ADC cluster setup

Notes before use

OPLON Virtual Appliance (VAPP from now on) is an OSI layer 2-3/4 and OSI layer 7 (HTTP/S, DNS) data traffic balancing and routing tool (ADC).

OPLON ADC is a product intended for mission-critical environments;
therefore only personnel who have completed the course and passed the exam
are authorized to certify the cluster installation and to work on the
products in operation. All certified persons hold a certificate of
participation in the courses and of passing the exam, issued and
digitally signed by OPLON NETWORKS SRL.

Preparation for use

This manual describes how to create a cluster of the OPLON
ADC module. The cluster allows you to use all the features in high
availability through the use of a Virtual IP (VIP). In this case
we will consider a setup of two nodes in failover with each other.

images image1

For the example, we'll use the following IP addresses and networks to simulate a real
situation:

  • Heart-Beat: the network used to verify the activity status of the nodes

  • Backend: the network where the services reside; it can usually
    be reached through the gateway. In some environments it may reside
    in a separate network/VLAN

  • Public: it's the network where service requests come from

  • VIP: it is the address that is shared between the two nodes

OPLON VAPPs Static Address Settings

After importing VAPPs into the virtual environment, virtual NICs must be
assigned to the two nodes. In this case,
2 VNICs will be assigned to each node:

images image2

The VIP will be assigned alternately to vNIC A1 and vNIC B1. The node that
holds the VIP is called MASTER.

We will now assign static addresses to NetworkManager-based VAPPs
(where not present, use the typical deployment tools).
To match the vNICs of the virtual environment to
the internal interfaces of the VAPP, it is good practice to note the MAC addresses of the individual
interfaces, because this will make assigning the static
addresses easier.

In Network Manager-based systems, static addresses will be assigned through the
"nmtui" interface, while the dynamic address (VIP) will be assigned
directly by OPLON®ADC.

The following are the static address setup steps of one VAPP,
which are used to do the same for the other VAPP:

images image3

With the arrows position yourself on the first element

images image4

Check the MAC address and match it to its function
(Public, Heart-Beat, etc.). We recommend that you change the interface description so that you can quickly identify it
later.
Move the cursor to \<Automatic> and change it to Manual:

images image5

Move the cursor to \<Show> to display the fields for manually setting
up the addresses of the interface. With \<Add>, insert
the address for the interface, in this case the address designated for the
Heart-Beat (NB: remember to also set
the netmask with /XX at the end
of the address):

images image6

After you finish typing the address, use the arrows to
position yourself at \<ok> and then confirm with the [enter] key

images image7

The view returns to the list of interfaces to
be set; with the arrows, position yourself on the second interface...

images image8

Also change the description of this interface according to its
function, identifying it through the MAC address. Then
go to the \<automatic> address type and change it to manual
as follows

images image9

Add the address or addresses related to the interface
function, which in this case are the public and the backend. (NB: Usually
the backend is not directly reachable from the interface but is reached through
a gateway; in this case adapt the setup to the specific
operating environment by adding the Gateway)

images image10

With the arrows go to \<ok> to confirm the setup and then
confirm with the [enter] key

images image11

After confirmation, the result will be similar to this

images image12

With the help of the arrows, position yourself on \<Back> and confirm with
the [enter] button.

images image13

At this point we will activate the interfaces with the new addresses.
(NB: If you are doing this from SSH with the initial DHCP dynamic addresses on the same
interfaces to which the new addresses will be assigned, you
will be disconnected during the assignment
operation)

images image14

To enable the new addresses, you must first disable the
previous assignments and then turn on the new assignments. The
symbol "*" indicates that the interface is active. Pressing
[enter] disables the selected interface, and pressing
[enter] again reactivates it.

images image15

In this case, both interfaces were first disabled and then,
using the positioning arrows and the [enter] key,
both were reactivated...

images image16

Once the interfaces on the left are reactivated, the symbol
"*" will appear again.

images image15

With the arrows, position yourself on \<Back>, and then confirm with [enter]

images image17

With the arrows, position yourself on Quit, and then confirm with [enter]

images image18

To verify that the addresses were set correctly, run the command
"# ip addr"

images image19

If the setting was successful, the interfaces must
report the static addresses corresponding to the initial network
schema. It is useful to note down the interface names.

NODE A:

images image20

Repeat the same operations on the other VAPP; the end result
should be similar to the following and in any case in line with your network
addressing scheme.

NODE B:

images image21

OPLON VAPP Management Addresses Setting

From the command line of the VAPP node, run "# oplonsetup"

images image22

With [enter], position yourself on \<Choose> and choose the management address; in this case we will
set the network 192.168.45.xx as the
management network...

images image23 images image24

Then move to the password field of the user "root" to set the
password. In this case, as an example, we will use "AdminAdmin1!". NB: For security reasons,
do not set "AdminAdmin1!" in production.

images image25

Setting delegation passwords allows you to use VAPPs in hybrid environments
with administrative hierarchies.
This feature allows you to assign groups of VAPPs in complete
self-management while maintaining overall control of the
infrastructure. See the "Autonomous
Delegated Authentication" manual for this purpose.

After you set administrative and delegation logins and passwords,
go to \< Save & Exit > to save the settings.

images image26

To make the settings effective, you must restart
the services by using the "# oplonrestart" command

images image27

Executing the command "# oplonrestart"

images image28

The command takes about 1 minute, at the end of which the VAPP
will be configured with the management addresses on which the web services and the
Management Console will respond.

You can verify that the management listeners actually match
the configured addresses with the commands:

# ss -ln | grep 4444

And

# ss -ln | grep 54443

images image29

N.B.: Do the same on the NODE B VAPP; the result
should be similar to that of the previous command

images image30
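
A stricter form of the listener check above, as an added example that is not part of the OPLON tooling: it matches the port exactly (a plain `grep 4444` also matches 44441) and reports a management port bound to any address other than the management one. The function names and the sample `ss -ln` output are constructed for illustration; 192.168.45.200 is the management address used in this manual.

```shell
#!/bin/sh
# Added example (not OPLON code): verify that the management ports listen only
# on the management address, instead of eyeballing `ss -ln | grep PORT`.

# Constructed sample of `ss -ln` output. 192.168.45.200 is the management
# address used in this manual; the other sockets are made up for the demo.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:323         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22            0.0.0.0:*
tcp   LISTEN 0      50     192.168.45.200:4444   0.0.0.0:*
tcp   LISTEN 0      50     127.0.0.1:44441       0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:54443         0.0.0.0:*
EOF
}

# check_mgmt_listener PORT MGMT_ADDR   (reads `ss -ln` output on stdin)
# exit status: 0 = every listener on PORT is bound to MGMT_ADDR
#              1 = a listener on PORT is bound elsewhere (e.g. 0.0.0.0 or [::])
#              2 = nothing listens on PORT
check_mgmt_listener() {
    awk -v port="$1" -v addr="$2" '
    {
        # Locate the State column so the parser works with or without Netid.
        li = 0
        for (i = 1; i <= NF; i++) if ($i == "LISTEN") { li = i; break }
        if (li == 0 || li + 3 > NF) next
        sock = $(li + 3)                      # local address:port column
        n = split(sock, part, ":")
        if (part[n] != port) next             # exact port: 44441 is not 4444
        host = substr(sock, 1, length(sock) - length(part[n]) - 1)
        sub(/%.*/, "", host)                  # drop a "%iface" suffix if present
        seen++
        if (host == addr) print "ok      " sock
        else { bad++; print "EXPOSED " sock " (expected " addr ")" }
    }
    END {
        if (!seen) { print "MISSING no listener on port " port; exit 2 }
        exit (bad > 0)
    }'
}

# Demo on the constructed sample. On a VAPP, feed real data instead:
#   ss -ln | check_mgmt_listener 4444 192.168.45.200
for p in 4444 54443; do
    sample_ss_output | check_mgmt_listener "$p" 192.168.45.200 || true
done
```

In the constructed sample, port 4444 passes and port 54443 is flagged because it is bound to 0.0.0.0, which answers on the public and heart-beat interfaces as well.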

Set hostname on OPLON VAPP powered by CentOS

Run as root

# hostnamectl set-hostname OPLON10GDG001

images image31

# hostnamectl

images image32

# vi /etc/hosts

Change the address 127.0.1.1 to the new VAPP name

images image33

# hostname

images image34

# reboot

It is necessary to run a reboot so that applications or
services are also running under the new name.

Set hostname on OPLON GDG powered by Ubuntu

Run as root

# hostnamectl set-hostname OPLON10GDG001

images image35

# vi /etc/hosts

Change the address 127.0.1.1 to the new VAPP name

images image36

# hostname

images image37

# reboot

It is necessary to perform a reboot so that applications
or services are also running under the new name.

Disabling OPLON Platform Demo/Test Services

Before proceeding with the cluster setup, you must set
the licenses on both nodes and disable the unnecessary modules that start automatically to provide a ready-to-use platform
for demo/test/prototype purposes. To do this, we will turn off the OPLON
Platform modules on both nodes and then enter the license or licenses necessary for the cluster to
operate.

To disable the OPLON Platform module, simply type on a
browser:

https://192.168.45.200:4444/

(NB: The service has a self-signed digital certificate, so you will need
to tell the browser to continue. You can still
install a new digital certificate that identifies the service).

When prompted for login and password, indicate the login and password
set in the console initially, in this case: Login root,
Password AdminAdmin1!

images image38

Once the login is confirmed, the global control view of the Global
Distributed Gateway will appear, from which we will in sequence
disable the demo/test modules and set up the licenses before setting up the
cluster

images image39

To disable the OPLON Platform module, expand the "Modules" menu and
select "ADC & GLB" and then click "Edit":

images image40

Expand the "general start parameters" panel and change the
"process start" parameter from "automatic" to "manual"

images image41

Once the parameter is changed, a "1 to save" indicator will appear at the top right to save the
configuration.

images image42

Following the "1 to save" link makes it possible to apply the changes. To
do this, press the save button. (NB: in this case the modification is applied immediately and results in the
shutdown of the OPLON Platform module)

images image43

As soon as you press the "save" button you can describe the operation, because all changes are
"recorded" both to
perform roll-backs and for "audit" procedures

images image44

If you return to the "Modules" -> "ADC & GLB" selection, you will
notice a rotating gear symbol

images image45

... until the module is completely shut down

images image46

NB: Do the same on NODE B

Setting up licenses

To enter the module activation licenses, do the
following.

  1. Get licenses

  2. Install licenses

Once you have obtained the licenses you can install them according to their
function. First we install the "Catalog"
license, which serves to populate the local and/or global inventory depending on the
license. In this case we need Catalog
licenses, for global control, and Standard HA licenses, which can also include the
DoS/DDoS Attack Prevention & Mitigation extension as
below. Licenses must be present in a directory on your
system.

Example:

images image47

In the web interface select "nodes" and then press "actions",
from which you access the "install license" menu

images image48 images image49

After you select the "catalog" license, press "confirm"

images image50

The operation confirmation message appears:

images image51

You must then set up the license for the "OPLON ADC Standard
HA" module, which in this example also contains the DoS/DDoS Attack Prevention
& Mitigation extension, DNS Global Load Balancing, and Web Application Firewall
(WAF). To set the license for the "OPLON ADC
Standard HA" module, select "Modules" -> "ADC & GLB" and then go to
"See details" of the module.

images image52

Again, select "Actions" and "Install license" in the
same way as before.

images image53 images image54

Select the "standardhadosddosWAF_DNSGLB" license and then
confirm

images image55

The operation confirmation message appears:

images image51

NB: Repeat licensing setup operations in NODE
B as well

To apply the "Catalog" licenses, you must restart the main module through the console or
SSH.

NODE A:

images image56

NODE B:

images image57

During these restart operations, the Web console may
report errors due to the restart of services similar to this:

images image58

As soon as the service is restored, the browser will return to ask for login.

images image59

Populating the node inventory catalog (Inventory)

To add nodes, you must have "Catalog" licenses and
"root" rights. Before creating a Cluster, you must indicate to OPLON
Workspace the nodes to administer. To do this,
you must use the Settings menu -> Nodes from the System Bar.

To add or remove nodes you must have "root" rights.
Other users, even if declared administrators, will not be able to add or delete
nodes to administer.

images image60 images image61

From the Nodes menu you can delete, add and parameterize nodes

images image62 images image63

Then also proceed with the addition of the second node:

images image64

Once the two nodes are added, we save the configuration

images image65 images image66

We indicate the reason for the change to the configuration

images image67

You can now select the Nodes menu to view the status of the
nodes.

images image68 images image69 images image70 images image71

Creating the OPLON Workspace Cluster

To create the Cluster, you must have "Catalog" licenses and
"root" rights. Other users, even if declared administrators, will not be able to create or destroy
Clusters.

For all general parameterizations to be redundant, the first
Cluster we are going to create is the OPLON Workspace Cluster. This will
allow us to propagate the general parameters to at least one other node. In case of
need, by accessing the second node you will have the same configuration, automatically
replicated by the Cluster.

You access the creation/destruction of a cluster through the menus
in the System bar, which appears in the upper right of the browser.

You can already see that the dashboard's summary
view displays the status of the two nodes for the key
values: CPU, disk space, ADC tunnels and Highwater, Memory usage, Swap
area.

images image72 images image61

From the Cluster menu you can delete, create and parameterize clusters ...

images image73

When you click add Cluster, you will be prompted to indicate a name and
description of the Cluster that you want to create.

images image74 images image75

As soon as it is confirmed with OK, you can configure the Cluster through
the [edit] button.

images image76

After you select [edit] and expand the "processes" panel, you
can associate the processes with this "cluster"

images image77 images image78

With the [+] button we associate the second process that makes up the
"Cluster"

images image79

For convenience, the [+] key copies the characteristics of the source where it
is pressed. Therefore, it will be enough to change the necessary values, in
this case only the "Node Address"

images image80

All that remains is to save the configuration to activate the cluster...

images image81 images image82 images image83

Selecting Clusters will show us the composition of the newly
created cluster...

images image84

Returning to the OPLON Dashboard view
we will notice that the system detects a configuration misalignment.

images image85

This is because the Cluster node on which we made the configurations is not aligned with the
configurations of the node that has only now joined the Cluster and must therefore be
realigned. OPLON is
equipped with a powerful engine that checks the consistency of cluster
node configurations; if they are misaligned it shows
an error message and offers the possibility of reconciling
the configurations. Select the configuration that you want to reconcile and press
edit

images image86

The system will show the misaligned configurations with their
characteristics. The operator is asked to select the configuration from which to start in order to align the other
nodes in the Cluster.
In this case we will start from Oklahoma, which has the most recent last modified date and also the highest configuration compared to
Oregon.

images image87

After confirmation, the system re-checks the consistency

images image88 images image89

Returning to the Dashboard, the reports
of inconsistency will have disappeared.

images image90

Creating the OPLON ADC Standard HA Cluster

As for creating the first cluster, select Settings and Clusters

images image91

Select add Cluster

images image92

Set cluster name and description

images image93

Go to [Edit] to complete cluster configuration

images image94

Set the address of the node on which to create the cluster and then
the process (module) to place in the cluster

images image95

Press Add new item and then change the address of the second node, and
then go to the "1 to save" link...

images image96

[save] the configuration

images image97 images image98

Selecting Clusters will now show 2 Clusters, one for
Workspace configurations and one for the OPLON ADC Standard HA
cluster.

images image99

Overview cluster management

Selecting "ADC Settings" -> "ADCs" will present a
summary of all ADC modules under management at the Global Distributed
Gateway. In this case, the "ADC" named STDHAEDUCLOUD is highlighted,
which is displayed as a single "Cluster" object consisting of multiple processes that must be managed
simultaneously. For this reason, the
system exposes a single element.

images image100

If we go to edit and then select the Cluster

images image101

The system will show the nodes that make up the Cluster in a concise
way, giving the possibility to navigate the specific sections to verify their
characteristics. If the cluster nodes are running, you can fully explore all the details.

images image102 images image103

When you make settings in a Cluster, all operations you
perform are replicated to all modules that make up the
Cluster.

OPLON ADC Standard HA networks setting

The configurations are therefore kept constantly aligned, transparently
to the operator. To configure the "OPLON ADC
Standard HA" cluster, go to [edit]

images image104

In order to use the same configurations on multiple
nodes with different parameters, such as IP addresses local to the node, you can use variables that associate a name with a
value locally
to a node or process and that are always available during setup.

images image105

Variables can be of two types, either associated with the node or
associated with the process/module. In this case, variables associated with
the process/module have been set up that describe the public
network, private network, and backend network. They also report the
value of a virtual address and its netmask.

Variables can be used in the setup, thus maintaining
different values for each process or node but identical configurations. To
use a variable, simply write the name of the variable between two
# characters.

E.g.: #OPLONADDRESSIPV4_PRIVATE#

images image106

OPLON ADC Standard HA Heart-Beat Setting

To keep the application cluster consistent at run-time,
the nodes that compose it must maintain a constant verification dialogue
with each other to determine which one holds the "Master" status. The
Heart-Beat network serves this purpose, and OPLON ADC Standard HA uses the
Heart-Beat network to exchange information about the state of activity of individual
nodes.

The Heart-Beat network can be set in two modes, Multicast
or UDP, and both can be used in encrypted mode.

images image107

Multicast mode is very convenient where this protocol is allowed, as it allows the
lookup-discovery of the nodes belonging to the
Cluster. To use this mode, you must
check during installation whether the protocol is enabled in the datacenter. If
this is not the case, use the UDP protocol, which is always enabled.

UDP mode is essential on geographic networks, or in on-premises
or cloud installations where multicast is not
enabled. The strength of this protocol is that it is always enabled in all
circumstances.

UDP OPLON ADC Standard HA Heart-Beat Setting

Setting the Heart-Beat through UDP is an
alternative to setting the Heart-Beat through Multicast. If you have already
set the Heart-Beat through Multicast, skip this paragraph.

Heart-Beat setting through UDP is required in cases of installation
in geographic environments or where the
Multicast protocol is not available.

images image108 images image109

Change values by network schema...

images image110 images image111

The Heart-Beat protocol in the Lookup panel is set to UDP by default. All other parameters have already been set in variables and therefore there are no other operations to be done.

images image112

Unlike Multicast, which performs an automatic lookup-discovery,
with UDP it is necessary to indicate the peer nodes that make up the
Cluster. Since these parameters differ from node to node, there is already a
variable, previously set in the
process/module variables, that holds the address of
the peer clustered node: "OPLONADDRESSIPV4PRIVATEPEER".

When clustering more than two nodes, add as many variables as
there are additional nodes in the cluster and then add them to
the "udp nodes lookup" panel

Save the configuration...

images image113 images image114 images image115

MULTICAST OPLON ADC Standard HA Heart-Beat Setting

Setting the Heart-Beat through Multicast is an
alternative to setting the Heart-Beat through UDP. If you have already set the
Heart-Beat through UDP, skip this paragraph.

To set the Heart-Beat through Multicast, simply
change the process variable values to those of your network schema and change from
UDP to MULTICAST.

images image116 images image117

Change values by network schema...

images image110 images image111 images image118

... and save...

images image119

Describe the reason for changing the parameters...

images image120

OPLON ADC Standard HA Virtual IPs (VIP) Setting

To set a VIP (Virtual IPs) select ADC Settings -> Virtual
IPs

images image121

You will see the processes and clusters that can manage
virtual addresses. In this case we will choose our Cluster.

A VIP basically consists of three panels:

  • Basic parameters

  • Public network health check

  • Backend network health check

Basic Parameters panel:

images image122

enable=:default value="true"

Enables or disables the virtual address

description=:default value=""

Describes the virtual address

address=:default value=""

It is the virtual address in numeric form (e.g. 192.168.43.10).

For IPv6, the address must be written in square
brackets, e.g. [fdd4:3c3f:aaaa::99].

netmask=:default="255.255.255.0"

It is the netmask in numeric form (e.g. 255.255.255.0) of the virtual address

If the address refers to the IPv6 protocol, the value is determined by the precision (prefix length) that
you want to obtain, e.g. for 64 the address setting will be
fdd4:3c3f:aaaa::99/64

healthCheckPort=:default=""

It is the port on which to perform the health check test. If "", the health check
is not performed. This value is very important because it determines the activity status not only of the IP address but also of
the balancing or routing system. IT MUST BE SET, usually to 80 or
443; if the port uses SSL, set healthCheckSSL to true!

healthCheckSSL=:default value="false"

If set to true, the HTTP health check is performed by establishing an
encrypted connection.

healthCheckUriPath=:default value="/OPLONHealthCheck"

It is the health check path used to verify the activity of the balancing system.
This value is normally never changed unless it is already in use in other
applications. If this value is changed,
it must also be changed in "systemsmonitor_m.xml", "iproxy.xml", and
"healthcheck.xml".

The minimum values to be entered are:

  1. healthCheckPort

  2. Device and deviceName network adapter

  3. at least 3 public addresses (for certification)

  4. at least 3 backend addresses (for certification)

images image123

For our Cluster VIP we will fill in the basic
parameters panel, identifying the network adapters by simply browsing the cluster
nodes

To browse the network adapters, simply follow the link
that displays the cluster nodes, from which to obtain the names of the network
interfaces.

images image124 images image125

If the names of the devices are different, as in the case
of hybrid installations, it is possible to set a local variable on the process or
node, with the value corresponding to the local interface, and indicate
the name of the variable in "device" and "deviceName".

The "Public network health checks" and "Backend network health
checks" panels serve to check the real operation of the networks. In fact,
it is not enough to check whether the link is UP, as usually the connection to a switch will always be UP even if
the services are unreachable.

To do this, you must identify 3 public network
services and at least 3 backend network services whose reachability is verified.
You can use both ICMP
(ping) and connectivity checks (TCP connect), in which no operation is
performed on the service.

You can pre-run the tests through the
Network checks utility, which can be reached from the navigation bar.

images image126

In this case, the public addresses 192.168.43.131, 192.168.43.115,
192.168.43.118 can be reached via ICMP.

The backend can be reached via ICMP at 192.168.45.131,
and addresses 192.168.45.115 and 192.168.45.118 can be reached via TCP connect to port
22 (ssh).

The parameters will then turn out to be:

images image127

Once the parameterization is completed, save the configuration...

images image128

Describe the reason for the change in parameters and confirm...

images image129
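
The public and backend reachability targets chosen above can also be pre-run from a shell on each node. The following is an added example, not the OPLON Network checks utility: `check_plan`, `net_verdict`, `probe_icmp` and `probe_tcp` are hypothetical names, the plan format is constructed, and it assumes an iputils `ping` and an `nc` that supports `-z` and `-w`. The targets are the addresses used in this manual.

```shell
#!/bin/sh
# Added example (not OPLON code): pre-run the public/backend reachability
# checks from a shell before entering them in the VIP health check panels.

# Constructed plan using this manual's targets: network, method, host, [port]
sample_plan() {
    cat <<'EOF'
public  icmp 192.168.43.131
public  icmp 192.168.43.115
public  icmp 192.168.43.118
backend icmp 192.168.45.131
backend tcp  192.168.45.115 22
backend tcp  192.168.45.118 22
EOF
}

# Probes. Assumptions: iputils `ping` and an `nc` that supports -z and -w.
# stdin is redirected so a probe cannot swallow the plan being read.
probe_icmp() { ping -c 1 -W 1 "$1" >/dev/null 2>&1 </dev/null; }
probe_tcp()  { nc -z -w 2 "$1" "$2" >/dev/null 2>&1 </dev/null; }

# net_verdict NAME DEFINED REACHABLE MIN
# Prints a summary; succeeds only if enough targets exist and all answer.
net_verdict() {
    echo "$1: $3/$2 reachable (need at least $4 targets)"
    [ "$2" -ge "$4" ] && [ "$3" -eq "$2" ]
}

# check_plan [MIN]   (reads the plan on stdin, MIN defaults to 3)
# exit status: 0 = each network has >= MIN targets and all of them answer
#              1 = too few targets defined, or at least one target is down
#              2 = malformed plan line
check_plan() {
    min=${1:-3}
    pub_n=0; pub_ok=0; be_n=0; be_ok=0
    while read -r net method host port; do
        case $net in ''|'#'*) continue ;; esac
        case $method in
            icmp) if probe_icmp "$host"; then up=1; else up=0; fi ;;
            tcp)  [ -n "$port" ] || { echo "tcp needs a port: $host" >&2; return 2; }
                  if probe_tcp "$host" "$port"; then up=1; else up=0; fi ;;
            *)    echo "unknown method: $method" >&2; return 2 ;;
        esac
        case $net in
            public)  pub_n=$((pub_n + 1)); pub_ok=$((pub_ok + up)) ;;
            backend) be_n=$((be_n + 1));   be_ok=$((be_ok + up)) ;;
            *)       echo "unknown network: $net" >&2; return 2 ;;
        esac
        [ "$up" -eq 1 ] && state=up || state=DOWN
        echo "$net $method $host${port:+:$port} $state"
    done
    rc=0
    net_verdict public  "$pub_n" "$pub_ok" "$min" || rc=1
    net_verdict backend "$be_n"  "$be_ok"  "$min" || rc=1
    return "$rc"
}

# Live run on a node:  sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then sample_plan | check_plan 3; fi
```

Run it on both nodes: a target that answers from NODE A but not from NODE B would make the two nodes judge the same network differently.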

Start of THE OPLON ADC Standard HA Cluster Nodes

Once you have set the heart-beat parameters and the first VIP,
you can start the Cluster processes. We will
do this from the Cluster panel...

images image130

Select one of the Cluster nodes, and then press Actions and Start
Process...

images image131

Confirmation of the operation will be requested...

images image132

Once confirmed the symbol will change to Running and you will
start to see CPU activity...

images image133

After a few moments it will be possible to check in the services panel that
the node, being the only one running, has been assigned the status of Master...

images image134

In the Networks panel you can verify the attribution
of the VIP IP address in the designated interface...

images image135

The second node of the Cluster is now starting....

images image136

As soon as it starts you will notice the state change
and the CPU activity of the node...

images image137

... with relative attribution of the VIP.

images image138

The virtual address has migrated to the newly started node.

images image139

You can arbitrarily move the virtual address (VIP) from
one node to another simply by running "Promote master" from the node panel that you want to promote to
master...

images image140

After a few moments the virtual address will migrate to the chosen node.

images image141

Enable automatic start of processes when starting VAPPs

To make the processes start automatically when the virtual appliance starts,
position yourself on Clusters -> [Edit]

images image142

In the "general start parameters" panel change the "process
start" parameter from "manual" to "automatic"

images image143

Save the configuration; this will automatically restart
the processes with the new configuration

images image144

Describe the change operation

images image145

Both nodes of the Cluster will restart and return to
the running state

images image146

Master node attribution hierarchy

With OPLON ADC Standard HA, you can set
a hierarchy for assigning the master state to individual nodes. This feature is
very useful when you have sites where it is preferable to have one node rather than another as master in
the state of operational normality.
A typical example of using this feature is a Business
Continuity configuration or geographic networks with addresses located in
other sites and regions (e.g.: Elastic IPs).

To determine in advance which node should be assigned the
master state at startup, simply change the "weight" of the node, which by default is
100. In this case we will change the weight of the OKLAHOMA node from
100 to 110.

images image147 images image148

We save the change...

images image149

We describe the change....

images image150

We re-initialize the services associated
with determining the hierarchy

images image151

Reinit of services associated with determining hierarchy

images image152

Confirm the operation

images image153

Reinit of services associated with determining hierarchy

images image154

Confirm the operation

images image155

At the end of the "Reinit" of the service the Virtual IP will be assigned
to the node with the highest "weight".

images image156

You can always manually reassign the VIP to the other node, until the next instance restart,
through the "Promote
master" command

images image157

The result of "Promote master" is the assignment of the VIP to the selected node within a few
moments

images image158

Cluster certification in critical environments

In extreme environments, such as aircraft, ships, industrial plants with a high risk, cluster certification can be carried out only by personnel certified in a statement digitally signed by OPLON NETWORKS SRL. The certification of the cluster in these environments requires the shipment to OPLON NETWORKS of the last page of the "installation and certification form" certifying the test.