Best Of
Re: A10 vThunder ADC/SLB - Redirection based on URL
You should be able to accomplish this with an HTTP template; this is in the following guide.
Here is an example from the ADC config guide:
ACOS(config)# slb template http urlswitch
ACOS(config-http)# url-switching starts-with /abc service-group sg-abc
ACOS(config-http)# url-switching starts-with /123 service-group sg-123
ACOS(config-http)# exit
ACOS(config)# slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template http urlswitch
ACOS(config-slb vserver-vport)# service-group sg-abc
[T&C] Deploy DNS recursive resolver using Thunder CFW
In this article, we will see how you can deploy a DNS recursive resolver using Thunder CFW.
Setup
This is what we want to achieve:
- By default, the Thunder device should resolve queries starting from the root servers.
- However, for the domain names ending in a10networks.com, it should use the response from a DNS service-group that is bound to the DNS VIP.
Step-by-Step Configuration
Create a NAT pool:
This NAT pool will be used by the Thunder device to send out DNS queries:
ip nat pool IPv4-DNS 100.64.100.250 100.64.100.250 netmask /32
Specify a class list of domain names:
class-list internal-domains dns
  dns ends-with a10networks.com
Create a DNS template:
slb template dns dns-enable-template
  recursive-dns-resolution hostnames internal-domains ipv4-nat-pool IPv4-DNS default-recursive
Note:
With the “default-recursive” command, the Thunder CFW will by default act as a recursive resolver and try to resolve the DNS queries starting from the root server.
In this case, the class-list specifies an “exception” to this default lookup process: the domains matching “hostnames <class-list>” will be resolved using the service-group that is applied on the VIP (see the next step) instead of the default resolution process (starting from the root server).
Apply the DNS template to a DNS VIP:
slb server RS10 100.64.100.10
  port 53 tcp
  port 53 udp
!
slb server RS11 100.64.100.11
  port 53 tcp
  port 53 udp
!
slb service-group SG-DNS-TCP tcp
  member RS10 53
  member RS11 53
!
slb service-group SG-DNS-UDP udp
  member RS10 53
  member RS11 53
!
slb template dns dns-enable-template
  recursive-dns-resolution hostnames internal-domains ipv4-nat-pool IPv4-DNS default-recursive
!
slb virtual-server DNS-VIP 100.64.1.250
  port 53 dns-udp
    source-nat auto
    service-group SG-DNS-UDP
    template dns dns-enable-template
Verification
You can view the statistics for DNS queries resolved recursively using:
vThunder#sh slb virtual-server DNS-VIP 53 dns-udp application-statistics | include Recursive
Recursive Resolution Started:            525
Recursive Resolution Succeeded:          524
Recursive Resolution Send Failed:        1
Recursive Resolution Timed Out:          7
Recursive Resolution Retransmit Sent:    7
Here is a sample packet capture showing the DNS resolution for a website by the Thunder device starting from the root server (in this case, 192.112.36.4):
By doing a packet capture on the DNS servers making up the service group, we can also confirm that the query for the domain name ending in a10networks.com is resolved using the service-group that is bound to the DNS VIP:
Additional Features
You can additionally configure the following features:
· Integrated DDoS protection
· DNS caching
· DNS Application Firewall (DAF)
· Filter DNS queries of type ANY
ip anomaly-drop bad-content 24
ip anomaly-drop drop-all
ip anomaly-drop out-of-sequence 24
ip anomaly-drop zero-window 24
!
icmp-rate-limit 2000
!
slb common
  dns-cache-enable
!
slb template dns dns-enable-template
  default-policy cache
  malformed-query drop
  query-type-filter deny query-type ANY
You can also apply RPZ policy by importing an RPZ file and specifying it under the DNS template.
For this, import the RPZ file as follows:
vThunder(config)#import rpz a10rpz use-mgmt-port scp://a10tme@10.64.4.130/home/a10tme/a10rpz
Password []?
Done.
vThunder(config)#sh rpz
Name                    DNS template
--------------------------------------------------------------
a10rpz                  No
Total RPZ number: 1
vThunder(config)#
vThunder(config)#sh rpz debug
Total Class-list Set Error: 0
Total RPZ Parse Error: 0
vThunder(config)#
vThunder(config)#sh rpz a10rpz
Name         : a10rpz
DNS template : No
Content:
$TTL 3H
@ IN SOA @ rname.invalid. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
  NS @
  A 127.0.0.1
  AAAA ::1
; PASSTHRU action
www.a10networks.com IN CNAME rpz-passthru.
; NXDOMAIN action
www.netflix.com IN CNAME .
; NODATA action
www.facebook.com IN CNAME *.
32.36.65.13.31.rpz-ip IN CNAME *.
vThunder(config)#
Now apply this RPZ file under the DNS template:
slb template dns dns-enable-template
  rpz 1 a10rpz logging enable
Complete Configuration
Here is the complete configuration for reference:
ip anomaly-drop bad-content 24
ip anomaly-drop drop-all
ip anomaly-drop out-of-sequence 24
ip anomaly-drop zero-window 24
!
ip dns primary 8.8.8.8
!
ip dns secondary 9.9.9.9
!
icmp-rate-limit 2000
!
timezone America/Los_Angeles
!
ntp server time.google.com
  prefer
!
interface management
  ip address 10.64.4.135 255.255.255.0
  ip default-gateway 10.64.4.1
!
interface ethernet 1
  enable
  ip address 100.64.1.253 255.255.255.0
!
interface ethernet 2
  enable
  ip address 100.64.100.253 255.255.255.0
!
!
ip route 0.0.0.0 /0 100.64.100.254
!
ip nat pool IPv4-DNS 100.64.100.250 100.64.100.250 netmask /32
!
slb common
  dns-cache-enable
!
slb server RS10 100.64.100.10
  port 53 tcp
  port 53 udp
!
slb server RS11 100.64.100.11
  port 53 tcp
  port 53 udp
!
slb service-group SG-DNS-TCP tcp
  member RS10 53
  member RS11 53
!
slb service-group SG-DNS-UDP udp
  member RS10 53
  member RS11 53
!
slb template dns dns-enable-template
  default-policy cache
  malformed-query drop
  query-type-filter deny query-type ANY
  rpz 1 a10rpz logging enable
  recursive-dns-resolution hostnames internal-domains ipv4-nat-pool IPv4-DNS default-recursive
!
slb virtual-server DNS-VIP 100.64.1.250
  port 53 dns-udp
    source-nat auto
    service-group SG-DNS-UDP
    template dns dns-enable-template
!
logging facility local3
!
logging syslog information
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
vThunder#
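To see what the RPZ file in this article actually expresses, here is an added Python example (not the article's or A10's code) that parses an RPZ zone and maps each trigger to the action encoded in its CNAME target; the rpz-ip handling implements the general "<prefixlen>.<reversed octets>.rpz-ip" rule, of which the article's single 32.36.65.13.31.rpz-ip entry is one instance. The zone text is a constructed copy of the one shown by "sh rpz a10rpz", with the SOA compacted to one line.

```python
import ipaddress

# Constructed copy of the RPZ zone shown by "sh rpz a10rpz" above (SOA compacted to one line).
RPZ_ZONE = """\
$TTL 3H
@ IN SOA @ rname.invalid. ( 0 1D 1H 1W 3H )  ; serial refresh retry expire minimum
  NS @
  A 127.0.0.1
  AAAA ::1
; PASSTHRU action
www.a10networks.com IN CNAME rpz-passthru.
; NXDOMAIN action
www.netflix.com IN CNAME .
; NODATA action
www.facebook.com IN CNAME *.
32.36.65.13.31.rpz-ip IN CNAME *.
"""

# RPZ encodes the policy action in the CNAME target of each trigger record.
ACTIONS = {"rpz-passthru.": "PASSTHRU", ".": "NXDOMAIN", "*.": "NODATA"}


def parse_rpz(text):
    """Return ({qname: action}, [(answer network, action)]) from RPZ zone text."""
    qname_rules, ip_rules = {}, []
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()        # strip comments, tokenize
        if len(parts) != 4 or parts[1:3] != ["IN", "CNAME"]:
            continue                                # SOA/NS/A/AAAA glue, not policy
        trigger, action = parts[0], ACTIONS.get(parts[3], "UNKNOWN")
        if trigger.endswith(".rpz-ip"):
            # Response-IP trigger: "<prefixlen>.<octets reversed>.rpz-ip"
            plen, *octets = trigger[: -len(".rpz-ip")].split(".")
            ip_rules.append((ipaddress.ip_network(".".join(reversed(octets)) + "/" + plen), action))
        else:
            qname_rules[trigger.lower().rstrip(".")] = action
    return qname_rules, ip_rules


def policy_for(qname, answer_ip=None, zone=RPZ_ZONE):
    """Action applied to a query name, or to the answer IP if the name has no rule."""
    qname_rules, ip_rules = parse_rpz(zone)
    action = qname_rules.get(qname.lower().rstrip("."))
    if action is None and answer_ip is not None:
        addr = ipaddress.ip_address(answer_ip)
        action = next((a for net, a in ip_rules if addr in net), None)
    return action or "ALLOW"
```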
Re: REST APIs tester
Try the links below on your A10 device:
API calls, documentation and tests
There is also a lightweight version of the axAPI test/verification:
Re: Redirect 302 with aFlex
You can also just use HTTP Policy instead, no need for an aflex in this case.
Re: Redirect 302 with aFlex
Please try below:
when HTTP_REQUEST {
    if { [HTTP::host] equals "recargaweb.imperial.com" } {
        HTTP::redirect "https://[HTTP::host]/publico"
    }
}
I have tested this script and the results are as below:
Re: Redirect 302 with aFlex
Host does not contain the protocol or /, just using recargaweb.imperial.com should work.
Re: Management port
vThunder(config)(NOLICENSE)#interface management
vThunder(config-if:management)(NOLICENSE)#ip address 10.1.45.31 /24
vThunder(config-if:management)(NOLICENSE)#ip default-gateway 10.1.45.28
vThunder(config-if:management)(NOLICENSE)#exit
vThunder(config)(NOLICENSE)#
For DHCP, substitute the ip address line with this:
vThunder(config-if:management)(NOLICENSE)#ip address dhcp
You can check what IP address was assigned using the show interface brief command:
mbp-vthnd1(NOLICENSE)#sh int br
Port  Link  Dupl  Speed  Trunk  Vlan  MAC             IP Address          IPs  Name
----------------------------------------------------------------------------------------------------
mgmt  Up    Full  1000   N/A    N/A   000c.292e.68d5  172.16.109.128/24   1
1     Disb  None  None   None   1     000c.292e.68df  0.0.0.0/0           0
2     Disb  None  None   None   1     000c.292e.68e9  0.0.0.0/0           0
mbp-vthnd1(NOLICENSE)#
Change Hostname:
vThunder(config)#hostname pm-vthnd1
pm-vthnd1(config)#exit
pm-vthnd1#wr mem
Building configuration...
Write configuration to default primary startup-config
[OK]
pm-vthnd1#
Set DNS for MGMT port:
vThunder(config)(NOLICENSE)#ip dns primary 44.147.45.28
Don't forget to set a route (ip route {subnet} /24 {gateway}) to get to the network the local DNS is on!
It would also be a good idea to set the timezone and clock:
mbp-vthnd1(config)(NOLICENSE)#timezone America/Chicago
mbp-vthnd1(config)(NOLICENSE)#sh clock
*19:21:30 CDT Wed May 1 2019
You can also set an NTP service:
mbp-vthnd1(config)(NOLICENSE)#ntp server time.nist.gov
mbp-vthnd1(config-ntpsvr:time.nist.gov)(NOLICENSE)#prefer
mbp-vthnd1(config-ntpsvr:time.nist.gov)(NOLICENSE)#end
mbp-vthnd1(NOLICENSE)#sh clock
.19:24:03 CDT Wed May 1 2019
Re: SSLi traffic bypass
A single pair of 10g SFP+ ports with optical bypass are installed as well. Please refer to this diagram:
Re: AXAPI: Determine when configuration last updated
I would say to try:
http://192.168.0.152/axapi/v3/running-config
however it doesn't appear to return anything for me, so another approach would be to run cli-deploy to get the running-config. The running-config has the info I think you are looking for at the top. If you wanted, you could also hash the response and then check the hash against the previous hash to see if it changed. Would this work for you?
curl -X POST \
  http://192.168.0.152/axapi/v3/clideploy \
  -H 'authorization: A10 6121c2b4423d55bc5435fd6f8318b0' \
  -H 'content-type: text/plain' \
  -d 'show running-config'
!Current configuration: 18822 bytes
!Configuration last updated at 22:27:45 PST Tue Nov 28 2017
!Configuration last saved at 22:28:01 PST Tue Nov 28 2017
!64-bit Advanced Core OS (ACOS) version 4.1.0-P10, build 105 (Oct-30-2017,17:16)
!
vrrp-a common
  device-id 2
  set-id 5
  enable
!
...
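As an added example (not the poster's or A10's code), the following Python script issues the same clideploy request with the standard library, pulls the "last updated" and "last saved" timestamps from the banner, and hashes only the configuration body so that a save with no real change does not register as a change. The host and the A10 signature are placeholders, and the sample response is constructed from the banner shown above.

```python
import hashlib
import re
import urllib.request

# Constructed sample of a clideploy "show running-config" response (banner as in the reply above).
SAMPLE_CONFIG = """\
!Current configuration: 18822 bytes
!Configuration last updated at 22:27:45 PST Tue Nov 28 2017
!Configuration last saved at 22:28:01 PST Tue Nov 28 2017
!64-bit Advanced Core OS (ACOS) version 4.1.0-P10, build 105 (Oct-30-2017,17:16)
!
vrrp-a common
  device-id 2
  set-id 5
  enable
!
"""

BANNER_RE = re.compile(r"^!Configuration last (updated|saved) at (.+)$", re.M)


def fetch_running_config(host, signature):
    """Same request as the curl call above: POST the CLI command to /axapi/v3/clideploy.
    host and signature are placeholders supplied by the caller."""
    req = urllib.request.Request(
        f"http://{host}/axapi/v3/clideploy",
        data=b"show running-config",
        headers={"authorization": f"A10 {signature}", "content-type": "text/plain"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def config_timestamps(text):
    """Pull the 'last updated' and 'last saved' timestamps out of the banner."""
    return dict(BANNER_RE.findall(text))


def config_digest(text):
    """SHA-256 over the configuration body only: the '!Current configuration' and
    '!Configuration last ...' banner lines are dropped so that a 'write memory' with
    no actual change (which only moves 'last saved') does not look like a change."""
    body = [line for line in text.splitlines()
            if not line.startswith(("!Current configuration", "!Configuration last"))]
    return hashlib.sha256("\n".join(body).encode()).hexdigest()


def changed_since(previous_digest, text):
    """True when the config body differs from the digest recorded on the last poll."""
    return config_digest(text) != previous_digest
```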
vcs disable - split vchassis in 2 standalone - will result in outage?
We have a pair of thunder 3040 used for CGNAT in vChassis mode.
We need to split it in two Standalone nodes.
We will do it using the command: "vcs disable"
A colleague mentioned that no disruption will occur.
But I would like to double-check it.
I looked into "ACOS 4.1.4-GR1-P5 Configuring ACOS Virtual Chassis Systems" pdf...
In there it is explicit that a reload is needed to add a node to a vChassis, but it is not explicit whether a reload is needed to disable aVCS.
Any suggestions?