Best Of
Re: Deleting a ve interface on a vblade
Looks like you want to disable the VE on the blade which is device 2 in the cluster. To accomplish this, log in to the vmaster and disable the VE using blade/interface notation:
configure
interface ve 2/350
  disable
interface ve 2/351
  disable
end
Can you give that a try?
Re: Deleting a ve interface on a vblade
Try the following:
A1-vMaster1/1# device-context 2
All the following configuration will go to device 2
A1-vMaster1/1# interface ve 100
A1-vMaster1/1 disable
This operation applied to device 2
Re: Hosting and automating web content on A10 ADC
I have seen a basic PAC file hosted within an AFLEX script on A10. There is some extra syntax in addition to the actual PAC file config, but perhaps this will give you a starting point for ideas.
Re: Factory reset hardware.
System Reset will not impact the license on an A10 hardware appliance.
Re: Limit ID
With this config, each subscriber is allowed a maximum of 2000 TCP ports and 10 ports per address are reserved. When tcp user-quota is exceeded, an alert is logged and this counter is incremented in this show command:
cgn-1#show cgnv6 lsn statistics
<snip>
TCP User-Quota Exceeded 17
<snip>
Re: A10 vThunder ADC/SLB - Redirection based on URL
You should be able to accomplish this with an HTTP template; this is in the following guide.
Here is an example from the ADC config guide:
ACOS(config)# slb template http urlswitch
ACOS(config-http)# url-switching starts-with /abc service-group sg-abc
ACOS(config-http)# url-switching starts-with /123 service-group sg-123
ACOS(config-http)# exit
ACOS(config)# slb virtual-server vs1 1.1.1.1
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template http urlswitch
ACOS(config-slb vserver-vport)# service-group sg-abc
[T&C] Deploy DNS recursive resolver using Thunder CFW
In this article, we will see how you can deploy a DNS recursive resolver using Thunder CFW.
Setup
This is what we want to achieve:
- By default, the Thunder device should resolve queries starting from the root servers.
- However, for the domain names ending in a10networks.com, it should use the response from a DNS service-group that is bound to the DNS VIP.
Step-by-Step Configuration
Create a NAT pool:
This NAT pool will be used by the Thunder device to send out DNS queries:
ip nat pool IPv4-DNS 100.64.100.250 100.64.100.250 netmask /32
Specify a class list of domain names:
class-list internal-domains dns
  dns ends-with a10networks.com
Create a DNS template:
slb template dns dns-enable-template
  recursive-dns-resolution
    hostnames internal-domains
    ipv4-nat-pool IPv4-DNS
    default-recursive
Note:
With the “default-recursive” command, the Thunder CFW will by default act as a recursive resolver and try to resolve the DNS queries starting from the root server.
In this case, the domains specified using the class-list define an “exception” to this default lookup process – the domains matching the “hostnames <class-list>” will be resolved using the service-group that is applied on the VIP (see the next step) instead of the default resolution process (starting from the root server).
Apply the DNS template to a DNS VIP:
slb server RS10 100.64.100.10
  port 53 tcp
  port 53 udp
!
slb server RS11 100.64.100.11
  port 53 tcp
  port 53 udp
!
slb service-group SG-DNS-TCP tcp
  member RS10 53
  member RS11 53
!
slb service-group SG-DNS-UDP udp
  member RS10 53
  member RS11 53
!
slb template dns dns-enable-template
  recursive-dns-resolution
    hostnames internal-domains
    ipv4-nat-pool IPv4-DNS
    default-recursive
!
slb virtual-server DNS-VIP 100.64.1.250
  port 53 dns-udp
    source-nat auto
    service-group SG-DNS-UDP
    template dns dns-enable-template
Verification
You can view the statistics for DNS queries resolved recursively using:
vThunder#sh slb virtual-server DNS-VIP 53 dns-udp application-statistics | include Recursive
Recursive Resolution Started: 525
Recursive Resolution Succeeded: 524
Recursive Resolution Send Failed: 1
Recursive Resolution Timed Out: 7
Recursive Resolution Retransmit Sent: 7
Here is a sample packet capture showing the DNS resolution for a website by the Thunder device starting from the root server (in this case, 192.112.36.4):
By doing a packet capture on the DNS servers making up the service group, we can also confirm that the query for the domain name ending in a10networks.com is resolved using the service-group that is bound to the DNS VIP:
Additional Features
You can additionally configure the following features:
- Integrated DDoS protection
- DNS caching
- DNS Application Firewall (DAF)
- Filter DNS queries of type ANY
ip anomaly-drop bad-content 24
ip anomaly-drop drop-all
ip anomaly-drop out-of-sequence 24
ip anomaly-drop zero-window 24
!
icmp-rate-limit 2000
!
slb common
  dns-cache-enable
!
slb template dns dns-enable-template
  default-policy cache
  malformed-query drop
  query-type-filter deny
    query-type ANY
You can also apply RPZ policy by importing an RPZ file and specifying it under the DNS template.
For this, import the RPZ file as follows:
vThunder(config)#import rpz a10rpz use-mgmt-port scp://a10tme@10.64.4.130/home/a10tme/a10rpz
Password []?
Done.
vThunder(config)#sh rpz
Name                DNS template
--------------------------------------------------------------
a10rpz              No
Total RPZ number: 1
vThunder(config)#
vThunder(config)#sh rpz debug
Total Class-list Set Error: 0
Total RPZ Parse Error: 0
vThunder(config)#
vThunder(config)#sh rpz a10rpz
Name : a10rpz
DNS template : No
Content:
$TTL 3H
@ IN SOA @ rname.invalid. (
        0 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
  NS @
  A 127.0.0.1
  AAAA ::1
; PASSTHRU action
www.a10networks.com IN CNAME rpz-passthru.
; NXDOMAIN action
www.netflix.com IN CNAME .
; NODATA action
www.facebook.com IN CNAME *.
32.36.65.13.31.rpz-ip IN CNAME *.
vThunder(config)#
Now apply this RPZ file under the DNS template:
slb template dns dns-enable-template
  rpz 1 a10rpz
    logging enable
Complete Configuration
Here is the complete configuration for reference:
ip anomaly-drop bad-content 24
ip anomaly-drop drop-all
ip anomaly-drop out-of-sequence 24
ip anomaly-drop zero-window 24
!
ip dns primary 8.8.8.8
!
ip dns secondary 9.9.9.9
!
icmp-rate-limit 2000
!
timezone America/Los_Angeles
!
ntp server time.google.com
  prefer
!
interface management
  ip address 10.64.4.135 255.255.255.0
  ip default-gateway 10.64.4.1
!
interface ethernet 1
  enable
  ip address 100.64.1.253 255.255.255.0
!
interface ethernet 2
  enable
  ip address 100.64.100.253 255.255.255.0
!
!
ip route 0.0.0.0 /0 100.64.100.254
!
ip nat pool IPv4-DNS 100.64.100.250 100.64.100.250 netmask /32
!
slb common
  dns-cache-enable
!
slb server RS10 100.64.100.10
  port 53 tcp
  port 53 udp
!
slb server RS11 100.64.100.11
  port 53 tcp
  port 53 udp
!
slb service-group SG-DNS-TCP tcp
  member RS10 53
  member RS11 53
!
slb service-group SG-DNS-UDP udp
  member RS10 53
  member RS11 53
!
slb template dns dns-enable-template
  default-policy cache
  malformed-query drop
  query-type-filter deny
    query-type ANY
  rpz 1 a10rpz
    logging enable
  recursive-dns-resolution
    hostnames internal-domains
    ipv4-nat-pool IPv4-DNS
    default-recursive
!
slb virtual-server DNS-VIP 100.64.1.250
  port 53 dns-udp
    source-nat auto
    service-group SG-DNS-UDP
    template dns dns-enable-template
!
logging facility local3
!
logging syslog information
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
vThunder#
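A way to audit the RPZ file from the article above before importing it, as an added example that is not part of the original post or A10's own tooling: it parses the policy records shown in the `sh rpz a10rpz` output, maps each CNAME target to its action using the standard RPZ encoding, and decodes the IPv4 `rpz-ip` trigger. The function names and the `LOCAL-DATA:` label for any other CNAME target are assumptions of this example.

```python
import ipaddress

# Constructed sample: the policy records copied from the `sh rpz a10rpz` output.
RPZ_RECORDS = """\
; PASSTHRU action
www.a10networks.com IN CNAME rpz-passthru.
; NXDOMAIN action
www.netflix.com IN CNAME .
; NODATA action
www.facebook.com IN CNAME *.
32.36.65.13.31.rpz-ip IN CNAME *.
"""

# Standard RPZ encoding: the CNAME target selects the policy action.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

def decode_trigger(owner):
    """Return (trigger_type, value) for an RPZ owner name (IPv4 rpz-ip only)."""
    if owner.endswith(".rpz-ip"):
        # Response-IP trigger: prefix length first, then the octets reversed.
        labels = owner[: -len(".rpz-ip")].split(".")
        prefix, octets = labels[0], labels[1:][::-1]
        net = ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)
        return "response-ip", str(net)
    return "qname", owner.rstrip(".").lower()

def parse_rpz(text):
    """Parse 'owner IN CNAME target' policy records into rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if len(fields) != 4 or fields[1:3] != ["IN", "CNAME"]:
            continue  # SOA, NS, address and blank lines carry no policy
        kind, value = decode_trigger(fields[0])
        # Assumption: any other target is reported as a local-data rewrite.
        action = ACTIONS.get(fields[3], "LOCAL-DATA:" + fields[3])
        rules.append({"trigger": kind, "match": value, "action": action})
    return rules

def action_for(rules, qname):
    """Policy action for a query name, or None if no QNAME rule matches."""
    name = qname.rstrip(".").lower()
    for rule in rules:
        if rule["trigger"] == "qname" and rule["match"] == name:
            return rule["action"]
    return None

if __name__ == "__main__":
    for rule in parse_rpz(RPZ_RECORDS):
        print(rule)
```
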
Re: REST APIs tester
Try the links below on your A10 device:
API calls, documentation and tests
There is also a lightweight version of axAPI test/verification:
Re: Redirect 302 with aFlex
You can also just use HTTP Policy instead, no need for an aflex in this case.
Re: Redirect 302 with aFlex
Please try below:
when HTTP_REQUEST {
    if { [HTTP::host] equals "recargaweb.imperial.com" } {
        HTTP::redirect "https://[HTTP::host]/publico"
    }
}
I have tested this script and the results are as below