Best Of
Re: ADC virtual-server BGP RHI
Also
show ip route database works on newer versions of ACOS
4.1.0-P9 is very old and no longer supported. End of support was 12/21
Re: ADC virtual-server BGP RHI
Hello
You can use "show ip bgp" as you have above or "sh ip bgp neighbors x.x.x.x advertised-routes"
VIPs will not show up under "show ip route"
Re: A10 WAF vs A10 Next-Gen WAF
A10 NGWAF is a completely new detection / processing / enforcement engine compared to legacy WAF. The engine still runs locally on the ADC and is applied per vPort. NGWAF runs on either physical or virtual A10 appliances and requires a separate license to activate.
NGWAF brings a wealth of benefits including ease of deployment, simplified configuration, and near-zero false positive rate. Full details on the NGWAF are available on the A10 Networks website here. Be sure to check out the Solution Brief: https://www.a10networks.com/products/a10-next-gen-waf/
Re: ADC virtual-server BGP RHI
To withdraw the route when the VIP is DOWN, we also need to add one of these commands depending on your use-case:
disable-when-all-ports-down
or
disable-when-any-port-down
To view the routes, "show ip route" should show the entire route table, and "show ip route bgp" should show any routes learned from BGP, but you can also try:
show ip bgp
show ip route database
show ip fib
Re: Application Delivery Partitions (ADPs) and Next-Gen WAF
Hello - this is an interesting set of questions. Let's dive in:
- If an interface is "pristine" and has no configuration (vlans, ip address, etc), then a L3V partition may claim the interface by defining "interface ethernet 1" in the configuration. This will prevent access to the interface from other partitions. Alternatively, a physical interface can be shared amongst L3V partitions with unique tagged VLANs.
- Resource templates are optional and are dependent on the needs of the deployment. These can be used to prevent a L3V from exhausting system resources from the global pool. With small deployments, such as 3 web servers, it is unlikely that a resource template is needed. Application, network, and system resources offer these configurations:
Application Resources
Contains configuration parameters for application resources such as the number of health monitors, real servers, service groups, virtual servers, as well as a number of GSLB parameters, such as GSLB devices, GSLB sites, and GSLB zones. GSLB parameters are configurable on a per-partition basis (and thus non-configurable at the system level).
Network Resources
Contains configuration parameters for available network resources such as static ARPs, static IPv4 routes, static IPv6 routes, MAC addresses, and static neighbors.
System Resources
Contains configuration parameters for system resources such as limits for bandwidth, concurrent sessions, Layer 4 Connections Per Second (CPS), Layer 4 Session Limits, Layer 7 CPS, NAT CPS, SSL throughput, SSL CPS, and FW CPS.
- L3V Partition count varies based on the A10 hardware platform and ranges from 32 - 255
https://documentation.a10networks.com/ACOS/604x/ACOS_6.0.4/html/relnotes_Responsive_HTML5/Default.htm#rel_original/Supported_Number_of_Part.htm
Thunder 1060S ADC 127
Thunder 3350-E ADC 64
Thunder 3350 ADC 127
Thunder 3350S ADC 255
Thunder 4440 ADC 127
Thunder 5440 ADC 255
- NGWAF is supported up to (8) L3V partitions. Only a single NGWAF license is required, and that licenses the device and the partitions.
Re: Can we test the ADC features on the A10 CFW?
Thunder CFW contains the entirety of ADC, so basic ADC functionality can be tested. Please keep in mind that there are two flavors of WAF: "old" WAF and NGWAF. "Old" WAF is no longer sold, so if this is a new customer, be sure to use the NGWAF on v6.x
Re: Can't access GUI
So are you getting the GUI login screen and can't log in with your new user, or are you not even getting to the GUI login screen? Is this an A10 Appliance or vThunder? If Appliance, what model?
Re: Configure VIP
Are there firewall rules blocking the traffic to the VIP address? Can you try to telnet or netcat to the VIP virtual port?
You can also try axdebug to perform TCPDUMP on the traffic. Create a filter for the VIP address or client and see what comes across:
axdebug
filter 1
ip 10.10.0.5 /32
exit
filter 2
ip client.ip.address.here /32
exit
capture brief
Re: Can we control the A10 ADC license from Harmony Controller?
Flexpool capacity licenses can be imported into Harmony Controller for management. This allows Harmony to manage and provision Flexpool license capacity on vThunder instances managed by Harmony. In this scenario, Harmony acts as a local ELM instance for the pool.
The "LLM" is a local instance of GLM that facilitates license management without allowing A10 devices access to the internet. This can be either the ELM (enterprise license manager) appliance or Harmony Controller.
Re: Harmony Controller license and FlexPool license are the same?
These are different licenses. FlexPool licenses are applied to Virtual Thunder (vThunder) instances. These licenses control the throughput of those vThunder instances. Harmony Controller Managed Bandwidth Unit (MBU) licenses are applied to Harmony Controller. The MBU license controls how much throughput Harmony Controller can manage.
Here's an example:
Flexpool 10g license - we can split this into 4x 2.5g vThunder instances
Harmony Controller 100g MBU license - we can manage up to 100g of A10 devices. This could be:
Thunder 1060 pair = 50g
Flexpool 10g = 10g
This leaves 40g MBU free