elfiq_linkbalancer_administrator_guide_v3_04.pdf


Elfiq Link Balancer (Link LB) – Administrator Guide
Elfiq Operating System (EOS) - Version 3.5.2 and higher
Document Version 3.04 - July 2012

Elfiq Networks (Elfiq Inc.) www.elfiq.com

1. About the Document

Purpose

This document provides detailed information on configuring and managing Elfiq Link Balancer.

Conventions

In this document, the following conventions are used:

Command syntaxes are written in 12pt courier on a single line with the parameters in brackets:

    command name [parameter1] [parameter2option1|parameter2option2]

Example configurations or excerpts from output of commands are written in a box:

    LinkLB-enable:system [single] #set int eth0 auto

Specific annotations are written in bold and can be of 3 types: NOTE, IMPORTANT, WARNING.

Additional Information

For online access to our complete set of documentation and tools, please visit the support section of our website at http://www.elfiq.com

Support Center

You can contact the Elfiq Support Center at [email protected]. A member of our team will be pleased to answer you.

© Copyright 2004-2011, Elfiq Networks (Elfiq Inc.). All rights reserved. All the information contained in this document is owned by Elfiq inc. and protected by worldwide copyright laws. No modification or reproduction is permitted without the prior written authorization of the owner. Elfiq is a trademark of Elfiq inc. All trademarks mentioned herein belong to their respective owners. Elfiq inc. shall not be liable for any damages resulting from the use of this information and the products described herein. Elfiq inc. reserves the right to make changes to any information within this document and to make improvements and/or changes in the products described herein at any time and without notice.

Link LB – Administrator Guide – EOS 3.5.2 and higher – Document Version 3.04 - July 2012


Table of Contents

1. ABOUT THE DOCUMENT

2. GETTING STARTED
  2.1. About the Elfiq Link Balancer
    2.1.1. Layer 2 Integration and Primary Link
    2.1.2. Ports
  2.2. Access the Elfiq Link Balancer
    2.2.1. Console Port
    2.2.1. Management Port
  2.3. Configure and Manage the Elfiq Link Balancer
    2.3.1. Required Information before Configuring
    2.3.2. Command Line Interface (CLI)
    2.3.3. Elfiq Operating System (EOS) Overview
    2.3.4. Navigate through EOS Modules
    2.3.5. Graphical User Interface (GUI)
    2.3.1. Application Programming Interface (API)
  2.4. Monitoring and Troubleshooting
    2.4.1. System Log Events
    2.4.2. VFI Probe and Statistics

3. SYSTEM MODULE (SYST)
  3.1. About System Module
  3.2. Initial Configuration
  3.3. Change Settings
    3.3.1. Set Date and Time
    3.3.2. Set Local Time Zone
    3.3.3. Set a Network Time Protocol (NTP) Server
    3.3.4. Set the IP Address
    3.3.5. Set the Default Gateway
    3.3.6. Set IP Address and Default Gateway Simultaneously
    3.3.7. Set the Hostname
    3.3.8. Set SYSLOG Server Information
    3.3.9. Set Ethernet Network Port Speed and Duplex
    3.3.10. Create Dynamic Network Interfaces
    3.3.11. Set a Virtual Management (VMGMT) Interface
    3.3.12. Set LAN Bypass Ports
    3.3.13. Change the LCD Display Mode
  3.4. Change Services
    3.4.1. HTTP/HTTPS Service
    3.4.2. SNMP Configuration
    3.4.3. SMTP Alert Service
  3.5. Display System Information
    3.5.1. EOS Version and License
    3.5.2. System Module Information and Environment Metrics
    3.5.3. System Log Events
  3.6. Manage User Access
    3.6.1. First Log In with the Management User
    3.6.2. Set the Enable Mode
    3.6.3. Change the Management User Password
    3.6.4. Change the Enable User Password
    3.6.5. Define Users and Assign to Security Groups
    3.6.6. Show All Users
    3.6.7. Show All Groups
    3.6.8. Add/Remove a User to/from a Group
    3.6.9. Change a User Password
    3.6.10. Add a DSA Key to a User
    3.6.11. Show a User DSA Key
    3.6.12. Lightweight Directory Access Protocol (LDAP) and Active Directory (AD)
    3.6.13. Password Reset
  3.7. Manage Configuration Files
    3.7.1. Save the Running Configuration of a Module to Flash
    3.7.2. Save the Running Configuration of all Modules to Flash
    3.7.3. Execute a Configuration from Flash
    3.7.4. Manually Edit Configuration Files
    3.7.5. Manage Configuration Files on Flash
  3.8. EOS Firmware Update
  3.9. Shutdown or Reload the System

4. VIRTUAL FORWARDER INTERFACE (VFI)
  4.1. About Virtual Forwarder Interface
  4.2. Initial Configuration of Primary Link
    4.2.1. Inside and Outside Interfaces
    4.2.2. VFI features
    4.2.3. ARP Requests and MAC Addresses
    4.2.4. Primary Link GMAC
    4.2.5. Installation and Verification
  4.3. Add Alternate Links and GMAC Management
    4.3.1. DHCP and PPPoE Configuration
    4.3.2. Discover MAC Addresses
    4.3.3. Assign a GMAC to an Outside Interface
    4.3.4. GMAC MTU
    4.3.5. GMAC Aliases
    4.3.6. GMAC Networks
    4.3.7. Change the State of a GMAC
    4.3.8. GMAC probe
    4.3.9. GMAC tcpprobe
    4.3.10. GMAC Weight, Speed, Threshold and Description
    4.3.11. Remove a GMAC Entry
    4.3.12. GMAC Statistics
  4.4. IP Association between Links, Access Lists and Persistence
    4.4.1. IP Association Table
    4.4.2. Access Lists
    4.4.3. Outside Network Address Translation (NAT) Rules
    4.4.4. Persistence
    4.4.5. Protocol Specific Fixes
  4.5. Outgoing Load Balancing (OLB)
    4.5.1. IP Address Pools
    4.5.2. Outgoing Load Balancing Algorithms Using NAT
    4.5.3. Inside Network Address Translation Rules
  4.6. Incoming Load Balancing (ILB)
    4.6.1. Intelligent DNS Facility (IDNS)
    4.6.2. DNS Server Configuration
    4.6.3. Incoming Traffic Balancing Algorithms
    4.6.4. IDNS Interceptors
    4.6.5. IDNS Resource Records
  4.7. Advanced Options and Tools
    4.7.1. Child GMACs
    4.7.2. Route Policy Based Balancing
    4.7.3. Quality of Service (QoS)
    4.7.4. Deep Packet Inspection (DPI)
    4.7.5. TAG Load Balancing
    4.7.6. Internal Condition Verificator (ICV)
    4.7.7. Intelligent Service Verificator (ISV)
    4.7.8. Filtering Access Lists
    4.7.9. Shunning Engine
    4.7.10. Tap Interface
    4.7.11. Debug Tools
    4.7.12. How to manage the LLB using Inline Access
  4.8. Site-to-site Resilience with SitePathMTPX
    4.8.1. About SitePathMTPX
    4.8.2. Components
    4.8.3. SitePathMTPX Algorithms
    4.8.4. BSFA Adjustments
    4.8.5. Polling
    4.8.6. Encryption
    4.8.7. Dynamic SitePath IP Address
  4.9. Geographic Balancing with Geolink
    4.9.1. About Geolink
    4.9.2. Geolink
    4.9.3. Geotag and Geotag Groups
    4.9.4. Inbound Geolink
    4.9.5. Global Geolink

5. FAILOVER MODULE (FOVE)
  5.1. About Failover Module
  5.2. Initial Configuration
    5.2.1. IP Address of the Peer Unit
    5.2.2. Interfaces to Monitor
    5.2.3. Virtual IP Address (VIP)

6. APPENDIXES
  6.1. Appendix A: Information Sheets for Configuration
  6.2. Appendix B: System Log Events
  6.3. Appendix C: API Programming Examples
  6.4. Appendix D: DNS Delegation on a Microsoft DNS Server

Table of Figures Figure 1: Typical setup with a single Internet Service Provider (ISP) ..................................................................................... 8 Figure 2: Typical setup with multiple ISPs .............................................................................................................................. 9 Figure 3: USB, console, and Ethernet ports ........................................................................................................................... 9 Figure 4: Graphical User Interface ........................................................................................................................................ 15 Figure 5: Configuration files flowchart ................................................................................................................................... 42 Figure 6: VFI in a monomode setup with 2 links ................................................................................................................... 50 Figure 7: Ethernet network port selection example in a monomode setup with 2 links ........................................................ 51 Figure 8: Ethernet network ports on a 4-port unit ................................................................................................................. 52 Figure 9: Virtual Forwarder Interface packet flow diagram ................................................................................................... 56 Figure 10: ARP interception flowchart .................................................................................................................................. 58 Figure 11: ARP verification order .......................................................................................................................................... 
59 Figure 12: Display of 2 GMACs where a VFI balances 2 ISPs ............................................................................................. 61 Figure 13: DHCP link connected on the eth2 interface ......................................................................................................... 66 Figure 14: IP association with 3 links .................................................................................................................................... 70 Figure 15: Access list flowchart............................................................................................................................................. 72 Figure 16: dnat and rnat out .................................................................................................................................................. 75 Figure 17: dnat and rnat in .................................................................................................................................................... 88 Figure 18: Flowchart of the IDNS facility DNS interception process ..................................................................................... 89 Figure 19: Flowchart of a typical DNS query ........................................................................................................................ 91 Figure 20: Flowchart of the IDNS facility DNS interception process ..................................................................................... 92 Figure 21: Setup with a tap interface to monitor the network through a network IDS ........................................................ 120 Figure 22: SitePathMTPX ................................................................................................................................................... 
124 Figure 23: BSFA Adjustments ............................................................................................................................................. 126 Figure 24: Inbound Geolink ................................................................................................................................................. 128 Figure 25: Typical failover scenario .................................................................................................................................... 134 Figure 26: Failover to peer unit after a failure from a critical port in a VFI .......................................................................... 134 Figure 27: Failover to peer unit after a failure from switch .................................................................................................. 135 Figure 28: Failover to peer unit after a failure from a master unit ....................................................................................... 135 Figure 29: No changes occur after a failure of a management port ................................................................................... 136 Figure 30: No changes occur after a failure of an ISP link ................................................................................................. 136 Figure 31: Management LAN with 2 Link LB units in failover mode with a virtual IP (VIP) ................................................ 137


2. Getting Started

In this section, you will find information about the Elfiq Link Balancer (Link LB) and how to:

- Access the Link LB.
- Configure and manage the Link LB.
- Monitor and troubleshoot the Link LB.

2.1. About the Elfiq Link Balancer

2.1.1. Layer 2 Integration and Primary Link

When you install an Elfiq Link Balancer, no network configuration changes are required because of the layer 2 integration design. The Link LB operates at the data link layer (layer 2) of the OSI model. It is therefore transparent (inline) to your firewall and internal network.

Typical setup with a single Internet Service Provider (ISP):

[Figure 1: Typical setup with a single Internet Service Provider (ISP). Diagram labels: Internal Network; Firewall, public IP 194.204.1.2; ISP Link; ISP network; ISP’s router, IP 194.204.1.1/25; Internet.]

NOTE: The public network segment has been randomly chosen for this guide and must be replaced with your own link IP addresses.

In this setup, all internal computers are connected to a firewall and the firewall is in turn connected to the ISP router. All the internal computers are configured with private IP addressing and use the firewall as their default gateway. In most cases, no information about internal IP addressing is necessary for configuring the Link LB. On the public Internet side, the firewall itself uses the IP address of the ISP router as its default gateway.

The Link Balancer is installed between the firewall and the ISP router on the public and unprotected side. Inbound connections from the Internet will pass through the Link LB and be processed by the firewall’s corporate security policies. From this point, you can install alternate links without changing the configuration of your firewall. The Link LB will handle all the links transparently.

Typical setup with two Internet Service Providers (ISP):

[Figure 2: Typical setup with multiple ISPs. Diagram labels: Client Network; Firewall, IP 194.204.1.3; ISP A Link; ISP A network; ISP A’s router, IP 194.204.1.1/25; ISP B Link; ISP B network; ISP B’s router, IP 212.217.1.1/28; Internet.]

ISP A becomes the primary link and is the only ISP logically visible to your firewall. To your firewall, all data will always seem to come and go through your primary link, as the Link LB handles the other links transparently. If the primary link fails or the primary link router is turned off, your firewall will still have the impression that the link is in operation and will continue to send traffic to the Link LB and the alternate links.

IMPORTANT: The only difference at layer 2 for your firewall is that the MAC address of the primary link router is replaced by the MAC address of the Link LB inside interface.

NOTE: The term "primary link" does not imply any preference or performance considerations. It is called as such because of its IP addressing. From a load balancing perspective, this link and all the other links are considered based on the configured strategy carried out by the algorithms.

2.1.2. Ports

[Figure 3: USB, console, and Ethernet ports]

Console Port

The console port is a serial DB-9 or RJ45 port, depending on the Link LB model, and is used to access the Command Line Interface (CLI).

Ethernet Ports

Ethernet ports can be 10/100 or 10/100/1000 Mbps copper ports, Single Fibre Ports (SFP) or CX4 ports, depending on the Link LB model. Copper ports are referred to as ethx, SFP ports as sfpx and CX4 ports as cx4x, where x is the port number (for example, eth1 refers to copper port 1). The number and type of Ethernet ports depend on the Link LB model. Ethernet ports are divided into three categories:

- Management interface (MGMT): The Ethernet port of the management interface is configured with an IP address. It is used to configure the Link LB, access statistics, and send alerts, syslog and SNMP traps. This can be done via the Web-based Link Balancer Management console or an SSH client. It is a dedicated port by default but it can be virtualized for certain environments. With a virtual management interface, the physical port becomes available for use with ISP links.
- Inside interface: The inside interface is connected to the inside device, usually the firewall.
- Outside interfaces: Outside interfaces are connected to link routers.

NOTE: The inside and outside interfaces are not dedicated to specific physical ports in order to fulfill different operating modes and architectures. They are assigned in the Link LB configuration.

NOTE: Only one physical port or VLAN can be configured to be the inside interface. You cannot attach multiple ports or VLANs to the inside interface of the Link LB. In the case of multiple primary link devices, a switch must be used.

Bypass

Your Link LB model is equipped with one or more pairs of ports supporting the Elfiq LAN Failsafe technology. They are identified with the keyword “Bypass” on the faceplate. On some models, LAN Failsafe can be turned on or off in the configuration while on others it is always on.

IMPORTANT: In a single unit installation, the WAN interface of the firewall and the LAN interface of the primary link router should be connected to a LAN Failsafe port.

WARNING: In a physical redundancy (failover) installation, LAN Failsafe ports must not be used or must be deactivated in the configuration. This is because it would cause a loop in one of the connected switches.

USB Ports

A USB port can be used to inject a configuration at boot up or to perform an EOS firmware update via USB thumb drive. It can also be used to connect a USB Mobile Stick for 3G/4G ISP links.

2.2. Access the Elfiq Link Balancer

You can access the Link LB directly through the console port or through a secured network connection.

2.2.1. Console Port

In case of network failure, or for security purposes, the Link LB can always be accessed through the console port. Since physical access is required and no information is passed over the network, this is the most secure way to manage your Link LB.

Before you can access the system through the console port, you must first connect your computer or terminal to the Elfiq Link Balancer with a DB9 F/F or RJ45 null modem cable, like the one provided with your Link LB. You must then set up a terminal application, in which you will set the console port on your system with the following options:

- Bits per second: 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow Control: None

Once your physical connectivity is completed, simply press the Enter key to establish a session and get the login prompt.

    login as:

There are several terminal applications that are freely available, depending on your system’s operating system. For Microsoft Windows users, you can use the built-in HyperTerminal application, available in the “Program Files – Accessories – Communications” sub menu of the Start Menu. Other suggested freeware applications include Tera Term Pro, PuTTY and IVT, which are freely accessible for download on the Internet. For Linux or Unix users, notable suggestions are Minicom and Kermit.

2.2.1. Management Port

The Link LB can also be managed via the management port. This Ethernet port is identified as “MGMT” on the front bezel of the unit and is referred to as the management interface. The default IP address for a Link LB is 10.1.0.100 (subnet mask 255.255.255.0 or /24). The following management methods can be used via this management interface:

- Web Interface (GUI) via HTTP and/or HTTPS, accessible via most browsers
- SSHv2 (CLI), for use with SSH clients, such as PuTTY
- SNMP
- API
- SYSLOG

Access to the management interface and IP address on all TCP/UDP ports corresponding to the services mentioned above is required. For the initial configuration setup, the MGMT port may be connected to a computer with an IP address in the 10.1.0.0/24 network (with the exception of 10.1.0.100).

NOTE: This initial setup can be done using a provided orange or red crossover network cable directly connected to the Link LB management interface and the computer Ethernet network port. That computer’s IP address could be set to 10.1.0.101 with a subnet mask of 255.255.255.0 and an optional gateway of 10.1.0.1. A simple test to ensure connectivity between the computer and the management interface is to ping the default Link LB’s IP address (10.1.0.100) from that computer.

2.3. Configure and Manage the Elfiq Link Balancer

You can configure and manage the Link LB through the Command Line Interface, a web-based interface as well as remotely through the Application Programming Interface.

2.3.1. Required Information before Configuring

Before configuring the Elfiq Link Balancer, you should fill out the information sheets provided in the appendix. The basic installation and initial configuration will be made easier as all required information This will help you simplify the initial configuration of your Link LB by limiting the delays related to information gathering, since most of the required information will already be contained in the sheets for a basic installation. A more complex installation, however, will require additional information and possibly the support of an Elfiq specialist. In this case, a network diagram is also required. For the list of information sheets to fill in, please refer to Appendix A.

2.3.2. Command Line Interface (CLI)

The CLI is your main access point to configure and manage the Elfiq Link Balancer. You can access the CLI using one of the following accesses:

- Console port
- SSHv2 connection
- Graphical User Interface

For detailed information on the CLI and a complete list of all available commands, please consult the Command Reference Guide.


2.3.3. Elfiq Operating System (EOS) Overview

Organization

The EOS is divided into modules and each module provides a specific set of functions and settings. The following modules are available:

broker: Master module
    Link and access point to all the other modules.

syst: System module
    Manage system configuration such as IP address configuration, system name, date and time, SMTP alerts, SNMP settings, logging, system loading options, configuration files on flash, EOS upgrades.

vfix: Virtual Forwarder Interface (x is the ID of the VFI)
    Manage all traffic passing through the inside and outside ports, links, access lists, NAT, IDNS, balancing rules, etc. Advanced Link LB models have multiple instances of the VFI module (vfi0, vfi1, etc.).

fove: Failover module
    Manage the failover engine including setting and monitoring the peer status and the virtual IP interface.

Versions and License Keys

Depending on the model, Elfiq Operating Systems are available in up to four different versions per model:

- Single version.
- Failover version.
- Single version with Geolink option.
- Failover version with Geolink option.

Each Elfiq Link Balancer model and version requires a unique license to operate which is specific to the activated features/modules. The maximum number of VFI instances (1, 2 or 5) is also a parameter inside your license key. License keys are unique to each Link LB unit. A license key is comprised of 32 characters in upper case letters and was supplied at purchase.

IMPORTANT: Please contact your Elfiq partner or the Elfiq support center at [email protected] if you do not have your license key. It is required prior to configuring the Elfiq Link Balancer.

NOTE: Keep your Elfiq license key. You will need the license key in the future if you remove the flash configuration to return to factory settings.

Activate a new license key

A new license key must be activated following a firmware update in these cases:

- EOS with additional features (failover module, Geolink option, etc.).
- EOS with a different license type (end-user, demo, not for resale, etc.).
- A major EOS software update (for example passing from version 3.x to 4.0).

When required, the new license key is sent to your administrative contact. If you did not receive your new license key, please contact the Elfiq support center at [email protected].

Command syntax: licence [licence key]

    LinkLB-mgmt: [single] #ena
    Password:
    LinkLB-enable: [single] #syst
    LinkLB-enable:system [single] #license EEECAAA4966658F86HG80L400F2J0F4P
    LinkLB-enable:system [** License not verified **] #sh license
    Key[EEECAAA4966658F86HG80L400F2J0F4P] Type[Not Available] Description[LinkLB-AX-VFI1-SH-EXT] Hw Model[LB1000] Version[3] Status[Key not verified]
    LinkLB-enable:system [** License not verified **] #LinkLB-enable:system [single] #ram2flash
    LinkLB-enable:system [** License not verified **] #LinkLB-enable:system [single] #reload

Verify License Activation

Verify that the [key ok] status is displayed.

Command syntax: sh license

    LinkLB-enable:system [single] #sh license
    Key[EEECAAA4966658F86HG80L400F2J0F4P] Type[Demo] Description[LinkLB-AX-VFI1-SH-EXT] Hw Model[LB1000] Version[3] Status[key ok, DEMONSTRATOR, Evaluation only]

    LinkLB-mgmt: [single] #sh license
    Key[EEECAAA4966658F86HG80L400F2J0F4P] Description[LinkLB-NX-VFI5-SH-TP-EXT] Hw Model[LB3000] Version[3] Status[key ok]

EOS Firmware version verification

To make sure that you are running the latest EOS firmware, check the version with the sh ver command from any module.

    LinkLB-enable:system [single] #sh ver
    Version [3] Revision [4] Build [3 (701)] Date [Jan 29 2011] HW Model [LB1000] Type [LinkLB-AX-VFI1-SH-EXT] Compiled By [[email protected] RC13]

2.3.4. Navigate through EOS Modules

To navigate through the different modules, enter the name of the module at the command prompt. This takes you into that module. Typing exit will either return you to the broker master module or, if you were already in broker, exit the configuration utility. There is no need to go back to the broker module to switch between sub modules: entering the name of the module brings you into it. Here is an example:

    LinkLB-mgmt: [master] # syst
    LinkLB-mgmt:system [master] # exit
    LinkLB-mgmt: [master] # vfi0
    LinkLB-mgmt:vfi0 [master] # syst
    LinkLB-mgmt:system [master] # broker
    LinkLB-mgmt: [master] #


2.3.5. Graphical User Interface (GUI)

The GUI is the easiest way to verify the Link LB status, see real-time link usage and statistics, and perform basic configuration in a typical NAT-based implementation using public Internet links. You can access the GUI by typing the Link LB management port IP address in the address bar of a web browser.

IMPORTANT: The HTTP and/or HTTPS module must be enabled in the system module configuration in order to access the GUI.

Once connected, a login screen is displayed for user authentication.

[Figure 4: Graphical User Interface]

2.3.1. Application Programming Interface (API)

You can manage your Elfiq Link Balancer remotely through the Application Programming Interface and custom applications. The Elfiq API is based on XML and connections are handled through port 9998. Any command that can be issued on the CLI can be used in the API. For examples of API programming, please refer to Appendix C.

2.4. Monitoring and Troubleshooting

You can monitor and troubleshoot the Link LB using the following available tools.

NOTE: You can also refer to the Troubleshooting Knowledge Base in the support section of the Elfiq website at www.elfiq.com/support

2.4.1. System Log Events

The system module logs all the events of the Elfiq Link Balancer. You can display the log to view the most recent events that took place in the Link LB. For a list of system log events, please refer to Appendix B.
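Each event line that sh log event prints carries a timestamp, an event code of the form letter-module-number (for example A-VFI0-009004), a numeric severity with its name, and a message. The following C code is an added example, not Elfiq code: it parses that layout and flags link-down events and "Inline access" sessions opened from hosts outside an allowlist. The function names, the allowlist address and the event code and severity on the two constructed lines are assumptions.

```c
#include <stdio.h>
#include <string.h>

struct eos_event {
    char stamp[16];     /* "Feb 25 14:41:41" */
    char letter;        /* A, W, N or I */
    char module[8];     /* EOS2, VFI0, SYST, ... */
    char code[8];       /* six-digit event number */
    int  severity;      /* 1 Alert, 2 Warning, 3 Notice, 4 Info */
    char message[160];
};

enum verdict { V_IGNORE, V_LINK_DOWN, V_MGMT_UNKNOWN_HOST };

/* Numeric severity implied by the code letter (the pairing seen on this page). */
static int letter_severity(char letter)
{
    const char *order = "AWNI", *p = letter ? strchr(order, letter) : NULL;
    return p ? (int)(p - order) + 1 : 0;
}

/* Parse one event line. Returns 0 on success, -1 when the layout does not
 * match or the code letter and the numeric severity disagree. */
int eos_parse(const char *line, struct eos_event *ev)
{
    char name[16];
    int tpos = 0, pos = 0, pos2 = 0;
    size_t n;
    if (sscanf(line, "%*3s %*d %*8s%n %c-%7[A-Z0-9]-%7[0-9]%n",
               &tpos, &ev->letter, ev->module, ev->code, &pos) != 3 || pos == 0)
        return -1;
    n = (size_t)tpos < sizeof ev->stamp - 1 ? (size_t)tpos : sizeof ev->stamp - 1;
    memcpy(ev->stamp, line, n);
    ev->stamp[n] = '\0';
    line += pos;
    while (*line == ' ')
        line++;
    if (*line == '(') {                 /* optional marker such as "(N)" */
        const char *close = strchr(line, ')');
        if (close == NULL)
            return -1;
        line = close + 1;
    }
    if (sscanf(line, " %d (%15[^)]) %n", &ev->severity, name, &pos2) != 2 || pos2 == 0)
        return -1;
    if (letter_severity(ev->letter) != ev->severity)
        return -1;
    snprintf(ev->message, sizeof ev->message, "%s", line + pos2);
    return 0;
}

/* Flag a link or interface going down, and an "Inline access" session that
 * starts from a host outside the admin allowlist. */
enum verdict eos_triage(const struct eos_event *ev,
                        const char *const *allow, size_t n_allow)
{
    const char *ip = strstr(ev->message, "client ip [");
    size_t i, len;
    if (strstr(ev->message, "[link down]") || strstr(ev->message, "[interface down]"))
        return V_LINK_DOWN;
    if (strncmp(ev->message, "Inline access,", 14) != 0 || ip == NULL ||
        strstr(ev->message, "session started") == NULL)
        return V_IGNORE;
    ip += strlen("client ip [");
    len = strcspn(ip, "]");
    for (i = 0; i < n_allow; i++)
        if (strlen(allow[i]) == len && strncmp(allow[i], ip, len) == 0)
            return V_IGNORE;
    return V_MGMT_UNKNOWN_HOST;
}

/* Lines 0-1 come from the sample log on this page. Lines 2-3 are constructed
 * from Appendix B message templates; their event code and severity are
 * placeholders, since the page does not list them. */
const char *const SAMPLE[] = {
    "Feb 25 14:41:59 N-VFI0-009001 3 (Notice) TCP probe[1] timeout for gmac2 [test], tcpprobe [20.0.0.2:22]",
    "Feb 25 14:42:24 A-VFI0-009004 (N) 1 (Alert) Verification of gmac1 [test] failed, disabled [link down]",
    "Feb 25 15:02:10 N-VFI0-000000 3 (Notice) Inline access, SSH session started, client ip [10.1.0.101]",
    "Feb 25 15:07:33 N-VFI0-000000 3 (Notice) Inline access, API session started, client ip [192.0.2.44]",
};

int main(void)
{
    const char *const allow[] = { "10.1.0.101" };   /* hypothetical admin host */
    const char *const label[] = { "ignore", "LINK DOWN", "MGMT ACCESS, UNKNOWN HOST" };
    struct eos_event ev;
    size_t i;
    for (i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (eos_parse(SAMPLE[i], &ev) == 0)
            printf("%s %c-%s-%s -> %s\n", ev.stamp, ev.letter, ev.module,
                   ev.code, label[eos_triage(&ev, allow, 1)]);
    return 0;
}
```

A line whose code letter and numeric severity disagree is rejected rather than triaged, so a malformed or hand-edited entry does not pass as a routine event.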

Display System Log Events

Command syntax: sh log event

    LinkLB-mgmt:system [single] #sh log event
    Feb 25 14:41:41 I-EOS2-007001 4 (Info) Restoring system configuration from flash
    Feb 25 14:41:41 W-EOS2-006100 2 (Warning) Flash2ram, start
    Feb 25 14:41:41 W-EOS2-006101 2 (Warning) Flash2ram, done
    Feb 25 14:41:43 I-VFI0-020702 4 (Info) VFI ready, initial status [running]
    Feb 25 14:41:45 A-SYST-004001 1 (Alert) Elfiq Operating System (EOS) loaded/initialized
    Feb 25 14:41:47 N-BNET-000162 3 (Notice) Api service ready
    Feb 25 14:41:51 I-VFI0-020601 4 (Info) Acquiring VFI reconfig state
    Feb 25 14:41:51 I-VFI0-020600 4 (Info) Clearing all VFI configuration
    Feb 25 14:41:51 I-VFI0-020602 4 (Info) Releasing VFI reconfig state
    Feb 25 14:41:54 I-VFI0-020703 4 (Info) Outside interface [eth2], carrier ok, [interface up]
    Feb 25 14:41:54 A-VFI0-020705 1 (Alert) Inside interface [eth1], carrier ok, [interface up]
    Feb 25 14:41:58 W-VFI0-020201 2 (Warning) TCP probe OK for gmac2 [test], enabled [link up]
    Feb 25 14:41:59 N-VFI0-009001 3 (Notice) TCP probe[1] timeout for gmac2 [test], tcpprobe [20.0.0.2:22]
    Feb 25 14:42:24 A-VFI0-009004 (N) 1 (Alert) Verification of gmac1 [test] failed, disabled [link down]
    Feb 25 14:42:24 A-VFI0-009003 1 (Alert) Verification of gmac2 [test] successfull, enabled [link up

2.4.2. VFI Probe and Statistics

Each VFI instance has a probe. You can use this probe to see actual sessions passing through the Elfiq Link Balancer and display statistics. The probe stores the following statistics for each session:

- The link that the session is balanced on.
- Actual session link usage (in Kb/s for incoming and outgoing packets).
- Top bandwidth usage that the session achieved (in Kb/s for incoming and outgoing packets).
- Protocol.
- Inside IP address of the session (primary link or associated IP on an alternate link).
- Inside port number.
- Session flow, defines if the session was initiated from the inside (outgoing) or from the outside (incoming).
- Outside IP address of the session.
- Outside port number.
- Total number of KB transferred for incoming and outgoing packets.
- Duration of the session since it was established.

NOTE: The rank is calculated with the total number of KB transferred (incoming + outgoing).

Enable the Probe Feature

Command syntax: feature probe enable

IMPORTANT: You must first enable the probe feature in order for the probe to be activated into the VFI stack.

    LinkLB-enable:vfi0 [single] #feature probe enable

Display Probe Statistics

Command syntax: sh probe report [number of sessions]

    LinkLB:vfi0 [single] #sh probe report 10
    Top 10 live sessions
    Rank Gmac In (kb/s)  Out (kb/s) Top In (kb/s)  Top Out (kb/s) Proto      IP Inside        Port   Flow   IP Outside       Port   In KB    Out KB   Duration
    ---- ---- ---------- ---------- -------------- -------------- ---------- ---------------- ------ ------ ---------------- ------ -------- -------- ---------------
    1    1    0.00       0.83       0.00           1.75           icmp       172.16.1.100            -->    172.16.1.1              0        459302   51d18h29m53s
    2    1    55.25      1564.87    69.61          1874.94        tcp        172.16.1.102     52865  0

Spathgrp:%lu, icv action stats reset
Spathgrp:%lu, stats reset
Idns rr can't be inserted, limit [%d]
Idns rr, rra merge limit reached
Idns rr, isv group merge limit [%d] reached
Inline access, SSH session started, client ip [%s]
Inline access, SSH session ended, client ip [%s]
Inline access, API session started, client ip [%s]
Inline access, API session ended, client ip [%s]
Clearing all VFI configuration
Acquiring VFI reconfig state
Releasing VFI reconfig state
Pausing VFI operations
Resuming VFI operations
Attach failed, if_name [%s]
Poolip masq init failed
Ready, initial status [paused] reason [failover]
Ready, initial status [running]
Outside interface [%s%s], carrier ok, [interface up]
Outside interface [%s%s], carrier lost, [interface down]
Inside interface [%s%s], carrier ok, [interface up]
Inside interface [%s%s], carrier lost, [interface down]
Reconfig_lock released, timer exceeded
Failed, interface [%s] already in use
Failed, interface [%s] already in use


Event Code       Severity  Description
W-VFI%d-020900   2         isvgrp:%d, state change [down] caused by isv:%u, down count [%hu]
W-VFI%d-020901   2         isvgrp:%d, state change [up] caused by isv:%u, down count [%hu]
I-VFI%d-020902   4         Isv:%u [%s], admin state change [enable]
I-VFI%d-020903   4         Isv:%u [%s], admin state change [disable]
I-VFI%d-020904   4         Isv:%u [%s], state change [disable]
N-VFI%d-020905   3         Isv:%u [%s], state change [ok]
N-VFI%d-020906   3         Isv:%u [%s], state change [down]
N-VFI%d-020907   3         Isv:%u [%s], state change [incomplete]
I-VFI%d-020908   4         Isv:%u [%s], update timeout, state change [down]
I-VFI%d-020909   4         Isv:%u [%s], update timeout, state change [down]
I-VFI%d-021001   4         Iagrp:%d, icv action enable
I-VFI%d-021002   4         Iagrp:%d, icv action disable
I-VFI%d-021101   4         Qos:%lu, icv action stat reset
I-VFI%d-021102   4         Qos:%lu, stats reset
I-VFI%d-021201   4         Vfi, icv action stat reset
I-VFI%d-021202   4         Vfi, stat reset
A-VFIU-005000    1         Hub registration failed
I-WEB0-007000    4         Sid [%s], user[%s], login ok
I-WEB0-007001    4         Sid [%s], user[%s], logout ok

6.3. Appendix C: API Programming Examples

The following examples are samples of code in various languages that illustrate how to communicate with the Elfiq Link Balancer through the application programming interface. Any command that can be issued on the command line interface can be used in the application programming interface, which means that you are free to create maintenance, modification or monitoring applications tailored for all your needs.

Example in C

This is a simple Linux application in C. For other UNIX platforms, some modifications to the code, such as libraries and sockets, might be required. Please consult your platform’s respective documentation for more information.

    /* ------------------------------------------------------
       Author:      Elfiq Inc.
       Date:        2004
       Project:
       Source:      sample1.c
       Version:
       Description: very simple C app using Link Balancer API's
       Paths:
       Changes:
       ------------------------------------------------------ */
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <sys/select.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    #define LINK_LB_API_PORT 9998

    #define g_user   "mgmt"
    #define g_pass   "mgmt"
    #define g_enab   ""
    #define g_dest   "syst"
    #define g_cmd    "sh ver"
    #define g_dst_ip "192.168.30.245"

    // m a i n
    int main(void)
    {
        int                flags = 0;
        int                nb;
        int                rc;
        int                sock;
        char               ascii_ip[128];
        struct sockaddr_in s_in;
        struct in_addr     bin_ip;
        char               cmd_req[2048];
        char               buffer[65536];
        fd_set             fds;
        struct timeval     tv;
        socklen_t          s_len = sizeof(struct sockaddr_in);

        strcpy(ascii_ip, g_dst_ip);
        // inet_pton() returns 1 on success and 0 for a malformed address
        if (inet_pton(AF_INET, ascii_ip, &bin_ip) != 1) {
            printf("Invalid ip address [%s]\n", ascii_ip);
            return 0;
        }
        printf("Connecting to Link LB at [%s:%d]\n", ascii_ip, LINK_LB_API_PORT);

        memset(&s_in, 0x00, sizeof(struct sockaddr_in));
        memcpy(&s_in.sin_addr, &bin_ip, sizeof(struct in_addr));
        s_in.sin_family = AF_INET;
        s_in.sin_port   = htons(LINK_LB_API_PORT);

        if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
            printf("Can't open socket\n");
            return 0;
        }
        if ((rc = connect(sock, (struct sockaddr*)&s_in, s_len)) < 0) {
            close(sock);
            printf("Can't connect to [%s]\n", ascii_ip);
            return 0;
        }

        // the XML request template inside this format string is not reproduced here
        snprintf(cmd_req, sizeof(cmd_req), "", g_user, g_pass, g_enab, g_dest, g_cmd);
        // the request is prefixed with its length as 4 hexadecimal digits
        snprintf(buffer, sizeof(buffer), "%04X%s", (unsigned int)strlen(cmd_req), cmd_req);
        printf("Sending [%s]\n", buffer);

        // sending to the Link LB
        if ((nb = send(sock, buffer, strlen(buffer), 0)) != (int)strlen(buffer)) {
            close(sock);
            printf("Send failed\n");
            return 0;
        }

        // going into non-blocking mode for receiving
        flags = fcntl(sock, F_GETFL, 0);
        fcntl(sock, F_SETFL, flags | O_NONBLOCK);

        while (1) {
            FD_ZERO(&fds);          // initialise the file descriptor set
            FD_SET(sock, &fds);     // put our file descriptor in the set

            tv.tv_sec  = 2;         // 2 seconds for the timeout
            tv.tv_usec = 0;         // 0 micro-seconds

            // verifying that our socket is ready
            if ((rc = select(FD_SETSIZE, &fds, NULL, NULL, &tv)) < 0) {
                printf("Error in select\n");
                close(sock);
                return 0;
            } else if (rc == 0) {
                printf("Timeout in select\n");
                close(sock);
                return 0;
            } else {
                if (FD_ISSET(sock, &fds)) {
                    // getting the data, leaving room for the terminating NUL
                    if ((nb = recv(sock, buffer, sizeof(buffer) - 1, MSG_NOSIGNAL)) <= 0)
                        break;      // connection closed by the Link LB, or recv failed
                    buffer[nb] = '\0';
                    printf("Receiving [%s]\n", buffer);
                }
            }
        }
        close(sock);
        return 0;
    }

Example in Perl

Another example on Linux, but this time in Perl, which means that it should easily be ported to the platform of your choice.

    #!/usr/bin/perl
    # Elfiq Inc. 2004
    #
    # Simple API application for Link Balancer
    #
    use IO::Select;
    use IO::Socket;

    my $rc = 0;

    ############################################################################
    ## C O N F I G U R A T I O N
    ## C O N F I G U R A T I O N
    my $r_ip   = '192.168.30.245';   ## VIP or management IP of Link LB
    my $r_port = 9998;               ## default port for API
    my $r_user = 'mgmt';
    my $r_pass = 'mgmt';
    my $r_enab = 'mgmt';

    ## a list of commands
    my @list_cmd = (
        [ "syst", "set logging 192.168.30.252", 0 ],
        [ "syst", "sh conf", 0 ]
    );

    $rc = talk_to_linklb($r_ip, $r_port, \@list_cmd, $r_user, $r_pass, $r_enab);
    exit(0);

    ############################## R O U T I N E S #############################
    ############################## R O U T I N E S #############################
    ############################## R O U T I N E S #############################

    ## t a l k _ t o _ l i n k l b
    sub talk_to_linklb($$$$$$)
    {
        my $remote_ip    = shift;
        my $remote_port  = shift;
        my $ref_list_cmd = shift;
        my $user         = shift;
        my $pass         = shift;
        my $enab         = shift;

        my $sock = new IO::Socket::INET (
            PeerAddr => "$remote_ip",
            PeerPort => "$remote_port",
            Proto    => 'tcp'
        ) or return -1;
        $sock->autoflush(1);

        foreach my $lref (@$ref_list_cmd) {
            my $component = $$lref[0];
            my $command   = $$lref[1];
            my $timer     = $$lref[2];

            my $req_xml = "";
            my $req_len = 0;
            my $buffer  = "";

            ## the XML request text inside this string is not reproduced here
            $req_xml = "";
            $req_len = length($req_xml);
            $buffer  = sprintf("%04X%s", $req_len, $req_xml);
            print "the Request: req_xml = [$req_xml]\n";

            ## sending the request to the Link LB
            print $sock $buffer;

            my $rset = new IO::Select($sock);
            while (1) {
                my $tmp1;
                my @ready_set = $rset->can_read(1);   ## timeout of 1 second

                ## can_read returns an empty list on timeout
                if (@ready_set && $ready_set[0] == $sock) {
                    recv($sock, $tmp1, 65536, 0);
                    last if ("$tmp1" eq "");

                    ## removing answer length (4 digits in hex)
                    substr($tmp1, 0, 4) = "";

                    ## print the answer
                    print "$tmp1\n";

                    ## parse the XML here
                } else {
                    last;
                }
            }
            sleep($timer);
        } ## foreach

        close($sock);
        return 0;
    }
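Both samples above put a 4-digit hexadecimal length in front of the XML request ("%04X%s"), and the Perl sample strips the same 4 digits from each answer. The following C code is an added example, not one of Elfiq's samples: it builds a request frame and reassembles answers that TCP delivers split across several recv() calls or back to back. It assumes the length field of an answer counts the bytes that follow it, as it does for the request; the function names are hypothetical and the XML strings are constructed placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PREFIX_LEN   4          /* four hex digits, as in "%04X%s" */
#define MAX_PAYLOAD  0xFFFF     /* largest length four hex digits can express */

/* Build one request frame: 4-digit hex length followed by the XML text.
 * Returns the frame length, or -1 if the XML does not fit the prefix or out. */
int frame_encode(const char *xml, char *out, size_t out_sz)
{
    size_t len = strlen(xml);

    if (len > MAX_PAYLOAD || len + PREFIX_LEN + 1 > out_sz)
        return -1;
    snprintf(out, out_sz, "%04X%s", (unsigned int)len, xml);
    return (int)(len + PREFIX_LEN);
}

/* Receive-side buffer that survives answers split across recv() calls. */
struct frame_rx {
    char   buf[PREFIX_LEN + MAX_PAYLOAD];
    size_t used;
};

void frame_rx_init(struct frame_rx *rx) { rx->used = 0; }

/* Append bytes exactly as recv() returned them. Returns -1 when full. */
int frame_rx_feed(struct frame_rx *rx, const char *data, size_t n)
{
    if (n > sizeof rx->buf - rx->used)
        return -1;
    memcpy(rx->buf + rx->used, data, n);
    rx->used += n;
    return 0;
}

/* Extract the next complete frame into payload (NUL-terminated).
 * Returns 1 = frame copied, 0 = more bytes needed, -1 = prefix is not
 * hexadecimal or payload buffer too small. */
int frame_rx_next(struct frame_rx *rx, char *payload, size_t payload_sz)
{
    size_t len = 0, i;

    if (rx->used < PREFIX_LEN)
        return 0;
    for (i = 0; i < PREFIX_LEN; i++) {
        unsigned char c = (unsigned char)rx->buf[i];
        if (!isxdigit(c))
            return -1;          /* stream out of sync: close the connection */
        len = len * 16 + (size_t)(isdigit(c) ? c - '0' : toupper(c) - 'A' + 10);
    }
    if (rx->used < PREFIX_LEN + len)
        return 0;               /* body still in flight */
    if (len + 1 > payload_sz)
        return -1;
    memcpy(payload, rx->buf + PREFIX_LEN, len);
    payload[len] = '\0';
    /* whatever follows is the start of the next frame: keep it */
    rx->used -= PREFIX_LEN + len;
    memmove(rx->buf, rx->buf + PREFIX_LEN + len, rx->used);
    return 1;
}

int main(void)
{
    /* Constructed placeholder payloads: the real request and answer schema
     * is not reproduced on this page. */
    static struct frame_rx rx;
    char frame[64], xml[64];
    int rc;

    if (frame_encode("<placeholder-request/>", frame, sizeof frame) > 0)
        printf("request frame: %s\n", frame);

    frame_rx_init(&rx);
    frame_rx_feed(&rx, "000C<repl", 9);          /* first recv(): partial answer */
    rc = frame_rx_next(&rx, xml, sizeof xml);
    printf("after chunk 1: rc=%d\n", rc);
    frame_rx_feed(&rx, "y-one/>0004<a/>", 15);   /* second recv(): rest + next answer */
    while ((rc = frame_rx_next(&rx, xml, sizeof xml)) == 1)
        printf("answer: %s\n", xml);
    return rc < 0;
}
```

With four hexadecimal digits the largest payload one frame can announce is 65535 bytes, which is why frame_encode refuses anything longer instead of letting the length wrap.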

Example in .NET

Here is a sample of a VB.NET 2003 form which contains the relevant information for the Elfiq Link Balancer API. The complete VB.NET project is available in a compressed archive on the CDROM that came with your Link LB.

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim tcpClient As New TcpClient
        Try
            ' We connect to the Link LB's management IP and port
            tcpClient.Connect(Me.tbIP.Text, Integer.Parse(Me.tbPort.Text))
            tbOutput.Text = "Connected" & vbCrLf
            ' We send a command and wait for the response, for the first command,
            ' we must provide good username, password and enable password.
            ' We send the "sh ver" command to the "syst" module
            Me.SendCmd("sh ver", "syst", tbUsername.Text, tbPassword.Text, tbEnable.Text, tcpClient)
        Catch ex As ArgumentNullException
            Console.WriteLine("ArgumentNullException: {0}", ex)
        Catch ex As SocketException
            Console.WriteLine("SocketException: {0}", ex)
        Finally
            ' Close everything.
            tcpClient.Close()
            tcpClient = Nothing
        End Try
    End Sub

    Sub SendCmd(ByVal cmd As String, ByVal dst As String, ByVal username As String, ByVal password As String, ByVal enable As String, ByVal tcpClient As TcpClient)
        ' We build the command to send (in XML)
        Dim builder As New StringBuilder
        builder.Append("")
        ' We append the length (4 digits, in hexadecimal) of the XML command at the
        ' start (ex. 001A