ACOS 4.1.4-GR1 and Harmony Controller Integration Information

The first step in connecting a Thunder device to A10 Harmony™ Controller is to register the Thunder device with the controller. On registration, the configuration of the Thunder device is synchronized with A10 Harmony™ Controller. This includes all partition information and the VIPs configured for the ADC service.

Pre-requisites

  • Verify the connectivity between Harmony Controller and Thunder using the ping command.

  • Check that ports 8443 and 443 on Harmony are reachable from Thunder using the telnet command.

    Example:

    telnet <harmony IP> 8443

  • Check that the visibility module is enabled using the “visibility” command followed by “show context”.

  • Check the NTP service status on Thunder using the command “show ntp status”. NTP must be in sync in order to view the analytics and telemetry.

  • If NTP is not configured and the user does not wish to configure it, set the time manually using the command “clock set”.

    Example:

    clock set 16:18:15 April 9 2019

  • On completion of the above steps, the user has to perform partition tenant mapping on the Harmony Controller User Interface. After tenant mapping is done, you can verify it on the Thunder CLI using the command “sh harmony-controller tenant partition info”.

Thunder registration can be done in one of the following ways:

  1. Using Thunder CLI
  2. Using Thunder UI
  3. Using Thunder Device Manager

Registration occurs in the following sequence of steps:

Register using A10 Harmony™ Controller information

  1. Authenticate the device using the provider’s credentials so that the device is registered for the provider.
  2. Configure the A10 Harmony™ Controller profile in the Thunder device with the host and provider details.

A registration message contains a list of partitions, users, roles, privileges and the encrypted passwords. A10 Harmony™ Controller creates the partitions and their associated users or roles and privileges in the database. As a part of registration, Thunder ADC configures the account ID map for each partition. A10 Harmony™ Controller creates a different tenant for each partition that is registered. This helps in mapping the telemetry information to the correct partition and the applications.

API call to A10 Harmony™ Controller

The Thunder device sends API calls to A10 Harmony™ Controller for registering each object. After the object is registered, A10 Harmony™ Controller creates an object tree for each partition.

Connecting Thunder Device to Harmony Controller

The ACOS devices have the management functionality for application delivery control (ADC). The ACOS devices can be accessed and configured through the GUI, Web User Interface, and the CLI.

The Thunder device/ADC can be connected to the A10 Harmony Controller to extend its utility. The ACOS ADC devices can be integrated with the A10 Harmony Controller platform for visibility, rich analytics, and a graphical view of the traffic flowing through them.

Additionally, the A10 Harmony Controller provides capabilities such as central management, configuration of Provider and Tenant devices, or self-service through the Provider-Tenant model, device clusters, or VM instances.

Registering the Thunder Device to Harmony Controller Using the CLI Mode

Pre-requisites

The Thunder device must be upgraded to firmware version 4.1.1-P7 or later.

  1. Log in to the Thunder device with the following credentials:

    username: admin
    password: a10

  2. Enter the Enable mode first and then the Configuration mode.
  3. Configure the A10 Harmony Controller profile as shown in the Reference section below.

Reference

The following is a sample CLI reference for the applicable Thunder versions:

harmony-controller profile
 host controller.example.com use-mgmt-port
 thunder-mgmt-ip 13.78.173.250
 provider root
 user-name user@company.com
 password encrypted pwl23ABCDefgh (The password is displayed as an encrypted text)
 region India
 availability-zone Bangalore
!
harmony-controller telemetry
 log-rate 1
!

Registration using the Thunder User Interface

  1. Log in to the Thunder device using the following credentials:

    username: admin
    password: *****
    
  2. From the System drop-down list, select Admin

  3. Click the Controller tab to view the Harmony Controller Settings page.

  4. Enter the A10 Harmony™ Controller information as shown in the video

  5. Select Use Management Port

  6. Click Register Device

Registration using Thunder Device Manager

  1. Log in to A10 Harmony™ Controller using your credentials

  2. On the Provider Admin Management page, click View in Device Manager

  3. From the Devices drop-down menu, select Device List

  4. Click +Add Devices

  5. In the Add Device dialog box, enter the following:

    Device IP Address
    User Name
    Password
    
  6. Click Submit to add the device to the Device List

  7. Select the device and click the HC button

  8. Enter the A10 Harmony™ Controller information as shown in the video

  9. Select Use Management Port

  10. Click Submit to register the device

Configuring the Harmony Controller Profile on ACOS CLI

The user can configure the A10 Harmony Controller profile through the ACOS CLI mode.

To configure the A10 Harmony Controller profile with the ACOS CLI, use the following commands:

  1. Enable the A10 Harmony Controller profile configuration:

    ACOS(config)# harmony-controller profile

  2. Enable the host for the A10 Harmony Controller:

    ACOS(config-profile)# host 10.6.100.23 use-mgmt-port

  3. Enable the provider with name of length 1 to 128 characters for the A10 Harmony Controller:

    ACOS(config-profile)# provider root

  4. Enter the provider specified user-name:

    ACOS(config-profile)# user-name user1@a10networks.com

  5. Enter the configured password:

    ACOS(config-profile)# password password

  6. Enable register and de-register:

    ACOS(config-profile)# register

  7. To verify the A10 Harmony Controller registration status, use the following command:

    ACOS(config-profile)# show harmony-controller status

overall-status : Registration with Harmony Controller is partially completed.
To complete the registration, please go to Infrastructure page of HC Portal and map Device Partitions into Tenants
heartbeat-status : ACTIVE
service-registry : ACTIVE
registration-status : PASS
registration-status-code : 200
schema-registry-status : Registration of schemas with SR passed
broker_info : 10.6.34.53:9093
kafka-broker-state : Up
Number-of-tenant-mapped-partitions : 99
Number-of-tenant-unmapped-partitions : 1

New command:

ACOS(config-profile)# show harmony-controller partition-tenant-info
partition-name : part1
tenant-name : Dev109_119_All
tenant-id : daa21128-887f-4369-857f-e581f1c550be
cluster-name : cluster1.part1
cluster-id : 1fc77a68-035c-11e9-82df-001fa00d46f0
log-rate-per-sec : 30
ACOS(config-profile)#

Note: The user can verify the Harmony Controller registration status in single mode or in multi-mode.
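
The verification step above can be automated. The following Python sketch is an added example, not A10 code: it parses the “show harmony-controller status” output shown on this page and reports anything that keeps the registration from being complete, including partitions that are not yet mapped to a tenant. The "healthy" values in EXPECTED are an assumption taken from the sample output; the function names are hypothetical.

```python
import re

# Constructed sample: the "show harmony-controller status" output shown on this page.
SAMPLE_STATUS = """\
ACOS(config-profile)# show harmony-controller status
overall-status : Registration with Harmony Controller is partially completed.
To complete the registration, please go to Infrastructure page of HC
Portal and map Device Partitions into Tenants
heartbeat-status : ACTIVE
service-registry : ACTIVE
registration-status : PASS
registration-status-code : 200
schema-registry-status : Registration of schemas with SR passed
broker_info : 10.6.34.53:9093
kafka-broker-state : Up
Number-of-tenant-mapped-partitions : 99
Number-of-tenant-unmapped-partitions : 1
"""

# A field starts with "name : value"; anything else continues the previous value.
KEY_RE = re.compile(r"^([A-Za-z][\w-]*)\s+:\s+(.*)$")

# Assumption: the values in the page's sample are the healthy ones.
EXPECTED = {
    "heartbeat-status": "ACTIVE",
    "service-registry": "ACTIVE",
    "registration-status": "PASS",
    "registration-status-code": "200",
    "kafka-broker-state": "Up",
}


def parse_status(text):
    """Return {field: value}, joining wrapped lines and skipping CLI prompts."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.split()[0].endswith("#"):
            continue
        match = KEY_RE.match(line)
        if match:
            last = match.group(1)
            fields[last] = match.group(2).strip()
        elif last is not None:
            fields[last] += " " + line
    return fields


def registration_findings(fields):
    """List every reason the device is not fully registered and reporting."""
    findings = []
    for key, want in EXPECTED.items():
        got = fields.get(key)
        if got != want:
            findings.append(f"{key}: expected {want!r}, got {got!r}")
    unmapped = fields.get("Number-of-tenant-unmapped-partitions")
    if unmapped is None or not unmapped.isdigit():
        findings.append("unmapped-partition count missing or unreadable")
    elif int(unmapped) > 0:
        # Telemetry from an unmapped partition has no tenant to land in.
        findings.append(f"{unmapped} partition(s) not mapped to a tenant")
    return findings


if __name__ == "__main__":
    for finding in registration_findings(parse_status(SAMPLE_STATUS)):
        print("FINDING:", finding)
```
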

Configuring the Virtual Router Redundancy Protocol (VRRP) for Cluster

  1. Before registering a VRRP cluster to Harmony Controller, the configuration must be synchronized between the VRRP peer devices. This is done by running the “config sync” command on the Active Thunder device. This command syncs the configuration along with the UUID between devices in the VRRP cluster:

    config sync running all-partitions auto-authentication $OTHER_HA_MEMBER_MGMT_IP

    Note: Wait for the configuration sync to complete before proceeding to the next step.

    For example:

    • The Active node shows the following logs in “show log” when the config is pushed to the Standby:

    Mar 26 2019 15:08:31 Notice      [CLI]:Configuration sync to 10.6.1.25 succeeded
    Mar 26 2019 15:08:25 Notice      [CLI]:HA SYNC : prepare to send
    Mar 26 2019 15:08:25 Notice      [CLI]:HA SYNC : prepare completely

    • The Standby node prompt goes through the following stages:

    Before config sync  > ADC_10_6_1_25-Standby#
    While config sync   > ADC_10_6_1_25-Standby(HA/VRRP-A SYNCHRONIZING RUNNING-CONFIG)#
    After config sync   > ADC_10_6_1_25-Standby#

  2. Register the Active Thunder device to the Harmony Controller first, wait for the registration process to complete, and then register the Standby device.
  3. Once the registration is complete, log in to Harmony Controller and verify that the Active and Standby devices are registered under the same cluster.

Note 1: Any configuration change should only be done on one device (either Active or standby), followed by syncing that change using “config sync” command. This will maintain consistency across both the nodes in a cluster.

Note 2: If for any reason the VRRP members are registered as separate clusters on Harmony Controller, then:

  1. De-register all the VRRP members individually and make sure there is no cluster entry on Harmony Controller for any of the members.
  2. Run the config sync command and follow the steps above to re-register.

This is needed even if the existing configurations are already synchronized across HA members.

Note: Refer to and follow the steps for mapping tenants to device partitions given in the documentation.

Single Sign-On and Authorization

When a user logs in to A10 Harmony™ Controller, they assume the role of provider administrator or tenant administrator. Based on the role, they are able to view the content. When the user wants to get into a device to edit its configuration, they need not log in again to the device, thanks to the single sign-on feature. However, the user’s permissions on that particular device are still honoured. In this way, the administrator of one device is not able to change the configuration of another device, in spite of being an administrator in A10 Harmony™ Controller, until they get the authorization on that device.

Configuration Synchronization

Any configuration change done on the device, whether through the device User Interface, the device CLI or A10 Harmony™ Controller, is automatically synchronized with A10 Harmony™ Controller. If for any reason the connection between the Thunder device and A10 Harmony™ Controller breaks, the application services on the Thunder device continue to work. During this time, users are able to log in to the device User Interface or CLI directly to update the configuration. Such configuration changes are synchronized with A10 Harmony™ Controller when the link is restored.

Integration Commands for Harmony Controller

harmony-controller profile

Description: This CLI option helps in starting the A10 Harmony Controller profile configuration mode.

Important: This command is only applicable in the shared partition.

Syntax:

[no] harmony-controller profile

Parameters   Description
[no]         Disable the A10 Harmony Controller profile
profile      Define the A10 Harmony Controller profile

Default: Not applicable

Mode: ACOS Configuration Mode

Usage: It enables the A10 Harmony Controller profile configuration mode.

Example: The following example shows how to start the A10 Harmony Controller profile configuration mode:

ACOS(config)# harmony-controller profile

host

Description: This CLI option helps in entering the IP address or FQDN associated with the A10 Harmony Controller.

Syntax:

[no] host host-name
[port port-num]
[use-mgmt-port]

Parameters            Description
[no] host host-name   Enter the IP address or fully-qualified domain name (FQDN) of the A10 Harmony Controller.
host-name             The host-name can be an alphanumeric value with 1 to 128 characters or an IPv4 address.
[port port-num]       The port port-num option allows you to specify the port used on the remote A10 Harmony Controller device. The port-num can be a numeric value from 1 to 32767. The default value is 8443.
[use-mgmt-port]       The use-mgmt-port option uses the ACOS device’s management port as the source interface. Otherwise, a data interface is used.

Default: No default value

Mode: A10 Harmony Controller configuration mode

Usage: Enter the IPv4 address or FQDN of the A10 Harmony Controller. This allows the ACOS device to find the controller on the network during the registration process.

Example: The following example shows how to enter the A10 Harmony Controller configuration mode on the ACOS device, in order to enter the host IP address of 1.2.3.4, which is the IP of the controller:

ACOS(config)# harmony-controller profile
ACOS(config-profile)# host 1.2.3.4 port 8445
ACOS(config-profile)#

provider

Description: This CLI option helps in configuring the data or information provider for the A10 Harmony Controller.

Syntax:

[no] provider provider-name

Parameters      Description
[no]            Remove data provider for the A10 Harmony Controller
provider-name   The provider-name is the owner of the A10 Harmony Controller. For Self-Managed A10 Harmony Controller deployment activities, this parameter becomes the name of the user, where the device is deployed. For example, a user purchases the A10 Harmony Controller software and installs it on a Thunder Bare Metal device, and this device is deployed on the user’s own network. In this situation, the user must ideally enter their name as the provider-name. However, for cloud-based deployments, where the metrics collection and analytics are sold as a service, this can be A10 Networks or any other similar service provider. The provider-name is an alphanumeric value with 1 to 128 characters.

Default: No default value

Mode: A10 Harmony Controller configuration mode

Usage: The provider-name is the owner of the A10 Harmony Controller that is selling the software services (SaaS) for metrics collection and analytics for the managed Thunder.

Example: The following example shows how to enter the A10 Harmony Controller configuration mode and how to enter the provider name, “PROV-1”:

ACOS(config)# harmony-controller profile
ACOS(config-profile)# provider PROV-1
ACOS(config-profile)#

user-name

Description: This CLI option helps in configuring the user name for the A10 Harmony Controller client.

Syntax:

[no] user-name <name>

Parameters   Description
[no]         Remove configured user name.
name         Name string.

Default: No default value

Mode: A10 Harmony Controller configuration mode

Usage: Enter the user-name for the tenant in the A10 Harmony Controller. The ACOS device uses these credentials to log into the controller.

Example: The following example shows how to enter the A10 Harmony Controller configuration mode and also to enter the user-name “USERNAME123”. This user name is associated with the tenant on the controller:

ACOS(config)# harmony-controller profile
ACOS(config-profile)# user-name USERNAME123
ACOS(config-profile)#

password

Description: This CLI option helps in configuring the password for the A10 Harmony Controller profile.

Syntax:

password {password_string}

Parameters        Description
password          Specify the password for the user
password_string   Specify the password for the user, with a maximum length of 128 characters.
encrypted         Encrypt the password.
password_string   The encrypted password string, 1 to 512 characters long.

Default: No default value

Mode: A10 Harmony Controller configuration mode

Usage: The ACOS device uses the credentials during the registration process to access the tenant account on the A10 Harmony Controller.

Example: The following example shows how to enter the A10 Harmony Controller configuration mode on the ACOS device, and how to enter the password of “PASSWORD123”. This is the password associated with the user account on the A10 Harmony Controller. These credentials are passed to the controller during the registration process:

ACOS(config)# harmony-controller profile
ACOS(config-profile)# password PASSWORD123
ACOS(config-profile)#

register

Description: This CLI option helps in registering the ACOS device with the A10 Harmony Controller.

Register: This command is used to start the registration of the Thunder device to the A10 Harmony Controller.

Syntax:

[no] register

Default: Disabled

Mode: A10 Harmony Controller configuration mode

Usage: This command registers the ACOS device with the A10 Harmony Controller by initiating the registration process from ACOS device to the controller. Once the registration is complete, the ACOS device can start sending logs or analytics.

Example: The following example shows how to enter the A10 Harmony Controller configuration mode and register the ACOS device with the controller:

ACOS(config)# harmony-controller profile
ACOS(config-profile)# register
ACOS(config-profile)#

deregister

Description: This CLI option helps in de-registering the ACOS device with the A10 Harmony Controller.

Deregister: This command is used to remove the registered Thunder device.

Syntax:

[no] deregister

Default: Disabled

Mode: A10 Harmony Controller configuration mode

Usage: This command de-registers the ACOS device with the A10 Harmony Controller by initiating the de-registration from the controller. Once the ACOS device is de-registered, the controller stops receiving the logs and the analytics data from the ACOS device.

Example: The following example shows how to enter the A10 Harmony Controller configuration mode and then de-register the ACOS device from the controller:

ACOS(config)# harmony-controller profile
ACOS(config-profile)# deregister
ACOS(config-profile)#

availability-zone

Description: This CLI option helps in configuring the geographical availability zone of the ACOS device.

Syntax:

[no] availability-zone <zone_name>

Parameters   Description
no           Remove the availability zone of the Thunder device.
zone_name    Name of the availability zone of the Thunder device, 1 to 128 characters long, created by the zone command.

Default: No default value

Mode: A10 Harmony Controller configuration mode

Usage: The availability-zone command is used to specify the location of the Thunder managed devices. The command is similar to the region command, because both commands are used to specify the location of the managed Thunder devices.

However, whereas the region is typically used to specify a city name, the availability-zone is used to provide more granular information about the location of a managed device, such as the building name or rack ID within a data center.

Example: The following example shows how to enter A10 Harmony Controller configuration mode and create a new availability-zone called “NEW-ZONE123”:

ACOS(config)# harmony-controller profile
ACOS(config-profile)# availability-zone NEW-ZONE123
ACOS(config-profile)#

region

Description: This CLI option helps in specifying the region of the ACOS device network.

Syntax:

[no] region region_name

Parameters    Description
no            Remove the configured region of ACOS device network.
region_name   Name of the region.

Default: No default value

Mode: A10 Harmony Controller configuration mode

Usage: The region name is used to specify the location of the Thunder managed devices. The command is similar to the availability-zone command, in that both are used to specify the location of the managed Thunder devices.

However, whereas the region is typically used to specify a city name, the availability-zone could be used to provide more granular information about the location of a managed device, such as the building name or rack ID within a data center.

Example: The following example shows how to enter A10 Harmony Controller configuration mode and create a new region called “REG-BLR-123”:

ACOS(config)# harmony-controller profile
ACOS(config-profile)# region REG-BLR-123
ACOS(config-profile)#

thunder-mgmt-ip

Description: This CLI option helps in entering the IP address for the Thunder. This address is used to specify the source IP of the Thunder device, and this information is pushed to the A10 Harmony Controller during the registration.

Syntax:

[no] thunder-mgmt-ip ip-address

Parameters                   Description
thunder-mgmt-ip ip-address   The ip-address can be a standard IPv4 address.

Default: No default value

Mode: A10 Harmony Controller configuration mode

Usage: The CLI option thunder-mgmt-ip is required for the registration of the A10 Networks Thunder device to the A10 Harmony Controller.

The A10 Networks Thunder device uses this IP address to send the required information to the A10 Harmony Controller during registration, and also to communicate back for on-box UI and TDM communication purposes.

If the CLI option thunder-mgmt-ip is configured or set after the registration, the on-box UI functionality picks up the updated IP without re-registration. However, for TDM listing, a re-registration is required.

Example: The following example shows how to enter A10 Harmony Controller configuration mode and enter a thunder-mgmt-ip “1.2.3.4” for the Thunder managed device, to be used during registration with the controller:

ACOS(config)# harmony-controller profile
ACOS(config-profile)# thunder-mgmt-ip 1.2.3.4
ACOS(config-profile)#

harmony-controller telemetry

Description: This CLI option helps in configuring the A10 Harmony Controller telemetry mode to collect ACOS firewall statistics.

Syntax:

[no] harmony-controller telemetry per partition configuration

Parameters                    Description
no                            Disable telemetry mode for the A10 Harmony Controller
telemetry                     Telemetry mode
per partition configuration   Enable the configuration at the partition level

Default: No default value

Mode: Configuration mode

Usage: This is applicable to the statistics of the following:

  • Application firewall
  • GI firewall
  • Data-centre firewall

Example: The following example shows how to configure the A10 Harmony Controller telemetry mode to collect the ACOS firewall statistics:

ACOS(config)# harmony-controller telemetry per partition configuration

log-rate

Description: This CLI option helps in configuring the maximum number of logs per second sent by the ACOS device to the A10 Harmony Controller.

Syntax:

log-rate <log_rate_value>

Parameters       Description
log_rate_value   Maximum number of logs sent by the partitions per second, in the range 0 to 10000.

Default: The default value is 10

Mode: A10 Harmony Controller configuration mode

Usage: This option sets the sampling rate of traffic logs sent from the Thunder device to the controller.

Example: The following example shows how to enter the A10 Harmony Controller configuration mode on the ACOS device in order to specify a log-rate maximum value of 10,000 traffic logs from the managed Thunder device to the controller:

ACOS(config)# harmony-controller telemetry
ACOS(config-profile)# log-rate 10000
ACOS(config-profile)#
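
The limits given in the command reference above (host, port, provider, thunder-mgmt-ip, password and log-rate) can be checked before a profile is pushed to a device. The following Python linter is an added example, not A10 code; it assumes the profile text is kept in a file such as a provisioning template, and the function names and the defective sample are constructed for illustration.

```python
import ipaddress

# Constructed sample: the page's sample profile with three defects inserted
# (port above the documented range, clear-text password, log-rate too high).
BAD_CONFIG = """\
harmony-controller profile
 host controller.example.com port 40000 use-mgmt-port
 thunder-mgmt-ip 13.78.173.250
 provider root
 user-name user@company.com
 password PASSWORD123
 region India
 availability-zone Bangalore
!
harmony-controller telemetry
 log-rate 20000
!
"""


def parse_blocks(text):
    """Map each top-level command to {sub-command: [arguments]}; '!' ends a block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif not raw[0].isspace():
            current = blocks.setdefault(line, {})
        elif current is not None:
            word, *args = line.split()
            current[word] = args
    return blocks


def first(args):
    return args[0] if args else ""


def in_range(value, low, high):
    return value.isascii() and value.isdigit() and low <= int(value) <= high


def lint_profile(text):
    """Return findings for values outside the limits in the command reference."""
    blocks = parse_blocks(text)
    profile = blocks.get("harmony-controller profile", {})
    telemetry = blocks.get("harmony-controller telemetry", {})
    findings = []

    host = profile.get("host", [])
    if not 1 <= len(first(host)) <= 128:
        findings.append("host: missing or not 1 to 128 characters")
    if "port" in host[1:]:
        port = first(host[host.index("port", 1) + 1:])
        if not in_range(port, 1, 32767):
            findings.append(f"host: port {port!r} is outside 1 to 32767")

    if not 1 <= len(first(profile.get("provider", []))) <= 128:
        findings.append("provider: missing or not 1 to 128 characters")

    # thunder-mgmt-ip is required for registration and must be IPv4.
    mgmt_ip = first(profile.get("thunder-mgmt-ip", []))
    try:
        ipaddress.IPv4Address(mgmt_ip)
    except ValueError:
        findings.append(f"thunder-mgmt-ip: {mgmt_ip!r} is not an IPv4 address")

    password = profile.get("password", [])
    if not password:
        findings.append("password: missing")
    elif password[0] == "encrypted":
        if not 1 <= len(first(password[1:])) <= 512:
            findings.append("password: encrypted string not 1 to 512 characters")
    else:
        findings.append("password: clear text in file, expected 'password encrypted <string>'")

    # log-rate may be absent (the documented default is 10).
    rate = first(telemetry.get("log-rate", []))
    if rate and not in_range(rate, 0, 10000):
        findings.append(f"log-rate: {rate!r} is outside 0 to 10000")
    return findings
```
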

show harmony-controller status

Description: This CLI option helps in displaying the status of the A10 Harmony Controller profile.

Syntax:

show harmony-controller status

Default: No default value

Mode: Configuration mode

Usage: This parameter is used to check the status of the A10 Harmony Controller.

Example: The following is an example of the show output:

ACOS(config-profile)# show harmony-controller status
overall-status : Registration with Harmony Controller is partially completed.
To complete the registration, please go to Infrastructure page of HC
Portal and map Device Partitions into Tenants
heartbeat-status : ACTIVE
service-registry : ACTIVE
registration-status : PASS
registration-status-code : 200
schema-registry-status : Registration of schemas with SR passed
broker_info : 10.6.34.53:9093
kafka-broker-state : Up
Number-of-tenant-mapped-partitions : 99
Number-of-tenant-unmapped-partitions : 1

Command to Verify Partition Tenant Mapping:

ACOS(config-profile)# show harmony-controller partition-tenant-info
partition-name : part1
tenant-name : Dev109_119_All
tenant-id : daa21128-887f-4369-857f-e581f1c550be
cluster-name : cluster1.part1
cluster-id : 1fc77a68-035c-11e9-82df-001fa00d46f0
log-rate-per-sec : 30
ACOS(config-profile)#

show harmony-controller stats

Description: This CLI option helps in displaying the statistics of the A10 Harmony Controller profile.

Syntax:

show harmony-controller stats

Default: No default value

Mode: Configuration mode

Usage: This parameter is used to check the statistics of the A10 Harmony Controller.

Example: The following is an example of the show output:

ACOS(config-profile)# show harmony-controller stats
Counter                                             Value
PR topic counter from ACOS to Harmony               0
AVRO device status from ACOS to Harmony             270
AVRO partition metrics from ACOS to Harmony         270
Telemetry exported via AVRO                         270
PR topic to Harmony enqueue error                   0
PR topic to Harmony dequeue error                   0
Telemetry exported via AVRO failed encoding         0
Telemetry exported via AVRO failed sending          0
AVRO device status enqueue error                    0
AVRO device status dequeue error                    0
AVRO partition metrics enqueue error                0
AVRO partition metrics dequeue error                0
Kafka Unknown topic error                           0
Telemetry drop because kafka broker is down         0
Telemetry drop because kafka Queue is full          0
PR drop due to throttling                           0
PR drop because not allowed to log                  0
PR back-end ttfb is negative                        0
PR back-end ttlb is negative                        0
PR in latency threshold exceeded                    0
PR out latency threshold exceeded                   0
PR out latency negative                             0
PR in latency negative                              0
Telemetry dropped because Kafka topic not created   0
Telemetry exported via AVRO failed encoding         0
PC topic counter from ACOS to Harmony               0
PC topic to Harmony dequeue error                   0
CGN PC topic counter from ACOS to Harmony           0
CGN PC topic to Harmony dequeue error               0
CGN PE topic counter from ACOS to Harmony           0
CGN PE topic to Harmony dequeue error               0
FW PC topic counter from ACOS to Harmony            0
FW PC topic to Harmony dequeue error                0
FW DENY PC topic counter from ACOS to Harmony       0
FW DENY PC topic to Harmony dequeue error           0
FW RST PC topic counter from ACOS to Harmony        0
FW RST PC topic to Harmony dequeue error            0
CGN Summary PE topic counter from ACOS to Harmony   0
CGN Summary PE topic to Harmony dequeue error       0
PC drop due to throttling                           0
Partition-Tenant mapping not saved on HC            12
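
The counters above show where telemetry is being lost on its way to the controller. The following Python sketch is an added example, not A10 code: it parses two polls of “show harmony-controller stats” and reports the error and drop counters that increased in between. It assumes the counters are cumulative; the second poll and its values are constructed, and the function names are hypothetical. The parser accepts a counter and its value on one line or on two consecutive lines.

```python
import re

ROW_RE = re.compile(r"^(.*\S)\s+(\d+)$")   # "counter name   value" on one line
LOSS_WORDS = ("error", "drop", "failed", "negative", "exceeded",
              "not saved", "not created")

# Constructed sample: a subset of the counters in the output shown on this page.
POLL_1 = """\
ACOS(config-profile)# show harmony-controller stats
Counter                                       Value
Telemetry exported via AVRO                   270
Telemetry drop because kafka broker is down   0
PR drop due to throttling                     0
Partition-Tenant mapping not saved on HC      3635
"""

# Constructed second poll with invented values, one item per line.
POLL_2 = """\
Telemetry exported via AVRO
300
Telemetry drop because kafka broker is down
12
PR drop due to throttling
0
Partition-Tenant mapping not saved on HC
3700
"""


def parse_counters(text):
    """Return {counter name: value} from either output layout."""
    counters, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.split()[0].endswith("#"):   # blank line or CLI prompt
            continue
        match = ROW_RE.match(line)
        if match:
            counters[match.group(1)] = int(match.group(2))
            pending = None
        elif line.isdigit() and pending:
            counters[pending] = int(line)
            pending = None
        else:
            pending = line            # a name waiting for its value, or a header
    return counters


def is_loss_counter(name):
    lowered = name.lower()
    return any(word in lowered for word in LOSS_WORDS)


def new_losses(previous, current):
    """Loss counters that grew between two polls, with the size of the increase."""
    grown = {}
    for name, value in current.items():
        if not is_loss_counter(name):
            continue
        delta = value - previous.get(name, 0)
        if delta < 0:                 # counter went backwards: treat as a reset
            delta = value
        if delta > 0:
            grown[name] = delta
    return grown


if __name__ == "__main__":
    for name, delta in new_losses(parse_counters(POLL_1), parse_counters(POLL_2)).items():
        print(f"+{delta}  {name}")
```
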