Coyote Point Systems Equalizer Spezifikationen

Document Version:10.0.4cEqualizer®Administration GuideEQ/OS 10April 18, 2013The recognized leader in proven and affordable loadbalancing and applicati

Table of ContentsUDP Cluster Configuration Persistence 280UDP Cluster Configuration Timeouts 281Modifying a Layer 7 HTTP or HTTPS Cluster 282Layer 7 C

Network ConfigurationA number of methods can be used to mitigate problems and threats associated with large broadcast domains,including broadcast filt

Task Command / ProcedureGUI1. Expand the VLANs node in the left frame.2. Right-click the name of the VLAN you want to delete.3. Select Delete VLAN fro

Network Configurationl VID - A unique integer identifier for the VLAN, between 1 and 4094.l MTU - MTU can be specified for tagged and untagged VLANs o

l tagged - Tagged ports can be assigned to more than one VLAN.l untagged - Untagged ports can be assigned to exactly one VLAN.Click on Commit to save

Network ConfigurationTask Command / ProcedureVLANGUI1. Expand the VLANs node in the left frame object tree.2. Expand a VLAN.3. Click the Subnets node

Click on Reset to revert to the default permissions. Click on Commit to save any subnet permission changesmade.See "VLAN and Subnet Commands"

Network Configuration1. Log into the GUI using a login that has add/del access for global parameters (See "Logging In" on page 192)2. Click

eqcli > vlan [internal vlan name] subnet [internal subnet name] default_route [IP address]4. If there are any static routes configured for the exte

Network ConfigurationThe same information for a single port can be displayed by specifying the port name:eqcli > show interface swport03Interface N

l MTU - MTU can be specified for tagged and untagged VLANs on all switched systems (E350GX, E450GX,E650GX)for tagged VLANs on non-switched systems (E2

How Match Rules are Processed 319Match Rule Order 319Match Rule Expressions and Bodies 321Match Rule Expressions 321Match Bodies 323Match Rule Functio

Network ConfigurationPolicy RoutingRouting is the process of selecting the network path to use when one device (the source) sends a packet toanother d

routed from Equalizer based on each scenario. Refer to"How Spoof Influences Routing" on page 245 for additionalinformation on spoofing and &

Network ConfigurationlDestination IP Address - The IP address for the host or subnet. For IPv4, specified as a ClasslessInternet Domain Routing (CIDR)

Source Based Routing ScenariosSource routing allows the originator of a packet to partially or completely specify the path that a packet will takethro

Network Configuration114Copyright © 2013 Coyote Point Systems. A subsidiary of Fortinet, Inc.

Source Routing ScenariosThe following are possible scenarios for load balancing source-based routing through Equalizer:Scenario Source Destination DSS

Network ConfigurationSpoof Load Balancing Toward ServerIn the load balancing source-based routing scenario presented below, spoofing is enabled so tha

Spoof Load Balancing Toward ClientIn the load balancing source-based routing scenario presented below, spoofing is enabled so that the source is speci

Network ConfigurationNon-Spoof Load Balancing Toward ClientThis scenario is the same as "Spoof Load Balancing Toward Client" however, spoofi

Source, Destination SpecifiedIn this scenario, the source and destination are both specified by the client. Equalizer will function as a router tosend

Table of ContentsCreating a Match Rule to Redirect All Traffic for a Specific URL 355More Responder Examples 356Responders and Hot Spares 356Configuri

Network ConfigurationGenerated by EqualizerThis scenario is typically used for administrative and probing purposes. It can also be used for upgrades,

Enabling DNSTo enable the Domain Name Service (DNS), add a name server to the configuration. Name servers are added tothe name-server list one at a ti

Network Configurationlatency, for example, the two clocks may never be in sufficient agreement to increase the delay towardsmaxpoll. In this case, Equ

Or, for the US, you would use:0.us.pool.ntp.org1.us.pool.ntp.org2.us.pool.ntp.orgBe careful when using country based NTP pool servers, since some coun

Network ConfigurationDefault Source SelectionThe DSS, or Default Source Selection table is a listing of all destination networks configured in Equaliz

To view the current IP Filter rules, the show sbr command can once again be used. The example below isshortened due to its length.IP Filter Rules:IPv4

Network ConfigurationUsing this command while trying to establish a connection that may not be working can be a good method offinding out what is wron

Chapter 9Working in the CLISections in this chapter include:Starting the CLI 128Logging In to the CLI Over a Serial Connection 128Logging In to the CL

Working in the CLIStarting the CLIThe Equalizer Command Line Interface, CLI, gives you complete administrative control over Equalizer and is oneof the

2. Use SSH client software to open a connection with Equalizer using the enabled VLAN IP address and port22. Specify the login eqadmin, as shown in th

Simple Health Check Probes 378Configuring Simple Health Check Probe Parameters 378Simple Health Checks and Load Balancing Policies 382Server Agents 38

Working in the CLIWorking in the CLIThe Equalizer command line interface, or CLI, was developed to be an easy to use, intuitive, and flexiblecommand l

In each context, you can perform operations on the objects and parameters that exist in that context (e.g., create,delete, modify, display, set). When

Working in the CLIObject RelationshipsMost contexts in the CLI correspond to an Equalizer object -- servers, server instances, server pools, clusters,

Command Line EditingUse the key sequences below to edit the current command linectrl–actrl–eMove the cursor to the beginning of the lineMove the curso

Working in the CLIeqcli > srvpool sp01 si “sv01, sv02” flags “hot_spare, quiesce”Enabling and Disabling FlagsMost objects have a flags keyword that

Command Abbreviation and CompletionYou do not need to type an entire command name in order to execute a command. If you type enough characters touniqu

Working in the CLIWhen specifying server instances on the command line, the user can specify either a single object or a commaseparated list of object

For parameters, the no form requires the complete command used to set the parameter, minus the argumentsetting the value. So, for example, to reset th

Working in the CLIFor example, if sv01 exists and the current context is “sv-sv01”, then the following commands are queued until acommit, exit, or <

l If you type the complete name of a command that is valid in the current context and type <?>, context helpfor that command is displayed. For e

Table of ContentsFailover Probes and Failover Timeouts 436Modifying Failover Timeouts in Production 438Peer, Interface, Subnet States and Substates 43

Working in the CLIdate Tue Apr 2 18:39:36 UTC 2013timezone UTClocale englobal services http, https, ssh, snmp, envoy, envoy_agentname-servers 10.0.

Global CommandsThe table below lists the global configuration commands that are available in the global context of the CLI. Thesecommands allow you to

Working in the CLIGlobal Commandseqcli > icmp_maxtries : Set the maximum number of ICMP probes in a probeintervaleqcli > interface : Modify an i

Global Commandseqcli > syslog : Enable or disable remote logging.eqcli > syslog-server : Set the syslog server IP addresseqcli > timezone : S

Working in the CLICertificate CommandsEach SSL certificate installed on Equalizer has a CLI context that provides commands for managing the certificat

Certificate Revocation List CommandsThe crl context provides commands for managing Certificate Revocation Lists (or CRLs). CRLs can be used toverify t

Working in the CLICluster and Match Rule CommandsEach cluster has its own context and the settings available in the cluster’s context depends on the c

Using Cluster Commands in a Cluster Specific Context[!]ignore_case,[!]insert_client_ip,[!]no_header_rewrite, [!]once_only,[!]spoof,[!]tcp_mux}For Laye

Working in the CLIUsing Cluster Commands in a Cluster Specific Context{[!]allow_sslv2,[!]allow_sslv3,[!]push_client_cert,[!]require_client_cert,[!]str

Using Match Rule Commands in the Global Contexteqcli > cluster clname match maname req_cmds : Create maname (req_cmds = *commands below)eqcli >

Creating Alerts for SNMP Traps 497User and Group Management 499Best User and Group Management Practices 500Object Permission Types 500Required Task Pe

Working in the CLICluster and Match Rule Command Notesl When creating a cluster, the list of available parameters depends on the protocol selected for

https onlyallow_sslv2Enable SSLv2 for client connections.Copyright © 2013 Coyote Point Systems. A subsidiary of Fortinet, Inc.All Rights Reserved.151E

Working in the CLIallow_sslv3Enable SSLv3 for client connections.152Copyright © 2013 Coyote Point Systems. A subsidiary of Fortinet, Inc.

push_client_certSend the entire client certificate to the back-end server. This allowsthe server to confirm that the client connection is authenticate

Working in the CLI(the default), onlythe last certificate in the chain is checked forvalidity.154Copyright © 2013 Coyote Point Systems. A subsidiary o

External Services CommandsUsing External Services Commands in the Global Contexteqcli > ext_services : Add or modify a mail server inthe'ext_s

Working in the CLIGeoCluster and GeoSite Instance CommandsEnvoy provides cluster load balancing between Equalizers running at two or more geographical

GeoCluster Context Commandsresponsivenesseqcli gcl-gclname> ttl integer : DNS cache lifetime for EnvoyresponsesUsing Geosite Instance Commands in t

GeoSite CommandsA GeoSite definition points to an Equalizer running Envoy and a cluster defined on that Equalizer. GeoSites areassociated with GeoClus

Table of ContentsName a GeoSite Resource (CLI) 537Add a GeoSite Resource Instance to a GeoCluster (GUI) 537Add a GeoSite Resource Instance to a GeoClu

Interface CommandsThe interface context commands let you configure and manage Equalizer’s front panel interface ports. There is aseparate context corr

Number of transmitted QoS Class 3 framesThe total number of received Quality of Service (QoS) Class3frames transmitted by thisportTotal number of drop

errorsThe total number of bad packets (e.g., CRC errors,,alignment errors) received on thisinterface.dropsThe total number of packets that were droppe

Object List CommandsObject lists make it easier to manage user permissions by allowing an administrator to assign user permissions vialist of objects.

Peer CommandsPeer context commands are used to manage the configuration of failover peers, including the failover peerconfiguration for this Equalizer

Peer Context Commandseqcli peer-peer> debug : Set the debug leveleqcli peer-peer> flags[!]failover|fo_config_xfer|[!]os8|[!]preferred_primary[!]

Responder CommandsResponders are global objects in the sense that a single responder can be assigned to multiple clusters. They areused when no server

lsorry - A customized HTML “sorry page” that can, for example, ask the client to retry later or go to anotherURLFor example, the following command cre

Server CommandsIn the server context, you define a real server using a minimal set of parameters (IP address, port, protocol, etc.).Once defined, a re

Server Pool and Server Instance CommandsA server is attached to a cluster via aserver pool. A server pool is a collection of server definitions, each

VMware Host Requirements 570Installing Equalizer OnDemand Using OVF 570VMware vSphere or vCenter Clients 571Installing Equalizer OnDemand from a ZIP f

Using Server Pool Commands in a Server Pool Specific Contextslowest,5 = fastest. Default =3.eqcli sp-spname> show : Show the server poolconfigurati

Using Health Check Commands in a ServerPool Specific Context'down'.eqcli sp-spname-hc-hcname> stimulus stimulus : Set the stimulus strin

hot_spareEnable the hot spare check box if you plan to use this server as a backup server,in case the other server instances in a server pool on the c

once_onlyEvaluate the first set of headers in a client connection only.persist_overrideIf cluster persist isenabled, disable it for thisserver.spoofUs

Load Balancing Policy Descriptionstatic weightstatic weight load balancing distributes requests among the serversdepending on their assigned initial w

lOptimization Threshold controls how frequently Equalizer adjusts dynamic weights. If Equalizeradjusts server weights too aggressively, oscillations i

SNMP CommandsThe parameters in the SNMP context specify return values for the following Object IDs (OIDs) in the EqualizerSNMP Management Information

Enabling SNMP (CLI)By default, SNMP is a globally enabled service -- meaning that it will run on any subnet that is configured to offerthe SNMP servic

IP address. “fo_snmp” means that SNMP is globally enabled for any subnet failover IP address. Ifeither of these keywords has a preceding exclamation p

Tunnel CommandsUse tunnel context commands to configure Equalizer to access the IPv6 Internet via an IPv6 “6in4” tunnel. Notethat you must first reque

User CommandsUsing "User"Comands in the Global Contexteqcli > user uname [cmds] : Create user uname (see belowfor cmds)eqcli > user u

Using User-alert context commands:User-alertContext Commandseqcli > user-uname-alertname > alert-typealert flags{[!]exception,[!]state_change}:

emailWhen enabled, sends an email to the specified recipients, using aspecified SMTP relay mail server. When this notification type is used, anemail a

l A default user (i.e. "touch") is assigned a duration of 0 seconds . When additional users are created thedefault duration value is 3600 se

be separated by commas. If spaces are included, the entire list of permissions must be enclosed inquotes.l type - One of the following object types:ce

l This form of the permit_objlist command allows the user to create objects of the specified type.The command arguments for assigning permission to ob

VLAN and Subnet CommandsUsing VLAN Commands in the Global Contexteqcli > vlan vlname req_cmds : Create vlname (req_cmds = *commands below)eqcli >

Subnet Specific Context Commandseqcli vl-vlname-sn-subname> default_routeip_addr: Set default routeeqcli vl-vlname-sn-subname> flags{[!]command,

def_src_addr Stipulates that this subnet is to be used for the default equalizer source IP.heartbeatAllows the failover peers to probe one another ove

VLAN SubnetsA single VLAN can have more than one subnet assigned to it. In most configurations, there is a one-to-onerelationship between VLANs and su

Chapter 1IntroductionSubsections in this chapter include:Chapter Summary 20Using the WebHelp 22Differences From Prior Releases of EQ/OS 25Typographica

Similarly, you’ll need to specify the reverse route: let’s say you only want to route packets to vlan1 from portsconfigured for vlan2if they originate

Chapter 11Using the GUISections in this chapter include:Logging In 192Navigating Through the Interface 193Entering Names for Equalizer Objects 196Glob

Using the GUILogging InThe Equalizer Administrative Interface, here inafter referred to as the “GUI” is a browser based interface. Ingeneral, the GUI

Navigating Through the InterfaceThe Equalizer Administration Interface is divided into three major sections:1. Left Navigational PaneCurrent Host Name

Using the GUIClustersClick thisitem to display the Cluster Summary.Right-click this item to display the cluster command menu.If clusters are defined,

VLANsClick thisitem to display the VLAN Summary.Right-click this item to display the VLAN command menu.If VLANs are defined, clickthe triangle to disp

Using the GUIClick on any item in the left pane, or right click to choose a command for that object. The right pane will display themanagement tabs fo

The following Global Parameters are configured on this screen (tab). Click on Commit to save your parameters orReset to return the default values.Host

Using the GUIleast probe interval seconds apart. This value is solelyatarget; the monitoring processadjustsitself based on a numberof factors, includi

l Device name and Modell Software versionl Internal and External IP addresses and netmasksl Default gatewayl Failover aliasEqualizer's failover d

Copyright © 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registeredtrademarks of Fortinet, Inc., and other Fort

IntroductionChapter SummaryEqualizer is designed to be administered equally as well from either a console Command Line Interface or abrowser-based Adm

Using the GUISystem Name - this is the name assigned to the system. By default it is Equalizer.Community String - Any SNMP management console needs to

MIB FilesAll MIBs referenced by the supported MIBs are included on Equalizer.The MIB filenames comprise the MIB name plus the filename extension ”.my”

Using the GUI2. Click on Add Certificate to display the Add Certificate dialogue form as shown below.3. Click on Choose File to select a locally store

If a CRL attached to a cluster was generated by a Certificate Authority (CA) different fromthe CA used to generate a client certificate presented when

Using the GUIClick on Commit if the CRL is the one you would like to upload to Equalizer. The CRL file will beuploaded to Equalizer and will appear on

Events LogThe events log displays events for each element configured on the Equalizer. This includes Clusters, ServerPools, Servers and Responders. It

Using the GUIExport to CSVClick on the Export to CSV button to download the load in comma separated values (*.csv) format. The file namewill be in the

Enter a name of the Remote Syslog server and enable the logging by checking the Enable Remote Loggingcheckbox. Click on Commit to save the entry.Exter

Using the GUITo add and SMTP relay, click on to display the Add SMTP Relay form as shown below:Enter an IP Address for the SMTP Relay in the SMTP Serv

l Click on the appropriate label at the bottom of the screen to expand the screen so that you can editparameters on any of the existing connections.l

lClusters -- tells you how to add and remove virtual clusters and servers, changing load balancing options,and shutting down servers.lMatch Rules -- s

Using the GUIMaintenanceThe Maintenance screen (tab) allows you to access the sections in the related topics.Setting Date and TimeThe System time sett

The Backup feature allows you to back up an Equalizer’s user-configured objects and parameters to a file that canbe uploaded and later restored to ano

Using the GUICurrent Boot ImageThe current boot image and the partition where it resides is displayed.EQ/OS Release StatusWhen you select the upgrade

ToolsThe Tools screen provides three useful utilities that includes:l A Halt/Shutdown command, allows you to turn your Equalizer "off" from

Using the GUISave System StateClick on the Save System State accordian tab to display the following. In this screen you can set up a Save State orsyst

a. If you select Local, the archive will be saved in the default “save” directory specified in yourweb browser options.b. If you select FTP URL, enter

Using the GUIThe following is en example of a switched system, Equalizer E650GX. The E350GX and E450GX are alsoswitched systems.The following is an ex

No Link, No VLANs Assigned.Administratively Disabled.Modifying Port SettingsYou modify settings for any selected port using the GUI by selecting Equal

Using the GUIautonegotiation.Duplex ModeIf the port status is Link Up, this is the current port duplex setting. If thestatus is Link Down, this is eit

Number of good broadcasts and multicastsThe total number of goodbroadcast/multicast (e.g., ARP) packetsreceived on this port.Number of bad packets rec

IntroductionlEqualizer OnDemand -- discusses the differences between Equalizer OnDemand and Equalizer hardware,prerequisite requirements, installation

Using the GUIerrorsThe total number of bad packets (e.g., CRCerrors,, alignment errors) received on thisinterface.dropsThe total number of packets tha

Additional Equalizer Objects on the GUIThe Equalizer Command Line Interface eqcli or “CLI” is a major new feature in EQ/OS 10. In addition toconfigura

Chapter 12Configuring an IPv6 TunnelSections in this chapter include:IPv6 Tunnel Overview 224Configuring an IPv6 Tunnel 225Creating a "6in4"

Configuring an IPv6 TunnelIPv6 Tunnel OverviewEvery network administrator needs to have a strategy to address the transition to the IPv6 Internet. Var

For example, Hurricane Electric provides what they call “regular” tunnels and “BGP” tunnels. For Equalizer, youwould choose a “regular” Hurricane Elec

Configuring an IPv6 Tunnelcreated in Step 1, or its routable NAT address.Hurricane Electric will set up the tunnel and provide you with the following

l You can choose any names for the VLAN and subnet.l The VLAN ID (vid) supplied must be appropriate for your network configuration.l The IPv6 address

Chapter 13Server Pools and Server InstancesSections in this chapter include:Managing Server Pools 230Configuring Server Pool Load-Balancing Options 23

This text entry box is where you can enter a search term to search the open topic for specific details. Click onafter you have entered a search term.T

Server Pools and Server InstancesManaging Server PoolsA server is attached to a cluster via a server pool. A server pool is a collection of server def

server.l Response load balancing - dispatches the highest percentage of requests to the server with the shortestresponse time. Equalizer does this car

Server Pools and Server Instancesl Weight Spread Coefficient regulates the speed of change to a server’s dynamic weight. The weightspread coefficient

Equalizer can perform the same exchange automatically and verify the server’s response by checking the returneddata against an expected result.Specify

Server Pools and Server InstancesClicking on the icon will delete the currently selected server pool.In addition to the names of the server pool on th

4. Configure the Handshake Probesas described in "Health Check Timeouts" on page 394.5. Configure the load balancing options as described ab

Server Pools and Server Instances3. Use the load balancing options as described above in "Configuring Server Pool Load-Balancing Options" on

5. Configure the server instance using the following parameters:Note - For servers in Layer 7 HTTPS clusters, set the probe port to something other th

Server Pools and Server InstancesFor example, you might configure a server as a hot spare if you are usinglicensed software on your servers and the li

Adding Server Instances (CLI)Server instance specific commands can be applied to multiple server instances by entering a comma-separatedlist of server

IntroductionGlossarySelect the Glossary accordion tab to access a glossary of load balancing and Equalizer-specific terminology. Clickon each term to

Server Pools and Server InstancesThe CLI is now in the aggregate server instance context “sv01,sv02,sv03” -- only the first three characters ofwhich a

eqcli sp-spname> test acv12020289: There are no server instances in the server pool to test.Associate a Server Pool with a Cluster (GUI)1. To assoc

Server Pools and Server Instancespane and select Delete Server Pool.3. Click on Confirm when prompted on the Delete Server Pool dialogue form.Deleting

Chapter 14ServersSections within this chapter include:Server Configuration Constraints 244Configuring Routing on Servers 245Spoof Controls SNAT 245How

ServersServer Configuration ConstraintsWhen configuring servers on Equalizer, you must observe the following constraints:l In general, there must be n

Configuring Routing on ServersThe way you configure routing on servers behind Equalizer depends largely on whether Equalizer’s spoof option isenabled

ServersNote that you should configure routing on each server from the server’s system console, not through a telnetsession. This will avoid any discon

1. Log into the GUI using a login that has at least write access for the cluster that contains the server (See"Logging In" on page 192.)The

ServersMaximum ReusedConnections -Sets the maximum number of permitted open connections for the server. Once thislimit is reached, no more traffic is

Adding a Server (CLI)Perform this procedure once for each real server that you want to add to Equalizer.Enter the following:eqcli > server [server

Differences From Prior Releases of EQ/OSThe following are differences from previous versions of EQ/OS:New Command Line InterfaceThe Equalizer Command

ServersServer Summary ScreenClicking on a Server on the Server branch displays the Server Summary Screen that displays active connectioninformation as

l You donotneed to configure Equalizer as the gateway for the servers if you havedisabledthe IP spoof flagfor the cluster.Header Limitl Server respons

Serversquiesce option on the server’s Configuration tab. If the server is already configured for operation whenyou add it to Equalizer, you can disabl

Adjusting a Server’s Initial WeightEqualizer uses a server’s initial weight as the starting point for determining the percentage of requests to route

ServersSetting initial Weights for Mixed ClustersEqualizer enables you to build heterogeneous clusters using servers of widely varying capabilities. A

d. Click on Commit to save your changes to the server configuration.Maximum Connections Limits, Responders, and Hot SparesWhen a maximum connections l

Serversincoming connection has an existing Layer 4 sticky record or Layer 7 cookie for a server, however, therequest will be sent to that server even

1. In the left frame, click the name of the server to be removed. The server’s parameters appear in the rightframe.2. Set the server’s weight to zero;

Chapter 15ClustersSections in this chapter include:Cluster Types and Use with Equalizer 260Cluster Connection Timeouts 261Adding and Deleting Clusters

Introduction1. Create servers -- use the IP addresses and ports of the real servers behind Equalizer.2. Create server pools -- set load balancing para

ClustersCluster Types and Use with EqualizerA virtual cluster is a collection of server pools with a single network-visible IP address. All client req

the request is notexamined.balancing decisions can bebased on application specificcriteria through the use of"Match Rules" on page 317.)IPAd

Clusters1. Equalizer has an idle timer for the established client connection, a connect timer to establish a serverconnection, and an idle timer for t

The timeline below shows the sequence of timeout events when a new connection is received by Equalizer.Copyright © 2013 Coyote Point Systems. A subsid

ClustersThe following table shows the value range for the Layer 7 HTTP / HTTPS connection timeouts.Parameter Minimum Default Maximum Unitsclient timeo

The previous sections describe how the connection timeouts work when the once only flag is disabled on a cluster;that is, when Equalizer is examining

ClustersParameter Minimum Default Maximum Unitsidle timeout 0 0 2147483647.0 secondsstale timeout 1.0 15.0 120.0 secondsNote that if you change the st

eq.l7lb.http.client_timeoutsThe total number of Layer 7 (HTTP and HTTPS) connections that were terminatedbecause the client timeout expired.eq.l7lb.ht

ClustersCluster Name - The logical name for the cluster, or accept Equalizer’s default. Each clustermust have a unique name that begins with an alphab

Follow these steps to delete a new Layer 7 or Layer 4 virtual cluster using the GUI:1. Log into the GUI using a login that has add/del access for glob

l Bold courier text is text the user must type at the CLI prompt. Bold courier text in brackets -- indicatesa keyboard key or key sequence that must b

ClustersAdd a cluster using eqcli as follows. In this example a Layer 7 HTTPS cluster is created. Since the protocol isHTTPS, port 443 is used.1. Log

Sticky - For Layer 4 clusters only. This is the number of entries in the "sticky table" for each server.Customizing the DisplayThe cluster s

Clusterseqcli > show cluster httptest-1The following is an example of the http cluster summary display. It is different than the GUI display in tha

Modifying a Layer 4 TCP or UDP ClusterThe configuration tabs for a cluster are displayed automatically when a cluster is added to the system, or bysel

Clustersnavigational pane and then selecting the Configuration>Settings tabs.Protocol The protocol used for the cluster.VID The VLAN ID number. Thi

SpoofWhen the Spoof option is enabled on a cluster, Equalizer uses the client’sIP address as the source IP address in all packets sent to a server in

ClustersSticky NetmaskEnables sticky network aggregation for a subnet. Sticky networkaggregation is applicable for Layer 4 and Layer 7 clusters. Stick

Server TimeoutThe time in seconds that Equalizer waits before closing an idle serverconnection. The default is the global value. (between 1 and 65535s

ClustersUDP Cluster Configuration SummaryThe UDP Cluster Configuration Summary screen is displayed automatically when a UDP cluster is added to thesys

Protocol The protocol used for the cluster.VID The VLAN ID number. This is an integer between 1 and 4095.IPEnter the IP address, which is the dotted d

Introductionl Online device manuals, supplements, and release notes: the latest Equalizer documentation andupdates.l Links to additional resources, an

ClustersWhen Spoof is enabled, all server responses to client requests that camethrough the Equalizer cluster IP address must be routed by the serverb

Sticky NetmaskEnables sticky network aggregation for a subnet. Sticky networkaggregation is applicable for Layer 4 and Layer 7 clusters. Sticky networ

ClustersClick on the Commit button after making changes to the settings.Modifying a Layer 7 HTTP or HTTPS ClusterOn the GUI, the Configuration >Sum

Layer 7 Cluster Configuration SummaryAs described in "Modifying a Layer 7 HTTP or HTTPS Cluster" on page 282 the Layer 7 Cluster Configurati

ClustersSample Layer 7 HTTP, HTTPS, and TCP Cluster Configuration Summary ScreenLayer 7 HTTP and HTTPS Cluster SettingsThe following are descriptions

The fields on this screen are as follows:ProtocolThe protocol selected in the Add Cluster form will be displayed “grayedout”.VIDThe VLAN ID number ass

Clusters"Specifying a Custom Header for HTTP/HTTPS Clusters" on page308.Compression Minimum Size(E650GX Only)The minimum file size in bytes

Insert client IPWhen this flag is enabled, Equalizer inserts an X-forwarded-for: headerwith the client's IP address into all client requests befo

Clustersserver so that they are HTTPS. You can direct Equalizer to pass responsesfrom the server without rewriting them by enabling this option.Ignore

The fields on this screen are as follows:ProtocolThe protocol selected in the Add Cluster form will be displayed “grayedout”.VIDThe VLAN ID number ass

Chapter 2Equalizer OverviewSections within this chapter include:About Equalizer 30Intelligent Load Balancing 30Load Balancing Configuration 31Real-Tim

Clustersnetstat console command.Delayed BindingWhen enabled, this option will require servers to send the first byte ofinformation on newly establishe

Equalizer can use cookies or a server’s IP address to maintain a persistent session between a client and aparticular server. A cookie is included with

Clusterspersistence method and the “fallback” persistence method by dragging and dropping as well. As indicatedpreviously, with “fallback persistence”

number embedded in the cookie. Conversely, if you need to invalidate oldcookies, increment this number.Always - When this flag is disabled Equalizer w

ClustersPersist Type Fallback Persist Type Result[none] [none] The server isselected on the load balancing Policy/Algorithm.[none] Source IP invalid c

Persist Type Fallback Persist Type Resultselected using the Load balancing Policy/Algorithm.Cookie 0:Cluster IP/Port,Server IP/PortCookie 2:Cluster IP

ClustersLayer 7 Cluster ReportingRefer to "Cluster and Match Rule Reporting (CLI and GUI)" on page 404 for details.Layer 7 Cluster TimeoutsT

3. PFX - PFX format files are also in PKCS #12 format, however, with additional Microsoft specifics. Thesefiles usually have a ".pfx" extens

Clusterschain. The default of 2 indicates that the client certificate (level 0) and twolevels above it (levels 1 and 2) are checked; any certificates

Allow SSLv3 Enables SSLv3 for client connections.Software SSL Only(E450GX & E650GX only)When disabled (default), an HTTPS cluster performs hardwar

Table of ContentsTable of Contents 3Introduction 19Chapter Summary 20Using the WebHelp 22Differences From Prior Releases of EQ/OS 25Typographical Conv

Equalizer OverviewAbout EqualizerEqualizer is a high-performance content switch that features:l Intelligent load balancing based on multiple, user-con

Clusters1. Configure an HTTPS cluster on Equalizer. Use the GUI as described in "Adding and Deleting Clusters" onpage 2672. Add a default ce

associated withCertificateUse the drop down list to select the name of a certificate that you would liketo associate the SNI with.7. Click on Commit t

Clusterswhere:testsni is the name of the SNIsnicertificate1 is the name of the certificate being added to the SNI.6. Display the contents of the new c

About Passive FTP TranslationIn version 8.6 if your servers were on a network that the outside world could not reach, you were provided thecapability

ClustersSticky connections are managed on Equalizer usingsticky recordsthat record the IP address, port and otherinformation for the client-server con

For example, before HTTP 1.1, if a browser wished to retrieve the file index.html from the serverwww.coyotepoint.com, the browser would take the follo

ClustersRequestsin a singlekeep-aliveconnectiononce only enabled once only disabledhit, send the request to the server in the cookieonlyifit is in the

once only enabled once only disabledalwaysenabledEqualizer always inserts a cookie into thefirstset ofresponse headerson a connectiononly. The cookie

ClustersNote that the GUI does not permit you to enable once only and disable no header rewrite -- this optioncombination would rewrite the Location:

Front-End-Https: on7. Select commit to modify the cluster.Performance Considerations for HTTPS ClustersLayer 7 HTTPS clusters have several options tha

FeatureCluster TypeL4 UDP L4, L7 TCP L7 HTTP L7 HTTPSLoad balancingpoliciesRound Robin, StaticWeight, Adaptive, Fastest response,Least Connections, Se

ClustersWhen a connection is established by a client for an HTTPS cluster, Equalizer performs the SSL processing on therequest (this is called SSL off

Consult the documentation for the firewalls and NAT devices used at your site to determine how to set up thosedevices appropriately for FTP transfers.

ClustersConfiguring Direct Server Return (DSR)In a typical load balancing scenario, server responses to client requests are routed through Equalizer o

Note - In both configurations that the incoming client traffic is assumed to originate on the other side of the gatewaydevice for the subnets on which

ClustersDSR can also be used in dual network mode, although this is a less common configuration than single networkmode. Cluster IPs are on the extern

The cluster parameters Direct Server Return, Spoof, and Idle Timeout are directly related to direct server returnconnections:l Direct Server Return -

ClustersTesting Your Basic ConfigurationOnce you have installed and configured Equalizer and your servers, perform tests to verify that Equalizer iswo

Chapter 16Match RulesSections in this chapter include:Using Match Rules 318How Match Rules are Processed 319Match Rule Order 319Match Rule Expressions

Match RulesUsing Match RulesThe ability to make load balancing decisions based on the content of a client request is what separates Layer 7processing

Some sites may want to have one system serve only requests for graphics, and one system serve only textrequests.By adding appropriate Match Rules, Equ

Equalizer OverviewICMP Probesuses the Internet Control Message Protocol to send an "Echo request" to the server, and then waitfor the server

Match RulesIn other words, the goal is to load balance the highest possible number of requests according to the settings in thefirst match rule, which

At left in the figure above are the expressions for the three match rules, shown in the order in which they areconfigured in the cluster. At right, th

Match Rules!expressiongiving rise to the next simplest example:!any()which always evaluates tofalseand always results in the match rule not being sele

Some function arguments can take the form of a regular expression1. Note that you cannot put regularexpressions.Matching regular expressions (using *_

Match RulesMatch Rule FunctionsMatch rulefunctionsgenerally test for certain strings or settings in the headers and URI of a client request. In thetab

tls1()HTTPS only. This function evaluates to true if the client negotiated theencrypted connection using TLS version 1.0.Non-URI header match function

Match Rulesl Match functions for the optional <params> component are not provided. Use the pathname*() andfilename*() functions to match charact

URI Function Descriptiondirname_regex(string)This function evaluates to true if the string argument, interpreted as a regularexpression, matches the d

Match RulesMatchrulesare defined in the file/var/eq/eq.confwith the definition of the cluster to which the match rule applies.A match rule as it appea

Functions can be negated using the “!” operator. To change the above example to match all client requests with asource IPnoton the 10.10.10/24 network

to one of Equalizer’s IP addresses before forwarding packets to a server. The servers will send responsesback to Equalizer’s IP (so it is usually not

Match RulesIf we instead were to skip a match rule because, for example, the server selected by the match rule is down, therequest would be evaluated

Accept-Language If-Modified-Since Transfer-EncodingAuthorization If-None-Match UpgradeCache-Control If-Range User-AgentConnection If-Unmodified-Since

Match Rulesmatch rule hit on... once only disabled once only enabledon the sameconnectionlist, send the request to the server in thecookie.Otherwise,

All Layer 7 clusters created via the Equalizer Administration Interface start with a single match rule (namedDefault) that matches all requests and se

Match Rules6. Use the Expression Editor to build your match expression. Refer to"Match Rule Expression Examples" onpage 328 for details on u

connection.Ignore CaseThis function always evaluates to true, and is intended to be used to apply theIgnore Caseflag for comparisons when it is not se

Match Rules3. Assign a Server Pool to the newly created Match Rule by entering:eqcli cl-clname-ma-maname> srvpool spname4. Add or remove Responder,

Using Responders in Match RulesResponders are used to send automated responses to clients when all the server pools in a match rule are down.See "

Match Rules4. Type “support” into the hostname prefix text box as follows:5. Click on accept after entering “support” and then click on the continue b

b. Select the server pool that this new rule willprecedeusing the Next Match Rule drop-downlist and click on Commit. The new rule will appear on the n

Equalizer Overviewl Active connections - The number of connections a server currently has active and the number ofconnections that it tends to have op

Match RulesWhen a match rule is configured you can specify that persistence methods for that match rule -- which supercedethose the persistence method

The procedure below shows you how to create a match rule that selectively disables the cluster Spoof optionbased on the client IP address of an incomi

Match RulesTo do this, we’ll create two match rules, as follows:1. Log into the GUI using a login that has add/del access for the cluster.2. In the na

c. Select continue.5. Repeat Step 4 for each of the other filename suffixes on our example servers -- gif, bmp, tif and png.6. In our example, we want

Match Rules7. Click on Commit.The images rule we created selects all the requests for image files; now we need a rule to determine whichservers will r

The Match Rule Expression Editor is separated into 3 panes.l The Operators pane displays the available operators:“$$” is used for the logical AND oper

Match RulesClicking on the continue or cancel button will close the Expression Editor.Clicking on the Reset button will remove all of your configured

Chapter 17Automatic Cluster RespondersNote - Responders are not supported on E250GX model EqualizersSections within this chapter include:Overview 348M

Automatic Cluster RespondersOverviewA Responder is a server-like object that can be associated with a Match Rule. It provides you with the ability toc

The Add New Responder dialog appears. By default, the form for creating a RedirectResponder is displayed:2. Type a Name for the Responder or leave the

l load balance all other requests across all of the serversMatch Rules are constructed using match functions that make decisions based on the followin

Automatic Cluster Responders4. In the screen that follows, you can optionally test your responder. Do one of the following:l For a Sorry Server respon

l parse the URL of an incoming requestl break it down into separate strings (based on the positions of literal characters in the expression)l assign e

Automatic Cluster RespondersThis Responder can be used in any cluster where a Redirect to an HTTPS cluster is desired.Example 2 - Multi-Hostname Redir

It should be noted that this example will not work for requests with destination URLs specified with an IP addressfor a hostname (e.g.,"12.34.56.

Automatic Cluster RespondersThis Responder can be used in a Match Rule in any cluster where a similar directory name based redirect isrequired.Using R

l matches any incoming requestl selects the server pool specifiedl has a Sorry Server Responder selectedFor example, let’s say you have two Responders

Automatic Cluster RespondersAnother common cluster configuration requirement is to be able to automatically redirect all traffic that uses aspecific U

Responders provide functionality that automates the very basic functions of a hot spare server, and off loads themonto Equalizer. If more functionalit

Chapter 18Configuring Server ConnectionsSections within this chapter include:HTTP Multiplexing 360Enabling HTTP Multiplexing 360Disabling "spoof&

Equalizer OverviewThe figure below shows the connection establishment and server failover mechanism.For Layer 7 clusters, the connection must be estab

Configuring Server ConnectionsHTTP MultiplexingHTTP multiplexing is the re-use of established server connections for multiple clients connections. The

After TCP multiplexing is enabled as above, it can be selectively disabled on clusters and server instances withoutmodifying the TCP multiplexing para

Configuring Server ConnectionsServer Options for HTTP MultiplexingOnce a server sends a complete response to a client request, instead of closing the

In releases of EQ/OS previous to Version 10, an outbound NAT address was specified on a per-server basis. InEQ/OS 10, outbound NAT addresses are confi

Configuring Server Connectionsaddress. Since the cluster IP address is configured on the loopback interface of each server (See "ConfiguringDirec

respond to clients directly. In most DSR configurations, the default gateway used on servers is thegateway most appropriate for reaching the client ne

Configuring Server Connectionsc. On the Web Site tab, next to IP address, select the Advanced button.d. Select the Add... button under the top list bo

The output should look like this:lo:dsr Link encap:Local Loopbackinet addr:cluster-ip Mask:255.255.255.255UP LOOPBACK RUNNING MTU:16436 Metric:13. To

Configuring Server ConnectionsMost Linux and Unix systems default to the “weak host” model on all network interfaces, so no additionalconfiguration is

Chapter 19Server Health Check ProbesSections within this chapter include:About Server Health Check Probes 370Layer 3 ICMP Probes 370Enabling/Disabling

PersistenceThepersistenceofsession datais important when a client and server need to refer to data previously generatedagain and again as they interac

Server Health Check ProbesAbout Server Health Check ProbesThis chapter describes:l How Equalizer uses health check probes to ensure server availabilit

If a server does not respond to an ICMP echo request and no other probes are configured, the server is marked"DOWN", and Equalizer continues

Server Health Check ProbesWhen the ICMP Interval timer expires, a server is marked "up" if a response to any probe sent during the ICMPInter

Enabling/Disabling L4 UDP ProbesUDP probes are enabled for a UDP server as soon as a server instance for the server is added to a server pool.Default

Server Health Check ProbesEqualizer can perform the same exchange automatically and verify the server pool’s response by checking thereturned data aga

l Must be enclosed in single or double quotes if it contains a space character.l Any single or double quotes included within the string must be preced

Server Health Check ProbesGUI Probe Parameter (CLI Probe Parameter) DescriptionProbe Interval (probe_interval)A timer specifying the length of time (i

2. Modify the appropriate probe parameter values, as described inUDP, TCP, and ACV Probe Parametersabove.3. Click on Commit to save the configuration

Server Health Check ProbesSimple Health Check ProbesSimple health checks allow you to configure Equalizer to probe a specified target and retrieve a &

GUI Parameter (CLI Parameter) DescriptionProbe Connect Timeout (probe_cto)The health checkconnection timeout. The number of seconds(default: 1) that E

Equalizer Overviewnot aware. What Equalizerdoesknow is that a specific client has been load balanced to a specific server in one ofits virtual cluster

Server Health Check Probes6. Enter Simple Health Check parameters usingSimple Health Check Parametersabove.7. Click on Commit to save the configuratio

10. Select a Health Check Name from the drop down list and click on Commit. The following will be displayed.11. Health check instances will be arrange

Server Health Check Probes2. Display the configuration of HC1:eqcli > show srvpool MyPool health_check HC1Health Check Name : HC1Type : simplePort

By default, server agents are disabled on all new server pools. To enable server agents for a server pool, you needto write the agent, install and run

Server Health Check Probes# bind to the port, then listen on itbind(SERVER, $paddr) or die "bind: $!";listen(SERVER, SOMAXCONN) or die "

By default VLB health using the information in the VLB Manager object and the UUID as specified by the serverobject. If the use_server_port is set, th

Server Health Check ProbesConfiguring VLB Health Check Probe ParametersThe procedures in the Related Topics describe the process of configuring VLB ma

a. Enter a URL for the VLB Manager you would like to connect with in the VLB Manager URLfield. Add Username/Password credentials for login as well.b.

Server Health Check Probesselect a VLB Manager from the drop-down list above and click Get VMList. The figure below will bedisplayed.The popup contain

Note - Use the custom load balancing policy when you want to primarily rely on the load values specified by VLBhealth checks. Refer to "Equalizer

sticky connections. If Equalizer does not find a sticky record, Equalizer proceeds to check all of the other clustersthat have the same IP address. If

Server Health Check ProbesThe Health Check Instances screen features accordion panes for the existing and the new healthcheck instances that are label

where:name is the name of the vlb manager3. Enter the new VLB Manager, adding a URL, Username, Password, Connect Timeout parameters and flags.Enter:eq

Server Health Check Probes6. Enter the server context and set the vlb_manager value by entering the following. In this example the vlb_manager is “esx

Name URLesxi-01 https://192.168.213.196/sdkeqcli > show serverName Protocol IP Address Port Flagsmac-80 tcp 192.168.213.222 80 probe_l3xp-80 tcp 19

Server Health Check ProbesThis server is enabled.Server Name : centos216IP Address : 192.168.213.216Port : 22Protocol : tcpVID : 1Max Reuse Connection

to the IP address of every configured server object. The timeouts that control Layer 3 Health Check probes arelocated in the global CLI context and on

Server Health Check ProbesGUI Parameter (CLI Parameter) Location Descriptionexpects to receive in the first 1024 characters of the serverinstance resp

Simple and VLB Health Check TimeoutsSimple and VLB health checks each have their own timeouts, defined within the health check definition. They arenam

Server Health Check Probessection, with the exception that the Probe Data Timeout (probe_dto) is the timeout for the server response forthese health c

Chapter 20LoggingSections within this chapter include:Displaying Logs 400Remote System Logging 400Copyright © 2013 Coyote Point Systems. A subsidiary

Table of ContentsFirst Time Configuration Using EQ OS 10 49First Time VLAN Configuration Example 50Sample Equalizer Configuration 51Upgrading and Down

Equalizer OverviewGeographic load balancing can dramatically improve reliability by ensuring that your service remains availableeven if a site-wide fa

LoggingDisplaying LogsEqualizer logs can be displayed in both the CLI and the GUI.In the CLI, use the following command:eqcli > show log name lines

Substitute the IP address or hostname of a working syslog() server for IPaddr_or_name.If the remote syslog server is later removed using the no form o

Chapter 21Reporting (Statistics and Plotting)Sections within this chapter include:Cluster and Match Rule Reporting 404Server Pool and Server Instance

Reporting (Statistics and Plotting)Cluster and Match Rule ReportingThe CLI display of Statistics can be seen by entering the following within the clus

Sample Layer 7 Cluster GUI Statistical DisplaysThe following are definitions for the statistical terms shown on both the CLI and GUI:Layer 7Cluster S

Reporting (Statistics and Plotting)CLI Term GUITerm DefinitionACTIVECONX Active Connections Active Connections.BYTERCVD Bytes Received Bytes received

CLI Term GUITerm DefinitionN/A Transactions/second (TPS) The total responses processed.N/A Throughput ThroughputN/A Total Connections Total connectio

Reporting (Statistics and Plotting)The following is an example of a graphical plot that can be displayed on the GUI. Select a Cluster or Match Rule on

Sample Match Rule Graphical PlotSample Layer 4 Cluster Graphical PlotThe specific types of statistics that are displayed are determined by the selecti

Chapter 3InstallationSubsections in this chapter include:Warnings and Precautions 42Power Requirements 43Power Consumption 43Operating Environment 45R

Reporting (Statistics and Plotting)The Plot Type selection determines whether the display shown reflects a Static Time Span which is configuredusing t

To view the GUI display, select a server pool or server instance on the left navigational pane and click on theReporting tab to display statistics. Th

Reporting (Statistics and Plotting)Server Pool Statistic DefinitionsCLI Term GUITerm DefinitionTotal connections processed Total Connections Connecti

CLI Term GUITerm DefinitionTCP MUX Reuse Pool Overflow OverflowTotal Connections Closed byServer in TCP MUX Reuse PoolOverflowCx Dropped Due To Serve

Reporting (Statistics and Plotting)CLI Term GUITerm DefinitionFailed ParsingRSPFAILHDRTotal Responses Dropped forExceeding Header LimitResponses drop

The specific types of statistics that are displayed are determined by the selections on the Statistics pane on theupper right corner of the GUI.Make s

Reporting (Statistics and Plotting)Server Reporting (CLI and GUI)The CLI display of Statistics can be seen by entering the following within the server

The following are definitions for the statistical terms shown on both the CLI and GUI:Server Statistic DefinitionsCLI Term GUITerm DefinitionTOTALPRC

Reporting (Statistics and Plotting)CLI Term GUITerm DefinitionBYTERCVD Bytes Received Bytes received.BYTESEND Bytes Sent Bytes transmitted.TOTALSTKY

CLI Term GUITerm DefinitionN/A Input Bytes To Compress Input Bytes To CompressN/A Output BytesAfter Compression Output BytesAfter CompressionThe foll

InstallationWarnings and PrecautionsShort-Circuit ProtectionWarning This product relies on the building's installation for short-circuit (overcur

Reporting (Statistics and Plotting)Responder Reporting (CLI and GUI)The CLI display of Statistics can be seen by entering the following within the res

The following is a graphical plot that can be displayed on the GUI. Select a Responder on the left navigational paneand click on the Reporting tab and

Chapter 22FailoverSections within this chapter include:Understanding Failover 424How Equalizer Determines if it Should Assume the Primary Role 424Rele

FailoverUnderstanding FailoverIn an Active/Passive failover configuration, two Equalizers are configured into active and passive roles, with theactive

c. If the "Failed Probe Count" configured on the subnet is reached BEFORE the Global "FailedProbe Count" a failover will occur.3.

Failover1. Verify that your current failover configuration is operating properly and that there are no error messages inthe Peer Summary Screen on the

l On the EQ/OS 8.6 system, failover must be configured manually as shown in the procedure below (i.e., youcannot use the Failover Wizard).Server Avail

Failover3. Configure failover peers on the EQ/OS 8.6 system.a. Click Mode: Standalone at the top of the left frame to open the Failover > Required

l Be sure to use the same VLAN IP addresses on the EQ/OS 10 system that youspecified in Step "Failover Between EQ/OS 8 and EQ/OS 10" on page

l This unit should be mounted at the bottom of the rack if it is the only unit in the rack.l When mounting this unit in a partially filled rack, load

Failover12200451: Last probe sent to this Peer : #2 at Fri Jan 7 22:03:40 201112200452: Last probe received from this Peer: #2 at Fri Jan 7 22:03:41 2

b. Since the EQ/OS 10 Equalizer is in Backup Mode, it will not attempt to assume the cluster IPaddresses until a failover occurs.5. Set the hb_interva

FailoverNote that the coyote icons at the top of the left frame of the EQ/OS GUI will not change to indicate when theEQ/OS 10 system is the primary un

N+1 FailoverN+1 Failover is a feature of EQ/OS 10 where the failover configuration consists of multiple active peers ("N") plus1 passive pee

FailoverFailover Mode DescriptionStandalone No failover configured.Not InitializedA peer has not completed initialization. Thisis a temporarycondition

EQ/OS Version 10 Failover ConstraintsBefore you begin configuring failover, you must do the following:1. Ensure that the VLAN configuration on both EQ

FailoverThe following Equalizer objects AREsynchronized in a Failover configuration:The following Equalizer objects ARE NOTsynchronized in a Failover

When Equalizers are configured into a failover group, they continually probe (or heartbeat) each other so that abackup peer can assume the primary rol

FailoverModifying Failover Timeouts in ProductionWhen an failover pair is actively serving traffic, any changes to the global or subnet failover param

Configuring Active/Passive FailoverBetween Two EQ/OS 10 SystemsWhen two Equalizers are configured into Active/Passive failover, they form a "fail

Installationl Watts -- total power consumed by productl PF -- Power Factor (a ratio of the real power and apparent power consumed by the product)l Vol

Failover1. Configure VLANs and Subnets as described in "Configuring Subnets" on page 103. It is important that boththe VLANs are identical i

a. fo_https- when enabled the Equalizer will listen for https connections on the Failover IPaddress on the subnet.b. fo_ssh - when enabled ssh login w

Failover2. Configure VLANs and subnets on both units; they must be exactly the same as noted above under "EQ/OSVersion 10 Failover Constraints&qu

which the configuration file transfers (between preferred primary and preferred backup) canoccur.b. Checking the Heartbeat checkbox will allow the fai

Failovereqcli > ping gateway_IP_addressIf no gateways are responding, then configure a server with an IP address on a subnet withheartbeat enabled.

Perform Steps 4 and 5 on thepreferred primaryEqualizer to add failover flags and tocreate a new peer definition for the backup.You now need to configu

FailoverPeer Name Type Flags F/O Modeeq_00241DB2ABA0 (Local) OS/10 F/O, P/P, xfr Primaryeq_001D7D78E13E (Remote) OS/10 F/O BackupFlags Key:F/O => f

b. Add the failover flag to the backup by entering:eqcli > peer name flags failoverWhere the peer name is the same one that appears beneath the Pee

Failovereqcli > show peerPeer Name Type Flags F/O Mode Erroreq_00241DB2ABA0 (Local) OS/10 F/O, P/P, xfr Primary Noeq_001D7D78E13E (Remote)

The remote peer definition includes detailed information about the success or failure of the healthcheck probes being sent by the local Equalizer (the

Model 220V/50Hz Watts PF Volts AmpsE650GXRush-in 109.1 0.645 224 0.752No Load 109.9 0.925 222 0.536100% CPU 140.5 0.943 222 0.671E450GXRush-in 109.1 0

FailoverLast heartbeat sent : #161 at Wed Mar 14 12:07:10 2012Last heartbeat received : #97 at Wed Mar 14 12:07:10 2012Number of strikes : 0The above

Configuring Active/Passive Failover (GUI)Perform Steps 1 and 2 onbothEqualizer.1. Perform initial system configuration on both units as outlined in &q

Failoverb. Highlight and copy the failover Signatureof the preferred primary Equalizer. Copy thesignature to an electronic clipboard, notepad or whate

d. Enable the Failover flag and click on Commit. Both peers should appear on the leftnavigational pane on the Peers branch.Perform Step 6 on theprefer

Failover7. Access the GUI for the preferred primary or backup Equalizer.a. Right click on Peerson the left navigational pane to display the Peers summ

Peer Summary Display Showing ErrorsIf failover were NOT configured correctly or a problem existed with one of the peers, youwould see a display simila

FailoverRefer to "Peer Interface Subnet States and Substates" on page 438 for descriptions of the Peerstates and substate conditions.Configu

eqcli > peer [name] flags active-activeOnce you have added active-active flags to each local peer if the Equalizers are heartbeating you should see

Failover4. Set the preferred_peer flag on a cluster. The purpose of the preferred_peer parameter is to indicate thefailover peer on which the cluster

Display the elements of the failover group by entering show fogrp <name> - where <name> is one ofthe names in the list. For example:eqcli

InstallationHardware InstallationTo install Equalizer, follow these steps:1. Carefully remove the Equalizer rack-mount enclosure and cables from the s

Failover(172.16.0.181) and floating IP 172.16.0.219.l F/O Group 2 - has subnet 192.168.0/24 with cluster cl02 (192.168.0.211), server sv02(192.168.0.1

Network Design for N+1 FailoverThe design of the host network is critical to a successful failover configuration.The essential concept of active-activ

Failover5. If the preferred peer is not one of the systems that can provide connectivity, or if a cluster has no preferredpeer set, then Equalizer che

The four columns contain the following details information:F/O Group NameThese are determined by Equalizer, according to cluster IP addresses, server

FailoverFor "N+1" failover:1. Each peer should have the A/A (active-active) flag enabled2. The modes displayed will be different for active-

Displaying Cluster StatusSpecify the name of a cluster to the show cluster command to see if the cluster is currently instantiated on theEqualizer to

FailoverAlso shown in the output are the preferred peer and VID (VLAN ID) settings. Basic troubleshooting for failoverincludes verifying that all pref

c. Set the command and heartbeat flags on the subnets. One subnet must have the commandflag enabled, both subnets need the heartbeat flag since we wan

FailoverNote that the <TAB> above means press the Tab key on your keyboard to auto-complete the local peer name. Since this unit currently has o

eqcli > peer Eq-B signature signature flags failovereqcli > peer Eq-C signature signature flags failoverNote - The signature for each remote pee

l no parityl one stop bitl VT100 terminal emulationl ignore hang-ups (if supported); this allows a single terminal session to continue running even if

Failovereqcli > peer Eq-C flags failover,active-activeb. Create the peer definitions for the remote peers Eq-A and Eq-B:eqcli > peer Eq-A signat

l 3 VLAN subnetsl 3 clusters -- 1 preferred on each of EQ-A, Eq-B, and EQ-C; no clusters on Eq-Dl 3 failover groups1. Do the following on all four Equ

FailoverLocate your timezone in the displayed list and press "q" to quit out of the list. Then,type in your timezone number and press <En

sp02eqcli > server sv4 proto tcp ip 192.168.0.24 port 80eqcli > srvpool sp03 policy adaptiveeqcli > srvpool sp03 si sv4 weight 100eqcli >

Failoverf. Verify that the clusters have been configured into three failover groups:3. Do the following on Eq-B:a. Update the flags for peer Eq-B:eqcl

5. Do the following on Eq-D:a. Update the flags for peer Eq-D:eqcli > peer Eq-D flags failover,active-activeb. Create the peer definitions for the

Failoverd. On Eq-D, the peer status should now look like this:If all peers sharing several failover groups are rebooted or powered on in a sequential

Configuring N + 0 Failover with 4 Equalizers (CLI)In this configuration, four Equalizers (Eq-A, Eq-B, Eq-C, and Eq-D) cooperate to provide high availa

Failovereqcli > hostname namef. Set the timezone. Enter:eqcli > timezone?Locate your timezone in the displayed list and press "q" to q

default settings:eqcli > server sv2 proto tcp ip 172.16.0.170 port 80eqcli > srvpool sp01 policy adaptiveeqcli > srvpool sp01 si sv2 weight 1

Failoverd. Create the peer definitions for the remote peers Eq-B and Eq-C:eqcli > peer Eq-B signature signature flags failovereqcli > peer Eq-C

eqcli > peer Eq-A signature signature flags failover,fo_config_xfer,preferred_primaryeqcli > peer Eq-C signature signature flags failovereqcli &

Failover6. Check failover group status on each Equalizer:a. On Eq-A, the peer status should now look like this:b. On Eq-B, the peer status should now

Chapter 23AlertsSections within this chapter include:Overview of Alerts 484Alert Object Names 484Alert Types and Object Types 484Alert Notification Ty

AlertsOverview of AlertsAn alert is an administratively configured action that is executed whenever an event of a particular type occurs ona particula

Alert Type Object Type When an alert is generatedexception Peer An alert is generated whenEqualizer has received a heartbeat from a peer on asubnet o

Alerts3. snmp - SNMP traps enable an agent to notify a management station of significant events by way ofunsolicited SNMP messages. Refer to "Set

Configuring an SMTP Relay in the CLIEmail alerts require an SMTP relay in order to send email to the recipient specified in the alert definition. To s

AlertsAlert ParametersnameA descriptive name for the alert.objectThe fully qualified name of the object to which the alert applies. Currently, must be

eqcli user-tou*-alert-tes*> object testservereqcli user-tou*-alert-tes*> object_type servereqcli user-tou*-alert-tes*> to [email protected]

Chapter 4First Time Configuration Using EQ OS 10Sections within this chapter include:First Time VLAN Configuration Example 50Sample Equalizer Configur

AlertsWelcome to Equalizer!12000004: You have 2 pending alert notifications.eqcli >You can configure notifications, via the user alert_interval par

Alert Name : al_switchObject Type : interfaceObject Name : swport01Message : 50000197: Port 1 has become ACTIVEeqcli >To show the first notificatio

Alertseqcli > no notification id-number492Copyright © 2013 Coyote Point Systems. A subsidiary of Fortinet, Inc.

Chapter 24Using SNMP TrapsSections within this chapter include:Setting Up SNMP Traps 494Setting Up an SNMP Management Station 495Enabling SNMP 495Enab

Using SNMP TrapsSetting Up SNMP TrapsThe Simple Network Management Protocol (SNMP) is an internet standard that allows a management station tomonitor

Setting Up an SNMP Management StationAn SNMP management station is not provided with Equalizer. In order to use SNMP to manage Equalizer, a third-part

Using SNMP Trapseqcli > showVariable Valuerecv_timeout 2conn_timeout 1hb_interval 2retry_interval 5strike_count 3icmp_interval 15icmp_maxtries 3hos

Enabling SNMP TrapsSNMP traps must first be enabled using the CLI. An snmp trap address and port is required to enable the traps.Enter the following a

Using SNMP TrapsSetting an SNMP Trap alert enables the sending of snmp trap messages to the snmp management stationwhenever a peer state changes to Pr

Chapter 25User and Group ManagementSections within this chapter include:Best User and Group Management Practices 500Object Permission Types 500Require

Configuring Subnets 103About Permitted Subnets 104Configuring Outbound NAT 105Enabling Outbound NAT 105Managing Interface Ports 107Configuring Front P

First Time Configuration Using EQ OS 10First Time VLAN Configuration ExampleFollow the steps below to get Equalizer onto your network and start using

User and Group ManagementBest User and Group ManagementPracticesWhen adding additional users and groups to your configuration, follow these guidelines

Permission Type DescriptionsWriteIn addition to read permission, the user can modify existing objects, but cannot add new objects ordelete existing ob

User and Group ManagementOperation Permissions Required Flags Required Notesadding a GeoClustercreate geoclusteradding a GeoSitecreate geositeadding a

Operation Permissions Required Flags Required Notesadd/delete/modify grouppermit listadminadd/delete/modify useradminadd/delete/modify userpermit list

User and Group ManagementOperation Permissions Required Flags Required Notesdelete: peer DNS serverNTP server syslog serverwrite_globaldisplaying a ce

Operation Permissions Required Flags Required Notesdisplaying a number ofsubnet routesread vlan_namedisplaying a peerread_globaldisplaying peer status

User and Group ManagementOperation Permissions Required Flags Required Notesmodifying a subnetwrite vlan_namemodifying a user password admin (see note

l User “Touch_1” will be able to read, write, create and delete all of the servers, server pools and associatedVLAN and subnets used on an Equalizer.l

User and Group Managementpermissions for cluster “Cl2”. The next step is to add specific permissions on the Equalizerobjects within each cluster for e

User Name : Touch_1Duration : 3600Flags :Locale : enRead Permissions :servers : test2, test1server pools : testserverpool1responders :VLANs : vl1geocl

eqcli > vlan 172net subnet sn01 ip 172.16.0.200/21 default_route 172.16.0.1services ssh,http flags def_src_addr5. Connect Equalizer to your network

User and Group Managementports :clusters :eqcli > show user Touch_2show user Touch_2User Name : Touch_2Duration : 3600Flags :Locale : enRead Permis

servers : test3, test4server pools : testserverpool2responders :VLANs :geoclusters :geosites :users :certificates :CRLs :ports :clusters :Copyright ©

Chapter 26Using EnvoySections within this chapter include:Overview of Envoy® Geographic Load Balancing 514Envoy Configuration Summary 514DNSConfigura

Using EnvoyOverview of Envoy® Geographic LoadBalancingGeographic load balancing increases availability by allowing regional server clusters to share w

3. Configure the authoritative DNS server for your website’s domain with DNS records for all Equalizers in theGeoCluster. The DNS server returns these

Using EnvoyAn example of a DNS zone file for this configuration is shown below. In this example, the systems ns1 and ns2 areassumed to be the authorit

In the example above, we left the domain parameters as zeros, since these vary widely between DNSinstallations. Please see the documentation for the v

Using EnvoyConfiguring GeoClustersThis section shows you how to add or delete a GeoCluster and how to configure a GeoCluster’s load-balancingoptions.

1. Log in to the GUI (See "Logging In" on page 192).2. Click on the GeoCluster on the left navigation pane. The figure below will be display

First Time Configuration Using EQ OS 10The procedure below shows you how to use one line commands in the global context to set up the configurationill

Using Envoythan other criteria.Mail Exchanger FQDNThe fully qualified domain name (e.g., "mail.example.com") to be returned ifEqualizer rece

send a NULL response.]If only some GeoSites report failed triangulation, and there are others that did not fail and that are not down, thenGeoSite sel

Using Envoy3. Enter a GeoCluster Name in the space provided.4. Enter a FQDN in the space provided. This is the Fully Qualified Domain Name of the GeoC

1. Log in to eqcli as described in "Starting the CLI" on page 128.2. Enter the following at the CLI prompt:eqcli > no geocluster gcnameVi

Using EnvoyGeoCluster (for example, www.coyotepoint.com). The FQDN mustinclude all name components up to the top level (com, net, org, etc). Do notinc

selected GeoSite. Those that follow will be any site which is up in the list ofGeoSites.ICMP triangulation (option)When a request for name resolution

Using EnvoyConfiguring GeoSitesIn EQ/OS 10, GeoSites are defined separately (like Servers) and then added to GeoClusters as GeoSiteInstances. This sec

Too add a GeoSite using eqcli as follows:1. Log in to eqcli as described in "Starting the CLI" on page 128.2. Enter the following at the CLI

Using EnvoyDeleting a GeoSite (GUI)To delete a GeoSite using the GUI proceed with the following:1. Log in to the GUI (See "Logging In" on pa

a. Using the GUI drag and drop functionality, click on a GeoSite on the left navigational paneand drag it to the desired GeoCluster on the tree. The G

Otherwise, set the time manually on all systems to the current time:eqcli > date HHmmss9. Create two real servers:eqcli > server sv01 proto tcp

Using EnvoyDynamic site weights can vary from 50% to 150% of the assigned initial weights. To optimize GeoClusterperformance, you might need to adjust

To remove a GeoSite instance from a GeoCluster using the GUI proceed with the following:1. Log in to the GUI (See "Logging In" on page 192).

Using Envoywhere:gclname is the name of the GeoClustergsi is the GeoSite instancegsimaname is the name of the GeoSite instance.Adding and Configuring

4. In both methods of creating GeoSite Instances the GeoSite IP Address is required. This is the IP addressreturned by DNS to a client when the GeoClu

Using EnvoyDefaultDesignates this site as the default site for the GeoCluster. Envoy loadbalances to the default site whenever it cannot choose a site

Name a GeoSite Resource (GUI)1. Log in to the GUI (See "Logging In" on page 192).2. Select a GeoSite from the left navigational pane.3. Righ

Using EnvoyName a GeoSite Resource (CLI)1. Log in to eqcli as described in "Starting the CLI" on page 128.2. Enter the GeoSite context and a

4. Enter a name for the Resource and click on Commit. The GeoSite Resource will appear on the leftnavigation pane as shown below.Name a GeoSite Resour

Using Envoy3. Use the Resource Name drop down list to select one of the previously defined GeoSite Resources.4. Click on Commit to add the Resource In

Add a GeoSite Resource Instance to a GeoCluster (CLI)1. Log in to eqcli as described in "Starting the CLI" on page 128.2. Enter the GeoClust

First Time Configuration Using EQ OS 10eqcli > certificate ct01eqcli-cert> certfile ftp://10.0.0.21/certfile.pemeqcli-cert> keyfile ftp://10.

Chapter 27Backup and RestoreSections within this chapter include:Backup 542Backup (GUI) 542Backup (CLI) 543Restore 543Restore (GUI) 544Restore (CLI) 5

Backup and RestoreBackupThe Backup feature allows you to back up an Equalizer’s user-configured objects and parameters to a file that canbe uploaded a

4. In the Destination section, select either FTP URL to upload to an FTP site or Local File to save the filelocally.a. For FTP URL, you must type the

Backup and RestoreIf a unique local peer definition is found, the System ID found in the local peer definition is compared against theSystem ID being

3. In the Restore section select either FTP URL or Local File.For FTP URL you must type in the full path name (including the file name) into the text

Backup and Restoreftp://[user[:password]@]server[/path]Note - You will be prompted to enter a password if it is not supplied in the URL546Copyright ©

Chapter 28How to Use Regular ExpressionsSections within this chapter include:Regular Expression Terms 548Learning About Atoms 548Creating a Bracket Ex

How to Use Regular ExpressionsRegular Expression TermsThe terms in this section describe the components of regular expressions.lA regular expression (

l A single character with no other significance, which simply matches that character. Note that regularexpressions are case-insensitive.l An open brac

20. Add a redirect responder that will redirect all requests coming into the same cluster IP as cl03 onport 80(viaHTTP); the responder will be configu

How to Use Regular Expressions\\matches a single backslash (\)\bmatches the beginning of a word (e.g.: \bex matches "example" but not "

Using Regular Expressions with ACVTBDCopyright © 2013 Coyote Point Systems. A subsidiary of Fortinet, Inc.All Rights Reserved.551Equalizer Administrat

Appendix APhysical DimensionsSections within this chapter include:Physical Dimensions 554Copyright © 2013 Coyote Point Systems. A subsidiary of Fortin

Physical DimensionsPhysical DimensionsThe following are the physical dimensions of the E370LX Equalizer as well as the GX series Equalizer.Model Weigh

Appendix BUsing the File EditorSections within this chapter include:Editing Files 556Copyright © 2013 Coyote Point Systems. A subsidiary of Fortinet,

Using the File EditorEditing FilesFiles from the data store, for example, can be edited using the files edit command in the CLI using the "ee&quo

Main and Submenu Commandsa) leave editorLeaves the ee editor. You will be prompted to save changes before exiting.b) helpWilldisplay a complete list o

Using the File Editorf) searchWillopen a search submenu with 2 options:a) search for - will prompt you to enter a search term(s)b) search - [not avail

Appendix CVersion 8.6 to 10.0 Configuration ConverterSections within this chapter include:EQ/OS 8.6 to EQ/OS 10 Configuration Conversion Process 560Co

Version 8.6 to 10.0 Configuration ConverterEQ/OS 8.6 to EQ/OS 10 ConfigurationConversion ProcessEQ/OS 8.6 and EQ/OS 10 configuration files are not com

ServersAdded as global server objects and server instances within server pools.The Server VID isnow deprecated, and servers are automatically consider

Version 8.6 to 10.0 Configuration ConverterEQ/OS 10 uses Server Pools that contain Server Instances. When migrating to EQ/OS 10 a Server Pool will bec

1. Create a backup of the Version 8.6 system. Refer to theEqualizer Administration Guidefor version 8.6 forinstructions.2. Upgrade your version 8.6 sy

Version 8.6 to 10.0 Configuration Convertereqcli: 12020315: Processing line 2: server otherserver ip 3.4.5.6 port 81proto tcpeqcli: 12000287: Operatio

The EQ/OS 8.6 backup file can be uploaded either from a URL or FTP server or from a local directory. Proceedwith either step 5 or step 6 depending on

Version 8.6 to 10.0 Configuration Converter8. After clicking on Run the script is executed on Equalizer. If no errors occur and the script runs to com

Appendix DEqualizer OnDemandSections in this chapter include:What is Equalizer OnDemand? 568Differences from Equalizer Hardware 568Adding Ports on VM

Equalizer OnDemandWhat is Equalizer OnDemand?Equalizer OnDemand™ is a software-based virtual appliance that operates as an integral part of the virtua

3. Equalizer OnDemand is delivered with no serial console configured because this requires additionalconfiguration by the user. A serial console can b

Chapter 5Upgrading and DowngradingSections within this chapter include:Version 8.6 Upgrade Procedure 58Downgrading to Version 8.6 62Upgrading to the L

Equalizer OnDemandline (highlighted in green) that indicates the network interface device type. The text highlighted in yellow iswhat VMware added to

VMware vSphere or vCenter ClientsVMware ESX and ESXi servers are managed using either the vSphere or vCenter management clients. If you areusing eithe

Equalizer OnDemandh. The VMDK file for the OVF is now downloaded from the local directory. When it is done, theEqualizerOnDemand VM should now appear

eqcli > user touch passwordVMware Player and VMware FusionBesides running on dedicated hardware with the VMware ESX operating system, VMware can al

Equalizer OnDemandl In the CLI, enter:eqcli > versionl In the GUI, the System ID is shown on the Welcome screen that is displayed when you login.4.

found in the section "Configuring VLANs" on page 100.d. Confirm you can reach the default route gateway using the ping command:eqcli > pi

Glossary66in46in4 is an Internet transition mechanism for migrating from Internet Protocol version 4 (IPv4) to IPv6.AAccess Control Lists (ACLs)Refers

Glossaryadministration addressThe IP address assigned to Equalizer on any VLAN. Access to Equalizer can be configured for each VLAN.administration int

backup EqualizerThe backup unit in a failover pair of Equalizers. The backup unit constantly monitors the health of the active(primary) unit, and repl

Upgrading and DowngradingVersion 8.6 Upgrade Procedure1. Connect Equalizer with a serial console. Refer to "Setting Up a Terminal or Terminal Emu

Glossarycookie headerOne of Equalizer's supported headers, a cookie header is an HTTP data string previously sent by a server that isstored in Eq

the network infrastructure so that configuration and routing protocols handle both IPv4 and IPv6 addressing.dynamic weightThe weight that Equalizer as

GlossaryfirewallA set of security programs, which is located at a network gateway server and which protect the network fromany user on an external net

hubA device that joins all the components attached to a network.IICMPInternet Control Message Protocol. Used by operating systems of networked compute

Glossarypacket, and TCP/IP.IP addressA 32-bit address assigned to a host using TCP/IP. IP addresses are written in dotted decimal format, forexample,

is a more performant protocol which does not protect data from all the issues described above. It is howevermore useful for time-sensitive data so it

Glossaryspecify that if a page is requested which is company-internal only and the client is not on the local network todrop the request (or hand out

PpacketA group of data that is transmitted as a single entity.passive FTP connectionAn Equalizer option that rewrites outgoing FTP PASV control messag

GlossaryportThe abstraction used by Internet transport protocols to distinguish among multiple simultaneous connections toa single destination host.po

redirectionThe process of receiving input from or sending output to a different resource than usual.regular expression (RE)One or more non-empty branc

8. Enter the upgrade URL using the Version 8.6 syntax and press "Enter". For example, the following URLdownloads the image from a local serv

GlossaryRSTRefers to the TCP protocol’s reset command, which instructs a device to end a connection.SSecure Sockets Layer (SSL)A protocol that enables

sessionA logical connection between a server and a client that may span a series of individual client requests and serverresponses (i.e., transactions

Glossarysticky connectionA Layer 4 connection in which a particular client remains connected to same server to handle subsequentrequests within a set

TTCPTransmission Control Protocol; the rules for the conversion of data messages into packets. TCP providesSeeISO/OSI model, Layer 4, packet, transpor

Glossaryvirtual server addressAn IP address that is aliased to a physical server that has its own, separate IP address. See virtual web server.virtual

Table of ContentsExiting the CLI 129Working in the CLI 130CLI Contexts and Objects 130Object Relationships 132Command Line Editing 133Entering Names f

Upgrading and Downgrading11. The following message is displayed:PERMANENTLY upgrade this system to EQ/OS 10 [Y/N]?Press "Y" and then "E

Press "Y" and then "Enter" to create a restore image.14. The system then prompts you to enter a URL for the restore image as well

Upgrading and Downgrading18. Press any key to reboot the system.19. As the system reboots, you may see prompts indicating that the front panel switch

1. Connect Equalizer with a serial console. Refer to "Setting Up a Terminal or Terminal Emulator" on page 46.2. Log into the CLI.3. At the g

Upgrading and Downgradingprompts indicated in the sample output below, enter the restore image password (restore_password) and press the Enter key to

Beginning image restore process./tmp/restore.img.xz (1/1)Once the image is restored, the system reboots again. After the reboot is complete, theVersio

Chapter 6Licensing EqualizerSections within this chapter include:Licensing Equalizer 68Adding and Removing Licenses (CLI) 68Adding and Removing Licens

Licensing EqualizerLicensing EqualizerEqualizer can be configured without a license, but will not process any cluster traffic until it is licensed. Th

a. Log into the CLI.b. Enter:license genreqc. Copy the output of the above command into an email and send it [email protected], requesting an

User Flags 182Setting the Locale 182Creating a User 182Deleting a User 183User Passwords 183User Permissions 183User Permissions Assigned on Object Cr

Licensing EqualizerAdding and Removing Licenses (GUI)1. Log in to the GUI as described in "Logging In" on page 192.2. Click on the host name

5. To request an Offline License:Note - When generating an offline license for upload to Equalizer, be sure that the last line in the file is a blankl

Licensing Equalizerb. Click on Choose File to locate and select the file received from Coyote Point Support.c. Click on Commit to upload the file to E

Chapter 7Configuring AccessSections within this chapter include:Default Login 74Creating Additional Logins 74Serial Access 74Network Access 74Global S

Configuring AccessDefault LoginThe “touch“login (password: “touch“) is the default Equalizer administrative login for both the CLI and the GUI.For se

The global services settings provide a convenient way to enable and disable services on all subnets, should theneed arise. For example, when you are u

Configuring AccessCLI GUI Network Servicefo_httpsFailover HTTPSFailover HTTPS GUI service; when enabled, the Equalizer will listen forHTTPS connection

Chapter 8Network ConfigurationSections in this chapter include:Networking Conventions 78Networking Technologies 78Common Equalizer Networking Scenario

Network ConfigurationNetworking ConventionsSeveral conventions are used within this section:• Network addresses are represented in Classless Inter-Dom

If the destination IP address is on a local network, source-based routing is not used. The packet is sent to thedestination system via Ethernet.If the

Table of ContentsManage Software 211Tools 213Interfaces 215Viewing Link Status and Port Settings 215Modifying Port Settings 217Displaying Port Statist

Network ConfigurationIn this configuration, 192.168.211.0/24 is a local network for Equalizer, configured by adding a subnet to theconfiguration. 192.

In this example, neither the 192.168.211.0/24 nor the 192.168.105.0/24 networks can access the Internet directly.The administrator configures Equalize

Network ConfigurationCommon Equalizer Networking ScenariosThis section describes individual networking scenarios that can be used to build up a large,

IPv4 Rules:1: pass on interface lo0 all hits: 0 bytes: 02: pass on interface wm1 hits: 227 bytes: 7025From To192.168.211.0/24 -> 192.168.211.0/243:

Network ConfigurationIP Filter Rules:IPv4 Rules:1: pass on interface lo0 all hits: 0 bytes: 02: pass on interface wm1 hits: 32 bytes: 1368From To192.1

Dual VLAN/NetworkAnother typical configuration is to have two networks connected to Equalizer:1. One for external connectivity (this is where the Equa

Network Configuration2: pass on interface wm1 hits: 36 bytes: 1608From To192.168.211.0/24 -> 192.168.211.0/243: pass on interface wm0 hits: 48 byte

We see that setting this flag has created a DSS table entry. This entry is a definition for the 0/0 destinationnetwork, which specifies that theextern

Network Configuration2: pass on interface wm1 hits: 141 bytes: 7025From To192.168.211.0/24 -> 192.168.211.0/243: pass on interface wm0 hits: 5 byte

Dual VLAN/Network with 2 GatewaysImagine a scenario very similar to the one described in Dual VLAN/Network, but theinternal networkis also able torout

Server Configuration Constraints 244Configuring Routing on Servers 245Spoof Controls SNAT 245How Spoof Influences Routing 245Managing Servers 246Addin

Network ConfigurationSource Routing Table:0.0.0.0/00:default via 10.0.0.254192.168.211.0/24:default via 192.168.211.210.0.0.0/24:default via 10.0.0.25

-> 10.0.0.0/240.0.0.0/07: pass on interface wm0 hits: 4 bytes: 756From To10.0.0.0/24 -> any8: pass on interface wm1 hits: 0 bytes: 0From Toany -

Network ConfigurationOutbound NAT allows the administrator to associate two subnets together using the outbound_nat parameter. Thisparameter is config

All three rules are created for the single NAT change that we made. They can be read as "whenever traffic isleaving through the wm0 interface, if

Network Configuration0.0.0.0/05: pass on interface wm1 hits: 0 bytes: 0From To192.168.211.0/24 -> any6: block on interface wm0 hits: 0 bytes: 0From

Dual VLAN/Network with Multiple DestinationNetworksThe scenario above is sufficient if the servers are directly connected to (or are within the same b

Network Configurationsuccessfuleqcli > vlan external subnet net destination 0.0.0.0/0gw10.0.0.6812000287: Operation successfuleqcli > vlan exter

192.168.105.0/24:192.168.105.0/24 via 192.168.211.2default via 10.0.0.25410.0.0.0/24:192.168.105.0/24 via 192.168.211.2default via 10.0.0.254IP Filter

Network Configuration7: pass on interface wm0 hits: 6 bytes: 956From To10.0.0.0/24 -> any8: pass on interface wm0 hits: 0 bytes: 0From Toany 192.16

Equalizer Use of VLAN TechnologyEqualizer models E350GX, E450GX, E650GX support tagged and untagged VLANs on all front panel interfaceports. This sect