ACOS 5.2.1-P3 System Configuration and Administration Guide

September, 2021
© 2021 A10 Networks, Inc. CONFIDENTIAL AND PROPRIETARY - ALL RIGHTS RESERVED.
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks, Inc. products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks, Inc. products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:

a10-virtual-patent-marking.

TRADEMARKS
A10 Networks, Inc. trademarks are listed at: a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and the information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks, Inc. or about its products or
services, including but not limited to fitness for a particular use and non-infringement. A10 Networks, Inc. has
made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks, Inc.
assumes no responsibility for its use. All information is provided "as-is." The product specifications and features
described in this publication are based on the latest information available; however, specifications are subject to
change without notice, and certain features may not be available upon initial product release. Contact A10 Networks, Inc. for current information regarding its products or services. A10 Networks, Inc. products and services
are subject to A10 Networks, Inc. standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations
regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest
A10 Networks, Inc. location, which can be found by visiting www.a10networks.com.
Table of Contents
Chapter 1: System Overview 18
ACOS Architecture 19
Details 19
ACOS Software Processes 19
Memory Pre-allocation 21
Hardware Interfaces 21
Software Interfaces 21
User Interfaces 21
Data Interfaces and IP Subnet Support 22
Application Delivery Control 22
Details 23
Intelligent Server Selection 23
SLB Configuration Templates 24
Server and Port Configuration Templates 24
Connectivity Templates 24
Application Templates 25
Outbound Next Hop Load Distributor 26
Transparent Cache Switching 26
Firewall Load Balancing 26
Where Do I Start? 27

Chapter 2: FIPS Support 28


FIPS Level 2 ACOS Models 29
FIPS Compliance for Hardware 29
SSL Modules 29
Tamper-Proof Seals 30
Internal Components in ACOS Device Chassis are Hidden 32
FIPS Compliance for Software 33
Software Upgrade Image 33
RMAs 33
Lost Passwords 33
FIPS Compliance Usage Guidelines 34


Transferring Files To or From ACOS 34


SNMPv3 Configuration 34
Data Plane Certificate Generation 35
RSA Key and Certificate Import 35
ECDSA Key and Certificate Import 35
DNSSec Configuration 36
SSL/TLS Support for FIPS Compliance 36
CLI Support for FIPS Compliance 37
Web Access Support for FIPS Compliance 37
Web Server Support for FIPS Compliance 38

Chapter 3: Jumbo Frames 39


Overview of Jumbo Frames on ACOS Devices 40
Details 40
Additional Notes 40
Configuring Jumbo Frame Support 41
Configuring Jumbo Frame Support Using the GUI 41
Changing the MTU on an Interface 41
Disabling Jumbo Support 41
Configuring Jumbo Frame Support Using the CLI 42
Globally Enable Jumbo Frame Support on your ACOS Device 43
Changing the MTU on an Interface 43
Creating a TCP-proxy Template and Apply to VIP 43
Disabling Jumbo Frame Support 44
Viewing MTU Interface Settings 44

Common Setup Tasks 47


Chapter 4: Logging On 48
User Interfaces 49
Logging On to the CLI 50
Logging On to the GUI 51
Console Restart 54
Configuring ADC and CGN on the Same Device 55


Chapter 5: Configuring Basic System Parameters 56


Setting the System Time and Date 57
Setting the Clock 57
Using the GUI to Set the Clock 57
Using the CLI to Set the Clock 58
Setting the NTP Interface 59
Setting the NTP Server 59
Using the GUI to Set the NTP Server 59
Using the CLI to Set the NTP Server 60
Setting the NTP Server Authentication 61
Details 61
Configuring NTP Server Authentication 61
Using the GUI to Set NTP Server Authentication 62
Using the CLI to Set NTP Server Authentication 62
Setting the Hostname and DNS Parameters 63
Using the GUI to Set the Hostname and DNS Parameters 63
Using the CLI to Set the Hostname and DNS Parameters 64
Setting the CLI Banners 65
Details 65
Using the GUI to Set the CLI Banners 65
Using the CLI to Set the CLI Banners 66
Replacing the Web Certificate 66
Details 66
Using the CLI to Replace the Web Certificate 67
Configuring Increased I/O Buffer Support 67
Configuring the Management Interface 68
Details 69
Using the GUI to Configure the Management Interface 69
Using the CLI to Configure the Management Interface 70

Chapter 6: Deployment Examples 72


Deployment Modes 73
Transparent Mode Deployment 73
Deployment Examples 73


Configuration Example 74
Using the GUI 74
Using the CLI 74
Routed Mode Deployment 75
Deployment Example 75
Configuration Example 76
Using the GUI 76
Configuring the Default Route 77
Using the CLI 77

Chapter 7: vThunder 78
vThunder for Multiple Hypervisors 79
vThunder Installation 80
Installation Details 80
Management of vThunder 80
vThunder Feature Support 80
Application Delivery Partition Support 81

Configuration Management 82
Chapter 8: Backing Up System Information 83
Details 84
Overview of System Backup 84
Using the GUI to Perform a Backup 85
Using the CLI to Perform a Backup 86
Restoring from a Backup 86
System Memory 87
FTA versus Non-FTA 87
L3V Partitions 87
Port Splitting 87
Port Mapping 88
What is Not Restored? 88
Restore Example 88
Enhancing the Dynamic Port Breakout Support for Thunder 7x50 Series 91
Introduction 91
Overview 91


Feature Description 92
Implementing the Dynamic Port Breakout Support 92
Implementing the Logical Port Mapping Support 92
Supporting the Dynamic Port Breakout 92
Example for the Port Mapping Implementation 93
Applying the Feature Details 94
Port Numbering 94
Important Points for the Breakout Feature 94
Example of the Feature Implementation 95
Impact Details for the Feature 98
Saving Multiple Configuration Files Locally 98
Understanding Configuration Profiles 99
Using the CLI to Save Configurations 100
Using the CLI to View Configurations 101
Using the CLI to Copy Configurations 101
Using the CLI to Compare Configurations 102
Using the CLI to Link Configuration Profiles 102
Using the CLI to Delete a Profile 103
CLI Example of Configuration Profile Management 104

Chapter 9: Source Interface for Management Traffic 106


Using the Management Interface as the Source for Management Traffic 107
Understanding Route Tables 107
Keeping the Management and Data Interfaces in Separate Networks 108
Management Routing Options 108
Configuring the Management Interface as Source for Automated Management Traffic 109
Configuring the Management Interface as Source Interface for Manually Generated Management Traffic 109
Using a Loopback or Virtual Ethernet Interface as the Source for Management Traffic 110
Loopback Interface Management Traffic Types 110
Loopback Interface Implementation Notes 111
Loopback Interface Limitations 111
Configuring a Loopback Interface for Management Traffic 112
Configuring a Virtual Ethernet Interface for Management Traffic 112


Chapter 10: Dynamic and Block Configuration 113


Overview of Dynamic and Block Configuration 114
Block Configuration Modes for CMDB 114
Block-Merge Mode 114
Block-Replace Mode 116
Expected Behaviors in Block Mode 117
Block Configuration Modes for aFleX 118

Chapter 11: Boot Options 119


Storage Areas 120
Details 120
Displaying Current Storage Information 121
Using the GUI to View Storage Information 121
Using the CLI to View Storage Information 122
Displaying the Storage Location for Future Reboots 123
Using the GUI to View the Storage Location for Future Reboots 123
Using the CLI to View the Storage Location for Future Reboots 123
Booting from a Different Storage Area 123
Details 124
Temporarily Changing the Boot Image for the Next Reboot 124
Permanently Changing the Storage Location for Future Reboots 126
Using the GUI to Change the Location for Future Reboots 127
Using the CLI to Change the Location for Future Reboots 127

Chapter 12: Power On Auto Provisioning 129


Power On Auto Provisioning Overview 130
Power On Auto Provisioning Process 130
Feature Description 131
Configuring Power On Auto Provisioning Process 132
System Logs and Error Messages 133

Chapter 13: Fail-Safe Automatic Recovery 134


Error Types Monitored by Automatic Recovery 135
Hardware Errors 135
Software Errors 135
Recovery Timeout 136


Total Memory Decrease 136


Configuring Fail-Safe Automatic Recovery 137
Example of Fail-safe for Total Memory Decrease 139

Chapter 14: Installing the Systems Center Virtual Machine Manager Gateway Plugin 142
Prerequisites 143
Installing the Gateway Plugin 143
Configuring the A10 Networks Overlay Gateway Interface in the VMM 144
Verifying Configuration Prerequisites 144
Configuring the A10 Networks Gateway 145
Verifying the Configuration 150

Monitoring Tools 152


Chapter 15: System Log Messages 153
Destinations for Syslog Messages 154
Syslog Message Severity Levels 154
Configurable Syslog Parameters 154
System Log Settings 155
Operational Logging 161
Configuring Single-Priority Logging 162
Configuring Log Rate Limiting 162
Details 163
Configuring Log Rate Limiting Using the GUI 163
Configuring Log Rate Limiting Using the CLI 163
Specifying Multiple Syslog Servers 164
Specifying Protocol Ports 164
Sending the Syslog Over TLS/SSL 165
Sending Log Messages to a Server in Another Partition 166
Sending Log Messages by Email 166

Chapter 16: Event Logging System 168


Event Logging System 169
Syslog 169
Common Event Format (CEF) 169


Event Logs 169


acos events 169
Configuration Example 177
Log Replication 179
Event Logging with the Active Template 180
Event Logging without the Active Template 180
CLI Configuration 181
Counters 181

Chapter 17: Emailing Log Messages 185


Overview of Email Logging 186
Boolean Operators 186
Configuring Email Log Settings 187
Using the GUI to Configure Email Logging Settings 187
Using the CLI to Configure Email Logging Settings 188

Chapter 18: Simple Network Management Protocol (SNMP) 189


SNMP MIB Information 190
Downloading the MIBs 190
AX MIB Groups 190
AX MIB Files 191
MIB Access 192
SNMP RFCs supported 192
ifIndex Table Support 196
SNMP Support on the ACOS Device 196
Partition-aware SNMP Configuration 197
Details 197
Prerequisites 198
Known Limitations 198
SNMP Views and Community Strings 198
SNMP Views 199
Details 199
Using the GUI to Configure SNMP Views 199
Using the CLI to Configure SNMP Views 199
SNMP Community Strings 200


Details 200
Using the GUI to Configure an SNMP Community String 200
Using the CLI to Configure an SNMP Community String 200
Configuring SNMP Groups 202
Using the GUI to Configure SNMP Groups 202
Using the CLI to Configure SNMP Groups 203
Configuring AES or DES Encryption for SNMPv3 Users 203
Details 203
Using the GUI to Configure Encryption for SNMPv3 Users 204
Using the CLI to Configure Encryption for SNMPv3 Users 204
Configuring SNMP Traps 205
Enabling SNMP Traps 205
Using the GUI to Enable SNMP Traps 206
Using the CLI to Enable SNMP Traps 206
Disabling SNMP Traps for L3V Partitions 208
Configuring SNMP 209
Details 209
Using the GUI to Configure SNMP 209
Using the CLI to Configure SNMP 210
Configuring the Source Interface for SNMP Notifications 211
Details 211
Using the GUI to Configure the SNMP Source Interface 212
Using the CLI to Configure the SNMP Source Interface 212

Chapter 19: Link Monitoring 213


Overview of Link Monitoring 214
Link Monitoring Actions 214
Link Monitor Template Sequence Numbers 214
Link Monitor Template Logical Operators 215
Configuring Link Monitor 216

Chapter 20: ACE Monitoring and Analytics 218


ACE Monitoring and Show Command Options 219
Discovery Monitoring 219
Related Commands 219


Granularity 219
Cumulative Updates 220
Collection of Statistics 220
Anomaly Detection 220
Related CLI Commands 221
Notification Templates 221
Details 221
Notification Events 221
Notification Data 222
Notification Template Properties 222
Notification Template Examples 222
Creating a Notification Template 223
Deleting a Template 224
Enabling a Template 224
Disabling a Template 225
Binding a Template 225
Configuring Visibility on ACOS 226
Visibility and Analytics Monitoring 227
Functionalities 227
Configuration Example 227
Secondary Monitoring on ACOS 229
Details 229
Anomaly Detection Example 229
Session Indexing 230
Details 230
Known Issues or Limitations 230
CLI Configuration 231

Chapter 21: Gateway Health Monitoring 232


Gateway Health Monitoring Overview 233
Gateway Health Monitoring Configurable Parameters 233
Configuring Gateway Health Monitoring 235
Using the GUI to Configure Gateway Health Monitoring 235
Using the CLI to Configure Gateway Health Monitoring 235


Chapter 22: Multiple Port-Monitoring Mirror Ports 237


Overview of Port Mirroring 238
Configuring Mirror Ports 238
Port Monitoring and Mirroring for aVCS Devices 240
Removing Mirror Port Configuration 241

Chapter 23: NetFlow v9 and v10 (IPFIX) 242


NetFlow Overview 243
NetFlow Versions Supported 243
NetFlow Parameters 244
Formatting of NetFlow Records for Long-Lived Sessions 246
Formatting Procedure 246
Formatting of NetFlow Records 247
Predefined NetFlow Templates 248
SLB NetFlow Templates 248
CGN NetFlow Templates 250
Templates for A10 Flow Records with NAT Addresses 250
Templates for NAT Session Event Records 253
Templates for NAT Port Mapping Event Records 255
Templates for NAT Port Batching Event Records 256
Templates for NAT Port Batching v2 Event Records 258
Firewall Event Records Templates 259
Supported NetFlow Templates (ADC/CGN/FW) 260
Supported IPFIX Information Elements 273
Notes 292
Log Information for Closed Sessions (CGN/FW) 293
Configuring Custom Templates 293
Examples Reference 294
Terminating a Session 294
Custom IPFIX Templates 295
Overview 296
Configuration Details 297
Supported Event Types 298
Sample Custom Templates 299


Example 1: For sesn-event-nat44-creation and sesn-event-nat44-deletion 300


Example 2: For sesn-event-nat64-creation, sesn-event-nat64-deletion, sesn-event-dslite-creation, sesn-event-dslite-deletion 301
Example 3: For sesn-event-fw4-creation, sesn-event-fw4-deletion 302
Example 4: For sesn-event-fw6-creation, sesn-event-fw6-deletion 303
Example 5: For port-mapping-nat44-creation, port-mapping-nat44-deletion 304
Example 6: For port-mapping-nat64-creation, port-mapping-nat64-deletion, port-mapping-dslite-creation, port-mapping-dslite-deletion 304
Example 7: For port-batch-nat44-creation, port-batch-nat44-deletion 305
Example 8: For port-batch-nat64-creation, port-batch-nat64-deletion, port-batch-dslite-creation, port-batch-dslite-deletion 305
Example 9: For port-batch-v2-nat44-creation, port-batch-v2-nat44-deletion 306
Example 10: For port-batch-v2-nat64-creation, port-batch-v2-nat64-deletion, port-batch-v2-dslite-creation, port-batch-v2-dslite-deletion 306
Example 11: For deny-reset-event-fw4 307
Example 12: For deny-reset-event-fw6 307
Configuring NetFlow 308
Overview 308
Using the GUI to Configure NetFlow 309
Using the CLI to Configure NetFlow 310
CLI Example: Single Collector 311
CLI Example: Multiple Collectors (SLB) 311
CLI Example: Multiple Collectors (CGN) 312
CLI Example: Firewall Session Event 312
Disabling CGN Logs based on Destination Protocol and Port Criteria 313

Chapter 24: sFlow 314


sFlow Overview 315
sFlow Sampling Types 315
Details 315
Counter Polling Interval 316
Packet Sampling Rate 316
Information Included in sFlow Datagrams 317
sFlow Configuration 317
Configuring the sFlow Data Collection 317


Using the GUI to Configure sFlow 318


Using the CLI to Configure sFlow 319
sFlow Config Snippets for GUI Support 320
Other Details 321

Network Address Translation (NAT) 322


Chapter 25: Configuring Dynamic NAT 323
Configuration Elements for Dynamic NAT 324
Configuring Dynamic IP Source NAT 325
Details 325
Using the GUI to Configure Dynamic IP Source NAT 326
Using the CLI to Configure Dynamic IP Source NAT 328

Chapter 26: Configuring Static NAT 330


Configuration Elements for Static NAT 331
Configuring Static IP Source NAT 331
Details 331
Using the GUI to Configure Static IP Source NAT 331
Using the CLI to Configure Static IP Source NAT 333
Support for Inter-Partition Static NAT and Overlapping IP Addresses 333

Chapter 27: NAT ALG Support for PPTP 335


Overview of NAT ALG Support for PPTP 336
Configuring NAT ALG Support for PPTP 337

Chapter 28: Additional NAT Configuration Features 340


Faster Timeout for TCP/UDP IP NAT Translations 341
Mapping Allocation Method 341
Details 341
Using the GUI 342
Using the CLI 342
Fast Aging for IP NATted ICMP and DNS Sessions 342
Details 342
Using the GUI 343
Using the CLI 344
CLI Example 344


Client and Server TCP Resets for NATted TCP Sessions 345
Using the GUI 345
Using the CLI 345
Requirements for Translation of DNS Traffic 346
Pool-specific TCP Maximum Segment Life 346
Details 346
Using the GUI 347
Using the CLI 347
CLI Example 347
IP NAT Use in Transparent Mode in Multi-netted Environment 348
NAT Range List Requires ACOS Device Interface or Route Within the Global Subnet 348
IP NAT in HA Configurations 349
Details 349
Using the GUI 349
Using the CLI 349

System Geo-location Mappings 351


Chapter 29: Geo-location Mappings 352
Loading or Configuring Geo-location Mappings 353
Geo-location Mappings Overview 353
Geo-location Database Files 353
Geo-location Database File Example 354
Creating and Loading a Custom Geo-location Database 355
Details 355
Configuring the CSV Template (CLI Procedure) 356
CSV File Field Delimiter 356
Importing the CSV File (CLI Procedure) 356
Loading the CSV File Data into the Geo-location Database (CLI Procedure) 357
Manually Configuring Geo-location Mappings 357
Details 357
Displaying the Geo-location Database (CLI Procedure) 358
Displaying the Geo-location Database (CLI Example) 358
Configuring Geo-location Entry through CLI 359
Loading Geo-location Database to ACOS 359


Details 359
Loading MAXMIND Database 360
Preparing the CSV File 361
Importing User Defined CSV Geo-location File into ACOS 361
Verifying Geo-location Configuration 362
Geo-location Lists 362
Details 363
CLI Configuration Options for Geo-location Lists 363
Details 363
Configuration Example for Geo-location List 364
Geo-location Name Active/Inactive 365
Geo-location Lists on Shared Partitions 366
Hit Counter 366
Configuration Output Examples 366
GUI Configuration Options for Geo-location Lists 367
Details 368
Geo List Page 368
Geo Database 369
Adding a New System Geo Location Entry 370
File Management 371
Importing Geo-location Database from a Local Page 372
Importing Geo-location Database from a Remote Server Page 373
Exporting Geo-location Database into Remote Server Page 374
Exporting Geo-location Database into a Local Drive 375

Chapter 1: System Overview
This chapter provides a brief overview of the A10 Thunder Series and AX Series systems and
features.

The following topics are covered:

ACOS Architecture 19

Hardware Interfaces 21

Software Interfaces 21

Application Delivery Control 22

Where Do I Start? 27


ACOS Architecture
The following topics are covered:

Details 19

ACOS Software Processes 19

Memory Pre-allocation 21

Details

A10 Thunder® Series and AX™ Series devices use the embedded Advanced Core Operating System (ACOS) architecture. ACOS is built on top of a set of Symmetric Multi-Processing CPUs and uses a shared memory architecture to maximize application data delivery.

ACOS is designed to handle high-volume application data with integrated Layer 2 / Layer 3 processing and integrated SSL acceleration built into the system. In addition, ACOS incorporates the A10 Networks customizable aFleX scripting language, which provides administrators with configuration flexibility for application data redirection.

ACOS inspects packets at Layers 2, 3, 4, and 7 and uses hardware-assisted forwarding. Packets are processed and forwarded based on the ACOS configuration.

You can deploy the ACOS device into your network in transparent mode or gateway (route) mode.

• Transparent mode – The ACOS device has a single IP interface. For multinetted environments, you can configure multiple Virtual LANs (VLANs).
• Route mode – Each ACOS interface is in a separate IP subnet.

ACOS Software Processes

The ACOS software performs its many tasks using the following processes:

• a10mon – Parent process of the ACOS device. This process is executed when the system comes up. The a10mon process does the following:
  ◦ Brings user-space processes up and down.
  ◦ Monitors all its child processes and restarts a process, together with all processes that depend on it, if any of them die.
• syslogd – System logger daemon that logs kernel and system events.
• a10logd – Fetches all the logs from the ACOS log database.
• a10timer – Schedules and executes scheduled tasks.
• a10stat – Monitors the status of all the main processes of the ACOS device, such as a10switch and a10lb. Also probes every thread within these processes to ensure that they are responsive. If a thread is deemed unhealthy, a10stat kills the process, after which a10mon restarts the process and the other processes associated with it.
• a10switch – Contains libraries and APIs to program the switching ASIC to perform Layer 2 and Layer 3 switching at wire speed.
• a10hm – Performs health checks for real servers and services. This process sends pre-configured requests to external servers at pre-defined intervals. If a server or individual service does not respond, it is marked down. Once the server or service starts responding again, it is marked up.
• a10rt – Routing daemon, which maintains the routing table with routes injected from OSPF, as well as static routes.
• a10rip – Implements the RIPv1 and RIPv2 routing protocols.
• a10ospf – Implements the OSPFv2 routing protocol.
• a10snmpd – SNMPv2c and v3 agent, which services MIB requests.
• a10wa – Embedded web server residing on the ACOS device. This process serves the web-based management Graphical User Interface (GUI).
• a10gmpd – Global SLB (GSLB) daemon.
• a10snpm_trapd – Handles SNMP traps initiated by a10lb.
• a10lb – The heart of the ACOS device. This process contains all the intelligence to perform Application Delivery Control.
• rimacli – This process is automatically invoked when an admin logs into the ACOS device through an interface address. The admin is presented with a Command Line Interface (CLI) that can issue and save commands to configure the system.


Memory Pre-allocation

As part of normal operation, ACOS pre-allocates memory. For this reason, memory utilization
can be high even when the device first boots up. The system allocates more memory if
needed for burst conditions. In this case, the additional memory is freed only slowly, in case
further burst conditions occur.

Hardware Interfaces
See the Installation Guide for your A10 Thunder Series model.

Software Interfaces
The following topics are covered:

User Interfaces 21

Data Interfaces and IP Subnet Support 22

User Interfaces

The ACOS device can be configured by using the following user interfaces:

• Graphical User Interface (GUI).

  For help using the GUI, refer to the online help available directly from the GUI.

• Command Line Interface (CLI) accessible using the console, Telnet, or Secure Shell (v1 and v2).

  Telnet sends credentials and session data in cleartext, and SSH protocol version 1 has known weaknesses; use SSH version 2 for remote CLI access.

  For additional information, refer to the Command Line Interface Reference guide, or the CLI reference chapters in some of the configuration guides.

• Simple Network Management Protocol (SNMP) v1, v2c, and v3

  SNMP v1 and v2c authenticate requests with cleartext community strings; where SNMP access is needed, prefer v3 with authentication and privacy (see Configuring AES or DES Encryption for SNMPv3 Users).

  NOTE: For additional information, refer to Simple Network Management Protocol (SNMP).

• XML Application Programming Interface (aXAPI)

  For more information, refer to the aXAPI Reference, available as part of the documentation library.

Data Interfaces and IP Subnet Support

The ACOS device has a management interface and data interfaces. The management interface is a physical Ethernet port. A data interface is a physical Ethernet port, a trunk group, or a Virtual Ethernet (VE) interface.

The management interface can have a single IPv4 address and/or a single IPv6 address.

An ACOS device deployed in transparent mode (Layer 2) can have a single IP address for all
data interfaces. The IP address of the data interfaces must be in a different subnet than the
management interface’s address.

An ACOS device deployed in route mode (Layer 3) can have separate IP addresses on each
data interface. No two interfaces can have IP addresses that are in the same subnet. This
applies to the management interface and all data interfaces.
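The addressing rules in this section are easy to get wrong when a plan is drafted on paper before the device is touched, and the separation between the management subnet and the data subnets is what keeps management traffic off the data-facing interfaces (see Keeping the Management and Data Interfaces in Separate Networks). The following Python script, added here as an illustration and not A10 code, checks a draft plan against the rules above before anything is entered on the device. The plan format (a deployment mode string, the management addresses, and a dict of data interface name to CIDR addresses) and the name check_plan are assumptions; the script treats any overlapping prefixes as a conflict, which is stricter than identical subnets but catches a /23 drawn over a neighbouring /24.

```python
"""Check a draft ACOS interface address plan against the subnet rules in
"Data Interfaces and IP Subnet Support". Added illustration, not A10 code.

Plan format (assumed): mode is "transparent" or "route"; mgmt is a list of
CIDR strings on the management interface; data maps a data interface name
to a list of CIDR strings.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List


def _ifaces(addrs: List[str]) -> list:
    return [ipaddress.ip_interface(a) for a in addrs]


def _same_subnet(a, b) -> bool:
    # Overlapping prefixes of the same IP version count as a conflict. This is
    # stricter than "identical subnet" but catches a wider prefix drawn over a
    # narrower one, which breaks the separation just as badly.
    return a.version == b.version and a.network.overlaps(b.network)


def check_plan(mode: str, mgmt: List[str], data: Dict[str, List[str]]) -> List[str]:
    """Return the rule violations found; an empty list means the plan is valid."""
    errors: List[str] = []
    mgmt_if = _ifaces(mgmt)

    # Rule: the management interface holds one IPv4 and/or one IPv6 address.
    for ver in (4, 6):
        if sum(1 for a in mgmt_if if a.version == ver) > 1:
            errors.append(f"management: more than one IPv{ver} address")

    if mode == "transparent":
        # Rule: a single IP address shared by all data interfaces ...
        shared = {frozenset(addrs) for addrs in data.values()}
        if len(shared) > 1:
            errors.append("transparent: all data interfaces must share a single IP address")
        # ... and it must not be in the management interface's subnet.
        for addrs in shared:
            for d in _ifaces(sorted(addrs)):
                for m in mgmt_if:
                    if _same_subnet(d, m):
                        errors.append(f"data address {d} is in the management subnet {m.network}")
    elif mode == "route":
        # Rule: no two interfaces, management included, in the same subnet.
        table = [("management", m) for m in mgmt_if]
        for name, addrs in data.items():
            table.extend((name, d) for d in _ifaces(addrs))
        for (n1, a1), (n2, a2) in combinations(table, 2):
            if n1 != n2 and _same_subnet(a1, a2):
                errors.append(f"{n1} {a1} and {n2} {a2} are in the same subnet")
    else:
        errors.append(f"unknown deployment mode {mode!r}")
    return errors


if __name__ == "__main__":
    # Constructed sample plan: the management address collides with ethernet 1.
    plan = {"ethernet 1": ["10.0.0.7/24"], "ethernet 2": ["192.168.2.1/24"]}
    for problem in check_plan("route", ["10.0.0.5/24"], plan):
        print("violation:", problem)
```

Running the script as written reports the route-mode collision between the management address and ethernet 1; the same function applied to a transparent-mode plan reports a data address that lands in the management subnet, or data interfaces that do not share one address.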

Application Delivery Control


Application Delivery Control (ADC) is a suite of resource management features that make
server farms more reliable, more efficient, and help optimize performance.

The following topics are covered:

Details 23

Intelligent Server Selection 23

SLB Configuration Templates 24

Outbound Next Hop Load Distributor 26

Transparent Cache Switching 26

Firewall Load Balancing 26


Details

You can easily grow server farms in response to changing traffic flow, while protecting the
servers behind a common virtual IP address. From the perspective of a client who accesses
services, requests go to and arrive from a single IP address. The client is unaware that the
server is in fact multiple servers managed by an ACOS device. The client simply receives
faster, more reliable service.

Moreover, you do not need to wait for DNS entries to propagate for new servers. To add a new
server, you simply add it to the configuration for the virtual server, and the new real server
becomes accessible immediately.

FIGURE 1-1: SLB Example

Intelligent Server Selection

The services managed by the ACOS device are controlled by service groups. A service group
is a set of real servers. The ACOS device selects a real server for a client’s request based on a
set of tunable criteria including server health, server response time, and server load. These
criteria can be tuned for individual servers and even individual service ports.


Once a client request hits the service group, the ACOS device picks a server based on the configured load balancing algorithm and template.

The ACOS device provides a robust set of configurable health monitors for checking the
health (availability) of servers and individual services.
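To make the selection and health-marking behaviour described above concrete, here is a small Python model, added as an illustration and not A10's implementation: members are filtered by health first, then chosen by weighted least-connections or fastest response, and a monitor marks a member down after a run of failed probes and up again after a run of successes. The class and function names, the per-member fields and the up/down thresholds are assumptions; the real ACOS algorithms and health-monitor options are documented in its SLB guides, not in this overview.

```python
"""Health-aware service-group member selection. Added illustration, not the
ACOS implementation: names, fields and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RealServer:
    name: str
    port: int
    weight: int = 1            # tunable per server and per service port
    active_conns: int = 0      # current load
    response_ms: float = 0.0   # response time of the latest successful probe
    healthy: bool = True       # state set by the health monitor
    fails: int = field(default=0, repr=False)    # consecutive failed probes
    passes: int = field(default=0, repr=False)   # consecutive passed probes


class HealthMonitor:
    """Marks a member down after `down_after` consecutive failed probes and up
    again after `up_after` consecutive successes (assumed thresholds). Using a
    run rather than a single probe avoids flapping on one lost packet."""

    def __init__(self, down_after: int = 3, up_after: int = 2):
        self.down_after = down_after
        self.up_after = up_after

    def record(self, s: RealServer, responded: bool, rtt_ms: float = 0.0) -> bool:
        """Feed one probe result for member s; returns the member's new state."""
        if responded:
            s.fails, s.passes = 0, s.passes + 1
            s.response_ms = rtt_ms
            if not s.healthy and s.passes >= self.up_after:
                s.healthy = True
        else:
            s.passes, s.fails = 0, s.fails + 1
            if s.healthy and s.fails >= self.down_after:
                s.healthy = False
        return s.healthy


def select(group: List[RealServer], method: str = "least-conn") -> Optional[RealServer]:
    """Pick a member for a new request, or None if every member is down."""
    up = [s for s in group if s.healthy]
    if not up:
        # Never fall back to a down member: failing the request is safer than
        # sending it to a server the monitor has just declared unresponsive.
        return None
    if method == "least-conn":
        # Weighted least connections: load is normalised by weight; the name
        # breaks ties so the choice is deterministic.
        return min(up, key=lambda s: (s.active_conns / s.weight, s.name))
    if method == "fastest":
        return min(up, key=lambda s: (s.response_ms, s.name))
    raise ValueError(f"unknown selection method {method!r}")


if __name__ == "__main__":
    # Constructed service group: three real servers behind one virtual port.
    group = [RealServer("web1", 80, weight=2, active_conns=10, response_ms=5.0),
             RealServer("web2", 80, weight=1, active_conns=3, response_ms=20.0),
             RealServer("web3", 80, weight=1, active_conns=0, response_ms=1.0)]
    hm = HealthMonitor()
    for _ in range(3):
        hm.record(group[2], responded=False)   # web3 stops answering probes
    chosen = select(group)
    print("least-conn picks", chosen.name if chosen else None)
```

With the constructed group, web3 is the least loaded member until three missed probes take it out of rotation; the next request goes to web2 under least-connections (3 connections at weight 1 versus web1's 10 at weight 2), and to web1 under fastest-response. Two good probes bring web3 back.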

SLB Configuration Templates

SLB configuration is simplified by the use of templates. Templates simplify configuration by enabling you to configure common settings once and use them in multiple service configurations. The ACOS device provides templates to control server and port configuration parameters, connectivity parameters, and application parameters.

The following topics are covered:

Server and Port Configuration Templates 24

Connectivity Templates 24

Application Templates 25

Server and Port Configuration Templates


The ACOS device provides the following types of server and port configuration templates:

• Server – Controls parameters for real servers
• Port – Controls parameters for service ports on real servers
• Virtual server – Controls parameters for virtual servers
• Virtual port – Controls parameters for service ports on virtual servers

Connectivity Templates
The ACOS device provides the following types of connectivity templates:

• TCP-Proxy – Controls TCP/IP stack parameters such as transmit, buffer, and so on
• TCP – Controls TCP connection settings such as the idle timeout for unused sessions, and specifies whether the ACOS device sends TCP Resets to clients or servers after a session times out
• UDP – Controls UDP connection settings such as the idle timeout for unused sessions, and specifies how quickly sessions are terminated after a server response is received

Application Templates
The following types of application templates are provided:

l DBLB – MS-SQL and MySQL database load balancing.


l Diameter – Provides proxy service and load balancing for Diameter AAA
l DNS – Provides DNS security and optimization.
l HTTP – Provides a robust set of options for HTTP header manipulation and for load bal-
ancing based on HTTP header content or the URL requested by the client, and other
options
l FTP – Provides load balancing for FTP traffic.
l Policy – Uses Policy-based SLB (PBSLB) to permit or deny clients, or direct them to ser-
vice groups, based on client black/white lists
l External-service – Adds capabilities needed for intelligently steering traffic based on
application (example: Internet Content Adaptation Protocol [ICAP]).
l Cache – Caches web content on the ACOS device to enhance website performance for
clients
l Client SSL – Offloads SSL validation tasks from real servers
l Server SSL – Validates real servers on behalf of clients
l Cipher – Contains a set of SSL ciphers that can be applied to a client-SSL or server-SSL
template.
l Connection reuse – Reduces overhead from TCP connection setup by establishing and
reusing TCP connections with real servers for multiple client requests
l Cookie persistence – Inserts a cookie into server replies to clients, to direct clients to
the same service group, real server, or real service port for subsequent requests for the
service
l Source-IP persistence – Directs a given client, identified by its IP address, to the same
service port, server, or service group


l Destination-IP persistence – Configures persistence to real servers based on destination
IP address
l FIX – Configures Financial Information eXchange load balancing.
l Logging – Configures logging to external servers over TCP.
l SSL session-ID persistence – Directs all client requests for a given virtual port, and that
have a given SSL session ID, to the same real server and real port
l SIP – Customizes settings for load balancing of Session Initiation Protocol (SIP) traffic
l SMPP – Configures load balancing for Short Message Peer to Peer (SMPP).
l SMTP – Configures STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients
l Streaming-media – Directs client requests based on the requested content

Where applicable, the ACOS device automatically applies a default template with commonly
used settings. For example, when you configure SLB for FTP, the ACOS device automatically
applies the default TCP template. If required by your application, you can configure a dif-
ferent template and apply that one instead. The configuration examples in this guide show
how to do this.

Outbound Next Hop Load Distributor

Outbound Next Hop Load Distributor (NHLD) balances client-server traffic across a set of
WAN links. With outbound NHLD, the clients are located on the internal side of the network.
The servers are located on the external side of the network.

Transparent Cache Switching

Transparent Cache Switching (TCS) enables you to improve server response times by redir-
ecting client requests for content to cache servers containing the content.

Firewall Load Balancing

Firewall Load Balancing (FWLB) maximizes throughput through firewall bottlenecks by load
balancing server-client sessions across the firewalls.


Where Do I Start?
l To configure basic system settings, see Common Setup Tasks.
l To configure network settings, see the Network Configuration Guide.
l To configure management access security features, see the Management Access Secur-
ity guide.
l To configure and secure application delivery and load balancing features, see the
Application Delivery Controller Guide.

Chapter 2: FIPS Support
The A10 Thunder Series supports the National Institute of Standards and Technology (NIST)
Federal Information Processing Standards (FIPS) Publication 140-2 for Security Level 2.

FIPS 140-2 Level 2, also referred to simply as FIPS Level 2, improves on Level 1 and extends
the physical security boundary to encompass the entire appliance and not just its internal
components.

NOTE: FIPS 140-2 requirements and specifications are described in the
NIST document, which can be accessed at:
http://csrc.nist.gov/groups/STM/cmvp/standards.html#02

The following sections describe the FIPS Level 2 support in A10 Thunder Series devices begin-
ning with the earlier ACOS Release version 4.1.1-P3.

l FIPS Level 2 ACOS Models
l FIPS Compliance for Hardware
l FIPS Compliance for Software
l FIPS Compliance Usage Guidelines
l SSL/TLS Support for FIPS Compliance
l CLI Support for FIPS Compliance
l Web Access Support for FIPS Compliance
l Web Server Support for FIPS Compliance


FIPS Level 2 ACOS Models


The following ACOS models are compliant with FIPS Level 2 and the contemporary require-
ments for FIPS Level 2 validation and certification. They are in-process and undergoing cer-
tification testing by NIST.

l TH-3030S (with 1 SSL Module)
l TH-4440S (with 2 SSL Modules)
l TH-6630S (with 4 SSL Modules)
l TH-7440S (with 4 SSL Modules)

NOTE: The FIPS models listed above must be ordered and shipped
directly from A10 Networks. Converting or upgrading a
standard (non-FIPS) ACOS unit to a FIPS unit (through the
field upgrade process) is not supported.

FIPS Compliance for Hardware


To enhance device security and achieve FIPS-compliance, the ACOS device hardware has the
following enhancements beginning in ACOS Release 4.1.1-P3 for FIPS-compliant models.

The following topics are covered:

SSL Modules 29

Tamper-Proof Seals 30

Internal Components in ACOS Device Chassis are Hidden 32

SSL Modules

FIPS-compliant ACOS devices do not offer the option to add SSL modules (“cards”) in available
expansion slots, as this would require a chassis that could be opened at the customer
premises (which would violate the FIPS requirements).


While standard (non-FIPS) ACOS devices allow installation of SSL modules, the FIPS-com-
pliant ACOS devices come with a preset number of SSL modules. No options are available to
upgrade the device by adding SSL modules at a later time.

Tamper-Proof Seals

To enhance security, one or more tamper-evident labels [1] with a serial number and company
ID are affixed to the ACOS device chassis. (See FIGURE 2-1.)

Tamper-evident seals are delicate and clearly indicate when the packaging has been delib-
erately altered or adulterated. Seals are affixed to the ACOS device chassis in several places
to make it apparent when someone has opened the box or otherwise disturbed any of the
removable components.

Tamper-evident seals are affixed by A10 Networks prior to delivery to the customer.

FIGURE 2-1: A10 FIPS-approved Tamper-proof Labels

As shown in FIGURE 2-2 through FIGURE 2-5 below, tamper-evident seals are affixed
to the ACOS device in one or more of the following locations:

l On the chassis side
l On the fan units
l On the power supply

[1] Novavision A1579 labels


FIGURE 2-2: Position of Tamper-proof Labels on TH-3030S

FIGURE 2-3: Position of Tamper-proof Labels on TH-4440S


FIGURE 2-4: Position of Tamper-proof Labels on TH-6630S

FIGURE 2-5: Position of Tamper-proof Labels on TH-7440S

Internal Components in ACOS Device Chassis are Hidden

To ensure that internal electronic components cannot be seen through ventilation or other
openings, the chassis is designed so that it is impossible to read identification information
printed on these internal components.


FIPS Compliance for Software


To enhance device security and achieve FIPS-compliance, the following system-level
changes are in effect beginning with ACOS Release 4.1.1-P3 for FIPS-compliant models:

l Software Upgrade Image
l RMAs
l Lost Passwords

Software Upgrade Image

FIPS-compliant software upgrade images have a signature using an HMAC. Software
upgrades are allowed only when it is determined that the upgrade image is correct, after
having been verified using the signature.
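The gate described above (install only after the HMAC over the image verifies) can be illustrated with a small verifier. This is an added example, not A10's code: the key, the bundle layout (image bytes followed by a 32-byte HMAC-SHA256 tag) and the sample image are this example's own assumptions, chosen to show that a single flipped bit, or a tag made under a different key, is enough for the upgrade to be refused, and that the comparison is done in constant time.

```python
import hmac
import hashlib

# Assumed demo key: a real device keeps its image-verification key internally, and
# the real ACOS image format is not documented here. Layout used by this example:
# image bytes followed by a 32-byte HMAC-SHA256 tag.
DEMO_KEY = b"example-signing-key-not-a-real-acos-secret"
TAG_LEN = hashlib.sha256().digest_size   # 32

def sign_image(image: bytes, key: bytes) -> bytes:
    """Tag the whole image with HMAC-SHA256 (what the signer would attach)."""
    return hmac.new(key, image, hashlib.sha256).digest()

def verify_image(image: bytes, tag: bytes, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; any changed byte fails."""
    return hmac.compare_digest(sign_image(image, key), tag)

def split_bundle(bundle: bytes) -> tuple:
    """Separate image bytes from the trailing tag; reject anything too short."""
    if len(bundle) < TAG_LEN + 1:
        raise ValueError("bundle too short to contain an image and a tag")
    return bundle[:-TAG_LEN], bundle[-TAG_LEN:]

def upgrade_allowed(bundle: bytes, key: bytes = DEMO_KEY) -> bool:
    """The gate an upgrade routine would apply: proceed only if the tag verifies."""
    try:
        image, tag = split_bundle(bundle)
    except ValueError:
        return False
    return verify_image(image, tag, key)

def demo() -> tuple:
    """Constructed sample: a signed bundle, the same bundle with one bit flipped,
    and the same image tagged under a different key."""
    image = b"ACOS-DEMO-IMAGE " + bytes(range(256))
    good = image + sign_image(image, DEMO_KEY)
    flipped = bytearray(good)
    flipped[20] ^= 0x01
    wrong_key = image + sign_image(image, b"some-other-key")
    return upgrade_allowed(good), upgrade_allowed(bytes(flipped)), upgrade_allowed(wrong_key)
```

`demo()` returns `(True, False, False)`: only the untouched bundle tagged under the expected key passes. `hmac.compare_digest` is used rather than `==` so that the time taken to reject a bad tag does not depend on how many leading bytes happened to match.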

RMAs

In the event that a customer must return the FIPS-compliant ACOS device to A10 Networks
using the standard Return Merchandise Authorization (RMA) process, the customer first must
use the security-reset system command to destroy all encryption keys.

Per FIPS requirements, the ACOS device cannot be shipped back to the manufacturer with
the software encryption keys intact. This security-reset system command destroys all sens-
itive information prior to shipping the device.

CAUTION: Running this command will remove all keys from the system,
including those used for image integrity during bootup. After
the command is entered, the ACOS device will not boot again.

Lost Passwords

Normally, if a customer loses their password, they can use the “Recovering an Administrator
Password” procedure described in the ACOS Management Access and Security Guide. With
this procedure they can perform a password reset by entering the serial number on their
ACOS device using the management or console port.


However, due to FIPS requirements, this password recovery procedure is not allowed and is
not supported for FIPS-compliant models. If the password is lost, customers must follow the
RMA process described above and return the ACOS device to A10 Networks so a factory reset
of the system can be done.

FIPS Compliance Usage Guidelines


A10 recommends the following guidelines for use of FIPS-Compliant ACOS models:

l Transferring Files To or From ACOS
l SNMPv3 Configuration
l Data Plane Certificate Generation
l RSA Key and Certificate Import
l ECDSA Key and Certificate Import
l DNSSec Configuration
l DNSSec Configuration

Transferring Files To or From ACOS

A number of CLI commands and their corresponding GUI operations support the transfer of
files to or from the ACOS device. When performing such operations, only the "scp:", "sftp:", or
"https:" methods should be indicated in the "url" parameter.

The "tftp:", "ftp:", and "http:" alternative methods for this parameter do not support secure file
transfer mechanisms and should not be used.

SNMPv3 Configuration

When configuring SNMPv3 in ACOS, only the “sha1” and “aes” algorithms should be indicated
for the authentication and privacy (encryption) options, respectively. This applies to the
following CLI commands and their corresponding GUI operations.

l snmp-server SNMPv3


Data Plane Certificate Generation

Avoid generating certificates for use by the ACOS data plane with the pki create CLI
command or the corresponding GUI operation. Instead, generate such certificates outside the
A10 platform and use the import cert CLI command or the corresponding GUI operation to
import them.

RSA Key and Certificate Import

When importing RSA key or certificate files, ensure that they are validly formed and comply
with the following constraints before uploading such files to the A10 platform. Specifically,
ensure that:

l Key size is 2048 bits or greater, for private keys
l Key size is 1024 bits or greater, for public keys
l Signature format is SHA-2 compatible

This applies to the following CLI commands and their corresponding GUI operations:

l import key
l import cert
l web-service secure private-key load
l web-service secure certificate load
l import glm-cert
l sshd key load
l ssh-pubkey import
l import dnssec-dnskey

ECDSA Key and Certificate Import

When importing ECDSA key or certificate files, ensure that they are validly formed and comply
with the following constraints before uploading such files to the A10 platform. Specifically,
ensure that:


l EC Parameter group is either prime256v1 or secp384r1
l Signature format is SHA-2 compatible.

This applies to the following CLI commands and their corresponding GUI operations:

l import key
l import cert
l web-service secure private-key load
l web-service secure certificate load
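The RSA constraints above and the ECDSA constraints directly above can be checked on the administrator's workstation before a key or certificate is uploaded. The following added example (not part of this guide and not ACOS code) is a standard-library-only Python pre-check: it strips the PEM armour, walks the DER structure, takes the largest INTEGER as the RSA modulus, looks for one of the allowed named-curve OIDs, and flags MD5/SHA-1 signature algorithm OIDs. The OIDs are the standard ones (prime256v1 1.2.840.10045.3.1.7, secp384r1 1.3.132.0.34, sha256WithRSAEncryption 1.2.840.113549.1.1.11 and so on); the sample keys are built with the small DER encoder at the end and are not real keys. It is a heuristic pre-check, not a full X.509 parser: it does not validate the certificate itself.

```python
import base64
import re

# Policy values from the guide's RSA/ECDSA import guidelines; OIDs are the standard ones.
RSA_MIN_BITS = {"private": 2048, "public": 1024}
ALLOWED_CURVES = {"1.2.840.10045.3.1.7": "prime256v1", "1.3.132.0.34": "secp384r1"}
SHA2_SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                 "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
                 "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
                 "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
                 "1.2.840.10045.4.3.3": "ecdsa-with-SHA384"}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of the first block and base64-decode it."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))

def der_walk(data: bytes):
    """Yield (tag, value) per primitive element; descend into constructed elements and
    into BIT STRING / OCTET STRING bodies that parse as DER (SubjectPublicKeyInfo, PKCS#8)."""
    i = 0
    while i < len(data):
        tag, i = data[i], i + 1
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are not supported")
        length, i = data[i], i + 1
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            if n == 0 or n > 4:
                raise ValueError("indefinite or oversized length")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value, i = data[i:i + length], i + length
        if len(value) != length:
            raise ValueError("truncated element")
        if tag & 0x20:                         # SEQUENCE, SET, [n] constructed
            yield from der_walk(value)
        elif tag in (0x03, 0x04):              # BIT STRING carries an unused-bits byte first
            try:
                nested = list(der_walk(value[1:] if tag == 0x03 else value))
            except (ValueError, IndexError):
                nested = []
            yield from (nested if nested else [(tag, value)])
        else:
            yield (tag, value)

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def integers(der: bytes) -> list:
    return [int.from_bytes(v, "big") for t, v in der_walk(der) if t == 0x02]
def oids(der: bytes) -> list:
    return [decode_oid(v) for t, v in der_walk(der) if t == 0x06 and v]

def check_rsa_key(der: bytes, kind: str = "private"):
    # The modulus n is the largest INTEGER in RSAPublicKey and RSAPrivateKey alike.
    bits = max((n.bit_length() for n in integers(der)), default=0)
    return bits >= RSA_MIN_BITS[kind], f"RSA modulus {bits} bits; {kind} key needs {RSA_MIN_BITS[kind]}"

def check_ec_key(der: bytes):
    found = [o for o in oids(der) if o in ALLOWED_CURVES]
    if found:
        return True, f"named curve {ALLOWED_CURVES[found[0]]} is allowed"
    return False, f"no allowed named curve among OIDs {oids(der)}"

def check_signature_alg(der: bytes):
    seen = set(oids(der))
    weak = seen & set(WEAK_SIG_OIDS)
    if weak:
        return False, "weak signature algorithm: " + ", ".join(WEAK_SIG_OIDS[o] for o in weak)
    good = seen & set(SHA2_SIG_OIDS)
    return bool(good), ("SHA-2 signature: " + ", ".join(SHA2_SIG_OIDS[o] for o in good)) if good else "no SHA-2 signature algorithm present"

# Minimal DER encoder, used only to build constructed sample inputs (not real keys).
def der_tlv(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def der_integer(n: int) -> bytes:
    return der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append((arc & 0x7F) | 0x80)
        body += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(body))
def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))
def sample_rsa_public_key(bits: int) -> bytes:   # constructed RSAPublicKey, not a real key
    return der_sequence(der_integer((1 << (bits - 1)) | 1), der_integer(65537))
```

To use it on a real file, read the PEM text, call `pem_to_der`, then `check_rsa_key(der, "private")` for a private key, `check_rsa_key(der, "public")` for a public key or certificate, `check_ec_key(der)` for ECDSA material and `check_signature_alg(der)` for a certificate. Each call returns `(ok, reason)`, so a failing file can be rejected before `import key` or `import cert` is ever run.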

DNSSec Configuration

When configuring DNSSEC using the dnssec template CLI command or the corresponding GUI
operation, ensure that one of the following holds for the template:

l no algorithm is specified (the algorithm then defaults to RSASHA256)
l the algorithm parameter is set to RSASHA256 or RSASHA512

SSL/TLS Support for FIPS Compliance


To enhance device security and achieve FIPS-compliance, the following SSL/TLS data plane
changes are in effect beginning with ACOS Release 4.1.1-P3 for FIPS-compliant models.

l Transport Layer Security (TLS), which is FIPS-compliant, is allowed, but SSLv2 and
SSLv3, which are not FIPS-compliant, are not supported. TLS versions 1.0, 1.1, and 1.2
are allowed by default.
l Ciphers that are not FIPS-compliant are disabled.

NOTE: MD5, RC4, DES, and EXPORT ciphers are not FIPS-compliant and
are therefore not supported.

l Inside the SSL/TLS implementation, random number generation is implemented based
on DRBG with counter mode.
l Certificates must have at least 2048 bits.


l Only certificates with SHA-2 authentication are allowed.
l If the Diffie-Hellman key exchange method is used in TLS, then groups supporting key sizes
less than 2048 are disabled.
l When a random number is generated, the value is compared with the last number that
was generated to ensure it is not the same.
l In client/server-SSL situations, the certificate that the ACOS device receives must
meet the requirement of having at least 2048 bits and SHA-2 authentication.
l To meet FIPS-compliance, the ACOS device supports, per configuration, encryption of
keys with a length equal to or greater than 2048-bits.
l In FIPS mode, keys can be exported using secure protocols.

CLI Support for FIPS Compliance


To achieve FIPS-compliance, the following changes to the CLI are in effect beginning with
ACOS Release 4.1.1-P3 for FIPS-compliant models.

l The following new CLI commands are added in 4.1.1-P3 for enabling or disabling FIPS.
For more information, see the Command Line Interface Reference.
o system fips enable
o system fips disable

l Telnet services are no longer available under the enable-management service com-
mand.
l SSH 2.0 is FIPS-compliant (and therefore allowed). The RSA key exchange key sizes
must be at least 2048 bits.
l User passwords must be greater than or equal to 8 characters. FIPS-compliance
requires that passwords must be at least 8 characters long. The default ACOS device
password has been changed from “a10” to “a10$pass” for FIPS-compliant ACOS devices.

Web Access Support for FIPS Compliance


To achieve FIPS-compliance, the following changes to the management GUI are in effect
beginning with ACOS 4.1.1-P3 for FIPS-compliant models.


l Local user passwords must be greater than or equal to 8 characters. FIPS-compliance
requires that passwords must be at least 8 characters long. The default password has
been changed from “a10” to “a10$pass” for FIPS-compliant ACOS devices.

Web Server Support for FIPS Compliance


The ACOS web server is FIPS-compliant. As part of this compliance, the following Cryp-
tographic Algorithms are supported for FIPS-compliant models:

l AES for encryption/decryption
l SHA-1 and SHA-2 for hashing and for authentication of hashed messages
l ECDSA and RSA for authentication
l ECDHE and RSA for key exchange
l NIST SP-800-90A for DRBG (Deterministic Random Bit Generator)
l Transport Layer Security (TLS) 1.2 is the only FIPS-compliant cryptographic protocol
supported. SSL v2.0 and v3.0 are not FIPS-compliant and will not be supported. TLS 1.0
and 1.1 protocols are also not supported.

Chapter 3: Jumbo Frames

The following topics are covered:

Overview of Jumbo Frames on ACOS Devices 40

Configuring Jumbo Frame Support 41


Overview of Jumbo Frames on ACOS Devices


The following topics are covered:

Details 40

Additional Notes 40

Details

A jumbo frame is an Ethernet frame that is more than 1522 bytes long. Support for jumbo
frames is offered on Layer 4 VIPs.

By default, the maximum transmission unit (MTU) on all physical Ethernet interfaces is 1500
bytes. The default Ethernet frame size is 1522 bytes, which includes 1500 bytes for the pay-
load, 14 bytes for the Ethernet header, 4 bytes for the CRC, and 4 bytes for a VLAN tag.
Jumbo support is disabled by default.

Additional Notes

l Jumbo frame support is not available on all platforms. See the Release Notes for a list of
supported platforms.
l Jumbo frame support is disabled by default. You can enable jumbo frame support on a
global basis for the device.
l The maximum transmission unit (MTU) is not automatically changed on any of the inter-
faces and must be explicitly configured on those interfaces that will be used for jumbo
frames; this can be done using either the GUI or the CLI.
l On non-FTA models, you can increase the MTU on individual Ethernet interfaces up to
9216 bytes.
l Jumbo frames (L4) are supported on most 64-bit models and are not supported on 32-
bit models.
l If your configuration uses VEs, you must enable jumbo on the individual Ethernet ports
first, then enable it on the VEs that use the ports. If the VE uses more than one port, the
MTU on the VE should be the same as or smaller than the MTU on each port.


l It is not recommended to enable jumbo frame support on 10/100 Mbps ports.
l Setting the MTU on an interface indirectly sets the frame size of incoming packets to
the same value. (This is the maximum receive unit [MRU].)

Configuring Jumbo Frame Support


This section describes how to configure jumbo frame support on your ACOS device:

The following topics are covered:

Configuring Jumbo Frame Support Using the GUI 41

Configuring Jumbo Frame Support Using the CLI 42

Configuring Jumbo Frame Support Using the GUI

The following topics are covered:

Changing the MTU on an Interface 41

Disabling Jumbo Support 41

Changing the MTU on an Interface


To change the MTU on an interface:

1. Hover over Network in the navigation bar, and select Interfaces.
2. Check the menu bar to confirm you’re on the LAN page.
3. Click Edit in the Actions column for the interface to which you want to apply the jumbo
frame configuration.
4. In the General Fields section, edit the value in the MTU field.
5. Click Update.

Disabling Jumbo Support


To disable jumbo frame support:


1. Hover over Network in the navigation bar, and select Interfaces.
2. Check the menu bar to confirm you’re on the LAN page.
3. Click Edit in the Action column for the interface number. The configuration page for
the interface appears.
4. Edit the value in the MTU field to be 1500 (or less).
5. Click Update.
6. Repeat for each interface on which the MTU is greater than 1500 bytes.

7. On non-FTA platforms, you must also save your configuration and reboot the device:
a. Hover over System in the navigation bar, and select Settings.
b. Click Actions on the menu bar.
c. In the Action field, select Reboot from the drop-down list.
d. In the Save configuration field, select Yes from the drop-down list.
e. Click OK.

CAUTION: On non-FTA models, you must save the configuration and
reboot after changing the MTU settings to disable jumbo
frame support. If you reload or reboot without first saving the
configuration, the feature cannot be re-enabled until you first
repeat the procedure above to disable it. Then, you can
re-enable the feature.

Configuring Jumbo Frame Support Using the CLI

The following topics are covered:

Globally Enable Jumbo Frame Support on your ACOS Device 43

Changing the MTU on an Interface 43

Creating a TCP-proxy Template and Apply to VIP 43

Disabling Jumbo Frame Support 44

Viewing MTU Interface Settings 44


Globally Enable Jumbo Frame Support on your ACOS Device


This section describes how to globally enable jumbo frame support. This can only be done via
the CLI and not through the GUI.

This topic has the following sections:

l Enabling Jumbo Frame Support (FTA Models)
l Enabling Jumbo Support (Non-FTA Models)

Enabling Jumbo Frame Support (FTA Models)

To enable jumbo frame support on FTA models, use the following command:

ACOS(config)# system-jumbo-global enable-jumbo

Enabling Jumbo Support (Non-FTA Models)

To enable jumbo frame support on a non-FTA model, enter the following series of commands:
ACOS(config)# system-jumbo-global enable-jumbo
ACOS(config)# write memory
Building configuration...
Write configuration to primary default startup-config
[OK]
ACOS(config)# reboot

Changing the MTU on an Interface


To change the MTU on an interface, use the mtu command at the configuration level for the
interface. For example:
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# mtu 1500

Creating a TCP-proxy Template and Apply to VIP


To create a TCP-proxy template and apply it to a VIP, use the following commands:
ACOS(config)# slb template tcp-proxy mss-size
ACOS(config-tcp proxy)# mss 1460
ACOS(config)# slb virtual-server vs1
ACOS(config-slb vserver)# port 80 tcp
ACOS(config-slb vserver-vport)# template tcp-proxy mss-size


Disabling Jumbo Frame Support


This section describes how to globally disable jumbo frame support.

This topic has the following sections:

l Disabling Jumbo Frame Support (FTA Models)
l Disabling Jumbo Support (non-FTA Models)

Disabling Jumbo Frame Support (FTA Models)

To disable jumbo frame support on FTA models, use the following command:
ACOS(config)# no system-jumbo-global enable-jumbo

Disabling Jumbo Support (non-FTA Models)

To disable jumbo frame support on a non-FTA model, enter the following series of commands:
ACOS(config)# no system-jumbo-global enable-jumbo
ACOS(config)# write memory
Building configuration...
Write configuration to primary default startup-config
[OK]
ACOS(config)# reboot

CAUTION: On non-FTA models, you must save the configuration and
reboot after entering the no system-jumbo-global enable-jumbo
command. If you reload or reboot without first saving
the configuration, the feature cannot be re-enabled until you
first repeat the procedure above to disable it. Then, you can
re-enable the feature.

Viewing MTU Interface Settings


The following commands show detailed information for the interfaces, which includes the
MTU settings:

ACOS(config)# show interface ve 10
VirtualEthernet 10 is up, line protocol is up
Hardware is VirtualEthernet, Address is 001f.a004.c0e2
Internet address is 110.10.10.1, Subnet mask is 255.255.255.0
IPv6 address is 2001:10::241 Prefix 64 Type: unicast
IPv6 link-local address is fe80::21f:a0ff:fe04:c0e2 Prefix 64 Type: unicast


Router Interface for L2 Vlan 10
IP MTU is 1500 bytes
28 packets input 2024 bytes
Received 0 broadcasts, Received 24 multicasts, Received 4 unicasts
10 packets output 692 bytes
Transmitted 8 broadcasts, Transmitted 2 multicasts, Transmitted 0 unicasts
300 second input rate: 48 bits/sec, 0 packets/sec
300 second output rate: 16 bits/sec, 0 packets/sec

ACOS(config)# show interface ethernet 15
Ethernet 15 is disabled, line protocol is down
Hardware is GigabitEthernet, Address is 001f.a005.53e0
Internet address is 0.0.0.0, Subnet mask is 0.0.0.0
Configured Speed auto, Actual unknown Configured Duplex auto, Actual unknown
Member of L2 Vlan 300, Port is Tagged
Flow Control is disabled, IP MTU is 6000 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 input errors, 0 CRC 0 frame
0 runts 0 giants
0 packets output 0 bytes
Transmitted 0 broadcasts 0 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 0 bits/sec, 0 packets/sec, 0% utilization
300 second output rate: 0 bits/sec, 0 packets/sec, 0% utilization

ACOS(config)# show interface ethernet 16
Ethernet 16 is disabled, line protocol is down
Hardware is GigabitEthernet, Address is 001f.a005.53e1
Internet address is 0.0.0.0, Subnet mask is 0.0.0.0
Configured Speed auto, Actual unknown Configured Duplex auto, Actual unknown
Member of L2 Vlan 300, Port is Tagged
Flow Control is disabled, IP MTU is 6000 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 input errors, 0 CRC 0 frame
0 runts 0 giants
0 packets output 0 bytes
Transmitted 0 broadcasts 0 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 0 bits/sec, 0 packets/sec, 0% utilization


300 second output rate: 0 bits/sec, 0 packets/sec, 0% utilization
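The notes earlier in this chapter (enable jumbo on the ports before the VEs that use them, keep a VE's MTU at or below every member port's MTU, stay within 9216 bytes on non-FTA models) together with the show interface output above suggest a simple consistency audit. The following added example (not part of this guide and not ACOS code) parses a constructed sample laid out like the show interface output, then reports ports raised above 1500 bytes while jumbo support is not enabled globally, ports above the non-FTA ceiling, and VEs whose MTU exceeds the smallest member-port MTU in their VLAN. The interface numbers, addresses and VLANs in the sample, and the assumption that a VE's member ports are the Ethernet ports in its VLAN, are the example's own.

```python
import re

DEFAULT_MTU = 1500
ETHERNET_OVERHEAD = 14 + 4 + 4     # Ethernet header + CRC + VLAN tag (1500 + 22 = 1522)
NON_FTA_MAX_MTU = 9216             # per-interface ceiling on non-FTA models

# Constructed sample laid out like the "show interface" output in this chapter.
# Interface numbers, addresses and VLANs are the example's own.
SAMPLE_SHOW_INTERFACE = """\
VirtualEthernet 10 is up, line protocol is up
Hardware is VirtualEthernet, Address is 0000.0000.0001
Router Interface for L2 Vlan 10
IP MTU is 6000 bytes
Ethernet 1 is up, line protocol is up
Hardware is GigabitEthernet, Address is 0000.0000.0002
Member of L2 Vlan 10, Port is Tagged
Flow Control is disabled, IP MTU is 9000 bytes
Ethernet 2 is up, line protocol is up
Hardware is GigabitEthernet, Address is 0000.0000.0003
Member of L2 Vlan 10, Port is Tagged
Flow Control is disabled, IP MTU is 1500 bytes
Ethernet 3 is disabled, line protocol is down
Hardware is GigabitEthernet, Address is 0000.0000.0004
Member of L2 Vlan 300, Port is Tagged
Flow Control is disabled, IP MTU is 9216 bytes
"""

def frame_size(mtu: int) -> int:
    """Largest tagged frame an interface with this MTU must accept (its MRU)."""
    return mtu + ETHERNET_OVERHEAD

def parse_show_interface(text: str) -> dict:
    """Collect MTU and VLAN per Ethernet port and per VE from show interface output."""
    ifaces = {"ethernet": {}, "ve": {}}
    current = None
    for line in text.splitlines():
        head = re.match(r"(Ethernet|VirtualEthernet) (\d+) is ", line)
        if head:
            kind = "ethernet" if head.group(1) == "Ethernet" else "ve"
            current = {"mtu": DEFAULT_MTU, "vlan": None}
            ifaces[kind][int(head.group(2))] = current
            continue
        if current is None:
            continue
        mtu = re.search(r"IP MTU is (\d+) bytes", line)
        if mtu:
            current["mtu"] = int(mtu.group(1))
        vlan = re.search(r"(?:Member of|Router Interface for) L2 Vlan (\d+)", line)
        if vlan:
            current["vlan"] = int(vlan.group(1))
    return ifaces

def audit_jumbo(ifaces: dict, jumbo_enabled: bool, fta: bool = False) -> list:
    """Return findings that contradict the jumbo-frame rules in this chapter."""
    findings = []
    eth = ifaces["ethernet"]
    for pid, port in sorted(eth.items()):
        if port["mtu"] > DEFAULT_MTU and not jumbo_enabled:
            findings.append(f"ethernet {pid}: MTU {port['mtu']} set but jumbo support is not enabled globally")
        if not fta and port["mtu"] > NON_FTA_MAX_MTU:
            findings.append(f"ethernet {pid}: MTU {port['mtu']} exceeds the non-FTA maximum of {NON_FTA_MAX_MTU}")
    for vid, ve in sorted(ifaces["ve"].items()):
        # Assumption: a VE's member ports are the Ethernet ports in its VLAN.
        members = [pid for pid, port in eth.items() if port["vlan"] == ve["vlan"]]
        if not members:
            findings.append(f"ve {vid}: no Ethernet port is a member of VLAN {ve['vlan']}")
            continue
        floor = min(eth[pid]["mtu"] for pid in members)
        if ve["mtu"] > floor:
            low = sorted(pid for pid in members if eth[pid]["mtu"] < ve["mtu"])
            findings.append(f"ve {vid}: MTU {ve['mtu']} exceeds member-port minimum {floor} (ethernet {low}); raise the port MTU first")
    return findings
```

On the sample, `audit_jumbo(parse_show_interface(SAMPLE_SHOW_INTERFACE), jumbo_enabled=True)` reports only VE 10, whose MTU of 6000 is above Ethernet 2's 1500; with `jumbo_enabled=False` it additionally flags Ethernet 1 and 3, whose MTUs were raised without the global setting. Feed it the captured output of the show interface commands above to check a device the same way.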

Common Setup Tasks
This part of the document describes how to log onto the ACOS device, how to configure the
following basic system parameters, and applicable examples:

l Logging On
l Configuring Basic System Parameters
l Deployment Examples (For reference and examples of configuration and deployment)
l vThunder (For more information on the virtual ACOS devices)

Chapter 4: Logging On

The following topics are covered:

User Interfaces 49

Logging On to the CLI 50

Logging On to the GUI 51

Console Restart 54

Configuring ADC and CGN on the Same Device 55


User Interfaces
ACOS devices provide the following user interfaces:

l Command-Line Interface (CLI) – Text-based interface in which you type commands on
a command line. You can access the CLI directly through the serial console or over the
network using either of the following protocols:
o Secure protocol – Secure Shell (SSH) (versions 1 and 2)
o Unsecure protocol – Telnet (if enabled)

l Graphical User Interface (GUI) – Web-based interface in which you click to access con-
figuration or management pages and type or select values to configure or manage the
device. You can access the GUI using either of the following protocols:
o Secure protocol – Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)
o Unsecure protocol – Hypertext Transfer Protocol (HTTP)
l aXAPI – XML Application Programming Interface based on the Representational State
Transfer (REST) architecture. The aXAPI enables you to use custom third-party applic-
ations to configure and monitor Application Delivery Controller (ADC) parameters on
the ACOS device, and to monitor Ethernet interfaces. (For more information, see the
aXAPI Reference.)

NOTE: By default, Telnet access is disabled on all interfaces, including
the management interface. SSH, HTTP, HTTPS, and SNMP access
are enabled by default on the management interface only, and
disabled by default on all data interfaces.

NOTE: The maximum number of CLI, GUI, and aXAPI sessions that can be
opened simultaneously on an ACOS device depends on the spe-
cific device.


Logging On to the CLI


NOTE: ACOS devices provide advanced features for securing man-
agement access to the device. This section assumes that only the
basic security settings are in place.

To log onto the CLI using SSH:

1. On a PC connected to a network that can access the ACOS device’s management inter-
face, open an SSH connection to the IP address of the management interface.
2. Generally, if this is the first time the SSH client has accessed the ACOS device, the SSH
client displays a security warning. Read the warning carefully, then acknowledge the
warning to complete the connection. (Press Enter.)
3. At the login as: prompt, enter the admin username.

4. At the Password: prompt, enter the admin password.

If the admin username and password are valid, the command prompt for the User EXEC
level of the CLI appears:
ACOS>

The User EXEC level allows you to enter a few basic commands, including some show
commands as well as ping and traceroute.

NOTE: The “ACOS” in the CLI prompt represents the host name con-
figured on the device; “ACOS” is the default host name used
in all technical publications. The host name on your device
may be different. The default host name on a system rep-
resents the system type; for example, on an A10 Thunder
Series 5435 device, the default prompt is:

TH5435>

5. To access the Privileged EXEC level of the CLI and allow access to all configuration
levels, enter the enable command.


At the Password: prompt, enter the enable password. (This is not the same as the
admin password, although it is possible to configure the same value for both pass-
words.)

If the enable password is correct, the command prompt for the Privileged EXEC level of
the CLI appears:
ACOS#

6. To access the global configuration level, enter the configure command. The following
command prompt appears:
ACOS(config)#

Logging On to the GUI


Web access to the ACOS device is supported on the Web browsers listed in TABLE 4-1.

TABLE 4-1 : GUI Browser Support

Browser                                   Windows         Linux       MAC
Firefox 40.0.3 and higher                 Supported       Supported   N/A
Safari 3.0 and higher                     Not Supported   N/A         Supported
Chrome 45.0.2454.93 and higher            Supported       Supported   Supported
Microsoft Edge 44.18362.387.0 and higher  Supported       N/A         N/A

A screen resolution of at least 1024x768 is recommended.

1. Open a supported Web browser.
2. In the URL field, enter the IP address of the ACOS device’s management interface.
3. If the browser displays a certificate warning, select the option to continue to the server
(the ACOS device).


NOTE: To prevent the certificate warning from appearing in the
future, you can install a certificate signed by a Certificate
Authority. For more information, see Replacing the Web
Certificate.

A login page like the one in FIGURE 4-2 is displayed. The name and appearance of the dialog
depend on the browser you are using and the specific device you are trying to access.

FIGURE 4-2: Example GUI Login Dialog

4. Enter your admin username and password and click Login.

NOTE: The default admin username and password are “admin” and
“a10”.

The Dashboard (shown in FIGURE 4-3) appears, showing at-a-glance information for
your ACOS device.

You can access this page again at any time while using the GUI by selecting
Dashboard.

NOTE: For detailed information about this option and all other
GUI screens, see the latest version of the GUI Online Help.


FIGURE 4-3: Dashboard

NOTE: GUI management sessions are not automatically terminated
when you close the browser window. The session remains in
effect until it times out. To immediately terminate a GUI
session, click the Sign Out icon in the menu bar.

5. If the ACOS device is a CPE device, the user is redirected to the CPE web page instead of
the ACOS Dashboard.


FIGURE 4-4: Dashboard

Console Restart
Use the clear console command to terminate the current login process and start a new one:
ACOS(config)# clear console

Use this command if you notice that SSH and data traffic still appear to be operational,
though the console session is hung. This may be caused if rimacli is in a hung state. rimacli is
the process that is automatically invoked when an admin logs into the ACOS device through
an interface address. This process provides admins access to the Command Line Interface
(CLI) to be able to issue and save commands to configure the system.


To resolve the issue of the hung console due to an underlying hung rimacli process, use the
clear console command. After the hung login process is terminated, the console will revert
to the login prompt.

Configuring ADC and CGN on the Same Device


ACOS 4.x software supports both ADC and CGNv6 configuration. Either one may be con-
figured in any partition but they may not be configured together in the same partition.

When you log in to the device using the CLI, all ADC and CGN options are available by default
in the shared partition (see the Configuration Application Delivery Partitions guide for more
information about partitions). When an ADC object is configured (for example, an SLB server),
all CGN options are automatically disabled until all ADC objects are removed. Similarly, if a
CGN object is configured, then all ADC options are disabled until the CGN objects are all
removed.

When an L3V partition is created, the behavior is the same as the shared partition. All ADC
and CGN objects are available until either one is configured.

While creating partitions, you can use the application-type command to explicitly specify
the type of objects that are available in any partition, before any objects are configured. For
example, the following command creates an L3V partition called “PART-ADC” which will only
have ADC options available:

ACOS(config)# partition PART-ADC id 1 application-type adc

The behavior in the GUI is slightly different. The GUI menu options are static and will not
make ADC or CGN objects unavailable based on the existing configuration. Therefore, it is up
to the user to maintain records about which types of objects are configured in each partition.
If an attempt is made to use the GUI to configure a CGN object in a partition that already con-
tains ADC objects, the user will see an error message.

Chapter 5: Configuring Basic System Parameters
This chapter describes the basic system parameters and provides CLI and GUI steps for con-
figuring them.

The following topics are covered:

Setting the System Time and Date 57

Setting the Hostname and DNS Parameters 63

Setting the CLI Banners 65

Replacing the Web Certificate 66

Configuring Increased I/O Buffer Support 67

Configuring the Management Interface 68

NOTE: The only basic parameters that you are required to configure are
date/time settings. Configuring the other parameters is optional.

NOTE: This chapter does not describe how to access the serial console
interface. For that information, see the installation guide for your
specific ACOS device.


Setting the System Time and Date


This section provides instructions for setting the time and date on your system.

The following topics are covered:

Setting the Clock 57

Setting the NTP Interface 59

Setting the NTP Server 59

Setting the NTP Server Authentication 61

Setting the Clock

The time and date are not set at the factory. Therefore, you must manually set them or con-
figure NTP (see Setting the NTP Server).

The following topics are covered:

Using the GUI to Set the Clock 57

Using the CLI to Set the Clock 58

Using the GUI to Set the Clock


To set the clock using the GUI:

1. Navigate to System > Settings > Time.

2. In the Clock section, you can:


• Set the date and time. Click in the Date/Time field to select the date from the
pop-up calendar.
• Set the timezone.

• Select whether to enable or disable daylight savings time.

NOTE: When you change the ACOS timezone, the statistical
database is cleared. This database contains general
system statistics (performance, CPU, memory, and
disk utilization) and SLB statistics.

By default, daylight savings is enabled on the ACOS device. The ACOS device auto-
matically adjusts the time for Daylight Savings Time based on the timezone you
select. The UTC time standard does not observe daylight savings time.
3. Click OK to save your changes.

Using the CLI to Set the Clock


To set the clock using the CLI:

1. Use the clock set command to set the time. This command must be run in Privileged
EXEC mode.

The following example sets the time to 10:31 AM on February 13, 2015:
ACOS# clock set 10:31:00 February 13 2015

The following example sets the time to 7:15 PM and 33 seconds on December 17, 2015
(for times beyond 12:00 PM, use the 24-hour notation):
ACOS# clock set 19:15:33 December 17 2015

2. Enter Global configuration mode to use the timezone command to set the time zone.

The following example sets the timezone to America/Los_Angeles:


ACOS# configure

ACOS(config)# timezone America/Los_Angeles

3. To verify your settings, use the show clock command:


ACOS# show clock

.08:43:07 PDT Thu Oct 2 2015

ACOS#

If you manually set the time or the time comes from the NTP configuration on the server,
there will not be an extra dot (.) in the display when you use the show clock command. If,
however, the NTP configuration does not work properly, the time displays an extra dot as
shown in the example above. An extra dot also displays if there is neither an NTP con-
figuration nor a manual configuration.


Setting the NTP Interface

NTP listens on the management port by default.

To configure NTP to also listen on the data ports, use the ntp allow-data-ports command.

To configure NTP to listen on a virtual Ethernet (VE) interface, you must configure a loopback
interface with an IP address on the same subnet as the VE interface, and then use the ip
mgmt-traffic ntp source-interface command.

Example

vlan 2211
untagged ethernet 1
router-interface ve 2211
!
interface ve 2211
enable
ip address 192.168.11.254 255.255.255.0
!
interface loopback 1
ip address 192.168.11.90 255.255.255.255
!
ntp allow-data-ports
!
ntp server 192.168.11.50
!
ip mgmt-traffic ntp source-interface loopback 1

Setting the NTP Server

The following topics are covered:

Using the GUI to Set the NTP Server 59

Using the CLI to Set the NTP Server 60

Using the GUI to Set the NTP Server


To configure an NTP server using the GUI:


1. Navigate to System > Settings > Time.

2. In the NTP Servers section:


• Configure an NTP host with either an IP address or a hostname.
• Select Enable in the status field to enable the server.

• To designate this server as the preferred server, select the Preferred checkbox.

This option allows you to specify a preferred NTP server. ACOS then uses the
preferred NTP server by default and falls back to the other configured NTP servers
if the preferred NTP server becomes unavailable.

NOTE: It is recommended that you enable the Preferred
option for a single NTP server only. If the preference is
selected for more than one NTP server, the prioritized
NTP server is determined by an internal calculation.

3. Click OK to save your changes. The new server is added to the NTP Server table below
the configuration fields.

Using the CLI to Set the NTP Server


To configure a preferred NTP server using the CLI, use the ntp server command from Global
Configuration mode, then use the prefer command to make this the preferred server:
ACOS(config)# ntp server 216.171.124.36
ACOS(config-ntpsvr:216.171.124.36)# prefer

Use the show running-config command to verify your configuration:


ACOS(config-ipv4-serveraddr:216.171.124.36)# show run | begin ntp server
ntp server 207.69.131.204
!
ntp server 207.69.131.205
!
ntp server 216.171.124.36
prefer
!
...


Setting the NTP Server Authentication

The following topics are covered:

Details 61

Configuring NTP Server Authentication 61

Using the GUI to Set NTP Server Authentication 62

Using the CLI to Set NTP Server Authentication 62

Details
NTP server authentication keys are stored using a special A10 Networks encryption algorithm
to conceal the clear-text form of the authentication key. You can add the ID numbers of
encrypted authentication keys to a list of trusted keys, and apply the trusted keys to one or
more NTP servers.

An NTP server can operate in either an authentication or a non-authentication mode. If an
authentication key is specified in the client’s NTP request, the NTP server appends a message
authentication code (MAC) to the response packet header, using the authentication key. The
NTP client compares the MAC of the NTP server against the specified authentication key and
accepts the packet from the NTP server if the MAC matches.

Configuring NTP Server Authentication


1. Create a list of authentication keys, which are stored on the ACOS device.
2. Add the identification numbers of one or more authentication keys to the list of trusted
keys. Only keys from the trusted key list are valid for NTP server authentication.
3. Configure an NTP server and apply a trusted authentication key.

NOTE: The NTP server and NTP client must reference the same authen-
tication key ID number. If the NTP server and NTP client are con-
figured with different authentication key ID numbers, NTP server
authentication will always fail.

NOTE: Currently, aXAPI is not supported for SHA and SHA1 authen-
tication of NTP servers.


Using the GUI to Set NTP Server Authentication


To set up NTP server authentication in the GUI:

1. Navigate to System > Settings > Time.

2. In the NTP Keys section:


• Enter a Key ID.
• Configure the encryption type and ASCII or Hex key parameters.
3. Click OK to save your configuration.

You can add multiple trusted keys using this screen. After you create the keys, you can then
configure an NTP server in the NTP section (see Setting the NTP Server), then select one of
the trusted authentication keys from the drop-down menu to assign to the NTP server. Keys
created here can be used while creating NTP servers.

Using the CLI to Set NTP Server Authentication


The example in this section shows how to configure NTP server authentication.

1. Create two authentication keys (13579 and 24680). Both keys use MD5 encryption and
ASCII key strings:
ACOS(config)# ntp auth-key 13579 M ascii XxEnc192

ACOS(config)# ntp auth-key 24680 M ascii Vke1324as

2. Add keys 13579 and 24680 to the list of trusted keys.


ACOS(config)# ntp trusted-key 13579

ACOS(config)# ntp trusted-key 24680

3. Configure the NTP server at 207.69.131.204 to use trusted key 13579.


ACOS(config)# ntp server 207.69.131.204

ACOS(config-ipv4-serveraddr:207.69.131.204)# key 13579

4. You can verify the NTP server and authentication key configuration with the show
running-config command. The following example includes an output modifier to display
only NTP-related configuration:
ACOS(config)# show running-config | include ntp
ntp auth-key 13579 M ascii encrypted zIJptJHuaQaw/5o10esBTDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp auth-key 24680 M ascii encrypted FSNiuf10Dtzc4aY0tk2J4DwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp trusted-key 13579
ntp trusted-key 24680
ntp server 207.69.131.204
ntp server 207.69.131.205
ntp server 216.171.124.36
ACOS(config)#
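The following Python script is an added example, not A10 code, that models the check described under Details (the server appends a MAC computed with the authentication key, the client recomputes it and accepts only on a match) and the key-ID rule in the NOTE above. It reuses the key IDs (13579 and 24680) and ASCII key strings from the CLI example on this page and assumes the RFC 5905 symmetric-key layout for the MD5 ("M") key type: a 32-bit key ID followed by MD5 over the key concatenated with the 48-byte NTP header. The header contents and timestamp are constructed values.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# Constructed example, not A10 code: models the MD5 symmetric-key authentication
# described on this page (the "M" key type), following the RFC 5905 MAC layout.
NTP_HEADER_LEN = 48   # fixed NTP v4 header
KEY_ID_LEN = 4        # 32-bit key identifier that precedes the digest
MD5_DIGEST_LEN = 16

# Keys as stored on the server side; IDs and ASCII strings are the ones from the
# CLI example on this page ("ntp auth-key 13579 M ascii XxEnc192", ...).
SERVER_KEYS: dict[int, bytes] = {13579: b"XxEnc192", 24680: b"Vke1324as"}

# Constructed transmit timestamp (NTP era 0, seconds since 1900 in the high 32 bits).
CONSTRUCTED_TS = 3_900_000_000 << 32


def build_ntp_header(mode: int, transmit_ts: int) -> bytes:
    """Build a minimal 48-byte NTP v4 header: LI=0, VN=4, Mode=mode, transmit
    timestamp at offset 40, every other field zero (constructed values)."""
    first_byte = (0 << 6) | (4 << 3) | mode
    return bytes([first_byte]) + bytes(39) + struct.pack("!Q", transmit_ts)


def md5_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """MAC field appended to the header: key ID followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def server_response(key_id: int) -> bytes:
    """Server side: a mode-4 response with the MAC computed under the requested key."""
    header = build_ntp_header(mode=4, transmit_ts=CONSTRUCTED_TS)
    return header + md5_mac(key_id, SERVER_KEYS[key_id], header)


def verify_response(packet: bytes, trusted_keys: dict[int, bytes]) -> tuple[bool, str]:
    """Client side: accept only if the key ID is in the client's trusted-key list and
    the digest recomputed with the client's copy of that key matches the one received."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_DIGEST_LEN:
        return False, "unexpected length: no MD5 MAC present"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    received = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = trusted_keys.get(key_id)
    if key is None:
        # The case the NOTE warns about: server and client reference different key IDs.
        return False, f"key ID {key_id} is not in the client's trusted-key list"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, received):
        return False, f"MAC mismatch for key ID {key_id}"
    return True, f"authenticated with key ID {key_id}"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Exercise the success case and the three ways authentication fails."""
    good = server_response(13579)
    tampered = bytearray(good)
    tampered[40] ^= 0x01          # flip a bit in the transmit timestamp
    return {
        # client trusts 13579 with the same key string the server uses
        "matching": verify_response(good, {13579: b"XxEnc192"}),
        # client only trusts 24680: mismatched key ID, authentication always fails
        "mismatched_key_id": verify_response(good, {24680: b"Vke1324as"}),
        # same ID, but the client holds a different key string
        "wrong_key_string": verify_response(good, {13579: b"Vke1324as"}),
        # packet modified in transit after the MAC was computed
        "tampered": verify_response(bytes(tampered), {13579: b"XxEnc192"}),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:18} {'accept' if ok else 'reject'}: {why}")
```

Only the "matching" scenario is accepted; the other three show why the key ID and the key string must agree on both sides, and why a response altered after the server computed its MAC is rejected.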

Setting the Hostname and DNS Parameters


The following topics are covered:

Using the GUI to Set the Hostname and DNS Parameters 63

Using the CLI to Set the Hostname and DNS Parameters 64

NOTE: Do not use a period (.) in the hostname. The ACOS device will
interpret text that appears after the period as the DNS suffix
instead of the DNS suffix you configure.

Using the GUI to Set the Hostname and DNS Parameters

To use the GUI to set the hostname and DNS parameters:

1. Navigate to System > Settings > DNS.

2. On the Configure DNS screen, you can specify:


• Host name (required)
• Domain suffix (domain name to which the host belongs)
• Primary IP
• Secondary IP
3. Click Update DNS to store your changes.


Using the CLI to Set the Hostname and DNS Parameters

This section provides an example of how to use the CLI to change the hostname and DNS
parameters on your device.

1. To begin, make sure you are in Global Configuration mode.

2. Use the hostname command to change the hostname to “ACOS-SLB2”:


ACOS(config)# hostname ACOS-SLB2

ACOS-SLB2(config)#

After you enter this command, note that the command prompt is changed to reflect the
new hostname.

NOTE: The “>” or “#” character and the characters in parentheses
before “#” indicate the CLI level you are on and are not part
of the hostname.

3. Use the ip dns suffix command to set the default domain name (DNS suffix) for host
names on the ACOS device. The suffix “a10networks.com” is used in this example:
ACOS(config)# ip dns suffix a10networks.com

4. Use the ip dns primary command to set the primary DNS server (10.10.128.101 in this
example) for resolving DNS requests:
ACOS(config)# ip dns primary 10.10.128.101

5. Use the ip dns secondary command to set the secondary DNS server (10.10.128.102 in
this example) for resolving DNS requests:
ACOS(config)# ip dns secondary 10.10.128.102

6. Use the show running-config command to view your configuration:


ACOS-SLB2(config)# show running-config | include dns

ip dns primary 10.10.128.101

ip dns secondary 10.10.128.102

ip dns suffix a10networks.com

ACOS-SLB2(config)#


Setting the CLI Banners


The following topics are covered:

Details 65

Using the GUI to Set the CLI Banners 65

Using the CLI to Set the CLI Banners 66

Details

The CLI displays banner messages when you log onto the CLI. By default, the messages
shown in bold type in the following example are displayed:
login as: admin

Welcome to ACOS
Using keyboard-interactive authentication.
Password:
Last login: Thu Feb 7 13:44:32 2008 from 192.168.1.144

[type ? for help]

You can format banner text as a single line or multiple lines.

If you configure a banner message that occupies multiple lines, you must specify the end
marker that indicates the end of the last line. The end marker is a simple string up to two
characters long, each of which must be an ASCII character in the range 0x21-0x7e.

The multi-line banner text starts from the first line and ends at the marker. If the end marker
is on a new line by itself, the last line of the banner text will be empty. If you do not want the
last line to be empty, put the end marker at the end of the last non-empty line.
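As an added illustration (not A10 code), the following Python functions check an end marker against the length and 0x21-0x7e rules above and split multi-line banner input at the marker, showing the difference between a marker on its own line (empty last line) and a marker at the end of the last non-empty line. The sample banner lines are constructed; the functions assume the marker is recognised only at the very end of a line.

```python
from __future__ import annotations

# Constructed example, not A10 code: validates a banner end marker and splits a
# multi-line banner at that marker following the rules described in this section.
# Assumption: the marker is recognised only at the very end of a line.
END_MARKER_MIN, END_MARKER_MAX = 0x21, 0x7E   # printable ASCII, no space or control chars


def validate_end_marker(marker: str) -> None:
    """Raise ValueError unless the marker is 1 or 2 characters in the 0x21-0x7e range."""
    if not 1 <= len(marker) <= 2:
        raise ValueError("end marker must be one or two characters long")
    for ch in marker:
        if not END_MARKER_MIN <= ord(ch) <= END_MARKER_MAX:
            raise ValueError(f"end marker character {ch!r} is outside 0x21-0x7e")


def parse_multiline_banner(lines: list[str], marker: str) -> list[str]:
    """Return the banner lines: from the first input line up to the end marker.

    A marker alone on a line makes the last banner line empty; a marker at the end
    of a non-empty line closes the banner with that line as the last one."""
    validate_end_marker(marker)
    banner: list[str] = []
    for line in lines:
        if line == marker:
            banner.append("")                  # marker by itself: empty last line
            return banner
        if line.endswith(marker):
            banner.append(line[: -len(marker)])  # strip the marker, keep the text
            return banner
        banner.append(line)
    raise ValueError("end marker never seen; banner input is incomplete")


# Constructed input, as an operator might type it after the banner command:
MARKER_ON_OWN_LINE = ["Authorized administrators only.", "Sessions are logged.", "##"]
MARKER_AT_END = ["Authorized administrators only.", "Sessions are logged.##"]

if __name__ == "__main__":
    print(parse_multiline_banner(MARKER_ON_OWN_LINE, "##"))  # ends with an empty line
    print(parse_multiline_banner(MARKER_AT_END, "##"))       # no trailing empty line
```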

Using the GUI to Set the CLI Banners

To set the CLI banners using the GUI:


1. Navigate to System > Settings > Terminal.

2. On the Terminal page:


• Configure the Login banner.

• Configure the EXEC banner.

3. Click OK to save your changes.

Using the CLI to Set the CLI Banners

This section describes how to change the CLI banners using CLI commands.

1. Use the banner login command to set the login banner. This is the banner that will be
seen after you enter the admin username and password. This example sets the banner
to “welcome to login mode”:
ACOS(config)# banner login "welcome to login mode"

2. Use the banner exec command to set the exec banner to “welcome to exec mode.” This
banner is displayed after you enter the admin password:
ACOS(config)# banner exec "welcome to exec mode"

To use blank spaces within the banner, enclose the entire banner string with double quo-
tation marks.

Replacing the Web Certificate


The following topics are covered:

Details 66

Using the CLI to Replace the Web Certificate 67

Details

You can replace the web certificate shipped with the ACOS device. Replacing the certificate
with a CA-signed certificate prevents the certificate warning from being displayed by your
browser when you log in to the GUI.


Using the CLI to Replace the Web Certificate

Use the following command at the global configuration level of the CLI:
ACOS(config)# web-service secure wipe

Then, use the import cert command to import a CA-signed certificate.

Configuring Increased I/O Buffer Support


On some higher-end models only, you can enable the big-buff-pool option to expand sup-
port from 4 million to 8 million buffers and increase the buffer index from 22 to 24 bits.

NOTE: Some models may require 96 GB of memory to support this
feature. Please check that your system meets this requirement by
using the show memory system command and checking the output.

Enter the following command to enable more I/O buffers for the system:

ACOS(config)# big-buff-pool

Use the no form of the command to disable the larger buffer pool:

ACOS(config)# no big-buff-pool
This will modify your boot profile to disable big I/O buffer pool.
It will take effect starting from the next reboot.
Please confirm: You want to disable the big I/O buffer pool(N/Y)?:

Use the show system platform buffer-stats command to view statistics for the I/O buffer
pool:

ACOS(config)# show system platform buffer-stats


Buffers available in various states/threads...
---------------------------------------------------
Thread Cache App AppQueue Misc
---------------------------------------------------
Q0 136034 0 0 0
Q1 127873 0 0 0
Q2 154496 0 0 0
Q3 154515 0 0 0
Q4 154511 0 0 0
Q5 153147 0 0 0
Q6 154511 0 0 0
Q7 153147 0 0 0
Q8 153829 0 0 0
Q9 153147 0 0 0
Q10 154511 0 0 0
Q11 153147 0 0 0
Approximate # buffers in App 0
Approximate # buffers in App_cp 0
Approximate # buffers in Cache_cp 1024
Approximate # buffers in Cache 1802868
Approximate # buffers in Queue 0
Approximate # buffers in misc 0
Approximate # buffers in dfree 745472
Approximate # buffers free 2391436
Approximate # buffers avail in HW 1639073
# Capsules in per thread pool:
t00 t01 t02 t03 t04 t05
FPGA0: 9 11 11 11 11 11
FPGA1: 21 15 15 15 15 15
FPGA2: 10 19 19 19 19 19
FPGA3: 21 22 22 22 22 22
t06 t07 t08 t09 t10 t11
FPGA0: 5 16 16 16 16 16
FPGA1: 17 17 17 17 17 17
FPGA2: 12 12 11 11 11 11
FPGA3: 21 22 22 22 22 22
Approximate # of operations on Global buffer pool:
GetsD0 PutsD0 GetsD1 PutsD1
FPGA0: 0x00000016 0x00000052 0x00000000 0x00000037
FPGA1: 0x00000000 0x00000033 0x00000000 0x00000032
FPGA2: 0x00000000 0x0000003d 0x00000016 0x0000004a
FPGA3: 0x00000000 0x00000010 0x00000000 0x00000013
Approximate # buffers in total 4194304

Configuring the Management Interface


The following topics are covered:


Details 69

Using the GUI to Configure the Management Interface 69

Using the CLI to Configure the Management Interface 70

Details

The management interface (MGMT) is an Ethernet interface to which you can assign a single
IPv4 address and a single IPv6 address. The management interface is separate from the Eth-
ernet data interfaces.

The following FIGURE 5-1 shows an example of the management interface on a Thunder
Series device.

FIGURE 5-1: ACOS Deployment Example – Management Interface

By default, the ACOS device attempts to use a route from the main route table for man-
agement connections originated on the ACOS device. You can enable the ACOS device to use
the management route table to initiate management connections instead. (For information,
see Source Interface for Management Traffic.)

NOTE: ACOS allows the usage of the same IP address for both the mgmt
IP address and the NAT pool address. However, in Layer 2 (trans-
parent) deployments, if you do configure the same address in
both places, and later delete one of the addresses, a reload is
required for the changes to take effect.

Using the GUI to Configure the Management Interface

This section describes how to use the GUI to configure the management interface.


NOTE: Unless you have already configured an IP interface, navigate to
the default IP address: http://172.31.31.31.

1. Navigate to Network > Interfaces > Management.

2. On the Management page:


• Configure the duplex mode of the management interface.

• Configure the speed of the management interface.

NOTE: The available selection of speeds in this field depends
on the device you are configuring. Devices with no 1G
interface, for example, will not have a 1G option in this
field.

• Configure the IPv4, IPv6, and LLDP settings.


3. Click Configure to save your changes.

Using the CLI to Configure the Management Interface

The example commands in this section configure access on the management interface.

1. The interface management command puts you in interface management mode, where
you can continue the management interface configuration.
ACOS(config)# interface management

2. Use the ipv6 commands to configure IPv6 access.


ACOS(config-if:management)# ipv6 address 2001:db8::2/32

ACOS(config-if:management)# ipv6 default-gateway 2001:db8::1

3. The ip commands configure IPv4 access on the management interface:


ACOS(config-if:management)# ip address 192.168.10.2 /24

ACOS(config-if:management)# ip default-gateway 192.168.2.1

4. Use the show interfaces management command to verify the configuration:


ACOS(config-if:management)# show interfaces management

GigabitEthernet 0 is up, line protocol is up.


Hardware is GigabitEthernet, Address is 0090.0b0b.ea38

Internet address is 192.168.10.2, Subnet mask is 255.255.255.0

Internet V6 address is 2001:db8::2/32

Configured Speed auto, Actual 1000, Configured Duplex auto, Actual fdx

Flow Control is disabled, IP MTU is 1500 bytes

781 packets input, 58808 bytes

Received 33 broadcasts, Received 66 multicasts, Received 662 unicasts

0 input errors, 0 CRC 0 frame

0 runts 0 giants

924 packets output 3549 bytes

Transmitted 157 broadcasts 7 multicasts 770 unicasts

0 output errors 0 collisions

Chapter 6: Deployment Examples

The following topics are covered:

Deployment Modes 73

Transparent Mode Deployment 73

Routed Mode Deployment 75


Deployment Modes
You can deploy the ACOS device into your network as a Layer 2 switch (transparent mode) or
a Layer 3 router (route mode). In either of the deployment modes, the ACOS device has a ded-
icated Ethernet management interface, different from the Ethernet data interfaces. You can
assign an IPv4 address and/or an IPv6 address to the management interface.

For network deployment examples, see the following:

• Transparent Mode Deployment

• Routed Mode Deployment

Transparent Mode Deployment


The following topics are covered:

Deployment Examples 73

Configuration Example 74

Deployment Examples

The following FIGURE 6-1 shows an example of a Thunder Series device deployed in
transparent mode.

FIGURE 6-1: ACOS Deployment Example – Transparent Mode


NOTE: For simplicity, this example and the other examples in this
chapter show the physical links on single Ethernet ports. Every-
where a single Ethernet connection is shown, you can use a
trunk, which is a set of multiple ports configured as a single
logical link.

NOTE: Transparent mode deployments are not valid for CGNv6 con-
figurations. CGNv6 is only supported in Routed Mode
Deployment.

Configuration Example

This section describes the GUI screens and CLI commands needed to deploy the ACOS device
as shown in the ACOS Deployment Example – Transparent Mode.

The following topics are covered:

Using the GUI 74

Using the CLI 74

Using the GUI


1. Hover over Network in the navigation bar, and select Interfaces.
2. Click on Transparent on the menu bar.
3. Enter the IP Address, IP Mask, and Default Gateway, or alternatively, the IPv6 address
and gateway.
4. Click Configure.
5. The data interface is added to the table, which can be seen if you click LAN in the menu
bar.
6. Select the checkbox next to each Ethernet data interface you wish to enable, and click
Enable.

Using the CLI


The following commands configure the global IP address and default gateway:
ACOS(config)# ip address 10.10.10.2 /24
ACOS(config)# ip default-gateway 10.10.10.1


The following commands enable the Ethernet interfaces used in the example:
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# interface ethernet 3
ACOS(config-if:ethernet:3)# enable
ACOS(config-if:ethernet:3)# exit

Routed Mode Deployment


The following topics are covered:

Deployment Example 75

Configuration Example 76

Deployment Example

The following FIGURE 6-2 shows an example of an ACOS device deployed in route mode.

NOTE: Route mode is also called “gateway” mode.

FIGURE 6-2: ACOS Deployment Example – Route Mode

In this example, the ACOS device has separate IP interfaces in different subnets on each of
the interfaces connected to the network. The ACOS device can be configured with static IP
routes and can be enabled to run OSPF and IS-IS. In this example, a static route is configured
to be used as the default route through 10.10.10.1.

Although this example illustrates single physical links, you could use trunks as physical links.
You also could use multiple VLANs. In this case, the IP addresses would be configured on
Virtual Ethernet (VE) interfaces, one per VLAN, instead of being configured on individual
Ethernet ports.

Since the ACOS device is a router in this deployment, downstream devices can use the ACOS
device as their default gateway. For example, devices connected to Ethernet port 2 would
use 192.168.3.100 as their default gateway, devices connected to port 3 would use
192.168.1.111 as their default gateway, and so on.

If multiple ACOS devices in a VRRP-A high availability configuration are used, the downstream
devices will use a floating IP address shared by the two ACOS devices as their default
gateway.

NOTE: For more information, see the Configuring VRRP-A High Avail-
ability guide.

Configuration Example

This section shows the GUI screens and CLI commands needed to implement the
configuration shown in FIGURE 6-2.

The following topics are covered:

Using the GUI 76

Configuring the Default Route 77

Using the CLI 77

Using the GUI


1. Hover over Network in the navigation bar and select Interfaces.
2. If you are not already on the LAN index page, click LAN on the menu bar.

3. Click Edit in the Actions column for the interface number (for example, Interface “e1”).
The configuration page appears.
a. To assign an IPv4 address, locate the “IP” section and then click the plus symbol
to display the configuration fields for that section, and enter the address
information.
b. To assign an IPv6 address, locate the “IPv6” section and then click the plus symbol
to display the configuration fields for that section, and enter the address
information.
c. Click Update.

Configuring the Default Route


1. Hover over Network in the navigation bar and select Routes.
2. Select either the IPv4 Static Routes or IPv6 Static Routes tab, then click Create.

3. Complete the IP Dest Address and IP Mask fields.

NOTE: For detailed information about these and the other
configuration fields on this page, see the latest version of the
Online Help.

4. Click Create Route.

Using the CLI


The following commands enable the Ethernet interfaces used in the example and configure
IP addresses on them:
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# enable
ACOS(config-if:ethernet:1)# ip address 10.10.10.2 /24
ACOS(config-if:ethernet:1)# interface ethernet 2
ACOS(config-if:ethernet:2)# enable
ACOS(config-if:ethernet:2)# ip address 192.168.3.100 /24
ACOS(config-if:ethernet:2)# interface ethernet 3
ACOS(config-if:ethernet:3)# enable
ACOS(config-if:ethernet:3)# ip address 192.168.1.111 /24
ACOS(config-if:ethernet:3)# interface ethernet 4
ACOS(config-if:ethernet:4)# enable
ACOS(config-if:ethernet:4)# ip address 192.168.2.100 /24
ACOS(config-if:ethernet:4)# exit
ACOS(config)#

The following command configures the default route through 10.10.10.1:


ACOS(config)# ip route 0.0.0.0 /0 10.10.10.1

Chapter 7: vThunder
vThunder is a fully operational software-only version of A10 Networks’ line of Thunder Series
Application Delivery Controllers.

The following topics are covered:

vThunder for Multiple Hypervisors 79

vThunder Installation 80

vThunder Feature Support 80

Application Delivery Partition Support 81


vThunder for Multiple Hypervisors


vThunder is supported on multiple hypervisors. See the Release Notes for a complete list of
supported hypervisors for this release.

The following FIGURE 7-1 shows a network topology in which a vThunder can be installed on a
supported hypervisor.

FIGURE 7-1: vThunder for Multiple Hypervisors


The hypervisor is installed on top of the commodity hardware. The virtualized vThunder
instance sits on top of the hypervisor layer. Functionality of vThunder is, for the most part,
the same as a hardware-based ACOS device.

vThunder Installation
The following topics are covered:

Installation Details 80

Management of vThunder 80

Installation Details

Multiple vThunder instances can be installed in a single hardware platform, such as a PC,
with each instance running independently from the others.

NOTE: For specific installation instructions, see the vThunder
Installation Guide for your hypervisor. All installation instructions are
available for download on the Support Portal.

NOTE: To locate the Installation Guide, see
https://documentation.a10networks.com/Install/Software/A10_ACOS_Install/index.html

Management of vThunder

vThunder can be managed from the ACOS CLI or GUI, which is the same as any standard hard-
ware-based ACOS device.

vThunder Feature Support


vThunder supports many of the same features as the A10 Thunder Series and AX Series hard-
ware-based models. The exact set of supported features varies and is based on whether
vThunder is running an ADC (SLB) release or a CGN (IPv6 Migration) release.


NOTE: For the vThunder datasheet, see
https://www.a10networks.com/sites/default/files/A10-DS-vThunder.pdf.

Application Delivery Partition Support


Up to 32 L3V partitions can be created for each vThunder instance.

NOTE: For more information on this topic, see the Configuration Applic-
ation Delivery Partitions Guide.

Configuration Management
This part of the document describes how to configure the following management features for
ACOS devices:

• Backing Up System Information
• Source Interface for Management Traffic
• Dynamic and Block Configuration
• Boot Options
• Power On Auto Provisioning
• Fail-Safe Automatic Recovery
• Installing the Systems Center Virtual Machine Manager Gateway Plugin

Chapter 8: Backing Up System Information

The following topics are covered:

Details 84

Overview of System Backup 84

Enhancing the Dynamic Port Breakout Support for Thunder 7x50 Series 91

Saving Multiple Configuration Files Locally 98


Details
By default, when you click the Save button in the GUI or enter the write memory command
in the CLI, all unsaved configuration changes are saved to the startup-config. The next time
the ACOS device is rebooted, the configuration is reloaded from this file.

In addition to these simple configuration management options, the ACOS device has
advanced configuration management options that allow you to save multiple configuration
files. You can save configuration files remotely on a server and locally on the ACOS device
itself.

NOTE: For information about managing configurations for separate partitions on an ACOS
device, see the Configuring Application Delivery Partitions guide.

NOTE: For information about synchronizing configuration information between multiple
ACOS devices configured for VRRP-A high availability, see the Configuring VRRP-A High
Availability Guide.

NOTE: For upgrade instructions, see the “Release Notes” for the ACOS
release to which you plan to upgrade.

Overview of System Backup


The ACOS device allows you to back up the system, individual configuration files, and log
entries onto remote servers. You can use any of the following file transfer protocols:

• Trivial File Transfer Protocol (TFTP)
• File Transfer Protocol (FTP)
• Secure Copy Protocol (SCP)
• SSH File Transfer Protocol (SFTP)

NOTE: Backing up the system from one hardware platform and restoring it to another
hardware platform is not supported.


The following topics are covered:

Using the GUI to Perform a Backup 85

Using the CLI to Perform a Backup 86

Restoring from a Backup 86

Using the GUI to Perform a Backup

To configure backup using the GUI:

1. Navigate to System >> Maintenance.

2. In the menu bar, click Backup. From the drop-down menu that appears, select one of
the following:
• System—This option performs an immediate backup of the configuration file(s),
aFleX scripts, and SSL certificates and keys.
• Log—This option performs an immediate backup of the log entries in the ACOS
device’s syslog buffer (along with any core files on the system).
• Periodic Backup—This option performs a scheduled backup of either the system
or log files.
3. Complete your backup configuration by specifying any necessary information (for
example, the remote host and port, file transfer protocol, location and name of the
backup file, and remote system access information).

The following shows an example of a system backup:


Using the CLI to Perform a Backup

This section provides examples of how to back up your system using the CLI.

The following example creates a backup of the system (startup-config file, aFleX scripts, and
SSL certificates and keys) on a remote server using SCP.
ACOS(config)# backup system scp://exampleuser@192.168.3.3/home/users/exampleuser/backups/backupfile.tar.gz

The following example creates a daily backup of the log entries in the syslog buffer. The
connection to the remote server will be established using SCP on the management interface
(use-mgmt-port).
ACOS(config)# backup log period 1 use-mgmt-port scp://exampleuser@192.168.3.3/home/users/exampleuser/backups/backuplog.tar.gz

Restoring from a Backup

You can use a saved backup to restore your current system; for example, if you are upgrading
the AX Series devices in your network to the newer A10 Thunder Series devices.

This section contains some important things to consider before performing a restore oper-
ation:

• System Memory
• FTA versus Non-FTA


• L3V Partitions
• Port Splitting
• Port Mapping
• What is Not Restored?
• Restore Example

System Memory
If your current device has less memory than the backup device (for example, 16 GB on the
current device but 32 GB on the previous device), this can adversely affect system performance.

FTA versus Non-FTA


For example, if you are restoring from an FTA device to a non-FTA device, some commands
may not be available after the restore operation. Such commands are lost and cannot be
restored.

L3V Partitions
L3V partitions and their configurations are restored; however, if you are restoring to a device
that supports fewer partitions (for example, 32) than you have configured on the backup
device (for example, 64), then any partitions and corresponding configuration beyond 32 are
lost.

Port Splitting
If you are restoring between devices with different 40 GB port splitting configurations, see
TABLE 8-1 for more information.

TABLE 8-1 : Restore Behavior for Port Splitting Combinations

| Backup Device            | Current Device           | Behavior During the Restore Operation |
|--------------------------|--------------------------|---------------------------------------|
| Port splitting disabled. | Port splitting disabled. | Allow user to perform port mapping (see Port Mapping). |
| Port splitting enabled.  | Port splitting enabled.  | Allow user to perform port mapping (see Port Mapping). |
| Port splitting enabled.  | Port splitting disabled. | Ask the user if they want to perform port mapping. If yes, enable port splitting, reboot the device, then perform the restore operation again, where port mapping will be enabled. |
| Port splitting disabled. | Port splitting enabled.  | Exit the restore operation. The user will have to perform a system-reset or disable port splitting, reboot the system, and then perform the restore operation again. |

Port Mapping
When restoring from a device that has a different number of ports, or even the same number
of ports, you can map the port number from the previous configuration to a new port number
(or same port number) in the new configuration.

In cases where the original number of ports is greater than the number of ports on the new
system, some configuration may be lost.

If you choose to skip port mapping (see the example below) then the original port numbers
and configurations are preserved. If the original device had ports 1-10 configured, and the
new device only has ports 1-8, and you skip port mapping, then ports 9 and 10 are lost. If you
choose port mapping, you can decide which 8 out of the original 10 ports you want to
preserve during the port mapping process.

What is Not Restored?


The following items are not restored:

• VLAN configurations.
• VCS configurations are not supported; to perform a restore and preserve VCS
configurations, perform the restore using the GUI. This operation completely overwrites the
configuration on the target system and does not provide the options available in the CLI
(see the example below).

Restore Example
This section provides an example of a restore operation:


• Restore from version 4.1.1-P1 to 4.1.1-P2
• The system memory on the original device is 8 GB, but is 16 GB on the new device.
• Number of interfaces on the original device is 10, but the new device has 12.

See the other highlighted lines in the example output along with the corresponding
comments, which are preceded by the “<--” characters:

ACOS(config)# restore use-mgmt-port scp://[email protected]/root/user1/backup1


Password []?

A10 Product:
Object Backup device Current device
--------------------------------------------------------------------
Device TH1030 TH3030
Image version 4.1.1-P1 4.1.1-P2
System memory:
Object Backup device Current device
--------------------------------------------------------------------
Memory (MB) 8174 16384

Checking memory: OK.


Ethernet Interfaces:
Object Backup device Current device
--------------------------------------------------------------------
Total 10 12
1 Gig 1-10 1-12
Do you want to skip port map?(Answer no if you want port mapping manually.)
[yes/no]: no

Please specify the Current device to Backup device port mapping


1-10 : a valid port number in backup device.
0 : to skip a port
-1 : to restart port mapping.

Current Port: Backup device port


Port 1 : 2 <-- port 2 on the backup device is re-numbered to 1
Port 2 : 1 <-- port 1 on the backup device is re-numbered to 2
Port 3 : 0
Port 4 : 0
Port 5 : 0
Port 6 : 0
Port 7 : 0


Port 8 : 0
Port 9 : 0
Port 10 : 0
The current startup-configuration will be replaced with the new configuration
that was imported.
Do you wish to see the diff between the updated startup-config and the original
backup configuration?
[yes/no]: yes

Modified configuration begin with "!#"

!Current configuration: 277 bytes


!Configuration last updated at 05:38:18 UTC Fri Mar 17 2017
!Configuration last saved at 05:38:19 UTC Fri Mar 17 2017
!64-bit Advanced Core OS (ACOS) version 4.1.1-P2, build 112 (Mar-13-2017,15:41)
!
interface management
ip address 192.168.210.24 255.255.255.0
ip default-gateway 192.168.210.1
!#interface management
!# ip address 192.168.210.24 255.255.255.0
!# ip default-gateway 192.168.210.1
!# exit-module
!
interface ethernet 2
!#interface ethernet 1 <-- original port 1 is now port 2
exit-module
!
interface ethernet 1
!#interface ethernet 2 <-- original port 2 is now port 1
exit-module
!
!#interface ethernet 3
!# exit-module
!
!#interface ethernet 4
!# exit-module
!
!#interface ethernet 5
!# exit-module
!
!#interface ethernet 6
!# exit-module
!


!#interface ethernet 7
!# exit-module
!
!#interface ethernet 8
!# exit-module
!
!
end
Complete the restore process?
[yes/no]: yes

Please wait restore to complete: .


Restore successful. Please reboot to take effect.
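The port-mapping step of the restore, as an added Python example (not A10 code): it applies a current-port to backup-port map like the one entered in the transcript above to a constructed backup configuration, drops whatever is not mapped (the "ports 9 and 10 are lost" case from Port Mapping), and marks renumbered interfaces with the "!#" prefix the CLI diff uses. The configuration layout, the 0 = skip rule and the range check follow the transcript; the function names and the sample configuration are hypothetical.

```python
"""Apply a restore-time port mapping to a backed-up ACOS configuration.

Added example, not A10 code. It models the prompt from the restore transcript
(current port -> backup port, 0 = leave unconfigured) and marks renumbered
interface headers with the "!#" prefix the CLI diff uses for replaced lines.
"""
import re

# Constructed sample: a backup taken from a 10-port device.
BACKUP_CONFIG = """\
interface management
  ip address 192.168.210.24 255.255.255.0
  ip default-gateway 192.168.210.1
!
interface ethernet 1
  name uplink-a
!
interface ethernet 2
  name uplink-b
!
interface ethernet 9
  name server-9
!
interface ethernet 10
  name server-10
!
"""

IFACE_RE = re.compile(r"^interface ethernet (\d+)\s*$")


def split_blocks(config):
    """Split a config into blocks, each terminated by a line holding only '!'."""
    blocks, cur = [], []
    for line in config.splitlines():
        if line.strip() == "!":
            if cur:
                blocks.append(cur)
            cur = []
        else:
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks


def apply_port_map(config, backup_ports, current_ports, port_map=None):
    """Return (new_config, dropped_backup_ports).

    port_map is {current_port: backup_port}; 0 leaves the current port
    unconfigured. None reproduces "skip port map": backup numbers are kept
    and every configured port above current_ports is lost, as the text says.
    """
    by_backup_port, other = {}, []
    for blk in split_blocks(config):
        m = IFACE_RE.match(blk[0])
        if m:
            by_backup_port[int(m.group(1))] = blk[1:]
        else:
            other.append(blk)

    if port_map is None:
        port_map = {p: p for p in range(1, min(current_ports, backup_ports) + 1)}
    for cur, src in port_map.items():
        # Same bounds the prompt states: 1..N on the backup device, or 0 to skip.
        if not 1 <= cur <= current_ports or not 0 <= src <= backup_ports:
            raise ValueError(f"invalid mapping: current port {cur} -> backup port {src}")
    used = [v for v in port_map.values() if v]
    if len(used) != len(set(used)):
        raise ValueError("a backup port may be mapped to only one current port")

    out = []
    for blk in other:                 # non-ethernet blocks are carried over as-is
        out.extend(blk + ["!"])
    dropped = sorted(p for p in by_backup_port if p not in set(used))
    for cur in range(1, current_ports + 1):
        src = port_map.get(cur, 0)
        if src == 0 or src not in by_backup_port:
            continue                  # skipped, or nothing configured on the backup
        out.append(f"interface ethernet {cur}")
        if src != cur:
            out.append(f"!#interface ethernet {src} <-- original port {src} is now port {cur}")
        out.extend(by_backup_port[src] + ["!"])
    return "\n".join(out) + "\n", dropped


if __name__ == "__main__":
    # Skip port mapping: a 10-port backup restored onto an 8-port device.
    cfg, lost = apply_port_map(BACKUP_CONFIG, 10, 8)
    print(cfg, "lost backup ports:", lost)
    # Manual mapping from the transcript: current 1 <- backup 2, current 2 <- backup 1.
    cfg, lost = apply_port_map(BACKUP_CONFIG, 10, 12, {1: 2, 2: 1})
    print(cfg, "lost backup ports:", lost)
```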

Enhancing the Dynamic Port Breakout Support for Thunder 7x50 Series
The following topics are covered:

Introduction 91

Overview 91

Feature Description 92

Applying the Feature Details 94

Introduction

This feature enhances the dynamic port splitting/breakout support for the Thunder 7x50
series.

Overview

The third generation Thunder xx30 series and the fourth generation Thunder series, such as
the TH4440, TH5440, and TH5840, support breaking out 40G interfaces into 4x10G using the
command “system-4x10g-mode”.

The dynamic port breakout was first extended to the port-level configuration on the
Thunder 5x50 platform, and now this feature is also supported on the Thunder 7x50 platform.


Feature Description

The following topics are covered:

Implementing the Dynamic Port Breakout Support 92

Implementing the Logical Port Mapping Support 92

Supporting the Dynamic Port Breakout 92

Example for the Port Mapping Implementation 93

Implementing the Dynamic Port Breakout Support


This feature helps the user to perform and understand the following tasks:

1. Adding support for the interface-level CLI command “port-breakout” on the Thunder 7x50
platform.
2. Supporting and generating the dynamic plat_if table, which defines the mapping between
the front ports and the Broadcom chipset's internal ports, along with the total number of
interfaces.
3. Supporting dynamic generation of the Broadcom chipset configuration, which defines the
total number of its internal ports along with per-port parameters, such as speed.
4. Supporting dynamic parsing of the ACOS startup configuration file to support the
above-mentioned task items 2 and 3.

Implementing the Logical Port Mapping Support


The logical port mapping helps in redirecting the various communication requests from
multiple sources.

For reference, the Broadcom SDK uses a configuration text file for logical port management.

The following is a synopsis of its syntax:

portmap_logical_port.unit=physical_port:speed

Supporting the Dynamic Port Breakout


The following are the steps and representations to support the dynamic port breakout
feature:


1. The CLI validates the port breakout command entered by the user and shows the
corresponding messages: the command may be rejected, or the user is prompted to save the
configuration so that it is applied on the next reload or reboot.
2. At the system initialization phase, the startup configuration is parsed for the
per-physical-port breakout settings and the per-platform plat_if table is generated.
3. The per-platform configuration file is generated before control is passed to the Broadcom
SDK.

Example for the Port Mapping Implementation


The following is a partial example of a port mapping scenario:
# port breakout begin
portmap_5.1=5:25
portmap_6.1=6:25
portmap_7.1=7:25
portmap_8.1=8:25
portmap_13.1=13:100
portmap_21.1=21:50
portmap_23.1=23:50
portmap_29.1=29:50
portmap_31.1=31:50
portmap_41.1=41:25
portmap_42.1=42:25
portmap_43.1=43:25
portmap_44.1=44:25
portmap_49.1=49:50
portmap_51.1=51:50
portmap_57.1=57:25
portmap_58.1=58:25
portmap_59.1=59:25
portmap_60.1=60:25
portmap_61.1=61:25
portmap_62.1=62:25
portmap_63.1=63:25
portmap_64.1=64:25
portmap_67.1=65:100
portmap_71.1=69:100
portmap_79.1=77:100
portmap_87.1=85:100
portmap_99.1=97:100
portmap_107.1=105:100


portmap_115.1=113:100
portmap_123.1=121:100

Applying the Feature Details

The following topics are covered:

Port Numbering 94

Important Points for the Breakout Feature 94

Example of the Feature Implementation 95

Impact Details for the Feature 98

Port Numbering
In the Thunder Series 7650, there are 16x100G physical front ports. The port numbering is
illustrated as the following:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Important Points for the Breakout Feature


The following is a list of important points for applying this feature:

• As each lane of a Falcon chip can optionally run at a flexible speed of 10G, the port-level
command “speed-forced-40g” can be applied.
• With the ACOS implementation, all the front ports of the Thunder 7650 are “speed-forced
capable”, while only front ports one to eight are “breakout capable.”
• The “speed-forced” feature can be applied on the go, without a system reload or reboot.

However, the “breakout” feature requires a reload for the configuration to take effect.

This could create a configuration event issue among the threads or the processes.

• This implies that enabling both features simultaneously on the same front ports is not
presently supported.

Only one feature can be enabled at a time on a given physical port.

• To enable the port breakout feature on a given physical interface, the cited port-breakout
command can be issued with a mandatory keyword to specify the desired breakout mode.

Presently, 4x25G and 2x50G are the two supported breakout modes.
• When a physical front port is broken out into two or four logical ones, its physical port
number stays unchanged while one or three logical ports are appended after the last
physical one.

Example of the Feature Implementation


The following is an example scenario for this feature implementation:

When port one is in the 4x25G breakout mode, it becomes ports [1, 17, 18, 19] after a system
reboot or reload. If port breakout mode 4x25G is then also enabled on port three, the result is
a total of 22 front ports with two ports broken out: [1, 17, 18, 19] and [3, 20, 21, 22].

This is reflected in the startup configuration and can be seen with the command “show
startup-config”. Only the first eight front ports can be broken out into 4x25G or 2x50G
mode. The possible totals are listed in the following table: every total in the range 16 to 40
is possible except 39.

TABLE 8-2 : Feature Implementation - Dynamic Port Breakout Support - Combination of Total Numbers of Ports

| Number of Non-Breakout Capable Ports | Number of 4x25G Ports, Denoted by: Q [0 to 8] | Number of 2x50G Ports, Denoted by: B [0 to (8 - Q)] | Total Number of Ports | 8 + (4xQ) + (2xB) + (8 - Q - B), (Q + B) <= 8 |
|---|---|---|---|---|
| 8 | 8 | 0 | 40 | 8 + (4x8) + (2x0) + 0 |
| 8 | 7 | 1 | 38 | 8 + (4x7) + (2x1) + 0 |
| 8 | 7 | 0 | 37 | 8 + (4x7) + (2x0) + 1 |
| 8 | 6 | 2 | 36 | 8 + (4x6) + (2x2) + 0 |
| 8 | 6 | 1 | 35 | 8 + (4x6) + (2x1) + 1 |
| 8 | 6 | 0 | 34 | 8 + (4x6) + (2x0) + 2 |
| 8 | 5 | 3 | 34 | 8 + (4x5) + (2x3) + 0 |
| 8 | 5 | 2 | 33 | 8 + (4x5) + (2x2) + 1 |
| 8 | 5 | 1 | 32 | 8 + (4x5) + (2x1) + 2 |
| 8 | 5 | 0 | 31 | 8 + (4x5) + (2x0) + 3 |
| 8 | 4 | 4 | 32 | 8 + (4x4) + (2x4) + 0 |
| 8 | 4 | 3 | 31 | 8 + (4x4) + (2x3) + 1 |
| 8 | 4 | 2 | 30 | 8 + (4x4) + (2x2) + 2 |
| 8 | 4 | 1 | 29 | 8 + (4x4) + (2x1) + 3 |
| 8 | 4 | 0 | 28 | 8 + (4x4) + (2x0) + 4 |
| 8 | 3 | 5 | 30 | 8 + (4x3) + (2x5) + 0 |
| 8 | 3 | 4 | 29 | 8 + (4x3) + (2x4) + 1 |
| 8 | 3 | 3 | 28 | 8 + (4x3) + (2x3) + 2 |
| 8 | 3 | 2 | 27 | 8 + (4x3) + (2x2) + 3 |
| 8 | 3 | 1 | 26 | 8 + (4x3) + (2x1) + 4 |
| 8 | 3 | 0 | 25 | 8 + (4x3) + (2x0) + 5 |
| 8 | 2 | 6 | 28 | 8 + (4x2) + (2x6) + 0 |
| 8 | 2 | 5 | 27 | 8 + (4x2) + (2x5) + 1 |
| 8 | 2 | 4 | 26 | 8 + (4x2) + (2x4) + 2 |
| 8 | 2 | 3 | 25 | 8 + (4x2) + (2x3) + 3 |
| 8 | 2 | 2 | 24 | 8 + (4x2) + (2x2) + 4 |
| 8 | 2 | 1 | 23 | 8 + (4x2) + (2x1) + 5 |
| 8 | 2 | 0 | 22 | 8 + (4x2) + (2x0) + 6 |
| 8 | 1 | 7 | 26 | 8 + (4x1) + (2x7) + 0 |
| 8 | 1 | 6 | 25 | 8 + (4x1) + (2x6) + 1 |
| 8 | 1 | 5 | 24 | 8 + (4x1) + (2x5) + 2 |
| 8 | 1 | 4 | 23 | 8 + (4x1) + (2x4) + 3 |
| 8 | 1 | 3 | 22 | 8 + (4x1) + (2x3) + 4 |
| 8 | 1 | 2 | 21 | 8 + (4x1) + (2x2) + 5 |
| 8 | 1 | 1 | 20 | 8 + (4x1) + (2x1) + 6 |
| 8 | 1 | 0 | 19 | 8 + (4x1) + (2x0) + 7 |
| 8 | 0 | 8 | 24 | 8 + (4x0) + (2x8) + 0 |
| 8 | 0 | 7 | 23 | 8 + (4x0) + (2x7) + 1 |
| 8 | 0 | 6 | 22 | 8 + (4x0) + (2x6) + 2 |
| 8 | 0 | 5 | 21 | 8 + (4x0) + (2x5) + 3 |
| 8 | 0 | 4 | 20 | 8 + (4x0) + (2x4) + 4 |
| 8 | 0 | 3 | 19 | 8 + (4x0) + (2x3) + 5 |
| 8 | 0 | 2 | 18 | 8 + (4x0) + (2x2) + 6 |
| 8 | 0 | 1 | 17 | 8 + (4x0) + (2x1) + 7 |
| 8 | 0 | 0 | 16 | 8 + (4x0) + (2x0) + 8 |
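The breakout numbering rule from the example scenario and the TABLE 8-2 formula, worked through as an added Python example (not A10 code): it allocates the logical port numbers for a breakout configuration and enumerates every reachable total, which shows why 39 is the only count missing from 16 to 40. Assumed: the extra logical ports are handed out in ascending physical-port order, consistent with the [1, 17, 18, 19] and [3, 20, 21, 22] example; the function names are hypothetical.

```python
"""Model of the Thunder 7650 dynamic port breakout numbering and TABLE 8-2.

Added example, not A10 code. It encodes only the rules stated in the text:
16 front ports, ports 1-8 breakout capable, modes 4x25G and 2x50G, and extra
logical ports appended after the last physical port.
"""

FRONT_PORTS = 16                 # 16x100G physical front ports on a TH7650
BREAKOUT_CAPABLE = range(1, 9)   # only front ports 1..8 may be broken out
# Logical ports produced per physical port in each supported breakout mode.
MODES = {"4x25G": 4, "2x50G": 2}


def breakout_ports(modes):
    """Return {physical_port: [logical ports]} for a breakout configuration.

    `modes` maps a front port to "4x25G" or "2x50G". The physical port keeps
    its own number; the remaining one or three lanes are numbered after
    FRONT_PORTS. Assumption: allocation runs in ascending physical-port
    order, which reproduces the [1, 17, 18, 19] / [3, 20, 21, 22] example.
    """
    result = {}
    next_port = FRONT_PORTS + 1
    for port in sorted(modes):
        if port not in BREAKOUT_CAPABLE:
            raise ValueError(f"front port {port} is not breakout capable")
        if modes[port] not in MODES:
            raise ValueError(f"unsupported breakout mode {modes[port]!r}")
        lanes = MODES[modes[port]]
        result[port] = [port] + list(range(next_port, next_port + lanes - 1))
        next_port += lanes - 1
    return result


def total_ports(q, b):
    """Total front ports for Q ports in 4x25G and B in 2x50G (TABLE 8-2 formula)."""
    if q < 0 or b < 0 or q + b > len(BREAKOUT_CAPABLE):
        raise ValueError("at most eight ports can be broken out")
    non_capable = FRONT_PORTS - len(BREAKOUT_CAPABLE)      # 8
    unbroken_capable = len(BREAKOUT_CAPABLE) - q - b       # 8 - Q - B
    return non_capable + 4 * q + 2 * b + unbroken_capable


def reachable_totals():
    """Set of every port count achievable over all (Q, B) combinations."""
    return {total_ports(q, b) for q in range(9) for b in range(9 - q)}


def port_count(modes):
    """Total ports for a concrete configuration; agrees with total_ports()."""
    q = sum(1 for m in modes.values() if m == "4x25G")
    b = sum(1 for m in modes.values() if m == "2x50G")
    return total_ports(q, b)


if __name__ == "__main__":
    cfg = {1: "4x25G", 3: "4x25G"}
    print(breakout_ports(cfg), port_count(cfg))
    # The one total in 16..40 that no (Q, B) combination produces.
    print(sorted(set(range(16, 41)) - reachable_totals()))
```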

Impact Details for the Feature


The following is a list of important points regarding the impact of this feature:

• There must be no impact on fast path traffic after the breakout is enabled.
• The control CPUs may experience slightly higher usage because of the additional front
ports.
• The details regarding the configuration to break out ports cannot be preserved before
or after the feature is enabled or disabled.
• The LED microprocessor does not need to be reprogrammed to reflect the link or activity
status of the newly acquired breakout ports.

NOTE: For more information on this feature, see “Dynamic Port Breakout
Support” or “Port Splitting Support” under the various guides from
the Hardware or Platform Documents section.

NOTE: The CLI/command details are also available in the “Command Line
Interface (CLI) Reference Guide” and “aXAPI Reference Guide” for
this feature.

NOTE: This feature is also described in the earlier “Thunder and AX Series Release GUI
Reference - ACOS 2.7.2.”

Saving Multiple Configuration Files Locally


The ACOS device has CLI commands that enable you to store and manage multiple
configurations on the ACOS device.


NOTE: Unless you plan to locally store multiple configurations, you do not need to use any
of the advanced commands or options described in this section. You can enter the write
memory command in the CLI to save configuration changes. These simple options replace
the commands in the startup-config stored in the image area the ACOS device booted from
with the commands in the running-config.

The following topics are covered:

Understanding Configuration Profiles 99

Using the CLI to Save Configurations 100

Using the CLI to View Configurations 101

Using the CLI to Copy Configurations 101

Using the CLI to Compare Configurations 102

Using the CLI to Link Configuration Profiles 102

Using the CLI to Delete a Profile 103

CLI Example of Configuration Profile Management 104

Understanding Configuration Profiles

Configuration files are managed as configuration profiles. A configuration profile is simply a
configuration file. You can locally save multiple configuration profiles on the ACOS device.
The configuration management commands described in this section enable you to do the
following:

• Save the startup-config or running-config to a configuration profile.
• Copy locally saved configuration profiles.
• Delete locally saved configuration profiles.
• Compare two configuration profiles side by side to see the differences between the
configurations.
• Link the command option “startup-config” to a configuration profile other than the one
stored in the image area used for the most recent reboot. (This is the profile that
“startup-config” refers to by default.) This option makes it easier to test a configuration
without altering the configuration stored in the image area.

NOTE: Although the enable and admin passwords are loaded as part of the system
configuration, they are not saved in the configuration profiles. Changes to the enable
password or to the admin username or password take effect globally, regardless of the
values that were in effect when a given configuration profile was saved.

Using the CLI to Save Configurations

To manage multiple locally stored configurations, use the write memory or write force
commands (available at the global configuration level of the CLI).

• If you enter write memory without additional options, the command replaces the
configuration profile that is currently linked to by startup-config with the commands in
the running-config. If startup-config is set to its default (linked to the configuration
profile stored in the image area that was used for the last reboot), then write memory
replaces the configuration profile in the image area with the running-config.
• If you enter write force, the command forces the ACOS device to save the configuration
regardless of whether the system is ready.
• If you enter write memory primary, the command replaces the configuration profile
stored in the primary image area with the running-config. Likewise, if you enter write
memory secondary, the command replaces the configuration profile stored in the
secondary image area with the running-config.
• If you enter write memory profile-name, the ACOS device replaces the commands in
the specified profile-name with the running-config.
• You can also specify a specific L3V partition or all-partitions with the write memory
and write force commands; these options save the configuration changes in your L3V
partitions. Without either option, only the configuration in the shared partition is saved.

NOTE: For CLI syntax information about write memory and write force,
see the Command Line Interface Reference Guide.


Using the CLI to View Configurations

To view locally stored configuration information, use the show startup-config command.

• To display a list of the locally stored configuration profiles, use the show startup-config
all command.

• The show startup-config all-partitions command shows all resources in all partitions.
In this case, the resources in the shared partition are listed first, followed by the
resources in each L3V partition. You can also specify a single partition instead of
all-partitions to view the startup-config for the specified partition only.

• The show startup-config profile profile-name command displays the commands that are
in the specified configuration profile.

NOTE: For CLI syntax information about show startup-config, see the
Command Line Interface Reference Guide.

Using the CLI to Copy Configurations

To copy configurations, use the copy command.

• The copy startup-config profile-name command copies the configuration profile that is
currently linked to “startup-config” and saves the copy under the specified profile name.
• The copy startup-config running-config command copies the configuration profile
that is currently linked to “startup-config” and replaces the current running-config.
• The copy running-config startup-config command copies the running-config and
saves it to the configuration profile currently linked to the startup-config.

NOTE: You cannot use the profile name “default”. This name is reserved
and always refers to the configuration profile that is stored in the
image area from which the ACOS device most recently rebooted.

• For all commands, specify the URL of the remote device where you want to back up the
configuration. (See Backing Up System Information.)


NOTE: For CLI syntax information about the copy command, see the
Command Line Interface Reference Guide.

Using the CLI to Compare Configurations

To view a side-by-side comparison of configurations, use the diff command.

• The diff startup-config running-config command compares the configuration profile
that is currently linked to “startup-config” with the running-config. Similarly, the
diff startup-config profile-name command compares the configuration profile that is
currently linked to “startup-config” with the specified configuration profile.

• To compare any two configuration profiles, enter their profile names.

For example: diff profile-name1 profile-name2

In the CLI output, the commands in the first profile name you specify are listed on the left
side of the terminal screen. The commands in the other profile that differ from the
commands in the first profile are listed on the right side of the screen, across from the
commands they differ from. TABLE 8-3 describes the flags indicating how the two profiles
differ:

TABLE 8-3 : Description of the Flags in the diff Command Output

Flag   Description
----   ------------------------------------------------------------------------------------
|      Indicates that the corresponding command has different settings in each profile.
>      Indicates that the corresponding command is in the second profile, but not the first.
<      Indicates that the corresponding command is in the first profile, but not the second.
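The flag semantics of TABLE 8-3, as an added Python example that is not A10 code: it aligns two constructed, abbreviated configuration profiles with difflib and, within a block of differing lines, pairs lines by their first two keywords to decide between "|" and "<" / ">". That pairing heuristic and the profile contents are assumptions, not the ACOS diff algorithm.

```python
"""Side-by-side comparison of two configuration profiles with the diff flags
of TABLE 8-3. Added example, not A10 code: difflib aligns the two profiles and
differing lines are paired by command keyword (an assumption) to choose '|'
over '<' / '>'.
"""
import difflib

# Constructed, abbreviated sample profiles in the style of the diff output.
PROFILE_FIRST = """\
hostname ACOS
interface ve 30
  ip address 30.30.31.1 255.255.255.0
ipv6 nat pool p1 2001:db8:3::996 2001:db8:3::999 netmask /64
slb server ss100 2001:db8:1::100
  port 22 tcp
""".splitlines()

PROFILE_SECOND = """\
hostname ACOS
interface ve 30
  ip address 10.10.20.1 255.255.255.0
ip nat range-list v6-1 2001:db8:300::300/64 2001:db8:1::900/64
""".splitlines()


def command_key(line, words=2):
    """Identity of a command line: its first two keywords (e.g. 'ip address')."""
    return " ".join(line.split()[:words])


def pair_differing(left, right):
    """Within a block difflib could not match, pair lines that are the same
    command with different settings ('|'); the rest are '<' or '>'."""
    rows, unused = [], list(range(len(right)))
    for lhs in left:
        j = next((j for j in unused if command_key(right[j]) == command_key(lhs)), None)
        if j is None:
            rows.append((lhs, "<", ""))
        else:
            unused.remove(j)
            rows.append((lhs, "|" if right[j] != lhs else " ", right[j]))
    rows.extend(("", ">", right[j]) for j in unused)
    return rows


def diff_profiles(first, second):
    """Return (left, flag, right) rows: common lines carry ' ', differing
    lines carry the TABLE 8-3 flag. `first` is listed on the left, as in the CLI."""
    rows = []
    sm = difflib.SequenceMatcher(a=first, b=second, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            rows.extend((line, " ", "") for line in first[i1:i2])
        elif tag == "delete":
            rows.extend((line, "<", "") for line in first[i1:i2])
        elif tag == "insert":
            rows.extend(("", ">", line) for line in second[j1:j2])
        else:  # replace
            rows.extend(pair_differing(first[i1:i2], second[j1:j2]))
    return rows


def render(rows, width=48):
    """Format rows as two columns with the flag between them."""
    return "\n".join(f"{lhs:<{width}} {flag} {rhs}".rstrip() for lhs, flag, rhs in rows)


def flag_counts(rows):
    """Number of lines carrying each flag; a quick 'did anything change?' check."""
    counts = {"|": 0, "<": 0, ">": 0}
    for _, flag, _ in rows:
        if flag in counts:
            counts[flag] += 1
    return counts


if __name__ == "__main__":
    print(render(diff_profiles(PROFILE_FIRST, PROFILE_SECOND)))
```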

Using the CLI to Link Configuration Profiles

Use the link command to link configuration profiles. By default, “startup-config” is linked to
“default”, which means the configuration profile stored in the image area from which the
ACOS device most recently rebooted.

This command enables you to easily test new configurations without replacing the
configuration stored in the image area. For example, the following command links the
startup-config to a new profile called test-profile in the primary image area:
ACOS(config)# link startup-config test-profile primary

You can specify the primary or secondary option to indicate an image area; if you omit this
option, the image area last used to boot is selected.

The profile you link to must be stored on the boot device you select. For example, if you use
the default boot device selection (hard disk), the profile you link to must be stored on the
hard disk. (To display the profiles stored on the boot devices, use the show startup-config
all command.)

After you link “startup-config” to a different configuration profile, configuration
management commands that affect “startup-config” affect the linked profile instead of
affecting the configuration stored in the image area. For example, if you enter the write
memory command without specifying a profile name, the command saves the running-config
to the linked profile instead of saving it to the configuration stored in the image area.

Likewise, the next time the ACOS device is rebooted, the linked configuration profile is
loaded instead of the configuration that is in the image area.

To relink “startup-config” to the configuration profile stored in the image area, use the
default option:
ACOS(config)# link startup-config default

Using the CLI to Delete a Profile

Use the delete startup-config command to remove a specific configuration profile.

For example:
ACOS(config)# delete startup-config slb_profile1

Although the command uses the startup-config option, the command only deletes the
configuration profile linked to “startup-config” if you enter that profile’s name. The command
deletes only the profile you specify.


If the configuration profile you specify is linked to “startup-config”, “startup-config” is
automatically relinked to the default. (The default is the configuration profile stored in the
image area from which the ACOS device most recently rebooted.)

CLI Example of Configuration Profile Management

The following command saves the running-config to a configuration profile named
“slbconfig2”:

ACOS(config)# write memory slbconfig2

The following command shows a list of the configuration profiles locally saved on the ACOS
device. The first line of output lists the configuration profile that is currently linked to
“startup-config”. If the profile name is “default”, then “startup-config” is linked to the
configuration profile stored in the image area from which the ACOS device most recently
rebooted.

ACOS(config)# show startup-config all


Current Startup-config Profile: slb-v6
Profile-Name Size Time
------------------------------------------------------------
1210test 1957 Jan 28 18:39
ipnat 1221 Jan 25 10:43
ipnat-l3 1305 Jan 24 18:22
ipnat-phy 1072 Jan 25 19:39
ipv6 2722 Jan 22 15:05
local-bwlist-123 3277 Jan 23 14:41
mgmt 1318 Jan 28 10:51
slb 1354 Jan 23 18:12
slb-v4 12944 Jan 23 19:32
slb-v6 13414 Jan 23 19:19

The following command copies the configuration profile currently linked to “startup-config”
to a profile named “slbconfig3”:

ACOS(config)# copy startup-config slbconfig3


The following command compares the configuration profile currently linked to
“startup-config” with configuration profile “testcfg1”. This example is abbreviated for clarity.
The differences between the profiles are shown in this example in bold type.

ACOS(config)# diff startup-config testcfg1


!Current configuration: 13378 bytes (
!Configuration last updated at 19:18:57 PST Wed Jan 23 2008 (
!Configuration last saved at 19:19:37 PST Wed Jan 23 2008 (
!version 1.2.1 (
! (
hostname ACOS (
! (
clock timezone America/Tijuana (
! (
ntp server 10.1.11.100 1440 (
! (
...
! (
interface ve 30 (
ip address 30.30.31.1 255.255.255.0 | ip address 10.10.20.1 255.255.255.0
ipv6 address 2001:144:121:3::5/64 | ipv6 address fc00:300::5/64
! (
! (
> ip nat range-list v6-1 fc00:300::300/64 2001:144:121:1::900/6
! (
ipv6 nat pool p1 2001:144:121:3::996 2001:144:121:3::999 netm <
! <
slb server ss100 2001:144:121:1::100 <
port 22 tcp <
--MORE--
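The side-by-side output above is what an administrator reads to audit what a candidate profile would change before linking it to “startup-config”. The following Python script, added here as an illustration and not part of the A10 documentation or of ACOS, classifies each line of such output as unchanged, changed, present only in “startup-config”, or present only in the other profile, and reports whether the two profiles match. The marker meanings (a trailing “(” for identical lines, “ | ” for changed lines, a leading “>” for lines only in the second profile, a trailing “<” for lines only in “startup-config”) are inferred from the output shown above and should be checked against your own device; the sample diff text is constructed from that output.

```python
"""Classify the lines of an ACOS side-by-side configuration diff.

Assumed marker meaning (inferred from the 'diff startup-config' output
shown in the guide; verify against your own device):
  trailing '('  -> line is identical in both profiles
  ' | '         -> line differs; left half is startup-config, right half the other profile
  leading '>'   -> line exists only in the second profile
  trailing '<'  -> line exists only in startup-config
"""
from collections import Counter

# Constructed sample: an abbreviated copy of the diff output shown above.
SAMPLE_DIFF = """\
!Current configuration: 13378 bytes (
hostname ACOS (
ntp server 10.1.11.100 1440 (
...
interface ve 30 (
ip address 30.30.31.1 255.255.255.0 | ip address 10.10.20.1 255.255.255.0
ipv6 address 2001:144:121:3::5/64 | ipv6 address fc00:300::5/64
! (
> ip nat range-list v6-1 fc00:300::300/64 2001:144:121:1::900/6
ipv6 nat pool p1 2001:144:121:3::996 2001:144:121:3::999 netm <
slb server ss100 2001:144:121:1::100 <
--MORE--
"""


def classify_line(line):
    """Return (kind, left, right) for one diff line.

    kind is 'same', 'changed', 'only-right', 'only-left' or 'unknown';
    None is returned for pager noise ('--MORE--') and the '...' abbreviation.
    """
    s = line.rstrip()
    if not s or s in ("...", "--MORE--"):
        return None
    if s.startswith("> "):
        return ("only-right", None, s[2:].strip())
    if s.endswith(" <"):
        return ("only-left", s[:-2].strip(), None)
    if s.endswith(" ("):
        same = s[:-2].strip()
        return ("same", same, same)
    if " | " in s:
        left, right = s.split(" | ", 1)
        return ("changed", left.strip(), right.strip())
    # Unrecognised layout: surface it instead of silently dropping the line.
    return ("unknown", s, None)


def summarize_diff(text):
    """Parse a whole diff; return per-kind counts and the differing entries."""
    counts = Counter()
    differences = []
    for line in text.splitlines():
        parsed = classify_line(line)
        if parsed is None:
            continue
        counts[parsed[0]] += 1
        if parsed[0] != "same":
            differences.append(parsed)
    return {"counts": dict(counts), "differences": differences}


def profiles_match(text):
    """True only if every recognised line is identical in both profiles."""
    return not summarize_diff(text)["differences"]


if __name__ == "__main__":
    summary = summarize_diff(SAMPLE_DIFF)
    print("counts:", summary["counts"])
    for kind, left, right in summary["differences"]:
        print(f"{kind:11s} startup-config={left!r} other={right!r}")
    print("profiles match:", profiles_match(SAMPLE_DIFF))
```

Run against a captured diff, the script turns a screenful of output into a short list of changed, added and removed lines that can be attached to a change record before the new profile is linked.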

The following command links configuration profile “slbconfig3” with “startup-config”:

ACOS(config)# link startup-config slbconfig3

The following command deletes configuration profile “slbconfig2”:

ACOS(config)# delete startup-config slbconfig2

Chapter 9: Source Interface for Management Traffic
By default, the ACOS device uses data interfaces as the source for management traffic. This
chapter describes how you can configure the management interface and loopback interfaces
to act as the source for management traffic instead of using data interfaces.

The following topics are covered:

Using the Management Interface as the Source for Management Traffic 107

Using a Loopback or Virtual Ethernet Interface as the Source for Management Traffic 110

Using the Management Interface as the Source for Management Traffic

The following topics are covered:

Understanding Route Tables 107

Keeping the Management and Data Interfaces in Separate Networks 108

Management Routing Options 108

Configuring the Management Interface as Source for Automated Management Traffic 109

Configuring the Management Interface as Source Interface for Manually Generated Management Traffic 109

Understanding Route Tables

By default, the ACOS device attempts to use a route from the main route table for management connections originated on the ACOS device. You can enable the ACOS device to use the management route table to initiate management connections instead.

This section describes the ACOS device’s two route tables, for data and management traffic,
and how to configure the device to use the management route table.

The ACOS device uses separate route tables for management traffic and data traffic.

• Management route table – Contains all static routes whose next hops are connected to the management interface. The management route table also contains the route to the device configured as the management default gateway.

• Main route table – Contains all routes whose next hop is connected to a data interface. These routes are sometimes referred to as data plane routes. Entries in this table are used for load balancing and for Layer 3 forwarding on data ports.

This route table also contains copies of all static routes in the management route table, excluding the management default gateway route.

You can configure the ACOS device to use the management interface as the source interface for automated management traffic. In addition, on a case-by-case basis, you can enable the use of the management interface and management route table for various types of management connections to remote devices.

The ACOS device automatically uses the management route table for reply traffic on connections initiated by a remote host that reaches the ACOS device on the management port. For example, this occurs for SSH or HTTP connections from remote hosts to the ACOS device.

NOTE: Static routes whose next hop is the management interface are
duplicated in the management route table.

Keeping the Management and Data Interfaces in Separate Networks

The management interface and the data interfaces must be in separate networks. If both
tables have routes to the same destination subnet, some operations (for example, ping) may
have unexpected results. An exception is the default route (0.0.0.0/0), which can be in both
tables.

To display the routes in the management route table, use the show ip route mgmt command.

To display the data plane routes, use the show ip route or show ip fib commands.
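The requirement that the management and data interfaces sit in separate networks (the default route excepted) can be checked mechanically. The following Python script, added here as an illustration and not taken from the A10 documentation or from ACOS, flags destination prefixes that appear in both the management route table and the main route table, and data interfaces that share a subnet with the management interface. The route prefixes and interface addresses are constructed sample values; to run it against a real device, first extract the destination column from show ip route mgmt and show ip route, whose exact output format this example does not assume.

```python
import ipaddress

# Constructed sample data: destination prefixes from the management route
# table and the main route table, plus interface addresses. On a real device
# these come from 'show ip route mgmt', 'show ip route' and the interface
# configuration; the command output format itself is not parsed here.
MGMT_ROUTES = ["0.0.0.0/0", "10.10.0.0/16", "192.168.50.0/24"]
MAIN_ROUTES = ["0.0.0.0/0", "10.10.20.0/24", "172.16.0.0/12", "192.168.50.0/24"]
MGMT_INTERFACE = "10.10.10.1/24"
DATA_INTERFACES = ["10.10.10.66/24", "10.1.1.254/24"]


def find_route_conflicts(mgmt_routes, main_routes):
    """Return (mgmt_prefix, main_prefix) pairs whose destinations overlap.

    An identical destination subnet in both tables is a conflict, and so is
    a prefix in one table that contains a prefix in the other, because a
    host in the narrower subnet is then reachable through both tables.
    The default route 0.0.0.0/0 is permitted in both tables and is skipped.
    """
    mgmt = [ipaddress.ip_network(r, strict=False) for r in mgmt_routes]
    main = [ipaddress.ip_network(r, strict=False) for r in main_routes]
    conflicts = []
    for m in mgmt:
        if m.prefixlen == 0:
            continue
        for d in main:
            if d.prefixlen == 0 or d.version != m.version:
                continue
            if m.overlaps(d):
                conflicts.append((str(m), str(d)))
    return conflicts


def interfaces_sharing_network(mgmt_interface, data_interfaces):
    """Return the data interface addresses whose subnet overlaps the
    management interface's subnet."""
    mgmt_net = ipaddress.ip_interface(mgmt_interface).network
    shared = []
    for addr in data_interfaces:
        net = ipaddress.ip_interface(addr).network
        if net.version == mgmt_net.version and net.overlaps(mgmt_net):
            shared.append(addr)
    return shared


def report(mgmt_routes, main_routes, mgmt_interface, data_interfaces):
    """Run both checks and return the findings as readable strings."""
    findings = []
    for m, d in find_route_conflicts(mgmt_routes, main_routes):
        findings.append(f"route {m} (mgmt table) overlaps {d} (main table)")
    for addr in interfaces_sharing_network(mgmt_interface, data_interfaces):
        findings.append(
            f"data interface {addr} shares a network with management interface {mgmt_interface}")
    return findings


if __name__ == "__main__":
    for line in report(MGMT_ROUTES, MAIN_ROUTES, MGMT_INTERFACE, DATA_INTERFACES) or ["no conflicts"]:
        print(line)
```

Any finding means a ping or management connection from the device may leave through an interface the operator did not expect, which is exactly the unexpected behaviour the section warns about.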

Management Routing Options

You can configure the ACOS device to use the management interface as the source interface for the following management protocols, which are used for automated management traffic:

• SYSLOG
• SNMPD
• NTP
• RADIUS
• TACACS+
• SMTP

For example, when use of the management interface as the source interface for control traffic is enabled, all log messages sent to remote log servers are sent through the management interface. Likewise, the management route table is used to find a route to the log server. The ACOS device does not attempt to use any routes from the main route table to reach the server, even if a route in the main route table could be used.

In addition, on a case-by-case basis, you can enable use of the management interface and management route table for the following types of management connections to remote devices:

• Upgrade of the ACOS software
• SSH or Telnet connection to a remote host
• Import or export of files
• Export of show techsupport output
• Reload of black/white lists
• SSL loads (keys, certificates, and Certificate Revocation Lists)
• Copy or restore of configurations
• Backups

Configuring the Management Interface as Source for Automated Management Traffic

By default, use of the management interface as the source interface for automated management traffic is disabled.

To enable it, use the ip control-apps-use-mgmt-port command at the configuration level for the management interface:

ACOS(config)# interface management
ACOS(config-if:management)# ip control-apps-use-mgmt-port

Configuring the Management Interface as Source Interface for Manually Generated Management Traffic

To use the management interface as the source interface for manually generated management traffic, use the use-mgmt-port option as part of the command string. This option is available with certain file management commands, including the import command:

ACOS(config)# import ssl-cert-key bulk ?
use-mgmt-port Use management port as source port
tftp: Remote file path of tftp: file system(Format: tftp://host/file)
ftp: Remote file path of ftp: file system(Format:
ftp://[user@]host[:port]/file)
scp: Remote file path of scp: file system(Format:
scp://[user@]host/file)
sftp: Remote file path of sftp: file system(Format:
sftp://[user@]host/file)
NAME<length:1-31> profile name for remote url

Using a Loopback or Virtual Ethernet Interface as the Source for Management Traffic

You can configure the ACOS device to use a loopback or virtual Ethernet interface IP address as the source for management traffic originated by the device.

The following topics are covered:

Loopback Interface Management Traffic Types 110

Loopback Interface Implementation Notes 111

Loopback Interface Limitations 111

Configuring a Loopback Interface for Management Traffic 112

Configuring a Virtual Ethernet Interface for Management Traffic 112

Loopback Interface Management Traffic Types

You can enable use of a specific loopback interface as the source for one or more of the following management traffic types:

• FTP
• NTP
• RCP
• SNMP
• SSH
• SYSLOG
• Telnet
• TFTP
• Web

FTP, RCP, and TFTP apply to file export and import, such as image upgrades and system
backups.

Telnet and SSH apply to remote login from the ACOS device to another device. They also
apply to RADIUS and TACACS+ traffic. SSH also applies to file import and export using SCP.

Web applies to GUI login.

Loopback Interface Implementation Notes

Some notes to consider for loopback interfaces:

• Loopback interface IP address – The loopback interface you specify when configuring this feature must have an IP address configured on it. Otherwise, this feature does not take effect.
• Management interface – If use of the management interface as the source for management traffic is also enabled, the loopback interface takes precedence over the management interface. The loopback interface’s IP address will be used instead of the management interface’s IP address as the source for the management traffic. In conjunction, the use-mgmt-port CLI option will have no effect.
• Ping traffic – Configuration for use of a loopback interface as the source for management traffic does not apply to ping traffic. By default, ping packets are sourced from the best interface based on the ACOS route table. You can override the default interface selection by specifying a loopback or other type of interface as part of the ping command. (See the Command Line Interface Reference for syntax information.)

Loopback Interface Limitations

The current release has the following limitations related to this feature:

• Floating loopback interfaces are not supported.
• IPv6 interfaces are not supported.

Configuring a Loopback Interface for Management Traffic

The following commands configure an IP address on loopback interface 2 in the shared partition:
ACOS(config)# interface loopback 2
ACOS(config-if:loopback:2)# ip address 10.10.10.66 /24
ACOS(config-if:loopback:2)# exit

The following command configures the device to use loopback interface 2 as the source interface for management traffic of all types:
ACOS(config)# ip mgmt-traffic all source-interface loopback 2

Configuring a Virtual Ethernet Interface for Management Traffic

The following commands configure virtual Ethernet interface 2 in the L3V partition called p1:
ACOS[p1](config)# vlan 2
ACOS[p1](config-vlan:2)# router-interface ve 2
ACOS[p1](config-if:ve2)# ip address 10.1.1.254 /24
ACOS[p1](config-if:ve2)# exit

The following command configures the device to use ve 2 as the source interface for management traffic in the p1 partition:
ACOS[p1](config)# ip mgmt-traffic traffic-type source-interface ve 2

NOTE: If the virtual Ethernet interface belongs to the shared vlan, then
the shared virtual Ethernet interface IP address will be used. For
example, if vlan 2 above is also in the shared partition, the IP
address 10.1.1.254 /24 will not be used for management
traffic, but the IP address as configured for the virtual Ethernet
in the shared partition will be used.

NOTE: See the Configuring Application Delivery Partitions guide for more information about partitions.

Chapter 10: Dynamic and Block Configuration
In the classical (default) mode of the CLI, configuration commands take effect as they are
entered. For example, slb server s1 10.10.10.1 creates an SLB server “s1” with an IP
address of 10.10.10.1 without having to take any further action.

Using the CLI or aXAPI, block configuration modes allow you to update portions of your configuration without having to take your ACOS device off-line or disrupting live traffic.

The following topics are covered:

Overview of Dynamic and Block Configuration 114

Block Configuration Modes for CMDB 114

Block Configuration Modes for aFleX 118

Overview of Dynamic and Block Configuration


The Configuration Management Database (CMDB) allows dynamic changes to be made to the running configuration, using either the CLI or the aXAPI cli.deploy method. You enter a block configuration mode to create a new configuration file in the CMDB. ACOS compares the existing running configuration with this new file (your new configuration), which is considered the primary configuration. ACOS parses the commands in the new configuration file and rearranges them into an order in which the new commands will be applied so that live traffic is not disturbed.

For replicated configurations, the old configuration is left in place rather than removed and
then re-entered.

During this process, some dependency checks may be disabled. After parsing the new configuration, ACOS will ensure that all dependency checks are passed and all configurations are complete and valid.

NOTE: This feature is not supported in the GUI. Multiple users cannot configure ACOS through the CLI. Concurrent aXAPI calls are possible although they will be queued.

Block Configuration Modes for CMDB

The following topics are covered:

Block-Merge Mode 114

Block-Replace Mode 116

Expected Behaviors in Block Mode 117

Block-Merge Mode

In block-merge mode, existing elements edited in block-merge mode are replaced with your new definitions and then merged with the remaining configuration with block-merge-end.

If the running configuration is not committed before entering “block-merge” mode, then all changes made before and after “block-merge” mode are committed when you end “block-merge” mode.

NOTE: In this release, a setting to control the behavior of block-merge mode called merge mode is supported. In the merge mode, any child instances of the old configuration are retained if not present in the new configuration. The merge mode can be accessed using the merge-mode-add command from the Global configuration mode.

The following is an example showing how block-merge mode works. First, view the existing
SLB configuration:

ACOS(config)# show run | sec slb


slb server s1 2.2.2.2
port 80 tcp
sampling-enable all
slb virtual-server vip1 1.1.1.1
port 80 tcp
sampling-enable curr_conn
sampling-enable total_conn
ACOS(config)#

Next, edit the SLB server configuration to exclude the baselining configuration (sampling-enable command):

ACOS(config)# block-merge-start
Beginning merge mode. Enter configuration followed by 'block-merge-end' to
merge configuration into running.
ACOS(config)# slb server s1 2.2.2.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# block-merge-end
Configuration merged into running.
ACOS(config)#

View the running configuration again:

ACOS(config)# show run | sec slb
slb server s1 2.2.2.2
port 80 tcp
slb virtual-server vip1 1.1.1.1
port 80 tcp
sampling-enable curr_conn
sampling-enable total_conn
ACOS(config)#

The changes are merged into the existing running-config so that “sampling-enable all” is
no longer part of the SLB real server configuration.

Block-Replace Mode

In block-replace mode, instead of individual SLB configuration elements, the entire SLB configuration gets discarded and replaced when the new configuration is committed with block-replace-end. The rest of the configuration remains intact.

All configurations before entering “block-replace” mode, whether committed or not, are
removed unless they also are configured in “block-replace” mode.

Below is an example showing how block-replace mode works. First, view the existing SLB configuration:
ACOS(config)# show run | sec slb
slb server s1 2.2.2.2
port 80 tcp
sampling-enable all
slb virtual-server vip1 1.1.1.1
port 80 tcp
sampling-enable curr_conn
sampling-enable total_conn
ACOS(config)#

Next, edit the SLB server configuration to exclude the SLB virtual server:
ACOS(config)# block-replace-start
Beginning replace mode. Enter configuration followed by 'block-replace-end' to
apply diff and replace configuration into running.
ACOS(config)# slb server s1 2.2.2.2
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# sampling-enable all
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# block-replace-end
Configuration replaced into running.
ACOS(config)#

View the running configuration again:


ACOS(config)# show run | sec slb
slb server s1 2.2.2.2
port 80 tcp
sampling-enable all
ACOS(config)#

The changes have completely replaced the existing SLB configuration; there is no longer an
SLB virtual server configured.

Expected Behaviors in Block Mode

ACOS parses the configurations entered in block mode before it commits those changes. Any invalid command that results in a configuration error will void all of the block-mode configurations, and none of those changes will be made. The configuration will revert to the original running configuration. All configurations done in a block mode must succeed or else none of the configurations take effect.

If an undesired command or an erroneous command is entered in block mode, most of those can be removed using the no form of the command. However, when using the CLI only, syntax errors are ignored when the “block-replace” mode configuration is committed. If you run into a syntax error but still enter the block-replace-end command, then all valid configurations made in “block-replace” mode, prior to the syntax error, are still committed and entirely replace the old running configuration. When using the aXAPI, if there is an error in both syntax and configuration while using the cli.deploy method, ACOS rolls back to the original configuration. If an error is detected and ACOS reverts to the old running configuration, the configuration entered in block mode is cleared.

To avoid erasing the old running configuration with an erroneous configuration entered in block mode, exit block mode using the block-abort command. This will erase all configuration commands entered in block mode and retain the old running configuration.

In block mode, you can view the current running configuration with the show config command. This is the same as the show running-config command in the classical mode of the CLI. The changes you are currently making in block mode are not visible in the output of this command.

To view the configuration you are making in either “block-merge” or “block-replace” mode, enter the show config-block command.
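The block-merge and block-replace examples above, together with the all-or-nothing rule described in Expected Behaviors in Block Mode, can be captured in a small model. The following Python script is added here as an illustration; it is not ACOS code and does not reproduce ACOS's real parsing or dependency checks (a single keyword check stands in for them), and it models the rollback-on-error behaviour described for the aXAPI rather than the CLI's tolerance of syntax errors. It applies the two block edits shown above to a flattened copy of the running configuration from the examples and shows that one invalid element leaves the running configuration untouched.

```python
import copy

# Constructed model of the running configuration from the examples above:
# each top-level element maps to the list of its child lines. ACOS's real
# nesting (sampling-enable sits under the port) is flattened, because the
# merge and replace semantics being illustrated act on whole elements.
RUNNING = {
    "hostname ACOS": [],
    "slb server s1 2.2.2.2": ["port 80 tcp", "sampling-enable all"],
    "slb virtual-server vip1 1.1.1.1": [
        "port 80 tcp", "sampling-enable curr_conn", "sampling-enable total_conn",
    ],
}

# The two block-mode edits entered in the examples above.
MERGE_BLOCK = {"slb server s1 2.2.2.2": ["port 80 tcp"]}
REPLACE_BLOCK = {"slb server s1 2.2.2.2": ["port 80 tcp", "sampling-enable all"]}

# Stand-in for ACOS's command validation: an element is accepted if its first
# word is a known top-level keyword. ACOS itself also runs dependency checks.
KNOWN_KEYWORDS = {"hostname", "slb", "interface"}


def validate(block):
    """Return the element names that fail the (simplified) validation."""
    return [name for name in block if name.split()[0] not in KNOWN_KEYWORDS]


def block_merge(running, block, merge_mode_add=False):
    """Model of block-merge-end.

    Elements named in the block replace the running definition of the same
    element; every other element is untouched. With merge_mode_add=True
    (the merge-mode-add setting described in the NOTE above) children of the
    old definition that are absent from the new one are retained.
    """
    result = copy.deepcopy(running)
    for name, children in block.items():
        if merge_mode_add and name in result:
            kept = [c for c in result[name] if c not in children]
            result[name] = list(children) + kept
        else:
            result[name] = list(children)
    return result


def block_replace(running, block, section="slb"):
    """Model of block-replace-end.

    Every running element of the section (everything beginning with 'slb ')
    is discarded and the block's elements take its place; the rest of the
    configuration stays intact.
    """
    prefix = section + " "
    result = {n: list(c) for n, c in running.items() if not n.startswith(prefix)}
    for name, children in block.items():
        result[name] = list(children)
    return result


def apply_block(running, block, mode):
    """All-or-nothing commit; returns (new_running, errors).

    If any element fails validation the running configuration is returned
    unchanged, matching the rule that one failed command means none of the
    block's commands are applied.
    """
    errors = validate(block)
    if errors:
        return running, errors
    if mode == "merge":
        return block_merge(running, block), []
    if mode == "replace":
        return block_replace(running, block), []
    raise ValueError(f"unknown block mode: {mode}")


if __name__ == "__main__":
    merged, _ = apply_block(RUNNING, MERGE_BLOCK, "merge")
    replaced, _ = apply_block(RUNNING, REPLACE_BLOCK, "replace")
    print("after block-merge:  ", merged)
    print("after block-replace:", replaced)
```

With the page's data, the merge leaves vip1 intact and drops only sampling-enable all from s1, while the replace removes vip1 entirely and keeps the non-SLB hostname element, which is the difference the two CLI transcripts above demonstrate.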

Block Configuration Modes for aFleX

aFleX can also be configured in-line within block-merge and block-replace mode. Within the CLI, you enter the command aflex-scripts start to enter the aFleX configuration mode. aFleX commands should be entered in-line following that. When you are finished, simply enter a period (.) to indicate the end of the aFleX commands to be committed. All of these commands should be entered within the “block-merge” or “block-replace” mode in order for the aFleX commands to take effect.

Like the “block-merge” and “block-replace” modes in the CLI, the application of the aFleX commands depends on all of them passing. One failed command means that none of the commands are entered into the running configuration.

To enter aFleX commands in-line within “block-merge” or “block-replace” mode, enter the following command at the block configuration level:
aflex-scripts start

Each aFleX script can then be entered using the convention where the header contains <aflex-script aflexName, followed by the actual aFleX script and then a closing bracket (>). A period is used to indicate the end of all scripts.

<aflex-script aflexName
aflex code {
...
}
>

To indicate the end of all the aFleX commands, enter the following symbol at the end of the
aFleX commands:
.
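Because a malformed in-line block is rejected as a whole, it is worth validating the text before it is pasted into block mode. The following Python script, added here as an illustration and not part of the A10 documentation or ACOS, parses the in-line format just described (the aflex-scripts start line, one or more <aflex-script name ... > sections, and the terminating period), checks that every script is closed and its braces balance, and, mirroring the all-or-nothing rule, returns no scripts at all if anything is wrong. The sample block and the script bodies in it are constructed for the example; the parser treats the aFleX code itself as opaque text.

```python
START = "aflex-scripts start"
SCRIPT_OPEN = "<aflex-script "

# Constructed sample of the in-line format; the script bodies are
# illustrative text and are not parsed as aFleX.
SAMPLE_BLOCK = """\
aflex-scripts start
<aflex-script deny_admin_path
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/admin" } {
        reject
    }
}
>
<aflex-script tag_client
when CLIENT_ACCEPTED {
    set client [IP::client_addr]
}
>
.
"""


def parse_aflex_block(text):
    """Parse the in-line aFleX block format.

    Returns (scripts, errors): scripts maps each script name to its body.
    Following block mode's all-or-nothing rule, scripts is empty whenever
    any error was found, so a partially valid block is never accepted.
    """
    scripts = {}
    errors = []
    started = False
    terminated = False
    current = None      # name of the script whose body is being collected
    body = []

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        stripped = line.strip()
        if not started:
            if stripped == START:
                started = True
            elif stripped:
                errors.append(f"line {lineno}: text before '{START}'")
            continue
        if terminated:
            if stripped:
                errors.append(f"line {lineno}: text after the terminating '.'")
            continue
        if current is None:
            if stripped.startswith(SCRIPT_OPEN):
                name = stripped[len(SCRIPT_OPEN):].strip()
                if not name:
                    errors.append(f"line {lineno}: script header without a name")
                elif name in scripts:
                    errors.append(f"line {lineno}: duplicate script name {name!r}")
                current = name or "<unnamed>"
                body = []
            elif stripped == ".":
                terminated = True
            elif stripped:
                errors.append(f"line {lineno}: unexpected text outside a script: {stripped!r}")
        else:
            if stripped == ">":
                source = "\n".join(body)
                # Plain brace count; braces inside quoted strings would fool it.
                if source.count("{") != source.count("}"):
                    errors.append(f"script {current!r}: unbalanced braces")
                scripts[current] = source
                current = None
            elif stripped.startswith(SCRIPT_OPEN):
                errors.append(f"line {lineno}: script {current!r} not closed with '>' before the next header")
            else:
                body.append(line)

    if not started:
        errors.append(f"missing '{START}'")
    elif current is not None:
        errors.append(f"script {current!r} not closed with '>'")
    elif not terminated:
        errors.append("missing terminating '.'")
    return ({} if errors else scripts), errors


if __name__ == "__main__":
    scripts, errors = parse_aflex_block(SAMPLE_BLOCK)
    print("scripts:", sorted(scripts), "errors:", errors)
```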

To view all aFleX commands as part of the running configuration, enter the running-config display aflex global configuration command in the CLI, then enter the show running-config command.

Chapter 11: Boot Options
This chapter describes how to display or change the storage area from which the ACOS
device boots.

The following topics are covered:

Storage Areas 120

Booting from a Different Storage Area 123

NOTE: This chapter does not describe how to upgrade the system image.
For upgrade instructions, see the “Release Notes” for the release
to which you plan to upgrade.

Storage Areas

The following topics are covered:

Details 120

Displaying Current Storage Information 121

Displaying the Storage Location for Future Reboots 123

Details

The ACOS device has four storage areas (also called “image areas”) that can contain software images and configuration files:

• Primary storage on the Solid State Drive (SSD) or disk
• Secondary storage on the SSD or disk
• Primary storage on the compact flash (CF)
• Secondary storage on the compact flash

NOTE: Not all storage areas are available on all devices.

The SSD or disk storage areas are used for normal operation. The compact flash storage areas
are used only for system recovery.

NOTE: In this document, references to SSD can refer to the hard disk in
some older ACOS devices.

Normally, each time the ACOS device is rebooted, the device uses the same storage area that was used for the previous reboot. For example, if the primary storage area of the SSD or disk was used for the previous reboot, the system image and startup-config from the primary storage area are used for the next reboot.

Unless you change the storage area selection or interrupt the boot sequence to specify a different storage area, the ACOS device always uses the same storage area each time the device is rebooted.

NOTE: The ACOS device always tries to boot using the SSD or disk first. The compact flash is used only if the SSD or hard disk is unavailable. If you need to boot from compact flash for system recovery, contact A10 Networks.

Displaying Current Storage Information

To display the software images installed in the ACOS storage areas, and the currently running software version, use either of the following methods.

The following topics are covered:

Using the GUI to View Storage Information 121

Using the CLI to View Storage Information 122

Using the GUI to View Storage Information

Navigate to System > Dashboard in the GUI (see FIGURE 11-1).

FIGURE 11-1: System Dashboard in the GUI

The field at upper left, in the System Info area, shows the software version that is currently
running.

The system info is also displayed in the top right corner of every page. Hover over the link to
display the same system info as shown on the Dashboard.

Using the CLI to View Storage Information

The show version command shows storage area information. The command also lists other information, including the currently running software version.

ACOS# show version
AX Series Advanced Traffic Manager AX5100
Copyright 2007-2015 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents:
8977749, 8943577, 8918857, 8914871, 8904512, 8897154, 8868765, 8849938
8826372, 8813180, 8782751, 8782221, 8595819, 8595791, 8595383, 8584199
8464333, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235, 8151322
8079077, 7979585, 7804956, 7716378, 7665138, 7647635, 7627672, 7596695
7577833, 7552126, 7392241, 7236491, 7139267, 6748084, 6658114, 6535516
6363075, 6324286, 5931914, 5875185, RE44701, 8392563, 8103770, 7831712
7606912, 7346695, 7287084, 6970933, 6473802, 6374300

64-bit Advanced Core OS (ACOS) version 4.1.0, build 141 (Aug-17-2015,08:03 )


Booted from Hard Disk primary image

Serial Number: AX51071112030080


Firmware version: 0.26
aFleX version: 2.0.0
aXAPI version: 3.0
Hard Disk primary image (default) version 4.1.0, build 141
Hard Disk secondary image version 2.6.1-GR1-P7, build 51
Compact Flash primary image (default) version 2.6.1-GR1-P7, build 51
Last configuration saved at Aug-18-2015, 02:02
Hardware: 16 CPUs(Stepping 5), Single 62G Hard disk
Memory 24677 Mbyte, Free Memory 9797 Mbyte
Hardware Manufacturing Code: 120311
Current time is Aug-21-2015, 08:09
The system has been up 3 days, 6 hours, 5 minutes
ACOS#

Displaying the Storage Location for Future Reboots

To display the storage area that will be used for future reboots, use either of the following methods.

NOTE: The ACOS device always tries to boot using the SSD or disk first.
The compact flash is used only if the SSD or hard disk is unavail-
able. If you need to boot from compact flash for system recovery,
contact A10 Networks.

The following topics are covered:

Using the GUI to View the Storage Location for Future Reboots 123

Using the CLI to View the Storage Location for Future Reboots 123

Using the GUI to View the Storage Location for Future Reboots
1. Hover over System in the navigation bar, and select Settings.
2. Click Boot Image on the menu bar.

Using the CLI to View the Storage Location for Future Reboots
Use the show bootimage command to view the storage location for future reboots.

In the following example, the ACOS device is configured to boot from the primary storage
area on the SSD or disk:
ACOS# show bootimage
(* = Default)
Version
-----------------------------------------------
Hard Disk primary 4.1.0.141 (*)
Hard Disk secondary 2.6.1-GR1-P7.51
Compact Flash primary 2.6.1-GR1-P7.51 (*)

Booting from a Different Storage Area

The following topics are covered:

Details 124

Temporarily Changing the Boot Image for the Next Reboot 124

Permanently Changing the Storage Location for Future Reboots 126
Details

The ACOS device allows you to change the boot device from the primary image to the secondary image on a single storage device, either the SSD, hard disk, or the CF. You can use the CLI or the GUI to make the change from the primary image to the secondary image or vice versa. However, if you are choosing to change the boot device from the SSD (hard disk) to the CF (Compact Flash), you have to interrupt the boot sequence to do so. Both boot devices, SSD (hard disk) and CF, contain their own primary and secondary boot locations.

To reboot from a different image within the same storage device (SSD or CF), do one of the
following:

• Interrupt the boot sequence and use the bootloader menu to temporarily select the other storage area.
• Configure the ACOS device to use the other storage area for all future reboots, then reboot.

Temporarily Changing the Boot Image for the Next Reboot

To temporarily change the storage location within the same boot device (SSD or CF) from the
primary to the secondary image, interrupt the boot sequence to access the bootloader menu.

To access the bootloader menu, reboot the ACOS device, then press Esc within 3 seconds
when prompted.

When the bootloader menu appears, use the Up and Down arrow keys to select the image
area from which to boot, and press Enter. The menu does not automatically time out. You
must press Enter to reboot using the selected image.

CAUTION: Each storage area has its own version of the startup-config.
When you save configuration changes, they are saved only to
the startup-config in the storage area from which the ACOS
device was booted.

CAUTION: If you plan to reboot from a different storage area, but you want to use the same configuration, first save the configuration to the other storage area. (The procedures in Permanently Changing the Storage Location for Future Reboots include steps for this.)

NOTE: The bootloader menu is available on all new ACOS devices later than release 2.6.1. However, the bootloader menu is not automatically installed when you upgrade from a release earlier than 2.6.1. To install the bootloader menu on upgraded devices, see the AX Release 2.6.1 release notes, or the description of the bootblock-fix command in the Command Line Interface Reference for 2.6.1 or later.

ACOS# reboot
Rebooting System Now !!!
Proceed with reboot? [yes/no]:yes
INIT:

Shutting down........Restarting system.


Press `ESC' to enter the boot menu... 1
Admin presses Esc within 3 seconds.

(A10 Networks ASCII-art banner)

Copyright 2005-2015 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
-------------------------------------------------------------------
0: ACOS (Primary Image)
1: ACOS (Secondary Image)
-------------------------------------------------------------------

Use the Up and Down arrow keys to select the image from which to boot.
Press enter to boot the selected image.

Admin presses down arrow to select 1.

Highlighted entry is 1:

Admin presses Enter to reboot using the selected image.

Booting 'ACOS (Secondary Image)'


Please wait while the system boots...

Booting........................[OK]

ACOS login:

Permanently Changing the Storage Location for Future Reboots

This section describes how to change the storage area that will be used for future reboots:

NOTE: The procedures in this section change the storage area selection
for all future reboots (unless you later change the selection
again). If you only need to temporarily override the storage area
selection for a single reboot, see Temporarily Changing the Boot
Image for the Next Reboot.

CAUTION: Each storage area has its own version of the startup-config.
When you save configuration changes, they are saved only to
the startup-config in the storage area from which the ACOS
device was booted.

CAUTION: If you plan to reboot from a different storage area, but you
want to use the same configuration, first save the con-
figuration to the other storage area. The procedures in this
section include a step for this.

The following topics are covered:

Using the GUI to Change the Location for Future Reboots 127

Using the CLI to Change the Location for Future Reboots 127

Using the GUI to Change the Location for Future Reboots

To change the location that will be used for future reboots from the GUI:

1. Hover over System in the menu bar, then select Settings.
2. Select the Boot Image tab.
3. On the Boot Image page, select the location from which the device will be rebooted in the future.
4. Click OK.

Using the CLI to Change the Location for Future Reboots

In this example, the ACOS device was booted from the primary storage area, and will be configured to use the secondary image area for future reboots.

1. Use show bootimage to view the current storage area being used for reboots:
ACOS# show bootimage

(* = Default)

Version

-----------------------------------------------

Hard Disk primary 4.1.0.141 (*)

Hard Disk secondary 2.6.1-GR1-P7.51

Compact Flash primary 2.6.1-GR1-P7.51 (*)

The asterisk (*) indicates that when the system is booted from the hard disk, version
4.1.0.141 will be loaded.

2. Use the write memory command to save the configuration, then use the write memory
secondary command to copy it to the secondary storage area:
ACOS(config)# write memory

Building configuration...

Write configuration to primary default startup-config

[OK]

ACOS(config)# write memory secondary


Building configuration...

Write configuration to secondary default startup-config

[OK]

3. Use bootimage to set the secondary storage area on the SSD or hard drive for future
reboots, and verify the setting:
ACOS(config)# bootimage hd sec

Secondary image will be used if system is booted from hard disk

ACOS(config)# show bootimage

(* = Default)

Version

-----------------------------------------------

Hard Disk primary 4.1.0.141

Hard Disk secondary 2.6.1-GR1-P7.51 (*)

Compact Flash primary 2.6.1-GR1-P7.51 (*)

The asterisk (*) now indicates that the device will be booted from the secondary image
on the hard disk.
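The procedure above is verified by eye: the (*) marker moves from the primary to the secondary row. When the switch is scripted across many devices it is worth parsing the show bootimage output and confirming that exactly one area per medium is marked default and that only the marker moved, not the image versions. The following Python is an added example written for this page, not A10 code; the sample outputs are copied from the procedure, and the function names (parse_bootimage, default_area, verify_switch) are this example's own.

```python
import re
from typing import Dict, Tuple

# Constructed samples: the two "show bootimage" outputs from the procedure above,
# captured before and after "bootimage hd sec".
BEFORE = """\
(* = Default)
                 Version
-----------------------------------------------
Hard Disk primary      4.1.0.141 (*)
Hard Disk secondary    2.6.1-GR1-P7.51
Compact Flash primary  2.6.1-GR1-P7.51 (*)
"""

AFTER = """\
(* = Default)
                 Version
-----------------------------------------------
Hard Disk primary      4.1.0.141
Hard Disk secondary    2.6.1-GR1-P7.51 (*)
Compact Flash primary  2.6.1-GR1-P7.51 (*)
"""

# One line per storage area: "<medium> <area> <version> [(*)]"
LINE_RE = re.compile(
    r"^(?P<medium>Hard Disk|Compact Flash)\s+(?P<area>primary|secondary)\s+"
    r"(?P<version>\S+)(?P<default>\s+\(\*\))?\s*$"
)

Table = Dict[Tuple[str, str], Tuple[str, bool]]


def parse_bootimage(output: str) -> Table:
    """Map (medium, area) -> (version, is_default) from 'show bootimage' text."""
    table: Table = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[(m["medium"], m["area"])] = (m["version"], m["default"] is not None)
    return table


def default_area(table: Table, medium: str) -> str:
    """Return the area marked (*) for a medium; fail if there is not exactly one."""
    marked = [area for (med, area), (_, is_def) in table.items()
              if med == medium and is_def]
    if len(marked) != 1:
        raise ValueError(f"{medium}: expected exactly one default area, found {marked}")
    return marked[0]


def verify_switch(before: str, after: str, medium: str, wanted: str) -> bool:
    """True when the default for `medium` now points at `wanted` and only the
    (*) marker changed between the two captures (same areas, same versions)."""
    b, a = parse_bootimage(before), parse_bootimage(after)
    if default_area(a, medium) != wanted:
        return False
    return set(b) == set(a) and all(b[k][0] == a[k][0] for k in b)
```

Run verify_switch(BEFORE, AFTER, "Hard Disk", "secondary") after step 3; a False result means the default did not move or an image version changed underneath you, which is the case to stop and inspect before the next reboot.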

Chapter 12: Power On Auto Provisioning

The following topics are covered:

Power On Auto Provisioning Overview 130

Power On Auto Provisioning Process 130

Configuring Power On Auto Provisioning Process 132


Power On Auto Provisioning Overview


The ACOS Power On Auto Provisioning (POAP) feature offers an efficient way to automate the
process of upgrading software images or config files across many ACOS devices on the
network.

Use of this feature requires a DHCP server and a TFTP server that has been pre-configured
with the proper ACOS software image and config file. The ACOS device must have access to
the management port on a DHCP server and access to the TFTP server.

Power On Auto Provisioning Process


The following FIGURE 12-1 shows how the POAP process works.

FIGURE 12-1: Power On Auto Provisioning Process

1. The ACOS device boots and sends a broadcast request to the DHCP server.
2. The DHCP server sends a response that includes an IP address for the ACOS device, and
an IP address where the TFTP server can be reached.
3. The ACOS device attempts to locate the TFTP server at the IP address it just received
from the DHCP server by sending a request to that address.

4. The TFTP server responds to the request from the ACOS device by sending the upgrade
file (ACOS_FTA_version.upg for FTA devices, or ACOS_non_FTA_version.upg for non-FTA
devices).

Once the ACOS device receives the upgrade file, it performs the following operations:
l Extracts the upgrade image and configuration file.
l Upgrades its software using the new image.
l Links to the configuration file.
l Then, the ACOS device reboots.

Feature Description

POAP features and the use cases are as follows:

1. POAP is enabled at power on by default

The customer orders 10 new devices and wants to install them in remote facilities. The
customer doesn't have staff at the facility and is relying on a “smart-hands” service.
With POAP configured, the smart-hands staff only need to rack the box, connect it, and
power it on.

2. Capability for referencing configuration and image files by name

A customer has a pair of FTA devices and a pair of FTA3 devices. Each device requires a
new “poap_startup” script and at least one upgrade image “swap”. On the other hand,
if devices can POAP and request specific startup scripts and upgrade images based on
a unique device ID (such as a serial number), then all files can be prepared (built or
linked) in advance, allowing all devices to POAP simultaneously.

3. Verbose console logging

Dropbox is changing their workflow to use significantly more automatic provisioning.


Part of the auto-provisioning is automated inspection of the onlining of new devices to
determine success or failure of provisioning. Dropbox is currently using a monitoring
process that inspects mirrored console output and determines success status. The console
output is used as a success or a failure flag.

4. DHCP client functionality from all interfaces at power on

The customer does not want to pay for a design with a separate management network.
The customer also wants to use POAP, which requires DHCP. The customer may not know in
advance which ports will be connected to the network. Therefore, POAP can act as a
DHCP client on all the interfaces.

5. Multiple file transfer protocol support

Devices in several remote Data Centers need to be POAP provisioned from a server located
at a central location (i.e. HQ), potentially traversing firewalls. TFTP would be non-trivial
to make work in this setting.


Configuring Power On Auto Provisioning Process


The following are the prerequisites before using POAP:

l Create an upgrade package named “ACOS_upg.tgz”.

The package may contain one or both of the following optional files:
o Image file: “sto.tar.gz”
o Config file: “poap_startup”
l Save this upgrade package on a TFTP server that can be accessed by the ACOS device.
This package should be stored in the working directory of the TFTP server, (for
example, “tftpboot”).

l To enter POAP mode, the current startup-config file on the ACOS device must be
empty; if the startup-config file is not completely empty then the POAP install will fail.
o At the end of the installation process, POAP links to the new startup-config file,
which is a text file named “poap_startup”.

NOTE: The POAP installation process does not erase an existing startup-config
file, but as a precaution, you can save an existing startup-config file
by creating a backup prior to enabling POAP.

NOTE: If the ACOS device encounters an existing file named “poap_startup”
on the ACOS device (perhaps a remnant left over from a prior attempt
to enable the feature), the POAP installation process will rename this
existing file “poap_startup.original”.
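The prerequisites above fix the package name (ACOS_upg.tgz), its two optional members (sto.tar.gz and poap_startup), and the rule that the device enters POAP only with a completely empty startup-config. Because the package is fetched over unauthenticated DHCP and TFTP, the staging side should at least build the package deterministically and record a digest of what it served, and refuse to stage anything with unexpected members. The following Python is an added example for this page, not A10 tooling; the sample image and config bytes are constructed placeholders, and the function names (build_tgz, build_poap_package, inspect_poap_package, package_is_valid, poap_can_start) are this example's own.

```python
import hashlib
import io
import tarfile
from typing import Dict, Optional

PACKAGE_NAME = "ACOS_upg.tgz"                      # file name POAP expects on the TFTP server
ALLOWED_MEMBERS = {"sto.tar.gz", "poap_startup"}    # the two optional members listed above


def build_tgz(members: Dict[str, bytes]) -> bytes:
    """Generic helper: pack name -> content into a gzip-compressed tar in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_poap_package(image: Optional[bytes] = None,
                       config: Optional[bytes] = None) -> bytes:
    """Build ACOS_upg.tgz from sto.tar.gz and/or poap_startup (at least one required)."""
    members: Dict[str, bytes] = {}
    if image is not None:
        members["sto.tar.gz"] = image
    if config is not None:
        members["poap_startup"] = config
    if not members:
        raise ValueError("package must contain sto.tar.gz, poap_startup, or both")
    return build_tgz(members)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_poap_package(blob: bytes) -> Dict[str, str]:
    """Return member name -> SHA-256 of its content.

    Anything other than the two documented regular files is rejected, so a
    package that has picked up stray content is never staged on the TFTP server.
    """
    digests: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name not in ALLOWED_MEMBERS or not member.isfile():
                raise ValueError(f"unexpected member in package: {member.name!r}")
            digests[member.name] = sha256_hex(tar.extractfile(member).read())
    if not digests:
        raise ValueError("package is empty")
    return digests


def package_is_valid(blob: bytes) -> bool:
    """Convenience wrapper: True only for a well-formed package with allowed members."""
    try:
        inspect_poap_package(blob)
        return True
    except (ValueError, tarfile.TarError):
        return False


def poap_can_start(startup_config: bytes) -> bool:
    """POAP mode is entered only when the startup-config is completely empty."""
    return len(startup_config) == 0


# Constructed sample inputs (placeholders, not real ACOS artifacts).
SAMPLE_CONFIG = b"hostname poap-demo\n"
SAMPLE_IMAGE = b"<placeholder bytes standing in for sto.tar.gz>"
```

Keep the digests returned by inspect_poap_package with the deployment record; comparing them against the console log of what each device installed is the simplest way to confirm every device received the intended package and nothing else.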

POAP mode is enabled by default on vThunder virtual appliances, but the feature is disabled
by default on all physical devices. To enable POAP mode on a physical device, use the poap
enable command at the Global configuration level of the CLI.

Use the poap disable command to disable the feature.

You can use the show poap command to show the status (enabled or disabled) of POAP mode:
ACOS# show poap
POAP Mode Enabled
ACOS#

System Logs and Error Messages

System logs and error messages appear in the following scenarios:

l The startup-config profile “poap_startup” exists and new “poap_startup” gets installed
with the POAP package.
l The link fails or the link is successful.
l The upgrade fails or the upgrade is successful.

Chapter 13: Fail-Safe Automatic Recovery
Fail-safe automatic recovery detects critical hardware and software error conditions. The
feature also automatically takes action to recover the system if any of these errors occurs,
so that the ACOS device can resume service to clients.

Fail-safe automatic recovery is disabled by default, for both hardware and software errors.
You can enable the feature for hardware errors, software errors, or both.

The following topics are covered:

Error Types Monitored by Automatic Recovery 135

Configuring Fail-Safe Automatic Recovery 137


Error Types Monitored by Automatic Recovery


Fail-safe automatic recovery monitors and recovers from the following types of system error
conditions:

l Hardware Errors
l Software Errors
l Recovery Timeout
l Total Memory Decrease

Hardware Errors

When fail-safe monitoring is enabled for hardware errors, the following types of errors are
detected:

l SSL processor stops working – Fail-safe is triggered if an SSL processor stops working.
l Compression processor stops working – Fail-safe is triggered if an HTTP compression
processor stops.
l FPGA stops working – Fail-safe is triggered if either of these internal queues stops
working.

If any of these types of errors occurs, the ACOS device captures diagnostic information, then
reboots.

NOTE: Fail-safe recovery also can be triggered by a “PCI not ready”
condition. This fail-safe recovery option is enabled by default and
cannot be disabled.

Software Errors

When fail-safe monitoring is enabled for software errors, the following types of errors are
detected:

l FPGA I/O buffer shortage – The number of free (available) packet buffers is below the
configured threshold. By default, at least 512 packet buffers must be free for new data.
(Monitoring for this type of FPGA error is applicable to all ACOS device models.)

On ACOS device models that use FPGA hardware, the FPGA is logically divided into 2
domains, which each have their own buffers. If an FPGA buffer shortage triggers fail-safe,
recovery occurs only after both domains have enough free buffers.
l Session memory shortage – The amount of system memory that must be free for new
sessions is below the configured threshold. By default, at least 30 percent of the ACOS
device’s session memory must be free for new sessions.

In VRRP-A deployments, fail-safe recovers from software errors by triggering failover to a
standby device. To trigger the failover, fail-safe enables the force-self-standby option.

NOTE: Fail-safe temporarily enables the force-self-standby option. The
vrrp-a force-self-standby command is not added to the running-config.

If VRRP-A is not enabled, fail-safe reloads the ACOS device.

Recovery Timeout

The recovery timeout is the number of minutes the ACOS device waits after detecting one of
the hardware or software errors above before recovering the system.

l Recovery timeout for hardware errors – By default, the ACOS device reboots as soon as
it has gathered diagnostic information. Typically, this occurs within 1 minute of
detection of the error (no timeout). You can change the recovery timeout for hardware
errors to 1-1440 minutes.
l Recovery timeout for software errors – Fail-safe waits for the system to recover
through normal operation, before triggering a recovery. The default recovery timeout
for software errors is 3 minutes. You can change it to 1-1440 minutes.

Total Memory Decrease

At device reload or reboot, the fail-safe feature provides a mechanism to check the total
memory decrease when the ACOS device boots up and loads the startup configuration. If the
total memory size has decreased, and if the size is less than the configured memory size, a
message will be logged (if you have configured the log option) or the ACOS device will shut
down after logging a message (if you have configured the kill option).

When the configured expected physical memory size is larger than the current memory size,
a reboot or log message recording the discrepancy will be triggered. The device will always
remain in a “loading” state after it reboots or reloads.

Configuring Fail-Safe Automatic Recovery


The following CLI commands configure some fail-safe settings and verify the changes.

Trigger the fail-safe recovery if the amount of free memory on your system remains below
30% long enough for the recovery timeout to occur:
ACOS(config)# fail-safe session-memory-recovery-threshold 30

Trigger the fail-safe recovery if the number of free (available) FPGA buffers drops below 2
long enough for the recovery timeout to occur:
ACOS(config)# fail-safe fpga-buff-recovery-threshold 2

Trigger the fail-safe recovery if a software error remains in effect for longer than 3 minutes:
ACOS(config)# fail-safe sw-error-recovery-timeout 3

Verify the configuration:


ACOS(config)# show fail-safe config
fail-safe session-memory-recovery-threshold 30
fail-safe fpga-buff-recovery-threshold 2
fail-safe sw-error-recovery-timeout 3

The show fail-safe command output differs between models that use FPGAs in hardware
and models that do not. The following command shows fail-safe settings and statistics on an
ACOS device model that uses FPGAs in hardware:
ACOS(config)# show fail-safe information
Total Session Memory (2M blocks): 1012
Free Session Memory (2M blocks): 1010
Session Memory Recovery Threshold (2M blocks): 809
Total Configured FPGA Buffers (# of buffers): 4194304
Free FPGA Buffers in Domain 1 (# of buffers): 507787
Free FPGA Buffers in Domain 2 (# of buffers): 508078
Total Free FPGA Buffers (# of buffers): 1015865
FPGA Buffer Recovery Threshold (# of buffers): 256
Total System Memory (Bytes): 2020413440


The TABLE 13-1 describes the fields in the command output.

TABLE 13-1 : show Fail-safe Information Fields (FPGA Models)

Total Session Memory – Total amount of the ACOS device’s memory that is allocated for
session processing.

Free Session Memory – Amount of the ACOS device’s session memory that is free for new
sessions.

Session Memory Recovery Threshold – Minimum percentage of session memory that must be
free before fail-safe occurs.

Total Configured FPGA Buffers – Total number of configured FPGA buffers the ACOS device
has. These buffers are allocated when the ACOS device is booted. This number does not
change during system operation. The FPGA device is logically divided into 2 domains,
which each have their own buffers. The next two counters are for these logical FPGA
domains.

Free FPGA Buffers in Domain 1 – Number of FPGA buffers in Domain 1 that are currently
free for new data.

Free FPGA Buffers in Domain 2 – Number of FPGA buffers in Domain 2 that are currently
free for new data.

Total Free FPGA Buffers – Total number of free FPGA buffers in both FPGA domains.

FPGA Buffer Recovery Threshold – Minimum number of packet buffers that must be free
before fail-safe occurs.

Total System Memory – Total size of the ACOS device’s system memory.

The following command shows fail-safe settings and statistics on an ACOS device model that
does not use FPGAs in hardware. (The FPGA buffer is an I/O buffer instead.)

ACOS(config)# show fail-safe information
Total Session Memory (2M blocks): 1018
Free Session Memory (2M blocks): 1017
Session Memory Recovery Threshold (2M blocks): 305
Total Configured FPGA Buffers (# of buffers): 2097152
Free FPGA Buffers (# of buffers): 2008322
FPGA Buffer Recovery Threshold (# of buffers): 1280
Total System Memory (Bytes): 4205674496

The TABLE 13-2 describes the fields in the command output.

TABLE 13-2 : show Fail-safe Information Fields (non-FPGA models)

Total Session Memory – Total amount of the ACOS device’s memory that is allocated for
session processing.

Free Session Memory – Amount of the ACOS device’s session memory that is free for new
sessions.

Session Memory Recovery Threshold – Minimum percentage of session memory that must be
free before fail-safe occurs.

Total Configured FPGA Buffers – Total number of configured FPGA buffers the ACOS device
has. These buffers are allocated when the ACOS device is booted. This number does not
change during system operation.

Free FPGA Buffers – Number of FPGA buffers that are free for new data.

FPGA Buffer Recovery Threshold – Minimum number of packet buffers that must be free
before fail-safe occurs.

Total System Memory – Total size of the ACOS device’s system memory.

Example of Fail-safe for Total Memory Decrease

In the following example, the fail-safe feature will be triggered when the total memory size is
less than 5 GB. When this happens, this event will be logged:
ACOS(config)# fail-safe total-memory-size-check 5 log

The following example helps you determine whether you have a problem with your system memory.


Use the show version command to see the current memory size of your system. The current
memory is shown in the Memory line of the output:
ACOS# show version
AX Series Advanced Traffic Manager AX1030
Copyright 2007-2015 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents:
8918857, 8914871, 8904512, 8897154, 8868765, 8849938, 8826372, 8813180
8782751, 8782221, 8595819, 8595791, 8595383, 8584199, 8464333, 8423676
8387128, 8332925, 8312507, 8291487, 8266235, 8151322, 8079077, 7979585
7804956, 7716378, 7665138, 7647635, 7627672, 7596695, 7577833, 7552126
7392241, 7236491, 7139267, 6748084, 6658114, 6535516, 6363075, 6324286
5931914, 5875185, RE44701, 8392563, 8103770, 7831712, 7606912, 7346695
7287084, 6970933, 6473802, 6374300

64-bit Advanced Core OS (ACOS) version 4.1.0, build 182 (Sep-21-2015,05:20)


Booted from Hard Disk primary image

Serial Number: AX10B33012260039


aFleX version: 2.0.0
aXAPI version: 3.0
Hard Disk primary image (default) version 4.1.0, build 182
Hard Disk secondary image version 2.7.2-P4-SP1, build 2
Compact Flash primary image (default) version 2.6.1-GR1, build 107
Last configuration saved at Oct-2-2015, 06:37
Hardware: 8 CPUs(Stepping 7), Single 39G Hard disk
Memory 18155 Mbyte, Free Memory 12551 Mbyte
Hardware Manufacturing Code: 122600
Current time is Oct-8-2015, 19:11
The system has been up 17 days, 0 hour, 12 minutes

The current system memory is shown as 12G. If you configure the fail-safe memory monitoring
threshold to 5G, as shown below, your system will continue to operate normally, since 5G is
less than the 12G of memory that your device has at its disposal:
ACOS(config)# fail-safe total-memory-size-check 5 kill

However, if you use the above command to configure a memory size of 14G (and save your
configuration with the write memory command), 14G exceeds your current device memory
size of 12G, and your device will experience a problem. When the device reloads, the
fail-safe mechanism will be triggered, traffic will be stopped, and the device will be shut
down. The abnormal state of the device will be evident in the following log message:
[SYSTEM]:Current memory size 12G, less than monitor number 14G. Please check
memory.


To correct this issue, use the fail-safe total-memory-size-check size kill command and
specify a memory size that is less than or equal to the current memory size. The next time
your device reloads, it will operate normally.
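The fail-safe behaviour described in this chapter combines three separate decisions: whether a software-error condition is currently present (free session memory or free FPGA/I/O buffers below the recovery threshold), whether it has persisted for the software-error recovery timeout without clearing on its own, and, at reload, whether the total memory has dropped below the configured size. The following Python is an added model of those rules written for this page, not A10's implementation; it parses the two show fail-safe information outputs shown above (copied as constructed samples), and the names parse_fail_safe, software_errors, SoftwareErrorMonitor and total_memory_check are this example's own. Treating a shortage in either FPGA domain as an error is an assumption noted in the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed samples: the two "show fail-safe information" outputs from this chapter.
SAMPLE_FPGA = """\
Total Session Memory (2M blocks): 1012
Free Session Memory (2M blocks): 1010
Session Memory Recovery Threshold (2M blocks): 809
Total Configured FPGA Buffers (# of buffers): 4194304
Free FPGA Buffers in Domain 1 (# of buffers): 507787
Free FPGA Buffers in Domain 2 (# of buffers): 508078
Total Free FPGA Buffers (# of buffers): 1015865
FPGA Buffer Recovery Threshold (# of buffers): 256
Total System Memory (Bytes): 2020413440
"""
SAMPLE_NON_FPGA = """\
Total Session Memory (2M blocks): 1018
Free Session Memory (2M blocks): 1017
Session Memory Recovery Threshold (2M blocks): 305
Total Configured FPGA Buffers (# of buffers): 2097152
Free FPGA Buffers (# of buffers): 2008322
FPGA Buffer Recovery Threshold (# of buffers): 1280
Total System Memory (Bytes): 4205674496
"""

# Each output line is "<name> (<unit>): <integer>".
FIELD_RE = re.compile(r"^(?P<name>[^(:]+?)\s*(?:\([^)]*\))?:\s*(?P<value>\d+)\s*$")


def parse_fail_safe(output: str) -> Dict[str, int]:
    """Map each field name of 'show fail-safe information' to its integer value."""
    fields: Dict[str, int] = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m["name"].strip()] = int(m["value"])
    return fields


def software_errors(f: Dict[str, int]) -> Dict[str, bool]:
    """Evaluate the two software-error conditions against the parsed counters.

    Handles both output formats: FPGA models report per-domain free buffers,
    non-FPGA models a single 'Free FPGA Buffers' (I/O buffer) counter.
    Assumption: a shortage in either domain counts as an error; the page only
    states that recovery needs both domains back above the threshold.
    """
    threshold = f["FPGA Buffer Recovery Threshold"]
    if "Free FPGA Buffers in Domain 1" in f:
        fpga_short = (f["Free FPGA Buffers in Domain 1"] < threshold
                      or f["Free FPGA Buffers in Domain 2"] < threshold)
    else:
        fpga_short = f["Free FPGA Buffers"] < threshold
    return {
        "session_memory_shortage":
            f["Free Session Memory"] < f["Session Memory Recovery Threshold"],
        "fpga_buffer_shortage": fpga_short,
    }


@dataclass
class SoftwareErrorMonitor:
    """Recovery-timeout logic for software errors, sampled once per minute."""
    sw_error_recovery_timeout: int = 3   # minutes; the page's default
    vrrp_a_enabled: bool = False
    error_since: Optional[int] = None    # minute at which the current error began

    def tick(self, minute: int, error_present: bool) -> Optional[str]:
        """Feed one sample; return the recovery action taken this minute, if any."""
        if not error_present:
            self.error_since = None      # system recovered through normal operation
            return None
        if self.error_since is None:
            self.error_since = minute
        if minute - self.error_since >= self.sw_error_recovery_timeout:
            self.error_since = None
            # VRRP-A: fail over by forcing self-standby; otherwise reload the device.
            return "force-self-standby" if self.vrrp_a_enabled else "reload"
        return None


def total_memory_check(configured_gb: int, current_gb: int, action: str) -> Tuple[str, str]:
    """Model of 'fail-safe total-memory-size-check <size> {log|kill}' at reload.

    Returns ("ok", "") when memory is sufficient, otherwise (action, message)
    with the message text the page shows for this condition.
    """
    if action not in ("log", "kill"):
        raise ValueError("action must be 'log' or 'kill'")
    if current_gb >= configured_gb:
        return "ok", ""
    msg = (f"[SYSTEM]:Current memory size {current_gb}G, less than monitor number "
           f"{configured_gb}G. Please check memory.")
    return action, msg
```

Feeding software_errors(parse_fail_safe(...)) into SoftwareErrorMonitor.tick once a minute reproduces the page's rule that a shortage which clears within the timeout causes no recovery, while one that persists for the full timeout triggers failover (VRRP-A) or a reload.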

Chapter 14: Installing the Systems Center Virtual Machine Manager Gateway Plugin
This chapter describes how to install the A10 SCVMM (Systems Center Virtual Machine
Manager) Gateway plugin.

This procedure adds a gateway to the resources in VMM.

The following topics are covered:

Prerequisites 143

Installing the Gateway Plugin 143

Configuring the A10 Networks Overlay Gateway Interface in the VMM 144


Prerequisites
Before you begin, ensure that your system meets the requirements described in this section.

l Windows Server 2012 R2

NOTE: For more information, see: http://technet.microsoft.com/en-us/library/hh801901.aspx

l .NET Framework 4.0 or higher

NOTE: For more information, see: http://www.microsoft.com/en-us/download/details.aspx?id=22

l SCVMM 2012 R2

To install SCVMM 2012 R2:

o Visit the VMM main page at: http://technet.microsoft.com/en-us/library/gg610610.aspx
o To download an evaluation version of SCVMM 2012 R2, see: http://technet.microsoft.com/en-US/evalcenter/hh505660.aspx?wt.mc_id=TEC_103_1_33
o For installation instructions, see: http://technet.microsoft.com/en-us/library/gg610656.aspx

l An ACOS device with version 2.7.2 installed.

Installing the Gateway Plugin

This section describes how to install the A10 Networks SCVMM Gateway Plugin.

1. Launch the SCVMM Gateway installer.

Click Next to navigate through the screens until the installation is complete.

2. Restart the System Center Virtual Machine Manager service.

From a Windows command prompt or PowerShell window, run the net stop scvmmservice
and net start scvmmservice commands.

After the restart is complete, the A10 Networks Gateway provider is visible in configuration
provider windows.

Configuring the A10 Networks Overlay Gateway Interface in the VMM
Follow the instructions in this section to add the gateway for A10 Networks:

NOTE: Additional instructions for this procedure can be found at
http://technet.microsoft.com/en-us/library/dn249416.aspx.

l Verifying Configuration Prerequisites
l Configuring the A10 Networks Gateway
l Verifying the Configuration

Verifying Configuration Prerequisites

Verify that your network configuration meets the requirements described in this section.

1. Verify the configuration requirements on your system, in accordance with the
documentation at this location:
http://technet.microsoft.com/en-us/library/e73bfafa-6b57-4a5b-9f15-1cf9befa082b#BKMK_gateways.
2. Configure the logical network that will be the foundation for the VM network that will
use the gateway, and ensure that network virtualization is enabled on the logical network.
3. Create an IP address pool on the logical network, and ensure that the pool includes the
address that you intend to use on the gateway provider IP.
4. Ensure that the gateway is configured with an IP address that is in the IP address pool
that you created. Make a note of the IP address so that you can specify it when you use
the following procedure to add the gateway to VMM.

Refer to the following for additional network resource information:

l Configuring Networking in VMM: http://technet.microsoft.com/en-us/library/gg610596.aspx
l Configuring Logical Network in VMM Overview: http://technet.microsoft.com/en-us/library/jj721568.aspx
l How to Create a Logical Network in VMM: http://technet.microsoft.com/en-us/library/gg610588.aspx

Configuring the A10 Networks Gateway

Follow the instructions in this section to add the gateway.

1. Open the Fabric workspace in VMM.

2. In SCVMM, right-click Network Service and select Add Network Service.

The Add Gateway Wizard opens.

On this screen:
a. On the Name page, enter a name and optional description for the gateway, then click Next.

b. On the Manufacturer and Model page, in the Manufacturer list, select A10 Net-
works, and in the Model list, select a model, then click Next.

c. On the Credentials page, select the account you want to use for the ACOS device:
l Select an existing account (click Browse, then click Select a Run As
Account and select an account)
l Create a new account (click Create Run As Account) and specify the user-
name and password for the account.

l Click Next when you are finished.

d. On the Connection String page, specify the connection string in the following
format.
IPAddress=ip-address;VTEPPartitionName=vtep-partition-name;InstanceName=instance-name;[UnderlayEthernet=gateway-ethernet-index;][UnderlayVirtualEthernet=gateway-virtual-ethernet-index;][LifSubnet=lif-subnet;][WriteMemory=False;]

TABLE 14-1 : Connection String Parameters

ip-address – IP address on the A10 device providing the Overlay Gateway functionality.

vtep-partition-name – Overlay tunnel VTEP partition name of the gateway; this partition
must be configured before you reach this point in the process.

instance-name – Unique identifier for this instance in the SCVMM.

gateway-ethernet-index – Optional parameter indicating the index of the gateway ethernet
interface. This interface must be properly configured before you reach this point in the
procedure.

gateway-virtual-ethernet-index – Optional parameter indicating the index of the gateway
virtual ethernet interface. This interface must be properly configured before you reach
this point in the procedure.

lif-subnet – The subnet in which the LIF will be configured. Any subnet is valid as long
as there is no conflict with the VM subnets. By default, the second IP of that subnet is
chosen as the IP of the lif interface, which serves as the gateway interface for the
overlay (VM) network.

WriteMemory – This parameter controls whether the gateway plugin saves the config to disk
on the ACOS device. Setting it to False disables saving the config to disk.

Below is an example:
IPAddress=192.168.105.198;InstanceName=GW0001;VTEPPartitionName=shared;UnderlayEthernet=1;LifSubnet=51.51.54.0/24;WriteMemory=False;
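The connection string carries the management address and credentials context that the plugin uses to log into the ACOS device, so a string that is malformed, missing a required key, or carrying a misspelt optional key should be rejected before it is stored in VMM rather than partially honoured. The following Python is an added example written for this page, not A10's plugin code; it parses the documented Key=value; format, enforces the three required parameters, types the optional ones, and treats only the literal value False for WriteMemory as disabling the save-to-disk default. The sample string is constructed in the shape of the example above, and the names parse_connection_string and connection_string_is_valid are this example's own.

```python
import ipaddress
from typing import Dict

REQUIRED = ("IPAddress", "VTEPPartitionName", "InstanceName")
OPTIONAL = ("UnderlayEthernet", "UnderlayVirtualEthernet", "LifSubnet", "WriteMemory")

# Constructed sample in the shape of the example above.
SAMPLE = ("IPAddress=192.168.105.198;InstanceName=GW0001;VTEPPartitionName=shared;"
          "UnderlayEthernet=1;LifSubnet=51.51.54.0/24;WriteMemory=False;")


def parse_connection_string(s: str) -> Dict[str, object]:
    """Parse 'Key=value;...' into a validated dict of typed values.

    Required keys must be present, and unknown keys are rejected rather than
    ignored so a misspelt key cannot silently leave a default in force.
    """
    raw: Dict[str, str] = {}
    for part in s.split(";"):
        part = part.strip()
        if not part:
            continue                              # tolerate the trailing ';' of the format
        if "=" not in part:
            raise ValueError(f"malformed parameter: {part!r}")
        key, value = part.split("=", 1)
        if key in raw:
            raise ValueError(f"duplicate parameter: {key}")
        if key not in REQUIRED and key not in OPTIONAL:
            raise ValueError(f"unknown parameter: {key}")
        raw[key] = value
    missing = [k for k in REQUIRED if k not in raw]
    if missing:
        raise ValueError(f"missing required parameter(s): {missing}")

    out: Dict[str, object] = {
        "IPAddress": ipaddress.ip_address(raw["IPAddress"]),   # rejects non-addresses
        "VTEPPartitionName": raw["VTEPPartitionName"],
        "InstanceName": raw["InstanceName"],
    }
    for key in ("UnderlayEthernet", "UnderlayVirtualEthernet"):
        if key in raw:
            out[key] = int(raw[key])                           # interface index
    if "LifSubnet" in raw:
        # strict=True: host bits set in the prefix are an error, not silently masked.
        out["LifSubnet"] = ipaddress.ip_network(raw["LifSubnet"], strict=True)
    # Saving to disk is the default; only the literal False turns it off.
    out["WriteMemory"] = raw.get("WriteMemory", "True").lower() != "false"
    return out


def connection_string_is_valid(s: str) -> bool:
    """True when the string parses under the rules above."""
    try:
        parse_connection_string(s)
        return True
    except ValueError:
        return False
```

Run connection_string_is_valid on a string before pasting it into the wizard; the Test button on the Provider page will also catch a bad address, but it does so only after the credentials have been handed to the plugin.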


e. On the Provider page, in the Configuration provider list, select an available provider,
click Test to run basic validation against the gateway using the selected provider, then
click Next.

f. On the Host Group page, select the host group for which you want this network service
to be available, then click Next.

g. On the Summary page, review and confirm the settings, then click Finish.

The gateway will be added in SCVMM.

h. After the gateway is added, find the listing for the gateway under Network Services,
right-click the listing, select Properties, then select Connectivity, and:

l Select Enable front end connection, and then select the gateway network adapter
and the network site that provide connectivity outside the hosting-provider or enterprise
data center. The network site must have a static IP address pool.
l Select Enable back end connection, and then select a gateway network adapter and
network site in a logical network within the hosting-provider or enterprise data center.
The logical network must have Hyper-V network virtualization enabled. Also, the network
site must have a static IP address pool.

Verifying the Configuration

To verify the configuration, click the Test button on the Provider page.

In the Result column, look for “Implemented” or “Passed” to verify that the specified portion
of the configuration is operating correctly.

Monitoring Tools
This part of the document describes the monitoring tools available for ACOS devices.

The ACOS device can send alerts to administrators through the following methods:

System Log Messages

Emailing Log Messages

Simple Network Management Protocol (SNMP)

In order to monitor the health of the network and its nodes, you can implement the following
monitoring tools:

Link Monitoring

ACE Monitoring and Analytics

Gateway Health Monitoring

Multiple Port-Monitoring Mirror Ports

NetFlow v9 and v10 (IPFIX)

sFlow

Event Logging System

NOTE: For information about monitoring network components in ADC
configurations, see the Application Delivery Controller Guide.

Chapter 15: System Log Messages
The ACOS device logs system events with system log (Syslog) messages.

The following topics are covered:

Destinations for Syslog Messages 154

Syslog Message Severity Levels 154

Configurable Syslog Parameters 154

Configuring Single-Priority Logging 162

Configuring Log Rate Limiting 162


Destinations for Syslog Messages


The ACOS device can send Syslog messages to the following places:

l Local buffer (default level: Debugging - 7)
l Console CLI session (default level: Error - 3)
l Console SSH and Telnet sessions
l External Syslog server
l Syslog server in another partition
l Email address(es)
l SNMP servers (for events that are logged by SNMP traps)

Logging to the local buffer and to CLI sessions is enabled by default. Logging to other places
requires additional configuration.

Syslog Message Severity Levels


The standard Syslog message severity levels are supported:

l Emergency – 0
l Alert – 1
l Critical – 2
l Error – 3
l Warning – 4
l Notification – 5
l Information – 6
l Debugging – 7
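The eight severity levels above are the RFC 3164 codes, and a syslog receiver recovers them, together with the facility, from the PRI field at the start of each line (facility * 8 + severity). The following Python is an added example written for this page, not A10 code: it encodes and decodes PRI, parses a BSD-syslog line into its parts, and models the disposition rules this chapter states, namely the default levels for the local buffer (Debugging) and console (Error), and the restriction in TABLE 15-1 below that SNMP may carry only Emergency to Critical and Email only Emergency to Critical plus Notification. The sample line is constructed, and the names encode_pri, decode_pri, parse_syslog_line, target_accepts and deliver_to are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Severity levels as listed above (RFC 3164 numeric codes).
SEVERITY = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notification": 5, "Information": 6, "Debugging": 7,
}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}

# RFC 3164 facility codes 0-23 (kern ... local7).
FACILITY_NAME = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
).split()

# Which severities each output option may carry (TABLE 15-1): SNMP only 0-2,
# Email only 0-2 and 5; every other target accepts any level.
TARGET_LIMITS = {"SNMP": {0, 1, 2}, "Email": {0, 1, 2, 5}}


def encode_pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI field: facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse of encode_pri; PRI values above 191 are not valid."""
    if not 0 <= pri <= 191:
        raise ValueError(f"invalid PRI {pri}")
    return divmod(pri, 8)


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog_line(line: str) -> Dict[str, object]:
    """Split a BSD-syslog line into facility/severity names, timestamp, host and text."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "facility": FACILITY_NAME[facility],
        "severity": severity,
        "severity_name": SEVERITY_NAME[severity],
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
    }


def target_accepts(target: str, severity: int) -> bool:
    """True if the output option may be enabled for this severity at all."""
    return severity in TARGET_LIMITS.get(target, set(range(8)))


def deliver_to(severity: int, disposition: Dict[str, int]) -> List[str]:
    """Targets that receive a message, given each target's configured maximum level.

    A message goes to a target when its severity number is <= the configured
    level (lower number = more severe) and the target may carry that level.
    """
    return sorted(t for t, level in disposition.items()
                  if severity <= level and target_accepts(t, severity))


# Constructed sample: a local0.Information line (PRI 16*8+6 = 134) and the
# page's default disposition (local buffer at Debugging, console at Error).
SAMPLE_LINE = "<134>Oct 11 22:14:15 acos-1 ACOS: [SYSTEM] sample informational event"
DEFAULT_DISPOSITION = {"Buffered": SEVERITY["Debugging"], "Console": SEVERITY["Error"]}
```

deliver_to makes the two gaps in a default configuration visible: an Information-level message reaches only the local buffer, and a Warning can never be delivered by SNMP trap or email regardless of the levels you configure, so anything you need to alert on must be logged at Critical or above (or Notification for email).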

Configurable Syslog Parameters

The following topics are covered:

System Log Settings 155

Operational Logging 161

System Log Settings

The following TABLE 15-1 lists the configurable Syslog parameters.

TABLE 15-1 : Configurable System Log Settings

Parameter Description Supported Values

Disposition Output options for each message level. The following message
For each message level, you can select levels can be individually
(message tar-
which of the following output options to selected for each output
get)
enable: option:

l Console – Messages are displayed in l Emergency (0)


Console sessions. l Alert (1)
l Buffered – Messages are stored in l Critical (2)
the system log buffer. l Error (3)
l Email – Messages are sent to the l Warning (4)
email addresses in the Email To list.
l Notification (5)
(See below.)
l Information (6)
l SNMP – SNMP traps are generated
l Debug (7)
and sent to the SNMP receivers.
l Syslog – Messages are sent to the Only Emergency, Alert, and
Critical can be selected for
external log servers specified in the
SNMP.
Log Server fields. (See below.)
Only Emergency, Alert, Crit-
l Monitor – Messages are displayed in
ical, and Notification can be
Telnet and SSH sessions.
selected for Email.

NOTE: For inform-


ation about
emailing log
messages, see
Emailing Log
Messages.


Parameter: Logging Email Filter / Logging Email Buffer Number / Logging Email Buffer Time
Description: Settings for sending log messages by email.
Supported Values: See Emailing Log Messages.

Parameter: Facility
Description: Standard Syslog facility to use.
Supported Values: Standard Syslog facilities listed in RFC 3164.

Parameter: Log Buffer Entries
Description: Maximum number of log entries the log buffer can store.
Supported Values: 10000 to 50000 entries. Default: 30000


Parameter: Log Server/Host
Description: IP addresses or fully-qualified domain names of external log servers. Only the message levels for which Syslog is selected in the Disposition list are sent to log servers.
NOTE: By default, the ACOS device can reach remote log servers only if they are reachable through the ACOS device’s data ports, not the management port. To enable the ACOS device to reach remote log servers through the management port, see Source Interface for Management Traffic.
Supported Values: Any valid IP address or fully-qualified domain name. Default: None configured


Parameter: Log Server Port
Description: Protocol port to which log messages sent to external log servers are addressed.
Supported Values: Any valid protocol port number. Default: 514

Parameter: Email To
Description: Email addresses to which to send log messages. Only the message levels for which Email is selected in the Disposition list are emailed.
Supported Values: Valid email address. Click the down arrow next to the input field to add another address (up to 10). Each email address can be a maximum of 31 characters long.


Parameter: SMTP Server
Description: IP address or fully-qualified domain name of an email server using Simple Message Transfer Protocol.
NOTE: By default, the ACOS device can reach SMTP servers only if they are reachable through the ACOS device’s data ports, not the management port. To enable the ACOS device to reach SMTP servers through the management port, see Source Interface for Management Traffic.
Supported Values: Any valid IP address or fully-qualified domain name. Default: None configured

Parameter: SMTP Server Port
Description: Protocol port to which email messages sent to the SMTP server are addressed.
Supported Values: Any valid protocol port number. Default: 25


Parameter: Mail From
Description: Specifies the email From address.
Supported Values: Valid email address. Default: Not set

Parameter: Need Authentication
Description: Specifies whether access to the SMTP server requires authentication.
Supported Values: Selected (enabled) or unselected (disabled). Default: disabled

Parameter: Username
Description: Username required for access to the SMTP server.
Supported Values: Valid username. Default: Not set

Parameter: Password
Description: Password required for access to the SMTP server.
Supported Values: Valid password. Default: Not set

Operational Logging

The following TABLE 15-2 lists the types of operational events that are logged.

TABLE 15-2 : LSN Operational Logs

Severity Level: Critical
Event: User-quota creation failure
Message String: LSN: User-quota creation failed (out of memory) for pool...

Severity Level: Critical
Event: Full-cone session creation failure
Message String: LSN: Full-cone session creation failed (out-of-memory) for pool...

Severity Level: Warning
Event: New inside user unable to get NAT IP
Message String: LSN: New user could not get a NAT IP on pool..

Severity Level: Warning
Event: Current inside user on NAT IP can not get new NAT port
Message String: LSN: NAT port usage exceeded on pool...

Severity Level: Notice
Event: User quota exceeded
Message String:
LSN: ICMP user-quota exceeded on pool...
LSN: UDP user-quota exceeded on pool...
LSN: TCP user-quota exceeded on pool...

Severity Level: Notice
Event: Extended user quota exceeded
Message String:
LSN: UDP extended user-quota exceeded on pool...
LSN: TCP extended user-quota exceeded on pool...

Configuring Single-Priority Logging


Single-priority logging allows you to identify one specific severity level to be logged from
among the standard syslog message severity levels (See Syslog Message Severity Levels).

This allows you to remove excess data so that you can see a desired subset of log messages at
your target severity level.

In prior releases, when you specify a severity level to be logged, the selected level becomes
the “basement level”, or the most trivial level that will appear along with the more important
messages. For example, if you specify level 3 (error), you would also get severities 2, 1, and 0,
but 3 would be the most trivial severity level to be included in the log messages.

Prior releases did not offer a way for you to single out a particular subset of log messages at
a singular severity level; for example, there was no way to display severity level 5 log mes-
sages without also seeing messages from severity levels 4–0.

Single-priority logging offers more granular control of syslog messages.

To configure single-priority logging, use the logging single-priority command.

The following example logs only error (level 3) messages:


ACOS(config)# logging single-priority error

Configuring Log Rate Limiting


The following topics are covered:

Details 163

Configuring Log Rate Limiting Using the GUI 163

Configuring Log Rate Limiting Using the CLI 163

Details

The ACOS device uses a log rate limiting mechanism to prevent overflow of external log servers
and the internal logging buffer.

The rate limit for external logging is 15,000 messages per second from the device.

The rate limit for internal logging is 32 messages per second from the device.

l If the number of new messages within a one-second interval exceeds 32, then during
the next one-second interval, the ACOS device sends log messages only to the external
log servers.
l If the number of new messages generated within the new one-second interval is 32 or
less, then during the following one-second interval, the ACOS device will again send
messages to the local logging buffer as well as the external log server. In any case, all
messages (up to 15,000 per second) get sent to the external log servers.
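The two limits and the one-second carry-over rule just described, replayed over a constructed traffic profile (an added example, not A10 code). It assumes that in the burst second itself the buffer still takes up to 32 messages, which the text does not state, and treats the 15,000/s external limit as a simple cap; the point it makes for a defender is which seconds the local buffer will be missing entirely.

```python
"""Model of the ACOS log rate-limiting rule: 32/s into the local buffer,
15,000/s to external log servers, and a second with more than 32 new messages
making the *next* second external-only.  Added example, not A10 code."""
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_LIMIT = 32       # messages per second into the local log buffer
EXTERNAL_LIMIT = 15_000   # messages per second to external log servers


@dataclass(frozen=True)
class WindowResult:
    second: int
    generated: int           # new messages produced in this one-second window
    to_buffer: int           # accepted into the local log buffer
    to_external: int         # forwarded to the external log servers
    buffer_suppressed: bool  # True when the previous window exceeded 32


def simulate(per_second_counts: List[int]) -> List[WindowResult]:
    """Apply the rule window by window.  Second N's buffer decision depends
    only on the count seen in second N-1, as the text describes."""
    results = []
    suppress_buffer = False                      # state carried from the previous window
    for second, n in enumerate(per_second_counts):
        to_external = min(n, EXTERNAL_LIMIT)     # all messages go external, capped at 15,000
        # Assumption: the burst second itself still fills the buffer up to 32.
        to_buffer = 0 if suppress_buffer else min(n, INTERNAL_LIMIT)
        results.append(WindowResult(second, n, to_buffer, to_external, suppress_buffer))
        suppress_buffer = n > INTERNAL_LIMIT     # decides the *next* window
    return results


def buffer_gaps(results: List[WindowResult]) -> List[int]:
    """Seconds in which messages were generated but none reached the local
    buffer: the windows where 'show log' is incomplete and the external log
    server holds the only full record."""
    return [r.second for r in results if r.buffer_suppressed and r.generated > 0]


def totals(results: List[WindowResult]) -> Tuple[int, int]:
    """(messages kept locally, messages sent externally) over the whole run."""
    return (sum(r.to_buffer for r in results), sum(r.to_external for r in results))


if __name__ == "__main__":
    # Constructed profile: quiet, one burst, recovery, two burst seconds, quiet.
    run = simulate([10, 50, 10, 10, 40, 40, 5])
    for r in run:
        print(r)
    print("buffer gaps at seconds:", buffer_gaps(run), "totals:", totals(run))
```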

Configuring Log Rate Limiting Using the GUI

To configure log rate limiting using the GUI:

1. Hover over System in the navigation bar, and select Settings.
2. Click Logging on the menu bar.
3. Change settings as needed. (For descriptions of the settings, see Configurable System
Log Settings.)
4. Click OK.

Configuring Log Rate Limiting Using the CLI

Use the logging command to configure log rate limiting using the CLI.


For example, to change the severity level of messages logged in the local buffer to “warning”
(level 4):
ACOS(config)# logging buffered warning

Replace buffered with a different destination, as desired (see Destinations for Syslog Mes-
sages).

NOTE: Only severity levels emergency, alert, critical, and notification can be sent by email.
Sending log messages by email requires additional configuration. See Emailing Log Messages.

To configure the ACOS device to send log messages to an external Syslog server, use the
logging host command to specify the server:
ACOS(config)# logging host 20.20.10.8

The following topics are covered:

Specifying Multiple Syslog Servers 164

Specifying Protocol Ports 164

Sending the Syslog Over TLS/SSL 165

Sending Log Messages to a Server in Another Partition 166

Sending Log Messages by Email 166

Specifying Multiple Syslog Servers


To specify multiple server names or IP addresses, use multiple commands. The following
example configures 20.20.10.8, 30.30.10.5, and “loghost1” as syslog servers:
ACOS(config)# logging host 20.20.10.8
ACOS(config)# logging host 30.30.10.5
ACOS(config)# logging host loghost1

Specifying Protocol Ports


You can also specify a protocol port. The default port is 514. If you specify multiple servers,
then all servers specified must use the same protocol port to listen for syslog messages; you
can only specify one protocol port per command.

The following example configures 20.20.10.8 and 30.30.10.5 as syslog servers listening on
port 515, and 40.40.5.9 as a syslog server listening on port 517:
ACOS(config)# logging host 20.20.10.8 port 515
ACOS(config)# logging host 30.30.10.5 port 515
ACOS(config)# logging host 40.40.5.9 port 517

Sending the Syslog Over TLS/SSL


For sending the syslog over TLS/SSL to the remote server, perform the following steps:

1. Configuring logging using syslog over TLS:

To configure remote logging over TLS, use the over-tls parameter in the logging host command. The following is an example CLI command:
ACOS(config)# logging host <host-ip> use-mgmt-port port <port-no> tcp over-tls

l The over-tls parameter is available only if the tcp parameter is used in the logging host command.
l When the port number is not configured, the default port 514 is used, similar to syslog over TLS.

2. Creating the template for logging using syslog over TLS:

The syslog-over-tls template command is used to configure the self-signed CA root certificate for the TLS handshake. This template is shared across all the configured syslog servers. The following are example CLI commands:
ACOS(config)# template syslog-over-tls
ACOS(config-syslog-over-tls template)# ca-cert <CAcert-name>

3. Creating the CA root self-signed certificate:

a. Generating the RSA private key for the CA root:
ACOS(config)# openssl genrsa -des3 -out <key-name.key> 2048

b. Generating the self-signed CA root certificate:
ACOS(config)# openssl req -x509 -new -nodes -key <key-name.key> -sha256 -days 1825 -out <CAroot-name.pem>

c. Generating the certificate signing request:
ACOS(config)# openssl req -out <csr-name.csr> -new -newkey rsa:2048 -nodes -keyout <server-keyname.key>

d. Signing and creating the certificate using the ‘.csr’ and the CA root:
ACOS(config)# openssl x509 -req -days 360 -in <csr-name.csr> -CA <CAroot-name.pem> -CAkey <CAkey key> -CAcreateserial -out <cert-name.crt>

NOTE: A different common name should be used for the CA root and the certificate signing request.

4. Deleting the configuration of logging using syslog over TLS:
ACOS(config)# no logging host <host-ip> use-mgmt-port port <port-no> tcp over-tls

5. Deleting the syslog over TLS template:

The template can be deleted in one of the following ways:
ACOS(config)# no template syslog-over-tls
ACOS(config-syslog-over-tls template)# no ca-cert <CA certificate name>

NOTE: For receiving messages over a TLS/SSL socket, OpenSSL provides the s_server listening command:
ACOS(config)# openssl s_server -accept <port> -cert <server-certificate> -key <server-key>

Sending Log Messages to a Server in Another Partition


The following example configures a log server in the shared partition:
ACOS(config)# logging host 44.3.2.1

The following commands configure a logging server 45.3.2.1 in partition LOG1, and also
send logging information to the shared partition:
ACOS[LOG1](config)# logging host 45.3.2.1
ACOS[LOG1](config)# logging host partition shared

In partition LOG2, a third syslog server 46.3.2.1 is configured, and log messages are sent to
the syslog server configured in partition LOG1:
ACOS[LOG2](config)# logging host 46.3.2.1
ACOS[LOG2](config)# logging host partition LOG1

Sending Log Messages by Email


To configure the ACOS device to send log messages by email, use the following commands to
specify the email server and the email addresses:

ACOS(config)# smtp 10.10.10.5
ACOS(config)# logging [email protected]

The smtp command specifies the mail server. By default, it uses port 25 to send email. You
can customize this with the optional port parameter.

To send event messages to an external SNMP server, see Simple Network Management Pro-
tocol (SNMP).

Chapter 16: Event Logging System

The following topics are covered:

Event Logging System 169

acos events 169


Event Logging System


The Event Logging Mechanism is a flexible and extensible mechanism for logging events that
occur in the ACOS system. Currently, the event logging system supports the following log
formats:

l Syslog
l Common Event Format (CEF)

Syslog

The Syslog format specifies a message format as well as a message transport mechanism. The
message format consists of a small header followed by the body of the log message. The log
message is unstructured (that is, unformatted) text.

Common Event Format (CEF)

The CEF format is a class of structured log message specifications that use syslog as a trans-
port. In syslog, the message is just plain text. However, CEF and LEEF specify the encoding of
the commonly-used fields in a key-value format as well as provide an extension mechanism
for specifying additional fields.
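A parser for the CEF layout the paragraph describes (pipe-delimited header, then key=value extension), added here as an example and not A10 code. The sample syslog line is constructed for the example; the header and extension escape rules come from the CEF specification, and only the message-id slb.server.port.icmp_exceed is taken from this guide.

```python
"""Parser for CEF payloads carried inside syslog lines.  Added example, not
A10 code.  A CEF message is
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|ext
where the header escapes '|' and '\\' with a backslash and the extension is a
run of key=value pairs whose values may contain spaces and escape '=' '\\'
newline and carriage return as \\= \\\\ \\n \\r."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEADER_FIELD_COUNT = 7


@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: Dict[str, str] = field(default_factory=dict)


def split_header(text: str) -> Tuple[List[str], str]:
    """Split the seven header fields on unescaped '|'; return them and the
    remaining extension text."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < HEADER_FIELD_COUNT:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])        # escaped pipe or backslash inside a field
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))    # an unescaped pipe closes the field
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) == HEADER_FIELD_COUNT - 1 and buf:
        fields.append("".join(buf))        # severity with no trailing '|' and no extension
        return fields, ""
    if len(fields) < HEADER_FIELD_COUNT:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, text[i:]


# A key is a run of identifier characters immediately followed by '=', at the
# start of the extension or after whitespace.  '\' is not a key character, so an
# escaped '\=' inside a value can never be mistaken for the start of a new key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
_ESC_RE = re.compile(r"\\(.)")
_ESCAPES = {"n": "\n", "r": "\r"}          # any other escaped char stands for itself


def unescape_value(value: str) -> str:
    return _ESC_RE.sub(lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_value(ext[m.end():end].strip())  # values may hold spaces
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line; anything before 'CEF:' (PRI, timestamp, host) is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = split_header(line[start + len("CEF:"):])
    return CefEvent(*fields, extension=parse_extension(ext))


# Constructed sample: an ACOS-style syslog line whose payload uses this guide's
# example message-id as the signature and exercises both escape rules.
SAMPLE_LINE = (r"<134>Sep 20 10:15:01 acos1 CEF:0|A10|ACOS|5.2.1-P3|slb.server.port.icmp_exceed|"
               r"ICMP \| rate exceeded|6|src=10.1.1.5 dst=10.2.2.9 msg=limit\=100 hit act=drop")

if __name__ == "__main__":
    print(parse_cef(SAMPLE_LINE))
```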

Event Logs

For more information on event logs, see Event Logging Guide.

acos events
Description Configure acos-events settings such as acos-events message-selector,
acos-events log-server, acos-events collector-group, and acos-events active-template.

Syntax [no] acos-events


NOTE: Some modules in ACOS might have overridden the infrastructure to send logs using their own logging infrastructure:

l CGNv6: CGNv6-related logs are generated by the CGN logging infrastructure and not the Event logging infrastructure. See the CGN logging guide for more details.
l AAM: If the log format is set to CEF for authentication/AAM logs, “acos-events” must be configured.
l Explicit Proxy: The table below shows the different configuration scenarios for an explicit proxy (EP) along with the corresponding outcomes. The log results are based on all the configurations described in the Configuration Use Case column being in effect at the same time.

Type: EP Log
Configuration Use Case:
l Have an active acos-events template.
l Use an ACOS-EVENT-LOG in your policy.
Log Results: EP logs are sent to the external server with acos-events in the specified format.

Type: EP Log
Configuration Use Case:
l Have an active acos-events template.
l Use an ACOS-EVENT-LOG in your policy.
l Use a logging host.

NOTE: It is recommended that you use the first configuration scenario in the table above.

Refer to the following table for details about the different parameters:


Parameter: active-template
Description: Allows you to select a configured template to be the global logging template. The logs are generated for the modules enabled in the selected template.
NOTE: Only one active-template can be configured. If the active template is not configured, the logging host configuration is used.
NOTE: For more information about system logging, see the Application Delivery Controller Guide.

Parameter: collector-group
Description: The name of the log server/collector group to which the generated log messages are sent using the specified protocol (TCP or UDP). You can add multiple log servers to the log collector group.
NOTE: The following are important notes:
l You can configure a maximum of 16 collector groups for each L3v partition.
l You can add a maximum of 16 log servers to a collector group.
l If there are multiple log servers configured under a single collector group, the generated logs are sent in a round-robin method to the log servers.

In the collector-group you can configure the following:
l log-server: Add the log server(s) to the collector group.
l rate-limit: Specify the number of log messages that can be sent to the configured log server per second. The range is 0-2147483647 and the default is 500 logs per second.
NOTE: The rate-limiting under the collector group is supported only for the logs that are sent to external log servers when the acos-events active template is configured. To configure the rate limit for local logs shown in the show logging command, use acos-events rate-limit-local <0-100> (default 32).
l format: Select the log message format for the logs that are sent to the configured log server.
l use-mgmt-port: ACOS uses the management port to connect and transmit the log messages to the log server. In this case, the logs are sent out through the control CPU. The number of logs that can be sent out is significantly less than without this option, where the logs are sent through the data CPU.
l health-check: Configure the health check monitor for the configured log servers.

Parameter: log-server
Description: The name of the log server to which the generated logs are transmitted.
l enable: Enables the log server.
l disable: Disables the log server.
l port: Configure the logging server port to which the logs need to be sent.
l health-check: Configure the health check monitor.
l health-check-disable: Disables the configured health check monitor.


Parameter: logdb
Description: Log for the internal database. The “logdb” configuration is used to query and display the log data in the Graphical User Interface (GUI). Allows you to enable logdb logging for different modules:
l enable-all: Enables logging for all modules in the system.
l enable-cgn: Enables logging for the CGN module.
l enable-file-inspection: Enables logging when a file is inspected.
l enable-fw: Enables logging for the Firewall module.
l enable-smtp: Enables logging for the SMTP module.
l enable-ssli-bypass: Enables logging for the SSLi Bypass module.
l enable-ssli-failed: Enables logging when SSLi connections fail.
l enable-ssli-success: Enables logging when SSLi connections succeed.
NOTE: In an environment where local logs are produced at a high rate, configuring logdb may cause high CPU utilization for the GUI and consume more time to process the results.


Parameter: message-id
Description: Changes the properties of a message ID. It takes either an object lineage, to change the properties for all the logs under the object tree, or the complete lineage of a single event.

l message-id-scope: Specify the scope of the entered lineage. The following are the configuration options:
o all: Log messages at this level and all the sub-trees. Example: If message-id slb all is configured, then the message ID is configured for all the logs under the SLB object, its child objects, and all the other objects further down the tree.
o node-only: Log messages at this level only. Example: If message-id slb node-only is configured, then the message ID is configured for the logs that are defined under the SLB object.
o children-only: Log messages at this level are not included, but all the log messages starting from the next level are included. Example: If message-id slb children-only is configured, then logs in the next levels, such as slb.server, slb.service-group, and slb.server.port, are included, but logs under the slb object itself are not.
o log-field-only: The entered field is a log field rather than an object. Example: slb.server.port.icmp_exceed. This is the default option.
l Properties that can be modified:
o Property severity: Configure the severity of the log message only if a different severity is required than what is defined for that log message. This is a system-level setting and not a partition-level setting.
o Property log-route: Configure whether the logs should be sent to local-only (show logging), remote-only (external log servers), or local-and-remote. It overrides the default setting for each log.
o Use case: Ideally, all the packet-driven logs are remote-only by default, so if these logs are also required locally, configure local-and-remote. The default route of each log is shown in the log documentation.

Parameter: message-selector
Description: The message-selector object. The message-selector is a set of message selection rules. These rules determine whether the logs corresponding to a specific message-id are generated and sent, or not generated. The log messages are filtered based on the configured rules. By default, all the logs are disabled. The log messages are generated, and the rules are enforced, only for the enabled logs.

l rule: Configure the rule for the message-selector object. Specify a number for the rule. You can configure multiple rules for a message-selector object. Each rule is a tuple consisting of a node in the name hierarchy and/or a severity. The rules are applied in order from 1 to 256, and only the first rule that applies to a message ID is applied to that message ID; the remaining rules are skipped. Range: 1-256.
l message-id: The message ID to be associated with the configured message-selector object. It can be an object or a specific log field.
l severity: Configure the severity. The configured severity is checked against the severity of the logs.
l send: Logs selected by this message-selector are transmitted to the log server.
l drop: Logs selected by this message-selector are dropped.


Parameter: rate-limit-local
Description: Configure the rate limit for the local logs displayed in show logging. The configurable value range is 0-100 and the default is 32. Ideally, only the system/configuration/error-related information is sent to local logging and not packet-driven log information.

Parameter: rate-limit-remote
Description: Configure the rate limit for the logs that are sent to external servers if system logging is configured and the acos-events active template is not configured. This is not applied when acos-events active-template is configured. The configurable value range is 0-250 and the default is 32.

Parameter: statistics
Description: The acos-events global statistics that enable base-lining to get the min, max, avg, and rates for the statistics.

Parameter: template
Description: The specified template associates the message-selector with the collector-group.
NOTE: The following are important notes:
l You can set a maximum of 16 templates for each L3v partition.
l A given collector-group can be bound only once for each template.

If the log is enabled by the respective message-selector, logs are sent to each bound collector group. This process provides replication. If multiple collector groups are configured for a log, that log is replicated among those collector groups in the same format or different formats. See Log Replication.

Parameter: use-partition
Description: Used if the logs need to be sent from a given partition to log servers that are reachable through other partitions. The given partition then uses the other partition’s acos-events configuration to generate and send the logs.
NOTE: When use-partition is configured, none of the other acos-events related configuration is allowed, and vice versa.


Configuration Example

Below is an example of a configured acos-events setup.

ACOS(config)#sh running-config acos-events
acos-events message-selector S1
rule 1
message-id cmroot all
!
acos-events message-selector S2
rule 1
message-id slb.template.policy.forward-policy all
!
acos-events message-selector S3
rule 1
message-id slb.template.policy.forward-policy all
deny
rule 2
message-id cmroot all
!
acos-events log-server server1 172.16.1.190
health-check-disable
port 514 udp
!
acos-events log-server server2 172.16.1.191
health-check-disable
port 514 udp
!
acos-events collector-group cg1 udp
log-server server1 514
!
acos-events collector-group cg2 udp
format cef
log-server server1 514
!
acos-events template T1
message-selector S1
collector-group cg1
collector-group cg2
!
acos-events template T2
message-selector S2
collector-group cg1
message-selector S3
collector-group cg2
!
acos-events active-template T2

In the configuration example, there are three message-selectors:

message-selector S1: All logs are enabled.

message-selector S2: All logs under the slb.template.policy.forward-policy object are enabled. The remaining logs are disabled.

message-selector S3: All logs are enabled except the logs under the slb.template.policy.forward-policy object. The following rules apply:
l Rule 1: This rule is applied first and disables the logs under the slb.template.policy.forward-policy object.
l Rule 2: This rule is applied after rule 1 and enables all logs except those under the slb.template.policy.forward-policy object. Only the first rule that matches a message ID is applied.

Template T1: All logs are enabled for S1. They are sent in syslog format to the log-server in cg1 and in CEF format to cg2.

Template T2: All forward-policy logs for S2 are sent in syslog format to cg1, and all other logs, which are for S3, are sent in CEF format to cg2.
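The selector semantics from the message-id and message-selector parameter descriptions (the four message-id scopes, rules applied in order with the first applicable one deciding, logs disabled unless enabled) and the template fan-out of this configuration example, as a small model that rebuilds S1, S2, S3, cg1, cg2, T1 and T2. This is an added example, not A10 code. It assumes that cmroot is the root of the object tree, that a rule without deny sends, that a log field is the last component of a lineage, and that the server names are constructed; severity rules are not modelled.

```python
"""Model of acos-events message-selector rules and template fan-out.
Added example, not A10 code.  Assumptions: 'cmroot' is the root of the
object tree; a rule without 'deny' sends; a log field is the last lineage
component; severity rules are not modelled; server names are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ROOT = "cmroot"


def _canon(path: str) -> str:
    """Anchor a lineage under the root so 'cmroot' and 'slb...' compare alike."""
    return path if path == ROOT or path.startswith(ROOT + ".") else f"{ROOT}.{path}"


def scope_matches(message_id: str, node: str, scope: str) -> bool:
    """Does a rule entered as (node, message-id-scope) apply to this log?"""
    full, node = _canon(message_id), _canon(node)
    if full == node:
        depth = 0                                    # the entered path is the log itself
    elif full.startswith(node + "."):
        depth = full[len(node) + 1:].count(".") + 1  # levels below the node
    else:
        return False
    if scope == "all":
        return True                                  # this level and every sub-tree
    if scope == "node-only":
        return depth == 1                            # fields defined directly under the object
    if scope == "children-only":
        return depth >= 2                            # next levels down, not the object's own logs
    if scope == "log-field-only":
        return depth == 0                            # the entered field is itself a log field
    raise ValueError(f"unknown message-id-scope {scope!r}")


@dataclass(frozen=True)
class Rule:
    number: int                       # 1-256, evaluated in ascending order
    message_id: str
    scope: str = "log-field-only"     # the page's default scope
    deny: bool = False                # the configuration example uses 'deny' to drop


@dataclass
class MessageSelector:
    name: str
    rules: List[Rule]

    def enables(self, message_id: str) -> bool:
        for rule in sorted(self.rules, key=lambda r: r.number):
            if scope_matches(message_id, rule.message_id, rule.scope):
                return not rule.deny  # first applicable rule decides; the rest are skipped
        return False                  # by default all logs are disabled


@dataclass
class CollectorGroup:
    name: str
    fmt: str = "syslog"               # the group's 'format': syslog or cef
    log_servers: List[str] = field(default_factory=list)
    next_index: int = 0

    def pick_server(self) -> Optional[str]:
        """One server per log, chosen round-robin across the group's servers."""
        if not self.log_servers:
            return None               # the 'no active member in collector grp' case
        server = self.log_servers[self.next_index % len(self.log_servers)]
        self.next_index += 1
        return server


@dataclass
class Template:
    name: str
    bindings: List[Tuple[MessageSelector, CollectorGroup]]

    def route(self, message_id: str) -> List[Tuple[str, str]]:
        """(server, format) deliveries for one log: one per bound group whose selector enables it."""
        deliveries = []
        for selector, group in self.bindings:
            if selector.enables(message_id):
                server = group.pick_server()
                if server is not None:
                    deliveries.append((server, group.fmt))
        return deliveries


# The page's configuration example rebuilt with these classes.
FWD = "slb.template.policy.forward-policy"
S1 = MessageSelector("S1", [Rule(1, ROOT, "all")])
S2 = MessageSelector("S2", [Rule(1, FWD, "all")])
S3 = MessageSelector("S3", [Rule(1, FWD, "all", deny=True), Rule(2, ROOT, "all")])
cg1 = CollectorGroup("cg1", "syslog", ["server1"])
cg2 = CollectorGroup("cg2", "cef", ["server1"])
T1 = Template("T1", [(S1, cg1), (S1, cg2)])
T2 = Template("T2", [(S2, cg1), (S3, cg2)])
```

With T2 active, a forward-policy log goes to cg1 in syslog and everything else to cg2 in CEF, which is the behaviour the table above describes.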


Log Replication

If the selector groups within a collector group enable the same log, log replication is auto-
matically supported when collector groups are bound under a template. For example, if you
want the same log to be sent to eight different log-servers (the maximum supported) in sys-
log format, the configuration should look like the following:

acos-events collector-group cg1 udp
log-server server1 514
acos-events collector-group cg2 udp
log-server server2 514
acos-events collector-group cg3 udp
log-server server3 514
acos-events collector-group cg4 udp
log-server server4 514
acos-events collector-group cg5 udp
log-server server5 514
acos-events collector-group cg6 udp
log-server server6 514
acos-events collector-group cg7 udp
log-server server7 514
acos-events collector-group cg8 udp
log-server server8 514

acos-events template T1
message-selector S1
collector-group cg1
collector-group cg2
collector-group cg3
collector-group cg4
collector-group cg5
collector-group cg6
collector-group cg7
collector-group cg8

These collector groups can be of the same format or different formats. The log is sent to
one log-server in each collector group, selected in round-robin order. However, if there is
only one log-server in a collector group, the log is sent to that log-server every time.


Event Logging with the Active Template

When the “acos-events active-template” is configured through the Command Line Interface
(CLI) and the log is generated using the acos-events API:

1. ACOS uses the configuration from the active-template instead of the “logging host” con-
figuration.

2. The logs are transmitted to the local log and to the configured syslog server(s) in the format
(Syslog or CEF) specified under “format” of the associated “collector-group(s)”.
a. Logs transmitted to the configured syslog server(s):

l Data Plane Logging: If the logs are generated from the data CPU of the load balancer
process, they are transmitted through the data CPU only. If TCP is configured, then
activating the acos-events template creates sessions equal to the number of data
CPUs, which are used to send logs. All the packet-driven logs are in this category.
l Control Plane Logging: If the logs are generated from the control CPU of the load bal-
ancer process or from other process(es), they are transmitted through the control CPU.
All the system or configuration related logs come under this category.

Event Logging without the Active Template

When the “acos-events active-template” is not configured and the log is generated using the
acos-events API:

1. ACOS uses the “logging host” configuration, rather than the acos-events active template
configuration. In this case, all the logs are sent through the control CPU.

2. The logs are transmitted to the local log and to the configured syslog server(s) in one of
the predefined log formats, in the following order: Syslog or CEF.
a. Logs transmitted to the configured syslog server(s):
l Control Plane Logging: The logs are transmitted through the control CPU.


CLI Configuration

Counters
Description View the statistics of the acos-events module

Syntax show counters acos-events


Parameter Description

show coun- Show the ACOS events statistics.


ters acos-
Following is a list of counters that are shown along
events
with reason for each:
statistics
l Messages sent, to Remote - Incremented
when a log is sent to a remote log server
l Messages sent, to LogDB - Incremented
when a log is sent to the local database,
which is used for the GUI.
l Messages Dropped, format not defined -
Incremented when the format for a given log
message that is enabled by the selector and
collector group is not defined in schema.
l Messages Dropped, malloc failure - Incre-
mented when we could not get a buffer to
send to the log-server.
l Messages Dropped, no active template -
Should be incremented when there is an issue
with the active template to send a log.
l Messages Dropped, selector does not
enable msg - Incremented when a log mes-
sage is not enabled in the selector.
l Message Dropped, invalid length - Incre-
mented when the length of the message is
longer than the length supported by the trans-
port (usually UDP).
l Messages Dropped, msg crafting failed -
Incremented when there is a problem trying
to craft the log message. For example, there

182
ACOS 5.2.1-P3 System Configuration and Administration Guide
Chapter 16: Event Logging System Feedback

Parameter Description

is an issue with the schema definition or


length issue.
l Messages Dropped, local log ratelimited -
Incremented when we hit rate limit for local
logs like show logs and show varlog, to not
overwhelm the Contorl CPU.
l Messages Dropped, remote ratelimited -
Incremented when we hit the rate limit set in
the given collector-group when active-tem-
plate is configured.
l Messages Dropped, send failed - Incre-
mented when there is a failure while sending
the log to a remote server.
l Messages Dropped, no active member in
collector grp - Incremented when there are
no log-servers in a collector-group or none of
the configured log-servers are reachable
when a log is sent to a template that is using
the collector-group.
l Messages Dropped, Route lookup failed -
Incremented when a route to the destination
log-server is not found.
l Messages Dropped, unexpected error -
Incremented when an unexpected error hap-
pens, sometimes due to configuration trans-
ition (usually while it is being changed), other
times some internal issue.

Parameter Description

show counters acos-events collector-group
Shows the counters at the collector-group level. The following counters are shown, along with the reason each is incremented:
l Number of log messages sent - Incremented when a message is sent to all the log servers in a collector-group.
l Number of rate limited log messages - Incremented when the rate-limit of a collector group is hit.
l Number of messages dropped for other reasons - Incremented when a message is dropped for a collector group for reasons other than rate limit, for example a failure to send, a configuration transition, or an unexpected error.

show counters acos-events log-server
Shows the counter at the log-server level:
l Number of log messages sent - Incremented when a message is sent to a log server.

Chapter 17: Emailing Log Messages

The following topics are covered:

Overview of Email Logging
Boolean Operators
Configuring Email Log Settings

Overview of Email Logging


You can configure the ACOS device to email log messages, using email log filters. By default,
emailing of log messages is disabled.

Log email filters consist of the following parameters:

l Filter ID – Filter number, 1-8.


l Conditions – One or more of the following:
o Severity – Severity levels of messages to send in email. If you do not specify a mes-
sage level, messages of any severity level match the filter and can be emailed.
o Software Module – Software modules for which to email messages. Messages are
emailed only if they come from one of the specified software modules. If you do not
specify a software module, messages from all modules match the filter and can be
emailed.

o Regular Expression (Patterns and Operators) – Message text to match on. Standard
regular expression syntax is supported. Only messages that meet the criteria of the
regular expression can be emailed. The regular expression can be a simple text
string or a more complex expression using standard regular expression logic. If you
do not specify a regular expression, messages with any text match the filter and
can be emailed.

The operators (AND, OR, NOT) specify how the conditions must be compared. (See
Boolean Operators.)

l Trigger option – Sends matching messages immediately instead of buffering them.

Boolean Operators
A logging email filter consists of a set of conditions joined by Boolean expressions (AND / OR
/ NOT).

The CLI Boolean expression syntax is based on Reverse Polish Notation (also called Postfix
Notation), a notation method that places an operator (AND, OR, NOT) after all of its operands
(in this case, the conditions list).


After listing all the conditions, specify the Boolean operator(s). The following operators are
supported:

l AND – All conditions must match in order for a log message to be emailed.
l OR – Any one or more of the conditions must match in order for a log message to be
emailed.

l NOT – A log message is emailed only if it does not match the condition.

NOTE: For more information about Reverse Polish Notation, see
http://en.wikipedia.org/wiki/Reverse_Polish_notation.
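To make the postfix rule concrete, here is an added example (written for this edit; it is not part of the A10 guide and not ACOS code) of a small evaluator that parses a filter string of the form the CLI examples later in this chapter use, such as level information pattern abc and, and evaluates it against a log message. The token grammar (a condition is one of the keywords level, module or pattern followed by a single argument; and, or and not are the operators; a pattern containing whitespace is not handled), exact matching of the severity name, and the LogMessage record shape are assumptions of this example.

```python
import re
from dataclasses import dataclass


@dataclass
class LogMessage:
    """The three fields an email filter can test (record shape assumed for this example)."""
    level: str    # severity name, e.g. "information"
    module: str   # originating software module, e.g. "slb"
    text: str     # message text


CONDITIONS = ("level", "module", "pattern")
OPERATORS = ("and", "or", "not")


def parse_filter(expr: str):
    """Tokenize 'level information pattern abc and' into postfix tokens:
    ('level', 'information'), ('pattern', 'abc'), ('op', 'and')."""
    words = expr.split()
    tokens, i = [], 0
    while i < len(words):
        word = words[i].lower()
        if word in OPERATORS:
            tokens.append(("op", word))
            i += 1
        elif word in CONDITIONS:
            if i + 1 >= len(words):
                raise ValueError(f"condition '{word}' is missing its argument")
            tokens.append((word, words[i + 1]))
            i += 2
        else:
            raise ValueError(f"unexpected token '{words[i]}'")
    return tokens


def _condition_holds(kind: str, arg: str, msg: LogMessage) -> bool:
    if kind == "level":
        return msg.level.lower() == arg.lower()
    if kind == "module":
        return msg.module.lower() == arg.lower()
    return re.search(arg, msg.text) is not None   # 'pattern' is a regular expression


def evaluate(tokens, msg: LogMessage) -> bool:
    """Postfix evaluation: each condition pushes a boolean; 'not' pops one operand,
    'and'/'or' pop two and push the result; exactly one value must remain."""
    stack = []
    for kind, arg in tokens:
        if kind != "op":
            stack.append(_condition_holds(kind, arg, msg))
        elif arg == "not":
            if not stack:
                raise ValueError("'not' has no operand")
            stack.append(not stack.pop())
        else:
            if len(stack) < 2:
                raise ValueError(f"'{arg}' needs two operands")
            right, left = stack.pop(), stack.pop()
            stack.append(left and right if arg == "and" else left or right)
    if len(stack) != 1:
        raise ValueError(f"malformed filter: {len(stack)} values left on the stack")
    return stack[0]


def matches(expr: str, msg: LogMessage) -> bool:
    """True if the filter string selects this message."""
    return evaluate(parse_filter(expr), msg)


# Constructed sample messages for a quick run (not real ACOS log output).
SAMPLES = [
    LogMessage("information", "slb", "server abc is up"),
    LogMessage("error", "system", "abc write failed"),
    LogMessage("critical", "system", "disk fail"),
]

if __name__ == "__main__":
    for expr in ("level information pattern abc and",
                 "level error level critical or pattern fail and"):
        print(expr, "->", [matches(expr, m) for m in SAMPLES])
```

Because the operators come last, two conditions with no operator after them leave two values on the stack, and the evaluator rejects the filter instead of silently picking one; a deployed filter parser should do the same rather than default to AND.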

Configuring Email Log Settings


The following topics are covered:

Using the GUI to Configure Email Logging Settings
Using the CLI to Configure Email Logging Settings

Using the GUI to Configure Email Logging Settings

To configure Email logging settings in the GUI:

1. Hover over System in the navigation bar, and click Settings.


2. Click Logging in the menu bar.
3. In the Level field, select the log level you want to enable.
4. The Buffer field contains two optional configuration choices:
a. To change the maximum number of log messages to buffer before sending them in
email, edit the number in the field on the left. You can specify 16-256 messages.
The default is 50.

b. To change the number of minutes the ACOS device waits before sending all buffered messages, edit the number in the field on the right. This option takes effect if the buffer does not reach the maximum number of messages allowed. You can specify 10-1440 minutes. The default is 10.
5. In the Email Addresses field, specify the Email addresses to which the log files will be
sent.

6. In the Filters section:


a. Specify a filter ID (1-8) and regular expression filter in the Filter section.
b. To immediately send matching messages in an email instead of buffering them,
select Trigger. Otherwise, matching messages are buffered until the message buf-
fer becomes full or the send timer for emailed log messages expires.
c. Click Save Filter.

d. Repeat the process if you want to create multiple filters.


7. When finished configuring log settings, click the OK button at the bottom of the page.

Using the CLI to Configure Email Logging Settings

This section contains CLI examples of Email logging configuration.

The following command configures the ACOS device to buffer log messages to be emailed.
Messages will be emailed only when the buffer reaches 32 messages, or 30 minutes passes
since the previous log message email, whichever happens first.
ACOS(config)# logging email buffer number 32 time 30

The following command resets the buffer settings to their default values.
ACOS(config)# no logging email buffer number time

The following command configures a filter that matches on log messages if they are inform-
ation-level messages and contain the string “abc”. The trigger option is not used, so the mes-
sages will be buffered rather than emailed immediately.
ACOS(config)# logging email filter 1 "level information pattern abc and"

The following command reconfigures the filter to immediately email matching messages.
ACOS(config)# logging email filter 1 "level information pattern abc and" trigger

Chapter 18: Simple Network Management Protocol (SNMP)
This chapter describes how to enable SNMP to monitor and manage your network.

The following topics are covered:

SNMP MIB Information
SNMP Support on the ACOS Device
Partition-aware SNMP Configuration
SNMP Views and Community Strings
Configuring SNMP Groups
Configuring AES or DES Encryption for SNMPv3 Users
Configuring SNMP Traps
Configuring SNMP
Configuring the Source Interface for SNMP Notifications

SNMP MIB Information


The following topics are covered:

Downloading the MIBs
AX MIB Groups
AX MIB Files
MIB Access
SNMP RFCs supported
ifIndex Table Support

Downloading the MIBs

The MIB files are available for download through the GUI:

1. Hover over System on the menu bar, then select Monitoring.


2. Click on the SNMP tab, then select SNMP MIB Download from the drop-down menu.
3. Select a target location for the MIB archive file, then click Save.

AX MIB Groups

The AX MIB consists of the groups described as follows:

TABLE 18-1 : AX MIB Groups

Group Description

axSystem Provides system-level information about the ACOS device, such as the
installed software versions, the serial number, and current CPU util-
ization.

axLogging Provides configuration information about system logging.

axApp Provides configuration and operational information for ACOS device features.


AX MIB Files

The AX MIB consists of the files described as follows:

TABLE 18-2 : AX MIB Files

File Description

A10-COMMON-MIB.txt Contains common MIB definitions for A10 Networks, including the A10 enterprise object identifier (OID) and the OIDs for all A10 products.

A10-AX-MIB.txt Contains ACOS device MIB definitions, including the SNMP notification node.

A10-AX-CGN-NOTIF-V2C.txt Contains SNMPv2c trap definitions for CGN-related objects.

A10-AX-CGN-TRAP-V1.txt Contains SNMPv1 trap definitions for CGN-related objects.

A10-AX-NOTIFICATIONS-V2C.txt Contains SNMPv2c trap definitions for the ACOS device.

A10-AX-TRAPS-V1.txt Contains SNMPv1 trap definitions for the ACOS device.

The first two files are required for every SNMP version; which of the remaining trap-definition files to load depends on your SNMP version (v1 or v2c).

If you are using an SNMPv2c manager, use the following MIB files:

l A10-COMMON-MIB.txt

l A10-AX-MIB.txt

l A10-AX-CGN-NOTIF-V2C.txt

l A10-AX-NOTIFICATIONS-V2C.txt

Or, if you are using an SNMPv1 manager, use the following MIB files:

l A10-COMMON-MIB.txt

l A10-AX-MIB.txt


l A10-AX-CGN-TRAP-V1.txt

l A10-AX-TRAPS-V1.txt

MIB Access

SNMP access to the ACOS device is read-only. You can use SNMP managers to retrieve inform-
ation using GET or GET NEXT requests. SET requests are not supported.

To enable SNMP traps from the CLI, use the snmp-server enable traps command.

The following example enables system start traps:


ACOS(config)# snmp-server enable traps system start

NOTE: For more information about the SNMP CLI commands, see the
Command Line Interface Reference.

SNMP RFCs supported

The ACOS device supports the SNMP-related RFCs described as follows:

TABLE 18-3 : Supported SNMP-related RFCs

RFC Description and Notes

RFC 1155 Structure and Identification of Management Information for TCP/IP-based


Networks.

RFC 1157 A Simple Network Management Protocol (SNMP).

RFC 1212 Concise MIB Definitions: the MIB SET operation is not supported.


RFC 1213 Management Information Base for Network Management of TCP/IP-based Networks: MIB-II.

The following system objects are supported:

l sysDescr
l sysObjectID
l sysUpTime
l sysContact
l sysName
l sysLocation
l sysServices

The sysServices object returns a value that indicates the set of services the
ACOS device offers. For the ACOS device, sysServices always returns the value
76 (0x4C), which is the sum of the following layer bits (for how this value is
calculated, refer to the RFC):

l internet – 0x4
l end-to-end – 0x8
l applications – 0x40

The following interface objects in MIB-II are supported:

l ifNumber
l ifTable

The ipAddrTable in MIB-II is also supported.

RFC 1215 A Convention for Defining Traps for use with the SNMP.

RFC 1850 OSPF Version 2 Management Information Base.

RFC 1901 Introduction to Community-based SNMPv2.


RFC 2233 The Interfaces Group MIB using SMIv2. The ifXTable table is supported.

RFC 2465 Management Information Base for IP Version 6: Textual Conventions and Gen-
eral Group. The ipv6AddrTable on MIB-II is supported.

RFC 2576 Coexistence between Version 1, Version 2, and Version 3 of the Internet-
standard Network Management Framework.

RFC 2578 Structure of Management Information Version 2 (SMIv2).

RFC 2790 Host Resources MIB. The following subtrees are supported:

l hrSystem: .1.3.6.1.2.1.25.1
l hrStorage: .1.3.6.1.2.1.25.2
l hrDeviceTable: .1.3.6.1.2.1.25.3.2
l hrProcessorTable: .1.3.6.1.2.1.25.3.3

RFC 2863 The Interfaces Group MIB. The following table is supported:

l ifXTable: .1.3.6.1.2.1.31.1.1


LLDP-V2-MIB (IEEE 802.1AB, not an IETF RFC; the LLDP objects below are defined there rather than in RFC 3418, which is the SNMP MIB listed further down). The following objects are supported:

l lldpV2PortConfigTable
l lldpV2DestAddrTable
l lldpV2LocPortTable
l lldpV2LocManAddrTable
l lldpV2RemTable
l lldpV2RemManAddrTable
l lldpV2LocChassisIdSubtype
l lldpV2LocChassisId
l lldpV2LocSysName
l lldpV2LocSysDesc
l lldpV2LocSysCapSupported
l lldpV2LocSysCapEnabled

RFC 3410 Introduction and Applicability Statements for Internet Standard Man-
agement Framework.

RFC 3411 An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks.

RFC 3412 Message Processing and Dispatching for the Simple Network Management
Protocol (SNMP).

RFC 3413 Simple Network Management Protocol (SNMP) Applications.

RFC 3414 User-based Security Model (USM) for version 3 of the Simple Network Man-
agement Protocol (SNMPv3).

RFC 3415 View-based Access Control Model (VACM) for the Simple Network Man-
agement Protocol (SNMP).

RFC 3416 Version 2 of Protocol Operations for the SNMP.


RFC 3418 MIB for the SNMP.

RFC 3635 Definitions of Managed Objects for the Ethernet-like Interface Types.

RFC 4001 Textual Conventions for Internet Network Addresses. The following values
for IP address type are supported:

l 0 - Unknown
l 1 - IPv4
l 2 - IPv6

RFC 4273 Definitions of Managed Objects for BGP-4. The following traps are sup-
ported:

l bgpEstablishedNotification
l bgpBackwardTransNotification

RFC 4293 Management Information Base for the Internet Protocol. The following tables
are supported:

l Ipv4InterfaceTable
l Ipv6InterfaceTable
l IpAddrTable
l Ipv6AddrTable

ifIndex Table Support

The ifInUnknownProtos and ifOutQLen objects in the ifTable (indexed by ifIndex) are not
implemented on AX interfaces and always return the value 0. Likewise, the ifSpecific object
is not populated and always returns "0.0".

SNMP Support on the ACOS Device


ACOS devices support the following SNMP versions: v1, v2c, v3. SNMP is disabled by default.


You can configure the ACOS device to send SNMP traps to the Syslog and to external trap
receivers. You also can configure read (GET) access to SNMP Management Information Base
(MIB) objects on the ACOS device by external SNMP managers.

NOTE: SNMP access to the ACOS device is read-only. SET operations (write access) are not supported.

The following items clarify the current SNMP implementation:

l Limit the number of concurrent SNMP polling requests to two or three. Several concurrent snmpwalk requests will result in delays, unfinished requests, timeouts, or error messages.
l Certain SNMP objects, such as the "CPU Per Partition" value, might not work in the current release.
l Because the ACOS device generates the SNMP community string for private partitions, you cannot configure or change that community string.
l The SNMP process may consume 100% of the Control CPU cycles. Restrict SNMP access to known manager hosts (see Restrict Access to Specific Remote Hosts) so that unrestricted polling cannot be used to exhaust the Control CPU.

Partition-aware SNMP Configuration


The following topics are covered:

Details
Prerequisites
Known Limitations

Details

SNMP is enhanced to support the configuration of SNMP on private partitions. Such con-
figuration will be partition-aware and only applied to the partition being configured.

When SNMP is disabled in the shared partition, no configuration change is required in any
L3V partition. From the shared partition, the ACOS device will not get SNMP responses nor
see any L3V traps.


With this enhancement, users can get SNMP responses and traps of an L3V partition through shared VLAN interfaces. Traps from the L3V partition use a different community string.

To enable L3V partition traps, the SNMP service and community string on the L3V partition must be configured. Traps in an L3V partition can be enabled or disabled only at the group level, not for individual traps.

Because the community string on the L3V partition is configured by the administrator and stored encrypted, there is no auto-generated community string on the L3V partition.

Prerequisites

l To support SNMP requests and traps in an L3V partition, SNMP must be enabled in the L3V partition.
l L3V partition SNMP cannot be enabled if SNMP is not enabled in the shared partition.
l To enable L3V partition traps, the SNMP service and community string on the L3V partition must be configured.

Known Limitations

l SNMP GET requests on L3V partitions can only use SNMPv2c.
l SNMP traps from L3V partitions are only SNMPv2c traps.
l SNMP GET requests using the share_community_string@part_name form are not supported.
l SNMP configuration of GSLB group traps is not supported on L3V partitions.

SNMP Views and Community Strings


You can allow external SNMP managers to access the values of MIB objects from the ACOS
device. To allow remote read-only access to ACOS MIB objects, configure one or both of the
following types of access:

l SNMP Views
l SNMP Community Strings


SNMP Views

The following topics are covered:

Details
Using the GUI to Configure SNMP Views
Using the CLI to Configure SNMP Views

Details
An SNMP view is like a filter that permits or denies access to a specific OID or portions of an
OID. You can configure SNMP user groups and individual SNMP users, and allow or disallow
them to read specific portions of the ACOS MIBs using different views.

When you configure an SNMP user group or user, you specify the SNMP version. SNMPv1 and
v2c do not support authentication or encryption of SNMP packets: the community string travels
in cleartext and is the only access control, so anyone who can sniff the management network
can replay it. SNMPv3 supports both. You can enable authentication, encryption, or both, on an
individual SNMP user-group basis when you configure the groups. You can specify the
authentication method and the password for individual SNMP users when you configure the users.

Using the GUI to Configure SNMP Views


To configure an SNMP view using the GUI:

1. Hover over System in the menu bar, then select Monitoring.


2. Select SNMP, then select SNMP Views from the drop-down menu.
3. Click Create.
4. Enter a name for the view in the Viewname field.
5. Enter the MIB view family name or OID in the Oid field, then specify whether this OID
should be included or excluded in the view.
6. Click Create.

Using the CLI to Configure SNMP Views


Use the snmp-server view command to configure an SNMP view from the CLI. The following
example creates a view called “exampleview” which includes OID 1.2.3:
ACOS(config)# snmp-server view exampleview 1.2.3 included


SNMP Community Strings

The following topics are covered:

Details
Using the GUI to Configure an SNMP Community String
Using the CLI to Configure an SNMP Community String

Details
An SNMP community string is a string that an SNMP manager can present to the ACOS device
when requesting MIB values.

Community strings are similar to passwords. You can minimize security risk by applying the
same principles to selecting a community name as you would to selecting a password. Use a
hard-to-guess string and avoid use of commonly used community names such as “public” or
“private”.

You also can restrict access to specific Object IDs (OIDs) within the MIB, on an individual com-
munity basis. OIDs indicate the position of a set of MIB objects in the global MIB tree. The OID
for A10 Networks Thunder Series objects is 1.3.6.1.4.1.22610.

Using the GUI to Configure an SNMP Community String


To configure an SNMP community string using the GUI:

1. Hover over System, then select Monitoring.


2. Select the SNMP tab, then select SNMP from the drop-down menu.
3. Enter the community string in the Community Read field, then click Add.
4. Click Configure SNMP.

Using the CLI to Configure an SNMP Community String


This section contains the following examples:

l CLI Example—Configure a Community String for SNMPv1 or SNMPv2c Users


l CLI Example—Configure a Community String for SNMPv3 Users
l CLI Example—Restrict Access to Specific Remote Hosts
l CLI Example—Restrict Access to Specific OIDs


CLI Example—Configure a Community String for SNMPv1 or SNMPv2c Users

The following example shows how to configure an SNMP community string using the CLI for
SNMPv1 or SNMPv2c users:
ACOS(config)# snmp-server SNMPv1-v2c user u1
ACOS(config-user:u1)# community read examplestring
ACOS(config-user:u1)# show running-config | sec snmp
snmp-server enable service
snmp-server enable traps all
snmp-server SNMPv1-v2c user u1
community read encrypted mGXzd9xr-
cGiMBaDQuY/jnDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
snmp-server host 10.6.7.22 version v2c public

NOTE: The community string is encrypted in the show running-config output for security purposes. Each SNMPv1-v2c user has a community string. You can change the value of this string by using the community read command and entering a new community string.

The user name u1 is a system-specific name and cannot be used to retrieve any SNMP data. Instead, the community string configured under this user should be used to retrieve data. Unless access restrictions are configured (see the examples below), any remote host that knows this community string can read MIB data from the ACOS device. Note also that the snmp-server host line in this output sends traps with the community string public, which is exactly the kind of well-known string the Details section above advises against.

CLI Example—Configure a Community String for SNMPv3 Users

The following example shows how to configure an SNMP community string for SNMPv3 users.
An SNMP view and group must be configured prior to configuring the SNMPv3 user.
ACOS(config)# snmp-server view exampleview 1.2.3 included
ACOS(config)# snmp-server group examplegroup v3 auth read exampleview
ACOS(config)# snmp-server SNMPv3 user exampleuser group examplegroup v3 auth
md5 examplepassword1 priv aes examplepassword2
ACOS(config)# show running-config | sec snmp
snmp-server enable service
snmp-server enable traps all
snmp-server view exampleview 1.2.3 included
snmp-server group examplegroup v3 auth read exampleview
snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 encrypted
IrrqRoL9DI2HGP3wipS0lDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn priv aes
encrypted 6D2AC0vBjbGHGP3wipS0lLD/mjXR6wFMPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
snmp-server host 10.6.7.22 version v2c public


CLI Example—Restrict Access to Specific Remote Hosts

The following example shows how to restrict access to allow only specific remote hosts to
access SNMP data. From the SNMP v1-v2c user configuration level specify which remote
hosts are allowed to access the ACOS device using the community string:
ACOS(config-user:u1)# remote 192.168.20.1 /24
ACOS(config-user:u1)# remote 192.168.30.1 /24

CLI Example—Restrict Access to Specific OIDs

The following example shows how to restrict access so that only a specific OID subtree (1.2.3) can be
accessed by the specified hosts (subnets 192.168.40.x and 192.168.50.x). From the SNMPv1-v2c
user configuration level:
ACOS(config-user:u1)# oid 1.2.3
ACOS(config-user:u1-oid:1.2.3)# remote 192.168.40.1 255.255.255.0
ACOS(config-user:u1-oid:1.2.3)# remote 192.168.50.1 255.255.255.0
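The two restriction forms above combine with the view mechanism into one read-access decision. The following added Python example (written for this edit, not A10 code) models that decision for a single community: user-level remote networks may read anything the community's view permits, oid ... remote networks are confined to one subtree, and an SNMP view in which the most specific included/excluded entry wins (the RFC 3415 VACM rule). The class names, the combination rule (a host matching a user-level remote entry may read any OID; a host matching only an oid entry is confined to that subtree; a community with no restrictions is open to any host, as the note above states), the excluded branch under the A10 enterprise OID and the sample addresses are assumptions for illustration; the ACOS matching logic itself is not documented on this page.

```python
import hmac
import ipaddress


def oid_tuple(oid: str) -> tuple:
    """'1.3.6.1.4.1.22610' -> (1, 3, 6, 1, 4, 1, 22610)."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def in_subtree(oid: str, prefix: str) -> bool:
    o, p = oid_tuple(oid), oid_tuple(prefix)
    return o[:len(p)] == p


def parse_remote(spec: str):
    """Accepts both CLI forms, '192.168.20.1 /24' and '192.168.40.1 255.255.255.0',
    and masks off the host bits (the CLI examples give a host address, not a network)."""
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask.lstrip('/')}", strict=False)


class View:
    """snmp-server view NAME OID included|excluded.
    The entry with the longest matching prefix decides (RFC 3415 VACM rule);
    an OID matched by no entry is not visible."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []          # [(prefix tuple, included?)]

    def add(self, oid: str, included: bool) -> None:
        self.entries.append((oid_tuple(oid), included))

    def permits(self, oid: str) -> bool:
        o = oid_tuple(oid)
        matches = [(len(p), inc) for p, inc in self.entries if o[:len(p)] == p]
        return max(matches)[1] if matches else False


class CommunityPolicy:
    """Per-community host restrictions ('remote' and 'oid ... remote'):
    an illustrative model assumed for this example, not the ACOS implementation."""

    def __init__(self, community: str):
        self._community = community.encode()
        self.remote_nets = []      # user-level 'remote': may read any permitted OID
        self.oid_nets = {}         # 'oid X' + 'remote': confined to subtree X

    def remote(self, spec: str) -> None:
        self.remote_nets.append(parse_remote(spec))

    def oid_remote(self, oid: str, spec: str) -> None:
        self.oid_nets.setdefault(oid, []).append(parse_remote(spec))

    def permits(self, community: str, source_ip: str, oid: str) -> bool:
        # Constant-time compare: in v1/v2c the community string is the only secret.
        if not hmac.compare_digest(community.encode(), self._community):
            return False
        if not self.remote_nets and not self.oid_nets:
            return True            # no restrictions configured: any host may read
        src = ipaddress.ip_address(source_ip)
        if any(src in net for net in self.remote_nets):
            return True
        return any(in_subtree(oid, prefix) and any(src in net for net in nets)
                   for prefix, nets in self.oid_nets.items())


def read_allowed(policy: CommunityPolicy, view: View,
                 community: str, source_ip: str, oid: str) -> bool:
    """A GET is served only if the host/community policy and the view both permit it."""
    return policy.permits(community, source_ip, oid) and view.permits(oid)


def build_example():
    """Constructed configuration mirroring the CLI examples in this section."""
    policy = CommunityPolicy("examplestring")
    policy.remote("192.168.20.1 /24")
    policy.remote("192.168.30.1 /24")
    policy.oid_remote("1.2.3", "192.168.40.1 255.255.255.0")
    policy.oid_remote("1.2.3", "192.168.50.1 255.255.255.0")
    view = View("exampleview")
    view.add("1.3.6.1.4.1.22610", True)        # A10 enterprise subtree
    view.add("1.3.6.1.4.1.22610.1.2", False)   # hypothetical excluded branch
    view.add("1.2.3", True)
    return policy, view


if __name__ == "__main__":
    policy, view = build_example()
    for src, oid in (("192.168.20.77", "1.3.6.1.4.1.22610.1.1.0"),
                     ("192.168.40.5", "1.2.3.4"),
                     ("192.168.40.5", "1.3.6.1.4.1.22610.1.1.0"),
                     ("10.0.0.1", "1.2.3")):
        print(src, oid, "->", read_allowed(policy, view, "examplestring", src, oid))
```

Two details are worth carrying into a real deployment: the CLI remote lines name a host address with a mask, so the host bits are discarded and the whole /24 is admitted, and a community with no remote entries at all is reachable from anywhere, which is the state the example in the previous section is in.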

Configuring SNMP Groups


SNMP users can be organized into groups, which can be configured to allow or disallow users
access to read specific SNMP views.

The following topics are covered:

Using the GUI to Configure SNMP Groups
Using the CLI to Configure SNMP Groups

Using the GUI to Configure SNMP Groups

To configure an SNMP group using the GUI:

1. Hover over System in the menu bar, then select Monitoring.


2. Select SNMP, then select SNMP Groups from the drop-down menu.
3. Click Create.
4. Enter a name for the group in the Groupname field.
5. Select the desired SNMPv3 packet authentication level.


6. Select a read-only view for accessing MIB objects.


7. Click Create.

Using the CLI to Configure SNMP Groups

Use the snmp-server group command to configure an SNMP group from the CLI. The fol-
lowing example creates a group called “examplegroup”:
ACOS(config)# snmp-server group examplegroup v3 priv read exampleview

Configuring AES or DES Encryption for SNMPv3 Users


The following topics are covered:

Details
Using the GUI to Configure Encryption for SNMPv3 Users
Using the CLI to Configure Encryption for SNMPv3 Users

Details

Advanced Encryption Standard (AES) or Data Encryption Standard (DES) encryption can be
added at the SNMP "user" level. This feature extends overall security with support for
SNMPv3 notifications (traps). SNMPv3 traps are authenticated and encrypted, using the
same options already supported for SNMPv3 in previous releases.

l Authentication is performed by using the user's authentication key to compute an HMAC over the message being sent, with either MD5 or SHA as the hash function. The authentication key is derived from the specified password using the selected hash function.
l Encryption is performed by using the user's privacy key to encrypt the data portion of the message being sent, with either AES or DES. The privacy key is likewise derived from the specified privacy password.

Where you have the choice, prefer SHA for authentication and AES for privacy: MD5 and single DES are both deprecated algorithms, and DES uses only a 56-bit key.


NOTE: After changing the encryption for an SNMP user, SNMP must be
restarted in order to reload the configuration. This process will
take some time before the SNMP service becomes available.
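How the auth and priv passwords become keys is specified by the User-based Security Model (RFC 3414), which the RFC table earlier in this chapter lists as supported. The following added Python example, not A10 code, carries that derivation through: the password is stretched to 1 MiB and hashed (password_to_key), then localized to the device's snmpEngineID (localize_key), and the privacy key for DES or AES-128 is the first 16 octets of a key derived the same way from the privacy password. The function names are this example's; the password and the 12-byte engine ID are the RFC 3414 Appendix A test vectors, so the results can be checked against the RFC, while OTHER_ENGINE_ID is a constructed, hypothetical value. The example also shows why localization matters: the same password yields a different key on every engine ID, so a localized key recovered from one device does not authenticate to another.

```python
import hashlib
import hmac

_STRETCH_LEN = 1_048_576  # RFC 3414 A.2: the password is expanded to 1 MiB before hashing


def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku = H(password repeated cyclically to exactly 1,048,576 octets)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps = _STRETCH_LEN // len(pw) + 1
    return hashlib.new(hash_name, (pw * reps)[:_STRETCH_LEN]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 section 2.6)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_key(password: str, engine_id: bytes, hash_name: str) -> bytes:
    """Localized authentication key: 16 octets for HMAC-MD5-96, 20 for HMAC-SHA-96."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def priv_key(priv_password: str, engine_id: bytes, auth_hash_name: str) -> bytes:
    """Privacy key: derived exactly like the auth key, with the user's *auth* hash
    (RFC 3414 section 8.1.1.1 for DES, RFC 3826 section 3.1.2.1 for AES-128).
    Both use the first 16 octets (DES: 8 key + 8 pre-IV; AES-128: 16-octet key)."""
    return auth_key(priv_password, engine_id, auth_hash_name)[:16]


def auth_tag(key: bytes, message: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: the first 12 octets of HMAC(key, message)
    (HMAC-MD5-96 / HMAC-SHA-96, RFC 3414 sections 6.3.1 and 7.3.1)."""
    return hmac.new(key, message, hash_name).digest()[:12]


# Constructed inputs: the RFC 3414 Appendix A.3 test-vector password and engine ID,
# plus a hypothetical second engine ID (0x80 + A10's enterprise number 22610, MAC-based).
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("8000585203001122334455")

if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, "Kul:", auth_key(RFC_PASSWORD, RFC_ENGINE_ID, name).hex())
    print("same password, other engine:",
          auth_key(RFC_PASSWORD, OTHER_ENGINE_ID, "sha1").hex())
```

The MD5 branch needs a hashlib build that still exposes md5 (it is absent in FIPS-restricted builds), which is another reason to prefer SHA when creating ACOS SNMPv3 users.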

Using the GUI to Configure Encryption for SNMPv3 Users

To configure encryption for SNMPv3 users from the GUI:

1. Hover over System, then select Monitoring.


2. Select the SNMP tab, then select SNMP User from the drop-down menu.
3. Click Create to create a new user.
4. Specify the user name and group.

5. In the Authentication field, select the Enable checkbox.

This displays the authentication options for the SNMP user configuration.

a. Specify the authentication algorithm you want to use (MD5 or SHA) and password.
b. Specify the Encryption type (DES or AES) and encryption passphrase.
6. Click Create.

Using the CLI to Configure Encryption for SNMPv3 Users

To add encryption at the snmp “user” level, use the snmp-server command at the global con-
fig level.


The following example shows how to configure an SNMPv3 user "exampleuser", who is a member of "examplegroup", which has read access to "exampleview":
ACOS(config)# snmp-server view exampleview 1.2.3 included
ACOS(config)# snmp-server group examplegroup v3 auth read exampleview
ACOS(config)# snmp-server SNMPv3 user exampleuser group examplegroup v3 auth md5 examplepassword1 priv aes examplepassword2

The auth md5 examplepassword1 portion of the command derives the user's authentication key from the string "examplepassword1" using MD5 (HMAC-MD5-96). The priv aes examplepassword2 portion derives the privacy key from the string "examplepassword2" and encrypts messages with AES.

Note that examplegroup is configured with the auth security level; in VACM terms (RFC 3415) that is the minimum level a request must present, so requests through this group may still arrive authenticated but unencrypted. To require encrypted requests, configure the group with priv instead, as in the Configuring SNMP Groups example.

NOTE: More information about the snmp-server command can be found


in the Command Line Interface Reference.

Configuring SNMP Traps


The following topics are covered:

Enabling SNMP Traps
Using the GUI to Enable SNMP Traps
Using the CLI to Enable SNMP Traps
Disabling SNMP Traps for L3V Partitions

Enabling SNMP Traps

In order to start receiving SNMP traps, you must enable SNMP traps on a configured SNMP
server. You can enable any of the individual traps, or a category of new SNMP traps. Follow
the steps below to enable SNMP traps. All traps are disabled by default.

For more information about SNMP CLI commands used for enabling SNMP traps, along with a
list of available traps, see the Command Line Interface Reference.

For information about configuring SNMP traps on L3V partitions, see the Configuring Applic-
ation Delivery Partitions guide.

Take note of the following:


l In order to begin receiving ssl-cert-expire SNMP traps, you must enable email noti-
fication of SSL certificate expiration. To do so, use the logging email-address com-
mand from the global configuration level in the CLI. For more information, refer to the
Command Line Interface Reference.
l In order to begin receiving resource-usage-warning SNMP traps, you must set resource
utilization thresholds for partitions.
l If you have a DNS anycast configuration, all ports of a given virtual server must be down before an SNMP trap will be sent.

NOTE: The enabling/disabling of traps in the L3V partition can only be done on the group level, and not on an individual trap level.

Using the GUI to Enable SNMP Traps

To enable SNMP traps:

1. Hover over System in the navigation bar, and select Monitoring.


2. Click SNMP on the menu bar, and then select SNMP from the drop-down menu that
appears.
3. Click Trap List to display the traps you can add, sorted by category.
4. Select the checkbox next to any SNMP traps you want to enable.
5. Click Configure SNMP to save your changes.

Using the CLI to Enable SNMP Traps

The snmp-server enable traps command allows you to enable SNMP traps. The following
traps are available on the shared partition:

l all
l gslb
l lldp
l lsn
l network


l routing
l slb
l slb-change
l snmp
l system
l vcs
l vrrp-a

NOTE: On the L3V partition, only the all, snmp, gslb, slb, slb-change, and
vrrp-a traps are available. For details on these traps, see the Com-
mand Line Interface Reference.

The following CLI command enables SNMP traps for all SLB events. Note that using the ?
allows you to see all SNMP traps within the category before activating that category.
AX5100(config)# snmp-server enable traps slb ?
all Enable all SLB traps
application-buffer-limit Enable application buffer reach limit trap
bw-rate-limit-exceed Enable SLB server/port bandwidth rate limit exceed
trap
bw-rate-limit-resume Enable SLB server/port bandwidth rate limit resume
trap
server-conn-limit Enable SLB server connection limit trap
server-conn-resume Enable SLB server connection resume trap
server-disabled Enable SLB server-disabled trap
server-down Enable SLB server-down trap
server-selection-failure Enable SLB server selection failure trap
server-up Enable slb server up trap
service-conn-limit Enable SLB service connection limit trap
service-conn-resume Enable SLB service connection resume trap
service-down Enable SLB service-down trap
service-group-down Enable SLB service-group-down trap
service-group-member-down Enable SLB service-group-member-down trap
service-group-member-up Enable SLB service-group-member-up trap
service-group-up Enable SLB service-group-up trap
service-up Enable SLB service-up trap
vip-connlimit Enable the virtual server reach conn-limit trap
vip-connratelimit Enable the virtual server reach conn-rate-limit
trap
vip-down Enable SLB virtual server down trap


vip-port-connlimit Enable the virtual port reach conn-limit trap


vip-port-connratelimit Enable the virtual port reach conn-rate-limit trap
vip-port-down Enable SLB virtual port down trap
vip-port-up Enable SLB virtual port up trap
vip-up Enable SLB virtual server up trap

The following CLI command enables SNMP traps for all SLB changes. An SNMP trap will be sent whenever a change has been made to the SLB configuration. This includes the creation or deletion of virtual or real servers or ports, and changes to or near expiration of SSL certificates.
ACOS(config)# snmp-server enable traps slb-change

The following CLI commands only enable SNMP traps for the creation or removal of virtual
and real servers and ports.
ACOS(config)# snmp-server enable traps slb-change server
ACOS(config)# snmp-server enable traps slb-change server-port
ACOS(config)# snmp-server enable traps slb-change vip
ACOS(config)# snmp-server enable traps slb-change vip-port

Disabling SNMP Traps for L3V Partitions

ACOS allows you to enable SNMP traps on shared partitions. The ACOS device can disable
traps on L3V partitions while the SNMP traps are still enabled on shared partitions. The
default behavior is for both shared and L3V partition traps to be sent out when SNMP traps
are enabled on shared partitions.

When SNMP is disabled in the shared partition, no configuration change is required in any
L3V partition. From the shared partition, the ACOS device will not send any SNMP responses
nor traps once SNMP is disabled.

NOTE: GSLB group traps are not partition-aware so they cannot be controlled using the snmp-server disable traps gslb command.

To disable SNMP traps on L3V partitions, use the CLI and make sure that you are in the configuration level for an L3V partition.

The example below switches to the private partition named “pl3v,” then disables network and LLDP traps on this partition:
ACOS(config)# active-partition pl3v
ACOS[pl3v](config)# snmp-server disable traps network
ACOS[pl3v](config)# snmp-server disable traps LLDP

Configuring SNMP
The following topics are covered:

Details 209

Using the GUI to Configure SNMP 209

Using the CLI to Configure SNMP 210

Details

By default, SNMP service is disabled for all data interfaces. See “Default Management Access
Settings” in the Management Access and Security Guide for more information.

To configure SNMP:

1. If desired, configure location and contact information.
2. If desired, configure external SNMP trap receivers.
3. If desired, configure SNMPv1/v2c.
4. If desired, configure views, groups, and users.
5. Enable the SNMP agent and SNMP traps.
6. Save the configuration changes.

You are not required to perform these configuration tasks in precisely this order. The workflow in the GUI is slightly different from the workflow shown here.

Using the GUI to Configure SNMP

To configure basic SNMP parameters:

1. Hover over System in the navigation bar, and select Monitoring.
2. Click SNMP on the menu bar, then select SNMP from the drop-down list.
3. Configure general SNMP settings, including the system information, Engine ID, and trap host, in the General Fields section. Refer to the GUI online help for detailed information about each field.
4. Configure SNMP trap settings by clicking and expanding the Trap List section, then selecting the traps you want to monitor.
5. Click Create SNMP Server when you are finished making your selections.

Using the CLI to Configure SNMP

All SNMP configuration commands are available at the global configuration level of the CLI.

1. To configure SNMPv1/v2c, use the following command:
ACOS(config)# snmp-server snmpv1-v2c

2. To configure an SNMPv3 user, specify the user name, group name, and authentication method. For example:
ACOS(config)# snmp-server snmpv3 user example-user group example-group v3 auth md5 example-password

3. To configure contact information, use the snmp-server contact command:
ACOS(config)# snmp-server contact example-contact

4. To enable the SNMP agent and SNMP traps, use the snmp-server enable traps command. For example, to enable all SNMP traps:
ACOS(config)# snmp-server enable traps all

5. To configure an SNMP group, specify the group name and security level. For example:
ACOS(config)# snmp-server group example-group-name v3 auth read example-read-view-name

6. To configure external SNMP trap receivers, use the snmp-server host command:
ACOS(config)# snmp-server host 10.10.10.10 version v3 user WDCS

7. To configure location information, use the snmp-server location command:
ACOS(config)# snmp-server location example-location

8. To configure an SNMP view, use the following command:
ACOS(config)# snmp-server view example-view-name example-oid included

NOTE: For more information about these commands and other SNMP-related commands, refer to the Command Line Interface Reference.

Be sure to use the write memory command to save any configuration changes.

Configuring the Source Interface for SNMP Notifications

The following topics are covered:

Details 211

Using the GUI to Configure the SNMP Source Interface 212

Using the CLI to Configure the SNMP Source Interface 212

Details

You can specify a data interface to use as the source interface for SNMP traps. By default,
the management interface is the source interface for SNMP traps.

- This feature does not support IPv6.
- This feature supports SNMPv1 but not SNMPv2c or SNMPv3.

The interface can be any of the following types:

- Ethernet
- VLAN / VE
- Loopback

When the ACOS device sends an SNMP trap from the data interface you specify, the “agent-address” in the SNMP trap is the data interface’s IP address.

Using the GUI to Configure the SNMP Source Interface

To configure an Ethernet interface as the source for SNMP traps:

1. Hover over Network in the navigation bar and select Interface.
2. On the menu bar, click LAN.
3. Click Edit in the Actions column for the Ethernet interface.
4. Select the checkbox next to Trap Source in the General Fields section.
5. Click Update.

Using the CLI to Configure the SNMP Source Interface

The following command attempts to set a loopback interface as the SNMP trap source. However, the feature has already been enabled on Ethernet port 1, and only one interface can be enabled for SNMP traps, so this example shows that the existing trap source will be overwritten with the new one:
ACOS(config)# interface loopback 1
ACOS(config-if:loopback:1)# snmp-server trap-source
The trap source already exists for interface eth1. Do you want to overwrite?
[yes/no]:yes
ACOS(config-if:loopback:1)#

Chapter 19: Link Monitoring
The ACOS device supports link monitoring with automated link disable or session clear.

The following topics are covered:

Overview of Link Monitoring 214

Link Monitoring Actions 214

Link Monitor Template Sequence Numbers 214

Link Monitor Template Logical Operators 215

Configuring Link Monitor 216

Overview of Link Monitoring


This feature monitors the link state of Ethernet data interfaces. You can monitor Ethernet
data interfaces for the following types of events:

- Link up
- Link down

The feature monitors the link state on a set of Ethernet data interfaces. If the monitored
event is detected, the ACOS device applies the specified action to another set of interfaces.

This feature is especially useful in cases where you want to disable both ACOS interfaces
used by traffic flows through the ACOS device, if the link on either interface goes down.

NOTE: For an example, see “LACP Passthrough” in the Network Configuration Guide.

NOTE: You can configure the feature for individual Ethernet data ports.
Configuration of the feature for logical interfaces such as Virtual
Ethernet (VE) interfaces is not supported.

Link Monitoring Actions


You can configure the ACOS device to take one of the following actions when the specified
event type (link up or link down) is detected on a monitored Ethernet data interface:

- Clear sessions
- Disable the link on one or more other interfaces
- Enable the link on one or more other interfaces

The clear session option removes sessions from the session table. You can configure the feature either to clear data sessions only, or to clear sessions of all types.

Link Monitor Template Sequence Numbers


Each monitor template can contain the following types of entries:

- Monitoring entries – A monitoring entry monitors for a specific event type (link up or link down) on a specific Ethernet data interface.
- Action entries – An action entry specifies the action to take when monitored events are detected.

When you configure an entry of either type, you must specify a sequence number, 1-16. The
sequence numbers assigned to monitoring entries specify the order in which to check the
monitored ports for the specified event type.

Likewise, the sequence numbers assigned to action entries specify the order in which to apply the actions.

The sequence number can be important in cases such as the following:

- The order in which link state changes take place can affect whether traffic loops occur.
- The template contains action entries that clear sessions and that disable or enable links. In this case, the sequence number controls whether the sessions are cleared before or after the link states are changed. Normally, it is recommended to clear the sessions first, before changing the link states.

The monitor with the lowest sequence number is performed first, then the monitor with the next lowest sequence number is performed, and so on. For example, monitor 1 is performed first, monitor 2 is performed second, and so on. Likewise, if the monitored events are detected, action 1 is performed first, then action 2, and so on.

Link Monitor Template Logical Operators


Each monitor template uses one of the following logical operators:

- AND – The actions are performed only if all the monitored events are detected. (This is the default.)
- OR – The actions are performed if any of the monitored events is detected.

The logical operator applies only to monitor entries, not to action entries. For example, if the logical operator is OR, and at least one of the monitored events occurs, all the actions configured in the template are applied.

You can configure the entries in any order. In the configuration, the entries of each type are
ordered based on sequence number.

Configuring Link Monitor


To configure link monitoring with automated link disable or session clear:

1. Configure a monitoring template. Within the template, specify the following parameters:
   - Links (Ethernet data ports) to monitor
   - Actions to perform on other links, if the monitored event is detected:
     - Clear sessions
     - Disable links
     - Enable links
   - (Optional) Set the comparison operator for the monitoring entries:
     - AND – The actions are performed only if all the monitored events are detected.
     - OR – The actions are performed if any of the monitored events is detected.

   Link monitoring template commands are available through global configuration mode (see the Command Line Reference). A similar set of commands is available through slb template monitor mode (see the Command Line Interface Reference for ADC).

2. Activate the monitoring template.

You can configure and activate up to 16 monitor templates. A monitor template does not take effect until you activate it.

The following commands configure monitor template 1 and the physical data interfaces and
events to monitor:
ACOS(config)# system mon-template monitor 1
ACOS(config-monitor)# monitor link-down eth 5 sequence 1
ACOS(config-monitor)# monitor link-down eth 6 sequence 2
ACOS(config-monitor)# monitor link-down eth 9 sequence 3
ACOS(config-monitor)# monitor link-down eth 10 sequence 4

The following commands configure the actions to take when a monitored event is detected:
ACOS(config-monitor)# action clear sessions sequence 1
ACOS(config-monitor)# action link-disable eth 5 sequence 2
ACOS(config-monitor)# action link-disable eth 6 sequence 3
ACOS(config-monitor)# action link-disable eth 9 sequence 4
ACOS(config-monitor)# action link-disable eth 10 sequence 5
ACOS(config-monitor)# exit

The following command activates the template, to place it into effect:
ACOS(config)# system template-bind monitor 1

Based on this configuration, when a link-down event is detected for Ethernet port 5 OR 6 OR
9 OR 10, sessions are cleared first. Then the remaining links are disabled, in the following
sequence: 5 AND 6 AND 9 AND 10.

NOTE: The clear session command clears only data sessions. To clear
all sessions, use clear sessions all.
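As an added example (not A10 code), the following Python models the template just configured: monitor and action entries keyed by sequence number (1-16), the AND/OR operator, activation via bind, and evaluation against a set of link states, returning the actions in sequence order. The narrative above reads the template with OR semantics while the guide gives AND as the default and this section shows no operator command, so the example takes the operator as a constructor argument (an assumption) and evaluates the same template both ways. Port names such as "eth5" and the link-state dictionary are constructed input.

```python
"""Model of an ACOS-style link monitor template: monitor entries, action entries,
sequence numbers and the AND/OR operator. Added example; not A10 code."""
from dataclasses import dataclass
from typing import Dict, List

MAX_SEQUENCE = 16  # the guide allows sequence numbers 1-16


@dataclass(frozen=True)
class MonitorEntry:
    sequence: int
    event: str   # "link-down" or "link-up"
    port: str    # Ethernet data port, e.g. "eth5" (constructed naming)


@dataclass(frozen=True)
class ActionEntry:
    sequence: int
    kind: str                   # "clear-sessions", "link-disable" or "link-enable"
    port: str = ""              # target port for link-disable / link-enable
    all_sessions: bool = False  # clear-sessions: data sessions only (default) or all


class LinkMonitorTemplate:
    """One monitor template. The operator argument is an assumption: the guide
    names AND (default) and OR but this section shows no command to set it."""

    def __init__(self, template_id: int, operator: str = "AND") -> None:
        if operator not in ("AND", "OR"):
            raise ValueError("operator must be AND or OR")
        self.template_id = template_id
        self.operator = operator
        self.monitors: Dict[int, MonitorEntry] = {}
        self.actions: Dict[int, ActionEntry] = {}
        self.active = False  # a template does nothing until it is bound

    @staticmethod
    def _check_sequence(sequence: int, table: dict) -> None:
        if not 1 <= sequence <= MAX_SEQUENCE:
            raise ValueError(f"sequence {sequence} outside 1-{MAX_SEQUENCE}")
        if sequence in table:
            raise ValueError(f"sequence {sequence} already used")

    def monitor(self, event: str, port: str, sequence: int) -> None:
        if event not in ("link-down", "link-up"):
            raise ValueError("event must be link-down or link-up")
        self._check_sequence(sequence, self.monitors)
        self.monitors[sequence] = MonitorEntry(sequence, event, port)

    def action(self, kind: str, sequence: int, port: str = "",
               all_sessions: bool = False) -> None:
        if kind not in ("clear-sessions", "link-disable", "link-enable"):
            raise ValueError("unknown action kind")
        self._check_sequence(sequence, self.actions)
        self.actions[sequence] = ActionEntry(sequence, kind, port, all_sessions)

    def bind(self) -> None:
        """Equivalent of 'system template-bind monitor <id>'."""
        self.active = True

    def evaluate(self, link_state: Dict[str, str]) -> List[str]:
        """Given current link states ({"eth5": "down", ...}), return the actions
        to apply in sequence order, or [] when the template does not fire."""
        if not self.active or not self.monitors:
            return []
        hits = []
        # monitors are checked lowest sequence first
        for entry in sorted(self.monitors.values(), key=lambda m: m.sequence):
            wanted = "down" if entry.event == "link-down" else "up"
            hits.append(link_state.get(entry.port) == wanted)
        fired = all(hits) if self.operator == "AND" else any(hits)
        if not fired:
            return []
        ordered = sorted(self.actions.values(), key=lambda a: a.sequence)
        return [self._describe(a) for a in ordered]

    @staticmethod
    def _describe(a: ActionEntry) -> str:
        if a.kind == "clear-sessions":
            return "clear sessions all" if a.all_sessions else "clear sessions"
        return f"{a.kind} {a.port}"


def build_guide_template(operator: str) -> LinkMonitorTemplate:
    """Monitor template 1 from the guide: watch eth5/6/9/10 for link-down,
    clear data sessions first, then disable the four links."""
    ports = ("eth5", "eth6", "eth9", "eth10")
    t = LinkMonitorTemplate(1, operator)
    for seq, port in enumerate(ports, start=1):
        t.monitor("link-down", port, seq)
    t.action("clear-sessions", 1)
    for seq, port in enumerate(ports, start=2):
        t.action("link-disable", seq, port)
    t.bind()
    return t


if __name__ == "__main__":
    one_down = {"eth5": "down", "eth6": "up", "eth9": "up", "eth10": "up"}
    print("OR :", build_guide_template("OR").evaluate(one_down))
    print("AND:", build_guide_template("AND").evaluate(one_down))
```

With OR, a single port going down triggers the full action list (clear sessions, then disable eth5, eth6, eth9, eth10); with the default AND, the same state triggers nothing until all four monitored ports are down.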

Chapter 20: ACE Monitoring and Analytics
The ACE (Analytics Computing Engine) implements visibility and analytics as a base ACOS function. ACE collects data from counter library metrics per connection for statistical analysis.

Visibility of anomalies such as traffic spikes and traffic failures provides some guidance on the seasonality of traffic, to help the user with resource assignment.

The following topics are covered:

ACE Monitoring and Show Command Options 219

Notification Templates 221

Configuring Visibility on ACOS 226

Visibility and Analytics Monitoring 227

Secondary Monitoring on ACOS 229

Session Indexing 230

ACE Monitoring and Show Command Options


ACE monitoring options can be configured in Visibility Configuration mode in CLI using the
visibility command.

The following topics are covered:

Discovery Monitoring 219

Related Commands 219

Granularity 219

Cumulative Updates 220

Collection of Statistics 220

Anomaly Detection 220

Related CLI Commands 221

Discovery Monitoring

Monitoring samples are collected for every ACOS partition receiving and generating the samples, creating keys as specified in the partition configuration.

Related Commands

Example of monitoring commands in CLI:

- Monitor x-flow source information:
ACOS(config-visibility)# monitor xflow source

Granularity

The granularity can be configured by the user for all rate-based calculations. Granularity is the time interval at which monitoring information is collected for each monitored parameter; the default value is 5 seconds. Supported values are 1 to 300 seconds.

Set it using the granularity command, for example:
ACOS(config-visibility)# granularity 60

Cumulative Updates

Cumulative updates can be enabled when creating the ACE monitor. When enabled, the statistics counter library sends cumulative updates from ACOS.

Collection of Statistics

The following values are calculated and the data is further used for analysis:

- Minimum
- Maximum
- Mean
- Standard deviation
- Threshold: The highest value that was observed for the given metric that was not an anomaly.
- Continuous learning: Through continuous monitoring of data or x-flow traffic, a sample is taken into the baseline only if it is not anomalous. Also, when 3 consecutive spikes are detected, it is considered an anomaly.

Anomaly Detection

Sensitivity settings help in anomaly detection. 3 consecutive spikes mean the monitored parameter is anomalous. There are two settings:

- Low sensitivity: This is the system default. In this case, any sample that is greater than 2 times the threshold is a spike.
- High sensitivity: Any sample that is more than 2 standard deviations above the mean is a spike.

Related CLI Commands

The important anomaly detection related CLI commands are as follows:

- Enable anomaly detection in Visibility Configuration mode:
ACOS(config-visibility)# anomaly-detection

- Configure sensitivity for anomaly detection:
ACOS(config-visibility-anomaly-detection)# sensitivity high

Notification Templates
The following topics are covered:

Details 221

Notification Events 221

Notification Data 222

Notification Template Properties 222

Notification Template Examples 222

Details

ACE supports primary and secondary level monitoring. Primary and secondary key types can be specified from the CLI. The module creates monitoring entities based on these keys. ACOS evaluates these baseline metric values. The baseline values calculated are minimum, maximum, mean and standard deviation. Using these baseline values, anomalies are detected or cleared.

This feature adds support to send notifications on different events. The host that should
receive these notifications can be configured from the CLI.

Notification Events

Notifications are sent for the following events:

- Monitoring entity creation
- Monitoring entity deletion
- Anomaly detection
- Anomaly clear

Notification Data

The notification data contains:

- Parameter name
- The type of information (source / destination / service / Source NAT IP)
- Notification type (entity created / entity deleted / anomaly detected / anomaly cleared)
- Processed metric values (minimum, maximum, current, threshold, mean)
- Anomaly status for every metric
- Entity type (primary / secondary)

Notification Template Properties

A maximum of 8 notification templates can be configured on ACOS. These templates are global, and can be bound to any partition. Notification templates have the following properties:

- By default, a template is active after creation.
- An incomplete template cannot be bound to a partition.
- A template must be disabled before it is modified, unless it is not bound.
- A template cannot be deleted while it is bound.

Notification Template Examples

The following topics are covered:

Creating a Notification Template 223

Deleting a Template 224

Enabling a Template 224

Disabling a Template 225

Binding a Template 225

Creating a Notification Template

- Configure visibility reporting:
ACOS(config-visibility-reporting)# template notification user1

- Configure the host with an IPv4 address:
ACOS(config-visibility-reporting-notifica...)#host ip 1.1.1.1

- Use the management port option for notifications:
ACOS(config-visibility-reporting-notifica...)# host ip 1.1.1.1 use-mgmt-port

- To use an IPv6 address as the host:
ACOS(config-visibility-reporting)# template notification ipv6
ACOS(config-visibility-reporting-notification)# host ip6 1::1 use-mgmt-port

Verifying the Configuration

ACOS(config-visibility-reporting)#show run visibility
!Section configuration: 94 bytes
visibility
  reporting
    template notification ipv6
      host ip6 1::1 use-mgmt-port

To use a URI as a host, use the command:
ACOS(config-visibility-reporting-notifica...)#host host-name a10networks.com
ACOS(config-visibility-reporting-notifica...)#protocol http 80

NOTE: The default protocol is HTTPS and port 443.

Verifying the Configuration

ACOS(config-visibility-reporting)#show run visibility
!Section configuration: 106 bytes
visibility
  reporting
    template notification user1
      host ip 1.1.1.1
      protocol http 80

Deleting a Template
ACOS(config-visibility-reporting)#no template notification user1
ACOS(config-visibility-reporting)#sh run visibility
!Section configuration: 0 bytes

Enabling a Template
Enable (or bind) a complete template:
ACOS(config-visibility-reporting-notifica...)#host ip 1.1.1.1
ACOS(config-visibility-reporting-notifica...)#enable
ACOS(config-visibility-reporting-notifica...)#show run visibility
!Section configuration: 82 bytes
visibility
  reporting
    template notification test
      host ip 1.1.1.1

NOTE: Host details are required to enable any template. Incomplete templates can’t be enabled.

Disabling a Template
Disable a template using:
ACOS(config-visibility-reporting-notifica...)#disable
ACOS(config-visibility-reporting-notifica...)#show run visibility
!Section configuration: 97 bytes
visibility
  reporting
    template notification user1
      host ip 1.1.1.1
      disable

Binding a Template
To bind a template, enable monitoring and notifications for the template.
ACOS(config-visibility)# monitor traffic dest
ACOS(config-visibility-monitor:traffic)# template notification user1
ACOS(config-visibility-monitor:traffic)# show run visibility
!Section configuration: 138 bytes
visibility
  reporting
    template notification test
      host ip 1.1.1.1
  monitor traffic dest
    template notification test

Configuring Visibility on ACOS


To configure a new notification template for visibility on vThunder, enter visibility reporting mode and create the template with the following commands, then configure the template host for IPv6 AAAA and the notification settings as described in the steps below:
ACOS(config)# visibility
ACOS(config-visibility)# reporting
ACOS(config-visibility-reporting)# notification-template user1

1. Template host configuration for IPv6 AAAA.
2. Configure the host IPv6 address:
ACOS(config-visibility-reporting-notifica...)# host ip 6.6.6.6 use-mgmt-port
3. Protocol to use. Configure the HTTP port to use <1-65535>:
ACOS(config-visibility-reporting-notifica...)# protocol http 8080
4. Relative URI:
ACOS(config-visibility-reporting-notifica...)# relative-uri companyuri/
5. Enable or disable the template.
6. The show command for operation support:
ACOS# show run visibility
!Section configuration: 167 bytes
visibility
  monitor dest
  reporting
    notification-template test
      host ip 6.6.6.6 use-mgmt-port
      protocol http 8080
      relative-uri testuri/

Visibility and Analytics Monitoring


ACOS users with critical infrastructure can monitor network resources through visibility and analytics. ACOS supports a logging system to monitor resources like system interface statistics, virtual server, remote server, and virtual port.

All ACOS 5.2.0 platforms, ACOS Thunder, vThunder, and Thunder Container, have native support for Prometheus. A Prometheus server can query various stats and rate metrics for analysis as specified in its configuration.

Functionalities

Users and systems can use the following functionalities:

- Create and view dashboards to communicate with the Prometheus server using a Visualization and Analytics tool, like Grafana.
- Query any API statistics configured in the Prometheus server's YAML file.
- View the default metrics logged, when no filters are specified:
  - All Interface Metrics
  - CPU Usage
  - Memory Usage

Configuration Example

For example, to monitor a particular object or class of objects, add that object or class of
objects to the parameters (params) in the Prometheus YAML file as follows.

Sample prometheus.yml Configuration Snippet

global:
  scrape_interval: 5s
  evaluation_interval: 5s

scrape_configs:
  - job_name: 'prometheus_job_fetch_metrics'
    scheme: 'https'
    tls_config:
      insecure_skip_verify: true
    static_configs:
      - targets: ["10.65.22.161:443"]
    metrics_path: '/metrics'
    params:
      username: ["username"]
      password: ["password"]
      api_endpoint: ["/slb/virtual-server/vs1/stats", "/slb/service-group/stats",
                     "/slb/virtual-server/vs1/rate"]

The descriptions for the parameters are as follows:

Parameter        Description
scrape_interval  Time interval for querying the statistics fields.
target           Hostname and port that the Exporter is running on. The port must be the same as the port number of the web server on the ACOS Prometheus client.
api_endpoint     URI endpoint that the Exporter intercepts to invoke the appropriate aXAPI. (A comma-separated list of APIs can be provided here for a single host.)

In this scenario, once the Prometheus server is up and running, it invokes the query every 15 seconds, as specified in the scraping interval. The API names listed in api_endpoint are passed to it as parameters. The ACOS Prometheus client creates the gauge metrics for each statistics field and exposes the metrics to the Prometheus server.

NOTE: To enable Prometheus support for previous versions of ACOS, refer to the Prometheus Exporter procedure.
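The sample job above disables certificate verification and passes the aXAPI credentials as scrape parameters. The following Python, added here as an example and not part of the guide or of Prometheus, reviews a scrape job for those two settings and shows the URL Prometheus actually requests (params become query-string values on every scrape). The job is the guide's snippet as an already-parsed dict (the structure a YAML loader such as PyYAML would return); the finding texts and the hardened_copy helper are this example's own, and the 10.65.22.161 target is the guide's value.

```python
"""Review an ACOS Prometheus scrape job for risky settings and show the request
it generates. Added example, not part of the guide or of Prometheus."""
from typing import Any, Dict, List
from urllib.parse import urlencode

# The guide's scrape job, as a YAML loader would return it (constructed inline
# so the example runs without a YAML dependency).
GUIDE_JOB: Dict[str, Any] = {
    "job_name": "prometheus_job_fetch_metrics",
    "scheme": "https",
    "tls_config": {"insecure_skip_verify": True},
    "static_configs": [{"targets": ["10.65.22.161:443"]}],
    "metrics_path": "/metrics",
    "params": {
        "username": ["username"],
        "password": ["password"],
        "api_endpoint": ["/slb/virtual-server/vs1/stats",
                         "/slb/service-group/stats",
                         "/slb/virtual-server/vs1/rate"],
    },
}

CREDENTIAL_PARAMS = ("username", "password")


def scrape_urls(job: Dict[str, Any]) -> List[str]:
    """URLs Prometheus requests for this job; params are appended as a query string."""
    scheme = job.get("scheme", "http")
    path = job.get("metrics_path", "/metrics")
    query = urlencode(job.get("params", {}), doseq=True)
    urls = []
    for static in job.get("static_configs", []):
        for target in static.get("targets", []):
            urls.append(f"{scheme}://{target}{path}" + (f"?{query}" if query else ""))
    return urls


def review_job(job: Dict[str, Any]) -> List[str]:
    """Return the findings a defender would raise on this scrape job."""
    findings = []
    if job.get("scheme", "http") != "https":
        findings.append("scheme is not https: credentials and metrics travel in clear text")
    if job.get("tls_config", {}).get("insecure_skip_verify"):
        findings.append("tls_config.insecure_skip_verify is true: the ACOS certificate is "
                        "not verified, so a host impersonating the device would be accepted")
    leaked = [p for p in CREDENTIAL_PARAMS if p in job.get("params", {})]
    if leaked:
        findings.append(f"params {leaked} are sent as URL query parameters on every scrape "
                        "and can end up in proxy and web-server logs")
    return findings


def hardened_copy(job: Dict[str, Any]) -> Dict[str, Any]:
    """Same job with certificate verification on and credentials out of the URL
    (how the credentials are supplied instead is deployment-specific)."""
    fixed = {**job, "scheme": "https", "tls_config": {"insecure_skip_verify": False}}
    fixed["params"] = {k: v for k, v in job.get("params", {}).items()
                       if k not in CREDENTIAL_PARAMS}
    return fixed


if __name__ == "__main__":
    for url in scrape_urls(GUIDE_JOB):
        print("scrape:", url)
    for finding in review_job(GUIDE_JOB):
        print("finding:", finding)
    print("after hardening:", review_job(hardened_copy(GUIDE_JOB)))
```

Running it against the guide's job prints the scrape URL with the username and password visible in the query string and two findings; the hardened copy produces none, and its URL carries only the api_endpoint parameters.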

Secondary Monitoring on ACOS


The following topics are covered:

Details 229

Anomaly Detection Example 229

Details

The primary key type for ACE monitoring can be specified from the ACOS CLI. A secondary level entity can be configured to monitor each entity. Traffic anomalies can be detected using these baseline values.

Users can specify the secondary level key type from the CLI. Secondary level entities are created under the primary to help investigate the primary entity further. You can analyze which secondary entity is responsible for the anomaly. Configure using the secondary-monitor command.
vThunder(config-visibility)# monitor traffic dest
vThunder(config-visibility-monitor:traffic)# secondary-monitor service

Anomaly Detection Example

When visibility is enabled on a sample SLB SSL template:
!
visibility
  monitor Service secondary-monitor source
  granularity 1
!

If an anomaly is caused on the client side on the secondary entity, the following show output displays the secondary entity responsible for the anomaly.
ACOS# show visibility monitored-entity detail
Entity: ip 12.12.12.203
metric-name   min    max    mean   threshold  error       anomaly
Fwd pkts      126    140    133    140        2.581687    No
Rev pkts      125    140    133    140        2.637233    No
Fwd Bytes     11264  12544  11987  12544      232.692383  No
Rev bytes     14625  16380  15652  16380      308.556244  No
64B_pkt       151    168    160    168        3.108687    No
64-512B_pkt   100    112    107    112        2.109786    No
connections   25     28     26     28         0.527446    No

sec-entities
Entity: ip 12.12.12.49
metric-name   min    max    mean   threshold  error       anomaly
Fwd pkts      126    140    133    140        2.581687    No
Rev pkts      125    140    133    140        2.637233    No
Fwd Bytes     11264  12544  11987  12544      232.692383  No
Rev bytes     14625  16380  15652  16380      308.556244  No
64B_pkt       151    168    160    168        3.108687    No
64-512B_pkt   100    112    107    112        2.109786    No
connections   25     28     26     28         0.527446    No

Session Indexing
The following topics are covered:

Details 230

Known Issues or Limitations 230

CLI Configuration 231

Details

When “Session Indexing” is enabled for an application, administrators can view the sessions that are uploading data to the monitoring entities. The primary use case of “Session Indexing” is to make debugging easier for administrators.

Known Issues or Limitations

Some of the items/aspects of the feature are not addressed in this release. They will be
addressed in the subsequent release.

CLI Configuration

To enable session indexing, use the following CLI commands:
ACOS(config)# visibility
ACOS(config-visibility)# monitor traffic dest
ACOS(config-visibility-monitor:traffic)# index-sessions

To enable a per-CPU list for session indexing, use the following CLI command:
ACOS(config-visibility-monitor:traffic)# index-sessions per-cpu

To disable session indexing, use the following CLI command:
ACOS(config-visibility-monitor:traffic)# no index-sessions

To disable the per-CPU list, use the following CLI command:
ACOS(config-visibility-monitor:traffic)# no index-sessions per-cpu

Chapter 21: Gateway Health Monitoring
This chapter describes how to configure gateway health monitoring.

The following topics are covered:

Gateway Health Monitoring Overview 233

Gateway Health Monitoring Configurable Parameters 233

Configuring Gateway Health Monitoring 235

NOTE: For information about health monitoring of servers in load balancing configurations, see the “Health Monitoring” chapter in the Application Delivery Controller Guide.

Gateway Health Monitoring Overview


Gateway health monitoring uses ARP to test the availability of nexthop gateways. When the
ACOS device needs to send a packet through a gateway, the ACOS device begins sending
ARP requests to the gateway.

- If the gateway replies to any ARP request within a configurable timeout, the ACOS device forwards the packet to the gateway.
- The ARP requests are sent at a configurable interval. The ACOS device waits for a configurable timeout for a reply to any request. If the gateway does not respond to any request before the timeout expires, the ACOS device selects another gateway and begins the health monitoring process again.

The following items clarify the implementation of gateway health monitoring on your ACOS
device:

- Gateway health monitoring is useful in cases where there is more than one route to a destination. In this case, the ACOS device can discard the routes that use unresponsive gateways. If there is only one gateway, this feature is not useful.
- Gateway health monitoring and SLB server health monitoring are independent features. If a gateway fails its health check, a server reached through the gateway is not immediately marked down. The status of the server still depends on the result of the SLB server health check.
- If you plan to use gateway health as a failover trigger for VRRP-A high availability, a different configuration option is required.

NOTE: For more information, see “Dynamic Priority Reduction” in Configuring VRRP-A High Availability.

Gateway Health Monitoring Configurable Parameters


The following parameters are used for gateway health monitoring:

- Interval – The interval specifies the amount of time between health check attempts (ARP requests), and can be 1-180 seconds. The default is 5 seconds.
- Timeout – The timeout specifies how long the ACOS device waits for a reply to any of the ARP requests, and can be 1-60 seconds. The default is 15 seconds.

Using the default gateway health monitoring settings, a gateway must respond to a gateway
health check within 15 seconds. The following FIGURE 21-1 shows how a gateway health
check times out using the default settings.

NOTE: It is recommended not to use a timeout value smaller than 3 times the interval value. This is especially true for short interval values.

FIGURE 21-1: Gateway Health Check Using Default Settings – Timeout

The following FIGURE 21-2 shows an example in which a gateway responds before the
timeout.

FIGURE 21-2: Gateway Health Check Using Default Settings – Gateway Responds
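The relationship between the interval and timeout settings, including the recommendation above that the timeout be at least three times the interval, as an added Python example that is not A10 code or part of this guide. The ARP request schedule it models is an assumption drawn from the description above, and the sample show health gateway output is constructed in the layout shown later in this chapter.

```python
"""Checks for ACOS gateway health monitoring settings and a parser for the
'show health gateway' output. Added example, not A10 code."""
import re

INTERVAL_RANGE = (1, 180)   # seconds, configurable range from the guide
TIMEOUT_RANGE = (1, 60)     # seconds, configurable range from the guide
DEFAULT_INTERVAL, DEFAULT_TIMEOUT = 5, 15


def arp_probe_times(interval=DEFAULT_INTERVAL, timeout=DEFAULT_TIMEOUT):
    """Offsets (seconds) at which ARP requests go out while no reply has arrived,
    before the gateway is declared unresponsive at `timeout`.
    Model assumption: first request at 0, then one every `interval` seconds."""
    return list(range(0, timeout, interval))


def check_settings(interval, timeout):
    """Return human-readable problems with the pair; an empty list means OK."""
    problems = []
    lo, hi = INTERVAL_RANGE
    if not lo <= interval <= hi:
        problems.append(f"interval {interval}s is outside {lo}-{hi}s")
    lo, hi = TIMEOUT_RANGE
    if not lo <= timeout <= hi:
        problems.append(f"timeout {timeout}s is outside {lo}-{hi}s")
    if timeout < 3 * interval:   # the guide's recommendation
        probes = len(arp_probe_times(interval, timeout)) if interval >= 1 else 0
        problems.append(f"timeout {timeout}s is below 3x interval ({3 * interval}s): "
                        f"only {probes} ARP request(s) fit before the gateway is marked down")
    return problems


# Constructed sample, in the layout of the guide's 'show health gateway' output.
SAMPLE_SHOW = """\
Gateway health-check is enabled
Interval=5, Timeout=15
Total health-check sent : 10
Total health-check retry sent : 2
Total health-check timeout : 1
"""


def parse_show_health_gateway(text):
    """Extract the settings and counters into a dict."""
    result = {"enabled": "is enabled" in text}
    m = re.search(r"Interval=(\d+),\s*Timeout=(\d+)", text)
    if m:
        result["interval"], result["timeout"] = int(m.group(1)), int(m.group(2))
    for label, key in (("sent", "sent"), ("retry sent", "retry_sent"), ("timeout", "timeouts")):
        m = re.search(rf"Total health-check {label}\s*:\s*(\d+)", text)
        if m:
            result[key] = int(m.group(1))
    return result


def review(text):
    """Settings problems plus the fraction of health checks that timed out."""
    info = parse_show_health_gateway(text)
    if "interval" not in info:
        return info, ["interval/timeout line not found"]
    problems = check_settings(info["interval"], info["timeout"])
    if info.get("sent"):
        info["timeout_ratio"] = info.get("timeouts", 0) / info["sent"]
    return info, problems
```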


Configuring Gateway Health Monitoring


The following topics are covered:

Using the GUI to Configure Gateway Health Monitoring 235

Using the CLI to Configure Gateway Health Monitoring 235

Gateway health monitoring is disabled by default.

Using the GUI to Configure Gateway Health Monitoring

To enable gateway health monitoring from the GUI:

1. Navigate to ADC > SLB > Global.
2. Select the checkbox in the Gateway Health Check field.
3. Configure the interval and timeout values as desired.
4. Click Update.

Using the CLI to Configure Gateway Health Monitoring

To enable gateway health monitoring from the CLI, use the gateway-health-check command
at the SLB common configuration level of the CLI. The following command enables gateway
health monitoring with the default settings:


ACOS(config)# slb common
ACOS(config-common)# gateway-health-check

The following command displays gateway health monitoring statistics:


ACOS(config)# show health gateway
Gateway health-check is enabled
Interval=5, Timeout=15
Total health-check sent : 10
Total health-check retry sent : 2
Total health-check timeout : 1

Chapter 22: Multiple Port-Monitoring Mirror Ports

The following topics are covered:

Overview of Port Mirroring 238

Configuring Mirror Ports 238

Port Monitoring and Mirroring for aVCS Devices 240

Removing Mirror Port Configuration 241


Overview of Port Mirroring


Port mirroring is used to send copies of network packets (inbound, outbound, or both) from a
monitored port to a separate port for monitoring. It is commonly used for troubleshooting,
debugging, and traffic analysis.

Up to four physical Ethernet data interfaces can be configured as mirror ports.

L3V port mirroring can be based on the port and optionally, the VLAN ID.

NOTE: The port mirroring and monitoring feature is supported on all A10
Thunder Series and AX Series devices that are supported with
this software release; it is NOT supported on vThunder platforms.

- In earlier 2.7.2.x releases, this feature is supported on A10 Thunder Series and AX Series
  FTA-enabled models only.
- Since mirrored packets are handled by the switching ASIC directly, not the CPU, do not
  use the debug packet command to test packet mirroring on FTA devices.
- Instead, verify that packets are received on the neighboring devices.

Configuring Mirror Ports


To configure mirror ports, use the mirror-port command at the global configuration level.

The following commands configure four mirror ports:


ACOS(config)# mirror-port 1 ethernet 4
ACOS(config)# mirror-port 2 ethernet 7 output
ACOS(config)# mirror-port 3 ethernet 9
ACOS(config)# mirror-port 4 ethernet 3 input

The output and input parameters used in these commands must match the ones you use
when configuring the monitor port. The output parameter enables outbound traffic on the
monitored port to be copied and sent out on the mirror port. The input parameter enables
inbound traffic on the monitored port to be copied and sent out on the mirror port.

The show mirror command verifies the mirror configuration:


ACOS(config)# show mirror
Mirror Ports 1: Input = 4 Output = 4
Mirror Ports 2: Input = None Output = 7
Mirror Ports 3: Input = 9 Output = 9
Mirror Ports 4: Input = 3 Output = None

At this point, monitoring is not yet enabled on any ports. The next step is to access the
configuration level for Ethernet interface 1 and enable monitoring of its traffic. For example:

ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# monitor input 1

The following command displays the mirror configuration:


ACOS(config-if:ethernet:1)# show mirror
Mirror Ports 1: Input = 4 Output = 4
Ports monitored at ingress : 1
Mirror Ports 2: Input = None Output = 7
Mirror Ports 3: Input = 9 Output = 9
Mirror Ports 4: Input = 3 Output = None

The output now lists the monitoring configuration on port 1, which uses mirror 1.

The following commands attempt to enable monitoring of ingress traffic on port 2, using
mirror 2. However, this configuration is not valid because mirror 2 can accept egress traffic only.

ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# monitor input 2
Please configure mirror port first.

Likewise, the both option is not valid in this case:


ACOS(config-if:ethernet:2)# monitor both 2
Please configure mirror port first.

The following configuration is valid, since mirror 2 is configured to accept only the egress
traffic of monitored ports:
ACOS(config-if:ethernet:2)# monitor output 2

Here is the mirror configuration now:


ACOS(config-if:ethernet:2)# show mirror
Mirror Ports 1: Input = 4 Output = 4
Ports monitored at ingress : 1
Mirror Ports 2: Input = None Output = 7
Ports monitored at egress : 2
Mirror Ports 3: Input = 9 Output = 9
Mirror Ports 4: Input = 3 Output = None


The ingress traffic received on port 2 can be monitored, if a mirror that accepts ingress
traffic is used. In this example, mirrors 1, 3, and 4 can accept ingress traffic. The following
command configures use of mirror 4 for ingress traffic received on port 2:
ACOS(config-if:ethernet:2)# monitor input 4

The following is the mirror configuration after this change:


ACOS(config-if:ethernet:2)# show mirror
Mirror Ports 1: Input = 4 Output = 4
Ports monitored at ingress : 1
Mirror Ports 2: Input = None Output = 7
Ports monitored at egress : 2
Mirror Ports 3: Input = 9 Output = 9
Mirror Ports 4: Input = 3 Output = None
Ports monitored at ingress : 2

For brevity, this example does not show configuration of monitoring using mirror 3. Likewise,
the example does not show that a mirror can accept monitored traffic from more than one
interface, but this is supported.

Port Monitoring and Mirroring for aVCS Devices


Port mirroring and monitoring is supported in an aVCS setup. For example:
ACOS-11-Active-vMaster[1/1](config)# mirror-port 2 ethernet 13 ?
device Device
input Mirror incoming packets to this port
output Mirror outgoing packets to this port

The only distinction from the base command is that in an aVCS scenario, you must specify
the device ID.

In the monitoring mode, you can specify the device to which the Ethernet interface belongs:
ACOS-11-Active-vMaster[1/1][p1]# show mirror ?
active-vrid VRRP-A vrid
device Device
| Output modifiers

The following output displays that Ethernet 2 resides on device 1:


interface ethernet 1/2
cpu-process
monitor both 1 vlan 3


NOTE: For more information about configuring aVCS, see Configuring ACOS Virtual
Chassis Systems.

Removing Mirror Port Configuration


To properly remove mirror port configuration, you must remove both the monitor
configuration at the interface configuration level, and also the mirror-port configuration.
Removing one without the other does not completely remove the mirror port configuration and
may cause problems if you try to re-configure mirror ports at a later time.

An example of removing the monitor configuration:


ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# no monitor output 2

An example of removing the mirror port configuration:


ACOS(config)# no mirror-port 2 ethernet 7 output
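A model of the mirror-port direction rules from Configuring Mirror Ports and of the removal order described above, as an added Python example that is not A10 code or part of this guide. The refusal to drop a mirror port while an interface still monitors into it is the example's own safeguard (the CLI itself does not enforce it), and show() reproduces the layout of the show mirror output.

```python
"""Model of ACOS mirror-port / monitor direction rules and removal order.
Added example, not A10 code."""


class MirrorError(Exception):
    """Raised where the ACOS CLI rejects the command, or where this model refuses it."""


class MirrorTable:
    MAX_MIRRORS = 4   # up to four physical data interfaces can be mirror ports

    def __init__(self):
        self.mirrors = {}    # mirror id -> {"input": eth or None, "output": eth or None}
        self.monitored = {}  # (mirror id, "input"|"output") -> set of interfaces

    def mirror_port(self, mirror_id, ethernet, direction="both"):
        """'mirror-port <id> ethernet <n> [input|output]'; no keyword means both."""
        if not 1 <= mirror_id <= self.MAX_MIRRORS:
            raise MirrorError(f"mirror id must be 1-{self.MAX_MIRRORS}")
        self.mirrors[mirror_id] = {
            "input": ethernet if direction in ("input", "both") else None,
            "output": ethernet if direction in ("output", "both") else None,
        }

    def monitor(self, interface, direction, mirror_id):
        """Interface-level 'monitor {input|output|both} <mirror>'. Rejected with the
        guide's message unless the mirror accepts every requested direction."""
        needed = ("input", "output") if direction == "both" else (direction,)
        entry = self.mirrors.get(mirror_id)
        if entry is None or any(entry[d] is None for d in needed):
            raise MirrorError("Please configure mirror port first.")
        for d in needed:
            self.monitored.setdefault((mirror_id, d), set()).add(interface)

    def no_monitor(self, interface, direction, mirror_id):
        """Interface-level 'no monitor ...'."""
        needed = ("input", "output") if direction == "both" else (direction,)
        for d in needed:
            self.monitored.get((mirror_id, d), set()).discard(interface)

    def no_mirror_port(self, mirror_id):
        """'no mirror-port <id> ...'. Model-only safeguard: refuse while any interface
        still monitors into this mirror, so both halves of the config are removed."""
        still = sorted({i for (mid, _), ifcs in self.monitored.items()
                        if mid == mirror_id for i in ifcs})
        if still:
            raise MirrorError(f"remove 'monitor' on interface(s) {still} first")
        self.mirrors.pop(mirror_id, None)

    def show(self):
        """Lines in the layout of 'show mirror'."""
        lines = []
        for mid in sorted(self.mirrors):
            e = self.mirrors[mid]
            inp = "None" if e["input"] is None else e["input"]
            out = "None" if e["output"] is None else e["output"]
            lines.append(f"Mirror Ports {mid}: Input = {inp} Output = {out}")
            for d, label in (("input", "ingress"), ("output", "egress")):
                ifcs = self.monitored.get((mid, d))
                if ifcs:
                    lines.append(f"Ports monitored at {label} : "
                                 + " ".join(str(i) for i in sorted(ifcs)))
        return lines


def walkthrough():
    """Replays this chapter's CLI sequence; returns the final 'show mirror' lines."""
    t = MirrorTable()
    t.mirror_port(1, 4)
    t.mirror_port(2, 7, "output")
    t.mirror_port(3, 9)
    t.mirror_port(4, 3, "input")
    t.monitor(1, "input", 1)    # mirror 1 accepts both directions
    t.monitor(2, "output", 2)   # mirror 2 accepts egress only
    t.monitor(2, "input", 4)    # ingress of port 2 goes to mirror 4 instead
    return t.show()
```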

Chapter 23: NetFlow v9 and v10 (IPFIX)
This chapter describes how to configure NetFlow on your ACOS device.

The following topics are covered:

NetFlow Overview 243

NetFlow Versions Supported 243

NetFlow Parameters 244

Formatting of NetFlow Records for Long-Lived Sessions 246

Predefined NetFlow Templates 248

Custom IPFIX Templates 295

Configuring NetFlow 308


NetFlow Overview
An ACOS device can act as a NetFlow exporter. The NetFlow exporter (ACOS device) monitors
traffic and sends the data to one or more NetFlow collectors, where the information can be
stored and analyzed by a network administrator.

NOTE: NetFlow support for SLB does not support VCS.

FIGURE 23-1: NetFlow Architecture with an ACOS device as Exporter

CAUTION: NetFlow is a heavy user of system resources and requires additional memory,
which is equivalent to half the size of a session for each data session. When NetFlow is
enabled, the session table capacity is reduced by one-third (1/3) of its original amount.
For example, a system with a maximum of 100 sessions can only have 66 sessions.

NetFlow Versions Supported


Both NetFlow version 9 and NetFlow version 10 (IPFIX) are supported.


- NetFlow version 9 is described in RFC 3954, Cisco Systems NetFlow Services Export
  Version 9.
- NetFlow version 10 (IPFIX) is compliant with RFCs 5101 and 5102.

NOTE: The terms “NetFlow v10” and “IPFIX” are used interchangeably in
this document and in the CLI, even though they are not the same
thing. This anomaly exists for backwards compatibility.

NetFlow Parameters
On an ACOS device, you can configure up to 128 NetFlow monitors. This is a global system
maximum. If the device has multiple partitions, this maximum applies in aggregate to all the
partitions, including the shared partition.

A NetFlow monitor consists of the following protocol parameters, which can be used to
configure the ACOS device to export data in the format of NetFlow v9 or NetFlow v10 (IPFIX).
The default protocol is NetFlow v9.

- Export destination – External devices to export the collected data. You can specify the
  IP address of a single NetFlow collector, or configure a service group that comprises
  multiple collectors.
  - To achieve load balancing of NetFlow traffic among two or more collectors, they
    must be placed within the same service group.
  - If two or more NetFlow collectors are configured using only IP addresses and are
    not included in a service group, and if they are configured with the same NetFlow
    properties (record types), then NetFlow traffic will be duplicated to both places
    and the NetFlow traffic will not be load-balanced.

NOTE: NetFlow information is sent from the ACOS device through a data
port that is dynamically selected and is based upon information
in the routing table.

- Record type – Types of data to export. NetFlow exporters use the following types of
  messages to send collected data to a collector server:
  - Templates – A NetFlow template defines the set of data to be collected, and the
    order in which that information will appear in the data messages.
  - Data – NetFlow data messages contain the collected data, such as flow information.
    Packets for data messages can contain data for more than one flow.
  Each NetFlow monitor can use one or more NetFlow templates. This release includes
  some predefined NetFlow templates. (See Predefined NetFlow Templates.)
  Alternatively, instead of using a predefined NetFlow template, you may wish to create
  your own custom event template for IPFIX. (See Custom IPFIX Templates.)
- Monitoring filters – Specific type of resources to monitor. You can specify monitoring of
  the following resource:
  - Ethernet data ports – Specify the list of ports to monitor. Flow information for the
    monitored interfaces is sent to the NetFlow collector(s). By default, no filters are in
    effect. Traffic is monitored on all interfaces and Virtual Ethernet (VE) interfaces.
- Flow timeout – This is the interval for sending flow records for long-lived sessions. (For
  short-lived sessions, any flow records are sent upon termination of the session.) For
  long-lived sessions, the flow timeout default value is 10 minutes. After this amount of
  time has elapsed, the ACOS device sends any flow records to the NetFlow collector,
  even if the flow is still active. The flow timeout can be set to 0-1440 minutes. Setting
  it to 0 disables the flow timeout feature: regardless of how long-lived a flow might be,
  the ACOS device then waits until the flow has ended and the session is deleted before
  it sends any flow records for it.

NOTE: This parameter applies to the flows associated with templates listed under
“Templates for A10 Flow Records with NAT Addresses” in ACOS NetFlow Template
Types for SLB Monitoring.

NOTE: This document uses the terms “flow” and “session” interchangeably, while
acknowledging that there are subtle differences in their meaning.

- Template transmission options – The ACOS device periodically resends the NetFlow
  templates to the collector(s). The following counters control when the templates are resent:
  - Number of data records sent – This is a running counter of the total number of data
    messages that have been sent to the NetFlow collector. After the specified number
    of data records are sent, the ACOS device resends the template that describes the
    data (as a way to refresh the template). The default is 1000 records. You can
    configure the set template interval to 0-1000000 records. To disable, set this number
    to 0.
  - Number of seconds since the last time the template was sent – After the specified
    number of seconds has passed, the ACOS device resends the template to perform a
    refresh of the template on the collector. The default is 1800 seconds. You can set it
    to 0-86400 seconds. After the template is resent, this counter is set back to 0
    seconds. To disable, set this number to 0.
- Management interface – Uses the IP of the ACOS management interface, instead of the
  IP of the data interfaces, when sending traffic to the NetFlow collectors. By default, the
  ACOS device sends NetFlow traffic out through a data interface. When the Management
  Interface option is enabled, the NetFlow information is still sent via a data interface
  that is dynamically (and automatically) selected based upon the routing table, but the
  source IP of the packets will be the IP of the management port.
- Monitor state – Enabled or disabled. By default, a NetFlow monitor is enabled.

Formatting of NetFlow Records for Long-Lived Sessions


The following topics are covered:

Formatting Procedure 246

Formatting of NetFlow Records 247

Formatting Procedure

This section discusses the formatting of the “start time” and “duration” fields in NetFlow
records for long-lived sessions (typically defined as those lasting more than 10 minutes).


For each new NetFlow record created for a session on the ACOS device, the NetFlow record
will show the time that the session began as the start time. Therefore, NetFlow records sent
out for different sessions will have different start times.

However, for long-lived sessions (for example, 15 minutes), if the flow-timeout period is set to
5 minutes, then ACOS will produce three flow records for one 15-minute session. The three
flow records will each have the same start time, because the records are reporting on the
same session.

Formatting of NetFlow Records

The following example illustrates sample NetFlow records:


Duration: 318.000000000 seconds

StartTime: Feb 2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time

Duration: 674.964000000 seconds

StartTime: Feb 2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time

Duration: 1031.924000000 seconds

StartTime: Feb 2, 2015 12:35:52.341000000 Russia TZ 2 Standard Time

NOTE: The start time is the same for all three records for this one session. In addition,
the duration is not reset to zero. Instead, it is incrementally larger for each record,
since more time has elapsed when the first, second, and third records were sent.
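The record sequence above, as an added Python example that is not A10 code or part of this guide: a model of how one long-lived session yields records with the same start time and a growing duration, and of how a collector folds those records back into one session. The emission schedule (one record per flow-timeout period while the session is active, plus one when the session ends) and the sample sessions are assumptions.

```python
"""Model of ACOS NetFlow records for a long-lived session (same start time,
cumulative duration) and collector-side merging. Added example, not A10 code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    key: tuple          # flow identity, e.g. (proto, src, sport, dst, dport)
    start_ms: int       # session start; identical in every record of the session
    duration_ms: int    # elapsed time when the record was sent, never reset
    final: bool         # True for the record sent when the session is deleted


def export_records(key, start_ms, session_ms, flow_timeout_min=10):
    """Records exported for a session that lasts session_ms. Assumed schedule:
    with flow_timeout_min > 0 a record goes out every flow-timeout period while
    the session is still active; with 0 (timeout disabled) only the record sent
    when the session ends. Short sessions therefore produce a single record."""
    records = []
    if flow_timeout_min > 0:
        period_ms = flow_timeout_min * 60_000
        elapsed = period_ms
        while elapsed < session_ms:
            records.append(FlowRecord(key, start_ms, elapsed, final=False))
            elapsed += period_ms
    records.append(FlowRecord(key, start_ms, session_ms, final=True))
    return records


def merge_sessions(records):
    """Collector side: records sharing (key, start_ms) describe one session, so
    keep only the latest (largest duration). Returns {(key, start_ms): FlowRecord}."""
    sessions = {}
    for rec in records:
        sid = (rec.key, rec.start_ms)
        if sid not in sessions or rec.duration_ms > sessions[sid].duration_ms:
            sessions[sid] = rec
    return sessions


# Constructed sample: a 15-minute HTTPS session exported with flow-timeout 5,
# interleaved with a short DNS session, as a collector would receive them.
LONG_KEY = (6, "10.1.1.10", 40000, "203.0.113.7", 443)
SHORT_KEY = (17, "10.1.1.10", 53001, "10.1.1.1", 53)


def sample_collector_view():
    received = export_records(LONG_KEY, 1_000_000, 15 * 60_000, flow_timeout_min=5)
    received += export_records(SHORT_KEY, 1_000_500, 40, flow_timeout_min=5)
    return merge_sessions(received)
```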

The benefit of this method of formatting the session “start time” and “duration” fields in the
NetFlow records is that the records are joined into a single session that can be easily stored
and searched in a database. The following types of NetFlow records are described in the
following sections:

- dslite – DS-Lite Flow Record Template
- nat44 – NAT44 Flow Record Template
- nat64 – NAT64 Flow Record Template
- netflow-v5 – NetFlow V5 Flow Record Template
- netflow-v5-ext – Extended NetFlow V5 Flow Record Template, supports IPv6


Predefined NetFlow Templates


The ACOS device includes the following predefined NetFlow templates:

- SLB NetFlow Templates
- CGN NetFlow Templates
- Firewall Event Records Templates
- Supported NetFlow Templates (ADC/CGN/FW)
- Supported IPFIX Information Elements
- Log Information for Closed Sessions (CGN/FW)

SLB NetFlow Templates

The following templates can be used to monitor SLB configurations:

- Cisco NetFlow V5 record, for IPv4 (netflow-v5)
- Cisco NetFlow V5 Extended record, for IPv6 (netflow-v5-ext)

The following TABLE 23-2 includes details about the templates that are used for SLB configurations.


TABLE 23-2 : ACOS NetFlow Template Types for SLB Monitoring

netflow-v5
  Key Fields:
    - IP Protocol
    - IPv4 Source Address
    - IPv4 Destination Address
    - Source Port
    - Destination Port
  Non-Key Fields:
    - IP Source AS
    - IP Destination AS
    - IPv4 Next Hop Address
    - IPv4 Source Mask
    - IPv4 Destination Mask
    - IP ToS
    - TCP Flags
    - Interface Input
    - Interface Output
    - Counter Bytes
    - Counter Packets
    - Timestamp First Packet
    - Timestamp Last Packet

netflow-v5-ext
  Key Fields:
    - Protocol
    - IPv6 Source Address
    - IPv6 Destination Address
    - Transport Source Port
    - Transport Destination Port
  Non-Key Fields:
    - Traffic Class
    - Routing Source AS
    - Routing Destination AS
    - Routing Next-hop Address
    - IP Source Mask
    - IP Destination Mask
    - Transport TCP Flags
    - Interface Input
    - Interface Output
    - Counter Bytes
    - Counter Packets
    - Timestamp First Packet
    - Timestamp Last Packet


CGN NetFlow Templates

The following templates can be used to monitor CGN configurations:

- Templates for A10 Flow Records with NAT Addresses
- Templates for NAT Session Event Records
- Templates for NAT Port Mapping Event Records
- Templates for NAT Port Batching Event Records
- Templates for NAT Port Batching v2 Event Records

Templates for A10 Flow Records with NAT Addresses


These templates are bi-directional. One session results in one flow record.

- NAT44 (nat44)
- NAT64 (nat64)
- DS-Lite (dslite)

The following TABLE 23-3 includes details about these templates.


TABLE 23-3 : ACOS NetFlow Templates for A10 Flow Records with NAT Addresses

nat44
  Key Fields:
    - IP Protocol
    - Forward tuple partition ID
    - IPv4 Source Address
    - IPv4 Destination Address
    - Source Port
    - Destination Port
    - Flow Direction (inbound, outbound, or hairpin)
  Non-Key Fields:
    - Reverse tuple partition ID
    - IPv4 NAT source address
    - IPv4 NAT dest address
    - NAT source port
    - NAT dest port
    - Interface Input
    - Interface Output
    - Fwd Bytes
    - Fwd Packets
    - Rev Bytes
    - Rev Packets
    - Start time (msec)
    - Duration (msec)

nat64
  Key Fields:
    - IP Protocol
    - Forward tuple type
    - Forward tuple partition ID
    - IPv6 Source Address
    - IPv4 Destination Address (IPv6 in IPv4)
    - IPv6 Destination Address
    - IPv4 Destination Address
    - Source Port
    - Destination Port
    - Flow Direction (inbound, outbound, or hairpin)
  Non-Key Fields:
    - Reverse tuple type
    - Reverse tuple partition ID
    - IPv6 NAT source address (hairpin)
    - IPv4 NAT source address
    - IPv6 NAT dest address
    - IPv4 NAT dest address
    - NAT source port
    - NAT dest port
    - Interface Input
    - Interface Output
    - Fwd Bytes
    - Fwd Packets
    - Rev Bytes
    - Rev Packets
    - Start time (msec)
    - Duration (msec)

dslite
  Key Fields:
    - IP Protocol
    - Forward tuple type
    - Forward tuple partition ID
    - IPv6 Source Address
    - IPv4 Source Address
    - IPv6 Destination Address
    - IPv4 Destination Address
    - Source Port
    - Destination Port
    - Flow Direction (inbound, outbound, or hairpin)
  Non-Key Fields:
    - Reverse tuple type
    - Reverse tuple partition ID
    - IPv6 NAT source address (hairpin)
    - IPv4 NAT source address
    - IPv6 NAT dest address
    - IPv4 NAT dest address
    - NAT source port
    - NAT dest port
    - Interface Input
    - Interface Output
    - Fwd Bytes
    - Fwd Packets
    - Rev Bytes
    - Rev Packets
    - Start time (msec)
    - Duration (msec)

Templates for NAT Session Event Records


- NAT44 Session Events (sesn-event-nat44)
- NAT64 Session Events (sesn-event-nat64)
- DS-Lite Session Events (sesn-event-dslite)

The following TABLE 23-4 includes details about these templates.


TABLE 23-4 : ACOS NetFlow Template Types for NAT Event Records

sesn-event-nat44
  Key Fields:
    - IP Protocol
    - Forward tuple partition ID
    - IPv4 Source Address
    - IPv4 Destination Address
    - Source Port
    - Destination Port
    - Flow Direction (inbound, outbound, or hairpin)
  Non-Key Fields:
    - Reverse tuple partition ID
    - IPv4 NAT source address
    - IPv4 NAT dest address
    - NAT source port
    - NAT dest port
    - Start time (msec)
    - sesnEvent (Create, Delete)

sesn-event-nat64
  Key Fields:
    - IP Protocol
    - Forward tuple type
    - Forward tuple partition ID
    - IPv6 Source Address
    - IPv4 Source Address
    - IPv6 Destination Address
    - IPv4 Destination Address
    - Source Port
    - Destination Port
    - Flow Direction (inbound, outbound, or hairpin)
  Non-Key Fields:
    - Reverse tuple type
    - Reverse tuple partition ID
    - IPv6 NAT source address
    - IPv4 NAT source address
    - IPv6 NAT dest address
    - IPv4 NAT dest address
    - NAT source port
    - NAT dest port
    - Interface Input
    - Interface Output
    - Start time (msec)
    - sesnEvent (Create, Delete)

sesn-event-dslite
  Key Fields:
    - IP Protocol
    - Forward tuple type
    - Forward tuple partition ID
    - IPv6 Source Address
    - IPv4 Source Address
    - IPv6 Destination Address
    - IPv4 Destination Address
    - Source Port
    - Destination Port
    - Flow Direction (inbound, outbound, or hairpin)
  Non-Key Fields:
    - Reverse tuple type
    - Reverse tuple partition ID
    - IPv6 NAT source address
    - IPv4 NAT source address
    - IPv6 NAT dest address
    - IPv4 NAT dest address
    - NAT source port
    - NAT dest port
    - Start time (msec)
    - sesnEvent (Create, Delete)

Templates for NAT Port Mapping Event Records


- NAT44 Port Mapping (port-mapping-nat44)
- NAT64 Port Mapping (port-mapping-nat64)
- DS-Lite Port Mapping (port-mapping-dslite)

The following TABLE 23-5 includes details about NetFlow templates for port mapping event
records.

TABLE 23-5 : ACOS NetFlow Template Types for NAT Port Mapping Event Records

port-mapping-nat44
  Data Fields:
    - IP Protocol
    - IPv4 Source Address
    - Source Port
    - IPv4 NAT source address
    - NAT source port
    - timestamp (msec)
    - natEvent (Create, Delete)

port-mapping-nat64
  Data Fields:
    - IP Protocol
    - IPv6 Source Address
    - IPv4 Source Address
    - Source Port
    - IPv4 NAT source address
    - NAT source port
    - timestamp (msec)
    - natEvent (Create, Delete)

port-mapping-dslite
  Data Fields:
    - IP Protocol
    - IPv6 Source Address
    - IPv4 Source Address
    - Source Port
    - IPv4 NAT source address
    - NAT source port
    - timestamp (msec)
    - natEvent (Create, Delete)

Templates for NAT Port Batching Event Records


- NAT44 Port Batching (port-batch-nat44)
- NAT64 Port Batching (port-batch-nat64)
- DS-Lite Port Batching (port-batch-dslite)

The following TABLE 23-6 includes details about NetFlow templates for port batching event
records.


TABLE 23-6 : ACOS NetFlow Template Types for NAT Port Batching Event Records

port-batch-nat44
  Data Fields:
    - natEvent (Create, Delete)
    - IP Protocol
    - IPv4 Source Address
    - Post NAT IPv4 Source Address
    - Flow Start Milliseconds
    - Port Range Start
    - Port Range End
    - Port Range Step Size
    - Port Range Num Ports

port-batch-nat64
  Data Fields:
    - natEvent (Create, Delete)
    - IP Protocol
    - IPv6 Source Address
    - IPv4 Source Address
    - Post NAT IPv4 Source Address
    - Flow Start Milliseconds
    - Port Range Start
    - Port Range End
    - Port Range Step Size
    - Port Range Num Ports

port-batch-dslite
  Data Fields:
    - natEvent (Create, Delete)
    - IP Protocol
    - IPv6 Source Address
    - IPv4 Source Address
    - Post NAT IPv4 Source Address
    - Flow Start Milliseconds
    - Port Range Start
    - Port Range End
    - Port Range Step Size
    - Port Range Num Ports

Templates for NAT Port Batching v2 Event Records


- NAT44 Port Batching (port-batch-v2-nat44)
- NAT64 Port Batching (port-batch-v2-nat64)
- DS-Lite Port Batching (port-batch-v2-dslite)

The following TABLE 23-7 includes details about NetFlow templates for port batching event
records.

TABLE 23-7 : ACOS NetFlow Template Types for NAT Port Batching v2 Event Records

port-batch-v2-nat44
  Data Fields:
    - natEvent (Create, Delete)
    - IP Protocol
    - IPv4 Source Address
    - Post NAT IPv4 Source Address
    - Flow Start Milliseconds
    - Port Range Start
    - Port Range End

port-batch-v2-nat64
  Data Fields:
    - natEvent (Create, Delete)
    - IP Protocol
    - IPv6 Source Address
    - IPv4 Source Address
    - Post NAT IPv4 Source Address
    - Flow Start Milliseconds
    - Port Range Start
    - Port Range End

port-batch-v2-dslite
  Data Fields:
    - natEvent (Create, Delete)
    - IP Protocol
    - IPv6 Source Address
    - IPv4 Source Address
    - Post NAT IPv4 Source Address
    - Flow Start Milliseconds
    - Port Range Start
    - Port Range End

Firewall Event Records Templates

- IPv4 Firewall Session (sesn-event-fw4)
- IPv6 Firewall Session (sesn-event-fw6)

The following TABLE 23-8 includes details about NetFlow templates for IPv4 and IPv6 firewall
sessions.


TABLE 23-8 : ACOS NetFlow Template Types for IPv4 and IPv6 Firewall Sessions Event Records

sesn-event-fw4
  Data Fields:
    - sesnEvent (Create, Delete, Both)
    - IP Protocol
    - IPv4 Source Address
    - IPv4 Destination Address
    - Source Port
    - Destination Port
    - Timestamp (msec)

sesn-event-fw6
  Data Fields:
    - sesnEvent (Create, Delete, Both)
    - IP Protocol
    - IPv6 Source Address
    - IPv6 Destination Address
    - Source Port
    - Destination Port
    - Timestamp (msec)
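How a collector uses a template record to decode the data records that follow it (the Templates and Data message types described under NetFlow Parameters), as an added Python example that is not A10 code or part of this guide: it builds an IPFIX message carrying the sesn-event-fw4 template (template ID 1014 and the IANA element IDs as listed in TABLE 23-9) plus one data record, then parses the message as a collector would. Element lengths are the IANA-registered sizes, assumed here to be what ACOS exports; the sample event is constructed.

```python
"""Encode and decode an IPFIX (NetFlow v10) template set and data set for the
sesn-event-fw4 template. Added example, not A10 code: template ID 1014 and the
IANA element IDs come from TABLE 23-9 of this guide; element lengths are the
IANA-registered sizes, assumed here to be what ACOS exports."""
import socket
import struct

TEMPLATE_SET_ID = 2            # RFC 5101: set ID 2 carries template records
FW4_TEMPLATE_ID = 1014
FW4_FIELDS = [                 # (element ID, name, length in bytes)
    (4, "protocolIdentifier", 1),
    (8, "sourceIPv4Address", 4),
    (12, "destinationIPv4Address", 4),
    (7, "sourceTransportPort", 2),
    (11, "destinationTransportPort", 2),
    (152, "flowStartMilliseconds", 8),
    (233, "firewallEvent", 1),
]
NAME_BY_ID = {eid: name for eid, name, _ in FW4_FIELDS}
FIREWALL_EVENT = {1: "Create", 2: "Delete"}   # IANA firewallEvent codes

# Constructed sample session event (not captured from a device).
SAMPLE_EVENT = {
    "protocolIdentifier": 6, "sourceIPv4Address": "10.0.0.5",
    "destinationIPv4Address": "198.51.100.20", "sourceTransportPort": 51234,
    "destinationTransportPort": 443, "flowStartMilliseconds": 1632000000000,
    "firewallEvent": 1,
}

def _encode(name, value, length):
    if name.endswith("IPv4Address"):
        return socket.inet_aton(value)
    return int(value).to_bytes(length, "big")

def _decode(name, raw):
    if name.endswith("IPv4Address"):
        return socket.inet_ntoa(raw)
    value = int.from_bytes(raw, "big")
    return FIREWALL_EVENT.get(value, value) if name == "firewallEvent" else value

def build_template_set(template_id, fields):
    """Template record: template ID, field count, then (element ID, length) pairs.
    IANA elements have the enterprise bit clear, so no enterprise number follows."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", eid, ln) for eid, _, ln in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body

def build_data_set(template_id, fields, events):
    """Data set: its set ID is the template ID; records follow template order."""
    body = b"".join(_encode(n, ev[n], ln) for ev in events for _, n, ln in fields)
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def build_message(sets, export_time, sequence, domain_id=0):
    """16-byte IPFIX header (version, length, export time, sequence, domain ID)."""
    payload = b"".join(sets)
    header = struct.pack("!HHIII", 10, 16 + len(payload),
                         export_time, sequence, domain_id)
    return header + payload

def parse_message(data, templates=None):
    """Collector side: learn templates from template sets, decode data sets whose
    template is known, and list IDs of data sets that arrived before their template.
    Returns (templates, records, unknown_template_ids)."""
    templates = dict(templates or {})
    version, length = struct.unpack("!HH", data[:4])
    if version != 10 or length != len(data):
        raise ValueError("not a well-formed IPFIX message")
    records, unknown, offset = [], [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
        body, offset = data[offset + 4:offset + set_len], offset + max(set_len, 4)
        if set_id == TEMPLATE_SET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(count):
                    eid, ln = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 4
                    if eid & 0x8000:       # enterprise element: 4-byte PEN follows
                        pos += 4
                    fields.append((eid & 0x7FFF, ln))
                templates[tid] = fields
        elif set_id >= 256:                # data set
            fields = templates.get(set_id)
            if fields is None:
                unknown.append(set_id)
                continue
            rec_len, pos = sum(ln for _, ln in fields), 0
            while pos + rec_len <= len(body):
                rec = {}
                for eid, ln in fields:
                    name = NAME_BY_ID.get(eid, f"element{eid}")
                    rec[name] = _decode(name, body[pos:pos + ln])
                    pos += ln
                records.append(rec)
    return templates, records, unknown
```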

Supported NetFlow Templates (ADC/CGN/FW)

The following templates can be used to monitor configurations for ADC, CGN, and FW.
TABLE 23-9 lists the A10-supported NetFlow templates, giving for each field its IPFIX
field ID and name and whether it is a key field.


TABLE 23-9 : _A10 Supported NetFlow Templates

Template Name Fields ID Field Name Key


(ID) Fields?

nat44 (1101) l 4 l iprotocolIdentifier (ipProto) l Yes


l 33028 l fwdVNPID l Yes
l 8 l sourceIPv4Address l Yes
l 12 l destinationIPv4Address l Yes
l 7 l sourceTransportPort l Yes
l 11 l destinationTransportPort l Yes
l 61 l flowDirection l Yes
l 33029 l revVNPID
l 225 l postNATSourceIPv4Address
l 226 l postNATDestinationIPv4Address
l 227 l postNAPTsourceTransportPort
l 228 l postNAPTdestinationTransportPort
l 10 l ingressInterface
l 14 l egressInterface
l 1 l octetDeltaCount (fwdBytes)
l 2 l packetDeltaCount(fwdPackets)
l 32769 l octetDeltaCount (RevBytes)
l 32770 l RevPackets
l 6 l tcpControlBits
l 152 l flowStartMilliseconds
l 161 l flowDurationMilliseconds

261
ACOS 5.2.1-P3 System Configuration and Administration Guide
Chapter 23: NetFlow v9 and v10 (IPFIX) Feedback

Template Name Fields ID Field Name Key


(ID) Fields?

nat64 (1102) l 4 l iprotocolIdentifier (ipProto) l Yes


l 33028 l fwdVNPID l Yes
l 27 l sourceIPv6Address l Yes
l 8 l sourceIPv4Address l Yes
l 28 l destinationIPv6Address l Yes
l 12 l destinationIPv4Address l Yes
l 7 l sourceTransportPort l Yes
l 11 l destinationTransportPort l Yes
l 61 l flowDirection l Yes
l 33025 l revTupleType
l 33029 l revVNPID
l 281 l postNATSourceIPv6Address
l 225 l postNATSourceIPv4Address
l 282 l postNATDestinationIPv6Address
l 226 l postNATDestinationIPv4Address
l 227 l postNAPTsourceTransportPort
l 228 l postNAPTdestinationTransportPort
l 10 l ingressInterface
l 14 l egressInterface
l 1 l octetDeltaCount (fwdBytes)
l 2 l packetDeltaCount(fwdPackets)
l 32769 l octetDeltaCount (RevBytes)
l 32770 l RevPackets
l 6 l tcpControlBits
l 152 l flowStartMilliseconds
l 161 l flowDurationMilliseconds

262
ACOS 5.2.1-P3 System Configuration and Administration Guide
Chapter 23: NetFlow v9 and v10 (IPFIX) Feedback

Template Name Fields ID Field Name Key


(ID) Fields?

dslite (1103) l 4 l iprotocolIdentifier (ipProto) l Yes


l 33024 l fwdTupleType l Yes
l 33028 l fwdVNPID l Yes
l 27 l sourceIPv6Address l Yes
l 8 l sourceIPv4Address l Yes
l 28 l destinationIPv6Address l Yes
l 12 l destinationIPv4Address l Yes
l 7 l sourceTransportPort l Yes
l 11 l destinationTransportPort l Yes
l 61 l flowDirection l Yes
l 33025 l revTupleType
l 33029 l revVNPID
l 281 l postNATSourceIPv6Address
l 225 l postNATSourceIPv4Address
l 282 l postNATDestinationIPv6Address
l 226 l postNATDestinationIPv4Address
l 227 l postNAPTsourceTransportPort
l 228 l postNAPTdestinationTransportPort
l 10 l ingressInterface
l 14 l egressInterface
l 1 l octetDeltaCount (fwdBytes)
l 2 l packetDeltaCount(fwdPackets)
l 32769 l octetDeltaCount (RevBytes)
l 32770 l RevPackets
l 6 l tcpControlBits
l 152 l flowStartMilliseconds

263
ACOS 5.2.1-P3 System Configuration and Administration Guide
Chapter 23: NetFlow v9 and v10 (IPFIX) Feedback

Template Name Fields ID Field Name Key


(ID) Fields?

l 161 l flowDurationMilliseconds

sess-event- l 4 l protocolIdentifier (ipProto) l Yes


fw4 (1014)
l 8 l sourceIPv4Address l Yes
l 12 l destinationIPv4Address l Yes
l 7 l sourceTransportPort l Yes
l 11 l destinationTransportPort l Yes
l 152 l flowStartMilliseconds
l 233 l firewallEvent

sess-event- l 4 l protocolIdentifier (ipProto) l Yes


fw6 (1015)
l 27 l sourceIPv6Address l Yes
l 28 l destinationIPv6Address l Yes
l 7 l sourceTransportPort l Yes
l 11 l destinationTransportPort l Yes
l 152 l flowStartMilliseconds
l 233 l firewallEvent

264
ACOS 5.2.1-P3 System Configuration and Administration Guide
Chapter 23: NetFlow v9 and v10 (IPFIX) Feedback

Template Name Fields ID Field Name Key


(ID) Fields?

sesn-event-nat44 (1104)
    4        protocolIdentifier (ipProto)          Yes
    33028    fwdVNPID                              Yes
    8        sourceIPv4Address                     Yes
    12       destinationIPv4Address                Yes
    7        sourceTransportPort                   Yes
    11       destinationTransportPort              Yes
    61       flowDirection                         Yes
    33029    revVNPID
    225      postNATSourceIPv4Address
    226      postNATDestinationIPv4Address
    227      postNAPTsourceTransportPort
    228      postNAPTdestinationTransportPort
    152      flowStartMilliseconds
    230      natEvent


sesn-event-nat64 (1105)
    4        protocolIdentifier (ipProto)          Yes
    33024    fwdTupleType                          Yes
    33028    fwdVNPID                              Yes
    27       sourceIPv6Address                     Yes
    8        sourceIPv4Address                     Yes
    28       destinationIPv6Address                Yes
    12       destinationIPv4Address                Yes
    7        sourceTransportPort                   Yes
    11       destinationTransportPort              Yes
    61       flowDirection                         Yes
    33025    revTupleType
    33029    revVNPID
    281      postNATSourceIPv6Address
    225      postNATSourceIPv4Address
    282      postNATDestinationIPv6Address
    226      postNATDestinationIPv4Address
    227      postNAPTsourceTransportPort
    228      postNAPTdestinationTransportPort
    152      flowStartMilliseconds
    230      natEvent


sesn-event-dslite (1106)
    4        protocolIdentifier (ipProto)          Yes
    33024    fwdTupleType                          Yes
    33028    fwdVNPID                              Yes
    27       sourceIPv6Address                     Yes
    8        sourceIPv4Address                     Yes
    28       destinationIPv6Address                Yes
    12       destinationIPv4Address                Yes
    7        sourceTransportPort                   Yes
    11       destinationTransportPort              Yes
    61       flowDirection                         Yes
    33025    revTupleType
    33029    revVNPID
    281      postNATSourceIPv6Address
    225      postNATSourceIPv4Address
    282      postNATDestinationIPv6Address
    226      postNATDestinationIPv4Address
    227      postNAPTsourceTransportPort
    228      postNAPTdestinationTransportPort
    152      flowStartMilliseconds
    230      natEvent


port-map-nat44 (1007)
    4        protocolIdentifier (ipProto)          Yes
    8        sourceIPv4Address                     Yes
    7        sourceTransportPort                   Yes
    225      postNATSourceIPv4Address
    227      postNAPTsourceTransportPort
    152      flowStartMilliseconds
    230      natEvent

port-map-nat64 (1008)
    4        protocolIdentifier (ipProto)          Yes
    27       sourceIPv6Address                     Yes
    8        sourceIPv4Address                     Yes
    7        sourceTransportPort                   Yes
    225      postNATSourceIPv4Address
    227      postNAPTsourceTransportPort
    152      flowStartMilliseconds
    230      natEvent

port-map-dslite (1009)
    4        protocolIdentifier (ipProto)          Yes
    27       sourceIPv6Address                     Yes
    8        sourceIPv4Address                     Yes
    7        sourceTransportPort                   Yes
    225      postNATSourceIPv4Address
    227      postNAPTsourceTransportPort
    152      flowStartMilliseconds
    230      natEvent


netflow-v5 (1010)
    8        sourceIPv4Address
    12       destinationIPv4Address
    15       ipNextHopIPv4Address
    10       ingressInterface
    14       egressInterface
    2        packetDeltaCount (fwdPackets)
    1        octetDeltaCount (fwdBytes)
    22       flowStartSysUpTime
    21       flowEndSysUpTime
    7        sourceTransportPort
    11       destinationTransportPort
    6        tcpControlBits
    4        protocolIdentifier (ipProto)
    5        IpClassOfService
    16       bgpSourceAsNumber
    17       bgpDestinationAsNumber
    9        sourceIPv4PrefixLength
    13       destinationIPv4PrefixLength


netflow-v5-ext (1011)
    27       sourceIPv6Address
    28       destinationIPv6Address
    62       ipNextHopIPv6Address
    10       ingressInterface
    14       egressInterface
    2        packetDeltaCount (fwdPackets)
    1        octetDeltaCount (fwdBytes)
    22       flowStartSysUpTime
    21       flowEndSysUpTime
    7        sourceTransportPort
    11       destinationTransportPort
    6        tcpControlBits
    4        protocolIdentifier (ipProto)
    5        IpClassOfService
    16       bgpSourceAsNumber
    17       bgpDestinationAsNumber
    29       sourceIPv6PrefixLength
    30       destinationIPv6PrefixLength


port-batch-nat44 (1020)
    4        protocolIdentifier (ipProto)          Yes
    8        sourceIPv4Address                     Yes
    225      postNATSourceIPv4Address
    152      flowStartMilliseconds
    230      natEvent
    361      portRangeStart
    362      portRangeEnd
    363      portRangeStepSize
    364      portRangeNumPorts

port-batch-nat64 (1021)
    4        protocolIdentifier (ipProto)          Yes
    27       sourceIPv6Address                     Yes
    8        sourceIPv4Address                     Yes
    225      postNATSourceIPv4Address
    152      flowStartMilliseconds
    230      natEvent
    361      portRangeStart
    362      portRangeEnd
    363      portRangeStepSize
    364      portRangeNumPorts


port-batch-dslite (1022)
    4        protocolIdentifier (ipProto)          Yes
    27       sourceIPv6Address                     Yes
    8        sourceIPv4Address                     Yes
    225      postNATSourceIPv4Address
    152      flowStartMilliseconds
    230      natEvent
    361      portRangeStart
    362      portRangeEnd
    363      portRangeStepSize
    364      portRangeNumPorts

port-batch-v2-nat44 (1023)
    4        protocolIdentifier (ipProto)          Yes
    8        sourceIPv4Address                     Yes
    225      postNATSourceIPv4Address
    152      flowStartMilliseconds
    230      natEvent
    361      portRangeStart
    362      portRangeEnd

port-batch-v2-nat64 (1024)
    4        protocolIdentifier (ipProto)          Yes
    27       sourceIPv6Address                     Yes
    8        sourceIPv4Address                     Yes
    225      postNATSourceIPv4Address
    152      flowStartMilliseconds
    230      natEvent
    361      portRangeStart
    362      portRangeEnd


port-batch-v2-dslite (1025)
    4        protocolIdentifier (ipProto)          Yes
    27       sourceIPv6Address                     Yes
    8        sourceIPv4Address                     Yes
    225      postNATSourceIPv4Address
    152      flowStartMilliseconds
    230      natEvent
    361      portRangeStart
    362      portRangeEnd

Supported IPFIX Information Elements

A10 supports the following IP Flow Information Export (IPFIX) information elements. RFC5102
describes the Information Elements used in IPFIX and gives details on Information Element
naming, numbering, and data types. Information elements are the smallest units of information
in IPFIX log messages.

TABLE 23-10 lists the A10-supported information elements.


TABLE 23-10 : A10 Supported Information Elements

Each entry gives: ID | Element | Size | Data Type | Semantics, followed by the Description.

1 | octetDeltaCount (fwdBytes) | 8 bytes (4 bytes in A10*) | unsigned64 | deltaCounter
    The number of octets since the previous report (if any) in incoming packets for this Flow
    at the Observation Point. The number of octets includes IP header(s) and IP payload.
    * The standard IE size is 8 bytes, but A10's is 4 bytes. Please adjust on the collector side.

2 | packetDeltaCount (fwdPackets) | 8 bytes (4 bytes in A10*) | unsigned64 | deltaCounter
    The number of incoming packets since the previous report (if any) for this flow at the
    Observation Point.
    * The standard IE size is 8 bytes, but A10's is 4 bytes. Please adjust on the collector side.

4 | protocolIdentifier (ipProto) | 1 byte | unsigned8 | identifier
    The value of the protocol number in the IP packet header. The protocol number identifies
    the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers
    registry.
    In Internet Protocol version 4 (IPv4), this is carried in the Protocol field. In Internet
    Protocol version 6 (IPv6), this is carried in the Next Header field in the last extension
    header of the packet.

5 | IpClassOfService | 1 byte | unsigned8 | identifier
    For IPv4 packets, this is the value of the TOS field in the IPv4 packet header. For IPv6
    packets, this is the value of the Traffic Class field in the IPv6 packet header.


6 | tcpControlBits | 2 bytes | unsigned16 | flags
    TCP control bits observed for the packets of this flow. This information is encoded as a
    bit field; for each TCP control bit, there is a bit in this set. The bit is set to 1 if
    any observed packet of this flow has the corresponding TCP control bit set to 1. The bit
    is cleared to 0 otherwise.

    The values of each bit are shown below, per the definition of the bits in the TCP header
    [RFC793] [RFC3168] [RFC3540]:

     MSb                                                            LSb
      0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
    +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
    |               |           | N | C | E | U | A | P | R | S | F |
    |     Zero      |  Future   | S | W | C | R | C | S | S | Y | I |
    | (Data Offset) |    Use    |   | R | E | G | K | H | T | N | N |
    +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

    bit     flag
    value   name   description
    -------+------+-----------------------------------
    0x8000         Zero (see tcpHeaderLength)
    0x4000         Zero (see tcpHeaderLength)
    0x2000         Zero (see tcpHeaderLength)
    0x1000         Zero (see tcpHeaderLength)
    0x0800         Future Use
    0x0400         Future Use
    0x0200         Future Use
    0x0100  NS     ECN Nonce Sum
    0x0080  CWR    Congestion Window Reduced
    0x0040  ECE    ECN Echo
    0x0020  URG    Urgent Pointer field significant
    0x0010  ACK    Acknowledgment field significant
    0x0008  PSH    Push Function
    0x0004  RST    Reset the connection
    0x0002  SYN    Synchronize sequence numbers
    0x0001  FIN    No more data from sender

    As the most significant 4 bits of octets 12 and 13 (counting from zero) of the TCP header
    [RFC793] are used to encode the TCP data offset (header length), the corresponding bits in
    this Information Element MUST be exported as zero and MUST be ignored by the collector.
    Use the tcpHeaderLength Information Element to encode this value. (truncated)


7 | sourceTransportPort | 2 bytes | unsigned16 | identifier
    The source port identifier in the transport header. For the transport protocols UDP, TCP,
    and SCTP, this is the source port number given in the respective header. This field MAY
    also be used for future transport protocols that have 16-bit source port identifiers.

8 | sourceIPv4Address | 4 bytes | ipv4Address | default
    The IPv4 source address in the IP packet header.

9 | sourceIPv4PrefixLength | 1 byte | unsigned8 | --
    The number of contiguous bits that are relevant in the sourceIPv4Prefix Information
    Element.

10 | ingressInterface | 4 bytes (2 bytes in A10*) | unsigned32 | identifier
    The index of the IP interface where packets of this Flow are being received. The value
    matches the value of managed object 'ifIndex' as defined in [RFC2863]. Note that ifIndex
    values are not assigned statically to an interface and that the interfaces may be
    renumbered every time the device's management system is re-initialized, as specified in
    [RFC2863].
    * The standard IE size is 4 bytes, but A10's is 2 bytes. Please adjust on the collector side.


11 | destinationTransportPort | 2 bytes | unsigned16 | identifier
    The destination port identifier in the transport header. For the transport protocols UDP,
    TCP, and SCTP, this is the destination port number given in the respective header. This
    field MAY also be used for future transport protocols that have 16-bit destination port
    identifiers.

12 | destinationIPv4Address | 4 bytes | ipv4Address | default
    The IPv4 destination address in the IP packet header.

13 | destinationIPv4PrefixLength | 1 byte | unsigned8 | --
    The number of contiguous bits that are relevant in the destinationIPv4Prefix Information
    Element.

14 | egressInterface | 4 bytes (2 bytes in A10*) | unsigned32 | identifier
    The index of the IP interface where packets of this flow are being sent. The value matches
    the value of managed object 'ifIndex' as defined in [RFC2863]. Note that ifIndex values
    are not assigned statically to an interface and that the interfaces may be renumbered
    every time the device's management system is re-initialized, as specified in [RFC2863].
    * The standard IE size is 4 bytes, but A10's is 2 bytes. Please adjust on the collector side.


15 | ipNextHopIPv4Address | 4 bytes | ipv4Address | default
    The IPv4 address of the next IPv4 hop.

16 | bgpSourceAsNumber | 4 bytes | unsigned32 | identifier
    The autonomous system (AS) number of the source IP address. If AS path information for
    this flow is only available as an unordered AS set (and not as an ordered AS sequence),
    then the value of this Information Element is 0.

17 | bgpDestinationAsNumber | 4 bytes | unsigned32 | identifier
    The autonomous system (AS) number of the destination IP address. If AS path information
    for this flow is only available as an unordered AS set (and not as an ordered AS
    sequence), then the value of this Information Element is 0.

21 | flowEndSysUpTime | 4 bytes | unsigned32 | --
    The relative timestamp of the last packet of this flow. It indicates the number of
    milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime).
    sysUpTime can be calculated from systemInitTimeMilliseconds.


22 | flowStartSysUpTime | 4 bytes | unsigned32 | --
    The relative timestamp of the first packet of this flow. It indicates the number of
    milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime).
    sysUpTime can be calculated from systemInitTimeMilliseconds.

27 | sourceIPv6Address | 16 bytes | ipv6Address | default
    The IPv6 source address in the IP packet header.

28 | destinationIPv6Address | 16 bytes | ipv6Address | default
    The IPv6 destination address in the IP packet header.

29 | sourceIPv6PrefixLength | 1 byte | unsigned8 | --
    The number of contiguous bits that are relevant in the destinationIPv6Prefix Information
    Element.

30 | destinationIPv6PrefixLength | 1 byte | unsigned8 | --
    The number of contiguous bits that are relevant in the destinationIPv6Prefix Information
    Element.

61 | flowDirection | 1 byte | unsigned8 | identifier
    The direction of the flow observed at the Observation Point. There are only two values
    defined.

62 | ipNextHopIPv6Address | 1 byte | unsigned8 | default
    The IPv6 address of the next IPv6 hop.

82 | interfaceName(source) | 16 bytes | string | default
    A short name uniquely describing an interface, e.g., "ethernet1"


95 | applicationId | 3 bytes | octetArray | default
    The first byte identifies that the selector ID is QOSMOS defined (21). The next two bytes
    are for the QOSMOS defined ID for the application.

152 | flowStartMilliseconds | 8 bytes | dateTimeMilliseconds | default
    The absolute timestamp of the first packet of this flow.

161 | flowDurationMilliseconds | 4 bytes | unsigned32 | --
    The difference in time between the first observed packet of this flow and the last
    observed packet of this flow.

225 | postNATSourceIPv4Address | 4 bytes | ipv4Address | default
    The definition of this Information Element is identical to the definition of Information
    Element 'sourceIPv4Address', except that it reports a modified value caused by a NAT
    middlebox function after the packet passed the Observation Point.

226 | postNATDestinationIPv4Address | 4 bytes | ipv4Address | default
    The definition of this Information Element is identical to the definition of Information
    Element 'destinationIPv4Address', except that it reports a modified value caused by a NAT
    middlebox function after the packet passed the Observation Point.


227 | postNAPTsourceTransportPort | 2 bytes | unsigned16 | identifier
    The definition of this Information Element is identical to the definition of Information
    Element 'sourceTransportPort', except that it reports a modified value caused by a Network
    Address Port Translation (NAPT) middlebox function after the packet passed the Observation
    Point.

228 | postNAPTdestinationTransportPort | 2 bytes | unsigned16 | identifier
    The definition of this Information Element is identical to the definition of Information
    Element 'destinationTransportPort', except that it reports a modified value caused by a
    Network Address Port Translation (NAPT) middlebox function after the packet passed the
    Observation Point.


281 | postNATSourceIPv6Address | 16 bytes | ipv6Address | default
    The definition of this Information Element is identical to the definition of Information
    Element 'sourceIPv6Address', except that it reports a modified value caused by a NAT64
    middlebox function after the packet passed the Observation Point.
    See [RFC8200] for the definition of the Source Address field in the IPv6 header. See
    [RFC3234] for the definition of middleboxes. See [RFC6146] for the nat64 specification.

282 | postNATDestinationIPv6Address | 16 bytes | ipv6Address | default
    The definition of this Information Element is identical to the definition of Information
    Element 'destinationIPv6Address', except that it reports a modified value caused by a
    NAT64 middlebox function after the packet passed the Observation Point.
    See [RFC8200] for the definition of the Destination Address field in the IPv6 header. See
    [RFC3234] for the definition of middleboxes. See [RFC6146] for the nat64 specification.


230 | natEvent | 1 byte | unsigned8 | identifier
    This Information Element identifies a NAT event. This IE identifies the type of a NAT
    event. Examples of NAT events include, but are not limited to, NAT translation create, NAT
    translation delete, Threshold Reached, or Threshold Exceeded, etc.
    Values for this Information Element are listed in the "NAT Event Type" registry, see
    [http://www.iana.org/assignments/ipfix/ipfix.xml#ipfix-nat-event-type].
    New assignments of values will be administered by IANA and are subject to Expert Review
    [RFC8126]. Experts need to check definitions of new values for completeness, accuracy,
    and redundancy.


233 | firewallEvent | 1 byte | unsigned8 | --
    Indicates a firewall event. The allowed values are:
    0 - Ignore (invalid)
    1 - Flow Created
    2 - Flow Deleted
    3 - Flow Denied
    4 - Flow Alert
    5 - Flow Update

361 | portRangeStart | 2 bytes | unsigned16 | identifier
    The port number identifying the start of a range of ports. A value of zero indicates that
    the range start is not specified, i.e., the range is defined in some other way.

362 | portRangeEnd | 2 bytes | unsigned16 | identifier
    The port number identifying the end of a range of ports. A value of zero indicates that
    the range end is not specified, i.e., the range is defined in some other way.
    Additional information on defined TCP port numbers can be found at [IANA registry
    service-names-port-numbers].


363 | portRangeStepSize | 2 bytes | unsigned16 | identifier
    The step size in a port range. The default step size is 1, which indicates contiguous
    ports. A value of zero indicates that the step size is not specified, i.e., the range is
    defined in some other way.

364 | portRangeNumPorts | 2 bytes | unsigned16 | identifier
    The number of ports in a port range. A value of zero indicates that the number of ports is
    not specified, i.e., the range is defined in some other way.

455 | mobileIMSI | Variable (max 15 bytes) | string | default
    One of the RADIUS attributes: The International Mobile Subscription Identity (IMSI). The
    IMSI is a decimal digit string with up to a maximum of 15 ASCII/UTF-8 encoded digits
    (0x30 - 0x39).

456 | mobileMSISDN | Variable (max 15 bytes) | string | default
    One of the RADIUS attributes: The Mobile Station International Subscriber Directory Number
    (MSISDN). The MSISDN is a decimal digit string with up to a maximum of 15 ASCII/UTF-8
    encoded digits (0x30 - 0x39).

32769 (PEN:29305) | octetDeltaCount (RevBytes) | 4 bytes | unsigned64 | deltaCounter
    This is the same as octetDeltaCount, but in reverse direction.

32770 (PEN:29305) | RevPackets | 4 bytes | unsigned64 | deltaCounter
    This is the same as packetDeltaCount, but in reverse direction.


32851 (PEN:29305) | interfaceName(dest) | 16 bytes | string | default
    A short name uniquely describing an interface, e.g., "ethernet1"

33024 (PEN:40842) | fwdTupleType | 1 byte | unsigned8 | identifier
    The forward A10 tuple type.
    1: ipv4
    2: ipv6
    3: ipv6 in ipv4
    4: ipv4 in ipv6

33025 (PEN:40842) | revTupleType | 1 byte | unsigned8 | identifier
    Same as fwdTupleType, in reverse direction

33028 (PEN:40842) | fwdVNPID | 2 bytes | unsigned16 | identifier
    L3v Partition id for forward tuple

33029 (PEN:40842) | revVNPID | 2 bytes | unsigned16 | identifier
    L3v partition id for reverse tuple

33030 (PEN:40842) | mobileIMEI | Variable (max 16 bytes) | string | default
    One of the RADIUS attributes: The International Mobile Equipment Identity is a unique
    15 digit code.

33031 (PEN:40842) | Custom1 | Variable (max 31 bytes) | string | default
    One of the Custom RADIUS attributes (part of the radius configuration)


33032 (PEN:40842) | Custom2 | Variable (max 31 bytes) | string | default
    One of the Custom RADIUS attributes (part of the radius configuration)

33033 (PEN:40842) | Custom3 | Variable (max 31 bytes) | string | default
    One of the Custom RADIUS attributes (part of the radius configuration)

33034 (PEN:40842) | RuleName | Variable (max 64 bytes) | string | default
    Name of the Firewall Rule that the packet hit

33035 (PEN:40842) | RuleSetName | Variable (max 64 bytes) | string | default
    Name of the Firewall Ruleset that the packet hit

33036 (PEN:40842) | SourceZone | Variable (max 128 bytes) | String | default
    Source Zone Name

33037 (PEN:40842) | DestZone | Variable (max 128 bytes) | String | default
    Destination Zone Name


33038 (PEN:40842) | fwDenyReset | 1 byte | unsigned8 | default
    Indicates a firewall deny/reset event. The allowed values are:
    0 - Deny
    1 - Reset

33039 (PEN:40842) | flowDurationMilliseconds64 | 8 bytes | -- | default
    The difference in time between the first observed packet of this Flow and the last
    observed packet of this Flow. This IE was added to accommodate values greater than
    ff ff ff ff (4294967295 milliseconds, or 49.71026961806 days).

33040 (PEN:40842) | cgn-flow-direction | 1 byte | unsigned8 | identifier
    Flow direction: 0: inbound (to an outside interface) / 1: outbound (to an inside
    interface) / 2: hairpin (from an inside interface to an inside interface)

33041 | fw-dest-fqdn | Variable (max 128 bytes) | -- | default
    Firewall Destination FQDN string address

33042 | flow-end-reason | 1 byte | -- | identifier
    For detailed information about the A10 flow end reasons and their descriptions, see
    Terminating a Session.


33043 | flow-event | 1 byte | -- | identifier
    Indicates the following flow events:
    1 - Session Create, 2 - Session Delete, 3 - Interim Log

33044 | gtp-deny-reason | Variable (max 128 bytes) | -- | default
    Indicates the reason in the event of packet drop due to GTP policy violation.

33045 | gtp-apn | Variable (max 128 bytes) | -- | default
    Indicates the GTP Access Point Name

33046 | gtp-steid | 4 bytes | -- | default
    Indicates the GTP Source TEID

33047 | gtp-dteid | 4 bytes | -- | default
    Indicates the GTP Destination TEID

33048 | gtp-selection-mode | Variable (max 128 bytes) | -- | default
    Indicates the GTP Selection Mode

33049 | gtp-mcc | 3 bytes | -- | default
    Indicates the GTP Mobile Country Code

33050 | gtp-mnc | 3 bytes | -- | default
    Indicates the GTP Mobile Network Code

33051 | gtp-rat-type | 6 bytes | -- | default
    Indicates the GTP RAT Type

33052 | gtp-pdn-pdp-type | 6 bytes | -- | default
    Indicates the GTP PDN/PDP Type

33053 | gtp-uli | Variable (max 128 bytes) | -- | default
    Indicates the GTP User Location Information


33054 | gtp-enduser-v4-addr | 4 bytes | -- | default
    Indicates the GTP PAA IPv4 Address

33055 | gtp-enduser-v6-addr | 16 bytes | -- | default
    Indicates the GTP PAA IPv6 Address

33056 | gtp-bearer-id-or-nsapi | 1 byte | -- | default
    Indicates the EPS Bearer ID or NSAPI in GTP-C Packet

33057 | gtp-qci | 1 byte | -- | default
    Indicates the GTP QoS or Traffic Class

33058 | gtp-info-event-ind | 1 byte | -- | identifier
    Indicates the GTP INFO event 1 - upon S5 Node restart

33059 | gtp-restarted-node-ipv4 | 4 bytes | -- | default
    Indicates the Ipv4 Address of S5 Node restarted

33060 | gtp-restarted-node-ipv6 | 16 bytes | -- | default
    Indicates the Ipv6 Address of S5 Node restarted

33061 | gtp-c-tunnels-removed-with-node-restart | 4 bytes | -- | totalCounter
    Number of GTP-C tunnels deleted with Node restart
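Collector-side decoding of IE 6 (tcpControlBits) as defined in TABLE 23-10, as an added example that is not part of the A10 guide: it masks the data-offset bits the definition says must be ignored, names the flags from the bit table, and uses the union-of-flags semantics to spot flows that never completed a handshake. The sample records and the helper names are constructed for this example.

```python
"""Decode IE 6 (tcpControlBits) from IPFIX data records and classify flows.

Added example, not part of the A10 guide. The masks are the bit values listed
for IE 6 in TABLE 23-10; the 2-byte width matches the A10 templates, and the
data offset bits (0xF000) are masked off as the IE definition requires.
"""
from __future__ import annotations

TCP_CONTROL_BITS = {
    0x0100: "NS",  0x0080: "CWR", 0x0040: "ECE", 0x0020: "URG",
    0x0010: "ACK", 0x0008: "PSH", 0x0004: "RST", 0x0002: "SYN",
    0x0001: "FIN",
}
DATA_OFFSET_MASK = 0xF000   # MUST be exported as zero and ignored by the collector


def decode_tcp_control_bits(raw: bytes) -> list[str]:
    """Return the flag names set in an exported tcpControlBits field, MSb first.

    Accepts the 2-byte encoding used by the A10 templates and the 1-byte
    legacy encoding (which can only carry CWR..FIN). Raises on other widths.
    """
    if len(raw) not in (1, 2):
        raise ValueError(f"tcpControlBits must be 1 or 2 bytes, got {len(raw)}")
    value = int.from_bytes(raw, "big") & ~DATA_OFFSET_MASK & 0xFFFF
    return [name for mask, name in sorted(TCP_CONTROL_BITS.items(), reverse=True)
            if value & mask]


def classify_tcp_flow(raw: bytes) -> str:
    """Coarse state of a TCP flow from the union of flags seen on its packets.

    IE 6 sets a bit if any packet of the flow carried it, so a flow whose record
    shows SYN but never ACK did not complete a handshake; that is how blocked or
    unanswered connection attempts appear in flow data. 'reset' and 'closed'
    distinguish how flows that did exchange data ended.
    """
    flags = set(decode_tcp_control_bits(raw))
    if "SYN" in flags and "ACK" not in flags:
        return "syn-only"
    if "RST" in flags:
        return "reset"
    if "FIN" in flags:
        return "closed"
    if {"SYN", "ACK"} <= flags:
        return "established"
    return "mid-flow"   # e.g. ACK/PSH only: record covers part of a longer flow


def summarise_syn_only(records: list[dict]) -> dict[str, int]:
    """Count syn-only flows per source address over decoded records.

    Each record is a dict with 'sourceIPv4Address' (text) and 'tcpControlBits'
    (the raw exported bytes), mirroring the template field names above.
    """
    counts: dict[str, int] = {}
    for rec in records:
        if classify_tcp_flow(rec["tcpControlBits"]) == "syn-only":
            src = rec["sourceIPv4Address"]
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample records for the demonstration (not captured from a device).
SAMPLE_RECORDS = [
    {"sourceIPv4Address": "192.0.2.10", "tcpControlBits": b"\x00\x02"},  # SYN only
    {"sourceIPv4Address": "192.0.2.10", "tcpControlBits": b"\x00\x02"},  # SYN only
    {"sourceIPv4Address": "192.0.2.10", "tcpControlBits": b"\x50\x02"},  # SYN, data offset bits set
    {"sourceIPv4Address": "192.0.2.20", "tcpControlBits": b"\x00\x1b"},  # SYN|ACK|PSH|FIN
    {"sourceIPv4Address": "192.0.2.30", "tcpControlBits": b"\x00\x14"},  # ACK|RST
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["sourceIPv4Address"],
              decode_tcp_control_bits(rec["tcpControlBits"]),
              classify_tcp_flow(rec["tcpControlBits"]))
    print(summarise_syn_only(SAMPLE_RECORDS))
```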

Notes
1. Fields with a PEN (Private Enterprise Number) are not documented in NetFlow V9; however,
   we support those fields in V9 packets.
2. The PEN 40842 is for A10 Networks Inc. The fields with this PEN are A10-specific private
   definitions.
3. The PEN 29305 is publicly defined for the bidirectional flow information model (RFC 5103).
4. IE 33040 (cgn-flow-direction) is an A10-specified IE that is recommended for CGN flows to
   distinguish between inbound, outbound and hairpin traffic. The flow-direction IE (ID 61) is
   an IANA-specified IE that has only two values: inbound and outbound.
5. IE 161 (flowDurationMilliseconds) is an IANA-specified IE that records the time a
   particular session is open. This field is 4 bytes and shows the value in milliseconds, so
   the maximum value is ff ff ff ff, which corresponds to 4294967295 milliseconds or
   49.71026961806 days. A new A10-specified IE of 8 bytes has been added
   (flow-duration-msec-64, ID: 33039). Select the 32-bit IANA-specified IE or the new
   A10-defined IE based on the use case. Duration is calculated as curr - start. If the option
   below is configured, the 32-bit IE is sufficient, because the start time is then reset
   each time a NetFlow record is sent out for the session:
   ACOS(config)#netflow common ?
     reset-time-on-flow-record
       Reset session start time to current time on each flow timeout export for
       long-lasting session (default: disabled)
6. For more information about other fields, see:
   https://www.iana.org/assignments/ipfix/ipfix.xhtml.
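The collector-side adjustment that TABLE 23-10 asks for (4-byte delta counters, 2-byte interface indexes) and the PEN fields of Note 1, shown as an added example that is not A10 code: a minimal IPFIX message decoder that takes every field length from the Template Set instead of the IANA default sizes, and reads the 4-byte PEN that follows an element ID with the enterprise bit set. The template ID 400, the IE subset, and the message bytes are constructed for this example.

```python
"""Decode an IPFIX message with the field lengths the template declares.

Added example, not A10 code. A collector that hard-codes the IANA sizes for
octetDeltaCount (8 bytes) or ingressInterface (4 bytes) mis-aligns every
later field of an A10 record, which exports them as 4 and 2 bytes. IDs at or
above 32768 carry the IPFIX enterprise bit, so their template entry is
followed by the 4-byte PEN (32769 = 0x8001 is IE 1 under PEN 29305, the
reverse octet count of RFC 5103). The message below is constructed here.
"""
from __future__ import annotations
import ipaddress
import struct

# Subset of TABLE 23-10, keyed by (wire ID as listed in the guide, PEN or None).
IE_NAMES = {
    (1, None): "octetDeltaCount", (2, None): "packetDeltaCount",
    (4, None): "protocolIdentifier", (7, None): "sourceTransportPort",
    (8, None): "sourceIPv4Address", (10, None): "ingressInterface",
    (11, None): "destinationTransportPort", (12, None): "destinationIPv4Address",
    (14, None): "egressInterface", (32769, 29305): "octetDeltaCount(RevBytes)",
    (32770, 29305): "RevPackets",
}
IPV4_IES = {(8, None), (12, None)}


def parse_ipfix_message(data: bytes, templates: dict | None = None):
    """Return (templates, records) for one IPFIX (version 10) message.

    templates maps template ID -> [((wire_id, pen), length), ...] and is filled
    from any Template Set (set ID 2); records holds one dict per Data Record
    whose template is known. Options sets and unknown templates are skipped.
    """
    templates = {} if templates is None else templates
    if len(data) < 16:
        raise ValueError("short IPFIX header")
    version, msg_len = struct.unpack_from("!HH", data, 0)
    if version != 10 or msg_len > len(data):
        raise ValueError("not a complete IPFIX (version 10) message")
    records, offset = [], 16   # header: version, length, export time, sequence, domain ID
    while offset + 4 <= msg_len:
        set_id, set_len = struct.unpack_from("!HH", data, offset)
        if set_len < 4 or offset + set_len > msg_len:
            raise ValueError("bad set length")
        body = data[offset + 4:offset + set_len]
        if set_id == 2:
            _parse_template_set(body, templates)
        elif set_id >= 256 and set_id in templates:
            records.extend(_parse_data_set(body, templates[set_id]))
        offset += set_len
    return templates, records


def _parse_template_set(body: bytes, templates: dict) -> None:
    pos = 0
    while pos + 4 <= len(body):
        tmpl_id, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        fields = []
        for _ in range(count):
            wire_id, length = struct.unpack_from("!HH", body, pos)
            pos += 4
            pen = None
            if wire_id & 0x8000:            # enterprise bit set: PEN follows
                (pen,) = struct.unpack_from("!I", body, pos)
                pos += 4
            if length == 0xFFFF:
                raise NotImplementedError("variable-length IEs are not handled here")
            fields.append(((wire_id, pen), length))
        templates[tmpl_id] = fields


def _parse_data_set(body: bytes, fields: list) -> list[dict]:
    rec_len = sum(length for _, length in fields)
    records, pos = [], 0
    while rec_len and pos + rec_len <= len(body):   # trailing bytes < rec_len are padding
        rec = {}
        for key, length in fields:
            raw = body[pos:pos + length]
            pos += length
            name = IE_NAMES.get(key, f"ie{key[0]}/pen{key[1]}")
            rec[name] = (str(ipaddress.IPv4Address(raw)) if key in IPV4_IES
                         else int.from_bytes(raw, "big"))
        records.append(rec)
    return records


def build_sample_message() -> bytes:
    """Constructed message: one template using the A10 sizes, one data record."""
    fields = [(1, 4, None), (2, 4, None), (10, 2, None), (14, 2, None), (4, 1, None),
              (8, 4, None), (12, 4, None), (7, 2, None), (11, 2, None),
              (32769, 4, 29305), (32770, 4, 29305)]
    tmpl = struct.pack("!HH", 400, len(fields))     # template ID 400 chosen for the example
    for wire_id, length, pen in fields:
        tmpl += struct.pack("!HH", wire_id, length)
        if pen is not None:
            tmpl += struct.pack("!I", pen)
    rec = struct.pack("!IIHHB", 1500, 10, 3, 5, 6)   # fwd bytes/packets, ifIndexes, TCP
    rec += ipaddress.IPv4Address("192.0.2.10").packed
    rec += ipaddress.IPv4Address("198.51.100.20").packed
    rec += struct.pack("!HHII", 40000, 443, 9000, 12)   # ports, reverse bytes/packets
    sets = (struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 400, 4 + len(rec)) + rec)
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 1, 1) + sets


if __name__ == "__main__":
    _, recs = parse_ipfix_message(build_sample_message())
    print(recs[0])
```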

Log Information for Closed Sessions (CGN/FW)

The following topics are covered:

Configuring Custom Templates 293

Examples Reference 294

Terminating a Session 294

Configuring Custom Templates

You can configure custom templates to provide increased visibility into the cause of session
closure for CGN and FW. The following command option configures flow-end-reason for session
logs:
ACOS (config)#netflow template nat44
ACOS (config-template:nat44)#information-element flow-end-reason


Examples Reference
To see examples of this configuration in a template, see the following custom templates under
Sample Custom Templates:

- Example 1: For sesn-event-nat44-creation and sesn-event-nat44-deletion
- Example 2: For sesn-event-nat64-creation, sesn-event-nat64-deletion, sesn-event-dslite-creation,
  sesn-event-dslite-deletion
- Example 6: For port-mapping-nat64-creation, port-mapping-nat64-deletion,
  port-mapping-dslite-creation, port-mapping-dslite-deletion
- Example 7: For port-batch-nat44-creation, port-batch-nat44-deletion
- Example 8: For port-batch-nat64-creation, port-batch-nat64-deletion, port-batch-dslite-creation,
  port-batch-dslite-deletion
- Example 9: For port-batch-v2-nat44-creation, port-batch-v2-nat44-deletion
- Example 10: For port-batch-v2-nat64-creation, port-batch-v2-nat64-deletion,
  port-batch-v2-dslite-creation, port-batch-v2-dslite-deletion

Terminating a Session
A session can terminate for a number of reasons, as shown in the following table.

End Reason Code   Description

0x01              Indicates that the uplink subscriber session is closed on receiving a FIN.

0x02              Indicates that the DNS Session is closed on receiving a DNS Response.

0x03              Indicates that the session is closed on receiving a RADIUS Stop message for a
                  subscriber.

0x04              Indicates that the downlink subscriber session is closed on receiving a FIN.

0x05              Indicates that the uplink subscriber session is closed on receiving an RST.

0x06              Indicates that the downlink subscriber session is closed on receiving an RST.

0x07              Indicates that the session is closed due to ACOS sending a TCP RST.

0x11              Indicates that the session is closed due to idle timeout.

0x12              Indicates that the session is closed by ACOS while recovering session memory.

0x21              Indicates that the session termination is triggered by an explicit action, such
                  as clear sessions, by the system administrator.

0x22              Indicates that the session is closed to accommodate a configuration change such
                  as the removal of Fixed NAT LID or the LSN NAT IP being obsolete.

0x31              Indicates that the session closure is triggered by the configured DDoS features.

0x41              Indicates that the GTP session is closed when Delete Session Request, Delete
                  Bearer Request, or Delete PDP Context Request is received for the deletion of
                  GTP-C or GTP-U sessions.

0x42              Indicates that the handover request caused the termination of the existing GTP
                  session.

0x43              Indicates that the GTP session is closed as a result of detecting a network
                  element failure.

0x44              Indicates that the GTP-U session is deleted due to the deletion of the GTP-C
                  session.

0x45              Indicates that the GTP-C connection is deleted on receiving a retransmitted
                  Create Session Request.

Custom IPFIX Templates

Beginning with ACOS 4.1.4-P3, you can create custom event templates for IPFIX logging for GiFW. This is an additional configuration option, in addition to the pre-defined NetFlow templates.

The following topics are covered:

Overview 296

Configuration Details 297

Supported Event Types 298

Sample Custom Templates 299

Overview

Starting with 4.1.4-P3, ACOS supports creation of custom IPFIX templates, so users can
select specific Information Elements (IEs) to record.

The IPFIX protocol is used to export CGN and firewall logging information using custom templates. IPFIX (or IP Flow Information Export) is similar to NetFlow and was derived from NetFlow v9. The protocol is used to perform traffic analysis on traffic flows based on logs exported from the ACOS device and sent to a collector.

In prior releases, ACOS support for NetFlow/IPFIX consisted of a list of predefined templates for NAT44, NAT64, DSlite, firewall, and so on. These predefined (or “fixed”) templates did not support the ability to transmit information about RADIUS attributes, such as IMSI, MSISDN, and ruleset information, like rule name, rule-set name, zone information, interface information, application, and so on.

Now, users can create custom templates, allowing them to be more agile with sending flow data in a format that meets the needs and requirements of their NetFlow collector and analyzer. Users can select the specific IEs for their custom template. The release adds several new IEs, which are available in the custom templates only and not in the fixed templates.

In addition, in previous releases, firewall NetFlow records were sent only for the “permit” action. This release extends support so that NetFlow logs are also sent for “fw deny” and “fw reset” events.

This release supports the ability to create custom IPFIX templates, so you can configure the exact “Field Types” to be logged. The supported field types are documented in the following RFC:

l NetFlow v10/IPFIX (RFC 5101: https://tools.ietf.org/html/rfc5101)

For more information, see:

l The “netflow monitor” and “netflow template” commands in the ACOS 4.1.4-P3 Command Line Reference.

Configuration Details

Keep in mind the following configuration details when configuring a custom template:

l The custom template can be bound under “netflow monitor” with the supported event types. For a list, see Supported Event Types.
l Firewall logs are sent only if the “log” keyword is configured under the rule in the active ruleset.
l The config under the template cannot be modified while the template is bound. If any change is needed in the template, you must configure a new template and bind it, or you can 1) unbind the template from the netflow monitor, 2) modify the template and the template ID, and 3) bind it again.
l Once a template is modified and bound to a NetFlow monitor again, the new definition
will be sent out to the NetFlow collector.
l The template IDs need to be unique across different templates. An error message is
seen if two templates with the same template IDs are bound to any NetFlow monitor.
l Also, template IDs should not be reused for 3 times the retransmission delay. An error
message is seen when a template with such template ID is bound to a NetFlow monitor.
[RFC: Template IDs MAY be reused by Exporting Processes by exporting a new Template
for the Template ID after waiting at least 3 times the retransmission delay.]
l The criteria upon which Netflow records are differentiated:
o Source IP/port
o Observation domain (CPU id)
o Template ID
l ACOS does not currently have a way to identify which partition is used to send out the NetFlow records, and will not be able to do so unless different IPs are used to send out logs in different partitions. This is not a concern with fixed templates, since the template IDs are fixed, so there is no confusion at the collector. However, for custom templates, users must configure a unique source IP for each monitor if they want to be able to differentiate between monitors in different partitions.
l Some of the new IEs have variable-length fields. For variable-length fields, the NetFlow records will include both the length and the value, whereas the template definition will have the length as 65535, as specified in the RFC.
l If an IE is configured that is not relevant to the event type it is bound to, the field will be filled with an invalid value or 0. (IE 33028 and 33029, which correspond to the forward and reverse partition IDs, will be set to FFFF if they are not relevant to the event type. The other IEs will be set to 0 if they are not relevant to the event type.)
l For all deletion event records, intermediate logs are sent every 10 minutes for long-lived sessions. "flow-timeout" can be set to 0 under the “netflow monitor” command to disable this.
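The following is an added example (not A10's or this guide's code) of how a collector applies the rules above: it learns templates keyed by exporter source, observation domain and template ID, decodes a variable-length IE whose template length is 65535, and groups deletion records by the end-reason code families from the Terminating a Session table. The IANA IE numbers used for the fixed fields, the placeholder enterprise number, and the assumption that IE 136 carries the ACOS end-reason code are not from the guide.

```python
"""Collector-side IPFIX (RFC 5101) parser for the custom-template rules above.
Added example, not A10's code.  Assumed, not from the guide: IANA IE numbers for
the fixed fields and a placeholder enterprise number (PEN) for rule-name."""
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
VARLEN = 65535           # template length that marks a variable-length IE
PEN_PLACEHOLDER = 65535  # placeholder PEN; A10's real PEN is not on the page
# Families of ACOS end-reason codes, by high nibble of the table above.
END_REASON_FAMILY = {0x0: "protocol (FIN/RST/DNS/RADIUS)", 0x1: "timeout or memory recovery",
                     0x2: "administrative or config change", 0x3: "DDoS feature", 0x4: "GTP"}


def parse_ipfix(exporter, msg, templates):
    """Parse one IPFIX message from `exporter` ("ip:port").  Templates are learned
    into `templates` keyed by (exporter, observation domain, template ID), the three
    criteria the guide lists.  Returns data records as {(ie_id, pen): raw bytes}."""
    version, length, _time, _seq, domain = struct.unpack(">HHIII", msg[:16])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not an IPFIX v10 message of the declared length")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack(">HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            _parse_template_set(body, (exporter, domain), templates)
        elif set_id >= 256:  # data set; skipped if its template is still unknown
            fields = templates.get((exporter, domain, set_id))
            if fields is not None:
                records.extend(_parse_data_set(body, fields))
        off += set_len
    return records


def _parse_template_set(body, key, templates):
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack(">HH", body[off:off + 4])
        off, fields = off + 4, []
        for _ in range(count):
            ie, ln = struct.unpack(">HH", body[off:off + 4])
            off, pen = off + 4, 0
            if ie & 0x8000:  # enterprise bit: a 4-byte PEN follows the length
                ie &= 0x7FFF
                pen = struct.unpack(">I", body[off:off + 4])[0]
                off += 4
            fields.append((ie, pen, ln))
        templates[key + (tid,)] = fields  # a re-sent definition replaces the old one


def _parse_data_set(body, fields):
    # Shortest possible record: fixed lengths plus one length byte per varlen IE.
    min_len = sum(1 if ln == VARLEN else ln for _, _, ln in fields)
    records, off = [], 0
    while len(body) - off >= min_len:  # anything shorter is set padding
        rec = {}
        for ie, pen, ln in fields:
            if ln == VARLEN:  # the record carries the length, then the value
                ln, off = body[off], off + 1
                if ln == 255:  # 3-byte form for values of 255 bytes or more
                    ln, off = struct.unpack(">H", body[off:off + 2])[0], off + 2
            rec[(ie, pen)] = body[off:off + ln]
            off += ln
        records.append(rec)
    return records


def end_reason_family(code):
    return END_REASON_FAMILY.get(code >> 4, "unknown")


def summarize_end_reasons(records, ie=136):
    """Count records per end-reason family; IE 136 (flowEndReason) is assumed to
    carry the ACOS code.  A jump in the DDoS or memory-recovery family is the alert."""
    counts = {}
    for rec in records:
        raw = rec.get((ie, 0))
        if raw:
            fam = end_reason_family(raw[0])
            counts[fam] = counts.get(fam, 0) + 1
    return counts


def build_sample_message():
    """Constructed message: template 2001 (as in Example 1) with four fixed IANA
    IEs plus one variable-length enterprise IE, followed by two deletion records."""
    fields = [(8, 0, 4), (7, 0, 2), (4, 0, 1), (136, 0, 1),  # srcIP, srcPort, proto, endReason
              (1 | 0x8000, PEN_PLACEHOLDER, VARLEN)]          # rule-name, variable length
    tmpl = struct.pack(">HH", 2001, len(fields))
    for ie, pen, ln in fields:
        tmpl += struct.pack(">HH", ie, ln) + (struct.pack(">I", pen) if ie & 0x8000 else b"")
    tset = struct.pack(">HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl

    def rec(ip, port, reason, rule):  # values in template order
        return bytes(ip) + struct.pack(">HBB", port, 6, reason) + bytes([len(rule)]) + rule

    data = rec((10, 1, 2, 3), 40001, 0x01, b"allow-web") + rec((10, 1, 2, 4), 40002, 0x31, b"ddos-guard")
    body = tset + struct.pack(">HH", 2001, 4 + len(data)) + data
    return struct.pack(">HHIII", IPFIX_VERSION, 16 + len(body), 0, 1, 7) + body
```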

Supported Event Types

l nat44-session-creation
l nat44-session-deletion
l nat64-session-creation
l nat64-session-deletion
l dslite-session-creation
l dslite-session-deletion
l fw4-session-creation
l fw4-session-deletion
l fw6-session-creation
l fw6-session-deletion
l fw4-deny-reset
l fw6-deny-reset
l port-mapping-nat44-creation
l port-mapping-nat44-deletion
l port-mapping-nat64-creation
l port-mapping-nat64-deletion
l port-mapping-dslite-creation
l port-mapping-dslite-deletion
l port-batch-nat44-creation
l port-batch-nat44-deletion
l port-batch-nat64-creation
l port-batch-nat64-deletion
l port-batch-dslite-creation
l port-batch-dslite-deletion
l port-batch-v2-nat44-creation
l port-batch-v2-nat44-deletion
l port-batch-v2-nat64-creation
l port-batch-v2-nat64-deletion
l port-batch-v2-dslite-creation
l port-batch-v2-dslite-deletion

Sample Custom Templates

As a guideline for configuring custom templates, examples of template definitions are provided below for several different event types:

l Example 1: For sesn-event-nat44-creation and sesn-event-nat44-deletion
l Example 2: For sesn-event-nat64-creation, sesn-event-nat64-deletion, sesn-event-dslite-creation, sesn-event-dslite-deletion
l Example 3: For sesn-event-fw4-creation, sesn-event-fw4-deletion
l Example 4: For sesn-event-fw6-creation, sesn-event-fw6-deletion
l Example 5: For port-mapping-nat44-creation, port-mapping-nat44-deletion
l Example 6: For port-mapping-nat64-creation, port-mapping-nat64-deletion, port-mapping-dslite-creation, port-mapping-dslite-deletion
l Example 7: For port-batch-nat44-creation, port-batch-nat44-deletion
l Example 8: For port-batch-nat64-creation, port-batch-nat64-deletion, port-batch-dslite-creation, port-batch-dslite-deletion
l Example 9: For port-batch-v2-nat44-creation, port-batch-v2-nat44-deletion
l Example 10: For port-batch-v2-nat64-creation, port-batch-v2-nat64-deletion, port-batch-v2-dslite-creation, port-batch-v2-dslite-deletion
l Example 11: For deny-reset-event-fw4
l Example 12: For deny-reset-event-fw6

Example 1: For sesn-event-nat44-creation and sesn-event-nat44-deletion

Use the following config:
netflow template nat44
information-element ip-proto
information-element fwd-tuple-vnp-id
information-element rev-tuple-vnp-id
information-element dest-ipv4-address
information-element source-ipv4-address
information-element source-port
information-element dest-port
information-element cgn-flow-direction
information-element post-nat-source-ipv4-address
information-element post-nat-dest-ipv4-address
information-element post-nat-source-port
information-element post-nat-dest-port
information-element fwd-bytes
information-element fwd-packets
information-element rev-bytes
information-element rev-packets
information-element in-port
information-element out-port
information-element in-interface
information-element out-interface
information-element application-id
information-element rule-name
information-element rule-set-name
information-element fw-source-zone
information-element fw-dest-zone
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element nat-event
information-element flow-duration-msec-64
information-element tcp-control-bits
information-element flow-end-reason
template-id 2001
!

Example 2: For sesn-event-nat64-creation, sesn-event-nat64-deletion, sesn-event-dslite-creation, sesn-event-dslite-deletion

Use the following config:
netflow template nat64
information-element ip-proto
information-element fwd-tuple-vnp-id
information-element rev-tuple-vnp-id
information-element dest-ipv4-address
information-element source-ipv4-address
information-element source-port
information-element dest-port
information-element cgn-flow-direction
information-element post-nat-source-ipv4-address
information-element post-nat-dest-ipv4-address
information-element post-nat-source-port
information-element post-nat-dest-port
information-element fwd-bytes
information-element fwd-packets
information-element rev-bytes
information-element rev-packets
information-element in-port
information-element out-port
information-element in-interface
information-element out-interface
information-element application-id
information-element rule-name
information-element rule-set-name
information-element fw-source-zone
information-element fw-dest-zone
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element nat-event
information-element flow-duration-msec-64
information-element tcp-control-bits
information-element fwd-tuple-type
information-element rev-tuple-type
information-element post-nat-source-ipv6-address
information-element post-nat-dest-ipv6-address
information-element source-ipv6-address
information-element dest-ipv6-address
information-element flow-end-reason
template-id 2002
!

Example 3: For sesn-event-fw4-creation, sesn-event-fw4-deletion

Use the following config:
netflow template fw4
information-element ip-proto
information-element fwd-tuple-vnp-id
information-element dest-ipv4-address
information-element source-ipv4-address
information-element source-port
information-element dest-port
information-element in-port
information-element out-port
information-element in-interface
information-element out-interface
information-element application-id
information-element rule-name
information-element rule-set-name
information-element fw-source-zone
information-element fw-dest-zone
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element flow-duration-msec-64
information-element fwd-bytes
information-element fwd-packets
information-element rev-bytes
information-element rev-packets
information-element fw-event
template-id 2003
!

Example 4: For sesn-event-fw6-creation, sesn-event-fw6-deletion

Use the following config:
netflow template fw6
information-element ip-proto
information-element fwd-tuple-vnp-id
information-element source-port
information-element dest-port
information-element in-port
information-element out-port
information-element in-interface
information-element out-interface
information-element application-id
information-element rule-name
information-element rule-set-name
information-element fw-source-zone
information-element fw-dest-zone
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element flow-duration-msec-64
information-element fwd-bytes
information-element fwd-packets
information-element rev-bytes
information-element rev-packets
information-element source-ipv6-address
information-element dest-ipv6-address
information-element fw-event
template-id 2004
!

Example 5: For port-mapping-nat44-creation, port-mapping-nat44-deletion

Use the following config:
netflow template port_map44
information-element ip-proto
information-element source-ipv4-address
information-element source-port
information-element post-nat-source-port
information-element post-nat-source-ipv4-address
information-element flow-start-msec
information-element nat-event
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
template-id 2005
!

Example 6: For port-mapping-nat64-creation, port-mapping-nat64-deletion, port-mapping-dslite-creation, port-mapping-dslite-deletion

Use the following config:
netflow template port_map64
information-element ip-proto
information-element source-ipv4-address
information-element source-port
information-element post-nat-source-port
information-element post-nat-source-ipv4-address
information-element flow-start-msec
information-element nat-event
information-element source-ipv6-address
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-end-reason
template-id 2006
!

Example 7: For port-batch-nat44-creation, port-batch-nat44-deletion

Use the following config:
netflow template port_batch44
information-element ip-proto
information-element source-ipv4-address
information-element post-nat-source-ipv4-address
information-element nat-event
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element port-range-start
information-element port-range-end
information-element port-range-step-size
information-element port-range-num-ports
information-element flow-end-reason
template-id 2007
!

Example 8: For port-batch-nat64-creation, port-batch-nat64-deletion, port-batch-dslite-creation, port-batch-dslite-deletion

Use the following config:
netflow template port_batch64
information-element ip-proto
information-element source-ipv4-address
information-element post-nat-source-ipv4-address
information-element nat-event
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element port-range-start
information-element port-range-end
information-element port-range-step-size
information-element port-range-num-ports
information-element source-ipv6-address
information-element flow-end-reason
template-id 2008
!

Example 9: For port-batch-v2-nat44-creation, port-batch-v2-nat44-deletion

Use the following config:
netflow template pool_port_batch44
information-element ip-proto
information-element source-ipv4-address
information-element post-nat-source-ipv4-address
information-element nat-event
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element port-range-start
information-element port-range-end
information-element flow-end-reason
template-id 2009
!

Example 10: For port-batch-v2-nat64-creation, port-batch-v2-nat64-deletion, port-batch-v2-dslite-creation, port-batch-v2-dslite-deletion

Use the following config:
netflow template pool_port_batch64
information-element ip-proto
information-element source-ipv4-address
information-element post-nat-source-ipv4-address
information-element nat-event
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element port-range-start
information-element port-range-end
information-element source-ipv6-address
template-id 2010
!

Example 11: For deny-reset-event-fw4

Use the following config:
netflow template fw4_deny
information-element ip-proto
information-element dest-ipv4-address
information-element source-ipv4-address
information-element source-port
information-element dest-port
information-element in-port
information-element out-port
information-element in-interface
information-element out-interface
information-element application-id
information-element rule-name
information-element rule-set-name
information-element fw-source-zone
information-element fw-dest-zone
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element fw-deny-reset-event
template-id 2011
!

Example 12: For deny-reset-event-fw6

Use the following config:
netflow template fw6_deny
information-element ip-proto
information-element source-port
information-element dest-port
information-element in-port
information-element out-port
information-element in-interface
information-element out-interface
information-element application-id
information-element rule-name
information-element rule-set-name
information-element fw-source-zone
information-element fw-dest-zone
information-element radius-imsi
information-element radius-msisdn
information-element radius-imei
information-element radius-custom1
information-element radius-custom2
information-element radius-custom3
information-element flow-start-msec
information-element fw-deny-reset-event
information-element dest-ipv6-address
information-element source-ipv6-address
template-id 2012
!

Configuring NetFlow
The following topics are covered:

Overview 308

Using the GUI to Configure NetFlow 309

Using the CLI to Configure NetFlow 310

Disabling CGN Logs based on Destination Protocol and Port Criteria 313

Overview

The following is an overview of the steps needed to configure NetFlow:

1. If using multiple NetFlow collectors, create an SLB server configuration for each collector, and add the server configurations to a service group. Make sure to disable the Layer 4 health check on the UDP port.
2. Configure a NetFlow monitor. Within the monitor, specify the following:

l The destination, which can be one of the following:
o Host address, if using a single NetFlow collector
o Service-group name, if using multiple NetFlow collectors
l The record types to export. (Specify them by NetFlow template type.)
l (Optional) The Ethernet interfaces from which to collect NetFlow information. By
default, information is collected for all interfaces.
l (Optional) Adjust the flow timeout.
l (Optional) Adjust the template resend counters.
l (Optional) Adjust the maximum packet queue time.

NOTE: If you plan to use only a single NetFlow collector, you do not need to perform step 1. You can specify the NetFlow collector’s IP address when configuring the NetFlow monitor (in step 2).

Using the GUI to Configure NetFlow

To configure NetFlow using the GUI:

1. Hover over System in the navigation bar, and select Monitoring.

2. Click NetFlow on the menu bar.

3. Choose one of the following:

l Monitors to create a monitor from one of the Predefined Templates. Then choose:
o Create Netflow v9, OR
o Create IPFix
l Custom Templates to create a monitor from a Custom Event Template, and click Create.

The Create NetFlow Monitor page appears.

4. Enter a name for the NetFlow monitor in the Name field.

5. Configure the following fields and options:

l The Destination, which can be one of the following:
o Host address, if using a single NetFlow collector
o Service-group name, if using multiple NetFlow collectors
l (Optional) Adjust the flow timeout. Default is 10 minutes.
l (Optional) Adjust the number of records after which to resend the template in the Resend Template Records field. The default is 1000 records, after which the template will be re-sent to the collector and the counter will be reset to 0.
l (Optional) Adjust the timeout for resending the template in the Resend Template Timeout field. The default is 1800 seconds, after which the template is re-sent to the collector.
l (Optional) Set Source IP Use Management to Enable to use the IP address of the management port of the ACOS device as the source IP of the NetFlow packets, even when packets are sent out the data interface.
l Select the Protocol version. The default is NetFlow Version 9, but you can also select NetFlow Version 10.
l Select the record types to export. (Specify them by NetFlow template type. See Predefined NetFlow Templates for details.)

6. When finished, click Save to save your changes.

Using the CLI to Configure NetFlow

This section provides the following CLI examples for configuring NetFlow:

l CLI Example: Single Collector
l CLI Example: Multiple Collectors (SLB)
l CLI Example: Multiple Collectors (CGN)
l CLI Example: Firewall Session Event
l Disabling CGN Logs based on Destination Protocol and Port Criteria

CLI Example: Single Collector

The following commands configure NetFlow in a partition. This example uses a single NetFlow collector.
ACOS(config)# netflow monitor test
ACOS(config-netflow-monitor)# record netflow-v5
ACOS(config-netflow-monitor)# record netflow-v5-ext
ACOS(config-netflow-monitor)# destination 10.10.3.2
ACOS(config-netflow-monitor)# show netflow monitor
Netflow Monitor test
Protocol Netflow v9
Status: Enable
Filter: Global
Destination: 10.10.3.2:9996
Source IP Use MGMT: No
Flow Timeout: 60 Minutes
Resend Template Per Records: 1000
Resend Template Timeout: 1800 Seconds
Sent: 45 (Pkts) / 8360 (Bytes)
Records:
netflow-v5: 86 (records) / 0 (fails)
netflow-v5-ext: 0 (records) / 0 (fails)

CLI Example: Multiple Collectors (SLB)

The following commands configure export of NetFlow records to multiple collectors. The configuration is for an SLB partition.
ACOS(config)# slb server s1 80.1.1.108
ACOS(config-real server)# port 9996 udp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb server s2 80.1.1.109
ACOS(config-real server)# port 9996 udp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service group sg1 udp
ACOS(config-slb svc group)# member s1 9996
ACOS(config-slb svc group-member:9996)# member s2 9996
ACOS(config-slb svc group-member:9996)# exit
ACOS(config-slb svc group)# exit
ACOS(config)# netflow monitor nf1
ACOS(config-netflow-monitor)# destination service-group sg1
ACOS(config-netflow-monitor)# record netflow-v5
ACOS(config-netflow-monitor)# record netflow-v5-ext
ACOS(config-netflow-monitor)# end
ACOS#

CLI Example: Multiple Collectors (CGN)

The following commands configure export of NetFlow records to multiple collectors for a CGN partition.
ACOS(config)# cgnv6 server s1 80.1.1.108
ACOS(config-real server)# port 9996 udp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# cgnv6 server s2 80.1.1.109
ACOS(config-real server)# port 9996 udp
ACOS(config-real server-node port)# health-check-disable
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# cgnv6 service-group sg1 udp
ACOS(config-cgnv6 svc group)# member s1 9996
ACOS(config-cgnv6 svc group)# member s2 9996
ACOS(config-cgnv6 svc group)# exit
ACOS(config)# netflow monitor nf1
ACOS(config-netflow-monitor)# destination service-group sg1
ACOS(config-netflow-monitor)# record nat44
ACOS(config-netflow-monitor)# record dslite
ACOS(config-netflow-monitor)# record sesn-event-nat64 both
ACOS(config-netflow-monitor)# end
ACOS#

CLI Example: Firewall Session Event

The following commands configure export of NetFlow records for firewall session events to multiple collectors.

NOTE: In the following example, the “service-group netflow-collector” is configured prior to configuring NetFlow.
ACOS(config)# netflow monitor netflow_monitor1
ACOS(config-netflow-monitor)# record sesn-event-fw4 both
ACOS(config-netflow-monitor)# destination service-group netflow-collector
ACOS(config-netflow-monitor)# resend-template records 0
ACOS(config-netflow-monitor)# resend-template timeout 1200
ACOS(config-netflow-monitor)# end
ACOS#

NOTE: Use the both option to export both creation and deletion events. Use the creation option to export only creation events and the deletion option to export only deletion events. Use the sesn-event-fw4 option to configure an IPv4 firewall session, and the sesn-event-fw6 option to configure an IPv6 firewall session.

Disabling CGN Logs based on Destination Protocol and Port Criteria

The ACOS device can act as a NetFlow exporter. The NetFlow exporter (ACOS device) monitors traffic and sends the data to one or more NetFlow collectors, where the information can be stored and analyzed by a network administrator.

To configure a NetFlow monitor, enter the following command at the global configuration level:
ACOS(config)# netflow monitor 1
To reduce CGN logs at the logging infrastructure, ACOS lets you disable CGN logs for an application by destination protocol and port criteria. To do so, enter the following commands:
ACOS(config)# netflow monitor 1
ACOS(config-netflow-monitor)# disable-log-by-destination
ACOS(config-netflow-monitor-disable by de...)# udp port 1 to 10
ACOS(config-netflow-monitor-disable by de...)# tcp port 80
ACOS(config-netflow-monitor-disable by de...)# icmp
ACOS(config-netflow-monitor-disable by de...)# others

Chapter 24: sFlow

The following topics are covered:

sFlow Overview 315

sFlow Sampling Types 315

Information Included in sFlow Datagrams 317

sFlow Configuration 317


sFlow Overview
ACOS can act as an sFlow agent by sampling random packets and sending statistics in an
sFlow datagram to an external sFlow collector for analysis.

Some important implementation notes:

l sFlow data collection is supported only for individual Ethernet data ports and VE interfaces. Data collection cannot be performed on trunk interfaces, loopback interfaces, or on the management interface of ACOS.
l Host resource sampling is not supported.
l Application behavior sampling is not supported.
l Configuration of sFlow agent behavior using SNMP is not supported.

sFlow Sampling Types

sFlow supports two types of sampling. One type of sampling uses a time-based approach to retrieve statistics for a specific interface, while the other approach samples information from the packet header of every Nth packet.

The following topics are covered:

Details 315

Counter Polling Interval 316

Packet Sampling Rate 316

Details

l You can enable one or both sampling types on a single Ethernet data port – the sampling types are not mutually exclusive.
l The sFlow datagram includes information about the incoming interface but not the outgoing interface where sampling occurred.
l sFlow data can be exported to up to 4 sFlow collectors. This offers the benefit of redundancy, as well as the ability to send sFlow datagrams to different destinations.
l By default, the sFlow datagrams use the management IP of ACOS as the source address, but you can modify the exported sFlow datagrams to use the source address of your choice.

Counter Polling Interval

This is a counter sampling method that is based on time. Statistics for an interface are gathered periodically and sent to the sFlow collector. You can specify the time interval (frequency) with which the interface counter statistics are gathered and sent. This global configuration will apply to all interfaces where sFlow is enabled unless a more granular value is configured at the interface level. You can enter a value ranging from 1–200 seconds. By default, this interval is set to 20 seconds.

Once ACOS has sampled statistics from a target interface, the information is collected and sent in an sFlow datagram to one or more sFlow collectors. The sFlow datagrams are listed in the Received and Transmitted counter fields in show interface CLI output, or on the Network > Interface page of the GUI.

Packet Sampling Rate

This is a sampling method that is based on the number of incoming packets. This sampling rate value essentially means that one packet is sampled out of every N packets. When expressed as a ratio, the packet sampling rate looks like 1/N. You can enter a value for N (the denominator) ranging from 10–1000000 packets. By default, N is equal to 1000, meaning that one packet is sampled out of every 1000 packets arriving at that interface. This global configuration will apply to all interfaces where sFlow data is collected, unless a more granular value has been configured at the interface level.

Unlike the other time-based sampling method, which gathers counter statistics for an interface, this packet-volume sampling approach gathers data about specific packets arriving at an interface. Information is extracted from the first 128 bytes in the header of the sampled packet, beginning with the MAC header. Once ACOS has sampled packets from a specified target interface, the information is collected and sent in an sFlow datagram to one or more sFlow collectors.


Information Included in sFlow Datagrams


The following information is included in sFlow datagrams:

• Discarded packets

  Information about the discarded packets is included in the sFlow datagrams.

  For a list of Destination Unreachable codes associated with discarded packets, see section “Input/Output Port Information” in the following RFC: http://sflow.org/sflow_version_5.txt.

• Export CPU and Memory information

  CPU and memory information are included in the “Processor information” section of the exported sFlow datagram.

sFlow Configuration
The following topics are covered:

Configuring the sFlow Data Collection 317

Using the GUI to Configure sFlow 318

Using the CLI to Configure sFlow 319

sFlow Config Snippets for GUI Support 320

Other Details 321

Configuring the sFlow Data Collection

The following list summarizes the high-level steps involved in configuring the sFlow data collection feature on an ACOS device:

1. Specify the sFlow collector where data will be exported.

2. (Optional) Enable use of the management interface’s IP as the source address for outbound sFlow packets. This may be beneficial for filtering at the collector or to maintain consistency in the source address of the sFlow packets.

3. Specify the individual Ethernet data interfaces that will be sampled.

4. (Optional) Change the default data sampling rate or polling interval.

Using the GUI to Configure sFlow

1. Hover over System in the navigation bar, and select Monitoring.


2. Click sFlow on the menu bar. The sFlow update page appears.

3. Enter an IP address for the sFlow agent. By default, the management IP of ACOS is used, but you may enter a different address if desired.

NOTE: This information will appear in the Layer 4 information section of the sFlow datagram. Although the information is “textual” and is not used for routing decisions, it may be helpful in identifying which sFlow agent a particular packet came from, particularly in complex networks that have more than one sFlow agent.

4. (Optional) Enable Source IP use mgmt if you wish to use the ACOS device’s management IP as the source address for exported sFlow datagrams. This changes the source address on the sFlow datagrams but has no effect on which interface the ACOS device selects for exporting sFlow datagrams.
5. (Optional) In the Counter Polling Interval field, specify the time interval at which the
counter of interface statistics will be sampled. (See Counter Polling Interval for more
information.)
6. (Optional) In the Packet Sampling Rate field, alter the default value if desired. Smaller
numbers increase the sampling frequency, and larger numbers decrease the sampling
frequency. (See Packet Sampling Rate for more information.)
7. (Optional) In the Max Header field, specify the number of bytes, from 14-512, that
should be copied from a sampled packet.
8. (Optional) Select Enable in the CPU Usage field to enable CPU utilization monitoring.
9. (Optional) Select Enable in the Enable HTTP field to enable sFlow counter polling on
HTTP interfaces.

10. In the Collector section:


a. Select the IPv4 or IPv6 radio button for Type.
b. Enter an IPv4 or IPv6 address in the Address field, depending on which IP protocol
version was selected for Type.
c. Enter a value in the Port field. This is the port on the collector where sFlow traffic
will be sent. By default, traffic is sent to UDP port 6343.
d. Click Add to add the sFlow collector’s information.
11. To enable time-based sFlow sampling, specify polling interfaces in the Polling Ethernet
and/or Polling VE fields.
12. To enable packet volume-based sFlow sampling, specify sampling interfaces in the
Sampling Ethernet and/or Sampling VE fields.
13. Click Configure to save your changes.

Using the CLI to Configure sFlow

This section contains CLI sFlow configuration examples.

The following commands specify the sFlow collector through port 5, and enable use of the
management interface’s IP as the source IP for the data samples sent to the sFlow collector:
ACOS(config)# sflow collector ip 192.168.100.3 5
ACOS(config)# sflow setting source-ip-use-mgmt

The following command enables counter polling for several Ethernet data interfaces, and
uses the globally configured sampling rate by default:
ACOS(config)# sflow polling ethernet 1 to 8

The following command enables packet sampling for a range of Ethernet interfaces:
ACOS(config)# sflow sampling ethernet 3 to 5

The following command displays sFlow data collection statistics:


ACOS(config)# show sflow statistics
Interface Packet Sample Records Counter Sample Records
-------------------------------------------------------------------
1 3461 81
2 20801 81
3 0 81
4 0 81
5 0 81
6 0 81
7 0 81
8 0 81
9 0 81
10 0 81
11 0 81
12 0 81
-------------------------------------------------------------------
sflow total statistics
Packet sample records: 24262
Counter sample records: 972
Sflow packets sent: 16257

sFlow Config Snippets for GUI Support

To support GUI functionality, small blocks of sFlow CLI config snippets have been added to
the config beginning with ACOS 4.1.4. These sFlow snippets (below) may even appear in the
config for users who are NOT using sFlow.

NOTE: If you see the sFlow config snippets below, it is recommended that you do NOT delete them, as deleting them may block access to the statistics that the GUI needs to generate certain charts.

Starting with the 4.1.4 release, the following sFlow configuration snippets may appear in the
shared partition:
sflow setting local-collection

sflow collector ip 127.0.0.1 6343

And starting with the 4.1.4-P2 release, the following config snippet may appear in an L3V partition:
sflow collector ip 127.0.0.1 6343

The GUI requires presence of these sFlow snippets to display statistics in the charts that
appear in the Dashboards panels (for example, FW Dashboard and SSLi Dashboard).

ACOS automatically adds these snippets to provide a better user experience. The sFlow snippets enable local statistics collection, without which the charts in the GUI would appear blank.

Other Details

• These sFlow snippets are configured on a per-partition basis. If they are not already present, they will be automatically configured each time a user logs into the GUI and switches to that partition.
• If these sFlow config snippets are manually removed, they will be automatically added the next time a user logs into the GUI.
• The reason that the shared partition has one more command than the L3V is that the additional command “sflow setting local-collection” is only supported in the shared partition by design.

Network Address Translation (NAT)
This part of the document describes Network Address Translation (NAT) and how to configure it. NAT translates the source or destination IP address of a packet before forwarding the packet.

The ACOS device supports traditional, Layer 3 IP source NAT. The IP source NAT translates internal host addresses into routable addresses before sending the host’s traffic to the Internet. When reply traffic is received, the ACOS device then re-translates addresses back into internal addresses before sending the reply to the client.

The chapters in this section provide additional information about NAT features and configuration:

Configuring Dynamic NAT

Configuring Static NAT

NAT ALG Support for PPTP

Additional NAT Configuration Features

This section does not include information about NAT features for load balancing or IPv6 migration.

Chapter 25: Configuring Dynamic NAT
This chapter describes how to configure dynamic source NAT, in which internal addresses are dynamically translated into external addresses from a pool.

The following topics are covered:

Configuration Elements for Dynamic NAT 324

Configuring Dynamic IP Source NAT 325

Configuration Elements for Dynamic NAT


Dynamic NAT uses the following configuration elements:

• Access Control List (ACL) – to identify the inside host addresses to be translated
• Pool – to identify a contiguous range of external addresses into which to translate inside addresses
• Optionally, pool group – to use non-contiguous address ranges. To use a non-contiguous range of addresses, you can configure separate pools, then combine them in a pool group and map the ACL to the pool group. The addresses within an individual pool still must be contiguous, but you can have gaps between the ending address in one pool and the starting address in another pool. You also can use pools that are in different subnets.

  Pool group members must belong to the same protocol family (IPv4 or IPv6) and must use the same VRID. A pool can be a member of multiple pool groups. Up to 200 NAT pool groups are supported.

  If a pool group contains pools in different subnets, the ACOS device selects the pool that matches the outbound subnet. For example, if there are two routes to a given destination, in different subnets, and the pool group has a pool for one of those subnets, the ACOS device selects the pool that is in the subnet for the outbound route.

  The ACOS device searches the pools beginning with the first one added to the group, and selects the first match. If none of the pools are in the destination subnet, the ACOS device uses the first pool that has available addresses.
• Inside NAT setting on the interface connected to the inside host.
• Outside NAT setting on the interface connected to the Internet. Inside host addresses are translated into external addresses from a pool before the host traffic is sent to the Internet.

NOTE: The ACOS device enables you to specify the default gateway for an IP source NAT pool to use.

However, the pool’s default gateway can be used only if the data route table already has either a default route or a direct route to the destination of the NAT traffic. In this case, the pool’s default gateway will override the route, for NAT traffic that uses the pool.

If the data route table does not have a default route or a direct route to the NAT traffic destination, the pool’s default gateway can not be used. In this case, the NAT traffic can not reach its destination.

Configuring Dynamic IP Source NAT


The following topics are covered:

Details 325

Using the GUI to Configure Dynamic IP Source NAT 326

Using the CLI to Configure Dynamic IP Source NAT 328

Details

To configure dynamic source NAT:

1. Configure an Access Control List (ACL) to identify the inside addresses that need to be
translated.
2. Configure a pool of external addresses to use for translation. To use non-contiguous
ranges of addresses, configure multiple pools and add them to a pool group.
3. Enable inside source NAT and map the ACL to the pool.
4. Enable inside NAT on the interfaces connected to the inside hosts.
5. Enable outside NAT on the interfaces connected to the Internet.

NOTE: In addition, on some ACOS device models, if Layer 2 IP NAT is required, you also must enable CPU processing on the NAT interfaces. (On these models, this option will be visible at the interface configuration level.)

NOTE: When configuring a NAT pool, an interface IP address cannot be included as part of the pool if source-nat auto is configured on the device. Additionally, if an existing NAT pool already includes an IP address that is configured on one of the interfaces on the device and the source-nat auto configuration is being added, it will be rejected.

Using the GUI to Configure Dynamic IP Source NAT

To configure an access list to identify the inside addresses that need to be translated:

1. Hover over Security in the navigation bar, and select Access List from the drop-down
menu.
2. Select the access list type (Standard, Extended, IPv4 or IPv6) on the menu bar.
3. Click Create.
a. Specify an access list number.
b. Enter the values to filter for Remark. Otherwise, select Entry to select values to filter. For example, Network > Access List > Extended > Create shows the configurable fields for an Extended Access List when Entry is selected.
c. Click Create. The new access list appears in the table of configured access lists of
that type.

To configure a pool of external addresses to use for translation:

1. Hover over ADC in the navigation bar, and select IP Source NAT from the drop-down
menu.
2. Select IPv4 Pool or IPv6 Pool on the menu bar.
3. Click Create.
a. Enter a name for the pool.
b. Enter the start and end addresses.
c. Enter the network mask.
d. If the ACOS device is deployed in transparent mode, enter the default gateway to
use for NATted traffic.
e. To use session synchronization for NAT translations, select the VRID.

f. If the device is part of a Scaleout cluster configuration, specify the Scaleout device
ID.
g. Optionally, enable IP-RR. For information about this feature, see Mapping Allocation Method.
h. Click Create.

To enable inside source NAT and map the access list to the pool:

1. Hover over ADC in the navigation bar, and select IP Source NAT from the drop-down
menu.
2. Select ACL Bind on the menu bar, then select IPv4 or IPv6.
3. Click Create.
a. Select the access list number from the ACL drop-down list.
b. Select the pool name from the Pool drop-down list. For IPv4 ACL Bind, select an
IPv4 pool; for IPv6 ACL Bind, select an IPv6 pool.
c. Optionally, specify a TCP Maximum Segment Life (MSL) of 1-1800 seconds for
NATted session.
d. Click Create. The new binding appears in the table of configured access lists of
that type.

To enable inside and/or outside NAT on interfaces connected to inside hosts, the Internet or both:

1. Hover over ADC in the navigation bar, and select IP Source NAT from the drop-down
menu.
2. Select NAT Interfaces on the menu bar, then select Ethernets or Virtual Ethernets.
a. Click Edit in the Actions column for the interface.
b. To enable inside NAT on the interface, select Inside for the IPv4 Direction and/or
IPv6 Direction.
c. To enable outside NAT on the interface, select Outside for the IPv4 Direction
and/or IPv6 Direction.
d. To enable both inside and outside NAT on the interface, select Both for the IPv4 Direction and/or IPv6 Direction.

e. Click Update.
f. Repeat for each interface connected to the internal hosts, the Internet or both.

FIGURE 25-1: Network > Access List > Extended > Create

Using the CLI to Configure Dynamic IP Source NAT

The following command configures an ACL to specify the internal hosts to be NATted. In this example, all hosts in the 10.10.10.x subnet are to receive NAT service for traffic to the Internet.
ACOS(config)# access-list 1 permit 10.10.10.0 0.0.0.255

The following command configures an IPv4 pool of external addresses to use for the NAT
translations. In this example, 10.10.10.x addresses will be translated into 192.168.1.1 or
192.168.1.2:
ACOS(config)# ip nat pool pool1 192.168.1.1 192.168.1.2 netmask /24

The following command enables inside source NAT and associates the ACL with the pool:
ACOS(config)# ip nat inside source list 1 pool pool1

The following commands enable inside source NAT on the interface connected to the internal
hosts:
ACOS(config)# interface ethernet 4
ACOS(config-if:ethernet:4)# ip nat inside
ACOS(config-if:ethernet:4)# exit

The following commands enable outside source NAT on the interface connected to the external hosts:
ACOS(config)# interface ethernet 6
ACOS(config-if:ethernet:6)# ip nat outside

Chapter 26: Configuring Static NAT
This chapter describes how to configure static source NAT, in which internal addresses are
explicitly mapped to external addresses.

The following topics are covered:

Configuration Elements for Static NAT 331

Configuring Static IP Source NAT 331

Support for Inter-Partition Static NAT and Overlapping IP Addresses 333

Configuration Elements for Static NAT


Static NAT uses the following configuration elements:

• Static mappings or an address range list – A static mapping is a one-to-one mapping of an inside address to an external address. An address range list is a contiguous range of inside addresses and external addresses to translate them into.
• Inside NAT setting on the interface connected to the inside host.
• Outside NAT setting on the interface connected to the Internet. Inside host addresses are translated into external addresses from a static mapping or a range list before the host traffic is sent to the Internet.

Configuring Static IP Source NAT


The following topics are covered:

Details 331

Using the GUI to Configure Static IP Source NAT 331

Using the CLI to Configure Static IP Source NAT 333

Details

You can configure individual static source NAT mappings or configure a range of static mappings.

After configuring the static source NAT mappings, do the following:

• Enable inside NAT on the interfaces connected to the inside hosts.
• Enable outside NAT on the interfaces connected to the Internet.

Using the GUI to Configure Static IP Source NAT

To configure an individual static source NAT mapping:

1. Hover over ADC in the navigation bar and select IP Source NAT.
2. Select Static NAT on the menu bar.
3. Click Create.
a. Enter the external address into which to translate the inside host address.
b. Enter the inside host address to be translated.
c. To apply VRRP-A to the address, select the VRID.
d. Click Create.

To configure the static translations of a range of internal host addresses to external addresses:

1. Hover over ADC in the navigation bar and select IP Source NAT.
2. Select NAT Range on the menu bar.
3. Click Create.
a. Enter a name for the range.
b. Select the address type (IPv4 or IPv6).
c. In the Local IP Address field, enter the first (lowest numbered) address in the range
of inside host addresses to be translated.
d. In the Local Netmask field, enter the network mask in the range of inside host
addresses.
e. In the Global IP Address field, enter the first (lowest numbered) address in the
range of external addresses to which to translate the inside host addresses.
f. In the Global Netmask field, enter the network mask in the range of external
addresses to which to translate the inside host addresses.
g. In the Count field, enter the number of addresses to be translated.
h. To apply VRRP-A to the addresses, select the VRID group.
i. Click Create.

To enable inside and/or outside NAT on interfaces connected to inside hosts, the Internet or both:

1. Hover over ADC in the navigation bar and select IP Source NAT.
2. Select NAT Interfaces on the menu bar, then select the interface type from the drop-
down list.
3. Click Edit in the Actions column for the interface.
a. To enable inside NAT on the interface, select Inside for the IPv4 Direction and/or
IPv6 Direction.
b. To enable outside NAT on the interface, select Outside for the IPv4 Direction and/or
IPv6 Direction.
c. To enable both inside and outside NAT on the interface, select Both for the IPv4 Dir-
ection and/or IPv6 Direction.
d. Click Update.
e. Repeat for each interface connected to the internal hosts, the Internet or both.

Using the CLI to Configure Static IP Source NAT

The following commands enable static NAT, configure an IP address range named “nat-list-1”
that maps up to 100 local addresses starting from 10.10.10.97 to Internet addresses starting
from 192.168.22.50, set Ethernet interface 2 as the inside NAT interface, and set Ethernet
interface 4 as the outside NAT interface.
ACOS(config)# ip nat range-list nat-list-1 10.10.10.97 /16 192.168.22.50 /16 count 100
ACOS(config)# interface ethernet 2
ACOS(config-if:ethernet:2)# ip nat inside
ACOS(config-if:ethernet:2)# exit
ACOS(config)# interface ethernet 4
ACOS(config-if:ethernet:4)# ip nat outside

Support for Inter-Partition Static NAT and Overlapping IP Addresses

ACOS release 4.1.0 provides support for inter-partition routing with static NAT, similar to inter-partition routing for fixed NAT.

NOTE: For more information on L3V Inter-partition Routing for Fixed-NAT, see the IPv4-to-IPv6 Transition Solutions Guide.

To accomplish this, configure a static route in the private partitions pointing to the shared
partition. This enables static NAT traffic to be routed from private partitions to the shared
partition.

The cgnv6 nat range-list and cgnv6 nat inside source CLI commands are enhanced to configure this feature:
cgnv6 nat range-list list_name inside_start_address inside_netmask partition inside_partition_name nat_start_address nat_netmask count num

cgnv6 nat inside source static source_address partition inside_partition_name nat_ip_address [vrid vrid_num]

The partition inside_partition_name parameter is introduced to these existing commands.

This feature also adds support for overlapping addresses in the private partitions. For
example – 10.10.10.1 from private partition P1 can be mapped to a NAT address 20.20.20.1 and
10.10.10.1 from private partition P2 can be mapped to a NAT address 20.20.20.2.

Chapter 27: NAT ALG Support for PPTP
This chapter describes NAT Application Layer Gateway (ALG) support for the Point-to-Point
Tunneling Protocol (PPTP):

The following topics are covered:

Overview of NAT ALG Support for PPTP 336

Configuring NAT ALG Support for PPTP 337

Overview of NAT ALG Support for PPTP


NAT Application Layer Gateway (ALG) support for the Point-to-Point Tunneling Protocol
(PPTP) enables clients and servers to exchange Point-to-Point (PPP) traffic through the ACOS
device over a Generic Routing Encapsulation (GRE) tunnel.

PPTP is used to connect Microsoft Virtual Private Network (VPN) clients and VPN hosts. The
following FIGURE 27-1 shows an example.

FIGURE 27-1: NAT ALG for PPTP

The ACOS device is deployed between PPTP clients and the VPN server (VPN Server using
PPTP). The ACOS device interface connected to the PPTP clients is enabled for inside source
NAT. The ACOS device interface connected to the VPN server is enabled for outside source
NAT.

Each client runs a PPTP Network Server (PNS). To set up a VPN session, the PNS sends an Outgoing-Call-Request to the PPTP Access Concentrator (PAC), which is the VPN server. The destination TCP port is the PPTP port (1723 by default). The request includes a Call ID that the PNS chooses.

Because multiple clients may share the same NAT address, the ACOS device must ensure that clients do not share the same Call ID as well. Therefore, the ACOS device assigns to each client a NAT Call ID (analogous to a NAT source port for TCP) and modifies the Outgoing-Call-Request to use the NAT Call ID instead.

The PAC replies to the Outgoing-Call-Request with a Call ID of its own. This is like a TCP destination port. The ACOS device does not change the PAC’s Call ID. The PAC then assigns to the client an IP address belonging to the VPN subnet.

On the ACOS device, the GRE session is created after the PAC sends its reply. In the GRE session, the Call ID is used as the Layer 4 port, instead of a TCP/UDP port number.

In the NAT ALG for PPTP example (FIGURE 27-1), client (PNS) 10.1.1.1 wants to connect to a VPN through the VPN Server (PAC) 10.3.3.2, which is using PPTP. Client 10.1.1.1 establishes a PPTP control session (on port 1723) with 10.3.3.2. When the client sends the Outgoing-Call-Request over that TCP session with its desired Call ID, the ACOS device will translate the Call ID into a unique Call ID for NAT. Once the VPN server replies with its own Call ID, the ACOS device will establish the GRE session.

After the Call IDs are exchanged, the client and server encapsulate VPN subnet traffic in a GRE tunnel. The GRE tunnel packets are sent under normal IP between 10.1.1.1 and 10.3.3.2. A GRE packet for PPTP uses a Call ID in the same way as a TCP or UDP destination port. Therefore, GRE packets from the server (10.3.3.2) will use the NAT Call ID. The ACOS device translates the NAT Call ID back into the client’s original Call ID before sending the packet to the client.

NOTE: One GRE session is supported per control session, which means
one call at a time is supported. In practice, PPTP is used only for
VPNs, in which case multiple concurrent calls do not occur.

Configuring NAT ALG Support for PPTP


To configure an ACOS device to support NAT ALG for PPTP:

• Configure dynamic IP source NAT:
  ◦ Configure an ACL that matches on the PPTP client subnet(s).
  ◦ Configure an IP source NAT pool that contains the range of IP addresses into which to translate client addresses.
  ◦ Configure an inside source NAT list, using the ACL and pool.
  ◦ Enable inside IP source NAT on the ACOS device interface connected to the VPN clients.
  ◦ Enable outside IP source NAT on the ACOS device interface connected to the VPN server.
• If NAT ALG support for PPTP is disabled, enable it. (The feature is enabled by default.)

NOTE: In the current release, NAT ALG support for PPTP is not supported
with static NAT or NAT range lists.

The following example implements the NAT ALG for PPTP configuration shown in FIGURE 27-1, NAT ALG for PPTP.

The following commands configure dynamic inside source NAT.


ACOS(config)# access-list 1 permit 10.1.1.0 0.0.0.255
ACOS(config)# ip nat pool pptp-pool 192.168.1.100 192.168.1.110 netmask /24
ACOS(config)# ip nat inside source list 1 pool pptp-pool

The following commands specify the inside NAT interface and the outside NAT interface.
ACOS(config)# interface ethernet 1
ACOS(config-if:ethernet:1)# ip address 10.2.2.254 255.255.255.0
ACOS(config-if:ethernet:1)# ip nat inside
ACOS(config-if:ethernet:1)# interface ethernet 2
ACOS(config-if:ethernet:2)# ip address 10.3.3.254 255.255.255.0
ACOS(config-if:ethernet:2)# ip nat outside

The following command displays session information:


ACOS(config-if:ethernet:2)# show session
Prot Forward Source Forward Dest Reverse Source Reverse Dest Age Hash
-----------------------------------------------------------------------------------------------------------
Gre 10.1.1.1:49152 10.3.3.2:32799 10.3.3.2:32799 192.168.1.100:2109 240 1
Tcp 10.1.1.1:2301 10.3.3.2:1723 10.3.3.2:1723 192.168.1.100:2109 240 2

This example shows the GRE session and the TCP session over which the GRE session is transported. For the GRE session, the number following each IP address is the PPTP Call ID. For the TCP session, the number is the TCP protocol port.
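The Call ID translation described in the overview above, and the session mapping shown in the show session output, modelled as an added Python example (not ACOS code). Message layouts follow RFC 2637; the addresses and Call IDs (10.1.1.1, 10.3.3.2, 192.168.1.100, 49152, 32799, 2109) are taken from the show session output, while the second client 10.1.1.2 and the handling of the Peer's Call ID field in the Outgoing-Call-Reply are assumptions of this model.

```python
# Added example, not ACOS code: a model of the PPTP NAT ALG Call ID translation.
# Layouts follow RFC 2637; the second client (10.1.1.2) is a constructed input.
import struct

PPTP_MAGIC = 0x1A2B3C4D
CTRL_MESSAGE = 1
OUTGOING_CALL_REQUEST = 7
OUTGOING_CALL_REPLY = 8
GRE_PROTO_PPP = 0x880B


class PptpNatAlg:
    """One NAT address; each inside caller gets its own NAT Call ID, the way a
    NAT source port keeps TCP sessions behind one address apart."""
    def __init__(self, nat_ip, first_nat_call_id=2109):
        self.nat_ip = nat_ip
        self._next = first_nat_call_id
        self.fwd = {}  # (client_ip, client_call_id) -> nat_call_id
        self.rev = {}  # nat_call_id -> (client_ip, client_call_id)

    def _allocate(self):
        for _ in range(65536):
            cid = self._next
            self._next = (self._next + 1) & 0xFFFF or 1
            if cid not in self.rev:
                return cid
        raise RuntimeError("no free NAT Call IDs")

    @staticmethod
    def _ctrl_type(msg):
        length, mtype, cookie, ctype = struct.unpack_from("!HHIH", msg, 0)
        if mtype != CTRL_MESSAGE or cookie != PPTP_MAGIC or length != len(msg):
            raise ValueError("not a PPTP control message")
        return ctype

    def client_to_server(self, client_ip, msg):
        """Outgoing-Call-Request from a PNS: rewrite its Call ID (offset 12)."""
        if self._ctrl_type(msg) != OUTGOING_CALL_REQUEST:
            return msg
        (call_id,) = struct.unpack_from("!H", msg, 12)
        key = (client_ip, call_id)
        if key not in self.fwd:
            self.fwd[key] = self._allocate()
            self.rev[self.fwd[key]] = key
        return msg[:12] + struct.pack("!H", self.fwd[key]) + msg[14:]

    def server_to_client(self, msg):
        """Outgoing-Call-Reply from the PAC: its Call ID (offset 12) is left as
        is; the Peer's Call ID (offset 14) is mapped back to the client's value."""
        if self._ctrl_type(msg) != OUTGOING_CALL_REPLY:
            return None, msg
        (nat_id,) = struct.unpack_from("!H", msg, 14)
        client_ip, client_id = self.rev[nat_id]
        return client_ip, msg[:14] + struct.pack("!H", client_id) + msg[16:]

    def gre_from_server(self, pkt):
        """GRE data from the PAC carries the NAT Call ID in the GRE Key field
        (offset 6); translate it back and pick the client it belongs to."""
        flags, proto = struct.unpack_from("!HH", pkt, 0)
        if proto != GRE_PROTO_PPP or not flags & 0x2000 or flags & 0x7 != 1:
            raise ValueError("not an enhanced GRE (PPTP) packet")
        (nat_id,) = struct.unpack_from("!H", pkt, 6)
        if nat_id not in self.rev:
            raise KeyError("No Matching GRE Session")  # the ALG counter's case
        client_ip, client_id = self.rev[nat_id]
        return client_ip, pkt[:6] + struct.pack("!H", client_id) + pkt[8:]


def outgoing_call_request(call_id):
    """168-byte Outgoing-Call-Request (RFC 2637 2.7); phone fields zeroed."""
    fixed = struct.pack("!HHIHHHHIIIIHHHH", 168, CTRL_MESSAGE, PPTP_MAGIC,
                        OUTGOING_CALL_REQUEST, 0, call_id, 1, 300, 100000000,
                        3, 3, 64, 0, 0, 0)
    return fixed + bytes(128)


def outgoing_call_reply(pac_call_id, peer_call_id):
    """32-byte Outgoing-Call-Reply (RFC 2637 2.8); result code 1 = connected."""
    return struct.pack("!HHIHHHHBBHIHHI", 32, CTRL_MESSAGE, PPTP_MAGIC,
                       OUTGOING_CALL_REPLY, 0, pac_call_id, peer_call_id,
                       1, 0, 0, 100000000, 64, 0, 0)


def gre_ppp(call_id, payload, seq=1, ack=0):
    """Enhanced GRE header: K, S and A flags set, version 1, proto 0x880B."""
    return struct.pack("!HHHHII", 0x3081, GRE_PROTO_PPP, len(payload),
                       call_id, seq, ack) + payload


def demo():
    """Two clients behind 192.168.1.100 both pick Call ID 49152."""
    alg = PptpNatAlg("192.168.1.100")
    req1 = alg.client_to_server("10.1.1.1", outgoing_call_request(49152))
    req2 = alg.client_to_server("10.1.1.2", outgoing_call_request(49152))
    nat1, nat2 = (struct.unpack_from("!H", r, 12)[0] for r in (req1, req2))
    # The PAC answers client 1 with its own Call ID 32799, naming nat1 as peer.
    to_ip, reply = alg.server_to_client(outgoing_call_reply(32799, nat1))
    # GRE data from the PAC keyed by nat1 reaches client 1 carrying 49152 again.
    gre_ip, gre = alg.gre_from_server(gre_ppp(nat1, b"\xff\x03\xc0\x21"))
    return ((nat1, nat2), to_ip, struct.unpack_from("!HH", reply, 12),
            gre_ip, struct.unpack_from("!H", gre, 6)[0])
```

demo() returns the two distinct NAT Call IDs (2109 and 2110), the client that the reply and the GRE packet are delivered to, and the PAC Call ID left unchanged at 32799 beside the client's original 49152 restored in both.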

The following command displays PPTP NAT ALG statistics.


ACOS(config-if:ethernet:2)# show ip nat alg pptp statistics
Statistics for PPTP NAT ALG:
-----------------------------
Calls In Progress: 0
Call Creation Failure: 0
Truncated PNS Message: 0
Truncated PAC Message: 0
Mismatched PNS Call ID: 0
Mismatched PAC Call ID: 0
Retransmitted PAC Message: 0
Truncated GRE Packets: 0
Unknown GRE Packets: 0
No Matching GRE Session: 0

Chapter 28: Additional NAT Configuration Features
This chapter describes additional NAT configuration options available on an ACOS device:

The following topics are covered:

Faster Timeout for TCP/UDP IP NAT Translations 341

Mapping Allocation Method 341

Fast Aging for IP NATted ICMP and DNS Sessions 342

Client and Server TCP Resets for NATted TCP Sessions 345

Requirements for Translation of DNS Traffic 346

Pool-specific TCP Maximum Segment Life 346

IP NAT Use in Transparent Mode in Multi-netted Environment 348

NAT Range List Requires ACOS Device Interface or Route Within the Global Subnet 348

IP NAT in HA Configurations 349

Faster Timeout for TCP/UDP IP NAT Translations


The current release supports faster timeout for TCP and UDP IP NAT translations. You can set
the timeout for TCP or UDP sessions to a value in one of the following ranges:

• 2-31 seconds – The timeout takes place very rapidly, as close to the configured timeout as possible.
• 32-12000 seconds – The timeout value must be divisible by 60, and can be a minimum of 1 minute. If the timeout is set to a value in the range 32-59, the timeout value is rounded up to 60. Values in the range 61-11999 are rounded down to the nearest multiple of 60.

There are no GUI or CLI changes for this enhancement. The only change is in the supported
ranges.

Mapping Allocation Method


The following topics are covered:

Details 341

Using the GUI 342

Using the CLI 342

Details

By default, the ACOS device creates NAT translations by using all the protocol ports of the
first IP address in a pool, then using all the ports of the next IP address, and so on.

Optionally, you can change the allocation method to IP round robin. The IP round robin allocation method provides a more even distribution of address selection, by selecting pool IP addresses in round robin fashion.

The mapping allocation method is configurable on an individual pool basis.

Using the GUI

On the configuration page for the pool, enable the IP-RR option.

Using the CLI

When configuring the pool, use the ip-rr option.
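The pool-group selection rules from Configuration Elements for Dynamic NAT and the two mapping allocation methods described here (default port-first order versus ip-rr), modelled as an added Python example that is not ACOS code. The pool names, address ranges and port ranges are constructed, and "matches the outbound subnet" is modelled as the pool's subnet equalling the subnet of the outbound interface.

```python
# Added example, not ACOS code: a model of NAT pool group selection and of the
# two mapping allocation methods (default port-first vs ip-rr) described above.
# Pool and subnet values are constructed; "matches the outbound subnet" is
# modelled as the pool's subnet equalling the outbound interface's subnet.
import ipaddress


class NatPool:
    def __init__(self, name, start, end, prefixlen, ip_rr=False,
                 port_lo=1024, port_hi=65535):
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        self.name = name
        self.ip_rr = ip_rr
        self.network = ipaddress.ip_network(f"{first}/{prefixlen}", strict=False)
        self.addrs = [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]
        self.next_port = {a: port_lo for a in self.addrs}  # next free port per address
        self.port_hi = port_hi
        self._rr = 0  # round-robin cursor, used only with ip-rr

    def has_free(self):
        return any(p <= self.port_hi for p in self.next_port.values())

    def allocate(self):
        """Return (address, port) for a new translation.
        Default: use every port of the first address before moving to the next.
        ip-rr: rotate the starting address on each call."""
        order = self.addrs
        if self.ip_rr:
            order = self.addrs[self._rr:] + self.addrs[:self._rr]
            self._rr = (self._rr + 1) % len(self.addrs)
        for addr in order:
            port = self.next_port[addr]
            if port <= self.port_hi:
                self.next_port[addr] = port + 1
                return str(addr), port
        raise RuntimeError(f"pool {self.name} has no free address/port")


class NatPoolGroup:
    def __init__(self, name, pools):
        # Members must belong to the same protocol family (IPv4 or IPv6).
        if len({p.network.version for p in pools}) > 1:
            raise ValueError("pool group members must share a protocol family")
        self.name = name
        self.pools = list(pools)  # order of addition is the search order

    def select(self, outbound_subnet):
        """First pool in the outbound subnet, else first pool with free addresses."""
        net = ipaddress.ip_network(outbound_subnet)
        for pool in self.pools:
            if pool.network == net:
                return pool
        for pool in self.pools:
            if pool.has_free():
                return pool
        raise RuntimeError(f"pool group {self.name} exhausted")


def demo():
    # Tiny port ranges (two ports per address) make the rollover visible.
    pool1 = NatPool("pool1", "192.168.1.1", "192.168.1.2", 24,
                    port_lo=1024, port_hi=1025)
    pool2 = NatPool("pool2", "172.16.5.10", "172.16.5.11", 24, ip_rr=True,
                    port_lo=1024, port_hi=1025)
    group = NatPoolGroup("group1", [pool1, pool2])
    by_subnet = group.select("172.16.5.0/24").name  # route leaves via 172.16.5.0/24
    fallback = group.select("10.9.0.0/16").name     # no pool there: first with free
    default_order = [pool1.allocate() for _ in range(3)]
    rr_order = [pool2.allocate() for _ in range(3)]
    return by_subnet, fallback, default_order, rr_order
```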

Fast Aging for IP NATted ICMP and DNS Sessions


The following topics are covered:

Details 342

Using the GUI 343

Using the CLI 344

CLI Example 344

Details

The ACOS device uses application-aware aging for IP NATted sessions, in cases where the
ACOS device performs IP NAT translation of the internal client IP addresses.

The default timeout for IP NATted ICMP sessions, as well as UDP sessions on port 53 (DNS), is
set to the SLB maximum session life (MSL), which is 2 seconds by default.

NOTE: Fast aging applies to sessions between internal clients and external resources, in
cases where the ACOS device performs IP NAT translation of the client addresses. This type
of traffic is not SLB traffic between clients and a VIP configured on the ACOS device. For
SLB DNS traffic, short aging based on the MSL time is the default aging mechanism.

The following TABLE 28-1 summarizes the session timeouts and how to configure them.


TABLE 28-1 : Session Timeout for IP NATted ICMP and UDP Sessions

Default Timeout for IP NATted ICMP or DNS Sessions:
  SLB MSL timeout (2 seconds by default)
  Note: For DNS, this is the default only for the default DNS port (53).

Method To Change Timeout:
  You can use either of the following methods:
  - Change the SLB MSL timeout.
  - Change the IP NAT translation timeout:
    - ICMP – Change the IP NAT translation ICMP timeout, by specifying the number of
      seconds for the timeout, instead of “fast”. To be able to specify a faster timeout
      value, refer to Faster Timeout for TCP/UDP IP NAT Translations.
    - DNS – Change the IP NAT translation UDP timeout for the DNS port, by specifying the
      number of seconds for the timeout, instead of “fast”. The timeout is configurable for
      individual UDP ports. To be able to specify a faster timeout value, refer to Faster
      Timeout for TCP/UDP IP NAT Translations.

Using the GUI

1. To change the IP NAT translation timeout for ICMP or UDP:

   a. Hover over ADC in the navigation bar, and select IP Source NAT.
   b. Select NAT Global on the menu bar.
   c. To change the IP NAT translation timeout for ICMP, specify Custom or Fast for the
      ICMP Timeout field. If you specify Custom, choose 2-1500 seconds.
   d. To change the IP NAT translation timeout for a UDP port, use the Service Timeout
      field. Specify UDP for the Service Type, a port number for Port, and Fast or Age for
      Timeout Type. If you specify Fast, the timeout is set to the SLB MSL timeout value. If
      you specify Age, specify a value in one of the following ranges:
      - 2-31 seconds – The timeout takes place very rapidly, as close to the configured
        timeout as possible.
      - 32-12000 seconds – The timeout value must be divisible by 60, and can be a
        minimum of 1 minute. If the timeout is set to a value in the range 32-59, the
        timeout value is rounded up to 60. Values in the range 61-11999 are rounded
        down to the nearest multiple of 60.

Using the CLI

To display the timeout that will be used for IP NATted sessions, use the following command:
show ip nat timeouts

To change the IP NAT translation timeout for ICMP, use the following command:
[no] ip nat translation icmp-timeout {seconds | fast}

To change the IP NAT translation timeout for a UDP port, use the following command:
[no] ip nat translation service-timeout udp port-num {seconds | fast}

The port-num option specifies the UDP port number.

The fast option sets the timeout to the SLB MSL timeout, for the specified UDP port.

You can set the timeout for UDP sessions to a value in one of the following ranges:

- 2-31 seconds – The timeout takes place very rapidly, as close to the configured timeout
  as possible.
- 32-12000 seconds – The timeout value must be divisible by 60, and can be a minimum
  of 1 minute. If the timeout is set to a value in the range 32-59, the timeout value is
  rounded up to 60. Values in the range 61-11999 are rounded down to the nearest multiple
  of 60.
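The rounding rules above apply to every TCP/UDP and ICMP timeout in this chapter; the following Python function models them so a planned value can be checked before it is configured. It is an added example, not A10 code: the DEFAULT_MSL constant and the function names are assumptions, and the ranges are exactly those the guide lists.

```python
"""Added example, not A10 code: the rounding rules the guide gives for the
'seconds' argument of 'ip nat translation icmp-timeout' and
'ip nat translation service-timeout udp <port>', as a checkable function."""

FAST = "fast"       # keyword: use the SLB MSL timeout instead of a fixed value
DEFAULT_MSL = 2     # SLB maximum session life in seconds (guide's default)


def effective_nat_timeout(value, msl=DEFAULT_MSL):
    """Return the timeout ACOS applies for a configured 'fast' or integer value.

    2-31      applied as configured (fast range)
    32-59     rounded up to 60
    60-12000  rounded down to the nearest multiple of 60
    Anything else raises ValueError.
    """
    if value == FAST:
        return msl
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("timeout must be 'fast' or an integer number of seconds")
    if 2 <= value <= 31:
        return value
    if 32 <= value <= 59:
        return 60
    if 60 <= value <= 12000:
        return value - value % 60
    raise ValueError(f"{value} is outside the supported ranges 2-31 and 32-12000")


def describe(value, msl=DEFAULT_MSL):
    """One line per configured value, flagging where the applied value differs."""
    applied = effective_nat_timeout(value, msl)
    if value == FAST:
        return f"fast -> {applied}s (SLB MSL)"
    if applied != value:
        return f"{value}s -> {applied}s (rounded to a multiple of 60)"
    return f"{value}s applied as configured"


if __name__ == "__main__":
    for v in (FAST, 2, 31, 45, 60, 119, 300, 11999, 12000):
        print(describe(v))
```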

CLI Example

The following command displays the current IP NAT translation timeouts:


ACOS#show ip nat timeouts
NAT Timeout values in seconds:
TCP UDP ICMP
------------------------
300 300 fast
Service 53/udp has fast-aging configured

In this example, the output indicates that fast aging is used for IP NATted ICMP sessions, and
for IP NATted DNS sessions on port 53.

The message at the bottom of the display indicates that the fast aging setting (SLB MSL
timeout) will be used for IP NATted UDP sessions on port 53. If the message is not shown in
the output, then the timeout shown under “UDP” will be used instead.

Client and Server TCP Resets for NATted TCP Sessions


You can enable the ACOS device to send TCP resets to the client and server when a NATted
TCP session becomes idle.

The following topics are covered:

Using the GUI 345

Using the CLI 345

Using the GUI

1. To enable this option:
   a. Hover over ADC in the navigation bar, and select IP Source NAT.
   b. Enable the Reset Idle TCP Conn option.

Using the CLI

To enable this option, use the following command at the global configuration level of the CLI:
ACOS(config)#ip nat reset-idle-tcp-conn


Requirements for Translation of DNS Traffic


If you plan to use IP NAT for DNS traffic, make sure the configuration includes the following:

- Both the DNS request from the inside client, and the response from the external DNS
  server, must pass through the IP NAT outside interface.
- If an ACL is configured on the interface that will receive the DNS responses (the IP NAT
  outside interface), the ACL must include a permit rule that allows traffic from the DNS
  server. Otherwise, the traffic will be denied by the implicit (non-visible) deny any rule
  at the end of the ACL.

Pool-specific TCP Maximum Segment Life


The following topics are covered:

Details 346

Using the GUI 347

Using the CLI 347

CLI Example 347

Details

You can customize the Maximum Segment Life (MSL) for source-NAT connections.

The MSL is the maximum number of seconds a TCP segment (packet) is allowed to remain in
the network. When one of the endpoints in a TCP connection sends a FIN to close the
connection, that endpoint then enters the TIME-WAIT state.

During the TIME-WAIT state, the endpoint is not allowed to accept any new TCP connections.
This behavior is meant to ensure that the TCP endpoint does not receive a segment belonging
to a previous connection after the endpoint enters a new connection.

The TIME-WAIT state lasts up to twice the MSL. On some older TCP/IP stacks, this can result
in a wait of up to 240 seconds (4 minutes) after a FIN before the endpoint can enter a new
connection.


To help reduce the time between connections for these endpoints, you can set the MSL on
individual source NAT pools. You can set the MSL to 1-1800 seconds.

NOTE: The current release supports this feature for IPv4 source NAT
pools, and for virtual ports on IPv4 or IPv6 VIPs.

NOTE: For more information about configuring this feature for virtual
ports, see the “Network Address Translation for SLB” chapter
in the Application Delivery and Server Load Balancing Guide.

Using the GUI

1. To set the MSL for system-level source NAT:
   a. Hover over ADC in the navigation bar, and select IP Source NAT.
   b. Click ACL Bind on the menu bar.
   c. Enter the MSL value in the MSL field.

Using the CLI

To set the MSL for system-level source NAT, use the msl option when configuring the ACL
binding. To configure the ACL binding, use the following command at the global
configuration level of the CLI:
[no] ip nat inside source list acl-name pool pool-or-group-name msl seconds

CLI Example

The following commands configure custom MSL values for system-level source NAT:
ACOS(config)#access-list 123 permit tcp host 192.168.20.102 any eq 22
ACOS(config)#access-list 124 permit tcp host 192.168.20.102 any eq 80
ACOS(config)#ip nat pool ronpool 192.168.20.105 192.168.20.105 netmask /24
ACOS(config)#ip nat inside source list 123 pool ronpool msl 23
ACOS(config)#ip nat inside source list 124 pool ronpool msl 48


IP NAT Use in Transparent Mode in Multi-netted Environment
If the ACOS device is deployed in transparent mode, the device uses NAT IP addresses to perform
health monitoring on servers that are outside the IP subnet or VLAN of the ACOS device.
If there are multiple IP addresses in the NAT pool, the ACOS device uses only the last IP
address in the pool for the health checks. Also, the ACOS device only responds to control
traffic (for example, management and ICMP traffic) on the last IP address in the pool.

In the following example, the ACOS device’s IP address is on the 172.168.101.0/24 subnet. A
NAT pool has been configured to reach servers outside of that subnet/VLAN.
ACOS#show ip
System is running in Transparent Mode
IP address: 172.168.101.4 255.255.255.0
IP Gateway address: 172.168.101.251
SMTP Server address: Not configured

ACOS#show ip nat pool
Total IP NAT Pools: 4
Pool Name Start Address End Address Mask Gateway HA Group
----------------------------------------------------------------------------
Pool-A 173.168.10.20 173.168.10.25 /24 173.168.10.250 0

In this configuration, the ACOS device will initiate health checks using the last IP address in
the pool as the source IP address. In this example, the ACOS device will use IP address
173.168.10.25. In addition, the ACOS device will only respond to control traffic directed to
173.168.10.25 from the 173.168.10.0/24 subnet.

NAT Range List Requires ACOS Device Interface or Route Within the Global Subnet
In an IP source NAT configuration, return UDP or ICMP traffic may not be able to reach the
ACOS device. This can occur under the following circumstances:

- IP source NAT is configured using a NAT range list.
- The ACOS device does not have any data interfaces or routes that contain an address
  within the subnet of the range list's global address(es).


To work around this issue, configure an IP interface that is within the NAT range list’s global
subnet. You can configure the address on any active data interface on the ACOS device.

This issue does not affect NATted traffic other than ICMP or UDP traffic, or use of an ACL
with a NAT pool.

IP NAT in HA Configurations
The following topics are covered:

Details 349

Using the GUI 349

Using the CLI 349

Details

If you are using IP source NAT or full NAT in an HA configuration, make sure to add the NAT
pool or range list to an HA group. Doing so allows a newly Active ACOS device to properly
continue management of NAT resources following a failover.

Using the GUI

In the GUI, you can select the VRID group from the HA Group drop-down list on the following
configuration tabs:

- ADC > IP Source NAT > IPv4 Pool
- ADC > IP Source NAT > IPv6 Pool
- ADC > IP Source NAT > NAT Range

Using the CLI

In the CLI, the ha-group-id option is supported with the following NAT commands:

[no] ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length}
    [gateway ipaddr] [ha-group-id group-id]

[no] ipv6 nat pool pool-name start-ipv6-addr end-ipv6-addr netmask mask-length
    [gateway ipaddr] [ha-group-id group-id]

[no] ip nat range-list list-name source-ipaddr /mask-length nat-ipaddr /mask-length
    count number [ha-group-id group-id]

System Geo-location Mappings
This part of the document describes Geo-location mapping and filtering at system level and
how to configure it. Geo-location IP mapping enables ACOS to filter based on the user's
Geo-location and act according to the settings assigned to the Geo-location. It can be used in
a firewall rule-set to allow or disallow access to users from certain countries or cities.

The Geo-location is now supported throughout the ACOS system for firewall and CGN.

Refer to the Geo-location Mappings chapter for further details.

Chapter 29: Geo-location Mappings
You can configure geo-location mappings to ACOS manually or by loading the mappings from
a file. Configuring the geo-location mappings manually might not be practical, unless you
have only a few sites.

The geo-location configuration options are described in detail below.

To skip the descriptions and go directly to configuration instructions, see one of the following
sections. Each section provides the procedure for one of the approaches to configuring geo-
location mappings.

The following topics are covered:

Loading or Configuring Geo-location Mappings 353

Geo-location Lists 362


Loading or Configuring Geo-location Mappings


The following topics are covered:

Geo-location Mappings Overview 353

Geo-location Database Files 353

Geo-location Database File Example 354

Creating and Loading a Custom Geo-location Database 355

Manually Configuring Geo-location Mappings 357

Loading Geo-location Database to ACOS 359

Geo-location Mappings Overview

A geo-location mapping consists of a geo-location name and an IP address or IP range.

- If you manually map a geo-location to a global site.
- If a service-ip cannot be mapped to a geo-location, the site ACOS device is mapped to a
  geo-location.

If more than one geo-location matches a client’s IP address, the most specific match is used.

For example, if a client is in the same city as a site ACOS, that site will be preferred. If the
client and site are in the same state but in different cities, the site in that state will be
preferred.

Use the related “load” command to load databases to synchronize the start-up configuration
on ACOS system or group members.

There is full parity in the synchronization, so the process works in reverse also. Unloading a
geo-location database from a configuration, or deleting a geo-location database, will remove
that database from all ACOS group members.

Geo-location Database Files

You can load the geo-location database (which contains the geo-location mappings) from one
of the following types of files:


- MAXMIND database – We have built-in databases from a third-party provider MAXMIND
  named GeoLite2-Country and GeoLite2-City.
- Internet Assigned Numbers Authority (IANA) database – The IANA database contains
  geographic locations of IP address ranges and subnets assigned by the IANA. This
  database is loaded by default.
- Custom database in CSV format – You can load a custom geo-location database from
  a file in comma-separated-values (CSV) format. However, before loading the file, you
  must first configure a CSV template on the ACOS device because the data in the file is
  formatted by the template.

Geo-location Database File Example

An example of a database file is shown below. Each record is a single line in the file:
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"
"1159364096","1159364351","US","UNITED STATES","NA","NORTH AMERICA","","","","ENVIRONMENTAL COMPLIANCE SERVICE","SILVER","","32.0708","-100.682"
"1159364352","1159364607","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","MLS PROPERTY INFORMATION NETWORK","SHREWSBURY","WORCESTER","42.2959","-71.7134"
...

The example above shows how the CSV file appears when displayed in a text editor. If the
same data were displayed in a spreadsheet application, it would appear as shown in FIGURE
29-1.

FIGURE 29-1: CSV File in Spreadsheet Application


The database file can contain more types of information (fields, or columns) than are required
for the Geo-location database. When you load the CSV file into the geo-location database, the
CSV template on the ACOS device filters the file to extract the required data, while ignoring
the rest of the data. In the example below, only the fields shown in bold type will be extracted
and placed into the geo-location database:
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"

These fields contain the following information:
From IP address (starting IP address in range), To IP address (ending IP address in range, or
subnet mask), Continent, Country

The IP addresses in this example are in bin4 format. Dotted decimal format (for example:
69.26.125.0) is also supported. If you use bin4 format, the ACOS device automatically
converts the addresses into dotted decimal format when you load the database into ACOS.

Creating and Loading a Custom Geo-location Database

The following topics are covered:

Details 355

Configuring the CSV Template (CLI Procedure) 356

CSV File Field Delimiter 356

Importing the CSV File (CLI Procedure) 356

Loading the CSV File Data into the Geo-location Database (CLI Procedure) 357

Details
To create and load a custom geo-location database:

1. Prepare the database file. (This step requires an application that can save to text in
   CSV format, and it cannot be performed on the ACOS device.)
2. Configure a CSV template on the ACOS device. The CSV template specifies the field
   positions (or columns) in the database that should be extracted, such as IP address and
   location information.
3. Import the CSV file onto the ACOS device.
4. Load the CSV file.
5. Display the geo-location database.

Configuring the CSV Template (CLI Procedure)

On the ACOS device, you must configure a CSV template for the database file. When you load
the file onto the ACOS system, the ACOS device uses the template to extract the data and
load it into the system database.

1. Use the system template csv command to create the template.
2. Use the field command to identify the field positions for the geo-location data.
3. The CSV file uses commas to delimit fields. Use the “delimiter” command to specify
   the delimiter.
   ACOS(config-csv:1)# delimiter {<number> | <name> }
   <0-255> enter a delimiter number, default 44 (",")
   NAME<length:1-1> enter a delimiter character, default ","

CSV File Field Delimiter


CSV file fields must be separated by a delimiter. By default, the ACOS device interprets
commas as delimiters. When configuring a CSV template on the ACOS device, the delimiter can
be set to any valid ASCII character.

Importing the CSV File (CLI Procedure)


To import the CSV file onto the ACOS device, use the import geo-location command at the
privileged EXEC or global configuration level of the CLI:
period num]

You can enter the entire URL on the command line or press Enter to display a prompt for
each part of the URL. If you enter the entire URL and a password is required, you will still be
prompted for the password. To enter the entire URL:

- tftp://host/file
- ftp://[user@]host[:port]/file
- scp://[user@]host/file
- disk:path
- sftp://[user@]host/file

NOTE: For more information about the use-mgmt-port option, see the “Using the Management
Interface as the Source for Management Traffic” chapter in the System Configuration and
Administration Guide.

Loading the CSV File Data into the Geo-location Database (CLI Procedure)
To load the CSV file, use the system geo-location load command at the global configuration
level of the CLI.

Use the file name you specified when you imported the CSV file, and the name of the CSV
template to be used for extracting data from the file.

To display information about CSV files as they are being loaded, use the show geo-location
command.

Manually Configuring Geo-location Mappings

The following topics are covered:

Details 357

Displaying the Geo-location Database (CLI Procedure) 358

Displaying the Geo-location Database (CLI Example) 358

Configuring Geo-location Entry through CLI 359

Details
To manually configure a geo-location mapping:

1. Configure each geographic location (geo-location) as a named range of client IP
   addresses at system level.
2. To configure a geo-location, use the system geo-location entry command at the global
   configuration level or from a remote system.


Displaying the Geo-location Database (CLI Procedure)


To display the geo-location database and to search for an entry in the geo-location database
that is based on client IP address, use the show geo-location command.

Displaying the Geo-location Database (CLI Example)


The commands in this example load a custom geo-location database from a CSV file called
“test.csv”, and then display the database. The test.csv file is shown in Geo-location Database
File Example.

First, the following commands configure the CSV template:
ACOS(config)# template csv test1-template
ACOS(config template csv)# field 1 ip-from
ACOS(config template csv)# field 2 ip-to-mask
ACOS(config template csv)# field 5 continent
ACOS(config template csv)# field 3 country
ACOS(config template csv)# exit
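To see what the template above does to the rows in Geo-location Database File Example, here is an added Python model (not A10 code) of the template's field selection and the bin4-to-dotted-decimal conversion described there; TEST1_TEMPLATE, the sample rows, the deliberately malformed last row and the "/24" mask spelling are constructed assumptions.

```python
"""Added example, not A10 code: how a CSV template such as 'field 1 ip-from /
field 2 ip-to-mask / field 5 continent / field 3 country' selects columns from
a geo-location database row, and how bin4 addresses become dotted decimal."""
import csv
import io
import ipaddress

# Template mirroring test1-template above; field numbers are 1-based.
TEST1_TEMPLATE = {1: "ip-from", 2: "ip-to-mask", 5: "continent", 3: "country"}

# Constructed rows in the layout of the guide's database file. Row 3 uses the
# dotted-decimal form the guide says is also supported (the '/24' mask spelling
# is an assumption); row 4 is deliberately malformed to show Err/W handling.
SAMPLE_CSV = (
    '"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA",'
    '"EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"\n'
    '"1159364096","1159364351","US","UNITED STATES","NA","NORTH AMERICA",'
    '"","","","ENVIRONMENTAL COMPLIANCE SERVICE","SILVER","","32.0708","-100.682"\n'
    '"69.26.125.0","/24","US","UNITED STATES","NA","NORTH AMERICA"\n'
    '"not-an-address","1","US","UNITED STATES","NA"\n'
)


def bin4_to_dotted(value):
    """Return a dotted-decimal address for a bin4 (32-bit integer) field.
    Dotted addresses are validated and passed through; '/len' masks are kept."""
    value = value.strip()
    if value.startswith("/"):
        if not 0 <= int(value[1:]) <= 32:
            raise ValueError(f"bad mask length {value}")
        return value
    if value.isdigit():
        return str(ipaddress.IPv4Address(int(value)))   # rejects values > 2**32-1
    return str(ipaddress.IPv4Address(value))            # rejects malformed dotted form


def load_geo_csv(text, template, delimiter=","):
    """Apply a CSV template to every row of the file.
    Returns (entries, errors): entries are dicts keyed by template field name with
    addresses normalised to dotted decimal; errors are (line_no, reason) pairs for
    rows the template could not extract, like the Err/W column of
    'show geo-location file'."""
    entries, errors = [], []
    needed = max(template)
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    for line_no, row in enumerate(reader, start=1):
        if not row:
            continue                     # blank line
        if len(row) < needed:
            errors.append((line_no, f"{len(row)} fields, template needs {needed}"))
            continue
        entry = {name: row[pos - 1].strip() for pos, name in template.items()}
        try:
            for key in ("ip-from", "ip-to-mask"):
                if key in entry:
                    entry[key] = bin4_to_dotted(entry[key])
        except ValueError as exc:
            errors.append((line_no, f"bad address: {exc}"))
            continue
        entries.append(entry)
    return entries, errors


if __name__ == "__main__":
    loaded, problems = load_geo_csv(SAMPLE_CSV, TEST1_TEMPLATE)
    for e in loaded:
        print(e)
    for line_no, why in problems:
        print(f"line {line_no}: {why}")
```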

The following command imports the file onto the ACOS device:
ACOS(config)# import geo-location test1.csv ftp://1.0.0.100/BaseConfig/Test1.csv
User name []?admin2
Password []?*******
Done.

The following commands initiate loading the data from the CSV file into the geo-location
database, and display the status of the load operation:
ACOS(config)# geo-location load test1.csv test1-template
ACOS(config)# show geo-location file
Per = Percentage of loading, Err/W = Error or Warning
T = T(Template)/B(Built-in)

Filename T Template Per Lines Success Err/W
--------------------------------------------------------------------------------
iana* B 100% 77 77 0
test1.csv T test1-template 100% 5 5 0

ACOS(config)#

The following command displays the geo-location database extracted from the CSV file.

ACOS(config)# show geo-location db NA
Last = Last Matched Client, Hits = Count of Client matched
Sub = Count of Sub Geo-location
T = Type, P-Name = Policy name
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)/B(built-in)

Geo-location: NA
From To/Mask Last Hits Sub T P-Name
--------------------------------------------------------------------------------
0 1 G

Configuring Geo-location Entry through CLI

1. Configure the geo-location using the CLI, using the system geo-location entry command,
   and set the IP mask, for example:
   ACOS(config)# system geo-location entry GEO_APAC1
   ACOS(config-geo-location:GEO_APAC1)#ip 111.13.100.0 mask /24

2. Use the show geo-location command to verify that the geo-location is added, with the
   following options:
   show geo-location [db/file/ip/ipv6]

Loading Geo-location Database to ACOS

The following topics are covered:

Details 359

Loading MAXMIND Database 360

Preparing the CSV File 361

Importing User Defined CSV Geo-location File into ACOS 361

Verifying Geo-location Configuration 362

Details
The steps to configure a user-defined geo-location database on ACOS are:

1. Prepare the CSV database file, including converting a third-party database file into CSV
   format. Refer to Preparing the CSV File.
2. Import the CSV database file into ACOS. Refer to Importing User Defined CSV Geo-location
   File into ACOS.

NOTE: Load the MAXMIND database using the system geo-location load command as specified in
Loading MAXMIND Database.

Loading MAXMIND Database


MAXMIND is a third-party provider of IP geo-location data and services. ACOS provides built-in
MAXMIND databases.

The geo-location databases can be downloaded from MAXMIND and loaded onto ACOS.

NOTE: Use the GeoLite2 databases from MAXMIND, available at:
http://www.maxmind.com

The geo-location based list feature provides the following important options:

1. By default, the IANA database is loaded. Use the built-in MAXMIND database by loading
   it to ACOS.
   ACOS(config)# system geo-location load GeoLite_Country2

   NOTE: GeoLite2-Country and GeoLite2-City are the MAXMIND databases loaded to ACOS.
   By default, only the IANA database is loaded. To unload the default database, use the
   no system geo-location load command.

2. To load the built-in GeoLite2-Country database from MAXMIND, use:
   ACOS(config)# system geo-location load GeoLite2-Country

3. To include IPv6 addresses, add include-ipv6 after the database name.
   ACOS(config)# system geo-location load GeoLite2-City include-ipv6
   ACOS(config)# system geo-location load GeoLite2-Country include-ipv6

NOTE: The limitations on loading the MAXMIND database are:
GeoLite2-City and GeoLite2-Country cannot be loaded at the same time.
GeoLite2-City has city-level geo-location IP mappings.
GeoLite2-Country has only country-level geo-location IP mappings.

Preparing the CSV File

1. Prepare the CSV database file. If you are using a third-party database file, convert it
   into a CSV file.

2. Define the CSV template.
   AX(config)# template csv
   field 1 ip-from
   field 2 ip-to-mask
   field 3 continent
   field 4 country
   field 5 state
   field 6 city

3. Prepare the geo-location CSV file. Import the file using the import geo-location command
   as follows:
   ACOS(config)# import geo-location GEO_APAC1

Importing User Defined CSV Geo-location File into ACOS


There are two methods to import a user-defined geo-location CSV file.

- import geo-location: Import the CSV file directly into ACOS.
- import-periodic geo-location: Import the CSV file into ACOS with periodic refresh.

To import a geo-location file manually, use the import geo-location command.
AX(config)# import geo-location USER_DB scp://userdb.csv

OR

To import a geo-location file with the periodic refresh option through a new system template or
geo-location import, use the import-periodic geo-location command.


ACOS(config)# import-periodic geo-location USER_DB use-mgmt-port tftp://host/user_db.csv period 1200

ACOS provides system-wide CLI commands to define the configuration of a geo-location database
that can later be used in a firewall rule-set.

NOTE: For details on geo-location list configuration through CLI, see CLI
Configuration Options for Geo-location Lists.

Verifying Geo-location Configuration


1. Verify if all the geo-location entries are loaded by using the show system geo-location
   command and the show running-config sec geo command.
   ACOS(config)# show system geo-location

2. Multiple database files can also be loaded. Verify using the show running-config sec geo
   command.
   ACOS(config)# show running-config sec geo
   system geo-location load USER_DB
   system geo-location load GeoLite_Country2
   system geo-location load GEO_APAC1

Geo-location Lists
This section describes the fundamentals and configuration options for Geo-location database
loading, mapping, lists setup, and so on through the ACOS CLI and GUI.

The following topics are covered:

Details 363

CLI Configuration Options for Geo-location Lists 363

GUI Configuration Options for Geo-location Lists 367


Details

Geo-location IP mapping enables ACOS to filter based on the user's geo-location and act
according to the settings assigned to the geo-location. It can be used in a firewall rule-set to
allow or disallow access to users from certain countries or cities.

The following options and add-ons are available on ACOS:

- ACOS provides a pre-installed internal geo-location database (MAXMIND) and an option
  to switch to the database.
- Users can import a third-party geo-location database.
- Users can configure a geo-location list that consists of geo-location names.
- The geo-location-list can be bound to a firewall rule-list as source or destination filters.

CLI Configuration Options for Geo-location Lists

The following topics are covered:

Details 363

Configuration Example for Geo-location List 364

Geo-location Name Active/Inactive 365

Geo-location Lists on Shared Partitions 366

Hit Counter 366

Configuration Output Examples 366

Details
The following configuration options are available for Geo-location List settings through the
ACOS CLI. The Geo-location list settings can be configured once a geo-location database is
loaded onto the ACOS system.

NOTE: For details on loading the databases, see Loading or Configuring Geo-location Mappings.


Configuration Example for Geo-location List


A geo-location list can be configured through the CLI as specified in the following example:

1. Configure geo-location names in the geo-location list using the system geoloc-list list
   command and include or exclude the required geo-locations as follows. The options listed
   depend on the geo-location database loaded onto the system.
   ACOS(config)# system geoloc-list list
   ACOS(config-geoloc-list:list)# include ?
   "Asia"
   "Asia.?
   "Oceania"
   "Oceania.?
   "ripe"
   "lacnic"
   "apnic"
   "afrinic"
   "arin"
   "default"
   ACOS(config-geoloc-list:list)#include"Asia.?
   "Asia.China"
   "Asia.China.?
   ACOS(config-geoloc-list:list)#include "Asia.China.?
   "Asia.China.Fujian"
   "Asia.China.Fujian.?
   ACOS(config-geoloc-list:list)#include "Asia.China.Fujian.?
   "Asia.China.Fujian.Fuzhou"
   ACOS(config-geoloc-list:list)#include "Asia.China.Fujian.Fuzhou"

2. The configuration is displayed as follows:
   ACOS(config-geoloc-list:list)#show running-config | sec geoloc-list
   system geoloc-list list
   shared
   include Asia.China.Beijing
   include "Europe.San Marino.Castello di Domagnano.Domagnano"
   include "Asia.Qatar.Baladiyat az Za'ayin.Az Za`ayin"
   include Asia.China.Jiangxi.Longnan
   include "Oceania.Australia.Victoria.Fountain Gate"
   include Asia.China.Fujian.Fuzhou

Geo-location Name Active/Inactive


Every geo-location name in the geo-location list must be added into the search tree. When the
geo-location name is added into the search tree, we call it "active". In order for a geo-location
name to work, it must be active on the geo-location list.

Use the following CLI to check if the geo-location name is active or not.
ACOS(config-geoloc-list:list)# show geoloc-list list
system geoloc-list list
include Asia.China | status:Active. hit:516
include Asia.China.Beijing.Haidian | status:Active. hit:0
include North America.United States | status:Active. hit:4
include Asia.a.donot.exists | status:Inactive. hit:0
exclude Asia.China.Beijing | status:Active.
--------------------
Total hit: 520
Total geolocation name: 5
Total active: 4

The geo-location names in a list are set to active when the geo-location list is in use and
bound to a
firewall rule set. If a geo-location list is not in use, all the geo-location names are inactive.
If a geo-location name in a list is not recognized by the geo-location database, the name is
inactive.


Geo-location Lists on Shared Partitions

Geo-location lists can be configured per partition. A geo-location list in the shared partition can be used by a private partition.

Configuration example for a geo-location list on the shared partition:

1. Configure the geo-location list on the shared partition:

system geoloc-list geo-list-share
shared
include "Asia.China"
include "North America.United States"

2. Associate the shared list with a rule on the private partition:

rule 1
source geo list geo-list-share shared
source ipv4-address any

Hit Counter

The hit counter behaves as follows:

- Hit counters are kept per geo-location name within a geo-location list.
- If one geo-location list is bound to more than one firewall rule, the hit counter of each geo-location name is an aggregate value across all the attached firewall rules.
- If two geo-location lists contain the same geo-location name, each list keeps its own hit counter for that name.
- By default, geo-location-list hit counts are not written back into the geo-location database; this can be enabled with "system geo-db-hitcount-enable".

A maximum of 2048 geo-location lists are supported on the ACOS platform, with 1024 geo-location names of type include and 1024 geo-location names of type exclude. The total number of geo-location names that can be configured under geo-location lists and under all rule-sets is 4096.
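The following Python model, added here as an illustration and not part of the ACOS product or this guide, ties together the Active/Inactive rules and the hit-counter rules from the two sections above. It uses a constructed, toy geo-location database (the name set and the address prefixes are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), marks a name active only when its list is bound to a rule set and the database recognizes the name, and keeps one counter per include name that is shared by every rule the list is bound to. One point the guide does not state is assumed and labelled as such in the code: when an include and an exclude entry both cover an address, the more specific name wins.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed geo-location database (stand-in for the loaded MaxMind data):
# the names it knows, and the prefixes that resolve to their most specific name.
GEO_DB_NAMES = {
    "Asia", "Asia.China", "Asia.China.Beijing", "Asia.China.Beijing.Haidian",
    "Asia.China.Fujian", "Asia.China.Fujian.Fuzhou",
    "North America", "North America.United States",
}
GEO_DB_PREFIXES = [
    ("203.0.113.0/28", "Asia.China.Beijing.Haidian"),
    ("203.0.113.0/26", "Asia.China.Beijing"),
    ("203.0.113.0/24", "Asia.China"),
    ("203.0.113.128/25", "Asia.China.Fujian.Fuzhou"),
    ("198.51.100.0/24", "North America.United States"),
]


def locate(ip: str) -> Optional[str]:
    """Longest-prefix match of an address to its geo-location name."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, name in GEO_DB_PREFIXES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


@dataclass
class Entry:
    action: str  # "include" or "exclude"
    name: str
    hit: int = 0  # only include entries count hits, as in the show output

    def covers(self, located: str) -> bool:
        # "Asia.China" covers "Asia.China" itself and every name beneath it
        return located == self.name or located.startswith(self.name + ".")


@dataclass
class GeoList:
    name: str
    entries: List[Entry] = field(default_factory=list)
    bound_rules: List[str] = field(default_factory=list)

    def is_active(self, entry: Entry) -> bool:
        # Active only when the list is bound to a rule set and the database knows the name
        return bool(self.bound_rules) and entry.name in GEO_DB_NAMES

    def evaluate(self, ip: str) -> bool:
        """True when the address is selected by the list.
        Assumption (the guide does not state precedence): among overlapping
        active entries the most specific name wins."""
        located = locate(ip)
        if located is None:
            return False
        best = None
        for e in self.entries:
            if self.is_active(e) and e.covers(located):
                if best is None or len(e.name) > len(best.name):
                    best = e
        if best is None or best.action != "include":
            return False
        best.hit += 1  # one counter per name, shared by every rule the list is bound to
        return True

    def show(self) -> dict:
        """Same figures as 'show geoloc-list': per-name status/hit and the totals."""
        return {
            "rows": [(e.action, e.name, "Active" if self.is_active(e) else "Inactive", e.hit)
                     for e in self.entries],
            "total_hit": sum(e.hit for e in self.entries),
            "total_names": len(self.entries),
            "total_active": sum(1 for e in self.entries if self.is_active(e)),
        }


def demo() -> dict:
    """Walk a list through the unbound and bound states with constructed traffic."""
    geo = GeoList("list", [
        Entry("include", "Asia.China"),
        Entry("include", "Asia.China.Beijing.Haidian"),
        Entry("include", "North America.United States"),
        Entry("include", "Asia.a.donot.exists"),  # unknown to the database: stays inactive
        Entry("exclude", "Asia.China.Beijing"),
    ])
    unbound = geo.evaluate("203.0.113.5")  # list not bound yet: nothing is active
    geo.bound_rules = ["rule 1", "rule 2"]  # bound to two firewall rules
    results = {
        "unbound": unbound,
        "haidian": geo.evaluate("203.0.113.5"),   # specific include under an excluded parent
        "beijing": geo.evaluate("203.0.113.40"),  # excluded by Asia.China.Beijing
        "fuzhou": geo.evaluate("203.0.113.200"),  # covered by the Asia.China include
        "us": geo.evaluate("198.51.100.9"),
        "unknown": geo.evaluate("192.0.2.1"),     # not in the database at all
    }
    results["show"] = geo.show()
    return results
```

Running demo() shows the two situations an operator usually has to explain: while the list is unbound every name is Inactive and no address matches at all, and once it is bound the misspelled name stays Inactive while the others start counting hits (Total hit 3, Total geolocation name 5, Total active 4 for the constructed traffic).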

Configuration Output Examples

System-wide command to show the geo-location lists that are loaded and their statistics:

ACOS(config)# show geoloc-list list


system geoloc-list list
include Asia.China | status:Inactive. hit:652
include Asia.China.Beijing.Haidian | status:Inactive. hit:0
include North America.United States | status:Inactive. hit:4
include Asia.a.donot.exists | status:Inactive. hit:0
exclude Asia.China.Beijing | status:Inactive.
--------------------
Total hit: 656
Total geolocation name: 5
Total active: 0
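Because "show geoloc-list" is the only place where an unrecognized or unbound name becomes visible, it is worth checking the output rather than reading it by eye. The following Python parser is an added example (not ACOS code and not part of this guide); it reads the two outputs quoted in this chapter, verifies that the three Total lines agree with the entries, and reports the two conditions the guide describes: a list with no active names is not bound to any rule set, and an Inactive name in a list that does have active names is one the geo-location database does not recognize. The regular expressions assume the line layout shown in the guide.

```python
import re
from typing import List

# Two outputs of "show geoloc-list list" copied from this guide: the first while
# the list is bound to a firewall rule set, the second after it is no longer in use.
SAMPLE_BOUND = """\
system geoloc-list list
include Asia.China | status:Active. hit:516
include Asia.China.Beijing.Haidian | status:Active. hit:0
include North America.United States | status:Active. hit:4
include Asia.a.donot.exists | status:Inactive. hit:0
exclude Asia.China.Beijing | status:Active.
--------------------
Total hit: 520
Total geolocation name: 5
Total active: 4
"""

SAMPLE_UNBOUND = """\
system geoloc-list list
include Asia.China | status:Inactive. hit:652
include Asia.China.Beijing.Haidian | status:Inactive. hit:0
include North America.United States | status:Inactive. hit:4
include Asia.a.donot.exists | status:Inactive. hit:0
exclude Asia.China.Beijing | status:Inactive.
--------------------
Total hit: 656
Total geolocation name: 5
Total active: 0
"""

# Entry lines: "<include|exclude> <name> | status:<Active|Inactive>. [hit:<n>]"
ENTRY_RE = re.compile(
    r"^(include|exclude)\s+(.+?)\s*\|\s*status:(Active|Inactive)\.(?:\s*hit:(\d+))?\s*$")
TOTAL_RE = re.compile(r"^Total (hit|geolocation name|active):\s*(\d+)$")


def parse_geoloc_list(text: str) -> dict:
    """Parse the show output into the list name, its entries and the totals."""
    parsed = {"list": None, "entries": [], "totals": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("system geoloc-list "):
            parsed["list"] = line.split(None, 2)[2]
            continue
        m = ENTRY_RE.match(line)
        if m:
            action, name, status, hit = m.groups()
            # exclude entries carry no hit counter in the output, so hit stays None
            parsed["entries"].append(
                {"action": action, "name": name, "status": status,
                 "hit": int(hit) if hit is not None else None})
            continue
        m = TOTAL_RE.match(line)
        if m:
            parsed["totals"][m.group(1)] = int(m.group(2))
    return parsed


def audit(parsed: dict) -> List[str]:
    """Findings an operator wants: totals that do not add up, a list that is
    not in use, and names the geo-location database does not recognise."""
    entries, totals = parsed["entries"], parsed["totals"]
    findings = []
    include_hits = sum(e["hit"] or 0 for e in entries if e["action"] == "include")
    if totals.get("hit") != include_hits:
        findings.append(f"Total hit {totals.get('hit')} != sum of include hits {include_hits}")
    if totals.get("geolocation name") != len(entries):
        findings.append(f"Total geolocation name {totals.get('geolocation name')} "
                        f"!= {len(entries)} entries")
    active = sum(1 for e in entries if e["status"] == "Active")
    if totals.get("active") != active:
        findings.append(f"Total active {totals.get('active')} != {active} Active entries")
    if entries and active == 0:
        # every name inactive: the list is not bound to any firewall rule set
        findings.append(f"list '{parsed['list']}' is not in use: no active names")
    elif active:
        # the list is bound, so a remaining Inactive name is unknown to the database
        for e in entries:
            if e["status"] == "Inactive":
                findings.append(
                    f"name '{e['name']}' not recognised by the geo-location database")
    return findings
```

For the bound sample the only finding is the misspelled name Asia.a.donot.exists; for the unbound sample the finding is that the whole list is not in use, which is the case to check first before concluding that any individual name is wrong.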

Show the geo-location list settings in the running configuration:

ACOS(config-geoloc-list:list)# show running-config | sec geoloc-list
system geoloc-list client
include Asia.Home.Yxiong
system geoloc-list list
shared
include Asia.China
include Asia.China.Beijing.Haidian
include "North America.United States"
include Asia.a.donot.exists
exclude Asia.China.Beijing

GUI Configuration Options for Geo-location Lists

The following topics are covered:

Details 368

Geo List Page 368

Geo Database 369

Adding a New System Geo Location Entry 370


File Management 371

Importing Geo-location Database from a Local Page 372

Importing Geo-location Database from a Remote Server Page 373

Exporting Geo-location Database into Remote Server Page 374

Exporting Geo-location Database into a Local Drive 375

Details

The following GUI pages are used to configure geo-location lists through the ACOS GUI. This section describes the screens required to create and maintain geo-location lists.

Geo List Page

To create a Geo-List, navigate to the Shared Objects > Geo List page.

1. Click + New Geo List to create a new geo-location list.
2. This opens the Create New Geo List page with a Basic section.
3. Name the new Geo-list using alphanumeric characters.
4. Select the Shared option if this geo-location list is going to be used by any private partition.
5. Select a predefined Geo-location Name and add it to the include or exclude list. Use the Add another item option to include or exclude additional names.
6. Click Create to create the geo-location list.


FIGURE 29-2: New Geo List Page

Geo Database
Navigate to System > Settings > Geo Database page.

FIGURE 29-3: Geo Database Page

The following options are available:


1. Click the Built-In option to load or unload the built-in MAXMIND databases, GeoLite2-City and GeoLite2-Country.
2. Click Save to load or unload the selected geo-databases.

FIGURE 29-4: Load Built-in Geo Database

Adding a New System Geo Location Entry


To add a custom Geo-location:

1. Click + Locations under Custom Locations.
2. Enter the Geo Location Object Name.
3. Add the IP addresses, IP Mask, and Secondary IP Addresses in IPv4 or IPv6 format.
4. Click Create to create the new custom geo-location.


FIGURE 29-5: Add New Geo-location Entry

File Management

1. Click the File Imports/Exports option on the Geo-Database page to open the File Management page.
2. The Systems >> Settings >> File Management page has all the file management options, and users can manage the geo-location files through this page.
3. Select a Class List file, Geo-database or any other file. Click Delete to delete the file from the ACOS system.

The other options available under All Categories are Class List, Geo Location, and All. The Import and Export options for files, including geo-location files, are available through the File Management page as displayed in the image.

The following options are available on the File Management page:

- Import Local Class List
- Import Remote Class List
- Export Local Class List
- Export Remote Class List
- Import Local Geo-location Database
- Import Remote Geo-location Database
- Export Local Geo-location Database
- Export Remote Geo-location Database

FIGURE 29-6: File Management

Importing Geo-location Database from a Local Page


The following configuration options are available on the Import Geo-location Database from Local page.

1. Click Import > Geo-location > Local to open the page.
2. Choose the geo-location database file on the local system.
3. Click Import to import the geo-location database file from the local system.


FIGURE 29-7: Import Geo-location Database from Local Page

Importing Geo-location Database from a Remote Server Page


1. Click Import > Geo-location > Remote to open the Remote Import page.
2. Enter the Name of the geo-location file in CSV format, the Host address of the remote system, the File location name, the file transfer Protocol (TFTP, HTTP, SCTP, and so on) and its options.
3. Select Use Management Port if required.
4. Enter a value in seconds in the Period field for periodic import. Additional details are specified in the GUI Online Help.


FIGURE 29-8: Import Geo-location Database from Remote Server Page

Exporting Geo-location Database into Remote Server Page


1. Select the geo-location lists to be exported from the File Management page and then export them.
2. The remaining configuration options are available on the Export Geo-location Database into Remote Server page.


FIGURE 29-9: Export Geo-location Database into Remote Server Page

Exporting Geo-location Database into a Local Drive


1. Select the geo-location database to be exported from the File Management page and then export it.
2. The geo-location database is downloaded to the local system in .tar.gz format.
