`
`IOS Server Load Balancing
`
Feature History

Release      Modification

12.0(7)XE    This feature was introduced with support for the following platforms:

             • Multilayer Switch Feature Card 2 (MSFC2) and Supervisor Engine 1
               for Cisco Catalyst 6500 family switches (including the Catalyst 6506,
               Catalyst 6509, and Catalyst 6513)

             • Cisco 7200 Series Routers

             The following functions were provided:

             • Algorithms for Server Load Balancing, page 5
             • Automatic Server Failure Detection, page 6
             • Automatic Unfail, page 6
             • Bind ID Support, page 7
             • Client-Assigned Load Balancing, page 7
             • Delayed Removal of TCP Connection Context, page 8
             • Dynamic Feedback Protocol for IOS SLB, page 8
             • Maximum Connections, page 11
             • Port-Bound Servers, page 12
             • Slow Start, page 15
             • Sticky Connections, page 15
             • SynGuard, page 16
             • TCP Session Reassignment, page 16

12.1(1)E     The following functions were added:

             • Alternate IP Addresses, page 6
             • Content Flow Monitor Support, page 8
             • Network Address Translation (NAT) and Session Redirection,
               page 11—Server NAT
             • Redundancy Enhancements, page 14—Stateless Backup
             • Transparent Webcache Load Balancing, page 16

`Cisco IOS Release 12.2 S
`
`
Cisco Confidential — Available to Authorized Customers Under
`
12.1(2)E     The following functions were added:

             • Network Address Translation (NAT) and Session Redirection,
               page 11—Server and Client NAT
             • Probes, page 12—HTTP Probes
             • Redundancy Enhancements, page 14—Stateless and Stateful Backup

12.1(3a)E    The following functions were added:

             • Firewall Load Balancing, page 9
             • Probes, page 12—HTTP and Ping Probes
             • Protocol Support, page 13
             • Redundancy Enhancements, page 14—Stateless and Stateful Backup,
               and Active Standby
             • WAP Load Balancing, page 17

12.1(5a)E    The following functions were added:

             • Avoiding Attacks on Server Farms and Firewall Farms, page 7
             • Probes, page 12—HTTP, Ping, and WSP Probes

12.1(5)T     The Cisco IOS Release 12.1(1)E feature was integrated into Cisco IOS
             Release 12.1(5)T, supporting Cisco 7200 Series Routers only.

12.2         The Cisco IOS Release 12.1(5)T feature was integrated into Cisco IOS
             Release 12.2.

12.1(7)E     Support for the following platform was added:

             • Cisco 7100 Series Routers

             The following functions were added:

             • Multiple Firewall Farm Support, page 11
             • Route Health Injection, page 15

12.1(8a)E    Support for the following platform was added:

             • MSFC2 and Supervisor Engine 2 for Cisco Catalyst 6500 family
               switches (including the Catalyst 6506, Catalyst 6509, and
               Catalyst 6513)

             The following functions were added:

             • Backup Server Farms, page 7
             • DFP Agent Subsystem Support, page 8

12.1(9)E     The following functions were added:

             • GPRS Load Balancing, page 10

12.2 S       The Cisco IOS Release 12.1(8a)E feature and the GPRS Load Balancing
             function were integrated into Cisco IOS Release 12.2 S.
`
`This document describes the Cisco IOS Server Load Balancing (SLB) feature in Cisco IOS
`Release 12.2 S. It includes the following sections:
`
• Overview of the IOS SLB Feature, page 3

• Functions and Capabilities, page 4

• Benefits, page 17
`
`
• Restrictions, page 18

• Related Features and Technologies, page 20

• Related Documents, page 21

• Supported Platforms, page 21

• Supported Standards, MIBs, and RFCs, page 21

• Configuration Tasks, page 22

• Monitoring and Maintaining the IOS SLB Feature, page 41

• Configuration Examples, page 42

• Command Reference, page 95

• FAQ (Frequently Asked Questions), page 215

• Glossary, page 217
`
`Overview of the IOS SLB Feature
`
`The IOS SLB feature is an IOS-based solution that provides IP server load balancing. Using the
`IOS SLB feature, you can define a virtual server that represents a group of real servers in a cluster of
`network servers known as a server farm. In this environment, the clients connect to the IP address of the
`virtual server. When a client initiates a connection to the virtual server, the IOS SLB function chooses a real
`server for the connection based on a configured load-balancing algorithm.
`
`Note
`
`IOS SLB does not support load balancing of flows between clients and real servers that are on the same
`local area network (LAN) or virtual LAN (VLAN). The packets being load balanced cannot enter and
`leave the load-balancing device on the same interface.
`
`IOS SLB also provides firewall load balancing, which balances flows across a group of firewalls called
`a firewall farm.
`
`Figure 1 illustrates a logical view of a simple IOS SLB network.
`
`
Figure 1    Logical View of IOS SLB

[Figure not reproduced. Its labels are Client (four instances), IOS SLB device, Virtual server,
and Real server (three instances): the clients connect to the virtual server on the IOS SLB
device, which hands each connection to one of the real servers.]
`
`Functions and Capabilities
`
`This section describes the following functions and capabilities provided by IOS SLB.
`
`Note
`
`Some IOS SLB functions are specific to one platform and are not described in this feature module. For
`information about those functions, refer to the appropriate platform-specific documentation.
`
• Algorithms for Server Load Balancing, page 5

• Alternate IP Addresses, page 6

• Automatic Server Failure Detection, page 6

• Automatic Unfail, page 6

• Avoiding Attacks on Server Farms and Firewall Farms, page 7

• Backup Server Farms, page 7

• Bind ID Support, page 7

• Client-Assigned Load Balancing, page 7

• Content Flow Monitor Support, page 8

• Delayed Removal of TCP Connection Context, page 8

• DFP Agent Subsystem Support, page 8

• Dynamic Feedback Protocol for IOS SLB, page 8

• Firewall Load Balancing, page 9

• GPRS Load Balancing, page 10

• Maximum Connections, page 11
`
`
• Multiple Firewall Farm Support, page 11

• Network Address Translation (NAT) and Session Redirection, page 11

• Port-Bound Servers, page 12

• Probes, page 12

• Protocol Support, page 13

• Redundancy Enhancements, page 14

• Route Health Injection, page 15

• Slow Start, page 15

• Sticky Connections, page 15

• SynGuard, page 16

• TCP Session Reassignment, page 16

• Transparent Webcache Load Balancing, page 16

• WAP Load Balancing, page 17
`
`Algorithms for Server Load Balancing
`
`IOS SLB provides the following load-balancing algorithms:
`
• Weighted Round Robin, page 5

• Weighted Least Connections, page 6
`
`You can specify one of these algorithms as the basis for choosing a real server for each new connection
`request that arrives at the virtual server.
`
`Weighted Round Robin
`
`The weighted round robin algorithm specifies that the real server used for a new connection to the virtual
`server is chosen from the server farm in a circular fashion. Each real server is assigned a weight, n, that
`represents its capacity to handle connections, as compared to the other real servers associated with the
`virtual server. That is, new connections are assigned to a given real server n times before the next real
`server in the server farm is chosen.
`
`For example, assume a server farm comprised of real server ServerA with n = 3, ServerB with n = 1, and
`ServerC with n = 2. The first three connections to the virtual server are assigned to ServerA, the fourth
`connection to ServerB, and the fifth and sixth connections to ServerC.
`
`Note
`
`Assigning a weight of n=1 to all of the servers in the server farm configures the IOS SLB device to use
`a simple round robin algorithm.
`
`GPRS load balancing requires the weighted round robin algorithm. A server farm that uses weighted
`least connections can be bound to a virtual server providing GPRS load balancing, but you cannot place
`the virtual server INSERVICE. If you try to do so, IOS SLB issues an error message.
`
`
`Weighted Least Connections
`
The weighted least connections algorithm specifies that the next real server chosen from a server farm
for a new connection to the virtual server is the server with the fewest active connections. Each real
server is also assigned a weight for this algorithm. When weights are assigned, the choice of the server
with the fewest connections is based on the number of active connections on each server and on the
relative capacity of each server. The capacity of a given real server is calculated as the assigned weight
of that server divided by the sum of the assigned weights of all of the real servers associated with that
virtual server, or n1/(n1 + n2 + n3 + ...).

For example, assume a server farm comprised of real server ServerA with n = 3, ServerB with n = 1, and
ServerC with n = 2. ServerA would have a calculated capacity of 3/(3+1+2), or half of all active
connections on the virtual server, ServerB one-sixth of all active connections, and ServerC one-third of
all active connections. At any point in time, the next connection to the virtual server would be assigned
to the real server whose number of active connections is farthest below its calculated capacity.
`
`Note
`
`Assigning a weight of n=1 to all of the servers in the server farm configures the IOS SLB device to use
`a simple least-connection algorithm.
`
`GPRS load balancing does not support the weighted least connections algorithm.
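The two scheduling rules above, replayed on the ServerA/ServerB/ServerC farm from the text. This is an added example written for this page, not Cisco code: the class and method names are mine, and the capacity shares are kept as exact fractions so that ties are real ties rather than rounding noise.

```python
"""Simulation of the two IOS SLB scheduling algorithms described above.

Added example, not Cisco's code: the weights (ServerA n = 3, ServerB n = 1,
ServerC n = 2) come from the text; the class and method names are my own.
"""
from fractions import Fraction
from typing import Dict, List


class WeightedRoundRobin:
    """Hand each real server 'weight' consecutive connections, then move on
    circularly. Weights of 1 everywhere degenerate to simple round robin."""

    def __init__(self, weights: Dict[str, int]) -> None:
        if not weights or any(w < 1 for w in weights.values()):
            raise ValueError("every real server needs a weight of at least 1")
        self.order: List[str] = list(weights)   # circular order of real servers
        self.weights = dict(weights)
        self.index = 0                          # real server currently being filled
        self.handed_out = 0                     # connections given to it this pass

    def next_server(self) -> str:
        server = self.order[self.index]
        self.handed_out += 1
        if self.handed_out >= self.weights[server]:
            # This server has had its n connections; advance to the next one.
            self.index = (self.index + 1) % len(self.order)
            self.handed_out = 0
        return server


class WeightedLeastConnections:
    """Choose the real server whose active-connection count is farthest below
    its calculated capacity n_i / (n_1 + n_2 + n_3 + ...)."""

    def __init__(self, weights: Dict[str, int]) -> None:
        if not weights or any(w < 1 for w in weights.values()):
            raise ValueError("every real server needs a weight of at least 1")
        total = sum(weights.values())
        self.capacity = {s: Fraction(w, total) for s, w in weights.items()}
        self.active: Dict[str, int] = {s: 0 for s in weights}

    def shortfall(self, server: str) -> Fraction:
        # Connections this server should hold once the new one is placed,
        # minus what it holds now. Largest shortfall = farthest below capacity.
        expected = self.capacity[server] * (sum(self.active.values()) + 1)
        return expected - self.active[server]

    def next_server(self) -> str:
        # Ties are broken in favour of the larger capacity, then config order.
        server = max(self.active, key=lambda s: (self.shortfall(s), self.capacity[s]))
        self.active[server] += 1
        return server

    def release(self, server: str) -> None:
        """Call when a connection to 'server' ends."""
        if self.active[server] <= 0:
            raise ValueError(f"{server} has no active connections")
        self.active[server] -= 1


if __name__ == "__main__":
    farm = {"ServerA": 3, "ServerB": 1, "ServerC": 2}
    wrr = WeightedRoundRobin(farm)
    print("WRR:", [wrr.next_server() for _ in range(6)])
    wlc = WeightedLeastConnections(farm)
    print("WLC:", [wlc.next_server() for _ in range(6)], wlc.active)
```

Six connections under weighted least connections also end up split 3:1:2, but the order in which they are handed out differs from weighted round robin.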
`
`Alternate IP Addresses
`
`IOS SLB enables you to telnet to the load-balancing device using an alternate IP address. To do so, use
`either of the following methods:
`
• Use any of the interface addresses to telnet to the load-balancing device.

• Define a secondary IP address to telnet to the load-balancing device.
`
`This function is similar to that provided by the LocalDirector (LD) Alias command.
`
`Automatic Server Failure Detection
`
`IOS SLB automatically detects each failed Transmission Control Protocol (TCP) connection attempt to
`a real server, and increments a failure counter for that server. (The failure counter is not incremented if
`a failed TCP connection from the same client has already been counted.) If a server’s failure counter
`exceeds a configurable failure threshold, the server is considered out of service and is removed from the
`list of active real servers.
`
`Automatic Unfail
`
`When a real server fails and is removed from the list of active servers, it is assigned no new connections
`for a length of time specified by a configurable retry timer. After that timer expires, the server is again
`eligible for new virtual server connections and IOS SLB sends the server the next qualifying connection.
`If the connection is successful, the failed server is placed back on the list of active real servers. If the
`connection is unsuccessful, the server remains out of service and the retry timer is reset.
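A small model of the failure-counting and retry behaviour the two sections above describe, including the rule that a repeat failure from the same client is not counted again. This is an added example, not Cisco code: the threshold, retry time and client addresses are constructed, and clearing the counter once the server recovers is my assumption (the text does not say what happens to it).

```python
"""Model of automatic server failure detection and automatic unfail.

Added example, not Cisco's code: the class is my own; threshold, retry timer
and client addresses are constructed values.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class RealServerHealth:
    name: str
    failure_threshold: int          # counter must EXCEED this to fail the server
    retry_seconds: float            # length of the configurable retry timer
    failures: int = 0
    counted_clients: Set[str] = field(default_factory=set)
    in_service: bool = True
    retry_deadline: Optional[float] = None

    def eligible(self, now: float) -> bool:
        """May the scheduler hand this server a new connection at time 'now'?"""
        if self.in_service:
            return True
        # Out of service: only after the retry timer expires is the next
        # qualifying connection sent to the server, as a test.
        return self.retry_deadline is not None and now >= self.retry_deadline

    def connection_failed(self, client: str, now: float) -> None:
        if not self.in_service:
            # The test connection failed: stay out of service, restart the timer.
            self.retry_deadline = now + self.retry_seconds
            return
        if client in self.counted_clients:
            return                  # a failure from this client is already counted
        self.counted_clients.add(client)
        self.failures += 1
        if self.failures > self.failure_threshold:
            self.in_service = False
            self.retry_deadline = now + self.retry_seconds

    def connection_succeeded(self) -> None:
        if self.in_service:
            return
        # The test connection succeeded: back on the active list. Clearing the
        # counter and the client set is an assumption, not stated by the text.
        self.in_service = True
        self.failures = 0
        self.counted_clients.clear()
        self.retry_deadline = None


def walk_through() -> RealServerHealth:
    """Replay a scenario: threshold 2, retry timer 60 s (constructed values)."""
    srv = RealServerHealth("ServerA", failure_threshold=2, retry_seconds=60)
    srv.connection_failed("198.51.100.10", now=0)    # counter 1
    srv.connection_failed("198.51.100.10", now=1)    # same client: still 1
    srv.connection_failed("198.51.100.11", now=2)    # counter 2, not yet > 2
    srv.connection_failed("198.51.100.12", now=3)    # counter 3 > 2: out of service
    return srv


if __name__ == "__main__":
    s = walk_through()
    print(s.name, "in service:", s.in_service, "eligible at t=63:", s.eligible(63))
```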
`
`
`Avoiding Attacks on Server Farms and Firewall Farms
`
`IOS SLB relies on a site’s firewalls to protect the site from attacks. In general, IOS SLB is no more
`susceptible to direct attack than is any switch or router. However, a highly secure site can take the
`following steps to enhance its security:
`
• Configure real servers on a private network to keep clients from connecting directly to them. This
ensures that the clients must go through IOS SLB to get to the real servers.

• Configure input access lists on the access router or on the IOS SLB device to deny flows from the
outside network aimed directly at the interfaces on the IOS SLB device. That is, deny all direct flows
from unexpected addresses.

• To protect against attackers trying to direct flows to real or nonexistent IP addresses in the firewall
subnet, configure the firewalls in a private network.

• Configure firewalls to deny all unexpected flows targeted at the firewalls, especially flows
originating from the external network.
`
`Backup Server Farms
`
`A backup server farm is a server farm that can be used when none of the real servers defined in a primary
`server farm is available to accept new connections. When configuring backup server farms, keep in mind
`the following considerations:
`
• A server farm can act as both primary and backup at the same time.

• The same real server cannot be defined in both primary and backup at the same time.

• Both primary and backup require the same NAT configuration (none, client, server, or both). In
addition, if NAT is specified, both server farms must use the same NAT pool.
`
`Bind ID Support
`
`The bind ID allows a single physical server to be bound to multiple virtual servers and report a different
`weight for each one. Thus, the single real server is represented as multiple instances of itself, each having
`a different bind ID. DFP uses the bind ID to identify for which instance of the real server a given weight
`is specified. The bind ID is needed only if you are using DFP.
`
`GPRS load balancing does not support bind IDs.
`
`Client-Assigned Load Balancing
`
`Client-assigned load balancing allows you to limit access to a virtual server by specifying the list of
`client IP subnets that are permitted to use that virtual server. With this feature, you can assign a set of
`client IP subnets (such as internal subnets) connecting to a virtual IP address to one server farm or
`firewall farm, and assign another set of clients (such as external clients) to a different server farm or
`firewall farm.
`
`GPRS load balancing does not support client-assigned load balancing.
`
`
`Content Flow Monitor Support
`
`IOS SLB supports the Cisco Content Flow Monitor (CFM), a web-based status monitoring application
`within the CiscoWorks2000 product family. You can use CFM to manage Cisco server load-balancing
`devices. CFM runs on Windows NT and Solaris workstations, and is accessed using a web browser.
`
`Delayed Removal of TCP Connection Context
`
`Because of IP packet ordering anomalies, IOS SLB might “see” the termination of a TCP connection (a
`finish [FIN] or reset [RST]) followed by other packets for the connection. This problem usually occurs
`when there are multiple paths that the TCP connection packets can follow. To correctly redirect the
`packets that arrive after the connection is terminated, IOS SLB retains the TCP connection information,
`or context, for a specified length of time. The length of time the context is retained after the connection
`is terminated is controlled by a configurable delay timer.
`
`DFP Agent Subsystem Support
`
`IOS SLB supports the DFP Agent Subsystem feature, which enables client subsystems other than
`IOS SLB to act as DFP agents. With the DFP Agent Subsystem, you can use multiple DFP agents from
`different client subsystems at the same time.
`
`For more information about the DFP Agent Subsystem, see the DFP Agent Subsystem feature module.
`
`Dynamic Feedback Protocol for IOS SLB
`
`With IOS SLB Dynamic Feedback Protocol (DFP) support, a DFP manager in a load-balancing
`environment can initiate a TCP connection with a DFP agent. Thereafter, the DFP agent collects status
`information from one or more real host servers, converts the information to relative weights, and reports
`the weights to the DFP manager. The DFP manager factors in the weights when load balancing the real
`servers. In addition to reporting at user-defined intervals, the DFP agent sends an early report if there is
`a sudden change in a real server’s status.
`The weights calculated by DFP override the static weights you define using the weight (server farm)
`command. If DFP is removed from the network, IOS SLB reverts to the static weights.
`
`You can define IOS SLB as a DFP manager, as a DFP agent for another DFP manager (such as
`DistributedDirector), or as both at the same time. In such a configuration, IOS SLB sends periodic
`reports to DistributedDirector, which uses the information to choose the best server farm for each new
`connection request. IOS SLB then uses the same information to choose the best real server within the
`chosen server farm.
`
`DFP also supports the use of multiple DFP agents from different client subsystems (such as IOS SLB
`and GPRS) at the same time.
`
`In GPRS load balancing, you can define IOS SLB as a DFP manager and define a DFP agent on each
`GGSN in the server farm, and the DFP agent can report the weights of the GGSNs. The DFP agents
`calculate the weight of each GGSN based on CPU utilization, processor memory, and the maximum
`number of PDP contexts (mobile sessions) that can be activated for each GGSN. As a first approximation,
`DFP calculates the weight as the number of existing PDP contexts divided by the maximum allowed
`PDP contexts:
`
`(existing PDP contexts)/(maximum PDP contexts)
`
`
`Maximum PDP contexts are specified using the gprs maximum-pdp-context-allowed command,
`which defaults to 1000 PDP contexts. If you accept the default value, DFP might calculate a very low
`weight for the GGSN:
`
`(existing PDP contexts)/1000 = Low GGSN weight
`
`Keep this calculation in mind when specifying maximum PDP contexts using the
`gprs maximum-pdp-context-allowed command.
`
`Firewall Load Balancing
`
`As its name implies, firewall load balancing enables IOS SLB to balance flows to firewalls. Firewall load
`balancing uses a load-balancing device on each side of a group of firewalls (called a firewall farm) to
`ensure that the traffic for each flow travels to the same firewall, ensuring that the security policy is not
`compromised.
`
`You can configure more than one firewall farm in each load-balancing device.
`
`Layer 3 firewalls, which have IP-addressable interfaces, are supported by IOS SLB firewall load
`balancing if they are subnet-adjacent to the firewall load-balancing device and have unique MAC
`addresses. The device does not modify the IP addresses in the user packet. To send the packet to the
`chosen firewall, the device determines which interface to use and changes the Layer 2 headers
`accordingly. This is the standard dispatched routing used by IOS SLB.
`
`Layer 2 firewalls, which do not have IP addresses, are transparent to IOS SLB firewall load balancing.
`IOS SLB supports Layer 2 firewalls by placing them between two IP-addressable interfaces.
`
`Whereas many Layer 3 firewalls might exist off a single Layer 3 interface on the load-balancing device
`(for example, a single LAN), only one Layer 2 firewall can exist off each interface.
`
`When configuring the load-balancing device, you configure a Layer 3 firewall using its IP address, and
`a Layer 2 firewall using the IP address of the interface of the device on the “other side” of the firewall.
`
`To balance flows across the firewalls in a firewall farm, IOS SLB firewall load balancing performs a
`route lookup on each incoming flow, examining the source and destination IP addresses (and optionally
`the source and destination TCP or User Datagram Protocol [UDP] port numbers). Firewall load
`balancing applies a hash algorithm to the results of the route lookup and selects the best firewall to
`handle the connection request.
`
`Note
`
`IOS SLB firewall load balancing must examine incoming packets and perform route lookup. On
`Catalyst 6500 Family Switches, some additional packets might need to be examined. Firewall load
`balancing impacts internal (secure) side routing performance and must be considered in the complete
`design.
`
`To maximize availability and resilience in a network with multiple firewalls, configure a separate
`equal-weight route to each firewall, rather than a single route to only one of the firewalls.
`
`IOS SLB firewall load balancing provides the following capabilities:
`
• Connections initiated from either side of the firewall farm are load-balanced.

• The load is balanced among a set of firewalls—the firewall farm.

• All packets for a connection travel through the same firewall. Subsequent connections can be
“sticky,” ensuring that they are assigned to the same firewall.

• Probes are used to detect and recover from firewall failures.
`
`
• Redundancy is provided. Hot Standby Router Protocol (HSRP), stateless backup, and stateful
backup are all supported.

• Multiple interface types and routing protocols are supported, enabling the external (Internet side)
load-balancing device to act as an access router.

• Proxy firewalls are supported.
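The firewall-farm design above has one load-balancing device on each side of the farm, and every packet of a connection must reach the same firewall from whichever side it arrives. One way to satisfy that with the address-and-port hash described earlier is to make the flow key direction-independent, so both devices compute the same choice for a request and its reply. This is an added example and my own assumption about the design; the actual IOS SLB hash is not described on the page, and the firewall names and addresses are constructed.

```python
"""Direction-independent flow hashing for a firewall farm.

Added example, not Cisco's code: the symmetric key is my assumption about how
both load-balancing devices can agree on a firewall; names and addresses are
constructed.
"""
import hashlib
import ipaddress
from typing import List, Optional


def flow_key(src_ip: str, dst_ip: str,
             src_port: Optional[int] = None, dst_port: Optional[int] = None) -> str:
    """Canonical key for a flow: the two endpoints sorted, so that the request
    (client -> server) and the reply (server -> client) hash identically.
    Ports are optional, as in the text; without them every flow between the
    same two hosts maps to the same firewall."""
    src = (int(ipaddress.ip_address(src_ip)), src_port or 0)
    dst = (int(ipaddress.ip_address(dst_ip)), dst_port or 0)
    low, high = sorted((src, dst))
    return f"{low[0]}:{low[1]}|{high[0]}:{high[1]}"


def choose_firewall(firewalls: List[str], src_ip: str, dst_ip: str,
                    src_port: Optional[int] = None,
                    dst_port: Optional[int] = None) -> str:
    """Select a firewall for the flow. Both load-balancing devices must run the
    same function over the same firewall list, in the same order; otherwise a
    reply can be steered to a firewall that never saw the request and is
    dropped by its state table."""
    if not firewalls:
        raise ValueError("firewall farm is empty")
    key = flow_key(src_ip, dst_ip, src_port, dst_port).encode()
    digest = hashlib.sha256(key).digest()
    return firewalls[int.from_bytes(digest[:8], "big") % len(firewalls)]


FARM = ["fw1", "fw2", "fw3"]      # constructed three-firewall farm


def both_directions_agree(src_ip: str, dst_ip: str,
                          src_port: int, dst_port: int) -> bool:
    """True when the outside device (seeing client -> server) and the inside
    device (seeing server -> client) pick the same firewall."""
    outbound = choose_firewall(FARM, src_ip, dst_ip, src_port, dst_port)
    inbound = choose_firewall(FARM, dst_ip, src_ip, dst_port, src_port)
    return outbound == inbound


if __name__ == "__main__":
    print(choose_firewall(FARM, "203.0.113.5", "192.0.2.10", 40000, 80))
    print(both_directions_agree("203.0.113.5", "192.0.2.10", 40000, 80))
```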
`
`GPRS Load Balancing
`
`General Packet Radio Service (GPRS) is the packet network infrastructure based on the European
`Telecommunications Standards Institute (ETSI) Global System for Mobile Communication (GSM) phase 2+
`standards for transferring packet data from the GSM mobile user to the packet data network (PDN). The
`Cisco gateway GPRS support node (GGSN) interfaces with the serving GPRS support node (SGSN)
`using the GPRS Tunneling Protocol (GTP), which in turn uses UDP/IP for transport. IOS SLB provides
`GPRS load balancing and increased reliability and availability for the GGSN.
`
`Tunnel creation messages destined to the virtual GGSN IP address are redirected via Layer 2 to one of
`the real GGSNs using the weighted round robin load-balancing algorithm. See the “Weighted Round
`Robin” section on page 5 for more information about this algorithm.
`
`The real GGSNs must be Layer 2-adjacent to the IOS SLB device. The SGSNs need not be Layer
`2-adjacent to the IOS SLB device, unless you implement IOS SLB redundancy enhancements.
`
`GPRS load balancing uses standard dispatched routing, so you must configure the real GGSNs with the
`virtual GGSN IP address as a loopback address, or secondary IP address. See the “Network Address
`Translation (NAT) and Session Redirection” section on page 11 for more information about dispatched
`routing. See the “Configuring Logical Interfaces” chapter of the Cisco IOS Interface Configuration
`Guide for more information about configuring the loopback address.
`
`When configuring the network shared by IOS SLB and the GGSNs, keep the following considerations
`in mind:
• Specify static routes (using ip route commands) and real server IP addresses (using real commands)
such that the Layer 2 information is correct and unambiguous.

• Do not configure default routes or gateways on any of the GGSNs.

• Do not configure a route to IOS SLB’s virtual server on the GGSNs. Doing so can prevent messages
from reaching GTP.

• Choose subnets carefully, using one of the following methods:
– Do not overlap virtual template address subnets.
– Specify next hop addresses to real servers, not to interfaces on those servers.
`
`In GPRS load balancing, IOS SLB knows when a PDP context is established, but it does not know when
`PDP contexts are cleared, and therefore it cannot know the number of open PDP contexts for each
`GGSN. Use DFP to calculate GPRS load-balancing weights dynamically. See the “Dynamic Feedback
`Protocol for IOS SLB” section on page 8 for more information about DFP.
`
`If you have enabled Cisco Express Forwarding (CEF) on a GGSN, you must identify the IP address of
`the GGSN virtual server to CEF. If you have not enabled CEF on the GGSN, do not perform this task.
`See the “Identifying the GGSN Virtual Server to CEF” section on page 37 for more details.
`
`
`Maximum Connections
`
`IOS SLB allows you to configure maximum connections for server and firewall load balancing.
`
• For server load balancing, you can configure a limit on the number of active connections that a real
server is assigned. If the maximum number of connections is reached for a real server, IOS SLB
automatically switches all further connection requests to another server until the connection number
drops below the specified limit.

• For firewall load balancing, you can configure a limit on the number of active TCP or UDP
connections that a firewall farm is assigned. If the maximum number of connections is reached for
the firewall farm, new connections are dropped until the connection number drops below the
specified limit.
`
`Multiple Firewall Farm Support
`
`You can configure more than one firewall farm in each load-balancing device.
`
`Network Address Translation (NAT) and Session Redirection
`
`Cisco IOS NAT, RFC 1631, allows unregistered “private” IP addresses to connect to the Internet by
`translating them into globally registered IP addresses. Cisco IOS NAT also increases network privacy by
`hiding internal IP addresses from external networks.
`
`IOS SLB can operate in one of two session redirection modes:
`
• Dispatched mode—the virtual server address is known to the real servers; you must configure the
virtual server IP address as a loopback address, or secondary IP address, on each of the real servers.
IOS SLB redirects packets to the real servers at the media access control (MAC) layer. Since the
virtual server IP address is not modified in dispatched mode, the real servers must be
Layer 2-adjacent to IOS SLB, or intervening routers might not be able to route to the chosen real
server.

See the “Configuring Logical Interfaces” chapter of the Cisco IOS Interface Configuration Guide
for more information about configuring the loopback address.

• Directed mode—the virtual server can be assigned an IP address that is not known to any of the real
servers. IOS SLB translates packets exchanged between a client and real server, translating the
virtual server IP address to a real server IP address through NAT.

IOS SLB supports the following types of NAT:

• Server NAT—By replacing the virtual server IP address with the real server IP address (and vice
versa):
– Servers can be many hops away from the load-balancing device.
– Intervening routers can route to them without requiring tunnelling.
– Loopback and secondary interfaces are not required on the real server.
– The real server need not be Layer 2-adjacent to IOS SLB.
`
`A less common form of server NAT is server port translation, which involves replacement of a
`virtual server port. Server port translation does not require server IP address translation, but the two
`translations can be used together.
`
`
`Note
`
`If an IP address is configured as a real IP address for a NAT virtual server, you cannot
`balance connection requests from that address to a different virtual server (whether NAT or
`dispatched) on the same load-balancing device.
`
• Client NAT—If multiple load-balancing devices are used, replacing the client IP address with an IP
address associated with one of the devices results in proper routing of outbound flows to the correct
device. Client NAT also requires that the ephemeral client port be modified since many clients can
use the same ephemeral port. Even in cases where multiple load-balancing devices are not used,
client NAT can be useful to ensure that packets from load-balanced connections are not routed
around the device.
`
`In both dispatched and directed modes, IOS SLB must track connections. Therefore, you must design
`your network so that there is no alternate network path from the real servers to the client that bypasses
`the load-balancing device.
`
`Note
`
`Both server NAT and client NAT are supported for the same connection.
`
`IOS SLB supports FTP, firewall load balancing, and GPRS load balancing only in dispatched mode.
`Therefore, FTP, firewall load balancing, and GPRS load balancing cannot use NAT.
`
Port-Bound Servers

When you define a virtual server, you must specify the TCP or UDP port handled by that virtual server.
However, if you configure NAT on the server farm, you can also configure port-bound servers.
Port-bound servers allow one virtual server IP address to represent one set of real servers for one service,
such as Hypertext Transfer Protocol (HTTP), and a different set of real servers for another service, such
as Telnet.

Packets destined for a virtual server address for a port that is not specified in the virtual server definition
are not redirected.

IOS SLB supports both port-bound and non-port-bound servers, but port-bound servers are
recommended.

IOS SLB firewall load balancing and GPRS load balancing do not support port-bound servers.

Probes

IOS SLB supports HTTP probes, ping probes, and WSP probes.
`
`HTTP and ping probes are a simple way to verify connectivity for devices being server load-balanced,
`and for firewalls being firewall load-balanced (even devices on the other side of a firewall).
`
`HTTP probes also enable you to monitor applications being server load-balanced. With frequent probes,
`the operation of each application is verified, not just connectivity to the application.
`
`HTTP probes do not support HTTP over Secure Socket Layer (HTTPS). That is, you cannot send an
`HTTP probe to an SSL server.
`
`WSP probes detect failures in the Wireless Application Protocol (WAP) stack on port 9201.
`
`You can configure more than one probe, in any combination of types (HTTP, ping, or WSP), for each
`server farm, or for each firewall in a firewall farm.
`
`
`Probes in Server Load Balancing
`
`Probes determine the status of each real server in a server farm. All real servers associated with all virtual
`servers tied to that server farm are probed.
`
`If a real server fails for one probe, it is failed for all probes. After the real server recovers, all probes
`must acknowledge its recovery before it is restored to service.
`
`Probes in Firewall Load Balancing
`
`Probes detect firewall failures. All firewalls associated with the firewall farm are probed.
`
`If a firewall fails for one probe, it is failed for all probes. After the firewall recovers, all probes must
`acknowledge its recovery before it is restored to service.
`
`Make sure you configure the HTTP probe to expect status code 401, to eliminate password problems.
`See the description of the expect command in the “Command Reference” section on page 95 for more
`details.
`Use the ip http server command to configure an HTTP server on the device. See the description of the
`ip http server command in the Cisco IOS Configuration Fundamentals Command Reference for more
`details.
`
`In a transparent webcache load-balancing environment, an HTTP probe uses the real IP address of the
`webcache, since there is no virtual IP address configured.
`
`Protocol Support
`
`IOS SLB supports the following protocols:
`
• Domain Name System (DNS)

• File Transfer Protocol (FTP)

• GPRS Tunneling Protocol (GTP)

• Hypertext Transfer Protocol (HTTP)

• Hypertext Transfer Protocol over Secure Socket Layer