# A10 System Administration Training

This book covers initial training on A10 devices and the ACOS operating system.

# Introduction

# Course Details

## Target
This course is intended for:
- Computer network administrators
- Network or security engineers
- IT technicians
- Anyone who wants to learn about traffic load balancing and management

## Requirements
- Basic knowledge of TCP/IP and Ethernet networks
- Basic understanding of the HTTP protocol
- Basic knowledge of Linux web servers such as Apache or Nginx


## Achievements
After completing this training, you will be able to:
- Set up and install A10 devices
- Perform administration tasks
- Create basic load-balancing solutions
- Secure connections
- Automate repetitive tasks using Ansible or Python
- Troubleshoot and monitor A10 devices using the command line and Observium

## Structure
The structure is as simple as it can be: I explain a detail or a feature, you reproduce it in your lab, and after you complete the lab I ask 5 to 8 questions about what was covered so you can measure your understanding of that section.

# How are we going to learn

## Basics

As far as I know, the best way to learn is by doing, and by doing I mean performing every configuration step yourself, one by one.
I will supply all the configurations through a public GitHub repo, but I must say again that the best way to learn ACOS is to type the configuration in yourself, just like coding.


## The playground
We are going to use GNS3 to build our playground for configuration testing.
There will be a section on how to construct the lab so we can easily test our configurations.

In this training you will be supplied with two files:
1. A GNS3 lab file that contains all the setup required to finish this course
2. A to-do list of tasks you must complete before working through this training, such as downloading some files and uploading them to GNS3


## Course materials
Everything required is supplied in a zip file; after you extract it, you will find all the needed config files and other materials there.

# About tutor

I am a self-educated network engineer with more than 20 years of experience. I've been working at system integrators for 10 years and right now own one for more than 15 years.

I am not a certified trainer or anything else.

# About ACOS and A10 Networks

## A10 Networks

A10 Networks is a U.S. public company specializing in the manufacturing of application delivery controllers (software and hardware). Founded in 2004 by Lee Chen, co-founder of Foundry Networks, A10 originally serviced just the identity management market with its line of ID Series products. In early 2007, they added bandwidth management appliances (EX Series). The company had its initial public offering on March 21, 2014, raising $187.5 million.

In May 2013, A10 launched its A10 Thunder Series platforms of hardware and software application delivery controllers (ADCs).

A10 Networks released the Harmony design of the Thunder Series ADC in 2015.

Also in 2015, A10 Networks upgraded the Advanced Core Operating System (ACOS). The update allowed 100 percent of software capabilities to be addressed by APIs, whereas the previous ACOS could only address 40 percent through APIs.

In 2016, A10 acquired the cloud-native ADC company Appcito.



## ACOS

ACOS is a 64-bit operating system with powerful features such as:
- multitenancy
- form-factor independence (bare-metal, virtual, physical)
- flexible licensing

It can perform:
- application delivery
- transparent SSL decryption and re-encryption
- authorization and authentication
- firewalling



https://www.a10networks.com/solutions/advanced-core-operating-system/

# Product line up



# Features

# Course sandbox setup

Training scenario & topology

This training is best used with the GNS3 lab supplied with it, which you can find below.

- Building the playground
- Topology
- Connectivity and logon details

Provide an importable config for Asbru
Provide one for SecureCRT

# System configuration and downloading tools

In this section we are going to need a computer with the following minimum requirements:

- Windows 10
- 4 cores
- 8 GB RAM
- 120 GB of disk space


You will need to download GNS3; to do that, create an account at gns3.org using this link:

---link---


After you have created the account, download GNS3 from this link:

---link2---


I've made a lab and shared it on Google Drive so you can download it, but please note that this lab is 45 gigabytes in size and you should download it over an unmetered connection.
Again, please don't download it over a cellular tethered Wi-Fi connection.

Download the lab linked here:

---link3---


The last download is the configuration files for the machines in the lab, which are very small, at this link:

---link4---

# Tools and installation

In this section we are going to:

- install VirtualBox
- install GNS3
- import the lab
- install a VNC viewer
- install a SPICE client


We are going to learn how to:

- start/stop the lab
- connect to the virtual lab machines

# First Time

# Unboxing

## Physical devices
- contents
- required tools
- Physical installation requirements

## Virtual edition
- Licensing
- Sizing

### Installation
1. VMware
2. Qemu/KVM installation
3. GNS3
4. Eve-ng installation

# Management Access

## Console port details

This is the "monitor" port of the device: with a terminal emulator and a serial console cable, you can access the device directly.

The console port is at the front of the device and is labelled "Console"; it is shown with a green arrow here.
Remember that the location of the console port varies depending on the device model.

Most of the time it is labelled Console, but some vendors use abbreviations such as "Con" or the "IOIOI" symbol.

[![](https://books.netdev.com.tr/uploads/images/gallery/2023-04/scaled-1680-/image-1680667248419.png)](https://books.netdev.com.tr/uploads/images/gallery/2023-04/image-1680667248419.png)


To do that, you'll need to configure the serial port as follows:

- Speed/baud rate: 9600
- Data bits: 8
- Stop bits: 1

On Windows you can use PuTTY, on Linux GtkTerm is a good option, and if you are a Mac user you can use a tool like [Serial2](https://www.decisivetactics.com/products/serial/).

## Management ethernet port details
The management port is a dedicated port, separated from the device's data ports; you'll need it to access the device remotely over an Ethernet/IP connection.

The default settings are:
- IP address: 172.31.31.31
- user: admin
- password: a10

Change the default password at first login; these credentials are public knowledge.
 
## Management access
You can connect to the device using the HTTPS and SSH protocols. There is another way, API access, and we have a dedicated section showing how it is used.
 
### Using SSH
For SSH you can use PuTTY on Windows and OpenSSH on the remaining platforms.

### Using HTTPS
For HTTPS, all you need is a modern browser.

# Registration, licensing and flexpool

## Physical devices
All physical devices that A10 Networks ships come with an ADC (Application Delivery Controller) license.
If you'd like to use additional features such as the data center firewall or the supplied web categories, you will need to purchase additional licenses, such as:

- Webroot
- CFW

The methods for obtaining these licenses will be listed later.
Registration is done at purchase time by an A10 Networks salesperson. They will ask for an e-mail address to register the lead and the shipments; you will use that mail address for RMA and warranty requests.

Note:
By default, no physical device requires internet connectivity to work in ADC mode. To unlock additional licenses or features, you'll have to allow the device to reach the internet, either from the data ports or from the management port.


## Virtual appliances
Virtual appliances downloaded from the internet or obtained by applying for a trial are limited to 10 Mbit/s of throughput and ADC features only.
To use the virtual appliances fully, you'll need a trial key or paid licenses, which are activated through GLM.
To obtain licenses, you'll have to supply a contact mail address and use that address to log in to what is called GLM.

## GLM and why we need it

GLM, the Global License Manager, is a platform from A10 Networks that manages all this registration, licensing and other bureaucratic work, and also enables something called Flexpool.
It resides at https://glm.a10networks.com .

## Flexpool

You can buy your license as throughput rather than per device. This A10 Networks feature allows commissioning many devices that share one throughput allotment, and it is very effective for creating high-availability scenarios. It works by sharing a "GLM Token" across the devices.

# Administration tasks

# Backup System Configuration

## copy config
With this option you only take a backup of the configuration. A complete backup also includes:
- SSL certificates
- user passwords
- PKI infrastructure passwords
- logs

This type of backup is therefore not a complete backup, but it is better than nothing.

To take a quick configuration backup, depending on the length of your configuration, you can:
- copy/paste
- record the serial terminal or SSH session output

## backup using gui



## backup to ftp server

## automated backup jobs

# Upgrade system OS



# Downgrade System Os



# Set time or use NTP



# What is VCS



# Certificate Management



# User Management & Access LDAP/TACACS

# Basic server load balancing

# What is server load balancing



# Acronyms and their details



# Creating Real servers



# Creating Service Groups



# Creating Virtual Servers



# Configuring traffic distribution



# XFF or x-forwarded-for



# Https and ssl



# Certificate Management & Pki



# SSL-Offloading

# High availability

# A-VCS

## What is A-VCS
It is the acronym for ACOS Virtual Chassis Systems.

[![](https://books.netdev.com.tr/uploads/images/gallery/2023-04/scaled-1680-/image-1680667656818.png)](https://books.netdev.com.tr/uploads/images/gallery/2023-04/image-1680667656818.png)

It is a special process created to manage many ACOS devices from a single point of view, but that is not its only use case. It also synchronizes:
- configurations
- certificates
- keys
- aFleX policies
- black/white lists
- code/firmware versions

Always remember that L2-level configuration, such as Ethernet LAG interfaces, VLAN tags and VLAN names, is not part of the sync process. We'll get to the reason for this later.

Remember: A-VCS does nothing about live traffic; it is configuration only!
## Prerequisites
- A-VCS relies on multicast, so all devices must be in the same L2 domain
- VCS can operate between different geographic regions, so it is not bound to a delay threshold
- As mentioned before, A-VCS candidates must have the same version of ACOS on the same partitions. You can't run the same ACOS version on different partitions
- VRRP-A is enabled when using A-VCS; if you ever need to create an A-VCS cluster on an L2 domain that already has another A-VCS cluster, be sure to check the machine and cluster IDs first
- A floating IP is used to manage the devices, so you will need an additional IP address when you choose to use A-VCS

## Master / Slave / Election
- The master device is the one with the highest A-VCS cost; the others are called vBlades, not slaves. So if you have 3 devices with the same VCS cost, or with no cost configured, the VCS ID decides which one becomes the master.
- The higher A-VCS cost wins the election regardless of device ID
- If for some reason the vBlades have the same cost, the one with the smaller A-VCS ID becomes master when the master is lost.
- vBlades are subscribers: the master sends heartbeats to the vBlades, and if for some reason these heartbeats stop reaching the vBlades, an election begins.

We'll do a demo of this later in the training.

You will see all the devices in the config context with their respective machine IDs, which you will configure later in this training.

You can log in to vBlades without going through the floating IP; however, all changes are forced to be made through the floating IP.

You can create an A-VCS cluster using the management port only. Any L2 implementation will continue to work.
## Split brain on clusters with more than 2 devices
This is a dangerous situation. If for some reason several devices decide to become master at the same time, any traffic processing will create network problems. So the necessary precautions must be taken at all times, such as:
[![](https://books.netdev.com.tr/uploads/images/gallery/2023-04/scaled-1680-/image-1680667639311.png)](https://books.netdev.com.tr/uploads/images/gallery/2023-04/image-1680667639311.png)
- having a mesh-connected A-VCS link configuration
- a minimum device count
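As an added example (not part of the course material and not A10 code), the following Python model applies the election rules from the previous section to the split-brain case above: a 3-device cluster in which the vBlades stop hearing the master's heartbeats. Device IDs, costs and the reachability sets are constructed; the only value taken from the page is the priority 225 on device 1.

```python
"""Model of the A-VCS election rules described in this section.

Constructed example, not A10 code. Rules taken from the text: the highest
a-vcs cost wins; on equal cost the smaller a-vcs device id wins; a vBlade
that stops receiving the master's heartbeats starts a new election among
the devices it can still reach.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: int
    cost: int  # a-vcs priority, e.g. the 225 configured on device 1 above


def elect_master(devices):
    """Return the winner among `devices`: highest cost, then lowest id."""
    if not devices:
        raise ValueError("no devices reachable, nobody can be elected")
    return min(devices, key=lambda d: (-d.cost, d.device_id))


def masters_after_partition(devices, reachability):
    """Let every device elect a master using only the peers it still hears.

    `reachability` maps a device id to the set of ids (itself included)
    whose heartbeats it still receives. Returns {device_id: master_id}.
    """
    by_id = {d.device_id: d for d in devices}
    elected = {}
    for d in devices:
        visible = [by_id[i] for i in reachability[d.device_id]]
        elected[d.device_id] = elect_master(visible).device_id
    return elected


def has_split_brain(elected):
    """True when the devices disagree on who the master is."""
    return len(set(elected.values())) > 1


# Constructed 3-device cluster: device 1 carries the priority 225 configured
# above; the two vBlades are left at an equal, lower cost.
CLUSTER = [Device(1, 225), Device(2, 100), Device(3, 100)]
# Healthy cluster: every device hears every other device's heartbeats.
HEALTHY = {1: {1, 2, 3}, 2: {1, 2, 3}, 3: {1, 2, 3}}
# Device 1's a-vcs link failed: the vBlades no longer hear its heartbeats
# but still hear each other, while device 1 still believes it is master.
PARTITIONED = {1: {1}, 2: {2, 3}, 3: {2, 3}}
```

With `HEALTHY` every device elects device 1; with `PARTITIONED` device 1 keeps itself as master while devices 2 and 3 elect device 2, which is exactly the two-master condition a mesh-connected A-VCS link is meant to prevent.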


### Initial config of A-VCS
On the master device:
1. Enable VRRP-A

    To start configuring VCS we have to enable VRRP-A first.

        ACOS# configure
        ACOS(config)# vrrp-a common
        ACOS(config-common)# set-id 1
        ACOS(config-common)# device-id 1
        ACOS(config-common)# enable
        ACOS-Active(config-common)# exit
        ACOS-Active(config)#

2. Enable A-VCS

        ACOS-Active(config)# vcs enable
        ACOS-Active(config:1)#

3. Configure the floating IP address

        ACOS(config:1)# vcs floating-ip 192.168.16.10 /24

4. Configure A-VCS with the master's parameters

    After the configuration commands are typed in, you'll need to run `vcs reload` to start the A-VCS formation process.

        ACOS(config:1)# vcs device 1
        ACOS(config:1-device:1)# interfaces management
        ACOS(config:1-device:1)# priority 225
        ACOS(config:1-device:1)# enable
        ACOS(config:1-device:1)# exit
        ACOS(config:1)# vcs reload

### adding second device to cluster
On first blade
### adding third device to cluster
On second blade
### adding fourth device to cluster
On third blade
### forced a-vcs master commands
Force vBlade-1 to become master
### adding a fifth device with older version to cluster and auto image upgrade process

# VRRP-A

# Appliance access management

# Basic monitoring & troubleshooting

# Basics and what to look for

# Automation

# SNMP v2-v3



# Logging and log destinations



# Partitions