Best Of
Re: NHLD Publics IP
Typically NHLD is used for outbound internet connections. The configuration often consists of Wildcard VIPs with ACLs, and we can use the ACLs to select which traffic we are intercepting. If we only intercept outbound traffic, then there should be no distribution for inbound traffic such as the NAT you described. Then, you can keep the NAT on your FW configuration. Would that work for you?
For further discussion, could you post a sanitized network diagram and your NHLD configuration?

Re: Deleting a ve interface on a vblade
Looks like you want to disable the VE on the blade which is device 2 in the cluster. To accomplish this, log in to the vMaster and disable the VE using blade/interface notation:
configure
interface ve 2/350
disable
interface ve 2/351
disable
end
Can you give that a try?

Re: Deleting a ve interface on a vblade
Try the following:
A1-vMaster1/1# device-context 2
All the following configuration will go to device 2
A1-vMaster1/1# interface ve 100
A1-vMaster1/1 disable
This operation applied to device 2

Re: Hosting and automating web content on A10 ADC
I have seen a basic PAC file hosted within an AFLEX script on A10. There is some extra syntax in addition to the actual PAC file config, but perhaps this will give you a starting point for ideas.

Re: Factory reset hardware.
System Reset will not impact the license on an A10 hardware appliance.

Re: Limit ID
With this config, each subscriber is allowed a maximum of 2000 TCP ports and 10 ports per address are reserved. When tcp user-quota is exceeded, an alert is logged and this counter is incremented in this show command:
cgn-1#show cgnv6 lsn statistics
<snip>
TCP User-Quota Exceeded 17
<snip>

Re: A10 vThunder ADC/SLB - Redirection based on URL
You should be able to accomplish this with an HTTP template; this is in the following guide.
Here is an example from the ADC config guide:
ACOS(config)# slb template http urlswitch
ACOS(config-http)# url-switching starts-with /abc service-group sg-abc
ACOS(config-http)# url-switching starts-with /123 service-group sg-123
ACOS(config-http)# exit
ACOS(config)# slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template http urlswitch
ACOS(config-slb vserver-vport)# service-group sg-abc

[T&C] Deploy DNS recursive resolver using Thunder CFW
In this article, we will see how you can deploy a DNS recursive resolver using Thunder CFW.
Setup
This is what we want to achieve:
- By default, the Thunder device should resolve queries starting from the root servers.
- However, for the domain names ending in a10networks.com, it should use the response from a DNS service-group that is bound to the DNS VIP.
Step-by-Step Configuration
Create a NAT pool:
This NAT pool will be used by the Thunder device to send out DNS queries:
ip nat pool IPv4-DNS 100.64.100.250 100.64.100.250 netmask /32
Specify a class list of domain names:
class-list internal-domains dns
  dns ends-with a10networks.com
Create a DNS template:
slb template dns dns-enable-template
  recursive-dns-resolution
    hostnames internal-domains
    ipv4-nat-pool IPv4-DNS
    default-recursive
Note:
With the “default-recursive” command, the Thunder CFW will by default act as a recursive resolver and try to resolve the DNS queries starting from the root server.
In this case, the domains specified using the class-list are an “exception” to this default lookup process – the domains matching the “hostnames <class-list>” will be resolved using the service-group that is applied on the VIP (see the next step) instead of the default resolution process (starting from the root server).
Apply the DNS template to a DNS VIP:
slb server RS10 100.64.100.10
  port 53 tcp
  port 53 udp
!
slb server RS11 100.64.100.11
  port 53 tcp
  port 53 udp
!
slb service-group SG-DNS-TCP tcp
  member RS10 53
  member RS11 53
!
slb service-group SG-DNS-UDP udp
  member RS10 53
  member RS11 53
!
slb template dns dns-enable-template
  recursive-dns-resolution
    hostnames internal-domains
    ipv4-nat-pool IPv4-DNS
    default-recursive
!
slb virtual-server DNS-VIP 100.64.1.250
  port 53 dns-udp
    source-nat auto
    service-group SG-DNS-UDP
    template dns dns-enable-template
Verification
You can view the statistics for DNS queries resolved recursively using:
vThunder#sh slb virtual-server DNS-VIP 53 dns-udp application-statistics | include Recursive
Recursive Resolution Started: 525
Recursive Resolution Succeeded: 524
Recursive Resolution Send Failed: 1
Recursive Resolution Timed Out: 7
Recursive Resolution Retransmit Sent: 7
Here is a sample packet capture showing the DNS resolution for a website by the Thunder device starting from the root server (in this case, 192.112.36.4):
By doing a packet capture on the DNS servers making up the service group, we can also confirm that the query for the domain name ending in a10networks.com is resolved using the service-group that is bound to the DNS VIP:
Additional Features
You can additionally configure the following features:
· Integrated DDoS protection
· DNS caching
· DNS Application Firewall (DAF)
· Filter DNS queries of type ANY
ip anomaly-drop bad-content 24
ip anomaly-drop drop-all
ip anomaly-drop out-of-sequence 24
ip anomaly-drop zero-window 24
!
icmp-rate-limit 2000
!
slb common
  dns-cache-enable
!
slb template dns dns-enable-template
  default-policy cache
  malformed-query drop
  query-type-filter deny
    query-type ANY
You can also apply RPZ policy by importing an RPZ file and specifying it under the DNS template.
For this, import the RPZ file as follows:
vThunder(config)#import rpz a10rpz use-mgmt-port scp://a10tme@10.64.4.130/home/a10tme/a10rpz
Password []?
Done.
vThunder(config)#sh rpz
Name                 DNS template
--------------------------------------------------------------
a10rpz               No
Total RPZ number: 1
vThunder(config)#
vThunder(config)#sh rpz debug
Total Class-list Set Error: 0
Total RPZ Parse Error: 0
vThunder(config)#
vThunder(config)#sh rpz a10rpz
Name : a10rpz
DNS template : No
Content:
$TTL 3H
@ IN SOA @ rname.invalid. (
        0 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
  NS @
  A 127.0.0.1
  AAAA ::1
; PASSTHRU action
www.a10networks.com IN CNAME rpz-passthru.
; NXDOMAIN action
www.netflix.com IN CNAME .
; NODATA action
www.facebook.com IN CNAME *.
32.36.65.13.31.rpz-ip IN CNAME *.
vThunder(config)#
Now apply this RPZ file under the DNS template:
slb template dns dns-enable-template
  rpz 1 a10rpz logging enable
Complete Configuration
Here is the complete configuration for reference:
ip anomaly-drop bad-content 24
ip anomaly-drop drop-all
ip anomaly-drop out-of-sequence 24
ip anomaly-drop zero-window 24
!
ip dns primary 8.8.8.8
!
ip dns secondary 9.9.9.9
!
icmp-rate-limit 2000
!
timezone America/Los_Angeles
!
ntp server time.google.com
  prefer
!
interface management
  ip address 10.64.4.135 255.255.255.0
  ip default-gateway 10.64.4.1
!
interface ethernet 1
  enable
  ip address 100.64.1.253 255.255.255.0
!
interface ethernet 2
  enable
  ip address 100.64.100.253 255.255.255.0
!
!
ip route 0.0.0.0 /0 100.64.100.254
!
ip nat pool IPv4-DNS 100.64.100.250 100.64.100.250 netmask /32
!
slb common
  dns-cache-enable
!
slb server RS10 100.64.100.10
  port 53 tcp
  port 53 udp
!
slb server RS11 100.64.100.11
  port 53 tcp
  port 53 udp
!
slb service-group SG-DNS-TCP tcp
  member RS10 53
  member RS11 53
!
slb service-group SG-DNS-UDP udp
  member RS10 53
  member RS11 53
!
slb template dns dns-enable-template
  default-policy cache
  malformed-query drop
  query-type-filter deny
    query-type ANY
  rpz 1 a10rpz logging enable
  recursive-dns-resolution
    hostnames internal-domains
    ipv4-nat-pool IPv4-DNS
    default-recursive
!
slb virtual-server DNS-VIP 100.64.1.250
  port 53 dns-udp
    source-nat auto
    service-group SG-DNS-UDP
    template dns dns-enable-template
!
logging facility local3
!
logging syslog information
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
vThunder#
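
An added example (not part of the original post and not A10 code): a small Python check that reads the policy records of the RPZ file shown in the DNS recursive resolver article above and reports what each trigger does, including decoding the `rpz-ip` owner name back to the address it matches. It also recognises the standard DROP and TCP-ONLY targets, which go beyond the three actions in that file; `SAMPLE_RPZ`, `parse_rpz` and `decode_rpz_ip` are names chosen for this example.

```python
import ipaddress

# Constructed sample: the trigger/action records from the RPZ file shown in the article.
SAMPLE_RPZ = """\
; PASSTHRU action
www.a10networks.com IN CNAME rpz-passthru.
; NXDOMAIN action
www.netflix.com IN CNAME .
; NODATA action
www.facebook.com IN CNAME *.
32.36.65.13.31.rpz-ip IN CNAME *.
"""

# CNAME targets with special meaning in RPZ; any other target is a local-data rewrite.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

def decode_rpz_ip(owner):
    """Turn 'prefixlen.B4.B3.B2.B1.rpz-ip' into an IPv4 network (IPv4 triggers only)."""
    labels = owner.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-1] != "rpz-ip":
        raise ValueError(f"not an IPv4 rpz-ip trigger: {owner}")
    prefix_len, octets = labels[0], labels[4:0:-1]   # octets are stored reversed
    # ip_network() also rejects a prefix with host bits set, i.e. a malformed trigger.
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix_len}")

def parse_rpz(text):
    """Return (trigger_type, trigger, action) for each CNAME policy record."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop zone-file comments
        fields = line.split()
        if "CNAME" not in fields[:-1]:
            continue                                  # SOA/NS/A lines carry no policy
        owner, target = fields[0], fields[fields.index("CNAME") + 1]
        action = ACTIONS.get(target.lower(), f"LOCAL-DATA -> {target}")
        if owner.lower().rstrip(".").endswith(".rpz-ip"):
            rules.append(("response-ip", str(decode_rpz_ip(owner)), action))
        else:
            rules.append(("qname", owner.rstrip(".").lower(), action))
    return rules

if __name__ == "__main__":
    for rule in parse_rpz(SAMPLE_RPZ):
        print(*rule, sep="\t")
```

Running it over a zone file before import shows at a glance which names are blocked, which are exempted, and which answer addresses trigger a rewrite.
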
Re: REST APIs tester
Try the links below on your A10 device:
API calls, documentation and tests
There is also a lightweight version of axAPI test/verification:
Re: Redirect 302 with aFlex
You can also just use HTTP Policy instead, no need for an aflex in this case.