight: bold;">{[</span><span style="color: green;">string</span> equal <span style="color: #19177c;">$url</span> <span style="color: #ba2121;">"/"</span><span style="color: green; font-weight: bold;">]</span> <span style="color: #666666;">==</span><span style="color: #19177c;">0</span><span style="color: green; font-weight: bold;">}</span> <span style="color: green; font-weight: bold;">{</span>
<span style="color: #19177c;">HTTP</span><span style="color: #666666;">::</span>redirect <span style="color: #ba2121;">"https://$host$url"</span> <span style="color: #666666;">301</span>
<span style="color: green; font-weight: bold;">}</span>
<span style="color: green; font-weight: bold;">}</span>
<span style="color: #19177c;">-----END</span>
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<br />
<br />
<ul>
<li>Line 7 checks if the path is not "/" and then:</li>
<ul>
<li>Line 8 redirects all requests for the page elements, such as pictures, iFrames and CGI-BIN, to HTTPS</li>
<li>Notice that the redirect was built with the extracted host name and the URL</li>
</ul>
</ul>
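<div>
The redirect above copies the Host header, which the client supplies, into the Location header. As an added example (not part of the original post), this plain-tclsh harness checks the host against an allowlist before the redirect is built. <i>https_redirect_decision</i>, <i>allowed_hosts</i> and www.example.test are hypothetical names, and the test requests are constructed.</div>

```tcl
# Added example, not the author's script. Runs under plain tclsh (8.5 or later).

# Constructed allowlist: the VIP address from this lab plus a placeholder name.
set allowed_hosts {10.136.85.13 www.example.test}

# Returns a two-element list: {pass ""}, {redirect <location>} or {reject <reason>}
proc https_redirect_decision {host url allowed} {
    # The main page stays on HTTP, as in the script above
    if {[string equal $url "/"]} {
        return [list pass ""]
    }
    # Accept "name" or "name:port" only; empty values, spaces and
    # IPv6 literals do not match and are rejected
    if {![regexp {^([A-Za-z0-9.-]+)(?::[0-9]{1,5})?$} $host -> name]} {
        return [list reject "malformed Host header"]
    }
    # Host names are case-insensitive
    set name [string tolower $name]
    if {[lsearch -exact $allowed $name] < 0} {
        return [list reject "Host not served by this VIP"]
    }
    # Build the Location from the validated name; the client's port is
    # dropped because the HTTPS service listens on 443
    return [list redirect "https://$name$url"]
}

# Constructed test requests: {host url expected-action expected-value}
set cases {
    {"10.136.85.13"       "/"                  pass     ""}
    {"10.136.85.13"       "/images/number.jpg" redirect "https://10.136.85.13/images/number.jpg"}
    {"10.136.85.13:80"    "/cgi-bin/test"      redirect "https://10.136.85.13/cgi-bin/test"}
    {"WWW.Example.Test"   "/alpha/a1.html"     redirect "https://www.example.test/alpha/a1.html"}
    {"other.example.test" "/alpha/a1.html"     reject   "Host not served by this VIP"}
    {"bad host"           "/alpha/a1.html"     reject   "malformed Host header"}
    {""                   "/alpha/a1.html"     reject   "malformed Host header"}
}

set failures 0
foreach case $cases {
    lassign $case host url want_action want_value
    lassign [https_redirect_decision $host $url $allowed_hosts] action value
    if {$action ne $want_action || $value ne $want_value} {
        incr failures
        puts "FAIL host=\"$host\" url=$url got: $action $value"
    } else {
        puts [format "%-8s %-20s %-20s %s" $action $host $url $value]
    }
}
puts "[llength $cases] cases, $failures failures"
exit [expr {$failures > 0}]
```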
<div>
Next let's import and apply the AppShape++ script:</div>
<div>
<br /></div>
<div>
<br />
<div style="background: #f8f8f8; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15</pre>
</td><td><pre style="line-height: 125%; margin: 0;"> /c/slb/appshape/script redirect_to_https
ena
import text
when HTTP_REQUEST {
# extract the fields from the HTTP headers
set url [HTTP::uri]
set host [HTTP::host]
if {[string equal $url "/"] ==0} {
HTTP::redirect "https://$host$url" 301
}
}
-----END
/c/slb/virt 86_13/service 80 http/appshape
add 10 redirect_to_https
</pre>
</td></tr>
</tbody></table>
</div>
</div>
<br />
<h3>
Test</h3>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV_rtOdq3_XgRFxTJ6GAYdeIJhxuCWQO_1hVAFH3hyempMQ7yEt0fxKdKRPYBX-Qd9qH1C236EWJFSWsMPzyi8LVH1s8_m3jkE7XVjSd7Zq-3H-TPVIduX1IZqnn7W_kad_MXYnRZOR5Y/s1600/https_redirect.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV_rtOdq3_XgRFxTJ6GAYdeIJhxuCWQO_1hVAFH3hyempMQ7yEt0fxKdKRPYBX-Qd9qH1C236EWJFSWsMPzyi8LVH1s8_m3jkE7XVjSd7Zq-3H-TPVIduX1IZqnn7W_kad_MXYnRZOR5Y/s1600/https_redirect.PNG" height="640" width="482" /></a></div>
<br /></div>
It looks like a regular HTTP page, but notice the TCP port being used inside the iFrame. It's 443, which is HTTPS.<br />
<br />
Success!<br />
<div>
</div>
<br />
<h3>
Summary</h3>
<div>
This exact setup can be done with <i>crule</i>, but I think that using AppShape++ is much easier to understand, as you see the condition and the action in one place.</div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-7897500633587979532014-09-10T12:27:00.003-07:002014-09-12T13:07:30.619-07:00Alteon AppShape++ Redirects <h3>
Lab goals</h3>
<div>
In the lab we will practice:<br />
<br />
<ul>
<li>Redirection - r.dans-net.com should be redirected to 3.dans-net.com</li>
<li>Decision by URL matching:</li>
<ul>
<li>If URL length is 1 or 2, not including the leading "/", then redirect to 3.dans-net.com</li>
<li>If URL is "/images/number.jpg" or "/icons/number.jpg" then select SRV1</li>
<li>URL begins with "/alpha" or with "/beta" then select SRV2</li>
<li>URL contains "cgi-bin" or "gamma" then select SRV3</li>
</ul>
</ul>
</div>
<div>
Both r.dans-net.com and 3.dans-net.com should resolve to 10.136.6.11.</div>
<h3>
Setup</h3>
<div>
I'll use my <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Loadbalancer Lab Setup</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
The loadbalancer is Radware's Alteon VA version 29.5.1.0<br />
<br />
Here is the /etc/hosts or c:\windows\system32\drivers\etc\hosts resolve snippet:</div>
<div>
<br /></div>
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2</pre>
</td><td><pre style="line-height: 125%; margin: 0;"><span style="color: #6600ee; font-weight: bold;">10.136</span>.<span style="color: #6600ee; font-weight: bold;">6.11</span> <span style="color: #6600ee; font-weight: bold;">3.</span>dans<span style="color: #333333;">-</span>net.com
<span style="color: #6600ee; font-weight: bold;">10.136</span>.<span style="color: #6600ee; font-weight: bold;">6.11</span> r.dans<span style="color: #333333;">-</span>net.com
</pre>
</td></tr>
</tbody></table>
</div>
<br />
<h3>
Alteon configuration</h3>
<div>
First, let's create 3 groups, one for each SRV:<br />
<br />
<br /></div>
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2
3
4
5
6
7
8
9</pre>
</td><td><pre style="line-height: 125%; margin: 0;"><span style="color: #333333;">/</span><span style="color: #996633;">c</span><span style="color: #333333;">/</span>slb<span style="color: #333333;">/</span>group g1
<span style="color: #996633;">ipver</span> v4
<span style="color: #996633;">add</span> <span style="color: #0000dd; font-weight: bold;">1</span>
<span style="color: #333333;">/</span><span style="color: #996633;">c</span><span style="color: #333333;">/</span>slb<span style="color: #333333;">/</span>group g2
<span style="color: #996633;">ipver</span> v4
<span style="color: #996633;">add</span> <span style="color: #0000dd; font-weight: bold;">2</span>
<span style="color: #333333;">/</span><span style="color: #996633;">c</span><span style="color: #333333;">/</span>slb<span style="color: #333333;">/</span>group g3
<span style="color: #996633;">ipver</span> v4
<span style="color: #996633;">add</span> <span style="color: #0000dd; font-weight: bold;">3</span>
</pre>
</td></tr>
</tbody></table>
</div>
<br />
Next, let's create the VIP/virt:<br />
<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;">1
2
3
4</pre>
</td><td><pre style="line-height: 125%; margin: 0;"> <span style="color: #333333;">/</span><span style="color: #996633;">c</span><span style="color: #333333;">/</span>slb<span style="color: #333333;">/</span>virt <span style="color: #0000dd; font-weight: bold;">6</span>_11
<span style="color: #996633;">ena</span>
<span style="color: #996633;">vip</span> <span style="color: #6600ee; font-weight: bold;">10.136</span>.6.11
<span style="color: #333333;">/</span><span style="color: #996633;">c</span><span style="color: #333333;">/</span>slb<span style="color: #333333;">/</span>virt <span style="color: #0000dd; font-weight: bold;">6</span>_11<span style="color: #333333;">/</span>service <span style="color: #0000dd; font-weight: bold;">80</span> http
</pre>
</td></tr>
</tbody></table>
</div>
<br />
Next the AppShape++ script. This time I'll show two parts. The draft and the final.<br />
<br />
<h4>
Draft Script</h4>
<div>
The draft script is a regular TCL script, which I test in a regular TCL environment, such as <a href="http://www.activestate.com/activetcl">ActiveTCL for Windows</a>.</div>
<br />
<br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43</pre>
</td><td><pre style="line-height: 125%; margin: 0;"><span style="color: #888888;">#attach group g1</span>
<span style="color: #888888;">#attach group g2</span>
<span style="color: #888888;">#attach group g3</span>
<span style="color: #888888;">#</span>
<span style="color: #888888;">#when HTTP_REQUEST {</span>
<span style="color: #888888;">#}</span>
<span style="color: #888888;">#</span>
<span style="color: #888888;">#-----END</span>
<span style="color: #888888;"># usage</span>
<span style="color: #888888;"># redirect_url_match [URL] [HOST]</span>
<span style="color: #888888;"># set default values</span>
<span style="color: #008800; font-weight: bold;">set</span> host <span style="background-color: #fff0f0;">"3.dans-net.com"</span>
<span style="color: #008800; font-weight: bold;">set</span> url <span style="background-color: #fff0f0;">"/a"</span>
<span style="color: #888888;"># set values if exists</span>
<span style="color: #008800; font-weight: bold;">if</span> <span style="color: #008800; font-weight: bold;">{</span><span style="color: #996633;">$argc</span> <span style="color: #333333;">==</span> <span style="color: #996633;">1</span><span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #008800; font-weight: bold;">set</span> url <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">lindex</span> <span style="color: #996633;">$argv</span> <span style="color: #0000dd; font-weight: bold;">0</span><span style="color: #008800; font-weight: bold;">]</span>
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">elseif</span> <span style="color: #008800; font-weight: bold;">{</span><span style="color: #996633;">$argc</span> <span style="color: #333333;">></span> <span style="color: #996633;">1</span><span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
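<span style="color: #008800; font-weight: bold;">set</span> url <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">lindex</span> <span style="color: #996633;">$argv</span> <span style="color: #0000dd; font-weight: bold;">0</span><span style="color: #008800; font-weight: bold;">]</span>; <span style="color: #008800; font-weight: bold;">set</span> host <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">lindex</span> <span style="color: #996633;">$argv</span> <span style="color: #0000dd; font-weight: bold;">1</span><span style="color: #008800; font-weight: bold;">]</span>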
<span style="color: #008800; font-weight: bold;">}</span>
<span style="color: #888888;"># the code to use later on the alteon</span>
<span style="color: #008800; font-weight: bold;">if</span> <span style="color: #008800; font-weight: bold;">{[</span><span style="color: #007020;">string</span> equal <span style="color: #996633;">$host</span> <span style="background-color: #fff0f0;">"r.dans-net.com"</span><span style="color: #008800; font-weight: bold;">]}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #007020;">puts</span> <span style="background-color: #fff0f0;">"redirect to 3.dans-net.com"</span>
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">else</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #888888;"># check length of url. since the count also includes the leading / we need to add 1 to the comparison</span>
<span style="color: #008800; font-weight: bold;">if</span> <span style="color: #008800; font-weight: bold;">{[</span><span style="color: #007020;">string</span> length <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">==</span> <span style="color: #996633;">2</span> <span style="color: #333333;">||</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> length <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">==</span> <span style="color: #0000dd;">3</span><span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #007020;">puts</span> <span style="background-color: #fff0f0;">"redirect to 3.dans-net.com"</span>
<span style="color: #888888;"># exact match </span>
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">elseif</span> <span style="color: #008800; font-weight: bold;">{</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"/images/number.jpg"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">||</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"/icons/number.jpg"</span> <span style="color: #996633;">$url</span> <span style="color: #008800; font-weight: bold;">]</span> <span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #007020;">puts</span> <span style="background-color: #fff0f0;">"SRV1"</span>
<span style="color: #888888;">#match begin with </span>
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">elseif</span> <span style="color: #008800; font-weight: bold;">{</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"/alpha*"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">||</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"/beta*"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #007020;">puts</span> <span style="background-color: #fff0f0;">"SRV2"</span>
<span style="color: #888888;"># match contains X</span>
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">elseif</span> <span style="color: #008800; font-weight: bold;">{</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"*gamma*"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">||</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"*cgi-bin*"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #007020;">puts</span> <span style="background-color: #fff0f0;">"SRV3"</span>
<span style="color: #008800; font-weight: bold;">}</span>
<span style="color: #008800; font-weight: bold;">}</span>
</pre>
</td></tr>
</tbody></table>
</div>
<br />
<br />
<ul>
<li>Lines 1-8 - This is my template for AppShape++ scripts. It is currently commented out.</li>
<li>Lines 14-22 - Simulate HTTP headers and URL</li>
<ul>
<li>We are basing our group/pool selection on Host name and URL, so we need to simulate those parameters.</li>
<li>Lines 14-15 - Set the default Host and URL</li>
<li>Lines 18-22 - Extract the URL and Host name from command line arguments.</li>
<li>The script can be run:</li>
<ul>
<li>Without arguments: <i>tclsh.exe my_script.tcl</i> . Then the URL is "/a" and the host is "3.dans-net.com"</li>
<li>With just one argument: <i>tclsh.exe my_script /gamma/a3.html</i>. Then the URL is "/gamma/a3.html" and the host is "3.dans-net.com".</li>
<li>With two arguments: <i>tclsh.exe my_script /gamma/a3.html r.dans-net.com. </i>Then the URL is "/gamma/a3.html" and the host is "r.dans-net.com"</li>
</ul>
</ul>
<li>Lines 26-28 - Check if host name is "r.dans-net.com". If so, print "redirect to 3.dans-net.com". This is instead of actually using the Alteon command <i>HTTP::redirect</i> </li>
<li>Lines 28-43 - Check the URL</li>
<ul>
<li>Line 30 is checking the length of the URL.</li>
<li>Line 33 is checking for an exact match of the URL.</li>
<li>Line 36 is checking if the URL begins with....</li>
<li>Line 39 is checking if the URL contains ....</li>
</ul>
</ul>
After running the script and checking that it's actually working as indicated in the Lab Goals, we need to convert it to an Alteon AppShape++ script:<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34</pre>
</td><td><pre style="line-height: 125%; margin: 0;"><span style="color: #996633;">attach</span> group g1
<span style="color: #996633;">attach</span> group g2
<span style="color: #996633;">attach</span> group g3
<span style="color: #996633;">attach</span> group <span style="color: #0000dd; font-weight: bold;">10</span>
<span style="color: #996633;">when</span> HTTP_REQUEST <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #888888;"># extract the fields from the HTTP headers</span>
<span style="color: #008800; font-weight: bold;">set</span> host <span style="color: #008800; font-weight: bold;">[</span><span style="color: #996633;">HTTP</span><span style="color: #333333;">::</span>host<span style="color: #008800; font-weight: bold;">]</span>
<span style="color: #008800; font-weight: bold;">set</span> url <span style="color: #008800; font-weight: bold;">[</span><span style="color: #996633;">HTTP</span><span style="color: #333333;">::</span>uri<span style="color: #008800; font-weight: bold;">]</span>
<span style="color: #008800; font-weight: bold;">if</span> <span style="color: #008800; font-weight: bold;">{[</span><span style="color: #007020;">string</span> equal <span style="color: #996633;">$host</span> <span style="background-color: #fff0f0;">"r.dans-net.com"</span><span style="color: #008800; font-weight: bold;">]}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #996633;">HTTP</span><span style="color: #333333;">::</span>redirect <span style="background-color: #fff0f0;">"http://3.dans-net.com"</span> 301
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">else</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #888888;"># check length of url. since the count also includes the leading / we need to add 1 to the comparison</span>
<span style="color: #008800; font-weight: bold;">if</span> <span style="color: #008800; font-weight: bold;">{[</span><span style="color: #007020;">string</span> length <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">==</span> <span style="color: #996633;">2</span> <span style="color: #333333;">||</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> length <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">==</span> <span style="color: #0000dd; font-weight: bold;">3</span><span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #996633;">HTTP</span><span style="color: #333333;">::</span>redirect <span style="background-color: #fff0f0;">"http://3.dans-net.com"</span>
<span style="color: #888888;"># exact match</span>
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">elseif</span> <span style="color: #008800; font-weight: bold;">{</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"/images/number.jpg"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">||</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"/icons/number.jpg"</span> <span style="color: #996633;">$url</span> <span style="color: #008800; font-weight: bold;">]</span> <span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #996633;">group</span> select g1
<span style="color: #888888;">#match begin with </span>
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">elseif</span> <span style="color: #008800; font-weight: bold;">{</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"/alpha*"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">||</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"/beta*"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #996633;">group</span> select g2
<span style="color: #888888;"># match contains X</span>
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">elseif</span> <span style="color: #008800; font-weight: bold;">{</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"*gamma*"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #333333;">||</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">string</span> match <span style="background-color: #fff0f0;">"*cgi-bin*"</span> <span style="color: #996633;">$url</span><span style="color: #008800; font-weight: bold;">]</span> <span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #996633;">group</span> select g3
<span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">else</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #996633;">group</span> select <span style="color: #0000dd; font-weight: bold;">10</span>
<span style="color: #008800; font-weight: bold;">}</span>
<span style="color: #008800; font-weight: bold;">}</span>
<span style="color: #008800; font-weight: bold;">}</span>
<span style="color: #996633;">-----END</span>
</pre>
</td></tr>
</tbody></table>
</div>
<br />
This is basically the same script as before, but with Alteon AppShape++ commands like <i>HTTP::redirect</i> and <i>group select</i>.<br />
<i><br /></i>
Notice that at line 28, we have a default action, which is to use group 10, which includes all web servers. This will allow serving the main page, javascript and css.<br />
<br />
Also notice the difference between the redirect at line 13 and the redirect at line 17. The first will return 301 - permanent move, and the second will send the default 302 which is temporary move.<br />
<br />
Now let's import the script and apply it to the <i>virt</i> configuration:<br />
<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> /c/slb/appshape/script redirect_match_url
ena
import text
attach group g1
attach group g2
attach group g3
attach group 10
when HTTP_REQUEST <span style="font-weight: bold;">{</span>
<span style="font-style: italic;"># extract the fields from the HTTP headers</span>
<span style="font-weight: bold;">set</span> host <span style="font-weight: bold;">[</span>HTTP::host<span style="font-weight: bold;">]</span>
<span style="font-weight: bold;">set</span> url <span style="font-weight: bold;">[</span>HTTP::uri<span style="font-weight: bold;">]</span>
<span style="font-weight: bold;">if</span> <span style="font-weight: bold;">{[</span>string equal $host <span style="font-style: italic;">"r.dans-net.com"</span><span style="font-weight: bold;">]}</span> <span style="font-weight: bold;">{</span>
HTTP::redirect <span style="font-style: italic;">"http://3.dans-net.com"</span> 301
<span style="font-weight: bold;">}</span> <span style="font-weight: bold;">else</span> <span style="font-weight: bold;">{</span>
<span style="font-style: italic;"># check length of url. since the count also includes the leading / we need to add 1 to the comparison</span>
<span style="font-weight: bold;">if</span> <span style="font-weight: bold;">{[</span>string length $url<span style="font-weight: bold;">]</span> == 2 || <span style="font-weight: bold;">[</span>string length $url<span style="font-weight: bold;">]</span> == 3<span style="font-weight: bold;">}</span> <span style="font-weight: bold;">{</span>
HTTP::redirect <span style="font-style: italic;">"http://3.dans-net.com"</span>
<span style="font-style: italic;"># exact match</span>
<span style="font-weight: bold;">}</span> <span style="font-weight: bold;">elseif</span> <span style="font-weight: bold;">{</span> <span style="font-weight: bold;">[</span>string match <span style="font-style: italic;">"/images/number.jpg"</span> $url<span style="font-weight: bold;">]</span> || <span style="font-weight: bold;">[</span>string match <span style="font-style: italic;">"/icons/number.jpg"</span> $url <span style="font-weight: bold;">]</span> <span style="font-weight: bold;">}</span> <span style="font-weight: bold;">{</span>
group select g1
<span style="font-style: italic;">#match begin with </span>
<span style="font-weight: bold;">}</span> <span style="font-weight: bold;">elseif</span> <span style="font-weight: bold;">{</span> <span style="font-weight: bold;">[</span>string match <span style="font-style: italic;">"/alpha*"</span> $url<span style="font-weight: bold;">]</span> || <span style="font-weight: bold;">[</span>string match <span style="font-style: italic;">"/beta*"</span> $url<span style="font-weight: bold;">]</span> <span style="font-weight: bold;">}</span> <span style="font-weight: bold;">{</span>
group select g2
<span style="font-style: italic;"># match contains X</span>
<span style="font-weight: bold;">}</span> <span style="font-weight: bold;">elseif</span> <span style="font-weight: bold;">{</span> <span style="font-weight: bold;">[</span>string match <span style="font-style: italic;">"*gamma*"</span> $url<span style="font-weight: bold;">]</span> || <span style="font-weight: bold;">[</span>string match <span style="font-style: italic;">"*cgi-bin*"</span> $url<span style="font-weight: bold;">]</span> <span style="font-weight: bold;">}</span> <span style="font-weight: bold;">{</span>
group select g3
<span style="font-weight: bold;">}</span> <span style="font-weight: bold;">else</span> <span style="font-weight: bold;">{</span>
group select 10
<span style="font-weight: bold;">}</span>
<span style="font-weight: bold;">}</span>
<span style="font-weight: bold;">}</span>
-----END
/c/slb/virt 6_11/service 80 http
dbind forceproxy
/c/slb/virt 6_11/service 80 http/appshape
add 10 redirect_match_url
</pre>
</td></tr>
</tbody></table>
</div>
<br />
<h3>
Test</h3>
<div>
First I tried some redirection tests. The best way to see them is using Chrome or Firefox developer tools and looking at the network tab. However, this is not the best way to show it here, as the data is hierarchical and I can't show in one snapshot how the redirection worked.<br />
<br />
So I used Wireshark to show the redirection.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCs2OVNbriUstbOhv0metwhslio0Ir_NGsXfDLzymsR879lQ0OEutvBJZqhuqKfQJjT51FO2u0sVwAdNG8CFGKbDH2OhJAc-xDV6Gl9Bble52qxDT1VzHY7ITuxI9J2bDUx7q33JEmOaU/s1600/redirect.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCs2OVNbriUstbOhv0metwhslio0Ir_NGsXfDLzymsR879lQ0OEutvBJZqhuqKfQJjT51FO2u0sVwAdNG8CFGKbDH2OhJAc-xDV6Gl9Bble52qxDT1VzHY7ITuxI9J2bDUx7q33JEmOaU/s1600/redirect.PNG" /></a></div>
<br />
<br />
<ul>
<li>Packet 4 is the request for r.dans-net.com</li>
<li>Packet 6 is the reply with the redirect</li>
<li>Packet 7 is the new request to the redirected host</li>
</ul>
</div>
Next let's see what the page looks like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitDpx1y_b5mEJSWazEKqRUTUuk7y12qJOT6Q3_v_0f2nT7quxXs7iudPurCGnqcQdxf7fIrRE3LUW6RFPE_Mmkjw0-5ig-9FBxuZDsdDhV-iWbM6AO-PsgNkxRAP4xC9puqKBWbrk1Oro/s1600/url_match.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitDpx1y_b5mEJSWazEKqRUTUuk7y12qJOT6Q3_v_0f2nT7quxXs7iudPurCGnqcQdxf7fIrRE3LUW6RFPE_Mmkjw0-5ig-9FBxuZDsdDhV-iWbM6AO-PsgNkxRAP4xC9puqKBWbrk1Oro/s1600/url_match.PNG" height="640" width="554" /></a></div>
<br />
We can see that each element (in red) is using the correct SRV.<br />
<div>
</div>
<br />
<h3 style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">
Summary</h3>
<div>
I really like TCL. It is very simple. So is AppShape++.</div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-28599937975122752862014-09-08T16:10:00.003-07:002014-09-12T13:07:14.310-07:00Select group/pool by query URI<h3>
Lab goal</h3>
<div>
When a request looks like this: http://a3.dans-net.com/group=GROUPNAME then the group/pool will be selected by the following name:</div>
<div>
<br /></div>
<div>
group_GROUPNAME</div>
<div>
<br /></div>
<div>
For example for <span style="font-family: Courier New, Courier, monospace;">http://10.136.5.10/group=<span style="color: red;"><b>g1</b></span></span> the selected group will be group_<span style="color: red;"><b>g1</b></span></div>
<div>
<span style="color: red;"><br /></span></div>
<div>
The following groups should be defined:</div>
<div>
<ul>
<li>g1 - SRV1</li>
<li>g2 - SRV2</li>
<li>g3 - SRV3</li>
</ul>
<div>
<br />
The VIP should be 10.136.5.10</div>
</div>
<div>
<br /></div>
<h3>
Setup</h3>
<div>
I'll use my <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Loadbalancer Lab Setup</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
The loadbalancer is Radware's Alteon VA version 29.5.1.0</div>
<div>
<br /></div>
<div>
The initial Alteon VA configuration can be found <a href="http://dans-net.blogspot.com/2014/09/basic-alteon-setup.html">here</a>.</div>
<h3>
Alteon configuration</h3>
<div>
First, let's configure the groups.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/group g1 </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> add 1</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/group g2</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> add 2</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/group g3</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> add 3</span></div>
</div>
<div>
<br /></div>
<div>
Next let's write the script.<br />
<br />
<!-- HTML generated using hilite.me --><br />
<div style="background: #ffffff; border-width: .1em .1em .1em .8em; border: solid gray; overflow: auto; padding: .2em .6em; width: auto;">
<table><tbody>
<tr><td><pre style="line-height: 125%; margin: 0;"> 1
2
3
4
5
6
7
8
9
10
11
12</pre>
</td><td><pre style="line-height: 125%; margin: 0;"><span style="color: #996633;">attach</span> group g1
<span style="color: #996633;">attach</span> group g2
<span style="color: #996633;">attach</span> group g3
<span style="color: #996633;">when</span> HTTP_REQUEST <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #008800; font-weight: bold;">set</span> group_exists <span style="color: #008800; font-weight: bold;">[</span><span style="color: #007020;">regexp</span> <span style="color: #333333;">-</span>nocase <span style="color: #008800; font-weight: bold;">{</span><span style="color: #996633;">group</span><span style="background-color: #ffaaaa; color: red;">=</span><span style="color: #008800; font-weight: bold;">(</span><span style="color: #996633;">g</span><span style="color: #008800; font-weight: bold;">[</span><span style="color: #996633;">0-9</span><span style="color: #008800; font-weight: bold;">]</span><span style="color: #333333;">+</span><span style="color: #008800; font-weight: bold;">)(</span><span style="color: #333333;">&</span><span style="color: #996633;">.</span><span style="color: #333333;">*</span><span style="color: #008800; font-weight: bold;">)</span><span style="color: #333333;">*</span><span style="background-color: #ffaaaa; color: red;">$</span><span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">[</span><span style="color: #996633;">HTTP</span><span style="color: #333333;">::</span>query<span style="color: #008800; font-weight: bold;">]</span> a group_name<span style="color: #008800; font-weight: bold;">]</span>
<span style="color: #008800; font-weight: bold;">if</span> <span style="color: #008800; font-weight: bold;">{</span><span style="color: #996633;">$group_exists</span> <span style="color: #333333;">==</span> <span style="color: #996633;">1</span><span style="color: #008800; font-weight: bold;">}</span> <span style="color: #008800; font-weight: bold;">{</span>
<span style="color: #996633;">group</span> select <span style="color: #996633;">$group_name</span>
<span style="color: #008800; font-weight: bold;">}</span>
<span style="color: #008800; font-weight: bold;">}</span>
<span style="color: #996633;">-----END</span>
</pre>
</td></tr>
</tbody></table>
</div>
<br />
<br />
<br />
<ul>
<li>Lines 1-3 declare the groups which will be used later on.</li>
<li>Line 6 has the regular expression matching</li>
<ul>
<li>The matching is case insensitive.</li>
<li>It looks for a group=g* in the query part of the URI.</li>
<li>If a match is found it will </li>
<ul>
<li>set <i>group_exists </i>to 1</li>
<li>put whatever matched in <i>a</i></li>
<li>put the result of the first parenthesized group (g[0-9]+) in <i>group_name</i></li>
</ul>
</ul>
<li>Line 7-8 - If a match was found, select the group according to the group name</li>
<li>Line 12 - As always we need the <i>-----END </i>to mark the end of script.</li>
</ul>
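<br />
The pattern on line 6 can be exercised under tclsh before importing it. The following is an added example, not part of the original post: it runs the lab's pattern and a stricter variant over constructed query strings. The names <i>lab_pick</i>, <i>strict_pick</i> and <i>attached</i> are assumptions made for the illustration.<br />

```tcl
# Added example (not from the original post): compare the lab's pattern with
# a stricter check, under plain tclsh. All query strings below are constructed.

# Pattern exactly as used in the AppShape++ script above.
set lab_re {group=(g[0-9]+)(&.*)*$}

# Assumption: only the three groups attached in the script are valid targets.
set attached {g1 g2 g3}

# Returns the name the lab script would pass to "group select", or "".
proc lab_pick {query} {
    global lab_re
    if {[regexp -nocase $lab_re $query a group_name]} {
        return $group_name
    }
    return ""
}

# Stricter variant (hypothetical helper): the parameter must start at the
# beginning of the query or right after "&", must end at "&" or at the end
# of the string, and its value must be one of the attached groups.
proc strict_pick {query} {
    global attached
    if {[regexp {(?:^|&)group=([^&]*)(?:&|$)} $query -> name]
        && [lsearch -exact $attached $name] >= 0} {
        return $name
    }
    return ""
}

# Constructed test inputs: normal use, parameter not first, a different
# parameter that merely ends in "group", upper case, an undefined group,
# trailing junk, and an empty query string.
foreach q {
    "group=g1&b=1"
    "a=1&group=g3"
    "subgroup=g1"
    "GROUP=G2"
    "group=g99"
    "group=g1x"
    ""
} {
    puts [format "%-16s lab=%-5s strict=%s" "\"$q\"" [lab_pick $q] [strict_pick $q]]
}
```

The lab pattern is not anchored to a parameter boundary and accepts any digits, so it also returns a name for <i>subgroup=g1</i>, <i>GROUP=G2</i> and <i>group=g99</i>; the stricter check returns a name only when a whole <i>group</i> parameter carries g1, g2 or g3.<br />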
<br />
Next let's configure the virtual server. Notice that since we are using a 10.136.5.X address as the VIP, we need to configure the Alteon to use Source NAT/Proxy IP so that return traffic from the servers goes through the Alteon and not directly back to the client.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 5_10</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> vip 10.136.5.10</span><br />
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 5_10/service 80 http</span><br />
<span style="font-family: Courier New, Courier, monospace;"> group 10</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> /c/slb/virt 5_10/service 80 http/pip</span><br />
<span style="font-family: Courier New, Courier, monospace;"> mode address</span><br />
<span style="font-family: Courier New, Courier, monospace;"> addr v4 10.136.85.200 255.255.255.255 </span><br />
<br />
Notice we added <i>group 10</i> to the config. We need this as a last-resort group: if the AppShape++ script doesn't choose a group, that group will be chosen.<br />
<br />
Next we need to import and apply the AppShape++ script to the HTTP service.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/appshape/script host_by_query</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> import text </span><br />
<span style="font-family: Courier New, Courier, monospace;"> attach group g1</span><br />
<span style="font-family: Courier New, Courier, monospace;"> attach group g2</span><br />
<span style="font-family: Courier New, Courier, monospace;"> attach group g3</span><br />
<span style="font-family: Courier New, Courier, monospace;"> when HTTP_REQUEST {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> set group_exists [regexp -nocase {group=(g[0-9]+)(&.*)*$} [HTTP::query] a group_name]</span><br />
<span style="font-family: Courier New, Courier, monospace;"> if {$group_exists == 1} {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> log "$group_exists $a $group_name"</span><br />
<span style="font-family: Courier New, Courier, monospace;"> group select $group_name</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> -----END</span><br />
<br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 5_10/service 80 http/appshape</span><br />
<span style="font-family: Courier New, Courier, monospace;"> add 10 host_by_query</span></div>
<h3>
Test</h3>
<div>
First we will try selecting group g1:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKC0qfhHgbKAWoehTYmwgKmQjn-EJAb2JwHmqrz54p2leUWRjqFNpvlJj_xo0OiJuaU8r4ylKbGxKaL-7HUsRS-2PLJi37KuswnvAkvzeWfNxY9G0knpfbLg-pt0ykO3RX-m64gsZvHwA/s1600/byquery1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKC0qfhHgbKAWoehTYmwgKmQjn-EJAb2JwHmqrz54p2leUWRjqFNpvlJj_xo0OiJuaU8r4ylKbGxKaL-7HUsRS-2PLJi37KuswnvAkvzeWfNxY9G0knpfbLg-pt0ykO3RX-m64gsZvHwA/s1600/byquery1.PNG" height="640" width="570" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
Notice that just the GET to the main page was sent with ?group=g1&b=1 . The rest of the requests went without the query string.<br />
<br />
Next g3:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSCMGZs5ah_kS2NImpUPVy3NrXvW0JNBlPnIWr_js74L4eSTo6NcEufpIR40WDdyRMg-hMv4yTBBPfnMGWQ9ATs_-qo6GJFTjoITkYEO4SqWBInUFxV7YH18pffmhMivxAN5z2D-GEmlI/s1600/byquery3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSCMGZs5ah_kS2NImpUPVy3NrXvW0JNBlPnIWr_js74L4eSTo6NcEufpIR40WDdyRMg-hMv4yTBBPfnMGWQ9ATs_-qo6GJFTjoITkYEO4SqWBInUFxV7YH18pffmhMivxAN5z2D-GEmlI/s1600/byquery3.PNG" height="640" width="492" /></a></div>
<div>
<br /></div>
<div>
Success!</div>
<h3>
Summary</h3>
<div>
That wasn't too hard, was it? The one thing I do is to test the TCL script on tclsh and only then import it to the Alteon. That is much faster than copying and pasting into the Alteon's config.</div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-41457139380442888612014-09-04T14:31:00.001-07:002014-09-12T13:07:52.017-07:00AppShape++ and SSL offloadingAfter running my first AppShape++ script, I was wondering if it would work with SSL offloading as well.<br />
<br />
Let's try it out, using <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">my lab setup again</a>, and I'll be building on top of <a href="http://dans-net.blogspot.com/2014/09/alteon-group-selection-by-http-host_3.html">my previous lab</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
<br />
<br />
First I'll need to create an SSL policy on the Alteon VA version 29.5.1.0:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/ssl/sslpol mySSL_Pol</span><br />
<span style="font-family: Courier New, Courier, monospace;"> cipher "high"</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<br />
This will select only high security encryption and integrity algorithms.<br />
<br />
Next we need to create a self-signed certificate:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">>> LB1 - SSL Policy mySSL_Pol# <b>/cfg/slb/ssl/certs/srvrcert</b></span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Enter server certificate id: <b>mySRV_Cert</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">------------------------------------------------------------------</span><br />
<span style="font-family: Courier New, Courier, monospace;">[Server certificate mySRV_Cert Menu]</span><br />
<span style="font-family: Courier New, Courier, monospace;"> name - Set descriptive certificate name</span><br />
<span style="font-family: Courier New, Courier, monospace;"> generate - Create or update self-signed server certificate</span><br />
<span style="font-family: Courier New, Courier, monospace;"> del - Delete server certificate</span><br />
<span style="font-family: Courier New, Courier, monospace;"> cur - Display current server certificate configuration</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">>> LB1 - Server certificate mySRV_Cert# <b>gen</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">This operation will generate a self-signed server certificate.</span><br />
<span style="font-family: Courier New, Courier, monospace;">Enter key size [512|1024|2048|4096] [1024]: <b>2048</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Enter server certificate hash algorithm [md5|sha1|sha256|sha384|sha512] [sha1]: <b>sha256</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Enter certificate Common Name (e.g. your site's name): <b>*.dans-net.com</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Use certificate default values? [y/n]: <b>y</b></span><br />
<span style="font-family: Courier New, Courier, monospace;">Enter certificate validation period in days (1-3650) [365]: <b><enter></b> </span><br />
<span style="font-family: Courier New, Courier, monospace;">....</span><br />
<span style="font-family: Courier New, Courier, monospace;">Self signed server certificate, certificate signing request and key added.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: inherit;">We also need to enable SSL globally:</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">/cfg/slb/ssl/on</span><br />
<br />
Now let's add SSL offloading to <i>virt 6_10</i>:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 6_10/service 443 https/ssl</span><br />
<span style="font-family: Courier New, Courier, monospace;"> srvrcert cert mySRV_Cert</span><br />
<span style="font-family: Courier New, Courier, monospace;"> sslpol mySSL_Pol</span><br />
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 6_10/service 443 https/appshape</span><br />
<span style="font-family: Courier New, Courier, monospace;"> add 10 group_by_host</span><br />
<br />
Notice that we not only added SSL offloading but also applied the AppShape++ script.<br />
<br />
Let's try it out:<br />
<i><br /></i>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZVE8dOua7G0yFZUq5tE-eIB4cPTg09ia5CWLDuYAUih_HZw-abABErxTSPnxg0cBo5SoVixrP9IVAvdS7m6JhABMgB8uhTP4IEPcVmtByFbAzKrLblHAi36i8Nw0XSSSf8-X_TT2sgOM/s1600/a2_ssl.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZVE8dOua7G0yFZUq5tE-eIB4cPTg09ia5CWLDuYAUih_HZw-abABErxTSPnxg0cBo5SoVixrP9IVAvdS7m6JhABMgB8uhTP4IEPcVmtByFbAzKrLblHAi36i8Nw0XSSSf8-X_TT2sgOM/s1600/a2_ssl.PNG" height="640" width="504" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhguWoQUoRLdU4xdKzDEXktDLJ5V4wvLHwfK4gCJ5VO20KTU9SDlJMHXKGmgmgIaGuZGDBD42MWYdSMlkqxbekYwcSUUX1NL5LNIvPKAD2Xc9nelchraNe6JzgS1J0npU22k_6stVQlctQ/s1600/b2_ssl.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhguWoQUoRLdU4xdKzDEXktDLJ5V4wvLHwfK4gCJ5VO20KTU9SDlJMHXKGmgmgIaGuZGDBD42MWYdSMlkqxbekYwcSUUX1NL5LNIvPKAD2Xc9nelchraNe6JzgS1J0npU22k_6stVQlctQ/s1600/b2_ssl.PNG" height="640" width="504" /></a></div>
<i><br /></i>
Notice that the background is still blue, which means it's HTTPS, and that the SRV_PORT is 80, so we really have SSL offloading and the AppShape++ script works with SSL offloading too.<br />
<i><br /></i>
<br />
So yes! AppShape++ also works when using SSL offloading.<br />
<br />Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-84132025247820575502014-09-03T15:10:00.002-07:002014-09-12T13:08:07.659-07:00Alteon group selection by HTTP Host header using AppShape++<a href="http://dans-net.blogspot.com/2014/09/alteon-group-selection-by-http-host.html">In the previous post</a> I used Content Rules to configure group (server pool) selection based on the Host header in HTTP.<br />
<br />
This lab is also based on the <a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">lab setup I am using</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
<br />
<br />
This time I'll do the same, but with AppShape++, which is similar to F5's iRules.<br />
<br />
I want a2.dans-net.com to be served by SRV1 and b2.dans-net.com to be served by SRV2; any other host should be served by all web servers.<br />
<br />
I'll use 10.86.3.10 as the VIP. Here is how I edit my /etc/hosts file, which is c:\windows\system32\drivers\etc\hosts :<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">10.136.6.10 a2.dans-net.com</span><br />
<span style="font-family: Courier New, Courier, monospace;">10.136.6.10 b2.dans-net.com</span><br />
<div>
<br /></div>
First, I'll configure two new groups (server pools):<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/group a2_dans</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> add 1</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/group b2_dans</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"> add 2</span><br />
<br />
Next I'll write the AppShape++ script which will select a group based on the Host header:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">attach group a2_dans</span><br />
<span style="font-family: Courier New, Courier, monospace;">attach group b2_dans</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">when HTTP_REQUEST {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> switch -glob [HTTP::host] {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> "a2.dans-net.com" {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> group select a2_dans</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> "b2.dans*" {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> group select b2_dans</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> default {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> group select 10</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;"> }</span><br />
<span style="font-family: Courier New, Courier, monospace;">}</span><br />
<span style="font-family: Courier New, Courier, monospace;">-----END</span><br />
<div>
<br /></div>
<div>
The first two lines are <i>attach</i> statements. I have no idea <i>why</i> they are needed. All I know is that any group referenced inside other parts of the script <i>must</i> be declared there.</div>
<div>
<br /></div>
<div>
Then, with the help of the <i>switch</i> command we select which group to use when using this host or the other. If the Host matches nothing, then we will use group #10, which includes all the web servers.</div>
<div>
<br /></div>
<div>
Let's import the script into Alteon. Notice the "-----END" at the end, which marks the end of the script.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b> /c/slb/appshape/script <span style="background-color: yellow;">group_by_host</span></b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ena</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> import text </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> attach group a2_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> attach group b2_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> when HTTP_REQUEST {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> switch -glob [HTTP::host] {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> "a2.dans-net.com" {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> group select a2_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> }</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> "b2.dans*" {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> group select b2_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> }</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> default {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> group select 10</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> }</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> }</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> }</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> -----END</span></div>
</div>
<div>
<br /></div>
<div>
Next let's configure the VIP, or <i>virt</i> in Alteon's terminology.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"></span><br />
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 6_10</span></div>
<span style="font-family: Courier New, Courier, monospace;">
<div>
ena</div>
<div>
vip 10.136.6.10</div>
</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 6_10/service 80 http</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> /c/slb/virt 6_10/service 80 http/appshape</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> add 10 <span style="background-color: yellow;">group_by_host</span></span></div>
</div>
<div>
<br /></div>
After <i>apply</i> let's test:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5l-Op4o4XacMlIphrX5Pf0bZrhG4A1v4ZKM4xv6OMAB5sfPsZ6zrNSXDhjC25ebXtChdizntXPyH17mmBG5p4g5pXM82Jj6SAFsZXdUVqmgRoINk7yE97WFOGSOazw2pV_BvuV7T90Dw/s1600/a2_srv1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5l-Op4o4XacMlIphrX5Pf0bZrhG4A1v4ZKM4xv6OMAB5sfPsZ6zrNSXDhjC25ebXtChdizntXPyH17mmBG5p4g5pXM82Jj6SAFsZXdUVqmgRoINk7yE97WFOGSOazw2pV_BvuV7T90Dw/s1600/a2_srv1.PNG" height="640" width="504" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKMa78-kBWfq5RhKf-eZ39hyphenhyphenamaiiIyZnheMwMo3D2EMVc_rfuIWVSMig9Iq1x9yD2IKbpXDXE1vIgSWK61bLkvoTGVw1WEu87AZRGDD953qfJBN3lSmE3PrWoLFzzz8Nvvvqys-7JsLg/s1600/b2_srv2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKMa78-kBWfq5RhKf-eZ39hyphenhyphenamaiiIyZnheMwMo3D2EMVc_rfuIWVSMig9Iq1x9yD2IKbpXDXE1vIgSWK61bLkvoTGVw1WEu87AZRGDD953qfJBN3lSmE3PrWoLFzzz8Nvvvqys-7JsLg/s1600/b2_srv2.PNG" height="640" width="502" /></a></div>
<br />
<br />
Success!<br />
<br />
So which is better: using Content Rules or using AppShape++ scripts?<br />
<br />
I think that once you learn it, AppShape++ scripts are much easier, as you always use the same TCL commands and you are not forced into awkward configurations which in the end mimic that short script.Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-46019658286759489602014-09-02T22:40:00.001-07:002014-09-12T13:08:24.732-07:00Alteon group selection by HTTP Host header using Content Rules<a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html">Using this lab setup</a>, I will practice HTTP Host based selection of a group, which is a <i>server</i> <i>pool</i> in Alteon's terminology.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
<br />
<br />
First I need to add two hosts to my /etc/hosts file, which is c:\windows\system32\drivers\etc\hosts :<br />
<br />
<ul>
<li>a.dans-net.com</li>
<li>b.dans-net.com</li>
</ul>
<div>
<br /></div>
<div>
Both will point to 10.136.85.11.</div>
<div>
<br /></div>
<br />
<div>
<span style="font-family: Courier New, Courier, monospace;">10.136.85.11 a.dans-net.com</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">10.136.85.11 b.dans-net.com</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
I want a.dans-net.com to go to SRV1 and b.dans-net.com to go to SRV2.</div>
<div>
<br /></div>
<div>
I need to add two groups with only one host each. Notice that, AFAIK, since version 29 Alteon allows the use of strings as rip, groups and virt.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/group a_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> add 1</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/group b_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> add 2</span></div>
</div>
<div>
<br /></div>
<div>
The next step is to configure the Content Class, which means configuring matching classes which will later be used by Content Rules.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> /c/slb/layer7/slb/cntclss a_dans http</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/layer7/slb/cntclss a_dans http/hostname a_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> hostname "a.dans-net.com"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> match equal</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/layer7/slb/cntclss b_dans http</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/layer7/slb/cntclss b_dans http/hostname b_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> hostname "b.dans"</span></div>
</div>
<div>
<br /></div>
<div>
Notice that class <i>a_dans</i> is an <i>exact</i> match and that class <i>b_dans</i> is an <i>include</i> match (the default method, that's why we don't see it in the config). Just for fun...</div>
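The <i>equal</i> and <i>include</i> matches of these Content Classes, and the <i>switch -glob</i> arms of the AppShape++ script in the companion post, differ in how much of the Host header they pin down. The Python model below is an added example, not Alteon code and not the author's: it assumes first-match evaluation and raw string comparison, uses fnmatchcase as a stand-in for Tcl glob matching, and the sample Host values and the normalize_host, audit and strict_group helpers are hypothetical.

```python
from fnmatch import fnmatchcase

# Rules copied from the page; each list is walked top-down and the first match wins.
# AppShape++ script: arms of `switch -glob [HTTP::host]`, fallback `group select 10`.
APPSHAPE_RULES = [("glob", "a2.dans-net.com", "a2_dans"),
                  ("glob", "b2.dans*", "b2_dans")]
# Content Rules 10 and 20; the service's own `group 1` is the fallback.
CONTENT_RULES = [("equal", "a.dans-net.com", "a_dans"),
                 ("include", "b.dans", "b_dans")]


def matches(mode, pattern, host):
    """Model of the three match modes that appear on the page (raw string compare)."""
    if mode == "equal":
        return host == pattern
    if mode == "include":
        return pattern in host             # substring anywhere in the Host value
    if mode == "glob":
        return fnmatchcase(host, pattern)  # stand-in for Tcl glob matching
    raise ValueError(f"unknown match mode: {mode}")


def select_group(rules, default, host):
    """Return the group the modelled rule list would pick for this Host value."""
    for mode, pattern, group in rules:
        if matches(mode, pattern, host):
            return group
    return default


def normalize_host(raw):
    """Hypothetical helper: lower-case, drop a :port suffix and a trailing dot."""
    host = raw.strip().lower()
    if not host.startswith("[") and ":" in host:   # leave bracketed IPv6 literals alone
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def audit(rules, default, intended, hosts):
    """List (host, group) pairs that reach a dedicated group under an unintended name."""
    findings = []
    for host in hosts:
        group = select_group(rules, default, host)
        if group != default and normalize_host(host) not in intended:
            findings.append((host, group))
    return findings


def strict_group(exact_map, default, raw_host):
    """Hardened variant: normalise first, then accept exact names only."""
    return exact_map.get(normalize_host(raw_host), default)


# Constructed Host values for the demonstration; none are taken from the page.
APPSHAPE_HOSTS = ["a2.dans-net.com", "b2.dans-net.com", "c2.dans-net.com",
                  "b2.dans-net.com.example.org", "b2.dansk.example"]
CONTENT_HOSTS = ["a.dans-net.com", "b.dans-net.com", "a.dans-net.com.example.org",
                 "web.dans-net.com", "b.dans.example.org"]
STRICT_MAP = {"a2.dans-net.com": "a2_dans", "b2.dans-net.com": "b2_dans"}

if __name__ == "__main__":
    for name, rules, default, hosts in (
            ("AppShape++ switch -glob", APPSHAPE_RULES, "10", APPSHAPE_HOSTS),
            ("Content Rules", CONTENT_RULES, "1", CONTENT_HOSTS)):
        print(name)
        for host in hosts:
            print(f"  {host:30} -> group {select_group(rules, default, host)}")
    print("strict:", strict_group(STRICT_MAP, "10", "B2.DANS-NET.COM:80"),
          strict_group(STRICT_MAP, "10", "b2.dans-net.com.example.org"))
```

In this model, spelling out the full name instead of "b2.dans*" and setting <i>match equal</i> on b_dans, as the page already does for a_dans, leaves only the intended names reaching the dedicated groups.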
<div>
<br /></div>
<div>
Now let's add the <i>virt</i> and apply the changes.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 11</span></div>
</div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ena</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> vip 10.136.85.11</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 11/service 80 http</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> group 1</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> rport 80</span></div>
<div>
<span style="font-family: 'Courier New', Courier, monospace;"> /c/slb/virt 11/service 80 http/cntrules 10</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ena</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> cntclss "a_dans"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> group a_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 11/service 80 http/cntrules 20</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> ena</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> cntclss "b_dans"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> group b_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> /c/slb/virt 11/service 80 http/pip</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> mode address</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> addr v4 10.136.85.200 255.255.255.255 persist disable</span></div>
</div>
<div>
<br /></div>
<div>
Notice that we added two new rules, matching the Content Class we configured before and the action is to select a group, which we configured before too.</div>
<div>
<br /></div>
<div>
As usual we use Source NAT, hence the <i>pip</i> with 10.136.85.200 address.</div>
<div>
<br /></div>
<div>
And here are some "show" commands:</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">>> LB1 - Server Load Balancing Information# <b>/i/slb/virt 11</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">11: IP4 10.136.85.11, 00:03:b2:80:00:4e</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Virtual Services:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> http: rport http, group 1, health tcp (TCP), dbind forceproxy</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> <span style="background-color: yellow;">Content Rule 10</span>, enabled</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> content class a_dans, group a_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Real Servers:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> <span style="background-color: yellow;">1: 10.136.85.1</span>, group ena, health (runtime TCP), 2 ms, UP</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> <span style="background-color: yellow;">Content Rule 20</span>, enabled</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> content class b_dans, group b_dans</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> Real Servers:</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"> <span style="background-color: yellow;">2: 10.136.85.2</span>, group ena, health (runtime TCP), 2 ms, UP</span></div>
</div>
<div>
<br /></div>
<div>
Now let's see what happens in the browser.</div>
<div>
<br /></div>
<div>
First we test for a.dans-net.com. We expect to see SRV1 only.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEkftKvntVYCcVm9M8Kj5_sfvYCLr10YXGhswatA1hFFzAZkA-z5y-Mk2VEUJ9S51owzn1jbGCzqkTzqY8Oin88StDHEjOxrThY6G_7yleg_kmQeA4h1my9xWlG8TgSspbAMgpiEFJoBM/s1600/crule_srv1_only.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEkftKvntVYCcVm9M8Kj5_sfvYCLr10YXGhswatA1hFFzAZkA-z5y-Mk2VEUJ9S51owzn1jbGCzqkTzqY8Oin88StDHEjOxrThY6G_7yleg_kmQeA4h1my9xWlG8TgSspbAMgpiEFJoBM/s1600/crule_srv1_only.PNG" height="640" width="467" /></a></div>
<div>
<br /></div>
<div>
Success. We see SRV1 only. Next let's try b.dans-net.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeUNl1W6dsf1QbdpgK3zszilJCjuEyENu0UDEZg6rtW-dHiJL2n9qoIMfJJ5d_degyYh8Ok0K3Ty2Kx2cD0_5fZA13vx2J5HFNJ3vtfOi08-bTS9WWHwa6x8r_K-RltdetX99Y75DkWEY/s1600/crule_srv2_only.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeUNl1W6dsf1QbdpgK3zszilJCjuEyENu0UDEZg6rtW-dHiJL2n9qoIMfJJ5d_degyYh8Ok0K3Ty2Kx2cD0_5fZA13vx2J5HFNJ3vtfOi08-bTS9WWHwa6x8r_K-RltdetX99Y75DkWEY/s1600/crule_srv2_only.PNG" height="640" width="474" /></a></div>
<div>
<br /></div>
<div>
Success again, we see SRV2 only.</div>
Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-48765996286595368112014-09-02T12:39:00.003-07:002014-09-12T13:08:47.561-07:00Basic Alteon setupTime to actually test the lab.<br />
<br />
<a href="http://dans-net.blogspot.com/2014/08/load-balancing-lab-setup.html" target="_blank">Click here for previous post to see the lab setup.</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiu6DwkfDk8J62Bl0TPUtNGYdYL8JooyQG24e0j0jke8cPdoFyfTdKPmKtA-tKPl3tNqvtH2x-QcrQBXRSi55fwACv3z_li8qy-1X_sMEZmsDuNjD72ogogshOL2froM8QJn6Zj3Cdbnpw/s1600/Alteon+LB+lab+stand+alone.png" height="512" width="640" /></a></div>
<br />
<br />
Here is a basic Alteon setup with very basic server loadbalancing.<br />
<br />
The VIP is 10.136.85.10 and the Source NAT, or proxy IP in Alteon terminology, is 10.136.85.200. We need the SNAT, as otherwise the Alteon will reply directly to the client. We need the reply traffic to pass through the Alteon to get it translated back to the VIP from the real IP address of the selected server.<br />
<br />
Notice that we have a default GW for the management interface, and a different gateway for the data path, which is the traffic from the client and to the servers.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">/c/sys/mmgmt</span><br />
<span style="font-family: Courier New, Courier, monospace;"> dhcp disabled</span><br />
<span style="font-family: Courier New, Courier, monospace;"> addr 10.136.1.100</span><br />
<span style="font-family: Courier New, Courier, monospace;"> mask 255.255.255.0</span><br />
<span style="font-family: Courier New, Courier, monospace;"> broad 10.136.1.255</span><br />
<span style="font-family: Courier New, Courier, monospace;"> gw 10.136.1.254</span><br />
<span style="font-family: Courier New, Courier, monospace;"> addr6 fc00:1:0:0:0:0:0:1</span><br />
<span style="font-family: Courier New, Courier, monospace;"> prefix6 64</span><br />
<span style="font-family: Courier New, Courier, monospace;"> gw6 fc00:1:0:0:0:0:0:254</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;">/* LB1</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/sys</span><br />
<span style="font-family: Courier New, Courier, monospace;"> hprompt ena</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/sys/ssnmp</span><br />
<span style="font-family: Courier New, Courier, monospace;"> name "LB1"</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/sys/access/sshd/ena</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/sys/access/sshd/on</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/l3/if 1</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span><br />
<span style="font-family: Courier New, Courier, monospace;"> addr 10.136.85.100</span><br />
<span style="font-family: Courier New, Courier, monospace;"> mask 255.255.255.0</span><br />
<span style="font-family: Courier New, Courier, monospace;"> broad 10.136.85.255</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/l3/if 2</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ipver v6</span><br />
<span style="font-family: Courier New, Courier, monospace;"> addr fc00:85:0:0:0:0:0:100</span><br />
<span style="font-family: Courier New, Courier, monospace;"> mask 64</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/l3/gw 1</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span><br />
<span style="font-family: Courier New, Courier, monospace;"> addr 10.136.85.254</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/l3/gw 2</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ipver v6</span><br />
<span style="font-family: Courier New, Courier, monospace;"> addr fc00:85:0:0:0:0:0:254</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb</span><br />
<span style="font-family: Courier New, Courier, monospace;"> on</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb/real 1</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span><br />
<span style="font-family: Courier New, Courier, monospace;"> rip 10.136.85.1</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb/real 2</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span><br />
<span style="font-family: Courier New, Courier, monospace;"> rip 10.136.85.2</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb/real 3</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span><br />
<span style="font-family: Courier New, Courier, monospace;"> rip 10.136.85.3</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb/group 10</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span><br />
<span style="font-family: Courier New, Courier, monospace;"> add 1</span><br />
<span style="font-family: Courier New, Courier, monospace;"> add 2</span><br />
<span style="font-family: Courier New, Courier, monospace;"> add 3</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb/port 1</span><br />
<span style="font-family: Courier New, Courier, monospace;"> client ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> server ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> proxy ena</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb/virt 10</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ena</span><br />
<span style="font-family: Courier New, Courier, monospace;"> ipver v4</span><br />
<span style="font-family: Courier New, Courier, monospace;"> vip 10.136.85.10</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb/virt 10/service 80 http</span><br />
<span style="font-family: Courier New, Courier, monospace;"> group 10</span><br />
<span style="font-family: Courier New, Courier, monospace;"> rport 80</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb/virt 10/service 80 http/pip</span><br />
<span style="font-family: Courier New, Courier, monospace;"> mode address</span><br />
<span style="font-family: Courier New, Courier, monospace;"> addr v4 10.136.85.200 255.255.255.255 persist disable</span><br />
<span style="font-family: Courier New, Courier, monospace;">/c/slb/virt 10/service 443 https</span><br />
<span style="font-family: Courier New, Courier, monospace;"> group 10</span><br />
<span style="font-family: Courier New, Courier, monospace;"> rport 443</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>Dan Shechter Gelleshttp://www.blogger.com/profile/18175247280485392482noreply@blogger.comtag:blogger.com,1999:blog-5204377812712096078.post-41349791223260264712014-08-21T09:49:00.004-07:002014-09-02T12:50:05.170-07:00Load Balancing Lab setup<h2>
Virtual Loadbalancers</h2>
Nowadays, you don't need a physical load balancer to set up a lab. Almost every vendor offers a "virtual appliance", which is just their appliance repackaged as a virtual machine.<br />
<br />
Here is a list of a few such virtual loadbalancers:<br />
<ul>
<li><a href="http://www.radware.com/Resources/SoftwareDownloads/VMware-vSphere/" target="_blank">Radware Alteon VA</a></li>
<li><a href="https://f5.com/products/trials/product-trials" target="_blank">F5 VE</a></li>
<li><a href="http://kemptechnologies.com/server-load-balancing-appliances/virtual-loadbalancer/vlm-download" target="_blank">Kemp Technologies - LoadMaster </a></li>
<li><a href="http://www.a10networks.com/vThunder_trial/" target="_blank">A10 vThunder</a></li>
</ul>
<br />
There are even opensource alternatives such as:<br />
<ul>
<li><a href="http://www.openbsd.org/" target="_blank">OpenBSD's relayd</a> - in OpenBSD very few tutorials are needed as the man pages are complete, but here are a few links: <a href="http://home.nuug.no/~peter/pf/newest/" target="_blank">tutorial1 </a><a href="http://www.slideshare.net/GiovanniBechis/relayd-a-load-balancer-for-openbsd" target="_blank">tutorial2</a>. It has full support for many advanced loadbalancer features.<br />I plan to try it out.</li>
<li><a href="http://nginx.org/en/docs/http/load_balancing.html" target="_blank">nginx</a></li>
<li><a href="http://www.linuxvirtualserver.org/" target="_blank">Linux LVS</a></li>
</ul>
<br />
So building a virtual lab on a laptop is just one download away, isn't it?<br />
<br />
No, there are two missing pieces: a network topology with a router, and web servers with content which is suitable for such labs.<br />
<br />
Luckily for you, I have just set up such a lab, and I welcome you to use it as well.<br />
<br />
<h2>
Network topology</h2>
<h3>
Basic topology</h3>
<div>
The usual loadbalancer lab looks like this:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.internetsociety.org/deploy360/wp-content/uploads/2013/06/mcaoipv6-01-nativipv6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.internetsociety.org/deploy360/wp-content/uploads/2013/06/mcaoipv6-01-nativipv6.png" height="168" width="640" /></a></div>
<div>
<br /></div>
<div>
But this is not how loadbalancers are usually deployed. And it's also not the best way to deploy them, as not all traffic needs to go through the loadbalancer.</div>
<h3>
Realistic topology</h3>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwrP4dwXhDRxjLQrsA976RtOP6onXMGre-jCrzqrDvF3ajQQ0osMEYZieBnavmsB5JVBNu-TIgqdjEhEzR6Ci0C4AC-L1-fylaslMy0R4sT1N1ApRZyxz9ffc2VrT3B4m7egUf85aIaj0/s1600/LB+Lab+-+New+Page+(1).png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwrP4dwXhDRxjLQrsA976RtOP6onXMGre-jCrzqrDvF3ajQQ0osMEYZieBnavmsB5JVBNu-TIgqdjEhEzR6Ci0C4AC-L1-fylaslMy0R4sT1N1ApRZyxz9ffc2VrT3B4m7egUf85aIaj0/s1600/LB+Lab+-+New+Page+(1).png" height="512" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Topology and IP addresses</td></tr>
</tbody></table>
<div>
The laptop is the only physical device here. Everything else is virtualized.</div>
<div>
<br /></div>
<div>
The router and the servers are running <a href="http://www.openbsd.org/" target="_blank">OpenBSD </a>5.6 snapshot Aug 8, 2014.</div>
<div>
<br /></div>
<div>
The host/laptop will be used as the client for testing.<br />
<br />
If you are using just one loadbalancer, make sure its IP address ends with .100 or ::100 as some routing depends on that.</div>
<h2>
VMWare setup</h2>
<div>
You will need to create 4 new networks. Here is my VMWare workstation setup:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0YPHwZnnJ4vXu_tx1qSx0m8cb3L07pOkw79cS2a2hCynm4LyHlF-SHaJmyV6BF4IYizjxm64999XxyfUqqnVk7acFPis-4iE9CZzLYnB9h7BhYdexJmEYAzHOq1XEYjIA1EGTLY-PQpU/s1600/lb+lab+vmware+networks.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0YPHwZnnJ4vXu_tx1qSx0m8cb3L07pOkw79cS2a2hCynm4LyHlF-SHaJmyV6BF4IYizjxm64999XxyfUqqnVk7acFPis-4iE9CZzLYnB9h7BhYdexJmEYAzHOq1XEYjIA1EGTLY-PQpU/s1600/lb+lab+vmware+networks.PNG" height="568" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">VMWare networks</td></tr>
</tbody></table>
<div>
Here is a short reference:</div>
<div>
<ul>
<li>Name:</li>
<ul>
<li>For each interface on the list, VMWare creates a virtual interface on the host with the same Name. We will use that later to add IPv6 addresses and IPv4/IPv6 routes.</li>
</ul>
<li>Type: </li>
<ul>
<li>Host-only means that your host/laptop has connectivity to that network, and it also has an IP address on that network.</li>
<li>Custom means that your host/laptop is not connected to that network and that network is used for VM to VM communication.</li>
</ul>
<li>Subnet Address:</li>
<ul>
<li>For type Custom, where the host is not connected, it's not really important what the IP address is, but it's a good reference.</li>
<li>For type Host-only the IP address is actually important, as VMWare will configure the host's interface with an address from that network, usually .1</li>
</ul>
</ul>
</div>
<div>
And here is how the GW VM is configured. You will need to match your own VMNet names to mine, using the network IP address as a key. The most important thing is the <u>order of the network adapters</u>:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6dwrwk232BZF2oABcYA9SM3Ec9mY-h3e64JezmGhLR7CcfdSiZwuN2mxJsFhZWyYEN0eSYhRuWbsutkrRgMSoomKIn6W36A9jhwiAIZ7lR3U8GbYsrKazlNvqtooWaQEOZxmj_LTKWfE/s1600/lb_lab_gw_vm.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6dwrwk232BZF2oABcYA9SM3Ec9mY-h3e64JezmGhLR7CcfdSiZwuN2mxJsFhZWyYEN0eSYhRuWbsutkrRgMSoomKIn6W36A9jhwiAIZ7lR3U8GbYsrKazlNvqtooWaQEOZxmj_LTKWfE/s1600/lb_lab_gw_vm.PNG" height="576" width="640" /></a></div>
<div>
<br /></div>
<h3>
Host/Laptop IPv6 configs</h3>
<div>
We need to add IPv6 addresses to the Host-only VMNet interfaces:</div>
<div>
<br /></div>
<div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv6 add address "VMware Network Adapter VMnet12" fc00:3::100/64</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv6 add address "VMware Network Adapter VMnet13" fc00:4::100/64</span></div>
</div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<span style="font-family: inherit;">Now would be a good time to verify your host connectivity by pinging:</span><br />
<br />
<ol>
<li>10.136.3.254</li>
<li>10.136.4.254</li>
<li>fc00:3::254</li>
<li>fc00:4::254</li>
</ol>
<br />
<div>
<br /></div>
<h2>
Routing</h2>
<div>
We need to add routes on the laptop/host to get to the loadbalancers and to the VIPs.<br />
<br /></div>
<div>
<style type="text/css">
.tg {border-collapse:collapse;border-spacing:0;border-color:#aabcfe;}
.tg td{font-family:Arial, sans-serif;font-size:14px;padding:10px 5px;border-style:solid;border-width:0px;overflow:hidden;word-break:normal;border-color:#aabcfe;color:#669;background-color:#e8edff;border-top-width:1px;border-bottom-width:1px;}
.tg th{font-family:Arial, sans-serif;font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:0px;overflow:hidden;word-break:normal;border-color:#aabcfe;color:#039;background-color:#b9c9fe;border-top-width:1px;border-bottom-width:1px;}
.tg .tg-e3zv{font-weight:bold}
</style>
<br />
<table class="tg">
<tbody>
<tr>
<th class="tg-e3zv">Route</th>
<th class="tg-e3zv">Purpose</th>
</tr>
<tr>
<td class="tg-031e">10.136.85.0/24<br />
fc00:85::/64</td>
<td class="tg-031e">This is where the real web servers are.<br />
This is also used for VIPs with client NAT/SNAT</td>
</tr>
<tr>
<td class="tg-031e">10.136.1.0/24<br />
fc00:1::/64</td>
<td class="tg-031e">Some loadbalancers require separate management interface.</td>
</tr>
<tr>
<td class="tg-031e">10.136.5.0/24<br />
fc00:5::/64</td>
<td class="tg-031e">VIP network, which is routed by the router directly to the loadbalancer 10.136.85.100<br />
or fc00:85::100 addresses.</td>
</tr>
<tr>
<td class="tg-031e">10.136.6.0/24<br />
fc00:6::/64</td>
<td class="tg-031e">Same as above but the host will use the 10.136.3.0 or the fc00:3:: network to get there.<br />
The web servers are configured to send replies to 10.136.3.0 or fc00:3:: through the <br />
loadbalancer 10.136.85.100 or fc00:85::100 addresses.</td>
</tr>
</tbody></table>
<br />
Here is a network diagram to show the routes:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSIn2qKsJautMIhYGojy_8S0_l0SeG9UYACm_JcMEBmZhgwa7YgqHSd-BMOxlN3PAyyWJUqzP_UHfbRGrtmHcCD5fC5kg4DCtWnIXHhrpU2ZoVR6Qc8J1ADAwds14SESe0ZISReVNDg2s/s1600/LB+Lab+routing+-+New+Page.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSIn2qKsJautMIhYGojy_8S0_l0SeG9UYACm_JcMEBmZhgwa7YgqHSd-BMOxlN3PAyyWJUqzP_UHfbRGrtmHcCD5fC5kg4DCtWnIXHhrpU2ZoVR6Qc8J1ADAwds14SESe0ZISReVNDg2s/s1600/LB+Lab+routing+-+New+Page.png" height="522" width="640" /></a></div>
This setup allows different VIPs to be used in different network configurations:<br />
<br />
<br /></div>
<style type="text/css">
.tg {border-collapse:collapse;border-spacing:0;border-color:#aabcfe;}
.tg td{font-family:Arial, sans-serif;font-size:14px;padding:10px 5px;border-style:solid;border-width:0px;overflow:hidden;word-break:normal;border-color:#aabcfe;color:#669;background-color:#e8edff;border-top-width:1px;border-bottom-width:1px;}
.tg th{font-family:Arial, sans-serif;font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:0px;overflow:hidden;word-break:normal;border-color:#aabcfe;color:#039;background-color:#b9c9fe;border-top-width:1px;border-bottom-width:1px;}
.tg .tg-s6z2{text-align:center}
</style>
<br />
<table class="tg">
<tbody>
<tr>
<th class="tg-031e">Client Network </th>
<th class="tg-031e">VIP</th>
<th class="tg-031e">SNAT</th>
<th class="tg-031e">Logical VIP</th>
<th class="tg-031e">DSR</th>
</tr>
<tr>
<td class="tg-031e">10.136.4.0/24<br />
fc00:4::/64</td>
<td class="tg-031e">10.136.8.150-250<br />
fc00:85::150-250</td>
<td class="tg-s6z2">X</td>
<td class="tg-s6z2"></td>
<td class="tg-s6z2"></td>
</tr>
<tr>
<td class="tg-031e">10.136.4.0/24<br />
fc00:4::/64</td>
<td class="tg-031e">10.136.5.X<br />
fc00:5::X</td>
<td class="tg-s6z2">X</td>
<td class="tg-s6z2">X</td>
<td class="tg-s6z2"></td>
</tr>
<tr>
<td class="tg-031e">10.136.5.0/24<br />
fc00:5::/64</td>
<td class="tg-031e">10.136.6.X<br />
fc00:6::X</td>
<td class="tg-s6z2"></td>
<td class="tg-s6z2">X</td>
<td class="tg-s6z2"></td>
</tr>
<tr>
<td class="tg-031e">10.136.4.0/24<br />
fc00:4::/64</td>
<td class="tg-031e">10.136.85.199<br />
fc00:85::199</td>
<td class="tg-s6z2"></td>
<td class="tg-s6z2"></td>
<td class="tg-s6z2">X</td>
</tr>
</tbody></table>
<br />
<div>
Here is an explanation of the columns:</div>
<div>
<ol>
<li>Client Network - The client IP address that the http/https connection comes from. As we set the routing on the host/laptop, the source IP address is determined by those routes, and more specifically, by the interface from which the connection is sourced.</li>
<li>SNAT - or Client NAT. The loadbalancer needs to use client NAT/SNAT to get the replies from the web server back to it. For VIPs which do not need that, the web servers are configured to route traffic to the client via the loadbalancer .100 or ::100 address. <br />That is the sole reason why the host is connected to the router via two interfaces.</li>
<li>Logical VIP - VIP addresses that do not belong to a directly connected network.</li>
<li>DSR - Direct Server Return/L4 Performance/Local Triangulation. That address is also configured as a loopback interface on the web servers.</li>
</ol>
<h4>
Host static routes</h4>
</div>
<div>
The GW and the web server routing is preconfigured. Only the host/laptop needs to be configured:</div>
<div>
<br /></div>
<div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv4 add route 10.136.85.0/24 "VMware Network Adapter VMnet13" 10.136.4.254</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Ok.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv4 add route 10.136.5.0/24 "VMware Network Adapter VMnet13" 10.136.4.254</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Ok.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv6 add route fc00:85::/64 "VMware Network Adapter VMnet13" fc00:4::254</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Ok.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv6 add route fc00:5::/64 "VMware Network Adapter VMnet13" fc00:4::254</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Ok.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv4 add route 10.136.6.0/24 "VMware Network Adapter VMnet12" 10.136.3.254</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Ok.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv6 add route fc00:6::/64 "VMware Network Adapter VMnet12" fc00:3::254</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">Ok.</span></div>
</div>
<div>
<br />
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv6 add route fc00:1::/64 "VMware Network Adapter VMnet13" fc00:4::254</span><br />
<span style="font-family: Courier New, Courier, monospace;">Ok.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">C:\Users\dan.shechter>netsh interface ipv4 add route 10.136.1.0/24 "VMware Network Adapter VMnet13" 10.136.4.254</span><br />
<span style="font-family: Courier New, Courier, monospace;">Ok.</span></div>
<div>
<br /></div>
<div>
After we are done with the configuration we can test connectivity.</div>
<div>
<br /></div>
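<div>
The host route table built by the commands above, replayed as a longest-prefix-match lookup to show which interface and source network the host uses for each destination, and to flag a static route whose next hop is not on-link on its interface. This is an added example, not part of the original lab; interface names are shortened and the /24 length of the two connected IPv4 networks is an assumption.</div>

```python
import ipaddress

# (prefix, interface, next hop); connected networks have no next hop.
# Static entries mirror the netsh commands above. Assumptions: interface
# names are shortened, and the two connected IPv4 networks are /24.
ROUTES = [
    ("10.136.3.0/24", "VMnet12", None),
    ("10.136.4.0/24", "VMnet13", None),
    ("fc00:3::/64", "VMnet12", None),
    ("fc00:4::/64", "VMnet13", None),
    ("10.136.85.0/24", "VMnet13", "10.136.4.254"),
    ("10.136.5.0/24", "VMnet13", "10.136.4.254"),
    ("10.136.1.0/24", "VMnet13", "10.136.4.254"),
    ("10.136.6.0/24", "VMnet12", "10.136.3.254"),
    ("fc00:85::/64", "VMnet13", "fc00:4::254"),
    ("fc00:5::/64", "VMnet13", "fc00:4::254"),
    ("fc00:1::/64", "VMnet13", "fc00:4::254"),
    ("fc00:6::/64", "VMnet12", "fc00:3::254"),
]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match: (prefix, interface, next_hop), or None if unrouted."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)


def on_link(addr, iface, routes=ROUTES):
    """Connected prefix on iface that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for prefix, name, hop in routes:
        if hop is None and name == iface and ip in ipaddress.ip_network(prefix):
            return prefix
    return None


def source_network(dest, routes=ROUTES):
    """Connected network the host sources from when it talks to dest."""
    hit = lookup(dest, routes)
    if hit is None:
        return None
    return on_link(hit[2] or dest, hit[1], routes)


def bad_next_hops(routes=ROUTES):
    """Static routes whose next hop is not on-link on the route's own interface."""
    return [p for p, iface, hop in routes if hop and on_link(hop, iface, routes) is None]
```
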
<h2>
Web servers</h2>
<h3>
Users</h3>
<div>
user: cisco</div>
<div>
password: cisco!@34</div>
<div>
<br /></div>
<div>
Same for the gateway. Use <i>sudo </i>for root commands.</div>
<h3>
Web page</h3>
<div>
Browsing directly to 10.136.85.1 shows:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiARjwX-3rZW6KN_l1w0E-nRWmy3tX_Um-c2PeZyzDUNygqHrUKxVYvfI2XFy6sUHR6y7R3EN9tXoxblI_GxY-GB1g9a7pLZM0tzygqK-W36DNlt__echvk4cv1R5XSKZ3TGpNshcZh1xE/s1600/http+srv1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiARjwX-3rZW6KN_l1w0E-nRWmy3tX_Um-c2PeZyzDUNygqHrUKxVYvfI2XFy6sUHR6y7R3EN9tXoxblI_GxY-GB1g9a7pLZM0tzygqK-W36DNlt__echvk4cv1R5XSKZ3TGpNshcZh1xE/s1600/http+srv1.PNG" height="640" width="506" /></a></div>
<div>
<br /></div>
<div>
A few things to notice:</div>
<div>
<h3>
SRVX</h3>
Everything inside the table is an iframe, which means it gets loaded on its own.<br />
<br />
Web server #1 will return SRV1 and images with 1 in them.<br />
Web server #2 will return SRV2 and images with 2 in them.<br />
Web server #3 will return SRV3 and images with 3 in them.<br />
<div>
<br /></div>
That is how we can detect which server answered a specific request.<br />
<br />
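One way to use the SRVX marker: classify each response by the marker it carries and tally the answers, so round-robin, persistence and loadbalancer error pages show up in the counts. This is an added example, not part of the original lab; it assumes the literal text SRV1, SRV2 or SRV3 appears in the response body, and the sample bodies are constructed.<br />

```python
import re
import urllib.request
from collections import Counter

MARKER = re.compile(r"SRV[123]")


def backend_of(body):
    """'SRV1'..'SRV3' for a body, 'unknown' if no marker, 'mixed' if several."""
    found = set(MARKER.findall(body))
    if len(found) == 1:
        return found.pop()
    return "mixed" if found else "unknown"


def fetch(url, timeout=3):
    """One GET; urllib opens a new connection per call, so each call is a new LB decision."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def summarize(bodies):
    """Order of answers, per-backend counts, and whether one backend took every request."""
    seq = [backend_of(b) for b in bodies]
    counts = Counter(seq)
    return {
        "sequence": seq,
        "counts": dict(counts),
        "sticky": len(seq) > 1 and len(counts) == 1,
    }


# Constructed sample bodies standing in for six answers from a round-robin VIP.
SAMPLE = [
    f"<html><body><h1>SRV{n}</h1><img src='images/number{n}.jpg'></body></html>"
    for n in (1, 2, 3, 1, 2, 3)
]

if __name__ == "__main__":
    # Offline run on the constructed sample. Against the lab, build the list
    # with [fetch(vip_url) for _ in range(12)], using your own VIP URL.
    print(summarize(SAMPLE))
```
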
<h4>
CSS</h4>
</div>
<div>
The HTTP page uses a CSS file named http.css with a blue background.</div>
<div>
The HTTPS page uses a CSS file named https.css with a red background.</div>
<div>
There are two more CSS files, green.css and yellow.css. You can use them for iRules / AppShape manipulations.</div>
<div>
<br /></div>
<h3>
Directories</h3>
<div>
You have alpha, beta and gamma directories, which you can use as a server selector.</div>
<div>
<br /></div>
<h3>
Images</h3>
<div>
In the images directory there are the following files: number1.jpg, number2.jpg and number3.jpg.</div>
<div>
<br /></div>
<div>
On each server X, number.jpg will point to numberX.jpg, but you can manipulate that.</div>
<div>
<br /></div>
<h3>
JavaScript</h3>
<div>
By default the page will load scripts/flash.js. There is also scripts/flash_fast.js for your iRules / AppShape manipulations.</div>
<div>
<br /></div>
<h3>
404 Error</h3>
<div>
That is on purpose. To fix it, either have the client request here.html, or make the server think that the client requested here.html instead of not_here.<br />
<br />
<h2>
VMWare/vbox images</h2>
</div>
<div>
Last but not least, here are the OVA (virtual appliance) images:</div>
<div>
<ul>
<li><a href="http://dans-net.com/images/GW.ova" target="_blank">GW</a></li>
<li><a href="http://dans-net.com/images/SRV1.ova" target="_blank">SRV1</a></li>
<li><a href="http://dans-net.com/images/SRV2.ova" target="_blank">SRV2</a></li>
<li><a href="http://dans-net.com/images/SRV3.ova" target="_blank">SRV3</a></li>
</ul>
<div>
Enjoy...</div>
</div>