0

AppShape++ and SSL offloading

After running my fist AppShape++ script, I was wondering if it will work with SSL offloading as well.

Lets try it out, using my lab setup again, and I'll be adding on top my previous lab.



First I'll need to create SSL policy on the Alteon VA version 29.5.1.0:

 /c/slb/ssl/sslpol mySSL_Pol
        cipher "high"
        ena

This will select only high security encryption and integrity algorithms.

Next we need to create a self signed certificate:

>> LB1 - SSL Policy mySSL_Pol# /cfg/slb/ssl/certs/srvrcert

Enter server certificate id: mySRV_Cert
------------------------------------------------------------------
[Server certificate mySRV_Cert Menu]
     name     - Set descriptive certificate name
     generate - Create or update self-signed server certificate
     del      - Delete server certificate
     cur      - Display current server certificate configuration

>> LB1 - Server certificate mySRV_Cert# gen
This operation will generate a self-signed server certificate.
Enter key size [512|1024|2048|4096] [1024]: 2048
Enter server certificate hash algorithm [md5|sha1|sha256|sha384|sha512] [sha1]: sha256
Enter certificate Common Name (e.g. your site's name):  *.dans-net.com
Use certificate default values? [y/n]: y
Enter certificate validation period in days (1-3650) [365]: <enter>  
....
Continue reading

0

Alteon group selection by HTTP Host header using AppShape++

On the previous post I have used Content Rules to configure group (server pool) selection based on the Host header in HTTP.

This lab is also based on the lab setup I am using.


This time I'll do the same, but with AppShape++, which is similar to F5's iRules.

I want a2.dans-net.com to be served by SRV1 and b2.dans-net.com to be served by SRV2, any other host should be served by all web servers.

I'll use VIP 10.86.3.10 as the VIP. Here is how I edit my /etc/hosts files, which is c:windowssystem32driversetchosts :

10.136.6.10    a2.dans-net.com
10.136.6.10    b2.dans-net.com
First, I'll configured two new groups (server pools):

 /c/slb/group a2_dans
        add 1

 /c/slb/group b2_dans
        add 2

Next I'll write the AppShape++ script which will select a group based on the Host header:

attach group a2_dans
attach group b2_dans

when HTTP_REQUEST {
    switch -glob [HTTP::host] {
        "a2.dans-net.com" {
            group select a2_dans
        }
        "b2.dans*" {
Continue reading

0

Alteon group selection by HTTP Host header using Content Rules

Using this lab setup, I will practice HTTP Host based group selection, which is a server pool in Alteon's terminology.



Fist I need to add two hosts to my /etc/hosts files, which is c:windowssystem32driversetchosts :

• a.dans-net.com
• b.dans-net.com

0

Basic Alteon setup

Time to actually test the lab.

Click here for previous post to see the lab setup.



Here is a basic Alteon setup with very basic server loadbalancing.

The VIP is 10.136.85.10 and the Source NAT, or proxy ip in Alteon terminology is 10.136.85.200. We need the SNAT, as otherwise the Alteon will reply directly to the client. We need the reply traffic to pass through the Alteon to get it translated back to VIP from the real IP address of the selected server.

Notice that that we have a default GW for the management interface, and a different gateway for the data path, which is the traffic from the client and to the servers.

/c/sys/mmgmt
        dhcp disabled
        addr 10.136.1.100
        mask 255.255.255.0
        broad 10.136.1.255
        gw 10.136.1.254
        addr6 fc00:1:0:0:0:0:0:1
        prefix6 64
        gw6 fc00:1:0:0:0:0:0:254
        ena
/* LB1
/c/sys
        hprompt ena
/c/sys/ssnmp
        Continue reading

0

Load Balancing Lab setup

Virtual Loadblanacers

Nowadays, you don't need a physical load balancer to setup a lab. Almost each and every vendor offers a "virtual appliance", which is just their appliance repacked as a virtual machine:

Here is a list of few such virtual loadbalancers:

• Radware Alteon VA
• F5 VE
• Kemp Technologies - LoadMaster 
• A10 vThunder

There are even opensource alternatives such as:

• OpenBSD's relayd - in OpenBSD very few tutorials are needed as the man pages are complete, but here are some few links: tutorial1 tutorial2. It has full support for many advance loadbalncer's features.
  I plan to try it out.
• nginx
• Linux LVS

So building a virtual lab on a laptop is just one download away, isn't it?

No, there are to missing pieces: Network topology with a router and web servers with content which is suitable for such labs.

Luckily for you, I have just setup such a lab, and I welcome you to use it as well.

Network topology

Basic topology

Realistic topology

Topology Continue reading

0

OpenStack taining

There are two buzzwords floating around. Cloud and SDN.

They are even closely related.

For now, SDN is mostly a buzzword but Cloud is actually something people are using daily, such as AWS, Azure, Rackspace, Google and others.

As network engineer, my chances of touching or even seeing the details of the backends of those public clouds are quit small. However, private clouds are different.

With private clouds, as it was with VMWare installations, network engineers are expected to be able to support and install the network side of things.

So I have decided to jump in and learn private clouds. And for me, the best way to learn is always hands on.

OpenStack has these online training guides: http://docs.openstack.org/training-guides/content/

I'll jump right in and do the Operator Training Guide.

I'll publish a series of posts with my experience with the training material, and I'll update this post with links to all of the posts.