ACOS 4.1.1-P11 System Configuration and Administration Guide

ACOS 4.1.
1-P11
System Configuration and Administration Guide
for A10 Thunder® Series and AX™ Series
29 May 2019
© 2019 A10 NETWORKS, INC. CONFIDENTIAL AND PROPRIETARY- ALL RIGHTS RESERVED
Information in this document is subject to change without notice.
PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual pat-
ent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Net-
works' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:
https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking
TRADEMARKS
A10 Networks trademarks are listed at:
https://www.a10networks.com/company/legal-notices/a10-trademarks
CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may
not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Net-
works, Inc.
A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Soft-
ware as confidential information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in
this document or available separately. Customer shall not:
1. Reverse engineer, reverse compile, reverse de-assemble, or otherwise translate the Software by any
means.
2. Sub-license, rent, or lease the Software.
DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not
limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information
contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product
specifications and features described in this publication are based on the latest information available; however, specifications are sub-
ject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current
information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and
conditions.
ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please con-
tact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic com-
ponents in your area.
FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks loca-
tion, which can be found by visiting www.a10networks.com.
Table of Contents
System Overview ........................................................................................................................ 11

ACOS Architecture................................................................................................................11
ACOS Software Processes ....................................................................................................................... 12
Memory Pre-allocation ............................................................................................................................. 13
Hardware Interfaces.............................................................................................................13
Software Interfaces ..............................................................................................................13
User Interfaces ........................................................................................................................................... 13
Data Interfaces and IP Subnet Support ................................................................................................ 14
Server Load Balancing .........................................................................................................14
Intelligent Server Selection ...................................................................................................................... 15
SLB Configuration Templates ................................................................................................................. 15
Outbound Next Hop Load Distributor .................................................................................................... 17
Transparent Cache Switching ................................................................................................................. 17
Firewall Load Balancing ........................................................................................................................... 17
Where Do I Start? ..................................................................................................................18
FIPS Support .............................................................................................................................. 19

FIPS Level 2 ACOS Models ..................................................................................................19
FIPS Compliance for Hardware ...........................................................................................21
SSL Modules ............................................................................................................................................... 21
Tamper-Proof Seals .................................................................................................................................. 21
Changes to ACOS Device Chassis .......................................................................................................... 24
FIPS Compliance for Software.............................................................................................24
Software Upgrade Image ......................................................................................................................... 24
RMAs ............................................................................................................................................................ 25
Lost Passwords ......................................................................................................................................... 25
FIPS Compliance Usage Guidelines ....................................................................................25
Transferring Files To or From ACOS ...................................................................................................... 26
SNMPv3 Configuration ............................................................................................................................. 26
Data Plane Certificate Generation .......................................................................................................... 26
RSA Key and Certificate Import .............................................................................................................. 26
ECDSA Key and Certificate Import ......................................................................................................... 27
DNSSec Configuration .............................................................................................................................. 27
SSL/TLS Support for FIPS Compliance...............................................................................28
CLI Support for FIPS Compliance ........................................................................................28
Web Access Support for FIPS Compliance.........................................................................29
Web Server Support for FIPS Compliance ..........................................................................29
page 3
ACOS 4.1.1-P11 Configuring Overlay Networks
Contents
Jumbo Frames ........................................................................................................................... 31

Overview of Jumbo Frames on ACOS Devices ...................................................................31
Configure Jumbo Frame Support ........................................................................................32
Configure Jumbo Frame Support Using the GUI ................................................................................ 32
Configure Jumbo Frame Support Using the CLI ................................................................................. 33
Globally Enable Jumbo Frame Support on your ACOS Device .................................................. 33
Change the MTU on an Interface ..................................................................................................... 34
Create a TCP-proxy Template .......................................................................................................... 34
Apply the TCP-proxy Template to VIP ............................................................................................ 34
Disable Jumbo Frame Support ........................................................................................................ 34
View MTU Interface Settings ............................................................................................................ 35
COMMON SETUP TASKS ..........................................................................................................37
Logging On ................................................................................................................................. 39
User Interfaces .....................................................................................................................39
Logging On to the CLI...........................................................................................................40
Logging On to the GUI ..........................................................................................................41
Console Restart ....................................................................................................................43
Configuring ADC and CGN on the Same Device .................................................................44
Configuring Basic System Parameters ....................................................................................... 45

Set the System Time and Date ............................................................................................45
Set the Clock ............................................................................................................................................... 46
Use the GUI to Set the Clock ............................................................................................................ 46
Use the CLI to Set the Clock ............................................................................................................. 46
Set the NTP Interface ................................................................................................................................ 47
Set the NTP Server .................................................................................................................................... 48
Use the GUI to Set the NTP Server .................................................................................................. 48
Use the CLI to Set the NTP Server ................................................................................................... 48
Set the NTP Server Authentication ........................................................................................................ 49
Use the GUI to Set NTP Server Authentication ............................................................................. 49
Use the CLI to Set NTP Server Authentication .............................................................................. 50
Set the Hostname and DNS Parameters.............................................................................50
Use the GUI to Set the Hostname and DNS Parameters ................................................................... 51
Use the CLI to Set the Hostname and DNS Parameters ................................................................... 51
Set the CLI Banners ..............................................................................................................52
Use the GUI to Set the CLI Banners ....................................................................................................... 52
Use the CLI to Set the CLI Banners ........................................................................................................ 53
Replace the Web Certificate.................................................................................................53
Use the CLI to Replace the Web Certificate ......................................................................................... 53
Configure Increased I/O Buffer Support..............................................................................53
Configure the Management Interface .................................................................................55
Use the GUI to Configure the Management Interface ........................................................................ 56
page 4
Contents
Use the CLI to Configure the Management Interface ......................................................................... 56
Deployment Examples ................................................................................................................ 59

Deployment Modes ..............................................................................................................59
Transparent Mode Deployment ...........................................................................................59
Configuration Example ............................................................................................................................. 61
Routed Mode Deployment ...................................................................................................62
Configuration Example ............................................................................................................................. 62
vThunder .................................................................................................................................... 65
vThunder for Multiple Hypervisors ......................................................................................65
vThunder Installation ...........................................................................................................67
System Requirements .............................................................................................................................. 67
Management of vThunder ....................................................................................................................... 67
vThunder Feature Support ...................................................................................................67
Standardized Parameter Limits for vThunder Models ....................................................................... 67
Application Delivery Partition Support ................................................................................68
Single-Interface Mode for vThunder (VMware only)...........................................................68
CONFIGURATION MANAGEMENT ..............................................................................................69
Backing Up System Information ................................................................................................. 71

Overview of System Backup ................................................................................................71
Use the GUI to Perform a Backup .......................................................................................................... 72
Use the CLI to Perform a Backup ........................................................................................................... 73
Restoring from a Backup ......................................................................................................................... 73
System Memory .................................................................................................................................. 73
FTA versus Non-FTA .......................................................................................................................... 73
L3V Partitions ...................................................................................................................................... 74
Port Splitting ........................................................................................................................................ 74
Port Mapping ....................................................................................................................................... 74
Restore Example ................................................................................................................................. 74
Saving Multiple Configuration Files Locally .......................................................................77
Understanding Configuration Profiles ................................................................................................... 77
Using the CLI to Save Configurations .................................................................................................... 78
Using the CLI to View Configurations .................................................................................................... 79
Using the CLI to Copy Configurations ................................................................................................... 79
Using the CLI to Compare Configurations ............................................................................................ 79
Using the CLI to Link Configuration Profiles ........................................................................................ 80
Using the CLI to Delete a Profile ............................................................................................................. 81
CLI Example of Configuration Profile Management ........................................................................... 81
Source Interface for Management Traffic .................................................................................. 83

Using the Management Interface as the Source for Management Traffic .......................83
Understanding Route Tables ................................................................................................................... 83
page 5
Contents
Keeping the Management and Data Interfaces in Separate Networks .......................................... 84

Management Routing Options ................................................................................................................ 84
Configuring the Management Interface as Source for Automated Management Traffic .......... 85
Configuring the Management Interface as Source Interface for Manually Generated Manage-
ment Traffic ................................................................................................................................................ 85
Using a Loopback or Virtual Ethernet Interface as the Source for Management Traffic .86
Loopback Interface Management Traffic Types ................................................................................. 86
Loopback Interface Implementation Notes .......................................................................................... 87
Loopback Interface Limitations .............................................................................................................. 87
Configuring a Loopback Interface for Management Traffic ............................................................. 87
Configuring a Virtual Ethernet Interface for Management Traffic ................................................... 88
Dynamic and Block Configuration .............................................................................................. 89

Overview of Dynamic and Block Configuration ..................................................................89
Block Configuration Modes for CMDB ................................................................................90
Block-Merge Mode ..................................................................................................................................... 90
Block-Replace Mode .................................................................................................................................. 91
Expected Behaviors in Block Mode ........................................................................................................ 92
Block Configuration Modes for aFleX .................................................................................93
Boot Options .............................................................................................................................. 95

Storage Areas .......................................................................................................................95
Displaying Current Storage Information ............................................................................................... 96
Use the GUI to View Storage Information ...................................................................................... 96
Use the CLI to View Storage Information ....................................................................................... 97
Displaying the Storage Location for Future Reboots ......................................................................... 98
Booting from a Different Storage Area................................................................................99
Temporarily Changing the Boot Image for the Next Reboot ............................................................ 99
Permanently Changing the Storage Location for Future Reboots ................................................101
Use the GUI to Change the Location for Future Reboots .........................................................101
Use the CLI to Change the Location for Future Reboots ..........................................................101
Power On Auto Provisioning ..................................................................................................... 103

Power On Auto Provisioning Overview............................................................................. 103
Power On Auto Provisioning Process .............................................................................. 103
Configure Power On Auto Provisioning Process ............................................................. 104
Fail-Safe Automatic Recovery .................................................................................................. 107

Error Types Monitored by Automatic Recovery............................................................... 107
Hardware Errors .......................................................................................................................................107
Software Errors ........................................................................................................................................108
Recovery Timeout ....................................................................................................................................108
Total Memory Decrease .........................................................................................................................109
Configuring Fail-Safe Automatic Recovery...................................................................... 109
page 6
Contents
Installing the Systems Center Virtual Machine Manager Gateway Plugin ................................ 113
Prerequisites...................................................................................................................... 113
Installing the Gateway Plugin ........................................................................................... 114
Configuring the A10 Networks Overlay Gateway Interface in the VMM......................... 114
Verifying Configuration Prerequisites ..................................................................................................115
Configuring the A10 Networks Gateway .............................................................................................115
Verifying the Configuration ....................................................................................................................119
MONITORING TOOLS ............................................................................................................121
System Log Messages ............................................................................................................. 123

Destinations for Syslog Messages................................................................................... 123
Syslog Message Severity Levels ...................................................................................... 124
Configurable Syslog Parameters...................................................................................... 124
Configure Single-Priority Logging..................................................................................... 126
Configure Log Rate Limiting ............................................................................................. 127
Configuring Log Rate Limiting Using the GUI ....................................................................................127
Configuring Log Rate Limiting Using the CLI .....................................................................................127
Emailing Log Messages ........................................................................................................... 131

Overview of Email Logging................................................................................................ 131
Boolean Operators............................................................................................................. 131
Configuring Email Log Settings ........................................................................................ 132
Use the GUI to Configure Email Logging Settings ............................................................................132
Use the CLI to Configure Email Logging Settings .............................................................................133
Simple Network Management Protocol (SNMP) ....................................................................... 135

SNMP MIB Information ..................................................................................................... 135
Downloading the MIBs ............................................................................................................................135
AX MIB Groups .........................................................................................................................................136
AX MIB Files ..............................................................................................................................................136
MIB Access ...............................................................................................................................................137
SNMP RFCs supported ...........................................................................................................................137
Note Regarding ifIndex Table Support ................................................................................................140
SNMP Support on the ACOS Device................................................................................. 140
Partition-aware SNMP Configuration ............................................................................... 140
SNMP Views and Community Strings .............................................................................. 141
SNMP Views .............................................................................................................................................141
Use the GUI to Configure SNMP Views ........................................................................................142
Use the CLI to Configure SNMP Views .........................................................................................142
SNMP Community Strings .....................................................................................................................142
Use the GUI to Configure an SNMP Community String ............................................................142
Use the CLI to Configure an SNMP Community String .............................................................143
Configure SNMP Groups ................................................................................................... 144
page 7
Contents
Use the GUI to Configure SNMP Groups ............................................................................................144

Use the CLI to Configure SNMP Groups .............................................................................................145
Configure AES or DES Encryption for SNMPv3 Users..................................................... 145
Use the GUI to Configure Encryption for SNMPv3 Users ................................................................145
Use the CLI to Configure Encryption for SNMPv3 Users .................................................................146
Configure SNMP Traps...................................................................................................... 147
Enable SNMP Traps ................................................................................................................................147
Use the GUI to Enable SNMP Traps .....................................................................................................147
Use the CLI to Enable SNMP Traps .....................................................................................................148
Disable SNMP Traps for L3V Partitions ..............................................................................................149
Configure SNMP ................................................................................................................ 150
Use the GUI to Configure SNMP ...........................................................................................................150
Use the CLI to Configure SNMP ............................................................................................................ 151
Configure the Source Interface for SNMP Notifications................................................. 152
Use the GUI to Configure the SNMP Source Interface .....................................................................152
Use the CLI to Configure the SNMP Source Interface .....................................................................152
Link Monitoring ........................................................................................................................ 155

Overview of Link Monitoring ............................................................................................. 155
Link Monitoring Actions .................................................................................................... 156
Link Monitor Template Sequence Numbers .................................................................... 156
Link Monitor Template Logical Operators........................................................................ 157
Configure Link Monitor...................................................................................................... 157
Gateway Health Monitoring ...................................................................................................... 159

Gateway Health Monitoring Overview .............................................................................. 159
Gateway Health Monitoring Configurable Parameters ................................................... 160
Configure Gateway Health Monitoring............................................................................. 161
Use the GUI to Configure Gateway Health Monitoring ....................................................................161
Use the CLI to Configure Gateway Health Monitoring .....................................................................161
Multiple Port-Monitoring Mirror Ports ...................................................................................... 163

Overview of Port Mirroring ................................................................................................ 163
Configure Mirror Ports....................................................................................................... 163
Port Monitoring and Mirroring for aVCS Devices ............................................................ 165
Removing Mirror Port Configuration ................................................................................ 166
NetFlow v9 and v10(IPFIX) ....................................................................................................... 167

NetFlow Overview.............................................................................................................. 167
NetFlow Versions Supported ............................................................................................ 168
NetFlow Parameters.......................................................................................................... 168
Formatting of NetFlow Records for Long-Lived Sessions .............................................. 170
Predefined NetFlow Templates ........................................................................................ 171
page 8
Contents
SLB NetFlow Templates .........................................................................................................................171

CGN NetFlow Templates ........................................................................................................................172
Templates for A10 Flow Records with NAT Addresses ............................................................172
Templates for NAT Session Event Records ................................................................................174
Templates for NAT Port Mapping Event Records ......................................................................175
Templates for NAT Port Batching Event Records ......................................................................176
Templates for NAT Port Batching v2 Event Records ................................................................ 177
Configuring NetFlow.......................................................................................................... 178
Use the GUI to Configure NetFlow ....................................................................................................... 179
Use the CLI to Configure NetFlow ........................................................................................................180
CLI Example: Single Collector .........................................................................................................180
CLI Example: Multiple Collectors (SLB) ........................................................................................180
CLI Example: Multiple Collectors (CGN) .......................................................................................181
sFlow ....................................................................................................................................... 183

sFlow Overview.................................................................................................................. 183
sFlow Sampling Types ...................................................................................................... 183
Counter Polling Interval ..........................................................................................................................184
Packet Sampling Rate ............................................................................................................................184
Information Included in sFlow Datagrams....................................................................... 184
sFlow Configuration .......................................................................................................... 185
Use the GUI to Configure sFlow ............................................................................................................ 185
Use the CLI to Configure sFlow ............................................................................................................ 186
NETWORK ADDRESS TRANSLATION (NAT) ..............................................................................189
Configuring Dynamic NAT ........................................................................................................ 191

Configuration Elements for Dynamic NAT ....................................................................... 191
Configuring Dynamic IP Source NAT................................................................................ 192
Use the GUI to Configure Dynamic IP Source NAT ...........................................................................192
Use the CLI to Configure Dynamic IP Source NAT ...........................................................................194
Configuring Static NAT ............................................................................................................ 197

Configuration Elements for Static NAT............................................................................ 197
Configuring Static IP Source NAT .................................................................................... 197
Use the GUI to Configure Static IP Source NAT ................................................................................198
Use the CLI to Configure Static IP Source NAT .................................................................................199
Support for Inter-Partition Static NAT and Overlapping IP Addresses........................... 199
NAT ALG Support for PPTP ...................................................................................................... 201

Overview of NAT ALG Support for PPTP .......................................................................... 201
Configure NAT ALG Support for PPTP ............................................................................. 202
page 9
Contents
page 10
System Overview
This chapter provides a brief overview of the A10 Thunder Series and AX Series systems and features.
The following topics are covered:
• ACOS Architecture
• Hardware Interfaces
• Software Interfaces
• Server Load Balancing
• Where Do I Start?
ACOS Architecture
A10 Thunder® Series and AX™ Series devices use embedded Advanced Core Operating System (ACOS)
architecture. ACOS is built on top of a set of Symmetric Multi-Processing CPUs and uses shared mem-
ory architecture to maximize application data delivery.
ACOS is designed to handle high-volume application data with integrated Layer 2 / Layer 3 processing
and integrated SSL acceleration built into the system. In addition, ACOS incorporates the A10 Networks
customizable aFleX scripting language, which provides administrators with configuration flexibility for
application data redirection.
ACOS inspects packets at Layers 2, 3, 4, and 7 and uses hardware-assisted forwarding. Packets are
processed and forwarded based on ACOS configuration.
You can deploy the ACOS device into your network in transparent mode or gateway (route) mode.
• Transparent mode – The ACOS device has a single IP interface. For multinetted environments,
you can configure multiple Virtual LANs (VLANs).
• Route mode – Each ACOS interface is in a separate IP subnet.
page 11
ACOS Architecture
ACOS Software Processes

The ACOS software performs its many tasks using the following processes:
• a10mon – Parent process of the ACOS device. This process is executed when the system comes
up. The a10mon process does the following:
• Brings user-space processes up and down.
• Monitors all its child processes and restarts a process and all dependent processes if any of
them die.
• syslogd – System logger daemon that logs kernel and system events.
• a10logd – Fetches all the logs from the ACOS Log database.
• a10timer – Schedules and executes scheduled tasks.
• a10stat – Monitors the status of all the main processes of the ACOS device, such as a10switch
(on models AX 2200 and higher) and a10lb.
The a10stat process probes every thread within these processes to ensure that they are respon-
sive. If a thread is deemed unhealthy, a10stat kills the process, after which a10mon restarts the
process and other processes associated with it.
• a10switch – Contains libraries and APIs to program the Switching ASIC to perform Layer 2 and
Layer 3 switching at wire speed.
• a10hm – Performs health-checking for real servers and services. This process sends pre-config-
ured requests to external servers at pre-defined intervals. If a server or individual service does not
respond, it is marked down. Once the server or service starts responding again, it is marked up.
• a10rt – Routing daemon, which maintains the routing table with routes injected from OSPF, as
well as static routes.
• a10rip – Implements RIPv1 and v2 routing protocols.
• a10ospf – Implements the OSPFv2 routing protocol.
• a10snmpd – SNMPv2c and v3 agent, which services MIB requests.
• a10wa – Embedded Web Server residing on the ACOS device. This process serves the Web-
based management Graphical User Interface (GUI).
• a10gmpd – Global SLB (GSLB) daemon.
• a10snpm_trapd – Handles SNMP traps initiated by a10lb.
• a10lb – The heart of the ACOS device. This process contains all the intelligence to perform
Server Load Balancing.
• rimacli – This process is automatically invoked when an admin logs into the ACOS device
through an interface address. The admin is presented a Command Line Interface (CLI) that can
issue and save commands to configure the system.
page 12
Hardware Interfaces
Memory Pre-allocation
As part of normal operation, ACOS pre-allocates memory. For this reason, memory utilization can be
high even when the device first boots up. The system allocates more memory if needed for burst condi-
tions. In this case, the additional memory is freed only slowly, in case further burst conditions occur.
Hardware Interfaces
See the Installation Guide for your A10 Thunder Series or AX Series model.
Software Interfaces
This section contains the following topics:
• User Interfaces
• Data Interfaces and IP Subnet Support
User Interfaces
The ACOS device can be configured by using the following user interfaces:
• Graphical User Interface (GUI).
For help using the GUI, refer to the online help available directly from the GUI.
• Command Line Interface (CLI) accessible using console, Telnet, or Secure Shell (v1 and v2).
For additional information, refer to the Command Line Interface Reference guide, or the CLI refer-
ence chapters in some of the configuration guides.
• Simple Network Management Protocol (SNMP) v1, v2c, and v3
For additional information, refer to “Simple Network Management Protocol (SNMP)” on page 135.
• XML Application Programming Interface (aXAPI)
For more information, refer to the aXAPI Reference, available as part of the documentation library.
page 13
Server Load Balancing
Data Interfaces and IP Subnet Support

The ACOS device has a management interface and data interfaces. The management interface is a
physical Ethernet port. A data interface is a physical Ethernet port, a trunk group, or a Virtual Ethernet
(VE) interface.
The management interface can have a single IPv4 address and a single IPv6 address.
An ACOS device deployed in transparent mode (Layer 2) can have a single IP address for all data inter-
faces. The IP address of the data interfaces must be in a different subnet than the management inter-
face’s address.
An ACOS device deployed in route mode (Layer 3) can have separate IP addresses on each data inter-
face. No two interfaces can have IP addresses that are in the same subnet. This applies to the manage-
ment interface and all data interfaces.

Server Load Balancing (SLB) is a suite of resource management features that make server farms more
reliable and efficient.
You can easily grow server farms in response to changing traffic flow, while protecting the servers
behind a common virtual IP address. From the perspective of a client who accesses services, requests
go to and arrive from a single IP address. The client is unaware that the server is in fact multiple servers
managed by an ACOS device. The client simply receives faster, more reliable service.
Moreover, you do not need to wait for DNS entries to propagate for new servers. To add a new server,
you simply add it to the configuration for the virtual server, and the new real server becomes accessible
immediately.
page 14
FIGURE 1 SLB Example
Intelligent Server Selection

The services managed by the ACOS device are controlled by service groups. A service group is a set of
real servers. The ACOS device selects a real server for a client’s request based on a set of tunable crite-
ria including server health, server response time, and server load. These criteria can be tuned for indi-
vidual servers and even individual service ports.
The ACOS device provides a robust set of configurable health monitors for checking the health (avail-
ability) of servers and individual services.
SLB Configuration Templates

SLB configuration is simplified by the use of templates. Templates simplify configuration by enabling
you to configure common settings once and use them in multiple service configurations. The ACOS
device provides templates to control server and port configuration parameters, connectivity parame-
ters, and application parameters.
Server and Port Configuration Templates
The ACOS device provides the following types of server and port configuration templates:
page 15
• Server – Controls parameters for real servers
• Port – Controls parameters for service ports on real servers
• Virtual server – Controls parameters for virtual servers
• Virtual port – Controls parameters for service ports on virtual servers
Connectivity Templates
The ACOS device provides the following types of connectivity templates:
• TCP-Proxy – Controls TCP/IP stack parameters
• TCP – Controls TCP connection settings such as the idle timeout for unused sessions, and spec-
ifies whether the ACOS device sends TCP Resets to clients or servers after a session times out
• UDP – Controls UDP connection settings such as the idle timeout for unused sessions, and spec-
ifies how quickly sessions are terminated after a server response is received
Application Templates
The following types of application templates are provided:
• DBLB – MS-SQL and MySQL database load balancing.
• Diameter – Provides proxy service and load balancing for Diameter AAA
• DNS – Provides DNS security and optimization.
• HTTP – Provides a robust set of options for HTTP header manipulation and for load balancing
based on HTTP header content or the URL requested by the client, and other options
• FTP – Provides load balancing for FTP traffic.
• Policy – Uses Policy-based SLB (PBSLB) to permit or deny clients, or direct them to service
groups, based on client black/white lists
• External-service – Adds capabilities needed for intelligently steering traffic based on application
(example: Internet Content Adaptation Protocol [ICAP]).
• Cache – Caches web content on the ACOS device to enhance website performance for clients
• Client SSL – Offloads SSL validation tasks from real servers
• Server SSL – Validates real servers on behalf of clients
• Cipher – Contains a set of SSL ciphers that can be applied to a client-SSL or server-SSL template.
• Connection reuse – Reduces overhead from TCP connection setup by establishing and reusing
TCP connections with real servers for multiple client requests
• Cookie persistence – Inserts a cookie into server replies to clients, to direct clients to the same
service group, real server, or real service port for subsequent requests for the service
page 16
• Source-IP persistence – Directs a given client, identified by its IP address, to the same service
port, server, or service group
• Destination-IP persistence – Configures persistence to real servers based on destination IP
address
• FIX – Configures Financial Information eXchange load balancing.
• Logging – Configures logging to external servers over TCP.
• SSL session-ID persistence – Directs all client requests for a given virtual port, and that have a
given SSL session ID, to the same real server and real port
• SIP – Customizes settings for load balancing of Session Initiation Protocol (SIP) traffic
• SMPP – Configures load balancing for Short Message Peer to Peer (SMPP).
• SMTP – Configures STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients
• Streaming-media – Directs client requests based on the requested content
Where applicable, the ACOS device automatically applies a default template with commonly used set-
tings. For example, when you configure SLB for FTP, the ACOS device automatically applies the default
TCP template. If required by your application, you can configure a different template and apply that one
instead. The configuration examples in this guide show how to do this.
Outbound Next Hop Load Distributor

Outbound Next Hop Load Distributor (NHLD) balances client-server traffic across a set of WAN links.
With outbound NHLD, the clients are located on the internal side of the network. The servers are
located on the external side of the network.
Transparent Cache Switching

Transparent Cache Switching (TCS) enables you to improve server response times by redirecting client
requests for content to cache servers containing the content.
Firewall Load Balancing

Firewall Load Balancing (FWLB) maximizes throughput through firewall bottlenecks by load balancing
server-client sessions across the firewalls.
page 17
Where Do I Start?
Where Do I Start?
• To configure basic system settings, see “Common Setup Tasks” on page 37.
• To configure network settings, see the Network Configuration Guide.
• To configure management access security features, see the Management Access Security guide.
• To configure and secure application delivery and Server Load Balancing features, see the Applica-
tion Delivery and Server Load Balancing Guide.
page 18
FIPS Support
The A10 Thunder Series supports the National Institute of Standards and Technology (NIST) Federal
Information Processing Standards (FIPS) Publication 104-2 for Security Level 2.
FIPS 140-2 Level 2, also referred to simply as FIPS Level 2, improves on Level 1 and extends the physi-
cal security boundary to encompass the entire appliance and not just its internal components.
FIPS 140-2 requirements and specifications are described in the NIST document:
http://csrc.nist.gov/groups/STM/cmvp/standards.html#02
The following sections describe the FIPS Level 2 support in A10 Thunder Series devices beginning with
ACOS Release 4.1.1-P3.
• FIPS Level 2 ACOS Models
• FIPS Compliance for Hardware
• FIPS Compliance for Software
• FIPS Compliance Usage Guidelines
• SSL/TLS Support for FIPS Compliance
• CLI Support for FIPS Compliance
• Web Server Support for FIPS Compliance
FIPS Level 2 ACOS Models

The following ACOS models are compliant with FIPS Level 2 and the contemporary requirements for
FIPS Level 2 validation and certification. They are in-process and undergoing certification testing by
NIST.
• TH-3030S (with 1 SSL Module)
• TH-4440S (with 2 SSL Modules)
page 19
FIPS Level 2 ACOS Models
NOTE: The FIPS models listed above must be ordered and shipped directly from
A10 Networks. Converting or upgrading a standard (non-FIPS) ACOS unit
to a FIPS unit (through the field upgrade process) is not supported.
page 20
FIPS Compliance for Hardware

To enhance device security and achieve FIPS-compliance, the ACOS device hardware has the following
changes beginning in ACOS Release 4.1.1-P3 for FIPS-compliant models.
• SSL Modules
• Tamper-Proof Seals
• Changes to ACOS Device Chassis
SSL Modules
FIPS-compliant ACOS devices do not offer the option to add SSL modules (“cards”) in available expan-
sion slots, as this would require a chassis that could be opened at the customer premises (which would
violate the FIPS requirements).
While standard (non-FIPS) ACOS devices allow installation of SSL modules, the FIPS-compliant ACOS
devices come with a preset number of SSL modules. No options are available to upgrade the device by
adding SSL modules at a later time.
Tamper-Proof Seals
To enhance security, one or more tamper-evident labels* with a serial number and company ID are
affixed to the ACOS device chassis. (See Figure 2)
Tamper-evident seals are delicate and clearly indicate when the packaging has been deliberately
altered or adulterated. Seals are affixed to the ACOS device chassis in several places to make it appar-
ent when someone has opened the box or otherwise disturbed any of the removable components.
Tamper-evident seals are affixed by A10 Networks prior to delivery to the customer.
*. Novavision A1579 labels
page 21
FIGURE 2 A10 FIPS-approved Tamper-proof Labels
As shown in Figure 3 through Figure 6 below, tamper-evident seals are affixed to the ACOS device in
one or more the following locations:
• On the chassis side
• On the fan units
• On the power supply
FIGURE 3 Position of Tamper-proof Labels on TH-3030S
page 22
page 23
FIPS Compliance for Software
Changes to ACOS Device Chassis

To ensure that internal electronic components cannot be seen through ventilation or other openings,
the chassis is designed so that it is impossible to read identification information printed on these inter-
nal components.
FIPS Compliance for Software

To enhance device security and achieve FIPS-compliance, the following system-level changes are in
effect beginning with ACOS Release 4.1.1-P3 for FIPS-compliant models:
• Software Upgrade Image
• RMAs
• Lost Passwords
Software Upgrade Image

FIPS-compliant software upgrade images have a signature using an HMAC. Software upgrades are
allowed only when it is determined that the upgrade image is correct, after having been verified using
the signature.
page 24
FIPS Compliance Usage Guidelines
RMAs
In the event that a customer must return the FIPS-compliant ACOS device to A10 Networks using the
standard Return Merchandise Authorization (RMA) process, the customer first must use the security-
reset system command to destroy all encryption keys.
Per FIPS requirements, the ACOS device cannot be shipped back to the manufacturer with the software
encryption keys intact. This security-reset system command destroys all sensitive information prior
to shipping the device.
CAUTION: Running this command will remove all keys from the system, including
those used for image integrity during bootup. After the command is
entered, the ACOS device will not boot again.
Lost Passwords
Normally, if a customer loses their password, they can use the “Recovering an Administrator Pass-
word” procedure described in the ACOS Management Access and Security Guide. With this procedure
they can perform a password reset by entering the serial number on their ACOS device using the man-
agement or console port.
However, due to FIPS requirements, this password recovery procedure is not allowed and is not sup-
ported for FIPS-compliant models. If the password is lost, customers must follow the RMA process
described above and return the ACOS device to A10 Networks so a factory reset of the system can be
done.

A10 recommends the following guidelines for use of FIPS-Compliant ACOS models:
• Transferring Files To or From ACOS
• SNMPv3 Configuration
• Data Plane Certificate Generation
• RSA Key and Certificate Import
• ECDSA Key and Certificate Import
• DNSSec Configuration
page 25
Transferring Files To or From ACOS

A number of CLI commands and their corresponding GUI operations support the transfer of files to or
from the ACOS device. When performing such operations, only the "scp:", "sftp:", or "https:" methods
should be indicated in the "url" parameter.
The "tftp:", "ftp:", and "http" alternative methods for this parameter do not support secure file transfer
mechanisms and should not be used.
SNMPv3 Configuration
When configuring SNMPv3 in ACOS, only the “sha1” and “aes” algorithms should be indicated for
authentication and privacy (encryption) options; respectively. This applies to the following CLI com-
mands and their corresponding GUI operations.
• snmp-server SNMPv3
Data Plane Certificate Generation

The generation of certificates for use by the ACOS data plane, via pki create CLI command or corre-
sponding GUI operation, should be avoided. Alternatively, use the import cert CLI command or corre-
sponding GUI operation to IMPORT such certificates otherwise generated outside the A10 platform.
RSA Key and Certificate Import

When importing RSA key or certificate files, ensure that they are validly formed and comply with the fol-
lowing constraints before uploading such files to the A10 platform. Specifically, ensure that:
• Key size is 2048-bits or greater, for private keys
• Key size is 1024-bits or greater, for public keys
• Signature format is SHA-2 compatible
This applies to the following CLI commands and their corresponding GUI operations:
• import key
• import cert
• web-service secure private-key load
• web-service secure certificate load
• import glm-cert
• sshd key load
page 26
• ssh-pubkey import
• import dnssec-dnskey
ECDSA Key and Certificate Import

When importing ECDSA key or certificate files, ensure that they are validly formed and comply with the
following constraints before uploading such files to the A10 platform. Specifically, ensure that:
• EC Parameter group is either prime256v1 or secp384r1
• Signature format is SHA-2 compatible.
This applies to the following CLI commands and their corresponding GUI operations:
• import key
• import cert
• web-service secure private-key load
• web-service secure certificate load
DNSSec Configuration
When configuring DNSSEC using the dnssec template CLI command or corresponding GUI operation,
ensure the following for the template:
• no algorithm is specified (will default to RSASHA256)
• algorithm parameter is set to RSASHA256 or RSASHA512
page 27
SSL/TLS Support for FIPS Compliance
SSL/TLS Support for FIPS Compliance

To enhance device security and achieve FIPS-compliance, the following SSL/TLS data plane changes
are in effect beginning with ACOS Release 4.1.1-P3 for FIPS-compliant models.
• Transport Layer Security (TLS), which is FIPS-compliant, is allowed, but SSLv2 and SSLv3, which
are not FIPS-compliant, are not supported. TLS versions 1.0, 1.1, and 1.2 are allowed by default.
• Ciphers that are not FIPS-compliant are disabled.
NOTE: MD5, RC4, DES, and EXPORT ciphers are not FIPS-compliant and are
therefore not supported.
• Inside the SSL/TLS implementation, random number generation is implemented based on DRBG
with counter mode.
• Certificates must have at least 2048 bits.
• Only certificates with SHA-2 authentication are allowed.
• If Diffie-Hellman key exchange method is used in TLS, then groups supporting key size less than
2048 are disabled.
• When a random number is generated, the value is compared with the last number that was gen-
erated to ensure it is not the same.
• In client/server-SSL situations, the certificate that the ACOS device receives must meet the
requirement of having at least 2048 bits and SHA-2 authentication.
• To meet FIPS-compliance, the ACOS device supports, per configuration, encryption of keys with a
length equal to or greater than 2048-bits.
• In FIPS mode, exporting of keys can be by secure protocols.
CLI Support for FIPS Compliance

To achieve FIPS-compliance, the following changes to the CLI are in effect beginning with ACOS
Release 4.1.1-P3 for FIPS-compliant models.
• The following new CLI commands are added in 4.1.1-P3 for enabling or disabling FIPS. For more
information, see the Command Line Interface Reference.
• system fips enable
• system fips disable
• Telnet services are no longer available under the enable-management service command.
page 28
Web Access Support for FIPS Compliance
• SSH 2.0 is FIPS-compliant (and therefore allowed). The RSA key exchange key sizes must be at
least 2048 bits.
• User passwords must be greater than or equal to 8 characters. FIPS-compliance requires that
passwords must be at least 8 characters long. The default ACOS device password has been
changed from “a10” to “a10$pass” for FIPS-compliant ACOS devices.
Web Access Support for FIPS Compliance

To achieve FIPS-compliance, the following changes to the management GUI are in effect beginning
with ACOS 4.1.1-P3 for FIPS-compliant models.
• Local user passwords must be greater than or equal to 8 characters. FIPS-compliance requires
that passwords must be at least 8 characters long. The default password has been changed
from “a10” to “a10$pass” for FIPS-compliant ACOS devices.
Web Server Support for FIPS Compliance

The ACOS web server is FIPS-compliant. As part of this compliance, the following Cryptographic Algo-
rithms are supported for FIPS-compliant models:
• AES for encryption/decryption
• SHA-1 and SHA-2 for hashing and for authentication of hashed messages
• ECDSA and RSA for authentication
• ECDHE and RSA for key exchange
• NIST SP-800-90A for DRBG (Deterministic Random Bit Generator)
• Transport Layer Security (TLS) 1.2 is the only FIPS-compliant cryptographic protocol supported.
SSL v2.0 and v3.0 are not FIPS-compliant and will not be supported. TLS 1.0 and 1.1 protocols
are also not supported.
page 29
Web Server Support for FIPS Compliance
page 30
Jumbo Frames
This chapter contains the following topics:
• Overview of Jumbo Frames on ACOS Devices
• Configure Jumbo Frame Support
Overview of Jumbo Frames on ACOS Devices

A jumbo frame is an Ethernet frame that is more than 1522 bytes long. Support for jumbo frames is
offered on Layer 4 VIPs.
By default, the maximum transmission unit (MTU) on all physical Ethernet interfaces is 1500 bytes. The
default Ethernet frame size is 1522 bytes, which includes 1500 bytes for the payload, 14 bytes for the
Ethernet header, 4 bytes for the CRC, and 4 bytes for a VLAN tag. Jumbo support is disabled by default.
Additional Notes:
• Jumbo frame support is not available on all platforms. See the Release Notes for a list of supported
platforms.
• Jumbo frame support is disabled by default. You can enable jumbo frame support on a global
basis for the device.
• The maximum transmission unit (MTU) is not automatically changed on any of the interfaces
and must be explicitly configured on those interfaces that will be used for jumbo frames; this can
be done using either the GUI or the CLI. On non-FTA models, you can increase the MTU on indi-
vidual Ethernet interfaces up to 9216 bytes.
• Jumbo frames (L4) are supported on most 64-bit models and are not supported on 32-bit mod-
els.
• If your configuration uses VEs, you must enable jumbo on the individual Ethernet ports first, then
enable it on the VEs that use the ports. If the VE uses more than port, the MTU on the VE should
be the same or smaller than the MTU on each port.
• It is not recommended to enable jumbo frame support on 10/100 Mbps ports.
• Setting the MTU on an interface indirectly sets the frame size of incoming packets to the same
value. (This is the maximum receive unit [MRU]).
page 31
Configure Jumbo Frame Support

This section describes how to configure jumbo frame support on your ACOS device:
• Configure Jumbo Frame Support Using the GUI
• Configure Jumbo Frame Support Using the CLI
Configure Jumbo Frame Support Using the GUI

Changing the MTU on an Interface
To change the MTU on an interface:
1. Hover over Network in the navigation bar, and select Interfaces.

2. Check the menu bar to confirm you’re on the LAN page.
3. Click Edit in the Actions column for the interface number. The configuration page for the interface
appears.
4. In the General Fields section, edit the value in the MTU field.
5. Click Update.
Disabling Jumbo Support
To disable jumbo frame support:

2. Check the menu bar to confirm you’re on the LAN page.
3. Click Edit in the Action column for the interface number. The configuration page for the interface
appears.
4. Edit the value in the MTU field to be 1500 (or less).
5. Click Update.
6. Repeat for each interface on which the MTU is greater than 1500 bytes.
7. On non-FTA platforms, you must also save your configuration and reboot the device:
a. Hover over System in the navigation bar, and select Settings.
b. Click Actions on the menu bar.
c. In the Action field, select Reboot from the drop-down list.
d. In the Save configuration field, select Yes from the drop-down list.
page 32
e. Click OK.
CAUTION: On non-FTA models, you must save the configuration and reboot after
changing the MTU settings to disable jumbo frame support. If you reload
or reboot without first saving the configuration, the feature cannot be re-
enabled until you first repeat the procedure above to disable it. Then, you
can re-enable the feature.
Configure Jumbo Frame Support Using the CLI

This section contains the following:
• Globally Enable Jumbo Frame Support on your ACOS Device
• Change the MTU on an Interface
• Create a TCP-proxy Template
• Apply the TCP-proxy Template to VIP
• Disable Jumbo Frame Support
• View MTU Interface Settings
Globally Enable Jumbo Frame Support on your ACOS Device

This section describes how to globally enable jumbo frame support. This can only be done via the CLI
and not through the GUI.
Enable Jumbo Frame Support (FTA Models)
To enable jumbo frame support on FTA models, use the following command:
ACOS(config)# system-jumbo-global enable-jumbo
Enable Jumbo Support (Non-FTA Models)
To enable jumbo frame support on a non-FTA model, enter the following series of commands:
ACOS(config)# system-jumbo-global enable-jumbo

ACOS(config)# write memory
Building configuration...
Write configuration to primary default startup-config
[OK]
ACOS(config)# reboot
page 33
Change the MTU on an Interface

To change the MTU on an interface, use the mtu command at the configuration level for the interface.
For example:
ACOS(config)# interface ethernet 1

ACOS(config-if:ethernet:1)# mtu 1500
Create a TCP-proxy Template

To create a TCP-proxy template, use the following commands:
ACOS(config)# slb template tcp-proxy mss-size

ACOS(config-tcp proxy)# mss 1460
Apply the TCP-proxy Template to VIP

To apply the template to a VIP, use the template command at the configuration level for a virtual port
on a previously configured VIP. For example:
ACOS(config)# slb virtual-server vs1

ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# template tcp-proxy mss-size
Disable Jumbo Frame Support

This section describes how to globally disable jumbo frame support.
Disable Jumbo Frame Support (FTA Models)
To disable jumbo frame support on FTA models, use the following command:
ACOS(config)# no system-jumbo-global enable-jumbo
Disable Jumbo Support (non-FTA Models)
To disable jumbo frame support on a non-FTA model, enter the following series of commands:
ACOS(config)# no system-jumbo-global enable-jumbo

[OK]
ACOS(config)# reboot
page 34
CAUTION: On non-FTA models, you must save the configuration and reboot after
entering the no system-jumbo-global enable-jumbo command. If you
reload or reboot without first saving the configuration, the feature can
not be re-enabled until you first repeat the procedure above to disable it.
Then, you can re-enable the feature.
View MTU Interface Settings

The following commands show detailed information for the interfaces, which includes the MTU set-
tings:
ACOS(config)# show interface ve 10

VirtualEthernet 10 is up, line protocol is up
Hardware is VirtualEthernet, Address is 001f.a004.c0e2
Internet address is 110.10.10.1, Subnet mask is 255.255.255.0
IPv6 address is 2001:10::241 Prefix 64 Type: unicast
IPv6 link-local address is fe80::21f:a0ff:fe04:c0e2 Prefix 64 Type: unicast
Router Interface for L2 Vlan 10
IP MTU is 1500 bytes
28 packets input 2024 bytes
Received 0 broadcasts, Received 24 multicasts, Received 4 unicasts
10 packets output 692 bytes
Transmitted 8 broadcasts, Transmitted 2 multicasts, Transmitted 0 unicasts
300 second input rate: 48 bits/sec, 0 packets/sec
300 second output rate: 16 bits/sec, 0 packets/sec
ACOS(config)# show interface ethernet 15

Ethernet 15 is disabled, line protocol is down
Hardware is GigabitEthernet, Address is 001f.a005.53e0
Configured Speed auto, Actual unknown Configured Duplex auto, Actual unknown
Member of L2 Vlan 300, Port is Tagged
Flow Control is disabled, IP MTU is 6000 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
0 input errors, 0 CRC 0 frame
0 runts 0 giants
Transmitted 0 broadcasts 0 multicasts 0 unicasts
0 output errors 0 collisions
page 35
300 second input rate: 0 bits/sec, 0 packets/sec, 0% utilization

300 second output rate: 0 bits/sec, 0 packets/sec, 0% utilization
ACOS(config)# show interface ethernet 16

Ethernet 16 is disabled, line protocol is down
Hardware is GigabitEthernet, Address is 001f.a005.53e1
Configured Speed auto, Actual unknown Configured Duplex auto, Actual unknown
Member of L2 Vlan 300, Port is Tagged
Port as Mirror disabled, Monitoring this Port disabled
0 runts 0 giants
300 second input rate: 0 bits/sec, 0 packets/sec, 0% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0% utilization
page 36
Part I
Common Setup Tasks
This section describes how to log onto the ACOS device and how to configure the following basic system
parameters:
• “Logging On” on page 39

• “Configuring Basic System Parameters” on page 45
This section also includes “Deployment Examples” on page 59.
For information on virtual ACOS devices, see “vThunder” on page 65.
To save your configuration changes in the GUI, click the following icon:
To save your configuration changes in the CLI, use the write memory command.
When you make configuration changes, be sure to remember to save the changes. Unsaved
configuration changes will be lost following a reboot.
Logging On
• User Interfaces
• Logging On to the CLI
• Logging On to the GUI
• Console Restart
• Configuring ADC and CGN on the Same Device
User Interfaces
ACOS devices provide the following user interfaces:
• Command-Line Interface (CLI) – Text-based interface in which you type commands on a com-
mand line. You can access the CLI directly through the serial console or over the network using
either of the following protocols:
• Secure protocol – Secure Shell (SSH) version 2
• Unsecure protocol – Telnet (if enabled)
• Graphical User Interface (GUI) – Web-based interface in which you click to access configuration
or management pages and type or select values to configure or manage the device. You can
access the GUI using either of the following protocols:
• Secure protocol – Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)
• Unsecure protocol – Hypertext Transfer Protocol (HTTP)
• aXAPI – XML Application Programming Interface based on the Representational State Transfer
(REST) architecture. The aXAPI enables you to use custom third-party applications to configure
and monitor Server Load Balancing (SLB) parameters on the ACOS device, and to monitor Ether-
net interfaces. (For more information, see the aXAPI Reference.)
NOTE: By default, Telnet access is disabled on all interfaces, including the man-
agement interface. SSH, HTTP, HTTPS, and SNMP access are enabled
by default on the management interface only, and disabled by default on
all data interfaces.
page 39
Logging On to the CLI
NOTE: The maximum number of CLI, GUI, and aXAPI sessions that can be
opened simultaneously on an ACOS device depends on the specific
device.
Logging On to the CLI

NOTE: ACOS devices provide advanced features for securing management
access to the device. This section assumes that only the basic security
settings are in place.
To log onto the CLI using SSH:
1. On a PC connected to a network that can access the ACOS device’s management interface, open
an SSH connection to the IP address of the management interface.
2. Generally, if this the first time the SSH client has accessed the ACOS device, the SSH client dis-
plays a security warning. Read the warning carefully, then acknowledge the warning to complete
the connection. (Press Enter.)
3. At the login as: prompt, enter the admin username.
4. At the Password: prompt, enter the admin password.
If the admin username and password are valid, the command prompt for the User EXEC level of
the CLI appears:
ACOS>
The User EXEC level allows you to enter a few basic commands, including some show commands
as well as ping and traceroute.
NOTE: The “ACOS” in the CLI prompt represents the host name configured on
the device; “ACOS” is the default host name used in all technical publica-
tions. The host name on your device may be different. The default host
name on a system represents the system type; for example, on an A10
Thunder Series 5435 device, the default prompt is:
TH5435>
5. To access the Privileged EXEC level of the CLI and allow access to all configuration levels, enter
the enable command.
At the Password: prompt, enter the enable password. (This is not the same as the admin password,
although it is possible to configure the same value for both passwords.)
page 40
Logging On to the GUI
If the enable password is correct, the command prompt for the Privileged EXEC level of the CLI
appears:
ACOS#
6. To access the global configuration level, enter the configure command. The following command
prompt appears:
ACOS(config)#

Web access to the ACOS device is supported on the Web browsers listed in Table 1.
TABLE 1 GUI Browser Support

Browser Windows Linux MAC
IE 10.0 and higher Supported N/A N/A
Firefox 40.0.3 and higher Supported Supported N/A
Safari 3.0 and higher Not Supported N/A Supported
Chrome 45.0.2454.93 and Supported Supported Supported
higher
A screen resolution of at least 1024x768 is recommended.
1. Open a supported Web browser.

2. In the URL field, enter the IP address of the ACOS device’s management interface.
3. If the browser displays a certificate warning, select the option to continue to the server (the ACOS
device).
NOTE: To prevent the certificate warning from appearing in the future, you can
install a certificate signed by a Certificate Authority. See “Replace the
Web Certificate” on page 53.
A login page is displayed in Figure 7. The name and appearance of the dialog depends on the
browser you are using and the specific device which you are trying to access.
page 41
FIGURE 7 Example GUI Login Dialog
4. Enter your admin username and password and click Login.
NOTE: The default admin username and password are “admin”, “a10”.
The Dashboard (Figure 8) appears, showing at-a-glance information for your ACOS device.
You can access this page again at any time while using the GUI by selecting Dashboard.
Refer to the GUI online help for detailed information about this and all other GUI screens.
page 42
Console Restart
FIGURE 8 Dashboard
NOTE: GUI management sessions are not automatically terminated when you
close the browser window. The session remains in effect until it times
out. To immediately terminate a GUI session, click the Sign Out icon in
the menu bar.
Console Restart
Use the clear console command to terminate the current login process and start a new one:
ACOS(config)# clear console
Use this command if you notice that SSH and data traffic still appear to be operational, though the con-
sole session is hung. This may be caused if rimacli is in a hung state. rimacli is the process that is auto-
matically invoked when an admin logs into the ACOS device through an interface address. This process
provides admins access to the Command Line Interface (CLI) to be able to issue and save commands
to configure the system.
page 43
Configuring ADC and CGN on the Same Device
To resolve the issue of the hung console due to an underlying hung rimacli process, use the clear
console command. After the hung login process is terminated, the console will revert to the login
prompt.
Configuring ADC and CGN on the Same Device

ACOS 4.x software supports both ADC and CGNv6 configuration. Either one may be configured in any
partition but they may not be configured together in the same partition.
When you login to the device using the CLI, all ADC and CGN options are available by default in the
shared partition (see the Configuration Application Delivery Partitions guide for more information about
partitions). When an ADC object is configured (for example, an SLB server), all CGN options are auto-
matically disabled until all ADC objects are removed. Similarly, if a CGN object is configured, then all
ADC options are disabled until the CGN objects are all removed.
When an L3V partition is created, the behavior is the same as the shared partition. All ADC and CGN
objects are available until either one is configured.
You can use the application-type command to explicitly specify the type of objects that are available
in any partition, before any objects are configured. For example, the following command creates an L3V
partition called “PART-ADC” which will only have ADC options available:
ACOS(config)# partition PART-ADC id 1 application-type adc
The behavior in the GUI is slightly different. The GUI menu options are static and will not make ADC or
CGN objects unavailable based on the existing configuration. Therefore, it is up to the user to maintain
records about which types of objects are configured in each partition. If an attempt is made to use the
GUI to configure a CGN object in a partition that already contains ADC objects, the user will see an error
message.
page 44
Configuring Basic System Parameters
This chapter describes the basic system parameters and provides CLI and GUI steps for configuring
them.
The following topics are covered in this chapter:
• Set the System Time and Date
• Set the Hostname and DNS Parameters
• Set the CLI Banners
• Replace the Web Certificate
• Configure Increased I/O Buffer Support
• Configure the Management Interface
NOTE: The only basic parameters that you are required to configure are date/
time settings. Configuring the other parameters is optional.
NOTE: This chapter does not describe how to access the serial console inter-
face. For that information, see the installation guide for your specific
ACOC device.
Set the System Time and Date

This section provides instructions for setting the time and date on your system. The following topics
are covered:
• Set the Clock
• Set the NTP Interface
• Set the NTP Server
• Set the NTP Server Authentication
page 45
Set the Clock

The time and date are not set at the factory. Therefore, you must manually set them or configure NTP
(see “Set the NTP Server” on page 48).
• Use the GUI to Set the Clock
• Use the CLI to Set the Clock
Use the GUI to Set the Clock

To set the clock using the GUI:
1. Navigate to System >> Settings >>Time.

2. In the Clock section, you can:
• Set the date and time. Click in the Date/Time field and select the date from the calendar.
• Set the timezone
• Select whether or not you want to enable or disable daylight savings time.
NOTE: When you change the ACOS timezone, the statistical database is cleared.
This database contains general system statistics (performance, CPU,
memory, and disk utilization) and SLB statistics.
By default, daylight savings is enabled on the ACOS device. The ACOS device automatically
adjusts the time for Daylight Savings Time based on the timezone you select. The UTC time
standard does not observe daylight savings time.
3. Click OK to save your changes.
Use the CLI to Set the Clock

To set the clock using the CLI:
1. From Privileged EXEC mode, use the clock set command to set the time. This command must be
run in Privileged EXEC mode.
The following example sets the time to 10:31 AM on February 13, 2015:
ACOS# clock set 10:31:00 February 13 2015
The following example sets the time to 7:15 PM and 33 seconds on December 17, 2015 (for times
beyond 12:00 PM, use the 24-hour notation):
page 46
ACOS# clock set 19:15:33 December 17 2015
2. Enter Global configuration mode to use the timezone command to set the time zone.
The following example sets the timezone to America/Los_Angeles:
ACOS# configure
ACOS(config)# timezone America/Los_Angeles
3. To verify your settings, use the show clock command:

ACOS# show clock
.08:43:07 PDT Thu Oct 2 2015
ACOS#
Set the NTP Interface

NTP listens on the management port by default.
To configure NTP to also listen on the data ports, use the ntp allow-data-ports command.
To configure NTP to listen on a virtual Ethernet (VE) interface, you must configure a loopback interface
with an IP address on the same subnet as the VE interface, and then use the ip mgmt-traffic ntp
source-interface command. For example:
vlan 2211
untagged ethernet 1
router-interface ve 2211
!
interface ve 2211
enable
ip address 192.168.11.254 255.255.255.0
!
interface loopback 1
ip address 192.168.11.90 255.255.255.255
!
ntp allow-data-ports
!
ntp server 192.168.11.50
!
ip mgmt-traffic ntp source-interface loopback 1
page 47
Set the NTP Server

• Use the GUI to Set the NTP Server
• Use the CLI to Set the NTP Server
Use the GUI to Set the NTP Server

To configure an NTP server using the GUI:
1. Navigate to System >> Settings >> Time.

2. In the NTP Servers section:
• Configure an NTP host.
• Select Enable in the status field to enable the server.
• To designate this server as the preferred server, select the Preferred checkbox.
This option allows you to specify a preferred NTP server. You now direct ACOS to use the prior-
itized NTP server by default and rely on additional NTP servers as backups if the preferred NTP
server becomes unavailable.
NOTE: It is recommended that you enable the Preferred option for a single
NTP server only. If the preference is selected for more than one NTP
server, the prioritized NTP server is determined by an internal calculation.
3. Click OK to save your changes. The new server is added to the NTP Server table below the config-
uration fields.
Use the CLI to Set the NTP Server

To configure a preferred NTP server using the CLI, use the ntp server command from Global Configu-
ration mode, then use the prefer command to make this the preferred server:
ACOS(config)# ntp server 216.171.124.36

ACOS(config-ntpsvr:216.171.124.36)# prefer
Use the show running-config command to verify your configuration:
ACOS(config-ipv4-serveraddr:216.171.124.36)# show run | begin ntp server

ntp server 207.69.131.204
!
ntp server 207.69.131.205
!
page 48
ntp server 216.171.124.36

prefer
!
...
Set the NTP Server Authentication

NTP server authentication keys are stored using a special A10 Networks encryption algorithm to con-
ceal the clear-text form of the authentication key. You can add the ID numbers of encrypted authentica-
tion keys to a list of trusted keys, and apply the trusted keys to one or more NTP servers.
An NTP server can operate in either an authentication or a non-authentication mode. If an authentica-

tion key is specified in the client’s NTP request, the NTP server appends a message authentication
code (MAC) to the response packet header, using the authentication key. The NTP client compares the
MAC of the NTP server against the specified authentication key and accepts the packet from the NTP
server if the MAC matches.
To configure NTP server authentication:
1. Create a list of authentication keys. The encrypted keys are stored on the ACOS device.
2. Add the identification numbers of one or more authentication keys to the list of trusted keys. Only
keys from the trusted key list are valid for NTP server authentication.
3. Configure an NTP server and apply a trusted authentication key.
NOTE: The NTP server and NTP client must reference the same authentication
key ID number. If the NTP server and NTP client are configured with dif-
ferent authentication key ID numbers, NTP server authentication will
always fail.
NOTE: Currently, aXAPI is not supported for SHA and SHA1 authentication of
NTP servers.
Use the GUI to Set NTP Server Authentication

To set up NTP server authentication in the GUI:
1. Navigate to System >> Settings >> Time.

2. In the NTP Keys section:
• Enter a Key ID.
• Configure the encryption type and ASCII or Hex key parameters.
3. Click OK to save your configuration.
page 49
Set the Hostname and DNS Parameters
You can add multiple trusted keys using this screen. After you create the keys, you can then configure
an NTP server in the NTP section (see “Set the NTP Server” on page 48), then select one of the trusted
authentication keys from the drop-down menu to assign to the NTP server.
Use the CLI to Set NTP Server Authentication

The example in this section shows how to configure NTP server authentication.
1. Create two authentication keys (13579 and 24680). Both keys use MD5 encryption and ASCII key
strings:
ACOS(config)# ntp auth-key 13579 M ascii XxEnc192
ACOS(config)# ntp auth-key 24680 M ascii Vke1324as
2. Add keys 13579 and 24680 to the list of trusted keys.

ACOS(config)# ntp trusted-key 13579
ACOS(config)# ntp trusted-key 24680
3. Configure the NTP server at 207.69.131.204 to use trusted key 13579.

ACOS(config)# ntp server 207.69.131.204
AOCS(config-ipv4-serveraddr:207.69.131.204)# key 13579
4. You can verify the NTP server and authentication key configuration with the show running-config
command. The following example includes an output modifier to display only NTP-related configu-
ration:
ACOS(config)# show running-config | include ntp
ntp auth-key 13579 M ascii encrypted zIJptJHuaQaw/5o10esBTDwQjLjV2wDnPBCMuNXbAOc-
8EIy41dsA5zwQjLjV2wDn
ntp auth-key 24680 M ascii encrypted
FSNiuf10Dtzc4aY0tk2J4DwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp trusted-key 13579
ntp trusted-key 24680
ntp server 207.69.131.204
ntp server 207.69.131.205
ntp server 216.171.124.36
ACOS(config)#

• Use the GUI to Set the Hostname and DNS Parameters
• Use the CLI to Set the Hostname and DNS Parameters
page 50
NOTE: Do not use a period ( . ) in the hostname. The ACOS device will interpret
text that appears after the period as the DNS suffix instead of the DNS
suffix you configure.
Use the GUI to Set the Hostname and DNS Parameters

To use the GUI to set the hostname and DNS parameters:
1. Navigate to System >> Settings >> DNS.

2. On the Configure DNS screen, you can specify:
• Host name (required)
• Domain suffix (domain name to which the host belongs)
• Primary IP
• Secondary IP
3. Click Update DNS to store your changes.
Use the CLI to Set the Hostname and DNS Parameters

This section provides an example of how to use the CLI to change the name and DNS parameters on
your device. You must be in the global configuration mode:
1. To begin using the CLI, make sure you are in the Global Configuration mode.
2. Use the hostname command to change the hostname to “ACOS-SLB2”:”
ACOS(config)# hostname ACOS-SLB2
ACOS-SLB2(config)#
After you enter this command, note that the command prompt is changed to reflect the new host-
name.
NOTE: The “ > ” or “ # ” character and characters in parentheses before “ # ” indi-

cate the CLI level you are on and are not part of the hostname.
3. Use the ip dns suffix command to set the default domain name (DNS suffix) for host names on
the ACOS device. The suffix “a10networks.com” is used in this example:
ACOS(config)# ip dns suffix a10networks.com
4. Use the ip dns primary command to set the primary DNS server (10.10.128.101 in this example)
for resolving DNS requests:
ACOS(config)# ip dns primary 10.10.128.101
page 51
Set the CLI Banners
5. Use the ip dns secondary command to set the secondary DNS server (10.10.128.102 in this
example) for resolving DNS requests:
ACOS(config)# ip dns secondary 10.10.128.102
6. Use the show running-config command to view your configuration:

ACOS-SLB2(config)# show running-config | include dns
ip dns primary 10.10.128.101
ip dns secondary 10.10.128.102
ip dns suffix a10networks.com
ACOS-SLB2(config)#
Set the CLI Banners

The CLI displays banner messages when you log onto the CLI. By default, the messages shown in bold
type in the following example are displayed:
login as: admin
Welcome to ACOS
Using keyboard-interactive authentication.
Password:
Last login: Thu Feb 7 13:44:32 2008 from 192.168.1.144
[type ? for help]
You can format banner text as a single line or multiple lines.
If you configure a banner message that occupies multiple lines, you must specify the end marker that
indicates the end of the last line. The end marker is a simple string up to 2-characters long, each of the
which must be an ASCII character from the following range: 0x21-0x7e.
The multi-line banner text starts from the first line and ends at the marker. If the end marker is on a new
line by itself, the last line of the banner text will be empty. If you do not want the last line to be empty,
put the end marker at the end of the last non-empty line.
Use the GUI to Set the CLI Banners

To set the CLI banners using the GUI:
1. Navigate to System >> Settings >> Terminal.

2. On the Terminal page:
page 52
Replace the Web Certificate
a. Configure the Login banner.

b. Configure the EXEC banner.
3. Click OK to save your changes.
Use the CLI to Set the CLI Banners

This section describes how to change the CLI banners using CLI commands.
1. Use the banner login command to set the login banner. This is the banner that will be seen after
you enter the admin username and password. This example sets the banner to “welcome to login
mode:”
ACOS(config)# banner login “welcome to login mode”
2. Use the banner exec command to set the exec banner to “welcome to exec mode.” This banner is
displayed after you enter the admin password:
ACOS(config)# banner login “welcome to exec mode”
To use blank spaces within the banner, enclose the entire banner string with double quotation marks.
Replace the Web Certificate

You can replace the web certificate shipped with the ACOS device. Replacing the certificate with a CA-
signed certificate prevents the certificate warning from being displayed by your browser when you log
in to the GUI.
Use the CLI to Replace the Web Certificate

Use the following command at the global configuration level of the CLI:
ACOS(config)# web-service secure wipe
Then, use the import cert command to import a CA-signed certificate.
Configure Increased I/O Buffer Support
page 53
Configure Increased I/O Buffer Support
On some high-end models only, you can enable the big-buff-pool option to expand support from 4
million to 8 million buffers and increase the buffer index from 22 to 24 bits.
NOTE: The AX 5200-11 requires 96 GB of memory to support this feature. To

check that your system meets this requirement, use the show memory
system command.
Enter the following command to enable more I/O buffers for the system:
ACOS(config)# big-buff-pool
Use the no version of the command to remove a larger buffer for the system:
ACOS(config)# no big-buff-pool
This will modify your boot profile to disable big I/O buffer pool.
It will take effect starting from the next reboot.
Please confirm: You want to disable the big I/O buffer pool(N/Y)?:
Use the show system platform buffer-stats command to view statistics for the I/O buffer pool:
ACOS(config)# show system platform buffer-stats

Buffers available in various states/threads...
---------------------------------------------------
Thread Cache App AppQueue Misc
---------------------------------------------------
Q0 136034 0 0 0
Q1 127873 0 0 0
Q2 154496 0 0 0
Q3 154515 0 0 0
Q4 154511 0 0 0
Q5 153147 0 0 0
Q6 154511 0 0 0
Q7 153147 0 0 0
Q8 153829 0 0 0
Q9 153147 0 0 0
Q10 154511 0 0 0
Q11 153147 0 0 0
Approximate # buffers in App 0
Approximate # buffers in App_cp 0
Approximate # buffers in Cache_cp 1024
Approximate # buffers in Cache 1802868
Approximate # buffers in Queue 0
Approximate # buffers in misc 0
Approximate # buffers in dfree 745472
page 54
Configure the Management Interface
Approximate # buffers free 2391436

Approximate # buffers avail in HW 1639073
# Capsules in per thread pool:
t00 t01 t02 t03 t04 t05
FPGA0: 9 11 11 11 11 11
FPGA1: 21 15 15 15 15 15
FPGA2: 10 19 19 19 19 19
FPGA3: 21 22 22 22 22 22
t06 t07 t08 t09 t10 t11
FPGA0: 5 16 16 16 16 16
FPGA1: 17 17 17 17 17 17
FPGA2: 12 12 11 11 11 11
FPGA3: 21 22 22 22 22 22
Approximate # of operations on Global buffer pool:
GetsD0 PutsD0 GetsD1 PutsD1
FPGA0: 0x00000016 0x00000052 0x00000000 0x00000037
FPGA1: 0x00000000 0x00000033 0x00000000 0x00000032
FPGA2: 0x00000000 0x0000003d 0x00000016 0x0000004a
FPGA3: 0x00000000 0x00000010 0x00000000 0x00000013
Approximate # buffers in total 4194304

The management interface (MGMT) is an Ethernet interface to which you can assign a single IPv4
address and a single IPv6 address. The management interface is separate from the Ethernet data inter-
faces.
Figure 9 shows an example of the management interface on an Thunder Series device.
FIGURE 9 ACOS Deployment Example – Management Interface
By default, the ACOS device attempts to use a route from the main route table for management con-
nections originated on the ACOS device. You can enable the ACOS device to use the management
page 55
route table to initiate management connections instead. (For information, see “Source Interface for
Management Traffic” on page 83.)
NOTE: The ACOS device allows the same IP address to be configured as the
ACOS device global IP address, and as a NAT pool address. However, in
Layer 2 (transparent) deployments, if you do configure the same address
in both places, and later delete one of the addresses, you must reload the
ACOS device to put the change into effect.
Use the GUI to Configure the Management Interface

This section describes how to use the GUI to configure the management interface.
NOTE: Unless you have already configured an IP interface, navigate to the

default IP address: http://172.31.31.31.
1. Navigate to Network >> Interfaces >> Management.

2. On the Management page:
• Configure the duplexity of the management interface.
• Configure the speed of the management interface.
NOTE: The available selection of speeds in this field depends on the device you
are configuring. Devices with no 1G interface, for example, will not have a
1G option in this field.
• Configure the IPv4, IPv6, and LLDP settings.

3. Click Configure to save your changes.
Use the CLI to Configure the Management Interface

The example commands in this section configure access on the management interface.
1. The interface management command puts you in interface management mode, where you can
continue the management interface configuration.
ACOS(config)# interface management
2. Use the ipv6 commands to configure IPv6 access.

ACOS(config-if:management)# ipv6 address 2001:db8::2/32
ACOS(config-if:management)# ipv6 default-gateway 2001:db8::1
page 56
3. The ip commands configure IPv4 access on the management interface:

ACOS(config-if:management)# ip address 192.168.10.2 /24
ACOS(config-if:management)# ip default-gateway 192.168.2.1
4. Use the show interfaces management command to verify the configuration:

ACOS(config-if:management)# show interfaces management
GigabitEthernet 0 is up, line protocol is up.
Hardware is GigabitEthernet, Address is 0090.0b0b.ea38
Internet V6 address is 2001:db8::2/32
Configured Speed auto, Actual 1000, Configured Duplex auto, Actual fdx
0 runts 0 giants
page 57
page 58
Deployment Examples
Deployment Modes
You can insert the ACOS device into your network as a Layer 2 switch (transparent mode) or a Layer 3
router (route mode). In either of the deployment modes, the ACOS device has a dedicated Ethernet
management interface, separate from the Ethernet data interfaces. You can assign an IPv4 address
and an IPv6 address to the management interface.
For network deployment examples, see the following:
• Transparent Mode Deployment
• Routed Mode Deployment
Transparent Mode Deployment

Figure 10 shows an example of an Thunder Series device deployed in transparent mode.
FIGURE 10 ACOS Deployment Example – Transparent Mode
NOTE: For simplicity, this example and the other examples in this chapter show
the physical links on single Ethernet ports. Everywhere a single Ethernet
connection is shown, you can use a trunk, which is a set of multiple ports
configured as a single logical link.
page 59
NOTE: Transparent mode deployments are not valid for CGNv6 configurations.
CGNv6 is only supported in Routed Mode Deployment.
page 60
Configuration Example
This section describes the GUI screens and CLI commands needed to deploy the ACOS device as
shown in Figure 10.
Using the GUI

2. Click on Transparent on the menu bar.
3. Enter the IP Address, IP Mask, and Default Gateway, or alternatively, the IPv6 address and gate-
way.
4. Click Configure.
The data interface is added to the table, which can be seen if you click LAN in the menu bar. Select the
checkbox next to each Ethernet data interface you wish to enable, and click Enable.
Using the CLI
The following commands configure the global IP address and default gateway:
ACOS(config)# ip address 10.10.10.2 /24

ACOS(config)# ip default-gateway 10.10.10.1
The following commands enable the Ethernet interfaces used in the example:

ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# interface ethernet 2
ACOS(config-if:ethernet:3)# exit
page 61
Routed Mode Deployment

Figure 11 shows an example of an ACOS device deployed in route mode.
NOTE: Route mode is also called “gateway” mode.
FIGURE 11 ACOS Deployment Example – Route Mode
In this example, the ACOS device has separate IP interfaces in different subnets on each of the inter-
faces connected to the network. The ACOS device can be configured with static IP routes and can be
enabled to run OSPF and IS-IS. In this example, a static route is configured to be used as the default
route through 10.10.10.1.
Although this example illustrates single physical links, you could use trunks as physical links. You also
could use multiple VLANs. In this case, the IP addresses would be configured on Virtual Ethernet (VE)
interfaces, one per VLAN, instead of being configured on individual Ethernet ports.
Since the ACOS device is a router in this deployment, downstream devices can use the ACOS device as
their default gateway. For example, devices connected to Ethernet port 2 would use 192.168.3.100 as
their default gateway, devices connected to port 3 would use 192.168.1.111 as their default gateway,
and so on.
If multiple ACOS devices in a VRRP-A high availability configuration is used, the downstream devices
will use a floating IP address shared by the two ACOS devices as their default gateway. (See the Config-
uring VRRP-A High Availability guide for more information.)
Configuration Example
This section shows the GUI screens and CLI commands needed to implement the configuration shown
in Figure 11.
Using the GUI

1. Hover over Network in the navigation bar and select Interfaces.
2. If you are not already on the LAN index page, click LAN on the menu bar.
page 62
3. Click Edit in the Actions column for the interface number (for example, Interface “e1”). The config-
uration page appears.
a. To assign an IPv4 address, locate the “IP” section and then click the plus symbol ( ) to dis-
play the configuration fields for that section, and enter the address information.
b. To assign an IPv6 address, locate the “IPv6” section and then click the plus symbol ( ) to dis-
play the configuration fields for that section, and enter the address information.
c. Click Update.
Configuring the Default Route
1. Hover over Network in the navigation bar and select Routes.

2. Select either the IPv4 Static Routes or IPv6 Static Routes tab, then click Create.
3. Complete the IP Dest Address and IP Mask fields. Refer to the online help for detailed information
about these and other fields on this page.
4. Click Create Route.
Using the CLI
The following commands enable the Ethernet interfaces used in the example and configure IP
addresses on them:

ACOS(config-if:ethernet:1)# ip address 10.10.10.2 /24
ACOS(config)#
The following command configures the default route through 10.10.10.1:
ACOS(config)# ip route 0.0.0.0 /0 10.10.10.1
page 63
page 64
vThunder
vThunder is a fully operational software-only version of A10 Networks’ line of A10 Thunder Series and
AX Series Advanced Traffic Managers / Server Load Balancers.
• vThunder for Multiple Hypervisors
• vThunder Installation
• vThunder Feature Support
• Application Delivery Partition Support
• Single-Interface Mode for vThunder (VMware only)
vThunder for Multiple Hypervisors

vThunder is supported on multiple hypervisors. See the Release Notes for a complete list of supported
hypervisors for this release.
Figure 12 shows a network topology in which a vThunder can be installed on a supported hypervisor.
page 65
vThunder for Multiple Hypervisors
FIGURE 12 vThunder for Multiple Hypervisors
The hypervisor is installed on top of the commodity hardware. The virtualized vThunder instance sits
on top of the hypervisor layer. Functionality of vThunder is, for the most part, the same as a hardware-
based ACOS device.
page 66
vThunder Installation
vThunder Installation
The vThunder software can be downloaded as an ISO image. Multiple vThunder instances can be
installed in a single hardware platform, such as a PC, with each instance running independently from
the others.
For specific installation instructions, see the vThunder installation guide for your hypervisor. All installa-
tion instructions are available for download on the Support Portal.
System Requirements
The virtualized hardware upon which the vThunder instance is installed must meet the requirements
with regard to the total free disk space and RAM. However, there is wide variation from one hypervisor
to another, see the “System Requirements” section in your specific vThunder installation guide for
requirements.
Management of vThunder
vThunder can be managed from the ACOS CLI or GUI, which is the same as any standard hardware-
based ACOS device.
vThunder Feature Support

vThunder supports many of the same features as the A10 Thunder Series and AX Series hardware-
based models. The exact set of supported features varies and is based on whether vThunder is running
an ADC (SLB) release or a CGN (IPv6 Migration) release.
See your specific vThunder installation guide for more information.
Standardized Parameter Limits for vThunder Models

vThunder versions vary by price according to the amount of bandwidth offered. A10 Networks offers a
Lab/Developer Edition, as well as the following paid versions, which can be used in production environ-
ments:
• Entry Level/Lab Editions:
• 200 Mbps
• 1 Gbps
page 67
Application Delivery Partition Support
• High-performance Editions:
• 4 Gbps
• 8 Gbps
In ACOS releases earlier than 2.7.0, the maximum limits for the various system parameters varied from
one edition to the next for system parameters such as Maximum SSL VIPs, or the maximum number of
Layer 4 sessions supported. These parameters are now standardized such that the maximum limits for
the vThunder system parameters are the same for the Entry Level edition (with 200-Mbps throughput)
as for the High-performance edition (with 8-Gbps throughput).
This standardization enhancement affects both publicly available parameters, such as Layer 4 ses-
sions, real servers, virtual servers, and server ports, and also so-called “private parameters”, which can
not be viewed through the CLI, such as the maximum number of supported NAT pools, templates, as
well as the limits associated with cookie persistence.
Application Delivery Partition Support

Up to 32 L3V partitions can be created for each vThunder instance.
For more information, see the Configuration Application Delivery Partitions guide.
Single-Interface Mode for vThunder (VMware only)

To simplify deployment, vThunder for VMware can be configured to use a single interface for manage-
ment and data traffic. While vThunder is typically deployed with a separate management and data
interface, “single-interface mode” requires consolidating the functionality of both the data and manage-
ment interfaces into one unified interface.
You can configure vThunder to receive a DHCP-assigned IP address, and this same IP address will be
used for the interface IP, Source NAT IP, and the SLB VIP.
Take note of the following prerequisites:
• This functionality is only supported for vThunder running on the VMware hypervisor, and it is not
supported on any of the other hypervisors.
• The vThunder interface type must be set to “vmxnet3” for single-interface mode.
For more information on configuring Single-interface Mode, see the vThunder for VMware Installation
Guide.
page 68
Part II
Configuration Management
This section describes how to configure the following management features for ACOS devices:
• “Backing Up System Information” on page 71

• “Source Interface for Management Traffic” on page 83
• “Dynamic and Block Configuration” on page 89
• “Boot Options” on page 95
• “Power On Auto Provisioning” on page 103
• “Fail-Safe Automatic Recovery” on page 107
• “Installing the Systems Center Virtual Machine Manager Gateway Plugin” on page 113
Backing Up System Information
By default, when you click the Save button in the GUI or enter the write memory command in the CLI, all
unsaved configuration changes are saved to the startup-config. The next time the ACOS device is
rebooted, the configuration is reloaded from this file.
In addition to these simple configuration management options, the ACOS device has advanced config-
uration management options that allow you to save multiple configuration files. You can save configu-
ration files remotely on a server and locally on the ACOS device itself.
NOTE: For information about managing configurations for separate partitions

on an ACOS device, see the Configuring Application Delivery Partitions
guide.
For information about synchronizing configuration information between

multiple ACOS devices configured for VRRP-A high availability, see the
Configuring VRRP-A High Availability guide.
For upgrade instructions, see the release notes for the ACOS release to which you plan to upgrade.
• Overview of System Backup
• Saving Multiple Configuration Files Locally
Overview of System Backup

The ACOS device allows you to back up the system, individual configuration files, and log entries onto
remote servers. You can use any of the following file transfer protocols:
• Trivial File Transfer Protocol (TFTP)
• File Transfer Protocol (FTP)
• Secure Copy Protocol (SCP)
• SSH File Transfer Protocol (SFTP)
NOTE: Backing up system from one hardware platform and restoring it to

another hardware platform is not supported.
page 71
• Use the GUI to Perform a Backup
• Use the CLI to Perform a Backup
• Restoring from a Backup
Use the GUI to Perform a Backup

To configure backup using the GUI:
1. Navigate to System >> Maintenance.

2. In the menu bar, click Backup. From the drop-down menu that appears, select one of the follow-
ing:
• System—This option performs an immediate backup of the configuration file(s), aFleX scripts,
and SSL certificates and keys.
• Log—This option perform an immediate backup of the log entries in the ACOS device’s syslog
buffer (along with any core files on the system)
• Periodic Backup—This option performs a scheduled backup of either the system or log files.
3. Complete your backup configuration by specifying any necessary information (for example, the
remote host and port, file transfer protocol, location and name of the backup file, and remote sys-
tem access information).
The following example shows an example of a system backup:
page 72
Use the CLI to Perform a Backup

This section provides examples of how to back up your system using the CLI.
The following example creates a backup of the system (startup-config file, aFleX scripts, and SSL certif-
icates and keys) on a remote server using SCP.
ACOS(config)# backup system scp://[email protected]/home/users/exampleuser/backups/

backupfile.tar.gz
The following example creates a daily backup of the log entries in the syslog buffer. The connection to
the remote server will be established using SCP on the management interface (use-mgmt-port).
ACOS(config)# backup log period 1 use-mgmt-port scp://[email protected]/home/users/

exampleuser/backups/backuplog.tar.gz
Restoring from a Backup

You can use a saved backup to restore your current system; for example, if you are upgrading the AX
Series devices in your network to the newer A10 Thunder Series devices.
This section contains some important things to consider before performing a restore operation:
• System Memory
• FTA versus Non-FTA
• L3V Partitions
• Port Splitting
• Port Mapping
• Restore Example
System Memory
If your current device has less memory than the backup device (for example, 16 GB on the current
device but 32 GB on the previous device), this can adversely affect system performance.
FTA versus Non-FTA

If you are restoring from an FTA device to a non-FTA device, for example, some commands may not be
available after the restore operation. This command is lost and cannot be restored.
page 73
L3V Partitions
L3v partitions and their configurations are restored; however, if you are restoring to a device which sup-
ports a fewer number of partitions (for example, 32) than you have configured from the backup device
(for example, 64) then any partitions and corresponding configuration beyond 32 are lost.
Port Splitting
If you are restoring between devices with various 40 GB port splitting configurations, see Table 2 for
more information.
TABLE 2 Restore Behavior for Port Splitting Combinations

Backup Device Current Device Behavior During the Restore Operation
Port splitting disabled. Port splitting disabled. Allow user to perform port mapping (See “Port Mapping” on
page 74.)
Port splitting enabled. Port splitting enabled. Allow user to perform port mapping (See “Port Mapping” on
page 74.)
Port splitting enabled. Port splitting disabled. Ask the user if they want to perform port mapping. If yes, enable port
splitting, reboot the device, then perform the restore operation
again, where port mapping will be enabled.
Port splitting disabled. Port splitting enabled. Exit the restore operation. The user will have to perform a system-
reset or disable port splitting, reboot the system, and then perform
the restore operation again.
Port Mapping
When restoring from a device that has a different number of ports, or even the same number of ports,
you can map the port number from the previous configuration to a new port number (or same port
number) in the new configuration.
In cases where the original number of ports is greater than the number of ports on the new system,
some configuration may be lost.
If you choose to skip port mapping (see the example below) then the original port numbers and config-
urations are preserved. If the original device had ports 1-10 configured, and the new device only has
ports 1-8, and you skip port mapping, then ports 9 and 10 are lost. If you choose port mapping, you can
decide which 8 out of the original 10 ports you want to preserve during the port mapping process.
Restore Example
This section provides an example of a restore operation:
• Restore from version 4.1.1-P1 to 4.1.1-P2
• The system memory on the original device is 8 GB, but is 16GB on the new device.
• number of interfaces on the original device is 10, but the new device has 12.
page 74
See the other highlighted lines in the example output along with the corresponding comments, which
are preceded by th e “<--“ characters:
ACOS(config)# restore use-mgmt-port scp://[email protected]/root/user1/backup1

Password []?
A10 Product:
Object Backup device Current device
--------------------------------------------------------------------
Device TH1030 TH3030
Image version 4.1.1-P1 4.1.1-P2
System memory:
--------------------------------------------------------------------
Memory (MB) 8174 16384
Checking memory: OK.

Ethernet Interfaces:
--------------------------------------------------------------------
Total 10 12
1 Gig 1-10 1-12
Do you want to skip port map?(Answer no if you want port mapping manually.)
[yes/no]: no
Please specify the Current device to Backup device port mapping

1-10 : a valid port number in backup device.
0 : to skip a port
-1 : to restart port mapping.
Current Port: Backup device port

Port 1 : 2 <-- port 2 on the backup device is re-numbered to 1
Port 2 : 1 <-- port 1 on the backup device is re-numbered to 2
Port 3 : 0
Port 4 : 0
Port 5 : 0
Port 6 : 0
Port 7 : 0
Port 8 : 0
Port 9 : 0
Port 10 : 0
The current startup-configuration will be replaced with the new configuration that was
imported.
Do you wish to see the diff between the updated startup-config and the original backup con-
figuration?
page 75
[yes/no]: yes
Modified configuration begin with "!#"
!Current configuration: 277 bytes

!Configuration last updated at 05:38:18 UTC Fri Mar 17 2017
!Configuration last saved at 05:38:19 UTC Fri Mar 17 2017
!64-bit Advanced Core OS (ACOS) version 4.1.1-P2, build 112 (Mar-13-2017,15:41)
!
interface management
ip address 192.168.210.24 255.255.255.0
ip default-gateway 192.168.210.1
!#interface management
!# ip address 192.168.210.24 255.255.255.0
!# ip default-gateway 192.168.210.1
!# exit-module
!
interface ethernet 2
!#interface ethernet 1 <-- original port 1 is now port 2
exit-module
!
interface ethernet 1
!#interface ethernet 2 <-- original port 2 is now port 1
exit-module
!
!#interface ethernet 3
!# exit-module
!
!# exit-module
!
!# exit-module
!
!# exit-module
!
!# exit-module
!
!# exit-module
!
!
page 76
Saving Multiple Configuration Files Locally
end
Complete the restore process?
[yes/no]: yes
Please wait restore to complete: .

Restore successful. Please reboot to take effect.

The ACOS device has CLI commands that enable you to store and manage multiple configurations on
the ACOS device.
NOTE: Unless you plan to locally store multiple configurations, you do not need
to use any of the advanced commands or options described in this sec-
tion. You can enter the write memory command in the CLI to save config-
uration changes. These simple options replace the commands in the
startup-config stored in the image area the ACOS device booted from
with the commands in the running-config.
• Understanding Configuration Profiles
• Using the CLI to Save Configurations
• Using the CLI to View Configurations
• Using the CLI to Copy Configurations
• Using the CLI to Compare Configurations
• Using the CLI to Link Configuration Profiles
• Using the CLI to Delete a Profile
• CLI Example of Configuration Profile Management
Understanding Configuration Profiles

Configuration files are managed as configuration profiles. A configuration profile is simply a configura-
tion file. You can locally save multiple configuration profiles on the ACOS device. The configuration
management commands described in this section enable you to do the following:
page 77
• Save the startup-config or running-config to a configuration profile.
• Copy locally saved configuration profiles.
• Delete locally saved configuration profiles.
• Compare two configuration profiles side by side to see the differences between the configura-
tions.
• Link the command option “startup-config” to a configuration profile other than the one stored in
the image area used for the most recent reboot. (This is the profile that “startup-config” refers to
by default.) This option makes it easier to test a configuration without altering the configuration
stored in the image area.
NOTE: Although the enable and admin passwords are loaded as part of the sys-
tem configuration, they are not saved in the configuration profiles.
Changes to the enable password or to the admin username or password
take effect globally, regardless of the values that were in effect when a
given configuration profile was saved.
Using the CLI to Save Configurations

To manage multiple locally stored configurations, use the write memory or write force commands
(available at the global configuration level of the CLI).
• If you enter write memory without additional options, the command replaces the configuration
profile that is currently linked to by startup-config with the commands in the running-config. If
startup-config is set to its default (linked to the configuration profile stored in the image area that
was used for the last reboot), then write memory replaces the configuration profile in the image
area with the running-config.
• If you enter write force, the command forces the ACOS device to save the configuration regard-
less of whether the system is ready.
• If you enter write memory primary, the command replaces the configuration profile stored in the
primary image area with the running-config. Likewise, if you enter write memory secondary, the
command replaces the configuration profile stored in the secondary image area with the running-
config.
• If you enter write memory profile-name, the ACOS device replaces the commands in the speci-
fied profile-name with the running-config.
• You can also specify a specific L3V partition or all-partitions with the write memory and write
force commands; these options save the configuration changes in your L3V partitions. Without
either option, only the configuration in the shared partition is saved.
For CLI syntax information about write memory and write force, see the Command Line Interface
Reference.
page 78
Using the CLI to View Configurations

To view locally stored configuration information, use the show startup-config command.
• To display a list of the locally stored configuration profiles, use the show startup-config all
command.
• The show startup-config all-partitions command shows all resources in all partitions. In this
case, the resources in the shared partition are listed first, followed by the resources in each L3V
partition. You can also specify a single partition instead of all-partitions to view the startup-
config for the specified partition only.
• The show startup-config profile profile-name command displays the commands that are in
the specified configuration profile.
For CLI syntax information about show startup-config, see the Command Line Interface Reference.
Using the CLI to Copy Configurations

To copy configurations, use the copy command.
• The copy startup-config profile-name command copies the configuration profile that is cur-
rently linked to “startup-config” and saves the copy under the specified profile name.
• The copy startup-config running-config command copies the configuration profile that is cur-
rently linked to “startup-config” and replaces the current running-config.
• The copy running-config startup-config command copies the running-config and saves it to
the configuration profile currently linked to the startup-config.
NOTE: You cannot use the profile name “default”. This name is reserved and
always refers to the configuration profile that is stored in the image area
from which the ACOS device most recently rebooted.
• For all commands, specify the url to the remote device where you want to back up the configura-
tion. See “Backing Up System Information” on page 71.)
For CLI syntax information about the copy command, see the Command Line Interface Reference.
Using the CLI to Compare Configurations

To view a side-by-side comparison of configurations, use the diff command.
• The diff startup-config running-config command compares the configuration profile that is
currently linked to “startup-config” with the running-config. Similarly, the diff startup-config
page 79
profile-name command compares the configuration profile that is currently linked to “startup-
config” with the specified configuration profile.
• To compare any two configuration profiles, enter their profile names. For example:
diff profile-name1 profile-name2
In the CLI output, the commands in the first profile name you specify are listed on the left side of the
terminal screen. The commands in the other profile that differ from the commands in the first profile
are listed on the right side of the screen, across from the commands they differ from. Table 3 describes
the flags indicating how the two profiles differ:
TABLE 3 Description of the Flags in the diff Command Output

Flag Description
| Indicates that the corresponding command has different settings in each profile.
> Indicates that the corresponding command is in the second profile, but not the first.
< Indicates that the corresponding command is in the first profile, but not the second.
Using the CLI to Link Configuration Profiles

Use the link command to link configuration profiles. By default, “startup-config” is linked to “default”,
which means the configuration profile stored in the image area from which the ACOS device most
recently rebooted.
This command enables you to easily test new configurations without replacing the configuration
stored in the image area. For example, the following command links the startup-config to a new profile
called test_profile:
ACOS(config)# link startup-config test-profile primary
You can specify the primary or secondary option to indicate an image area; if you omit this option, the
image area last used to boot is selected.
The profile you link to must be stored on the boot device you select. For example, if you use the default
boot device selection (hard disk), the profile you link to must be stored on the hard disk. (To display the
profiles stored on the boot devices, use the show startup-config all command.)
After you link “startup-config” to a different configuration profile, configuration management com-
mands that affect “startup-config” affect the linked profile instead of affecting the configuration stored
in the image area. For example, if you enter the write memory command without specifying a profile
name, the command saves the running-config to the linked profile instead of saving it to the configura-
tion stored in the image area.
Likewise, the next time the ACOS device is rebooted, the linked configuration profile is loaded instead of
the configuration that is in the image area.
To relink “startup-config” to the configuration profile stored in the image area, use the default option:
page 80
ACOS(config)# link startup-config default
Using the CLI to Delete a Profile

Use the delete startup-config command to remove a specific configuration profile. For example:
ACOS(config)# delete startup-config slb_profile1
Although the command uses the startup-config option, the command only deletes the configuration
profile linked to “startup-config” if you enter that profile’s name. The command deletes only the profile
you specify.
If the configuration profile you specify is linked to “startup-config”, “startup-config” is automatically

relinked to the default. (The default is the configuration profile stored in the image area from which the
ACOS device most recently rebooted).
CLI Example of Configuration Profile Management

The following command saves the running-config to a configuration profile named “slbconfig2”:
ACOS(config)# write memory slbconfig2
The following command shows a list of the configuration profiles locally saved on the ACOS device.
The first line of output lists the configuration profile that is currently linked to “startup-config”. If the
profile name is “default”, then “startup-config” is linked to the configuration profile stored in the image
area from which the ACOS device most recently rebooted.
ACOS(config)# show startup-config all

Current Startup-config Profile: slb-v6
Profile-Name Size Time
------------------------------------------------------------
1210test 1957 Jan 28 18:39
ipnat 1221 Jan 25 10:43
ipnat-l3 1305 Jan 24 18:22
ipnat-phy 1072 Jan 25 19:39
ipv6 2722 Jan 22 15:05
local-bwlist-123 3277 Jan 23 14:41
mgmt 1318 Jan 28 10:51
slb 1354 Jan 23 18:12
slb-v4 12944 Jan 23 19:32
slb-v6 13414 Jan 23 19:19
page 81
The following command copies the configuration profile currently linked to “startup-config” to a profile
named “slbconfig3”:
ACOS(config)# copy startup-config slbconfig3
The following command compares the configuration profile currently linked to “startup-config” with
configuration profile “testcfg1”. This example is abbreviated for clarity. The differences between the
profiles are shown in this example in bold type.
ACOS(config)# diff startup-config testcfg1

!Current configuration: 13378 bytes (
!Configuration last updated at 19:18:57 PST Wed Jan 23 2008 (
!Configuration last saved at 19:19:37 PST Wed Jan 23 2008 (
!version 1.2.1 (
! (
hostname ACOS (
! (
clock timezone America/Tijuana (
! (
ntp server 10.1.11.100 1440 (
! (
...
! (
interface ve 30 (
ip address 30.30.31.1 255.255.255.0 | ip address 10.10.20.1
255.255.255.0
ipv6 address 2001:144:121:3::5/64 | ipv6 address fc00:300::5/64
! (
! (
> ip nat range-list v6-1
fc00:300::300/64 2001:144:121:1::900/6
! (
ipv6 nat pool p1 2001:144:121:3::996 2001:144:121:3::999 netm <
! <
slb server ss100 2001:144:121:1::100 <
port 22 tcp <
--MORE--
The following command links configuration profile “slbconfig3” with “startup-config”:
ACOS(config)# link startup-config slbconfig3
The following command deletes configuration profile “slbconfig2”:
ACOS(config)# delete startup-config slbconfig2
page 82
Source Interface for Management Traffic
By default, the ACOS device uses data interfaces as the source for management traffic. This chapter
describes how you can configure the management interface and loopback interfaces to act as the
source for management traffic instead of using data interfaces.
• Using the Management Interface as the Source for Management Traffic
• Using a Loopback or Virtual Ethernet Interface as the Source for Management Traffic
Using the Management Interface as the Source for

Management Traffic
• Understanding Route Tables
• Keeping the Management and Data Interfaces in Separate Networks
• Management Routing Options
• Configuring the Management Interface as Source for Automated Management Traffic
• Configuring the Management Interface as Source Interface for Manually Generated Management
Traffic
Understanding Route Tables

By default, the ACOS device attempts to use a route from the main route table for management con-
nections originated on the ACOS device. You can enable the ACOS device to use the management
route table to initiate management connections instead.
This section describes the ACOS device’s two route tables, for data and management traffic, and how
to configure the device to use the management route table.
The ACOS device uses separate route tables for management traffic and data traffic.
page 83
Using the Management Interface as the Source for Management Traffic
• Management route table – Contains all static routes whose next hops are connected to the man-
agement interface. The management route table also contains the route to the device configured
as the management default gateway.
• Main route table – Contains all routes whose next hop is connected to a data interface. These
routes are sometimes referred to as data plane routes. Entries in this table are used for load bal-
ancing and for Layer 3 forwarding on data ports.
This route table also contains copies of all static routes in the management route table, excluding
the management default gateway route.
You can configure the ACOS device to use the management interface as the source interface for auto-
mated management traffic. In addition, on a case-by-case basis, you can enable the use of the man-
agement interface and management route table for various types of management connections to
remote devices.
The ACOS device automatically uses the management route table for reply traffic on connections initi-
ated by a remote host that reaches the ACOS device on the management port. For example, this occurs
for SSH or HTTP connections from remote hosts to the ACOS device.
NOTE: Static routes whose next hop is the management interface are dupli-
cated in the management route table.
Keeping the Management and Data Interfaces in Separate Networks

The management interface and the data interfaces must be in separate networks. If both tables have
routes to the same destination subnet, some operations (for example, ping) may have unexpected
results. An exception is the default route (0.0.0.0/0), which can be in both tables.
To display the routes in the management route table, use the show ip route mgmt command.
To display the data plane routes, use the show ip route or show ip fib commands.
Management Routing Options

You can configure the ACOS device to use the management interface as the source interface for the
following management protocols, used for automated management traffic:
• SYSLOG
• SNMPD
• NTP
• RADIUS
• TACACS+
page 84
Using the Management Interface as the Source for Management Traffic
• SMTP
For example, when use of the management interface as the source interface for control traffic is
enabled, all log messages sent to remote log servers are sent through the management interface. Like-
wise, the management route table is used to find a route to the log server. The ACOS device does not
attempt to use any routes from the main route table to reach the server, even if a route in the main
route table could be used.
In addition, on a case-by-case basis, you can enable use of the management interface and manage-
ment route table for the following types of management connections to remote devices:
• Upgrade of the ACOS software
• SSH or Telnet connection to a remote host
• Import or export of files
• Export of show techsupport output
• Reload of black/white lists
• SSL loads (keys, certificates, and Certificate Revocation Lists)
• Copy or restore of configurations
• Backups
Configuring the Management Interface as Source for Automated

Management Traffic
By default, use of the management interface as the source interface for automated management traf-
fic is disabled.
To enable it, use the ip control-apps-use-mgmt-port command at the configuration level for the man-
agement interface:
ACOS(config)# interface management

ACOS(config-if:management)# ip control-apps-use-mgmt-port
Configuring the Management Interface as Source Interface for

Manually Generated Management Traffic
To use the management interface as the source interface for manually generated management traffic,
use the use-mgmt-port option as part of the command string. This option is available with certain file
management commands, including the import command:
page 85
Using a Loopback or Virtual Ethernet Interface as the Source for Management Traffic
ACOS(config)# import ssl-cert-key bulk ?

use-mgmt-port Use management port as source port
tftp: Remote file path of tftp: file system(Format: tftp://host/file)
ftp: Remote file path of ftp: file system(Format:
ftp://[user@]host[:port]/file)
scp: Remote file path of scp: file system(Format:
scp://[user@]host/file)
sftp: Remote file path of sftp: file system(Format:
sftp://[user@]host/file)
NAME<length:1-31> profile name for remote url
Using a Loopback or Virtual Ethernet Interface as the

Source for Management Traffic
You can configure the ACOS device to use a loopback or virtual Ethernet interface IP address to be
used as the source interface for management traffic originated by the device.
This section contains the following related information:
• Loopback Interface Management Traffic Types
• Loopback Interface Implementation Notes
• Loopback Interface Limitations
• Configuring a Loopback Interface for Management Traffic
Loopback Interface Management Traffic Types

You can enable use of a specific loopback interface as the source for one or more of the following man-
agement traffic types:
• FTP
• NTP
• RCP
• SNMP
• SSH
• SYSLOG
page 86
• Telnet
• TFTP
• Web
FTP, RCP, and TFTP apply to file export and import, such as image upgrades and system backups.
Telnet and SSH apply to remote login from the ACOS device to another device. They also apply to
RADIUS and TACACS+ traffic. SSH also applies to file import and export using SCP.
Web applies to GUI login.
Loopback Interface Implementation Notes

Some notes to consider for loopback interfaces:
• Loopback interface IP address – The loopback interface you specify when configuring this fea-
ture must have an IP address configured on it. Otherwise, this feature does not take effect.
• Management interface – If use of the management interface as the source for management traf-
fic is also enabled, the loopback interface takes precedence over the management interface. The
loopback interface’s IP address will be used instead of the management interface’s IP address as
the source for the management traffic. In conjunction, the use-mgmt-port CLI option will have no
effect.
• Ping traffic – Configuration for use of a loopback interface as the source for management traffic
does not apply to ping traffic. By default, ping packets are sourced from the best interface based
on the ACOS route table. You can override the default interface selection by specifying a loop-
back or other type of interface as part of the ping command. (See the Command Line Interface Ref-
erence for syntax information.)
Loopback Interface Limitations

The current release has the following limitations related to this feature:
• Floating loopback interfaces are not supported.
• IPv6 interfaces are not supported.
Configuring a Loopback Interface for Management Traffic

The following commands configure an IP address on loopback interface 2 in the shared partition:
ACOS(config)# interface loopback 2

ACOS(config-if:loopback:2)# ip address 10.10.10.66 /24
page 87
ACOS(config-if:loopback:2)# exit
The following command configures the device to use loopback interface 2 as the source interface for
management traffic of all types:
ACOS(config)# ip mgmt-traffic all source-interface loopback 2
Configuring a Virtual Ethernet Interface for Management Traffic

The following commands configure virtual Ethernet interface 2 in the L3V partition called p1:
ACOS[p1](config)# vlan 2
ACOS[p1](config-vlan:2)# router-interface ve 2
ACOS[p1](config-if:ve2)# ip address 10.1.1.254 /24
ACOS[p1](config-if:ve2)# exit
The following command configures the device to use ve 2 as the source interface for management traf-
fic in the p1 partition:
ACOS[p1](config)# ip mgmt-traffic traffic-type source-interface ve 2
NOTE: If the virtual Ethernet interface belongs to the shared vlan, then the
shared virtual Ethernet interface IP address will be used. For example, if
vlan 2 above is also in the shared partition, the IP address 10.1.1.254 /
24 will not be used for management traffic, but the IP address as config-
ured for the virtual Ethernet in the shared partition will be used.
See the Configuring Application Delivery Partitions guide for more information about partitions.
page 88
Dynamic and Block Configuration
In the classical (default) mode of the CLI, configuration commands take effect as they are entered. For
example, slb server s1 10.10.10.1 creates an SLB server “s1” with an IP address of 10.10.10.1 with-
out having to take any further action.
Using the CLI or aXAPI, block configuration modes allow you to update portions of your configuration
without having to take your ACOS device off-line or disrupting live traffic.
• Overview of Dynamic and Block Configuration
• Block Configuration Modes for CMDB
• Block Configuration Modes for aFleX
Overview of Dynamic and Block Configuration

The Configuration Management Database (CMDB) allows for dynamic changes to be made to the run-
ning configuration using either the CLI or the aXAPI using the cli.deploy method. You enter a block
configuration mode to create a new configuration file in the CMDB. ACOS compares the existing run-
ning configuration with this new file (your new configuration), which is considered the primary configu-
ration. ACOS parses the commands in the new configuration file and rearranges them into an order in
which the new commands will be applied so that live traffic is not disturbed.
For replicated configurations, the old configuration is left in place rather than removed and then re-
entered.
During this process, some dependency checks may be disabled. After parsing the new configuration,
ACOS will ensure that all dependency checks are passed and all configurations are complete and valid.
NOTE: This feature is not supported in the GUI.
Multiple users cannot configure ACOS through the CLI. Concurrent

aXAPI calls are possible although they will be queued.
page 89
Block Configuration Modes for CMDB

• Block-Merge Mode
• Block-Replace Mode
• Expected Behaviors in Block Mode
Block-Merge Mode
In block-merge mode, existing elements edited in block-merge mode are replaced with your new defini-
tions and then merged with the remaining configuration with block-merge-end.
If the running configuration is not committed before entering “block-merge” mode, then all changes
made before and after “block-merge” mode are committed when you end “block-merge” mode.
NOTE: In this release, a setting to control the behavior of block-merge mode

called merge mode is supported. In the merge mode, any child instances
of the old configuration are retained if not present in the new configura-
tion. The merge mode can be accessed using the merge-mode-add com-
mand from the Global configuration mode.
The following is an example showing how block-merge mode works. First, view the existing SLB config-
uration:
ACOS(config)# show run | sec slb

slb server s1 2.2.2.2
port 80 tcp
sampling-enable all
slb virtual-server vip1 1.1.1.1
port 80 tcp
sampling-enable curr_conn
sampling-enable total_conn
ACOS(config)#
Next, edit the SLB server configuration to exclude the baselining configuration (sampling-enable com-
mand):
ACOS(config)# block-merge-start
Beginning merge mode. Enter configuration followed by 'block-merge-end' to merge configura-
tion into running.
ACOS(config)# slb server s1 2.2.2.2
ACOS(config-real server)# port 80 tcp
page 90
ACOS(config-real server-node port)# exit

ACOS(config-real server)# exit
ACOS(config)# block-merge-end
Configuration merged into running.
ACOS(config)#
View the running configuration again:

port 80 tcp
port 80 tcp
ACOS(config)#
The changes are merged into the existing running-config so that “sampling-enable all” is no longer part
of the SLB real server configuration.
Block-Replace Mode
In block-replace mode, instead of individual SLB configuration elements, the entire SLB configuration
gets discarded and replaced when the new configuration is committed with block-replace-end. The
rest of the configuration remains intact.
All configurations before entering “block-replace” mode, whether committed or not, are removed unless
they also are configured in “block-replace” mode.
Below is an example showing how block-replace mode works. First, view the existing SLB configura-
tion:

port 80 tcp
sampling-enable all
port 80 tcp
ACOS(config)#
page 91
Next, edit the SLB server configuration to exclude the SLB virtual server:
ACOS(config)# block-replace-start
Beginning replace mode. Enter configuration followed by 'block-replace-end' to apply diff
and replace configuration into running.
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# sampling-enable all
ACOS(config)# block-replace-end
Configuration replaced into running.
ACOS(config)#
View the running configuration again:

port 80 tcp
sampling-enable all
ACOS(config)#
The changes have completely replaced the existing SLB configuration; there is no longer an SLB virtual
server configured.
Expected Behaviors in Block Mode

ACOS parses the configurations entered in block mode before it commits those changes. Any invalid
command that results in a configuration error will void all of the block-mode configurations, and none
of those changes will be made. The configuration will revert to the original running configuration. All
configurations done in a block mode must succeed or else none of the configurations take effect.
If an undesired command or an erroneous command is entered in block mode, most of those can be
removed using the no form of the command. However, using the CLI only, syntax errors will be ignored
when the “block-replace” mode configuration is committed. If you run into a syntax error but still enter
the block-replace-end command, then all valid configurations made in “block-replace” mode, prior to
the syntax error, will still be committed and entirely replace the old running configuration. Using the
aXAPI, if there is an error in both syntax and configuration while using the cli.deploy method, then ACOS
will rollback to the original configuration. If an error is detected and ACOS reverts to the old running
configuration, the configuration entered in block mode will be cleared.
To avoid erasing the old running configuration with an erroneous configuration entered in block mode,
exit block mode using the block-abort command. This will erase all configuration commands entered
in block mode and retain the old running configuration.
page 92
Block Configuration Modes for aFleX
In block mode, you can view the current running configuration with the show config command. This is
the same as the show running-config command in the classical mode of the CLI. The changes you are
currently making in block mode are not visible in the output of this command.
To view the configuration you are making in either “block-merge” or “block-replace” mode, enter the
show config-block command.

aFleX can also be configured in-line within block-merge and block-replace mode. Within the CLI, you
enter the command aflex-scripts start to enter the aFleX configuration mode. aFleX commands
should be entered in-line following that. When you are finished, simply enter a period (.) to indicate the
end of the aFleX commands to be committed. All of these commands should be entered within the
“block-merge” or “block-replace” mode in order for the aFleX commands to take effect.
Like the “block-merge” and “block-replace” mode in the CLI, the application of the aFleX commands is
dependent on all features passing. One failed command will mean that not of the commands are
entered into the running configuration.
To enter aFleX commands in-line within “block-merge” or “block-replace” mode, enter the following
command at the block configuration level:
aflex-scripts start
Each aFlex can then be entered using the convention where the header contains <aflex-script aflex-
Name, followed by the actual aFleX and then a closing bracket (>). A period is used to indicate the end of
all scripts.
<aflex-script aflexName
aflex code {
...
}
>
To indicate the end of all the aFleX commands, enter the following symbol at the end of the aFleX com-
mands:
To view all aFleX commands as part of the running configuration, enter the running-config display
aflex global configuration command in the CLI, then enter the show running-config command.
page 93
page 94
Boot Options
This chapter describes how to display or change the storage area from which the ACOS device boots.
The following topics are included:
• Storage Areas
• Booting from a Different Storage Area
NOTE: This chapter does not describe how to upgrade the system image. For
upgrade instructions, see the release notes for the release to which you
plan to upgrade.
Storage Areas
The ACOS device has four storage areas (also called “image areas”) that can contain software images
and configuration files:
• Primary storage on the Solid State Drive (SSD) or disk
• Secondary storage on the SSD or disk
• Primary storage on the compact flash (CF)
• Secondary storage on the compact flash
Note that not all storage areas are available on all devices.
The SSD or disk storage areas are used for normal operation. The compact flash storage areas are
used only for system recovery.
NOTE: In this document, references to SSD can refer to the hard disk in some
older ACOS devices.
Normally, each time the ACOS device is rebooted, the device uses the same storage area that was used
for the previous reboot. For example, if the primary storage area of the SSD or disk was used for the
page 95
Storage Areas
previous reboot, the system image and startup-config from the primary storage area are used for the
next reboot.
Unless you change the storage area selection or interrupt the boot sequence to specify a different stor-
age area, the ACOS device always uses the same storage area each time the device is rebooted.
NOTE: The ACOS device always tries to boot using the SSD or disk first. The
compact flash is used only if the SSD or hard disk is unavailable. If you
need to boot from compact flash for system recovery, contact A10 Net-
works.
Displaying Current Storage Information

To display the software images installed in the ACOS storage areas, and the currently running software
version, use either of the following methods:
• Use the GUI to View Storage Information
• Use the CLI to View Storage Information
Use the GUI to View Storage Information

Navigate to System >> Dashboard in the GUI (see Figure 13).
page 96
Storage Areas
FIGURE 13 System Dashboard in the GUI
System Info Tab Hover over this text to view System
The field at upper left, in the System Info area, shows the software version that is currently running.
The system info is also displayed in the top right corner of every page. Hover over the link to display the
same system info as shown on the Dashboard.
Use the CLI to View Storage Information

The show version command shows storage area information. The command also lists other informa-
tion, including the currently running software version.
ACOS# show version

AX Series Advanced Traffic Manager AX5100
Copyright 2007-2015 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents:
8977749, 8943577, 8918857, 8914871, 8904512, 8897154, 8868765, 8849938
8826372, 8813180, 8782751, 8782221, 8595819, 8595791, 8595383, 8584199
8464333, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235, 8151322
8079077, 7979585, 7804956, 7716378, 7665138, 7647635, 7627672, 7596695
7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114, 6535516
6363075, 6324286, 5931914, 5875185, RE44701, 8392563, 8103770, 7831712
7606912, 7346695, 7287084, 6970933, 6473802, 6374300
64-bit Advanced Core OS (ACOS) version 4.1.0, build 141 (Aug-17-2015,08:03 )
page 97
Storage Areas
Booted from Hard Disk primary image
Serial Number: AX51071112030080

Firmware version: 0.26
aFleX version: 2.0.0
aXAPI version: 3.0
Hard Disk primary image (default) version 4.1.0, build 141
Hard Disk secondary image version 2.6.1-GR1-P7, build 51
Compact Flash primary image (default) version 2.6.1-GR1-P7, build 51
Last configuration saved at Aug-18-2015, 02:02
Hardware: 16 CPUs(Stepping 5), Single 62G Hard disk
Memory 24677 Mbyte, Free Memory 9797 Mbyte
Hardware Manufacturing Code: 120311
Current time is Aug-21-2015, 08:09
The system has been up 3 days, 6 hours, 5 minutes
ACOS#
Displaying the Storage Location for Future Reboots

To display the storage area that will be used for the future reboots, use either of the following methods.
NOTE: The ACOS device always tries to boot using the SSD or disk first. The
compact flash is used only if the SSD or hard disk is unavailable. If you
need to boot from compact flash for system recovery, contact A10 Net-
works.
Use the GUI to View the Storage Location for Future Reboots
1. Hover over System in the navigation bar, and select Settings.
2. Click Boot Image on the menu bar.
Using the CLI to View the Storage Location for Future Reboots
Use the show bootimage command to view the storage location for future reboots.
In the following example, the ACOS device is configured to boot from the primary storage area on the
SSD or disk:
ACOS# show bootimage

(* = Default)
Version
-----------------------------------------------
Hard Disk primary 4.1.0.141 (*)
page 98
Booting from a Different Storage Area
Hard Disk secondary 2.6.1-GR1-P7.51

Compact Flash primary 2.6.1-GR1-P7.51 (*)

The ACOS device allows you to change the boot device from the primary image to the secondary image
on a single storage device, either the SSD, hard disk, or the CF. You can use the CLI or the GUI to make
the change from the primary image to the secondary image or vice versa. However, if you are choosing
to change the boot device from the SSD (hard disk) to the CF (Compact Flash) you have to interrupt the
boot sequence to do so. Both boot devices, SSD (hard disk) and CF, contain their own primary and sec-
ondary boot locations.
To reboot from a different image within the same storage device (SSD or CF), do one of the following:
• Interrupt the boot sequence and use the bootloader menu to temporarily select the other storage
area.
• Configure the ACOS device to use the other storage area for all future reboots, then reboot.
Temporarily Changing the Boot Image for the Next Reboot

To temporarily change the storage location within the same boot device (SSD or CF) from the primary
to the secondary image, interrupt the boot sequence to access the bootloader menu.
To access the bootloader menu, reboot the ACOS device, then press Esc within 3 seconds when
prompted.
When the bootloader menu appears, use the Up and Down arrow keys to select the image area from
which to boot, and press Enter. The menu does not automatically time out. You must press Enter to
reboot using the selected image.
CAUTION: Each storage area has its own version of the startup-config. When you
save configuration changes, they are saved only to the startup-config in
the storage area from which the ACOS device was booted.
If you plan to reboot from a different storage area, but you want to use
the same configuration, first save the configuration to the other storage
area. (The procedures in “Permanently Changing the Storage Location
for Future Reboots” on page 101 include steps for this.)
NOTE: The bootloader menu is available on all new ACOS devices later than
release 2.6.1. However, the bootloader menu is not automatically
installed when you upgrade from a release earlier than 2.6.1. To install
page 99
the bootloader menu on upgraded devices, see the AX Release 2.6.1

release notes, or the description of the boot-block-fix command in the
Command Line Interface Reference for 2.6.1 or later.
ACOS# reboot
Rebooting System Now !!!
Proceed with reboot? [yes/no]:yes
INIT:
Shutting down........Restarting system.

Press `ESC' to enter the boot menu... 1
Admin presses Esc within 3 seconds.
# # ### # #
# # ## # # ## # ###### ##### # # #### ##### # # ####
# # # # # # # # # # # # # # # # # # # #
# # # # # # # # ##### # # # # # # # #### ####
####### # # # # # # # # # ## # # # ##### # # #
# # # # # # ## # # ## ## # # # # # # # #
# # ##### ### # # ###### # # # #### # # # # ####
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
-------------------------------------------------------------------
0: ACOS (Primary Image)
1: ACOS (Secondary Image)
-------------------------------------------------------------------
Use the Up and Down arrow keys to select the image from which to boot.
Press enter to boot the selected image.
Admin presses down arrow to select 1.
Highlighted entry is 1:
Admin presses Enter to reboot using the selected image.
Booting 'ACOS (Secondary Image)'

Please wait while the system boots...
Booting........................[OK]
page 100
ACOS login:
Permanently Changing the Storage Location for Future Reboots

This section describes how to change the storage area that will be used for future reboots:
NOTE: The procedures in this section change the storage area selection for all
future reboots (unless you later change the selection again). If you only
need to temporarily override the storage area selection for a single
reboot, see “Temporarily Changing the Boot Image for the Next Reboot”
on page 99.
CAUTION: Each storage area has its own version of the startup-config. When you
save configuration changes, they are saved only to the startup-config in
the storage area from which the ACOS device was booted.
If you plan to reboot from a different storage area, but you want to use
the same configuration, first save the configuration to the other storage
area. The procedures in this section include a step for this.
Use the GUI to Change the Location for Future Reboots

To change the location that will be used for future reboots from the GUI:
1. Hover over System in the menu bar, then select Settings.

2. Select the Boot Image tab.
3. On the Boot Image page, select the location from which the device will be rebooted in the future.
4. Click OK.
Use the CLI to Change the Location for Future Reboots

In this example, the ACOS device was booted from the primary storage area, and will be configured to
use the secondary image area for future reboots.
1. Use show bootimage to view the current storage area being used for reboots:
ACOS# show bootimage
(* = Default)
Version
-----------------------------------------------
Hard Disk primary 4.1.0.141 (*)
page 101
Hard Disk secondary 2.6.1-GR1-P7.51

The asterisk (*) indicates that when the system is booted from the hard disk, version 4.1.0.141 will
be loaded.
2. Use the write memory command to save the configuration, then use the write memory secondary
command to copy it to the secondary storage area:
[OK]
ACOS(config)# write memory secondary
Write configuration to secondary default startup-config
[OK]
3. Use bootimage to set the secondary storage area on the SSD or hard drive for future reboots, and
verify the setting:
ACOS(config)# bootimage hd sec
Secondary image will be used if system is booted from hard disk
ACOS(config)# show bootimage
(* = Default)
Version
-----------------------------------------------
Hard Disk primary 4.1.0.141
Hard Disk secondary 2.6.1-GR1-P7.51 (*)
The asterisk (*) now indicates that the device will be booted from the secondary image on the hard
disk.
page 102
Power On Auto Provisioning
• Power On Auto Provisioning Overview
• Power On Auto Provisioning Process
• Configure Power On Auto Provisioning Process
Power On Auto Provisioning Overview

The ACOS Power On Auto Provisioning (POAP) feature offers an efficient way to automate the process
of upgrading software images or config file across many ACOS devices on the network.
Use of this feature requires a DHCP server and a TFTP server that has been pre-configured with the
proper ACOS software image and config file. The ACOS device must have access to the management
port on a DHCP server and access to the TFTP server.
Power On Auto Provisioning Process

Figure 14 shows how the POAP process works.
page 103
Configure Power On Auto Provisioning Process
FIGURE 14 Power On Auto Provisioning Process
1. The ACOS device boots and sends a broadcast request to the DHCP server.
2. The DHCP server sends a response that includes an IP address for the ACOS device, and an IP
address where the TFTP server can be reached.
3. The ACOS device attempts to locate the TFTP server at the IP address it just received from the
DHCP server by sending a request to that address.
4. The TFTP server responds to the request from the ACOS device by sending the upgrade file
(ACOS_FTA_version.upg for FTA devices, or ACOS_non_FTA_version.upg for non-FTA devices).
Once the ACOS device receives the upgrade file, it performs the following operations:
• Extracts the upgrade image and configuration file.
• Upgrades its software using the new image.
• Links to the configuration file.
• Then, the ACOS device reboots.

Below are the prerequisites before using POAP
• Create an upgrade package named “ACOS_upg.tgz”.

The package may contain one or both of the following optional files:
• Image file: “sto.tar.gz”
• Config file: “poap_startup”
page 104
• Save this upgrade package on a TFTP server that can be accessed by the ACOS device. This
package should be stored in the working directory of the TFTP server, (for example, “tftpboot”).
• To enter POAP mode, the current startup-config file on the ACOS device must be empty; if the
startup-config file is not completely empty then the POAP install will fail.
• At the end of the installation process, POAP links to the new startup-config file, which is a text
file named “poap_startup”.
NOTE: The POAP installation process does not erase an existing startup-config
file, but as a precaution, you can save an existing startup-config file by
creating a backup prior to enabling POAP.
NOTE: If the ACOS device encounters an existing file named “poap_startup” on

the ACOS device (perhaps a remnant left over from a prior attempt to
enable the feature), the POAP installation process will rename this exist-
ing file “poap_startup.original”.
POAP mode is enabled by default on vThunder virtual appliances, but the feature is disabled by default
on all physical devices. To enable POAP mode on a physical device, use the poap enable command at
the Global configuration level of the CLI.
Use the poap disable command to disable the feature.
You can use the show poap command to show the status (enabled or disabled) of POAP mode:
ACOS# show poap

POAP Mode Enabled
ACOS#
page 105
page 106
Fail-Safe Automatic Recovery
Fail-safe automatic recovery detects critical hardware and software error conditions. The feature also
automatically takes action to recover the system if any of these errors occurs, so that the ACOS device
can resume service to clients.
Fail-safe automatic recovery is disabled by default, for both hardware and software errors. You can
enable the feature for hardware errors, software errors, or both.
This chapter contains the following:
• Error Types Monitored by Automatic Recovery
• Configuring Fail-Safe Automatic Recovery
Error Types Monitored by Automatic Recovery

Fail-safe automatic recovery monitors and recovers from the following types of system error condi-
tions:
• Hardware Errors
• Software Errors
• Recovery Timeout
• Total Memory Decrease
Hardware Errors
When fail-safe monitoring is enabled for hardware errors, the following types of errors are detected:
• SSL processor stops working – Fail-safe is triggered if an SSL processor stops working.
• Compression processor stops working – Fail-safe is triggered if an HTTP compression proces-

sor stops.
• FPGA stops working – Fail-safe is triggered if either of these internal queues stops working.
If any of these types of errors occurs, the ACOS device captures diagnostic information, then reboots.
page 107
Error Types Monitored by Automatic Recovery
NOTE: Fail-safe recovery also can be triggered by a “PCI not ready” condition.
This fail-safe recovery option is enabled by default and can not be dis-
abled.
Software Errors
When fail-safe monitoring is enabled for software errors, the following types of errors are detected:
• FPGA I/O buffer shortage – The number of free (available) packet buffers is below the configured
threshold. By default, at least 512 packet buffers must be free for new data. (Monitoring for this
type of FPGA error is applicable to all ACOS device models.)
On ACOS device models that use FPGA hardware, the FPGA is logically divided into 2 domains,
which each have their own buffers. If an FPGA buffer shortage triggers fail-safe, recovery occurs
only after both domains have enough free buffers.
• Session memory shortage – The amount of system memory that must be free for new sessions
is below the configured threshold. By default, at least 30 percent of the ACOS device’s session
memory must be free for new sessions.
In VRRP-A deployments, fail-safe recovers from software errors by triggering failover to a standby
device. To trigger the failover, fail-safe enables the force-self-standby option.
NOTE: Fail-safe temporarily enables the force-self-standby option. The vrrp-a

force-self-standby command is not added to the running-config.
If VRRP-A is not enabled, fail-safe reloads the ACOS device.
Recovery Timeout
The recovery timeout is the number of minutes the ACOS device waits after detecting one of the hard-
ware or software errors above before recovering the system.
• Recovery timeout for hardware errors – By default, the ACOS device reboots as soon as it has
gathered diagnostic information. Typically, this occurs within 1 minute of detection of the error
(no timeout). You can change the recovery timeout for hardware errors to 1-1440 minutes.
• Recovery timeout for software errors – Fail-safe waits for the system to recover through normal
operation, before triggering a recovery. The default recovery timeout for software errors is 3 min-
utes. You can change it to 1-1440 minutes.
page 108
Configuring Fail-Safe Automatic Recovery
Total Memory Decrease

At device reload or reboot, the fail-safe feature provides a mechanism to check the total memory
decrease when the ACOS device boots up and loads the startup configuration. If the total memory size
has decreased, and if the size is less than the configured memory size, a message will be logged (if you
have configured the log option) or the ACOS device will shut down after logging a message (if you
have configured the kill option).
When the configured expected physical memory size is larger than the current memory size, a reboot
or log message recording the discrepancy will be triggered. The device will remain always in a “loading”
state after it reboots or reloads.

The following CLI commands configure some fail-safe settings and verify the changes.
Trigger the fail-safe recovery if the amount of free memory on your system remains below 30% long
enough for the recovery timeout to occur:
ACOS(config)# fail-safe session-memory-recovery-threshold 30
Trigger the fail-safe recovery if the number of free (available) FPGA buffers drops below 2 long enough
for the recovery timeout to occur:
ACOS(config)# fail-safe fpga-buff-recovery-threshold 2
Trigger the fail-safe recovery if a software error remains in effect for longer than 3 mimutes:
ACOS(config)# fail-safe sw-error-recovery-timeout 3
Verify the configuration:
ACOS(config)# show fail-safe config

fail-safe session-memory-recovery-threshold 30
fail-safe fpga-buff-recovery-threshold 2
fail-safe sw-error-recovery-timeout 3
The show fail-safe command output differs between models that use FPGAs in hardware and models
that do not. The following command shows fail-safe settings and statistics on an ACOS device model
that uses FPGAs in hardware:
ACOS(config)# show fail-safe information

Total Session Memory (2M blocks): 1012
page 109
Free Session Memory (2M blocks): 1010

Session Memory Recovery Threshold (2M blocks): 809
Total Configured FPGA Buffers (# of buffers): 4194304
Free FPGA Buffers in Domain 1 (# of buffers): 507787
Free FPGA Buffers in Domain 2 (# of buffers): 508078
Total Free FPGA Buffers (# of buffers): 1015865
FPGA Buffer Recovery Threshold (# of buffers): 256
Total System Memory (Bytes): 2020413440
Table 4 describes the fields in the command output.
TABLE 4 show fail-safe information fields (FPGA models)

Field Description
Total Session Memory Total amount of the ACOS device’s memory that is allocated for session
processing.
Free Session Memory Amount of the ACOS device’s session memory that is free for new ses-
sions.
Session Memory Recovery Minimum percentage of session memory that must be free before fail-
Threshold safe occurs.
Total Configured FPGA Buffers Total number of configured FPGA buffers the ACOS device has. These
buffers are allocated when the ACOS device is booted. This number does
not change during system operation.
The FPGA device is logically divided into 2 domains, which each have
their own buffers. The next two counters are for these logical FPGA
domains.
Free FPGA Buffers in Domain 1 Number of FPGA buffers in Domain 1 that are currently free for new data.
Free FPGA Buffers in Domain 2 Number of FPGA buffers in Domain 2 that are currently free for new data.
Total Free FPGA Buffers Total number of free FPGA buffers in both FPGA domains.
FPGA Buffer Recovery Threshold Minimum number of packet buffers that must be free before fail-safe
occurs.
Total System Memory Total size the ACOS device’s system memory.
The following command shows fail-safe settings and statistics on an ACOS device model that does not
use FPGAs in hardware. (The FPGA buffer is an I/O buffer instead.)
ACOS(config)# show fail-safe information

Total Session Memory (2M blocks): 1018
Free Session Memory (2M blocks): 1017
Session Memory Recovery Threshold (2M blocks): 305
Total Configured FPGA Buffers (# of buffers): 2097152
Free FPGA Buffers (# of buffers): 2008322
FPGA Buffer Recovery Threshold (# of buffers): 1280
Total System Memory (Bytes): 4205674496
page 110
Table 5 describes the fields in the command output.
TABLE 5 show fail-safe information fields (non-FPGA models)

Field Description
Total Session Memory Total amount of the ACOS device’s memory that is allocated for session
processing.
Free Session Memory Amount of the ACOS device’s session memory that is free for new ses-
sions.
Session Memory Recovery Minimum percentage of session memory that must be free before fail-
Threshold safe occurs.
Total Configured FPGA Buffers Total number of configured FPGA buffers the ACOS device has. These
buffers are allocated when the ACOS device is booted. This number does
not change during system operation.
Free FPGA Buffers Number of FPGA that are free for new data.
FPGA Buffer Recovery Threshold Minimum number of packet buffers that must be free before fail-safe
occurs.
Total System Memory Total size the ACOS device’s system memory.
Example of Fail-safe for Total Memory Decrease
In the following example, the fail-safe feature will be triggered when the total memory size is less than 5
GB. When this happens, this event will be logged:
ACOS(config)# fail-safe total-memory-size-check 5 log
The following example helps you decipher if you have a problem with your system memory.
Use the show version command to see the current memory size of your system. The current memory
is shown as highlighted:
ACOS# show version

AX Series Advanced Traffic Manager AX1030
protected by one or more of the following US patents:
8918857, 8914871, 8904512, 8897154, 8868765, 8849938, 8826372, 8813180
8782751, 8782221, 8595819, 8595791, 8595383, 8584199, 8464333, 8423676
8387128, 8332925, 8312507, 8291487, 8266235, 8151322, 8079077, 7979585
7804956, 7716378, 7665138, 7647635, 7627672, 7596695, 7577833, 7552126
7392241, 7236491, 7139267, 6748084, 6658114, 6535516, 6363075, 6324286
5931914, 5875185, RE44701, 8392563, 8103770, 7831712, 7606912, 7346695
7287084, 6970933, 6473802, 6374300
64-bit Advanced Core OS (ACOS) version 4.1.0, build 182 (Sep-21-2015,05:20)

Booted from Hard Disk primary image
page 111
Serial Number: AX10B33012260039

aFleX version: 2.0.0
aXAPI version: 3.0
Hard Disk primary image (default) version 4.1.0, build 182
Hard Disk secondary image version 2.7.2-P4-SP1, build 2
Compact Flash primary image (default) version 2.6.1-GR1, build 107
Last configuration saved at Oct-2-2015, 06:37
Hardware: 8 CPUs(Stepping 7), Single 39G Hard disk
Memory 18155 Mbyte, Free Memory 12551 Mbyte
Hardware Manufacturing Code: 122600
Current time is Oct-8-2015, 19:11
The system has been up 17 days, 0 hour, 12 minutes
The current system memory is shown as 12G. In case you configure the fail-safe memory monitoring
to be 5G, as shown below, your system will continue to operate normally, since 5G of memory is less
than the 12G of memory that your device has at its disposal:
ACOS(config)# fail-safe total-memory-size-check 5 kill
However, if you use the above command and configure a memory size of 14G (and you save your con-
figuration by issuing the write memory command) since 14G exceeds your current device memory size
of 12G, your device will experience a problem. When the device reloads, the fail-safe mechanism will be
triggered, traffic will be stopped, and the device will be shut down. The abnormal state of the device will
be evident in the following log message:
[SYSTEM]:Current memory size 12G, less than monitor number 14G. Please check memory.
To correct this issue, use the fail-safe total-memory-check size kill command and specify a mem-
ory size that is less than or equal to the current memory size. The next time your device reloads, it will
operate normally.
page 112
Installing the Systems Center Virtual Machine

Manager Gateway Plugin
This chapter describes how to install the A10 SCVMM (Systems Center Virtual Machine Manager)
Gateway plugin.
This procedure adds a gateway to the resources in VMM.
The following sections are included in this chapter:
• Prerequisites
• Installing the Gateway Plugin
• Configuring the A10 Networks Overlay Gateway Interface in the VMM
Prerequisites
Before you begin, ensure that your system meets the requirements described in this section.
• Windows Server 2012 R2
For more information, go to:

http://technet.microsoft.com/en-us/library/hh801901.aspx
• .NET Framework 4.0 or higher
For more information, go to:

http://www.microsoft.com/en-us/download/details.aspx?id=22
• SCVMM 2012 R2
To install SCVMM 2012 R2:

• Visit the VMM main page at the following location:
http://technet.microsoft.com/en-us/library/gg610610.aspx
• To download an evaluation version of SCVMM 2012 R2, go to:
http://technet.microsoft.com/en-US/evalcenter/hh505660.aspx?wt.mc_id=TEC_103_1_33
• For installation instructions, go to:
page 113
Installing the Gateway Plugin
• An ACOS device with version 2.7.2 installed.
Installing the Gateway Plugin

This section describes how to install the A10 Network SCVMM Gateway Plugin.
1. Launch the SCVMM Gateway installer.

Click Next to navigate your way through the screens until the installation is complete.
2. Restart the System Center Virtual Machine Manager service.
From a Windows command prompt or PowerShell window, run the net stop scvmmservice and
net start scvmmservice commands.
After the restart is complete, the A10 Networks Gateway provider is visible in configuration provider
windows.
Configuring the A10 Networks Overlay Gateway Interface

in the VMM
Follow the instruction in this section to add the gateway for A10 Networks:
page 114
Configuring the A10 Networks Overlay Gateway Interface in the VMM
NOTE: Additional instructions for this procedure can be found at http://tech-

net.microsoft.com/en-us/library/dn249416.aspx.
• Verifying Configuration Prerequisites
• Configuring the A10 Networks Gateway
Verifying Configuration Prerequisites

Verify that your network configuration meets the requirements described in this section.
1. Verify the configuration requirements on your system, in accordance with the documentation at
this location:
http://technet.microsoft.com/en-us/library/e73bfafa-6b57-4a5b-9f15-1cf9befa082b#BKMK_gate-
ways
2. Configure the logical network that will be the foundation for the VM network that will use the gate-
way, and ensure that network virtualization is enabled on the logical network.
3. Create an IP address pool on the logical network, and ensure that the pool includes the address
that you intend to use on the gateway provider IP.
4. Ensure that the gateway is configured with an IP address that is in the IP address pool that you
created. Make a note of the IP address so that you can specify it when you use the following proce-
dure to add the gateway to VMM.
Refer to the following for additional network resource information:
• Configuring Networking in VMM
• Configuring Logical Network in VMM Overview
http://technet.microsoft.com/en-us/library/jj721568.aspx
• How to Create a Logical Network in VMM
Configuring the A10 Networks Gateway

Follow the instructions in this section to add the gateway.
1. Open the Fabric workspace in VMM.

2. In SCVMM, right-click Network Service and select Add Network Service.
page 115
The Add Gateway Wizard opens.
page 116
On this screen:
a. On the Name page, enter a name and optional description for the gateway, then click Next .
b. On the Manufacturer and Model page, in the Manufacturer list, select A10 Networks, and in
the Model list, select a model, then click Next.
c. On the Credentials page, select the account you want to use for the ACOS device:
• Select an existing account (click Browse, then click Select a Run As Account and select
an account)
• Create a new account (click Create Run As Account) and specify the username and pass-
word for the account.
• Click Next when you are finished.
d. On the Connection String page, specify the connection string in the following format.
IPAddress=ip-address;VTEPPartitionName=vtep-partition-name;InstanceName=instance-
name;[UnderlayEthernet=gateway-ethernet-index;][UnderlayVirtualEthernet=gateway-virtual-ether-
net-index;][LifSubnet=lif-subnet;][WriteMemory=False;]
TABLE 6 Connection String Parameters

Parameter Description
ip-address IP address on the A10 device providing the Overlay Gateway functionality.
vtep-partition-name Overlay tunnel VTEP partition name of the gateway; this partition must be
configured before you reach this point in the process.
instance-name Unique identifier for this instance in the SCVMM.
gateway-ethernet-index Optional parameter indicating the index of the gateway ethernet interface.
This interface must be properly configured before you reach this point in the
procedure.
gateway-virtual-ethernet-index Optional parameter indicating the index of the gateway virtual ethernet inter-
face.
This interface must be properly configured before you reach this point in the
procedure.
lif-subnet The subnet in which the LIF will be configured. Any subnet is valid as long as
there is no conflict with the VM subnets. By default, the second IP of that sub-
net is chosen as the IP of the lif interface which serves as the gateway inter-
face for the overlay (VM) network.
WriteMemory=False This parameter causes the gateway plugin to save the config to disk on the
ACOS device. Setting it to false will disable saving the config to disk.
Below is an example:
IPAddress=192.168.105.198;InstanceName=GW0001;VTEPPartitionName=shared;UnderlayEther‐
net=1;LifSubnet=51.51.54.0/24;WriteMemory=False;
page 117
e. On the Provider page, in the Configuration provider list, select an available provider, click
Test to run basic validation against the gateway using the selected provider, then click Next.
f. On the Host Group page, select the host group for which you want this network service to be
available, then click Next.
g. On the Summary page, review and confirm the settings, then click Finish.
The gateway will be added in SCVMM.
h. After the gateway is added, find the listing for the gateway under Network Services, right-click
the listing, select Properties, then select Connectivity, and:
• Select Enable front end connection, and then select the gateway network adapter and
the network site that provide connectivity outside the hosting-provider or enterprise data
center. the network site must have a static IP address pool.
• Select Enable back end connection, and then select a gateway network adapter and net-
work site in a logical network within the hosting-provider or enterprise data center. The logi-
cal network must have Hyper-V network virtualization enabled. Also, the network site must
have a static IP address pool.
page 118
Verifying the Configuration

To verify the configuration, click the Test button on the Provider page.
page 119
In the Result column, look for “Implemented” or “Passed” to verify that the specified portion of the con-
figuration is operating correctly.
page 120
Part III
Monitoring Tools
This section describes monitoring tools for ACOS devices.
The ACOS device can send alerts to administrators through the following methods:
• “System Log Messages” on page 123

• “Emailing Log Messages” on page 131
• “Simple Network Management Protocol (SNMP)” on page 135
In order to monitor the health of the network and its nodes, you can implement the following monitoring
tools:
• “Link Monitoring” on page 155

• “Gateway Health Monitoring” on page 159
• “Multiple Port-Monitoring Mirror Ports” on page 163
• “NetFlow v9 and v10(IPFIX)” on page 167
• “sFlow” on page 183
For information about monitoring network components in SLB configurations, see the Application
Delivery and Server Load Balancing Guide.
System Log Messages
The ACOS device logs system events with system log (Syslog) messages.
• Destinations for Syslog Messages
• Syslog Message Severity Levels
• Configurable Syslog Parameters
• Configure Single-Priority Logging
• Configure Log Rate Limiting
Destinations for Syslog Messages

The ACOS device can send Syslog messages to the following places:
• Local buffer (default level: Debugging - 7)
• Console CLI session (default level: Error - 3)
• Console SSH and Telnet sessions
• External Syslog server
• Syslog server in another partition
• Email address(es)
• SNMP servers (for events that are logged by SNMP traps)
Logging to the local buffer and to CLI sessions is enabled by default. Logging to other places requires
additional configuration.
page 123
Syslog Message Severity Levels
Syslog Message Severity Levels

The standard Syslog message severity levels are supported:
• Emergency – 0
• Alert – 1
• Critical – 2
• Error – 3
• Warning – 4
• Notification – 5
• Information – 6
• Debugging – 7
Configurable Syslog Parameters

Table 7 lists the configurable Syslog parameters.
TABLE 7 Configurable System Log Settings

Parameter Description Supported Values
Disposition Output options for each message level. For each The following message levels can be
message level, you can select which of the follow- individually selected for each output
(message tar- ing output options to enable: option:
get)
• Console – Messages are displayed in Console • Emergency (0)
sessions. • Alert (1)
• Buffered – Messages are stored in the system • Critical (2)
log buffer.
• Error (3)
• Email – Messages are sent to the email
addresses in the Email To list. (See below.) • Warning (4)
• SNMP – SNMP traps are generated and sent to • Notification (5)
the SNMP receivers. • Information (6)
• Syslog – Messages are sent to the external log • Debug (7)
servers specified in the Log Server fields. (See
below.) Only Emergency, Alert, and Critical
• Monitor – Messages are displayed in Telnet and can be selected for SNMP.
SSH sessions.
Only Emergency, Alert, Critical, and
Note: For information about emailing log messages, Notification can be selected for
see “Emailing Log Messages” on page 131. Email.
page 124
Configurable Syslog Parameters
TABLE 7 Configurable System Log Settings (Continued)

Logging Email Settings for sending log messages by email. See “Emailing Log Messages” on
Filter page 131.
Logging Email
Buffer Number
Logging Email
Buffer Time
Facility Standard Syslog facility to use. Standard Syslog facilities listed in
RFC 3164.
Log Buffer Maximum number of log entries the log buffer can 10000 to 50000 entries
Entries store.
Default: 30000
Log Server/ IP addresses or fully-qualified domain names of Any valid IP address or fully-qualified
Host external log servers. domain name.
Only the message levels for which Syslog is Default: None configured
selected in the Disposition list are sent to log serv-
ers.
Note: By default, the ACOS device can reach remote

log servers only if they are reachable through the
ACOS device’s data ports, not the management
port. To enable the ACOS device to reach remote
log servers through the management port, see
“Source Interface for Management Traffic” on
page 83.
Log Server Port Protocol port to which log messages sent to exter- Any valid protocol port number
nal log servers are addressed.
Default: 514
Email To Email addresses to which to send log messages. Valid email address. Click the down
arrow next to the input field to add
Only the message levels for which Email is selected another address (up to 10).
in the Disposition list are sent to log servers.
Each email address can be a maxi-
mum of 31 characters long.
SMTP Server IP address or fully-qualified domain name of an Any valid IP address or fully-qualified
email server using Simple Message Transfer Proto- domain name.
col.
Default: None configured
Note: By default, the ACOS device can reach SMTP
servers only if they are reachable through the ACOS
device’s data ports, not the management port. To
enable the ACOS device to reach SMTP servers
through the management port, see “Source Inter-
face for Management Traffic” on page 83.
SMTP Server Protocol port to which email messages sent to the Any valid protocol port number
Port SMTP server are addressed.
Default: 25
page 125
Configure Single-Priority Logging
TABLE 7 Configurable System Log Settings (Continued)

Mail From Specifies the email From address. Valid email address
Default: Not set

Need Authenti- Specifies whether access to the SMTP server Selected (enabled) or unselected
cation requires authentication. (disabled)
Default: disabled
Username Username required for access to the SMTP server. Valid username
Default: Not set

Password Password required for access to the SMTP server. Valid password
Default: Not set
Configure Single-Priority Logging

Single-priority logging allows you to identify one specific severity level to be logged from among the
standard syslog message severity levels (See “Syslog Message Severity Levels” on page 124).
This allows you to remove excess data so that you can see a desired subset of log messages at your
target severity level.
In prior releases, when you specify a severity level to be logged, the selected level becomes the “base-
ment level”, or the most trivial level that will appear along with the more important messages. For
example, if you specify level 3 (error), you would also get severities 2, 1, and 0, but 3 would be the most
trivial severity level to be included in the log messages.
Prior releases did not offer a way for you to single out a particular subset of log messages at a singular
severity level; for example, there was no way to display severity level 5 log messages without also see-
ing messages from severity levels 4–0.
Single-priority logging offers more granular control of syslog messages.
To configure single-priority logging, use the logging single-priority command. The following exam-
ple logs only error (level 3) messages:
ACOS(config)# logging single-priority error
page 126
Configure Log Rate Limiting

The ACOS device uses a log rate limiting mechanism to ensure against overflow of external log servers
and the internal logging buffer.
The rate limit for external logging is 15,000 messages per second from the device.
The rate limit for internal logging is 32 messages per second from the device.
• If the number of new messages within a one-second interval exceeds 32, then during the next
one-second interval, the ACOS device sends log messages only to the external log servers.
• If the number of new messages generated within the new one-second interval is 32 or less, then
during the following one-second interval, the ACOS device will again send messages to the local
logging buffer as well as the external log server. In any case, all messages (up to 15,000 per sec-
ond) get sent to the external log servers.
Configuring Log Rate Limiting Using the GUI

To configure log rate limiting using the GUI:
1. Hover over System in the navigation bar, and select Settings.

2. Click Logging on the menu bar.
3. Change settings as needed. (For descriptions of the settings, see Table 7 on page 124.)
4. Click OK.
Configuring Log Rate Limiting Using the CLI

Use the logging command to configure log rate limiting using the CLI.
For example, to change the severity level of messages logged in the local buffer to “warning” (level 4):
ACOS(config)# logging buffered warning
Replace buffered with a different destination, as desired (see “Destinations for Syslog Messages” on
page 123).
NOTE: Only severity levels emergency, alert, critical, and notification can be
sent by email. Sending log messages by email requires additional config-
uration. See “Emailing Log Messages” on page 131.
To configure the ACOS device to send log messages to an external Syslog server, use the logging host
command to specify the server:
page 127
ACOS(config)# logging host 20.20.10.8
Specifying Multiple Syslog Servers
To specify multiple server names or IP addresses, use multiple commands. The following example con-
figures 20.20.10.8, 30.30.10.5, and “loghost1” as syslog servers:

ACOS(config)# logging host loghost1
Specifying Protocol Ports
You can also specify a protocol port. The default port is 514. If you specify multiple servers, then all
servers specified must use the same protocol port to listen for syslog messages; you can only specify
one protocol port per command.
The following example configures 20.20.10.8 and 30.30.10.5 as syslog servers listening on port 515,
and 40.40.5.9 as a syslog server listening on port 517:
ACOS(config)# logging host 20.20.10.8 port 515

Sending Log Messages to a Server in Another Partition
The following example configures a a log server in the shared partition:
The following commands configured a logging server 45.3.2.1 in partition LOG1, and also sends log-
ging information to the shared partition:
ACOS[LOG1](config)# logging host 45.3.2.1

ACOS[LOG1](config)# logging host partition shared
In partition LOG2, a third syslog server 46.3.2.1 is configured, and log messages are sent to the syslog
server configured in partition LOG1:
ACOS[LOG2](config)# logging host 46.3.2.1

ACOS[LOG2](config)# logging host partition LOG1
page 128
Sending Log Messages by Email
To configure the ACOS device to send log messages by email, use the following commands to specify
the email server and the email addresses:
ACOS(config)# smtp 10.10.10.5

ACOS(config)# logging [email protected]
The smtp command specifies the mail server. By default, it uses port 25 to send email. You can custom-
ize this with the optional port parameter.
To send event messages to an external SNMP server, see “Simple Network Management Protocol
(SNMP)” on page 135.
page 129
page 130
Emailing Log Messages
• Overview of Email Logging
• Boolean Operators
• Configuring Email Log Settings
Overview of Email Logging

You can configure the ACOS device to email log messages, using email log filters. By default, emailing
of log messages is disabled.
Log email filters consist of the following parameters:
• Filter ID – Filter number, 1-8.
• Conditions – One or more of the following:
• Severity – Severity levels of messages to send in email. If you do not specify a message level,
messages of any severity level match the filter and can be emailed.
• Software Module – Software modules for which to email messages. Messages are emailed
only if they come from one of the specified software modules. If you do not specify a software
module, messages from all modules match the filter and can be emailed.
• Regular Expression (Patterns and Operators) – Message text to match on. Standard regular
expression syntax is supported. Only messages that meet the criteria of the regular expression
can be emailed. The regular expression can be a simple text string or a more complex expres-
sion using standard regular expression logic. If you do not specify a regular expression, mes-
sages with any text match the filter and can be emailed.
The operators (AND, OR, NOT) specify how the conditions should be compared. (See Boolean
OperatorsBoolean Operators““Boolean Operators” on page 131”.)
• Trigger option – Specifies whether to buffer matching messages or send them immediately.
Boolean Operators
A logging email filter consists of a set of conditions joined by Boolean expressions (AND / OR / NOT).
page 131
Configuring Email Log Settings
The CLI Boolean expression syntax is based on Reverse Polish Notation (also called Postfix Notation),
a notation method that places an operator (AND, OR, NOT) after all of its operands (in this case, the
conditions list).
After listing all the conditions, specify the Boolean operator(s). The following operators are supported:
• AND – All conditions must match in order for a log message to be emailed.
• OR – Any one or more of the conditions must match in order for a log message to be emailed.
• NOT – A log message is emailed only if it does not match the conditions
(For more information about Reverse Polish Notation, see the following link: http://en.wikipedia.org/
wiki/Reverse_Polish_notation.)

• Use the GUI to Configure Email Logging Settings
• Use the CLI to Configure Email Logging Settings
Use the GUI to Configure Email Logging Settings

To configure Email logging settings in the GUI:
1. Hover over System in the navigation bar, and click Settings.

2. Click Logging in the menu bar.
3. In the Level field, select the log level you want to enable.
4. The Buffer field contains two optional configuration choices:
a. To change the maximum number of log messages to buffer before sending them in email, edit
the number in the field on the left. You can specify 16-256 messages. The default is 50.
b. To change the number of minutes the ACOS device waits before sending all buffered mes-
sages, edit the number in the field on the right. This option takes effect if the buffer does not
reach the maximum number of messages allowed. You can specify 10-1440 minutes. The
default is 10.
5. In the Email Addresses field, specify the Email addresses to which the log files will be sent.
6. In the Filters section:
a. Specify a filter ID (1-8) and regular expression filter in the Filter section.
page 132
b. To immediately send matching messages in an email instead of buffering them, select Trigger.
Otherwise, matching messages are buffered until the message buffer becomes full or the send
timer for emailed log messages expires.
c. Click Save Filter.
d. Repeat the process if you want to create multiple filters.
7. When finished configuring log settings, click the OK button at the bottom of the page.
Use the CLI to Configure Email Logging Settings

This section contains CLI examples of Email logging configuration.
The following command configures the ACOS device to buffer log messages to be emailed. Messages
will be emailed only when the buffer reaches 32 messages, or 30 minutes passes since the previous
log message email, whichever happens first.
ACOS(config)# logging email buffer number 32 time 30
The following command resets the buffer settings to their default values.
ACOS(config)# no logging email buffer number time
The following command configures a filter that matches on log messages if they are information-level
messages and contain the string “abc”. The trigger option is not used, so the messages will be buff-
ered rather than emailed immediately.
ACOS(config)# logging email filter 1 level information pattern "abc" and
The following command reconfigures the filter to immediately email matching messages.
ACOS(config)# logging email filter 1 level information pattern "abc" and trigger
page 133
page 134
Simple Network Management Protocol (SNMP)
This chapter describes how to enable SNMP to monitor and manage your network.
• SNMP MIB Information
• SNMP Support on the ACOS Device
• Partition-aware SNMP Configuration
• SNMP Views and Community Strings
• Configure SNMP Groups
• Configure AES or DES Encryption for SNMPv3 Users
• Configure SNMP Traps
• Configure SNMP
• Configure the Source Interface for SNMP Notifications
SNMP MIB Information

• Downloading the MIBs
• AX MIB Groups
• AX MIB Files
• MIB Access
• SNMP RFCs supported
• Note Regarding ifIndex Table Support
Downloading the MIBs

The MIB files are available for download through the GUI:
page 135
1. Hover over System on the menu bar, then select Monitoring.

2. Click on the SNMP tab, then select SNMP MIB Download from the drop-down menu.
3. Select a target location for the MIB archive file, then click Save.
AX MIB Groups
The AX MIB consists of the groups described as follows:
TABLE 8 AX MIB Groups

Group Description
axSystem Provides system-level information about the ACOS device, such as the
installed software versions, the serial number, and current CPU utili-
zation.
axLogging Provides configuration information about system logging.
axApp Provides configuration and operational information for ACOS device fea-
tures.
AX MIB Files
The AX MIB consists of the files described as follows::
TABLE 9 AX MIB Files

File Description
A10-COMMON-MIB.txt Contains common MIB definitions for A10 Networks®, including the A10
enterprise object identifier (OID) and the OIDs for all A10 products.
A10-AX-MIB.txt Contains ACOS device MIB definitions, including the SNMP notification
node.
A10-AX-CGN-MIB.txt Contains MIB definitions for CGN-related objects.
A10-AX-CGN-NOTIF-V2C.txt Contains SNMPv2c trap definitions for CGN-related objects.
A10-AX-CGN-TRAP-V1.txt Contains SNMPv1 trap definitions for CGN-related objects.
A10-AX-NOTIFICATIONS- Contains SNMPv2c trap definitions for the ACOS device.
V2C.txt
A10-AX-TRAPS-V1.txt Contains SNMPv1 trap definitions for the ACOS device.
The first three files are required; the other files that should be used depend on your SNMP version (v1 or
v2c).
If you are using an SNMPv2c manager, use the following MIB files:
• A10-COMMON-MIB.txt
• A10-AX-MIB.txt
• A10-AX-CGN-MIB.txt
page 136
• A10-AX-CGN-NOTIF-V2C.txt
• A10-AX-NOTIFICATIONS-V2C.txt
Or, if you are using an SNMPv1 manager, use the following MIB files:
• A10-COMMON-MIB.txt
• A10-AX-MIB.txt
• A10-AX-CGN-MIB.txt
• A10-AX-CGN-TRAP-V1.txt
• A10-AX-TRAPS-V1.txt
MIB Access
SNMP access to the ACOS device is read-only. You can use SNMP managers to retrieve information
using GET or GET NEXT requests. SET requests are not supported.
To enable SNMP traps from the CLI, use the snmp-server enable traps command.
The following example enables system start traps:
ACOS(config)# snmp-server enable traps system start
For more information about the SNMP CLI commands, see the Command Line Interface Reference.
SNMP RFCs supported

The ACOS device supports the SNMP-related RFCs described as follows:
TABLE 10Supported SNMP-related RFCs

RFC Description and Notes
RFC 1155 Structure and Identification of Management Information for TCP/IP-based Networks.
RFC 1157 A Simple Network Management Protocol (SNMP).
RFC 1212 Concise MIB Definitions: the MIB SET operation is not supported.
page 137

RFC 1213 Management Information Base for Network Management of TCP/IP-based Networks: MIB-II.
The following system objects are supported:
• sysDescr
• sysObjectID
• sysUpTime
• sysContact
• sysName
• sysLocation
• sysServices
The sysService object returns a value that indicates the set of services the ACOS device offers.
For the ACOS device, the sysService object always returns the value 76. This value indicates
that the ACOS device offers the following services (for information about how this value is cal-
culated, refer to the RFC):
• datalink/subnetwork – 0x2
• internet – 0x4
• end-to-end – 0x8
• applications – 0x40
The following interfaces on MIB-II are supported:
• ifNumber
• ifTable
The ipAddrTable on MIB-II are also supported.

RFC 1215 A Convention for Defining Traps for use with the SNMP.
RFC 1850 OSPF Version 2 Management Information Base.
RFC 1901 Introduction to Community-based SNMPv2.
RFC 2233 The Interfaces Group MIB using SMIv2. The ifXTable table is supported.
RFC 2465 Management Information Base for IP Version 6: Textual Conventions and General Group. The
ipv6AddrTable on MIB-II is supported.
RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network
Management Framework.
RFC 2578 Structure of Management Information Version 2 (SMIv2).
RFC 2790 Host Resources MIB. The following subtrees are supported:
• hrSystem: .1.3.6.1.2.1.25.1
• hrStorage: .1.3.6.1.2.1.25.2
• hrDeviceTable: .1.3.6.1.2.1.25.3.2
• hrProcessorTable: .1.3.6.1.2.1.25.3.3
RFC 2863 The Interfaces Group MIB. The following table is supported:
• ifXTable: .1.3.6.1.2.1.31.1.1
page 138

RFC 3418 Physical Topology MIB. The following objects are supported:
• lldpV2PortConfigTable
• lldpV2DestAddrTable
• lldpV2LocPortTable
• lldpV2LocManAddrTable
• lldpV2RemTable
• lldpV2RemManAddrTable
• lldpV2LocChassisIdSubtype
• lldpV2LocChassisId
• lldpV2LocSysName
• lldpV2LocSysDesc
• lldpV2LocSysCapSupported
• lldpV2LocSysCapEnabled
RFC 3410 Introduction and Applicability Statements for Internet Standard Management Framework.
RFC 3411 An Architecture for Describing Simple Network Management Protocol (SNMP) Management
Frameworks.
RFC 3412 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP).
RFC 3413 Simple Network Management Protocol (SNMP) Applications.
RFC 3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol
(SNMPv3).
RFC 3415 View-based Access Control Model (VACM) for the Simple Network Management Protocol
(SNMP).
RFC 3416 Version 2 of Protocol Operations for the SNMP.
RFC 3418 MIB for the SNMP.
RFC 3635 Definitions of Managed Objects for the Ethernet-like Interface Types
RFC 4001 Textual Conventions for Internet Network Addresses. The following values for IP address type
are supported:
• 0 - Unknown
• 1 - IPv4
• 2 - IPv6
RFC 4273 Definitions of Managed Objects for BGP-4. The following traps are supported:
• bgpEstablishedNotification
• bgpBackwardTransNotification
RFC 4293 Management Information Base for the Internet Protocol. The following tables are supported:
• Ipv4InterfaceTable
• Ipv6InterfaceTable
• IpAddrTable
• Ipv6AddrTable
page 139
SNMP Support on the ACOS Device
Note Regarding ifIndex Table Support

The ifInUnknownProtos and ifOutLen objects in the ifIndex table are not implemented on AX inter-
faces and always return value 0. Likewise, the ifSpecific object is not present and always returns
“0.0”.
SNMP Support on the ACOS Device

ACOS devices support the following SNMP versions: v1, v2c, v3. SNMP is disabled by default.
You can configure the ACOS device to send SNMP traps to the Syslog and to external trap receivers.
You also can configure read (GET) access to SNMP Management Information Base (MIB) objects on
the ACOS device by external SNMP managers.
NOTE: SNMP access to the ACOS device is read-only. SET operations (write
access) are not supported.
The following list of items clarifies the current implementation of SNMP:
• Limit the number of SNMP polling requests to two or three instances. Several concurrent “snmp-
walk” requests, will result in delays, unfinished requests, time out, or error messages.
• Certain SNMP objects, such as the “CPU Per Partition” value, might not work in the current
release.
• Since the ACOS device generates the SNMP community string for private partitions, you are not
allowed to configure or change the community string.
• The SNMP process may consume 100% of the Control CPU cycles.
Partition-aware SNMP Configuration

SNMP is enhanced to support the configuration of SNMP on private partitions. Such configuration will
be partition-aware and only applied to the partition being configured.
When SNMP is disabled in the shared partition, no configuration change is required in any L3V partition.
From the shared partition, the ACOS device will not get SNMP responses nor see any L3V traps.
With this enhancement, user can get SNMP response and traps of a L3V partition through shared VLAN
interfaces. Traps in the L3V partition uses different community strings.
page 140
SNMP Views and Community Strings
To enable L3V partition traps, SNMP service and community string on L3V partition must be config-
ured. The enabling/disabling of traps in L3V partition can only be done on the group level, and not on
individual trap level.
Since the community string on the L3V partition is configured and encrypted, there is no auto-gener-
ated community string on the L3V partition.
Prerequisites
• To support SNMP request and traps in L3V partition, SNMP must be enabled in the L3V partition.
• L3V partition SNMP cannot be enabled if SNMP is not enabled in the shared partition.
• To enabled L3V partition traps, SNMP service and community string on the L3V partition must be
configured.
Known Limitations
• SNMP get request can only be SNMPv2 on L3V partitions.
• SNMP traps will be only snmp-v2 traps.
• SNMP get request with share_community_string@part_name is not supported.
• SNMP configuration of GSLB group traps is not supported on L3V partitions.

You can allow external SNMP managers to access the values of MIB objects from the ACOS device. To
allow remote read-only access to ACOS MIB objects, configure one or both of the following types of
access:
• SNMP Views
• SNMP Community Strings
SNMP Views
An SNMP view is like a filter that permits or denies access to a specific OID or portions of an OID. You
can configure SNMP user groups and individual SNMP users, and allow or disallow them to read spe-
cific portions of the ACOS MIBs using different views.
When you configure an SNMP user group or user, you specify the SNMP version. SNMP v1 and v2c do
not support authentication or encryption of SNMP packets. SNMPv3 does. You can enable authentica-
tion, encryption, or both, on an individual SNMP user-group basis when you configure the groups. You
page 141
can specify the authentication method and the password for individual SNMP users when you config-
ure the users.
Use the GUI to Configure SNMP Views

To configure an SNMP view using the GUI:
1. Hover over System in the menu bar, then select Monitoring.

2. Select SNMP, then select SNMP Views from the drop-down menu.
3. Click Create.
4. Enter a name for the view in the Viewname field.
5. Enter the MIB view family name or OID in the Oid field, then specify whether this OID should be
included or excluded in the view.
6. Click Create.
Use the CLI to Configure SNMP Views

Use the snmp-server view command to configure an SNMP view from the CLI. The following example
creates a view called “exampleview” which includes OID 1.2.3:
ACOS(config)# snmp-server view exampleview 1.2.3 included
SNMP Community Strings

An SNMP community string is a string that an SNMP manager can present to the ACOS device when
requesting MIB values.
Community strings are similar to passwords. You can minimize security risk by applying the same prin-
ciples to selecting a community name as you would to selecting a password. Use a hard-to-guess
string and avoid use of commonly used community names such as “public” or “private”.
You also can restrict access to specific Object IDs (OIDs) within the MIB, on an individual community
basis. OIDs indicate the position of a set of MIB objects in the global MIB tree. The OID for A10 Net-
works Thunder Series objects is 1.3.6.1.4.1.22610.
Use the GUI to Configure an SNMP Community String

To configure an SNMP community string using the GUI:
1. Hover over System, then select Monitoring.

2. Select the SNMP tab, then select SNMP from the drop-down menu.
page 142
3. Enter the community string in the Community Read field, then click Add.
4. Click Configure SNMP.
Use the CLI to Configure an SNMP Community String

This section contains the following examples:
• CLI Example—Configure a Community String for SNMPv1 or SNMPv2c Users
• CLI Example—Configure a Community String for SNMPv3 Users
• CLI Example—Restrict Access to Specific Remote Hosts
• CLI Example—Restrict Access to Specific OIDs
CLI Example—Configure a Community String for SNMPv1 or SNMPv2c Users
The following example shows how to configure an SNMP community string using the CLI for SNMPv1
or SNMPv2c users:
ACOS(config)# snmp-server SNMPv1-v2c user u1

ACOS(config-user:u1)# community read examplestring
ACOS(config-user:u1)# show running-config | sec snmp
snmp-server enable service
snmp-server enable traps all
snmp-server SNMPv1-v2c user u1
community read encrypted mGXzd9xrcGiMBaDQuY/jnDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjL-
jV2wDn
snmp-server host 10.6.7.22 version v2c public
Note that the community string is encrypted in the show running-config output for security purposes.
Each SNMP v1-v2c user has a community string. You can change the value of this string by using the
community read command and entering a new community string.
The user name u1 is a system-specific name and cannot be used to retrieve any SNMP data. Instead,
the encrypted community string configured under this user should be used to retrieve data. This com-
munity string can also be used by any remote host to access the ACOS device, assuming there are no
access restrictions configured.
CLI Example—Configure a Community String for SNMPv3 Users
The following example shows how to configure an SNMP community string for SNMPv3 users. An
SNMP view and group must be configured prior to configuring the SNMPv3 user.

ACOS(config)# snmp-server group examplegroup v3 auth read exampleview
ACOS(config)# snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 example-
page 143
Configure SNMP Groups
password1 priv aes examplepassword2

ACOS(config)# show running-config | sec snmp
snmp-server enable service
snmp-server enable traps all
snmp-server view exampleview 1.2.3 included
snmp-server group examplegroup v3 auth read exampleview
snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 encrypted
IrrqRoL9DI2HGP3wipS0lDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn priv aes encrypted
6D2AC0vBjbGHGP3wipS0lLD/mjXR6wFMPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
snmp-server host 10.6.7.22 version v2c public
CLI Example—Restrict Access to Specific Remote Hosts
The following example shows how to restrict access to allow only specific remote hosts to access
SNMP data. From the SNMP v1-v2c user configuration level specify which remote hosts are allowed to
access the ACOS device using the community string:
ACOS(config-user:u1)# remote 192.168.20.1 /24

ACOS(config-user:u1)# remote 192.168.30.1 /24
CLI Example—Restrict Access to Specific OIDs
The following example shows how to restrict access so that only a specific OID (1.2.3) can be accessed
by the specified hosts (subnets 192.168.30.x and 192.168.40.x). From the SNMPv1-v2c user configura-
tion level:
ACOS(config-user:u1)# oid 1.2.3

ACOS(config-user:u1-oid:1.2.3)# remote 192.168.40.1 255.255.255.0
ACOS(config-user:u1-oid:1.2.3)# remote 192.168.50.1 255.255.255.0
Configure SNMP Groups

SNMP users can be organized into groups, which can be configured to allow or disallow users access
to read specific SNMP views.
Use the GUI to Configure SNMP Groups

To configure an SNMP group using the GUI:
1. Hover over System in the menu bar, then select Monitoring.
page 144
Configure AES or DES Encryption for SNMPv3 Users
2. Select SNMP, then select SNMP Groups from the drop-down menu.
3. Click Create.
4. Enter a name for the group in the Groupname field.
5. Select the desired SNMPv3 packet authentication level.
6. Select a read-only view for accessing MIB objects.
7. Click Create.
Use the CLI to Configure SNMP Groups

Use the snmp-server group command to configure an SNMP group from the CLI. The following exam-
ple creates a group called “examplegroup”:
ACOS(config)# snmp-server group examplegroup v3 priv read exampleview

Advanced Encryption Standard (AES) or Data Encryption Standard (DES) encryption can be added at
the SNMP “user” level. This feature extends overall security with support for SNMPv3 notifications
(traps). SNMPv3 traps are authenticated and encrypted, using the same options already supported for
SNMPv3 in previous releases.
• Authentication is performed by using the user’s authentication key to sign the message being
sent. This can be done using either MD5 or SHA encryption. The authentication key is generated
using the specified encryption method and the specified password.
• Encryption is performed by using a user’s privacy key to encrypt the data portion of the message
being sent. This can be done using either AES or DES encryption. The authentication key is gener-
ated using the specified encryption method and the specified password.
NOTE: After changing the encryption for an SNMP user, SNMP must be
restarted in order to reload the configuration. This process will take
some time before the SNMP service becomes available.
Use the GUI to Configure Encryption for SNMPv3 Users

To configure encryption for SNMPv3 users from the GUI:
1. Hover over System, then select Monitoring.
page 145
2. Select the SNMP tab, then select SNMP User from the drop-down menu.
3. Click Create to create a new user.
4. Specify the user name and group.
5. In the Authentication field, select the Enable checkbox.
This displays the authentication options for the SNMP user configuration.
a. Specify the authentication algorithm you want to use (MD5 or SHA) and password.
b. Specify the Encryption type (DES or AES) and encryption passphrase.
6. Click Create.
Use the CLI to Configure Encryption for SNMPv3 Users

To add encryption at the snmp “user” level, use the snmp-server command at the global config level.
The following example shows how to configure an SNMPv3 user “exampleuser”, who is a member in
“examplegroup”, which is part of “exampleview”:

ACOS(config)# snmp-server group examplegroup v3 auth read exampleview
ACOS(config)# snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 example-
password1 priv aes examplepassword2
The auth md5 examplepassword1 portion of the command will generate a user key using MD5 encryp-
tion and the string “examplepassword1”. The priv aes examplepassword2 portion of the command will
encrypt the message using a key with AES encryption and the string “jonpassword2”:
More information about the snmp-server command can be found in the Command Line Interface Refer-
ence.
page 146
Configure SNMP Traps
Enable SNMP Traps

In order to start receiving SNMP traps, you must enable SNMP traps on a configured SNMP server. You
can enable any of the individual traps, or a category of new SNMP traps. Follow the steps below to
enable SNMP traps. All traps are disabled by default.
For more information about SNMP CLI commands used for enabling SNMP traps, along with a list of
available traps, see the Command Line Interface Reference.
For information about configuring SNMP traps on L3V partitions, see the Configuring Application Delivery
Partitions guide.
Take note of the following:
• In order to begin receiving ssl-cert-expire SNMP traps, you must enable email notification of
SSL certificate expiration. To do so, use the logging email-address command from the global
configuration level in the CLI. For more information, refer to the Command Line Interface Refer-
ence.
• In order to begin receiving resource-usage-warning SNMP traps, you must set resource utiliza-
tion thresholds for partitions.
• If you have a DNS anycast configuration, all ports of a given virtual server must to be down
before an SNMP trap will be sent.
NOTE: The enabling/disabling of traps in the L3V partition can only be done on
the group level, and not on an individual trap level.
Use the GUI to Enable SNMP Traps

To enable SNMP traps:
1. Hover over System in the navigation bar, and select Monitoring.

2. Click SNMP on the menu bar, and then select SNMP from the drop-down menu that appears.
3. Click Trap List to display the traps you can add, sorted by category.
4. Select the checkbox next to any SNMP traps you want to enable.
5. Click Configure SNMP to save your changes.
page 147
Use the CLI to Enable SNMP Traps

The snmp-server enable traps command allows you to enable SNMP traps. The following traps are
available on the shared partition:
• all
• gslb
• lldp
• lsn
• network
• routing
• slb
• slb-change
• snmp
• system
• vcs
• vrrp-a
NOTE: On the L3V partition, only the all, snmp, gslb, slb, slb-change, and vrrp-a
traps are available. For details on these traps, see the Command Line
Interface Reference.
The following CLI command enables SNMP traps for all SLB events. Note that using the ? allows you to
see all SNMP traps within the category before activating that category.
AX5100(config)# snmp-server enable traps slb ?

all Enable all SLB traps
application-buffer-limit Enable application buffer reach limit trap
bw-rate-limit-exceed Enable SLB server/port bandwidth rate limit exceed
trap
bw-rate-limit-resume Enable SLB server/port bandwidth rate limit resume
trap
server-conn-limit Enable SLB server connection limit trap
server-conn-resume Enable SLB server connection resume trap
server-disabled Enable SLB server-disabled trap
server-down Enable SLB server-down trap
server-selection-failure Enable SLB server selection failure trap
server-up Enable slb server up trap
service-conn-limit Enable SLB service connection limit trap
page 148
service-conn-resume Enable SLB service connection resume trap

service-down Enable SLB service-down trap
service-group-down Enable SLB service-group-down trap
service-group-member-down Enable SLB service-group-member-down trap
service-group-member-up Enable SLB service-group-member-up trap
service-group-up Enable SLB service-group-up trap
service-up Enable SLB service-up trap
vip-connlimit Enable the virtual server reach conn-limit trap
vip-connratelimit Enable the virtual server reach conn-rate-limit
trap
vip-down Enable SLB virtual server down trap
vip-port-connlimit Enable the virtual port reach conn-limit trap
vip-port-connratelimit Enable the virtual port reach conn-rate-limit trap
vip-port-down Enable SLB virtual port down trap
vip-port-up Enable SLB virtual port up trap
vip-up Enable SLB virtual server up trap
The following CLI command enables SNMP traps for all SLB changes. An SNMP trap will be sent when-
ever a change has been made to the SLB configuration. This includes the creation or deletion of virtual
or real servers or ports, and changes to or near expiration of SSL certificates.
ACOS(config)# snmp-server enable traps slb-change
The following CLI commands only enable SNMP traps for the creation or removal of virtual and real
servers and ports.
ACOS(config)# snmp-server enable traps slb-change server

ACOS(config)# snmp-server enable traps slb-change server-port
ACOS(config)# snmp-server enable traps slb-change vip
ACOS(config)# snmp-server enable traps slb-change vip-port
Disable SNMP Traps for L3V Partitions

ACOS allows you to enable SNMP traps on shared partitions. The ACOS device can disable traps on
L3V partitions while the SNMP traps are still enabled on shared partitions. The default behavior is for
both shared and L3V partition traps to be sent out when SNMP traps are enabled on shared partitions.
When SNMP is disabled in the shared partition, no configuration change is required in any L3V partition.
From the shared partition, the ACOS device will not send any SNMP responses nor traps once SNMP is
disabled.
page 149
Configure SNMP
NOTE: GSLB group traps are not partition-aware so they cannot be controlled
using the snmp-server disable traps gslb command.
To disable SNMP traps on L3V partitions, use the CLI and make sure that you are in the configuration
level for an L3V partition.
The example below switches to the private partition named “pl3v,” then disables network and LLDP
traps on this partition:
ACOS(config)# active-partition pl3v

ACOS[pl3v](config)# snmp-server disable traps network
ACOS[pl3v](config)# snmp-server disable traps LLDP
Configure SNMP
By default, SNMP service is disabled for all data interfaces. See “Default Management Access Settings”
in the Management Access and Security Guide for more information.
To configure SNMP:
1. If desired, configure location and contact information.

2. If desired, configure external SNMP trap receivers.
3. If desired, configure SNMPv1/v2c.
4. If desired, configure views, groups, and users.
5. Enable the SNMP agent and SNMP traps.
6. Save the configuration changes.
You are not required to perform these configuration tasks in precisely this order. The workflow in the
GUI is slightly different from the workflow shown here.
Use the GUI to Configure SNMP

To configure basic SNMP parameters:

2. Click SNMP on the menu bar, then select SNMP from the drop-down list.
3. Configure general SNMP settings, including the system information, Engine ID, and trap host, in
the General Fields section. Refer to the GUI online help for detailed information about each field.
page 150
Configure SNMP
4. Configure SNMP trap settings by clicking and expanding the Trap List section, then selecting the
traps you want to monitor.
5. Click Create SNMP Server when you are finished making your selections.
Use the CLI to Configure SNMP

All SNMP configuration commands are available at the global configuration level of the CLI.
1. To configure SNMPv1/v2c, use the following command:

ACOS(config)# snmp-server snmpv1-v2c
2. To configure an SNMPv3 user, specify the user name, group name, and authentication method.
For example:
ACOS(config)# snmp-server snmpv3 user example-user group example-group v3 auth md5 exam-
ple-password
3. To configure contact information, use the snmp-server contact command:

ACOS(config)# snmp-server contact example-contact
4. To enable the SNMP agent and SNMP traps, use the snmp-server enable traps command. For
example, to enable all SNMP traps:
ACOS(config)# snmp-server enable traps all
5. To configure an SNMP group, specify the group name and security level. For example:
ACOS(config)# snmp-server group example-grou-name v3 auth read example-read-view-name
6. To configure external SNMP trap receivers, use the snmp-server host command:
ACOS(config)# snmp-server host example-trap-host
7. To configure location information, use the snmp-server location command:

ACOS(config)# snmp-server location example-location
8. To configure an SNMP view, use the following command:

ACOS(config)# snmp-server view example-view-name example-oid included
For more information about these commands and other SNMP-related commands, refer to the Com-
mand Line Interface Reference.
Be sure to use the write memory command to save any configuration changes.
page 151
Configure the Source Interface for SNMP Notifications

You can specify a data interface to use as the source interface for SNMP traps. By default, the manage-
ment interface is the source interface for SNMP traps.
Details:
• This feature does not support IPv6.
• This feature supports SNMPv1 but not SNMPv2c or SNMPv3.
The interface can be any of the following types:
• Ethernet
• VLAN / VE
• Loopback
When the ACOS device sends an SNMP trap from the data interface you specify, the “agent-address” in
the SNMP trap is the data interface’s IP address.
Use the GUI to Configure the SNMP Source Interface

To configure an Ethernet interface as the source for SNMP traps:
1. Hover over Network in the navigation bar and select Interface.

2. On the menu bar, click LAN.
3. Click Edit in the Actions column for the Ethernet interface.
4. Select the checkbox next to Trap Source in the General Fields section.
5. Click Update.
Use the CLI to Configure the SNMP Source Interface

The following command attempts to set a loopback interface as the SNMP trap source. However, the
feature has already been enabled on Ethernet port 1, and only one interface can be enabled for SNMP
traps, so this example shows that the existing trap source will be overwritten with the new one:
ACOS(config)# interface loopback 1

ACOS(config-if:loopback:1)# snmp-server trap-source
The trap source already exists for interface eth1. Do you want to overwrite? [yes/no]:yes
ACOS(config-if:loopback:1)#
page 152
page 153
page 154
Link Monitoring
The ACOS device supports link monitoring with automated link disable or session clear.
This chapter contains the following:
• Overview of Link Monitoring
• Link Monitoring Actions
• Link Monitor Template Sequence Numbers
• Link Monitor Template Logical Operators
• Configure Link Monitor
Overview of Link Monitoring

This feature monitors the link state of Ethernet data interfaces. You can monitor Ethernet data inter-
faces for the following types of events:
• Link up
• Link down
The feature monitors the link state on a set of Ethernet data interfaces. If the monitored event is
detected, the ACOS device applies the specified action to another set of interfaces.
This feature is especially useful in cases where you want to disable both ACOS interfaces used by traf-
fic flows through the ACOS device, if the link on either interface goes down. For an example, see “LACP
Passthrough” in the Network Configuration Guide.
NOTE: You can configure the feature for individual Ethernet data ports. Configu-
ration of the feature for logical interfaces such as Virtual Ethernet (VE)
interfaces is not supported.
page 155
Link Monitoring Actions
Link Monitoring Actions

You can configure the ACOS device to take one of the following actions when the specified event type
(link up or link down) is detected on a monitored Ethernet data interface:
• Clear sessions
• Disable the link on one or more other interfaces
• Enable the link on one or more other interfaces
The clear session option removes sessions from the session table. You can configure the feature either
to clear data sessions only, or to clear sessions of all types.
Link Monitor Template Sequence Numbers

Each monitor template can contain the following types of entries:
• Monitoring entries – A monitoring entry monitors for a specific event type (link up or link down)
on a specific Ethernet data interface.
• Action entries – An action entry specifies the action to take when monitored events are detected.
When you configure an entry of either type, you must specify a sequence number, 1-16. The sequence
numbers assigned to monitoring entries specify the order in which to check the monitored ports for the
specified event type.
Likewise, the sequence number assigned to action entries specify the order in which to apply the
actions.
The sequence number can be important in cases such as the following:
• The order in which link state changes take place can affect whether traffic loops occur.
• The template contains action entries that clear sessions and that disable or enable links. In this
case, the sequence number controls whether the sessions are cleared before or after the link
states are changed. Normally, it is recommended to clear the sessions first, before changing the
link states.
The monitor with the lowest sequence number is performed first, then the monitor with the next lowest
sequence number is performed, and so on. For example, monitor 1 is performed first, monitor 2 is per-
formed second, and so on. Likewise, if the monitored events are detected, action 1 is performed first,
then action 2, and so on.
page 156
Link Monitor Template Logical Operators
Link Monitor Template Logical Operators

Each monitor template uses one of the following logical operators:
• AND – The actions are performed only if all the monitored events are detected. (This is the
default).
• OR – The actions are performed if any of the monitored events is detected.
The logical operator applies only to monitor entries, not to action entries. For example, if the logical
operator is OR, and at least one of the monitored events occurs, all the actions configured in the tem-
plate are applied.
You can configure the entries in any order. In the configuration, the entries of each type are ordered
based on sequence number.
Configure Link Monitor

To configure link monitoring with automated link disable or session clear:
1. Configure a monitoring template. Within the template, specify the following parameters:
• Links (Ethernet data ports) to monitor
• Actions to perform on other links, if the monitored event is detected:
• Clear sessions
• Disable links
• Enable links
• (Optional) Set the comparison operator for the monitoring entries:
• AND – The actions are performed only if all the monitored events are detected.
• OR – The actions are performed if any of the monitored events is detected.
2. Active the monitoring template.
You can configure and activate up to 16 monitor templates. A monitor template does not take effect
until you activate it.
The following commands configure monitor template 1 and the physical data interfaces and events to
monitor:
ACOS(config)# slb template monitor 1

ACOS(config-monitor)# monitor link-down eth 5 sequence 1
page 157
Configure Link Monitor

The following commands configure the actions to take when a monitored event is detected.
ACOS(config-monitor)# action clear sessions sequence 1

ACOS(config-monitor)# action link-disable eth 5 sequence 2
ACOS(config-monitor)# exit
The following command activates the template, to place it into effect:
ACOS(config)# system template-bind monitor 1
Based on this configuration, when a link-down event is detected for Ethernet port 5 OR 6 OR 9 OR 10,
sessions are cleared first. Then the remaining links are disabled, in the following sequence: 5 AND 6
AND 9 AND 10.
NOTE: The clear session command clears only data sessions. To clear all ses-
sions, use clear sessions all.
page 158
Gateway Health Monitoring
This chapter describes how to configure gateway health monitoring.
• Gateway Health Monitoring Overview
• Gateway Health Monitoring Configurable Parameters
• Configure Gateway Health Monitoring
For information about health monitoring of servers in Server Load Balancing (SLB) configurations, see
the “Health Monitoring” chapter in the Application Delivery and Server Load Balancing Guide.
Gateway Health Monitoring Overview

Gateway health monitoring uses ARP to test the availability of nexthop gateways. When the ACOS
device needs to send a packet through a gateway, the ACOS device begins sending ARP requests to the
gateway.
• If the gateway replies to any ARP request within a configurable timeout, the ACOS device for-
wards the packet to the gateway.
• The ARP requests are sent at a configurable interval. The ACOS device waits for a configurable
timeout for a reply to any request. If the gateway does not respond to any request before the tim-
eout expires, the ACOS device selects another gateway and begins the health monitoring process
again.
The following items clarify the implementation of gateway health monitoring on your ACOS device:
• Gateway health monitoring is useful in cases where there is more than one route to a destination.
In this case, the ACOS device can discard the routes that use unresponsive gateways. If there is
only one gateway, this feature is not useful.
• Gateway health monitoring and SLB server health monitoring are independent features. If a gate-
way fails its health check, a server reached through the gateway is not immediately marked
down. The status of the server still depends on the result of the SLB server health check.
• If you plan to use gateway health as a failover trigger for VRRP-A high availability, a different con-
figuration option is required. See “Dynamic Priority Reduction” in Configuring VRRP-A High Avail-
ability for more information.
page 159
Gateway Health Monitoring Configurable Parameters
Gateway Health Monitoring Configurable Parameters

The following parameters are used for gateway health monitoring:
• Interval – The interval specifies the amount of time between health check attempts (ARP
requests), and can be 1-180 seconds. The default is 5 seconds.
• Timeout – The timeout specifies how long the ACOS device waits for a reply to any of the ARP
requests, and can be 1-60 seconds. The default is 15 seconds.
Using the default gateway health monitoring settings, a gateway must respond to a gateway health
check within 15 seconds. Figure 15 shows how a gateway health check times out using the default set-
tings.
NOTE: It is recommended not to use a timeout value smaller than 3 times the
interval value. This is especially true for short interval values.
FIGURE 15 Gateway Health Check Using Default Settings – Timeout
page 160
Configure Gateway Health Monitoring
Figure 16 shows an example in which a gateway responds before the timeout.
FIGURE 16 Gateway Health Check Using Default Settings – Gateway Responds

Gateway health monitoring is disabled by default.
Use the GUI to Configure Gateway Health Monitoring

To enable gateway health monitoring from the GUI:
1. Navigate to ADC >> SLB >> Global.

2. Select the checkbox in the Gateway Health Check field.
3. Configure the interval and timeout values as desired.
4. Click Update.
Use the CLI to Configure Gateway Health Monitoring

To enable gateway health monitoring from the CLI, use the gateway-health-check command at the
SLB common configuration level of the CLI. The following command enables gateway health monitor-
ing with the default settings:
ACOS(config)# slb common
page 161
ACOS(config-common)# gateway-health-check
The following command displays gateway health monitoring statistics:
ACOS(config)# show health gateway

Gateway health-check is enabled
Interval=5, Timeout=15
Total health-check sent : 10
Total health-check retry sent : 2
Total health-check timeout : 1
page 162
Multiple Port-Monitoring Mirror Ports
• Overview of Port Mirroring
• Configure Mirror Ports
• Port Monitoring and Mirroring for aVCS Devices
• Removing Mirror Port Configuration
Overview of Port Mirroring

Port mirroring is used to send copies of network packets (inbound, outbound, or both) from a moni-
tored port to a separate port for monitoring. This is often used for the purpose of troubleshooting,
debugging, and for analyzing traffic.
Up to four physical Ethernet data interfaces can be configured as mirror ports.
L3V port mirroring can be based on the port and optionally, the VLAN ID.
NOTE: The port mirroring and monitoring feature is supported on all A10 Thun-
der Series and AX Series devices that are supported with this software
release; it is NOT supported on vThunder platforms.
In earlier 2.7.2.x releases, this feature is supported on A10 Thunder

Series and AX Series FTA-enabled models only.
Since mirrored packets are handled by the switching ASIC directly, not
the CPU, do not use the debug packet command to test packet mirroring
on FTA devices. Instead, verify that packets are received on the neighbor-
ing devices.
Configure Mirror Ports

To configure mirror ports, use the mirror-port command at the global configuration level:
page 163
Configure Mirror Ports
The following commands configure 4 mirror ports:
ACOS(config)# mirror-port 1 ethernet 4

ACOS(config)# mirror-port 2 ethernet 7 output
ACOS(config)# mirror-port 3 ethernet 9
ACOS(config)# mirror-port 4 ethernet 3 input
The output and input parameters used in these commands must match the ones you use when con-
figuring the monitor port. The output parameter enables outbound traffic on the monitored port to be
copied and sent out on the mirror port. The input parameter enables inbound traffic on the monitored
port to be copied and sent out on the mirror port.
The show mirror command verifies the mirror configuration:
ACOS(config)# show mirror

Mirror Ports 1: Input = 4 Output = 4
Mirror Ports 2: Input = None Output = 7
Mirror Ports 4: Input = 3 Output = None
At this point, monitoring is not yet enabled on any ports. The next step is to access the configuration
level for Ethernet interface 1 and enable monitoring of its traffic. For example:

ACOS(config-if:ethernet:1)# monitor input 1
The following command displays the mirror configuration:
ACOS(config-if:ethernet:1)# show mirror

Ports monitored at ingress : 1
The output now lists the monitoring configuration on port 1, which uses mirror 1.
The following commands attempt to enable monitoring of ingress traffic on port 2, using mirror 2. How-
ever, this configuration is not valid because mirror 2 can accept egress traffic only.

Please configure mirror port first.
Likewise, the both option is not valid in this case:
page 164
Port Monitoring and Mirroring for aVCS Devices
ACOS(config-if:ethernet:2)# monitor both 2

Please configure mirror port first.
The following configuration is valid, since mirror 2 is configured to accept only the egress traffic of
monitored ports:
ACOS(config-if:ethernet:2)# monitor output 2
Here is the mirror configuration now:

Ports monitored at egress : 2
The ingress traffic received on port 2 can be monitored, if a mirror that accepts ingress traffic is used.
In this example, mirrors 1, 3, and 4 can accept ingress traffic. The following command configures use
of mirror 4 for ingress traffic received on port 2:
Here is the mirror configuration after this change:

Ports monitored at egress : 2
For brevity, this example does not show configuration of monitoring using mirror 3. Likewise, the exam-
ple does not show that a mirror can accept monitored traffic from more than one interface, but this is
supported.
Port Monitoring and Mirroring for aVCS Devices

Port mirroring and monitoring is supported in an aVCS setup. For example:
page 165
Removing Mirror Port Configuration
ACOS-11-Active-vMaster[1/1](config)# mirror-port 2 ethernet 13 ?

device Device
input Mirror incoming packets to this port
output Mirror outgoing packets to this port
The only distinction from the base command is that in an aVCS scenario, you must specify the device
ID.
In the monitoring mode, you can specify the device to which the Ethernet belongs:
ACOS-11-Active-vMaster[1/1][p1]# show mirror ?

active-vrid VRRP-A vrid
device Device
| Output modifiers
The following output displays that Ethernet 2 resides on device 1:
interface ethernet 1/2

cpu-process
monitor both 1 vlan 3
For more information about configuring aVCS, see Configuring ACOS Virtual Chassis Systems.
Removing Mirror Port Configuration

To properly remove mirror port configuration, you must remove both the monitor configuration at the
interface configuration level, and also the mirror-port configuration. Removing one without the other
does not completely remove the mirror port configuration and may cause problems if you try to re-con-
figure mirror ports at a later time.
An example of removing the monitor configuration:

ACOS(config-if:ethernet:2)# no monitor output 2
An example of removing the mirror port configuration:
ACOS(config)# no mirror-port 2 ethernet 7 output
page 166
NetFlow v9 and v10(IPFIX)
This chapter describes how to configure NetFlow on your ACOS device.
• NetFlow Overview
• NetFlow Versions Supported
• NetFlow Parameters
• Formatting of NetFlow Records for Long-Lived Sessions
• Predefined NetFlow Templates
• Configuring NetFlow
NetFlow Overview
An ACOS device can act as a NetFlow exporter. The NetFlow exporter (ACOS device) monitors traffic
and sends the data to one or more NetFlow collectors, where the information can be stored and ana-
lyzed by a network administrator.
NOTE: NetFlow support for SLB does not support VCS.
page 167
NetFlow Versions Supported
FIGURE 17 NetFlow Architecture with an ACOS device as Exporter
CAUTION: NetFlow is a heavy user of system resources and requires uses addi-
tional memory, equivalent to half the size of a session for each data ses-
sion. When NetFlow is enabled, the session table capacity is reduced by
one-third (1/3) of its original amount. For example, a system with max
100 sessions can only have 66 sessions.
NetFlow Versions Supported

NetFlow version 9 and NetFlow version 10 (IPFIX) are supported. This version is described in RFC
3954, Cisco Systems NetFlow Services Export Version 9. NetFlow version10 (IPFIX) is compliant with
RFC 5101 and 5102.
NetFlow Parameters
On an ACOS device, you can configure up to 128 NetFlow monitors. This is a global system maximum.
If the device has multiple partitions, this maximum applies in aggregate to all the partitions, including
the shared partition.
A NetFlow monitor consists of the following protocol parameters, which can be used to configure the
ACOS device to export data in the format of NetFlow v9 or NetFlow v10 (IPFIX). The default protocol is
NetFlow v9.
page 168
NetFlow Parameters
• Export destination – External devices to export the collected data. You can specify the IP address
of a single NetFlow collector, or configure a service group that comprises multiple collectors.
• To achieve load balancing of NetFlow traffic among two or more collectors, they must be
placed within the same service group.
• If two or more NetFlow collectors are configured using only IP addresses and are not included
in a service group, and if they are configured with the same NetFlow properties (record types),
then NetFlow traffic will be duplicated to both places and the NetFlow traffic will not be load-
balanced.
NOTE: NetFlow information is sent from the ACOS device through a data port
that is dynamically selected and is based upon information in the routing
table.
• Record type – Types of data to export. NetFlow exporters use the following types of messages to
send collected data to a collector server:
• Templates – A NetFlow template defines the set of data to be collected, and the order in which
that information will appear in the data messages.
• Data – NetFlow data messages contain the collected data, such as flow information. Packets
for data messages can contain data for more than one flow.
Each NetFlow monitor can use one or more NetFlow templates. This release includes some pre-
defined NetFlow templates. (See “Predefined NetFlow Templates” on page 171.)
• Monitoring filters – Specific type of resources to monitor. You can specify monitoring of the fol-
lowing resource:
Ethernet data ports – Specify the list of ports to monitor. Flow information for the monitored inter-
faces is sent to the NetFlow collector(s).
By default, no filters are in effect. Traffic on all interfaces and Virtual Ethernet (VE) interfaces are
monitored.
• Flow timeout – This is the interval for sending flow records for long-lived sessions. (For short-
lived sessions, any flow records are sent upon termination of the session.) For long-lived ses-
sions, the flow timeout default value is 10 minutes. After this amount of time has elapsed, the
ACOS device will send any flow records to the NetFlow collector, even if the flow is still active.
The flow timeout can be set to 0-1440 minutes. If this is set to 0, this essentially disables the flow
timeout feature. Regardless of how long-lived a flow might be, the ACOS device waits until the
flow has ended and the session is deleted before it sends any flow records for it.
NOTE: This parameter applies only to templates for flows. These are the tem-
plates listed in the “Templates for A10 Flow Records with NAT
Addresses” section of Table 11 on page 172.
page 169
Formatting of NetFlow Records for Long-Lived Sessions
• Template transmission options – The ACOS device periodically resends the NetFlow templates
to the collector(s). The following counters control when the templates are resent:
• Number of data records sent – This is a running counter of the total number of data messages
that have been sent to the NetFlow collector. After the specified number of data records are
sent, the ACOS device resends the template that describes the data (as a way to refresh the
template). The default is 1000 records. You can configure the set template interval to 0-
1000000 records. To disable, set this number to 0.
• Number of seconds since the last time the template was sent – After the specified number of
seconds has passed, the ACOS device resends the template to perform a refresh of the tem-
plate on the collector. The default is 1800 seconds. You can set it to 0-86400 seconds. After the
template is resent, this counter is set back to 0 second. To disable, set this number to 0.
• Management interface – Uses the IP of the ACOS management interface, instead of the IP of the
data interfaces when sending traffic to the NetFlow collectors. By default, the ACOS device sends
NetFlow traffic out to the data interface. When the Management Interface option is enabled, the
NetFlow information is still sent via a data interface that is dynamically (and automatically)
selected based upon the routing table, but the source IP of the packets will be the IP of the man-
agement port.
• Monitor state – Enabled or disabled. By default, a NetFlow monitor is enabled.
Formatting of NetFlow Records for Long-Lived Sessions

This section discusses the formatting of the “start time” and “duration” fields in NetFlow records for
long-lived sessions (typically defined as those lasting more than 10 minutes).
For each new NetFlow record created for a session on the ACOS device, the NetFlow record will show
the time that the session began as the start time. Therefore, NetFlow records sent out for different ses-
sions will have different start times.
However, for long-lived sessions (for example, 15 minutes), if the flow-timeout period is set to 5 min-
utes, then ACOS will produce three flow records for one 15-minute session. The three flow records will
each have the same start time, because the records are reporting on the same session.
The following example illustrates sample NetFlow records:
Formatting of NetFlow Records:
Duration: 318.000000000 seconds

StartTime: Feb 2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time
page 170
Predefined NetFlow Templates
NOTE: The start time is the same for all three records for this one session. In
addition, the duration is not reset to zero. Instead, it is incrementally
larger for each record since more time has elapsed since the first, sec-
ond, and third records were sent.
The benefit of this method of formatting the session “start time” and “duration” fields in the NetFlow
records is that the records are joined into a single session that can be easily stored and searched in a
database. The following types of NetFlow records are described in the following sections:
• dslite – DS-Lite Flow Record Template
• nat44 – NAT44 Flow Record Template
• nat64 – NAT64 Flow Record Template
• netflow-v5 – NetFlow V5 Flow Record Template
• netflow-v5-ext – Extended NetFlow V5 Flow Record Template, supports ipv6

ACOS device includes the following pre-defined NetFlow templates.
• SLB NetFlow Templates
• CGN NetFlow Templates
SLB NetFlow Templates

The following templates can be used to monitor SLB configurations:
• Cisco NetFlow V5 record, for IPv4 (netflow-v5)
• Cisco NetFlow V5 Extended record, for IPv6 (netflow-v5-ext)
page 171
Table 11 includes details about templates that used for SLB configurations.
TABLE 11ACOS NetFlow Template Types for SLB Monitoring

Template Name Key Fields Non-Key Fields
netflow-v5 • IP Protocol • IP Source AS
• IPv4 Source Address • IP Destination AS
• IPv4 Destination Address • IPv4 Next Hop Address
• Source Port • IPv4 Source Mask
• Destination Port • IPv4 Destination Mask
• IP ToS
• TCP Flags
• Interface Input
• Interface Output
• Counter Bytes
• Counter Packets
• Timestamp First Packet
• Timestamp Last Packet
netflow-v5-ext • Protocol • Traffic Class
• IPv6 Source Address • Routing Source AS
• IPv6 Destination Address • Routing Destination AS
• Transport Source Port • Routing Next-hop Address
• Transport Destination Port Protocol • IP Source Mask
• IPv6 Source Address • IP Destination Mask
• IPv6 Destination Address • Transport TCP Flags
• Transport Source Port • Interface Input
• Transport Destination Port • Interface Output
• Counter Bytes
• Counter Packets
• Timestamp First Packet
• Timestamp Last Packet
CGN NetFlow Templates

The following templates can be used to monitor CGN configurations:
• Templates for A10 Flow Records with NAT Addresses
• Templates for NAT Session Event Records
• Templates for NAT Port Mapping Event Records
Templates for A10 Flow Records with NAT Addresses

These template types are bidirectional. One session results in one flow record.
• NAT44 (nat44)
page 172
• NAT64 (nat64)
• DS-Lite (dslite)
Table 12 includes details about these templates.
TABLE 12ACOS NetFlow Template Types for A10 Flow Records with NAT Addresses
nat44 • IP Protocol • Reverse tuple partition ID
• Forward tuple partition ID • IPv4 NAT source address
• IPv4 Source Address • IPv4 NAT dest address
• IPv4 Destination Address • NAT source port
• Source Port • NAT dest port
• Destination Port • Interface Input
• Flow Direction (inbound, outbound, or • Interface Output
hairpin) • Fwd Bytes
• Fwd Packets
• Rev Bytes
• Rev Packets
• Start time (msec)
• Duration (msec)
nat64 • IP Protocol • Reverse tuple type
• Forward tuple type • Reverse tuple partition ID
• Forward tuple partition ID • IPv6 NAT source address (hairpin)
• IPv6 Source Address • IPv4 NAT source address
• IPv4 Destination Address (IPv6 in • IPv6 NAT dest address
IPv4) • IPv4 NAT dest address
• IPv4 Destination Address • NAT dest port
• Source Port • Interface Input
• Destination Port • Interface Output
• Flow Direction (inbound, outbound, or • Fwd Bytes
hairpin)
• Fwd Packets
• Rev Bytes
• Rev Packets
• Duration (msec)
page 173
TABLE 12ACOS NetFlow Template Types (Continued) for A10 Flow Records with NAT Addresses
dslite • IP Protocol • Reverse tuple type
• Forward tuple partition ID • IPv6 NAT source address (hairpin)
• IPv6 Destination Address • IPv4 NAT dest address
hairpin) • Fwd Bytes
• Fwd Packets
• Rev Bytes
• Rev Packets
• Duration (msec)
Templates for NAT Session Event Records

• NAT44 Session Events (sesn-event-nat44)
• NAT64 Session Events (sesn-event-nat64)
• DS-List Session Events (sesn-event-dslite)
page 174
Table 13 includes details about these templates.
TABLE 13ACOS NetFlow Template Types for NAT Event Records

sesn-event-nat44 • IP Protocol • Reverse tuple partition ID
• Destination Port • Start time (msec)
• Flow Direction (inbound, outbound, or • sesnEvent (Create, Delete)
hairpin)
sesn-event-nat64 • IP Protocol • Reverse tuple type
hairpin) • Start time (msec)
• sesnEvent (Create, Delete)
sesn-event-dslite • IP Protocol • Reverse tuple type
• Destination Port • Start time (msec)
• Flow Direction (inbound, outbound, or • sesnEvent (Create, Delete)
hairpin)
Templates for NAT Port Mapping Event Records

• NAT44 Port Mapping (port-mapping-nat44)
• NAT64 Port Mapping (port-mapping-nat64)
• DS-Lite Port Mapping (port-mapping-dslite)
page 175
Table 14 includes details about NetFlow templates for port mapping event records.
TABLE 14ACOS NetFlow Template Types for NAT Port Mapping Event Records
Template Name Data Fields
port-mapping- • IP Protocol
nat44 • IPv4 Source Address
• Source Port
• IPv4 NAT source address
• NAT source port
• timestamp (msec)
• natEvent (Create, Delete)
nat64 • IPv6 Source Address
• IPv4 Source Address
• Source Port
• NAT source port
dslite • IPv6 Source Address
• Source Port
• NAT source port
Templates for NAT Port Batching Event Records

• NAT44 Port Batching (port-batch-nat44)
• NAT64 Port Batching (port-batch-nat64)
• DS-Lite Port Batching (port-batch-dslite)
page 176
Table 14 includes details about NetFlow templates for port batching event records.
TABLE 15ACOS NetFlow Template Types for NAT Port Batching Event Records
port-batch-nat44 • natEvent (Create, Delete)
• IP Protocol
• Post NAT IPv4 Source Address
• Flow Start Milliseconds
• Port Range Start
• Port Range End
• Port Range Step Size
• Port Range Num Ports
port-batch-nat64 • natEvent (Create, Delete)
• IP Protocol
• Port Range End
port-batch-dslite • natEvent (Create, Delete)
• IP Protocol
• Port Range End
Templates for NAT Port Batching v2 Event Records

• NAT44 Port Batching (port-batch-v2-nat44)
• NAT64 Port Batching (port-batch-v2-nat64)
• DS-Lite Port Batching (port-batch-v2-dslite)
page 177
Configuring NetFlow
Table 14 includes details about NetFlow templates for port batching event records.
TABLE 16ACOS NetFlow Template Types for NAT Port Batching Event Records
port-batch-v2- • natEvent (Create, Delete)
nat44 • IP Protocol
• Port Range End
nat64 • IP Protocol
• Port Range End
dslite • IP Protocol
• Port Range End
Configuring NetFlow
Below is an overview of the steps needed to configure NetFlow:
1. If using multiple NetFlow collectors, create an SLB server configuration for each collector, and add
the server configurations to a service group.
Make sure to disable the Layer 4 health check on the UDP port.
2. Configure a NetFlow monitor. Within the monitor, specify the following:
• The destination, which can be one of the following:
• Host address, if using a single NetFlow collector
• Service-group name, if using multiple NetFlow collectors
• The record types to export. (Specify them by NetFlow template type.)
page 178
Configuring NetFlow
• (Optional) The Ethernet interfaces from which to collect NetFlow information. By default, infor-
mation is collected for all interfaces.
• (Optional) Adjust the flow timeout.
• (Optional) Adjust the template resend counters.
• (Optional) Adjust the maximum packet queue time.
NOTE: If you plan to use only a single NetFlow collector, you do not need to per-
form step 1. You can specify the NetFlow collector’s IP address when
configuring the NetFlow monitor (in step 2).
Use the GUI to Configure NetFlow

To configure NetFlow using the GUI:

2. Click NetFlow Monitor on the menu bar.
3. Click Create. The Create NetFlow Monitor page appears.
4. Enter a name for the NetFlow monitor in the Name field.
5. Configure the following fields and options:
• The Destination, which can be one of the following:
• Host address, if using a single NetFlow collector
• Service-group name, if using multiple NetFlow collectors
• (Optional) Adjust the flow timeout. Default is 10 minutes.
• (Optional) Adjust the amount of records after which to resend template in the Resend Template
Records field. The default is 1000 records, after which the template will be re-sent to the collec-
tor and the counter will be reset to 0.
• (Optional) Adjust the timeout for resending template in the Resend Template Timeout field. The
default is 1800 seconds, after which the template is re-sent to the collector.
• (Optional) Set Source IP Use Management to Enable to use the IP address of the management
port of the ACOS device as the source IP of the NetFlow packets, even when packets are sent
out the data interface.
• Select the Protocol version. The default is NetFlow Version 9, but you can also select NetFlow
Version 10.
• Select the record types to export. (Specify them by NetFlow template type. See Predefined Net-
Flow Templates for details.)
6. When finished, click Create to save your changes.ni
page 179
Configuring NetFlow
Use the CLI to Configure NetFlow

This section provides the following CLI examples for configuring NetFlow:
• CLI Example: Single Collector
• CLI Example: Multiple Collectors (SLB)
• CLI Example: Multiple Collectors (CGN)
CLI Example: Single Collector

The following commands configure NetFlow in an SLB partition. This example uses a single NetFlow
collector.
ACOS(config)# netflow monitor test

ACOS(config-netflow-monitor)# record netflow-v5
ACOS(config-netflow-monitor)# record netflow-v5-ext
ACOS(config-netflow-monitor)# destination 10.10.3.2
ACOS(config-netflow-monitor)# show netflow monitor
Netflow Monitor test
Protocol Netflow v9
Status: Enable
Filter: Global
Destination: 10.10.3.2:9996
Source IP Use MGMT: No
Flow Timeout: 60 Minutes
Resend Template Per Records: 1000
Resend Template Timeout: 1800 Seconds
Sent: 45 (Pkts) / 8360 (Bytes)
Records:
netflow-v5: 86 (records) / 0 (fails)
netflow-v5-ext: 0 (records) / 0 (fails)
CLI Example: Multiple Collectors (SLB)

The following commands configure export of NetFlow records to multiple collectors. The configuration
is for an SLB partition.

ACOS(config-real server)# port 9996 udp
ACOS(config-real server-node port)# health-check-disable
page 180
Configuring NetFlow

ACOS(config)# slb service group sg1 udp
ACOS(config-slb svc group)# member s1 9996
ACOS(config-slb svc group-member:9996)# member s2 9996
ACOS(config-slb svc group-member:9996)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# netflow monitor nf1
ACOS(config-netflow-monitor)# destination service-group sg1
ACOS(config-netflow-monitor)# record netflow-v5
ACOS(config-netflow-monitor)# record netflow-v5-ext
ACOS(config-netflow-monitor)# end
ACOS#
CLI Example: Multiple Collectors (CGN)

The following commands configure export of NetFlow records to multiple collectors for a CGN parti-
tion.
ACOS(config)# cgnv6 server s1 80.1.1.108

ACOS(config)# cgnv6 server s2 80.1.1.109
ACOS(config)# cgnv6 service-group sg1 udp
ACOS(config-cgnv6 svc group)# member s1 9996
ACOS(config-cgnv6 svc group)# member s2 9996
ACOS(config-cgnv6 svc group)# exit
ACOS(config)# netflow monitor nf1
ACOS(config-netflow-monitor)# destination service-group sg1
ACOS(config-netflow-monitor)# record nat44
ACOS(config-netflow-monitor)# record dslite
ACOS(config-netflow-monitor)# record sesn-event-nat64 both
ACOS(config-netflow-monitor)# end
ACOS#
page 181
Configuring NetFlow
page 182
sFlow
• sFlow Overview
• sFlow Sampling Types
• Information Included in sFlow Datagrams
• sFlow Configuration
sFlow Overview
ACOS can act as an sFlow agent by sampling random packets and sending statistics in an sFlow data-
gram to an external sFlow collector for analysis.
Some important implementation notes:
• sFlow data collection is supported only for individual Ethernet data ports and VE interfaces. Data
collection cannot be performed on trunk interfaces, loopback interfaces, or on the management
interface of ACOS.
• Host resource sampling is not supported:
• Application behavior sampling is not supported
• Configuration of sFlow agent behavior using SNMP is not supported
sFlow Sampling Types

sFlow supports two types of sampling. One type of sampling uses a time-based approach to retrieve
statistics for a specific interface, while the other approach samples information from the packet header
of every Nth packet.
Details
• You can enable one or both sampling types on a single Ethernet data port – the sampling types
are not mutually exclusive.
page 183
Information Included in sFlow Datagrams
• The sFlow datagram includes information about the incoming interface but not the outgoing
interface where sampling occurred.
• sFlow data can be exported to up to 4 sFlow collectors. This offers the benefit of redundancy, as
well as the ability to send sFlow datagrams to different destinations.
• By default, the sFlow datagrams use the management IP of ACOS as the source address, but you
can modify the exported sFlow datagrams to the source address of your choice.
Counter Polling Interval

This is a counter sampling method that is based on time. Statistics for an interface are gathered peri-
odically and sent to the sFlow collector. You can specify the time interval (frequency) with which the
counter interfaces statistics are gathered and sent. This global configuration will apply to all interfaces
where sFlow is enabled unless a more granular value is configured at the interface level. You can enter
a value ranging from 1–200 seconds. By default, this interval is set to 20 seconds.
Once ACOS has sampled statistics from a target interface, the information is collected and sent in an
sFlow datagram to one or more sFlow collectors. The sFlow datagrams are listed in the Received and
Transmitted counter fields in show interface CLI output, or on the Network > Interface page of the
GUI.
Packet Sampling Rate

This is a sampling method that is based on the number of incoming packets. This sampling rate value
essentially means that one packet is sampled out of every N packets. When expressed as a ratio, the
packet sampling rate looks like 1/N. You can enter a value for N (the denominator) ranging from 10–
1000000 packets. By default, N is equal to 1000, meaning that one packet is sampled out of every
1000 packets arriving at that interface. This global configuration will apply to all interfaces where sFlow
data is collected, unless a more granular value has been configured at the interface level.
Unlike the other time-based sampling method, which gathers counter statistics for an interface, this
packet-volume sampling approach gathers data about specific packets arriving at an interface. Infor-
mation is extracted from the first 128 bytes in the header of the sampled packet, beginning with the
MAC header. Once ACOS has sampled packets from a specified target interface, the information is col-
lected and sent in an sFlow datagram to one or more sFlow collectors.
Information Included in sFlow Datagrams

The following information is included in sFlow datagrams:
• Discarded packets
page 184
sFlow Configuration
Information about the discarded packets is included in the sFlow datagrams. For a list of Destina-
tion Unreachable codes associated with discarded packets, see section “Input/Output Port Infor-
mation” in the following RFC:
http://sflow.org/sflow_version_5.txt
• Export CPU and Memory information
CPU and memory information are included in the “Processor information” section of the exported
sFlow datagram.
sFlow Configuration
The following list summarizes the high-level steps involved in configuring the sFlow data collection fea-
ture on an ACOS device:
1. Specify the sFlow collector where data will be exported.

2. (Optional) Enable use of the management interface’s IP as the source address for outbound sFlow
packets. This may be beneficial for filtering at the collector or to maintain consistency in the
source address of the sFlow packets.
3. Specify the individual Ethernet data interfaces that will be sampled.
4. (Optional) Change the default data sampling rate or polling interval.
Use the GUI to Configure sFlow

2. Click sFlow on the menu bar. The sFlow update page appears.
3. Enter an IP address for the sFlow agent. By default, the management IP of ACOS is used, but you
may enter a different address if desired.
NOTE: This information will appear in the Layer 4 information section of the
sFlow datagram. Although the information is “textual” and is not used for
routing decisions, it may be helpful in identifying which sFlow agent a
particular packet came from, particularly in complex networks that have
more than one sFlow agent.
4. (Optional) Enable Source IP use mgmt if you wish to use the ACOS device’s management IP as the
source address for exported sFlow datagrams. This changes the source address on the sFlow
datagrams but has no effect on which interface the ACOS device selects for exporting sFlow data-
grams.
page 185
sFlow Configuration
5. (Optional) In the Counter Polling Interval field, specify the time interval at which the counter of
interface statistics will be sampled. (See “Counter Polling Interval” on page 184 for more informa-
tion.)
6. (Optional) In the Packet Sampling Rate field, alter the default value if desired. Smaller numbers
increase the sampling frequency, and larger numbers decrease the sampling frequency. (See
“Packet Sampling Rate” on page 184 for more information.)
7. (Optional) In the Max Header field, specify the number of bytes, from 14-512, that should be cop-
ied from a sampled packet.
8. (Optional) Select Enable in the CPU Usage field to enable CPU utilization monitoring.
9. (Optional) Select Enable in the Enable HTTP field to enable sFlow counter polling on HTTP inter-
faces.
10.In the Collector section:
a. Select the IPv4 or IPv6 radio button for Type.
b. Enter an IPv4 or IPv6 address in the Address field, depending on which IP protocol version was
selected for Type.
c. Enter a value in the Port field. This is the port on the collector where sFlow traffic will be sent.
By default, traffic is sent to UDP port 6343.
d. Click Add to add the sFlow collector’s information
11.To enable time-based sFlow sampling, specify polling interfaces in the Polling Ethernet and/or
Polling VE fields.
12.To enable packet volume-based sFlow sampling, specify sampling interfaces in the Sampling
Ethernet and/or Sampling VE fields.
13.Click Configure to save your changes.
Use the CLI to Configure sFlow

This section contains CLI sFlow configuration examples.
The following commands specify the sFlow collector through port 5, and enable use of the manage-
ment interface’s IP as the source IP for the data samples sent to the sFlow collector:
ACOS(config)# sflow collector ip 192.168.100.3 5

ACOS(config)# sflow setting source-ip-use-mgmt
The following command enables counter polling for several Ethernet data interfaces, and uses the
globally configured sampling rate by default:
ACOS(config)# sflow polling ethernet 1 to 8
page 186
sFlow Configuration
The following command enables packet sampling for a range of Ethernet interfaces:
ACOS(config)# sflow sampling ethernet 3 to 5
The following command displays sFlow data collection statistics:
ACOS(config)# show sflow statistics

Interface Packet Sample Records Counter Sample Records
-------------------------------------------------------------------
1 3461 81
2 20801 81
3 0 81
4 0 81
5 0 81
6 0 81
7 0 81
8 0 81
9 0 81
10 0 81
11 0 81
12 0 81
-------------------------------------------------------------------
sflow total statistics
Packet sample records: 24262
Counter sample records: 972
Sflow packets sent: 16257
page 187
sFlow Configuration
page 188
Part IV
Network Address Translation (NAT)
This section describes Network Address Translation (NAT) and how to configure it. NAT translates the
source or destination IP address of a packet before forwarding the packet.
The ACOS device supports traditional, Layer 3 IP source NAT. IP source NAT translates internal host
addresses into routable addresses before sending the host’s traffic to the Internet. When reply traffic is
received, the ACOS device then re-translates addresses back into internal addresses before sending the
reply to the client.
The chapters in this section provide additional information about NAT features and configuration:
• “Configuring Dynamic NAT” on page 191

• “Configuring Static NAT” on page 197
• “NAT ALG Support for PPTP” on page 201
This section does not include information about NAT features for Server Load Balancing (SLB) or for
IPv6 migration.
Configuring Dynamic NAT
This chapter describes how to configure static source NAT, in which internal addresses are dynami-
cally translated into external addresses from a pool.
• Configuration Elements for Dynamic NAT
• Configuring Dynamic IP Source NAT
Configuration Elements for Dynamic NAT

Dynamic NAT uses the following configuration elements:
• Access Control List (ACL) – to identify the inside host addresses to be translated
• Pool – to identify a contiguous range of external addresses into which to translate inside
addresses
• Optionally, pool group – to use non-contiguous address ranges. To use a non-contiguous range
of addresses, you can configure separate pools, then combine them in a pool group and map the
ACL to the pool group. The addresses within an individual pool still must be contiguous, but you
can have gaps between the ending address in one pool and the starting address in another pool.
You also can use pools that are in different subnets.
Pool group members must belong to the same protocol family (IPv4 or IPv6) and must use the
same VRID. A pool can be a member of multiple pool groups. Up to 200 NAT pool groups are sup-
ported.
If a pool group contains pools in different subnets, the ACOS device selects the pool that matches
the outbound subnet. For example, if there are two routes to a given destination, in different sub-
nets, and the pool group has a pool for one of those subnets, the ACOS device selects the pool that
is in the subnet for the outbound route.
The ACOS device searches the pools beginning with the first one added to the group, and selects
the first match. If none of the pools are in the destination subnet, the ACOS device uses the first
pool that has available addresses.
• Inside NAT setting on the interface connected to the inside host.
• Outside NAT setting on the interface connected to the Internet. Inside host addresses are trans-
lated into external addresses from a pool before the host traffic is sent to the Internet.
page 191
Configuring Dynamic IP Source NAT
NOTE: The ACOS device enables you to specify the default gateway for an IP
source NAT pool to use. However, the pool’s default gateway can be
used only if the data route table already has either a default route or a
direct route to the destination of the NAT traffic. In this case, the pool’s
default gateway will override the route, for NAT traffic that uses the pool.
If the data route table does not have a default route or a direct route to
the NAT traffic destination, the pool’s default gateway can not be used.
In this case, the NAT traffic can not reach its destination.

To configure dynamic source NAT:
1. Configure an Access Control List (ACL) to identify the inside addresses that need to be translated.
2. Configure a pool of external addresses to use for translation. To use non-contiguous ranges of
addresses, configure multiple pools and add them to a pool group.
3. Enable inside source NAT and map the ACL to the pool.
4. Enable inside NAT on the interfaces connected to the inside hosts.
5. Enable outside NAT on the interfaces connected to the Internet.
NOTE: In addition, on some ACOS device models, if Layer 2 IP NAT is required,

you also must enable CPU processing on the NAT interfaces. (On these
models, this option will be visible at the interface configuration level.)
NOTE: When configuring a NAT pool, an interface IP address cannot be included

as part of the pool if source-nat auto is configured on the device. Addi-
tionally, if an existing NAT pool already includes an IP address that is
configured on one of the interfaces on the device and the source-nat
auto configuration is being added, it will be rejected.
Use the GUI to Configure Dynamic IP Source NAT

To configure an access list to identify the inside addresses that need to be translated:
1. Hover over Security in the navigation bar, and select Access List from the drop-down menu.
2. Select the access list type (Standard, Extended, IPv4 or IPv6) on the menu bar.
3. Click Create.
page 192
e. Specify an access list number.

f. Enter the values to filter for Remark. Otherwise, select Entry to select values to filter. For exam-
ple, Figure 18 shows the configurable fields for an Extended Access List when Entry is
selected.
g. Click Create. The new access list appears in the table of configured access lists of that type.
To configure a pool of external addresses to use for translation:
1. Hover over ADC in the navigation bar, and select IP Source NAT from the drop-down menu.
2. Select IPv4 Pool or IPv6 Pool on the menu bar.
3. Click Create.
a. Enter a name for the pool.
b. Enter the start and end addresses.
c. Enter the network mask.
d. If the ACOS device is deployed in transparent mode, enter the default gateway to use for NAT-
ted traffic.
e. To use session synchronization for NAT translations, select the VRID.
f. If the device is part of a Scaleout cluster configuration, specify the Scaleout device ID.
g. Optionally, enable IP-RR. For information about this feature, see Mapping Allocation Method.
h. Click Create.
To enable inside source NAT and map the access list to the pool:
2. Select ACL Bind on the menu bar, then select IPv4 or IPv6.
3. Click Create.
a. Select the access list number from the ACL drop-down list.
b. Select the pool name from the Pool drop-down list. For IPv4 ACL Bind, select an IPv4 pool; for
IPv6 ACL Bind, select an IPv6 pool.
c. Optionally, specify a TCP Maximum Segment Life (MSL) of 1-1800 seconds for NATted session.
d. Click Create. The new binding appears in the table of configured access lists of that type.
To enable inside an/or outside NAT on interfaces connected to inside hosts, the Internet or both:
2. Select NAT Interfaces on the menu bar, then select Ethernets or Virtual Ethernets.
page 193
a. Click Edit in the Actions column for the interface.

b. To enable inside NAT on the interface, select Inside for the IPv4 Direction and/or IPv6 Direc-
tion.
c. To enable outside NAT on the interface, select Outside for the IPv4 Direction and/or IPv6 Direc-
tion.
d. To enable both inside and outside NAT on the interface, select Both for the IPv4 Direction and/
or IPv6 Direction.
e. Click Update.
f. Repeat for each interface connected to the internal hosts, the Internet or both.
FIGURE 18 Network >> Access List >> Extended >> Create
Use the CLI to Configure Dynamic IP Source NAT

The following command configures an ACL to specify the internal hosts to be NATted. In this example,
all hosts in the 10.10.10.x subnet are to receive NAT service for traffic to the Internet.
page 194
ACOS(config)# access-list 1 permit 10.10.10.0 0.0.0.255
The following command configures an IPv4 pool of external addresses to use for the NAT translations.
In this example, 10.10.10.x addresses will be translated into 192.168.1.1 or 192.168.1.2:
ACOS(config)# ip nat pool pool1 192.168.1.1 192.168.1.2 netmask /24
The following command enables inside source NAT and associates the ACL with the pool:
ACOS(config)# ip nat inside source list 1 pool pool1
The following commands enable inside source NAT on the interface connected to the internal hosts:

ACOS(config-if:ethernet:4)# ip nat inside
The following commands enable source NAT on the interface connected to the external hosts:

ACOS(config-if:ethernet:6)# ip nat outside
page 195
page 196
Configuring Static NAT
This chapter describes how to configure static source NAT, in which internal addresses are explicitly
mapped to external addresses.
• “Configuration Elements for Static NAT” on page 197
• “Configuring Static IP Source NAT” on page 197
• “Support for Inter-Partition Static NAT and Overlapping IP Addresses” on page 199
Configuration Elements for Static NAT

Static NAT uses the following configuration elements:
• Static mappings or an address range list – A static mapping is a one-to-one mapping of an inside
address to an external address. An address range list is a contiguous range of inside addresses
and external addresses to translate them into.
• Inside NAT setting on the interface connected to the inside host.
• Outside NAT setting on the interface connected to the Internet. Inside host addresses are trans-
lated into external addresses from a static mapping or a range list before the host traffic is sent
to the Internet.
Configuring Static IP Source NAT

You can configure individual static source NAT mappings or configure a range of static mappings.
After configuring the static source NAT mappings, do the following:
• Enable inside NAT on the interfaces connected to the inside hosts.
• Enable outside NAT on the interfaces connected to the Internet.
page 197
Configuring Static IP Source NAT
Use the GUI to Configure Static IP Source NAT

To configure an individual static source NAT mapping:
1. Hover over ADC in the navigation bar and select IP Source NAT.
2. Select Static NAT on the menu bar.
3. Click Create.
a. Enter the external address into which to translate the inside host address.
b. Enter the inside host address to be translated.
c. To apply VRRP-A to the address, select the VRID.
d. Click Create.
To configure the static translations of a range of internal host addresses to external addresses:
2. Select NAT Range on the menu bar.
3. Click Create.
a. Enter a name for the range.
b. Select the address type (IPv4 or IPv6)
c. In the Local IP Address field, enter the first (lowest numbered) address in the range of inside
host addresses to be translated.
d. In the Local Netmask field, enter the network mask in the range of inside host addresses.
e. In the Global IP Address field, enter the first (lowest numbered) address in the range of external
addresses to which to translate the inside host addresses.
f. In the Global Netmask field, enter the network mask in the range of external addresses to which
to translate the inside host addresses.
g. In the Count field, enter the number of addresses to be translated.
h. To apply VRRP-A to the addresses, select the VRID group.
i. Click Create.
To enable inside an/or outside NAT on interfaces connected to inside hosts, the Internet or both:
2. Select NAT Interfaces on the menu bar, then select the interface type from the drop-down list.
3. Click Edit in the Actions column for the interface.
page 198
Support for Inter-Partition Static NAT and Overlapping IP Addresses
a. To enable inside NAT on the interface, select Inside for the IPv4 Direction and/or IPv6 Direction.
b. To enable outside NAT on the interface, select Outside for the IPv4 Direction and/or IPv6 Direc-
tion.
c. To enable both inside and outside NAT on the interface, select Both for the IPv4 Direction and/
or IPv6 Direction.
d. Click Update.
e. Repeat for each interface connected to the internal hosts, the Internet or both.
Use the CLI to Configure Static IP Source NAT

The following commands enable static NAT, configure an IP address range named “nat-list-1” that
maps up to 100 local addresses starting from 10.10.10.97 to Internet addresses starting from
192.168.22.50, set Ethernet interface 2 as the inside NAT interface, and set Ethernet interface 4 as the
outside NAT interface.
ACOS(config)# ip nat range-list nat-list-1 10.10.10.97 /16 192.168.22.50 /16 count 100
Support for Inter-Partition Static NAT and Overlapping IP

Addresses
ACOS release 4.1.0 provides support for inter-partition routing with static NAT, similar to inter-partition
routing for fixed NAT (see “L3V Inter-partition Routing for Fixed-NAT” in the IPv4-to-IPv6 Transition Solutions
Guide).
To accomplish this, configure a static route in the private partitions pointing to the shared partition.
This enables static NAT traffic to be routed from private partitions to the shared partition.
The cgnv6 nat range-list and cgnv6 nat inside source CLI commands are enhanced to configure
this feature:
cgnv6 nat range-list list_name inside_start_address inside_netmask

partition inside_partition_name nat_start_address nat_netmask count num
cgnv6 nat inside source static source_address
page 199
Support for Inter-Partition Static NAT and Overlapping IP Addresses
partition inside_partition_name nat_ip_address [vrid vrid_num]
The partition inside_partition_name parameter is introduced to these existing commands.
This feature also adds support for overlapping addresses in the private partitions. For example –
10.10.10.1 from private partition P1 can be mapped to a NAT address 20.20.20.1 and 10.10.10.1 from
private partition P2 can be mapped to a NAT address 20.20.20.2.
page 200
NAT ALG Support for PPTP
This chapter describes NAT Application Layer Gateway (ALG) support for the Point-to-Point Tunneling
Protocol (PPTP):
• Overview of NAT ALG Support for PPTP
• Configure NAT ALG Support for PPTP
Overview of NAT ALG Support for PPTP

NAT Application Layer Gateway (ALG) support for the Point-to-Point Tunneling Protocol (PPTP) enables
clients and servers to exchange Point-to-Point (PPP) traffic through the ACOS device over a Generic
Routing Encapsulation (GRE) tunnel.
PPTP is used to connect Microsoft Virtual Private Network (VPN) clients and VPN hosts. Figure 19
shows an example.
FIGURE 19 NAT ALG for PPTP
page 201
Configure NAT ALG Support for PPTP
The ACOS device is deployed between PPTP clients and the VPN server (VPN Server using PPTP). The
ACOS device interface connected to the PPTP clients is enabled for inside source NAT. The ACOS
device interface connected to the VPN server is enabled for outside source NAT.
Each client runs a PPTP Network Server (PNS). To set up a VPN session, the PNS sends an Outgoing-
Call-Request to the PPTP Access Concentrator (PAC), which is the VPN server. The destination TCP
port is the PPTP port (1723 by default). The request includes a Call that the PNS chooses.
Because multiple clients may share the same NAT address, the ACOS device must ensure that clients
do not share the same Call ID as well. Therefore, the ACOS device assigns to each client a NAT Call ID
(analogous to a NAT source port for TCP) and modifies the Outgoing-Call-Request to use the NAT Call
ID instead.
The PAC replies to the Outgoing-Call-Request with a Call ID of its own. This is like a TCP destination
port. The ACOS device does not change the PAC’s Call ID. The PAC then assigns to the client an IP
address belonging to the VPN subnet.
On the ACOS device, the GRE session is created after the PNS sends its reply. In the GRE session, the
Call ID is used as the Layer 4 port, instead of a TCP/UDP port number.
In Figure 19 on page 201, client (PNS) 10.1.1.1 wants to connect to a VPN through the VPN Server
(PAC) 10.3.3.2, which is using PPTP. Client 10.1.1.1 establishes a PPTP control session (on port 1723)
with 10.3.3.2. When the client sends the Outgoing-Call-Request over that TCP session with its desired
Call ID, the ACOS device will translate the Call ID into a unique Call ID for NAT. Once the VPN server
replies with its own Call ID, the ACOS device will establish the GRE session.
After the Call IDs are exchanged, the client and server encapsulate VPN subnet traffic in a GRE tunnel.
The GRE tunnel packets are sent under normal IP between 10.1.1.1 and 10.3.3.2. A GRE packet for
PPTP uses a Call ID in the same way as a TCP or UDP destination port. Therefore, GRE packets from
the server (10.3.3.2) will use the NAT Call ID. The ACOS device translates the NAT Call ID back into the
client’s original Call ID before sending the packet to the client.
NOTE: One GRE session is supported per control session, which means one call
at a time is supported. In practice, PPTP is used only for VPNs, in which
case multiple concurrent calls do not occur.

To configure an ACOS device to support NAT ALG for PPTP:
• Configure dynamic IP source NAT:
• Configure an ACL that matches on the PPTP client subnet(s).

• Configure an IP source NAT pool that contains the range of IP addresses into which to translate
client addresses.
page 202
• Configure an inside source NAT list, using the ACL and pool.
• Enable inside IP source NAT on the ACOS device interface connected to the VPN clients.
• Enable outside IP source NAT on the ACOS device interface connected to the VPN server.
• If NAT ALG support for PPTP is disabled, enable it. (The feature is enabled by default.)
NOTE: In the current release, NAT ALG support for PPTP is not supported with
static NAT or NAT range lists.
The following example implements the NAT ALG for PPTP configuration shown in Figure 19 on
page 201.
The following commands configure dynamic inside source NAT.
ACOS(config)# access-list 1 permit 10.1.1.0 0.0.0.255

ACOS(config)# ip nat pool pptp-pool 192.168.1.100 192.168.1.110 netmask /24
ACOS(config)# ip nat inside source list 1 pool pptp-pool
The following commands specify the inside NAT interface and the outside NAT interface.

ACOS(config-if:ethernet:1)# ip address 10.2.2.254 255.255.255.0
ACOS(config-if:ethernet:2)# ip address 10.3.3.254 255.255.255.0
The following command displays session information:
ACOS(config-if:ethernet:2)# show session

Prot Forward Source Forward Dest Reverse Source Reverse Dest
Age Hash
------------------------------------------------------------------------------------------
-----------------
Gre 10.1.1.1:49152 10.3.3.2:32799 10.3.3.2:32799 192.168.1.100:2109

240 1
Tcp 10.1.1.1:2301 10.3.3.2:1723 10.3.3.2:1723 192.168.1.100:2109

240 2
This example shows the GRE session and the TCP session over which the GRE session is transported.
For the GRE session, the number following each IP address is the PPTP Call ID. For the TCP session,
the number is the TCP protocol port.
page 203
The following command displays PPTP NAT ALG statistics.
ACOS(config-if:ethernet:2)# show ip nat alg pptp statistics

Statistics for PPTP NAT ALG:
-----------------------------
Calls In Progress: 0
Call Creation Failure: 0
Truncated PNS Message: 0
Truncated PAC Message: 0
Mismatched PNS Call ID: 0
Mismatched PAC Call ID: 0
Retransmitted PAC Message: 0
Truncated GRE Packets: 0
Unknown GRE Packets: 0
No Matching GRE Session: 0
page 204
page 205
CONTACT US
2 a10networks.com/contact
ACOS 4.1.1-P11 CONFIGURING OVERLAY NETWORKS 29 MAY 2019

ACOS 4.1.1-P11 System Configuration and Administration Guide

Uploaded by

Copyright:

Available Formats

ACOS 4.1.1-P11 System Configuration and Administration Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ACOS 4.1.1-P11 System Configuration and Administration Guide

Uploaded by

Copyright:

Available Formats

ACOS 4.1.

A10 NETWORKS INC. SOFTWARE LICENSE AND END USER AGREEMENT

System Overview ........................................................................................................................ 11

FIPS Support .............................................................................................................................. 19

Jumbo Frames ........................................................................................................................... 31

COMMON SETUP TASKS ..........................................................................................................37

Configuring Basic System Parameters ....................................................................................... 45

Use the CLI to Configure the Management Interface ......................................................................... 56

Deployment Examples ................................................................................................................ 59

CONFIGURATION MANAGEMENT ..............................................................................................69

Backing Up System Information ................................................................................................. 71

Source Interface for Management Traffic .................................................................................. 83

Keeping the Management and Data Interfaces in Separate Networks .......................................... 84

Dynamic and Block Configuration .............................................................................................. 89

Boot Options .............................................................................................................................. 95

Power On Auto Provisioning ..................................................................................................... 103

Fail-Safe Automatic Recovery .................................................................................................. 107

MONITORING TOOLS ............................................................................................................121

System Log Messages ............................................................................................................. 123

Emailing Log Messages ........................................................................................................... 131

Simple Network Management Protocol (SNMP) ....................................................................... 135

Use the GUI to Configure SNMP Groups ............................................................................................144

Link Monitoring ........................................................................................................................ 155

Gateway Health Monitoring ...................................................................................................... 159

Multiple Port-Monitoring Mirror Ports ...................................................................................... 163

NetFlow v9 and v10(IPFIX) ....................................................................................................... 167

SLB NetFlow Templates .........................................................................................................................171

sFlow ....................................................................................................................................... 183

NETWORK ADDRESS TRANSLATION (NAT) ..............................................................................189

Configuring Dynamic NAT ........................................................................................................ 191

Configuring Static NAT ............................................................................................................ 197

NAT ALG Support for PPTP ...................................................................................................... 201

The following topics are covered:

• Server Load Balancing

ACOS Software Processes

• a10timer – Schedules and executes scheduled tasks.

• a10ospf – Implements the OSPFv2 routing protocol.

• a10snmpd – SNMPv2c and v3 agent, which services MIB requests.

• a10snpm_trapd – Handles SNMP traps initiated by a10lb.

• Data Interfaces and IP Subnet Support

• Graphical User Interface (GUI).

Data Interfaces and IP Subnet Support

Server Load Balancing

FIGURE 1 SLB Example

Intelligent Server Selection

SLB Configuration Templates

Server and Port Configuration Templates

• Server – Controls parameters for real servers

• Port – Controls parameters for service ports on real servers

• Virtual server – Controls parameters for virtual servers

• Virtual port – Controls parameters for service ports on virtual servers

The ACOS device provides the following types of connectivity templates:

• TCP-Proxy – Controls TCP/IP stack parameters

The following types of application templates are provided:

• DBLB – MS-SQL and MySQL database load balancing.

• DNS – Provides DNS security and optimization.

• Client SSL – Offloads SSL validation tasks from real servers

• Server SSL – Validates real servers on behalf of clients

• Logging – Configures logging to external servers over TCP.